
[suse-security] pam_krb5 & kdm: local root compromise (or misconfiguration?)

Hello list,

in the process of installing Suse 8.1Prof I am configuring all
workstations to authenticate against a kerberos 5 server, using ldap for
directory services. I stumbled upon something which looks to me like a
very dangerous security hole, but maybe I did some blatant
misconfiguration (in that case I would be more than thankful if someone
could point it out to me).

- using nss_ldap for users and groups
- /etc/krb5.conf configured for our realm
- created host principal for workstation and added to /etc/krb5.keytab
- inserted "auth sufficient pam_krb5.so debug" line at the beginning of
/etc/pam.d/xdm, and corresponding lines for "account" and "session"

The problem goes as follows:
- user logs in via kdm
- tickets are obtained and validated from kdc
- credentials cache file /tmp/krb5cc_0 (!) is created and KRB5CCNAME set
accordingly for the session
- user logs out, but credentials file is *not* deleted
- log in as a different (!) user
- tickets are obtained and validated from kdc
- cc file /tmp/krb5cc_0 already exists, and cannot be written (according
to logs, pam_krb5 module returns 'error in service module')
- error return is discarded, login continues and all processes strangely
start up with root privileges

I think the naming of the cc file (krb5cc_0) is already indicative that
root privileges are retained for too long.

Furthermore the fact that the cc file is not correctly removed on logout
is already a security concern in itself.

Additional info:
- sshd behaves correctly, i.e. the cc file is named /tmp/krb5cc_{uid},
and it is removed after logout
- gdm behaves semi-correctly, i.e. the cc file is named /tmp/krb5cc_0, it
is removed after logout, and the case of an existing unwritable cache file
is treated by refusing login (of course this still qualifies as a DoS
attack against the workstation)
- maybe part of the problem is related to an incorrect ordering of pam
calls inside kdm (in fact I had posted a bug report about something
similar three years ago, I wonder if it still has not been fixed?)

Can someone reproduce or comment on this? I can provide additional info,
complete log and configuration files on request.

Helge Bahmann <bahmann@xxxxxxxxxxxxxxxxxxx>             /| \__
The past: Smart users in front of dumb terminals       /_|____\
                                                     _/\ |   __)
$ ./configure                                        \\ \|__/__|
checking whether build environment is sane... yes     \\/___/ |
checking for AIX... no (we already did this)            |
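As an added example (not part of the post, and not code from pam_krb5 or kdm), a small audit over Kerberos 5 credential caches in /tmp that flags the symptoms described above: a cache named krb5cc_0 with no root session behind it, a cache whose uid suffix does not match its owner, a cache left behind after its owner logged out, and a cache readable by others. The live scan assumes a Linux /proc to derive the set of active uids; the SAMPLE data is constructed.

```python
"""Audit /tmp/krb5cc_* caches for the naming, ownership and cleanup problems
seen with kdm + pam_krb5 in the post above."""
import os
import re
import stat
from dataclasses import dataclass

CC_NAME = re.compile(r"^krb5cc_(\d+)$")  # expected form: krb5cc_{uid}


@dataclass
class CacheEntry:
    path: str
    owner_uid: int
    mode: int  # permission bits only, e.g. 0o600


def audit_caches(entries, active_uids):
    """Return {path: [problem, ...]} for every cache that looks wrong."""
    findings = {}
    for e in entries:
        m = CC_NAME.match(os.path.basename(e.path))
        if not m:
            continue
        uid_in_name = int(m.group(1))
        problems = []
        if uid_in_name == 0 and 0 not in active_uids:
            problems.append("named krb5cc_0 but no root session is active")
        if uid_in_name != e.owner_uid:
            problems.append(f"name says uid {uid_in_name}, owner is uid {e.owner_uid}")
        if e.owner_uid not in active_uids:
            problems.append("stale: owner has no active session (not removed at logout)")
        if e.mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append("group/world accessible")
        if problems:
            findings[e.path] = problems
    return findings


def scan_live(tmpdir="/tmp"):
    """Linux only (assumption): active uids are taken from /proc/<pid> owners."""
    active = {os.stat(f"/proc/{p}").st_uid for p in os.listdir("/proc") if p.isdigit()}
    entries = [CacheEntry(os.path.join(tmpdir, n), os.lstat(os.path.join(tmpdir, n)).st_uid,
                          stat.S_IMODE(os.lstat(os.path.join(tmpdir, n)).st_mode))
               for n in os.listdir(tmpdir) if CC_NAME.match(n)]
    return audit_caches(entries, active)


# Constructed sample (not real data): the post's scenario after the second
# user (uid 1001) has logged in via kdm; the root-owned cache survived logout.
SAMPLE = [
    CacheEntry("/tmp/krb5cc_0", owner_uid=0, mode=0o600),      # kdm's cache
    CacheEntry("/tmp/krb5cc_1001", owner_uid=1001, mode=0o600),  # sshd-style, correct
    CacheEntry("/tmp/krb5cc_1000", owner_uid=1002, mode=0o644),  # mismatched and open
]


def audit_sample():
    return audit_caches(SAMPLE, active_uids={1001})
```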
