From: Daniel J Walsh <dwalsh@redhat.com>
To: Joerg Hoh <joerg@devone.org>
Cc: selinux@tycho.nsa.gov
Subject: Re: Apache on FedoraCore1(Was Re: log_domain macro)
Date: Mon, 22 Dec 2003 07:57:58 -0500 [thread overview]
Message-ID: <3FE6EA56.7010708@redhat.com> (raw)
In-Reply-To: <20031221224916.GA3419@hydra.joerghoh.de>
Joerg Hoh wrote:
>On Mon, Dec 22, 2003 at 10:54:07AM +1300, Kerry Thompson wrote:
>
>>PAM (and others) make calls to the kerberos library which will always
>>open /etc/krb5.conf in r/w mode, even though no apps should be writing to
>>it. I suggest allowing read from all, and dontaudit for write.
>
>But the long-term solution would be to check why kerberos wants to have write
>access to that file (and change it to read-only, if it isn't necessary at
>all).
>
>Joerg
Kerberos has a sort of getstatusinfo call that it uses for all its
configuration files. It basically loads up an information structure that
allows it to make decisions on a file. Included in this information is
whether the file is writable. So the Kerberos library does an
access(filename,W_OK) on the file it is investigating. I believe all of
kerberos should have a security policy written on it, since some of the
config files are as important as /etc/passwd and /etc/shadow. If I can somehow
get the system to trust a different kerberos server then I can gain
access to the machine and wreak havoc.
Dan
Thread overview: 12+ messages
2003-12-15 10:02 log_domain macro Yuichi Nakamura
2003-12-15 15:45 ` Stephen Smalley
2003-12-16 4:39 ` Yuichi Nakamura
[not found] ` <1071688353.1403.137.camel@moss-spartans.epoch.ncsc.mil>
2003-12-19 10:50 ` Apache on FedoraCore1(Was Re: log_domain macro) Yuichi Nakamura
2003-12-21 21:54 ` Kerry Thompson
2003-12-21 22:49 ` Joerg Hoh
2003-12-22 12:57 ` Daniel J Walsh [this message]
2003-12-23 0:01 ` Yuichi Nakamura
2003-12-23 3:38 ` Russell Coker
2003-12-23 9:45 ` Yuichi Nakamura
2003-12-23 9:45 ` Russell Coker
2003-12-15 15:54 ` log_domain macro Stephen Smalley