Joerg Hoh wrote:
On Mon, Dec 22, 2003 at 10:54:07AM +1300, Kerry Thompson wrote:
  
PAM ( and others ) make calls to the kerberos library which will always
open /etc/krb5.conf in r/w mode, even though no apps should be writing to
it. I suggest allowing read from all, and dontaudit for write.
    

But the longterm solution would be to check why kerberos wants to have write
access to that file (and change it to read-only, if it isn't necessary at
all).

Joerg

Kerberos has a sort of getstatusinfo call that it uses for all its configuration files.  It basically loads up an information structure that allows it to make decisions on a file.  Included in this information is whether the file is writable.  So the Kerberos library does an access(filename,W_OK) on the file it is investigating.  I believe all of kerberos should have a security policy written on it, since some of the config files are as important as /etc/passwd, shadow.  If I can somehow get the system to trust a different kerberos server then I can gain access to the machine and wreak havoc.

Dan
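The point Dan makes above is that an access(2) probe with W_OK is, from the kernel's and SELinux's point of view, a request for write permission on the file, so it is denied or audited exactly like a real open-for-write even though the library never writes. The following is an added example (not code from the thread, from MIT Kerberos, or from the SELinux reference policy) that puts the access()-based probe beside a read-only alternative that opens the file O_RDONLY, fstat()s it and derives the same "is it writable?" hint from the mode bits. The scratch file under /tmp, its sample contents and the function names are constructed for the example; the stat-based probe only reproduces the DAC answer (no ACLs, no MAC policy, root approximated as euid 0), which is adequate for an informational flag but must not be used as an authorization decision.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The probe described in the thread: access(2) with W_OK asks the kernel
 * for write permission on the path. Under SELinux this is a "write"
 * permission check against the file's type, so it is denied (and audited,
 * unless dontaudit'ed) exactly as an open-for-write would be, although
 * nothing is ever written. Returns 1 if writable, 0 otherwise. */
int writable_via_access(const char *path)
{
    return access(path, W_OK) == 0;
}

/* Alternative that only asks the kernel for read: open read-only, fstat the
 * descriptor and compare the mode bits with our effective IDs. This is the
 * DAC answer only (no ACLs, no MAC, root's CAP_DAC_OVERRIDE approximated as
 * euid 0): an informational hint, not an authorization check.
 * Returns 1 writable, 0 not writable, -1 on error. */
int writable_via_stat(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    struct stat st;
    int rc = fstat(fd, &st);
    close(fd);
    if (rc < 0)
        return -1;
    if (geteuid() == 0)
        return 1;
    if (st.st_uid == geteuid())
        return (st.st_mode & S_IWUSR) != 0;
    if (st.st_gid == getegid())
        return (st.st_mode & S_IWGRP) != 0;
    return (st.st_mode & S_IWOTH) != 0;
}

/* Constructed scratch "config file" (deliberately not /etc/krb5.conf) with
 * the requested mode, so both probes can be compared without touching /etc.
 * Writes `path` (needs room for "/tmp/krb5conf-XXXXXX"); returns 0 or -1. */
int make_scratch_conf(char *path, size_t len, mode_t mode)
{
    static const char tmpl[] = "/tmp/krb5conf-XXXXXX";
    static const char sample[] = "[libdefaults]\n\tdefault_realm = EXAMPLE.COM\n";
    if (len < sizeof tmpl)
        return -1;
    memcpy(path, tmpl, sizeof tmpl);
    int fd = mkstemp(path);           /* created 0600, owned by us */
    if (fd < 0)
        return -1;
    if (write(fd, sample, sizeof sample - 1) != (ssize_t)(sizeof sample - 1)
        || fchmod(fd, mode) < 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    close(fd);
    return 0;
}

/* Creates a scratch file with `mode`, runs both probes, removes the file.
 * Returns 1 if the probes agree, 0 if they disagree, -1 on setup failure. */
int probes_agree(mode_t mode)
{
    char path[64];
    if (make_scratch_conf(path, sizeof path, mode) < 0)
        return -1;
    int a = writable_via_access(path);
    int s = writable_via_stat(path);
    unlink(path);
    if (s < 0)
        return -1;
    return a == s;
}

int main(void)
{
    const mode_t modes[] = { 0600, 0400, 0644 };
    for (size_t i = 0; i < sizeof modes / sizeof modes[0]; i++) {
        char path[64];
        if (make_scratch_conf(path, sizeof path, modes[i]) < 0) {
            perror("make_scratch_conf");
            return 1;
        }
        printf("mode %04o: access(W_OK)=%d stat-based=%d\n",
               (unsigned)modes[i], writable_via_access(path),
               writable_via_stat(path));
        unlink(path);
    }
    return 0;
}
```

Run it under an SELinux policy with auditing of the krb5 config type enabled and only the access(W_OK) probe produces a denial; the stat-based probe generates a read check, which the policy already allows. The trade-off is the one noted in the comments: access(2) lets the kernel answer with ACLs and MAC included, while the fstat version is only a DAC approximation, so it is fine for "mark this file read-only in my status structure" but not for deciding whether an operation is permitted.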