* Kerberos+NFSv4: Security - Multiple sessions with same user. One ticket for all?
From: Carlos André @ 2009-08-26 11:46 UTC (permalink / raw)
To: NFS list, Linux NFSv4 mailing list
I got a strange security issue. I log on via SSH or the local console with
my user and get a ticket; then if local root does su to my user, local root
can access my files.
I'm using CentOS 5.3:
kernel-2.6.18-128.2.1.el5
krb5-workstation-1.6.1-31.el5_3.3
SESSION 1:
-----------------------------------------------------------------
$ ssh root@1.2.3.4
root@1.2.3.4's password:
Last login: Wed Aug 26 08:06:49 2009 from X
[root@KSTATION ~]# su carlos.andre
[carlos.andre@KSTATION root]$ klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_10000)
Kerberos 4 ticket cache: /tmp/tkt10000
klist: You have no tickets cached
[carlos.andre@KSTATION root]$ cd /misc/home/carlos.andre
bash: cd: /misc/home/carlos.andre: Permission denied
[carlos.andre@KSTATION root]$
-----------------------------------------------------------------
[--OK--]
SESSION 2:
-----------------------------------------------------------------
$ ssh carlos.andre@1.2.3.4
carlos.andre@1.2.3.4's password:
Last login: Wed Aug 26 08:01:33 2009 from X
[carlos.andre@KSTATION ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_10000_PPLMqF
Default principal: carlos.andre@X.BR
Valid starting Expires Service principal
08/26/09 08:30:12 08/26/09 18:30:12 krbtgt/X.BR@X.BR
renew until 08/26/09 08:30:12
Kerberos 4 ticket cache: /tmp/tkt10000
klist: You have no tickets cached
[carlos.andre@KSTATION ~]$ cd /misc/home/carlos.andre
[carlos.andre@KSTATION carlos.andre]$ ls -la
total 8
drwxrwx--- 2 carlos.andre users 4096 Aug 21 09:04 .
drwxr-xr-x 3 root root 0 Aug 26 08:30 ..
[carlos.andre@KSTATION carlos.andre]$
-----------------------------------------------------------------
[--OK--]
NOW BACK TO SESSION 1:
-----------------------------------------------------------------
[carlos.andre@KSTATION root]$ cd /misc/home/carlos.andre
[carlos.andre@KSTATION carlos.andre]$ ls -la
total 8
drwxrwx--- 2 carlos.andre users 4096 Aug 21 09:04 .
drwxr-xr-x 3 root root 0 Aug 26 08:30 ..
[carlos.andre@KSTATION carlos.andre]$ klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_10000)
Kerberos 4 ticket cache: /tmp/tkt10000
klist: You have no tickets cached
[carlos.andre@KSTATION carlos.andre]$
-----------------------------------------------------------------
[WTF!?!?]
Then, if I log on to someone's machine, the local root user (after 'su' to my
user) will have access to my files, like NFS without Kerberos?? Is this
behavior "correct", or is it a bug?
And stranger still, the credentials: root 'su'ed to my user doesn't get
credentials, but still has access to my files...
Or am I doing something wrong? -_-'
Thanks.
* Re: Kerberos+NFSv4: Security - Multiple sessions with same user. One ticket for all?
From: Ondrej Valousek @ 2009-08-26 11:51 UTC (permalink / raw)
Cc: NFS list, Linux NFSv4 mailing list
* Re: Kerberos+NFSv4: Security - Multiple sessions with same user. One ticket for all?
From: le wang @ 2009-08-26 21:09 UTC (permalink / raw)
To: Ondrej Valousek; +Cc: NFS list, Linux NFSv4 mailing list
This is the security issue of NFS which exists extensively in NIS directory
environments, since regular NFS authentication depends on UID and GID.
$ ypcat password | grep $FOO to get user FOO's UID and GID;
local root of ANY machine in this directory could create a faked user with
FOO's UID and GID through the commands "groupadd" and "useradd", and then access
FOO's files on any machine.
If Kerberos 5 is applied, this kind of security issue could be solved
partially and limited to the scenario which Ondrej described below.
-Le
On Wed, Aug 26, 2009 at 7:51 AM, Ondrej Valousek <webserv@s3group.cz> wrote:
> This issue has already been discussed on this list.
> Local root has access to all credentials stored on that machine and there
> is nothing you can do about this. You can only tell the user not to log on to
> a machine which is already compromised by a malicious attacker having root
> access.
> Ondrej
>
> Carlos André wrote:
>
>> I got a strange security issue. I log on via SSH or the local console with
>> my user and get a ticket; then if local root does su to my user, local root
>> can access my files.
>>
>> I'm using CentOS 5.3:
>> kernel-2.6.18-128.2.1.el5
>> krb5-workstation-1.6.1-31.el5_3.3
>>
>>
>> SESSION 1:
>> -----------------------------------------------------------------
>> $ ssh root@1.2.3.4
>> root@1.2.3.4's password:
>> Last login: Wed Aug 26 08:06:49 2009 from X
>> [root@KSTATION ~]# su carlos.andre
>> [carlos.andre@KSTATION root]$ klist
>> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_10000)
>>
>>
>> Kerberos 4 ticket cache: /tmp/tkt10000
>> klist: You have no tickets cached
>> [carlos.andre@KSTATION root]$ cd /misc/home/carlos.andre
>> bash: cd: /misc/home/carlos.andre: Permission denied
>> [carlos.andre@KSTATION root]$
>> -----------------------------------------------------------------
>> [--OK--]
>>
>>
>> SESSION 2:
>> -----------------------------------------------------------------
>> $ ssh carlos.andre@1.2.3.4
>> carlos.andre@1.2.3.4's password:
>> Last login: Wed Aug 26 08:01:33 2009 from X
>> [carlos.andre@KSTATION ~]$ klist
>> Ticket cache: FILE:/tmp/krb5cc_10000_PPLMqF
>> Default principal: carlos.andre@X.BR
>>
>> Valid starting Expires Service principal
>> 08/26/09 08:30:12 08/26/09 18:30:12 krbtgt/X.BR@X.BR
>> renew until 08/26/09 08:30:12
>>
>>
>> Kerberos 4 ticket cache: /tmp/tkt10000
>> klist: You have no tickets cached
>> [carlos.andre@KSTATION ~]$ cd /misc/home/carlos.andre
>> [carlos.andre@KSTATION carlos.andre]$ ls -la
>> total 8
>> drwxrwx--- 2 carlos.andre users 4096 Aug 21 09:04 .
>> drwxr-xr-x 3 root root 0 Aug 26 08:30 ..
>> [carlos.andre@KSTATION carlos.andre]$
>> -----------------------------------------------------------------
>> [--OK--]
>>
>>
>> NOW BACK TO SESSION 1:
>> -----------------------------------------------------------------
>> [carlos.andre@KSTATION root]$ cd /misc/home/carlos.andre
>> [carlos.andre@KSTATION carlos.andre]$ ls -la
>> total 8
>> drwxrwx--- 2 carlos.andre users 4096 Aug 21 09:04 .
>> drwxr-xr-x 3 root root 0 Aug 26 08:30 ..
>> [carlos.andre@KSTATION carlos.andre]$ klist
>> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_10000)
>>
>>
>> Kerberos 4 ticket cache: /tmp/tkt10000
>> klist: You have no tickets cached
>> [carlos.andre@KSTATION carlos.andre]$
>> -----------------------------------------------------------------
>> [WTF!?!?]
>>
>> Then, if I log on to someone's machine, the local root user (after 'su' to my
>> user) will have access to my files, like NFS without Kerberos?? Is this
>> behavior "correct", or is it a bug?
>> And stranger still, the credentials: root 'su'ed to my user doesn't get
>> credentials, but still has access to my files...
>>
>> Or am I doing something wrong? -_-'
>>
>> Thanks.
--
Le Wang
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The good man is the friend of all living things.
Gandhi, Mahatma(1869-1948)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
_______________________________________________
NFSv4 mailing list
NFSv4@linux-nfs.org
http://linux-nfs.org/cgi-bin/mailman/listinfo/nfsv4
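An added illustration of why SESSION 1 shows no ticket yet reaches the export (my own code, not from this thread or from nfs-utils). It assumes rpc.gssd's behaviour of choosing a cache for the requesting uid from its cache directory (default /tmp) by the name pattern krb5cc_<uid> or krb5cc_<uid>_*, whereas klist only looks at the shell's KRB5CCNAME or the default FILE:/tmp/krb5cc_<uid>; the directory, file names and uids are constructed to mirror the thread.

```python
import os
import re
import tempfile
from pathlib import Path
from typing import Optional


def find_caches_for_uid(ccachedir: str, uid: int) -> list:
    """Cache files that a uid-keyed lookup (as rpc.gssd does) would consider.
    Anchored regex: uid 1000 must not match krb5cc_10000_xxxx.
    """
    pattern = re.compile(rf"^krb5cc_{uid}(_.*)?$")
    return sorted(
        os.path.join(ccachedir, name)
        for name in os.listdir(ccachedir)
        if pattern.match(name)
    )


def nfs_access_decision(ccachedir: str, uid: int, krb5ccname: Optional[str]) -> dict:
    """What the shell sees versus what the NFS client does for a process of `uid`.
    klist honours KRB5CCNAME (or the default FILE:/tmp/krb5cc_<uid>); the
    RPCSEC_GSS context is instead looked up by uid alone, so the shell's
    environment plays no part in the second decision.
    """
    default = os.path.join(ccachedir, f"krb5cc_{uid}")
    shell_cache = krb5ccname or default
    matches = find_caches_for_uid(ccachedir, uid)
    return {
        "shell_sees_ticket": os.path.exists(shell_cache),
        "gssd_matches": matches,
        "nfs_request_authenticated": bool(matches),
    }


def demo() -> dict:
    """Constructed replica of /tmp from the thread (not real data)."""
    tmp = tempfile.mkdtemp()
    # SESSION 2: pam_krb5 created a randomly suffixed cache for uid 10000.
    Path(tmp, "krb5cc_10000_PPLMqF").touch()
    Path(tmp, "krb5cc_1000").touch()   # unrelated user, prefix collision check
    # SESSION 1: root ran `su carlos.andre`; KRB5CCNAME is unset, so klist
    # looks for /tmp/krb5cc_10000, which does not exist ...
    result = nfs_access_decision(tmp, 10000, None)
    # ... while any NFS request from that shell is made as uid 10000 and is
    # authenticated with the SSH session's cache that gssd finds by uid.
    result["ccachedir"] = tmp
    return result
```

The model only covers cache discovery on the client; a context the kernel has already negotiated for that uid stays usable until it expires, which is the point of Ondrej's answer that local root on the same box cannot be kept out.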