From: "Carlos André" <candrecn@gmail.com>
To: NFS list <linux-nfs@vger.kernel.org>,
Linux NFSv4 mailing list <nfsv4@linux-nfs.org>
Subject: Kerberos+NFSv4: Security - Multiple sessions with same user. One ticket for all?
Date: Wed, 26 Aug 2009 08:46:37 -0300 [thread overview]
Message-ID: <f6ce31e30908260446g534bb70bxd742e35141ae99c1@mail.gmail.com> (raw)
I got a strange security issue. I logon via SSH or local console with
my user and get a ticket, then if local root su to my user, local root
can access my files.
I'm using CentOS 5.3:
kernel-2.6.18-128.2.1.el5
krb5-workstation-1.6.1-31.el5_3.3
SESSION 1:
-----------------------------------------------------------------
$ ssh root@1.2.3.4
root@1.2.3.4's password:
Last login: Wed Aug 26 08:06:49 2009 from X
[root@KSTATION ~]# su carlos.andre
[carlos.andre@KSTATION root]$ klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_10000)
Kerberos 4 ticket cache: /tmp/tkt10000
klist: You have no tickets cached
[carlos.andre@KSTATION root]$ cd /misc/home/carlos.andre
bash: cd: /misc/home/carlos.andre: Permission denied
[carlos.andre@KSTATION root]$
-----------------------------------------------------------------
[--OK--]
SESSION 2:
-----------------------------------------------------------------
$ ssh carlos.andre@1.2.3.4
carlos.andre@1.2.3.4's password:
Last login: Wed Aug 26 08:01:33 2009 from X
[carlos.andre@KSTATION ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_10000_PPLMqF
Default principal: carlos.andre@X.BR
Valid starting Expires Service principal
08/26/09 08:30:12 08/26/09 18:30:12 krbtgt/X.BR@X.BR
renew until 08/26/09 08:30:12
Kerberos 4 ticket cache: /tmp/tkt10000
klist: You have no tickets cached
[carlos.andre@KSTATION ~]$ cd /misc/home/carlos.andre
[carlos.andre@KSTATION carlos.andre]$ ls -la
total 8
drwxrwx--- 2 carlos.andre users 4096 Aug 21 09:04 .
drwxr-xr-x 3 root root 0 Aug 26 08:30 ..
[carlos.andre@KSTATION carlos.andre]$
-----------------------------------------------------------------
[--OK--]
NOW BACK TO SESSION 1:
-----------------------------------------------------------------
[carlos.andre@KSTATION root]$ cd /misc/home/carlos.andre
[carlos.andre@KSTATION carlos.andre]$ ls -la
total 8
drwxrwx--- 2 carlos.andre users 4096 Aug 21 09:04 .
drwxr-xr-x 3 root root 0 Aug 26 08:30 ..
[carlos.andre@KSTATION carlos.andre]$ klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_10000)
Kerberos 4 ticket cache: /tmp/tkt10000
klist: You have no tickets cached
[carlos.andre@KSTATION carlos.andre]$
-----------------------------------------------------------------
[WTF!?!?]
Then, if I log on someone machine, local root user (and 'su' to my
user) will have access to my files like NFS without Kerberos?? This
behavior is "correct" or it's a bug?
And more strange it's credentials, root 'su'ed to my user doesnt got
credentials, but still have access to my files...
Or I'm doing something wrong? -_-'
Thanks.
next reply other threads:[~2009-08-26 11:46 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-08-26 11:46 Carlos André [this message]
2009-08-26 11:51 ` Kerberos+NFSv4: Security - Multiple sessions with same user. One ticket for all? Ondrej Valousek
2009-08-26 21:09 ` le wang
[not found] ` <cbeb1f2b0908261409t21222b37le77f9afc03da038a-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2009-08-26 22:31 ` Carlos André
[not found] ` <f6ce31e30908261531m1ce99cd8m9ddde6269f0e536f-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2009-08-26 22:56 ` Trond Myklebust
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f6ce31e30908260446g534bb70bxd742e35141ae99c1@mail.gmail.com \
--to=candrecn@gmail.com \
--cc=linux-nfs@vger.kernel.org \
--cc=nfsv4@linux-nfs.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox