Simon Ruderich <he29h...@cip.cs.fau.de> writes:

> The attached patch adds a setuid wrapper to allow verification of
> the keytab for non-root PAM programs.

> The new verify_creds_setuid_helper function forks our new suid
> helper binary, against which it does a standard Kerberos service
> authentication by getting a service ticket from the KDC, sending
> an AP_REQ and verifying the resulting AP_REP it receives.

I'm too nervous about the many possible attack approaches to setuid
binaries to be entirely comfortable with this approach.

My tentative thought about the right way to approach this was to instead
add a daemon that listens on a UNIX domain socket for validation requests
and replies with simple success or failure. That sort of oracle should
be okay to expose to the rest of the system, and running it as a
separate daemon will remove the security concerns about setuid. (It
does mean some additional operational complexity to start and manage
the daemon, but the Debian package, at least, can easily take care of
that.)

-- 
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
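The shape of the socket oracle proposed in the reply above, as an added illustration that is not code from pam-krb5, from the patch under discussion, or from either poster. The Kerberos part is replaced by a constructed stand-in: the daemon holds a secret key playing the role of the keytab, and a "ticket" (standing in for the AP_REQ) is accepted only if its HMAC verifies under that key, which mirrors what keytab verification catches (a spoofed KDC cannot produce one). The wire format (4-byte length, payload, 1-byte verdict), the size cap and the timeout are assumptions chosen for the example.

```python
"""Minimal keytab-verification oracle over a UNIX domain socket (added example).

Constructed stand-in for the daemon design: the daemon alone holds
SERVICE_KEY (the "keytab"); clients hand it a ticket and get back one byte.
"""
import hashlib
import hmac
import os
import secrets
import socket
import struct
import tempfile
import threading

MAX_REQUEST = 4096   # assumed hard cap on request size; larger requests are refused
NONCE_LEN = 16
TAG_LEN = 32         # HMAC-SHA256 output

# Constructed stand-in for the service key in the keytab. Only the daemon holds it.
SERVICE_KEY = secrets.token_bytes(32)


def make_ticket(key: bytes) -> bytes:
    """Stand-in for an AP_REQ: nonce || HMAC(key, nonce).

    Only a party knowing the service key (a genuine KDC) can produce one."""
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + hmac.new(key, nonce, hashlib.sha256).digest()


def verify_ticket(ticket: bytes, key: bytes = SERVICE_KEY) -> bool:
    """The single decision the oracle makes: does this ticket verify under the key?"""
    if len(ticket) != NONCE_LEN + TAG_LEN:
        return False
    nonce, tag = ticket[:NONCE_LEN], ticket[NONCE_LEN:]
    expected = hmac.new(key, nonce, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def _recv_exact(conn: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed early")
        buf += chunk
    return buf


def serve_one(conn: socket.socket) -> None:
    """One request: 4-byte big-endian length, payload, then a 1-byte reply.

    Reply is 1 (verified) or 0 (not). No key material, principal names or
    error detail ever go back to the untrusted client."""
    try:
        conn.settimeout(5.0)
        (length,) = struct.unpack("!I", _recv_exact(conn, 4))
        if length > MAX_REQUEST:
            conn.sendall(b"\x00")
            return
        conn.sendall(b"\x01" if verify_ticket(_recv_exact(conn, length)) else b"\x00")
    except (OSError, struct.error):
        pass  # malformed or timed-out request: drop it silently
    finally:
        conn.close()


def start_daemon(path: str) -> socket.socket:
    """Bind the oracle socket and service it from a background thread."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    os.chmod(path, 0o666)  # any local user may ask; the answer is only yes/no
    srv.listen(8)

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listening socket closed: shut down
            threading.Thread(target=serve_one, args=(conn,), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv


def ask_oracle(path: str, ticket: bytes) -> bool:
    """Client side, as a non-root PAM module would use it."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as c:
        c.settimeout(5.0)
        c.connect(path)
        c.sendall(struct.pack("!I", len(ticket)) + ticket)
        return c.recv(1) == b"\x01"


def demo() -> dict:
    """Run daemon and client in one process; return the oracle's verdicts."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "krb5-verify.sock")
        srv = start_daemon(path)
        try:
            return {
                "genuine": ask_oracle(path, make_ticket(SERVICE_KEY)),
                "forged": ask_oracle(path, make_ticket(secrets.token_bytes(32))),
                "garbage": ask_oracle(path, b"\x00" * 7),
            }
        finally:
            srv.close()


if __name__ == "__main__":
    print(demo())
```

The design point is that the client never touches the keytab and the daemon never says anything beyond one bit, so what is exposed to every local user is only the verify/reject verdict. A real deployment would run the daemon as a dedicated user with read access to the keytab rather than as root, and could log the peer's uid (SO_PEERCRED on Linux) for rate limiting; both are left out here.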