Package: libpam-heimdal,libpam-krb5
Version: 2.4-1
Severity: normal

Many applications that need to verify user credentials, especially screensavers like xlock, xscreensaver and friends, no longer run as root on a standard Debian system.

They still can authenticate using pam_unix (and therefore indirectly /etc/shadow), because libpam-modules brings a suid root helper tool:

    -r-sr-xr-x 1 root root 18000 Oct 23 14:48 /sbin/unix_chkpwd*

I assume that pam_unix uses this when it doesn't have the required privileges to access /etc/shadow itself.

With Kerberos the situation is similar. In order to protect against certain KDC impersonation attacks one really wants to set verify_ap_req_nofail to true in krb5.conf. Now, in order to authenticate, pam verifies it can get a proper ticket encrypted to the local host principal. This verification is only possible when it can read the principal's key, stored in /etc/krb5.keytab. Of course the keytab usually is read protected, so only when the pam module is run as root can this step work.

I think that this very step should be delegated to a helper tool similar in spirit to /sbin/unix_chkpwd.

Peter

One could, of course, also muck with the group ownership of all the screensavers and the keytab file and throw in a few g+s bits, and for a few tools this will work. This has several disadvantages. One, it gives the programs direct privilege to read the keytab. Two, it doesn't work so well when the program is trying to be smart and get rid of the group gotten by the sgid bit (hi xscreensaver). Three, it's not suitable for a default in Debian, and thus requires admin intervention.

[ This issue concerns both libpam-heimdal and libpam-krb5. This bug is initially filed against both; I'll split one off and reassign the two parts. ]

-- 
Peter Palfrader, http://www.palfrader.org/
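As an added example (not part of the bug report or of either pam module), a small POSIX shell check that looks at the two things the report ties together, the verify_ap_req_nofail setting in krb5.conf and the keytab's permission bits, and reports whether a non-root PAM client such as a screensaver could complete the ticket verification, whether the setting is off, or whether the keytab has been opened up to non-root readers. The function names and the constructed demo files are my own.

```shell
#!/bin/sh
# Added example, not from the bug report: report whether pam_krb5's ticket
# verification can succeed for a non-root PAM client, judged from krb5.conf and
# the keytab's permission bits alone (no Kerberos libraries needed).

# Print "true", "false" or "unset" for verify_ap_req_nofail in a krb5.conf.
verify_nofail_setting() {
  val=$(sed -n 's/^[[:space:]]*verify_ap_req_nofail[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" | head -n 1)
  case "$val" in
    true|TRUE|True|yes|YES|Yes) echo true ;;
    "") echo unset ;;
    *) echo false ;;
  esac
}

# Print "yes" if the keytab's mode grants read to group or other, else "no".
# Uses the ls mode string so the answer does not depend on who runs the check.
keytab_world_or_group_readable() {
  mode=$(ls -ld "$1" | cut -c1-10)     # e.g. -rw-------
  case "$mode" in
    ????r*|???????r*) echo yes ;;      # group read (col 5) or other read (col 8)
    *) echo no ;;
  esac
}

# Exit status: 0 = non-root callers can verify (keytab readable beyond root,
# which also exposes the host key), 1 = verify_ap_req_nofail is true but only
# root can read the keytab (the report's failure case), 2 = the setting is off.
unprivileged_verify_status() {
  [ "$(verify_nofail_setting "$1")" = true ] || return 2
  [ "$(keytab_world_or_group_readable "$2")" = yes ] && return 0
  return 1
}

# Demo on constructed files: the hardened setup the report describes.
demo=$(mktemp -d)
printf '[libdefaults]\n\tdefault_realm = EXAMPLE.ORG\n\tverify_ap_req_nofail = true\n' \
  > "$demo/krb5.conf"
: > "$demo/krb5.keytab"
chmod 600 "$demo/krb5.keytab"
rc=0
unprivileged_verify_status "$demo/krb5.conf" "$demo/krb5.keytab" || rc=$?
case $rc in
  0) echo "OK: non-root PAM clients can verify tickets" ;;
  1) echo "FAIL: verify_ap_req_nofail=true but keytab is root-only; non-root pam_krb5 logins will fail" ;;
  2) echo "WARN: verify_ap_req_nofail is not enabled" ;;
esac
rm -rf "$demo"
```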