Public bug reported:

Binary package hint: libpam-krb5

When creating a new ticket cache libpam-krb5 stashes the cache in a temporary location;

api-auth.c:
    pamret = pamk5_cache_init_random(args, creds);

api-password.c:
    pamret = pamk5_cache_init_random(args, creds);

in cache.c: pamk5_cache_init_random:

    char cache_name[] = "/tmp/krb5cc_pam_XXXXXX";

    /* Store the obtained credentials in a temporary cache. */
    pamret = pamk5_cache_mkstemp(args, cache_name);
    if (pamret != PAM_SUCCESS)
        return pamret;

If /tmp is full this call fails and the entire PAM stack will fail. When the rootfs is full, users kind of expect to be able to do normal operations such as unlocking their screen or using sudo to gain root access to delete files.

It would be nice if we could control where the tempfile was written in /etc/krb5.conf like many of the other PAM options.

antarus@goats ~/local/libpam-krb5-4.2 $ lsb_release -rd
Description:    Ubuntu 10.04.1 LTS
Release:        10.04

antarus@goats ~/local/libpam-krb5-4.2 $ apt-cache policy libpam-krb5
libpam-krb5:
  Installed: 4.2-1
  Candidate: 4.2-1

I expect to be able to configure libpam-krb5 to write to a tmpfs or something that is harder to fill up. An attacker could fill /tmp and cause any krb5-based authentication to fail.

** Affects: libpam-krb5 (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/732990

Title:
  libpam-krb5 writes to /tmp, does not work when disk is full.
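The behaviour the report asks for, as an added example that is not libpam-krb5 code and not part of the original report: the temporary cache is created in the first directory of a configured list that accepts both file creation and a small write, so a full /tmp does not fail authentication outright. The function name, the directory list and the probe write are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper (not libpam-krb5 code): create the temporary ticket
 * cache in the first directory of `dirs` that accepts both file creation
 * and a small write. Returns the index of the directory used, or -1 with
 * errno set from the last failure. */
int cache_mkstemp_in(const char *const dirs[], size_t ndirs,
                     char *path, size_t pathlen)
{
    static const char probe[512] = {0};   /* constructed probe payload */
    int saved = ENOENT;

    for (size_t i = 0; i < ndirs; i++) {
        int n = snprintf(path, pathlen, "%s/krb5cc_pam_XXXXXX", dirs[i]);
        if (n < 0 || (size_t)n >= pathlen) { saved = ENAMETOOLONG; continue; }

        int fd = mkstemp(path);           /* exclusive create, mode 0600 */
        if (fd < 0) { saved = errno; continue; }

        /* mkstemp can succeed on a nearly full filesystem; a write shows
         * whether credentials could actually be stored (ENOSPC/EDQUOT). */
        ssize_t w = write(fd, probe, sizeof probe);
        if (w == (ssize_t)sizeof probe && ftruncate(fd, 0) == 0) {
            close(fd);
            return (int)i;
        }
        saved = (w < 0 || w == (ssize_t)sizeof probe) ? errno : ENOSPC;
        close(fd);
        unlink(path);                     /* do not leave a stale file */
    }
    errno = saved;
    return -1;
}

int main(void)
{
    /* Constructed search order: a per-user tmpfs first, /tmp as fallback. */
    const char *const dirs[] = { "/run/user/1000", "/tmp" };
    char path[256];
    int used = cache_mkstemp_in(dirs, 2, path, sizeof path);
    if (used < 0) { perror("ticket cache"); return 1; }
    printf("cache created at %s\n", path);
    unlink(path);
    return 0;
}
```

Any directory placed in the list should be either owned by the authenticating user or sticky and world-writable like /tmp, since the exclusive 0600 create from mkstemp is what keeps other local users away from the cache file.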