[Bug 732990] Re: libpam-krb5 writes to /tmp, does not work when disk is full.
Alec Warner
732990 at bugs.launchpad.net
Sun Feb 5 22:05:34 UTC 2012
Can we get it in Precise?
On Sun, Feb 5, 2012 at 1:31 PM, Russ Allbery <rra at debian.org> wrote:
> As of libpam-krb5 4.5, the temporary ticket cache will be written to
> ccache_dir rather than /tmp if ccache_dir is set. This version is in
> Debian (and has been for a little bit), but it looks like it's not yet
> been imported into Ubuntu.
>
> ** Changed in: libpam-krb5 (Ubuntu)
> Status: New => Fix Committed
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/732990
>
> Title:
> libpam-krb5 writes to /tmp, does not work when disk is full.
>
> Status in “libpam-krb5” package in Ubuntu:
> Fix Committed
>
> Bug description:
> Binary package hint: libpam-krb5
>
> When creating a new ticket cache libpam-krb5 stashes the cache in a
> temporary location;
>
> api-auth.c: pamret = pamk5_cache_init_random(args, creds);
> api-password.c: pamret = pamk5_cache_init_random(args, creds);
>
> in cache.c: pamk5_cache_init_random:
>     char cache_name[] = "/tmp/krb5cc_pam_XXXXXX";
>     /* Store the obtained credentials in a temporary cache. */
>     pamret = pamk5_cache_mkstemp(args, cache_name);
>     if (pamret != PAM_SUCCESS)
>         return pamret;
>
> If /tmp is full this call fails and the entire pam stack will fail.
> When the rootfs is full users kind of expect to be able to do normal
> operations such as unlocking their screen or using sudo to gain root
> access to delete files.
>
> It would be nice if we could control where the tempfile was written in
> /etc/krb5.conf like many of the other pam options.
>
> antarus at goats ~/local/libpam-krb5-4.2 $ lsb_release -rd
> Description: Ubuntu 10.04.1 LTS
> Release: 10.04
>
> antarus at goats ~/local/libpam-krb5-4.2 $ apt-cache policy libpam-krb5
> libpam-krb5:
> Installed: 4.2-1
> Candidate: 4.2-1
>
> I expect to be able to configure libpam-krb5 to write to a tmpfs or
> something that is harder to fill up. An attacker could fill /tmp and
> cause any krb5-based authentication to fail.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/libpam-krb5/+bug/732990/+subscriptions
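
An added example, not part of the original message and not libpam-krb5 source: C code that creates the temporary cache file in a configurable directory instead of a hard-coded /tmp, and returns the errno so the caller can tell a full or missing directory apart from other failures. The function name make_temp_ccache and its parameters are hypothetical; only the krb5cc_pam_XXXXXX template and the ccache_dir option name come from the thread.

```c
/* Added illustration; not libpam-krb5 code. Names are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Create an empty temporary ticket-cache file in ccache_dir, falling back
 * to /tmp when ccache_dir is NULL or empty.  On success the final path is
 * left in out and 0 is returned.  On failure an errno value is returned,
 * for example ENOSPC when the filesystem cannot hold a new file or ENOENT
 * when the configured directory does not exist.
 */
int make_temp_ccache(const char *ccache_dir, char *out, size_t outlen)
{
    const char *dir = "/tmp";
    if (ccache_dir != NULL && *ccache_dir != '\0')
        dir = ccache_dir;

    /* Build the mkstemp template inside the chosen directory. */
    int n = snprintf(out, outlen, "%s/krb5cc_pam_XXXXXX", dir);
    if (n < 0 || (size_t) n >= outlen)
        return ENAMETOOLONG;

    /* mkstemp opens with O_CREAT|O_EXCL, so a pre-planted file or
     * symlink with the same name cannot be reused. */
    int fd = mkstemp(out);
    if (fd < 0)
        return errno;

    /* Credentials will be stored here: owner read/write only. */
    if (fchmod(fd, S_IRUSR | S_IWUSR) != 0) {
        int saved = errno;
        close(fd);
        unlink(out);
        return saved;
    }
    close(fd);
    return 0;
}

int main(int argc, char **argv)
{
    char path[4096];
    int err = make_temp_ccache(argc > 1 ? argv[1] : NULL, path, sizeof path);
    if (err != 0) {
        fprintf(stderr, "cache creation failed: %s\n", strerror(err));
        return 1;
    }
    printf("%s\n", path);
    return unlink(path) == 0 ? 0 : 1;
}
```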