[OpenAFS] Redux: Linux: systemctl --user vs. AFS

Ken Hornstein kenh@cmf.nrl.navy.mil
Fri, 06 Aug 2021 11:44:45 -0400

>So why is storage in files so much more dangrous than storage in
>memory? If one happens to get a process which can read the files in
>local /tmp, why could that process not modify any of /proc/<pid>/mem
>on the same computer to get at the ticket cache anyway? 

A fair question.  I mean, conceptually, if the end system is compromised
in theory everything is vulnerable.

But the real world is a bit messier.  What I discovered when doing
post-attack analysis is that not all attackers are that sophisticated.
The ones we dealt with mostly had a few basic recipes for attack; they
weren't developing new ones.  I am sure my credential cache would not
survive a nation-state level attack, but it sure did stop the ones
we were experiencing and I am not aware of any credential cache theft
attacks we have experienced since then.  We have been migrating to
KEYRING on Linux systems, which is better in that the the credentials
are stored in kernel memory and not user space.

The other advantage that occurs to to in-memory credential caches vs
file credential caches that occurs to me is that's very easy to trawl
the filesystem to look for credential caches.  Scanning the entire OS
memory is much harder.