[OpenAFS] Changes for Mosaic's AFS cell...
Derrick J Brashear
Thu, 6 Apr 2006 14:14:25 -0400 (EDT)
On Thu, 6 Apr 2006, Christopher Allen Wing wrote:
>> What does Linux have to do with it? I had a module which worked on Linux
>> and Solaris in 1998 or so... which handled all 3 cases
> I was aware of this behavior with some Linux PAM modules, I'm not familiar
> with what every other OS and every other other PAM module did, that's all.
Fair. I'd argue targeting one platform is crappy, but I actually gave up
on pam like 5 years ago as futile.
>> but did not honor env, though I suppose with the relevant checks you could
>> avoid the attack I was concerned about... which at this point I no longer
>> even remember the details of.
> On these particular (Linux) systems, xscreensaver didn't run as root, so you
> couldn't attack it by feeding it an incorrect $KRB5CCNAME.
Actually, now I do remember. 1) a primitive I wanted didn't exist in krb4
and so i was doing something ugly and 2) whether you were root or yourself
was not well-defined and so there was some hoop-jumpoing to make sure the
ticket file ended up being owned correctly which was made harder if you
wanted to reuse an existing ticket file.