
Re: PIPE ccache implementation for Heimdal



On Fri, 23 May 2008 09:04:31 -0400
"Ken Hornstein (Contractor)" <kenh@cmf.nrl.navy.mil> wrote:

> >Unfortunately I've only tested kinit, klist and kdestroy because I don't
> >have access to the necessary kerberized services like rcp and such. I
> >was just curious as to how this worked in general and I won't be using
> >it in the near future (it still doesn't solve my web server scenario
> >since a mischievous user can easily find the said descriptor and access
> >the ccache).
> 
> Um, that is not correct (that was the whole point of the PIPE cache).
> How could a mischievous user get access to that descriptor if they are
> not one of the descendants of the original process?  While the PIPE
> descriptor does appear in /proc for the processes on some operating
> systems, when I looked at that you couldn't actually use descriptors
> created by socketpair() for anything.
> 
> Now if your concern is processes WITHIN the ancestry hierarchy of the
> master process, well, I can't imagine a credential cache that could
> possibly solve that problem.

I need something that is created when the web server starts. In that
scenario, with your PIPE ccache, all HTTP worker processes will inherit
the pipe descriptor and thus have access to the PIPE ccache.

So I'm not pointing out some kind of flaw in your code. It's just wrong
for my scenario.

I need a shared hashmap storage with authentication. When a ccache
is created an authenticator is returned. That authenticator is placed
into the user's HTTP session. Existing ccaches can be opened with the
appropriate authenticator.

Or something like that :->

Mike

-- 
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
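
The store sketched in the message above, as an added Python example that is not part of the original thread or of Heimdal: creating a ccache returns a random authenticator for the user's HTTP session, and only that authenticator opens the entry. The class name, the in-process dict standing in for shared storage, the opaque credential bytes and the lifetime are all assumptions made for illustration.

```python
import hashlib
import secrets
import time


class CCacheStore:
    """Hypothetical in-memory stand-in for a shared, authenticated ccache store."""

    def __init__(self, lifetime=600.0, clock=time.monotonic):
        self._entries = {}        # sha256(authenticator) -> (expires_at, creds)
        self._lifetime = lifetime  # assumed expiry, not something the thread specifies
        self._clock = clock

    @staticmethod
    def _key(authenticator):
        # Only a digest is kept, so a dump of the map yields no usable authenticators.
        return hashlib.sha256(authenticator.encode("ascii")).digest()

    def create(self, creds):
        """Store opaque credential bytes; return the authenticator for the session."""
        authenticator = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        expires_at = self._clock() + self._lifetime
        self._entries[self._key(authenticator)] = (expires_at, creds)
        return authenticator

    def open(self, authenticator):
        """Return the credentials; unknown, malformed and expired handles fail alike."""
        try:
            key = self._key(authenticator)
        except (UnicodeEncodeError, AttributeError):
            raise PermissionError("no such ccache") from None
        entry = self._entries.get(key)
        if entry is None or entry[0] <= self._clock():
            self._entries.pop(key, None)  # purge an expired entry on first touch
            raise PermissionError("no such ccache")
        return entry[1]

    def destroy(self, authenticator):
        """Drop the entry, as kdestroy would; True if one existed."""
        return self._entries.pop(self._key(authenticator), None) is not None


if __name__ == "__main__":
    store = CCacheStore()
    token = store.create(b"constructed-credential-blob")  # constructed sample data
    print(store.open(token))
    print(store.destroy(token))
```

A worker that inherits access to the store but does not hold a given session's authenticator gets the same `PermissionError` as for a handle that never existed.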