<<< Date Index >>>     <<< Thread Index >>>

Re: Sudo: local root compromise with krb5 enabled



On Jun 14, 2007, at 11:00, Kyle Wheeler wrote:
On Monday, June 11 at 06:52 PM, quoth Ken Raeburn:
In some MIT applications there was a conscious choice to that
effect.  The MIT library's interface for verifying credentials has a
flag that can be set to indicate whether it should return success or
failure for this specific case.  (Though personally, I think the
default should be the more paranoid one, it would be an incompatible
break from previous versions.)

Maybe I'm misunderstanding here, but so what? This sounds like the
equivalent of this:

     My program respects the $ALLOW_ROOT_COMPROMISE environment
     variable. You may think root compromises are bad, and that the
environment variable is ludicrous, and I agree (that "feature" was
     added before I took over), but if I removed it then that would be
     an incompatible break from previous versions.

Don't forget, "... and we have a trivial way to turn it off, though some programs can't be bothered to use it".

And, as I indicated, in a few environments (including certain parts of the environment in which the code was developed), root compromises actually aren't considered a problem.

Just because older programs allowed it doesn't make it sacrosanct.

No, it doesn't. But backwards compatibility isn't irrelevant either. Both sides were considered in the decision, years ago. I'm not saying we've got the best solution -- just that there were reasons we wound up with the more open default and a function to tighten it up, rather than the other way around. Perhaps it's time to revisit it -- but the existing code is out there and is in use, generally using the APIs correctly...

Ken