suexec

Has anyone any thoughts on using SaveKrbCredentials with suEXEC - the
security implications thereof?

Specifically, Bob installs a CGI in his personal web-space which is run
using suEXEC

Bob uses this CGI to access his IMAP account - a web-mail script, RSS
feed generator, etc.

To avoid plain-text passwords, Bob uses SaveKrbCredentials to
authenticate to the IMAP server

Since the CGI is run as Bob's user-id, the SaveKrbCredentials
credentials cache must be readable by Bob's user-id

Now suppose the credentials cache is readable by Bob's userid & Sally
accesses Bob's CGI - her credentials are available to Bob for any
purpose he should choose

Should it be Sally's responsibility to avoid authenticating to Bob's
script unless she trusts Bob?

Is this any different from authenticating to a web-mail script using
plain-text passwords - you must trust the user who installed to script
before authenticating to it

Currently, the credentials cache is readable only by Apache's user-id.
While this prevents Bob from hijacking Sally's credentials, it also
prevents Bob from developing a useful CGI using SaveKrbCredentials in
his personal web-space

In this case, Bob is only using SaveKrbCredentials to authenticate
himself to his script & - by proxy - to his IMAP account - his script
need not read anyone else's credentials

Bob could store his credentials persistently, so that his script could
always authenticate to his IMAP account - but if he made a mistake,
Sally might use Bob's script to authenticate to Bob's IMAP account

I think using forwarded credentials is a highly secure arrangement,
since it avoids plain-text passwords & Bob's script cannot be used by
anyone else to access Bob's IMAP account

Perhaps a third alternative to a credentials cache readable by 1)
Apache's user-id only or 2) Apache's user-id & the user-id executing
the CGI, is a credentials cache readable by 3) Apache's user-id & the
user-id to whom the credentials belong

This third alternative prevents Bob from hijacking Sally's credentials
but enables Bob to develop a CGI using SaveKrbCredentials in his
personal web-space

If there're no security problems with this alternative, I think it
would be technically feasible & a desirable feature

Would appreciate your thoughts!

Jack



-------------------------------------------------------
This SF.Net email is sponsored by the JBoss Inc. Get Certified Today
Register for a JBoss Training Course. Free Certification Exam
for All Training Attendees Through End of 2005. For more info visit:
http://ads.osdn.com/?ad_id=7628&alloc_id=16845&op=click