Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.411 (Entity 5.404) From: tlyu@mit.edu Subject: SVN Commit RT-Send-CC: X-RT-Original-Encoding: iso-8859-1 Content-Length: 1409 pull up r18379 from trunk r18379@cathode-dark-space: jaltman | 2006-07-24 02:58:23 -0400 ticket: new subject: Windows Integrated Login Fixes for KFW 3.1 tags: pullup component: windows KFW integrated login was failing when the user is not a power user or administrator. This was occurring because the temporary file ccache was being created in a directory the user could not read. While fixing this it was noticed that the ACLs on the ccache were too broad. Instead of applying a fix to the FILE: krb5_ccache implementation it was decided that simply applying a new set of ACLs (SYSTEM and "user" with no inheritance) to the file immediately after the krb5_cc_initialize() call would close the broadest security issues. The file is initially created in the SYSTEM %TEMP% directory with "SYSTEM" ACL only. Then it is moved to the user's %TEMP% directory with "SYSTEM" and "user" ACLs. Finally, after copying the credentials to the API: ccache, the file is deleted. Commit By: tlyu Revision: 18386 Changed Files: _U branches/krb5-1-5/ U branches/krb5-1-5/src/windows/kfwlogon/Makefile.in U branches/krb5-1-5/src/windows/kfwlogon/kfwcommon.c U branches/krb5-1-5/src/windows/kfwlogon/kfwcpcc.c U branches/krb5-1-5/src/windows/kfwlogon/kfwlogon.c U branches/krb5-1-5/src/windows/kfwlogon/kfwlogon.h