Skip Menu |
 

From: kaduk@MIT.EDU
Subject: SVN Commit

Do not be over-restrictive in the presence of UAC

We used to explicitly check if a process was UAC-limited and deny all
access to the TGT in that case; however, this makes the MSLSA cache
effectively useless.
Do not try to outsmart UAC, and let it do its own checking -- this allows
UAC-limited access to the MSLSA ccache, which should mean read-write
access to service tickets, and write-only access to the TGT.

Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>

[kaduk@mit.edu: delete instead of comment out, move comment.]

https://github.com/krb5/krb5/commit/8020c64554dd25a4f09df8a28dca924c6ecb5608
Author: Kevin Wasserman <kevin.wasserman@painless-security.com>
Committer: Ben Kaduk <kaduk@mit.edu>
Commit: 8020c64554dd25a4f09df8a28dca924c6ecb5608
Branch: master
src/lib/krb5/ccache/cc_mslsa.c | 43 +++------------------------------------
1 files changed, 4 insertions(+), 39 deletions(-)
From: tlyu@mit.edu
Subject: SVN Commit

Do not be over-restrictive in the presence of UAC

We used to explicitly check if a process was UAC-limited and deny all
access to the TGT in that case; however, this makes the MSLSA cache
effectively useless.
Do not try to outsmart UAC, and let it do its own checking -- this allows
UAC-limited access to the MSLSA ccache, which should mean read-write
access to service tickets, and write-only access to the TGT.

Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>

[kaduk@mit.edu: delete instead of comment out, move comment.]

(cherry picked from commit 8020c64554dd25a4f09df8a28dca924c6ecb5608)

https://github.com/krb5/krb5/commit/4e52b28c39bc48c3cad60ae833156061a0ae9b02
Author: Kevin Wasserman <kevin.wasserman@painless-security.com>
Committer: Tom Yu <tlyu@mit.edu>
Commit: 4e52b28c39bc48c3cad60ae833156061a0ae9b02
Branch: krb5-1.10
src/lib/krb5/ccache/cc_mslsa.c | 43 +++------------------------------------
1 files changed, 4 insertions(+), 39 deletions(-)