Re: Sudo: local root compromise with krb5 enabled



On Fri, Jun 15, 2007 at 02:36:11PM -0400, Ken Raeburn wrote:
> On Jun 14, 2007, at 11:00, Kyle Wheeler wrote:
>
>> Maybe I'm misunderstanding here, but so what? This sounds like the
>> equivalent of this:
>>
>>     My program respects the $ALLOW_ROOT_COMPROMISE environment
>>     variable. You may think root compromises are bad, and that the
>>     environment variable is ludicrous, and I agree (that "feature" was
>>     added before I took over), but if I removed it then that would be
>>     an incompatible break from previous versions.
>
> Don't forget, "... and we have a trivial way to turn it off, though
> some programs can't be bothered to use it".

Honestly, when one's security software has an "API" consisting of hundreds
of functions (many duplicative) and a long history of not including many
functions used by the maintainers' own application code in that API
documentation, the suggestion "we have another function very much like that
in the API, except that it works right" is... well, I personally don't
consider it a terribly helpful suggestion. As I'm sure Ken recalls, until
around the year 2000 it wasn't actually possible to write a function
equivalent to krb5_verify_user() without using functions present in MIT
libkrb5, but not documented in the API documentation! (Or, if it was,
then none of MIT's own example application code did it that way)

Bad library API design like this almost inevitably leads to security holes
in application code. What Heimdal has done in this instance seems to me
to be a much, much better way out of this particular Kerberos API pit.
There are other ways to pass ancillary data to Kerberized applications that
must run as root than by insanely dangerous use of environment variables.

Thor
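The application-side counterpart to the library fix Thor is arguing for, as an added example that is not code from this thread, from sudo, or from MIT or Heimdal: a program that runs as root and links a library which reads its own configuration from environment variables (libkrb5 honours KRB5_CONFIG, KRB5CCNAME and KRB5_KTNAME, among others; the library-side alternative in both MIT krb5 and Heimdal is krb5_init_secure_context(), which ignores them) should hand that library a scrubbed environment rather than the caller's. The keep-list, the blocked prefixes and the sample environment below are my own choices for illustration; the function names are hypothetical.

```c
/* Added example: default-deny environment scrubbing for a privileged program.
 * Not from the original thread, sudo, MIT krb5 or Heimdal. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Names a privileged helper may inherit from its (untrusted) caller.
 * Everything not on this list is dropped. Illustrative choice. */
static const char *const keep_list[] = { "TERM", "LANG", "DISPLAY", NULL };

/* Prefixes that must never reach the process even if someone later adds a
 * matching name to keep_list: KRB5* steers libkrb5 (KRB5_CONFIG, KRB5CCNAME,
 * KRB5_KTNAME, ...), LD_* steers the dynamic loader. */
static const char *const blocked_prefixes[] = { "KRB5", "LD_", NULL };

/* Length of the NAME part of a "NAME=value" entry. */
static size_t env_name_len(const char *entry)
{
    const char *eq = strchr(entry, '=');
    return eq ? (size_t)(eq - entry) : strlen(entry);
}

/* Decide whether one "NAME=value" entry survives: 1 = keep, 0 = drop.
 * Blocked prefixes are checked first so they win over the keep-list. */
int env_entry_allowed(const char *entry)
{
    size_t n = env_name_len(entry);

    for (const char *const *p = blocked_prefixes; *p; p++)
        if (strncmp(entry, *p, strlen(*p)) == 0)
            return 0;

    for (const char *const *k = keep_list; *k; k++)
        if (strlen(*k) == n && strncmp(entry, *k, n) == 0)
            return 1;

    return 0;                               /* default deny */
}

/* Copy the allowed entries of `in` into `out` and NULL-terminate it.
 * `cap` is the number of slots in `out`, including the terminator.
 * Returns the number of entries kept, or (size_t)-1 if `out` is too small. */
size_t scrub_env(char *const *in, const char **out, size_t cap)
{
    size_t n = 0;
    for (; *in; in++) {
        if (!env_entry_allowed(*in))
            continue;
        if (n + 1 >= cap)
            return (size_t)-1;
        out[n++] = *in;
    }
    out[n] = NULL;
    return n;
}

/* Constructed sample environment standing in for what a local user could
 * hand a setuid program. Not a real capture. */
static char *const sample_env[] = {
    "TERM=xterm",
    "KRB5_CONFIG=/home/user/krb5.conf",
    "KRB5CCNAME=FILE:/tmp/krb5cc_user",
    "LD_PRELOAD=/home/user/hook.so",
    "LANG=C",
    "PATH=/home/user/bin:/usr/bin",
    NULL
};

/* Run the scrub over sample_env and report how many entries survived. */
size_t demo_kept_count(void)
{
    const char *clean[8];
    return scrub_env(sample_env, clean, sizeof clean / sizeof clean[0]);
}

int main(void)
{
    const char *clean[8];
    size_t kept = scrub_env(sample_env, clean, sizeof clean / sizeof clean[0]);

    for (size_t i = 0; i < kept; i++)
        printf("kept: %s\n", clean[i]);
    /* `clean` is what to pass to execve(), or to install with clearenv() and
     * putenv() in the privileged process before the library is first
     * initialised. */
    return 0;
}
```

The scrub has to run in the privileged process itself, before the first library initialisation, not only on the environment eventually handed to a child; a keep-list is used rather than a denylist so that a variable nobody thought of is dropped by default, and the prefix block exists only so a later edit to the keep-list cannot quietly reopen the hole.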


