diff options
author | Jeffrey Altman <jaltman@secure-endpoints.com> | 2006-07-24 06:58:23 +0000 |
---|---|---|
committer | Jeffrey Altman <jaltman@secure-endpoints.com> | 2006-07-24 06:58:23 +0000 |
commit | e3aa436cc8b1eab7ef67f15ec17aa4bf8310dca7 (patch) | |
tree | 3a4bf8fe2592b2737b9891e9f4b9c3feb38c7d79 /src/windows/kfwlogon/kfwlogon.h | |
parent | dedcfc188f4f9a30f136d4fe145b5bc545d220b9 (diff) | |
download | krb5-e3aa436cc8b1eab7ef67f15ec17aa4bf8310dca7.tar.gz krb5-e3aa436cc8b1eab7ef67f15ec17aa4bf8310dca7.tar.xz krb5-e3aa436cc8b1eab7ef67f15ec17aa4bf8310dca7.zip |
Windows Integrated Login Fixes for KFW 3.1
KFW integrated login was failing when the user is
not a power user or administrator. This was occurring
because the temporary file ccache was being created in
a directory the user could not read. While fixing this
it was noticed that the ACLs on the ccache were too broad.
Instead of applying a fix to the FILE: krb5_ccache
implementation it was decided that simply applying a new
set of ACLs (SYSTEM and "user" with no inheritance) to
the file immediately after the krb5_cc_initialize() call
would close the broadest security issues.
The file is initially created in the SYSTEM %TEMP% directory
with "SYSTEM" ACL only. Then it is moved to the user's %TEMP%
directory with "SYSTEM" and "user" ACLs. Finally, after
copying the credentials to the API: ccache, the file is deleted.
ticket: new
tags: pullup
component: windows
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18379 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/windows/kfwlogon/kfwlogon.h')
-rw-r--r-- | src/windows/kfwlogon/kfwlogon.h | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/src/windows/kfwlogon/kfwlogon.h b/src/windows/kfwlogon/kfwlogon.h index 34c8cc70c8..d3fa6709d6 100644 --- a/src/windows/kfwlogon/kfwlogon.h +++ b/src/windows/kfwlogon/kfwlogon.h @@ -1,6 +1,6 @@ /*
-Copyright 2005 by the Massachusetts Institute of Technology
+Copyright 2005,2006 by the Massachusetts Institute of Technology
All rights reserved.
@@ -194,6 +194,8 @@ int KFW_is_available(void); int KFW_get_cred( char * username, char * password, int lifetime, char ** reasonP );
void KFW_copy_cache_to_system_file(char * user, char * szLogonId);
int KFW_destroy_tickets_for_principal(char * user);
+int KFW_set_ccache_dacl(char *filename, HANDLE hUserToken);
+int KFW_obtain_user_temp_directory(HANDLE hUserToken, char *newfilename, int size);
#ifdef __cplusplus
}
|