From owner-freebsd-stable@FreeBSD.ORG Fri Feb 5 14:59:43 2010
Message-ID: <4B6C3258.7050607@eng.auth.gr>
Date: Fri, 05 Feb 2010 16:59:36 +0200
From: George Mamalakis
To: freebsd-stable, freebsd-current@freebsd.org
Subject: Kerberized NFSv3 incorrect behavior (revisited)
List-Id: Production branch of FreeBSD source code

What's more, if I obtain (as root for example) a ticket for user mamalos and kdestroy it, and then log in as user root in a new terminal, the root user in the new terminal still has all privileges of mamalos in the share. Klist, of course, shows no tickets. This could also be a security threat, in case different Kerberos principals (users in this setup) use a shared machine account to log on, and then access their resources by kiniting to their respective principals. I assume that this must have to do with the kernel's KGSSAPI support, which "forgets" to delete or renew its Kerberos cache.

Thank you all, again, for your time.

-- 
George Mamalakis

IT Officer
Electrical and Computer Engineer (Aristotle Un. of Thessaloniki),
MSc (Imperial College of London)

Department of Electrical and Computer Engineering
Faculty of Engineering
Aristotle University of Thessaloniki

phone number : +30 (2310) 994379