[security] Incorrect file permissions for ccache file #357

Open
dafanasiev opened this issue Sep 9, 2023 · 9 comments · May be fixed by #382

@dafanasiev

Describe the bug
Only the owner can read/write the ccache file (when the krb5 ticket cache is stored as a local file).
Currently (at least on Linux) the generated ccache file has the wrong permissions (because of umask?).

To Reproduce

var client = new KerberosClient(new Krb5Config
{
    Defaults =
    {
        DnsLookupKdc = false,
        DefaultCCacheName = "FILE:/tmp/ccache.test",   // file does not exist yet
    },
})
{
    CacheInMemory = false
};

var kerbCred = new KerberosPasswordCredential("[email protected]", "password", "company.corp");

client.PinKdc("company.corp", "dc.company.corp");
await client.Authenticate(kerbCred);

// see in shell: 
//
// # umask
// 0002
// # ls -la /tmp/ccache.test
// -rw-rw-r--  ......  /tmp/ccache.test

Additional context
The same problem was previously fixed in nuget cli: https://github.com/NuGet/NuGet.Client/blob/dev/src/NuGet.Core/NuGet.Packaging/NuGetExtractionFileIO.cs

@dafanasiev dafanasiev added the bug label Sep 9, 2023
@SteveSyfuhs
Collaborator

Why would we want to allow more than the owner to access the ticket cache for their own user?

@dafanasiev
Author

dafanasiev commented Sep 11, 2023

Why would we want to allow more than the owner to access the ticket cache for their own user?

No, we don't want that.
Now (with umask=0002) any user can read (and any user in the owner's group can read-write) the saved ticket.
We need to set the unix file security attributes explicitly, regardless of the umask value.

See also: https://github.com/krb5/krb5/blob/master/src/lib/krb5/ccache/cc_file.c#L866-L873

@DanielMGoldberg

Hey, I'm trying to save my ccache file inside my linux container but it doesn't seem to work and I don't see any error.
I'm hosting my app on openshift.

Does anyone know what might be the issue?

@amranmo1

up. would like to know how to achieve this too

@wfurt
Member

wfurt commented Oct 30, 2024

I think it boils down to

File.Open("test",  FileMode.Create, FileAccess.Write, FileShare.None);

creates file like

-rw-rw-r--  1 furt furt    0 Oct 30 22:09 test

This file is readable by anybody as the base File class has no idea it contains security sensitive information.

While many distributions create a unique group for each user, I would expect that Kerberos.Net should not depend on it, and locations like "/tmp/XXXX" may be viewed as a security weakness @SteveSyfuhs.

Starting with .NET 7.0 File.SetUnixFileMode is available and it should probably be called explicitly if !OperatingSystem.IsWindows()

I could probably craft a PR @SteveSyfuhs - but I'm not sure if we care about Framework or .NET Standard...?

@wfurt
Member

wfurt commented Oct 30, 2024

Note that since the cache location is known, anybody who needs to can use SetUnixFileMode directly as a workaround.
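
An added example, not part of the thread and not Kerberos.NET code, of the two options discussed in the comments above: creating the cache file as 0600 regardless of umask, and tightening a file that was already written at a known path. It assumes .NET 7 or later; the class and method names are hypothetical.

```csharp
using System;
using System.IO;

// Added illustration, not Kerberos.NET code. Requires .NET 7 or later.
static class CCacheFilePermissions   // hypothetical helper name
{
    // 0600: read/write for the owner, nothing for group or others.
    const UnixFileMode OwnerOnly = UnixFileMode.UserRead | UnixFileMode.UserWrite;

    // Opens the cache file for writing with owner-only permissions, whatever the umask.
    public static FileStream CreateOwnerOnly(string path)
    {
        var options = new FileStreamOptions
        {
            Mode = FileMode.Create,
            Access = FileAccess.Write,
            Share = FileShare.None,
        };

        if (!OperatingSystem.IsWindows())
        {
            // Passed to open(2) when the file is created; the umask can only clear bits.
            options.UnixCreateMode = OwnerOnly;
        }

        var stream = new FileStream(path, options);

        if (!OperatingSystem.IsWindows())
        {
            // UnixCreateMode has no effect on a file that already existed,
            // so tighten it through the open handle as well.
            File.SetUnixFileMode(stream.SafeFileHandle, OwnerOnly);
        }

        return stream;
    }

    // Workaround for a cache file already written at a known path.
    // Returns true when bits beyond owner read/write were present and have been removed.
    public static bool TightenExisting(string path)
    {
        if (OperatingSystem.IsWindows() || !File.Exists(path)) return false;
        if ((File.GetUnixFileMode(path) & ~OwnerOnly) == UnixFileMode.None) return false;
        File.SetUnixFileMode(path, OwnerOnly);
        return true;
    }
}
```

Setting the mode at creation closes the window in which the file exists with umask-derived permissions; calling `TightenExisting` after the fact does not.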

@SteveSyfuhs
Collaborator

Yeah we need to continue supporting Framework for a while still.

There's a hacky workaround I use in other places that does a reflection call to find the relevant method: https://github.com/dotnet/Kerberos.NET/blob/develop/Kerberos.NET/Crypto/Pal/Rfc2898DeriveBytes.cs

That would probably work well enough here?

@wfurt
Member

wfurt commented Oct 31, 2024

yes, one can possibly multi-target and have separate binaries ... but that is a pain IMHO. This is not perf critical IMHO and the API is unlikely to change or vanish.

@wfurt wfurt linked a pull request Nov 1, 2024 that will close this issue
@amranmo1

amranmo1 commented Nov 7, 2024

I managed to get it to work locally by configuring the right volume mount and permissions:
setting the default CCacheName in the Kerberos.NET config to write to a writable volume (basically any location within /app is writable),
and also setting CacheInMemory = false, as the default is true and it won't write to a file when it's writing to memory.

Kerberos.NET config

client.Configuration.Defaults.DefaultCCacheName = "FILE:/app/krb_cache/krb5cc";

docker-compose.override.yml

volumes:
      - krbcache:/app/krb_cache

krb5.conf

[libdefaults]
    default_ccache_name = FILE:/app/krb_cache/krb5cc

dockerfile (to copy the modified default cache file krb5.conf to etc)

COPY ["krb5.conf", "/etc/krb5.conf"]
