>[...]
>This too only protects against casual attacks, since root can still get
>access to this ticket cache by trying hard enough.


It's all about what you define as "casual". Just opening files in
/proc will not work; your best bet is to ptrace() one of the existing
processes that has the credential cache descriptor available (or simply
attack via ptrace() the credential manager process itself). From what
I've seen of existing ptrace()-based attack tools this technique
requires some skill and would involve some work. I prefer to use the
term "unsophisticated" attacks when describing what this credential
cache protects against. Kernel keyrings are better, of course, but
they're not available everywhere.

I don't think there is a complete solution if you posit an attacker having
root access to a client workstation. And that old joke who's punchline
is, "I don't have to run faster than the bear, I just have to run faster
than you," comes to mind.

--Ken