NetBSD Problem Report #12825

Received: (qmail 5339 invoked from network); 4 May 2001 02:37:29 -0000
Message-Id: <200105040237.f442bTC01886@nutcracker.dynarc.se>
Date: Fri, 4 May 2001 04:37:29 +0200 (CEST)
From: lha@stacken.kth.se
Reply-To: lha@stacken.kth.se
To: gnats-bugs@gnats.netbsd.org
Subject: su doesn't reset KRB5CCNAME nor KRBTKFILE when not using kerberos
X-Send-Pr-Version: 3.95

>Number:         12825
>Category:       bin
>Synopsis:       su doesn't reset KRB5CCNAME nor KRBTKFILE
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri May 04 02:38:00 +0000 2001
>Closed-Date:    
>Last-Modified:  Mon Jun 18 03:11:00 +0000 2001
>Originator:     Love
>Release:        1.5U
>Organization:
	Stacken Computer Club
>Environment:

System: NetBSD nutcracker.dynarc.se 1.5U NetBSD 1.5U (NUTCRACKER) #3: Mon Apr 9 16:12:48 CEST 2001 lha@nutcracker.dynarc.se:/usr/src/sys/arch/i386/compile/NUTCRACKER i386
Architecture: i386
Machine: i386
>Description:

	su doesn't reset KRB5CCNAME nor KRBTKFILE when not using kerberos

	This make you overwrite your creds too easily.

>How-To-Repeat:

	: lha@nutcracker ; klist | head -2
	Credentials cache: FILE:/tmp/krb5cc_913.ttyE0
	        Principal: lha@E.KTH.SE
	: lha@nutcracker ; PATH=/usr/bin:$PATH
	: lha@nutcracker ; klist | head -2
	Credentials cache: FILE:/tmp/krb5cc_913.ttyE0
	        Principal: lha@E.KTH.SE
	: lha@nutcracker ; su -K
	Password:
	nutcracker# klist | head -2
	klist: No ticket file (tf_util)
	Credentials cache: FILE:/tmp/krb5cc_913.ttyE0
	        Principal: lha@E.KTH.SE

>Fix:

	Setting the KRB5CCNAME and KRBTKFILE is not done in the main
	code-path but in kerberos() and kerberos5() functions.

	I think part of the trick is to break out setting of these env
	variables to always be done.
>Release-Note:
>Audit-Trail:

From: John Hawkinson <jhawk@MIT.EDU>
To: lha@stacken.kth.se
Cc: gnats-bugs@gnats.netbsd.org
Subject: Re: bin/12825: su doesn't reset KRB5CCNAME nor KRBTKFILE when not using kerberos
Date: Thu, 10 May 2001 01:48:25 -0400 (EDT)

 I don't think this is a bug.
 Traditionally, su has not been kerberos-aware and does not change
 these env vars. I don't think that we should change that behavior.

 Certainly it's my expectation that I'll keep my credentials
 when I su, and if I want differently, I will reset the vars
 by hand.

 Do you have any precedent for such a change?

 I'm also a little disturbed that 'su -K' might be necessary for su-ing
 to root. It seems unnecessarily difficult.

 --jhawk

From: Love <lha@stacken.kth.se>
To: John Hawkinson <jhawk@MIT.EDU>
Cc: gnats-bugs@gnats.netbsd.org
Subject: Re: bin/12825: su doesn't reset KRB5CCNAME nor KRBTKFILE when not using kerberos
Date: 20 May 2001 18:56:43 +0200

 John Hawkinson <jhawk@MIT.EDU> writes:

 > I don't think this is a bug.
 > Traditionally, su has not been kerberos-aware and does not change
 > these env vars. I don't think that we should change that behavior.

 Su sets the env vars in case it uses Kerberos (of course).

 > Certainly it's my expectation that I'll keep my credentials
 > when I su, and if I want differently, I will reset the vars
 > by hand.

 In my experience its usually the opposite, just becase I sued to root,
 I don't want to modify the the orignal users credentials when as root
 typing kinit.

 > Do you have any precedent for such a change?

 kth-krb/heimdal's su behaves like I described it. It set both
 KRBTKFILE and KRB5CCNAME.

 > I'm also a little disturbed that 'su -K' might be necessary for su-ing
 > to root. It seems unnecessarily difficult.

 If there are no /etc/krb5.conf, kerberos wont be used. The case it
 might fail when there is a /etc/krb5.conf is when DNS don't work. The
 Heimdal code is happy about doing resolving names. I think that is a
 good thing, its make it easy for the user.

 There should be a good way to turn it of thou. The non-existance of
 /etc/krb5.conf is a really lousy test. Just because the files is
 missing I should (as a user w/o root access) be denied to used
 programs like kinit ? The existance of a keytab file is a better test.

 Love

From: John Hawkinson <jhawk@MIT.EDU>
To: Love <lha@stacken.kth.se>
Cc: gnats-bugs@gnats.netbsd.org
Subject: Re: bin/12825: su doesn't reset KRB5CCNAME nor KRBTKFILE when not using kerberos
Date: Sun, 17 Jun 2001 20:04:37 -0400

 Love <lha@stacken.kth.se> wrote on Sun, 20 May 2001
 at 18:56:43 +0200 in <amk83cj6wk.fsf@stevens.e.kth.se>:

 Wow. Sorry this sat so long.

 > > Certainly it's my expectation that I'll keep my credentials
 > > when I su, and if I want differently, I will reset the vars
 > > by hand.
 > 
 > In my experience its usually the opposite, just becase I sued to root,
 > I don't want to modify the the orignal users credentials when as root
 > typing kinit.

 Hmm. So, for instance, if I su in a window, it's generally to edit
 some specific configuration file on the machine in question. But I might
 still want to perform operations like "zwrite" in that window
 that should be done with my own credentials.

 > > Do you have any precedent for such a change?
 > 
 > kth-krb/heimdal's su behaves like I described it. It set both
 > KRBTKFILE and KRB5CCNAME.

 Hmm. Different from what happens over here in Athena-land.

 > > I'm also a little disturbed that 'su -K' might be necessary for su-ing
 > > to root. It seems unnecessarily difficult.
 > 
 > If there are no /etc/krb5.conf, kerberos wont be used. The case it
 > might fail when there is a /etc/krb5.conf is when DNS don't work. The
 > Heimdal code is happy about doing resolving names. I think that is a
 > good thing, its make it easy for the user.

 I often use Kerberos as a user when it has nothing to do with the
 management of my machine. For instance, I may run zephyr or afs
 on a machine, but there is no central kerberos-based administration
 of the machine in question, and it may have no keytab.

 --jhawk

From: Love <lha@stacken.kth.se>
To: John Hawkinson <jhawk@MIT.EDU>
Cc: gnats-bugs@gnats.netbsd.org
Subject: Re: bin/12825: su doesn't reset KRB5CCNAME nor KRBTKFILE when not using kerberos
Date: 18 Jun 2001 03:22:08 +0200

 John Hawkinson <jhawk@MIT.EDU> writes:

 > Love <lha@stacken.kth.se> wrote on Sun, 20 May 2001
 > at 18:56:43 +0200 in <amk83cj6wk.fsf@stevens.e.kth.se>:
 > 
 > Wow. Sorry this sat so long.

 Don't worry, there are other things sitting that have been sitting
 longer...

 > > > Certainly it's my expectation that I'll keep my credentials
 > > > when I su, and if I want differently, I will reset the vars
 > > > by hand.
 > > 
 > > In my experience its usually the opposite, just becase I sued to root,
 > > I don't want to modify the the orignal users credentials when as root
 > > typing kinit.
 > 
 > Hmm. So, for instance, if I su in a window, it's generally to edit
 > some specific configuration file on the machine in question. But I might
 > still want to perform operations like "zwrite" in that window
 > that should be done with my own credentials.

 So you trust zephyr programs to be ran as root :)

 If pagsh was built it would be ok and I would keep quiet.

 > > > Do you have any precedent for such a change?
 > > 
 > > kth-krb/heimdal's su behaves like I described it. It set both
 > > KRBTKFILE and KRB5CCNAME.
 > 
 > Hmm. Different from what happens over here in Athena-land.

 It doesn't change PAG neither ? In kth-land it does.

 > > > I'm also a little disturbed that 'su -K' might be necessary for su-ing
 > > > to root. It seems unnecessarily difficult.
 > > 
 > > If there are no /etc/krb5.conf, kerberos wont be used. The case it
 > > might fail when there is a /etc/krb5.conf is when DNS don't work. The
 > > Heimdal code is happy about doing resolving names. I think that is a
 > > good thing, its make it easy for the user.
 > 
 > I often use Kerberos as a user when it has nothing to do with the
 > management of my machine. For instance, I may run zephyr or afs
 > on a machine, but there is no central kerberos-based administration
 > of the machine in question, and it may have no keytab.

 Yes, that is why i proposed that su, telnetd and login should use the
 existance of keytab/srvtab to decide if they should use kerberos. Now login
 always talk to the kdc even if it doesn't have srvtab, and I'm sure you
 know that that isn't safe. Using the existance of krb5.conf is a really bad
 test.

 kinit should do that it was told, get tickets. Telnet should check if it
 has tickets if it could start to talk kerberos.

 Love

From: John Hawkinson <jhawk@MIT.EDU>
To: Love <lha@stacken.kth.se>
Cc: gnats-bugs@gnats.netbsd.org
Subject: Re: bin/12825: su doesn't reset KRB5CCNAME nor KRBTKFILE when not using kerberos
Date: Sun, 17 Jun 2001 23:13:16 -0400

 Love <lha@stacken.kth.se> wrote on Mon, 18 Jun 2001
 at 03:22:08 +0200 in <amzob67fb3.fsf@stevens.e.kth.se>:

 > > Hmm. Different from what happens over here in Athena-land.
 > 
 > It doesn't change PAG neither ? In kth-land it does.

 Well, in Athena-land we just use the stock OS 'su', so of course no
 PAG or ticket-file handling occurs...

 > Yes, that is why i proposed that su, telnetd and login should use the
 > existance of keytab/srvtab to decide if they should use kerberos.

 I'm not sure this is good enough, either, but I guess it's definitely
 better than using krb5.conf.

 --jhawk
>Unformatted:

NetBSD Home
NetBSD PR Database Search

(Contact us) $NetBSD: query-full-pr,v 1.39 2013/11/01 18:47:49 spz Exp $
$NetBSD: gnats_config.sh,v 1.8 2006/05/07 09:23:38 tsutsui Exp $
Copyright © 1994-2007 The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.