NetBSD Problem Report #12825
Received: (qmail 5339 invoked from network); 4 May 2001 02:37:29 -0000
Message-Id: <200105040237.f442bTC01886@nutcracker.dynarc.se>
Date: Fri, 4 May 2001 04:37:29 +0200 (CEST)
From: lha@stacken.kth.se
Reply-To: lha@stacken.kth.se
To: gnats-bugs@gnats.netbsd.org
Subject: su doesn't reset KRB5CCNAME nor KRBTKFILE when not using kerberos
X-Send-Pr-Version: 3.95
>Number: 12825
>Category: bin
>Synopsis: su doesn't reset KRB5CCNAME nor KRBTKFILE
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri May 04 02:38:00 +0000 2001
>Closed-Date:
>Last-Modified: Mon Jun 18 03:11:00 +0000 2001
>Originator: Love
>Release: 1.5U
>Organization:
Stacken Computer Club
>Environment:
System: NetBSD nutcracker.dynarc.se 1.5U NetBSD 1.5U (NUTCRACKER) #3: Mon Apr 9 16:12:48 CEST 2001 lha@nutcracker.dynarc.se:/usr/src/sys/arch/i386/compile/NUTCRACKER i386
Architecture: i386
Machine: i386
>Description:
su doesn't reset KRB5CCNAME nor KRBTKFILE when not using kerberos
This make you overwrite your creds too easily.
>How-To-Repeat:
: lha@nutcracker ; klist | head -2
Credentials cache: FILE:/tmp/krb5cc_913.ttyE0
Principal: lha@E.KTH.SE
: lha@nutcracker ; PATH=/usr/bin:$PATH
: lha@nutcracker ; klist | head -2
Credentials cache: FILE:/tmp/krb5cc_913.ttyE0
Principal: lha@E.KTH.SE
: lha@nutcracker ; su -K
Password:
nutcracker# klist | head -2
klist: No ticket file (tf_util)
Credentials cache: FILE:/tmp/krb5cc_913.ttyE0
Principal: lha@E.KTH.SE
>Fix:
Setting the KRB5CCNAME and KRBTKFILE is not done in the main
code-path but in kerberos() and kerberos5() functions.
I think part of the trick is to break out setting of these env
variables to always be done.
>Release-Note:
>Audit-Trail:
From: John Hawkinson <jhawk@MIT.EDU>
To: lha@stacken.kth.se
Cc: gnats-bugs@gnats.netbsd.org
Subject: Re: bin/12825: su doesn't reset KRB5CCNAME nor KRBTKFILE when not using kerberos
Date: Thu, 10 May 2001 01:48:25 -0400 (EDT)
I don't think this is a bug.
Traditionally, su has not been kerberos-aware and does not change
these env vars. I don't think that we should change that behavior.
Certainly it's my expectation that I'll keep my credentials
when I su, and if I want differently, I will reset the vars
by hand.
Do you have any precedent for such a change?
I'm also a little disturbed that 'su -K' might be necessary for su-ing
to root. It seems unnecessarily difficult.
--jhawk
From: Love <lha@stacken.kth.se>
To: John Hawkinson <jhawk@MIT.EDU>
Cc: gnats-bugs@gnats.netbsd.org
Subject: Re: bin/12825: su doesn't reset KRB5CCNAME nor KRBTKFILE when not using kerberos
Date: 20 May 2001 18:56:43 +0200
John Hawkinson <jhawk@MIT.EDU> writes:
> I don't think this is a bug.
> Traditionally, su has not been kerberos-aware and does not change
> these env vars. I don't think that we should change that behavior.
Su sets the env vars in case it uses Kerberos (of course).
> Certainly it's my expectation that I'll keep my credentials
> when I su, and if I want differently, I will reset the vars
> by hand.
In my experience its usually the opposite, just becase I sued to root,
I don't want to modify the the orignal users credentials when as root
typing kinit.
> Do you have any precedent for such a change?
kth-krb/heimdal's su behaves like I described it. It set both
KRBTKFILE and KRB5CCNAME.
> I'm also a little disturbed that 'su -K' might be necessary for su-ing
> to root. It seems unnecessarily difficult.
If there are no /etc/krb5.conf, kerberos wont be used. The case it
might fail when there is a /etc/krb5.conf is when DNS don't work. The
Heimdal code is happy about doing resolving names. I think that is a
good thing, its make it easy for the user.
There should be a good way to turn it of thou. The non-existance of
/etc/krb5.conf is a really lousy test. Just because the files is
missing I should (as a user w/o root access) be denied to used
programs like kinit ? The existance of a keytab file is a better test.
Love
From: John Hawkinson <jhawk@MIT.EDU>
To: Love <lha@stacken.kth.se>
Cc: gnats-bugs@gnats.netbsd.org
Subject: Re: bin/12825: su doesn't reset KRB5CCNAME nor KRBTKFILE when not using kerberos
Date: Sun, 17 Jun 2001 20:04:37 -0400
Love <lha@stacken.kth.se> wrote on Sun, 20 May 2001
at 18:56:43 +0200 in <amk83cj6wk.fsf@stevens.e.kth.se>:
Wow. Sorry this sat so long.
> > Certainly it's my expectation that I'll keep my credentials
> > when I su, and if I want differently, I will reset the vars
> > by hand.
>
> In my experience its usually the opposite, just becase I sued to root,
> I don't want to modify the the orignal users credentials when as root
> typing kinit.
Hmm. So, for instance, if I su in a window, it's generally to edit
some specific configuration file on the machine in question. But I might
still want to perform operations like "zwrite" in that window
that should be done with my own credentials.
> > Do you have any precedent for such a change?
>
> kth-krb/heimdal's su behaves like I described it. It set both
> KRBTKFILE and KRB5CCNAME.
Hmm. Different from what happens over here in Athena-land.
> > I'm also a little disturbed that 'su -K' might be necessary for su-ing
> > to root. It seems unnecessarily difficult.
>
> If there are no /etc/krb5.conf, kerberos wont be used. The case it
> might fail when there is a /etc/krb5.conf is when DNS don't work. The
> Heimdal code is happy about doing resolving names. I think that is a
> good thing, its make it easy for the user.
I often use Kerberos as a user when it has nothing to do with the
management of my machine. For instance, I may run zephyr or afs
on a machine, but there is no central kerberos-based administration
of the machine in question, and it may have no keytab.
--jhawk
From: Love <lha@stacken.kth.se>
To: John Hawkinson <jhawk@MIT.EDU>
Cc: gnats-bugs@gnats.netbsd.org
Subject: Re: bin/12825: su doesn't reset KRB5CCNAME nor KRBTKFILE when not using kerberos
Date: 18 Jun 2001 03:22:08 +0200
John Hawkinson <jhawk@MIT.EDU> writes:
> Love <lha@stacken.kth.se> wrote on Sun, 20 May 2001
> at 18:56:43 +0200 in <amk83cj6wk.fsf@stevens.e.kth.se>:
>
> Wow. Sorry this sat so long.
Don't worry, there are other things sitting that have been sitting
longer...
> > > Certainly it's my expectation that I'll keep my credentials
> > > when I su, and if I want differently, I will reset the vars
> > > by hand.
> >
> > In my experience its usually the opposite, just becase I sued to root,
> > I don't want to modify the the orignal users credentials when as root
> > typing kinit.
>
> Hmm. So, for instance, if I su in a window, it's generally to edit
> some specific configuration file on the machine in question. But I might
> still want to perform operations like "zwrite" in that window
> that should be done with my own credentials.
So you trust zephyr programs to be ran as root :)
If pagsh was built it would be ok and I would keep quiet.
> > > Do you have any precedent for such a change?
> >
> > kth-krb/heimdal's su behaves like I described it. It set both
> > KRBTKFILE and KRB5CCNAME.
>
> Hmm. Different from what happens over here in Athena-land.
It doesn't change PAG neither ? In kth-land it does.
> > > I'm also a little disturbed that 'su -K' might be necessary for su-ing
> > > to root. It seems unnecessarily difficult.
> >
> > If there are no /etc/krb5.conf, kerberos wont be used. The case it
> > might fail when there is a /etc/krb5.conf is when DNS don't work. The
> > Heimdal code is happy about doing resolving names. I think that is a
> > good thing, its make it easy for the user.
>
> I often use Kerberos as a user when it has nothing to do with the
> management of my machine. For instance, I may run zephyr or afs
> on a machine, but there is no central kerberos-based administration
> of the machine in question, and it may have no keytab.
Yes, that is why i proposed that su, telnetd and login should use the
existance of keytab/srvtab to decide if they should use kerberos. Now login
always talk to the kdc even if it doesn't have srvtab, and I'm sure you
know that that isn't safe. Using the existance of krb5.conf is a really bad
test.
kinit should do that it was told, get tickets. Telnet should check if it
has tickets if it could start to talk kerberos.
Love
From: John Hawkinson <jhawk@MIT.EDU>
To: Love <lha@stacken.kth.se>
Cc: gnats-bugs@gnats.netbsd.org
Subject: Re: bin/12825: su doesn't reset KRB5CCNAME nor KRBTKFILE when not using kerberos
Date: Sun, 17 Jun 2001 23:13:16 -0400
Love <lha@stacken.kth.se> wrote on Mon, 18 Jun 2001
at 03:22:08 +0200 in <amzob67fb3.fsf@stevens.e.kth.se>:
> > Hmm. Different from what happens over here in Athena-land.
>
> It doesn't change PAG neither ? In kth-land it does.
Well, in Athena-land we just use the stock OS 'su', so of course no
PAG or ticket-file handling occurs...
> Yes, that is why i proposed that su, telnetd and login should use the
> existance of keytab/srvtab to decide if they should use kerberos.
I'm not sure this is good enough, either, but I guess it's definitely
better than using krb5.conf.
--jhawk
>Unformatted:
(Contact us)
$NetBSD: query-full-pr,v 1.39 2013/11/01 18:47:49 spz Exp $
$NetBSD: gnats_config.sh,v 1.8 2006/05/07 09:23:38 tsutsui Exp $
Copyright © 1994-2007
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.