From djm@web.us.uu.net Fri Apr 14 12:24:37 2000
Received: from MIT.EDU (SOUTH-STATION-ANNEX.MIT.EDU [18.72.1.2]) by rt-11.mit.edu (8.9.3/8.9.3) with SMTP id MAA03184 for ; Fri, 14 Apr 2000 12:24:37 -0400 (EDT)
Received: from jenkins.web.us.uu.net by MIT.EDU with SMTP id AA02051; Fri, 14 Apr 00 12:24:32 EDT
Received: from dagger.web.us.uu.net by jenkins.web.us.uu.net with ESMTP (peer crosschecked as: dagger.web.us.uu.net [208.211.134.28]) id MAA11576; Fri, 14 Apr 2000 12:24:36 -0400 (EDT)
Received: by dagger.web.us.uu.net id MAA28479; Fri, 14 Apr 2000 12:24:12 -0400
Message-Id:
Date: Fri, 14 Apr 2000 12:24:12 -0400
From: djm@web.us.uu.net (David J. MacKenzie)
Reply-To: djm@web.us.uu.net
To: krb5-bugs@MIT.EDU
Cc: djm@web.us.uu.net
Subject: ksu uses the wrong principal by default
X-Send-Pr-Version: 3.99

>Number:         839
>Category:       krb5-clients
>Synopsis:       ksu uses the wrong principal by default
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    krb5-unassigned
>State:          open
>Class:          sw-bug
>Submitter-Id:   unknown
>Arrival-Date:   Fri Apr 14 12:25:00 EDT 2000
>Last-Modified:  Mon Apr 24 13:32:00 EDT 2000
>Originator:     David MacKenzie
>Organization:   UUNET Technologies
>Release:        krb5-1.1.1
>Environment:
System: Linux dagger.web.us.uu.net 2.2.14-15mdk #2 Sat Mar 11 19:32:26 EST 2000 i686 unknown
Architecture: i686
>Description:
ksu to root prompts for the password for "root@REALM" instead of "$USER/root@REALM". The workaround is to use -n to specify the right principal. My understanding of the Kerberos security model is that each user is supposed to have their own root instance. At least, that's how we've been running it for about 9 years at the University of Maryland and UUNET.
>How-To-Repeat:
ksu
>Fix:
I accidentally included this hunk of diff also in my change request for adding ksu -m.

--- /homes/elves/djm/src/krb5-1.1.1/src/clients/ksu/main.c	Fri Dec 17 15:44:39 1999
+++ src/clients/ksu/main.c	Tue Mar 28 02:05:48 2000
@@ -371,6 +386,19 @@ exit(1); } } + + if (options.princ == 0 && target_uid == 0 && source_uid != 0) { + char *source_princ = xmalloc(strlen(source_user) + 6); + sprintf(source_princ, "%s/root", source_user); + + if ((retval = krb5_parse_name(ksu_context, source_princ, &client))){ + com_err(prog_name, retval, "when parsing name %s", source_princ); + errflg++; + } + free(source_princ); + options.princ = 1; + } + if ((retval = get_best_princ_for_target(ksu_context, source_uid, target_uid, source_user, target_user, cc_source, &options, cmd, localhostname, &client, &hp))){

>Audit-Trail:

From: Ken Raeburn
To: djm@web.us.uu.net
Cc: krb5-bugs@MIT.EDU
Subject: Re: krb5-clients/839: ksu uses the wrong principal by default
Date: 21 Apr 2000 08:58:20 -0400

> ksu to root prompts for the password for "root@REALM" instead of
> "$USER/root@REALM". The workaround is to use -n to specify the
> right principal. My understanding of the Kerberos security model
> is that each user is supposed to have their own root instance.
> At least, that's how we've been running it for about 9 years
> at the University of Maryland and UUNET.

The call to get_best_princ_for_target should be taking care of selecting $USER/root if that principal is listed in ~root/.k5login. Is it not working in your case?

Ken
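Review bot: `options.princ = 1;` is set unconditionally at the end of the new block, so when krb5_parse_name fails the hunk increments errflg but still tells the following get_best_princ_for_target call that an explicit principal was supplied while `client` was never filled in; move the assignment into the success path of the parse (or bail out on errflg before the call). Two smaller points on the same hunk: the block runs ahead of get_best_princ_for_target for every unprivileged user becoming root, so a user whose ticket cache already holds a principal that ~root/.k5login authorizes is now forced to a "$USER/root" prompt instead of the cached principal that call would select, which is the case Ken Raeburn's reply describes and which suggests the new default belongs in the no-.k5login fallback rather than ahead of the search; and the `+ 6` in `xmalloc(strlen(source_user) + 6)` is exactly "/root" plus the terminator, which is correct but deserves a comment so the next edit to the format string keeps the sizes in step.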
From: "David J. MacKenzie"
To: Ken Raeburn
Cc: djm@web.us.uu.net, krb5-bugs@MIT.EDU
Subject: Re: krb5-clients/839: ksu uses the wrong principal by default
Date: Mon, 24 Apr 2000 13:20:53 -0400

> > ksu to root prompts for the password for "root@REALM" instead of
> > "$USER/root@REALM". The workaround is to use -n to specify the
> > right principal. My understanding of the Kerberos security model
> > is that each user is supposed to have their own root instance.
> > At least, that's how we've been running it for about 9 years
> > at the University of Maryland and UUNET.
>
> The call to get_best_princ_for_target should be taking care of
> selecting $USER/root if that principal is listed in ~root/.k5login.
> Is it not working in your case?

It is now. I suspect that before, I hadn't yet put a ~root/.k5login onto the machine.

It looks like the algorithm for selecting a principal is documented in the ksu man page, but it's so complicated that I didn't understand what it was trying to do!

From: Ken Raeburn
To: "David J. MacKenzie"
Cc: krb5-bugs@MIT.EDU
Subject: Re: krb5-clients/839: ksu uses the wrong principal by default
Date: 24 Apr 2000 13:31:02 -0400

> It looks like the algorithm for selecting a principal is documented
> in the ksu man page, but it's so complicated that I didn't understand
> what it was trying to do!

Yep. Longstanding bug. :-(

>Unformatted:
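The thread turns on how ksu decides which principal to ask a password for: without a ~root/.k5login it fell back to root@REALM, and once the file listed djm/root@REALM the get_best_princ_for_target path picked that instead. The following model, added here as an illustration and not ksu's own code, walks that scenario with constructed inputs. The rule order (explicit -n first, then a cached principal authorized by .k5login, then the first authorized principal, then target_user@REALM when no .k5login exists) is an assumed simplification of what the thread and the man page describe, not a transcription of main.c, and the `force_user_root_instance` flag exists only to model what the submitted hunk does; it is not a real ksu option.

```python
"""Added example, not ksu's own code: a small model of the principal
selection ksu performs before authenticating a user who runs `ksu` to
become another user (root in the bug report above).

ASSUMPTION: the rule order below is a simplified reading of the behaviour
described in this thread and in the ksu man page; the real
get_best_princ_for_target() in src/clients/ksu/main.c has more cases.
The `force_user_root_instance` flag is hypothetical and models only what
the submitted hunk does.
"""
from typing import Optional


def parse_k5login(text: str) -> list[str]:
    """Parse ~target/.k5login contents: one principal per line, blank lines ignored."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def choose_principal(source_user: str,
                     target_user: str,
                     realm: str,
                     cache_principals: list[str],
                     k5login_text: Optional[str] = None,
                     explicit: Optional[str] = None,
                     force_user_root_instance: bool = False) -> Optional[str]:
    """Return the principal ksu would try to authenticate as, or None when the
    target's .k5login authorizes nobody (ksu then refuses the switch)."""
    # Rule 1: an explicit `ksu -n principal` always wins (the workaround in the report).
    if explicit:
        return explicit
    # Model of the submitted hunk: an unprivileged user becoming root is forced
    # to $USER/root before the .k5login search ever runs.
    if force_user_root_instance and target_user == "root" and source_user != "root":
        return f"{source_user}/root@{realm}"
    # Rule 2: with a .k5login present, prefer a principal that is both in the
    # source user's ticket cache and authorized (cache order is preference).
    if k5login_text is not None:
        authorized = parse_k5login(k5login_text)
        for principal in cache_principals:
            if principal in authorized:
                return principal
        # Otherwise fall back to the first authorized principal; ksu then
        # prompts for that principal's password.
        return authorized[0] if authorized else None
    # Rule 3: no .k5login at all: default to target_user@REALM, which is the
    # "root@REALM" prompt the report complains about.
    return f"{target_user}@{realm}"


def demo() -> dict:
    """Walk the report's scenario: same user and cache, with and without ~root/.k5login."""
    realm = "EXAMPLE.COM"                # constructed realm name
    cache = ["djm@EXAMPLE.COM"]          # constructed ticket cache contents
    k5login = "djm/root@EXAMPLE.COM\n"   # constructed ~root/.k5login
    return {
        "no_k5login": choose_principal("djm", "root", realm, cache),
        "with_k5login": choose_principal("djm", "root", realm, cache, k5login),
        "explicit_n": choose_principal("djm", "root", realm, cache, None,
                                       "djm/root@EXAMPLE.COM"),
    }


if __name__ == "__main__":
    for case, principal in demo().items():
        print(f"{case}: {principal}")
```

Run stand-alone, the three cases reproduce the thread: no .k5login gives root@EXAMPLE.COM, the .k5login entry gives djm/root@EXAMPLE.COM, and -n returns whatever was named. Passing `force_user_root_instance=True` with a .k5login that authorizes the cached djm@EXAMPLE.COM shows the behaviour change the hunk would cause: the cached, already-authorized principal is skipped in favour of a fresh djm/root password prompt.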