From ericm@gauss.math.montana.edu Tue Apr 21 16:15:53 1998
Received: from MIT.EDU (SOUTH-STATION-ANNEX.MIT.EDU [18.72.1.2]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id QAA21030 for ; Tue, 21 Apr 1998 16:15:51 -0400
Received: from gauss.math.montana.edu by MIT.EDU with SMTP id AA09716; Tue, 21 Apr 98 16:15:40 EDT
Received: (from ericm@localhost) by gauss.math.montana.edu (5.65/DEC-Ultrix/4.3/) id OAA00350; Tue, 21 Apr 1998 14:15:39 -0600 (MDT)
Message-Id: <199804212015.OAA00350@gauss.math.montana.edu>
Date: Tue, 21 Apr 1998 14:15:39 -0600 (MDT)
From: ericm@math.montana.edu
Reply-To: ericm@math.montana.edu
To: krb5-bugs@MIT.EDU
Subject: chdir(2) problem
X-Send-Pr-Version: 3.99

>Number: 582
>Category: krb5-appl
>Synopsis: problem with chdir(2) in login.krb5
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Tue Apr 21 16:16:01 EDT 1998
>Last-Modified: Fri Aug 07 00:54:51 EDT 1998
>Originator: Eric McWhorter
>Organization:
Montana State University
Eric McWhorter 2-207 Wilson Hall, MSU, Bozeman, MT 59717
College of Letters and Science (406)994-1788
Montana State University ericm@math.montana.edu
>Release: krb5-1.0.5
>Environment:
sun ultrasparc 2170, dec mips 5000/240
solaris 2.6, netbsd 1.3.1
System: SunOS gauss 5.6 Generic_105181-04 sun4u sparc SUNW,Ultra-2
Architecture: sun4
>Description:
When src/appl/bsd/login.c and src/appl/gssftp/ftpd/ftpd.c check to see if the user login directory is valid, the assumption is made that root can chdir(2) to the user's home directory.
>How-To-Repeat:
NFS export the home dir with root remapped to nobody, then log in to an account with $HOME chmod 700. chdir(2) will fail and login will be to the system root dir.
>Fix:
src/appl/bsd/login.c: seteuid(2) to user before chdir(2), then seteuid back to root after chdir(2) (see patch).
src/appl/gssftp/ftpd/ftpd.c: move setuid(2) call to just before chdir(2) call to home directory (see patch).
Here's a patch:

*** krb5-1.0.5/src/appl/gssftp/ftpd/ftpd.c.orig Mon Apr 20 16:40:59 1998 --- krb5-1.0.5/src/appl/gssftp/ftpd/ftpd.c Mon Apr 20 16:41:05 1998 *************** *** 837,842 **** --- 837,847 ---- ftp_logwtmp(ttyline, pw->pw_name, remotehost); logged_in = 1; + if (seteuid((uid_t)pw->pw_uid) < 0) { + reply(550, "Can't set uid."); + goto bad; + } + if (guest) { /* * We MUST do a chdir() after the chroot. Otherwise *************** *** 854,863 **** goto bad; } else lreply(230, "No directory! Logging in with home=/"); - } - if (seteuid((uid_t)pw->pw_uid) < 0) { - reply(550, "Can't set uid."); - goto bad; } if (guest) { reply(230, "Guest login ok, access restrictions apply."); --- 859,864 ---- *** krb5-1.0.5/src/appl/bsd/login.c.orig Fri Feb 6 20:41:18 1998 --- krb5-1.0.5/src/appl/bsd/login.c Tue Apr 21 12:00:25 1998 *************** *** 401,406 **** --- 401,407 ---- struct passwd *pwd; static char *salt; + uid_t root_uid; #ifdef HAVE_SHADOW struct spwd *spwd; *************** *** 1542,1553 **** --- 1543,1569 ---- sleepexit(0); } #endif + /* root uid is likely 0, but should check just in case */ + root_uid = getuid(); + + /* Should this call fail, we might login to / instead of our + home dir if root hasn't permissions on cwd, which is okay */ + seteuid((uid_t) pwd->pw_uid); + if (chdir(pwd->pw_dir) < 0) { printf("No directory %s!\n", pwd->pw_dir); if (chdir("/")) exit(0); pwd->pw_dir = "/"; printf("Logging in with home = \"/\".\n"); + } + + /* switch back to root to finish login proceedure + if this call fails, things will be goofy */ + if(seteuid(root_uid) < 0) { + syslog(LOG_ERR, + "seteuid: %s", + error_message(errno)); } /* nothing else left to fail -- really log in */

>Audit-Trail:

From: Sam Hartman
To: ericm@math.montana.edu
Cc: krb5-bugs@MIT.EDU
Subject: Re: krb5-appl/582: chdir(2) problem
Date: 02 May 1998 14:59:09 -0400

Note that we probably want to use krb5_seteuid in ftpd in general. For login, it's unclear what we want to do.
I do not want to introduce any calls to krb5_setuid into a new program unless we have to do so because POSIX does not guarantee that function will be able to work. It might be more reasonable to have login check to see if directory is valid *after* calling setuid.

Of course, if you are using krb5, you probably want to have your home dir mode 711 or better so that the daemons can read .k5login.

From: Eric McWhorter
To: Sam Hartman
Cc:
Subject: Re: krb5-appl/582: chdir(2) problem
Date: Mon, 4 May 1998 07:53:37 -0600 (MDT)

Sam Hartman writes:
> Note that we probably want to use krb5_seteuid in ftpd in general.
> For login, it's unclear what we want to do. I do not want to
> introduce any calls to krb5_setuid into a new program unless we have
> to do so because POSIX does not guarantee that function will be able
> to work. It might be more reasonable to have login check to see if
> directory is valid *after* calling setuid.

My code doesn't work, so don't use it. :) I broke anon ftp. Checking after setuid sounds okay.

> Of course, if you are using krb5, you probably want to have your home dir mode 711 or better so that the daemons can read .k5login.

But shouldn't the daemons be able to read .k5login as the user rather than root? In other words, shouldn't the daemons all seteuid to the user before working with .k5login rather than assuming/insisting root has access?

Thanks!

--
Eric McWhorter 2-207 Wilson Hall, MSU, Bozeman, MT 59717
College of Letters and Science (406)994-1788
Montana State University ericm@math.montana.edu

>Unformatted:
[Matthew D. Hancher -- Fri Aug 7 00:52:36 EDT 1998]
I fixed this for ftpd, by moving the seteuid before the chdir() and moving the guest chroot() even earlier. I have not yet done anything with login.
-mdh
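Review bot: In the first ftpd.c hunk (837,847) the new `seteuid((uid_t)pw->pw_uid)` is placed ahead of the `if (guest)` block whose own comment says the chdir() must follow the chroot(); chroot(2) requires an effective uid of 0, so once the process already runs as the user the anonymous chroot fails and guest logins break (the thread later confirms anon ftp broke). Do the guest chroot() while still root, then the seteuid(), then the chdir() to the home directory, so the directory check is made as the user without losing the chroot.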
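Review bot: In the second ftpd.c hunk (854,864) the seteuid block is deleted after the chdir()/lreply fallback, which is the right counterpart to the move, but every `goto bad` reached between the new seteuid() and this point now runs with the user's effective uid instead of root; confirm that the cleanup at `bad:` needs no privilege, and that the "No directory! Logging in with home=/" fallback still leaves the process in `/` when the home directory is unreadable by the user as well as by root.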
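Review bot: In the login.c hunk (1542,1569) `root_uid = getuid()` saves the real uid, but the privilege being dropped and regained is the effective uid: if login is ever invoked setuid-root by an unprivileged caller the real uid is not 0 and `seteuid(root_uid)` leaves the process unprivileged for the rest of the login. Save `geteuid()` instead. Also, the return value of `seteuid((uid_t) pwd->pw_uid)` is ignored, and when `seteuid(root_uid)` fails the code only syslogs and continues (the comment itself says "things will be goofy"); failing to regain root should be fatal, via `sleepexit` as the context just above does, since the remaining steps still need privilege. Minor: "proceedure" in the new comment.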
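As an added illustration of the pattern this thread settles on (test the home directory with the user's effective uid, then regain privilege and refuse to continue if that fails), here is a stand-alone C example; it is not the krb5 login.c or ftpd.c code, and the function name enter_home_as_user and its result codes are assumptions made for the example. It saves geteuid() rather than getuid(), the point raised in review above, and keeps login's fallback to "/".

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Result codes for the home-directory check (names assumed for this example). */
enum home_check {
    HOME_OK = 0,        /* chdir(home) succeeded as the user */
    HOME_FALLBACK = 1,  /* home unusable; process is now in "/" (login's behaviour) */
    HOME_FATAL = -1     /* could not switch uid, or could not regain it */
};

/* Enter `home` with the effective uid temporarily set to `uid`, so that an
 * NFS root-squashed or mode 700 directory is tested as the user, not as root.
 * The uid to return to is taken from geteuid(): when run setuid-root only the
 * effective uid is guaranteed to be root, the real uid may be the caller's. */
enum home_check enter_home_as_user(uid_t uid, const char *home)
{
    uid_t saved = geteuid();
    enum home_check rc;

    if (seteuid(uid) < 0) {
        fprintf(stderr, "seteuid(%lu): %s\n", (unsigned long)uid, strerror(errno));
        return HOME_FATAL;
    }
    if (chdir(home) == 0) {
        rc = HOME_OK;
    } else {
        fprintf(stderr, "No directory %s: %s\n", home, strerror(errno));
        rc = (chdir("/") == 0) ? HOME_FALLBACK : HOME_FATAL;
    }
    /* Regaining privilege must not fail silently: a login that keeps running
     * half-privileged would break every later root-only step. */
    if (seteuid(saved) < 0) {
        fprintf(stderr, "cannot regain uid %lu: %s\n", (unsigned long)saved, strerror(errno));
        return HOME_FATAL;
    }
    return rc;
}

int main(int argc, char **argv)
{
    /* Stand-alone run: check argv[1] (default "/") as the invoking real uid. */
    const char *home = argc > 1 ? argv[1] : "/";
    return enter_home_as_user(getuid(), home) == HOME_FATAL ? 1 : 0;
}
```

Run unprivileged, seteuid() to one's own real uid is permitted, so the example exercises the full switch/chdir/restore sequence without root.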