From daemon@netmediatech.com Mon Nov 25 12:04:43 1996
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id MAA07288 for ; Mon, 25 Nov 1996 12:04:43 -0500
Received: from netmediatech.com by MIT.EDU with SMTP id AA11788; Mon, 25 Nov 96 12:04:36 EST
Received: from net ([207.34.208.137]) by media.netmediatech.com with SMTP id <38940-4545>; Mon, 25 Nov 1996 12:05:25 -0500
Message-Id: <3299D1D1.167E@netmediatech.com>
Date: Mon, 25 Nov 1996 12:05:21 -0500
From: Peter Ziobrzynski
Sender: daemon
To: schemers@stanford.edu
Cc: krb5-bugs@MIT.EDU, kerberos@MIT.EDU
Subject: Re: Can't forward credentials with beta7 (fwd)
References: <199611230119.RAA03923@slapshot.stanford.edu>

>Number:         235
>Category:       pending
>Synopsis:       Re: Can't forward credentials with beta7 (fwd)
>Confidential:   yes
>Severity:       serious
>Priority:       medium
>Responsible:    gnats-admin
>State:          closed
>Class:          sw-bug
>Submitter-Id:   unknown
>Arrival-Date:   Mon Nov 25 12:05:01 EST 1996
>Last-Modified:  Sat Nov 30 17:59:27 EST 1996
>Originator:
>Organization:
>Release:
>Environment:
>Description:
>How-To-Repeat:
>Fix:
>Audit-Trail:
State-Changed-From-To: open-closed
State-Changed-By: tlyu
State-Changed-When: Sat Nov 30 17:59:05 1996
State-Changed-Why:
This will be fixed in the 1.0 release.
>Unformatted:
schemers@stanford.edu wrote:
>
> ------- start of forwarded message (RFC 934 encapsulation) -------
> Path: nntp.Stanford.EDU!news.Stanford.EDU!nntp-hub2.barrnet.net!cpk-news-feed2.bbnplanet.com!cam-news-hub1.bbnplanet.com!news3.near.net!pad-thai.cam.ov.com!INTERNET!dont-mail-to-path-lines
> Newsgroups: comp.protocols.kerberos
> Organization: comp.protocols.kerberos<->kerberos@mit.edu gateway
> Lines: 242
> Message-ID:
> References: <51rnqi$3gj@news.ox.ac.uk>
> NNTP-Posting-Host: pad-thai.cam.ov.com
> From: hartmans@MIT.EDU (Sam Hartman)
> Sender: daemon@cam.ov.com
> Subject: Re: Can't forward credentials with beta7
> Date: 19 Sep 1996 15:40:32 -0400
>
> The inability to forward credentials was introduced by a
> last-minute (well, last-hour at least) patch to fix a political bug.
> Basically, there was a potential security problem if /tmp didn't have
> the sticky bit set and you run login.krb5. This isn't really a
> problem because many other products and other parts of Kerberos assume
> that /tmp has the sticky bit set.
>
> This is fairly substantially my fault as I had an opportunity
> to audit the patch and missed the fairly obvious fact that it
> completely broke forwarding tickets. I don't think someone has worked
> out a correct patch yet and they certainly haven't committed it to our
> tree. However, since the problem it fixes is not a problem on
> correctly configured systems, you can just unapply the patch with
> patch -R.
> > >From bjaspan@MIT.EDU Wed Sep 11 15:49:00 1996 > Received: from SOUTH-STATION-ANNEX.MIT.EDU by po10.MIT.EDU (5.61/4.7) id AA24620; Wed, 11 Sep 96 15:32:23 EDT > Received: from DUN-DUN-NOODLES.MIT.EDU by MIT.EDU with SMTP > id AA26766; Wed, 11 Sep 96 15:32:17 EDT > Received: by DUN-DUN-NOODLES.MIT.EDU (5.x/4.7) id AA16374; Wed, 11 Sep 1996 15:32:14 -0400 > Date: Wed, 11 Sep 1996 15:32:14 -0400 > Message-Id: <9609111932.AA16374@DUN-DUN-NOODLES.MIT.EDU> > From: "Barry Jaspan" > To: hartmans@MIT.EDU > Lines: 212 > Xref: tertius.mit.edu mail.misc:5258 > > Index: login.c > =================================================================== > RCS file: /mit/krbdev/.cvsroot/src/appl/bsd/login.c,v > retrieving revision 5.49 > diff -c -r5.49 login.c > *** login.c 1996/06/24 04:05:09 5.49 > - --- login.c 1996/09/10 17:53:23 > *************** > *** 612,618 **** > /* get_name pulls out just the name not the > type */ > strcpy(ccfile, krb5_cc_get_name(kcontext, ccache)); > - - (void) chown(ccfile, pwd->pw_uid, pwd->pw_gid); > krbflag = got_v5_tickets = 1; > return 1; > } > - --- 612,617 ---- > *************** > *** 704,710 **** > } > got_v4_tickets = 1; > strcpy(tkfile, tkt_string()); > - - (void) chown(tkfile, pwd->pw_uid, pwd->pw_gid); > return 1; > } > #endif > - --- 703,708 ---- > *************** > *** 726,732 **** > kpass_ok = 1; > krbflag = 1; > strcpy(tkfile, tkt_string()); > - - (void) chown(tkfile, pwd->pw_uid, pwd->pw_gid); > break; > /* These errors should be silent */ > /* So the Kerberos database can't be probed */ > - --- 724,729 ---- > *************** > *** 877,884 **** > krb5_ticket *ticket = NULL; > > /* XXX This is to work around a library bug. I'm not sure if it's > ! been fixed for beta-6, so leave this in for now. Remove it (and > ! fix the bug if necessary) after beta-6 ships. */ > sleep(2); > > /* get the server principal for the local host */ > - --- 874,886 ---- > krb5_ticket *ticket = NULL; > > /* XXX This is to work around a library bug. 
I'm not sure if it's > ! been fixed for beta-7, so leave this in for now. Remove it (and > ! fix the bug if necessary) after beta-7 ships. > ! > ! Whoever wrote that comment didn't mention what the bug is! Ted > ! says it is something about the starttime of the ticket and > ! "now" being equal. He thinks it is fixed, but isn't sure. > ! */ > sleep(2); > > /* get the server principal for the local host */ > *************** > *** 1157,1163 **** > int retval; > #ifdef KRB5_GET_TICKETS > krb5_principal me; > ! #endif /* KRB5_GET_TICKETS */ > char *ccname = 0; /* name of forwarded cache */ > char *tz = 0; > > - --- 1159,1169 ---- > int retval; > #ifdef KRB5_GET_TICKETS > krb5_principal me; > ! krb5_creds save_v5creds; > ! #endif > ! #ifdef KRB4_GET_TICKETS > ! CREDENTIALS save_v4creds; > ! #endif > char *ccname = 0; /* name of forwarded cache */ > char *tz = 0; > > *************** > *** 1639,1644 **** > - --- 1645,1714 ---- > (void)setgid((gid_t) pwd->pw_gid); > (void) initgroups(username, pwd->pw_gid); > > + /* > + * The V5 ccache and V4 ticket file are both created as root. > + * They need to be owned by the user, and chown (a) assumes > + * they are stored in a file and (b) allows a race condition > + * in which a user can delete the file (if the directory > + * sticky bit is not set) and make it a symlink to somewhere > + * else; on some platforms, chown() on a symlink actually > + * changes the owner of the pointed-to file. This is Bad. > + * > + * So, we suck the V5 and V4 krbtgts into memory here, destroy > + * the ccache/ticket file, and recreate them later after the > + * setuid. 
> + */ > + #ifdef KRB5_GET_TICKETS > + if (got_v5_tickets) { > + krb5_creds mcreds; > + > + memset(&mcreds, 0, sizeof(mcreds)); > + memset(&save_v5creds, 0, sizeof(save_v5creds)); > + > + mcreds.client = me; > + retval = krb5_build_principal_ext(kcontext, &mcreds.server, > + krb5_princ_realm(kcontext, me)->length, > + krb5_princ_realm(kcontext, me)->data, > + tgtname.length, tgtname.data, > + krb5_princ_realm(kcontext, me)->length, > + krb5_princ_realm(kcontext, me)->data, > + 0); > + if (retval) { > + syslog(LOG_ERR, > + "%s while creating V5 krbtgt principal", > + error_message(retval)); > + sleepexit(1); > + } > + mcreds.ticket_flags = TKT_FLG_INITIAL; > + > + if (retval = krb5_cc_retrieve_cred(kcontext, ccache, > + KRB5_TC_MATCH_FLAGS, > + &mcreds, &save_v5creds)) { > + syslog(LOG_ERR, > + "%s while retrieiving V5 initial ticket for copy", > + error_message(retval)); > + sleepexit(1); > + } > + krb5_free_principal(kcontext, mcreds.server); > + } > + #endif /* KRB5_GET_TICKETS */ > + #ifdef KRB4_GET_TICKETS > + if (got_v4_tickets) { > + memset(&save_v4creds, 0, sizeof(save_v4creds)); > + > + retval = krb_get_cred("krbtgt", realm, realm, &save_v4creds); > + if (retval != KSUCCESS) { > + syslog(LOG_ERR, > + "%s while retrieving V4 initial ticket for copy", > + error_message(retval)); > + sleepexit(1); > + } > + } > + #endif /* KRB4_GET_TICKETS */ > + #if defined(KRB5_GET_TICKETS) || defined(KRB4_GET_TICKETS) > + destroy_tickets(); > + #endif > + > #ifdef OQUOTA > quota(Q_DOWARN, pwd->pw_uid, (dev_t)-1, 0); > #endif > *************** > *** 1665,1670 **** > - --- 1735,1788 ---- > perror("setuid"); > sleepexit(1); > } > + > + /* > + * We are the user now. Re-create the destroyed ccache and > + * ticket file. 
> + */ > + #ifdef KRB5_GET_TICKETS > + if (got_v5_tickets) { > + retval = krb5_cc_initialize (kcontext, ccache, me); > + if (retval) { > + syslog(LOG_ERR, > + "%s while re-initializing V5 ccache as user", > + error_message(retval)); > + sleepexit(1); > + } > + if (retval = krb5_cc_store_cred(kcontext, ccache, &save_v5creds)) { > + syslog(LOG_ERR, > + "%s while re-storing V5 credentials as user", > + error_message(retval)); > + sleepexit(1); > + } > + krb5_free_cred_contents(kcontext, &save_v5creds); > + } > + #endif /* KRB5_GET_TICKETS */ > + #ifdef KRB4_GET_TICKETS > + if (got_v4_tickets) { > + retval = in_tkt(save_v4creds.pname, save_v4creds.pinst); > + if (retval != KSUCCESS) { > + syslog(LOG_ERR, > + "%s while re-initializing V4 ticket cache as user", > + error_message(retval)); > + sleepexit(1); > + } > + retval = krb_save_credentials(save_v4creds.service, > + save_v4creds.instance, > + save_v4creds.realm, > + save_v4creds.session, > + save_v4creds.lifetime, > + save_v4creds.kvno, > + &(save_v4creds.ticket_st), > + save_v4creds.issue_date); > + if (retval != KSUCCESS) { > + syslog(LOG_ERR, > + "%s while re-storing V4 tickets as user", > + error_message(retval)); > + sleepexit(1); > + } > + } > + #endif /* KRB4_GET_TICKETS */ > > if (*pwd->pw_shell == '\0') > pwd->pw_shell = BSHELL; > > ------- end -------

I located a patch for login.c in http://www.mit.edu:8008/menelaus.mit.edu/kerberos/8259. This was posted to comp.protocols.kerberos some time ago. I applied it - fixed the problem - I can forward creds no problem. Thanks anyway.

I think somebody should come up with the merger of these two patches and distribute the official one (krb5-bugs@athena.mit.edu ?)

cheers - Peter
--
Peter Ziobrzynski, netMedia Technology Inc.
204 Richmond St. #300, Toronto Ontario, Canada, M5V-1V6
tel.(416) 596-8520x242, fax.(416) 596-8610
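Review bot: Removing the three chown() calls (the hunks at 612-618, 704-710 and 726-732) leaves every cache file root-owned unless the re-creation added at the end of the patch runs, and that re-creation is gated only on got_v5_tickets and got_v4_tickets. The forwarded cache, which login.c tracks separately (the 1157-1163 context shows "char *ccname = 0; /* name of forwarded cache */"), is not covered by the save / destroy_tickets() / re-initialize path at all, which matches the report in this thread that the patch broke credential forwarding. Suggest giving the forwarded cache the same treatment: read it before the setuid, destroy it, and re-create it as the user, or leave the chown in place for that case until that is done.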
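Review bot: The comment rewrite at 877-884 only bumps beta-6 to beta-7 and records that nobody knows which library bug the sleep(2) works around, so every login keeps paying a two-second delay with no criterion for ever removing it. Suggest either dropping the sleep if Ted confirms the "starttime equal to now" bug is fixed, or naming the bug (function or ticket) in the comment so the next release can retire the workaround deliberately.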
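Review bot: In the 1157-1163 hunk the "#endif /* KRB5_GET_TICKETS */" loses its trailing comment, and the new "#endif" for KRB4_GET_TICKETS has none, while the later hunks in this same patch label both ("#endif /* KRB5_GET_TICKETS */", "#endif /* KRB4_GET_TICKETS */"). Suggest restoring the comments so the conditional blocks stay readable.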
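Review bot: "if (retval = krb5_cc_retrieve_cred(kcontext, ccache, ...))" in the 1645-1714 hunk uses an assignment as the condition; write "if ((retval = krb5_cc_retrieve_cred(...)) != 0)" so the intent is explicit and the compiler does not flag it. The V4 branch compares retval against KSUCCESS and then passes the same raw krb4 status to error_message(); check that this value is actually a com_err code (or add the krb4 error-table base) or the syslog line will be wrong. Two smaller points: "retrieiving" in the V5 syslog string is misspelled, and since only the initial krbtgt (KRB5_TC_MATCH_FLAGS on TKT_FLG_INITIAL) is copied before destroy_tickets() throws the rest of the cache away, the comment should say plainly that anything else in the cache at this point is intentionally dropped.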
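Review bot: The V4 branch of the 1735-1788 hunk never scrubs save_v4creds after krb_save_credentials(), although it still holds the session key (save_v4creds.session) and the ticket; the V5 branch does call krb5_free_cred_contents() on save_v5creds. Add a memset(&save_v4creds, 0, sizeof(save_v4creds)) after the re-store, and clear both structures on the sleepexit(1) paths as well. The same assignment-in-condition pattern appears on "if (retval = krb5_cc_store_cred(kcontext, ccache, &save_v5creds))". Note also that the window between destroy_tickets() (run as root) and krb5_cc_initialize() (run as the user) still lets another local user plant a symlink at the same cache name in a non-sticky /tmp; the difference is that the write now happens with the user's own privileges, so the exposure is limited to files the user could already write, which is the scope this patch is after and worth stating in the comment.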
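The race the patch comment describes (chown(2) by path following an attacker-planted symlink in a non-sticky /tmp), shown side by side with the descriptor-based pattern that closes it. This is an added example, not code from the page, the patch, or MIT Kerberos login.c; the function names unsafe_give_to_user, safe_give_to_user and demo, the temporary directory and the file contents are my own constructions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the patch removes: a privileged process hands a freshly
 * created cache file to the user by path.  chown(2) follows symlinks, so
 * if another user replaced the file with a symlink (possible when the
 * directory is not sticky), the ownership change lands on the target. */
int unsafe_give_to_user(const char *path, uid_t uid, gid_t gid)
{
    return chown(path, uid, gid);
}

/* Hardened replacement: refuse symlinks at open time (O_NOFOLLOW), verify
 * that the object we opened is the regular file we created, and change the
 * owner through the descriptor so no second path lookup can be redirected.
 * Returns 0 on success, -1 with errno set: ELOOP (EMLINK on some BSDs) for a
 * symlink, EPERM when the object is not a regular, singly linked file that
 * our effective uid owns. */
int safe_give_to_user(const char *path, uid_t uid, gid_t gid)
{
    struct stat sb;
    int fd, rc, saved;

    fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (fstat(fd, &sb) < 0) {
        saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    if (!S_ISREG(sb.st_mode) || sb.st_uid != geteuid() || sb.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    rc = fchown(fd, uid, gid);
    saved = errno;
    close(fd);
    errno = saved;
    return rc;
}

/* Constructed scenario (hypothetical paths under a private mkdtemp
 * directory): a real cache file plus a symlink pointing at it, as an
 * attacker would plant.  Returns a bit mask of what was observed:
 *   1  unsafe_give_to_user() on the symlink succeeded (applied to target)
 *   2  safe_give_to_user() on the symlink was refused
 *   4  safe_give_to_user() on the real file succeeded
 * A correct run returns 7; -1 means no scratch directory could be made. */
int demo(void)
{
    char dir[64] = "/tmp/chownrace.XXXXXX";
    char target[96], link[96];
    int fd, result = 0;

    if (mkdtemp(dir) == NULL) {
        strcpy(dir, "chownrace.XXXXXX");      /* fall back to cwd */
        if (mkdtemp(dir) == NULL)
            return -1;
    }
    snprintf(target, sizeof target, "%s/krb5cc", dir);
    snprintf(link, sizeof link, "%s/planted", dir);

    fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        goto out;
    if (write(fd, "credentials", 11) != 11) {
        close(fd);
        goto out;
    }
    close(fd);
    if (symlink(target, link) < 0)
        goto out;

    if (unsafe_give_to_user(link, getuid(), getgid()) == 0)
        result |= 1;
    if (safe_give_to_user(link, getuid(), getgid()) < 0 &&
        (errno == ELOOP || errno == EMLINK))
        result |= 2;
    if (safe_give_to_user(target, getuid(), getgid()) == 0)
        result |= 4;

out:
    unlink(link);
    unlink(target);
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = demo();
    printf("observations: %d (expected 7)\n", r);
    return r == 7 ? 0 : 1;
}
```

The demo runs as an unprivileged user (the chown targets are the caller's own uid and gid, which any owner may set), so it shows the control-flow difference rather than an actual ownership transfer: the path-based call goes through the planted link and reports success, the descriptor-based call refuses it. The patch in this thread takes the other valid route, creating the cache only after setuid so no privileged chown is needed at all; the O_NOFOLLOW plus fstat plus fchown sequence is the check to use where the privileged process must keep creating the file itself.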