From sean@mail.tgd.net Sat Jan 26 18:59:13 2002
Date: Sat, 26 Jan 2002 15:59:11 -0800 (PST)
From: sean@chittenden.org
Reply-To: sean@chittenden.org
To: krb5-bugs@mit.edu
Subject: telnet sets the key cache to UID/GID 0 for non-UID 0 users

>Number:         1046
>Category:       telnet
>Synopsis:       telnet sets the key cache to UID/GID 0 for non-UID 0 users
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    hartmans
>State:          analyzed
>Class:          sw-bug
>Submitter-Id:   unknown
>Arrival-Date:   Sat Jan 26 19:00:00 EST 2002
>Last-Modified:  Mon Apr 22 17:19:00 EDT 2002
>Originator:     Sean Chittenden
>Organization:
>Release:        krb5-1.2.3
>Environment:
System: FreeBSD ninja1.internal 4.5-RC FreeBSD 4.5-RC #0: Thu Jan 10 14:10:58 PST 2002 root@ninja1.internal:/opt/obj/opt/src/sys/NINJA i386
>Description:
I just upgraded from 1.2.2 to 1.2.3, and when I telnet to a system using kerberos (telnet -axF) I am granted access to the system; however, my key cache on the remote system is set to UID/GID 0:0 and I can't ksu to root. I didn't see anything in the release notes.
>How-To-Repeat:
> kinit
Password for sean@INTERNAL:
sean@ninja1:~ > /usr/local/bin/telnet -axF lan.internal
Trying 192.168.1.253...
Connected to lan.internal (192.168.1.253).
Escape character is '^]'.
Waiting for encryption to be negotiated...
[ Kerberos V5 accepts you as ``sean@INTERNAL'' ]
[ Kerberos V5 accepted forwarded credentials ]
done.
Last login: Sat Jan 26 15:10:30 from ninja1
sean@lan:~ > ls -lA /tmp/krb5*
-rw-------  1 root  wheel  423 Jan 26 15:52 /tmp/krb5cc_p55699
3:53pm sean@lan:~ > ksu
ksu: Credentials cache permissions incorrect while opening ccache
sean@lan:~ > grep telnetd /etc/inetd.conf
telnet  stream  tcp  nowait  root  /usr/local/sbin/telnetd  telnetd -a valid
sean@lan:~ > exit
Connection closed by foreign host.
sean@ninja1:~ > /usr/local/bin/telnet -axF -l root lan.internal
Trying 192.168.1.253...
Connected to lan.internal (192.168.1.253).
Escape character is '^]'.
Waiting for encryption to be negotiated...
[ Kerberos V5 accepts you as ``sean@INTERNAL'' ]
[ Kerberos V5 accepted forwarded credentials ]
done.
Last login: Sat Jan 26 15:53:00 from ninja1
3:55pm root@lan:~ #
>Fix:
man 2 chown

    #include <unistd.h>

    int chown(const char *path, uid_t owner, gid_t group);

>Audit-Trail:
State-Changed-From-To: open-analyzed
State-Changed-By: tlyu
State-Changed-When: Tue Jan 29 15:33:57 2002
State-Changed-Why:

From: Tom Yu
To: sean@chittenden.org
Cc: krb5-bugs@MIT.EDU
Subject: Re: telnet/1046: telnet sets the key cache to UID/GID 0 for non-UID 0 users
Date: Tue, 29 Jan 2002 15:33:50 -0500 (EST)

Are you sure you changed nothing else while upgrading? We didn't change any of the ccache-rewriting code between 1.2.2 and 1.2.3. Does reverting to 1.2.2 cause the problem to go away?

---Tom

From: Sam Hartman
To: sean@chittenden.org
Cc: krb5-bugs@MIT.EDU
Subject: Re: telnet/1046: telnet sets the key cache to UID/GID 0 for non-UID 0 users
Date: Tue, 16 Apr 2002 14:55:34 -0400 (EDT)

Hi. Do you see any errors being syslogged by telnetd or login.krb5?

Also, does the problem go away if you set v4_convert to false in /etc/krb5.conf in the login stanza? I tried to reproduce your problem and failed.
From: Sean Chittenden
To: Sam Hartman
Cc: krb5-bugs@MIT.EDU
Subject: Re: telnet/1046: telnet sets the key cache to UID/GID 0 for non-UID 0 users
Date: Thu, 18 Apr 2002 16:59:58 -0700

> Hi. Do you see any errors being syslogged by telnetd or login.krb5?
>
> Also, does the problem go away if you set v4_convert to false in
> /etc/krb5.conf in the login stanza? I tried to reproduce your
> problem and failed.

I have an almost empty krb5.conf file:

[libdefaults]
    ticket_lifetime = 6000
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
    default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

[realms]
    EXAMPLE.COM = {
        kdc = kerberos.internal:88
        admin_server = kerberos.internal:749
        default_domain = internal
    }

[domain_realm]
    .internal = EXAMPLE.COM
    internal = EXAMPLE.COM
    .tgd.net = EXAMPLE.COM
    tgd.net = EXAMPLE.COM

[logging]
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/krb5lib.log

# From my /etc/inetd.conf
telnet  stream  tcp  nowait  root  /usr/local/sbin/telnetd  telnetd -a valid

And here's a sample session:

> kinit
Password for user@EXAMPLE.COM:
> telnet -axF host2
Trying 192.168.1.11...
Connected to host2.internal (192.168.1.11).
Escape character is '^]'.
Waiting for encryption to be negotiated...
[ Kerberos V5 accepts you as ``user@EXAMPLE.COM'' ]
[ Kerberos V5 accepted forwarded credentials ]
done.
Last login: Thu Apr 18 16:51:31 from ninja1
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
        The Regents of the University of California.  All rights reserved.
> env | grep krb
KRB5CCNAME=FILE:/tmp/krb5cc_p27004
> ls -l /tmp/krb5cc_p27004
-rw-------  1 root  wheel  419 Apr 18 16:54 /tmp/krb5cc_p27004
> kinit
Password for user@EXAMPLE.COM:
kinit(v5): Internal credentials cache error when initializing cache
> ls -lA /tmp/krb5cc_p27004
-rw-------  1 root  wheel  419 Apr 18 16:54 /tmp/krb5cc_p27004
> uname -s -r
FreeBSD 4.5-STABLE

Kerberos version 1.2.3. I've been looking at the commits and haven't seen anything to suggest that this has been fixed. What other information do you want/need?

-sc

--
Sean Chittenden

From: Sam Hartman
To: Sean Chittenden
Cc: krb5-bugs@MIT.EDU
Subject: Re: telnet/1046: telnet sets the key cache to UID/GID 0 for non-UID 0 users
Date: Fri, 19 Apr 2002 11:44:47 -0400

As I indicated in my original mail, I need any syslog messages that are logged.

From: Sean Chittenden
To: Sam Hartman
Cc: krb5-bugs@mit.edu
Subject: Re: telnet/1046: telnet sets the key cache to UID/GID 0 for non-UID 0 users
Date: Fri, 19 Apr 2002 12:16:27 -0700

> As I indicated in my original mail I need any syslog messages that
> are logged.

I don't see how this'll help, but I'm game.
On the KDC when I do a kinit:

Apr 19 12:00:24 kdc-host krb5kdc[102]: AS_REQ (2 etypes {16 1}) 192.168.1.10(88): ISSUE: authtime 1019242824, etypes {rep=16 tkt=16 ses=16}, user@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM

And when I telnet to the remote host:

Apr 19 12:03:10 kdc-host krb5kdc[102]: TGS_REQ (1 etypes {1}) 192.168.1.10(88): ISSUE: authtime 1019242824, etypes {rep=16 tkt=16 ses=1}, user@EXAMPLE.COM for host/host2.internal@EXAMPLE.COM
Apr 19 12:03:11 kdc-host krb5kdc[102]: TGS_REQ (1 etypes {1}) 192.168.1.10(88): ISSUE: authtime 1019242824, etypes {rep=16 tkt=16 ses=1}, user@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM

And on the remote host:

> klist -5acf
klist: Credentials cache permissions incorrect while setting cache flags (ticket cache FILE:/tmp/krb5cc_p39849)
# KRB5CCNAME="FILE:/tmp/krb5cc_p39849" klist -5acf
Ticket cache: FILE:/tmp/krb5cc_p39849
Default principal: user@EXAMPLE.COM

Valid starting     Expires            Service principal
04/19/02 12:03:11  04/19/02 22:00:24  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: FfPT
        Addresses: host2.internal

When telnet accepts the request, it looks like the chown() call is failing and the proper user permissions aren't being set. Just a guess.

-sc

--
Sean Chittenden

From: Sean Chittenden
To: Sam Hartman
Cc: gnats-admin@rt-11.mit.edu
Subject: Re: telnet/1046: telnet sets the key cache to UID/GID 0 for non-UID 0 users
Date: Fri, 19 Apr 2002 14:14:13 -0700

>     Sean> When telnet accepts the request, it looks like the chown()
>     Sean> call is failing and the proper user permissions aren't being
>     Sean> set. Just a guess. -sc
>
> Except that telnetd doesn't do the chown; login.krb5 does. And if
> that chown fails, login.krb5 syslogs an error. Please look at syslogs on
> the remote host.

This is the extent of what gets logged. I used a catch-all *.* to send everything to one file and this is everything:

# Apr 19 14:03:51 host2 login: login from host1 on ttyp4 as user

What else do you need/want to hear?
-sc

PS If logins are done via src/appl/bsd/login.c, then there isn't a chown() call being issued. After having cruised through the code, it looks like the forwarded ticket is being written out to /tmp, but isn't being chowned. Around line ~1639 of login.c, I think it's trying to recreate the ticket in its place, but is failing because the ticket already exists with root perms. I could be wrong, but that's my best guess at the moment. hth.

--
Sean Chittenden

From: Sam Hartman
To: Sean Chittenden
Cc: gnats-admin@rt-11.mit.edu, krb5-bugs@MIT.EDU
Subject: Re: telnet/1046: telnet sets the key cache to UID/GID 0 for non-UID 0 users
Date: Fri, 19 Apr 2002 17:39:52 -0400

We are unable to reproduce the problem.

From: Sean Chittenden
To: Sam Hartman
Cc: gnats-admin@rt-11.mit.edu, krb5-bugs@mit.edu
Subject: Re: telnet/1046: telnet sets the key cache to UID/GID 0 for non-UID 0 users
Date: Fri, 19 Apr 2002 14:45:46 -0700

> We are unable to reproduce the problem.

I have this behavior on an entire installation of FreeBSD machines with kerberos built from the ports and the bare min config that I sent earlier. It's very reproducible for me. Where would you like me to insert some debugging code?

-sc

--
Sean Chittenden

From: Sam Hartman
To: Sean Chittenden
Cc: krb5-bugs@MIT.EDU
Subject: Re: telnet/1046: telnet sets the key cache to UID/GID 0 for non-UID 0 users
Date: Mon, 22 Apr 2002 17:18:15 -0400

>>>>> "Sean" == Sean Chittenden writes:

    >> We are unable to reproduce the problem.

    Sean> I have this behavior on an entire installation of FreeBSD
    Sean> machines with kerberos built from the ports and the bare min
    Sean> config that I sent earlier. It's very reproducible for me.
    Sean> Where would you like me to insert some debugging code? -sc

First, please make sure the problem happens with Kerberos built from our sources with no FreeBSD patches applied. If so, you should insert code in login or walk through it with a debugger.

Login reads in the tickets as root, destroys the ticket cache, seteuids to the user and then writes them out again. Something is going wrong in this code path.
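The two halves of this thread in working code, as an added example that is not part of the report or of krb5's own login.c: ccache_owner_check() is the ownership/mode test that made ksu and klist report "Credentials cache permissions incorrect" on the root-owned /tmp/krb5cc_p* files above, and write_ccache_as_user() is a hypothetical helper for the path Sam Hartman describes (destroy the cache as root, seteuid to the user, then write), which leaves the new file user-owned with no chown() at all. The cache contents and path used in testing are constructed placeholders.

```c
#define _XOPEN_SOURCE 700   /* prototypes for seteuid/setegid/lstat */
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>
enum { CC_OK = 0, CC_NOFILE, CC_NOT_REGULAR, CC_WRONG_OWNER, CC_BAD_MODE };
/* The test a FILE: ccache must pass before ksu/klist will touch it: a regular
 * file owned by the calling uid, closed to group/other (root:wheel -> WRONG_OWNER). */
int ccache_owner_check(const char *path, uid_t uid)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return CC_NOFILE;
    if (!S_ISREG(st.st_mode))
        return CC_NOT_REGULAR;
    if (st.st_uid != uid)
        return CC_WRONG_OWNER;
    if (st.st_mode & (S_IRWXG | S_IRWXO))
        return CC_BAD_MODE;
    return CC_OK;
}

/* Hypothetical helper, not krb5's login.c: the path Sam Hartman describes.
 * Destroy the old cache while still root, switch effective ids to the user,
 * then create the file, so the kernel makes the user its owner and no chown()
 * is needed. Returns 0 or -errno; the saved effective ids are restored. */
int write_ccache_as_user(const char *path, uid_t uid, gid_t gid,
                         const void *buf, size_t len)
{
    uid_t saved_uid = geteuid();
    gid_t saved_gid = getegid();
    int fd, rc = 0;
    if (unlink(path) != 0 && errno != ENOENT)
        return -errno;
    /* gid first: once the euid is non-root the group can no longer change. */
    if (setegid(gid) != 0 || seteuid(uid) != 0) {
        rc = -errno; setegid(saved_gid); return rc;
    }
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        rc = -errno;
    else if (write(fd, buf, len) != (ssize_t)len)
        rc = -EIO;
    if (fd >= 0)
        close(fd);
    /* uid back first so the gid restore is permitted; failing to regain privilege is an error. */
    if (seteuid(saved_uid) != 0 || setegid(saved_gid) != 0)
        rc = rc ? rc : -errno;
    return rc;
}
```

Run as an unprivileged user the helper simply keeps the caller's own ids, which is enough to show the check passing; run as root it creates the file already owned by the target uid, the state the report's /tmp/krb5cc_p55699 never reached.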