Date: Tue, 9 Oct 2001 18:24:57 -0500 (CDT)
Subject: ksu core dump if .k5login or .k5users has bad ownership
X-Send-Pr-Version: 3.99

>Number: 1004
>Category: krb5-clients
>Synopsis: ksu core dumps if .k5login or .k5users exists in target user's home directory but has other ownership
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: krb5-unassigned
>State: feedback
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Tue Oct 9 19:26:01 EDT 2001
>Last-Modified: Thu Oct 18 22:10:29 EDT 2001
>Originator: Emily Ratliff
IBM Linux Technology Center, Security
>Release: krb5-1.2.1

System: Linux 2.2.17-21mdk #1 Thu Oct 5 13:16:08 CEST 2000 i686 unknown
Architecture: i686

ksu seg faults when the .k5login or .k5users file in the target user's
home directory is not owned by that user. This has a fairly low probability
of actually occurring. What happens is that get_authorized_princ_names()
in heuristic.c opens the files and checks to make sure that the target
user owns them by calling fowner() (in authorization.c). When fowner()
discovers that the target user does not own them it closes the files and
returns FALSE. When get_authorized_princ_names sees that the files
are not owned by the target user, it calls close_time() to close
the already closed files which causes the segmentation fault.

krb5_authorization() also calls fowner() and does not attempt to close
the files if the call reveals they are not owned by the target
user. krb5_authorization() and get_authorized_princ_names() need
to exhibit the same behavior after the fowner() call. The attached
patch removes the call to close from fowner() and adds them to

close_time() calls close on the files based on whether or not they
exist rather than whether or not they were successfully opened. This
can lead to races. It would be cleaner to eliminate this call, but
that code is not included in this patch, since the existing code
is operational. I can send a patch for this if you want.

Create a .k5login or .k5users file in UserA's home directory.
Insert an entry for UserB. Chown either or both files to UserC. Login
as UserB and run `ksu UserA`. A segmentation fault will occur.

diff -ur src.old/clients/ksu/authorization.c src/clients/ksu/authorization.c
--- src.old/clients/ksu/authorization.c Mon Oct 1 16:55:51 2001
+++ src/clients/ksu/authorization.c Tue Oct 9 17:53:22 2001
@@ -40,12 +40,10 @@
* the user himself, or by root. Otherwise, don't grant access.
if (fstat(fileno(fp), &sbuf)) {
- fclose(fp);

if ((sbuf.st_uid != uid) && sbuf.st_uid) {
- fclose(fp);

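Review bot: with both fclose() calls removed, fowner() now returns FALSE on the fstat() failure and on the ownership mismatch while leaving fp open, so the stream's lifetime belongs entirely to the caller; the comment above the function should state that contract, and any caller of fowner() not updated in this patch would now leak the descriptor where it previously got an implicit close.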
@@ -103,8 +101,10 @@
if (!k5login_flag){
if ((login_fp = fopen(k5login_path, "r")) == NULL)
return 0;
- if ( fowner(login_fp, pwd->pw_uid) == FALSE)
+ if ( fowner(login_fp, pwd->pw_uid) == FALSE) {
+ fclose(login_fp);
return 0;
+ }

if (!k5users_flag){
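Review bot: the new fclose(login_fp) in the k5login branch fixes the leak but leaves login_fp pointing at a freed stream; given the report's note that close_time() closes files based on whether they exist rather than whether they were opened, setting login_fp = NULL right after the fclose() (and having any later closer skip NULL) is the cheap guard against a second close of the same stream.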
@@ -112,6 +112,7 @@
return 0;
if ( fowner(users_fp, pwd->pw_uid) == FALSE){
+ fclose(users_fp);
return 0;

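Review bot: the k5users branch now closes users_fp on the ownership failure, but unless it is closed somewhere between the two hunks, a login_fp that was opened and passed fowner() in the preceding branch is still open on this return 0 path; the same clear-after-close discipline (users_fp = NULL) applies here, and the brace spacing `== FALSE){` here versus `== FALSE) {` in the previous hunk should be made consistent.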

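The ownership discipline the patch moves toward, as an added example that is not code from the krb5 sources: the checker only inspects the stream and never closes it, the opener is the single owner that closes it on failure, and the close goes through a pointer-clearing helper so a later "close everything" pass cannot close the same stream twice. Function names (stream_owned_by(), close_once(), open_checked(), demo()) are hypothetical, and the temp file is constructed for the demo.

```c
/* Added example, not krb5 code: one owner closes the stream, and it is closed
 * at most once. Function names are hypothetical; the temp file is constructed. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* Like fowner() after the patch: inspect only, never close fp on failure. */
static int stream_owned_by(FILE *fp, uid_t uid)
{
    struct stat sbuf;
    if (fstat(fileno(fp), &sbuf) != 0) return 0;
    return sbuf.st_uid == uid || sbuf.st_uid == 0;   /* owner or root */
}
/* Close at most once: clearing the pointer makes a second call a no-op, not a use of a freed FILE. */
static int close_once(FILE **fpp)
{
    if (fpp == NULL || *fpp == NULL) return 0;
    fclose(*fpp);
    *fpp = NULL;
    return 1;                                        /* a stream was closed */
}
/* Like the patched krb5_authorization(): the opener closes on failure,
 * exactly once. Returns 1 and stores the stream in *out when it is usable. */
static int open_checked(const char *path, uid_t uid, FILE **out)
{
    FILE *fp = fopen(path, "r");
    if (fp == NULL) return 0;
    if (!stream_owned_by(fp, uid)) {
        close_once(&fp);              /* the only close on this path */
        return 0;
    }
    *out = fp;
    return 1;
}
/* Self-check on a constructed temp file; returns 1 when every step holds. */
static int demo(void)
{
    char path[] = "/tmp/ksu_demo_XXXXXX";
    FILE *fp = NULL;
    int fd = mkstemp(path), ok;
    if (fd < 0) return 0;
    close(fd);
    ok = open_checked(path, getuid(), &fp) == 1 && close_once(&fp) == 1
      && close_once(&fp) == 0 && fp == NULL            /* second close: no-op */
      && open_checked(path, getuid() + 1, &fp) == (getuid() == 0); /* root owns all */
    close_once(&fp);
    unlink(path);
    return ok;
}
```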
State-Changed-From-To: open-feedback
State-Changed-By: raeburn
State-Changed-When: Thu Oct 18 22:10:17 2001

Thanks, this patch will be in our next release.
