From daemon@netmediatech.com Mon Nov 25 12:04:43 1996
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id MAA07288 for <bugs@RT-11.MIT.EDU>; Mon, 25 Nov 1996 12:04:43 -0500
Received: from netmediatech.com by MIT.EDU with SMTP
id AA11788; Mon, 25 Nov 96 12:04:36 EST
Received: from net ([207.34.208.137]) by media.netmediatech.com with SMTP id <38940-4545>; Mon, 25 Nov 1996 12:05:25 -0500
Message-Id: <3299D1D1.167E@netmediatech.com>
Date: Mon, 25 Nov 1996 12:05:21 -0500
From: Peter Ziobrzynski <pzi@netmediatech.com>
Sender: daemon <daemon@netmediatech.com>
To: schemers@stanford.edu
Cc: krb5-bugs@MIT.EDU, kerberos@MIT.EDU
Subject: Re: Can't forward credentials with beta7 (fwd)
References: <199611230119.RAA03923@slapshot.stanford.edu>

>Number: 235
>Category: pending
>Synopsis: Re: Can't forward credentials with beta7 (fwd)
>Confidential: yes
>Severity: serious
>Priority: medium
>Responsible: gnats-admin
>State: closed
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Mon Nov 25 12:05:01 EST 1996
>Last-Modified: Sat Nov 30 17:59:27 EST 1996
>Originator:
>Organization:
>Release:
>Environment:
>Description:
>How-To-Repeat:
>Fix:
>Audit-Trail:

State-Changed-From-To: open-closed
State-Changed-By: tlyu
State-Changed-When: Sat Nov 30 17:59:05 1996
State-Changed-Why:

This will be fixed in the 1.0 release.

>Unformatted:
schemers@stanford.edu wrote:
>
> ------- start of forwarded message (RFC 934 encapsulation) -------
> Path: nntp.Stanford.EDU!news.Stanford.EDU!nntp-hub2.barrnet.net!cpk-news-feed2.bbnplanet.com!cam-news-hub1.bbnplanet.com!news3.near.net!pad-thai.cam.ov.com!INTERNET!dont-mail-to-path-lines
> Newsgroups: comp.protocols.kerberos
> Organization: comp.protocols.kerberos<->kerberos@mit.edu gateway
> Lines: 242
> Message-ID: <tslohj22ujb.fsf@tertius.mit.edu>
> References: <51rnqi$3gj@news.ox.ac.uk>
> NNTP-Posting-Host: pad-thai.cam.ov.com
> From: hartmans@MIT.EDU (Sam Hartman)
> Sender: daemon@cam.ov.com
> Subject: Re: Can't forward credentials with beta7
> Date: 19 Sep 1996 15:40:32 -0400
>
> The inability to forward credentials was introduced by a
> last-minute (well, last-hour at least) patch to fix a political bug.
> Basically, there was a potential security problem if /tmp didn't have
> the sticky bit set and you run login.krb5. This isn't really a
> problem because many other products and other parts of Kerberos assume
> that /tmp has the sticky bit set.
>
> This is fairly substantially my fault as I had an opportunity
> to audit the patch and missed the fairly obvious fact that it
> completely broke forwarding tickets. I don't think someone has worked
> out a correct patch yet and they certainly haven't committed it to our
> tree. However, since the problem it fixes is not a problem on
> correctly configured systems, you can just unapply the patch with
> patch -R.
>
> From bjaspan@MIT.EDU Wed Sep 11 15:49:00 1996
> Received: from SOUTH-STATION-ANNEX.MIT.EDU by po10.MIT.EDU (5.61/4.7) id AA24620; Wed, 11 Sep 96 15:32:23 EDT
> Received: from DUN-DUN-NOODLES.MIT.EDU by MIT.EDU with SMTP
> id AA26766; Wed, 11 Sep 96 15:32:17 EDT
> Received: by DUN-DUN-NOODLES.MIT.EDU (5.x/4.7) id AA16374; Wed, 11 Sep 1996 15:32:14 -0400
> Date: Wed, 11 Sep 1996 15:32:14 -0400
> Message-Id: <9609111932.AA16374@DUN-DUN-NOODLES.MIT.EDU>
> From: "Barry Jaspan" <bjaspan@MIT.EDU>
> To: hartmans@MIT.EDU
> Lines: 212
> Xref: tertius.mit.edu mail.misc:5258
>
> Index: login.c
> ===================================================================
> RCS file: /mit/krbdev/.cvsroot/src/appl/bsd/login.c,v
> retrieving revision 5.49
> diff -c -r5.49 login.c
> *** login.c 1996/06/24 04:05:09 5.49
> - --- login.c 1996/09/10 17:53:23
> ***************
> *** 612,618 ****
> /* get_name pulls out just the name not the
> type */
> strcpy(ccfile, krb5_cc_get_name(kcontext, ccache));
> - - (void) chown(ccfile, pwd->pw_uid, pwd->pw_gid);
> krbflag = got_v5_tickets = 1;
> return 1;
> }
> - --- 612,617 ----
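Review bot: deleting the chown() here leaves the root-created V5 ccache owned by root until the re-initialisation that runs after setuid later in this patch, and nothing at this point says so; a one-line comment pointing at that later step would stop the next reader from putting the chown back. It also assumes the `got_v5_tickets = 1` path just above is the only way this cache comes into existence; a cache reached by another name (the `ccname` "forwarded cache" declared further down, for instance) is not covered by this hunk.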
> ***************
> *** 704,710 ****
> }
> got_v4_tickets = 1;
> strcpy(tkfile, tkt_string());
> - - (void) chown(tkfile, pwd->pw_uid, pwd->pw_gid);
> return 1;
> }
> #endif
> - --- 703,708 ----
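Review bot: same concern as the V5 hunk for the V4 ticket file: `got_v4_tickets = 1` and `strcpy(tkfile, tkt_string())` stay, but `tkfile` is now left root-owned and the fix relies entirely on `in_tkt()` being re-run after setuid; record that dependency in a comment here rather than leaving the removal unexplained.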
> ***************
> *** 726,732 ****
> kpass_ok = 1;
> krbflag = 1;
> strcpy(tkfile, tkt_string());
> - - (void) chown(tkfile, pwd->pw_uid, pwd->pw_gid);
> break;
> /* These errors should be silent */
> /* So the Kerberos database can't be probed */
> - --- 724,729 ----
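Review bot: this third removed chown() sits on a path whose visible context sets `kpass_ok = 1; krbflag = 1;` but not `got_v4_tickets`; the save-and-restore code added later in this patch is keyed on `got_v4_tickets`, while `destroy_tickets()` runs whenever V4 support is compiled in. Confirm that this path also sets `got_v4_tickets` somewhere outside the shown context, otherwise tickets obtained here are destroyed before setuid and never re-created.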
> ***************
> *** 877,884 ****
> krb5_ticket *ticket = NULL;
>
> /* XXX This is to work around a library bug. I'm not sure if it's
> ! been fixed for beta-6, so leave this in for now. Remove it (and
> ! fix the bug if necessary) after beta-6 ships. */
> sleep(2);
>
> /* get the server principal for the local host */
> - --- 874,886 ----
> krb5_ticket *ticket = NULL;
>
> /* XXX This is to work around a library bug. I'm not sure if it's
> ! been fixed for beta-7, so leave this in for now. Remove it (and
> ! fix the bug if necessary) after beta-7 ships.
> !
> ! Whoever wrote that comment didn't mention what the bug is! Ted
> ! says it is something about the starttime of the ticket and
> ! "now" being equal. He thinks it is fixed, but isn't sure.
> ! */
> sleep(2);
>
> /* get the server principal for the local host */
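Review bot: the rewritten comment renews the unexplained `sleep(2)` by changing only "beta-6" to "beta-7" while stating that nobody knows which bug it works around; a workaround with an unknown cause should not be carried from release to release by renaming. Replace the release reference with a pointer to a tracked bug, or test Ted's hypothesis that the ticket starttime equals "now" and drop the sleep if it holds.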
> ***************
> *** 1157,1163 ****
> int retval;
> #ifdef KRB5_GET_TICKETS
> krb5_principal me;
> ! #endif /* KRB5_GET_TICKETS */
> char *ccname = 0; /* name of forwarded cache */
> char *tz = 0;
>
> - --- 1159,1169 ----
> int retval;
> #ifdef KRB5_GET_TICKETS
> krb5_principal me;
> ! krb5_creds save_v5creds;
> ! #endif
> ! #ifdef KRB4_GET_TICKETS
> ! CREDENTIALS save_v4creds;
> ! #endif
> char *ccname = 0; /* name of forwarded cache */
> char *tz = 0;
>
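Review bot: the `#endif` that closes `KRB5_GET_TICKETS` lost its `/* KRB5_GET_TICKETS */` trailer, while the new `KRB4_GET_TICKETS` block and the other `#endif`s in this patch keep theirs; restore it so the nested conditionals stay readable. Declaring `save_v5creds` and `save_v4creds` under the same guards as `me` is the right placement.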
> ***************
> *** 1639,1644 ****
> - --- 1645,1714 ----
> (void)setgid((gid_t) pwd->pw_gid);
> (void) initgroups(username, pwd->pw_gid);
>
> + /*
> + * The V5 ccache and V4 ticket file are both created as root.
> + * They need to be owned by the user, and chown (a) assumes
> + * they are stored in a file and (b) allows a race condition
> + * in which a user can delete the file (if the directory
> + * sticky bit is not set) and make it a symlink to somewhere
> + * else; on some platforms, chown() on a symlink actually
> + * changes the owner of the pointed-to file. This is Bad.
> + *
> + * So, we suck the V5 and V4 krbtgts into memory here, destroy
> + * the ccache/ticket file, and recreate them later after the
> + * setuid.
> + */
> + #ifdef KRB5_GET_TICKETS
> + if (got_v5_tickets) {
> + krb5_creds mcreds;
> +
> + memset(&mcreds, 0, sizeof(mcreds));
> + memset(&save_v5creds, 0, sizeof(save_v5creds));
> +
> + mcreds.client = me;
> + retval = krb5_build_principal_ext(kcontext, &mcreds.server,
> + krb5_princ_realm(kcontext, me)->length,
> + krb5_princ_realm(kcontext, me)->data,
> + tgtname.length, tgtname.data,
> + krb5_princ_realm(kcontext, me)->length,
> + krb5_princ_realm(kcontext, me)->data,
> + 0);
> + if (retval) {
> + syslog(LOG_ERR,
> + "%s while creating V5 krbtgt principal",
> + error_message(retval));
> + sleepexit(1);
> + }
> + mcreds.ticket_flags = TKT_FLG_INITIAL;
> +
> + if (retval = krb5_cc_retrieve_cred(kcontext, ccache,
> + KRB5_TC_MATCH_FLAGS,
> + &mcreds, &save_v5creds)) {
> + syslog(LOG_ERR,
> + "%s while retrieiving V5 initial ticket for copy",
> + error_message(retval));
> + sleepexit(1);
> + }
> + krb5_free_principal(kcontext, mcreds.server);
> + }
> + #endif /* KRB5_GET_TICKETS */
> + #ifdef KRB4_GET_TICKETS
> + if (got_v4_tickets) {
> + memset(&save_v4creds, 0, sizeof(save_v4creds));
> +
> + retval = krb_get_cred("krbtgt", realm, realm, &save_v4creds);
> + if (retval != KSUCCESS) {
> + syslog(LOG_ERR,
> + "%s while retrieving V4 initial ticket for copy",
> + error_message(retval));
> + sleepexit(1);
> + }
> + }
> + #endif /* KRB4_GET_TICKETS */
> + #if defined(KRB5_GET_TICKETS) || defined(KRB4_GET_TICKETS)
> + destroy_tickets();
> + #endif
> +
> #ifdef OQUOTA
> quota(Q_DOWARN, pwd->pw_uid, (dev_t)-1, 0);
> #endif
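Review bot: the lookup `krb5_cc_retrieve_cred(kcontext, ccache, KRB5_TC_MATCH_FLAGS, &mcreds, &save_v5creds)` with `mcreds.ticket_flags = TKT_FLG_INITIAL` matches only a ticket obtained directly from the AS, and everything else in the cache is then thrown away by `destroy_tickets()`; a TGT that arrived by forwarding is issued by the TGS and does not carry the initial flag, so if `got_v5_tickets` can be set on such a path the retrieve fails and login dies in `sleepexit(1)`. Either match on the server principal without `KRB5_TC_MATCH_FLAGS`, or skip the destroy-and-restore when the cache is not one login created itself. Minor: "retrieiving" in the syslog text is misspelled, and `if (retval = krb5_cc_retrieve_cred(...))` wants an extra pair of parentheses around the assignment.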
> ***************
> *** 1665,1670 ****
> - --- 1735,1788 ----
> perror("setuid");
> sleepexit(1);
> }
> +
> + /*
> + * We are the user now. Re-create the destroyed ccache and
> + * ticket file.
> + */
> + #ifdef KRB5_GET_TICKETS
> + if (got_v5_tickets) {
> + retval = krb5_cc_initialize (kcontext, ccache, me);
> + if (retval) {
> + syslog(LOG_ERR,
> + "%s while re-initializing V5 ccache as user",
> + error_message(retval));
> + sleepexit(1);
> + }
> + if (retval = krb5_cc_store_cred(kcontext, ccache, &save_v5creds)) {
> + syslog(LOG_ERR,
> + "%s while re-storing V5 credentials as user",
> + error_message(retval));
> + sleepexit(1);
> + }
> + krb5_free_cred_contents(kcontext, &save_v5creds);
> + }
> + #endif /* KRB5_GET_TICKETS */
> + #ifdef KRB4_GET_TICKETS
> + if (got_v4_tickets) {
> + retval = in_tkt(save_v4creds.pname, save_v4creds.pinst);
> + if (retval != KSUCCESS) {
> + syslog(LOG_ERR,
> + "%s while re-initializing V4 ticket cache as user",
> + error_message(retval));
> + sleepexit(1);
> + }
> + retval = krb_save_credentials(save_v4creds.service,
> + save_v4creds.instance,
> + save_v4creds.realm,
> + save_v4creds.session,
> + save_v4creds.lifetime,
> + save_v4creds.kvno,
> + &(save_v4creds.ticket_st),
> + save_v4creds.issue_date);
> + if (retval != KSUCCESS) {
> + syslog(LOG_ERR,
> + "%s while re-storing V4 tickets as user",
> + error_message(retval));
> + sleepexit(1);
> + }
> + }
> + #endif /* KRB4_GET_TICKETS */
>
> if (*pwd->pw_shell == '\0')
> pwd->pw_shell = BSHELL;
>
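Review bot: `krb5_cc_initialize (kcontext, ccache, me)` followed by a single `krb5_cc_store_cred()` puts back exactly one credential, so any other entries the cache held before `destroy_tickets()` are silently gone once the user is logged in; if that is intended, say so in the comment, otherwise save and restore the whole cache. Worth checking as well: the re-creation runs as the user in the same directory, so on a /tmp without the sticky bit another user can pre-create the cache name before this point; the ccache and `in_tkt()` creation paths need exclusive-create semantics for the fix to hold. Minor: the space in `krb5_cc_initialize (` does not match the surrounding calls, and `if (retval = krb5_cc_store_cred(...))` has the same assignment-in-condition as the earlier hunk.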
> ------- end -------



I located a patch for login.c in
http://www.mit.edu:8008/menelaus.mit.edu/kerberos/8259.
This was posted to comp.protocols.kerberos some time ago.

I applied - fixed the problem - I can forward creds no problem.
Thanks anyway. I think somebody should come up with the merger
of these two patches and distribute the official one
(krb5-bugs@athena.mit.edu ?)

cheers - Peter
--
Peter Ziobrzynski, netMedia Technology Inc. <pzi@netmediatech.com>
204 Richmond St. #300, Toronto Ontario, Canada, M5V-1V6
tel.(416) 596-8520x242, fax.(416) 596-8610
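The chown-by-path race that the patch comment and Sam's reply describe, shown beside a hardened variant, as an added example in C that is not from the patch, from login.c or from MIT Kerberos; it assumes a POSIX system with O_NOFOLLOW and fchown(2), and both function names are the example's own. The patch itself sidesteps the problem by recreating the files after setuid; this shows the other common mitigation, changing ownership only through a descriptor that has been checked.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* exposes O_NOFOLLOW on older glibc */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the patch deletes: the cache is created as root and then
 * chown()ed by name. If /tmp lacks the sticky bit, any user can unlink
 * the file in between and drop a symlink at the same name; chown()
 * resolves the name at call time and follows the link, so the link's
 * target changes owner instead of the cache. */
int chown_by_path(const char *path, uid_t uid, gid_t gid)
{
    return chown(path, uid, gid);
}

/* Hardened variant (hypothetical helper): open the name without
 * following links, inspect the descriptor rather than the name, and
 * change ownership through that descriptor. Accepts only a plain file
 * with a single link that is still owned by `creator` (root in the
 * login case). Returns 0 on success, -1 with errno set on failure;
 * EPERM means the inode is not the one that was created. */
int chown_nofollow_checked(const char *path, uid_t creator,
                           uid_t uid, gid_t gid)
{
    struct stat st;
    int rc, saved;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NOCTTY);
    if (fd < 0)
        return -1;                  /* a symlink fails here (ELOOP) */
    if (fstat(fd, &st) < 0) {
        close(fd);
        return -1;
    }
    if (!S_ISREG(st.st_mode) || st.st_uid != creator || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;              /* replaced, hard-linked, or not ours */
        return -1;
    }
    rc = fchown(fd, uid, gid);      /* acts on the inode just inspected */
    saved = errno;
    close(fd);
    errno = saved;
    return rc;
}
```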