From: | ghudson@mit.edu |
Subject: | git commit |
In ksu, without the -e flag, also check .k5users
When ksu was explicitly told to spawn a shell, a line in .k5users which
listed "*" as the allowed command would cause the principal named on the
line to be considered as a candidate for authentication.
When ksu was not passed a command to run, which implicitly meant that
the invoking user wanted to run the target user's login shell, knowledge
that the principal was a valid candidate was ignored, which could cause
a less optimal choice of the default target principal.
This doesn't impact the authorization checks which we perform later.
https://github.com/krb5/krb5/commit/3a32e1e6e644c6092f48cf6b6f2d0b8635b3dd52
Author: Nalin Dahyabhai <nalin@redhat.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: 3a32e1e6e644c6092f48cf6b6f2d0b8635b3dd52
Branch: master
src/clients/ksu/heuristic.c | 19 ++++++-------------
1 files changed, 6 insertions(+), 13 deletions(-)