From djm@web.us.uu.net Fri Apr 14 12:24:37 2000
Received: from MIT.EDU (SOUTH-STATION-ANNEX.MIT.EDU [18.72.1.2])
by rt-11.mit.edu (8.9.3/8.9.3) with SMTP id MAA03184
for <bugs@RT-11.MIT.EDU>; Fri, 14 Apr 2000 12:24:37 -0400 (EDT)
Received: from jenkins.web.us.uu.net by MIT.EDU with SMTP
id AA02051; Fri, 14 Apr 00 12:24:32 EDT
Received: from dagger.web.us.uu.net by jenkins.web.us.uu.net with ESMTP
(peer crosschecked as: dagger.web.us.uu.net [208.211.134.28])
id MAA11576; Fri, 14 Apr 2000 12:24:36 -0400 (EDT)
Received: by dagger.web.us.uu.net
id MAA28479; Fri, 14 Apr 2000 12:24:12 -0400
Message-Id: <MAA28479.200004141624@dagger.web.us.uu.net>
Date: Fri, 14 Apr 2000 12:24:12 -0400
From: djm@web.us.uu.net (David J. MacKenzie)
Reply-To: djm@web.us.uu.net
To: krb5-bugs@MIT.EDU
Cc: djm@web.us.uu.net
Subject: ksu uses the wrong principal by default
X-Send-Pr-Version: 3.99

>Number: 839
>Category: krb5-clients
>Synopsis: ksu uses the wrong principal by default
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Fri Apr 14 12:25:00 EDT 2000
>Last-Modified: Mon Apr 24 13:32:00 EDT 2000
>Originator: David MacKenzie
>Organization:
UUNET Technologies
>Release: krb5-1.1.1
>Environment:

System: Linux dagger.web.us.uu.net 2.2.14-15mdk #2 Sat Mar 11 19:32:26 EST 2000 i686 unknown
Architecture: i686

>Description:
ksu to root prompts for the password for "root@REALM" instead of
"$USER/root@REALM". The workaround is to use -n to specify the
right principal. My understanding of the Kerberos security model
is that each user is supposed to have their own root instance.
At least, that's how we've been running it for about 9 years
at the University of Maryland and UUNET.

>How-To-Repeat:
ksu
>Fix:

I accidentally included this hunk of diff also in my change request
for adding ksu -m.

--- /homes/elves/djm/src/krb5-1.1.1/src/clients/ksu/main.c Fri Dec 17 15:44:39 1999
+++ src/clients/ksu/main.c Tue Mar 28 02:05:48 2000
@@ -371,6 +386,19 @@
exit(1);
}
}
+
+ if (options.princ == 0 && target_uid == 0 && source_uid != 0) {
+ char *source_princ = xmalloc(strlen(source_user) + 6);
+ sprintf(source_princ, "%s/root", source_user);
+
+ if ((retval = krb5_parse_name(ksu_context, source_princ, &client))){
+ com_err(prog_name, retval, "when parsing name %s", source_princ);
+ errflg++;
+ }
+ free(source_princ);
+ options.princ = 1;
+ }
+
if ((retval = get_best_princ_for_target(ksu_context, source_uid,
target_uid, source_user, target_user, cc_source,
&options, cmd, localhostname, &client, &hp))){
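Review bot: `options.princ = 1;` at the end of the added block runs even when `krb5_parse_name` failed (the `errflg++` branch), so the following `get_best_princ_for_target` call is told a principal was supplied while `client` never received one; move `options.princ = 1;` inside the success path, or bail out on `errflg` before that call. The block also short-circuits `get_best_princ_for_target` for every non-root caller targeting uid 0, so whatever ~root/.k5login lists is never consulted in that case; since that function already selects $USER/root when the principal is in ~root/.k5login, the special case belongs in that selection rather than in front of it. The allocation `strlen(source_user) + 6` is exact for "/root" plus the terminator, so that part is fine.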
>Audit-Trail:

From: Ken Raeburn <raeburn@MIT.EDU>
To: djm@web.us.uu.net
Cc: krb5-bugs@MIT.EDU
Subject: Re: krb5-clients/839: ksu uses the wrong principal by default
Date: 21 Apr 2000 08:58:20 -0400

> ksu to root prompts for the password for "root@REALM" instead of
> "$USER/root@REALM". The workaround is to use -n to specify the
> right principal. My understanding of the Kerberos security model
> is that each user is supposed to have their own root instance.
> At least, that's how we've been running it for about 9 years
> at the University of Maryland and UUNET.

The call to get_best_princ_for_target should be taking care of
selecting $USER/root if that principal is listed in ~root/.k5login.
Is it not working in your case?

Ken

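Ken's answer hinges on get_best_princ_for_target reading ~root/.k5login. The C program below is an added example, not ksu's own code, that models only the part of the selection the thread describes: prefer `<source>/root@REALM` when the target user's .k5login lists it, otherwise fall back to `<target>@REALM` (the root@REALM prompt the reporter saw before the file existed). The realm EXAMPLE.COM, the .k5login contents and the fallback rule are assumptions for illustration; the real ksu algorithm documented in the man page considers more cases than this.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ENTRIES 32
#define PRINC_LEN 256

/* Parse the text of a .k5login file: one principal per line, blank lines
 * and trailing whitespace ignored. Returns the number of entries stored. */
static int parse_k5login(const char *text, char entries[][PRINC_LEN], int max)
{
    int n = 0;
    const char *p = text;

    while (*p && n < max) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);

        while (len > 0 && (p[len - 1] == '\r' || p[len - 1] == ' ' || p[len - 1] == '\t'))
            len--;
        if (len > 0 && len < PRINC_LEN) {
            memcpy(entries[n], p, len);
            entries[n][len] = '\0';
            n++;
        }
        if (!nl)
            break;
        p = nl + 1;
    }
    return n;
}

/* Simplified model (assumption, not ksu's real algorithm) of which client
 * principal ksu authenticates as:
 *   - "<source>/root@REALM" if the target's .k5login lists it  -> returns 1
 *   - otherwise "<target>@REALM"                               -> returns 0
 *   - -1 if a buffer would overflow.
 * k5login_text may be NULL to model a missing ~target/.k5login. */
int choose_principal(const char *source_user, const char *target_user,
                     const char *realm, const char *k5login_text,
                     char *out, size_t outlen)
{
    char entries[MAX_ENTRIES][PRINC_LEN];
    char wanted[PRINC_LEN];
    int n, i;

    if (snprintf(wanted, sizeof wanted, "%s/root@%s", source_user, realm) >= (int)sizeof wanted)
        return -1;

    n = k5login_text ? parse_k5login(k5login_text, entries, MAX_ENTRIES) : 0;
    for (i = 0; i < n; i++) {
        if (strcmp(entries[i], wanted) == 0) {
            if (snprintf(out, outlen, "%s", wanted) >= (int)outlen)
                return -1;
            return 1;
        }
    }
    /* No per-user root instance listed: fall back to the target's own
     * principal, which is what the reporter observed ("root@REALM"). */
    if (snprintf(out, outlen, "%s@%s", target_user, realm) >= (int)outlen)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample ~root/.k5login with two per-user root instances. */
    const char *k5login = "alice/root@EXAMPLE.COM\ndjm/root@EXAMPLE.COM\n";
    char princ[PRINC_LEN];
    int rc;

    rc = choose_principal("djm", "root", "EXAMPLE.COM", k5login, princ, sizeof princ);
    printf("with .k5login:    %s (rc=%d)\n", princ, rc);
    rc = choose_principal("djm", "root", "EXAMPLE.COM", NULL, princ, sizeof princ);
    printf("without .k5login: %s (rc=%d)\n", princ, rc);
    return 0;
}
```

The second call reproduces the report: with no ~root/.k5login on the machine the model falls back to root@REALM, which is why the reporter was prompted for the shared root principal's password until the file was in place.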
From: "David J. MacKenzie" <djm@web.us.uu.net>
To: Ken Raeburn <raeburn@MIT.EDU>
Cc: djm@web.us.uu.net, krb5-bugs@MIT.EDU
Subject: Re: krb5-clients/839: ksu uses the wrong principal by default
Date: Mon, 24 Apr 2000 13:20:53 -0400

>
> > ksu to root prompts for the password for "root@REALM" instead of
> > "$USER/root@REALM". The workaround is to use -n to specify the
> > right principal. My understanding of the Kerberos security model
> > is that each user is supposed to have their own root instance.
> > At least, that's how we've been running it for about 9 years
> > at the University of Maryland and UUNET.
>
> The call to get_best_princ_for_target should be taking care of
> selecting $USER/root if that principal is listed in ~root/.k5login.
> Is it not working in your case?

It is now. I suspect that before, I hadn't yet put a ~root/.k5login
onto the machine.

It looks like the algorithm for selecting a principal is documented
in the ksu man page, but it's so complicated that I didn't understand
what it was trying to do!

From: Ken Raeburn <raeburn@MIT.EDU>
To: "David J. MacKenzie" <djm@web.us.uu.net>
Cc: krb5-bugs@MIT.EDU
Subject: Re: krb5-clients/839: ksu uses the wrong principal by default
Date: 24 Apr 2000 13:31:02 -0400

> It looks like the algorithm for selecting a principal is documented
> in the ksu man page, but it's so complicated that I didn't understand
> what it was trying to do!

Yep. Longstanding bug. :-(
>Unformatted: