
Date: Thu, 30 Mar 2017 15:48:23 -0500
From: Nico Williams <>
Subject: krb5_init_context() should detect set-uid-ness

The krb5_init_secure_context() approach does not work for GSS

An application might use GSS unwittingly (via SASL, via LDAP, via
nss_ldap, via the name service switch).

It would be better to have krb5_init_context() automatically detect
set-uid context and function like krb5_init_secure_context() when in
set-uid context.

Heimdal has a portable set-uid detection facility that you could copy:

It's not always possible to determine if the application is set-uid.

In some cases it's not.

Solaris/Illumos and OpenBSD have the only fail-safe method: the
issetugid(2) system call. FreeBSD and NetBSD have a system call with
the same name that unfortunately doesn't quite work correctly but which
will do. Recent Linux kernels supply ELF aux vector entries that
include the necessary information.

I am a bit concerned that using the broken issetugid() on FreeBSD (and
NetBSD, if it's also broken there) could break legitimate uses of
Kerberos environment variables with httpd. Of course we can address
that, at least partially, by limiting our use of issetugid() to
platforms where it is known not to be broken.

Date: Fri, 31 Mar 2017 12:34:16 -0500
From: Nico Williams <>
To: Greg Hudson via RT <>
Subject: Re: [ #8566] krb5_init_context() should detect set-uid-ness

Adds more intelligence to issuid():

- if AT_EXECPATH/AT_EXECFN/AT_SUN_EXECNAME is set, it will stat() that
to see if that file is set-uid/set-gid

- it will more intelligently detect getauxval() implementations that do
not set errno = ENOENT when the type is not found and will try
reading /proc/self/auxv if it is available

- it will use getresuid() and getregid() if available as part of the
last ditch effort (that now should only apply to non-ELF programs)

- it will memoize its results to avoid doing slow things repeatedly
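
A sketch of the layered check listed in the last message, added here as an example (it is not Heimdal's issuid() and not code from this thread), for Linux with glibc. It assumes the AT_SECURE and AT_UID/AT_EUID/AT_GID/AT_EGID aux vector entries carry the needed information, uses hypothetical function names, substitutes getuid()/geteuid() for the getresuid() step, and omits the stat() of the exec path.

```c
#include <stdio.h>
#include <sys/auxv.h>
#include <unistd.h>

/* Find `type` in a raw auxv image: (type, value) pairs ending at AT_NULL. */
static int auxv_find(const unsigned long *av, size_t n, unsigned long type,
                     unsigned long *out)
{
    for (size_t i = 0; i + 1 < n && av[i] != AT_NULL; i += 2)
        if (av[i] == type) { *out = av[i + 1]; return 1; }
    return 0;
}

/* 1 = privileges elevated at exec, 0 = not, -1 = the vector cannot tell. */
int elevated_from_auxv(const unsigned long *av, size_t n)
{
    unsigned long sec = 0, u, eu, g, eg;
    int have_sec = auxv_find(av, n, AT_SECURE, &sec);

    if (have_sec && sec != 0)
        return 1;
    if (auxv_find(av, n, AT_UID, &u) && auxv_find(av, n, AT_EUID, &eu) &&
        auxv_find(av, n, AT_GID, &g) && auxv_find(av, n, AT_EGID, &eg))
        return u != eu || g != eg;
    return have_sec ? 0 : -1;
}

/* Memoized check: the slow paths run at most once per process. */
int issuid_example(void)
{
    static int memo = -1;
    unsigned long av[256];
    FILE *f;
    int r = -1;

    if (memo >= 0)
        return memo;
    if (getauxval(AT_SECURE) != 0)     /* 0 may also mean "type not found" */
        return memo = 1;
    if ((f = fopen("/proc/self/auxv", "rb")) != NULL) {
        r = elevated_from_auxv(av, fread(av, sizeof(av[0]), 256, f));
        fclose(f);
    }
    if (r < 0)                         /* last resort: compare credentials */
        r = getuid() != geteuid() || getgid() != getegid();
    return memo = r;
}

int main(void)
{
    printf("elevated at exec: %d\n", issuid_example());
    return 0;
}
```

A library initializer would consult such a check before honouring environment variables that name configuration or credential cache locations.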