Ticket History #8566: krb5_init_context() should detect set-uid-ness

# Fri Mar 31 00:06:52 2017 Nico Williams <nico@cryptonector.com> - Ticket created

Date:	Thu, 30 Mar 2017 15:48:23 -0500
From:	Nico Williams <nico@cryptonector.com>
To:	krb5-bugs@mit.edu
Subject:	krb5_init_context() should detect set-uid-ness

Download (untitled) / with headers
text/plain 881B

The krb5_init_secure_context() approach does not work for GSS
applications.

An application might use GSS unwittingly (via SASL, via LDAP, via
nss_ldap, via the name service switch).

It would be better to have krb5_init_context() automatically detect
set-uid context and function like krb5_init_secure_context() when in
set-uid context.

Heimdal has a portable set-uid detection facility that you could copy:

https://github.com/heimdal/heimdal/blob/master/lib/roken/issuid.c

It's not always possible to determine if the application is set-uid.

In some cases it's not.

Solaris/Illumos and OpenBSD have the only fail-safe method: the
issetugid(2) system call. FreeBSD and NetBSD have a system call with
the same name that unfortunately doesn't quite work correctly but which
will do. Recent Linux kernels supply ELF aux vector entries that
include the necessary information.

# Fri Mar 31 00:18:01 2017 ghudson@mit.edu (Greg Hudson) - Status changed from 'new' to 'open'

# Fri Mar 31 00:18:01 2017 ghudson@mit.edu (Greg Hudson) - Correspondence added

Download (untitled) / with headers
text/plain 319B

I am a bit concerned that using the broken issetugid() on FreeBSD (and
NetBSD, if it's also broken there) could break legitimate uses of
Kerberos environment variables with httpd. Of course we can address
that, at least partially, by limiting our use of issetugid() to
platforms where it is known not to be broken.

# Fri Mar 31 13:36:10 2017 Nico Williams <nico@cryptonector.com> - Comments added

Date:	Fri, 31 Mar 2017 12:34:16 -0500
From:	Nico Williams <nico@cryptonector.com>
To:	Greg Hudson via RT <rt-comment@krbdev.mit.edu>
Subject:	Re: [krbdev.mit.edu #8566] krb5_init_context() should detect set-uid-ness
RT-Send-Cc:

Download (untitled) / with headers
text/plain 593B

https://github.com/heimdal/heimdal/pull/270

Adds more intelligence to issuid():

- if AT_EXECPATH/AT_EXECFN/AT_SUN_EXECNAME is set, it will stat() that
to see if that file is set-uid/set-gid

- it will more intelligently detect getauxval() implementations that do
not set errno = ENOENT when the type is not found and will try
reading /proc/self/auxv if it is available

- it will use getresuid() and getregid() if available as part of the
last ditch effort (that now should only apply to non-ELF programs)

- it will memoize its results to avoid doing slow things repeatedly