Ticket History #8895: ksu does not honor KRB5CCNAME

# Sun Apr 05 23:42:38 2020 Garrett Wollman <wollman@bimajority.org> - Ticket created

From:	"Garrett Wollman" <wollman@bimajority.org>
Date:	Sat, 4 Apr 2020 22:07:55 -0400
To:	krb5-bugs@mit.edu
Subject:	ksu broken on 1.18

Download (untitled) / with headers
text/plain 553B

The change described thusly in the release notes:

setuid programs will automatically ignore environment
variables that normally affect krb5 API functions, even if the
caller does not use krb5_init_secure_context().

breaks ksu when run in an ssh session (either interactively, or, e.g.,
by ansible). ssh creates separate ccaches for each session and sets
KRB5CCNAME accordingly; ignoring the process environment causes ksu to
look at the nonexistent default ccache and conclude that the user
needs to enter a password to authenticate.

-GAWollman

# Mon Apr 06 20:46:48 2020 ghudson@mit.edu (Greg Hudson) - Subject changed from 'ksu broken on 1.18' to 'ksu does not honor KRB5CCNAME'

# Mon Apr 06 20:46:48 2020 ghudson@mit.edu (Greg Hudson) - Status changed from 'new' to 'open'

# Wed Apr 08 16:27:17 2020 ghudson@mit.edu (Greg Hudson) - Status changed from 'open' to 'resolved'

# Wed Apr 08 16:27:18 2020 ghudson@mit.edu (Greg Hudson) - Target_Version 1.18-next added

# Wed Apr 08 16:27:18 2020 ghudson@mit.edu (Greg Hudson) - Taken

# Wed Apr 08 16:27:18 2020 ghudson@mit.edu (Greg Hudson) - Tags pullup added

# Wed Apr 08 16:27:18 2020 ghudson@mit.edu (Greg Hudson) - Correspondence added

Subject:	git commit
From:	ghudson@mit.edu

Download (untitled) / with headers
text/plain 729B

Make ksu honor KRB5CCNAME again

Commit d439e370b70f7af4ed2da9c692a3be7dcf7b4ac6 (ticket 8800) caused
ksu to ignore KRB5CCNAME from the environment. ksu uses euid
switching to access the source cache, and should honor KRB5CCNAME to
find the ccache to potentially authorize the su operation.

Add a helper function init_ksu_context() to create the ksu context,
with explicit code to honor KRB5CCNAME using
krb5_cc_set_default_name().

https://github.com/krb5/krb5/commit/8b1fff99f59f779bf7f7261f17b835576e20d35d
Author: Greg Hudson <ghudson@mit.edu>
Commit: 8b1fff99f59f779bf7f7261f17b835576e20d35d
Branch: master
src/clients/ksu/main.c | 31 ++++++++++++++++++++++++++++++-
1 files changed, 30 insertions(+), 1 deletions(-)

# Fri Apr 10 15:07:17 2020 ghudson@mit.edu (Greg Hudson) - Version_Fixed 1.18.1 added

# Fri Apr 10 15:07:17 2020 ghudson@mit.edu (Greg Hudson) - Correspondence added

From:	ghudson@mit.edu
Subject:	git commit

Download (untitled) / with headers
text/plain 802B

Make ksu honor KRB5CCNAME again

Commit d439e370b70f7af4ed2da9c692a3be7dcf7b4ac6 (ticket 8800) caused
ksu to ignore KRB5CCNAME from the environment. ksu uses euid
switching to access the source cache, and should honor KRB5CCNAME to
find the ccache to potentially authorize the su operation.

Add a helper function init_ksu_context() to create the ksu context,
with explicit code to honor KRB5CCNAME using
krb5_cc_set_default_name().

(cherry picked from commit 8b1fff99f59f779bf7f7261f17b835576e20d35d)

https://github.com/krb5/krb5/commit/0ea94d49ba5861b2f78de4f27d37a53e0f4264b6
Author: Greg Hudson <ghudson@mit.edu>
Commit: 0ea94d49ba5861b2f78de4f27d37a53e0f4264b6
Branch: krb5-1.18
src/clients/ksu/main.c | 31 ++++++++++++++++++++++++++++++-
1 files changed, 30 insertions(+), 1 deletions(-)

# Fri Apr 10 15:09:18 2020 ghudson@mit.edu (Greg Hudson) - Tags pullup deleted