From ericm@gauss.math.montana.edu Tue Apr 21 16:15:53 1998
Received: from MIT.EDU (SOUTH-STATION-ANNEX.MIT.EDU [18.72.1.2]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id QAA21030 for <bugs@RT-11.MIT.EDU>; Tue, 21 Apr 1998 16:15:51 -0400
Received: from gauss.math.montana.edu by MIT.EDU with SMTP
id AA09716; Tue, 21 Apr 98 16:15:40 EDT
Received: (from ericm@localhost)
by gauss.math.montana.edu (5.65/DEC-Ultrix/4.3/) id OAA00350;
Tue, 21 Apr 1998 14:15:39 -0600 (MDT)
Message-Id: <199804212015.OAA00350@gauss.math.montana.edu>
Date: Tue, 21 Apr 1998 14:15:39 -0600 (MDT)
From: ericm@math.montana.edu
Reply-To: ericm@math.montana.edu
To: krb5-bugs@MIT.EDU
Subject: chdir(2) problem
X-Send-Pr-Version: 3.99

>Number: 582
>Category: krb5-appl
>Synopsis: problem with chdir(2) in login.krb5
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Tue Apr 21 16:16:01 EDT 1998
>Last-Modified: Fri Aug 07 00:54:51 EDT 1998
>Originator: Eric McWhorter
>Organization:
Montana State University
Eric McWhorter 2-207 Wilson Hall, MSU, Bozeman, MT 59717
College of Letters and Science (406)994-1788
Montana State University ericm@math.montana.edu
>Release: krb5-1.0.5
>Environment:
sun ultrasparc 2170, dec mips 5000/240
solaris 2.6, netbsd 1.3.1
System: SunOS gauss 5.6 Generic_105181-04 sun4u sparc SUNW,Ultra-2
Architecture: sun4

>Description:
When src/appl/bsd/login.c and src/appl/gssftp/ftpd/ftpd.c
check to see if the user login directory is valid, the
assumption is made that root can chdir(2) to the user's
home directory.
>How-To-Repeat:
nfs export home dir with root remapped to nobody, login
to an account with $HOME chmod 700. chdir(2) will fail
and login will be to system root dir.
>Fix:
src/appl/bsd/login.c:
seteuid(2) to user before chdir(2), then seteuid back to root
after chdir(2) (see patch).

src/appl/gssftp/ftpd/ftpd.c:
move setuid(2) call to just before chdir(2) call to home
directory (see patch).

Here's a patch:

*** krb5-1.0.5/src/appl/gssftp/ftpd/ftpd.c.orig Mon Apr 20 16:40:59 1998
--- krb5-1.0.5/src/appl/gssftp/ftpd/ftpd.c Mon Apr 20 16:41:05 1998
***************
*** 837,842 ****
--- 837,847 ----
ftp_logwtmp(ttyline, pw->pw_name, remotehost);
logged_in = 1;

+ if (seteuid((uid_t)pw->pw_uid) < 0) {
+ reply(550, "Can't set uid.");
+ goto bad;
+ }
+
if (guest) {
/*
* We MUST do a chdir() after the chroot. Otherwise
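Review bot: the new seteuid() to the user sits before the `if (guest)` block whose own comment says "We MUST do a chdir() after the chroot", so the anonymous-ftp chroot() that follows now runs without root's effective uid and fails (chroot(2) requires it); the submitter's follow-up confirms anonymous ftp broke. Do the chroot() first, then drop to the user and chdir(), which is the order the audit trail's eventual fix adopts.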
***************
*** 854,863 ****
goto bad;
} else
lreply(230, "No directory! Logging in with home=/");
- }
- if (seteuid((uid_t)pw->pw_uid) < 0) {
- reply(550, "Can't set uid.");
- goto bad;
}
if (guest) {
reply(230, "Guest login ok, access restrictions apply.");
--- 859,864 ----
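Review bot: deleting this block removes the only privilege drop that ran after the guest chroot(), and it is only safe if the earlier seteuid() can succeed on every path, which for guests it cannot while it precedes the chroot(). Rather than deleting it, keep one seteuid() immediately before the chdir() into the home directory and after the chroot(), so both guest and non-guest sessions reach the chdir() as the user.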
*** krb5-1.0.5/src/appl/bsd/login.c.orig Fri Feb 6 20:41:18 1998
--- krb5-1.0.5/src/appl/bsd/login.c Tue Apr 21 12:00:25 1998
***************
*** 401,406 ****
--- 401,407 ----

struct passwd *pwd;
static char *salt;
+ uid_t root_uid;

#ifdef HAVE_SHADOW
struct spwd *spwd;
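Review bot: `root_uid` is declared among the file-scope variables next to `pwd` and `salt`, but it only exists to save and restore the effective uid around one chdir(); make it a local in that function. Since what it has to hold is the effective uid, initialize it from geteuid() there rather than getuid(), and name it for what it stores (saved euid, not "root").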
***************
*** 1542,1553 ****
--- 1543,1569 ----
sleepexit(0);
}
#endif
+ /* root uid is likely 0, but should check just in case */
+ root_uid = getuid();
+
+ /* Should this call fail, we might login to / instead of our
+ home dir if root hasn't permissions on cwd, which is okay */
+ seteuid((uid_t) pwd->pw_uid);
+
if (chdir(pwd->pw_dir) < 0) {
printf("No directory %s!\n", pwd->pw_dir);
if (chdir("/"))
exit(0);
pwd->pw_dir = "/";
printf("Logging in with home = \"/\".\n");
+ }
+
+ /* switch back to root to finish login proceedure
+ if this call fails, things will be goofy */
+ if(seteuid(root_uid) < 0) {
+ syslog(LOG_ERR,
+ "seteuid: %s",
+ error_message(errno));
}

/* nothing else left to fail -- really log in */
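Review bot: `root_uid = getuid()` saves the real uid, but the value being restored is the effective uid, so this must be geteuid(); the comment "root uid is likely 0, but should check" describes a check that is never performed, and if login were ever started with a non-zero real uid, `seteuid(root_uid)` would discard root instead of restoring it. The return value of `seteuid((uid_t) pwd->pw_uid)` is also ignored, and a failed restore only syslogs and continues, which the comment itself calls "goofy": the rest of login would then run with the user's credentials, so end the session (sleepexit) there instead of carrying on.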
>Audit-Trail:

From: Sam Hartman <hartmans@MIT.EDU>
To: ericm@math.montana.edu
Cc: krb5-bugs@MIT.EDU
Subject: Re: krb5-appl/582: chdir(2) problem
Date: 02 May 1998 14:59:09 -0400

Note that we probably want to use krb5_seteuid in ftpd in general.
For login, it's unclear what we want to do. I do not want to
introduce any calls to krb5_setuid into a new program unless we have
to do so because POSIX does not guarantee that function will be able
to work. It might be more reasonable to have login check to see if
directory is valid *after* calling setuid.

Of course, if you are using krb5, you probably want to have your home dir mode 711 or better so that the daemons can read .k5login.

From: Eric McWhorter <ericm@gauss.math.montana.edu>
To: Sam Hartman <hartmans@MIT.EDU>
Cc:
Subject: Re: krb5-appl/582: chdir(2) problem
Date: Mon, 4 May 1998 07:53:37 -0600 (MDT)

Sam Hartman writes:
> Note that we probably want to use krb5_seteuid in ftpd in general.
> For login, it's unclear what we want to do. I do not want to
> introduce any calls to krb5_setuid into a new program unless we have
> to do so because POSIX does not guarantee that function will be able
> to work. It might be more reasonable to have login check to see if
> directory is valid *after* calling setuid.

My code doesn't work, so don't use it. :) I broke anon ftp. Checking
after setuid sounds okay.

> Of course, if you are using krb5, you probably want to have your home dir mode 711 or better so that the daemons can read .k5login.

But shouldn't the daemons be able to read .k5login as the user rather
than root, in other words, shouldn't the daemons all seteuid to the user
before working with .k5login rather than assuming/insisting root
has/have access?

Thanks!

--
Eric McWhorter 2-207 Wilson Hall, MSU, Bozeman, MT 59717
College of Letters and Science (406)994-1788
Montana State University ericm@math.montana.edu
>Unformatted:



[Matthew D. Hancher -- Fri Aug 7 00:52:36 EDT 1998]

I fixed this for ftpd, by moving the seteuid before the chdir() and moving
the guest chroot() even earlier. I have not yet done anything with login.

-mdh
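The save/switch/chdir/restore sequence that both patches in this report attempt, written out as an added example that is not part of krb5 or of either patch: every seteuid() is checked, the saved value is the effective uid, and a failed restore is treated as fatal rather than logged. The function name `enter_home_as_user`, the result codes and the nonexistent demo path are this example's own.

```c
/* Added example, not krb5 code: temporarily take the user's effective
 * uid for the chdir(2) into the home directory, as the login.c patch in
 * this thread does, but with every credential switch checked.
 * Function name and result codes are this example's own. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

enum home_result {
    HOME_ERROR = -1,        /* credentials could not be switched or restored */
    HOME_OK = 0,            /* cwd is the user's home directory */
    HOME_FALLBACK_ROOT = 1  /* home unusable as the user; cwd is "/" */
};

/* Try to enter `home` with effective uid `uid`, fall back to "/" the way
 * login.c does, then return to the caller's effective uid. On success
 * *effective_home points at the directory the session should use. */
int enter_home_as_user(uid_t uid, const char *home, const char **effective_home)
{
    uid_t saved = geteuid();    /* the effective uid is what gets restored */
    int rc;

    /* Become the user for the directory check. With root squashed to
     * nobody on an NFS export, root cannot enter a mode-700 home but the
     * owner can. A failed seteuid() is reported, not silently ignored. */
    if (seteuid(uid) < 0)
        return HOME_ERROR;

    if (chdir(home) == 0) {
        *effective_home = home;
        rc = HOME_OK;
    } else {
        int cause = errno;
        if (chdir("/") != 0) {
            (void) seteuid(saved);
            return HOME_ERROR;
        }
        fprintf(stderr, "No directory %s (%s)! Logging in with home = \"/\".\n",
                home, strerror(cause));
        *effective_home = "/";
        rc = HOME_FALLBACK_ROOT;
    }

    /* Restore and verify. Continuing with the wrong effective uid is
     * what the patch's own comment calls "goofy"; treat it as fatal. */
    if (seteuid(saved) < 0 || geteuid() != saved)
        return HOME_ERROR;
    return rc;
}

/* Stand-alone demo using the current user's own uid, so it runs
 * unprivileged (seteuid() to the real uid is always permitted). */
int main(void)
{
    const char *eff = NULL;
    int rc = enter_home_as_user(getuid(), "/nonexistent/home/demo", &eff);
    printf("result=%d effective_home=%s euid=%ld\n",
           rc, eff ? eff : "(none)", (long) geteuid());
    return rc == HOME_ERROR;
}
```

Run unprivileged it only ever switches to its own uid, so the root-squash failure itself needs root and a squashing export to reproduce; what the example shows is the control flow the patch leaves unchecked, and the fallback to "/" that login.c prints in the same situation.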
From kovert@omniscient.com Tue Apr 17 18:48:47 2001
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.72.0.53])
by rt-11.mit.edu (8.9.3/8.9.3) with ESMTP id SAA12158
for <bugs@RT-11.mit.edu>; Tue, 17 Apr 2001 18:48:46 -0400 (EDT)
Received: from surly.omniscient.com (surly.omniscient.com [208.213.83.10])
by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id SAA01956
for <krb5-bugs@mit.edu>; Tue, 17 Apr 2001 18:48:46 -0400 (EDT)
Received: from surly.omniscient.com (localhost [127.0.0.1])
by surly.omniscient.com (8.11.1/8.11.1) with ESMTP id f3HMmaD1208004
for <krb5-bugs@mit.edu>; Tue, 17 Apr 2001 18:48:36 -0400 (EDT)
Message-Id: <200104172248.f3HMmaD1208004@surly.omniscient.com>
Date: Tue, 17 Apr 2001 18:48:35 -0400
From: Todd Kover <kovert@omniscient.com>
To: krb5-bugs@mit.edu
Subject: login bug + fix

>Number: 943
>Category: krb5-appl
>Synopsis: login fails to chdir on nfs mounted files systems w/ ~ mode 700
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: raeburn
>State: analyzed
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Tue Apr 17 18:49:00 EDT 2001
>Last-Modified: Fri Oct 26 21:45:19 EDT 2001
>Originator: Todd Kover
>Organization:
Little
>Release: krb5-1.2.2
>Environment:
solaris on sparc, various versions

>Description:

If a site uses nfs mounted home directories, where root is mapped to
nobody and a user attempts to rlogin into one of those machines with
a home directory of mode 700, it will fail to chdir() to the directory
on login.
>How-To-Repeat:
should be pretty obvious. :-)
>Fix:
besides changing the mode on a home directory, moving the chdir to
after the setuid() fixes this, ala:

--- ../orig/krb5-1.2.2/src/appl/bsd/login.c Wed Feb 28 17:06:43 2001
+++ src/appl/bsd/login.c Tue Apr 17 16:39:44 2001
@@ -1416,14 +1416,6 @@
}
#endif

- if (chdir(pwd->pw_dir) < 0) {
- printf("No directory %s!\n", pwd->pw_dir);
- if (chdir("/"))
- exit(0);
- pwd->pw_dir = "/";
- printf("Logging in with home = \"/\".\n");
- }
-
/* nothing else left to fail -- really log in */
{
struct utmp utmp;
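Review bot: with the chdir() removed from here, everything between this point and the relocated chdir() runs in the working directory login inherited rather than the user's home, and the audit trail names code in that range (the HUSHLOGIN check) that depends on cwd, so it now looks in the wrong place. Build the full pathname from pwd->pw_dir for such checks instead of relying on cwd.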
@@ -1629,6 +1621,14 @@
if (setuid((uid_t) pwd->pw_uid) < 0) {
perror("setuid");
sleepexit(1);
+ }
+
+ if (chdir(pwd->pw_dir) < 0) {
+ printf("No directory %s!\n", pwd->pw_dir);
+ if (chdir("/"))
+ exit(0);
+ pwd->pw_dir = "/";
+ printf("Logging in with home = \"/\".\n");
}

/*
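Review bot: the `exit(0)` taken when even chdir("/") fails is now reached after setuid() and after the utmp entry was written in the "really log in" block above, so the login stays recorded with no cleanup and the process exits reporting success. Use the same error path as the adjacent setuid() failure (sleepexit(1)) and make sure the utmp record is cleared, as raeburn's note says.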


>Audit-Trail:

Responsible-Changed-From-To: krb5-unassigned->raeburn
Responsible-Changed-By: raeburn
Responsible-Changed-When: Fri Oct 26 21:15:47 2001
Responsible-Changed-Why:
I'll take it...

State-Changed-From-To: open-analyzed
State-Changed-By: raeburn
State-Changed-When: Fri Oct 26 21:16:02 2001
State-Changed-Why:

There are a couple problems with this patch. First, the chdir is
moved down past some code that's sensitive to what the current
directory is, in particular the HUSHLOGIN check. (Fix by constructing
the full pathname in a buffer.) Second, simply calling exit(0) may
not be correct after utmp has been updated to note the user's login;
that has to get cleaned up. (Look at the dofork path. If we exit
after the dofork call, maybe exiting is good enough.)

>Unformatted:
From ppomes@qualcomm.com Wed Oct 22 17:35:50 1997
Received: from MIT.EDU (SOUTH-STATION-ANNEX.MIT.EDU [18.72.1.2]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id RAA11456 for <bugs@RT-11.MIT.EDU>; Wed, 22 Oct 1997 17:35:40 -0400
Received: from zelkova.qualcomm.com by MIT.EDU with SMTP
id AA29260; Wed, 22 Oct 97 17:33:57 EDT
Received: (from ppomes@localhost) by zelkova.qualcomm.com (8.8.5/1.4/8.7.2/1.13) id OAA28689; Wed, 22 Oct 1997 14:33:21 -0700 (PDT)
Message-Id: <199710222133.OAA28689@zelkova.qualcomm.com>
Date: Wed, 22 Oct 1997 14:33:21 -0700 (PDT)
From: Paul Pomes <ppomes@qualcomm.com>
Reply-To: ppomes@qualcomm.com
To: krb5-bugs@MIT.EDU
Cc: ppomes@qualcomm.com
Subject: .k5login visibility problem on NFS-mounted home directories
X-Send-Pr-Version: 3.99

>Number: 482
>Category: krb5-libs
>Synopsis: .k5login file not always readable on NFS-mounted homes
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Wed Oct 22 17:36:01 EDT 1997
>Last-Modified:
>Originator: Paul Pomes
>Organization:
QUALCOMM, Inc.
6455 Lusk Blvd
San Diego, CA 92121-2779
>Release: 1.0pl1
>Environment:

System: SunOS zelkova 5.5.1 Generic_103640-04 sun4m sparc SUNW,SPARCstation-20
Architecture: sun4

>Description:
Unless user home directories are exported with root un-mapped,
krb5_kuserok() cannot always read the .k5login file. If search
access on the user's home directory is allowed to all and the
.k5login file itself is world-readable, then root can be un-mapped.
>How-To-Repeat:
Make your home directory (/home/foo) mode 700 and/or your
~foo/.k5login file mode 400.

Insert bar's principal name into your .k5login file. kinit to bar.
Attempt to telnet to a host that has the home directories mounted
without the root clause in /etc/dfs/dfstab ala

telnet -l foo newhost

Note the failed login. Change the /home/foo to mode 755 and
~foo/.k5login to 644. Retry the telnet command and note success.
>Fix:
Apply the following three patches. The patch to lib/krb5/os/kuserok.c
mimics similar behavior in the v4 version of this function. The other
changes handle the proper changing to the home directory. The chdir()
is attempted twice, once before and once after the setuid() call.


*** src/appl/bsd/login.c 1997/10/22 18:59:48 1.1
--- src/appl/bsd/login.c 1997/10/22 21:13:11
***************
*** 133,138 ****
--- 133,145 ----
#define siglongjmp longjmp
#endif

+ #ifndef HAVE_SETEUID
+ #ifdef HAVE_SETRESUID
+ #define seteuid(e) setresuid(-1,e,-1)
+ #define setegid(e) setresgid(-1,e,-1)
+ #endif
+ #endif
+
#ifdef POSIX_SIGNALS
typedef struct sigaction handler;
#define handler_init(H,F) (sigemptyset(&(H).sa_mask), \
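Review bot: the seteuid()/setegid() fallback macros are pasted verbatim into login.c, krshd.c and kuserok.c; define them once in a shared header so the three copies cannot drift. `setegid` is defined but never used by any of the patches, and there is no branch for a platform with neither HAVE_SETEUID nor HAVE_SETRESUID (setreuid() is the usual third option), where seteuid() would simply be undeclared.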
***************
*** 1542,1553 ****
sleepexit(0);
}
#endif
if (chdir(pwd->pw_dir) < 0) {
! printf("No directory %s!\n", pwd->pw_dir);
! if (chdir("/"))
exit(0);
! pwd->pw_dir = "/";
! printf("Logging in with home = \"/\".\n");
}

/* nothing else left to fail -- really log in */
--- 1549,1563 ----
sleepexit(0);
}
#endif
+ /*
+ * Don't complain if the first chdir fails - NFS may prevent that
+ * until after the setuid().
+ */
if (chdir(pwd->pw_dir) < 0) {
! if (chdir("/")) {
! (void) printf("No directory!\n");
exit(0);
! }
}

/* nothing else left to fail -- really log in */
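Review bot: dropping the "No directory %s!" diagnostic and the `pwd->pw_dir = "/"` reassignment from the first attempt leaves pw_dir naming a directory the process is not in until the second chdir() after setuid(); any code in between that mixes cwd-relative paths with pw_dir-based ones sees inconsistent state. The failure path here also still calls exit(0) when chdir("/") fails, while the retry in the later hunk uses sleepexit(1); the two should agree.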
***************
*** 1748,1753 ****
--- 1758,1772 ----
sleepexit(1);
}

+ /* Try the chdir again in case NFS was blocking us before. */
+ if (chdir(pwd->pw_dir) < 0) {
+ printf("No directory %s!\n", pwd->pw_dir);
+ if (chdir("/"))
+ sleepexit(1);
+ pwd->pw_dir = "/";
+ printf("Logging in with home = \"/\".\n");
+ }
+
/*
* We are the user now. Re-create the destroyed ccache and
* ticket file.
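Review bot: the retry runs after setuid() ("We are the user now") and after the utmp record was written in the "really log in" block, so the sleepexit(1) on a failed chdir("/") leaves the login recorded with no cleanup, the same problem raeburn raises against PR 943. The chdir/fallback/print logic is now duplicated across the two attempts; factor it into one helper so the messages and error paths stay identical.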
***************
*** 2249,2254 ****
--- 2268,2275 ----
{
static char lusername[UT_NAMESIZE+1];
char rusername[UT_NAMESIZE+1];
+ int euid = -1;
+ int rokval;

lgetstr(rusername, sizeof(rusername), "Remote user");
lgetstr(lusername, sizeof(lusername), "Local user");
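Review bot: `int euid = -1` stores a uid_t (unsigned on most systems) in an int and uses -1 as the "not switched" sentinel; use a uid_t together with a separate `int switched` flag so `euid != -1` cannot misfire after conversion. The identical declaration in the krshd.c hunk has the same problem.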
***************
*** 2257,2263 ****
pwd = getpwnam(username);
if (pwd == NULL)
return(-1);
! return(ruserok(host, (pwd->pw_uid == 0), rusername, username));
}

#ifdef KRB4_KLOGIN
--- 2278,2291 ----
pwd = getpwnam(username);
if (pwd == NULL)
return(-1);
! if (getuid() == 0 && pwd->pw_uid != 0) {
! euid = geteuid();
! (void) seteuid(pwd->pw_uid);
! }
! rokval = ruserok(host, (pwd->pw_uid == 0), rusername, username);
! if (euid != -1)
! (void) seteuid (euid);
! return(rokval);
}

#ifdef KRB4_KLOGIN
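Review bot: both seteuid() calls discard their return value with (void). If `seteuid(pwd->pw_uid)` fails, ruserok() runs as root and silently hits the old NFS failure; if the restoring `seteuid(euid)` fails, login continues with the user's effective uid and the root-only steps that follow break. Check both and treat a failed restore as fatal. The guard `getuid() == 0` also tests the real uid while the value being switched is the effective one; `geteuid() == 0` is the condition that matters.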
*** src/appl/bsd/krshd.c 1997/10/22 17:28:10 1.1
--- src/appl/bsd/krshd.c 1997/10/22 21:13:19
***************
*** 150,155 ****
--- 150,162 ----
#include "com_err.h"
#include "loginpaths.h"

+ #ifndef HAVE_SETEUID
+ #ifdef HAVE_SETRESUID
+ #define seteuid(e) setresuid(-1,e,-1)
+ #define setegid(e) setresgid(-1,e,-1)
+ #endif
+ #endif
+
#define ARGSTR "ek54ciD:S:M:AP:?L:"


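Review bot: same copied fallback macros as in login.c; a shared header would avoid three copies, and `setegid` is again unused here.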
***************
*** 1048,1057 ****


#else
! if (pwd->pw_passwd != 0 && *pwd->pw_passwd != '\0' &&
! ruserok(hostname, pwd->pw_uid == 0, remuser, locuser) < 0) {
! error("Permission denied.\n");
! goto signout_please;
}
#endif /* KERBEROS */

--- 1055,1075 ----


#else
! if (pwd->pw_passwd != 0 && *pwd->pw_passwd != '\0') {
! int euid = -1;
! int rokval;
!
! if (getuid() == 0 && pwd->pw_uid != 0) {
! euid = geteuid();
! (void) seteuid(pwd->pw_uid);
! }
! rokval = ruserok(hostname, pwd->pw_uid == 0, remuser, locuser);
! if (euid != -1)
! (void) seteuid (euid);
! if (rokval < 0) {
! error("Permission denied.\n");
! goto signout_please;
! }
}
#endif /* KERBEROS */

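Review bot: this is the same save/seteuid/ruserok/restore sequence as the login.c hunk, with the same unchecked (void) seteuid() calls; factor it into one function that checks both switches and fails closed (a ruserok_as_user() or similar) so krshd and login cannot diverge. Note also that `rokval < 0` is now evaluated after the restore, so a failed restore goes unnoticed before "Permission denied" is decided.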
*** src/lib/krb5/os/kuserok.c 1997/10/22 19:03:04 1.1
--- src/lib/krb5/os/kuserok.c 1997/10/22 21:13:55
***************
*** 35,40 ****
--- 35,47 ----
#define getpwnam(user) getpwnam((char *)user)
#endif

+ #ifndef HAVE_SETEUID
+ #ifdef HAVE_SETRESUID
+ #define seteuid(e) setresuid(-1,e,-1)
+ #define setegid(e) setresgid(-1,e,-1)
+ #endif
+ #endif
+
#define MAX_USERNAME 10

/*
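Review bot: third copy of the seteuid()/setresuid() macro block, this time in the shared library, where a macro that rewrites seteuid() for every caller of the header is more intrusive than in an application; a library-private wrapper (the audit trail of PR 582 mentions krb5_seteuid) is the better place.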
***************
*** 72,77 ****
--- 79,85 ----
char linebuf[BUFSIZ];
char *newline;
int gobble;
+ int euid = -1;

/* no account => no access */
if ((pwd = getpwnam(luser)) == NULL) {
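Review bot: `int euid = -1` again; in library code use a uid_t and an explicit flag rather than an int sentinel.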
***************
*** 82,103 ****

if (access(pbuf, F_OK)) { /* not accessible */
/*
* if he's trying to log in as himself, and there is no .k5login file,
* let him. To find out, call
* krb5_aname_to_localname to convert the principal to a name
* which we can string compare.
*/
! if (!(krb5_aname_to_localname(context, principal,
sizeof(kuser), kuser))
&& (strcmp(kuser, luser) == 0)) {
return(TRUE);
}
}
! if (krb5_unparse_name(context, principal, &princname))
return(FALSE); /* no hope of matching */

/* open ~/.k5login */
! if ((fp = fopen(pbuf, "r")) == NULL) {
free(princname);
return(FALSE);
}
--- 90,127 ----

if (access(pbuf, F_OK)) { /* not accessible */
/*
+ * The .k5login file may not be readable by root on a user's
+ * home directory accessed via NFS. Switch UIDs and try again.
+ */
+ if (getuid() == 0 && pwd->pw_uid != 0) {
+ euid = geteuid();
+ (void) seteuid(pwd->pw_uid);
+ }
+ /*
* if he's trying to log in as himself, and there is no .k5login file,
* let him. To find out, call
* krb5_aname_to_localname to convert the principal to a name
* which we can string compare.
*/
! if (access(pbuf, F_OK) && !(krb5_aname_to_localname(context, principal,
sizeof(kuser), kuser))
&& (strcmp(kuser, luser) == 0)) {
+ if (euid != -1)
+ (void) seteuid (euid);
return(TRUE);
}
}
! if (krb5_unparse_name(context, principal, &princname)) {
! if (euid != -1)
! (void) seteuid (euid);
return(FALSE); /* no hope of matching */
+ }

/* open ~/.k5login */
! fp = fopen(pbuf, "r");
! if (euid != -1)
! (void) seteuid (euid);
! if (fp == NULL) {
free(princname);
return(FALSE);
}
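Review bot: the retried existence test `access(pbuf, F_OK)` is done after the seteuid(), but access(2) checks permissions with the real uid, which is still root (squashed to nobody by the server), so the retry returns the same answer as the first call and the uid switch changes nothing for it; use stat(), or simply attempt the fopen(), both of which honor the effective uid. Second, the switch only happens inside the `if (access(pbuf, F_OK))` branch, so the report's own repro with the home directory searchable but .k5login mode 400 never switches and the fopen() still runs as root and fails. Third, as a library function krb5_kuserok() now changes process credentials with unchecked (void) seteuid() calls; if the restore fails the caller continues as the user without knowing it, which should at least be reported (fail closed) rather than ignored.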
>Audit-Trail:
>Unformatted:
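The .k5login decision that PR 482 wants made with the file owner's credentials, as an added example that is not part of krb5 or of the patch above: the file is opened with the owner's effective uid when the caller is root, the real-uid-based access(2) is not used at all, and an unreadable (as opposed to absent) file denies instead of being mistaken for a missing one. The function names `fopen_as_owner` and `k5login_allows`, the fail-closed rule for unreadable files, the `princ_local` parameter standing in for krb5_aname_to_localname(), and the sample principals and temporary home directory are this example's own.

```c
/* Added example, not krb5 code: a .k5login check done with the file
 * owner's effective uid, as the kuserok.c patch intends, but without
 * access(2), which tests the real uid and so ignores seteuid(). The
 * "no file => only self-login" rule is the one krb5_kuserok() applies;
 * the fail-closed handling of unreadable files is this example's own. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

enum { K5_DENY = 0, K5_ALLOW = 1 };

/* Open `path` as `owner` when we are root, then restore our own euid.
 * *restored tells the caller whether the restore actually succeeded. */
static FILE *fopen_as_owner(const char *path, uid_t owner, int *restored, int *open_errno)
{
    uid_t saved = geteuid();
    int switched = 0;
    FILE *fp;

    *restored = 1;
    if (saved == 0 && owner != 0 && seteuid(owner) == 0)
        switched = 1;               /* root squashed by NFS: read as the owner */

    fp = fopen(path, "r");          /* honors the effective uid, unlike access(2) */
    *open_errno = errno;

    if (switched && (seteuid(saved) < 0 || geteuid() != saved))
        *restored = 0;              /* never continue as the user unnoticed */
    return fp;
}

/* May `princ` log in as local account `luser` (home `home`, uid `owner`)?
 * `princ_local` is the local name the principal maps to, or NULL. */
int k5login_allows(const char *home, uid_t owner, const char *princ,
                   const char *princ_local, const char *luser)
{
    char path[4096], line[BUFSIZ];
    int restored, open_errno, verdict = K5_DENY;
    FILE *fp;

    if (snprintf(path, sizeof path, "%s/.k5login", home) >= (int) sizeof path)
        return K5_DENY;

    fp = fopen_as_owner(path, owner, &restored, &open_errno);
    if (!restored) {
        if (fp) fclose(fp);
        return K5_DENY;             /* credentials in an unknown state */
    }
    if (fp == NULL) {
        /* Only a genuinely absent file means "no .k5login": then the
         * principal may log in only as itself. EACCES and the like deny. */
        if (open_errno == ENOENT && princ_local && strcmp(princ_local, luser) == 0)
            return K5_ALLOW;
        return K5_DENY;
    }
    while (fgets(line, sizeof line, fp) != NULL) {
        line[strcspn(line, "\r\n")] = '\0';     /* one principal per line */
        if (strcmp(line, princ) == 0) {
            verdict = K5_ALLOW;
            break;
        }
    }
    fclose(fp);
    return verdict;
}

/* Stand-alone demo on a constructed home directory. Run unprivileged no
 * uid switch happens and fopen() simply runs as ourselves. */
int main(void)
{
    char home[] = "/tmp/k5homeXXXXXX", path[4200];
    FILE *f;

    if (mkdtemp(home) == NULL)
        return 1;
    snprintf(path, sizeof path, "%s/.k5login", home);
    if ((f = fopen(path, "w")) != NULL) {
        fputs("bob@EXAMPLE.COM\n", f);         /* constructed sample entry */
        fclose(f);
    }
    printf("bob -> alice: %s\n", k5login_allows(home, getuid(),
           "bob@EXAMPLE.COM", "bob", "alice") ? "allow" : "deny");
    printf("mallory -> alice: %s\n", k5login_allows(home, getuid(),
           "mallory@EXAMPLE.COM", "mallory", "alice") ? "allow" : "deny");
    unlink(path);
    rmdir(home);
    return 0;
}
```

The deliberate difference from the patched krb5_kuserok() is the ENOENT test: there, a failing existence check (which with root-squash can be EACCES rather than a missing file) falls into the "no .k5login, self-login allowed" branch, whereas here only a file that really is absent does.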