Login
[x]
Log in using an account from:
Fedora Account System
Red Hat Associate
Red Hat Customer
Or login using a Red Hat Bugzilla account
Forgot Password
Login:
Hide Forgot
Create an Account
Red Hat Bugzilla – Attachment 316461 Details for
Bug 461960
CVE-2008-3825 pam_krb5 existing_ticket permission flaw
[?]
New
Simple Search
Advanced Search
My Links
Browse
Requests
Reports
Current State
Search
Tabular reports
Graphical reports
Duplicates
Other Reports
User Changes
Plotly Reports
Bug Status
Bug Severity
Non-Defaults
|
Product Dashboard
Help
Page Help!
Bug Writing Guidelines
What's new
Browser Support Policy
5.0.4.rh83 Release notes
FAQ
Guides index
User guide
Web Services
Contact
Legal
This site requires JavaScript to be enabled to function correctly, please enable it.
[patch]
Patch from nalin
pam_krb5-2.3.1-ccacheperms.patch (text/plain), 7.67 KB, created by
Josh Bressers
on 2008-09-11 17:23:16 UTC
(
hide
)
Description:
Patch from nalin
Filename:
MIME Type:
Creator:
Josh Bressers
Created:
2008-09-11 17:23:16 UTC
Size:
7.67 KB
patch
obsolete
>diff --git a/src/Makefile.am b/src/Makefile.am >index 61526e8..9b54f2a 100644 >--- a/src/Makefile.am >+++ b/src/Makefile.am >@@ -31,6 +31,8 @@ libpam_krb5_la_SOURCES = \ > kuserok.c \ > kuserok.h \ > minikafs.h \ >+ perms.c \ >+ perms.h \ > prompter.c \ > prompter.h \ > shmem.c \ >@@ -106,6 +108,7 @@ harness_LDADD = \ > map.lo \ > initopts.lo \ > options.lo \ >+ perms.lo \ > userinfo.lo \ > sly.lo \ > v4.lo \ >@@ -119,6 +122,7 @@ harness_newpag_LDADD = \ > pam_newpag.lo \ > logstdio.lo \ > options.lo \ >+ perms.lo \ > v4.lo \ > v5.lo > harness_newpag_LDADD += libpam_krb5.la @PAM_LIBS@ @KRB5_LIBS@ @KRB4_LIBS@ @KEYUTILS_LIBS@ >diff --git a/src/perms.c b/src/perms.c >new file mode 100644 >index 0000000..d999846 >--- /dev/null >+++ b/src/perms.c >@@ -0,0 +1,89 @@ >+/* >+ * Copyright 2008 Red Hat, Inc. >+ * >+ * Redistribution and use in source and binary forms, with or without >+ * modification, are permitted provided that the following conditions >+ * are met: >+ * 1. Redistributions of source code must retain the above copyright >+ * notice, and the entire permission notice in its entirety, >+ * including the disclaimer of warranties. >+ * 2. Redistributions in binary form must reproduce the above copyright >+ * notice, this list of conditions and the following disclaimer in the >+ * documentation and/or other materials provided with the distribution. >+ * 3. The name of the author may not be used to endorse or promote >+ * products derived from this software without specific prior >+ * written permission. >+ * >+ * ALTERNATIVELY, this product may be distributed under the terms of the >+ * GNU Lesser General Public License, in which case the provisions of the >+ * LGPL are required INSTEAD OF the above restrictions. >+ * >+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED >+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF >+ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN >+ * NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, >+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT >+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF >+ * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON >+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT >+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF >+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. >+ */ >+ >+#include "../config.h" >+ >+#include <sys/types.h> >+#include <stdlib.h> >+#include <unistd.h> >+#include "perms.h" >+ >+struct _pam_krb5_perms { >+ uid_t ruid, euid; >+ gid_t rgid, egid; >+}; >+ >+struct _pam_krb5_perms * >+_pam_krb5_switch_perms(void) >+{ >+ struct _pam_krb5_perms *ret; >+ ret = malloc(sizeof(*ret)); >+ if (ret != NULL) { >+ ret->ruid = getuid(); >+ ret->euid = geteuid(); >+ ret->rgid = getgid(); >+ ret->egid = getegid(); >+ if (ret->ruid == ret->euid) { >+ ret->ruid = -1; >+ ret->euid = -1; >+ } >+ if (ret->rgid == ret->egid) { >+ ret->rgid = -1; >+ ret->egid = -1; >+ } >+ if (setregid(ret->egid, ret->rgid) == -1) { >+ free(ret); >+ ret = NULL; >+ } else { >+ if (setreuid(ret->euid, ret->ruid) == -1) { >+ setregid(ret->rgid, ret->egid); >+ free(ret); >+ ret = NULL; >+ } >+ } >+ } >+ return ret; >+} >+ >+int >+_pam_krb5_restore_perms(struct _pam_krb5_perms *saved) >+{ >+ int ret = -1; >+ if (saved != NULL) { >+ if ((setreuid(saved->ruid, saved->euid) == 0) && >+ (setregid(saved->rgid, saved->egid) == 0)) { >+ ret = 0; >+ } >+ free(saved); >+ } >+ return ret; >+} >diff --git a/src/perms.h b/src/perms.h >new file mode 100644 >index 0000000..7aedb61 >--- /dev/null >+++ b/src/perms.h >@@ -0,0 +1,40 @@ >+/* >+ * Copyright 2008 Red Hat, Inc. >+ * >+ * Redistribution and use in source and binary forms, with or without >+ * modification, are permitted provided that the following conditions >+ * are met: >+ * 1. Redistributions of source code must retain the above copyright >+ * notice, and the entire permission notice in its entirety, >+ * including the disclaimer of warranties. >+ * 2. Redistributions in binary form must reproduce the above copyright >+ * notice, this list of conditions and the following disclaimer in the >+ * documentation and/or other materials provided with the distribution. >+ * 3. The name of the author may not be used to endorse or promote >+ * products derived from this software without specific prior >+ * written permission. >+ * >+ * ALTERNATIVELY, this product may be distributed under the terms of the >+ * GNU Lesser General Public License, in which case the provisions of the >+ * LGPL are required INSTEAD OF the above restrictions. >+ * >+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED >+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF >+ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN >+ * NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, >+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT >+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF >+ * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON >+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT >+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF >+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. >+ */ >+ >+#ifndef pam_krb5_perms_h >+#define pam_krb5_perms_h >+ >+struct _pam_krb5_perms; >+struct _pam_krb5_perms *_pam_krb5_switch_perms(void); >+int _pam_krb5_restore_perms(struct _pam_krb5_perms *saved); >+ >+#endif >diff --git a/src/v5.c b/src/v5.c >index 87bf3b6..24ffbc6 100644 >--- a/src/v5.c >+++ b/src/v5.c >@@ -66,6 +66,7 @@ > > #include "conv.h" > #include "log.h" >+#include "perms.h" > #include "prompter.h" > #include "stash.h" > #include "userinfo.h" >@@ -833,6 +834,7 @@ v5_get_creds(krb5_context ctx, > const char *realm; > struct pam_message message; > struct _pam_krb5_prompter_data prompter_data; >+ struct _pam_krb5_perms *saved_perms; > krb5_principal service_principal; > krb5_creds tmpcreds; > krb5_ccache ccache; >@@ -884,20 +886,46 @@ v5_get_creds(krb5_context ctx, > "from %s", krb5_cc_default_name(ctx)); > } > memset(&ccache, 0, sizeof(ccache)); >- if (krb5_cc_default(ctx, &ccache) == 0) { >+ /* In case we're setuid/setgid, switch to the caller's >+ * permissions. */ >+ saved_perms = _pam_krb5_switch_perms(); >+ if ((saved_perms != NULL) && >+ (krb5_cc_default(ctx, &ccache) == 0)) { > tmpcreds.client = userinfo->principal_name; > tmpcreds.server = service_principal; > i = krb5_cc_retrieve_cred(ctx, ccache, 0, > &tmpcreds, creds); > /* FIXME: check if the creds are expired? > * What's the right error code if we check, and > * they are? */ > memset(&tmpcreds, 0, sizeof(tmpcreds)); > krb5_cc_close(ctx, ccache); >+ /* In case we're setuid/setgid, restore the >+ * previous permissions. */ >+ if (saved_perms != NULL) { >+ if (_pam_krb5_restore_perms(saved_perms) != 0) { >+ krb5_free_cred_contents(ctx, creds); >+ memset(creds, 0, sizeof(*creds)); >+ krb5_free_principal(ctx, service_principal); >+ return PAM_SYSTEM_ERR; >+ } >+ saved_perms = NULL; >+ } > } else { > warn("error opening default ccache"); > i = KRB5_CC_NOTFOUND; > } >+ /* In case we're setuid/setgid, switch back to the >+ * previous permissions if we didn't already. */ >+ if (saved_perms != NULL) { >+ if (_pam_krb5_restore_perms(saved_perms) != 0) { >+ krb5_free_cred_contents(ctx, creds); >+ memset(creds, 0, sizeof(*creds)); >+ krb5_free_principal(ctx, service_principal); >+ return PAM_SYSTEM_ERR; >+ } >+ saved_perms = NULL; >+ } > krb5_free_principal(ctx, service_principal); > } else { > warn("error parsing TGT principal name (%s) "
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=316461">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 461960
: 316461