Bug 11535

Summary: ksu permissions wrong in krb5-workstation-1.1.1-16
Product: [Retired] Red Hat Linux
Reporter: Stephen Tweedie <sct>
Component: krb5
Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED RAWHIDE
Severity: high
Priority: medium
Version: 6.2
CC: chris, dbergstein, k.georgiou, redhat, satan, sct, tao
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2006-03-10 01:38:04 UTC

Description Stephen Tweedie 2000-05-20 10:28:34 UTC
This is a packaging bug only, but it does mean that "ksu" as shipped
simply does not work at all.

krb5-workstation-1.1.1-16 sets the "ksu" permissions to mode 755.
Obviously, the "su" part needs to have root privileges in order to
change uid!  ksu works once more after a "chmod u+s ksu".

Comment 1 Nalin Dahyabhai 2000-05-22 16:46:59 UTC
We did this because the MIT team hasn't released fixes for an information leak
in ksu that Chris Evans found along with the buffer overflows.  A setuid ksu can
be used to determine if files exist, even in directories that the executing user
can't read.  We added some access() checks in the errata release, but I'm still
not satisfied with it.

Comment 2 SB 2000-05-23 00:59:59 UTC
Is the ksu DoS discussed in e-mails fixed with new krb5 packages? Sorry to ask
but I can't access my e-mail right now anyway.

-Stan Bubrouski

Comment 3 Nalin Dahyabhai 2000-05-23 13:47:59 UTC
If it's the one that went out with the CERT advisory, then yes, it's fixed.  The
default configuration of the server uses FILE:-based logging, so it doesn't have
the syslog-related DoS problem.  I'm not aware that MIT has any fixes for it
other than recommending not to use syslog.

Comment 4 Nalin Dahyabhai 2000-09-11 18:27:51 UTC
*** Bug 17405 has been marked as a duplicate of this bug. ***

Comment 5 Chris Evans 2000-10-15 22:36:44 UTC
If made suid-root once more, there should be a prerequisite of "ksu" (and all
kerberos library functions it calls) receiving a thorough audit.
Also, the "ksu" program should contain code _very early_ in main(), to detect if
Kerberos has been configured and exit if not. This will protect people not
actively using kerberos but having the package installed.
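
Added example, not part of the bug thread and not ksu's own source: a C sketch of the two hardening ideas raised in Comment 1 and Comment 5 for a setuid-root program. It opens user-named files with the invoking user's credentials, so the result reveals nothing that user could not already learn (and avoids the check-to-use gap of a separate access() call), and it exits early when Kerberos is not configured. The function names and the "non-empty config file" test are assumptions made for illustration; /etc/krb5.conf is the conventional default path.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumption: "configured" means a non-empty regular config file exists. */
int kerberos_configured(const char *conf_path)
{
    struct stat st;
    return stat(conf_path, &st) == 0 && S_ISREG(st.st_mode) && st.st_size > 0;
}

/* Open a user-named file with the invoking user's credentials, so the
 * kernel applies that user's directory permissions to the lookup.
 * Returns an fd, or -1 with errno as the invoking user would see it. */
int open_as_invoker(const char *path)
{
    uid_t saved_euid = geteuid();
    gid_t saved_egid = getegid();
    int fd, err;
    /* Group first: once euid is dropped we may not be allowed to change egid. */
    if (setegid(getgid()) != 0 || seteuid(getuid()) != 0)
        _exit(1);               /* cannot drop privilege: refuse to continue */
    fd = open(path, O_RDONLY | O_CLOEXEC);
    err = errno;
    /* Regain privilege in reverse order; running half-switched is unsafe. */
    if (seteuid(saved_euid) != 0 || setegid(saved_egid) != 0)
        _exit(1);
    errno = err;
    return fd;
}

int main(int argc, char **argv)
{
    /* Very early in main(): do no privileged work on unconfigured hosts. */
    if (!kerberos_configured("/etc/krb5.conf"))
        return 1;
    int fd = argc > 1 ? open_as_invoker(argv[1]) : -1;
    if (argc > 1 && fd < 0)
        perror(argv[1]);
    if (fd >= 0)
        close(fd);
    return 0;
}
```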

Comment 6 Peter E. Popovich 2003-11-21 01:22:46 UTC
just stumbled across this. no progress since 2000. seems like it ought
to be a simple tweak to the specfile.

Comment 7 Peter E. Popovich 2005-01-03 21:52:25 UTC
see also bug 122731 and bug 137934

Comment 9 Kostas Georgiou 2006-03-08 18:25:54 UTC
RHEL4 got fixed with update3 and Fedora5 (rawhide) also has ksu suid enabled so
I guess the bug can be closed.