Bug 11535
Summary: | ksu permissions wrong in krb5-workstation-1.1.1-16 | ||
---|---|---|---|
Product: | [Retired] Red Hat Linux | Reporter: | Stephen Tweedie <sct> |
Component: | krb5 | Assignee: | Nalin Dahyabhai <nalin> |
Status: | CLOSED RAWHIDE | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | medium | ||
Version: | 6.2 | CC: | chris, dbergstein, k.georgiou, redhat, satan, sct, tao |
Hardware: | All | ||
OS: | Linux | ||
Fixed In Version: | Doc Type: | Bug Fix | |
Last Closed: | 2006-03-10 01:38:04 UTC | Type: | --- |
Description
Stephen Tweedie
2000-05-20 10:28:34 UTC
We did this because the MIT team hasn't released fixes for an information leak in ksu that Chris Evans found along with the buffer overflows. A setuid ksu can be used to determine if files exist, even in directories that the executing user can't read. We added some access() checks in the errata release, but I'm still not satisfied with it.

Is the ksu DoS discussed in e-mails fixed with new krb5 packages? Sorry to ask but I can't access my e-mail right now anyway. -Stan Bubrouski

If it's the one that went out with the CERT advisory, then yes, it's fixed. The default configuration of the server uses FILE:-based logging, so it doesn't have the syslog-related DoS problem. I'm not aware that MIT has any fixes for it other than recommending not to use syslog.

*** Bug 17405 has been marked as a duplicate of this bug. ***

If made suid-root once more, there should be a prerequisite of "ksu" (and all Kerberos library functions it calls) receiving a thorough audit. Also, the "ksu" program should contain code _very early_ in main(), to detect if Kerberos has been configured and exit if not. This will protect people not actively using Kerberos but having the package installed.

Just stumbled across this. No progress since 2000. Seems like it ought to be a simple tweak to the specfile.

See also bug 122731 and bug 137934.

RHEL4 got fixed with update3 and Fedora5 (rawhide) also has ksu suid enabled, so I guess the bug can be closed.
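Two hardening ideas come up in this thread: exit early in main() when Kerberos is not configured, and stop a setuid binary from revealing whether files exist. The sketch below shows both. It is an added example, not code from krb5 or from the Red Hat errata. The `/etc/krb5.conf` path and the function names are assumptions. Unlike an access() check followed by a privileged open, the probe runs entirely under the caller's own uid, so there is no gap between check and use.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed default config location; real builds may use another path. */
#define KRB5_CONF "/etc/krb5.conf"

/* Returns 1 if `path` is a non-empty regular file, else 0. */
int kerberos_configured(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode) && st.st_size > 0;
}

/* Probe a user-supplied path with the caller's own identity, so the
 * answer never reveals more than the caller could learn unprivileged.
 * Returns 1 if visible to the caller, 0 if not, -1 on privilege error. */
int exists_as_caller(const char *path)
{
    uid_t saved = geteuid();
    struct stat st;
    int visible;

    if (seteuid(getuid()) != 0)      /* effective uid := real uid */
        return -1;
    visible = (stat(path, &st) == 0);
    if (seteuid(saved) != 0)         /* restore; treat failure as fatal */
        return -1;
    return visible;
}

int main(int argc, char **argv)
{
    /* First action: on hosts without Kerberos, shed privilege and exit
     * before any argument parsing or library code runs as root. */
    if (!kerberos_configured(KRB5_CONF)) {
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
            return 2;
        fprintf(stderr, "Kerberos is not configured on this host\n");
        return 1;
    }
    if (argc > 1)
        printf("%s: %s\n", argv[1],
               exists_as_caller(argv[1]) == 1 ? "visible" : "not visible");
    return 0;
}
```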