|Summary:||ksu needs to be suid root|
|Product:||[Fedora] Fedora||Reporter:||Martin Donnelly <martin.donnelly>|
|Component:||krb5||Assignee:||Nalin Dahyabhai <nalin>|
|Status:||CLOSED CURRENTRELEASE||QA Contact:|
|Version:||3||CC:||ddoucett, k.georgiou, mattdm, redhat|
|Fixed In Version:||1.4.3-1||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||2006-05-08 17:10:47 UTC||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
Description Martin Donnelly 2004-05-07 15:32:04 UTC
Description of problem: Running ksu outputs a 'ksu: Operation not permitted while selecting the best principal' error Version-Release number of selected component (if applicable): krb5-workstation-1.3.3-1 How reproducible: run 'ksu' Expected results: Should allow an authenticated principal access. Additional info: Found the fix for this http://www.ncsa.uiuc.edu/UserInfo/Resources/Software/kerberos/troubleshooting.html#ksu_4 Changing ksu to be suid-root fixes the problem.
Comment 1 Derek Doucette 2004-07-12 13:07:22 UTC
I have also reproduced this problem with the following package versions with AS 3.0: krb5-libs-1.2.7-24 krb5-workstation-1.2.7-24
Comment 2 Thornton Prime 2004-07-14 22:22:00 UTC
Verified that this is still broken in Fedora Core 2. This seems to have existed as a bug for years. It is very annoying. Bug #122731 describes the same thing and documented that the potential security vulnerability is fixed. ksu does get a thorough security workover with the rest of the Kerberos distribution, and looking at the code I don't see any way anyone can exploit this ... especially if they don't have Kerberos credentials. This is easy to fix!
Comment 3 Derek Doucette 2004-07-15 13:17:27 UTC
I agree that this is not exploitable, but it is very annoying. Especially when sending out to hundreds of hosts. You referred to Bug #122731 being the same thing, but that is this bug. Is there another bug you are referring to? This is an easy fix, but it is much easier to just fix the one rpm and have it right the first time.
Comment 5 Matthew Miller 2005-04-26 16:30:45 UTC
Fedora Core 2 is now maintained by the Fedora Legacy project for security updates only. If this problem is a security issue, please reopen and reassign to the Fedora Legacy product. If it is not a security issue and hasn't been resolved in the current FC3 updates or in the FC4 test release, reopen and change the version to match.
Comment 6 Peter E. Popovich 2005-04-30 03:50:11 UTC
Problem persists in FC3. Stupid bugzilla won't let me reopen or change the version.
Comment 8 Peter E. Popovich 2006-05-07 22:04:56 UTC
Comment 9 Nalin Dahyabhai 2006-05-08 17:10:47 UTC
I'll mark it CURRENTRELEASE, if only because I'm not sure ATM that a version which changes this was ever pushed for FC3, and I don't want to falsely raise any expectations. Thanks!