Bug 122731

Summary: ksu needs to be suid root
Product: [Fedora] Fedora Reporter: Martin Donnelly <martin.donnelly>
Component: krb5Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 3CC: ddoucett, k.georgiou, mattdm, redhat
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: 1.4.3-1 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2006-05-08 17:10:47 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Martin Donnelly 2004-05-07 15:32:04 UTC 
Description of problem:

Running ksu outputs a 'ksu: Operation not permitted while selecting
the best principal' error

Version-Release number of selected component (if applicable):

krb5-workstation-1.3.3-1

How reproducible:
run 'ksu'

Expected results:

Should allow an authenticated principal access.

Additional info:

Found the fix for this 
http://www.ncsa.uiuc.edu/UserInfo/Resources/Software/kerberos/troubleshooting.html#ksu_4

Changing ksu to be suid-root fixes the problem.
Comment 1 Derek Doucette 2004-07-12 13:07:22 UTC 
I have also reproduced this problem with the following package
versions with AS 3.0:
krb5-libs-1.2.7-24
krb5-workstation-1.2.7-24
Comment 2 Thornton Prime 2004-07-14 22:22:00 UTC 
Verified that this is still broken in Fedora Core 2.

This seems to have existed as a bug for years. It is very annoying.

Bug #122731 describes the same thing and documented that the potential
security vulnerability is fixed.

ksu does get a thorough security workover with the rest of the
Kerberos distribution, and looking at the code I don't see any way
anyone can exploit this ... especially if they don't have Kerberos
credentials.

This is easy to fix!
Comment 3 Derek Doucette 2004-07-15 13:17:27 UTC 
I agree that this is not exploitable, but it is very annoying. 
Especially when sending out to hundreds of hosts.  You referred to Bug
#122731 being the same thing, but that is this bug.  Is there another
bug you are referring to?

This is an easy fix, but it is much easier to just fix the one rpm and
have it right the first time.
Comment 4 Peter E. Popovich 2005-01-03 21:51:14 UTC 
see also bug 11535 and bug 137934
Comment 5 Matthew Miller 2005-04-26 16:30:45 UTC 
Fedora Core 2 is now maintained by the Fedora Legacy project for
security updates only. If this problem is a security issue, please
reopen and reassign to the Fedora Legacy product. If it is not a
security issue and hasn't been resolved in the current FC3 updates or
in the FC4 test release, reopen and change the version to match.
Comment 6 Peter E. Popovich 2005-04-30 03:50:11 UTC 
Problem persists in FC3.

Stupid bugzilla won't let me reopen or change the version.
Comment 7 Matthew Miller 2005-04-30 03:54:33 UTC 
Thanks for testing. Bug -> fc3 as per comment #6.
Comment 8 Peter E. Popovich 2006-05-07 22:04:56 UTC 
this can probably be closed with ERRATA, per bugs 11535, 137934, and 171047
Comment 9 Nalin Dahyabhai 2006-05-08 17:10:47 UTC 
I'll mark it CURRENTRELEASE, if only because I'm not sure ATM that a version
which changes this was ever pushed for FC3, and I don't want to falsely raise
any expectations.  Thanks!