Bug 204939

Summary: RFE: distinguish between ccaches created by session and cred mgmt functions
Product: [Fedora] Fedora Reporter: Nalin Dahyabhai <nalin>
Component: pam_krb5Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED RAWHIDE QA Contact: Brian Brock <bbrock>
Severity: medium Docs Contact:
Priority: medium    
Version: rawhide   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-11-09 14:44:59 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Nalin Dahyabhai 2006-09-01 10:45:53 EDT
Description of problem:
Some applications use both session management and credential management PAM APIs
(which is normal), but propagate the PAM environment to the real environment in
between calling pam_open_session() and pam_setcred().  This sets the environment
variables to values which are invalidated when the second function (whichever
one that is) is called.

Version-Release number of selected component (if applicable):
2.2.9 and earlier

How reproducible:

Steps to Reproduce:
1. Install RHEL4 box with coreutils no newer than 5.2.1-31.4.
2. Configure 'su' so that it no longer trusts root.
3. Attempt to 'su' to an unprivileged user who is authenticated using Kerberos.
Actual results:
You get a ccache, but KRB5CCNAME points elsewhere.  The debug log shows
$KRB5CCNAME being created, destroyed, and then another ccache being created.

Expected results:
Something less confusing/annoying/infuriating.

Additional info:
See bug #150056 for the RHEL 4 instance where this bites 'su'.
Comment 1 Nalin Dahyabhai 2007-11-09 14:44:59 EST
This should have been fixed in 2.2.13, but I forgot to close this when the
package hit Raw Hide.  Closing now.