Red Hat Bugzilla – Bug 11535
ksu permissions wrong in krb5-workstation-1.1.1-16
Last modified: 2007-04-18 12:27:04 EDT
This is a packaging bug only, but it does mean that "ksu" as shipped
simply does not work at all.
krb5-workstation-1.1.1-16 sets the "ksu" permissions to mode 755.
Obviously, the "su" part needs to have root privileges in order to
change uid! ksu works once more after a "chmod u+s ksu".
We did this because the MIT team hasn't released fixes for an information leak
in ksu that Chris Evans found along with the buffer overflows. A setuid ksu can
be used to determine if files exist, even in directories that the executing user
can't read. We added some access() checks in the errata release, but I'm still
not satisfied with it.
Is the ksu DoS discussed in e-mails fixed with new krb5 packages? Sorry to ask
but I can't access my e-mail right now anyway.
If it's the one that went out with the CERT advisory, then yes, it's fixed. The
default configuration of the server uses FILE:-based logging, so it doesn't have
the syslog-related DoS problem. I'm not aware that MIT has any fixes for it
other than recommending not to use syslog.
*** Bug 17405 has been marked as a duplicate of this bug. ***
If made suid-root once more, there should be a prerequisite of "ksu" (and all
kerberos library functions it calls) receiving a thorough audit.
Also, the "ksu" program should contain code _very early_ in main(), to detect if
been configured and exit if not. This will protect people not actively using
kerberos but having
the package installed.
just stumbled across this. no progress since 2000. seems like it ought
to be a simple tweak to the specfile.
see also bug 122731 and bug 137934
RHEL4 got fixed with update3 and Fedora5 (rawhide) also has ksu suid enabled so
I guess the bug can be closed.