Bug 11535 - ksu permissions wrong in krb5-workstation-1.1.1-16
Summary: ksu permissions wrong in krb5-workstation-1.1.1-16
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: krb5   
(Show other bugs)
Version: 6.2
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact:
: 17405 (view as bug list)
Depends On:
TreeView+ depends on / blocked
Reported: 2000-05-20 10:28 UTC by Stephen Tweedie
Modified: 2007-04-18 16:27 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2006-03-10 01:38:04 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Stephen Tweedie 2000-05-20 10:28:34 UTC
This is a packaging bug only, but it does mean that "ksu" as shipped
simply does not work at all.

krb5-workstation-1.1.1-16 sets the "ksu" permissions to mode 755.
Obviously, the "su" part needs to have root privileges in order to
change uid!  ksu works once more after a "chmod u+s ksu".

Comment 1 Nalin Dahyabhai 2000-05-22 16:46:59 UTC
We did this because the MIT team hasn't released fixes for an information leak
in ksu that Chris Evans found along with the buffer overflows.  A setuid ksu can
be used to determine if files exist, even in directories that the executing user
can't read.  We added some access() checks in the errata release, but I'm still
not satisfied with it.

Comment 2 SB 2000-05-23 00:59:59 UTC
Is the ksu DoS discussed in e-mails fixed with new krb5 packages? Sorry to ask
but I can't access my e-mail right now anyway.

-Stan Bubrouski

Comment 3 Nalin Dahyabhai 2000-05-23 13:47:59 UTC
If it's the one that went out with the CERT advisory, then yes, it's fixed.  The
default configuration of the server uses FILE:-based logging, so it doesn't have
the syslog-related DoS problem.  I'm not aware that MIT has any fixes for it
other than recommending not to use syslog.

Comment 4 Nalin Dahyabhai 2000-09-11 18:27:51 UTC
*** Bug 17405 has been marked as a duplicate of this bug. ***

Comment 5 Chris Evans 2000-10-15 22:36:44 UTC
If made suid-root once more, there should be a prerequisite of "ksu" (and all
kerberos library functions it calls) receiving a thorough audit.
Also, the "ksu" program should contain code _very early_ in main(), to detect if
Kerberos has
been configured and exit if not. This will protect people not actively using
kerberos but having
the package installed.

Comment 6 Peter E. Popovich 2003-11-21 01:22:46 UTC
just stumbled across this. no progress since 2000. seems like it ought
to be a simple tweak to the specfile.

Comment 7 Peter E. Popovich 2005-01-03 21:52:25 UTC
see also bug 122731 and bug 137934

Comment 9 Kostas Georgiou 2006-03-08 18:25:54 UTC
RHEL4 got fixed with update3 and Fedora5 (rawhide) also has ksu suid enabled so
I guess the bug can be closed.

Note You need to log in before you can comment on or make changes to this bug.