Bug 11535 - ksu permissions wrong in krb5-workstation-1.1.1-16
Product: Red Hat Linux
Classification: Retired
Component: krb5
Hardware: All Linux
Priority: medium
Severity: high
Assigned To: Nalin Dahyabhai
Duplicates: 17405
Reported: 2000-05-20 06:28 EDT by Stephen Tweedie
Modified: 2007-04-18 12:27 EDT
Doc Type: Bug Fix
Last Closed: 2006-03-09 20:38:04 EST
Description Stephen Tweedie 2000-05-20 06:28:34 EDT
This is a packaging bug only, but it does mean that "ksu" as shipped
simply does not work at all.

krb5-workstation-1.1.1-16 sets the "ksu" permissions to mode 755.
Obviously, the "su" part needs to have root privileges in order to
change uid!  ksu works once more after a "chmod u+s ksu".
Comment 1 Nalin Dahyabhai 2000-05-22 12:46:59 EDT
We did this because the MIT team hasn't released fixes for an information leak
in ksu that Chris Evans found along with the buffer overflows.  A setuid ksu can
be used to determine if files exist, even in directories that the executing user
can't read.  We added some access() checks in the errata release, but I'm still
not satisfied with it.
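The leak described in Comment 1 arises when a setuid binary resolves a user-named path with root's rights. As an added example (not ksu's code and not the errata patch), a setuid program can instead open such a path under the invoker's effective IDs, so the result reveals nothing the invoker's own open() would not; `open_as_invoker` is a hypothetical name.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (not from ksu): open a path named by the invoking
 * user with that user's rights rather than the setuid owner's.
 * Returns a descriptor, or -1 with errno forced to EACCES for every
 * failure so "missing" and "forbidden" look the same to the caller. */
int open_as_invoker(const char *path)
{
    uid_t saved_euid = geteuid();
    gid_t saved_egid = getegid();
    int fd = -1;

    /* Drop the group before the user: after euid leaves root the
     * process may no longer change its gid. */
    if (setegid(getgid()) != 0)
        goto fail;
    if (seteuid(getuid()) != 0) {
        (void)setegid(saved_egid);
        goto fail;
    }

    /* The kernel now checks every path component against the invoker,
     * so directories the invoker cannot search stay opaque. There is no
     * separate access() step, hence no check-then-use window. */
    fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);

    /* Regain privileges in reverse order; fail closed if that fails. */
    if (seteuid(saved_euid) != 0 || setegid(saved_egid) != 0) {
        if (fd >= 0)
            close(fd);
        fd = -1;
    }
    if (fd >= 0)
        return fd;
fail:
    errno = EACCES;
    return -1;
}

int main(int argc, char **argv)
{
    /* "/" is a constructed default so the demo runs without arguments. */
    int fd = open_as_invoker(argc > 1 ? argv[1] : "/");
    puts(fd >= 0 ? "opened" : "cannot use that file"); /* one message for all errors */
    return fd >= 0 ? 0 : 1;
}
```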
Comment 2 SB 2000-05-22 20:59:59 EDT
Is the ksu DoS discussed in e-mails fixed with new krb5 packages? Sorry to ask
but I can't access my e-mail right now anyway.

-Stan Bubrouski
Comment 3 Nalin Dahyabhai 2000-05-23 09:47:59 EDT
If it's the one that went out with the CERT advisory, then yes, it's fixed.  The
default configuration of the server uses FILE:-based logging, so it doesn't have
the syslog-related DoS problem.  I'm not aware that MIT has any fixes for it
other than recommending not to use syslog.
Comment 4 Nalin Dahyabhai 2000-09-11 14:27:51 EDT
*** Bug 17405 has been marked as a duplicate of this bug. ***
Comment 5 Chris Evans 2000-10-15 18:36:44 EDT
If made suid-root once more, there should be a prerequisite of "ksu" (and all
kerberos library functions it calls) receiving a thorough audit.
Also, the "ksu" program should contain code _very early_ in main(), to detect if
Kerberos has been configured and exit if not. This will protect people not actively
using kerberos but having the package installed.
Comment 6 Peter E. Popovich 2003-11-20 20:22:46 EST
Just stumbled across this. No progress since 2000. Seems like it ought
to be a simple tweak to the specfile.
Comment 7 Peter E. Popovich 2005-01-03 16:52:25 EST
See also bug 122731 and bug 137934.
Comment 9 Kostas Georgiou 2006-03-08 13:25:54 EST
RHEL4 got fixed with update3 and Fedora5 (rawhide) also has ksu suid enabled so
I guess the bug can be closed.
