Red Hat Bugzilla – Bug 122731
ksu needs to be suid root
Last modified: 2007-11-30 17:10:42 EST
Description of problem:
Running ksu outputs a 'ksu: Operation not permitted while selecting
the best principal' error
Version-Release number of selected component (if applicable):
Should allow an authenticated principal access.
Found the fix for this
Changing ksu to be suid-root fixes the problem.
I have also reproduced this problem with the following package
versions with AS 3.0:
Verified that this is still broken in Fedora Core 2.
This seems to have existed as a bug for years. It is very annoying.
Bug #122731 describes the same thing and documented that the potential
security vulnerability is fixed.
ksu does get a thorough security workover with the rest of the
Kerberos distribution, and looking at the code I don't see any way
anyone can exploit this ... especially if they don't have Kerberos
This is easy to fix!
I agree that this is not exploitable, but it is very annoying.
Especially when sending out to hundreds of hosts. You referred to Bug
#122731 being the same thing, but that is this bug. Is there another
bug you are referring to?
This is an easy fix, but it is much easier to just fix the one rpm and
have it right the first time.
see also bug 11535 and bug 137934
Fedora Core 2 is now maintained by the Fedora Legacy project for
security updates only. If this problem is a security issue, please
reopen and reassign to the Fedora Legacy product. If it is not a
security issue and hasn't been resolved in the current FC3 updates or
in the FC4 test release, reopen and change the version to match.
Problem persists in FC3.
Stupid bugzilla won't let me reopen or change the version.
Thanks for testing. Bug -> fc3 as per comment #6.
this can probably be closed with ERRATA, per bugs 11535, 137934, and 171047
I'll mark it CURRENTRELEASE, if only because I'm not sure ATM that a version
which changes this was ever pushed for FC3, and I don't want to falsely raise
any expectations. Thanks!