122731 – ksu needs to be suid root

Bug 122731 - ksu needs to be suid root

Summary: ksu needs to be suid root

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	krb5
Sub Component:
Version:	3
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Nalin Dahyabhai
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2004-05-07 15:32 UTC by Martin Donnelly
Modified:	2007-11-30 22:10 UTC (History)
CC List:	4 users (show)
Fixed In Version:	1.4.3-1
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2006-05-08 17:10:47 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Martin Donnelly 2004-05-07 15:32:04 UTC

Description of problem:

Running ksu outputs a 'ksu: Operation not permitted while selecting
the best principal' error

Version-Release number of selected component (if applicable):

krb5-workstation-1.3.3-1

How reproducible:
run 'ksu'

Expected results:

Should allow an authenticated principal access.

Additional info:

Found the fix for this 
http://www.ncsa.uiuc.edu/UserInfo/Resources/Software/kerberos/troubleshooting.html#ksu_4

Changing ksu to be suid-root fixes the problem.

Comment 1 Derek Doucette 2004-07-12 13:07:22 UTC

I have also reproduced this problem with the following package
versions with AS 3.0:
krb5-libs-1.2.7-24
krb5-workstation-1.2.7-24

Comment 2 Thornton Prime 2004-07-14 22:22:00 UTC

Verified that this is still broken in Fedora Core 2.

This seems to have existed as a bug for years. It is very annoying.

Bug #122731 describes the same thing and documented that the potential
security vulnerability is fixed.

ksu does get a thorough security workover with the rest of the
Kerberos distribution, and looking at the code I don't see any way
anyone can exploit this ... especially if they don't have Kerberos
credentials.

This is easy to fix!

Comment 3 Derek Doucette 2004-07-15 13:17:27 UTC

I agree that this is not exploitable, but it is very annoying. 
Especially when sending out to hundreds of hosts.  You referred to Bug
#122731 being the same thing, but that is this bug.  Is there another
bug you are referring to?

This is an easy fix, but it is much easier to just fix the one rpm and
have it right the first time.

Comment 4 Peter E. Popovich 2005-01-03 21:51:14 UTC

see also bug 11535 and bug 137934

Comment 5 Matthew Miller 2005-04-26 16:30:45 UTC

Fedora Core 2 is now maintained by the Fedora Legacy project for
security updates only. If this problem is a security issue, please
reopen and reassign to the Fedora Legacy product. If it is not a
security issue and hasn't been resolved in the current FC3 updates or
in the FC4 test release, reopen and change the version to match.

Comment 6 Peter E. Popovich 2005-04-30 03:50:11 UTC

Problem persists in FC3.

Stupid bugzilla won't let me reopen or change the version.

Comment 7 Matthew Miller 2005-04-30 03:54:33 UTC

Thanks for testing. Bug -> fc3 as per comment #6.

Comment 8 Peter E. Popovich 2006-05-07 22:04:56 UTC

this can probably be closed with ERRATA, per bugs 11535, 137934, and 171047

Comment 9 Nalin Dahyabhai 2006-05-08 17:10:47 UTC

I'll mark it CURRENTRELEASE, if only because I'm not sure ATM that a version
which changes this was ever pushed for FC3, and I don't want to falsely raise
any expectations.  Thanks!

Note You need to log in before you can comment on or make changes to this bug.