1329998 – [RFE] Add support to ksu for k5login_directory

Bug 1329998 - [RFE] Add support to ksu for k5login_directory

Summary: [RFE] Add support to ksu for k5login_directory

Keywords:
Status:	CLOSED UPSTREAM
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	krb5
Sub Component:
Version:	7.2
Hardware:	Unspecified
OS:	Linux
Priority:	low
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Robbie Harwood
QA Contact:	Karel Srot
Docs Contact:
URL:	http://krbdev.mit.edu/rt/Ticket/Displ...
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-04-25 09:08 UTC by Matthew Richardson
Modified:	2016-11-17 19:13 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-11-17 19:13:06 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Matthew Richardson 2016-04-25 09:08:24 UTC

ksu as packaged in krb5-workstation-1.13.2-12.el7_2 seems to ignore the option 'k5login_directory' set in /etc/krb5.conf and always looks in the user's homedir for the .k5login file.


Steps to Reproduce:
1. Edit /root/.k5login - add a valid principal.
2. ksu root -n <principal>
3. mv /root/.k5login /etc/k5login/root
4. Edit krb5.conf - add 'k5login_directory = /etc/k5login
4. ksu root -n <principal> # Account root: authorization of <principal> failed

An strace of the ksu process shows that it is always trying to open /root/.k5login, regardless of the state of k5login_directory option.

Other commands (e.g. ssh) honour this config option as expected.

Comment 3 Robbie Harwood 2016-04-25 17:23:14 UTC

Can you please provide strace logs which include how strace was invoked?  ksu is a setuid program and I would like to verify the interaction between it and strace.

Comment 4 Matthew Richardson 2016-04-26 09:17:11 UTC

A little wary of posting a whole strace of a ksu process, in case any csecrets end up in it, but I'm running it as follows (using principal mattr@REALM):

sudo strace -fF -o /tmp/ksu.out sudo -u mattr ksu root -n mattr


Looking at all stats, reads etc in strace the only apparent ones of relevance are:

3872  stat("/root/.k5login", 0x7ffcf3955b40) = -1 ENOENT (No such file or directory)
3872  stat("/root/.k5users", 0x7ffcf3955b40) = -1 ENOENT (No such file or directory)

This is the same regardless of the state of k5login_directory option.

I've had a quick look at the source in the src rpm, and it does look like this is hard-coded for ksu.

lib/krb5/os/localauth_k5login.c provides a 'get_k5login_filename' method which does the 'try k5login_directory/look in homedir' logic.

However this doesn't seem to be called anywhere in clients/ksu/ with ksu.h having:

#define KRB5_LOGIN_NAME ".k5login"
#define KRB5_USERS_NAME ".k5users"

Which is then used through the rest of ksu's code.

I've had a quick look at the latest upstream code from MIT and ksu.h looks pretty identical, so I suspect this is really an upstream bug... don't know if that's something I need to open separately with the krb5 project, or if this bug report can be 'redirected' to them?

Comment 6 Robbie Harwood 2016-04-26 16:42:59 UTC

(In reply to Matthew Richardson from comment #4)
> A little wary of posting a whole strace of a ksu process, in case any
> csecrets end up in it, but I'm running it as follows (using principal
> mattr@REALM):

Sorry, assumed you had a realm set up for testing not something in production.  The information you've provided should be (more than) sufficient; thanks!

Comment 7 Robbie Harwood 2016-04-26 21:35:24 UTC

Created upstream ticket to track this.

Note You need to log in before you can comment on or make changes to this bug.