When building the package as non-root something goes wrong with the `ksu' program (see 4th and last line):

--------------
making install in clients/ksu...
make[2]: Entering directory `/usr/src/redhat/BUILD/krb5-1.2.1/src/clients/ksu'
for f in ksu; do \
/usr/bin/install -c -s -m 4755 -o root $f \
/var/tmp/krb5-root/usr/kerberos/bin/`echo $f|sed 's,x,x,'`; \
/usr/bin/install -c -m 644 ./$f.M \
/var/tmp/krb5-root/usr/kerberos/man/man1/`echo $f|sed 's,x,x,'`.1; \
done
/usr/bin/install: /var/tmp/krb5-root/usr/kerberos/bin/ksu: Operation not permitted
--------------
Our build system defaults to building packages as a non-root user specifically to catch these cases. Does the ksu binary still end up in the right place?
I've just rebuilt the package as myself, and the files get included. The error message is harmless.
But:

# ll /usr/kerberos/bin/ksu
-rwxr-xr-x 1 root root 50364 Aug 21 14:22 /usr/kerberos/bin/ksu

The official install method tries to install it SUID, but the packaged file isn't.
The MIT Kerberos team isn't sure that the previously-fixed vulnerabilities in ksu were all of the potential problems, so we took the setuid-bit off pending a complete audit of the sources.
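
A check for the mismatch discussed in this thread, as an added example that is not part of the original report or of the krb5 package: it compares the modes of files in a staging root against a manifest of intended modes and also flags any setuid/setgid file the manifest does not list. The staging tree, the manifest format and the function names are assumptions constructed for the example.

```python
import os
import stat
import tempfile

SPECIAL = stat.S_ISUID | stat.S_ISGID


def audit_modes(buildroot, expected):
    """Compare staged file modes with a manifest {relative path: octal mode}.

    Returns sorted (path, expected, actual) tuples. expected is None for a
    setuid/setgid file missing from the manifest; actual is None for a
    manifest entry that was never staged.
    """
    findings = []
    seen = set()
    for dirpath, _dirs, files in os.walk(buildroot):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, buildroot)
            mode = stat.S_IMODE(os.lstat(full).st_mode)
            seen.add(rel)
            if rel in expected:
                if mode != expected[rel]:
                    findings.append((rel, oct(expected[rel]), oct(mode)))
            elif mode & SPECIAL:
                findings.append((rel, None, oct(mode)))
    for rel in set(expected) - seen:
        findings.append((rel, oct(expected[rel]), None))
    return sorted(findings, key=lambda f: f[0])


def demo():
    # Constructed staging tree mirroring the paths quoted in the thread.
    root = tempfile.mkdtemp(prefix="krb5-root-")
    bindir = os.path.join(root, "usr/kerberos/bin")
    os.makedirs(bindir)
    ksu = os.path.join(bindir, "ksu")
    with open(ksu, "wb") as fh:
        fh.write(b"constructed placeholder, not a real binary\n")
    os.chmod(ksu, 0o755)  # what the non-root build left behind
    upstream = {"usr/kerberos/bin/ksu": 0o4755}  # mode on the install line
    packaged = {"usr/kerberos/bin/ksu": 0o755}   # mode the package ships
    return audit_modes(root, upstream), audit_modes(root, packaged)


if __name__ == "__main__":
    print(demo())
```

Run against the upstream manifest it reports the dropped setuid bit; against the packaging manifest it reports nothing, which is the state described in the last comment.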