Red Hat Bugzilla – Bug 204939
RFE: distinguish between ccaches created by session and cred mgmt functions
Last modified: 2007-11-30 17:11:41 EST
Description of problem:
Some applications use both session management and credential management PAM APIs
(which is normal), but propagate the PAM environment to the real environment in
between calling pam_open_session() and pam_setcred(). This sets the environment
variables to values which are invalidated when the second function (whichever
one that is) is called.
Version-Release number of selected component (if applicable):
2.2.9 and earlier
Steps to Reproduce:
1. Install RHEL4 box with coreutils no newer than 5.2.1-31.4.
2. Configure 'su' so that it no longer trusts root.
3. Attempt to 'su' to an unprivileged user who is authenticated using Kerberos.
Actual results:
You get a ccache, but KRB5CCNAME points elsewhere. The debug log shows
$KRB5CCNAME being created, destroyed, and then another ccache being created.
Expected results:
Something less confusing/annoying/infuriating.
Additional info:
See bug #150056 for the RHEL 4 instance where this bites 'su'.
This should have been fixed in 2.2.13, but I forgot to close this when the
package hit Raw Hide. Closing now.
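
A check for the symptom described in this report, added here as an example and not part of the original bug or of pam_krb5: it tests whether a $KRB5CCNAME value still names an existing FILE ccache and lists other ccaches in the same directory. The krb5cc_<uid>_* naming, the /tmp default and the function names are assumptions, and the demo uses constructed empty files rather than real ccaches.

```shell
#!/bin/sh
# Added example: diagnose a $KRB5CCNAME that was captured before the
# ccache it names was replaced.
# Assumption: FILE ccaches named krb5cc_<uid>_* under /tmp (override via args).

# check_ccache NAME [DIR] [UID]
# Returns 0 = ccache exists, 1 = stale name, 2 = unset, 3 = non-FILE type.
check_ccache() {
    name=$1; dir=${2:-/tmp}; uid=${3:-$(id -u)}
    if [ -z "$name" ]; then
        echo "unset: KRB5CCNAME is empty"; return 2
    fi
    case $name in
        FILE:*) path=${name#FILE:} ;;
        /*)     path=$name ;;                  # bare path means FILE type
        *)      echo "skipped: not a FILE ccache: $name"; return 3 ;;
    esac
    if [ -f "$path" ]; then
        echo "ok: $path"; return 0
    fi
    echo "stale: $path does not exist"
    # List ccaches that do exist for this uid, one of which is the live one.
    for f in "$dir"/krb5cc_"$uid"_*; do
        if [ -f "$f" ]; then echo "candidate: FILE:$f"; fi
    done
    return 1
}

# Constructed reproduction of the sequence in the debug log: a ccache is
# created, the environment is captured, the ccache is destroyed, and a
# second one is created. Files are empty stand-ins, not real ccaches.
demo() {
    d=$(mktemp -d) || return 1
    first="$d/krb5cc_1000_AAAAAA"; second="$d/krb5cc_1000_BBBBBB"
    : > "$first"
    captured="FILE:$first"        # value the application exported
    rm -f "$first"                # the second PAM call destroys it ...
    : > "$second"                 # ... and creates a new one
    check_ccache "$captured" "$d" 1000
    status=$?
    rm -rf "$d"
    return $status
}

demo || echo "exit status: $?"
```

On a real system, run it as the target user with `check_ccache "$KRB5CCNAME"` after the 'su' completes.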