Bug 204939 - RFE: distinguish between ccaches created by session and cred mgmt functions
Product: Fedora
Classification: Fedora
Component: pam_krb5
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Nalin Dahyabhai
QA Contact: Brian Brock
Reported: 2006-09-01 10:45 EDT by Nalin Dahyabhai
Modified: 2007-11-30 17:11 EST
Doc Type: Bug Fix
Last Closed: 2007-11-09 14:44:59 EST
Description Nalin Dahyabhai 2006-09-01 10:45:53 EDT
Description of problem:
Some applications use both session management and credential management PAM APIs
(which is normal), but propagate the PAM environment to the real environment in
between calling pam_open_session() and pam_setcred().  This sets the environment
variables to values which are invalidated when the second function (whichever
one that is) is called.

Version-Release number of selected component (if applicable):
2.2.9 and earlier

How reproducible:

Steps to Reproduce:
1. Install RHEL4 box with coreutils no newer than 5.2.1-31.4.
2. Configure 'su' so that it no longer trusts root.
3. Attempt to 'su' to an unprivileged user who is authenticated using Kerberos.

Actual results:
You get a ccache, but KRB5CCNAME points elsewhere.  The debug log shows
$KRB5CCNAME being created, destroyed, and then another ccache being created.

Expected results:
Something less confusing/annoying/infuriating.

Additional info:
See bug #150056 for the RHEL 4 instance where this bites 'su'.

Comment 1 Nalin Dahyabhai 2007-11-09 14:44:59 EST
This should have been fixed in 2.2.13, but I forgot to close this when the
package hit Raw Hide.  Closing now.
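
The symptom from the description (a ccache exists, but KRB5CCNAME names a different one that has already been destroyed) can be checked from inside the affected session. The shell functions below are an added example, not part of the bug report or of pam_krb5; they assume FILE-type ccaches named krb5cc_* in a directory such as /tmp, and the function names are made up for illustration.

```shell
#!/bin/sh
# Added diagnostic example (hypothetical helper names, not from pam_krb5).
# Assumption: file-based ccaches named krb5cc_* live in one directory.

# check_krb5ccname VALUE
# Prints one of: unset, unsupported, ok, stale.
# "stale" means the variable names a file ccache that no longer exists,
# which is what the report describes after the second PAM call replaces it.
check_krb5ccname() {
    ccname=$1
    case $ccname in
        '')     echo unset; return 2 ;;
        FILE:*) path=${ccname#FILE:} ;;
        /*)     path=$ccname ;;            # bare path is treated as FILE:
        *)      echo unsupported; return 3 ;;  # other ccache types
    esac
    if [ -f "$path" ]; then
        echo ok
        return 0
    fi
    echo stale
    return 1
}

# orphan_ccaches DIR VALUE
# Lists file ccaches in DIR owned by the current user that VALUE does not
# point to: the "you get a ccache, but KRB5CCNAME points elsewhere" case.
orphan_ccaches() {
    dir=$1
    current=${2#FILE:}
    for f in "$dir"/krb5cc_*; do
        [ -f "$f" ] && [ -O "$f" ] || continue
        [ "$f" = "$current" ] || printf '%s\n' "$f"
    done
}

# Set RUN_CHECK=1 to report on the current session's environment.
if [ "${RUN_CHECK:-0}" = 1 ]; then
    state=$(check_krb5ccname "${KRB5CCNAME:-}") || true
    echo "KRB5CCNAME=${KRB5CCNAME:-} -> $state"
    orphan_ccaches "${CCACHE_DIR:-/tmp}" "${KRB5CCNAME:-}"
fi
```

A "stale" result together with a non-empty orphan list, right after 'su' to the Kerberos-authenticated user, matches the behaviour in the report.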
