Bug 204939 - RFE: distinguish between ccaches created by session and cred mgmt functions
Summary: RFE: distinguish between ccaches created by session and cred mgmt functions
Alias: None
Product: Fedora
Classification: Fedora
Component: pam_krb5
Version: rawhide
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact: Brian Brock
Depends On:
TreeView+ depends on / blocked
Reported: 2006-09-01 14:45 UTC by Nalin Dahyabhai
Modified: 2007-11-30 22:11 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2007-11-09 19:44:59 UTC

Attachments (Terms of Use)

Description Nalin Dahyabhai 2006-09-01 14:45:53 UTC
Description of problem:
Some applications use both session management and credential management PAM APIs
(which is normal), but propagate the PAM environment to the real environment in
between calling pam_open_session() and pam_setcred().  This sets the environment
variables to values which are invalidated when the second function (whichever
one that is) is called.

Version-Release number of selected component (if applicable):
2.2.9 and earlier

How reproducible:

Steps to Reproduce:
1. Install RHEL4 box with coreutils no newer than 5.2.1-31.4.
2. Configure 'su' so that it no longer trusts root.
3. Attempt to 'su' to an unprivileged user who is authenticated using Kerberos.
Actual results:
You get a ccache, but KRB5CCNAME points elsewhere.  The debug log shows
$KRB5CCNAME being created, destroyed, and then another ccache being created.

Expected results:
Something less confusing/annoying/infuriating.

Additional info:
See bug #150056 for the RHEL 4 instance where this bites 'su'.

Comment 1 Nalin Dahyabhai 2007-11-09 19:44:59 UTC
This should have been fixed in 2.2.13, but I forgot to close this when the
package hit Raw Hide.  Closing now.

Note You need to log in before you can comment on or make changes to this bug.