Bug 209512 - [RHEL4] krb5-workstation : ksu fails on exit
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: krb5
All Linux
high Severity high
Assigned To: Nalin Dahyabhai
Brian Brock
Reported: 2006-10-05 14:28 EDT by Jose Plans
Modified: 2007-11-16 20:14 EST
Fixed In Version: RHBA-2007-0238
Doc Type: Bug Fix
Last Closed: 2007-05-07 18:09:25 EDT

Attachments:
Patch fixing the problem (503 bytes, patch), 2006-10-05 14:28 EDT, Jose Plans

Description Jose Plans 2006-10-05 14:28:38 EDT
Description of problem:
After upgrading from krb5(1.3.4-27) to krb5(1.3.4-33), when using ksu and
exiting, the user gets the error :
[krb_user@dhcp-0-190 root]$ exit
ksu: Operation not permitted while returning to source uid for destroying ccache
Checking on the source code, we can see this failure reported in
src/client/ksu/main.c [void sweep_up()]. There is a condition there that is not
right:

       if (krb5_seteuid(0) < 0 || krb5_seteuid(target_uid) < 0) {

In fact, seteuid(0) will always fail here unless we are root, or maybe under
other circumstances. After more research, I've found the following:

* http://mailman.mit.edu/pipermail/kerberos/2006-August/010276.html

Which presents the same solution as the patch attached and seems committed to
1.5.1 too (haven't checked yet).

The solution would be to remove krb5_seteuid(0); from the loop, and if it fails
let it fail silently as we know it will in some circumstances, it is true,
though, that krb5_seteuid(target_uid) *has* to be monitored and has to exit if

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. ksu krb_user
2. exit
Actual results:
[krb_user@dhcp-0-190 root]$ exit
ksu: Operation not permitted while returning to source uid for destroying ccache

Expected results:
exit silently, remove the ccache.

Additional info:
Patch attached.
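
Added example (not part of the original report, the attached patch, or the krb5 sources): a C program that compares the condition quoted in the description with the fix as the description words it, run against a constructed model of the seteuid(2) permission rule so the result does not depend on whether it is run as root. `model_seteuid`, `run_case`, `struct creds` and the uid values are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>

/* Constructed model of one process's credentials (not ksu code). */
struct creds { uid_t ruid, euid, suid; };
static struct creds proc;

/* Model of the seteuid(2) rule: a process whose effective uid is not 0
 * may only switch to its real, effective or saved uid; otherwise EPERM. */
static int model_seteuid(uid_t uid)
{
    if (proc.euid != 0 && uid != proc.ruid && uid != proc.euid && uid != proc.suid) {
        errno = EPERM;
        return -1;
    }
    proc.euid = uid;
    return 0;
}

/* Condition quoted in the report: a failed seteuid(0) is treated as fatal. */
static int sweep_up_reported(uid_t target_uid)
{
    return (model_seteuid(0) < 0 || model_seteuid(target_uid) < 0) ? -1 : 0;
}

/* Fix as described: try seteuid(0) but ignore its result; only a failed
 * seteuid(target_uid) is an error. */
static int sweep_up_described_fix(uid_t target_uid)
{
    (void) model_seteuid(0);
    return model_seteuid(target_uid) < 0 ? -1 : 0;
}

/* Run one variant from a given starting credential state; returns 0 or -1. */
int run_case(int use_fix, struct creds start, uid_t target_uid)
{
    proc = start;
    errno = 0;
    return use_fix ? sweep_up_described_fix(target_uid)
                   : sweep_up_reported(target_uid);
}

int main(void)
{
    struct creds dropped = { 500, 500, 500 };  /* constructed: no uid 0 left anywhere */
    printf("reported condition: %d\n", run_case(0, dropped, 500));
    printf("described fix:      %d\n", run_case(1, dropped, 500));
    return 0;
}
```

With a saved uid of 0 both variants succeed, and the fixed variant still reports an error when seteuid(target_uid) itself is refused.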
Comment 1 Jose Plans 2006-10-05 14:28:39 EDT
Created attachment 137837
Patch fixing the problem
Comment 3 Nalin Dahyabhai 2006-10-05 16:45:23 EDT
The patch as provided matches what upstream's revised patch does, and
it looks correct to me.  There was a little bit of discussion to this
effect toward the end of bug #197818.  FWIW, I wouldn't object to moving
this to be a 4.5 item.

Note to QE and PM: the test for this shakes out to be the test for
CVE-2006-3083 (#197818) with the addition of the case described here.
Comment 4 Toure Dunnon 2006-10-30 15:49:04 EST
Raising the exception on this as it does address a security issue in the kerberos program.
Comment 5 RHEL Product and Program Management 2006-10-30 16:05:45 EST
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
Comment 15 Red Hat Bugzilla 2007-05-07 18:09:25 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

