Bug 465906 - Exclude kerberos environment from being removed from sudo.
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: sudo
Version: 4.7
Hardware: All Linux
Priority: medium, Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: Daniel Kopeček
QA Contact: BaseOS QE
Reported: 2008-10-06 22:21 EDT by Wade Mealing
Modified: 2010-10-23 01:00 EDT

Doc Type: Bug Fix
Doc Text:
* when run, the sudo command removes all but a small group of environment variables. Previously, the Kerberos environment variable KRB5CCNAME was not among the variables retained. This prevented Kerberos from working with sudo when credentials not in the standard directory in /tmp were required. For example, Kerberos could not be used with sudo in a Windows Active Directory environment. Sudo now retains the KRB5CCNAME environment variable, allowing Kerberos to work with sudo correctly.
Last Closed: 2009-02-18 04:55:32 EST

Attachments
Patch to skip on krb5ccname (969 bytes, patch)
2008-10-06 22:46 EDT, Wade Mealing

Description Wade Mealing 2008-10-06 22:21:06 EDT
Description of problem:

Kerberos environment variable is removed when a user executes the sudo command.


Version-Release number of selected component (if applicable):

sudo-1.6.7p5 30

How reproducible:

Every time

Steps to Reproduce:
1. Get a Kerberos ticket from an AD
2. Run sudo to another user (no dash)
3. Get Kerberos credentials that are not in the standard /tmp/krb5_<uid> but something else.
  
Actual results:

Environment variable KRB5CCNAME is removed.

Expected results:

Environment variable to stay

Additional info:

Patch is a backport of the fix in sudo version 1.6.8p4, regarding the same problem.

---

 o The KRB5CCNAME environment variable is preserved during sudo
   execution for password lookups that use GSSAPI.

--

Patch tested by customer to be attached.
Comment 1 Wade Mealing 2008-10-06 22:46:52 EDT
Created attachment 319609
Patch to skip on krb5ccname
Comment 2 RHEL Product and Program Management 2008-10-31 12:48:51 EDT
This request was evaluated by Red Hat Product Management for
inclusion, but this component is not scheduled to be updated in
the current Red Hat Enterprise Linux release. If you would like
this request to be reviewed for the next minor release, ask your
support representative to set the next rhel-x.y flag to "?".
Comment 6 Ruediger Landmann 2009-01-26 19:59:52 EST
Release note added. If any revisions are required, please set the 
"requires_release_notes" flag to "?" and edit the "Release Notes" field accordingly.
All revisions will be proofread by the Engineering Content Services team.

New Contents:
* when run, the sudo command removes all but a small group of environment
variables. Previously, the Kerberos environment variable KRB5CCNAME was not
among the variables retained. This prevented Kerberos from working with
sudo when credentials not in the standard directory in /tmp were required.
For example, Kerberos could not be used with sudo in a Windows Active
Directory environment. Sudo now retains the KRB5CCNAME environment
variable, allowing Kerberos to work with sudo correctly.
Comment 7 Miroslav Vadkerti 2009-02-12 08:02:53 EST
Reproduced and tested as fixed in sudo-1.6.7p5-30.1.5. The environment variable KRB5CCNAME is retained after zero_env function.
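
The behaviour described in the release note and checked in comment 7, as an added example that is not sudo's code or the attached patch: an allowlist environment scrub run with a keep list that lacks KRB5CCNAME and with one that includes it. The keep lists, the constructed sample environment and the names `names`, `scrub_env` and `env_lookup` are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical keep lists for illustration; sudo's real list is not reproduced. */
const char *const keep_old[] = { "PATH", "TERM", NULL };
const char *const keep_new[] = { "PATH", "TERM", "KRB5CCNAME", NULL };
/* Constructed sample environment of the invoking user. */
const char *const sample_env[] = {
    "PATH=/usr/bin:/bin", "LD_PRELOAD=/tmp/x.so",
    "KRB5CCNAME=FILE:/var/tmp/krb5cc_example", "KRB5CCNAME_EXTRA=1", NULL };

/* 1 if entry is "NAME=..." for exactly this name (KRB5CCNAME_EXTRA != KRB5CCNAME). */
static int names(const char *entry, const char *name)
{
    size_t len = strlen(name);
    return strncmp(entry, name, len) == 0 && entry[len] == '=';
}

/* New NULL-terminated array holding only allowlisted entries; caller frees it. */
const char **scrub_env(const char *const *envp, const char *const *keep)
{
    size_t n = 0, out = 0;
    const char **clean;
    while (envp[n]) n++;
    if ((clean = calloc(n + 1, sizeof(*clean))) == NULL)
        return NULL;
    for (size_t i = 0; i < n; i++)
        for (const char *const *k = keep; *k; k++)
            if (names(envp[i], *k)) { clean[out++] = envp[i]; break; }
    return clean;
}

/* Value of NAME in envp, or NULL if the variable is absent. */
const char *env_lookup(const char *const *envp, const char *name)
{
    for (; *envp; envp++)
        if (names(*envp, name))
            return strchr(*envp, '=') + 1;
    return NULL;
}

int main(void)
{
    const char **e = scrub_env(sample_env, keep_new);
    puts(e && env_lookup(e, "KRB5CCNAME") ? "KRB5CCNAME kept" : "KRB5CCNAME dropped");
    free(e);
    return 0;
}
```

Everything not named on the keep list, including `LD_PRELOAD` and the near-miss `KRB5CCNAME_EXTRA`, is still dropped after KRB5CCNAME is added.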
Comment 10 errata-xmlrpc 2009-02-18 04:55:32 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-0263.html
