Description of problem:
Kerberos environment variable is removed when a user executes the sudo command.

Version-Release number of selected component (if applicable):
sudo-1.6.7p5 30

How reproducible:
Every time

Steps to Reproduce:
1. Get a Kerberos ticket from an AD
2. Run sudo to another user (no dash)
3. Get Kerberos credentials that are not in the standard /tmp/krb5_<uid> but something else.

Actual results:
Environment variable KRB5CCNAME is removed.

Expected results:
Environment variable to stay

Additional info:
Patch is a backport of the fix in sudo version 1.6.8p4, regarding the same problem.
---
o The KRB5CCNAME environment variable is preserved during sudo execution for password lookups that use GSSAPI.
--
Patch tested by customer to be attached.
Created attachment 319609: Patch to skip on krb5ccname
This request was evaluated by Red Hat Product Management for inclusion, but this component is not scheduled to be updated in the current Red Hat Enterprise Linux release. If you would like this request to be reviewed for the next minor release, ask your support representative to set the next rhel-x.y flag to "?".
Release note added. If any revisions are required, please set the "requires_release_notes" flag to "?" and edit the "Release Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
* when run, the sudo command removes all but a small group of environment variables. Previously, the Kerberos environment variable KRB5CCNAME was not among the variables retained. This prevented Kerberos from working with sudo when credentials not in the standard directory in /tmp were required. For example, Kerberos could not be used with sudo in a Windows Active Directory environment. Sudo now retains the KRB5CCNAME environment variable, allowing Kerberos to work with sudo correctly.
Reproduced and tested as fixed in sudo-1.6.7p5-30.1.5. The environment variable KRB5CCNAME is retained after the zero_env function.
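
The allowlist-style environment scrubbing described in the release note above, as an added C illustration that is not part of the bug report and is not sudo's source. `scrub_env`, both keep lists and the sample environment are constructed for the example; sudo's real list of retained variables is not shown on this page. Names are matched exactly, so a look-alike such as `KRB5CCNAME_OTHER` is still dropped.

```c
#include <stdio.h>
#include <string.h>

/* Return 1 if entry "NAME=value" has exactly the name `name`. */
static int name_matches(const char *entry, const char *name)
{
    size_t n = strlen(name);
    return strncmp(entry, name, n) == 0 && entry[n] == '=';
}

/*
 * Copy into out[] only the entries of envp[] whose name is on keep[].
 * Both input arrays are NULL-terminated. Returns the number retained;
 * out[] is NULL-terminated and holds at most cap - 1 entries.
 */
size_t scrub_env(const char *const *envp, const char *const *keep,
                 const char **out, size_t cap)
{
    size_t kept = 0;
    if (cap == 0)
        return 0;
    for (size_t i = 0; envp[i] != NULL && kept + 1 < cap; i++)
        for (size_t k = 0; keep[k] != NULL; k++)
            if (name_matches(envp[i], keep[k])) {
                out[kept++] = envp[i];
                break;
            }
    out[kept] = NULL;
    return kept;
}

/* Constructed sample environment and keep lists (illustrative only). */
const char *const sample_env[] = {
    "PATH=/usr/bin:/bin",
    "KRB5CCNAME=FILE:/tmp/krb5cc_constructed_example",
    "KRB5CCNAME_OTHER=not-the-same-variable",
    "LD_PRELOAD=/tmp/constructed.so",
    NULL
};
const char *const keep_before[] = { "PATH", "TERM", NULL };
const char *const keep_after[]  = { "PATH", "TERM", "KRB5CCNAME", NULL };

int main(void)
{
    const char *out[8];
    size_t n = scrub_env(sample_env, keep_before, out, 8);
    printf("before fix: %zu kept\n", n);
    n = scrub_env(sample_env, keep_after, out, 8);
    for (size_t i = 0; i < n; i++)
        printf("after fix: %s\n", out[i]);
    return 0;
}
```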
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2009-0263.html