[16520] in Kerberos-V5-bugs
[krbdev.mit.edu #8895] ksu broken on 1.18
daemon@ATHENA.MIT.EDU (Garrett Wollman via RT)
Sun Apr 5 23:42:46 2020
From: "Garrett Wollman via RT" <rt-comment@KRBDEV-PROD-APP-1.mit.edu>
In-Reply-To: <24201.15739.14901.194820@hergotha.csail.mit.edu>
Message-ID: <rt-4.4.4-116190-1586144558-1362.8895-4-0@mit.edu>
To: "AdminCc of krbdev.mit.edu Ticket #8895":;
Date: Sun, 05 Apr 2020 23:42:38 -0400
MIME-Version: 1.0
Reply-To: rt-comment@KRBDEV-PROD-APP-1.mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu
Sun Apr 05 23:42:38 2020: Request 8895 was acted upon.
Transaction: Ticket created by wollman@bimajority.org
Queue: krb5
Subject: ksu broken on 1.18
Owner: Nobody
Requestors: wollman@bimajority.org
Status: new
Ticket <URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=8895 >
The change described thusly in the release notes:
setuid programs will automatically ignore environment
variables that normally affect krb5 API functions, even if the
caller does not use krb5_init_secure_context().
breaks ksu when run in an ssh session (either interactively, or, e.g.,
by ansible). ssh creates separate ccaches for each session and sets
KRB5CCNAME accordingly; ignoring the process environment causes ksu to
look at the nonexistent default ccache and conclude that the user
needs to enter a password to authenticate.
-GAWollman
_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs
