[1681] in Kerberos-V5-bugs


Re: appl/bsd/login.c smashes TZ environment variable

daemon@ATHENA.MIT.EDU (Sam Hartman)
Sat Oct 21 17:42:42 1995

To: epeisach@MIT.EDU
Cc: krb5-bugs@MIT.EDU
In-Reply-To: Your message of "Sat, 21 Oct 1995 17:09:47 EDT."
             <9510212109.AA25443@kangaroo.mit.edu> 
Date: Sat, 21 Oct 1995 17:42:36 EDT
From: Sam Hartman <hartmans@MIT.EDU>


> Received: from PACIFIC-CARRIER-ANNEX.MIT.EDU by po9.MIT.EDU (5.61/4.7) id AA22361; Sat, 21 Oct 95 17:09:58 EDT
> Received: from KANGAROO.MIT.EDU by MIT.EDU with SMTP
> 	id AA17184; Sat, 21 Oct 95 17:09:49 EDT
> .From: epeisach@MIT.EDU
> Received: by kangaroo.mit.edu; (5.65/1.1.8.2/03Mar95-1146AM)
> 	id AA25443; Sat, 21 Oct 1995 17:09:47 -0400
> Date: Sat, 21 Oct 1995 17:09:47 -0400
> Message-Id: <9510212109.AA25443@kangaroo.mit.edu>
> To: krb5-bugs@MIT.EDU
> Subject: appl/bsd/login.c smashes TZ environment variable
> 
> 
> The dejagnu tests fail on the SGI as TZ is set by init and expected to
> be inherited by all child processes.
> 
> In login.krb5, all environment variables are nuked 
> so you get 
> 
> FAIL:  date 
> 
> problems...
> 
> What is needed is to save the TZ environment variable (if set) and reset
> it later.
> 
> The KRB5_CCACHE variable would be another good one that would be eligible
> so that forwarded tickets were easily referenced.


	I complained to Ted because AIX has the same behavior.
The solution we came up with (long term) was to write a library of
useful functions for krshd, kinit, ksu, krlogind and telnetd.  In
particular, you want functions to get tickets (both v4 and v5) for
kinit, ksu, and login.krb5, and you want environment processing stuff
to pass environment variables through as appropriate for telnetd,
krshd, login.krb5 and krlogind.

	I was talking to Richard about this on the 15th, and we
realized that if the ticket-getting interface were done well, it could
probably be moved into libkrb5.  (You don't just want to use
krb5_get_in_tkt_with_password because you want to verify against the
local keytab if it exists, you may want to get krb4 tickets as well,
and ideally, it could be simpler to use than krb5_get_in_tkt_*).
Unfortunately, it's difficult to develop a simpler interface without
losing functionality; if someone ever tries to do a good job of
integrating preauth--something that IMHO should happen--this simpler
interface could easily get in the way.

	It's clear we need to solve these problems.  Unfortunately,
the solutions tend to be somewhat OS dependent--there's the mess of
determining what environment variables to pass, dealing with ticket
file owners when a set-uid program needs to get tickets (seteuid()
isn't as standard as you'd like it to be), etc, etc.

--Sam
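
The save-and-restore of TZ that the quoted report asks for, written as an allowlist so that everything else inherited by the login program is still dropped. This is an added example, not code from the thread or from login.krb5; scrub_environment, keep_vars and MAX_VALUE_LEN are hypothetical names, and the length cap is an assumption.

```c
#include <stdlib.h>
#include <string.h>

extern char **environ;

/* Assumption: the allowlist holds only the two variables named in the thread. */
static const char *const keep_vars[] = { "TZ", "KRB5_CCACHE" };
#define NKEEP (sizeof keep_vars / sizeof keep_vars[0])
#define MAX_VALUE_LEN 256   /* assumed cap on a carried-over value */

/* Hypothetical helper: replace the inherited environment with a fresh one
 * that contains only the allowlisted variables that were actually set.
 * Returns the number of variables carried over, or -1 on allocation
 * failure (the original environment is left in place in that case). */
int scrub_environment(void)
{
    char **fresh = calloc(NKEEP + 1, sizeof *fresh);  /* NULL-terminated */
    size_t i, kept = 0;

    if (fresh == NULL)
        return -1;
    for (i = 0; i < NKEEP; i++) {
        const char *val = getenv(keep_vars[i]);
        size_t nlen = strlen(keep_vars[i]), vlen;

        if (val == NULL || (vlen = strlen(val)) > MAX_VALUE_LEN)
            continue;               /* unset or oversized: do not pass on */
        /* Copy now: val points into the environment being discarded. */
        fresh[kept] = malloc(nlen + 1 + vlen + 1);
        if (fresh[kept] == NULL) {
            while (kept > 0)
                free(fresh[--kept]);
            free(fresh);
            return -1;
        }
        memcpy(fresh[kept], keep_vars[i], nlen);
        fresh[kept][nlen] = '=';
        memcpy(fresh[kept] + nlen + 1, val, vlen + 1);  /* includes NUL */
        kept++;
    }
    environ = fresh;                /* everything not allowlisted is gone */
    return (int)kept;
}
```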

