[3070] in Kerberos-V5-bugs
pending/713: Problem in "ksu"
daemon@ATHENA.MIT.EDU (Marty Humphrey)
Wed Apr 21 10:47:16 1999
Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: gnats-admin@rt-11.MIT.EDU
Resent-Reply-To: krb5-bugs@MIT.EDU, Marty Humphrey <humphrey@cs.virginia.edu>
Date: Wed, 21 Apr 1999 10:46:07 -0400 (EDT)
From: Marty Humphrey <humphrey@cs.virginia.edu>
To: krb5-bugs@MIT.EDU, humphrey@cs.virginia.edu
>Number: 713
>Category: pending
>Synopsis: Problem in "ksu"
>Confidential: yes
>Severity: serious
>Priority: medium
>Responsible: gnats-admin
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Wed Apr 21 10:47:01 EDT 1999
>Last-Modified:
>Originator:
>Organization:
>Release:
>Environment:
>Description:
>How-To-Repeat:
>Fix:
>Audit-Trail:
>Unformatted:
I've found a problem in "ksu".
I want to, in essence, create processes on behalf of another user in
the following manner. Say that I am user "fred" and I want to create a
process for user "barney". I want to do the following: As user "fred",
    /usr/local/bin/ksu barney -n barney -c FILE:barney_creds -e /usr/bin/ls
Note that "barney_creds" is a file owned by "fred" (mode 0600), which
contains a copy of barney's credentials. Barney has given Fred a copy
of Barney's ticket(s). Note, that "/usr/bin/ls" is just a simple
binary used for this example.
While I realize that there may be other ways to do this, I believe
that in principle "ksu" is designed to support this.
Currently, here is what happens when I invoke this:
>> Authenticated barney@KERB.REALM
>> ksu[37749651]: 'ksu barney' authenticated barney@KERB.REALM for fred on /dev/ttyq43
>> Account barney: authorization for barney@KERB.REALM for execution of
>> (null) successful
>> ksu[37749651]: Account barney: authorization for barney@KERB.REALM for execution of (null) successful
>> Changing uid to barney (8066)
>> Internal error: command /usr/bin/ls did not get resolved
The bug in KSU is that authentication and authorization have already
occurred, so "/usr/bin/ls" *should* be fine. The fix to this bug can be
found in
krb5_current/src/clients/ksu/main.c
at or around line 855. This is the way it currently is written:
    if ((source_uid == 0) || (source_uid == target_uid )){
        exec_cmd = cmd;
    }
I want it changed to remove the conditional, and always make the
assignment:
    exec_cmd = cmd;
My belief is that this is an unnecessary line that the programmer put
in. Note that this is labeled an internal error (as opposed to an
error that should be shown to the user). This bug occurs because we
are attempting to use "ksu" in a manner in which people generally
don't use it. We have to use it this way because we are not allowed
to use "k5login" (nor k5users) --- this is a site-wide security policy
mandated by "higher-ups"; also, we *firmly* believe that this use is
consistent with the spirit and intent of the "ksu" operation.
Thanks,
Marty Humphrey
Research Assistant Professor
UVa Legion Project
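
Added example (not part of the original report and not code from the krb5 sources): a small C model of the exec_cmd selection quoted above, showing which command string would reach exec for the report's fred-to-barney case under the current conditional and under the proposed unconditional assignment. The function name, the authz_cmd parameter (a command path that an authorization step may already have resolved), the "/bin/ls" sample and fred's uid are assumptions; 8066 is barney's uid from the ksu output above.

```c
#include <stdio.h>
#include <stddef.h>
#include <sys/types.h>

/*
 * Simplified model, not ksu source. authz_cmd is an assumption: a command
 * path that an earlier authorization step may have resolved (NULL if none).
 */
static const char *select_exec_cmd(uid_t source_uid, uid_t target_uid,
                                   const char *cmd, const char *authz_cmd,
                                   int unconditional)
{
    const char *exec_cmd = authz_cmd;

    if (unconditional) {
        /* Proposed change in the report: always take the -e argument. */
        exec_cmd = cmd;
    } else if (source_uid == 0 || source_uid == target_uid) {
        /* Conditional as quoted in the report. */
        exec_cmd = cmd;
    }
    /* NULL here corresponds to "command ... did not get resolved". */
    return exec_cmd;
}

static void show(const char *label, const char *exec_cmd)
{
    printf("%-34s -> %s\n", label, exec_cmd ? exec_cmd : "(unresolved)");
}

int main(void)
{
    const uid_t fred = 1001;    /* constructed uid for the calling user */
    const uid_t barney = 8066;  /* target uid shown in the ksu output */
    const char *cmd = "/usr/bin/ls";

    show("fred->barney, current", select_exec_cmd(fred, barney, cmd, NULL, 0));
    show("root->barney, current", select_exec_cmd(0, barney, cmd, NULL, 0));
    show("barney->barney, current", select_exec_cmd(barney, barney, cmd, NULL, 0));
    show("fred->barney, proposed", select_exec_cmd(fred, barney, cmd, NULL, 1));
    /* With a command already resolved, the proposed form replaces it. */
    show("fred->barney, resolved, current",
         select_exec_cmd(fred, barney, cmd, "/bin/ls", 0));
    show("fred->barney, resolved, proposed",
         select_exec_cmd(fred, barney, cmd, "/bin/ls", 1));
    return 0;
}
```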