[3259] in Kerberos-V5-bugs
krb5-clients/1004: ksu core dump if .k5login or .k5users has bad ownership
daemon@ATHENA.MIT.EDU (ratliff@austin.ibm.com)
Tue Oct 9 19:26:09 2001
Resent-From: gnats@rt-11.mit.edu (GNATS Management)
Resent-To: krb5-unassigned@rt-11.mit.edu
Resent-Reply-To: krb5-bugs@MIT.EDU, ratliff@austin.ibm.com
Message-Id: <20011009232457.7030282BFF@spiff.austin.ibm.com>
Date: Tue, 9 Oct 2001 18:24:57 -0500 (CDT)
From: ratliff@austin.ibm.com
Reply-To: ratliff@austin.ibm.com
To: krb5-bugs@mit.edu, ratliff@austin.ibm.com
>Number: 1004
>Category: krb5-clients
>Synopsis: ksu core dumps if .k5login or .k5users exists in target user's home directory but has other ownership
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Tue Oct 9 19:26:01 EDT 2001
>Last-Modified:
>Originator: Emily Ratliff
>Organization:
IBM Linux Technology Center, Security
>Release: krb5-1.2.1
>Environment:
System: Linux spiff.austin.ibm.com 2.2.17-21mdk #1 Thu Oct 5 13:16:08 CEST 2000 i686 unknown
Architecture: i686
>Description:
ksu segfaults when the .k5login or .k5users file in the target user's
home directory is not owned by that user. This has a fairly low probability
of actually occurring. What happens is that get_authorized_princ_names()
in heuristic.c opens the files and checks to make sure that the target
user owns them by calling fowner() (in authorization.c). When fowner()
discovers that the target user does not own them, it closes the files and
returns FALSE. When get_authorized_princ_names() sees that the files
are not owned by the target user, it calls close_time() to close
the already closed files, which causes the segmentation fault.
krb5_authorization() also calls fowner() and does not attempt to
close the files if the call reveals they are not owned by the target
user. krb5_authorization() and get_authorized_princ_names() need
to exhibit the same behavior after the fowner() call. The attached
patch removes the calls to close from fowner() and adds them to
krb5_authorization().
close_time() calls close on the files based on whether or not they
exist rather than whether or not they were successfully opened. This
can lead to races. It would be cleaner to eliminate this call, but
that code is not included in this patch, since the existing code
is operational. I can send a patch for this if you want.
>How-To-Repeat:
Create a .k5login or .k5users file in UserA's home directory.
Insert an entry for UserB. Chown either or both files to UserC. Log in
as UserB and run `ksu UserA`. A segmentation fault will occur.
>Fix:
diff -ur src.old/clients/ksu/authorization.c src/clients/ksu/authorization.c
--- src.old/clients/ksu/authorization.c Mon Oct 1 16:55:51 2001
+++ src/clients/ksu/authorization.c Tue Oct 9 17:53:22 2001
@@ -40,12 +40,10 @@
* the user himself, or by root. Otherwise, don't grant access.
*/
if (fstat(fileno(fp), &sbuf)) {
- fclose(fp);
return(FALSE);
}
if ((sbuf.st_uid != uid) && sbuf.st_uid) {
- fclose(fp);
return(FALSE);
}
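Review bot: this hunk changes the contract of fowner() from "closes fp on failure" to "never closes fp", so every caller of fowner() must now close the stream itself on the FALSE path or it leaks a FILE*. The report updates krb5_authorization() in the following hunks; the comment block above this function should also state that the caller owns the stream, and any other caller of fowner() in the tree should be checked for the same leak on rejection.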
@@ -103,8 +101,10 @@
if (!k5login_flag){
if ((login_fp = fopen(k5login_path, "r")) == NULL)
return 0;
- if ( fowner(login_fp, pwd->pw_uid) == FALSE)
+ if ( fowner(login_fp, pwd->pw_uid) == FALSE) {
+ fclose(login_fp);
return 0;
+ }
}
if (!k5users_flag){
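Review bot: the k5login branch now repeats the same open, fowner(), fclose, return 0 sequence that the k5users branch below carries; since the bug being fixed is exactly these two paths drifting apart (and drifting from get_authorized_princ_names() in heuristic.c), consider factoring the open-and-verify step into one helper so a future change cannot fix one copy and miss the other.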
@@ -112,6 +112,7 @@
return 0;
}
if ( fowner(users_fp, pwd->pw_uid) == FALSE){
+ fclose(users_fp);
return 0;
}
}
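Review bot: the two visible return 0 paths in this hunk close only users_fp. If login_fp, opened in the preceding k5login block, is still open when this branch is reached, it would leak on both of these returns; confirm it has been closed before this point or close it here as well, mirroring the new fclose(users_fp).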
>Audit-Trail:
>Unformatted: