[3301] in Kerberos-V5-bugs
telnet/1046: telnet sets the key cache to UID/GID 0 for non-UID 0 users
daemon@ATHENA.MIT.EDU (sean@chittenden.org)
Sat Jan 26 19:00:05 2002
Resent-From: gnats@rt-11.mit.edu (GNATS Management)
Resent-To: hartmans@mit.edu
Resent-Reply-To: krb5-bugs@MIT.EDU, sean@chittenden.org
Message-Id: <20020126235911.8375220F0A@mail.tgd.net>
Date: Sat, 26 Jan 2002 15:59:11 -0800 (PST)
From: sean@chittenden.org
Reply-To: sean@chittenden.org
To: krb5-bugs@mit.edu
>Number: 1046
>Category: telnet
>Synopsis: telnet sets the key cache to UID/GID 0 for non-UID 0 users
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: hartmans
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Sat Jan 26 19:00:00 EST 2002
>Last-Modified:
>Originator: Sean Chittenden
>Organization:
>Release: krb5-1.2.3
>Environment:
System: FreeBSD ninja1.internal 4.5-RC FreeBSD 4.5-RC #0: Thu Jan 10 14:10:58 PST 2002 root@ninja1.internal:/opt/obj/opt/src/sys/NINJA i386
>Description:
I just upgraded from 1.2.2 to 1.2.3, and when I telnet to a system using
Kerberos (telnet -axF) I am granted access to the system; however,
my key cache on the remote system is set to UID/GID 0:0 and I can't
ksu to root. I didn't see anything in the release notes.
>How-To-Repeat:
> kinit
Password for sean@INTERNAL:
sean@ninja1:~ > /usr/local/bin/telnet -axF lan.internal
Trying 192.168.1.253...
Connected to lan.internal (192.168.1.253).
Escape character is '^]'.
Waiting for encryption to be negotiated...
[ Kerberos V5 accepts you as ``sean@INTERNAL'' ]
[ Kerberos V5 accepted forwarded credentials ]
done.
Last login: Sat Jan 26 15:10:30 from ninja1
sean@lan:~ > ls -lA /tmp/krb5*
-rw------- 1 root wheel 423 Jan 26 15:52 /tmp/krb5cc_p55699
3:53pm sean@lan:~ > ksu
ksu: Credentials cache permissions incorrect while opening ccache
sean@lan:~ > grep telnetd /etc/inetd.conf
telnet stream tcp nowait root /usr/local/sbin/telnetd telnetd -a valid
sean@lan:~ > exit
Connection closed by foreign host.
sean@ninja1:~ > /usr/local/bin/telnet -axF -l root lan.internal
Trying 192.168.1.253...
Connected to lan.internal (192.168.1.253).
Escape character is '^]'.
Waiting for encryption to be negotiated...
[ Kerberos V5 accepts you as ``sean@INTERNAL'' ]
[ Kerberos V5 accepted forwarded credentials ]
done.
Last login: Sat Jan 26 15:53:00 from ninja1
3:55pm root@lan:~ #
>Fix:
man 2 chown
#include <unistd.h>
int chown(const char *path, uid_t owner, gid_t group);
>Audit-Trail:
>Unformatted:
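
Added example (not part of the original report and not MIT krb5 code): one way a daemon running as root could hand a freshly written credentials cache to the login user, following the chown(2) hint under >Fix:, together with an ownership check of the kind the ksu error above points to. The function names, the scratch file name and the exact check are assumptions; the page does not show what telnetd or ksu actually do.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L /* O_NOFOLLOW, fchown, mkstemp */
#endif
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: give a cache file written by a root daemon to the
 * login user. Works on a descriptor opened with O_NOFOLLOW so a symlink
 * planted in /tmp cannot redirect the chown. Returns 0 or -1. */
int ccache_hand_over(const char *path, uid_t uid, gid_t gid)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        fchmod(fd, S_IRUSR | S_IWUSR) != 0 || fchown(fd, uid, gid) != 0) {
        close(fd);
        return -1;
    }
    return close(fd);
}

/* Assumed check: regular file, owned by uid, no group/other access. */
int ccache_owner_ok(const char *path, uid_t uid)
{
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return 0;
    return st.st_uid == uid && (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

/* Constructed scratch file: returns 1 when hand-over succeeds, the new
 * owner passes the check and a different UID fails it. */
int demo_hand_over(void)
{
    char path[] = "/tmp/krb5cc_demoXXXXXX";
    int ok, fd = mkstemp(path);
    if (fd < 0)
        return -1;
    close(fd);
    ok = ccache_hand_over(path, geteuid(), getegid()) == 0 &&
         ccache_owner_ok(path, geteuid()) &&
         !ccache_owner_ok(path, geteuid() + 1);
    unlink(path);
    return ok;
}
```

In a login daemon the uid and gid would come from the target account's passwd entry, and the hand-over has to happen before the daemon drops privileges.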