ports/167031: Heimdal ignore environment after process call setuid/setgid

Ivan Chetyrkin frice at inbox.ru
Tue Apr 17 16:10:08 UTC 2012


>Number:         167031
>Category:       ports
>Synopsis:       Heimdal ignore environment after process call setuid/setgid
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Apr 17 16:10:01 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator:     Ivan Chetyrkin
>Release:        FreeBSD-9
>Organization:
>Environment:
FreeBSD v64.devel.local 9.0-STABLE FreeBSD 9.0-STABLE #0: Tue Mar 13 16:45:29 YEKT 2012     frice at frice.devel.local:/usr/obj/usr/src/sys/FRICE  amd64
>Description:
In port security/heimdal I found a bug.

The environment is fully ignored after a process calls setuid/setgid, because of the different implementations of the issetugid() function on FreeBSD and Solaris. On Solaris this call indicates that the effective uid/gid of the caller is different from the real uid/gid (for a setuid binary, for example); on FreeBSD it indicates that the uid/gid has changed. On Linux, which does not have the specified call, Heimdal checks for a difference between the real and effective uid/gid.
>How-To-Repeat:
1. Export a Kerberos keytab for some service (ktutil --keytab=/usr/local/etc/openldap/slapd.keytab get -p root ldap/dc).
2. Set KRB5_KTNAME to the keytab from the line above (setenv KRB5_KTNAME /usr/local/etc/openldap/slapd.keytab).
3. Run a daemon with Kerberos support that changes its uid/gid after starting (I tried OpenLDAP server, compiled with SASL and Heimdal support: slapd -u ldap -g ldap).
4. Get a Kerberos ticket (kinit).
5. Try to access the running daemon (ldapsearch -Y EXTERNAL, for the OpenLDAP example).
6. Get an authentication error instead of the expected result.
>Fix:
--- lib/roken/issuid.c.orig 2012-04-17 21:50:58.599440467 +0600
+++ lib/roken/issuid.c  2012-04-17 21:51:14.623440235 +0600
@@ -38,7 +38,7 @@
 ROKEN_LIB_FUNCTION int ROKEN_LIB_CALL
 issuid(void)
 {
-#if defined(HAVE_ISSETUGID)
+#if defined(HAVE_ISSETUGID) && !defined(__FreeBSD__)
     return issetugid();
 #else /* !HAVE_ISSETUGID */

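Review bot: the `!defined(__FreeBSD__)` added to the `#if` in issuid() switches off issetugid() for every FreeBSD caller of this function, not only for daemons that drop privileges after start. A binary that was executed setuid and has since made its real and effective ids equal would then take the `#else` path (per the description, a real-versus-effective id comparison) and be reported as not setuid, so its environment would be trusted. I would keep `return issetugid();` for the setuid-at-exec case and handle the privilege-dropping daemon separately, or at minimum add a comment above the `#if` stating why FreeBSD is excluded and what the fallback checks instead. Keying on the `__FreeBSD__` macro also leaves any other platform whose issetugid() has the same semantics unfixed; a configure-time check would be more robust than an OS macro.
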
>Release-Note:
>Audit-Trail:
>Unformatted:


