ports/167031: Heimdal ignores environment after process calls setuid/setgid
Ivan Chetyrkin
frice at inbox.ru
Tue Apr 17 16:10:08 UTC 2012
>Number: 167031
>Category: ports
>Synopsis: Heimdal ignores environment after process calls setuid/setgid
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Apr 17 16:10:01 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator: Ivan Chetyrkin
>Release: FreeBSD-9
>Organization:
>Environment:
FreeBSD v64.devel.local 9.0-STABLE FreeBSD 9.0-STABLE #0: Tue Mar 13 16:45:29 YEKT 2012 frice at frice.devel.local:/usr/obj/usr/src/sys/FRICE amd64
>Description:
In port security/heimdal I found a bug.
The environment is ignored completely after a process calls setuid/setgid, because the issetugid() function is implemented differently on FreeBSD and Solaris. On Solaris this call indicates that the effective uid/gid of the caller differs from the real uid/gid (for a setuid binary, for example); on FreeBSD it indicates that the uid/gid has changed. On Linux, which does not have this call, Heimdal checks for a difference between the real and effective uid/gid.
>How-To-Repeat:
1. Export a Kerberos keytab for some service (ktutil --keytab=/usr/local/etc/openldap/slapd.keytab get -p root ldap/dc).
2. Set KRB5_KTNAME to the keytab from the step above (setenv KRB5_KTNAME /usr/local/etc/openldap/slapd.keytab).
3. Run a daemon with Kerberos support that changes its uid/gid after starting (I tried OpenLDAP server, compiled with SASL and Heimdal support: slapd -u ldap -g ldap).
4. Get a Kerberos ticket (kinit).
5. Try to access the running daemon (ldapsearch -Y EXTERNAL, for the OpenLDAP example).
6. Get an authentication error instead of the expected result.
>Fix:
--- lib/roken/issuid.c.orig 2012-04-17 21:50:58.599440467 +0600
+++ lib/roken/issuid.c 2012-04-17 21:51:14.623440235 +0600
@@ -38,7 +38,7 @@
ROKEN_LIB_FUNCTION int ROKEN_LIB_CALL
issuid(void)
{
-#if defined(HAVE_ISSETUGID)
+#if defined(HAVE_ISSETUGID) && !defined(__FreeBSD__)
return issetugid();
#else /* !HAVE_ISSETUGID */
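Review bot: On the changed `#if` line, excluding FreeBSD from `issetugid()` also drops the taint check for programs that were started set-uid/set-gid and later made their real and effective ids equal. Per the description, the `#else` fallback only compares real and effective uid/gid, so such a process would honor variables like KRB5_KTNAME again. The fallback body is not part of this hunk, so please confirm it covers that case, or narrow the exception instead of disabling the call for every FreeBSD build. The trailing `#else /* !HAVE_ISSETUGID */` comment also becomes inaccurate, since that branch is now taken on FreeBSD with HAVE_ISSETUGID defined; update it and add a short comment saying why FreeBSD is excluded.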
>Release-Note:
>Audit-Trail:
>Unformatted:
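The difference between the two checks the report describes, as an added C model (not Heimdal's or FreeBSD's code): `check_flag` stands for the FreeBSD `issetugid()` behaviour as the report describes it, and `check_ids` for the real-versus-effective comparison. The `struct proc` model, all function names and the uids 389 and 1001 are constructed for illustration; group ids are left out and `model_setuid` assumes a privileged caller.

```c
#include <stdio.h>

/* Constructed model of the credentials a library check can observe. */
struct proc {
    unsigned ruid, euid; /* real and effective uid */
    int sugid;           /* taint flag: set-id exec or any later id change */
};

/* exec by caller_uid; setuid_owner is the set-uid file's owner, -1 if none. */
static struct proc model_exec(unsigned caller_uid, long setuid_owner)
{
    struct proc p = { caller_uid, caller_uid, 0 };
    if (setuid_owner >= 0 && (unsigned)setuid_owner != caller_uid) {
        p.euid = (unsigned)setuid_owner;
        p.sugid = 1;
    }
    return p;
}

/* setuid(uid) by a privileged process: both ids change, flag is raised. */
static void model_setuid(struct proc *p, unsigned uid)
{
    if (p->ruid != uid || p->euid != uid)
        p->sugid = 1;
    p->ruid = p->euid = uid;
}

/* 1 means "treat the environment as untrusted". */
static int check_flag(const struct proc *p) { return p->sugid; }
static int check_ids(const struct proc *p)  { return p->ruid != p->euid; }

/* Root-started daemon dropping to uid 389 (the slapd -u ldap case). */
static struct proc daemon_drop(void)
{ struct proc p = model_exec(0, -1); model_setuid(&p, 389); return p; }
/* Set-uid-root tool run by uid 1001. */
static struct proc setuid_tool(void) { return model_exec(1001, 0); }
/* Same tool after it made its real uid equal to its effective uid. */
static struct proc setuid_tool_equalized(void)
{ struct proc p = model_exec(1001, 0); model_setuid(&p, 0); return p; }

int main(void)
{
    struct proc s[3] = { daemon_drop(), setuid_tool(), setuid_tool_equalized() };
    const char *name[3] = { "daemon drop", "set-uid tool", "set-uid, equalized" };
    for (int i = 0; i < 3; i++)
        printf("%-20s flag=%d ids=%d\n", name[i], check_flag(&s[i]), check_ids(&s[i]));
    return 0;
}
```

The first row is the reported symptom (only the flag check rejects the daemon's environment); the third row is the case where only the flag check still rejects it.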