[krbdev.mit.edu #7728] ksu assumes the invoking user's using a FILE: ccache

The RT System itself via RT rt-comment at krbdev.mit.edu
Thu Oct 17 19:08:15 EDT 2013


Date: Thu, 17 Oct 2013 18:45:27 -0400
Message-Id: <201310172245.r9HMjRWx022295 at blade.bos.redhat.com>
To: krb5-bugs at mit.edu
Subject: ksu assumes the invoking user's using a FILE: ccache
From: nalin at redhat.com


>Submitter-Id:	net
>Originator:	
>Organization:
>Confidential:	no
>Synopsis:	ksu assumes the invoking user's using a FILE: ccache
>Severity:	non-critical
>Priority:	low
>Category:	krb5-clients
>Class:		sw-bug
>Release:	1.11.3
>Environment:
	
System: Linux blade.bos.redhat.com 3.11.2-301.fc20.x86_64 #1 SMP Fri Sep 27 19:45:03 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
Architecture: x86_64

>Description:
	We've been testing with default_ccache_name set to DIR: and KEYRING:
	types, and it appears that ksu isn't able to read creds from them.
>How-To-Repeat:
	Add your test principal name to root's .k5login
	Set KRB5CCNAME to point to a DIR: ccache collection
	Use kinit to get credentials and store them in the collection
	Attempt to ksu - ksu will fail to read current creds and will go on to
	attempt to fetch new ones.
>Fix:
	The code uses stat() on the residual name in several places, but it's
	the failure of the check at ccache.c:80 that appears to cause it to
	ignore my ccache.  Skipping the stat() call, and always attempting to
	read the cache, seems to make ksu do the right thing, but I haven't
	really thought about any other implications.
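
Added illustration, not part of the original report and not ksu's own code: a stat() pre-check applied to the residual of any ccache name, next to a variant that applies the filesystem check only to FILE: names and passes every other type to the ccache layer. The function names (cc_split, naive_should_read, typed_should_read) and the sample cache names are hypothetical and constructed for this sketch.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Split "TYPE:residual". A bare path (no prefix) counts as FILE. */
static const char *cc_split(const char *name, char *type, size_t tlen)
{
    const char *colon = strchr(name, ':');
    if (colon == NULL || name[0] == '/') {
        snprintf(type, tlen, "FILE");
        return name;
    }
    snprintf(type, tlen, "%.*s", (int)(colon - name), name);
    return colon + 1;
}

/* Pre-check in the style the report describes: stat() the residual
 * without looking at the cache type. */
int naive_should_read(const char *name)
{
    char type[16];
    struct stat st;
    return stat(cc_split(name, type, sizeof(type)), &st) == 0;
}

/* Type-aware pre-check: only a FILE residual is a path to a regular
 * file; any other type is handed to the ccache layer unconditionally. */
int typed_should_read(const char *name)
{
    char type[16];
    struct stat st;
    const char *res = cc_split(name, type, sizeof(type));

    if (strcmp(type, "FILE") != 0)
        return 1;
    return stat(res, &st) == 0 && S_ISREG(st.st_mode);
}

int main(void)
{
    /* Constructed sample names, not taken from the report. */
    const char *names[] = { "KEYRING:persistent:1000",
                            "DIR:/nonexistent-constructed/ccdir",
                            "FILE:/nonexistent-constructed/krb5cc_0" };
    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++)
        printf("%-40s naive=%d typed=%d\n", names[i],
               naive_should_read(names[i]), typed_should_read(names[i]));
    return 0;
}
```

In both variants the stat() result is only a hint: the read that follows still has to handle a cache that is missing or has changed since the check.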


