[krbdev.mit.edu #7983] git commit
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Wed Aug 6 12:09:43 EDT 2014
In ksu, without the -e flag, also check .k5users
When ksu was explicitly told to spawn a shell, a line in .k5users which
listed "*" as the allowed command would cause the principal named on the
line to be considered as a candidate for authentication.
When ksu was not passed a command to run, which implicitly meant that
the invoking user wanted to run the target user's login shell, knowledge
that the principal was a valid candidate was ignored, which could cause
a less optimal choice of the default target principal.
This doesn't impact the authorization checks which we perform later.
https://github.com/krb5/krb5/commit/3a32e1e6e644c6092f48cf6b6f2d0b8635b3dd52
Author: Nalin Dahyabhai <nalin at redhat.com>
Committer: Greg Hudson <ghudson at mit.edu>
Commit: 3a32e1e6e644c6092f48cf6b6f2d0b8635b3dd52
Branch: master
src/clients/ksu/heuristic.c | 19 ++++++-------------
1 files changed, 6 insertions(+), 13 deletions(-)
More information about the krb5-bugs
mailing list