Bad chown() in pam_krb5 module
kelbler at vumscomp.cz
Fri Nov 22 11:38:41 EST 2002
Hi guys from "pam_krb5" team at "sourceforge.net" or whoever !
I built and tested "pam_krb5" module on Solaris 8 together with installed
MIT Kerberos 5-1.2.6.
PAM telnetd worked well but PAM sshd (OpenSSH 3.4p1) not.
In /var/adm/messages log I found:
sunblade sshd: [ID 800047 auth.crit] fatal:
PAM setcred failed: Error in underlying service module
So I decided to debug and obtained:
sunblade sshd: [ID 843472 auth.debug] pam_krb5:
pam_sm_setcred(sshd user1005): chown(): Not owner
It seems to me:
pam_krb5 successfuly obtains for the user1005 tickets (TGT and
host/sunblade...>). I know it from KDC log.
It creates the CCache. Then it changes ownership to euid of target user1005.
And then it try to do "chown" of CCache file to permitions applicable for
This chown() gives this error. It cannot to change.
I don't know why.
I included in source program "pam_krb5_auth.c" before the call of chown()
4 tests for
UID, GID, EUID and EGID and printed them to syslog.
I tested 3 cases under PAM:
1) telnetd (it was OK)
2) sshd with option "UsePrivilegeSeparation=no" (It was bad)
3) sshd with option "UsePrivilegeSeparation=yes", where sshd used account
"sshd" (it was OK)
Here are results:
1) Telnet, UID=0, GID=10, EUID=1005, EGID=10
2) sshd (no separation), UID=0, GID=1, EUID=1005, EGID=1
3) sshd (with separation), UID=1005, GID=10, EUID=1005, EGID=10
UID=0 ... It is user root.
GID=10 ... It is group staff.
UID=1005 ... It is connecting user.
GID=1 ... It is group other.
pam_krb5 creates CCache in /etc/krb5cc_1005 (here). It creates it with EUID.
In the bad case (2 - sshd without separation) the created file
-rw --- --- user1005 other(group)
Then pam_krb5 changes by "chown()" ownership and group of that file to
user=1005 and group=10.
This chown() hands back error.
I think that by means of this present setup: EUID=1005 and EGID=1(other)
there is not possible change
this file to owner=1005 and group=10(staff).
I do not know why!
Do you know answer? It is a fault or what.
More information about the Kerberos