Bad chown() in pam_krb5 module

Josef Kelbler kelbler at vumscomp.cz
Mon Nov 25 08:52:06 EST 2002


> > I tested 3 cases under PAM:
> > 1) telnetd (it was OK)
> > 2) sshd with option "UsePrivilegeSeparation=no" (It was bad)
> > 3) sshd with option "UsePrivilegeSeparation=yes", where sshd used account
> > "sshd" (it was OK)
>
> > 2) sshd (no separation),  UID=0, GID=1, EUID=1005, EGID=1
> > 3) sshd (with separation), UID=1005, GID=10, EUID=1005, EGID=10
>
> > UID=0 ... It is user root.
> > GID=10 ... It is group staff.
> > UID=1005 ... It is connecting user.
> > GID=1 ... It is group other.
>
> > pam_krb5 creates CCache in /etc/krb5cc_1005 (here). It creates it with EUID.
> > In the bad case (2 - sshd without separation) the created file
> > /etc/krb5cc_1005 had:
> > -rw --- ---   user1005   other(group)
>
> If I understand all of this, it appears that the file is created with the
> correct permissions initially; sshd is running as the user; but when
> privilege separation is turned off, the primary effective GID is 1 instead of
> 10, and 10 is also not in the supplementary groups list of the process
> (see getgroups(2)), so the sshd process is not allowed to change the
> file's GID from 1 to 10.

You understand perfectly.
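
Added example, not part of the original messages and not pam_krb5 code: a C model of the rule described in the quoted explanation, that an unprivileged file owner may change the file's group only to its effective GID or one of its supplementary groups. The function names and the constructed supplementary group list are assumptions for illustration, and EUID 0 is treated as privileged.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* POSIX rule for an unprivileged chown(path, -1, target): the caller must own
 * the file, and target must be its effective GID or a supplementary group.
 * EUID 0 is treated as privileged (simplification: ignores capabilities). */
bool chgrp_allowed(uid_t euid, uid_t file_owner, gid_t egid,
                   const gid_t *groups, int ngroups, gid_t target)
{
    if (euid == 0)
        return true;
    if (euid != file_owner)
        return false;
    if (target == egid)
        return true;
    for (int i = 0; i < ngroups; i++)
        if (groups[i] == target)
            return true;
    return false;
}

/* Same check against the live credentials of the calling process. */
bool process_can_chgrp(uid_t file_owner, gid_t target)
{
    int n = getgroups(0, NULL);
    if (n < 0)
        return false;
    gid_t *groups = calloc(n > 0 ? (size_t)n : 1, sizeof *groups);
    if (groups == NULL)
        return false;
    n = getgroups(n, groups);
    bool ok = n >= 0 && chgrp_allowed(geteuid(), file_owner, getegid(),
                                      groups, n, target);
    free(groups);
    return ok;
}

int main(void)
{
    /* Constructed credentials mirroring the thread's cases 2 and 3. */
    gid_t no_staff[] = { 1 };   /* assumed: supplementary list without gid 10 */
    printf("case 2 (EGID=1):  %d\n", chgrp_allowed(1005, 1005, 1, no_staff, 1, 10));
    printf("case 3 (EGID=10): %d\n", chgrp_allowed(1005, 1005, 10, no_staff, 1, 10));
    printf("this process -> own egid: %d\n", process_can_chgrp(geteuid(), getegid()));
    return 0;
}
```

A module that creates a credential cache this way should check the return value of chown() or fchown() and treat a failure as an error instead of leaving the file with an unintended group.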