login.krb5

Grant, Martin Martin.Grant at fmr.com
Thu Oct 26 10:37:46 EDT 2006


ALL,

	I seem to be having a problem with login.krb5.  When a user has
a home directory that gives no permission to root on the local server
they are logging into (e.g. mounted or auto-mounted file system that was
exported without the -root option to the local server and said directory
does not have other permissions - 700), the user gets an error when they
log in that their home directory does not exist.  

Connected to testserver.fmrco.com.
Escape character is '^]'.
login: angryuser
Password for angryuser: 
No directory /home/angryuser!
Logging in with home = "/".
/ $ cd /home/angryuser
/home/angryuser $ ls -dal
drwx------   10 angryuser  users        4096 Oct 26 08:53 .

	However this error does not occur if the directory is 755, or if
the file system is NFS mounted with -root:

Connected to testserver.fmrco.com.
Escape character is '^]'.
login: angryuser
Password for angryuser: 
/home/angryuser $ ls -dal
drwxr-xr-x   10 angryuser  users        4096 Oct 26 08:53 .

	Looking at login.c I noticed the following lines (1450-1456):

    if (chdir(pwd->pw_dir) < 0) {
        printf("No directory %s!\n", pwd->pw_dir);
        if (chdir("/"))
            exit(0);
        pwd->pw_dir = "/";
        printf("Logging in with home = \"/\".\n");
    }

	are significantly before the user's setuid (1639-1661):

#ifdef  HAVE_SETLUID
        /*
         * If we're on a system which keeps track of login uids, then
         * set the login uid. If this fails this opens up a problem on
         * DEC OSF with C2 enabled.
         */
        if (setluid((uid_t) pwd->pw_uid) < 0) {
            perror("setuid");
            sleepexit(1);
        }
#endif  /* HAVE_SETLUID */
#ifdef _IBMR2
    if (setuidx(ID_LOGIN, pwd->pw_uid) < 0) {
        perror("setuidx");
        sleepexit(1);
    };
#endif

    /* This call MUST succeed */
    if (setuid((uid_t) pwd->pw_uid) < 0) {
        perror("setuid");
        sleepexit(1);
    }


	When I move the chdir down past setuid and recompile, my errors
above go away.  Is there a reason for the existing ordering (i.e. a good
reason why I shouldn't make this change to login.krb5 in my
environment)?

Thank You,
-Martin Grant
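
Added example, not part of the original message or of login.c: a sketch of the ordering described above, with the privilege drop placed before chdir() so the home directory is permission-checked with the user's credentials. The helper name enter_home_as_user and its return codes are assumptions, and it keeps only the primary group where a real login would call initgroups().

```c
/* Drop to the user's identity first, then enter the home directory, so
 * chdir() is permission-checked as the user rather than as local root. */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper, not from login.c. Returns 0 if the cwd is now
 * `home`, 1 if it fell back to "/", -1 on a fatal error (the caller
 * must not start a shell in that case). */
int enter_home_as_user(uid_t uid, gid_t gid, const char *home)
{
    int dropping = (geteuid() == 0 && uid != 0);

    /* Groups go first: once setuid() succeeds they can no longer be
     * changed. Assumption: only the primary group is kept here. */
    if (dropping && setgroups(1, &gid) < 0) {
        perror("setgroups");
        return -1;
    }
    if (setgid(gid) < 0) {
        perror("setgid");
        return -1;
    }
    /* This call MUST succeed, as the comment in login.c says. */
    if (setuid(uid) < 0) {
        perror("setuid");
        return -1;
    }
    /* Confirm the drop is permanent before touching the user's paths. */
    if (uid != 0 && setuid(0) == 0) {
        fprintf(stderr, "privileges were not dropped\n");
        return -1;
    }
    /* Same fallback as login.c, now evaluated as the user. Printing
     * errno separates EACCES from a directory that is really missing. */
    if (chdir(home) < 0) {
        printf("No directory %s! (%s)\n", home, strerror(errno));
        if (chdir("/") < 0)
            return -1;
        printf("Logging in with home = \"/\".\n");
        return 1;
    }
    return 0;
}
```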





