MITKRB-SA-2006-001: multiple local privilege escalation vulnerabilities

Tom Yu tlyu at MIT.EDU
Mon Aug 14 15:04:34 EDT 2006


>>>>> "Sachin" == Sachin Punadikar <punadikar.sachin at gmail.com> writes:

Sachin> Hi Tom,
Sachin> I implemented the changes suggested by you for "MIT krb5 Security Advisory
Sachin> 2006-001" in the ksu utility. I am always observing the message below when I
Sachin> exit from the ksu shell. I tested it on AIX and Linux. The behavior is the same.
Sachin> ------------------------------------------
Sachin> # ksu tester
Sachin> Changing uid to tester (333)
Sachin> # exit
Sachin> exit
Sachin> ksu: Operation not permitted while returning to source uid for destroying
Sachin> ccache
Sachin> -------------------------------------------

Sachin> Code study shows that this is the new message being added for the security
Sachin> advisory 2006-001. Further, I found out that from the sweep_up function
Sachin> krb5_seteuid(0) always fails, and that's why I am getting this message. As a
Sachin> side effect it leaves around the cred cache file, and exits without destroying
Sachin> it.

Sachin> --- src/clients/ksu/main.c-----
Sachin>    if (krb5_seteuid(0) < 0 || krb5_seteuid(target_uid) < 0) {
Sachin>       com_err(prog_name, errno,
Sachin>               "while returning to source uid for destroying ccache");
Sachin>       exit(1);
Sachin>    }
Sachin> ------------------------------------------

Sachin> Is this an expected behavior? Could you please provide inputs regarding why
Sachin> we are calling krb5_seteuid(0)? Is it supposed to succeed at any point in
Sachin> time? If not, is it a good idea to remove this call?

This sounds like a bug in the patch.  Try moving the krb5_seteuid(0)
call to before the if-statement (so its return value gets
ignored... this is safe for seteuid(0) but not for seteuid(not_zero)).
I think the krb5_seteuid(0) call is to change back to UID 0 if that is
required (on some systems) for changing back to the original target
UID.

---Tom
