Date: Tue, 17 Apr 2012 16:04:00 GMT
From: Ivan Chetyrkin <frice@inbox.ru>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ports/167031: Heimdal ignore environment after process call setuid/setgid
Message-ID: <201204171604.q3HG40Wo075011@red.freebsd.org>
Resent-Message-ID: <201204171610.q3HGA2sK008758@freefall.freebsd.org>
>Number: 167031
>Category: ports
>Synopsis: Heimdal ignore environment after process call setuid/setgid
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Apr 17 16:10:01 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator: Ivan Chetyrkin
>Release: FreeBSD-9
>Organization:
>Environment:
FreeBSD v64.devel.local 9.0-STABLE FreeBSD 9.0-STABLE #0: Tue Mar 13 16:45:29 YEKT 2012 frice@frice.devel.local:/usr/obj/usr/src/sys/FRICE amd64
>Description:
In port security/heimdal I found a bug. The environment is fully ignored after a process calls setuid/setgid, because the issetugid() function is implemented differently on FreeBSD and Solaris. On Solaris this call indicates that the effective uid/gid of the caller is different from the real uid/gid (for a setuid'ed binary, as an example); on FreeBSD it indicates that the uid/gid has changed. On Linux, which doesn't have that call, Heimdal checks for a difference between the real and effective uid/gid.
>How-To-Repeat:
1. Export a Kerberos keytab for some service (ktutil --keytab=/usr/local/etc/openldap/slapd.keytab get -p root ldap/dc).
2. Set KRB5_KTNAME to the keytab from the line above (setenv KRB5_KTNAME /usr/local/etc/openldap/slapd.keytab).
3. Run a daemon with Kerberos support that changes its uid/gid after running (I tried an OpenLDAP server compiled with SASL and Heimdal support: slapd -u ldap -g ldap).
4. Get a Kerberos ticket (kinit).
5. Try to access the running daemon (ldapsearch -Y EXTERNAL, for the OpenLDAP example).
6. Got an authentication error instead of the expected result.
>Fix:
--- lib/roken/issuid.c.orig 2012-04-17 21:50:58.599440467 +0600 +++ lib/roken/issuid.c 2012-04-17 21:51:14.623440235 +0600 
@@ -38,7 +38,7 @@ ROKEN_LIB_FUNCTION int ROKEN_LIB_CALL issuid(void) { -#if defined(HAVE_ISSETUGID) +#if defined(HAVE_ISSETUGID) && !defined(__FreeBSD__) return issetugid(); #else /* !HAVE_ISSETUGID */ >Release-Note: >Audit-Trail: >Unformatted:
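Review bot: the `!defined(__FreeBSD__)` guard added to the `#if` line turns off issetugid() for every FreeBSD caller of issuid(), not only for daemons that drop privileges the way slapd -u ldap does. FreeBSD's issetugid() also stays true for a process that was executed set-id and has since reset its ids, and a real-versus-effective comparison (what the description says the fallback does; the `#else` body is outside this hunk) returns 0 for such a process, so environment settings like KRB5_KTNAME would be honoured in a program that may still hold privileged state. Consider a narrower fix than changing the library-wide check, for example at the call sites that consult the environment. If the guard stays, add a comment above it explaining why FreeBSD is excluded, and update `#else /* !HAVE_ISSETUGID */`, which no longer describes the condition.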
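A simplified model of the two checks the report contrasts, added here as an illustration (not code from Heimdal, FreeBSD or the report): FreeBSD's issetugid() treated as a sticky "tainted" flag, next to a real-versus-effective uid comparison. The struct, the function names and the uids are constructed, and only uids are modelled.

```c
#include <stdio.h>
/* Simplified, uid-only model of a process's credentials (constructed). */
struct proc {
    unsigned ruid, euid, svuid;
    int tainted;   /* what FreeBSD's issetugid() reports */
};

/* execve(): flag is recomputed; set only if a set-uid bit changes the euid. */
static struct proc model_exec(unsigned caller, int setuid_bit, unsigned owner)
{
    struct proc p = { caller, caller, caller, 0 };
    if (setuid_bit && owner != caller) {
        p.euid = p.svuid = owner;
        p.tainted = 1;
    }
    return p;
}

/* setuid(): allowed for euid 0 or for the real/effective uid; sets all
 * three ids and taints the process when an id actually changes. */
static int model_setuid(struct proc *p, unsigned uid)
{
    if (p->euid != 0 && uid != p->ruid && uid != p->euid)
        return -1;
    if (p->ruid != uid || p->euid != uid || p->svuid != uid)
        p->tainted = 1;
    p->ruid = p->euid = p->svuid = uid;
    return 0;
}

static int check_issetugid(const struct proc *p) { return p->tainted; }
static int check_compare(const struct proc *p)   { return p->ruid != p->euid; }

/* Constructed uids: 0 = root, 389 = service account, 1001 = ordinary user. */
static struct proc daemon_dropped(void)       /* the report's slapd -u ldap case */
{ struct proc p = model_exec(0, 0, 0); model_setuid(&p, 389); return p; }
static struct proc setuid_root(void)          /* set-uid-root binary run by a user */
{ return model_exec(1001, 1, 0); }
static struct proc setuid_root_dropped(void)  /* same, after setuid(getuid()) */
{ struct proc p = setuid_root(); model_setuid(&p, 1001); return p; }

int main(void)
{
    struct proc c[3] = { daemon_dropped(), setuid_root(), setuid_root_dropped() };
    const char *n[3] = { "daemon, dropped", "set-uid", "set-uid, dropped" };
    for (int i = 0; i < 3; i++)
        printf("%-17s issetugid=%d compare=%d\n", n[i], check_issetugid(&c[i]), check_compare(&c[i]));
    return 0;
}
```

The first case is the one in the report: the flag is set although the daemon was never set-id. The third case is the one where the two checks disagree in the other direction, which is what a library-wide switch to the comparison changes.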