Date: Sat, 11 May 2002 16:10:27 -0700
From: Peter Wemm <peter@wemm.org>
To: "Jacques A. Vidrine" <nectar@FreeBSD.org>
Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org, re@FreeBSD.org
Subject: Re: cvs commit: src/kerberos5/usr.bin/k5su Makefile
Message-ID: <20020511231027.BF4283808@overcee.wemm.org>
In-Reply-To: <20020511225532.E99C13809@overcee.wemm.org>
Peter Wemm wrote:
> "Jacques A. Vidrine" wrote:
> > On Sat, May 11, 2002 at 01:28:37PM -0700, Peter Wemm wrote:
> > > Jacques Vidrine wrote:
> > > > nectar 2002/05/11 08:35:12 PDT
> > > >
> > > > Modified files: (Branch: RELENG_4)
> > > > kerberos5/usr.bin/k5su Makefile
> > > > Log:
> > > > MFC 1.5: Do not install this with set-user-ID bit set.
> > >
> > > This is going to be fun on the FreeBSD.org cluster. Where is the
> > > override?
> >
> > There isn't one. Feel free to add one (default to no set-user-ID) if
> > you need it.
>
> This is not acceptable. You are breaking existing systems, for example,
> the *.freebsd.org cluster.
>
> I have formally complained to re@ about this MFC.
>
> If you are going to do this, do it right. Put a #if 0 around the fallback
> code that looks up the plaintext passwords or something. Do not screw up
> the whole tool. Even more inexcusable is that you are clobbering a working
> /usr/bin/k5su with a non-working one.
Specifically, consider something like this instead:
--- /tmp/su.c Sat May 11 16:05:07 2002
+++ su.c Sat May 11 16:01:39 2002
@@ -156,7 +156,7 @@
NULL);
else
ret = krb5_make_principal(context, &p, NULL,
- su_info->pw_name,
+ login_name,
NULL);
if(ret)
return 1;
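Review bot: In the else branch of this hunk, login_name replaces su_info->pw_name, but the visible context does not show where login_name is set or that it is checked for NULL before it is passed to krb5_make_principal. Please confirm it is in scope and validated at this point, and add a short comment saying that the principal in this branch is now built from the invoking user's name (as the variable name suggests) rather than from the target account's name, since that changes which principal has to be authorized.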
@@ -325,7 +325,7 @@
(kerberos_error=krb5_verify(login_info, su_info, kerberos_instance)) == 0)
ok++;
- if(ok == 0 && login_info->pw_uid && verify_unix(su_info) != 0) {
+ if(ok == 0 && login_info->pw_uid /* && verify_unix(su_info) != 0 */) {
printf("Sorry!\n");
exit(1);
}
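Review bot: The changed condition keeps the verify_unix(su_info) call as a comment inside the if expression, which leaves dead code in an authentication check and makes the intent easy to misread. Delete the call outright or guard it with a build-time option (the thread is asking for an override), and state in a comment that a non-root caller (login_info->pw_uid != 0) with ok == 0 is now always rejected with no local password fallback. If this was the only caller of verify_unix, remove the function as well so it does not linger unused.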
This makes k5su purely use Kerberos ACLs. Use plain-su for everything
else.
peter@nwww[4:08pm]/w/src/crypto/heimdal/appl/su-106> k5su
peter/root@FREEBSD.ORG's Password:
k5su: Password incorrect
Sorry!
peter@nwww[4:08pm]/w/src/crypto/heimdal/appl/su-107>
Cheers,
-Peter
--
Peter Wemm - peter@wemm.org; peter@FreeBSD.org; peter@yahoo-inc.com
"All of this is for nothing if we don't go to the stars" - JMS/B5
