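--- a/api-auth.c
+++ b/api-auth.c
@@ -542,6 +542,37 @@ pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
     if (reinit) {
         const char *name, *k5name;
 
+        /*
+         * Solaris su calls pam_setcred as root with PAM_REINITIALIZE_CREDS,
+         * preserving the user-supplied environment.  An xlock program may
+         * also do this if it's setuid root and doesn't drop credentials
+         * before calling pam_setcred.
+         *
+         * There isn't any safe way of reinitializing the exiting ticket cache
+         * for the user if we're setuid without calling setreuid().  Calling
+         * setreuid() is possible, but if the calling application is threaded,
+         * it will change credentials for the whole application, with possibly
+         * bizarre and unintended (and insecure) results.  Trying to verify
+         * ownership of the existing ticket cache before using it fails under
+         * various race conditions (for example, having one of the elements of
+         * the path be a symlink and changing the target of that symlink
+         * between our check and the call to krb5_cc_resolve.  Without calling
+         * setreuid(), we run the risk of replacing a file owned by another
+         * user with a credential cache.
+         *
+         * We could fail with an error in the setuid case, which would be
+         * maximally safe, but it would prevent use of the module for
+         * authentication with programs such as Solaris su.  Failure to
+         * reinitialize the cache is normally not a serious problem, just a
+         * missing feature.  We therefore log an error and exit with
+         * PAM_SUCCESS for the setuid case.
+         */
+        if (getuid() != geteuid() || getgid() != getegid()) {
+            pamk5_error(args, "credential reinitialization in a setuid"
+                        " context ignored");
+            pamret = PAM_SUCCESS;
+            goto done;
+        }
         name = get_krb5ccname(args, "KRB5CCNAME");
         if (name == NULL)
             name = krb5_cc_default_name(ctx->context);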
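Review bot: The guard `if (getuid() != geteuid() || getgid() != getegid())` only recognises a setuid or setgid caller while its real and effective IDs still differ; a privileged program that has already made them equal before calling pam_setcred would pass the test and continue to `get_krb5ccname(args, "KRB5CCNAME")` with whatever environment it inherited. Whether any caller of this module behaves that way is not visible here, so treat this as a hardening gap rather than a confirmed bypass. The same expression is repeated in context.c and options.c; a single helper declared in internal.h (for example `int pamk5_setuid_context(void);`, the name is only a suggestion) would let the detection be strengthened in one place, using `issetugid()` on platforms that provide it and falling back to the ID comparison elsewhere. The body of pam_sm_setcred starts and ends outside this hunk.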
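--- a/context.c
+++ b/context.c
@@ -22,6 +22,7 @@
 #endif
 #include <stdlib.h>
 #include <string.h>
+#include <unistd.h>
 
 #include "internal.h"
 
@@ -31,6 +32,11 @@
 # define PAM_INCOMPLETE PAM_SERVICE_ERR
 #endif
 
+/* Heimdal doesn't need krb5_init_secure_context. */
+#if HAVE_KRB5_HEIMDAL
+# define krb5_init_secure_context(c) krb5_init_context(c)
+#endif
+
 /*
  * Create a new context and populate it with the user from PAM and a new
  * Kerberos context.  Set the default realm if one was configured.
@@ -63,7 +69,10 @@ pamk5_context_new(struct pam_args *args)
         goto done;
     }
     ctx->name = strdup(name);
-    retval = krb5_init_context(&ctx->context);
+    if (getuid() != geteuid() || getgid() != getegid())
+        retval = krb5_init_secure_context(&ctx->context);
+    else
+        retval = krb5_init_context(&ctx->context);
     if (retval != 0) {
         pamk5_error_krb5(args, "krb5_init_context", retval);
         retval = PAM_SERVICE_ERR;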
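Review bot: When the setuid branch is taken and `krb5_init_secure_context` fails, the error path just below still logs the call as "krb5_init_context", so the log cannot show which initializer was used when a failure in a privileged caller is being triaged. Consider selecting the label together with the call, e.g. `const char *initfn = "krb5_init_context";`, set to `"krb5_init_secure_context"` in the setuid branch, then `pamk5_error_krb5(args, initfn, retval);`. Separately, the Heimdal fallback `# define krb5_init_secure_context(c) krb5_init_context(c)` is duplicated verbatim in options.c; defining it once in internal.h would keep the two files from drifting apart. pamk5_context_new starts and ends outside this hunk.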
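--- a/options.c
+++ b/options.c
@@ -16,9 +16,15 @@
 #include <krb5.h>
 #include <stdlib.h>
 #include <string.h>
+#include <unistd.h>
 
 #include "internal.h"
 
+/* Heimdal doesn't need krb5_init_secure_context. */
+#if HAVE_KRB5_HEIMDAL
+# define krb5_init_secure_context(c) krb5_init_context(c)
+#endif
+
 /*
  * Not all platforms have this, so just implement it ourselves.  Copy a
  * certain number of characters of a string into a newly allocated
@@ -275,7 +281,10 @@ pamk5_args_parse(pam_handle_t *pamh, int flags, int argc, const char **argv)
      * proceed; we'll die soon enough later and this way we'll die after we
      * know whether to debug things.
      */
-    retval = krb5_init_context(&c);
+    if (getuid() != geteuid() || getgid() != getegid())
+        retval = krb5_init_secure_context(&c);
+    else
+        retval = krb5_init_context(&c);
     if (retval != 0)
         c = NULL;
     if (c != NULL) {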
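Review bot: The new `if (getuid() != geteuid() || getgid() != getegid())` branch in pamk5_args_parse carries no comment saying why a different initializer is chosen; the block comment above it only explains the failure case. A one-line comment such as `/* In a setuid or setgid caller, do not let environment variables select the Kerberos configuration. */` would record the intent, and the same applies to the matching branch in context.c. It would also help to extend `/* Heimdal doesn't need krb5_init_secure_context. */` to say why (presumably the library performs its own setuid check, which should be confirmed for the supported Heimdal versions), because under that macro the setuid branch falls through to the ordinary initializer. The function body starts and ends outside this hunk.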
