[krbdev.mit.edu #8566] krb5_init_context() should detect set-uid-ness

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

[krbdev.mit.edu #8566] krb5_init_context() should detect set-uid-ness

Greg Hudson via RT

The krb5_init_secure_context() approach does not work for GSS
applications.

An application might use GSS unwittingly (via SASL, via LDAP, via
nss_ldap, via the name service switch).

It would be better to have krb5_init_context() automatically detect
set-uid context and function like krb5_init_secure_context() when in
set-uid context.

Heimdal has a portable set-uid detection facility that you could copy:

https://github.com/heimdal/heimdal/blob/master/lib/roken/issuid.c

It's not always possible to determine if the application is set-uid.

In some cases it's not.

Solaris/Illumos and OpenBSD have the only fail-safe method: the
issetugid(2) system call.  FreeBSD and NetBSD have a system call with
the same name that unfortunately doesn't quite work correctly but which
will do.  Recent Linux kernels supply ELF aux vector entries that
include the necessary information.

_______________________________________________
krb5-bugs mailing list
[hidden email]
https://mailman.mit.edu/mailman/listinfo/krb5-bugs