[krbdev.mit.edu #8895] ksu broken on 1.18

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

[krbdev.mit.edu #8895] ksu broken on 1.18

Norm Green via RT

Sun Apr 05 23:42:38 2020: Request 8895 was acted upon.
 Transaction: Ticket created by [hidden email]
       Queue: krb5
     Subject: ksu broken on 1.18
       Owner: Nobody
  Requestors: [hidden email]
      Status: new
 Ticket <URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=8895 >


The change described thusly in the release notes:

        setuid programs will automatically ignore environment
        variables that normally affect krb5 API functions, even if the
        caller does not use krb5_init_secure_context().

breaks ksu when run in an ssh session (either interactively, or, e.g.,
by ansible).  ssh creates separate ccaches for each session and sets
KRB5CCNAME accordingly; ignoring the process environment causes ksu to
look at the nonexistent default ccache and conclude that the user
needs to enter a password to authenticate.

-GAWollman


_______________________________________________
krb5-bugs mailing list
[hidden email]
https://mailman.mit.edu/mailman/listinfo/krb5-bugs