Package: libpam-krb5
Tags: patch

If pam_krb5 is used with the search_k5login option, pam_krb5 checks the
ownership of the user's ~/.k5login. Unfortunately, if it deems
the .k5login ownership unsafe, it causes a segfault due to incorrectly
reporting the error. Attached is a patch to fix this, but I'm unsure if
it's the "correct" fix. Details below.

k5login_password_auth is what performs the check, in auth.c:259. It
sets *retval to errno, though, which is going to always be zero, since
we know that the previous call to fstat() succeeded. So, in
pamk5_password_auth in auth.c:595, retval gets set to zero, even though
success is set to PAM_AUTH_ERR. The error handling here seems to be
based almost entirely on retval, so this essentially gets determined as
a successful authentication. The *creds struct never got initialized to
anything, though, so pam_krb5 hands this off to the Kerberos library
full of zeroes. Something in the Kerberos library later just tries to
dereference something in the struct, and then a segfault occurs. I
could get a backtrace, but I didn't think it'd really matter.

At least, a segfault occurs when using pam_krb5.so in the 'auth'
section, and when using it for sudo. I haven't tested any other
configurations.

The patch sets *retval to PAM_AUTH_ERR and logs an error; no idea if
that's the right thing to do, but it gets rid of the bug for me.

-- 
Andrew Deason
[EMAIL PROTECTED]
--- libpam-krb5-3.11/auth.c	2008-09-18 21:10:11.000000000 -0500
+++ libpam-krb5-3.11.new/auth.c	2008-09-18 21:03:16.000000000 -0500
@@ -257,7 +257,8 @@
         goto fail;
     }
     if (st.st_uid != 0 && (st.st_uid != pwd->pw_uid)) {
-        *retval = errno;
+        pamk5_error(args, "unsafe .k5login ownership; owned by %d, should be %d", st.st_uid, pwd->pw_uid);
+        *retval = PAM_AUTH_ERR;
         goto fail;
     }
 
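Review bot: the `+` lines fix the status plumbing, but the new `pamk5_error` call passes `st.st_uid` and `pwd->pw_uid` (both `uid_t`, unsigned on Linux) to `%d`; cast them to `(unsigned long)` and use `%lu` so the format matches the type and large uids print correctly. Also worth confirming what the caller expects in `*retval`: the report says `pamk5_password_auth` drives its error handling almost entirely from `retval` while `success` separately carries `PAM_AUTH_ERR`, so if `*retval` is otherwise used for a Kerberos error code, a PAM constant here could be misread; whichever convention is chosen, the caller should also fail closed on `success` so an uninitialized `creds` is never handed to the Kerberos library. Finally, the added message line is well over 80 columns; wrap it to match the surrounding style.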

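As an added illustration (not libpam-krb5's own code) of the status plumbing the report describes: a stand-in for the ownership check with the stale-`errno` version beside the patched one, showing why the buggy path reports 0 after a successful `fstat()`. The names `check_k5login_buggy`, `check_k5login_fixed` and `demo_retval` are hypothetical, and the Kerberos credential handling of the real function is omitted.

```c
/* Added illustration, not from libpam-krb5: models only the status plumbing
 * of the .k5login ownership check; the real k5login_password_auth() also
 * drives Kerberos credentials, which are omitted here. */
#include <errno.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

#define PAM_AUTH_ERR 7   /* Linux-PAM value; other PAM flavours differ */

/* Buggy variant (the '-' line): fstat() succeeded just before, so errno
 * carries no error and *retval becomes 0 even though the check failed.
 * Returns -1 (failure) like the caller's "success" value in the report. */
int check_k5login_buggy(const struct stat *st, uid_t pw_uid, int *retval)
{
    errno = 0;                    /* what a successful fstat() leaves behind */
    if (st->st_uid != 0 && st->st_uid != pw_uid) {
        *retval = errno;          /* BUG: signals "no error" */
        return -1;
    }
    *retval = 0;
    return 0;
}

/* Fixed variant (the '+' lines, minus the log call). */
int check_k5login_fixed(const struct stat *st, uid_t pw_uid, int *retval)
{
    errno = 0;
    if (st->st_uid != 0 && st->st_uid != pw_uid) {
        *retval = PAM_AUTH_ERR;   /* explicit failure the caller can act on */
        return -1;
    }
    *retval = 0;
    return 0;
}

/* Constructed sample: build a struct stat owned by 'owner' and return what
 * *retval ends up as for user 'user'.  fixed=0 runs the buggy variant. */
int demo_retval(int fixed, uid_t owner, uid_t user)
{
    struct stat st;
    int retval = -1;
    int (*check)(const struct stat *, uid_t, int *) =
        fixed ? check_k5login_fixed : check_k5login_buggy;
    memset(&st, 0, sizeof st);
    st.st_uid = owner;
    check(&st, user, &retval);
    return retval;   /* unsafe owner: buggy gives 0, fixed gives PAM_AUTH_ERR */
}
```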