This is the result of two bugs in LPRng.
1) Whatever mechanism LPRng uses to set the UID back to the real user
when the LPRng client executables are installed SUID does not impress
the Kerberos library code. It was looking for the credential cache for
user '0' instead of user '500'.
2) The sense of the test for 'enable_setuid+set' in 'configure' is
backwards. This also has the effect of making '--enable-setuid' the
default.
*** configure.orig Mon May 6 12:00:18 2002
--- configure Mon May 13 10:11:28 2002
***************
*** 3048,3056 ****
# Check whether --enable-setuid or --disable-setuid was given.
if test "${enable_setuid+set}" = set; then
enableval="$enable_setuid"
- PERMS=NORM_PERMS
- else
PERMS=SUID_ROOT_PERMS
fi;
echo "$as_me:$LINENO: result: $PERMS" >&5
--- 3048,3056 ----
# Check whether --enable-setuid or --disable-setuid was given.
if test "${enable_setuid+set}" = set; then
enableval="$enable_setuid"
PERMS=SUID_ROOT_PERMS
+ else
+ PERMS=NORM_PERMS
fi;
echo "$as_me:$LINENO: result: $PERMS" >&5
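Review bot: In the corrected `if` branch, `PERMS=SUID_ROOT_PERMS` is still assigned whenever `enable_setuid` is set at all; `enableval` is copied from it but never tested. Autoconf sets `enable_setuid=no` when `--disable-setuid` is given, so that option would still select `SUID_ROOT_PERMS`, which is the wrong direction for an install-permissions switch to fail. Suggest testing the value inside the set branch, for example `if test "$enableval" = yes; then PERMS=SUID_ROOT_PERMS; else PERMS=NORM_PERMS; fi`. This also edits the generated `configure` script (note the `$as_me:$LINENO` lines), so the same change needs to go into the autoconf input or it will be lost the next time `configure` is regenerated.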
Rick Cochran wrote:
>
> Moving right along, I decided to build LPRng 3.8.12 on the Red Hat 7.2
> box so that I could debug.
>
> I used './configure --enable-kerberos'.
>
> What I have now is worse than what I had before. Now I get:
>
> 2002-05-10-17:15:06.432 arctura [27510] lpr k-ccc1: client_krb5_auth:
> euid/egid 500/500, ruid/rguid 0/500, keytab '<NULL>', service 'lpr',
> host 'irene', sock 3, file '/tmp/temp00W8JQAa'
> 2002-05-10-17:15:06.432 arctura [27510] lpr k-ccc1: client_krb5_auth:
> using host='irene', server_principal '<NULL>'
> 2002-05-10-17:15:06.436 arctura [27510] lpr k-ccc1: client_krb5_auth:
> server '[EMAIL PROTECTED]'
> 2002-05-10-17:15:06.436 arctura [27510] lpr k-ccc1: setruid_wrapper:
> Before RUID/EUID 500/0, DaemonUID 2, UID_root 1
> 2002-05-10-17:15:06.436 arctura [27510] lpr k-ccc1: setruid_wrapper:
> After uid/euid 500/0
> 2002-05-10-17:15:06.436 arctura [27510] lpr k-ccc1: client_krb5_auth:
> freeing my_creds
> 2002-05-10-17:15:06.436 arctura [27510] lpr k-ccc1: client_krb5_auth:
> freeing rep_ret
> 2002-05-10-17:15:06.436 arctura [27510] lpr k-ccc1: client_krb5_auth:
> freeing err_ret
> 2002-05-10-17:15:06.436 arctura [27510] lpr k-ccc1: client_krb5_auth:
> freeing auth_context
> 2002-05-10-17:15:06.436 arctura [27510] lpr k-ccc1: client_krb5_auth:
> freeing context
> 2002-05-10-17:15:06.444 arctura [27510] lpr k-ccc1: client_krb5_auth:
> retval -1765328189, error 'on client krb5_cc_get_principal failed - No
> credentials cache file found'
> 2002-05-10-17:15:06.444 arctura [27510] lpr k-ccc1: Krb5_send:
> client_krb5_auth returned '-1765328189' - error 'on client
> krb5_cc_get_principal failed - No credentials cache file found'
> 2002-05-10-17:15:06.444 arctura [27510] lpr k-ccc1: Krb5_send: writing
> error to file 'on client krb5_cc_get_principal failed - No credentials
> cache file found'
>
> But:
>
> arctura> klist
> Ticket cache: FILE:/tmp/krb5cc_500
> Default principal: [EMAIL PROTECTED]
>
> Valid starting Expires Service principal
> 05/10/02 17:14:55 05/11/02 03:14:55
> [EMAIL PROTECTED]
>
> One giant step backwards.
--
|Rick Cochran phone: 607-255-7618|
|Cornell CIT - Systems & Operations - Net-Print FAX: 607-255-8521|
|730 Rhodes Hall, Ithaca, N.Y. 14853 email: [EMAIL PROTECTED]|