Date: Wed, 9 May 2012 11:00:26 GMT
From: Ryan Steinmetz <zi@FreeBSD.org>
To: freebsd-ports-bugs@FreeBSD.org
Subject: Re: ports/167031: Heimdal ignore environment after process call setuid/setgid
Message-ID: <201205091100.q49B0QrA036488@freefall.freebsd.org>
The following reply was made to PR ports/167031; it has been noted by GNATS.

From: Ryan Steinmetz <zi@FreeBSD.org>
To: Ivan Chetyrkin <frice@inbox.ru>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: ports/167031: Heimdal ignore environment after process call setuid/setgid
Date: Wed, 9 May 2012 06:55:00 -0400

This is a security 'feature' that was introduced into Heimdal around v1.1. Various PRs exist proposing solutions, one of which is kern/161888. It may be worth trying to take Harry's patches and sending them to the Heimdal development team.

In my own environment, I elected to chroot OpenLDAP (via the -r flag to slapd) with various nullfs mounts. This allowed me to create a new /etc dir within the root and set up a custom krb5.conf that changed the location of the default keytab (within the root) to another location. This wasn't a problem as I had planned on chroot()ing the daemon anyway.

You will need to create the new directory hierarchy and use nullfs mounts to get the various required directories inside the new root. For me, this was: /lib, /usr/lib, /etc/gss, /var/run/openldap, /var/db/openldap-data, /usr/local/lib/sasl2, /usr/local/etc/openldap, /usr/local/libexec/openldap and /var/run/saslauthd.

The relevant items from the krb5.conf from within the new root are as follows:

    [libdefaults]
        default_keytab_name = FILE:/usr/local/etc/openldap/ldap.keytab

-r
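The chroot layout the reply describes, as an added example that is not part of the original message nor of the Heimdal or OpenLDAP projects: a POSIX shell script that creates the directory skeleton under a new root, writes the minimal krb5.conf with the relocated keytab, and prints fstab lines for the nullfs mounts. The mount list and keytab path are the ones the reply gives; the root path (the CHROOT variable), the helper names and the read-only option on the library directories are assumptions.

```shell
#!/bin/sh
# Added example: build a chroot skeleton for "slapd -r" from the nullfs layout
# in the PR reply. Everything except the mount list and the keytab path is assumed.
set -eu

# Directories the reply says must be visible inside the new root.
CHROOT_DIRS="/lib /usr/lib /etc/gss /var/run/openldap /var/db/openldap-data \
/usr/local/lib/sasl2 /usr/local/etc/openldap /usr/local/libexec/openldap \
/var/run/saslauthd"

# slapd never writes to library or binary trees, so mount those read-only
# (assumed hardening, not stated in the reply); the rest stay read-write.
mount_opts() {
    case "$1" in
        /lib|/usr/lib|/usr/local/lib/sasl2|/usr/local/libexec/openldap) echo "ro" ;;
        *) echo "rw" ;;
    esac
}

# build_chroot ROOT: create the skeleton and the krb5.conf inside ROOT.
build_chroot() {
    root="$1"
    for d in $CHROOT_DIRS; do
        mkdir -p "$root$d"
    done
    mkdir -p "$root/etc"
    # Per the PR, Heimdal ignores the environment once slapd has called
    # setuid/setgid, so the keytab location must come from /etc/krb5.conf
    # as seen from inside the root.
    cat > "$root/etc/krb5.conf" <<EOF
[libdefaults]
	default_keytab_name = FILE:/usr/local/etc/openldap/ldap.keytab
EOF
}

# fstab_lines ROOT: print one nullfs entry per directory, fstab(5) format.
fstab_lines() {
    root="$1"
    for d in $CHROOT_DIRS; do
        printf '%s\t%s\tnullfs\t%s\t0\t0\n' "$d" "$root$d" "$(mount_opts "$d")"
    done
}

# Usage (assumed root path): CHROOT=/var/chroot/slapd sh build-slapd-chroot.sh
if [ -n "${CHROOT:-}" ]; then
    build_chroot "$CHROOT"
    fstab_lines "$CHROOT"
fi
```

The printed lines can be appended to /etc/fstab and mounted with `mount -a`, after which slapd is started with `-r` pointing at the same root.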