From owner-freebsd-ports-bugs@FreeBSD.ORG Wed May 9 11:00:29 2012
Date: Wed, 9 May 2012 11:00:26 GMT
Message-Id: <201205091100.q49B0QrA036488@freefall.freebsd.org>
To: freebsd-ports-bugs@FreeBSD.org
From: Ryan Steinmetz
Subject: Re: ports/167031: Heimdal ignore environment after process call setuid/setgid
List-Id: Ports bug reports

The following reply was made to PR ports/167031; it has been noted by GNATS.

From: Ryan Steinmetz
To: Ivan Chetyrkin
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: ports/167031: Heimdal ignore environment after process call setuid/setgid
Date: Wed, 9 May 2012 06:55:00 -0400

This is a security 'feature' that was introduced into Heimdal around v1.1. Various PRs exist proposing solutions, one of which is kern/161888. It may be worth trying to take Harry's patches and sending them to the Heimdal development team.

In my own environment, I elected to chroot OpenLDAP (via the -r flag to slapd) with various nullfs mounts.
This allowed me to create a new /etc dir within the root and set up a custom krb5.conf that changed the location of the default keytab (within the root) to another location. This wasn't a problem as I had planned on chroot()ing the daemon anyway.

You will need to create the new directory hierarchy and use nullfs mounts to get the various required directories inside the new root. For me, this was: /lib, /usr/lib, /etc/gss, /var/run/openldap, /var/db/openldap-data, /usr/local/lib/sasl2, /usr/local/etc/openldap, /usr/local/libexec/openldap and /var/run/saslauthd.

The relevant items from the krb5.conf from within the new root are as follows:

[libdefaults]
        default_keytab_name = FILE:/usr/local/etc/openldap/ldap.keytab

-r
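As an added illustration of the chroot layout described in the reply above (example code, not part of the PR or of Ryan's message): a POSIX sh script that prints the mkdir/nullfs mount plan for the directories listed in the reply and the krb5.conf for the new /etc, and applies it only when asked. The root path /var/chroot/openldap and the read-only/read-write split between mounts are assumptions made here.

```sh
#!/bin/sh
# Added example, not from the PR. Builds the nullfs chroot layout the reply
# describes for "slapd -r". Prints the plan by default; pass --apply to run it.
# Assumption: the new root lives at /var/chroot/openldap.
CHROOT="${CHROOT:-/var/chroot/openldap}"

# Directories the reply lists as needed inside the new root.
NULLFS_DIRS="/lib /usr/lib /etc/gss /var/run/openldap /var/db/openldap-data
/usr/local/lib/sasl2 /usr/local/etc/openldap /usr/local/libexec/openldap
/var/run/saslauthd"

# Keytab location inside the root, as in the reply's krb5.conf.
KEYTAB="/usr/local/etc/openldap/ldap.keytab"

# Print one mkdir and one nullfs mount per directory. Assumption added here:
# runtime state under /var/run and /var/db is mounted read-write, everything
# else (libraries, config) read-only so the daemon cannot modify it.
nullfs_mount_cmds() {
    root="$1"
    for d in $NULLFS_DIRS; do
        case "$d" in
            /var/run/*|/var/db/*) opt="rw" ;;
            *)                    opt="ro" ;;
        esac
        printf 'mkdir -p %s%s\n' "$root" "$d"
        printf 'mount -t nullfs -o %s %s %s%s\n' "$opt" "$d" "$root" "$d"
    done
}

# The krb5.conf written to $root/etc/krb5.conf. Heimdal ignores the
# environment once slapd has done setuid/setgid, so the keytab path has to
# come from this file rather than from a variable.
krb5_conf() {
    printf '[libdefaults]\n\tdefault_keytab_name = FILE:%s\n' "$1"
}

# Number of mounts in the plan (one per listed directory).
mount_count() {
    nullfs_mount_cmds "$1" | grep -c '^mount '
}

if [ "${1:-}" = "--apply" ]; then
    nullfs_mount_cmds "$CHROOT" | sh -e
    mkdir -p "$CHROOT/etc" && krb5_conf "$KEYTAB" > "$CHROOT/etc/krb5.conf"
    echo "now start the daemon with: slapd -r $CHROOT"
else
    nullfs_mount_cmds "$CHROOT"
    krb5_conf "$KEYTAB"
fi
```

Review the printed plan first; the mounts are only performed with --apply, as root, on a FreeBSD host.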