Message-Id: <201204171604.q3HG40Wo075011@red.freebsd.org>
Date: Tue, 17 Apr 2012 16:04:00 GMT
From: Ivan Chetyrkin
To: freebsd-gnats-submit@FreeBSD.org
Subject: ports/167031: Heimdal ignore environment after process call setuid/setgid
X-Send-Pr-Version: www-3.1

>Number: 167031
>Category: ports
>Synopsis: Heimdal ignore environment after process call setuid/setgid
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Apr 17 16:10:01 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator: Ivan Chetyrkin
>Release: FreeBSD-9
>Organization:
>Environment:
FreeBSD v64.devel.local 9.0-STABLE FreeBSD 9.0-STABLE #0: Tue Mar 13 16:45:29 YEKT 2012 frice@frice.devel.local:/usr/obj/usr/src/sys/FRICE amd64
>Description:
In port security/heimdal I found a bug. The environment is fully ignored after the process calls setuid/setgid, because of the different implementations of the issetugid() function on FreeBSD and Solaris. On Solaris this call indicates that the effective uid/gid of the caller is different from the real uid/gid (for a setuid'ed binary, as an example); on FreeBSD it indicates that the uid/gid has changed. On Linux, which doesn't have that call, Heimdal checks for a difference between the real and effective uid/gid.
>How-To-Repeat:
1. Export a Kerberos keytab for some service (ktutil --keytab=/usr/local/etc/openldap/slapd.keytab get -p root ldap/dc).
2. Set KRB5_KTNAME to the keytab from the line above (setenv KRB5_KTNAME /usr/local/etc/openldap/slapd.keytab).
3. Run a daemon with Kerberos support that changes uid/gid after starting (I tried the OpenLDAP server, compiled with SASL and Heimdal support: slapd -u ldap -g ldap).
4. Get a Kerberos ticket (kinit).
5. Try to access the running daemon (ldapsearch -Y EXTERNAL, for the OpenLDAP example).
6.
Got authentication error instead of expected result. >Fix: --- lib/roken/issuid.c.orig 2012-04-17 21:50:58.599440467 +0600 +++ lib/roken/issuid.c 2012-04-17 21:51:14.623440235 +0600 @@ -38,7 +38,7 @@ ROKEN_LIB_FUNCTION int ROKEN_LIB_CALL issuid(void) { -#if defined(HAVE_ISSETUGID) +#if defined(HAVE_ISSETUGID) && !defined(__FreeBSD__) return issetugid(); #else /* !HAVE_ISSETUGID */ >Release-Note: >Audit-Trail: >Unformatted:
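Review bot: At the `#if defined(HAVE_ISSETUGID) && !defined(__FreeBSD__)` line, excluding FreeBSD outright sends it to the `#else` branch, which this hunk does not show; if that branch is the real-versus-effective comparison the description mentions, a set-id program that has already reset its ids to the real ones will be reported as not set-id and will read KRB5_KTNAME and the rest of the environment again. The guard also carries no comment saying why FreeBSD is special-cased. Consider stating the reason in a comment next to the `#if`, and confirming that the fallback is acceptable for set-id programs that link this library, not only for daemons started by root such as the slapd case in the report.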
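The difference the report describes, modelled in C as an added example (not code from Heimdal or from the report). A constructed credential record stands in for the process, uids 389 and 1001 are made-up values, group ids are left out, and the taint rule follows the FreeBSD issetugid(2) manual page.

```c
/* Constructed model of the two checks in the report; no real ids change. */
#include <stdbool.h>
#include <stdio.h>
struct cred {
    unsigned ruid, euid, svuid; /* real, effective, saved uid */
    bool tainted;               /* once set, stays set until the next exec */
};

/* execve(): a set-uid file owned by another user grants that user's euid. */
static struct cred sim_exec(unsigned caller, bool setuid_bit, unsigned owner)
{
    struct cred c = { caller, caller, caller, false };
    if (setuid_bit && owner != caller) {
        c.euid = c.svuid = owner;
        c.tainted = true;
    }
    return c;
}

/* setuid(): assumed permitted; sets all three ids, and any change taints. */
static void sim_setuid(struct cred *c, unsigned uid)
{
    if (c->ruid != uid || c->euid != uid || c->svuid != uid)
        c->tainted = true;
    c->ruid = c->euid = c->svuid = uid;
}

/* FreeBSD issetugid(): exec'd set-id, or any id changed since exec. */
static int check_taint(const struct cred *c) { return c->tainted; }
/* Real-versus-effective comparison, the check the report contrasts it with. */
static int check_idcmp(const struct cred *c) { return c->ruid != c->euid; }

/* Returns the taint result in bit 1 and the comparison result in bit 0. */
static int run_case(unsigned caller, bool suid, unsigned owner, int drop_to)
{
    struct cred c = sim_exec(caller, suid, owner);
    if (drop_to >= 0)
        sim_setuid(&c, (unsigned)drop_to);
    return (check_taint(&c) << 1) | check_idcmp(&c);
}

int main(void)
{
    printf("daemon, root -> uid 389:    %d\n", run_case(0, false, 0, 389));
    printf("set-uid root, run by 1001:  %d\n", run_case(1001, true, 0, -1));
    printf("same, after setuid(1001):   %d\n", run_case(1001, true, 0, 1001));
    printf("ordinary program, uid 1001: %d\n", run_case(1001, false, 0, -1));
    return 0;
}
```

The first row is the slapd case from the report: tainted, yet real and effective ids match. The third row is a set-uid program that has dropped its privileges, which the comparison reports as 0 as well.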