From owner-cvs-all  Sat May 11 16:10:52 2002
Delivered-To: cvs-all@freebsd.org
Received: from fw.wemm.org (12-232-135-171.client.attbi.com [12.232.135.171])
	by hub.freebsd.org (Postfix) with ESMTP
	id 0984037B406; Sat, 11 May 2002 16:10:34 -0700 (PDT)
Received: from overcee.wemm.org (overcee.wemm.org [10.0.0.3])
	by fw.wemm.org (8.11.6/8.11.6) with ESMTP id g4BNAX450304;
	Sat, 11 May 2002 16:10:33 -0700 (PDT)
	(envelope-from peter@wemm.org)
Received: from wemm.org (localhost [127.0.0.1])
	by overcee.wemm.org (Postfix) with ESMTP
	id BF4283808; Sat, 11 May 2002 16:10:27 -0700 (PDT)
	(envelope-from peter@wemm.org)
X-Mailer: exmh version 2.5 07/13/2001 with nmh-1.0.4
To: "Jacques A. Vidrine" <nectar@FreeBSD.org>
Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org, re@FreeBSD.org
Subject: Re: cvs commit: src/kerberos5/usr.bin/k5su Makefile 
In-Reply-To: <20020511225532.E99C13809@overcee.wemm.org> 
Date: Sat, 11 May 2002 16:10:27 -0700
From: Peter Wemm <peter@wemm.org>
Message-Id: <20020511231027.BF4283808@overcee.wemm.org>
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
List-ID: <cvs-all.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20cvs-all>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20cvs-all>
X-Loop: FreeBSD.ORG

Peter Wemm wrote:
> "Jacques A. Vidrine" wrote:
> > On Sat, May 11, 2002 at 01:28:37PM -0700, Peter Wemm wrote:
> > > Jacques Vidrine wrote:
> > > > nectar      2002/05/11 08:35:12 PDT
> > > > 
> > > >   Modified files:        (Branch: RELENG_4)
> > > >     kerberos5/usr.bin/k5su Makefile 
> > > >   Log:
> > > >   MFC 1.5: Do not install this with set-user-ID bit set.
> > > 
> > > This is going to be fun on the FreeBSD.org cluster.  Where is the
> > > override?
> > 
> > There isn't one.  Feel free to add one (default to no set-user-ID) if
> > you need it.
> 
> This is not acceptable.  You are breaking existing systems, for example,
> the *.freebsd.org cluster.
> 
> I have formally complained to re@ about this MFC.
> 
> If you are going to do this, do it right.  Put a #if 0 around the fallback
> code that looks up the plaintext passwords or something.  Do not screw up
> the whole tool.  Even more inexcusable is that you are clobbering a working
> /usr/bin/k5su with a non-working one.

Specifically, consider something like this instead:

--- /tmp/su.c   Sat May 11 16:05:07 2002
+++ su.c        Sat May 11 16:01:39 2002
@@ -156,7 +156,7 @@
                                  NULL);
     else
        ret = krb5_make_principal(context, &p, NULL, 
-                                 su_info->pw_name,
+                                 login_name,
                                  NULL);
     if(ret)
        return 1;
@@ -325,7 +325,7 @@
       (kerberos_error=krb5_verify(login_info, su_info, kerberos_instance)) == 0)
        ok++;
 
-    if(ok == 0 && login_info->pw_uid && verify_unix(su_info) != 0) {
+    if(ok == 0 && login_info->pw_uid /* && verify_unix(su_info) != 0 */) {
        printf("Sorry!\n");
        exit(1);
     }


This makes k5su purely use kerberos ACL's.  Use plain-su for everything
else.

peter@nwww[4:08pm]/w/src/crypto/heimdal/appl/su-106> k5su 
peter/root@FREEBSD.ORG's Password: 
k5su: Password incorrect
Sorry!
peter@nwww[4:08pm]/w/src/crypto/heimdal/appl/su-107> 


Cheers,
-Peter
--
Peter Wemm - peter@wemm.org; peter@FreeBSD.org; peter@yahoo-inc.com
"All of this is for nothing if we don't go to the stars" - JMS/B5


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message