From owner-cvs-all Sat May 11 16:10:52 2002
Delivered-To: cvs-all@freebsd.org
Received: from fw.wemm.org (12-232-135-171.client.attbi.com [12.232.135.171]) by hub.freebsd.org (Postfix) with ESMTP id 0984037B406; Sat, 11 May 2002 16:10:34 -0700 (PDT)
Received: from overcee.wemm.org (overcee.wemm.org [10.0.0.3]) by fw.wemm.org (8.11.6/8.11.6) with ESMTP id g4BNAX450304; Sat, 11 May 2002 16:10:33 -0700 (PDT) (envelope-from peter@wemm.org)
Received: from wemm.org (localhost [127.0.0.1]) by overcee.wemm.org (Postfix) with ESMTP id BF4283808; Sat, 11 May 2002 16:10:27 -0700 (PDT) (envelope-from peter@wemm.org)
X-Mailer: exmh version 2.5 07/13/2001 with nmh-1.0.4
To: "Jacques A. Vidrine"
Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org, re@FreeBSD.org
Subject: Re: cvs commit: src/kerberos5/usr.bin/k5su Makefile
In-Reply-To: <20020511225532.E99C13809@overcee.wemm.org>
Date: Sat, 11 May 2002 16:10:27 -0700
From: Peter Wemm
Message-Id: <20020511231027.BF4283808@overcee.wemm.org>
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Peter Wemm wrote:
> "Jacques A. Vidrine" wrote:
> > On Sat, May 11, 2002 at 01:28:37PM -0700, Peter Wemm wrote:
> > > Jacques Vidrine wrote:
> > > > nectar 2002/05/11 08:35:12 PDT
> > > >
> > > > Modified files: (Branch: RELENG_4)
> > > > kerberos5/usr.bin/k5su Makefile
> > > > Log:
> > > > MFC 1.5: Do not install this with set-user-ID bit set.
> > >
> > > This is going to be fun on the FreeBSD.org cluster. Where is the
> > > override?
> >
> > There isn't one. Feel free to add one (default to no set-user-ID) if
> > you need it.
>
> This is not acceptable. You are breaking existing systems, for example,
> the *.freebsd.org cluster.
>
> I have formally complained to re@ about this MFC.
>
> If you are going to do this, do it right. Put a #if 0 around the fallback
> code that looks up the plaintext passwords or something. Do not screw up
> the whole tool. Even more inexcusable is that you are clobbering a working
> /usr/bin/k5su with a non-working one.

Specifically, consider something like this instead:

--- /tmp/su.c Sat May 11 16:05:07 2002 +++ su.c Sat May 11 16:01:39 2002 @@ -156,7 +156,7 @@ NULL); else ret = krb5_make_principal(context, &p, NULL, - su_info->pw_name, + login_name, NULL); if(ret) return 1; 
@@ -325,7 +325,7 @@ (kerberos_error=krb5_verify(login_info, su_info, kerberos_instance)) == 0) ok++; - if(ok == 0 && login_info->pw_uid && verify_unix(su_info) != 0) { + if(ok == 0 && login_info->pw_uid /* && verify_unix(su_info) != 0 */) { printf("Sorry!\n"); exit(1); }

This makes k5su purely use kerberos ACL's. Use plain-su for everything else.

peter@nwww[4:08pm]/w/src/crypto/heimdal/appl/su-106> k5su
peter/root@FREEBSD.ORG's Password:
k5su: Password incorrect
Sorry!
peter@nwww[4:08pm]/w/src/crypto/heimdal/appl/su-107>

Cheers,
-Peter
--
Peter Wemm - peter@wemm.org; peter@FreeBSD.org; peter@yahoo-inc.com
"All of this is for nothing if we don't go to the stars" - JMS/B5
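
Review bot: In the first hunk (@@ -156,7), the else branch now passes `login_name` to krb5_make_principal, but nothing in the visible context declares or assigns it. Please confirm it is in scope and non-NULL on this path, or derive it from the caller's passwd entry (the second hunk shows `login_info` being passed to krb5_verify). Since the principal built here no longer includes `su_info->pw_name`, a comment saying where the target account is authorized would help the next reader.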
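
Review bot: In the second hunk (@@ -325,7), commenting out `&& verify_unix(su_info) != 0` inside the condition leaves dead code in the expression and records no reason for it. With the change the test is `ok == 0 && login_info->pw_uid`, so every non-root caller without a successful krb5_verify is refused, and a caller with uid 0 still passes without any check; state that in a comment. If the local-password fallback is meant to be optional, a compile-time switch (#ifdef around the verify_unix call) would be cleaner than an inline comment, and it would avoid leaving verify_unix possibly unused.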