Date: Tue, 02 Mar 1999 09:26:25 -0700 From: Brett Glass <brett@lariat.org> To: questions@freebsd.org Subject: Segfault when executing "Kerberized" su Message-ID: <4.1.19990302092432.040f54b0@localhost>
next in thread | raw e-mail | index | archive | help
[Note: I first sent this question to the "security" list, but didn't receive a copy back from the listserv. (Is something broken?) So, I'm posting it to "questions" in the hope that I might get a quicker answer. -BG] I recently set up FreeBSD 2.2.8-RELEASE on a new system, bringing over most of the users from an older one that had suffered a security compromise. After installing FreeBSD with Kerberos, I secured the system by removing most of the daemons in inetd, adding S/key, adding TCP wrappers, and installing sshd for remote logins. I then added a random password generation script, merged in entries from the old system's password and group files, and nuked the users' old passwords so they'd have to be reassigned by the sysadmin via the random password generator. I used a Perl script to read the password file and create fresh home directories for all of the users I'd just merged in (that is, whose home directories didn't exist yet). After doing this, I logged off to go to lunch. When I logged back on and attempted to su to root, I discovered that su was taking a long time to run and then aborting with a segfault! Experimentation showed that if I used su -K, I could su to root as usual. So the problem appears to have something to do with Kerberos. Why is su segfaulting? Searching the mailing list archives, I found at http://www.freebsd.org/cgi/getmsg.cgi?fetch=208472+211455+/usr/local/www/db/ text/1997/freebsd-bugs/19970615.freebsd-bugs that there was once a bug with similar symptoms that was supposedly fixed. I thought at first that su might have been coughing on a large group containing 108 users, but removing the group from /etc/group didn't help. Could Kerberos be choking on the large number of users with "*" in their password fields in /etc/master.passwd? What else might be wrong? If the bug seems difficult to track down, I may want to de-Kerberize the system for now. Is there an easy way to do this? It looks as if the Kerberos installation overwrites the original, non-Kerberized versions of several utilities, so I can't just delete and rename some files here. What's the best way to regress to the non-Kerberos versions if I want to do that? --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4.1.19990302092432.040f54b0>