Package: libpam-krb5
Version: 1.0-10
Severity: normal
Tags: patch
The default Kerberos credentials cache file is by convention (at least
by kinit and ssh-krb5, the two other things I have that create ccaches)
called /tmp/krb5cc_<uid>_<random>; however, libpam-krb5 creates
/tmp/krb5cc_<random> (ie. no uid), even though the manpage claims
/tmp/krb5cc_[uid] default credentials cache ([uid] is the decimal UID
of the user).
The problem with this is that it confuses rpc.gssd (the helper d<C3><A6>mon for
using NFSv4 with Kerberos authentication), which only looks for
/tmp/krb5cc_<uid>_* when trying to find the ccache for <uid>. I could of
course work around this by sending "ccache=/tmp/krb5cc_%u", but I can't
see from the source whether this would allow a symlink attack or not;
the best thing would simply be fixing the module.
Please see the attached patch -- it compiles, but is otherwise untested
(sorry about that).
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.11-rc3
Locale: LANG=C, LC_CTYPE=en_US.ISO8859-1 (charmap=ISO-8859-1)
Versions of packages libpam-krb5 depends on:
ii libc6 2.3.2.ds1-20 GNU C Library: Shared libraries an
ii libcomerr2 1.36rc5-1 common error description library
ii libkrb53 1.3.6-1 MIT Kerberos runtime libraries
ii libpam0g 0.76-22 Pluggable Authentication Modules l
--- pam_krb5_auth.c.orig 2005-02-13 03:09:08.000000000 +0100
+++ pam_krb5_auth.c 2005-02-13 03:08:16.000000000 +0100
@@ -349,12 +349,18 @@
/* Get the cache name */
if (!cache_name) {
int ccache_fd;
- cache_name = strdup ("/tmp/krb5cc_XXXXXX");
+ /*
+ * "/tmp/krb5cc_4294967295_XXXXXX" is the largest we can get,
+ * and is 29 bytes long
+ */
+ cache_name = (char *)malloc(32);
if (!cache_name) {
DLOG("malloc()", "failure");
pamret = PAM_BUF_ERR;
goto cleanup3;
}
+ snprintf(cache_name, 32, "krb5cc_%d_XXXXXX",
+ pw->pw_uid);
ccache_fd = mkstemp (cache_name);
if( ccache_fd == -1 ) {
DLOG ("mkstemp()", "failure");
