[Bug 705801] New: kerberos ksu comes with no suid-bit set.
https://bugzilla.novell.com/show_bug.cgi?id=705801

https://bugzilla.novell.com/show_bug.cgi?id=705801#c0

Summary: kerberos ksu comes with no suid-bit set.
Classification: openSUSE
Product: openSUSE 12.1
Version: Factory
Platform: All
OS/Version: openSUSE 11.4
Status: NEW
Severity: Enhancement
Priority: P5 - None
Component: Security
AssignedTo: security-team@suse.de
ReportedBy: christof.hanke@rzg.mpg.de
QAContact: qa@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:5.0) Gecko/20100101 Firefox/5.0

Could you audit the ksu binary of the package krb5?
Once it is audited, please add it to /etc/permissions, so that the suid-bit can be set in the rpm.

Thanks!

Reproducible: Always

Steps to Reproduce:
N/A

Actual Results:
N/A

Expected Results:
N/A

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=705801

https://bugzilla.novell.com/show_bug.cgi?id=705801#c1

Ludwig Nussel <lnussel@novell.com> changed:

What         |Removed |Added
----------------------------------------------------------------------------
Status       |NEW     |NEEDINFO
InfoProvider |        |christof.hanke@rzg.mpg.de

--- Comment #1 from Ludwig Nussel <lnussel@novell.com> 2011-07-14 15:05:41 CEST ---

What's the benefit of that over /bin/su?

https://bugzilla.novell.com/show_bug.cgi?id=705801

https://bugzilla.novell.com/show_bug.cgi?id=705801#c2

Christof Hanke <christof.hanke@rzg.mpg.de> changed:

What         |Removed                   |Added
----------------------------------------------------------------------------
Status       |NEEDINFO                  |NEW
CC           |                          |christof.hanke@rzg.mpg.de
InfoProvider |christof.hanke@rzg.mpg.de |

--- Comment #2 from Christof Hanke <christof.hanke@rzg.mpg.de> 2011-07-14 13:21:38 UTC ---

With ksu each person has his/her own password (the one of the user/root@REALM principal).
Like this I can allow this person to become root on any machine without disclosing the real root-password.
Like this I can revoke the root-access without changing any password on the system.

https://bugzilla.novell.com/show_bug.cgi?id=705801

https://bugzilla.novell.com/show_bug.cgi?id=705801#c3

Ludwig Nussel <lnussel@novell.com> changed:

What       |Removed |Added
----------------------------------------------------------------------------
Status     |NEW     |RESOLVED
CC         |        |mc@novell.com
Resolution |        |WONTFIX

--- Comment #3 from Ludwig Nussel <lnussel@novell.com> 2011-07-14 15:35:19 CEST ---

I suppose this could be achieved with a pam module too. If one doesn't exist yet, someone should write it :-)

su-like programs are generally horribly buggy and we already have too many of them. Please understand that we won't set a setuid bit on another one *by default* (i.e. every single installation) just because it's nice to have in some special configurations. You can set the setuid bit on your machines in /etc/permissions.local just fine.