[Bug 203570] kcheckpass doesn't refresh credentials
https://bugzilla.novell.com/show_bug.cgi?id=203570

kuenne@rentec.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |ASSIGNED
      Info Provider|kuenne@rentec.com           |

------- Comment #15 from kuenne@rentec.com  2006-11-08 11:28 MST -------
(In reply to comment #14)
> it seems to me that kcheckpass works fine without suid root bit in simple cases. does your krb5 case also work when kcheckpass is not suid root?

Yes, it ONLY works if kcheckpass is not suid root. That's because the pam_krb5 module tries to be overprotective and refuses to work if it's called suid or sgid. The following snippet from pam_krb5/sly.c shows it:

..
    /* Inexpensive checks. */
    if (getenv("SUDO_COMMAND") != NULL) {
        warn("won't refresh credentials while running under sudo");
        return PAM_SERVICE_ERR;
    }
    if ((getuid() != geteuid()) || (getgid() != getegid())) {
        warn("won't refresh credentials while running setuid/setgid");
        return PAM_SERVICE_ERR;
    }
..

I don't know what the best solution would be, change pam_krb5 to not be so overly protective or run kcheckpass not suid. For us I have chosen the latter solution for now, running kcheckpass without suid root and it works fine. But it might not work if you have local accounts in a shadow file. On the other hand, if you have local accounts and no krb5 you can run kcheckpass suid root again as the pam_unix2 module doesn't mind.

As I said I don't have a good solution for this problem.
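
An administrator-side check for the combinations described in the comment above, as an added example that is not part of the original bug report or of kcheckpass/pam_krb5. The function names are hypothetical, and the PAM file paths are supplied by the caller because the report does not name them.

```shell
#!/bin/sh
# Added example (not from the bug report). Function names are hypothetical.
# Usage: sh check.sh /path/to/helper pam-file [pam-file ...]
# Included PAM files are not followed; pass each file of the stack explicitly.

# True if an active (non-comment) line of PAM file $1 names module $2.
uses_module() {
    sed 's/#.*//' "$1" |
        grep -Eq "(^|[[:space:]/])$2(\.so)?([[:space:]]|\$)"
}

# Exit status: 0 = no issue found, 1 = conflict, 2 = warning.
check_pam_helper() {
    helper=$1; shift
    krb5=no; unix2=no
    for f in "$@"; do
        if uses_module "$f" pam_krb5; then krb5=yes; fi
        if uses_module "$f" pam_unix2; then unix2=yes; fi
    done
    # The module compares getuid()/geteuid() and getgid()/getegid(), so
    # either mode bit on the helper can trip it.
    if [ -u "$helper" ] || [ -g "$helper" ]; then priv=yes; else priv=no; fi

    case "$priv:$krb5:$unix2" in
        yes:yes:*)
            echo "conflict: $helper is setuid/setgid and pam_krb5 is in the stack; it will refuse to refresh credentials"
            return 1 ;;
        no:*:yes)
            echo "warning: $helper is not setuid/setgid and pam_unix2 is in the stack; local shadow accounts might not work"
            return 2 ;;
        *)
            echo "ok: no setuid/pam_krb5 conflict found for $helper"
            return 0 ;;
    esac
}

# Run only when arguments are given, so the file can also be sourced.
if [ "$#" -ge 2 ]; then
    check_pam_helper "$@"
fi
```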