[sudo-workers] Kerberize sudo - include KRB5CCNAME in PAM environment

Todd C. Miller Todd.Miller at sudo.ws
Thu Dec 3 10:28:21 MST 2020


On Mon, 30 Nov 2020 13:22:51 +0100, Pavel Březina wrote:

> Unfortunately, if a user is using a non-default ccache (via the KRB5CCNAME 
> environment variable) the authentication fails [3] because sudo 
> apparently clears the environment before executing the PAM stack, so the 
> variable is not available to the module. This can be worked around by 
> including KRB5CCNAME in env_keep; however, this will also make it 
> available to the executed command, which may not always be desirable.
>
> What can we do about it? Can we postpone the environment reset until after PAM, or 
> does it have some security meaning I am not aware of? Or can we include 
> some pam_env_keep whitelist?

The issue is that some authentication methods may be influenced by
the user's environment and sudo is no longer setuid at that point
so the environment may be trusted.

There is code in sudo's ldap.c to deal with a similar issue.  See
sudo_set_krb5_ccache_name() in that file for how it is handled for
the ldap back-end.  It temporarily sets KRB5CCNAME based on the
stashed value in user_ccname and then restores things when it is
done.

 - todd
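The pattern Todd points at (temporarily set KRB5CCNAME from a stashed value for the duration of the authentication step, then put the environment back) can be shown stand-alone. The C below is an added example written for this thread, not sudo's own ldap.c code: the helper name with_krb5_ccache, the callback type, the struct seen recorder and the sample ccache paths are all constructed for illustration. The point it makes is the one from the mail: the module sees the user's ccache name, but the value is gone again before anything else (such as the command sudo is about to run) inherits the environment, which is the leak that an env_keep entry would allow.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical scoped override of KRB5CCNAME: set it from a stashed value
 * (user_ccname) while an authentication callback runs, then restore the
 * previous value or remove it again. Not sudo's code. */
typedef int (*auth_fn)(void *ctx);

int with_krb5_ccache(const char *user_ccname, auth_fn fn, void *ctx)
{
    const char *name = "KRB5CCNAME";
    char *saved = NULL;
    int had_old = 0, rc;

    /* Remember whatever is there now so it can be restored exactly. */
    const char *old = getenv(name);
    if (old != NULL) {
        saved = strdup(old);
        if (saved == NULL)
            return -1;
        had_old = 1;
    }

    /* Install the stashed ccache name only for the duration of fn(). */
    if (user_ccname != NULL) {
        if (setenv(name, user_ccname, 1) != 0) {
            free(saved);
            return -1;
        }
    } else {
        unsetenv(name);
    }

    rc = fn(ctx);

    /* Undo the override so nothing run later inherits it. */
    if (had_old)
        setenv(name, saved, 1);
    else
        unsetenv(name);
    free(saved);
    return rc;
}

/* Constructed stand-in for the PAM/LDAP authentication step: it just
 * records what it observed in the environment. */
struct seen {
    char value[256];
    int present;
};

static int record_ccname(void *ctx)
{
    struct seen *s = ctx;
    const char *v = getenv("KRB5CCNAME");
    s->present = (v != NULL);
    if (v)
        snprintf(s->value, sizeof s->value, "%s", v);
    else
        s->value[0] = '\0';
    return 0;
}

/* Returns 1 if the callback saw the stashed name and the variable was
 * absent again afterwards, 0 otherwise. */
int demo_scoped_ccname(void)
{
    struct seen s;
    unsetenv("KRB5CCNAME");            /* environment already reset, as in sudo */
    if (with_krb5_ccache("FILE:/tmp/krb5cc_example", record_ccname, &s) != 0)
        return 0;
    if (!s.present || strcmp(s.value, "FILE:/tmp/krb5cc_example") != 0)
        return 0;
    return getenv("KRB5CCNAME") == NULL;   /* not leaked to what runs next */
}

int main(void)
{
    printf("%s\n", demo_scoped_ccname() ? "ok" : "FAIL");
    return 0;
}
```

Compile with `cc -o ccname_demo ccname_demo.c`. The restore branch matters when the caller's own environment already carried a KRB5CCNAME: the helper puts that exact string back rather than simply unsetting it.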
