[sudo-workers] Kerberize sudo - include KRB5CCNAME in PAM environment
Pavel Březina
pbrezina at redhat.com
Mon Dec 7 04:46:16 MST 2020
On 12/3/20 6:28 PM, Todd C. Miller wrote:
> On Mon, 30 Nov 2020 13:22:51 +0100, Pavel Březina wrote:
>
>> Unfortunately, if a user is using a non-default ccache (via the KRB5CCNAME
>> environment variable) the authentication fails [3] because sudo
>> apparently clears the environment before executing the PAM stack, so the
>> variable is not available to the module. This can be worked around by
>> including KRB5CCNAME in env_keep; however, this will also make it
>> available to the executed command, which may not always be desirable.
>>
>> What can we do about it? Can we postpone the environment reset until after
>> PAM, or does it have some security meaning I am not aware of? Or can we
>> include some pam_env_keep whitelist?
>
> The issue is that some authentication methods may be influenced by
> the user's environment and sudo is no longer setuid at that point
> so the environment may be trusted.
>
> There is code in sudo's ldap.c to deal with a similar issue. See
> sudo_set_krb5_ccache_name() in that file for how it is handled for
> the ldap back-end. It temporarily sets KRB5CCNAME based on the
> stashed value in user_ccname and then restores things when it is
> done.
So I will need to store the current value of KRB5CCNAME in
sudoers_policy_main() before rebuild_name() is called. Then call
sudo_set_krb5_ccache_name() in sudo_pam_init2() and restore it again in
sudo_pam_cleanup(). Does this sound ok to you?
>
> - todd
>
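For readers following the thread, here is an added stand-alone illustration of the stash / set / restore sequence being discussed. It is example code written for this page, not sudo's own implementation: user_ccname, stash_user_ccname(), set_krb5_ccache_name() and restore_krb5_ccache_name() are hypothetical stand-ins for the places Pavel names (the policy entry point before the environment is rebuilt, PAM initialisation, and PAM cleanup), and the environment reset is simulated with unsetenv(). The point it makes that the prose does not spell out: the restore step has to remember whether KRB5CCNAME was set at all after the reset, so that the user's ccache is visible to the PAM module but never ends up in the executed command's environment, which is exactly what the env_keep workaround would leak.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added illustration, not sudo source. All names below are hypothetical
 * stand-ins for the flow described in the thread:
 *   stash_user_ccname()        -> runs while the caller's environment is intact
 *   set_krb5_ccache_name()     -> runs right before the PAM stack
 *   restore_krb5_ccache_name() -> runs at PAM cleanup, before the command
 */

static char *user_ccname  = NULL;  /* user's ccache, captured pre-reset */
static char *saved_ccname = NULL;  /* env value to put back afterwards */
static int   saved_was_set = 0;    /* distinguishes "" from "not set" */

/* Step 1: capture KRB5CCNAME before the environment is rebuilt.
 * Returns 1 if the user had a non-default ccache, 0 otherwise. */
int stash_user_ccname(void)
{
    const char *v = getenv("KRB5CCNAME");
    free(user_ccname);
    user_ccname = (v != NULL) ? strdup(v) : NULL;
    return user_ccname != NULL;
}

/* Step 2: export the stashed value so a Kerberos PAM module can find the
 * user's ccache. Remember the prior state (set or unset) so it can be
 * undone exactly. Returns 1 if KRB5CCNAME was exported, 0 if there was
 * nothing to export. */
int set_krb5_ccache_name(void)
{
    const char *cur = getenv("KRB5CCNAME");
    free(saved_ccname);
    saved_was_set = (cur != NULL);
    saved_ccname  = saved_was_set ? strdup(cur) : NULL;
    if (user_ccname == NULL)
        return 0;
    return setenv("KRB5CCNAME", user_ccname, 1) == 0;
}

/* Step 3: put the environment back exactly as it was after the reset, so
 * the user's ccache does not reach the executed command. Returns 1 on
 * success. */
int restore_krb5_ccache_name(void)
{
    int rc;
    if (saved_was_set)
        rc = setenv("KRB5CCNAME", saved_ccname, 1);
    else
        rc = unsetenv("KRB5CCNAME");
    free(saved_ccname);
    saved_ccname = NULL;
    saved_was_set = 0;
    return rc == 0;
}

/* Stand-in for "what does the next stage see": the ccache a PAM module (or
 * later the command) would pick up, or NULL for the default ccache. */
const char *visible_ccname(void)
{
    return getenv("KRB5CCNAME");
}

int main(void)
{
    /* Constructed sample: the invoking user points at a non-default ccache. */
    setenv("KRB5CCNAME", "FILE:/tmp/krb5cc_example", 1);
    stash_user_ccname();

    unsetenv("KRB5CCNAME");          /* simulates sudo's environment reset */
    set_krb5_ccache_name();
    printf("PAM sees:     %s\n", visible_ccname() ? visible_ccname() : "(default)");
    restore_krb5_ccache_name();
    printf("command sees: %s\n", visible_ccname() ? visible_ccname() : "(default)");
    return 0;
}
```

Running it prints the user's ccache on the "PAM sees" line and "(default)" on the "command sees" line. The second half of the design (tracking saved_was_set) matters because a plain setenv/setenv pair cannot express "unset", and leaving the variable behind would recreate the env_keep problem.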