[sudo-workers] Kerberize sudo - include KRB5CCNAME in PAM environment

Pavel Březina pbrezina at redhat.com
Mon Jan 18 04:36:28 MST 2021


On 12/7/20 12:46 PM, Pavel Březina wrote:
> On 12/3/20 6:28 PM, Todd C. Miller wrote:
>> On Mon, 30 Nov 2020 13:22:51 +0100, Pavel Březina wrote:
>>
>>> Unfortunately, if the user is using a non-default ccache (via the KRB5CCNAME
>>> environment variable) the authentication fails [3] because sudo
>>> apparently clears the environment before executing the PAM stack so the
>>> variable is not available to the module. This can be worked around by
>>> including KRB5CCNAME in env_keep, however this will also make it
>>> available to the executed command which may not always be desirable.
>>>
>>> What can we do about it? Can we postpone environment reset after PAM or
>>> does it have any security meaning I am not aware of? Or can we include
>>> some pam_env_keep whitelist?
>>
>> The issue is that some authentication methods may be influenced by
>> the user's environment and sudo is no longer setuid at that point
>> so the environment may be trusted.
>>
>> There is code in sudo's ldap.c to deal with a similar issue.  See
>> sudo_set_krb5_ccache_name() in that file for how it is handled for
>> the ldap back-end.  It temporarily sets KRB5CCNAME based on the
>> stashed value in user_ccname and then restores things when it is
>> done.
> 
> So I will need to store the current value of KRB5CCNAME in
> sudoers_policy_main() before rebuild_name() is called. Then call
> sudo_set_krb5_ccache_name() in sudo_pam_init2() and restore it again in
> sudo_pam_cleanup(). Does this sound ok to you?

PR: https://github.com/sudo-project/sudo/pull/80
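
The stash, temporary set, and restore sequence discussed in this thread, as an added sketch that is not code from sudo or from the PR above. The names ccname_stash(), ccname_override() and ccname_restore() and the static variables are hypothetical; they only mark where the three steps fall relative to the environment reset and the authentication stack.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* setenv, unsetenv, strdup */
#endif
#include <stdlib.h>
#include <string.h>

/* Hypothetical state for this sketch; not sudo's own variables. */
static char *stashed_ccname;  /* caller's value, copied before the env reset */
static char *saved_ccname;    /* value present when the override was applied */
static int override_active;

/* Before the environment is reset: keep a private copy of KRB5CCNAME. */
int ccname_stash(void) {
    const char *cur = getenv("KRB5CCNAME");
    free(stashed_ccname);
    stashed_ccname = cur ? strdup(cur) : NULL;
    return (cur && !stashed_ccname) ? -1 : 0;
}

/* At authentication start: expose the stashed value to the auth modules
 * only, remembering what the reset environment held so it can be put back. */
int ccname_override(void) {
    const char *cur = getenv("KRB5CCNAME");
    if (override_active || !stashed_ccname)
        return 0;   /* already applied, or the caller had no ccache set */
    saved_ccname = cur ? strdup(cur) : NULL;
    if ((cur && !saved_ccname) ||
        setenv("KRB5CCNAME", stashed_ccname, 1) != 0) {
        free(saved_ccname);
        saved_ccname = NULL;
        return -1;
    }
    override_active = 1;
    return 0;
}

/* At authentication cleanup: restore exactly what was there before, so the
 * executed command does not inherit KRB5CCNAME unless policy keeps it. */
int ccname_restore(void) {
    if (!override_active)
        return 0;
    int rc = saved_ccname ? setenv("KRB5CCNAME", saved_ccname, 1)
                          : unsetenv("KRB5CCNAME");
    free(saved_ccname);
    saved_ccname = NULL;
    override_active = 0;
    return rc;
}
```

The restore step distinguishes "variable was unset" from "variable had another value", which is what keeps the override from leaking into the command's environment in either case.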


