Pull up following revision(s) (requested by riastradh in ticket #1896):

lib/libpam/modules/pam_ksu/pam_ksu.c: revision 1.11

pam_ksu(8): Allow homedir access during kuserok.

Otherwise, the default kuserok logic to look at ~targetuser/.k5login
would be blocked by the security measure to thwart NetBSD-SA2023-005.

(There are other ways, e.g. setting SYSTEM-K5LOGIN in /etc/krb5.conf
so the file is /etc/k5login.d/user instead of ~user/.k5login, but
that's not the default configuration and there are plenty of
deployments that rely on ~user/.k5login today.)

I reviewed libkrb5 for homedir access checks.  There are three:
1. krb5_config_parse_file_multi, called only by:
   - verify_krb5_conf -- not relevant
   - krb5_config_parse_file -- not used here as far as I can tell,
     only by libhdb ldap logic and test code in heimdal
   - krb5_set_config_files -- used here only via krb5_init_context,
     which is done at this point
2. plugin_get_hosts in krbhst.c, used to look up hosts for KDC I/O,
   which shouldn't be happening at this point, so this is almost
   certainly unreachable; also it only appears to control whether
   some old plugin API can be used, long after we have read the krb5
   config controlling which plugins are available, so this is
   probably harmless
3. krb5_kuserok, which is the one we want to allow

Note: This will have to be updated again in the next Heimdal update,
which eliminates the global homedir access flag in favour of making
the default per-context homedir access flag conditional on !issuid.
This commit is contained in:
martin 2023-09-08 09:09:56 +00:00
parent d4eab99e7c
commit bb549d4dda
1 changed files with 4 additions and 2 deletions

View File

@ -1,4 +1,4 @@
/* $NetBSD: pam_ksu.c,v 1.9.18.1 2023/06/21 22:08:16 martin Exp $ */ /* $NetBSD: pam_ksu.c,v 1.9.18.2 2023/09/08 09:09:56 martin Exp $ */
/*- /*-
* Copyright (c) 2002 Jacques A. Vidrine <nectar@FreeBSD.org> * Copyright (c) 2002 Jacques A. Vidrine <nectar@FreeBSD.org>
@ -29,7 +29,7 @@
#ifdef __FreeBSD__ #ifdef __FreeBSD__
__FBSDID("$FreeBSD: src/lib/libpam/modules/pam_ksu/pam_ksu.c,v 1.5 2004/02/10 10:13:21 des Exp $"); __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_ksu/pam_ksu.c,v 1.5 2004/02/10 10:13:21 des Exp $");
#else #else
__RCSID("$NetBSD: pam_ksu.c,v 1.9.18.1 2023/06/21 22:08:16 martin Exp $"); __RCSID("$NetBSD: pam_ksu.c,v 1.9.18.2 2023/09/08 09:09:56 martin Exp $");
#endif #endif
#include <sys/param.h> #include <sys/param.h>
@ -92,7 +92,9 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
goto out; goto out;
} }
PAM_LOG("kuserok: %s -> %s", su_principal_name, user); PAM_LOG("kuserok: %s -> %s", su_principal_name, user);
(void)krb5_set_home_dir_access(NULL, TRUE); /* ~user/.k5login */
rv = krb5_kuserok(context, su_principal, user); rv = krb5_kuserok(context, su_principal, user);
(void)krb5_set_home_dir_access(NULL, FALSE);
pamret = rv ? auth_krb5(pamh, context, su_principal_name, su_principal) : PAM_AUTH_ERR; pamret = rv ? auth_krb5(pamh, context, su_principal_name, su_principal) : PAM_AUTH_ERR;
free(su_principal_name); free(su_principal_name);
krb5_free_principal(context, su_principal); krb5_free_principal(context, su_principal);