[Pkg-sssd-devel] Bug#1036993: Bug#1036993: /lib/x86_64-linux-gnu/security/pam_sss.so: pam_sss passes KRB5CCNAME with sudo -i (see redhat bug/fix 1324486)
Timo Aaltonen
tjaalton at debian.org
Thu Jun 1 10:21:27 BST 2023
J. Pfennig wrote on 31.5.2023 at 21.34:
> Package: libpam-sss
> Version: 2.8.2-4
> Severity: normal
> File: /lib/x86_64-linux-gnu/security/pam_sss.so
>
> Dear Maintainer,
>
> * What led up to the situation?
>
> using kerberos, AD/DC, sssd and its pam module
>
> * What exactly did you do (or not do) that was effective (or
> ineffective)?
>
> kinit ... # to get a kerberos ticket
> echo $KRB5CCNAME # path to credential cache
>
> sudo -i user2
> echo $KRB5CCNAME # ORIGINAL path to credential cache
>
> * What was the outcome of this action?
>
> kinit, klist et al fail, wrong credential cache
> echo $KRB5CCNAME # path from original user
>
> * What outcome did you expect instead?
>
> KRB5CCNAME must not be passed
>
> the case is described better than I can do at:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1324486
>
> Bug fixed there in 2017. Could Debian fix it too?
>
The default value for pam_response_filter should already be
'ENV:KRB5CCNAME:sudo, ENV:KRB5CCNAME:sudo-i', so this issue should not
happen since 2.5.1.
--
t
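An added check, not part of this thread or of sssd itself: a POSIX shell script that reads the [pam] section of an sssd.conf and reports whether the effective pam_response_filter (the upstream default quoted above when the option is absent) drops KRB5CCNAME for the sudo-i service. It assumes the filter grammar documented in sssd.conf(5) (ENV, ENV:var, ENV:var:service); the two sample configs are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or sssd): report whether an sssd.conf lets
# "sudo -i" inherit the caller's KRB5CCNAME. Assumes the default quoted in the
# reply applies when pam_response_filter is absent from the [pam] section.

DEFAULT_FILTER='ENV:KRB5CCNAME:sudo, ENV:KRB5CCNAME:sudo-i'

# Print the pam_response_filter value from FILE's [pam] section, or the default
# when unset. An explicit empty value counts as set (no filtering at all).
effective_pam_response_filter() {
    line=$(awk '
        /^[ \t]*\[/ { in_pam = ($0 ~ /^[ \t]*\[pam\][ \t]*$/); next }
        in_pam && /^[ \t]*pam_response_filter[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); print "set=" $0; exit
        }' "$1")
    case "$line" in
        set=*) printf '%s\n' "${line#set=}" ;;
        *)     printf '%s\n' "$DEFAULT_FILTER" ;;
    esac
}

# Exit 0 when the effective filter drops KRB5CCNAME for the sudo-i service:
# specifically (ENV:KRB5CCNAME:sudo-i), for every service (ENV:KRB5CCNAME),
# or by dropping all variables (ENV). Filter grammar as in sssd.conf(5).
krb5ccname_filtered_for_sudo_i() {
    effective_pam_response_filter "$1" | tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
        grep -qx -e 'ENV:KRB5CCNAME:sudo-i' -e 'ENV:KRB5CCNAME' -e 'ENV'
}

# Constructed sample configs (no real hosts): one narrowing the filter to plain
# sudo, which reproduces the reported symptom, and one relying on the default.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/narrowed.conf" <<'EOF'
[sssd]
services = nss, pam
[pam]
pam_response_filter = ENV:KRB5CCNAME:sudo
EOF
cat > "$SAMPLE_DIR/default.conf" <<'EOF'
[sssd]
services = nss, pam
[pam]
pam_verbosity = 1
EOF

for f in "$SAMPLE_DIR"/*.conf; do
    krb5ccname_filtered_for_sudo_i "$f" && echo "$f: OK, KRB5CCNAME filtered for sudo -i" ||
        echo "$f: WARNING, sudo -i inherits the caller's KRB5CCNAME"
done
```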