[Pkg-sssd-devel] Bug#1036993: Bug#1036993: /lib/x86_64-linux-gnu/security/pam_sss.so: pam_sss passes KRB5CCNAME with sudo -i (see redhat bug/fix 1324486)

Jürgen Pfennig info at j-pfennig.de
Thu Jun 8 16:36:24 BST 2023


June 2, 2023 12:44 AM, "Timo Aaltonen" <tjaalton at debian.org> wrote:

> J. Pfennig wrote on 31.5.2023 at 21.34:
> 
>> Package: libpam-sss
>> Version: 2.8.2-4
>> Severity: normal
>> File: /lib/x86_64-linux-gnu/security/pam_sss.so
>> Dear Maintainer,
>> * What led up to the situation?
>> using kerberos, AD/DC, sssd and its pam module
>> * What exactly did you do (or not do) that was effective (or
>> ineffective)?
>> kinit ... # to get a kerberos ticket
>> echo $KRB5CCNAME # path to credential cache
>> sudo -i user2
>> echo $KRB5CCNAME # ORIGINAL path to credential cache
>> * What was the outcome of this action?
>> kinit, klist et al fail, wrong credential cache
>> echo $KRB5CCNAME # path from original user
>> * What outcome did you expect instead?
>> KRB5CCNAME must not be passed
>> the case is described better than I can do at:
>> https://bugzilla.redhat.com/show_bug.cgi?id=1324486
>> Bug fixed there in 2017. Could Debian fix it too?
> 
> The default value for pam_response_filter should already be
> 'ENV:KRB5CCNAME:sudo, ENV:KRB5CCNAME:sudo-i', so this issue should not
> happen since 2.5.1.
> 
> -- t

But this still shows up in bookworm. I didn't know that a simple sudo is also
affected, making things much worse. For sudo -i we can put an 'unset KRB5CCNAME'
into .profile. Here are some more details:

############
ENVIRONMENTS
############

login jpf # a samba AD/DC user
env # output follows ...

SHELL=/bin/bash
XDG_SEAT=seat0
PWD=/home/jpf
KRB5CCNAME=FILE:/tmp/krb5cc_30010_i1f8Bd
LOGNAME=jpf
XDG_SESSION_TYPE=tty
SYSTEMD_EXEC_PID=5152
MOTD_SHOWN=pam
LINES=60
HOME=/home/jpf
LANG=de_DE.UTF-8
COLUMNS=192
TMPDIR=/run/user/30010
INVOCATION_ID=0aef719acd824994b41aded975d5743f
LESSCLOSE=/usr/bin/lesspipe %s %s
XDG_SESSION_CLASS=user
TERM=linux
LESSOPEN=| /usr/bin/lesspipe %s
USER=jpf
SHLVL=1
XDG_VTNR=2
XDG_SESSION_ID=5
XDG_RUNTIME_DIR=/run/user/30010
XDG_DATA_DIRS=/home/jpf/.local/share/flatpak/exports/share:/var/lib/flatpak/exports/share:/usr/local/share/:/usr/share/
HUSHLOGIN=FALSE
TMP=/run/user/30010
PATH=/shared/python/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
GDK_DPI_SCALE_FIREFOX=0.8
DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/30010/bus
MAIL=/var/mail/jpf

sudo -u local env # a local /etc/passwd user
# output follows...
_=/usr/bin/env
KRB5CCNAME=FILE:/tmp/krb5cc_30010_i1f8Bd
HOME=/home/jpf
LANG=de_DE.UTF-8
TERM=linux
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
MAIL=/var/mail/local
LOGNAME=local
USER=local
SUDO_COMMAND=/usr/bin/env
SUDO_USER=jpf
SUDO_UID=30010
SUDO_GID=1001

/etc/sudoers
############
Defaults env_reset
Defaults env_keep += "DISPLAY HOME GTK_RC_FILES GTK2_RC_FILES GDK_DPI_SCALE KDE_FULL_SESSION"
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root ALL=(ALL:ALL) NOPASSWD: ALL
local ALL=(ALL:ALL) NOPASSWD: ALL
%wheel ALL=(ALL:ALL) NOPASSWD: ALL
%sudo ALL=(ALL:ALL) NOPASSWD: ALL
%centauri ALL=NOPASSWD: /sbin/shutdown
%centauri ALL=NOPASSWD: /sbin/reboot
%vboxusers ALL=NOPASSWD: /usr/bin/systemctl start virtualbox
%vboxusers ALL=(vbox)NOPASSWD: SETENV: /usr/lib/virtualbox/*
%vboxusers ALL=NOPASSWD: /usr/bin/mount -l -- /var/centauri/vbox/*
%vboxusers ALL=NOPASSWD: /usr/bin/umount -- /var/centauri/vbox/*
%vboxusers ALL=(vbox)NOPASSWD: SETENV: /usr/bin/bash *
%users ALL=NOPASSWD: /var/centauri/tools/centauridata update
%users ALL=NOPASSWD: /var/centauri/tools/centauriusers -q passwd -

/etc/sssd/sssd.conf
###################
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
domains = centauri.home
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
[pam]
reconnection_retries = 3
offline_credentials_expiration = 365
offline_failed_login_attempts = 32
offline_failed_login_delay = 5
[domain/centauri.home]
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
cache_credentials = true
krb5_store_password_if_offline = True
fallback_homedir = /home/%u
default_shell = /bin/bash
ldap_id_mapping = false
dyndns_update = false
ad_gpo_access_control = permissive
ad_maximum_machine_account_password_age = 0
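The .profile workaround mentioned above is a blanket 'unset KRB5CCNAME'. The added example below (not part of the bug report or of sssd) is a more selective guard: it only drops KRB5CCNAME when the FILE: cache it names belongs to another uid, using the file owner when the cache exists and otherwise the krb5cc_<uid>_XXXXXX naming seen in the env output above. The function names are assumptions; KEYRING:, KCM: and DIR: caches are left alone.

```sh
# krb5_ccache_uid CCNAME
# Print the uid a FILE: credential cache belongs to. Prefers the real file
# owner; when the file is gone, falls back to the krb5cc_<uid>_XXXXXX name
# pattern (constructed from the caches shown in this report). Returns 1 for
# cache types it cannot inspect (KEYRING:, KCM:, DIR:).
krb5_ccache_uid() {
    case $1 in
        FILE:*) path=${1#FILE:} ;;
        /*)     path=$1 ;;
        *)      return 1 ;;
    esac
    if [ -e "$path" ]; then
        # GNU stat first, BSD stat as fallback
        stat -c %u "$path" 2>/dev/null || stat -f %u "$path"
        return
    fi
    base=${path##*/}
    case $base in
        krb5cc_[0-9]*)
            uid=${base#krb5cc_}
            uid=${uid%%[!0-9]*}      # strip the random suffix after the uid
            printf '%s\n' "$uid" ;;
        *) return 1 ;;
    esac
}

# krb5_ccache_is_foreign CCNAME MY_UID
# Exit 0 when the cache clearly belongs to a different uid, 1 otherwise.
# Unknown cache types count as "not foreign" so KEYRING/KCM setups keep working.
krb5_ccache_is_foreign() {
    owner=$(krb5_ccache_uid "$1") || return 1
    [ -n "$owner" ] && [ "$owner" != "$2" ]
}

# Guard for ~/.profile: keep our own cache, drop one inherited through sudo.
# Usage in .profile:  . /path/to/this/file; krb5_ccache_guard
krb5_ccache_guard() {
    [ -n "$KRB5CCNAME" ] || return 0
    if krb5_ccache_is_foreign "$KRB5CCNAME" "$(id -u)"; then
        echo "dropping inherited KRB5CCNAME=$KRB5CCNAME" >&2
        unset KRB5CCNAME
    fi
}
```

With the env dump from the report, user "local" would see KRB5CCNAME=FILE:/tmp/krb5cc_30010_i1f8Bd flagged as foreign (uid 30010 is SUDO_UID, not the target user), while the same guard run as jpf leaves the variable untouched.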
