[Pkg-sssd-devel] Bug#1036993: /lib/x86_64-linux-gnu/security/pam_sss.so: pam_sss passes KRB5CCNAME with sudo -i (see redhat bug/fix 1324486)
J. Pfennig
info at j-pfennig.de
Wed May 31 19:34:52 BST 2023
Package: libpam-sss
Version: 2.8.2-4
Severity: normal
File: /lib/x86_64-linux-gnu/security/pam_sss.so
Dear Maintainer,
* What led up to the situation?
using Kerberos, AD/DC, sssd and its PAM module
* What exactly did you do (or not do) that was effective (or
ineffective)?
kinit ... # to get a Kerberos ticket
echo $KRB5CCNAME # path to credential cache
sudo -i user2
echo $KRB5CCNAME # ORIGINAL path to credential cache
* What was the outcome of this action?
kinit, klist et al fail, wrong credential cache
echo $KRB5CCNAME # path from original user
* What outcome did you expect instead?
KRB5CCNAME must not be passed
the case is described better than I can do at:
https://bugzilla.redhat.com/show_bug.cgi?id=1324486
Bug fixed there in 2017. Could Debian fix it too?
Thanks, Jürgen
-- System Information:
Debian Release: 12.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 6.1.0-9-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages libpam-sss:amd64 depends on:
ii libc6 2.36-9
ii libgssapi-krb5-2 1.20.1-2
ii libpam-pwquality 1.4.5-1+b1
ii libpam-runtime 1.5.2-6
ii libpam0g 1.5.2-6
Versions of packages libpam-sss:amd64 recommends:
ii sssd 2.8.2-4
libpam-sss:amd64 suggests no packages.
-- no debconf information
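
A check for the condition reported above, as an added example that is not part of the original report or of sssd: it classifies the cache named by KRB5CCNAME against the UID of the session using it, so an inherited cache shows up as "foreign". The function names are hypothetical, and `stat -c %u` assumes GNU coreutils as on the Debian system in the report.

```shell
#!/bin/sh
# Added example (not from the bug report): classify the credential cache
# named by KRB5CCNAME relative to a given UID.

# ccache_path NAME -> print the filesystem path of a FILE:/DIR: cache.
# Returns 1 for cache types with no path to inspect (KEYRING:, KCM:, ...).
ccache_path() {
    case "$1" in
        FILE:*) printf '%s\n' "${1#FILE:}" ;;
        DIR::*) printf '%s\n' "${1#DIR::}" ;;   # one cache inside a DIR collection
        DIR:*)  printf '%s\n' "${1#DIR:}" ;;    # the collection directory itself
        /*)     printf '%s\n' "$1" ;;           # bare path defaults to FILE
        *)      return 1 ;;
    esac
}

# ccache_status NAME UID -> print one of:
#   unset | not-a-file-cache | missing | owned | foreign
ccache_status() {
    name=$1 uid=$2
    [ -n "$name" ] || { echo unset; return 0; }
    path=$(ccache_path "$name") || { echo not-a-file-cache; return 0; }
    [ -e "$path" ] || { echo missing; return 0; }
    owner=$(stat -c %u "$path") || return 2     # GNU stat (assumption)
    if [ "$owner" = "$uid" ]; then
        echo owned
    else
        echo foreign    # cache belongs to another UID, e.g. the sudo caller
    fi
}

# Report for the current session.
echo "KRB5CCNAME=${KRB5CCNAME:-} -> $(ccache_status "${KRB5CCNAME:-}" "$(id -u)")"
```

Run in the shell obtained from sudo -i, a result of "foreign" or "missing" matches the symptom described in the report; "unset" or "owned" is the expected outcome.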