[Bug 732990] Re: libpam-krb5 writes to /tmp, does not work when disk is full.

Steve Langasek steve.langasek at canonical.com
Mon Feb 6 05:47:40 UTC 2012


This bug was fixed in the package libpam-krb5 - 4.5-3

---------------
libpam-krb5 (4.5-3) unstable; urgency=low

  * Fix build rule to not override CPPFLAGS, which deactivates some of the
    options passed in by dpkg-buildflags.  Instead, use --with-krb5-lib
    and --with-krb5-include to locate the Kerberos headers and libraries.
    Thanks, Moritz Muehlenhoff.  (Closes: #654293)

 -- Russ Allbery <rra at debian.org>  Tue, 03 Jan 2012 13:38:12 -0800

libpam-krb5 (4.5-2) unstable; urgency=low

  * Cherry-pick upstream patch to fix initialization of krb5_deltat
    defaults on systems where krb5_deltat is not a long.  Should fix FTBFS
    on s390x.

 -- Russ Allbery <rra at debian.org>  Mon, 26 Dec 2011 16:36:21 -0800

libpam-krb5 (4.5-1) unstable; urgency=low

  * New upstream release.
    - The temporary root-only ticket cache is now stored relative to
      ccache_dir rather than hard-coded to be in /tmp.
    - Suppress the notice that the password is being changed because it's
      expired if force_first_pass or use_first_pass are set in the
      password stack.
    - Confirm the password can get kadmin/changepw credentials before
      returning the status code indicating it's expired, working around a
      bug in old Heimdal versions that return expired even for incorrect
      passwords.
    - Better error reporting of authorization (such as .k5login) failures.
    - Prefer the change password protocol when linked with MIT libraries
      for better compatibility with older KDCs.
    - Improve logging and authorization when defer_pwchange is set.
    - Close some memory leaks.
    - Report symbolic names of PAM flags in debug logging.
  * Enable compiler hardening flags.
  * Remove "v5" from the long description.  Kerberos v5 has been the
    default version of Kerberos for over ten years.

 -- Russ Allbery <rra at debian.org>  Sat, 24 Dec 2011 17:34:03 -0800

** Changed in: libpam-krb5 (Ubuntu)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to libpam-krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/732990

Title:
  libpam-krb5 writes to /tmp, does not work when disk is full.

Status in “libpam-krb5” package in Ubuntu:
  Fix Released

Bug description:
  Binary package hint: libpam-krb5

  When creating a new ticket cache, libpam-krb5 stashes the cache in a
  temporary location:

  api-auth.c:        pamret = pamk5_cache_init_random(args, creds);
  api-password.c:        pamret = pamk5_cache_init_random(args, creds);

  in cache.c: pamk5_cache_init_random:
      char cache_name[] = "/tmp/krb5cc_pam_XXXXXX";
      /* Store the obtained credentials in a temporary cache. */
      pamret = pamk5_cache_mkstemp(args, cache_name);
      if (pamret != PAM_SUCCESS)
          return pamret;

  If /tmp is full this call fails and the entire pam stack will fail.
  When the rootfs is full users kind of expect to be able to do normal
  operations such as unlocking their screen or using sudo to gain root
  access to delete files.

  It would be nice if we could control where the tempfile was written in
  /etc/krb5.conf like many of the other pam options.

  antarus at goats ~/local/libpam-krb5-4.2 $ lsb_release -rd
  Description:    Ubuntu 10.04.1 LTS
  Release:        10.04

  antarus at goats ~/local/libpam-krb5-4.2 $ apt-cache policy libpam-krb5
  libpam-krb5:
    Installed: 4.2-1
    Candidate: 4.2-1

  I expect to be able to configure libpam-krb5 to write to a tmpfs or
  something that is harder to fill up.  An attacker could fill /tmp and
  cause any krb5-based authentication to fail.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libpam-krb5/+bug/732990/+subscriptions
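
Added example (not part of the original message and not libpam-krb5's own code): a sketch of creating the temporary ticket cache under a configurable directory, as the 4.5-1 changelog entry describes, instead of the hard-coded /tmp template quoted in the bug description. The function name make_temp_ccache and its parameters are hypothetical; errno is left set (for example to ENOSPC on a full filesystem) so the caller can log why cache creation failed.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Hypothetical helper, not the libpam-krb5 API.  Creates a private temporary
 * ticket cache file under ccache_dir.  On success returns an open descriptor
 * and leaves the generated path in out; on failure returns -1 with errno set.
 */
int make_temp_ccache(const char *ccache_dir, char *out, size_t outlen)
{
    struct stat st;
    int fd, n;

    if (ccache_dir == NULL || ccache_dir[0] != '/') {
        errno = EINVAL;                 /* require an absolute directory */
        return -1;
    }
    if (stat(ccache_dir, &st) != 0)
        return -1;                      /* errno from stat, e.g. ENOENT */
    if (!S_ISDIR(st.st_mode)) {
        errno = ENOTDIR;
        return -1;
    }
    n = snprintf(out, outlen, "%s/krb5cc_pam_XXXXXX", ccache_dir);
    if (n < 0 || (size_t) n >= outlen) {
        errno = ENAMETOOLONG;           /* never hand mkstemp a truncated template */
        return -1;
    }
    fd = mkstemp(out);                  /* exclusive create; errno kept on failure */
    if (fd < 0)
        return -1;
    if (fchmod(fd, S_IRUSR | S_IWUSR) != 0) {   /* force 0600 on older libcs */
        int saved = errno;
        close(fd);
        unlink(out);
        errno = saved;
        return -1;
    }
    return fd;
}
```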



