kinit should print an error if credentials cache has invalid permissions

Bug #740477 reported by Alec Warner
This bug affects 3 people
Affects: krb5 (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned

Bug Description

Binary package hint: krb5-user

The obvious use case is a user does something silly such as:

sudo kinit -p <principal> and promptly makes a root:root ccache file for the specified principal.

Then the user later tries to kinit as that user and in fact everything *looks* fine...the kinit doesn't print any errors and returns 0. However the truth is nothing was done because the ccache is the wrong permissions.

klist prints an error well enough:

klist: Credentials cache permissions incorrect while setting cache flags (ticket cache FILE:/var/run/ccache/krb5cc_45531_DIPCWB)

-A

Tags: lucid
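
An added example, not part of the original report or of krb5: a shell pre-check for the situation described above, where a FILE: credentials cache left behind by `sudo kinit` belongs to root and a later kinit by the user reports nothing. The function name `check_ccache`, its return codes and the rule that group/other mode bits must be clear are assumptions of this example.

```shell
#!/bin/sh
# check_ccache NAME [EXPECTED_UID]   (hypothetical helper, not part of krb5)
# NAME is a KRB5CCNAME-style value: FILE:/path or a bare absolute path.
# EXPECTED_UID defaults to the calling user's uid.
# Returns: 0 usable, 1 missing, 2 wrong owner, 3 not readable/writable by the
#          caller, 4 group/other bits set (assumed policy), 5 not a FILE cache.
# Usage:   check_ccache "$KRB5CCNAME" && kinit <principal>
check_ccache() {
    cc_name=$1
    cc_uid=${2:-$(id -u)}
    case $cc_name in
        FILE:*) cc_path=${cc_name#FILE:} ;;
        /*)     cc_path=$cc_name ;;
        *)      echo "check_ccache: not a FILE cache: $cc_name" >&2
                return 5 ;;
    esac
    if [ ! -f "$cc_path" ]; then
        echo "check_ccache: $cc_path does not exist" >&2
        return 1
    fi
    # ls -ldn prints numeric ids: field 1 is the mode string, field 3 the owner uid.
    cc_owner=$(ls -ldn "$cc_path" | awk '{print $3}')
    # Characters 5-10 of the mode string are the group and other permission bits.
    cc_bits=$(ls -ldn "$cc_path" | awk '{print substr($1, 5, 6)}')
    if [ "$cc_owner" != "$cc_uid" ]; then
        echo "check_ccache: $cc_path is owned by uid $cc_owner, expected $cc_uid" >&2
        return 2
    fi
    if [ ! -r "$cc_path" ] || [ ! -w "$cc_path" ]; then
        echo "check_ccache: $cc_path is not readable and writable by the caller" >&2
        return 3
    fi
    if [ "$cc_bits" != "------" ]; then
        echo "check_ccache: $cc_path is accessible to group or other" >&2
        return 4
    fi
    return 0
}
```
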
James Page (james-page) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. Please execute the following command, as it will automatically gather debugging information, in a terminal:

apport-collect 740477

When reporting bugs in the future please use apport by using 'ubuntu-bug' and the name of the package affected. You can learn more about this functionality at https://wiki.ubuntu.com/ReportingBugs.

Changed in krb5 (Ubuntu):
status: New → Incomplete
Russ Allbery (rra-debian) wrote :

The bug is trivially reproducible given the instructions given by the reporter. I don't see any need for them to run apport-collect to gather more data.

Changed in krb5 (Ubuntu):
status: Incomplete → Confirmed
Sam Hartman (hartmans) wrote : Re: [Bug 740477] [NEW] kinit should print an error if credentials cache has invalid permissions

I suspect what's going on here is that when
krb5_get_init_creds_set_out_ccache was added
the error reporting was bad.

I will attempt to look at this if no one gets there sooner.
Take a look at the handling of out_ccache in
src/lib/krb5/krb/get_in_tkt.c

scm (scm)
tags: added: glucid lucid
Mathew Hodson (mhodson)
tags: removed: glucid