--- - branch: netbsd-8 date: Fri Sep 8 09:09:56 UTC 2023 files: - new: 1.9.18.2 old: 1.9.18.1 path: src/lib/libpam/modules/pam_ksu/pam_ksu.c pathrev: src/lib/libpam/modules/pam_ksu/pam_ksu.c@1.9.18.2 type: modified id: 20230908T090956Z.62bbeb2daf665481e3a0aaf874526cf86c0e95d1 log: "Pull up following revision(s) (requested by riastradh in ticket #1896):\n\n\tlib/libpam/modules/pam_ksu/pam_ksu.c: revision 1.11\n\npam_ksu(8): Allow homedir access during kuserok.\n\nOtherwise, the default kuserok logic to look at ~targetuser/.k5login\nwould be blocked by the security measure to thwart NetBSD-SA2023-005.\n\n(There are other ways, e.g. setting SYSTEM-K5LOGIN in /etc/krb5.conf\nso the file is /etc/k5login.d/user instead of ~user/.k5login, but\nthat's not the default configuration and there are plenty of\ndeployments that rely on ~user/.k5login today.)\n\nI reviewed libkrb5 for homedir access checks. There are three:\n1. krb5_config_parse_file_multi, called only by:\n - verify_krb5_conf -- not relevant\n - krb5_config_parse_file -- not used here as far as I can tell,\n only by libhdb ldap logic and test code in heimdal\n - krb5_set_config_files -- used here only via krb5_init_context,\n \ which is done at this point\n2. plugin_get_hosts in krbhst.c, used to look up hosts for KDC I/O,\n which shouldn't be happening at this point, so this is almost\n certainly unreachable; also it only appears to control whether\n \ some old plugin API can be used, long after we have read the krb5\n config controlling which plugins are available, so this is\n probably harmless\n3. krb5_kuserok, which is the one we want to allow\n\nNote: This will have to be updated again in the next Heimdal update,\nwhich eliminates the global homedir access flag in favour of making\nthe default per-context homedir access flag conditional on !issuid.\n" module: src subject: 'CVS commit: [netbsd-8] src/lib/libpam/modules/pam_ksu' unixtime: '1694164196' user: martin