#2296 pam_sss set KRB5CCNAME with sudo logins
Closed: Fixed None Opened 6 years ago by simo.

when running sudo -i pam_sss still sets the KRB5CCNAME environment variable of the user that was used for authentication. It should not set the environment variable for sudo cases or should be optionally configurable by the admin.

Otherwise with sudo -i root is given the ccache of the user, a kdestroy will wipe the user's ccache and any operation as root may change the ccache permissions or otherwise race with user processes.

This is not a security issue as the user ccache is the cache of the originating user, so nothing is really leaked, but it may cause issues and should be fixed.

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.13 beta
rhbz: => todo

Fields changed

mark: => 0

Fields changed

milestone: SSSD 1.13 beta => SSSD 1.13 backlog
priority: major => minor

Mass-moving tickets not planned for the next two releases.

Please reply with a comment if you disagree about the move..

milestone: SSSD 1.13 backlog => SSSD 1.15 beta

Fields changed

milestone: SSSD 1.16 beta => SSSD 1.13.5
owner: somebody => sbose
sensitive: => 0

The solution proposed by Sumit is:
- add a new option for the pam responder that would list the services that don't receive the KRB5CCNAME value
- by default the option is empty for this release, affectd users can add sudo/sudo-i there manually
- in future releases we can extend the option by default

Fields changed

patch: 0 => 1
status: new => assigned

resolution: => fixed
status: assigned => closed

Metadata Update from @simo:
- Issue assigned to sbose
- Issue set to the milestone: SSSD 1.13.5

3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/3338

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Login to comment on this ticket.