Log when non-root ksu authorization fails

Resolves: #1575771
2018-06-01 14:04:16 -04:00 · 2018-06-01 14:04:16 -04:00 · 6e3058a9c5
commit 6e3058a9c5
parent 9467290bc7
3 changed files with 175 additions and 1 deletions
--- a/Fix-segfault-in-finish_dispatch.patch
+++ b/Fix-segfault-in-finish_dispatch.patch
@ -0,0 +1,133 @@
+From d134cd489a6841f510b3efdf4ddcb283493655f0 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Wed, 18 Apr 2018 14:13:28 -0400
+Subject: [PATCH] Fix segfault in finish_dispatch()
+
+dispatch() doesn't necessarily initialize state->active_realm which
+led to an explicit NULL dereference in finish_dispatch().
+
+Additionally, fix make_too_big_error() so that it won't subsequently
+dereference state->active_realm.
+
+tags: pullup
+target_version: 1.16-next
+target_version: 1.15-next
+---
+ src/kdc/dispatch.c | 79 ++++++++++++++++++++++++----------------------
+ 1 file changed, 42 insertions(+), 37 deletions(-)
+
+diff --git a/src/kdc/dispatch.c b/src/kdc/dispatch.c
+index 3ed5176a8..fb3686c98 100644
+--- a/src/kdc/dispatch.c
+++ b/src/kdc/dispatch.c
+@@ -35,9 +35,6 @@
+ 
+ static krb5_int32 last_usec = 0, last_os_random = 0;
+ 
+-static krb5_error_code make_too_big_error(kdc_realm_t *kdc_active_realm,
+-                                          krb5_data **out);
+-
+ struct dispatch_state {
+     loop_respond_fn respond;
+     void *arg;
+@@ -47,6 +44,41 @@ struct dispatch_state {
+     krb5_context kdc_err_context;
+ };
+ 
+
+static krb5_error_code
+make_too_big_error(krb5_context context, krb5_principal tgsprinc,
+                   krb5_data **out)
+{
+    krb5_error errpkt;
+    krb5_error_code retval;
+    krb5_data *scratch;
+
+    *out = NULL;
+    memset(&errpkt, 0, sizeof(errpkt));
+
+    retval = krb5_us_timeofday(context, &errpkt.stime, &errpkt.susec);
+    if (retval)
+        return retval;
+    errpkt.error = KRB_ERR_RESPONSE_TOO_BIG;
+    errpkt.server = tgsprinc;
+    errpkt.client = NULL;
+    errpkt.text.length = 0;
+    errpkt.text.data = 0;
+    errpkt.e_data.length = 0;
+    errpkt.e_data.data = 0;
+    scratch = malloc(sizeof(*scratch));
+    if (scratch == NULL)
+        return ENOMEM;
+    retval = krb5_mk_error(context, &errpkt, scratch);
+    if (retval) {
+        free(scratch);
+        return retval;
+    }
+
+    *out = scratch;
+    return 0;
+}
+
+ static void
+ finish_dispatch(struct dispatch_state *state, krb5_error_code code,
+                 krb5_data *response)
+@@ -54,12 +86,17 @@ finish_dispatch(struct dispatch_state *state, krb5_error_code code,
+     loop_respond_fn oldrespond = state->respond;
+     void *oldarg = state->arg;
+     kdc_realm_t *kdc_active_realm = state->active_realm;
+    krb5_principal tgsprinc = NULL;
+
+    if (kdc_active_realm != NULL)
+        tgsprinc = kdc_active_realm->realm_tgsprinc;
+ 
+     if (state->is_tcp == 0 && response &&
+         response->length > (unsigned int)max_dgram_reply_size) {
+-        krb5_free_data(kdc_context, response);
+        krb5_free_data(state->kdc_err_context, response);
+         response = NULL;
+-        code = make_too_big_error(kdc_active_realm, &response);
+        code = make_too_big_error(state->kdc_err_context, tgsprinc,
+                                  &response);
+         if (code)
+             krb5_klog_syslog(LOG_ERR, "error constructing "
+                              "KRB_ERR_RESPONSE_TOO_BIG error: %s",
+@@ -208,38 +245,6 @@ done:
+     finish_dispatch_cache(state, retval, response);
+ }
+ 
+-static krb5_error_code
+-make_too_big_error(kdc_realm_t *kdc_active_realm, krb5_data **out)
+-{
+-    krb5_error errpkt;
+-    krb5_error_code retval;
+-    krb5_data *scratch;
+-
+-    *out = NULL;
+-    memset(&errpkt, 0, sizeof(errpkt));
+-
+-    retval = krb5_us_timeofday(kdc_context, &errpkt.stime, &errpkt.susec);
+-    if (retval)
+-        return retval;
+-    errpkt.error = KRB_ERR_RESPONSE_TOO_BIG;
+-    errpkt.server = tgs_server;
+-    errpkt.client = NULL;
+-    errpkt.text.length = 0;
+-    errpkt.text.data = 0;
+-    errpkt.e_data.length = 0;
+-    errpkt.e_data.data = 0;
+-    scratch = malloc(sizeof(*scratch));
+-    if (scratch == NULL)
+-        return ENOMEM;
+-    retval = krb5_mk_error(kdc_context, &errpkt, scratch);
+-    if (retval) {
+-        free(scratch);
+-        return retval;
+-    }
+-
+-    *out = scratch;
+-    return 0;
+-}
+ 
+ krb5_context get_context(void *handle)
+ {
--- a/Log-when-non-root-ksu-authorization-fails.patch
+++ b/Log-when-non-root-ksu-authorization-fails.patch
@ -0,0 +1,35 @@
+From 6b85df6c6f4bb0e61ba0913722317f4e2c3c23fc Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Mon, 7 May 2018 16:42:59 -0400
+Subject: [PATCH] Log when non-root ksu authorization fails
+
+If non-root user attempts to ksu but is denied by policy, log to
+syslog at LOG_WARNING in keeping with other failure messages.
+
+ticket: 8270
+(cherry picked from commit 6cfa5c113e981f14f70ccafa20abfa5c46b665ba)
+---
+ src/clients/ksu/main.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c
+index c6321c01b..35ff8978f 100644
+--- a/src/clients/ksu/main.c
+++ b/src/clients/ksu/main.c
+@@ -417,6 +417,16 @@ main (argc, argv)
+     if (hp){
+         if (gb_err) fprintf(stderr, "%s", gb_err);
+         fprintf(stderr, _("account %s: authorization failed\n"), target_user);
+
+        if (cmd != NULL) {
+            syslog(LOG_WARNING,
+                   "Account %s: authorization for %s for execution of %s failed",
+                   target_user, source_user, cmd);
+        } else {
+            syslog(LOG_WARNING, "Account %s: authorization of %s failed",
+                   target_user, source_user);
+        }
+
+         exit(1);
+     }
+ 
--- a/krb5.spec
+++ b/krb5.spec
@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.16.1
 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
-Release: 2%{?dist}
+Release: 3%{?dist}

 # lookaside-cached sources; two downloads and a build artifact
 Source0: https://web.mit.edu/kerberos/dist/krb5/1.16/krb5-%{version}%{prerelease}.tar.gz
@ -87,6 +87,8 @@ Patch64: Zap-data-when-freeing-krb5_spake_factor.patch
 Patch65: Be-more-careful-asking-for-AS-key-in-SPAKE-client.patch
 Patch68: Restrict-pre-authentication-fallback-cases.patch
 Patch69: Remove-nodes-option-from-make-certs-scripts.patch
+Patch70: Fix-segfault-in-finish_dispatch.patch
+Patch71: Log-when-non-root-ksu-authorization-fails.patch

 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@ -738,6 +740,10 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*

 %changelog
+* Fri Jun 01 2018 Robbie Harwood <rharwood@redhat.com> - 1.16.1-3
+- Log when non-root ksu authorization fails
+- Resolves: #1575771
+
 * Fri May 04 2018 Robbie Harwood <rharwood@redhat.com> - 1.16.1-2
 - Remove "-nodes" option from make-certs scripts