Bug 228 - pam_krb5 on Solaris creates credentials with wrong owner
Summary: pam_krb5 on Solaris creates credentials with wrong owner
Status: CLOSED DUPLICATE of bug 127
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: -current
Hardware: UltraSPARC Solaris
Importance: P2 normal
Assignee: OpenSSH Bugzilla mailing list
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2002-04-26 20:34 AEST by Gunnar Brading
Modified: 2004-04-14 12:24 AEST

Description Gunnar Brading 2002-04-26 20:34:27 AEST
pam_setcred() is called before the UID is set to the user's own, and pam_krb5 on Solaris sets the owner of the /tmp/krb5cc_xxx file to root.
The pam_krb5 module should really check this, but it does not, and a simple workaround is to move the setcred call to after the UID setting.

*** session.c-ORG	Mon Feb 25 16:48:03 2002
--- session.c	Mon Apr 22 03:48:01 2002
***************
*** 1135,1140 ****
--- 1135,1145 ----
  			exit(1);
  		}
  		endgrent();
+ # if defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY)
+ 		irix_setusercontext(pw);
+ #  endif /* defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY) */
+ 		/* Permanently switch to the desired uid. */
+ 		permanently_set_uid(pw);
  # ifdef USE_PAM
  		/*
  		 * PAM credentials may take the form of supplementary groups. 
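Review bot: moving permanently_set_uid(pw) ahead of the `# ifdef USE_PAM` block means do_pam_setcred() now runs after root privileges are gone, but the comment that follows, `PAM credentials may take the form of supplementary groups.`, documents exactly the case that needs them: setgroups() is only permitted for a privileged process, so a PAM module that installs supplementary groups during setcred would fail under this ordering. The reorder fixes the ownership of the pam_krb5 cache on Solaris at the cost of that general case; if it is kept, the `/* Permanently switch to the desired uid. */` comment should say that setcred is deliberately run unprivileged and why, and the supplementary-groups comment should be revised to match.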
***************
*** 1143,1153 ****
  		 */
  		do_pam_setcred(0);
  # endif /* USE_PAM */
- # if defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY)
- 		irix_setusercontext(pw);
- #  endif /* defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY) */
- 		/* Permanently switch to the desired uid. */
- 		permanently_set_uid(pw);
  #endif
  	}
  	if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
--- 1148,1153 ----
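Review bot: this hunk only deletes the five lines re-added above the `# ifdef USE_PAM` block, so the whole patch is a pure reordering of permanently_set_uid(pw) relative to do_pam_setcred(0); nothing left in the file records that the order matters, so a later cleanup could swap it back without noticing. A one-line comment beside `do_pam_setcred(0);` naming the Solaris pam_krb5 ownership problem would prevent that. Since the description itself says the module should be ensuring the cache owner, fixing ownership in the module is the alternative that leaves the privileged PAM phase in place.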
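The report's point is that the credential cache ends up owned by root rather than by the user it was created for, and that the module should be checking this. The following C check, added here as an example and not code from OpenSSH or pam_krb5, shows what such a check looks like: it verifies that a cache file at a given path is a regular file, owned by the expected uid, and not group- or world-accessible. The function names `ccache_owned_by()` and `demo_check()`, and the `/tmp/krb5cc_example_*` path, are assumptions made for the example.

```c
/* Added example (not OpenSSH or pam_krb5 code): verify that a Kerberos
 * credential cache file belongs to the user it was created for.
 * ccache_owned_by() returns 1 if the file passes, 0 otherwise. */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

int ccache_owned_by(const char *path, uid_t expected_uid)
{
    struct stat st;

    /* lstat, not stat: a symlink left in /tmp must not redirect the check */
    if (lstat(path, &st) != 0)
        return 0;
    if (!S_ISREG(st.st_mode))
        return 0;
    /* the owner must be the user the cache is for, not root */
    if (st.st_uid != expected_uid)
        return 0;
    /* a credential cache must not be readable or writable by others */
    if (st.st_mode & (S_IRWXG | S_IRWXO))
        return 0;
    return 1;
}

/* Creates a cache-like temporary file (constructed name, hypothetical
 * helper) as the current user, runs the check against expected_uid,
 * and removes the file. Returns the check result, or -1 if the file
 * could not be created. */
int demo_check(uid_t expected_uid)
{
    char path[] = "/tmp/krb5cc_example_XXXXXX";
    int fd = mkstemp(path);   /* mkstemp creates the file with mode 0600 */
    int ok;

    if (fd < 0)
        return -1;
    close(fd);
    ok = ccache_owned_by(path, expected_uid);
    unlink(path);
    return ok;
}

int main(void)
{
    uid_t me = getuid();

    /* A cache created by the current uid passes; one attributed to any
     * other uid (the root-owned case from the report) fails. */
    printf("owned by current uid: %d\n", demo_check(me));
    printf("owned by another uid: %d\n", demo_check(me + 1));
    return 0;
}
```

Run as an unprivileged user, the first check returns 1 and the second 0; a cache that sshd's setcred had created while still root would fail the first check for the login user, which is the condition the report describes.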
Comment 1 Damien Miller 2002-04-26 21:06:42 AEST
Solaris PAM breaks in other ways if the PAM stuff is done after the fork+setuid.
CVS -current contains built-in krbV support, can you try that instead?
Comment 2 Damien Miller 2003-01-07 17:58:52 AEDT
This seems to be a better description of Bug #127

*** This bug has been marked as a duplicate of 127 ***
Comment 3 Damien Miller 2004-04-14 12:24:18 AEST
Mass change of RESOLVED bugs to CLOSED