When running sudo -i, pam_sss still sets the KRB5CCNAME environment variable of the user that was used for authentication. It should not set the environment variable for sudo cases, or it should be optionally configurable by the admin.
Otherwise, with sudo -i, root is given the ccache of the user; a kdestroy will wipe the user's ccache, and any operation as root may change the ccache permissions or otherwise race with user processes.
This is not a security issue as the user ccache is the cache of the originating user, so nothing is really leaked, but it may cause issues and should be fixed.
Fields changed
milestone: NEEDS_TRIAGE => SSSD 1.13 beta rhbz: => todo
mark: => 0
milestone: SSSD 1.13 beta => SSSD 1.13 backlog priority: major => minor
Mass-moving tickets not planned for the next two releases.
Please reply with a comment if you disagree about the move.
milestone: SSSD 1.13 backlog => SSSD 1.15 beta
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1324486 (Red Hat Enterprise Linux 6)
rhbz: todo => [https://bugzilla.redhat.com/show_bug.cgi?id=1324486 1324486]
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1329378 (Red Hat Enterprise Linux 6)
rhbz: [https://bugzilla.redhat.com/show_bug.cgi?id=1324486 1324486] => [https://bugzilla.redhat.com/show_bug.cgi?id=1324486 1324486], [https://bugzilla.redhat.com/show_bug.cgi?id=1329378 1329378]
milestone: SSSD 1.16 beta => SSSD 1.13.5 owner: somebody => sbose sensitive: => 0
The solution proposed by Sumit is:
- add a new option for the pam responder that would list the services that don't receive the KRB5CCNAME value
- by default the option is empty for this release, affected users can add sudo/sudo-i there manually
- in future releases we can extend the option by default
patch: 0 => 1 status: new => assigned
resolution: => fixed status: assigned => closed
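A check for the symptom this ticket describes, as an added example that is not part of the original ticket or of SSSD: it reports when KRB5CCNAME names a credential cache owned by a uid other than the session's own. The function names and sample values are constructed for illustration, and it assumes `KEYRING:persistent:<uid>` and `KCM:<uid>` names carry the owning uid.

```shell
#!/bin/sh
# Added example (not SSSD code): flag a KRB5CCNAME that names a credential
# cache owned by another uid, the symptom this ticket describes for sudo -i.

# Print the uid owning the ccache named by $1 (a KRB5CCNAME value).
# Returns 1 if the owner cannot be determined (unset, missing file, MEMORY:).
ccache_owner_uid() {
    name=$1; uid=; path=
    case $name in
        KEYRING:persistent:?*) uid=${name#KEYRING:persistent:}; uid=${uid%%:*} ;;
        KCM:?*)                uid=${name#KCM:}; uid=${uid%%:*} ;;
        DIR::?*)               path=${name#DIR::} ;;   # one cache in a collection
        DIR:?*)                path=${name#DIR:} ;;
        FILE:?*)               path=${name#FILE:} ;;
        /*)                    path=$name ;;           # bare path means FILE:
        *)                     return 1 ;;
    esac
    if [ -n "$path" ]; then
        [ -e "$path" ] || return 1
        uid=$(stat -c %u "$path" 2>/dev/null || stat -f %u "$path" 2>/dev/null) || return 1
    fi
    case $uid in ''|*[!0-9]*) return 1 ;; esac
    printf '%s\n' "$uid"
}

# Exit status 0 when the ccache in $1 belongs to a uid other than $2.
ccache_is_foreign() {
    owner=$(ccache_owner_uid "$1") || return 1
    [ "$owner" != "$2" ]
}

# Constructed sample values, evaluated as if seen in a root (uid 0) session.
for n in KEYRING:persistent:1000 KCM:0 MEMORY:demo; do
    if ccache_is_foreign "$n" 0; then echo "$n: foreign ccache"; else echo "$n: ok"; fi
done

# Check the live session, e.g. right after `sudo -i`.
if ccache_is_foreign "${KRB5CCNAME:-}" "$(id -u)"; then
    echo "KRB5CCNAME=$KRB5CCNAME belongs to uid $owner, not $(id -u)"
fi
```

Run it in the shell that `sudo -i` opens: a report line means root is operating on the originating user's ccache.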
Metadata Update from @simo:
- Issue assigned to sbose
- Issue set to the milestone: SSSD 1.13.5
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/3338
If you want to receive further updates on the issue, please navigate to the github issue and click on the subscribe button.
Thank you for understanding. We apologize for all inconvenience.