From traister@manta.traister-one.org  Thu Jun 19 00:12:29 1997
Received: from manta.traister-one.org (root@dfbfl1-6.gate.net [198.206.135.133])
          by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id AAA12170
          for <FreeBSD-gnats-submit@freebsd.org>; Thu, 19 Jun 1997 00:12:27 -0700 (PDT)
Received: (from traister@localhost)
	by manta.traister-one.org (8.8.5/8.8.5) id DAA09402;
	Thu, 19 Jun 1997 03:12:21 -0400 (EDT)
Message-Id: <199706190712.DAA09402@manta.traister-one.org>
Date: Thu, 19 Jun 1997 03:12:21 -0400 (EDT)
From: Joe Traister <traister@gate.net>
Reply-To: traister@gate.net
To: FreeBSD-gnats-submit@freebsd.org
Subject: Kerberized su -l fails with segfault
X-Send-Pr-Version: 3.2

>Number:         3903
>Category:       bin
>Synopsis:       Kerberized su -l fails with segfault
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    markm
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jun 19 00:20:01 PDT 1997
>Closed-Date:    Sun Sep 28 02:37:40 PDT 1997
>Last-Modified:  Sun Sep 28 02:38:11 PDT 1997
>Originator:     Joe Traister
>Release:        FreeBSD 2.2.2-RELEASE i386
>Organization:
None
>Environment:

	FreeBSD 2.2.2 with Kerberos installed, configured and running.

>Description:

	su -l fails with a segfault when a Kerberos password is used.
	Because the kerberos() routine in su.c calls setenv(), setenv()
	sets its static flag to indicate that it has already allocated memory.
	When the environment is set to a fixed array and setusercontext()
	is called, the setenv() calls in that routine try to realloc() the array
	because the flag is set.

>How-To-Repeat:

	On a Kerberized machine, use su -l and then give a correct Kerberos
	password for a <user>.root principal.

>Fix:

--- /usr/src/usr.bin/su/su.c	Sat May 10 18:07:58 1997
+++ su.c	Thu Jun 19 02:51:46 1997
@@ -101,7 +101,7 @@
 	char *targetpass;
 	int iswheelsu;
 #endif /* WHEELSU */
-	char *p, **g, *user, *shell=NULL, *username, *cleanenv[20], **nargv, **np;
+	char *p, **g, *user, *shell=NULL, *username, **cleanenv, **nargv, **np;
 	struct group *gr;
 	uid_t ruid;
 	int asme, ch, asthem, fastlogin, prio, i;
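Review bot: with `cleanenv` now a bare pointer in the declaration line, it stays indeterminate until the `asthem` branch assigns it; the patch only dereferences it inside that branch, so this is safe today, but initialising it to NULL here (as the same line already does with `shell=NULL`) would keep any later use outside that branch from reading garbage.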
@@ -371,6 +371,8 @@
 	if (!asme) {
 		if (asthem) {
 			p = getenv("TERM");
+			if ((cleanenv = calloc(20, sizeof(char*))) == NULL)
+				errx(1, "calloc");
 			cleanenv[0] = NULL;
 			environ = cleanenv;
 #ifdef LOGIN_CAP
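Review bot: `errx(1, "calloc")` discards errno; `err(1, "calloc")` would report why the allocation failed. The count of 20 is also no longer meaningful: as the description notes, once setenv()'s flag is set it realloc()s the array on each new insertion, so a single slot for the terminating NULL (`calloc(1, sizeof(char *))`) is all that is needed, and the calloc is what makes that realloc legal where the stack array was not. The old `environ` array is abandoned rather than freed, which is fine since exec follows.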
>Release-Note:
>Audit-Trail:

From: Joe Traister <traister@gate.net>
To: freebsd-gnats-submit@freebsd.org
Cc:
Subject: Re: bin/3903: Kerberized su -l fails with segfault
Date: Fri, 20 Jun 1997 16:48:59 -0400

 The previous patch did not propagate the KRBTKFILE environment variable
 into the new environment when -l is given to su, making it impossible
 for kdestroy to find the ticket file.  This patch corrects that problem
 as well as the original segfault problem.
 
 --- su.c.dist	Sat May 10 18:07:58 1997
 +++ su.c	Fri Jun 20 13:58:53 1997
 @@ -101,7 +101,7 @@
  	char *targetpass;
  	int iswheelsu;
  #endif /* WHEELSU */
 -	char *p, **g, *user, *shell=NULL, *username, *cleanenv[20], **nargv, **np;
 +	char *p, **g, *user, *shell=NULL, *username, **cleanenv, **nargv, **np;
  	struct group *gr;
  	uid_t ruid;
  	int asme, ch, asthem, fastlogin, prio, i;
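Review bot: same declaration change as in the first patch; initialise `cleanenv` to NULL at declaration so the pointer is not indeterminate outside the `asthem` branch that assigns it.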
 @@ -113,6 +113,9 @@
  	char *style, *approvep, *auth_method = NULL;
  #endif
  #endif
 +#ifdef KERBEROS
 +	char *k;
 +#endif
  	char shellbuf[MAXPATHLEN];
  
  #ifdef WHEELSU
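Review bot: `k` is declared uninitialised and named opaquely; `char *krbtkfile = NULL;` would say what it carries and keep the later `if (k)` test well-defined even if the assignment in the `asthem` branch is ever moved or made conditional.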
 @@ -371,6 +374,11 @@
  	if (!asme) {
  		if (asthem) {
  			p = getenv("TERM");
 +#ifdef KERBEROS
 +			k = getenv("KRBTKFILE");
 +#endif
 +			if ((cleanenv = calloc(20, sizeof(char*))) == NULL)
 +				errx(1, "calloc");
  			cleanenv[0] = NULL;
  			environ = cleanenv;
  #ifdef LOGIN_CAP
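Review bot: the `getenv("KRBTKFILE")` must stay above `environ = cleanenv`, as placed here, because getenv() returns NULL once the new, empty array is installed; a one-line comment to that effect would stop a future reorder. The returned string remains valid after the swap only because the old pointer array is abandoned and not freed, which the same reasoning as for `p` (TERM) relies on.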
 @@ -381,6 +389,10 @@
  #endif
  			if (p)
  				(void)setenv("TERM", p, 1);
 +#ifdef KERBEROS
 +			if (k)
 +				(void)setenv("KRBTKFILE", k, 1);
 +#endif
  			if (chdir(pwd->pw_dir) < 0)
  				errx(1, "no directory");
  		}
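Review bot: `getenv("KRBTKFILE")` yields whatever the invoking user had in the environment whenever su's own kerberos() routine did not setenv() it, so this hunk can carry a caller-controlled ticket-file path into the target user's login environment rather than only the path su chose. Propagating it only when Kerberos authentication actually succeeded (or taking the value su set rather than re-reading the environment) would keep the pass-through limited to the kdestroy case the reply describes.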
 
 
Responsible-Changed-From-To: freebsd-bugs->markm 
Responsible-Changed-By: markm 
Responsible-Changed-When: Sun Jun 22 23:35:07 PDT 1997 
Responsible-Changed-Why:  
Kerberos is my baby. 
State-Changed-From-To: open->closed 
State-Changed-By: markm 
State-Changed-When: Sun Sep 28 02:37:40 PDT 1997 
State-Changed-Why:  
Committed, thanks! 
>Unformatted:
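The pattern behind the fix, shown as an added example rather than code from su.c or from FreeBSD: a privileged program that wants to hand a child a scrubbed environment must capture the values it intends to keep before swapping `environ`, and must install a heap-allocated pointer array, because setenv(3) implementations that track "I allocated this" (the 4.4BSD one this PR hit) will hand the array to realloc(3) on the next insertion. The allowlist below (TERM and KRBTKFILE, the two variables su -l carried after this patch) is an assumption for illustration, and the caller environment is constructed inline; the code uses the system setenv(3) and getenv(3) as-is.

```c
/* Added example, not FreeBSD's su.c: build a sanitized environment
 * for a privileged child with a heap-allocated pointer array. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

extern char **environ;

/* Names let through from the caller's environment (assumed allowlist;
 * su -l itself carried TERM and, with this PR's patch, KRBTKFILE). */
static const char *const keep[] = { "TERM", "KRBTKFILE", NULL };

/*
 * Replace the process environment with a fresh one holding only the
 * allowlisted names. Returns how many variables were carried over, or -1.
 *
 * The pointer array MUST come from the allocator: a setenv(3) that has
 * already grown the environment once may pass environ to realloc(3) on
 * the next insertion, and a stack array such as char *cleanenv[20] would
 * then be realloc'd -> the segfault this PR reports.
 */
int build_clean_environ(void)
{
    size_t n = 0;
    while (keep[n] != NULL)
        n++;

    /* Capture values first: after environ is swapped, getenv() on these
     * names returns NULL. The strings stay valid because only the
     * pointer array is replaced; the old one is abandoned, never freed. */
    const char **saved = calloc(n, sizeof(*saved));
    if (saved == NULL)
        return -1;
    for (size_t i = 0; i < n; i++)
        saved[i] = getenv(keep[i]);

    /* One slot for the terminating NULL; setenv grows it as needed. */
    char **cleanenv = calloc(1, sizeof(*cleanenv));
    if (cleanenv == NULL) {
        free(saved);
        return -1;
    }
    environ = cleanenv;   /* old array intentionally left unfreed */

    int carried = 0;
    for (size_t i = 0; i < n; i++) {
        if (saved[i] == NULL)
            continue;
        if (setenv(keep[i], saved[i], 1) != 0) {
            free(saved);
            return -1;
        }
        carried++;
    }
    free(saved);
    return carried;
}

/* Number of entries in the current environment (for checking). */
int environ_count(void)
{
    int c = 0;
    for (char **p = environ; *p != NULL; p++)
        c++;
    return c;
}

int main(void)
{
    /* Constructed caller environment: one benign, one hostile variable. */
    setenv("TERM", "xterm", 1);
    setenv("LD_PRELOAD", "/tmp/evil.so", 1);   /* constructed; must not survive */
    int carried = build_clean_environ();
    printf("carried %d variable(s); LD_PRELOAD=%s\n", carried,
           getenv("LD_PRELOAD") ? getenv("LD_PRELOAD") : "(unset)");
    return carried < 0;
}
```

The order of operations is the whole point: read, then swap, then re-add. Reading after the swap returns nothing, and re-adding into a stack-backed `environ` is what crashed su once setenv(3) had already decided it owned the array.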
