The present code for the authorization type "k5login"
contains serious security issues, should it have been
possible to activate it. Fortunately, the code does
not even construct the path "$HOME/.k5login" correctly,
so the code will never get into action!
The present patch addresses "lib/authorize.c" on the following
points of importance:
* Correct format string for path assembly.
* No falling back to other authentication types, as this would
consitute a security breach in itself. In fact, the existing
fall back would lead to a segfault for any use case where the
remote client name differs from the local, acting user name.
* [Comment only] It can be argued that allowing root as owner
of "$HOME/.k5login" is an issue, albeit minor. BSD systems,
using MIT Kerberos or Heimdal, accept only the acting user
as file owner.
* The file must not be writeable by world, or group. Any other
situation is a grave security breach.
* The variable "linelength" contains the allocated space, not
the length of the read string. Thus the code could never perform
the intended comparison.
* The files "$HOME/.k5login" must contain qualified equivalence names
like "user@REALM", or "user/role@REALM", never only "username". Thus
it necessary to call shishi_encticketpart_clientrealm() in order to
fetch the qualified principal name, and to pass this on to
* The allocated space in "client" was never released.
* Ignore unknown authorization types, instead of aborting the parsing run,
i.e., accept as much as conclusively can be accepted.
This material is related to an issue in "lib/cfg.c", to be reported
by me in a second letter.