When logging in as a <user>.root principal, the login is subjected to the same tty tests as root, allowed to log in when /etc/nologin exists, the Kerberos ticket file is created as /tmp/tkt_root_<uid>, and a root login is syslog'ed, but you don't become root. This is a problem only when LOGIN_CAP is defined during compile. The non-LOGIN_CAP code does everything as the user and then does the final setuid() to 0 if it's a root login, but the LOGIN_CAP code simply does a setusercontext() to the user. This is fixed very simply by including a check for rootlogin and passing setusercontext a 0 uid instead of the user's uid.

Fix: change

    if (setusercontext(lc, pwd, pwd->pw_uid, LOGIN_SETALL) != 0) {

to

    if (setusercontext(lc, pwd, rootlogin ? 0 : pwd->pw_uid, LOGIN_SETALL) != 0) {

in login.c in the main() function.

How-To-Repeat: log in as a <user>.root principal on a kerberized box.
Responsible Changed From-To: freebsd-bugs->davidn

I broke this, so I'll look into a fix. However, I'm not certain that the suggested fix is correct. After all, instances other than 'root' may be used, and if the root instance login is broken, then they all will be.
Try this patch:

    if(rootlogin){ pwd->pw-uid=0; }

right before the call to setusercontext() in login.c.

Lucas
Try this fix:

    if(rootlogin) pwd->pw_uid=0;

right before the call to setusercontext() in login.c.

Lucas
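The code paths discussed in this report, modelled side by side as an added example (this is not FreeBSD's login.c and not code from any poster). The `model_*` types and helpers are stand-ins that only record which uid the process ends up with, and uid 1001 is a constructed sample value.

```c
#include <stdio.h>
#include <sys/types.h>

/* Stand-ins (assumptions): only the fields this report touches. */
struct model_passwd { const char *pw_name; uid_t pw_uid; };
struct model_proc   { uid_t uid; };   /* credentials of the login process */

/* Models setusercontext(lc, pwd, uid, LOGIN_SETALL): the process adopts uid. */
static int model_setusercontext(struct model_proc *p, uid_t uid) { p->uid = uid; return 0; }

/* Non-LOGIN_CAP path as described: run as the user, final setuid(0) on a root login. */
uid_t path_no_login_cap(const struct model_passwd *pwd, int rootlogin) {
    struct model_proc p = { pwd->pw_uid };
    if (rootlogin) p.uid = 0;
    return p.uid;
}
/* LOGIN_CAP path as reported: rootlogin is never consulted. */
uid_t path_login_cap_reported(const struct model_passwd *pwd, int rootlogin) {
    struct model_proc p = { pwd->pw_uid };
    (void)rootlogin;
    model_setusercontext(&p, pwd->pw_uid);
    return p.uid;
}
/* Submitter's fix: choose the uid at the call site, pwd stays untouched. */
uid_t path_login_cap_ternary(const struct model_passwd *pwd, int rootlogin) {
    struct model_proc p = { pwd->pw_uid };
    model_setusercontext(&p, rootlogin ? 0 : pwd->pw_uid);
    return p.uid;
}
/* Follow-up fix: overwrite pwd->pw_uid, so any later use of pwd sees uid 0 as well. */
uid_t path_login_cap_mutate(struct model_passwd *pwd, int rootlogin) {
    struct model_proc p = { pwd->pw_uid };
    if (rootlogin) pwd->pw_uid = 0;
    model_setusercontext(&p, pwd->pw_uid);
    return p.uid;
}
/* Regression check: the uid obtained must match what was logged as the login type. */
int identity_consistent(int rootlogin, uid_t pw_uid, uid_t proc_uid) {
    return proc_uid == (rootlogin ? (uid_t)0 : pw_uid);
}

int main(void) {
    struct model_passwd a = { "user", 1001 }, b = a;   /* constructed sample account */
    printf("no LOGIN_CAP      uid=%u\n", (unsigned)path_no_login_cap(&a, 1));
    printf("LOGIN_CAP (bug)   uid=%u\n", (unsigned)path_login_cap_reported(&a, 1));
    printf("ternary fix       uid=%u pw_uid=%u\n", (unsigned)path_login_cap_ternary(&a, 1), (unsigned)a.pw_uid);
    printf("mutating fix      uid=%u pw_uid=%u\n", (unsigned)path_login_cap_mutate(&b, 1), (unsigned)b.pw_uid);
    return 0;
}
```

Both fixes end with uid 0 on a root login; they differ in whether the passwd entry still carries the user's own uid afterwards.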
Responsible Changed From-To: davidn->freebsd-bugs

davidn is no longer with us
For bugs matching the following criteria: Status: In Progress Changed: (is less than) 2014-06-01 Reset to default assignee and clear in-progress tags. Mail being skipped
Keyword: patch or patch-ready – in lieu of summary line prefix: [patch] * bulk change for the keyword * summary lines may be edited manually (not in bulk). Keyword descriptions and search interface: <https://bugs.freebsd.org/bugzilla/describekeywords.cgi>