Overview

Type: Local Privilege Escalation

The k5login type is typically used to manage a file in a user's home directory; the explicit purpose of this file is to grant other users access to that account.

This type previously wrote to the target file directly, as root, without doing anything to secure the file. If the .k5login file was replaced with a symlink, this would allow the owner of the home directory to replace any file on the system, including the .k5login file of a more privileged user, with the “correct” content of their own file.

This issue was discovered during a code audit following the report of the ssh_authorized_key vulnerability, and the fix was very similar.
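
The write pattern described above, shown beside a hardened form, as an added example that is not Puppet's code or its actual fix. The function names, file names and the principal are constructed for illustration, and the demo runs entirely inside a scratch directory.

```ruby
require 'tmpdir'
require 'tempfile'

# Vulnerable pattern: open-for-write follows a symlink at `path`, so a
# privileged writer overwrites whatever the link points to.
def unsafe_write(path, content)
  File.open(path, 'w') { |f| f.write(content) }
end

# Hardened pattern: create a fresh temp file (O_EXCL) in the same directory,
# then rename it over `path`. rename(2) replaces the link itself and never
# writes through it.
def safe_write(path, content, mode = 0o644)
  tmp = Tempfile.create('.k5login.', File.dirname(path))
  begin
    tmp.write(content)
    tmp.chmod(mode)
    tmp.close
    File.rename(tmp.path, path)
  rescue StandardError
    tmp.close unless tmp.closed?
    File.unlink(tmp.path) if File.exist?(tmp.path)
    raise
  end
end

# Constructed demo: returns what happened to the link target and to the
# managed path for each writer.
def demo
  Dir.mktmpdir do |dir|
    target  = File.join(dir, 'other_users_file') # stands in for another user's file
    managed = File.join(dir, '.k5login')         # path the resource manages
    result = {}
    { unsafe: method(:unsafe_write), safe: method(:safe_write) }.each do |name, writer|
      File.write(target, "original\n")
      File.unlink(managed) if File.symlink?(managed) || File.exist?(managed)
      File.symlink(target, managed)              # home-directory owner plants a link
      writer.call(managed, "user@EXAMPLE.COM\n")
      result[name] = { target: File.read(target),
                       still_symlink: File.symlink?(managed),
                       managed: File.read(managed) }
    end
    result
  end
end
```

When run as root the renamed file is root-owned, so a real implementation must also set the owner. Performing the write with the privileges of the home directory's owner is an alternative that avoids privileged writes in a user-controlled directory altogether.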

Status

  • Resolved in Puppet 2.6.11 and 2.7.5

Hotfixes