- make PAM support for ksu also set PAM_RUSER

2009-05-11 18:19:08 +00:00 · 2009-05-11 18:19:08 +00:00 · 06c77ea1cd
commit 06c77ea1cd
parent df43b1e2b6
2 changed files with 31 additions and 12 deletions
--- a/krb5-1.6.1-pam.patch
+++ b/krb5-1.6.1-pam.patch
@ -84,7 +84,7 @@ When enabled, ftpd, krshd, login.krb5, and ksu gain dependence on libpam.
 #ifdef KERBEROS
 
 #if defined(KRB5_KRB4_COMPAT) && !defined(ALWAYS_V5_KUSEROK)
-@@ -1151,11 +1148,50 @@ void doit(f, fromp)
+@@ -1151,11 +1148,51 @@ void doit(f, fromp)
 	goto signout_please;
     }
     
@ -97,6 +97,7 @@ When enabled, ftpd, krshd, login.krb5, and ksu gain dependence on libpam.
 +			       locuser,
 +			       "",
 +			       hostname,
+			       NULL,
 +			       do_encrypt ?
 +			       EKSHELL_PAM_SERVICE :
 +			       KSHELL_PAM_SERVICE) != 0) {
@ -224,7 +225,7 @@ When enabled, ftpd, krshd, login.krb5, and ksu gain dependence on libpam.
 #ifdef KRB5_GET_TICKETS
     {"krb5_get_tickets", &login_krb5_get_tickets},
 #endif
-@@ -1292,6 +1300,19 @@ int main(argc, argv)
+@@ -1292,6 +1300,20 @@ int main(argc, argv)
 	if (!unix_needs_passwd())
 	    break;
 
@ -232,6 +233,7 @@ When enabled, ftpd, krshd, login.krb5, and ksu gain dependence on libpam.
 +	if (login_use_pam) {
 +	    if (appl_pam_authenticate(LOGIN_PAM_SERVICE, 1, username, "",
 +	                              hostname,
+	                              NULL,
 +				      ttyname(STDIN_FILENO)) == PAM_SUCCESS) {
 +	        break;
 +	    } else {
@ -251,7 +253,7 @@ When enabled, ftpd, krshd, login.krb5, and ksu gain dependence on libpam.
 +#ifdef USE_PAM
 +    if (login_use_pam) {
 +	if (appl_pam_acct_mgmt(LOGIN_PAM_SERVICE, 1, username, "",
-+			       hostname, ttyname(STDIN_FILENO)) != 0) {
+			       hostname, NULL, ttyname(STDIN_FILENO)) != 0) {
 +	    printf("Login incorrect\n");
 +	    sleepexit(1);
 +	}
@ -305,7 +307,7 @@ When enabled, ftpd, krshd, login.krb5, and ksu gain dependence on libpam.
     if (pwd->pw_uid == 0)
 --- /dev/null	2007-06-22 10:29:46.741860805 -0400
 +++ krb5-1.6.1/src/appl/bsd/pam.c	2007-06-22 14:22:10.000000000 -0400
-@@ -0,0 +1,424 @@
+@@ -0,0 +1,433 @@
 +/*
 + * src/appl/bsd/pam.c
 + *
@ -561,6 +563,7 @@ When enabled, ftpd, krshd, login.krb5, and ksu gain dependence on libpam.
 +	       const char *login_username,
 +	       const char *non_interactive_password,
 +	       const char *hostname,
+	       const char *ruser,
 +	       const char *tty)
 +{
 +	static int exit_handler_registered;
@ -595,6 +598,12 @@ When enabled, ftpd, krshd, login.krb5, and ksu gain dependence on libpam.
 +#endif
 +				pam_set_item(appl_pamh, PAM_RHOST, hostname);
 +			}
+			if (ruser != NULL) {
+#ifdef DEBUG
+				printf("Setting PAM_RUSER to \"%s\".\n", ruser);
+#endif
+				pam_set_item(appl_pamh, PAM_RUSER, ruser);
+			}
 +			if (tty != NULL) {
 +#ifdef DEBUG
 +				printf("Setting PAM_TTY to \"%s\".\n", tty);
@ -621,11 +630,12 @@ When enabled, ftpd, krshd, login.krb5, and ksu gain dependence on libpam.
 +		      const char *login_username,
 +		      const char *non_interactive_password,
 +		      const char *hostname,
+		      const char *ruser,
 +		      const char *tty)
 +{
 +	int ret;
 +	ret = appl_pam_start(service, interactive, login_username,
-+			     non_interactive_password, hostname, tty);
+			     non_interactive_password, hostname, ruser, tty);
 +	if (ret == 0) {
 +		ret = pam_authenticate(appl_pamh, 0);
 +	}
@ -636,12 +646,13 @@ When enabled, ftpd, krshd, login.krb5, and ksu gain dependence on libpam.
 +		   const char *login_username,
 +		   const char *non_interactive_password,
 +		   const char *hostname,
+		   const char *ruser,
 +		   const char *tty)
 +{
 +	int ret;
 +	appl_pam_pwchange_required = 0;
 +	ret = appl_pam_start(service, interactive, login_username,
-+			     non_interactive_password, hostname, tty);
+			     non_interactive_password, hostname, ruser, tty);
 +	if (ret == 0) {
 +#ifdef DEBUG
 +		printf("Calling pam_acct_mgmt().\n");
@ -732,7 +743,7 @@ When enabled, ftpd, krshd, login.krb5, and ksu gain dependence on libpam.
 +#endif
 --- /dev/null	2007-06-22 10:29:46.741860805 -0400
 +++ krb5-1.6.1/src/appl/bsd/pam.h	2007-06-22 14:27:05.000000000 -0400
-@@ -0,0 +1,63 @@
+@@ -0,0 +1,65 @@
 +/*
 + * src/appl/bsd/pam.h
 + *
@ -782,11 +793,13 @@ When enabled, ftpd, krshd, login.krb5, and ksu gain dependence on libpam.
 +			  const char *local_username,
 +			  const char *non_interactive_password,
 +			  const char *hostname,
+			  const char *ruser,
 +			  const char *tty);
 +int appl_pam_acct_mgmt(const char *service, int interactive,
 +		       const char *local_username,
 +		       const char *non_interactive_password,
 +		       const char *hostname,
+		       const char *ruser,
 +		       const char *tty);
 +int appl_pam_requires_chauthtok(void);
 +int appl_pam_chauthtok(void);
@ -847,7 +860,7 @@ When enabled, ftpd, krshd, login.krb5, and ksu gain dependence on libpam.
 #include <grp.h> 
 #include <setjmp.h>
 #ifndef POSIX_SETJMP
-@@ -803,6 +806,21 @@
+@@ -803,6 +806,22 @@
 		}
 #endif /* KRB5_KRB4_COMPAT */
 
@ -856,6 +869,7 @@ When enabled, ftpd, krshd, login.krb5, and ksu gain dependence on libpam.
 +			if (appl_pam_acct_mgmt(FTP_PAM_SERVICE, 0,
 +					       pw->pw_name, "",
 +					       hostname,
+					       NULL,
 +					       FTP_PAM_SERVICE) != 0) {
 +				reply(530, "Login incorrect.");
 +				return;
@ -880,7 +894,7 @@ When enabled, ftpd, krshd, login.krb5, and ksu gain dependence on libpam.
 	if (have_creds) {
 #ifdef GSSAPI
 		krb5_cc_destroy(kcontext, ccache);
-@@ -1073,9 +1095,18 @@ pass(passwd)
+@@ -1073,9 +1095,19 @@ pass(passwd)
 		 *   kpass fails and the user has no local password
 		 *   kpass fails and the provided password doesn't match pw
 		 */
@ -893,6 +907,7 @@ When enabled, ftpd, krshd, login.krb5, and ksu gain dependence on libpam.
 +		    (appl_pam_authenticate(FTP_PAM_SERVICE, 0,
 +					   pw->pw_name, passwd,
 +					   hostname,
+					   NULL,
 +					   FTP_PAM_SERVICE) != 0) :
 +#endif
 +		    (!kpass(pw->pw_name, passwd) &&
@ -902,7 +917,7 @@ When enabled, ftpd, krshd, login.krb5, and ksu gain dependence on libpam.
 			pw = NULL;
 			sleep(5);
 			if (++login_attempts >= 3) {
-@@ -1092,6 +1123,22 @@ pass(passwd)
+@@ -1092,6 +1123,23 @@ pass(passwd)
 	}
 	login_attempts = 0;		/* this time successful */
 
@ -911,6 +926,7 @@ When enabled, ftpd, krshd, login.krb5, and ksu gain dependence on libpam.
 +		if (appl_pam_acct_mgmt(FTP_PAM_SERVICE, 0,
 +				       pw->pw_name, passwd,
 +				       hostname,
+				       NULL,
 +				       FTP_PAM_SERVICE) != 0) {
 +			reply(530, "Login incorrect.");
 +			return;
@ -1135,7 +1151,7 @@ diff -up krb5-1.6.1/src/clients/ksu/Makefile.in krb5-1.6.1/src/clients/ksu/Makef
 +#ifdef USE_PAM
 +    if (appl_pam_enabled(ksu_context, "ksu")) {
 +	if (appl_pam_acct_mgmt(KSU_PAM_SERVICE, 1, target_user, NULL,
-+			       NULL, ttyname(STDERR_FILENO)) != 0) {
+			       NULL, source_user, ttyname(STDERR_FILENO)) != 0) {
 +	    fprintf(stderr, "Access denied for %s.\n", target_user);
 +	    sweep_up(ksu_context, cc_target);
 +	    exit(1);
--- a/krb5.spec
+++ b/krb5.spec
@ -13,7 +13,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.6.3
-Release: 104%{?dist}
+Release: 105%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.6/krb5-1.6.2-signed.tar
 Source0: krb5-%{version}.tar.gz
@ -228,6 +228,9 @@ to obtain initial credentials from a KDC using a private key and a
 certificate.

 %changelog
+* Mon May 11 2009 Nalin Dahyabhai <nalin@redhat.com> 1.6.3-105
+- make PAM support for ksu also set PAM_RUSER
+
 * Thu Apr 23 2009 Nalin Dahyabhai <nalin@redhat.com> 1.6.3-104
 - extend PAM support to ksu: perform account and session management for the
  target user