From 11389918936e78505288c4f1164ea2be933150d5 Mon Sep 17 00:00:00 2001 From: "Robbie Harwood (frozencemetery)" Date: Wed, 23 Sep 2015 19:43:55 +0000 Subject: [PATCH] New upstream version: krb5-1.14-alpha1 Drop patches that have since been applied. Create new patches as needed. --- .gitignore | 3 + krb5-1.11-run_user_0.patch | 34 - krb5-1.12-api.patch | 27 - krb5-1.12-ksu-path.patch | 12 - krb5-1.12-ktany.patch | 351 ------- krb5-1.13-dirsrv-accountlock.patch | 63 -- krb5-1.13-selinux-label.patch | 979 ------------------ ...ap_bug_triggering_selinux_avc_denial.patch | 32 - ...t-KDC_ERR_MORE_PREAUTH_DATA_REQUIRED.patch | 142 --- krb5-1.14-ss_execute_command-missing.patch | 13 + krb5-1.9-debuginfo.patch | 26 - krb5-kvno-230379.patch | 53 - krb5.spec | 43 +- sources | 6 +- 14 files changed, 32 insertions(+), 1752 deletions(-) delete mode 100644 krb5-1.11-run_user_0.patch delete mode 100644 krb5-1.12-api.patch delete mode 100644 krb5-1.12-ksu-path.patch delete mode 100644 krb5-1.12-ktany.patch delete mode 100644 krb5-1.13-dirsrv-accountlock.patch delete mode 100644 krb5-1.13-selinux-label.patch delete mode 100644 krb5-1.13.3-bindresvport_sa_port_byte_swap_bug_triggering_selinux_avc_denial.patch delete mode 100644 krb5-1.14-Support-KDC_ERR_MORE_PREAUTH_DATA_REQUIRED.patch create mode 100644 krb5-1.14-ss_execute_command-missing.patch delete mode 100644 krb5-1.9-debuginfo.patch delete mode 100644 krb5-kvno-230379.patch diff --git a/.gitignore b/.gitignore index baaab88..94bc769 100644 --- a/.gitignore +++ b/.gitignore @@ -121,3 +121,6 @@ krb5-1.8.3-pdf.tar.gz /krb5-1.13.2.tar.gz.asc /krb5-1.13.2-pdf.pax.xz /krb5-1.13.2-pdfs.tar +/krb5-1.14-alpha1.tar.gz.asc +/krb5-1.14-alpha1.tar.gz +/krb5-1.14-alpha1-pdfs.tar diff --git a/krb5-1.11-run_user_0.patch b/krb5-1.11-run_user_0.patch deleted file mode 100644 index 6be760a..0000000 --- a/krb5-1.11-run_user_0.patch +++ /dev/null @@ -1,34 +0,0 @@ -A hack: if we're looking at creating a ccache directory directly below -the /run/user/0 directory, and /run/user/0 doesn't exist, try to create -it, too. - ---- krb5/src/lib/krb5/ccache/cc_dir.c -+++ krb5/src/lib/krb5/ccache/cc_dir.c -@@ -61,6 +61,8 @@ - - #include - -+#define ROOT_SPECIAL_DCC_PARENT "/run/user/0" -+ - extern const krb5_cc_ops krb5_dcc_ops; - extern const krb5_cc_ops krb5_fcc_ops; - -@@ -239,6 +241,18 @@ - - if (stat(dirname, &st) < 0) { - if (errno == ENOENT) { -+ if (strncmp(dirname, ROOT_SPECIAL_DCC_PARENT "/", -+ sizeof(ROOT_SPECIAL_DCC_PARENT)) == 0 && -+ stat(ROOT_SPECIAL_DCC_PARENT, &st) < 0 && -+ errno == ENOENT) { -+#ifdef USE_SELINUX -+ selabel = krb5int_push_fscreatecon_for(ROOT_SPECIAL_DCC_PARENT); -+#endif -+ status = mkdir(ROOT_SPECIAL_DCC_PARENT, S_IRWXU); -+#ifdef USE_SELINUX -+ krb5int_pop_fscreatecon(selabel); -+#endif -+ } - #ifdef USE_SELINUX - selabel = krb5int_push_fscreatecon_for(dirname); - #endif diff --git a/krb5-1.12-api.patch b/krb5-1.12-api.patch deleted file mode 100644 index f5432a3..0000000 --- a/krb5-1.12-api.patch +++ /dev/null @@ -1,27 +0,0 @@ -Reference docs don't define what happens if you call krb5_realm_compare() with -malformed krb5_principal structures. Define a behavior which keeps it from -crashing if applications don't check ahead of time. - ---- krb5/src/lib/krb5/krb/princ_comp.c -+++ krb5/src/lib/krb5/krb/princ_comp.c -@@ -41,6 +41,10 @@ realm_compare_flags(krb5_context context - const krb5_data *realm1 = &princ1->realm; - const krb5_data *realm2 = &princ2->realm; - -+ if (princ1 == NULL || princ2 == NULL) -+ return FALSE; -+ if (realm1 == NULL || realm2 == NULL) -+ return FALSE; - if (realm1->length != realm2->length) - return FALSE; - if (realm1->length == 0) -@@ -92,6 +98,9 @@ krb5_principal_compare_flags(krb5_contex - krb5_principal upn2 = NULL; - krb5_boolean ret = FALSE; - -+ if (princ1 == NULL || princ2 == NULL) -+ return FALSE; -+ - if (flags & KRB5_PRINCIPAL_COMPARE_ENTERPRISE) { - /* Treat UPNs as if they were real principals */ - if (princ1->type == KRB5_NT_ENTERPRISE_PRINCIPAL) { diff --git a/krb5-1.12-ksu-path.patch b/krb5-1.12-ksu-path.patch deleted file mode 100644 index 65552c9..0000000 --- a/krb5-1.12-ksu-path.patch +++ /dev/null @@ -1,12 +0,0 @@ -Set the default PATH to the one set by login. - ---- krb5/src/clients/ksu/Makefile.in -+++ krb5/src/clients/ksu/Makefile.in -@@ -1,6 +1,6 @@ - mydir=clients$(S)ksu - BUILDTOP=$(REL)..$(S).. --DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"' -+DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/usr/local/sbin /usr/local/bin /sbin /bin /usr/sbin /usr/bin"' - - KSU_LIBS=@KSU_LIBS@ - PAM_LIBS=@PAM_LIBS@ diff --git a/krb5-1.12-ktany.patch b/krb5-1.12-ktany.patch deleted file mode 100644 index 88f1a7e..0000000 --- a/krb5-1.12-ktany.patch +++ /dev/null @@ -1,351 +0,0 @@ -Adds an "ANY" keytab type which is a list of other keytab locations to search -when searching for a specific entry. When iterated through, it only presents -the contents of the first keytab. - -diff -up /dev/null krb5-1.7/src/lib/krb5/keytab/kt_any.c ---- /dev/null 2009-06-04 10:34:55.169007373 -0400 -+++ krb5-1.7/src/lib/krb5/keytab/kt_any.c 2009-06-04 13:54:36.000000000 -0400 -@@ -0,0 +1,292 @@ -+/* -+ * lib/krb5/keytab/kt_any.c -+ * -+ * Copyright 1998, 1999 by the Massachusetts Institute of Technology. -+ * All Rights Reserved. -+ * -+ * Export of this software from the United States of America may -+ * require a specific license from the United States Government. -+ * It is the responsibility of any person or organization contemplating -+ * export to obtain such a license before exporting. -+ * -+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -+ * distribute this software and its documentation for any purpose and -+ * without fee is hereby granted, provided that the above copyright -+ * notice appear in all copies and that both that copyright notice and -+ * this permission notice appear in supporting documentation, and that -+ * the name of M.I.T. not be used in advertising or publicity pertaining -+ * to distribution of the software without specific, written prior -+ * permission. M.I.T. makes no representations about the suitability of -+ * this software for any purpose. It is provided "as is" without express -+ * or implied warranty. -+ * -+ * -+ * krb5_kta_ops -+ */ -+ -+#include "k5-int.h" -+ -+typedef struct _krb5_ktany_data { -+ char *name; -+ krb5_keytab *choices; -+ int nchoices; -+} krb5_ktany_data; -+ -+typedef struct _krb5_ktany_cursor_data { -+ int which; -+ krb5_kt_cursor cursor; -+} krb5_ktany_cursor_data; -+ -+static krb5_error_code krb5_ktany_resolve -+ (krb5_context, -+ const char *, -+ krb5_keytab *); -+static krb5_error_code krb5_ktany_get_name -+ (krb5_context context, -+ krb5_keytab id, -+ char *name, -+ unsigned int len); -+static krb5_error_code krb5_ktany_close -+ (krb5_context context, -+ krb5_keytab id); -+static krb5_error_code krb5_ktany_get_entry -+ (krb5_context context, -+ krb5_keytab id, -+ krb5_const_principal principal, -+ krb5_kvno kvno, -+ krb5_enctype enctype, -+ krb5_keytab_entry *entry); -+static krb5_error_code krb5_ktany_start_seq_get -+ (krb5_context context, -+ krb5_keytab id, -+ krb5_kt_cursor *cursorp); -+static krb5_error_code krb5_ktany_next_entry -+ (krb5_context context, -+ krb5_keytab id, -+ krb5_keytab_entry *entry, -+ krb5_kt_cursor *cursor); -+static krb5_error_code krb5_ktany_end_seq_get -+ (krb5_context context, -+ krb5_keytab id, -+ krb5_kt_cursor *cursor); -+static void cleanup -+ (krb5_context context, -+ krb5_ktany_data *data, -+ int nchoices); -+ -+struct _krb5_kt_ops krb5_kta_ops = { -+ 0, -+ "ANY", /* Prefix -- this string should not appear anywhere else! */ -+ krb5_ktany_resolve, -+ krb5_ktany_get_name, -+ krb5_ktany_close, -+ krb5_ktany_get_entry, -+ krb5_ktany_start_seq_get, -+ krb5_ktany_next_entry, -+ krb5_ktany_end_seq_get, -+ NULL, -+ NULL, -+ NULL, -+}; -+ -+static krb5_error_code -+krb5_ktany_resolve(context, name, id) -+ krb5_context context; -+ const char *name; -+ krb5_keytab *id; -+{ -+ const char *p, *q; -+ char *copy; -+ krb5_error_code kerror; -+ krb5_ktany_data *data; -+ int i; -+ -+ /* Allocate space for our data and remember a copy of the name. */ -+ if ((data = (krb5_ktany_data *)malloc(sizeof(krb5_ktany_data))) == NULL) -+ return(ENOMEM); -+ if ((data->name = (char *)malloc(strlen(name) + 1)) == NULL) { -+ free(data); -+ return(ENOMEM); -+ } -+ strcpy(data->name, name); -+ -+ /* Count the number of choices and allocate memory for them. */ -+ data->nchoices = 1; -+ for (p = name; (q = strchr(p, ',')) != NULL; p = q + 1) -+ data->nchoices++; -+ if ((data->choices = (krb5_keytab *) -+ malloc(data->nchoices * sizeof(krb5_keytab))) == NULL) { -+ free(data->name); -+ free(data); -+ return(ENOMEM); -+ } -+ -+ /* Resolve each of the choices. */ -+ i = 0; -+ for (p = name; (q = strchr(p, ',')) != NULL; p = q + 1) { -+ /* Make a copy of the choice name so we can terminate it. */ -+ if ((copy = (char *)malloc(q - p + 1)) == NULL) { -+ cleanup(context, data, i); -+ return(ENOMEM); -+ } -+ memcpy(copy, p, q - p); -+ copy[q - p] = 0; -+ -+ /* Try resolving the choice name. */ -+ kerror = krb5_kt_resolve(context, copy, &data->choices[i]); -+ free(copy); -+ if (kerror) { -+ cleanup(context, data, i); -+ return(kerror); -+ } -+ i++; -+ } -+ if ((kerror = krb5_kt_resolve(context, p, &data->choices[i]))) { -+ cleanup(context, data, i); -+ return(kerror); -+ } -+ -+ /* Allocate and fill in an ID for the caller. */ -+ if ((*id = (krb5_keytab)malloc(sizeof(**id))) == NULL) { -+ cleanup(context, data, i); -+ return(ENOMEM); -+ } -+ (*id)->ops = &krb5_kta_ops; -+ (*id)->data = (krb5_pointer)data; -+ (*id)->magic = KV5M_KEYTAB; -+ -+ return(0); -+} -+ -+static krb5_error_code -+krb5_ktany_get_name(context, id, name, len) -+ krb5_context context; -+ krb5_keytab id; -+ char *name; -+ unsigned int len; -+{ -+ krb5_ktany_data *data = (krb5_ktany_data *)id->data; -+ -+ if (len < strlen(data->name) + 1) -+ return(KRB5_KT_NAME_TOOLONG); -+ strcpy(name, data->name); -+ return(0); -+} -+ -+static krb5_error_code -+krb5_ktany_close(context, id) -+ krb5_context context; -+ krb5_keytab id; -+{ -+ krb5_ktany_data *data = (krb5_ktany_data *)id->data; -+ -+ cleanup(context, data, data->nchoices); -+ id->ops = 0; -+ free(id); -+ return(0); -+} -+ -+static krb5_error_code -+krb5_ktany_get_entry(context, id, principal, kvno, enctype, entry) -+ krb5_context context; -+ krb5_keytab id; -+ krb5_const_principal principal; -+ krb5_kvno kvno; -+ krb5_enctype enctype; -+ krb5_keytab_entry *entry; -+{ -+ krb5_ktany_data *data = (krb5_ktany_data *)id->data; -+ krb5_error_code kerror = KRB5_KT_NOTFOUND; -+ int i; -+ -+ for (i = 0; i < data->nchoices; i++) { -+ if ((kerror = krb5_kt_get_entry(context, data->choices[i], principal, -+ kvno, enctype, entry)) != ENOENT) -+ return kerror; -+ } -+ return kerror; -+} -+ -+static krb5_error_code -+krb5_ktany_start_seq_get(context, id, cursorp) -+ krb5_context context; -+ krb5_keytab id; -+ krb5_kt_cursor *cursorp; -+{ -+ krb5_ktany_data *data = (krb5_ktany_data *)id->data; -+ krb5_ktany_cursor_data *cdata; -+ krb5_error_code kerror = ENOENT; -+ int i; -+ -+ if ((cdata = (krb5_ktany_cursor_data *) -+ malloc(sizeof(krb5_ktany_cursor_data))) == NULL) -+ return(ENOMEM); -+ -+ /* Find a choice which can handle the serialization request. */ -+ for (i = 0; i < data->nchoices; i++) { -+ if ((kerror = krb5_kt_start_seq_get(context, data->choices[i], -+ &cdata->cursor)) == 0) -+ break; -+ else if (kerror != ENOENT) { -+ free(cdata); -+ return(kerror); -+ } -+ } -+ -+ if (i == data->nchoices) { -+ /* Everyone returned ENOENT, so no go. */ -+ free(cdata); -+ return(kerror); -+ } -+ -+ cdata->which = i; -+ *cursorp = (krb5_kt_cursor)cdata; -+ return(0); -+} -+ -+static krb5_error_code -+krb5_ktany_next_entry(context, id, entry, cursor) -+ krb5_context context; -+ krb5_keytab id; -+ krb5_keytab_entry *entry; -+ krb5_kt_cursor *cursor; -+{ -+ krb5_ktany_data *data = (krb5_ktany_data *)id->data; -+ krb5_ktany_cursor_data *cdata = (krb5_ktany_cursor_data *)*cursor; -+ krb5_keytab choice_id; -+ -+ choice_id = data->choices[cdata->which]; -+ return(krb5_kt_next_entry(context, choice_id, entry, &cdata->cursor)); -+} -+ -+static krb5_error_code -+krb5_ktany_end_seq_get(context, id, cursor) -+ krb5_context context; -+ krb5_keytab id; -+ krb5_kt_cursor *cursor; -+{ -+ krb5_ktany_data *data = (krb5_ktany_data *)id->data; -+ krb5_ktany_cursor_data *cdata = (krb5_ktany_cursor_data *)*cursor; -+ krb5_keytab choice_id; -+ krb5_error_code kerror; -+ -+ choice_id = data->choices[cdata->which]; -+ kerror = krb5_kt_end_seq_get(context, choice_id, &cdata->cursor); -+ free(cdata); -+ return(kerror); -+} -+ -+static void -+cleanup(context, data, nchoices) -+ krb5_context context; -+ krb5_ktany_data *data; -+ int nchoices; -+{ -+ int i; -+ -+ free(data->name); -+ for (i = 0; i < nchoices; i++) -+ krb5_kt_close(context, data->choices[i]); -+ free(data->choices); -+ free(data); -+} -diff -up krb5-1.7/src/lib/krb5/keytab/ktbase.c krb5-1.7/src/lib/krb5/keytab/ktbase.c ---- krb5-1.7/src/lib/krb5/keytab/ktbase.c 2009-02-18 13:18:56.000000000 -0500 -+++ krb5-1.7/src/lib/krb5/keytab/ktbase.c 2009-06-04 13:54:36.000000000 -0400 -@@ -59,14 +59,19 @@ extern const krb5_kt_ops krb5_ktf_ops; - extern const krb5_kt_ops krb5_ktf_writable_ops; - extern const krb5_kt_ops krb5_kts_ops; - extern const krb5_kt_ops krb5_mkt_ops; -+extern const krb5_kt_ops krb5_kta_ops; - - struct krb5_kt_typelist { - const krb5_kt_ops *ops; - const struct krb5_kt_typelist *next; - }; -+static struct krb5_kt_typelist krb5_kt_typelist_any = { -+ &krb5_kta_ops, -+ NULL -+}; - const static struct krb5_kt_typelist krb5_kt_typelist_srvtab = { - &krb5_kts_ops, -- NULL -+ &krb5_kt_typelist_any - }; - const static struct krb5_kt_typelist krb5_kt_typelist_memory = { - &krb5_mkt_ops, -diff -up krb5-1.7/src/lib/krb5/keytab/Makefile.in krb5-1.7/src/lib/krb5/keytab/Makefile.in ---- krb5-1.7/src/lib/krb5/keytab/Makefile.in 2009-01-05 15:27:53.000000000 -0500 -+++ krb5-1.7/src/lib/krb5/keytab/Makefile.in 2009-06-04 13:54:36.000000000 -0400 -@@ -19,6 +19,7 @@ STLIBOBJS= \ - ktfr_entry.o \ - ktremove.o \ - ktfns.o \ -+ kt_any.o \ - kt_file.o \ - kt_memory.o \ - kt_srvtab.o \ -@@ -31,6 +32,7 @@ OBJS= \ - $(OUTPRE)ktfr_entry.$(OBJEXT) \ - $(OUTPRE)ktremove.$(OBJEXT) \ - $(OUTPRE)ktfns.$(OBJEXT) \ -+ $(OUTPRE)kt_any.$(OBJEXT) \ - $(OUTPRE)kt_file.$(OBJEXT) \ - $(OUTPRE)kt_memory.$(OBJEXT) \ - $(OUTPRE)kt_srvtab.$(OBJEXT) \ -@@ -43,6 +45,7 @@ SRCS= \ - $(srcdir)/ktfr_entry.c \ - $(srcdir)/ktremove.c \ - $(srcdir)/ktfns.c \ -+ $(srcdir)/kt_any.c \ - $(srcdir)/kt_file.c \ - $(srcdir)/kt_memory.c \ - $(srcdir)/kt_srvtab.c \ diff --git a/krb5-1.13-dirsrv-accountlock.patch b/krb5-1.13-dirsrv-accountlock.patch deleted file mode 100644 index 0a6661c..0000000 --- a/krb5-1.13-dirsrv-accountlock.patch +++ /dev/null @@ -1,63 +0,0 @@ -Treat 'nsAccountLock: true' the same as 'loginDisabled: true'. Updated from -original version filed as RT#5891. - -diff -up krb5-1.8/src/aclocal.m4.dirsrv-accountlock krb5-1.8/src/aclocal.m4 ---- krb5-1.8/src/aclocal.m4.dirsrv-accountlock 2010-03-05 11:03:09.000000000 -0500 -+++ krb5-1.8/src/aclocal.m4 2010-03-05 11:03:10.000000000 -0500 -@@ -1656,6 +1656,15 @@ if test $with_ldap = yes; then - AC_MSG_NOTICE(enabling OpenLDAP database backend module support) - OPENLDAP_PLUGIN=yes - fi -+AC_ARG_WITH([dirsrv-account-locking], -+[ --with-dirsrv-account-locking compile 389/Red Hat/Fedora/Netscape Directory Server database backend module], -+[case "$withval" in -+ yes | no) ;; -+ *) AC_MSG_ERROR(Invalid option value --with-dirsrv-account-locking="$withval") ;; -+esac], with_dirsrv_account_locking=no) -+if test $with_dirsrv_account_locking = yes; then -+ AC_DEFINE(HAVE_DIRSRV_ACCOUNT_LOCKING,1,[Define if LDAP KDB interface should heed 389 DS's nsAccountLock attribute.]) -+fi - ])dnl - dnl - dnl If libkeyutils exists (on Linux) include it and use keyring ccache -diff -up krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c.dirsrv-accountlock krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c ---- krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c.dirsrv-accountlock 2009-11-24 18:52:25.000000000 -0500 -+++ krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c 2010-03-05 11:03:10.000000000 -0500 -@@ -1546,6 +1546,23 @@ populate_krb5_db_entry(krb5_context cont - ret = krb5_dbe_update_tl_data(context, entry, &userinfo_tl_data); - if (ret) - goto cleanup; -+#ifdef HAVE_DIRSRV_ACCOUNT_LOCKING -+ { -+ krb5_timestamp expiretime=0; -+ char *is_login_disabled=NULL; -+ -+ /* LOGIN DISABLED */ -+ ret = krb5_ldap_get_string(ld, ent, "nsAccountLock", &is_login_disabled, -+ &attr_present); -+ if (ret) -+ goto cleanup; -+ if (attr_present == TRUE) { -+ if (strcasecmp(is_login_disabled, "TRUE")== 0) -+ entry->attributes |= KRB5_KDB_DISALLOW_ALL_TIX; -+ free (is_login_disabled); -+ } -+ } -+#endif - - ret = krb5_read_tkt_policy(context, ldap_context, entry, tktpolname); - if (ret) - goto cleanup; -diff -up krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c.dirsrv-accountlock krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c ---- krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c.dirsrv-accountlock 2009-11-24 18:52:25.000000000 -0500 -+++ krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c 2010-03-05 11:03:10.000000000 -0500 -@@ -59,6 +59,9 @@ char *principal_attributes[] = { "kr - "krbLastFailedAuth", - "krbLoginFailedCount", - "krbLastSuccessfulAuth", -+#ifdef HAVE_DIRSRV_ACCOUNT_LOCKING -+ "nsAccountLock", -+#endif - "krbLastPwdChange", - "krbLastAdminUnlock", - "krbExtraData", diff --git a/krb5-1.13-selinux-label.patch b/krb5-1.13-selinux-label.patch deleted file mode 100644 index 1cd86c0..0000000 --- a/krb5-1.13-selinux-label.patch +++ /dev/null @@ -1,979 +0,0 @@ -SELinux bases access to files on the domain of the requesting process, -the operation being performed, and the context applied to the file. - -In many cases, applications needn't be SELinux aware to work properly, -because SELinux can apply a default label to a file based on the label -of the directory in which it's created. - -In the case of files such as /etc/krb5.keytab, however, this isn't -sufficient, as /etc/krb5.keytab will almost always need to be given a -label which differs from that of /etc/issue or /etc/resolv.conf. The -the kdb stash file needs a different label than the database for which -it's holding a master key, even though both typically live in the same -directory. - -To give the file the correct label, we can either force a "restorecon" -call to fix a file's label after it's created, or create the file with -the right label, as we attempt to do here. We lean on THREEPARAMOPEN -and define a similar macro named WRITABLEFOPEN with which we replace -several uses of fopen(). - -The file creation context that we're manipulating here is a process-wide -attribute. While for the most part, applications which need to label -files when they're created have tended to be single-threaded, there's -not much we can do to avoid interfering with an application that -manipulates the creation context directly. Right now we're mediating -access using a library-local mutex, but that can only work for consumers -that are part of this package -- an unsuspecting application will still -stomp all over us. - -The selabel APIs for looking up the context should be thread-safe (per -Red Hat #273081), so switching to using them instead of matchpathcon(), -which we used earlier, is some improvement. - ---- krb5/src/aclocal.m4 -+++ krb5/src/aclocal.m4 -@@ -103,6 +103,7 @@ AC_SUBST_FILE(libnodeps_frag) - dnl - KRB5_AC_PRAGMA_WEAK_REF - WITH_LDAP -+KRB5_WITH_SELINUX - KRB5_LIB_PARAMS - KRB5_AC_INITFINI - KRB5_AC_ENABLE_THREADS -@@ -1791,3 +1792,51 @@ AC_SUBST(manlocalstatedir) - AC_SUBST(PAM_MAN) - AC_SUBST(NON_PAM_MAN) - ])dnl -+dnl -+dnl Use libselinux to set file contexts on newly-created files. -+dnl -+AC_DEFUN(KRB5_WITH_SELINUX,[ -+AC_ARG_WITH(selinux,[AC_HELP_STRING(--with-selinux,[compile with SELinux labeling support])], -+ withselinux="$withval",withselinux=auto) -+old_LIBS="$LIBS" -+if test "$withselinux" != no ; then -+ AC_MSG_RESULT([checking for libselinux...]) -+ SELINUX_LIBS= -+ AC_CHECK_HEADERS(selinux/selinux.h selinux/label.h) -+ if test "x$ac_cv_header_selinux_selinux_h" != xyes ; then -+ if test "$withselinux" = auto ; then -+ AC_MSG_RESULT([Unable to locate selinux/selinux.h.]) -+ withselinux=no -+ else -+ AC_MSG_ERROR([Unable to locate selinux/selinux.h.]) -+ fi -+ fi -+ -+ LIBS= -+ unset ac_cv_func_setfscreatecon -+ AC_CHECK_FUNCS(setfscreatecon selabel_open) -+ if test "x$ac_cv_func_setfscreatecon" = xno ; then -+ AC_CHECK_LIB(selinux,setfscreatecon) -+ unset ac_cv_func_setfscreatecon -+ AC_CHECK_FUNCS(setfscreatecon selabel_open) -+ if test "x$ac_cv_func_setfscreatecon" = xyes ; then -+ SELINUX_LIBS="$LIBS" -+ else -+ if test "$withselinux" = auto ; then -+ AC_MSG_RESULT([Unable to locate libselinux.]) -+ withselinux=no -+ else -+ AC_MSG_ERROR([Unable to locate libselinux.]) -+ fi -+ fi -+ fi -+ if test "$withselinux" != no ; then -+ AC_MSG_NOTICE([building with SELinux labeling support]) -+ AC_DEFINE(USE_SELINUX,1,[Define if Kerberos-aware tools should set SELinux file contexts when creating files.]) -+ SELINUX_LIBS="$LIBS" -+ EXTRA_SUPPORT_SYMS="$EXTRA_SUPPORT_SYMS krb5int_labeled_open krb5int_labeled_fopen krb5int_push_fscreatecon_for krb5int_pop_fscreatecon" -+ fi -+fi -+LIBS="$old_LIBS" -+AC_SUBST(SELINUX_LIBS) -+])dnl ---- krb5/src/config/pre.in -+++ krb5/src/config/pre.in -@@ -180,6 +180,7 @@ LD_UNRESOLVED_PREFIX = @LD_UNRESOLVED_PREFIX@ - KRB_INCLUDES = -I$(BUILDTOP)/include -I$(top_srcdir)/include - LDFLAGS = @LDFLAGS@ - LIBS = @LIBS@ -+SELINUX_LIBS=@SELINUX_LIBS@ - - INSTALL=@INSTALL@ - INSTALL_STRIP= -@@ -379,7 +380,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME) - # HESIOD_LIBS is -lhesiod... - HESIOD_LIBS = @HESIOD_LIBS@ - --KRB5_BASE_LIBS = $(KRB5_LIB) $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) $(GEN_LIB) $(LIBS) $(DL_LIB) -+KRB5_BASE_LIBS = $(KRB5_LIB) $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) $(GEN_LIB) $(LIBS) $(SELINUX_LIBS) $(DL_LIB) - KDB5_LIBS = $(KDB5_LIB) $(GSSRPC_LIBS) - GSS_LIBS = $(GSS_KRB5_LIB) - # needs fixing if ever used on Mac OS X! ---- krb5/src/configure.in -+++ krb5/src/configure.in -@@ -1053,6 +1053,8 @@ fi - - KRB5_WITH_PAM - -+KRB5_WITH_SELINUX -+ - # Make localedir work in autoconf 2.5x. - if test "${localedir+set}" != set; then - localedir='$(datadir)/locale' ---- krb5/src/include/k5-int.h -+++ krb5/src/include/k5-int.h -@@ -129,6 +129,7 @@ typedef unsigned char u_char; - - - #include "k5-platform.h" -+#include "k5-label.h" - - #define KRB5_KDB_MAX_LIFE (60*60*24) /* one day */ - #define KRB5_KDB_MAX_RLIFE (60*60*24*7) /* one week */ ---- krb5/src/include/k5-label.h -+++ krb5/src/include/k5-label.h -@@ -0,0 +1,32 @@ -+#ifndef _KRB5_LABEL_H -+#define _KRB5_LABEL_H -+ -+#ifdef THREEPARAMOPEN -+#undef THREEPARAMOPEN -+#endif -+#ifdef WRITABLEFOPEN -+#undef WRITABLEFOPEN -+#endif -+ -+/* Wrapper functions which help us create files and directories with the right -+ * context labels. */ -+#ifdef USE_SELINUX -+#include -+#include -+#include -+#include -+#include -+FILE *krb5int_labeled_fopen(const char *path, const char *mode); -+int krb5int_labeled_creat(const char *path, mode_t mode); -+int krb5int_labeled_open(const char *path, int flags, ...); -+int krb5int_labeled_mkdir(const char *path, mode_t mode); -+int krb5int_labeled_mknod(const char *path, mode_t mode, dev_t device); -+#define THREEPARAMOPEN(x,y,z) krb5int_labeled_open(x,y,z) -+#define WRITABLEFOPEN(x,y) krb5int_labeled_fopen(x,y) -+void *krb5int_push_fscreatecon_for(const char *pathname); -+void krb5int_pop_fscreatecon(void *previous); -+#else -+#define WRITABLEFOPEN(x,y) fopen(x,y) -+#define THREEPARAMOPEN(x,y,z) open(x,y,z) -+#endif -+#endif ---- krb5/src/include/krb5/krb5.hin -+++ krb5/src/include/krb5/krb5.hin -@@ -87,6 +87,12 @@ - #define THREEPARAMOPEN(x,y,z) open(x,y,z) - #endif - -+#if KRB5_PRIVATE -+#ifndef WRITABLEFOPEN -+#define WRITABLEFOPEN(x,y) fopen(x,y) -+#endif -+#endif -+ - #define KRB5_OLD_CRYPTO - - #include ---- krb5/src/kadmin/dbutil/dump.c -+++ krb5/src/kadmin/dbutil/dump.c -@@ -376,12 +376,21 @@ create_ofile(char *ofile, char **tmpname - { - int fd = -1; - FILE *f; -+#ifdef USE_SELINUX -+ void *selabel; -+#endif - - *tmpname = NULL; - if (asprintf(tmpname, "%s-XXXXXX", ofile) < 0) - goto error; - -+#ifdef USE_SELINUX -+ selabel = krb5int_push_fscreatecon_for(ofile); -+#endif - fd = mkstemp(*tmpname); -+#ifdef USE_SELINUX -+ krb5int_pop_fscreatecon(selabel); -+#endif - if (fd == -1) - goto error; - -@@ -514,7 +514,7 @@ prep_ok_file(krb5_context context, char - return 0; - } - -- *fd = open(file_ok, O_WRONLY | O_CREAT | O_TRUNC, 0600); -+ *fd = THREEPARAMOPEN(file_ok, O_WRONLY | O_CREAT | O_TRUNC, 0600); - if (*fd == -1) { - com_err(progname, errno, _("while creating 'ok' file, '%s'"), file_ok); - exit_status++; ---- krb5/src/build-tools/krb5-config.in -+++ krb5/src/build-tools/krb5-config.in -@@ -38,6 +38,7 @@ RPATH_FLAG='@RPATH_FLAG@' - DEFCCNAME='@DEFCCNAME@' - DEFKTNAME='@DEFKTNAME@' - DEFCKTNAME='@DEFCKTNAME@' -+SELINUX_LIBS='@SELINUX_LIBS@' - - LIBS='@LIBS@' - GEN_LIB=@GEN_LIB@ -@@ -218,7 +219,7 @@ - fi - - # If we ever support a flag to generate output suitable for static -- # linking, we would output "-lkrb5support $GEN_LIB $LIBS $DL_LIB" -+ # linking, we would output "-lkrb5support $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB" - # here. - - echo $lib_flags ---- krb5/src/lib/kadm5/logger.c -+++ krb5/src/lib/kadm5/logger.c -@@ -425,7 +425,7 @@ krb5_klog_init(krb5_context kcontext, ch - * Check for append/overwrite, then open the file. - */ - if (cp[4] == ':' || cp[4] == '=') { -- f = fopen(&cp[5], (cp[4] == ':') ? "a" : "w"); -+ f = WRITABLEFOPEN(&cp[5], (cp[4] == ':') ? "a" : "w"); - if (f) { - set_cloexec_file(f); - log_control.log_entries[i].lfu_filep = f; -@@ -961,7 +961,7 @@ krb5_klog_reopen(krb5_context kcontext) - * In case the old logfile did not get moved out of the - * way, open for append to prevent squashing the old logs. - */ -- f = fopen(log_control.log_entries[lindex].lfu_fname, "a+"); -+ f = WRITABLEFOPEN(log_control.log_entries[lindex].lfu_fname, "a+"); - if (f) { - set_cloexec_file(f); - log_control.log_entries[lindex].lfu_filep = f; ---- krb5/src/lib/krb5/keytab/kt_file.c -+++ krb5/src/lib/krb5/keytab/kt_file.c -@@ -1050,7 +1050,7 @@ krb5_ktfileint_open(krb5_context context - - KTCHECKLOCK(id); - errno = 0; -- KTFILEP(id) = fopen(KTFILENAME(id), -+ KTFILEP(id) = WRITABLEFOPEN(KTFILENAME(id), - (mode == KRB5_LOCKMODE_EXCLUSIVE) ? - fopen_mode_rbplus : fopen_mode_rb); - if (!KTFILEP(id)) { -@@ -1058,7 +1058,7 @@ krb5_ktfileint_open(krb5_context context - /* try making it first time around */ - k5_create_secure_file(context, KTFILENAME(id)); - errno = 0; -- KTFILEP(id) = fopen(KTFILENAME(id), fopen_mode_rbplus); -+ KTFILEP(id) = WRITABLEFOPEN(KTFILENAME(id), fopen_mode_rbplus); - if (!KTFILEP(id)) - goto report_errno; - writevno = 1; ---- krb5/src/plugins/kdb/db2/adb_openclose.c -+++ krb5/src/plugins/kdb/db2/adb_openclose.c -@@ -201,7 +201,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char - * POSIX systems - */ - lockp->lockinfo.filename = strdup(lockfilename); -- if ((lockp->lockinfo.lockfile = fopen(lockfilename, "r+")) == NULL) { -+ if ((lockp->lockinfo.lockfile = WRITABLEFOPEN(lockfilename, "r+")) == NULL) { - /* - * maybe someone took away write permission so we could only - * get shared locks? ---- krb5/src/plugins/kdb/db2/libdb2/btree/bt_open.c -+++ krb5/src/plugins/kdb/db2/libdb2/btree/bt_open.c -@@ -60,6 +60,7 @@ static char sccsid[] = "@(#)bt_open.c 8. - #include - #include - -+#include "k5-int.h" - #include "db-int.h" - #include "btree.h" - -@@ -203,7 +204,7 @@ __bt_open(fname, flags, mode, openinfo, - goto einval; - } - -- if ((t->bt_fd = open(fname, flags | O_BINARY, mode)) < 0) -+ if ((t->bt_fd = THREEPARAMOPEN(fname, flags | O_BINARY, mode)) < 0) - goto err; - - } else { ---- krb5/src/plugins/kdb/db2/libdb2/hash/hash.c -+++ krb5/src/plugins/kdb/db2/libdb2/hash/hash.c -@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)hash.c 8.12 - #include - #endif - -+#include "k5-int.h" - #include "db-int.h" - #include "hash.h" - #include "page.h" -@@ -140,7 +141,7 @@ __kdb2_hash_open(file, flags, mode, info - new_table = 1; - } - if (file) { -- if ((hashp->fp = open(file, flags|O_BINARY, mode)) == -1) -+ if ((hashp->fp = THREEPARAMOPEN(file, flags|O_BINARY, mode)) == -1) - RETURN_ERROR(errno, error0); - (void)fcntl(hashp->fp, F_SETFD, 1); - } ---- krb5/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c -+++ krb5/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c -@@ -179,7 +179,7 @@ done: - - /* set password in the file */ - old_mode = umask(0177); -- pfile = fopen(file_name, "a+"); -+ pfile = WRITABLEFOPEN(file_name, "a+"); - if (pfile == NULL) { - com_err(me, errno, _("Failed to open file %s: %s"), file_name, - strerror (errno)); -@@ -220,6 +220,9 @@ done: - * Delete the existing entry and add the new entry - */ - FILE *newfile; -+#ifdef USE_SELINUX -+ void *selabel; -+#endif - - mode_t omask; - -@@ -231,7 +234,13 @@ done: - } - - omask = umask(077); -+#ifdef USE_SELINUX -+ selabel = krb5int_push_fscreatecon_for(file_name); -+#endif - newfile = fopen(tmp_file, "w"); -+#ifdef USE_SELINUX -+ krb5int_pop_fscreatecon(selabel); -+#endif - umask (omask); - if (newfile == NULL) { - com_err(me, errno, _("Error creating file %s"), tmp_file); ---- krb5/src/slave/kpropd.c -+++ krb5/src/slave/kpropd.c -@@ -437,6 +437,9 @@ void doit(fd) - krb5_enctype etype; - int database_fd; - char host[INET6_ADDRSTRLEN + 1]; -+#ifdef USE_SELINUX -+ void *selabel; -+#endif - - signal_wrapper(SIGALRM, alarm_handler); - alarm(params.iprop_resync_timeout); -@@ -515,9 +518,15 @@ void doit(fd) - free(name); - exit(1); - } -+#ifdef USE_SELINUX -+ selabel = krb5int_push_fscreatecon_for(file); -+#endif - omask = umask(077); - lock_fd = open(temp_file_name, O_RDWR | O_CREAT, 0600); - (void)umask(omask); -+#ifdef USE_SELINUX -+ krb5int_pop_fscreatecon(selabel); -+#endif - retval = krb5_lock_file(kpropd_context, lock_fd, - KRB5_LOCKMODE_EXCLUSIVE | KRB5_LOCKMODE_DONTBLOCK); - if (retval) { ---- krb5/src/util/profile/prof_file.c -+++ krb5/src/util/profile/prof_file.c -@@ -30,6 +30,7 @@ - #endif - - #include "k5-platform.h" -+#include "k5-label.h" - - struct global_shared_profile_data { - /* This is the head of the global list of shared trees */ -@@ -418,7 +419,7 @@ static errcode_t write_data_to_file(prf_ - - errno = 0; - -- f = fopen(new_file, "w"); -+ f = WRITABLEFOPEN(new_file, "w"); - if (!f) { - retval = errno; - if (retval == 0) ---- krb5/src/util/support/Makefile.in -+++ krb5/src/util/support/Makefile.in -@@ -54,6 +54,7 @@ IPC_SYMS= \ - - STLIBOBJS= \ - threads.o \ -+ selinux.o \ - init-addrinfo.o \ - plugins.o \ - errors.o \ -@@ -108,7 +109,7 @@ SRCS=\ - - SHLIB_EXPDEPS = - # Add -lm if dumping thread stats, for sqrt. --SHLIB_EXPLIBS= $(LIBS) $(DL_LIB) -+SHLIB_EXPLIBS= $(LIBS) $(SELINUX_LIBS) $(DL_LIB) - - DEPLIBS= - ---- krb5/src/util/support/selinux.c -+++ krb5/src/util/support/selinux.c -@@ -0,0 +1,381 @@ -+/* -+ * Copyright 2007,2008,2009,2011,2012,2013 Red Hat, Inc. All Rights Reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions are met: -+ * -+ * Redistributions of source code must retain the above copyright notice, this -+ * list of conditions and the following disclaimer. -+ * -+ * Redistributions in binary form must reproduce the above copyright notice, -+ * this list of conditions and the following disclaimer in the documentation -+ * and/or other materials provided with the distribution. -+ * -+ * Neither the name of Red Hat, Inc. nor the names of its contributors may be -+ * used to endorse or promote products derived from this software without -+ * specific prior written permission. -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" -+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE -+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR -+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF -+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS -+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN -+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE -+ * POSSIBILITY OF SUCH DAMAGE. -+ * -+ * File-opening wrappers for creating correctly-labeled files. So far, we can -+ * assume that this is Linux-specific, so we make many simplifying assumptions. -+ */ -+ -+#include "../../include/autoconf.h" -+ -+#ifdef USE_SELINUX -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#ifdef HAVE_SELINUX_LABEL_H -+#include -+#endif -+ -+/* #define DEBUG 1 */ -+ -+/* Mutex used to serialize use of the process-global file creation context. */ -+k5_mutex_t labeled_mutex = K5_MUTEX_PARTIAL_INITIALIZER; -+ -+/* Make sure we finish initializing that mutex before attempting to use it. */ -+k5_once_t labeled_once = K5_ONCE_INIT; -+static void -+label_mutex_init(void) -+{ -+ k5_mutex_finish_init(&labeled_mutex); -+} -+ -+#ifdef HAVE_SELINUX_LABEL_H -+static struct selabel_handle *selabel_ctx; -+static time_t selabel_last_changed; -+ -+MAKE_FINI_FUNCTION(cleanup_fscreatecon); -+ -+static void -+cleanup_fscreatecon(void) -+{ -+ if (selabel_ctx != NULL) { -+ selabel_close(selabel_ctx); -+ selabel_ctx = NULL; -+ } -+} -+#endif -+ -+static security_context_t -+push_fscreatecon(const char *pathname, mode_t mode) -+{ -+ security_context_t previous, configuredsc, currentsc, derivedsc; -+ context_t current, derived; -+ const char *fullpath, *currentuser; -+ -+ previous = NULL; -+ if (is_selinux_enabled()) { -+ if (getfscreatecon(&previous) == 0) { -+ char *genpath; -+ genpath = NULL; -+ if (pathname[0] != '/') { -+ char *wd; -+ size_t len; -+ len = 0; -+ wd = getcwd(NULL, len); -+ if (wd == NULL) { -+ if (previous != NULL) { -+ freecon(previous); -+ } -+ return NULL; -+ } -+ len = strlen(wd) + 1 + strlen(pathname) + 1; -+ genpath = malloc(len); -+ if (genpath == NULL) { -+ free(wd); -+ if (previous != NULL) { -+ freecon(previous); -+ } -+ return NULL; -+ } -+ sprintf(genpath, "%s/%s", wd, pathname); -+ free(wd); -+ fullpath = genpath; -+ } else { -+ fullpath = pathname; -+ } -+#ifdef DEBUG -+ if (isatty(fileno(stderr))) { -+ fprintf(stderr, "Looking up context for " -+ "\"%s\"(%05o).\n", fullpath, mode); -+ } -+#endif -+ configuredsc = NULL; -+#ifdef HAVE_SELINUX_LABEL_H -+ if ((selabel_ctx != NULL) || -+ (selabel_last_changed == 0)) { -+ const char *cpath; -+ struct stat st; -+ int i = -1; -+ cpath = selinux_file_context_path(); -+ if ((cpath == NULL) || -+ ((i = stat(cpath, &st)) != 0) || -+ (st.st_mtime != selabel_last_changed)) { -+ if (selabel_ctx != NULL) { -+ selabel_close(selabel_ctx); -+ selabel_ctx = NULL; -+ } -+ selabel_last_changed = i ? -+ time(NULL) : -+ st.st_mtime; -+ } -+ } -+ if (selabel_ctx == NULL) { -+ selabel_ctx = selabel_open(SELABEL_CTX_FILE, -+ NULL, 0); -+ } -+ if (selabel_ctx != NULL) { -+ if (selabel_lookup(selabel_ctx, &configuredsc, -+ fullpath, mode) != 0) { -+ free(genpath); -+ if (previous != NULL) { -+ freecon(previous); -+ } -+ return NULL; -+ } -+ } -+#else -+ if (matchpathcon(fullpath, mode, &configuredsc) != 0) { -+ free(genpath); -+ if (previous != NULL) { -+ freecon(previous); -+ } -+ return NULL; -+ } -+#endif -+ free(genpath); -+ if (configuredsc == NULL) { -+ if (previous != NULL) { -+ freecon(previous); -+ } -+ return NULL; -+ } -+ currentsc = NULL; -+ getcon(¤tsc); -+ if (currentsc != NULL) { -+ derived = context_new(configuredsc); -+ if (derived != NULL) { -+ current = context_new(currentsc); -+ if (current != NULL) { -+ currentuser = context_user_get(current); -+ if (currentuser != NULL) { -+ if (context_user_set(derived, -+ currentuser) == 0) { -+ derivedsc = context_str(derived); -+ if (derivedsc != NULL) { -+ freecon(configuredsc); -+ configuredsc = strdup(derivedsc); -+ } -+ } -+ } -+ context_free(current); -+ } -+ context_free(derived); -+ } -+ freecon(currentsc); -+ } -+#ifdef DEBUG -+ if (isatty(fileno(stderr))) { -+ fprintf(stderr, "Setting file creation context " -+ "to \"%s\".\n", configuredsc); -+ } -+#endif -+ if (setfscreatecon(configuredsc) != 0) { -+ freecon(configuredsc); -+ if (previous != NULL) { -+ freecon(previous); -+ } -+ return NULL; -+ } -+ freecon(configuredsc); -+#ifdef DEBUG -+ } else { -+ if (isatty(fileno(stderr))) { -+ fprintf(stderr, "Unable to determine " -+ "current context.\n"); -+ } -+#endif -+ } -+ } -+ return previous; -+} -+ -+static void -+pop_fscreatecon(security_context_t previous) -+{ -+ if (is_selinux_enabled()) { -+#ifdef DEBUG -+ if (isatty(fileno(stderr))) { -+ if (previous != NULL) { -+ fprintf(stderr, "Resetting file creation " -+ "context to \"%s\".\n", previous); -+ } else { -+ fprintf(stderr, "Resetting file creation " -+ "context to default.\n"); -+ } -+ } -+#endif -+ setfscreatecon(previous); -+ if (previous != NULL) { -+ freecon(previous); -+ } -+ } -+} -+ -+void * -+krb5int_push_fscreatecon_for(const char *pathname) -+{ -+ struct stat st; -+ void *retval; -+ k5_once(&labeled_once, label_mutex_init); -+ k5_mutex_lock(&labeled_mutex); -+ if (stat(pathname, &st) != 0) { -+ st.st_mode = S_IRUSR | S_IWUSR; -+ } -+ retval = push_fscreatecon(pathname, st.st_mode); -+ return retval ? retval : (void *) -1; -+} -+ -+void -+krb5int_pop_fscreatecon(void *con) -+{ -+ if (con != NULL) { -+ pop_fscreatecon((con == (void *) -1) ? NULL : con); -+ k5_mutex_unlock(&labeled_mutex); -+ } -+} -+ -+FILE * -+krb5int_labeled_fopen(const char *path, const char *mode) -+{ -+ FILE *fp; -+ int errno_save; -+ security_context_t ctx; -+ -+ if ((strcmp(mode, "r") == 0) || -+ (strcmp(mode, "rb") == 0)) { -+ return fopen(path, mode); -+ } -+ -+ k5_once(&labeled_once, label_mutex_init); -+ k5_mutex_lock(&labeled_mutex); -+ ctx = push_fscreatecon(path, 0); -+ fp = fopen(path, mode); -+ errno_save = errno; -+ pop_fscreatecon(ctx); -+ k5_mutex_unlock(&labeled_mutex); -+ errno = errno_save; -+ return fp; -+} -+ -+int -+krb5int_labeled_creat(const char *path, mode_t mode) -+{ -+ int fd; -+ int errno_save; -+ security_context_t ctx; -+ -+ k5_once(&labeled_once, label_mutex_init); -+ k5_mutex_lock(&labeled_mutex); -+ ctx = push_fscreatecon(path, 0); -+ fd = creat(path, mode); -+ errno_save = errno; -+ pop_fscreatecon(ctx); -+ k5_mutex_unlock(&labeled_mutex); -+ errno = errno_save; -+ return fd; -+} -+ -+int -+krb5int_labeled_mknod(const char *path, mode_t mode, dev_t dev) -+{ -+ int ret; -+ int errno_save; -+ security_context_t ctx; -+ -+ k5_once(&labeled_once, label_mutex_init); -+ k5_mutex_lock(&labeled_mutex); -+ ctx = push_fscreatecon(path, mode); -+ ret = mknod(path, mode, dev); -+ errno_save = errno; -+ pop_fscreatecon(ctx); -+ k5_mutex_unlock(&labeled_mutex); -+ errno = errno_save; -+ return ret; -+} -+ -+int -+krb5int_labeled_mkdir(const char *path, mode_t mode) -+{ -+ int ret; -+ int errno_save; -+ security_context_t ctx; -+ -+ k5_once(&labeled_once, label_mutex_init); -+ k5_mutex_lock(&labeled_mutex); -+ ctx = push_fscreatecon(path, S_IFDIR); -+ ret = mkdir(path, mode); -+ errno_save = errno; -+ pop_fscreatecon(ctx); -+ k5_mutex_unlock(&labeled_mutex); -+ errno = errno_save; -+ return ret; -+} -+ -+int -+krb5int_labeled_open(const char *path, int flags, ...) -+{ -+ int fd; -+ int errno_save; -+ security_context_t ctx; -+ mode_t mode; -+ va_list ap; -+ -+ if ((flags & O_CREAT) == 0) { -+ return open(path, flags); -+ } -+ -+ k5_once(&labeled_once, label_mutex_init); -+ k5_mutex_lock(&labeled_mutex); -+ ctx = push_fscreatecon(path, 0); -+ -+ va_start(ap, flags); -+ mode = va_arg(ap, mode_t); -+ fd = open(path, flags, mode); -+ va_end(ap); -+ -+ errno_save = errno; -+ pop_fscreatecon(ctx); -+ k5_mutex_unlock(&labeled_mutex); -+ errno = errno_save; -+ return fd; -+} -+ -+#endif ---- krb5/src/lib/krb5/rcache/rc_dfl.c -+++ krb5/src/lib/krb5/rcache/rc_dfl.c -@@ -813,6 +813,9 @@ krb5_rc_dfl_expunge_locked(krb5_context - krb5_error_code retval = 0; - krb5_rcache tmp; - krb5_deltat lifespan = t->lifespan; /* save original lifespan */ -+#ifdef USE_SELINUX -+ void *selabel; -+#endif - - if (! t->recovering) { - name = t->name; -@@ -834,7 +837,17 @@ krb5_rc_dfl_expunge_locked(krb5_context - retval = krb5_rc_resolve(context, tmp, 0); - if (retval) - goto cleanup; -+#ifdef USE_SELINUX -+ if (t->d.fn != NULL) -+ selabel = krb5int_push_fscreatecon_for(t->d.fn); -+ else -+ selabel = NULL; -+#endif - retval = krb5_rc_initialize(context, tmp, lifespan); -+#ifdef USE_SELINUX -+ if (selabel != NULL) -+ krb5int_pop_fscreatecon(selabel); -+#endif - if (retval) - goto cleanup; - for (q = t->a; q; q = q->na) { ---- krb5/src/lib/krb5/ccache/cc_dir.c -+++ krb5/src/lib/krb5/ccache/cc_dir.c -@@ -185,10 +185,19 @@ write_primary_file(const char *primary_p - char *newpath = NULL; - FILE *fp = NULL; - int fd = -1, status; -+#ifdef USE_SELINUX -+ void *selabel; -+#endif - - if (asprintf(&newpath, "%s.XXXXXX", primary_path) < 0) - return ENOMEM; -+#ifdef USE_SELINUX -+ selabel = krb5int_push_fscreatecon_for(primary_path); -+#endif - fd = mkstemp(newpath); -+#ifdef USE_SELINUX -+ krb5int_pop_fscreatecon(selabel); -+#endif - if (fd < 0) - goto cleanup; - #ifdef HAVE_CHMOD -@@ -223,10 +232,23 @@ - verify_dir(krb5_context context, const char *dirname) - { - struct stat st; -+ int status; -+#ifdef USE_SELINUX -+ void *selabel; -+#endif - - if (stat(dirname, &st) < 0) { -- if (errno == ENOENT && mkdir(dirname, S_IRWXU) == 0) -- return 0; -+ if (errno == ENOENT) { -+#ifdef USE_SELINUX -+ selabel = krb5int_push_fscreatecon_for(dirname); -+#endif -+ status = mkdir(dirname, S_IRWXU); -+#ifdef USE_SELINUX -+ krb5int_pop_fscreatecon(selabel); -+#endif -+ if (status == 0) -+ return 0; -+ } - k5_setmsg(context, KRB5_FCC_NOFILE, - _("Credential cache directory %s does not exist"), - dirname); ---- krb5/src/lib/krb5/os/trace.c -+++ krb5/src/lib/krb5/os/trace.c -@@ -401,7 +401,7 @@ krb5_set_trace_filename(krb5_context con - fd = malloc(sizeof(*fd)); - if (fd == NULL) - return ENOMEM; -- *fd = open(filename, O_WRONLY|O_CREAT|O_APPEND, 0600); -+ *fd = THREEPARAMOPEN(filename, O_WRONLY|O_CREAT|O_APPEND, 0600); - if (*fd == -1) { - free(fd); - return errno; ---- krb5/src/plugins/kdb/db2/kdb_db2.c -+++ krb5/src/plugins/kdb/db2/kdb_db2.c -@@ -683,8 +683,8 @@ - if (retval) - return retval; - -- dbc->db_lf_file = open(dbc->db_lf_name, O_CREAT | O_RDWR | O_TRUNC, -- 0600); -+ dbc->db_lf_file = THREEPARAMOPEN(dbc->db_lf_name, -+ O_CREAT | O_RDWR | O_TRUNC, 0600); - if (dbc->db_lf_file < 0) { - retval = errno; - goto cleanup; ---- krb5/src/plugins/kdb/db2/libdb2/recno/rec_open.c -+++ krb5/src/plugins/kdb/db2/libdb2/recno/rec_open.c -@@ -51,6 +51,7 @@ - #include - #include - -+#include "k5-int.h" - #include "db-int.h" - #include "recno.h" - -@@ -68,7 +69,8 @@ - int rfd = -1, sverrno; - - /* Open the user's file -- if this fails, we're done. */ -- if (fname != NULL && (rfd = open(fname, flags | O_BINARY, mode)) < 0) -+ if (fname != NULL && -+ (rfd = THREEPARAMOPEN(fname, flags | O_BINARY, mode)) < 0) - return (NULL); - - if (fname != NULL && fcntl(rfd, F_SETFD, 1) == -1) { ---- krb5/src/kdc/main.c -+++ krb5/src/kdc/main.c -@@ -905,7 +905,7 @@ write_pid_file(const char *path) - FILE *file; - unsigned long pid; - -- file = fopen(path, "w"); -+ file = WRITABLEFOPEN(path, "w"); - if (file == NULL) - return errno; - pid = (unsigned long) getpid(); ---- krb5/src/lib/kdb/kdb_log.c -+++ krb5/src/lib/kdb/kdb_log.c -@@ -456,7 +456,7 @@ ulog_map(krb5_context context, const cha - int ulogfd = -1; - - if (stat(logname, &st) == -1) { -- ulogfd = open(logname, O_RDWR | O_CREAT, 0600); -+ ulogfd = THREEPARAMOPEN(logname, O_RDWR | O_CREAT, 0600); - if (ulogfd == -1) - return errno; - ---- krb5/src/util/gss-kernel-lib/Makefile.in -+++ krb5/src/util/gss-kernel-lib/Makefile.in -@@ -60,6 +60,7 @@ HEADERS= \ - gssapi_err_generic.h \ - k5-int.h \ - k5-int-pkinit.h \ -+ k5-label.h \ - k5-thread.h \ - k5-platform.h \ - k5-buf.h \ -@@ -166,10 +167,12 @@ gssapi_generic.h: $(GSS_GENERIC)/gssapi_ - $(CP) $(GSS_GENERIC)/gssapi_generic.h $@ - gssapi_err_generic.h: $(GSS_GENERIC_BUILD)/gssapi_err_generic.h - $(CP) $(GSS_GENERIC_BUILD)/gssapi_err_generic.h $@ --k5-int.h: $(INCLUDE)/k5-int.h -+k5-int.h: $(INCLUDE)/k5-int.h k5-label.h - $(CP) $(INCLUDE)/k5-int.h $@ - k5-int-pkinit.h: $(INCLUDE)/k5-int-pkinit.h - $(CP) $(INCLUDE)/k5-int-pkinit.h $@ -+k5-label.h: $(INCLUDE)/k5-label.h -+ $(CP) $(INCLUDE)/k5-label.h $@ - k5-thread.h: $(INCLUDE)/k5-thread.h - $(CP) $(INCLUDE)/k5-thread.h $@ - k5-platform.h: $(INCLUDE)/k5-platform.h diff --git a/krb5-1.13.3-bindresvport_sa_port_byte_swap_bug_triggering_selinux_avc_denial.patch b/krb5-1.13.3-bindresvport_sa_port_byte_swap_bug_triggering_selinux_avc_denial.patch deleted file mode 100644 index fc3101f..0000000 --- a/krb5-1.13.3-bindresvport_sa_port_byte_swap_bug_triggering_selinux_avc_denial.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 0e65104d521d29664c129c1cf5e918bf54ac055e Mon Sep 17 00:00:00 2001 -From: Greg Hudson -Date: Tue, 19 May 2015 10:38:51 -0400 -Subject: [PATCH] Fix bindresvport_sa port byte swap bug - -The sa_setport() helper handles conversion to network byte order, so -bindresvport_sa() should not itself call htons() on the port argument. - -(This bug was introduced in commit -0d04b60d159ab83b943e43802b1449a3b074bc83 when adding -bindresvport_sa(). It was my fault, not Andreas Schneider's.) - -ticket: 8197 (new) -target_version: 1.13.3 -tags: pullup ---- - src/lib/rpc/bindresvport.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/lib/rpc/bindresvport.c b/src/lib/rpc/bindresvport.c -index ccc4d73..a421dd8 100644 ---- a/src/lib/rpc/bindresvport.c -+++ b/src/lib/rpc/bindresvport.c -@@ -76,7 +76,7 @@ bindresvport_sa(int sd, struct sockaddr *sa) - res = -1; - errno = EADDRINUSE; - for (i = 0; i < NPORTS && res < 0 && errno == EADDRINUSE; i++) { -- sa_setport(sa, htons(port++)); -+ sa_setport(sa, port++); - if (port > ENDPORT) { - port = STARTPORT; - } diff --git a/krb5-1.14-Support-KDC_ERR_MORE_PREAUTH_DATA_REQUIRED.patch b/krb5-1.14-Support-KDC_ERR_MORE_PREAUTH_DATA_REQUIRED.patch deleted file mode 100644 index 7757885..0000000 --- a/krb5-1.14-Support-KDC_ERR_MORE_PREAUTH_DATA_REQUIRED.patch +++ /dev/null @@ -1,142 +0,0 @@ -From 95c3cab051aa1b8b4f7eb309bf135e8f51665baa Mon Sep 17 00:00:00 2001 -From: Nathaniel McCallum -Date: Sun, 25 Jan 2015 16:53:49 -0500 -Subject: [PATCH] Support KDC_ERR_MORE_PREAUTH_DATA_REQUIRED - -Add support for multi-hop preauth mechs. - -In the KDC, allow kdcpreauth modules to return -KDC_ERR_MORE_PREAUTH_DATA_REQUIRED as defined in RFC 6113. - -In libkrb5, treat this code like KDC_ERR_PREAUTH_REQUIRED. clpreauth -modules can use the modreq parameter to distinguish between the first -and subsequent KDC messages. We assume that the error padata will -include an element of the preauth mech's type, or at least of a type -recognized by the clpreauth module. - -Also reset the list of previously attempted preauth types for both -kinds of errors. That list is really only appropriate for retrying -after a failed preauth attempt, which we don't currently do. Add an -intermediate variable for the reply code to avoid a long conditional -expression. - -[ghudson@mit.edu: adjust get_in_tkt.c logic to avoid needing a helper -function; clarify commit message] - -ticket: 8063 (new) ---- - doc/plugindev/clpreauth.rst | 6 +++--- - src/include/k5-int.h | 1 + - src/kdc/kdc_preauth.c | 2 ++ - src/lib/krb5/error_tables/krb5_err.et | 2 +- - src/lib/krb5/krb/get_in_tkt.c | 13 ++++++++----- - 5 files changed, 15 insertions(+), 9 deletions(-) - -diff --git a/doc/plugindev/clpreauth.rst b/doc/plugindev/clpreauth.rst -index c3e7298..38aa52e 100644 ---- a/doc/plugindev/clpreauth.rst -+++ b/doc/plugindev/clpreauth.rst -@@ -21,9 +21,9 @@ A clpreauth module is generally responsible for: - just returns ``PA_REAL``, indicating that it implements a normal - preauthentication type. - --* Examining the padata information included in the preauth_required -- error and producing padata values for the next AS request. This is -- done with the **process** method. -+* Examining the padata information included in a PREAUTH_REQUIRED or -+ MORE_PREAUTH_DATA_REQUIRED error and producing padata values for the -+ next AS request. This is done with the **process** method. - - * Examining the padata information included in a successful ticket - reply, possibly verifying the KDC identity and computing a reply -diff --git a/src/include/k5-int.h b/src/include/k5-int.h -index a1ea25a..4868e7d 100644 ---- a/src/include/k5-int.h -+++ b/src/include/k5-int.h -@@ -391,6 +391,7 @@ typedef unsigned char u_char; - not find a KDC */ - #define KRB_AP_ERR_IAKERB_KDC_NO_RESPONSE 86 /* The KDC did not respond - to the IAKERB proxy */ -+#define KDC_ERR_MORE_PREAUTH_DATA_REQUIRED 91 /* RFC 6113 */ - #define KRB_ERR_MAX 127 /* err table base max offset for protocol err codes */ - - /* -diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c -index 50cc252..dd83844 100644 ---- a/src/kdc/kdc_preauth.c -+++ b/src/kdc/kdc_preauth.c -@@ -1000,6 +1000,8 @@ finish_check_padata(struct padata_state *state, krb5_error_code code) - case KRB5KDC_ERR_DISCARD: - /* pkinit alg-agility */ - case KRB5KDC_ERR_NO_ACCEPTABLE_KDF: -+ /* rfc 6113 */ -+ case KRB5KDC_ERR_MORE_PREAUTH_DATA_REQUIRED: - (*oldrespond)(oldarg, code); - return; - default: -diff --git a/src/lib/krb5/error_tables/krb5_err.et b/src/lib/krb5/error_tables/krb5_err.et -index 5c6f10b..7ba7c1e 100644 ---- a/src/lib/krb5/error_tables/krb5_err.et -+++ b/src/lib/krb5/error_tables/krb5_err.et -@@ -132,7 +132,7 @@ error_code KRB5PLACEHOLD_87, "KRB5 error code 87" - error_code KRB5PLACEHOLD_88, "KRB5 error code 88" - error_code KRB5PLACEHOLD_89, "KRB5 error code 89" - error_code KRB5PLACEHOLD_90, "KRB5 error code 90" --error_code KRB5PLACEHOLD_91, "KRB5 error code 91" -+error_code KRB5KDC_ERR_MORE_PREAUTH_DATA_REQUIRED, "More preauthentication data is required" - error_code KRB5PLACEHOLD_92, "KRB5 error code 92" - error_code KRB5KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTION, "An unsupported critical FAST option was requested" - error_code KRB5PLACEHOLD_94, "KRB5 error code 94" -diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c -index f9bc027..fa8afcc 100644 ---- a/src/lib/krb5/krb/get_in_tkt.c -+++ b/src/lib/krb5/krb/get_in_tkt.c -@@ -1239,7 +1239,8 @@ init_creds_step_request(krb5_context context, - clear_cc_config_out_data(context, ctx); - - if (ctx->err_reply == NULL) { -- /* either our first attempt, or retrying after PREAUTH_NEEDED */ -+ /* Either our first attempt, or retrying after KDC_ERR_PREAUTH_REQUIRED -+ * or KDC_ERR_MORE_PREAUTH_DATA_REQUIRED. */ - code = k5_preauth(context, ctx, ctx->preauth_to_use, - ctx->preauth_required, &ctx->request->padata, - &ctx->selected_preauth_type); -@@ -1408,6 +1409,7 @@ init_creds_step_reply(krb5_context context, - krb5_preauthtype kdc_pa_type; - krb5_boolean retry = FALSE; - int canon_flag = 0; -+ uint32_t reply_code; - krb5_keyblock *strengthen_key = NULL; - krb5_keyblock encrypting_key; - krb5_boolean fast_avail; -@@ -1431,6 +1433,7 @@ init_creds_step_reply(krb5_context context, - &retry); - if (code != 0) - goto cleanup; -+ reply_code = ctx->err_reply->error; - if (negotiation_requests_restart(context, ctx, ctx->err_padata)) { - ctx->have_restarted = 1; - k5_preauth_request_context_fini(context); -@@ -1441,9 +1444,10 @@ init_creds_step_reply(krb5_context context, - ctx->err_reply = NULL; - krb5_free_pa_data(context, ctx->err_padata); - ctx->err_padata = NULL; -- } else if (ctx->err_reply->error == KDC_ERR_PREAUTH_REQUIRED && -- retry) { -+ } else if ((reply_code == KDC_ERR_MORE_PREAUTH_DATA_REQUIRED || -+ reply_code == KDC_ERR_PREAUTH_REQUIRED) && retry) { - /* reset the list of preauth types to try */ -+ k5_reset_preauth_types_tried(context); - krb5_free_pa_data(context, ctx->preauth_to_use); - ctx->preauth_to_use = ctx->err_padata; - ctx->err_padata = NULL; -@@ -1480,8 +1484,7 @@ init_creds_step_reply(krb5_context context, - code = 0; - } else { - /* error + no hints = give up */ -- code = (krb5_error_code)ctx->err_reply->error + -- ERROR_TABLE_BASE_krb5; -+ code = (krb5_error_code)reply_code + ERROR_TABLE_BASE_krb5; - } - } - diff --git a/krb5-1.14-ss_execute_command-missing.patch b/krb5-1.14-ss_execute_command-missing.patch new file mode 100644 index 0000000..114689a --- /dev/null +++ b/krb5-1.14-ss_execute_command-missing.patch @@ -0,0 +1,13 @@ +e2fsprogs in is missing a declaration for this function. However, it is +present as a symbol. And we know its declaration internally. +--- krb5/src/kadmin/cli/ss_wrapper.c 2015-09-23 20:51:05.843606511 +0000 ++++ krb5/src/kadmin/cli/ss_wrapper.c 2015-09-23 20:52:03.783605671 +0000 +@@ -29,6 +29,8 @@ + #include + #include "kadmin.h" + ++int ss_execute_command(int sci_idx, char **); ++ + extern ss_request_table kadmin_cmds; + extern int exit_status; + extern char *whoami; diff --git a/krb5-1.9-debuginfo.patch b/krb5-1.9-debuginfo.patch deleted file mode 100644 index ae81f7c..0000000 --- a/krb5-1.9-debuginfo.patch +++ /dev/null @@ -1,26 +0,0 @@ -We want to keep these y.tab.c files around because the debuginfo points to -them. It would be more elegant at the end to use symbolic links, but that -could mess up people working in the tree on other things. - ---- src/kadmin/cli/Makefile.in -+++ src/kadmin/cli/Makefile.in -@@ -43,3 +43,8 @@ clean-unix:: - # CC_LINK is not meant for compilation and this use may break in the future. - datetest: getdate.c - $(CC_LINK) $(ALL_CFLAGS) -DTEST -o datetest getdate.c -+ -+%.c: %.y -+ $(RM) y.tab.c $@ -+ $(YACC.y) $< -+ $(CP) y.tab.c $@ ---- src/plugins/kdb/ldap/ldap_util/Makefile.in -+++ src/plugins/kdb/ldap/ldap_util/Makefile.in -@@ -22,7 +22,7 @@ $(PROG): $(OBJS) $(KADMSRV_DEPLIBS) $(KR - getdate.c: $(GETDATE) - $(RM) getdate.c y.tab.c - $(YACC) $(GETDATE) -- $(MV) y.tab.c getdate.c -+ $(CP) y.tab.c getdate.c - - install:: - $(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG) diff --git a/krb5-kvno-230379.patch b/krb5-kvno-230379.patch deleted file mode 100644 index ea9b69f..0000000 --- a/krb5-kvno-230379.patch +++ /dev/null @@ -1,53 +0,0 @@ -From patch attached to http://krbdev.mit.edu/rt/Ticket/Display.html?id=3349, -at http://krbdev.mit.edu/rt/Ticket/Attachment/23851/13214/kvno.diff, adjusted -as needed to apply to 1.10. FIXME: I'd like to better handle cases where we -have a new key with the right version stored later in the keytab file. -Currently, we're setting up to overlook that possibility. - -Note that this only affects the path taken when krb5_rd_rep() is passed a -server principal name, as without a server principal name it already tries -all of the keys it finds in the keytab, regardless of version numbers. - -Index: krb5/src/kadmin/ktutil/ktutil.c -=================================================================== ---- krb5/src/kadmin/ktutil/ktutil.c (revision 3367) -+++ krb5/src/kadmin/ktutil/ktutil.c (working copy) -@@ -155,7 +155,7 @@ - char *princ = NULL; - char *enctype = NULL; - krb5_kvno kvno = 0; -- int use_pass = 0, use_key = 0, i; -+ int use_pass = 0, use_key = 0, use_kvno = 0, i; - - for (i = 1; i < argc; i++) { - if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-p", 2)) { -@@ -164,6 +164,7 @@ - } - if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-k", 2)) { - kvno = (krb5_kvno) atoi(argv[++i]); -+ use_kvno++; - continue; - } - if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-e", 2)) { -@@ -180,7 +181,7 @@ - } - } - -- if (argc != 8 || !(princ && kvno && enctype) || (use_pass+use_key != 1)) { -+ if (argc != 8 || !(princ && use_kvno && enctype) || (use_pass+use_key != 1)) { - fprintf(stderr, _("usage: %s (-key | -password) -p principal " - "-k kvno -e enctype\n"), argv[0]); - return; -Index: krb5/src/lib/krb5/keytab/kt_file.c -=================================================================== ---- krb5/src/lib/krb5/keytab/kt_file.c (revision 3367) -+++ krb5/src/lib/krb5/keytab/kt_file.c (working copy) -@@ -349,7 +349,7 @@ - higher than that. Short-term workaround: only compare - the low 8 bits. */ - -- if (new_entry.vno == (kvno & 0xff)) { -+ if (new_entry.vno == (kvno & 0xff) || new_entry.vno == IGNORE_VNO) { - krb5_kt_free_entry(context, &cur_entry); - cur_entry = new_entry; - break; diff --git a/krb5.spec b/krb5.spec index e078473..99a701a 100644 --- a/krb5.spec +++ b/krb5.spec @@ -38,12 +38,12 @@ %global configured_default_ccache_name KEYRING:persistent:%%{uid} %endif -%global prerelease %{nil} +%global prerelease -alpha1 Summary: The Kerberos network authentication system Name: krb5 -Version: 1.13.2 -Release: 11%{?dist} +Version: 1.14 +Release: 1%{?dist} # - Maybe we should explode from the now-available-to-everybody tarball instead? # http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar # - The sources below are stored in a lookaside cache. Upload with @@ -75,21 +75,12 @@ Source39: krb5-krb5kdc.conf # Carry this locally until it's available in a packaged form. Source100: noport.c -Patch6: krb5-1.12-ksu-path.patch -Patch12: krb5-1.12-ktany.patch Patch16: krb5-1.12-buildconf.patch Patch23: krb5-1.3.1-dns.patch -Patch39: krb5-1.12-api.patch Patch60: krb5-1.12.1-pam.patch -Patch63: krb5-1.13-selinux-label.patch -Patch71: krb5-1.13-dirsrv-accountlock.patch -Patch86: krb5-1.9-debuginfo.patch -Patch105: krb5-kvno-230379.patch -Patch129: krb5-1.11-run_user_0.patch Patch134: krb5-1.11-kpasswdtest.patch -Patch140: krb5-1.14-Support-KDC_ERR_MORE_PREAUTH_DATA_REQUIRED.patch Patch143: krb5-tests_use_libs_from_build.patch -Patch144: krb5-1.13.3-bindresvport_sa_port_byte_swap_bug_triggering_selinux_avc_denial.patch +Patch145: krb5-1.14-ss_execute_command-missing.patch License: MIT URL: http://web.mit.edu/kerberos/www/ @@ -255,27 +246,11 @@ certificate. ln NOTICE LICENSE %patch60 -p1 -b .pam - -%patch63 -p1 -b .selinux-label - -%patch6 -p1 -b .ksu-path -%patch12 -p1 -b .ktany %patch16 -p1 -b .buildconf %{?_rawbuild} %patch23 -p1 -b .dns %{?_rawbuild} -%patch39 -p1 -b .api -%patch71 -p1 -b .dirsrv-accountlock %{?_rawbuild} -%patch86 -p0 -b .debuginfo -%patch105 -p1 -b .kvno - -# Apply when the hard-wired or configured default location is -# DIR:/run/user/%%{uid}/krb5cc. -%patch129 -p1 -b .run_user_0 - %patch134 -p1 -b .kpasswdtest - -%patch140 -p1 -b .krb5-1.14-support-kdc_err_more_preauth_data_required %patch143 -p1 -b .krb5-tests_use_libs_from_build -%patch144 -p1 -b .krb5-1.13.3-bindresvport_sa_port_byte_swap_bug_triggering_selinux_avc_denial +%patch145 -p1 -b .ss_execute_command # Take the execute bit off of documentation. chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html @@ -571,6 +546,9 @@ rm -- "$RPM_BUILD_ROOT/%{_docdir}/krb5-libs/examples/kdc.conf" rm -- "$RPM_BUILD_ROOT/%{_docdir}/krb5-libs/examples/krb5.conf" rm -- "$RPM_BUILD_ROOT/%{_docdir}/krb5-libs/examples/services.append" +# This is needed only for tests +rm -- "$RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/preauth/test.so" + %find_lang %{gettext_domain} %clean @@ -882,6 +860,11 @@ exit 0 %changelog +* Wed Sep 23 2015 Robbie Harwood - 1.14-1 +- New upstream version; krb5-1.14-alpha1 +- Drop patches that have since been applied +- Work around an issue with ss_execute_command() not being available + * Wed Sep 23 2015 Robbie Harwood - 1.13.2-11 - Drop dependency on pax, ksh - Remove support for fedora < 20 diff --git a/sources b/sources index 487ed89..6010809 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -f9b9275c6ceb9e6c39fabecc00c6a059 krb5-1.13.2.tar.gz -b62135d2089349b571479feb39f049c9 krb5-1.13.2.tar.gz.asc -095ed64aa1d28f06db1d9b3d89bd8d6b krb5-1.13.2-pdfs.tar +5acb7f742232d83d79b08de80ff7ff5d krb5-1.14-alpha1-pdfs.tar +61a7f5ab611cb6fd8df88266941b5031 krb5-1.14-alpha1.tar.gz +f17871d721eef7ca56a61565f3176c43 krb5-1.14-alpha1.tar.gz.asc