- remove the krb5-appl bits (the -workstation-clients and -workstation-servers subpackages) now that krb5-appl is its own package
Nalin Dahyabhai 2010-03-19 21:15:33 +00:00
parent 5d2ca1d225
commit 1f83fab4c7
30 changed files with 10 additions and 2779 deletions


@ -1,13 +0,0 @@
# default: off
# description: The encrypting kerberized rlogin server accepts rlogin sessions \
# authenticated and encrypted with Kerberos 5.
service eklogin
{
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/kerberos/sbin/klogind
server_args = -e
disable = yes
}


@ -1,14 +0,0 @@
# default: off
# description: The kerberized telnet server accepts only telnet sessions, \
# which use Kerberos 5 authentication and encryption.
service telnet
{
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/kerberos/sbin/telnetd
server_args = -e
log_on_failure += USERID
disable = yes
}


@ -1,15 +0,0 @@
#%PAM-1.0
# For root login to succeed here with pam_securetty, "ekshell" must be
# listed in /etc/securetty.
auth required pam_nologin.so
auth required pam_securetty.so
auth required pam_env.so
auth required pam_rhosts.so
account include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session optional pam_keyinit.so force revoke
session include system-auth
# pam_selinux.so open should only be called for sessions to be executed in the user context
session required pam_loginuid.so
session required pam_selinux.so open


@ -1,13 +0,0 @@
#%PAM-1.0
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth required pam_shells.so
auth include system-auth
account required pam_nologin.so
account include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session optional pam_keyinit.so force revoke
session include system-auth
# pam_selinux.so open should only be called for sessions to be executed in the user context
session required pam_loginuid.so
session required pam_selinux.so open


@ -1,14 +0,0 @@
# default: off
# description: The kerberized FTP server accepts FTP connections \
# that can be authenticated with Kerberos 5.
service ftp
{
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/kerberos/sbin/ftpd
server_args = -l -a
log_on_failure += USERID
disable = yes
}


@ -1,12 +0,0 @@
# default: off
# description: The kerberized rlogin server accepts BSD-style rlogin sessions, \
# but uses Kerberos 5 authentication.
service klogin
{
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/kerberos/sbin/klogind
disable = yes
}


@ -1,32 +0,0 @@
We set all of the FTP clients to passive mode by default. Or at least that's
the intention.
--- krb5-1.2.1/src/appl/gssftp/ftp/main.c.passive Thu Jun 29 22:27:07 2000
+++ krb5-1.2.1/src/appl/gssftp/ftp/main.c Wed Aug 16 13:15:08 2000
@@ -178,7 +178,7 @@
cpend = 0; /* no pending replies */
proxy = 0; /* proxy not active */
#ifndef NO_PASSIVE_MODE
- passivemode = 0; /* passive mode not active */
+ passivemode = 1; /* passive mode active by default */
#endif
crflag = 1; /* strip c.r. on ascii gets */
sendport = -1; /* not using ports */
--- krb5-1.2.1/src/appl/gssftp/ftp/ftp.M.passive Wed Aug 16 13:15:26 2000
+++ krb5-1.2.1/src/appl/gssftp/ftp/ftp.M Wed Aug 16 13:17:19 2000
@@ -619,10 +619,11 @@
will forward a copy of the user's Kerberos tickets to the remote host.
.TP
.B passive
-Toggle passive data transfer mode. In passive mode, the client initiates
-the data connection by listening on the data port. Passive mode may
-be necessary for operation from behind firewalls which do not permit
-incoming connections.
+Toggle passive data transfer mode off. In passive mode, the client initiates
+the data connection by connecting to the data port. Passive mode is
+often necessary for operation from behind firewalls which do not permit
+incoming connections, but may need to be disabled if you connect to an
+FTP server which does not support passive operation.
.TP
.B private
Set the protection level on data transfers to ``private''. Data


@ -1,273 +0,0 @@
--- krb5-1.3/src/appl/gssftp/ftp/cmds.c
+++ krb5-1.3/src/appl/gssftp/ftp/cmds.c
@@ -99,6 +99,62 @@
static void quote1 (char *, int, char **);
static char *dotrans (char *);
static char *domap (char *);
+static int checkglob(const char *filename, const char *pattern);
+
+/*
+ * pipeprotect: protect against "special" local filenames by prepending
+ * "./". Special local filenames are "-" and any "filename" which begins
+ * with either "|" or "/".
+ */
+static char *pipeprotect(char *name)
+{
+ static char nu[MAXPATHLEN];
+ if ((name == NULL) ||
+ ((strcmp(name, "-") != 0) && (*name != '|') && (*name != '/'))) {
+ return name;
+ }
+ strcpy(nu, ".");
+ if (*name != '/') strcat(nu, "/");
+ if (strlen(nu) + strlen(name) >= sizeof(nu)) {
+ return NULL;
+ }
+ strcat(nu, name);
+ return nu;
+}
+
+/*
+ * Look for embedded ".." in a pathname and change it to "!!", printing
+ * a warning.
+ */
+static char *pathprotect(char *name)
+{
+ int gotdots=0, i, len;
+
+ /* Convert null terminator to trailing / to catch a trailing ".." */
+ len = strlen(name)+1;
+ name[len-1] = '/';
+
+ /*
+ * State machine loop. gotdots is < 0 if not looking at dots,
+ * 0 if we just saw a / and thus might start getting dots,
+ * and the count of dots seen so far if we have seen some.
+ */
+ for (i=0; i<len; i++) {
+ if (name[i]=='.' && gotdots>=0) gotdots++;
+ else if (name[i]=='/' && gotdots<0) gotdots=0;
+ else if (name[i]=='/' && gotdots==2) {
+ printf("Warning: embedded .. in %.*s (changing to !!)\n",
+ len-1, name);
+ name[i-1] = '!';
+ name[i-2] = '!';
+ gotdots = 0;
+ }
+ else if (name[i]=='/') gotdots = 0;
+ else gotdots = -1;
+ }
+ name[len-1] = '\0';
+ return name;
+}
/*
* `Another' gets another argument, and stores the new argc and argv.
@@ -844,7 +900,15 @@
if (argc == 2) {
argc++;
- argv[2] = argv[1];
+ /*
+ * Protect the user from accidentally retrieving special
+ * local names.
+ */
+ argv[2] = pipeprotect(argv[1]);
+ if (!argv[2]) {
+ code = -1;
+ return 0;
+ }
loc++;
}
if (argc < 2 && !another(&argc, &argv, "remote-file"))
@@ -1016,8 +1080,19 @@
if (mapflag) {
tp = domap(tp);
}
- recvrequest("RETR", tp, cp, "w",
- tp != cp || !interactive, 1);
+
+ /* Reject embedded ".." */
+ tp = pathprotect(tp);
+
+ /* Prepend ./ to "-" or "!*" or leading "/" */
+ tp = pipeprotect(tp);
+ if (tp == NULL) {
+ /* hmm... how best to handle this? */
+ mflag = 0;
+ } else {
+ recvrequest("RETR", tp, cp, "w",
+ tp != cp || !interactive, 1);
+ }
if (!mflag && fromatty) {
ointer = interactive;
interactive = 1;
@@ -1045,8 +1120,8 @@
static char buf[MAXPATHLEN];
static FILE *ftemp = NULL;
static char **args;
- int oldverbose, oldhash;
- char *cp, *rmode;
+ int oldverbose, oldhash, badglob = 0;
+ char *cp;
if (!mflag) {
if (!doglob) {
@@ -1075,23 +1150,46 @@
return (NULL);
}
#else
- (void) strncpy(temp, _PATH_TMP, sizeof(temp) - 1);
- temp[sizeof(temp) - 1] = '\0';
- (void) mktemp(temp);
+ int fd;
+ mode_t oldumask;
+ (void) strcpy(temp, _PATH_TMP);
+
+ /* libc 5.2.18 creates with mode 0666, which is dumb */
+ oldumask = umask(077);
+ fd = mkstemp(temp);
+ umask(oldumask);
+
+ if (fd<0) {
+ printf("Error creating temporary file, oops\n");
+ return NULL;
+ }
+ close(fd);
#endif /* !_WIN32 */
oldverbose = verbose, verbose = 0;
oldhash = hash, hash = 0;
if (doswitch) {
pswitch(!proxy);
}
- for (rmode = "w"; *++argv != NULL; rmode = "a")
- recvrequest ("NLST", temp, *argv, rmode, 0, 0);
+
+ while (*++argv != NULL) {
+ recvrequest ("NLST", temp, *argv, "a", 0, 0);
+ if (!checkglob(temp, *argv)) {
+ badglob = 1;
+ break;
+ }
+ }
+
if (doswitch) {
pswitch(!proxy);
}
verbose = oldverbose; hash = oldhash;
ftemp = fopen(temp, "r");
(void) unlink(temp);
+ if (badglob) {
+ printf("Refusing to handle insecure file list\n");
+ fclose(ftemp);
+ return NULL;
+ }
#ifdef _WIN32
free(temp);
temp = NULL;
@@ -1110,6 +1208,105 @@
return (buf);
}
+/*
+ * Check whether given pattern matches `..'
+ * We assume only a glob pattern starting with a dot will match
+ * dot entries on the server.
+ */
+static int
+isdotdotglob(const char *pattern)
+{
+ int havedot = 0;
+ char c;
+
+ if (*pattern++ != '.')
+ return 0;
+ while ((c = *pattern++) != '\0' && c != '/') {
+ if (c == '*' || c == '?')
+ continue;
+ if (c == '.' && havedot++)
+ return 0;
+ }
+ return 1;
+}
+
+/*
+ * This function makes sure the list of globbed files returned from
+ * the server doesn't contain anything dangerous such as
+ * /home/<yourname>/.forward, or ../.forward,
+ * or |mail foe@doe </etc/passwd, etc.
+ * Covered areas:
+ * - returned name starts with / but glob pattern doesn't
+ * - glob pattern starts with / but returned name doesn't
+ * - returned name starts with |
+ * - returned name contains .. in a position where glob
+ * pattern doesn't match ..
+ * I.e. foo/.* allows foo/../bar but not foo/.bar/../fly
+ *
+ * Note that globbed names starting with / should really be stored
+ * under the current working directory; this is handled in mget above.
+ * --okir
+ */
+static int
+checkglob(const char *filename, const char *pattern)
+{
+ const char *sp;
+ char buffer[MAXPATHLEN], dotdot[MAXPATHLEN];
+ int okay = 1, nrslash, initial, nr;
+ FILE *fp;
+
+ /* Find slashes in glob pattern, and verify whether component
+ * matches `..'
+ */
+ initial = (pattern[0] == '/');
+ for (sp = pattern, nrslash = 0; sp != 0; sp = strchr(sp, '/')) {
+ while (*sp == '/')
+ sp++;
+ if (nrslash >= MAXPATHLEN) {
+ printf("Incredible pattern: %s\n", pattern);
+ return 0;
+ }
+ dotdot[nrslash++] = isdotdotglob(sp);
+ }
+
+ fp = fopen(filename, "r");
+ if (fp == NULL) {
+ perror("fopen");
+ return 0;
+ }
+
+ while (okay && fgets(buffer, sizeof(buffer), fp) != NULL) {
+ char *sp;
+
+ if ((sp = strchr(buffer, '\n')) != 0) {
+ *sp = '\0';
+ } else {
+ printf("Extremely long filename from server: %s",
+ buffer);
+ okay = 0;
+ break;
+ }
+ if (buffer[0] == '|'
+ || (buffer[0] != '/' && initial)
+ || (buffer[0] == '/' && !initial))
+ okay = 0;
+ for (sp = buffer, nr = 0; sp; sp = strchr(sp, '/'), nr++) {
+ while (*sp == '/')
+ sp++;
+ if (sp[0] == '.' && !strncmp(sp, "../", 3)
+ && (nr >= nrslash || !dotdot[nr]))
+ okay = 0;
+ }
+ }
+
+ if (!okay)
+ printf("Filename provided by server "
+ "doesn't match pattern `%s': %s\n", pattern, buffer);
+
+ fclose(fp);
+ return okay;
+}
+
static char *
onoff(bool)
int bool;


@ -1,16 +0,0 @@
We ship netkit rsh, which isn't smart enough to deal with the oddball case
where argv[0] is an option flag.
--- krb5-1.3/src/appl/bsd/krsh.c
+++ krb5-1.3/src/appl/bsd/krsh.c
@@ -616,8 +616,10 @@
else
host = argv[0];
+#ifdef BERKELEY_RSH
if (!strcmp(host, "rsh"))
argv++;
+#endif
fprintf(stderr,"trying normal rsh (%s)\n",
UCB_RSH);


@ -1,164 +0,0 @@
Port of fixes originally made to the NetKit telnet client.
Previous behavior:
Well-defined or exported variables are sent to the server on initial connect.
The "environ list" command prints "*" before these variable names.
Other variables are sent to the server if it requests them.
The "environ list" command prints " " before these variable names.
New behavior:
Well-defined variables are sent to the server on initial connect.
The "environ list" command prints "*" before these variable names.
Exported variables are sent to the server on initial connect.
The "environ list" command prints "+" before these variable names.
Other variables are NOT sent to the server.
The "environ list" command prints " " before these variable names.
diff -uNr krb5-1.4.1/src/appl/telnet/telnet/authenc.c krb5-1.4.1/src/appl/telnet/telnet/authenc.c
--- krb5-1.4.1/src/appl/telnet/telnet/authenc.c 2002-11-15 15:21:34.000000000 -0500
+++ krb5-1.4.1/src/appl/telnet/telnet/authenc.c 2005-06-29 21:06:39.000000000 -0400
@@ -83,13 +83,6 @@
}
char *
-telnet_getenv(val)
- char *val;
-{
- return((char *)env_getvalue((unsigned char *)val));
-}
-
- char *
telnet_gets(tprompt, result, length, echo)
char *tprompt;
char *result;
diff -uNr krb5-1.4.1/src/appl/telnet/telnet/commands.c krb5-1.4.1/src/appl/telnet/telnet/commands.c
--- krb5-1.4.1/src/appl/telnet/telnet/commands.c 2005-04-07 17:17:26.000000000 -0400
+++ krb5-1.4.1/src/appl/telnet/telnet/commands.c 2005-06-29 21:11:34.000000000 -0400
@@ -1889,8 +1889,9 @@
register struct env_lst *ep;
for (ep = envlisthead.next; ep; ep = ep->next) {
- printf("%c %-20s %s\r\n", ep->export ? '*' : ' ',
- ep->var, ep->value);
+ printf("%c %-20s %s\r\n",
+ " +*"[(ep->welldefined ? 2 : (ep->export > 0))],
+ ep->var, ep->value);
}
}
@@ -1914,13 +1915,15 @@
}
unsigned char *
-env_getvalue(var)
+env_getvalue(var, export_only)
unsigned char *var;
+ int export_only;
{
register struct env_lst *ep;
if ((ep = env_find(var)))
- return(ep->value);
+ if (ep->export || !export_only)
+ return(ep->value);
return(NULL);
}
diff -uNr krb5-1.4.1/src/appl/telnet/telnet/externs.h krb5-1.4.1/src/appl/telnet/telnet/externs.h
--- krb5-1.4.1/src/appl/telnet/telnet/externs.h 2003-04-23 23:27:56.000000000 -0400
+++ krb5-1.4.1/src/appl/telnet/telnet/externs.h 2005-06-29 21:05:16.000000000 -0400
@@ -347,7 +347,7 @@
extern unsigned char
*env_default (int, int),
- *env_getvalue (unsigned char *);
+ *env_getvalue (unsigned char *, int);
extern int
env_is_exported (unsigned char *);
diff -uNr krb5-1.4.1/src/appl/telnet/telnet/telnet.c krb5-1.4.1/src/appl/telnet/telnet/telnet.c
--- krb5-1.4.1/src/appl/telnet/telnet/telnet.c 2005-06-29 21:13:29.000000000 -0400
+++ krb5-1.4.1/src/appl/telnet/telnet/telnet.c 2005-06-29 21:09:13.000000000 -0400
@@ -552,7 +552,7 @@
#endif
case TELOPT_XDISPLOC: /* X Display location */
- if (env_getvalue((unsigned char *)"DISPLAY") &&
+ if (env_getvalue((unsigned char *)"DISPLAY", 0) &&
env_is_exported((unsigned char *)"DISPLAY"))
new_state_ok = 1;
break;
@@ -813,7 +813,7 @@
resettermname = 0;
if (tnamep && tnamep != unknown)
free(tnamep);
- if ((tname = (char *)env_getvalue((unsigned char *)"TERM")) &&
+ if ((tname = (char *)env_getvalue((unsigned char *)"TERM", 0)) &&
(setupterm(tname, 1, &err) == 0)) {
tnamep = mklist(termbuf, tname);
} else {
@@ -988,7 +988,7 @@
unsigned char temp[50], *dp;
int len;
- if (((dp = env_getvalue((unsigned char *)"DISPLAY")) == NULL) ||
+ if (((dp = env_getvalue((unsigned char *)"DISPLAY", 0)) == NULL) ||
(! env_is_exported((unsigned char *)"DISPLAY"))) {
/*
* Something happened, we no longer have a DISPLAY
@@ -1669,7 +1669,7 @@
env_opt_add(ep);
return;
}
- vp = env_getvalue(ep);
+ vp = env_getvalue(ep, 1);
elen = 2 * (vp ? strlen((char *)vp) : 0) +
2 * strlen((char *)ep) + 6;
if ((opt_replyend - opt_replyp) < elen)
@@ -2327,7 +2327,7 @@
send_will(TELOPT_LINEMODE, 1);
send_will(TELOPT_NEW_ENVIRON, 1);
send_do(TELOPT_STATUS, 1);
- if (env_getvalue((unsigned char *)"DISPLAY") &&
+ if (env_getvalue((unsigned char *)"DISPLAY", 0) &&
env_is_exported((unsigned char *)"DISPLAY"))
send_will(TELOPT_XDISPLOC, 1);
if (eight)
--- krb5-1.4.1/src/appl/telnet/telnetd/authenc.c 2005-06-29 21:25:09.000000000 -0400
+++ krb5-1.4.1/src/appl/telnet/telnetd/authenc.c 2005-06-29 21:25:13.000000000 -0400
@@ -67,14 +67,6 @@
}
char *
-telnet_getenv(val)
- char *val;
-{
- extern char *getenv();
- return(getenv(val));
-}
-
- char *
telnet_gets(prompt, result, length, echo)
char *prompt;
char *result;
--- krb5-1.4.1/src/appl/telnet/telnet/telnet.1 2005-06-29 21:26:55.000000000 -0400
+++ krb5-1.4.1/src/appl/telnet/telnet/telnet.1 2005-06-29 21:29:05.000000000 -0400
@@ -401,7 +401,7 @@
.I variable
to have a value of
.IR value .
-Any variables defined by this command are automatically exported. The
+Variables defined by this command are not automatically exported. The
.I value
may be enclosed in single or double quotes so that tabs and spaces may
be included.
@@ -423,8 +423,8 @@
.TP
.B list
List the current set of environment variables. Those marked with a \&*
-will be sent automatically; other variables will only be sent if
-explicitly requested.
+will be sent automatically; those marked with a \&+ will be sent if the
+other end requests their values, and other variables will not be sent.
.TP
.B \&?
Prints out help information for the


@ -1,67 +0,0 @@
Don't open a new socket without closing a possibly already-open one. RT#5597.
diff -uNr krb5/src/appl/gssftp/ftp/ftp.c krb5/src/appl/gssftp/ftp/ftp.c
--- krb5/src/appl/gssftp/ftp/ftp.c
+++ krb5/src/appl/gssftp/ftp/ftp.c
@@ -196,7 +196,7 @@ char *
hookup(char* host, int port)
{
register struct hostent *hp = 0;
- int s;
+ int s, t;
socklen_t len;
#ifdef IP_TOS
#ifdef IPTOS_LOWDELAY
@@ -274,8 +274,13 @@ hookup(char* host, int port)
}
#endif
#endif
+#ifndef _WIN32
+ t = dup(s);
+#else
+ t = s;
+#endif
cin = FDOPEN_SOCKET(s, "r");
- cout = FDOPEN_SOCKET(s, "w");
+ cout = FDOPEN_SOCKET(t, "w");
if (cin == NULL || cout == NULL) {
fprintf(stderr, "ftp: fdopen failed.\n");
if (cin) {
@@ -1448,6 +1453,8 @@
int a1,a2,a3,a4,p1,p2;
if (passivemode) {
+ if (data != INVALID_SOCKET)
+ (void) closesocket(data);
data = socket(AF_INET, SOCK_STREAM, 0);
if (data == INVALID_SOCKET) {
PERROR_SOCKET("ftp: socket");
@@ -2366,4 +2371,16 @@ FILE* fdopen_socket(SOCKET s, char* mode
return f;
}
+#else
+/* Non-Win32 case takes the address of the variable so that we can "take
+ * ownership" of the descriptor number. */
+FILE* fdopen_socket(int *s, char* mode)
+{
+ FILE *fp;
+ fp = fdopen(*s, mode);
+ if (fp) {
+ *s = INVALID_SOCKET;
+ }
+ return fp;
+}
#endif /* _WIN32 */
diff -up krb5-1.3.4/src/appl/gssftp/ftp/ftp_var.h krb5-1.3.4/src/appl/gssftp/ftp/ftp_var.h
--- krb5-1.3.4/src/appl/gssftp/ftp/ftp_var.h 2007-08-03 00:53:35.000000000 -0400
+++ krb5-1.3.4/src/appl/gssftp/ftp/ftp_var.h 2007-08-03 00:53:39.000000000 -0400
@@ -48,7 +48,8 @@ FILE* fdopen_socket(SOCKET s, char* mode
#define PERROR_SOCKET(str) do { errno = SOCKET_ERRNO; perror(str); } while(0)
#else
#define FCLOSE_SOCKET(f) fclose(f)
-#define FDOPEN_SOCKET(s, mode) fdopen(s, mode)
+FILE* fdopen_socket(int *s, char* mode);
+#define FDOPEN_SOCKET(s, mode) fdopen_socket(&s, mode)
#define SOCKETNO(fd) (fd)
#define PERROR_SOCKET(str) perror(str)
#endif


@ -1,14 +0,0 @@
Fix mget when runique is enabled and the globbing patch has been applied.
diff -up krb5/src/appl/gssftp/ftp/ftp.c krb5/src/appl/gssftp/ftp/ftp.c
--- krb5/src/appl/gssftp/ftp/ftp.c
+++ krb5/src/appl/gssftp/ftp/ftp.c
@@ -1188,7 +1188,8 @@ void recvrequest(char *cmd, char *volati
return;
}
}
- else if (runique && (local = gunique(local)) == NULL) {
+ else if (runique && strcmp(cmd, "NLST") &&
+ (local = gunique(local)) == NULL) {
(void) signal(SIGINT, oldintr);
code = -1;
return;


@ -1,25 +0,0 @@
Fix for CAN-2004-0175, based on Markus Friedl's fix for OpenSSH scp.
diff -up krb5-1.7/src/appl/bsd/krcp.c krb5-1.7/src/appl/bsd/krcp.c
--- krb5-1.7/src/appl/bsd/krcp.c 2009-06-04 14:27:20.000000000 -0400
+++ krb5-1.7/src/appl/bsd/krcp.c 2009-06-04 14:27:20.000000000 -0400
@@ -1038,6 +1038,10 @@ void sink(argc, argv)
size = size * 10 + (*cp++ - '0');
if (*cp++ != ' ')
SCREWUP("size not delimited");
+ if ((strchr(cp, '/') != NULL) || (strcmp(cp, "..") == 0)) {
+ error("error: unexpected filename: %s", cp);
+ exit(1);
+ }
if (targisdir) {
if(strlen(targ) + strlen(cp) + 2 >= sizeof(nambuf))
SCREWUP("target name too long");
@@ -1051,6 +1055,8 @@ void sink(argc, argv)
nambuf[sizeof(nambuf) - 1] = '\0';
exists = stat(nambuf, &stb) == 0;
if (cmdbuf[0] == 'D') {
+ if (!iamrecursive)
+ SCREWUP("received directory without -r");
if (exists) {
if ((stb.st_mode&S_IFMT) != S_IFDIR) {
errno = ENOTDIR;


@ -1,33 +0,0 @@
Surely "buf[strlen(buf)] = '\0'" doesn't do what we intend. RT#6521
diff -up krb5-1.7/src/appl/gssftp/ftp/ftp.c krb5-1.7/src/appl/gssftp/ftp/ftp.c
--- krb5-1.7/src/appl/gssftp/ftp/ftp.c 2009-06-22 16:03:48.000000000 -0400
+++ krb5-1.7/src/appl/gssftp/ftp/ftp.c 2009-06-22 16:06:28.000000000 -0400
@@ -1663,21 +1663,21 @@ void pswitch(int flag)
ip->ntflg = ntflag;
ntflag = op->ntflg;
(void) strncpy(ip->nti, ntin, sizeof(ip->nti) - 1);
- (ip->nti)[strlen(ip->nti)] = '\0';
+ (ip->nti)[sizeof(ip->nti) - 1] = '\0';
(void) strncpy(ntin, op->nti, sizeof(ntin) - 1);
ntin[sizeof(ntin) - 1] = '\0';
(void) strncpy(ip->nto, ntout, sizeof(ip->nto) - 1);
- (ip->nto)[strlen(ip->nto)] = '\0';
+ (ip->nto)[sizeof(ip->nto) - 1] = '\0';
(void) strncpy(ntout, op->nto, sizeof(ntout) - 1);
ntout[sizeof(ntout) - 1] = '\0';
ip->mapflg = mapflag;
mapflag = op->mapflg;
- (void) strncpy(ip->mi, mapin, MAXPATHLEN - 1);
- (ip->mi)[strlen(ip->mi)] = '\0';
+ (void) strncpy(ip->mi, mapin, sizeof(ip->mi) - 1);
+ (ip->mi)[sizeof(ip->mi) - 1] = '\0';
(void) strncpy(mapin, op->mi, sizeof(mapin) - 1);
mapin[sizeof(mapin) - 1] = '\0';
- (void) strncpy(ip->mo, mapout, MAXPATHLEN - 1);
- (ip->mo)[strlen(ip->mo)] = '\0';
+ (void) strncpy(ip->mo, mapout, sizeof(ip->mo) - 1);
+ (ip->mo)[sizeof(ip->mo) - 1] = '\0';
(void) strncpy(mapout, op->mo, sizeof(mapout) - 1);
mapout[sizeof(mapout) - 1] = '\0';
ip->authtype = auth_type;


@ -1,251 +0,0 @@
We can get stuck if a write is going to block because both ends are writing and
neither end is reading. This is a port of a patch which aims to solve that
problem, but for now it's incomplete because we don't handle partial writes. A
proper non-blocking implementation would require a bit more work.
diff -up krb5-appl-1.0/bsd/defines.h.io krb5-appl-1.0/bsd/defines.h
--- krb5-appl-1.0/bsd/defines.h.io 2009-11-16 05:27:04.000000000 -0500
+++ krb5-appl-1.0/bsd/defines.h 2010-03-05 11:00:06.000000000 -0500
@@ -36,6 +36,7 @@ extern int kcmd (int *sock, char **ahost
enum kcmd_proto *protonum /* input and output */
);
+extern int rcmd_stream_has_unsent_data (void);
extern int rcmd_stream_read (int fd, char *buf, size_t len, int secondary);
extern int rcmd_stream_write (int fd, char *buf, size_t len, int secondary);
extern int getport (int * /* portnum */, int * /* addrfamily */);
diff -up krb5-appl-1.0/bsd/kcmd.c.io krb5-appl-1.0/bsd/kcmd.c
--- krb5-appl-1.0/bsd/kcmd.c.io 2009-11-16 05:27:04.000000000 -0500
+++ krb5-appl-1.0/bsd/kcmd.c 2010-03-05 11:00:06.000000000 -0500
@@ -767,6 +767,11 @@ void rcmd_stream_init_normal()
output = twrite;
}
+int rcmd_stream_has_unsent_data (void)
+{
+ return (nstored > 0);
+}
+
void rcmd_stream_init_krb5(in_keyblock, encrypt_flag, lencheck, am_client,
protonum)
krb5_keyblock *in_keyblock;
@@ -927,7 +932,8 @@ static int v5_des_read(fd, buf, len, sec
cc = full_read(fd, &c, 1);
/* we should check for non-blocking here, but we'd have
to make it save partial reads as well. */
- if (cc <= 0) return cc; /* read error */
+ if (cc == 0) return nreturned; /* EOF */
+ if (cc < 0) return cc; /* read error */
if (cc == 1) {
if (c == 0 || !do_lencheck) break;
}
diff -up krb5-appl-1.0/bsd/krsh.c.io krb5-appl-1.0/bsd/krsh.c
--- krb5-appl-1.0/bsd/krsh.c.io 2010-03-05 11:00:05.000000000 -0500
+++ krb5-appl-1.0/bsd/krsh.c 2010-03-05 11:00:06.000000000 -0500
@@ -117,10 +117,11 @@ main(argc, argv0)
char **argv0;
{
int rem, pid = 0;
- char *host=0, **ap, buf[RCMD_BUFSIZ], *args, **argv = argv0, *user = 0;
+ char *host=0, **ap, buf[PIPE_BUF], *args, **argv = argv0, *user = 0;
register int cc;
struct passwd *pwd;
fd_set readfrom, ready;
+ fd_set writeto, ready_wr;
int one = 1;
struct servent *sp;
struct servent defaultservent;
@@ -510,9 +511,14 @@ main(argc, argv0)
FD_ZERO(&readfrom);
FD_SET(rfd2, &readfrom);
FD_SET(rem, &readfrom);
+ FD_ZERO(&writeto);
do {
+ int max_fd;
+ max_fd = (rfd2 > rem) ? rfd2 : rem;
+ max_fd = (max_fd > 2) ? max_fd : 2;
ready = readfrom;
- if (select(((rfd2 > rem) ? rfd2 : rem) + 1, &ready, 0, 0, 0) < 0) {
+ ready_wr = writeto;
+ if (select(max_fd + 1, &ready, &ready_wr, 0, 0) < 0) {
if (errno != EINTR) {
perror("select");
exit(1);
@@ -520,22 +526,38 @@ main(argc, argv0)
continue;
}
if (FD_ISSET(rfd2, &ready)) {
- errno = 0;
- cc = rcmd_stream_read(rfd2, buf, sizeof buf, 1);
- if (cc <= 0) {
- if ((errno != EWOULDBLOCK) && (errno != EAGAIN))
- FD_CLR(rfd2, &readfrom);
- } else
- (void) write(2, buf, (unsigned) cc);
+ FD_SET(2, &writeto);
+ }
+ if (FD_ISSET(2, &ready_wr)) {
+ do {
+ errno = 0;
+ cc = rcmd_stream_read(rfd2, buf, sizeof buf, 1);
+ if (cc <= 0) {
+ if ((errno != EWOULDBLOCK) && (errno != EAGAIN)) {
+ FD_CLR(rfd2, &readfrom);
+ break;
+ }
+ } else
+ (void) write(2, buf, (unsigned) cc);
+ } while (rcmd_stream_has_unsent_data());
+ FD_CLR(2, &writeto);
}
if (FD_ISSET(rem, &ready)) {
- errno = 0;
- cc = rcmd_stream_read(rem, buf, sizeof buf, 0);
- if (cc <= 0) {
- if ((errno != EWOULDBLOCK) && (errno != EAGAIN))
- FD_CLR(rem, &readfrom);
- } else
- (void) write(1, buf, (unsigned) cc);
+ FD_SET(1, &writeto);
+ }
+ if (FD_ISSET(1, &ready_wr)) {
+ do {
+ errno = 0;
+ cc = rcmd_stream_read(rem, buf, sizeof buf, 0);
+ if (cc <= 0) {
+ if ((errno != EWOULDBLOCK) && (errno != EAGAIN)) {
+ FD_CLR(rem, &readfrom);
+ break;
+ }
+ } else
+ (void) write(1, buf, (unsigned) cc);
+ } while (rcmd_stream_has_unsent_data());
+ FD_CLR(1, &writeto);
}
} while (FD_ISSET(rem, &readfrom) || FD_ISSET(rfd2, &readfrom));
if (nflag == 0)
diff -up krb5-appl-1.0/bsd/krshd.c.io krb5-appl-1.0/bsd/krshd.c
--- krb5-appl-1.0/bsd/krshd.c.io 2010-03-05 11:00:05.000000000 -0500
+++ krb5-appl-1.0/bsd/krshd.c 2010-03-05 11:00:06.000000000 -0500
@@ -585,7 +585,8 @@ void doit(f, fromp)
short port;
int pv[2], pw[2], px[2], cc;
fd_set ready, readfrom;
- char buf[RCMD_BUFSIZ], sig;
+ fd_set ready_wr, writeto;
+ char buf[PIPE_BUF], sig;
struct sockaddr_storage localaddr;
#ifdef POSIX_SIGNALS
struct sigaction sa;
@@ -1216,6 +1217,10 @@ void doit(f, fromp)
if (pw[0] > maxfd)
maxfd = pw[0];
+ if (px[1] > maxfd)
+ maxfd = px[1];
+ FD_ZERO(&writeto);
+
/* read from f, write to px[1] -- child stdin */
/* read from s, signal child */
/* read from pv[0], write to s -- child stderr */
@@ -1223,36 +1228,47 @@ void doit(f, fromp)
do {
ready = readfrom;
- if (select(maxfd + 1, &ready, (fd_set *)0,
+ ready_wr = writeto;
+ if (select(maxfd + 1, &ready, &ready_wr,
(fd_set *)0, (struct timeval *)0) < 0) {
if (errno == EINTR) {
continue;
} else {
break;
- }
+ }
}
if (port&&FD_ISSET(pv[0], &ready)) {
+ FD_SET(s, &writeto);
+ FD_CLR(pv[0], &readfrom);
+ }
+ if (port&&FD_ISSET(s, &ready_wr)) {
/* read from the child stderr, write to the net */
errno = 0;
cc = read(pv[0], buf, sizeof (buf));
- if (cc <= 0) {
+ if ((cc <= 0) ||
+ (rcmd_stream_write(s, buf, (unsigned) cc, 1) != cc)) {
shutdown(s, 1+1);
- FD_CLR(pv[0], &readfrom);
} else {
- (void) rcmd_stream_write(s, buf, (unsigned) cc, 1);
+ FD_SET(pv[0], &readfrom);
}
+ FD_CLR(s, &writeto);
}
if (FD_ISSET(pw[0], &ready)) {
+ FD_SET(f, &writeto);
+ FD_CLR(pw[0], &readfrom);
+ }
+ if (FD_ISSET(f, &ready_wr)) {
/* read from the child stdout, write to the net */
errno = 0;
cc = read(pw[0], buf, sizeof (buf));
- if (cc <= 0) {
+ if ((cc <= 0) ||
+ (rcmd_stream_write(f, buf, (unsigned) cc, 0) != cc)) {
shutdown(f, 1+1);
- FD_CLR(pw[0], &readfrom);
} else {
- (void) rcmd_stream_write(f, buf, (unsigned) cc, 0);
+ FD_SET(pw[0], &readfrom);
}
+ FD_CLR(f, &writeto);
}
if (port&&FD_ISSET(s, &ready)) {
/* read from the alternate channel, signal the child */
@@ -1270,12 +1286,15 @@ void doit(f, fromp)
}
}
if (FD_ISSET(f, &ready)) {
+ FD_SET(px[1], &writeto);
+ FD_CLR(f, &readfrom);
+ }
+ if (FD_ISSET(px[1], &ready_wr)) {
/* read from the net, write to child stdin */
errno = 0;
cc = rcmd_stream_read(f, buf, sizeof(buf), 0);
if (cc <= 0) {
(void) close(px[1]);
- FD_CLR(f, &readfrom);
} else {
int wcc;
wcc = write(px[1], buf, (unsigned) cc);
@@ -1283,17 +1302,22 @@ void doit(f, fromp)
/* pipe closed, don't read any more */
/* might check for EPIPE */
(void) close(px[1]);
- FD_CLR(f, &readfrom);
- } else if (wcc != cc) {
- syslog(LOG_INFO, "only wrote %d/%d to child",
- wcc, cc);
+ } else {
+ if (wcc != cc)
+ syslog(LOG_INFO, "only wrote %d/%d to child",
+ wcc, cc);
+ FD_SET(f, &readfrom);
}
}
+ FD_CLR(px[1], &writeto);
}
} while ((port&&FD_ISSET(s, &readfrom)) ||
FD_ISSET(f, &readfrom) ||
(port&&FD_ISSET(pv[0], &readfrom) )||
- FD_ISSET(pw[0], &readfrom));
+ FD_ISSET(pw[0], &readfrom) ||
+ (port&&FD_ISSET(s, &writeto)) ||
+ FD_ISSET(f, &writeto) ||
+ FD_ISSET(px[1], &writeto));
ignore_signals();
#ifdef KERBEROS
syslog(LOG_INFO ,


@ -1,276 +0,0 @@
* Turn on large file support in gssftp and rcp (and the rest of the bsd
applications) using AC_SYS_LARGEFILE.
* The size of off_t might now be greater than that of an int or a long, so
if we have a "long long" type, assume that format specifiers for it work
correctly and that we can cast off_t values to long long for displaying
and logging.
* Check for fseeko(), which takes an off_t, and if we find it, use it
instead of fseek(), which takes a long and might not handle the full
range of values.
RT#6524
diff -up krb5-appl-1.0/bsd/krcp.c.largefile krb5-appl-1.0/bsd/krcp.c
--- krb5-appl-1.0/bsd/krcp.c.largefile 2010-03-05 11:06:23.000000000 -0500
+++ krb5-appl-1.0/bsd/krcp.c 2010-03-05 11:06:24.000000000 -0500
@@ -748,8 +748,13 @@ void source(argc, argv)
continue;
}
}
+#ifdef HAVE_LONG_LONG_INT
+ (void) snprintf(buf, sizeof(buf), "C%04o %lld %s\n",
+ (int) stb.st_mode&07777, (long long) stb.st_size, last);
+#else
(void) snprintf(buf, sizeof(buf), "C%04o %ld %s\n",
(int) stb.st_mode&07777, (long ) stb.st_size, last);
+#endif
(void) rcmd_stream_write(rem, buf, strlen(buf), 0);
if (response() < 0) {
(void) close(f);
diff -up krb5-appl-1.0/configure.ac.largefile krb5-appl-1.0/configure.ac
--- krb5-appl-1.0/configure.ac.largefile 2010-03-05 11:06:23.000000000 -0500
+++ krb5-appl-1.0/configure.ac 2010-03-05 11:06:24.000000000 -0500
@@ -103,6 +103,10 @@ case $host in
;;
esac
+AC_SYS_LARGEFILE
+AC_FUNC_FSEEKO
+AC_TYPE_LONG_LONG_INT
+AC_TYPE_UNSIGNED_LONG_LONG_INT
AC_CHECK_FUNCS(_getpty cgetent getcwd getenv gettosbyname getusershell getutmp)
AC_CHECK_FUNCS(getutmpx grantpt inet_aton initgroups isatty killpg killpg)
AC_CHECK_FUNCS(line_push logwtmp openpty ptsname revoke rmufile rresvport_af)
diff -up krb5-appl-1.0/gssftp/ftpd/ftpcmd.y.largefile krb5-appl-1.0/gssftp/ftpd/ftpcmd.y
--- krb5-appl-1.0/gssftp/ftpd/ftpcmd.y.largefile 2009-11-05 15:15:06.000000000 -0500
+++ krb5-appl-1.0/gssftp/ftpd/ftpcmd.y 2010-03-05 11:06:24.000000000 -0500
@@ -1499,12 +1499,20 @@ char *filename;
(stbuf.st_mode&S_IFMT) != S_IFREG)
reply(550, "%s: not a plain file.", filename);
else
+#ifdef HAVE_LONG_LONG_INT
+ reply(213, "%llu", (long long) stbuf.st_size);
+#else
reply(213, "%lu", (long) stbuf.st_size);
+#endif
break;}
case TYPE_A: {
FILE *fin;
register int c;
+#ifdef HAVE_LONG_LONG_INT
+ register long long count;
+#else
register long count;
+#endif
struct stat stbuf;
fin = fopen(filename, "r");
if (fin == NULL) {
@@ -1526,7 +1534,11 @@ char *filename;
}
(void) fclose(fin);
+#ifdef HAVE_LONG_LONG_INT
+ reply(213, "%lld", count);
+#else
reply(213, "%ld", count);
+#endif
break;}
default:
reply(504, "SIZE not implemented for Type %c.", "?AEIL"[type]);
diff -up krb5-appl-1.0/gssftp/ftpd/ftpd.c.largefile krb5-appl-1.0/gssftp/ftpd/ftpd.c
--- krb5-appl-1.0/gssftp/ftpd/ftpd.c.largefile 2010-03-05 11:06:23.000000000 -0500
+++ krb5-appl-1.0/gssftp/ftpd/ftpd.c 2010-03-05 11:06:24.000000000 -0500
@@ -1205,8 +1205,13 @@ retrieve(cmd, name)
done:
(*closefunc)(fin);
if (logging > 2 && !cmd) {
+#ifdef HAVE_UNSIGNED_LONG_LONG_INT
+ syslog(LOG_NOTICE, "get: %llu bytes transferred",
+ (unsigned long long) byte_count);
+#else
syslog(LOG_NOTICE, "get: %lu bytes transferred",
(unsigned long) byte_count);
+#endif
}
}
@@ -1252,7 +1257,7 @@ store_file(name, fmode, unique)
* because we are changing from reading to
* writing.
*/
- if (fseek(fout, 0L, L_INCR) < 0) {
+ if (FSEEK(fout, 0L, L_INCR) < 0) {
perror_reply(550, name);
goto done;
}
@@ -1277,8 +1282,13 @@ store_file(name, fmode, unique)
done:
(*closefunc)(fout);
if (logging > 2) {
+#ifdef HAVE_UNSIGNED_LONG_LONG_INT
+ syslog(LOG_NOTICE, "put: %llu bytes transferred",
+ (unsigned long long) byte_count);
+#else
syslog(LOG_NOTICE, "put: %lu bytes transferred",
(unsigned long) byte_count);
+#endif
}
}
@@ -1341,8 +1351,13 @@ dataconn(name, size, fmode)
byte_count = 0;
if (size != (off_t) -1)
/* cast size to long in case sizeof(off_t) > sizeof(long) */
+#ifdef HAVE_LONG_LONG_INT
+ (void) snprintf (sizebuf, sizeof(sizebuf), " (%lld bytes)",
+ (long long)size);
+#else
(void) snprintf (sizebuf, sizeof(sizebuf), " (%ld bytes)",
(long)size);
+#endif
else
sizebuf[0] = '\0';
if (pdata >= 0) {
@@ -2063,6 +2078,15 @@ myoob(sig)
siglongjmp(urgcatch, 1);
}
if (strcmp(cp, "STAT") == 0) {
+#ifdef HAVE_LONG_LONG_INT
+ if (file_size != (off_t) -1)
+ reply(213, "Status: %llu of %llu bytes transferred",
+ (unsigned long long) byte_count,
+ (unsigned long long) file_size);
+ else
+ reply(213, "Status: %llu bytes transferred",
+ (unsigned long long) byte_count);
+#else
if (file_size != (off_t) -1)
reply(213, "Status: %lu of %lu bytes transferred",
(unsigned long) byte_count,
@@ -2070,6 +2094,7 @@ myoob(sig)
else
reply(213, "Status: %lu bytes transferred",
(unsigned long) byte_count);
+#endif
}
}
diff -up krb5-appl-1.0/gssftp/ftpd/ftpd_var.h.largefile krb5-appl-1.0/gssftp/ftpd/ftpd_var.h
--- krb5-appl-1.0/gssftp/ftpd/ftpd_var.h.largefile 2009-11-05 15:15:06.000000000 -0500
+++ krb5-appl-1.0/gssftp/ftpd/ftpd_var.h 2010-03-05 11:06:24.000000000 -0500
@@ -41,6 +41,12 @@
char *radix_error (int);
int radix_encode (unsigned char *, unsigned char *, size_t *, int);
+#ifdef HAVE_FSEEKO
+#define FSEEK(fd, offset, whence) fseeko(fd, (off_t) offset, whence)
+#else
+#define FSEEK(fd, offset, whence) fseek(fd, (long) offset, whence)
+#endif
+
/* ftpd.c */
void ack(char *);
int auth_data(unsigned char *);
diff -up krb5-appl-1.0/gssftp/ftp/ftp.c.largefile krb5-appl-1.0/gssftp/ftp/ftp.c
--- krb5-appl-1.0/gssftp/ftp/ftp.c.largefile 2010-03-05 11:06:24.000000000 -0500
+++ krb5-appl-1.0/gssftp/ftp/ftp.c 2010-03-05 11:06:24.000000000 -0500
@@ -156,7 +156,11 @@ void user_gss_error (OM_uint32, OM_uint3
static void proxtrans (char *, char *, char *);
static int initconn (void);
+#ifdef HAVE_LONG_LONG_INT
+static void ptransfer (char *, long long, struct timeval *, struct timeval *);
+#else
static void ptransfer (char *, long, struct timeval *, struct timeval *);
+#endif
static void abort_remote (FILE *);
static void tvsub (struct timeval *, struct timeval *, struct timeval *);
static char *gunique (char *);
@@ -787,7 +791,11 @@ void sendrequest(char *cmd, char *local,
FILE *volatile fin, *volatile dout = 0;
int (*volatile closefunc)();
volatile sig_t oldintr, oldintp;
+#ifdef HAVE_LONG_LONG_INT
+ volatile long long bytes = 0, hashbytes = HASHBYTES;
+#else
volatile long bytes = 0, hashbytes = HASHBYTES;
+#endif
char *volatile lmode;
char buf[FTP_BUFSIZ], *bufp;
@@ -884,7 +892,7 @@ void sendrequest(char *cmd, char *local,
if (restart_point &&
(strcmp(cmd, "STOR") == 0 || strcmp(cmd, "APPE") == 0)) {
- if (fseek(fin, (long) restart_point, 0) < 0) {
+ if (FSEEK(fin, restart_point, 0) < 0) {
fprintf(stderr, "local: %s: %s\n", local,
strerror(errno));
restart_point = 0;
@@ -1279,7 +1287,7 @@ void recvrequest(char *cmd, char *volati
if (restart_point) {
register int i, n, ch;
- if (fseek(fout, 0L, L_SET) < 0)
+ if (FSEEK(fout, 0L, L_SET) < 0)
goto done;
n = restart_point;
for (i = 0; i++ < n;) {
@@ -1288,7 +1296,7 @@ void recvrequest(char *cmd, char *volati
if (ch == '\n')
i++;
}
- if (fseek(fout, 0L, L_INCR) < 0) {
+ if (FSEEK(fout, 0L, L_INCR) < 0) {
done:
fprintf(stderr, "local: %s: %s\n", local,
strerror(errno));
@@ -1553,8 +1561,13 @@ dataconn(char *lmode)
return (FDOPEN_SOCKET(data, lmode));
}
+#ifdef HAVE_LONG_LONG_INT
+static void ptransfer(char *direction, long long bytes,
+ struct timeval *t0, struct timeval *t1)
+#else
static void ptransfer(char *direction, long bytes,
struct timeval *t0, struct timeval *t1)
+#endif
{
struct timeval td;
float s, kbs;
@@ -1564,8 +1577,13 @@ static void ptransfer(char *direction, l
s = td.tv_sec + (td.tv_usec / 1000000.);
#define nz(x) ((x) == 0 ? 1 : (x))
kbs = (bytes / nz(s))/1024.0;
+#ifdef HAVE_LONG_LONG_INT
+ printf("%lld bytes %s in %.2g seconds (%.2g Kbytes/s)\n",
+ bytes, direction, s, kbs);
+#else
printf("%ld bytes %s in %.2g seconds (%.2g Kbytes/s)\n",
bytes, direction, s, kbs);
+#endif
}
}
diff -up krb5-appl-1.0/gssftp/ftp/ftp_var.h.largefile krb5-appl-1.0/gssftp/ftp/ftp_var.h
--- krb5-appl-1.0/gssftp/ftp/ftp_var.h.largefile 2010-03-05 11:06:24.000000000 -0500
+++ krb5-appl-1.0/gssftp/ftp/ftp_var.h 2010-03-05 11:06:24.000000000 -0500
@@ -46,12 +46,18 @@ FILE* fdopen_socket(SOCKET s, char* mode
#define FDOPEN_SOCKET(s, mode) fdopen_socket(s, mode)
#define SOCKETNO(fd) _get_osfhandle(fd)
#define PERROR_SOCKET(str) do { errno = SOCKET_ERRNO; perror(str); } while(0)
+#define FSEEK(fd, offset, whence) fseek(fd, (long) offset, whence)
#else
#define FCLOSE_SOCKET(f) fclose(f)
FILE* fdopen_socket(int *s, char* mode);
#define FDOPEN_SOCKET(s, mode) fdopen_socket(&s, mode)
#define SOCKETNO(fd) (fd)
#define PERROR_SOCKET(str) perror(str)
+#ifdef HAVE_FSEEKO
+#define FSEEK(fd, offset, whence) fseeko(fd, (off_t) offset, whence)
+#else
+#define FSEEK(fd, offset, whence) fseek(fd, (long) offset, whence)
+#endif
#endif
#ifdef _WIN32


@ -1,107 +0,0 @@
Change the absolute paths included in the man pages so that the correct
values can be dropped in by config.status. After applying this patch,
these files should be renamed to their ".in" counterparts, and then the
configure scripts should be rebuilt. Originally RT#6525
diff -up krb5-appl-1.0/aclocal.m4.manpaths krb5-appl-1.0/aclocal.m4
--- krb5-appl-1.0/aclocal.m4.manpaths 2010-03-05 10:55:58.000000000 -0500
+++ krb5-appl-1.0/aclocal.m4 2010-03-05 10:55:58.000000000 -0500
@@ -565,3 +565,24 @@ AC_SUBST(PAM_LIBS)
AC_SUBST(PAM_MAN)
AC_SUBST(NON_PAM_MAN)
])dnl
+AC_DEFUN(V5_AC_OUTPUT_MANPAGE,[
+mansysconfdir=$sysconfdir
+mansysconfdir=`eval echo $mansysconfdir | sed -e "s,NONE,$prefix,g"`
+mansysconfdir=`eval echo $mansysconfdir | sed -e "s,NONE,$ac_default_prefix,g"`
+mansbindir=$sbindir
+mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$exec_prefix,g"`
+mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$prefix,g"`
+mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$ac_default_prefix,g"`
+manlocalstatedir=$localstatedir
+manlocalstatedir=`eval echo $manlocalstatedir | sed -e "s,NONE,$prefix,g"`
+manlocalstatedir=`eval echo $manlocalstatedir | sed -e "s,NONE,$ac_default_prefix,g"`
+manlibexecdir=$libexecdir
+manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$exec_prefix,g"`
+manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$prefix,g"`
+manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$ac_default_prefix,g"`
+AC_SUBST(mansysconfdir)
+AC_SUBST(mansbindir)
+AC_SUBST(manlocalstatedir)
+AC_SUBST(manlibexecdir)
+AC_CONFIG_FILES($1)
+])
diff -up krb5-appl-1.0/bsd/klogind.M.manpaths krb5-appl-1.0/bsd/klogind.M
--- krb5-appl-1.0/bsd/klogind.M.manpaths 2008-12-15 15:29:01.000000000 -0500
+++ krb5-appl-1.0/bsd/klogind.M 2010-03-05 10:55:58.000000000 -0500
@@ -27,7 +27,7 @@ server is invoked by \fIinetd(8)\fP when
the port indicated in /etc/inetd.conf. A typical /etc/inetd.conf
configuration line for \fIklogind\fP might be:
-klogin stream tcp nowait root /usr/cygnus/sbin/klogind klogind -e5c
+klogin stream tcp nowait root @mansbindir@/klogind klogind -e5c
When a service request is received, the following protocol is initiated:
diff -up krb5-appl-1.0/bsd/kshd.M.manpaths krb5-appl-1.0/bsd/kshd.M
--- krb5-appl-1.0/bsd/kshd.M.manpaths 2006-06-12 14:19:26.000000000 -0400
+++ krb5-appl-1.0/bsd/kshd.M 2010-03-05 10:55:58.000000000 -0500
@@ -8,7 +8,7 @@
.SH NAME
kshd \- kerberized remote shell server
.SH SYNOPSIS
-.B /usr/local/sbin/kshd
+.B @mansbindir@/kshd
[
.B \-kr45ec
]
@@ -30,7 +30,7 @@ server is invoked by \fIinetd(8c)\fP whe
on the port indicated in /etc/inetd.conf. A typical /etc/inetd.conf
configuration line for \fIkrshd\fP might be:
-kshell stream tcp nowait root /usr/local/sbin/kshd kshd -5c
+kshell stream tcp nowait root @mansbindir@/kshd kshd -5c
When a service request is received, the following protocol is initiated:
diff -up krb5-appl-1.0/configure.ac.manpaths krb5-appl-1.0/configure.ac
--- krb5-appl-1.0/configure.ac.manpaths 2010-03-05 10:55:58.000000000 -0500
+++ krb5-appl-1.0/configure.ac 2010-03-05 10:55:58.000000000 -0500
@@ -412,6 +412,13 @@ else
fi
AC_SUBST(HAVE_RUNTEST)
+V5_AC_OUTPUT_MANPAGE([
+ gssftp/ftpd/ftpd.M
+ bsd/klogind.M
+ bsd/kshd.M
+ telnet/telnetd/telnetd.8
+])
+
V5_AC_OUTPUT_MAKEFILE(. bsd libmissing libpty
gssftp gssftp/ftp gssftp/ftpd
telnet telnet/libtelnet telnet/telnet telnet/telnetd
diff -up krb5-appl-1.0/gssftp/ftpd/ftpd.M.manpaths krb5-appl-1.0/gssftp/ftpd/ftpd.M
--- krb5-appl-1.0/gssftp/ftpd/ftpd.M.manpaths 2009-01-28 00:42:11.000000000 -0500
+++ krb5-appl-1.0/gssftp/ftpd/ftpd.M 2010-03-05 10:55:58.000000000 -0500
@@ -35,7 +35,7 @@
.SH NAME
ftpd \- DARPA Internet File Transfer Protocol server
.SH SYNOPSIS
-.B ftpd
+.B @mansbindir@/ftpd
[\fB\-A \fP|\fB -a\fP] [\fB\-C\fP] [\fB\-c\fP] [\fB\-d\fP] [\fB-E\fP]
[\fB\-l\fP] [\fB\-v\fP] [\fB\-T\fP \fImaxtimeout\fP] [\fB\-t\fP \fItimeout\fP]
[\fB\-p\fP \fIport\fP] [\fB\-U\fP \fIftpusers-file\fP] [\fB\-u\fP \fIumask\fP]
diff -up krb5-appl-1.0/telnet/telnetd/telnetd.8.manpaths krb5-appl-1.0/telnet/telnetd/telnetd.8
--- krb5-appl-1.0/telnet/telnetd/telnetd.8.manpaths 2004-11-15 16:25:41.000000000 -0500
+++ krb5-appl-1.0/telnet/telnetd/telnetd.8 2010-03-05 10:55:58.000000000 -0500
@@ -37,7 +37,7 @@ telnetd \-
.SM DARPA TELNET
protocol server
.SH SYNOPSIS
-.B /usr/libexec/telnetd
+.B @mansbindir@/telnetd
[\fB\-a\fP \fIauthmode\fP] [\fB\-B\fP] [\fB\-D\fP] [\fIdebugmode\fP]
[\fB\-e\fP] [\fB\-h\fP] [\fB\-I\fP\fIinitid\fP] [\fB\-l\fP]
[\fB\-k\fP] [\fB\-n\fP] [\fB\-r\fP\fIlowpty-highpty\fP] [\fB\-s\fP]


@ -1,4 +0,0 @@
bsd/klogind.M
bsd/kshd.M
telnet/telnetd/telnetd.8
gssftp/ftpd/ftpd.M

File diff suppressed because it is too large Load Diff


@ -1,53 +0,0 @@
Start with only TERM defined in the environment, like NetKit rlogind does, and
KRB5CCNAME, which we set ourselves.
diff -up krb5-appl-1.0/bsd/krlogind.c.rlogind-environ krb5-appl-1.0/bsd/krlogind.c
--- krb5-appl-1.0/bsd/krlogind.c.rlogind-environ 2009-11-21 15:29:19.000000000 -0500
+++ krb5-appl-1.0/bsd/krlogind.c 2010-03-05 11:07:34.000000000 -0500
@@ -667,6 +667,9 @@ void doit(f, fromp)
#else
struct sgttyb b;
#endif /* POSIX_TERMIOS */
+ char environ_term[sizeof(term) + 6], environ_ccname[sizeof(environ_term)];
+ char *bare_environ[] = {environ_term, environ_ccname, NULL};
+
if ((retval = pty_open_slave(line, &t))) {
fatal(f, pty_error_message(retval));
exit(1);
@@ -773,11 +776,15 @@ void doit(f, fromp)
/* use the vendors login, which has -p and -f. Tested on
* AIX 4.1.4 and HPUX 10
*/
+ memset(environ_term, '\0', sizeof(environ_term));
+ memset(environ_ccname, '\0', sizeof(environ_ccname));
+ if (getenv("KRB5CCNAME") != NULL)
+ snprintf(environ_ccname, sizeof(environ_ccname) - 1, "KRB5CCNAME=%s", getenv("KRB5CCNAME"));
{
char *cp;
- if ((cp = strchr(term,'/')))
+ snprintf(environ_term, sizeof(environ_term) - 1, "TERM=%s", term);
+ if ((cp = strchr(environ_term,'/')))
*cp = '\0';
- setenv("TERM",term, 1);
}
retval = pty_make_sane_hostname((struct sockaddr *) fromp, maxhostlen,
@@ -786,13 +793,13 @@ void doit(f, fromp)
if (retval)
fatalperror(f, "failed make_sane_hostname");
if (passwd_req)
- execl(login_program, "login", "-p", "-h", rhost_sane,
- lusername, (char *)NULL);
+ execle(login_program, "login", "-p", "-h", rhost_sane,
+ lusername, NULL, bare_environ);
else
- execl(login_program, "login", "-p", "-h", rhost_sane,
- "-f", lusername, (char *)NULL);
+ execle(login_program, "login", "-p", "-h", rhost_sane,
+ "-f", lusername, NULL, bare_environ);
#else /* USE_LOGIN_F */
- execl(login_program, "login", "-r", rhost_sane, (char *)NULL);
+ execle(login_program, "login", "-r", rhost_sane, NULL, bare_environ);
#endif /* USE_LOGIN_F */
syslog(LOG_ERR, "failed exec of %s: %s",
login_program, error_message(errno));


@ -1,13 +0,0 @@
# default: off
# description: The kerberized telnet server accepts normal telnet sessions, \
# but can also use Kerberos 5 authentication.
service telnet
{
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/kerberos/sbin/telnetd
log_on_failure += USERID
disable = yes
}


@ -1,19 +0,0 @@
When "case" is enabled, we've been setting the target filename to the buffer
in which we'd store the lower-cased version of the name, even if we ended up
not generating a lower-cased version of the name, causing the client to store
the incoming data in whichever file whose name we'd last generated. ITS#5940.
diff -up src/appl/gssftp/ftp/cmds.c src/appl/gssftp/ftp/cmds.c
--- src/appl/gssftp/ftp/cmds.c 2008-04-16 10:36:13.000000000 -0400
+++ src/appl/gssftp/ftp/cmds.c 2008-04-16 10:36:16.000000000 -0400
@@ -1013,8 +1013,10 @@ void mget(argc, argv)
tp++;
tp2++;
}
+ tp = tmpbuf;
+ } else {
+ tp = cp;
}
- tp = tmpbuf;
}
if (ntflag) {
tp = dotrans(tp);


@ -1,6 +0,0 @@
if ( "${path}" !~ */usr/kerberos/bin* ) then
set path = ( /usr/kerberos/bin $path )
endif
if ( "${path}" !~ */usr/kerberos/sbin* ) then
set path = ( /usr/kerberos/sbin $path )
endif


@ -1,6 +0,0 @@
if ! echo ${PATH} | /bin/grep -q /usr/kerberos/bin ; then
PATH=/usr/kerberos/bin:${PATH}
fi
if ! echo ${PATH} | /bin/grep -q /usr/kerberos/sbin ; then
PATH=/usr/kerberos/sbin:${PATH}
fi

249
krb5.spec

@ -2,8 +2,6 @@
%global WITH_OPENSSL 1
%global WITH_DIRSRV 1
%global krb5prefix %{_prefix}/kerberos
# For consistency with regular login.
%global login_pam_service remote
@ -13,80 +11,46 @@
Summary: The Kerberos network authentication system
Name: krb5
Version: 1.8
Release: 3%{?dist}
Release: 4%{?dist}
# Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.7/krb5-1.7.1-signed.tar
Source0: krb5-%{version}.tar.gz
Source1: krb5-%{version}.tar.gz.asc
# Everything that needs a krb5-appl counterpart will have it with number + 100
# until we get the package split done, else the telnet/ftp/rcmd stuff will just
# "vanish".
Source100: krb5-appl-%{appl_version}.tar.gz
Source101: krb5-appl-%{appl_version}.tar.gz.asc
Source2: kpropd.init
Source4: kadmind.init
Source5: krb5kdc.init
Source6: krb5.conf
Source7: krb5.sh
Source8: krb5.csh
Source10: kdc.conf
Source11: kadm5.acl
Source12: krsh
Source13: krlogin
Source14: eklogin.xinetd
Source15: klogin.xinetd
Source16: kshell.xinetd
Source17: krb5-telnet.xinetd
Source18: gssftp.xinetd
Source19: krb5kdc.sysconfig
Source20: kadmin.sysconfig
Source22: ekrb5-telnet.xinetd
# The same source files we "check", generated with "krb5-tex-pdf.sh create"
# and tarred up.
Source23: krb5-%{version}-pdf.tar.gz
Source24: krb5-tex-pdf.sh
Source25: krb5-1.8-manpaths.txt
Source125: krb5-appl-1.0-manpaths.txt
Source26: gssftp.pamd
Source27: kshell.pamd
Source28: ekshell.pamd
Source29: ksu.pamd
Source30: kerberos-iv.portreserve
Source31: kerberos-adm.portreserve
Source32: krb5_prop.portreserve
Patch3: krb5-1.3-netkit-rsh.patch
Patch4: krb5-appl-1.0-rlogind-environ.patch
Patch5: krb5-1.8-ksu-access.patch
Patch6: krb5-1.8-ksu-path.patch
Patch11: krb5-1.2.1-passive.patch
Patch12: krb5-1.7-ktany.patch
Patch14: krb5-1.3-ftp-glob.patch
Patch16: krb5-1.7-buildconf.patch
Patch23: krb5-1.3.1-dns.patch
Patch29: krb5-1.8-kprop-mktemp.patch
Patch30: krb5-1.3.4-send-pr-tempfile.patch
Patch33: krb5-appl-1.0-io.patch
Patch36: krb5-1.7-rcp-markus.patch
Patch39: krb5-1.8-api.patch
Patch40: krb5-1.4.1-telnet-environ.patch
Patch53: krb5-1.7-nodeplibs.patch
Patch56: krb5-1.7-doublelog.patch
Patch57: krb5-appl-1.0-login_chdir.patch
Patch58: krb5-1.8-key_exp.patch
Patch59: krb5-1.8-kpasswd_tcp.patch
Patch60: krb5-1.8-pam.patch
Patch160: krb5-appl-1.0-pam.patch
Patch61: krb5-1.8-manpaths.patch
Patch161: krb5-appl-1.0-manpaths.patch
Patch63: krb5-1.8-selinux-label.patch
Patch70: krb5-trunk-kpasswd_tcp2.patch
Patch71: krb5-1.8-dirsrv-accountlock.patch
Patch72: krb5-1.6.3-ftp_fdleak.patch
Patch73: krb5-1.6.3-ftp_glob_runique.patch
Patch79: krb5-trunk-ftp_mget_case.patch
Patch88: krb5-1.7-sizeof.patch
Patch89: krb5-appl-1.0-largefile.patch
Patch95: krb5-1.8-opte.patch
Patch96: krb5-1.8-exp_warn.patch
Patch98: krb5-1.8-kpasswd_ccache.patch
@ -191,32 +155,6 @@ package contains the basic Kerberos programs (kinit, klist, kdestroy,
kpasswd). If your network uses Kerberos, this package should be
installed on every workstation.
%package workstation-clients
Summary: Kerberos 5 clients for use on workstations
Group: System Environment/Base
Requires: %{name}-workstation = %{version}-%{release}
%description workstation-clients
Kerberos is a network authentication system. The krb5-workstation-clients
package contains kerberized versions of Telnet, FTP, and rsh/rlogin
clients. If your network uses these services this package should be
installed on systems which expect to connect to servers which provide
these services.
%package workstation-servers
Summary: Kerberos 5 servers for use on workstations
Group: System Environment/Base
Requires: %{name}-workstation = %{version}-%{release}
Requires(post): initscripts
Requires(postun): initscripts
Requires: xinetd, /etc/pam.d/%{login_pam_service}
%description workstation-servers
Kerberos is a network authentication system. The krb5-workstation-servers
package contains kerberized versions of Telnet, FTP, and rsh/rlogin
servers. If your network uses Kerberos, this package should be
installed on systems which are meant provide these services.
%package pkinit-openssl
Summary: The PKINIT module for Kerberos 5
Group: System Environment/Libraries
@ -229,65 +167,32 @@ to obtain initial credentials from a KDC using a private key and a
certificate.
%prep
%setup -q -a 23 -a 100
%setup -q -a 23
ln -s NOTICE LICENSE
%patch60 -p1 -b .pam
pushd krb5-appl-%{appl_version}
%patch160 -p1 -b .pam
popd
%patch61 -p1 -b .manpaths
pushd krb5-appl-%{appl_version}
%patch161 -p1 -b .manpaths
popd
%patch63 -p1 -b .selinux-label
pushd krb5-appl-%{appl_version}
%patch3 -p3 -b .netkit-rsh
%patch4 -p1 -b .rlogind-environ
popd
%patch5 -p1 -b .ksu-access
%patch6 -p1 -b .ksu-path
pushd krb5-appl-%{appl_version}
%patch11 -p3 -b .passive
popd
%patch12 -p1 -b .ktany
pushd krb5-appl-%{appl_version}
%patch14 -p3 -b .ftp-glob
popd
%patch16 -p1 -b .buildconf
%patch23 -p1 -b .dns
%patch29 -p1 -b .kprop-mktemp
%patch30 -p1 -b .send-pr-tempfile
pushd krb5-appl-%{appl_version}
%patch33 -p1 -b .io
%patch36 -p3 -b .rcp-markus
popd
%patch39 -p1 -b .api
pushd krb5-appl-%{appl_version}
%patch40 -p3 -b .telnet-environ
popd
%patch53 -p1 -b .nodeplibs
%patch56 -p1 -b .doublelog
pushd krb5-appl-%{appl_version}
%patch57 -p1 -b .login_chdir
popd
%patch58 -p1 -b .key_exp
%patch59 -p1 -b .kpasswd_tcp
#%patch70 -p0 -b .kpasswd_tcp2
%patch71 -p1 -b .dirsrv-accountlock
pushd krb5-appl-%{appl_version}
%patch72 -p3 -b .ftp_fdleak
%patch73 -p3 -b .ftp_glob_runique
%patch79 -p2 -b .ftp_mget_case
%patch88 -p3 -b .sizeof
%patch89 -p1 -b .largefile
popd
%patch95 -p1 -b .opte
%patch96 -p1 -b .exp_warn
%patch98 -p1 -b .kpasswd-ccache
%patch98 -p0 -b .kpasswd-ccache
%patch99 -p0 -b .kpasswd-ipv6
%patch100 -p0 -b .tktlifetime
gzip doc/*.ps
@ -310,11 +215,6 @@ cat %{SOURCE25} | while read manpage ; do
mv "$manpage" "$manpage".in
done
popd
pushd krb5-appl-%{appl_version}
cat %{SOURCE125} | while read manpage ; do
mv "$manpage" "$manpage".in
done
popd
# Check that the PDFs we built earlier match this source tree, using the
# "krb5-tex-pdf.sh" source file.
@ -342,11 +242,6 @@ autoheader
autoconf
popd
pushd krb5-appl-%{appl_version}
autoheader
autoconf
popd
%build
pushd src
# Work out the CFLAGS and CPPFLAGS which we intend to use.
@ -388,35 +283,12 @@ CPPFLAGS="`echo $DEFINES $INCLUDES`"
make %{?_smp_mflags}
popd
# The applications, too. Build everything position-independent. We only get
# away with this if our build dependencies drag an older krb5-devel onto the
# system.
pushd krb5-appl-%{appl_version}
CFLAGS="`echo $RPM_OPT_FLAGS $DEFINES $INCLUDES -fPIE -fno-strict-aliasing`"
LDFLAGS="-pie"
%configure \
CFLAGS="$CFLAGS" \
LDFLAGS="$LDFLAGS" \
--bindir=%{krb5prefix}/bin \
--mandir=%{krb5prefix}/man \
--sbindir=%{krb5prefix}/sbin \
--datadir=%{krb5prefix}/share \
--with-pam \
--with-pam-login-service=%{login_pam_service}
make %{?_smp_mflags}
popd
# Run the test suite. We can't actually do this in the build system.
: make -C src check TMPDIR=%{_tmppath}
%install
[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT
# Shell scripts wrappers for Kerberized rsh and rlogin (source files).
mkdir -p $RPM_BUILD_ROOT%{krb5prefix}/{bin,man/man{1,5,8},sbin,share}
install -m 755 %{SOURCE12} $RPM_BUILD_ROOT/%{krb5prefix}/bin/
install -m 755 %{SOURCE13} $RPM_BUILD_ROOT/%{krb5prefix}/bin/
# Info docs.
mkdir -p $RPM_BUILD_ROOT%{_infodir}
install -m 644 doc/*.info* $RPM_BUILD_ROOT%{_infodir}/
@ -434,15 +306,6 @@ install -pm 600 %{SOURCE11} $RPM_BUILD_ROOT%{_var}/kerberos/krb5kdc/
mkdir -p $RPM_BUILD_ROOT/etc
install -pm 644 %{SOURCE6} $RPM_BUILD_ROOT/etc/krb5.conf
# Login-time scriptlets (krb5.sh, krb5.csh) to fix the PATH variable.
mkdir -p $RPM_BUILD_ROOT/etc/profile.d
for subpackage in workstation-clients workstation-servers ; do
install -pm 644 %{SOURCE7} \
$RPM_BUILD_ROOT/etc/profile.d/krb5-$subpackage.sh
install -pm 644 %{SOURCE8} \
$RPM_BUILD_ROOT/etc/profile.d/krb5-$subpackage.csh
done
# Server init scripts (krb5kdc,kadmind,kpropd) and their sysconfig files.
mkdir -p $RPM_BUILD_ROOT/etc/rc.d/init.d
for init in \
@ -474,25 +337,10 @@ for portreserve in \
$RPM_BUILD_ROOT/etc/portreserve/`basename ${portreserve} .portreserve`
done
# Xinetd configuration files.
mkdir -p $RPM_BUILD_ROOT/etc/xinetd.d/
for xinetd in \
%{SOURCE14} \
%{SOURCE15} \
%{SOURCE16} \
%{SOURCE17} \
%{SOURCE18} \
%{SOURCE22} ; do
install -pm 644 ${xinetd} \
$RPM_BUILD_ROOT/etc/xinetd.d/`basename ${xinetd} .xinetd`
done
# PAM configuration files.
mkdir -p $RPM_BUILD_ROOT/etc/pam.d/
for pam in \
%{SOURCE26} \
%{SOURCE27} \
%{SOURCE28} \
%{SOURCE29} ; do
install -pm 644 ${pam} \
$RPM_BUILD_ROOT/etc/pam.d/`basename ${pam} .pamd`
@ -505,7 +353,6 @@ install -pdm 755 $RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/authdata
# The rest of the binaries, headers, libraries, and docs.
make -C src DESTDIR=$RPM_BUILD_ROOT EXAMPLEDIR=%{_docdir}/krb5-libs-%{version}/examples install
make -C krb5-appl-%{appl_version} DESTDIR=$RPM_BUILD_ROOT install
# Munge krb5-config yet again. This is totally wrong for 64-bit, but chunks
# of the buildconf patch already conspire to strip out /usr/<anything> from the
@ -579,21 +426,6 @@ if [ "$2" -eq "0" ] ; then
fi
exit 0
%triggerun workstation-servers -- krb5-workstation-servers < 1.6.3-100
if [ "$2" -eq "0" ] ; then
/sbin/service krb524 stop > /dev/null 2>&1 || :
/sbin/chkconfig --del krb524 > /dev/null 2>&1 || :
fi
exit 0
%post workstation-servers
/sbin/service xinetd reload > /dev/null 2>&1 || :
exit 0
%postun workstation-servers
/sbin/service xinetd reload > /dev/null 2>&1 || :
exit 0
%post workstation
/sbin/install-info %{_infodir}/krb5-user.info %{_infodir}/dir
exit 0
@ -643,73 +475,6 @@ exit 0
%{_datadir}/gnats/mit
%{_mandir}/man1/krb5-send-pr.1*
%files workstation-clients
%defattr(-,root,root,-)
%docdir %{krb5prefix}/man
%attr(0755,root,root) %doc src/config-files/convert-config-files
%config(noreplace) /etc/profile.d/krb5-workstation-clients.sh
%config(noreplace) /etc/profile.d/krb5-workstation-clients.csh
%dir %{krb5prefix}
%dir %{krb5prefix}/bin
%dir %{krb5prefix}/man
%dir %{krb5prefix}/man/man1
# Used by both clients and servers.
%{krb5prefix}/bin/rcp
%{krb5prefix}/man/man1/rcp.1*
# Client network bits.
%{krb5prefix}/bin/ftp
%{krb5prefix}/man/man1/ftp.1*
%{krb5prefix}/bin/krlogin
%{krb5prefix}/bin/rlogin
%{krb5prefix}/man/man1/rlogin.1*
%{krb5prefix}/bin/krsh
%{krb5prefix}/bin/rsh
%{krb5prefix}/man/man1/rsh.1*
%{krb5prefix}/bin/telnet
%{krb5prefix}/man/man1/telnet.1*
%{krb5prefix}/man/man1/tmac.doc*
%files workstation-servers
%defattr(-,root,root,-)
%docdir %{krb5prefix}/man
%config(noreplace) /etc/profile.d/krb5-workstation-servers.sh
%config(noreplace) /etc/profile.d/krb5-workstation-servers.csh
%dir %{krb5prefix}
%dir %{krb5prefix}/bin
%dir %{krb5prefix}/man
%dir %{krb5prefix}/man/man1
%dir %{krb5prefix}/man/man8
%dir %{krb5prefix}/sbin
# Used by both clients and servers.
%{krb5prefix}/bin/rcp
%{krb5prefix}/man/man1/rcp.1*
%config(noreplace) /etc/xinetd.d/*
%config(noreplace) /etc/pam.d/kshell
%config(noreplace) /etc/pam.d/ekshell
%config(noreplace) /etc/pam.d/gssftp
# Login is used by telnetd and klogind.
%{krb5prefix}/sbin/login.krb5
%{krb5prefix}/man/man8/login.krb5.8*
# Application servers.
%{krb5prefix}/sbin/ftpd
%{krb5prefix}/man/man8/ftpd.8*
%{krb5prefix}/sbin/klogind
%{krb5prefix}/man/man8/klogind.8*
%{krb5prefix}/sbin/kshd
%{krb5prefix}/man/man8/kshd.8*
%{krb5prefix}/sbin/telnetd
%{krb5prefix}/man/man8/telnetd.8*
%files server
%defattr(-,root,root,-)
%docdir %{_mandir}
@ -810,7 +575,6 @@ exit 0
%dir %{_libdir}/krb5/plugins/*
%{_libdir}/krb5/plugins/preauth/encrypted_challenge.so
%{_libdir}/krb5/plugins/kdb/db2.so
%{krb5prefix}/share
%if %{WITH_OPENSSL}
%files pkinit-openssl
@ -864,6 +628,13 @@ exit 0
%{_sbindir}/uuserver
%changelog
* Fri Mar 19 2010 Nalin Dahyabhai <nalin@redhat.com> - 1.8-4
- remove the krb5-appl bits (the -workstation-clients and -workstation-servers
subpackages) now that krb5-appl is its own package
- replace our patch for #563431 (kpasswd doesn't fall back to guessing your
principal name using your user name if you don't have a ccache) with the
on upstream uses
* Fri Mar 12 2010 Nalin Dahyabhai <nalin@redhat.com> - 1.8-3
- add documentation for the ticket_lifetime option (#561174)
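Review bot: The new 1.8-4 changelog entry ends with "with the on upstream uses", which drops a letter; the continuation line should read `  one upstream uses`. That entry is also the only explanation for `%patch98` appearing in %prep with both `-p1` and `-p0`. The page has lost its +/- markers, so `-p0` being the new side is inferred from the changelog rather than shown. A one-line comment above the directive, for example `# #563431: now upstream's fix, so the strip level differs from our old patch`, would stop the next maintainer from "correcting" it back to `-p1`.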


@ -1,2 +0,0 @@
#!/bin/sh
/usr/kerberos/bin/rlogin -x "$@"

2
krsh

@ -1,2 +0,0 @@
#!/bin/sh
/usr/kerberos/bin/rsh -x "$@"


@ -1,15 +0,0 @@
#%PAM-1.0
# For root login to succeed here with pam_securetty, "kshell" must be
# listed in /etc/securetty.
auth required pam_nologin.so
auth required pam_securetty.so
auth required pam_env.so
auth required pam_rhosts.so
account include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session optional pam_keyinit.so force revoke
session include system-auth
# pam_selinux.so open should only be called for sessions to be executed in the user context
session required pam_loginuid.so
session required pam_selinux.so open


@ -1,13 +0,0 @@
# default: off
# description: The kerberized rshell server accepts rshell commands \
# authenticated and encrypted with Kerberos 5.
service kshell
{
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/kerberos/sbin/kshd
server_args = -e
disable = yes
}


@ -1,5 +1,3 @@
a3391a739009efa9734db720d34f4c07 krb5-1.8.tar.gz
f923ec08f24df9e5a284be74895a6daa krb5-1.8.tar.gz.asc
4ecf03dad0df7f2ded49f0cfd9786157 krb5-appl-1.0.tar.gz
33056e617e2cbad7c8e8b732aa0fdd91 krb5-appl-1.0.tar.gz.asc
32f8238d4553c44ecdc41205c3cb0333 krb5-1.8-pdf.tar.gz