- update to 1.8

- temporarily bundling the krb5-appl package (split upstream as of 1.8)
    until its package review is complete
- profile.d scriptlets are now only needed by -workstation-clients
- adjust paths in init scripts
- drop upstreamed fix for KDC denial of service (CVE-2010-0283)
- drop patch to check the user's password correctly using crypt(), which
    isn't a code path we hit when we're using PAM
This commit is contained in:
Nalin Dahyabhai 2010-03-05 22:19:38 +00:00
parent 9c84ef7b56
commit 75b08040ff
37 changed files with 2020 additions and 1679 deletions


@ -31,3 +31,8 @@ krb5-1.7-pdf.tar.gz
krb5-1.7.1.tar.gz
krb5-1.7.1.tar.gz.asc
krb5-1.7.1-pdf.tar.gz
krb5-1.8.tar.gz
krb5-1.8.tar.gz.asc
krb5-appl-1.0.tar.gz
krb5-appl-1.0.tar.gz.asc
krb5-1.8-pdf.tar.gz


@ -1,42 +0,0 @@
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 52fbda5..680e6a1 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -137,6 +137,11 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
session_key.contents = 0;
enc_tkt_reply.authorization_data = NULL;
+ if (request->msg_type != KRB5_AS_REQ) {
+ status = "msg_type mismatch";
+ errcode = KRB5_BADMSGTYPE;
+ goto errout;
+ }
errcode = kdc_make_rstate(&state);
if (errcode != 0) {
status = "constructing state";
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index 12180ff..c8cf692 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -135,6 +135,8 @@ process_tgs_req(krb5_data *pkt, const krb5_fulladdr *from,
retval = decode_krb5_tgs_req(pkt, &request);
if (retval)
return retval;
+ if (request->msg_type != KRB5_TGS_REQ)
+ return KRB5_BADMSGTYPE;
/*
* setup_server_realm() sets up the global realm-specific data pointer.
diff --git a/src/kdc/fast_util.c b/src/kdc/fast_util.c
index d88e0cb..2639047 100644
--- a/src/kdc/fast_util.c
+++ b/src/kdc/fast_util.c
@@ -384,7 +384,7 @@ krb5_error_code kdc_fast_handle_error
krb5_data *encoded_e_data = NULL;
memset(outer_pa, 0, sizeof(outer_pa));
- if (!state->armor_key)
+ if (!state || !state->armor_key)
return 0;
fx_error = *err;
fx_error.e_data.data = NULL;


@ -33,7 +33,7 @@
# Source function library.
. /etc/init.d/functions
prog="Kerberos 5 Admin Server"
kadmind=/usr/kerberos/sbin/kadmind
kadmind=/usr/sbin/kadmind
RETVAL=0


@ -29,7 +29,7 @@
RETVAL=0
prog="Kerberos 5 Propagation Server"
kpropd=/usr/kerberos/sbin/kpropd
kpropd=/usr/sbin/kpropd
# Shell functions to cut down on useless shell instances.
start() {


@ -1,45 +0,0 @@
The idea is to not complain about problems in the default ticket file if we
couldn't read it, because the client would be able to tell if it's there or
not. Still needs work, I think.
--- krb5-1.3/src/clients/ksu/ccache.c
+++ krb5-1.3/src/clients/ksu/ccache.c
@@ -77,7 +77,7 @@
cc_def_name = krb5_cc_get_name(context, cc_def);
cc_other_name = krb5_cc_get_name(context, *cc_other);
- if ( ! stat(cc_def_name, &st_temp)){
+ if ( ! access(cc_def_name, R_OK) && ! stat(cc_def_name, &st_temp)){
if((retval = krb5_get_nonexp_tkts(context,cc_def,&cc_def_creds_arr))){
return retval;
}
--- krb5-1.3/src/clients/ksu/heuristic.c
+++ krb5-1.3/src/clients/ksu/heuristic.c
@@ -412,7 +412,7 @@
cc_source_name = krb5_cc_get_name(context, cc);
- if ( ! stat(cc_source_name, &st_temp)){
+ if ( ! access(cc_source_name, F_OK | R_OK) && ! stat(cc_source_name, &st_temp)){
retval = find_ticket(context, cc, client, end_server, &temp_found);
if (retval)
@@ -572,7 +572,7 @@
cc_source_name = krb5_cc_get_name(context, cc_source);
- if (! stat(cc_source_name, &st_temp)) {
+ if (! access(cc_source_name, F_OK | R_OK) && ! stat(cc_source_name, &st_temp)) {
retval = krb5_cc_get_principal(context, cc_source, &cc_def_princ);
if (retval)
return retval;
--- krb5-1.3/src/clients/ksu/main.c
+++ krb5-1.3/src/clients/ksu/main.c
@@ -263,7 +263,7 @@
if ( strchr(cc_source_tag, ':')){
cc_source_tag_tmp = strchr(cc_source_tag, ':') + 1;
- if( stat( cc_source_tag_tmp, &st_temp)){
+ if( access( cc_source_tag_tmp, F_OK | R_OK) || stat( cc_source_tag_tmp, &st_temp)){
com_err (prog_name, errno,
"while looking for credentials file %s",
cc_source_tag_tmp);


@ -1,14 +0,0 @@
Set the default PATH to the one set by login, with the addition of the
/usr/X11R6/bin to the end of the list.
--- krb5-1.5/src/clients/ksu/Makefile.in 2006-05-24 17:19:23.000000000 -0400
+++ krb5-1.5/src/clients/ksu/Makefile.in 2006-07-05 14:24:41.000000000 -0400
@@ -2,7 +2,7 @@
myfulldir=clients/ksu
mydir=clients/ksu
BUILDTOP=$(REL)..$(S)..
-DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"'
+DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/usr/local/sbin /usr/local/bin /sbin /usr/sbin /bin /usr/bin /usr/X11R6/bin"'
DEFS=
PROG_LIBPATH=-L$(TOPLIBD)


@ -1,28 +0,0 @@
The local crypt() may support hash types which use more than the first 8
characters. It also doesn't modify the input string, so we should just
stop truncating it. Are there platforms where the input string *is* modified?
--- krb5-1.2.7/src/appl/bsd/login.c 2005-11-15 16:20:34.000000000 -0500
+++ krb5-1.2.7/src/appl/bsd/login.c 2005-11-15 16:20:29.000000000 -0500
@@ -461,17 +461,14 @@
static int unix_passwd_okay (pass)
char *pass;
{
- char user_pwcopy[9], *namep;
+ char *namep;
char *crypt ();
assert (pwd != 0);
- /* copy the first 8 chars of the password for unix crypt */
- strncpy(user_pwcopy, pass, sizeof(user_pwcopy));
- user_pwcopy[sizeof(user_pwcopy) - 1]='\0';
- namep = crypt(user_pwcopy, salt);
- memset (user_pwcopy, 0, sizeof(user_pwcopy));
- /* ... and wipe the copy now that we have the string */
+ namep = crypt(pass, salt);
+ if (strlen(namep) < 13)
+ return 0;
/* verify the local password string */
#ifdef HAVE_SHADOW


@ -1,69 +0,0 @@
Treat 'nsAccountLock: true' the same as 'loginDisabled: true'. Updated from
original version filed as RT#5891.
diff -up krb5-1.7/src/aclocal.m4 krb5-1.7/src/aclocal.m4
--- krb5-1.7/src/aclocal.m4 2009-06-04 14:38:07.000000000 -0400
+++ krb5-1.7/src/aclocal.m4 2009-06-04 14:38:07.000000000 -0400
@@ -1746,6 +1746,12 @@ AC_ARG_WITH([edirectory],
yes | no) ;;
*) AC_MSG_ERROR(Invalid option value --with-edirectory="$withval") ;;
esac], with_edirectory=no)dnl
+AC_ARG_WITH([dirsrv],
+[ --with-dirsrv compile 389/Red Hat/Fedora/Netscape Directory Server database backend module],
+[case "$withval" in
+ yes | no) ;;
+ *) AC_MSG_ERROR(Invalid option value --with-dirsrv="$withval") ;;
+esac], with_dirsrv=no)dnl
if test $with_ldap = yes; then
if test $with_edirectory = yes; then
@@ -1757,6 +1763,10 @@ elif test $with_edirectory = yes; then
AC_MSG_NOTICE(enabling eDirectory database backend module support)
OPENLDAP_PLUGIN=yes
AC_DEFINE(HAVE_EDIRECTORY,1,[Define if LDAP KDB interface should assume eDirectory.])
+elif test $with_dirsrv = yes; then
+ AC_MSG_NOTICE(enabling 389/Red Hat/Fedora/Netscape Directory Server database backend module support)
+ OPENLDAP_PLUGIN=yes
+ AC_DEFINE(HAVE_DIRSRV,1,[Define if LDAP KDB interface should assume RHDS/FDS/NDS.])
else
: # neither enabled
dnl AC_MSG_NOTICE(disabling ldap backend module support)
diff -up krb5-1.7/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c krb5-1.7/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
--- krb5-1.7/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c 2009-02-18 13:14:48.000000000 -0500
+++ krb5-1.7/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c 2009-06-04 14:38:07.000000000 -0400
@@ -2157,6 +2157,22 @@ populate_krb5_db_entry (krb5_context con
}
}
#endif
+#ifdef HAVE_DIRSRV
+ {
+ krb5_timestamp expiretime=0;
+ char *is_login_disabled=NULL;
+
+ /* LOGIN DISABLED */
+ if ((st=krb5_ldap_get_string(ld, ent, "nsaccountlock", &is_login_disabled,
+ &attr_present)) != 0)
+ goto cleanup;
+ if (attr_present == TRUE) {
+ if (strcasecmp(is_login_disabled, "TRUE")== 0)
+ entry->attributes |= KRB5_KDB_DISALLOW_ALL_TIX;
+ free (is_login_disabled);
+ }
+ }
+#endif
if ((st=krb5_read_tkt_policy (context, ldap_context, entry, tktpolname)) !=0)
goto cleanup;
diff -up krb5-1.7/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c krb5-1.7/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
--- krb5-1.7/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c 2009-04-14 17:07:34.000000000 -0400
+++ krb5-1.7/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c 2009-06-04 14:38:07.000000000 -0400
@@ -58,6 +58,9 @@ char *principal_attributes[] = { "kr
"loginexpirationtime",
"logindisabled",
#endif
+#ifdef HAVE_DIRSRV
+ "nsaccountlock",
+#endif
"krbLastPwdChange",
"krbExtraData",
"krbObjectReferences",


@ -1,17 +0,0 @@
Don't warn of expiration reported the new way if it's more than a week from
now, for consistency with the code that handles expiration times reported the
old way.
diff -up krb5-1.7/src/lib/krb5/krb/gic_pwd.c krb5-1.7/src/lib/krb5/krb/gic_pwd.c
--- krb5-1.7/src/lib/krb5/krb/gic_pwd.c 2010-01-18 11:12:02.000000000 -0500
+++ krb5-1.7/src/lib/krb5/krb/gic_pwd.c 2010-01-18 11:11:50.000000000 -0500
@@ -389,7 +389,8 @@ cleanup:
delta / 86400, ts);
/* ignore an error here */
/* PROMPTER_INVOCATION */
- (*prompter)(context, data, 0, banner, 0, 0);
+ if (delta < 86400 * 7)
+ (*prompter)(context, data, 0, banner, 0, 0);
}
}
}


@ -1,29 +0,0 @@
Use an in-memory ccache to silence a compiler warning.
diff -up krb5-1.7/src/slave/kprop.c krb5-1.7/src/slave/kprop.c
--- krb5-1.7/src/slave/kprop.c 2008-12-01 12:09:59.000000000 -0500
+++ krb5-1.7/src/slave/kprop.c 2009-06-04 14:14:10.000000000 -0400
@@ -211,9 +211,8 @@ void PRS(argc, argv)
void get_tickets(context)
krb5_context context;
{
- char buf[BUFSIZ];
+ char buf[] = "MEMORY:_kproptkt";
krb5_error_code retval;
- static char tkstring[] = "/tmp/kproptktXXXXXX";
krb5_keytab keytab = NULL;
/*
@@ -238,11 +237,8 @@ void get_tickets(context)
#endif
/*
- * Initialize cache file which we're going to be using
+ * Initialize an in-memory cache for temporary use
*/
- (void) mktemp(tkstring);
- snprintf(buf, sizeof(buf), "FILE:%s", tkstring);
-
retval = krb5_cc_resolve(context, buf, &ccache);
if (retval) {
com_err(progname, retval, "while opening credential cache %s",


@ -1,17 +0,0 @@
This isn't a proper fix (it doesn't actually switch to using the new API),
but it'll do for now.
diff -up src/plugins/preauth/pkinit/pkinit_crypto_openssl.c src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
--- src/plugins/preauth/pkinit/pkinit_crypto_openssl.c.openssl-1.0 2009-01-23 01:51:03.000000000 -0500
+++ src/plugins/preauth/pkinit/pkinit_crypto_openssl.c 2009-08-24 11:19:35.000000000 -0400
@@ -3652,7 +3652,11 @@ decode_data(unsigned char **out_data, un
if (buf == NULL)
goto cleanup;
+#if OPENSSL_VERSION_NUMBER < 0x10000000L
retval = EVP_PKEY_decrypt(buf, data, (int)data_len, pkey);
+#else
+ retval = EVP_PKEY_decrypt_old(buf, data, (int)data_len, pkey);
+#endif
if (retval <= 0) {
pkiDebug("unable to decrypt received data (len=%d)\n", data_len);
goto cleanup;


@ -1,14 +0,0 @@
Check opte->flags instead of options->flags, because we know that opte has
been initialized to the library defaults if options was NULL.
diff -up krb5-1.7/src/lib/krb5/krb/gic_pwd.c krb5-1.7/src/lib/krb5/krb/gic_pwd.c
--- krb5-1.7/src/lib/krb5/krb/gic_pwd.c 2010-01-15 15:07:52.000000000 -0500
+++ krb5-1.7/src/lib/krb5/krb/gic_pwd.c 2010-01-15 15:07:56.000000000 -0500
@@ -200,7 +200,7 @@ krb5_get_init_creds_password(krb5_contex
* to prompt. Prompting is only disabled if the option has been set
* and the value has been set to false.
*/
- if (!(options->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT))
+ if (!(opte->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT))
goto cleanup;
/* ok, we have an expired password. Give the user a few chances


@ -1,66 +0,0 @@
Handle ut_tv not always being a struct timeval. RT#6520
Index: krb5/src/appl/libpty/update_utmp.c
===================================================================
--- krb5/src/appl/libpty/update_utmp.c (revision 22423)
+++ krb5/src/appl/libpty/update_utmp.c (working copy)
@@ -291,6 +291,12 @@
* The ut_exit field seems to exist in utmp, but not utmpx. The files
* utmp and wtmp seem to exist, but not utmpx, or wtmpx.
*
+ * glibc:
+ *
+ * The ut_tv field of struct utmp/utmpx may be an anonymous structure
+ * containing 32-bit values on systems where time_t is 64 bits. Its
+ * fields have the same names, though.
+ *
* libpty Implementation Decisions:
* --------------------------------
*
@@ -505,6 +511,8 @@
const char *line, const char *host, int flags)
{
PTY_STRUCT_UTMPX utx, *utxtmp, utx2;
+ struct timeval ut_tv;
+ time_t login_time;
const char *cp;
size_t len;
char utmp_id[5];
@@ -577,10 +585,13 @@
utxtmp = best_utxent(&utx);
#ifdef HAVE_SETUTXENT
- if (gettimeofday(&utx.ut_tv, NULL))
+ if (gettimeofday(&ut_tv, NULL))
return errno;
+ utx.ut_tv.tv_sec = ut_tv.tv_sec;
+ utx.ut_tv.tv_usec = ut_tv.tv_usec;
#else
- (void)time(&utx.ut_time);
+ (void)time(&login_time);
+ utx.ut_time = login_time;
#endif
/*
* On what system is there not ut_host? Unix98 doesn't mandate
Index: krb5/src/appl/bsd/login.c
===================================================================
--- krb5/src/appl/bsd/login.c (revision 22423)
+++ krb5/src/appl/bsd/login.c (working copy)
@@ -719,7 +719,6 @@
char *domain, **envinit, *ttyn, *tty;
char tbuf[MAXPATHLEN + 2];
char *ttyname(), *crypt(), *getpass();
- time_t login_time;
int retval;
int rewrite_ccache = 1; /*try to write out ccache*/
#ifdef KRB5_GET_TICKETS
@@ -1071,9 +1070,6 @@
/* nothing else left to fail -- really log in */
{
- struct utmp utmp;
-
- login_time = time(&utmp.ut_time);
if ((retval = pty_update_utmp(PTY_USER_PROCESS, getpid(), username,
ttyn, hostname,
PTY_TTYSLOT_USABLE)) < 0)


@ -1,32 +0,0 @@
If we encounter any errors reading the user's principal name from the default
ccache, fall back to the default of using the current user's name.
--- krb5/src/clients/kpasswd/kpasswd.c
+++ krb5/src/clients/kpasswd/kpasswd.c
@@ -84,21 +84,23 @@ int main(int argc, char *argv[])
exit(1);
}
} else if ((ret = krb5_cc_default(context, &ccache)) != KRB5_CC_NOTFOUND) {
+ princ = NULL;
+
if (ret) {
com_err(argv[0], ret, "opening default ccache");
- exit(1);
}
+ else
if ((ret = krb5_cc_get_principal(context, ccache, &princ))) {
com_err(argv[0], ret, "getting principal from ccache");
- exit(1);
}
+ else
if ((ret = krb5_cc_close(context, ccache))) {
com_err(argv[0], ret, "closing ccache");
- exit(1);
}
- } else {
+ }
+ if (princ == NULL) {
get_name_from_passwd_file(argv[0], context, &princ);
}


@ -2,29 +2,29 @@ Reference docs don't define what happens if you call krb5_realm_compare() with
malformed krb5_principal structures. Define a behavior which keeps it from
crashing if applications don't check ahead of time.
diff -up krb5-1.7/src/lib/krb5/krb/princ_comp.c krb5-1.7/src/lib/krb5/krb/princ_comp.c
--- krb5-1.7/src/lib/krb5/krb/princ_comp.c 2009-01-03 18:19:42.000000000 -0500
+++ krb5-1.7/src/lib/krb5/krb/princ_comp.c 2009-06-04 14:31:26.000000000 -0400
@@ -40,6 +40,12 @@ realm_compare_flags(krb5_context context
diff -up krb5-1.8/src/lib/krb5/krb/princ_comp.c.api krb5-1.8/src/lib/krb5/krb/princ_comp.c
--- krb5-1.8/src/lib/krb5/krb/princ_comp.c.api 2009-10-30 20:48:38.000000000 -0400
+++ krb5-1.8/src/lib/krb5/krb/princ_comp.c 2010-03-05 11:00:55.000000000 -0500
@@ -41,6 +41,12 @@ realm_compare_flags(krb5_context context
const krb5_data *realm1 = krb5_princ_realm(context, princ1);
const krb5_data *realm2 = krb5_princ_realm(context, princ2);
+ if ((princ1 == NULL) || (princ2 == NULL))
+ return FALSE;
+ return FALSE;
+
+ if ((realm1 == NULL) || (realm2 == NULL))
+ return FALSE;
+ return FALSE;
+
if (realm1->length != realm2->length)
return FALSE;
return FALSE;
@@ -91,6 +97,9 @@ krb5_principal_compare_flags(krb5_contex
@@ -92,6 +98,9 @@ krb5_principal_compare_flags(krb5_contex
krb5_principal upn2 = NULL;
krb5_boolean ret = FALSE;
+ if ((princ1 == NULL) || (princ2 == NULL))
+ return FALSE;
+ return FALSE;
+
if (flags & KRB5_PRINCIPAL_COMPARE_ENTERPRISE) {
/* Treat UPNs as if they were real principals */
if (krb5_princ_type(context, princ1) == KRB5_NT_ENTERPRISE_PRINCIPAL) {
/* Treat UPNs as if they were real principals */
if (krb5_princ_type(context, princ1) == KRB5_NT_ENTERPRISE_PRINCIPAL) {
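Review bot: In realm_compare_flags the new `if ((princ1 == NULL) || (princ2 == NULL)) return FALSE;` guard sits below the two lines that already compute `realm1`/`realm2` from the principals, so a NULL principal is passed through krb5_princ_realm() before the check runs; if that accessor dereferences its argument (in krb5 it is normally `&(princ)->realm`) the guard is too late and the expression is undefined behaviour even where it happens not to fault. Move the NULL test ahead of the two realm lookups so it reads `if (princ1 == NULL || princ2 == NULL) return FALSE;` followed by the existing `const krb5_data *realm1 = ...` and `realm2` initialisers. With that accessor the `realm1 == NULL || realm2 == NULL` test can never trigger and could be dropped, though it is harmless as defence in depth. Both realm_compare_flags and krb5_principal_compare_flags begin and end outside the hunks.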


@ -0,0 +1,69 @@
Treat 'nsAccountLock: true' the same as 'loginDisabled: true'. Updated from
original version filed as RT#5891.
diff -up krb5-1.8/src/aclocal.m4.dirsrv-accountlock krb5-1.8/src/aclocal.m4
--- krb5-1.8/src/aclocal.m4.dirsrv-accountlock 2010-03-05 11:03:09.000000000 -0500
+++ krb5-1.8/src/aclocal.m4 2010-03-05 11:03:10.000000000 -0500
@@ -1678,6 +1678,12 @@ AC_ARG_WITH([edirectory],
yes | no) ;;
*) AC_MSG_ERROR(Invalid option value --with-edirectory="$withval") ;;
esac], with_edirectory=no)dnl
+AC_ARG_WITH([dirsrv],
+[ --with-dirsrv compile 389/Red Hat/Fedora/Netscape Directory Server database backend module],
+[case "$withval" in
+ yes | no) ;;
+ *) AC_MSG_ERROR(Invalid option value --with-dirsrv="$withval") ;;
+esac], with_dirsrv=no)dnl
if test $with_ldap = yes; then
if test $with_edirectory = yes; then
@@ -1689,6 +1695,10 @@ elif test $with_edirectory = yes; then
AC_MSG_NOTICE(enabling eDirectory database backend module support)
OPENLDAP_PLUGIN=yes
AC_DEFINE(HAVE_EDIRECTORY,1,[Define if LDAP KDB interface should assume eDirectory.])
+elif test $with_dirsrv = yes; then
+ AC_MSG_NOTICE(enabling 389/Red Hat/Fedora/Netscape Directory Server database backend module support)
+ OPENLDAP_PLUGIN=yes
+ AC_DEFINE(HAVE_DIRSRV,1,[Define if LDAP KDB interface should assume RHDS/FDS/NDS.])
else
: # neither enabled
dnl AC_MSG_NOTICE(disabling ldap backend module support)
diff -up krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c.dirsrv-accountlock krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
--- krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c.dirsrv-accountlock 2009-11-24 18:52:25.000000000 -0500
+++ krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c 2010-03-05 11:03:10.000000000 -0500
@@ -2101,6 +2101,22 @@ populate_krb5_db_entry(krb5_context cont
}
}
#endif
+#ifdef HAVE_DIRSRV
+ {
+ krb5_timestamp expiretime=0;
+ char *is_login_disabled=NULL;
+
+ /* LOGIN DISABLED */
+ if ((st=krb5_ldap_get_string(ld, ent, "nsaccountlock", &is_login_disabled,
+ &attr_present)) != 0)
+ goto cleanup;
+ if (attr_present == TRUE) {
+ if (strcasecmp(is_login_disabled, "TRUE")== 0)
+ entry->attributes |= KRB5_KDB_DISALLOW_ALL_TIX;
+ free (is_login_disabled);
+ }
+ }
+#endif
if ((st=krb5_read_tkt_policy (context, ldap_context, entry, tktpolname)) !=0)
goto cleanup;
diff -up krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c.dirsrv-accountlock krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
--- krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c.dirsrv-accountlock 2009-11-24 18:52:25.000000000 -0500
+++ krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c 2010-03-05 11:03:10.000000000 -0500
@@ -59,6 +59,9 @@ char *principal_attributes[] = { "kr
"loginexpirationtime",
"logindisabled",
#endif
+#ifdef HAVE_DIRSRV
+ "nsaccountlock",
+#endif
"krbLastPwdChange",
"krbExtraData",
"krbObjectReferences",
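Review bot: `krb5_timestamp expiretime=0;` at the top of the new HAVE_DIRSRV block in populate_krb5_db_entry is never read, so it only earns an unused-variable warning; drop that line (it looks carried over from the eDirectory block above). The lock test sets KRB5_KDB_DISALLOW_ALL_TIX only when the attribute is literally TRUE (case-insensitively), so a present-but-unexpected value leaves the principal unlocked, which is the fail-open direction; if that is intended, a comment such as `/* any value other than TRUE is treated as not locked */` should say so. `free(is_login_disabled)` is inside the attr_present branch, which is correct only if krb5_ldap_get_string allocates nothing when the attribute is absent; that helper is outside the hunk, so confirm. populate_krb5_db_entry begins and ends outside the hunk.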

krb5-1.8-exp_warn.patch Normal file

@ -0,0 +1,17 @@
Don't warn of expiration reported the new way if it's more than a week from
now, for consistency with the code that handles expiration times reported the
old way.
diff -up krb5-1.8/src/lib/krb5/krb/gic_pwd.c.exp_warn krb5-1.8/src/lib/krb5/krb/gic_pwd.c
--- krb5-1.8/src/lib/krb5/krb/gic_pwd.c.exp_warn 2010-03-05 11:04:10.000000000 -0500
+++ krb5-1.8/src/lib/krb5/krb/gic_pwd.c 2010-03-05 11:04:10.000000000 -0500
@@ -407,7 +407,8 @@ cleanup:
delta / 86400, ts);
/* ignore an error here */
/* PROMPTER_INVOCATION */
- (*prompter)(context, data, 0, banner, 0, 0);
+ if (delta < 86400 * 7)
+ (*prompter)(context, data, 0, banner, 0, 0);
}
}
}
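Review bot: The added `if (delta < 86400 * 7)` guards only the prompter call, after the banner has already been formatted on the `delta / 86400, ts);` line above, so the message is built and then discarded for expirations more than a week out. Hoisting the test above the snprintf would avoid the wasted work and keep the week cutoff next to the code that decides whether to warn at all. The `86400 * 7` literal repeats the `86400` already used for the day count; a named constant near the top of the file, e.g. `#define PW_EXPIRE_WARN_SECS (7 * 24 * 60 * 60)`, would make the policy greppable and keep the two uses in step. The enclosing function continues outside the hunk, which is anchored at the `cleanup:` label.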


@ -1,9 +1,11 @@
Sadique Puthen notes that the warning on the client side seems to be correspond
to the wrong attribute on the KDC. Do what RFC4120 says we should do. RT#5755.
--- krb5-1.6.2/src/kdc/do_as_req.c 2007-06-25 15:49:06.000000000 -0400
+++ krb5-1.6.2/src/kdc/do_as_req.c 2007-06-25 15:49:08.000000000 -0400
@@ -371,7 +371,14 @@ process_as_req(krb5_kdc_req *request, kr
goto errout;
diff -up krb5-1.8/src/kdc/do_as_req.c.key_exp krb5-1.8/src/kdc/do_as_req.c
--- krb5-1.8/src/kdc/do_as_req.c.key_exp 2010-02-16 17:21:08.000000000 -0500
+++ krb5-1.8/src/kdc/do_as_req.c 2010-03-05 11:02:06.000000000 -0500
@@ -555,7 +555,14 @@ process_as_req(krb5_kdc_req *request, kr
goto errout;
}
reply_encpart.nonce = request->nonce;
- reply_encpart.key_exp = client.expiration;


@ -0,0 +1,34 @@
If we encounter any errors reading the user's principal name from the default
ccache, fall back to the default of using the current user's name.
diff -up krb5-1.8/src/clients/kpasswd/kpasswd.c.kpasswd-ccache krb5-1.8/src/clients/kpasswd/kpasswd.c
--- krb5-1.8/src/clients/kpasswd/kpasswd.c.kpasswd-ccache 2009-10-30 20:48:38.000000000 -0400
+++ krb5-1.8/src/clients/kpasswd/kpasswd.c 2010-03-05 11:04:42.000000000 -0500
@@ -85,21 +85,23 @@ int main(int argc, char *argv[])
exit(1);
}
} else if ((ret = krb5_cc_default(context, &ccache)) != KRB5_CC_NOTFOUND) {
+ princ = NULL;
+
if (ret) {
com_err(argv[0], ret, "opening default ccache");
- exit(1);
}
+ else
if ((ret = krb5_cc_get_principal(context, ccache, &princ))) {
com_err(argv[0], ret, "getting principal from ccache");
- exit(1);
}
+ else
if ((ret = krb5_cc_close(context, ccache))) {
com_err(argv[0], ret, "closing ccache");
- exit(1);
}
- } else {
+ }
+ if (princ == NULL) {
get_name_from_passwd_file(argv[0], context, &princ);
}
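Review bot: When `krb5_cc_get_principal` fails, the new code prints the error and falls through to the passwd-file fallback, but the cache opened by `krb5_cc_default` is never closed, because `krb5_cc_close` now lives only in the following `else` branch; add `(void) krb5_cc_close(context, ccache);` inside that failure block. The bare `else` on a line of its own followed by `if (...)` on the next reads as two statements; the conventional `} else if (` shape would make the three-way chain obvious. Since a ccache problem now ends in changing the password for the local account name instead of aborting, the com_err text on each path is the only indication that the principal was not taken from the cache, so keep those messages and consider stating the fallback in them. main() begins and ends outside the hunk.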


@ -0,0 +1,34 @@
Fall back to TCP on kdc-unresolvable/unreachable errors. We still have
to wait for UDP to fail, so this might not be ideal. RT #5868.
diff -up krb5-1.8/src/lib/krb5/os/changepw.c.kpasswd_tcp krb5-1.8/src/lib/krb5/os/changepw.c
--- krb5-1.8/src/lib/krb5/os/changepw.c.kpasswd_tcp 2009-12-02 13:06:19.000000000 -0500
+++ krb5-1.8/src/lib/krb5/os/changepw.c 2010-03-05 11:02:39.000000000 -0500
@@ -270,11 +270,22 @@ change_set_password(krb5_context context
NULL,
NULL
))) {
-
- /*
- * Here we may want to switch to TCP on some errors.
- * right?
- */
+ /* if we're not using a stream socket, and it's an error which
+ * might reasonably be specific to a datagram "connection", try
+ * again with a stream socket */
+ if (!useTcp) {
+ switch (code) {
+ case KRB5_KDC_UNREACH:
+ case KRB5_REALM_CANT_RESOLVE:
+ case KRB5KRB_ERR_RESPONSE_TOO_BIG:
+ /* should we do this for more result codes than these? */
+ krb5int_free_addrlist (&al);
+ useTcp = 1;
+ continue;
+ default:
+ break;
+ }
+ }
break;
}
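Review bot: The new retry path calls `krb5int_free_addrlist(&al)` and then `continue`s, so it relies on the head of the enclosing loop, which is outside the hunk, to rebuild `al` before anything reads it again; if the loop resolves the address list once before entering, the TCP pass would run on freed entries. Make that dependency explicit at the `continue` with a comment such as `/* al is rebuilt at the top of the loop for the TCP attempt */`, after confirming it against the loop head. Retrying on KRB5_KDC_UNREACH means an unreachable kpasswd server now costs the full UDP timeout plus a TCP connect attempt, which the patch header acknowledges; KRB5KRB_ERR_RESPONSE_TOO_BIG is the only listed code that is genuinely datagram-specific, and the `default: break;` correctly leaves other errors fatal. change_set_password begins and ends outside the hunk.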


@ -0,0 +1,29 @@
Use an in-memory ccache to silence a compiler warning.
diff -up krb5-1.8/src/slave/kprop.c.kprop-mktemp krb5-1.8/src/slave/kprop.c
--- krb5-1.8/src/slave/kprop.c.kprop-mktemp 2009-11-06 18:29:12.000000000 -0500
+++ krb5-1.8/src/slave/kprop.c 2010-03-05 10:59:06.000000000 -0500
@@ -202,9 +202,8 @@ void PRS(argc, argv)
void get_tickets(context)
krb5_context context;
{
- char buf[BUFSIZ];
+ char buf[] = "MEMORY:_kproptkt";
krb5_error_code retval;
- static char tkstring[] = "/tmp/kproptktXXXXXX";
krb5_keytab keytab = NULL;
/*
@@ -229,11 +228,8 @@ void get_tickets(context)
#endif
/*
- * Initialize cache file which we're going to be using
+ * Initialize an in-memory cache for temporary use
*/
- (void) mktemp(tkstring);
- snprintf(buf, sizeof(buf), "FILE:%s", tkstring);
-
retval = krb5_cc_resolve(context, buf, &ccache);
if (retval) {
com_err(progname, retval, "while opening credential cache %s",
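Review bot: The patch header says this is to silence a compiler warning, but the change also removes a predictable, mktemp()-named `/tmp/kproptktXXXXXX` credential cache, which in a tool run as root is a classic symlink-race target; the header should record that, since it is the stronger reason to keep the patch across rebases. Suggested header: `Use an in-memory ccache instead of a mktemp()-named file under /tmp. This avoids the mktemp symlink race as well as the build-time warning the old code produced.` With the buffer no longer written to, `char buf[] = "MEMORY:_kproptkt";` could become `const char *ccname = "MEMORY:_kproptkt";` to say what it is; the `krb5_cc_resolve` and `com_err` calls below take it unchanged. get_tickets continues outside the hunk.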

krb5-1.8-ksu-access.patch Normal file

@ -0,0 +1,49 @@
The idea is to not complain about problems in the default ticket file if we
couldn't read it, because the client would be able to tell if it's there or
not. Still needs work, I think.
diff -up krb5-1.8/src/clients/ksu/ccache.c.ksu-access krb5-1.8/src/clients/ksu/ccache.c
--- krb5-1.8/src/clients/ksu/ccache.c.ksu-access 2009-10-30 20:48:38.000000000 -0400
+++ krb5-1.8/src/clients/ksu/ccache.c 2010-03-05 10:57:56.000000000 -0500
@@ -78,7 +78,7 @@ krb5_error_code krb5_ccache_copy (contex
cc_def_name = krb5_cc_get_name(context, cc_def);
cc_other_name = krb5_cc_get_name(context, *cc_other);
- if ( ! stat(cc_def_name, &st_temp)){
+ if ( ! access(cc_def_name, R_OK) && ! stat(cc_def_name, &st_temp)){
if((retval = krb5_get_nonexp_tkts(context,cc_def,&cc_def_creds_arr))){
return retval;
}
diff -up krb5-1.8/src/clients/ksu/heuristic.c.ksu-access krb5-1.8/src/clients/ksu/heuristic.c
--- krb5-1.8/src/clients/ksu/heuristic.c.ksu-access 2009-10-30 20:48:38.000000000 -0400
+++ krb5-1.8/src/clients/ksu/heuristic.c 2010-03-05 10:57:56.000000000 -0500
@@ -409,7 +409,7 @@ krb5_error_code find_either_ticket (cont
cc_source_name = krb5_cc_get_name(context, cc);
- if ( ! stat(cc_source_name, &st_temp)){
+ if ( ! access(cc_source_name, F_OK | R_OK) && ! stat(cc_source_name, &st_temp)){
retval = find_ticket(context, cc, client, end_server, &temp_found);
if (retval)
@@ -569,7 +569,7 @@ krb5_error_code get_best_princ_for_targe
cc_source_name = krb5_cc_get_name(context, cc_source);
- if (! stat(cc_source_name, &st_temp)) {
+ if (! access(cc_source_name, F_OK | R_OK) && ! stat(cc_source_name, &st_temp)) {
retval = krb5_cc_get_principal(context, cc_source, &cc_def_princ);
if (retval)
return retval;
diff -up krb5-1.8/src/clients/ksu/main.c.ksu-access krb5-1.8/src/clients/ksu/main.c
--- krb5-1.8/src/clients/ksu/main.c.ksu-access 2010-03-05 10:57:55.000000000 -0500
+++ krb5-1.8/src/clients/ksu/main.c 2010-03-05 10:57:56.000000000 -0500
@@ -270,7 +270,7 @@ main (argc, argv)
if ( strchr(cc_source_tag, ':')){
cc_source_tag_tmp = strchr(cc_source_tag, ':') + 1;
- if( stat( cc_source_tag_tmp, &st_temp)){
+ if( access( cc_source_tag_tmp, F_OK | R_OK) || stat( cc_source_tag_tmp, &st_temp)){
com_err (prog_name, errno,
"while looking for credentials file %s",
cc_source_tag_tmp);
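Review bot: The added `access(..., F_OK | R_OK)` checks in main.c, heuristic.c and ccache.c run in a setuid-root program and therefore test the real uid, which is what is wanted here, but they are check-then-use: the path can be swapped between access()/stat() and the later krb5_cc_* open, so they must not be treated as an authorization decision (CWE-367). If the purpose is only to stop ksu from reporting on files the invoking user could not read, a comment at each check would stop a maintainer from leaning on it, e.g. `/* access() checks the real uid: hides unreadable files from error output; not a TOCTOU-safe permission check */`. A more robust shape is to drop to the real uid around the ccache open, or open first and fstat() the descriptor; the header's own "still needs work" remark points that way. In ccache.c the failed-access case silently skips copying the default cache, while the main.c path calls com_err; worth a comment if the asymmetry is deliberate. All four enclosing functions begin and end outside the hunks.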

krb5-1.8-ksu-path.patch Normal file

@ -0,0 +1,13 @@
Set the default PATH to the one set by login.
diff -up krb5-1.8/src/clients/ksu/Makefile.in.ksu-path krb5-1.8/src/clients/ksu/Makefile.in
--- krb5-1.8/src/clients/ksu/Makefile.in.ksu-path 2010-03-05 10:58:25.000000000 -0500
+++ krb5-1.8/src/clients/ksu/Makefile.in 2010-03-05 10:58:25.000000000 -0500
@@ -1,6 +1,6 @@
mydir=clients/ksu
BUILDTOP=$(REL)..$(S)..
-DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"'
+DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/usr/local/sbin /usr/local/bin /sbin /usr/sbin /bin /usr/bin"'
DEFS=
PROG_LIBPATH=-L$(TOPLIBD)
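Review bot: The new CMD_PATH lists `/usr/local/sbin` and `/usr/local/bin` ahead of `/sbin /usr/sbin /bin /usr/bin`, and ksu is setuid-root and uses this list to find the command it runs on the target user's behalf, so any entry writable by a non-root user would let that user shadow system binaries for every ksu caller. On a stock Fedora install these directories are root-owned and not group/world-writable, so this does match login's default as the header says, but the assumption deserves recording next to the define: `# CMD_PATH must contain only root-owned, non-writable directories: ksu is setuid-root`. This version also drops the `/usr/X11R6/bin` entry the 1.7 patch carried, presumably because that directory is no longer shipped; a line in the header noting the removal would save the next rebaser from wondering.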


@ -1,77 +1,12 @@
Change the absolute paths included in the man pages so that the correct
values can be dropped in by config.status. After applying this patch,
these files should be renamed to their ".in" counterparts, and then the
configure scripts should be rebuilt. RT#6525
configure scripts should be rebuilt. Originally RT#6525
Index: configure.in
===================================================================
--- configure.in (revision 22425)
+++ configure.in (working copy)
@@ -1043,6 +1043,16 @@
KRB5_WITH_PAM
AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config])
+
+V5_AC_OUTPUT_MANPAGE([
+ appl/sample/sserver/sserver.M
+ config-files/kdc.conf.M
+ config-files/krb5.conf.M
+ kadmin/cli/kadmin.M
+ slave/kpropd.M
+ slave/kprop.M
+])
+
V5_AC_OUTPUT_MAKEFILE(.
util util/support util/profile util/send-pr
Index: appl/gssftp/configure.in
===================================================================
--- appl/gssftp/configure.in (revision 22425)
+++ appl/gssftp/configure.in (working copy)
@@ -65,4 +65,9 @@
dnl
dnl
KRB5_BUILD_PROGRAM
+
+V5_AC_OUTPUT_MANPAGE([
+ ftpd/ftpd.M
+])
+
V5_AC_OUTPUT_MAKEFILE(. ftp ftpd)
Index: appl/bsd/configure.in
===================================================================
--- appl/bsd/configure.in (revision 22425)
+++ appl/bsd/configure.in (working copy)
@@ -156,4 +156,10 @@
KRB5_AC_LIBUTIL
KRB5_BUILD_PROGRAM
+
+V5_AC_OUTPUT_MANPAGE([
+ klogind.M
+ kshd.M
+])
+
V5_AC_OUTPUT_MAKEFILE
Index: appl/telnet/configure.in
===================================================================
--- appl/telnet/configure.in (revision 22425)
+++ appl/telnet/configure.in (working copy)
@@ -161,4 +161,9 @@
LIBS="$old_LIBS"
dnl
KRB5_AC_LIBUTIL
+
+V5_AC_OUTPUT_MANPAGE([
+ telnetd/telnetd.8
+])
+
V5_AC_OUTPUT_MAKEFILE(. libtelnet telnet telnetd)
Index: aclocal.m4
===================================================================
--- aclocal.m4 (revision 22425)
+++ aclocal.m4 (working copy)
@@ -1854,3 +1854,24 @@
diff -up krb5-1.8/src/aclocal.m4.manpaths krb5-1.8/src/aclocal.m4
--- krb5-1.8/src/aclocal.m4.manpaths 2010-03-05 10:55:28.000000000 -0500
+++ krb5-1.8/src/aclocal.m4 2010-03-05 10:55:29.000000000 -0500
@@ -1770,3 +1770,24 @@ AC_SUBST(PAM_LIBS)
AC_SUBST(PAM_MAN)
AC_SUBST(NON_PAM_MAN)
])dnl
@ -96,11 +31,10 @@ Index: aclocal.m4
+AC_SUBST(manlibexecdir)
+AC_CONFIG_FILES($1)
+])
Index: appl/sample/sserver/sserver.M
===================================================================
--- appl/sample/sserver/sserver.M (revision 22425)
+++ appl/sample/sserver/sserver.M (working copy)
@@ -59,7 +59,7 @@
diff -up krb5-1.8/src/appl/sample/sserver/sserver.M.manpaths krb5-1.8/src/appl/sample/sserver/sserver.M
--- krb5-1.8/src/appl/sample/sserver/sserver.M.manpaths 1999-09-24 17:20:59.000000000 -0400
+++ krb5-1.8/src/appl/sample/sserver/sserver.M 2010-03-05 10:55:29.000000000 -0500
@@ -59,7 +59,7 @@ option allows for a different keytab tha
using a line in
/etc/inetd.conf that looks like this:
.PP
@ -109,97 +43,10 @@ Index: appl/sample/sserver/sserver.M
.PP
Since \fBsample\fP is normally not a port defined in /etc/services, you will
usually have to add a line to /etc/services which looks like this:
Index: appl/bsd/klogind.M
===================================================================
--- appl/bsd/klogind.M (revision 22425)
+++ appl/bsd/klogind.M (working copy)
@@ -27,7 +27,7 @@
the port indicated in /etc/inetd.conf. A typical /etc/inetd.conf
configuration line for \fIklogind\fP might be:
-klogin stream tcp nowait root /usr/cygnus/sbin/klogind klogind -e5c
+klogin stream tcp nowait root @mansbindir@/klogind klogind -e5c
When a service request is received, the following protocol is initiated:
Index: appl/bsd/kshd.M
===================================================================
--- appl/bsd/kshd.M (revision 22425)
+++ appl/bsd/kshd.M (working copy)
@@ -8,7 +8,7 @@
.SH NAME
kshd \- kerberized remote shell server
.SH SYNOPSIS
-.B /usr/local/sbin/kshd
+.B @mansbindir@/kshd
[
.B \-kr45ec
]
@@ -30,7 +30,7 @@
on the port indicated in /etc/inetd.conf. A typical /etc/inetd.conf
configuration line for \fIkrshd\fP might be:
-kshell stream tcp nowait root /usr/local/sbin/kshd kshd -5c
+kshell stream tcp nowait root @mansbindir@/kshd kshd -5c
When a service request is received, the following protocol is initiated:
Index: appl/telnet/telnetd/telnetd.8
===================================================================
--- appl/telnet/telnetd/telnetd.8 (revision 22425)
+++ appl/telnet/telnetd/telnetd.8 (working copy)
@@ -37,7 +37,7 @@
.SM DARPA TELNET
protocol server
.SH SYNOPSIS
-.B /usr/libexec/telnetd
+.B @mansbindir@/telnetd
[\fB\-a\fP \fIauthmode\fP] [\fB\-B\fP] [\fB\-D\fP] [\fIdebugmode\fP]
[\fB\-e\fP] [\fB\-h\fP] [\fB\-I\fP\fIinitid\fP] [\fB\-l\fP]
[\fB\-k\fP] [\fB\-n\fP] [\fB\-r\fP\fIlowpty-highpty\fP] [\fB\-s\fP]
Index: appl/gssftp/ftpd/ftpd.M
===================================================================
--- appl/gssftp/ftpd/ftpd.M (revision 22425)
+++ appl/gssftp/ftpd/ftpd.M (working copy)
@@ -35,7 +35,7 @@
.SH NAME
ftpd \- DARPA Internet File Transfer Protocol server
.SH SYNOPSIS
-.B ftpd
+.B @mansbindir@/ftpd
[\fB\-A \fP|\fB -a\fP] [\fB\-C\fP] [\fB\-c\fP] [\fB\-d\fP] [\fB-E\fP]
[\fB\-l\fP] [\fB\-v\fP] [\fB\-T\fP \fImaxtimeout\fP] [\fB\-t\fP \fItimeout\fP]
[\fB\-p\fP \fIport\fP] [\fB\-U\fP \fIftpusers-file\fP] [\fB\-u\fP \fIumask\fP]
Index: kadmin/cli/kadmin.M
===================================================================
--- kadmin/cli/kadmin.M (revision 22425)
+++ kadmin/cli/kadmin.M (working copy)
@@ -850,9 +850,9 @@
.RS
.TP
EXAMPLE:
-kadmin: ktremove -k /usr/local/var/krb5kdc/kadmind.keytab kadmin/admin
+kadmin: ktremove -k @manlocalstatedir@/krb5kdc/kadmind.keytab kadmin/admin
Entry for principal kadmin/admin with kvno 3 removed
- from keytab WRFILE:/usr/local/var/krb5kdc/kadmind.keytab.
+ from keytab WRFILE:@manlocalstatedir@/krb5kdc/kadmind.keytab.
kadmin:
.RE
.fi
@@ -894,7 +894,7 @@
.SH HISTORY
The
.B kadmin
-prorgam was originally written by Tom Yu at MIT, as an interface to the
+program was originally written by Tom Yu at MIT, as an interface to the
OpenVision Kerberos administration program.
.SH SEE ALSO
.IR kerberos (1),
Index: config-files/kdc.conf.M
===================================================================
--- config-files/kdc.conf.M (revision 22425)
+++ config-files/kdc.conf.M (working copy)
@@ -82,14 +82,14 @@
diff -up krb5-1.8/src/config-files/kdc.conf.M.manpaths krb5-1.8/src/config-files/kdc.conf.M
--- krb5-1.8/src/config-files/kdc.conf.M.manpaths 2010-01-04 14:34:33.000000000 -0500
+++ krb5-1.8/src/config-files/kdc.conf.M 2010-03-05 10:55:29.000000000 -0500
@@ -82,14 +82,14 @@ This
.B string
specifies the location of the access control list (acl) file that
kadmin uses to determine which principals are allowed which permissions
@ -216,7 +63,7 @@ Index: config-files/kdc.conf.M
.IP database_name
This
@@ -257,7 +257,7 @@
@@ -254,7 +254,7 @@ tickets should be checked against the tr
realm names and the [capaths] section of its krb5.conf file
.SH FILES
@ -225,11 +72,10 @@ Index: config-files/kdc.conf.M
.SH SEE ALSO
krb5.conf(5), krb5kdc(8)
Index: config-files/krb5.conf.M
===================================================================
--- config-files/krb5.conf.M (revision 22425)
+++ config-files/krb5.conf.M (working copy)
@@ -643,6 +643,6 @@
diff -up krb5-1.8/src/config-files/krb5.conf.M.manpaths krb5-1.8/src/config-files/krb5.conf.M
--- krb5-1.8/src/config-files/krb5.conf.M.manpaths 2010-02-25 15:14:21.000000000 -0500
+++ krb5-1.8/src/config-files/krb5.conf.M 2010-03-05 10:55:29.000000000 -0500
@@ -651,6 +651,6 @@ is whitespace-separated. The LDAP server
This LDAP specific tag indicates the number of connections to be maintained per
LDAP server.
.SH FILES
@ -237,42 +83,63 @@ Index: config-files/krb5.conf.M
+@mansysconfdir@/krb5.conf
.SH SEE ALSO
syslog(3)
Index: slave/kprop.M
===================================================================
--- slave/kprop.M (revision 22425)
+++ slave/kprop.M (working copy)
@@ -39,7 +39,7 @@
This is done by transmitting the dumped database file to the slave
server over an encrypted, secure channel. The dump file must be created
by kdb5_util, and is normally KPROP_DEFAULT_FILE
-(/usr/local/var/krb5kdc/slave_datatrans).
+(@manlocalstatedir@/krb5kdc/slave_datatrans).
.SH OPTIONS
diff -up krb5-1.8/src/configure.in.manpaths krb5-1.8/src/configure.in
--- krb5-1.8/src/configure.in.manpaths 2010-03-05 10:55:29.000000000 -0500
+++ krb5-1.8/src/configure.in 2010-03-05 10:55:29.000000000 -0500
@@ -1054,6 +1054,16 @@ fi
KRB5_WITH_PAM
AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config])
+
+V5_AC_OUTPUT_MANPAGE([
+ appl/sample/sserver/sserver.M
+ config-files/kdc.conf.M
+ config-files/krb5.conf.M
+ kadmin/cli/kadmin.M
+ slave/kpropd.M
+ slave/kprop.M
+])
+
V5_AC_OUTPUT_MAKEFILE(.
util util/support util/profile util/send-pr
diff -up krb5-1.8/src/kadmin/cli/kadmin.M.manpaths krb5-1.8/src/kadmin/cli/kadmin.M
--- krb5-1.8/src/kadmin/cli/kadmin.M.manpaths 2010-01-04 14:59:25.000000000 -0500
+++ krb5-1.8/src/kadmin/cli/kadmin.M 2010-03-05 10:55:29.000000000 -0500
@@ -869,9 +869,9 @@ option is specified, less verbose status
.RS
.TP
\fB\-r\fP \fIrealm\fP
@@ -51,7 +51,7 @@
\fB\-f\fP \fIfile\fP
specifies the filename where the dumped principal database file is to be
found; by default the dumped database file is KPROP_DEFAULT_FILE
-(normally /usr/local/var/krb5kdc/slave_datatrans).
+(normally @manlocalstatedir@/krb5kdc/slave_datatrans).
.TP
\fB\-P\fP \fIport\fP
specifies the port to use to contact the
Index: slave/kpropd.M
===================================================================
--- slave/kpropd.M (revision 22425)
+++ slave/kpropd.M (working copy)
@@ -74,7 +74,7 @@
EXAMPLE:
-kadmin: ktremove -k /usr/local/var/krb5kdc/kadmind.keytab kadmin/admin
+kadmin: ktremove -k @manlocalstatedir@/krb5kdc/kadmind.keytab kadmin/admin
Entry for principal kadmin/admin with kvno 3 removed
- from keytab WRFILE:/usr/local/var/krb5kdc/kadmind.keytab.
+ from keytab WRFILE:@manlocalstatedir@/krb5kdc/kadmind.keytab.
kadmin:
.RE
.fi
@@ -913,7 +913,7 @@ passwords.
.SH HISTORY
The
.B kadmin
-prorgam was originally written by Tom Yu at MIT, as an interface to the
+program was originally written by Tom Yu at MIT, as an interface to the
OpenVision Kerberos administration program.
.SH SEE ALSO
.IR kerberos (1),
diff -up krb5-1.8/src/slave/kpropd.M.manpaths krb5-1.8/src/slave/kpropd.M
--- krb5-1.8/src/slave/kpropd.M.manpaths 2009-12-30 23:21:34.000000000 -0500
+++ krb5-1.8/src/slave/kpropd.M 2010-03-05 10:55:29.000000000 -0500
@@ -74,7 +74,7 @@ Normally, kpropd is invoked out of
This is done by adding a line to the inetd.conf file which looks like
this:
-kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd
+kprop stream tcp nowait root @mansbindir@/kpropd kpropd
However, kpropd can also run as a standalone deamon, if the
However, kpropd can also run as a standalone daemon, if the
.B \-S
@@ -111,13 +111,13 @@
@@ -111,13 +111,13 @@ is used.
\fB\-f\fP \fIfile\fP
specifies the filename where the dumped principal database file is to be
stored; by default the dumped database file is KPROPD_DEFAULT_FILE
@ -288,7 +155,7 @@ Index: slave/kpropd.M
.TP
.B \-S
turn on standalone mode. Normally, kpropd is invoked out of
@@ -148,14 +148,14 @@
@@ -148,14 +148,14 @@ mode.
allows the user to specify the path to the
kpropd.acl
file; by default the path used is KPROPD_ACL_FILE
@ -305,3 +172,24 @@ Index: slave/kpropd.M
Each entry is a line containing the principal of a host from which the
local machine will allow Kerberos database propagation via kprop.
.SH SEE ALSO
diff -up krb5-1.8/src/slave/kprop.M.manpaths krb5-1.8/src/slave/kprop.M
--- krb5-1.8/src/slave/kprop.M.manpaths 1999-09-24 17:20:59.000000000 -0400
+++ krb5-1.8/src/slave/kprop.M 2010-03-05 10:55:29.000000000 -0500
@@ -39,7 +39,7 @@ Kerberos server to a slave Kerberos serv
This is done by transmitting the dumped database file to the slave
server over an encrypted, secure channel. The dump file must be created
by kdb5_util, and is normally KPROP_DEFAULT_FILE
-(/usr/local/var/krb5kdc/slave_datatrans).
+(@manlocalstatedir@/krb5kdc/slave_datatrans).
.SH OPTIONS
.TP
\fB\-r\fP \fIrealm\fP
@@ -51,7 +51,7 @@ is used.
\fB\-f\fP \fIfile\fP
specifies the filename where the dumped principal database file is to be
found; by default the dumped database file is KPROP_DEFAULT_FILE
-(normally /usr/local/var/krb5kdc/slave_datatrans).
+(normally @manlocalstatedir@/krb5kdc/slave_datatrans).
.TP
\fB\-P\fP \fIport\fP
specifies the port to use to contact the

33
krb5-1.8-opte.patch Normal file
@ -0,0 +1,33 @@
Fall back to the library default for whether or not to prompt for a password-
change during authentication, if we weren't passed any options.
diff -up krb5-1.8/src/lib/krb5/krb/gic_pwd.c.opte krb5-1.8/src/lib/krb5/krb/gic_pwd.c
--- krb5-1.8/src/lib/krb5/krb/gic_pwd.c.opte 2009-12-23 11:00:05.000000000 -0500
+++ krb5-1.8/src/lib/krb5/krb/gic_pwd.c 2010-03-05 11:03:42.000000000 -0500
@@ -123,6 +123,7 @@ krb5_get_init_creds_password(krb5_contex
int tries;
krb5_creds chpw_creds;
krb5_get_init_creds_opt *chpw_opts = NULL;
+ krb5_gic_opt_ext *opte = NULL;
krb5_data pw0, pw1;
char banner[1024], pw0array[1024], pw1array[1024];
krb5_prompt prompt[2];
@@ -218,7 +219,8 @@ krb5_get_init_creds_password(krb5_contex
* to prompt. Prompting is only disabled if the option has been set
* and the value has been set to false.
*/
- if (!(options->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT))
+ krb5int_gic_opt_to_opte(context, options, &opte, 1, NULL);
+ if (!(opte->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT))
goto cleanup;
/* ok, we have an expired password. Give the user a few chances
@@ -332,6 +334,8 @@ krb5_get_init_creds_password(krb5_contex
&use_master, &as_reply);
cleanup:
+ if (opte != options)
+ krb5_get_init_creds_opt_free(context, opte);
krb5int_set_prompt_types(context, 0);
/* if getting the password was successful, then check to see if the
password is about to expire, and warn if so */
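Review bot: The return value of `krb5int_gic_opt_to_opte()` on the added line is discarded, so if the conversion can fail (presumably an allocation failure when it has to build an extended copy of `options`) and leaves `opte` NULL, the very next line's `opte->flags` dereferences a null pointer on the expired-password path of krb5_get_init_creds_password. Since the surrounding logic already treats "not set" as "do not prompt", failing closed is the safe default: `if (krb5int_gic_opt_to_opte(context, options, &opte, 1, NULL) != 0 || !(opte->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT)) goto cleanup;`. The cleanup comparison `opte != options` compares two distinct pointer types, so it presumably needs a cast to compile cleanly, and whether the handle passed to `krb5_get_init_creds_opt_free()` needs one too depends on that function's prototype, which is not visible here. The enclosing function starts and ends outside the hunk.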

724
krb5-1.8-pam.patch Normal file
@ -0,0 +1,724 @@
Modify ksu so that it performs account and session management for the
target user account, mimicking the action of regular su. The default
service name is "ksu", because on Fedora at least the configuration used
is determined by whether or not a login shell is being opened, and so
this may need to vary, too. At run-time, ksu's behavior can be reset to
the earlier, non-PAM behavior by setting "use_pam" to false in the [ksu]
section of /etc/krb5.conf.
When enabled, ksu gains a dependency on libpam.
Originally RT#5939, needs updating for 1.8.
diff -up krb5-1.8/src/aclocal.m4.pam krb5-1.8/src/aclocal.m4
--- krb5-1.8/src/aclocal.m4.pam 2009-11-22 12:00:45.000000000 -0500
+++ krb5-1.8/src/aclocal.m4 2010-03-05 10:48:08.000000000 -0500
@@ -1703,3 +1703,70 @@ AC_DEFUN(KRB5_AC_KEYRING_CCACHE,[
]))
])dnl
dnl
+dnl
+dnl Use PAM instead of local crypt() compare for checking local passwords,
+dnl and perform PAM account, session management, and password-changing where
+dnl appropriate.
+dnl
+AC_DEFUN(KRB5_WITH_PAM,[
+AC_ARG_WITH(pam,[AC_HELP_STRING(--with-pam,[compile with PAM support])],
+ withpam="$withval",withpam=auto)
+AC_ARG_WITH(pam-ksu-service,[AC_HELP_STRING(--with-ksu-service,[PAM service name for ksu ["ksu"]])],
+ withksupamservice="$withval",withksupamservice=ksu)
+old_LIBS="$LIBS"
+if test "$withpam" != no ; then
+ AC_MSG_RESULT([checking for PAM...])
+ PAM_LIBS=
+
+ AC_CHECK_HEADERS(security/pam_appl.h)
+ if test "x$ac_cv_header_security_pam_appl_h" != xyes ; then
+ if test "$withpam" = auto ; then
+ AC_MSG_RESULT([Unable to locate security/pam_appl.h.])
+ withpam=no
+ else
+ AC_MSG_ERROR([Unable to locate security/pam_appl.h.])
+ fi
+ fi
+
+ LIBS=
+ unset ac_cv_func_pam_start
+ AC_CHECK_FUNCS(putenv pam_start)
+ if test "x$ac_cv_func_pam_start" = xno ; then
+ unset ac_cv_func_pam_start
+ AC_CHECK_LIB(dl,dlopen)
+ AC_CHECK_FUNCS(pam_start)
+ if test "x$ac_cv_func_pam_start" = xno ; then
+ AC_CHECK_LIB(pam,pam_start)
+ unset ac_cv_func_pam_start
+ unset ac_cv_func_pam_getenvlist
+ AC_CHECK_FUNCS(pam_start pam_getenvlist)
+ if test "x$ac_cv_func_pam_start" = xyes ; then
+ PAM_LIBS="$LIBS"
+ else
+ if test "$withpam" = auto ; then
+ AC_MSG_RESULT([Unable to locate libpam.])
+ withpam=no
+ else
+ AC_MSG_ERROR([Unable to locate libpam.])
+ fi
+ fi
+ fi
+ fi
+ if test "$withpam" != no ; then
+ AC_MSG_NOTICE([building with PAM support])
+ AC_DEFINE(USE_PAM,1,[Define if Kerberos-aware tools should support PAM])
+ AC_DEFINE_UNQUOTED(KSU_PAM_SERVICE,"$withksupamservice",
+ [Define to the name of the PAM service name to be used by ksu.])
+ PAM_LIBS="$LIBS"
+ NON_PAM_MAN=".\\\" "
+ PAM_MAN=
+ else
+ PAM_MAN=".\\\" "
+ NON_PAM_MAN=
+ fi
+fi
+LIBS="$old_LIBS"
+AC_SUBST(PAM_LIBS)
+AC_SUBST(PAM_MAN)
+AC_SUBST(NON_PAM_MAN)
+])dnl
diff -up krb5-1.8/src/clients/ksu/main.c.pam krb5-1.8/src/clients/ksu/main.c
--- krb5-1.8/src/clients/ksu/main.c.pam 2009-11-02 22:27:56.000000000 -0500
+++ krb5-1.8/src/clients/ksu/main.c 2010-03-05 10:48:08.000000000 -0500
@@ -26,6 +26,7 @@
* KSU was writen by: Ari Medvinsky, ari@isi.edu
*/
+#include "autoconf.h"
#include "ksu.h"
#include "adm_proto.h"
#include <sys/types.h>
@@ -33,6 +34,10 @@
#include <signal.h>
#include <grp.h>
+#ifdef USE_PAM
+#include "pam.h"
+#endif
+
/* globals */
char * prog_name;
int auth_debug =0;
@@ -40,6 +45,7 @@ char k5login_path[MAXPATHLEN];
char k5users_path[MAXPATHLEN];
char * gb_err = NULL;
int quiet = 0;
+int force_fork = 0;
/***********/
#define _DEF_CSH "/bin/csh"
@@ -586,6 +592,25 @@ main (argc, argv)
prog_name,target_user,client_name,
source_user,ontty());
+#ifdef USE_PAM
+ if (appl_pam_enabled(ksu_context, "ksu")) {
+ if (appl_pam_acct_mgmt(KSU_PAM_SERVICE, 1, target_user, NULL,
+ NULL, source_user,
+ ttyname(STDERR_FILENO)) != 0) {
+ fprintf(stderr, "Access denied for %s.\n", target_user);
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+ if (appl_pam_requires_chauthtok()) {
+ fprintf(stderr, "Password change required for %s.\n",
+ target_user);
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+ force_fork++;
+ }
+#endif
+
/* Run authorization as target.*/
if (krb5_seteuid(target_uid)) {
com_err(prog_name, errno, "while switching to target for authorization check");
@@ -792,7 +817,7 @@ main (argc, argv)
fprintf(stderr, "program to be execed %s\n",params[0]);
}
- if( keep_target_cache ) {
+ if( keep_target_cache && !force_fork ) {
execv(params[0], params);
com_err(prog_name, errno, "while trying to execv %s",
params[0]);
@@ -800,6 +825,33 @@ main (argc, argv)
exit(1);
}else{
statusp = 1;
+
+#ifdef USE_PAM
+ if (appl_pam_enabled(ksu_context, "ksu")) {
+ if (appl_pam_session_open() != 0) {
+ fprintf(stderr, "Error opening session for %s.\n", target_user);
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+#ifdef DEBUG
+ if (auth_debug){
+ printf(" Opened PAM session.\n");
+ }
+#endif
+ if (appl_pam_cred_init()) {
+ fprintf(stderr, "Error initializing credentials for %s.\n",
+ target_user);
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+#ifdef DEBUG
+ if (auth_debug){
+ printf(" Initialized PAM credentials.\n");
+ }
+#endif
+ }
+#endif
+
switch ((child_pid = fork())) {
default:
if (auth_debug){
@@ -823,15 +875,34 @@ main (argc, argv)
if (ret_pid == -1) {
com_err(prog_name, errno, "while calling waitpid");
}
- sweep_up(ksu_context, cc_target);
+ if( !keep_target_cache ) {
+ sweep_up(ksu_context, cc_target);
+ }
exit (statusp);
case -1:
com_err(prog_name, errno, "while trying to fork.");
sweep_up(ksu_context, cc_target);
exit (1);
case 0:
+#ifdef USE_PAM
+ if (appl_pam_enabled(ksu_context, "ksu")) {
+ if (appl_pam_setenv() != 0) {
+ fprintf(stderr, "Error setting up environment for %s.\n",
+ target_user);
+ exit (1);
+ }
+#ifdef DEBUG
+ if (auth_debug){
+ printf(" Set up PAM environment.\n");
+ }
+#endif
+ }
+#endif
execv(params[0], params);
com_err(prog_name, errno, "while trying to execv %s", params[0]);
+ if( keep_target_cache ) {
+ sweep_up(ksu_context, cc_target);
+ }
exit (1);
}
}
diff -up krb5-1.8/src/clients/ksu/Makefile.in.pam krb5-1.8/src/clients/ksu/Makefile.in
--- krb5-1.8/src/clients/ksu/Makefile.in.pam 2009-11-22 13:13:29.000000000 -0500
+++ krb5-1.8/src/clients/ksu/Makefile.in 2010-03-05 11:55:14.000000000 -0500
@@ -7,12 +7,14 @@
PROG_RPATH=$(KRB5_LIBDIR)
KSU_LIBS=@KSU_LIBS@
+PAM_LIBS=@PAM_LIBS@
SRCS = \
$(srcdir)/krb_auth_su.c \
$(srcdir)/ccache.c \
$(srcdir)/authorization.c \
$(srcdir)/main.c \
+ $(srcdir)/pam.c \
$(srcdir)/heuristic.c \
$(srcdir)/xmalloc.c \
$(srcdir)/setenv.c
@@ -21,13 +23,17 @@ OBJS = \
ccache.o \
authorization.o \
main.o \
+ pam.o \
heuristic.o \
xmalloc.o @SETENVOBJ@
all:: ksu
ksu: $(OBJS) $(KRB5_BASE_DEPLIBS)
- $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS)
+ $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS) $(PAM_LIBS)
+
+pam.o: pam.c
+ $(CC) $(ALL_CFLAGS) -c $<
clean::
$(RM) ksu
diff -up krb5-1.8/src/clients/ksu/pam.c.pam krb5-1.8/src/clients/ksu/pam.c
--- krb5-1.8/src/clients/ksu/pam.c.pam 2010-03-05 10:48:08.000000000 -0500
+++ krb5-1.8/src/clients/ksu/pam.c 2010-03-05 10:48:08.000000000 -0500
@@ -0,0 +1,389 @@
+/*
+ * src/clients/ksu/pam.c
+ *
+ * Copyright 2007,2009,2010 Red Hat, Inc.
+ *
+ * All Rights Reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * Redistributions of source code must retain the above copyright notice, this
+ * list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * Neither the name of Red Hat, Inc. nor the names of its contributors may be
+ * used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * Convenience wrappers for using PAM.
+ */
+
+#include "autoconf.h"
+#ifdef USE_PAM
+#include <sys/types.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include "k5-int.h"
+#include "pam.h"
+
+#ifndef MAXPWSIZE
+#define MAXPWSIZE 128
+#endif
+
+static int appl_pam_started;
+static pid_t appl_pam_starter = -1;
+static int appl_pam_session_opened;
+static int appl_pam_creds_initialized;
+static int appl_pam_pwchange_required;
+static pam_handle_t *appl_pamh;
+static struct pam_conv appl_pam_conv;
+static char *appl_pam_user;
+struct appl_pam_non_interactive_args {
+ const char *user;
+ const char *password;
+};
+
+int
+appl_pam_enabled(krb5_context context, const char *section)
+{
+ int enabled = 1;
+ if ((context != NULL) && (context->profile != NULL)) {
+ if (profile_get_boolean(context->profile,
+ section,
+ USE_PAM_CONFIGURATION_KEYWORD,
+ NULL,
+ enabled, &enabled) != 0) {
+ enabled = 1;
+ }
+ }
+ return enabled;
+}
+
+void
+appl_pam_cleanup(void)
+{
+ if (getpid() != appl_pam_starter) {
+ return;
+ }
+#ifdef DEBUG
+ printf("Called to clean up PAM.\n");
+#endif
+ if (appl_pam_creds_initialized) {
+#ifdef DEBUG
+ printf("Deleting PAM credentials.\n");
+#endif
+ pam_setcred(appl_pamh, PAM_DELETE_CRED);
+ appl_pam_creds_initialized = 0;
+ }
+ if (appl_pam_session_opened) {
+#ifdef DEBUG
+ printf("Closing PAM session.\n");
+#endif
+ pam_close_session(appl_pamh, 0);
+ appl_pam_session_opened = 0;
+ }
+ appl_pam_pwchange_required = 0;
+ if (appl_pam_started) {
+#ifdef DEBUG
+ printf("Shutting down PAM.\n");
+#endif
+ pam_end(appl_pamh, 0);
+ appl_pam_started = 0;
+ appl_pam_starter = -1;
+ free(appl_pam_user);
+ appl_pam_user = NULL;
+ }
+}
+static int
+appl_pam_interactive_converse(int num_msg, const struct pam_message **msg,
+ struct pam_response **presp, void *appdata_ptr)
+{
+ const struct pam_message *message;
+ struct pam_response *resp;
+ int i, code;
+ char *pwstring, pwbuf[MAXPWSIZE];
+ unsigned int pwsize;
+ resp = malloc(sizeof(struct pam_response) * num_msg);
+ if (resp == NULL) {
+ return PAM_BUF_ERR;
+ }
+ memset(resp, 0, sizeof(struct pam_response) * num_msg);
+ code = PAM_SUCCESS;
+ for (i = 0; i < num_msg; i++) {
+ message = &(msg[0][i]); /* XXX */
+ message = msg[i]; /* XXX */
+ pwstring = NULL;
+ switch (message->msg_style) {
+ case PAM_TEXT_INFO:
+ case PAM_ERROR_MSG:
+ printf("[%s]\n", message->msg ? message->msg : "");
+ fflush(stdout);
+ resp[i].resp = NULL;
+ resp[i].resp_retcode = PAM_SUCCESS;
+ break;
+ case PAM_PROMPT_ECHO_ON:
+ case PAM_PROMPT_ECHO_OFF:
+ if (message->msg_style == PAM_PROMPT_ECHO_ON) {
+ if (fgets(pwbuf, sizeof(pwbuf),
+ stdin) != NULL) {
+ pwbuf[strcspn(pwbuf, "\r\n")] = '\0';
+ pwstring = pwbuf;
+ }
+ } else {
+ pwstring = getpass(message->msg ?
+ message->msg :
+ "");
+ }
+ if ((pwstring != NULL) && (pwstring[0] != '\0')) {
+ pwsize = strlen(pwstring);
+ resp[i].resp = malloc(pwsize + 1);
+ if (resp[i].resp == NULL) {
+ resp[i].resp_retcode = PAM_BUF_ERR;
+ } else {
+ memcpy(resp[i].resp, pwstring, pwsize);
+ resp[i].resp[pwsize] = '\0';
+ resp[i].resp_retcode = PAM_SUCCESS;
+ }
+ } else {
+ resp[i].resp_retcode = PAM_CONV_ERR;
+ code = PAM_CONV_ERR;
+ }
+ break;
+ default:
+ break;
+ }
+ }
+ *presp = resp;
+ return code;
+}
+static int
+appl_pam_non_interactive_converse(int num_msg,
+ const struct pam_message **msg,
+ struct pam_response **presp,
+ void *appdata_ptr)
+{
+ const struct pam_message *message;
+ struct pam_response *resp;
+ int i, code;
+ unsigned int pwsize;
+ struct appl_pam_non_interactive_args *args;
+ const char *pwstring;
+ resp = malloc(sizeof(struct pam_response) * num_msg);
+ if (resp == NULL) {
+ return PAM_BUF_ERR;
+ }
+ args = appdata_ptr;
+ memset(resp, 0, sizeof(struct pam_response) * num_msg);
+ code = PAM_SUCCESS;
+ for (i = 0; i < num_msg; i++) {
+ message = &((*msg)[i]);
+ message = msg[i];
+ pwstring = NULL;
+ switch (message->msg_style) {
+ case PAM_TEXT_INFO:
+ case PAM_ERROR_MSG:
+ break;
+ case PAM_PROMPT_ECHO_ON:
+ case PAM_PROMPT_ECHO_OFF:
+ if (message->msg_style == PAM_PROMPT_ECHO_ON) {
+ /* assume "user" */
+ pwstring = args->user;
+ } else {
+ /* assume "password" */
+ pwstring = args->password;
+ }
+ if ((pwstring != NULL) && (pwstring[0] != '\0')) {
+ pwsize = strlen(pwstring);
+ resp[i].resp = malloc(pwsize + 1);
+ if (resp[i].resp == NULL) {
+ resp[i].resp_retcode = PAM_BUF_ERR;
+ } else {
+ memcpy(resp[i].resp, pwstring, pwsize);
+ resp[i].resp[pwsize] = '\0';
+ resp[i].resp_retcode = PAM_SUCCESS;
+ }
+ } else {
+ resp[i].resp_retcode = PAM_CONV_ERR;
+ code = PAM_CONV_ERR;
+ }
+ break;
+ default:
+ break;
+ }
+ }
+ *presp = resp;
+ return code;
+}
+static int
+appl_pam_start(const char *service, int interactive,
+ const char *login_username,
+ const char *non_interactive_password,
+ const char *hostname,
+ const char *ruser,
+ const char *tty)
+{
+ static int exit_handler_registered;
+ static struct appl_pam_non_interactive_args args;
+ int ret = 0;
+ if (appl_pam_started &&
+ (strcmp(login_username, appl_pam_user) != 0)) {
+ appl_pam_cleanup();
+ appl_pam_user = NULL;
+ }
+ if (!appl_pam_started) {
+#ifdef DEBUG
+ printf("Starting PAM up (service=\"%s\",user=\"%s\").\n",
+ service, login_username);
+#endif
+ memset(&appl_pam_conv, 0, sizeof(appl_pam_conv));
+ appl_pam_conv.conv = interactive ?
+ &appl_pam_interactive_converse :
+ &appl_pam_non_interactive_converse;
+ memset(&args, 0, sizeof(args));
+ args.user = strdup(login_username);
+ args.password = non_interactive_password ?
+ strdup(non_interactive_password) :
+ NULL;
+ appl_pam_conv.appdata_ptr = &args;
+ ret = pam_start(service, login_username,
+ &appl_pam_conv, &appl_pamh);
+ if (ret == 0) {
+ if (hostname != NULL) {
+#ifdef DEBUG
+ printf("Setting PAM_RHOST to \"%s\".\n", hostname);
+#endif
+ pam_set_item(appl_pamh, PAM_RHOST, hostname);
+ }
+ if (ruser != NULL) {
+#ifdef DEBUG
+ printf("Setting PAM_RUSER to \"%s\".\n", ruser);
+#endif
+ pam_set_item(appl_pamh, PAM_RUSER, ruser);
+ }
+ if (tty != NULL) {
+#ifdef DEBUG
+ printf("Setting PAM_TTY to \"%s\".\n", tty);
+#endif
+ pam_set_item(appl_pamh, PAM_TTY, tty);
+ }
+ if (!exit_handler_registered &&
+ (atexit(appl_pam_cleanup) != 0)) {
+ pam_end(appl_pamh, 0);
+ appl_pamh = NULL;
+ ret = -1;
+ } else {
+ appl_pam_started = 1;
+ appl_pam_starter = getpid();
+ appl_pam_user = strdup(login_username);
+ exit_handler_registered = 1;
+ }
+ }
+ }
+ return ret;
+}
+int
+appl_pam_acct_mgmt(const char *service, int interactive,
+ const char *login_username,
+ const char *non_interactive_password,
+ const char *hostname,
+ const char *ruser,
+ const char *tty)
+{
+ int ret;
+ appl_pam_pwchange_required = 0;
+ ret = appl_pam_start(service, interactive, login_username,
+ non_interactive_password, hostname, ruser, tty);
+ if (ret == 0) {
+#ifdef DEBUG
+ printf("Calling pam_acct_mgmt().\n");
+#endif
+ ret = pam_acct_mgmt(appl_pamh, 0);
+ switch (ret) {
+ case PAM_IGNORE:
+ ret = 0;
+ break;
+ case PAM_NEW_AUTHTOK_REQD:
+ appl_pam_pwchange_required = 1;
+ ret = 0;
+ break;
+ default:
+ break;
+ }
+ }
+ return ret;
+}
+int
+appl_pam_requires_chauthtok(void)
+{
+ return appl_pam_pwchange_required;
+}
+int
+appl_pam_session_open(void)
+{
+ int ret = 0;
+ if (appl_pam_started) {
+#ifdef DEBUG
+ printf("Opening PAM session.\n");
+#endif
+ ret = pam_open_session(appl_pamh, 0);
+ if (ret == 0) {
+ appl_pam_session_opened = 1;
+ }
+ }
+ return ret;
+}
+int
+appl_pam_setenv(void)
+{
+ int ret = 0;
+#ifdef HAVE_PAM_GETENVLIST
+#ifdef HAVE_PUTENV
+ int i;
+ char **list;
+ if (appl_pam_started) {
+ list = pam_getenvlist(appl_pamh);
+ for (i = 0; ((list != NULL) && (list[i] != NULL)); i++) {
+#ifdef DEBUG
+ printf("Setting \"%s\" in environment.\n", list[i]);
+#endif
+ putenv(list[i]);
+ }
+ }
+#endif
+#endif
+ return ret;
+}
+int
+appl_pam_cred_init(void)
+{
+ int ret = 0;
+ if (appl_pam_started) {
+#ifdef DEBUG
+ printf("Initializing PAM credentials.\n");
+#endif
+ ret = pam_setcred(appl_pamh, PAM_ESTABLISH_CRED);
+ if (ret == 0) {
+ appl_pam_creds_initialized = 1;
+ }
+ }
+ return ret;
+}
+#endif
diff -up krb5-1.8/src/clients/ksu/pam.h.pam krb5-1.8/src/clients/ksu/pam.h
--- krb5-1.8/src/clients/ksu/pam.h.pam 2010-03-05 10:48:08.000000000 -0500
+++ krb5-1.8/src/clients/ksu/pam.h 2010-03-05 10:48:08.000000000 -0500
@@ -0,0 +1,57 @@
+/*
+ * src/clients/ksu/pam.h
+ *
+ * Copyright 2007,2009,2010 Red Hat, Inc.
+ *
+ * All Rights Reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * Redistributions of source code must retain the above copyright notice, this
+ * list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * Neither the name of Red Hat, Inc. nor the names of its contributors may be
+ * used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * Convenience wrappers for using PAM.
+ */
+
+#include <krb5.h>
+#ifdef HAVE_SECURITY_PAM_APPL_H
+#include <security/pam_appl.h>
+#endif
+
+#define USE_PAM_CONFIGURATION_KEYWORD "use_pam"
+
+#ifdef USE_PAM
+int appl_pam_enabled(krb5_context context, const char *section);
+int appl_pam_acct_mgmt(const char *service, int interactive,
+ const char *local_username,
+ const char *non_interactive_password,
+ const char *hostname,
+ const char *ruser,
+ const char *tty);
+int appl_pam_requires_chauthtok(void);
+int appl_pam_session_open(void);
+int appl_pam_setenv(void);
+int appl_pam_cred_init(void);
+void appl_pam_cleanup(void);
+#endif
diff -up krb5-1.8/src/configure.in.pam krb5-1.8/src/configure.in
--- krb5-1.8/src/configure.in.pam 2009-12-31 18:13:56.000000000 -0500
+++ krb5-1.8/src/configure.in 2010-03-05 10:48:08.000000000 -0500
@@ -1051,6 +1051,8 @@ if test "$ac_cv_lib_socket" = "yes" -a "
AC_DEFINE(BROKEN_STREAMS_SOCKETS,1,[Define if socket can't be bound to 0.0.0.0])
fi
+KRB5_WITH_PAM
+
AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config])
V5_AC_OUTPUT_MAKEFILE(.
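Review bot: In `appl_pam_interactive_converse` (pam.c) the PAM_PROMPT_ECHO_ON branch reads a line with `fgets()` without ever displaying `message->msg`, so a module asking for a username or a one-time code leaves the user at a silent terminal; the ECHO_OFF branch only gets its prompt because `getpass()` prints it. Adding `fputs(message->msg ? message->msg : "", stdout); fflush(stdout);` before the `fgets()` call fixes that. Two smaller points in the same file: the secret copied out of `getpass()`'s static buffer is left behind there after the copy (a `memset(pwstring, 0, pwsize);` after the memcpy costs nothing), and the dead `message = &(msg[0][i]); /* XXX */` assignment immediately overwritten by `message = msg[i];` should be dropped or replaced by a comment stating that the Linux-PAM array-of-pointers convention is assumed. `appl_pam_cleanup()` also always passes 0 to `pam_end()` rather than the last PAM status it received, which modules may consult.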

@ -31,9 +31,9 @@ The selabel APIs for looking up the context should be thread-safe (per
Red Hat #273081), so switching to using them instead of matchpathcon(),
which we used earlier, is some improvement.
diff -up krb5-1.7/src/aclocal.m4 krb5-1.7/src/aclocal.m4
--- krb5-1.7/src/aclocal.m4 2009-06-04 13:47:20.000000000 -0400
+++ krb5-1.7/src/aclocal.m4 2009-06-04 13:47:20.000000000 -0400
diff -up krb5-1.8/src/aclocal.m4.selinux-label krb5-1.8/src/aclocal.m4
--- krb5-1.8/src/aclocal.m4.selinux-label 2010-03-05 10:57:23.000000000 -0500
+++ krb5-1.8/src/aclocal.m4 2010-03-05 10:57:23.000000000 -0500
@@ -103,6 +103,7 @@ AC_SUBST_FILE(libnodeps_frag)
dnl
KRB5_AC_PRAGMA_WEAK_REF
@ -42,7 +42,7 @@ diff -up krb5-1.7/src/aclocal.m4 krb5-1.7/src/aclocal.m4
KRB5_LIB_PARAMS
KRB5_AC_INITFINI
KRB5_AC_ENABLE_THREADS
@@ -1876,3 +1877,53 @@ AC_SUBST(PAM_LIBS)
@@ -1791,3 +1792,53 @@ AC_SUBST(manlocalstatedir)
AC_SUBST(manlibexecdir)
AC_CONFIG_FILES($1)
])
@ -96,51 +96,18 @@ diff -up krb5-1.7/src/aclocal.m4 krb5-1.7/src/aclocal.m4
+LIBS="$old_LIBS"
+AC_SUBST(SELINUX_LIBS)
+])dnl
diff -up krb5-1.7/src/appl/bsd/configure.in krb5-1.7/src/appl/bsd/configure.in
--- krb5-1.7/src/appl/bsd/configure.in 2009-06-04 13:47:20.000000000 -0400
+++ krb5-1.7/src/appl/bsd/configure.in 2009-06-04 13:47:20.000000000 -0400
@@ -25,6 +25,7 @@ AC_CHECK_LIB(odm,main,
LOGINLIBS="$LOGINLIBS -lodm -ls -lcfg"
)))
KRB5_WITH_PAM
+KRB5_WITH_SELINUX
dnl
dnl Make our operating system-specific security checks and definitions for
dnl login.
diff -up krb5-1.7/src/appl/gssftp/configure.in krb5-1.7/src/appl/gssftp/configure.in
--- krb5-1.7/src/appl/gssftp/configure.in 2009-06-04 13:47:20.000000000 -0400
+++ krb5-1.7/src/appl/gssftp/configure.in 2009-06-04 13:47:20.000000000 -0400
@@ -18,6 +18,7 @@ AC_REPLACE_FUNCS(getdtablesize)
AC_CHECK_FUNCS(getcwd getdtablesize getusershell seteuid setreuid setresuid strerror getenv)
AC_CHECK_LIB(crypt,crypt) dnl
KRB5_WITH_PAM
+KRB5_WITH_SELINUX
KRB5_AC_LIBUTIL
dnl
dnl copied from appl/bsd/configure.in
diff -up krb5-1.7/src/appl/telnet/configure.in krb5-1.7/src/appl/telnet/configure.in
--- krb5-1.7/src/appl/telnet/configure.in 2008-12-15 15:31:53.000000000 -0500
+++ krb5-1.7/src/appl/telnet/configure.in 2009-06-04 13:47:20.000000000 -0400
@@ -151,6 +151,7 @@ AC_MSG_RESULT($krb5_cv_sys_setpgrp_two)
if test $krb5_cv_sys_setpgrp_two = yes; then
AC_DEFINE(SETPGRP_TWOARG,1,[Define if setpgrp takes two arguments])
fi
+KRB5_WITH_SELINUX
dnl
KRB5_NEED_PROTO([#include <stdlib.h>],unsetenv,1)
dnl KRB5_NEED_PROTO([#include <stdlib.h>],setenv,1)
diff -up krb5-1.7/src/config/pre.in krb5-1.7/src/config/pre.in
--- krb5-1.7/src/config/pre.in 2009-06-04 13:47:20.000000000 -0400
+++ krb5-1.7/src/config/pre.in 2009-06-04 13:47:20.000000000 -0400
@@ -182,6 +182,7 @@ LD_SHLIBDIR_PREFIX = @LD_SHLIBDIR_PREFIX
diff -up krb5-1.8/src/config/pre.in.selinux-label krb5-1.8/src/config/pre.in
--- krb5-1.8/src/config/pre.in.selinux-label 2010-03-05 10:57:23.000000000 -0500
+++ krb5-1.8/src/config/pre.in 2010-03-05 10:57:23.000000000 -0500
@@ -180,6 +180,7 @@ LD_UNRESOLVED_PREFIX = @LD_UNRESOLVED_PREFIX@
LD_SHLIBDIR_PREFIX = @LD_SHLIBDIR_PREFIX@
LDARGS = @LDARGS@
LIBS = @LIBS@
PAM_LIBS = @PAM_LIBS@
+SELINUX_LIBS=@SELINUX_LIBS@
INSTALL=@INSTALL@
INSTALL_STRIP=
@@ -382,7 +383,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME)
@@ -379,7 +380,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME)
# HESIOD_LIBS is -lhesiod...
HESIOD_LIBS = @HESIOD_LIBS@
@ -149,10 +116,10 @@ diff -up krb5-1.7/src/config/pre.in krb5-1.7/src/config/pre.in
KDB5_LIBS = $(KDB5_LIB) $(GSSRPC_LIBS)
GSS_LIBS = $(GSS_KRB5_LIB)
# needs fixing if ever used on Mac OS X!
diff -up krb5-1.7/src/configure.in krb5-1.7/src/configure.in
--- krb5-1.7/src/configure.in 2009-06-04 13:47:20.000000000 -0400
+++ krb5-1.7/src/configure.in 2009-06-04 13:47:20.000000000 -0400
@@ -1042,6 +1042,8 @@ AC_CONFIG_SUBDIRS(appl/libpty appl/bsd a
diff -up krb5-1.8/src/configure.in.selinux-label krb5-1.8/src/configure.in
--- krb5-1.8/src/configure.in.selinux-label 2010-03-05 10:57:23.000000000 -0500
+++ krb5-1.8/src/configure.in 2010-03-05 10:57:23.000000000 -0500
@@ -1053,6 +1053,8 @@ fi
KRB5_WITH_PAM
@ -161,47 +128,10 @@ diff -up krb5-1.7/src/configure.in krb5-1.7/src/configure.in
AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config])
V5_AC_OUTPUT_MANPAGE([
diff -up krb5-1.7/src/include/autoconf.h.in krb5-1.7/src/include/autoconf.h.in
--- krb5-1.7/src/include/autoconf.h.in 2009-06-01 20:58:35.000000000 -0400
+++ krb5-1.7/src/include/autoconf.h.in 2009-06-04 13:47:20.000000000 -0400
@@ -389,6 +389,12 @@
/* Define to 1 if you have the `sched_yield' function. */
#undef HAVE_SCHED_YIELD
+/* Define to 1 if you have the <selinux/label.h> header file. */
+#undef HAVE_SELINUX_LABEL_H
+
+/* Define to 1 if you have the <selinux/selinux.h> header file. */
+#undef HAVE_SELINUX_SELINUX_H
+
/* Define to 1 if you have the <semaphore.h> header file. */
#undef HAVE_SEMAPHORE_H
@@ -401,6 +407,9 @@
/* Define to 1 if you have the `setegid' function. */
#undef HAVE_SETEGID
+/* Define to 1 if you have the `setfscreatecon' function. */
+#undef HAVE_SETFSCREATECON
+
/* Define to 1 if you have the `setenv' function. */
#undef HAVE_SETENV
@@ -768,6 +777,10 @@
/* Define if the KDC should use a replay cache */
#undef USE_RCACHE
+/* Define if Kerberos-aware tools should set SELinux file contexts when
+ creating files. */
+#undef USE_SELINUX
+
/* Define if sigprocmask should be used */
#undef USE_SIGPROCMASK
diff -up krb5-1.7/src/include/k5-int.h krb5-1.7/src/include/k5-int.h
--- krb5-1.7/src/include/k5-int.h 2009-05-11 16:56:53.000000000 -0400
+++ krb5-1.7/src/include/k5-int.h 2009-06-04 13:47:20.000000000 -0400
@@ -132,6 +132,7 @@ typedef unsigned char u_char;
diff -up krb5-1.8/src/include/k5-int.h.selinux-label krb5-1.8/src/include/k5-int.h
--- krb5-1.8/src/include/k5-int.h.selinux-label 2010-01-04 14:59:16.000000000 -0500
+++ krb5-1.8/src/include/k5-int.h 2010-03-05 10:57:23.000000000 -0500
@@ -133,6 +133,7 @@ typedef unsigned char u_char;
typedef UINT64_TYPE krb5_ui_8;
typedef INT64_TYPE krb5_int64;
@ -209,16 +139,19 @@ diff -up krb5-1.7/src/include/k5-int.h krb5-1.7/src/include/k5-int.h
#define DEFAULT_PWD_STRING1 "Enter password"
#define DEFAULT_PWD_STRING2 "Re-enter password for verification"
diff -up /dev/null krb5-1.7/src/include/k5-label.h
--- /dev/null 2009-06-04 10:34:55.169007373 -0400
+++ krb5-1.7/src/include/k5-label.h 2009-06-04 13:47:20.000000000 -0400
@@ -0,0 +1,27 @@
diff -up krb5-1.8/src/include/k5-label.h.selinux-label krb5-1.8/src/include/k5-label.h
--- krb5-1.8/src/include/k5-label.h.selinux-label 2010-03-05 10:57:23.000000000 -0500
+++ krb5-1.8/src/include/k5-label.h 2010-03-05 10:57:23.000000000 -0500
@@ -0,0 +1,30 @@
+#ifndef _KRB5_LABEL_H
+#define _KRB5_LABEL_H
+
+#ifdef THREEPARAMOPEN
+#undef THREEPARAMOPEN
+#endif
+#ifdef WRITABLEFOPEN
+#undef WRITABLEFOPEN
+#endif
+
+/* Wrapper functions which help us create files and directories with the right
+ * context labels. */
@ -240,9 +173,9 @@ diff -up /dev/null krb5-1.7/src/include/k5-label.h
+#define THREEPARAMOPEN(x,y,z) open(x,y,z)
+#endif
+#endif
diff -up krb5-1.7/src/include/krb5/krb5.hin krb5-1.7/src/include/krb5/krb5.hin
--- krb5-1.7/src/include/krb5/krb5.hin 2009-04-15 16:07:03.000000000 -0400
+++ krb5-1.7/src/include/krb5/krb5.hin 2009-06-04 13:47:20.000000000 -0400
diff -up krb5-1.8/src/include/krb5/krb5.hin.selinux-label krb5-1.8/src/include/krb5/krb5.hin
--- krb5-1.8/src/include/krb5/krb5.hin.selinux-label 2010-01-21 17:49:07.000000000 -0500
+++ krb5-1.8/src/include/krb5/krb5.hin 2010-03-05 10:57:23.000000000 -0500
@@ -87,6 +87,12 @@
#define THREEPARAMOPEN(x,y,z) open(x,y,z)
#endif
@ -256,21 +189,21 @@ diff -up krb5-1.7/src/include/krb5/krb5.hin krb5-1.7/src/include/krb5/krb5.hin
#define KRB5_OLD_CRYPTO
#include <stdlib.h>
diff -up krb5-1.7/src/kadmin/dbutil/dump.c krb5-1.7/src/kadmin/dbutil/dump.c
--- krb5-1.7/src/kadmin/dbutil/dump.c 2009-01-30 18:55:14.000000000 -0500
+++ krb5-1.7/src/kadmin/dbutil/dump.c 2009-06-04 13:47:20.000000000 -0400
@@ -1219,7 +1219,7 @@ dump_db(argc, argv)
* want to get into.
*/
unlink(ofile);
- if (!(f = fopen(ofile, "w"))) {
+ if (!(f = WRITABLEFOPEN(ofile, "w"))) {
fprintf(stderr, ofopen_error,
progname, ofile, error_message(errno));
exit_status++;
diff -up krb5-1.7/src/krb5-config.in krb5-1.7/src/krb5-config.in
--- krb5-1.7/src/krb5-config.in 2008-12-18 13:31:16.000000000 -0500
+++ krb5-1.7/src/krb5-config.in 2009-06-04 13:47:20.000000000 -0400
diff -up krb5-1.8/src/kadmin/dbutil/dump.c.selinux-label krb5-1.8/src/kadmin/dbutil/dump.c
--- krb5-1.8/src/kadmin/dbutil/dump.c.selinux-label 2009-10-30 20:48:38.000000000 -0400
+++ krb5-1.8/src/kadmin/dbutil/dump.c 2010-03-05 10:57:23.000000000 -0500
@@ -1274,7 +1274,7 @@ dump_db(argc, argv)
* want to get into.
*/
unlink(ofile);
- if (!(f = fopen(ofile, "w"))) {
+ if (!(f = WRITABLEFOPEN(ofile, "w"))) {
fprintf(stderr, ofopen_error,
progname, ofile, error_message(errno));
exit_status++;
diff -up krb5-1.8/src/krb5-config.in.selinux-label krb5-1.8/src/krb5-config.in
--- krb5-1.8/src/krb5-config.in.selinux-label 2010-01-21 17:49:01.000000000 -0500
+++ krb5-1.8/src/krb5-config.in 2010-03-05 10:57:23.000000000 -0500
@@ -38,6 +38,7 @@ RPATH_FLAG='@RPATH_FLAG@'
PROG_RPATH_FLAGS='@PROG_RPATH_FLAGS@'
PTHREAD_CFLAGS='@PTHREAD_CFLAGS@'
@ -288,95 +221,95 @@ diff -up krb5-1.7/src/krb5-config.in krb5-1.7/src/krb5-config.in
fi
echo $lib_flags
diff -up krb5-1.7/src/lib/kadm5/logger.c krb5-1.7/src/lib/kadm5/logger.c
--- krb5-1.7/src/lib/kadm5/logger.c 2008-12-29 18:01:15.000000000 -0500
+++ krb5-1.7/src/lib/kadm5/logger.c 2009-06-04 13:47:20.000000000 -0400
@@ -421,7 +421,7 @@ krb5_klog_init(krb5_context kcontext, ch
* Check for append/overwrite, then open the file.
*/
if (cp[4] == ':' || cp[4] == '=') {
- f = fopen(&cp[5], (cp[4] == ':') ? "a" : "w");
+ f = WRITABLEFOPEN(&cp[5], (cp[4] == ':') ? "a" : "w");
if (f) {
set_cloexec_file(f);
log_control.log_entries[i].lfu_filep = f;
@@ -954,7 +954,7 @@ krb5_klog_reopen(krb5_context kcontext)
* In case the old logfile did not get moved out of the
* way, open for append to prevent squashing the old logs.
*/
- f = fopen(log_control.log_entries[lindex].lfu_fname, "a+");
+ f = WRITABLEFOPEN(log_control.log_entries[lindex].lfu_fname, "a+");
if (f) {
set_cloexec_file(f);
log_control.log_entries[lindex].lfu_filep = f;
diff -up krb5-1.7/src/lib/krb5/keytab/kt_file.c krb5-1.7/src/lib/krb5/keytab/kt_file.c
--- krb5-1.7/src/lib/krb5/keytab/kt_file.c 2009-05-11 16:55:22.000000000 -0400
+++ krb5-1.7/src/lib/krb5/keytab/kt_file.c 2009-06-04 13:47:20.000000000 -0400
@@ -1094,7 +1094,7 @@ krb5_ktfileint_open(krb5_context context
diff -up krb5-1.8/src/lib/kadm5/logger.c.selinux-label krb5-1.8/src/lib/kadm5/logger.c
--- krb5-1.8/src/lib/kadm5/logger.c.selinux-label 2009-12-28 21:42:51.000000000 -0500
+++ krb5-1.8/src/lib/kadm5/logger.c 2010-03-05 10:57:23.000000000 -0500
@@ -425,7 +425,7 @@ krb5_klog_init(krb5_context kcontext, ch
* Check for append/overwrite, then open the file.
*/
if (cp[4] == ':' || cp[4] == '=') {
- f = fopen(&cp[5], (cp[4] == ':') ? "a" : "w");
+ f = WRITABLEFOPEN(&cp[5], (cp[4] == ':') ? "a" : "w");
if (f) {
set_cloexec_file(f);
log_control.log_entries[i].lfu_filep = f;
@@ -961,7 +961,7 @@ krb5_klog_reopen(krb5_context kcontext)
* In case the old logfile did not get moved out of the
* way, open for append to prevent squashing the old logs.
*/
- f = fopen(log_control.log_entries[lindex].lfu_fname, "a+");
+ f = WRITABLEFOPEN(log_control.log_entries[lindex].lfu_fname, "a+");
if (f) {
set_cloexec_file(f);
log_control.log_entries[lindex].lfu_filep = f;
diff -up krb5-1.8/src/lib/krb5/keytab/kt_file.c.selinux-label krb5-1.8/src/lib/krb5/keytab/kt_file.c
--- krb5-1.8/src/lib/krb5/keytab/kt_file.c.selinux-label 2009-11-10 14:59:39.000000000 -0500
+++ krb5-1.8/src/lib/krb5/keytab/kt_file.c 2010-03-05 10:57:23.000000000 -0500
@@ -1050,7 +1050,7 @@ krb5_ktfileint_open(krb5_context context
KTCHECKLOCK(id);
errno = 0;
- KTFILEP(id) = fopen(KTFILENAME(id),
+ KTFILEP(id) = WRITABLEFOPEN(KTFILENAME(id),
(mode == KRB5_LOCKMODE_EXCLUSIVE) ?
fopen_mode_rbplus : fopen_mode_rb);
(mode == KRB5_LOCKMODE_EXCLUSIVE) ?
fopen_mode_rbplus : fopen_mode_rb);
if (!KTFILEP(id)) {
@@ -1102,7 +1102,7 @@ krb5_ktfileint_open(krb5_context context
/* try making it first time around */
@@ -1058,7 +1058,7 @@ krb5_ktfileint_open(krb5_context context
/* try making it first time around */
krb5_create_secure_file(context, KTFILENAME(id));
errno = 0;
- KTFILEP(id) = fopen(KTFILENAME(id), fopen_mode_rbplus);
+ KTFILEP(id) = WRITABLEFOPEN(KTFILENAME(id), fopen_mode_rbplus);
if (!KTFILEP(id))
goto report_errno;
writevno = 1;
diff -up krb5-1.7/src/plugins/kdb/db2/adb_openclose.c krb5-1.7/src/plugins/kdb/db2/adb_openclose.c
--- krb5-1.7/src/plugins/kdb/db2/adb_openclose.c 2007-10-22 15:18:53.000000000 -0400
+++ krb5-1.7/src/plugins/kdb/db2/adb_openclose.c 2009-06-04 13:47:20.000000000 -0400
@@ -198,7 +198,7 @@ krb5_error_code osa_adb_init_db(osa_adb_
* POSIX systems
*/
lockp->lockinfo.filename = strdup(lockfilename);
- if ((lockp->lockinfo.lockfile = fopen(lockfilename, "r+")) == NULL) {
+ if ((lockp->lockinfo.lockfile = WRITABLEFOPEN(lockfilename, "r+")) == NULL) {
/*
* maybe someone took away write permission so we could only
* get shared locks?
diff -up krb5-1.7/src/plugins/kdb/db2/kdb_db2.c krb5-1.7/src/plugins/kdb/db2/kdb_db2.c
--- krb5-1.7/src/plugins/kdb/db2/kdb_db2.c 2009-01-30 20:07:04.000000000 -0500
+++ krb5-1.7/src/plugins/kdb/db2/kdb_db2.c 2009-06-04 13:47:20.000000000 -0400
@@ -327,8 +327,8 @@ krb5_db2_db_init(krb5_context context)
errno = 0;
- KTFILEP(id) = fopen(KTFILENAME(id), fopen_mode_rbplus);
+ KTFILEP(id) = WRITABLEFOPEN(KTFILENAME(id), fopen_mode_rbplus);
if (!KTFILEP(id))
goto report_errno;
writevno = 1;
diff -up krb5-1.8/src/plugins/kdb/db2/adb_openclose.c.selinux-label krb5-1.8/src/plugins/kdb/db2/adb_openclose.c
--- krb5-1.8/src/plugins/kdb/db2/adb_openclose.c.selinux-label 2009-11-24 18:52:25.000000000 -0500
+++ krb5-1.8/src/plugins/kdb/db2/adb_openclose.c 2010-03-05 10:57:23.000000000 -0500
@@ -201,7 +201,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char
* POSIX systems
*/
lockp->lockinfo.filename = strdup(lockfilename);
- if ((lockp->lockinfo.lockfile = fopen(lockfilename, "r+")) == NULL) {
+ if ((lockp->lockinfo.lockfile = WRITABLEFOPEN(lockfilename, "r+")) == NULL) {
/*
* maybe someone took away write permission so we could only
* get shared locks?
diff -up krb5-1.8/src/plugins/kdb/db2/kdb_db2.c.selinux-label krb5-1.8/src/plugins/kdb/db2/kdb_db2.c
--- krb5-1.8/src/plugins/kdb/db2/kdb_db2.c.selinux-label 2009-11-25 09:36:05.000000000 -0500
+++ krb5-1.8/src/plugins/kdb/db2/kdb_db2.c 2010-03-05 10:57:23.000000000 -0500
@@ -326,8 +326,8 @@ krb5_db2_db_init(krb5_context context)
* should be opened read/write so that write locking can work with
* POSIX systems
*/
- if ((db_ctx->db_lf_file = open(filename, O_RDWR, 0666)) < 0) {
- if ((db_ctx->db_lf_file = open(filename, O_RDONLY, 0666)) < 0) {
- if ((db_ctx->db_lf_file = open(filename, O_RDONLY, 0666)) < 0) {
+ if ((db_ctx->db_lf_file = THREEPARAMOPEN(filename, O_RDWR, 0666)) < 0) {
+ if ((db_ctx->db_lf_file = THREEPARAMOPEN(filename, O_RDONLY, 0666)) < 0) {
retval = errno;
goto err_out;
}
@@ -754,7 +754,7 @@ krb5_db2_db_create(krb5_context context,
+ if ((db_ctx->db_lf_file = THREEPARAMOPEN(filename, O_RDONLY, 0666)) < 0) {
retval = errno;
goto err_out;
}
@@ -745,7 +745,7 @@ krb5_db2_db_create(krb5_context context,
if (!okname)
retval = ENOMEM;
retval = ENOMEM;
else {
- fd = open(okname, O_CREAT | O_RDWR | O_TRUNC, 0600);
+ fd = THREEPARAMOPEN(okname, O_CREAT | O_RDWR | O_TRUNC, 0600);
if (fd < 0)
retval = errno;
else
@@ -1795,7 +1795,7 @@ krb5_db2_db_rename(context, from, to)
retval = ENOMEM;
goto errout;
- fd = open(okname, O_CREAT | O_RDWR | O_TRUNC, 0600);
+ fd = THREEPARAMOPEN(okname, O_CREAT | O_RDWR | O_TRUNC, 0600);
if (fd < 0)
retval = errno;
else
@@ -1925,7 +1925,7 @@ krb5_db2_db_rename(context, from, to, me
retval = ENOMEM;
goto errout;
}
- db_ctx->db_lf_file = open(db_ctx->db_lf_name, O_RDWR|O_CREAT, 0600);
+ db_ctx->db_lf_file = THREEPARAMOPEN(db_ctx->db_lf_name, O_RDWR|O_CREAT, 0600);
if (db_ctx->db_lf_file < 0) {
retval = errno;
goto errout;
diff -up krb5-1.7/src/plugins/kdb/db2/libdb2/btree/bt_open.c krb5-1.7/src/plugins/kdb/db2/libdb2/btree/bt_open.c
--- krb5-1.7/src/plugins/kdb/db2/libdb2/btree/bt_open.c 2007-10-22 15:18:53.000000000 -0400
+++ krb5-1.7/src/plugins/kdb/db2/libdb2/btree/bt_open.c 2009-06-04 13:47:20.000000000 -0400
retval = errno;
goto errout;
diff -up krb5-1.8/src/plugins/kdb/db2/libdb2/btree/bt_open.c.selinux-label krb5-1.8/src/plugins/kdb/db2/libdb2/btree/bt_open.c
--- krb5-1.8/src/plugins/kdb/db2/libdb2/btree/bt_open.c.selinux-label 2009-10-30 20:48:38.000000000 -0400
+++ krb5-1.8/src/plugins/kdb/db2/libdb2/btree/bt_open.c 2010-03-05 10:57:23.000000000 -0500
@@ -60,6 +60,7 @@ static char sccsid[] = "@(#)bt_open.c 8.
#include "k5-platform.h" /* mkstemp? */
@ -388,15 +321,15 @@ diff -up krb5-1.7/src/plugins/kdb/db2/libdb2/btree/bt_open.c krb5-1.7/src/plugin
@@ -203,7 +204,7 @@ __bt_open(fname, flags, mode, openinfo,
goto einval;
}
- if ((t->bt_fd = open(fname, flags | O_BINARY, mode)) < 0)
+ if ((t->bt_fd = THREEPARAMOPEN(fname, flags | O_BINARY, mode)) < 0)
goto err;
} else {
diff -up krb5-1.7/src/plugins/kdb/db2/libdb2/hash/hash.c krb5-1.7/src/plugins/kdb/db2/libdb2/hash/hash.c
--- krb5-1.7/src/plugins/kdb/db2/libdb2/hash/hash.c 2009-01-23 13:04:08.000000000 -0500
+++ krb5-1.7/src/plugins/kdb/db2/libdb2/hash/hash.c 2009-06-04 13:47:20.000000000 -0400
diff -up krb5-1.8/src/plugins/kdb/db2/libdb2/hash/hash.c.selinux-label krb5-1.8/src/plugins/kdb/db2/libdb2/hash/hash.c
--- krb5-1.8/src/plugins/kdb/db2/libdb2/hash/hash.c.selinux-label 2009-10-30 20:48:38.000000000 -0400
+++ krb5-1.8/src/plugins/kdb/db2/libdb2/hash/hash.c 2010-03-05 10:57:23.000000000 -0500
@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)hash.c 8.12
#include <assert.h>
#endif
@ -414,9 +347,9 @@ diff -up krb5-1.7/src/plugins/kdb/db2/libdb2/hash/hash.c krb5-1.7/src/plugins/kd
RETURN_ERROR(errno, error0);
(void)fcntl(hashp->fp, F_SETFD, 1);
}
diff -up krb5-1.7/src/plugins/kdb/db2/libdb2/recno/rec_open.c krb5-1.7/src/plugins/kdb/db2/libdb2/recno/rec_open.c
--- krb5-1.7/src/plugins/kdb/db2/libdb2/recno/rec_open.c 2007-10-22 15:18:53.000000000 -0400
+++ krb5-1.7/src/plugins/kdb/db2/libdb2/recno/rec_open.c 2009-06-04 13:47:20.000000000 -0400
diff -up krb5-1.8/src/plugins/kdb/db2/libdb2/recno/rec_open.c.selinux-label krb5-1.8/src/plugins/kdb/db2/libdb2/recno/rec_open.c
--- krb5-1.8/src/plugins/kdb/db2/libdb2/recno/rec_open.c.selinux-label 2007-10-22 15:18:53.000000000 -0400
+++ krb5-1.8/src/plugins/kdb/db2/libdb2/recno/rec_open.c 2010-03-05 10:57:23.000000000 -0500
@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)rec_open.c 8
#include <stdio.h>
#include <unistd.h>
@ -434,10 +367,10 @@ diff -up krb5-1.7/src/plugins/kdb/db2/libdb2/recno/rec_open.c krb5-1.7/src/plugi
return (NULL);
if (fname != NULL && fcntl(rfd, F_SETFD, 1) == -1) {
diff -up krb5-1.7/src/plugins/kdb/db2/libdb2/test/Makefile.in krb5-1.7/src/plugins/kdb/db2/libdb2/test/Makefile.in
--- krb5-1.7/src/plugins/kdb/db2/libdb2/test/Makefile.in 2008-08-25 19:08:16.000000000 -0400
+++ krb5-1.7/src/plugins/kdb/db2/libdb2/test/Makefile.in 2009-06-04 13:47:20.000000000 -0400
@@ -14,7 +14,8 @@ PROG_RPATH=$(KRB5_LIBDIR)
diff -up krb5-1.8/src/plugins/kdb/db2/libdb2/test/Makefile.in.selinux-label krb5-1.8/src/plugins/kdb/db2/libdb2/test/Makefile.in
--- krb5-1.8/src/plugins/kdb/db2/libdb2/test/Makefile.in.selinux-label 2009-11-22 13:13:29.000000000 -0500
+++ krb5-1.8/src/plugins/kdb/db2/libdb2/test/Makefile.in 2010-03-05 10:57:23.000000000 -0500
@@ -12,7 +12,8 @@ PROG_RPATH=$(KRB5_LIBDIR)
KRB5_RUN_ENV= @KRB5_RUN_ENV@
@ -447,19 +380,19 @@ diff -up krb5-1.7/src/plugins/kdb/db2/libdb2/test/Makefile.in krb5-1.7/src/plugi
DB_DEPLIB = ../libdb$(DEPLIBEXT)
all::
diff -up krb5-1.7/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c krb5-1.7/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
--- krb5-1.7/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c 2008-12-01 12:09:59.000000000 -0500
+++ krb5-1.7/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c 2009-06-04 13:47:20.000000000 -0400
@@ -1096,7 +1096,7 @@ rem_service_entry_from_file(argc, argv,
diff -up krb5-1.8/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c.selinux-label krb5-1.8/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
--- krb5-1.8/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c.selinux-label 2009-11-24 18:52:25.000000000 -0500
+++ krb5-1.8/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c 2010-03-05 10:57:23.000000000 -0500
@@ -1091,7 +1091,7 @@
/* Create a temporary file which contains all the entries except the
entry for the given service dn */
- pfile = fopen(file_name, "r+");
+ pfile = WRITABLEFOPEN(file_name, "r+");
if (pfile == NULL) {
com_err(me, errno, "while deleting entry from file %s", file_name);
goto cleanup;
@@ -1113,7 +1113,7 @@ rem_service_entry_from_file(argc, argv,
com_err(me, errno, "while deleting entry from file %s", file_name);
goto cleanup;
@@ -1108,7 +1108,7 @@
snprintf (tmp_file, strlen(file_name) + 4 + 1, "%s%s", file_name, ".tmp");
@ -467,79 +400,88 @@ diff -up krb5-1.7/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c krb5-1.7/s
+ tmpfd = THREEPARAMOPEN(tmp_file, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR|S_IWUSR);
umask(omask);
if (tmpfd == -1) {
com_err(me, errno, "while deleting entry from file\n");
@@ -1767,7 +1767,7 @@ kdb5_ldap_set_service_password(argc, arg
com_err(me, errno, "while deleting entry from file\n");
@@ -1728,7 +1728,7 @@
printf("File does not exist. Creating the file %s...\n", file_name);
omask = umask(077);
- fd = creat(file_name, S_IRUSR|S_IWUSR);
+ fd = THREEPARAMOPEN(file_name, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR|S_IWUSR);
umask(omask);
if (fd == -1) {
com_err(me, errno, "Error creating file %s", file_name);
@@ -1756,7 +1756,7 @@
/* TODO: file lock for the service password file */
/* set password in the file */
- pfile = fopen(file_name, "r+");
+ pfile = WRITABLEFOPEN(file_name, "r+");
if (pfile == NULL) {
com_err(me, errno, "Failed to open file %s", file_name);
goto cleanup;
@@ -1808,7 +1808,7 @@ kdb5_ldap_set_service_password(argc, arg
}
com_err(me, errno, "Failed to open file %s", file_name);
goto cleanup;
@@ -1797,7 +1797,7 @@
}
omask = umask(077);
- newfile = fopen(tmp_file, "w+");
+ newfile = WRITABLEFOPEN(tmp_file, "w+");
umask(omask);
if (newfile == NULL) {
com_err(me, errno, "Error creating file %s", tmp_file);
@@ -2032,7 +2032,7 @@ done:
omask = umask(077);
- newfile = fopen(tmp_file, "w+");
+ newfile = WRITABLEFOPEN(tmp_file, "w+");
umask(omask);
if (newfile == NULL) {
com_err(me, errno, "Error creating file %s", tmp_file);
@@ -2019,7 +2019,7 @@
/* set password in the file */
old_mode = umask(0177);
- pfile = fopen(file_name, "a+");
+ pfile = WRITABLEFOPEN(file_name, "a+");
if (pfile == NULL) {
com_err(me, errno, "Failed to open file %s: %s", file_name,
strerror (errno));
@@ -2082,7 +2082,7 @@ done:
}
com_err(me, errno, "Failed to open file %s: %s", file_name,
strerror (errno));
@@ -2069,7 +2069,7 @@
}
omask = umask(077);
- newfile = fopen(tmp_file, "w");
+ newfile = WRITABLEFOPEN(tmp_file, "w");
umask (omask);
if (newfile == NULL) {
com_err(me, errno, "Error creating file %s", tmp_file);
diff -up krb5-1.7/src/slave/kpropd.c krb5-1.7/src/slave/kpropd.c
--- krb5-1.7/src/slave/kpropd.c 2008-12-30 00:45:06.000000000 -0500
+++ krb5-1.7/src/slave/kpropd.c 2009-06-04 13:47:20.000000000 -0400
@@ -346,7 +346,7 @@ retry:
if (!debug && iproprole != IPROP_SLAVE)
daemon(1, 0);
omask = umask(077);
- newfile = fopen(tmp_file, "w");
+ newfile = WRITABLEFOPEN(tmp_file, "w");
umask (omask);
if (newfile == NULL) {
com_err(me, errno, "Error creating file %s", tmp_file);
diff -up krb5-1.8/src/slave/kpropd.c.selinux-label krb5-1.8/src/slave/kpropd.c
--- krb5-1.8/src/slave/kpropd.c.selinux-label 2009-12-31 17:25:11.000000000 -0500
+++ krb5-1.8/src/slave/kpropd.c 2010-03-05 10:57:23.000000000 -0500
@@ -328,7 +328,7 @@ retry:
if (!debug && iproprole != IPROP_SLAVE)
daemon(1, 0);
#ifdef PID_FILE
- if ((pidfile = fopen(PID_FILE, "w")) != NULL) {
+ if ((pidfile = WRITABLEFOPEN(PID_FILE, "w")) != NULL) {
fprintf(pidfile, "%d\n", getpid());
fclose(pidfile);
} else
diff -up krb5-1.7/src/util/profile/prof_file.c krb5-1.7/src/util/profile/prof_file.c
--- krb5-1.7/src/util/profile/prof_file.c 2008-11-05 11:19:01.000000000 -0500
+++ krb5-1.7/src/util/profile/prof_file.c 2009-06-04 13:47:20.000000000 -0400
@@ -29,6 +29,7 @@
- if ((pidfile = fopen(PID_FILE, "w")) != NULL) {
+ if ((pidfile = WRITABLEFOPEN(PID_FILE, "w")) != NULL) {
fprintf(pidfile, "%d\n", getpid());
fclose(pidfile);
} else
diff -up krb5-1.8/src/util/profile/prof_file.c.selinux-label krb5-1.8/src/util/profile/prof_file.c
--- krb5-1.8/src/util/profile/prof_file.c.selinux-label 2009-12-27 19:21:20.000000000 -0500
+++ krb5-1.8/src/util/profile/prof_file.c 2010-03-05 10:57:23.000000000 -0500
@@ -30,6 +30,7 @@
#endif
#include "k5-platform.h"
+#include "k5-label.h"
struct global_shared_profile_data {
/* This is the head of the global list of shared trees */
@@ -422,7 +423,7 @@ static errcode_t write_data_to_file(prf_
/* This is the head of the global list of shared trees */
@@ -418,7 +419,7 @@ static errcode_t write_data_to_file(prf_
errno = 0;
errno = 0;
- f = fopen(new_file, "w");
+ f = WRITABLEFOPEN(new_file, "w");
if (!f) {
retval = errno;
if (retval == 0)
diff -up krb5-1.7/src/util/support/Makefile.in krb5-1.7/src/util/support/Makefile.in
--- krb5-1.7/src/util/support/Makefile.in 2009-01-05 15:27:53.000000000 -0500
+++ krb5-1.7/src/util/support/Makefile.in 2009-06-04 13:47:20.000000000 -0400
@@ -38,6 +38,7 @@ PRINTF_OBJ= @PRINTF_OBJ@
- f = fopen(new_file, "w");
+ f = WRITABLEFOPEN(new_file, "w");
if (!f) {
retval = errno;
if (retval == 0)
diff -up krb5-1.8/src/util/support/Makefile.in.selinux-label krb5-1.8/src/util/support/Makefile.in
--- krb5-1.8/src/util/support/Makefile.in.selinux-label 2009-11-23 20:25:10.000000000 -0500
+++ krb5-1.8/src/util/support/Makefile.in 2010-03-05 10:57:23.000000000 -0500
@@ -54,6 +54,7 @@ IPC_SYMS= \
STLIBOBJS= \
threads.o \
@ -547,7 +489,7 @@ diff -up krb5-1.7/src/util/support/Makefile.in krb5-1.7/src/util/support/Makefil
init-addrinfo.o \
plugins.o \
errors.o \
@@ -86,7 +87,7 @@ SRCS=\
@@ -108,7 +109,7 @@ SRCS=\
SHLIB_EXPDEPS =
# Add -lm if dumping thread stats, for sqrt.
@ -556,9 +498,9 @@ diff -up krb5-1.7/src/util/support/Makefile.in krb5-1.7/src/util/support/Makefil
SHLIB_DIRS=
SHLIB_RDIRS=$(KRB5_LIBDIR)
diff -up /dev/null krb5-1.7/src/util/support/selinux.c
--- /dev/null 2009-06-04 10:34:55.169007373 -0400
+++ krb5-1.7/src/util/support/selinux.c 2009-06-04 13:47:20.000000000 -0400
diff -up krb5-1.8/src/util/support/selinux.c.selinux-label krb5-1.8/src/util/support/selinux.c
--- krb5-1.8/src/util/support/selinux.c.selinux-label 2010-03-05 10:57:23.000000000 -0500
+++ krb5-1.8/src/util/support/selinux.c 2010-03-05 10:57:23.000000000 -0500
@@ -0,0 +1,346 @@
+/*
+ * Copyright 2007,2008,2009 Red Hat, Inc. All Rights Reserved.


@ -3,10 +3,10 @@ neither end is reading. This is a port of a patch which aims to solve that
problem, but for now it's incomplete because we don't handle partial writes. A
proper non-blocking implementation would require a bit more work.
diff -up krb5-1.7/src/appl/bsd/defines.h krb5-1.7/src/appl/bsd/defines.h
--- krb5-1.7/src/appl/bsd/defines.h 2008-12-15 15:29:01.000000000 -0500
+++ krb5-1.7/src/appl/bsd/defines.h 2009-06-04 14:18:48.000000000 -0400
@@ -34,6 +34,7 @@ extern int kcmd (int *sock, char **ahost
diff -up krb5-appl-1.0/bsd/defines.h.io krb5-appl-1.0/bsd/defines.h
--- krb5-appl-1.0/bsd/defines.h.io 2009-11-16 05:27:04.000000000 -0500
+++ krb5-appl-1.0/bsd/defines.h 2010-03-05 11:00:06.000000000 -0500
@@ -36,6 +36,7 @@ extern int kcmd (int *sock, char **ahost
enum kcmd_proto *protonum /* input and output */
);
@ -14,10 +14,10 @@ diff -up krb5-1.7/src/appl/bsd/defines.h krb5-1.7/src/appl/bsd/defines.h
extern int rcmd_stream_read (int fd, char *buf, size_t len, int secondary);
extern int rcmd_stream_write (int fd, char *buf, size_t len, int secondary);
extern int getport (int * /* portnum */, int * /* addrfamily */);
diff -up krb5-1.7/src/appl/bsd/kcmd.c krb5-1.7/src/appl/bsd/kcmd.c
--- krb5-1.7/src/appl/bsd/kcmd.c 2009-04-15 16:07:15.000000000 -0400
+++ krb5-1.7/src/appl/bsd/kcmd.c 2009-06-04 14:18:48.000000000 -0400
@@ -686,6 +686,11 @@ void rcmd_stream_init_normal()
diff -up krb5-appl-1.0/bsd/kcmd.c.io krb5-appl-1.0/bsd/kcmd.c
--- krb5-appl-1.0/bsd/kcmd.c.io 2009-11-16 05:27:04.000000000 -0500
+++ krb5-appl-1.0/bsd/kcmd.c 2010-03-05 11:00:06.000000000 -0500
@@ -767,6 +767,11 @@ void rcmd_stream_init_normal()
output = twrite;
}
@ -29,8 +29,8 @@ diff -up krb5-1.7/src/appl/bsd/kcmd.c krb5-1.7/src/appl/bsd/kcmd.c
void rcmd_stream_init_krb5(in_keyblock, encrypt_flag, lencheck, am_client,
protonum)
krb5_keyblock *in_keyblock;
@@ -846,7 +851,8 @@ static int v5_des_read(fd, buf, len, sec
cc = krb5_net_read(bsd_context, fd, &c, 1);
@@ -927,7 +932,8 @@ static int v5_des_read(fd, buf, len, sec
cc = full_read(fd, &c, 1);
/* we should check for non-blocking here, but we'd have
to make it save partial reads as well. */
- if (cc <= 0) return cc; /* read error */
@ -39,10 +39,10 @@ diff -up krb5-1.7/src/appl/bsd/kcmd.c krb5-1.7/src/appl/bsd/kcmd.c
if (cc == 1) {
if (c == 0 || !do_lencheck) break;
}
diff -up krb5-1.7/src/appl/bsd/krsh.c krb5-1.7/src/appl/bsd/krsh.c
--- krb5-1.7/src/appl/bsd/krsh.c 2009-06-04 14:18:47.000000000 -0400
+++ krb5-1.7/src/appl/bsd/krsh.c 2009-06-04 14:18:48.000000000 -0400
@@ -115,10 +115,11 @@ main(argc, argv0)
diff -up krb5-appl-1.0/bsd/krsh.c.io krb5-appl-1.0/bsd/krsh.c
--- krb5-appl-1.0/bsd/krsh.c.io 2010-03-05 11:00:05.000000000 -0500
+++ krb5-appl-1.0/bsd/krsh.c 2010-03-05 11:00:06.000000000 -0500
@@ -117,10 +117,11 @@ main(argc, argv0)
char **argv0;
{
int rem, pid = 0;
@ -55,7 +55,7 @@ diff -up krb5-1.7/src/appl/bsd/krsh.c krb5-1.7/src/appl/bsd/krsh.c
int one = 1;
struct servent *sp;
struct servent defaultservent;
@@ -508,9 +509,14 @@ main(argc, argv0)
@@ -510,9 +511,14 @@ main(argc, argv0)
FD_ZERO(&readfrom);
FD_SET(rfd2, &readfrom);
FD_SET(rem, &readfrom);
@ -71,7 +71,7 @@ diff -up krb5-1.7/src/appl/bsd/krsh.c krb5-1.7/src/appl/bsd/krsh.c
if (errno != EINTR) {
perror("select");
exit(1);
@@ -518,22 +524,38 @@ main(argc, argv0)
@@ -520,22 +526,38 @@ main(argc, argv0)
continue;
}
if (FD_ISSET(rfd2, &ready)) {
@ -124,10 +124,10 @@ diff -up krb5-1.7/src/appl/bsd/krsh.c krb5-1.7/src/appl/bsd/krsh.c
}
} while (FD_ISSET(rem, &readfrom) || FD_ISSET(rfd2, &readfrom));
if (nflag == 0)
diff -up krb5-1.7/src/appl/bsd/krshd.c krb5-1.7/src/appl/bsd/krshd.c
--- krb5-1.7/src/appl/bsd/krshd.c 2009-06-04 14:18:47.000000000 -0400
+++ krb5-1.7/src/appl/bsd/krshd.c 2009-06-04 14:18:48.000000000 -0400
@@ -583,7 +583,8 @@ void doit(f, fromp)
diff -up krb5-appl-1.0/bsd/krshd.c.io krb5-appl-1.0/bsd/krshd.c
--- krb5-appl-1.0/bsd/krshd.c.io 2010-03-05 11:00:05.000000000 -0500
+++ krb5-appl-1.0/bsd/krshd.c 2010-03-05 11:00:06.000000000 -0500
@@ -585,7 +585,8 @@ void doit(f, fromp)
short port;
int pv[2], pw[2], px[2], cc;
fd_set ready, readfrom;
@ -137,7 +137,7 @@ diff -up krb5-1.7/src/appl/bsd/krshd.c krb5-1.7/src/appl/bsd/krshd.c
struct sockaddr_storage localaddr;
#ifdef POSIX_SIGNALS
struct sigaction sa;
@@ -1214,6 +1215,10 @@ void doit(f, fromp)
@@ -1216,6 +1217,10 @@ void doit(f, fromp)
if (pw[0] > maxfd)
maxfd = pw[0];
@ -148,7 +148,7 @@ diff -up krb5-1.7/src/appl/bsd/krshd.c krb5-1.7/src/appl/bsd/krshd.c
/* read from f, write to px[1] -- child stdin */
/* read from s, signal child */
/* read from pv[0], write to s -- child stderr */
@@ -1221,36 +1226,47 @@ void doit(f, fromp)
@@ -1223,36 +1228,47 @@ void doit(f, fromp)
do {
ready = readfrom;
@ -204,7 +204,7 @@ diff -up krb5-1.7/src/appl/bsd/krshd.c krb5-1.7/src/appl/bsd/krshd.c
}
if (port&&FD_ISSET(s, &ready)) {
/* read from the alternate channel, signal the child */
@@ -1268,12 +1284,15 @@ void doit(f, fromp)
@@ -1270,12 +1286,15 @@ void doit(f, fromp)
}
}
if (FD_ISSET(f, &ready)) {
@ -221,7 +221,7 @@ diff -up krb5-1.7/src/appl/bsd/krshd.c krb5-1.7/src/appl/bsd/krshd.c
} else {
int wcc;
wcc = write(px[1], buf, (unsigned) cc);
@@ -1281,17 +1300,22 @@ void doit(f, fromp)
@@ -1283,17 +1302,22 @@ void doit(f, fromp)
/* pipe closed, don't read any more */
/* might check for EPIPE */
(void) close(px[1]);
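Review bot: In the rebased v5_des_read hunk (`@@ -927,7 +932,8 @@`) the context line under the patch changes from `cc = krb5_net_read(bsd_context, fd, &c, 1);` to `cc = full_read(fd, &c, 1);`, while the lines that replace the removed `if (cc <= 0) return cc;` check fall outside this hunk and cannot be seen here. If that replacement keys on errno (the adjacent comment talks about non-blocking handling), it is worth re-checking against full_read rather than krb5_net_read, since a helper that loops over short reads may not leave errno in the state the original patch assumed. The patch header still only records that partial writes are unhandled; a short line there such as `Rebased onto krb5-appl-1.0, where v5_des_read() reads via full_read() instead of krb5_net_read().` would document the changed assumption for the next rebase. The enclosing v5_des_read body starts and ends outside the hunk.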


@ -8,25 +8,254 @@
instead of fseek(), which takes a long and might not handle the full
range of values.
RT#6524
Index: krb5/src/appl/gssftp/configure.in
===================================================================
--- krb5/src/appl/gssftp/configure.in (revision 22425)
+++ krb5/src/appl/gssftp/configure.in (working copy)
@@ -12,6 +12,9 @@
AC_HEADER_STDARG
AC_CHECK_HEADER(termios.h,[AC_CHECK_FUNC(cfsetispeed,AC_DEFINE(POSIX_TERMIOS,1,[Define if POSIX termios interface found]))])
AC_CHECK_HEADERS(unistd.h stdlib.h string.h sys/select.h sys/sockio.h paths.h)
diff -up krb5-appl-1.0/bsd/krcp.c.largefile krb5-appl-1.0/bsd/krcp.c
--- krb5-appl-1.0/bsd/krcp.c.largefile 2010-03-05 11:06:23.000000000 -0500
+++ krb5-appl-1.0/bsd/krcp.c 2010-03-05 11:06:24.000000000 -0500
@@ -748,8 +748,13 @@ void source(argc, argv)
continue;
}
}
+#ifdef HAVE_LONG_LONG_INT
+ (void) snprintf(buf, sizeof(buf), "C%04o %lld %s\n",
+ (int) stb.st_mode&07777, (long long) stb.st_size, last);
+#else
(void) snprintf(buf, sizeof(buf), "C%04o %ld %s\n",
(int) stb.st_mode&07777, (long ) stb.st_size, last);
+#endif
(void) rcmd_stream_write(rem, buf, strlen(buf), 0);
if (response() < 0) {
(void) close(f);
diff -up krb5-appl-1.0/configure.ac.largefile krb5-appl-1.0/configure.ac
--- krb5-appl-1.0/configure.ac.largefile 2010-03-05 11:06:23.000000000 -0500
+++ krb5-appl-1.0/configure.ac 2010-03-05 11:06:24.000000000 -0500
@@ -103,6 +103,10 @@ case $host in
;;
esac
+AC_SYS_LARGEFILE
+AC_FUNC_FSEEKO
+AC_CHECK_TYPES([long long])
CHECK_UTMP
DECLARE_SYS_ERRLIST
AC_REPLACE_FUNCS(getdtablesize)
Index: krb5/src/appl/gssftp/ftp/ftp_var.h
===================================================================
--- krb5/src/appl/gssftp/ftp/ftp_var.h (revision 22425)
+++ krb5/src/appl/gssftp/ftp/ftp_var.h (working copy)
@@ -46,13 +46,19 @@
+AC_TYPE_LONG_LONG_INT
+AC_TYPE_UNSIGNED_LONG_LONG_INT
AC_CHECK_FUNCS(_getpty cgetent getcwd getenv gettosbyname getusershell getutmp)
AC_CHECK_FUNCS(getutmpx grantpt inet_aton initgroups isatty killpg killpg)
AC_CHECK_FUNCS(line_push logwtmp openpty ptsname revoke rmufile rresvport_af)
diff -up krb5-appl-1.0/gssftp/ftpd/ftpcmd.y.largefile krb5-appl-1.0/gssftp/ftpd/ftpcmd.y
--- krb5-appl-1.0/gssftp/ftpd/ftpcmd.y.largefile 2009-11-05 15:15:06.000000000 -0500
+++ krb5-appl-1.0/gssftp/ftpd/ftpcmd.y 2010-03-05 11:06:24.000000000 -0500
@@ -1499,12 +1499,20 @@ char *filename;
(stbuf.st_mode&S_IFMT) != S_IFREG)
reply(550, "%s: not a plain file.", filename);
else
+#ifdef HAVE_LONG_LONG_INT
+ reply(213, "%llu", (long long) stbuf.st_size);
+#else
reply(213, "%lu", (long) stbuf.st_size);
+#endif
break;}
case TYPE_A: {
FILE *fin;
register int c;
+#ifdef HAVE_LONG_LONG_INT
+ register long long count;
+#else
register long count;
+#endif
struct stat stbuf;
fin = fopen(filename, "r");
if (fin == NULL) {
@@ -1526,7 +1534,11 @@ char *filename;
}
(void) fclose(fin);
+#ifdef HAVE_LONG_LONG_INT
+ reply(213, "%lld", count);
+#else
reply(213, "%ld", count);
+#endif
break;}
default:
reply(504, "SIZE not implemented for Type %c.", "?AEIL"[type]);
diff -up krb5-appl-1.0/gssftp/ftpd/ftpd.c.largefile krb5-appl-1.0/gssftp/ftpd/ftpd.c
--- krb5-appl-1.0/gssftp/ftpd/ftpd.c.largefile 2010-03-05 11:06:23.000000000 -0500
+++ krb5-appl-1.0/gssftp/ftpd/ftpd.c 2010-03-05 11:06:24.000000000 -0500
@@ -1205,8 +1205,13 @@ retrieve(cmd, name)
done:
(*closefunc)(fin);
if (logging > 2 && !cmd) {
+#ifdef HAVE_UNSIGNED_LONG_LONG_INT
+ syslog(LOG_NOTICE, "get: %llu bytes transferred",
+ (unsigned long long) byte_count);
+#else
syslog(LOG_NOTICE, "get: %lu bytes transferred",
(unsigned long) byte_count);
+#endif
}
}
@@ -1252,7 +1257,7 @@ store_file(name, fmode, unique)
* because we are changing from reading to
* writing.
*/
- if (fseek(fout, 0L, L_INCR) < 0) {
+ if (FSEEK(fout, 0L, L_INCR) < 0) {
perror_reply(550, name);
goto done;
}
@@ -1277,8 +1282,13 @@ store_file(name, fmode, unique)
done:
(*closefunc)(fout);
if (logging > 2) {
+#ifdef HAVE_UNSIGNED_LONG_LONG_INT
+ syslog(LOG_NOTICE, "put: %llu bytes transferred",
+ (unsigned long long) byte_count);
+#else
syslog(LOG_NOTICE, "put: %lu bytes transferred",
(unsigned long) byte_count);
+#endif
}
}
@@ -1341,8 +1351,13 @@ dataconn(name, size, fmode)
byte_count = 0;
if (size != (off_t) -1)
/* cast size to long in case sizeof(off_t) > sizeof(long) */
+#ifdef HAVE_LONG_LONG_INT
+ (void) snprintf (sizebuf, sizeof(sizebuf), " (%lld bytes)",
+ (long long)size);
+#else
(void) snprintf (sizebuf, sizeof(sizebuf), " (%ld bytes)",
(long)size);
+#endif
else
sizebuf[0] = '\0';
if (pdata >= 0) {
@@ -2063,6 +2078,15 @@ myoob(sig)
siglongjmp(urgcatch, 1);
}
if (strcmp(cp, "STAT") == 0) {
+#ifdef HAVE_LONG_LONG_INT
+ if (file_size != (off_t) -1)
+ reply(213, "Status: %llu of %llu bytes transferred",
+ (unsigned long long) byte_count,
+ (unsigned long long) file_size);
+ else
+ reply(213, "Status: %llu bytes transferred",
+ (unsigned long long) byte_count);
+#else
if (file_size != (off_t) -1)
reply(213, "Status: %lu of %lu bytes transferred",
(unsigned long) byte_count,
@@ -2070,6 +2094,7 @@ myoob(sig)
else
reply(213, "Status: %lu bytes transferred",
(unsigned long) byte_count);
+#endif
}
}
diff -up krb5-appl-1.0/gssftp/ftpd/ftpd_var.h.largefile krb5-appl-1.0/gssftp/ftpd/ftpd_var.h
--- krb5-appl-1.0/gssftp/ftpd/ftpd_var.h.largefile 2009-11-05 15:15:06.000000000 -0500
+++ krb5-appl-1.0/gssftp/ftpd/ftpd_var.h 2010-03-05 11:06:24.000000000 -0500
@@ -41,6 +41,12 @@
char *radix_error (int);
int radix_encode (unsigned char *, unsigned char *, size_t *, int);
+#ifdef HAVE_FSEEKO
+#define FSEEK(fd, offset, whence) fseeko(fd, (off_t) offset, whence)
+#else
+#define FSEEK(fd, offset, whence) fseek(fd, (long) offset, whence)
+#endif
+
/* ftpd.c */
void ack(char *);
int auth_data(unsigned char *);
diff -up krb5-appl-1.0/gssftp/ftp/ftp.c.largefile krb5-appl-1.0/gssftp/ftp/ftp.c
--- krb5-appl-1.0/gssftp/ftp/ftp.c.largefile 2010-03-05 11:06:24.000000000 -0500
+++ krb5-appl-1.0/gssftp/ftp/ftp.c 2010-03-05 11:06:24.000000000 -0500
@@ -156,7 +156,11 @@ void user_gss_error (OM_uint32, OM_uint3
static void proxtrans (char *, char *, char *);
static int initconn (void);
+#ifdef HAVE_LONG_LONG_INT
+static void ptransfer (char *, long long, struct timeval *, struct timeval *);
+#else
static void ptransfer (char *, long, struct timeval *, struct timeval *);
+#endif
static void abort_remote (FILE *);
static void tvsub (struct timeval *, struct timeval *, struct timeval *);
static char *gunique (char *);
@@ -787,7 +791,11 @@ void sendrequest(char *cmd, char *local,
FILE *volatile fin, *volatile dout = 0;
int (*volatile closefunc)();
volatile sig_t oldintr, oldintp;
+#ifdef HAVE_LONG_LONG_INT
+ volatile long long bytes = 0, hashbytes = HASHBYTES;
+#else
volatile long bytes = 0, hashbytes = HASHBYTES;
+#endif
char *volatile lmode;
char buf[FTP_BUFSIZ], *bufp;
@@ -884,7 +892,7 @@ void sendrequest(char *cmd, char *local,
if (restart_point &&
(strcmp(cmd, "STOR") == 0 || strcmp(cmd, "APPE") == 0)) {
- if (fseek(fin, (long) restart_point, 0) < 0) {
+ if (FSEEK(fin, restart_point, 0) < 0) {
fprintf(stderr, "local: %s: %s\n", local,
strerror(errno));
restart_point = 0;
@@ -1279,7 +1287,7 @@ void recvrequest(char *cmd, char *volati
if (restart_point) {
register int i, n, ch;
- if (fseek(fout, 0L, L_SET) < 0)
+ if (FSEEK(fout, 0L, L_SET) < 0)
goto done;
n = restart_point;
for (i = 0; i++ < n;) {
@@ -1288,7 +1296,7 @@ void recvrequest(char *cmd, char *volati
if (ch == '\n')
i++;
}
- if (fseek(fout, 0L, L_INCR) < 0) {
+ if (FSEEK(fout, 0L, L_INCR) < 0) {
done:
fprintf(stderr, "local: %s: %s\n", local,
strerror(errno));
@@ -1553,8 +1561,13 @@ dataconn(char *lmode)
return (FDOPEN_SOCKET(data, lmode));
}
+#ifdef HAVE_LONG_LONG_INT
+static void ptransfer(char *direction, long long bytes,
+ struct timeval *t0, struct timeval *t1)
+#else
static void ptransfer(char *direction, long bytes,
struct timeval *t0, struct timeval *t1)
+#endif
{
struct timeval td;
float s, kbs;
@@ -1564,8 +1577,13 @@ static void ptransfer(char *direction, l
s = td.tv_sec + (td.tv_usec / 1000000.);
#define nz(x) ((x) == 0 ? 1 : (x))
kbs = (bytes / nz(s))/1024.0;
+#ifdef HAVE_LONG_LONG_INT
+ printf("%lld bytes %s in %.2g seconds (%.2g Kbytes/s)\n",
+ bytes, direction, s, kbs);
+#else
printf("%ld bytes %s in %.2g seconds (%.2g Kbytes/s)\n",
bytes, direction, s, kbs);
+#endif
}
}
diff -up krb5-appl-1.0/gssftp/ftp/ftp_var.h.largefile krb5-appl-1.0/gssftp/ftp/ftp_var.h
--- krb5-appl-1.0/gssftp/ftp/ftp_var.h.largefile 2010-03-05 11:06:24.000000000 -0500
+++ krb5-appl-1.0/gssftp/ftp/ftp_var.h 2010-03-05 11:06:24.000000000 -0500
@@ -46,12 +46,18 @@ FILE* fdopen_socket(SOCKET s, char* mode
#define FDOPEN_SOCKET(s, mode) fdopen_socket(s, mode)
#define SOCKETNO(fd) _get_osfhandle(fd)
#define PERROR_SOCKET(str) do { errno = SOCKET_ERRNO; perror(str); } while(0)
@ -41,254 +270,7 @@ Index: krb5/src/appl/gssftp/ftp/ftp_var.h
+#define FSEEK(fd, offset, whence) fseeko(fd, (off_t) offset, whence)
+#else
+#define FSEEK(fd, offset, whence) fseek(fd, (long) offset, whence)
#endif
+#endif
#endif
#ifdef _WIN32
typedef void (*sig_t)(int);
Index: krb5/src/appl/gssftp/ftp/ftp.c
===================================================================
--- krb5/src/appl/gssftp/ftp/ftp.c (revision 22425)
+++ krb5/src/appl/gssftp/ftp/ftp.c (working copy)
@@ -150,7 +150,11 @@
static void proxtrans (char *, char *, char *);
static int initconn (void);
+#ifdef HAVE_LONG_LONG
+static void ptransfer (char *, long long, struct timeval *, struct timeval *);
+#else
static void ptransfer (char *, long, struct timeval *, struct timeval *);
+#endif
static void abort_remote (FILE *);
static void tvsub (struct timeval *, struct timeval *, struct timeval *);
static char *gunique (char *);
@@ -775,7 +779,11 @@
FILE *volatile fin, *volatile dout = 0;
int (*volatile closefunc)();
volatile sig_t oldintr, oldintp;
+#ifdef HAVE_LONG_LONG
+ volatile long long bytes = 0, hashbytes = HASHBYTES;
+#else
volatile long bytes = 0, hashbytes = HASHBYTES;
+#endif
char *volatile lmode;
unsigned char buf[FTP_BUFSIZ], *bufp;
@@ -872,7 +880,7 @@
if (restart_point &&
(strcmp(cmd, "STOR") == 0 || strcmp(cmd, "APPE") == 0)) {
- if (fseek(fin, (long) restart_point, 0) < 0) {
+ if (FSEEK(fin, restart_point, 0) < 0) {
fprintf(stderr, "local: %s: %s\n", local,
strerror(errno));
restart_point = 0;
@@ -1266,7 +1274,7 @@
if (restart_point) {
register int i, n, ch;
- if (fseek(fout, 0L, L_SET) < 0)
+ if (FSEEK(fout, 0L, L_SET) < 0)
goto done;
n = restart_point;
for (i = 0; i++ < n;) {
@@ -1275,7 +1283,7 @@
if (ch == '\n')
i++;
}
- if (fseek(fout, 0L, L_INCR) < 0) {
+ if (FSEEK(fout, 0L, L_INCR) < 0) {
done:
fprintf(stderr, "local: %s: %s\n", local,
strerror(errno));
@@ -1538,8 +1546,13 @@
return (FDOPEN_SOCKET(data, lmode));
}
+#ifdef HAVE_LONG_LONG
+static void ptransfer(char *direction, long long bytes,
+ struct timeval *t0, struct timeval *t1)
+#else
static void ptransfer(char *direction, long bytes,
struct timeval *t0, struct timeval *t1)
+#endif
{
struct timeval td;
float s, kbs;
@@ -1549,8 +1562,13 @@
s = td.tv_sec + (td.tv_usec / 1000000.);
#define nz(x) ((x) == 0 ? 1 : (x))
kbs = (bytes / nz(s))/1024.0;
+#ifdef HAVE_LONG_LONG
+ printf("%lld bytes %s in %.2g seconds (%.2g Kbytes/s)\n",
+ bytes, direction, s, kbs);
+#else
printf("%ld bytes %s in %.2g seconds (%.2g Kbytes/s)\n",
bytes, direction, s, kbs);
+#endif
}
}
Index: krb5/src/appl/gssftp/ftpd/ftpcmd.y
===================================================================
--- krb5/src/appl/gssftp/ftpd/ftpcmd.y (revision 22425)
+++ krb5/src/appl/gssftp/ftpd/ftpcmd.y (working copy)
@@ -1497,12 +1497,20 @@
(stbuf.st_mode&S_IFMT) != S_IFREG)
reply(550, "%s: not a plain file.", filename);
else
+#ifdef HAVE_LONG_LONG
+ reply(213, "%llu", (long long) stbuf.st_size);
+#else
reply(213, "%lu", (long) stbuf.st_size);
+#endif
break;}
case TYPE_A: {
FILE *fin;
register int c;
+#ifdef HAVE_LONG_LONG
+ register long long count;
+#else
register long count;
+#endif
struct stat stbuf;
fin = fopen(filename, "r");
if (fin == NULL) {
@@ -1524,7 +1532,11 @@
}
(void) fclose(fin);
+#ifdef HAVE_LONG_LONG
+ reply(213, "%lld", count);
+#else
reply(213, "%ld", count);
+#endif
break;}
default:
reply(504, "SIZE not implemented for Type %c.", "?AEIL"[type]);
Index: krb5/src/appl/gssftp/ftpd/ftpd_var.h
===================================================================
--- krb5/src/appl/gssftp/ftpd/ftpd_var.h (revision 22425)
+++ krb5/src/appl/gssftp/ftpd/ftpd_var.h (working copy)
@@ -41,6 +41,12 @@
char *radix_error (int);
int radix_encode (unsigned char *, unsigned char *, int *, int);
+#ifdef HAVE_FSEEKO
+#define FSEEK(fd, offset, whence) fseeko(fd, (off_t) offset, whence)
+#else
+#define FSEEK(fd, offset, whence) fseek(fd, (long) offset, whence)
+#endif
+
/* ftpd.c */
void ack(char *);
int auth_data(char *);
Index: krb5/src/appl/gssftp/ftpd/ftpd.c
===================================================================
--- krb5/src/appl/gssftp/ftpd/ftpd.c (revision 22425)
+++ krb5/src/appl/gssftp/ftpd/ftpd.c (working copy)
@@ -1146,7 +1146,11 @@
done:
(*closefunc)(fin);
if (logging > 2 && !cmd)
- syslog(LOG_NOTICE, "get: %i bytes transferred", byte_count);
+#ifdef HAVE_LONG_LONG
+ syslog(LOG_NOTICE, "get: %lld bytes transferred", (long long) byte_count);
+#else
+ syslog(LOG_NOTICE, "get: %ld bytes transferred", (long) byte_count);
+#endif
}
void
@@ -1191,7 +1195,7 @@
* because we are changing from reading to
* writing.
*/
- if (fseek(fout, 0L, L_INCR) < 0) {
+ if (FSEEK(fout, 0L, L_INCR) < 0) {
perror_reply(550, name);
goto done;
}
@@ -1216,7 +1220,11 @@
done:
(*closefunc)(fout);
if (logging > 2)
- syslog(LOG_NOTICE, "put: %i bytes transferred", byte_count);
+#ifdef HAVE_LONG_LONG
+ syslog(LOG_NOTICE, "get: %lld bytes transferred", byte_count);
+#else
+ syslog(LOG_NOTICE, "get: %ld bytes transferred", (long) byte_count);
+#endif
}
FILE *
@@ -1278,8 +1286,13 @@
byte_count = 0;
if (size != (off_t) -1)
/* cast size to long in case sizeof(off_t) > sizeof(long) */
+#ifdef HAVE_LONG_LONG
+ (void) snprintf (sizebuf, sizeof(sizebuf), " (%lld bytes)",
+ (long long)size);
+#else
(void) snprintf (sizebuf, sizeof(sizebuf), " (%ld bytes)",
(long)size);
+#endif
else
sizebuf[0] = '\0';
if (pdata >= 0) {
@@ -1991,13 +2004,23 @@
siglongjmp(urgcatch, 1);
}
if (strcmp(cp, "STAT") == 0) {
+#ifdef HAVE_LONG_LONG
if (file_size != (off_t) -1)
+ reply(213, "Status: %llu of %llu bytes transferred",
+ (unsigned long long) byte_count,
+ (unsigned long long) file_size);
+ else
+ reply(213, "Status: %llu bytes transferred",
+ (unsigned long long) byte_count);
+#else
+ if (file_size != (off_t) -1)
reply(213, "Status: %lu of %lu bytes transferred",
(unsigned long) byte_count,
(unsigned long) file_size);
else
reply(213, "Status: %lu bytes transferred",
(unsigned long) byte_count);
+#endif
}
}
Index: krb5/src/appl/bsd/configure.in
===================================================================
--- krb5/src/appl/bsd/configure.in (revision 22425)
+++ krb5/src/appl/bsd/configure.in (working copy)
@@ -51,6 +51,9 @@
AC_TYPE_MODE_T
AC_CHECK_FUNCS(isatty inet_aton getenv gettosbyname killpg initgroups setpriority setreuid setresuid waitpid setsid ptsname setlogin tcgetpgrp tcsetpgrp setpgid strsave utimes rmufile rresvport_af)
AC_CHECK_HEADERS(unistd.h stdlib.h string.h sys/filio.h sys/sockio.h sys/label.h sys/tty.h ttyent.h lastlog.h sys/select.h sys/ptyvar.h utmp.h sys/time.h sys/ioctl_compat.h paths.h arpa/nameser.h)
+AC_SYS_LARGEFILE
+AC_FUNC_FSEEKO
+AC_CHECK_TYPES([long long])
AC_HEADER_STDARG
AC_REPLACE_FUNCS(getdtablesize)
dnl
Index: krb5/src/appl/bsd/krcp.c
===================================================================
--- krb5/src/appl/bsd/krcp.c (revision 22425)
+++ krb5/src/appl/bsd/krcp.c (working copy)
@@ -764,8 +764,13 @@
continue;
}
}
+#ifdef HAVE_LONG_LONG
+ (void) snprintf(buf, sizeof(buf), "C%04o %lld %s\n",
+ (int) stb.st_mode&07777, (long long) stb.st_size, last);
+#else
(void) snprintf(buf, sizeof(buf), "C%04o %ld %s\n",
(int) stb.st_mode&07777, (long ) stb.st_size, last);
+#endif
(void) rcmd_stream_write(rem, buf, strlen(buf), 0);
if (response() < 0) {
(void) close(f);


@ -2,10 +2,10 @@ Change to the user's directory after dropping privileges, in case it is only
accessible to the user (for example, if it's in NFS with root squashing).
Incomplete - we probably need to do the same for rshd and ftpd.
diff -up krb5/src/appl/bsd/login.c krb5/src/appl/bsd/login.c
--- krb5/src/appl/bsd/login.c 2007-07-11 13:50:34.000000000 -0400
+++ krb5/src/appl/bsd/login.c 2007-07-11 13:50:36.000000000 -0400
@@ -1497,13 +1497,8 @@ int main(argc, argv)
diff -up krb5-appl-1.0/bsd/login.c.login_chdir krb5-appl-1.0/bsd/login.c
--- krb5-appl-1.0/bsd/login.c.login_chdir 2010-03-05 11:01:23.000000000 -0500
+++ krb5-appl-1.0/bsd/login.c 2010-03-05 11:01:23.000000000 -0500
@@ -1115,13 +1115,8 @@ int main(argc, argv)
}
#endif /* USE_PAM */
@ -20,8 +20,8 @@ diff -up krb5/src/appl/bsd/login.c krb5/src/appl/bsd/login.c
+ exit(0);
/* nothing else left to fail -- really log in */
{
@@ -1710,6 +1705,14 @@ int main(argc, argv)
login_time = time(NULL);
@@ -1293,6 +1288,14 @@ int main(argc, argv)
sleepexit(1);
}


@ -0,0 +1,107 @@
Change the absolute paths included in the man pages so that the correct
values can be dropped in by config.status. After applying this patch,
these files should be renamed to their ".in" counterparts, and then the
configure scripts should be rebuilt. Originally RT#6525
diff -up krb5-appl-1.0/aclocal.m4.manpaths krb5-appl-1.0/aclocal.m4
--- krb5-appl-1.0/aclocal.m4.manpaths 2010-03-05 10:55:58.000000000 -0500
+++ krb5-appl-1.0/aclocal.m4 2010-03-05 10:55:58.000000000 -0500
@@ -565,3 +565,24 @@ AC_SUBST(PAM_LIBS)
AC_SUBST(PAM_MAN)
AC_SUBST(NON_PAM_MAN)
])dnl
+AC_DEFUN(V5_AC_OUTPUT_MANPAGE,[
+mansysconfdir=$sysconfdir
+mansysconfdir=`eval echo $mansysconfdir | sed -e "s,NONE,$prefix,g"`
+mansysconfdir=`eval echo $mansysconfdir | sed -e "s,NONE,$ac_default_prefix,g"`
+mansbindir=$sbindir
+mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$exec_prefix,g"`
+mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$prefix,g"`
+mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$ac_default_prefix,g"`
+manlocalstatedir=$localstatedir
+manlocalstatedir=`eval echo $manlocalstatedir | sed -e "s,NONE,$prefix,g"`
+manlocalstatedir=`eval echo $manlocalstatedir | sed -e "s,NONE,$ac_default_prefix,g"`
+manlibexecdir=$libexecdir
+manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$exec_prefix,g"`
+manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$prefix,g"`
+manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$ac_default_prefix,g"`
+AC_SUBST(mansysconfdir)
+AC_SUBST(mansbindir)
+AC_SUBST(manlocalstatedir)
+AC_SUBST(manlibexecdir)
+AC_CONFIG_FILES($1)
+])
diff -up krb5-appl-1.0/bsd/klogind.M.manpaths krb5-appl-1.0/bsd/klogind.M
--- krb5-appl-1.0/bsd/klogind.M.manpaths 2008-12-15 15:29:01.000000000 -0500
+++ krb5-appl-1.0/bsd/klogind.M 2010-03-05 10:55:58.000000000 -0500
@@ -27,7 +27,7 @@ server is invoked by \fIinetd(8)\fP when
the port indicated in /etc/inetd.conf. A typical /etc/inetd.conf
configuration line for \fIklogind\fP might be:
-klogin stream tcp nowait root /usr/cygnus/sbin/klogind klogind -e5c
+klogin stream tcp nowait root @mansbindir@/klogind klogind -e5c
When a service request is received, the following protocol is initiated:
diff -up krb5-appl-1.0/bsd/kshd.M.manpaths krb5-appl-1.0/bsd/kshd.M
--- krb5-appl-1.0/bsd/kshd.M.manpaths 2006-06-12 14:19:26.000000000 -0400
+++ krb5-appl-1.0/bsd/kshd.M 2010-03-05 10:55:58.000000000 -0500
@@ -8,7 +8,7 @@
.SH NAME
kshd \- kerberized remote shell server
.SH SYNOPSIS
-.B /usr/local/sbin/kshd
+.B @mansbindir@/kshd
[
.B \-kr45ec
]
@@ -30,7 +30,7 @@ server is invoked by \fIinetd(8c)\fP whe
on the port indicated in /etc/inetd.conf. A typical /etc/inetd.conf
configuration line for \fIkrshd\fP might be:
-kshell stream tcp nowait root /usr/local/sbin/kshd kshd -5c
+kshell stream tcp nowait root @mansbindir@/kshd kshd -5c
When a service request is received, the following protocol is initiated:
diff -up krb5-appl-1.0/configure.ac.manpaths krb5-appl-1.0/configure.ac
--- krb5-appl-1.0/configure.ac.manpaths 2010-03-05 10:55:58.000000000 -0500
+++ krb5-appl-1.0/configure.ac 2010-03-05 10:55:58.000000000 -0500
@@ -412,6 +412,13 @@ else
fi
AC_SUBST(HAVE_RUNTEST)
+V5_AC_OUTPUT_MANPAGE([
+ gssftp/ftpd/ftpd.M
+ bsd/klogind.M
+ bsd/kshd.M
+ telnet/telnetd/telnetd.8
+])
+
V5_AC_OUTPUT_MAKEFILE(. bsd libmissing libpty
gssftp gssftp/ftp gssftp/ftpd
telnet telnet/libtelnet telnet/telnet telnet/telnetd
diff -up krb5-appl-1.0/gssftp/ftpd/ftpd.M.manpaths krb5-appl-1.0/gssftp/ftpd/ftpd.M
--- krb5-appl-1.0/gssftp/ftpd/ftpd.M.manpaths 2009-01-28 00:42:11.000000000 -0500
+++ krb5-appl-1.0/gssftp/ftpd/ftpd.M 2010-03-05 10:55:58.000000000 -0500
@@ -35,7 +35,7 @@
.SH NAME
ftpd \- DARPA Internet File Transfer Protocol server
.SH SYNOPSIS
-.B ftpd
+.B @mansbindir@/ftpd
[\fB\-A \fP|\fB -a\fP] [\fB\-C\fP] [\fB\-c\fP] [\fB\-d\fP] [\fB-E\fP]
[\fB\-l\fP] [\fB\-v\fP] [\fB\-T\fP \fImaxtimeout\fP] [\fB\-t\fP \fItimeout\fP]
[\fB\-p\fP \fIport\fP] [\fB\-U\fP \fIftpusers-file\fP] [\fB\-u\fP \fIumask\fP]
diff -up krb5-appl-1.0/telnet/telnetd/telnetd.8.manpaths krb5-appl-1.0/telnet/telnetd/telnetd.8
--- krb5-appl-1.0/telnet/telnetd/telnetd.8.manpaths 2004-11-15 16:25:41.000000000 -0500
+++ krb5-appl-1.0/telnet/telnetd/telnetd.8 2010-03-05 10:55:58.000000000 -0500
@@ -37,7 +37,7 @@ telnetd \-
.SM DARPA TELNET
protocol server
.SH SYNOPSIS
-.B /usr/libexec/telnetd
+.B @mansbindir@/telnetd
[\fB\-a\fP \fIauthmode\fP] [\fB\-B\fP] [\fB\-D\fP] [\fIdebugmode\fP]
[\fB\-e\fP] [\fB\-h\fP] [\fB\-I\fP\fIinitid\fP] [\fB\-l\fP]
[\fB\-k\fP] [\fB\-n\fP] [\fB\-r\fP\fIlowpty-highpty\fP] [\fB\-s\fP]
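Review bot: `manlibexecdir` is computed and `AC_SUBST`ed in the new `V5_AC_OUTPUT_MANPAGE` macro, but none of the four man pages this patch rewrites refers to `@manlibexecdir@`; telnetd.8 in particular changes its documented path from `/usr/libexec/telnetd` to `@mansbindir@/telnetd`, so either that substitution is dead or telnetd.8 should be using it — confirm against where the build actually installs telnetd, since admins copy this path into inetd.conf. The macro name is also passed unquoted, `AC_DEFUN(V5_AC_OUTPUT_MANPAGE,[`, whereas `KRB5_AC_LIBUTIL` in the same aclocal.m4 is declared as `AC_DEFUN([KRB5_AC_LIBUTIL],`; quoting it keeps the file consistent and avoids accidental expansion. A one-line `dnl` comment above the macro stating that it resolves the NONE placeholders in the prefix-derived directories into `man*dir` substitutions for the `AC_CONFIG_FILES` list would save the next reader from reverse-engineering the `eval echo | sed` chain.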


@ -17,7 +17,7 @@ At run-time, krshd's behavior can be reset to the earlier, non-PAM
behavior by setting "use_pam" to false in the [ftpd] section of
/etc/krb5.conf.
Modify login so that instead of directly obtaining v5 or v4 credentials
Modify login so that instead of directly obtaining v5 credentials
or running aklog, it calls PAM for authentication if strong
authentication hasn't already been performed, so that it performs
account management using PAM (prompting for a password change if need
@ -28,24 +28,16 @@ is pretty much always going to be there. At run-time, login's behavior
can be reset to the earlier, non-PAM behavior by setting "use_pam" to
false in the [login] section of /etc/krb5.conf.
Modify ksu so that it performs account and session management for the
target user account, mimicking the action of regular su. The default
service name is "ksu", because on Fedora at least the configuration used
is determined by whether or not a login shell is being opened, and so
this may need to vary, too. At run-time, ksu's behavior can be reset to
the earlier, non-PAM behavior by setting "use_pam" to false in the [ksu]
section of /etc/krb5.conf.
When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
Originally filed as RT#5939.
When enabled, ftpd, krshd, login.krb5, and ksu gain dependence on libpam.
RT#5939.
diff -up krb5-1.7/src/aclocal.m4 krb5-1.7/src/aclocal.m4
--- krb5-1.7/src/aclocal.m4 2009-02-18 19:38:17.000000000 -0500
+++ krb5-1.7/src/aclocal.m4 2009-06-04 13:45:57.000000000 -0400
@@ -1771,3 +1771,86 @@ AC_DEFUN(KRB5_AC_KEYRING_CCACHE,[
]))
diff -up krb5-appl-1.0/aclocal.m4.pam krb5-appl-1.0/aclocal.m4
--- krb5-appl-1.0/aclocal.m4.pam 2009-11-21 15:29:19.000000000 -0500
+++ krb5-appl-1.0/aclocal.m4 2010-03-05 10:48:50.000000000 -0500
@@ -486,3 +486,82 @@ AC_DEFUN([KRB5_AC_LIBUTIL],
UTIL_LIB=-lutil])dnl
AC_SUBST(UTIL_LIB)
])dnl
dnl
+dnl
+dnl Use PAM instead of local crypt() compare for checking local passwords,
+dnl and perform PAM account, session management, and password-changing where
@ -62,8 +54,6 @@ diff -up krb5-1.7/src/aclocal.m4 krb5-1.7/src/aclocal.m4
+ withekshellpamservice="$withval",withekshellpamservice=ekshell)
+AC_ARG_WITH(pam-ftp-service,[AC_HELP_STRING(--with-ftp-service,[PAM service name for ftpd ["gssftp"]])],
+ withftppamservice="$withval",withftppamservice=gssftp)
+AC_ARG_WITH(pam-ksu-service,[AC_HELP_STRING(--with-ksu-service,[PAM service name for ksu ["ksu"]])],
+ withksupamservice="$withval",withksupamservice=ksu)
+old_LIBS="$LIBS"
+if test "$withpam" != no ; then
+ AC_MSG_RESULT([checking for PAM...])
@ -114,8 +104,6 @@ diff -up krb5-1.7/src/aclocal.m4 krb5-1.7/src/aclocal.m4
+ [Define to the name of the PAM service name to be used by rshd for encrypted sessions.])
+ AC_DEFINE_UNQUOTED(FTP_PAM_SERVICE,"$withftppamservice",
+ [Define to the name of the PAM service name to be used by ftpd.])
+ AC_DEFINE_UNQUOTED(KSU_PAM_SERVICE,"$withksupamservice",
+ [Define to the name of the PAM service name to be used by ksu.])
+ PAM_LIBS="$LIBS"
+ NON_PAM_MAN=".\\\" "
+ PAM_MAN=
@ -129,21 +117,10 @@ diff -up krb5-1.7/src/aclocal.m4 krb5-1.7/src/aclocal.m4
+AC_SUBST(PAM_MAN)
+AC_SUBST(NON_PAM_MAN)
+])dnl
diff -up krb5-1.7/src/appl/bsd/configure.in krb5-1.7/src/appl/bsd/configure.in
--- krb5-1.7/src/appl/bsd/configure.in 2008-12-15 15:29:01.000000000 -0500
+++ krb5-1.7/src/appl/bsd/configure.in 2009-06-04 13:45:57.000000000 -0400
@@ -24,6 +24,7 @@ AC_CHECK_LIB(odm,main,
AC_CHECK_LIB(cfg,main,
LOGINLIBS="$LOGINLIBS -lodm -ls -lcfg"
)))
+KRB5_WITH_PAM
dnl
dnl Make our operating system-specific security checks and definitions for
dnl login.
diff -up krb5-1.7/src/appl/bsd/krshd.c krb5-1.7/src/appl/bsd/krshd.c
--- krb5-1.7/src/appl/bsd/krshd.c 2009-04-15 16:07:15.000000000 -0400
+++ krb5-1.7/src/appl/bsd/krshd.c 2009-06-04 13:45:57.000000000 -0400
@@ -161,6 +161,10 @@ char copyright[] =
diff -up krb5-appl-1.0/bsd/krshd.c.pam krb5-appl-1.0/bsd/krshd.c
--- krb5-appl-1.0/bsd/krshd.c.pam 2009-11-16 05:27:04.000000000 -0500
+++ krb5-appl-1.0/bsd/krshd.c 2010-03-05 10:48:50.000000000 -0500
@@ -163,6 +163,10 @@ char copyright[] =
#include <arpa/nameser.h>
#endif
@ -154,7 +131,7 @@ diff -up krb5-1.7/src/appl/bsd/krshd.c krb5-1.7/src/appl/bsd/krshd.c
#ifndef MAXDNAME
#define MAXDNAME 256 /*per the rfc*/
#endif
@@ -181,6 +185,7 @@ void fatal(int, const char *);
@@ -183,6 +187,7 @@ void fatal(int, const char *);
int require_encrypt = 0;
int do_encrypt = 0;
@ -162,7 +139,7 @@ diff -up krb5-1.7/src/appl/bsd/krshd.c krb5-1.7/src/appl/bsd/krshd.c
int anyport = 0;
char *kprogdir = KPROGDIR;
int netf;
@@ -1030,14 +1035,6 @@ void doit(f, fromp)
@@ -1032,14 +1037,6 @@ void doit(f, fromp)
}
#endif /*CRAY*/
@ -177,7 +154,7 @@ diff -up krb5-1.7/src/appl/bsd/krshd.c krb5-1.7/src/appl/bsd/krshd.c
#ifdef KERBEROS
/* krb5_kuserok returns 1 if OK */
if (!krb5_kuserok(bsd_context, client, locuser)){
@@ -1067,11 +1064,51 @@ void doit(f, fromp)
@@ -1069,11 +1066,51 @@ void doit(f, fromp)
goto signout_please;
}
@ -229,7 +206,7 @@ diff -up krb5-1.7/src/appl/bsd/krshd.c krb5-1.7/src/appl/bsd/krshd.c
/* Log access to account */
pwd = (struct passwd *) getpwnam(locuser);
if (pwd && (pwd->pw_uid == 0)) {
@@ -1111,7 +1148,7 @@ void doit(f, fromp)
@@ -1113,7 +1150,7 @@ void doit(f, fromp)
(void) write(2, "", 1);
@ -238,7 +215,7 @@ diff -up krb5-1.7/src/appl/bsd/krshd.c krb5-1.7/src/appl/bsd/krshd.c
if (port&&(pipe(pv) < 0)) {
error("Can't make pipe.\n");
goto signout_please;
@@ -1416,6 +1453,15 @@ void doit(f, fromp)
@@ -1418,6 +1455,15 @@ void doit(f, fromp)
environ = envinit;
@ -254,11 +231,11 @@ diff -up krb5-1.7/src/appl/bsd/krshd.c krb5-1.7/src/appl/bsd/krshd.c
#ifdef KERBEROS
/* To make Kerberos rcp work correctly, we must ensure that we
invoke Kerberos rcp on this end, not normal rcp, even if the
diff -up krb5-1.7/src/appl/bsd/login.c krb5-1.7/src/appl/bsd/login.c
--- krb5-1.7/src/appl/bsd/login.c 2008-12-15 15:29:01.000000000 -0500
+++ krb5-1.7/src/appl/bsd/login.c 2009-06-04 13:45:57.000000000 -0400
@@ -145,6 +145,11 @@ typedef sigtype (*handler)();
#include "osconf.h"
diff -up krb5-appl-1.0/bsd/login.c.pam krb5-appl-1.0/bsd/login.c
--- krb5-appl-1.0/bsd/login.c.pam 2009-11-21 15:29:19.000000000 -0500
+++ krb5-appl-1.0/bsd/login.c 2010-03-05 10:48:50.000000000 -0500
@@ -148,6 +148,11 @@ typedef sigtype (*handler)();
#define KRB5_ENV_CCNAME "KRB5CCNAME"
#endif /* KRB5_GET_TICKETS */
+#ifdef USE_PAM
@ -269,7 +246,7 @@ diff -up krb5-1.7/src/appl/bsd/login.c krb5-1.7/src/appl/bsd/login.c
#ifndef __STDC__
#ifndef volatile
#define volatile
@@ -294,6 +299,9 @@ static struct login_confs {
@@ -293,6 +298,9 @@ static struct login_confs {
char *flagname;
int *flag;
} login_conf_set[] = {
@ -279,7 +256,7 @@ diff -up krb5-1.7/src/appl/bsd/login.c krb5-1.7/src/appl/bsd/login.c
#ifdef KRB5_GET_TICKETS
{"krb5_get_tickets", &login_krb5_get_tickets},
{"krb_run_aklog", &login_krb_run_aklog},
@@ -933,6 +941,21 @@ int main(argc, argv)
@@ -934,6 +942,21 @@ int main(argc, argv)
if (!unix_needs_passwd())
break;
@ -301,7 +278,7 @@ diff -up krb5-1.7/src/appl/bsd/login.c krb5-1.7/src/appl/bsd/login.c
#ifdef KRB5_GET_TICKETS
if (login_krb5_get_tickets) {
/* rename these to something more verbose */
@@ -1020,6 +1043,24 @@ int main(argc, argv)
@@ -1021,6 +1044,24 @@ int main(argc, argv)
/* committed to login -- turn off timeout */
(void) alarm((u_int) 0);
@ -326,7 +303,7 @@ diff -up krb5-1.7/src/appl/bsd/login.c krb5-1.7/src/appl/bsd/login.c
/*
* If valid so far and root is logging in, see if root logins on
* this terminal are permitted.
@@ -1060,6 +1101,21 @@ int main(argc, argv)
@@ -1061,6 +1102,21 @@ int main(argc, argv)
sleepexit(0);
}
#endif
@ -348,7 +325,7 @@ diff -up krb5-1.7/src/appl/bsd/login.c krb5-1.7/src/appl/bsd/login.c
if (chdir(pwd->pw_dir) < 0) {
printf("No directory %s!\n", pwd->pw_dir);
@@ -1347,6 +1403,11 @@ int main(argc, argv)
@@ -1343,6 +1399,11 @@ int main(argc, argv)
}
#endif /* KRB5_GET_TICKETS */
@ -360,54 +337,55 @@ diff -up krb5-1.7/src/appl/bsd/login.c krb5-1.7/src/appl/bsd/login.c
if (tty[sizeof("tty")-1] == 'd')
syslog(LOG_INFO, "DIALUP %s, %s", tty, pwd->pw_name);
if (pwd->pw_uid == 0)
diff -up krb5-1.7/src/appl/bsd/Makefile.in krb5-1.7/src/appl/bsd/Makefile.in
--- krb5-1.7/src/appl/bsd/Makefile.in 2009-01-05 15:27:53.000000000 -0500
+++ krb5-1.7/src/appl/bsd/Makefile.in 2009-06-04 13:45:57.000000000 -0400
@@ -11,12 +11,13 @@ SETENVOBJ=@SETENVOBJ@
diff -up krb5-appl-1.0/bsd/Makefile.in.pam krb5-appl-1.0/bsd/Makefile.in
--- krb5-appl-1.0/bsd/Makefile.in.pam 2009-11-05 15:10:37.000000000 -0500
+++ krb5-appl-1.0/bsd/Makefile.in 2010-03-05 10:48:50.000000000 -0500
@@ -3,11 +3,14 @@ BUILDTOP=$(REL)..
LOGINLIBS=@LOGINLIBS@
LIBOBJS=@LIBOBJS@
KRSHDLIBS=@KRSHDLIBS@
+PAMOBJS=pam.o
+PAM_LIBS=@PAM_LIBS@
SRCS= $(srcdir)/krcp.c $(srcdir)/krlogin.c $(srcdir)/krsh.c $(srcdir)/kcmd.c \
$(srcdir)/forward.c $(srcdir)/login.c $(srcdir)/krshd.c \
$(srcdir)/krlogind.c
OBJS= krcp.o krlogin.o krsh.o kcmd.o forward.o $(SETENVOBJ) login.o krshd.o \
- krlogind.o $(LIBOBJS)
+ krlogind.o $(LIBOBJS) $(PAMOBJS)
-OBJS= krcp.o krlogin.o krsh.o kcmd.o forward.o login.o krshd.o krlogind.o
+OBJS= krcp.o krlogin.o krsh.o kcmd.o forward.o login.o krshd.o krlogind.o \
+ $(PAMOBJS)
UCB_RLOGIN = @UCB_RLOGIN@
UCB_RSH = @UCB_RSH@
@@ -53,8 +54,8 @@ install::
@@ -50,8 +53,8 @@ install::
) || exit 1; \
done
-kshd: krshd.o kcmd.o forward.o $(SETENVOBJ) $(LIBOBJS) $(PTY_DEPLIB) $(KRB5_BASE_DEPLIBS) $(APPUTILS_DEPLIB)
- $(CC_LINK) -o kshd krshd.o kcmd.o forward.o $(SETENVOBJ) $(LIBOBJS) $(KRSHDLIBS) $(PTY_LIB) $(UTIL_LIB) $(KRB5_BASE_LIBS) $(APPUTILS_LIB)
+kshd: krshd.o kcmd.o forward.o $(PAMOBJS) $(SETENVOBJ) $(LIBOBJS) $(PTY_DEPLIB) $(KRB5_BASE_DEPLIBS) $(APPUTILS_DEPLIB)
+ $(CC_LINK) -o kshd krshd.o kcmd.o forward.o $(PAMOBJS) $(SETENVOBJ) $(LIBOBJS) $(KRSHDLIBS) $(PTY_LIB) $(UTIL_LIB) $(KRB5_BASE_LIBS) $(PAM_LIBS) $(APPUTILS_LIB)
-kshd: krshd.o kcmd.o forward.o $(PTY_DEPLIB) $(MISSING_DEPLIB)
- $(CC_LINK) -o kshd krshd.o kcmd.o forward.o $(KRSHDLIBS) $(PTY_LIB) $(UTIL_LIB) $(MISSING_LIB) $(KRB5_BASE_LIBS) $(LIBS)
+kshd: krshd.o kcmd.o forward.o $(PAMOBJS) $(PTY_DEPLIB) $(MISSING_DEPLIB)
+ $(CC_LINK) -o kshd krshd.o kcmd.o forward.o $(PAMOBJS) $(KRSHDLIBS) $(PTY_LIB) $(UTIL_LIB) $(MISSING_LIB) $(KRB5_BASE_LIBS) $(PAM_LIBS) $(LIBS)
klogind: krlogind.o kcmd.o forward.o $(SETENVOBJ) $(LIBOBJS) $(PTY_DEPLIB) $(KRB5_BASE_DEPLIBS) $(APPUTILS_DEPLIB)
$(CC_LINK) -o klogind krlogind.o kcmd.o forward.o $(SETENVOBJ) $(LIBOBJS) $(PTY_LIB) $(UTIL_LIB) $(KRB5_BASE_LIBS) $(APPUTILS_LIB)
@@ -71,8 +72,8 @@ install::
klogind: krlogind.o kcmd.o forward.o $(PTY_DEPLIB) $(MISSING_DEPLIB)
$(CC_LINK) -o klogind krlogind.o kcmd.o forward.o $(PTY_LIB) $(UTIL_LIB) $(MISSING_LIB) $(KRB5_BASE_LIBS) $(LIBS)
@@ -68,8 +71,8 @@ install::
# No program name transformation is done with login.krb5 since it is directly
# referenced by klogind.
#
-login.krb5: login.o $(SETENVOBJ) $(LIBOBJS) $(PTY_DEPLIB) $(KRB5_BASE_DEPLIBS)
- $(CC_LINK) -o login.krb5 login.o $(SETENVOBJ) $(LIBOBJS) $(LOGINLIBS) $(PTY_LIB) $(KRB5_BASE_LIBS)
+login.krb5: login.o $(SETENVOBJ) $(PAMOBJS) $(LIBOBJS) $(PTY_DEPLIB) $(KRB5_BASE_DEPLIBS)
+ $(CC_LINK) -o login.krb5 login.o $(SETENVOBJ) $(PAMOBJS) $(LIBOBJS) $(LOGINLIBS) $(PTY_LIB) $(KRB5_BASE_LIBS) $(PAM_LIBS)
-login.krb5: login.o $(PTY_DEPLIB) $(MISSING_DEPLIB)
- $(CC_LINK) -o login.krb5 login.o $(LOGINLIBS) $(PTY_LIB) $(KRB5_BASE_LIBS) $(MISSING_LIB) $(LIBS)
+login.krb5: login.o $(PAMOBJS) $(PTY_DEPLIB) $(MISSING_DEPLIB)
+ $(CC_LINK) -o login.krb5 login.o $(PAMOBJS) $(LOGINLIBS) $(PTY_LIB) $(KRB5_BASE_LIBS) $(MISSING_LIB) $(PAM_LIBS) $(LIBS)
install::
$(INSTALL_PROGRAM) login.krb5 $(DESTDIR)$(SERVER_BINDIR)/login.krb5
diff -up /dev/null krb5-1.7/src/appl/bsd/pam.c
--- /dev/null 2009-06-04 10:34:55.169007373 -0400
+++ krb5-1.7/src/appl/bsd/pam.c 2009-06-04 13:45:57.000000000 -0400
@@ -0,0 +1,433 @@
diff -up krb5-appl-1.0/bsd/pam.c.pam krb5-appl-1.0/bsd/pam.c
--- krb5-appl-1.0/bsd/pam.c.pam 2010-03-05 10:48:50.000000000 -0500
+++ krb5-appl-1.0/bsd/pam.c 2010-03-05 10:48:50.000000000 -0500
@@ -0,0 +1,438 @@
+/*
+ * src/appl/bsd/pam.c
+ *
+ * Copyright 2007,2009 Red Hat, Inc.
+ * Copyright 2007,2009,2010 Red Hat, Inc.
+ *
+ * All Rights Reserved.
+ *
@ -447,13 +425,17 @@ diff -up /dev/null krb5-1.7/src/appl/bsd/pam.c
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include "k5-int.h"
+#include <profile.h>
+#include "pam.h"
+
+#ifndef MAXPWSIZE
+#define MAXPWSIZE 128
+#endif
+
+#ifndef KRB5_ENV_CCNAME
+#define KRB5_ENV_CCNAME "KRB5CCNAME"
+#endif
+
+static int appl_pam_started;
+static pid_t appl_pam_starter = -1;
+static int appl_pam_session_opened;
@ -471,8 +453,9 @@ diff -up /dev/null krb5-1.7/src/appl/bsd/pam.c
+appl_pam_enabled(krb5_context context, const char *section)
+{
+ int enabled = 1;
+ if ((context != NULL) && (context->profile != NULL)) {
+ if (profile_get_boolean(context->profile,
+ profile_t profile = NULL;
+ if ((context != NULL) && (krb5_get_profile(context, &profile) == 0)) {
+ if (profile_get_boolean(profile,
+ section,
+ USE_PAM_CONFIGURATION_KEYWORD,
+ NULL,
@ -837,9 +820,9 @@ diff -up /dev/null krb5-1.7/src/appl/bsd/pam.c
+ return ret;
+}
+#endif
diff -up /dev/null krb5-1.7/src/appl/bsd/pam.h
--- /dev/null 2009-06-04 10:34:55.169007373 -0400
+++ krb5-1.7/src/appl/bsd/pam.h 2009-06-04 13:45:57.000000000 -0400
diff -up krb5-appl-1.0/bsd/pam.h.pam krb5-appl-1.0/bsd/pam.h
--- krb5-appl-1.0/bsd/pam.h.pam 2010-03-05 10:48:50.000000000 -0500
+++ krb5-appl-1.0/bsd/pam.h 2010-03-05 10:48:50.000000000 -0500
@@ -0,0 +1,65 @@
+/*
+ * src/appl/bsd/pam.h
@ -906,21 +889,22 @@ diff -up /dev/null krb5-1.7/src/appl/bsd/pam.h
+int appl_pam_cred_init(void);
+void appl_pam_cleanup(void);
+#endif
diff -up krb5-1.7/src/appl/gssftp/configure.in krb5-1.7/src/appl/gssftp/configure.in
--- krb5-1.7/src/appl/gssftp/configure.in 2006-03-31 16:00:40.000000000 -0500
+++ krb5-1.7/src/appl/gssftp/configure.in 2009-06-04 13:45:57.000000000 -0400
@@ -17,6 +17,7 @@ DECLARE_SYS_ERRLIST
AC_REPLACE_FUNCS(getdtablesize)
AC_CHECK_FUNCS(getcwd getdtablesize getusershell seteuid setreuid setresuid strerror getenv)
AC_CHECK_LIB(crypt,crypt) dnl
diff -up krb5-appl-1.0/configure.ac.pam krb5-appl-1.0/configure.ac
--- krb5-appl-1.0/configure.ac.pam 2009-11-21 16:46:39.000000000 -0500
+++ krb5-appl-1.0/configure.ac 2010-03-05 10:48:50.000000000 -0500
@@ -156,6 +156,8 @@ AC_CHECK_FUNC(tgetent, ,
[AC_MSG_ERROR([Could not find tgetent; are you missing a curses/ncurses library?])])
LIBS="$old_LIBS"
+KRB5_WITH_PAM
KRB5_AC_LIBUTIL
dnl
dnl copied from appl/bsd/configure.in
diff -up krb5-1.7/src/appl/gssftp/ftpd/ftpd.c krb5-1.7/src/appl/gssftp/ftpd/ftpd.c
--- krb5-1.7/src/appl/gssftp/ftpd/ftpd.c 2009-01-28 00:42:11.000000000 -0500
+++ krb5-1.7/src/appl/gssftp/ftpd/ftpd.c 2009-06-04 13:45:57.000000000 -0400
@@ -67,6 +67,9 @@ static char sccsid[] = "@(#)ftpd.c 5.40
+
# Make our operating system-specific security checks and definitions
# for libpty, login, and ftpd. The following code decides what
# streams modules will be pushed onto a pty. In particular, if
diff -up krb5-appl-1.0/gssftp/ftpd/ftpd.c.pam krb5-appl-1.0/gssftp/ftpd/ftpd.c
--- krb5-appl-1.0/gssftp/ftpd/ftpd.c.pam 2009-11-18 00:07:46.000000000 -0500
+++ krb5-appl-1.0/gssftp/ftpd/ftpd.c 2010-03-05 10:48:50.000000000 -0500
@@ -69,6 +69,9 @@ static char sccsid[] = "@(#)ftpd.c 5.40
#ifdef HAVE_SHADOW
#include <shadow.h>
#endif
@ -930,7 +914,7 @@ diff -up krb5-1.7/src/appl/gssftp/ftpd/ftpd.c krb5-1.7/src/appl/gssftp/ftpd/ftpd
#include <grp.h>
#include <setjmp.h>
#ifndef POSIX_SETJMP
@@ -745,6 +748,22 @@ user(name)
@@ -743,6 +746,22 @@ user(name)
name);
}
#endif /* GSSAPI */
@ -953,7 +937,7 @@ diff -up krb5-1.7/src/appl/gssftp/ftpd/ftpd.c krb5-1.7/src/appl/gssftp/ftpd/ftpd
if (!authorized && authlevel == AUTHLEVEL_AUTHORIZE) {
strncat(buf, "; Access denied.",
@@ -846,6 +865,10 @@ end_login()
@@ -843,6 +862,10 @@ end_login()
(void) krb5_seteuid((uid_t)0);
if (logged_in)
pty_logwtmp(ttyline, "", "");
@ -964,7 +948,7 @@ diff -up krb5-1.7/src/appl/gssftp/ftpd/ftpd.c krb5-1.7/src/appl/gssftp/ftpd/ftpd
if (have_creds) {
#ifdef GSSAPI
krb5_cc_destroy(kcontext, ccache);
@@ -954,9 +977,19 @@ pass(passwd)
@@ -951,9 +974,19 @@ pass(passwd)
* kpass fails and the user has no local password
* kpass fails and the provided password doesn't match pw
*/
@ -987,7 +971,7 @@ diff -up krb5-1.7/src/appl/gssftp/ftpd/ftpd.c krb5-1.7/src/appl/gssftp/ftpd/ftpd
pw = NULL;
sleep(5);
if (++login_attempts >= 3) {
@@ -973,6 +1006,23 @@ pass(passwd)
@@ -970,6 +1003,23 @@ pass(passwd)
}
login_attempts = 0; /* this time successful */
@ -1011,7 +995,7 @@ diff -up krb5-1.7/src/appl/gssftp/ftpd/ftpd.c krb5-1.7/src/appl/gssftp/ftpd/ftpd
login(passwd, 0);
return;
}
@@ -988,6 +1038,18 @@ login(passwd, logincode)
@@ -985,6 +1035,18 @@ login(passwd, logincode)
chown(ccname, pw->pw_uid, pw->pw_gid);
#endif
}
@ -1030,7 +1014,7 @@ diff -up krb5-1.7/src/appl/gssftp/ftpd/ftpd.c krb5-1.7/src/appl/gssftp/ftpd/ftpd
(void) krb5_setegid((gid_t)pw->pw_gid);
(void) initgroups(pw->pw_name, pw->pw_gid);
@@ -1960,6 +2022,10 @@ dologout(status)
@@ -1966,6 +2028,10 @@ dologout(status)
krb5_cc_destroy(kcontext, ccache);
#endif
}
@ -1041,12 +1025,12 @@ diff -up krb5-1.7/src/appl/gssftp/ftpd/ftpd.c krb5-1.7/src/appl/gssftp/ftpd/ftpd
/* beware of flushing buffers after a SIGPIPE */
_exit(status);
}
diff -up krb5-1.7/src/appl/gssftp/ftpd/Makefile.in krb5-1.7/src/appl/gssftp/ftpd/Makefile.in
--- krb5-1.7/src/appl/gssftp/ftpd/Makefile.in 2009-01-05 15:27:53.000000000 -0500
+++ krb5-1.7/src/appl/gssftp/ftpd/Makefile.in 2009-06-04 13:45:57.000000000 -0400
@@ -14,23 +14,25 @@ SETENVOBJ=@SETENVOBJ@
LIBOBJS=@LIBOBJS@
COMERRLIB=$(BUILDTOP)/util/et/libcom_err.a
diff -up krb5-appl-1.0/gssftp/ftpd/Makefile.in.pam krb5-appl-1.0/gssftp/ftpd/Makefile.in
--- krb5-appl-1.0/gssftp/ftpd/Makefile.in.pam 2009-07-20 13:21:24.000000000 -0400
+++ krb5-appl-1.0/gssftp/ftpd/Makefile.in 2010-03-05 10:48:50.000000000 -0500
@@ -6,22 +6,24 @@ PROG_LIBPATH=-L$(TOPLIBD)
PROG_RPATH=$(KRB5_LIBDIR)
FTPD_LIBS=@FTPD_LIBS@
+PAM_LIBS=@PAM_LIBS@
@ -1054,218 +1038,29 @@ diff -up krb5-1.7/src/appl/gssftp/ftpd/Makefile.in krb5-1.7/src/appl/gssftp/ftpd
$(srcdir)/vers.c \
$(srcdir)/../ftp/glob.c \
$(srcdir)/../ftp/radix.c \
$(srcdir)/../ftp/secure.c \
+ $(srcdir)/../../bsd/pam.c \
$(srcdir)/../../bsd/getdtablesize.c $(SETENVSRC)
- $(srcdir)/../ftp/secure.c
+ $(srcdir)/../ftp/secure.c \
+ $(srcdir)/../../bsd/pam.c
OBJS = ftpd.o ftpcmd.o glob.o popen.o vers.o radix.o \
- secure.o $(LIBOBJS) $(SETENVOBJ)
+ secure.o pam.o getdtablesize.o $(LIBOBJS) $(SETENVOBJ)
- secure.o
+ secure.o pam.o
LOCALINCLUDES = -I$(srcdir)/.. -I$(srcdir)
all:: ftpd
ftpd: $(OBJS) $(PTY_DEPLIB) $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS)
- $(CC_LINK) -o $@ $(OBJS) $(FTPD_LIBS) $(PTY_LIB) $(UTIL_LIB) $(GSS_LIBS) $(KRB5_BASE_LIBS)
+ $(CC_LINK) -o $@ $(OBJS) $(FTPD_LIBS) $(PTY_LIB) $(UTIL_LIB) $(GSS_LIBS) $(KRB5_BASE_LIBS) $(PAM_LIBS)
ftpd: $(OBJS) $(PTY_DEPLIB) $(MISSING_DEPLIB)
- $(CC_LINK) -o $@ $(OBJS) $(FTPD_LIBS) $(PTY_LIB) $(UTIL_LIB) $(MISSING_LIB) $(GSS_LIBS) $(LIBS)
+ $(CC_LINK) -o $@ $(OBJS) $(FTPD_LIBS) $(PTY_LIB) $(UTIL_LIB) $(MISSING_LIB) $(GSS_LIBS) $(PAM_LIBS) $(LIBS)
generate-files-mac: ftpcmd.c
@@ -62,6 +64,8 @@ secure.o: $(srcdir)/../ftp/secure.c
@@ -61,4 +63,7 @@ ftpcmd.o: ftpcmd.c
popen.o: $(srcdir)/popen.c
vers.o: $(srcdir)/vers.c
getdtablesize.o: $(srcdir)/../../bsd/getdtablesize.c
$(CC) -c $(ALL_CFLAGS) $(srcdir)/../../bsd/getdtablesize.c
+pam.o: $(srcdir)/../../bsd/pam.c
+ $(CC) -c $(ALL_CFLAGS) $(srcdir)/../../bsd/pam.c
setenv.o: $(srcdir)/../../bsd/setenv.c
$(CC) -c $(ALL_CFLAGS) $(srcdir)/../../bsd/setenv.c
diff -up krb5-1.7/src/clients/ksu/main.c krb5-1.7/src/clients/ksu/main.c
--- krb5-1.7/src/clients/ksu/main.c 2008-12-01 12:09:59.000000000 -0500
+++ krb5-1.7/src/clients/ksu/main.c 2009-06-04 13:45:57.000000000 -0400
@@ -25,6 +25,7 @@
* KSU was writen by: Ari Medvinsky, ari@isi.edu
*/
+#include "autoconf.h"
#include "ksu.h"
#include "adm_proto.h"
#include <sys/types.h>
@@ -32,6 +33,10 @@
#include <signal.h>
#include <grp.h>
+#ifdef USE_PAM
+#include "../../appl/bsd/pam.h"
+#endif
+
/* globals */
char * prog_name;
int auth_debug =0;
@@ -39,6 +44,7 @@
char k5users_path[MAXPATHLEN];
char * gb_err = NULL;
int quiet = 0;
+int force_fork = 0;
/***********/
#define _DEF_CSH "/bin/csh"
@@ -585,6 +591,25 @@
prog_name,target_user,client_name,
source_user,ontty());
+#ifdef USE_PAM
+ if (appl_pam_enabled(ksu_context, "ksu")) {
+ if (appl_pam_acct_mgmt(KSU_PAM_SERVICE, 1, target_user, NULL,
+ NULL, source_user,
+ ttyname(STDERR_FILENO)) != 0) {
+ fprintf(stderr, "Access denied for %s.\n", target_user);
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+ if (appl_pam_requires_chauthtok()) {
+ fprintf(stderr, "Password change required for %s.\n",
+ target_user);
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+ force_fork++;
+ }
+#endif
+
/* Run authorization as target.*/
if (krb5_seteuid(target_uid)) {
com_err(prog_name, errno, "while switching to target for authorization check");
@@ -791,7 +816,7 @@
fprintf(stderr, "program to be execed %s\n",params[0]);
}
- if( keep_target_cache ) {
+ if( keep_target_cache && !force_fork ) {
execv(params[0], params);
com_err(prog_name, errno, "while trying to execv %s",
params[0]);
@@ -799,6 +824,33 @@
exit(1);
}else{
statusp = 1;
+
+#ifdef USE_PAM
+ if (appl_pam_enabled(ksu_context, "ksu")) {
+ if (appl_pam_session_open() != 0) {
+ fprintf(stderr, "Error opening session for %s.\n", target_user);
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+#ifdef DEBUG
+ if (auth_debug){
+ printf(" Opened PAM session.\n");
+ }
+#endif
+ if (appl_pam_cred_init()) {
+ fprintf(stderr, "Error initializing credentials for %s.\n",
+ target_user);
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+#ifdef DEBUG
+ if (auth_debug){
+ printf(" Initialized PAM credentials.\n");
+ }
+#endif
+ }
+#endif
+
switch ((child_pid = fork())) {
default:
if (auth_debug){
@@ -822,15 +874,34 @@
if (ret_pid == -1) {
com_err(prog_name, errno, "while calling waitpid");
}
- sweep_up(ksu_context, cc_target);
+ if( !keep_target_cache ) {
+ sweep_up(ksu_context, cc_target);
+ }
exit (statusp);
case -1:
com_err(prog_name, errno, "while trying to fork.");
sweep_up(ksu_context, cc_target);
exit (1);
case 0:
+#ifdef USE_PAM
+ if (appl_pam_enabled(ksu_context, "ksu")) {
+ if (appl_pam_setenv() != 0) {
+ fprintf(stderr, "Error setting up environment for %s.\n",
+ target_user);
+ exit (1);
+ }
+#ifdef DEBUG
+ if (auth_debug){
+ printf(" Set up PAM environment.\n");
+ }
+#endif
+ }
+#endif
execv(params[0], params);
com_err(prog_name, errno, "while trying to execv %s", params[0]);
+ if( keep_target_cache ) {
+ sweep_up(ksu_context, cc_target);
+ }
exit (1);
}
}
diff -up krb5-1.7/src/clients/ksu/Makefile.in krb5-1.7/src/clients/ksu/Makefile.in
--- krb5-1.7/src/clients/ksu/Makefile.in 2009-01-05 15:27:53.000000000 -0500
+++ krb5-1.7/src/clients/ksu/Makefile.in 2009-06-04 13:45:57.000000000 -0400
@@ -15,6 +15,7 @@ SRCS = \
$(srcdir)/ccache.c \
$(srcdir)/authorization.c \
$(srcdir)/main.c \
+ $(srcdir)/../../appl/bsd/pam.c \
$(srcdir)/heuristic.c \
$(srcdir)/xmalloc.c \
$(srcdir)/setenv.c
@@ -23,13 +24,17 @@ OBJS = \
ccache.o \
authorization.o \
main.o \
+ pam.o \
heuristic.o \
xmalloc.o @SETENVOBJ@
all:: ksu
ksu: $(OBJS) $(KRB5_BASE_DEPLIBS)
- $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS)
+ $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS) $(PAM_LIBS)
+
+pam.o: $(srcdir)/../../appl/bsd/pam.c
+ $(CC) $(ALL_CFLAGS) -c $<
clean::
$(RM) ksu
diff -up krb5-1.7/src/config/pre.in krb5-1.7/src/config/pre.in
--- krb5-1.7/src/config/pre.in 2009-04-15 16:06:35.000000000 -0400
+++ krb5-1.7/src/config/pre.in 2009-06-04 13:45:57.000000000 -0400
@@ -181,6 +181,7 @@ LD_UNRESOLVED_PREFIX = @LD_UNRESOLVED_PR
LD_SHLIBDIR_PREFIX = @LD_SHLIBDIR_PREFIX@
LDARGS = @LDARGS@
LIBS = @LIBS@
+PAM_LIBS = @PAM_LIBS@
INSTALL=@INSTALL@
INSTALL_STRIP=
diff -up krb5-1.7/src/configure.in krb5-1.7/src/configure.in
--- krb5-1.7/src/configure.in 2009-04-15 16:07:03.000000000 -0400
+++ krb5-1.7/src/configure.in 2009-06-04 13:45:57.000000000 -0400
@@ -1040,6 +1040,8 @@ fi
dnl
AC_CONFIG_SUBDIRS(appl/libpty appl/bsd appl/gssftp appl/telnet)
+KRB5_WITH_PAM
+
AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config])
V5_AC_OUTPUT_MAKEFILE(.
# NOPOSTFIX


@ -1,8 +1,10 @@
Start with only TERM defined in the environment, like NetKit rlogind does, and
KRB5CCNAME, which we set ourselves.
--- krb5-1.3/src/appl/bsd/krlogind.c
+++ krb5-1.3/src/appl/bsd/krlogind.c
@@ -713,6 +713,9 @@
diff -up krb5-appl-1.0/bsd/krlogind.c.rlogind-environ krb5-appl-1.0/bsd/krlogind.c
--- krb5-appl-1.0/bsd/krlogind.c.rlogind-environ 2009-11-21 15:29:19.000000000 -0500
+++ krb5-appl-1.0/bsd/krlogind.c 2010-03-05 11:07:34.000000000 -0500
@@ -667,6 +667,9 @@ void doit(f, fromp)
#else
struct sgttyb b;
#endif /* POSIX_TERMIOS */
@ -10,9 +12,9 @@ KRB5CCNAME, which we set ourselves.
+ char *bare_environ[] = {environ_term, environ_ccname, NULL};
+
if ((retval = pty_open_slave(line, &t))) {
fatal(f, error_message(retval));
fatal(f, pty_error_message(retval));
exit(1);
@@ -819,11 +822,15 @@
@@ -773,11 +776,15 @@ void doit(f, fromp)
/* use the vendors login, which has -p and -f. Tested on
* AIX 4.1.4 and HPUX 10
*/
@ -23,15 +25,14 @@ KRB5CCNAME, which we set ourselves.
{
char *cp;
- if ((cp = strchr(term,'/')))
- *cp = '\0';
- setenv("TERM",term, 1);
+ snprintf(environ_term, sizeof(environ_term) - 1, "TERM=%s", term);
+ if ((cp = strchr(environ_term,'/')))
+ *cp = '\0';
*cp = '\0';
- setenv("TERM",term, 1);
}
retval = pty_make_sane_hostname((struct sockaddr *) fromp, maxhostlen,
@@ -832,13 +839,13 @@
@@ -786,13 +793,13 @@ void doit(f, fromp)
if (retval)
fatalperror(f, "failed make_sane_hostname");
if (passwd_req)
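Review bot: The rebased hunk keeps `snprintf(environ_term, sizeof(environ_term) - 1, "TERM=%s", term);`, where the `- 1` is unnecessary because snprintf always NUL-terminates within the size it is given, so it only wastes a byte; the idiomatic form is `snprintf(environ_term, sizeof(environ_term), "TERM=%s", term);`. The return value is also not checked, and `term` is supplied by the remote rlogin client, so an over-long terminal type is silently truncated — safe as far as the buffer goes, but a comment such as `/* TERM comes from the peer; truncation to the buffer is intentional */` would make that deliberate, and the '/' cut that strips the speed suffix deserves a similar one-line note. The declaration and size of environ_term are outside this hunk and doit() starts before it, so whether anything else consumes the TERM value is not visible here. The rendered page collapses old and new lines, so I read the snprintf form as the surviving new-side code.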


@ -1,35 +0,0 @@
Fall back to TCP on kdc-unresolvable/unreachable errors. We still have
to wait for UDP to fail, so this might not be ideal. RT #5868.
Index: src/lib/krb5/os/changepw.c
===================================================================
--- src/lib/krb5/os/changepw.c (revision 20199)
+++ src/lib/krb5/os/changepw.c (working copy)
@@ -251,11 +251,22 @@
NULL,
NULL
))) {
-
- /*
- * Here we may want to switch to TCP on some errors.
- * right?
- */
+ /* if we're not using a stream socket, and it's an error which
+ * might reasonably be specific to a datagram "connection", try
+ * again with a stream socket */
+ if (!useTcp) {
+ switch (code) {
+ case KRB5_KDC_UNREACH:
+ case KRB5_REALM_CANT_RESOLVE:
+ case KRB5KRB_ERR_RESPONSE_TOO_BIG:
+ /* should we do this for more result codes than these? */
+ krb5int_free_addrlist (&al);
+ useTcp = 1;
+ continue;
+ default:
+ break;
+ }
+ }
break;
}

389
krb5.spec

@ -12,14 +12,18 @@
Summary: The Kerberos network authentication system
Name: krb5
Version: 1.7.1
Release: 6%{?dist}
Version: 1.8
Release: 1%{?dist}
# Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.7/krb5-1.7.1-signed.tar
Source0: krb5-%{version}.tar.gz
Source1: krb5-%{version}.tar.gz.asc
# Everything that needs a krb5-appl counterpart will have it with number + 100
# until we get the package split done, else the telnet/ftp/rcmd stuff will just
# "vanish".
Source100: krb5-appl-%{appl_version}.tar.gz
Source101: krb5-appl-%{appl_version}.tar.gz.asc
Source2: kpropd.init
Source3: krb5-appl-%{appl_version}.tar.gz
Source4: kadmind.init
Source5: krb5kdc.init
Source6: krb5.conf
@ -41,7 +45,8 @@ Source22: ekrb5-telnet.xinetd
# and tarred up.
Source23: krb5-%{version}-pdf.tar.gz
Source24: krb5-tex-pdf.sh
Source25: krb5-trunk-manpaths.txt
Source25: krb5-1.8-manpaths.txt
Source125: krb5-appl-1.0-manpaths.txt
Source26: gssftp.pamd
Source27: kshell.pamd
Source28: ekshell.pamd
@ -51,45 +56,43 @@ Source31: kerberos-adm.portreserve
Source32: krb5_prop.portreserve
Patch3: krb5-1.3-netkit-rsh.patch
Patch4: krb5-1.3-rlogind-environ.patch
Patch5: krb5-1.3-ksu-access.patch
Patch6: krb5-1.5-ksu-path.patch
Patch4: krb5-appl-1.0-rlogind-environ.patch
Patch5: krb5-1.8-ksu-access.patch
Patch6: krb5-1.8-ksu-path.patch
Patch11: krb5-1.2.1-passive.patch
Patch12: krb5-1.7-ktany.patch
Patch14: krb5-1.3-ftp-glob.patch
Patch16: krb5-1.7-buildconf.patch
Patch23: krb5-1.3.1-dns.patch
Patch26: krb5-1.3.2-efence.patch
Patch29: krb5-1.7-kprop-mktemp.patch
Patch29: krb5-1.8-kprop-mktemp.patch
Patch30: krb5-1.3.4-send-pr-tempfile.patch
Patch33: krb5-1.7-io.patch
Patch33: krb5-appl-1.0-io.patch
Patch36: krb5-1.7-rcp-markus.patch
Patch39: krb5-1.7-api.patch
Patch39: krb5-1.8-api.patch
Patch40: krb5-1.4.1-telnet-environ.patch
Patch41: krb5-1.6.3-login-lpass.patch
Patch53: krb5-1.7-nodeplibs.patch
Patch55: krb5-1.6.1-empty.patch
Patch56: krb5-1.7-doublelog.patch
Patch57: krb5-1.6.2-login_chdir.patch
Patch58: krb5-1.6.2-key_exp.patch
Patch59: krb5-trunk-kpasswd_tcp.patch
Patch60: krb5-1.7-pam.patch
Patch61: krb5-trunk-manpaths.patch
Patch63: krb5-1.7-selinux-label.patch
Patch57: krb5-appl-1.0-login_chdir.patch
Patch58: krb5-1.8-key_exp.patch
Patch59: krb5-1.8-kpasswd_tcp.patch
Patch60: krb5-1.8-pam.patch
Patch160: krb5-appl-1.0-pam.patch
Patch61: krb5-1.8-manpaths.patch
Patch161: krb5-appl-1.0-manpaths.patch
Patch63: krb5-1.8-selinux-label.patch
Patch70: krb5-trunk-kpasswd_tcp2.patch
Patch71: krb5-1.7-dirsrv-accountlock.patch
Patch71: krb5-1.8-dirsrv-accountlock.patch
Patch72: krb5-1.6.3-ftp_fdleak.patch
Patch73: krb5-1.6.3-ftp_glob_runique.patch
Patch79: krb5-trunk-ftp_mget_case.patch
Patch86: krb5-1.7-time_t_size.patch
Patch88: krb5-1.7-sizeof.patch
Patch89: krb5-1.7-largefile.patch
Patch90: krb5-1.7-openssl-1.0.patch
Patch89: krb5-appl-1.0-largefile.patch
Patch93: krb5-1.7-create_on_load.patch
Patch95: krb5-1.7-opte.patch
Patch96: krb5-1.7-exp_warn.patch
Patch97: http://web.mit.edu/kerberos/advisories/2010-001-patch.txt
Patch98: krb5-1.7.1-kpasswd_ccache.patch
Patch95: krb5-1.8-opte.patch
Patch96: krb5-1.8-exp_warn.patch
Patch98: krb5-1.8-kpasswd_ccache.patch
License: MIT
URL: http://web.mit.edu/kerberos/www/
@ -207,8 +210,7 @@ Group: System Environment/Base
Requires: %{name}-workstation = %{version}-%{release}
Requires(post): initscripts
Requires(postun): initscripts
# mktemp is used by krb5-send-pr
Requires: mktemp, xinetd, /etc/pam.d/%{login_pam_service}
Requires: xinetd, /etc/pam.d/%{login_pam_service}
%description workstation-servers
Kerberos is a network authentication system. The krb5-workstation-servers
@ -228,50 +230,69 @@ to obtain initial credentials from a KDC using a private key and a
certificate.
%prep
%setup -q -a 3 -a 23
ln -s README LICENSE
pushd src
%patch60 -p2 -b .pam
%patch61 -p0 -b .manpaths
%setup -q -a 23 -a 100
ln -s NOTICE LICENSE
%patch60 -p1 -b .pam
pushd krb5-appl-%{appl_version}
%patch160 -p1 -b .pam
popd
%patch61 -p1 -b .manpaths
pushd krb5-appl-%{appl_version}
%patch161 -p1 -b .manpaths
popd
%patch63 -p1 -b .selinux-label
%patch3 -p1 -b .netkit-rsh
pushd krb5-appl-%{appl_version}
%patch3 -p3 -b .netkit-rsh
%patch4 -p1 -b .rlogind-environ
popd
%patch5 -p1 -b .ksu-access
%patch6 -p1 -b .ksu-path
%patch11 -p1 -b .passive
pushd krb5-appl-%{appl_version}
%patch11 -p3 -b .passive
popd
%patch12 -p1 -b .ktany
%patch14 -p1 -b .ftp-glob
pushd krb5-appl-%{appl_version}
%patch14 -p3 -b .ftp-glob
popd
%patch16 -p1 -b .buildconf
%patch23 -p1 -b .dns
# Removes a malloc(0) case, nothing more.
# %patch26 -p1 -b .efence
%patch29 -p1 -b .kprop-mktemp
%patch30 -p1 -b .send-pr-tempfile
pushd krb5-appl-%{appl_version}
%patch33 -p1 -b .io
%patch36 -p1 -b .rcp-markus
%patch36 -p3 -b .rcp-markus
popd
%patch39 -p1 -b .api
%patch40 -p1 -b .telnet-environ
%patch41 -p1 -b .login-lpass
pushd krb5-appl-%{appl_version}
%patch40 -p3 -b .telnet-environ
popd
%patch53 -p1 -b .nodeplibs
#%patch55 -p1 -b .empty
%patch56 -p1 -b .doublelog
#%patch57 -p1 -b .login_chdir
pushd krb5-appl-%{appl_version}
%patch57 -p1 -b .login_chdir
popd
%patch58 -p1 -b .key_exp
%patch59 -p0 -b .kpasswd_tcp
%patch59 -p1 -b .kpasswd_tcp
#%patch70 -p0 -b .kpasswd_tcp2
%patch71 -p1 -b .dirsrv-accountlock
%patch72 -p1 -b .ftp_fdleak
%patch73 -p1 -b .ftp_glob_runique
%patch79 -p0 -b .ftp_mget_case
%patch86 -p1 -b .time_t_size
%patch88 -p1 -b .sizeof
pushd krb5-appl-%{appl_version}
%patch72 -p3 -b .ftp_fdleak
%patch73 -p3 -b .ftp_glob_runique
%patch79 -p2 -b .ftp_mget_case
%patch88 -p3 -b .sizeof
%patch89 -p1 -b .largefile
%patch90 -p0 -b .openssl-1.0
%patch93 -p1 -b .create_on_load
popd
# Shouldn't be necessary in 1.8.
##%patch93 -p1 -b .create_on_load
%patch95 -p1 -b .opte
%patch96 -p1 -b .exp_warn
%patch97 -p1 -b .2010-001
%patch98 -p1 -b .kpasswd-ccache
gzip doc/*.ps
@ -284,7 +305,7 @@ sed -i -e '1c\
\\usepackage{hyperref}' doc/implement/implement.tex
# Take the execute bit off of documentation.
chmod -x doc/krb5-protocol/*.txt doc/*.html
chmod -x doc/krb5-protocol/*.txt doc/*.html doc/*/*.html
# Rename the man pages so that they'll get generated correctly. Uses the
# "krb5-trunk-manpaths.txt" source file.
@ -293,6 +314,11 @@ cat %{SOURCE25} | while read manpage ; do
mv "$manpage" "$manpage".in
done
popd
pushd krb5-appl-%{appl_version}
cat %{SOURCE125} | while read manpage ; do
mv "$manpage" "$manpage".in
done
popd
# Check that the PDFs we built earlier match this source tree, using the
# "krb5-tex-pdf.sh" source file.
@ -315,20 +341,21 @@ egrep -iv '(^$|^dn:|^changetype:|^add:)' $inldif >> 60kerberos.ldif
touch -r $inldif 60kerberos.ldif
# Rebuild the configure scripts.
cd src
top=`pwd`
for configurein in `find -name configure.in -type f` ; do
pushd `dirname $configurein`
grep -q A._CONFIG_HEADER configure.in && autoheader -I "$top"
autoconf -I "$top"
popd
done
pushd src
autoheader
autoconf
popd
pushd krb5-appl-%{appl_version}
autoheader
autoconf
popd
%build
cd src
INCLUDES=-I%{_includedir}/et
# Work out the CFLAGS and CPPFLAGS which we intend to use.
CFLAGS="`echo $RPM_OPT_FLAGS $DEFINES $INCLUDES -fPIC -fno-strict-aliasing`"
CFLAGS="`echo $RPM_OPT_FLAGS $DEFINES $INCLUDES -fPIC`"
CPPFLAGS="`echo $DEFINES $INCLUDES`"
%configure \
CC="%{__cc}" \
@ -340,10 +367,6 @@ CPPFLAGS="`echo $DEFINES $INCLUDES`"
SS_LIB="-lss -lncurses" \
%endif
--enable-shared \
--bindir=%{krb5prefix}/bin \
--mandir=%{krb5prefix}/man \
--sbindir=%{krb5prefix}/sbin \
--datadir=%{krb5prefix}/share \
--localstatedir=%{_var}/kerberos \
--disable-rpath \
--with-system-et \
@ -364,11 +387,28 @@ CPPFLAGS="`echo $DEFINES $INCLUDES`"
--disable-pkinit \
%endif
--with-pam \
--with-pam-login-service=%{login_pam_service} \
--with-selinux
# Now build it.
make %{?_smp_mflags}
# The applications, too. Build everything position-independent. We only get
# away with this if our build dependencies drag an older krb5-devel onto the
# system.
pushd ../krb5-appl-%{appl_version}
CFLAGS="`echo $RPM_OPT_FLAGS $DEFINES $INCLUDES -fPIE -fno-strict-aliasing`"
LDFLAGS="-pie"
%configure \
CFLAGS="$CFLAGS" \
LDFLAGS="$LDFLAGS" \
--bindir=%{krb5prefix}/bin \
--mandir=%{krb5prefix}/man \
--sbindir=%{krb5prefix}/sbin \
--datadir=%{krb5prefix}/share \
--with-pam \
--with-pam-login-service=%{login_pam_service}
make %{?_smp_mflags}
popd
# Run the test suite. We can't actually do this in the build system.
: make check TMPDIR=%{_tmppath}
@ -399,7 +439,7 @@ install -pm 644 %{SOURCE6} $RPM_BUILD_ROOT/etc/krb5.conf
# Login-time scriptlets (krb5.sh, krb5.csh) to fix the PATH variable.
mkdir -p $RPM_BUILD_ROOT/etc/profile.d
for subpackage in devel workstation ; do
for subpackage in workstation-clients workstation-servers ; do
install -pm 644 %{SOURCE7} \
$RPM_BUILD_ROOT/etc/profile.d/krb5-$subpackage.sh
install -pm 644 %{SOURCE8} \
@ -467,12 +507,13 @@ install -pdm 755 $RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/kdb
install -pdm 755 $RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/authdata
# The rest of the binaries, headers, libraries, and docs.
make -C src DESTDIR=$RPM_BUILD_ROOT install
make -C src DESTDIR=$RPM_BUILD_ROOT EXAMPLEDIR=%{_docdir}/krb5-libs-%{version}/examples install
make -C krb5-appl-%{appl_version} DESTDIR=$RPM_BUILD_ROOT install
# Munge krb5-config yet again. This is totally wrong for 64-bit, but chunks
# of the buildconf patch already conspire to strip out /usr/<anything> from the
# list of link flags, and it helps prevent file conflicts on multilib systems.
sed -r -i -e 's|^libdir=/usr/lib(64)?$|libdir=/usr/lib|g' $RPM_BUILD_ROOT%{krb5prefix}/bin/krb5-config
sed -r -i -e 's|^libdir=/usr/lib(64)?$|libdir=/usr/lib|g' $RPM_BUILD_ROOT%{_bindir}/krb5-config
# Move specific libraries from %{_libdir} to /%{_lib}, and fixup the symlinks.
touch $RPM_BUILD_ROOT/rootfile
@ -489,13 +530,6 @@ for library in libgssapi_krb5 libgssrpc libk5crypto libkrb5 libkrb5support ; do
popd
done
# Move man pages which will be in the -libs subpackage into %%{_mandir}'s tree.
for man in man1/tmac.doc man1/kerberos.1 man5/.k5login.5 man5/krb5.conf.5 ; do
mkdir -p $RPM_BUILD_ROOT/%{_mandir}/${man%%/*}
mv $RPM_BUILD_ROOT/%{krb5prefix}/man/${man} \
$RPM_BUILD_ROOT/%{_mandir}/${man%%/*}/
done
%clean
[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT
@ -574,62 +608,56 @@ fi
exit 0
%files workstation
%defattr(-,root,root)
%docdir %{krb5prefix}/man
%config(noreplace) /etc/profile.d/krb5-workstation.sh
%config(noreplace) /etc/profile.d/krb5-workstation.csh
%defattr(-,root,root,-)
%doc doc/user*.ps.gz src/config-files/services.append
%doc doc/{kdestroy,kinit,klist,kpasswd,ksu}.html
%doc doc/krb5-user.html
%attr(0755,root,root) %doc src/config-files/convert-config-files
%{_infodir}/krb5-user.info*
%dir %{krb5prefix}
%dir %{krb5prefix}/bin
%dir %{krb5prefix}/man
%dir %{krb5prefix}/man/man1
%dir %{krb5prefix}/man/man8
%dir %{krb5prefix}/sbin
# Clients of the KDC, including tools you're likely to need if you're running
# app servers other than those built from this source package.
%{krb5prefix}/bin/kdestroy
%{krb5prefix}/man/man1/kdestroy.1*
%{krb5prefix}/bin/kinit
%{krb5prefix}/man/man1/kinit.1*
%{krb5prefix}/bin/klist
%{krb5prefix}/man/man1/klist.1*
%{krb5prefix}/bin/kpasswd
%{krb5prefix}/man/man1/kpasswd.1*
%{_bindir}/kdestroy
%{_mandir}/man1/kdestroy.1*
%{_bindir}/kinit
%{_mandir}/man1/kinit.1*
%{_bindir}/klist
%{_mandir}/man1/klist.1*
%{_bindir}/kpasswd
%{_mandir}/man1/kpasswd.1*
%{krb5prefix}/bin/kvno
%{krb5prefix}/man/man1/kvno.1*
%{krb5prefix}/bin/kadmin
%{krb5prefix}/man/man1/kadmin.1*
%{krb5prefix}/bin/k5srvutil
%{krb5prefix}/man/man1/k5srvutil.1*
%{krb5prefix}/bin/ktutil
%{krb5prefix}/man/man1/ktutil.1*
%{_bindir}/kvno
%{_mandir}/man1/kvno.1*
%{_bindir}/kadmin
%{_mandir}/man1/kadmin.1*
%{_bindir}/k5srvutil
%{_mandir}/man1/k5srvutil.1*
%{_bindir}/ktutil
%{_mandir}/man1/ktutil.1*
# Doesn't really fit anywhere else.
%attr(4755,root,root) %{krb5prefix}/bin/ksu
%{krb5prefix}/man/man1/ksu.1*
%attr(4755,root,root) %{_bindir}/ksu
%{_mandir}/man1/ksu.1*
%config(noreplace) /etc/pam.d/ksu
# Problem-reporting tool.
%{krb5prefix}/sbin/krb5-send-pr
%{krb5prefix}/man/man1/krb5-send-pr.1*
%{_sbindir}/krb5-send-pr
%dir %{_datadir}/gnats
%{_datadir}/gnats/mit
%{_mandir}/man1/krb5-send-pr.1*
%files workstation-clients
%defattr(-,root,root)
%defattr(-,root,root,-)
%docdir %{krb5prefix}/man
%doc doc/{ftp,rcp,rlogin,rsh,telnet}.html
%attr(0755,root,root) %doc src/config-files/convert-config-files
%config(noreplace) /etc/profile.d/krb5-workstation-clients.sh
%config(noreplace) /etc/profile.d/krb5-workstation-clients.csh
%dir %{krb5prefix}
%dir %{krb5prefix}/bin
%dir %{krb5prefix}/man
%dir %{krb5prefix}/man/man1
%dir %{krb5prefix}/sbin
# Used by both clients and servers.
%{krb5prefix}/bin/rcp
@ -646,11 +674,15 @@ exit 0
%{krb5prefix}/man/man1/rsh.1*
%{krb5prefix}/bin/telnet
%{krb5prefix}/man/man1/telnet.1*
%{krb5prefix}/man/man1/tmac.doc*
%files workstation-servers
%defattr(-,root,root)
%defattr(-,root,root,-)
%docdir %{krb5prefix}/man
%config(noreplace) /etc/profile.d/krb5-workstation-servers.sh
%config(noreplace) /etc/profile.d/krb5-workstation-servers.csh
%dir %{krb5prefix}
%dir %{krb5prefix}/bin
%dir %{krb5prefix}/man
@ -658,10 +690,6 @@ exit 0
%dir %{krb5prefix}/man/man8
%dir %{krb5prefix}/sbin
# Problem-reporting tool.
%{krb5prefix}/sbin/krb5-send-pr
%{krb5prefix}/man/man1/krb5-send-pr.1*
# Used by both clients and servers.
%{krb5prefix}/bin/rcp
%{krb5prefix}/man/man1/rcp.1*
@ -686,8 +714,8 @@ exit 0
%{krb5prefix}/man/man8/telnetd.8*
%files server
%defattr(-,root,root)
%docdir %{krb5prefix}/man
%defattr(-,root,root,-)
%docdir %{_mandir}
/etc/rc.d/init.d/krb5kdc
/etc/rc.d/init.d/kadmin
@ -700,6 +728,8 @@ exit 0
%doc doc/admin*.ps.gz
%doc doc/install*.ps.gz
%doc doc/krb5-admin.html
%doc doc/krb5-install.html
%{_infodir}/krb5-admin.info*
%{_infodir}/krb5-install.info*
@ -709,82 +739,72 @@ exit 0
%config(noreplace) %{_var}/kerberos/krb5kdc/kdc.conf
%config(noreplace) %{_var}/kerberos/krb5kdc/kadm5.acl
%dir %{krb5prefix}
%dir %{krb5prefix}/bin
%dir %{_libdir}/krb5
%dir %{_libdir}/krb5/plugins
%dir %{_libdir}/krb5/plugins/kdb
%dir %{_libdir}/krb5/plugins/preauth
%dir %{_libdir}/krb5/plugins/authdata
%dir %{krb5prefix}/man
%dir %{krb5prefix}/man/man1
%dir %{krb5prefix}/man/man5
%dir %{krb5prefix}/man/man8
%dir %{krb5prefix}/sbin
# Problem-reporting tool.
%{krb5prefix}/sbin/krb5-send-pr
%{krb5prefix}/man/man1/krb5-send-pr.1*
%{_sbindir}/krb5-send-pr
%dir %{_datadir}/gnats
%{_datadir}/gnats/mit
%{_mandir}/man1/krb5-send-pr.1*
# KDC binaries.
%{krb5prefix}/man/man5/kdc.conf.5*
%{krb5prefix}/sbin/kadmin.local
%{krb5prefix}/man/man8/kadmin.local.8*
%{krb5prefix}/sbin/kadmind
%{krb5prefix}/man/man8/kadmind.8*
%{krb5prefix}/sbin/kdb5_util
%{krb5prefix}/man/man8/kdb5_util.8*
%{krb5prefix}/sbin/kprop
%{krb5prefix}/man/man8/kprop.8*
%{krb5prefix}/sbin/kpropd
%{krb5prefix}/man/man8/kpropd.8*
%{krb5prefix}/sbin/kproplog
%{krb5prefix}/man/man8/kproplog.8*
%{krb5prefix}/sbin/krb5kdc
%{krb5prefix}/man/man8/krb5kdc.8*
# KDC binaries and configuration.
%{_mandir}/man5/kdc.conf.5*
%{_sbindir}/kadmin.local
%{_mandir}/man8/kadmin.local.8*
%{_sbindir}/kadmind
%{_mandir}/man8/kadmind.8*
%{_sbindir}/kdb5_util
%{_mandir}/man8/kdb5_util.8*
%{_sbindir}/kprop
%{_mandir}/man8/kprop.8*
%{_sbindir}/kpropd
%{_mandir}/man8/kpropd.8*
%{_sbindir}/kproplog
%{_mandir}/man8/kproplog.8*
%{_sbindir}/krb5kdc
%{_mandir}/man8/krb5kdc.8*
# This is here for people who want to test their server, and also
# included in devel package for similar reasons.
%{krb5prefix}/bin/sclient
%{krb5prefix}/man/man1/sclient.1*
%{krb5prefix}/sbin/sserver
%{krb5prefix}/man/man8/sserver.8*
%{_bindir}/sclient
%{_mandir}/man1/sclient.1*
%{_sbindir}/sserver
%{_mandir}/man8/sserver.8*
%if %{WITH_LDAP}
%files server-ldap
%defattr(-,root,root)
%docdir %{krb5prefix}/man
%defattr(-,root,root,-)
%docdir %{_mandir}
%doc src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif
%doc src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema
%doc 60kerberos.ldif
%dir %{_libdir}/krb5
%dir %{_libdir}/krb5/plugins
%dir %{_libdir}/krb5/plugins/kdb
%dir %{krb5prefix}
%dir %{krb5prefix}/man
%dir %{krb5prefix}/man/man8
%dir %{krb5prefix}/sbin
%{_libdir}/krb5/plugins/kdb/kldap.so
%{_libdir}/libkdb_ldap.so
%{_libdir}/libkdb_ldap.so.*
%{krb5prefix}/man/man8/kdb5_ldap_util.8.gz
%{krb5prefix}/sbin/kdb5_ldap_util
%{_mandir}/man8/kdb5_ldap_util.8.gz
%{_sbindir}/kdb5_ldap_util
%endif
%files libs
%defattr(-,root,root)
%doc README LICENSE
%docdir %{krb5prefix}/man
%defattr(-,root,root,-)
%doc README NOTICE LICENSE
%docdir %{_mandir}
%verify(not md5 size mtime) %config(noreplace) /etc/krb5.conf
/%{_mandir}/man1/tmac.doc*
/%{_mandir}/man1/kerberos.1*
/%{_mandir}/man5/.k5login.5*
/%{_mandir}/man5/krb5.conf.5*
/%{_lib}/libgssapi_krb5.so.*
/%{_lib}/libgssrpc.so.*
/%{_lib}/libk5crypto.so.*
%{_libdir}/libkadm5clnt.so.*
%{_libdir}/libkadm5srv.so.*
%{_libdir}/libkadm5clnt_mit.so.*
%{_libdir}/libkadm5srv_mit.so.*
%{_libdir}/libkdb5.so.*
/%{_lib}/libkrb5.so.*
/%{_lib}/libkrb5support.so.*
@ -797,7 +817,7 @@ exit 0
%if %{WITH_OPENSSL}
%files pkinit-openssl
%defattr(-,root,root)
%defattr(-,root,root,-)
%dir %{_libdir}/krb5
%dir %{_libdir}/krb5/plugins
%dir %{_libdir}/krb5/plugins/preauth
@ -805,55 +825,58 @@ exit 0
%endif
%files devel
%defattr(-,root,root)
%config(noreplace) /etc/profile.d/krb5-devel.sh
%config(noreplace) /etc/profile.d/krb5-devel.csh
%docdir %{krb5prefix}/man
%defattr(-,root,root,-)
%docdir %{_mandir}
%doc doc/api/*.pdf
%doc doc/ccapi
%doc doc/implement/*.pdf
%doc doc/kadm5/*.pdf
%doc doc/kadmin
%doc doc/kim
%doc doc/krb5-protocol
%doc doc/rpc
%doc doc/threads.txt
%dir %{krb5prefix}
%dir %{krb5prefix}/bin
%dir %{krb5prefix}/man
%dir %{krb5prefix}/man/man1
%dir %{krb5prefix}/man/man8
%dir %{krb5prefix}/sbin
%{_includedir}/*
%{_libdir}/libgssapi_krb5.so
%{_libdir}/libgssrpc.so
%{_libdir}/libk5crypto.so
%{_libdir}/libkadm5clnt.so
%{_libdir}/libkadm5clnt_mit.so
%{_libdir}/libkadm5srv.so
%{_libdir}/libkadm5srv_mit.so
%{_libdir}/libkdb5.so
%{_libdir}/libkrb5.so
%{_libdir}/libkrb5support.so
%{krb5prefix}/bin/krb5-config
%{krb5prefix}/bin/sclient
%{krb5prefix}/man/man1/krb5-config.1*
%{krb5prefix}/man/man1/sclient.1*
%{krb5prefix}/man/man8/sserver.8*
%{krb5prefix}/sbin/sserver
%{_bindir}/krb5-config
%{_bindir}/sclient
%{_mandir}/man1/krb5-config.1*
%{_mandir}/man1/sclient.1*
%{_mandir}/man8/sserver.8*
%{_sbindir}/sserver
# Protocol test clients.
%{krb5prefix}/bin/sim_client
%{krb5prefix}/bin/gss-client
%{krb5prefix}/bin/uuclient
%{_bindir}/sim_client
%{_bindir}/gss-client
%{_bindir}/uuclient
# Protocol test servers.
%{krb5prefix}/sbin/sim_server
%{krb5prefix}/sbin/gss-server
%{krb5prefix}/sbin/uuserver
%{_sbindir}/sim_server
%{_sbindir}/gss-server
%{_sbindir}/uuserver
%changelog
* Fri Mar 5 2010 Nalin Dahyabhai <nalin@redhat.com> - 1.8-1
- update to 1.8
- temporarily bundling the krb5-appl package (split upstream as of 1.8)
until its package review is complete
- profile.d scriptlets are now only needed by -workstation-clients
- adjust paths in init scripts
- drop upstreamed fix for KDC denial of service (CVE-2010-0283)
- drop patch to check the user's password correctly using crypt(), which
isn't a code path we hit when we're using PAM
* Wed Mar 3 2010 Nalin Dahyabhai <nalin@redhat.com> - 1.7.1-6
- fix a null pointer dereference and crash introduced in our PAM patch that
would happen if ftpd was given the name of a user who wasn't known to the
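Review bot: ksu is still installed setuid root (`%attr(4755,root,root) %{_bindir}/ksu`) but is built by the main src tree with plain `-fPIC` on the %build CFLAGS line, while only the bundled krb5-appl tree gets `-fPIE` and `LDFLAGS="-pie"`, so the one binary that most benefits from PIE/ASLR hardening is the one left out. Since -fPIE cannot simply be applied to a tree that also produces shared libraries, consider adding `-pie` to just the ksu link (the ksu Makefile visibly links with `$(KSU_LIBS)`, so overriding that at make time may be the cheapest hook — verify it is honoured in 1.8) or add a spec comment stating why ksu is exempt. The same CFLAGS line drops `-fno-strict-aliasing` for the main build while the appl build keeps it; if that is deliberate because 1.8 is aliasing-clean, a one-line comment such as `# 1.8 builds cleanly without -fno-strict-aliasing; appl still needs it` would keep the next rebase from silently changing it either way. Note the test suite remains disabled (`: make check TMPDIR=...`), so neither flag change is exercised at build time.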


@ -33,7 +33,7 @@
RETVAL=0
prog="Kerberos 5 KDC"
krb5kdc=/usr/kerberos/sbin/krb5kdc
krb5kdc=/usr/sbin/krb5kdc
# Shell functions to cut down on useless shell instances.
start() {


@ -1,3 +1,5 @@
9d79efba57423008e65efc5ff75405d6 krb5-1.7.1.tar.gz
2197cc65ed90f00f92e5a27bd514b53b krb5-1.7.1.tar.gz.asc
309139729539cf5ef403bb0dc7ae455b krb5-1.7.1-pdf.tar.gz
a3391a739009efa9734db720d34f4c07 krb5-1.8.tar.gz
f923ec08f24df9e5a284be74895a6daa krb5-1.8.tar.gz.asc
4ecf03dad0df7f2ded49f0cfd9786157 krb5-appl-1.0.tar.gz
33056e617e2cbad7c8e8b732aa0fdd91 krb5-appl-1.0.tar.gz.asc
32f8238d4553c44ecdc41205c3cb0333 krb5-1.8-pdf.tar.gz