From 75b08040ff34c6bce1a92797661b3e3ab1a14deb Mon Sep 17 00:00:00 2001 
From: Nalin Dahyabhai Date: Fri, 5 Mar 2010 22:19:38 +0000 Subject: [PATCH] - update to 1.8 - temporarily bundling the krb5-appl package (split upstream as of 1.8) until its package review is complete - profile.d scriptlets are now only needed by -workstation-clients - adjust paths in init scripts - drop upstreamed fix for KDC denial of service (CVE-2010-0283) - drop patch to check the user's password correctly using crypt(), which isn't a code path we hit when we're using PAM --- .cvsignore | 5 + 2010-001-patch.txt | 42 - kadmind.init | 2 +- kpropd.init | 2 +- krb5-1.3-ksu-access.patch | 45 -- krb5-1.5-ksu-path.patch | 14 - krb5-1.6.3-login-lpass.patch | 28 - krb5-1.7-dirsrv-accountlock.patch | 69 -- krb5-1.7-exp_warn.patch | 17 - krb5-1.7-kprop-mktemp.patch | 29 - krb5-1.7-openssl-1.0.patch | 17 - krb5-1.7-opte.patch | 14 - krb5-1.7-time_t_size.patch | 66 -- krb5-1.7.1-kpasswd_ccache.patch | 32 - krb5-1.7-api.patch => krb5-1.8-api.patch | 22 +- krb5-1.8-dirsrv-accountlock.patch | 69 ++ krb5-1.8-exp_warn.patch | 17 + ....2-key_exp.patch => krb5-1.8-key_exp.patch | 10 +- krb5-1.8-kpasswd_ccache.patch | 34 + krb5-1.8-kpasswd_tcp.patch | 34 + krb5-1.8-kprop-mktemp.patch | 29 + krb5-1.8-ksu-access.patch | 49 ++ krb5-1.8-ksu-path.patch | 13 + ...-manpaths.patch => krb5-1.8-manpaths.patch | 290 +++---- krb5-1.8-opte.patch | 33 + krb5-1.8-pam.patch | 724 ++++++++++++++++++ ...abel.patch => krb5-1.8-selinux-label.patch | 448 +++++------ krb5-1.7-io.patch => krb5-appl-1.0-io.patch | 48 +- ...ile.patch => krb5-appl-1.0-largefile.patch | 512 ++++++------- ...r.patch => krb5-appl-1.0-login_chdir.patch | 12 +- krb5-appl-1.0-manpaths.patch | 107 +++ krb5-1.7-pam.patch => krb5-appl-1.0-pam.patch | 413 +++------- ...tch => krb5-appl-1.0-rlogind-environ.patch | 19 +- krb5-trunk-kpasswd_tcp.patch | 35 - krb5.spec | 389 +++++----- krb5kdc.init | 2 +- sources | 8 +- 37 files changed, 2020 insertions(+), 1679 deletions(-) delete mode 100644 2010-001-patch.txt delete mode 100644 
krb5-1.3-ksu-access.patch delete mode 100644 krb5-1.5-ksu-path.patch delete mode 100644 krb5-1.6.3-login-lpass.patch delete mode 100644 krb5-1.7-dirsrv-accountlock.patch delete mode 100644 krb5-1.7-exp_warn.patch delete mode 100644 krb5-1.7-kprop-mktemp.patch delete mode 100644 krb5-1.7-openssl-1.0.patch delete mode 100644 krb5-1.7-opte.patch delete mode 100644 krb5-1.7-time_t_size.patch delete mode 100644 krb5-1.7.1-kpasswd_ccache.patch rename krb5-1.7-api.patch => krb5-1.8-api.patch (53%) create mode 100644 krb5-1.8-dirsrv-accountlock.patch create mode 100644 krb5-1.8-exp_warn.patch rename krb5-1.6.2-key_exp.patch => krb5-1.8-key_exp.patch (69%) create mode 100644 krb5-1.8-kpasswd_ccache.patch create mode 100644 krb5-1.8-kpasswd_tcp.patch create mode 100644 krb5-1.8-kprop-mktemp.patch create mode 100644 krb5-1.8-ksu-access.patch create mode 100644 krb5-1.8-ksu-path.patch rename krb5-trunk-manpaths.patch => krb5-1.8-manpaths.patch (52%) create mode 100644 krb5-1.8-opte.patch create mode 100644 krb5-1.8-pam.patch rename krb5-1.7-selinux-label.patch => krb5-1.8-selinux-label.patch (60%) rename krb5-1.7-io.patch => krb5-appl-1.0-io.patch (82%) rename krb5-1.7-largefile.patch => krb5-appl-1.0-largefile.patch (58%) rename krb5-1.6.2-login_chdir.patch => krb5-appl-1.0-login_chdir.patch (71%) create mode 100644 krb5-appl-1.0-manpaths.patch rename krb5-1.7-pam.patch => krb5-appl-1.0-pam.patch (70%) rename krb5-1.3-rlogind-environ.patch => krb5-appl-1.0-rlogind-environ.patch (80%) delete mode 100644 krb5-trunk-kpasswd_tcp.patch
diff --git a/.cvsignore b/.cvsignore
index a38c156..6d90815 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -31,3 +31,8 @@ krb5-1.7-pdf.tar.gz
 krb5-1.7.1.tar.gz
 krb5-1.7.1.tar.gz.asc
 krb5-1.7.1-pdf.tar.gz
+krb5-1.8.tar.gz
+krb5-1.8.tar.gz.asc
+krb5-appl-1.0.tar.gz
+krb5-appl-1.0.tar.gz.asc
+krb5-1.8-pdf.tar.gz
diff --git a/2010-001-patch.txt b/2010-001-patch.txt
deleted file mode 100644
index e14c722..0000000
--- a/2010-001-patch.txt
+++ /dev/null
@@ -1,42 +0,0 @@ -diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c -index 52fbda5..680e6a1 100644 ---- a/src/kdc/do_as_req.c -+++ b/src/kdc/do_as_req.c -@@ -137,6 +137,11 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, - session_key.contents = 0; - enc_tkt_reply.authorization_data = NULL; - -+ if (request->msg_type != KRB5_AS_REQ) { -+ status = "msg_type mismatch"; -+ errcode = KRB5_BADMSGTYPE; -+ goto errout; -+ } - errcode = kdc_make_rstate(&state); - if (errcode != 0) { - status = "constructing state"; -diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c -index 12180ff..c8cf692 100644 ---- a/src/kdc/do_tgs_req.c -+++ b/src/kdc/do_tgs_req.c -@@ -135,6 +135,8 @@ process_tgs_req(krb5_data *pkt, const krb5_fulladdr *from, - retval = decode_krb5_tgs_req(pkt, &request); - if (retval) - return retval; -+ if (request->msg_type != KRB5_TGS_REQ) -+ return KRB5_BADMSGTYPE; - - /* - * setup_server_realm() sets up the global realm-specific data pointer. -diff --git a/src/kdc/fast_util.c b/src/kdc/fast_util.c -index d88e0cb..2639047 100644 ---- a/src/kdc/fast_util.c -+++ b/src/kdc/fast_util.c -@@ -384,7 +384,7 @@ krb5_error_code kdc_fast_handle_error - krb5_data *encoded_e_data = NULL; - - memset(outer_pa, 0, sizeof(outer_pa)); -- if (!state->armor_key) -+ if (!state || !state->armor_key) - return 0; - fx_error = *err; - fx_error.e_data.data = NULL; diff --git a/kadmind.init b/kadmind.init index b33668e..87f4702 100755 --- a/kadmind.init +++ b/kadmind.init @@ -33,7 +33,7 @@ # Source function library. . /etc/init.d/functions prog="Kerberos 5 Admin Server" -kadmind=/usr/kerberos/sbin/kadmind +kadmind=/usr/sbin/kadmind RETVAL=0 diff --git a/kpropd.init b/kpropd.init index 2f0f623..7c8c73d 100755 --- a/kpropd.init +++ b/kpropd.init @@ -29,7 +29,7 @@ RETVAL=0 prog="Kerberos 5 Propagation Server" -kpropd=/usr/kerberos/sbin/kpropd +kpropd=/usr/sbin/kpropd # Shell functions to cut down on useless shell instances. start() { 
diff --git a/krb5-1.3-ksu-access.patch b/krb5-1.3-ksu-access.patch deleted file mode 100644 index 59c23c2..0000000 --- a/krb5-1.3-ksu-access.patch +++ /dev/null @@ -1,45 +0,0 @@ -The idea is to not complain about problems in the default ticket file if we -couldn't read it, because the client would be able to tell if it's there or -not. Still needs work, I think. ---- krb5-1.3/src/clients/ksu/ccache.c -+++ krb5-1.3/src/clients/ksu/ccache.c -@@ -77,7 +77,7 @@ - cc_def_name = krb5_cc_get_name(context, cc_def); - cc_other_name = krb5_cc_get_name(context, *cc_other); - -- if ( ! stat(cc_def_name, &st_temp)){ -+ if ( ! access(cc_def_name, R_OK) && ! stat(cc_def_name, &st_temp)){ - if((retval = krb5_get_nonexp_tkts(context,cc_def,&cc_def_creds_arr))){ - return retval; - } ---- krb5-1.3/src/clients/ksu/heuristic.c -+++ krb5-1.3/src/clients/ksu/heuristic.c -@@ -412,7 +412,7 @@ - - cc_source_name = krb5_cc_get_name(context, cc); - -- if ( ! stat(cc_source_name, &st_temp)){ -+ if ( ! access(cc_source_name, F_OK | R_OK) && ! stat(cc_source_name, &st_temp)){ - - retval = find_ticket(context, cc, client, end_server, &temp_found); - if (retval) -@@ -572,7 +572,7 @@ - cc_source_name = krb5_cc_get_name(context, cc_source); - - -- if (! stat(cc_source_name, &st_temp)) { -+ if (! access(cc_source_name, F_OK | R_OK) && ! stat(cc_source_name, &st_temp)) { - retval = krb5_cc_get_principal(context, cc_source, &cc_def_princ); - if (retval) - return retval; ---- krb5-1.3/src/clients/ksu/main.c -+++ krb5-1.3/src/clients/ksu/main.c -@@ -263,7 +263,7 @@ - if ( strchr(cc_source_tag, ':')){ - cc_source_tag_tmp = strchr(cc_source_tag, ':') + 1; - -- if( stat( cc_source_tag_tmp, &st_temp)){ -+ if( access( cc_source_tag_tmp, F_OK | R_OK) || stat( cc_source_tag_tmp, &st_temp)){ - com_err (prog_name, errno, - "while looking for credentials file %s", - cc_source_tag_tmp); diff --git a/krb5-1.5-ksu-path.patch b/krb5-1.5-ksu-path.patch deleted file mode 100644 index 93aaede..0000000 
--- a/krb5-1.5-ksu-path.patch +++ /dev/null @@ -1,14 +0,0 @@ -Set the default PATH to the one set by login, with the addition of the -/usr/X11R6/bin to the end of the list. - ---- krb5-1.5/src/clients/ksu/Makefile.in 2006-05-24 17:19:23.000000000 -0400 -+++ krb5-1.5/src/clients/ksu/Makefile.in 2006-07-05 14:24:41.000000000 -0400 -@@ -2,7 +2,7 @@ - myfulldir=clients/ksu - mydir=clients/ksu - BUILDTOP=$(REL)..$(S).. --DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"' -+DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/usr/local/sbin /usr/local/bin /sbin /usr/sbin /bin /usr/bin /usr/X11R6/bin"' - DEFS= - - PROG_LIBPATH=-L$(TOPLIBD) diff --git a/krb5-1.6.3-login-lpass.patch b/krb5-1.6.3-login-lpass.patch deleted file mode 100644 index 4677d49..0000000 --- a/krb5-1.6.3-login-lpass.patch +++ /dev/null @@ -1,28 +0,0 @@ -The local crypt() may support hash types which use more than the first 8 -characters. It also doesn't modify the input string, so we should just -stop truncating it. Are there platforms where the input string *is* modified? - ---- krb5-1.2.7/src/appl/bsd/login.c 2005-11-15 16:20:34.000000000 -0500 -+++ krb5-1.2.7/src/appl/bsd/login.c 2005-11-15 16:20:29.000000000 -0500 -@@ -461,17 +461,14 @@ - static int unix_passwd_okay (pass) - char *pass; - { -- char user_pwcopy[9], *namep; -+ char *namep; - char *crypt (); - - assert (pwd != 0); - -- /* copy the first 8 chars of the password for unix crypt */ -- strncpy(user_pwcopy, pass, sizeof(user_pwcopy)); -- user_pwcopy[sizeof(user_pwcopy) - 1]='\0'; -- namep = crypt(user_pwcopy, salt); -- memset (user_pwcopy, 0, sizeof(user_pwcopy)); -- /* ... and wipe the copy now that we have the string */ -+ namep = crypt(pass, salt); -+ if (strlen(namep) < 13) -+ return 0; - - /* verify the local password string */ - #ifdef HAVE_SHADOW diff --git a/krb5-1.7-dirsrv-accountlock.patch b/krb5-1.7-dirsrv-accountlock.patch deleted file mode 100644 index 1bb6ae4..0000000 
--- a/krb5-1.7-dirsrv-accountlock.patch +++ /dev/null 
@@ -1,69 +0,0 @@ -Treat 'nsAccountLock: true' the same as 'loginDisabled: true'. Updated from -original version filed as RT#5891. - -diff -up krb5-1.7/src/aclocal.m4 krb5-1.7/src/aclocal.m4 ---- krb5-1.7/src/aclocal.m4 2009-06-04 14:38:07.000000000 -0400 -+++ krb5-1.7/src/aclocal.m4 2009-06-04 14:38:07.000000000 -0400 -@@ -1746,6 +1746,12 @@ AC_ARG_WITH([edirectory], - yes | no) ;; - *) AC_MSG_ERROR(Invalid option value --with-edirectory="$withval") ;; - esac], with_edirectory=no)dnl -+AC_ARG_WITH([dirsrv], -+[ --with-dirsrv compile 389/Red Hat/Fedora/Netscape Directory Server database backend module], -+[case "$withval" in -+ yes | no) ;; -+ *) AC_MSG_ERROR(Invalid option value --with-dirsrv="$withval") ;; -+esac], with_dirsrv=no)dnl - - if test $with_ldap = yes; then - if test $with_edirectory = yes; then -@@ -1757,6 +1763,10 @@ elif test $with_edirectory = yes; then - AC_MSG_NOTICE(enabling eDirectory database backend module support) - OPENLDAP_PLUGIN=yes - AC_DEFINE(HAVE_EDIRECTORY,1,[Define if LDAP KDB interface should assume eDirectory.]) -+elif test $with_dirsrv = yes; then -+ AC_MSG_NOTICE(enabling 389/Red Hat/Fedora/Netscape Directory Server database backend module support) -+ OPENLDAP_PLUGIN=yes -+ AC_DEFINE(HAVE_DIRSRV,1,[Define if LDAP KDB interface should assume RHDS/FDS/NDS.]) - else - : # neither enabled - dnl AC_MSG_NOTICE(disabling ldap backend module support) -diff -up krb5-1.7/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c krb5-1.7/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c ---- krb5-1.7/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c 2009-02-18 13:14:48.000000000 -0500 -+++ krb5-1.7/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c 2009-06-04 14:38:07.000000000 -0400 -@@ -2157,6 +2157,22 @@ populate_krb5_db_entry (krb5_context con - } - } - #endif -+#ifdef HAVE_DIRSRV -+ { -+ krb5_timestamp expiretime=0; -+ char *is_login_disabled=NULL; -+ -+ /* LOGIN DISABLED */ -+ if ((st=krb5_ldap_get_string(ld, ent, "nsaccountlock", &is_login_disabled, -+ 
&attr_present)) != 0) -+ goto cleanup; -+ if (attr_present == TRUE) { -+ if (strcasecmp(is_login_disabled, "TRUE")== 0) -+ entry->attributes |= KRB5_KDB_DISALLOW_ALL_TIX; -+ free (is_login_disabled); -+ } -+ } -+#endif - - if ((st=krb5_read_tkt_policy (context, ldap_context, entry, tktpolname)) !=0) - goto cleanup; -diff -up krb5-1.7/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c krb5-1.7/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c ---- krb5-1.7/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c 2009-04-14 17:07:34.000000000 -0400 -+++ krb5-1.7/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c 2009-06-04 14:38:07.000000000 -0400 -@@ -58,6 +58,9 @@ char *principal_attributes[] = { "kr - "loginexpirationtime", - "logindisabled", - #endif -+#ifdef HAVE_DIRSRV -+ "nsaccountlock", -+#endif - "krbLastPwdChange", - "krbExtraData", - "krbObjectReferences", diff --git a/krb5-1.7-exp_warn.patch b/krb5-1.7-exp_warn.patch deleted file mode 100644 index 1e0743d..0000000 --- a/krb5-1.7-exp_warn.patch +++ /dev/null @@ -1,17 +0,0 @@ -Don't warn of expiration reported the new way if it's more than a week from -now, for consistency with the code that handles expiration times reported the -old way. - -diff -up krb5-1.7/src/lib/krb5/krb/gic_pwd.c krb5-1.7/src/lib/krb5/krb/gic_pwd.c ---- krb5-1.7/src/lib/krb5/krb/gic_pwd.c 2010-01-18 11:12:02.000000000 -0500 -+++ krb5-1.7/src/lib/krb5/krb/gic_pwd.c 2010-01-18 11:11:50.000000000 -0500 -@@ -389,7 +389,8 @@ cleanup: - delta / 86400, ts); - /* ignore an error here */ - /* PROMPTER_INVOCATION */ -- (*prompter)(context, data, 0, banner, 0, 0); -+ if (delta < 86400 * 7) -+ (*prompter)(context, data, 0, banner, 0, 0); - } - } - } diff --git a/krb5-1.7-kprop-mktemp.patch b/krb5-1.7-kprop-mktemp.patch deleted file mode 100644 index ee8b32c..0000000 --- a/krb5-1.7-kprop-mktemp.patch +++ /dev/null 
@@ -1,29 +0,0 @@ -Use an in-memory ccache to silence a compiler warning. - -diff -up krb5-1.7/src/slave/kprop.c krb5-1.7/src/slave/kprop.c ---- krb5-1.7/src/slave/kprop.c 2008-12-01 12:09:59.000000000 -0500 -+++ krb5-1.7/src/slave/kprop.c 2009-06-04 14:14:10.000000000 -0400 -@@ -211,9 +211,8 @@ void PRS(argc, argv) - void get_tickets(context) - krb5_context context; - { -- char buf[BUFSIZ]; -+ char buf[] = "MEMORY:_kproptkt"; - krb5_error_code retval; -- static char tkstring[] = "/tmp/kproptktXXXXXX"; - krb5_keytab keytab = NULL; - - /* -@@ -238,11 +237,8 @@ void get_tickets(context) - #endif - - /* -- * Initialize cache file which we're going to be using -+ * Initialize an in-memory cache for temporary use - */ -- (void) mktemp(tkstring); -- snprintf(buf, sizeof(buf), "FILE:%s", tkstring); -- - retval = krb5_cc_resolve(context, buf, &ccache); - if (retval) { - com_err(progname, retval, "while opening credential cache %s", diff --git a/krb5-1.7-openssl-1.0.patch b/krb5-1.7-openssl-1.0.patch deleted file mode 100644 index 19aa774..0000000 --- a/krb5-1.7-openssl-1.0.patch +++ /dev/null @@ -1,17 +0,0 @@ -This isn't a proper fix (it doesn't actually switch to using the new API), -but it'll do for now. -diff -up src/plugins/preauth/pkinit/pkinit_crypto_openssl.c src/plugins/preauth/pkinit/pkinit_crypto_openssl.c ---- src/plugins/preauth/pkinit/pkinit_crypto_openssl.c.openssl-1.0 2009-01-23 01:51:03.000000000 -0500 -+++ src/plugins/preauth/pkinit/pkinit_crypto_openssl.c 2009-08-24 11:19:35.000000000 -0400 -@@ -3652,7 +3652,11 @@ decode_data(unsigned char **out_data, un - if (buf == NULL) - goto cleanup; - -+#if OPENSSL_VERSION_NUMBER < 0x10000000L - retval = EVP_PKEY_decrypt(buf, data, (int)data_len, pkey); -+#else -+ retval = EVP_PKEY_decrypt_old(buf, data, (int)data_len, pkey); -+#endif - if (retval <= 0) { - pkiDebug("unable to decrypt received data (len=%d)\n", data_len); - goto cleanup; 
diff --git a/krb5-1.7-opte.patch b/krb5-1.7-opte.patch deleted file mode 100644 index 538a19e..0000000 --- a/krb5-1.7-opte.patch +++ /dev/null @@ -1,14 +0,0 @@ -Check opte->flags instead of options->flags, because we know that opte has -been initialized to the library defaults if options was NULL. -diff -up krb5-1.7/src/lib/krb5/krb/gic_pwd.c krb5-1.7/src/lib/krb5/krb/gic_pwd.c ---- krb5-1.7/src/lib/krb5/krb/gic_pwd.c 2010-01-15 15:07:52.000000000 -0500 -+++ krb5-1.7/src/lib/krb5/krb/gic_pwd.c 2010-01-15 15:07:56.000000000 -0500 -@@ -200,7 +200,7 @@ krb5_get_init_creds_password(krb5_contex - * to prompt. Prompting is only disabled if the option has been set - * and the value has been set to false. - */ -- if (!(options->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT)) -+ if (!(opte->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT)) - goto cleanup; - - /* ok, we have an expired password. Give the user a few chances diff --git a/krb5-1.7-time_t_size.patch b/krb5-1.7-time_t_size.patch deleted file mode 100644 index 0b64783..0000000 --- a/krb5-1.7-time_t_size.patch +++ /dev/null 
@@ -1,66 +0,0 @@ -Handle ut_tv not always being a struct timeval. RT#6520 - -Index: krb5/src/appl/libpty/update_utmp.c -=================================================================== ---- krb5/src/appl/libpty/update_utmp.c (revision 22423) -+++ krb5/src/appl/libpty/update_utmp.c (working copy) -@@ -291,6 +291,12 @@ - * The ut_exit field seems to exist in utmp, but not utmpx. The files - * utmp and wtmp seem to exist, but not utmpx, or wtmpx. - * -+ * glibc: -+ * -+ * The ut_tv field of struct utmp/utmpx may be an anonymous structure -+ * containing 32-bit values on systems where time_t is 64 bits. Its -+ * fields have the same names, though. -+ * - * libpty Implementation Decisions: - * -------------------------------- - * -@@ -505,6 +511,8 @@ - const char *line, const char *host, int flags) - { - PTY_STRUCT_UTMPX utx, *utxtmp, utx2; -+ struct timeval ut_tv; -+ time_t login_time; - const char *cp; - size_t len; - char utmp_id[5]; -@@ -577,10 +585,13 @@ - utxtmp = best_utxent(&utx); - - #ifdef HAVE_SETUTXENT -- if (gettimeofday(&utx.ut_tv, NULL)) -+ if (gettimeofday(&ut_tv, NULL)) - return errno; -+ utx.ut_tv.tv_sec = ut_tv.tv_sec; -+ utx.ut_tv.tv_usec = ut_tv.tv_usec; - #else -- (void)time(&utx.ut_time); -+ (void)time(&login_time); -+ utx.ut_time = login_time; - #endif - /* - * On what system is there not ut_host? 
Unix98 doesn't mandate -Index: krb5/src/appl/bsd/login.c -=================================================================== ---- krb5/src/appl/bsd/login.c (revision 22423) -+++ krb5/src/appl/bsd/login.c (working copy) -@@ -719,7 +719,6 @@ - char *domain, **envinit, *ttyn, *tty; - char tbuf[MAXPATHLEN + 2]; - char *ttyname(), *crypt(), *getpass(); -- time_t login_time; - int retval; - int rewrite_ccache = 1; /*try to write out ccache*/ - #ifdef KRB5_GET_TICKETS -@@ -1071,9 +1070,6 @@ - - /* nothing else left to fail -- really log in */ - { -- struct utmp utmp; -- -- login_time = time(&utmp.ut_time); - if ((retval = pty_update_utmp(PTY_USER_PROCESS, getpid(), username, - ttyn, hostname, - PTY_TTYSLOT_USABLE)) < 0) diff --git a/krb5-1.7.1-kpasswd_ccache.patch b/krb5-1.7.1-kpasswd_ccache.patch deleted file mode 100644 index 959c6ee..0000000 --- a/krb5-1.7.1-kpasswd_ccache.patch +++ /dev/null @@ -1,32 +0,0 @@ -If we encounter any errors reading the user's principal name from the default -ccache, fall back to the default of using the current user's name. ---- krb5/src/clients/kpasswd/kpasswd.c -+++ krb5/src/clients/kpasswd/kpasswd.c -@@ -84,21 +84,23 @@ int main(int argc, char *argv[]) - exit(1); - } - } else if ((ret = krb5_cc_default(context, &ccache)) != KRB5_CC_NOTFOUND) { -+ princ = NULL; -+ - if (ret) { - com_err(argv[0], ret, "opening default ccache"); -- exit(1); - } -+ else - - if ((ret = krb5_cc_get_principal(context, ccache, &princ))) { - com_err(argv[0], ret, "getting principal from ccache"); -- exit(1); - } -+ else - - if ((ret = krb5_cc_close(context, ccache))) { - com_err(argv[0], ret, "closing ccache"); -- exit(1); - } -- } else { -+ } -+ if (princ == NULL) { - get_name_from_passwd_file(argv[0], context, &princ); - } - diff --git a/krb5-1.7-api.patch b/krb5-1.8-api.patch similarity index 53% rename from krb5-1.7-api.patch rename to krb5-1.8-api.patch index 99d24cd..9cc9cd2 100644 --- a/krb5-1.7-api.patch +++ b/krb5-1.8-api.patch 
@@ -2,29 +2,29 @@ Reference docs don't define what happens if you call krb5_realm_compare() with malformed krb5_principal structures. Define a behavior which keeps it from crashing if applications don't check ahead of time. -diff -up krb5-1.7/src/lib/krb5/krb/princ_comp.c krb5-1.7/src/lib/krb5/krb/princ_comp.c ---- krb5-1.7/src/lib/krb5/krb/princ_comp.c 2009-01-03 18:19:42.000000000 -0500 -+++ krb5-1.7/src/lib/krb5/krb/princ_comp.c 2009-06-04 14:31:26.000000000 -0400 -@@ -40,6 +40,12 @@ realm_compare_flags(krb5_context context +diff -up krb5-1.8/src/lib/krb5/krb/princ_comp.c.api krb5-1.8/src/lib/krb5/krb/princ_comp.c +--- krb5-1.8/src/lib/krb5/krb/princ_comp.c.api 2009-10-30 20:48:38.000000000 -0400 ++++ krb5-1.8/src/lib/krb5/krb/princ_comp.c 2010-03-05 11:00:55.000000000 -0500 +@@ -41,6 +41,12 @@ realm_compare_flags(krb5_context context const krb5_data *realm1 = krb5_princ_realm(context, princ1); const krb5_data *realm2 = krb5_princ_realm(context, princ2); + if ((princ1 == NULL) || (princ2 == NULL)) -+ return FALSE; ++ return FALSE; + + if ((realm1 == NULL) || (realm2 == NULL)) -+ return FALSE; ++ return FALSE; + if (realm1->length != realm2->length) - return FALSE; + return FALSE; -@@ -91,6 +97,9 @@ krb5_principal_compare_flags(krb5_contex +@@ -92,6 +98,9 @@ krb5_principal_compare_flags(krb5_contex krb5_principal upn2 = NULL; krb5_boolean ret = FALSE; + if ((princ1 == NULL) || (princ2 == NULL)) -+ return FALSE; ++ return FALSE; + if (flags & KRB5_PRINCIPAL_COMPARE_ENTERPRISE) { - /* Treat UPNs as if they were real principals */ - if (krb5_princ_type(context, princ1) == KRB5_NT_ENTERPRISE_PRINCIPAL) { + /* Treat UPNs as if they were real principals */ + if (krb5_princ_type(context, princ1) == KRB5_NT_ENTERPRISE_PRINCIPAL) { diff --git a/krb5-1.8-dirsrv-accountlock.patch b/krb5-1.8-dirsrv-accountlock.patch new file mode 100644 index 0000000..09629a1 --- /dev/null +++ b/krb5-1.8-dirsrv-accountlock.patch 
@@ -0,0 +1,69 @@ +Treat 'nsAccountLock: true' the same as 'loginDisabled: true'. Updated from +original version filed as RT#5891. + +diff -up krb5-1.8/src/aclocal.m4.dirsrv-accountlock krb5-1.8/src/aclocal.m4 +--- krb5-1.8/src/aclocal.m4.dirsrv-accountlock 2010-03-05 11:03:09.000000000 -0500 ++++ krb5-1.8/src/aclocal.m4 2010-03-05 11:03:10.000000000 -0500 +@@ -1678,6 +1678,12 @@ AC_ARG_WITH([edirectory], + yes | no) ;; + *) AC_MSG_ERROR(Invalid option value --with-edirectory="$withval") ;; + esac], with_edirectory=no)dnl ++AC_ARG_WITH([dirsrv], ++[ --with-dirsrv compile 389/Red Hat/Fedora/Netscape Directory Server database backend module], ++[case "$withval" in ++ yes | no) ;; ++ *) AC_MSG_ERROR(Invalid option value --with-dirsrv="$withval") ;; ++esac], with_dirsrv=no)dnl + + if test $with_ldap = yes; then + if test $with_edirectory = yes; then +@@ -1689,6 +1695,10 @@ elif test $with_edirectory = yes; then + AC_MSG_NOTICE(enabling eDirectory database backend module support) + OPENLDAP_PLUGIN=yes + AC_DEFINE(HAVE_EDIRECTORY,1,[Define if LDAP KDB interface should assume eDirectory.]) ++elif test $with_dirsrv = yes; then ++ AC_MSG_NOTICE(enabling 389/Red Hat/Fedora/Netscape Directory Server database backend module support) ++ OPENLDAP_PLUGIN=yes ++ AC_DEFINE(HAVE_DIRSRV,1,[Define if LDAP KDB interface should assume RHDS/FDS/NDS.]) + else + : # neither enabled + dnl AC_MSG_NOTICE(disabling ldap backend module support) +diff -up krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c.dirsrv-accountlock krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c +--- krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c.dirsrv-accountlock 2009-11-24 18:52:25.000000000 -0500 ++++ krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c 2010-03-05 11:03:10.000000000 -0500 +@@ -2101,6 +2101,22 @@ populate_krb5_db_entry(krb5_context cont + } + } + #endif ++#ifdef HAVE_DIRSRV ++ { ++ krb5_timestamp expiretime=0; ++ char *is_login_disabled=NULL; ++ ++ /* LOGIN DISABLED */ ++ if 
((st=krb5_ldap_get_string(ld, ent, "nsaccountlock", &is_login_disabled, ++ &attr_present)) != 0) ++ goto cleanup; ++ if (attr_present == TRUE) { ++ if (strcasecmp(is_login_disabled, "TRUE")== 0) ++ entry->attributes |= KRB5_KDB_DISALLOW_ALL_TIX; ++ free (is_login_disabled); ++ } ++ } ++#endif + + if ((st=krb5_read_tkt_policy (context, ldap_context, entry, tktpolname)) !=0) + goto cleanup; +diff -up krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c.dirsrv-accountlock krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c +--- krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c.dirsrv-accountlock 2009-11-24 18:52:25.000000000 -0500 ++++ krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c 2010-03-05 11:03:10.000000000 -0500 +@@ -59,6 +59,9 @@ char *principal_attributes[] = { "kr + "loginexpirationtime", + "logindisabled", + #endif ++#ifdef HAVE_DIRSRV ++ "nsaccountlock", ++#endif + "krbLastPwdChange", + "krbExtraData", + "krbObjectReferences", diff --git a/krb5-1.8-exp_warn.patch b/krb5-1.8-exp_warn.patch new file mode 100644 index 0000000..d96a1e7 --- /dev/null +++ b/krb5-1.8-exp_warn.patch @@ -0,0 +1,17 @@ +Don't warn of expiration reported the new way if it's more than a week from +now, for consistency with the code that handles expiration times reported the +old way. + +diff -up krb5-1.8/src/lib/krb5/krb/gic_pwd.c.exp_warn krb5-1.8/src/lib/krb5/krb/gic_pwd.c +--- krb5-1.8/src/lib/krb5/krb/gic_pwd.c.exp_warn 2010-03-05 11:04:10.000000000 -0500 ++++ krb5-1.8/src/lib/krb5/krb/gic_pwd.c 2010-03-05 11:04:10.000000000 -0500 +@@ -407,7 +407,8 @@ cleanup: + delta / 86400, ts); + /* ignore an error here */ + /* PROMPTER_INVOCATION */ +- (*prompter)(context, data, 0, banner, 0, 0); ++ if (delta < 86400 * 7) ++ (*prompter)(context, data, 0, banner, 0, 0); + } + } + } diff --git a/krb5-1.6.2-key_exp.patch b/krb5-1.8-key_exp.patch similarity index 69% rename from krb5-1.6.2-key_exp.patch rename to krb5-1.8-key_exp.patch index c0e7705..6961c1e 100644 
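Review bot: In the `#ifdef HAVE_DIRSRV` block added to populate_krb5_db_entry in ldap_misc.c, `krb5_timestamp expiretime=0;` is declared and never used, so every LDAP build configured with --with-dirsrv will carry an unused-variable warning; drop that line. The lock takes effect only when the `nsaccountlock` value case-insensitively equals "TRUE" and any other value or an absent attribute leaves the principal enabled, which mirrors the loginDisabled handling above it, but a one-line comment such as `/* absent or any value other than TRUE leaves the principal enabled */` would make that explicit for the next reader. The configure change also makes --with-dirsrv an `elif` after the --with-ldap/--with-edirectory branches, so it appears that --with-dirsrv is silently ignored when --with-ldap is also given; if that is intended, the help text should say so. populate_krb5_db_entry starts and ends outside the hunk.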
--- a/krb5-1.6.2-key_exp.patch +++ b/krb5-1.8-key_exp.patch @@ -1,9 +1,11 @@ Sadique Puthen notes that the warning on the client side seems to be correspond to the wrong attribute on the KDC. Do what RFC4120 says we should do. RT#5755. ---- krb5-1.6.2/src/kdc/do_as_req.c 2007-06-25 15:49:06.000000000 -0400 -+++ krb5-1.6.2/src/kdc/do_as_req.c 2007-06-25 15:49:08.000000000 -0400 -@@ -371,7 +371,14 @@ process_as_req(krb5_kdc_req *request, kr - goto errout; + +diff -up krb5-1.8/src/kdc/do_as_req.c.key_exp krb5-1.8/src/kdc/do_as_req.c +--- krb5-1.8/src/kdc/do_as_req.c.key_exp 2010-02-16 17:21:08.000000000 -0500 ++++ krb5-1.8/src/kdc/do_as_req.c 2010-03-05 11:02:06.000000000 -0500 +@@ -555,7 +555,14 @@ process_as_req(krb5_kdc_req *request, kr + goto errout; } reply_encpart.nonce = request->nonce; - reply_encpart.key_exp = client.expiration; diff --git a/krb5-1.8-kpasswd_ccache.patch b/krb5-1.8-kpasswd_ccache.patch new file mode 100644 index 0000000..d6a4964 --- /dev/null +++ b/krb5-1.8-kpasswd_ccache.patch 
@@ -0,0 +1,34 @@ +If we encounter any errors reading the user's principal name from the default +ccache, fall back to the default of using the current user's name. + +diff -up krb5-1.8/src/clients/kpasswd/kpasswd.c.kpasswd-ccache krb5-1.8/src/clients/kpasswd/kpasswd.c +--- krb5-1.8/src/clients/kpasswd/kpasswd.c.kpasswd-ccache 2009-10-30 20:48:38.000000000 -0400 ++++ krb5-1.8/src/clients/kpasswd/kpasswd.c 2010-03-05 11:04:42.000000000 -0500 +@@ -85,21 +85,23 @@ int main(int argc, char *argv[]) + exit(1); + } + } else if ((ret = krb5_cc_default(context, &ccache)) != KRB5_CC_NOTFOUND) { ++ princ = NULL; ++ + if (ret) { + com_err(argv[0], ret, "opening default ccache"); +- exit(1); + } ++ else + + if ((ret = krb5_cc_get_principal(context, ccache, &princ))) { + com_err(argv[0], ret, "getting principal from ccache"); +- exit(1); + } ++ else + + if ((ret = krb5_cc_close(context, ccache))) { + com_err(argv[0], ret, "closing ccache"); +- exit(1); + } +- } else { ++ } ++ if (princ == NULL) { + get_name_from_passwd_file(argv[0], context, &princ); + } + diff --git a/krb5-1.8-kpasswd_tcp.patch b/krb5-1.8-kpasswd_tcp.patch new file mode 100644 index 0000000..6cc611a --- /dev/null +++ b/krb5-1.8-kpasswd_tcp.patch 
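Review bot: In the reworked kpasswd.c flow, `krb5_cc_close` sits in the `else` of the `krb5_cc_get_principal` failure check, so when reading the principal fails the program now continues with the passwd-file name (the point of the patch) but the default ccache handle opened by `krb5_cc_default` is never closed. Close it on both paths, e.g. drop the second bare `else` so that `if ((ret = krb5_cc_close(context, ccache)))` runs whenever the open succeeded, or add a comment stating that the leak is accepted because main() exits shortly after. The bare `else` followed by a blank line before each `if` is also easy to misread as a dangling else; `} else if (...) {` on one line would be clearer. main() starts and ends outside this hunk.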
@@ -0,0 +1,34 @@ +Fall back to TCP on kdc-unresolvable/unreachable errors. We still have +to wait for UDP to fail, so this might not be ideal. RT #5868. + +diff -up krb5-1.8/src/lib/krb5/os/changepw.c.kpasswd_tcp krb5-1.8/src/lib/krb5/os/changepw.c +--- krb5-1.8/src/lib/krb5/os/changepw.c.kpasswd_tcp 2009-12-02 13:06:19.000000000 -0500 ++++ krb5-1.8/src/lib/krb5/os/changepw.c 2010-03-05 11:02:39.000000000 -0500 +@@ -270,11 +270,22 @@ change_set_password(krb5_context context + NULL, + NULL + ))) { +- +- /* +- * Here we may want to switch to TCP on some errors. +- * right? +- */ ++ /* if we're not using a stream socket, and it's an error which ++ * might reasonably be specific to a datagram "connection", try ++ * again with a stream socket */ ++ if (!useTcp) { ++ switch (code) { ++ case KRB5_KDC_UNREACH: ++ case KRB5_REALM_CANT_RESOLVE: ++ case KRB5KRB_ERR_RESPONSE_TOO_BIG: ++ /* should we do this for more result codes than these? */ ++ krb5int_free_addrlist (&al); ++ useTcp = 1; ++ continue; ++ default: ++ break; ++ } ++ } + break; + } + diff --git a/krb5-1.8-kprop-mktemp.patch b/krb5-1.8-kprop-mktemp.patch new file mode 100644 index 0000000..9012c94 --- /dev/null +++ b/krb5-1.8-kprop-mktemp.patch 
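Review bot: The retry path added to change_set_password in changepw.c calls `krb5int_free_addrlist (&al)` and then `continue`s with `useTcp = 1`; the loop head is outside this hunk, so this is only safe if the next iteration re-resolves the address list before anything reads `al`, which is worth confirming since otherwise the TCP attempt would walk a freed list. A comment at the `continue`, such as `/* loop head re-resolves al for the stream socket */`, would record that dependency. The fallback fires at most once because it is gated on `!useTcp`, which is good; the author's own `should we do this for more result codes than these?` should be resolved or marked as a TODO so it is not mistaken for settled behaviour.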
@@ -0,0 +1,29 @@ +Use an in-memory ccache to silence a compiler warning. + +diff -up krb5-1.8/src/slave/kprop.c.kprop-mktemp krb5-1.8/src/slave/kprop.c +--- krb5-1.8/src/slave/kprop.c.kprop-mktemp 2009-11-06 18:29:12.000000000 -0500 ++++ krb5-1.8/src/slave/kprop.c 2010-03-05 10:59:06.000000000 -0500 +@@ -202,9 +202,8 @@ void PRS(argc, argv) + void get_tickets(context) + krb5_context context; + { +- char buf[BUFSIZ]; ++ char buf[] = "MEMORY:_kproptkt"; + krb5_error_code retval; +- static char tkstring[] = "/tmp/kproptktXXXXXX"; + krb5_keytab keytab = NULL; + + /* +@@ -229,11 +228,8 @@ void get_tickets(context) + #endif + + /* +- * Initialize cache file which we're going to be using ++ * Initialize an in-memory cache for temporary use + */ +- (void) mktemp(tkstring); +- snprintf(buf, sizeof(buf), "FILE:%s", tkstring); +- + retval = krb5_cc_resolve(context, buf, &ccache); + if (retval) { + com_err(progname, retval, "while opening credential cache %s", diff --git a/krb5-1.8-ksu-access.patch b/krb5-1.8-ksu-access.patch new file mode 100644 index 0000000..75f7755 --- /dev/null +++ b/krb5-1.8-ksu-access.patch 
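Review bot: The patch header says the change exists to "silence a compiler warning", but the substantive effect of the hunk in get_tickets is that kprop no longer creates a credential cache at a predictable `/tmp/kproptktXXXXXX` path chosen by `mktemp()`; the header should say so, e.g. `Use an in-memory ccache instead of an mktemp()-named file in /tmp; this also silences the mktemp warning.` Since `tkstring` is removed, any later code in get_tickets or elsewhere that unlinked or referenced that file would now fail to compile, so the rest of the function (outside the hunk) should be checked. The fixed `MEMORY:_kproptkt` name is fine as far as this hunk shows, because MEMORY caches are scoped to the process.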
@@ -0,0 +1,49 @@ +The idea is to not complain about problems in the default ticket file if we +couldn't read it, because the client would be able to tell if it's there or +not. Still needs work, I think. + +diff -up krb5-1.8/src/clients/ksu/ccache.c.ksu-access krb5-1.8/src/clients/ksu/ccache.c +--- krb5-1.8/src/clients/ksu/ccache.c.ksu-access 2009-10-30 20:48:38.000000000 -0400 ++++ krb5-1.8/src/clients/ksu/ccache.c 2010-03-05 10:57:56.000000000 -0500 +@@ -78,7 +78,7 @@ krb5_error_code krb5_ccache_copy (contex + cc_def_name = krb5_cc_get_name(context, cc_def); + cc_other_name = krb5_cc_get_name(context, *cc_other); + +- if ( ! stat(cc_def_name, &st_temp)){ ++ if ( ! access(cc_def_name, R_OK) && ! stat(cc_def_name, &st_temp)){ + if((retval = krb5_get_nonexp_tkts(context,cc_def,&cc_def_creds_arr))){ + return retval; + } +diff -up krb5-1.8/src/clients/ksu/heuristic.c.ksu-access krb5-1.8/src/clients/ksu/heuristic.c +--- krb5-1.8/src/clients/ksu/heuristic.c.ksu-access 2009-10-30 20:48:38.000000000 -0400 ++++ krb5-1.8/src/clients/ksu/heuristic.c 2010-03-05 10:57:56.000000000 -0500 +@@ -409,7 +409,7 @@ krb5_error_code find_either_ticket (cont + + cc_source_name = krb5_cc_get_name(context, cc); + +- if ( ! stat(cc_source_name, &st_temp)){ ++ if ( ! access(cc_source_name, F_OK | R_OK) && ! stat(cc_source_name, &st_temp)){ + + retval = find_ticket(context, cc, client, end_server, &temp_found); + if (retval) +@@ -569,7 +569,7 @@ krb5_error_code get_best_princ_for_targe + cc_source_name = krb5_cc_get_name(context, cc_source); + + +- if (! stat(cc_source_name, &st_temp)) { ++ if (! access(cc_source_name, F_OK | R_OK) && ! 
stat(cc_source_name, &st_temp)) { + retval = krb5_cc_get_principal(context, cc_source, &cc_def_princ); + if (retval) + return retval; +diff -up krb5-1.8/src/clients/ksu/main.c.ksu-access krb5-1.8/src/clients/ksu/main.c +--- krb5-1.8/src/clients/ksu/main.c.ksu-access 2010-03-05 10:57:55.000000000 -0500 ++++ krb5-1.8/src/clients/ksu/main.c 2010-03-05 10:57:56.000000000 -0500 +@@ -270,7 +270,7 @@ main (argc, argv) + if ( strchr(cc_source_tag, ':')){ + cc_source_tag_tmp = strchr(cc_source_tag, ':') + 1; + +- if( stat( cc_source_tag_tmp, &st_temp)){ ++ if( access( cc_source_tag_tmp, F_OK | R_OK) || stat( cc_source_tag_tmp, &st_temp)){ + com_err (prog_name, errno, + "while looking for credentials file %s", + cc_source_tag_tmp); diff --git a/krb5-1.8-ksu-path.patch b/krb5-1.8-ksu-path.patch new file mode 100644 index 0000000..0f4611a --- /dev/null +++ b/krb5-1.8-ksu-path.patch @@ -0,0 +1,13 @@ +Set the default PATH to the one set by login. + +diff -up krb5-1.8/src/clients/ksu/Makefile.in.ksu-path krb5-1.8/src/clients/ksu/Makefile.in +--- krb5-1.8/src/clients/ksu/Makefile.in.ksu-path 2010-03-05 10:58:25.000000000 -0500 ++++ krb5-1.8/src/clients/ksu/Makefile.in 2010-03-05 10:58:25.000000000 -0500 +@@ -1,6 +1,6 @@ + mydir=clients/ksu + BUILDTOP=$(REL)..$(S).. +-DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"' ++DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/usr/local/sbin /usr/local/bin /sbin /usr/sbin /bin /usr/bin"' + DEFS= + + PROG_LIBPATH=-L$(TOPLIBD) diff --git a/krb5-trunk-manpaths.patch b/krb5-1.8-manpaths.patch similarity index 52% rename from krb5-trunk-manpaths.patch rename to krb5-1.8-manpaths.patch index ecd8ca8..60254a4 100644 --- a/krb5-trunk-manpaths.patch +++ b/krb5-1.8-manpaths.patch 
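Review bot: The `access()` calls added in krb5_ccache_copy, find_either_ticket, get_best_princ_for_target and main are unexplained, and a reader who knows access() only as the textbook check-then-use hazard will be tempted to remove them. Their purpose here is that access() evaluates permissions against the real uid rather than the effective one, which is the question a privilege-elevated program should ask before handling the invoking user's default ticket file; that deserves a comment at the first site, e.g. `/* access() checks the real uid: skip a default cache the invoking user could not read */`. The test is still advisory, because the file can change between access() and the later cache open, so the open itself should also run with the caller's privileges (the krb5_seteuid pattern main.c already uses) rather than rely on this check alone; the description's "still needs work" would be more useful if it named that gap. Each hunk sits inside a function whose body extends outside it, so whether the subsequent open is already done under the real uid cannot be confirmed from here.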
@@ -1,77 +1,12 @@ Change the absolute paths included in the man pages so that the correct values can be dropped in by config.status. After applying this patch, these files should be renamed to their ".in" counterparts, and then the -configure scripts should be rebuilt. RT#6525 +configure scripts should be rebuilt. Originally RT#6525 -Index: configure.in -=================================================================== ---- configure.in (revision 22425) -+++ configure.in (working copy) -@@ -1043,6 +1043,16 @@ - KRB5_WITH_PAM - - AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config]) -+ -+V5_AC_OUTPUT_MANPAGE([ -+ appl/sample/sserver/sserver.M -+ config-files/kdc.conf.M -+ config-files/krb5.conf.M -+ kadmin/cli/kadmin.M -+ slave/kpropd.M -+ slave/kprop.M -+]) -+ - V5_AC_OUTPUT_MAKEFILE(. - - util util/support util/profile util/send-pr -Index: appl/gssftp/configure.in -=================================================================== ---- appl/gssftp/configure.in (revision 22425) -+++ appl/gssftp/configure.in (working copy) -@@ -65,4 +65,9 @@ - dnl - dnl - KRB5_BUILD_PROGRAM -+ -+V5_AC_OUTPUT_MANPAGE([ -+ ftpd/ftpd.M -+]) -+ - V5_AC_OUTPUT_MAKEFILE(. ftp ftpd) -Index: appl/bsd/configure.in -=================================================================== ---- appl/bsd/configure.in (revision 22425) -+++ appl/bsd/configure.in (working copy) -@@ -156,4 +156,10 @@ - - KRB5_AC_LIBUTIL - KRB5_BUILD_PROGRAM -+ -+V5_AC_OUTPUT_MANPAGE([ -+ klogind.M -+ kshd.M -+]) -+ - V5_AC_OUTPUT_MAKEFILE -Index: appl/telnet/configure.in -=================================================================== ---- appl/telnet/configure.in (revision 22425) -+++ appl/telnet/configure.in (working copy) -@@ -161,4 +161,9 @@ - LIBS="$old_LIBS" - dnl - KRB5_AC_LIBUTIL -+ -+V5_AC_OUTPUT_MANPAGE([ -+ telnetd/telnetd.8 -+]) -+ - V5_AC_OUTPUT_MAKEFILE(. 
libtelnet telnet telnetd) -Index: aclocal.m4 -=================================================================== ---- aclocal.m4 (revision 22425) -+++ aclocal.m4 (working copy) -@@ -1854,3 +1854,24 @@ +diff -up krb5-1.8/src/aclocal.m4.manpaths krb5-1.8/src/aclocal.m4 +--- krb5-1.8/src/aclocal.m4.manpaths 2010-03-05 10:55:28.000000000 -0500 ++++ krb5-1.8/src/aclocal.m4 2010-03-05 10:55:29.000000000 -0500 +@@ -1770,3 +1770,24 @@ AC_SUBST(PAM_LIBS) AC_SUBST(PAM_MAN) AC_SUBST(NON_PAM_MAN) ])dnl @@ -96,11 +31,10 @@ Index: aclocal.m4 +AC_SUBST(manlibexecdir) +AC_CONFIG_FILES($1) +]) -Index: appl/sample/sserver/sserver.M -=================================================================== ---- appl/sample/sserver/sserver.M (revision 22425) -+++ appl/sample/sserver/sserver.M (working copy) -@@ -59,7 +59,7 @@ +diff -up krb5-1.8/src/appl/sample/sserver/sserver.M.manpaths krb5-1.8/src/appl/sample/sserver/sserver.M +--- krb5-1.8/src/appl/sample/sserver/sserver.M.manpaths 1999-09-24 17:20:59.000000000 -0400 ++++ krb5-1.8/src/appl/sample/sserver/sserver.M 2010-03-05 10:55:29.000000000 -0500 +@@ -59,7 +59,7 @@ option allows for a different keytab tha using a line in /etc/inetd.conf that looks like this: .PP 
@@ -109,97 +43,10 @@ Index: appl/sample/sserver/sserver.M .PP Since \fBsample\fP is normally not a port defined in /etc/services, you will usually have to add a line to /etc/services which looks like this: -Index: appl/bsd/klogind.M -=================================================================== ---- appl/bsd/klogind.M (revision 22425) -+++ appl/bsd/klogind.M (working copy) -@@ -27,7 +27,7 @@ - the port indicated in /etc/inetd.conf. A typical /etc/inetd.conf - configuration line for \fIklogind\fP might be: - --klogin stream tcp nowait root /usr/cygnus/sbin/klogind klogind -e5c -+klogin stream tcp nowait root @mansbindir@/klogind klogind -e5c - - When a service request is received, the following protocol is initiated: - -Index: appl/bsd/kshd.M -=================================================================== ---- appl/bsd/kshd.M (revision 22425) -+++ appl/bsd/kshd.M (working copy) -@@ -8,7 +8,7 @@ - .SH NAME - kshd \- kerberized remote shell server - .SH SYNOPSIS --.B /usr/local/sbin/kshd -+.B @mansbindir@/kshd - [ - .B \-kr45ec - ] -@@ -30,7 +30,7 @@ - on the port indicated in /etc/inetd.conf. 
A typical /etc/inetd.conf - configuration line for \fIkrshd\fP might be: - --kshell stream tcp nowait root /usr/local/sbin/kshd kshd -5c -+kshell stream tcp nowait root @mansbindir@/kshd kshd -5c - - When a service request is received, the following protocol is initiated: - -Index: appl/telnet/telnetd/telnetd.8 -=================================================================== ---- appl/telnet/telnetd/telnetd.8 (revision 22425) -+++ appl/telnet/telnetd/telnetd.8 (working copy) -@@ -37,7 +37,7 @@ - .SM DARPA TELNET - protocol server - .SH SYNOPSIS --.B /usr/libexec/telnetd -+.B @mansbindir@/telnetd - [\fB\-a\fP \fIauthmode\fP] [\fB\-B\fP] [\fB\-D\fP] [\fIdebugmode\fP] - [\fB\-e\fP] [\fB\-h\fP] [\fB\-I\fP\fIinitid\fP] [\fB\-l\fP] - [\fB\-k\fP] [\fB\-n\fP] [\fB\-r\fP\fIlowpty-highpty\fP] [\fB\-s\fP] -Index: appl/gssftp/ftpd/ftpd.M -=================================================================== ---- appl/gssftp/ftpd/ftpd.M (revision 22425) -+++ appl/gssftp/ftpd/ftpd.M (working copy) -@@ -35,7 +35,7 @@ - .SH NAME - ftpd \- DARPA Internet File Transfer Protocol server - .SH SYNOPSIS --.B ftpd -+.B @mansbindir@/ftpd - [\fB\-A \fP|\fB -a\fP] [\fB\-C\fP] [\fB\-c\fP] [\fB\-d\fP] [\fB-E\fP] - [\fB\-l\fP] [\fB\-v\fP] [\fB\-T\fP \fImaxtimeout\fP] [\fB\-t\fP \fItimeout\fP] - [\fB\-p\fP \fIport\fP] [\fB\-U\fP \fIftpusers-file\fP] [\fB\-u\fP \fIumask\fP] -Index: kadmin/cli/kadmin.M -=================================================================== ---- kadmin/cli/kadmin.M (revision 22425) -+++ kadmin/cli/kadmin.M (working copy) -@@ -850,9 +850,9 @@ - .RS - .TP - EXAMPLE: --kadmin: ktremove -k /usr/local/var/krb5kdc/kadmind.keytab kadmin/admin -+kadmin: ktremove -k @manlocalstatedir@/krb5kdc/kadmind.keytab kadmin/admin - Entry for principal kadmin/admin with kvno 3 removed -- from keytab WRFILE:/usr/local/var/krb5kdc/kadmind.keytab. -+ from keytab WRFILE:@manlocalstatedir@/krb5kdc/kadmind.keytab. 
- kadmin: - .RE - .fi -@@ -894,7 +894,7 @@ - .SH HISTORY - The - .B kadmin --prorgam was originally written by Tom Yu at MIT, as an interface to the -+program was originally written by Tom Yu at MIT, as an interface to the - OpenVision Kerberos administration program. - .SH SEE ALSO - .IR kerberos (1), -Index: config-files/kdc.conf.M -=================================================================== ---- config-files/kdc.conf.M (revision 22425) -+++ config-files/kdc.conf.M (working copy) -@@ -82,14 +82,14 @@ +diff -up krb5-1.8/src/config-files/kdc.conf.M.manpaths krb5-1.8/src/config-files/kdc.conf.M +--- krb5-1.8/src/config-files/kdc.conf.M.manpaths 2010-01-04 14:34:33.000000000 -0500 ++++ krb5-1.8/src/config-files/kdc.conf.M 2010-03-05 10:55:29.000000000 -0500 +@@ -82,14 +82,14 @@ This .B string specifies the location of the access control list (acl) file that kadmin uses to determine which principals are allowed which permissions @@ -216,7 +63,7 @@ Index: config-files/kdc.conf.M .IP database_name This -@@ -257,7 +257,7 @@ +@@ -254,7 +254,7 @@ tickets should be checked against the tr realm names and the [capaths] section of its krb5.conf file .SH FILES @@ -225,11 +72,10 @@ Index: config-files/kdc.conf.M .SH SEE ALSO krb5.conf(5), krb5kdc(8) -Index: config-files/krb5.conf.M -=================================================================== ---- config-files/krb5.conf.M (revision 22425) -+++ config-files/krb5.conf.M (working copy) -@@ -643,6 +643,6 @@ +diff -up krb5-1.8/src/config-files/krb5.conf.M.manpaths krb5-1.8/src/config-files/krb5.conf.M +--- krb5-1.8/src/config-files/krb5.conf.M.manpaths 2010-02-25 15:14:21.000000000 -0500 ++++ krb5-1.8/src/config-files/krb5.conf.M 2010-03-05 10:55:29.000000000 -0500 +@@ -651,6 +651,6 @@ is whitespace-separated. The LDAP server This LDAP specific tag indicates the number of connections to be maintained per LDAP server. .SH FILES 
@@ -237,42 +83,63 @@ Index: config-files/krb5.conf.M +@mansysconfdir@/krb5.conf .SH SEE ALSO syslog(3) -Index: slave/kprop.M -=================================================================== ---- slave/kprop.M (revision 22425) -+++ slave/kprop.M (working copy) -@@ -39,7 +39,7 @@ - This is done by transmitting the dumped database file to the slave - server over an encrypted, secure channel. The dump file must be created - by kdb5_util, and is normally KPROP_DEFAULT_FILE --(/usr/local/var/krb5kdc/slave_datatrans). -+(@manlocalstatedir@/krb5kdc/slave_datatrans). - .SH OPTIONS +diff -up krb5-1.8/src/configure.in.manpaths krb5-1.8/src/configure.in +--- krb5-1.8/src/configure.in.manpaths 2010-03-05 10:55:29.000000000 -0500 ++++ krb5-1.8/src/configure.in 2010-03-05 10:55:29.000000000 -0500 +@@ -1054,6 +1054,16 @@ fi + KRB5_WITH_PAM + + AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config]) ++ ++V5_AC_OUTPUT_MANPAGE([ ++ appl/sample/sserver/sserver.M ++ config-files/kdc.conf.M ++ config-files/krb5.conf.M ++ kadmin/cli/kadmin.M ++ slave/kpropd.M ++ slave/kprop.M ++]) ++ + V5_AC_OUTPUT_MAKEFILE(. + + util util/support util/profile util/send-pr +diff -up krb5-1.8/src/kadmin/cli/kadmin.M.manpaths krb5-1.8/src/kadmin/cli/kadmin.M +--- krb5-1.8/src/kadmin/cli/kadmin.M.manpaths 2010-01-04 14:59:25.000000000 -0500 ++++ krb5-1.8/src/kadmin/cli/kadmin.M 2010-03-05 10:55:29.000000000 -0500 +@@ -869,9 +869,9 @@ option is specified, less verbose status + .RS .TP - \fB\-r\fP \fIrealm\fP -@@ -51,7 +51,7 @@ - \fB\-f\fP \fIfile\fP - specifies the filename where the dumped principal database file is to be - found; by default the dumped database file is KPROP_DEFAULT_FILE --(normally /usr/local/var/krb5kdc/slave_datatrans). -+(normally @manlocalstatedir@/krb5kdc/slave_datatrans). 
- .TP - \fB\-P\fP \fIport\fP - specifies the port to use to contact the -Index: slave/kpropd.M -=================================================================== ---- slave/kpropd.M (revision 22425) -+++ slave/kpropd.M (working copy) -@@ -74,7 +74,7 @@ + EXAMPLE: +-kadmin: ktremove -k /usr/local/var/krb5kdc/kadmind.keytab kadmin/admin ++kadmin: ktremove -k @manlocalstatedir@/krb5kdc/kadmind.keytab kadmin/admin + Entry for principal kadmin/admin with kvno 3 removed +- from keytab WRFILE:/usr/local/var/krb5kdc/kadmind.keytab. ++ from keytab WRFILE:@manlocalstatedir@/krb5kdc/kadmind.keytab. + kadmin: + .RE + .fi +@@ -913,7 +913,7 @@ passwords. + .SH HISTORY + The + .B kadmin +-prorgam was originally written by Tom Yu at MIT, as an interface to the ++program was originally written by Tom Yu at MIT, as an interface to the + OpenVision Kerberos administration program. + .SH SEE ALSO + .IR kerberos (1), +diff -up krb5-1.8/src/slave/kpropd.M.manpaths krb5-1.8/src/slave/kpropd.M +--- krb5-1.8/src/slave/kpropd.M.manpaths 2009-12-30 23:21:34.000000000 -0500 ++++ krb5-1.8/src/slave/kpropd.M 2010-03-05 10:55:29.000000000 -0500 +@@ -74,7 +74,7 @@ Normally, kpropd is invoked out of This is done by adding a line to the inetd.conf file which looks like this: -kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd +kprop stream tcp nowait root @mansbindir@/kpropd kpropd - However, kpropd can also run as a standalone deamon, if the + However, kpropd can also run as a standalone daemon, if the .B \-S -@@ -111,13 +111,13 @@ +@@ -111,13 +111,13 @@ is used. \fB\-f\fP \fIfile\fP specifies the filename where the dumped principal database file is to be stored; by default the dumped database file is KPROPD_DEFAULT_FILE @@ -288,7 +155,7 @@ Index: slave/kpropd.M .TP .B \-S turn on standalone mode. Normally, kpropd is invoked out of -@@ -148,14 +148,14 @@ +@@ -148,14 +148,14 @@ mode. allows the user to specify the path to the kpropd.acl file; by default the path used is KPROPD_ACL_FILE 
@@ -305,3 +172,24 @@ Index: slave/kpropd.M Each entry is a line containing the principal of a host from which the local machine will allow Kerberos database propagation via kprop. .SH SEE ALSO +diff -up krb5-1.8/src/slave/kprop.M.manpaths krb5-1.8/src/slave/kprop.M +--- krb5-1.8/src/slave/kprop.M.manpaths 1999-09-24 17:20:59.000000000 -0400 ++++ krb5-1.8/src/slave/kprop.M 2010-03-05 10:55:29.000000000 -0500 +@@ -39,7 +39,7 @@ Kerberos server to a slave Kerberos serv + This is done by transmitting the dumped database file to the slave + server over an encrypted, secure channel. The dump file must be created + by kdb5_util, and is normally KPROP_DEFAULT_FILE +-(/usr/local/var/krb5kdc/slave_datatrans). ++(@manlocalstatedir@/krb5kdc/slave_datatrans). + .SH OPTIONS + .TP + \fB\-r\fP \fIrealm\fP +@@ -51,7 +51,7 @@ is used. + \fB\-f\fP \fIfile\fP + specifies the filename where the dumped principal database file is to be + found; by default the dumped database file is KPROP_DEFAULT_FILE +-(normally /usr/local/var/krb5kdc/slave_datatrans). ++(normally @manlocalstatedir@/krb5kdc/slave_datatrans). + .TP + \fB\-P\fP \fIport\fP + specifies the port to use to contact the diff --git a/krb5-1.8-opte.patch b/krb5-1.8-opte.patch new file mode 100644 index 0000000..97aa7be --- /dev/null +++ b/krb5-1.8-opte.patch 
@@ -0,0 +1,33 @@ +Fall back to the library default for whether or not to prompt for a password- +change during authentication, if we weren't passed any options. + +diff -up krb5-1.8/src/lib/krb5/krb/gic_pwd.c.opte krb5-1.8/src/lib/krb5/krb/gic_pwd.c +--- krb5-1.8/src/lib/krb5/krb/gic_pwd.c.opte 2009-12-23 11:00:05.000000000 -0500 ++++ krb5-1.8/src/lib/krb5/krb/gic_pwd.c 2010-03-05 11:03:42.000000000 -0500 +@@ -123,6 +123,7 @@ krb5_get_init_creds_password(krb5_contex + int tries; + krb5_creds chpw_creds; + krb5_get_init_creds_opt *chpw_opts = NULL; ++ krb5_gic_opt_ext *opte = NULL; + krb5_data pw0, pw1; + char banner[1024], pw0array[1024], pw1array[1024]; + krb5_prompt prompt[2]; +@@ -218,7 +219,8 @@ krb5_get_init_creds_password(krb5_contex + * to prompt. Prompting is only disabled if the option has been set + * and the value has been set to false. + */ +- if (!(options->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT)) ++ krb5int_gic_opt_to_opte(context, options, &opte, 1, NULL); ++ if (!(opte->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT)) + goto cleanup; + + /* ok, we have an expired password. Give the user a few chances +@@ -332,6 +334,8 @@ krb5_get_init_creds_password(krb5_contex + &use_master, &as_reply); + + cleanup: ++ if (opte != options) ++ krb5_get_init_creds_opt_free(context, opte); + krb5int_set_prompt_types(context, 0); + /* if getting the password was successful, then check to see if the + password is about to expire, and warn if so */ diff --git a/krb5-1.8-pam.patch b/krb5-1.8-pam.patch new file mode 100644 index 0000000..508beb8 --- /dev/null +++ b/krb5-1.8-pam.patch 
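Review bot: The return value of `krb5int_gic_opt_to_opte(context, options, &opte, 1, NULL)` is discarded and the next line dereferences `opte->flags`, so a failure inside the conversion that leaves opte NULL becomes a null dereference instead of an error return. Guard it, `if (krb5int_gic_opt_to_opte(context, options, &opte, 1, NULL) != 0) goto cleanup;`, assigning the result to the function's error-return variable (not visible in the hunk) first so the failure is reported like the other paths in this function. On that path, and on every earlier goto cleanup, the new cleanup code then calls krb5_get_init_creds_opt_free with opte == NULL; if that function does not tolerate NULL (not visible here), the condition should be `if (opte != NULL && opte != options)`. That comparison also mixes a krb5_gic_opt_ext pointer with a krb5_get_init_creds_opt pointer, which compilers flag unless one type is an alias of the other, so an explicit cast on the options side would make the intent clear. krb5_get_init_creds_password starts and ends outside the hunk.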
@@ -0,0 +1,724 @@ +Modify ksu so that it performs account and session management for the +target user account, mimicking the action of regular su. The default +service name is "ksu", because on Fedora at least the configuration used +is determined by whether or not a login shell is being opened, and so +this may need to vary, too. At run-time, ksu's behavior can be reset to +the earlier, non-PAM behavior by setting "use_pam" to false in the [ksu] +section of /etc/krb5.conf. + +When enabled, ksu gains a dependency on libpam. + +Originally RT#5939, needs updating for 1.8. + +diff -up krb5-1.8/src/aclocal.m4.pam krb5-1.8/src/aclocal.m4 +--- krb5-1.8/src/aclocal.m4.pam 2009-11-22 12:00:45.000000000 -0500 ++++ krb5-1.8/src/aclocal.m4 2010-03-05 10:48:08.000000000 -0500 +@@ -1703,3 +1703,70 @@ AC_DEFUN(KRB5_AC_KEYRING_CCACHE,[ + ])) + ])dnl + dnl ++dnl ++dnl Use PAM instead of local crypt() compare for checking local passwords, ++dnl and perform PAM account, session management, and password-changing where ++dnl appropriate. 
++dnl ++AC_DEFUN(KRB5_WITH_PAM,[ ++AC_ARG_WITH(pam,[AC_HELP_STRING(--with-pam,[compile with PAM support])], ++ withpam="$withval",withpam=auto) ++AC_ARG_WITH(pam-ksu-service,[AC_HELP_STRING(--with-ksu-service,[PAM service name for ksu ["ksu"]])], ++ withksupamservice="$withval",withksupamservice=ksu) ++old_LIBS="$LIBS" ++if test "$withpam" != no ; then ++ AC_MSG_RESULT([checking for PAM...]) ++ PAM_LIBS= ++ ++ AC_CHECK_HEADERS(security/pam_appl.h) ++ if test "x$ac_cv_header_security_pam_appl_h" != xyes ; then ++ if test "$withpam" = auto ; then ++ AC_MSG_RESULT([Unable to locate security/pam_appl.h.]) ++ withpam=no ++ else ++ AC_MSG_ERROR([Unable to locate security/pam_appl.h.]) ++ fi ++ fi ++ ++ LIBS= ++ unset ac_cv_func_pam_start ++ AC_CHECK_FUNCS(putenv pam_start) ++ if test "x$ac_cv_func_pam_start" = xno ; then ++ unset ac_cv_func_pam_start ++ AC_CHECK_LIB(dl,dlopen) ++ AC_CHECK_FUNCS(pam_start) ++ if test "x$ac_cv_func_pam_start" = xno ; then ++ AC_CHECK_LIB(pam,pam_start) ++ unset ac_cv_func_pam_start ++ unset ac_cv_func_pam_getenvlist ++ AC_CHECK_FUNCS(pam_start pam_getenvlist) ++ if test "x$ac_cv_func_pam_start" = xyes ; then ++ PAM_LIBS="$LIBS" ++ else ++ if test "$withpam" = auto ; then ++ AC_MSG_RESULT([Unable to locate libpam.]) ++ withpam=no ++ else ++ AC_MSG_ERROR([Unable to locate libpam.]) ++ fi ++ fi ++ fi ++ fi ++ if test "$withpam" != no ; then ++ AC_MSG_NOTICE([building with PAM support]) ++ AC_DEFINE(USE_PAM,1,[Define if Kerberos-aware tools should support PAM]) ++ AC_DEFINE_UNQUOTED(KSU_PAM_SERVICE,"$withksupamservice", ++ [Define to the name of the PAM service name to be used by ksu.]) ++ PAM_LIBS="$LIBS" ++ NON_PAM_MAN=".\\\" " ++ PAM_MAN= ++ else ++ PAM_MAN=".\\\" " ++ NON_PAM_MAN= ++ fi ++fi ++LIBS="$old_LIBS" ++AC_SUBST(PAM_LIBS) ++AC_SUBST(PAM_MAN) ++AC_SUBST(NON_PAM_MAN) ++])dnl +diff -up krb5-1.8/src/clients/ksu/main.c.pam krb5-1.8/src/clients/ksu/main.c +--- krb5-1.8/src/clients/ksu/main.c.pam 2009-11-02 22:27:56.000000000 -0500 ++++ 
krb5-1.8/src/clients/ksu/main.c 2010-03-05 10:48:08.000000000 -0500 +@@ -26,6 +26,7 @@ + * KSU was writen by: Ari Medvinsky, ari@isi.edu + */ + ++#include "autoconf.h" + #include "ksu.h" + #include "adm_proto.h" + #include +@@ -33,6 +34,10 @@ + #include + #include + ++#ifdef USE_PAM ++#include "pam.h" ++#endif ++ + /* globals */ + char * prog_name; + int auth_debug =0; +@@ -40,6 +45,7 @@ char k5login_path[MAXPATHLEN]; + char k5users_path[MAXPATHLEN]; + char * gb_err = NULL; + int quiet = 0; ++int force_fork = 0; + /***********/ + + #define _DEF_CSH "/bin/csh" +@@ -586,6 +592,25 @@ main (argc, argv) + prog_name,target_user,client_name, + source_user,ontty()); + ++#ifdef USE_PAM ++ if (appl_pam_enabled(ksu_context, "ksu")) { ++ if (appl_pam_acct_mgmt(KSU_PAM_SERVICE, 1, target_user, NULL, ++ NULL, source_user, ++ ttyname(STDERR_FILENO)) != 0) { ++ fprintf(stderr, "Access denied for %s.\n", target_user); ++ sweep_up(ksu_context, cc_target); ++ exit(1); ++ } ++ if (appl_pam_requires_chauthtok()) { ++ fprintf(stderr, "Password change required for %s.\n", ++ target_user); ++ sweep_up(ksu_context, cc_target); ++ exit(1); ++ } ++ force_fork++; ++ } ++#endif ++ + /* Run authorization as target.*/ + if (krb5_seteuid(target_uid)) { + com_err(prog_name, errno, "while switching to target for authorization check"); +@@ -792,7 +817,7 @@ main (argc, argv) + fprintf(stderr, "program to be execed %s\n",params[0]); + } + +- if( keep_target_cache ) { ++ if( keep_target_cache && !force_fork ) { + execv(params[0], params); + com_err(prog_name, errno, "while trying to execv %s", + params[0]); +@@ -800,6 +825,33 @@ main (argc, argv) + exit(1); + }else{ + statusp = 1; ++ ++#ifdef USE_PAM ++ if (appl_pam_enabled(ksu_context, "ksu")) { ++ if (appl_pam_session_open() != 0) { ++ fprintf(stderr, "Error opening session for %s.\n", target_user); ++ sweep_up(ksu_context, cc_target); ++ exit(1); ++ } ++#ifdef DEBUG ++ if (auth_debug){ ++ printf(" Opened PAM session.\n"); ++ } ++#endif ++ if 
(appl_pam_cred_init()) { ++ fprintf(stderr, "Error initializing credentials for %s.\n", ++ target_user); ++ sweep_up(ksu_context, cc_target); ++ exit(1); ++ } ++#ifdef DEBUG ++ if (auth_debug){ ++ printf(" Initialized PAM credentials.\n"); ++ } ++#endif ++ } ++#endif ++ + switch ((child_pid = fork())) { + default: + if (auth_debug){ +@@ -823,15 +875,34 @@ main (argc, argv) + if (ret_pid == -1) { + com_err(prog_name, errno, "while calling waitpid"); + } +- sweep_up(ksu_context, cc_target); ++ if( !keep_target_cache ) { ++ sweep_up(ksu_context, cc_target); ++ } + exit (statusp); + case -1: + com_err(prog_name, errno, "while trying to fork."); + sweep_up(ksu_context, cc_target); + exit (1); + case 0: ++#ifdef USE_PAM ++ if (appl_pam_enabled(ksu_context, "ksu")) { ++ if (appl_pam_setenv() != 0) { ++ fprintf(stderr, "Error setting up environment for %s.\n", ++ target_user); ++ exit (1); ++ } ++#ifdef DEBUG ++ if (auth_debug){ ++ printf(" Set up PAM environment.\n"); ++ } ++#endif ++ } ++#endif + execv(params[0], params); + com_err(prog_name, errno, "while trying to execv %s", params[0]); ++ if( keep_target_cache ) { ++ sweep_up(ksu_context, cc_target); ++ } + exit (1); + } + } +diff -up krb5-1.8/src/clients/ksu/Makefile.in.pam krb5-1.8/src/clients/ksu/Makefile.in +--- krb5-1.8/src/clients/ksu/Makefile.in.pam 2009-11-22 13:13:29.000000000 -0500 ++++ krb5-1.8/src/clients/ksu/Makefile.in 2010-03-05 11:55:14.000000000 -0500 +@@ -7,12 +7,14 @@ + PROG_RPATH=$(KRB5_LIBDIR) + + KSU_LIBS=@KSU_LIBS@ ++PAM_LIBS=@PAM_LIBS@ + + SRCS = \ + $(srcdir)/krb_auth_su.c \ + $(srcdir)/ccache.c \ + $(srcdir)/authorization.c \ + $(srcdir)/main.c \ ++ $(srcdir)/pam.c \ + $(srcdir)/heuristic.c \ + $(srcdir)/xmalloc.c \ + $(srcdir)/setenv.c +@@ -21,13 +23,17 @@ OBJS = \ + ccache.o \ + authorization.o \ + main.o \ ++ pam.o \ + heuristic.o \ + xmalloc.o @SETENVOBJ@ + + all:: ksu + + ksu: $(OBJS) $(KRB5_BASE_DEPLIBS) +- $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS) ++ $(CC_LINK) -o $@ 
$(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS) $(PAM_LIBS) ++ ++pam.o: pam.c ++ $(CC) $(ALL_CFLAGS) -c $< + + clean:: + $(RM) ksu +diff -up krb5-1.8/src/clients/ksu/pam.c.pam krb5-1.8/src/clients/ksu/pam.c +--- krb5-1.8/src/clients/ksu/pam.c.pam 2010-03-05 10:48:08.000000000 -0500 ++++ krb5-1.8/src/clients/ksu/pam.c 2010-03-05 10:48:08.000000000 -0500 +@@ -0,0 +1,389 @@ ++/* ++ * src/clients/ksu/pam.c ++ * ++ * Copyright 2007,2009,2010 Red Hat, Inc. ++ * ++ * All Rights Reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions are met: ++ * ++ * Redistributions of source code must retain the above copyright notice, this ++ * list of conditions and the following disclaimer. ++ * ++ * Redistributions in binary form must reproduce the above copyright notice, ++ * this list of conditions and the following disclaimer in the documentation ++ * and/or other materials provided with the distribution. ++ * ++ * Neither the name of Red Hat, Inc. nor the names of its contributors may be ++ * used to endorse or promote products derived from this software without ++ * specific prior written permission. ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" ++ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ++ * ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE ++ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR ++ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF ++ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS ++ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN ++ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE ++ * POSSIBILITY OF SUCH DAMAGE. ++ * ++ * Convenience wrappers for using PAM. ++ */ ++ ++#include "autoconf.h" ++#ifdef USE_PAM ++#include ++#include ++#include ++#include ++#include ++#include "k5-int.h" ++#include "pam.h" ++ ++#ifndef MAXPWSIZE ++#define MAXPWSIZE 128 ++#endif ++ ++static int appl_pam_started; ++static pid_t appl_pam_starter = -1; ++static int appl_pam_session_opened; ++static int appl_pam_creds_initialized; ++static int appl_pam_pwchange_required; ++static pam_handle_t *appl_pamh; ++static struct pam_conv appl_pam_conv; ++static char *appl_pam_user; ++struct appl_pam_non_interactive_args { ++ const char *user; ++ const char *password; ++}; ++ ++int ++appl_pam_enabled(krb5_context context, const char *section) ++{ ++ int enabled = 1; ++ if ((context != NULL) && (context->profile != NULL)) { ++ if (profile_get_boolean(context->profile, ++ section, ++ USE_PAM_CONFIGURATION_KEYWORD, ++ NULL, ++ enabled, &enabled) != 0) { ++ enabled = 1; ++ } ++ } ++ return enabled; ++} ++ ++void ++appl_pam_cleanup(void) ++{ ++ if (getpid() != appl_pam_starter) { ++ return; ++ } ++#ifdef DEBUG ++ printf("Called to clean up PAM.\n"); ++#endif ++ if (appl_pam_creds_initialized) { ++#ifdef DEBUG ++ printf("Deleting PAM credentials.\n"); ++#endif ++ pam_setcred(appl_pamh, PAM_DELETE_CRED); ++ appl_pam_creds_initialized = 0; ++ } ++ if (appl_pam_session_opened) { ++#ifdef DEBUG ++ printf("Closing PAM session.\n"); ++#endif ++ pam_close_session(appl_pamh, 0); ++ 
appl_pam_session_opened = 0; ++ } ++ appl_pam_pwchange_required = 0; ++ if (appl_pam_started) { ++#ifdef DEBUG ++ printf("Shutting down PAM.\n"); ++#endif ++ pam_end(appl_pamh, 0); ++ appl_pam_started = 0; ++ appl_pam_starter = -1; ++ free(appl_pam_user); ++ appl_pam_user = NULL; ++ } ++} ++static int ++appl_pam_interactive_converse(int num_msg, const struct pam_message **msg, ++ struct pam_response **presp, void *appdata_ptr) ++{ ++ const struct pam_message *message; ++ struct pam_response *resp; ++ int i, code; ++ char *pwstring, pwbuf[MAXPWSIZE]; ++ unsigned int pwsize; ++ resp = malloc(sizeof(struct pam_response) * num_msg); ++ if (resp == NULL) { ++ return PAM_BUF_ERR; ++ } ++ memset(resp, 0, sizeof(struct pam_response) * num_msg); ++ code = PAM_SUCCESS; ++ for (i = 0; i < num_msg; i++) { ++ message = &(msg[0][i]); /* XXX */ ++ message = msg[i]; /* XXX */ ++ pwstring = NULL; ++ switch (message->msg_style) { ++ case PAM_TEXT_INFO: ++ case PAM_ERROR_MSG: ++ printf("[%s]\n", message->msg ? message->msg : ""); ++ fflush(stdout); ++ resp[i].resp = NULL; ++ resp[i].resp_retcode = PAM_SUCCESS; ++ break; ++ case PAM_PROMPT_ECHO_ON: ++ case PAM_PROMPT_ECHO_OFF: ++ if (message->msg_style == PAM_PROMPT_ECHO_ON) { ++ if (fgets(pwbuf, sizeof(pwbuf), ++ stdin) != NULL) { ++ pwbuf[strcspn(pwbuf, "\r\n")] = '\0'; ++ pwstring = pwbuf; ++ } ++ } else { ++ pwstring = getpass(message->msg ? 
++ message->msg : ++ ""); ++ } ++ if ((pwstring != NULL) && (pwstring[0] != '\0')) { ++ pwsize = strlen(pwstring); ++ resp[i].resp = malloc(pwsize + 1); ++ if (resp[i].resp == NULL) { ++ resp[i].resp_retcode = PAM_BUF_ERR; ++ } else { ++ memcpy(resp[i].resp, pwstring, pwsize); ++ resp[i].resp[pwsize] = '\0'; ++ resp[i].resp_retcode = PAM_SUCCESS; ++ } ++ } else { ++ resp[i].resp_retcode = PAM_CONV_ERR; ++ code = PAM_CONV_ERR; ++ } ++ break; ++ default: ++ break; ++ } ++ } ++ *presp = resp; ++ return code; ++} ++static int ++appl_pam_non_interactive_converse(int num_msg, ++ const struct pam_message **msg, ++ struct pam_response **presp, ++ void *appdata_ptr) ++{ ++ const struct pam_message *message; ++ struct pam_response *resp; ++ int i, code; ++ unsigned int pwsize; ++ struct appl_pam_non_interactive_args *args; ++ const char *pwstring; ++ resp = malloc(sizeof(struct pam_response) * num_msg); ++ if (resp == NULL) { ++ return PAM_BUF_ERR; ++ } ++ args = appdata_ptr; ++ memset(resp, 0, sizeof(struct pam_response) * num_msg); ++ code = PAM_SUCCESS; ++ for (i = 0; i < num_msg; i++) { ++ message = &((*msg)[i]); ++ message = msg[i]; ++ pwstring = NULL; ++ switch (message->msg_style) { ++ case PAM_TEXT_INFO: ++ case PAM_ERROR_MSG: ++ break; ++ case PAM_PROMPT_ECHO_ON: ++ case PAM_PROMPT_ECHO_OFF: ++ if (message->msg_style == PAM_PROMPT_ECHO_ON) { ++ /* assume "user" */ ++ pwstring = args->user; ++ } else { ++ /* assume "password" */ ++ pwstring = args->password; ++ } ++ if ((pwstring != NULL) && (pwstring[0] != '\0')) { ++ pwsize = strlen(pwstring); ++ resp[i].resp = malloc(pwsize + 1); ++ if (resp[i].resp == NULL) { ++ resp[i].resp_retcode = PAM_BUF_ERR; ++ } else { ++ memcpy(resp[i].resp, pwstring, pwsize); ++ resp[i].resp[pwsize] = '\0'; ++ resp[i].resp_retcode = PAM_SUCCESS; ++ } ++ } else { ++ resp[i].resp_retcode = PAM_CONV_ERR; ++ code = PAM_CONV_ERR; ++ } ++ break; ++ default: ++ break; ++ } ++ } ++ *presp = resp; ++ return code; ++} ++static int 
++appl_pam_start(const char *service, int interactive, ++ const char *login_username, ++ const char *non_interactive_password, ++ const char *hostname, ++ const char *ruser, ++ const char *tty) ++{ ++ static int exit_handler_registered; ++ static struct appl_pam_non_interactive_args args; ++ int ret = 0; ++ if (appl_pam_started && ++ (strcmp(login_username, appl_pam_user) != 0)) { ++ appl_pam_cleanup(); ++ appl_pam_user = NULL; ++ } ++ if (!appl_pam_started) { ++#ifdef DEBUG ++ printf("Starting PAM up (service=\"%s\",user=\"%s\").\n", ++ service, login_username); ++#endif ++ memset(&appl_pam_conv, 0, sizeof(appl_pam_conv)); ++ appl_pam_conv.conv = interactive ? ++ &appl_pam_interactive_converse : ++ &appl_pam_non_interactive_converse; ++ memset(&args, 0, sizeof(args)); ++ args.user = strdup(login_username); ++ args.password = non_interactive_password ? ++ strdup(non_interactive_password) : ++ NULL; ++ appl_pam_conv.appdata_ptr = &args; ++ ret = pam_start(service, login_username, ++ &appl_pam_conv, &appl_pamh); ++ if (ret == 0) { ++ if (hostname != NULL) { ++#ifdef DEBUG ++ printf("Setting PAM_RHOST to \"%s\".\n", hostname); ++#endif ++ pam_set_item(appl_pamh, PAM_RHOST, hostname); ++ } ++ if (ruser != NULL) { ++#ifdef DEBUG ++ printf("Setting PAM_RUSER to \"%s\".\n", ruser); ++#endif ++ pam_set_item(appl_pamh, PAM_RUSER, ruser); ++ } ++ if (tty != NULL) { ++#ifdef DEBUG ++ printf("Setting PAM_TTY to \"%s\".\n", tty); ++#endif ++ pam_set_item(appl_pamh, PAM_TTY, tty); ++ } ++ if (!exit_handler_registered && ++ (atexit(appl_pam_cleanup) != 0)) { ++ pam_end(appl_pamh, 0); ++ appl_pamh = NULL; ++ ret = -1; ++ } else { ++ appl_pam_started = 1; ++ appl_pam_starter = getpid(); ++ appl_pam_user = strdup(login_username); ++ exit_handler_registered = 1; ++ } ++ } ++ } ++ return ret; ++} ++int ++appl_pam_acct_mgmt(const char *service, int interactive, ++ const char *login_username, ++ const char *non_interactive_password, ++ const char *hostname, ++ const char *ruser, ++ 
const char *tty) ++{ ++ int ret; ++ appl_pam_pwchange_required = 0; ++ ret = appl_pam_start(service, interactive, login_username, ++ non_interactive_password, hostname, ruser, tty); ++ if (ret == 0) { ++#ifdef DEBUG ++ printf("Calling pam_acct_mgmt().\n"); ++#endif ++ ret = pam_acct_mgmt(appl_pamh, 0); ++ switch (ret) { ++ case PAM_IGNORE: ++ ret = 0; ++ break; ++ case PAM_NEW_AUTHTOK_REQD: ++ appl_pam_pwchange_required = 1; ++ ret = 0; ++ break; ++ default: ++ break; ++ } ++ } ++ return ret; ++} ++int ++appl_pam_requires_chauthtok(void) ++{ ++ return appl_pam_pwchange_required; ++} ++int ++appl_pam_session_open(void) ++{ ++ int ret = 0; ++ if (appl_pam_started) { ++#ifdef DEBUG ++ printf("Opening PAM session.\n"); ++#endif ++ ret = pam_open_session(appl_pamh, 0); ++ if (ret == 0) { ++ appl_pam_session_opened = 1; ++ } ++ } ++ return ret; ++} ++int ++appl_pam_setenv(void) ++{ ++ int ret = 0; ++#ifdef HAVE_PAM_GETENVLIST ++#ifdef HAVE_PUTENV ++ int i; ++ char **list; ++ if (appl_pam_started) { ++ list = pam_getenvlist(appl_pamh); ++ for (i = 0; ((list != NULL) && (list[i] != NULL)); i++) { ++#ifdef DEBUG ++ printf("Setting \"%s\" in environment.\n", list[i]); ++#endif ++ putenv(list[i]); ++ } ++ } ++#endif ++#endif ++ return ret; ++} ++int ++appl_pam_cred_init(void) ++{ ++ int ret = 0; ++ if (appl_pam_started) { ++#ifdef DEBUG ++ printf("Initializing PAM credentials.\n"); ++#endif ++ ret = pam_setcred(appl_pamh, PAM_ESTABLISH_CRED); ++ if (ret == 0) { ++ appl_pam_creds_initialized = 1; ++ } ++ } ++ return ret; ++} ++#endif +diff -up krb5-1.8/src/clients/ksu/pam.h.pam krb5-1.8/src/clients/ksu/pam.h +--- krb5-1.8/src/clients/ksu/pam.h.pam 2010-03-05 10:48:08.000000000 -0500 ++++ krb5-1.8/src/clients/ksu/pam.h 2010-03-05 10:48:08.000000000 -0500 +@@ -0,0 +1,57 @@ ++/* ++ * src/clients/ksu/pam.h ++ * ++ * Copyright 2007,2009,2010 Red Hat, Inc. ++ * ++ * All Rights Reserved. 
++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions are met: ++ * ++ * Redistributions of source code must retain the above copyright notice, this ++ * list of conditions and the following disclaimer. ++ * ++ * Redistributions in binary form must reproduce the above copyright notice, ++ * this list of conditions and the following disclaimer in the documentation ++ * and/or other materials provided with the distribution. ++ * ++ * Neither the name of Red Hat, Inc. nor the names of its contributors may be ++ * used to endorse or promote products derived from this software without ++ * specific prior written permission. ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" ++ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ++ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE ++ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR ++ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF ++ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS ++ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN ++ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE ++ * POSSIBILITY OF SUCH DAMAGE. ++ * ++ * Convenience wrappers for using PAM. 
++ */ ++ ++#include ++#ifdef HAVE_SECURITY_PAM_APPL_H ++#include ++#endif ++ ++#define USE_PAM_CONFIGURATION_KEYWORD "use_pam" ++ ++#ifdef USE_PAM ++int appl_pam_enabled(krb5_context context, const char *section); ++int appl_pam_acct_mgmt(const char *service, int interactive, ++ const char *local_username, ++ const char *non_interactive_password, ++ const char *hostname, ++ const char *ruser, ++ const char *tty); ++int appl_pam_requires_chauthtok(void); ++int appl_pam_session_open(void); ++int appl_pam_setenv(void); ++int appl_pam_cred_init(void); ++void appl_pam_cleanup(void); ++#endif +diff -up krb5-1.8/src/configure.in.pam krb5-1.8/src/configure.in +--- krb5-1.8/src/configure.in.pam 2009-12-31 18:13:56.000000000 -0500 ++++ krb5-1.8/src/configure.in 2010-03-05 10:48:08.000000000 -0500 +@@ -1051,6 +1051,8 @@ if test "$ac_cv_lib_socket" = "yes" -a " + AC_DEFINE(BROKEN_STREAMS_SOCKETS,1,[Define if socket can't be bound to 0.0.0.0]) + fi + ++KRB5_WITH_PAM ++ + AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config]) + V5_AC_OUTPUT_MAKEFILE(. + diff --git a/krb5-1.7-selinux-label.patch b/krb5-1.8-selinux-label.patch similarity index 60% rename from krb5-1.7-selinux-label.patch rename to krb5-1.8-selinux-label.patch index 0e967a6..f06f837 100644 --- a/krb5-1.7-selinux-label.patch +++ b/krb5-1.8-selinux-label.patch @@ -31,9 +31,9 @@ The selabel APIs for looking up the context should be thread-safe (per Red Hat #273081), so switching to using them instead of matchpathcon(), which we used earlier, is some improvement. -diff -up krb5-1.7/src/aclocal.m4 krb5-1.7/src/aclocal.m4 ---- krb5-1.7/src/aclocal.m4 2009-06-04 13:47:20.000000000 -0400 -+++ krb5-1.7/src/aclocal.m4 2009-06-04 13:47:20.000000000 -0400 +diff -up krb5-1.8/src/aclocal.m4.selinux-label krb5-1.8/src/aclocal.m4 +--- krb5-1.8/src/aclocal.m4.selinux-label 2010-03-05 10:57:23.000000000 -0500 ++++ krb5-1.8/src/aclocal.m4 2010-03-05 10:57:23.000000000 -0500 
@@ -103,6 +103,7 @@ AC_SUBST_FILE(libnodeps_frag) dnl KRB5_AC_PRAGMA_WEAK_REF @@ -42,7 +42,7 @@ diff -up krb5-1.7/src/aclocal.m4 krb5-1.7/src/aclocal.m4 KRB5_LIB_PARAMS KRB5_AC_INITFINI KRB5_AC_ENABLE_THREADS -@@ -1876,3 +1877,53 @@ AC_SUBST(PAM_LIBS) +@@ -1791,3 +1792,53 @@ AC_SUBST(manlocalstatedir) AC_SUBST(manlibexecdir) AC_CONFIG_FILES($1) ]) 
@@ -96,51 +96,18 @@ diff -up krb5-1.7/src/aclocal.m4 krb5-1.7/src/aclocal.m4 +LIBS="$old_LIBS" +AC_SUBST(SELINUX_LIBS) +])dnl -diff -up krb5-1.7/src/appl/bsd/configure.in krb5-1.7/src/appl/bsd/configure.in ---- krb5-1.7/src/appl/bsd/configure.in 2009-06-04 13:47:20.000000000 -0400 -+++ krb5-1.7/src/appl/bsd/configure.in 2009-06-04 13:47:20.000000000 -0400 -@@ -25,6 +25,7 @@ AC_CHECK_LIB(odm,main, - LOGINLIBS="$LOGINLIBS -lodm -ls -lcfg" - ))) - KRB5_WITH_PAM -+KRB5_WITH_SELINUX - dnl - dnl Make our operating system-specific security checks and definitions for - dnl login. -diff -up krb5-1.7/src/appl/gssftp/configure.in krb5-1.7/src/appl/gssftp/configure.in ---- krb5-1.7/src/appl/gssftp/configure.in 2009-06-04 13:47:20.000000000 -0400 -+++ krb5-1.7/src/appl/gssftp/configure.in 2009-06-04 13:47:20.000000000 -0400 -@@ -18,6 +18,7 @@ AC_REPLACE_FUNCS(getdtablesize) - AC_CHECK_FUNCS(getcwd getdtablesize getusershell seteuid setreuid setresuid strerror getenv) - AC_CHECK_LIB(crypt,crypt) dnl - KRB5_WITH_PAM -+KRB5_WITH_SELINUX - KRB5_AC_LIBUTIL - dnl - dnl copied from appl/bsd/configure.in -diff -up krb5-1.7/src/appl/telnet/configure.in krb5-1.7/src/appl/telnet/configure.in ---- krb5-1.7/src/appl/telnet/configure.in 2008-12-15 15:31:53.000000000 -0500 -+++ krb5-1.7/src/appl/telnet/configure.in 2009-06-04 13:47:20.000000000 -0400 -@@ -151,6 +151,7 @@ AC_MSG_RESULT($krb5_cv_sys_setpgrp_two) - if test $krb5_cv_sys_setpgrp_two = yes; then - AC_DEFINE(SETPGRP_TWOARG,1,[Define if setpgrp takes two arguments]) - fi -+KRB5_WITH_SELINUX - dnl - KRB5_NEED_PROTO([#include ],unsetenv,1) - dnl KRB5_NEED_PROTO([#include ],setenv,1) -diff -up krb5-1.7/src/config/pre.in krb5-1.7/src/config/pre.in ---- krb5-1.7/src/config/pre.in 2009-06-04 13:47:20.000000000 -0400 -+++ krb5-1.7/src/config/pre.in 2009-06-04 13:47:20.000000000 -0400 -@@ -182,6 +182,7 @@ LD_SHLIBDIR_PREFIX = @LD_SHLIBDIR_PREFIX +diff -up krb5-1.8/src/config/pre.in.selinux-label krb5-1.8/src/config/pre.in +--- 
krb5-1.8/src/config/pre.in.selinux-label 2010-03-05 10:57:23.000000000 -0500 ++++ krb5-1.8/src/config/pre.in 2010-03-05 10:57:23.000000000 -0500 +@@ -180,6 +180,7 @@ LD_UNRESOLVED_PREFIX = @LD_UNRESOLVED_PREFIX@ + LD_SHLIBDIR_PREFIX = @LD_SHLIBDIR_PREFIX@ LDARGS = @LDARGS@ LIBS = @LIBS@ - PAM_LIBS = @PAM_LIBS@ +SELINUX_LIBS=@SELINUX_LIBS@ INSTALL=@INSTALL@ INSTALL_STRIP= -@@ -382,7 +383,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME) +@@ -379,7 +380,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME) # HESIOD_LIBS is -lhesiod... HESIOD_LIBS = @HESIOD_LIBS@ @@ -149,10 +116,10 @@ diff -up krb5-1.7/src/config/pre.in krb5-1.7/src/config/pre.in KDB5_LIBS = $(KDB5_LIB) $(GSSRPC_LIBS) GSS_LIBS = $(GSS_KRB5_LIB) # needs fixing if ever used on Mac OS X! -diff -up krb5-1.7/src/configure.in krb5-1.7/src/configure.in ---- krb5-1.7/src/configure.in 2009-06-04 13:47:20.000000000 -0400 -+++ krb5-1.7/src/configure.in 2009-06-04 13:47:20.000000000 -0400 -@@ -1042,6 +1042,8 @@ AC_CONFIG_SUBDIRS(appl/libpty appl/bsd a +diff -up krb5-1.8/src/configure.in.selinux-label krb5-1.8/src/configure.in +--- krb5-1.8/src/configure.in.selinux-label 2010-03-05 10:57:23.000000000 -0500 ++++ krb5-1.8/src/configure.in 2010-03-05 10:57:23.000000000 -0500 +@@ -1053,6 +1053,8 @@ fi KRB5_WITH_PAM 
@@ -161,47 +128,10 @@ diff -up krb5-1.7/src/configure.in krb5-1.7/src/configure.in AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config]) V5_AC_OUTPUT_MANPAGE([ -diff -up krb5-1.7/src/include/autoconf.h.in krb5-1.7/src/include/autoconf.h.in ---- krb5-1.7/src/include/autoconf.h.in 2009-06-01 20:58:35.000000000 -0400 -+++ krb5-1.7/src/include/autoconf.h.in 2009-06-04 13:47:20.000000000 -0400 -@@ -389,6 +389,12 @@ - /* Define to 1 if you have the `sched_yield' function. */ - #undef HAVE_SCHED_YIELD - -+/* Define to 1 if you have the header file. */ -+#undef HAVE_SELINUX_LABEL_H -+ -+/* Define to 1 if you have the header file. */ -+#undef HAVE_SELINUX_SELINUX_H -+ - /* Define to 1 if you have the header file. */ - #undef HAVE_SEMAPHORE_H - -@@ -401,6 +407,9 @@ - /* Define to 1 if you have the `setegid' function. */ - #undef HAVE_SETEGID - -+/* Define to 1 if you have the `setfscreatecon' function. */ -+#undef HAVE_SETFSCREATECON -+ - /* Define to 1 if you have the `setenv' function. */ - #undef HAVE_SETENV - -@@ -768,6 +777,10 @@ - /* Define if the KDC should use a replay cache */ - #undef USE_RCACHE - -+/* Define if Kerberos-aware tools should set SELinux file contexts when -+ creating files. */ -+#undef USE_SELINUX -+ - /* Define if sigprocmask should be used */ - #undef USE_SIGPROCMASK - -diff -up krb5-1.7/src/include/k5-int.h krb5-1.7/src/include/k5-int.h ---- krb5-1.7/src/include/k5-int.h 2009-05-11 16:56:53.000000000 -0400 -+++ krb5-1.7/src/include/k5-int.h 2009-06-04 13:47:20.000000000 -0400 -@@ -132,6 +132,7 @@ typedef unsigned char u_char; +diff -up krb5-1.8/src/include/k5-int.h.selinux-label krb5-1.8/src/include/k5-int.h +--- krb5-1.8/src/include/k5-int.h.selinux-label 2010-01-04 14:59:16.000000000 -0500 ++++ krb5-1.8/src/include/k5-int.h 2010-03-05 10:57:23.000000000 -0500 +@@ -133,6 +133,7 @@ typedef unsigned char u_char; typedef UINT64_TYPE krb5_ui_8; typedef INT64_TYPE krb5_int64; 
@@ -209,16 +139,19 @@ diff -up krb5-1.7/src/include/k5-int.h krb5-1.7/src/include/k5-int.h #define DEFAULT_PWD_STRING1 "Enter password" #define DEFAULT_PWD_STRING2 "Re-enter password for verification" -diff -up /dev/null krb5-1.7/src/include/k5-label.h ---- /dev/null 2009-06-04 10:34:55.169007373 -0400 -+++ krb5-1.7/src/include/k5-label.h 2009-06-04 13:47:20.000000000 -0400 -@@ -0,0 +1,27 @@ +diff -up krb5-1.8/src/include/k5-label.h.selinux-label krb5-1.8/src/include/k5-label.h +--- krb5-1.8/src/include/k5-label.h.selinux-label 2010-03-05 10:57:23.000000000 -0500 ++++ krb5-1.8/src/include/k5-label.h 2010-03-05 10:57:23.000000000 -0500 +@@ -0,0 +1,30 @@ +#ifndef _KRB5_LABEL_H +#define _KRB5_LABEL_H + +#ifdef THREEPARAMOPEN +#undef THREEPARAMOPEN +#endif ++#ifdef WRITABLEFOPEN ++#undef WRITABLEFOPEN ++#endif + +/* Wrapper functions which help us create files and directories with the right + * context labels. */ @@ -240,9 +173,9 @@ diff -up /dev/null krb5-1.7/src/include/k5-label.h +#define THREEPARAMOPEN(x,y,z) open(x,y,z) +#endif +#endif -diff -up krb5-1.7/src/include/krb5/krb5.hin krb5-1.7/src/include/krb5/krb5.hin ---- krb5-1.7/src/include/krb5/krb5.hin 2009-04-15 16:07:03.000000000 -0400 -+++ krb5-1.7/src/include/krb5/krb5.hin 2009-06-04 13:47:20.000000000 -0400 +diff -up krb5-1.8/src/include/krb5/krb5.hin.selinux-label krb5-1.8/src/include/krb5/krb5.hin +--- krb5-1.8/src/include/krb5/krb5.hin.selinux-label 2010-01-21 17:49:07.000000000 -0500 ++++ krb5-1.8/src/include/krb5/krb5.hin 2010-03-05 10:57:23.000000000 -0500 @@ -87,6 +87,12 @@ #define THREEPARAMOPEN(x,y,z) open(x,y,z) #endif 
@@ -256,21 +189,21 @@ diff -up krb5-1.7/src/include/krb5/krb5.hin krb5-1.7/src/include/krb5/krb5.hin #define KRB5_OLD_CRYPTO #include -diff -up krb5-1.7/src/kadmin/dbutil/dump.c krb5-1.7/src/kadmin/dbutil/dump.c ---- krb5-1.7/src/kadmin/dbutil/dump.c 2009-01-30 18:55:14.000000000 -0500 -+++ krb5-1.7/src/kadmin/dbutil/dump.c 2009-06-04 13:47:20.000000000 -0400 -@@ -1219,7 +1219,7 @@ dump_db(argc, argv) - * want to get into. - */ - unlink(ofile); -- if (!(f = fopen(ofile, "w"))) { -+ if (!(f = WRITABLEFOPEN(ofile, "w"))) { - fprintf(stderr, ofopen_error, - progname, ofile, error_message(errno)); - exit_status++; -diff -up krb5-1.7/src/krb5-config.in krb5-1.7/src/krb5-config.in ---- krb5-1.7/src/krb5-config.in 2008-12-18 13:31:16.000000000 -0500 -+++ krb5-1.7/src/krb5-config.in 2009-06-04 13:47:20.000000000 -0400 +diff -up krb5-1.8/src/kadmin/dbutil/dump.c.selinux-label krb5-1.8/src/kadmin/dbutil/dump.c +--- krb5-1.8/src/kadmin/dbutil/dump.c.selinux-label 2009-10-30 20:48:38.000000000 -0400 ++++ krb5-1.8/src/kadmin/dbutil/dump.c 2010-03-05 10:57:23.000000000 -0500 +@@ -1274,7 +1274,7 @@ dump_db(argc, argv) + * want to get into. + */ + unlink(ofile); +- if (!(f = fopen(ofile, "w"))) { ++ if (!(f = WRITABLEFOPEN(ofile, "w"))) { + fprintf(stderr, ofopen_error, + progname, ofile, error_message(errno)); + exit_status++; +diff -up krb5-1.8/src/krb5-config.in.selinux-label krb5-1.8/src/krb5-config.in +--- krb5-1.8/src/krb5-config.in.selinux-label 2010-01-21 17:49:01.000000000 -0500 ++++ krb5-1.8/src/krb5-config.in 2010-03-05 10:57:23.000000000 -0500 @@ -38,6 +38,7 @@ RPATH_FLAG='@RPATH_FLAG@' PROG_RPATH_FLAGS='@PROG_RPATH_FLAGS@' PTHREAD_CFLAGS='@PTHREAD_CFLAGS@' 
@@ -288,95 +221,95 @@ diff -up krb5-1.7/src/krb5-config.in krb5-1.7/src/krb5-config.in fi echo $lib_flags -diff -up krb5-1.7/src/lib/kadm5/logger.c krb5-1.7/src/lib/kadm5/logger.c ---- krb5-1.7/src/lib/kadm5/logger.c 2008-12-29 18:01:15.000000000 -0500 -+++ krb5-1.7/src/lib/kadm5/logger.c 2009-06-04 13:47:20.000000000 -0400 -@@ -421,7 +421,7 @@ krb5_klog_init(krb5_context kcontext, ch - * Check for append/overwrite, then open the file. - */ - if (cp[4] == ':' || cp[4] == '=') { -- f = fopen(&cp[5], (cp[4] == ':') ? "a" : "w"); -+ f = WRITABLEFOPEN(&cp[5], (cp[4] == ':') ? "a" : "w"); - if (f) { - set_cloexec_file(f); - log_control.log_entries[i].lfu_filep = f; -@@ -954,7 +954,7 @@ krb5_klog_reopen(krb5_context kcontext) - * In case the old logfile did not get moved out of the - * way, open for append to prevent squashing the old logs. - */ -- f = fopen(log_control.log_entries[lindex].lfu_fname, "a+"); -+ f = WRITABLEFOPEN(log_control.log_entries[lindex].lfu_fname, "a+"); - if (f) { - set_cloexec_file(f); - log_control.log_entries[lindex].lfu_filep = f; -diff -up krb5-1.7/src/lib/krb5/keytab/kt_file.c krb5-1.7/src/lib/krb5/keytab/kt_file.c ---- krb5-1.7/src/lib/krb5/keytab/kt_file.c 2009-05-11 16:55:22.000000000 -0400 -+++ krb5-1.7/src/lib/krb5/keytab/kt_file.c 2009-06-04 13:47:20.000000000 -0400 -@@ -1094,7 +1094,7 @@ krb5_ktfileint_open(krb5_context context +diff -up krb5-1.8/src/lib/kadm5/logger.c.selinux-label krb5-1.8/src/lib/kadm5/logger.c +--- krb5-1.8/src/lib/kadm5/logger.c.selinux-label 2009-12-28 21:42:51.000000000 -0500 ++++ krb5-1.8/src/lib/kadm5/logger.c 2010-03-05 10:57:23.000000000 -0500 +@@ -425,7 +425,7 @@ krb5_klog_init(krb5_context kcontext, ch + * Check for append/overwrite, then open the file. + */ + if (cp[4] == ':' || cp[4] == '=') { +- f = fopen(&cp[5], (cp[4] == ':') ? "a" : "w"); ++ f = WRITABLEFOPEN(&cp[5], (cp[4] == ':') ? 
"a" : "w"); + if (f) { + set_cloexec_file(f); + log_control.log_entries[i].lfu_filep = f; +@@ -961,7 +961,7 @@ krb5_klog_reopen(krb5_context kcontext) + * In case the old logfile did not get moved out of the + * way, open for append to prevent squashing the old logs. + */ +- f = fopen(log_control.log_entries[lindex].lfu_fname, "a+"); ++ f = WRITABLEFOPEN(log_control.log_entries[lindex].lfu_fname, "a+"); + if (f) { + set_cloexec_file(f); + log_control.log_entries[lindex].lfu_filep = f; +diff -up krb5-1.8/src/lib/krb5/keytab/kt_file.c.selinux-label krb5-1.8/src/lib/krb5/keytab/kt_file.c +--- krb5-1.8/src/lib/krb5/keytab/kt_file.c.selinux-label 2009-11-10 14:59:39.000000000 -0500 ++++ krb5-1.8/src/lib/krb5/keytab/kt_file.c 2010-03-05 10:57:23.000000000 -0500 +@@ -1050,7 +1050,7 @@ krb5_ktfileint_open(krb5_context context KTCHECKLOCK(id); errno = 0; - KTFILEP(id) = fopen(KTFILENAME(id), + KTFILEP(id) = WRITABLEFOPEN(KTFILENAME(id), - (mode == KRB5_LOCKMODE_EXCLUSIVE) ? - fopen_mode_rbplus : fopen_mode_rb); + (mode == KRB5_LOCKMODE_EXCLUSIVE) ? 
+ fopen_mode_rbplus : fopen_mode_rb); if (!KTFILEP(id)) { -@@ -1102,7 +1102,7 @@ krb5_ktfileint_open(krb5_context context - /* try making it first time around */ +@@ -1058,7 +1058,7 @@ krb5_ktfileint_open(krb5_context context + /* try making it first time around */ krb5_create_secure_file(context, KTFILENAME(id)); - errno = 0; -- KTFILEP(id) = fopen(KTFILENAME(id), fopen_mode_rbplus); -+ KTFILEP(id) = WRITABLEFOPEN(KTFILENAME(id), fopen_mode_rbplus); - if (!KTFILEP(id)) - goto report_errno; - writevno = 1; -diff -up krb5-1.7/src/plugins/kdb/db2/adb_openclose.c krb5-1.7/src/plugins/kdb/db2/adb_openclose.c ---- krb5-1.7/src/plugins/kdb/db2/adb_openclose.c 2007-10-22 15:18:53.000000000 -0400 -+++ krb5-1.7/src/plugins/kdb/db2/adb_openclose.c 2009-06-04 13:47:20.000000000 -0400 -@@ -198,7 +198,7 @@ krb5_error_code osa_adb_init_db(osa_adb_ - * POSIX systems - */ - lockp->lockinfo.filename = strdup(lockfilename); -- if ((lockp->lockinfo.lockfile = fopen(lockfilename, "r+")) == NULL) { -+ if ((lockp->lockinfo.lockfile = WRITABLEFOPEN(lockfilename, "r+")) == NULL) { - /* - * maybe someone took away write permission so we could only - * get shared locks? 
-diff -up krb5-1.7/src/plugins/kdb/db2/kdb_db2.c krb5-1.7/src/plugins/kdb/db2/kdb_db2.c ---- krb5-1.7/src/plugins/kdb/db2/kdb_db2.c 2009-01-30 20:07:04.000000000 -0500 -+++ krb5-1.7/src/plugins/kdb/db2/kdb_db2.c 2009-06-04 13:47:20.000000000 -0400 -@@ -327,8 +327,8 @@ krb5_db2_db_init(krb5_context context) + errno = 0; +- KTFILEP(id) = fopen(KTFILENAME(id), fopen_mode_rbplus); ++ KTFILEP(id) = WRITABLEFOPEN(KTFILENAME(id), fopen_mode_rbplus); + if (!KTFILEP(id)) + goto report_errno; + writevno = 1; +diff -up krb5-1.8/src/plugins/kdb/db2/adb_openclose.c.selinux-label krb5-1.8/src/plugins/kdb/db2/adb_openclose.c +--- krb5-1.8/src/plugins/kdb/db2/adb_openclose.c.selinux-label 2009-11-24 18:52:25.000000000 -0500 ++++ krb5-1.8/src/plugins/kdb/db2/adb_openclose.c 2010-03-05 10:57:23.000000000 -0500 +@@ -201,7 +201,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char + * POSIX systems + */ + lockp->lockinfo.filename = strdup(lockfilename); +- if ((lockp->lockinfo.lockfile = fopen(lockfilename, "r+")) == NULL) { ++ if ((lockp->lockinfo.lockfile = WRITABLEFOPEN(lockfilename, "r+")) == NULL) { + /* + * maybe someone took away write permission so we could only + * get shared locks? 
+diff -up krb5-1.8/src/plugins/kdb/db2/kdb_db2.c.selinux-label krb5-1.8/src/plugins/kdb/db2/kdb_db2.c
+--- krb5-1.8/src/plugins/kdb/db2/kdb_db2.c.selinux-label 2009-11-25 09:36:05.000000000 -0500
++++ krb5-1.8/src/plugins/kdb/db2/kdb_db2.c 2010-03-05 10:57:23.000000000 -0500
+@@ -326,8 +326,8 @@ krb5_db2_db_init(krb5_context context)
* should be opened read/write so that write locking can work with
* POSIX systems
*/
- if ((db_ctx->db_lf_file = open(filename, O_RDWR, 0666)) < 0) {
-- if ((db_ctx->db_lf_file = open(filename, O_RDONLY, 0666)) < 0) {
+ if ((db_ctx->db_lf_file = THREEPARAMOPEN(filename, O_RDWR, 0666)) < 0) {
++ if ((db_ctx->db_lf_file = THREEPARAMOPEN(filename, O_RDONLY, 0666)) < 0) {
+ retval = errno;
+ goto err_out;
+ }
+@@ -745,7 +745,7 @@ krb5_db2_db_create(krb5_context context,
if (!okname)
- retval = ENOMEM;
+ retval = ENOMEM;
else {
-- fd = open(okname, O_CREAT | O_RDWR | O_TRUNC, 0600);
++ fd = THREEPARAMOPEN(okname, O_CREAT | O_RDWR | O_TRUNC, 0600);
+ if (fd < 0)
+ retval = errno;
+ else
+@@ -1925,7 +1925,7 @@ krb5_db2_db_rename(context, from, to, me
+ retval = ENOMEM;
+ goto errout;
}
- db_ctx->db_lf_file = open(db_ctx->db_lf_name, O_RDWR|O_CREAT, 0600);
+ db_ctx->db_lf_file = THREEPARAMOPEN(db_ctx->db_lf_name, O_RDWR|O_CREAT, 0600);
if (db_ctx->db_lf_file < 0) {
- retval = errno;
- goto errout;
-diff -up krb5-1.7/src/plugins/kdb/db2/libdb2/btree/bt_open.c krb5-1.7/src/plugins/kdb/db2/libdb2/btree/bt_open.c
----
krb5-1.7/src/plugins/kdb/db2/libdb2/btree/bt_open.c 2007-10-22 15:18:53.000000000 -0400 -+++ krb5-1.7/src/plugins/kdb/db2/libdb2/btree/bt_open.c 2009-06-04 13:47:20.000000000 -0400 + retval = errno; + goto errout; +diff -up krb5-1.8/src/plugins/kdb/db2/libdb2/btree/bt_open.c.selinux-label krb5-1.8/src/plugins/kdb/db2/libdb2/btree/bt_open.c +--- krb5-1.8/src/plugins/kdb/db2/libdb2/btree/bt_open.c.selinux-label 2009-10-30 20:48:38.000000000 -0400 ++++ krb5-1.8/src/plugins/kdb/db2/libdb2/btree/bt_open.c 2010-03-05 10:57:23.000000000 -0500 @@ -60,6 +60,7 @@ static char sccsid[] = "@(#)bt_open.c 8. #include "k5-platform.h" /* mkstemp? */ @@ -388,15 +321,15 @@ diff -up krb5-1.7/src/plugins/kdb/db2/libdb2/btree/bt_open.c krb5-1.7/src/plugin @@ -203,7 +204,7 @@ __bt_open(fname, flags, mode, openinfo, goto einval; } - + - if ((t->bt_fd = open(fname, flags | O_BINARY, mode)) < 0) + if ((t->bt_fd = THREEPARAMOPEN(fname, flags | O_BINARY, mode)) < 0) goto err; } else { -diff -up krb5-1.7/src/plugins/kdb/db2/libdb2/hash/hash.c krb5-1.7/src/plugins/kdb/db2/libdb2/hash/hash.c ---- krb5-1.7/src/plugins/kdb/db2/libdb2/hash/hash.c 2009-01-23 13:04:08.000000000 -0500 -+++ krb5-1.7/src/plugins/kdb/db2/libdb2/hash/hash.c 2009-06-04 13:47:20.000000000 -0400 +diff -up krb5-1.8/src/plugins/kdb/db2/libdb2/hash/hash.c.selinux-label krb5-1.8/src/plugins/kdb/db2/libdb2/hash/hash.c +--- krb5-1.8/src/plugins/kdb/db2/libdb2/hash/hash.c.selinux-label 2009-10-30 20:48:38.000000000 -0400 ++++ krb5-1.8/src/plugins/kdb/db2/libdb2/hash/hash.c 2010-03-05 10:57:23.000000000 -0500 @@ -51,6 +51,7 @@ static char sccsid[] = "@(#)hash.c 8.12 #include #endif 
@@ -414,9 +347,9 @@ diff -up krb5-1.7/src/plugins/kdb/db2/libdb2/hash/hash.c krb5-1.7/src/plugins/kd RETURN_ERROR(errno, error0); (void)fcntl(hashp->fp, F_SETFD, 1); } -diff -up krb5-1.7/src/plugins/kdb/db2/libdb2/recno/rec_open.c krb5-1.7/src/plugins/kdb/db2/libdb2/recno/rec_open.c ---- krb5-1.7/src/plugins/kdb/db2/libdb2/recno/rec_open.c 2007-10-22 15:18:53.000000000 -0400 -+++ krb5-1.7/src/plugins/kdb/db2/libdb2/recno/rec_open.c 2009-06-04 13:47:20.000000000 -0400 +diff -up krb5-1.8/src/plugins/kdb/db2/libdb2/recno/rec_open.c.selinux-label krb5-1.8/src/plugins/kdb/db2/libdb2/recno/rec_open.c +--- krb5-1.8/src/plugins/kdb/db2/libdb2/recno/rec_open.c.selinux-label 2007-10-22 15:18:53.000000000 -0400 ++++ krb5-1.8/src/plugins/kdb/db2/libdb2/recno/rec_open.c 2010-03-05 10:57:23.000000000 -0500 @@ -51,6 +51,7 @@ static char sccsid[] = "@(#)rec_open.c 8 #include #include @@ -434,10 +367,10 @@ diff -up krb5-1.7/src/plugins/kdb/db2/libdb2/recno/rec_open.c krb5-1.7/src/plugi return (NULL); if (fname != NULL && fcntl(rfd, F_SETFD, 1) == -1) { -diff -up krb5-1.7/src/plugins/kdb/db2/libdb2/test/Makefile.in krb5-1.7/src/plugins/kdb/db2/libdb2/test/Makefile.in ---- krb5-1.7/src/plugins/kdb/db2/libdb2/test/Makefile.in 2008-08-25 19:08:16.000000000 -0400 -+++ krb5-1.7/src/plugins/kdb/db2/libdb2/test/Makefile.in 2009-06-04 13:47:20.000000000 -0400 -@@ -14,7 +14,8 @@ PROG_RPATH=$(KRB5_LIBDIR) +diff -up krb5-1.8/src/plugins/kdb/db2/libdb2/test/Makefile.in.selinux-label krb5-1.8/src/plugins/kdb/db2/libdb2/test/Makefile.in +--- krb5-1.8/src/plugins/kdb/db2/libdb2/test/Makefile.in.selinux-label 2009-11-22 13:13:29.000000000 -0500 ++++ krb5-1.8/src/plugins/kdb/db2/libdb2/test/Makefile.in 2010-03-05 10:57:23.000000000 -0500 +@@ -12,7 +12,8 @@ PROG_RPATH=$(KRB5_LIBDIR) KRB5_RUN_ENV= @KRB5_RUN_ENV@ 
@@ -447,19 +380,19 @@ diff -up krb5-1.7/src/plugins/kdb/db2/libdb2/test/Makefile.in krb5-1.7/src/plugi DB_DEPLIB = ../libdb$(DEPLIBEXT) all:: -diff -up krb5-1.7/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c krb5-1.7/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c ---- krb5-1.7/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c 2008-12-01 12:09:59.000000000 -0500 -+++ krb5-1.7/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c 2009-06-04 13:47:20.000000000 -0400 -@@ -1096,7 +1096,7 @@ rem_service_entry_from_file(argc, argv, +diff -up krb5-1.8/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c.selinux-label krb5-1.8/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c +--- krb5-1.8/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c.selinux-label 2009-11-24 18:52:25.000000000 -0500 ++++ krb5-1.8/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c 2010-03-05 10:57:23.000000000 -0500 +@@ -1091,7 +1091,7 @@ /* Create a temporary file which contains all the entries except the entry for the given service dn */ - pfile = fopen(file_name, "r+"); + pfile = WRITABLEFOPEN(file_name, "r+"); if (pfile == NULL) { - com_err(me, errno, "while deleting entry from file %s", file_name); - goto cleanup; -@@ -1113,7 +1113,7 @@ rem_service_entry_from_file(argc, argv, + com_err(me, errno, "while deleting entry from file %s", file_name); + goto cleanup; +@@ -1108,7 +1108,7 @@ snprintf (tmp_file, strlen(file_name) + 4 + 1, "%s%s", file_name, ".tmp"); 
@@ -467,79 +400,88 @@ diff -up krb5-1.7/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c krb5-1.7/s
+ tmpfd = THREEPARAMOPEN(tmp_file, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR|S_IWUSR);
umask(omask);
if (tmpfd == -1) {
- com_err(me, errno, "while deleting entry from file\n");
-@@ -1767,7 +1767,7 @@ kdb5_ldap_set_service_password(argc, arg
+ com_err(me, errno, "while deleting entry from file\n");
+@@ -1728,7 +1728,7 @@
+
+ printf("File does not exist. Creating the file %s...\n", file_name);
+ omask = umask(077);
+- fd = creat(file_name, S_IRUSR|S_IWUSR);
++ fd = THREEPARAMOPEN(file_name, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR|S_IWUSR);
+ umask(omask);
+ if (fd == -1) {
+ com_err(me, errno, "Error creating file %s", file_name);
+@@ -1756,7 +1756,7 @@
/* TODO: file lock for the service password file */
/* set password in the file */
- pfile = fopen(file_name, "r+");
+ pfile = WRITABLEFOPEN(file_name, "r+");
if (pfile == NULL) {
- com_err(me, errno, "Failed to open file %s", file_name);
- goto cleanup;
-@@ -1808,7 +1808,7 @@ kdb5_ldap_set_service_password(argc, arg
- }
+ com_err(me, errno, "Failed to open file %s", file_name);
+ goto cleanup;
+@@ -1797,7 +1797,7 @@
+ }
- omask = umask(077);
-- newfile = fopen(tmp_file, "w+");
-+ newfile = WRITABLEFOPEN(tmp_file, "w+");
- umask(omask);
- if (newfile == NULL) {
- com_err(me, errno, "Error creating file %s", tmp_file);
-@@ -2032,7 +2032,7 @@ done:
+ omask = umask(077);
+- newfile = fopen(tmp_file, "w+");
++ newfile = WRITABLEFOPEN(tmp_file, "w+");
+ umask(omask);
+ if (newfile == NULL) {
+ com_err(me, errno, "Error creating file %s", tmp_file);
+@@ -2019,7 +2019,7 @@
/* set password in the file */
old_mode = umask(0177);
- pfile = fopen(file_name, "a+");
+ pfile = WRITABLEFOPEN(file_name, "a+");
if (pfile == NULL) {
- com_err(me, errno, "Failed to open file %s: %s", file_name,
- strerror (errno));
-@@ -2082,7 +2082,7 @@ done:
- }
+ com_err(me, errno, "Failed to open file %s: %s", file_name,
+ strerror (errno));
+@@ -2069,7 +2069,7
@@
+ }
- omask = umask(077);
-- newfile = fopen(tmp_file, "w");
-+ newfile = WRITABLEFOPEN(tmp_file, "w");
- umask (omask);
- if (newfile == NULL) {
- com_err(me, errno, "Error creating file %s", tmp_file);
-diff -up krb5-1.7/src/slave/kpropd.c krb5-1.7/src/slave/kpropd.c
---- krb5-1.7/src/slave/kpropd.c 2008-12-30 00:45:06.000000000 -0500
-+++ krb5-1.7/src/slave/kpropd.c 2009-06-04 13:47:20.000000000 -0400
-@@ -346,7 +346,7 @@ retry:
- if (!debug && iproprole != IPROP_SLAVE)
- daemon(1, 0);
+ omask = umask(077);
+- newfile = fopen(tmp_file, "w");
++ newfile = WRITABLEFOPEN(tmp_file, "w");
+ umask (omask);
+ if (newfile == NULL) {
+ com_err(me, errno, "Error creating file %s", tmp_file);
+diff -up krb5-1.8/src/slave/kpropd.c.selinux-label krb5-1.8/src/slave/kpropd.c
+--- krb5-1.8/src/slave/kpropd.c.selinux-label 2009-12-31 17:25:11.000000000 -0500
++++ krb5-1.8/src/slave/kpropd.c 2010-03-05 10:57:23.000000000 -0500
+@@ -328,7 +328,7 @@ retry:
+ if (!debug && iproprole != IPROP_SLAVE)
+ daemon(1, 0);
#ifdef PID_FILE
-- if ((pidfile = fopen(PID_FILE, "w")) != NULL) {
-+ if ((pidfile = WRITABLEFOPEN(PID_FILE, "w")) != NULL) {
- fprintf(pidfile, "%d\n", getpid());
- fclose(pidfile);
- } else
+- if ((pidfile = fopen(PID_FILE, "w")) != NULL) {
++ if ((pidfile = WRITABLEFOPEN(PID_FILE, "w")) != NULL) {
+ fprintf(pidfile, "%d\n", getpid());
+ fclose(pidfile);
+ } else
-diff -up krb5-1.7/src/util/profile/prof_file.c krb5-1.7/src/util/profile/prof_file.c
---- krb5-1.7/src/util/profile/prof_file.c 2008-11-05 11:19:01.000000000 -0500
-+++ krb5-1.7/src/util/profile/prof_file.c 2009-06-04 13:47:20.000000000 -0400
-@@ -29,6 +29,7 @@
+diff -up krb5-1.8/src/util/profile/prof_file.c.selinux-label krb5-1.8/src/util/profile/prof_file.c
+--- krb5-1.8/src/util/profile/prof_file.c.selinux-label 2009-12-27 19:21:20.000000000 -0500
++++ krb5-1.8/src/util/profile/prof_file.c 2010-03-05 10:57:23.000000000 -0500
+@@ -30,6 +30,7 @@
#endif
#include "k5-platform.h"
+#include "k5-label.h"
struct
global_shared_profile_data {
- /* This is the head of the global list of shared trees */
-@@ -422,7 +423,7 @@ static errcode_t write_data_to_file(prf_
- errno = 0;
+ errno = 0;
-- f = fopen(new_file, "w");
-+ f = WRITABLEFOPEN(new_file, "w");
- if (!f) {
- retval = errno;
- if (retval == 0)
-diff -up krb5-1.7/src/util/support/Makefile.in krb5-1.7/src/util/support/Makefile.in
---- krb5-1.7/src/util/support/Makefile.in 2009-01-05 15:27:53.000000000 -0500
-+++ krb5-1.7/src/util/support/Makefile.in 2009-06-04 13:47:20.000000000 -0400
-@@ -38,6 +38,7 @@ PRINTF_OBJ= @PRINTF_OBJ@
+@@ -418,7 +419,7 @@ static errcode_t write_data_to_file(prf_
+ errno = 0;
-- f = fopen(new_file, "w");
++ f = WRITABLEFOPEN(new_file, "w");
+ if (!f) {
+ retval = errno;
+ if (retval == 0)
+diff -up krb5-1.8/src/util/support/Makefile.in.selinux-label krb5-1.8/src/util/support/Makefile.in
+--- krb5-1.8/src/util/support/Makefile.in.selinux-label 2009-11-23 20:25:10.000000000 -0500
++++ krb5-1.8/src/util/support/Makefile.in 2010-03-05 10:57:23.000000000 -0500
+@@ -54,6 +54,7 @@ IPC_SYMS= \
STLIBOBJS= \
threads.o \
@@ -547,7 +489,7 @@ diff -up krb5-1.7/src/util/support/Makefile.in krb5-1.7/src/util/support/Makefil
init-addrinfo.o \
plugins.o \
errors.o \
-@@ -86,7 +87,7 @@ SRCS=\
+@@ -108,7 +109,7 @@ SRCS=\
SHLIB_EXPDEPS = # Add -lm if dumping thread stats, for sqrt.
@@ -556,9 +498,9 @@ diff -up krb5-1.7/src/util/support/Makefile.in krb5-1.7/src/util/support/Makefil
SHLIB_DIRS=
SHLIB_RDIRS=$(KRB5_LIBDIR)
-diff -up /dev/null krb5-1.7/src/util/support/selinux.c
---- /dev/null 2009-06-04 10:34:55.169007373 -0400
-+++ krb5-1.7/src/util/support/selinux.c 2009-06-04 13:47:20.000000000 -0400
+diff -up krb5-1.8/src/util/support/selinux.c.selinux-label krb5-1.8/src/util/support/selinux.c
+--- krb5-1.8/src/util/support/selinux.c.selinux-label 2010-03-05 10:57:23.000000000 -0500
++++ krb5-1.8/src/util/support/selinux.c 2010-03-05 10:57:23.000000000 -0500
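Review bot: The new `@@ -1728,7 +1728,7 @@` hunk for kdb5_ldap_services.c replaces `creat()` with `THREEPARAMOPEN(file_name, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR|S_IWUSR)`, which is creat()'s exact flag equivalent and so still truncates whatever is at file_name at open time, even though this branch is only reached after the "File does not exist" check whose printf sits two lines above. Opening with `O_CREAT|O_EXCL|O_WRONLY` instead states that precondition to the kernel: if the path has come into existence between the check and the open (a symbolic link included), the call fails with EEXIST and the existing `com_err(me, errno, "Error creating file %s", file_name)` reports it rather than the file being silently truncated or followed. THREEPARAMOPEN reduces to plain open() when USE_SELINUX is unset, as the k5-label.h hunk earlier in this patch shows, so the flag change behaves the same in both builds. The enclosing function and the existence check itself lie outside the hunk, so confirm that no caller relies on re-creating an already-present service password file on this path.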
@@ -0,0 +1,346 @@ +/* + * Copyright 2007,2008,2009 Red Hat, Inc. All Rights Reserved. diff --git a/krb5-1.7-io.patch b/krb5-appl-1.0-io.patch similarity index 82% rename from krb5-1.7-io.patch rename to krb5-appl-1.0-io.patch index d3605eb..1bfe217 100644 --- a/krb5-1.7-io.patch +++ b/krb5-appl-1.0-io.patch @@ -3,10 +3,10 @@ neither end is reading. This is a port of a patch which aims to solve that problem, but for now it's incomplete because we don't handle partial writes. A proper non-blocking implementation would require a bit more work. -diff -up krb5-1.7/src/appl/bsd/defines.h krb5-1.7/src/appl/bsd/defines.h ---- krb5-1.7/src/appl/bsd/defines.h 2008-12-15 15:29:01.000000000 -0500 -+++ krb5-1.7/src/appl/bsd/defines.h 2009-06-04 14:18:48.000000000 -0400 -@@ -34,6 +34,7 @@ extern int kcmd (int *sock, char **ahost +diff -up krb5-appl-1.0/bsd/defines.h.io krb5-appl-1.0/bsd/defines.h +--- krb5-appl-1.0/bsd/defines.h.io 2009-11-16 05:27:04.000000000 -0500 ++++ krb5-appl-1.0/bsd/defines.h 2010-03-05 11:00:06.000000000 -0500 +@@ -36,6 +36,7 @@ extern int kcmd (int *sock, char **ahost enum kcmd_proto *protonum /* input and output */ ); @@ -14,10 +14,10 @@ diff -up krb5-1.7/src/appl/bsd/defines.h krb5-1.7/src/appl/bsd/defines.h extern int rcmd_stream_read (int fd, char *buf, size_t len, int secondary); extern int rcmd_stream_write (int fd, char *buf, size_t len, int secondary); extern int getport (int * /* portnum */, int * /* addrfamily */); -diff -up krb5-1.7/src/appl/bsd/kcmd.c krb5-1.7/src/appl/bsd/kcmd.c ---- krb5-1.7/src/appl/bsd/kcmd.c 2009-04-15 16:07:15.000000000 -0400 -+++ krb5-1.7/src/appl/bsd/kcmd.c 2009-06-04 14:18:48.000000000 -0400 -@@ -686,6 +686,11 @@ void rcmd_stream_init_normal() +diff -up krb5-appl-1.0/bsd/kcmd.c.io krb5-appl-1.0/bsd/kcmd.c +--- krb5-appl-1.0/bsd/kcmd.c.io 2009-11-16 05:27:04.000000000 -0500 ++++ krb5-appl-1.0/bsd/kcmd.c 2010-03-05 11:00:06.000000000 -0500 +@@ -767,6 +767,11 @@ void rcmd_stream_init_normal() output = twrite; } 
@@ -29,8 +29,8 @@ diff -up krb5-1.7/src/appl/bsd/kcmd.c krb5-1.7/src/appl/bsd/kcmd.c void rcmd_stream_init_krb5(in_keyblock, encrypt_flag, lencheck, am_client, protonum) krb5_keyblock *in_keyblock; -@@ -846,7 +851,8 @@ static int v5_des_read(fd, buf, len, sec - cc = krb5_net_read(bsd_context, fd, &c, 1); +@@ -927,7 +932,8 @@ static int v5_des_read(fd, buf, len, sec + cc = full_read(fd, &c, 1); /* we should check for non-blocking here, but we'd have to make it save partial reads as well. */ - if (cc <= 0) return cc; /* read error */ @@ -39,10 +39,10 @@ diff -up krb5-1.7/src/appl/bsd/kcmd.c krb5-1.7/src/appl/bsd/kcmd.c if (cc == 1) { if (c == 0 || !do_lencheck) break; } -diff -up krb5-1.7/src/appl/bsd/krsh.c krb5-1.7/src/appl/bsd/krsh.c ---- krb5-1.7/src/appl/bsd/krsh.c 2009-06-04 14:18:47.000000000 -0400 -+++ krb5-1.7/src/appl/bsd/krsh.c 2009-06-04 14:18:48.000000000 -0400 -@@ -115,10 +115,11 @@ main(argc, argv0) +diff -up krb5-appl-1.0/bsd/krsh.c.io krb5-appl-1.0/bsd/krsh.c +--- krb5-appl-1.0/bsd/krsh.c.io 2010-03-05 11:00:05.000000000 -0500 ++++ krb5-appl-1.0/bsd/krsh.c 2010-03-05 11:00:06.000000000 -0500 +@@ -117,10 +117,11 @@ main(argc, argv0) char **argv0; { int rem, pid = 0; @@ -55,7 +55,7 @@ diff -up krb5-1.7/src/appl/bsd/krsh.c krb5-1.7/src/appl/bsd/krsh.c int one = 1; struct servent *sp; struct servent defaultservent; -@@ -508,9 +509,14 @@ main(argc, argv0) +@@ -510,9 +511,14 @@ main(argc, argv0) FD_ZERO(&readfrom); FD_SET(rfd2, &readfrom); FD_SET(rem, &readfrom); @@ -71,7 +71,7 @@ diff -up krb5-1.7/src/appl/bsd/krsh.c krb5-1.7/src/appl/bsd/krsh.c if (errno != EINTR) { perror("select"); exit(1); -@@ -518,22 +524,38 @@ main(argc, argv0) +@@ -520,22 +526,38 @@ main(argc, argv0) continue; } if (FD_ISSET(rfd2, &ready)) { 
@@ -124,10 +124,10 @@ diff -up krb5-1.7/src/appl/bsd/krsh.c krb5-1.7/src/appl/bsd/krsh.c } } while (FD_ISSET(rem, &readfrom) || FD_ISSET(rfd2, &readfrom)); if (nflag == 0) -diff -up krb5-1.7/src/appl/bsd/krshd.c krb5-1.7/src/appl/bsd/krshd.c ---- krb5-1.7/src/appl/bsd/krshd.c 2009-06-04 14:18:47.000000000 -0400 -+++ krb5-1.7/src/appl/bsd/krshd.c 2009-06-04 14:18:48.000000000 -0400 -@@ -583,7 +583,8 @@ void doit(f, fromp) +diff -up krb5-appl-1.0/bsd/krshd.c.io krb5-appl-1.0/bsd/krshd.c +--- krb5-appl-1.0/bsd/krshd.c.io 2010-03-05 11:00:05.000000000 -0500 ++++ krb5-appl-1.0/bsd/krshd.c 2010-03-05 11:00:06.000000000 -0500 +@@ -585,7 +585,8 @@ void doit(f, fromp) short port; int pv[2], pw[2], px[2], cc; fd_set ready, readfrom; @@ -137,7 +137,7 @@ diff -up krb5-1.7/src/appl/bsd/krshd.c krb5-1.7/src/appl/bsd/krshd.c struct sockaddr_storage localaddr; #ifdef POSIX_SIGNALS struct sigaction sa; -@@ -1214,6 +1215,10 @@ void doit(f, fromp) +@@ -1216,6 +1217,10 @@ void doit(f, fromp) if (pw[0] > maxfd) maxfd = pw[0]; @@ -148,7 +148,7 @@ diff -up krb5-1.7/src/appl/bsd/krshd.c krb5-1.7/src/appl/bsd/krshd.c /* read from f, write to px[1] -- child stdin */ /* read from s, signal child */ /* read from pv[0], write to s -- child stderr */ -@@ -1221,36 +1226,47 @@ void doit(f, fromp) +@@ -1223,36 +1228,47 @@ void doit(f, fromp) do { ready = readfrom; @@ -204,7 +204,7 @@ diff -up krb5-1.7/src/appl/bsd/krshd.c krb5-1.7/src/appl/bsd/krshd.c } if (port&&FD_ISSET(s, &ready)) { /* read from the alternate channel, signal the child */ -@@ -1268,12 +1284,15 @@ void doit(f, fromp) +@@ -1270,12 +1286,15 @@ void doit(f, fromp) } } if (FD_ISSET(f, &ready)) { @@ -221,7 +221,7 @@ diff -up krb5-1.7/src/appl/bsd/krshd.c krb5-1.7/src/appl/bsd/krshd.c } else { int wcc; wcc = write(px[1], buf, (unsigned) cc); -@@ -1281,17 +1300,22 @@ void doit(f, fromp) +@@ -1283,17 +1302,22 @@ void doit(f, fromp) /* pipe closed, don't read any more */ /* might check for EPIPE */ (void) close(px[1]); 
diff --git a/krb5-1.7-largefile.patch b/krb5-appl-1.0-largefile.patch
similarity index 58%
rename from krb5-1.7-largefile.patch
rename to krb5-appl-1.0-largefile.patch
index 91b28dd..be50103 100644
--- a/krb5-1.7-largefile.patch
+++ b/krb5-appl-1.0-largefile.patch
@@ -8,25 +8,254 @@ instead of fseek(), which takes a long and might not handle the full range of values. RT#6524 -Index: krb5/src/appl/gssftp/configure.in -=================================================================== ---- krb5/src/appl/gssftp/configure.in (revision 22425) -+++ krb5/src/appl/gssftp/configure.in (working copy) -@@ -12,6 +12,9 @@ - AC_HEADER_STDARG - AC_CHECK_HEADER(termios.h,[AC_CHECK_FUNC(cfsetispeed,AC_DEFINE(POSIX_TERMIOS,1,[Define if POSIX termios interface found]))]) - AC_CHECK_HEADERS(unistd.h stdlib.h string.h sys/select.h sys/sockio.h paths.h) + +diff -up krb5-appl-1.0/bsd/krcp.c.largefile krb5-appl-1.0/bsd/krcp.c +--- krb5-appl-1.0/bsd/krcp.c.largefile 2010-03-05 11:06:23.000000000 -0500 ++++ krb5-appl-1.0/bsd/krcp.c 2010-03-05 11:06:24.000000000 -0500 +@@ -748,8 +748,13 @@ void source(argc, argv) + continue; + } + } ++#ifdef HAVE_LONG_LONG_INT ++ (void) snprintf(buf, sizeof(buf), "C%04o %lld %s\n", ++ (int) stb.st_mode&07777, (long long) stb.st_size, last); ++#else + (void) snprintf(buf, sizeof(buf), "C%04o %ld %s\n", + (int) stb.st_mode&07777, (long ) stb.st_size, last); ++#endif + (void) rcmd_stream_write(rem, buf, strlen(buf), 0); + if (response() < 0) { + (void) close(f); +diff -up krb5-appl-1.0/configure.ac.largefile krb5-appl-1.0/configure.ac +--- krb5-appl-1.0/configure.ac.largefile 2010-03-05 11:06:23.000000000 -0500 ++++ krb5-appl-1.0/configure.ac 2010-03-05 11:06:24.000000000 -0500 +@@ -103,6 +103,10 @@ case $host in + ;; + esac + +AC_SYS_LARGEFILE +AC_FUNC_FSEEKO -+AC_CHECK_TYPES([long long]) - CHECK_UTMP - DECLARE_SYS_ERRLIST - AC_REPLACE_FUNCS(getdtablesize) -Index: krb5/src/appl/gssftp/ftp/ftp_var.h -=================================================================== ---- krb5/src/appl/gssftp/ftp/ftp_var.h (revision 22425) -+++ krb5/src/appl/gssftp/ftp/ftp_var.h (working copy) -@@ -46,13 +46,19 @@ ++AC_TYPE_LONG_LONG_INT ++AC_TYPE_UNSIGNED_LONG_LONG_INT + AC_CHECK_FUNCS(_getpty cgetent getcwd getenv gettosbyname 
getusershell getutmp) + AC_CHECK_FUNCS(getutmpx grantpt inet_aton initgroups isatty killpg killpg) + AC_CHECK_FUNCS(line_push logwtmp openpty ptsname revoke rmufile rresvport_af) +diff -up krb5-appl-1.0/gssftp/ftpd/ftpcmd.y.largefile krb5-appl-1.0/gssftp/ftpd/ftpcmd.y +--- krb5-appl-1.0/gssftp/ftpd/ftpcmd.y.largefile 2009-11-05 15:15:06.000000000 -0500 ++++ krb5-appl-1.0/gssftp/ftpd/ftpcmd.y 2010-03-05 11:06:24.000000000 -0500 +@@ -1499,12 +1499,20 @@ char *filename; + (stbuf.st_mode&S_IFMT) != S_IFREG) + reply(550, "%s: not a plain file.", filename); + else ++#ifdef HAVE_LONG_LONG_INT ++ reply(213, "%llu", (long long) stbuf.st_size); ++#else + reply(213, "%lu", (long) stbuf.st_size); ++#endif + break;} + case TYPE_A: { + FILE *fin; + register int c; ++#ifdef HAVE_LONG_LONG_INT ++ register long long count; ++#else + register long count; ++#endif + struct stat stbuf; + fin = fopen(filename, "r"); + if (fin == NULL) { +@@ -1526,7 +1534,11 @@ char *filename; + } + (void) fclose(fin); + ++#ifdef HAVE_LONG_LONG_INT ++ reply(213, "%lld", count); ++#else + reply(213, "%ld", count); ++#endif + break;} + default: + reply(504, "SIZE not implemented for Type %c.", "?AEIL"[type]); +diff -up krb5-appl-1.0/gssftp/ftpd/ftpd.c.largefile krb5-appl-1.0/gssftp/ftpd/ftpd.c +--- krb5-appl-1.0/gssftp/ftpd/ftpd.c.largefile 2010-03-05 11:06:23.000000000 -0500 ++++ krb5-appl-1.0/gssftp/ftpd/ftpd.c 2010-03-05 11:06:24.000000000 -0500 +@@ -1205,8 +1205,13 @@ retrieve(cmd, name) + done: + (*closefunc)(fin); + if (logging > 2 && !cmd) { ++#ifdef HAVE_UNSIGNED_LONG_LONG_INT ++ syslog(LOG_NOTICE, "get: %llu bytes transferred", ++ (unsigned long long) byte_count); ++#else + syslog(LOG_NOTICE, "get: %lu bytes transferred", + (unsigned long) byte_count); ++#endif + } + } + +@@ -1252,7 +1257,7 @@ store_file(name, fmode, unique) + * because we are changing from reading to + * writing. 
+ */ +- if (fseek(fout, 0L, L_INCR) < 0) { ++ if (FSEEK(fout, 0L, L_INCR) < 0) { + perror_reply(550, name); + goto done; + } +@@ -1277,8 +1282,13 @@ store_file(name, fmode, unique) + done: + (*closefunc)(fout); + if (logging > 2) { ++#ifdef HAVE_UNSIGNED_LONG_LONG_INT ++ syslog(LOG_NOTICE, "put: %llu bytes transferred", ++ (unsigned long long) byte_count); ++#else + syslog(LOG_NOTICE, "put: %lu bytes transferred", + (unsigned long) byte_count); ++#endif + } + } + +@@ -1341,8 +1351,13 @@ dataconn(name, size, fmode) + byte_count = 0; + if (size != (off_t) -1) + /* cast size to long in case sizeof(off_t) > sizeof(long) */ ++#ifdef HAVE_LONG_LONG_INT ++ (void) snprintf (sizebuf, sizeof(sizebuf), " (%lld bytes)", ++ (long long)size); ++#else + (void) snprintf (sizebuf, sizeof(sizebuf), " (%ld bytes)", + (long)size); ++#endif + else + sizebuf[0] = '\0'; + if (pdata >= 0) { +@@ -2063,6 +2078,15 @@ myoob(sig) + siglongjmp(urgcatch, 1); + } + if (strcmp(cp, "STAT") == 0) { ++#ifdef HAVE_LONG_LONG_INT ++ if (file_size != (off_t) -1) ++ reply(213, "Status: %llu of %llu bytes transferred", ++ (unsigned long long) byte_count, ++ (unsigned long long) file_size); ++ else ++ reply(213, "Status: %llu bytes transferred", ++ (unsigned long long) byte_count); ++#else + if (file_size != (off_t) -1) + reply(213, "Status: %lu of %lu bytes transferred", + (unsigned long) byte_count, +@@ -2070,6 +2094,7 @@ myoob(sig) + else + reply(213, "Status: %lu bytes transferred", + (unsigned long) byte_count); ++#endif + } + } + +diff -up krb5-appl-1.0/gssftp/ftpd/ftpd_var.h.largefile krb5-appl-1.0/gssftp/ftpd/ftpd_var.h +--- krb5-appl-1.0/gssftp/ftpd/ftpd_var.h.largefile 2009-11-05 15:15:06.000000000 -0500 ++++ krb5-appl-1.0/gssftp/ftpd/ftpd_var.h 2010-03-05 11:06:24.000000000 -0500 +@@ -41,6 +41,12 @@ + char *radix_error (int); + int radix_encode (unsigned char *, unsigned char *, size_t *, int); + ++#ifdef HAVE_FSEEKO ++#define FSEEK(fd, offset, whence) fseeko(fd, (off_t) offset, whence) ++#else 
++#define FSEEK(fd, offset, whence) fseek(fd, (long) offset, whence) ++#endif ++ + /* ftpd.c */ + void ack(char *); + int auth_data(unsigned char *); +diff -up krb5-appl-1.0/gssftp/ftp/ftp.c.largefile krb5-appl-1.0/gssftp/ftp/ftp.c +--- krb5-appl-1.0/gssftp/ftp/ftp.c.largefile 2010-03-05 11:06:24.000000000 -0500 ++++ krb5-appl-1.0/gssftp/ftp/ftp.c 2010-03-05 11:06:24.000000000 -0500 +@@ -156,7 +156,11 @@ void user_gss_error (OM_uint32, OM_uint3 + + static void proxtrans (char *, char *, char *); + static int initconn (void); ++#ifdef HAVE_LONG_LONG_INT ++static void ptransfer (char *, long long, struct timeval *, struct timeval *); ++#else + static void ptransfer (char *, long, struct timeval *, struct timeval *); ++#endif + static void abort_remote (FILE *); + static void tvsub (struct timeval *, struct timeval *, struct timeval *); + static char *gunique (char *); +@@ -787,7 +791,11 @@ void sendrequest(char *cmd, char *local, + FILE *volatile fin, *volatile dout = 0; + int (*volatile closefunc)(); + volatile sig_t oldintr, oldintp; ++#ifdef HAVE_LONG_LONG_INT ++ volatile long long bytes = 0, hashbytes = HASHBYTES; ++#else + volatile long bytes = 0, hashbytes = HASHBYTES; ++#endif + char *volatile lmode; + char buf[FTP_BUFSIZ], *bufp; + +@@ -884,7 +892,7 @@ void sendrequest(char *cmd, char *local, + + if (restart_point && + (strcmp(cmd, "STOR") == 0 || strcmp(cmd, "APPE") == 0)) { +- if (fseek(fin, (long) restart_point, 0) < 0) { ++ if (FSEEK(fin, restart_point, 0) < 0) { + fprintf(stderr, "local: %s: %s\n", local, + strerror(errno)); + restart_point = 0; +@@ -1279,7 +1287,7 @@ void recvrequest(char *cmd, char *volati + if (restart_point) { + register int i, n, ch; + +- if (fseek(fout, 0L, L_SET) < 0) ++ if (FSEEK(fout, 0L, L_SET) < 0) + goto done; + n = restart_point; + for (i = 0; i++ < n;) { +@@ -1288,7 +1296,7 @@ void recvrequest(char *cmd, char *volati + if (ch == '\n') + i++; + } +- if (fseek(fout, 0L, L_INCR) < 0) { ++ if (FSEEK(fout, 0L, L_INCR) < 0) { + 
done: + fprintf(stderr, "local: %s: %s\n", local, + strerror(errno)); +@@ -1553,8 +1561,13 @@ dataconn(char *lmode) + return (FDOPEN_SOCKET(data, lmode)); + } + ++#ifdef HAVE_LONG_LONG_INT ++static void ptransfer(char *direction, long long bytes, ++ struct timeval *t0, struct timeval *t1) ++#else + static void ptransfer(char *direction, long bytes, + struct timeval *t0, struct timeval *t1) ++#endif + { + struct timeval td; + float s, kbs; +@@ -1564,8 +1577,13 @@ static void ptransfer(char *direction, l + s = td.tv_sec + (td.tv_usec / 1000000.); + #define nz(x) ((x) == 0 ? 1 : (x)) + kbs = (bytes / nz(s))/1024.0; ++#ifdef HAVE_LONG_LONG_INT ++ printf("%lld bytes %s in %.2g seconds (%.2g Kbytes/s)\n", ++ bytes, direction, s, kbs); ++#else + printf("%ld bytes %s in %.2g seconds (%.2g Kbytes/s)\n", + bytes, direction, s, kbs); ++#endif + } + } + +diff -up krb5-appl-1.0/gssftp/ftp/ftp_var.h.largefile krb5-appl-1.0/gssftp/ftp/ftp_var.h +--- krb5-appl-1.0/gssftp/ftp/ftp_var.h.largefile 2010-03-05 11:06:24.000000000 -0500 ++++ krb5-appl-1.0/gssftp/ftp/ftp_var.h 2010-03-05 11:06:24.000000000 -0500 +@@ -46,12 +46,18 @@ FILE* fdopen_socket(SOCKET s, char* mode #define FDOPEN_SOCKET(s, mode) fdopen_socket(s, mode) #define SOCKETNO(fd) _get_osfhandle(fd) #define PERROR_SOCKET(str) do { errno = SOCKET_ERRNO; perror(str); } while(0) 
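Review bot: In the ftpcmd.y SIZE handler the new `reply(213, "%llu", (long long) stbuf.st_size);` hands a signed `long long` to an unsigned `%llu` conversion, which is a format/argument type mismatch; it should read `reply(213, "%llu", (unsigned long long) stbuf.st_size);` (or keep the signed cast and use `%lld`), consistent with the `(unsigned long long)` casts the same patch uses in ftpd.c. Relatedly, the STAT block added to myoob() in ftpd.c is guarded by `#ifdef HAVE_LONG_LONG_INT` yet casts to `unsigned long long`, while the get/put syslog sites in that file are guarded by `HAVE_UNSIGNED_LONG_LONG_INT`; using `#ifdef HAVE_UNSIGNED_LONG_LONG_INT` there too keeps the guard and the cast in agreement. In ftp.c recvrequest() the ASCII-mode restart path still assigns `n = restart_point;` into `register int i, n, ch;`, so replacing fseek() with FSEEK() around it does not make a restart offset beyond INT_MAX behave correctly on that path — it probably deserves a follow-up or at least a `/* XXX restart_point truncated to int for TYPE_A */` comment. The SIZE handler, myoob() and recvrequest() all begin and end outside this hunk.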
@@ -41,254 +270,7 @@ Index: krb5/src/appl/gssftp/ftp/ftp_var.h +#define FSEEK(fd, offset, whence) fseeko(fd, (off_t) offset, whence) +#else +#define FSEEK(fd, offset, whence) fseek(fd, (long) offset, whence) - #endif +#endif + #endif #ifdef _WIN32 - typedef void (*sig_t)(int); -Index: krb5/src/appl/gssftp/ftp/ftp.c -=================================================================== ---- krb5/src/appl/gssftp/ftp/ftp.c (revision 22425) -+++ krb5/src/appl/gssftp/ftp/ftp.c (working copy) -@@ -150,7 +150,11 @@ - - static void proxtrans (char *, char *, char *); - static int initconn (void); -+#ifdef HAVE_LONG_LONG -+static void ptransfer (char *, long long, struct timeval *, struct timeval *); -+#else - static void ptransfer (char *, long, struct timeval *, struct timeval *); -+#endif - static void abort_remote (FILE *); - static void tvsub (struct timeval *, struct timeval *, struct timeval *); - static char *gunique (char *); -@@ -775,7 +779,11 @@ - FILE *volatile fin, *volatile dout = 0; - int (*volatile closefunc)(); - volatile sig_t oldintr, oldintp; -+#ifdef HAVE_LONG_LONG -+ volatile long long bytes = 0, hashbytes = HASHBYTES; -+#else - volatile long bytes = 0, hashbytes = HASHBYTES; -+#endif - char *volatile lmode; - unsigned char buf[FTP_BUFSIZ], *bufp; - -@@ -872,7 +880,7 @@ - - if (restart_point && - (strcmp(cmd, "STOR") == 0 || strcmp(cmd, "APPE") == 0)) { -- if (fseek(fin, (long) restart_point, 0) < 0) { -+ if (FSEEK(fin, restart_point, 0) < 0) { - fprintf(stderr, "local: %s: %s\n", local, - strerror(errno)); - restart_point = 0; -@@ -1266,7 +1274,7 @@ - if (restart_point) { - register int i, n, ch; - -- if (fseek(fout, 0L, L_SET) < 0) -+ if (FSEEK(fout, 0L, L_SET) < 0) - goto done; - n = restart_point; - for (i = 0; i++ < n;) { -@@ -1275,7 +1283,7 @@ - if (ch == '\n') - i++; - } -- if (fseek(fout, 0L, L_INCR) < 0) { -+ if (FSEEK(fout, 0L, L_INCR) < 0) { - done: - fprintf(stderr, "local: %s: %s\n", local, - strerror(errno)); -@@ -1538,8 +1546,13 @@ - 
return (FDOPEN_SOCKET(data, lmode)); - } - -+#ifdef HAVE_LONG_LONG -+static void ptransfer(char *direction, long long bytes, -+ struct timeval *t0, struct timeval *t1) -+#else - static void ptransfer(char *direction, long bytes, - struct timeval *t0, struct timeval *t1) -+#endif - { - struct timeval td; - float s, kbs; -@@ -1549,8 +1562,13 @@ - s = td.tv_sec + (td.tv_usec / 1000000.); - #define nz(x) ((x) == 0 ? 1 : (x)) - kbs = (bytes / nz(s))/1024.0; -+#ifdef HAVE_LONG_LONG -+ printf("%lld bytes %s in %.2g seconds (%.2g Kbytes/s)\n", -+ bytes, direction, s, kbs); -+#else - printf("%ld bytes %s in %.2g seconds (%.2g Kbytes/s)\n", - bytes, direction, s, kbs); -+#endif - } - } - -Index: krb5/src/appl/gssftp/ftpd/ftpcmd.y -=================================================================== ---- krb5/src/appl/gssftp/ftpd/ftpcmd.y (revision 22425) -+++ krb5/src/appl/gssftp/ftpd/ftpcmd.y (working copy) -@@ -1497,12 +1497,20 @@ - (stbuf.st_mode&S_IFMT) != S_IFREG) - reply(550, "%s: not a plain file.", filename); - else -+#ifdef HAVE_LONG_LONG -+ reply(213, "%llu", (long long) stbuf.st_size); -+#else - reply(213, "%lu", (long) stbuf.st_size); -+#endif - break;} - case TYPE_A: { - FILE *fin; - register int c; -+#ifdef HAVE_LONG_LONG -+ register long long count; -+#else - register long count; -+#endif - struct stat stbuf; - fin = fopen(filename, "r"); - if (fin == NULL) { -@@ -1524,7 +1532,11 @@ - } - (void) fclose(fin); - -+#ifdef HAVE_LONG_LONG -+ reply(213, "%lld", count); -+#else - reply(213, "%ld", count); -+#endif - break;} - default: - reply(504, "SIZE not implemented for Type %c.", "?AEIL"[type]); -Index: krb5/src/appl/gssftp/ftpd/ftpd_var.h -=================================================================== ---- krb5/src/appl/gssftp/ftpd/ftpd_var.h (revision 22425) -+++ krb5/src/appl/gssftp/ftpd/ftpd_var.h (working copy) -@@ -41,6 +41,12 @@ - char *radix_error (int); - int radix_encode (unsigned char *, unsigned char *, int *, int); - -+#ifdef HAVE_FSEEKO 
-+#define FSEEK(fd, offset, whence) fseeko(fd, (off_t) offset, whence) -+#else -+#define FSEEK(fd, offset, whence) fseek(fd, (long) offset, whence) -+#endif -+ - /* ftpd.c */ - void ack(char *); - int auth_data(char *); -Index: krb5/src/appl/gssftp/ftpd/ftpd.c -=================================================================== ---- krb5/src/appl/gssftp/ftpd/ftpd.c (revision 22425) -+++ krb5/src/appl/gssftp/ftpd/ftpd.c (working copy) -@@ -1146,7 +1146,11 @@ - done: - (*closefunc)(fin); - if (logging > 2 && !cmd) -- syslog(LOG_NOTICE, "get: %i bytes transferred", byte_count); -+#ifdef HAVE_LONG_LONG -+ syslog(LOG_NOTICE, "get: %lld bytes transferred", (long long) byte_count); -+#else -+ syslog(LOG_NOTICE, "get: %ld bytes transferred", (long) byte_count); -+#endif - } - - void -@@ -1191,7 +1195,7 @@ - * because we are changing from reading to - * writing. - */ -- if (fseek(fout, 0L, L_INCR) < 0) { -+ if (FSEEK(fout, 0L, L_INCR) < 0) { - perror_reply(550, name); - goto done; - } -@@ -1216,7 +1220,11 @@ - done: - (*closefunc)(fout); - if (logging > 2) -- syslog(LOG_NOTICE, "put: %i bytes transferred", byte_count); -+#ifdef HAVE_LONG_LONG -+ syslog(LOG_NOTICE, "get: %lld bytes transferred", byte_count); -+#else -+ syslog(LOG_NOTICE, "get: %ld bytes transferred", (long) byte_count); -+#endif - } - - FILE * -@@ -1278,8 +1286,13 @@ - byte_count = 0; - if (size != (off_t) -1) - /* cast size to long in case sizeof(off_t) > sizeof(long) */ -+#ifdef HAVE_LONG_LONG -+ (void) snprintf (sizebuf, sizeof(sizebuf), " (%lld bytes)", -+ (long long)size); -+#else - (void) snprintf (sizebuf, sizeof(sizebuf), " (%ld bytes)", - (long)size); -+#endif - else - sizebuf[0] = '\0'; - if (pdata >= 0) { -@@ -1991,13 +2004,23 @@ - siglongjmp(urgcatch, 1); - } - if (strcmp(cp, "STAT") == 0) { -+#ifdef HAVE_LONG_LONG - if (file_size != (off_t) -1) -+ reply(213, "Status: %llu of %llu bytes transferred", -+ (unsigned long long) byte_count, -+ (unsigned long long) file_size); -+ else -+ reply(213, 
"Status: %llu bytes transferred", -+ (unsigned long long) byte_count); -+#else -+ if (file_size != (off_t) -1) - reply(213, "Status: %lu of %lu bytes transferred", - (unsigned long) byte_count, - (unsigned long) file_size); - else - reply(213, "Status: %lu bytes transferred", - (unsigned long) byte_count); -+#endif - } - } - -Index: krb5/src/appl/bsd/configure.in -=================================================================== ---- krb5/src/appl/bsd/configure.in (revision 22425) -+++ krb5/src/appl/bsd/configure.in (working copy) -@@ -51,6 +51,9 @@ - AC_TYPE_MODE_T - AC_CHECK_FUNCS(isatty inet_aton getenv gettosbyname killpg initgroups setpriority setreuid setresuid waitpid setsid ptsname setlogin tcgetpgrp tcsetpgrp setpgid strsave utimes rmufile rresvport_af) - AC_CHECK_HEADERS(unistd.h stdlib.h string.h sys/filio.h sys/sockio.h sys/label.h sys/tty.h ttyent.h lastlog.h sys/select.h sys/ptyvar.h utmp.h sys/time.h sys/ioctl_compat.h paths.h arpa/nameser.h) -+AC_SYS_LARGEFILE -+AC_FUNC_FSEEKO -+AC_CHECK_TYPES([long long]) - AC_HEADER_STDARG - AC_REPLACE_FUNCS(getdtablesize) - dnl -Index: krb5/src/appl/bsd/krcp.c -=================================================================== ---- krb5/src/appl/bsd/krcp.c (revision 22425) -+++ krb5/src/appl/bsd/krcp.c (working copy) -@@ -764,8 +764,13 @@ - continue; - } - } -+#ifdef HAVE_LONG_LONG -+ (void) snprintf(buf, sizeof(buf), "C%04o %lld %s\n", -+ (int) stb.st_mode&07777, (long long) stb.st_size, last); -+#else - (void) snprintf(buf, sizeof(buf), "C%04o %ld %s\n", - (int) stb.st_mode&07777, (long ) stb.st_size, last); -+#endif - (void) rcmd_stream_write(rem, buf, strlen(buf), 0); - if (response() < 0) { - (void) close(f); diff --git a/krb5-1.6.2-login_chdir.patch b/krb5-appl-1.0-login_chdir.patch similarity index 71% rename from krb5-1.6.2-login_chdir.patch rename to krb5-appl-1.0-login_chdir.patch index 93f7adc..972a704 100644 --- a/krb5-1.6.2-login_chdir.patch +++ b/krb5-appl-1.0-login_chdir.patch 
@@ -2,10 +2,10 @@ Change to the user's directory after dropping privileges, in case it is only accessible to the user (for example, if it's in NFS with root squashing). Incomplete - we probably need to do the same for rshd and ftpd. -diff -up krb5/src/appl/bsd/login.c krb5/src/appl/bsd/login.c ---- krb5/src/appl/bsd/login.c 2007-07-11 13:50:34.000000000 -0400 -+++ krb5/src/appl/bsd/login.c 2007-07-11 13:50:36.000000000 -0400 -@@ -1497,13 +1497,8 @@ int main(argc, argv) +diff -up krb5-appl-1.0/bsd/login.c.login_chdir krb5-appl-1.0/bsd/login.c +--- krb5-appl-1.0/bsd/login.c.login_chdir 2010-03-05 11:01:23.000000000 -0500 ++++ krb5-appl-1.0/bsd/login.c 2010-03-05 11:01:23.000000000 -0500 +@@ -1115,13 +1115,8 @@ int main(argc, argv) } #endif /* USE_PAM */ @@ -20,8 +20,8 @@ diff -up krb5/src/appl/bsd/login.c krb5/src/appl/bsd/login.c + exit(0); /* nothing else left to fail -- really log in */ - { -@@ -1710,6 +1705,14 @@ int main(argc, argv) + login_time = time(NULL); +@@ -1293,6 +1288,14 @@ int main(argc, argv) sleepexit(1); } diff --git a/krb5-appl-1.0-manpaths.patch b/krb5-appl-1.0-manpaths.patch new file mode 100644 index 0000000..0820c69 --- /dev/null +++ b/krb5-appl-1.0-manpaths.patch 
@@ -0,0 +1,107 @@ +Change the absolute paths included in the man pages so that the correct +values can be dropped in by config.status. After applying this patch, +these files should be renamed to their ".in" counterparts, and then the +configure scripts should be rebuilt. Originally RT#6525 + +diff -up krb5-appl-1.0/aclocal.m4.manpaths krb5-appl-1.0/aclocal.m4 +--- krb5-appl-1.0/aclocal.m4.manpaths 2010-03-05 10:55:58.000000000 -0500 ++++ krb5-appl-1.0/aclocal.m4 2010-03-05 10:55:58.000000000 -0500 +@@ -565,3 +565,24 @@ AC_SUBST(PAM_LIBS) + AC_SUBST(PAM_MAN) + AC_SUBST(NON_PAM_MAN) + ])dnl ++AC_DEFUN(V5_AC_OUTPUT_MANPAGE,[ ++mansysconfdir=$sysconfdir ++mansysconfdir=`eval echo $mansysconfdir | sed -e "s,NONE,$prefix,g"` ++mansysconfdir=`eval echo $mansysconfdir | sed -e "s,NONE,$ac_default_prefix,g"` ++mansbindir=$sbindir ++mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$exec_prefix,g"` ++mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$prefix,g"` ++mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$ac_default_prefix,g"` ++manlocalstatedir=$localstatedir ++manlocalstatedir=`eval echo $manlocalstatedir | sed -e "s,NONE,$prefix,g"` ++manlocalstatedir=`eval echo $manlocalstatedir | sed -e "s,NONE,$ac_default_prefix,g"` ++manlibexecdir=$libexecdir ++manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$exec_prefix,g"` ++manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$prefix,g"` ++manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$ac_default_prefix,g"` ++AC_SUBST(mansysconfdir) ++AC_SUBST(mansbindir) ++AC_SUBST(manlocalstatedir) ++AC_SUBST(manlibexecdir) ++AC_CONFIG_FILES($1) ++]) +diff -up krb5-appl-1.0/bsd/klogind.M.manpaths krb5-appl-1.0/bsd/klogind.M +--- krb5-appl-1.0/bsd/klogind.M.manpaths 2008-12-15 15:29:01.000000000 -0500 ++++ krb5-appl-1.0/bsd/klogind.M 2010-03-05 10:55:58.000000000 -0500 +@@ -27,7 +27,7 @@ server is invoked by \fIinetd(8)\fP when + the port indicated in /etc/inetd.conf. 
A typical /etc/inetd.conf + configuration line for \fIklogind\fP might be: + +-klogin stream tcp nowait root /usr/cygnus/sbin/klogind klogind -e5c ++klogin stream tcp nowait root @mansbindir@/klogind klogind -e5c + + When a service request is received, the following protocol is initiated: + +diff -up krb5-appl-1.0/bsd/kshd.M.manpaths krb5-appl-1.0/bsd/kshd.M +--- krb5-appl-1.0/bsd/kshd.M.manpaths 2006-06-12 14:19:26.000000000 -0400 ++++ krb5-appl-1.0/bsd/kshd.M 2010-03-05 10:55:58.000000000 -0500 +@@ -8,7 +8,7 @@ + .SH NAME + kshd \- kerberized remote shell server + .SH SYNOPSIS +-.B /usr/local/sbin/kshd ++.B @mansbindir@/kshd + [ + .B \-kr45ec + ] +@@ -30,7 +30,7 @@ server is invoked by \fIinetd(8c)\fP whe + on the port indicated in /etc/inetd.conf. A typical /etc/inetd.conf + configuration line for \fIkrshd\fP might be: + +-kshell stream tcp nowait root /usr/local/sbin/kshd kshd -5c ++kshell stream tcp nowait root @mansbindir@/kshd kshd -5c + + When a service request is received, the following protocol is initiated: + +diff -up krb5-appl-1.0/configure.ac.manpaths krb5-appl-1.0/configure.ac +--- krb5-appl-1.0/configure.ac.manpaths 2010-03-05 10:55:58.000000000 -0500 ++++ krb5-appl-1.0/configure.ac 2010-03-05 10:55:58.000000000 -0500 +@@ -412,6 +412,13 @@ else + fi + AC_SUBST(HAVE_RUNTEST) + ++V5_AC_OUTPUT_MANPAGE([ ++ gssftp/ftpd/ftpd.M ++ bsd/klogind.M ++ bsd/kshd.M ++ telnet/telnetd/telnetd.8 ++]) ++ + V5_AC_OUTPUT_MAKEFILE(. 
bsd libmissing libpty + gssftp gssftp/ftp gssftp/ftpd + telnet telnet/libtelnet telnet/telnet telnet/telnetd +diff -up krb5-appl-1.0/gssftp/ftpd/ftpd.M.manpaths krb5-appl-1.0/gssftp/ftpd/ftpd.M +--- krb5-appl-1.0/gssftp/ftpd/ftpd.M.manpaths 2009-01-28 00:42:11.000000000 -0500 ++++ krb5-appl-1.0/gssftp/ftpd/ftpd.M 2010-03-05 10:55:58.000000000 -0500 +@@ -35,7 +35,7 @@ + .SH NAME + ftpd \- DARPA Internet File Transfer Protocol server + .SH SYNOPSIS +-.B ftpd ++.B @mansbindir@/ftpd + [\fB\-A \fP|\fB -a\fP] [\fB\-C\fP] [\fB\-c\fP] [\fB\-d\fP] [\fB-E\fP] + [\fB\-l\fP] [\fB\-v\fP] [\fB\-T\fP \fImaxtimeout\fP] [\fB\-t\fP \fItimeout\fP] + [\fB\-p\fP \fIport\fP] [\fB\-U\fP \fIftpusers-file\fP] [\fB\-u\fP \fIumask\fP] +diff -up krb5-appl-1.0/telnet/telnetd/telnetd.8.manpaths krb5-appl-1.0/telnet/telnetd/telnetd.8 +--- krb5-appl-1.0/telnet/telnetd/telnetd.8.manpaths 2004-11-15 16:25:41.000000000 -0500 ++++ krb5-appl-1.0/telnet/telnetd/telnetd.8 2010-03-05 10:55:58.000000000 -0500 +@@ -37,7 +37,7 @@ telnetd \- + .SM DARPA TELNET + protocol server + .SH SYNOPSIS +-.B /usr/libexec/telnetd ++.B @mansbindir@/telnetd + [\fB\-a\fP \fIauthmode\fP] [\fB\-B\fP] [\fB\-D\fP] [\fIdebugmode\fP] + [\fB\-e\fP] [\fB\-h\fP] [\fB\-I\fP\fIinitid\fP] [\fB\-l\fP] + [\fB\-k\fP] [\fB\-n\fP] [\fB\-r\fP\fIlowpty-highpty\fP] [\fB\-s\fP] diff --git a/krb5-1.7-pam.patch b/krb5-appl-1.0-pam.patch similarity index 70% rename from krb5-1.7-pam.patch rename to krb5-appl-1.0-pam.patch index 33331da..cc38621 100644 --- a/krb5-1.7-pam.patch +++ b/krb5-appl-1.0-pam.patch 
@@ -17,7 +17,7 @@ At run-time, krshd's behavior can be reset to the earlier, non-PAM behavior by setting "use_pam" to false in the [ftpd] section of /etc/krb5.conf. -Modify login so that instead of directly obtaining v5 or v4 credentials +Modify login so that instead of directly obtaining v5 credentials or running aklog, it calls PAM for authentication if strong authentication hasn't already been performed, so that it performs account management using PAM (prompting for a password change if need 
@@ -28,24 +28,16 @@ is pretty much always going to be there. At run-time, login's behavior can be reset to the earlier, non-PAM behavior by setting "use_pam" to false in the [login] section of /etc/krb5.conf. -Modify ksu so that it performs account and session management for the -target user account, mimicking the action of regular su. The default -service name is "ksu", because on Fedora at least the configuration used -is determined by whether or not a login shell is being opened, and so -this may need to vary, too. At run-time, ksu's behavior can be reset to -the earlier, non-PAM behavior by setting "use_pam" to false in the [ksu] -section of /etc/krb5.conf. +When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam. +Originally filed as RT#5939. -When enabled, ftpd, krshd, login.krb5, and ksu gain dependence on libpam. -RT#5939. - -diff -up krb5-1.7/src/aclocal.m4 krb5-1.7/src/aclocal.m4 ---- krb5-1.7/src/aclocal.m4 2009-02-18 19:38:17.000000000 -0500 -+++ krb5-1.7/src/aclocal.m4 2009-06-04 13:45:57.000000000 -0400 -@@ -1771,3 +1771,86 @@ AC_DEFUN(KRB5_AC_KEYRING_CCACHE,[ - ])) +diff -up krb5-appl-1.0/aclocal.m4.pam krb5-appl-1.0/aclocal.m4 +--- krb5-appl-1.0/aclocal.m4.pam 2009-11-21 15:29:19.000000000 -0500 ++++ krb5-appl-1.0/aclocal.m4 2010-03-05 10:48:50.000000000 -0500 +@@ -486,3 +486,82 @@ AC_DEFUN([KRB5_AC_LIBUTIL], + UTIL_LIB=-lutil])dnl + AC_SUBST(UTIL_LIB) ])dnl - dnl +dnl +dnl Use PAM instead of local crypt() compare for checking local passwords, +dnl and perform PAM account, session management, and password-changing where 
@@ -62,8 +54,6 @@ diff -up krb5-1.7/src/aclocal.m4 krb5-1.7/src/aclocal.m4 + withekshellpamservice="$withval",withekshellpamservice=ekshell) +AC_ARG_WITH(pam-ftp-service,[AC_HELP_STRING(--with-ftp-service,[PAM service name for ftpd ["gssftp"]])], + withftppamservice="$withval",withftppamservice=gssftp) -+AC_ARG_WITH(pam-ksu-service,[AC_HELP_STRING(--with-ksu-service,[PAM service name for ksu ["ksu"]])], -+ withksupamservice="$withval",withksupamservice=ksu) +old_LIBS="$LIBS" +if test "$withpam" != no ; then + AC_MSG_RESULT([checking for PAM...]) @@ -114,8 +104,6 @@ diff -up krb5-1.7/src/aclocal.m4 krb5-1.7/src/aclocal.m4 + [Define to the name of the PAM service name to be used by rshd for encrypted sessions.]) + AC_DEFINE_UNQUOTED(FTP_PAM_SERVICE,"$withftppamservice", + [Define to the name of the PAM service name to be used by ftpd.]) -+ AC_DEFINE_UNQUOTED(KSU_PAM_SERVICE,"$withksupamservice", -+ [Define to the name of the PAM service name to be used by ksu.]) + PAM_LIBS="$LIBS" + NON_PAM_MAN=".\\\" " + PAM_MAN= 
@@ -129,21 +117,10 @@ diff -up krb5-1.7/src/aclocal.m4 krb5-1.7/src/aclocal.m4 +AC_SUBST(PAM_MAN) +AC_SUBST(NON_PAM_MAN) +])dnl -diff -up krb5-1.7/src/appl/bsd/configure.in krb5-1.7/src/appl/bsd/configure.in ---- krb5-1.7/src/appl/bsd/configure.in 2008-12-15 15:29:01.000000000 -0500 -+++ krb5-1.7/src/appl/bsd/configure.in 2009-06-04 13:45:57.000000000 -0400 -@@ -24,6 +24,7 @@ AC_CHECK_LIB(odm,main, - AC_CHECK_LIB(cfg,main, - LOGINLIBS="$LOGINLIBS -lodm -ls -lcfg" - ))) -+KRB5_WITH_PAM - dnl - dnl Make our operating system-specific security checks and definitions for - dnl login. -diff -up krb5-1.7/src/appl/bsd/krshd.c krb5-1.7/src/appl/bsd/krshd.c ---- krb5-1.7/src/appl/bsd/krshd.c 2009-04-15 16:07:15.000000000 -0400 -+++ krb5-1.7/src/appl/bsd/krshd.c 2009-06-04 13:45:57.000000000 -0400 -@@ -161,6 +161,10 @@ char copyright[] = +diff -up krb5-appl-1.0/bsd/krshd.c.pam krb5-appl-1.0/bsd/krshd.c +--- krb5-appl-1.0/bsd/krshd.c.pam 2009-11-16 05:27:04.000000000 -0500 ++++ krb5-appl-1.0/bsd/krshd.c 2010-03-05 10:48:50.000000000 -0500 +@@ -163,6 +163,10 @@ char copyright[] = #include #endif @@ -154,7 +131,7 @@ diff -up krb5-1.7/src/appl/bsd/krshd.c krb5-1.7/src/appl/bsd/krshd.c #ifndef MAXDNAME #define MAXDNAME 256 /*per the rfc*/ #endif -@@ -181,6 +185,7 @@ void fatal(int, const char *); +@@ -183,6 +187,7 @@ void fatal(int, const char *); int require_encrypt = 0; int do_encrypt = 0; @@ -162,7 +139,7 @@ diff -up krb5-1.7/src/appl/bsd/krshd.c krb5-1.7/src/appl/bsd/krshd.c int anyport = 0; char *kprogdir = KPROGDIR; int netf; -@@ -1030,14 +1035,6 @@ void doit(f, fromp) +@@ -1032,14 +1037,6 @@ void doit(f, fromp) } #endif /*CRAY*/ @@ -177,7 +154,7 @@ diff -up krb5-1.7/src/appl/bsd/krshd.c krb5-1.7/src/appl/bsd/krshd.c #ifdef KERBEROS /* krb5_kuserok returns 1 if OK */ if (!krb5_kuserok(bsd_context, client, locuser)){ -@@ -1067,11 +1064,51 @@ void doit(f, fromp) +@@ -1069,11 +1066,51 @@ void doit(f, fromp) goto signout_please; } 
@@ -229,7 +206,7 @@ diff -up krb5-1.7/src/appl/bsd/krshd.c krb5-1.7/src/appl/bsd/krshd.c /* Log access to account */ pwd = (struct passwd *) getpwnam(locuser); if (pwd && (pwd->pw_uid == 0)) { -@@ -1111,7 +1148,7 @@ void doit(f, fromp) +@@ -1113,7 +1150,7 @@ void doit(f, fromp) (void) write(2, "", 1); @@ -238,7 +215,7 @@ diff -up krb5-1.7/src/appl/bsd/krshd.c krb5-1.7/src/appl/bsd/krshd.c if (port&&(pipe(pv) < 0)) { error("Can't make pipe.\n"); goto signout_please; -@@ -1416,6 +1453,15 @@ void doit(f, fromp) +@@ -1418,6 +1455,15 @@ void doit(f, fromp) environ = envinit; @@ -254,11 +231,11 @@ diff -up krb5-1.7/src/appl/bsd/krshd.c krb5-1.7/src/appl/bsd/krshd.c #ifdef KERBEROS /* To make Kerberos rcp work correctly, we must ensure that we invoke Kerberos rcp on this end, not normal rcp, even if the -diff -up krb5-1.7/src/appl/bsd/login.c krb5-1.7/src/appl/bsd/login.c ---- krb5-1.7/src/appl/bsd/login.c 2008-12-15 15:29:01.000000000 -0500 -+++ krb5-1.7/src/appl/bsd/login.c 2009-06-04 13:45:57.000000000 -0400 -@@ -145,6 +145,11 @@ typedef sigtype (*handler)(); - #include "osconf.h" +diff -up krb5-appl-1.0/bsd/login.c.pam krb5-appl-1.0/bsd/login.c +--- krb5-appl-1.0/bsd/login.c.pam 2009-11-21 15:29:19.000000000 -0500 ++++ krb5-appl-1.0/bsd/login.c 2010-03-05 10:48:50.000000000 -0500 +@@ -148,6 +148,11 @@ typedef sigtype (*handler)(); + #define KRB5_ENV_CCNAME "KRB5CCNAME" #endif /* KRB5_GET_TICKETS */ +#ifdef USE_PAM @@ -269,7 +246,7 @@ diff -up krb5-1.7/src/appl/bsd/login.c krb5-1.7/src/appl/bsd/login.c #ifndef __STDC__ #ifndef volatile #define volatile -@@ -294,6 +299,9 @@ static struct login_confs { +@@ -293,6 +298,9 @@ static struct login_confs { char *flagname; int *flag; } login_conf_set[] = { 
@@ -279,7 +256,7 @@ diff -up krb5-1.7/src/appl/bsd/login.c krb5-1.7/src/appl/bsd/login.c #ifdef KRB5_GET_TICKETS {"krb5_get_tickets", &login_krb5_get_tickets}, {"krb_run_aklog", &login_krb_run_aklog}, -@@ -933,6 +941,21 @@ int main(argc, argv) +@@ -934,6 +942,21 @@ int main(argc, argv) if (!unix_needs_passwd()) break; @@ -301,7 +278,7 @@ diff -up krb5-1.7/src/appl/bsd/login.c krb5-1.7/src/appl/bsd/login.c #ifdef KRB5_GET_TICKETS if (login_krb5_get_tickets) { /* rename these to something more verbose */ -@@ -1020,6 +1043,24 @@ int main(argc, argv) +@@ -1021,6 +1044,24 @@ int main(argc, argv) /* committed to login -- turn off timeout */ (void) alarm((u_int) 0); @@ -326,7 +303,7 @@ diff -up krb5-1.7/src/appl/bsd/login.c krb5-1.7/src/appl/bsd/login.c /* * If valid so far and root is logging in, see if root logins on * this terminal are permitted. -@@ -1060,6 +1101,21 @@ int main(argc, argv) +@@ -1061,6 +1102,21 @@ int main(argc, argv) sleepexit(0); } #endif @@ -348,7 +325,7 @@ diff -up krb5-1.7/src/appl/bsd/login.c krb5-1.7/src/appl/bsd/login.c if (chdir(pwd->pw_dir) < 0) { printf("No directory %s!\n", pwd->pw_dir); -@@ -1347,6 +1403,11 @@ int main(argc, argv) +@@ -1343,6 +1399,11 @@ int main(argc, argv) } #endif /* KRB5_GET_TICKETS */ 
@@ -360,54 +337,55 @@ diff -up krb5-1.7/src/appl/bsd/login.c krb5-1.7/src/appl/bsd/login.c if (tty[sizeof("tty")-1] == 'd') syslog(LOG_INFO, "DIALUP %s, %s", tty, pwd->pw_name); if (pwd->pw_uid == 0) -diff -up krb5-1.7/src/appl/bsd/Makefile.in krb5-1.7/src/appl/bsd/Makefile.in ---- krb5-1.7/src/appl/bsd/Makefile.in 2009-01-05 15:27:53.000000000 -0500 -+++ krb5-1.7/src/appl/bsd/Makefile.in 2009-06-04 13:45:57.000000000 -0400 -@@ -11,12 +11,13 @@ SETENVOBJ=@SETENVOBJ@ +diff -up krb5-appl-1.0/bsd/Makefile.in.pam krb5-appl-1.0/bsd/Makefile.in +--- krb5-appl-1.0/bsd/Makefile.in.pam 2009-11-05 15:10:37.000000000 -0500 ++++ krb5-appl-1.0/bsd/Makefile.in 2010-03-05 10:48:50.000000000 -0500 +@@ -3,11 +3,14 @@ BUILDTOP=$(REL).. + LOGINLIBS=@LOGINLIBS@ - LIBOBJS=@LIBOBJS@ KRSHDLIBS=@KRSHDLIBS@ +PAMOBJS=pam.o ++PAM_LIBS=@PAM_LIBS@ SRCS= $(srcdir)/krcp.c $(srcdir)/krlogin.c $(srcdir)/krsh.c $(srcdir)/kcmd.c \ $(srcdir)/forward.c $(srcdir)/login.c $(srcdir)/krshd.c \ $(srcdir)/krlogind.c - OBJS= krcp.o krlogin.o krsh.o kcmd.o forward.o $(SETENVOBJ) login.o krshd.o \ -- krlogind.o $(LIBOBJS) -+ krlogind.o $(LIBOBJS) $(PAMOBJS) +-OBJS= krcp.o krlogin.o krsh.o kcmd.o forward.o login.o krshd.o krlogind.o ++OBJS= krcp.o krlogin.o krsh.o kcmd.o forward.o login.o krshd.o krlogind.o \ ++ $(PAMOBJS) UCB_RLOGIN = @UCB_RLOGIN@ UCB_RSH = @UCB_RSH@ -@@ -53,8 +54,8 @@ install:: +@@ -50,8 +53,8 @@ install:: ) || exit 1; \ done --kshd: krshd.o kcmd.o forward.o $(SETENVOBJ) $(LIBOBJS) $(PTY_DEPLIB) $(KRB5_BASE_DEPLIBS) $(APPUTILS_DEPLIB) -- $(CC_LINK) -o kshd krshd.o kcmd.o forward.o $(SETENVOBJ) $(LIBOBJS) $(KRSHDLIBS) $(PTY_LIB) $(UTIL_LIB) $(KRB5_BASE_LIBS) $(APPUTILS_LIB) -+kshd: krshd.o kcmd.o forward.o $(PAMOBJS) $(SETENVOBJ) $(LIBOBJS) $(PTY_DEPLIB) $(KRB5_BASE_DEPLIBS) $(APPUTILS_DEPLIB) -+ $(CC_LINK) -o kshd krshd.o kcmd.o forward.o $(PAMOBJS) $(SETENVOBJ) $(LIBOBJS) $(KRSHDLIBS) $(PTY_LIB) $(UTIL_LIB) $(KRB5_BASE_LIBS) $(PAM_LIBS) $(APPUTILS_LIB) +-kshd: krshd.o kcmd.o forward.o 
$(PTY_DEPLIB) $(MISSING_DEPLIB) +- $(CC_LINK) -o kshd krshd.o kcmd.o forward.o $(KRSHDLIBS) $(PTY_LIB) $(UTIL_LIB) $(MISSING_LIB) $(KRB5_BASE_LIBS) $(LIBS) ++kshd: krshd.o kcmd.o forward.o $(PAMOBJS) $(PTY_DEPLIB) $(MISSING_DEPLIB) ++ $(CC_LINK) -o kshd krshd.o kcmd.o forward.o $(PAMOBJS) $(KRSHDLIBS) $(PTY_LIB) $(UTIL_LIB) $(MISSING_LIB) $(KRB5_BASE_LIBS) $(PAM_LIBS) $(LIBS) - klogind: krlogind.o kcmd.o forward.o $(SETENVOBJ) $(LIBOBJS) $(PTY_DEPLIB) $(KRB5_BASE_DEPLIBS) $(APPUTILS_DEPLIB) - $(CC_LINK) -o klogind krlogind.o kcmd.o forward.o $(SETENVOBJ) $(LIBOBJS) $(PTY_LIB) $(UTIL_LIB) $(KRB5_BASE_LIBS) $(APPUTILS_LIB) -@@ -71,8 +72,8 @@ install:: + klogind: krlogind.o kcmd.o forward.o $(PTY_DEPLIB) $(MISSING_DEPLIB) + $(CC_LINK) -o klogind krlogind.o kcmd.o forward.o $(PTY_LIB) $(UTIL_LIB) $(MISSING_LIB) $(KRB5_BASE_LIBS) $(LIBS) +@@ -68,8 +71,8 @@ install:: # No program name transformation is done with login.krb5 since it is directly # referenced by klogind. # --login.krb5: login.o $(SETENVOBJ) $(LIBOBJS) $(PTY_DEPLIB) $(KRB5_BASE_DEPLIBS) -- $(CC_LINK) -o login.krb5 login.o $(SETENVOBJ) $(LIBOBJS) $(LOGINLIBS) $(PTY_LIB) $(KRB5_BASE_LIBS) -+login.krb5: login.o $(SETENVOBJ) $(PAMOBJS) $(LIBOBJS) $(PTY_DEPLIB) $(KRB5_BASE_DEPLIBS) -+ $(CC_LINK) -o login.krb5 login.o $(SETENVOBJ) $(PAMOBJS) $(LIBOBJS) $(LOGINLIBS) $(PTY_LIB) $(KRB5_BASE_LIBS) $(PAM_LIBS) +-login.krb5: login.o $(PTY_DEPLIB) $(MISSING_DEPLIB) +- $(CC_LINK) -o login.krb5 login.o $(LOGINLIBS) $(PTY_LIB) $(KRB5_BASE_LIBS) $(MISSING_LIB) $(LIBS) ++login.krb5: login.o $(PAMOBJS) $(PTY_DEPLIB) $(MISSING_DEPLIB) ++ $(CC_LINK) -o login.krb5 login.o $(PAMOBJS) $(LOGINLIBS) $(PTY_LIB) $(KRB5_BASE_LIBS) $(MISSING_LIB) $(PAM_LIBS) $(LIBS) install:: $(INSTALL_PROGRAM) login.krb5 $(DESTDIR)$(SERVER_BINDIR)/login.krb5 -diff -up /dev/null krb5-1.7/src/appl/bsd/pam.c ---- /dev/null 2009-06-04 10:34:55.169007373 -0400 -+++ krb5-1.7/src/appl/bsd/pam.c 2009-06-04 13:45:57.000000000 -0400 -@@ -0,0 +1,433 @@ +diff -up 
krb5-appl-1.0/bsd/pam.c.pam krb5-appl-1.0/bsd/pam.c +--- krb5-appl-1.0/bsd/pam.c.pam 2010-03-05 10:48:50.000000000 -0500 ++++ krb5-appl-1.0/bsd/pam.c 2010-03-05 10:48:50.000000000 -0500 +@@ -0,0 +1,438 @@ +/* + * src/appl/bsd/pam.c + * -+ * Copyright 2007,2009 Red Hat, Inc. ++ * Copyright 2007,2009,2010 Red Hat, Inc. + * + * All Rights Reserved. + * @@ -447,13 +425,17 @@ diff -up /dev/null krb5-1.7/src/appl/bsd/pam.c +#include +#include +#include -+#include "k5-int.h" ++#include +#include "pam.h" + +#ifndef MAXPWSIZE +#define MAXPWSIZE 128 +#endif + ++#ifndef KRB5_ENV_CCNAME ++#define KRB5_ENV_CCNAME "KRB5CCNAME" ++#endif ++ +static int appl_pam_started; +static pid_t appl_pam_starter = -1; +static int appl_pam_session_opened; @@ -471,8 +453,9 @@ diff -up /dev/null krb5-1.7/src/appl/bsd/pam.c +appl_pam_enabled(krb5_context context, const char *section) +{ + int enabled = 1; -+ if ((context != NULL) && (context->profile != NULL)) { -+ if (profile_get_boolean(context->profile, ++ profile_t profile = NULL; ++ if ((context != NULL) && (krb5_get_profile(context, &profile) == 0)) { ++ if (profile_get_boolean(profile, + section, + USE_PAM_CONFIGURATION_KEYWORD, + NULL, @@ -837,9 +820,9 @@ diff -up /dev/null krb5-1.7/src/appl/bsd/pam.c + return ret; +} +#endif -diff -up /dev/null krb5-1.7/src/appl/bsd/pam.h ---- /dev/null 2009-06-04 10:34:55.169007373 -0400 -+++ krb5-1.7/src/appl/bsd/pam.h 2009-06-04 13:45:57.000000000 -0400 +diff -up krb5-appl-1.0/bsd/pam.h.pam krb5-appl-1.0/bsd/pam.h +--- krb5-appl-1.0/bsd/pam.h.pam 2010-03-05 10:48:50.000000000 -0500 ++++ krb5-appl-1.0/bsd/pam.h 2010-03-05 10:48:50.000000000 -0500 @@ -0,0 +1,65 @@ +/* + * src/appl/bsd/pam.h 
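Review bot: appl_pam_enabled now obtains the configuration through krb5_get_profile(), and that call hands back a profile handle the caller owns and must free with profile_release(); the nine new lines of the `@@ -471,8 +453,9 @@` hunk acquire it but stop at the `NULL,` argument, so the release would have to be in the remainder of the function, which is outside this hunk. If it is not there, every call leaks a profile object, and krshd, ftpd and login.krb5 call appl_pam_enabled once per session. I would close the `if` with `profile_release(profile);` immediately after the profile_get_boolean() block. The previous code read `context->profile` directly, which needed no freeing, so this is easy to miss in the port.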
@@ -906,21 +889,22 @@ diff -up /dev/null krb5-1.7/src/appl/bsd/pam.h +int appl_pam_cred_init(void); +void appl_pam_cleanup(void); +#endif -diff -up krb5-1.7/src/appl/gssftp/configure.in krb5-1.7/src/appl/gssftp/configure.in ---- krb5-1.7/src/appl/gssftp/configure.in 2006-03-31 16:00:40.000000000 -0500 -+++ krb5-1.7/src/appl/gssftp/configure.in 2009-06-04 13:45:57.000000000 -0400 -@@ -17,6 +17,7 @@ DECLARE_SYS_ERRLIST - AC_REPLACE_FUNCS(getdtablesize) - AC_CHECK_FUNCS(getcwd getdtablesize getusershell seteuid setreuid setresuid strerror getenv) - AC_CHECK_LIB(crypt,crypt) dnl +diff -up krb5-appl-1.0/configure.ac.pam krb5-appl-1.0/configure.ac +--- krb5-appl-1.0/configure.ac.pam 2009-11-21 16:46:39.000000000 -0500 ++++ krb5-appl-1.0/configure.ac 2010-03-05 10:48:50.000000000 -0500 +@@ -156,6 +156,8 @@ AC_CHECK_FUNC(tgetent, , + [AC_MSG_ERROR([Could not find tgetent; are you missing a curses/ncurses library?])]) + LIBS="$old_LIBS" + +KRB5_WITH_PAM - KRB5_AC_LIBUTIL - dnl - dnl copied from appl/bsd/configure.in -diff -up krb5-1.7/src/appl/gssftp/ftpd/ftpd.c krb5-1.7/src/appl/gssftp/ftpd/ftpd.c ---- krb5-1.7/src/appl/gssftp/ftpd/ftpd.c 2009-01-28 00:42:11.000000000 -0500 -+++ krb5-1.7/src/appl/gssftp/ftpd/ftpd.c 2009-06-04 13:45:57.000000000 -0400 -@@ -67,6 +67,9 @@ static char sccsid[] = "@(#)ftpd.c 5.40 ++ + # Make our operating system-specific security checks and definitions + # for libpty, login, and ftpd. The following code decides what + # streams modules will be pushed onto a pty. In particular, if +diff -up krb5-appl-1.0/gssftp/ftpd/ftpd.c.pam krb5-appl-1.0/gssftp/ftpd/ftpd.c +--- krb5-appl-1.0/gssftp/ftpd/ftpd.c.pam 2009-11-18 00:07:46.000000000 -0500 ++++ krb5-appl-1.0/gssftp/ftpd/ftpd.c 2010-03-05 10:48:50.000000000 -0500 +@@ -69,6 +69,9 @@ static char sccsid[] = "@(#)ftpd.c 5.40 #ifdef HAVE_SHADOW #include #endif 
@@ -930,7 +914,7 @@ diff -up krb5-1.7/src/appl/gssftp/ftpd/ftpd.c krb5-1.7/src/appl/gssftp/ftpd/ftpd #include #include #ifndef POSIX_SETJMP -@@ -745,6 +748,22 @@ user(name) +@@ -743,6 +746,22 @@ user(name) name); } #endif /* GSSAPI */ @@ -953,7 +937,7 @@ diff -up krb5-1.7/src/appl/gssftp/ftpd/ftpd.c krb5-1.7/src/appl/gssftp/ftpd/ftpd if (!authorized && authlevel == AUTHLEVEL_AUTHORIZE) { strncat(buf, "; Access denied.", -@@ -846,6 +865,10 @@ end_login() +@@ -843,6 +862,10 @@ end_login() (void) krb5_seteuid((uid_t)0); if (logged_in) pty_logwtmp(ttyline, "", ""); @@ -964,7 +948,7 @@ diff -up krb5-1.7/src/appl/gssftp/ftpd/ftpd.c krb5-1.7/src/appl/gssftp/ftpd/ftpd if (have_creds) { #ifdef GSSAPI krb5_cc_destroy(kcontext, ccache); -@@ -954,9 +977,19 @@ pass(passwd) +@@ -951,9 +974,19 @@ pass(passwd) * kpass fails and the user has no local password * kpass fails and the provided password doesn't match pw */ @@ -987,7 +971,7 @@ diff -up krb5-1.7/src/appl/gssftp/ftpd/ftpd.c krb5-1.7/src/appl/gssftp/ftpd/ftpd pw = NULL; sleep(5); if (++login_attempts >= 3) { -@@ -973,6 +1006,23 @@ pass(passwd) +@@ -970,6 +1003,23 @@ pass(passwd) } login_attempts = 0; /* this time successful */ @@ -1011,7 +995,7 @@ diff -up krb5-1.7/src/appl/gssftp/ftpd/ftpd.c krb5-1.7/src/appl/gssftp/ftpd/ftpd login(passwd, 0); return; } -@@ -988,6 +1038,18 @@ login(passwd, logincode) +@@ -985,6 +1035,18 @@ login(passwd, logincode) chown(ccname, pw->pw_uid, pw->pw_gid); #endif } @@ -1030,7 +1014,7 @@ diff -up krb5-1.7/src/appl/gssftp/ftpd/ftpd.c krb5-1.7/src/appl/gssftp/ftpd/ftpd (void) krb5_setegid((gid_t)pw->pw_gid); (void) initgroups(pw->pw_name, pw->pw_gid); -@@ -1960,6 +2022,10 @@ dologout(status) +@@ -1966,6 +2028,10 @@ dologout(status) krb5_cc_destroy(kcontext, ccache); #endif } 
@@ -1041,12 +1025,12 @@ diff -up krb5-1.7/src/appl/gssftp/ftpd/ftpd.c krb5-1.7/src/appl/gssftp/ftpd/ftpd /* beware of flushing buffers after a SIGPIPE */ _exit(status); } -diff -up krb5-1.7/src/appl/gssftp/ftpd/Makefile.in krb5-1.7/src/appl/gssftp/ftpd/Makefile.in ---- krb5-1.7/src/appl/gssftp/ftpd/Makefile.in 2009-01-05 15:27:53.000000000 -0500 -+++ krb5-1.7/src/appl/gssftp/ftpd/Makefile.in 2009-06-04 13:45:57.000000000 -0400 -@@ -14,23 +14,25 @@ SETENVOBJ=@SETENVOBJ@ - LIBOBJS=@LIBOBJS@ - COMERRLIB=$(BUILDTOP)/util/et/libcom_err.a +diff -up krb5-appl-1.0/gssftp/ftpd/Makefile.in.pam krb5-appl-1.0/gssftp/ftpd/Makefile.in +--- krb5-appl-1.0/gssftp/ftpd/Makefile.in.pam 2009-07-20 13:21:24.000000000 -0400 ++++ krb5-appl-1.0/gssftp/ftpd/Makefile.in 2010-03-05 10:48:50.000000000 -0500 +@@ -6,22 +6,24 @@ PROG_LIBPATH=-L$(TOPLIBD) + PROG_RPATH=$(KRB5_LIBDIR) + FTPD_LIBS=@FTPD_LIBS@ +PAM_LIBS=@PAM_LIBS@ 
@@ -1054,218 +1038,29 @@ diff -up krb5-1.7/src/appl/gssftp/ftpd/Makefile.in krb5-1.7/src/appl/gssftp/ftpd $(srcdir)/vers.c \ $(srcdir)/../ftp/glob.c \ $(srcdir)/../ftp/radix.c \ - $(srcdir)/../ftp/secure.c \ -+ $(srcdir)/../../bsd/pam.c \ - $(srcdir)/../../bsd/getdtablesize.c $(SETENVSRC) +- $(srcdir)/../ftp/secure.c ++ $(srcdir)/../ftp/secure.c \ ++ $(srcdir)/../../bsd/pam.c OBJS = ftpd.o ftpcmd.o glob.o popen.o vers.o radix.o \ -- secure.o $(LIBOBJS) $(SETENVOBJ) -+ secure.o pam.o getdtablesize.o $(LIBOBJS) $(SETENVOBJ) +- secure.o ++ secure.o pam.o LOCALINCLUDES = -I$(srcdir)/.. -I$(srcdir) all:: ftpd - ftpd: $(OBJS) $(PTY_DEPLIB) $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS) -- $(CC_LINK) -o $@ $(OBJS) $(FTPD_LIBS) $(PTY_LIB) $(UTIL_LIB) $(GSS_LIBS) $(KRB5_BASE_LIBS) -+ $(CC_LINK) -o $@ $(OBJS) $(FTPD_LIBS) $(PTY_LIB) $(UTIL_LIB) $(GSS_LIBS) $(KRB5_BASE_LIBS) $(PAM_LIBS) + ftpd: $(OBJS) $(PTY_DEPLIB) $(MISSING_DEPLIB) +- $(CC_LINK) -o $@ $(OBJS) $(FTPD_LIBS) $(PTY_LIB) $(UTIL_LIB) $(MISSING_LIB) $(GSS_LIBS) $(LIBS) ++ $(CC_LINK) -o $@ $(OBJS) $(FTPD_LIBS) $(PTY_LIB) $(UTIL_LIB) $(MISSING_LIB) $(GSS_LIBS) $(PAM_LIBS) $(LIBS) generate-files-mac: ftpcmd.c -@@ -62,6 +64,8 @@ secure.o: $(srcdir)/../ftp/secure.c +@@ -61,4 +63,7 @@ ftpcmd.o: ftpcmd.c + popen.o: $(srcdir)/popen.c + vers.o: $(srcdir)/vers.c - getdtablesize.o: $(srcdir)/../../bsd/getdtablesize.c - $(CC) -c $(ALL_CFLAGS) $(srcdir)/../../bsd/getdtablesize.c +pam.o: $(srcdir)/../../bsd/pam.c + $(CC) -c $(ALL_CFLAGS) $(srcdir)/../../bsd/pam.c - - setenv.o: $(srcdir)/../../bsd/setenv.c - $(CC) -c $(ALL_CFLAGS) $(srcdir)/../../bsd/setenv.c -diff -up krb5-1.7/src/clients/ksu/main.c krb5-1.7/src/clients/ksu/main.c ---- krb5-1.7/src/clients/ksu/main.c 2008-12-01 12:09:59.000000000 -0500 -+++ krb5-1.7/src/clients/ksu/main.c 2009-06-04 13:45:57.000000000 -0400 -@@ -25,6 +25,7 @@ - * KSU was writen by: Ari Medvinsky, ari@isi.edu - */ - -+#include "autoconf.h" - #include "ksu.h" - #include "adm_proto.h" - #include -@@ -32,6 
+33,10 @@ - #include - #include - -+#ifdef USE_PAM -+#include "../../appl/bsd/pam.h" -+#endif + - /* globals */ - char * prog_name; - int auth_debug =0; -@@ -39,6 +44,7 @@ - char k5users_path[MAXPATHLEN]; - char * gb_err = NULL; - int quiet = 0; -+int force_fork = 0; - /***********/ - - #define _DEF_CSH "/bin/csh" -@@ -585,6 +591,25 @@ - prog_name,target_user,client_name, - source_user,ontty()); - -+#ifdef USE_PAM -+ if (appl_pam_enabled(ksu_context, "ksu")) { -+ if (appl_pam_acct_mgmt(KSU_PAM_SERVICE, 1, target_user, NULL, -+ NULL, source_user, -+ ttyname(STDERR_FILENO)) != 0) { -+ fprintf(stderr, "Access denied for %s.\n", target_user); -+ sweep_up(ksu_context, cc_target); -+ exit(1); -+ } -+ if (appl_pam_requires_chauthtok()) { -+ fprintf(stderr, "Password change required for %s.\n", -+ target_user); -+ sweep_up(ksu_context, cc_target); -+ exit(1); -+ } -+ force_fork++; -+ } -+#endif -+ - /* Run authorization as target.*/ - if (krb5_seteuid(target_uid)) { - com_err(prog_name, errno, "while switching to target for authorization check"); -@@ -791,7 +816,7 @@ - fprintf(stderr, "program to be execed %s\n",params[0]); - } - -- if( keep_target_cache ) { -+ if( keep_target_cache && !force_fork ) { - execv(params[0], params); - com_err(prog_name, errno, "while trying to execv %s", - params[0]); -@@ -799,6 +824,33 @@ - exit(1); - }else{ - statusp = 1; -+ -+#ifdef USE_PAM -+ if (appl_pam_enabled(ksu_context, "ksu")) { -+ if (appl_pam_session_open() != 0) { -+ fprintf(stderr, "Error opening session for %s.\n", target_user); -+ sweep_up(ksu_context, cc_target); -+ exit(1); -+ } -+#ifdef DEBUG -+ if (auth_debug){ -+ printf(" Opened PAM session.\n"); -+ } -+#endif -+ if (appl_pam_cred_init()) { -+ fprintf(stderr, "Error initializing credentials for %s.\n", -+ target_user); -+ sweep_up(ksu_context, cc_target); -+ exit(1); -+ } -+#ifdef DEBUG -+ if (auth_debug){ -+ printf(" Initialized PAM credentials.\n"); -+ } -+#endif -+ } -+#endif -+ - switch ((child_pid = fork())) { - 
default: - if (auth_debug){ -@@ -822,15 +874,34 @@ - if (ret_pid == -1) { - com_err(prog_name, errno, "while calling waitpid"); - } -- sweep_up(ksu_context, cc_target); -+ if( !keep_target_cache ) { -+ sweep_up(ksu_context, cc_target); -+ } - exit (statusp); - case -1: - com_err(prog_name, errno, "while trying to fork."); - sweep_up(ksu_context, cc_target); - exit (1); - case 0: -+#ifdef USE_PAM -+ if (appl_pam_enabled(ksu_context, "ksu")) { -+ if (appl_pam_setenv() != 0) { -+ fprintf(stderr, "Error setting up environment for %s.\n", -+ target_user); -+ exit (1); -+ } -+#ifdef DEBUG -+ if (auth_debug){ -+ printf(" Set up PAM environment.\n"); -+ } -+#endif -+ } -+#endif - execv(params[0], params); - com_err(prog_name, errno, "while trying to execv %s", params[0]); -+ if( keep_target_cache ) { -+ sweep_up(ksu_context, cc_target); -+ } - exit (1); - } - } -diff -up krb5-1.7/src/clients/ksu/Makefile.in krb5-1.7/src/clients/ksu/Makefile.in ---- krb5-1.7/src/clients/ksu/Makefile.in 2009-01-05 15:27:53.000000000 -0500 -+++ krb5-1.7/src/clients/ksu/Makefile.in 2009-06-04 13:45:57.000000000 -0400 -@@ -15,6 +15,7 @@ SRCS = \ - $(srcdir)/ccache.c \ - $(srcdir)/authorization.c \ - $(srcdir)/main.c \ -+ $(srcdir)/../../appl/bsd/pam.c \ - $(srcdir)/heuristic.c \ - $(srcdir)/xmalloc.c \ - $(srcdir)/setenv.c -@@ -23,13 +24,17 @@ OBJS = \ - ccache.o \ - authorization.o \ - main.o \ -+ pam.o \ - heuristic.o \ - xmalloc.o @SETENVOBJ@ - - all:: ksu - - ksu: $(OBJS) $(KRB5_BASE_DEPLIBS) -- $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS) -+ $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS) $(PAM_LIBS) -+ -+pam.o: $(srcdir)/../../appl/bsd/pam.c -+ $(CC) $(ALL_CFLAGS) -c $< - - clean:: - $(RM) ksu -diff -up krb5-1.7/src/config/pre.in krb5-1.7/src/config/pre.in ---- krb5-1.7/src/config/pre.in 2009-04-15 16:06:35.000000000 -0400 -+++ krb5-1.7/src/config/pre.in 2009-06-04 13:45:57.000000000 -0400 -@@ -181,6 +181,7 @@ LD_UNRESOLVED_PREFIX = @LD_UNRESOLVED_PR - LD_SHLIBDIR_PREFIX 
= @LD_SHLIBDIR_PREFIX@ - LDARGS = @LDARGS@ - LIBS = @LIBS@ -+PAM_LIBS = @PAM_LIBS@ - - INSTALL=@INSTALL@ - INSTALL_STRIP= -diff -up krb5-1.7/src/configure.in krb5-1.7/src/configure.in ---- krb5-1.7/src/configure.in 2009-04-15 16:07:03.000000000 -0400 -+++ krb5-1.7/src/configure.in 2009-06-04 13:45:57.000000000 -0400 -@@ -1040,6 +1040,8 @@ fi - dnl - AC_CONFIG_SUBDIRS(appl/libpty appl/bsd appl/gssftp appl/telnet) - -+KRB5_WITH_PAM -+ - AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config]) - V5_AC_OUTPUT_MAKEFILE(. - + # NOPOSTFIX diff --git a/krb5-1.3-rlogind-environ.patch b/krb5-appl-1.0-rlogind-environ.patch similarity index 80% rename from krb5-1.3-rlogind-environ.patch rename to krb5-appl-1.0-rlogind-environ.patch index e50cbbe..1034dcf 100644 --- a/krb5-1.3-rlogind-environ.patch +++ b/krb5-appl-1.0-rlogind-environ.patch @@ -1,8 +1,10 @@ Start with only TERM defined in the environment, like NetKit rlogind does, and KRB5CCNAME, which we set ourselves. ---- krb5-1.3/src/appl/bsd/krlogind.c -+++ krb5-1.3/src/appl/bsd/krlogind.c -@@ -713,6 +713,9 @@ + +diff -up krb5-appl-1.0/bsd/krlogind.c.rlogind-environ krb5-appl-1.0/bsd/krlogind.c +--- krb5-appl-1.0/bsd/krlogind.c.rlogind-environ 2009-11-21 15:29:19.000000000 -0500 ++++ krb5-appl-1.0/bsd/krlogind.c 2010-03-05 11:07:34.000000000 -0500 +@@ -667,6 +667,9 @@ void doit(f, fromp) #else struct sgttyb b; #endif /* POSIX_TERMIOS */ @@ -10,9 +12,9 @@ KRB5CCNAME, which we set ourselves. + char *bare_environ[] = {environ_term, environ_ccname, NULL}; + if ((retval = pty_open_slave(line, &t))) { - fatal(f, error_message(retval)); + fatal(f, pty_error_message(retval)); exit(1); -@@ -819,11 +822,15 @@ +@@ -773,11 +776,15 @@ void doit(f, fromp) /* use the vendors login, which has -p and -f. Tested on * AIX 4.1.4 and HPUX 10 */ 
@@ -23,15 +25,14 @@ KRB5CCNAME, which we set ourselves. { char *cp; - if ((cp = strchr(term,'/'))) -- *cp = '\0'; -- setenv("TERM",term, 1); + snprintf(environ_term, sizeof(environ_term) - 1, "TERM=%s", term); + if ((cp = strchr(environ_term,'/'))) -+ *cp = '\0'; + *cp = '\0'; +- setenv("TERM",term, 1); } retval = pty_make_sane_hostname((struct sockaddr *) fromp, maxhostlen, -@@ -832,13 +839,13 @@ +@@ -786,13 +793,13 @@ void doit(f, fromp) if (retval) fatalperror(f, "failed make_sane_hostname"); if (passwd_req) diff --git a/krb5-trunk-kpasswd_tcp.patch b/krb5-trunk-kpasswd_tcp.patch deleted file mode 100644 index 8c9fd4f..0000000 --- a/krb5-trunk-kpasswd_tcp.patch +++ /dev/null @@ -1,35 +0,0 @@ -Fall back to TCP on kdc-unresolvable/unreachable errors. We still have -to wait for UDP to fail, so this might not be ideal. RT #5868. - -Index: src/lib/krb5/os/changepw.c -=================================================================== ---- src/lib/krb5/os/changepw.c (revision 20199) -+++ src/lib/krb5/os/changepw.c (working copy) -@@ -251,11 +251,22 @@ - NULL, - NULL - ))) { -- -- /* -- * Here we may want to switch to TCP on some errors. -- * right? -- */ -+ /* if we're not using a stream socket, and it's an error which -+ * might reasonably be specific to a datagram "connection", try -+ * again with a stream socket */ -+ if (!useTcp) { -+ switch (code) { -+ case KRB5_KDC_UNREACH: -+ case KRB5_REALM_CANT_RESOLVE: -+ case KRB5KRB_ERR_RESPONSE_TOO_BIG: -+ /* should we do this for more result codes than these? */ -+ krb5int_free_addrlist (&al); -+ useTcp = 1; -+ continue; -+ default: -+ break; -+ } -+ } - break; - } - diff --git a/krb5.spec b/krb5.spec index 3facd41..a2d4e0d 100644 --- a/krb5.spec +++ b/krb5.spec 
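Review bot: The TERM rewrite in krlogind's doit() passes `sizeof(environ_term) - 1` to snprintf, but snprintf already reserves room for the terminator, so the `- 1` only discards one usable byte and reads like a leftover from a strncpy-style bound; `sizeof(environ_term)` is the correct argument. The return value is also dropped, so an over-long terminal type supplied by the remote client is silently cut short — safe, because the buffer is bounded and only TERM is affected, but worth stating with a comment such as `/* term is client-supplied; snprintf bounds it and truncation is acceptable */`. The declaration of environ_term and the rest of doit() lie outside this hunk.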
@@ -12,14 +12,18 @@ Summary: The Kerberos network authentication system Name: krb5 -Version: 1.7.1 -Release: 6%{?dist} +Version: 1.8 +Release: 1%{?dist} # Maybe we should explode from the now-available-to-everybody tarball instead? # http://web.mit.edu/kerberos/dist/krb5/1.7/krb5-1.7.1-signed.tar Source0: krb5-%{version}.tar.gz Source1: krb5-%{version}.tar.gz.asc +# Everything that needs a krb5-appl counterpart will have it with number + 100 +# until we get the package split done, else the telnet/ftp/rcmd stuff will just +# "vanish". +Source100: krb5-appl-%{appl_version}.tar.gz +Source101: krb5-appl-%{appl_version}.tar.gz.asc Source2: kpropd.init -Source3: krb5-appl-%{appl_version}.tar.gz Source4: kadmind.init Source5: krb5kdc.init Source6: krb5.conf @@ -41,7 +45,8 @@ Source22: ekrb5-telnet.xinetd # and tarred up. Source23: krb5-%{version}-pdf.tar.gz Source24: krb5-tex-pdf.sh -Source25: krb5-trunk-manpaths.txt +Source25: krb5-1.8-manpaths.txt +Source125: krb5-appl-1.0-manpaths.txt Source26: gssftp.pamd Source27: kshell.pamd Source28: ekshell.pamd 
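Review bot: The comment kept above Source0 still points at `http://web.mit.edu/kerberos/dist/krb5/1.7/krb5-1.7.1-signed.tar` although Version is bumped to 1.8 in the same hunk, so the one pointer a reader has for the upstream-signed tarball is now stale; update it to the 1.8 signed tarball or drop it. The new Source101 pairs a detached signature with the krb5-appl tarball exactly as Source1 does for krb5, but as far as this diff shows nothing in %prep verifies either signature, so a comment such as `# the .asc files are kept for reference; check them against the MIT key when refreshing the tarballs` would make the intent explicit. The %prep section is in a later hunk.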
@@ -51,45 +56,43 @@ Source31: kerberos-adm.portreserve Source32: krb5_prop.portreserve Patch3: krb5-1.3-netkit-rsh.patch -Patch4: krb5-1.3-rlogind-environ.patch -Patch5: krb5-1.3-ksu-access.patch -Patch6: krb5-1.5-ksu-path.patch +Patch4: krb5-appl-1.0-rlogind-environ.patch +Patch5: krb5-1.8-ksu-access.patch +Patch6: krb5-1.8-ksu-path.patch Patch11: krb5-1.2.1-passive.patch Patch12: krb5-1.7-ktany.patch Patch14: krb5-1.3-ftp-glob.patch Patch16: krb5-1.7-buildconf.patch Patch23: krb5-1.3.1-dns.patch Patch26: krb5-1.3.2-efence.patch -Patch29: krb5-1.7-kprop-mktemp.patch +Patch29: krb5-1.8-kprop-mktemp.patch Patch30: krb5-1.3.4-send-pr-tempfile.patch -Patch33: krb5-1.7-io.patch +Patch33: krb5-appl-1.0-io.patch Patch36: krb5-1.7-rcp-markus.patch -Patch39: krb5-1.7-api.patch +Patch39: krb5-1.8-api.patch Patch40: krb5-1.4.1-telnet-environ.patch -Patch41: krb5-1.6.3-login-lpass.patch Patch53: krb5-1.7-nodeplibs.patch Patch55: krb5-1.6.1-empty.patch Patch56: krb5-1.7-doublelog.patch -Patch57: krb5-1.6.2-login_chdir.patch -Patch58: krb5-1.6.2-key_exp.patch -Patch59: krb5-trunk-kpasswd_tcp.patch -Patch60: krb5-1.7-pam.patch -Patch61: krb5-trunk-manpaths.patch -Patch63: krb5-1.7-selinux-label.patch +Patch57: krb5-appl-1.0-login_chdir.patch +Patch58: krb5-1.8-key_exp.patch +Patch59: krb5-1.8-kpasswd_tcp.patch +Patch60: krb5-1.8-pam.patch +Patch160: krb5-appl-1.0-pam.patch +Patch61: krb5-1.8-manpaths.patch +Patch161: krb5-appl-1.0-manpaths.patch +Patch63: krb5-1.8-selinux-label.patch Patch70: krb5-trunk-kpasswd_tcp2.patch -Patch71: krb5-1.7-dirsrv-accountlock.patch +Patch71: krb5-1.8-dirsrv-accountlock.patch Patch72: krb5-1.6.3-ftp_fdleak.patch Patch73: krb5-1.6.3-ftp_glob_runique.patch Patch79: krb5-trunk-ftp_mget_case.patch -Patch86: krb5-1.7-time_t_size.patch Patch88: krb5-1.7-sizeof.patch -Patch89: krb5-1.7-largefile.patch -Patch90: krb5-1.7-openssl-1.0.patch +Patch89: krb5-appl-1.0-largefile.patch Patch93: krb5-1.7-create_on_load.patch -Patch95: krb5-1.7-opte.patch 
-Patch96: krb5-1.7-exp_warn.patch -Patch97: http://web.mit.edu/kerberos/advisories/2010-001-patch.txt -Patch98: krb5-1.7.1-kpasswd_ccache.patch +Patch95: krb5-1.8-opte.patch +Patch96: krb5-1.8-exp_warn.patch +Patch98: krb5-1.8-kpasswd_ccache.patch License: MIT URL: http://web.mit.edu/kerberos/www/ @@ -207,8 +210,7 @@ Group: System Environment/Base Requires: %{name}-workstation = %{version}-%{release} Requires(post): initscripts Requires(postun): initscripts -# mktemp is used by krb5-send-pr -Requires: mktemp, xinetd, /etc/pam.d/%{login_pam_service} +Requires: xinetd, /etc/pam.d/%{login_pam_service} %description workstation-servers Kerberos is a network authentication system. The krb5-workstation-servers 
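Review bot: Dropping `Patch41: krb5-1.6.3-login-lpass.patch` is justified in the commit message by PAM replacing the crypt() password check, but the PAM patch's own description earlier in this diff says login.krb5 reverts to the pre-PAM behaviour when `use_pam` is set to false in the `[login]` section of krb5.conf, and that fallback is exactly the crypt() path the dropped patch corrected. Unless krb5-appl 1.0 already carries the equivalent fix, which I cannot tell from this diff, an administrator who disables PAM gets the unfixed local-password check back. I would either keep the patch rebased onto krb5-appl or record, next to the `--with-pam` configure flag, that the non-PAM fallback is unsupported in this build. The Patch list continues above and below this hunk.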
@@ -228,50 +230,69 @@ to obtain initial credentials from a KDC using a private key and a certificate. %prep -%setup -q -a 3 -a 23 -ln -s README LICENSE -pushd src -%patch60 -p2 -b .pam -%patch61 -p0 -b .manpaths +%setup -q -a 23 -a 100 +ln -s NOTICE LICENSE + +%patch60 -p1 -b .pam +pushd krb5-appl-%{appl_version} +%patch160 -p1 -b .pam popd + +%patch61 -p1 -b .manpaths +pushd krb5-appl-%{appl_version} +%patch161 -p1 -b .manpaths +popd + %patch63 -p1 -b .selinux-label -%patch3 -p1 -b .netkit-rsh +pushd krb5-appl-%{appl_version} +%patch3 -p3 -b .netkit-rsh %patch4 -p1 -b .rlogind-environ +popd + %patch5 -p1 -b .ksu-access %patch6 -p1 -b .ksu-path -%patch11 -p1 -b .passive +pushd krb5-appl-%{appl_version} +%patch11 -p3 -b .passive +popd %patch12 -p1 -b .ktany -%patch14 -p1 -b .ftp-glob +pushd krb5-appl-%{appl_version} +%patch14 -p3 -b .ftp-glob +popd %patch16 -p1 -b .buildconf %patch23 -p1 -b .dns # Removes a malloc(0) case, nothing more. # %patch26 -p1 -b .efence %patch29 -p1 -b .kprop-mktemp %patch30 -p1 -b .send-pr-tempfile +pushd krb5-appl-%{appl_version} %patch33 -p1 -b .io -%patch36 -p1 -b .rcp-markus +%patch36 -p3 -b .rcp-markus +popd %patch39 -p1 -b .api -%patch40 -p1 -b .telnet-environ -%patch41 -p1 -b .login-lpass +pushd krb5-appl-%{appl_version} +%patch40 -p3 -b .telnet-environ +popd %patch53 -p1 -b .nodeplibs #%patch55 -p1 -b .empty %patch56 -p1 -b .doublelog -#%patch57 -p1 -b .login_chdir +pushd krb5-appl-%{appl_version} +%patch57 -p1 -b .login_chdir +popd %patch58 -p1 -b .key_exp -%patch59 -p0 -b .kpasswd_tcp +%patch59 -p1 -b .kpasswd_tcp #%patch70 -p0 -b .kpasswd_tcp2 %patch71 -p1 -b .dirsrv-accountlock -%patch72 -p1 -b .ftp_fdleak -%patch73 -p1 -b .ftp_glob_runique -%patch79 -p0 -b .ftp_mget_case -%patch86 -p1 -b .time_t_size -%patch88 -p1 -b .sizeof +pushd krb5-appl-%{appl_version} +%patch72 -p3 -b .ftp_fdleak +%patch73 -p3 -b .ftp_glob_runique +%patch79 -p2 -b .ftp_mget_case +%patch88 -p3 -b .sizeof %patch89 -p1 -b .largefile -%patch90 -p0 -b 
.openssl-1.0 -%patch93 -p1 -b .create_on_load +popd +# Shouldn't be necessary in 1.8. +##%patch93 -p1 -b .create_on_load %patch95 -p1 -b .opte %patch96 -p1 -b .exp_warn -%patch97 -p1 -b .2010-001 %patch98 -p1 -b .kpasswd-ccache gzip doc/*.ps @@ -284,7 +305,7 @@ sed -i -e '1c\ \\usepackage{hyperref}' doc/implement/implement.tex # Take the execute bit off of documentation. -chmod -x doc/krb5-protocol/*.txt doc/*.html +chmod -x doc/krb5-protocol/*.txt doc/*.html doc/*/*.html # Rename the man pages so that they'll get generated correctly. Uses the # "krb5-trunk-manpaths.txt" source file. @@ -293,6 +314,11 @@ cat %{SOURCE25} | while read manpage ; do mv "$manpage" "$manpage".in done popd +pushd krb5-appl-%{appl_version} +cat %{SOURCE125} | while read manpage ; do + mv "$manpage" "$manpage".in +done +popd # Check that the PDFs we built earlier match this source tree, using the # "krb5-tex-pdf.sh" source file. @@ -315,20 +341,21 @@ egrep -iv '(^$|^dn:|^changetype:|^add:)' $inldif >> 60kerberos.ldif touch -r $inldif 60kerberos.ldif # Rebuild the configure scripts. -cd src -top=`pwd` -for configurein in `find -name configure.in -type f` ; do - pushd `dirname $configurein` - grep -q A._CONFIG_HEADER configure.in && autoheader -I "$top" - autoconf -I "$top" - popd -done +pushd src +autoheader +autoconf +popd + +pushd krb5-appl-%{appl_version} +autoheader +autoconf +popd %build cd src INCLUDES=-I%{_includedir}/et # Work out the CFLAGS and CPPFLAGS which we intend to use. -CFLAGS="`echo $RPM_OPT_FLAGS $DEFINES $INCLUDES -fPIC -fno-strict-aliasing`" +CFLAGS="`echo $RPM_OPT_FLAGS $DEFINES $INCLUDES -fPIC`" CPPFLAGS="`echo $DEFINES $INCLUDES`" %configure \ CC="%{__cc}" \ @@ -340,10 +367,6 @@ CPPFLAGS="`echo $DEFINES $INCLUDES`" SS_LIB="-lss -lncurses" \ %endif --enable-shared \ - --bindir=%{krb5prefix}/bin \ - --mandir=%{krb5prefix}/man \ - --sbindir=%{krb5prefix}/sbin \ - --datadir=%{krb5prefix}/share \ --localstatedir=%{_var}/kerberos \ --disable-rpath \ --with-system-et \ 
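Review bot: The CFLAGS line in the `@@ -340,10 +367,6 @@` hunk drops `-fno-strict-aliasing` from the main krb5 build while the krb5-appl build added later in this spec keeps it, and nothing in the commit message explains the asymmetry. If 1.8 was checked for aliasing violations and the flag is no longer needed, a one-line comment saying so would stop the next maintainer from re-adding it; if it was dropped by accident, restoring `CFLAGS="`echo $RPM_OPT_FLAGS $DEFINES $INCLUDES -fPIC -fno-strict-aliasing`"` is the safer default for code the optimizer could otherwise miscompile. The %configure invocation runs past the end of this hunk.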
@@ -364,11 +387,28 @@ CPPFLAGS="`echo $DEFINES $INCLUDES`" --disable-pkinit \ %endif --with-pam \ - --with-pam-login-service=%{login_pam_service} \ --with-selinux # Now build it. make %{?_smp_mflags} +# The applications, too. Build everything position-independent. We only get +# away with this if our build dependencies drag an older krb5-devel onto the +# system. +pushd ../krb5-appl-%{appl_version} +CFLAGS="`echo $RPM_OPT_FLAGS $DEFINES $INCLUDES -fPIE -fno-strict-aliasing`" +LDFLAGS="-pie" +%configure \ + CFLAGS="$CFLAGS" \ + LDFLAGS="$LDFLAGS" \ + --bindir=%{krb5prefix}/bin \ + --mandir=%{krb5prefix}/man \ + --sbindir=%{krb5prefix}/sbin \ + --datadir=%{krb5prefix}/share \ + --with-pam \ + --with-pam-login-service=%{login_pam_service} +make %{?_smp_mflags} +popd + # Run the test suite. We can't actually do this in the build system. : make check TMPDIR=%{_tmppath} @@ -399,7 +439,7 @@ install -pm 644 %{SOURCE6} $RPM_BUILD_ROOT/etc/krb5.conf # Login-time scriptlets (krb5.sh, krb5.csh) to fix the PATH variable. mkdir -p $RPM_BUILD_ROOT/etc/profile.d -for subpackage in devel workstation ; do +for subpackage in workstation-clients workstation-servers ; do install -pm 644 %{SOURCE7} \ $RPM_BUILD_ROOT/etc/profile.d/krb5-$subpackage.sh install -pm 644 %{SOURCE8} \ 
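Review bot: The new krb5-appl configure relies, per its own comment, on an older krb5-devel being dragged into the buildroot by the BuildRequires, so telnetd/ftpd/rlogind/login are compiled against whatever krb5 headers and libraries happen to be installed rather than the 1.8 tree built in `src` a few lines above; the result then depends on the build host's package set and can mismatch the libraries this same spec ships. Point the appl build at the freshly built tree instead, e.g. `CPPFLAGS="-I$PWD/../src/include"` and `LDFLAGS="-pie -L$PWD/../src/lib"` (or similar) passed to `%configure`, or pin the BuildRequires to an explicit version and say so in the comment. `-fPIE`/`-pie` for the appl daemons is the right call; note though that ksu, the only setuid-root binary visible in the %files sections (`%attr(4755,root,root) %{_bindir}/ksu`), is built in `src` with `-fPIC` and, as far as this diff shows, without `-pie`, so the hardening does not cover the binary that needs it most.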
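Review bot: The changelog entry in this commit says the profile.d scriptlets are now only needed by -workstation-clients, but this loop installs them for both `workstation-clients` and `workstation-servers`, and the %files sections further down ship `%config(noreplace) /etc/profile.d/krb5-workstation-servers.sh` and `.csh`. These scriptlets adjust every login shell's PATH (per the comment above the loop), so a host that installs only the server package has its users' PATH changed as a side effect. Either reduce the loop to `for subpackage in workstation-clients ; do` and drop the two -servers %config lines, or correct the changelog so the packaging intent is recorded.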
@@ -467,12 +507,13 @@ install -pdm 755 $RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/kdb install -pdm 755 $RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/authdata # The rest of the binaries, headers, libraries, and docs. -make -C src DESTDIR=$RPM_BUILD_ROOT install +make -C src DESTDIR=$RPM_BUILD_ROOT EXAMPLEDIR=%{_docdir}/krb5-libs-%{version}/examples install +make -C krb5-appl-%{appl_version} DESTDIR=$RPM_BUILD_ROOT install # Munge krb5-config yet again. This is totally wrong for 64-bit, but chunks # of the buildconf patch already conspire to strip out /usr/ from the # list of link flags, and it helps prevent file conflicts on multilib systems. -sed -r -i -e 's|^libdir=/usr/lib(64)?$|libdir=/usr/lib|g' $RPM_BUILD_ROOT%{krb5prefix}/bin/krb5-config +sed -r -i -e 's|^libdir=/usr/lib(64)?$|libdir=/usr/lib|g' $RPM_BUILD_ROOT%{_bindir}/krb5-config # Move specific libraries from %{_libdir} to /%{_lib}, and fixup the symlinks. touch $RPM_BUILD_ROOT/rootfile @@ -489,13 +530,6 @@ for library in libgssapi_krb5 libgssrpc libk5crypto libkrb5 libkrb5support ; do popd done -# Move man pages which will be in the -libs subpackage into %%{_mandir}'s tree. -for man in man1/tmac.doc man1/kerberos.1 man5/.k5login.5 man5/krb5.conf.5 ; do - mkdir -p $RPM_BUILD_ROOT/%{_mandir}/${man%%/*} - mv $RPM_BUILD_ROOT/%{krb5prefix}/man/${man} \ - $RPM_BUILD_ROOT/%{_mandir}/${man%%/*}/ -done - %clean [ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT 
@@ -574,62 +608,56 @@ fi exit 0 %files workstation -%defattr(-,root,root) -%docdir %{krb5prefix}/man -%config(noreplace) /etc/profile.d/krb5-workstation.sh -%config(noreplace) /etc/profile.d/krb5-workstation.csh +%defattr(-,root,root,-) %doc doc/user*.ps.gz src/config-files/services.append %doc doc/{kdestroy,kinit,klist,kpasswd,ksu}.html +%doc doc/krb5-user.html %attr(0755,root,root) %doc src/config-files/convert-config-files %{_infodir}/krb5-user.info* -%dir %{krb5prefix} -%dir %{krb5prefix}/bin -%dir %{krb5prefix}/man -%dir %{krb5prefix}/man/man1 -%dir %{krb5prefix}/man/man8 -%dir %{krb5prefix}/sbin - # Clients of the KDC, including tools you're likely to need if you're running # app servers other than those built from this source package. -%{krb5prefix}/bin/kdestroy -%{krb5prefix}/man/man1/kdestroy.1* -%{krb5prefix}/bin/kinit -%{krb5prefix}/man/man1/kinit.1* -%{krb5prefix}/bin/klist -%{krb5prefix}/man/man1/klist.1* -%{krb5prefix}/bin/kpasswd -%{krb5prefix}/man/man1/kpasswd.1* +%{_bindir}/kdestroy +%{_mandir}/man1/kdestroy.1* +%{_bindir}/kinit +%{_mandir}/man1/kinit.1* +%{_bindir}/klist +%{_mandir}/man1/klist.1* +%{_bindir}/kpasswd +%{_mandir}/man1/kpasswd.1* -%{krb5prefix}/bin/kvno -%{krb5prefix}/man/man1/kvno.1* -%{krb5prefix}/bin/kadmin -%{krb5prefix}/man/man1/kadmin.1* -%{krb5prefix}/bin/k5srvutil -%{krb5prefix}/man/man1/k5srvutil.1* -%{krb5prefix}/bin/ktutil -%{krb5prefix}/man/man1/ktutil.1* +%{_bindir}/kvno +%{_mandir}/man1/kvno.1* +%{_bindir}/kadmin +%{_mandir}/man1/kadmin.1* +%{_bindir}/k5srvutil +%{_mandir}/man1/k5srvutil.1* +%{_bindir}/ktutil +%{_mandir}/man1/ktutil.1* # Doesn't really fit anywhere else. -%attr(4755,root,root) %{krb5prefix}/bin/ksu -%{krb5prefix}/man/man1/ksu.1* +%attr(4755,root,root) %{_bindir}/ksu +%{_mandir}/man1/ksu.1* %config(noreplace) /etc/pam.d/ksu # Problem-reporting tool. 
-%{krb5prefix}/sbin/krb5-send-pr -%{krb5prefix}/man/man1/krb5-send-pr.1* +%{_sbindir}/krb5-send-pr +%dir %{_datadir}/gnats +%{_datadir}/gnats/mit +%{_mandir}/man1/krb5-send-pr.1* %files workstation-clients -%defattr(-,root,root) +%defattr(-,root,root,-) %docdir %{krb5prefix}/man -%doc doc/{ftp,rcp,rlogin,rsh,telnet}.html %attr(0755,root,root) %doc src/config-files/convert-config-files +%config(noreplace) /etc/profile.d/krb5-workstation-clients.sh +%config(noreplace) /etc/profile.d/krb5-workstation-clients.csh + %dir %{krb5prefix} %dir %{krb5prefix}/bin %dir %{krb5prefix}/man %dir %{krb5prefix}/man/man1 -%dir %{krb5prefix}/sbin # Used by both clients and servers. %{krb5prefix}/bin/rcp @@ -646,11 +674,15 @@ exit 0 %{krb5prefix}/man/man1/rsh.1* %{krb5prefix}/bin/telnet %{krb5prefix}/man/man1/telnet.1* +%{krb5prefix}/man/man1/tmac.doc* %files workstation-servers -%defattr(-,root,root) +%defattr(-,root,root,-) %docdir %{krb5prefix}/man +%config(noreplace) /etc/profile.d/krb5-workstation-servers.sh +%config(noreplace) /etc/profile.d/krb5-workstation-servers.csh + %dir %{krb5prefix} %dir %{krb5prefix}/bin %dir %{krb5prefix}/man @@ -658,10 +690,6 @@ exit 0 %dir %{krb5prefix}/man/man8 %dir %{krb5prefix}/sbin -# Problem-reporting tool. -%{krb5prefix}/sbin/krb5-send-pr -%{krb5prefix}/man/man1/krb5-send-pr.1* - # Used by both clients and servers. %{krb5prefix}/bin/rcp %{krb5prefix}/man/man1/rcp.1* @@ -686,8 +714,8 @@ exit 0 %{krb5prefix}/man/man8/telnetd.8* %files server -%defattr(-,root,root) -%docdir %{krb5prefix}/man +%defattr(-,root,root,-) +%docdir %{_mandir} /etc/rc.d/init.d/krb5kdc /etc/rc.d/init.d/kadmin @@ -700,6 +728,8 @@ exit 0 %doc doc/admin*.ps.gz %doc doc/install*.ps.gz +%doc doc/krb5-admin.html +%doc doc/krb5-install.html %{_infodir}/krb5-admin.info* %{_infodir}/krb5-install.info* 
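Review bot: `%attr(4755,root,root) %{_bindir}/ksu` moves the only setuid-root binary visible in these %files sections from `%{krb5prefix}/bin` onto the default PATH, where every user reaches it without the profile.d scriptlet, and the hunk carries no note of that exposure change. Since `/etc/pam.d/ksu` is `%config(noreplace)`, an upgraded host keeps whatever PAM policy it already had, now applied to a binary that is easier to find. Add a line above it such as `# ksu is setuid root; as of 1.8 it installs into %{_bindir}, i.e. the default PATH` so the change is visible at the next review.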
@@ -709,82 +739,72 @@ exit 0 %config(noreplace) %{_var}/kerberos/krb5kdc/kdc.conf %config(noreplace) %{_var}/kerberos/krb5kdc/kadm5.acl -%dir %{krb5prefix} -%dir %{krb5prefix}/bin %dir %{_libdir}/krb5 %dir %{_libdir}/krb5/plugins %dir %{_libdir}/krb5/plugins/kdb %dir %{_libdir}/krb5/plugins/preauth %dir %{_libdir}/krb5/plugins/authdata -%dir %{krb5prefix}/man -%dir %{krb5prefix}/man/man1 -%dir %{krb5prefix}/man/man5 -%dir %{krb5prefix}/man/man8 -%dir %{krb5prefix}/sbin # Problem-reporting tool. -%{krb5prefix}/sbin/krb5-send-pr -%{krb5prefix}/man/man1/krb5-send-pr.1* +%{_sbindir}/krb5-send-pr +%dir %{_datadir}/gnats +%{_datadir}/gnats/mit +%{_mandir}/man1/krb5-send-pr.1* -# KDC binaries. -%{krb5prefix}/man/man5/kdc.conf.5* -%{krb5prefix}/sbin/kadmin.local -%{krb5prefix}/man/man8/kadmin.local.8* -%{krb5prefix}/sbin/kadmind -%{krb5prefix}/man/man8/kadmind.8* -%{krb5prefix}/sbin/kdb5_util -%{krb5prefix}/man/man8/kdb5_util.8* -%{krb5prefix}/sbin/kprop -%{krb5prefix}/man/man8/kprop.8* -%{krb5prefix}/sbin/kpropd -%{krb5prefix}/man/man8/kpropd.8* -%{krb5prefix}/sbin/kproplog -%{krb5prefix}/man/man8/kproplog.8* -%{krb5prefix}/sbin/krb5kdc -%{krb5prefix}/man/man8/krb5kdc.8* +# KDC binaries and configuration. +%{_mandir}/man5/kdc.conf.5* +%{_sbindir}/kadmin.local +%{_mandir}/man8/kadmin.local.8* +%{_sbindir}/kadmind +%{_mandir}/man8/kadmind.8* +%{_sbindir}/kdb5_util +%{_mandir}/man8/kdb5_util.8* +%{_sbindir}/kprop +%{_mandir}/man8/kprop.8* +%{_sbindir}/kpropd +%{_mandir}/man8/kpropd.8* +%{_sbindir}/kproplog +%{_mandir}/man8/kproplog.8* +%{_sbindir}/krb5kdc +%{_mandir}/man8/krb5kdc.8* # This is here for people who want to test their server, and also # included in devel package for similar reasons. 
-%{krb5prefix}/bin/sclient -%{krb5prefix}/man/man1/sclient.1* -%{krb5prefix}/sbin/sserver -%{krb5prefix}/man/man8/sserver.8* +%{_bindir}/sclient +%{_mandir}/man1/sclient.1* +%{_sbindir}/sserver +%{_mandir}/man8/sserver.8* %if %{WITH_LDAP} %files server-ldap -%defattr(-,root,root) -%docdir %{krb5prefix}/man +%defattr(-,root,root,-) +%docdir %{_mandir} %doc src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif %doc src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema %doc 60kerberos.ldif %dir %{_libdir}/krb5 %dir %{_libdir}/krb5/plugins %dir %{_libdir}/krb5/plugins/kdb -%dir %{krb5prefix} -%dir %{krb5prefix}/man -%dir %{krb5prefix}/man/man8 -%dir %{krb5prefix}/sbin %{_libdir}/krb5/plugins/kdb/kldap.so %{_libdir}/libkdb_ldap.so %{_libdir}/libkdb_ldap.so.* -%{krb5prefix}/man/man8/kdb5_ldap_util.8.gz -%{krb5prefix}/sbin/kdb5_ldap_util +%{_mandir}/man8/kdb5_ldap_util.8.gz +%{_sbindir}/kdb5_ldap_util %endif %files libs -%defattr(-,root,root) -%doc README LICENSE -%docdir %{krb5prefix}/man +%defattr(-,root,root,-) +%doc README NOTICE LICENSE +%docdir %{_mandir} %verify(not md5 size mtime) %config(noreplace) /etc/krb5.conf -/%{_mandir}/man1/tmac.doc* /%{_mandir}/man1/kerberos.1* /%{_mandir}/man5/.k5login.5* /%{_mandir}/man5/krb5.conf.5* /%{_lib}/libgssapi_krb5.so.* /%{_lib}/libgssrpc.so.* /%{_lib}/libk5crypto.so.* -%{_libdir}/libkadm5clnt.so.* -%{_libdir}/libkadm5srv.so.* +%{_libdir}/libkadm5clnt_mit.so.* +%{_libdir}/libkadm5srv_mit.so.* %{_libdir}/libkdb5.so.* /%{_lib}/libkrb5.so.* /%{_lib}/libkrb5support.so.* @@ -797,7 +817,7 @@ exit 0 %if %{WITH_OPENSSL} %files pkinit-openssl -%defattr(-,root,root) +%defattr(-,root,root,-) %dir %{_libdir}/krb5 %dir %{_libdir}/krb5/plugins %dir %{_libdir}/krb5/plugins/preauth 
@@ -805,55 +825,58 @@ exit 0 %endif %files devel -%defattr(-,root,root) - -%config(noreplace) /etc/profile.d/krb5-devel.sh -%config(noreplace) /etc/profile.d/krb5-devel.csh - -%docdir %{krb5prefix}/man +%defattr(-,root,root,-) +%docdir %{_mandir} %doc doc/api/*.pdf +%doc doc/ccapi %doc doc/implement/*.pdf %doc doc/kadm5/*.pdf %doc doc/kadmin +%doc doc/kim %doc doc/krb5-protocol %doc doc/rpc %doc doc/threads.txt -%dir %{krb5prefix} -%dir %{krb5prefix}/bin -%dir %{krb5prefix}/man -%dir %{krb5prefix}/man/man1 -%dir %{krb5prefix}/man/man8 -%dir %{krb5prefix}/sbin - %{_includedir}/* %{_libdir}/libgssapi_krb5.so %{_libdir}/libgssrpc.so %{_libdir}/libk5crypto.so %{_libdir}/libkadm5clnt.so +%{_libdir}/libkadm5clnt_mit.so %{_libdir}/libkadm5srv.so +%{_libdir}/libkadm5srv_mit.so %{_libdir}/libkdb5.so %{_libdir}/libkrb5.so %{_libdir}/libkrb5support.so -%{krb5prefix}/bin/krb5-config -%{krb5prefix}/bin/sclient -%{krb5prefix}/man/man1/krb5-config.1* -%{krb5prefix}/man/man1/sclient.1* -%{krb5prefix}/man/man8/sserver.8* -%{krb5prefix}/sbin/sserver +%{_bindir}/krb5-config +%{_bindir}/sclient +%{_mandir}/man1/krb5-config.1* +%{_mandir}/man1/sclient.1* +%{_mandir}/man8/sserver.8* +%{_sbindir}/sserver # Protocol test clients. -%{krb5prefix}/bin/sim_client -%{krb5prefix}/bin/gss-client -%{krb5prefix}/bin/uuclient +%{_bindir}/sim_client +%{_bindir}/gss-client +%{_bindir}/uuclient # Protocol test servers. 
-%{krb5prefix}/sbin/sim_server -%{krb5prefix}/sbin/gss-server -%{krb5prefix}/sbin/uuserver +%{_sbindir}/sim_server +%{_sbindir}/gss-server +%{_sbindir}/uuserver %changelog +* Fri Mar 5 2010 Nalin Dahyabhai - 1.8-1 +- update to 1.8 + - temporarily bundling the krb5-appl package (split upstream as of 1.8) + until its package review is complete + - profile.d scriptlets are now only needed by -workstation-clients + - adjust paths in init scripts + - drop upstreamed fix for KDC denial of service (CVE-2010-0283) + - drop patch to check the user's password correctly using crypt(), which + isn't a code path we hit when we're using PAM + * Wed Mar 3 2010 Nalin Dahyabhai - 1.7.1-6 - fix a null pointer dereference and crash introduced in our PAM patch that would happen if ftpd was given the name of a user who wasn't known to the diff --git a/krb5kdc.init b/krb5kdc.init index 9a174bc..5f641cc 100755 --- a/krb5kdc.init +++ b/krb5kdc.init @@ -33,7 +33,7 @@ RETVAL=0 prog="Kerberos 5 KDC" -krb5kdc=/usr/kerberos/sbin/krb5kdc +krb5kdc=/usr/sbin/krb5kdc # Shell functions to cut down on useless shell instances. start() { diff --git a/sources b/sources index b1436e8..f69edfc 100644 --- a/sources +++ b/sources @@ -1,3 +1,5 @@ -9d79efba57423008e65efc5ff75405d6 krb5-1.7.1.tar.gz -2197cc65ed90f00f92e5a27bd514b53b krb5-1.7.1.tar.gz.asc -309139729539cf5ef403bb0dc7ae455b krb5-1.7.1-pdf.tar.gz +a3391a739009efa9734db720d34f4c07 krb5-1.8.tar.gz +f923ec08f24df9e5a284be74895a6daa krb5-1.8.tar.gz.asc +4ecf03dad0df7f2ded49f0cfd9786157 krb5-appl-1.0.tar.gz +33056e617e2cbad7c8e8b732aa0fdd91 krb5-appl-1.0.tar.gz.asc +32f8238d4553c44ecdc41205c3cb0333 krb5-1.8-pdf.tar.gz