rpms/krb5
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Updating to 1.13 alpha1

Browse Source
This commit is contained in:
Nalin Dahyabhai 2014-08-22 13:39:24 -04:00
parent c48fd0f0bc
commit 8563ebea46
24 changed files with 53 additions and 2858 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.gitignore vendored
View File

@ -110,3 +110,6 @@ krb5-1.8.3-pdf.tar.gz
/krb5-1.12.2.tar.gz
/krb5-1.12.2.tar.gz.asc
/krb5-1.12.2-pdf.tar.xz
/krb5-1.13-alpha1.tar.gz
/krb5-1.13-alpha1.tar.gz.asc
/krb5-1.13-alpha1-pdf.tar.xz

230
0001-In-ksu-merge-krb5_ccache_copy-and-_restricted.patch
View File

@ -1,230 +0,0 @@
From 74e775ac6d937c9d22be4fc1d429e5e62705fb7d Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai <nalin@redhat.com>
Date: Thu, 24 Jul 2014 15:39:53 -0400
Subject: [PATCH 1/7] In ksu, merge krb5_ccache_copy() and _restricted()
Other than whether or not they limit the creds it stores to the new
ccache based on the principal name of the client for whom the creds were
issued, there's no meaningful difference between what these two
functions do. Merge them.
---
src/clients/ksu/ccache.c | 106 ++++++-----------------------------------------
src/clients/ksu/ksu.h | 6 +--
src/clients/ksu/main.c | 27 ++++--------
3 files changed, 22 insertions(+), 117 deletions(-)
diff --git a/src/clients/ksu/ccache.c b/src/clients/ksu/ccache.c
index 9916c75..118fc53 100644
--- a/src/clients/ksu/ccache.c
+++ b/src/clients/ksu/ccache.c
@@ -47,12 +47,14 @@ void show_credential();
*/
krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag,
- primary_principal, cc_out, stored, target_uid)
+ primary_principal, restrict_creds, cc_out,
+ stored, target_uid)
/* IN */
krb5_context context;
krb5_ccache cc_def;
char *cc_other_tag;
krb5_principal primary_principal;
+ krb5_boolean restrict_creds;
uid_t target_uid;
/* OUT */
krb5_ccache *cc_out;
@@ -83,9 +85,6 @@ krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag,
}
}
- *stored = krb5_find_princ_in_cred_list(context, cc_def_creds_arr,
- primary_principal);
-
if (!lstat( cc_other_name, &st_temp))
return EINVAL;
@@ -98,8 +97,16 @@ krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag,
return retval;
}
- retval = krb5_store_all_creds(context, * cc_other, cc_def_creds_arr,
- cc_other_creds_arr);
+ if (restrict_creds) {
+ retval = krb5_store_some_creds(context, *cc_other, cc_def_creds_arr,
+ cc_other_creds_arr, primary_principal,
+ stored);
+ } else {
+ *stored = krb5_find_princ_in_cred_list(context, cc_def_creds_arr,
+ primary_principal);
+ retval = krb5_store_all_creds(context, *cc_other, cc_def_creds_arr,
+ cc_other_creds_arr);
+ }
if (cc_def_creds_arr){
while (cc_def_creds_arr[i]){
@@ -623,93 +630,6 @@ krb5_error_code krb5_store_some_creds(context, cc, creds_def, creds_other, prst,
*stored = temp_stored;
return 0;
}
-/******************************************************************
-krb5_cache_copy_restricted
-
-gets rid of any expired tickets in the secondary cache,
-copies the default cache into the secondary cache,
-only credentials that are for prst are copied.
-
-the algorithm may look a bit funny,
-but I had to do it this way, since cc_remove function did not come
-with k5 beta 3 release.
-************************************************************************/
-
-krb5_error_code krb5_ccache_copy_restricted (context, cc_def, cc_other_tag,
- prst, cc_out, stored, target_uid)
- krb5_context context;
- krb5_ccache cc_def;
- char *cc_other_tag;
- krb5_principal prst;
- uid_t target_uid;
- /* OUT */
- krb5_ccache *cc_out;
- krb5_boolean *stored;
-{
-
- int i=0;
- krb5_ccache * cc_other;
- const char * cc_def_name;
- const char * cc_other_name;
- krb5_error_code retval=0;
- krb5_creds ** cc_def_creds_arr = NULL;
- krb5_creds ** cc_other_creds_arr = NULL;
- struct stat st_temp;
-
- cc_other = (krb5_ccache *) xcalloc(1, sizeof (krb5_ccache));
-
- if ((retval = krb5_cc_resolve(context, cc_other_tag, cc_other))){
- com_err(prog_name, retval, _("resolving ccache %s"), cc_other_tag);
- return retval;
- }
-
- cc_def_name = krb5_cc_get_name(context, cc_def);
- cc_other_name = krb5_cc_get_name(context, *cc_other);
-
- if ( ! stat(cc_def_name, &st_temp)){
- if((retval = krb5_get_nonexp_tkts(context,cc_def,&cc_def_creds_arr))){
- return retval;
- }
-
- }
-
- if (!lstat( cc_other_name, &st_temp)) {
- return EINVAL;
- }
-
- if (krb5_seteuid(0)||krb5_seteuid(target_uid)) {
- return errno;
- }
-
-
- if ((retval = krb5_cc_initialize(context, *cc_other, prst))){
- return retval;
- }
-
- retval = krb5_store_some_creds(context, * cc_other,
- cc_def_creds_arr, cc_other_creds_arr, prst, stored);
-
-
-
- if (cc_def_creds_arr){
- while (cc_def_creds_arr[i]){
- krb5_free_creds(context, cc_def_creds_arr[i]);
- i++;
- }
- }
-
- i=0;
-
- if(cc_other_creds_arr){
- while (cc_other_creds_arr[i]){
- krb5_free_creds(context, cc_other_creds_arr[i]);
- i++;
- }
- }
-
- *cc_out = *cc_other;
- return retval;
-}
krb5_error_code krb5_ccache_filter (context, cc, prst)
krb5_context context;
diff --git a/src/clients/ksu/ksu.h b/src/clients/ksu/ksu.h
index f2c0811..9e0c613 100644
--- a/src/clients/ksu/ksu.h
+++ b/src/clients/ksu/ksu.h
@@ -107,7 +107,7 @@ extern krb5_error_code get_best_principal
/* ccache.c */
extern krb5_error_code krb5_ccache_copy
(krb5_context, krb5_ccache, char *, krb5_principal,
- krb5_ccache *, krb5_boolean *, uid_t);
+ krb5_boolean, krb5_ccache *, krb5_boolean *, uid_t);
extern krb5_error_code krb5_store_all_creds
(krb5_context, krb5_ccache, krb5_creds **, krb5_creds **);
@@ -141,10 +141,6 @@ extern krb5_error_code krb5_store_some_creds
(krb5_context, krb5_ccache, krb5_creds **, krb5_creds **,
krb5_principal, krb5_boolean *);
-extern krb5_error_code krb5_ccache_copy_restricted
-(krb5_context, krb5_ccache, char *, krb5_principal,
- krb5_ccache *, krb5_boolean *, uid_t);
-
extern krb5_error_code krb5_ccache_refresh
(krb5_context, krb5_ccache);
diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c
index 233eb52..62f3bc0 100644
--- a/src/clients/ksu/main.c
+++ b/src/clients/ksu/main.c
@@ -117,6 +117,7 @@ main (argc, argv)
krb5_principal kdc_server;
krb5_boolean zero_password;
char * dir_of_cc_target;
+ krb5_boolean restrict_creds;
options.opt = KRB5_DEFAULT_OPTIONS;
options.lifetime = KRB5_DEFAULT_TKT_LIFE;
@@ -464,25 +465,13 @@ main (argc, argv)
then only the credentials for that particular user
should be copied */
- if ((source_uid == 0) && (target_uid != 0)) {
-
- if ((retval = krb5_ccache_copy_restricted(ksu_context, cc_source,
- cc_target_tag, client,
- &cc_target, &stored,
- target_uid))){
- com_err(prog_name, retval, _("while copying cache %s to %s"),
- krb5_cc_get_name(ksu_context, cc_source), cc_target_tag);
- exit(1);
- }
-
- } else {
- if ((retval = krb5_ccache_copy(ksu_context, cc_source, cc_target_tag,
- client,&cc_target, &stored, target_uid))) {
- com_err(prog_name, retval, _("while copying cache %s to %s"),
- krb5_cc_get_name(ksu_context, cc_source), cc_target_tag);
- exit(1);
- }
-
+ restrict_creds = (source_uid == 0) && (target_uid != 0);
+ retval = krb5_ccache_copy(ksu_context, cc_source, cc_target_tag, client,
+ restrict_creds, &cc_target, &stored, target_uid);
+ if (retval) {
+ com_err(prog_name, retval, _("while copying cache %s to %s"),
+ krb5_cc_get_name(ksu_context, cc_source), cc_target_tag);
+ exit(1);
}
/* Become root for authentication*/
--
2.0.4

369
0002-In-ksu-don-t-stat-not-on-disk-ccache-residuals.patch
View File

@ -1,369 +0,0 @@
From 9ebae7cb434b9b177c0af85c67a6d6267f46bc68 Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai <nalin@redhat.com>
Date: Fri, 1 Nov 2013 09:48:13 -0400
Subject: [PATCH 2/7] In ksu, don't stat() not-on-disk ccache residuals
Don't assume that ccache residual names are filenames which we can
stat() usefully. Instead, use helper functions to call the library
routines to try to read the default principal name from caches, and
use whether or not that succeeds as an indication of whether or not
there's a ccache in a given location.
ticket: 7728
---
src/clients/ksu/ccache.c | 60 ++++++++++++++++++++--------------
src/clients/ksu/heuristic.c | 13 ++------
src/clients/ksu/ksu.h | 8 +++--
src/clients/ksu/main.c | 79 +++++++++------------------------------------
4 files changed, 60 insertions(+), 100 deletions(-)
diff --git a/src/clients/ksu/ccache.c b/src/clients/ksu/ccache.c
index 118fc53..5f57279 100644
--- a/src/clients/ksu/ccache.c
+++ b/src/clients/ksu/ccache.c
@@ -62,12 +62,9 @@ krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag,
{
int i=0;
krb5_ccache * cc_other;
- const char * cc_def_name;
- const char * cc_other_name;
krb5_error_code retval=0;
krb5_creds ** cc_def_creds_arr = NULL;
krb5_creds ** cc_other_creds_arr = NULL;
- struct stat st_temp;
cc_other = (krb5_ccache *) xcalloc(1, sizeof (krb5_ccache));
@@ -76,16 +73,13 @@ krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag,
return retval;
}
- cc_def_name = krb5_cc_get_name(context, cc_def);
- cc_other_name = krb5_cc_get_name(context, *cc_other);
-
- if ( ! stat(cc_def_name, &st_temp)){
+ if (ks_ccache_is_initialized(context, cc_def)) {
if((retval = krb5_get_nonexp_tkts(context,cc_def,&cc_def_creds_arr))){
return retval;
}
}
- if (!lstat( cc_other_name, &st_temp))
+ if (ks_ccache_name_is_initialized(context, cc_other_tag))
return EINVAL;
if (krb5_seteuid(0)||krb5_seteuid(target_uid)) {
@@ -540,24 +534,18 @@ krb5_error_code krb5_ccache_overwrite(context, ccs, cct, primary_principal)
krb5_ccache cct;
krb5_principal primary_principal;
{
- const char * cct_name;
- const char * ccs_name;
krb5_error_code retval=0;
krb5_principal temp_principal;
krb5_creds ** ccs_creds_arr = NULL;
int i=0;
- struct stat st_temp;
- ccs_name = krb5_cc_get_name(context, ccs);
- cct_name = krb5_cc_get_name(context, cct);
-
- if ( ! stat(ccs_name, &st_temp)){
+ if (ks_ccache_is_initialized(context, ccs)) {
if ((retval = krb5_get_nonexp_tkts(context, ccs, &ccs_creds_arr))){
return retval;
}
}
- if ( ! stat(cct_name, &st_temp)){
+ if (ks_ccache_is_initialized(context, cct)) {
if ((retval = krb5_cc_get_principal(context, cct, &temp_principal))){
return retval;
}
@@ -643,12 +631,10 @@ krb5_error_code krb5_ccache_filter (context, cc, prst)
krb5_creds ** cc_creds_arr = NULL;
const char * cc_name;
krb5_boolean stored;
- struct stat st_temp;
cc_name = krb5_cc_get_name(context, cc);
- if ( ! stat(cc_name, &st_temp)){
-
+ if (ks_ccache_is_initialized(context, cc)) {
if (auth_debug) {
fprintf(stderr,"putting cache %s through a filter for -z option\n", cc_name);
}
@@ -713,12 +699,8 @@ krb5_error_code krb5_find_princ_in_cache (context, cc, princ, found)
{
krb5_error_code retval;
krb5_creds ** creds_list = NULL;
- const char * cc_name;
- struct stat st_temp;
-
- cc_name = krb5_cc_get_name(context, cc);
- if ( ! stat(cc_name, &st_temp)){
+ if (ks_ccache_is_initialized(context, cc)) {
if ((retval = krb5_get_nonexp_tkts(context, cc, &creds_list))){
return retval;
}
@@ -727,3 +709,33 @@ krb5_error_code krb5_find_princ_in_cache (context, cc, princ, found)
*found = krb5_find_princ_in_cred_list(context, creds_list, princ);
return 0;
}
+
+krb5_boolean
+ks_ccache_name_is_initialized(krb5_context context, const char *cctag)
+{
+ krb5_boolean result;
+ krb5_ccache cc;
+
+ if (krb5_cc_resolve(context, cctag, &cc) != 0)
+ return FALSE;
+ result = ks_ccache_is_initialized(context, cc);
+ krb5_cc_close(context, cc);
+
+ return result;
+}
+
+krb5_boolean
+ks_ccache_is_initialized(krb5_context context, krb5_ccache cc)
+{
+ krb5_principal princ;
+ krb5_error_code retval;
+
+ if (cc == NULL)
+ return FALSE;
+
+ retval = krb5_cc_get_principal(context, cc, &princ);
+ if (retval == 0)
+ krb5_free_principal(context, princ);
+
+ return retval == 0;
+}
diff --git a/src/clients/ksu/heuristic.c b/src/clients/ksu/heuristic.c
index 99b54e5..f73b8eb 100644
--- a/src/clients/ksu/heuristic.c
+++ b/src/clients/ksu/heuristic.c
@@ -397,12 +397,8 @@ krb5_error_code find_either_ticket (context, cc, client, end_server, found)
krb5_principal kdc_server;
krb5_error_code retval;
krb5_boolean temp_found = FALSE;
- const char * cc_source_name;
- struct stat st_temp;
- cc_source_name = krb5_cc_get_name(context, cc);
-
- if ( ! stat(cc_source_name, &st_temp)){
+ if (ks_ccache_is_initialized(context, cc)) {
retval = find_ticket(context, cc, client, end_server, &temp_found);
if (retval)
@@ -539,7 +535,6 @@ krb5_error_code get_best_princ_for_target(context, source_uid, target_uid,
{
princ_info princ_trials[10];
- const char * cc_source_name;
krb5_principal cc_def_princ = NULL;
krb5_principal temp_client;
krb5_principal target_client;
@@ -551,7 +546,6 @@ krb5_error_code get_best_princ_for_target(context, source_uid, target_uid,
struct stat tb;
int count =0;
int i;
- struct stat st_temp;
*path_out = 0;
@@ -559,10 +553,7 @@ krb5_error_code get_best_princ_for_target(context, source_uid, target_uid,
if (options->princ)
return 0;
- cc_source_name = krb5_cc_get_name(context, cc_source);
-
-
- if (! stat(cc_source_name, &st_temp)) {
+ if (ks_ccache_is_initialized(context, cc_source)) {
retval = krb5_cc_get_principal(context, cc_source, &cc_def_princ);
if (retval)
return retval;
diff --git a/src/clients/ksu/ksu.h b/src/clients/ksu/ksu.h
index 9e0c613..e1e34f1 100644
--- a/src/clients/ksu/ksu.h
+++ b/src/clients/ksu/ksu.h
@@ -141,6 +141,12 @@ extern krb5_error_code krb5_store_some_creds
(krb5_context, krb5_ccache, krb5_creds **, krb5_creds **,
krb5_principal, krb5_boolean *);
+extern krb5_boolean ks_ccache_name_is_initialized
+(krb5_context, const char *);
+
+extern krb5_boolean ks_ccache_is_initialized
+(krb5_context, krb5_ccache);
+
extern krb5_error_code krb5_ccache_refresh
(krb5_context, krb5_ccache);
@@ -198,8 +204,6 @@ extern int standard_shell (char *);
extern krb5_error_code get_params (int *, int, char **, char ***);
-extern char *get_dir_of_file (const char *);
-
/* heuristic.c */
extern krb5_error_code get_all_princ_from_file (FILE *, char ***);
diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c
index 62f3bc0..8c49f94 100644
--- a/src/clients/ksu/main.c
+++ b/src/clients/ksu/main.c
@@ -51,7 +51,6 @@ static void print_status( const char *fmt, ...)
__attribute__ ((__format__ (__printf__, 1, 2)))
#endif
;
-char * get_dir_of_file();
/* Note -e and -a options are mutually exclusive */
/* insure the proper specification of target user as well as catching
@@ -96,7 +95,6 @@ main (argc, argv)
const char * cc_source_tag = NULL;
uid_t source_gid;
const char * cc_source_tag_tmp = NULL;
- char * cc_target_tag_tmp=NULL;
char * cmd = NULL, * exec_cmd = NULL;
int errflg = 0;
krb5_boolean auth_val;
@@ -112,11 +110,9 @@ main (argc, argv)
extern char * getpass(), *crypt();
int pargc;
char ** pargv;
- struct stat st_temp;
krb5_boolean stored = FALSE;
krb5_principal kdc_server;
krb5_boolean zero_password;
- char * dir_of_cc_target;
krb5_boolean restrict_creds;
options.opt = KRB5_DEFAULT_OPTIONS;
@@ -266,9 +262,10 @@ main (argc, argv)
if ( strchr(cc_source_tag, ':')){
cc_source_tag_tmp = strchr(cc_source_tag, ':') + 1;
- if( stat( cc_source_tag_tmp, &st_temp)){
+ if (!ks_ccache_name_is_initialized(ksu_context,
+ cc_source_tag)) {
com_err(prog_name, errno,
- _("while looking for credentials file %s"),
+ _("while looking for credentials cache %s"),
cc_source_tag_tmp);
exit (1);
}
@@ -419,32 +416,18 @@ main (argc, argv)
exit(1);
}
- if (cc_target_tag == NULL) {
-
- cc_target_tag = (char *)xcalloc(KRB5_SEC_BUFFSIZE ,sizeof(char));
- /* make sure that the new ticket file does not already exist
- This is run as source_uid because it is reasonable to
- require the source user to have write to where the target
- cache will be created.*/
-
- do {
- snprintf(cc_target_tag, KRB5_SEC_BUFFSIZE, "%s%ld.%d",
- KRB5_SECONDARY_CACHE,
- (long) target_uid, gen_sym());
- cc_target_tag_tmp = strchr(cc_target_tag, ':') + 1;
-
- }while ( !stat ( cc_target_tag_tmp, &st_temp));
- }
-
-
- dir_of_cc_target = get_dir_of_file(cc_target_tag_tmp);
-
- if (access(dir_of_cc_target, R_OK | W_OK )){
- fprintf(stderr,
- _("%s does not have correct permissions for %s\n"),
- source_user, cc_target_tag);
- exit(1);
- }
+ /*
+ * Make sure that the new ticket file does not already exist.
+ * This is run as source_uid because it is reasonable to
+ * require the source user to have write to where the target
+ * cache will be created.
+ */
+ cc_target_tag = (char *)xcalloc(KRB5_SEC_BUFFSIZE, sizeof(char));
+ do {
+ snprintf(cc_target_tag, KRB5_SEC_BUFFSIZE, "%s%ld.%d",
+ KRB5_SECONDARY_CACHE,
+ (long)target_uid, gen_sym());
+ } while (ks_ccache_name_is_initialized(ksu_context, cc_target_tag));
if (auth_debug){
fprintf(stderr, " source cache = %s\n", cc_source_tag);
@@ -747,13 +730,6 @@ main (argc, argv)
exit(1);
}
- if (access( cc_target_tag_tmp, R_OK | W_OK )){
- com_err(prog_name, errno,
- _("%s does not have correct permissions for %s, %s aborted"),
- target_user, cc_target_tag_tmp, prog_name);
- exit(1);
- }
-
if ( cc_source)
krb5_cc_close(ksu_context, cc_source);
@@ -873,8 +849,6 @@ static void sweep_up(context, cc)
krb5_ccache cc;
{
krb5_error_code retval;
- const char * cc_name;
- struct stat st_temp;
krb5_seteuid(0);
if (krb5_seteuid(target_uid) < 0) {
@@ -883,8 +857,7 @@ static void sweep_up(context, cc)
exit(1);
}
- cc_name = krb5_cc_get_name(context, cc);
- if ( ! stat(cc_name, &st_temp)){
+ if (ks_ccache_is_initialized(context, cc)) {
if ((retval = krb5_cc_destroy(context, cc)))
com_err(prog_name, retval, _("while destroying cache"));
}
@@ -937,26 +910,6 @@ void print_status(const char *fmt, ...)
}
}
-
-char *get_dir_of_file(path)
- const char *path;
-{
- char * temp_path;
- char * ptr;
-
- temp_path = xstrdup(path);
-
- if ((ptr = strrchr( temp_path, '/'))) {
- *ptr = '\0';
- } else {
- free (temp_path);
- temp_path = xmalloc(MAXPATHLEN);
- if (temp_path)
- getcwd(temp_path, MAXPATHLEN);
- }
- return temp_path;
-}
-
krb5_error_code
ksu_tgtname(context, server, client, tgtprinc)
krb5_context context;
--
2.0.4

417
0003-Use-an-intermediate-memory-cache-in-ksu.patch
View File

@ -1,417 +0,0 @@
From dccc80a469b1925fcfe7697406a69912efe4baa1 Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai <nalin@dahyabhai.net>
Date: Wed, 30 Oct 2013 21:45:35 -0400
Subject: [PATCH 3/7] Use an intermediate memory cache in ksu
Instead of copying source or obtained creds into the target cache and
changing ownership if everything succeeds, copy them into a MEMORY:
cache and then, if everything succeeds, create the target cache as the
target user.
We no longer need to clean up the temporary ccache when exiting in
most error cases.
Use a fake principal name ("_ksu/_ksu@_ksu") as the primary holder of
the temporary cache so that we won't accidentally select it when we
make a subsequent call to krb5_cc_cache_match() (to be added in a
later patch) to find the target location where the creds should be
stored for use while running as the target user.
---
src/clients/ksu/ccache.c | 10 +--
src/clients/ksu/ksu.h | 4 +-
src/clients/ksu/main.c | 156 ++++++++++++++++++++++++-----------------------
3 files changed, 87 insertions(+), 83 deletions(-)
diff --git a/src/clients/ksu/ccache.c b/src/clients/ksu/ccache.c
index 5f57279..d0fc389 100644
--- a/src/clients/ksu/ccache.c
+++ b/src/clients/ksu/ccache.c
@@ -47,14 +47,15 @@ void show_credential();
*/
krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag,
- primary_principal, restrict_creds, cc_out,
- stored, target_uid)
+ primary_principal, restrict_creds,
+ target_principal, cc_out, stored, target_uid)
/* IN */
krb5_context context;
krb5_ccache cc_def;
char *cc_other_tag;
krb5_principal primary_principal;
krb5_boolean restrict_creds;
+ krb5_principal target_principal;
uid_t target_uid;
/* OUT */
krb5_ccache *cc_out;
@@ -86,10 +87,9 @@ krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag,
return errno;
}
-
- if ((retval = krb5_cc_initialize(context, *cc_other, primary_principal))){
+ retval = krb5_cc_initialize(context, *cc_other, target_principal);
+ if (retval)
return retval;
- }
if (restrict_creds) {
retval = krb5_store_some_creds(context, *cc_other, cc_def_creds_arr,
diff --git a/src/clients/ksu/ksu.h b/src/clients/ksu/ksu.h
index e1e34f1..08bf01b 100644
--- a/src/clients/ksu/ksu.h
+++ b/src/clients/ksu/ksu.h
@@ -106,8 +106,8 @@ extern krb5_error_code get_best_principal
/* ccache.c */
extern krb5_error_code krb5_ccache_copy
-(krb5_context, krb5_ccache, char *, krb5_principal,
- krb5_boolean, krb5_ccache *, krb5_boolean *, uid_t);
+(krb5_context, krb5_ccache, char *, krb5_principal, krb5_boolean,
+ krb5_principal, krb5_ccache *, krb5_boolean *, uid_t);
extern krb5_error_code krb5_store_all_creds
(krb5_context, krb5_ccache, krb5_creds **, krb5_creds **);
diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c
index 8c49f94..d1bb8ca 100644
--- a/src/clients/ksu/main.c
+++ b/src/clients/ksu/main.c
@@ -42,10 +42,13 @@ char * gb_err = NULL;
int quiet = 0;
/***********/
+#define KS_TEMPORARY_CACHE "MEMORY:_ksu"
+#define KS_TEMPORARY_PRINC "_ksu/_ksu@_ksu"
#define _DEF_CSH "/bin/csh"
static int set_env_var (char *, char *);
static void sweep_up (krb5_context, krb5_ccache);
static char * ontty (void);
+static krb5_error_code set_ccname_env(krb5_context, krb5_ccache);
static void print_status( const char *fmt, ...)
#if __GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 7)
__attribute__ ((__format__ (__printf__, 1, 2)))
@@ -84,8 +87,8 @@ main (argc, argv)
int option=0;
int statusp=0;
krb5_error_code retval = 0;
- krb5_principal client = NULL;
- krb5_ccache cc_target = NULL;
+ krb5_principal client = NULL, tmp_princ = NULL;
+ krb5_ccache cc_tmp = NULL, cc_target = NULL;
krb5_context ksu_context;
char * cc_target_tag = NULL;
char * target_user = NULL;
@@ -93,7 +96,6 @@ main (argc, argv)
krb5_ccache cc_source = NULL;
const char * cc_source_tag = NULL;
- uid_t source_gid;
const char * cc_source_tag_tmp = NULL;
char * cmd = NULL, * exec_cmd = NULL;
int errflg = 0;
@@ -342,8 +344,6 @@ main (argc, argv)
/* allocate space and copy the usernamane there */
source_user = xstrdup(pwd->pw_name);
source_uid = pwd->pw_uid;
- source_gid = pwd->pw_gid;
-
if (!strcmp(SOURCE_USER_LOGIN, target_user)){
target_user = xstrdup (source_user);
@@ -435,25 +435,32 @@ main (argc, argv)
}
/*
- Only when proper authentication and authorization
- takes place, the target user becomes the owner of the cache.
- */
-
- /* we continue to run as source uid until
- the middle of the copy, when becomewe become the target user
- The cache is owned by the target user.*/
+ * After proper authentication and authorization, populate a cache for the
+ * target user.
+ */
+ /*
+ * We read the set of creds we want to copy from the source ccache as the
+ * source uid, become root for authentication, and then become the target
+ * user to handle authorization and creating the target user's cache.
+ */
/* if root ksu's to a regular user, then
then only the credentials for that particular user
should be copied */
restrict_creds = (source_uid == 0) && (target_uid != 0);
- retval = krb5_ccache_copy(ksu_context, cc_source, cc_target_tag, client,
- restrict_creds, &cc_target, &stored, target_uid);
+ retval = krb5_parse_name(ksu_context, KS_TEMPORARY_PRINC, &tmp_princ);
+ if (retval) {
+ com_err(prog_name, retval, _("while parsing temporary name"));
+ exit(1);
+ }
+ retval = krb5_ccache_copy(ksu_context, cc_source, KS_TEMPORARY_CACHE,
+ client, restrict_creds, tmp_princ, &cc_tmp,
+ &stored, 0);
if (retval) {
com_err(prog_name, retval, _("while copying cache %s to %s"),
- krb5_cc_get_name(ksu_context, cc_source), cc_target_tag);
+ krb5_cc_get_name(ksu_context, cc_source), KS_TEMPORARY_CACHE);
exit(1);
}
@@ -473,7 +480,6 @@ main (argc, argv)
&kdc_server))){
com_err(prog_name, retval,
_("while creating tgt for local realm"));
- sweep_up(ksu_context, cc_target);
exit(1);
}
@@ -481,13 +487,12 @@ main (argc, argv)
"enter it here and are logged\n"));
fprintf(stderr, _(" in remotely using an unsecure "
"(non-encrypted) channel.\n"));
- if (krb5_get_tkt_via_passwd (ksu_context, &cc_target, client,
- kdc_server, &options,
- &zero_password) == FALSE){
+ if (krb5_get_tkt_via_passwd(ksu_context, &cc_tmp, client,
+ kdc_server, &options,
+ &zero_password) == FALSE){
if (zero_password == FALSE){
fprintf(stderr, _("Goodbye\n"));
- sweep_up(ksu_context, cc_target);
exit(1);
}
@@ -506,48 +511,20 @@ main (argc, argv)
if (source_uid && (source_uid != target_uid)) {
char * client_name;
- auth_val = krb5_auth_check(ksu_context, client, localhostname, &options,
- target_user,cc_target, &path_passwd, target_uid);
+ auth_val = krb5_auth_check(ksu_context, client, localhostname,
+ &options, target_user, cc_tmp,
+ &path_passwd, target_uid);
/* if Kerberos authentication failed then exit */
if (auth_val ==FALSE){
fprintf(stderr, _("Authentication failed.\n"));
syslog(LOG_WARNING, "'%s %s' authentication failed for %s%s",
prog_name,target_user,source_user,ontty());
- sweep_up(ksu_context, cc_target);
exit(1);
}
-#if 0
- /* At best, this avoids a single kdc request
- It is hard to implement dealing with file permissions and
- is unnecessary. It is important
- to properly handle races in chown if this code is ever re-enabled.
- */
- /* cache the tickets if possible in the source cache */
- if (!path_passwd){
-
- if ((retval = krb5_ccache_overwrite(ksu_context, cc_target, cc_source,
- client))){
- com_err (prog_name, retval,
- "while copying cache %s to %s",
- krb5_cc_get_name(ksu_context, cc_target),
- krb5_cc_get_name(ksu_context, cc_source));
- sweep_up(ksu_context, cc_target);
- exit(1);
- }
- if (chown(cc_source_tag_tmp, source_uid, source_gid)){
- com_err(prog_name, errno,
- "while changing owner for %s",
- cc_source_tag_tmp);
- exit(1);
- }
- }
-#endif /*0*/
-
if ((retval = krb5_unparse_name(ksu_context, client, &client_name))) {
com_err(prog_name, retval, _("When unparsing name"));
- sweep_up(ksu_context, cc_target);
exit(1);
}
@@ -560,7 +537,6 @@ main (argc, argv)
if (krb5_seteuid(target_uid)) {
com_err(prog_name, errno, _("while switching to target for "
"authorization check"));
- sweep_up(ksu_context, cc_target);
exit(1);
}
@@ -568,14 +544,12 @@ main (argc, argv)
cmd, &authorization_val, &exec_cmd))){
com_err(prog_name,retval, _("while checking authorization"));
krb5_seteuid(0); /*So we have some chance of sweeping up*/
- sweep_up(ksu_context, cc_target);
exit(1);
}
if (krb5_seteuid(0)) {
com_err(prog_name, errno, _("while switching back from target "
"after authorization check"));
- sweep_up(ksu_context, cc_target);
exit(1);
}
if (authorization_val == TRUE){
@@ -617,25 +591,25 @@ main (argc, argv)
}
- sweep_up(ksu_context, cc_target);
exit(1);
}
}
if( some_rest_copy){
- if ((retval = krb5_ccache_filter(ksu_context, cc_target, client))){
+ retval = krb5_ccache_filter(ksu_context, cc_tmp, client);
+ if (retval) {
com_err(prog_name,retval, _("while calling cc_filter"));
- sweep_up(ksu_context, cc_target);
exit(1);
}
}
if (all_rest_copy){
- if ((retval = krb5_cc_initialize(ksu_context, cc_target, client))){
+ retval = krb5_cc_initialize(ksu_context, cc_tmp, tmp_princ);
+ if (retval) {
com_err(prog_name, retval, _("while erasing target cache"));
exit(1);
}
-
+ stored = FALSE;
}
/* get the shell of the user, this will be the shell used by su */
@@ -653,7 +627,6 @@ main (argc, argv)
if (!standard_shell(target_pwd->pw_shell) && source_uid) {
fprintf(stderr, _("ksu: permission denied (shell).\n"));
- sweep_up(ksu_context, cc_target);
exit(1);
}
#endif /* HAVE_GETUSERSHELL */
@@ -663,43 +636,28 @@ main (argc, argv)
if(set_env_var("USER", target_pwd->pw_name)){
fprintf(stderr,
_("ksu: couldn't set environment variable USER\n"));
- sweep_up(ksu_context, cc_target);
exit(1);
}
}
if(set_env_var( "HOME", target_pwd->pw_dir)){
fprintf(stderr, _("ksu: couldn't set environment variable HOME\n"));
- sweep_up(ksu_context, cc_target);
exit(1);
}
if(set_env_var( "SHELL", shell)){
fprintf(stderr, _("ksu: couldn't set environment variable SHELL\n"));
- sweep_up(ksu_context, cc_target);
- exit(1);
- }
-
- /* set the cc env name to target */
-
- if(set_env_var( KRB5_ENV_CCNAME, cc_target_tag)){
- fprintf(stderr, _("ksu: couldn't set environment variable %s\n"),
- KRB5_ENV_CCNAME);
- sweep_up(ksu_context, cc_target);
exit(1);
}
/* set permissions */
if (setgid(target_pwd->pw_gid) < 0) {
perror("ksu: setgid");
- sweep_up(ksu_context, cc_target);
exit(1);
}
-
if (initgroups(target_user, target_pwd->pw_gid)) {
fprintf(stderr, _("ksu: initgroups failed.\n"));
- sweep_up(ksu_context, cc_target);
exit(1);
}
@@ -719,13 +677,36 @@ main (argc, argv)
*/
if (setluid((uid_t) pwd->pw_uid) < 0) {
perror("setluid");
- sweep_up(ksu_context, cc_target);
exit(1);
}
#endif /* HAVE_SETLUID */
if (setuid(target_pwd->pw_uid) < 0) {
perror("ksu: setuid");
+ exit(1);
+ }
+
+ retval = krb5_ccache_copy(ksu_context, cc_tmp, cc_target_tag,
+ client, FALSE, client, &cc_target, &stored,
+ target_pwd->pw_uid);
+ if (retval) {
+ com_err(prog_name, retval, _("while copying cache %s to %s"),
+ KS_TEMPORARY_CACHE, cc_target_tag);
+ exit(1);
+ }
+
+ if (stored && !ks_ccache_is_initialized(ksu_context, cc_target)) {
+ com_err(prog_name, errno,
+ _("%s does not have correct permissions for %s, %s aborted"),
+ target_user, cc_target_tag, prog_name);
+ exit(1);
+ }
+
+ free(cc_target_tag);
+
+ /* Set the cc env name to target. */
+ retval = set_ccname_env(ksu_context, cc_target);
+ if (retval != 0) {
sweep_up(ksu_context, cc_target);
exit(1);
}
@@ -799,6 +780,29 @@ main (argc, argv)
}
}
+/* Set KRB5CCNAME in the environment to point to ccache. Print an error
+ * message on failure. */
+static krb5_error_code
+set_ccname_env(krb5_context ksu_context, krb5_ccache ccache)
+{
+ krb5_error_code retval;
+ char *ccname;
+
+ retval = krb5_cc_get_full_name(ksu_context, ccache, &ccname);
+ if (retval) {
+ com_err(prog_name, retval, _("while reading cache name from ccache"));
+ return retval;
+ }
+ if (set_env_var(KRB5_ENV_CCNAME, ccname)) {
+ retval = errno;
+ fprintf(stderr,
+ _("ksu: couldn't set environment variable %s\n"),
+ KRB5_ENV_CCNAME);
+ }
+ krb5_free_string(ksu_context, ccname);
+ return retval;
+}
+
#ifdef HAVE_GETUSERSHELL
int standard_shell(sh)
--
2.0.4

378
0004-Make-ksu-respect-the-default_ccache_name-setting.patch
View File

@ -1,378 +0,0 @@
From 3a456898af626dcab4e1ab0749ca2ccb9ad6162b Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai <nalin@dahyabhai.net>
Date: Wed, 30 Oct 2013 21:47:14 -0400
Subject: [PATCH 4/7] Make ksu respect the default_ccache_name setting
Move the logic for resolving and initializing a cache that we're
copying creds into out of krb5_ccache_copy(), and let the caller deal
with it. Add a helper functions to select/resolve an output ccache in
the default location for the target user after we've switched to the
target user's privileges. If the destination is a collection, take
care not to change which subsidiary is its primary, and reuse a
subsidiary cache if we can. If the destination is not a collection,
append a unique value to its name to make a new ccache.
[ghudson@mit.edu: some changes to variable names and comments; move
responsibility for getting target ccache name from
resolve_target_ccache to main]
ticket: 7984 (new)
---
src/clients/ksu/ccache.c | 35 +++------
src/clients/ksu/ksu.h | 6 +-
src/clients/ksu/main.c | 181 ++++++++++++++++++++++++++++++++++++++---------
3 files changed, 157 insertions(+), 65 deletions(-)
diff --git a/src/clients/ksu/ccache.c b/src/clients/ksu/ccache.c
index d0fc389..4693bd4 100644
--- a/src/clients/ksu/ccache.c
+++ b/src/clients/ksu/ccache.c
@@ -46,59 +46,41 @@ void show_credential();
with k5 beta 3 release.
*/
-krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag,
- primary_principal, restrict_creds,
- target_principal, cc_out, stored, target_uid)
+krb5_error_code krb5_ccache_copy(context, cc_def, target_principal, cc_target,
+ restrict_creds, primary_principal, stored)
/* IN */
krb5_context context;
krb5_ccache cc_def;
- char *cc_other_tag;
- krb5_principal primary_principal;
- krb5_boolean restrict_creds;
krb5_principal target_principal;
- uid_t target_uid;
+ krb5_ccache cc_target;
+ krb5_boolean restrict_creds;
+ krb5_principal primary_principal;
/* OUT */
- krb5_ccache *cc_out;
krb5_boolean *stored;
{
int i=0;
- krb5_ccache * cc_other;
krb5_error_code retval=0;
krb5_creds ** cc_def_creds_arr = NULL;
krb5_creds ** cc_other_creds_arr = NULL;
- cc_other = (krb5_ccache *) xcalloc(1, sizeof (krb5_ccache));
-
- if ((retval = krb5_cc_resolve(context, cc_other_tag, cc_other))){
- com_err(prog_name, retval, _("resolving ccache %s"), cc_other_tag);
- return retval;
- }
-
if (ks_ccache_is_initialized(context, cc_def)) {
if((retval = krb5_get_nonexp_tkts(context,cc_def,&cc_def_creds_arr))){
return retval;
}
}
- if (ks_ccache_name_is_initialized(context, cc_other_tag))
- return EINVAL;
-
- if (krb5_seteuid(0)||krb5_seteuid(target_uid)) {
- return errno;
- }
-
- retval = krb5_cc_initialize(context, *cc_other, target_principal);
+ retval = krb5_cc_initialize(context, cc_target, target_principal);
if (retval)
return retval;
if (restrict_creds) {
- retval = krb5_store_some_creds(context, *cc_other, cc_def_creds_arr,
+ retval = krb5_store_some_creds(context, cc_target, cc_def_creds_arr,
cc_other_creds_arr, primary_principal,
stored);
} else {
*stored = krb5_find_princ_in_cred_list(context, cc_def_creds_arr,
primary_principal);
- retval = krb5_store_all_creds(context, *cc_other, cc_def_creds_arr,
+ retval = krb5_store_all_creds(context, cc_target, cc_def_creds_arr,
cc_other_creds_arr);
}
@@ -118,7 +100,6 @@ krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag,
}
}
- *cc_out = *cc_other;
return retval;
}
diff --git a/src/clients/ksu/ksu.h b/src/clients/ksu/ksu.h
index 08bf01b..fbbf217 100644
--- a/src/clients/ksu/ksu.h
+++ b/src/clients/ksu/ksu.h
@@ -44,8 +44,6 @@
#define KRB5_DEFAULT_OPTIONS 0
#define KRB5_DEFAULT_TKT_LIFE 60*60*12 /* 12 hours */
-#define KRB5_SECONDARY_CACHE "FILE:/tmp/krb5cc_"
-
#define KRB5_LOGIN_NAME ".k5login"
#define KRB5_USERS_NAME ".k5users"
#define USE_DEFAULT_REALM_NAME "."
@@ -106,8 +104,8 @@ extern krb5_error_code get_best_principal
/* ccache.c */
extern krb5_error_code krb5_ccache_copy
-(krb5_context, krb5_ccache, char *, krb5_principal, krb5_boolean,
- krb5_principal, krb5_ccache *, krb5_boolean *, uid_t);
+(krb5_context, krb5_ccache, krb5_principal, krb5_ccache,
+ krb5_boolean, krb5_principal, krb5_boolean *);
extern krb5_error_code krb5_store_all_creds
(krb5_context, krb5_ccache, krb5_creds **, krb5_creds **);
diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c
index d1bb8ca..41a3bf8 100644
--- a/src/clients/ksu/main.c
+++ b/src/clients/ksu/main.c
@@ -54,6 +54,10 @@ static void print_status( const char *fmt, ...)
__attribute__ ((__format__ (__printf__, 1, 2)))
#endif
;
+static krb5_error_code resolve_target_cache(krb5_context ksu_context,
+ krb5_principal princ,
+ krb5_ccache *ccache_out,
+ krb5_boolean *ccache_reused);
/* Note -e and -a options are mutually exclusive */
/* insure the proper specification of target user as well as catching
@@ -112,7 +116,7 @@ main (argc, argv)
extern char * getpass(), *crypt();
int pargc;
char ** pargv;
- krb5_boolean stored = FALSE;
+ krb5_boolean stored = FALSE, cc_reused = FALSE;
krb5_principal kdc_server;
krb5_boolean zero_password;
krb5_boolean restrict_creds;
@@ -416,23 +420,8 @@ main (argc, argv)
exit(1);
}
- /*
- * Make sure that the new ticket file does not already exist.
- * This is run as source_uid because it is reasonable to
- * require the source user to have write to where the target
- * cache will be created.
- */
- cc_target_tag = (char *)xcalloc(KRB5_SEC_BUFFSIZE, sizeof(char));
- do {
- snprintf(cc_target_tag, KRB5_SEC_BUFFSIZE, "%s%ld.%d",
- KRB5_SECONDARY_CACHE,
- (long)target_uid, gen_sym());
- } while (ks_ccache_name_is_initialized(ksu_context, cc_target_tag));
-
- if (auth_debug){
+ if (auth_debug)
fprintf(stderr, " source cache = %s\n", cc_source_tag);
- fprintf(stderr, " target cache = %s\n", cc_target_tag);
- }
/*
* After proper authentication and authorization, populate a cache for the
@@ -455,14 +444,19 @@ main (argc, argv)
com_err(prog_name, retval, _("while parsing temporary name"));
exit(1);
}
- retval = krb5_ccache_copy(ksu_context, cc_source, KS_TEMPORARY_CACHE,
- client, restrict_creds, tmp_princ, &cc_tmp,
- &stored, 0);
+ retval = krb5_cc_resolve(ksu_context, KS_TEMPORARY_CACHE, &cc_tmp);
+ if (retval) {
+ com_err(prog_name, retval, _("while creating temporary cache"));
+ exit(1);
+ }
+ retval = krb5_ccache_copy(ksu_context, cc_source, tmp_princ, cc_tmp,
+ restrict_creds, client, &stored);
if (retval) {
com_err(prog_name, retval, _("while copying cache %s to %s"),
krb5_cc_get_name(ksu_context, cc_source), KS_TEMPORARY_CACHE);
exit(1);
}
+ krb5_cc_close(ksu_context, cc_source);
/* Become root for authentication*/
@@ -686,23 +680,38 @@ main (argc, argv)
exit(1);
}
- retval = krb5_ccache_copy(ksu_context, cc_tmp, cc_target_tag,
- client, FALSE, client, &cc_target, &stored,
- target_pwd->pw_uid);
+ retval = resolve_target_cache(ksu_context, client, &cc_target, &cc_reused);
+ if (retval)
+ exit(1);
+ retval = krb5_cc_get_full_name(ksu_context, cc_target, &cc_target_tag);
if (retval) {
- com_err(prog_name, retval, _("while copying cache %s to %s"),
- KS_TEMPORARY_CACHE, cc_target_tag);
+ com_err(prog_name, retval, _("while getting name of target ccache"));
+ sweep_up(ksu_context, cc_target);
exit(1);
}
+ if (auth_debug)
+ fprintf(stderr, " target cache = %s\n", cc_target_tag);
+ if (cc_reused)
+ keep_target_cache = TRUE;
- if (stored && !ks_ccache_is_initialized(ksu_context, cc_target)) {
- com_err(prog_name, errno,
- _("%s does not have correct permissions for %s, %s aborted"),
- target_user, cc_target_tag, prog_name);
- exit(1);
+ if (stored) {
+ retval = krb5_ccache_copy(ksu_context, cc_tmp, client, cc_target,
+ FALSE, client, &stored);
+ if (retval) {
+ com_err(prog_name, retval, _("while copying cache %s to %s"),
+ KS_TEMPORARY_CACHE, cc_target_tag);
+ exit(1);
+ }
+
+ if (!ks_ccache_is_initialized(ksu_context, cc_target)) {
+ com_err(prog_name, errno,
+ _("%s does not have correct permissions for %s, "
+ "%s aborted"), target_user, cc_target_tag, prog_name);
+ exit(1);
+ }
}
- free(cc_target_tag);
+ krb5_free_string(ksu_context, cc_target_tag);
/* Set the cc env name to target. */
retval = set_ccname_env(ksu_context, cc_target);
@@ -711,9 +720,6 @@ main (argc, argv)
exit(1);
}
- if ( cc_source)
- krb5_cc_close(ksu_context, cc_source);
-
if (cmd){
if ((source_uid == 0) || (source_uid == target_uid )){
exec_cmd = cmd;
@@ -803,6 +809,113 @@ set_ccname_env(krb5_context ksu_context, krb5_ccache ccache)
return retval;
}
+/*
+ * Get the configured default ccache name. Unset KRB5CCNAME and force a
+ * recomputation so we don't use values for the source user. Print an error
+ * message on failure.
+ */
+static krb5_error_code
+get_configured_defccname(krb5_context context, char **target_out)
+{
+ krb5_error_code retval;
+ const char *defname;
+ char *target;
+
+ *target_out = NULL;
+
+ if (unsetenv(KRB5_ENV_CCNAME) != 0) {
+ retval = errno;
+ com_err(prog_name, retval, _("while clearing the value of %s"),
+ KRB5_ENV_CCNAME);
+ return retval;
+ }
+
+ /* Make sure we don't have a cached value for a different uid. */
+ retval = krb5_cc_set_default_name(context, NULL);
+ if (retval != 0) {
+ com_err(prog_name, retval, _("while resetting target ccache name"));
+ return retval;
+ }
+
+ defname = krb5_cc_default_name(context);
+ target = (defname == NULL) ? NULL : strdup(defname);
+ if (target == NULL) {
+ com_err(prog_name, ENOMEM, _("while determining target ccache name"));
+ return ENOMEM;
+ }
+ *target_out = target;
+ return 0;
+}
+
+/* Determine where the target user's creds should be stored. Print an error
+ * message on failure. */
+static krb5_error_code
+resolve_target_cache(krb5_context context, krb5_principal princ,
+ krb5_ccache *ccache_out, krb5_boolean *ccache_reused)
+{
+ krb5_error_code retval;
+ krb5_boolean switchable, reused = FALSE;
+ krb5_ccache ccache = NULL;
+ char *sep, *ccname = NULL, *target;
+
+ *ccache_out = NULL;
+ *ccache_reused = FALSE;
+
+ retval = get_configured_defccname(context, &target);
+ if (retval != 0)
+ return retval;
+
+ /* Check if the configured default name uses a switchable type. */
+ sep = strchr(target, ':');
+ *sep = '\0';
+ switchable = krb5_cc_support_switch(context, target);
+ *sep = ':';
+
+ if (!switchable) {
+ /* Try to avoid destroying an in-use target ccache by coming up with
+ * the name of a cache that doesn't exist yet. */
+ do {
+ free(ccname);
+ if (asprintf(&ccname, "%s.%d", target, gen_sym()) < 0) {
+ retval = ENOMEM;
+ com_err(prog_name, ENOMEM,
+ _("while allocating memory for target ccache name"));
+ goto cleanup;
+ }
+ } while (ks_ccache_name_is_initialized(context, ccname));
+ retval = krb5_cc_resolve(context, ccname, &ccache);
+ } else {
+ /* Look for a cache in the collection that we can reuse. */
+ retval = krb5_cc_cache_match(context, princ, &ccache);
+ if (retval == 0) {
+ reused = TRUE;
+ } else {
+ /* There isn't one, so create a new one. */
+ *sep = '\0';
+ retval = krb5_cc_new_unique(context, target, NULL, &ccache);
+ *sep = ':';
+ if (retval) {
+ com_err(prog_name, retval,
+ _("while creating new target ccache"));
+ goto cleanup;
+ }
+ retval = krb5_cc_initialize(context, ccache, princ);
+ if (retval) {
+ com_err(prog_name, retval,
+ _("while initializing target cache"));
+ goto cleanup;
+ }
+ }
+ }
+
+ *ccache_out = ccache;
+ *ccache_reused = reused;
+
+cleanup:
+ free(target);
+ return retval;
+}
+
#ifdef HAVE_GETUSERSHELL
int standard_shell(sh)
--
2.0.4

30
0005-Copy-config-entries-to-the-ksu-target-ccache.patch
View File

@ -1,30 +0,0 @@
From 297496f0938955ba4aaf0ebecf4e393e527b8cbf Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai <nalin@dahyabhai.net>
Date: Tue, 29 Oct 2013 16:27:20 -0400
Subject: [PATCH 5/7] Copy config entries to the ksu target ccache
When we try to screen out expired creds while reading them from one
ccache to eventually store in another, also keep configuration entries.
ticket: 7986 (new)
---
src/clients/ksu/ccache.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/clients/ksu/ccache.c b/src/clients/ksu/ccache.c
index 4693bd4..0f9e042 100644
--- a/src/clients/ksu/ccache.c
+++ b/src/clients/ksu/ccache.c
@@ -219,7 +219,8 @@ krb5_error_code krb5_get_nonexp_tkts(context, cc, creds_array)
while (!(retval = krb5_cc_next_cred(context, cc, &cur, &creds))){
- if ((retval = krb5_check_exp(context, creds.times))){
+ if (!krb5_is_config_principal(context, creds.server) &&
+ (retval = krb5_check_exp(context, creds.times))){
if (retval != KRB5KRB_AP_ERR_TKT_EXPIRED){
return retval;
}
--
2.0.4

115
0006-Use-more-randomness-for-ksu-secondary-cache-names.patch
View File

@ -1,115 +0,0 @@
From 69c8e20b18577781e17c5959e23514134dfb5755 Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai <nalin@redhat.com>
Date: Thu, 24 Jul 2014 16:43:21 -0400
Subject: [PATCH 6/7] Use more randomness for ksu secondary cache names
When generating a suffix to append to a ccache name that will hold the
credentials for a ksu-invoked process, instead of using integers
counting up from 1, use the result of base64-encoding six randomly-
generated octets. Tweak the output alphabet just a bit to avoid using
'+' or '/' in the generated names, the latter of which could really
confuse things.
---
src/clients/ksu/ccache.c | 27 +++++++++++++++++++++++----
src/clients/ksu/ksu.h | 2 +-
src/clients/ksu/main.c | 16 ++++++++++++----
3 files changed, 36 insertions(+), 9 deletions(-)
diff --git a/src/clients/ksu/ccache.c b/src/clients/ksu/ccache.c
index 0f9e042..a0736f2 100644
--- a/src/clients/ksu/ccache.c
+++ b/src/clients/ksu/ccache.c
@@ -27,6 +27,7 @@
*/
#include "ksu.h"
+#include "k5-base64.h"
#include "adm_proto.h"
#include <sys/types.h>
#include <sys/stat.h>
@@ -504,10 +505,28 @@ show_credential(context, cred, cc)
free(sname);
}
-int gen_sym(){
- static int i = 0;
- i ++;
- return i;
+/* Create a random string suitable for a filename extension. */
+krb5_error_code
+gen_sym(krb5_context context, char **sym_out)
+{
+ krb5_error_code retval;
+ char bytes[6], *p, *sym;
+ krb5_data data = make_data(bytes, sizeof(bytes));
+
+ *sym_out = NULL;
+ retval = krb5_c_random_make_octets(context, &data);
+ if (retval)
+ return retval;
+ sym = k5_base64_encode(data.data, data.length);
+ if (sym == NULL)
+ return ENOMEM;
+ /* Tweak the output alphabet just a bit. */
+ while ((p = strchr(sym, '/')) != NULL)
+ *p = '_';
+ while ((p = strchr(sym, '+')) != NULL)
+ *p = '-';
+ *sym_out = sym;
+ return 0;
}
krb5_error_code krb5_ccache_overwrite(context, ccs, cct, primary_principal)
diff --git a/src/clients/ksu/ksu.h b/src/clients/ksu/ksu.h
index fbbf217..5ba5ceb 100644
--- a/src/clients/ksu/ksu.h
+++ b/src/clients/ksu/ksu.h
@@ -130,7 +130,7 @@ extern krb5_error_code krb5_get_login_princ
extern void show_credential
(krb5_context, krb5_creds *, krb5_ccache);
-extern int gen_sym (void);
+krb5_error_code gen_sym(krb5_context context, char **sym);
extern krb5_error_code krb5_ccache_overwrite
(krb5_context, krb5_ccache, krb5_ccache, krb5_principal);
diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c
index 41a3bf8..47fa820 100644
--- a/src/clients/ksu/main.c
+++ b/src/clients/ksu/main.c
@@ -856,7 +856,7 @@ resolve_target_cache(krb5_context context, krb5_principal princ,
krb5_error_code retval;
krb5_boolean switchable, reused = FALSE;
krb5_ccache ccache = NULL;
- char *sep, *ccname = NULL, *target;
+ char *sep, *ccname = NULL, *sym = NULL, *target;
*ccache_out = NULL;
*ccache_reused = FALSE;
@@ -876,12 +876,20 @@ resolve_target_cache(krb5_context context, krb5_principal princ,
* the name of a cache that doesn't exist yet. */
do {
free(ccname);
- if (asprintf(&ccname, "%s.%d", target, gen_sym()) < 0) {
+ retval = gen_sym(context, &sym);
+ if (retval) {
+ com_err(prog_name, retval,
+ _("while generating part of the target ccache name"));
+ return retval;
+ }
+ if (asprintf(&ccname, "%s.%s", target, sym) < 0) {
retval = ENOMEM;
- com_err(prog_name, ENOMEM,
- _("while allocating memory for target ccache name"));
+ free(sym);
+ com_err(prog_name, retval, _("while allocating memory for the "
+ "target ccache name"));
goto cleanup;
}
+ free(sym);
} while (ks_ccache_name_is_initialized(context, ccname));
retval = krb5_cc_resolve(context, ccname, &ccache);
} else {
--
2.0.4

37
0007-Make-krb5_cc_new_unique-create-DIR-directories.patch
View File

@ -1,37 +0,0 @@
Context tweaked to apply to 1.12.1.
From bca1191210eb582fe09e94486e2631d72b8a5ca5 Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai <nalin@redhat.com>
Date: Fri, 8 Aug 2014 16:58:03 -0400
Subject: [PATCH 7/7] Make krb5_cc_new_unique create DIR: directories
When we use krb5_cc_new_unique to create a new cache in a directory
cache collection, we will fail if the directory doesn't exist yet.
Go ahead and preemptively create it, as we do during krb5_cc_resolve,
before attempting to create a new file under it.
ticket: 7988 (new)
target_version: 1.13
tags: pullup
---
src/lib/krb5/ccache/cc_dir.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/lib/krb5/ccache/cc_dir.c b/src/lib/krb5/ccache/cc_dir.c
index d82f335..b00a6bb 100644
--- a/src/lib/krb5/ccache/cc_dir.c
+++ b/src/lib/krb5/ccache/cc_dir.c
@@ -401,6 +401,9 @@ dcc_gen_new(krb5_context context, krb5_ccache *cache_out)
"collection"));
return KRB5_DCC_CANNOT_CREATE;
}
+ ret = verify_dir(context, dirname);
+ if (ret)
+ goto cleanup;
ret = k5_path_join(dirname, "tktXXXXXX", &template);
if (ret)
goto cleanup;
--
2.0.4

32
krb5-1.10-kpasswd_tcp.patch
View File

@ -1,32 +0,0 @@
Fall back to TCP on kdc-unresolvable/unreachable errors. We still have
to wait for UDP to fail, so this might not be ideal. RT #5868.
--- krb5/src/lib/krb5/os/changepw.c
+++ krb5/src/lib/krb5/os/changepw.c
@@ -270,10 +270,22 @@ change_set_password(krb5_context context
&callback_info, &chpw_rep, ss2sa(&remote_addr),
&addrlen, NULL, NULL, NULL);
if (code) {
- /*
- * Here we may want to switch to TCP on some errors.
- * right?
- */
+ /* if we're not using a stream socket, and it's an error which
+ * might reasonably be specific to a datagram "connection", try
+ * again with a stream socket */
+ if (!use_tcp) {
+ switch (code) {
+ case KRB5_KDC_UNREACH:
+ case KRB5_REALM_CANT_RESOLVE:
+ case KRB5KRB_ERR_RESPONSE_TOO_BIG:
+ /* should we do this for more result codes than these? */
+ k5_free_serverlist (&sl);
+ use_tcp = 1;
+ continue;
+ default:
+ break;
+ }
+ }
break;
}

28
krb5-1.10-kprop-mktemp.patch
View File

@ -1,28 +0,0 @@
Use an in-memory ccache to silence a compiler warning, for RT#6414.
--- krb5/src/slave/kprop.c
+++ krb5/src/slave/kprop.c
@@ -202,9 +202,8 @@ void PRS(argc, argv)
void get_tickets(context)
krb5_context context;
{
- char buf[BUFSIZ], *def_realm;
+ char buf[] = "MEMORY:_kproptkt", *def_realm;
krb5_error_code retval;
- static char tkstring[] = "/tmp/kproptktXXXXXX";
krb5_keytab keytab = NULL;
/*
@@ -229,11 +228,8 @@ void get_tickets(context)
#endif
/*
- * Initialize cache file which we're going to be using
+ * Initialize an in-memory cache for temporary use
*/
- (void) mktemp(tkstring);
- snprintf(buf, sizeof(buf), "FILE:%s", tkstring);
-
retval = krb5_cc_resolve(context, buf, &ccache);
if (retval) {
com_err(progname, retval, _("while opening credential cache %s"), buf);

176
krb5-1.12-pwdch-fast.patch
View File

@ -1,176 +0,0 @@
From 230858394d2dded001ef3d2029daa6c468aca097 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Fri, 28 Feb 2014 14:49:35 -0500
Subject: [PATCH] Use preauth options when changing password
If we try to change the password in rb5_get_init_creds_password, we
must use all application-specified gic options which affect
preauthentication when getting the kadmin/changepw ticket. Create a
helper function make_chpw_options which copies the application's
options, unsets the options we don't want, and sets options
appropriate for a temporary ticket.
ticket: 7868
npmccallum:
* include tests from 06817686bfdef99523f300464bcbb0c8b037a27d
---
src/lib/krb5/krb/gic_pwd.c | 63 +++++++++++++++++++++++++++++++++++++---------
src/tests/Makefile.in | 1 +
src/tests/t_changepw.py | 37 +++++++++++++++++++++++++++
3 files changed, 89 insertions(+), 12 deletions(-)
create mode 100644 src/tests/t_changepw.py
diff --git a/src/lib/krb5/krb/gic_pwd.c b/src/lib/krb5/krb/gic_pwd.c
index a97823f6b51b7393755e82f36612c30b64096754..6aec7c3a71f99d2194b09374b296327174e6d4b8 100644
--- a/src/lib/krb5/krb/gic_pwd.c
+++ b/src/lib/krb5/krb/gic_pwd.c
@@ -242,6 +242,54 @@ warn_pw_expiry(krb5_context context, krb5_get_init_creds_opt *options,
(*prompter)(context, data, 0, banner, 0, 0);
}
+/*
+ * Create a temporary options structure for getting a kadmin/changepw ticket,
+ * based on the appplication-specified options. Propagate all application
+ * options which affect preauthentication, but not options which affect the
+ * resulting ticket or how it is stored. Set lifetime and flags appropriate
+ * for a ticket which we will use immediately and then discard.
+ *
+ * storage1 and storage2 will be used to hold the temporary options. The
+ * caller must not free the result, as it will contain aliases into the
+ * application options.
+ */
+static krb5_get_init_creds_opt *
+make_chpw_options(krb5_get_init_creds_opt *in, krb5_gic_opt_ext *storage1,
+ gic_opt_private *storage2)
+{
+ krb5_gic_opt_ext *in_ext;
+ krb5_get_init_creds_opt *opt;
+
+ /* Copy the application's options to storage. */
+ if (in == NULL) {
+ storage1->flags = 0;
+ } else if (gic_opt_is_extended(in)) {
+ in_ext = (krb5_gic_opt_ext *)in;
+ *storage1 = *in_ext;
+ *storage2 = *in_ext->opt_private;
+ storage1->opt_private = storage2;
+ } else {
+ *(krb5_get_init_creds_opt *)storage1 = *in;
+ }
+
+ /* Get a non-forwardable, non-proxiable, short-lifetime ticket. */
+ opt = (krb5_get_init_creds_opt *)storage1;
+ krb5_get_init_creds_opt_set_tkt_life(opt, 5 * 60);
+ krb5_get_init_creds_opt_set_renew_life(opt, 0);
+ krb5_get_init_creds_opt_set_forwardable(opt, 0);
+ krb5_get_init_creds_opt_set_proxiable(opt, 0);
+
+ /* Unset options which should only apply to the actual ticket. */
+ opt->flags &= ~KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST;
+ opt->flags &= ~KRB5_GET_INIT_CREDS_OPT_ANONYMOUS;
+
+ /* The output ccache should only be used for the actual ticket. */
+ if (gic_opt_is_extended(opt))
+ storage2->out_ccache = NULL;
+
+ return opt;
+}
+
krb5_error_code KRB5_CALLCONV
krb5_get_init_creds_password(krb5_context context,
krb5_creds *creds,
@@ -259,6 +307,8 @@ krb5_get_init_creds_password(krb5_context context,
int tries;
krb5_creds chpw_creds;
krb5_get_init_creds_opt *chpw_opts = NULL;
+ krb5_gic_opt_ext storage1;
+ gic_opt_private storage2;
struct gak_password gakpw;
krb5_data pw0, pw1;
char banner[1024], pw0array[1024], pw1array[1024];
@@ -345,16 +395,7 @@ krb5_get_init_creds_password(krb5_context context,
/* ok, we have an expired password. Give the user a few chances
to change it */
- /* use a minimal set of options */
-
- ret = krb5_get_init_creds_opt_alloc(context, &chpw_opts);
- if (ret)
- goto cleanup;
- krb5_get_init_creds_opt_set_tkt_life(chpw_opts, 5*60);
- krb5_get_init_creds_opt_set_renew_life(chpw_opts, 0);
- krb5_get_init_creds_opt_set_forwardable(chpw_opts, 0);
- krb5_get_init_creds_opt_set_proxiable(chpw_opts, 0);
-
+ chpw_opts = make_chpw_options(options, &storage1, &storage2);
ret = k5_get_init_creds(context, &chpw_creds, client, prompter, data,
start_time, "kadmin/changepw", chpw_opts,
krb5_get_as_key_password, &gakpw, &use_master,
@@ -471,8 +512,6 @@ cleanup:
warn_pw_expiry(context, options, prompter, data, in_tkt_service,
as_reply);
- if (chpw_opts)
- krb5_get_init_creds_opt_free(context, chpw_opts);
zapfree(gakpw.storage.data, gakpw.storage.length);
memset(pw0array, 0, sizeof(pw0array));
memset(pw1array, 0, sizeof(pw1array));
diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
index 62523895d53da24844141a6ada6cab23e77dd9e6..55f1d6419f8d924a6f9a2971d36f1eac6d293d32 100644
--- a/src/tests/Makefile.in
+++ b/src/tests/Makefile.in
@@ -94,6 +94,7 @@ check-pytests:: t_init_creds t_localauth
$(RUNPYTEST) $(srcdir)/t_iprop.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_kprop.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_policy.py $(PYTESTFLAGS)
+ $(RUNPYTEST) $(srcdir)/t_changepw.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_pkinit.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_otp.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_localauth.py $(PYTESTFLAGS)
diff --git a/src/tests/t_changepw.py b/src/tests/t_changepw.py
new file mode 100644
index 0000000000000000000000000000000000000000..0b9832668e618b3db8d88cf388ec918898bb4df3
--- /dev/null
+++ b/src/tests/t_changepw.py
@@ -0,0 +1,37 @@
+#!/usr/bin/python
+from k5test import *
+
+# This file is intended to cover any password-changing mechanism. For
+# now it only contains a regression test for #7868.
+
+realm = K5Realm(create_host=False, get_creds=False, start_kadmind=True)
+
+# Mark a principal as expired and change its password through kinit.
+realm.run_kadminl('modprinc -pwexpire "1 day ago" user')
+pwinput = password('user') + '\nabcd\nabcd\n'
+realm.run([kinit, realm.user_princ], input=pwinput)
+
+# Do the same thing with FAST, with tracing turned on.
+realm.run_kadminl('modprinc -pwexpire "1 day ago" user')
+pwinput = 'abcd\nefgh\nefgh\n'
+tracefile = os.path.join(realm.testdir, 'trace')
+realm.run(['env', 'KRB5_TRACE=' + tracefile, kinit, '-T', realm.ccache,
+ realm.user_princ], input=pwinput)
+
+# Read the trace and check that FAST was used when getting the
+# kadmin/changepw ticket.
+f = open(tracefile, 'r')
+trace = f.read()
+f.close()
+getting_changepw = fast_used_for_changepw = False
+for line in trace.splitlines():
+ if 'Getting initial credentials for user@' in line:
+ getting_changepw_ticket = False
+ if 'Setting initial creds service to kadmin/changepw' in line:
+ getting_changepw_ticket = True
+ if getting_changepw_ticket and 'Using FAST' in line:
+ fast_used_for_changepw = True
+if not fast_used_for_changepw:
+ fail('FAST was not used to get kadmin/changepw ticket')
+
+success('Password change tests')
--
1.8.5.3

14
krb5-1.11-dirsrv-accountlock.patch → krb5-1.13-dirsrv-accountlock.patch
View File

@ -23,9 +23,9 @@ diff -up krb5-1.8/src/aclocal.m4.dirsrv-accountlock krb5-1.8/src/aclocal.m4
diff -up krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c.dirsrv-accountlock krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
--- krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c.dirsrv-accountlock 2009-11-24 18:52:25.000000000 -0500
+++ krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c 2010-03-05 11:03:10.000000000 -0500
@@ -2101,6 +2101,22 @@ populate_krb5_db_entry(krb5_context cont
goto cleanup;
if ((st=krb5_dbe_update_tl_data(context, entry, &userinfo_tl_data)) != 0)
@@ -1546,6 +1546,23 @@ populate_krb5_db_entry(krb5_context cont
ret = krb5_dbe_update_tl_data(context, entry, &userinfo_tl_data);
if (ret)
goto cleanup;
+#ifdef HAVE_DIRSRV_ACCOUNT_LOCKING
+ {
@ -33,8 +33,9 @@ diff -up krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c.dirsrv-accountloc
+ char *is_login_disabled=NULL;
+
+ /* LOGIN DISABLED */
+ if ((st=krb5_ldap_get_string(ld, ent, "nsAccountLock", &is_login_disabled,
+ &attr_present)) != 0)
+ ret = krb5_ldap_get_string(ld, ent, "nsAccountLock", &is_login_disabled,
+ &attr_present);
+ if (ret)
+ goto cleanup;
+ if (attr_present == TRUE) {
+ if (strcasecmp(is_login_disabled, "TRUE")== 0)
@ -44,7 +45,8 @@ diff -up krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c.dirsrv-accountloc
+ }
+#endif
if ((st=krb5_read_tkt_policy (context, ldap_context, entry, tktpolname)) !=0)
ret = krb5_read_tkt_policy(context, ldap_context, entry, tktpolname);
if (ret)
goto cleanup;
diff -up krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c.dirsrv-accountlock krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
--- krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c.dirsrv-accountlock 2009-11-24 18:52:25.000000000 -0500

30
krb5-1.12-selinux-label.patch → krb5-1.13-selinux-label.patch
View File

@ -125,10 +125,10 @@ which we used earlier, is some improvement.
localedir='$(datadir)/locale'
--- krb5/src/include/k5-int.h
+++ krb5/src/include/k5-int.h
@@ -133,6 +133,7 @@ typedef unsigned char u_char;
typedef UINT64_TYPE krb5_ui_8;
typedef INT64_TYPE krb5_int64;
@@ -129,6 +129,7 @@ typedef unsigned char u_char;
#include "k5-platform.h"
+#include "k5-label.h"
#define KRB5_KDB_MAX_LIFE (60*60*24) /* one day */
@ -289,8 +289,8 @@ which we used earlier, is some improvement.
--- krb5/src/plugins/kdb/db2/libdb2/btree/bt_open.c
+++ krb5/src/plugins/kdb/db2/libdb2/btree/bt_open.c
@@ -60,6 +60,7 @@ static char sccsid[] = "@(#)bt_open.c 8.
#include "k5-platform.h" /* mkstemp? */
#include <string.h>
#include <unistd.h>
+#include "k5-int.h"
#include "db-int.h"
@ -364,7 +364,7 @@ which we used earlier, is some improvement.
@@ -437,6 +437,9 @@ void doit(fd)
krb5_enctype etype;
int database_fd;
char host[INET6_ADDRSTRLEN+1];
char host[INET6_ADDRSTRLEN + 1];
+#ifdef USE_SELINUX
+ void *selabel;
+#endif
@ -379,13 +379,13 @@ which we used earlier, is some improvement.
+ selabel = krb5int_push_fscreatecon_for(file);
+#endif
omask = umask(077);
lock_fd = open(temp_file_name, O_RDWR|O_CREAT, 0600);
(void) umask(omask);
lock_fd = open(temp_file_name, O_RDWR | O_CREAT, 0600);
(void)umask(omask);
+#ifdef USE_SELINUX
+ krb5int_pop_fscreatecon(selabel);
+#endif
retval = krb5_lock_file(kpropd_context, lock_fd,
KRB5_LOCKMODE_EXCLUSIVE|KRB5_LOCKMODE_DONTBLOCK);
KRB5_LOCKMODE_EXCLUSIVE | KRB5_LOCKMODE_DONTBLOCK);
if (retval) {
--- krb5/src/util/profile/prof_file.c
+++ krb5/src/util/profile/prof_file.c
@ -884,9 +884,9 @@ which we used earlier, is some improvement.
+ if (status == 0)
+ return 0;
+ }
krb5_set_error_message(context, KRB5_FCC_NOFILE,
_("Credential cache directory %s does not "
"exist"), dirname);
k5_setmsg(context, KRB5_FCC_NOFILE,
_("Credential cache directory %s does not exist"),
dirname);
--- krb5/src/lib/krb5/os/trace.c
+++ krb5/src/lib/krb5/os/trace.c
@@ -401,7 +401,7 @@ krb5_set_trace_filename(krb5_context con
@ -944,10 +944,10 @@ which we used earlier, is some improvement.
pid = (unsigned long) getpid();
--- krb5/src/lib/kdb/kdb_log.c
+++ krb5/src/lib/kdb/kdb_log.c
@@ -566,7 +566,7 @@ ulog_map(krb5_context context, const cha
if (caller == FKPROPLOG)
return errno;
@@ -456,7 +456,7 @@ ulog_map(krb5_context context, const cha
int ulogfd = -1;
if (stat(logname, &st) == -1) {
- ulogfd = open(logname, O_RDWR | O_CREAT, 0600);
+ ulogfd = THREEPARAMOPEN(logname, O_RDWR | O_CREAT, 0600);
if (ulogfd == -1)

41
krb5-1.3.4-send-pr-tempfile.patch
View File

@ -1,41 +0,0 @@
Use mktemp to create our temporary files instead of basing them on our PID.
Only portable if you assume the presence of a mktemp helper.
diff -ur krb5-1.3.4/src/util/send-pr/send-pr.sh krb5-1.3.4/src/util/send-pr/send-pr.sh
--- krb5-1.3.4/src/util/send-pr/send-pr.sh 1997-03-20 01:13:56.000000000 +0100
+++ krb5-1.3.4/src/util/send-pr/send-pr.sh 2004-09-20 11:28:56.000000000 +0200
@@ -96,9 +96,9 @@
fi
fi
-TEMP=$TMPDIR/p$$
-BAD=$TMPDIR/pbad$$
-REF=$TMPDIR/pf$$
+TEMP=`mktemp "$TMPDIR"/p.XXXXXX` || exit 1
+BAD=`mktemp "$TMPDIR"/pbad.XXXXXX` || exit 1
+REF=`mktemp "$TMPDIR"/pf.XXXXXX` || exit 1
# find a user name
if [ "$LOGNAME" = "" ]; then
@@ -122,9 +122,10 @@
else
# Must use temp file due to incompatibilities in quoting behavior
# and to protect shell metacharacters in the expansion of $LOGNAME
- $PASSWD | grep "^$LOGNAME:" | awk -F: '{print $5}' | sed -e 's/,.*//' > $TEMP
- ORIGINATOR="`cat $TEMP`"
- rm -f $TEMP
+ TEMP2=`mktemp "$TMPDIR"/plogname.XXXXXX` || exit 1
+ $PASSWD | grep "^$LOGNAME:" | awk -F: '{print $5}' | sed -e 's/,.*//' > $TEMP2
+ ORIGINATOR="`cat $TEMP2`"
+ rm -f $TEMP2
fi
if [ -n "$ORGANIZATION" ]; then
@@ -280,7 +281,7 @@
# Catch some signals. ($xs kludge needed by Sun /bin/sh)
xs=0
trap 'rm -f $REF $TEMP; exit $xs' 0
-trap 'echo "$COMMAND: Aborting ..."; rm -f $REF $TEMP; xs=1; exit' 1 2 3 13 15
+trap 'echo "$COMMAND: Aborting ..."; rm -f "$REF" "$BAD" "$TEMP"; xs=1; exit' 1 2 3 13 15
# If they told us to use a specific file, then do so.
if [ -n "$IN_FILE" ]; then

41
krb5-keyring-strtol.patch
View File

@ -1,41 +0,0 @@
commit 5ac159e220297a8f62dd5edcec6f9b988b0627ea
Author: Nalin Dahyabhai <nalin@dahyabhai.net>
Date: Mon Nov 11 13:10:08 2013 -0500
Catch more strtol() failures when using KEYRINGs
When parsing what should be a UID while resolving a KEYRING ccache
name, don't just depend on strtol() to set errno when the residual
that we pass to it can't be parsed as a number. In addition to
checking errno, pass in and check the value of an "endptr".
[ghudson@mit.edu: simplified slightly]
ticket: 7764 (new)
target_version: 1.12
tags: pullup
diff --git a/src/lib/krb5/ccache/cc_keyring.c b/src/lib/krb5/ccache/cc_keyring.c
index 795ccd6..a07a0dc 100644
--- a/src/lib/krb5/ccache/cc_keyring.c
+++ b/src/lib/krb5/ccache/cc_keyring.c
@@ -593,7 +593,7 @@ get_collection(const char *anchor_name, const char *collection_name,
{
krb5_error_code ret;
key_serial_t persistent_id, anchor_id, possess_id = 0;
- char *ckname;
+ char *ckname, *cnend;
long uidnum;
*collection_id_out = 0;
@@ -607,8 +607,8 @@ get_collection(const char *anchor_name, const char *collection_name,
*/
if (*collection_name != '\0') {
errno = 0;
- uidnum = strtol(collection_name, NULL, 10);
- if (errno)
+ uidnum = strtol(collection_name, &cnend, 10);
+ if (errno || *cnend != '\0')
return KRB5_KCC_INVALID_UID;
} else {
uidnum = geteuid();

275
krb5-master-mechd.patch
View File

@ -1,275 +0,0 @@
commit 123c14fd8862ee8f11f6084d25958cb380655f35
Author: Günther Deschner <gdeschner@redhat.com>
Date: Wed Mar 5 16:21:55 2014 +0100
Remove dead code from the mechglue initialization
The stat check in gss_indicate_mechs had no consequent and would have
been redundant with logic in updateMechList if it did.
[ghudson@mit.edu: elaborated commit message; removed unused
g_mechSetTime and now-irrelevant comment]
diff --git a/src/lib/gssapi/mechglue/g_initialize.c b/src/lib/gssapi/mechglue/g_initialize.c
index 48a825e..c6904e0 100644
--- a/src/lib/gssapi/mechglue/g_initialize.c
+++ b/src/lib/gssapi/mechglue/g_initialize.c
@@ -91,7 +91,6 @@ static gss_mech_info g_mechListTail = NULL;
static k5_mutex_t g_mechListLock = K5_MUTEX_PARTIAL_INITIALIZER;
static time_t g_confFileModTime = (time_t)0;
-static time_t g_mechSetTime = (time_t)0;
static gss_OID_set_desc g_mechSet = { 0, NULL };
static k5_mutex_t g_mechSetLock = K5_MUTEX_PARTIAL_INITIALIZER;
@@ -213,8 +212,6 @@ gss_indicate_mechs(minorStatus, mechSet_out)
OM_uint32 *minorStatus;
gss_OID_set *mechSet_out;
{
- char *fileName;
- struct stat fileInfo;
OM_uint32 status;
/* Initialize outputs. */
@@ -233,16 +230,6 @@ gss_OID_set *mechSet_out;
if (*minorStatus != 0)
return (GSS_S_FAILURE);
- fileName = MECH_CONF;
-
- /*
- * If we have already computed the mechanisms supported and if it
- * is still valid; make a copy and return to caller,
- * otherwise build it first.
- */
- if ((stat(fileName, &fileInfo) == 0 &&
- fileInfo.st_mtime > g_mechSetTime)) {
- } /* if g_mechSet is out of date or not initialized */
if (build_mechSet())
return GSS_S_FAILURE;
@@ -289,20 +276,6 @@ build_mechSet(void)
*/
k5_mutex_lock(&g_mechListLock);
-#if 0
- /*
- * this checks for the case when we need to re-construct the
- * g_mechSet structure, but the mechanism list is upto date
- * (because it has been read by someone calling
- * gssint_get_mechanism)
- */
- if (fileInfo.st_mtime > g_confFileModTime)
- {
- g_confFileModTime = fileInfo.st_mtime;
- loadConfigFile(fileName);
- }
-#endif
-
updateMechList();
/*
commit 05cbef80d53f49d30a5d0563501226dc173734d4
Author: Günther Deschner <gdeschner@redhat.com>
Date: Wed Mar 5 15:25:43 2014 +0100
Load mechglue config files from /etc/gss/mech.d
In addition to loading /etc/gss/mech, glob for *.conf files in
/etc/gss/mech.d. Load only config files which have changed since the
highest mtime we saw in the previous scan. Scan at most once per
second to avoid excessive numbers of filesystem syscalls for busy
GSSAPI applications.
[ghudson@mit.edu: rewrote commit message; style changes; added
once-per-second throttle on glob/stat calls]
ticket: 7882 (new)
diff --git a/src/lib/gssapi/mechglue/g_initialize.c b/src/lib/gssapi/mechglue/g_initialize.c
index c6904e0..f0acf1a 100644
--- a/src/lib/gssapi/mechglue/g_initialize.c
+++ b/src/lib/gssapi/mechglue/g_initialize.c
@@ -41,6 +41,7 @@
#include <string.h>
#include <ctype.h>
#include <errno.h>
+#include <glob.h>
#define M_DEFAULT "default"
@@ -58,6 +59,7 @@
#ifndef MECH_CONF
#define MECH_CONF "/etc/gss/mech"
#endif
+#define MECH_CONF_PATTERN MECH_CONF ".d/*.conf"
/* Local functions */
static void addConfigEntry(const char *oidStr, const char *oid,
@@ -90,6 +92,7 @@ static gss_mech_info g_mechList = NULL;
static gss_mech_info g_mechListTail = NULL;
static k5_mutex_t g_mechListLock = K5_MUTEX_PARTIAL_INITIALIZER;
static time_t g_confFileModTime = (time_t)0;
+static time_t g_confLastCall = (time_t)0;
static gss_OID_set_desc g_mechSet = { 0, NULL };
static k5_mutex_t g_mechSetLock = K5_MUTEX_PARTIAL_INITIALIZER;
@@ -383,6 +386,56 @@ const gss_OID oid;
return (modOptions);
} /* gssint_get_modOptions */
+/* Return the mtime of filename or its eventual symlink target (if it is a
+ * symlink), whichever is larger. Return (time_t)-1 if lstat or stat fails. */
+static time_t
+check_link_mtime(const char *filename, time_t *mtime_out)
+{
+ struct stat st1, st2;
+
+ if (lstat(filename, &st1) != 0)
+ return (time_t)-1;
+ if (!S_ISLNK(st1.st_mode))
+ return st1.st_mtime;
+ if (stat(filename, &st2) != 0)
+ return (time_t)-1;
+ return (st1.st_mtime > st2.st_mtime) ? st1.st_mtime : st2.st_mtime;
+}
+
+/* Try to load any config files which have changed since the last call. Config
+ * files are MECH_CONF and any files matching MECH_CONF_PATTERN. */
+static void
+loadConfigFiles()
+{
+ glob_t globbuf;
+ time_t highest_mtime = 0, mtime, now;
+ char **pathptr;
+
+ /* Don't glob and stat more than once per second. */
+ if (time(&now) == (time_t)-1 || now == g_confLastCall)
+ return;
+ g_confLastCall = now;
+
+ globbuf.gl_offs = 1;
+ if (glob(MECH_CONF_PATTERN, GLOB_DOOFFS, NULL, &globbuf) != 0)
+ return;
+ globbuf.gl_pathv[0] = MECH_CONF;
+
+ for (pathptr = globbuf.gl_pathv; *pathptr != NULL; pathptr++) {
+ mtime = check_link_mtime(*pathptr, &mtime);
+ if (mtime == (time_t)-1)
+ continue;
+ if (mtime > highest_mtime)
+ highest_mtime = mtime;
+ if (mtime > g_confFileModTime)
+ loadConfigFile(*pathptr);
+ }
+ g_confFileModTime = highest_mtime;
+
+ globbuf.gl_pathv[0] = NULL;
+ globfree(&globbuf);
+}
+
/*
* determines if the mechList needs to be updated from file
* and performs the update.
@@ -401,17 +454,7 @@ updateMechList(void)
loadConfigFromRegistry(HKEY_CURRENT_USER, MECH_KEY);
loadConfigFromRegistry(HKEY_LOCAL_MACHINE, MECH_KEY);
#else /* _WIN32 */
- char *fileName;
- struct stat fileInfo;
-
- fileName = MECH_CONF;
-
- /* check if mechList needs updating */
- if (stat(fileName, &fileInfo) != 0 ||
- g_confFileModTime >= fileInfo.st_mtime)
- return;
- g_confFileModTime = fileInfo.st_mtime;
- loadConfigFile(fileName);
+ loadConfigFiles();
#endif /* !_WIN32 */
/* Load any unloaded interposer mechanisms immediately, to make sure we
commit ac98187641f6943ae571606c0b6a97f236f9b60c
Author: Greg Hudson <ghudson@mit.edu>
Date: Wed May 28 23:51:49 2014 -0400
Read /etc/gss/mech if no mech.d/*.conf found
Always read /etc/gss/mech, even if globbing /etc/gss/mech.d/*.conf
doesn't work. Doing this using GLOB_DOOFFS proved error-prone, so use
a simpler approach: factor out the per-pathname handling into a helper
function load_if_changed, call it with MECH_CONF before the glob, then
pass each glob result through the helper.
ticket: 7925
diff --git a/src/lib/gssapi/mechglue/g_initialize.c b/src/lib/gssapi/mechglue/g_initialize.c
index f0acf1a..8bce14c 100644
--- a/src/lib/gssapi/mechglue/g_initialize.c
+++ b/src/lib/gssapi/mechglue/g_initialize.c
@@ -402,38 +402,45 @@ check_link_mtime(const char *filename, time_t *mtime_out)
return (st1.st_mtime > st2.st_mtime) ? st1.st_mtime : st2.st_mtime;
}
+/* Load pathname if it is newer than last. Update *highest to the maximum of
+ * its current value and pathname's mod time. */
+static void
+load_if_changed(const char *pathname, time_t last, time_t *highest)
+{
+ time_t mtime;
+
+ mtime = check_link_mtime(pathname, &mtime);
+ if (mtime == (time_t)-1)
+ return;
+ if (mtime > *highest)
+ *highest = mtime;
+ if (mtime > last)
+ loadConfigFile(pathname);
+}
+
/* Try to load any config files which have changed since the last call. Config
* files are MECH_CONF and any files matching MECH_CONF_PATTERN. */
static void
loadConfigFiles()
{
glob_t globbuf;
- time_t highest_mtime = 0, mtime, now;
- char **pathptr;
+ time_t highest = 0, now;
+ char **path;
/* Don't glob and stat more than once per second. */
if (time(&now) == (time_t)-1 || now == g_confLastCall)
return;
g_confLastCall = now;
- globbuf.gl_offs = 1;
- if (glob(MECH_CONF_PATTERN, GLOB_DOOFFS, NULL, &globbuf) != 0)
- return;
- globbuf.gl_pathv[0] = MECH_CONF;
+ load_if_changed(MECH_CONF, g_confFileModTime, &highest);
- for (pathptr = globbuf.gl_pathv; *pathptr != NULL; pathptr++) {
- mtime = check_link_mtime(*pathptr, &mtime);
- if (mtime == (time_t)-1)
- continue;
- if (mtime > highest_mtime)
- highest_mtime = mtime;
- if (mtime > g_confFileModTime)
- loadConfigFile(*pathptr);
+ if (glob(MECH_CONF_PATTERN, 0, NULL, &globbuf) == 0) {
+ for (path = globbuf.gl_pathv; *path != NULL; path++)
+ load_if_changed(*path, g_confFileModTime, &highest);
+ globfree(&globbuf);
}
- g_confFileModTime = highest_mtime;
- globbuf.gl_pathv[0] = NULL;
- globfree(&globbuf);
+ g_confFileModTime = highest;
}
/*

203
krb5-master-move-otp-sockets.patch
View File

@ -1,203 +0,0 @@
Adjusted to apply to 1.12.2.
commit 1e4bdcfed2c7bda94d5c135cc32a5993ca032501
Author: Nathaniel McCallum <npmccallum@redhat.com>
Date: Wed Feb 5 10:59:46 2014 -0500
Move OTP sockets to KDC_RUN_DIR
Some system configurations expect Unix-domain sockets to live under
/run or /var/run, and not other parts of /var where persistent
application state lives. Define a new directory KDC_RUN_DIR using
$runstatedir (new in autoconf 2.70, so fall back to $localstatedir/run
if it's not set) and use that for the default socket path.
[ghudson@mit.edu: commit message, otp.rst formatting fix]
ticket: 7859 (new)
diff --git a/doc/admin/otp.rst b/doc/admin/otp.rst
index 0abd5ff..f12c36d 100644
--- a/doc/admin/otp.rst
+++ b/doc/admin/otp.rst
@@ -23,7 +23,7 @@ the following format::
[otp]
<name> = {
- server = <host:port or filename> (default: $KDCDIR/<name>.socket)
+ server = <host:port or filename> (default: see below)
secret = <filename>
timeout = <integer> (default: 5 [seconds])
retries = <integer> (default: 3)
@@ -33,7 +33,8 @@ the following format::
If the server field begins with '/', it will be interpreted as a UNIX
socket. Otherwise, it is assumed to be in the format host:port. When
a UNIX domain socket is specified, the secret field is optional and an
-empty secret is used by default.
+empty secret is used by default. If the server field is not
+specified, it defaults to |kdcrundir|\ ``/<name>.socket``.
When forwarding the request over RADIUS, by default the principal is
used in the User-Name attribute of the RADIUS packet. The strip_realm
diff --git a/doc/conf.py b/doc/conf.py
index f015fc8..bc8b2bd 100644
--- a/doc/conf.py
+++ b/doc/conf.py
@@ -231,6 +231,7 @@ if 'mansubs' in tags:
sbindir = '``@SBINDIR@``'
libdir = '``@LIBDIR@``'
localstatedir = '``@LOCALSTATEDIR@``'
+ runstatedir = '``@RUNSTATEDIR@``'
sysconfdir = '``@SYSCONFDIR@``'
ccache = '``@CCNAME@``'
keytab = '``@KTNAME@``'
@@ -243,6 +244,7 @@ else:
sbindir = ':ref:`SBINDIR <paths>`'
libdir = ':ref:`LIBDIR <paths>`'
localstatedir = ':ref:`LOCALSTATEDIR <paths>`'
+ runstatedir = ':ref:`RUNSTATEDIR <paths>`'
sysconfdir = ':ref:`SYSCONFDIR <paths>`'
ccache = ':ref:`DEFCCNAME <paths>`'
keytab = ':ref:`DEFKTNAME <paths>`'
@@ -262,6 +264,7 @@ else:
rst_epilog += '.. |sbindir| replace:: %s\n' % sbindir
rst_epilog += '.. |libdir| replace:: %s\n' % libdir
rst_epilog += '.. |kdcdir| replace:: %s\\ ``/krb5kdc``\n' % localstatedir
+ rst_epilog += '.. |kdcrundir| replace:: %s\\ ``/krb5kdc``\n' % runstatedir
rst_epilog += '.. |sysconfdir| replace:: %s\n' % sysconfdir
rst_epilog += '.. |ccache| replace:: %s\n' % ccache
rst_epilog += '.. |keytab| replace:: %s\n' % keytab
diff --git a/doc/mitK5defaults.rst b/doc/mitK5defaults.rst
index 89b8f4c..838dabb 100644
--- a/doc/mitK5defaults.rst
+++ b/doc/mitK5defaults.rst
@@ -17,6 +17,7 @@ KDC config file :ref:`kdc.conf(5)` |kdcdir|\ ``/kdc.conf`` **KRB
KDC database path (DB2) |kdcdir|\ ``/principal``
Master key :ref:`stash_definition` |kdcdir|\ ``/.k5.``\ *realm*
Admin server ACL file :ref:`kadm5.acl(5)` |kdcdir|\ ``/kadm5.acl``
+OTP socket directory |kdcrundir|
Plugin base directory |libdir|\ ``/krb5/plugins``
:ref:`rcache_definition` directory ``/var/tmp`` **KRB5RCACHEDIR**
Master key default enctype |defmkey|
@@ -64,6 +65,7 @@ Description Symbolic name Custom build path Typical
User programs BINDIR ``/usr/local/bin`` ``/usr/bin``
Libraries and plugins LIBDIR ``/usr/local/lib`` ``/usr/lib``
Parent of KDC state dir LOCALSTATEDIR ``/usr/local/var`` ``/var``
+Parent of KDC runtime dir RUNSTATEDIR ``/usr/local/var/run`` ``/run``
Administrative programs SBINDIR ``/usr/local/sbin`` ``/usr/sbin``
Alternate krb5.conf dir SYSCONFDIR ``/usr/local/etc`` ``/etc``
Default ccache name DEFCCNAME ``FILE:/tmp/krb5cc_%{uid}`` ``FILE:/tmp/krb5cc_%{uid}``
diff --git a/src/Makefile.in b/src/Makefile.in
index a8bc990..1725093 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -64,6 +64,7 @@ INSTALLMKDIRS = $(KRB5ROOT) $(KRB5MANROOT) $(KRB5OTHERMKDIRS) \
$(KRB5_AD_MODULE_DIR) \
$(KRB5_LIBKRB5_MODULE_DIR) \
@localstatedir@ @localstatedir@/krb5kdc \
+ @runstatedir@ @runstatedir@/krb5kdc \
$(KRB5_INCSUBDIRS) $(datadir) $(EXAMPLEDIR) \
$(PKGCONFIG_DIR)
diff --git a/src/configure.in b/src/configure.in
index 2145d54..c2eaf78 100644
--- a/src/configure.in
+++ b/src/configure.in
@@ -9,6 +9,12 @@
fi
AC_SUBST(SYSCONFCONF)
+# If $runstatedir isn't set by autoconf (<2.70), set it manually.
+if test x"$runstatedir" == x; then
+ runstatedir=$localstatedir/run
+fi
+AC_SUBST(runstatedir)
+
CONFIG_RULES
KRB5_VERSION=K5_VERSION
AC_SUBST(KRB5_VERSION)
diff --git a/src/doc/Makefile.in b/src/doc/Makefile.in
index a6bb7c5..b07e16a 100644
--- a/src/doc/Makefile.in
+++ b/src/doc/Makefile.in
@@ -7,6 +7,7 @@ DOXYGEN=doxygen
docsrc=$(top_srcdir)/../doc
localstatedir=@localstatedir@
+runstatedir=@runstatedir@
sysconfdir=@sysconfdir@
DEFCCNAME=@DEFCCNAME@
DEFKTNAME=@DEFKTNAME@
@@ -113,6 +114,7 @@ paths.py:
echo 'sbindir = "``$(SERVER_BINDIR)``"' >> $@
echo 'libdir = "``$(KRB5_LIBDIR)``"' >> $@
echo 'localstatedir = "``$(localstatedir)``"' >> $@
+ echo 'runstatedir = "``$(runstatedir)``"' >> $@
echo 'sysconfdir = "``$(sysconfdir)``"' >> $@
echo 'ccache = "``$(DEFCCNAME)``"' >> $@
echo 'keytab = "``$(DEFKTNAME)``"' >> $@
diff --git a/src/include/Makefile.in b/src/include/Makefile.in
index e13042a..f83ff4e 100644
--- a/src/include/Makefile.in
+++ b/src/include/Makefile.in
@@ -53,6 +53,7 @@ autoconf.stamp: $(srcdir)/autoconf.h.in $(BUILDTOP)/config.status
SYSCONFDIR = @sysconfdir@
LOCALSTATEDIR = @localstatedir@
+RUNSTATEDIR = @runstatedir@
BINDIR = @bindir@
SBINDIR = @sbindir@
LIBDIR = @libdir@
@@ -66,6 +67,7 @@ PROCESS_REPLACE = -e "s+@KRB5RCTMPDIR+$(KRB5RCTMPDIR)+" \
-e "s+@MODULEDIR+$(MODULE_DIR)+" \
-e "s+@GSSMODULEDIR+$(GSS_MODULE_DIR)+" \
-e 's+@LOCALSTATEDIR+$(LOCALSTATEDIR)+' \
+ -e 's+@RUNSTATEDIR+$(RUNSTATEDIR)+' \
-e 's+@SYSCONFDIR+$(SYSCONFDIR)+' \
-e 's+@DYNOBJEXT+$(DYNOBJEXT)+' \
-e 's+@SYSCONFCONF+$(SYSCONFCONF)+'
diff --git a/src/include/osconf.hin b/src/include/osconf.hin
index 90ab86d..871503a 100644
--- a/src/include/osconf.hin
+++ b/src/include/osconf.hin
@@ -59,6 +59,7 @@
#define PLUGIN_EXT "@DYNOBJEXT"
#define KDC_DIR "@LOCALSTATEDIR/krb5kdc"
+#define KDC_RUN_DIR "@RUNSTATEDIR/krb5kdc"
#define DEFAULT_KDB_FILE KDC_DIR "/principal"
#define DEFAULT_KEYFILE_STUB KDC_DIR "/.k5."
#define KRB5_DEFAULT_ADMIN_ACL KDC_DIR "/krb5_adm.acl"
diff --git a/src/man/Makefile.in b/src/man/Makefile.in
index 4dd2448..2b9c892 100644
--- a/src/man/Makefile.in
+++ b/src/man/Makefile.in
@@ -5,6 +5,7 @@ SPHINX_BUILD=sphinx-build
GROFF=@GROFF@
GROFF_MAN=$(GROFF) -mtty-char -Tascii -mandoc -c
localstatedir=@localstatedir@
+runstatedir=@runstatedir@
sysconfdir=@sysconfdir@
DEFCCNAME=@DEFCCNAME@
DEFKTNAME=@DEFKTNAME@
@@ -44,6 +45,7 @@ $(docsrc)/version.py: $(top_srcdir)/patchlevel.h
-e 's|@SBINDIR@|$(SERVER_BINDIR)|g' \
-e 's|@LIBDIR@|$(KRB5_LIBDIR)|g' \
-e 's|@LOCALSTATEDIR@|$(localstatedir)|g' \
+ -e 's|@RUNSTATEDIR@|$(runstatedir)|g' \
-e 's|@SYSCONFDIR@|$(sysconfdir)|g' \
-e 's|@CCNAME@|$(DEFCCNAME)|g' \
-e 's|@KTNAME@|$(DEFKTNAME)|g' \
diff --git a/src/plugins/preauth/otp/otp_state.c b/src/plugins/preauth/otp/otp_state.c
index a4d7e3b..4643dff 100644
--- a/src/plugins/preauth/otp/otp_state.c
+++ b/src/plugins/preauth/otp/otp_state.c
@@ -40,7 +40,7 @@
#endif
#define DEFAULT_TYPE_NAME "DEFAULT"
-#define DEFAULT_SOCKET_FMT KDC_DIR "/%s.socket"
+#define DEFAULT_SOCKET_FMT KDC_RUN_DIR "/%s.socket"
#define DEFAULT_TIMEOUT 5
#define DEFAULT_RETRIES 3
#define MAX_SECRET_LEN 1024

105
krb5-master-rcache-acquirecred-cleanup.patch
View File

@ -1,105 +0,0 @@
commit ef8e19af863158e4c1abc15fc710aa8cfad38406
Author: Greg Hudson <ghudson@mit.edu>
Date: Wed Jan 15 12:51:42 2014 -0500
Clean up GSS krb5 acquire_accept_cred
Use a cleanup handler instead of releasing kt in multiple error
clauses. Wrap a long line and fix a comment with a missing word.
Rewrap the function arguments to use fewer lines.
diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c
index 9547207..37cc6b5 100644
--- a/src/lib/gssapi/krb5/acquire_cred.c
+++ b/src/lib/gssapi/krb5/acquire_cred.c
@@ -179,13 +179,13 @@ cleanup:
*/
static OM_uint32
-acquire_accept_cred(krb5_context context,
- OM_uint32 *minor_status,
- krb5_keytab req_keytab,
- krb5_gss_cred_id_rec *cred)
+acquire_accept_cred(krb5_context context, OM_uint32 *minor_status,
+ krb5_keytab req_keytab, krb5_gss_cred_id_rec *cred)
{
+ OM_uint32 major;
krb5_error_code code;
- krb5_keytab kt;
+ krb5_keytab kt = NULL;
+ krb5_rcache rc = NULL;
assert(cred->keytab == NULL);
@@ -202,46 +202,54 @@ acquire_accept_cred(krb5_context context,
}
}
if (code) {
- *minor_status = code;
- return GSS_S_CRED_UNAVAIL;
+ major = GSS_S_CRED_UNAVAIL;
+ goto cleanup;
}
if (cred->name != NULL) {
- /* Make sure we keys matching the desired name in the keytab. */
+ /* Make sure we have keys matching the desired name in the keytab. */
code = check_keytab(context, kt, cred->name);
if (code) {
- krb5_kt_close(context, kt);
if (code == KRB5_KT_NOTFOUND) {
char *errstr = (char *)krb5_get_error_message(context, code);
- krb5_set_error_message(context, KG_KEYTAB_NOMATCH, "%s", errstr);
+ krb5_set_error_message(context, KG_KEYTAB_NOMATCH, "%s",
+ errstr);
krb5_free_error_message(context, errstr);
- *minor_status = KG_KEYTAB_NOMATCH;
- } else
- *minor_status = code;
- return GSS_S_CRED_UNAVAIL;
+ code = KG_KEYTAB_NOMATCH;
+ }
+ major = GSS_S_CRED_UNAVAIL;
+ goto cleanup;
}
/* Open the replay cache for this principal. */
code = krb5_get_server_rcache(context, &cred->name->princ->data[0],
- &cred->rcache);
+ &rc);
if (code) {
- krb5_kt_close(context, kt);
- *minor_status = code;
- return GSS_S_FAILURE;
+ major = GSS_S_FAILURE;
+ goto cleanup;
}
} else {
/* Make sure we have a keytab with keys in it. */
code = krb5_kt_have_content(context, kt);
if (code) {
- krb5_kt_close(context, kt);
- *minor_status = code;
- return GSS_S_CRED_UNAVAIL;
+ major = GSS_S_CRED_UNAVAIL;
+ goto cleanup;
}
}
cred->keytab = kt;
+ kt = NULL;
+ cred->rcache = rc;
+ rc = NULL;
+ major = GSS_S_COMPLETE;
- return GSS_S_COMPLETE;
+cleanup:
+ if (kt != NULL)
+ krb5_kt_close(context, kt);
+ if (rc != NULL)
+ krb5_rc_close(context, rc);
+ *minor_status = code;
+ return major;
}
#endif /* LEAN_CLIENT */

136
krb5-master-rcache-acquirecred-source.patch
View File

@ -1,136 +0,0 @@
commit 7dad0bee30fbbde8cfc0eacd2d1487c198a004a1
Author: Simo Sorce <simo@redhat.com>
Date: Thu Dec 26 19:05:34 2013 -0500
Add rcache feature to gss_acquire_cred_from
The "rcache" cred store entry can specify a replay cache type and name
to be used with the credentials being acquired.
[ghudson@mit.edu: split up, simplified, and altered to fit preparatory
commits]
ticket: 7819 (new)
diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c
index f625c0c..5d680f9 100644
--- a/src/lib/gssapi/krb5/acquire_cred.c
+++ b/src/lib/gssapi/krb5/acquire_cred.c
@@ -180,7 +180,8 @@ cleanup:
static OM_uint32
acquire_accept_cred(krb5_context context, OM_uint32 *minor_status,
- krb5_keytab req_keytab, krb5_gss_cred_id_rec *cred)
+ krb5_keytab req_keytab, const char *rcname,
+ krb5_gss_cred_id_rec *cred)
{
OM_uint32 major;
krb5_error_code code;
@@ -189,6 +190,20 @@ acquire_accept_cred(krb5_context context, OM_uint32 *minor_status,
assert(cred->keytab == NULL);
+ /* If we have an explicit rcache name, open it. */
+ if (rcname != NULL) {
+ code = krb5_rc_resolve_full(context, &rc, rcname);
+ if (code) {
+ major = GSS_S_FAILURE;
+ goto cleanup;
+ }
+ code = krb5_rc_recover_or_initialize(context, rc, context->clockskew);
+ if (code) {
+ major = GSS_S_FAILURE;
+ goto cleanup;
+ }
+ }
+
if (req_keytab != NULL) {
code = krb5_kt_dup(context, req_keytab, &kt);
} else {
@@ -221,12 +236,14 @@ acquire_accept_cred(krb5_context context, OM_uint32 *minor_status,
goto cleanup;
}
- /* Open the replay cache for this principal. */
- code = krb5_get_server_rcache(context, &cred->name->princ->data[0],
- &rc);
- if (code) {
- major = GSS_S_FAILURE;
- goto cleanup;
+ if (rc == NULL) {
+ /* Open the replay cache for this principal. */
+ code = krb5_get_server_rcache(context, &cred->name->princ->data[0],
+ &rc);
+ if (code) {
+ major = GSS_S_FAILURE;
+ goto cleanup;
+ }
}
} else {
/* Make sure we have a keytab with keys in it. */
@@ -718,8 +735,8 @@ acquire_cred_context(krb5_context context, OM_uint32 *minor_status,
gss_name_t desired_name, gss_buffer_t password,
OM_uint32 time_req, gss_cred_usage_t cred_usage,
krb5_ccache ccache, krb5_keytab client_keytab,
- krb5_keytab keytab, krb5_boolean iakerb,
- gss_cred_id_t *output_cred_handle,
+ krb5_keytab keytab, const char *rcname,
+ krb5_boolean iakerb, gss_cred_id_t *output_cred_handle,
OM_uint32 *time_rec)
{
krb5_gss_cred_id_t cred = NULL;
@@ -775,7 +792,7 @@ acquire_cred_context(krb5_context context, OM_uint32 *minor_status,
* in cred->name if desired_princ is specified.
*/
if (cred_usage == GSS_C_ACCEPT || cred_usage == GSS_C_BOTH) {
- ret = acquire_accept_cred(context, minor_status, keytab, cred);
+ ret = acquire_accept_cred(context, minor_status, keytab, rcname, cred);
if (ret != GSS_S_COMPLETE)
goto error_out;
}
@@ -867,7 +884,7 @@ acquire_cred(OM_uint32 *minor_status, gss_name_t desired_name,
ret = acquire_cred_context(context, minor_status, desired_name, password,
time_req, cred_usage, ccache, NULL, keytab,
- iakerb, output_cred_handle, time_rec);
+ NULL, iakerb, output_cred_handle, time_rec);
out:
krb5_free_context(context);
@@ -1135,7 +1152,7 @@ krb5_gss_acquire_cred_from(OM_uint32 *minor_status,
krb5_keytab client_keytab = NULL;
krb5_keytab keytab = NULL;
krb5_ccache ccache = NULL;
- const char *value;
+ const char *rcname, *value;
OM_uint32 ret;
code = gss_krb5int_initialize_library();
@@ -1191,9 +1208,14 @@ krb5_gss_acquire_cred_from(OM_uint32 *minor_status,
}
}
+ ret = kg_value_from_cred_store(cred_store, KRB5_CS_RCACHE_URN, &rcname);
+ if (GSS_ERROR(ret))
+ goto out;
+
ret = acquire_cred_context(context, minor_status, desired_name, NULL,
time_req, cred_usage, ccache, client_keytab,
- keytab, 0, output_cred_handle, time_rec);
+ keytab, rcname, 0, output_cred_handle,
+ time_rec);
out:
if (ccache != NULL)
diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
index 0167816..8e4f6d9 100644
--- a/src/lib/gssapi/krb5/gssapiP_krb5.h
+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
@@ -1260,6 +1260,7 @@ data_to_gss(krb5_data *input_k5data, gss_buffer_t output_buffer)
#define KRB5_CS_CLI_KEYTAB_URN "client_keytab"
#define KRB5_CS_KEYTAB_URN "keytab"
#define KRB5_CS_CCACHE_URN "ccache"
+#define KRB5_CS_RCACHE_URN "rcache"
OM_uint32
kg_value_from_cred_store(gss_const_key_value_set_t cred_store,

82
krb5-master-rcache-acquirecred-test.patch
View File

@ -1,82 +0,0 @@
commit 6f8d5135334c9ddb674f9824e750872b3b0642ea
Author: Greg Hudson <ghudson@mit.edu>
Date: Thu Jan 16 11:49:55 2014 -0500
Add test for gss_acquire_cred_from rcache feature
diff --git a/src/tests/gssapi/t_credstore.c b/src/tests/gssapi/t_credstore.c
index 575f96d..e28f5d0 100644
--- a/src/tests/gssapi/t_credstore.c
+++ b/src/tests/gssapi/t_credstore.c
@@ -46,7 +46,9 @@ main(int argc, char *argv[])
gss_cred_usage_t cred_usage = GSS_C_BOTH;
gss_OID_set mechs = GSS_C_NO_OID_SET;
gss_cred_id_t cred = GSS_C_NO_CREDENTIAL;
- krb5_boolean store_creds = FALSE;
+ gss_ctx_id_t ictx = GSS_C_NO_CONTEXT, actx = GSS_C_NO_CONTEXT;
+ gss_buffer_desc itok, atok;
+ krb5_boolean store_creds = FALSE, replay = FALSE;
char opt;
/* Parse options. */
@@ -54,6 +56,8 @@ main(int argc, char *argv[])
opt = (*argv)[1];
if (opt == 's')
store_creds = TRUE;
+ else if (opt == 'r')
+ replay = TRUE;
else if (opt == 'a')
cred_usage = GSS_C_ACCEPT;
else if (opt == 'b')
@@ -101,6 +105,31 @@ main(int argc, char *argv[])
&store, &cred, NULL, NULL);
check_gsserr("gss_acquire_cred_from", major, minor);
+ if (replay) {
+ /* Induce a replay using cred as the acceptor cred, to test the replay
+ * cache indicated by the store. */
+ major = gss_init_sec_context(&minor, GSS_C_NO_CREDENTIAL, &ictx, name,
+ &mech_krb5, 0, GSS_C_INDEFINITE,
+ GSS_C_NO_CHANNEL_BINDINGS,
+ GSS_C_NO_BUFFER, NULL, &itok, NULL, NULL);
+ check_gsserr("gss_init_sec_context", major, minor);
+ (void)gss_delete_sec_context(&minor, &ictx, NULL);
+
+ major = gss_accept_sec_context(&minor, &actx, cred, &itok,
+ GSS_C_NO_CHANNEL_BINDINGS, NULL, NULL,
+ &atok, NULL, NULL, NULL);
+ check_gsserr("gss_accept_sec_context(1)", major, minor);
+ (void)gss_release_buffer(&minor, &atok);
+ (void)gss_delete_sec_context(&minor, &actx, NULL);
+
+ major = gss_accept_sec_context(&minor, &actx, cred, &itok,
+ GSS_C_NO_CHANNEL_BINDINGS, NULL, NULL,
+ &atok, NULL, NULL, NULL);
+ check_gsserr("gss_accept_sec_context(2)", major, minor);
+ (void)gss_release_buffer(&minor, &atok);
+ (void)gss_delete_sec_context(&minor, &actx, NULL);
+ }
+
gss_release_name(&minor, &name);
gss_release_cred(&minor, &cred);
free(store.elements);
diff --git a/src/tests/gssapi/t_gssapi.py b/src/tests/gssapi/t_gssapi.py
index 74139e4..106910d 100755
--- a/src/tests/gssapi/t_gssapi.py
+++ b/src/tests/gssapi/t_gssapi.py
@@ -91,6 +91,15 @@ realm.kinit(service_cs, None, ['-k', '-t', servicekeytab])
realm.run(['./t_credstore', '-s', 'p:' + service_cs, 'ccache', storagecache,
'keytab', servicekeytab])
+# Test rcache feature of cred stores. t_credstore -r should produce a
+# replay error normally, but not with rcache set to "none:".
+output = realm.run(['./t_credstore', '-r', '-a', 'p:' + realm.host_princ],
+ expected_code=1)
+if 'gss_accept_sec_context(2): Request is a replay' not in output:
+ fail('Expected replay error not seen in t_credstore output')
+realm.run(['./t_credstore', '-r', '-a', 'p:' + realm.host_princ,
+ 'rcache', 'none:'])
+
# Verify that we can't acquire acceptor creds without a keytab.
os.remove(realm.keytab)
output = realm.run(['./t_accname', 'p:abc'], expected_code=1)

46
krb5-master-rcache-internal-const.patch
View File

@ -1,46 +0,0 @@
commit 74ff6c4accb68bd1d6c652c55e66519720db9fc4
Author: Greg Hudson <ghudson@mit.edu>
Date: Wed Jan 15 12:31:41 2014 -0500
Make rcache resolve functions take const char *
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index bbc7fab..b4757a9 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -1887,8 +1887,10 @@ krb5_error_code KRB5_CALLCONV
krb5int_cc_user_set_default_name(krb5_context context, const char *name);
krb5_error_code krb5_rc_default(krb5_context, krb5_rcache *);
-krb5_error_code krb5_rc_resolve_type(krb5_context, krb5_rcache *,char *);
-krb5_error_code krb5_rc_resolve_full(krb5_context, krb5_rcache *,char *);
+krb5_error_code krb5_rc_resolve_type(krb5_context, krb5_rcache *,
+ const char *);
+krb5_error_code krb5_rc_resolve_full(krb5_context, krb5_rcache *,
+ const char *);
char *krb5_rc_get_type(krb5_context, krb5_rcache);
char *krb5_rc_default_type(krb5_context);
char *krb5_rc_default_name(krb5_context);
diff --git a/src/lib/krb5/rcache/rc_base.c b/src/lib/krb5/rcache/rc_base.c
index 2fc96c5..373ac30 100644
--- a/src/lib/krb5/rcache/rc_base.c
+++ b/src/lib/krb5/rcache/rc_base.c
@@ -65,7 +65,8 @@ krb5_rc_register_type(krb5_context context, const krb5_rc_ops *ops)
}
krb5_error_code
-krb5_rc_resolve_type(krb5_context context, krb5_rcache *idptr, char *type)
+krb5_rc_resolve_type(krb5_context context, krb5_rcache *idptr,
+ const char *type)
{
struct krb5_rc_typelist *t;
krb5_error_code err;
@@ -146,7 +147,7 @@ krb5_rc_default(krb5_context context, krb5_rcache *idptr)
krb5_error_code
krb5_rc_resolve_full(krb5_context context, krb5_rcache *idptr,
- char *string_name)
+ const char *string_name)
{
char *type;
char *residual;

23
krb5-master-strdupcheck.patch
View File

@ -1,23 +0,0 @@
commit b6810da129512b6d0200580d78d22d38cc214e21
Author: Lukas Slebodnik <lslebodn@redhat.com>
Date: Sat Jun 21 17:09:31 2014 +0200
Fix error check in krb5_ldap_parse_principal_name
Test the correct variable for NULL to detect a strdup failure.
[ghudson@mit.edu: clarified commit message]
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
index 21695a9..44bf339 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
@@ -412,7 +412,7 @@ krb5_ldap_parse_principal_name(char *i_princ_name, char **o_princ_name)
at_rlm_name = strrchr(i_princ_name, '@');
if (!at_rlm_name) {
*o_princ_name = strdup(i_princ_name);
- if (!o_princ_name)
+ if (!*o_princ_name)
return ENOMEM;
} else {
k5_buf_init_dynamic(&buf);

94
krb5.spec
View File

@ -37,19 +37,20 @@
%global configure_default_ccache_name 1
%global configured_default_ccache_name KEYRING:persistent:%%{uid}
%endif
%global prerelease -alpha1
Summary: The Kerberos network authentication system
Name: krb5
Version: 1.12.2
Release: 3%{?dist}
Version: 1.13
Release: 0%{?dist}.alpha1.1
# Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.12/krb5-1.12.2-signed.tar
Source0: krb5-%{version}.tar.gz
Source1: krb5-%{version}.tar.gz.asc
# http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13-alpha1-signed.tar
Source0: krb5-%{version}%{prerelease}.tar.gz
Source1: krb5-%{version}%{prerelease}.tar.gz.asc
# Use a dummy krb5-%{version}-pdf.tar.xz the first time through, then
# tar cvJf $RPM_SOURCE_DIR/krb5-%%{version}-pdf.tar.xz build-pdf/*.pdf
# after the build phase finishes.
Source3: krb5-%{version}-pdf.tar.xz
Source3: krb5-%{version}%{prerelease}-pdf.tar.xz
Source2: kprop.service
Source4: kadmin.service
Source5: krb5kdc.service
@ -76,36 +77,18 @@ Source100: nss_wrapper-0.0-20140204195100.git3d58327.tar.xz
Source101: noport.c
Source102: socket_wrapper-0.0-20140204194748.gitf3b2ece.tar.xz
Patch1: krb5-1.12-pwdch-fast.patch
Patch6: krb5-1.12-ksu-path.patch
Patch12: krb5-1.12-ktany.patch
Patch16: krb5-1.12-buildconf.patch
Patch23: krb5-1.3.1-dns.patch
Patch29: krb5-1.10-kprop-mktemp.patch
Patch30: krb5-1.3.4-send-pr-tempfile.patch
Patch39: krb5-1.12-api.patch
Patch59: krb5-1.10-kpasswd_tcp.patch
Patch60: krb5-1.12.1-pam.patch
Patch63: krb5-1.12-selinux-label.patch
Patch71: krb5-1.11-dirsrv-accountlock.patch
Patch63: krb5-1.13-selinux-label.patch
Patch71: krb5-1.13-dirsrv-accountlock.patch
Patch86: krb5-1.9-debuginfo.patch
Patch105: krb5-kvno-230379.patch
Patch129: krb5-1.11-run_user_0.patch
Patch134: krb5-1.11-kpasswdtest.patch
Patch136: krb5-master-rcache-internal-const.patch
Patch137: krb5-master-rcache-acquirecred-cleanup.patch
Patch139: krb5-master-rcache-acquirecred-source.patch
Patch141: krb5-master-rcache-acquirecred-test.patch
Patch142: krb5-master-move-otp-sockets.patch
Patch145: krb5-master-mechd.patch
Patch146: krb5-master-strdupcheck.patch
Patch201: 0001-In-ksu-merge-krb5_ccache_copy-and-_restricted.patch
Patch202: 0002-In-ksu-don-t-stat-not-on-disk-ccache-residuals.patch
Patch203: 0003-Use-an-intermediate-memory-cache-in-ksu.patch
Patch204: 0004-Make-ksu-respect-the-default_ccache_name-setting.patch
Patch205: 0005-Copy-config-entries-to-the-ksu-target-ccache.patch
Patch206: 0006-Use-more-randomness-for-ksu-secondary-cache-names.patch
Patch207: 0007-Make-krb5_cc_new_unique-create-DIR-directories.patch
License: MIT
URL: http://web.mit.edu/kerberos/www/
@ -238,8 +221,6 @@ Requires: chkconfig
# we drop files in its directory, but we don't want to own that directory
Requires: logrotate
Requires(preun): initscripts
# mktemp is used by krb5-send-pr
Requires: coreutils
# we specify /usr/share/dict/words as the default dict_file in kdc.conf
Requires: /usr/share/dict/words
%if %{WITH_SYSVERTO}
@ -272,8 +253,6 @@ realm, you need to install this package.
Summary: Kerberos 5 programs for use on workstations
Group: System Environment/Base
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
# mktemp is used by krb5-send-pr
Requires: coreutils
%description workstation
Kerberos is a network authentication system. The krb5-workstation
@ -305,19 +284,9 @@ to obtain initial credentials from a KDC using a private key and a
certificate.
%prep
%setup -q -a 3 -a 100 -a 102
%setup -q -n %{name}-%{version}%{prerelease} -a 3 -a 100 -a 102
ln -s NOTICE LICENSE
%patch201 -p1 -b .In-ksu-merge-krb5_ccache_copy-and-_restricted
%patch202 -p1 -b .In-ksu-don-t-stat-not-on-disk-ccache-residuals
%patch203 -p1 -b .Use-an-intermediate-memory-cache-in-ksu
%patch204 -p1 -b .Make-ksu-respect-the-default_ccache_name-setting
%patch205 -p1 -b .Copy-config-entries-to-the-ksu-target-ccache
%patch206 -p1 -b .Use-more-randomness-for-ksu-secondary-cache-names
%patch207 -p1 -b .Make-krb5_cc_new_unique-create-DIR-directories
%patch1 -p1 -b .pwdch-fast
%patch60 -p1 -b .pam
%patch63 -p1 -b .selinux-label
@ -326,10 +295,7 @@ ln -s NOTICE LICENSE
%patch12 -p1 -b .ktany
%patch16 -p1 -b .buildconf %{?_rawbuild}
%patch23 -p1 -b .dns %{?_rawbuild}
%patch29 -p1 -b .kprop-mktemp
%patch30 -p1 -b .send-pr-tempfile
%patch39 -p1 -b .api
%patch59 -p1 -b .kpasswd_tcp
%patch71 -p1 -b .dirsrv-accountlock %{?_rawbuild}
%patch86 -p0 -b .debuginfo
%patch105 -p1 -b .kvno
@ -340,14 +306,6 @@ ln -s NOTICE LICENSE
%patch134 -p1 -b .kpasswdtest
%patch136 -p1 -b .rcache-internal-const
%patch137 -p1 -b .rcache-acquirecred-cleanup
%patch139 -p1 -b .rcache-acquirecred-source
%patch141 -p1 -b .rcache-acquirecred-test
%patch142 -p1 -b .move-otp-sockets
%patch145 -p1 -b .master-mechd
%patch146 -p1 -b .master-strdupcheck
# Take the execute bit off of documentation.
chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html
@ -364,8 +322,6 @@ touch -r $inldif 60kerberos.ldif
# Rebuild the configure scripts.
pushd src
#autoheader
#autoconf
./util/reconf --verbose
popd
@ -378,9 +334,7 @@ mkdir -p socket_wrapper/build
cfg="src/kadmin/testing/proto/kdc.conf.proto \
src/kadmin/testing/proto/krb5.conf.proto \
src/lib/kadm5/unit-test/api.current/init-v2.exp \
src/util/k5test.py \
src/tests/mk_migr/ldap_backend/input_conf/*.conf \
src/tests/mk_migr/db2_backend/input_conf/*.conf"
src/util/k5test.py"
LONG_BIT=`getconf LONG_BIT`
PORT=`expr 61000 + $LONG_BIT - 48`
sed -i -e s,61000,`expr "$PORT" + 0`,g $cfg
@ -442,9 +396,11 @@ CPPFLAGS="`echo $DEFINES $INCLUDES`"
%endif
%if %{WITH_OPENSSL}
--with-pkinit-crypto-impl=openssl \
--with-tls-impl=openssl \
%endif
%if %{WITH_NSS}
--with-crypto-impl=nss \
--without-tls-impl \
%endif
%if %{WITH_SYSVERTO}
--with-system-verto \
@ -656,6 +612,10 @@ for section in 1 5 8 ; do
$RPM_BUILD_ROOT/%{_mandir}/man${section}/
done
# This script just tells you to send bug reports to krb5-bugs@mit.edu, but
# since we don't have a man page for it, just drop it.
rm $RPM_BUILD_ROOT/%{_sbindir}/krb5-send-pr
%find_lang %{gettext_domain}
%clean
@ -831,12 +791,6 @@ exit 0
%{_mandir}/man1/ksu.1*
%config(noreplace) /etc/pam.d/ksu
# Problem-reporting tool.
%{_sbindir}/krb5-send-pr
%dir %{_datadir}/gnats
%{_datadir}/gnats/mit
%{_mandir}/man1/krb5-send-pr.1*
%files server
%defattr(-,root,root,-)
%docdir %{_mandir}
@ -871,13 +825,6 @@ exit 0
%dir %{_libdir}/krb5/plugins/authdata
%{_libdir}/krb5/plugins/preauth/otp.so
# Problem-reporting tool.
%{_sbindir}/krb5-send-pr
%dir %{_datadir}/gnats
%{_datadir}/gnats/mit
%{_mandir}/man1/krb5-send-pr.1*
# KDC binaries and configuration.
%{_mandir}/man5/kadm5.acl.5*
%{_mandir}/man5/kdc.conf.5*
@ -961,6 +908,9 @@ exit 0
%dir %{_libdir}/krb5/plugins
%dir %{_libdir}/krb5/plugins/*
%{_libdir}/krb5/plugins/kdb/db2.so
%if %{WITH_OPENSSL}
%{_libdir}/krb5/plugins/tls/k5tls.so
%endif
%dir %{_var}/kerberos
%dir %{_var}/kerberos/krb5
%dir %{_var}/kerberos/krb5/user
@ -1023,6 +973,10 @@ exit 0
%{_sbindir}/uuserver
%changelog
* Fri Aug 22 2014 Nalin Dahyabhai <nalin@redhat.com> - 1.12.2-4
- update to 1.13 alpha1
- drop upstreamed and backported patches
* Wed Aug 20 2014 Nalin Dahyabhai <nalin@redhat.com> - 1.12.2-3
- pull in upstream fix for an incorrect check on the value returned by a
strdup() call (#1132062)

6
sources
View File

@ -1,5 +1,5 @@
8777a835ae84f7d2f5872bf388bc6d76 krb5-1.12.2.tar.gz
5a45834367bda0a037d1b8f5a8912002 krb5-1.12.2.tar.gz.asc
c4dca109bc4d480ae4b05d1430671c77 krb5-1.12.2-pdf.tar.xz
c0b597b78cd13be105aff29c600883b9 krb5-1.13-alpha1.tar.gz
49a891e6007a42a7e6f82e5943899a2c krb5-1.13-alpha1.tar.gz.asc
d3c480887984f14ecd8d93fd30a11896 krb5-1.13-alpha1-pdf.tar.xz
142c7f3f8d2b08936d2cee3de743133e nss_wrapper-0.0-20140204195100.git3d58327.tar.xz
d8e42cf537192765463c3f1bad870250 socket_wrapper-0.0-20140204194748.gitf3b2ece.tar.xz