diff --git a/.gitignore b/.gitignore index 294595c..05b535a 100644 --- a/.gitignore +++ b/.gitignore @@ -110,3 +110,6 @@ krb5-1.8.3-pdf.tar.gz /krb5-1.12.2.tar.gz /krb5-1.12.2.tar.gz.asc /krb5-1.12.2-pdf.tar.xz +/krb5-1.13-alpha1.tar.gz +/krb5-1.13-alpha1.tar.gz.asc +/krb5-1.13-alpha1-pdf.tar.xz diff --git a/0001-In-ksu-merge-krb5_ccache_copy-and-_restricted.patch b/0001-In-ksu-merge-krb5_ccache_copy-and-_restricted.patch deleted file mode 100644 index ac7baa1..0000000 --- a/0001-In-ksu-merge-krb5_ccache_copy-and-_restricted.patch +++ /dev/null @@ -1,230 +0,0 @@ -From 74e775ac6d937c9d22be4fc1d429e5e62705fb7d Mon Sep 17 00:00:00 2001 -From: Nalin Dahyabhai -Date: Thu, 24 Jul 2014 15:39:53 -0400 -Subject: [PATCH 1/7] In ksu, merge krb5_ccache_copy() and _restricted() - -Other than whether or not they limit the creds it stores to the new -ccache based on the principal name of the client for whom the creds were -issued, there's no meaningful difference between what these two -functions do. Merge them. ---- - src/clients/ksu/ccache.c | 106 ++++++----------------------------------------- - src/clients/ksu/ksu.h | 6 +-- - src/clients/ksu/main.c | 27 ++++-------- - 3 files changed, 22 insertions(+), 117 deletions(-) - -diff --git a/src/clients/ksu/ccache.c b/src/clients/ksu/ccache.c -index 9916c75..118fc53 100644 ---- a/src/clients/ksu/ccache.c -+++ b/src/clients/ksu/ccache.c -@@ -47,12 +47,14 @@ void show_credential(); - */ - - krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag, -- primary_principal, cc_out, stored, target_uid) -+ primary_principal, restrict_creds, cc_out, -+ stored, target_uid) - /* IN */ - krb5_context context; - krb5_ccache cc_def; - char *cc_other_tag; - krb5_principal primary_principal; -+ krb5_boolean restrict_creds; - uid_t target_uid; - /* OUT */ - krb5_ccache *cc_out; -@@ -83,9 +85,6 @@ krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag, - } - } - -- *stored = krb5_find_princ_in_cred_list(context, cc_def_creds_arr, -- primary_principal); -- - if (!lstat( cc_other_name, &st_temp)) - return EINVAL; - -@@ -98,8 +97,16 @@ krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag, - return retval; - } - -- retval = krb5_store_all_creds(context, * cc_other, cc_def_creds_arr, -- cc_other_creds_arr); -+ if (restrict_creds) { -+ retval = krb5_store_some_creds(context, *cc_other, cc_def_creds_arr, -+ cc_other_creds_arr, primary_principal, -+ stored); -+ } else { -+ *stored = krb5_find_princ_in_cred_list(context, cc_def_creds_arr, -+ primary_principal); -+ retval = krb5_store_all_creds(context, *cc_other, cc_def_creds_arr, -+ cc_other_creds_arr); -+ } - - if (cc_def_creds_arr){ - while (cc_def_creds_arr[i]){ -@@ -623,93 +630,6 @@ krb5_error_code krb5_store_some_creds(context, cc, creds_def, creds_other, prst, - *stored = temp_stored; - return 0; - } --/****************************************************************** --krb5_cache_copy_restricted -- --gets rid of any expired tickets in the secondary cache, --copies the default cache into the secondary cache, --only credentials that are for prst are copied. -- --the algorithm may look a bit funny, --but I had to do it this way, since cc_remove function did not come --with k5 beta 3 release. --************************************************************************/ -- --krb5_error_code krb5_ccache_copy_restricted (context, cc_def, cc_other_tag, -- prst, cc_out, stored, target_uid) -- krb5_context context; -- krb5_ccache cc_def; -- char *cc_other_tag; -- krb5_principal prst; -- uid_t target_uid; -- /* OUT */ -- krb5_ccache *cc_out; -- krb5_boolean *stored; --{ -- -- int i=0; -- krb5_ccache * cc_other; -- const char * cc_def_name; -- const char * cc_other_name; -- krb5_error_code retval=0; -- krb5_creds ** cc_def_creds_arr = NULL; -- krb5_creds ** cc_other_creds_arr = NULL; -- struct stat st_temp; -- -- cc_other = (krb5_ccache *) xcalloc(1, sizeof (krb5_ccache)); -- -- if ((retval = krb5_cc_resolve(context, cc_other_tag, cc_other))){ -- com_err(prog_name, retval, _("resolving ccache %s"), cc_other_tag); -- return retval; -- } -- -- cc_def_name = krb5_cc_get_name(context, cc_def); -- cc_other_name = krb5_cc_get_name(context, *cc_other); -- -- if ( ! stat(cc_def_name, &st_temp)){ -- if((retval = krb5_get_nonexp_tkts(context,cc_def,&cc_def_creds_arr))){ -- return retval; -- } -- -- } -- -- if (!lstat( cc_other_name, &st_temp)) { -- return EINVAL; -- } -- -- if (krb5_seteuid(0)||krb5_seteuid(target_uid)) { -- return errno; -- } -- -- -- if ((retval = krb5_cc_initialize(context, *cc_other, prst))){ -- return retval; -- } -- -- retval = krb5_store_some_creds(context, * cc_other, -- cc_def_creds_arr, cc_other_creds_arr, prst, stored); -- -- -- -- if (cc_def_creds_arr){ -- while (cc_def_creds_arr[i]){ -- krb5_free_creds(context, cc_def_creds_arr[i]); -- i++; -- } -- } -- -- i=0; -- -- if(cc_other_creds_arr){ -- while (cc_other_creds_arr[i]){ -- krb5_free_creds(context, cc_other_creds_arr[i]); -- i++; -- } -- } -- -- *cc_out = *cc_other; -- return retval; --} - - krb5_error_code krb5_ccache_filter (context, cc, prst) - krb5_context context; -diff --git a/src/clients/ksu/ksu.h b/src/clients/ksu/ksu.h -index f2c0811..9e0c613 100644 ---- a/src/clients/ksu/ksu.h -+++ b/src/clients/ksu/ksu.h -@@ -107,7 +107,7 @@ extern krb5_error_code get_best_principal - /* ccache.c */ - extern krb5_error_code krb5_ccache_copy - (krb5_context, krb5_ccache, char *, krb5_principal, -- krb5_ccache *, krb5_boolean *, uid_t); -+ krb5_boolean, krb5_ccache *, krb5_boolean *, uid_t); - - extern krb5_error_code krb5_store_all_creds - (krb5_context, krb5_ccache, krb5_creds **, krb5_creds **); -@@ -141,10 +141,6 @@ extern krb5_error_code krb5_store_some_creds - (krb5_context, krb5_ccache, krb5_creds **, krb5_creds **, - krb5_principal, krb5_boolean *); - --extern krb5_error_code krb5_ccache_copy_restricted --(krb5_context, krb5_ccache, char *, krb5_principal, -- krb5_ccache *, krb5_boolean *, uid_t); -- - extern krb5_error_code krb5_ccache_refresh - (krb5_context, krb5_ccache); - -diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c -index 233eb52..62f3bc0 100644 ---- a/src/clients/ksu/main.c -+++ b/src/clients/ksu/main.c -@@ -117,6 +117,7 @@ main (argc, argv) - krb5_principal kdc_server; - krb5_boolean zero_password; - char * dir_of_cc_target; -+ krb5_boolean restrict_creds; - - options.opt = KRB5_DEFAULT_OPTIONS; - options.lifetime = KRB5_DEFAULT_TKT_LIFE; -@@ -464,25 +465,13 @@ main (argc, argv) - then only the credentials for that particular user - should be copied */ - -- if ((source_uid == 0) && (target_uid != 0)) { -- -- if ((retval = krb5_ccache_copy_restricted(ksu_context, cc_source, -- cc_target_tag, client, -- &cc_target, &stored, -- target_uid))){ -- com_err(prog_name, retval, _("while copying cache %s to %s"), -- krb5_cc_get_name(ksu_context, cc_source), cc_target_tag); -- exit(1); -- } -- -- } else { -- if ((retval = krb5_ccache_copy(ksu_context, cc_source, cc_target_tag, -- client,&cc_target, &stored, target_uid))) { -- com_err(prog_name, retval, _("while copying cache %s to %s"), -- krb5_cc_get_name(ksu_context, cc_source), cc_target_tag); -- exit(1); -- } -- -+ restrict_creds = (source_uid == 0) && (target_uid != 0); -+ retval = krb5_ccache_copy(ksu_context, cc_source, cc_target_tag, client, -+ restrict_creds, &cc_target, &stored, target_uid); -+ if (retval) { -+ com_err(prog_name, retval, _("while copying cache %s to %s"), -+ krb5_cc_get_name(ksu_context, cc_source), cc_target_tag); -+ exit(1); - } - - /* Become root for authentication*/ --- -2.0.4 - diff --git a/0002-In-ksu-don-t-stat-not-on-disk-ccache-residuals.patch b/0002-In-ksu-don-t-stat-not-on-disk-ccache-residuals.patch deleted file mode 100644 index 262e7c7..0000000 --- a/0002-In-ksu-don-t-stat-not-on-disk-ccache-residuals.patch +++ /dev/null @@ -1,369 +0,0 @@ -From 9ebae7cb434b9b177c0af85c67a6d6267f46bc68 Mon Sep 17 00:00:00 2001 -From: Nalin Dahyabhai -Date: Fri, 1 Nov 2013 09:48:13 -0400 -Subject: [PATCH 2/7] In ksu, don't stat() not-on-disk ccache residuals - -Don't assume that ccache residual names are filenames which we can -stat() usefully. Instead, use helper functions to call the library -routines to try to read the default principal name from caches, and -use whether or not that succeeds as an indication of whether or not -there's a ccache in a given location. - -ticket: 7728 ---- - src/clients/ksu/ccache.c | 60 ++++++++++++++++++++-------------- - src/clients/ksu/heuristic.c | 13 ++------ - src/clients/ksu/ksu.h | 8 +++-- - src/clients/ksu/main.c | 79 +++++++++------------------------------------ - 4 files changed, 60 insertions(+), 100 deletions(-) - -diff --git a/src/clients/ksu/ccache.c b/src/clients/ksu/ccache.c -index 118fc53..5f57279 100644 ---- a/src/clients/ksu/ccache.c -+++ b/src/clients/ksu/ccache.c -@@ -62,12 +62,9 @@ krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag, - { - int i=0; - krb5_ccache * cc_other; -- const char * cc_def_name; -- const char * cc_other_name; - krb5_error_code retval=0; - krb5_creds ** cc_def_creds_arr = NULL; - krb5_creds ** cc_other_creds_arr = NULL; -- struct stat st_temp; - - cc_other = (krb5_ccache *) xcalloc(1, sizeof (krb5_ccache)); - -@@ -76,16 +73,13 @@ krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag, - return retval; - } - -- cc_def_name = krb5_cc_get_name(context, cc_def); -- cc_other_name = krb5_cc_get_name(context, *cc_other); -- -- if ( ! stat(cc_def_name, &st_temp)){ -+ if (ks_ccache_is_initialized(context, cc_def)) { - if((retval = krb5_get_nonexp_tkts(context,cc_def,&cc_def_creds_arr))){ - return retval; - } - } - -- if (!lstat( cc_other_name, &st_temp)) -+ if (ks_ccache_name_is_initialized(context, cc_other_tag)) - return EINVAL; - - if (krb5_seteuid(0)||krb5_seteuid(target_uid)) { -@@ -540,24 +534,18 @@ krb5_error_code krb5_ccache_overwrite(context, ccs, cct, primary_principal) - krb5_ccache cct; - krb5_principal primary_principal; - { -- const char * cct_name; -- const char * ccs_name; - krb5_error_code retval=0; - krb5_principal temp_principal; - krb5_creds ** ccs_creds_arr = NULL; - int i=0; -- struct stat st_temp; - -- ccs_name = krb5_cc_get_name(context, ccs); -- cct_name = krb5_cc_get_name(context, cct); -- -- if ( ! stat(ccs_name, &st_temp)){ -+ if (ks_ccache_is_initialized(context, ccs)) { - if ((retval = krb5_get_nonexp_tkts(context, ccs, &ccs_creds_arr))){ - return retval; - } - } - -- if ( ! stat(cct_name, &st_temp)){ -+ if (ks_ccache_is_initialized(context, cct)) { - if ((retval = krb5_cc_get_principal(context, cct, &temp_principal))){ - return retval; - } -@@ -643,12 +631,10 @@ krb5_error_code krb5_ccache_filter (context, cc, prst) - krb5_creds ** cc_creds_arr = NULL; - const char * cc_name; - krb5_boolean stored; -- struct stat st_temp; - - cc_name = krb5_cc_get_name(context, cc); - -- if ( ! stat(cc_name, &st_temp)){ -- -+ if (ks_ccache_is_initialized(context, cc)) { - if (auth_debug) { - fprintf(stderr,"putting cache %s through a filter for -z option\n", cc_name); - } -@@ -713,12 +699,8 @@ krb5_error_code krb5_find_princ_in_cache (context, cc, princ, found) - { - krb5_error_code retval; - krb5_creds ** creds_list = NULL; -- const char * cc_name; -- struct stat st_temp; -- -- cc_name = krb5_cc_get_name(context, cc); - -- if ( ! stat(cc_name, &st_temp)){ -+ if (ks_ccache_is_initialized(context, cc)) { - if ((retval = krb5_get_nonexp_tkts(context, cc, &creds_list))){ - return retval; - } -@@ -727,3 +709,33 @@ krb5_error_code krb5_find_princ_in_cache (context, cc, princ, found) - *found = krb5_find_princ_in_cred_list(context, creds_list, princ); - return 0; - } -+ -+krb5_boolean -+ks_ccache_name_is_initialized(krb5_context context, const char *cctag) -+{ -+ krb5_boolean result; -+ krb5_ccache cc; -+ -+ if (krb5_cc_resolve(context, cctag, &cc) != 0) -+ return FALSE; -+ result = ks_ccache_is_initialized(context, cc); -+ krb5_cc_close(context, cc); -+ -+ return result; -+} -+ -+krb5_boolean -+ks_ccache_is_initialized(krb5_context context, krb5_ccache cc) -+{ -+ krb5_principal princ; -+ krb5_error_code retval; -+ -+ if (cc == NULL) -+ return FALSE; -+ -+ retval = krb5_cc_get_principal(context, cc, &princ); -+ if (retval == 0) -+ krb5_free_principal(context, princ); -+ -+ return retval == 0; -+} -diff --git a/src/clients/ksu/heuristic.c b/src/clients/ksu/heuristic.c -index 99b54e5..f73b8eb 100644 ---- a/src/clients/ksu/heuristic.c -+++ b/src/clients/ksu/heuristic.c -@@ -397,12 +397,8 @@ krb5_error_code find_either_ticket (context, cc, client, end_server, found) - krb5_principal kdc_server; - krb5_error_code retval; - krb5_boolean temp_found = FALSE; -- const char * cc_source_name; -- struct stat st_temp; - -- cc_source_name = krb5_cc_get_name(context, cc); -- -- if ( ! stat(cc_source_name, &st_temp)){ -+ if (ks_ccache_is_initialized(context, cc)) { - - retval = find_ticket(context, cc, client, end_server, &temp_found); - if (retval) -@@ -539,7 +535,6 @@ krb5_error_code get_best_princ_for_target(context, source_uid, target_uid, - { - - princ_info princ_trials[10]; -- const char * cc_source_name; - krb5_principal cc_def_princ = NULL; - krb5_principal temp_client; - krb5_principal target_client; -@@ -551,7 +546,6 @@ krb5_error_code get_best_princ_for_target(context, source_uid, target_uid, - struct stat tb; - int count =0; - int i; -- struct stat st_temp; - - *path_out = 0; - -@@ -559,10 +553,7 @@ krb5_error_code get_best_princ_for_target(context, source_uid, target_uid, - if (options->princ) - return 0; - -- cc_source_name = krb5_cc_get_name(context, cc_source); -- -- -- if (! stat(cc_source_name, &st_temp)) { -+ if (ks_ccache_is_initialized(context, cc_source)) { - retval = krb5_cc_get_principal(context, cc_source, &cc_def_princ); - if (retval) - return retval; -diff --git a/src/clients/ksu/ksu.h b/src/clients/ksu/ksu.h -index 9e0c613..e1e34f1 100644 ---- a/src/clients/ksu/ksu.h -+++ b/src/clients/ksu/ksu.h -@@ -141,6 +141,12 @@ extern krb5_error_code krb5_store_some_creds - (krb5_context, krb5_ccache, krb5_creds **, krb5_creds **, - krb5_principal, krb5_boolean *); - -+extern krb5_boolean ks_ccache_name_is_initialized -+(krb5_context, const char *); -+ -+extern krb5_boolean ks_ccache_is_initialized -+(krb5_context, krb5_ccache); -+ - extern krb5_error_code krb5_ccache_refresh - (krb5_context, krb5_ccache); - -@@ -198,8 +204,6 @@ extern int standard_shell (char *); - - extern krb5_error_code get_params (int *, int, char **, char ***); - --extern char *get_dir_of_file (const char *); -- - /* heuristic.c */ - extern krb5_error_code get_all_princ_from_file (FILE *, char ***); - -diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c -index 62f3bc0..8c49f94 100644 ---- a/src/clients/ksu/main.c -+++ b/src/clients/ksu/main.c -@@ -51,7 +51,6 @@ static void print_status( const char *fmt, ...) - __attribute__ ((__format__ (__printf__, 1, 2))) - #endif - ; --char * get_dir_of_file(); - - /* Note -e and -a options are mutually exclusive */ - /* insure the proper specification of target user as well as catching -@@ -96,7 +95,6 @@ main (argc, argv) - const char * cc_source_tag = NULL; - uid_t source_gid; - const char * cc_source_tag_tmp = NULL; -- char * cc_target_tag_tmp=NULL; - char * cmd = NULL, * exec_cmd = NULL; - int errflg = 0; - krb5_boolean auth_val; -@@ -112,11 +110,9 @@ main (argc, argv) - extern char * getpass(), *crypt(); - int pargc; - char ** pargv; -- struct stat st_temp; - krb5_boolean stored = FALSE; - krb5_principal kdc_server; - krb5_boolean zero_password; -- char * dir_of_cc_target; - krb5_boolean restrict_creds; - - options.opt = KRB5_DEFAULT_OPTIONS; -@@ -266,9 +262,10 @@ main (argc, argv) - if ( strchr(cc_source_tag, ':')){ - cc_source_tag_tmp = strchr(cc_source_tag, ':') + 1; - -- if( stat( cc_source_tag_tmp, &st_temp)){ -+ if (!ks_ccache_name_is_initialized(ksu_context, -+ cc_source_tag)) { - com_err(prog_name, errno, -- _("while looking for credentials file %s"), -+ _("while looking for credentials cache %s"), - cc_source_tag_tmp); - exit (1); - } -@@ -419,32 +416,18 @@ main (argc, argv) - exit(1); - } - -- if (cc_target_tag == NULL) { -- -- cc_target_tag = (char *)xcalloc(KRB5_SEC_BUFFSIZE ,sizeof(char)); -- /* make sure that the new ticket file does not already exist -- This is run as source_uid because it is reasonable to -- require the source user to have write to where the target -- cache will be created.*/ -- -- do { -- snprintf(cc_target_tag, KRB5_SEC_BUFFSIZE, "%s%ld.%d", -- KRB5_SECONDARY_CACHE, -- (long) target_uid, gen_sym()); -- cc_target_tag_tmp = strchr(cc_target_tag, ':') + 1; -- -- }while ( !stat ( cc_target_tag_tmp, &st_temp)); -- } -- -- -- dir_of_cc_target = get_dir_of_file(cc_target_tag_tmp); -- -- if (access(dir_of_cc_target, R_OK | W_OK )){ -- fprintf(stderr, -- _("%s does not have correct permissions for %s\n"), -- source_user, cc_target_tag); -- exit(1); -- } -+ /* -+ * Make sure that the new ticket file does not already exist. -+ * This is run as source_uid because it is reasonable to -+ * require the source user to have write to where the target -+ * cache will be created. -+ */ -+ cc_target_tag = (char *)xcalloc(KRB5_SEC_BUFFSIZE, sizeof(char)); -+ do { -+ snprintf(cc_target_tag, KRB5_SEC_BUFFSIZE, "%s%ld.%d", -+ KRB5_SECONDARY_CACHE, -+ (long)target_uid, gen_sym()); -+ } while (ks_ccache_name_is_initialized(ksu_context, cc_target_tag)); - - if (auth_debug){ - fprintf(stderr, " source cache = %s\n", cc_source_tag); -@@ -747,13 +730,6 @@ main (argc, argv) - exit(1); - } - -- if (access( cc_target_tag_tmp, R_OK | W_OK )){ -- com_err(prog_name, errno, -- _("%s does not have correct permissions for %s, %s aborted"), -- target_user, cc_target_tag_tmp, prog_name); -- exit(1); -- } -- - if ( cc_source) - krb5_cc_close(ksu_context, cc_source); - -@@ -873,8 +849,6 @@ static void sweep_up(context, cc) - krb5_ccache cc; - { - krb5_error_code retval; -- const char * cc_name; -- struct stat st_temp; - - krb5_seteuid(0); - if (krb5_seteuid(target_uid) < 0) { -@@ -883,8 +857,7 @@ static void sweep_up(context, cc) - exit(1); - } - -- cc_name = krb5_cc_get_name(context, cc); -- if ( ! stat(cc_name, &st_temp)){ -+ if (ks_ccache_is_initialized(context, cc)) { - if ((retval = krb5_cc_destroy(context, cc))) - com_err(prog_name, retval, _("while destroying cache")); - } -@@ -937,26 +910,6 @@ void print_status(const char *fmt, ...) - } - } - -- --char *get_dir_of_file(path) -- const char *path; --{ -- char * temp_path; -- char * ptr; -- -- temp_path = xstrdup(path); -- -- if ((ptr = strrchr( temp_path, '/'))) { -- *ptr = '\0'; -- } else { -- free (temp_path); -- temp_path = xmalloc(MAXPATHLEN); -- if (temp_path) -- getcwd(temp_path, MAXPATHLEN); -- } -- return temp_path; --} -- - krb5_error_code - ksu_tgtname(context, server, client, tgtprinc) - krb5_context context; --- -2.0.4 - diff --git a/0003-Use-an-intermediate-memory-cache-in-ksu.patch b/0003-Use-an-intermediate-memory-cache-in-ksu.patch deleted file mode 100644 index 4bef600..0000000 --- a/0003-Use-an-intermediate-memory-cache-in-ksu.patch +++ /dev/null @@ -1,417 +0,0 @@ -From dccc80a469b1925fcfe7697406a69912efe4baa1 Mon Sep 17 00:00:00 2001 -From: Nalin Dahyabhai -Date: Wed, 30 Oct 2013 21:45:35 -0400 -Subject: [PATCH 3/7] Use an intermediate memory cache in ksu - -Instead of copying source or obtained creds into the target cache and -changing ownership if everything succeeds, copy them into a MEMORY: -cache and then, if everything succeeds, create the target cache as the -target user. - -We no longer need to clean up the temporary ccache when exiting in -most error cases. - -Use a fake principal name ("_ksu/_ksu@_ksu") as the primary holder of -the temporary cache so that we won't accidentally select it when we -make a subsequent call to krb5_cc_cache_match() (to be added in a -later patch) to find the target location where the creds should be -stored for use while running as the target user. ---- - src/clients/ksu/ccache.c | 10 +-- - src/clients/ksu/ksu.h | 4 +- - src/clients/ksu/main.c | 156 ++++++++++++++++++++++++----------------------- - 3 files changed, 87 insertions(+), 83 deletions(-) - -diff --git a/src/clients/ksu/ccache.c b/src/clients/ksu/ccache.c -index 5f57279..d0fc389 100644 ---- a/src/clients/ksu/ccache.c -+++ b/src/clients/ksu/ccache.c -@@ -47,14 +47,15 @@ void show_credential(); - */ - - krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag, -- primary_principal, restrict_creds, cc_out, -- stored, target_uid) -+ primary_principal, restrict_creds, -+ target_principal, cc_out, stored, target_uid) - /* IN */ - krb5_context context; - krb5_ccache cc_def; - char *cc_other_tag; - krb5_principal primary_principal; - krb5_boolean restrict_creds; -+ krb5_principal target_principal; - uid_t target_uid; - /* OUT */ - krb5_ccache *cc_out; -@@ -86,10 +87,9 @@ krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag, - return errno; - } - -- -- if ((retval = krb5_cc_initialize(context, *cc_other, primary_principal))){ -+ retval = krb5_cc_initialize(context, *cc_other, target_principal); -+ if (retval) - return retval; -- } - - if (restrict_creds) { - retval = krb5_store_some_creds(context, *cc_other, cc_def_creds_arr, -diff --git a/src/clients/ksu/ksu.h b/src/clients/ksu/ksu.h -index e1e34f1..08bf01b 100644 ---- a/src/clients/ksu/ksu.h -+++ b/src/clients/ksu/ksu.h -@@ -106,8 +106,8 @@ extern krb5_error_code get_best_principal - - /* ccache.c */ - extern krb5_error_code krb5_ccache_copy --(krb5_context, krb5_ccache, char *, krb5_principal, -- krb5_boolean, krb5_ccache *, krb5_boolean *, uid_t); -+(krb5_context, krb5_ccache, char *, krb5_principal, krb5_boolean, -+ krb5_principal, krb5_ccache *, krb5_boolean *, uid_t); - - extern krb5_error_code krb5_store_all_creds - (krb5_context, krb5_ccache, krb5_creds **, krb5_creds **); -diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c -index 8c49f94..d1bb8ca 100644 ---- a/src/clients/ksu/main.c -+++ b/src/clients/ksu/main.c -@@ -42,10 +42,13 @@ char * gb_err = NULL; - int quiet = 0; - /***********/ - -+#define KS_TEMPORARY_CACHE "MEMORY:_ksu" -+#define KS_TEMPORARY_PRINC "_ksu/_ksu@_ksu" - #define _DEF_CSH "/bin/csh" - static int set_env_var (char *, char *); - static void sweep_up (krb5_context, krb5_ccache); - static char * ontty (void); -+static krb5_error_code set_ccname_env(krb5_context, krb5_ccache); - static void print_status( const char *fmt, ...) - #if __GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 7) - __attribute__ ((__format__ (__printf__, 1, 2))) -@@ -84,8 +87,8 @@ main (argc, argv) - int option=0; - int statusp=0; - krb5_error_code retval = 0; -- krb5_principal client = NULL; -- krb5_ccache cc_target = NULL; -+ krb5_principal client = NULL, tmp_princ = NULL; -+ krb5_ccache cc_tmp = NULL, cc_target = NULL; - krb5_context ksu_context; - char * cc_target_tag = NULL; - char * target_user = NULL; -@@ -93,7 +96,6 @@ main (argc, argv) - - krb5_ccache cc_source = NULL; - const char * cc_source_tag = NULL; -- uid_t source_gid; - const char * cc_source_tag_tmp = NULL; - char * cmd = NULL, * exec_cmd = NULL; - int errflg = 0; -@@ -342,8 +344,6 @@ main (argc, argv) - /* allocate space and copy the usernamane there */ - source_user = xstrdup(pwd->pw_name); - source_uid = pwd->pw_uid; -- source_gid = pwd->pw_gid; -- - - if (!strcmp(SOURCE_USER_LOGIN, target_user)){ - target_user = xstrdup (source_user); -@@ -435,25 +435,32 @@ main (argc, argv) - } - - /* -- Only when proper authentication and authorization -- takes place, the target user becomes the owner of the cache. -- */ -- -- /* we continue to run as source uid until -- the middle of the copy, when becomewe become the target user -- The cache is owned by the target user.*/ -+ * After proper authentication and authorization, populate a cache for the -+ * target user. -+ */ - -+ /* -+ * We read the set of creds we want to copy from the source ccache as the -+ * source uid, become root for authentication, and then become the target -+ * user to handle authorization and creating the target user's cache. -+ */ - - /* if root ksu's to a regular user, then - then only the credentials for that particular user - should be copied */ - - restrict_creds = (source_uid == 0) && (target_uid != 0); -- retval = krb5_ccache_copy(ksu_context, cc_source, cc_target_tag, client, -- restrict_creds, &cc_target, &stored, target_uid); -+ retval = krb5_parse_name(ksu_context, KS_TEMPORARY_PRINC, &tmp_princ); -+ if (retval) { -+ com_err(prog_name, retval, _("while parsing temporary name")); -+ exit(1); -+ } -+ retval = krb5_ccache_copy(ksu_context, cc_source, KS_TEMPORARY_CACHE, -+ client, restrict_creds, tmp_princ, &cc_tmp, -+ &stored, 0); - if (retval) { - com_err(prog_name, retval, _("while copying cache %s to %s"), -- krb5_cc_get_name(ksu_context, cc_source), cc_target_tag); -+ krb5_cc_get_name(ksu_context, cc_source), KS_TEMPORARY_CACHE); - exit(1); - } - -@@ -473,7 +480,6 @@ main (argc, argv) - &kdc_server))){ - com_err(prog_name, retval, - _("while creating tgt for local realm")); -- sweep_up(ksu_context, cc_target); - exit(1); - } - -@@ -481,13 +487,12 @@ main (argc, argv) - "enter it here and are logged\n")); - fprintf(stderr, _(" in remotely using an unsecure " - "(non-encrypted) channel.\n")); -- if (krb5_get_tkt_via_passwd (ksu_context, &cc_target, client, -- kdc_server, &options, -- &zero_password) == FALSE){ -+ if (krb5_get_tkt_via_passwd(ksu_context, &cc_tmp, client, -+ kdc_server, &options, -+ &zero_password) == FALSE){ - - if (zero_password == FALSE){ - fprintf(stderr, _("Goodbye\n")); -- sweep_up(ksu_context, cc_target); - exit(1); - } - -@@ -506,48 +511,20 @@ main (argc, argv) - if (source_uid && (source_uid != target_uid)) { - char * client_name; - -- auth_val = krb5_auth_check(ksu_context, client, localhostname, &options, -- target_user,cc_target, &path_passwd, target_uid); -+ auth_val = krb5_auth_check(ksu_context, client, localhostname, -+ &options, target_user, cc_tmp, -+ &path_passwd, target_uid); - - /* if Kerberos authentication failed then exit */ - if (auth_val ==FALSE){ - fprintf(stderr, _("Authentication failed.\n")); - syslog(LOG_WARNING, "'%s %s' authentication failed for %s%s", - prog_name,target_user,source_user,ontty()); -- sweep_up(ksu_context, cc_target); - exit(1); - } - --#if 0 -- /* At best, this avoids a single kdc request -- It is hard to implement dealing with file permissions and -- is unnecessary. It is important -- to properly handle races in chown if this code is ever re-enabled. -- */ -- /* cache the tickets if possible in the source cache */ -- if (!path_passwd){ -- -- if ((retval = krb5_ccache_overwrite(ksu_context, cc_target, cc_source, -- client))){ -- com_err (prog_name, retval, -- "while copying cache %s to %s", -- krb5_cc_get_name(ksu_context, cc_target), -- krb5_cc_get_name(ksu_context, cc_source)); -- sweep_up(ksu_context, cc_target); -- exit(1); -- } -- if (chown(cc_source_tag_tmp, source_uid, source_gid)){ -- com_err(prog_name, errno, -- "while changing owner for %s", -- cc_source_tag_tmp); -- exit(1); -- } -- } --#endif /*0*/ -- - if ((retval = krb5_unparse_name(ksu_context, client, &client_name))) { - com_err(prog_name, retval, _("When unparsing name")); -- sweep_up(ksu_context, cc_target); - exit(1); - } - -@@ -560,7 +537,6 @@ main (argc, argv) - if (krb5_seteuid(target_uid)) { - com_err(prog_name, errno, _("while switching to target for " - "authorization check")); -- sweep_up(ksu_context, cc_target); - exit(1); - } - -@@ -568,14 +544,12 @@ main (argc, argv) - cmd, &authorization_val, &exec_cmd))){ - com_err(prog_name,retval, _("while checking authorization")); - krb5_seteuid(0); /*So we have some chance of sweeping up*/ -- sweep_up(ksu_context, cc_target); - exit(1); - } - - if (krb5_seteuid(0)) { - com_err(prog_name, errno, _("while switching back from target " - "after authorization check")); -- sweep_up(ksu_context, cc_target); - exit(1); - } - if (authorization_val == TRUE){ -@@ -617,25 +591,25 @@ main (argc, argv) - - } - -- sweep_up(ksu_context, cc_target); - exit(1); - } - } - - if( some_rest_copy){ -- if ((retval = krb5_ccache_filter(ksu_context, cc_target, client))){ -+ retval = krb5_ccache_filter(ksu_context, cc_tmp, client); -+ if (retval) { - com_err(prog_name,retval, _("while calling cc_filter")); -- sweep_up(ksu_context, cc_target); - exit(1); - } - } - - if (all_rest_copy){ -- if ((retval = krb5_cc_initialize(ksu_context, cc_target, client))){ -+ retval = krb5_cc_initialize(ksu_context, cc_tmp, tmp_princ); -+ if (retval) { - com_err(prog_name, retval, _("while erasing target cache")); - exit(1); - } -- -+ stored = FALSE; - } - - /* get the shell of the user, this will be the shell used by su */ -@@ -653,7 +627,6 @@ main (argc, argv) - - if (!standard_shell(target_pwd->pw_shell) && source_uid) { - fprintf(stderr, _("ksu: permission denied (shell).\n")); -- sweep_up(ksu_context, cc_target); - exit(1); - } - #endif /* HAVE_GETUSERSHELL */ -@@ -663,43 +636,28 @@ main (argc, argv) - if(set_env_var("USER", target_pwd->pw_name)){ - fprintf(stderr, - _("ksu: couldn't set environment variable USER\n")); -- sweep_up(ksu_context, cc_target); - exit(1); - } - } - - if(set_env_var( "HOME", target_pwd->pw_dir)){ - fprintf(stderr, _("ksu: couldn't set environment variable HOME\n")); -- sweep_up(ksu_context, cc_target); - exit(1); - } - - if(set_env_var( "SHELL", shell)){ - fprintf(stderr, _("ksu: couldn't set environment variable SHELL\n")); -- sweep_up(ksu_context, cc_target); -- exit(1); -- } -- -- /* set the cc env name to target */ -- -- if(set_env_var( KRB5_ENV_CCNAME, cc_target_tag)){ -- fprintf(stderr, _("ksu: couldn't set environment variable %s\n"), -- KRB5_ENV_CCNAME); -- sweep_up(ksu_context, cc_target); - exit(1); - } - - /* set permissions */ - if (setgid(target_pwd->pw_gid) < 0) { - perror("ksu: setgid"); -- sweep_up(ksu_context, cc_target); - exit(1); - } - -- - if (initgroups(target_user, target_pwd->pw_gid)) { - fprintf(stderr, _("ksu: initgroups failed.\n")); -- sweep_up(ksu_context, cc_target); - exit(1); - } - -@@ -719,13 +677,36 @@ main (argc, argv) - */ - if (setluid((uid_t) pwd->pw_uid) < 0) { - perror("setluid"); -- sweep_up(ksu_context, cc_target); - exit(1); - } - #endif /* HAVE_SETLUID */ - - if (setuid(target_pwd->pw_uid) < 0) { - perror("ksu: setuid"); -+ exit(1); -+ } -+ -+ retval = krb5_ccache_copy(ksu_context, cc_tmp, cc_target_tag, -+ client, FALSE, client, &cc_target, &stored, -+ target_pwd->pw_uid); -+ if (retval) { -+ com_err(prog_name, retval, _("while copying cache %s to %s"), -+ KS_TEMPORARY_CACHE, cc_target_tag); -+ exit(1); -+ } -+ -+ if (stored && !ks_ccache_is_initialized(ksu_context, cc_target)) { -+ com_err(prog_name, errno, -+ _("%s does not have correct permissions for %s, %s aborted"), -+ target_user, cc_target_tag, prog_name); -+ exit(1); -+ } -+ -+ free(cc_target_tag); -+ -+ /* Set the cc env name to target. */ -+ retval = set_ccname_env(ksu_context, cc_target); -+ if (retval != 0) { - sweep_up(ksu_context, cc_target); - exit(1); - } -@@ -799,6 +780,29 @@ main (argc, argv) - } - } - -+/* Set KRB5CCNAME in the environment to point to ccache. Print an error -+ * message on failure. */ -+static krb5_error_code -+set_ccname_env(krb5_context ksu_context, krb5_ccache ccache) -+{ -+ krb5_error_code retval; -+ char *ccname; -+ -+ retval = krb5_cc_get_full_name(ksu_context, ccache, &ccname); -+ if (retval) { -+ com_err(prog_name, retval, _("while reading cache name from ccache")); -+ return retval; -+ } -+ if (set_env_var(KRB5_ENV_CCNAME, ccname)) { -+ retval = errno; -+ fprintf(stderr, -+ _("ksu: couldn't set environment variable %s\n"), -+ KRB5_ENV_CCNAME); -+ } -+ krb5_free_string(ksu_context, ccname); -+ return retval; -+} -+ - #ifdef HAVE_GETUSERSHELL - - int standard_shell(sh) --- -2.0.4 - diff --git a/0004-Make-ksu-respect-the-default_ccache_name-setting.patch b/0004-Make-ksu-respect-the-default_ccache_name-setting.patch deleted file mode 100644 index cb45f1b..0000000 --- a/0004-Make-ksu-respect-the-default_ccache_name-setting.patch +++ /dev/null @@ -1,378 +0,0 @@ -From 3a456898af626dcab4e1ab0749ca2ccb9ad6162b Mon Sep 17 00:00:00 2001 -From: Nalin Dahyabhai -Date: Wed, 30 Oct 2013 21:47:14 -0400 -Subject: [PATCH 4/7] Make ksu respect the default_ccache_name setting - -Move the logic for resolving and initializing a cache that we're -copying creds into out of krb5_ccache_copy(), and let the caller deal -with it. Add a helper functions to select/resolve an output ccache in -the default location for the target user after we've switched to the -target user's privileges. If the destination is a collection, take -care not to change which subsidiary is its primary, and reuse a -subsidiary cache if we can. If the destination is not a collection, -append a unique value to its name to make a new ccache. - -[ghudson@mit.edu: some changes to variable names and comments; move -responsibility for getting target ccache name from -resolve_target_ccache to main] - -ticket: 7984 (new) ---- - src/clients/ksu/ccache.c | 35 +++------ - src/clients/ksu/ksu.h | 6 +- - src/clients/ksu/main.c | 181 ++++++++++++++++++++++++++++++++++++++--------- - 3 files changed, 157 insertions(+), 65 deletions(-) - -diff --git a/src/clients/ksu/ccache.c b/src/clients/ksu/ccache.c -index d0fc389..4693bd4 100644 ---- a/src/clients/ksu/ccache.c -+++ b/src/clients/ksu/ccache.c -@@ -46,59 +46,41 @@ void show_credential(); - with k5 beta 3 release. - */ - --krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag, -- primary_principal, restrict_creds, -- target_principal, cc_out, stored, target_uid) -+krb5_error_code krb5_ccache_copy(context, cc_def, target_principal, cc_target, -+ restrict_creds, primary_principal, stored) - /* IN */ - krb5_context context; - krb5_ccache cc_def; -- char *cc_other_tag; -- krb5_principal primary_principal; -- krb5_boolean restrict_creds; - krb5_principal target_principal; -- uid_t target_uid; -+ krb5_ccache cc_target; -+ krb5_boolean restrict_creds; -+ krb5_principal primary_principal; - /* OUT */ -- krb5_ccache *cc_out; - krb5_boolean *stored; - { - int i=0; -- krb5_ccache * cc_other; - krb5_error_code retval=0; - krb5_creds ** cc_def_creds_arr = NULL; - krb5_creds ** cc_other_creds_arr = NULL; - -- cc_other = (krb5_ccache *) xcalloc(1, sizeof (krb5_ccache)); -- -- if ((retval = krb5_cc_resolve(context, cc_other_tag, cc_other))){ -- com_err(prog_name, retval, _("resolving ccache %s"), cc_other_tag); -- return retval; -- } -- - if (ks_ccache_is_initialized(context, cc_def)) { - if((retval = krb5_get_nonexp_tkts(context,cc_def,&cc_def_creds_arr))){ - return retval; - } - } - -- if (ks_ccache_name_is_initialized(context, cc_other_tag)) -- return EINVAL; -- -- if (krb5_seteuid(0)||krb5_seteuid(target_uid)) { -- return errno; -- } -- -- retval = krb5_cc_initialize(context, *cc_other, target_principal); -+ retval = krb5_cc_initialize(context, cc_target, target_principal); - if (retval) - return retval; - - if (restrict_creds) { -- retval = krb5_store_some_creds(context, *cc_other, cc_def_creds_arr, -+ retval = krb5_store_some_creds(context, cc_target, cc_def_creds_arr, - cc_other_creds_arr, primary_principal, - stored); - } else { - *stored = krb5_find_princ_in_cred_list(context, cc_def_creds_arr, - primary_principal); -- retval = krb5_store_all_creds(context, *cc_other, cc_def_creds_arr, -+ retval = krb5_store_all_creds(context, cc_target, cc_def_creds_arr, - cc_other_creds_arr); - } - -@@ -118,7 +100,6 @@ krb5_error_code krb5_ccache_copy (context, cc_def, cc_other_tag, - } - } - -- *cc_out = *cc_other; - return retval; - } - -diff --git a/src/clients/ksu/ksu.h b/src/clients/ksu/ksu.h -index 08bf01b..fbbf217 100644 ---- a/src/clients/ksu/ksu.h -+++ b/src/clients/ksu/ksu.h -@@ -44,8 +44,6 @@ - #define KRB5_DEFAULT_OPTIONS 0 - #define KRB5_DEFAULT_TKT_LIFE 60*60*12 /* 12 hours */ - --#define KRB5_SECONDARY_CACHE "FILE:/tmp/krb5cc_" -- - #define KRB5_LOGIN_NAME ".k5login" - #define KRB5_USERS_NAME ".k5users" - #define USE_DEFAULT_REALM_NAME "." -@@ -106,8 +104,8 @@ extern krb5_error_code get_best_principal - - /* ccache.c */ - extern krb5_error_code krb5_ccache_copy --(krb5_context, krb5_ccache, char *, krb5_principal, krb5_boolean, -- krb5_principal, krb5_ccache *, krb5_boolean *, uid_t); -+(krb5_context, krb5_ccache, krb5_principal, krb5_ccache, -+ krb5_boolean, krb5_principal, krb5_boolean *); - - extern krb5_error_code krb5_store_all_creds - (krb5_context, krb5_ccache, krb5_creds **, krb5_creds **); -diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c -index d1bb8ca..41a3bf8 100644 ---- a/src/clients/ksu/main.c -+++ b/src/clients/ksu/main.c -@@ -54,6 +54,10 @@ static void print_status( const char *fmt, ...) - __attribute__ ((__format__ (__printf__, 1, 2))) - #endif - ; -+static krb5_error_code resolve_target_cache(krb5_context ksu_context, -+ krb5_principal princ, -+ krb5_ccache *ccache_out, -+ krb5_boolean *ccache_reused); - - /* Note -e and -a options are mutually exclusive */ - /* insure the proper specification of target user as well as catching -@@ -112,7 +116,7 @@ main (argc, argv) - extern char * getpass(), *crypt(); - int pargc; - char ** pargv; -- krb5_boolean stored = FALSE; -+ krb5_boolean stored = FALSE, cc_reused = FALSE; - krb5_principal kdc_server; - krb5_boolean zero_password; - krb5_boolean restrict_creds; -@@ -416,23 +420,8 @@ main (argc, argv) - exit(1); - } - -- /* -- * Make sure that the new ticket file does not already exist. -- * This is run as source_uid because it is reasonable to -- * require the source user to have write to where the target -- * cache will be created. -- */ -- cc_target_tag = (char *)xcalloc(KRB5_SEC_BUFFSIZE, sizeof(char)); -- do { -- snprintf(cc_target_tag, KRB5_SEC_BUFFSIZE, "%s%ld.%d", -- KRB5_SECONDARY_CACHE, -- (long)target_uid, gen_sym()); -- } while (ks_ccache_name_is_initialized(ksu_context, cc_target_tag)); -- -- if (auth_debug){ -+ if (auth_debug) - fprintf(stderr, " source cache = %s\n", cc_source_tag); -- fprintf(stderr, " target cache = %s\n", cc_target_tag); -- } - - /* - * After proper authentication and authorization, populate a cache for the -@@ -455,14 +444,19 @@ main (argc, argv) - com_err(prog_name, retval, _("while parsing temporary name")); - exit(1); - } -- retval = krb5_ccache_copy(ksu_context, cc_source, KS_TEMPORARY_CACHE, -- client, restrict_creds, tmp_princ, &cc_tmp, -- &stored, 0); -+ retval = krb5_cc_resolve(ksu_context, KS_TEMPORARY_CACHE, &cc_tmp); -+ if (retval) { -+ com_err(prog_name, retval, _("while creating temporary cache")); -+ exit(1); -+ } -+ retval = krb5_ccache_copy(ksu_context, cc_source, tmp_princ, cc_tmp, -+ restrict_creds, client, &stored); - if (retval) { - com_err(prog_name, retval, _("while copying cache %s to %s"), - krb5_cc_get_name(ksu_context, cc_source), KS_TEMPORARY_CACHE); - exit(1); - } -+ krb5_cc_close(ksu_context, cc_source); - - /* Become root for authentication*/ - -@@ -686,23 +680,38 @@ main (argc, argv) - exit(1); - } - -- retval = krb5_ccache_copy(ksu_context, cc_tmp, cc_target_tag, -- client, FALSE, client, &cc_target, &stored, -- target_pwd->pw_uid); -+ retval = resolve_target_cache(ksu_context, client, &cc_target, &cc_reused); -+ if (retval) -+ exit(1); -+ retval = krb5_cc_get_full_name(ksu_context, cc_target, &cc_target_tag); - if (retval) { -- com_err(prog_name, retval, _("while copying cache %s to %s"), -- KS_TEMPORARY_CACHE, cc_target_tag); -+ com_err(prog_name, retval, _("while getting name of target ccache")); -+ sweep_up(ksu_context, cc_target); - exit(1); - } -+ if (auth_debug) -+ fprintf(stderr, " target cache = %s\n", cc_target_tag); -+ if (cc_reused) -+ keep_target_cache = TRUE; - -- if (stored && !ks_ccache_is_initialized(ksu_context, cc_target)) { -- com_err(prog_name, errno, -- _("%s does not have correct permissions for %s, %s aborted"), -- target_user, cc_target_tag, prog_name); -- exit(1); -+ if (stored) { -+ retval = krb5_ccache_copy(ksu_context, cc_tmp, client, cc_target, -+ FALSE, client, &stored); -+ if (retval) { -+ com_err(prog_name, retval, _("while copying cache %s to %s"), -+ KS_TEMPORARY_CACHE, cc_target_tag); -+ exit(1); -+ } -+ -+ if (!ks_ccache_is_initialized(ksu_context, cc_target)) { -+ com_err(prog_name, errno, -+ _("%s does not have correct permissions for %s, " -+ "%s aborted"), target_user, cc_target_tag, prog_name); -+ exit(1); -+ } - } - -- free(cc_target_tag); -+ krb5_free_string(ksu_context, cc_target_tag); - - /* Set the cc env name to target. */ - retval = set_ccname_env(ksu_context, cc_target); -@@ -711,9 +720,6 @@ main (argc, argv) - exit(1); - } - -- if ( cc_source) -- krb5_cc_close(ksu_context, cc_source); -- - if (cmd){ - if ((source_uid == 0) || (source_uid == target_uid )){ - exec_cmd = cmd; -@@ -803,6 +809,113 @@ set_ccname_env(krb5_context ksu_context, krb5_ccache ccache) - return retval; - } - -+/* -+ * Get the configured default ccache name. Unset KRB5CCNAME and force a -+ * recomputation so we don't use values for the source user. Print an error -+ * message on failure. -+ */ -+static krb5_error_code -+get_configured_defccname(krb5_context context, char **target_out) -+{ -+ krb5_error_code retval; -+ const char *defname; -+ char *target; -+ -+ *target_out = NULL; -+ -+ if (unsetenv(KRB5_ENV_CCNAME) != 0) { -+ retval = errno; -+ com_err(prog_name, retval, _("while clearing the value of %s"), -+ KRB5_ENV_CCNAME); -+ return retval; -+ } -+ -+ /* Make sure we don't have a cached value for a different uid. */ -+ retval = krb5_cc_set_default_name(context, NULL); -+ if (retval != 0) { -+ com_err(prog_name, retval, _("while resetting target ccache name")); -+ return retval; -+ } -+ -+ defname = krb5_cc_default_name(context); -+ target = (defname == NULL) ? NULL : strdup(defname); -+ if (target == NULL) { -+ com_err(prog_name, ENOMEM, _("while determining target ccache name")); -+ return ENOMEM; -+ } -+ *target_out = target; -+ return 0; -+} -+ -+/* Determine where the target user's creds should be stored. Print an error -+ * message on failure. */ -+static krb5_error_code -+resolve_target_cache(krb5_context context, krb5_principal princ, -+ krb5_ccache *ccache_out, krb5_boolean *ccache_reused) -+{ -+ krb5_error_code retval; -+ krb5_boolean switchable, reused = FALSE; -+ krb5_ccache ccache = NULL; -+ char *sep, *ccname = NULL, *target; -+ -+ *ccache_out = NULL; -+ *ccache_reused = FALSE; -+ -+ retval = get_configured_defccname(context, &target); -+ if (retval != 0) -+ return retval; -+ -+ /* Check if the configured default name uses a switchable type. */ -+ sep = strchr(target, ':'); -+ *sep = '\0'; -+ switchable = krb5_cc_support_switch(context, target); -+ *sep = ':'; -+ -+ if (!switchable) { -+ /* Try to avoid destroying an in-use target ccache by coming up with -+ * the name of a cache that doesn't exist yet. */ -+ do { -+ free(ccname); -+ if (asprintf(&ccname, "%s.%d", target, gen_sym()) < 0) { -+ retval = ENOMEM; -+ com_err(prog_name, ENOMEM, -+ _("while allocating memory for target ccache name")); -+ goto cleanup; -+ } -+ } while (ks_ccache_name_is_initialized(context, ccname)); -+ retval = krb5_cc_resolve(context, ccname, &ccache); -+ } else { -+ /* Look for a cache in the collection that we can reuse. */ -+ retval = krb5_cc_cache_match(context, princ, &ccache); -+ if (retval == 0) { -+ reused = TRUE; -+ } else { -+ /* There isn't one, so create a new one. */ -+ *sep = '\0'; -+ retval = krb5_cc_new_unique(context, target, NULL, &ccache); -+ *sep = ':'; -+ if (retval) { -+ com_err(prog_name, retval, -+ _("while creating new target ccache")); -+ goto cleanup; -+ } -+ retval = krb5_cc_initialize(context, ccache, princ); -+ if (retval) { -+ com_err(prog_name, retval, -+ _("while initializing target cache")); -+ goto cleanup; -+ } -+ } -+ } -+ -+ *ccache_out = ccache; -+ *ccache_reused = reused; -+ -+cleanup: -+ free(target); -+ return retval; -+} -+ - #ifdef HAVE_GETUSERSHELL - - int standard_shell(sh) --- -2.0.4 - diff --git a/0005-Copy-config-entries-to-the-ksu-target-ccache.patch b/0005-Copy-config-entries-to-the-ksu-target-ccache.patch deleted file mode 100644 index e004136..0000000 --- a/0005-Copy-config-entries-to-the-ksu-target-ccache.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 297496f0938955ba4aaf0ebecf4e393e527b8cbf Mon Sep 17 00:00:00 2001 -From: Nalin Dahyabhai -Date: Tue, 29 Oct 2013 16:27:20 -0400 -Subject: [PATCH 5/7] Copy config entries to the ksu target ccache - -When we try to screen out expired creds while reading them from one -ccache to eventually store in another, also keep configuration entries. - -ticket: 7986 (new) ---- - src/clients/ksu/ccache.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/src/clients/ksu/ccache.c b/src/clients/ksu/ccache.c -index 4693bd4..0f9e042 100644 ---- a/src/clients/ksu/ccache.c -+++ b/src/clients/ksu/ccache.c -@@ -219,7 +219,8 @@ krb5_error_code krb5_get_nonexp_tkts(context, cc, creds_array) - - while (!(retval = krb5_cc_next_cred(context, cc, &cur, &creds))){ - -- if ((retval = krb5_check_exp(context, creds.times))){ -+ if (!krb5_is_config_principal(context, creds.server) && -+ (retval = krb5_check_exp(context, creds.times))){ - if (retval != KRB5KRB_AP_ERR_TKT_EXPIRED){ - return retval; - } --- -2.0.4 - diff --git a/0006-Use-more-randomness-for-ksu-secondary-cache-names.patch b/0006-Use-more-randomness-for-ksu-secondary-cache-names.patch deleted file mode 100644 index da8a32a..0000000 --- a/0006-Use-more-randomness-for-ksu-secondary-cache-names.patch +++ /dev/null @@ -1,115 +0,0 @@ -From 69c8e20b18577781e17c5959e23514134dfb5755 Mon Sep 17 00:00:00 2001 -From: Nalin Dahyabhai -Date: Thu, 24 Jul 2014 16:43:21 -0400 -Subject: [PATCH 6/7] Use more randomness for ksu secondary cache names - -When generating a suffix to append to a ccache name that will hold the -credentials for a ksu-invoked process, instead of using integers -counting up from 1, use the result of base64-encoding six randomly- -generated octets. Tweak the output alphabet just a bit to avoid using -'+' or '/' in the generated names, the latter of which could really -confuse things. ---- - src/clients/ksu/ccache.c | 27 +++++++++++++++++++++++---- - src/clients/ksu/ksu.h | 2 +- - src/clients/ksu/main.c | 16 ++++++++++++---- - 3 files changed, 36 insertions(+), 9 deletions(-) - -diff --git a/src/clients/ksu/ccache.c b/src/clients/ksu/ccache.c -index 0f9e042..a0736f2 100644 ---- a/src/clients/ksu/ccache.c -+++ b/src/clients/ksu/ccache.c -@@ -27,6 +27,7 @@ - */ - - #include "ksu.h" -+#include "k5-base64.h" - #include "adm_proto.h" - #include - #include -@@ -504,10 +505,28 @@ show_credential(context, cred, cc) - free(sname); - } - --int gen_sym(){ -- static int i = 0; -- i ++; -- return i; -+/* Create a random string suitable for a filename extension. */ -+krb5_error_code -+gen_sym(krb5_context context, char **sym_out) -+{ -+ krb5_error_code retval; -+ char bytes[6], *p, *sym; -+ krb5_data data = make_data(bytes, sizeof(bytes)); -+ -+ *sym_out = NULL; -+ retval = krb5_c_random_make_octets(context, &data); -+ if (retval) -+ return retval; -+ sym = k5_base64_encode(data.data, data.length); -+ if (sym == NULL) -+ return ENOMEM; -+ /* Tweak the output alphabet just a bit. */ -+ while ((p = strchr(sym, '/')) != NULL) -+ *p = '_'; -+ while ((p = strchr(sym, '+')) != NULL) -+ *p = '-'; -+ *sym_out = sym; -+ return 0; - } - - krb5_error_code krb5_ccache_overwrite(context, ccs, cct, primary_principal) -diff --git a/src/clients/ksu/ksu.h b/src/clients/ksu/ksu.h -index fbbf217..5ba5ceb 100644 ---- a/src/clients/ksu/ksu.h -+++ b/src/clients/ksu/ksu.h -@@ -130,7 +130,7 @@ extern krb5_error_code krb5_get_login_princ - extern void show_credential - (krb5_context, krb5_creds *, krb5_ccache); - --extern int gen_sym (void); -+krb5_error_code gen_sym(krb5_context context, char **sym); - - extern krb5_error_code krb5_ccache_overwrite - (krb5_context, krb5_ccache, krb5_ccache, krb5_principal); -diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c -index 41a3bf8..47fa820 100644 ---- a/src/clients/ksu/main.c -+++ b/src/clients/ksu/main.c -@@ -856,7 +856,7 @@ resolve_target_cache(krb5_context context, krb5_principal princ, - krb5_error_code retval; - krb5_boolean switchable, reused = FALSE; - krb5_ccache ccache = NULL; -- char *sep, *ccname = NULL, *target; -+ char *sep, *ccname = NULL, *sym = NULL, *target; - - *ccache_out = NULL; - *ccache_reused = FALSE; -@@ -876,12 +876,20 @@ resolve_target_cache(krb5_context context, krb5_principal princ, - * the name of a cache that doesn't exist yet. */ - do { - free(ccname); -- if (asprintf(&ccname, "%s.%d", target, gen_sym()) < 0) { -+ retval = gen_sym(context, &sym); -+ if (retval) { -+ com_err(prog_name, retval, -+ _("while generating part of the target ccache name")); -+ return retval; -+ } -+ if (asprintf(&ccname, "%s.%s", target, sym) < 0) { - retval = ENOMEM; -- com_err(prog_name, ENOMEM, -- _("while allocating memory for target ccache name")); -+ free(sym); -+ com_err(prog_name, retval, _("while allocating memory for the " -+ "target ccache name")); - goto cleanup; - } -+ free(sym); - } while (ks_ccache_name_is_initialized(context, ccname)); - retval = krb5_cc_resolve(context, ccname, &ccache); - } else { --- -2.0.4 - diff --git a/0007-Make-krb5_cc_new_unique-create-DIR-directories.patch b/0007-Make-krb5_cc_new_unique-create-DIR-directories.patch deleted file mode 100644 index c0b8778..0000000 --- a/0007-Make-krb5_cc_new_unique-create-DIR-directories.patch +++ /dev/null @@ -1,37 +0,0 @@ -Context tweaked to apply to 1.12.1. - -From bca1191210eb582fe09e94486e2631d72b8a5ca5 Mon Sep 17 00:00:00 2001 -From: Nalin Dahyabhai -Date: Fri, 8 Aug 2014 16:58:03 -0400 -Subject: [PATCH 7/7] Make krb5_cc_new_unique create DIR: directories - -When we use krb5_cc_new_unique to create a new cache in a directory -cache collection, we will fail if the directory doesn't exist yet. - -Go ahead and preemptively create it, as we do during krb5_cc_resolve, -before attempting to create a new file under it. - -ticket: 7988 (new) -target_version: 1.13 -tags: pullup ---- - src/lib/krb5/ccache/cc_dir.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/src/lib/krb5/ccache/cc_dir.c b/src/lib/krb5/ccache/cc_dir.c -index d82f335..b00a6bb 100644 ---- a/src/lib/krb5/ccache/cc_dir.c -+++ b/src/lib/krb5/ccache/cc_dir.c -@@ -401,6 +401,9 @@ dcc_gen_new(krb5_context context, krb5_ccache *cache_out) - "collection")); - return KRB5_DCC_CANNOT_CREATE; - } -+ ret = verify_dir(context, dirname); -+ if (ret) -+ goto cleanup; - ret = k5_path_join(dirname, "tktXXXXXX", &template); - if (ret) - goto cleanup; --- -2.0.4 - diff --git a/krb5-1.10-kpasswd_tcp.patch b/krb5-1.10-kpasswd_tcp.patch deleted file mode 100644 index fd8da8e..0000000 --- a/krb5-1.10-kpasswd_tcp.patch +++ /dev/null @@ -1,32 +0,0 @@ -Fall back to TCP on kdc-unresolvable/unreachable errors. We still have -to wait for UDP to fail, so this might not be ideal. RT #5868. - ---- krb5/src/lib/krb5/os/changepw.c -+++ krb5/src/lib/krb5/os/changepw.c -@@ -270,10 +270,22 @@ change_set_password(krb5_context context - &callback_info, &chpw_rep, ss2sa(&remote_addr), - &addrlen, NULL, NULL, NULL); - if (code) { -- /* -- * Here we may want to switch to TCP on some errors. -- * right? -- */ -+ /* if we're not using a stream socket, and it's an error which -+ * might reasonably be specific to a datagram "connection", try -+ * again with a stream socket */ -+ if (!use_tcp) { -+ switch (code) { -+ case KRB5_KDC_UNREACH: -+ case KRB5_REALM_CANT_RESOLVE: -+ case KRB5KRB_ERR_RESPONSE_TOO_BIG: -+ /* should we do this for more result codes than these? */ -+ k5_free_serverlist (&sl); -+ use_tcp = 1; -+ continue; -+ default: -+ break; -+ } -+ } - break; - } - diff --git a/krb5-1.10-kprop-mktemp.patch b/krb5-1.10-kprop-mktemp.patch deleted file mode 100644 index 62178df..0000000 --- a/krb5-1.10-kprop-mktemp.patch +++ /dev/null @@ -1,28 +0,0 @@ -Use an in-memory ccache to silence a compiler warning, for RT#6414. - ---- krb5/src/slave/kprop.c -+++ krb5/src/slave/kprop.c -@@ -202,9 +202,8 @@ void PRS(argc, argv) - void get_tickets(context) - krb5_context context; - { -- char buf[BUFSIZ], *def_realm; -+ char buf[] = "MEMORY:_kproptkt", *def_realm; - krb5_error_code retval; -- static char tkstring[] = "/tmp/kproptktXXXXXX"; - krb5_keytab keytab = NULL; - - /* -@@ -229,11 +228,8 @@ void get_tickets(context) - #endif - - /* -- * Initialize cache file which we're going to be using -+ * Initialize an in-memory cache for temporary use - */ -- (void) mktemp(tkstring); -- snprintf(buf, sizeof(buf), "FILE:%s", tkstring); -- - retval = krb5_cc_resolve(context, buf, &ccache); - if (retval) { - com_err(progname, retval, _("while opening credential cache %s"), buf); diff --git a/krb5-1.12-pwdch-fast.patch b/krb5-1.12-pwdch-fast.patch deleted file mode 100644 index 3b7d4bb..0000000 --- a/krb5-1.12-pwdch-fast.patch +++ /dev/null @@ -1,176 +0,0 @@ -From 230858394d2dded001ef3d2029daa6c468aca097 Mon Sep 17 00:00:00 2001 -From: Greg Hudson -Date: Fri, 28 Feb 2014 14:49:35 -0500 -Subject: [PATCH] Use preauth options when changing password - -If we try to change the password in rb5_get_init_creds_password, we -must use all application-specified gic options which affect -preauthentication when getting the kadmin/changepw ticket. Create a -helper function make_chpw_options which copies the application's -options, unsets the options we don't want, and sets options -appropriate for a temporary ticket. - -ticket: 7868 - -npmccallum: - * include tests from 06817686bfdef99523f300464bcbb0c8b037a27d ---- - src/lib/krb5/krb/gic_pwd.c | 63 +++++++++++++++++++++++++++++++++++++--------- - src/tests/Makefile.in | 1 + - src/tests/t_changepw.py | 37 +++++++++++++++++++++++++++ - 3 files changed, 89 insertions(+), 12 deletions(-) - create mode 100644 src/tests/t_changepw.py - -diff --git a/src/lib/krb5/krb/gic_pwd.c b/src/lib/krb5/krb/gic_pwd.c -index a97823f6b51b7393755e82f36612c30b64096754..6aec7c3a71f99d2194b09374b296327174e6d4b8 100644 ---- a/src/lib/krb5/krb/gic_pwd.c -+++ b/src/lib/krb5/krb/gic_pwd.c -@@ -242,6 +242,54 @@ warn_pw_expiry(krb5_context context, krb5_get_init_creds_opt *options, - (*prompter)(context, data, 0, banner, 0, 0); - } - -+/* -+ * Create a temporary options structure for getting a kadmin/changepw ticket, -+ * based on the appplication-specified options. Propagate all application -+ * options which affect preauthentication, but not options which affect the -+ * resulting ticket or how it is stored. Set lifetime and flags appropriate -+ * for a ticket which we will use immediately and then discard. -+ * -+ * storage1 and storage2 will be used to hold the temporary options. The -+ * caller must not free the result, as it will contain aliases into the -+ * application options. -+ */ -+static krb5_get_init_creds_opt * -+make_chpw_options(krb5_get_init_creds_opt *in, krb5_gic_opt_ext *storage1, -+ gic_opt_private *storage2) -+{ -+ krb5_gic_opt_ext *in_ext; -+ krb5_get_init_creds_opt *opt; -+ -+ /* Copy the application's options to storage. */ -+ if (in == NULL) { -+ storage1->flags = 0; -+ } else if (gic_opt_is_extended(in)) { -+ in_ext = (krb5_gic_opt_ext *)in; -+ *storage1 = *in_ext; -+ *storage2 = *in_ext->opt_private; -+ storage1->opt_private = storage2; -+ } else { -+ *(krb5_get_init_creds_opt *)storage1 = *in; -+ } -+ -+ /* Get a non-forwardable, non-proxiable, short-lifetime ticket. */ -+ opt = (krb5_get_init_creds_opt *)storage1; -+ krb5_get_init_creds_opt_set_tkt_life(opt, 5 * 60); -+ krb5_get_init_creds_opt_set_renew_life(opt, 0); -+ krb5_get_init_creds_opt_set_forwardable(opt, 0); -+ krb5_get_init_creds_opt_set_proxiable(opt, 0); -+ -+ /* Unset options which should only apply to the actual ticket. */ -+ opt->flags &= ~KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST; -+ opt->flags &= ~KRB5_GET_INIT_CREDS_OPT_ANONYMOUS; -+ -+ /* The output ccache should only be used for the actual ticket. */ -+ if (gic_opt_is_extended(opt)) -+ storage2->out_ccache = NULL; -+ -+ return opt; -+} -+ - krb5_error_code KRB5_CALLCONV - krb5_get_init_creds_password(krb5_context context, - krb5_creds *creds, -@@ -259,6 +307,8 @@ krb5_get_init_creds_password(krb5_context context, - int tries; - krb5_creds chpw_creds; - krb5_get_init_creds_opt *chpw_opts = NULL; -+ krb5_gic_opt_ext storage1; -+ gic_opt_private storage2; - struct gak_password gakpw; - krb5_data pw0, pw1; - char banner[1024], pw0array[1024], pw1array[1024]; -@@ -345,16 +395,7 @@ krb5_get_init_creds_password(krb5_context context, - /* ok, we have an expired password. Give the user a few chances - to change it */ - -- /* use a minimal set of options */ -- -- ret = krb5_get_init_creds_opt_alloc(context, &chpw_opts); -- if (ret) -- goto cleanup; -- krb5_get_init_creds_opt_set_tkt_life(chpw_opts, 5*60); -- krb5_get_init_creds_opt_set_renew_life(chpw_opts, 0); -- krb5_get_init_creds_opt_set_forwardable(chpw_opts, 0); -- krb5_get_init_creds_opt_set_proxiable(chpw_opts, 0); -- -+ chpw_opts = make_chpw_options(options, &storage1, &storage2); - ret = k5_get_init_creds(context, &chpw_creds, client, prompter, data, - start_time, "kadmin/changepw", chpw_opts, - krb5_get_as_key_password, &gakpw, &use_master, -@@ -471,8 +512,6 @@ cleanup: - warn_pw_expiry(context, options, prompter, data, in_tkt_service, - as_reply); - -- if (chpw_opts) -- krb5_get_init_creds_opt_free(context, chpw_opts); - zapfree(gakpw.storage.data, gakpw.storage.length); - memset(pw0array, 0, sizeof(pw0array)); - memset(pw1array, 0, sizeof(pw1array)); -diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in -index 62523895d53da24844141a6ada6cab23e77dd9e6..55f1d6419f8d924a6f9a2971d36f1eac6d293d32 100644 ---- a/src/tests/Makefile.in -+++ b/src/tests/Makefile.in -@@ -94,6 +94,7 @@ check-pytests:: t_init_creds t_localauth - $(RUNPYTEST) $(srcdir)/t_iprop.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_kprop.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_policy.py $(PYTESTFLAGS) -+ $(RUNPYTEST) $(srcdir)/t_changepw.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_pkinit.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_otp.py $(PYTESTFLAGS) - $(RUNPYTEST) $(srcdir)/t_localauth.py $(PYTESTFLAGS) -diff --git a/src/tests/t_changepw.py b/src/tests/t_changepw.py -new file mode 100644 -index 0000000000000000000000000000000000000000..0b9832668e618b3db8d88cf388ec918898bb4df3 ---- /dev/null -+++ b/src/tests/t_changepw.py -@@ -0,0 +1,37 @@ -+#!/usr/bin/python -+from k5test import * -+ -+# This file is intended to cover any password-changing mechanism. For -+# now it only contains a regression test for #7868. -+ -+realm = K5Realm(create_host=False, get_creds=False, start_kadmind=True) -+ -+# Mark a principal as expired and change its password through kinit. -+realm.run_kadminl('modprinc -pwexpire "1 day ago" user') -+pwinput = password('user') + '\nabcd\nabcd\n' -+realm.run([kinit, realm.user_princ], input=pwinput) -+ -+# Do the same thing with FAST, with tracing turned on. -+realm.run_kadminl('modprinc -pwexpire "1 day ago" user') -+pwinput = 'abcd\nefgh\nefgh\n' -+tracefile = os.path.join(realm.testdir, 'trace') -+realm.run(['env', 'KRB5_TRACE=' + tracefile, kinit, '-T', realm.ccache, -+ realm.user_princ], input=pwinput) -+ -+# Read the trace and check that FAST was used when getting the -+# kadmin/changepw ticket. -+f = open(tracefile, 'r') -+trace = f.read() -+f.close() -+getting_changepw = fast_used_for_changepw = False -+for line in trace.splitlines(): -+ if 'Getting initial credentials for user@' in line: -+ getting_changepw_ticket = False -+ if 'Setting initial creds service to kadmin/changepw' in line: -+ getting_changepw_ticket = True -+ if getting_changepw_ticket and 'Using FAST' in line: -+ fast_used_for_changepw = True -+if not fast_used_for_changepw: -+ fail('FAST was not used to get kadmin/changepw ticket') -+ -+success('Password change tests') --- -1.8.5.3 - diff --git a/krb5-1.11-dirsrv-accountlock.patch b/krb5-1.13-dirsrv-accountlock.patch similarity index 87% rename from krb5-1.11-dirsrv-accountlock.patch rename to krb5-1.13-dirsrv-accountlock.patch index 12d201d..0a6661c 100644 --- a/krb5-1.11-dirsrv-accountlock.patch +++ b/krb5-1.13-dirsrv-accountlock.patch @@ -23,9 +23,9 @@ diff -up krb5-1.8/src/aclocal.m4.dirsrv-accountlock krb5-1.8/src/aclocal.m4 diff -up krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c.dirsrv-accountlock krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c --- krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c.dirsrv-accountlock 2009-11-24 18:52:25.000000000 -0500 +++ krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c 2010-03-05 11:03:10.000000000 -0500 -@@ -2101,6 +2101,22 @@ populate_krb5_db_entry(krb5_context cont - goto cleanup; - if ((st=krb5_dbe_update_tl_data(context, entry, &userinfo_tl_data)) != 0) +@@ -1546,6 +1546,23 @@ populate_krb5_db_entry(krb5_context cont + ret = krb5_dbe_update_tl_data(context, entry, &userinfo_tl_data); + if (ret) goto cleanup; +#ifdef HAVE_DIRSRV_ACCOUNT_LOCKING + { @@ -33,8 +33,9 @@ diff -up krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c.dirsrv-accountloc + char *is_login_disabled=NULL; + + /* LOGIN DISABLED */ -+ if ((st=krb5_ldap_get_string(ld, ent, "nsAccountLock", &is_login_disabled, -+ &attr_present)) != 0) ++ ret = krb5_ldap_get_string(ld, ent, "nsAccountLock", &is_login_disabled, ++ &attr_present); ++ if (ret) + goto cleanup; + if (attr_present == TRUE) { + if (strcasecmp(is_login_disabled, "TRUE")== 0) @@ -44,7 +45,8 @@ diff -up krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c.dirsrv-accountloc + } +#endif - if ((st=krb5_read_tkt_policy (context, ldap_context, entry, tktpolname)) !=0) + ret = krb5_read_tkt_policy(context, ldap_context, entry, tktpolname); + if (ret) goto cleanup; diff -up krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c.dirsrv-accountlock krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c --- krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c.dirsrv-accountlock 2009-11-24 18:52:25.000000000 -0500 diff --git a/krb5-1.12-selinux-label.patch b/krb5-1.13-selinux-label.patch similarity index 97% rename from krb5-1.12-selinux-label.patch rename to krb5-1.13-selinux-label.patch index 395f5f7..1cd86c0 100644 --- a/krb5-1.12-selinux-label.patch +++ b/krb5-1.13-selinux-label.patch @@ -125,10 +125,10 @@ which we used earlier, is some improvement. localedir='$(datadir)/locale' --- krb5/src/include/k5-int.h +++ krb5/src/include/k5-int.h -@@ -133,6 +133,7 @@ typedef unsigned char u_char; - typedef UINT64_TYPE krb5_ui_8; - typedef INT64_TYPE krb5_int64; +@@ -129,6 +129,7 @@ typedef unsigned char u_char; + + #include "k5-platform.h" +#include "k5-label.h" #define KRB5_KDB_MAX_LIFE (60*60*24) /* one day */ @@ -289,8 +289,8 @@ which we used earlier, is some improvement. --- krb5/src/plugins/kdb/db2/libdb2/btree/bt_open.c +++ krb5/src/plugins/kdb/db2/libdb2/btree/bt_open.c @@ -60,6 +60,7 @@ static char sccsid[] = "@(#)bt_open.c 8. - - #include "k5-platform.h" /* mkstemp? */ + #include + #include +#include "k5-int.h" #include "db-int.h" @@ -364,7 +364,7 @@ which we used earlier, is some improvement. @@ -437,6 +437,9 @@ void doit(fd) krb5_enctype etype; int database_fd; - char host[INET6_ADDRSTRLEN+1]; + char host[INET6_ADDRSTRLEN + 1]; +#ifdef USE_SELINUX + void *selabel; +#endif @@ -379,13 +379,13 @@ which we used earlier, is some improvement. + selabel = krb5int_push_fscreatecon_for(file); +#endif omask = umask(077); - lock_fd = open(temp_file_name, O_RDWR|O_CREAT, 0600); - (void) umask(omask); + lock_fd = open(temp_file_name, O_RDWR | O_CREAT, 0600); + (void)umask(omask); +#ifdef USE_SELINUX + krb5int_pop_fscreatecon(selabel); +#endif retval = krb5_lock_file(kpropd_context, lock_fd, - KRB5_LOCKMODE_EXCLUSIVE|KRB5_LOCKMODE_DONTBLOCK); + KRB5_LOCKMODE_EXCLUSIVE | KRB5_LOCKMODE_DONTBLOCK); if (retval) { --- krb5/src/util/profile/prof_file.c +++ krb5/src/util/profile/prof_file.c @@ -884,9 +884,9 @@ which we used earlier, is some improvement. + if (status == 0) + return 0; + } - krb5_set_error_message(context, KRB5_FCC_NOFILE, - _("Credential cache directory %s does not " - "exist"), dirname); + k5_setmsg(context, KRB5_FCC_NOFILE, + _("Credential cache directory %s does not exist"), + dirname); --- krb5/src/lib/krb5/os/trace.c +++ krb5/src/lib/krb5/os/trace.c @@ -401,7 +401,7 @@ krb5_set_trace_filename(krb5_context con @@ -944,10 +944,10 @@ which we used earlier, is some improvement. pid = (unsigned long) getpid(); --- krb5/src/lib/kdb/kdb_log.c +++ krb5/src/lib/kdb/kdb_log.c -@@ -566,7 +566,7 @@ ulog_map(krb5_context context, const cha - if (caller == FKPROPLOG) - return errno; +@@ -456,7 +456,7 @@ ulog_map(krb5_context context, const cha + int ulogfd = -1; + if (stat(logname, &st) == -1) { - ulogfd = open(logname, O_RDWR | O_CREAT, 0600); + ulogfd = THREEPARAMOPEN(logname, O_RDWR | O_CREAT, 0600); if (ulogfd == -1) diff --git a/krb5-1.3.4-send-pr-tempfile.patch b/krb5-1.3.4-send-pr-tempfile.patch deleted file mode 100644 index a9ffa31..0000000 --- a/krb5-1.3.4-send-pr-tempfile.patch +++ /dev/null @@ -1,41 +0,0 @@ -Use mktemp to create our temporary files instead of basing them on our PID. -Only portable if you assume the presence of a mktemp helper. -diff -ur krb5-1.3.4/src/util/send-pr/send-pr.sh krb5-1.3.4/src/util/send-pr/send-pr.sh ---- krb5-1.3.4/src/util/send-pr/send-pr.sh 1997-03-20 01:13:56.000000000 +0100 -+++ krb5-1.3.4/src/util/send-pr/send-pr.sh 2004-09-20 11:28:56.000000000 +0200 -@@ -96,9 +96,9 @@ - fi - fi - --TEMP=$TMPDIR/p$$ --BAD=$TMPDIR/pbad$$ --REF=$TMPDIR/pf$$ -+TEMP=`mktemp "$TMPDIR"/p.XXXXXX` || exit 1 -+BAD=`mktemp "$TMPDIR"/pbad.XXXXXX` || exit 1 -+REF=`mktemp "$TMPDIR"/pf.XXXXXX` || exit 1 - - # find a user name - if [ "$LOGNAME" = "" ]; then -@@ -122,9 +122,10 @@ - else - # Must use temp file due to incompatibilities in quoting behavior - # and to protect shell metacharacters in the expansion of $LOGNAME -- $PASSWD | grep "^$LOGNAME:" | awk -F: '{print $5}' | sed -e 's/,.*//' > $TEMP -- ORIGINATOR="`cat $TEMP`" -- rm -f $TEMP -+ TEMP2=`mktemp "$TMPDIR"/plogname.XXXXXX` || exit 1 -+ $PASSWD | grep "^$LOGNAME:" | awk -F: '{print $5}' | sed -e 's/,.*//' > $TEMP2 -+ ORIGINATOR="`cat $TEMP2`" -+ rm -f $TEMP2 - fi - - if [ -n "$ORGANIZATION" ]; then -@@ -280,7 +281,7 @@ - # Catch some signals. ($xs kludge needed by Sun /bin/sh) - xs=0 - trap 'rm -f $REF $TEMP; exit $xs' 0 --trap 'echo "$COMMAND: Aborting ..."; rm -f $REF $TEMP; xs=1; exit' 1 2 3 13 15 -+trap 'echo "$COMMAND: Aborting ..."; rm -f "$REF" "$BAD" "$TEMP"; xs=1; exit' 1 2 3 13 15 - - # If they told us to use a specific file, then do so. - if [ -n "$IN_FILE" ]; then diff --git a/krb5-keyring-strtol.patch b/krb5-keyring-strtol.patch deleted file mode 100644 index 790bbc1..0000000 --- a/krb5-keyring-strtol.patch +++ /dev/null @@ -1,41 +0,0 @@ -commit 5ac159e220297a8f62dd5edcec6f9b988b0627ea -Author: Nalin Dahyabhai -Date: Mon Nov 11 13:10:08 2013 -0500 - - Catch more strtol() failures when using KEYRINGs - - When parsing what should be a UID while resolving a KEYRING ccache - name, don't just depend on strtol() to set errno when the residual - that we pass to it can't be parsed as a number. In addition to - checking errno, pass in and check the value of an "endptr". - - [ghudson@mit.edu: simplified slightly] - - ticket: 7764 (new) - target_version: 1.12 - tags: pullup - -diff --git a/src/lib/krb5/ccache/cc_keyring.c b/src/lib/krb5/ccache/cc_keyring.c -index 795ccd6..a07a0dc 100644 ---- a/src/lib/krb5/ccache/cc_keyring.c -+++ b/src/lib/krb5/ccache/cc_keyring.c -@@ -593,7 +593,7 @@ get_collection(const char *anchor_name, const char *collection_name, - { - krb5_error_code ret; - key_serial_t persistent_id, anchor_id, possess_id = 0; -- char *ckname; -+ char *ckname, *cnend; - long uidnum; - - *collection_id_out = 0; -@@ -607,8 +607,8 @@ get_collection(const char *anchor_name, const char *collection_name, - */ - if (*collection_name != '\0') { - errno = 0; -- uidnum = strtol(collection_name, NULL, 10); -- if (errno) -+ uidnum = strtol(collection_name, &cnend, 10); -+ if (errno || *cnend != '\0') - return KRB5_KCC_INVALID_UID; - } else { - uidnum = geteuid(); diff --git a/krb5-master-mechd.patch b/krb5-master-mechd.patch deleted file mode 100644 index 965a436..0000000 --- a/krb5-master-mechd.patch +++ /dev/null @@ -1,275 +0,0 @@ -commit 123c14fd8862ee8f11f6084d25958cb380655f35 -Author: Günther Deschner -Date: Wed Mar 5 16:21:55 2014 +0100 - - Remove dead code from the mechglue initialization - - The stat check in gss_indicate_mechs had no consequent and would have - been redundant with logic in updateMechList if it did. - - [ghudson@mit.edu: elaborated commit message; removed unused - g_mechSetTime and now-irrelevant comment] - -diff --git a/src/lib/gssapi/mechglue/g_initialize.c b/src/lib/gssapi/mechglue/g_initialize.c -index 48a825e..c6904e0 100644 ---- a/src/lib/gssapi/mechglue/g_initialize.c -+++ b/src/lib/gssapi/mechglue/g_initialize.c -@@ -91,7 +91,6 @@ static gss_mech_info g_mechListTail = NULL; - static k5_mutex_t g_mechListLock = K5_MUTEX_PARTIAL_INITIALIZER; - static time_t g_confFileModTime = (time_t)0; - --static time_t g_mechSetTime = (time_t)0; - static gss_OID_set_desc g_mechSet = { 0, NULL }; - static k5_mutex_t g_mechSetLock = K5_MUTEX_PARTIAL_INITIALIZER; - -@@ -213,8 +212,6 @@ gss_indicate_mechs(minorStatus, mechSet_out) - OM_uint32 *minorStatus; - gss_OID_set *mechSet_out; - { -- char *fileName; -- struct stat fileInfo; - OM_uint32 status; - - /* Initialize outputs. */ -@@ -233,16 +230,6 @@ gss_OID_set *mechSet_out; - if (*minorStatus != 0) - return (GSS_S_FAILURE); - -- fileName = MECH_CONF; -- -- /* -- * If we have already computed the mechanisms supported and if it -- * is still valid; make a copy and return to caller, -- * otherwise build it first. -- */ -- if ((stat(fileName, &fileInfo) == 0 && -- fileInfo.st_mtime > g_mechSetTime)) { -- } /* if g_mechSet is out of date or not initialized */ - if (build_mechSet()) - return GSS_S_FAILURE; - -@@ -289,20 +276,6 @@ build_mechSet(void) - */ - k5_mutex_lock(&g_mechListLock); - --#if 0 -- /* -- * this checks for the case when we need to re-construct the -- * g_mechSet structure, but the mechanism list is upto date -- * (because it has been read by someone calling -- * gssint_get_mechanism) -- */ -- if (fileInfo.st_mtime > g_confFileModTime) -- { -- g_confFileModTime = fileInfo.st_mtime; -- loadConfigFile(fileName); -- } --#endif -- - updateMechList(); - - /* - -commit 05cbef80d53f49d30a5d0563501226dc173734d4 -Author: Günther Deschner -Date: Wed Mar 5 15:25:43 2014 +0100 - - Load mechglue config files from /etc/gss/mech.d - - In addition to loading /etc/gss/mech, glob for *.conf files in - /etc/gss/mech.d. Load only config files which have changed since the - highest mtime we saw in the previous scan. Scan at most once per - second to avoid excessive numbers of filesystem syscalls for busy - GSSAPI applications. - - [ghudson@mit.edu: rewrote commit message; style changes; added - once-per-second throttle on glob/stat calls] - - ticket: 7882 (new) - -diff --git a/src/lib/gssapi/mechglue/g_initialize.c b/src/lib/gssapi/mechglue/g_initialize.c -index c6904e0..f0acf1a 100644 ---- a/src/lib/gssapi/mechglue/g_initialize.c -+++ b/src/lib/gssapi/mechglue/g_initialize.c -@@ -41,6 +41,7 @@ - #include - #include - #include -+#include - - #define M_DEFAULT "default" - -@@ -58,6 +59,7 @@ - #ifndef MECH_CONF - #define MECH_CONF "/etc/gss/mech" - #endif -+#define MECH_CONF_PATTERN MECH_CONF ".d/*.conf" - - /* Local functions */ - static void addConfigEntry(const char *oidStr, const char *oid, -@@ -90,6 +92,7 @@ static gss_mech_info g_mechList = NULL; - static gss_mech_info g_mechListTail = NULL; - static k5_mutex_t g_mechListLock = K5_MUTEX_PARTIAL_INITIALIZER; - static time_t g_confFileModTime = (time_t)0; -+static time_t g_confLastCall = (time_t)0; - - static gss_OID_set_desc g_mechSet = { 0, NULL }; - static k5_mutex_t g_mechSetLock = K5_MUTEX_PARTIAL_INITIALIZER; -@@ -383,6 +386,56 @@ const gss_OID oid; - return (modOptions); - } /* gssint_get_modOptions */ - -+/* Return the mtime of filename or its eventual symlink target (if it is a -+ * symlink), whichever is larger. Return (time_t)-1 if lstat or stat fails. */ -+static time_t -+check_link_mtime(const char *filename, time_t *mtime_out) -+{ -+ struct stat st1, st2; -+ -+ if (lstat(filename, &st1) != 0) -+ return (time_t)-1; -+ if (!S_ISLNK(st1.st_mode)) -+ return st1.st_mtime; -+ if (stat(filename, &st2) != 0) -+ return (time_t)-1; -+ return (st1.st_mtime > st2.st_mtime) ? st1.st_mtime : st2.st_mtime; -+} -+ -+/* Try to load any config files which have changed since the last call. Config -+ * files are MECH_CONF and any files matching MECH_CONF_PATTERN. */ -+static void -+loadConfigFiles() -+{ -+ glob_t globbuf; -+ time_t highest_mtime = 0, mtime, now; -+ char **pathptr; -+ -+ /* Don't glob and stat more than once per second. */ -+ if (time(&now) == (time_t)-1 || now == g_confLastCall) -+ return; -+ g_confLastCall = now; -+ -+ globbuf.gl_offs = 1; -+ if (glob(MECH_CONF_PATTERN, GLOB_DOOFFS, NULL, &globbuf) != 0) -+ return; -+ globbuf.gl_pathv[0] = MECH_CONF; -+ -+ for (pathptr = globbuf.gl_pathv; *pathptr != NULL; pathptr++) { -+ mtime = check_link_mtime(*pathptr, &mtime); -+ if (mtime == (time_t)-1) -+ continue; -+ if (mtime > highest_mtime) -+ highest_mtime = mtime; -+ if (mtime > g_confFileModTime) -+ loadConfigFile(*pathptr); -+ } -+ g_confFileModTime = highest_mtime; -+ -+ globbuf.gl_pathv[0] = NULL; -+ globfree(&globbuf); -+} -+ - /* - * determines if the mechList needs to be updated from file - * and performs the update. -@@ -401,17 +454,7 @@ updateMechList(void) - loadConfigFromRegistry(HKEY_CURRENT_USER, MECH_KEY); - loadConfigFromRegistry(HKEY_LOCAL_MACHINE, MECH_KEY); - #else /* _WIN32 */ -- char *fileName; -- struct stat fileInfo; -- -- fileName = MECH_CONF; -- -- /* check if mechList needs updating */ -- if (stat(fileName, &fileInfo) != 0 || -- g_confFileModTime >= fileInfo.st_mtime) -- return; -- g_confFileModTime = fileInfo.st_mtime; -- loadConfigFile(fileName); -+ loadConfigFiles(); - #endif /* !_WIN32 */ - - /* Load any unloaded interposer mechanisms immediately, to make sure we - -commit ac98187641f6943ae571606c0b6a97f236f9b60c -Author: Greg Hudson -Date: Wed May 28 23:51:49 2014 -0400 - - Read /etc/gss/mech if no mech.d/*.conf found - - Always read /etc/gss/mech, even if globbing /etc/gss/mech.d/*.conf - doesn't work. Doing this using GLOB_DOOFFS proved error-prone, so use - a simpler approach: factor out the per-pathname handling into a helper - function load_if_changed, call it with MECH_CONF before the glob, then - pass each glob result through the helper. - - ticket: 7925 - -diff --git a/src/lib/gssapi/mechglue/g_initialize.c b/src/lib/gssapi/mechglue/g_initialize.c -index f0acf1a..8bce14c 100644 ---- a/src/lib/gssapi/mechglue/g_initialize.c -+++ b/src/lib/gssapi/mechglue/g_initialize.c -@@ -402,38 +402,45 @@ check_link_mtime(const char *filename, time_t *mtime_out) - return (st1.st_mtime > st2.st_mtime) ? st1.st_mtime : st2.st_mtime; - } - -+/* Load pathname if it is newer than last. Update *highest to the maximum of -+ * its current value and pathname's mod time. */ -+static void -+load_if_changed(const char *pathname, time_t last, time_t *highest) -+{ -+ time_t mtime; -+ -+ mtime = check_link_mtime(pathname, &mtime); -+ if (mtime == (time_t)-1) -+ return; -+ if (mtime > *highest) -+ *highest = mtime; -+ if (mtime > last) -+ loadConfigFile(pathname); -+} -+ - /* Try to load any config files which have changed since the last call. Config - * files are MECH_CONF and any files matching MECH_CONF_PATTERN. */ - static void - loadConfigFiles() - { - glob_t globbuf; -- time_t highest_mtime = 0, mtime, now; -- char **pathptr; -+ time_t highest = 0, now; -+ char **path; - - /* Don't glob and stat more than once per second. */ - if (time(&now) == (time_t)-1 || now == g_confLastCall) - return; - g_confLastCall = now; - -- globbuf.gl_offs = 1; -- if (glob(MECH_CONF_PATTERN, GLOB_DOOFFS, NULL, &globbuf) != 0) -- return; -- globbuf.gl_pathv[0] = MECH_CONF; -+ load_if_changed(MECH_CONF, g_confFileModTime, &highest); - -- for (pathptr = globbuf.gl_pathv; *pathptr != NULL; pathptr++) { -- mtime = check_link_mtime(*pathptr, &mtime); -- if (mtime == (time_t)-1) -- continue; -- if (mtime > highest_mtime) -- highest_mtime = mtime; -- if (mtime > g_confFileModTime) -- loadConfigFile(*pathptr); -+ if (glob(MECH_CONF_PATTERN, 0, NULL, &globbuf) == 0) { -+ for (path = globbuf.gl_pathv; *path != NULL; path++) -+ load_if_changed(*path, g_confFileModTime, &highest); -+ globfree(&globbuf); - } -- g_confFileModTime = highest_mtime; - -- globbuf.gl_pathv[0] = NULL; -- globfree(&globbuf); -+ g_confFileModTime = highest; - } - - /* diff --git a/krb5-master-move-otp-sockets.patch b/krb5-master-move-otp-sockets.patch deleted file mode 100644 index 350a818..0000000 --- a/krb5-master-move-otp-sockets.patch +++ /dev/null @@ -1,203 +0,0 @@ -Adjusted to apply to 1.12.2. - -commit 1e4bdcfed2c7bda94d5c135cc32a5993ca032501 -Author: Nathaniel McCallum -Date: Wed Feb 5 10:59:46 2014 -0500 - - Move OTP sockets to KDC_RUN_DIR - - Some system configurations expect Unix-domain sockets to live under - /run or /var/run, and not other parts of /var where persistent - application state lives. Define a new directory KDC_RUN_DIR using - $runstatedir (new in autoconf 2.70, so fall back to $localstatedir/run - if it's not set) and use that for the default socket path. - - [ghudson@mit.edu: commit message, otp.rst formatting fix] - - ticket: 7859 (new) - -diff --git a/doc/admin/otp.rst b/doc/admin/otp.rst -index 0abd5ff..f12c36d 100644 ---- a/doc/admin/otp.rst -+++ b/doc/admin/otp.rst -@@ -23,7 +23,7 @@ the following format:: - - [otp] - = { -- server = (default: $KDCDIR/.socket) -+ server = (default: see below) - secret = - timeout = (default: 5 [seconds]) - retries = (default: 3) -@@ -33,7 +33,8 @@ the following format:: - If the server field begins with '/', it will be interpreted as a UNIX - socket. Otherwise, it is assumed to be in the format host:port. When - a UNIX domain socket is specified, the secret field is optional and an --empty secret is used by default. -+empty secret is used by default. If the server field is not -+specified, it defaults to |kdcrundir|\ ``/.socket``. - - When forwarding the request over RADIUS, by default the principal is - used in the User-Name attribute of the RADIUS packet. The strip_realm -diff --git a/doc/conf.py b/doc/conf.py -index f015fc8..bc8b2bd 100644 ---- a/doc/conf.py -+++ b/doc/conf.py -@@ -231,6 +231,7 @@ if 'mansubs' in tags: - sbindir = '``@SBINDIR@``' - libdir = '``@LIBDIR@``' - localstatedir = '``@LOCALSTATEDIR@``' -+ runstatedir = '``@RUNSTATEDIR@``' - sysconfdir = '``@SYSCONFDIR@``' - ccache = '``@CCNAME@``' - keytab = '``@KTNAME@``' -@@ -243,6 +244,7 @@ else: - sbindir = ':ref:`SBINDIR `' - libdir = ':ref:`LIBDIR `' - localstatedir = ':ref:`LOCALSTATEDIR `' -+ runstatedir = ':ref:`RUNSTATEDIR `' - sysconfdir = ':ref:`SYSCONFDIR `' - ccache = ':ref:`DEFCCNAME `' - keytab = ':ref:`DEFKTNAME `' -@@ -262,6 +264,7 @@ else: - rst_epilog += '.. |sbindir| replace:: %s\n' % sbindir - rst_epilog += '.. |libdir| replace:: %s\n' % libdir - rst_epilog += '.. |kdcdir| replace:: %s\\ ``/krb5kdc``\n' % localstatedir -+ rst_epilog += '.. |kdcrundir| replace:: %s\\ ``/krb5kdc``\n' % runstatedir - rst_epilog += '.. |sysconfdir| replace:: %s\n' % sysconfdir - rst_epilog += '.. |ccache| replace:: %s\n' % ccache - rst_epilog += '.. |keytab| replace:: %s\n' % keytab -diff --git a/doc/mitK5defaults.rst b/doc/mitK5defaults.rst -index 89b8f4c..838dabb 100644 ---- a/doc/mitK5defaults.rst -+++ b/doc/mitK5defaults.rst -@@ -17,6 +17,7 @@ KDC config file :ref:`kdc.conf(5)` |kdcdir|\ ``/kdc.conf`` **KRB - KDC database path (DB2) |kdcdir|\ ``/principal`` - Master key :ref:`stash_definition` |kdcdir|\ ``/.k5.``\ *realm* - Admin server ACL file :ref:`kadm5.acl(5)` |kdcdir|\ ``/kadm5.acl`` -+OTP socket directory |kdcrundir| - Plugin base directory |libdir|\ ``/krb5/plugins`` - :ref:`rcache_definition` directory ``/var/tmp`` **KRB5RCACHEDIR** - Master key default enctype |defmkey| -@@ -64,6 +65,7 @@ Description Symbolic name Custom build path Typical - User programs BINDIR ``/usr/local/bin`` ``/usr/bin`` - Libraries and plugins LIBDIR ``/usr/local/lib`` ``/usr/lib`` - Parent of KDC state dir LOCALSTATEDIR ``/usr/local/var`` ``/var`` -+Parent of KDC runtime dir RUNSTATEDIR ``/usr/local/var/run`` ``/run`` - Administrative programs SBINDIR ``/usr/local/sbin`` ``/usr/sbin`` - Alternate krb5.conf dir SYSCONFDIR ``/usr/local/etc`` ``/etc`` - Default ccache name DEFCCNAME ``FILE:/tmp/krb5cc_%{uid}`` ``FILE:/tmp/krb5cc_%{uid}`` -diff --git a/src/Makefile.in b/src/Makefile.in -index a8bc990..1725093 100644 ---- a/src/Makefile.in -+++ b/src/Makefile.in -@@ -64,6 +64,7 @@ INSTALLMKDIRS = $(KRB5ROOT) $(KRB5MANROOT) $(KRB5OTHERMKDIRS) \ - $(KRB5_AD_MODULE_DIR) \ - $(KRB5_LIBKRB5_MODULE_DIR) \ - @localstatedir@ @localstatedir@/krb5kdc \ -+ @runstatedir@ @runstatedir@/krb5kdc \ - $(KRB5_INCSUBDIRS) $(datadir) $(EXAMPLEDIR) \ - $(PKGCONFIG_DIR) - -diff --git a/src/configure.in b/src/configure.in -index 2145d54..c2eaf78 100644 ---- a/src/configure.in -+++ b/src/configure.in -@@ -9,6 +9,12 @@ - fi - AC_SUBST(SYSCONFCONF) - -+# If $runstatedir isn't set by autoconf (<2.70), set it manually. -+if test x"$runstatedir" == x; then -+ runstatedir=$localstatedir/run -+fi -+AC_SUBST(runstatedir) -+ - CONFIG_RULES - KRB5_VERSION=K5_VERSION - AC_SUBST(KRB5_VERSION) -diff --git a/src/doc/Makefile.in b/src/doc/Makefile.in -index a6bb7c5..b07e16a 100644 ---- a/src/doc/Makefile.in -+++ b/src/doc/Makefile.in -@@ -7,6 +7,7 @@ DOXYGEN=doxygen - - docsrc=$(top_srcdir)/../doc - localstatedir=@localstatedir@ -+runstatedir=@runstatedir@ - sysconfdir=@sysconfdir@ - DEFCCNAME=@DEFCCNAME@ - DEFKTNAME=@DEFKTNAME@ -@@ -113,6 +114,7 @@ paths.py: - echo 'sbindir = "``$(SERVER_BINDIR)``"' >> $@ - echo 'libdir = "``$(KRB5_LIBDIR)``"' >> $@ - echo 'localstatedir = "``$(localstatedir)``"' >> $@ -+ echo 'runstatedir = "``$(runstatedir)``"' >> $@ - echo 'sysconfdir = "``$(sysconfdir)``"' >> $@ - echo 'ccache = "``$(DEFCCNAME)``"' >> $@ - echo 'keytab = "``$(DEFKTNAME)``"' >> $@ -diff --git a/src/include/Makefile.in b/src/include/Makefile.in -index e13042a..f83ff4e 100644 ---- a/src/include/Makefile.in -+++ b/src/include/Makefile.in -@@ -53,6 +53,7 @@ autoconf.stamp: $(srcdir)/autoconf.h.in $(BUILDTOP)/config.status - - SYSCONFDIR = @sysconfdir@ - LOCALSTATEDIR = @localstatedir@ -+RUNSTATEDIR = @runstatedir@ - BINDIR = @bindir@ - SBINDIR = @sbindir@ - LIBDIR = @libdir@ -@@ -66,6 +67,7 @@ PROCESS_REPLACE = -e "s+@KRB5RCTMPDIR+$(KRB5RCTMPDIR)+" \ - -e "s+@MODULEDIR+$(MODULE_DIR)+" \ - -e "s+@GSSMODULEDIR+$(GSS_MODULE_DIR)+" \ - -e 's+@LOCALSTATEDIR+$(LOCALSTATEDIR)+' \ -+ -e 's+@RUNSTATEDIR+$(RUNSTATEDIR)+' \ - -e 's+@SYSCONFDIR+$(SYSCONFDIR)+' \ - -e 's+@DYNOBJEXT+$(DYNOBJEXT)+' \ - -e 's+@SYSCONFCONF+$(SYSCONFCONF)+' -diff --git a/src/include/osconf.hin b/src/include/osconf.hin -index 90ab86d..871503a 100644 ---- a/src/include/osconf.hin -+++ b/src/include/osconf.hin -@@ -59,6 +59,7 @@ - #define PLUGIN_EXT "@DYNOBJEXT" - - #define KDC_DIR "@LOCALSTATEDIR/krb5kdc" -+#define KDC_RUN_DIR "@RUNSTATEDIR/krb5kdc" - #define DEFAULT_KDB_FILE KDC_DIR "/principal" - #define DEFAULT_KEYFILE_STUB KDC_DIR "/.k5." - #define KRB5_DEFAULT_ADMIN_ACL KDC_DIR "/krb5_adm.acl" -diff --git a/src/man/Makefile.in b/src/man/Makefile.in -index 4dd2448..2b9c892 100644 ---- a/src/man/Makefile.in -+++ b/src/man/Makefile.in -@@ -5,6 +5,7 @@ SPHINX_BUILD=sphinx-build - GROFF=@GROFF@ - GROFF_MAN=$(GROFF) -mtty-char -Tascii -mandoc -c - localstatedir=@localstatedir@ -+runstatedir=@runstatedir@ - sysconfdir=@sysconfdir@ - DEFCCNAME=@DEFCCNAME@ - DEFKTNAME=@DEFKTNAME@ -@@ -44,6 +45,7 @@ $(docsrc)/version.py: $(top_srcdir)/patchlevel.h - -e 's|@SBINDIR@|$(SERVER_BINDIR)|g' \ - -e 's|@LIBDIR@|$(KRB5_LIBDIR)|g' \ - -e 's|@LOCALSTATEDIR@|$(localstatedir)|g' \ -+ -e 's|@RUNSTATEDIR@|$(runstatedir)|g' \ - -e 's|@SYSCONFDIR@|$(sysconfdir)|g' \ - -e 's|@CCNAME@|$(DEFCCNAME)|g' \ - -e 's|@KTNAME@|$(DEFKTNAME)|g' \ -diff --git a/src/plugins/preauth/otp/otp_state.c b/src/plugins/preauth/otp/otp_state.c -index a4d7e3b..4643dff 100644 ---- a/src/plugins/preauth/otp/otp_state.c -+++ b/src/plugins/preauth/otp/otp_state.c -@@ -40,7 +40,7 @@ - #endif - - #define DEFAULT_TYPE_NAME "DEFAULT" --#define DEFAULT_SOCKET_FMT KDC_DIR "/%s.socket" -+#define DEFAULT_SOCKET_FMT KDC_RUN_DIR "/%s.socket" - #define DEFAULT_TIMEOUT 5 - #define DEFAULT_RETRIES 3 - #define MAX_SECRET_LEN 1024 diff --git a/krb5-master-rcache-acquirecred-cleanup.patch b/krb5-master-rcache-acquirecred-cleanup.patch deleted file mode 100644 index 72b97d3..0000000 --- a/krb5-master-rcache-acquirecred-cleanup.patch +++ /dev/null @@ -1,105 +0,0 @@ -commit ef8e19af863158e4c1abc15fc710aa8cfad38406 -Author: Greg Hudson -Date: Wed Jan 15 12:51:42 2014 -0500 - - Clean up GSS krb5 acquire_accept_cred - - Use a cleanup handler instead of releasing kt in multiple error - clauses. Wrap a long line and fix a comment with a missing word. - Rewrap the function arguments to use fewer lines. - -diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c -index 9547207..37cc6b5 100644 ---- a/src/lib/gssapi/krb5/acquire_cred.c -+++ b/src/lib/gssapi/krb5/acquire_cred.c -@@ -179,13 +179,13 @@ cleanup: - */ - - static OM_uint32 --acquire_accept_cred(krb5_context context, -- OM_uint32 *minor_status, -- krb5_keytab req_keytab, -- krb5_gss_cred_id_rec *cred) -+acquire_accept_cred(krb5_context context, OM_uint32 *minor_status, -+ krb5_keytab req_keytab, krb5_gss_cred_id_rec *cred) - { -+ OM_uint32 major; - krb5_error_code code; -- krb5_keytab kt; -+ krb5_keytab kt = NULL; -+ krb5_rcache rc = NULL; - - assert(cred->keytab == NULL); - -@@ -202,46 +202,54 @@ acquire_accept_cred(krb5_context context, - } - } - if (code) { -- *minor_status = code; -- return GSS_S_CRED_UNAVAIL; -+ major = GSS_S_CRED_UNAVAIL; -+ goto cleanup; - } - - if (cred->name != NULL) { -- /* Make sure we keys matching the desired name in the keytab. */ -+ /* Make sure we have keys matching the desired name in the keytab. */ - code = check_keytab(context, kt, cred->name); - if (code) { -- krb5_kt_close(context, kt); - if (code == KRB5_KT_NOTFOUND) { - char *errstr = (char *)krb5_get_error_message(context, code); -- krb5_set_error_message(context, KG_KEYTAB_NOMATCH, "%s", errstr); -+ krb5_set_error_message(context, KG_KEYTAB_NOMATCH, "%s", -+ errstr); - krb5_free_error_message(context, errstr); -- *minor_status = KG_KEYTAB_NOMATCH; -- } else -- *minor_status = code; -- return GSS_S_CRED_UNAVAIL; -+ code = KG_KEYTAB_NOMATCH; -+ } -+ major = GSS_S_CRED_UNAVAIL; -+ goto cleanup; - } - - /* Open the replay cache for this principal. */ - code = krb5_get_server_rcache(context, &cred->name->princ->data[0], -- &cred->rcache); -+ &rc); - if (code) { -- krb5_kt_close(context, kt); -- *minor_status = code; -- return GSS_S_FAILURE; -+ major = GSS_S_FAILURE; -+ goto cleanup; - } - } else { - /* Make sure we have a keytab with keys in it. */ - code = krb5_kt_have_content(context, kt); - if (code) { -- krb5_kt_close(context, kt); -- *minor_status = code; -- return GSS_S_CRED_UNAVAIL; -+ major = GSS_S_CRED_UNAVAIL; -+ goto cleanup; - } - } - - cred->keytab = kt; -+ kt = NULL; -+ cred->rcache = rc; -+ rc = NULL; -+ major = GSS_S_COMPLETE; - -- return GSS_S_COMPLETE; -+cleanup: -+ if (kt != NULL) -+ krb5_kt_close(context, kt); -+ if (rc != NULL) -+ krb5_rc_close(context, rc); -+ *minor_status = code; -+ return major; - } - #endif /* LEAN_CLIENT */ - diff --git a/krb5-master-rcache-acquirecred-source.patch b/krb5-master-rcache-acquirecred-source.patch deleted file mode 100644 index 71c3876..0000000 --- a/krb5-master-rcache-acquirecred-source.patch +++ /dev/null @@ -1,136 +0,0 @@ -commit 7dad0bee30fbbde8cfc0eacd2d1487c198a004a1 -Author: Simo Sorce -Date: Thu Dec 26 19:05:34 2013 -0500 - - Add rcache feature to gss_acquire_cred_from - - The "rcache" cred store entry can specify a replay cache type and name - to be used with the credentials being acquired. - - [ghudson@mit.edu: split up, simplified, and altered to fit preparatory - commits] - - ticket: 7819 (new) - -diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c -index f625c0c..5d680f9 100644 ---- a/src/lib/gssapi/krb5/acquire_cred.c -+++ b/src/lib/gssapi/krb5/acquire_cred.c -@@ -180,7 +180,8 @@ cleanup: - - static OM_uint32 - acquire_accept_cred(krb5_context context, OM_uint32 *minor_status, -- krb5_keytab req_keytab, krb5_gss_cred_id_rec *cred) -+ krb5_keytab req_keytab, const char *rcname, -+ krb5_gss_cred_id_rec *cred) - { - OM_uint32 major; - krb5_error_code code; -@@ -189,6 +190,20 @@ acquire_accept_cred(krb5_context context, OM_uint32 *minor_status, - - assert(cred->keytab == NULL); - -+ /* If we have an explicit rcache name, open it. */ -+ if (rcname != NULL) { -+ code = krb5_rc_resolve_full(context, &rc, rcname); -+ if (code) { -+ major = GSS_S_FAILURE; -+ goto cleanup; -+ } -+ code = krb5_rc_recover_or_initialize(context, rc, context->clockskew); -+ if (code) { -+ major = GSS_S_FAILURE; -+ goto cleanup; -+ } -+ } -+ - if (req_keytab != NULL) { - code = krb5_kt_dup(context, req_keytab, &kt); - } else { -@@ -221,12 +236,14 @@ acquire_accept_cred(krb5_context context, OM_uint32 *minor_status, - goto cleanup; - } - -- /* Open the replay cache for this principal. */ -- code = krb5_get_server_rcache(context, &cred->name->princ->data[0], -- &rc); -- if (code) { -- major = GSS_S_FAILURE; -- goto cleanup; -+ if (rc == NULL) { -+ /* Open the replay cache for this principal. */ -+ code = krb5_get_server_rcache(context, &cred->name->princ->data[0], -+ &rc); -+ if (code) { -+ major = GSS_S_FAILURE; -+ goto cleanup; -+ } - } - } else { - /* Make sure we have a keytab with keys in it. */ -@@ -718,8 +735,8 @@ acquire_cred_context(krb5_context context, OM_uint32 *minor_status, - gss_name_t desired_name, gss_buffer_t password, - OM_uint32 time_req, gss_cred_usage_t cred_usage, - krb5_ccache ccache, krb5_keytab client_keytab, -- krb5_keytab keytab, krb5_boolean iakerb, -- gss_cred_id_t *output_cred_handle, -+ krb5_keytab keytab, const char *rcname, -+ krb5_boolean iakerb, gss_cred_id_t *output_cred_handle, - OM_uint32 *time_rec) - { - krb5_gss_cred_id_t cred = NULL; -@@ -775,7 +792,7 @@ acquire_cred_context(krb5_context context, OM_uint32 *minor_status, - * in cred->name if desired_princ is specified. - */ - if (cred_usage == GSS_C_ACCEPT || cred_usage == GSS_C_BOTH) { -- ret = acquire_accept_cred(context, minor_status, keytab, cred); -+ ret = acquire_accept_cred(context, minor_status, keytab, rcname, cred); - if (ret != GSS_S_COMPLETE) - goto error_out; - } -@@ -867,7 +884,7 @@ acquire_cred(OM_uint32 *minor_status, gss_name_t desired_name, - - ret = acquire_cred_context(context, minor_status, desired_name, password, - time_req, cred_usage, ccache, NULL, keytab, -- iakerb, output_cred_handle, time_rec); -+ NULL, iakerb, output_cred_handle, time_rec); - - out: - krb5_free_context(context); -@@ -1135,7 +1152,7 @@ krb5_gss_acquire_cred_from(OM_uint32 *minor_status, - krb5_keytab client_keytab = NULL; - krb5_keytab keytab = NULL; - krb5_ccache ccache = NULL; -- const char *value; -+ const char *rcname, *value; - OM_uint32 ret; - - code = gss_krb5int_initialize_library(); -@@ -1191,9 +1208,14 @@ krb5_gss_acquire_cred_from(OM_uint32 *minor_status, - } - } - -+ ret = kg_value_from_cred_store(cred_store, KRB5_CS_RCACHE_URN, &rcname); -+ if (GSS_ERROR(ret)) -+ goto out; -+ - ret = acquire_cred_context(context, minor_status, desired_name, NULL, - time_req, cred_usage, ccache, client_keytab, -- keytab, 0, output_cred_handle, time_rec); -+ keytab, rcname, 0, output_cred_handle, -+ time_rec); - - out: - if (ccache != NULL) -diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h -index 0167816..8e4f6d9 100644 ---- a/src/lib/gssapi/krb5/gssapiP_krb5.h -+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h -@@ -1260,6 +1260,7 @@ data_to_gss(krb5_data *input_k5data, gss_buffer_t output_buffer) - #define KRB5_CS_CLI_KEYTAB_URN "client_keytab" - #define KRB5_CS_KEYTAB_URN "keytab" - #define KRB5_CS_CCACHE_URN "ccache" -+#define KRB5_CS_RCACHE_URN "rcache" - - OM_uint32 - kg_value_from_cred_store(gss_const_key_value_set_t cred_store, diff --git a/krb5-master-rcache-acquirecred-test.patch b/krb5-master-rcache-acquirecred-test.patch deleted file mode 100644 index e8eef5e..0000000 --- a/krb5-master-rcache-acquirecred-test.patch +++ /dev/null @@ -1,82 +0,0 @@ -commit 6f8d5135334c9ddb674f9824e750872b3b0642ea -Author: Greg Hudson -Date: Thu Jan 16 11:49:55 2014 -0500 - - Add test for gss_acquire_cred_from rcache feature - -diff --git a/src/tests/gssapi/t_credstore.c b/src/tests/gssapi/t_credstore.c -index 575f96d..e28f5d0 100644 ---- a/src/tests/gssapi/t_credstore.c -+++ b/src/tests/gssapi/t_credstore.c -@@ -46,7 +46,9 @@ main(int argc, char *argv[]) - gss_cred_usage_t cred_usage = GSS_C_BOTH; - gss_OID_set mechs = GSS_C_NO_OID_SET; - gss_cred_id_t cred = GSS_C_NO_CREDENTIAL; -- krb5_boolean store_creds = FALSE; -+ gss_ctx_id_t ictx = GSS_C_NO_CONTEXT, actx = GSS_C_NO_CONTEXT; -+ gss_buffer_desc itok, atok; -+ krb5_boolean store_creds = FALSE, replay = FALSE; - char opt; - - /* Parse options. */ -@@ -54,6 +56,8 @@ main(int argc, char *argv[]) - opt = (*argv)[1]; - if (opt == 's') - store_creds = TRUE; -+ else if (opt == 'r') -+ replay = TRUE; - else if (opt == 'a') - cred_usage = GSS_C_ACCEPT; - else if (opt == 'b') -@@ -101,6 +105,31 @@ main(int argc, char *argv[]) - &store, &cred, NULL, NULL); - check_gsserr("gss_acquire_cred_from", major, minor); - -+ if (replay) { -+ /* Induce a replay using cred as the acceptor cred, to test the replay -+ * cache indicated by the store. */ -+ major = gss_init_sec_context(&minor, GSS_C_NO_CREDENTIAL, &ictx, name, -+ &mech_krb5, 0, GSS_C_INDEFINITE, -+ GSS_C_NO_CHANNEL_BINDINGS, -+ GSS_C_NO_BUFFER, NULL, &itok, NULL, NULL); -+ check_gsserr("gss_init_sec_context", major, minor); -+ (void)gss_delete_sec_context(&minor, &ictx, NULL); -+ -+ major = gss_accept_sec_context(&minor, &actx, cred, &itok, -+ GSS_C_NO_CHANNEL_BINDINGS, NULL, NULL, -+ &atok, NULL, NULL, NULL); -+ check_gsserr("gss_accept_sec_context(1)", major, minor); -+ (void)gss_release_buffer(&minor, &atok); -+ (void)gss_delete_sec_context(&minor, &actx, NULL); -+ -+ major = gss_accept_sec_context(&minor, &actx, cred, &itok, -+ GSS_C_NO_CHANNEL_BINDINGS, NULL, NULL, -+ &atok, NULL, NULL, NULL); -+ check_gsserr("gss_accept_sec_context(2)", major, minor); -+ (void)gss_release_buffer(&minor, &atok); -+ (void)gss_delete_sec_context(&minor, &actx, NULL); -+ } -+ - gss_release_name(&minor, &name); - gss_release_cred(&minor, &cred); - free(store.elements); -diff --git a/src/tests/gssapi/t_gssapi.py b/src/tests/gssapi/t_gssapi.py -index 74139e4..106910d 100755 ---- a/src/tests/gssapi/t_gssapi.py -+++ b/src/tests/gssapi/t_gssapi.py -@@ -91,6 +91,15 @@ realm.kinit(service_cs, None, ['-k', '-t', servicekeytab]) - realm.run(['./t_credstore', '-s', 'p:' + service_cs, 'ccache', storagecache, - 'keytab', servicekeytab]) - -+# Test rcache feature of cred stores. t_credstore -r should produce a -+# replay error normally, but not with rcache set to "none:". -+output = realm.run(['./t_credstore', '-r', '-a', 'p:' + realm.host_princ], -+ expected_code=1) -+if 'gss_accept_sec_context(2): Request is a replay' not in output: -+ fail('Expected replay error not seen in t_credstore output') -+realm.run(['./t_credstore', '-r', '-a', 'p:' + realm.host_princ, -+ 'rcache', 'none:']) -+ - # Verify that we can't acquire acceptor creds without a keytab. - os.remove(realm.keytab) - output = realm.run(['./t_accname', 'p:abc'], expected_code=1) diff --git a/krb5-master-rcache-internal-const.patch b/krb5-master-rcache-internal-const.patch deleted file mode 100644 index 5cb1108..0000000 --- a/krb5-master-rcache-internal-const.patch +++ /dev/null @@ -1,46 +0,0 @@ -commit 74ff6c4accb68bd1d6c652c55e66519720db9fc4 -Author: Greg Hudson -Date: Wed Jan 15 12:31:41 2014 -0500 - - Make rcache resolve functions take const char * - -diff --git a/src/include/k5-int.h b/src/include/k5-int.h -index bbc7fab..b4757a9 100644 ---- a/src/include/k5-int.h -+++ b/src/include/k5-int.h -@@ -1887,8 +1887,10 @@ krb5_error_code KRB5_CALLCONV - krb5int_cc_user_set_default_name(krb5_context context, const char *name); - - krb5_error_code krb5_rc_default(krb5_context, krb5_rcache *); --krb5_error_code krb5_rc_resolve_type(krb5_context, krb5_rcache *,char *); --krb5_error_code krb5_rc_resolve_full(krb5_context, krb5_rcache *,char *); -+krb5_error_code krb5_rc_resolve_type(krb5_context, krb5_rcache *, -+ const char *); -+krb5_error_code krb5_rc_resolve_full(krb5_context, krb5_rcache *, -+ const char *); - char *krb5_rc_get_type(krb5_context, krb5_rcache); - char *krb5_rc_default_type(krb5_context); - char *krb5_rc_default_name(krb5_context); -diff --git a/src/lib/krb5/rcache/rc_base.c b/src/lib/krb5/rcache/rc_base.c -index 2fc96c5..373ac30 100644 ---- a/src/lib/krb5/rcache/rc_base.c -+++ b/src/lib/krb5/rcache/rc_base.c -@@ -65,7 +65,8 @@ krb5_rc_register_type(krb5_context context, const krb5_rc_ops *ops) - } - - krb5_error_code --krb5_rc_resolve_type(krb5_context context, krb5_rcache *idptr, char *type) -+krb5_rc_resolve_type(krb5_context context, krb5_rcache *idptr, -+ const char *type) - { - struct krb5_rc_typelist *t; - krb5_error_code err; -@@ -146,7 +147,7 @@ krb5_rc_default(krb5_context context, krb5_rcache *idptr) - - krb5_error_code - krb5_rc_resolve_full(krb5_context context, krb5_rcache *idptr, -- char *string_name) -+ const char *string_name) - { - char *type; - char *residual; diff --git a/krb5-master-strdupcheck.patch b/krb5-master-strdupcheck.patch deleted file mode 100644 index 4c9d0c1..0000000 --- a/krb5-master-strdupcheck.patch +++ /dev/null @@ -1,23 +0,0 @@ -commit b6810da129512b6d0200580d78d22d38cc214e21 -Author: Lukas Slebodnik -Date: Sat Jun 21 17:09:31 2014 +0200 - - Fix error check in krb5_ldap_parse_principal_name - - Test the correct variable for NULL to detect a strdup failure. - - [ghudson@mit.edu: clarified commit message] - -diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c -index 21695a9..44bf339 100644 ---- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c -+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c -@@ -412,7 +412,7 @@ krb5_ldap_parse_principal_name(char *i_princ_name, char **o_princ_name) - at_rlm_name = strrchr(i_princ_name, '@'); - if (!at_rlm_name) { - *o_princ_name = strdup(i_princ_name); -- if (!o_princ_name) -+ if (!*o_princ_name) - return ENOMEM; - } else { - k5_buf_init_dynamic(&buf); diff --git a/krb5.spec b/krb5.spec index cb919d8..4c4c03f 100644 --- a/krb5.spec +++ b/krb5.spec @@ -37,19 +37,20 @@ %global configure_default_ccache_name 1 %global configured_default_ccache_name KEYRING:persistent:%%{uid} %endif +%global prerelease -alpha1 Summary: The Kerberos network authentication system Name: krb5 -Version: 1.12.2 -Release: 3%{?dist} +Version: 1.13 +Release: 0%{?dist}.alpha1.1 # Maybe we should explode from the now-available-to-everybody tarball instead? -# http://web.mit.edu/kerberos/dist/krb5/1.12/krb5-1.12.2-signed.tar -Source0: krb5-%{version}.tar.gz -Source1: krb5-%{version}.tar.gz.asc +# http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13-alpha1-signed.tar +Source0: krb5-%{version}%{prerelease}.tar.gz +Source1: krb5-%{version}%{prerelease}.tar.gz.asc # Use a dummy krb5-%{version}-pdf.tar.xz the first time through, then # tar cvJf $RPM_SOURCE_DIR/krb5-%%{version}-pdf.tar.xz build-pdf/*.pdf # after the build phase finishes. -Source3: krb5-%{version}-pdf.tar.xz +Source3: krb5-%{version}%{prerelease}-pdf.tar.xz Source2: kprop.service Source4: kadmin.service Source5: krb5kdc.service @@ -76,36 +77,18 @@ Source100: nss_wrapper-0.0-20140204195100.git3d58327.tar.xz Source101: noport.c Source102: socket_wrapper-0.0-20140204194748.gitf3b2ece.tar.xz -Patch1: krb5-1.12-pwdch-fast.patch Patch6: krb5-1.12-ksu-path.patch Patch12: krb5-1.12-ktany.patch Patch16: krb5-1.12-buildconf.patch Patch23: krb5-1.3.1-dns.patch -Patch29: krb5-1.10-kprop-mktemp.patch -Patch30: krb5-1.3.4-send-pr-tempfile.patch Patch39: krb5-1.12-api.patch -Patch59: krb5-1.10-kpasswd_tcp.patch Patch60: krb5-1.12.1-pam.patch -Patch63: krb5-1.12-selinux-label.patch -Patch71: krb5-1.11-dirsrv-accountlock.patch +Patch63: krb5-1.13-selinux-label.patch +Patch71: krb5-1.13-dirsrv-accountlock.patch Patch86: krb5-1.9-debuginfo.patch Patch105: krb5-kvno-230379.patch Patch129: krb5-1.11-run_user_0.patch Patch134: krb5-1.11-kpasswdtest.patch -Patch136: krb5-master-rcache-internal-const.patch -Patch137: krb5-master-rcache-acquirecred-cleanup.patch -Patch139: krb5-master-rcache-acquirecred-source.patch -Patch141: krb5-master-rcache-acquirecred-test.patch -Patch142: krb5-master-move-otp-sockets.patch -Patch145: krb5-master-mechd.patch -Patch146: krb5-master-strdupcheck.patch -Patch201: 0001-In-ksu-merge-krb5_ccache_copy-and-_restricted.patch -Patch202: 0002-In-ksu-don-t-stat-not-on-disk-ccache-residuals.patch -Patch203: 0003-Use-an-intermediate-memory-cache-in-ksu.patch -Patch204: 0004-Make-ksu-respect-the-default_ccache_name-setting.patch -Patch205: 0005-Copy-config-entries-to-the-ksu-target-ccache.patch -Patch206: 0006-Use-more-randomness-for-ksu-secondary-cache-names.patch -Patch207: 0007-Make-krb5_cc_new_unique-create-DIR-directories.patch License: MIT URL: http://web.mit.edu/kerberos/www/ @@ -238,8 +221,6 @@ Requires: chkconfig # we drop files in its directory, but we don't want to own that directory Requires: logrotate Requires(preun): initscripts -# mktemp is used by krb5-send-pr -Requires: coreutils # we specify /usr/share/dict/words as the default dict_file in kdc.conf Requires: /usr/share/dict/words %if %{WITH_SYSVERTO} @@ -272,8 +253,6 @@ realm, you need to install this package. Summary: Kerberos 5 programs for use on workstations Group: System Environment/Base Requires: %{name}-libs%{?_isa} = %{version}-%{release} -# mktemp is used by krb5-send-pr -Requires: coreutils %description workstation Kerberos is a network authentication system. The krb5-workstation @@ -305,19 +284,9 @@ to obtain initial credentials from a KDC using a private key and a certificate. %prep -%setup -q -a 3 -a 100 -a 102 +%setup -q -n %{name}-%{version}%{prerelease} -a 3 -a 100 -a 102 ln -s NOTICE LICENSE -%patch201 -p1 -b .In-ksu-merge-krb5_ccache_copy-and-_restricted -%patch202 -p1 -b .In-ksu-don-t-stat-not-on-disk-ccache-residuals -%patch203 -p1 -b .Use-an-intermediate-memory-cache-in-ksu -%patch204 -p1 -b .Make-ksu-respect-the-default_ccache_name-setting -%patch205 -p1 -b .Copy-config-entries-to-the-ksu-target-ccache -%patch206 -p1 -b .Use-more-randomness-for-ksu-secondary-cache-names -%patch207 -p1 -b .Make-krb5_cc_new_unique-create-DIR-directories - -%patch1 -p1 -b .pwdch-fast - %patch60 -p1 -b .pam %patch63 -p1 -b .selinux-label @@ -326,10 +295,7 @@ ln -s NOTICE LICENSE %patch12 -p1 -b .ktany %patch16 -p1 -b .buildconf %{?_rawbuild} %patch23 -p1 -b .dns %{?_rawbuild} -%patch29 -p1 -b .kprop-mktemp -%patch30 -p1 -b .send-pr-tempfile %patch39 -p1 -b .api -%patch59 -p1 -b .kpasswd_tcp %patch71 -p1 -b .dirsrv-accountlock %{?_rawbuild} %patch86 -p0 -b .debuginfo %patch105 -p1 -b .kvno @@ -340,14 +306,6 @@ ln -s NOTICE LICENSE %patch134 -p1 -b .kpasswdtest -%patch136 -p1 -b .rcache-internal-const -%patch137 -p1 -b .rcache-acquirecred-cleanup -%patch139 -p1 -b .rcache-acquirecred-source -%patch141 -p1 -b .rcache-acquirecred-test -%patch142 -p1 -b .move-otp-sockets -%patch145 -p1 -b .master-mechd -%patch146 -p1 -b .master-strdupcheck - # Take the execute bit off of documentation. chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html @@ -364,8 +322,6 @@ touch -r $inldif 60kerberos.ldif # Rebuild the configure scripts. pushd src -#autoheader -#autoconf ./util/reconf --verbose popd @@ -378,9 +334,7 @@ mkdir -p socket_wrapper/build cfg="src/kadmin/testing/proto/kdc.conf.proto \ src/kadmin/testing/proto/krb5.conf.proto \ src/lib/kadm5/unit-test/api.current/init-v2.exp \ - src/util/k5test.py \ - src/tests/mk_migr/ldap_backend/input_conf/*.conf \ - src/tests/mk_migr/db2_backend/input_conf/*.conf" + src/util/k5test.py" LONG_BIT=`getconf LONG_BIT` PORT=`expr 61000 + $LONG_BIT - 48` sed -i -e s,61000,`expr "$PORT" + 0`,g $cfg @@ -442,9 +396,11 @@ CPPFLAGS="`echo $DEFINES $INCLUDES`" %endif %if %{WITH_OPENSSL} --with-pkinit-crypto-impl=openssl \ + --with-tls-impl=openssl \ %endif %if %{WITH_NSS} --with-crypto-impl=nss \ + --without-tls-impl \ %endif %if %{WITH_SYSVERTO} --with-system-verto \ @@ -656,6 +612,10 @@ for section in 1 5 8 ; do $RPM_BUILD_ROOT/%{_mandir}/man${section}/ done +# This script just tells you to send bug reports to krb5-bugs@mit.edu, but +# since we don't have a man page for it, just drop it. +rm $RPM_BUILD_ROOT/%{_sbindir}/krb5-send-pr + %find_lang %{gettext_domain} %clean @@ -831,12 +791,6 @@ exit 0 %{_mandir}/man1/ksu.1* %config(noreplace) /etc/pam.d/ksu -# Problem-reporting tool. -%{_sbindir}/krb5-send-pr -%dir %{_datadir}/gnats -%{_datadir}/gnats/mit -%{_mandir}/man1/krb5-send-pr.1* - %files server %defattr(-,root,root,-) %docdir %{_mandir} @@ -871,13 +825,6 @@ exit 0 %dir %{_libdir}/krb5/plugins/authdata %{_libdir}/krb5/plugins/preauth/otp.so - -# Problem-reporting tool. -%{_sbindir}/krb5-send-pr -%dir %{_datadir}/gnats -%{_datadir}/gnats/mit -%{_mandir}/man1/krb5-send-pr.1* - # KDC binaries and configuration. %{_mandir}/man5/kadm5.acl.5* %{_mandir}/man5/kdc.conf.5* @@ -961,6 +908,9 @@ exit 0 %dir %{_libdir}/krb5/plugins %dir %{_libdir}/krb5/plugins/* %{_libdir}/krb5/plugins/kdb/db2.so +%if %{WITH_OPENSSL} +%{_libdir}/krb5/plugins/tls/k5tls.so +%endif %dir %{_var}/kerberos %dir %{_var}/kerberos/krb5 %dir %{_var}/kerberos/krb5/user @@ -1023,6 +973,10 @@ exit 0 %{_sbindir}/uuserver %changelog +* Fri Aug 22 2014 Nalin Dahyabhai - 1.12.2-4 +- update to 1.13 alpha1 + - drop upstreamed and backported patches + * Wed Aug 20 2014 Nalin Dahyabhai - 1.12.2-3 - pull in upstream fix for an incorrect check on the value returned by a strdup() call (#1132062) diff --git a/sources b/sources index e06d894..67a793e 100644 --- a/sources +++ b/sources @@ -1,5 +1,5 @@ -8777a835ae84f7d2f5872bf388bc6d76 krb5-1.12.2.tar.gz -5a45834367bda0a037d1b8f5a8912002 krb5-1.12.2.tar.gz.asc -c4dca109bc4d480ae4b05d1430671c77 krb5-1.12.2-pdf.tar.xz +c0b597b78cd13be105aff29c600883b9 krb5-1.13-alpha1.tar.gz +49a891e6007a42a7e6f82e5943899a2c krb5-1.13-alpha1.tar.gz.asc +d3c480887984f14ecd8d93fd30a11896 krb5-1.13-alpha1-pdf.tar.xz 142c7f3f8d2b08936d2cee3de743133e nss_wrapper-0.0-20140204195100.git3d58327.tar.xz d8e42cf537192765463c3f1bad870250 socket_wrapper-0.0-20140204194748.gitf3b2ece.tar.xz