parent
892fe9b7b5
commit
93772ec156
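--- a/krb5-1.14.1-log_file_permissions.patch
+++ b/krb5-1.14.1-log_file_permissions.patch
@@ -0,0 +1,63 @@
+From 9914b93516bbce9b1123ed5f9f796b7028944892 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Thu, 17 Dec 2015 13:31:39 -0500
+Subject: [PATCH] Create KDC and kadmind log files with mode 0640
+
+In krb5_klog_init(), use open() and fdopen() to open log files so that
+we can specify a mode. Specify a mode which doesn't include the
+group-write, other-read, or other-write bits even if the process umask
+allows them.
+
+[ghudson@mit.edu: wrote commit message, de-indented post-open setup
+code]
+[rharwood@redhat.com: backport not clean for some reason?]
+
+ticket: 8344 (new)
+---
+src/lib/kadm5/logger.c | 21 ++++++++++++---------
+1 file changed, 12 insertions(+), 9 deletions(-)
+
+diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c
+index 19c4355..f4a9387 100644
+
+--- a/src/lib/kadm5/logger.c 2016-01-21 18:52:52.529544902 +0000
++++ b/src/lib/kadm5/logger.c 2016-01-21 18:57:22.923972419 +0000
+@@ -354,7 +354,7 @@
+const char *logging_profent[3];
+const char *logging_defent[3];
+char **logging_specs;
+- int i, ngood;
++ int i, ngood, fd, append;
+char *cp, *cp2;
+char savec = '\0';
+int error;
+@@ -422,18 +422,21 @@
+/*
+* Check for append/overwrite, then open the file.
+*/
+- if (cp[4] == ':' || cp[4] == '=') {
+- f = WRITABLEFOPEN(&cp[5], (cp[4] == ':') ? "a" : "w");
+- if (f) {
+- set_cloexec_file(f);
+- log_control.log_entries[i].lfu_filep = f;
+- log_control.log_entries[i].log_type = K_LOG_FILE;
+- log_control.log_entries[i].lfu_fname = &cp[5];
+- } else {
++ append = (cp[4] == ':') ? O_APPEND : 0;
++ if (append || cp[4] == '=') {
++ fd = open(&cp[5], O_CREAT | O_WRONLY | append,
++ S_IRUSR | S_IWUSR | S_IRGRP);
++ if (fd != -1)
++ f = fdopen(fd, append ? "a" : "w");
++ if (fd == -1 || f == NULL) {
+fprintf(stderr,"Couldn't open log file %s: %s\n",
+&cp[5], error_message(errno));
+continue;
+}
++ set_cloexec_file(f);
++ log_control.log_entries[i].lfu_filep = f;
++ log_control.log_entries[i].log_type = K_LOG_FILE;
++ log_control.log_entries[i].lfu_fname = &cp[5];
+}
+}
+#ifdef HAVE_SYSLOG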
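Review bot: The mode passed to `open()` in the second logger.c hunk only takes effect when the call creates the file, so a KDC or kadmind log that already exists with the other-read bit set keeps it after this update. The changelog's "not world-readable by default" therefore holds for newly created logs only, and upgraded hosts need the existing files tightened once by hand, or an `fchmod()` after `open()` that clears the group-write and other bits. The same hunk changes the `=` (overwrite) case: the old `fopen(..., "w")` truncated the file, whereas `O_CREAT | O_WRONLY` followed by `fdopen(fd, "w")` does not, so stale content stays behind the new entries; `O_CREAT | O_WRONLY | (append ? O_APPEND : O_TRUNC)` restores the old behaviour. When `fdopen()` fails the descriptor is leaked before `continue`; add `if (fd != -1) close(fd);` after the `fprintf` so `errno` is still intact for the message. The loop body in krb5_klog_init() starts and ends outside the hunk.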
|
@ -13,7 +13,7 @@
|
|||||||
Summary: The Kerberos network authentication system
|
Summary: The Kerberos network authentication system
|
||||||
Name: krb5
|
Name: krb5
|
||||||
Version: 1.14
|
Version: 1.14
|
||||||
Release: 16%{?dist}
|
Release: 17%{?dist}
|
||||||
# - Maybe we should explode from the now-available-to-everybody tarball instead?
|
# - Maybe we should explode from the now-available-to-everybody tarball instead?
|
||||||
# http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
|
# http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
|
||||||
# - The sources below are stored in a lookaside cache. Upload with
|
# - The sources below are stored in a lookaside cache. Upload with
|
||||||
@ -60,6 +60,7 @@ Patch148: krb5-disable_ofd_locks.patch
|
|||||||
Patch150: krb5-fix_interposer.patch
|
Patch150: krb5-fix_interposer.patch
|
||||||
Patch151: krb5-mechglue_inqure_attrs.patch
|
Patch151: krb5-mechglue_inqure_attrs.patch
|
||||||
Patch152: krb5-init_context_null_spnego.patch
|
Patch152: krb5-init_context_null_spnego.patch
|
||||||
|
Patch153: krb5-1.14.1-log_file_permissions.patch
|
||||||
|
|
||||||
License: MIT
|
License: MIT
|
||||||
URL: http://web.mit.edu/kerberos/www/
|
URL: http://web.mit.edu/kerberos/www/
|
||||||
@ -236,6 +237,7 @@ ln NOTICE LICENSE
|
|||||||
%patch150 -p1 -b .fix_interposer
|
%patch150 -p1 -b .fix_interposer
|
||||||
%patch151 -p1 -b .mechglue_inqure_attrs
|
%patch151 -p1 -b .mechglue_inqure_attrs
|
||||||
%patch152 -p1 -b .init_context_null_spnego
|
%patch152 -p1 -b .init_context_null_spnego
|
||||||
|
%patch153 -p1 -b .log_file_permissions
|
||||||
|
|
||||||
# Take the execute bit off of documentation.
|
# Take the execute bit off of documentation.
|
||||||
chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html
|
chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html
|
||||||
@ -766,6 +768,10 @@ exit 0
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Jan 21 2016 Robbie Harwood <rharwood@redhat.com> - 1.14-17
|
||||||
|
- Make krb5kdc.log not world-readable by default
|
||||||
|
- Resolves: #1276484
|
||||||
|
|
||||||
* Thu Jan 21 2016 Robbie Harwood <rharwood@redhat.com> - 1.14-16
|
* Thu Jan 21 2016 Robbie Harwood <rharwood@redhat.com> - 1.14-16
|
||||||
- Allow verification of attributes on krb5.conf
|
- Allow verification of attributes on krb5.conf
|
||||||
|
|
||||||
|