rpms/krb5
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Add proposed ksu KEYRING+default_ccache_name patch

Browse Source 
- add currently-proposed changes to teach ksu about credential cache
  collections and the default_ccache_name setting (#1015559,#1026099)
This commit is contained in:
Nalin Dahyabhai 2014-01-31 16:48:40 -05:00
parent 2eb0567065
commit 9b18d26ce3
2 changed files with 29 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
krb5-1.12-pam.patch → krb5-1.12.1-pam.patch
View File

@ -9,7 +9,8 @@ section of /etc/krb5.conf.
When enabled, ksu gains a dependency on libpam. When enabled, ksu gains a dependency on libpam.
Originally RT#5939, though it's changed since then to perform the account Originally RT#5939, though it's changed since then to perform the account
and session management before dropping privileges. and session management before dropping privileges, and to apply on top of
changes we're proposing for how it handles cache collections.
diff -up krb5/src/aclocal.m4.pam krb5/src/aclocal.m4 diff -up krb5/src/aclocal.m4.pam krb5/src/aclocal.m4
--- krb5/src/aclocal.m4.pam 2009-11-22 12:00:45.000000000 -0500 --- krb5/src/aclocal.m4.pam 2009-11-22 12:00:45.000000000 -0500
@ -95,7 +96,7 @@ diff -up krb5/src/clients/ksu/main.c.pam krb5/src/clients/ksu/main.c
+#include "autoconf.h" +#include "autoconf.h"
#include "ksu.h" #include "ksu.h"
#include "adm_proto.h" #include "adm_proto.h"
#include <sys/types.h> #include "../../lib/krb5/os/os-proto.h"
@@ -33,6 +34,10 @@ @@ -33,6 +34,10 @@
#include <signal.h> #include <signal.h>
#include <grp.h> #include <grp.h>
@ -125,13 +126,13 @@ diff -up krb5/src/clients/ksu/main.c.pam krb5/src/clients/ksu/main.c
+ NULL, source_user, + NULL, source_user,
+ ttyname(STDERR_FILENO)) != 0) { + ttyname(STDERR_FILENO)) != 0) {
+ fprintf(stderr, "Access denied for %s.\n", target_user); + fprintf(stderr, "Access denied for %s.\n", target_user);
+ sweep_up(ksu_context, cc_target); + sweep_up(ksu_context, cc_tmp);
+ exit(1); + exit(1);
+ } + }
+ if (appl_pam_requires_chauthtok()) { + if (appl_pam_requires_chauthtok()) {
+ fprintf(stderr, "Password change required for %s.\n", + fprintf(stderr, "Password change required for %s.\n",
+ target_user); + target_user);
+ sweep_up(ksu_context, cc_target); + sweep_up(ksu_context, cc_tmp);
+ exit(1); + exit(1);
+ } + }
+ force_fork++; + force_fork++;
@ -142,7 +143,7 @@ diff -up krb5/src/clients/ksu/main.c.pam krb5/src/clients/ksu/main.c
if (krb5_seteuid(target_uid)) { if (krb5_seteuid(target_uid)) {
com_err(prog_name, errno, _("while switching to target for " com_err(prog_name, errno, _("while switching to target for "
@@ -651,6 +676,26 @@ @@ -651,6 +676,26 @@
sweep_up(ksu_context, cc_target); sweep_up(ksu_context, cc_tmp);
exit(1); exit(1);
} }
+#ifdef USE_PAM +#ifdef USE_PAM
@ -153,13 +154,13 @@ diff -up krb5/src/clients/ksu/main.c.pam krb5/src/clients/ksu/main.c
+ NULL, source_user, + NULL, source_user,
+ ttyname(STDERR_FILENO)) != 0) { + ttyname(STDERR_FILENO)) != 0) {
+ fprintf(stderr, "Access denied for %s.\n", target_user); + fprintf(stderr, "Access denied for %s.\n", target_user);
+ sweep_up(ksu_context, cc_target); + sweep_up(ksu_context, cc_tmp);
+ exit(1); + exit(1);
+ } + }
+ if (appl_pam_requires_chauthtok()) { + if (appl_pam_requires_chauthtok()) {
+ fprintf(stderr, "Password change required for %s.\n", + fprintf(stderr, "Password change required for %s.\n",
+ target_user); + target_user);
+ sweep_up(ksu_context, cc_target); + sweep_up(ksu_context, cc_tmp);
+ exit(1); + exit(1);
+ } + }
+ force_fork++; + force_fork++;
@ -176,7 +177,7 @@ diff -up krb5/src/clients/ksu/main.c.pam krb5/src/clients/ksu/main.c
+ if (appl_pam_enabled(ksu_context, "ksu")) { + if (appl_pam_enabled(ksu_context, "ksu")) {
+ if (appl_pam_session_open() != 0) { + if (appl_pam_session_open() != 0) {
+ fprintf(stderr, "Error opening session for %s.\n", target_user); + fprintf(stderr, "Error opening session for %s.\n", target_user);
+ sweep_up(ksu_context, cc_target); + sweep_up(ksu_context, cc_tmp);
+ exit(1); + exit(1);
+ } + }
+#ifdef DEBUG +#ifdef DEBUG
@ -187,7 +188,7 @@ diff -up krb5/src/clients/ksu/main.c.pam krb5/src/clients/ksu/main.c
+ if (appl_pam_cred_init()) { + if (appl_pam_cred_init()) {
+ fprintf(stderr, "Error initializing credentials for %s.\n", + fprintf(stderr, "Error initializing credentials for %s.\n",
+ target_user); + target_user);
+ sweep_up(ksu_context, cc_target); + sweep_up(ksu_context, cc_tmp);
+ exit(1); + exit(1);
+ } + }
+#ifdef DEBUG +#ifdef DEBUG

21
krb5.spec
View File

@ -41,7 +41,7 @@
Summary: The Kerberos network authentication system Summary: The Kerberos network authentication system
Name: krb5 Name: krb5
Version: 1.12.1 Version: 1.12.1
Release: 2%{?dist} Release: 3%{?dist}
# Maybe we should explode from the now-available-to-everybody tarball instead? # Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.12/krb5-1.12.1-signed.tar # http://web.mit.edu/kerberos/dist/krb5/1.12/krb5-1.12.1-signed.tar
Source0: krb5-%{version}.tar.gz Source0: krb5-%{version}.tar.gz
@ -83,7 +83,7 @@ Patch30: krb5-1.3.4-send-pr-tempfile.patch
Patch39: krb5-1.12-api.patch Patch39: krb5-1.12-api.patch
Patch56: krb5-1.10-doublelog.patch Patch56: krb5-1.10-doublelog.patch
Patch59: krb5-1.10-kpasswd_tcp.patch Patch59: krb5-1.10-kpasswd_tcp.patch
Patch60: krb5-1.12-pam.patch Patch60: krb5-1.12.1-pam.patch
Patch63: krb5-1.12-selinux-label.patch Patch63: krb5-1.12-selinux-label.patch
Patch71: krb5-1.11-dirsrv-accountlock.patch Patch71: krb5-1.11-dirsrv-accountlock.patch
Patch86: krb5-1.9-debuginfo.patch Patch86: krb5-1.9-debuginfo.patch
@ -97,6 +97,12 @@ Patch138: krb5-master-rcache-acquirecred-leak.patch
Patch139: krb5-master-rcache-acquirecred-source.patch Patch139: krb5-master-rcache-acquirecred-source.patch
Patch140: krb5-master-empty-credstore.patch Patch140: krb5-master-empty-credstore.patch
Patch141: krb5-master-rcache-acquirecred-test.patch Patch141: krb5-master-rcache-acquirecred-test.patch
Patch201: 0001-Don-t-try-to-stat-not-on-disk-ccache-residuals.patch
Patch202: 0002-Use-an-in-memory-cache-until-we-need-the-target-s.patch
Patch203: 0003-Learn-to-destroy-the-ccache-we-re-copying-from.patch
Patch204: 0004-Try-to-use-the-default_ccache_name-d-as-the-target.patch
Patch205: 0005-Be-more-careful-of-target-ccache-collections.patch
Patch206: 0006-Copy-config-entries-to-the-target-ccache.patch
License: MIT License: MIT
URL: http://web.mit.edu/kerberos/www/ URL: http://web.mit.edu/kerberos/www/
@ -299,6 +305,13 @@ certificate.
%setup -q -a 3 -a 100 %setup -q -a 3 -a 100
ln -s NOTICE LICENSE ln -s NOTICE LICENSE
%patch201 -p1 -b .Don-t-try-to-stat-not-on-disk-ccache-residuals
%patch202 -p1 -b .Use-an-in-memory-cache-until-we-need-the-target-s
%patch203 -p1 -b .Learn-to-destroy-the-ccache-we-re-copying-from
%patch204 -p1 -b .Try-to-use-the-default_ccache_name-d-as-the-target
%patch205 -p1 -b .Be-more-careful-of-target-ccache-collections
%patch206 -p1 -b .Copy-config-entries-to-the-target-ccache
%patch60 -p1 -b .pam %patch60 -p1 -b .pam
%patch63 -p1 -b .selinux-label %patch63 -p1 -b .selinux-label
@ -978,6 +991,10 @@ exit 0
%{_sbindir}/uuserver %{_sbindir}/uuserver
%changelog %changelog
* Fri Jan 31 2014 Nalin Dahyabhai <nalin@redhat.com> - 1.12.1-3
- add currently-proposed changes to teach ksu about credential cache
collections and the default_ccache_name setting (#1015559,#1026099)
* Tue Jan 21 2014 Nalin Dahyabhai <nalin@redhat.com> - 1.12.1-2 * Tue Jan 21 2014 Nalin Dahyabhai <nalin@redhat.com> - 1.12.1-2
- pull in multiple changes to allow replay caches to be added to a GSS - pull in multiple changes to allow replay caches to be added to a GSS
credential store as "rcache"-type credentials (RT#7818/#7819/#7836, credential store as "rcache"-type credentials (RT#7818/#7819/#7836,