diff --git a/krb5-1.10-ksu-access.patch b/krb5-1.10-ksu-access.patch
deleted file mode 100644
index ca155f7..0000000
--- a/krb5-1.10-ksu-access.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-The idea is to not complain about problems in the default ticket file if we
-couldn't read it, because the client would be able to tell if it's there or
-not, and we're implicitly letting the client tell us where it is. Still needs
-work, I think.
-
---- krb5/src/clients/ksu/ccache.c
-+++ krb5/src/clients/ksu/ccache.c
-@@ -78,7 +78,7 @@ krb5_error_code krb5_ccache_copy (contex
- cc_def_name = krb5_cc_get_name(context, cc_def);
- cc_other_name = krb5_cc_get_name(context, *cc_other);
-
-- if ( ! stat(cc_def_name, &st_temp)){
-+ if ( ! access(cc_def_name, R_OK) && ! stat(cc_def_name, &st_temp)){
- if((retval = krb5_get_nonexp_tkts(context,cc_def,&cc_def_creds_arr))){
- return retval;
- }
---- krb5/src/clients/ksu/heuristic.c
-+++ krb5/src/clients/ksu/heuristic.c
-@@ -409,7 +409,7 @@ krb5_error_code find_either_ticket (cont
-
- cc_source_name = krb5_cc_get_name(context, cc);
-
-- if ( ! stat(cc_source_name, &st_temp)){
-+ if ( ! access(cc_source_name, F_OK | R_OK) && ! stat(cc_source_name, &st_temp)){
-
- retval = find_ticket(context, cc, client, end_server, &temp_found);
- if (retval)
-@@ -569,7 +569,7 @@ krb5_error_code get_best_princ_for_targe
- cc_source_name = krb5_cc_get_name(context, cc_source);
-
-
-- if (! stat(cc_source_name, &st_temp)) {
-+ if (! access(cc_source_name, F_OK | R_OK) && ! stat(cc_source_name, &st_temp)) {
- retval = krb5_cc_get_principal(context, cc_source, &cc_def_princ);
- if (retval)
- return retval;
---- krb5/src/clients/ksu/main.c
-+++ krb5/src/clients/ksu/main.c
-@@ -270,7 +270,7 @@ main (argc, argv)
- if ( strchr(cc_source_tag, ':')){
- cc_source_tag_tmp = strchr(cc_source_tag, ':') + 1;
-
-- if( stat( cc_source_tag_tmp, &st_temp)){
-+ if( access( cc_source_tag_tmp, F_OK | R_OK) || stat( cc_source_tag_tmp, &st_temp)){
- com_err(prog_name, errno,
- _("while looking for credentials file %s"),
- cc_source_tag_tmp);
diff --git a/krb5.spec b/krb5.spec
index 44cd41b..bbb1a38 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -41,7 +41,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.11.3 -Release: 27%{?dist} +Release: 28%{?dist} # Maybe we should explode from the now-available-to-everybody tarball instead? # http://web.mit.edu/kerberos/dist/krb5/1.11/krb5-1.11.3-signed.tar Source0: krb5-%{version}.tar.gz @@ -74,7 +74,6 @@ BuildRequires: cmake Source100: nss_wrapper-0.0-20130719153839Z.git6cb59864.bz2 Source101: noport.c -Patch5: krb5-1.10-ksu-access.patch Patch6: krb5-1.10-ksu-path.patch Patch12: krb5-1.7-ktany.patch Patch16: krb5-1.10-buildconf.patch @@ -318,7 +317,6 @@ ln -s NOTICE LICENSE %patch63 -p1 -b .selinux-label -%patch5 -p1 -b .ksu-access %patch6 -p1 -b .ksu-path %patch12 -p1 -b .ktany %patch16 -p1 -b .buildconf %{?_rawbuild} @@ -1006,6 +1004,11 @@ exit 0 %{_sbindir}/uuserver %changelog +* Mon Nov 4 2013 Nalin Dahyabhai - 1.11.3-28 +- drop patch to add additional access() checks to ksu - they add to breakage + when non-FILE: caches are in use (#1026099), shouldn't be resulting in any + benefit, and clash with proposed changes to fix its cache handling + * Tue Oct 22 2013 Nalin Dahyabhai - 1.11.3-27 - add some minimal description to the top of the wrapper scripts we use when starting krb5kdc and kadmind to describe why they exist (tooling)