rpms/krb5
7
0
Fork 0
Code Issues Pull Requests Releases Activity

- ksu: move session management calls to before we drop privileges, like su

Browse Source 
does (#596887)
This commit is contained in:
Nalin Dahyabhai 2010-05-27 20:01:43 +00:00
parent b60e63ef2b
commit ccdc4a4228
2 changed files with 41 additions and 37 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
krb5-1.8-pam.patch
View File

@ -1,5 +1,5 @@
Modify ksu so that it performs account and session management for the Modify ksu so that it performs account and session management on behalf of
target user account, mimicking the action of regular su. The default the target user account, mimicking the action of regular su. The default
service name is "ksu", because on Fedora at least the configuration used service name is "ksu", because on Fedora at least the configuration used
is determined by whether or not a login shell is being opened, and so is determined by whether or not a login shell is being opened, and so
this may need to vary, too. At run-time, ksu's behavior can be reset to this may need to vary, too. At run-time, ksu's behavior can be reset to
@ -8,7 +8,8 @@ section of /etc/krb5.conf.
When enabled, ksu gains a dependency on libpam. When enabled, ksu gains a dependency on libpam.
Originally RT#5939. Originally RT#5939, though it's changed since then to perform the account
and session management before dropping privileges.
diff -up krb5-1.8/src/aclocal.m4.pam krb5-1.8/src/aclocal.m4 diff -up krb5-1.8/src/aclocal.m4.pam krb5-1.8/src/aclocal.m4
--- krb5-1.8/src/aclocal.m4.pam 2009-11-22 12:00:45.000000000 -0500 --- krb5-1.8/src/aclocal.m4.pam 2009-11-22 12:00:45.000000000 -0500
@ -140,20 +141,10 @@ diff -up krb5-1.8/src/clients/ksu/main.c.pam krb5-1.8/src/clients/ksu/main.c
/* Run authorization as target.*/ /* Run authorization as target.*/
if (krb5_seteuid(target_uid)) { if (krb5_seteuid(target_uid)) {
com_err(prog_name, errno, "while switching to target for authorization check"); com_err(prog_name, errno, "while switching to target for authorization check");
@@ -792,7 +817,7 @@ main (argc, argv) @@ -720,6 +745,32 @@
fprintf(stderr, "program to be execed %s\n",params[0]); exit(1);
} }
- if( keep_target_cache ) {
+ if( keep_target_cache && !force_fork ) {
execv(params[0], params);
com_err(prog_name, errno, "while trying to execv %s",
params[0]);
@@ -800,6 +825,33 @@ main (argc, argv)
exit(1);
}else{
statusp = 1;
+
+#ifdef USE_PAM +#ifdef USE_PAM
+ if (appl_pam_enabled(ksu_context, "ksu")) { + if (appl_pam_enabled(ksu_context, "ksu")) {
+ if (appl_pam_session_open() != 0) { + if (appl_pam_session_open() != 0) {
@ -180,9 +171,18 @@ diff -up krb5-1.8/src/clients/ksu/main.c.pam krb5-1.8/src/clients/ksu/main.c
+ } + }
+#endif +#endif
+ +
switch ((child_pid = fork())) { /* set permissions */
default: if (setgid(target_pwd->pw_gid) < 0) {
if (auth_debug){ perror("ksu: setgid");
@@ -792,7 +817,7 @@ main (argc, argv)
fprintf(stderr, "program to be execed %s\n",params[0]);
}
- if( keep_target_cache ) {
+ if( keep_target_cache && !force_fork ) {
execv(params[0], params);
com_err(prog_name, errno, "while trying to execv %s",
params[0]);
@@ -823,15 +875,34 @@ main (argc, argv) @@ -823,15 +875,34 @@ main (argc, argv)
if (ret_pid == -1) { if (ret_pid == -1) {
com_err(prog_name, errno, "while calling waitpid"); com_err(prog_name, errno, "while calling waitpid");

4
krb5.spec
View File

@ -625,6 +625,10 @@ exit 0
%{_sbindir}/uuserver %{_sbindir}/uuserver
%changelog %changelog
* Thu May 27 2010 Nalin Dahyabhai <nalin@redhat.com>
- ksu: move session management calls to before we drop privileges, like
su does (#596887)
* Mon May 24 2010 Nalin Dahyabhai <nalin@redhat.com> 1.8.1-6 * Mon May 24 2010 Nalin Dahyabhai <nalin@redhat.com> 1.8.1-6
- make krb5-server-ldap also depend on the same version-release of krb5-libs, - make krb5-server-ldap also depend on the same version-release of krb5-libs,
as the other subpackages do, if only to make it clearer than it is when we as the other subpackages do, if only to make it clearer than it is when we