diff --git a/_kadmind b/_kadmind deleted file mode 100644 index b073cfb..0000000 --- a/_kadmind +++ /dev/null @@ -1,14 +0,0 @@ -#!/bin/sh -# -# Check for error conditions which the init system expects us to check and -# for other common errors, and exit with the expected status codes. -# -kadmind=/usr/sbin/kadmind -if test -f /var/kerberos/krb5kdc/kpropd.acl ; then - echo $"Error. This appears to be a slave server, found kpropd.acl" - exit 6 -fi -if ! test -x "$kadmind" ; then - exit 5 -fi -exec "$kadmind" "$@" diff --git a/_kpropd b/_kpropd deleted file mode 100644 index 1808368..0000000 --- a/_kpropd +++ /dev/null @@ -1,14 +0,0 @@ -#!/bin/sh -# -# Check for error conditions which the init system expects us to check and -# for other common errors, and exit with the expected status codes. -# -kpropd=/usr/sbin/kpropd -if ! test -f /var/kerberos/krb5kdc/kpropd.acl ; then - echo $"Error. This does not appear to be a slave server, kpropd.acl not found" - exit 6 -fi -if ! test -x "$kpropd" ; then - exit 5 -fi -exec "$kpropd" "$@" diff --git a/kadmin.service b/kadmin.service index ede159e..49657f6 100644 --- a/kadmin.service +++ b/kadmin.service @@ -1,12 +1,13 @@ [Unit] Description=Kerberos 5 Password-changing and Administration After=syslog.target network.target +AssertPathExists=!/var/kerberos/krb5kdc/kpropd.acl [Service] Type=forking PIDFile=/var/run/kadmind.pid EnvironmentFile=-/etc/sysconfig/kadmin -ExecStart=/usr/sbin/_kadmind -P /var/run/kadmind.pid $KADMIND_ARGS +ExecStart=/usr/sbin/kadmind -P /var/run/kadmind.pid $KADMIND_ARGS ExecReload=/bin/kill -HUP $MAINPID [Install] diff --git a/kadmind.init b/kadmind.init deleted file mode 100755 index 8915e2b..0000000 --- a/kadmind.init +++ /dev/null 
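Review bot: The added `AssertPathExists=!/var/kerberos/krb5kdc/kpropd.acl` line in the kadmin.service hunk has no comment explaining it. The message in the deleted _kadmind wrapper ("This appears to be a slave server, found kpropd.acl") was the only place that said why this file blocks kadmind. When the assertion fails, an administrator will most likely see only an unmet-assertion failure for the unit, not the reason. I would put a comment directly above the directive, for example `# kadmind must run only on the master KDC; kpropd.acl marks this host as a replica.`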
@@ -1,108 +0,0 @@
-#!/bin/bash
-#
-# kadmind Start and stop the Kerberos 5 administrative server.
-#
-# chkconfig: - 35 65
-# description: Kerberos 5 is a trusted third-party authentication system. \
-# This script starts and stops the Kerberos 5 administrative \
-# server, which should only be run on the master server for a \
-# realm.
-# processname: kadmind
-# config: /etc/sysconfig/kadmin
-# pidfile: /var/run/kadmind.pid
-#
-
-### BEGIN INIT INFO
-# Provides: kadmin
-# Required-Start: $local_fs $network
-# Required-Stop: $local_fs $network
-# Should-Start: portreserve
-# Default-Start:
-# Default-Stop: 0 1 2 3 4 5 6
-# Short-Description: start and stop the Kerberos 5 admin server
-# Description: The kadmind service allows administrators to remotely manage \
-# the Kerberos 5 realm database. It should only be run on a \
-# master KDC.
-### END INIT INFO
-
-# Get config.
-. /etc/sysconfig/network
-
-# Get config.
-[ -r /etc/sysconfig/kadmin ] && . /etc/sysconfig/kadmin
-
-# Source function library.
-. /etc/init.d/functions
-prog="Kerberos 5 Admin Server"
-kadmind=/usr/sbin/kadmind
-pidfile=/var/run/kadmind.pid
-
-RETVAL=0
-
-# Shell functions to cut down on useless shell instances.
-start() {
- if [ -f /var/kerberos/krb5kdc/kpropd.acl ] ; then
- echo $"Error. This appears to be a slave server, found kpropd.acl"
- exit 6
- else
- [ -x $kadmind ] || exit 5
- fi
- echo -n $"Starting $prog: "
- # tell portreserve to release the kerberos-adm port
- [ -x /sbin/portrelease ] && /sbin/portrelease kerberos-adm &>/dev/null || :
- daemon ${kadmind} ${KRB5REALM:+-r ${KRB5REALM}} -P $pidfile $KADMIND_ARGS
- RETVAL=$?
- echo
- if test $RETVAL -ne 0 ; then
- if status -l kadmin ${kadmind} > /dev/null ; then
- RETVAL=0
- fi
- fi
- [ $RETVAL = 0 ] && touch /var/lock/subsys/kadmin
-}
-stop() {
- echo -n $"Stopping $prog: "
- killproc ${kadmind}
- RETVAL=$?
- echo - [ $RETVAL = 0 ] && rm -f /var/lock/subsys/kadmin -} -reload() { - echo -n $"Reopening $prog log file: " - killproc ${kadmind} -HUP - RETVAL=$? - echo -} - -# See how we were called. -case "$1" in - start) - start - ;; - stop) - stop - ;; - restart) - stop - start - ;; - status) - status -l kadmin ${kadmind} - RETVAL=$? - ;; - reload) - reload - ;; - condrestart) - if [ -f /var/lock/subsys/kadmin ] ; then - stop - start - fi - ;; - *) - echo $"Usage: $0 {start|stop|status|condrestart|reload|restart}" - RETVAL=2 - ;; -esac - -exit $RETVAL diff --git a/kprop.service b/kprop.service index 4ed2247..64d5de1 100644 --- a/kprop.service +++ b/kprop.service @@ -1,10 +1,11 @@ [Unit] Description=Kerberos 5 Propagation After=syslog.target network.target +AssertPathExists=!/var/kerberos/krb5kdc/kpropd.acl [Service] Type=forking -ExecStart=/usr/sbin/_kpropd +ExecStart=/usr/sbin/kpropd [Install] WantedBy=multi-user.target diff --git a/kpropd.init b/kpropd.init deleted file mode 100755 index b872ee3..0000000 --- a/kpropd.init +++ /dev/null 
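Review bot: In the kprop.service hunk, `AssertPathExists=!/var/kerberos/krb5kdc/kpropd.acl` inverts the check made by the deleted _kpropd wrapper. The wrapper refused to start when kpropd.acl was missing ("This does not appear to be a slave server, kpropd.acl not found"), whereas the leading `!` makes the unit refuse to start when the file is present. As written, kpropd fails its assertion on a replica that has the ACL and is allowed to start on a host without one, which is the same condition kadmin.service now uses for the master. The line should be `AssertPathExists=/var/kerberos/krb5kdc/kpropd.acl`, preferably with a comment such as `# kpropd only makes sense on a replica; kpropd.acl lists who may push the database`.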
@@ -1,92 +0,0 @@
-#!/bin/bash
-#
-# kpropd.init Start and stop the Kerberos 5 propagation client.
-#
-# chkconfig: - 35 65
-# description: Kerberos 5 is a trusted third-party authentication system. \
-# This script starts and stops the service that allows this \
-# KDC to receive updates from your master KDC.
-# processname: kpropd
-#
-
-### BEGIN INIT INFO
-# Provides: kprop
-# Required-Start: $local_fs $network
-# Required-Stop: $local_fs $network
-# Should-Start: portreserve
-# Default-Start:
-# Default-Stop: 0 1 2 3 4 5 6
-# Short-Description: start and stop the Kerberos 5 propagation client
-# Description: The kpropd service accepts database updates pushed to it from \
-# the master KDC. It will never be needed on a master KDC.
-### END INIT INFO
-
-# Get config.
-. /etc/sysconfig/network
-
-# Source function library.
-. /etc/init.d/functions
-
-RETVAL=0
-prog="Kerberos 5 Propagation Server"
-kpropd=/usr/sbin/kpropd
-
-# Shell functions to cut down on useless shell instances.
-start() {
- [ -f /var/kerberos/krb5kdc/kpropd.acl ] || exit 6
- [ -x $kpropd ] || exit 5
- echo -n $"Starting $prog: "
- # tell portreserve to release the krb5_prop port
- [ -x /sbin/portrelease ] && /sbin/portrelease krb5_prop &>/dev/null || :
- daemon ${kpropd} -S
- RETVAL=$?
- echo
- if test $RETVAL -ne 0 ; then
- if status -l kprop ${kpropd} > /dev/null ; then
- RETVAL=0
- fi
- fi
- [ $RETVAL = 0 ] && touch /var/lock/subsys/kprop
-}
-stop() {
- echo -n $"Stopping $prog: "
- killproc ${kpropd}
- RETVAL=$?
- echo
- [ $RETVAL = 0 ] && rm -f /var/lock/subsys/kprop
-}
-
-# See how we were called.
-case "$1" in
- start)
- start
- ;;
- stop)
- stop
- ;;
- # We don't really "do" reload, so treat it as a restart.
- restart|force-reload)
- stop
- start
- ;;
- reload)
- echo "can't reload configuration, you have to restart it"
- RETVAL=3
- ;;
- status)
- status -l kprop ${kpropd}
- RETVAL=$?
- ;; - condrestart) - if [ -f /var/lock/subsys/kprop ] ; then - stop - start - fi - ;; - *) - echo $"Usage: $0 {start|stop|restart|condrestart|reload|status|force-reload}" - RETVAL=2 - ;; -esac - -exit $RETVAL diff --git a/krb5.spec b/krb5.spec index 32c1bdf..31c8b28 100644 --- a/krb5.spec +++ b/krb5.spec @@ -13,7 +13,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.14 -Release: 18%{?dist} +Release: 19%{?dist} # - Maybe we should explode from the now-available-to-everybody tarball instead? # http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar # - The sources below are stored in a lookaside cache. Upload with @@ -26,8 +26,8 @@ Source2: kprop.service Source4: kadmin.service Source5: krb5kdc.service Source6: krb5.conf -Source7: _kpropd -Source8: _kadmind +#Source7: _kpropd +#Source8: _kadmind Source10: kdc.conf Source11: kadm5.acl Source19: krb5kdc.sysconfig @@ -37,9 +37,9 @@ Source31: kerberos-adm.portreserve Source32: krb5_prop.portreserve Source33: krb5kdc.logrotate Source34: kadmind.logrotate -Source36: kpropd.init -Source37: kadmind.init -Source38: krb5kdc.init +#Source36: kpropd.init +#Source37: kadmind.init +#Source38: krb5kdc.init Source39: krb5-krb5kdc.conf # Carry this locally until it's available in a packaged form. @@ -432,12 +432,6 @@ for unit in \ # is an upgrade-time problem I'm in no hurry to deal with. install -pm 644 ${unit} $RPM_BUILD_ROOT%{_unitdir} done -mkdir -p $RPM_BUILD_ROOT%{_sbindir} -for wrapper in \ - %{SOURCE7} \ - %{SOURCE8} ; do - install -pm 755 ${wrapper} $RPM_BUILD_ROOT%{_sbindir}/ -done mkdir -p $RPM_BUILD_ROOT/%{_tmpfilesdir} install -pm 644 %{SOURCE39} $RPM_BUILD_ROOT/%{_tmpfilesdir}/ mkdir -p $RPM_BUILD_ROOT/%{_localstatedir}/run/krb5kdc 
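Review bot: The second and third krb5.spec hunks keep the dropped sources as commented-out tags (`#Source7: _kpropd`, `#Source8: _kadmind`, `#Source36: kpropd.init`, `#Source37: kadmind.init`, `#Source38: krb5kdc.init`) rather than deleting the lines. This commit deletes all five files, so the comments name sources that no longer exist in the repository, and the history is already kept by git. I would remove the five lines outright. If the gap in the Source numbering should stay visible, one comment such as `# Source7/8 and Source36-38 (wrapper scripts, SysV init scripts) dropped in 1.14-19` records it in one place.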
@@ -658,14 +652,12 @@ exit 0 %{_sbindir}/kadmin.local %{_mandir}/man8/kadmin.local.8* %{_sbindir}/kadmind -%{_sbindir}/_kadmind %{_mandir}/man8/kadmind.8* %{_sbindir}/kdb5_util %{_mandir}/man8/kdb5_util.8* %{_sbindir}/kprop %{_mandir}/man8/kprop.8* %{_sbindir}/kpropd -%{_sbindir}/_kpropd %{_mandir}/man8/kpropd.8* %{_sbindir}/kproplog %{_mandir}/man8/kproplog.8* @@ -775,6 +767,11 @@ exit 0 %changelog +* Thu Jan 28 2016 Robbie Harwood - 1.14-19 +- Replace _kadmin/_kprop with systemd macros +- Remove traces of upstart from fedora package per policy +- Resolves: #1290185 + * Wed Jan 27 2016 Robbie Harwood - 1.14-18 - Fix CVE-2015-8629, CVE-2015-8630, CVE-2015-8631 diff --git a/krb5kdc.init b/krb5kdc.init deleted file mode 100755 index 3462ca6..0000000 --- a/krb5kdc.init +++ /dev/null 
@@ -1,102 +0,0 @@
-#!/bin/bash
-#
-# krb5kdc Start and stop the Kerberos 5 servers.
-#
-# chkconfig: - 35 65
-# description: Kerberos 5 is a trusted third-party authentication system. \
-# This script starts and stops the server that Kerberos 5 \
-# clients need to connect to in order to obtain credentials.
-# processname: krb5kdc
-# config: /etc/sysconfig/krb5kdc
-# pidfile: /var/run/krb5kdc.pid
-#
-
-### BEGIN INIT INFO
-# Provides: krb5kdc
-# Required-Start: $local_fs $network
-# Required-Stop: $local_fs $network
-# Should-Start: portreserve
-# Default-Start:
-# Default-Stop: 0 1 2 3 4 5 6
-# Short-Description: start and stop the Kerberos 5 KDC
-# Description: The krb5kdc is the Kerberos 5 key distribution center, which \
-# issues credentials to Kerberos 5 clients.
-### END INIT INFO
-
-# Get config.
-. /etc/sysconfig/network
-
-# Get config.
-[ -r /etc/sysconfig/krb5kdc ] && . /etc/sysconfig/krb5kdc
-
-# Source function library.
-. /etc/rc.d/init.d/functions
-
-RETVAL=0
-prog="Kerberos 5 KDC"
-krb5kdc=/usr/sbin/krb5kdc
-pidfile=/var/run/krb5kdc.pid
-PATH=/usr/lib64/krb5:/usr/lib/krb5:"$PATH"
-
-# Shell functions to cut down on useless shell instances.
-start() {
- [ -x $krb5kdc ] || exit 5
- echo -n $"Starting $prog: "
- # tell portreserve to release the kerberos-iv port
- [ -x /sbin/portrelease ] && /sbin/portrelease kerberos-iv &>/dev/null || :
- daemon ${krb5kdc} ${KRB5REALM:+-r ${KRB5REALM}} -P $pidfile $KRB5KDC_ARGS
- RETVAL=$?
- echo
- if test $RETVAL -ne 0 ; then
- if status ${krb5kdc} > /dev/null ; then
- RETVAL=0
- fi
- fi
- [ $RETVAL = 0 ] && touch /var/lock/subsys/krb5kdc
-}
-stop() {
- echo -n $"Stopping $prog: "
- killproc ${krb5kdc}
- RETVAL=$?
- echo
- [ $RETVAL = 0 ] && rm -f /var/lock/subsys/krb5kdc
-}
-reload() {
- echo -n $"Reopening $prog log file: "
- killproc ${krb5kdc} -HUP
- RETVAL=$?
- echo
-}
-
-# See how we were called.
-case "$1" in
- start)
- start
- ;;
- stop)
- stop
- ;;
- restart)
- stop
- start
- ;;
- reload)
- reload
- ;;
- status)
- status ${krb5kdc}
- RETVAL=$?
- ;;
- condrestart)
- if [ -f /var/lock/subsys/krb5kdc ] ; then
- stop
- start
- fi
- ;;
- *)
- echo $"Usage: $0 {start|stop|status|reload|restart|condrestart}"
- RETVAL=2
- ;;
-esac
-
-exit $RETVAL