Sync from SUSE:SLFO:Main krb5 revision 287230d9275888820e67bb25d4c53c40
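--- a/.gitattributes
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text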
776
0001-ksu-pam-integration.patch
Normal file
@ -0,0 +1,776 @@
|
||||
From cb49731c07ee57f64bd5a93a182446bc834b9057 Mon Sep 17 00:00:00 2001
|
||||
From: Robbie Harwood <rharwood@redhat.com>
|
||||
Date: Tue, 23 Aug 2016 16:29:58 -0400
|
||||
Subject: [PATCH 1/8] ksu pam integration
|
||||
|
||||
Modify ksu so that it performs account and session management on behalf of
|
||||
the target user account, mimicking the action of regular su. The default
|
||||
service name is "ksu", because on Fedora at least the configuration used
|
||||
is determined by whether or not a login shell is being opened, and so
|
||||
this may need to vary, too. At run-time, ksu's behavior can be reset to
|
||||
the earlier, non-PAM behavior by setting "use_pam" to false in the [ksu]
|
||||
section of /etc/krb5.conf.
|
||||
|
||||
When enabled, ksu gains a dependency on libpam.
|
||||
|
||||
Originally RT#5939, though it's changed since then to perform the account
|
||||
and session management before dropping privileges, and to apply on top of
|
||||
changes we're proposing for how it handles cache collections.
|
||||
|
||||
Last-updated: krb5-1.18-beta1
|
||||
---
|
||||
src/aclocal.m4 | 68 +++++++
|
||||
src/clients/ksu/Makefile.in | 8 +-
|
||||
src/clients/ksu/main.c | 88 +++++++-
|
||||
src/clients/ksu/pam.c | 389 ++++++++++++++++++++++++++++++++++++
|
||||
src/clients/ksu/pam.h | 57 ++++++
|
||||
src/configure.ac | 2 +
|
||||
6 files changed, 609 insertions(+), 3 deletions(-)
|
||||
create mode 100644 src/clients/ksu/pam.c
|
||||
create mode 100644 src/clients/ksu/pam.h
|
||||
|
||||
diff --git a/src/aclocal.m4 b/src/aclocal.m4
|
||||
index 024d6370c..43eed3b87 100644
|
||||
--- a/src/aclocal.m4
|
||||
+++ b/src/aclocal.m4
|
||||
@@ -1677,3 +1677,71 @@ if test "$with_ldap" = yes; then
|
||||
OPENLDAP_PLUGIN=yes
|
||||
fi
|
||||
])dnl
|
||||
+dnl
|
||||
+dnl
|
||||
+dnl Use PAM instead of local crypt() compare for checking local passwords,
|
||||
+dnl and perform PAM account, session management, and password-changing where
|
||||
+dnl appropriate.
|
||||
+dnl
|
||||
+AC_DEFUN(KRB5_WITH_PAM,[
|
||||
+AC_ARG_WITH(pam,[AC_HELP_STRING(--with-pam,[compile with PAM support])],
|
||||
+ withpam="$withval",withpam=auto)
|
||||
+AC_ARG_WITH(pam-ksu-service,[AC_HELP_STRING(--with-ksu-service,[PAM service name for ksu ["ksu"]])],
|
||||
+ withksupamservice="$withval",withksupamservice=ksu)
|
||||
+old_LIBS="$LIBS"
|
||||
+if test "$withpam" != no ; then
|
||||
+ AC_MSG_RESULT([checking for PAM...])
|
||||
+ PAM_LIBS=
|
||||
+
|
||||
+ AC_CHECK_HEADERS(security/pam_appl.h)
|
||||
+ if test "x$ac_cv_header_security_pam_appl_h" != xyes ; then
|
||||
+ if test "$withpam" = auto ; then
|
||||
+ AC_MSG_RESULT([Unable to locate security/pam_appl.h.])
|
||||
+ withpam=no
|
||||
+ else
|
||||
+ AC_MSG_ERROR([Unable to locate security/pam_appl.h.])
|
||||
+ fi
|
||||
+ fi
|
||||
+
|
||||
+ LIBS=
|
||||
+ unset ac_cv_func_pam_start
|
||||
+ AC_CHECK_FUNCS(putenv pam_start)
|
||||
+ if test "x$ac_cv_func_pam_start" = xno ; then
|
||||
+ unset ac_cv_func_pam_start
|
||||
+ AC_CHECK_LIB(dl,dlopen)
|
||||
+ AC_CHECK_FUNCS(pam_start)
|
||||
+ if test "x$ac_cv_func_pam_start" = xno ; then
|
||||
+ AC_CHECK_LIB(pam,pam_start)
|
||||
+ unset ac_cv_func_pam_start
|
||||
+ unset ac_cv_func_pam_getenvlist
|
||||
+ AC_CHECK_FUNCS(pam_start pam_getenvlist)
|
||||
+ if test "x$ac_cv_func_pam_start" = xyes ; then
|
||||
+ PAM_LIBS="$LIBS"
|
||||
+ else
|
||||
+ if test "$withpam" = auto ; then
|
||||
+ AC_MSG_RESULT([Unable to locate libpam.])
|
||||
+ withpam=no
|
||||
+ else
|
||||
+ AC_MSG_ERROR([Unable to locate libpam.])
|
||||
+ fi
|
||||
+ fi
|
||||
+ fi
|
||||
+ fi
|
||||
+ if test "$withpam" != no ; then
|
||||
+ AC_MSG_NOTICE([building with PAM support])
|
||||
+ AC_DEFINE(USE_PAM,1,[Define if Kerberos-aware tools should support PAM])
|
||||
+ AC_DEFINE_UNQUOTED(KSU_PAM_SERVICE,"$withksupamservice",
|
||||
+ [Define to the name of the PAM service name to be used by ksu.])
|
||||
+ PAM_LIBS="$LIBS"
|
||||
+ NON_PAM_MAN=".\\\" "
|
||||
+ PAM_MAN=
|
||||
+ else
|
||||
+ PAM_MAN=".\\\" "
|
||||
+ NON_PAM_MAN=
|
||||
+ fi
|
||||
+fi
|
||||
+LIBS="$old_LIBS"
|
||||
+AC_SUBST(PAM_LIBS)
|
||||
+AC_SUBST(PAM_MAN)
|
||||
+AC_SUBST(NON_PAM_MAN)
|
||||
+])dnl
|
||||
diff --git a/src/clients/ksu/Makefile.in b/src/clients/ksu/Makefile.in
|
||||
index 8b4edce4d..9d58f29b5 100644
|
||||
--- a/src/clients/ksu/Makefile.in
|
||||
+++ b/src/clients/ksu/Makefile.in
|
||||
@@ -3,12 +3,14 @@ BUILDTOP=$(REL)..$(S)..
|
||||
DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/usr/local/sbin /usr/local/bin /sbin /bin /usr/sbin /usr/bin"'
|
||||
|
||||
KSU_LIBS=@KSU_LIBS@
|
||||
+PAM_LIBS=@PAM_LIBS@
|
||||
|
||||
SRCS = \
|
||||
$(srcdir)/krb_auth_su.c \
|
||||
$(srcdir)/ccache.c \
|
||||
$(srcdir)/authorization.c \
|
||||
$(srcdir)/main.c \
|
||||
+ $(srcdir)/pam.c \
|
||||
$(srcdir)/heuristic.c \
|
||||
$(srcdir)/xmalloc.c \
|
||||
$(srcdir)/setenv.c
|
||||
@@ -17,13 +19,17 @@ OBJS = \
|
||||
ccache.o \
|
||||
authorization.o \
|
||||
main.o \
|
||||
+ pam.o \
|
||||
heuristic.o \
|
||||
xmalloc.o @SETENVOBJ@
|
||||
|
||||
all: ksu
|
||||
|
||||
ksu: $(OBJS) $(KRB5_BASE_DEPLIBS)
|
||||
- $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS)
|
||||
+ $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS) $(PAM_LIBS)
|
||||
+
|
||||
+pam.o: pam.c
|
||||
+ $(CC) $(ALL_CFLAGS) -c $<
|
||||
|
||||
clean:
|
||||
$(RM) ksu
|
||||
diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c
|
||||
index af1286172..931f05404 100644
|
||||
--- a/src/clients/ksu/main.c
|
||||
+++ b/src/clients/ksu/main.c
|
||||
@@ -26,6 +26,7 @@
|
||||
* KSU was written by: Ari Medvinsky, ari@isi.edu
|
||||
*/
|
||||
|
||||
+#include "autoconf.h"
|
||||
#include "ksu.h"
|
||||
#include "adm_proto.h"
|
||||
#include <sys/types.h>
|
||||
@@ -33,6 +34,10 @@
|
||||
#include <signal.h>
|
||||
#include <grp.h>
|
||||
|
||||
+#ifdef USE_PAM
|
||||
+#include "pam.h"
|
||||
+#endif
|
||||
+
|
||||
/* globals */
|
||||
char * prog_name;
|
||||
int auth_debug =0;
|
||||
@@ -40,6 +45,7 @@ char k5login_path[MAXPATHLEN];
|
||||
char k5users_path[MAXPATHLEN];
|
||||
char * gb_err = NULL;
|
||||
int quiet = 0;
|
||||
+int force_fork = 0;
|
||||
/***********/
|
||||
|
||||
#define KS_TEMPORARY_CACHE "MEMORY:_ksu"
|
||||
@@ -536,6 +542,23 @@ main (argc, argv)
|
||||
prog_name,target_user,client_name,
|
||||
source_user,ontty());
|
||||
|
||||
+#ifdef USE_PAM
|
||||
+ if (appl_pam_enabled(ksu_context, "ksu")) {
|
||||
+ if (appl_pam_acct_mgmt(KSU_PAM_SERVICE, 1, target_user, NULL,
|
||||
+ NULL, source_user,
|
||||
+ ttyname(STDERR_FILENO)) != 0) {
|
||||
+ fprintf(stderr, "Access denied for %s.\n", target_user);
|
||||
+ exit(1);
|
||||
+ }
|
||||
+ if (appl_pam_requires_chauthtok()) {
|
||||
+ fprintf(stderr, "Password change required for %s.\n",
|
||||
+ target_user);
|
||||
+ exit(1);
|
||||
+ }
|
||||
+ force_fork++;
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
/* Run authorization as target.*/
|
||||
if (krb5_seteuid(target_uid)) {
|
||||
com_err(prog_name, errno, _("while switching to target for "
|
||||
@@ -596,6 +619,24 @@ main (argc, argv)
|
||||
|
||||
exit(1);
|
||||
}
|
||||
+#ifdef USE_PAM
|
||||
+ } else {
|
||||
+ /* we always do PAM account management, even for root */
|
||||
+ if (appl_pam_enabled(ksu_context, "ksu")) {
|
||||
+ if (appl_pam_acct_mgmt(KSU_PAM_SERVICE, 1, target_user, NULL,
|
||||
+ NULL, source_user,
|
||||
+ ttyname(STDERR_FILENO)) != 0) {
|
||||
+ fprintf(stderr, "Access denied for %s.\n", target_user);
|
||||
+ exit(1);
|
||||
+ }
|
||||
+ if (appl_pam_requires_chauthtok()) {
|
||||
+ fprintf(stderr, "Password change required for %s.\n",
|
||||
+ target_user);
|
||||
+ exit(1);
|
||||
+ }
|
||||
+ force_fork++;
|
||||
+ }
|
||||
+#endif
|
||||
}
|
||||
|
||||
if( some_rest_copy){
|
||||
@@ -653,6 +694,30 @@ main (argc, argv)
|
||||
exit(1);
|
||||
}
|
||||
|
||||
+#ifdef USE_PAM
|
||||
+ if (appl_pam_enabled(ksu_context, "ksu")) {
|
||||
+ if (appl_pam_session_open() != 0) {
|
||||
+ fprintf(stderr, "Error opening session for %s.\n", target_user);
|
||||
+ exit(1);
|
||||
+ }
|
||||
+#ifdef DEBUG
|
||||
+ if (auth_debug){
|
||||
+ printf(" Opened PAM session.\n");
|
||||
+ }
|
||||
+#endif
|
||||
+ if (appl_pam_cred_init()) {
|
||||
+ fprintf(stderr, "Error initializing credentials for %s.\n",
|
||||
+ target_user);
|
||||
+ exit(1);
|
||||
+ }
|
||||
+#ifdef DEBUG
|
||||
+ if (auth_debug){
|
||||
+ printf(" Initialized PAM credentials.\n");
|
||||
+ }
|
||||
+#endif
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
/* set permissions */
|
||||
if (setgid(target_pwd->pw_gid) < 0) {
|
||||
perror("ksu: setgid");
|
||||
@@ -750,7 +815,7 @@ main (argc, argv)
|
||||
fprintf(stderr, "program to be execed %s\n",params[0]);
|
||||
}
|
||||
|
||||
- if( keep_target_cache ) {
|
||||
+ if( keep_target_cache && !force_fork ) {
|
||||
execv(params[0], params);
|
||||
com_err(prog_name, errno, _("while trying to execv %s"), params[0]);
|
||||
sweep_up(ksu_context, cc_target);
|
||||
@@ -780,16 +845,35 @@ main (argc, argv)
|
||||
if (ret_pid == -1) {
|
||||
com_err(prog_name, errno, _("while calling waitpid"));
|
||||
}
|
||||
- sweep_up(ksu_context, cc_target);
|
||||
+ if( !keep_target_cache ) {
|
||||
+ sweep_up(ksu_context, cc_target);
|
||||
+ }
|
||||
exit (statusp);
|
||||
case -1:
|
||||
com_err(prog_name, errno, _("while trying to fork."));
|
||||
sweep_up(ksu_context, cc_target);
|
||||
exit (1);
|
||||
case 0:
|
||||
+#ifdef USE_PAM
|
||||
+ if (appl_pam_enabled(ksu_context, "ksu")) {
|
||||
+ if (appl_pam_setenv() != 0) {
|
||||
+ fprintf(stderr, "Error setting up environment for %s.\n",
|
||||
+ target_user);
|
||||
+ exit (1);
|
||||
+ }
|
||||
+#ifdef DEBUG
|
||||
+ if (auth_debug){
|
||||
+ printf(" Set up PAM environment.\n");
|
||||
+ }
|
||||
+#endif
|
||||
+ }
|
||||
+#endif
|
||||
execv(params[0], params);
|
||||
com_err(prog_name, errno, _("while trying to execv %s"),
|
||||
params[0]);
|
||||
+ if( keep_target_cache ) {
|
||||
+ sweep_up(ksu_context, cc_target);
|
||||
+ }
|
||||
exit (1);
|
||||
}
|
||||
}
|
||||
diff --git a/src/clients/ksu/pam.c b/src/clients/ksu/pam.c
|
||||
new file mode 100644
|
||||
index 000000000..eb5d03bbf
|
||||
--- /dev/null
|
||||
+++ b/src/clients/ksu/pam.c
|
||||
@@ -0,0 +1,389 @@
|
||||
+/*
|
||||
+ * src/clients/ksu/pam.c
|
||||
+ *
|
||||
+ * Copyright 2007,2009,2010 Red Hat, Inc.
|
||||
+ *
|
||||
+ * All Rights Reserved.
|
||||
+ *
|
||||
+ * Redistribution and use in source and binary forms, with or without
|
||||
+ * modification, are permitted provided that the following conditions are met:
|
||||
+ *
|
||||
+ * Redistributions of source code must retain the above copyright notice, this
|
||||
+ * list of conditions and the following disclaimer.
|
||||
+ *
|
||||
+ * Redistributions in binary form must reproduce the above copyright notice,
|
||||
+ * this list of conditions and the following disclaimer in the documentation
|
||||
+ * and/or other materials provided with the distribution.
|
||||
+ *
|
||||
+ * Neither the name of Red Hat, Inc. nor the names of its contributors may be
|
||||
+ * used to endorse or promote products derived from this software without
|
||||
+ * specific prior written permission.
|
||||
+ *
|
||||
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
|
||||
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
|
||||
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
||||
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
||||
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
||||
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
||||
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||
+ * POSSIBILITY OF SUCH DAMAGE.
|
||||
+ *
|
||||
+ * Convenience wrappers for using PAM.
|
||||
+ */
|
||||
+
|
||||
+#include "autoconf.h"
|
||||
+#ifdef USE_PAM
|
||||
+#include <sys/types.h>
|
||||
+#include <stdio.h>
|
||||
+#include <stdlib.h>
|
||||
+#include <string.h>
|
||||
+#include <unistd.h>
|
||||
+#include "k5-int.h"
|
||||
+#include "pam.h"
|
||||
+
|
||||
+#ifndef MAXPWSIZE
|
||||
+#define MAXPWSIZE 128
|
||||
+#endif
|
||||
+
|
||||
+static int appl_pam_started;
|
||||
+static pid_t appl_pam_starter = -1;
|
||||
+static int appl_pam_session_opened;
|
||||
+static int appl_pam_creds_initialized;
|
||||
+static int appl_pam_pwchange_required;
|
||||
+static pam_handle_t *appl_pamh;
|
||||
+static struct pam_conv appl_pam_conv;
|
||||
+static char *appl_pam_user;
|
||||
+struct appl_pam_non_interactive_args {
|
||||
+ const char *user;
|
||||
+ const char *password;
|
||||
+};
|
||||
+
|
||||
+int
|
||||
+appl_pam_enabled(krb5_context context, const char *section)
|
||||
+{
|
||||
+ int enabled = 1;
|
||||
+ if ((context != NULL) && (context->profile != NULL)) {
|
||||
+ if (profile_get_boolean(context->profile,
|
||||
+ section,
|
||||
+ USE_PAM_CONFIGURATION_KEYWORD,
|
||||
+ NULL,
|
||||
+ enabled, &enabled) != 0) {
|
||||
+ enabled = 1;
|
||||
+ }
|
||||
+ }
|
||||
+ return enabled;
|
||||
+}
|
||||
+
|
||||
+void
|
||||
+appl_pam_cleanup(void)
|
||||
+{
|
||||
+ if (getpid() != appl_pam_starter) {
|
||||
+ return;
|
||||
+ }
|
||||
+#ifdef DEBUG
|
||||
+ printf("Called to clean up PAM.\n");
|
||||
+#endif
|
||||
+ if (appl_pam_creds_initialized) {
|
||||
+#ifdef DEBUG
|
||||
+ printf("Deleting PAM credentials.\n");
|
||||
+#endif
|
||||
+ pam_setcred(appl_pamh, PAM_DELETE_CRED);
|
||||
+ appl_pam_creds_initialized = 0;
|
||||
+ }
|
||||
+ if (appl_pam_session_opened) {
|
||||
+#ifdef DEBUG
|
||||
+ printf("Closing PAM session.\n");
|
||||
+#endif
|
||||
+ pam_close_session(appl_pamh, 0);
|
||||
+ appl_pam_session_opened = 0;
|
||||
+ }
|
||||
+ appl_pam_pwchange_required = 0;
|
||||
+ if (appl_pam_started) {
|
||||
+#ifdef DEBUG
|
||||
+ printf("Shutting down PAM.\n");
|
||||
+#endif
|
||||
+ pam_end(appl_pamh, 0);
|
||||
+ appl_pam_started = 0;
|
||||
+ appl_pam_starter = -1;
|
||||
+ free(appl_pam_user);
|
||||
+ appl_pam_user = NULL;
|
||||
+ }
|
||||
+}
|
||||
+static int
|
||||
+appl_pam_interactive_converse(int num_msg, const struct pam_message **msg,
|
||||
+ struct pam_response **presp, void *appdata_ptr)
|
||||
+{
|
||||
+ const struct pam_message *message;
|
||||
+ struct pam_response *resp;
|
||||
+ int i, code;
|
||||
+ char *pwstring, pwbuf[MAXPWSIZE];
|
||||
+ unsigned int pwsize;
|
||||
+ resp = malloc(sizeof(struct pam_response) * num_msg);
|
||||
+ if (resp == NULL) {
|
||||
+ return PAM_BUF_ERR;
|
||||
+ }
|
||||
+ memset(resp, 0, sizeof(struct pam_response) * num_msg);
|
||||
+ code = PAM_SUCCESS;
|
||||
+ for (i = 0; i < num_msg; i++) {
|
||||
+ message = &(msg[0][i]); /* XXX */
|
||||
+ message = msg[i]; /* XXX */
|
||||
+ pwstring = NULL;
|
||||
+ switch (message->msg_style) {
|
||||
+ case PAM_TEXT_INFO:
|
||||
+ case PAM_ERROR_MSG:
|
||||
+ printf("[%s]\n", message->msg ? message->msg : "");
|
||||
+ fflush(stdout);
|
||||
+ resp[i].resp = NULL;
|
||||
+ resp[i].resp_retcode = PAM_SUCCESS;
|
||||
+ break;
|
||||
+ case PAM_PROMPT_ECHO_ON:
|
||||
+ case PAM_PROMPT_ECHO_OFF:
|
||||
+ if (message->msg_style == PAM_PROMPT_ECHO_ON) {
|
||||
+ if (fgets(pwbuf, sizeof(pwbuf),
|
||||
+ stdin) != NULL) {
|
||||
+ pwbuf[strcspn(pwbuf, "\r\n")] = '\0';
|
||||
+ pwstring = pwbuf;
|
||||
+ }
|
||||
+ } else {
|
||||
+ pwstring = getpass(message->msg ?
|
||||
+ message->msg :
|
||||
+ "");
|
||||
+ }
|
||||
+ if ((pwstring != NULL) && (pwstring[0] != '\0')) {
|
||||
+ pwsize = strlen(pwstring);
|
||||
+ resp[i].resp = malloc(pwsize + 1);
|
||||
+ if (resp[i].resp == NULL) {
|
||||
+ resp[i].resp_retcode = PAM_BUF_ERR;
|
||||
+ } else {
|
||||
+ memcpy(resp[i].resp, pwstring, pwsize);
|
||||
+ resp[i].resp[pwsize] = '\0';
|
||||
+ resp[i].resp_retcode = PAM_SUCCESS;
|
||||
+ }
|
||||
+ } else {
|
||||
+ resp[i].resp_retcode = PAM_CONV_ERR;
|
||||
+ code = PAM_CONV_ERR;
|
||||
+ }
|
||||
+ break;
|
||||
+ default:
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+ *presp = resp;
|
||||
+ return code;
|
||||
+}
|
||||
+static int
|
||||
+appl_pam_non_interactive_converse(int num_msg,
|
||||
+ const struct pam_message **msg,
|
||||
+ struct pam_response **presp,
|
||||
+ void *appdata_ptr)
|
||||
+{
|
||||
+ const struct pam_message *message;
|
||||
+ struct pam_response *resp;
|
||||
+ int i, code;
|
||||
+ unsigned int pwsize;
|
||||
+ struct appl_pam_non_interactive_args *args;
|
||||
+ const char *pwstring;
|
||||
+ resp = malloc(sizeof(struct pam_response) * num_msg);
|
||||
+ if (resp == NULL) {
|
||||
+ return PAM_BUF_ERR;
|
||||
+ }
|
||||
+ args = appdata_ptr;
|
||||
+ memset(resp, 0, sizeof(struct pam_response) * num_msg);
|
||||
+ code = PAM_SUCCESS;
|
||||
+ for (i = 0; i < num_msg; i++) {
|
||||
+ message = &((*msg)[i]);
|
||||
+ message = msg[i];
|
||||
+ pwstring = NULL;
|
||||
+ switch (message->msg_style) {
|
||||
+ case PAM_TEXT_INFO:
|
||||
+ case PAM_ERROR_MSG:
|
||||
+ break;
|
||||
+ case PAM_PROMPT_ECHO_ON:
|
||||
+ case PAM_PROMPT_ECHO_OFF:
|
||||
+ if (message->msg_style == PAM_PROMPT_ECHO_ON) {
|
||||
+ /* assume "user" */
|
||||
+ pwstring = args->user;
|
||||
+ } else {
|
||||
+ /* assume "password" */
|
||||
+ pwstring = args->password;
|
||||
+ }
|
||||
+ if ((pwstring != NULL) && (pwstring[0] != '\0')) {
|
||||
+ pwsize = strlen(pwstring);
|
||||
+ resp[i].resp = malloc(pwsize + 1);
|
||||
+ if (resp[i].resp == NULL) {
|
||||
+ resp[i].resp_retcode = PAM_BUF_ERR;
|
||||
+ } else {
|
||||
+ memcpy(resp[i].resp, pwstring, pwsize);
|
||||
+ resp[i].resp[pwsize] = '\0';
|
||||
+ resp[i].resp_retcode = PAM_SUCCESS;
|
||||
+ }
|
||||
+ } else {
|
||||
+ resp[i].resp_retcode = PAM_CONV_ERR;
|
||||
+ code = PAM_CONV_ERR;
|
||||
+ }
|
||||
+ break;
|
||||
+ default:
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+ *presp = resp;
|
||||
+ return code;
|
||||
+}
|
||||
+static int
|
||||
+appl_pam_start(const char *service, int interactive,
|
||||
+ const char *login_username,
|
||||
+ const char *non_interactive_password,
|
||||
+ const char *hostname,
|
||||
+ const char *ruser,
|
||||
+ const char *tty)
|
||||
+{
|
||||
+ static int exit_handler_registered;
|
||||
+ static struct appl_pam_non_interactive_args args;
|
||||
+ int ret = 0;
|
||||
+ if (appl_pam_started &&
|
||||
+ (strcmp(login_username, appl_pam_user) != 0)) {
|
||||
+ appl_pam_cleanup();
|
||||
+ appl_pam_user = NULL;
|
||||
+ }
|
||||
+ if (!appl_pam_started) {
|
||||
+#ifdef DEBUG
|
||||
+ printf("Starting PAM up (service=\"%s\",user=\"%s\").\n",
|
||||
+ service, login_username);
|
||||
+#endif
|
||||
+ memset(&appl_pam_conv, 0, sizeof(appl_pam_conv));
|
||||
+ appl_pam_conv.conv = interactive ?
|
||||
+ &appl_pam_interactive_converse :
|
||||
+ &appl_pam_non_interactive_converse;
|
||||
+ memset(&args, 0, sizeof(args));
|
||||
+ args.user = strdup(login_username);
|
||||
+ args.password = non_interactive_password ?
|
||||
+ strdup(non_interactive_password) :
|
||||
+ NULL;
|
||||
+ appl_pam_conv.appdata_ptr = &args;
|
||||
+ ret = pam_start(service, login_username,
|
||||
+ &appl_pam_conv, &appl_pamh);
|
||||
+ if (ret == 0) {
|
||||
+ if (hostname != NULL) {
|
||||
+#ifdef DEBUG
|
||||
+ printf("Setting PAM_RHOST to \"%s\".\n", hostname);
|
||||
+#endif
|
||||
+ pam_set_item(appl_pamh, PAM_RHOST, hostname);
|
||||
+ }
|
||||
+ if (ruser != NULL) {
|
||||
+#ifdef DEBUG
|
||||
+ printf("Setting PAM_RUSER to \"%s\".\n", ruser);
|
||||
+#endif
|
||||
+ pam_set_item(appl_pamh, PAM_RUSER, ruser);
|
||||
+ }
|
||||
+ if (tty != NULL) {
|
||||
+#ifdef DEBUG
|
||||
+ printf("Setting PAM_TTY to \"%s\".\n", tty);
|
||||
+#endif
|
||||
+ pam_set_item(appl_pamh, PAM_TTY, tty);
|
||||
+ }
|
||||
+ if (!exit_handler_registered &&
|
||||
+ (atexit(appl_pam_cleanup) != 0)) {
|
||||
+ pam_end(appl_pamh, 0);
|
||||
+ appl_pamh = NULL;
|
||||
+ ret = -1;
|
||||
+ } else {
|
||||
+ appl_pam_started = 1;
|
||||
+ appl_pam_starter = getpid();
|
||||
+ appl_pam_user = strdup(login_username);
|
||||
+ exit_handler_registered = 1;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ return ret;
|
||||
+}
|
||||
+int
|
||||
+appl_pam_acct_mgmt(const char *service, int interactive,
|
||||
+ const char *login_username,
|
||||
+ const char *non_interactive_password,
|
||||
+ const char *hostname,
|
||||
+ const char *ruser,
|
||||
+ const char *tty)
|
||||
+{
|
||||
+ int ret;
|
||||
+ appl_pam_pwchange_required = 0;
|
||||
+ ret = appl_pam_start(service, interactive, login_username,
|
||||
+ non_interactive_password, hostname, ruser, tty);
|
||||
+ if (ret == 0) {
|
||||
+#ifdef DEBUG
|
||||
+ printf("Calling pam_acct_mgmt().\n");
|
||||
+#endif
|
||||
+ ret = pam_acct_mgmt(appl_pamh, 0);
|
||||
+ switch (ret) {
|
||||
+ case PAM_IGNORE:
|
||||
+ ret = 0;
|
||||
+ break;
|
||||
+ case PAM_NEW_AUTHTOK_REQD:
|
||||
+ appl_pam_pwchange_required = 1;
|
||||
+ ret = 0;
|
||||
+ break;
|
||||
+ default:
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+ return ret;
|
||||
+}
|
||||
+int
|
||||
+appl_pam_requires_chauthtok(void)
|
||||
+{
|
||||
+ return appl_pam_pwchange_required;
|
||||
+}
|
||||
+int
|
||||
+appl_pam_session_open(void)
|
||||
+{
|
||||
+ int ret = 0;
|
||||
+ if (appl_pam_started) {
|
||||
+#ifdef DEBUG
|
||||
+ printf("Opening PAM session.\n");
|
||||
+#endif
|
||||
+ ret = pam_open_session(appl_pamh, 0);
|
||||
+ if (ret == 0) {
|
||||
+ appl_pam_session_opened = 1;
|
||||
+ }
|
||||
+ }
|
||||
+ return ret;
|
||||
+}
|
||||
+int
|
||||
+appl_pam_setenv(void)
|
||||
+{
|
||||
+ int ret = 0;
|
||||
+#ifdef HAVE_PAM_GETENVLIST
|
||||
+#ifdef HAVE_PUTENV
|
||||
+ int i;
|
||||
+ char **list;
|
||||
+ if (appl_pam_started) {
|
||||
+ list = pam_getenvlist(appl_pamh);
|
||||
+ for (i = 0; ((list != NULL) && (list[i] != NULL)); i++) {
|
||||
+#ifdef DEBUG
|
||||
+ printf("Setting \"%s\" in environment.\n", list[i]);
|
||||
+#endif
|
||||
+ putenv(list[i]);
|
||||
+ }
|
||||
+ }
|
||||
+#endif
|
||||
+#endif
|
||||
+ return ret;
|
||||
+}
|
||||
+int
|
||||
+appl_pam_cred_init(void)
|
||||
+{
|
||||
+ int ret = 0;
|
||||
+ if (appl_pam_started) {
|
||||
+#ifdef DEBUG
|
||||
+ printf("Initializing PAM credentials.\n");
|
||||
+#endif
|
||||
+ ret = pam_setcred(appl_pamh, PAM_ESTABLISH_CRED);
|
||||
+ if (ret == 0) {
|
||||
+ appl_pam_creds_initialized = 1;
|
||||
+ }
|
||||
+ }
|
||||
+ return ret;
|
||||
+}
|
||||
+#endif
|
||||
diff --git a/src/clients/ksu/pam.h b/src/clients/ksu/pam.h
|
||||
new file mode 100644
|
||||
index 000000000..d45b9fd84
|
||||
--- /dev/null
|
||||
+++ b/src/clients/ksu/pam.h
|
||||
@@ -0,0 +1,57 @@
|
||||
+/*
|
||||
+ * src/clients/ksu/pam.h
|
||||
+ *
|
||||
+ * Copyright 2007,2009,2010 Red Hat, Inc.
|
||||
+ *
|
||||
+ * All Rights Reserved.
|
||||
+ *
|
||||
+ * Redistribution and use in source and binary forms, with or without
|
||||
+ * modification, are permitted provided that the following conditions are met:
|
||||
+ *
|
||||
+ * Redistributions of source code must retain the above copyright notice, this
|
||||
+ * list of conditions and the following disclaimer.
|
||||
+ *
|
||||
+ * Redistributions in binary form must reproduce the above copyright notice,
|
||||
+ * this list of conditions and the following disclaimer in the documentation
|
||||
+ * and/or other materials provided with the distribution.
|
||||
+ *
|
||||
+ * Neither the name of Red Hat, Inc. nor the names of its contributors may be
|
||||
+ * used to endorse or promote products derived from this software without
|
||||
+ * specific prior written permission.
|
||||
+ *
|
||||
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
|
||||
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
|
||||
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
||||
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
||||
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
||||
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
||||
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||
+ * POSSIBILITY OF SUCH DAMAGE.
|
||||
+ *
|
||||
+ * Convenience wrappers for using PAM.
|
||||
+ */
|
||||
+
|
||||
+#include <krb5.h>
|
||||
+#ifdef HAVE_SECURITY_PAM_APPL_H
|
||||
+#include <security/pam_appl.h>
|
||||
+#endif
|
||||
+
|
||||
+#define USE_PAM_CONFIGURATION_KEYWORD "use_pam"
|
||||
+
|
||||
+#ifdef USE_PAM
|
||||
+int appl_pam_enabled(krb5_context context, const char *section);
|
||||
+int appl_pam_acct_mgmt(const char *service, int interactive,
|
||||
+ const char *local_username,
|
||||
+ const char *non_interactive_password,
|
||||
+ const char *hostname,
|
||||
+ const char *ruser,
|
||||
+ const char *tty);
|
||||
+int appl_pam_requires_chauthtok(void);
|
||||
+int appl_pam_session_open(void);
|
||||
+int appl_pam_setenv(void);
|
||||
+int appl_pam_cred_init(void);
|
||||
+void appl_pam_cleanup(void);
|
||||
+#endif
|
||||
diff --git a/src/configure.ac b/src/configure.ac
|
||||
index 4eb080784..693f76a81 100644
|
||||
--- a/src/configure.ac
|
||||
+++ b/src/configure.ac
|
||||
@@ -1389,6 +1389,8 @@ AC_SUBST([VERTO_VERSION])
|
||||
|
||||
AC_PATH_PROG(GROFF, groff)
|
||||
|
||||
+KRB5_WITH_PAM
|
||||
+
|
||||
# Make localedir work in autoconf 2.5x.
|
||||
if test "${localedir+set}" != set; then
|
||||
localedir='$(datadir)/locale'
|
||||
--
|
||||
2.30.0
|
||||
|
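Review bot: In appl_pam_interactive_converse() in the new pam.c, the PAM_PROMPT_ECHO_ON branch reads the reply with fgets() but never prints message->msg, so an echo-on prompt from a module shows nothing before blocking on stdin, while the PAM_PROMPT_ECHO_OFF branch does display it through getpass(); add `if (message->msg != NULL) { fputs(message->msg, stdout); fflush(stdout); }` before the fgets() call. In appl_pam_start() the strdup() copies of login_username and non_interactive_password stored in the static args struct are never freed (appl_pam_cleanup() only frees appl_pam_user), so a caller that passes a password leaves an unscrubbed heap copy for the process lifetime; free them in appl_pam_cleanup(), clearing the password with memset() first, and likewise free() the array returned by pam_getenvlist() in appl_pam_setenv() once its entries have been handed to putenv(). The paired assignments `message = &(msg[0][i]);` / `message = msg[i];` marked /* XXX */ at the top of both conversation loops leave the first as a dead store; keep only the second and note in a comment that it follows the Linux-PAM layout where msg is an array of pointers. The PAM account-management block is pasted twice in main.c (the `@@ -536` and `@@ -596` hunks); a small static helper called from both branches would keep the two copies from drifting apart.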
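--- a/0002-krb5-1.9-manpaths.patch
+++ b/0002-krb5-1.9-manpaths.patch
@@ -0,0 +1,28 @@
+From 852d6a0d81b21673bdcb80ff13bf60dd5a416dd4 Mon Sep 17 00:00:00 2001
+From: Samuel Cabrero <scabrero@suse.de>
+Date: Mon, 14 Jan 2019 13:06:55 +0100
+Subject: [PATCH 2/8] krb5-1.9-manpaths
+
+Import krb5-1.9-manpaths.dif
+
+Change the absolute paths included in the man pages so that the correct
+values can be dropped in by config.status. After applying this patch,
+these files should be renamed to their ".in" counterparts, and then the
+configure scripts should be rebuilt. Originally RT#6525
+---
+src/man/kpropd.man | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: krb5-1.19.3/src/man/kpropd.man
+===================================================================
+--- krb5-1.19.3.orig/src/man/kpropd.man
++++ krb5-1.19.3/src/man/kpropd.man
+@@ -68,7 +68,7 @@ the \fB/etc/inetd.conf\fP file which loo
+.sp
+.nf
+.ft C
+-kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd
++kprop stream tcp nowait root @SBINDIR@/kpropd kpropd
+.ft P
+.fi
+.UNINDENT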
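--- a/0003-Adjust-build-configuration.patch
+++ b/0003-Adjust-build-configuration.patch
@@ -0,0 +1,72 @@
+From 48abdf7c7b28611c1135b35dfa23ac61899e80b2 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Tue, 23 Aug 2016 16:45:26 -0400
+Subject: [PATCH 3/8] Adjust build configuration
+
+Build binaries in this package as RELRO PIEs, libraries as partial RELRO,
+and install shared libraries with the execute bit set on them. Prune out
+the -L/usr/lib* and PIE flags where they might leak out and affect
+apps which just want to link with the libraries. FIXME: needs to check and
+not just assume that the compiler supports using these flags.
+
+Last-updated: krb5-1.15-beta1
+---
+src/build-tools/krb5-config.in | 7 +++++++
+src/config/pre.in | 2 +-
+src/config/shlib.conf | 5 +++--
+3 files changed, 11 insertions(+), 3 deletions(-)
+
+Index: krb5-1.19.3/src/build-tools/krb5-config.in
+===================================================================
+--- krb5-1.19.3.orig/src/build-tools/krb5-config.in
++++ krb5-1.19.3/src/build-tools/krb5-config.in
+@@ -224,6 +224,13 @@ if test -n "$do_libs"; then
+-e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \
+-e 's#\$(CFLAGS)##'`
+
++ if test `dirname $libdir` = /usr ; then
++ lib_flags=`echo $lib_flags | sed -e "s#-L$libdir##" -e "s#$RPATH_FLAG$libdir##"`
++ fi
++ lib_flags=`echo $lib_flags | sed -e "s#-fPIE##g" -e "s#-pie##g"`
++ lib_flags=`echo $lib_flags | sed -e "s#-Wl,-z,relro##g"`
++ lib_flags=`echo $lib_flags | sed -e "s#-Wl,-z,now##g"`
++
+if test $library = 'kdb'; then
+lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB"
+library=krb5
+Index: krb5-1.19.3/src/config/pre.in
+===================================================================
+--- krb5-1.19.3.orig/src/config/pre.in
++++ krb5-1.19.3/src/config/pre.in
+@@ -184,7 +184,7 @@ INSTALL_PROGRAM=@INSTALL_PROGRAM@ $(INST
+INSTALL_SCRIPT=@INSTALL_PROGRAM@
+INSTALL_DATA=@INSTALL_DATA@
+INSTALL_SHLIB=@INSTALL_SHLIB@
+-INSTALL_SETUID=$(INSTALL) $(INSTALL_STRIP) -m 4755 -o root
++INSTALL_SETUID=$(INSTALL) $(INSTALL_STRIP) -m 4755
+## This is needed because autoconf will sometimes define @exec_prefix@ to be
+## ${prefix}.
+prefix=@prefix@
+Index: krb5-1.19.3/src/config/shlib.conf
+===================================================================
+--- krb5-1.19.3.orig/src/config/shlib.conf
++++ krb5-1.19.3/src/config/shlib.conf
+@@ -424,7 +424,7 @@ mips-*-netbsd*)
+# Linux ld doesn't default to stuffing the SONAME field...
+# Use objdump -x to examine the fields of the library
+# UNDEF_CHECK is suppressed by --enable-asan
+- LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $(UNDEF_CHECK)'
++ LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $(UNDEF_CHECK) -Wl,-z,relro -Wl,--warn-shared-textrel'
+UNDEF_CHECK='-Wl,--no-undefined'
+# $(EXPORT_CHECK) runs export-check.pl when in maintainer mode.
+LDCOMBINE_TAIL='-Wl,--version-script binutils.versions $(EXPORT_CHECK)'
+@@ -436,7 +436,8 @@ mips-*-netbsd*)
+SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
+PROFFLAGS=-pg
+PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)'
+- CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)'
++ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie -Wl,-z,relro -Wl,-z,now $(LDFLAGS)'
++ INSTALL_SHLIB='${INSTALL} -m755'
+CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)'
+CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)'
+CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)'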
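--- a/0004-krb5-1.6.3-gssapi_improve_errormessages.patch
+++ b/0004-krb5-1.6.3-gssapi_improve_errormessages.patch
@@ -0,0 +1,26 @@
+From c1b8aa3d8546453544fd659ef18b96709eb88e54 Mon Sep 17 00:00:00 2001
+From: Samuel Cabrero <scabrero@suse.de>
+Date: Mon, 14 Jan 2019 13:09:05 +0100
+Subject: [PATCH 4/8] krb5-1.6.3-gssapi_improve_errormessages
+
+Import krb5-1.6.3-gssapi_improve_errormessages.dif
+---
+src/lib/gssapi/generic/disp_com_err_status.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/lib/gssapi/generic/disp_com_err_status.c b/src/lib/gssapi/generic/disp_com_err_status.c
+index bc416107e..22612f970 100644
+--- a/src/lib/gssapi/generic/disp_com_err_status.c
++++ b/src/lib/gssapi/generic/disp_com_err_status.c
+@@ -52,7 +52,7 @@ g_display_com_err_status(OM_uint32 *minor_status, OM_uint32 status_value,
+status_string->value = NULL;
+
+if (! g_make_string_buffer(((status_value == 0)?no_error:
+- error_message(status_value)),
++ error_message((long)status_value)),
+status_string)) {
+*minor_status = ENOMEM;
+return(GSS_S_FAILURE);
+--
+2.25.0
+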
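Review bot: The new `(long)` cast on the error_message() call has no rationale in the patch description beyond "Import …", so a future rebase cannot tell whether it is a warning fix or an intentional change of the code value handed to the com_err tables, and the two differ once the width of `long` is not 64 bits. Suggest adding a sentence to the description such as `Cast status_value to long to match error_message()'s errcode_t parameter; intended as a warning fix only.` The body of g_display_com_err_status() continues outside the hunk.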
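--- a/0005-krb5-1.6.3-ktutil-manpage.patch
+++ b/0005-krb5-1.6.3-ktutil-manpage.patch
@@ -0,0 +1,33 @@
+From 2a5b2877495384bbe5db8f3b66ac342f83cd45dc Mon Sep 17 00:00:00 2001
+From: Samuel Cabrero <scabrero@suse.de>
+Date: Mon, 14 Jan 2019 13:14:47 +0100
+Subject: [PATCH 5/8] krb5-1.6.3-ktutil-manpage
+
+Import krb5-1.6.3-ktutil-manpage.dif
+---
+src/man/ktutil.man | 12 ++++++++++++
+1 file changed, 12 insertions(+)
+
+Index: krb5-1.19.3/src/man/ktutil.man
+===================================================================
+--- krb5-1.19.3.orig/src/man/ktutil.man
++++ krb5-1.19.3/src/man/ktutil.man
+@@ -153,6 +153,18 @@ ktutil:
+.sp
+See kerberos(7) for a description of Kerberos environment
+variables.
++.SH REMARKS
++Changes to the keytab are appended to the keytab file (i.e., the keytab file
++is never overwritten). To directly modify a keytab, save the changes to a
++temporary file and then overwrite the keytab file of interest.
++.TP
++.nf
++Example:
++ktutil> rkt /etc/krb5.keytab
++(modifications to keytab)
++ktutil> wkt /tmp/krb5.newtab
++ktutil> q
++# mv /tmp/krb5.newtab /etc/krb5.keytab
+.SH SEE ALSO
+.sp
+kadmin(1), kdb5_util(8), kerberos(7)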
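--- a/0006-krb5-1.12-api.patch
+++ b/0006-krb5-1.12-api.patch
@@ -0,0 +1,42 @@
+From b8544a75b273008042fadf51f0b49c00617ff275 Mon Sep 17 00:00:00 2001
+From: Samuel Cabrero <scabrero@suse.de>
+Date: Mon, 14 Jan 2019 13:15:50 +0100
+Subject: [PATCH 6/8] krb5-1.12-api
+
+Import krb5-1.12-api.patch
+
+Reference docs don't define what happens if you call krb5_realm_compare() with
+malformed krb5_principal structures. Define a behavior which keeps it from
+crashing if applications don't check ahead of time.
+---
+src/lib/krb5/krb/princ_comp.c | 7 +++++++
+1 file changed, 7 insertions(+)
+
+diff --git a/src/lib/krb5/krb/princ_comp.c b/src/lib/krb5/krb/princ_comp.c
+index a6936107d..0ed78833b 100644
+--- a/src/lib/krb5/krb/princ_comp.c
++++ b/src/lib/krb5/krb/princ_comp.c
+@@ -36,6 +36,10 @@ realm_compare_flags(krb5_context context,
+const krb5_data *realm1 = &princ1->realm;
+const krb5_data *realm2 = &princ2->realm;
+
++ if (princ1 == NULL || princ2 == NULL)
++ return FALSE;
++ if (realm1 == NULL || realm2 == NULL)
++ return FALSE;
+if (realm1->length != realm2->length)
+return FALSE;
+if (realm1->length == 0)
+@@ -88,6 +92,9 @@ krb5_principal_compare_flags(krb5_context context,
+krb5_principal upn2 = NULL;
+krb5_boolean ret = FALSE;
+
++ if (princ1 == NULL || princ2 == NULL)
++ return FALSE;
++
+if (flags & KRB5_PRINCIPAL_COMPARE_ENTERPRISE) {
+/* Treat UPNs as if they were real principals */
+if (princ1->type == KRB5_NT_ENTERPRISE_PRINCIPAL) {
+--
+2.25.0
+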
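Review bot: In the `@@ -36,6 +36,10 @@` hunk the new NULL guards run after `realm1 = &princ1->realm` and `realm2 = &princ2->realm` have already been evaluated from the possibly-NULL principals, so the guard does not prevent the member access it is meant to protect, and the second guard, `if (realm1 == NULL || realm2 == NULL)`, can never fire because both are addresses of struct members. Split the declarations from the initialisers, test princ1/princ2 first, and drop the realm check; the second hunk already has the checks in the right place. realm_compare_flags() begins and ends outside the hunk.
```c
/* … unchanged: realm_compare_flags() signature … */
    const krb5_data *realm1, *realm2;

    if (princ1 == NULL || princ2 == NULL)
        return FALSE;
    realm1 = &princ1->realm;
    realm2 = &princ2->realm;
    /* … unchanged: length comparison and rest of the body … */
```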
0007-SELinux-integration.patch
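--- a/0008-krb5-1.9-debuginfo.patch
+++ b/0008-krb5-1.9-debuginfo.patch
@@ -0,0 +1,44 @@
+From f079a7f765dc76eb01ba80fb7214ee0d25116e59 Mon Sep 17 00:00:00 2001
+From: Samuel Cabrero <scabrero@suse.de>
+Date: Mon, 14 Jan 2019 13:18:16 +0100
+Subject: [PATCH 8/8] krb5-1.9-debuginfo
+
+Import krb5-1.9-debuginfo.patch
+
+We want to keep these y.tab.c files around because the debuginfo points to
+them. It would be more elegant at the end to use symbolic links, but that
+could mess up people working in the tree on other things.
+---
+src/kadmin/cli/Makefile.in | 5 +++++
+src/plugins/kdb/ldap/ldap_util/Makefile.in | 2 +-
+2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/kadmin/cli/Makefile.in b/src/kadmin/cli/Makefile.in
+index adfea6e2b..8e89cf03b 100644
+--- a/src/kadmin/cli/Makefile.in
++++ b/src/kadmin/cli/Makefile.in
+@@ -37,3 +37,8 @@ clean-unix::
+# CC_LINK is not meant for compilation and this use may break in the future.
+datetest: getdate.c
+$(CC_LINK) $(ALL_CFLAGS) -DTEST -o datetest getdate.c
++
++%.c: %.y
++ $(RM) y.tab.c $@
++ $(YACC.y) $<
++ $(CP) y.tab.c $@
+diff --git a/src/plugins/kdb/ldap/ldap_util/Makefile.in b/src/plugins/kdb/ldap/ldap_util/Makefile.in
+index 8669c2436..a22f23c02 100644
+--- a/src/plugins/kdb/ldap/ldap_util/Makefile.in
++++ b/src/plugins/kdb/ldap/ldap_util/Makefile.in
+@@ -20,7 +20,7 @@ $(PROG): $(OBJS) $(KADMSRV_DEPLIBS) $(KRB5_BASE_DEPLIB) $(GETDATE)
+getdate.c: $(GETDATE)
+$(RM) getdate.c y.tab.c
+$(YACC) $(GETDATE)
+- $(MV) y.tab.c getdate.c
++ $(CP) y.tab.c getdate.c
+
+install:
+$(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG)
+--
+2.25.0
+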
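Review bot: The new `%.c: %.y` pattern rule in src/kadmin/cli/Makefile.in, like the getdate.c rule in ldap_util, routes every yacc run through the fixed intermediate name `y.tab.c`, so if more than one `.y` grammar in that directory were ever built under `make -j` the runs would race on the same file; with a single grammar this is presumably harmless, but the rule is not safe to generalise. `YACC.y` is also a GNU make built-in, whereas the surrounding rules spell out `$(YACC)`, so the patch quietly adds a GNU make dependency. A comment above each rule would spare the next reader a trip to the patch description: `# Copy rather than move: the debuginfo references y.tab.c, so it must stay in the tree.`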
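--- a/0009-Ensure-array-count-consistency-in-kadm5-RPC.patch
+++ b/0009-Ensure-array-count-consistency-in-kadm5-RPC.patch
@@ -0,0 +1,67 @@
+From c93242bd934a1e4b6f21aae08fbbbd1984d1c653 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Wed, 21 Jun 2023 10:57:39 -0400
+Subject: [PATCH] Ensure array count consistency in kadm5 RPC
+
+In _xdr_kadm5_principal_ent_rec(), ensure that n_key_data matches the
+key_data array count when decoding. Otherwise when the structure is
+later freed, xdr_array() could iterate over the wrong number of
+elements, either leaking some memory or freeing uninitialized
+pointers. Reported by Robert Morris.
+
+CVE-2023-36054:
+
+An authenticated attacker can cause a kadmind process to crash by
+freeing uninitialized pointers. Remote code execution is unlikely.
+An attacker with control of a kadmin server can cause a kadmin client
+to crash by freeing uninitialized pointers.
+
+(cherry picked from commit ef08b09c9459551aabbe7924fb176f1583053cdd)
+
+ticket: 9099
+version_fixed: 1.20.2
+
+(cherry picked from commit c81ffb6c8578a9b55c9d0a10342b5bc1bc6ec4df)
+---
+src/lib/kadm5/kadm_rpc_xdr.c | 11 ++++++++---
+1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c
+index 0411c3fd3..287cae750 100644
+--- a/src/lib/kadm5/kadm_rpc_xdr.c
++++ b/src/lib/kadm5/kadm_rpc_xdr.c
+@@ -390,6 +390,7 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
+int v)
+{
+unsigned int n;
++ bool_t r;
+
+if (!xdr_krb5_principal(xdrs, &objp->principal)) {
+return (FALSE);
+@@ -443,6 +444,9 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
+if (!xdr_krb5_int16(xdrs, &objp->n_key_data)) {
+return (FALSE);
+}
++ if (xdrs->x_op == XDR_DECODE && objp->n_key_data < 0) {
++ return (FALSE);
++ }
+if (!xdr_krb5_int16(xdrs, &objp->n_tl_data)) {
+return (FALSE);
+}
+@@ -451,9 +455,10 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
+return FALSE;
+}
+n = objp->n_key_data;
+- if (!xdr_array(xdrs, (caddr_t *) &objp->key_data,
+- &n, ~0, sizeof(krb5_key_data),
+- xdr_krb5_key_data_nocontents)) {
++ r = xdr_array(xdrs, (caddr_t *) &objp->key_data, &n, objp->n_key_data,
++ sizeof(krb5_key_data), xdr_krb5_key_data_nocontents);
++ objp->n_key_data = n;
++ if (!r) {
+return (FALSE);
+}
+
+--
+2.41.0
+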
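Review bot: The new `objp->n_key_data = n;` in the `@@ -451,9 +455,10 @@` hunk is executed even when xdr_array() has failed, and nothing in the code says why; the reason is in the description (the later free iterates by n_key_data, so the count must match what was actually decoded), and without a comment the assignment looks like it belongs inside the success path. Suggest `/* Keep n_key_data in step with the element count xdr_array() actually processed, even on failure, so xdr_free() walks the right number of entries. */` above it. The negative-count guard added in the second hunk covers only n_key_data; whether n_tl_data needs the same treatment depends on how tl_data is decoded further down, which is outside the hunk. _xdr_kadm5_principal_ent_rec() begins and ends outside the hunks.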
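--- a/_multibuild
+++ b/_multibuild
@@ -0,0 +1,4 @@
+<multibuild>
+<package>krb5-mini</package>
+</multibuild>
+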
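--- a/baselibs.conf
+++ b/baselibs.conf
@@ -0,0 +1,4 @@
+krb5
+obsoletes "heimdal-lib-<targettype>"
+provides "heimdal-lib-<targettype>"
+krb5-devel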
krb5-1.20.1.tar.gz
krb5-1.20.1.tar.gz.asc
@ -0,0 +1,16 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQIzBAABCgAdFiEExEk8tzn0qJ+YUsvCDLoIV1+Dct8FAmNvED8ACgkQDLoIV1+D
|
||||
ct9uKw/8C5GS8mdh335lB+bkfjYYCZLD+oQToDAAbdCddrIcuLftvnTfXJ8cMtMc
|
||||
UT2hsp8u7ZupjJRevdhaH7fFwomc0V8iSES5J2cQHTNd9aK93j/W6NaMoqWLrQWg
|
||||
jx99oqLn7orvp8N5RufEQcNMNWhFIX4XSfrA3vPfHbbffA2vkjJzOGno4UHi8zUn
|
||||
6nye7jbrBpiQIeFIJSS3VPsvGrKdRgb9BqGTUsqPIuFvr3Qvo42lKr5X8CWYSXjK
|
||||
0aKlOpfbWdkteEe2o84/wyMpuGvmYkmOgaMB5xQ3jfEuvPNAWX2CWHNDamiqwBT/
|
||||
YxwhZimNa1B9r3P1yDHvpUu8cJaRzw2UDRi2f3Kztrmn2jlqzmoZ31WBALJA7lmL
|
||||
SrVFdXi7AcWwppMp1kbe9SvurCXID8/Q4n+qAdzSvqrXbeWerVUkdYFvtxQ1bMJR
|
||||
jnqN11iZFYaoCaaR2lFEhjoMdR80jUa2m6vdF7a7xhH1UvuPHDnzLT9X/TiPvx0R
|
||||
Itrp5MMIrUQHcZUL9hM5hrg3nxEsGsSCnjB0zWDmgXdLGwd4CvcOF4HPQR3BBlEH
|
||||
CLtAa27bBXMJTYVvmmKt06hw+U3ALDfUlFrV6ZNLr9ug69l29n7JoChAbZ97Hx1m
|
||||
twPwJpKd8AiUz+j3KCfgGU21qMbHNP3jEn3q9tkq0qcs/z7RCmU=
|
||||
=1WIq
|
||||
-----END PGP SIGNATURE-----
|
krb5-mini.changes
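--- a/krb5-mini.spec
+++ b/krb5-mini.spec
@@ -0,0 +1,347 @@
+#
+# spec file for package krb5-mini
+#
+# Copyright (c) 2023 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%define srcRoot krb5-%{version}
+%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
+%define krb5docdir %{_defaultdocdir}/krb5
+#Compat macro for new _fillupdir macro introduced in Nov 2017
+%if ! %{defined _fillupdir}
+%define _fillupdir %{_localstatedir}/adm/fillup-templates
+%endif
+Name: krb5-mini
+Version: 1.20.1
+Release: 0
+Summary: MIT Kerberos5 implementation and libraries with minimal dependencies
+License: MIT
+URL: https://kerberos.org/dist/
+Source0: https://kerberos.org/dist/krb5/1.20/krb5-%{version}.tar.gz
+Source1: https://kerberos.org/dist/krb5/1.20/krb5-%{version}.tar.gz.asc
+Source2: krb5.keyring
+Source3: vendor-files.tar.bz2
+Source4: baselibs.conf
+Source5: krb5-rpmlintrc
+Source6: krb5.tmpfiles
+Patch1: 0001-ksu-pam-integration.patch
+Patch2: 0002-krb5-1.9-manpaths.patch
+Patch3: 0003-Adjust-build-configuration.patch
+Patch4: 0004-krb5-1.6.3-gssapi_improve_errormessages.patch
+Patch5: 0005-krb5-1.6.3-ktutil-manpage.patch
+Patch6: 0006-krb5-1.12-api.patch
+Patch7: 0007-SELinux-integration.patch
+Patch8: 0008-krb5-1.9-debuginfo.patch
+Patch9: 0009-Ensure-array-count-consistency-in-kadm5-RPC.patch
+BuildRequires: autoconf
+BuildRequires: bison
+BuildRequires: pkgconfig
+BuildRequires: pkgconfig(com_err)
+BuildRequires: pkgconfig(libselinux)
+BuildRequires: pkgconfig(libverto)
+BuildRequires: pkgconfig(ncurses)
+Requires(post): %fillup_prereq
+Conflicts: krb5
+Conflicts: krb5-client
+Conflicts: krb5-mini
+Conflicts: krb5-plugin-kdb-ldap
+Conflicts: krb5-plugin-preauth-otp
+Conflicts: krb5-plugin-preauth-pkinit
+Conflicts: krb5-server
+Obsoletes: krb5-plugin-preauth-pkinit-nss
+
+%description
+Kerberos V5 is a trusted-third-party network authentication system,
+which can improve network security by eliminating the insecure
+practice of clear text passwords.
+The package delivers MIT Kerberos with reduced features and minimal
+dependencies
+
+%package devel
+Summary: Development files for MIT Kerberos5 (openSUSE mini variant)
+Requires: %{name} = %{version}
+Requires: pkgconfig(com_err)
+Requires: pkgconfig(libverto)
+Requires: pkgconfig(ss)
+Conflicts: krb5-devel
+Provides: krb5-devel = %{version}
+
+%description devel
+Kerberos V5 is a trusted-third-party network authentication system,
+which can improve network security by eliminating the insecure
+practice of cleartext passwords. This package includes Libraries and
+Include Files for Development
+
+%prep
+%setup -q -n %{srcRoot}
+%setup -q -a 3 -T -D -n %{srcRoot}
+%autopatch -p1
+
+%build
+# needs to be re-generated
+rm -f src/lib/krb5/krb/deltat.c
+cd src
+autoreconf -fi
+DEFCCNAME=DIR:/run/user/%%{uid}/krb5cc; export DEFCCNAME
+# FIXME: you should use the %%configure macro
+%configure \
+CFLAGS="%{optflags} -I%{_includedir}/et -fno-strict-aliasing -D_GNU_SOURCE -fPIC $(getconf LFS_CFLAGS)" \
+CPPFLAGS="-I%{_includedir}/et " \
+SS_LIB="-lss" \
+--sysconfdir=%{_sysconfdir} \
+--mandir=%{_mandir} \
+--infodir=%{_infodir} \
+--libdir=%{_libdir} \
+--includedir=%{_includedir} \
+--localstatedir=%{_localstatedir}/lib/kerberos \
+--localedir=%{_datadir}/locale \
+--enable-shared \
+--disable-static \
+--enable-dns-for-realm \
+--disable-rpath \
+--disable-pkinit \
+--without-pam \
+--with-selinux \
+--with-system-et \
+--with-system-ss \
+--with-system-verto
+
+%make_build
+
+# Copy kadmin manual page into kadmin.local's due to the split between client and server package
+cp man/kadmin.man man/kadmin.local.8
+
+%install
+mkdir -p %{buildroot}/%{_localstatedir}/log/krb5
+%make_install -C src
+# Munge krb5-config yet again. This is totally wrong for 64-bit, but chunks
+# of the buildconf patch already conspire to strip out /usr/<anything> from the
+# list of link flags, and it helps prevent file conflicts on multilib systems.
+sed -r -i -e 's|^libdir=%{_prefix}/lib(64)?$|libdir=%{_prefix}/lib|g' %{buildroot}%{_bindir}/krb5-config
+
+# install autoconf macro
+mkdir -p %{buildroot}/%{_datadir}/aclocal
+install -m 644 src/util/ac_check_krb5.m4 %{buildroot}%{_datadir}/aclocal/
+# install sample config files
+# I'll probably do something about this later on
+mkdir -p %{buildroot}%{_sysconfdir}
+mkdir -p %{buildroot}%{_sysconfdir}/krb5.conf.d
+mkdir -p %{buildroot}%{_localstatedir}/log/krb5
+# create plugin directories
+mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/kdb
+mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/preauth
+mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/libkrb5
+mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/tls
+install -m 644 %{vendorFiles}/krb5.conf %{buildroot}%{_sysconfdir}
+
+# Do not write directly to /var/lib/kerberos anymore as it breaks transactional
+# updates. Use systemd-tmpfiles to copy the files there when it doesn't exist
+install -d -m 0755 %{buildroot}%{_tmpfilesdir}
+install -m 644 %{SOURCE6} %{buildroot}%{_tmpfilesdir}/krb5.conf
+mkdir -p %{buildroot}/%{_datadir}/kerberos/krb5kdc
+# Where per-user keytabs live by default.
+mkdir -p %{buildroot}/%{_datadir}/kerberos/krb5/user
+install -m 600 %{vendorFiles}/kdc.conf %{buildroot}%{_datadir}/kerberos/krb5kdc/
+install -m 600 %{vendorFiles}/kadm5.acl %{buildroot}%{_datadir}/kerberos/krb5kdc/
+install -m 600 %{vendorFiles}/kadm5.dict %{buildroot}%{_datadir}/kerberos/krb5kdc/
+
+# all libs must have permissions 0755
+for lib in `find %{buildroot}/%{_libdir}/ -type f -name "*.so*"`
+do
+chmod 0755 ${lib}
+done
+# and binaries too
+chmod 0755 %{buildroot}%{_bindir}/ksu
+# install systemd files
+mkdir -p %{buildroot}%{_unitdir}
+install -m 644 %{vendorFiles}/kadmind.service %{buildroot}%{_unitdir}
+install -m 644 %{vendorFiles}/krb5kdc.service %{buildroot}%{_unitdir}
+install -m 644 %{vendorFiles}/kpropd.service %{buildroot}%{_unitdir}
+# install sysconfig templates
+mkdir -p %{buildroot}/%{_fillupdir}
+install -m 644 %{vendorFiles}/sysconfig.kadmind %{buildroot}/%{_fillupdir}/
+install -m 644 %{vendorFiles}/sysconfig.krb5kdc %{buildroot}/%{_fillupdir}/
+# install logrotate files
+mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d
+install -m 644 %{vendorFiles}/krb5-server.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/krb5-server
+find . -type f -name '*.ps' -exec gzip -9 {} \;
+# create rc* links
+mkdir -p %{buildroot}%{_bindir}/
+mkdir -p %{buildroot}%{_sbindir}/
+ln -s service %{buildroot}%{_sbindir}/rckadmind
+ln -s service %{buildroot}%{_sbindir}/rckrb5kdc
+ln -s service %{buildroot}%{_sbindir}/rckpropd
+# install doc
+install -d -m 755 %{buildroot}/%{krb5docdir}
+install -m 644 %{_builddir}/%{srcRoot}/README %{buildroot}/%{krb5docdir}/README
+# cleanup
+rm -f %{buildroot}%{_mandir}/man1/tmac.doc*
+rm -f %{_mandir}/man1/tmac.doc*
+rm -rf %{buildroot}%{_datadir}/examples
+# manually remove otp, spake and test plugin for krb5-mini since configure
+# doesn't support disabling it at build time
+rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/otp.so
+rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/spake.so
+rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so
+
+%if "%{_lto_cflags}" != ""
+# Don't add the lto flags to the public link flags.
+sed -i "s/%{_lto_cflags}//" %{buildroot}%{_bindir}/krb5-config
+%endif
+
+%find_lang mit-krb5
+
+#####################################################
+# krb5-mini pre/post/postun
+#####################################################
+
+%preun
+%service_del_preun krb5kdc.service kadmind.service kpropd.service
+
+%postun
+/sbin/ldconfig
+%service_del_postun krb5kdc.service kadmind.service kpropd.service
+
+%post
+/sbin/ldconfig
+%service_add_post krb5kdc.service kadmind.service kpropd.service
+%tmpfiles_create krb5.conf
+%{fillup_only -n kadmind}
+%{fillup_only -n krb5kdc}
+%{fillup_only -n kpropd}
+
+%pre
+%service_add_pre krb5kdc.service kadmind.service kpropd.service
+
+########################################################
+# files sections
+########################################################
+
+%files devel
+%dir %{_datadir}/aclocal
+%{_libdir}/libgssrpc.so
+%{_libdir}/libk5crypto.so
+%{_libdir}/libkadm5clnt_mit.so
+%{_libdir}/libkadm5clnt.so
+%{_libdir}/libkadm5srv_mit.so
+%{_libdir}/libkadm5srv.so
+%{_libdir}/libkdb5.so
+%{_libdir}/libkrb5.so
+%{_libdir}/libkrb5support.so
+%{_libdir}/libkrad.so
+%{_libdir}/pkgconfig/gssrpc.pc
+%{_libdir}/pkgconfig/kadm-client.pc
+%{_libdir}/pkgconfig/kadm-server.pc
+%{_libdir}/pkgconfig/kdb.pc
+%{_libdir}/pkgconfig/krb5-gssapi.pc
+%{_libdir}/pkgconfig/krb5.pc
+%{_libdir}/pkgconfig/mit-krb5-gssapi.pc
+%{_libdir}/pkgconfig/mit-krb5.pc
+%{_includedir}/*
+%{_bindir}/krb5-config
+%{_sbindir}/krb5-send-pr
+%{_mandir}/man1/krb5-config.1%{?ext_man}
+%{_datadir}/aclocal/ac_check_krb5.m4
+
+%files -f mit-krb5.lang
+%dir %{krb5docdir}
+# add directories
+%dir %{_libdir}/krb5
+%dir %{_libdir}/krb5/plugins
+%dir %{_libdir}/krb5/plugins/kdb
+%dir %{_libdir}/krb5/plugins/preauth
+%dir %{_libdir}/krb5/plugins/libkrb5
+%dir %{_libdir}/krb5/plugins/tls
+%attr(0700,root,root) %dir %{_localstatedir}/log/krb5
+%doc %{krb5docdir}/README
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/krb5.conf
+%dir %{_sysconfdir}/krb5.conf.d
+%config(noreplace) %{_sysconfdir}/logrotate.d/krb5-server
+%{_fillupdir}/sysconfig.*
+%{_unitdir}/kadmind.service
+%{_unitdir}/krb5kdc.service
+%{_unitdir}/kpropd.service
+%{_libdir}/libgssapi_krb5.*
+%{_libdir}/libgssrpc.so.*
+%{_libdir}/libk5crypto.so.*
+%{_libdir}/libkadm5clnt_mit.so.*
+%{_libdir}/libkadm5srv_mit.so.*
+%{_libdir}/libkdb5.so.*
+%{_libdir}/libkrb5.so.*
+%{_libdir}/libkrb5support.so.*
+%{_libdir}/libkrad.so.*
+%{_libdir}/krb5/plugins/kdb/*
+%{_libdir}/krb5/plugins/tls/*
+%{_tmpfilesdir}/krb5.conf
+%dir %{_datadir}/kerberos/
+%dir %{_datadir}/kerberos/krb5kdc
+%dir %{_datadir}/kerberos/krb5
+%dir %{_datadir}/kerberos/krb5/user
+%attr(0600,root,root) %config(noreplace) %{_datadir}/kerberos/krb5kdc/kdc.conf
+%attr(0600,root,root) %config(noreplace) %{_datadir}/kerberos/krb5kdc/kadm5.acl
+%attr(0600,root,root) %config(noreplace) %{_datadir}/kerberos/krb5kdc/kadm5.dict
+%ghost %dir %{_sharedstatedir}/kerberos/
+%ghost %dir %{_sharedstatedir}/kerberos/krb5kdc
+%ghost %dir %{_sharedstatedir}/kerberos/krb5
+%ghost %dir %{_sharedstatedir}/kerberos/krb5/user
+%ghost %attr(0600,root,root) %config(noreplace) %{_sharedstatedir}/kerberos/krb5kdc/kdc.conf
+%ghost %attr(0600,root,root) %config(noreplace) %{_sharedstatedir}/kerberos/krb5kdc/kadm5.acl
+%ghost %attr(0600,root,root) %config(noreplace) %{_sharedstatedir}/kerberos/krb5kdc/kadm5.dict
+%{_sbindir}/kadmin.local
+%{_sbindir}/kadmind
+%{_sbindir}/kpropd
+%{_sbindir}/kproplog
+%{_sbindir}/kprop
+%{_sbindir}/kdb5_util
+%{_sbindir}/krb5kdc
+%{_sbindir}/uuserver
+%{_sbindir}/sserver
+%{_sbindir}/gss-server
+%{_sbindir}/sim_server
+%{_bindir}/k5srvutil
+%{_bindir}/kvno
+%{_bindir}/kinit
+%{_bindir}/kdestroy
+%{_bindir}/kpasswd
+%{_bindir}/klist
+%{_bindir}/kadmin
+%{_bindir}/ktutil
+%{_bindir}/kswitch
+%attr(0755,root,root) %{_bindir}/ksu
+%{_bindir}/uuclient
+%{_bindir}/sclient
+%{_bindir}/gss-client
+%{_bindir}/sim_client
+%{_bindir}/kinit
+%{_bindir}/klist
+%{_sbindir}/rc*
+%{_mandir}/man1/kvno.1%{?ext_man}
+%{_mandir}/man1/kinit.1%{?ext_man}
+%{_mandir}/man1/kdestroy.1%{?ext_man}
+%{_mandir}/man1/kpasswd.1%{?ext_man}
+%{_mandir}/man1/klist.1%{?ext_man}
+%{_mandir}/man1/ksu.1%{?ext_man}
+%{_mandir}/man1/sclient.1%{?ext_man}
+%{_mandir}/man1/kadmin.1%{?ext_man}
+%{_mandir}/man1/ktutil.1%{?ext_man}
+%{_mandir}/man1/k5srvutil.1%{?ext_man}
+%{_mandir}/man1/kswitch.1%{?ext_man}
+%{_mandir}/man5/*
+%{_mandir}/man5/.k5login.5%{?ext_man}
+%{_mandir}/man5/.k5identity.5%{?ext_man}
+%{_mandir}/man7/kerberos.7%{?ext_man}
+%{_mandir}/man8/*
+
+%changelog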
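Review bot: In the `# cleanup` step of %install, `rm -f %{_mandir}/man1/tmac.doc*` (the line right after the `%{buildroot}` variant) deletes from the build host's man directory rather than from the buildroot; it should be dropped, since the preceding line already covers the packaged path. `%{_bindir}/kinit` and `%{_bindir}/klist` are listed twice in the main `%files` section (once next to `kvno`, again after `sim_client`), which rpmbuild reports as files listed twice; remove the second pair. The `# FIXME: you should use the %%configure macro` comment is stale, since the line below it already uses `%configure`. `chmod 0755 %{buildroot}%{_bindir}/ksu` together with `%attr(0755,root,root) %{_bindir}/ksu` strips the setuid bit that upstream's INSTALL_SETUID (`-m 4755`) sets; that is presumably deliberate for the `--without-pam` mini variant, but a comment such as `# ksu is shipped without the setuid bit in krb5-mini` would keep a later edit from "fixing" it.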
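--- a/krb5-rpmlintrc
+++ b/krb5-rpmlintrc
@@ -0,0 +1,8 @@
+addFilter("devel-file-in-non-devel-package .*libgssapi_krb5.so")
+addFilter("hidden-file-or-dir .*/usr/share/man/man5/.k5login.5.gz")
+addFilter("hidden-file-or-dir .*/usr/share/man/man5/.k5identity.5.gz")
+addFilter("files-duplicate .*css")
+addFilter("files-duplicate .*img.*png")
+addFilter("devel-file-in-non-devel-package .*libkdb_ldap.so")
+addFilter("shlib-policy-missing-suffix")
+addFilter("non-etc-or-var-file-marked-as-conffile")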
krb5.changes
krb5.keyring
krb5.spec
@ -0,0 +1,502 @@
|
||||
#
|
||||
# spec file for package krb5
|
||||
#
|
||||
# Copyright (c) 2023 SUSE LLC
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
# upon. The license for this file, and modifications and additions to the
|
||||
# file, is the same license as for the pristine package itself (unless the
|
||||
# license for the pristine package is not an Open Source License, in which
|
||||
# case the license is the MIT License). An "Open Source License" is a
|
||||
# license that conforms to the Open Source Definition (Version 1.9)
|
||||
# published by the Open Source Initiative.
|
||||
|
||||
# Please submit bugfixes or comments via https://bugs.opensuse.org/
|
||||
#
|
||||
|
||||
|
||||
#Compat macro for new _fillupdir macro introduced in Nov 2017
|
||||
%if ! %{defined _fillupdir}
|
||||
%define _fillupdir %{_localstatedir}/adm/fillup-templates
|
||||
%endif
|
||||
Name: krb5
|
||||
Version: 1.20.1
|
||||
Release: 0
|
||||
Summary: MIT Kerberos5 implementation
|
||||
License: MIT
|
||||
URL: https://kerberos.org/dist/
|
||||
Source0: https://kerberos.org/dist/krb5/1.20/krb5-%{version}.tar.gz
|
||||
Source1: https://kerberos.org/dist/krb5/1.20/krb5-%{version}.tar.gz.asc
|
||||
Source2: krb5.keyring
|
||||
Source3: vendor-files.tar.bz2
|
||||
Source4: baselibs.conf
|
||||
Source5: krb5-rpmlintrc
|
||||
Source6: ksu-pam.d
|
||||
Source7: krb5.tmpfiles
|
||||
Patch1: 0001-ksu-pam-integration.patch
|
||||
Patch2: 0002-krb5-1.9-manpaths.patch
|
||||
Patch3: 0003-Adjust-build-configuration.patch
|
||||
Patch4: 0004-krb5-1.6.3-gssapi_improve_errormessages.patch
|
||||
Patch5: 0005-krb5-1.6.3-ktutil-manpage.patch
|
||||
Patch6: 0006-krb5-1.12-api.patch
|
||||
Patch7: 0007-SELinux-integration.patch
|
||||
Patch8: 0008-krb5-1.9-debuginfo.patch
|
||||
Patch9: 0009-Ensure-array-count-consistency-in-kadm5-RPC.patch
|
||||
BuildRequires: autoconf
|
||||
BuildRequires: bison
|
||||
BuildRequires: cyrus-sasl-devel
|
||||
BuildRequires: keyutils
|
||||
BuildRequires: keyutils-devel
|
||||
BuildRequires: openldap2-devel
|
||||
BuildRequires: pam-devel
|
||||
BuildRequires: pkgconfig
|
||||
BuildRequires: pkgconfig(com_err)
|
||||
BuildRequires: pkgconfig(libselinux)
|
||||
BuildRequires: pkgconfig(libssl)
|
||||
BuildRequires: pkgconfig(libverto)
|
||||
BuildRequires: pkgconfig(ncurses)
|
||||
BuildRequires: pkgconfig(ss)
|
||||
BuildRequires: pkgconfig(systemd)
|
||||
Conflicts: krb5-mini
|
||||
Obsoletes: krb5-plugin-preauth-pkinit-nss
|
||||
|
||||
%description
|
||||
Kerberos V5 is a trusted-third-party network authentication system,
|
||||
which can improve network security by eliminating the insecure
|
||||
practice of clear text passwords.
|
||||
|
||||
%package client
|
||||
Summary: Client programs of the MIT Kerberos5 implementation
|
||||
Conflicts: krb5-mini
|
||||
|
||||
%description client
|
||||
Kerberos V5 is a trusted-third-party network authentication system,
|
||||
which can improve network security by eliminating the insecure
|
||||
practice of cleartext passwords. This package includes some required
|
||||
client programs, like kinit, kadmin, ...
|
||||
|
||||
%package server
|
||||
Summary: Server program of the MIT Kerberos5 implementation
|
||||
Requires: cron
|
||||
Requires: libverto-libev1
|
||||
Requires: logrotate
|
||||
Requires: perl-Date-Calc
|
||||
Requires(post): %fillup_prereq
|
||||
%{?systemd_requires}
|
||||
|
||||
%description server
|
||||
Kerberos V5 is a trusted-third-party network authentication system,
|
||||
which can improve network security by eliminating the insecure
|
||||
practice of cleartext passwords. This package includes the kdc, kadmind
|
||||
and more.
|
||||
|
||||
%package plugin-kdb-ldap
|
||||
Summary: LDAP database plugin for MIT Kerberos5
|
||||
Requires: krb5-server = %{version}
|
||||
|
||||
%description plugin-kdb-ldap
|
||||
Kerberos V5 is a trusted-third-party network authentication system,
|
||||
which can improve network security by eliminating the insecure
|
||||
practice of clear text passwords. This package contains the LDAP
|
||||
database plugin.
|
||||
|
||||
%package plugin-preauth-pkinit
|
||||
Summary: PKINIT preauthentication plugin for MIT Kerberos5
|
||||
|
||||
%description plugin-preauth-pkinit
|
||||
Kerberos V5 is a trusted-third-party network authentication system,
|
||||
which can improve network security by eliminating the insecure
|
||||
practice of cleartext passwords. This package includes a PKINIT plugin.
|
||||
|
||||
%package plugin-preauth-otp
|
||||
Summary: OTP preauthentication plugin for MIT Kerberos5
|
||||
|
||||
%description plugin-preauth-otp
|
||||
Kerberos V5 is a trusted-third-party network authentication system,
|
||||
which can improve network security by eliminating the insecure
|
||||
practice of cleartext passwords. This package includes a OTP plugin.
|
||||
|
||||
%package plugin-preauth-spake
|
||||
Summary: SPAKE preauthentication plugin for MIT Kerberos5
|
||||
|
||||
%description plugin-preauth-spake
|
||||
Kerberos V5 is a trusted-third-party network authentication system,
|
||||
which can improve network security by eliminating the insecure
|
||||
practice of cleartext passwords. This package includes a SPAKE plugin.
|
||||
|
||||
%package doc
|
||||
Summary: Documentation for the MIT Kerberos5 implementation
|
||||
|
||||
%description doc
|
||||
Kerberos V5 is a trusted-third-party network authentication
|
||||
system,which can improve network security by eliminating the
|
||||
insecurepractice of clear text passwords. This package includes
|
||||
extended documentation for MIT Kerberos.
|
||||
|
||||
%package devel
|
||||
Summary: Development files for MIT Kerberos5
|
||||
Requires: %{name} = %{version}
|
||||
Requires: keyutils-devel
|
||||
Requires: pkgconfig(com_err)
|
||||
Requires: pkgconfig(libverto)
|
||||
Requires: pkgconfig(ss)
|
||||
Conflicts: krb5-mini-devel
|
||||
|
||||
%description devel
|
||||
Kerberos V5 is a trusted-third-party network authentication system,
|
||||
which can improve network security by eliminating the insecure
|
||||
practice of cleartext passwords. This package includes Libraries and
|
||||
Include Files for Development
|
||||
|
||||
%define srcRoot krb5-%{version}
|
||||
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
|
||||
%define krb5docdir %{_defaultdocdir}/krb5
|
||||
|
||||
%prep
|
||||
%setup -q -n %{srcRoot}
|
||||
%setup -q -a 3 -T -D -n %{srcRoot}
|
||||
%autopatch -p1
|
||||
|
||||
%build
|
||||
# needs to be re-generated
|
||||
rm -f src/lib/krb5/krb/deltat.c
|
||||
cd src
|
||||
autoreconf -fi
|
||||
DEFCCNAME=DIR:/run/user/%%{uid}/krb5cc; export DEFCCNAME
|
||||
%configure \
|
||||
CFLAGS="%{optflags} -I%{_includedir}/et -fno-strict-aliasing -D_GNU_SOURCE -fPIC $(getconf LFS_CFLAGS)" \
|
||||
CPPFLAGS="-I%{_includedir}/et " \
|
||||
SS_LIB="-lss" \
|
||||
--sysconfdir=%{_sysconfdir} \
|
||||
--mandir=%{_mandir} \
|
||||
--infodir=%{_infodir} \
|
||||
--libdir=%{_libdir} \
|
||||
--includedir=%{_includedir} \
|
||||
--localstatedir=%{_localstatedir}/lib/kerberos \
|
||||
--localedir=%{_datadir}/locale \
|
||||
--enable-shared \
|
||||
--disable-static \
|
||||
--enable-dns-for-realm \
|
||||
--disable-rpath \
|
||||
--with-ldap \
|
||||
--with-pam \
|
||||
--enable-pkinit \
|
||||
--with-crypto-impl=openssl \
|
||||
--with-selinux \
|
||||
--with-system-et \
|
||||
--with-system-ss \
|
||||
--with-system-verto
|
||||
|
||||
%make_build
|
||||
|
||||
# Copy kadmin manual page into kadmin.local's due to the split between client and server package
|
||||
cp man/kadmin.man man/kadmin.local.8
|
||||
|
||||
%install
|
||||
mkdir -p %{buildroot}/%{_localstatedir}/log/krb5
|
||||
%make_install -C src
|
||||
# Munge krb5-config yet again. This is totally wrong for 64-bit, but chunks
|
||||
# of the buildconf patch already conspire to strip out /usr/<anything> from the
|
||||
# list of link flags, and it helps prevent file conflicts on multilib systems.
|
||||
sed -r -i -e 's|^libdir=%{_prefix}/lib(64)?$|libdir=%{_prefix}/lib|g' %{buildroot}%{_bindir}/krb5-config
|
||||
|
||||
# install autoconf macro
|
||||
mkdir -p %{buildroot}/%{_datadir}/aclocal
|
||||
install -m 644 src/util/ac_check_krb5.m4 %{buildroot}%{_datadir}/aclocal/
|
||||
# install sample config files
|
||||
# I'll probably do something about this later on
|
||||
mkdir -p %{buildroot}%{_sysconfdir}
|
||||
mkdir -p %{buildroot}%{_sysconfdir}/krb5.conf.d
|
||||
mkdir -p %{buildroot}%{_localstatedir}/log/krb5
|
||||
# create plugin directories
|
||||
mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/kdb
|
||||
mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/preauth
|
||||
mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/libkrb5
|
||||
mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/tls
|
||||
install -m 644 %{vendorFiles}/krb5.conf %{buildroot}%{_sysconfdir}
|
||||
|
||||
# Do not write directly to /var/lib/kerberos anymore as it breaks transactional
|
||||
# updates. Use systemd-tmpfiles to copy the files there when it doesn't exist
|
||||
install -d -m 0755 %{buildroot}%{_tmpfilesdir}
|
||||
install -m 644 %{SOURCE7} %{buildroot}%{_tmpfilesdir}/krb5.conf
|
||||
mkdir -p %{buildroot}/%{_datadir}/kerberos/krb5kdc
|
||||
# Where per-user keytabs live by default.
|
||||
mkdir -p %{buildroot}/%{_datadir}/kerberos/krb5/user
|
||||
install -m 600 %{vendorFiles}/kdc.conf %{buildroot}%{_datadir}/kerberos/krb5kdc/
|
||||
install -m 600 %{vendorFiles}/kadm5.acl %{buildroot}%{_datadir}/kerberos/krb5kdc/
|
||||
install -m 600 %{vendorFiles}/kadm5.dict %{buildroot}%{_datadir}/kerberos/krb5kdc/
|
||||
|
||||
# all libs must have permissions 0755
|
||||
for lib in `find %{buildroot}/%{_libdir}/ -type f -name "*.so*"`
|
||||
do
|
||||
chmod 0755 ${lib}
|
||||
done
|
||||
# and binaries too
|
||||
chmod 0755 %{buildroot}%{_bindir}/ksu
|
||||
# install systemd files
|
||||
%if 0%{?suse_version} >= 1210
|
||||
mkdir -p %{buildroot}%{_unitdir}
|
||||
install -m 644 %{vendorFiles}/kadmind.service %{buildroot}%{_unitdir}
|
||||
install -m 644 %{vendorFiles}/krb5kdc.service %{buildroot}%{_unitdir}
|
||||
install -m 644 %{vendorFiles}/kpropd.service %{buildroot}%{_unitdir}
|
||||
%else
|
||||
# install init scripts
|
||||
mkdir -p %{buildroot}%{_sysconfdir}/init.d
|
||||
install -m 755 %{vendorFiles}/kadmind.init %{buildroot}%{_sysconfdir}/init.d/kadmind
|
||||
install -m 755 %{vendorFiles}/krb5kdc.init %{buildroot}%{_sysconfdir}/init.d/krb5kdc
|
||||
install -m 755 %{vendorFiles}/kpropd.init %{buildroot}%{_sysconfdir}/init.d/kpropd
|
||||
%endif
|
||||
# install sysconfig templates
|
||||
mkdir -p %{buildroot}/%{_fillupdir}
|
||||
install -m 644 %{vendorFiles}/sysconfig.kadmind %{buildroot}/%{_fillupdir}/
|
||||
install -m 644 %{vendorFiles}/sysconfig.krb5kdc %{buildroot}/%{_fillupdir}/
|
||||
# install logrotate files
|
||||
mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d
|
||||
install -m 644 %{vendorFiles}/krb5-server.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/krb5-server
|
||||
find . -type f -name '*.ps' -exec gzip -9 {} +
|
||||
# create rc* links
|
||||
mkdir -p %{buildroot}%{_bindir}/
|
||||
mkdir -p %{buildroot}%{_sbindir}/
|
||||
ln -s service %{buildroot}%{_sbindir}/rckadmind
|
||||
ln -s service %{buildroot}%{_sbindir}/rckrb5kdc
|
||||
ln -s service %{buildroot}%{_sbindir}/rckpropd
|
||||
# install doc
|
||||
install -d -m 755 %{buildroot}/%{krb5docdir}
|
||||
install -m 644 %{_builddir}/%{srcRoot}/README %{buildroot}/%{krb5docdir}/README
|
||||
install -d -m 755 %{buildroot}/%{_datadir}/kerberos/ldap
|
||||
install -m 644 %{_builddir}/%{srcRoot}/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema %{buildroot}/%{_datadir}/kerberos/ldap/kerberos.schema
|
||||
install -m 644 %{_builddir}/%{srcRoot}/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif %{buildroot}/%{_datadir}/kerberos/ldap/kerberos.ldif
|
||||
# link pam-config for su to ksu
|
||||
%if 0%{?suse_version} > 1500
|
||||
mkdir -p %{buildroot}%{_pam_vendordir}
|
||||
install -m 644 %{SOURCE6} %{buildroot}%{_pam_vendordir}/ksu
|
||||
%else
|
||||
mkdir -p %{buildroot}%{_sysconfdir}/pam.d/
|
||||
install -m 644 %{SOURCE6} %{buildroot}%{_sysconfdir}/pam.d/ksu
|
||||
%endif
|
||||
|
||||
# cleanup
|
||||
rm -f %{buildroot}%{_mandir}/man1/tmac.doc*
|
||||
rm -f %{_mandir}/man1/tmac.doc* html/.doctrees/environment.pickle
|
||||
rm -rf %{buildroot}%{_datadir}/examples
|
||||
# manually remove test plugin since configure doesn't support disabling it at build time
|
||||
rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so
|
||||
|
||||
%if "%{_lto_cflags}" != ""
|
||||
# Don't add the lto flags to the public link flags.
|
||||
sed -i "s/%{_lto_cflags}//" %{buildroot}%{_bindir}/krb5-config
|
||||
%endif
|
||||
|
||||
%find_lang mit-krb5
|
||||
|
||||
%post -p /sbin/ldconfig
|
||||
%postun -p /sbin/ldconfig
|
||||
|
||||
%preun server
|
||||
%service_del_preun krb5kdc.service kadmind.service kpropd.service
|
||||
|
||||
%postun server
|
||||
%service_del_postun krb5kdc.service kadmind.service kpropd.service
|
||||
|
||||
%post server
|
||||
%service_add_post krb5kdc.service kadmind.service kpropd.service
|
||||
%tmpfiles_create krb5.conf
|
||||
%{fillup_only -n kadmind}
|
||||
%{fillup_only -n krb5kdc}
|
||||
%{fillup_only -n kpropd}
|
||||
|
||||
%pre server
|
||||
%service_add_pre krb5kdc.service kadmind.service kpropd.service
|
||||
|
||||
%post plugin-kdb-ldap -p /sbin/ldconfig
|
||||
%postun plugin-kdb-ldap -p /sbin/ldconfig
|
||||
|
||||
%if 0%{?suse_version} > 1500
|
||||
%pre client
|
||||
# Prepare for migration to /usr/etc; save any old .rpmsave
|
||||
for i in pam.d/ksu ; do
|
||||
test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i}.rpmsave.old ||:
|
||||
done
|
||||
|
||||
%posttrans client
|
||||
# Migration to /usr/etc, restore just created .rpmsave
|
||||
for i in pam.d/ksu ; do
|
||||
test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i} ||:
|
||||
done
|
||||
%endif
|
||||
|
||||
%files devel
|
||||
%dir %{_datadir}/aclocal
|
||||
%{_libdir}/libgssrpc.so
|
||||
%{_libdir}/libk5crypto.so
|
||||
%{_libdir}/libkadm5clnt_mit.so
|
||||
%{_libdir}/libkadm5clnt.so
|
||||
%{_libdir}/libkadm5srv_mit.so
|
||||
%{_libdir}/libkadm5srv.so
|
||||
%{_libdir}/libkdb5.so
|
||||
%{_libdir}/libkrb5.so
|
||||
%{_libdir}/libkrb5support.so
|
||||
%{_libdir}/libkrad.so
|
||||
%{_libdir}/pkgconfig/gssrpc.pc
|
||||
%{_libdir}/pkgconfig/kadm-client.pc
|
||||
%{_libdir}/pkgconfig/kadm-server.pc
|
||||
%{_libdir}/pkgconfig/kdb.pc
|
||||
%{_libdir}/pkgconfig/krb5-gssapi.pc
|
||||
%{_libdir}/pkgconfig/krb5.pc
|
||||
%{_libdir}/pkgconfig/mit-krb5-gssapi.pc
|
||||
%{_libdir}/pkgconfig/mit-krb5.pc
|
||||
%{_includedir}/*
|
||||
%{_bindir}/krb5-config
|
||||
%{_sbindir}/krb5-send-pr
|
||||
%{_mandir}/man1/krb5-config.1%{?ext_man}
|
||||
%{_datadir}/aclocal/ac_check_krb5.m4
|
||||
|
||||
%files -f mit-krb5.lang
|
||||
%dir %{krb5docdir}
|
||||
# add plugin directories
|
||||
%dir %{_libdir}/krb5
|
||||
%dir %{_libdir}/krb5/plugins
|
||||
%dir %{_libdir}/krb5/plugins/kdb
|
||||
%dir %{_libdir}/krb5/plugins/preauth
|
||||
%dir %{_libdir}/krb5/plugins/libkrb5
|
||||
%dir %{_libdir}/krb5/plugins/tls
|
||||
# add log directory
|
||||
%attr(0700,root,root) %dir %{_localstatedir}/log/krb5
|
||||
%doc %{krb5docdir}/README
|
||||
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/krb5.conf
|
||||
%dir %{_sysconfdir}/krb5.conf.d
|
||||
%{_libdir}/libgssapi_krb5.*
|
||||
%{_libdir}/libgssrpc.so.*
|
||||
%{_libdir}/libk5crypto.so.*
|
||||
%{_libdir}/libkadm5clnt_mit.so.*
|
||||
%{_libdir}/libkadm5srv_mit.so.*
|
||||
%{_libdir}/libkdb5.so.*
|
||||
%{_libdir}/libkrb5.so.*
|
||||
%{_libdir}/libkrb5support.so.*
|
||||
%{_libdir}/libkrad.so.*
|
||||
%{_libdir}/krb5/plugins/tls/*.so
|
||||
|
||||
%files server
|
||||
%attr(0700,root,root) %dir %{_localstatedir}/log/krb5
|
||||
%config(noreplace) %{_sysconfdir}/logrotate.d/krb5-server
|
||||
%{_unitdir}/kadmind.service
|
||||
%{_unitdir}/krb5kdc.service
|
||||
%{_unitdir}/kpropd.service
|
||||
%{_tmpfilesdir}/krb5.conf
|
||||
%dir %{krb5docdir}
|
||||
%dir %{_datadir}/kerberos/
|
||||
%dir %{_datadir}/kerberos/krb5kdc
|
||||
%dir %{_datadir}/kerberos/krb5
|
||||
%dir %{_datadir}/kerberos/krb5/user
|
||||
%dir %{_libdir}/krb5
|
||||
%dir %{_libdir}/krb5/plugins
|
||||
%dir %{_libdir}/krb5/plugins/kdb
|
||||
%dir %{_libdir}/krb5/plugins/tls
|
||||
%attr(0600,root,root) %config(noreplace) %{_datadir}/kerberos/krb5kdc/kdc.conf
|
||||
%attr(0600,root,root) %config(noreplace) %{_datadir}/kerberos/krb5kdc/kadm5.acl
|
||||
%attr(0600,root,root) %config(noreplace) %{_datadir}/kerberos/krb5kdc/kadm5.dict
|
||||
%ghost %dir %{_sharedstatedir}/kerberos/
|
||||
%ghost %dir %{_sharedstatedir}/kerberos/krb5kdc
|
||||
%ghost %dir %{_sharedstatedir}/kerberos/krb5
|
||||
%ghost %dir %{_sharedstatedir}/kerberos/krb5/user
|
||||
%ghost %attr(0600,root,root) %config(noreplace) %{_sharedstatedir}/kerberos/krb5kdc/kdc.conf
|
||||
%ghost %attr(0600,root,root) %config(noreplace) %{_sharedstatedir}/kerberos/krb5kdc/kadm5.acl
|
||||
%ghost %attr(0600,root,root) %config(noreplace) %{_sharedstatedir}/kerberos/krb5kdc/kadm5.dict
|
||||
%{_fillupdir}/sysconfig.*
|
||||
%{_sbindir}/rc*
|
||||
%{_sbindir}/kadmin.local
|
||||
%{_sbindir}/kadmind
|
||||
%{_sbindir}/kpropd
|
||||
%{_sbindir}/kproplog
|
||||
%{_sbindir}/kprop
|
||||
%{_sbindir}/kdb5_util
|
||||
%{_sbindir}/krb5kdc
|
||||
%{_sbindir}/gss-server
|
||||
%{_sbindir}/sim_server
|
||||
%{_sbindir}/sserver
|
||||
%{_sbindir}/uuserver
|
||||
%{_libdir}/krb5/plugins/kdb/db2.so
|
||||
%{_mandir}/man5/kdc.conf.5%{?ext_man}
|
||||
%{_mandir}/man5/kadm5.acl.5%{?ext_man}
|
||||
%{_mandir}/man8/kadmind.8%{?ext_man}
|
||||
%{_mandir}/man8/kadmin.local.8%{?ext_man}
|
||||
%{_mandir}/man8/kpropd.8%{?ext_man}
|
||||
%{_mandir}/man8/kprop.8%{?ext_man}
|
||||
%{_mandir}/man8/kproplog.8%{?ext_man}
|
||||
%{_mandir}/man8/kdb5_util.8%{?ext_man}
|
||||
%{_mandir}/man8/krb5kdc.8%{?ext_man}
|
||||
%{_mandir}/man8/sserver.8%{?ext_man}
|
||||
|
||||
%files client
|
||||
%if 0%{?suse_version} > 1500
|
||||
%attr(0644,root,root) %{_pam_vendordir}/ksu
|
||||
%else
|
||||
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/ksu
|
||||
%endif
|
||||
%{_bindir}/kvno
|
||||
%{_bindir}/kinit
|
||||
%{_bindir}/kdestroy
|
||||
%{_bindir}/kpasswd
|
||||
%{_bindir}/klist
|
||||
%{_bindir}/kadmin
|
||||
%{_bindir}/ktutil
|
||||
%{_bindir}/k5srvutil
|
||||
%{_bindir}/gss-client
|
||||
%{_bindir}/ksu
|
||||
%{_bindir}/sclient
|
||||
%{_bindir}/sim_client
|
||||
%{_bindir}/uuclient
|
||||
%{_bindir}/kswitch
|
||||
%{_bindir}/kinit
|
||||
%{_bindir}/klist
|
||||
%{_mandir}/man1/kvno.1%{?ext_man}
|
||||
%{_mandir}/man1/kinit.1%{?ext_man}
|
||||
%{_mandir}/man1/kdestroy.1%{?ext_man}
|
||||
%{_mandir}/man1/kpasswd.1%{?ext_man}
|
||||
%{_mandir}/man1/klist.1%{?ext_man}
|
||||
%{_mandir}/man1/kadmin.1%{?ext_man}
|
||||
%{_mandir}/man1/ktutil.1%{?ext_man}
|
||||
%{_mandir}/man1/k5srvutil.1%{?ext_man}
|
||||
%{_mandir}/man1/kswitch.1%{?ext_man}
|
||||
%{_mandir}/man5/krb5.conf.5%{?ext_man}
|
||||
%{_mandir}/man5/.k5login.5%{?ext_man}
|
||||
%{_mandir}/man5/.k5identity.5%{?ext_man}
|
||||
%{_mandir}/man5/k5identity.5%{?ext_man}
|
||||
%{_mandir}/man5/k5login.5%{?ext_man}
|
||||
%{_mandir}/man1/ksu.1%{?ext_man}
|
||||
%{_mandir}/man1/sclient.1%{?ext_man}
|
||||
%{_mandir}/man7/kerberos.7%{?ext_man}
|
||||
|
||||
%files plugin-kdb-ldap
|
||||
%{_sbindir}/kdb5_ldap_util
|
||||
%dir %{_datadir}/kerberos
|
||||
%dir %{_datadir}/kerberos/ldap
|
||||
%config %{_datadir}/kerberos/ldap/kerberos.schema
|
||||
%config %{_datadir}/kerberos/ldap/kerberos.ldif
|
||||
%dir %{_libdir}/krb5
|
||||
%dir %{_libdir}/krb5/plugins
|
||||
%dir %{_libdir}/krb5/plugins/kdb
|
||||
%{_libdir}/krb5/plugins/kdb/kldap.so
|
||||
%{_libdir}/libkdb_ldap*
|
||||
%{_mandir}/man8/kdb5_ldap_util.8%{?ext_man}
|
||||
|
||||
%files plugin-preauth-pkinit
|
||||
%dir %{_libdir}/krb5
|
||||
%dir %{_libdir}/krb5/plugins
|
||||
%dir %{_libdir}/krb5/plugins/preauth
|
||||
%{_libdir}/krb5/plugins/preauth/pkinit.so
|
||||
|
||||
%files plugin-preauth-otp
|
||||
%dir %{_libdir}/krb5
|
||||
%dir %{_libdir}/krb5/plugins
|
||||
%dir %{_libdir}/krb5/plugins/preauth
|
||||
%{_libdir}/krb5/plugins/preauth/otp.so
|
||||
|
||||
%files plugin-preauth-spake
|
||||
%dir %{_libdir}/krb5
|
||||
%dir %{_libdir}/krb5/plugins
|
||||
%dir %{_libdir}/krb5/plugins/preauth
|
||||
%{_libdir}/krb5/plugins/preauth/spake.so
|
||||
|
||||
%changelog
|
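Review bot: `chmod 0755 %{buildroot}%{_bindir}/ksu` in %install, justified only by `# and binaries too`, strips the setuid-root bit that MIT's ksu Makefile installs with (mode 4755, if I recall upstream correctly), and `%files client` lists `%{_bindir}/ksu` with no `%attr`, so the shipped binary is a non-setuid 0755 file that unprivileged users cannot use to switch accounts. That is a deliberate security decision or a functional regression, and the spec should say which, e.g. `# ksu is intentionally shipped without the setuid bit upstream sets; it is not a setuid su replacement on SUSE` — or, if ksu is meant to work for ordinary users, route the mode through the distribution's permissions handling rather than a silent chmod. Separately, `rm -f %{_mandir}/man1/tmac.doc* html/.doctrees/environment.pickle` lacks `%{buildroot}` and points at the build host's paths; the line before it already cleans the buildroot copy, so this one can be dropped. `%{_bindir}/kinit` and `%{_bindir}/klist` are listed twice in `%files client` and will produce "File listed twice" warnings.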
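--- a/krb5.tmpfiles
+++ b/krb5.tmpfiles
@@ -0,0 +1,7 @@
+d /var/lib/kerberos 0755 root root -
+d /var/lib/kerberos/krb5 0755 root root -
+d /var/lib/kerberos/krb5/user 0755 root root -
+d /var/lib/kerberos/krb5kdc 0755 root root -
+C /var/lib/kerberos/krb5kdc/kdc.conf 0600 root root - /usr/share/kerberos/krb5kdc/kdc.conf
+C /var/lib/kerberos/krb5kdc/kadm5.acl 0600 root root - /usr/share/kerberos/krb5kdc/kadm5.acl
+C /var/lib/kerberos/krb5kdc/kadm5.dict 0600 root root - /usr/share/kerberos/krb5kdc/kadm5.dict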
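Review bot: `d /var/lib/kerberos/krb5kdc 0755 root root -` creates the KDC state directory world-searchable and -listable; the three shipped templates are copied 0600, but the principal database and master-key stash that kdb5_util later writes into the same directory get only whatever mode that tool applies, so a 0700 directory is the cheaper defence in depth: `d /var/lib/kerberos/krb5kdc 0700 root root -`. If the KDC or kadmind is ever run as a non-root user the owner would have to change accordingly; that cannot be told from this commit, so confirm against the unit files in vendor-files.tar.bz2 before tightening. A one-line comment above the `C` entries noting that they only seed missing files and never overwrite an admin-edited kdc.conf would also spare the next reader a trip to tmpfiles.d(5).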
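--- a/ksu-pam.d
+++ b/ksu-pam.d
@@ -0,0 +1,9 @@
+#%PAM-1.0
+auth sufficient pam_rootok.so
+auth include common-auth
+account sufficient pam_rootok.so
+account include common-account
+password include common-password
+session optional pam_keyinit.so force revoke
+session include common-session
+session optional pam_xauth.so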
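Review bot: The `auth` stack (`pam_rootok.so` then `include common-auth`) reads as if PAM authenticates the caller, yet the commit's own patch description says ksu performs account and session management through PAM while Kerberos does the authentication; whether the patched ksu ever reaches pam_authenticate cannot be determined from this file, so a header comment should state what each stack is for, e.g. `# ksu authenticates the caller via Kerberos; PAM here provides account and session handling for the target user`. `password include common-password` is most likely inert, since an su-style tool has no password-change path — keep it only with a comment or drop it. `session optional pam_xauth.so` forwards the caller's X authority to the target account, which is normal for su but deserves a one-line note because this file ships in %{_pam_vendordir} on newer products and is overridden only by an admin copy in /etc/pam.d.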
BIN
vendor-files.tar.bz2
(Stored with Git LFS)
Normal file
BIN
vendor-files.tar.bz2
(Stored with Git LFS)
Normal file
Binary file not shown.