diff --git a/krb5-1.12-pam.patch b/0001-krb5-1.12-pam.patch similarity index 91% rename from krb5-1.12-pam.patch rename to 0001-krb5-1.12-pam.patch index 8562128..ee40760 100644 --- a/krb5-1.12-pam.patch +++ b/0001-krb5-1.12-pam.patch @@ -1,3 +1,10 @@ +From 333d843912825435da5c3e62807efb6753946be1 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Mon, 14 Jan 2019 13:05:56 +0100 +Subject: [PATCH 1/9] krb5-1.12-pam + +Import krb5-1.12-pam.patch + Modify ksu so that it performs account and session management on behalf of the target user account, mimicking the action of regular su. The default service name is "ksu", because on Fedora at least the configuration used @@ -10,10 +17,22 @@ When enabled, ksu gains a dependency on libpam. Originally RT#5939, though it's changed since then to perform the account and session management before dropping privileges. +--- + src/aclocal.m4 | 67 +++++++ + src/clients/ksu/Makefile.in | 8 +- + src/clients/ksu/main.c | 94 ++++++++- + src/clients/ksu/pam.c | 389 ++++++++++++++++++++++++++++++++++++ + src/clients/ksu/pam.h | 57 ++++++ + src/configure.in | 2 + + 6 files changed, 614 insertions(+), 3 deletions(-) + create mode 100644 src/clients/ksu/pam.c + create mode 100644 src/clients/ksu/pam.h ---- krb5-1.13.orig/src/aclocal.m4 -+++ krb5-1.13/src/aclocal.m4 -@@ -1671,3 +1671,70 @@ AC_DEFUN(KRB5_AC_PERSISTENT_KEYRING,[ +diff --git a/src/aclocal.m4 b/src/aclocal.m4 +index 3752d9bd5..340546d80 100644 +--- a/src/aclocal.m4 ++++ b/src/aclocal.m4 +@@ -1697,3 +1697,70 @@ AC_DEFUN(KRB5_AC_PERSISTENT_KEYRING,[ ])) ])dnl dnl 
@@ -84,8 +103,48 @@ and session management before dropping privileges. +AC_SUBST(PAM_MAN) +AC_SUBST(NON_PAM_MAN) +])dnl ---- krb5-1.13.orig/src/clients/ksu/main.c -+++ krb5-1.13/src/clients/ksu/main.c +diff --git a/src/clients/ksu/Makefile.in b/src/clients/ksu/Makefile.in +index b2fcbf240..5755bb58a 100644 +--- a/src/clients/ksu/Makefile.in ++++ b/src/clients/ksu/Makefile.in +@@ -3,12 +3,14 @@ BUILDTOP=$(REL)..$(S).. + DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"' + + KSU_LIBS=@KSU_LIBS@ ++PAM_LIBS=@PAM_LIBS@ + + SRCS = \ + $(srcdir)/krb_auth_su.c \ + $(srcdir)/ccache.c \ + $(srcdir)/authorization.c \ + $(srcdir)/main.c \ ++ $(srcdir)/pam.c \ + $(srcdir)/heuristic.c \ + $(srcdir)/xmalloc.c \ + $(srcdir)/setenv.c +@@ -17,13 +19,17 @@ OBJS = \ + ccache.o \ + authorization.o \ + main.o \ ++ pam.o \ + heuristic.o \ + xmalloc.o @SETENVOBJ@ + + all: ksu + + ksu: $(OBJS) $(KRB5_BASE_DEPLIBS) +- $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS) ++ $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS) $(PAM_LIBS) ++ ++pam.o: pam.c ++ $(CC) $(ALL_CFLAGS) -c $< + + clean: + $(RM) ksu +diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c +index d9596d948..7a0c7e48b 100644 +--- a/src/clients/ksu/main.c ++++ b/src/clients/ksu/main.c @@ -26,6 +26,7 @@ * KSU was writen by: Ari Medvinsky, ari@isi.edu */ @@ -113,7 +172,7 @@ and session management before dropping privileges. /***********/ #define KS_TEMPORARY_CACHE "MEMORY:_ksu" -@@ -519,6 +525,25 @@ main (argc, argv) +@@ -528,6 +534,25 @@ main (argc, argv) prog_name,target_user,client_name, source_user,ontty()); @@ -139,7 +198,7 @@ and session management before dropping privileges. /* Run authorization as target.*/ if (krb5_seteuid(target_uid)) { com_err(prog_name, errno, _("while switching to target for " -@@ -587,6 +612,26 @@ main (argc, argv) +@@ -596,6 +621,26 @@ main (argc, argv) com_err(prog_name,retval, _("while calling cc_filter")); exit(1); } 
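Review bot: The explicit `pam.o: pam.c` rule with `$(CC) $(ALL_CFLAGS) -c $<` in the ksu Makefile.in hunk is the only object in OBJS that gets its own recipe; ccache.o, authorization.o and the rest are built without one, so an inference rule already covers them and pam.o does not need a special case. `$<` inside an explicit (non-suffix) rule is a GNU make extension rather than POSIX make, so this two-line addition is also the one spot in the file that would not port to a non-GNU make. Dropping the rule and letting pam.o be built like its siblings keeps the file consistent; the main.c hunks in this section only shift offsets and the code they carry is outside this view.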
@@ -166,7 +225,7 @@ and session management before dropping privileges. } if (all_rest_copy){ -@@ -636,6 +681,32 @@ main (argc, argv) +@@ -645,6 +690,32 @@ main (argc, argv) exit(1); } @@ -199,7 +258,7 @@ and session management before dropping privileges. /* set permissions */ if (setgid(target_pwd->pw_gid) < 0) { perror("ksu: setgid"); -@@ -733,7 +804,7 @@ main (argc, argv) +@@ -742,7 +813,7 @@ main (argc, argv) fprintf(stderr, "program to be execed %s\n",params[0]); } @@ -208,7 +267,7 @@ and session management before dropping privileges. execv(params[0], params); com_err(prog_name, errno, _("while trying to execv %s"), params[0]); sweep_up(ksu_context, cc_target); -@@ -763,16 +834,35 @@ main (argc, argv) +@@ -772,16 +843,35 @@ main (argc, argv) if (ret_pid == -1) { com_err(prog_name, errno, _("while calling waitpid")); } @@ -245,44 +304,11 @@ and session management before dropping privileges. exit (1); } } ---- krb5-1.15.orig/src/clients/ksu/Makefile.in 2016-12-01 23:31:24.000000000 +0100 -+++ krb5-1.15/src/clients/ksu/Makefile.in 2016-12-03 16:08:50.583613246 +0100 -@@ -3,12 +3,14 @@ - DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"' - - KSU_LIBS=@KSU_LIBS@ -+PAM_LIBS=@PAM_LIBS@ - - SRCS = \ - $(srcdir)/krb_auth_su.c \ - $(srcdir)/ccache.c \ - $(srcdir)/authorization.c \ - $(srcdir)/main.c \ -+ $(srcdir)/pam.c \ - $(srcdir)/heuristic.c \ - $(srcdir)/xmalloc.c \ - $(srcdir)/setenv.c -@@ -17,13 +19,17 @@ - ccache.o \ - authorization.o \ - main.o \ -+ pam.o \ - heuristic.o \ - xmalloc.o @SETENVOBJ@ - - all: ksu - - ksu: $(OBJS) $(KRB5_BASE_DEPLIBS) -- $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS) -+ $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS) $(PAM_LIBS) -+ -+pam.o: pam.c -+ $(CC) $(ALL_CFLAGS) -c $< - - clean: - $(RM) ksu +diff --git a/src/clients/ksu/pam.c b/src/clients/ksu/pam.c +new file mode 100644 +index 000000000..cbfe48704 --- /dev/null -+++ krb5-1.13/src/clients/ksu/pam.c ++++ b/src/clients/ksu/pam.c 
@@ -0,0 +1,389 @@ +/* + * src/clients/ksu/pam.c @@ -673,8 +699,11 @@ and session management before dropping privileges. + return ret; +} +#endif +diff --git a/src/clients/ksu/pam.h b/src/clients/ksu/pam.h +new file mode 100644 +index 000000000..0ab76569c --- /dev/null -+++ krb5-1.13/src/clients/ksu/pam.h ++++ b/src/clients/ksu/pam.h @@ -0,0 +1,57 @@ +/* + * src/clients/ksu/pam.h @@ -733,9 +762,11 @@ and session management before dropping privileges. +int appl_pam_cred_init(void); +void appl_pam_cleanup(void); +#endif ---- krb5-1.13.orig/src/configure.in -+++ krb5-1.13/src/configure.in -@@ -1285,6 +1285,8 @@ AC_SUBST([VERTO_VERSION]) +diff --git a/src/configure.in b/src/configure.in +index 61ef738dc..e9a12ac16 100644 +--- a/src/configure.in ++++ b/src/configure.in +@@ -1352,6 +1352,8 @@ AC_SUBST([VERTO_VERSION]) AC_PATH_PROG(GROFF, groff) @@ -744,3 +775,6 @@ and session management before dropping privileges. # Make localedir work in autoconf 2.5x. if test "${localedir+set}" != set; then localedir='$(datadir)/locale' +-- +2.20.1 + diff --git a/0002-krb5-1.9-manpaths.patch b/0002-krb5-1.9-manpaths.patch new file mode 100644 index 0000000..df9ff03 --- /dev/null +++ b/0002-krb5-1.9-manpaths.patch 
@@ -0,0 +1,31 @@ +From 84aceebf6f76934c5d8fa11b0f7cd662542c286a Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Mon, 14 Jan 2019 13:06:55 +0100 +Subject: [PATCH 2/9] krb5-1.9-manpaths + +Import krb5-1.9-manpaths.dif + +Change the absolute paths included in the man pages so that the correct +values can be dropped in by config.status. After applying this patch, +these files should be renamed to their ".in" counterparts, and then the +configure scripts should be rebuilt. Originally RT#6525 +--- + src/man/kpropd.man | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/man/kpropd.man b/src/man/kpropd.man +index 38daa5e79..a0106ec5f 100644 +--- a/src/man/kpropd.man ++++ b/src/man/kpropd.man +@@ -67,7 +67,7 @@ the \fB/etc/inetd.conf\fP file which looks like this: + .sp + .nf + .ft C +-kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd ++kprop stream tcp nowait root @SBINDIR@/kpropd kpropd + .ft P + .fi + .UNINDENT +-- +2.20.1 + diff --git a/krb5-1.12-buildconf.patch b/0003-krb5-1.12-buildconf.patch similarity index 68% rename from krb5-1.12-buildconf.patch rename to 0003-krb5-1.12-buildconf.patch index 62a7081..a65f0df 100644 --- a/krb5-1.12-buildconf.patch +++ b/0003-krb5-1.12-buildconf.patch 
@@ -1,33 +1,26 @@ +From a04d1b609e0ca89d1ad93faeeafa5b3202cca4df Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Mon, 14 Jan 2019 13:08:07 +0100 +Subject: [PATCH 3/9] krb5-1.12-buildconf + +Import krb5-1.12-buildconf.patch + Build binaries in this package as RELRO PIEs, libraries as partial RELRO, and install shared libraries with the execute bit set on them. Prune out the -L/usr/lib* and PIE flags where they might leak out and affect apps which just want to link with the libraries. FIXME: needs to check and not just assume that the compiler supports using these flags. +--- + src/build-tools/krb5-config.in | 7 +++++++ + src/config/pre.in | 2 +- + src/config/shlib.conf | 5 +++-- + 3 files changed, 11 insertions(+), 3 deletions(-) ---- krb5-1.15.orig/src/config/shlib.conf 2016-12-01 23:31:24.000000000 +0100 -+++ krb5-1.15/src/config/shlib.conf 2016-12-03 16:58:48.378478508 +0100 -@@ -423,7 +423,7 @@ - # Linux ld doesn't default to stuffing the SONAME field... - # Use objdump -x to examine the fields of the library - # UNDEF_CHECK is suppressed by --enable-asan -- LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $(UNDEF_CHECK)' -+ LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $(UNDEF_CHECK) -Wl,-z,relro' - UNDEF_CHECK='-Wl,--no-undefined' - # $(EXPORT_CHECK) runs export-check.pl when in maintainer mode. 
- LDCOMBINE_TAIL='-Wl,--version-script binutils.versions $(EXPORT_CHECK)' -@@ -435,7 +435,8 @@ - SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)' - PROFFLAGS=-pg - PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)' -- CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)' -+ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie -Wl,-z,relro -Wl,-z,now $(LDFLAGS)' -+ INSTALL_SHLIB='${INSTALL} -m755' - CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)' - CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)' - CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)' ---- krb5/src/build-tools/krb5-config.in -+++ krb5/src/build-tools/krb5-config.in -@@ -189,6 +189,13 @@ if test -n "$do_libs"; then +diff --git a/src/build-tools/krb5-config.in b/src/build-tools/krb5-config.in +index f6184da3f..0edf6a1a5 100755 +--- a/src/build-tools/krb5-config.in ++++ b/src/build-tools/krb5-config.in +@@ -225,6 +225,13 @@ if test -n "$do_libs"; then -e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \ -e 's#\$(CFLAGS)##'` @@ -41,9 +34,11 @@ not just assume that the compiler supports using these flags. if test $library = 'kdb'; then lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB" library=krb5 ---- krb5/src/config/pre.in -+++ krb5/src/config/pre.in -@@ -188,7 +188,7 @@ +diff --git a/src/config/pre.in b/src/config/pre.in +index ce87e21ca..164bf8301 100644 +--- a/src/config/pre.in ++++ b/src/config/pre.in +@@ -184,7 +184,7 @@ INSTALL_PROGRAM=@INSTALL_PROGRAM@ $(INSTALL_STRIP) INSTALL_SCRIPT=@INSTALL_PROGRAM@ INSTALL_DATA=@INSTALL_DATA@ INSTALL_SHLIB=@INSTALL_SHLIB@ 
@@ -52,3 +47,29 @@ not just assume that the compiler supports using these flags. ## This is needed because autoconf will sometimes define @exec_prefix@ to be ## ${prefix}. prefix=@prefix@ +diff --git a/src/config/shlib.conf b/src/config/shlib.conf +index 3e4af6c02..a43736137 100644 +--- a/src/config/shlib.conf ++++ b/src/config/shlib.conf +@@ -423,7 +423,7 @@ mips-*-netbsd*) + # Linux ld doesn't default to stuffing the SONAME field... + # Use objdump -x to examine the fields of the library + # UNDEF_CHECK is suppressed by --enable-asan +- LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $(UNDEF_CHECK)' ++ LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $(UNDEF_CHECK) -Wl,-z,relro' + UNDEF_CHECK='-Wl,--no-undefined' + # $(EXPORT_CHECK) runs export-check.pl when in maintainer mode. + LDCOMBINE_TAIL='-Wl,--version-script binutils.versions $(EXPORT_CHECK)' +@@ -435,7 +435,8 @@ mips-*-netbsd*) + SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)' + PROFFLAGS=-pg + PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)' +- CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)' ++ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie -Wl,-z,relro -Wl,-z,now $(LDFLAGS)' ++ INSTALL_SHLIB='${INSTALL} -m755' + CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)' + CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)' + CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)' +-- +2.20.1 + diff --git a/0004-krb5-1.6.3-gssapi_improve_errormessages.patch b/0004-krb5-1.6.3-gssapi_improve_errormessages.patch new file mode 100644 index 0000000..77cf086 --- /dev/null +++ b/0004-krb5-1.6.3-gssapi_improve_errormessages.patch 
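Review bot: `CC_LINK_SHARED` gains `-pie -Wl,-z,relro -Wl,-z,now`, but the adjacent `CXX_LINK_SHARED` and `CC_LINK_STATIC` in the same shlib.conf block are left untouched, so any C++ or statically linked program produced through those variables ships without PIE/full RELRO even though the patch description promises "binaries in this package as RELRO PIEs". The C++ link line should get the same treatment: `CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) -pie -Wl,-z,relro -Wl,-z,now $(LDFLAGS)'`. Separately, `-pie` at link time presumes the objects were compiled with `-fPIE`; CFLAGS is not in this hunk, so on targets whose compiler does not default to PIE this can fail with relocation errors, and the description's own FIXME admits that nothing checks the compiler supports these flags.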
@@ -0,0 +1,26 @@ +From 3cdd9863a1a7a9a004f3d75e32136bb0be26a32b Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Mon, 14 Jan 2019 13:09:05 +0100 +Subject: [PATCH 4/9] krb5-1.6.3-gssapi_improve_errormessages + +Import krb5-1.6.3-gssapi_improve_errormessages.dif +--- + src/lib/gssapi/generic/disp_com_err_status.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/lib/gssapi/generic/disp_com_err_status.c b/src/lib/gssapi/generic/disp_com_err_status.c +index bc416107e..22612f970 100644 +--- a/src/lib/gssapi/generic/disp_com_err_status.c ++++ b/src/lib/gssapi/generic/disp_com_err_status.c +@@ -52,7 +52,7 @@ g_display_com_err_status(OM_uint32 *minor_status, OM_uint32 status_value, + status_string->value = NULL; + + if (! g_make_string_buffer(((status_value == 0)?no_error: +- error_message(status_value)), ++ error_message((long)status_value)), + status_string)) { + *minor_status = ENOMEM; + return(GSS_S_FAILURE); +-- +2.20.1 + diff --git a/0005-krb5-1.6.3-ktutil-manpage.patch b/0005-krb5-1.6.3-ktutil-manpage.patch new file mode 100644 index 0000000..a414f48 --- /dev/null +++ b/0005-krb5-1.6.3-ktutil-manpage.patch 
@@ -0,0 +1,36 @@ +From af0fe879800e72101b6d306c1b510880aec7cdaa Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Mon, 14 Jan 2019 13:14:47 +0100 +Subject: [PATCH 5/9] krb5-1.6.3-ktutil-manpage + +Import krb5-1.6.3-ktutil-manpage.dif +--- + src/man/ktutil.man | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/src/man/ktutil.man b/src/man/ktutil.man +index 4e174c0fe..f6d6ae814 100644 +--- a/src/man/ktutil.man ++++ b/src/man/ktutil.man +@@ -171,6 +171,18 @@ ktutil: + .sp + See kerberos(7) for a description of Kerberos environment + variables. ++.SH REMARKS ++Changes to the keytab are appended to the keytab file (i.e., the keytab file ++is never overwritten). To directly modify a keytab, save the changes to a ++temporary file and then overwrite the keytab file of interest. ++.TP ++.nf ++Example: ++ktutil> rkt /etc/krb5.keytab ++(modifications to keytab) ++ktutil> wkt /tmp/krb5.newtab ++ktutil> q ++# mv /tmp/krb5.newtab /etc/krb5.keytab + .SH SEE ALSO + .sp + kadmin(1), kdb5_util(8), kerberos(7) +-- +2.20.1 + diff --git a/krb5-1.12-api.patch b/0006-krb5-1.12-api.patch similarity index 57% rename from krb5-1.12-api.patch rename to 0006-krb5-1.12-api.patch index d059432..5ee0bb3 100644 --- a/krb5-1.12-api.patch +++ b/0006-krb5-1.12-api.patch 
@@ -1,10 +1,22 @@ +From 70039109cc843f4958e89fd674d098c7c89affa8 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Mon, 14 Jan 2019 13:15:50 +0100 +Subject: [PATCH 6/9] krb5-1.12-api + +Import krb5-1.12-api.patch + Reference docs don't define what happens if you call krb5_realm_compare() with malformed krb5_principal structures. Define a behavior which keeps it from crashing if applications don't check ahead of time. +--- + src/lib/krb5/krb/princ_comp.c | 7 +++++++ + 1 file changed, 7 insertions(+) ---- krb5/src/lib/krb5/krb/princ_comp.c -+++ krb5/src/lib/krb5/krb/princ_comp.c -@@ -41,6 +41,10 @@ realm_compare_flags(krb5_context context +diff --git a/src/lib/krb5/krb/princ_comp.c b/src/lib/krb5/krb/princ_comp.c +index a6936107d..0ed78833b 100644 +--- a/src/lib/krb5/krb/princ_comp.c ++++ b/src/lib/krb5/krb/princ_comp.c +@@ -36,6 +36,10 @@ realm_compare_flags(krb5_context context, const krb5_data *realm1 = &princ1->realm; const krb5_data *realm2 = &princ2->realm; @@ -15,7 +27,7 @@ crashing if applications don't check ahead of time. if (realm1->length != realm2->length) return FALSE; if (realm1->length == 0) -@@ -92,6 +98,9 @@ krb5_principal_compare_flags(krb5_contex +@@ -88,6 +92,9 @@ krb5_principal_compare_flags(krb5_context context, krb5_principal upn2 = NULL; krb5_boolean ret = FALSE; @@ -25,3 +37,6 @@ crashing if applications don't check ahead of time. if (flags & KRB5_PRINCIPAL_COMPARE_ENTERPRISE) { /* Treat UPNs as if they were real principals */ if (princ1->type == KRB5_NT_ENTERPRISE_PRINCIPAL) { +-- +2.20.1 + diff --git a/0007-krb5-1.12-ksu-path.patch b/0007-krb5-1.12-ksu-path.patch new file mode 100644 index 0000000..d673157 --- /dev/null +++ b/0007-krb5-1.12-ksu-path.patch 
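Review bot: The NULL guards this patch adds to realm_compare_flags() are inserted after `const krb5_data *realm1 = &princ1->realm;` and `const krb5_data *realm2 = &princ2->realm;`, so the member address is computed through a possibly-NULL principal before the check runs; forming `&princ1->realm` from a null pointer is undefined behaviour in C, and an optimizer that sees it may assume princ1 is non-null and delete the very check the patch relies on to avoid the crash. Move the guard above the two declarations, e.g. make `if (princ1 == NULL || princ2 == NULL) return FALSE;` the first statement of the function, and take the realm addresses afterwards. The added lines themselves fall outside this outer hunk, so their exact form is inferred from the inner hunk header and the description.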
@@ -0,0 +1,27 @@ +From 2af2add95fdd3973437cd0ce5ca1794afb461227 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Mon, 14 Jan 2019 13:16:29 +0100 +Subject: [PATCH 7/9] krb5-1.12-ksu + +Import krb5-1.12-ksu-path.patch + +Set the default PATH to the one set by login. +--- + src/clients/ksu/Makefile.in | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/clients/ksu/Makefile.in b/src/clients/ksu/Makefile.in +index 5755bb58a..9d58f29b5 100644 +--- a/src/clients/ksu/Makefile.in ++++ b/src/clients/ksu/Makefile.in +@@ -1,6 +1,6 @@ + mydir=clients$(S)ksu + BUILDTOP=$(REL)..$(S).. +-DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"' ++DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/usr/local/sbin /usr/local/bin /sbin /bin /usr/sbin /usr/bin"' + + KSU_LIBS=@KSU_LIBS@ + PAM_LIBS=@PAM_LIBS@ +-- +2.20.1 + diff --git a/krb5-1.12-selinux-label.patch b/0008-krb5-1.12-selinux-label.patch similarity index 74% rename from krb5-1.12-selinux-label.patch rename to 0008-krb5-1.12-selinux-label.patch index 1e2616b..64e7294 100644 --- a/krb5-1.12-selinux-label.patch +++ b/0008-krb5-1.12-selinux-label.patch @@ -1,3 +1,10 @@ +From e079ae26bbec6bce74e09a980d734fa886ee93b0 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Mon, 14 Jan 2019 13:17:28 +0100 +Subject: [PATCH 8/9] krb5-1.12-selinux-label + +Import krb5-1.12-selinux-label.patch + SELinux bases access to files on the domain of the requesting process, the operation being performed, and the context applied to the file. 
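Review bot: The new `CMD_PATH` lists `/usr/local/sbin /usr/local/bin` ahead of `/sbin /bin /usr/sbin /usr/bin`, and ksu is a setuid-root program that, as the macro name and the old value `/bin /local/bin` indicate, uses this list to locate the command it runs as the target user; on hosts where `/usr/local/*` is group- or world-writable (not unusual for locally administered trees), a `ksu` to root that names a bare command can be redirected to a planted binary before the system copy is reached. Consider putting the system directories first, `CMD_PATH='"/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin"'`, or at least documenting in the commit that the search order mirrors login's PATH and is only safe when every listed directory is root-owned and non-writable.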
@@ -30,11 +37,39 @@ stomp all over us. The selabel APIs for looking up the context should be thread-safe (per Red Hat #273081), so switching to using them instead of matchpathcon(), which we used earlier, is some improvement. +--- + src/aclocal.m4 | 49 +++ + src/build-tools/krb5-config.in | 3 +- + src/config/pre.in | 3 +- + src/configure.in | 2 + + src/include/k5-int.h | 1 + + src/include/k5-label.h | 32 ++ + src/include/krb5/krb5.hin | 6 + + src/kadmin/dbutil/dump.c | 11 +- + src/kdc/main.c | 2 +- + src/lib/kadm5/logger.c | 4 +- + src/lib/kdb/kdb_log.c | 2 +- + src/lib/krb5/ccache/cc_dir.c | 26 +- + src/lib/krb5/keytab/kt_file.c | 4 +- + src/lib/krb5/os/trace.c | 2 +- + src/lib/krb5/rcache/rc_dfl.c | 13 + + src/plugins/kdb/db2/adb_openclose.c | 2 +- + src/plugins/kdb/db2/kdb_db2.c | 4 +- + src/plugins/kdb/db2/libdb2/btree/bt_open.c | 3 +- + src/plugins/kdb/db2/libdb2/hash/hash.c | 3 +- + src/plugins/kdb/db2/libdb2/recno/rec_open.c | 4 +- + .../kdb/ldap/ldap_util/kdb5_ldap_services.c | 11 +- + src/util/profile/prof_file.c | 3 +- + src/util/support/Makefile.in | 3 +- + src/util/support/selinux.c | 381 ++++++++++++++++++ + 24 files changed, 553 insertions(+), 21 deletions(-) + create mode 100644 src/include/k5-label.h + create mode 100644 src/util/support/selinux.c -Index: krb5-1.16.1/src/aclocal.m4 -=================================================================== ---- krb5-1.16.1.orig/src/aclocal.m4 -+++ krb5-1.16.1/src/aclocal.m4 +diff --git a/src/aclocal.m4 b/src/aclocal.m4 +index 340546d80..4440ec5f8 100644 +--- a/src/aclocal.m4 ++++ b/src/aclocal.m4 @@ -89,6 +89,7 @@ AC_SUBST_FILE(libnodeps_frag) dnl KRB5_AC_PRAGMA_WEAK_REF @@ -43,7 +78,7 @@ Index: krb5-1.16.1/src/aclocal.m4 KRB5_LIB_PARAMS KRB5_AC_INITFINI KRB5_AC_ENABLE_THREADS -@@ -1763,3 +1764,51 @@ AC_SUBST(PAM_LIBS) +@@ -1764,3 +1765,51 @@ AC_SUBST(PAM_LIBS) AC_SUBST(PAM_MAN) AC_SUBST(NON_PAM_MAN) ])dnl 
@@ -95,10 +130,31 @@ Index: krb5-1.16.1/src/aclocal.m4 +LIBS="$old_LIBS" +AC_SUBST(SELINUX_LIBS) +])dnl -Index: krb5-1.16.1/src/config/pre.in -=================================================================== ---- krb5-1.16.1.orig/src/config/pre.in -+++ krb5-1.16.1/src/config/pre.in +diff --git a/src/build-tools/krb5-config.in b/src/build-tools/krb5-config.in +index 0edf6a1a5..1891dea99 100755 +--- a/src/build-tools/krb5-config.in ++++ b/src/build-tools/krb5-config.in +@@ -41,6 +41,7 @@ DL_LIB='@DL_LIB@' + DEFCCNAME='@DEFCCNAME@' + DEFKTNAME='@DEFKTNAME@' + DEFCKTNAME='@DEFCKTNAME@' ++SELINUX_LIBS='@SELINUX_LIBS@' + + LIBS='@LIBS@' + GEN_LIB=@GEN_LIB@ +@@ -262,7 +263,7 @@ if test -n "$do_libs"; then + fi + + # If we ever support a flag to generate output suitable for static +- # linking, we would output "-lkrb5support $GEN_LIB $LIBS $DL_LIB" ++ # linking, we would output "-lkrb5support $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB" + # here. + + echo $lib_flags +diff --git a/src/config/pre.in b/src/config/pre.in +index 164bf8301..a8540ae2a 100644 +--- a/src/config/pre.in ++++ b/src/config/pre.in @@ -177,6 +177,7 @@ LD = $(PURE) @LD@ KRB_INCLUDES = -I$(BUILDTOP)/include -I$(top_srcdir)/include LDFLAGS = @LDFLAGS@ @@ -107,7 +163,7 @@ Index: krb5-1.16.1/src/config/pre.in INSTALL=@INSTALL@ INSTALL_STRIP= -@@ -399,7 +400,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME) +@@ -402,7 +403,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME) # HESIOD_LIBS is -lhesiod... HESIOD_LIBS = @HESIOD_LIBS@ 
@@ -116,11 +172,11 @@ Index: krb5-1.16.1/src/config/pre.in KDB5_LIBS = $(KDB5_LIB) $(GSSRPC_LIBS) GSS_LIBS = $(GSS_KRB5_LIB) # needs fixing if ever used on macOS! -Index: krb5-1.16.1/src/configure.in -=================================================================== ---- krb5-1.16.1.orig/src/configure.in -+++ krb5-1.16.1/src/configure.in -@@ -1308,6 +1308,8 @@ AC_PATH_PROG(GROFF, groff) +diff --git a/src/configure.in b/src/configure.in +index e9a12ac16..93aec682e 100644 +--- a/src/configure.in ++++ b/src/configure.in +@@ -1354,6 +1354,8 @@ AC_PATH_PROG(GROFF, groff) KRB5_WITH_PAM @@ -129,10 +185,10 @@ Index: krb5-1.16.1/src/configure.in # Make localedir work in autoconf 2.5x. if test "${localedir+set}" != set; then localedir='$(datadir)/locale' -Index: krb5-1.16.1/src/include/k5-int.h -=================================================================== ---- krb5-1.16.1.orig/src/include/k5-int.h -+++ krb5-1.16.1/src/include/k5-int.h +diff --git a/src/include/k5-int.h b/src/include/k5-int.h +index 652242207..7190a8f55 100644 +--- a/src/include/k5-int.h ++++ b/src/include/k5-int.h @@ -126,6 +126,7 @@ typedef unsigned char u_char; #endif /* HAVE_SYS_TYPES_H */ #endif /* KRB5_SYSTYPES__ */ @@ -141,10 +197,11 @@ Index: krb5-1.16.1/src/include/k5-int.h #include "k5-platform.h" -Index: krb5-1.16.1/src/include/k5-label.h -=================================================================== +diff --git a/src/include/k5-label.h b/src/include/k5-label.h +new file mode 100644 +index 000000000..dfaaa847c --- /dev/null -+++ krb5-1.16.1/src/include/k5-label.h ++++ b/src/include/k5-label.h @@ -0,0 +1,32 @@ +#ifndef _KRB5_LABEL_H +#define _KRB5_LABEL_H 
@@ -178,10 +235,10 @@ Index: krb5-1.16.1/src/include/k5-label.h +#define THREEPARAMOPEN(x,y,z) open(x,y,z) +#endif +#endif -Index: krb5-1.16.1/src/include/krb5/krb5.hin -=================================================================== ---- krb5-1.16.1.orig/src/include/krb5/krb5.hin -+++ krb5-1.16.1/src/include/krb5/krb5.hin +diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin +index c40a6cca8..3ff86d7ff 100644 +--- a/src/include/krb5/krb5.hin ++++ b/src/include/krb5/krb5.hin @@ -87,6 +87,12 @@ #define THREEPARAMOPEN(x,y,z) open(x,y,z) #endif @@ -195,11 +252,11 @@ Index: krb5-1.16.1/src/include/krb5/krb5.hin #define KRB5_OLD_CRYPTO #include -Index: krb5-1.16.1/src/kadmin/dbutil/dump.c -=================================================================== ---- krb5-1.16.1.orig/src/kadmin/dbutil/dump.c -+++ krb5-1.16.1/src/kadmin/dbutil/dump.c -@@ -148,12 +148,21 @@ create_ofile(char *ofile, char **tmpname +diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c +index c9574c6e1..8301a33d0 100644 +--- a/src/kadmin/dbutil/dump.c ++++ b/src/kadmin/dbutil/dump.c +@@ -148,12 +148,21 @@ create_ofile(char *ofile, char **tmpname) { int fd = -1; FILE *f; 
@@ -221,41 +278,33 @@ Index: krb5-1.16.1/src/kadmin/dbutil/dump.c if (fd == -1) goto error; -@@ -194,7 +203,7 @@ prep_ok_file(krb5_context context, char - return 0; +@@ -197,7 +206,7 @@ prep_ok_file(krb5_context context, char *file_name, int *fd_out) + goto cleanup; } -- *fd = open(file_ok, O_WRONLY | O_CREAT | O_TRUNC, 0600); -+ *fd = THREEPARAMOPEN(file_ok, O_WRONLY | O_CREAT | O_TRUNC, 0600); - if (*fd == -1) { +- fd = open(file_ok, O_WRONLY | O_CREAT | O_TRUNC, 0600); ++ fd = THREEPARAMOPEN(file_ok, O_WRONLY | O_CREAT | O_TRUNC, 0600); + if (fd == -1) { com_err(progname, errno, _("while creating 'ok' file, '%s'"), file_ok); - exit_status++; -Index: krb5-1.16.1/src/build-tools/krb5-config.in -=================================================================== ---- krb5-1.16.1.orig/src/build-tools/krb5-config.in -+++ krb5-1.16.1/src/build-tools/krb5-config.in -@@ -41,6 +41,7 @@ DL_LIB='@DL_LIB@' - DEFCCNAME='@DEFCCNAME@' - DEFKTNAME='@DEFKTNAME@' - DEFCKTNAME='@DEFCKTNAME@' -+SELINUX_LIBS='@SELINUX_LIBS@' + goto cleanup; +diff --git a/src/kdc/main.c b/src/kdc/main.c +index 408c723f5..663fd6303 100644 +--- a/src/kdc/main.c ++++ b/src/kdc/main.c +@@ -858,7 +858,7 @@ write_pid_file(const char *path) + FILE *file; + unsigned long pid; - LIBS='@LIBS@' - GEN_LIB=@GEN_LIB@ -@@ -262,7 +263,7 @@ if test -n "$do_libs"; then - fi - - # If we ever support a flag to generate output suitable for static -- # linking, we would output "-lkrb5support $GEN_LIB $LIBS $DL_LIB" -+ # linking, we would output "-lkrb5support $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB" - # here. 
- - echo $lib_flags -Index: krb5-1.16.1/src/lib/kadm5/logger.c -=================================================================== ---- krb5-1.16.1.orig/src/lib/kadm5/logger.c -+++ krb5-1.16.1/src/lib/kadm5/logger.c -@@ -414,7 +414,7 @@ krb5_klog_init(krb5_context kcontext, ch +- file = fopen(path, "w"); ++ file = WRITABLEFOPEN(path, "w"); + if (file == NULL) + return errno; + pid = (unsigned long) getpid(); +diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c +index c6885edf2..9aec3c05e 100644 +--- a/src/lib/kadm5/logger.c ++++ b/src/lib/kadm5/logger.c +@@ -309,7 +309,7 @@ krb5_klog_init(krb5_context kcontext, char *ename, char *whoami, krb5_boolean do */ append = (cp[4] == ':') ? O_APPEND : 0; if (append || cp[4] == '=') { @@ -264,7 +313,7 @@ Index: krb5-1.16.1/src/lib/kadm5/logger.c S_IRUSR | S_IWUSR | S_IRGRP); if (fd != -1) f = fdopen(fd, append ? "a" : "w"); -@@ -918,7 +918,7 @@ krb5_klog_reopen(krb5_context kcontext) +@@ -776,7 +776,7 @@ krb5_klog_reopen(krb5_context kcontext) * In case the old logfile did not get moved out of the * way, open for append to prevent squashing the old logs. */ 
@@ -273,11 +322,74 @@ Index: krb5-1.16.1/src/lib/kadm5/logger.c if (f) { set_cloexec_file(f); log_control.log_entries[lindex].lfu_filep = f; -Index: krb5-1.16.1/src/lib/krb5/keytab/kt_file.c -=================================================================== ---- krb5-1.16.1.orig/src/lib/krb5/keytab/kt_file.c -+++ krb5-1.16.1/src/lib/krb5/keytab/kt_file.c -@@ -1024,14 +1024,14 @@ krb5_ktfileint_open(krb5_context context +diff --git a/src/lib/kdb/kdb_log.c b/src/lib/kdb/kdb_log.c +index 2659a2501..a1cd38f4c 100644 +--- a/src/lib/kdb/kdb_log.c ++++ b/src/lib/kdb/kdb_log.c +@@ -491,7 +491,7 @@ ulog_map(krb5_context context, const char *logname, uint32_t ulogentries) + if (retval) + goto cleanup; + } else { +- log_ctx->ulogfd = open(logname, O_RDWR, 0600); ++ log_ctx->ulogfd = THREEPARAMOPEN(logname, O_RDWR | O_CREAT, 0600); + if (log_ctx->ulogfd == -1) { + retval = errno; + goto cleanup; +diff --git a/src/lib/krb5/ccache/cc_dir.c b/src/lib/krb5/ccache/cc_dir.c +index bba64e516..73f0fe62d 100644 +--- a/src/lib/krb5/ccache/cc_dir.c ++++ b/src/lib/krb5/ccache/cc_dir.c +@@ -183,10 +183,19 @@ write_primary_file(const char *primary_path, const char *contents) + char *newpath = NULL; + FILE *fp = NULL; + int fd = -1, status; ++#ifdef USE_SELINUX ++ void *selabel; ++#endif + + if (asprintf(&newpath, "%s.XXXXXX", primary_path) < 0) + return ENOMEM; ++#ifdef USE_SELINUX ++ selabel = krb5int_push_fscreatecon_for(primary_path); ++#endif + fd = mkstemp(newpath); ++#ifdef USE_SELINUX ++ krb5int_pop_fscreatecon(selabel); ++#endif + if (fd < 0) + goto cleanup; + #ifdef HAVE_CHMOD +@@ -221,10 +230,23 @@ static krb5_error_code + verify_dir(krb5_context context, const char *dirname) + { + struct stat st; ++ int status; ++#ifdef USE_SELINUX ++ void *selabel; ++#endif + + if (stat(dirname, &st) < 0) { +- if (errno == ENOENT && mkdir(dirname, S_IRWXU) == 0) +- return 0; ++ if (errno == ENOENT) { ++#ifdef USE_SELINUX ++ selabel = krb5int_push_fscreatecon_for(dirname); ++#endif ++ status = 
mkdir(dirname, S_IRWXU); ++#ifdef USE_SELINUX ++ krb5int_pop_fscreatecon(selabel); ++#endif ++ if (status == 0) ++ return 0; ++ } + k5_setmsg(context, KRB5_FCC_NOFILE, + _("Credential cache directory %s does not exist"), + dirname); +diff --git a/src/lib/krb5/keytab/kt_file.c b/src/lib/krb5/keytab/kt_file.c +index 89cb68680..21c80d419 100644 +--- a/src/lib/krb5/keytab/kt_file.c ++++ b/src/lib/krb5/keytab/kt_file.c +@@ -1024,14 +1024,14 @@ krb5_ktfileint_open(krb5_context context, krb5_keytab id, int mode) KTCHECKLOCK(id); errno = 0; 
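Review bot: The kdb_log.c hunk does more than relabel: the replacement `THREEPARAMOPEN(logname, O_RDWR | O_CREAT, 0600)` adds `O_CREAT` to an open that was `O_RDWR` only, so a caller reaching this `else` branch of ulog_map() with a missing update log now silently creates an empty one instead of failing with ENOENT. Nothing in the patch description (SELinux labeling of created files) justifies that change; either keep the flags as they were, `THREEPARAMOPEN(logname, O_RDWR, 0600)`, or split the O_CREAT change into its own commit with its reasoning. The logic that decides which branch is taken lies outside the hunk, so whether this branch can be reached without the file present is inferred.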
@@ -294,11 +406,56 @@ Index: krb5-1.16.1/src/lib/krb5/keytab/kt_file.c if (!KTFILEP(id)) goto report_errno; writevno = 1; -Index: krb5-1.16.1/src/plugins/kdb/db2/adb_openclose.c -=================================================================== ---- krb5-1.16.1.orig/src/plugins/kdb/db2/adb_openclose.c -+++ krb5-1.16.1/src/plugins/kdb/db2/adb_openclose.c -@@ -152,7 +152,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char +diff --git a/src/lib/krb5/os/trace.c b/src/lib/krb5/os/trace.c +index 4fff8f38c..40a9e7b10 100644 +--- a/src/lib/krb5/os/trace.c ++++ b/src/lib/krb5/os/trace.c +@@ -458,7 +458,7 @@ krb5_set_trace_filename(krb5_context context, const char *filename) + fd = malloc(sizeof(*fd)); + if (fd == NULL) + return ENOMEM; +- *fd = open(filename, O_WRONLY|O_CREAT|O_APPEND, 0600); ++ *fd = THREEPARAMOPEN(filename, O_WRONLY|O_CREAT|O_APPEND, 0600); + if (*fd == -1) { + free(fd); + return errno; +diff --git a/src/lib/krb5/rcache/rc_dfl.c b/src/lib/krb5/rcache/rc_dfl.c +index 1e0cb22c9..f5e93b1ab 100644 +--- a/src/lib/krb5/rcache/rc_dfl.c ++++ b/src/lib/krb5/rcache/rc_dfl.c +@@ -793,6 +793,9 @@ krb5_rc_dfl_expunge_locked(krb5_context context, krb5_rcache id) + krb5_error_code retval = 0; + krb5_rcache tmp; + krb5_deltat lifespan = t->lifespan; /* save original lifespan */ ++#ifdef USE_SELINUX ++ void *selabel; ++#endif + + if (! 
t->recovering) { + name = t->name; +@@ -814,7 +817,17 @@ krb5_rc_dfl_expunge_locked(krb5_context context, krb5_rcache id) + retval = krb5_rc_resolve(context, tmp, 0); + if (retval) + goto cleanup; ++#ifdef USE_SELINUX ++ if (t->d.fn != NULL) ++ selabel = krb5int_push_fscreatecon_for(t->d.fn); ++ else ++ selabel = NULL; ++#endif + retval = krb5_rc_initialize(context, tmp, lifespan); ++#ifdef USE_SELINUX ++ if (selabel != NULL) ++ krb5int_pop_fscreatecon(selabel); ++#endif + if (retval) + goto cleanup; + for (q = t->a; q; q = q->na) { +diff --git a/src/plugins/kdb/db2/adb_openclose.c b/src/plugins/kdb/db2/adb_openclose.c +index 7db30a33b..2b9d01921 100644 +--- a/src/plugins/kdb/db2/adb_openclose.c ++++ b/src/plugins/kdb/db2/adb_openclose.c +@@ -152,7 +152,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char *filename, char *lockfilename, * needs be open read/write so that write locking can work with * POSIX systems */ 
@@ -307,11 +464,26 @@ Index: krb5-1.16.1/src/plugins/kdb/db2/adb_openclose.c /* * maybe someone took away write permission so we could only * get shared locks? -Index: krb5-1.16.1/src/plugins/kdb/db2/libdb2/btree/bt_open.c -=================================================================== ---- krb5-1.16.1.orig/src/plugins/kdb/db2/libdb2/btree/bt_open.c -+++ krb5-1.16.1/src/plugins/kdb/db2/libdb2/btree/bt_open.c -@@ -60,6 +60,7 @@ static char sccsid[] = "@(#)bt_open.c 8. +diff --git a/src/plugins/kdb/db2/kdb_db2.c b/src/plugins/kdb/db2/kdb_db2.c +index 5106a5c99..e481e8121 100644 +--- a/src/plugins/kdb/db2/kdb_db2.c ++++ b/src/plugins/kdb/db2/kdb_db2.c +@@ -694,8 +694,8 @@ ctx_create_db(krb5_context context, krb5_db2_context *dbc) + if (retval) + return retval; + +- dbc->db_lf_file = open(dbc->db_lf_name, O_CREAT | O_RDWR | O_TRUNC, +- 0600); ++ dbc->db_lf_file = THREEPARAMOPEN(dbc->db_lf_name, ++ O_CREAT | O_RDWR | O_TRUNC, 0600); + if (dbc->db_lf_file < 0) { + retval = errno; + goto cleanup; +diff --git a/src/plugins/kdb/db2/libdb2/btree/bt_open.c b/src/plugins/kdb/db2/libdb2/btree/bt_open.c +index 2977b17f3..d5809a5a9 100644 +--- a/src/plugins/kdb/db2/libdb2/btree/bt_open.c ++++ b/src/plugins/kdb/db2/libdb2/btree/bt_open.c +@@ -60,6 +60,7 @@ static char sccsid[] = "@(#)bt_open.c 8.11 (Berkeley) 11/2/95"; #include #include @@ -319,7 +491,7 @@ Index: krb5-1.16.1/src/plugins/kdb/db2/libdb2/btree/bt_open.c #include "db-int.h" #include "btree.h" -@@ -203,7 +204,7 @@ __bt_open(fname, flags, mode, openinfo, +@@ -203,7 +204,7 @@ __bt_open(fname, flags, mode, openinfo, dflags) goto einval; } 
@@ -328,11 +500,11 @@ Index: krb5-1.16.1/src/plugins/kdb/db2/libdb2/btree/bt_open.c goto err; } else { -Index: krb5-1.16.1/src/plugins/kdb/db2/libdb2/hash/hash.c -=================================================================== ---- krb5-1.16.1.orig/src/plugins/kdb/db2/libdb2/hash/hash.c -+++ krb5-1.16.1/src/plugins/kdb/db2/libdb2/hash/hash.c -@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)hash.c 8.12 +diff --git a/src/plugins/kdb/db2/libdb2/hash/hash.c b/src/plugins/kdb/db2/libdb2/hash/hash.c +index 862dbb164..686a960c9 100644 +--- a/src/plugins/kdb/db2/libdb2/hash/hash.c ++++ b/src/plugins/kdb/db2/libdb2/hash/hash.c +@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)hash.c 8.12 (Berkeley) 11/7/95"; #include #endif @@ -340,7 +512,7 @@ Index: krb5-1.16.1/src/plugins/kdb/db2/libdb2/hash/hash.c #include "db-int.h" #include "hash.h" #include "page.h" -@@ -129,7 +130,7 @@ __kdb2_hash_open(file, flags, mode, info +@@ -129,7 +130,7 @@ __kdb2_hash_open(file, flags, mode, info, dflags) new_table = 1; } if (file) { 
@@ -349,11 +521,33 @@ Index: krb5-1.16.1/src/plugins/kdb/db2/libdb2/hash/hash.c RETURN_ERROR(errno, error0); (void)fcntl(hashp->fp, F_SETFD, 1); } -Index: krb5-1.16.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c -=================================================================== ---- krb5-1.16.1.orig/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c -+++ krb5-1.16.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c -@@ -203,7 +203,7 @@ kdb5_ldap_stash_service_password(int arg +diff --git a/src/plugins/kdb/db2/libdb2/recno/rec_open.c b/src/plugins/kdb/db2/libdb2/recno/rec_open.c +index d8b26e701..b0daa7c02 100644 +--- a/src/plugins/kdb/db2/libdb2/recno/rec_open.c ++++ b/src/plugins/kdb/db2/libdb2/recno/rec_open.c +@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)rec_open.c 8.12 (Berkeley) 11/18/94"; + #include + #include + ++#include "k5-int.h" + #include "db-int.h" + #include "recno.h" + +@@ -68,7 +69,8 @@ __rec_open(fname, flags, mode, openinfo, dflags) + int rfd = -1, sverrno; + + /* Open the user's file -- if this fails, we're done. */ +- if (fname != NULL && (rfd = open(fname, flags | O_BINARY, mode)) < 0) ++ if (fname != NULL && ++ (rfd = THREEPARAMOPEN(fname, flags | O_BINARY, mode)) < 0) + return (NULL); + + if (fname != NULL && fcntl(rfd, F_SETFD, 1) == -1) { +diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c +index 1ed72afe9..ce038fc3d 100644 +--- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c ++++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c +@@ -194,7 +194,7 @@ kdb5_ldap_stash_service_password(int argc, char **argv) /* set password in the file */ old_mode = umask(0177); 
@@ -362,7 +556,7 @@ Index: krb5-1.16.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c if (pfile == NULL) { com_err(me, errno, _("Failed to open file %s: %s"), file_name, strerror (errno)); -@@ -244,6 +244,9 @@ kdb5_ldap_stash_service_password(int arg +@@ -235,6 +235,9 @@ kdb5_ldap_stash_service_password(int argc, char **argv) * Delete the existing entry and add the new entry */ FILE *newfile; @@ -372,7 +566,7 @@ Index: krb5-1.16.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c mode_t omask; -@@ -255,7 +258,13 @@ kdb5_ldap_stash_service_password(int arg +@@ -246,7 +249,13 @@ kdb5_ldap_stash_service_password(int argc, char **argv) } omask = umask(077); @@ -386,10 +580,10 @@ Index: krb5-1.16.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c umask (omask); if (newfile == NULL) { com_err(me, errno, _("Error creating file %s"), tmp_file); -Index: krb5-1.16.1/src/util/profile/prof_file.c -=================================================================== ---- krb5-1.16.1.orig/src/util/profile/prof_file.c -+++ krb5-1.16.1/src/util/profile/prof_file.c +diff --git a/src/util/profile/prof_file.c b/src/util/profile/prof_file.c +index 24e41fb80..0dcb6b543 100644 +--- a/src/util/profile/prof_file.c ++++ b/src/util/profile/prof_file.c @@ -33,6 +33,7 @@ #endif @@ -398,7 +592,7 @@ Index: krb5-1.16.1/src/util/profile/prof_file.c struct global_shared_profile_data { /* This is the head of the global list of shared trees */ -@@ -423,7 +424,7 @@ static errcode_t write_data_to_file(prf_ +@@ -391,7 +392,7 @@ static errcode_t write_data_to_file(prf_data_t data, const char *outfile, errno = 0; 
@@ -407,10 +601,10 @@ Index: krb5-1.16.1/src/util/profile/prof_file.c if (!f) { retval = errno; if (retval == 0) -Index: krb5-1.16.1/src/util/support/Makefile.in -=================================================================== ---- krb5-1.16.1.orig/src/util/support/Makefile.in -+++ krb5-1.16.1/src/util/support/Makefile.in +diff --git a/src/util/support/Makefile.in b/src/util/support/Makefile.in +index db7b030b8..321672bcb 100644 +--- a/src/util/support/Makefile.in ++++ b/src/util/support/Makefile.in @@ -69,6 +69,7 @@ IPC_SYMS= \ STLIBOBJS= \ @@ -419,7 +613,7 @@ Index: krb5-1.16.1/src/util/support/Makefile.in init-addrinfo.o \ plugins.o \ errors.o \ -@@ -149,7 +150,7 @@ SRCS=\ +@@ -160,7 +161,7 @@ SRCS=\ SHLIB_EXPDEPS = # Add -lm if dumping thread stats, for sqrt. @@ -428,10 +622,11 @@ Index: krb5-1.16.1/src/util/support/Makefile.in DEPLIBS= -Index: krb5-1.16.1/src/util/support/selinux.c -=================================================================== +diff --git a/src/util/support/selinux.c b/src/util/support/selinux.c +new file mode 100644 +index 000000000..ffba6a9ff --- /dev/null -+++ krb5-1.16.1/src/util/support/selinux.c ++++ b/src/util/support/selinux.c @@ -0,0 +1,381 @@ +/* + * Copyright 2007,2008,2009,2011,2012,2013 Red Hat, Inc. All Rights Reserved. 
@@ -814,192 +1009,6 @@ Index: krb5-1.16.1/src/util/support/selinux.c +} + +#endif -Index: krb5-1.16.1/src/lib/krb5/rcache/rc_dfl.c -=================================================================== ---- krb5-1.16.1.orig/src/lib/krb5/rcache/rc_dfl.c -+++ krb5-1.16.1/src/lib/krb5/rcache/rc_dfl.c -@@ -793,6 +793,9 @@ krb5_rc_dfl_expunge_locked(krb5_context - krb5_error_code retval = 0; - krb5_rcache tmp; - krb5_deltat lifespan = t->lifespan; /* save original lifespan */ -+#ifdef USE_SELINUX -+ void *selabel; -+#endif - - if (! t->recovering) { - name = t->name; -@@ -814,7 +817,17 @@ krb5_rc_dfl_expunge_locked(krb5_context - retval = krb5_rc_resolve(context, tmp, 0); - if (retval) - goto cleanup; -+#ifdef USE_SELINUX -+ if (t->d.fn != NULL) -+ selabel = krb5int_push_fscreatecon_for(t->d.fn); -+ else -+ selabel = NULL; -+#endif - retval = krb5_rc_initialize(context, tmp, lifespan); -+#ifdef USE_SELINUX -+ if (selabel != NULL) -+ krb5int_pop_fscreatecon(selabel); -+#endif - if (retval) - goto cleanup; - for (q = t->a; q; q = q->na) { -Index: krb5-1.16.1/src/lib/krb5/ccache/cc_dir.c -=================================================================== ---- krb5-1.16.1.orig/src/lib/krb5/ccache/cc_dir.c -+++ krb5-1.16.1/src/lib/krb5/ccache/cc_dir.c -@@ -183,10 +183,19 @@ write_primary_file(const char *primary_p - char *newpath = NULL; - FILE *fp = NULL; - int fd = -1, status; -+#ifdef USE_SELINUX -+ void *selabel; -+#endif - - if (asprintf(&newpath, "%s.XXXXXX", primary_path) < 0) - return ENOMEM; -+#ifdef USE_SELINUX -+ selabel = krb5int_push_fscreatecon_for(primary_path); -+#endif - fd = mkstemp(newpath); -+#ifdef USE_SELINUX -+ krb5int_pop_fscreatecon(selabel); -+#endif - if (fd < 0) - goto cleanup; - #ifdef HAVE_CHMOD -@@ -221,10 +230,23 @@ static krb5_error_code - verify_dir(krb5_context context, const char *dirname) - { - struct stat st; -+ int status; -+#ifdef USE_SELINUX -+ void *selabel; -+#endif - - if (stat(dirname, &st) < 0) { -- if (errno == ENOENT && 
mkdir(dirname, S_IRWXU) == 0) -- return 0; -+ if (errno == ENOENT) { -+#ifdef USE_SELINUX -+ selabel = krb5int_push_fscreatecon_for(dirname); -+#endif -+ status = mkdir(dirname, S_IRWXU); -+#ifdef USE_SELINUX -+ krb5int_pop_fscreatecon(selabel); -+#endif -+ if (status == 0) -+ return 0; -+ } - k5_setmsg(context, KRB5_FCC_NOFILE, - _("Credential cache directory %s does not exist"), - dirname); -Index: krb5-1.16.1/src/lib/krb5/os/trace.c -=================================================================== ---- krb5-1.16.1.orig/src/lib/krb5/os/trace.c -+++ krb5-1.16.1/src/lib/krb5/os/trace.c -@@ -398,7 +398,7 @@ krb5_set_trace_filename(krb5_context con - fd = malloc(sizeof(*fd)); - if (fd == NULL) - return ENOMEM; -- *fd = open(filename, O_WRONLY|O_CREAT|O_APPEND, 0600); -+ *fd = THREEPARAMOPEN(filename, O_WRONLY|O_CREAT|O_APPEND, 0600); - if (*fd == -1) { - free(fd); - return errno; -Index: krb5-1.16.1/src/plugins/kdb/db2/kdb_db2.c -=================================================================== ---- krb5-1.16.1.orig/src/plugins/kdb/db2/kdb_db2.c -+++ krb5-1.16.1/src/plugins/kdb/db2/kdb_db2.c -@@ -694,8 +694,8 @@ ctx_create_db(krb5_context context, krb5 - if (retval) - return retval; - -- dbc->db_lf_file = open(dbc->db_lf_name, O_CREAT | O_RDWR | O_TRUNC, -- 0600); -+ dbc->db_lf_file = THREEPARAMOPEN(dbc->db_lf_name, -+ O_CREAT | O_RDWR | O_TRUNC, 0600); - if (dbc->db_lf_file < 0) { - retval = errno; - goto cleanup; -Index: krb5-1.16.1/src/plugins/kdb/db2/libdb2/recno/rec_open.c -=================================================================== ---- krb5-1.16.1.orig/src/plugins/kdb/db2/libdb2/recno/rec_open.c -+++ krb5-1.16.1/src/plugins/kdb/db2/libdb2/recno/rec_open.c -@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)rec_open.c 8 - #include - #include - -+#include "k5-int.h" - #include "db-int.h" - #include "recno.h" - -@@ -68,7 +69,8 @@ __rec_open(fname, flags, mode, openinfo, - int rfd = -1, sverrno; - - /* Open the user's file -- if this fails, we're done. 
*/ -- if (fname != NULL && (rfd = open(fname, flags | O_BINARY, mode)) < 0) -+ if (fname != NULL && -+ (rfd = THREEPARAMOPEN(fname, flags | O_BINARY, mode)) < 0) - return (NULL); - - if (fname != NULL && fcntl(rfd, F_SETFD, 1) == -1) { -Index: krb5-1.16.1/src/kdc/main.c -=================================================================== ---- krb5-1.16.1.orig/src/kdc/main.c -+++ krb5-1.16.1/src/kdc/main.c -@@ -873,7 +873,7 @@ write_pid_file(const char *path) - FILE *file; - unsigned long pid; - -- file = fopen(path, "w"); -+ file = WRITABLEFOPEN(path, "w"); - if (file == NULL) - return errno; - pid = (unsigned long) getpid(); -Index: krb5-1.16.1/src/lib/kdb/kdb_log.c -=================================================================== ---- krb5-1.16.1.orig/src/lib/kdb/kdb_log.c -+++ krb5-1.16.1/src/lib/kdb/kdb_log.c -@@ -484,7 +484,7 @@ ulog_map(krb5_context context, const cha - if (extend_file_to(ulogfd, filesize) < 0) - return errno; - } else { -- ulogfd = open(logname, O_RDWR, 0600); -+ ulogfd = THREEPARAMOPEN(logname, O_RDWR | O_CREAT, 0600); - if (ulogfd == -1) - return errno; - } -Index: krb5-1.16.1/src/slave/kpropd.c -=================================================================== ---- krb5-1.16.1.orig/src/slave/kpropd.c -+++ krb5-1.16.1/src/slave/kpropd.c -@@ -488,7 +488,9 @@ doit(int fd) - krb5_enctype etype; - int database_fd; - char host[INET6_ADDRSTRLEN + 1]; -- -+#ifdef USE_SELINUX -+ void *selabel; -+#endif - signal_wrapper(SIGALRM, alarm_handler); - alarm(params.iprop_resync_timeout); - fromlen = sizeof(from); -@@ -543,9 +545,15 @@ doit(int fd) - free(name); - exit(1); - } -+#ifdef USE_SELINUX -+ selabel = krb5int_push_fscreatecon_for(file); -+#endif - omask = umask(077); - lock_fd = open(temp_file_name, O_RDWR | O_CREAT, 0600); - (void)umask(omask); -+#ifdef USE_SELINUX -+ krb5int_pop_fscreatecon(selabel); -+#endif - retval = krb5_lock_file(kpropd_context, lock_fd, - KRB5_LOCKMODE_EXCLUSIVE | KRB5_LOCKMODE_DONTBLOCK); - if (retval) { +-- +2.20.1 
+ diff --git a/0009-krb5-1.9-debuginfo.patch b/0009-krb5-1.9-debuginfo.patch new file mode 100644 index 0000000..d5df2f9 --- /dev/null +++ b/0009-krb5-1.9-debuginfo.patch @@ -0,0 +1,44 @@ +From ea232e6646a96e0b1dff41b1b1e0b30f95214ebe Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Mon, 14 Jan 2019 13:18:16 +0100 +Subject: [PATCH 9/9] krb5-1.9-debuginfo + +Import krb5-1.9-debuginfo.patch + +We want to keep these y.tab.c files around because the debuginfo points to +them. It would be more elegant at the end to use symbolic links, but that +could mess up people working in the tree on other things. +--- + src/kadmin/cli/Makefile.in | 5 +++++ + src/plugins/kdb/ldap/ldap_util/Makefile.in | 2 +- + 2 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/src/kadmin/cli/Makefile.in b/src/kadmin/cli/Makefile.in +index adfea6e2b..d1327e400 100644 +--- a/src/kadmin/cli/Makefile.in ++++ b/src/kadmin/cli/Makefile.in +@@ -37,3 +37,8 @@ clean-unix:: + # CC_LINK is not meant for compilation and this use may break in the future. + datetest: getdate.c + $(CC_LINK) $(ALL_CFLAGS) -DTEST -o datetest getdate.c ++ ++%.c: %.y ++ $(RM) y.tab.c $@ ++ $(YACC.y) $< ++ $(CP) y.tab.c $@ +diff --git a/src/plugins/kdb/ldap/ldap_util/Makefile.in b/src/plugins/kdb/ldap/ldap_util/Makefile.in +index 8669c2436..a22f23c02 100644 +--- a/src/plugins/kdb/ldap/ldap_util/Makefile.in ++++ b/src/plugins/kdb/ldap/ldap_util/Makefile.in +@@ -20,7 +20,7 @@ $(PROG): $(OBJS) $(KADMSRV_DEPLIBS) $(KRB5_BASE_DEPLIB) $(GETDATE) + getdate.c: $(GETDATE) + $(RM) getdate.c y.tab.c + $(YACC) $(GETDATE) +- $(MV) y.tab.c getdate.c ++ $(CP) y.tab.c getdate.c + + install: + $(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG) +-- +2.20.1 + diff --git a/krb5-1.12-ksu-path.patch b/krb5-1.12-ksu-path.patch deleted file mode 100644 index 74f3a5f..0000000 --- a/krb5-1.12-ksu-path.patch +++ /dev/null 
@@ -1,12 +0,0 @@ -Set the default PATH to the one set by login. - ---- krb5/src/clients/ksu/Makefile.in -+++ krb5/src/clients/ksu/Makefile.in -@@ -1,6 +1,6 @@ - mydir=clients$(S)ksu - BUILDTOP=$(REL)..$(S).. --DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"' -+DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/usr/local/sbin /usr/local/bin /sbin /bin /usr/sbin /usr/bin"' - - KSU_LIBS=@KSU_LIBS@ - PAM_LIBS=@PAM_LIBS@ diff --git a/krb5-1.16.1.tar.gz b/krb5-1.16.1.tar.gz deleted file mode 100644 index e1feb85..0000000 --- a/krb5-1.16.1.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:214ffe394e3ad0c730564074ec44f1da119159d94281bbec541dc29168d21117 -size 9477480 diff --git a/krb5-1.16.1.tar.gz.asc b/krb5-1.16.1.tar.gz.asc deleted file mode 100644 index f43fc3b..0000000 --- a/krb5-1.16.1.tar.gz.asc +++ /dev/null @@ -1,17 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1 - -iQIVAwUAWushEwy6CFdfg3LfAQJ+eBAAijTUBfXzCuxCwbDhCFYb1fIbHMkKkTuq -knFKv0VbALW1qUAj5v35A6GjDam6a33bMvGX8MzbGK/a9IDkpvaaXP/c37V4OfiQ -MhA6uQl0vxBMoCZqAFEVcWd6+M/0rY0WBZKpXRiZxxuSNPnSXn1l9fQAcrYKGb7I -YpaAWnzw+cc1k4Xi+GaaSghEYA4dX7TXh1fViJyHaNSESYZjH3J6wEdPm6LtZk6q -GwJw/ieMQi8djde0AhCbzMHWiaeW3jNPOJmpd3mpY04BAAkzGCyRiYGscxb6ge4u -ag2fojv7rbnJxDzy9RO0ZP0+fVPDMwInZ5GHPftbraSDFkTH2JBAYFudPsLDAoRK -FdjLeHpvuU5ifXWrLyshVYYfeXSe0fHz9Xhfhq2/OmfBD6vQl5k86z8IqxNm4ujy -ziypmTzHFnP/sBKlMgSMdDEKoKZHxevVQM5eJQd1XGexmwogkSPX8mwoEc0q4dtZ -h5w/fCu4ERA0BihvnQMZCZgwe32pO27ccPc6PqNHffUSLOq74J4gBHeoAoZ+SYPu -33oG7wxh+8WONzEGujl1lmxHFstij/njg8nULQ6bo6hSZnlMD0gU59mG9seC2jjr -E4aM4TXd1ixxPzM/cqxfI9SalytwYW0gn7Vuyj3P8xIZ5GQZiTsD7XWJqzb3xHmA -2JSQt4TK3Cc= -=9z9K ------END PGP SIGNATURE----- diff --git a/krb5-1.17.tar.gz b/krb5-1.17.tar.gz new file mode 100644 index 0000000..eb44e69 --- /dev/null +++ b/krb5-1.17.tar.gz 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5a6e2284a53de5702d3dc2be3b9339c963f9b5397d3fbbc53beb249380a781f5 +size 8761763 diff --git a/krb5-1.17.tar.gz.asc b/krb5-1.17.tar.gz.asc new file mode 100644 index 0000000..be02cb6 --- /dev/null +++ b/krb5-1.17.tar.gz.asc @@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1 + +iQIcBAABAgAGBQJcNMxOAAoJEAy6CFdfg3LfjAwP/2/oQe+4Bs/XwZTwNfakTbBl +YHSY8MNAHIKsLh6Bn+SJBQQXSE0fEsm0hYH+JWz85+mzlZk7TbNZUI+zeikhLxi6 ++d8MMQBpk2mQN0dkIeWjTdfkcThGCDSL7l0fh3MuEfN5C7QPAPD1JL1ZeqXPH5AV +PSQRC9s2wiOTwwuHM2i27rZ7gdhL/xfJ3ZPUFJH4klRgszwp9j10I/nh4/XyS/wB +82umjfusFPa9VNSPzm1jm94oRmALkR3CHGvmku2XD3YOv/f5yO8C1cHWNNLxg+5h +EqVv05ddb6iLku4fRhkEjfN3VgCtEvXuMkuAXppkDJJ7wWxMBWgCIr1DS/x7LfbL +CI0ZTejn8HCUBNmRWsKkUuebgHJ7ccch8p/Fp0cV4eT1FL35N2oV51u7+/zK6R8y +1dygUF2VWFOqwm8cyczdFue7dFQVDGCw7R2eK5lXY3NpZVmJblQ/gNLMcbOxGBis +H2dOzSn+CnxlD/2LqOZnhQ1WnGBhOMxoINwX/MQsIvkwAFaM1EsdhPIP/6mSVA/g +p04+YQ2u2ag7Pq3zHsMIonC18w4ZqDPcvXvOXqCHtlQBDAMtb927XvjoTNj5W8Ei +jywxqdWuuqalmrKGPEsKVOJZN6xg7UTgaKzcvQTvW7D3gLbrTT2iM++VKB3vh9V9 +SkULnR3c7fKMzFeLb/Q2 +=4hZX +-----END PGP SIGNATURE----- diff --git a/krb5-1.6.3-gssapi_improve_errormessages.dif b/krb5-1.6.3-gssapi_improve_errormessages.dif deleted file mode 100644 index d6afe07..0000000 --- a/krb5-1.6.3-gssapi_improve_errormessages.dif +++ /dev/null @@ -1,13 +0,0 @@ -Index: krb5-1.10.2/src/lib/gssapi/generic/disp_com_err_status.c -=================================================================== ---- krb5-1.10.2.orig/src/lib/gssapi/generic/disp_com_err_status.c -+++ krb5-1.10.2/src/lib/gssapi/generic/disp_com_err_status.c -@@ -52,7 +52,7 @@ g_display_com_err_status(OM_uint32 *mino - status_string->value = NULL; - - if (! g_make_string_buffer(((status_value == 0)?no_error: -- error_message(status_value)), -+ error_message((long)status_value)), - status_string)) { - *minor_status = ENOMEM; - return(GSS_S_FAILURE); 
diff --git a/krb5-1.6.3-ktutil-manpage.dif b/krb5-1.6.3-ktutil-manpage.dif deleted file mode 100644 index 82f1583..0000000 --- a/krb5-1.6.3-ktutil-manpage.dif +++ /dev/null @@ -1,27 +0,0 @@ ---- - src/man/ktutil.man | 12 ++++++++++++ - 1 file changed, 12 insertions(+) - -Index: krb5-1.12.2/src/man/ktutil.man -=================================================================== ---- krb5-1.12.2.orig/src/man/ktutil.man 2014-08-30 23:06:53.000000000 +0100 -+++ krb5-1.12.2/src/man/ktutil.man 2014-08-30 23:07:00.000000000 +0100 -@@ -162,6 +162,18 @@ ktutil: - .UNINDENT - .UNINDENT - .UNINDENT -+.SH REMARKS -+Changes to the keytab are appended to the keytab file (i.e., the keytab file -+is never overwritten). To directly modify a keytab, save the changes to a -+temporary file and then overwrite the keytab file of interest. -+.TP -+.nf -+Example: -+ktutil> rkt /etc/krb5.keytab -+(modifications to keytab) -+ktutil> wkt /tmp/krb5.newtab -+ktutil> q -+# mv /tmp/krb5.newtab /etc/krb5.keytab - .SH SEE ALSO - .sp - \fIkadmin(1)\fP, \fIkdb5_util(8)\fP diff --git a/krb5-1.9-debuginfo.patch b/krb5-1.9-debuginfo.patch deleted file mode 100644 index 8709137..0000000 --- a/krb5-1.9-debuginfo.patch +++ /dev/null 
@@ -1,26 +0,0 @@ -We want to keep these y.tab.c files around because the debuginfo points to -them. It would be more elegant at the end to use symbolic links, but that -could mess up people working in the tree on other things. - ---- krb5-1.15.orig/src/kadmin/cli/Makefile.in -+++ krb5-1.15/src/kadmin/cli/Makefile.in -@@ -37,3 +37,8 @@ - # CC_LINK is not meant for compilation and this use may break in the future. - datetest: getdate.c - $(CC_LINK) $(ALL_CFLAGS) -DTEST -o datetest getdate.c -+ -+%.c: %.y -+ $(RM) y.tab.c $@ -+ $(YACC.y) $< -+ $(CP) y.tab.c $@ ---- krb5-1.15.orig/src/plugins/kdb/ldap/ldap_util/Makefile.in -+++ krb5-1.15/src/plugins/kdb/ldap/ldap_util/Makefile.in -@@ -20,7 +20,7 @@ - getdate.c: $(GETDATE) - $(RM) getdate.c y.tab.c - $(YACC) $(GETDATE) -- $(MV) y.tab.c getdate.c -+ $(CP) y.tab.c getdate.c - - install: - $(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG) diff --git a/krb5-1.9-manpaths.dif b/krb5-1.9-manpaths.dif deleted file mode 100644 index 9d4b2f5..0000000 --- a/krb5-1.9-manpaths.dif +++ /dev/null @@ -1,18 +0,0 @@ -Change the absolute paths included in the man pages so that the correct -values can be dropped in by config.status. After applying this patch, -these files should be renamed to their ".in" counterparts, and then the -configure scripts should be rebuilt. Originally RT#6525 - -Index: krb5-1.11/src/man/kpropd.man -=================================================================== ---- krb5-1.11.orig/src/man/kpropd.man -+++ krb5-1.11/src/man/kpropd.man -@@ -63,7 +63,7 @@ the \fB/etc/inetd.conf\fP file which loo - .sp - .nf - .ft C --kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd -+kprop stream tcp nowait root @SBINDIR@/kpropd kpropd - .ft P - .fi - .UNINDENT diff --git a/krb5-mini.changes b/krb5-mini.changes index 8537e76..928df91 100644 --- a/krb5-mini.changes +++ b/krb5-mini.changes 
@@ -1,3 +1,74 @@ +------------------------------------------------------------------- +Wed Feb 13 17:45:34 UTC 2019 - Jan Engelhardt + +- Replace old $RPM_* shell vars + +------------------------------------------------------------------- +Mon Jan 14 16:10:06 UTC 2019 - Samuel Cabrero + +- Upgrade to 1.17. Major changes: + Administrator experience: + * A new Kerberos database module using the Lightning Memory-Mapped + Database library (LMDB) has been added. The LMDB KDB module should + be more performant and more robust than the DB2 module, and may + become the default module for new databases in a future release. + * "kdb5_util dump" will no longer dump policy entries when specific + principal names are requested. + Developer experience: + * The new krb5_get_etype_info() API can be used to retrieve enctype, + salt, and string-to-key parameters from the KDC for a client + principal. + * The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise + principal names to be used with GSS-API functions. + * KDC and kadmind modules which call com_err() will now write to the + log file in a format more consistent with other log messages. + * Programs which use large numbers of memory credential caches should + perform better. + Protocol evolution: + * The SPAKE pre-authentication mechanism is now supported. This + mechanism protects against password dictionary attacks without + requiring any additional infrastructure such as certificates. SPAKE + is enabled by default on clients, but must be manually enabled on + the KDC for this release. + * PKINIT freshness tokens are now supported. Freshness tokens can + protect against scenarios where an attacker uses temporary access to + a smart card to generate authentication requests for the future. + * Password change operations now prefer TCP over UDP, to avoid + spurious error messages about replays when a response packet is + dropped. 
+ * The KDC now supports cross-realm S4U2Self requests when used with a + third-party KDB module such as Samba's. The client code for + cross-realm S4U2Self requests is also now more robust. + User experience: + * The new ktutil addent -f flag can be used to fetch salt information + from the KDC for password-based keys. + * The new kdestroy -p option can be used to destroy a credential cache + within a collection by client principal name. + * The Kerberos man page has been restored, and documents the + environment variables that affect programs using the Kerberos + library. + Code quality: + * Python test scripts now use Python 3. + * Python test scripts now display markers in verbose output, making it + easier to find where a failure occurred within the scripts. + * The Windows build system has been simplified and updated to work + with more recent versions of Visual Studio. A large volume of + unused Windows-specific code has been removed. Visual Studio 2013 + or later is now required. +- Use systemd-tmpfiles to create files under /var/lib/kerberos, required + by transactional updates; (bsc#1100126); +- Rename patches: + * krb5-1.12-pam.patch => 0001-krb5-1.12-pam.patch + * krb5-1.9-manpaths.dif => 0002-krb5-1.9-manpaths.patch + * krb5-1.12-buildconf.patch => 0003-krb5-1.12-buildconf.patch + * krb5-1.6.3-gssapi_improve_errormessages.dif to + 0004-krb5-1.6.3-gssapi_improve_errormessages.patch + * krb5-1.6.3-ktutil-manpage.dif => 0005-krb5-1.6.3-ktutil-manpage.patch + * krb5-1.12-api.patch => 0006-krb5-1.12-api.patch + * krb5-1.12-ksu-path.patch => 0007-krb5-1.12-ksu-path.patch + * krb5-1.12-selinux-label.patch => 0008-krb5-1.12-selinux-label.patch + * krb5-1.9-debuginfo.patch => 0009-krb5-1.9-debuginfo.patch + ------------------------------------------------------------------- Tue Oct 9 20:13:24 UTC 2018 - James McDonough 
@@ -11,7 +82,7 @@ Tue Oct 9 20:13:24 UTC 2018 - James McDonough * dates through 2106 accepted * KDC support for trivially renewable tickets * stop caching referral and alternate cross-realm TGTs to prevent - duplicate credential cache entries + duplicate credential cache entries ------------------------------------------------------------------- Fri May 4 09:48:36 UTC 2018 - michael@stroeder.com @@ -38,7 +109,7 @@ Wed Apr 25 21:56:35 UTC 2018 - luizluca@gmail.com ------------------------------------------------------------------- Thu Nov 23 13:38:33 UTC 2017 - rbrown@suse.com -- Replace references to /var/adm/fillup-templates with new +- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468) ------------------------------------------------------------------- @@ -194,7 +265,7 @@ Fri Jul 22 08:45:19 UTC 2016 - michael@stroeder.com nonexistent policies * Fix a rare KDC denial of service vulnerability when anonymous client principals are restricted to obtaining TGTs only [CVE-2016-3120] - + ------------------------------------------------------------------ Tue May 10 12:41:14 UTC 2016 - hguo@suse.com @@ -528,7 +599,7 @@ Thu Sep 25 12:48:32 UTC 2014 - ddiss@suse.com ------------------------------------------------------------------- Tue Sep 23 13:25:33 UTC 2014 - varkoly@suse.com -- bnc#897874 CVE-2014-5351: krb5: current keys returned when randomizing the keys for a service principal +- bnc#897874 CVE-2014-5351: krb5: current keys returned when randomizing the keys for a service principal - added patches: * bnc#897874-CVE-2014-5351.diff ------------------------------------------------------------------- 
@@ -569,7 +640,7 @@ Fri Aug 8 15:55:01 UTC 2014 - ckornacker@suse.com - buffer overrun in kadmind with LDAP backend CVE-2014-4345 (bnc#891082) - krb5-1.12-CVE-2014-4345-buffer-overrun-in-kadmind-with-LDAP-backend.patch + krb5-1.12-CVE-2014-4345-buffer-overrun-in-kadmind-with-LDAP-backend.patch ------------------------------------------------------------------- Mon Jul 28 09:22:06 UTC 2014 - ckornacker@suse.com @@ -582,7 +653,7 @@ Mon Jul 28 09:22:06 UTC 2014 - ckornacker@suse.com ------------------------------------------------------------------- Sat Jul 19 12:38:21 UTC 2014 - p.drouand@gmail.com -- Do not depend of insserv if systemd is used +- Do not depend of insserv if systemd is used ------------------------------------------------------------------- Thu Jul 10 15:59:52 UTC 2014 - ckornacker@suse.com @@ -653,7 +724,7 @@ Mon Jan 13 15:37:16 UTC 2014 - ckornacker@suse.com * krb5-master-gss_oid_leak.patch - Fix SPNEGO one-hop interop against old IIS * krb5-master-ignore-empty-unnecessary-final-token.patch - - Fix GSS krb5 acceptor acquire_cred error handling + - Fix GSS krb5 acceptor acquire_cred error handling * krb5-master-keytab_close.patch - Avoid malloc(0) in SPNEGO get_input_token * krb5-master-no-malloc0.patch @@ -686,7 +757,7 @@ Mon Jun 24 16:21:07 UTC 2013 - mc@suse.com ------------------------------------------------------------------- Fri Jun 21 02:12:03 UTC 2013 - crrodriguez@opensuse.org -- remove fstack-protector-all from CFLAGS, just use the +- remove fstack-protector-all from CFLAGS, just use the lighter/fast version already present in %optflags - Use LFS_CFLAGS to build in 32 bit archs. 
@@ -725,7 +796,7 @@ Sun Apr 28 17:14:36 CEST 2013 - mc@suse.de that failed to load. * gss_import_sec_context incorrectly set internal state that identifies whether an imported context is from an interposer - mechanism or from the underlying mechanism. + mechanism or from the underlying mechanism. - upstream fix obsolete krb5-lookup_etypes-leak.patch ------------------------------------------------------------------- @@ -927,7 +998,7 @@ Tue Aug 23 13:52:03 CEST 2011 - mc@suse.de ------------------------------------------------------------------- Sun Aug 21 09:37:01 UTC 2011 - mc@novell.com -- add patches from Fedora and upstream +- add patches from Fedora and upstream - fix init scripts (bnc#689006) ------------------------------------------------------------------- @@ -965,12 +1036,12 @@ Wed Jan 19 14:42:27 CET 2011 - mc@suse.de CVE-2010-4022 - Fix KDC denial of service attacks with LDAP back end (MITKRB5-SA-2011-002, bnc#663619) - CVE-2011-0281, CVE-2011-0282 + CVE-2011-0281, CVE-2011-0282 ------------------------------------------------------------------- Wed Dec 1 11:44:15 CET 2010 - mc@suse.de -- Fix multiple checksum handling vulnerabilities +- Fix multiple checksum handling vulnerabilities (MITKRB5-SA-2010-007, bnc#650650) CVE-2010-1324 * krb5 GSS-API applications may accept unkeyed checksums 
@@ -982,21 +1053,21 @@ Wed Dec 1 11:44:15 CET 2010 - mc@suse.de CVE-2010-4020 * krb5 may accept authdata checksums with low-entropy derived keys CVE-2010-4021 - * krb5 KDC may issue unrequested tickets due to KrbFastReq forgery + * krb5 KDC may issue unrequested tickets due to KrbFastReq forgery ------------------------------------------------------------------- Thu Oct 28 12:53:13 CEST 2010 - mc@suse.de -- fix csh profile (bnc#649856) +- fix csh profile (bnc#649856) ------------------------------------------------------------------- Fri Oct 22 11:15:43 CEST 2010 - mc@suse.de - update to krb5-1.8.3 * remove patches which are now upstrem - - krb5-1.7-MITKRB5-SA-2010-004.dif - - krb5-1.8.1-gssapi-error-table.dif - - krb5-MITKRB5-SA-2010-005.dif + - krb5-1.7-MITKRB5-SA-2010-004.dif + - krb5-1.8.1-gssapi-error-table.dif + - krb5-MITKRB5-SA-2010-005.dif ------------------------------------------------------------------- Fri Oct 22 10:49:11 CEST 2010 - mc@suse.de @@ -1008,7 +1079,7 @@ Fri Oct 22 10:49:11 CEST 2010 - mc@suse.de Mon Sep 27 11:42:43 CEST 2010 - mc@suse.de - fix a dereference of an uninitialized pointer while processing - authorization data. + authorization data. CVE-2010-1322, MITKRB5-SA-2010-006 (bnc#640990) ------------------------------------------------------------------- @@ -1021,12 +1092,12 @@ Mon Jun 21 21:31:53 UTC 2010 - lchiquitto@novell.com Wed May 19 14:27:19 CEST 2010 - mc@suse.de - fix GSS-API library null pointer dereference - CVE-2010-1321, MITKRB5-SA-2010-005 (bnc#596826) + CVE-2010-1321, MITKRB5-SA-2010-005 (bnc#596826) ------------------------------------------------------------------- Wed Apr 14 11:36:32 CEST 2010 - mc@suse.de -- fix a double free vulnerability in the KDC +- fix a double free vulnerability in the KDC CVE-2010-1320, MITKRB5-SA-2010-004 (bnc#596002) ------------------------------------------------------------------- 
@@ -1034,12 +1105,12 @@ Fri Apr 9 12:43:44 CEST 2010 - mc@suse.de - update to version 1.8.1 * include krb5-1.8-POST.dif - * include MITKRB5-SA-2010-002 + * include MITKRB5-SA-2010-002 ------------------------------------------------------------------- Tue Apr 6 14:14:56 CEST 2010 - mc@suse.de -- update krb5-1.8-POST.dif +- update krb5-1.8-POST.dif ------------------------------------------------------------------- Tue Mar 23 14:32:41 CET 2010 - mc@suse.de @@ -1047,17 +1118,17 @@ Tue Mar 23 14:32:41 CET 2010 - mc@suse.de - fix a bug where an unauthenticated remote attacker could cause a GSS-API application including the Kerberos administration daemon (kadmind) to crash. - CVE-2010-0628, MITKRB5-SA-2010-002 (bnc#582557) + CVE-2010-0628, MITKRB5-SA-2010-002 (bnc#582557) ------------------------------------------------------------------- Tue Mar 23 12:33:26 CET 2010 - mc@suse.de - add post 1.8 fixes * Add IPv6 support to changepw.c - * fix two problems in kadm5_get_principal mask handling + * fix two problems in kadm5_get_principal mask handling * Ignore improperly encoded signedpath AD elements * handle NT_SRV_INST in service principal referrals - * dereference options while checking + * dereference options while checking KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT * Fix the kpasswd fallback from the ccache principal name * Document the ticket_lifetime libdefaults setting 
@@ -1067,16 +1138,16 @@ Tue Mar 23 12:33:26 CET 2010 - mc@suse.de Thu Mar 4 10:42:29 CET 2010 - mc@suse.de - update to version 1.8 - * Increase code quality + * Increase code quality * Move toward improved KDB interface - * Investigate and remedy repeatedly-reported performance + * Investigate and remedy repeatedly-reported performance bottlenecks. * Reduce DNS dependence by implementing an interface that allows - client library to track whether a KDC supports service + client library to track whether a KDC supports service principal referrals. - * Disable DES by default + * Disable DES by default * Account lockout for repeated login failures - * Bridge layer to allow Heimdal HDB modules to act as KDB + * Bridge layer to allow Heimdal HDB modules to act as KDB backend modules * FAST enhancements * Microsoft Services for User (S4U) compatibility @@ -1088,7 +1159,7 @@ Thu Mar 4 10:42:29 CET 2010 - mc@suse.de - fix integer underflow in AES and RC4 decryption CVE-2009-4212, MITKRB5-SA-2009-004 (bnc#561351) - moved krb5 applications (telnet, ftp, rlogin, ...) to krb5-appl - + ------------------------------------------------------------------- Mon Dec 14 16:32:01 CET 2009 - jengelh@medozas.de @@ -1108,12 +1179,12 @@ Sun Jul 12 21:36:17 CEST 2009 - coolo@novell.com ------------------------------------------------------------------- Wed Jun 3 10:23:42 CEST 2009 - mc@suse.de -- update to final 1.7 release +- update to final 1.7 release ------------------------------------------------------------------- Wed May 13 11:30:42 CEST 2009 - mc@suse.de -- update to version 1.7 Beta2 +- update to version 1.7 Beta2 * Incremental propagation support for the KDC database. * Flexible Authentication Secure Tunneling (FAST), a preauthentiation framework that can protect the AS exchange from dictionary attack. 
@@ -1126,7 +1197,7 @@ Wed May 13 11:30:42 CEST 2009 - mc@suse.de ------------------------------------------------------------------- Mon Feb 16 13:04:26 CET 2009 - mc@suse.de -- update to pre 1.7 version +- update to pre 1.7 version * Remove support for version 4 of the Kerberos protocol (krb4). * New libdefaults configuration variable "allow_weak_crypto". * Client library now follows client principal referrals, for @@ -1155,7 +1226,7 @@ Wed Jan 14 09:21:36 CET 2009 - olh@suse.de Thu Dec 11 14:12:57 CET 2008 - mc@suse.de - do not query IPv6 addresses if no IPv6 address exists on this host - [bnc#449143] + [bnc#449143] ------------------------------------------------------------------- Wed Dec 10 12:34:56 CET 2008 - olh@suse.de @@ -1172,7 +1243,7 @@ Thu Oct 30 12:34:56 CET 2008 - olh@suse.de Fri Sep 26 18:13:19 CEST 2008 - mc@suse.de - in case we use ldap as database backend, ldap should be - started before krb5kdc + started before krb5kdc ------------------------------------------------------------------- Mon Jul 28 10:43:29 CEST 2008 - mc@suse.de @@ -1180,8 +1251,8 @@ Mon Jul 28 10:43:29 CEST 2008 - mc@suse.de - add new fixes to post 1.6.3 patch * fix mem leak in krb5_gss_accept_sec_context() * keep minor_status - * kadm5_decrypt_key: A ktype of -1 is documented as meaning - "to be ignored" + * kadm5_decrypt_key: A ktype of -1 is documented as meaning + "to be ignored" * Reject socket fds > FD_SETSIZE ------------------------------------------------------------------- 
@@ -1198,14 +1269,14 @@ Wed Jun 18 15:30:18 CEST 2008 - mc@suse.de - add case-insensitive.dif (FATE#300771) - minor fixes for ktutil man page -- reduce rpmlint warnings +- reduce rpmlint warnings ------------------------------------------------------------------- Wed May 14 17:44:59 CEST 2008 - mc@suse.de - Fall back to TCP on kdc-unresolvable/unreachable errors. - restore valid sequence number before generating requests - (fix changing passwords in mixed ipv4/ipv6 enviroments) + (fix changing passwords in mixed ipv4/ipv6 enviroments) ------------------------------------------------------------------- Thu Apr 10 12:54:45 CEST 2008 - ro@suse.de @@ -1216,7 +1287,7 @@ Thu Apr 10 12:54:45 CEST 2008 - ro@suse.de ------------------------------------------------------------------- Wed Apr 9 12:04:48 CEST 2008 - mc@suse.de -- modify krb5-config to not output rpath and cflags in --libs +- modify krb5-config to not output rpath and cflags in --libs (bnc#378270) ------------------------------------------------------------------- @@ -1228,7 +1299,7 @@ Fri Mar 14 11:27:55 CET 2008 - mc@suse.de * MITKRB5-SA-2008-002(CVE-2008-0947, CVE-2008-0948) Memory corruption while too many open file descriptors [bnc#363151] -- change default config file. Comment out the examples. +- change default config file. Comment out the examples. ------------------------------------------------------------------- Fri Dec 14 10:48:52 CET 2007 - mc@suse.de @@ -1243,12 +1314,12 @@ Fri Dec 14 10:48:52 CET 2007 - mc@suse.de ------------------------------------------------------------------- Tue Dec 4 16:36:07 CET 2007 - mc@suse.de -- improve GSSAPI error messages +- improve GSSAPI error messages ------------------------------------------------------------------- Tue Nov 6 13:53:17 CET 2007 - mc@suse.de -- add coreutils to PreReq +- add coreutils to PreReq ------------------------------------------------------------------- Tue Oct 23 10:24:25 CEST 2007 - mc@suse.de 
@@ -1264,8 +1335,8 @@ Tue Oct 23 10:24:25 CEST 2007 - mc@suse.de Fri Sep 14 12:08:55 CEST 2007 - mc@suse.de - update krb5-1.6.2-post.dif - * If a KDC returns KDC_ERR_SVC_UNAVAILABLE, it appears that - that the client library will not failover to the next KDC. + * If a KDC returns KDC_ERR_SVC_UNAVAILABLE, it appears that + that the client library will not failover to the next KDC. [#310540] ------------------------------------------------------------------- @@ -1275,7 +1346,7 @@ Tue Sep 11 15:09:14 CEST 2007 - mc@suse.de * new -S sname option for kvno * read_entropy_from_device on partial read will not fill buffer * Bail out if encoded "ticket" doesn't decode correctly. - * patch for referrals loop + * patch for referrals loop ------------------------------------------------------------------- Thu Sep 6 10:43:39 CEST 2007 - mc@suse.de @@ -1296,10 +1367,10 @@ Tue Aug 7 11:56:41 CEST 2007 - mc@suse.de - add krb5-1.6.2-post.dif * during the referrals loop, check to see if the - session key enctype of a returned credential for the final - service is among the enctypes explicitly selected by the - application, and retry with old_use_conf_ktypes if it is not. - * If mkstemp() is available, the new ccache file gets created but + session key enctype of a returned credential for the final + service is among the enctypes explicitly selected by the + application, and retry with old_use_conf_ktypes if it is not. + * If mkstemp() is available, the new ccache file gets created but the subsequent open(O_CREAT|O_EXCL) call fails because the file was already created by mkstemp(). Apply patch from Apple to keep the file descriptor open. 
@@ -1308,7 +1379,7 @@ Tue Aug 7 11:56:41 CEST 2007 - mc@suse.de Thu Jul 12 17:01:28 CEST 2007 - mc@suse.de - update to version 1.6.2 -- remove krb5-1.6.1-post.dif all fixes are included in this release +- remove krb5-1.6.1-post.dif all fixes are included in this release ------------------------------------------------------------------- Thu Jul 5 18:10:28 CEST 2007 - mc@suse.de @@ -1320,7 +1391,7 @@ Mon Jul 2 11:26:47 CEST 2007 - mc@suse.de - update krb5-1.6.1-post.dif * fix leak in krb5_walk_realm_tree - * rd_req_decoded needs to deal with referral realms + * rd_req_decoded needs to deal with referral realms * fix buffer overflow in kadmind (MITKRB5-SA-2007-005 - CVE-2007-2798) [#278689] @@ -1331,14 +1402,14 @@ Mon Jul 2 11:26:47 CEST 2007 - mc@suse.de ------------------------------------------------------------------- Thu Jun 14 17:44:12 CEST 2007 - mc@suse.de -- fix unstripped-binary-or-object rpmlint warning +- fix unstripped-binary-or-object rpmlint warning ------------------------------------------------------------------- Mon Jun 11 18:04:23 CEST 2007 - sschober@suse.de - fixing rpmlint warnings and errors: * merged logrotate scripts kadmin and krb5kdc into a single file - krb5-server. + krb5-server. * moved heimdal2mit-DumpConvert.pl and simple_convert_krb5conf.pl from /usr/share/doc/packages/krb5 to /usr/lib/mit/helper. adapted krb5.spec and README.ConvertHeimdalMIT accordingly. 
@@ -1351,32 +1422,32 @@ Mon Jun 11 18:04:23 CEST 2007 - sschober@suse.de ------------------------------------------------------------------- Wed May 9 15:30:53 CEST 2007 - mc@suse.de -- fix uninitialized salt length +- fix uninitialized salt length - add extra check for keytab file ------------------------------------------------------------------- Thu May 3 12:11:29 CEST 2007 - mc@suse.de - adding krb5-1.6.1-post.dif - * fix segfault in krb5_get_init_creds_password + * fix segfault in krb5_get_init_creds_password * remove debug output in ftp client * profile stores empty string values without double quotes ------------------------------------------------------------------- Mon Apr 23 11:15:10 CEST 2007 - mc@suse.de -- update to final 1.6.1 version +- update to final 1.6.1 version ------------------------------------------------------------------- Wed Apr 18 14:48:03 CEST 2007 - mc@suse.de -- add plugin directories to main package +- add plugin directories to main package ------------------------------------------------------------------- Mon Apr 16 14:38:08 CEST 2007 - mc@suse.de - update to version 1.6.1 Beta1 -- remove obsolete patches +- remove obsolete patches (krb5-1.6-post.dif, krb5-1.6-patchlevel.dif) - rework compile_pie patch @@ -1403,8 +1474,8 @@ Thu Mar 29 12:41:57 CEST 2007 - mc@suse.de ------------------------------------------------------------------- Mon Mar 5 11:01:20 CET 2007 - mc@suse.de -- move SuSEFirewall service definitions to - /etc/sysconfig/SuSEfirewall2.d/services +- move SuSEFirewall service definitions to + /etc/sysconfig/SuSEfirewall2.d/services ------------------------------------------------------------------- Thu Feb 22 11:13:48 CET 2007 - mc@suse.de 
@@ -1415,12 +1486,12 @@ Thu Feb 22 11:13:48 CET 2007 - mc@suse.de Mon Feb 19 13:59:43 CET 2007 - mc@suse.de - update krb5-1.6-post.dif -- move some applications into the right package +- move some applications into the right package ------------------------------------------------------------------- Fri Feb 9 13:31:22 CET 2007 - mc@suse.de -- update krb5-1.6-post.dif +- update krb5-1.6-post.dif ------------------------------------------------------------------- Mon Jan 29 11:27:23 CET 2007 - mc@suse.de @@ -1438,16 +1509,16 @@ Tue Jan 23 17:21:12 CET 2007 - mc@suse.de ------------------------------------------------------------------- Mon Jan 22 16:39:27 CET 2007 - mc@suse.de -- krb5-devel should require keyutils-devel +- krb5-devel should require keyutils-devel ------------------------------------------------------------------- Mon Jan 22 12:19:49 CET 2007 - mc@suse.de - update to version 1.6 - * Major changes in 1.6 include - * Partial client implementation to handle server name referrals. - * Pre-authentication plug-in framework, donated by Red Hat. - * LDAP KDB plug-in, donated by Novell. + * Major changes in 1.6 include + * Partial client implementation to handle server name referrals. + * Pre-authentication plug-in framework, donated by Red Hat. + * LDAP KDB plug-in, donated by Novell. - remove obsolete patches ------------------------------------------------------------------- @@ -1465,14 +1536,14 @@ Wed Jan 10 11:16:30 CET 2007 - mc@suse.de ------------------------------------------------------------------- Tue Jan 2 14:53:33 CET 2007 - mc@suse.de -- Fix Requires in krb5-devel +- Fix Requires in krb5-devel [Bug #231008] ------------------------------------------------------------------- Mon Nov 6 11:49:39 CET 2006 - mc@suse.de - fix "local variable used before set" [#217692] -- fix strncat warning +- fix strncat warning ------------------------------------------------------------------- Fri Oct 27 17:34:30 CEST 2006 - mc@suse.de 
@@ -1483,7 +1554,7 @@ Fri Oct 27 17:34:30 CEST 2006 - mc@suse.de ------------------------------------------------------------------- Wed Sep 13 10:39:41 CEST 2006 - mc@suse.de -- fix function call with too few arguments [#203837] +- fix function call with too few arguments [#203837] ------------------------------------------------------------------- Thu Aug 24 12:52:25 CEST 2006 - mc@suse.de @@ -1491,7 +1562,7 @@ Thu Aug 24 12:52:25 CEST 2006 - mc@suse.de - update to version 1.5.1 - remove obsolete patches which are now included upstream * krb5-1.4.3-MITKRB5-SA-2006-001-setuid-return-checks.dif - * trunk-fix-uninitialized-vars.dif + * trunk-fix-uninitialized-vars.dif ------------------------------------------------------------------- Fri Aug 11 14:29:27 CEST 2006 - mc@suse.de @@ -1503,7 +1574,7 @@ Fri Aug 11 14:29:27 CEST 2006 - mc@suse.de ------------------------------------------------------------------- Mon Aug 7 15:54:26 CEST 2006 - mc@suse.de -- remove update-messages +- remove update-messages ------------------------------------------------------------------- Mon Jul 24 15:45:14 CEST 2006 - mc@suse.de 
@@ -1515,13 +1586,13 @@ Mon Jul 24 15:45:14 CEST 2006 - mc@suse.de Mon Jul 3 14:59:35 CEST 2006 - mc@suse.de - update to version 1.5 - * KDB abstraction layer, donated by Novell. - * plug-in architecture, allowing for extension modules to be - loaded at run-time. - * multi-mechanism GSS-API implementation ("mechglue"), - donated by Sun Microsystems - * Simple and Protected GSS-API negotiation mechanism ("SPNEGO") - implementation, donated by Sun Microsystems + * KDB abstraction layer, donated by Novell. + * plug-in architecture, allowing for extension modules to be + loaded at run-time. + * multi-mechanism GSS-API implementation ("mechglue"), + donated by Sun Microsystems + * Simple and Protected GSS-API negotiation mechanism ("SPNEGO") + implementation, donated by Sun Microsystems - remove obsolete patches and add some new ------------------------------------------------------------------- @@ -1535,17 +1606,17 @@ Mon Mar 27 14:10:02 CEST 2006 - mc@suse.de - add all daemons to %stop_on_removal and %restart_on_update - add reload to kpropd init script -- add force-reload to all init scripts +- add force-reload to all init scripts ------------------------------------------------------------------- Mon Mar 13 18:20:36 CET 2006 - mc@suse.de -- add libgssapi_krb5.so link to main package [#147912] +- add libgssapi_krb5.so link to main package [#147912] ------------------------------------------------------------------- Fri Feb 3 18:17:01 CET 2006 - mc@suse.de -- fix logging section for kadmind in convert script +- fix logging section for kadmind in convert script ------------------------------------------------------------------- Wed Jan 25 21:30:24 CET 2006 - mls@suse.de 
@@ -1555,12 +1626,12 @@ Wed Jan 25 21:30:24 CET 2006 - mls@suse.de ------------------------------------------------------------------- Fri Jan 13 14:44:24 CET 2006 - mc@suse.de -- change the logging defaults +- change the logging defaults ------------------------------------------------------------------- Wed Jan 11 12:59:08 CET 2006 - mc@suse.de -- add tools and README for heimdal => MIT update +- add tools and README for heimdal => MIT update ------------------------------------------------------------------- Mon Jan 9 14:41:07 CET 2006 - mc@suse.de @@ -1571,7 +1642,7 @@ Mon Jan 9 14:41:07 CET 2006 - mc@suse.de ------------------------------------------------------------------- Tue Jan 3 16:00:13 CET 2006 - mc@suse.de -- added "make %{?jobs:-j%jobs}" +- added "make %{?jobs:-j%jobs}" ------------------------------------------------------------------- Fri Nov 18 12:12:01 CET 2005 - mc@suse.de 
@@ -1580,33 +1651,33 @@ Fri Nov 18 12:12:01 CET 2005 - mc@suse.de * some memmory leaks fixed * fix for "AS_REP padata has wrong enctype" * fix for "AS_REP padata missing PA-ETYPE-INFO" - * ... and more + * ... and more ------------------------------------------------------------------- Wed Nov 2 21:23:32 CET 2005 - dmueller@suse.de -- don't build as root +- don't build as root ------------------------------------------------------------------- Tue Oct 11 17:39:23 CEST 2005 - mc@suse.de - update to version 1.4.2 -- remove some obsolet patches +- remove some obsolet patches ------------------------------------------------------------------- Mon Aug 8 16:07:51 CEST 2005 - mc@suse.de -- build with --disable-static +- build with --disable-static ------------------------------------------------------------------- Thu Aug 4 16:47:43 CEST 2005 - ro@suse.de -- remove devel-static subpackage +- remove devel-static subpackage ------------------------------------------------------------------- Thu Jun 30 10:12:30 CEST 2005 - mc@suse.de -- better patch for princ_comp problem +- better patch for princ_comp problem ------------------------------------------------------------------- Mon Jun 27 13:34:50 CEST 2005 - mc@suse.de @@ -1625,18 +1696,18 @@ Thu Jun 23 10:12:54 CEST 2005 - mc@suse.de - fixed krb5 double free() [#86768, CAN-2005-1689, MITKRB5-SA-2005-003] - fix krb5 NULL pointer reference while comparing principals - [#91600] + [#91600] ------------------------------------------------------------------- Fri Jun 17 17:18:19 CEST 2005 - mc@suse.de -- fix uninitialized variables +- fix uninitialized variables - compile with -fPIE/ link with -pie ------------------------------------------------------------------- Wed Apr 20 15:36:16 CEST 2005 - mc@suse.de -- fixed wrong xinetd files [#77149] +- fixed wrong xinetd files [#77149] ------------------------------------------------------------------- Fri Apr 8 04:55:55 CEST 2005 - mt@suse.de 
@@ -1647,26 +1718,26 @@ Fri Apr 8 04:55:55 CEST 2005 - mt@suse.de ------------------------------------------------------------------- Thu Apr 7 13:49:37 CEST 2005 - mc@suse.de -- fixed missing descriptions in init files - [#76164, #76165, #76166, #76169] +- fixed missing descriptions in init files + [#76164, #76165, #76166, #76169] ------------------------------------------------------------------- Wed Mar 30 18:11:38 CEST 2005 - mc@suse.de - enhance $PATH via /etc/profile.d/ [#74018] -- remove the "links to important programs" +- remove the "links to important programs" ------------------------------------------------------------------- Fri Mar 18 11:09:43 CET 2005 - mc@suse.de -- fixed not running converter script [#72854] +- fixed not running converter script [#72854] ------------------------------------------------------------------- Thu Mar 17 14:15:17 CET 2005 - mc@suse.de -- Fix CAN-2005-0469: Multiple Telnet Client slc_add_reply() Buffer +- Fix CAN-2005-0469: Multiple Telnet Client slc_add_reply() Buffer Overflow -- Fix CAN-2005-0468: Multiple Telnet Client env_opt_add() Buffer +- Fix CAN-2005-0468: Multiple Telnet Client env_opt_add() Buffer Overflow [#73618] 
@@ -1684,38 +1755,38 @@ Tue Mar 15 19:54:58 CET 2005 - mc@suse.de Mon Mar 14 17:08:59 CET 2005 - mc@suse.de - fixed: rckrb5kdc restart gives wrong status with non-running service - [#72446] + [#72446] ------------------------------------------------------------------- Thu Mar 10 10:48:07 CET 2005 - mc@suse.de -- add requires: e2fsprogs-devel to krb5-devel package [#71732] +- add requires: e2fsprogs-devel to krb5-devel package [#71732] ------------------------------------------------------------------- Fri Feb 25 17:35:37 CET 2005 - mc@suse.de - fix double free [#66534] - krb5-1.4-fix-error_tables.dif + krb5-1.4-fix-error_tables.dif ------------------------------------------------------------------- Fri Feb 11 14:01:32 CET 2005 - mc@suse.de -- change mode for shared libraries to 755 +- change mode for shared libraries to 755 ------------------------------------------------------------------- Fri Feb 4 16:48:16 CET 2005 - mc@suse.de - remove spx.c from tarball because of legal risk -- add README.Source which tell the user about this +- add README.Source which tell the user about this action. - add a check for spx.c in the spec-file -- use rich-text for update-messages [#50250] +- use rich-text for update-messages [#50250] ------------------------------------------------------------------- Tue Feb 1 12:13:45 CET 2005 - mc@suse.de - add krb5-1.4-reduce-namespace-polution.dif - reduce namespace polution in gssapi.h [#50356] + reduce namespace polution in gssapi.h [#50356] ------------------------------------------------------------------- Fri Jan 28 13:25:42 CET 2005 - mc@suse.de 
@@ -1737,13 +1808,13 @@ Fri Jan 28 13:25:42 CET 2005 - mc@suse.de ------------------------------------------------------------------- Mon Jan 17 11:34:52 CET 2005 - mc@suse.de -- add proofreaded update-messages +- add proofreaded update-messages ------------------------------------------------------------------- Fri Jan 14 14:38:25 CET 2005 - mc@suse.de -- remove Conflicts: and add Provides: -- add some insserv stuff +- remove Conflicts: and add Provides: +- add some insserv stuff ------------------------------------------------------------------- Thu Jan 13 11:54:01 CET 2005 - mc@suse.de @@ -1758,13 +1829,13 @@ Thu Jan 13 11:54:01 CET 2005 - mc@suse.de Mon Jan 10 12:18:02 CET 2005 - mc@suse.de - update to version 1.3.6 -- fix for: heap buffer overflow in libkadm5srv - [CAN-2004-1189 / MITKRB5-SA-2004-004] +- fix for: heap buffer overflow in libkadm5srv + [CAN-2004-1189 / MITKRB5-SA-2004-004] ------------------------------------------------------------------- Tue Dec 14 15:30:23 CET 2004 - mc@suse.de -- build doc subpackage in an own specfile +- build doc subpackage in an own specfile - removed unnecessary neededforbuild requirements ------------------------------------------------------------------- @@ -1776,7 +1847,7 @@ Wed Nov 24 13:37:53 CET 2004 - coolo@suse.de Mon Nov 15 17:25:56 CET 2004 - mc@suse.de - added Conflicts with heimdal* -- rename some manpages to avoid conflicts +- rename some manpages to avoid conflicts ------------------------------------------------------------------- Thu Nov 4 18:03:11 CET 2004 - mc@suse.de @@ -1790,11 +1861,10 @@ Thu Nov 4 18:03:11 CET 2004 - mc@suse.de Wed Nov 3 18:52:07 CET 2004 - mc@suse.de - add e2fsprogs to NFB -- use system-et and system-ss -- fix includes of com_err.h +- use system-et and system-ss +- fix includes of com_err.h ------------------------------------------------------------------- Thu Oct 28 17:58:41 CEST 2004 - mc@suse.de -- Initital checkin - +- Initital checkin 
diff --git a/krb5-mini.spec b/krb5-mini.spec
index 20de26b..ed608d5 100644
--- a/krb5-mini.spec
+++ b/krb5-mini.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package krb5-mini
 #
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -21,26 +21,26 @@
 %define _fillupdir /var/adm/fillup-templates
 %endif
-%define srcRoot krb5-1.16.1
+%define srcRoot krb5-%{version}
 %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
 %define krb5docdir %{_defaultdocdir}/krb5
 Name: krb5-mini
-Url: https://web.mit.edu/kerberos/www/
+Version: 1.17
+Release: 0
+Summary: MIT Kerberos5 implementation and libraries with minimal dependencies
+License: MIT
+Group: Productivity/Networking/Security
+URL: https://web.mit.edu/kerberos/www/
+Obsoletes: krb5-plugin-preauth-pkinit-nss
 BuildRequires: autoconf
 BuildRequires: bison
 BuildRequires: keyutils
 BuildRequires: keyutils-devel
 BuildRequires: libcom_err-devel
 BuildRequires: libselinux-devel
-BuildRequires: ncurses-devel
-Version: 1.16.1
-Release: 0
-Summary: MIT Kerberos5 implementation and libraries with minimal dependencies
-License: MIT
-Group: Productivity/Networking/Security
-Obsoletes: krb5-plugin-preauth-pkinit-nss
 BuildRequires: libverto-devel
+BuildRequires: ncurses-devel
 # bug437293
 %ifarch ppc64
 Obsoletes: krb5-64bit
@@ -52,21 +52,22 @@ Conflicts: krb5-server Conflicts: krb5-plugin-kdb-ldap Conflicts: krb5-plugin-preauth-pkinit Conflicts: krb5-plugin-preauth-otp -Source0: https://web.mit.edu/kerberos/dist/krb5/1.16/krb5-%{version}.tar.gz -Source1: https://web.mit.edu/kerberos/dist/krb5/1.16/krb5-%{version}.tar.gz.asc +Source0: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}.tar.gz +Source1: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}.tar.gz.asc Source2: krb5.keyring Source3: vendor-files.tar.bz2 Source4: baselibs.conf Source5: krb5-rpmlintrc -Patch1: krb5-1.12-pam.patch -Patch2: krb5-1.9-manpaths.dif -Patch3: krb5-1.12-buildconf.patch -Patch4: krb5-1.6.3-gssapi_improve_errormessages.dif -Patch6: krb5-1.6.3-ktutil-manpage.dif -Patch8: krb5-1.12-api.patch -Patch11: krb5-1.12-ksu-path.patch -Patch12: krb5-1.12-selinux-label.patch -Patch13: krb5-1.9-debuginfo.patch +Source6: krb5.tmpfiles +Patch1: 0001-krb5-1.12-pam.patch +Patch2: 0002-krb5-1.9-manpaths.patch +Patch3: 0003-krb5-1.12-buildconf.patch +Patch4: 0004-krb5-1.6.3-gssapi_improve_errormessages.patch +Patch5: 0005-krb5-1.6.3-ktutil-manpage.patch +Patch6: 0006-krb5-1.12-api.patch +Patch7: 0007-krb5-1.12-ksu-path.patch +Patch8: 0008-krb5-1.12-selinux-label.patch +Patch9: 0009-krb5-1.9-debuginfo.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: %fillup_prereq @@ -104,11 +105,11 @@ Include Files for Development %patch2 -p1 %patch3 -p1 %patch4 -p1 +%patch5 -p1 %patch6 -p1 +%patch7 -p1 %patch8 -p1 -%patch11 -p1 -%patch12 -p1 -%patch13 -p1 +%patch9 -p1 %build # needs to be re-generated @@ -118,7 +119,7 @@ autoreconf -fi DEFCCNAME=DIR:/run/user/%%{uid}/krb5cc; export DEFCCNAME ./configure \ CC="%{__cc}" \ - CFLAGS="$RPM_OPT_FLAGS -I%{_includedir}/et -fno-strict-aliasing -D_GNU_SOURCE -fPIC $(getconf LFS_CFLAGS)" \ + CFLAGS="%{optflags} -I%{_includedir}/et -fno-strict-aliasing -D_GNU_SOURCE -fPIC $(getconf LFS_CFLAGS)" \ CPPFLAGS="-I%{_includedir}/et " \ SS_LIB="-lss" \ --prefix=/usr/lib/mit \ 
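Review bot: Source0 and Source1 now fetch the 1.17 tarball and its .asc signature, but Source2 krb5.keyring is left untouched by this change; the .asc is presumably checked against that keyring by the source validator (not visible here), so confirm the keyring carries the key used to sign the 1.17 release before merging, otherwise the signature cannot be verified. The Patch renumbering is consistent with the %prep hunk (`%patch5`, `%patch7` and `%patch9` replace `%patch11`–`%patch13`); `%patch1` is applied outside this hunk, so its -p level could not be checked.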
@@ -147,25 +148,19 @@ make %{?_smp_mflags}
 cp man/kadmin.man man/kadmin.local.8
 %install
-
-# Where per-user keytabs live by default.
-mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/lib/kerberos/krb5/user
-mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/log/krb5
-
-cd src
-make DESTDIR=%{buildroot} install
-cd ..
+mkdir -p %{buildroot}/%{_localstatedir}/log/krb5
+%make_install -C src
 # Munge krb5-config yet again. This is totally wrong for 64-bit, but chunks
 # of the buildconf patch already conspire to strip out /usr/ from the
 # list of link flags, and it helps prevent file conflicts on multilib systems.
-sed -r -i -e 's|^libdir=/usr/lib(64)?$|libdir=/usr/lib|g' $RPM_BUILD_ROOT/usr/lib/mit/bin/krb5-config
+sed -r -i -e 's|^libdir=/usr/lib(64)?$|libdir=/usr/lib|g' %{buildroot}/usr/lib/mit/bin/krb5-config
 # install autoconf macro
 mkdir -p %{buildroot}/%{_datadir}/aclocal
 install -m 644 src/util/ac_check_krb5.m4 %{buildroot}%{_datadir}/aclocal/
 # install sample config files
 # I'll probably do something about this later on
-mkdir -p %{buildroot}%{_sysconfdir} %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc
+mkdir -p %{buildroot}%{_sysconfdir}
 mkdir -p %{buildroot}%{_sysconfdir}/krb5.conf.d
 mkdir -p %{buildroot}/etc/profile.d/
 mkdir -p %{buildroot}/var/log/krb5
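Review bot: The new `mkdir -p %{buildroot}/%{_localstatedir}/log/krb5` at the top of %install duplicates the unchanged `mkdir -p %{buildroot}/var/log/krb5` at the end of the same hunk (%{_localstatedir} expands to /var, so both create the same directory); keep only one, preferably the macro form. The replacement of the cd/make/cd sequence by `%make_install -C src` is equivalent, since %make_install already passes DESTDIR=%{buildroot}.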
@@ -176,13 +171,22 @@ mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/preauth
 mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/libkrb5
 mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/tls
 install -m 644 %{vendorFiles}/krb5.conf %{buildroot}%{_sysconfdir}
-install -m 600 %{vendorFiles}/kdc.conf %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc/
-install -m 600 %{vendorFiles}/kadm5.acl %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc/
-install -m 600 %{vendorFiles}/kadm5.dict %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc/
 install -m 644 %{vendorFiles}/krb5.csh.profile %{buildroot}/etc/profile.d/krb5.csh
 install -m 644 %{vendorFiles}/krb5.sh.profile %{buildroot}/etc/profile.d/krb5.sh
 install -m 644 %{vendorFiles}/SuSEFirewall.kdc %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/kdc
 install -m 644 %{vendorFiles}/SuSEFirewall.kadmind %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/kadmind
+
+# Do not write directly to /var/lib/kerberos anymore as it breaks transactional
+# updates. Use systemd-tmpfiles to copy the files there when it doesn't exist
+install -d -m 0755 %{buildroot}/usr/lib/tmpfiles.d/
+install -m 644 %{SOURCE6} %{buildroot}/usr/lib/tmpfiles.d/krb5.conf
+mkdir -p %{buildroot}/%{_datadir}/kerberos/krb5kdc
+# Where per-user keytabs live by default.
+mkdir -p %{buildroot}/%{_datadir}/kerberos/krb5/user
+install -m 600 %{vendorFiles}/kdc.conf %{buildroot}%{_datadir}/kerberos/krb5kdc/
+install -m 600 %{vendorFiles}/kadm5.acl %{buildroot}%{_datadir}/kerberos/krb5kdc/
+install -m 600 %{vendorFiles}/kadm5.dict %{buildroot}%{_datadir}/kerberos/krb5kdc/
+
 # all libs must have permissions 0755
 for lib in `find %{buildroot}/%{_libdir}/ -type f -name "*.so*"`
 do
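Review bot: The tmpfiles fragment is installed into a hard-coded `/usr/lib/tmpfiles.d/` here but packaged as `%{_libexecdir}/tmpfiles.d/krb5.conf` in the %files hunk (@@ -345 below); the two only coincide where %{_libexecdir} is /usr/lib, so use the macro systemd-rpm-macros provides in both places: `install -d -m 0755 %{buildroot}%{_tmpfilesdir}` and `install -m 644 %{SOURCE6} %{buildroot}%{_tmpfilesdir}/krb5.conf`, with `%{_tmpfilesdir}/krb5.conf` in %files. The templates kdc.conf, kadm5.acl and kadm5.dict are installed 0600 under %{_datadir}, but the live copies under /var/lib/kerberos are now produced by krb5.tmpfiles (Source6), which is not in this diff; their mode and owner depend on what that fragment specifies, so check that its entries set 0600 root root explicitly rather than relying on a default, since kadm5.acl decides who may administer the realm and kdc.conf names the stash location.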
@@ -204,9 +208,9 @@ install -m 755 %{vendorFiles}/krb5kdc.init %{buildroot}%{_sysconfdir}/init.d/krb
 install -m 755 %{vendorFiles}/kpropd.init %{buildroot}%{_sysconfdir}/init.d/kpropd
 %endif
 # install sysconfig templates
-mkdir -p $RPM_BUILD_ROOT/%{_fillupdir}
-install -m 644 %{vendorFiles}/sysconfig.kadmind $RPM_BUILD_ROOT/%{_fillupdir}/
-install -m 644 %{vendorFiles}/sysconfig.krb5kdc $RPM_BUILD_ROOT/%{_fillupdir}/
+mkdir -p %{buildroot}/%{_fillupdir}
+install -m 644 %{vendorFiles}/sysconfig.kadmind %{buildroot}/%{_fillupdir}/
+install -m 644 %{vendorFiles}/sysconfig.krb5kdc %{buildroot}/%{_fillupdir}/
 # install logrotate files
 mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d
 install -m 644 %{vendorFiles}/krb5-server.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/krb5-server
@@ -239,10 +243,10 @@ install -m 644 %{_builddir}/%{srcRoot}/README %{buildroot}/%{krb5docdir}/README
 rm -f %{buildroot}/usr/share/man/man1/tmac.doc*
 rm -f /usr/share/man/man1/tmac.doc*
 rm -rf %{buildroot}/usr/lib/mit/share/examples
-# manually remove otp plugin for krb5-mini since configure
+# manually remove otp, spake and test plugin for krb5-mini since configure
 # doesn't support disabling it at build time
 rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/otp.so
-# manually remove test plugin since configure doesn't support disabling it at build time
+rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/spake.so
 rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so
 %find_lang mit-krb5
@@ -261,6 +265,7 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so
 %post
 /sbin/ldconfig
 %service_add_post krb5kdc.service kadmind.service kpropd.service
+%tmpfiles_create krb5.conf
 %{fillup_only -n kadmind}
 %{fillup_only -n krb5kdc}
 %{fillup_only -n kpropd}
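Review bot: In the @@ -239 hunk the reworded comment now covers three plugins, so the unchanged second line should follow: `# doesn't support disabling them at build time`; it would also help to say why spake.so is dropped from krb5-mini (presumably the same "no configure switch" reason, but the comment does not say). While here, the unchanged `rm -f /usr/share/man/man1/tmac.doc*` in the same hunk lacks %{buildroot} and so operates on the build host rather than the package payload; the line above it already removes the file from %{buildroot}, so this one should be deleted.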
@@ -313,10 +318,6 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so %dir %{_libdir}/krb5/plugins/preauth %dir %{_libdir}/krb5/plugins/libkrb5 %dir %{_libdir}/krb5/plugins/tls -%dir %{_localstatedir}/lib/kerberos/ -%dir %{_localstatedir}/lib/kerberos/krb5kdc -%dir %{_localstatedir}/lib/kerberos/krb5 -%dir %{_localstatedir}/lib/kerberos/krb5/user %attr(0700,root,root) %dir /var/log/krb5 %dir /usr/lib/mit %dir /usr/lib/mit/sbin @@ -326,9 +327,6 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so %dir %{_sysconfdir}/krb5.conf.d %attr(0644,root,root) %config /etc/profile.d/krb5* %config(noreplace) %{_sysconfdir}/logrotate.d/krb5-server -%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kdc.conf -%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.acl -%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.dict %config %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/k* %{_fillupdir}/sysconfig.* %{_unitdir}/kadmind.service 
@@ -345,6 +343,21 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so %{_libdir}/libkrad.so.* %{_libdir}/krb5/plugins/kdb/* %{_libdir}/krb5/plugins/tls/* +%{_libexecdir}/tmpfiles.d/krb5.conf +%dir %{_datadir}/kerberos/ +%dir %{_datadir}/kerberos/krb5kdc +%dir %{_datadir}/kerberos/krb5 +%dir %{_datadir}/kerberos/krb5/user +%attr(0600,root,root) %config(noreplace) %{_datadir}/kerberos/krb5kdc/kdc.conf +%attr(0600,root,root) %config(noreplace) %{_datadir}/kerberos/krb5kdc/kadm5.acl +%attr(0600,root,root) %config(noreplace) %{_datadir}/kerberos/krb5kdc/kadm5.dict +%ghost %dir %{_sharedstatedir}/kerberos/ +%ghost %dir %{_sharedstatedir}/kerberos/krb5kdc +%ghost %dir %{_sharedstatedir}/kerberos/krb5 +%ghost %dir %{_sharedstatedir}/kerberos/krb5/user +%ghost %attr(0600,root,root) %config(noreplace) %{_sharedstatedir}/kerberos/krb5kdc/kdc.conf +%ghost %attr(0600,root,root) %config(noreplace) %{_sharedstatedir}/kerberos/krb5kdc/kadm5.acl +%ghost %attr(0600,root,root) %config(noreplace) %{_sharedstatedir}/kerberos/krb5kdc/kadm5.dict /usr/lib/mit/sbin/kadmin.local /usr/lib/mit/sbin/kadmind /usr/lib/mit/sbin/kpropd @@ -387,6 +400,7 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so %{_mandir}/man5/* %{_mandir}/man5/.k5login.5.gz %{_mandir}/man5/.k5identity.5* +%{_mandir}/man7/kerberos.7.gz %{_mandir}/man8/* %changelog diff --git a/krb5-rpmlintrc b/krb5-rpmlintrc index aaee6d3..a50983e 100644 --- a/krb5-rpmlintrc +++ b/krb5-rpmlintrc @@ -1,6 +1,8 @@ addFilter("devel-file-in-non-devel-package .*libgssapi_krb5.so") addFilter("hidden-file-or-dir .*/usr/share/man/man5/.k5login.5.gz") +addFilter("hidden-file-or-dir .*/usr/share/man/man5/.k5identity.5.gz") addFilter("files-duplicate .*css") addFilter("files-duplicate .*img.*png") addFilter("devel-file-in-non-devel-package .*libkdb_ldap.so") addFilter("shlib-policy-missing-suffix") +addFilter("non-etc-or-var-file-marked-as-conffile") diff --git a/krb5.changes b/krb5.changes index 5d47eed..4258e6e 100644 
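Review bot: `%attr(0600,root,root)` on the `%ghost` entries sets nothing at install time, because rpm does not create ghost files, so the 0600 on the live kdc.conf and kadm5.acl now rests entirely on the tmpfiles.d line; `rpm -V` also skips ghosts by default, so a later mode drift on kadm5.acl will no longer be reported the way it was for the old %config(noreplace) entries. The ghost `%dir` entries for krb5kdc and krb5/user carry no %attr either, and those directories will hold the KDC database and per-user keytabs, so please check that the tmpfiles `d` lines request a mode no more permissive than the old layout and document it in the spec, e.g. `# Live copies and their modes are created by tmpfiles.d/krb5.conf; the %ghost entries only record ownership for rpm -q.` `%{_libexecdir}/tmpfiles.d/krb5.conf` only matches the `/usr/lib/tmpfiles.d/` install path while %_libexecdir expands to /usr/lib; `%{_tmpfilesdir}/krb5.conf` in both places removes that coupling.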
--- a/krb5.changes +++ b/krb5.changes 
@@ -1,3 +1,74 @@ +------------------------------------------------------------------- +Wed Feb 13 17:45:34 UTC 2019 - Jan Engelhardt + +- Replace old $RPM_* shell vars + +------------------------------------------------------------------- +Mon Jan 14 16:10:06 UTC 2019 - Samuel Cabrero + +- Upgrade to 1.17. Major changes: + Administrator experience: + * A new Kerberos database module using the Lightning Memory-Mapped + Database library (LMDB) has been added. The LMDB KDB module should + be more performant and more robust than the DB2 module, and may + become the default module for new databases in a future release. + * "kdb5_util dump" will no longer dump policy entries when specific + principal names are requested. + Developer experience: + * The new krb5_get_etype_info() API can be used to retrieve enctype, + salt, and string-to-key parameters from the KDC for a client + principal. + * The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise + principal names to be used with GSS-API functions. + * KDC and kadmind modules which call com_err() will now write to the + log file in a format more consistent with other log messages. + * Programs which use large numbers of memory credential caches should + perform better. + Protocol evolution: + * The SPAKE pre-authentication mechanism is now supported. This + mechanism protects against password dictionary attacks without + requiring any additional infrastructure such as certificates. SPAKE + is enabled by default on clients, but must be manually enabled on + the KDC for this release. + * PKINIT freshness tokens are now supported. Freshness tokens can + protect against scenarios where an attacker uses temporary access to + a smart card to generate authentication requests for the future. + * Password change operations now prefer TCP over UDP, to avoid + spurious error messages about replays when a response packet is + dropped. 
+ * The KDC now supports cross-realm S4U2Self requests when used with a + third-party KDB module such as Samba's. The client code for + cross-realm S4U2Self requests is also now more robust. + User experience: + * The new ktutil addent -f flag can be used to fetch salt information + from the KDC for password-based keys. + * The new kdestroy -p option can be used to destroy a credential cache + within a collection by client principal name. + * The Kerberos man page has been restored, and documents the + environment variables that affect programs using the Kerberos + library. + Code quality: + * Python test scripts now use Python 3. + * Python test scripts now display markers in verbose output, making it + easier to find where a failure occurred within the scripts. + * The Windows build system has been simplified and updated to work + with more recent versions of Visual Studio. A large volume of + unused Windows-specific code has been removed. Visual Studio 2013 + or later is now required. +- Use systemd-tmpfiles to create files under /var/lib/kerberos, required + by transactional updates; (bsc#1100126); +- Rename patches: + * krb5-1.12-pam.patch => 0001-krb5-1.12-pam.patch + * krb5-1.9-manpaths.dif => 0002-krb5-1.9-manpaths.patch + * krb5-1.12-buildconf.patch => 0003-krb5-1.12-buildconf.patch + * krb5-1.6.3-gssapi_improve_errormessages.dif to + 0004-krb5-1.6.3-gssapi_improve_errormessages.patch + * krb5-1.6.3-ktutil-manpage.dif => 0005-krb5-1.6.3-ktutil-manpage.patch + * krb5-1.12-api.patch => 0006-krb5-1.12-api.patch + * krb5-1.12-ksu-path.patch => 0007-krb5-1.12-ksu-path.patch + * krb5-1.12-selinux-label.patch => 0008-krb5-1.12-selinux-label.patch + * krb5-1.9-debuginfo.patch => 0009-krb5-1.9-debuginfo.patch + ------------------------------------------------------------------- Tue Oct 9 20:00:21 UTC 2018 - James McDonough 
@@ -40,11 +111,11 @@ Fri May 4 09:48:36 UTC 2018 - michael@stroeder.com Wed Apr 25 21:54:39 UTC 2018 - luizluca@gmail.com - Added support for /etc/krb5.conf.d/ for configuration snippets - + ------------------------------------------------------------------- Thu Nov 23 13:38:38 UTC 2017 - rbrown@suse.com -- Replace references to /var/adm/fillup-templates with new +- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468) ------------------------------------------------------------------- @@ -210,8 +281,8 @@ Sat Dec 3 13:04:11 UTC 2016 - michael@stroeder.com ------------------------------------------------------------------- Mon Nov 14 08:36:06 UTC 2016 - christof.hanke@rzg.mpg.de -- add pam configuration file required for ksu - just use a copy of "su" one from Tumbleweed +- add pam configuration file required for ksu + just use a copy of "su" one from Tumbleweed ------------------------------------------------------------------- Fri Jul 22 08:45:19 UTC 2016 - michael@stroeder.com @@ -224,11 +295,11 @@ Fri Jul 22 08:45:19 UTC 2016 - michael@stroeder.com nonexistent policies * Fix a rare KDC denial of service vulnerability when anonymous client principals are restricted to obtaining TGTs only [CVE-2016-3120] - + ------------------------------------------------------------------- Sat Jul 2 11:38:54 UTC 2016 - idonmez@suse.com -- Remove comments breaking post scripts. +- Remove comments breaking post scripts. ------------------------------------------------------------------- Thu Jun 30 13:34:29 UTC 2016 - fcrozat@suse.com 
@@ -591,7 +662,7 @@ Thu Sep 25 12:48:32 UTC 2014 - ddiss@suse.com ------------------------------------------------------------------- Tue Sep 23 13:25:33 UTC 2014 - varkoly@suse.com -- bnc#897874 CVE-2014-5351: krb5: current keys returned when randomizing the keys for a service principal +- bnc#897874 CVE-2014-5351: krb5: current keys returned when randomizing the keys for a service principal - added patches: * bnc#897874-CVE-2014-5351.diff ------------------------------------------------------------------- @@ -632,7 +703,7 @@ Fri Aug 8 15:55:01 UTC 2014 - ckornacker@suse.com - buffer overrun in kadmind with LDAP backend CVE-2014-4345 (bnc#891082) - krb5-1.12-CVE-2014-4345-buffer-overrun-in-kadmind-with-LDAP-backend.patch + krb5-1.12-CVE-2014-4345-buffer-overrun-in-kadmind-with-LDAP-backend.patch ------------------------------------------------------------------- Mon Jul 28 09:22:06 UTC 2014 - ckornacker@suse.com @@ -645,7 +716,7 @@ Mon Jul 28 09:22:06 UTC 2014 - ckornacker@suse.com ------------------------------------------------------------------- Sat Jul 19 12:38:21 UTC 2014 - p.drouand@gmail.com -- Do not depend of insserv if systemd is used +- Do not depend of insserv if systemd is used ------------------------------------------------------------------- Thu Jul 10 15:59:52 UTC 2014 - ckornacker@suse.com @@ -716,7 +787,7 @@ Mon Jan 13 15:37:16 UTC 2014 - ckornacker@suse.com * krb5-master-gss_oid_leak.patch - Fix SPNEGO one-hop interop against old IIS * krb5-master-ignore-empty-unnecessary-final-token.patch - - Fix GSS krb5 acceptor acquire_cred error handling + - Fix GSS krb5 acceptor acquire_cred error handling * krb5-master-keytab_close.patch - Avoid malloc(0) in SPNEGO get_input_token * krb5-master-no-malloc0.patch 
@@ -749,7 +820,7 @@ Mon Jun 24 16:21:07 UTC 2013 - mc@suse.com ------------------------------------------------------------------- Fri Jun 21 02:12:03 UTC 2013 - crrodriguez@opensuse.org -- remove fstack-protector-all from CFLAGS, just use the +- remove fstack-protector-all from CFLAGS, just use the lighter/fast version already present in %optflags - Use LFS_CFLAGS to build in 32 bit archs. @@ -788,7 +859,7 @@ Sun Apr 28 17:14:36 CEST 2013 - mc@suse.de that failed to load. * gss_import_sec_context incorrectly set internal state that identifies whether an imported context is from an interposer - mechanism or from the underlying mechanism. + mechanism or from the underlying mechanism. - upstream fix obsolete krb5-lookup_etypes-leak.patch ------------------------------------------------------------------- @@ -990,7 +1061,7 @@ Tue Aug 23 13:52:03 CEST 2011 - mc@suse.de ------------------------------------------------------------------- Sun Aug 21 09:37:01 UTC 2011 - mc@novell.com -- add patches from Fedora and upstream +- add patches from Fedora and upstream - fix init scripts (bnc#689006) ------------------------------------------------------------------- @@ -1028,12 +1099,12 @@ Wed Jan 19 14:42:27 CET 2011 - mc@suse.de CVE-2010-4022 - Fix KDC denial of service attacks with LDAP back end (MITKRB5-SA-2011-002, bnc#663619) - CVE-2011-0281, CVE-2011-0282 + CVE-2011-0281, CVE-2011-0282 ------------------------------------------------------------------- Wed Dec 1 11:44:15 CET 2010 - mc@suse.de -- Fix multiple checksum handling vulnerabilities +- Fix multiple checksum handling vulnerabilities (MITKRB5-SA-2010-007, bnc#650650) CVE-2010-1324 * krb5 GSS-API applications may accept unkeyed checksums 
@@ -1045,21 +1116,21 @@ Wed Dec 1 11:44:15 CET 2010 - mc@suse.de CVE-2010-4020 * krb5 may accept authdata checksums with low-entropy derived keys CVE-2010-4021 - * krb5 KDC may issue unrequested tickets due to KrbFastReq forgery + * krb5 KDC may issue unrequested tickets due to KrbFastReq forgery ------------------------------------------------------------------- Thu Oct 28 12:53:13 CEST 2010 - mc@suse.de -- fix csh profile (bnc#649856) +- fix csh profile (bnc#649856) ------------------------------------------------------------------- Fri Oct 22 11:15:43 CEST 2010 - mc@suse.de - update to krb5-1.8.3 * remove patches which are now upstrem - - krb5-1.7-MITKRB5-SA-2010-004.dif - - krb5-1.8.1-gssapi-error-table.dif - - krb5-MITKRB5-SA-2010-005.dif + - krb5-1.7-MITKRB5-SA-2010-004.dif + - krb5-1.8.1-gssapi-error-table.dif + - krb5-MITKRB5-SA-2010-005.dif ------------------------------------------------------------------- Fri Oct 22 10:49:11 CEST 2010 - mc@suse.de @@ -1071,7 +1142,7 @@ Fri Oct 22 10:49:11 CEST 2010 - mc@suse.de Mon Sep 27 11:42:43 CEST 2010 - mc@suse.de - fix a dereference of an uninitialized pointer while processing - authorization data. + authorization data. CVE-2010-1322, MITKRB5-SA-2010-006 (bnc#640990) ------------------------------------------------------------------- @@ -1084,12 +1155,12 @@ Mon Jun 21 21:31:53 UTC 2010 - lchiquitto@novell.com Wed May 19 14:27:19 CEST 2010 - mc@suse.de - fix GSS-API library null pointer dereference - CVE-2010-1321, MITKRB5-SA-2010-005 (bnc#596826) + CVE-2010-1321, MITKRB5-SA-2010-005 (bnc#596826) ------------------------------------------------------------------- Wed Apr 14 11:36:32 CEST 2010 - mc@suse.de -- fix a double free vulnerability in the KDC +- fix a double free vulnerability in the KDC CVE-2010-1320, MITKRB5-SA-2010-004 (bnc#596002) ------------------------------------------------------------------- 
@@ -1097,12 +1168,12 @@ Fri Apr 9 12:43:44 CEST 2010 - mc@suse.de - update to version 1.8.1 * include krb5-1.8-POST.dif - * include MITKRB5-SA-2010-002 + * include MITKRB5-SA-2010-002 ------------------------------------------------------------------- Tue Apr 6 14:14:56 CEST 2010 - mc@suse.de -- update krb5-1.8-POST.dif +- update krb5-1.8-POST.dif ------------------------------------------------------------------- Tue Mar 23 14:32:41 CET 2010 - mc@suse.de @@ -1110,17 +1181,17 @@ Tue Mar 23 14:32:41 CET 2010 - mc@suse.de - fix a bug where an unauthenticated remote attacker could cause a GSS-API application including the Kerberos administration daemon (kadmind) to crash. - CVE-2010-0628, MITKRB5-SA-2010-002 (bnc#582557) + CVE-2010-0628, MITKRB5-SA-2010-002 (bnc#582557) ------------------------------------------------------------------- Tue Mar 23 12:33:26 CET 2010 - mc@suse.de - add post 1.8 fixes * Add IPv6 support to changepw.c - * fix two problems in kadm5_get_principal mask handling + * fix two problems in kadm5_get_principal mask handling * Ignore improperly encoded signedpath AD elements * handle NT_SRV_INST in service principal referrals - * dereference options while checking + * dereference options while checking KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT * Fix the kpasswd fallback from the ccache principal name * Document the ticket_lifetime libdefaults setting 
@@ -1130,16 +1201,16 @@ Tue Mar 23 12:33:26 CET 2010 - mc@suse.de Thu Mar 4 10:42:29 CET 2010 - mc@suse.de - update to version 1.8 - * Increase code quality + * Increase code quality * Move toward improved KDB interface - * Investigate and remedy repeatedly-reported performance + * Investigate and remedy repeatedly-reported performance bottlenecks. * Reduce DNS dependence by implementing an interface that allows - client library to track whether a KDC supports service + client library to track whether a KDC supports service principal referrals. - * Disable DES by default + * Disable DES by default * Account lockout for repeated login failures - * Bridge layer to allow Heimdal HDB modules to act as KDB + * Bridge layer to allow Heimdal HDB modules to act as KDB backend modules * FAST enhancements * Microsoft Services for User (S4U) compatibility @@ -1151,7 +1222,7 @@ Thu Mar 4 10:42:29 CET 2010 - mc@suse.de - fix integer underflow in AES and RC4 decryption CVE-2009-4212, MITKRB5-SA-2009-004 (bnc#561351) - moved krb5 applications (telnet, ftp, rlogin, ...) to krb5-appl - + ------------------------------------------------------------------- Mon Dec 14 16:32:01 CET 2009 - jengelh@medozas.de @@ -1171,12 +1242,12 @@ Sun Jul 12 21:36:17 CEST 2009 - coolo@novell.com ------------------------------------------------------------------- Wed Jun 3 10:23:42 CEST 2009 - mc@suse.de -- update to final 1.7 release +- update to final 1.7 release ------------------------------------------------------------------- Wed May 13 11:30:42 CEST 2009 - mc@suse.de -- update to version 1.7 Beta2 +- update to version 1.7 Beta2 * Incremental propagation support for the KDC database. * Flexible Authentication Secure Tunneling (FAST), a preauthentiation framework that can protect the AS exchange from dictionary attack. 
@@ -1189,7 +1260,7 @@ Wed May 13 11:30:42 CEST 2009 - mc@suse.de ------------------------------------------------------------------- Mon Feb 16 13:04:26 CET 2009 - mc@suse.de -- update to pre 1.7 version +- update to pre 1.7 version * Remove support for version 4 of the Kerberos protocol (krb4). * New libdefaults configuration variable "allow_weak_crypto". * Client library now follows client principal referrals, for @@ -1218,7 +1289,7 @@ Wed Jan 14 09:21:36 CET 2009 - olh@suse.de Thu Dec 11 14:12:57 CET 2008 - mc@suse.de - do not query IPv6 addresses if no IPv6 address exists on this host - [bnc#449143] + [bnc#449143] ------------------------------------------------------------------- Wed Dec 10 12:34:56 CET 2008 - olh@suse.de @@ -1235,7 +1306,7 @@ Thu Oct 30 12:34:56 CET 2008 - olh@suse.de Fri Sep 26 18:13:19 CEST 2008 - mc@suse.de - in case we use ldap as database backend, ldap should be - started before krb5kdc + started before krb5kdc ------------------------------------------------------------------- Mon Jul 28 10:43:29 CEST 2008 - mc@suse.de @@ -1243,8 +1314,8 @@ Mon Jul 28 10:43:29 CEST 2008 - mc@suse.de - add new fixes to post 1.6.3 patch * fix mem leak in krb5_gss_accept_sec_context() * keep minor_status - * kadm5_decrypt_key: A ktype of -1 is documented as meaning - "to be ignored" + * kadm5_decrypt_key: A ktype of -1 is documented as meaning + "to be ignored" * Reject socket fds > FD_SETSIZE ------------------------------------------------------------------- 
@@ -1261,14 +1332,14 @@ Wed Jun 18 15:30:18 CEST 2008 - mc@suse.de - add case-insensitive.dif (FATE#300771) - minor fixes for ktutil man page -- reduce rpmlint warnings +- reduce rpmlint warnings ------------------------------------------------------------------- Wed May 14 17:44:59 CEST 2008 - mc@suse.de - Fall back to TCP on kdc-unresolvable/unreachable errors. - restore valid sequence number before generating requests - (fix changing passwords in mixed ipv4/ipv6 enviroments) + (fix changing passwords in mixed ipv4/ipv6 enviroments) ------------------------------------------------------------------- Thu Apr 10 12:54:45 CEST 2008 - ro@suse.de @@ -1279,7 +1350,7 @@ Thu Apr 10 12:54:45 CEST 2008 - ro@suse.de ------------------------------------------------------------------- Wed Apr 9 12:04:48 CEST 2008 - mc@suse.de -- modify krb5-config to not output rpath and cflags in --libs +- modify krb5-config to not output rpath and cflags in --libs (bnc#378270) ------------------------------------------------------------------- @@ -1291,7 +1362,7 @@ Fri Mar 14 11:27:55 CET 2008 - mc@suse.de * MITKRB5-SA-2008-002(CVE-2008-0947, CVE-2008-0948) Memory corruption while too many open file descriptors [bnc#363151] -- change default config file. Comment out the examples. +- change default config file. Comment out the examples. ------------------------------------------------------------------- Fri Dec 14 10:48:52 CET 2007 - mc@suse.de @@ -1306,12 +1377,12 @@ Fri Dec 14 10:48:52 CET 2007 - mc@suse.de ------------------------------------------------------------------- Tue Dec 4 16:36:07 CET 2007 - mc@suse.de -- improve GSSAPI error messages +- improve GSSAPI error messages ------------------------------------------------------------------- Tue Nov 6 13:53:17 CET 2007 - mc@suse.de -- add coreutils to PreReq +- add coreutils to PreReq ------------------------------------------------------------------- Tue Oct 23 10:24:25 CEST 2007 - mc@suse.de 
@@ -1327,8 +1398,8 @@ Tue Oct 23 10:24:25 CEST 2007 - mc@suse.de Fri Sep 14 12:08:55 CEST 2007 - mc@suse.de - update krb5-1.6.2-post.dif - * If a KDC returns KDC_ERR_SVC_UNAVAILABLE, it appears that - that the client library will not failover to the next KDC. + * If a KDC returns KDC_ERR_SVC_UNAVAILABLE, it appears that + that the client library will not failover to the next KDC. [#310540] ------------------------------------------------------------------- @@ -1338,7 +1409,7 @@ Tue Sep 11 15:09:14 CEST 2007 - mc@suse.de * new -S sname option for kvno * read_entropy_from_device on partial read will not fill buffer * Bail out if encoded "ticket" doesn't decode correctly. - * patch for referrals loop + * patch for referrals loop ------------------------------------------------------------------- Thu Sep 6 10:43:39 CEST 2007 - mc@suse.de @@ -1359,10 +1430,10 @@ Tue Aug 7 11:56:41 CEST 2007 - mc@suse.de - add krb5-1.6.2-post.dif * during the referrals loop, check to see if the - session key enctype of a returned credential for the final - service is among the enctypes explicitly selected by the - application, and retry with old_use_conf_ktypes if it is not. - * If mkstemp() is available, the new ccache file gets created but + session key enctype of a returned credential for the final + service is among the enctypes explicitly selected by the + application, and retry with old_use_conf_ktypes if it is not. + * If mkstemp() is available, the new ccache file gets created but the subsequent open(O_CREAT|O_EXCL) call fails because the file was already created by mkstemp(). Apply patch from Apple to keep the file descriptor open. 
@@ -1371,7 +1442,7 @@ Tue Aug 7 11:56:41 CEST 2007 - mc@suse.de Thu Jul 12 17:01:28 CEST 2007 - mc@suse.de - update to version 1.6.2 -- remove krb5-1.6.1-post.dif all fixes are included in this release +- remove krb5-1.6.1-post.dif all fixes are included in this release ------------------------------------------------------------------- Thu Jul 5 18:10:28 CEST 2007 - mc@suse.de @@ -1383,7 +1454,7 @@ Mon Jul 2 11:26:47 CEST 2007 - mc@suse.de - update krb5-1.6.1-post.dif * fix leak in krb5_walk_realm_tree - * rd_req_decoded needs to deal with referral realms + * rd_req_decoded needs to deal with referral realms * fix buffer overflow in kadmind (MITKRB5-SA-2007-005 - CVE-2007-2798) [#278689] @@ -1394,14 +1465,14 @@ Mon Jul 2 11:26:47 CEST 2007 - mc@suse.de ------------------------------------------------------------------- Thu Jun 14 17:44:12 CEST 2007 - mc@suse.de -- fix unstripped-binary-or-object rpmlint warning +- fix unstripped-binary-or-object rpmlint warning ------------------------------------------------------------------- Mon Jun 11 18:04:23 CEST 2007 - sschober@suse.de - fixing rpmlint warnings and errors: * merged logrotate scripts kadmin and krb5kdc into a single file - krb5-server. + krb5-server. * moved heimdal2mit-DumpConvert.pl and simple_convert_krb5conf.pl from /usr/share/doc/packages/krb5 to /usr/lib/mit/helper. adapted krb5.spec and README.ConvertHeimdalMIT accordingly. 
@@ -1414,32 +1485,32 @@ Mon Jun 11 18:04:23 CEST 2007 - sschober@suse.de ------------------------------------------------------------------- Wed May 9 15:30:53 CEST 2007 - mc@suse.de -- fix uninitialized salt length +- fix uninitialized salt length - add extra check for keytab file ------------------------------------------------------------------- Thu May 3 12:11:29 CEST 2007 - mc@suse.de - adding krb5-1.6.1-post.dif - * fix segfault in krb5_get_init_creds_password + * fix segfault in krb5_get_init_creds_password * remove debug output in ftp client * profile stores empty string values without double quotes ------------------------------------------------------------------- Mon Apr 23 11:15:10 CEST 2007 - mc@suse.de -- update to final 1.6.1 version +- update to final 1.6.1 version ------------------------------------------------------------------- Wed Apr 18 14:48:03 CEST 2007 - mc@suse.de -- add plugin directories to main package +- add plugin directories to main package ------------------------------------------------------------------- Mon Apr 16 14:38:08 CEST 2007 - mc@suse.de - update to version 1.6.1 Beta1 -- remove obsolete patches +- remove obsolete patches (krb5-1.6-post.dif, krb5-1.6-patchlevel.dif) - rework compile_pie patch @@ -1466,8 +1537,8 @@ Thu Mar 29 12:41:57 CEST 2007 - mc@suse.de ------------------------------------------------------------------- Mon Mar 5 11:01:20 CET 2007 - mc@suse.de -- move SuSEFirewall service definitions to - /etc/sysconfig/SuSEfirewall2.d/services +- move SuSEFirewall service definitions to + /etc/sysconfig/SuSEfirewall2.d/services ------------------------------------------------------------------- Thu Feb 22 11:13:48 CET 2007 - mc@suse.de 
@@ -1478,12 +1549,12 @@ Thu Feb 22 11:13:48 CET 2007 - mc@suse.de Mon Feb 19 13:59:43 CET 2007 - mc@suse.de - update krb5-1.6-post.dif -- move some applications into the right package +- move some applications into the right package ------------------------------------------------------------------- Fri Feb 9 13:31:22 CET 2007 - mc@suse.de -- update krb5-1.6-post.dif +- update krb5-1.6-post.dif ------------------------------------------------------------------- Mon Jan 29 11:27:23 CET 2007 - mc@suse.de @@ -1501,16 +1572,16 @@ Tue Jan 23 17:21:12 CET 2007 - mc@suse.de ------------------------------------------------------------------- Mon Jan 22 16:39:27 CET 2007 - mc@suse.de -- krb5-devel should require keyutils-devel +- krb5-devel should require keyutils-devel ------------------------------------------------------------------- Mon Jan 22 12:19:49 CET 2007 - mc@suse.de - update to version 1.6 - * Major changes in 1.6 include - * Partial client implementation to handle server name referrals. - * Pre-authentication plug-in framework, donated by Red Hat. - * LDAP KDB plug-in, donated by Novell. + * Major changes in 1.6 include + * Partial client implementation to handle server name referrals. + * Pre-authentication plug-in framework, donated by Red Hat. + * LDAP KDB plug-in, donated by Novell. - remove obsolete patches ------------------------------------------------------------------- @@ -1528,14 +1599,14 @@ Wed Jan 10 11:16:30 CET 2007 - mc@suse.de ------------------------------------------------------------------- Tue Jan 2 14:53:33 CET 2007 - mc@suse.de -- Fix Requires in krb5-devel +- Fix Requires in krb5-devel [Bug #231008] ------------------------------------------------------------------- Mon Nov 6 11:49:39 CET 2006 - mc@suse.de - fix "local variable used before set" [#217692] -- fix strncat warning +- fix strncat warning ------------------------------------------------------------------- Fri Oct 27 17:34:30 CEST 2006 - mc@suse.de 
@@ -1546,7 +1617,7 @@ Fri Oct 27 17:34:30 CEST 2006 - mc@suse.de ------------------------------------------------------------------- Wed Sep 13 10:39:41 CEST 2006 - mc@suse.de -- fix function call with too few arguments [#203837] +- fix function call with too few arguments [#203837] ------------------------------------------------------------------- Thu Aug 24 12:52:25 CEST 2006 - mc@suse.de @@ -1554,7 +1625,7 @@ Thu Aug 24 12:52:25 CEST 2006 - mc@suse.de - update to version 1.5.1 - remove obsolete patches which are now included upstream * krb5-1.4.3-MITKRB5-SA-2006-001-setuid-return-checks.dif - * trunk-fix-uninitialized-vars.dif + * trunk-fix-uninitialized-vars.dif ------------------------------------------------------------------- Fri Aug 11 14:29:27 CEST 2006 - mc@suse.de @@ -1566,7 +1637,7 @@ Fri Aug 11 14:29:27 CEST 2006 - mc@suse.de ------------------------------------------------------------------- Mon Aug 7 15:54:26 CEST 2006 - mc@suse.de -- remove update-messages +- remove update-messages ------------------------------------------------------------------- Mon Jul 24 15:45:14 CEST 2006 - mc@suse.de 
@@ -1578,13 +1649,13 @@ Mon Jul 24 15:45:14 CEST 2006 - mc@suse.de Mon Jul 3 14:59:35 CEST 2006 - mc@suse.de - update to version 1.5 - * KDB abstraction layer, donated by Novell. - * plug-in architecture, allowing for extension modules to be - loaded at run-time. - * multi-mechanism GSS-API implementation ("mechglue"), - donated by Sun Microsystems - * Simple and Protected GSS-API negotiation mechanism ("SPNEGO") - implementation, donated by Sun Microsystems + * KDB abstraction layer, donated by Novell. + * plug-in architecture, allowing for extension modules to be + loaded at run-time. + * multi-mechanism GSS-API implementation ("mechglue"), + donated by Sun Microsystems + * Simple and Protected GSS-API negotiation mechanism ("SPNEGO") + implementation, donated by Sun Microsystems - remove obsolete patches and add some new ------------------------------------------------------------------- @@ -1598,17 +1669,17 @@ Mon Mar 27 14:10:02 CEST 2006 - mc@suse.de - add all daemons to %stop_on_removal and %restart_on_update - add reload to kpropd init script -- add force-reload to all init scripts +- add force-reload to all init scripts ------------------------------------------------------------------- Mon Mar 13 18:20:36 CET 2006 - mc@suse.de -- add libgssapi_krb5.so link to main package [#147912] +- add libgssapi_krb5.so link to main package [#147912] ------------------------------------------------------------------- Fri Feb 3 18:17:01 CET 2006 - mc@suse.de -- fix logging section for kadmind in convert script +- fix logging section for kadmind in convert script ------------------------------------------------------------------- Wed Jan 25 21:30:24 CET 2006 - mls@suse.de 
@@ -1618,12 +1689,12 @@ Wed Jan 25 21:30:24 CET 2006 - mls@suse.de ------------------------------------------------------------------- Fri Jan 13 14:44:24 CET 2006 - mc@suse.de -- change the logging defaults +- change the logging defaults ------------------------------------------------------------------- Wed Jan 11 12:59:08 CET 2006 - mc@suse.de -- add tools and README for heimdal => MIT update +- add tools and README for heimdal => MIT update ------------------------------------------------------------------- Mon Jan 9 14:41:07 CET 2006 - mc@suse.de @@ -1634,7 +1705,7 @@ Mon Jan 9 14:41:07 CET 2006 - mc@suse.de ------------------------------------------------------------------- Tue Jan 3 16:00:13 CET 2006 - mc@suse.de -- added "make %{?jobs:-j%jobs}" +- added "make %{?jobs:-j%jobs}" ------------------------------------------------------------------- Fri Nov 18 12:12:01 CET 2005 - mc@suse.de 
@@ -1643,33 +1714,33 @@ Fri Nov 18 12:12:01 CET 2005 - mc@suse.de * some memmory leaks fixed * fix for "AS_REP padata has wrong enctype" * fix for "AS_REP padata missing PA-ETYPE-INFO" - * ... and more + * ... and more ------------------------------------------------------------------- Wed Nov 2 21:23:32 CET 2005 - dmueller@suse.de -- don't build as root +- don't build as root ------------------------------------------------------------------- Tue Oct 11 17:39:23 CEST 2005 - mc@suse.de - update to version 1.4.2 -- remove some obsolet patches +- remove some obsolet patches ------------------------------------------------------------------- Mon Aug 8 16:07:51 CEST 2005 - mc@suse.de -- build with --disable-static +- build with --disable-static ------------------------------------------------------------------- Thu Aug 4 16:47:43 CEST 2005 - ro@suse.de -- remove devel-static subpackage +- remove devel-static subpackage ------------------------------------------------------------------- Thu Jun 30 10:12:30 CEST 2005 - mc@suse.de -- better patch for princ_comp problem +- better patch for princ_comp problem ------------------------------------------------------------------- Mon Jun 27 13:34:50 CEST 2005 - mc@suse.de @@ -1688,18 +1759,18 @@ Thu Jun 23 10:12:54 CEST 2005 - mc@suse.de - fixed krb5 double free() [#86768, CAN-2005-1689, MITKRB5-SA-2005-003] - fix krb5 NULL pointer reference while comparing principals - [#91600] + [#91600] ------------------------------------------------------------------- Fri Jun 17 17:18:19 CEST 2005 - mc@suse.de -- fix uninitialized variables +- fix uninitialized variables - compile with -fPIE/ link with -pie ------------------------------------------------------------------- Wed Apr 20 15:36:16 CEST 2005 - mc@suse.de -- fixed wrong xinetd files [#77149] +- fixed wrong xinetd files [#77149] ------------------------------------------------------------------- Fri Apr 8 04:55:55 CEST 2005 - mt@suse.de 
@@ -1710,26 +1781,26 @@ Fri Apr 8 04:55:55 CEST 2005 - mt@suse.de ------------------------------------------------------------------- Thu Apr 7 13:49:37 CEST 2005 - mc@suse.de -- fixed missing descriptions in init files - [#76164, #76165, #76166, #76169] +- fixed missing descriptions in init files + [#76164, #76165, #76166, #76169] ------------------------------------------------------------------- Wed Mar 30 18:11:38 CEST 2005 - mc@suse.de - enhance $PATH via /etc/profile.d/ [#74018] -- remove the "links to important programs" +- remove the "links to important programs" ------------------------------------------------------------------- Fri Mar 18 11:09:43 CET 2005 - mc@suse.de -- fixed not running converter script [#72854] +- fixed not running converter script [#72854] ------------------------------------------------------------------- Thu Mar 17 14:15:17 CET 2005 - mc@suse.de -- Fix CAN-2005-0469: Multiple Telnet Client slc_add_reply() Buffer +- Fix CAN-2005-0469: Multiple Telnet Client slc_add_reply() Buffer Overflow -- Fix CAN-2005-0468: Multiple Telnet Client env_opt_add() Buffer +- Fix CAN-2005-0468: Multiple Telnet Client env_opt_add() Buffer Overflow [#73618] 
@@ -1747,38 +1818,38 @@ Tue Mar 15 19:54:58 CET 2005 - mc@suse.de Mon Mar 14 17:08:59 CET 2005 - mc@suse.de - fixed: rckrb5kdc restart gives wrong status with non-running service - [#72446] + [#72446] ------------------------------------------------------------------- Thu Mar 10 10:48:07 CET 2005 - mc@suse.de -- add requires: e2fsprogs-devel to krb5-devel package [#71732] +- add requires: e2fsprogs-devel to krb5-devel package [#71732] ------------------------------------------------------------------- Fri Feb 25 17:35:37 CET 2005 - mc@suse.de - fix double free [#66534] - krb5-1.4-fix-error_tables.dif + krb5-1.4-fix-error_tables.dif ------------------------------------------------------------------- Fri Feb 11 14:01:32 CET 2005 - mc@suse.de -- change mode for shared libraries to 755 +- change mode for shared libraries to 755 ------------------------------------------------------------------- Fri Feb 4 16:48:16 CET 2005 - mc@suse.de - remove spx.c from tarball because of legal risk -- add README.Source which tell the user about this +- add README.Source which tell the user about this action. - add a check for spx.c in the spec-file -- use rich-text for update-messages [#50250] +- use rich-text for update-messages [#50250] ------------------------------------------------------------------- Tue Feb 1 12:13:45 CET 2005 - mc@suse.de - add krb5-1.4-reduce-namespace-polution.dif - reduce namespace polution in gssapi.h [#50356] + reduce namespace polution in gssapi.h [#50356] ------------------------------------------------------------------- Fri Jan 28 13:25:42 CET 2005 - mc@suse.de 
@@ -1800,13 +1871,13 @@ Fri Jan 28 13:25:42 CET 2005 - mc@suse.de ------------------------------------------------------------------- Mon Jan 17 11:34:52 CET 2005 - mc@suse.de -- add proofreaded update-messages +- add proofreaded update-messages ------------------------------------------------------------------- Fri Jan 14 14:38:25 CET 2005 - mc@suse.de -- remove Conflicts: and add Provides: -- add some insserv stuff +- remove Conflicts: and add Provides: +- add some insserv stuff ------------------------------------------------------------------- Thu Jan 13 11:54:01 CET 2005 - mc@suse.de @@ -1821,13 +1892,13 @@ Thu Jan 13 11:54:01 CET 2005 - mc@suse.de Mon Jan 10 12:18:02 CET 2005 - mc@suse.de - update to version 1.3.6 -- fix for: heap buffer overflow in libkadm5srv - [CAN-2004-1189 / MITKRB5-SA-2004-004] +- fix for: heap buffer overflow in libkadm5srv + [CAN-2004-1189 / MITKRB5-SA-2004-004] ------------------------------------------------------------------- Tue Dec 14 15:30:23 CET 2004 - mc@suse.de -- build doc subpackage in an own specfile +- build doc subpackage in an own specfile - removed unnecessary neededforbuild requirements ------------------------------------------------------------------- @@ -1839,7 +1910,7 @@ Wed Nov 24 13:37:53 CET 2004 - coolo@suse.de Mon Nov 15 17:25:56 CET 2004 - mc@suse.de - added Conflicts with heimdal* -- rename some manpages to avoid conflicts +- rename some manpages to avoid conflicts ------------------------------------------------------------------- Thu Nov 4 18:03:11 CET 2004 - mc@suse.de @@ -1853,11 +1924,10 @@ Thu Nov 4 18:03:11 CET 2004 - mc@suse.de Wed Nov 3 18:52:07 CET 2004 - mc@suse.de - add e2fsprogs to NFB -- use system-et and system-ss -- fix includes of com_err.h +- use system-et and system-ss +- fix includes of com_err.h ------------------------------------------------------------------- Thu Oct 28 17:58:41 CEST 2004 - mc@suse.de -- Initital checkin - +- Initital checkin 
diff --git a/krb5.spec b/krb5.spec
index bb28e14..5bf50cf 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package krb5
 #
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -22,22 +22,22 @@
 %endif
 
 Name: krb5
-Url: https://web.mit.edu/kerberos/www/
+Version: 1.17
+Release: 0
+Summary: MIT Kerberos5 implementation
+License: MIT
+Group: Productivity/Networking/Security
+URL: https://web.mit.edu/kerberos/www/
+Obsoletes: krb5-plugin-preauth-pkinit-nss
 BuildRequires: autoconf
 BuildRequires: bison
 BuildRequires: keyutils
 BuildRequires: keyutils-devel
 BuildRequires: libcom_err-devel
-BuildRequires: libselinux-devel
-BuildRequires: ncurses-devel
-Version: 1.16.1
-Release: 0
-Summary: MIT Kerberos5 implementation
-License: MIT
-Group: Productivity/Networking/Security
-Obsoletes: krb5-plugin-preauth-pkinit-nss
 BuildRequires: libopenssl-devel
+BuildRequires: libselinux-devel
 BuildRequires: libverto-devel
+BuildRequires: ncurses-devel
 BuildRequires: openldap2-devel
 BuildRequires: pam-devel
 BuildRequires: pkgconfig(systemd)
@@ -46,22 +46,23 @@ BuildRequires: pkgconfig(systemd)
 Obsoletes: krb5-64bit
 %endif
 Conflicts: krb5-mini
-Source0: https://web.mit.edu/kerberos/dist/krb5/1.16/krb5-%{version}.tar.gz
-Source1: https://web.mit.edu/kerberos/dist/krb5/1.16/krb5-%{version}.tar.gz.asc
+Source0: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}.tar.gz
+Source1: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}.tar.gz.asc
 Source2: krb5.keyring
 Source3: vendor-files.tar.bz2
 Source4: baselibs.conf
 Source5: krb5-rpmlintrc
 Source6: ksu-pam.d
-Patch1: krb5-1.12-pam.patch
-Patch2: krb5-1.9-manpaths.dif
-Patch3: krb5-1.12-buildconf.patch
-Patch4: krb5-1.6.3-gssapi_improve_errormessages.dif
-Patch6: krb5-1.6.3-ktutil-manpage.dif
-Patch8: krb5-1.12-api.patch
-Patch11: krb5-1.12-ksu-path.patch
-Patch12: krb5-1.12-selinux-label.patch
-Patch13: krb5-1.9-debuginfo.patch
+Source7: krb5.tmpfiles
+Patch1: 0001-krb5-1.12-pam.patch
+Patch2: 0002-krb5-1.9-manpaths.patch
+Patch3: 0003-krb5-1.12-buildconf.patch
+Patch4: 0004-krb5-1.6.3-gssapi_improve_errormessages.patch
+Patch5: 0005-krb5-1.6.3-ktutil-manpage.patch
+Patch6: 0006-krb5-1.12-api.patch
+Patch7: 0007-krb5-1.12-ksu-path.patch
+Patch8: 0008-krb5-1.12-selinux-label.patch
+Patch9: 0009-krb5-1.9-debuginfo.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 
 %description
@@ -129,6 +130,15 @@ Kerberos V5 is a trusted-third-party network authentication system,
 which can improve network security by eliminating the insecure
 practice of cleartext passwords. This package includes a OTP plugin.
 
+%package plugin-preauth-spake
+Summary: SPAKE preauthentication plugin for MIT Kerberos5
+Group: Productivity/Networking/Security
+
+%description plugin-preauth-spake
+Kerberos V5 is a trusted-third-party network authentication system,
+which can improve network security by eliminating the insecure
+practice of cleartext passwords. This package includes a SPAKE plugin.
+
 %package doc
 Summary: Documentation for the MIT Kerberos5 implementation
 Group: Documentation/Other
@@ -169,11 +179,11 @@ Include Files for Development
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
+%patch5 -p1
 %patch6 -p1
+%patch7 -p1
 %patch8 -p1
-%patch11 -p1
-%patch12 -p1
-%patch13 -p1
+%patch9 -p1
 
 %build
 # needs to be re-generated
@@ -183,7 +193,7 @@ autoreconf -fi
 DEFCCNAME=DIR:/run/user/%%{uid}/krb5cc; export DEFCCNAME
 ./configure \
 CC="%{__cc}" \
-CFLAGS="$RPM_OPT_FLAGS -I%{_includedir}/et -fno-strict-aliasing -D_GNU_SOURCE -fPIC $(getconf LFS_CFLAGS)" \
+CFLAGS="%{optflags} -I%{_includedir}/et -fno-strict-aliasing -D_GNU_SOURCE -fPIC $(getconf LFS_CFLAGS)" \
 CPPFLAGS="-I%{_includedir}/et " \
 SS_LIB="-lss" \
 --prefix=/usr/lib/mit \
@@ -202,7 +212,7 @@ DEFCCNAME=DIR:/run/user/%%{uid}/krb5cc; export DEFCCNAME
 --with-ldap \
 --with-pam \
 --enable-pkinit \
-	--with-pkinit-crypto-impl=openssl \
+	--with-crypto-impl=openssl \
 --with-selinux \
 --with-system-et \
 --with-system-ss \
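Review bot: `--with-crypto-impl=openssl` in the last hunk selects OpenSSL as the backend for all of libk5crypto, whereas the `--with-pkinit-crypto-impl=openssl` it replaces only governed the PKINIT plugin, so this line changes which library implements the Kerberos encryption types for every krb5 consumer, not merely keeps PKINIT on OpenSSL. If that is intended (libopenssl-devel is already a BuildRequires), a one-line comment above the option, `# libk5crypto uses the system OpenSSL instead of the builtin implementation`, would make the switch explicit for the next reader. The configure invocation starts before this hunk and continues past it.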
@@ -214,25 +224,19 @@ make %{?_smp_mflags} cp man/kadmin.man man/kadmin.local.8 %install - -# Where per-user keytabs live by default. -mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/lib/kerberos/krb5/user -mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/log/krb5 - -cd src -make DESTDIR=%{buildroot} install -cd .. +mkdir -p %{buildroot}/%{_localstatedir}/log/krb5 +%make_install -C src # Munge krb5-config yet again. This is totally wrong for 64-bit, but chunks # of the buildconf patch already conspire to strip out /usr/ from the # list of link flags, and it helps prevent file conflicts on multilib systems. -sed -r -i -e 's|^libdir=/usr/lib(64)?$|libdir=/usr/lib|g' $RPM_BUILD_ROOT/usr/lib/mit/bin/krb5-config +sed -r -i -e 's|^libdir=/usr/lib(64)?$|libdir=/usr/lib|g' %{buildroot}/usr/lib/mit/bin/krb5-config # install autoconf macro mkdir -p %{buildroot}/%{_datadir}/aclocal install -m 644 src/util/ac_check_krb5.m4 %{buildroot}%{_datadir}/aclocal/ # install sample config files # I'll probably do something about this later on -mkdir -p %{buildroot}%{_sysconfdir} %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc +mkdir -p %{buildroot}%{_sysconfdir} mkdir -p %{buildroot}%{_sysconfdir}/krb5.conf.d mkdir -p %{buildroot}/etc/profile.d/ mkdir -p %{buildroot}/var/log/krb5 
@@ -243,13 +247,22 @@ mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/preauth
 mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/libkrb5
 mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/tls
 install -m 644 %{vendorFiles}/krb5.conf %{buildroot}%{_sysconfdir}
-install -m 600 %{vendorFiles}/kdc.conf %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc/
-install -m 600 %{vendorFiles}/kadm5.acl %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc/
-install -m 600 %{vendorFiles}/kadm5.dict %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc/
 install -m 644 %{vendorFiles}/krb5.csh.profile %{buildroot}/etc/profile.d/krb5.csh
 install -m 644 %{vendorFiles}/krb5.sh.profile %{buildroot}/etc/profile.d/krb5.sh
 install -m 644 %{vendorFiles}/SuSEFirewall.kdc %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/kdc
 install -m 644 %{vendorFiles}/SuSEFirewall.kadmind %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/kadmind
+
+# Do not write directly to /var/lib/kerberos anymore as it breaks transactional
+# updates. Use systemd-tmpfiles to copy the files there when it doesn't exist
+install -d -m 0755 %{buildroot}/usr/lib/tmpfiles.d/
+install -m 644 %{SOURCE7} %{buildroot}/usr/lib/tmpfiles.d/krb5.conf
+mkdir -p %{buildroot}/%{_datadir}/kerberos/krb5kdc
+# Where per-user keytabs live by default.
+mkdir -p %{buildroot}/%{_datadir}/kerberos/krb5/user
+install -m 600 %{vendorFiles}/kdc.conf %{buildroot}%{_datadir}/kerberos/krb5kdc/
+install -m 600 %{vendorFiles}/kadm5.acl %{buildroot}%{_datadir}/kerberos/krb5kdc/
+install -m 600 %{vendorFiles}/kadm5.dict %{buildroot}%{_datadir}/kerberos/krb5kdc/
+
 # all libs must have permissions 0755
 for lib in `find %{buildroot}/%{_libdir}/ -type f -name "*.so*"`
 do
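Review bot: The tmpfiles.d location is hardcoded as `/usr/lib/tmpfiles.d/` in the two new `install` lines here, but the matching `%files` entry in the later hunk that lists the unit files is spelled `%{_libexecdir}/tmpfiles.d/krb5.conf`, so the install path and the packaged path only agree because `%{_libexecdir}` happens to expand to /usr/lib on this distribution. The systemd rpm macros the spec already relies on (`%tmpfiles_create`) also define `%{_tmpfilesdir}`; using it in both places keeps them in sync: `install -d -m 0755 %{buildroot}%{_tmpfilesdir}`, `install -m 644 %{SOURCE7} %{buildroot}%{_tmpfilesdir}/krb5.conf`, and `%{_tmpfilesdir}/krb5.conf` in `%files`. The same applies to the `%{_libexecdir}/tmpfiles.d/krb5.conf` line in that later hunk. The new comment would also read more precisely as "copy the files there when they do not exist yet", since that is the `C` semantics krb5.tmpfiles relies on.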
@@ -271,13 +284,13 @@ install -m 755 %{vendorFiles}/krb5kdc.init %{buildroot}%{_sysconfdir}/init.d/krb
 install -m 755 %{vendorFiles}/kpropd.init %{buildroot}%{_sysconfdir}/init.d/kpropd
 %endif
 # install sysconfig templates
-mkdir -p $RPM_BUILD_ROOT/%{_fillupdir}
-install -m 644 %{vendorFiles}/sysconfig.kadmind $RPM_BUILD_ROOT/%{_fillupdir}/
-install -m 644 %{vendorFiles}/sysconfig.krb5kdc $RPM_BUILD_ROOT/%{_fillupdir}/
+mkdir -p %{buildroot}/%{_fillupdir}
+install -m 644 %{vendorFiles}/sysconfig.kadmind %{buildroot}/%{_fillupdir}/
+install -m 644 %{vendorFiles}/sysconfig.krb5kdc %{buildroot}/%{_fillupdir}/
 # install logrotate files
 mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d
 install -m 644 %{vendorFiles}/krb5-server.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/krb5-server
-find . -type f -name '*.ps' -exec gzip -9 {} \;
+find . -type f -name '*.ps' -exec gzip -9 {} +
 # create rc* links
 mkdir -p %{buildroot}/usr/bin/
 mkdir -p %{buildroot}/usr/sbin/
@@ -329,6 +342,7 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so
 
 %post server
 %service_add_post krb5kdc.service kadmind.service kpropd.service
+%tmpfiles_create krb5.conf
 %{fillup_only -n kadmind}
 %{fillup_only -n krb5kdc}
 %{fillup_only -n kpropd}
@@ -406,6 +420,7 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so
 %{_unitdir}/kadmind.service
 %{_unitdir}/krb5kdc.service
 %{_unitdir}/kpropd.service
+%{_libexecdir}/tmpfiles.d/krb5.conf
 %else
 %{_sysconfdir}/init.d/kadmind
 %{_sysconfdir}/init.d/krb5kdc
@@ -414,17 +429,24 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so
 %dir %{krb5docdir}
 %dir /usr/lib/mit
 %dir /usr/lib/mit/sbin
-%dir %{_localstatedir}/lib/kerberos/
-%dir %{_localstatedir}/lib/kerberos/krb5kdc
-%dir %{_localstatedir}/lib/kerberos/krb5
-%dir %{_localstatedir}/lib/kerberos/krb5/user
+%dir %{_datadir}/kerberos/
+%dir %{_datadir}/kerberos/krb5kdc
+%dir %{_datadir}/kerberos/krb5
+%dir %{_datadir}/kerberos/krb5/user
 %dir %{_libdir}/krb5
 %dir %{_libdir}/krb5/plugins
 %dir %{_libdir}/krb5/plugins/kdb
 %dir %{_libdir}/krb5/plugins/tls
-%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kdc.conf
-%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.acl
-%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.dict
+%attr(0600,root,root) %config(noreplace) %{_datadir}/kerberos/krb5kdc/kdc.conf
+%attr(0600,root,root) %config(noreplace) %{_datadir}/kerberos/krb5kdc/kadm5.acl
+%attr(0600,root,root) %config(noreplace) %{_datadir}/kerberos/krb5kdc/kadm5.dict
+%ghost %dir %{_sharedstatedir}/kerberos/
+%ghost %dir %{_sharedstatedir}/kerberos/krb5kdc
+%ghost %dir %{_sharedstatedir}/kerberos/krb5
+%ghost %dir %{_sharedstatedir}/kerberos/krb5/user
+%ghost %attr(0600,root,root) %config(noreplace) %{_sharedstatedir}/kerberos/krb5kdc/kdc.conf
+%ghost %attr(0600,root,root) %config(noreplace) %{_sharedstatedir}/kerberos/krb5kdc/kadm5.acl
+%ghost %attr(0600,root,root) %config(noreplace) %{_sharedstatedir}/kerberos/krb5kdc/kadm5.dict
 %config %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/k*
 %{_fillupdir}/sysconfig.*
 /usr/sbin/rc*
@@ -489,6 +511,7 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so
 %{_mandir}/man5/k5login.5*
 %{_mandir}/man1/ksu.1.gz
 %{_mandir}/man1/sclient.1.gz
+%{_mandir}/man7/kerberos.7.gz
 
 %files plugin-kdb-ldap
 %defattr(-,root,root)
@@ -518,4 +541,11 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so
 %dir %{_libdir}/krb5/plugins/preauth
 %{_libdir}/krb5/plugins/preauth/otp.so
 
+%files plugin-preauth-spake
+%defattr(-,root,root)
+%dir %{_libdir}/krb5
+%dir %{_libdir}/krb5/plugins
+%dir %{_libdir}/krb5/plugins/preauth
+%{_libdir}/krb5/plugins/preauth/spake.so
+
 %changelog
diff --git a/krb5.tmpfiles b/krb5.tmpfiles
new file mode 100644
index 0000000..e5777ec
--- /dev/null
+++ b/krb5.tmpfiles
@@ -0,0 +1,7 @@
+d /var/lib/kerberos 0755 root root -
+d /var/lib/kerberos/krb5 0755 root root -
+d /var/lib/kerberos/krb5/user 0755 root root -
+d /var/lib/kerberos/krb5kdc 0755 root root -
+C /var/lib/kerberos/krb5kdc/kdc.conf 0600 root root - /usr/share/kerberos/krb5kdc/kdc.conf
+C /var/lib/kerberos/krb5kdc/kadm5.acl 0600 root root - /usr/share/kerberos/krb5kdc/kadm5.acl
+C /var/lib/kerberos/krb5kdc/kadm5.dict 0600 root root - /usr/share/kerberos/krb5kdc/kadm5.dict
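Review bot: `d /var/lib/kerberos/krb5kdc 0755 root root -` makes the directory that holds the 0600 `kdc.conf`, `kadm5.acl` and `kadm5.dict` copies world-listable, and in this layout it is presumably also where the vendor kdc.conf points the KDC database and stash file (not visible in this diff — confirm against vendor-files). Since only root-owned KDC daemons need to traverse it, `d /var/lib/kerberos/krb5kdc 0700 root root -` would be the tighter default with no functional cost, while the `krb5` and `krb5/user` directories can stay 0755 if unprivileged processes resolve per-user keytabs there. The `C` entries copy only when the destination is missing, which matches the `%ghost %config(noreplace)` entries in the spec, so administrator edits in /var/lib/kerberos survive upgrades; a header comment stating that intent, `# C: copied once from /usr/share on first boot, never overwritten`, would document why the sources live under /usr/share.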