From d42ae2c82a182ccd7ba41a3547982c55e38720eab0f5dcce65caca905b13673f Mon Sep 17 00:00:00 2001 
From: Marcus Meissner
Date: Wed, 13 Feb 2019 17:01:33 +0000
Subject: [PATCH] Accepting request 670179 from home:scabrero:branches:network

- Upgrade to 1.17. Major changes:
  Administrator experience:
  * A new Kerberos database module using the Lightning Memory-Mapped Database library (LMDB) has been added. The LMDB KDB module should be more performant and more robust than the DB2 module, and may become the default module for new databases in a future release.
  * "kdb5_util dump" will no longer dump policy entries when specific principal names are requested.
  Developer experience:
  * The new krb5_get_etype_info() API can be used to retrieve enctype, salt, and string-to-key parameters from the KDC for a client principal.
  * The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise principal names to be used with GSS-API functions.
  * KDC and kadmind modules which call com_err() will now write to the log file in a format more consistent with other log messages.
  * Programs which use large numbers of memory credential caches should perform better.
  Protocol evolution:
  * The SPAKE pre-authentication mechanism is now supported. This mechanism protects against password dictionary attacks without requiring any additional infrastructure such as certificates. SPAKE is enabled by default on clients, but must be manually enabled on the KDC for this release.
  * PKINIT freshness tokens are now supported. Freshness tokens can protect against scenarios where an attacker uses temporary access to a smart card to generate authentication requests for the future.
  * Password change operations now prefer TCP over UDP, to avoid spurious error messages about replays when a response packet is dropped.
  * The KDC now supports cross-realm S4U2Self requests when used with a third-party KDB module such as Samba's. The client code for cross-realm S4U2Self requests is also now more robust.
  User experience:
  * The new ktutil addent -f flag can be used to fetch salt information from the KDC for password-based keys.
  * The new kdestroy -p option can be used to destroy a credential cache within a collection by client principal name.
  * The Kerberos man page has been restored, and documents the environment variables that affect programs using the Kerberos library.
  Code quality:
  * Python test scripts now use Python 3.
  * Python test scripts now display markers in verbose output, making it easier to find where a failure occurred within the scripts.
  * The Windows build system has been simplified and updated to work with more recent versions of Visual Studio. A large volume of unused Windows-specific code has been removed. Visual Studio 2013 or later is now required.
- Use systemd-tmpfiles to create files under /var/lib/kerberos, required by transactional updates; (bsc#1100126);
- Rename patches:
  * krb5-1.12-pam.patch => 0001-krb5-1.12-pam.patch
  * krb5-1.9-manpaths.dif => 0002-krb5-1.9-manpaths.patch
  * krb5-1.12-buildconf.patch => 0003-krb5-1.12-buildconf.patch
  * krb5-1.6.3-gssapi_improve_errormessages.dif to 0004-krb5-1.6.3-gssapi_improve_errormessages.patch
  * krb5-1.6.3-ktutil-manpage.dif => 0005-krb5-1.6.3-ktutil-manpage.patch
  * krb5-1.12-api.patch => 0006-krb5-1.12-api.patch
  * krb5-1.12-ksu-path.patch => 0007-krb5-1.12-ksu-path.patch
  * krb5-1.12-selinux-label.patch => 0008-krb5-1.12-selinux-label.patch
  * krb5-1.9-debuginfo.patch => 0009-krb5-1.9-debuginfo.patch

- Upgrade to 1.17. Major changes:
  Administrator experience:
  * A new Kerberos database module using the Lightning Memory-Mapped Database library (LMDB) has been added. The LMDB KDB module should be more performant and more robust than the DB2 module, and may become the default module for new databases in a future release.
  * "kdb5_util dump" will no longer dump policy entries when specific principal names are requested.
  Developer experience:
  * The new krb5_get_etype_info() API can be used to retrieve enctype, salt, and string-to-key parameters from the KDC for a client principal.
  * The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise principal names to be used with GSS-API functions.
  * KDC and kadmind modules which call com_err() will now write to the log file in a format more consistent with other log messages.
  * Programs which use large numbers of memory credential caches should perform better.
  Protocol evolution:
  * The SPAKE pre-authentication mechanism is now supported. This mechanism protects against password dictionary attacks without requiring any additional infrastructure such as certificates. SPAKE is enabled by default on clients, but must be manually enabled on the KDC for this release.
  * PKINIT freshness tokens are now supported. Freshness tokens can protect against scenarios where an attacker uses temporary access to a smart card to generate authentication requests for the future.
  * Password change operations now prefer TCP over UDP, to avoid spurious error messages about replays when a response packet is dropped.
  * The KDC now supports cross-realm S4U2Self requests when used with a third-party KDB module such as Samba's. The client code for cross-realm S4U2Self requests is also now more robust.
  User experience:
  * The new ktutil addent -f flag can be used to fetch salt information from the KDC for password-based keys.
  * The new kdestroy -p option can be used to destroy a credential cache within a collection by client principal name.
  * The Kerberos man page has been restored, and documents the environment variables that affect programs using the Kerberos library.
  Code quality:
  * Python test scripts now use Python 3.
  * Python test scripts now display markers in verbose output, making it easier to find where a failure occurred within the scripts.
  * The Windows build system has been simplified and updated to work with more recent versions of Visual Studio. A large volume of unused Windows-specific code has been removed. Visual Studio 2013 or later is now required.
- Use systemd-tmpfiles to create files under /var/lib/kerberos, required by transactional updates; (bsc#1100126);
- Rename patches:
  * krb5-1.12-pam.patch => 0001-krb5-1.12-pam.patch
  * krb5-1.9-manpaths.dif => 0002-krb5-1.9-manpaths.patch
  * krb5-1.12-buildconf.patch => 0003-krb5-1.12-buildconf.patch
  * krb5-1.6.3-gssapi_improve_errormessages.dif to 0004-krb5-1.6.3-gssapi_improve_errormessages.patch
  * krb5-1.6.3-ktutil-manpage.dif => 0005-krb5-1.6.3-ktutil-manpage.patch
  * krb5-1.12-api.patch => 0006-krb5-1.12-api.patch
  * krb5-1.12-ksu-path.patch => 0007-krb5-1.12-ksu-path.patch
  * krb5-1.12-selinux-label.patch => 0008-krb5-1.12-selinux-label.patch
  * krb5-1.9-debuginfo.patch => 0009-krb5-1.9-debuginfo.patch

OBS-URL: https://build.opensuse.org/request/show/670179
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=212
---
 ...1.12-pam.patch => 0001-krb5-1.12-pam.patch | 136 ++--
 0002-krb5-1.9-manpaths.patch                  |  31 +
 ...nf.patch => 0003-krb5-1.12-buildconf.patch |  75 ++-
 ...5-1.6.3-gssapi_improve_errormessages.patch |  26 +
 0005-krb5-1.6.3-ktutil-manpage.patch          |  36 ++
 ...1.12-api.patch => 0006-krb5-1.12-api.patch |  23 +-
 0007-krb5-1.12-ksu-path.patch                 |  27 +
 ...atch => 0008-krb5-1.12-selinux-label.patch | 597 +++++++++---------
 0009-krb5-1.9-debuginfo.patch                 |  44 ++
 krb5-1.12-ksu-path.patch                      |  12 -
 krb5-1.16.1.tar.gz                            |   3 -
 krb5-1.16.1.tar.gz.asc                        |  17 -
 krb5-1.17.tar.gz                              |   3 +
 krb5-1.17.tar.gz.asc                          |  17 +
 krb5-1.6.3-gssapi_improve_errormessages.dif   |  13 -
 krb5-1.6.3-ktutil-manpage.dif                 |  27 -
 krb5-1.9-debuginfo.patch                      |  26 -
 krb5-1.9-manpaths.dif                         |  18 -
 krb5-mini.changes                             |  66 ++
 krb5-mini.spec                                |  78 ++-
 krb5-rpmlintrc                                |   2 +
 krb5.changes                                  |  66 ++
 krb5.spec                                     |  90 ++-
 krb5.tmpfiles                                 |   7 +
 24 files changed, 890 insertions(+), 550 deletions(-)
 rename krb5-1.12-pam.patch => 0001-krb5-1.12-pam.patch (91%)
 create mode 100644 0002-krb5-1.9-manpaths.patch
 rename
krb5-1.12-buildconf.patch => 0003-krb5-1.12-buildconf.patch (68%) create mode 100644 0004-krb5-1.6.3-gssapi_improve_errormessages.patch create mode 100644 0005-krb5-1.6.3-ktutil-manpage.patch rename krb5-1.12-api.patch => 0006-krb5-1.12-api.patch (57%) create mode 100644 0007-krb5-1.12-ksu-path.patch rename krb5-1.12-selinux-label.patch => 0008-krb5-1.12-selinux-label.patch (74%) create mode 100644 0009-krb5-1.9-debuginfo.patch delete mode 100644 krb5-1.12-ksu-path.patch delete mode 100644 krb5-1.16.1.tar.gz delete mode 100644 krb5-1.16.1.tar.gz.asc create mode 100644 krb5-1.17.tar.gz create mode 100644 krb5-1.17.tar.gz.asc delete mode 100644 krb5-1.6.3-gssapi_improve_errormessages.dif delete mode 100644 krb5-1.6.3-ktutil-manpage.dif delete mode 100644 krb5-1.9-debuginfo.patch delete mode 100644 krb5-1.9-manpaths.dif create mode 100644 krb5.tmpfiles diff --git a/krb5-1.12-pam.patch b/0001-krb5-1.12-pam.patch similarity index 91% rename from krb5-1.12-pam.patch rename to 0001-krb5-1.12-pam.patch index 8562128..ee40760 100644 --- a/krb5-1.12-pam.patch +++ b/0001-krb5-1.12-pam.patch @@ -1,3 +1,10 @@ +From 333d843912825435da5c3e62807efb6753946be1 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Mon, 14 Jan 2019 13:05:56 +0100 +Subject: [PATCH 1/9] krb5-1.12-pam + +Import krb5-1.12-pam.patch + Modify ksu so that it performs account and session management on behalf of the target user account, mimicking the action of regular su. The default service name is "ksu", because on Fedora at least the configuration used 
@@ -10,10 +17,22 @@ When enabled, ksu gains a dependency on libpam. Originally RT#5939, though it's changed since then to perform the account and session management before dropping privileges. +--- + src/aclocal.m4 | 67 +++++++ + src/clients/ksu/Makefile.in | 8 +- + src/clients/ksu/main.c | 94 ++++++++- + src/clients/ksu/pam.c | 389 ++++++++++++++++++++++++++++++++++++ + src/clients/ksu/pam.h | 57 ++++++ + src/configure.in | 2 + + 6 files changed, 614 insertions(+), 3 deletions(-) + create mode 100644 src/clients/ksu/pam.c + create mode 100644 src/clients/ksu/pam.h ---- krb5-1.13.orig/src/aclocal.m4 -+++ krb5-1.13/src/aclocal.m4 -@@ -1671,3 +1671,70 @@ AC_DEFUN(KRB5_AC_PERSISTENT_KEYRING,[ +diff --git a/src/aclocal.m4 b/src/aclocal.m4 +index 3752d9bd5..340546d80 100644 +--- a/src/aclocal.m4 ++++ b/src/aclocal.m4 +@@ -1697,3 +1697,70 @@ AC_DEFUN(KRB5_AC_PERSISTENT_KEYRING,[ ])) ])dnl dnl 
@@ -84,8 +103,48 @@ and session management before dropping privileges. +AC_SUBST(PAM_MAN) +AC_SUBST(NON_PAM_MAN) +])dnl ---- krb5-1.13.orig/src/clients/ksu/main.c -+++ krb5-1.13/src/clients/ksu/main.c +diff --git a/src/clients/ksu/Makefile.in b/src/clients/ksu/Makefile.in +index b2fcbf240..5755bb58a 100644 +--- a/src/clients/ksu/Makefile.in ++++ b/src/clients/ksu/Makefile.in +@@ -3,12 +3,14 @@ BUILDTOP=$(REL)..$(S).. + DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"' + + KSU_LIBS=@KSU_LIBS@ ++PAM_LIBS=@PAM_LIBS@ + + SRCS = \ + $(srcdir)/krb_auth_su.c \ + $(srcdir)/ccache.c \ + $(srcdir)/authorization.c \ + $(srcdir)/main.c \ ++ $(srcdir)/pam.c \ + $(srcdir)/heuristic.c \ + $(srcdir)/xmalloc.c \ + $(srcdir)/setenv.c +@@ -17,13 +19,17 @@ OBJS = \ + ccache.o \ + authorization.o \ + main.o \ ++ pam.o \ + heuristic.o \ + xmalloc.o @SETENVOBJ@ + + all: ksu + + ksu: $(OBJS) $(KRB5_BASE_DEPLIBS) +- $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS) ++ $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS) $(PAM_LIBS) ++ ++pam.o: pam.c ++ $(CC) $(ALL_CFLAGS) -c $< + + clean: + $(RM) ksu +diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c +index d9596d948..7a0c7e48b 100644 +--- a/src/clients/ksu/main.c ++++ b/src/clients/ksu/main.c @@ -26,6 +26,7 @@ * KSU was writen by: Ari Medvinsky, ari@isi.edu */ @@ -113,7 +172,7 @@ and session management before dropping privileges. /***********/ #define KS_TEMPORARY_CACHE "MEMORY:_ksu" -@@ -519,6 +525,25 @@ main (argc, argv) +@@ -528,6 +534,25 @@ main (argc, argv) prog_name,target_user,client_name, source_user,ontty()); @@ -139,7 +198,7 @@ and session management before dropping privileges. /* Run authorization as target.*/ if (krb5_seteuid(target_uid)) { com_err(prog_name, errno, _("while switching to target for " -@@ -587,6 +612,26 @@ main (argc, argv) +@@ -596,6 +621,26 @@ main (argc, argv) com_err(prog_name,retval, _("while calling cc_filter")); exit(1); } 
@@ -166,7 +225,7 @@ and session management before dropping privileges. } if (all_rest_copy){ -@@ -636,6 +681,32 @@ main (argc, argv) +@@ -645,6 +690,32 @@ main (argc, argv) exit(1); } @@ -199,7 +258,7 @@ and session management before dropping privileges. /* set permissions */ if (setgid(target_pwd->pw_gid) < 0) { perror("ksu: setgid"); -@@ -733,7 +804,7 @@ main (argc, argv) +@@ -742,7 +813,7 @@ main (argc, argv) fprintf(stderr, "program to be execed %s\n",params[0]); } @@ -208,7 +267,7 @@ and session management before dropping privileges. execv(params[0], params); com_err(prog_name, errno, _("while trying to execv %s"), params[0]); sweep_up(ksu_context, cc_target); -@@ -763,16 +834,35 @@ main (argc, argv) +@@ -772,16 +843,35 @@ main (argc, argv) if (ret_pid == -1) { com_err(prog_name, errno, _("while calling waitpid")); } @@ -245,44 +304,11 @@ and session management before dropping privileges. exit (1); } } ---- krb5-1.15.orig/src/clients/ksu/Makefile.in 2016-12-01 23:31:24.000000000 +0100 -+++ krb5-1.15/src/clients/ksu/Makefile.in 2016-12-03 16:08:50.583613246 +0100 -@@ -3,12 +3,14 @@ - DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"' - - KSU_LIBS=@KSU_LIBS@ -+PAM_LIBS=@PAM_LIBS@ - - SRCS = \ - $(srcdir)/krb_auth_su.c \ - $(srcdir)/ccache.c \ - $(srcdir)/authorization.c \ - $(srcdir)/main.c \ -+ $(srcdir)/pam.c \ - $(srcdir)/heuristic.c \ - $(srcdir)/xmalloc.c \ - $(srcdir)/setenv.c -@@ -17,13 +19,17 @@ - ccache.o \ - authorization.o \ - main.o \ -+ pam.o \ - heuristic.o \ - xmalloc.o @SETENVOBJ@ - - all: ksu - - ksu: $(OBJS) $(KRB5_BASE_DEPLIBS) -- $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS) -+ $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS) $(PAM_LIBS) -+ -+pam.o: pam.c -+ $(CC) $(ALL_CFLAGS) -c $< - - clean: - $(RM) ksu +diff --git a/src/clients/ksu/pam.c b/src/clients/ksu/pam.c +new file mode 100644 +index 000000000..cbfe48704 --- /dev/null -+++ krb5-1.13/src/clients/ksu/pam.c ++++ b/src/clients/ksu/pam.c 
@@ -0,0 +1,389 @@ +/* + * src/clients/ksu/pam.c @@ -673,8 +699,11 @@ and session management before dropping privileges. + return ret; +} +#endif +diff --git a/src/clients/ksu/pam.h b/src/clients/ksu/pam.h +new file mode 100644 +index 000000000..0ab76569c --- /dev/null -+++ krb5-1.13/src/clients/ksu/pam.h ++++ b/src/clients/ksu/pam.h @@ -0,0 +1,57 @@ +/* + * src/clients/ksu/pam.h @@ -733,9 +762,11 @@ and session management before dropping privileges. +int appl_pam_cred_init(void); +void appl_pam_cleanup(void); +#endif ---- krb5-1.13.orig/src/configure.in -+++ krb5-1.13/src/configure.in -@@ -1285,6 +1285,8 @@ AC_SUBST([VERTO_VERSION]) +diff --git a/src/configure.in b/src/configure.in +index 61ef738dc..e9a12ac16 100644 +--- a/src/configure.in ++++ b/src/configure.in +@@ -1352,6 +1352,8 @@ AC_SUBST([VERTO_VERSION]) AC_PATH_PROG(GROFF, groff) @@ -744,3 +775,6 @@ and session management before dropping privileges. # Make localedir work in autoconf 2.5x. if test "${localedir+set}" != set; then localedir='$(datadir)/locale' +-- +2.20.1 + diff --git a/0002-krb5-1.9-manpaths.patch b/0002-krb5-1.9-manpaths.patch new file mode 100644 index 0000000..df9ff03 --- /dev/null +++ b/0002-krb5-1.9-manpaths.patch 
@@ -0,0 +1,31 @@ +From 84aceebf6f76934c5d8fa11b0f7cd662542c286a Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Mon, 14 Jan 2019 13:06:55 +0100 +Subject: [PATCH 2/9] krb5-1.9-manpaths + +Import krb5-1.9-manpaths.dif + +Change the absolute paths included in the man pages so that the correct +values can be dropped in by config.status. After applying this patch, +these files should be renamed to their ".in" counterparts, and then the +configure scripts should be rebuilt. Originally RT#6525 +--- + src/man/kpropd.man | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/man/kpropd.man b/src/man/kpropd.man +index 38daa5e79..a0106ec5f 100644 +--- a/src/man/kpropd.man ++++ b/src/man/kpropd.man +@@ -67,7 +67,7 @@ the \fB/etc/inetd.conf\fP file which looks like this: + .sp + .nf + .ft C +-kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd ++kprop stream tcp nowait root @SBINDIR@/kpropd kpropd + .ft P + .fi + .UNINDENT +-- +2.20.1 + diff --git a/krb5-1.12-buildconf.patch b/0003-krb5-1.12-buildconf.patch similarity index 68% rename from krb5-1.12-buildconf.patch rename to 0003-krb5-1.12-buildconf.patch index 62a7081..a65f0df 100644 --- a/krb5-1.12-buildconf.patch +++ b/0003-krb5-1.12-buildconf.patch 
@@ -1,33 +1,26 @@ +From a04d1b609e0ca89d1ad93faeeafa5b3202cca4df Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Mon, 14 Jan 2019 13:08:07 +0100 +Subject: [PATCH 3/9] krb5-1.12-buildconf + +Import krb5-1.12-buildconf.patch + Build binaries in this package as RELRO PIEs, libraries as partial RELRO, and install shared libraries with the execute bit set on them. Prune out the -L/usr/lib* and PIE flags where they might leak out and affect apps which just want to link with the libraries. FIXME: needs to check and not just assume that the compiler supports using these flags. +--- + src/build-tools/krb5-config.in | 7 +++++++ + src/config/pre.in | 2 +- + src/config/shlib.conf | 5 +++-- + 3 files changed, 11 insertions(+), 3 deletions(-) ---- krb5-1.15.orig/src/config/shlib.conf 2016-12-01 23:31:24.000000000 +0100 -+++ krb5-1.15/src/config/shlib.conf 2016-12-03 16:58:48.378478508 +0100 -@@ -423,7 +423,7 @@ - # Linux ld doesn't default to stuffing the SONAME field... - # Use objdump -x to examine the fields of the library - # UNDEF_CHECK is suppressed by --enable-asan -- LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $(UNDEF_CHECK)' -+ LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $(UNDEF_CHECK) -Wl,-z,relro' - UNDEF_CHECK='-Wl,--no-undefined' - # $(EXPORT_CHECK) runs export-check.pl when in maintainer mode. 
- LDCOMBINE_TAIL='-Wl,--version-script binutils.versions $(EXPORT_CHECK)' -@@ -435,7 +435,8 @@ - SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)' - PROFFLAGS=-pg - PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)' -- CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)' -+ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie -Wl,-z,relro -Wl,-z,now $(LDFLAGS)' -+ INSTALL_SHLIB='${INSTALL} -m755' - CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)' - CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)' - CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)' ---- krb5/src/build-tools/krb5-config.in -+++ krb5/src/build-tools/krb5-config.in -@@ -189,6 +189,13 @@ if test -n "$do_libs"; then +diff --git a/src/build-tools/krb5-config.in b/src/build-tools/krb5-config.in +index f6184da3f..0edf6a1a5 100755 +--- a/src/build-tools/krb5-config.in ++++ b/src/build-tools/krb5-config.in +@@ -225,6 +225,13 @@ if test -n "$do_libs"; then -e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \ -e 's#\$(CFLAGS)##'` @@ -41,9 +34,11 @@ not just assume that the compiler supports using these flags. if test $library = 'kdb'; then lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB" library=krb5 ---- krb5/src/config/pre.in -+++ krb5/src/config/pre.in -@@ -188,7 +188,7 @@ +diff --git a/src/config/pre.in b/src/config/pre.in +index ce87e21ca..164bf8301 100644 +--- a/src/config/pre.in ++++ b/src/config/pre.in +@@ -184,7 +184,7 @@ INSTALL_PROGRAM=@INSTALL_PROGRAM@ $(INSTALL_STRIP) INSTALL_SCRIPT=@INSTALL_PROGRAM@ INSTALL_DATA=@INSTALL_DATA@ INSTALL_SHLIB=@INSTALL_SHLIB@ 
@@ -52,3 +47,29 @@ not just assume that the compiler supports using these flags. ## This is needed because autoconf will sometimes define @exec_prefix@ to be ## ${prefix}. prefix=@prefix@ +diff --git a/src/config/shlib.conf b/src/config/shlib.conf +index 3e4af6c02..a43736137 100644 +--- a/src/config/shlib.conf ++++ b/src/config/shlib.conf +@@ -423,7 +423,7 @@ mips-*-netbsd*) + # Linux ld doesn't default to stuffing the SONAME field... + # Use objdump -x to examine the fields of the library + # UNDEF_CHECK is suppressed by --enable-asan +- LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $(UNDEF_CHECK)' ++ LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $(UNDEF_CHECK) -Wl,-z,relro' + UNDEF_CHECK='-Wl,--no-undefined' + # $(EXPORT_CHECK) runs export-check.pl when in maintainer mode. + LDCOMBINE_TAIL='-Wl,--version-script binutils.versions $(EXPORT_CHECK)' +@@ -435,7 +435,8 @@ mips-*-netbsd*) + SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)' + PROFFLAGS=-pg + PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)' +- CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)' ++ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie -Wl,-z,relro -Wl,-z,now $(LDFLAGS)' ++ INSTALL_SHLIB='${INSTALL} -m755' + CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)' + CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)' + CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)' +-- +2.20.1 + diff --git a/0004-krb5-1.6.3-gssapi_improve_errormessages.patch b/0004-krb5-1.6.3-gssapi_improve_errormessages.patch new file mode 100644 index 0000000..77cf086 --- /dev/null +++ b/0004-krb5-1.6.3-gssapi_improve_errormessages.patch 
@@ -0,0 +1,26 @@ +From 3cdd9863a1a7a9a004f3d75e32136bb0be26a32b Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Mon, 14 Jan 2019 13:09:05 +0100 +Subject: [PATCH 4/9] krb5-1.6.3-gssapi_improve_errormessages + +Import krb5-1.6.3-gssapi_improve_errormessages.dif +--- + src/lib/gssapi/generic/disp_com_err_status.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/lib/gssapi/generic/disp_com_err_status.c b/src/lib/gssapi/generic/disp_com_err_status.c +index bc416107e..22612f970 100644 +--- a/src/lib/gssapi/generic/disp_com_err_status.c ++++ b/src/lib/gssapi/generic/disp_com_err_status.c +@@ -52,7 +52,7 @@ g_display_com_err_status(OM_uint32 *minor_status, OM_uint32 status_value, + status_string->value = NULL; + + if (! g_make_string_buffer(((status_value == 0)?no_error: +- error_message(status_value)), ++ error_message((long)status_value)), + status_string)) { + *minor_status = ENOMEM; + return(GSS_S_FAILURE); +-- +2.20.1 + diff --git a/0005-krb5-1.6.3-ktutil-manpage.patch b/0005-krb5-1.6.3-ktutil-manpage.patch new file mode 100644 index 0000000..a414f48 --- /dev/null +++ b/0005-krb5-1.6.3-ktutil-manpage.patch 
@@ -0,0 +1,36 @@ +From af0fe879800e72101b6d306c1b510880aec7cdaa Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Mon, 14 Jan 2019 13:14:47 +0100 +Subject: [PATCH 5/9] krb5-1.6.3-ktutil-manpage + +Import krb5-1.6.3-ktutil-manpage.dif +--- + src/man/ktutil.man | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/src/man/ktutil.man b/src/man/ktutil.man +index 4e174c0fe..f6d6ae814 100644 +--- a/src/man/ktutil.man ++++ b/src/man/ktutil.man +@@ -171,6 +171,18 @@ ktutil: + .sp + See kerberos(7) for a description of Kerberos environment + variables. ++.SH REMARKS ++Changes to the keytab are appended to the keytab file (i.e., the keytab file ++is never overwritten). To directly modify a keytab, save the changes to a ++temporary file and then overwrite the keytab file of interest. ++.TP ++.nf ++Example: ++ktutil> rkt /etc/krb5.keytab ++(modifications to keytab) ++ktutil> wkt /tmp/krb5.newtab ++ktutil> q ++# mv /tmp/krb5.newtab /etc/krb5.keytab + .SH SEE ALSO + .sp + kadmin(1), kdb5_util(8), kerberos(7) +-- +2.20.1 + diff --git a/krb5-1.12-api.patch b/0006-krb5-1.12-api.patch similarity index 57% rename from krb5-1.12-api.patch rename to 0006-krb5-1.12-api.patch index d059432..5ee0bb3 100644 --- a/krb5-1.12-api.patch +++ b/0006-krb5-1.12-api.patch 
@@ -1,10 +1,22 @@ +From 70039109cc843f4958e89fd674d098c7c89affa8 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Mon, 14 Jan 2019 13:15:50 +0100 +Subject: [PATCH 6/9] krb5-1.12-api + +Import krb5-1.12-api.patch + Reference docs don't define what happens if you call krb5_realm_compare() with malformed krb5_principal structures. Define a behavior which keeps it from crashing if applications don't check ahead of time. +--- + src/lib/krb5/krb/princ_comp.c | 7 +++++++ + 1 file changed, 7 insertions(+) ---- krb5/src/lib/krb5/krb/princ_comp.c -+++ krb5/src/lib/krb5/krb/princ_comp.c -@@ -41,6 +41,10 @@ realm_compare_flags(krb5_context context +diff --git a/src/lib/krb5/krb/princ_comp.c b/src/lib/krb5/krb/princ_comp.c +index a6936107d..0ed78833b 100644 +--- a/src/lib/krb5/krb/princ_comp.c ++++ b/src/lib/krb5/krb/princ_comp.c +@@ -36,6 +36,10 @@ realm_compare_flags(krb5_context context, const krb5_data *realm1 = &princ1->realm; const krb5_data *realm2 = &princ2->realm; @@ -15,7 +27,7 @@ crashing if applications don't check ahead of time. if (realm1->length != realm2->length) return FALSE; if (realm1->length == 0) -@@ -92,6 +98,9 @@ krb5_principal_compare_flags(krb5_contex +@@ -88,6 +92,9 @@ krb5_principal_compare_flags(krb5_context context, krb5_principal upn2 = NULL; krb5_boolean ret = FALSE; @@ -25,3 +37,6 @@ crashing if applications don't check ahead of time. if (flags & KRB5_PRINCIPAL_COMPARE_ENTERPRISE) { /* Treat UPNs as if they were real principals */ if (princ1->type == KRB5_NT_ENTERPRISE_PRINCIPAL) { +-- +2.20.1 + diff --git a/0007-krb5-1.12-ksu-path.patch b/0007-krb5-1.12-ksu-path.patch new file mode 100644 index 0000000..d673157 --- /dev/null +++ b/0007-krb5-1.12-ksu-path.patch 
@@ -0,0 +1,27 @@ +From 2af2add95fdd3973437cd0ce5ca1794afb461227 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Mon, 14 Jan 2019 13:16:29 +0100 +Subject: [PATCH 7/9] krb5-1.12-ksu + +Import krb5-1.12-ksu-path.patch + +Set the default PATH to the one set by login. +--- + src/clients/ksu/Makefile.in | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/clients/ksu/Makefile.in b/src/clients/ksu/Makefile.in +index 5755bb58a..9d58f29b5 100644 +--- a/src/clients/ksu/Makefile.in ++++ b/src/clients/ksu/Makefile.in +@@ -1,6 +1,6 @@ + mydir=clients$(S)ksu + BUILDTOP=$(REL)..$(S).. +-DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"' ++DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/usr/local/sbin /usr/local/bin /sbin /bin /usr/sbin /usr/bin"' + + KSU_LIBS=@KSU_LIBS@ + PAM_LIBS=@PAM_LIBS@ +-- +2.20.1 + diff --git a/krb5-1.12-selinux-label.patch b/0008-krb5-1.12-selinux-label.patch similarity index 74% rename from krb5-1.12-selinux-label.patch rename to 0008-krb5-1.12-selinux-label.patch index 1e2616b..64e7294 100644 --- a/krb5-1.12-selinux-label.patch +++ b/0008-krb5-1.12-selinux-label.patch @@ -1,3 +1,10 @@ +From e079ae26bbec6bce74e09a980d734fa886ee93b0 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Mon, 14 Jan 2019 13:17:28 +0100 +Subject: [PATCH 8/9] krb5-1.12-selinux-label + +Import krb5-1.12-selinux-label.patch + SELinux bases access to files on the domain of the requesting process, the operation being performed, and the context applied to the file. 
@@ -30,11 +37,39 @@ stomp all over us. The selabel APIs for looking up the context should be thread-safe (per Red Hat #273081), so switching to using them instead of matchpathcon(), which we used earlier, is some improvement. +--- + src/aclocal.m4 | 49 +++ + src/build-tools/krb5-config.in | 3 +- + src/config/pre.in | 3 +- + src/configure.in | 2 + + src/include/k5-int.h | 1 + + src/include/k5-label.h | 32 ++ + src/include/krb5/krb5.hin | 6 + + src/kadmin/dbutil/dump.c | 11 +- + src/kdc/main.c | 2 +- + src/lib/kadm5/logger.c | 4 +- + src/lib/kdb/kdb_log.c | 2 +- + src/lib/krb5/ccache/cc_dir.c | 26 +- + src/lib/krb5/keytab/kt_file.c | 4 +- + src/lib/krb5/os/trace.c | 2 +- + src/lib/krb5/rcache/rc_dfl.c | 13 + + src/plugins/kdb/db2/adb_openclose.c | 2 +- + src/plugins/kdb/db2/kdb_db2.c | 4 +- + src/plugins/kdb/db2/libdb2/btree/bt_open.c | 3 +- + src/plugins/kdb/db2/libdb2/hash/hash.c | 3 +- + src/plugins/kdb/db2/libdb2/recno/rec_open.c | 4 +- + .../kdb/ldap/ldap_util/kdb5_ldap_services.c | 11 +- + src/util/profile/prof_file.c | 3 +- + src/util/support/Makefile.in | 3 +- + src/util/support/selinux.c | 381 ++++++++++++++++++ + 24 files changed, 553 insertions(+), 21 deletions(-) + create mode 100644 src/include/k5-label.h + create mode 100644 src/util/support/selinux.c -Index: krb5-1.16.1/src/aclocal.m4 -=================================================================== ---- krb5-1.16.1.orig/src/aclocal.m4 -+++ krb5-1.16.1/src/aclocal.m4 +diff --git a/src/aclocal.m4 b/src/aclocal.m4 +index 340546d80..4440ec5f8 100644 +--- a/src/aclocal.m4 ++++ b/src/aclocal.m4 @@ -89,6 +89,7 @@ AC_SUBST_FILE(libnodeps_frag) dnl KRB5_AC_PRAGMA_WEAK_REF @@ -43,7 +78,7 @@ Index: krb5-1.16.1/src/aclocal.m4 KRB5_LIB_PARAMS KRB5_AC_INITFINI KRB5_AC_ENABLE_THREADS -@@ -1763,3 +1764,51 @@ AC_SUBST(PAM_LIBS) +@@ -1764,3 +1765,51 @@ AC_SUBST(PAM_LIBS) AC_SUBST(PAM_MAN) AC_SUBST(NON_PAM_MAN) ])dnl 
@@ -95,10 +130,31 @@ Index: krb5-1.16.1/src/aclocal.m4 +LIBS="$old_LIBS" +AC_SUBST(SELINUX_LIBS) +])dnl -Index: krb5-1.16.1/src/config/pre.in -=================================================================== ---- krb5-1.16.1.orig/src/config/pre.in -+++ krb5-1.16.1/src/config/pre.in +diff --git a/src/build-tools/krb5-config.in b/src/build-tools/krb5-config.in +index 0edf6a1a5..1891dea99 100755 +--- a/src/build-tools/krb5-config.in ++++ b/src/build-tools/krb5-config.in +@@ -41,6 +41,7 @@ DL_LIB='@DL_LIB@' + DEFCCNAME='@DEFCCNAME@' + DEFKTNAME='@DEFKTNAME@' + DEFCKTNAME='@DEFCKTNAME@' ++SELINUX_LIBS='@SELINUX_LIBS@' + + LIBS='@LIBS@' + GEN_LIB=@GEN_LIB@ +@@ -262,7 +263,7 @@ if test -n "$do_libs"; then + fi + + # If we ever support a flag to generate output suitable for static +- # linking, we would output "-lkrb5support $GEN_LIB $LIBS $DL_LIB" ++ # linking, we would output "-lkrb5support $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB" + # here. + + echo $lib_flags +diff --git a/src/config/pre.in b/src/config/pre.in +index 164bf8301..a8540ae2a 100644 +--- a/src/config/pre.in ++++ b/src/config/pre.in @@ -177,6 +177,7 @@ LD = $(PURE) @LD@ KRB_INCLUDES = -I$(BUILDTOP)/include -I$(top_srcdir)/include LDFLAGS = @LDFLAGS@ @@ -107,7 +163,7 @@ Index: krb5-1.16.1/src/config/pre.in INSTALL=@INSTALL@ INSTALL_STRIP= -@@ -399,7 +400,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME) +@@ -402,7 +403,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME) # HESIOD_LIBS is -lhesiod... HESIOD_LIBS = @HESIOD_LIBS@ 
@@ -116,11 +172,11 @@ Index: krb5-1.16.1/src/config/pre.in KDB5_LIBS = $(KDB5_LIB) $(GSSRPC_LIBS) GSS_LIBS = $(GSS_KRB5_LIB) # needs fixing if ever used on macOS! -Index: krb5-1.16.1/src/configure.in -=================================================================== ---- krb5-1.16.1.orig/src/configure.in -+++ krb5-1.16.1/src/configure.in -@@ -1308,6 +1308,8 @@ AC_PATH_PROG(GROFF, groff) +diff --git a/src/configure.in b/src/configure.in +index e9a12ac16..93aec682e 100644 +--- a/src/configure.in ++++ b/src/configure.in +@@ -1354,6 +1354,8 @@ AC_PATH_PROG(GROFF, groff) KRB5_WITH_PAM @@ -129,10 +185,10 @@ Index: krb5-1.16.1/src/configure.in # Make localedir work in autoconf 2.5x. if test "${localedir+set}" != set; then localedir='$(datadir)/locale' -Index: krb5-1.16.1/src/include/k5-int.h -=================================================================== ---- krb5-1.16.1.orig/src/include/k5-int.h -+++ krb5-1.16.1/src/include/k5-int.h +diff --git a/src/include/k5-int.h b/src/include/k5-int.h +index 652242207..7190a8f55 100644 +--- a/src/include/k5-int.h ++++ b/src/include/k5-int.h @@ -126,6 +126,7 @@ typedef unsigned char u_char; #endif /* HAVE_SYS_TYPES_H */ #endif /* KRB5_SYSTYPES__ */ @@ -141,10 +197,11 @@ Index: krb5-1.16.1/src/include/k5-int.h #include "k5-platform.h" -Index: krb5-1.16.1/src/include/k5-label.h -=================================================================== +diff --git a/src/include/k5-label.h b/src/include/k5-label.h +new file mode 100644 +index 000000000..dfaaa847c --- /dev/null -+++ krb5-1.16.1/src/include/k5-label.h ++++ b/src/include/k5-label.h @@ -0,0 +1,32 @@ +#ifndef _KRB5_LABEL_H +#define _KRB5_LABEL_H 
@@ -178,10 +235,10 @@ Index: krb5-1.16.1/src/include/k5-label.h +#define THREEPARAMOPEN(x,y,z) open(x,y,z) +#endif +#endif -Index: krb5-1.16.1/src/include/krb5/krb5.hin -=================================================================== ---- krb5-1.16.1.orig/src/include/krb5/krb5.hin -+++ krb5-1.16.1/src/include/krb5/krb5.hin +diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin +index c40a6cca8..3ff86d7ff 100644 +--- a/src/include/krb5/krb5.hin ++++ b/src/include/krb5/krb5.hin @@ -87,6 +87,12 @@ #define THREEPARAMOPEN(x,y,z) open(x,y,z) #endif @@ -195,11 +252,11 @@ Index: krb5-1.16.1/src/include/krb5/krb5.hin #define KRB5_OLD_CRYPTO #include -Index: krb5-1.16.1/src/kadmin/dbutil/dump.c -=================================================================== ---- krb5-1.16.1.orig/src/kadmin/dbutil/dump.c -+++ krb5-1.16.1/src/kadmin/dbutil/dump.c -@@ -148,12 +148,21 @@ create_ofile(char *ofile, char **tmpname +diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c +index c9574c6e1..8301a33d0 100644 +--- a/src/kadmin/dbutil/dump.c ++++ b/src/kadmin/dbutil/dump.c +@@ -148,12 +148,21 @@ create_ofile(char *ofile, char **tmpname) { int fd = -1; FILE *f; 
@@ -221,41 +278,33 @@ Index: krb5-1.16.1/src/kadmin/dbutil/dump.c if (fd == -1) goto error; -@@ -194,7 +203,7 @@ prep_ok_file(krb5_context context, char - return 0; +@@ -197,7 +206,7 @@ prep_ok_file(krb5_context context, char *file_name, int *fd_out) + goto cleanup; } -- *fd = open(file_ok, O_WRONLY | O_CREAT | O_TRUNC, 0600); -+ *fd = THREEPARAMOPEN(file_ok, O_WRONLY | O_CREAT | O_TRUNC, 0600); - if (*fd == -1) { +- fd = open(file_ok, O_WRONLY | O_CREAT | O_TRUNC, 0600); ++ fd = THREEPARAMOPEN(file_ok, O_WRONLY | O_CREAT | O_TRUNC, 0600); + if (fd == -1) { com_err(progname, errno, _("while creating 'ok' file, '%s'"), file_ok); - exit_status++; -Index: krb5-1.16.1/src/build-tools/krb5-config.in -=================================================================== ---- krb5-1.16.1.orig/src/build-tools/krb5-config.in -+++ krb5-1.16.1/src/build-tools/krb5-config.in -@@ -41,6 +41,7 @@ DL_LIB='@DL_LIB@' - DEFCCNAME='@DEFCCNAME@' - DEFKTNAME='@DEFKTNAME@' - DEFCKTNAME='@DEFCKTNAME@' -+SELINUX_LIBS='@SELINUX_LIBS@' + goto cleanup; +diff --git a/src/kdc/main.c b/src/kdc/main.c +index 408c723f5..663fd6303 100644 +--- a/src/kdc/main.c ++++ b/src/kdc/main.c +@@ -858,7 +858,7 @@ write_pid_file(const char *path) + FILE *file; + unsigned long pid; - LIBS='@LIBS@' - GEN_LIB=@GEN_LIB@ -@@ -262,7 +263,7 @@ if test -n "$do_libs"; then - fi - - # If we ever support a flag to generate output suitable for static -- # linking, we would output "-lkrb5support $GEN_LIB $LIBS $DL_LIB" -+ # linking, we would output "-lkrb5support $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB" - # here. 
- - echo $lib_flags -Index: krb5-1.16.1/src/lib/kadm5/logger.c -=================================================================== ---- krb5-1.16.1.orig/src/lib/kadm5/logger.c -+++ krb5-1.16.1/src/lib/kadm5/logger.c -@@ -414,7 +414,7 @@ krb5_klog_init(krb5_context kcontext, ch +- file = fopen(path, "w"); ++ file = WRITABLEFOPEN(path, "w"); + if (file == NULL) + return errno; + pid = (unsigned long) getpid(); +diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c +index c6885edf2..9aec3c05e 100644 +--- a/src/lib/kadm5/logger.c ++++ b/src/lib/kadm5/logger.c +@@ -309,7 +309,7 @@ krb5_klog_init(krb5_context kcontext, char *ename, char *whoami, krb5_boolean do */ append = (cp[4] == ':') ? O_APPEND : 0; if (append || cp[4] == '=') { @@ -264,7 +313,7 @@ Index: krb5-1.16.1/src/lib/kadm5/logger.c S_IRUSR | S_IWUSR | S_IRGRP); if (fd != -1) f = fdopen(fd, append ? "a" : "w"); -@@ -918,7 +918,7 @@ krb5_klog_reopen(krb5_context kcontext) +@@ -776,7 +776,7 @@ krb5_klog_reopen(krb5_context kcontext) * In case the old logfile did not get moved out of the * way, open for append to prevent squashing the old logs. */ 
@@ -273,11 +322,74 @@ Index: krb5-1.16.1/src/lib/kadm5/logger.c if (f) { set_cloexec_file(f); log_control.log_entries[lindex].lfu_filep = f; -Index: krb5-1.16.1/src/lib/krb5/keytab/kt_file.c -=================================================================== ---- krb5-1.16.1.orig/src/lib/krb5/keytab/kt_file.c -+++ krb5-1.16.1/src/lib/krb5/keytab/kt_file.c -@@ -1024,14 +1024,14 @@ krb5_ktfileint_open(krb5_context context +diff --git a/src/lib/kdb/kdb_log.c b/src/lib/kdb/kdb_log.c +index 2659a2501..a1cd38f4c 100644 +--- a/src/lib/kdb/kdb_log.c ++++ b/src/lib/kdb/kdb_log.c +@@ -491,7 +491,7 @@ ulog_map(krb5_context context, const char *logname, uint32_t ulogentries) + if (retval) + goto cleanup; + } else { +- log_ctx->ulogfd = open(logname, O_RDWR, 0600); ++ log_ctx->ulogfd = THREEPARAMOPEN(logname, O_RDWR | O_CREAT, 0600); + if (log_ctx->ulogfd == -1) { + retval = errno; + goto cleanup; +diff --git a/src/lib/krb5/ccache/cc_dir.c b/src/lib/krb5/ccache/cc_dir.c +index bba64e516..73f0fe62d 100644 +--- a/src/lib/krb5/ccache/cc_dir.c ++++ b/src/lib/krb5/ccache/cc_dir.c +@@ -183,10 +183,19 @@ write_primary_file(const char *primary_path, const char *contents) + char *newpath = NULL; + FILE *fp = NULL; + int fd = -1, status; ++#ifdef USE_SELINUX ++ void *selabel; ++#endif + + if (asprintf(&newpath, "%s.XXXXXX", primary_path) < 0) + return ENOMEM; ++#ifdef USE_SELINUX ++ selabel = krb5int_push_fscreatecon_for(primary_path); ++#endif + fd = mkstemp(newpath); ++#ifdef USE_SELINUX ++ krb5int_pop_fscreatecon(selabel); ++#endif + if (fd < 0) + goto cleanup; + #ifdef HAVE_CHMOD +@@ -221,10 +230,23 @@ static krb5_error_code + verify_dir(krb5_context context, const char *dirname) + { + struct stat st; ++ int status; ++#ifdef USE_SELINUX ++ void *selabel; ++#endif + + if (stat(dirname, &st) < 0) { +- if (errno == ENOENT && mkdir(dirname, S_IRWXU) == 0) +- return 0; ++ if (errno == ENOENT) { ++#ifdef USE_SELINUX ++ selabel = krb5int_push_fscreatecon_for(dirname); ++#endif ++ status = 
mkdir(dirname, S_IRWXU); ++#ifdef USE_SELINUX ++ krb5int_pop_fscreatecon(selabel); ++#endif ++ if (status == 0) ++ return 0; ++ } + k5_setmsg(context, KRB5_FCC_NOFILE, + _("Credential cache directory %s does not exist"), + dirname); +diff --git a/src/lib/krb5/keytab/kt_file.c b/src/lib/krb5/keytab/kt_file.c +index 89cb68680..21c80d419 100644 +--- a/src/lib/krb5/keytab/kt_file.c ++++ b/src/lib/krb5/keytab/kt_file.c +@@ -1024,14 +1024,14 @@ krb5_ktfileint_open(krb5_context context, krb5_keytab id, int mode) KTCHECKLOCK(id); errno = 0; 
@@ -294,11 +406,56 @@ Index: krb5-1.16.1/src/lib/krb5/keytab/kt_file.c if (!KTFILEP(id)) goto report_errno; writevno = 1; -Index: krb5-1.16.1/src/plugins/kdb/db2/adb_openclose.c -=================================================================== ---- krb5-1.16.1.orig/src/plugins/kdb/db2/adb_openclose.c -+++ krb5-1.16.1/src/plugins/kdb/db2/adb_openclose.c -@@ -152,7 +152,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char +diff --git a/src/lib/krb5/os/trace.c b/src/lib/krb5/os/trace.c +index 4fff8f38c..40a9e7b10 100644 +--- a/src/lib/krb5/os/trace.c ++++ b/src/lib/krb5/os/trace.c +@@ -458,7 +458,7 @@ krb5_set_trace_filename(krb5_context context, const char *filename) + fd = malloc(sizeof(*fd)); + if (fd == NULL) + return ENOMEM; +- *fd = open(filename, O_WRONLY|O_CREAT|O_APPEND, 0600); ++ *fd = THREEPARAMOPEN(filename, O_WRONLY|O_CREAT|O_APPEND, 0600); + if (*fd == -1) { + free(fd); + return errno; +diff --git a/src/lib/krb5/rcache/rc_dfl.c b/src/lib/krb5/rcache/rc_dfl.c +index 1e0cb22c9..f5e93b1ab 100644 +--- a/src/lib/krb5/rcache/rc_dfl.c ++++ b/src/lib/krb5/rcache/rc_dfl.c +@@ -793,6 +793,9 @@ krb5_rc_dfl_expunge_locked(krb5_context context, krb5_rcache id) + krb5_error_code retval = 0; + krb5_rcache tmp; + krb5_deltat lifespan = t->lifespan; /* save original lifespan */ ++#ifdef USE_SELINUX ++ void *selabel; ++#endif + + if (! 
t->recovering) { + name = t->name; +@@ -814,7 +817,17 @@ krb5_rc_dfl_expunge_locked(krb5_context context, krb5_rcache id) + retval = krb5_rc_resolve(context, tmp, 0); + if (retval) + goto cleanup; ++#ifdef USE_SELINUX ++ if (t->d.fn != NULL) ++ selabel = krb5int_push_fscreatecon_for(t->d.fn); ++ else ++ selabel = NULL; ++#endif + retval = krb5_rc_initialize(context, tmp, lifespan); ++#ifdef USE_SELINUX ++ if (selabel != NULL) ++ krb5int_pop_fscreatecon(selabel); ++#endif + if (retval) + goto cleanup; + for (q = t->a; q; q = q->na) { +diff --git a/src/plugins/kdb/db2/adb_openclose.c b/src/plugins/kdb/db2/adb_openclose.c +index 7db30a33b..2b9d01921 100644 +--- a/src/plugins/kdb/db2/adb_openclose.c ++++ b/src/plugins/kdb/db2/adb_openclose.c +@@ -152,7 +152,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char *filename, char *lockfilename, * needs be open read/write so that write locking can work with * POSIX systems */ 
@@ -307,11 +464,26 @@ Index: krb5-1.16.1/src/plugins/kdb/db2/adb_openclose.c /* * maybe someone took away write permission so we could only * get shared locks? -Index: krb5-1.16.1/src/plugins/kdb/db2/libdb2/btree/bt_open.c -=================================================================== ---- krb5-1.16.1.orig/src/plugins/kdb/db2/libdb2/btree/bt_open.c -+++ krb5-1.16.1/src/plugins/kdb/db2/libdb2/btree/bt_open.c -@@ -60,6 +60,7 @@ static char sccsid[] = "@(#)bt_open.c 8. +diff --git a/src/plugins/kdb/db2/kdb_db2.c b/src/plugins/kdb/db2/kdb_db2.c +index 5106a5c99..e481e8121 100644 +--- a/src/plugins/kdb/db2/kdb_db2.c ++++ b/src/plugins/kdb/db2/kdb_db2.c +@@ -694,8 +694,8 @@ ctx_create_db(krb5_context context, krb5_db2_context *dbc) + if (retval) + return retval; + +- dbc->db_lf_file = open(dbc->db_lf_name, O_CREAT | O_RDWR | O_TRUNC, +- 0600); ++ dbc->db_lf_file = THREEPARAMOPEN(dbc->db_lf_name, ++ O_CREAT | O_RDWR | O_TRUNC, 0600); + if (dbc->db_lf_file < 0) { + retval = errno; + goto cleanup; +diff --git a/src/plugins/kdb/db2/libdb2/btree/bt_open.c b/src/plugins/kdb/db2/libdb2/btree/bt_open.c +index 2977b17f3..d5809a5a9 100644 +--- a/src/plugins/kdb/db2/libdb2/btree/bt_open.c ++++ b/src/plugins/kdb/db2/libdb2/btree/bt_open.c +@@ -60,6 +60,7 @@ static char sccsid[] = "@(#)bt_open.c 8.11 (Berkeley) 11/2/95"; #include #include @@ -319,7 +491,7 @@ Index: krb5-1.16.1/src/plugins/kdb/db2/libdb2/btree/bt_open.c #include "db-int.h" #include "btree.h" -@@ -203,7 +204,7 @@ __bt_open(fname, flags, mode, openinfo, +@@ -203,7 +204,7 @@ __bt_open(fname, flags, mode, openinfo, dflags) goto einval; } 
@@ -328,11 +500,11 @@ Index: krb5-1.16.1/src/plugins/kdb/db2/libdb2/btree/bt_open.c goto err; } else { -Index: krb5-1.16.1/src/plugins/kdb/db2/libdb2/hash/hash.c -=================================================================== ---- krb5-1.16.1.orig/src/plugins/kdb/db2/libdb2/hash/hash.c -+++ krb5-1.16.1/src/plugins/kdb/db2/libdb2/hash/hash.c -@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)hash.c 8.12 +diff --git a/src/plugins/kdb/db2/libdb2/hash/hash.c b/src/plugins/kdb/db2/libdb2/hash/hash.c +index 862dbb164..686a960c9 100644 +--- a/src/plugins/kdb/db2/libdb2/hash/hash.c ++++ b/src/plugins/kdb/db2/libdb2/hash/hash.c +@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)hash.c 8.12 (Berkeley) 11/7/95"; #include #endif @@ -340,7 +512,7 @@ Index: krb5-1.16.1/src/plugins/kdb/db2/libdb2/hash/hash.c #include "db-int.h" #include "hash.h" #include "page.h" -@@ -129,7 +130,7 @@ __kdb2_hash_open(file, flags, mode, info +@@ -129,7 +130,7 @@ __kdb2_hash_open(file, flags, mode, info, dflags) new_table = 1; } if (file) { 
@@ -349,11 +521,33 @@ Index: krb5-1.16.1/src/plugins/kdb/db2/libdb2/hash/hash.c RETURN_ERROR(errno, error0); (void)fcntl(hashp->fp, F_SETFD, 1); } -Index: krb5-1.16.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c -=================================================================== ---- krb5-1.16.1.orig/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c -+++ krb5-1.16.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c -@@ -203,7 +203,7 @@ kdb5_ldap_stash_service_password(int arg +diff --git a/src/plugins/kdb/db2/libdb2/recno/rec_open.c b/src/plugins/kdb/db2/libdb2/recno/rec_open.c +index d8b26e701..b0daa7c02 100644 +--- a/src/plugins/kdb/db2/libdb2/recno/rec_open.c ++++ b/src/plugins/kdb/db2/libdb2/recno/rec_open.c +@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)rec_open.c 8.12 (Berkeley) 11/18/94"; + #include + #include + ++#include "k5-int.h" + #include "db-int.h" + #include "recno.h" + +@@ -68,7 +69,8 @@ __rec_open(fname, flags, mode, openinfo, dflags) + int rfd = -1, sverrno; + + /* Open the user's file -- if this fails, we're done. */ +- if (fname != NULL && (rfd = open(fname, flags | O_BINARY, mode)) < 0) ++ if (fname != NULL && ++ (rfd = THREEPARAMOPEN(fname, flags | O_BINARY, mode)) < 0) + return (NULL); + + if (fname != NULL && fcntl(rfd, F_SETFD, 1) == -1) { +diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c +index 1ed72afe9..ce038fc3d 100644 +--- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c ++++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c +@@ -194,7 +194,7 @@ kdb5_ldap_stash_service_password(int argc, char **argv) /* set password in the file */ old_mode = umask(0177); 
@@ -362,7 +556,7 @@ Index: krb5-1.16.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c if (pfile == NULL) { com_err(me, errno, _("Failed to open file %s: %s"), file_name, strerror (errno)); -@@ -244,6 +244,9 @@ kdb5_ldap_stash_service_password(int arg +@@ -235,6 +235,9 @@ kdb5_ldap_stash_service_password(int argc, char **argv) * Delete the existing entry and add the new entry */ FILE *newfile; @@ -372,7 +566,7 @@ Index: krb5-1.16.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c mode_t omask; -@@ -255,7 +258,13 @@ kdb5_ldap_stash_service_password(int arg +@@ -246,7 +249,13 @@ kdb5_ldap_stash_service_password(int argc, char **argv) } omask = umask(077); @@ -386,10 +580,10 @@ Index: krb5-1.16.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c umask (omask); if (newfile == NULL) { com_err(me, errno, _("Error creating file %s"), tmp_file); -Index: krb5-1.16.1/src/util/profile/prof_file.c -=================================================================== ---- krb5-1.16.1.orig/src/util/profile/prof_file.c -+++ krb5-1.16.1/src/util/profile/prof_file.c +diff --git a/src/util/profile/prof_file.c b/src/util/profile/prof_file.c +index 24e41fb80..0dcb6b543 100644 +--- a/src/util/profile/prof_file.c ++++ b/src/util/profile/prof_file.c @@ -33,6 +33,7 @@ #endif @@ -398,7 +592,7 @@ Index: krb5-1.16.1/src/util/profile/prof_file.c struct global_shared_profile_data { /* This is the head of the global list of shared trees */ -@@ -423,7 +424,7 @@ static errcode_t write_data_to_file(prf_ +@@ -391,7 +392,7 @@ static errcode_t write_data_to_file(prf_data_t data, const char *outfile, errno = 0; 
@@ -407,10 +601,10 @@ Index: krb5-1.16.1/src/util/profile/prof_file.c if (!f) { retval = errno; if (retval == 0) -Index: krb5-1.16.1/src/util/support/Makefile.in -=================================================================== ---- krb5-1.16.1.orig/src/util/support/Makefile.in -+++ krb5-1.16.1/src/util/support/Makefile.in +diff --git a/src/util/support/Makefile.in b/src/util/support/Makefile.in +index db7b030b8..321672bcb 100644 +--- a/src/util/support/Makefile.in ++++ b/src/util/support/Makefile.in @@ -69,6 +69,7 @@ IPC_SYMS= \ STLIBOBJS= \ @@ -419,7 +613,7 @@ Index: krb5-1.16.1/src/util/support/Makefile.in init-addrinfo.o \ plugins.o \ errors.o \ -@@ -149,7 +150,7 @@ SRCS=\ +@@ -160,7 +161,7 @@ SRCS=\ SHLIB_EXPDEPS = # Add -lm if dumping thread stats, for sqrt. @@ -428,10 +622,11 @@ Index: krb5-1.16.1/src/util/support/Makefile.in DEPLIBS= -Index: krb5-1.16.1/src/util/support/selinux.c -=================================================================== +diff --git a/src/util/support/selinux.c b/src/util/support/selinux.c +new file mode 100644 +index 000000000..ffba6a9ff --- /dev/null -+++ krb5-1.16.1/src/util/support/selinux.c ++++ b/src/util/support/selinux.c @@ -0,0 +1,381 @@ +/* + * Copyright 2007,2008,2009,2011,2012,2013 Red Hat, Inc. All Rights Reserved. 
@@ -814,192 +1009,6 @@ Index: krb5-1.16.1/src/util/support/selinux.c +} + +#endif -Index: krb5-1.16.1/src/lib/krb5/rcache/rc_dfl.c -=================================================================== ---- krb5-1.16.1.orig/src/lib/krb5/rcache/rc_dfl.c -+++ krb5-1.16.1/src/lib/krb5/rcache/rc_dfl.c -@@ -793,6 +793,9 @@ krb5_rc_dfl_expunge_locked(krb5_context - krb5_error_code retval = 0; - krb5_rcache tmp; - krb5_deltat lifespan = t->lifespan; /* save original lifespan */ -+#ifdef USE_SELINUX -+ void *selabel; -+#endif - - if (! t->recovering) { - name = t->name; -@@ -814,7 +817,17 @@ krb5_rc_dfl_expunge_locked(krb5_context - retval = krb5_rc_resolve(context, tmp, 0); - if (retval) - goto cleanup; -+#ifdef USE_SELINUX -+ if (t->d.fn != NULL) -+ selabel = krb5int_push_fscreatecon_for(t->d.fn); -+ else -+ selabel = NULL; -+#endif - retval = krb5_rc_initialize(context, tmp, lifespan); -+#ifdef USE_SELINUX -+ if (selabel != NULL) -+ krb5int_pop_fscreatecon(selabel); -+#endif - if (retval) - goto cleanup; - for (q = t->a; q; q = q->na) { -Index: krb5-1.16.1/src/lib/krb5/ccache/cc_dir.c -=================================================================== ---- krb5-1.16.1.orig/src/lib/krb5/ccache/cc_dir.c -+++ krb5-1.16.1/src/lib/krb5/ccache/cc_dir.c -@@ -183,10 +183,19 @@ write_primary_file(const char *primary_p - char *newpath = NULL; - FILE *fp = NULL; - int fd = -1, status; -+#ifdef USE_SELINUX -+ void *selabel; -+#endif - - if (asprintf(&newpath, "%s.XXXXXX", primary_path) < 0) - return ENOMEM; -+#ifdef USE_SELINUX -+ selabel = krb5int_push_fscreatecon_for(primary_path); -+#endif - fd = mkstemp(newpath); -+#ifdef USE_SELINUX -+ krb5int_pop_fscreatecon(selabel); -+#endif - if (fd < 0) - goto cleanup; - #ifdef HAVE_CHMOD -@@ -221,10 +230,23 @@ static krb5_error_code - verify_dir(krb5_context context, const char *dirname) - { - struct stat st; -+ int status; -+#ifdef USE_SELINUX -+ void *selabel; -+#endif - - if (stat(dirname, &st) < 0) { -- if (errno == ENOENT && 
mkdir(dirname, S_IRWXU) == 0) -- return 0; -+ if (errno == ENOENT) { -+#ifdef USE_SELINUX -+ selabel = krb5int_push_fscreatecon_for(dirname); -+#endif -+ status = mkdir(dirname, S_IRWXU); -+#ifdef USE_SELINUX -+ krb5int_pop_fscreatecon(selabel); -+#endif -+ if (status == 0) -+ return 0; -+ } - k5_setmsg(context, KRB5_FCC_NOFILE, - _("Credential cache directory %s does not exist"), - dirname); -Index: krb5-1.16.1/src/lib/krb5/os/trace.c -=================================================================== ---- krb5-1.16.1.orig/src/lib/krb5/os/trace.c -+++ krb5-1.16.1/src/lib/krb5/os/trace.c -@@ -398,7 +398,7 @@ krb5_set_trace_filename(krb5_context con - fd = malloc(sizeof(*fd)); - if (fd == NULL) - return ENOMEM; -- *fd = open(filename, O_WRONLY|O_CREAT|O_APPEND, 0600); -+ *fd = THREEPARAMOPEN(filename, O_WRONLY|O_CREAT|O_APPEND, 0600); - if (*fd == -1) { - free(fd); - return errno; -Index: krb5-1.16.1/src/plugins/kdb/db2/kdb_db2.c -=================================================================== ---- krb5-1.16.1.orig/src/plugins/kdb/db2/kdb_db2.c -+++ krb5-1.16.1/src/plugins/kdb/db2/kdb_db2.c -@@ -694,8 +694,8 @@ ctx_create_db(krb5_context context, krb5 - if (retval) - return retval; - -- dbc->db_lf_file = open(dbc->db_lf_name, O_CREAT | O_RDWR | O_TRUNC, -- 0600); -+ dbc->db_lf_file = THREEPARAMOPEN(dbc->db_lf_name, -+ O_CREAT | O_RDWR | O_TRUNC, 0600); - if (dbc->db_lf_file < 0) { - retval = errno; - goto cleanup; -Index: krb5-1.16.1/src/plugins/kdb/db2/libdb2/recno/rec_open.c -=================================================================== ---- krb5-1.16.1.orig/src/plugins/kdb/db2/libdb2/recno/rec_open.c -+++ krb5-1.16.1/src/plugins/kdb/db2/libdb2/recno/rec_open.c -@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)rec_open.c 8 - #include - #include - -+#include "k5-int.h" - #include "db-int.h" - #include "recno.h" - -@@ -68,7 +69,8 @@ __rec_open(fname, flags, mode, openinfo, - int rfd = -1, sverrno; - - /* Open the user's file -- if this fails, we're done. 
*/ -- if (fname != NULL && (rfd = open(fname, flags | O_BINARY, mode)) < 0) -+ if (fname != NULL && -+ (rfd = THREEPARAMOPEN(fname, flags | O_BINARY, mode)) < 0) - return (NULL); - - if (fname != NULL && fcntl(rfd, F_SETFD, 1) == -1) { -Index: krb5-1.16.1/src/kdc/main.c -=================================================================== ---- krb5-1.16.1.orig/src/kdc/main.c -+++ krb5-1.16.1/src/kdc/main.c -@@ -873,7 +873,7 @@ write_pid_file(const char *path) - FILE *file; - unsigned long pid; - -- file = fopen(path, "w"); -+ file = WRITABLEFOPEN(path, "w"); - if (file == NULL) - return errno; - pid = (unsigned long) getpid(); -Index: krb5-1.16.1/src/lib/kdb/kdb_log.c -=================================================================== ---- krb5-1.16.1.orig/src/lib/kdb/kdb_log.c -+++ krb5-1.16.1/src/lib/kdb/kdb_log.c -@@ -484,7 +484,7 @@ ulog_map(krb5_context context, const cha - if (extend_file_to(ulogfd, filesize) < 0) - return errno; - } else { -- ulogfd = open(logname, O_RDWR, 0600); -+ ulogfd = THREEPARAMOPEN(logname, O_RDWR | O_CREAT, 0600); - if (ulogfd == -1) - return errno; - } -Index: krb5-1.16.1/src/slave/kpropd.c -=================================================================== ---- krb5-1.16.1.orig/src/slave/kpropd.c -+++ krb5-1.16.1/src/slave/kpropd.c -@@ -488,7 +488,9 @@ doit(int fd) - krb5_enctype etype; - int database_fd; - char host[INET6_ADDRSTRLEN + 1]; -- -+#ifdef USE_SELINUX -+ void *selabel; -+#endif - signal_wrapper(SIGALRM, alarm_handler); - alarm(params.iprop_resync_timeout); - fromlen = sizeof(from); -@@ -543,9 +545,15 @@ doit(int fd) - free(name); - exit(1); - } -+#ifdef USE_SELINUX -+ selabel = krb5int_push_fscreatecon_for(file); -+#endif - omask = umask(077); - lock_fd = open(temp_file_name, O_RDWR | O_CREAT, 0600); - (void)umask(omask); -+#ifdef USE_SELINUX -+ krb5int_pop_fscreatecon(selabel); -+#endif - retval = krb5_lock_file(kpropd_context, lock_fd, - KRB5_LOCKMODE_EXCLUSIVE | KRB5_LOCKMODE_DONTBLOCK); - if (retval) { +-- +2.20.1 
+ diff --git a/0009-krb5-1.9-debuginfo.patch b/0009-krb5-1.9-debuginfo.patch new file mode 100644 index 0000000..d5df2f9 --- /dev/null +++ b/0009-krb5-1.9-debuginfo.patch @@ -0,0 +1,44 @@ +From ea232e6646a96e0b1dff41b1b1e0b30f95214ebe Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Mon, 14 Jan 2019 13:18:16 +0100 +Subject: [PATCH 9/9] krb5-1.9-debuginfo + +Import krb5-1.9-debuginfo.patch + +We want to keep these y.tab.c files around because the debuginfo points to +them. It would be more elegant at the end to use symbolic links, but that +could mess up people working in the tree on other things. +--- + src/kadmin/cli/Makefile.in | 5 +++++ + src/plugins/kdb/ldap/ldap_util/Makefile.in | 2 +- + 2 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/src/kadmin/cli/Makefile.in b/src/kadmin/cli/Makefile.in +index adfea6e2b..d1327e400 100644 +--- a/src/kadmin/cli/Makefile.in ++++ b/src/kadmin/cli/Makefile.in +@@ -37,3 +37,8 @@ clean-unix:: + # CC_LINK is not meant for compilation and this use may break in the future. + datetest: getdate.c + $(CC_LINK) $(ALL_CFLAGS) -DTEST -o datetest getdate.c ++ ++%.c: %.y ++ $(RM) y.tab.c $@ ++ $(YACC.y) $< ++ $(CP) y.tab.c $@ +diff --git a/src/plugins/kdb/ldap/ldap_util/Makefile.in b/src/plugins/kdb/ldap/ldap_util/Makefile.in +index 8669c2436..a22f23c02 100644 +--- a/src/plugins/kdb/ldap/ldap_util/Makefile.in ++++ b/src/plugins/kdb/ldap/ldap_util/Makefile.in +@@ -20,7 +20,7 @@ $(PROG): $(OBJS) $(KADMSRV_DEPLIBS) $(KRB5_BASE_DEPLIB) $(GETDATE) + getdate.c: $(GETDATE) + $(RM) getdate.c y.tab.c + $(YACC) $(GETDATE) +- $(MV) y.tab.c getdate.c ++ $(CP) y.tab.c getdate.c + + install: + $(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG) +-- +2.20.1 + diff --git a/krb5-1.12-ksu-path.patch b/krb5-1.12-ksu-path.patch deleted file mode 100644 index 74f3a5f..0000000 --- a/krb5-1.12-ksu-path.patch +++ /dev/null 
@@ -1,12 +0,0 @@ -Set the default PATH to the one set by login. - ---- krb5/src/clients/ksu/Makefile.in -+++ krb5/src/clients/ksu/Makefile.in -@@ -1,6 +1,6 @@ - mydir=clients$(S)ksu - BUILDTOP=$(REL)..$(S).. --DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"' -+DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/usr/local/sbin /usr/local/bin /sbin /bin /usr/sbin /usr/bin"' - - KSU_LIBS=@KSU_LIBS@ - PAM_LIBS=@PAM_LIBS@ diff --git a/krb5-1.16.1.tar.gz b/krb5-1.16.1.tar.gz deleted file mode 100644 index e1feb85..0000000 --- a/krb5-1.16.1.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:214ffe394e3ad0c730564074ec44f1da119159d94281bbec541dc29168d21117 -size 9477480 diff --git a/krb5-1.16.1.tar.gz.asc b/krb5-1.16.1.tar.gz.asc deleted file mode 100644 index f43fc3b..0000000 --- a/krb5-1.16.1.tar.gz.asc +++ /dev/null @@ -1,17 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1 - -iQIVAwUAWushEwy6CFdfg3LfAQJ+eBAAijTUBfXzCuxCwbDhCFYb1fIbHMkKkTuq -knFKv0VbALW1qUAj5v35A6GjDam6a33bMvGX8MzbGK/a9IDkpvaaXP/c37V4OfiQ -MhA6uQl0vxBMoCZqAFEVcWd6+M/0rY0WBZKpXRiZxxuSNPnSXn1l9fQAcrYKGb7I -YpaAWnzw+cc1k4Xi+GaaSghEYA4dX7TXh1fViJyHaNSESYZjH3J6wEdPm6LtZk6q -GwJw/ieMQi8djde0AhCbzMHWiaeW3jNPOJmpd3mpY04BAAkzGCyRiYGscxb6ge4u -ag2fojv7rbnJxDzy9RO0ZP0+fVPDMwInZ5GHPftbraSDFkTH2JBAYFudPsLDAoRK -FdjLeHpvuU5ifXWrLyshVYYfeXSe0fHz9Xhfhq2/OmfBD6vQl5k86z8IqxNm4ujy -ziypmTzHFnP/sBKlMgSMdDEKoKZHxevVQM5eJQd1XGexmwogkSPX8mwoEc0q4dtZ -h5w/fCu4ERA0BihvnQMZCZgwe32pO27ccPc6PqNHffUSLOq74J4gBHeoAoZ+SYPu -33oG7wxh+8WONzEGujl1lmxHFstij/njg8nULQ6bo6hSZnlMD0gU59mG9seC2jjr -E4aM4TXd1ixxPzM/cqxfI9SalytwYW0gn7Vuyj3P8xIZ5GQZiTsD7XWJqzb3xHmA -2JSQt4TK3Cc= -=9z9K ------END PGP SIGNATURE----- diff --git a/krb5-1.17.tar.gz b/krb5-1.17.tar.gz new file mode 100644 index 0000000..eb44e69 --- /dev/null +++ b/krb5-1.17.tar.gz 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5a6e2284a53de5702d3dc2be3b9339c963f9b5397d3fbbc53beb249380a781f5 +size 8761763 diff --git a/krb5-1.17.tar.gz.asc b/krb5-1.17.tar.gz.asc new file mode 100644 index 0000000..be02cb6 --- /dev/null +++ b/krb5-1.17.tar.gz.asc @@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1 + +iQIcBAABAgAGBQJcNMxOAAoJEAy6CFdfg3LfjAwP/2/oQe+4Bs/XwZTwNfakTbBl +YHSY8MNAHIKsLh6Bn+SJBQQXSE0fEsm0hYH+JWz85+mzlZk7TbNZUI+zeikhLxi6 ++d8MMQBpk2mQN0dkIeWjTdfkcThGCDSL7l0fh3MuEfN5C7QPAPD1JL1ZeqXPH5AV +PSQRC9s2wiOTwwuHM2i27rZ7gdhL/xfJ3ZPUFJH4klRgszwp9j10I/nh4/XyS/wB +82umjfusFPa9VNSPzm1jm94oRmALkR3CHGvmku2XD3YOv/f5yO8C1cHWNNLxg+5h +EqVv05ddb6iLku4fRhkEjfN3VgCtEvXuMkuAXppkDJJ7wWxMBWgCIr1DS/x7LfbL +CI0ZTejn8HCUBNmRWsKkUuebgHJ7ccch8p/Fp0cV4eT1FL35N2oV51u7+/zK6R8y +1dygUF2VWFOqwm8cyczdFue7dFQVDGCw7R2eK5lXY3NpZVmJblQ/gNLMcbOxGBis +H2dOzSn+CnxlD/2LqOZnhQ1WnGBhOMxoINwX/MQsIvkwAFaM1EsdhPIP/6mSVA/g +p04+YQ2u2ag7Pq3zHsMIonC18w4ZqDPcvXvOXqCHtlQBDAMtb927XvjoTNj5W8Ei +jywxqdWuuqalmrKGPEsKVOJZN6xg7UTgaKzcvQTvW7D3gLbrTT2iM++VKB3vh9V9 +SkULnR3c7fKMzFeLb/Q2 +=4hZX +-----END PGP SIGNATURE----- diff --git a/krb5-1.6.3-gssapi_improve_errormessages.dif b/krb5-1.6.3-gssapi_improve_errormessages.dif deleted file mode 100644 index d6afe07..0000000 --- a/krb5-1.6.3-gssapi_improve_errormessages.dif +++ /dev/null @@ -1,13 +0,0 @@ -Index: krb5-1.10.2/src/lib/gssapi/generic/disp_com_err_status.c -=================================================================== ---- krb5-1.10.2.orig/src/lib/gssapi/generic/disp_com_err_status.c -+++ krb5-1.10.2/src/lib/gssapi/generic/disp_com_err_status.c -@@ -52,7 +52,7 @@ g_display_com_err_status(OM_uint32 *mino - status_string->value = NULL; - - if (! g_make_string_buffer(((status_value == 0)?no_error: -- error_message(status_value)), -+ error_message((long)status_value)), - status_string)) { - *minor_status = ENOMEM; - return(GSS_S_FAILURE); 
diff --git a/krb5-1.6.3-ktutil-manpage.dif b/krb5-1.6.3-ktutil-manpage.dif deleted file mode 100644 index 82f1583..0000000 --- a/krb5-1.6.3-ktutil-manpage.dif +++ /dev/null @@ -1,27 +0,0 @@ ---- - src/man/ktutil.man | 12 ++++++++++++ - 1 file changed, 12 insertions(+) - -Index: krb5-1.12.2/src/man/ktutil.man -=================================================================== ---- krb5-1.12.2.orig/src/man/ktutil.man 2014-08-30 23:06:53.000000000 +0100 -+++ krb5-1.12.2/src/man/ktutil.man 2014-08-30 23:07:00.000000000 +0100 -@@ -162,6 +162,18 @@ ktutil: - .UNINDENT - .UNINDENT - .UNINDENT -+.SH REMARKS -+Changes to the keytab are appended to the keytab file (i.e., the keytab file -+is never overwritten). To directly modify a keytab, save the changes to a -+temporary file and then overwrite the keytab file of interest. -+.TP -+.nf -+Example: -+ktutil> rkt /etc/krb5.keytab -+(modifications to keytab) -+ktutil> wkt /tmp/krb5.newtab -+ktutil> q -+# mv /tmp/krb5.newtab /etc/krb5.keytab - .SH SEE ALSO - .sp - \fIkadmin(1)\fP, \fIkdb5_util(8)\fP diff --git a/krb5-1.9-debuginfo.patch b/krb5-1.9-debuginfo.patch deleted file mode 100644 index 8709137..0000000 --- a/krb5-1.9-debuginfo.patch +++ /dev/null 
@@ -1,26 +0,0 @@ -We want to keep these y.tab.c files around because the debuginfo points to -them. It would be more elegant at the end to use symbolic links, but that -could mess up people working in the tree on other things. - ---- krb5-1.15.orig/src/kadmin/cli/Makefile.in -+++ krb5-1.15/src/kadmin/cli/Makefile.in -@@ -37,3 +37,8 @@ - # CC_LINK is not meant for compilation and this use may break in the future. - datetest: getdate.c - $(CC_LINK) $(ALL_CFLAGS) -DTEST -o datetest getdate.c -+ -+%.c: %.y -+ $(RM) y.tab.c $@ -+ $(YACC.y) $< -+ $(CP) y.tab.c $@ ---- krb5-1.15.orig/src/plugins/kdb/ldap/ldap_util/Makefile.in -+++ krb5-1.15/src/plugins/kdb/ldap/ldap_util/Makefile.in -@@ -20,7 +20,7 @@ - getdate.c: $(GETDATE) - $(RM) getdate.c y.tab.c - $(YACC) $(GETDATE) -- $(MV) y.tab.c getdate.c -+ $(CP) y.tab.c getdate.c - - install: - $(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG) diff --git a/krb5-1.9-manpaths.dif b/krb5-1.9-manpaths.dif deleted file mode 100644 index 9d4b2f5..0000000 --- a/krb5-1.9-manpaths.dif +++ /dev/null @@ -1,18 +0,0 @@ -Change the absolute paths included in the man pages so that the correct -values can be dropped in by config.status. After applying this patch, -these files should be renamed to their ".in" counterparts, and then the -configure scripts should be rebuilt. Originally RT#6525 - -Index: krb5-1.11/src/man/kpropd.man -=================================================================== ---- krb5-1.11.orig/src/man/kpropd.man -+++ krb5-1.11/src/man/kpropd.man -@@ -63,7 +63,7 @@ the \fB/etc/inetd.conf\fP file which loo - .sp - .nf - .ft C --kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd -+kprop stream tcp nowait root @SBINDIR@/kpropd kpropd - .ft P - .fi - .UNINDENT diff --git a/krb5-mini.changes b/krb5-mini.changes index 8537e76..5222122 100644 --- a/krb5-mini.changes +++ b/krb5-mini.changes 
@@ -1,3 +1,69 @@ +------------------------------------------------------------------- +Mon Jan 14 16:10:06 UTC 2019 - Samuel Cabrero + +- Upgrade to 1.17. Major changes: + Administrator experience: + * A new Kerberos database module using the Lightning Memory-Mapped + Database library (LMDB) has been added. The LMDB KDB module should + be more performant and more robust than the DB2 module, and may + become the default module for new databases in a future release. + * "kdb5_util dump" will no longer dump policy entries when specific + principal names are requested. + Developer experience: + * The new krb5_get_etype_info() API can be used to retrieve enctype, + salt, and string-to-key parameters from the KDC for a client + principal. + * The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise + principal names to be used with GSS-API functions. + * KDC and kadmind modules which call com_err() will now write to the + log file in a format more consistent with other log messages. + * Programs which use large numbers of memory credential caches should + perform better. + Protocol evolution: + * The SPAKE pre-authentication mechanism is now supported. This + mechanism protects against password dictionary attacks without + requiring any additional infrastructure such as certificates. SPAKE + is enabled by default on clients, but must be manually enabled on + the KDC for this release. + * PKINIT freshness tokens are now supported. Freshness tokens can + protect against scenarios where an attacker uses temporary access to + a smart card to generate authentication requests for the future. + * Password change operations now prefer TCP over UDP, to avoid + spurious error messages about replays when a response packet is + dropped. + * The KDC now supports cross-realm S4U2Self requests when used with a + third-party KDB module such as Samba's. The client code for + cross-realm S4U2Self requests is also now more robust. 
+ User experience: + * The new ktutil addent -f flag can be used to fetch salt information + from the KDC for password-based keys. + * The new kdestroy -p option can be used to destroy a credential cache + within a collection by client principal name. + * The Kerberos man page has been restored, and documents the + environment variables that affect programs using the Kerberos + library. + Code quality: + * Python test scripts now use Python 3. + * Python test scripts now display markers in verbose output, making it + easier to find where a failure occurred within the scripts. + * The Windows build system has been simplified and updated to work + with more recent versions of Visual Studio. A large volume of + unused Windows-specific code has been removed. Visual Studio 2013 + or later is now required. +- Use systemd-tmpfiles to create files under /var/lib/kerberos, required + by transactional updates; (bsc#1100126); +- Rename patches: + * krb5-1.12-pam.patch => 0001-krb5-1.12-pam.patch + * krb5-1.9-manpaths.dif => 0002-krb5-1.9-manpaths.patch + * krb5-1.12-buildconf.patch => 0003-krb5-1.12-buildconf.patch + * krb5-1.6.3-gssapi_improve_errormessages.dif to + 0004-krb5-1.6.3-gssapi_improve_errormessages.patch + * krb5-1.6.3-ktutil-manpage.dif => 0005-krb5-1.6.3-ktutil-manpage.patch + * krb5-1.12-api.patch => 0006-krb5-1.12-api.patch + * krb5-1.12-ksu-path.patch => 0007-krb5-1.12-ksu-path.patch + * krb5-1.12-selinux-label.patch => 0008-krb5-1.12-selinux-label.patch + * krb5-1.9-debuginfo.patch => 0009-krb5-1.9-debuginfo.patch + ------------------------------------------------------------------- Tue Oct 9 20:13:24 UTC 2018 - James McDonough diff --git a/krb5-mini.spec b/krb5-mini.spec index 20de26b..b164c30 100644 --- a/krb5-mini.spec +++ b/krb5-mini.spec 
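Review bot: the krb5-mini.changes entry omits two packaging changes that this same patch makes to krb5-mini.spec: the vendor kdc.conf, kadm5.acl and kadm5.dict now ship under /usr/share/kerberos/krb5kdc and are only copied into /var/lib/kerberos/krb5kdc by systemd-tmpfiles (the /var/lib copies become %ghost entries), and the new spake.so preauth plugin is deleted from the mini package alongside otp.so. Both belong under the bsc#1100126 item, because an admin looking for where the defaults went will read this file first. Minor: the "Rename patches" list uses "=>" for every entry except the gssapi_improve_errormessages one, which says "to".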
@@ -1,7 +1,7 @@ # # spec file for package krb5-mini # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -21,7 +21,7 @@ %define _fillupdir /var/adm/fillup-templates %endif -%define srcRoot krb5-1.16.1 +%define srcRoot krb5-%{version} %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/ %define krb5docdir %{_defaultdocdir}/krb5 @@ -34,7 +34,7 @@ BuildRequires: keyutils-devel BuildRequires: libcom_err-devel BuildRequires: libselinux-devel BuildRequires: ncurses-devel -Version: 1.16.1 +Version: 1.17 Release: 0 Summary: MIT Kerberos5 implementation and libraries with minimal dependencies License: MIT @@ -58,15 +58,16 @@ Source2: krb5.keyring Source3: vendor-files.tar.bz2 Source4: baselibs.conf Source5: krb5-rpmlintrc -Patch1: krb5-1.12-pam.patch -Patch2: krb5-1.9-manpaths.dif -Patch3: krb5-1.12-buildconf.patch -Patch4: krb5-1.6.3-gssapi_improve_errormessages.dif -Patch6: krb5-1.6.3-ktutil-manpage.dif -Patch8: krb5-1.12-api.patch -Patch11: krb5-1.12-ksu-path.patch -Patch12: krb5-1.12-selinux-label.patch -Patch13: krb5-1.9-debuginfo.patch +Source6: krb5.tmpfiles +Patch1: 0001-krb5-1.12-pam.patch +Patch2: 0002-krb5-1.9-manpaths.patch +Patch3: 0003-krb5-1.12-buildconf.patch +Patch4: 0004-krb5-1.6.3-gssapi_improve_errormessages.patch +Patch5: 0005-krb5-1.6.3-ktutil-manpage.patch +Patch6: 0006-krb5-1.12-api.patch +Patch7: 0007-krb5-1.12-ksu-path.patch +Patch8: 0008-krb5-1.12-selinux-label.patch +Patch9: 0009-krb5-1.9-debuginfo.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: %fillup_prereq @@ -104,11 +105,11 @@ Include Files for Development %patch2 -p1 %patch3 -p1 %patch4 -p1 +%patch5 -p1 %patch6 -p1 +%patch7 -p1 %patch8 -p1 -%patch11 -p1 -%patch12 -p1 -%patch13 -p1 +%patch9 -p1 %build # needs to be re-generated 
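Review bot: in the Patch renumbering hunk the sparse Patch6/8/11/12/13 sequence is collapsed to a dense 1..9 and %prep is updated in step, which is correct; note however that the same tmpfiles source is `Source6: krb5.tmpfiles` here and `Source7` in krb5.spec (where Source6 is ksu-pam.d), so the two %install hunks are not copy-paste compatible (`%{SOURCE6}` versus `%{SOURCE7}`). Using the same Source number in both specs, or referencing the file by name, avoids the next divergence. The `%define srcRoot krb5-%{version}` change is a good cleanup and removes one of the two places the version had to be bumped.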
@@ -148,8 +149,6 @@ cp man/kadmin.man man/kadmin.local.8 %install -# Where per-user keytabs live by default. -mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/lib/kerberos/krb5/user mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/log/krb5 cd src @@ -165,7 +164,7 @@ mkdir -p %{buildroot}/%{_datadir}/aclocal install -m 644 src/util/ac_check_krb5.m4 %{buildroot}%{_datadir}/aclocal/ # install sample config files # I'll probably do something about this later on -mkdir -p %{buildroot}%{_sysconfdir} %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc +mkdir -p %{buildroot}%{_sysconfdir} mkdir -p %{buildroot}%{_sysconfdir}/krb5.conf.d mkdir -p %{buildroot}/etc/profile.d/ mkdir -p %{buildroot}/var/log/krb5 
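Review bot: with `mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/lib/kerberos/krb5/user` removed, %install no longer creates anything under /var/lib/kerberos, but `mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/log/krb5` is kept and `mkdir -p %{buildroot}/var/log/krb5` in the second hunk of this region creates the same directory again; the duplication predates this change, but since both hunks touch the neighbouring lines, drop one now. More relevant to the bug being fixed: /var/log/krb5 stays a packaged directory (owned with %attr(0700,root,root) in %files) rather than a tmpfiles entry, so it is worth a one-line comment stating why /var/log does not need the same treatment as /var/lib/kerberos, otherwise the next person will move it too.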
@@ -176,13 +175,22 @@ mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/preauth mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/libkrb5 mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/tls install -m 644 %{vendorFiles}/krb5.conf %{buildroot}%{_sysconfdir} -install -m 600 %{vendorFiles}/kdc.conf %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc/ -install -m 600 %{vendorFiles}/kadm5.acl %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc/ -install -m 600 %{vendorFiles}/kadm5.dict %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc/ install -m 644 %{vendorFiles}/krb5.csh.profile %{buildroot}/etc/profile.d/krb5.csh install -m 644 %{vendorFiles}/krb5.sh.profile %{buildroot}/etc/profile.d/krb5.sh install -m 644 %{vendorFiles}/SuSEFirewall.kdc %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/kdc install -m 644 %{vendorFiles}/SuSEFirewall.kadmind %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/kadmind + +# Do not write directly to /var/lib/kerberos anymore as it breaks transactional +# updates. Use systemd-tmpfiles to copy the files there when it doesn't exist +install -d -m 0755 %{buildroot}/usr/lib/tmpfiles.d/ +install -m 644 %{SOURCE6} %{buildroot}/usr/lib/tmpfiles.d/krb5.conf +mkdir -p %{buildroot}/%{_datadir}/kerberos/krb5kdc +# Where per-user keytabs live by default. +mkdir -p %{buildroot}/%{_datadir}/kerberos/krb5/user +install -m 600 %{vendorFiles}/kdc.conf %{buildroot}%{_datadir}/kerberos/krb5kdc/ +install -m 600 %{vendorFiles}/kadm5.acl %{buildroot}%{_datadir}/kerberos/krb5kdc/ +install -m 600 %{vendorFiles}/kadm5.dict %{buildroot}%{_datadir}/kerberos/krb5kdc/ + # all libs must have permissions 0755 for lib in `find %{buildroot}/%{_libdir}/ -type f -name "*.so*"` do 
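Review bot: the comment "copy the files there when it doesn't exist" describes tmpfiles 'C' correctly, but it should also say the consequence: an admin-edited /var/lib/kerberos/krb5kdc/kadm5.acl or kdc.conf survives every upgrade and every later `systemd-tmpfiles --create`, and updated vendor defaults in /usr/share never propagate. That is the right behaviour for these files, but it needs stating next to the mechanism. Two details in the same hunk: `mkdir -p %{buildroot}/%{_datadir}/kerberos/krb5/user` creates an empty directory under /usr/share that no 'C' line in krb5.tmpfiles references (the `d /var/lib/kerberos/krb5/user` line needs no source), so it and its %dir entries can be dropped; and the three templates are installed with `install -m 600`, which is the right default for kadm5.acl since the ACL lists the admin principals, but the %attr(0600,root,root) in %files is what rpm actually enforces, so keep the two in sync.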
@@ -239,10 +247,10 @@ install -m 644 %{_builddir}/%{srcRoot}/README %{buildroot}/%{krb5docdir}/README rm -f %{buildroot}/usr/share/man/man1/tmac.doc* rm -f /usr/share/man/man1/tmac.doc* rm -rf %{buildroot}/usr/lib/mit/share/examples -# manually remove otp plugin for krb5-mini since configure +# manually remove otp, spake and test plugin for krb5-mini since configure # doesn't support disabling it at build time rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/otp.so -# manually remove test plugin since configure doesn't support disabling it at build time +rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/spake.so rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so %find_lang mit-krb5 @@ -261,6 +269,7 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so %post /sbin/ldconfig %service_add_post krb5kdc.service kadmind.service kpropd.service +%tmpfiles_create krb5.conf %{fillup_only -n kadmind} %{fillup_only -n krb5kdc} %{fillup_only -n kpropd} @@ -313,10 +322,6 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so %dir %{_libdir}/krb5/plugins/preauth %dir %{_libdir}/krb5/plugins/libkrb5 %dir %{_libdir}/krb5/plugins/tls -%dir %{_localstatedir}/lib/kerberos/ -%dir %{_localstatedir}/lib/kerberos/krb5kdc -%dir %{_localstatedir}/lib/kerberos/krb5 -%dir %{_localstatedir}/lib/kerberos/krb5/user %attr(0700,root,root) %dir /var/log/krb5 %dir /usr/lib/mit %dir /usr/lib/mit/sbin 
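Review bot: `rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/spake.so` silently drops the SPAKE preauth mechanism that the changelog describes as enabled by default on clients; a krb5-mini client talking to a KDC with SPAKE enabled falls back to the other preauth types the KDC offers, but the updated comment (`# manually remove otp, spake and test plugin for krb5-mini since configure`) should say that the mini package intentionally has no SPAKE support, so nobody later debugs why SPAKE never negotiates there. Unrelated but visible in the context lines of this hunk: `rm -f /usr/share/man/man1/tmac.doc*` has no %{buildroot} prefix and therefore runs against the build host rather than the package tree; it is pre-existing, but this hunk already edits the adjacent lines and is the cheapest place to delete it.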
@@ -326,9 +331,6 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so %dir %{_sysconfdir}/krb5.conf.d %attr(0644,root,root) %config /etc/profile.d/krb5* %config(noreplace) %{_sysconfdir}/logrotate.d/krb5-server -%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kdc.conf -%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.acl -%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.dict %config %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/k* %{_fillupdir}/sysconfig.* %{_unitdir}/kadmind.service @@ -345,6 +347,21 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so %{_libdir}/libkrad.so.* %{_libdir}/krb5/plugins/kdb/* %{_libdir}/krb5/plugins/tls/* +%{_libexecdir}/tmpfiles.d/krb5.conf +%dir %{_datadir}/kerberos/ +%dir %{_datadir}/kerberos/krb5kdc +%dir %{_datadir}/kerberos/krb5 +%dir %{_datadir}/kerberos/krb5/user +%attr(0600,root,root) %config(noreplace) %{_datadir}/kerberos/krb5kdc/kdc.conf +%attr(0600,root,root) %config(noreplace) %{_datadir}/kerberos/krb5kdc/kadm5.acl +%attr(0600,root,root) %config(noreplace) %{_datadir}/kerberos/krb5kdc/kadm5.dict +%ghost %dir %{_sharedstatedir}/kerberos/ +%ghost %dir %{_sharedstatedir}/kerberos/krb5kdc +%ghost %dir %{_sharedstatedir}/kerberos/krb5 +%ghost %dir %{_sharedstatedir}/kerberos/krb5/user +%ghost %attr(0600,root,root) %config(noreplace) %{_sharedstatedir}/kerberos/krb5kdc/kdc.conf +%ghost %attr(0600,root,root) %config(noreplace) %{_sharedstatedir}/kerberos/krb5kdc/kadm5.acl +%ghost %attr(0600,root,root) %config(noreplace) %{_sharedstatedir}/kerberos/krb5kdc/kadm5.dict /usr/lib/mit/sbin/kadmin.local /usr/lib/mit/sbin/kadmind /usr/lib/mit/sbin/kpropd @@ -387,6 +404,7 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so %{_mandir}/man5/* %{_mandir}/man5/.k5login.5.gz %{_mandir}/man5/.k5identity.5* +%{_mandir}/man7/kerberos.7.gz %{_mandir}/man8/* %changelog 
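Review bot: the %files hunk lists the tmpfiles config as `%{_libexecdir}/tmpfiles.d/krb5.conf` while %install writes it to the literal `/usr/lib/tmpfiles.d/`; the two coincide on SUSE because %{_libexecdir} expands to /usr/lib, but the macro that exists for this path is %{_tmpfilesdir}; use it in both places. The %config(noreplace) flag on the /usr/share templates is also misplaced: conffile handling is for the files an admin edits, which after this change are the %ghost copies under %{_sharedstatedir}, so keep %config(noreplace) on the ghost entries only and list the /usr/share copies as plain %attr(0600,root,root) files; that also removes the need for the new rpmlint filter. Minor: `%{_mandir}/man7/kerberos.7.gz` hard-codes the compression suffix where the neighbouring `.k5identity.5*` entry uses a glob.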
diff --git a/krb5-rpmlintrc b/krb5-rpmlintrc index aaee6d3..a50983e 100644 --- a/krb5-rpmlintrc +++ b/krb5-rpmlintrc @@ -1,6 +1,8 @@ addFilter("devel-file-in-non-devel-package .*libgssapi_krb5.so") addFilter("hidden-file-or-dir .*/usr/share/man/man5/.k5login.5.gz") +addFilter("hidden-file-or-dir .*/usr/share/man/man5/.k5identity.5.gz") addFilter("files-duplicate .*css") addFilter("files-duplicate .*img.*png") addFilter("devel-file-in-non-devel-package .*libkdb_ldap.so") addFilter("shlib-policy-missing-suffix") +addFilter("non-etc-or-var-file-marked-as-conffile") diff --git a/krb5.changes b/krb5.changes index 5d47eed..03a2baa 100644 --- a/krb5.changes +++ b/krb5.changes 
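Review bot: `addFilter("non-etc-or-var-file-marked-as-conffile")` silences a check that is pointing at a real packaging issue, namely %config(noreplace) on the kdc.conf, kadm5.acl and kadm5.dict templates under /usr/share; drop the %config flag from those three %files entries in both spec files (the %ghost copies under /var/lib keep it) and this filter becomes unnecessary. The `.k5identity.5.gz` filter added above it is fine and mirrors the existing `.k5login.5.gz` one.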
@@ -1,3 +1,69 @@ +------------------------------------------------------------------- +Mon Jan 14 16:10:06 UTC 2019 - Samuel Cabrero + +- Upgrade to 1.17. Major changes: + Administrator experience: + * A new Kerberos database module using the Lightning Memory-Mapped + Database library (LMDB) has been added. The LMDB KDB module should + be more performant and more robust than the DB2 module, and may + become the default module for new databases in a future release. + * "kdb5_util dump" will no longer dump policy entries when specific + principal names are requested. + Developer experience: + * The new krb5_get_etype_info() API can be used to retrieve enctype, + salt, and string-to-key parameters from the KDC for a client + principal. + * The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise + principal names to be used with GSS-API functions. + * KDC and kadmind modules which call com_err() will now write to the + log file in a format more consistent with other log messages. + * Programs which use large numbers of memory credential caches should + perform better. + Protocol evolution: + * The SPAKE pre-authentication mechanism is now supported. This + mechanism protects against password dictionary attacks without + requiring any additional infrastructure such as certificates. SPAKE + is enabled by default on clients, but must be manually enabled on + the KDC for this release. + * PKINIT freshness tokens are now supported. Freshness tokens can + protect against scenarios where an attacker uses temporary access to + a smart card to generate authentication requests for the future. + * Password change operations now prefer TCP over UDP, to avoid + spurious error messages about replays when a response packet is + dropped. + * The KDC now supports cross-realm S4U2Self requests when used with a + third-party KDB module such as Samba's. The client code for + cross-realm S4U2Self requests is also now more robust. 
+ User experience: + * The new ktutil addent -f flag can be used to fetch salt information + from the KDC for password-based keys. + * The new kdestroy -p option can be used to destroy a credential cache + within a collection by client principal name. + * The Kerberos man page has been restored, and documents the + environment variables that affect programs using the Kerberos + library. + Code quality: + * Python test scripts now use Python 3. + * Python test scripts now display markers in verbose output, making it + easier to find where a failure occurred within the scripts. + * The Windows build system has been simplified and updated to work + with more recent versions of Visual Studio. A large volume of + unused Windows-specific code has been removed. Visual Studio 2013 + or later is now required. +- Use systemd-tmpfiles to create files under /var/lib/kerberos, required + by transactional updates; (bsc#1100126); +- Rename patches: + * krb5-1.12-pam.patch => 0001-krb5-1.12-pam.patch + * krb5-1.9-manpaths.dif => 0002-krb5-1.9-manpaths.patch + * krb5-1.12-buildconf.patch => 0003-krb5-1.12-buildconf.patch + * krb5-1.6.3-gssapi_improve_errormessages.dif to + 0004-krb5-1.6.3-gssapi_improve_errormessages.patch + * krb5-1.6.3-ktutil-manpage.dif => 0005-krb5-1.6.3-ktutil-manpage.patch + * krb5-1.12-api.patch => 0006-krb5-1.12-api.patch + * krb5-1.12-ksu-path.patch => 0007-krb5-1.12-ksu-path.patch + * krb5-1.12-selinux-label.patch => 0008-krb5-1.12-selinux-label.patch + * krb5-1.9-debuginfo.patch => 0009-krb5-1.9-debuginfo.patch + ------------------------------------------------------------------- Tue Oct 9 20:00:21 UTC 2018 - James McDonough diff --git a/krb5.spec b/krb5.spec index bb28e14..76586f2 100644 --- a/krb5.spec +++ b/krb5.spec 
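Review bot: krb5.changes does not mention the two user-visible changes specific to the full package in this patch: the new plugin-preauth-spake subpackage (spake.so is split out of the base package), and the configure switch from `--with-pkinit-crypto-impl=openssl` to `--with-crypto-impl=openssl`, which selects OpenSSL as the backend for all of libk5crypto rather than only for the PKINIT module. The second one deserves its own changelog line, since it changes which code performs every Kerberos encryption and checksum operation on the system and is the kind of change a security audit will look for in the package history.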
@@ -1,7 +1,7 @@ # # spec file for package krb5 # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -30,7 +30,7 @@ BuildRequires: keyutils-devel BuildRequires: libcom_err-devel BuildRequires: libselinux-devel BuildRequires: ncurses-devel -Version: 1.16.1 +Version: 1.17 Release: 0 Summary: MIT Kerberos5 implementation License: MIT @@ -53,15 +53,16 @@ Source3: vendor-files.tar.bz2 Source4: baselibs.conf Source5: krb5-rpmlintrc Source6: ksu-pam.d -Patch1: krb5-1.12-pam.patch -Patch2: krb5-1.9-manpaths.dif -Patch3: krb5-1.12-buildconf.patch -Patch4: krb5-1.6.3-gssapi_improve_errormessages.dif -Patch6: krb5-1.6.3-ktutil-manpage.dif -Patch8: krb5-1.12-api.patch -Patch11: krb5-1.12-ksu-path.patch -Patch12: krb5-1.12-selinux-label.patch -Patch13: krb5-1.9-debuginfo.patch +Source7: krb5.tmpfiles +Patch1: 0001-krb5-1.12-pam.patch +Patch2: 0002-krb5-1.9-manpaths.patch +Patch3: 0003-krb5-1.12-buildconf.patch +Patch4: 0004-krb5-1.6.3-gssapi_improve_errormessages.patch +Patch5: 0005-krb5-1.6.3-ktutil-manpage.patch +Patch6: 0006-krb5-1.12-api.patch +Patch7: 0007-krb5-1.12-ksu-path.patch +Patch8: 0008-krb5-1.12-selinux-label.patch +Patch9: 0009-krb5-1.9-debuginfo.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description 
@@ -129,6 +130,15 @@ Kerberos V5 is a trusted-third-party network authentication system, which can improve network security by eliminating the insecure practice of cleartext passwords. This package includes a OTP plugin. +%package plugin-preauth-spake +Summary: SPAKE preauthentication plugin for MIT Kerberos5 +Group: Productivity/Networking/Security + +%description plugin-preauth-spake +Kerberos V5 is a trusted-third-party network authentication system, +which can improve network security by eliminating the insecure +practice of cleartext passwords. This package includes a SPAKE plugin. + %package doc Summary: Documentation for the MIT Kerberos5 implementation Group: Documentation/Other @@ -169,11 +179,11 @@ Include Files for Development %patch2 -p1 %patch3 -p1 %patch4 -p1 +%patch5 -p1 %patch6 -p1 +%patch7 -p1 %patch8 -p1 -%patch11 -p1 -%patch12 -p1 -%patch13 -p1 +%patch9 -p1 %build # needs to be re-generated @@ -202,7 +212,7 @@ DEFCCNAME=DIR:/run/user/%%{uid}/krb5cc; export DEFCCNAME --with-ldap \ --with-pam \ --enable-pkinit \ - --with-pkinit-crypto-impl=openssl \ + --with-crypto-impl=openssl \ --with-selinux \ --with-system-et \ --with-system-ss \ @@ -215,8 +225,6 @@ cp man/kadmin.man man/kadmin.local.8 %install -# Where per-user keytabs live by default. -mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/lib/kerberos/krb5/user mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/log/krb5 cd src @@ -232,7 +240,7 @@ mkdir -p %{buildroot}/%{_datadir}/aclocal install -m 644 src/util/ac_check_krb5.m4 %{buildroot}%{_datadir}/aclocal/ # install sample config files # I'll probably do something about this later on -mkdir -p %{buildroot}%{_sysconfdir} %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc +mkdir -p %{buildroot}%{_sysconfdir} mkdir -p %{buildroot}%{_sysconfdir}/krb5.conf.d mkdir -p %{buildroot}/etc/profile.d/ mkdir -p %{buildroot}/var/log/krb5 
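Review bot: the new `%package plugin-preauth-spake` declares no relationship to the base package, so a plain install of krb5 will not pull in spake.so even though the changelog says SPAKE is enabled by default on clients; add at least `Requires: %{name} = %{version}` so the plugin and the libkrb5 it is loaded into stay in step, and consider a Recommends or Supplements from the base package so default client installs actually get the dictionary-attack protection the release notes advertise. Separately, `--with-crypto-impl=openssl` in the %build hunk replaces `--with-pkinit-crypto-impl=openssl` and is a backend switch for libk5crypto as a whole, not a rename of the same flag; if that is intended, say so in a comment next to the option so it is not "corrected" back later.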
@@ -243,13 +251,22 @@ mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/preauth mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/libkrb5 mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/tls install -m 644 %{vendorFiles}/krb5.conf %{buildroot}%{_sysconfdir} -install -m 600 %{vendorFiles}/kdc.conf %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc/ -install -m 600 %{vendorFiles}/kadm5.acl %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc/ -install -m 600 %{vendorFiles}/kadm5.dict %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc/ install -m 644 %{vendorFiles}/krb5.csh.profile %{buildroot}/etc/profile.d/krb5.csh install -m 644 %{vendorFiles}/krb5.sh.profile %{buildroot}/etc/profile.d/krb5.sh install -m 644 %{vendorFiles}/SuSEFirewall.kdc %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/kdc install -m 644 %{vendorFiles}/SuSEFirewall.kadmind %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/kadmind + +# Do not write directly to /var/lib/kerberos anymore as it breaks transactional +# updates. Use systemd-tmpfiles to copy the files there when it doesn't exist +install -d -m 0755 %{buildroot}/usr/lib/tmpfiles.d/ +install -m 644 %{SOURCE7} %{buildroot}/usr/lib/tmpfiles.d/krb5.conf +mkdir -p %{buildroot}/%{_datadir}/kerberos/krb5kdc +# Where per-user keytabs live by default. +mkdir -p %{buildroot}/%{_datadir}/kerberos/krb5/user +install -m 600 %{vendorFiles}/kdc.conf %{buildroot}%{_datadir}/kerberos/krb5kdc/ +install -m 600 %{vendorFiles}/kadm5.acl %{buildroot}%{_datadir}/kerberos/krb5kdc/ +install -m 600 %{vendorFiles}/kadm5.dict %{buildroot}%{_datadir}/kerberos/krb5kdc/ + # all libs must have permissions 0755 for lib in `find %{buildroot}/%{_libdir}/ -type f -name "*.so*"` do @@ -329,6 +346,7 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so %post server %service_add_post krb5kdc.service kadmind.service kpropd.service +%tmpfiles_create krb5.conf %{fillup_only -n kadmind} %{fillup_only -n krb5kdc} %{fillup_only -n kpropd} 
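Review bot: `%tmpfiles_create krb5.conf` runs only in `%post server`, and the tmpfiles file is also what creates /var/lib/kerberos/krb5/user, the per-user client keytab directory; on a host that installs only the client packages the directory is never created, because the config file itself is packaged in the server %files. That matches the old packaging, where the %dir entry was also in the server package, but if the directory is meant for clients (the comment "Where per-user keytabs live by default" suggests it is), move the `d /var/lib/kerberos/krb5/user` line into a second tmpfiles file owned by the base package with its own %tmpfiles_create. Also verify on a fresh install that the three copied files end up 0600 root:root; the templates are installed 0600 so the result should be correct regardless of how the mode column is applied, but the check is cheap: `systemd-tmpfiles --create krb5.conf && stat -c '%a %U' /var/lib/kerberos/krb5kdc/kadm5.acl`.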
@@ -406,6 +424,7 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so %{_unitdir}/kadmind.service %{_unitdir}/krb5kdc.service %{_unitdir}/kpropd.service +%{_libexecdir}/tmpfiles.d/krb5.conf %else %{_sysconfdir}/init.d/kadmind %{_sysconfdir}/init.d/krb5kdc @@ -414,17 +433,24 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so %dir %{krb5docdir} %dir /usr/lib/mit %dir /usr/lib/mit/sbin -%dir %{_localstatedir}/lib/kerberos/ -%dir %{_localstatedir}/lib/kerberos/krb5kdc -%dir %{_localstatedir}/lib/kerberos/krb5 -%dir %{_localstatedir}/lib/kerberos/krb5/user +%dir %{_datadir}/kerberos/ +%dir %{_datadir}/kerberos/krb5kdc +%dir %{_datadir}/kerberos/krb5 +%dir %{_datadir}/kerberos/krb5/user %dir %{_libdir}/krb5 %dir %{_libdir}/krb5/plugins %dir %{_libdir}/krb5/plugins/kdb %dir %{_libdir}/krb5/plugins/tls -%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kdc.conf -%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.acl -%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.dict +%attr(0600,root,root) %config(noreplace) %{_datadir}/kerberos/krb5kdc/kdc.conf +%attr(0600,root,root) %config(noreplace) %{_datadir}/kerberos/krb5kdc/kadm5.acl +%attr(0600,root,root) %config(noreplace) %{_datadir}/kerberos/krb5kdc/kadm5.dict +%ghost %dir %{_sharedstatedir}/kerberos/ +%ghost %dir %{_sharedstatedir}/kerberos/krb5kdc +%ghost %dir %{_sharedstatedir}/kerberos/krb5 +%ghost %dir %{_sharedstatedir}/kerberos/krb5/user +%ghost %attr(0600,root,root) %config(noreplace) %{_sharedstatedir}/kerberos/krb5kdc/kdc.conf +%ghost %attr(0600,root,root) %config(noreplace) %{_sharedstatedir}/kerberos/krb5kdc/kadm5.acl +%ghost %attr(0600,root,root) %config(noreplace) %{_sharedstatedir}/kerberos/krb5kdc/kadm5.dict %config %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/k* %{_fillupdir}/sysconfig.* /usr/sbin/rc* 
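Review bot: `+%{_libexecdir}/tmpfiles.d/krb5.conf` is placed inside the systemd branch of the server %files list (the `%else` with the init.d scripts follows immediately), but the file is installed unconditionally in %install and `%tmpfiles_create` is invoked unconditionally in `%post server`; on a non-systemd build the file would be left unpackaged and the build would fail. Either wrap the install and %post lines in the same conditional or, if the init.d branch is dead, remove it in a follow-up. As in krb5-mini.spec, prefer %{_tmpfilesdir} over %{_libexecdir}/tmpfiles.d and keep %config(noreplace) only on the %ghost entries under %{_sharedstatedir}, not on the /usr/share templates.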
@@ -489,6 +515,7 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so %{_mandir}/man5/k5login.5* %{_mandir}/man1/ksu.1.gz %{_mandir}/man1/sclient.1.gz +%{_mandir}/man7/kerberos.7.gz %files plugin-kdb-ldap %defattr(-,root,root) @@ -518,4 +545,11 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so %dir %{_libdir}/krb5/plugins/preauth %{_libdir}/krb5/plugins/preauth/otp.so +%files plugin-preauth-spake +%defattr(-,root,root) +%dir %{_libdir}/krb5 +%dir %{_libdir}/krb5/plugins +%dir %{_libdir}/krb5/plugins/preauth +%{_libdir}/krb5/plugins/preauth/spake.so + %changelog diff --git a/krb5.tmpfiles b/krb5.tmpfiles new file mode 100644 index 0000000..e5777ec --- /dev/null +++ b/krb5.tmpfiles @@ -0,0 +1,7 @@ +d /var/lib/kerberos 0755 root root - +d /var/lib/kerberos/krb5 0755 root root - +d /var/lib/kerberos/krb5/user 0755 root root - +d /var/lib/kerberos/krb5kdc 0755 root root - +C /var/lib/kerberos/krb5kdc/kdc.conf 0600 root root - /usr/share/kerberos/krb5kdc/kdc.conf +C /var/lib/kerberos/krb5kdc/kadm5.acl 0600 root root - /usr/share/kerberos/krb5kdc/kadm5.acl +C /var/lib/kerberos/krb5kdc/kadm5.dict 0600 root root - /usr/share/kerberos/krb5kdc/kadm5.dict
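Review bot: `d /var/lib/kerberos/krb5kdc 0755 root root -` makes the directory that holds kdc.conf, kadm5.acl and, if the database is kept there, the KDB and its stash file world-listable; the files themselves are 0600 (created that way by kdb5_util and by the 'C' lines here), so nothing is readable, but 0700 costs nothing for a directory only the KDC daemons need and stops unprivileged local users enumerating realm names from stash file names such as .k5.REALM. Also worth a comment at the top of krb5.tmpfiles: 'C' never overwrites an existing target, so the three copy lines are first-boot defaults only and a changed vendor kdc.conf or kadm5.dict in /usr/share will not propagate; that is intended for config files, but it is not obvious from a tmpfiles file, and the spec's `%ghost ... %config(noreplace)` entries only make sense once the reader knows it.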