pam_krb5/bug-641008_pam_krb5-2.3.11-setcred-log.diff

Index: pam_krb5-2.4.4/src/auth.c
===================================================================
--- pam_krb5-2.4.4.orig/src/auth.c
+++ pam_krb5-2.4.4/src/auth.c
@@ -434,13 +434,32 @@ int
 pam_sm_setcred(pam_handle_t *pamh, int flags,
 	       int argc, PAM_KRB5_MAYBE_CONST char **argv)
 {
+	krb5_context ctx;
+	struct _pam_krb5_options *options;
 	struct _pam_krb5_perms *saved_perms;
-	notice("pam_setcred (%s) called",
-		   (flags & PAM_ESTABLISH_CRED)?"establish credential":
-		   (flags & PAM_REINITIALIZE_CRED)?"reinitialize credential":
-		   (flags & PAM_REFRESH_CRED)?"refresh credential":
-		   (flags & PAM_DELETE_CRED)?"delete credential":"unknown flag");
+
+	if (_pam_krb5_init_ctx(&ctx, argc, argv) != 0) {
+		warn("error initializing Kerberos");
+		return PAM_SERVICE_ERR;
+	}
+
+	options = _pam_krb5_options_init(pamh, argc, argv, ctx);
+	if (options == NULL) {
+		warn("error parsing options (shouldn't happen)");
+		krb5_free_context(ctx);
+		return PAM_SERVICE_ERR;
+	}
+
+	if (options->debug) {
+		debug("pam_setcred (%s) called",
+			(flags & PAM_ESTABLISH_CRED)?"establish credential":
+			(flags & PAM_REINITIALIZE_CRED)?"reinitialize credential":
+			(flags & PAM_REFRESH_CRED)?"refresh credential":
+			(flags & PAM_DELETE_CRED)?"delete credential":"unknown flag");
+	}
 	if (flags & PAM_ESTABLISH_CRED) {
+		_pam_krb5_options_free(pamh, ctx, options);
+		krb5_free_context(ctx);
 		return _pam_krb5_open_session(pamh, flags, argc, argv,
 					      "pam_setcred(PAM_ESTABLISH_CRED)",
 					      _pam_krb5_session_caller_setcred);
@@ -455,21 +474,31 @@ pam_sm_setcred(pam_handle_t *pamh, int f
 			}
 			saved_perms = NULL;
 
+			_pam_krb5_options_free(pamh, ctx, options);
+			krb5_free_context(ctx);
 			return i;
 		} else {
-			debug("looks unsafe - ignore refresh");
+			if (options->debug) {
+				debug("looks unsafe - ignore refresh");
+			}
 			if (saved_perms != NULL) {
 				_pam_krb5_restore_perms_r2e(saved_perms);
 			}
 			saved_perms = NULL;
+			_pam_krb5_options_free(pamh, ctx, options);
+			krb5_free_context(ctx);
 			return PAM_IGNORE;
 		}
 	}
 	if (flags & PAM_DELETE_CRED) {
+		_pam_krb5_options_free(pamh, ctx, options);
+		krb5_free_context(ctx);
 		return _pam_krb5_close_session(pamh, flags, argc, argv,
 					       "pam_setcred(PAM_DELETE_CRED)",
 					       _pam_krb5_session_caller_setcred);
 	}
 	warn("pam_setcred() called with no flags. Assume PAM_ESTABLISH_CRED");
+	_pam_krb5_options_free(pamh, ctx, options);
+	krb5_free_context(ctx);
 	return pam_sm_open_session(pamh, (flags | PAM_ESTABLISH_CRED), argc, argv);
 }
- update to version 2.4.4 * drop configuration settings that duplicated library settings * drop the existing_ticket option * drop krb4 support * add support for preserving configuration information in ccaches * add support for creating and cleaning up DIR: ccaches * finish cleaning up KEYRING: ccaches * add experimental "armor" and "armor_strategy" options * handle creation of /run/user/XXX for FILE: and DIR: caches * handle different function signatures for krb5_trace_callback * avoid overriding the primary when updating DIR: caches - obsolets patches (upstream): * pam_krb5-2.2.0-0.5-configure_ac.dif * use-urandom-for-tests.dif OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam_krb5?expand=0&rev=26 2013-04-16 11:12:50 +02:00			`Index: pam_krb5-2.4.4/src/auth.c`
Accepting request 79471 from home:mcalmer:branches:network - update to version 2.3.13 * don't bother creating a v5 ccache in "external" mode * add a "trace" option to enable libkrb5 tracing, if available * avoid trying to get password-change creds twice * use an in-memory ccache when obtaining tokens using v5 creds * turn off creds==session in "sshd" * add a "validate_user_user" option to control trying to perform user-to-user authentication to validate TGTs when a keytab is not available * add an "ignore_k5login" option to control whether or not the module will use the krb5_kuserok() function to perform additional authorization checks * turn on validation by default - verify_ap_req_nofail controls how we treat errors reading keytab files now * add an "always_allow_localname" option when we can use krb5_aname_to_localname() to second-guess the krb5_kuserok() check * prefer krb5_change_password() to krb5_set_password() OBS-URL: https://build.opensuse.org/request/show/79471 OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam_krb5?expand=0&rev=19 2011-08-22 10:25:27 +02:00			`===================================================================`
- update to version 2.4.4 * drop configuration settings that duplicated library settings * drop the existing_ticket option * drop krb4 support * add support for preserving configuration information in ccaches * add support for creating and cleaning up DIR: ccaches * finish cleaning up KEYRING: ccaches * add experimental "armor" and "armor_strategy" options * handle creation of /run/user/XXX for FILE: and DIR: caches * handle different function signatures for krb5_trace_callback * avoid overriding the primary when updating DIR: caches - obsolets patches (upstream): * pam_krb5-2.2.0-0.5-configure_ac.dif * use-urandom-for-tests.dif OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam_krb5?expand=0&rev=26 2013-04-16 11:12:50 +02:00			`--- pam_krb5-2.4.4.orig/src/auth.c`
			`+++ pam_krb5-2.4.4/src/auth.c`
			`@@ -434,13 +434,32 @@ int`
- make pam_sm_setcred less verbose (bnc#641008) OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam_krb5?expand=0&rev=17 2011-03-01 17:43:02 +01:00			`pam_sm_setcred(pam_handle_t *pamh, int flags,`
			`int argc, PAM_KRB5_MAYBE_CONST char **argv)`
			`{`
			`+ krb5_context ctx;`
			`+ struct _pam_krb5_options *options;`
			`struct _pam_krb5_perms *saved_perms;`
			`- notice("pam_setcred (%s) called",`
			`- (flags & PAM_ESTABLISH_CRED)?"establish credential":`
			`- (flags & PAM_REINITIALIZE_CRED)?"reinitialize credential":`
			`- (flags & PAM_REFRESH_CRED)?"refresh credential":`
			`- (flags & PAM_DELETE_CRED)?"delete credential":"unknown flag");`
			`+`
			`+ if (_pam_krb5_init_ctx(&ctx, argc, argv) != 0) {`
			`+ warn("error initializing Kerberos");`
			`+ return PAM_SERVICE_ERR;`
			`+ }`
			`+`
			`+ options = _pam_krb5_options_init(pamh, argc, argv, ctx);`
			`+ if (options == NULL) {`
			`+ warn("error parsing options (shouldn't happen)");`
			`+ krb5_free_context(ctx);`
			`+ return PAM_SERVICE_ERR;`
			`+ }`
			`+`
			`+ if (options->debug) {`
			`+ debug("pam_setcred (%s) called",`
Accepting request 79471 from home:mcalmer:branches:network - update to version 2.3.13 * don't bother creating a v5 ccache in "external" mode * add a "trace" option to enable libkrb5 tracing, if available * avoid trying to get password-change creds twice * use an in-memory ccache when obtaining tokens using v5 creds * turn off creds==session in "sshd" * add a "validate_user_user" option to control trying to perform user-to-user authentication to validate TGTs when a keytab is not available * add an "ignore_k5login" option to control whether or not the module will use the krb5_kuserok() function to perform additional authorization checks * turn on validation by default - verify_ap_req_nofail controls how we treat errors reading keytab files now * add an "always_allow_localname" option when we can use krb5_aname_to_localname() to second-guess the krb5_kuserok() check * prefer krb5_change_password() to krb5_set_password() OBS-URL: https://build.opensuse.org/request/show/79471 OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam_krb5?expand=0&rev=19 2011-08-22 10:25:27 +02:00			`+ (flags & PAM_ESTABLISH_CRED)?"establish credential":`
			`+ (flags & PAM_REINITIALIZE_CRED)?"reinitialize credential":`
			`+ (flags & PAM_REFRESH_CRED)?"refresh credential":`
			`+ (flags & PAM_DELETE_CRED)?"delete credential":"unknown flag");`
			`+ }`
- make pam_sm_setcred less verbose (bnc#641008) OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam_krb5?expand=0&rev=17 2011-03-01 17:43:02 +01:00			`if (flags & PAM_ESTABLISH_CRED) {`
			`+ _pam_krb5_options_free(pamh, ctx, options);`
			`+ krb5_free_context(ctx);`
Accepting request 79471 from home:mcalmer:branches:network - update to version 2.3.13 * don't bother creating a v5 ccache in "external" mode * add a "trace" option to enable libkrb5 tracing, if available * avoid trying to get password-change creds twice * use an in-memory ccache when obtaining tokens using v5 creds * turn off creds==session in "sshd" * add a "validate_user_user" option to control trying to perform user-to-user authentication to validate TGTs when a keytab is not available * add an "ignore_k5login" option to control whether or not the module will use the krb5_kuserok() function to perform additional authorization checks * turn on validation by default - verify_ap_req_nofail controls how we treat errors reading keytab files now * add an "always_allow_localname" option when we can use krb5_aname_to_localname() to second-guess the krb5_kuserok() check * prefer krb5_change_password() to krb5_set_password() OBS-URL: https://build.opensuse.org/request/show/79471 OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam_krb5?expand=0&rev=19 2011-08-22 10:25:27 +02:00			`return _pam_krb5_open_session(pamh, flags, argc, argv,`
			`"pam_setcred(PAM_ESTABLISH_CRED)",`
			`_pam_krb5_session_caller_setcred);`
- update to version 2.4.4 * drop configuration settings that duplicated library settings * drop the existing_ticket option * drop krb4 support * add support for preserving configuration information in ccaches * add support for creating and cleaning up DIR: ccaches * finish cleaning up KEYRING: ccaches * add experimental "armor" and "armor_strategy" options * handle creation of /run/user/XXX for FILE: and DIR: caches * handle different function signatures for krb5_trace_callback * avoid overriding the primary when updating DIR: caches - obsolets patches (upstream): * pam_krb5-2.2.0-0.5-configure_ac.dif * use-urandom-for-tests.dif OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam_krb5?expand=0&rev=26 2013-04-16 11:12:50 +02:00			`@@ -455,21 +474,31 @@ pam_sm_setcred(pam_handle_t *pamh, int f`
- make pam_sm_setcred less verbose (bnc#641008) OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam_krb5?expand=0&rev=17 2011-03-01 17:43:02 +01:00			`}`
			`saved_perms = NULL;`

			`+ _pam_krb5_options_free(pamh, ctx, options);`
			`+ krb5_free_context(ctx);`
			`return i;`
			`} else {`
			`- debug("looks unsafe - ignore refresh");`
			`+ if (options->debug) {`
			`+ debug("looks unsafe - ignore refresh");`
Accepting request 79471 from home:mcalmer:branches:network - update to version 2.3.13 * don't bother creating a v5 ccache in "external" mode * add a "trace" option to enable libkrb5 tracing, if available * avoid trying to get password-change creds twice * use an in-memory ccache when obtaining tokens using v5 creds * turn off creds==session in "sshd" * add a "validate_user_user" option to control trying to perform user-to-user authentication to validate TGTs when a keytab is not available * add an "ignore_k5login" option to control whether or not the module will use the krb5_kuserok() function to perform additional authorization checks * turn on validation by default - verify_ap_req_nofail controls how we treat errors reading keytab files now * add an "always_allow_localname" option when we can use krb5_aname_to_localname() to second-guess the krb5_kuserok() check * prefer krb5_change_password() to krb5_set_password() OBS-URL: https://build.opensuse.org/request/show/79471 OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam_krb5?expand=0&rev=19 2011-08-22 10:25:27 +02:00			`+ }`
- make pam_sm_setcred less verbose (bnc#641008) OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam_krb5?expand=0&rev=17 2011-03-01 17:43:02 +01:00			`if (saved_perms != NULL) {`
			`_pam_krb5_restore_perms_r2e(saved_perms);`
			`}`
			`saved_perms = NULL;`
			`+ _pam_krb5_options_free(pamh, ctx, options);`
			`+ krb5_free_context(ctx);`
			`return PAM_IGNORE;`
			`}`
			`}`
			`if (flags & PAM_DELETE_CRED) {`
			`+ _pam_krb5_options_free(pamh, ctx, options);`
			`+ krb5_free_context(ctx);`
Accepting request 79471 from home:mcalmer:branches:network - update to version 2.3.13 * don't bother creating a v5 ccache in "external" mode * add a "trace" option to enable libkrb5 tracing, if available * avoid trying to get password-change creds twice * use an in-memory ccache when obtaining tokens using v5 creds * turn off creds==session in "sshd" * add a "validate_user_user" option to control trying to perform user-to-user authentication to validate TGTs when a keytab is not available * add an "ignore_k5login" option to control whether or not the module will use the krb5_kuserok() function to perform additional authorization checks * turn on validation by default - verify_ap_req_nofail controls how we treat errors reading keytab files now * add an "always_allow_localname" option when we can use krb5_aname_to_localname() to second-guess the krb5_kuserok() check * prefer krb5_change_password() to krb5_set_password() OBS-URL: https://build.opensuse.org/request/show/79471 OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam_krb5?expand=0&rev=19 2011-08-22 10:25:27 +02:00			`return _pam_krb5_close_session(pamh, flags, argc, argv,`
			`"pam_setcred(PAM_DELETE_CRED)",`
			`_pam_krb5_session_caller_setcred);`
- make pam_sm_setcred less verbose (bnc#641008) OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam_krb5?expand=0&rev=17 2011-03-01 17:43:02 +01:00			`}`
			`warn("pam_setcred() called with no flags. Assume PAM_ESTABLISH_CRED");`
			`+ _pam_krb5_options_free(pamh, ctx, options);`
			`+ krb5_free_context(ctx);`
			`return pam_sm_open_session(pamh, (flags \| PAM_ESTABLISH_CRED), argc, argv);`
			`}`