OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/pam_krb5?expand=0&rev=2

2007-03-15 14:28:50 +00:00 · 2007-03-15 14:28:50 +00:00 · 0b7715d634
commit 0b7715d634
parent d5bd631021
3 changed files with 164 additions and 6 deletions
--- a/pam_krb5-2.2.11-1-refresh-drop-restore-priv.dif
+++ b/pam_krb5-2.2.11-1-refresh-drop-restore-priv.dif
@ -0,0 +1,141 @@
+--- src/auth.c
+++ src/auth.c	2007/03/15 10:55:36
+@@ -418,9 +418,13 @@
+ 		return pam_sm_open_session(pamh, flags, argc, argv);
+ 	}
+ 	if (flags & (PAM_REINITIALIZE_CRED | PAM_REFRESH_CRED)) {
+-		if (_pam_krb5_sly_looks_unsafe() == 0) {
+		int unsave = _pam_krb5_sly_looks_unsafe();
+
+		/* unsave == 2 or 3 can be fixed inside of
+		   _pam_krb5_sly_maybe_refresh */
+		if (unsave == 0 || unsave == 2 || unsave == 3) {
+ 			return _pam_krb5_sly_maybe_refresh(pamh, flags,
+-							   argc, argv);
+			                                   argc, argv);
+ 		} else {
+ 			return PAM_IGNORE;
+ 		}
+--- src/sly.c
+++ src/sly.c	2007/03/15 10:46:36
+@@ -146,6 +146,21 @@
+ 	return 0;
+ }
+ 
+/* restore dropped privileges */
+int
+_restore_privs(uid_t save_euid, gid_t save_egid)
+{
+	int retuid = 0, retgid = 0;
+	
+	retuid = setresuid(getuid(), save_euid, getuid());
+	retgid = setresgid(getgid(), save_egid, getgid());
+	
+	debug("restore privileges: UID = %u, EUID = %u\n", getuid(), geteuid());
+	debug("restore privileges: GID = %u, EGID = %u\n", getgid(), getegid());
+	
+	return (retuid == -1 || retgid == -1)?-1:0;
+}
+
+ int
+ _pam_krb5_sly_maybe_refresh(pam_handle_t *pamh, int flags,
+ 			    int argc, PAM_KRB5_MAYBE_CONST char **argv)
+@@ -159,6 +174,20 @@
+ 	int i, retval, stored;
+ 	char *v5ccname, *v4tktfile;
+ 
+	uid_t save_euid = geteuid();
+	gid_t save_egid = getegid();
+	
+
+	if(_pam_krb5_sly_looks_unsafe() == 2 || _pam_krb5_sly_looks_unsafe() == 3)
+	{
+		/* drop privileges temporarily; restore them on every return from this function */
+		setresuid(getuid(), getuid(), geteuid());
+		setresgid(getgid(), getgid(), getegid());
+		
+		debug("drop privileges temporarily: UID = %u, EUID = %u\n", getuid(), geteuid());
+		debug("drop privileges temporarily: GID = %u, EGID = %u\n", getgid(), getegid());
+	}
+
+ 	/* Inexpensive checks. */
+ 	switch (_pam_krb5_sly_looks_unsafe()) {
+ 	case 0:
+@@ -166,18 +195,22 @@
+ 		break;
+ 	case 1:
+ 		warn("won't refresh credentials while running under sudo");
+		_restore_privs(save_euid, save_egid);
+ 		return PAM_SERVICE_ERR;
+ 		break;
+ 	case 2:
+ 		warn("won't refresh credentials while running setuid");
+		_restore_privs(save_euid, save_egid);
+ 		return PAM_SERVICE_ERR;
+ 		break;
+ 	case 3:
+ 		warn("won't refresh credentials while running setgid");
+		_restore_privs(save_euid, save_egid);
+ 		return PAM_SERVICE_ERR;
+ 		break;
+ 	default:
+ 		warn("not safe to refresh credentials");
+		_restore_privs(save_euid, save_egid);
+ 		return PAM_SERVICE_ERR;
+ 		break;
+ 	}
+@@ -185,6 +218,7 @@
+ 	/* Initialize Kerberos. */
+ 	if (_pam_krb5_init_ctx(&ctx, argc, argv) != 0) {
+ 		warn("error initializing Kerberos");
+		_restore_privs(save_euid, save_egid);
+ 		return PAM_SERVICE_ERR;
+ 	}
+ 
+@@ -193,6 +227,7 @@
+ 	if (i != PAM_SUCCESS) {
+ 		warn("could not identify user name");
+ 		krb5_free_context(ctx);
+		_restore_privs(save_euid, save_egid);
+ 		return i;
+ 	}
+ 
+@@ -201,6 +236,7 @@
+ 	if (options == NULL) {
+ 		warn("error parsing options (shouldn't happen)");
+ 		krb5_free_context(ctx);
+		_restore_privs(save_euid, save_egid);
+ 		return PAM_SERVICE_ERR;
+ 	}
+ 	if (options->debug) {
+@@ -222,6 +258,7 @@
+ 		}
+ 		_pam_krb5_options_free(pamh, ctx, options);
+ 		krb5_free_context(ctx);
+		_restore_privs(save_euid, save_egid);
+ 		return retval;
+ 	}
+ 
+@@ -233,6 +270,7 @@
+ 		_pam_krb5_user_info_free(ctx, userinfo);
+ 		_pam_krb5_options_free(pamh, ctx, options);
+ 		krb5_free_context(ctx);
+		_restore_privs(save_euid, save_egid);
+ 		return PAM_IGNORE;
+ 	}
+ 
+@@ -244,6 +282,7 @@
+ 		_pam_krb5_user_info_free(ctx, userinfo);
+ 		_pam_krb5_options_free(pamh, ctx, options);
+ 		krb5_free_context(ctx);
+		_restore_privs(save_euid, save_egid);
+ 		return PAM_SERVICE_ERR;
+ 	}
+ 
+@@ -331,5 +370,6 @@
+ 		      pam_strerror(pamh, retval));
+ 	}
+ 
+	_restore_privs(save_euid, save_egid);
+ 	return retval;
+ }
--- a/pam_krb5.changes
+++ b/pam_krb5.changes
@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Thu Mar 15 12:34:55 CET 2007 - mc@suse.de
+
+- drop privileges in _pam_krb5_sly_maybe_refresh when
+  running in set uid and restore them on exit of this
+  function. This enables us to refresh the ticket 
+  after screen un-lock.
+  [#124611]
+
 -------------------------------------------------------------------
 Mon Sep 25 10:45:53 CEST 2006 - mc@suse.de

--- a/pam_krb5.spec
+++ b/pam_krb5.spec
@ -1,7 +1,7 @@
 #
 # spec file for package pam_krb5 (Version 2.2.11)
 #
-# Copyright (c) 2006 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2007 SUSE LINUX Products GmbH, Nuernberg, Germany.
 # This file and all modifications and additions to the pristine
 # package are under the same license as the package itself.
 #
@ -13,17 +13,18 @@
 Name:           pam_krb5
 BuildRequires:  krb5-client krb5-devel krb5-server openssl-devel pam-devel
 %define       PAM_RELEASE 1
-License:        GPL
+License:        GNU General Public License (GPL)
 Group:          Productivity/Networking/Security
 Provides:       pam_krb
 Autoreqprov:    on
 Version:        2.2.11
-Release:        1
+Release:        27
 Summary:        PAM Module for Kerberos Authentication
 URL:            http://sourceforge.net/projects/pam-krb5/
 Source:         pam_krb5-%{version}-%{PAM_RELEASE}.tar.bz2
 Patch1:         pam_krb5-2.2.0-0.5-configure_ac.dif
 Patch2:         pam_krb5-2.2.0-2-noafsonarm.patch
+Patch3:         pam_krb5-2.2.11-1-refresh-drop-restore-priv.dif
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build

 %description
@ -41,6 +42,7 @@ Authors:
 %setup -q -n pam_krb5-%{version}-%{PAM_RELEASE}
 %patch1
 %patch2
+%patch3

 %build
 %{suse_update_config -f}
@ -72,12 +74,18 @@ rm -rf $RPM_BUILD_ROOT
 %attr(444,root,root) %_mandir/man*/*.*
 %attr(755,root,root) /usr/bin/afs5log

-%changelog -n pam_krb5
+%changelog
+* Thu Mar 15 2007 - mc@suse.de
+- drop privileges in _pam_krb5_sly_maybe_refresh when
+  running in set uid and restore them on exit of this
+  function. This enables us to refresh the ticket
+  after screen un-lock.
+  [#124611]
 * Mon Sep 25 2006 - mc@suse.de
 - version 2.2.11
 - remove two patches with are upstream now
- pam_krb5-2.2.10-0-oldauthtok.dif
- pam_krb5-2.2.10-0-testfix.dif
+  - pam_krb5-2.2.10-0-oldauthtok.dif
+  - pam_krb5-2.2.10-0-testfix.dif
 - make use of --with-os-distribution
 * Thu Sep 14 2006 - mc@suse.de
 - fix pam_set_item call for AUTHTOK and OLDAUTHTOK