diff --git a/pam_krb5-2.2.11-1-refresh-drop-restore-priv.dif b/pam_krb5-2.2.11-1-refresh-drop-restore-priv.dif
deleted file mode 100644
index a729801..0000000
--- a/pam_krb5-2.2.11-1-refresh-drop-restore-priv.dif
+++ /dev/null
@@ -1,148 +0,0 @@ -Index: src/auth.c -=================================================================== ---- src/auth.c.orig -+++ src/auth.c -@@ -480,9 +480,13 @@ pam_sm_setcred(pam_handle_t *pamh, int f - return pam_sm_open_session(pamh, flags, argc, argv); - } - if (flags & (PAM_REINITIALIZE_CRED | PAM_REFRESH_CRED)) { -- if (_pam_krb5_sly_looks_unsafe() == 0) { -+ int unsave = _pam_krb5_sly_looks_unsafe(); -+ -+ /* unsave == 2 or 3 can be fixed inside of -+ _pam_krb5_sly_maybe_refresh */ -+ if (unsave == 0 || unsave == 2 || unsave == 3) { - return _pam_krb5_sly_maybe_refresh(pamh, flags, -- argc, argv); -+ argc, argv); - } else { - return PAM_IGNORE; - } -Index: src/sly.c -=================================================================== ---- src/sly.c.orig -+++ src/sly.c -@@ -148,6 +148,21 @@ _pam_krb5_sly_looks_unsafe(void) - return 0; - } - -+/* restore dropped privileges */ -+int -+_restore_privs(uid_t save_euid, gid_t save_egid) -+{ -+ int retuid = 0, retgid = 0; -+ -+ retuid = setresuid(getuid(), save_euid, getuid()); -+ retgid = setresgid(getgid(), save_egid, getgid()); -+ -+ /* debug("restore privileges: UID = %u, EUID = %u\n", getuid(), geteuid()); */ -+ /* debug("restore privileges: GID = %u, EGID = %u\n", getgid(), getegid()); */ -+ -+ return (retuid == -1 || retgid == -1)?-1:0; -+} -+ - int - _pam_krb5_sly_maybe_refresh(pam_handle_t *pamh, int flags, - int argc, PAM_KRB5_MAYBE_CONST char **argv) -@@ -163,6 +178,23 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t - gid_t gid; - char *v5ccname, *v5filename, *v4tktfile; - -+ uid_t save_euid = geteuid(); -+ gid_t save_egid = getegid(); -+ -+ -+ if(_pam_krb5_sly_looks_unsafe() == 2 || _pam_krb5_sly_looks_unsafe() == 3) -+ { -+ /* debug("current privileges: UID = %u, EUID = %u\n", getuid(), geteuid()); */ -+ /* debug("current privileges: GID = %u, EGID = %u\n", getgid(), getegid()); *( -+ -+ /* drop privileges temporarily; restore them on every return from this function */ -+ setresuid(getuid(), getuid(), 
geteuid()); -+ setresgid(getgid(), getgid(), getegid()); -+ -+ /* debug("drop privileges temporarily: UID = %u, EUID = %u\n", getuid(), geteuid()); */ -+ /* debug("drop privileges temporarily: GID = %u, EGID = %u\n", getgid(), getegid()); */ -+ } -+ - /* Inexpensive checks. */ - switch (_pam_krb5_sly_looks_unsafe()) { - case 0: -@@ -170,18 +202,22 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t - break; - case 1: - warn("won't refresh credentials while running under sudo"); -+ _restore_privs(save_euid, save_egid); - return PAM_SERVICE_ERR; - break; - case 2: - warn("won't refresh credentials while running setuid"); -+ _restore_privs(save_euid, save_egid); - return PAM_SERVICE_ERR; - break; - case 3: - warn("won't refresh credentials while running setgid"); -+ _restore_privs(save_euid, save_egid); - return PAM_SERVICE_ERR; - break; - default: - warn("not safe to refresh credentials"); -+ _restore_privs(save_euid, save_egid); - return PAM_SERVICE_ERR; - break; - } -@@ -189,6 +225,7 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t - /* Initialize Kerberos. 
*/ - if (_pam_krb5_init_ctx(&ctx, argc, argv) != 0) { - warn("error initializing Kerberos"); -+ _restore_privs(save_euid, save_egid); - return PAM_SERVICE_ERR; - } - -@@ -197,6 +234,7 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t - if (i != PAM_SUCCESS) { - warn("could not identify user name"); - krb5_free_context(ctx); -+ _restore_privs(save_euid, save_egid); - return i; - } - -@@ -205,6 +243,7 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t - if (options == NULL) { - warn("error parsing options (shouldn't happen)"); - krb5_free_context(ctx); -+ _restore_privs(save_euid, save_egid); - return PAM_SERVICE_ERR; - } - if (options->debug) { -@@ -226,6 +265,7 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t - } - _pam_krb5_options_free(pamh, ctx, options); - krb5_free_context(ctx); -+ _restore_privs(save_euid, save_egid); - return retval; - } - -@@ -238,6 +278,7 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t - _pam_krb5_user_info_free(ctx, userinfo); - _pam_krb5_options_free(pamh, ctx, options); - krb5_free_context(ctx); -+ _restore_privs(save_euid, save_egid); - return PAM_IGNORE; - } - -@@ -249,6 +290,7 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t - _pam_krb5_user_info_free(ctx, userinfo); - _pam_krb5_options_free(pamh, ctx, options); - krb5_free_context(ctx); -+ _restore_privs(save_euid, save_egid); - return PAM_SERVICE_ERR; - } - -@@ -360,5 +402,6 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t - _pam_krb5_options_free(pamh, ctx, options); - krb5_free_context(ctx); - -+ _restore_privs(save_euid, save_egid); - return retval; - } diff --git a/pam_krb5-2.3.1-switch-perms-on-refresh.dif b/pam_krb5-2.3.1-switch-perms-on-refresh.dif new file mode 100644 index 0000000..7bd385f --- /dev/null +++ b/pam_krb5-2.3.1-switch-perms-on-refresh.dif 
@@ -0,0 +1,111 @@ +Index: pam_krb5-2.3.1-1/src/auth.c +=================================================================== +--- pam_krb5-2.3.1-1.orig/src/auth.c ++++ pam_krb5-2.3.1-1/src/auth.c +@@ -62,6 +62,7 @@ + #include "items.h" + #include "kuserok.h" + #include "log.h" ++#include "perms.h" + #include "options.h" + #include "prompter.h" + #include "sly.h" +@@ -477,6 +478,7 @@ int + pam_sm_setcred(pam_handle_t *pamh, int flags, + int argc, PAM_KRB5_MAYBE_CONST char **argv) + { ++ struct _pam_krb5_perms *saved_perms; + notice("pam_setcred (%s) called", + (flags & PAM_ESTABLISH_CRED)?"establish credential": + (flags & PAM_REINITIALIZE_CRED)?"reinitialize credential": +@@ -486,10 +488,22 @@ pam_sm_setcred(pam_handle_t *pamh, int f + return pam_sm_open_session(pamh, flags, argc, argv); + } + if (flags & (PAM_REINITIALIZE_CRED | PAM_REFRESH_CRED)) { ++ saved_perms = _pam_krb5_switch_perms_r2e(); ++ + if (_pam_krb5_sly_looks_unsafe() == 0) { +- return _pam_krb5_sly_maybe_refresh(pamh, flags, +- argc, argv); ++ int i = _pam_krb5_sly_maybe_refresh(pamh, flags, argc, argv); ++ if (saved_perms != NULL) { ++ _pam_krb5_restore_perms_r2e(saved_perms); ++ } ++ saved_perms = NULL; ++ ++ return i; + } else { ++ debug("looks unsafe - ignore refresh"); ++ if (saved_perms != NULL) { ++ _pam_krb5_restore_perms_r2e(saved_perms); ++ } ++ saved_perms = NULL; + return PAM_IGNORE; + } + } +Index: pam_krb5-2.3.1-1/src/perms.c +=================================================================== +--- pam_krb5-2.3.1-1.orig/src/perms.c ++++ pam_krb5-2.3.1-1/src/perms.c +@@ -87,3 +87,49 @@ _pam_krb5_restore_perms(struct _pam_krb5 + } + return ret; + } ++ ++struct _pam_krb5_perms * ++_pam_krb5_switch_perms_r2e(void) ++{ ++ struct _pam_krb5_perms *ret; ++ ret = malloc(sizeof(*ret)); ++ if (ret != NULL) { ++ ret->ruid = getuid(); ++ ret->euid = geteuid(); ++ ret->rgid = getgid(); ++ ret->egid = getegid(); ++ if (ret->ruid == ret->euid) { ++ ret->ruid = -1; ++ ret->euid = -1; ++ } ++ if 
(ret->rgid == ret->egid) { ++ ret->rgid = -1; ++ ret->egid = -1; ++ } ++ if (setresgid(ret->rgid, ret->rgid, ret->egid) == -1) { ++ free(ret); ++ ret = NULL; ++ } else { ++ if (setresuid(ret->ruid, ret->ruid, ret->euid) == -1) { ++ setresgid(ret->rgid, ret->egid, ret->rgid); ++ free(ret); ++ ret = NULL; ++ } ++ } ++ } ++ return ret; ++} ++ ++int ++_pam_krb5_restore_perms_r2e(struct _pam_krb5_perms *saved) ++{ ++ int ret = -1; ++ if (saved != NULL) { ++ if ((setresuid(saved->ruid, saved->euid, saved->ruid) == 0) && ++ (setresgid(saved->rgid, saved->egid, saved->rgid) == 0)) { ++ ret = 0; ++ } ++ free(saved); ++ } ++ return ret; ++} +Index: pam_krb5-2.3.1-1/src/perms.h +=================================================================== +--- pam_krb5-2.3.1-1.orig/src/perms.h ++++ pam_krb5-2.3.1-1/src/perms.h +@@ -37,4 +37,7 @@ struct _pam_krb5_perms; + struct _pam_krb5_perms *_pam_krb5_switch_perms(void); + int _pam_krb5_restore_perms(struct _pam_krb5_perms *saved); + ++struct _pam_krb5_perms *_pam_krb5_switch_perms_r2e(void); ++int _pam_krb5_restore_perms_r2e(struct _pam_krb5_perms *saved); ++ + #endif diff --git a/pam_krb5-po.tar.gz b/pam_krb5-po.tar.gz index b9204f7..aae1a09 100644 --- a/pam_krb5-po.tar.gz +++ b/pam_krb5-po.tar.gz @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:84608ab3ce85b8e5bf1f60a9e46b9db915404d8b62e27474d35f83e6f2950d53 -size 4327 +oid sha256:900f86015ea4c72786f36bc80a1dba6d36ed263bd3a7d20df10a831f7be3b69d +size 4328 diff --git a/pam_krb5.changes b/pam_krb5.changes index a960d4f..fd2197f 100644 --- a/pam_krb5.changes +++ b/pam_krb5.changes 
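Review bot: Both branches added to pam_sm_setcred (the src/auth.c part of the new pam_krb5-2.3.1-switch-perms-on-refresh.dif) discard the result of `_pam_krb5_restore_perms_r2e(saved_perms)`, so a failed restore leaves the calling process on switched IDs with nothing in the log. Because that function chains its two calls with `&&`, a failing `setresuid` also skips the `setresgid`. I would at least log the failure, e.g. `if (_pam_krb5_restore_perms_r2e(saved_perms) != 0) warn("could not restore privileges after credential refresh");`, and decide whether the PAM return code should reflect it. Separately, in src/perms.c the switch records only the real and effective IDs and the restore calls `setresuid(saved->ruid, saved->euid, saved->ruid)` (same shape for the GIDs), so the saved set-user-ID and set-group-ID end up equal to the real IDs whatever they were on entry. Keeping them would mean recording `getresuid`/`getresgid` values in `struct _pam_krb5_perms`, whose definition is not part of this patch; pam_sm_setcred also continues past the end of the inner hunk.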
@@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Tue Oct 28 15:09:24 CET 2008 - mc@suse.de + +- simplify switch permissions of refresh credentials + (remove pam_krb5-2.2.11-1-refresh-drop-restore-priv.dif + add pam_krb5-2.3.1-switch-perms-on-refresh.dif) + ------------------------------------------------------------------- Fri Oct 24 13:44:42 CEST 2008 - mc@suse.de diff --git a/pam_krb5.spec b/pam_krb5.spec index c655f34..d45b2e5 100644 --- a/pam_krb5.spec +++ b/pam_krb5.spec @@ -26,19 +26,19 @@ Group: Productivity/Networking/Security Provides: pam_krb AutoReqProv: on Version: 2.3.1 -Release: 38 +Release: 39 Summary: PAM Module for Kerberos Authentication Url: http://sourceforge.net/projects/pam-krb5/ Source: pam_krb5-%{version}-%{PAM_RELEASE}.tar.bz2 Source2: pam_krb5-po.tar.gz Patch1: pam_krb5-2.2.0-0.5-configure_ac.dif -Patch2: pam_krb5-2.2.11-1-refresh-drop-restore-priv.dif Patch3: pam_krb5-2.3.1-log-choise.dif Patch4: pam_krb5-po-Makevars.dif Patch5: pam_krb5-LINGUAS.dif Patch6: pam_krb5-2.3.1-post.dif Patch7: bug-425861_pam_krb5-2.3.1-ccacheperms.patch Patch8: pam_krb5-2.3.1-fix-pwchange-with-use_shmem.dif +Patch9: pam_krb5-2.3.1-switch-perms-on-refresh.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -56,13 +56,13 @@ Authors: %setup -q -n pam_krb5-%{version}-%{PAM_RELEASE} %setup -a 2 -T -D -n pam_krb5-%{version}-%{PAM_RELEASE} %patch1 -%patch2 %patch3 -p1 %patch4 -p1 %patch5 %patch6 %patch7 -p1 %patch8 -p1 +%patch9 -p1 %build %{suse_update_config -f} @@ -97,6 +97,10 @@ rm -rf $RPM_BUILD_ROOT %attr(755,root,root) /usr/bin/afs5log %changelog +* Tue Oct 28 2008 mc@suse.de +- simplify switch permissions of refresh credentials + (remove pam_krb5-2.2.11-1-refresh-drop-restore-priv.dif + add pam_krb5-2.3.1-switch-perms-on-refresh.dif) * Fri Oct 24 2008 mc@suse.de - write new ticket into shmem after password change if requested. (bnc#438181)