From 0baf56c7da92be94de25b6080be3e41357d246e906955eabbd327a92da93b310 Mon Sep 17 00:00:00 2001
From: OBS User unknown <null@suse.de>
Date: Tue, 28 Oct 2008 17:12:35 +0000
Subject: [PATCH] OBS-URL:
 https://build.opensuse.org/package/show/openSUSE:Factory/pam_krb5?expand=0&rev=23

---
 ...rb5-2.2.11-1-refresh-drop-restore-priv.dif | 148 ------------------
 pam_krb5-2.3.1-switch-perms-on-refresh.dif    | 111 +++++++++++++
 pam_krb5-po.tar.gz                            |   4 +-
 pam_krb5.changes                              |   7 +
 pam_krb5.spec                                 |  10 +-
 5 files changed, 127 insertions(+), 153 deletions(-)
 delete mode 100644 pam_krb5-2.2.11-1-refresh-drop-restore-priv.dif
 create mode 100644 pam_krb5-2.3.1-switch-perms-on-refresh.dif

diff --git a/pam_krb5-2.2.11-1-refresh-drop-restore-priv.dif b/pam_krb5-2.2.11-1-refresh-drop-restore-priv.dif
deleted file mode 100644
index a729801..0000000
--- a/pam_krb5-2.2.11-1-refresh-drop-restore-priv.dif
+++ /dev/null
@@ -1,148 +0,0 @@
-Index: src/auth.c
-===================================================================
---- src/auth.c.orig
-+++ src/auth.c
-@@ -480,9 +480,13 @@ pam_sm_setcred(pam_handle_t *pamh, int f
- 		return pam_sm_open_session(pamh, flags, argc, argv);
- 	}
- 	if (flags & (PAM_REINITIALIZE_CRED | PAM_REFRESH_CRED)) {
--		if (_pam_krb5_sly_looks_unsafe() == 0) {
-+		int unsave = _pam_krb5_sly_looks_unsafe();
-+
-+		/* unsave == 2 or 3 can be fixed inside of
-+		   _pam_krb5_sly_maybe_refresh */
-+		if (unsave == 0 || unsave == 2 || unsave == 3) {
- 			return _pam_krb5_sly_maybe_refresh(pamh, flags,
--							   argc, argv);
-+			                                   argc, argv);
- 		} else {
- 			return PAM_IGNORE;
- 		}
-Index: src/sly.c
-===================================================================
---- src/sly.c.orig
-+++ src/sly.c
-@@ -148,6 +148,21 @@ _pam_krb5_sly_looks_unsafe(void)
- 	return 0;
- }
- 
-+/* restore dropped privileges */
-+int
-+_restore_privs(uid_t save_euid, gid_t save_egid)
-+{
-+	int retuid = 0, retgid = 0;
-+	
-+	retuid = setresuid(getuid(), save_euid, getuid());
-+	retgid = setresgid(getgid(), save_egid, getgid());
-+	
-+	/* debug("restore privileges: UID = %u, EUID = %u\n", getuid(), geteuid()); */
-+	/* debug("restore privileges: GID = %u, EGID = %u\n", getgid(), getegid()); */
-+	
-+	return (retuid == -1 || retgid == -1)?-1:0;
-+}
-+
- int
- _pam_krb5_sly_maybe_refresh(pam_handle_t *pamh, int flags,
- 			    int argc, PAM_KRB5_MAYBE_CONST char **argv)
-@@ -163,6 +178,23 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t
- 	gid_t gid;
- 	char *v5ccname, *v5filename, *v4tktfile;
- 
-+	uid_t save_euid = geteuid();
-+	gid_t save_egid = getegid();
-+	
-+
-+	if(_pam_krb5_sly_looks_unsafe() == 2 || _pam_krb5_sly_looks_unsafe() == 3)
-+	{
-+		/* debug("current privileges: UID = %u, EUID = %u\n", getuid(), geteuid()); */
-+		/* debug("current privileges: GID = %u, EGID = %u\n", getgid(), getegid()); *(
-+
-+		/* drop privileges temporarily; restore them on every return from this function */
-+		setresuid(getuid(), getuid(), geteuid());
-+		setresgid(getgid(), getgid(), getegid());
-+		
-+		/* debug("drop privileges temporarily: UID = %u, EUID = %u\n", getuid(), geteuid()); */
-+		/* debug("drop privileges temporarily: GID = %u, EGID = %u\n", getgid(), getegid()); */
-+	}
-+
- 	/* Inexpensive checks. */
- 	switch (_pam_krb5_sly_looks_unsafe()) {
- 	case 0:
-@@ -170,18 +202,22 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t
- 		break;
- 	case 1:
- 		warn("won't refresh credentials while running under sudo");
-+		_restore_privs(save_euid, save_egid);
- 		return PAM_SERVICE_ERR;
- 		break;
- 	case 2:
- 		warn("won't refresh credentials while running setuid");
-+		_restore_privs(save_euid, save_egid);
- 		return PAM_SERVICE_ERR;
- 		break;
- 	case 3:
- 		warn("won't refresh credentials while running setgid");
-+		_restore_privs(save_euid, save_egid);
- 		return PAM_SERVICE_ERR;
- 		break;
- 	default:
- 		warn("not safe to refresh credentials");
-+		_restore_privs(save_euid, save_egid);
- 		return PAM_SERVICE_ERR;
- 		break;
- 	}
-@@ -189,6 +225,7 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t
- 	/* Initialize Kerberos. */
- 	if (_pam_krb5_init_ctx(&ctx, argc, argv) != 0) {
- 		warn("error initializing Kerberos");
-+		_restore_privs(save_euid, save_egid);
- 		return PAM_SERVICE_ERR;
- 	}
- 
-@@ -197,6 +234,7 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t
- 	if (i != PAM_SUCCESS) {
- 		warn("could not identify user name");
- 		krb5_free_context(ctx);
-+		_restore_privs(save_euid, save_egid);
- 		return i;
- 	}
- 
-@@ -205,6 +243,7 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t
- 	if (options == NULL) {
- 		warn("error parsing options (shouldn't happen)");
- 		krb5_free_context(ctx);
-+		_restore_privs(save_euid, save_egid);
- 		return PAM_SERVICE_ERR;
- 	}
- 	if (options->debug) {
-@@ -226,6 +265,7 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t
- 		}
- 		_pam_krb5_options_free(pamh, ctx, options);
- 		krb5_free_context(ctx);
-+		_restore_privs(save_euid, save_egid);
- 		return retval;
- 	}
- 
-@@ -238,6 +278,7 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t
- 		_pam_krb5_user_info_free(ctx, userinfo);
- 		_pam_krb5_options_free(pamh, ctx, options);
- 		krb5_free_context(ctx);
-+		_restore_privs(save_euid, save_egid);
- 		return PAM_IGNORE;
- 	}
- 
-@@ -249,6 +290,7 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t
- 		_pam_krb5_user_info_free(ctx, userinfo);
- 		_pam_krb5_options_free(pamh, ctx, options);
- 		krb5_free_context(ctx);
-+		_restore_privs(save_euid, save_egid);
- 		return PAM_SERVICE_ERR;
- 	}
- 
-@@ -360,5 +402,6 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t
- 	_pam_krb5_options_free(pamh, ctx, options);
- 	krb5_free_context(ctx);
- 
-+	_restore_privs(save_euid, save_egid);
- 	return retval;
- }
diff --git a/pam_krb5-2.3.1-switch-perms-on-refresh.dif b/pam_krb5-2.3.1-switch-perms-on-refresh.dif
new file mode 100644
index 0000000..7bd385f
--- /dev/null
+++ b/pam_krb5-2.3.1-switch-perms-on-refresh.dif
@@ -0,0 +1,111 @@
+Index: pam_krb5-2.3.1-1/src/auth.c
+===================================================================
+--- pam_krb5-2.3.1-1.orig/src/auth.c
++++ pam_krb5-2.3.1-1/src/auth.c
+@@ -62,6 +62,7 @@
+ #include "items.h"
+ #include "kuserok.h"
+ #include "log.h"
++#include "perms.h"
+ #include "options.h"
+ #include "prompter.h"
+ #include "sly.h"
+@@ -477,6 +478,7 @@ int
+ pam_sm_setcred(pam_handle_t *pamh, int flags,
+ 	       int argc, PAM_KRB5_MAYBE_CONST char **argv)
+ {
++	struct _pam_krb5_perms *saved_perms;
+ 	notice("pam_setcred (%s) called",
+ 		   (flags & PAM_ESTABLISH_CRED)?"establish credential":
+ 		   (flags & PAM_REINITIALIZE_CRED)?"reinitialize credential":
+@@ -486,10 +488,22 @@ pam_sm_setcred(pam_handle_t *pamh, int f
+ 		return pam_sm_open_session(pamh, flags, argc, argv);
+ 	}
+ 	if (flags & (PAM_REINITIALIZE_CRED | PAM_REFRESH_CRED)) {
++		saved_perms = _pam_krb5_switch_perms_r2e();
++
+ 		if (_pam_krb5_sly_looks_unsafe() == 0) {
+-			return _pam_krb5_sly_maybe_refresh(pamh, flags,
+-							   argc, argv);
++			int i = _pam_krb5_sly_maybe_refresh(pamh, flags, argc, argv);
++			if (saved_perms != NULL) {
++				_pam_krb5_restore_perms_r2e(saved_perms);
++			}
++			saved_perms = NULL;
++
++			return i;
+ 		} else {
++			debug("looks unsafe - ignore refresh");
++			if (saved_perms != NULL) {
++				_pam_krb5_restore_perms_r2e(saved_perms);
++			}
++			saved_perms = NULL;
+ 			return PAM_IGNORE;
+ 		}
+ 	}
+Index: pam_krb5-2.3.1-1/src/perms.c
+===================================================================
+--- pam_krb5-2.3.1-1.orig/src/perms.c
++++ pam_krb5-2.3.1-1/src/perms.c
+@@ -87,3 +87,49 @@ _pam_krb5_restore_perms(struct _pam_krb5
+ 	}
+ 	return ret;
+ }
++
++struct _pam_krb5_perms *
++_pam_krb5_switch_perms_r2e(void)
++{
++	struct _pam_krb5_perms *ret;
++	ret = malloc(sizeof(*ret));
++	if (ret != NULL) {
++		ret->ruid = getuid();
++		ret->euid = geteuid();
++		ret->rgid = getgid();
++		ret->egid = getegid();
++		if (ret->ruid == ret->euid) {
++			ret->ruid = -1;
++			ret->euid = -1;
++		}
++		if (ret->rgid == ret->egid) {
++			ret->rgid = -1;
++			ret->egid = -1;
++		}
++		if (setresgid(ret->rgid, ret->rgid, ret->egid) == -1) {
++			free(ret);
++			ret = NULL;
++		} else {
++			if (setresuid(ret->ruid, ret->ruid, ret->euid) == -1) {
++				setresgid(ret->rgid, ret->egid, ret->rgid);
++				free(ret);
++				ret = NULL;
++			}
++		}
++	}
++	return ret;
++}
++
++int
++_pam_krb5_restore_perms_r2e(struct _pam_krb5_perms *saved)
++{
++	int ret = -1;
++	if (saved != NULL) {
++		if ((setresuid(saved->ruid, saved->euid, saved->ruid) == 0) &&
++		    (setresgid(saved->rgid, saved->egid, saved->rgid) == 0)) {
++			ret = 0;
++		}
++		free(saved);
++	}
++	return ret;
++}
+Index: pam_krb5-2.3.1-1/src/perms.h
+===================================================================
+--- pam_krb5-2.3.1-1.orig/src/perms.h
++++ pam_krb5-2.3.1-1/src/perms.h
+@@ -37,4 +37,7 @@ struct _pam_krb5_perms;
+ struct _pam_krb5_perms *_pam_krb5_switch_perms(void);
+ int _pam_krb5_restore_perms(struct _pam_krb5_perms *saved);
+ 
++struct _pam_krb5_perms *_pam_krb5_switch_perms_r2e(void);
++int _pam_krb5_restore_perms_r2e(struct _pam_krb5_perms *saved);
++
+ #endif
diff --git a/pam_krb5-po.tar.gz b/pam_krb5-po.tar.gz
index b9204f7..aae1a09 100644
--- a/pam_krb5-po.tar.gz
+++ b/pam_krb5-po.tar.gz
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:84608ab3ce85b8e5bf1f60a9e46b9db915404d8b62e27474d35f83e6f2950d53
-size 4327
+oid sha256:900f86015ea4c72786f36bc80a1dba6d36ed263bd3a7d20df10a831f7be3b69d
+size 4328
diff --git a/pam_krb5.changes b/pam_krb5.changes
index a960d4f..fd2197f 100644
--- a/pam_krb5.changes
+++ b/pam_krb5.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Tue Oct 28 15:09:24 CET 2008 - mc@suse.de
+
+- simplify switch permissions of refresh credentials
+  (remove pam_krb5-2.2.11-1-refresh-drop-restore-priv.dif
+   add pam_krb5-2.3.1-switch-perms-on-refresh.dif) 
+
 -------------------------------------------------------------------
 Fri Oct 24 13:44:42 CEST 2008 - mc@suse.de
 
diff --git a/pam_krb5.spec b/pam_krb5.spec
index c655f34..d45b2e5 100644
--- a/pam_krb5.spec
+++ b/pam_krb5.spec
@@ -26,19 +26,19 @@ Group:          Productivity/Networking/Security
 Provides:       pam_krb
 AutoReqProv:    on
 Version:        2.3.1
-Release:        38
+Release:        39
 Summary:        PAM Module for Kerberos Authentication
 Url:            http://sourceforge.net/projects/pam-krb5/
 Source:         pam_krb5-%{version}-%{PAM_RELEASE}.tar.bz2
 Source2:        pam_krb5-po.tar.gz
 Patch1:         pam_krb5-2.2.0-0.5-configure_ac.dif
-Patch2:         pam_krb5-2.2.11-1-refresh-drop-restore-priv.dif
 Patch3:         pam_krb5-2.3.1-log-choise.dif
 Patch4:         pam_krb5-po-Makevars.dif
 Patch5:         pam_krb5-LINGUAS.dif
 Patch6:         pam_krb5-2.3.1-post.dif
 Patch7:         bug-425861_pam_krb5-2.3.1-ccacheperms.patch
 Patch8:         pam_krb5-2.3.1-fix-pwchange-with-use_shmem.dif
+Patch9:         pam_krb5-2.3.1-switch-perms-on-refresh.dif
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
 %description
@@ -56,13 +56,13 @@ Authors:
 %setup -q -n pam_krb5-%{version}-%{PAM_RELEASE}
 %setup -a 2 -T -D -n pam_krb5-%{version}-%{PAM_RELEASE}
 %patch1
-%patch2
 %patch3 -p1
 %patch4 -p1
 %patch5
 %patch6
 %patch7 -p1
 %patch8 -p1
+%patch9 -p1
 
 %build
 %{suse_update_config -f}
@@ -97,6 +97,10 @@ rm -rf $RPM_BUILD_ROOT
 %attr(755,root,root) /usr/bin/afs5log
 
 %changelog
+* Tue Oct 28 2008 mc@suse.de
+- simplify switch permissions of refresh credentials
+  (remove pam_krb5-2.2.11-1-refresh-drop-restore-priv.dif
+  add pam_krb5-2.3.1-switch-perms-on-refresh.dif)
 * Fri Oct 24 2008 mc@suse.de
 - write new ticket into shmem after password change if requested.
   (bnc#438181)