This commit is contained in:
OBS User unknown
Git OBS Bridge
parent
54567c5dc7
commit
0baf56c7da
@ -1,148 +0,0 @@
|
||||
Index: src/auth.c
|
||||
===================================================================
|
||||
--- src/auth.c.orig
|
||||
+++ src/auth.c
|
||||
@@ -480,9 +480,13 @@ pam_sm_setcred(pam_handle_t *pamh, int f
|
||||
return pam_sm_open_session(pamh, flags, argc, argv);
|
||||
}
|
||||
if (flags & (PAM_REINITIALIZE_CRED | PAM_REFRESH_CRED)) {
|
||||
- if (_pam_krb5_sly_looks_unsafe() == 0) {
|
||||
+ int unsave = _pam_krb5_sly_looks_unsafe();
|
||||
+
|
||||
+ /* unsave == 2 or 3 can be fixed inside of
|
||||
+ _pam_krb5_sly_maybe_refresh */
|
||||
+ if (unsave == 0 || unsave == 2 || unsave == 3) {
|
||||
return _pam_krb5_sly_maybe_refresh(pamh, flags,
|
||||
- argc, argv);
|
||||
+ argc, argv);
|
||||
} else {
|
||||
return PAM_IGNORE;
|
||||
}
|
||||
Index: src/sly.c
|
||||
===================================================================
|
||||
--- src/sly.c.orig
|
||||
+++ src/sly.c
|
||||
@@ -148,6 +148,21 @@ _pam_krb5_sly_looks_unsafe(void)
|
||||
return 0;
|
||||
}
|
||||
|
||||
+/* restore dropped privileges */
|
||||
+int
|
||||
+_restore_privs(uid_t save_euid, gid_t save_egid)
|
||||
+{
|
||||
+ int retuid = 0, retgid = 0;
|
||||
+
|
||||
+ retuid = setresuid(getuid(), save_euid, getuid());
|
||||
+ retgid = setresgid(getgid(), save_egid, getgid());
|
||||
+
|
||||
+ /* debug("restore privileges: UID = %u, EUID = %u\n", getuid(), geteuid()); */
|
||||
+ /* debug("restore privileges: GID = %u, EGID = %u\n", getgid(), getegid()); */
|
||||
+
|
||||
+ return (retuid == -1 || retgid == -1)?-1:0;
|
||||
+}
|
||||
+
|
||||
int
|
||||
_pam_krb5_sly_maybe_refresh(pam_handle_t *pamh, int flags,
|
||||
int argc, PAM_KRB5_MAYBE_CONST char **argv)
|
||||
@@ -163,6 +178,23 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t
|
||||
gid_t gid;
|
||||
char *v5ccname, *v5filename, *v4tktfile;
|
||||
|
||||
+ uid_t save_euid = geteuid();
|
||||
+ gid_t save_egid = getegid();
|
||||
+
|
||||
+
|
||||
+ if(_pam_krb5_sly_looks_unsafe() == 2 || _pam_krb5_sly_looks_unsafe() == 3)
|
||||
+ {
|
||||
+ /* debug("current privileges: UID = %u, EUID = %u\n", getuid(), geteuid()); */
|
||||
+ /* debug("current privileges: GID = %u, EGID = %u\n", getgid(), getegid()); *(
|
||||
+
|
||||
+ /* drop privileges temporarily; restore them on every return from this function */
|
||||
+ setresuid(getuid(), getuid(), geteuid());
|
||||
+ setresgid(getgid(), getgid(), getegid());
|
||||
+
|
||||
+ /* debug("drop privileges temporarily: UID = %u, EUID = %u\n", getuid(), geteuid()); */
|
||||
+ /* debug("drop privileges temporarily: GID = %u, EGID = %u\n", getgid(), getegid()); */
|
||||
+ }
|
||||
+
|
||||
/* Inexpensive checks. */
|
||||
switch (_pam_krb5_sly_looks_unsafe()) {
|
||||
case 0:
|
||||
@@ -170,18 +202,22 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t
|
||||
break;
|
||||
case 1:
|
||||
warn("won't refresh credentials while running under sudo");
|
||||
+ _restore_privs(save_euid, save_egid);
|
||||
return PAM_SERVICE_ERR;
|
||||
break;
|
||||
case 2:
|
||||
warn("won't refresh credentials while running setuid");
|
||||
+ _restore_privs(save_euid, save_egid);
|
||||
return PAM_SERVICE_ERR;
|
||||
break;
|
||||
case 3:
|
||||
warn("won't refresh credentials while running setgid");
|
||||
+ _restore_privs(save_euid, save_egid);
|
||||
return PAM_SERVICE_ERR;
|
||||
break;
|
||||
default:
|
||||
warn("not safe to refresh credentials");
|
||||
+ _restore_privs(save_euid, save_egid);
|
||||
return PAM_SERVICE_ERR;
|
||||
break;
|
||||
}
|
||||
@@ -189,6 +225,7 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t
|
||||
/* Initialize Kerberos. */
|
||||
if (_pam_krb5_init_ctx(&ctx, argc, argv) != 0) {
|
||||
warn("error initializing Kerberos");
|
||||
+ _restore_privs(save_euid, save_egid);
|
||||
return PAM_SERVICE_ERR;
|
||||
}
|
||||
|
||||
@@ -197,6 +234,7 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t
|
||||
if (i != PAM_SUCCESS) {
|
||||
warn("could not identify user name");
|
||||
krb5_free_context(ctx);
|
||||
+ _restore_privs(save_euid, save_egid);
|
||||
return i;
|
||||
}
|
||||
|
||||
@@ -205,6 +243,7 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t
|
||||
if (options == NULL) {
|
||||
warn("error parsing options (shouldn't happen)");
|
||||
krb5_free_context(ctx);
|
||||
+ _restore_privs(save_euid, save_egid);
|
||||
return PAM_SERVICE_ERR;
|
||||
}
|
||||
if (options->debug) {
|
||||
@@ -226,6 +265,7 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t
|
||||
}
|
||||
_pam_krb5_options_free(pamh, ctx, options);
|
||||
krb5_free_context(ctx);
|
||||
+ _restore_privs(save_euid, save_egid);
|
||||
return retval;
|
||||
}
|
||||
|
||||
@@ -238,6 +278,7 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t
|
||||
_pam_krb5_user_info_free(ctx, userinfo);
|
||||
_pam_krb5_options_free(pamh, ctx, options);
|
||||
krb5_free_context(ctx);
|
||||
+ _restore_privs(save_euid, save_egid);
|
||||
return PAM_IGNORE;
|
||||
}
|
||||
|
||||
@@ -249,6 +290,7 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t
|
||||
_pam_krb5_user_info_free(ctx, userinfo);
|
||||
_pam_krb5_options_free(pamh, ctx, options);
|
||||
krb5_free_context(ctx);
|
||||
+ _restore_privs(save_euid, save_egid);
|
||||
return PAM_SERVICE_ERR;
|
||||
}
|
||||
|
||||
@@ -360,5 +402,6 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t
|
||||
_pam_krb5_options_free(pamh, ctx, options);
|
||||
krb5_free_context(ctx);
|
||||
|
||||
+ _restore_privs(save_euid, save_egid);
|
||||
return retval;
|
||||
}
|
||||
111
pam_krb5-2.3.1-switch-perms-on-refresh.dif
Normal file
111
pam_krb5-2.3.1-switch-perms-on-refresh.dif
Normal file
@ -0,0 +1,111 @@
|
||||
Index: pam_krb5-2.3.1-1/src/auth.c
|
||||
===================================================================
|
||||
--- pam_krb5-2.3.1-1.orig/src/auth.c
|
||||
+++ pam_krb5-2.3.1-1/src/auth.c
|
||||
@@ -62,6 +62,7 @@
|
||||
#include "items.h"
|
||||
#include "kuserok.h"
|
||||
#include "log.h"
|
||||
+#include "perms.h"
|
||||
#include "options.h"
|
||||
#include "prompter.h"
|
||||
#include "sly.h"
|
||||
@@ -477,6 +478,7 @@ int
|
||||
pam_sm_setcred(pam_handle_t *pamh, int flags,
|
||||
int argc, PAM_KRB5_MAYBE_CONST char **argv)
|
||||
{
|
||||
+ struct _pam_krb5_perms *saved_perms;
|
||||
notice("pam_setcred (%s) called",
|
||||
(flags & PAM_ESTABLISH_CRED)?"establish credential":
|
||||
(flags & PAM_REINITIALIZE_CRED)?"reinitialize credential":
|
||||
@@ -486,10 +488,22 @@ pam_sm_setcred(pam_handle_t *pamh, int f
|
||||
return pam_sm_open_session(pamh, flags, argc, argv);
|
||||
}
|
||||
if (flags & (PAM_REINITIALIZE_CRED | PAM_REFRESH_CRED)) {
|
||||
+ saved_perms = _pam_krb5_switch_perms_r2e();
|
||||
+
|
||||
if (_pam_krb5_sly_looks_unsafe() == 0) {
|
||||
- return _pam_krb5_sly_maybe_refresh(pamh, flags,
|
||||
- argc, argv);
|
||||
+ int i = _pam_krb5_sly_maybe_refresh(pamh, flags, argc, argv);
|
||||
+ if (saved_perms != NULL) {
|
||||
+ _pam_krb5_restore_perms_r2e(saved_perms);
|
||||
+ }
|
||||
+ saved_perms = NULL;
|
||||
+
|
||||
+ return i;
|
||||
} else {
|
||||
+ debug("looks unsafe - ignore refresh");
|
||||
+ if (saved_perms != NULL) {
|
||||
+ _pam_krb5_restore_perms_r2e(saved_perms);
|
||||
+ }
|
||||
+ saved_perms = NULL;
|
||||
return PAM_IGNORE;
|
||||
}
|
||||
}
|
||||
Index: pam_krb5-2.3.1-1/src/perms.c
|
||||
===================================================================
|
||||
--- pam_krb5-2.3.1-1.orig/src/perms.c
|
||||
+++ pam_krb5-2.3.1-1/src/perms.c
|
||||
@@ -87,3 +87,49 @@ _pam_krb5_restore_perms(struct _pam_krb5
|
||||
}
|
||||
return ret;
|
||||
}
|
||||
+
|
||||
+struct _pam_krb5_perms *
|
||||
+_pam_krb5_switch_perms_r2e(void)
|
||||
+{
|
||||
+ struct _pam_krb5_perms *ret;
|
||||
+ ret = malloc(sizeof(*ret));
|
||||
+ if (ret != NULL) {
|
||||
+ ret->ruid = getuid();
|
||||
+ ret->euid = geteuid();
|
||||
+ ret->rgid = getgid();
|
||||
+ ret->egid = getegid();
|
||||
+ if (ret->ruid == ret->euid) {
|
||||
+ ret->ruid = -1;
|
||||
+ ret->euid = -1;
|
||||
+ }
|
||||
+ if (ret->rgid == ret->egid) {
|
||||
+ ret->rgid = -1;
|
||||
+ ret->egid = -1;
|
||||
+ }
|
||||
+ if (setresgid(ret->rgid, ret->rgid, ret->egid) == -1) {
|
||||
+ free(ret);
|
||||
+ ret = NULL;
|
||||
+ } else {
|
||||
+ if (setresuid(ret->ruid, ret->ruid, ret->euid) == -1) {
|
||||
+ setresgid(ret->rgid, ret->egid, ret->rgid);
|
||||
+ free(ret);
|
||||
+ ret = NULL;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
+int
|
||||
+_pam_krb5_restore_perms_r2e(struct _pam_krb5_perms *saved)
|
||||
+{
|
||||
+ int ret = -1;
|
||||
+ if (saved != NULL) {
|
||||
+ if ((setresuid(saved->ruid, saved->euid, saved->ruid) == 0) &&
|
||||
+ (setresgid(saved->rgid, saved->egid, saved->rgid) == 0)) {
|
||||
+ ret = 0;
|
||||
+ }
|
||||
+ free(saved);
|
||||
+ }
|
||||
+ return ret;
|
||||
+}
|
||||
Index: pam_krb5-2.3.1-1/src/perms.h
|
||||
===================================================================
|
||||
--- pam_krb5-2.3.1-1.orig/src/perms.h
|
||||
+++ pam_krb5-2.3.1-1/src/perms.h
|
||||
@@ -37,4 +37,7 @@ struct _pam_krb5_perms;
|
||||
struct _pam_krb5_perms *_pam_krb5_switch_perms(void);
|
||||
int _pam_krb5_restore_perms(struct _pam_krb5_perms *saved);
|
||||
|
||||
+struct _pam_krb5_perms *_pam_krb5_switch_perms_r2e(void);
|
||||
+int _pam_krb5_restore_perms_r2e(struct _pam_krb5_perms *saved);
|
||||
+
|
||||
#endif
|
||||
@ -1,3 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:84608ab3ce85b8e5bf1f60a9e46b9db915404d8b62e27474d35f83e6f2950d53
|
||||
size 4327
|
||||
oid sha256:900f86015ea4c72786f36bc80a1dba6d36ed263bd3a7d20df10a831f7be3b69d
|
||||
size 4328
|
||||
|
||||
@ -1,3 +1,10 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue Oct 28 15:09:24 CET 2008 - mc@suse.de
|
||||
|
||||
- simplify switch permissions of refresh credentials
|
||||
(remove pam_krb5-2.2.11-1-refresh-drop-restore-priv.dif
|
||||
add pam_krb5-2.3.1-switch-perms-on-refresh.dif)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Oct 24 13:44:42 CEST 2008 - mc@suse.de
|
||||
|
||||
|
||||
@ -26,19 +26,19 @@ Group: Productivity/Networking/Security
|
||||
Provides: pam_krb
|
||||
AutoReqProv: on
|
||||
Version: 2.3.1
|
||||
Release: 38
|
||||
Release: 39
|
||||
Summary: PAM Module for Kerberos Authentication
|
||||
Url: http://sourceforge.net/projects/pam-krb5/
|
||||
Source: pam_krb5-%{version}-%{PAM_RELEASE}.tar.bz2
|
||||
Source2: pam_krb5-po.tar.gz
|
||||
Patch1: pam_krb5-2.2.0-0.5-configure_ac.dif
|
||||
Patch2: pam_krb5-2.2.11-1-refresh-drop-restore-priv.dif
|
||||
Patch3: pam_krb5-2.3.1-log-choise.dif
|
||||
Patch4: pam_krb5-po-Makevars.dif
|
||||
Patch5: pam_krb5-LINGUAS.dif
|
||||
Patch6: pam_krb5-2.3.1-post.dif
|
||||
Patch7: bug-425861_pam_krb5-2.3.1-ccacheperms.patch
|
||||
Patch8: pam_krb5-2.3.1-fix-pwchange-with-use_shmem.dif
|
||||
Patch9: pam_krb5-2.3.1-switch-perms-on-refresh.dif
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
|
||||
%description
|
||||
@ -56,13 +56,13 @@ Authors:
|
||||
%setup -q -n pam_krb5-%{version}-%{PAM_RELEASE}
|
||||
%setup -a 2 -T -D -n pam_krb5-%{version}-%{PAM_RELEASE}
|
||||
%patch1
|
||||
%patch2
|
||||
%patch3 -p1
|
||||
%patch4 -p1
|
||||
%patch5
|
||||
%patch6
|
||||
%patch7 -p1
|
||||
%patch8 -p1
|
||||
%patch9 -p1
|
||||
|
||||
%build
|
||||
%{suse_update_config -f}
|
||||
@ -97,6 +97,10 @@ rm -rf $RPM_BUILD_ROOT
|
||||
%attr(755,root,root) /usr/bin/afs5log
|
||||
|
||||
%changelog
|
||||
* Tue Oct 28 2008 mc@suse.de
|
||||
- simplify switch permissions of refresh credentials
|
||||
(remove pam_krb5-2.2.11-1-refresh-drop-restore-priv.dif
|
||||
add pam_krb5-2.3.1-switch-perms-on-refresh.dif)
|
||||
* Fri Oct 24 2008 mc@suse.de
|
||||
- write new ticket into shmem after password change if requested.
|
||||
(bnc#438181)
|
||||
|
||||
Loading…
Reference in New Issue
Block a user