This commit is contained in:
Josef Möllers
Git OBS Bridge
parent
60468bdbdd
commit
4c663df9a1
@ -1,8 +1,8 @@
|
||||
Index: src/auth.c
|
||||
Index: pam_krb5-2.4.13/src/auth.c
|
||||
===================================================================
|
||||
--- src/auth.c.orig
|
||||
+++ src/auth.c
|
||||
@@ -470,6 +470,6 @@ pam_sm_setcred(pam_handle_t *pamh, int f
|
||||
--- pam_krb5-2.4.13.orig/src/auth.c
|
||||
+++ pam_krb5-2.4.13/src/auth.c
|
||||
@@ -478,6 +478,6 @@ pam_sm_setcred(pam_handle_t *pamh, int f
|
||||
"pam_setcred(PAM_DELETE_CRED)",
|
||||
_pam_krb5_session_caller_setcred);
|
||||
}
|
||||
|
||||
@ -1,92 +1,90 @@
|
||||
Index: pam_krb5-2.4.4/src/acct.c
|
||||
Index: pam_krb5-2.4.13/src/acct.c
|
||||
===================================================================
|
||||
--- pam_krb5-2.4.4.orig/src/acct.c
|
||||
+++ pam_krb5-2.4.4/src/acct.c
|
||||
@@ -89,6 +89,10 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int
|
||||
--- pam_krb5-2.4.13.orig/src/acct.c
|
||||
+++ pam_krb5-2.4.13/src/acct.c
|
||||
@@ -90,6 +90,10 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int
|
||||
_pam_krb5_free_ctx(ctx);
|
||||
return PAM_SERVICE_ERR;
|
||||
}
|
||||
+ if (options->debug) {
|
||||
+ debug("pam_acct_mgmt called for '%s', realm '%s'", user,
|
||||
+ options->realm);
|
||||
+ options->realm);
|
||||
+ }
|
||||
|
||||
/* Get information about the user and the user's principal name. */
|
||||
userinfo = _pam_krb5_user_info_init(ctx, user, options);
|
||||
Index: pam_krb5-2.4.4/src/auth.c
|
||||
Index: pam_krb5-2.4.13/src/auth.c
|
||||
===================================================================
|
||||
--- pam_krb5-2.4.4.orig/src/auth.c
|
||||
+++ pam_krb5-2.4.4/src/auth.c
|
||||
@@ -108,9 +108,10 @@ pam_sm_authenticate(pam_handle_t *pamh,
|
||||
--- pam_krb5-2.4.13.orig/src/auth.c
|
||||
+++ pam_krb5-2.4.13/src/auth.c
|
||||
@@ -109,8 +109,8 @@ pam_sm_authenticate(pam_handle_t *pamh,
|
||||
return PAM_SERVICE_ERR;
|
||||
}
|
||||
if (options->debug) {
|
||||
- debug("called to authenticate '%s', realm '%s'", user,
|
||||
- options->realm);
|
||||
- debug("called to authenticate '%s', configured realm '%s'",
|
||||
- user, options->realm);
|
||||
+ debug("pam_authenticate called for '%s', realm '%s'", user,
|
||||
+ options->realm);
|
||||
+ options->realm);
|
||||
}
|
||||
+
|
||||
_pam_krb5_set_init_opts(ctx, gic_options, options);
|
||||
|
||||
/* Prompt for the password, as we might need to. */
|
||||
@@ -432,6 +433,11 @@ int
|
||||
pam_sm_setcred(pam_handle_t *pamh, int flags,
|
||||
@@ -434,6 +434,11 @@ pam_sm_setcred(pam_handle_t *pamh, int f
|
||||
int argc, PAM_KRB5_MAYBE_CONST char **argv)
|
||||
{
|
||||
const char *why = "";
|
||||
+ notice("pam_setcred (%s) called",
|
||||
+ (flags & PAM_ESTABLISH_CRED)?"establish credential":
|
||||
+ (flags & PAM_REINITIALIZE_CRED)?"reinitialize credential":
|
||||
+ (flags & PAM_REFRESH_CRED)?"refresh credential":
|
||||
+ (flags & PAM_DELETE_CRED)?"delete credential":"unknown flag");
|
||||
+ (flags & PAM_ESTABLISH_CRED)?"establish credential":
|
||||
+ (flags & PAM_REINITIALIZE_CRED)?"reinitialize credential":
|
||||
+ (flags & PAM_REFRESH_CRED)?"refresh credential":
|
||||
+ (flags & PAM_DELETE_CRED)?"delete credential":"unknown flag");
|
||||
if (flags & PAM_ESTABLISH_CRED) {
|
||||
return _pam_krb5_open_session(pamh, flags, argc, argv,
|
||||
"pam_setcred(PAM_ESTABLISH_CRED)",
|
||||
Index: pam_krb5-2.4.4/src/password.c
|
||||
Index: pam_krb5-2.4.13/src/password.c
|
||||
===================================================================
|
||||
--- pam_krb5-2.4.4.orig/src/password.c
|
||||
+++ pam_krb5-2.4.4/src/password.c
|
||||
@@ -110,6 +110,16 @@ pam_sm_chauthtok(pam_handle_t *pamh, int
|
||||
--- pam_krb5-2.4.13.orig/src/password.c
|
||||
+++ pam_krb5-2.4.13/src/password.c
|
||||
@@ -111,6 +111,16 @@ pam_sm_chauthtok(pam_handle_t *pamh, int
|
||||
_pam_krb5_free_ctx(ctx);
|
||||
return PAM_SERVICE_ERR;
|
||||
}
|
||||
+ if (options->debug) {
|
||||
+ debug("pam_chauthtok called (%s) for '%s', realm '%s'",
|
||||
+ (flags & PAM_PRELIM_CHECK) ?
|
||||
+ "preliminary check" :
|
||||
+ ((flags & PAM_UPDATE_AUTHTOK) ?
|
||||
+ "updating authtok":
|
||||
+ "unknown phase"),
|
||||
+ user,
|
||||
+ options->realm);
|
||||
+ (flags & PAM_PRELIM_CHECK) ?
|
||||
+ "preliminary check" :
|
||||
+ ((flags & PAM_UPDATE_AUTHTOK) ?
|
||||
+ "updating authtok":
|
||||
+ "unknown phase"),
|
||||
+ user,
|
||||
+ options->realm);
|
||||
+ }
|
||||
_pam_krb5_set_init_opts(ctx, gic_options, options);
|
||||
|
||||
/* Get information about the user and the user's principal name. */
|
||||
Index: pam_krb5-2.4.4/src/session.c
|
||||
Index: pam_krb5-2.4.13/src/session.c
|
||||
===================================================================
|
||||
--- pam_krb5-2.4.4.orig/src/session.c
|
||||
+++ pam_krb5-2.4.4/src/session.c
|
||||
@@ -97,6 +97,10 @@ _pam_krb5_open_session(pam_handle_t *pam
|
||||
--- pam_krb5-2.4.13.orig/src/session.c
|
||||
+++ pam_krb5-2.4.13/src/session.c
|
||||
@@ -98,6 +98,10 @@ _pam_krb5_open_session(pam_handle_t *pam
|
||||
_pam_krb5_free_ctx(ctx);
|
||||
return PAM_SERVICE_ERR;
|
||||
}
|
||||
+ if (options->debug) {
|
||||
+ debug("pam_open_session called for '%s', realm '%s'", user,
|
||||
+ options->realm);
|
||||
+ options->realm);
|
||||
+ }
|
||||
|
||||
/* If we're in a no-cred-session situation, return. */
|
||||
if ((!options->cred_session) &&
|
||||
@@ -301,7 +305,10 @@ _pam_krb5_close_session(pam_handle_t *pa
|
||||
@@ -295,7 +299,10 @@ _pam_krb5_close_session(pam_handle_t *pa
|
||||
_pam_krb5_free_ctx(ctx);
|
||||
return PAM_SUCCESS;
|
||||
return PAM_SERVICE_ERR;
|
||||
}
|
||||
-
|
||||
+ if (options->debug) {
|
||||
+ debug("pam_close_session called for '%s', realm '%s'", user,
|
||||
+ options->realm);
|
||||
+ options->realm);
|
||||
+ }
|
||||
/* Get information about the user and the user's principal name. */
|
||||
userinfo = _pam_krb5_user_info_init(ctx, user, options);
|
||||
if (userinfo == NULL) {
|
||||
/* If we're in a no-cred-session situation, return. */
|
||||
if ((!options->cred_session) &&
|
||||
(caller_type == _pam_krb5_session_caller_setcred)) {
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
Index: pam_krb5-2.4.4/src/auth.c
|
||||
Index: pam_krb5-2.4.13/src/auth.c
|
||||
===================================================================
|
||||
--- pam_krb5-2.4.4.orig/src/auth.c
|
||||
+++ pam_krb5-2.4.4/src/auth.c
|
||||
--- pam_krb5-2.4.13.orig/src/auth.c
|
||||
+++ pam_krb5-2.4.13/src/auth.c
|
||||
@@ -56,6 +56,7 @@
|
||||
#include "items.h"
|
||||
#include "kuserok.h"
|
||||
@ -10,24 +10,30 @@ Index: pam_krb5-2.4.4/src/auth.c
|
||||
#include "options.h"
|
||||
#include "prompter.h"
|
||||
#include "session.h"
|
||||
@@ -433,6 +434,7 @@ int
|
||||
pam_sm_setcred(pam_handle_t *pamh, int flags,
|
||||
@@ -434,6 +435,7 @@ pam_sm_setcred(pam_handle_t *pamh, int f
|
||||
int argc, PAM_KRB5_MAYBE_CONST char **argv)
|
||||
{
|
||||
const char *why = "";
|
||||
+ struct _pam_krb5_perms *saved_perms;
|
||||
notice("pam_setcred (%s) called",
|
||||
(flags & PAM_ESTABLISH_CRED)?"establish credential":
|
||||
(flags & PAM_REINITIALIZE_CRED)?"reinitialize credential":
|
||||
@@ -444,10 +446,22 @@ pam_sm_setcred(pam_handle_t *pamh, int f
|
||||
(flags & PAM_ESTABLISH_CRED)?"establish credential":
|
||||
(flags & PAM_REINITIALIZE_CRED)?"reinitialize credential":
|
||||
@@ -445,6 +447,8 @@ pam_sm_setcred(pam_handle_t *pamh, int f
|
||||
_pam_krb5_session_caller_setcred);
|
||||
}
|
||||
if (flags & (PAM_REINITIALIZE_CRED | PAM_REFRESH_CRED)) {
|
||||
+ saved_perms = _pam_krb5_switch_perms_r2e();
|
||||
+
|
||||
if (flags & PAM_REINITIALIZE_CRED) {
|
||||
why = "pam_setcred(PAM_REINITIALIZE_CRED)";
|
||||
if (flags & PAM_REFRESH_CRED) {
|
||||
@@ -454,9 +458,18 @@ pam_sm_setcred(pam_handle_t *pamh, int f
|
||||
why = "pam_setcred(PAM_REFRESH_CRED)";
|
||||
}
|
||||
if (_pam_krb5_sly_looks_unsafe() == 0) {
|
||||
- return _pam_krb5_sly_maybe_refresh(pamh, flags,
|
||||
- return _pam_krb5_sly_maybe_refresh(pamh, flags, why,
|
||||
- argc, argv);
|
||||
+ int i = _pam_krb5_sly_maybe_refresh(pamh, flags, argc, argv);
|
||||
+ int i = _pam_krb5_sly_maybe_refresh(pamh, flags, why, argc, argv);
|
||||
+ if (saved_perms != NULL) {
|
||||
+ _pam_krb5_restore_perms_r2e(saved_perms);
|
||||
+ }
|
||||
@ -39,14 +45,13 @@ Index: pam_krb5-2.4.4/src/auth.c
|
||||
+ if (saved_perms != NULL) {
|
||||
+ _pam_krb5_restore_perms_r2e(saved_perms);
|
||||
+ }
|
||||
+ saved_perms = NULL;
|
||||
return PAM_IGNORE;
|
||||
}
|
||||
}
|
||||
Index: pam_krb5-2.4.4/src/perms.c
|
||||
Index: pam_krb5-2.4.13/src/perms.c
|
||||
===================================================================
|
||||
--- pam_krb5-2.4.4.orig/src/perms.c
|
||||
+++ pam_krb5-2.4.4/src/perms.c
|
||||
--- pam_krb5-2.4.13.orig/src/perms.c
|
||||
+++ pam_krb5-2.4.13/src/perms.c
|
||||
@@ -89,3 +89,49 @@ _pam_krb5_restore_perms(struct _pam_krb5
|
||||
}
|
||||
return ret;
|
||||
@ -90,17 +95,17 @@ Index: pam_krb5-2.4.4/src/perms.c
|
||||
+ int ret = -1;
|
||||
+ if (saved != NULL) {
|
||||
+ if ((setresuid(saved->ruid, saved->euid, saved->ruid) == 0) &&
|
||||
+ (setresgid(saved->rgid, saved->egid, saved->rgid) == 0)) {
|
||||
+ (setresgid(saved->rgid, saved->egid, saved->rgid) == 0)) {
|
||||
+ ret = 0;
|
||||
+ }
|
||||
+ free(saved);
|
||||
+ }
|
||||
+ return ret;
|
||||
+}
|
||||
Index: pam_krb5-2.4.4/src/perms.h
|
||||
Index: pam_krb5-2.4.13/src/perms.h
|
||||
===================================================================
|
||||
--- pam_krb5-2.4.4.orig/src/perms.h
|
||||
+++ pam_krb5-2.4.4/src/perms.h
|
||||
--- pam_krb5-2.4.13.orig/src/perms.h
|
||||
+++ pam_krb5-2.4.13/src/perms.h
|
||||
@@ -37,4 +37,7 @@ struct _pam_krb5_perms;
|
||||
struct _pam_krb5_perms *_pam_krb5_switch_perms(void);
|
||||
int _pam_krb5_restore_perms(struct _pam_krb5_perms *saved);
|
||||
|
||||
Loading…
Reference in New Issue
Block a user