From 4c663df9a1acb8ffed8af554ed0b626bcd523123e8977664938a3a71dda0edb3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Josef=20M=C3=B6llers?= Date: Thu, 10 Aug 2017 13:02:50 +0000 Subject: [PATCH] OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam_krb5?expand=0&rev=33 --- pam_krb5-2.2.3-1-setcred-assume-establish.dif | 8 +- pam_krb5-2.3.1-log-choise.dif | 82 +++++++++---------- pam_krb5-2.3.1-switch-perms-on-refresh.dif | 41 ++++++---- 3 files changed, 67 insertions(+), 64 deletions(-) diff --git a/pam_krb5-2.2.3-1-setcred-assume-establish.dif b/pam_krb5-2.2.3-1-setcred-assume-establish.dif index a99e013..eadee8b 100644 --- a/pam_krb5-2.2.3-1-setcred-assume-establish.dif +++ b/pam_krb5-2.2.3-1-setcred-assume-establish.dif @@ -1,8 +1,8 @@ -Index: src/auth.c +Index: pam_krb5-2.4.13/src/auth.c =================================================================== ---- src/auth.c.orig -+++ src/auth.c -@@ -470,6 +470,6 @@ pam_sm_setcred(pam_handle_t *pamh, int f +--- pam_krb5-2.4.13.orig/src/auth.c ++++ pam_krb5-2.4.13/src/auth.c +@@ -478,6 +478,6 @@ pam_sm_setcred(pam_handle_t *pamh, int f "pam_setcred(PAM_DELETE_CRED)", _pam_krb5_session_caller_setcred); } diff --git a/pam_krb5-2.3.1-log-choise.dif b/pam_krb5-2.3.1-log-choise.dif index 5041673..19e57cb 100644 --- a/pam_krb5-2.3.1-log-choise.dif +++ b/pam_krb5-2.3.1-log-choise.dif @@ -1,92 +1,90 @@ -Index: pam_krb5-2.4.4/src/acct.c +Index: pam_krb5-2.4.13/src/acct.c =================================================================== ---- pam_krb5-2.4.4.orig/src/acct.c -+++ pam_krb5-2.4.4/src/acct.c -@@ -89,6 +89,10 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int +--- pam_krb5-2.4.13.orig/src/acct.c ++++ pam_krb5-2.4.13/src/acct.c +@@ -90,6 +90,10 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int _pam_krb5_free_ctx(ctx); return PAM_SERVICE_ERR; } + if (options->debug) { + debug("pam_acct_mgmt called for '%s', realm '%s'", user, -+ options->realm); ++ options->realm); + } /* Get information about the user and the user's principal name. */ userinfo = _pam_krb5_user_info_init(ctx, user, options); -Index: pam_krb5-2.4.4/src/auth.c +Index: pam_krb5-2.4.13/src/auth.c =================================================================== ---- pam_krb5-2.4.4.orig/src/auth.c -+++ pam_krb5-2.4.4/src/auth.c -@@ -108,9 +108,10 @@ pam_sm_authenticate(pam_handle_t *pamh, +--- pam_krb5-2.4.13.orig/src/auth.c ++++ pam_krb5-2.4.13/src/auth.c +@@ -109,8 +109,8 @@ pam_sm_authenticate(pam_handle_t *pamh, return PAM_SERVICE_ERR; } if (options->debug) { -- debug("called to authenticate '%s', realm '%s'", user, -- options->realm); +- debug("called to authenticate '%s', configured realm '%s'", +- user, options->realm); + debug("pam_authenticate called for '%s', realm '%s'", user, -+ options->realm); ++ options->realm); } -+ _pam_krb5_set_init_opts(ctx, gic_options, options); - /* Prompt for the password, as we might need to. */ -@@ -432,6 +433,11 @@ int - pam_sm_setcred(pam_handle_t *pamh, int flags, +@@ -434,6 +434,11 @@ pam_sm_setcred(pam_handle_t *pamh, int f int argc, PAM_KRB5_MAYBE_CONST char **argv) { + const char *why = ""; + notice("pam_setcred (%s) called", -+ (flags & PAM_ESTABLISH_CRED)?"establish credential": -+ (flags & PAM_REINITIALIZE_CRED)?"reinitialize credential": -+ (flags & PAM_REFRESH_CRED)?"refresh credential": -+ (flags & PAM_DELETE_CRED)?"delete credential":"unknown flag"); ++ (flags & PAM_ESTABLISH_CRED)?"establish credential": ++ (flags & PAM_REINITIALIZE_CRED)?"reinitialize credential": ++ (flags & PAM_REFRESH_CRED)?"refresh credential": ++ (flags & PAM_DELETE_CRED)?"delete credential":"unknown flag"); if (flags & PAM_ESTABLISH_CRED) { return _pam_krb5_open_session(pamh, flags, argc, argv, "pam_setcred(PAM_ESTABLISH_CRED)", -Index: pam_krb5-2.4.4/src/password.c +Index: pam_krb5-2.4.13/src/password.c =================================================================== ---- pam_krb5-2.4.4.orig/src/password.c -+++ pam_krb5-2.4.4/src/password.c -@@ -110,6 +110,16 @@ pam_sm_chauthtok(pam_handle_t *pamh, int +--- pam_krb5-2.4.13.orig/src/password.c ++++ pam_krb5-2.4.13/src/password.c +@@ -111,6 +111,16 @@ pam_sm_chauthtok(pam_handle_t *pamh, int _pam_krb5_free_ctx(ctx); return PAM_SERVICE_ERR; } + if (options->debug) { + debug("pam_chauthtok called (%s) for '%s', realm '%s'", -+ (flags & PAM_PRELIM_CHECK) ? -+ "preliminary check" : -+ ((flags & PAM_UPDATE_AUTHTOK) ? -+ "updating authtok": -+ "unknown phase"), -+ user, -+ options->realm); ++ (flags & PAM_PRELIM_CHECK) ? ++ "preliminary check" : ++ ((flags & PAM_UPDATE_AUTHTOK) ? ++ "updating authtok": ++ "unknown phase"), ++ user, ++ options->realm); + } _pam_krb5_set_init_opts(ctx, gic_options, options); /* Get information about the user and the user's principal name. */ -Index: pam_krb5-2.4.4/src/session.c +Index: pam_krb5-2.4.13/src/session.c =================================================================== ---- pam_krb5-2.4.4.orig/src/session.c -+++ pam_krb5-2.4.4/src/session.c -@@ -97,6 +97,10 @@ _pam_krb5_open_session(pam_handle_t *pam +--- pam_krb5-2.4.13.orig/src/session.c ++++ pam_krb5-2.4.13/src/session.c +@@ -98,6 +98,10 @@ _pam_krb5_open_session(pam_handle_t *pam _pam_krb5_free_ctx(ctx); return PAM_SERVICE_ERR; } + if (options->debug) { + debug("pam_open_session called for '%s', realm '%s'", user, -+ options->realm); ++ options->realm); + } /* If we're in a no-cred-session situation, return. */ if ((!options->cred_session) && -@@ -301,7 +305,10 @@ _pam_krb5_close_session(pam_handle_t *pa +@@ -295,7 +299,10 @@ _pam_krb5_close_session(pam_handle_t *pa _pam_krb5_free_ctx(ctx); - return PAM_SUCCESS; + return PAM_SERVICE_ERR; } - + if (options->debug) { + debug("pam_close_session called for '%s', realm '%s'", user, -+ options->realm); ++ options->realm); + } - /* Get information about the user and the user's principal name. */ - userinfo = _pam_krb5_user_info_init(ctx, user, options); - if (userinfo == NULL) { + /* If we're in a no-cred-session situation, return. */ + if ((!options->cred_session) && + (caller_type == _pam_krb5_session_caller_setcred)) { diff --git a/pam_krb5-2.3.1-switch-perms-on-refresh.dif b/pam_krb5-2.3.1-switch-perms-on-refresh.dif index 92882a3..0c32d69 100644 --- a/pam_krb5-2.3.1-switch-perms-on-refresh.dif +++ b/pam_krb5-2.3.1-switch-perms-on-refresh.dif @@ -1,7 +1,7 @@ -Index: pam_krb5-2.4.4/src/auth.c +Index: pam_krb5-2.4.13/src/auth.c =================================================================== ---- pam_krb5-2.4.4.orig/src/auth.c -+++ pam_krb5-2.4.4/src/auth.c +--- pam_krb5-2.4.13.orig/src/auth.c ++++ pam_krb5-2.4.13/src/auth.c @@ -56,6 +56,7 @@ #include "items.h" #include "kuserok.h" @@ -10,24 +10,30 @@ Index: pam_krb5-2.4.4/src/auth.c #include "options.h" #include "prompter.h" #include "session.h" -@@ -433,6 +434,7 @@ int - pam_sm_setcred(pam_handle_t *pamh, int flags, +@@ -434,6 +435,7 @@ pam_sm_setcred(pam_handle_t *pamh, int f int argc, PAM_KRB5_MAYBE_CONST char **argv) { + const char *why = ""; + struct _pam_krb5_perms *saved_perms; notice("pam_setcred (%s) called", - (flags & PAM_ESTABLISH_CRED)?"establish credential": - (flags & PAM_REINITIALIZE_CRED)?"reinitialize credential": -@@ -444,10 +446,22 @@ pam_sm_setcred(pam_handle_t *pamh, int f + (flags & PAM_ESTABLISH_CRED)?"establish credential": + (flags & PAM_REINITIALIZE_CRED)?"reinitialize credential": +@@ -445,6 +447,8 @@ pam_sm_setcred(pam_handle_t *pamh, int f _pam_krb5_session_caller_setcred); } if (flags & (PAM_REINITIALIZE_CRED | PAM_REFRESH_CRED)) { + saved_perms = _pam_krb5_switch_perms_r2e(); + + if (flags & PAM_REINITIALIZE_CRED) { + why = "pam_setcred(PAM_REINITIALIZE_CRED)"; + if (flags & PAM_REFRESH_CRED) { +@@ -454,9 +458,18 @@ pam_sm_setcred(pam_handle_t *pamh, int f + why = "pam_setcred(PAM_REFRESH_CRED)"; + } if (_pam_krb5_sly_looks_unsafe() == 0) { -- return _pam_krb5_sly_maybe_refresh(pamh, flags, +- return _pam_krb5_sly_maybe_refresh(pamh, flags, why, - argc, argv); -+ int i = _pam_krb5_sly_maybe_refresh(pamh, flags, argc, argv); ++ int i = _pam_krb5_sly_maybe_refresh(pamh, flags, why, argc, argv); + if (saved_perms != NULL) { + _pam_krb5_restore_perms_r2e(saved_perms); + } @@ -39,14 +45,13 @@ Index: pam_krb5-2.4.4/src/auth.c + if (saved_perms != NULL) { + _pam_krb5_restore_perms_r2e(saved_perms); + } -+ saved_perms = NULL; return PAM_IGNORE; } } -Index: pam_krb5-2.4.4/src/perms.c +Index: pam_krb5-2.4.13/src/perms.c =================================================================== ---- pam_krb5-2.4.4.orig/src/perms.c -+++ pam_krb5-2.4.4/src/perms.c +--- pam_krb5-2.4.13.orig/src/perms.c ++++ pam_krb5-2.4.13/src/perms.c @@ -89,3 +89,49 @@ _pam_krb5_restore_perms(struct _pam_krb5 } return ret; @@ -90,17 +95,17 @@ Index: pam_krb5-2.4.4/src/perms.c + int ret = -1; + if (saved != NULL) { + if ((setresuid(saved->ruid, saved->euid, saved->ruid) == 0) && -+ (setresgid(saved->rgid, saved->egid, saved->rgid) == 0)) { ++ (setresgid(saved->rgid, saved->egid, saved->rgid) == 0)) { + ret = 0; + } + free(saved); + } + return ret; +} -Index: pam_krb5-2.4.4/src/perms.h +Index: pam_krb5-2.4.13/src/perms.h =================================================================== ---- pam_krb5-2.4.4.orig/src/perms.h -+++ pam_krb5-2.4.4/src/perms.h +--- pam_krb5-2.4.13.orig/src/perms.h ++++ pam_krb5-2.4.13/src/perms.h @@ -37,4 +37,7 @@ struct _pam_krb5_perms; struct _pam_krb5_perms *_pam_krb5_switch_perms(void); int _pam_krb5_restore_perms(struct _pam_krb5_perms *saved);