pool/pam_krb5
SHA256
4
0
Fork 1
Code Issues Pull Requests Packages Projects Releases Wiki Activity

OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam_krb5?expand=0&rev=33

Browse Source
This commit is contained in:
Josef Möllers 2017-08-10 13:02:50 +00:00 committed by Git OBS Bridge
parent 60468bdbdd
commit 4c663df9a1
3 changed files with 67 additions and 64 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
pam_krb5-2.2.3-1-setcred-assume-establish.dif
View File

@ -1,8 +1,8 @@
Index: src/auth.c Index: pam_krb5-2.4.13/src/auth.c
=================================================================== ===================================================================
--- src/auth.c.orig --- pam_krb5-2.4.13.orig/src/auth.c
+++ src/auth.c +++ pam_krb5-2.4.13/src/auth.c
@@ -470,6 +470,6 @@ pam_sm_setcred(pam_handle_t *pamh, int f @@ -478,6 +478,6 @@ pam_sm_setcred(pam_handle_t *pamh, int f
"pam_setcred(PAM_DELETE_CRED)", "pam_setcred(PAM_DELETE_CRED)",
_pam_krb5_session_caller_setcred); _pam_krb5_session_caller_setcred);
} }

82
pam_krb5-2.3.1-log-choise.dif
View File

@ -1,92 +1,90 @@
Index: pam_krb5-2.4.4/src/acct.c Index: pam_krb5-2.4.13/src/acct.c
=================================================================== ===================================================================
--- pam_krb5-2.4.4.orig/src/acct.c --- pam_krb5-2.4.13.orig/src/acct.c
+++ pam_krb5-2.4.4/src/acct.c +++ pam_krb5-2.4.13/src/acct.c
@@ -89,6 +89,10 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int @@ -90,6 +90,10 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int
_pam_krb5_free_ctx(ctx); _pam_krb5_free_ctx(ctx);
return PAM_SERVICE_ERR; return PAM_SERVICE_ERR;
} }
+ if (options->debug) { + if (options->debug) {
+ debug("pam_acct_mgmt called for '%s', realm '%s'", user, + debug("pam_acct_mgmt called for '%s', realm '%s'", user,
+ options->realm); + options->realm);
+ } + }
/* Get information about the user and the user's principal name. */ /* Get information about the user and the user's principal name. */
userinfo = _pam_krb5_user_info_init(ctx, user, options); userinfo = _pam_krb5_user_info_init(ctx, user, options);
Index: pam_krb5-2.4.4/src/auth.c Index: pam_krb5-2.4.13/src/auth.c
=================================================================== ===================================================================
--- pam_krb5-2.4.4.orig/src/auth.c --- pam_krb5-2.4.13.orig/src/auth.c
+++ pam_krb5-2.4.4/src/auth.c +++ pam_krb5-2.4.13/src/auth.c
@@ -108,9 +108,10 @@ pam_sm_authenticate(pam_handle_t *pamh, @@ -109,8 +109,8 @@ pam_sm_authenticate(pam_handle_t *pamh,
return PAM_SERVICE_ERR; return PAM_SERVICE_ERR;
} }
if (options->debug) { if (options->debug) {
- debug("called to authenticate '%s', realm '%s'", user, - debug("called to authenticate '%s', configured realm '%s'",
- options->realm); - user, options->realm);
+ debug("pam_authenticate called for '%s', realm '%s'", user, + debug("pam_authenticate called for '%s', realm '%s'", user,
+ options->realm); + options->realm);
} }
+
_pam_krb5_set_init_opts(ctx, gic_options, options); _pam_krb5_set_init_opts(ctx, gic_options, options);
/* Prompt for the password, as we might need to. */ @@ -434,6 +434,11 @@ pam_sm_setcred(pam_handle_t *pamh, int f
@@ -432,6 +433,11 @@ int
pam_sm_setcred(pam_handle_t *pamh, int flags,
int argc, PAM_KRB5_MAYBE_CONST char **argv) int argc, PAM_KRB5_MAYBE_CONST char **argv)
{ {
const char *why = "";
+ notice("pam_setcred (%s) called", + notice("pam_setcred (%s) called",
+ (flags & PAM_ESTABLISH_CRED)?"establish credential": + (flags & PAM_ESTABLISH_CRED)?"establish credential":
+ (flags & PAM_REINITIALIZE_CRED)?"reinitialize credential": + (flags & PAM_REINITIALIZE_CRED)?"reinitialize credential":
+ (flags & PAM_REFRESH_CRED)?"refresh credential": + (flags & PAM_REFRESH_CRED)?"refresh credential":
+ (flags & PAM_DELETE_CRED)?"delete credential":"unknown flag"); + (flags & PAM_DELETE_CRED)?"delete credential":"unknown flag");
if (flags & PAM_ESTABLISH_CRED) { if (flags & PAM_ESTABLISH_CRED) {
return _pam_krb5_open_session(pamh, flags, argc, argv, return _pam_krb5_open_session(pamh, flags, argc, argv,
"pam_setcred(PAM_ESTABLISH_CRED)", "pam_setcred(PAM_ESTABLISH_CRED)",
Index: pam_krb5-2.4.4/src/password.c Index: pam_krb5-2.4.13/src/password.c
=================================================================== ===================================================================
--- pam_krb5-2.4.4.orig/src/password.c --- pam_krb5-2.4.13.orig/src/password.c
+++ pam_krb5-2.4.4/src/password.c +++ pam_krb5-2.4.13/src/password.c
@@ -110,6 +110,16 @@ pam_sm_chauthtok(pam_handle_t *pamh, int @@ -111,6 +111,16 @@ pam_sm_chauthtok(pam_handle_t *pamh, int
_pam_krb5_free_ctx(ctx); _pam_krb5_free_ctx(ctx);
return PAM_SERVICE_ERR; return PAM_SERVICE_ERR;
} }
+ if (options->debug) { + if (options->debug) {
+ debug("pam_chauthtok called (%s) for '%s', realm '%s'", + debug("pam_chauthtok called (%s) for '%s', realm '%s'",
+ (flags & PAM_PRELIM_CHECK) ? + (flags & PAM_PRELIM_CHECK) ?
+ "preliminary check" : + "preliminary check" :
+ ((flags & PAM_UPDATE_AUTHTOK) ? + ((flags & PAM_UPDATE_AUTHTOK) ?
+ "updating authtok": + "updating authtok":
+ "unknown phase"), + "unknown phase"),
+ user, + user,
+ options->realm); + options->realm);
+ } + }
_pam_krb5_set_init_opts(ctx, gic_options, options); _pam_krb5_set_init_opts(ctx, gic_options, options);
/* Get information about the user and the user's principal name. */ /* Get information about the user and the user's principal name. */
Index: pam_krb5-2.4.4/src/session.c Index: pam_krb5-2.4.13/src/session.c
=================================================================== ===================================================================
--- pam_krb5-2.4.4.orig/src/session.c --- pam_krb5-2.4.13.orig/src/session.c
+++ pam_krb5-2.4.4/src/session.c +++ pam_krb5-2.4.13/src/session.c
@@ -97,6 +97,10 @@ _pam_krb5_open_session(pam_handle_t *pam @@ -98,6 +98,10 @@ _pam_krb5_open_session(pam_handle_t *pam
_pam_krb5_free_ctx(ctx); _pam_krb5_free_ctx(ctx);
return PAM_SERVICE_ERR; return PAM_SERVICE_ERR;
} }
+ if (options->debug) { + if (options->debug) {
+ debug("pam_open_session called for '%s', realm '%s'", user, + debug("pam_open_session called for '%s', realm '%s'", user,
+ options->realm); + options->realm);
+ } + }
/* If we're in a no-cred-session situation, return. */ /* If we're in a no-cred-session situation, return. */
if ((!options->cred_session) && if ((!options->cred_session) &&
@@ -301,7 +305,10 @@ _pam_krb5_close_session(pam_handle_t *pa @@ -295,7 +299,10 @@ _pam_krb5_close_session(pam_handle_t *pa
_pam_krb5_free_ctx(ctx); _pam_krb5_free_ctx(ctx);
return PAM_SUCCESS; return PAM_SERVICE_ERR;
} }
- -
+ if (options->debug) { + if (options->debug) {
+ debug("pam_close_session called for '%s', realm '%s'", user, + debug("pam_close_session called for '%s', realm '%s'", user,
+ options->realm); + options->realm);
+ } + }
/* Get information about the user and the user's principal name. */ /* If we're in a no-cred-session situation, return. */
userinfo = _pam_krb5_user_info_init(ctx, user, options); if ((!options->cred_session) &&
if (userinfo == NULL) { (caller_type == _pam_krb5_session_caller_setcred)) {

41
pam_krb5-2.3.1-switch-perms-on-refresh.dif
View File

@ -1,7 +1,7 @@
Index: pam_krb5-2.4.4/src/auth.c Index: pam_krb5-2.4.13/src/auth.c
=================================================================== ===================================================================
--- pam_krb5-2.4.4.orig/src/auth.c --- pam_krb5-2.4.13.orig/src/auth.c
+++ pam_krb5-2.4.4/src/auth.c +++ pam_krb5-2.4.13/src/auth.c
@@ -56,6 +56,7 @@ @@ -56,6 +56,7 @@
#include "items.h" #include "items.h"
#include "kuserok.h" #include "kuserok.h"
@ -10,24 +10,30 @@ Index: pam_krb5-2.4.4/src/auth.c
#include "options.h" #include "options.h"
#include "prompter.h" #include "prompter.h"
#include "session.h" #include "session.h"
@@ -433,6 +434,7 @@ int @@ -434,6 +435,7 @@ pam_sm_setcred(pam_handle_t *pamh, int f
pam_sm_setcred(pam_handle_t *pamh, int flags,
int argc, PAM_KRB5_MAYBE_CONST char **argv) int argc, PAM_KRB5_MAYBE_CONST char **argv)
{ {
const char *why = "";
+ struct _pam_krb5_perms *saved_perms; + struct _pam_krb5_perms *saved_perms;
notice("pam_setcred (%s) called", notice("pam_setcred (%s) called",
(flags & PAM_ESTABLISH_CRED)?"establish credential": (flags & PAM_ESTABLISH_CRED)?"establish credential":
(flags & PAM_REINITIALIZE_CRED)?"reinitialize credential": (flags & PAM_REINITIALIZE_CRED)?"reinitialize credential":
@@ -444,10 +446,22 @@ pam_sm_setcred(pam_handle_t *pamh, int f @@ -445,6 +447,8 @@ pam_sm_setcred(pam_handle_t *pamh, int f
_pam_krb5_session_caller_setcred); _pam_krb5_session_caller_setcred);
} }
if (flags & (PAM_REINITIALIZE_CRED | PAM_REFRESH_CRED)) { if (flags & (PAM_REINITIALIZE_CRED | PAM_REFRESH_CRED)) {
+ saved_perms = _pam_krb5_switch_perms_r2e(); + saved_perms = _pam_krb5_switch_perms_r2e();
+ +
if (flags & PAM_REINITIALIZE_CRED) {
why = "pam_setcred(PAM_REINITIALIZE_CRED)";
if (flags & PAM_REFRESH_CRED) {
@@ -454,9 +458,18 @@ pam_sm_setcred(pam_handle_t *pamh, int f
why = "pam_setcred(PAM_REFRESH_CRED)";
}
if (_pam_krb5_sly_looks_unsafe() == 0) { if (_pam_krb5_sly_looks_unsafe() == 0) {
- return _pam_krb5_sly_maybe_refresh(pamh, flags, - return _pam_krb5_sly_maybe_refresh(pamh, flags, why,
- argc, argv); - argc, argv);
+ int i = _pam_krb5_sly_maybe_refresh(pamh, flags, argc, argv); + int i = _pam_krb5_sly_maybe_refresh(pamh, flags, why, argc, argv);
+ if (saved_perms != NULL) { + if (saved_perms != NULL) {
+ _pam_krb5_restore_perms_r2e(saved_perms); + _pam_krb5_restore_perms_r2e(saved_perms);
+ } + }
@ -39,14 +45,13 @@ Index: pam_krb5-2.4.4/src/auth.c
+ if (saved_perms != NULL) { + if (saved_perms != NULL) {
+ _pam_krb5_restore_perms_r2e(saved_perms); + _pam_krb5_restore_perms_r2e(saved_perms);
+ } + }
+ saved_perms = NULL;
return PAM_IGNORE; return PAM_IGNORE;
} }
} }
Index: pam_krb5-2.4.4/src/perms.c Index: pam_krb5-2.4.13/src/perms.c
=================================================================== ===================================================================
--- pam_krb5-2.4.4.orig/src/perms.c --- pam_krb5-2.4.13.orig/src/perms.c
+++ pam_krb5-2.4.4/src/perms.c +++ pam_krb5-2.4.13/src/perms.c
@@ -89,3 +89,49 @@ _pam_krb5_restore_perms(struct _pam_krb5 @@ -89,3 +89,49 @@ _pam_krb5_restore_perms(struct _pam_krb5
} }
return ret; return ret;
@ -90,17 +95,17 @@ Index: pam_krb5-2.4.4/src/perms.c
+ int ret = -1; + int ret = -1;
+ if (saved != NULL) { + if (saved != NULL) {
+ if ((setresuid(saved->ruid, saved->euid, saved->ruid) == 0) && + if ((setresuid(saved->ruid, saved->euid, saved->ruid) == 0) &&
+ (setresgid(saved->rgid, saved->egid, saved->rgid) == 0)) { + (setresgid(saved->rgid, saved->egid, saved->rgid) == 0)) {
+ ret = 0; + ret = 0;
+ } + }
+ free(saved); + free(saved);
+ } + }
+ return ret; + return ret;
+} +}
Index: pam_krb5-2.4.4/src/perms.h Index: pam_krb5-2.4.13/src/perms.h
=================================================================== ===================================================================
--- pam_krb5-2.4.4.orig/src/perms.h --- pam_krb5-2.4.13.orig/src/perms.h
+++ pam_krb5-2.4.4/src/perms.h +++ pam_krb5-2.4.13/src/perms.h
@@ -37,4 +37,7 @@ struct _pam_krb5_perms; @@ -37,4 +37,7 @@ struct _pam_krb5_perms;
struct _pam_krb5_perms *_pam_krb5_switch_perms(void); struct _pam_krb5_perms *_pam_krb5_switch_perms(void);
int _pam_krb5_restore_perms(struct _pam_krb5_perms *saved); int _pam_krb5_restore_perms(struct _pam_krb5_perms *saved);