pool/pam_krb5
SHA256
4
0
Fork 1
Code Issues Pull Requests Packages Projects Releases Wiki Activity

OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/pam_krb5?expand=0&rev=30

Browse Source
This commit is contained in:
OBS User unknown 2009-05-20 21:55:08 +00:00 committed by Git OBS Bridge
parent b1b95eef95
commit 69a7cfe6de
9 changed files with 38 additions and 461 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

253
bug-425861_pam_krb5-2.3.1-ccacheperms.patch
View File

@ -1,253 +0,0 @@
Index: pam_krb5-2.3.1-1/src/Makefile.am
===================================================================
--- pam_krb5-2.3.1-1.orig/src/Makefile.am
+++ pam_krb5-2.3.1-1/src/Makefile.am
@@ -37,6 +37,8 @@ libpam_krb5_la_SOURCES = \
kuserok.c \
kuserok.h \
minikafs.h \
+ perms.c \
+ perms.h \
prompter.c \
prompter.h \
shmem.c \
@@ -112,6 +114,7 @@ harness_LDADD = \
map.lo \
initopts.lo \
options.lo \
+ perms.lo \
userinfo.lo \
sly.lo \
v4.lo \
@@ -125,6 +128,7 @@ harness_newpag_LDADD = \
pam_newpag.lo \
logstdio.lo \
options.lo \
+ perms.lo \
v4.lo \
v5.lo
harness_newpag_LDADD += libpam_krb5.la @PAM_LIBS@ @KRB5_LIBS@ @KRB4_LIBS@ @KEYUTILS_LIBS@
Index: pam_krb5-2.3.1-1/src/perms.c
===================================================================
--- /dev/null
+++ pam_krb5-2.3.1-1/src/perms.c
@@ -0,0 +1,89 @@
+/*
+ * Copyright 2008 Red Hat, Inc.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, and the entire permission notice in its entirety,
+ * including the disclaimer of warranties.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior
+ * written permission.
+ *
+ * ALTERNATIVELY, this product may be distributed under the terms of the
+ * GNU Lesser General Public License, in which case the provisions of the
+ * LGPL are required INSTEAD OF the above restrictions.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN
+ * NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
+ * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "../config.h"
+
+#include <sys/types.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include "perms.h"
+
+struct _pam_krb5_perms {
+ uid_t ruid, euid;
+ gid_t rgid, egid;
+};
+
+struct _pam_krb5_perms *
+_pam_krb5_switch_perms(void)
+{
+ struct _pam_krb5_perms *ret;
+ ret = malloc(sizeof(*ret));
+ if (ret != NULL) {
+ ret->ruid = getuid();
+ ret->euid = geteuid();
+ ret->rgid = getgid();
+ ret->egid = getegid();
+ if (ret->ruid == ret->euid) {
+ ret->ruid = -1;
+ ret->euid = -1;
+ }
+ if (ret->rgid == ret->egid) {
+ ret->rgid = -1;
+ ret->egid = -1;
+ }
+ if (setregid(ret->egid, ret->rgid) == -1) {
+ free(ret);
+ ret = NULL;
+ } else {
+ if (setreuid(ret->euid, ret->ruid) == -1) {
+ setregid(ret->rgid, ret->egid);
+ free(ret);
+ ret = NULL;
+ }
+ }
+ }
+ return ret;
+}
+
+int
+_pam_krb5_restore_perms(struct _pam_krb5_perms *saved)
+{
+ int ret = -1;
+ if (saved != NULL) {
+ if ((setreuid(saved->ruid, saved->euid) == 0) &&
+ (setregid(saved->rgid, saved->egid) == 0)) {
+ ret = 0;
+ }
+ free(saved);
+ }
+ return ret;
+}
Index: pam_krb5-2.3.1-1/src/perms.h
===================================================================
--- /dev/null
+++ pam_krb5-2.3.1-1/src/perms.h
@@ -0,0 +1,40 @@
+/*
+ * Copyright 2008 Red Hat, Inc.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, and the entire permission notice in its entirety,
+ * including the disclaimer of warranties.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior
+ * written permission.
+ *
+ * ALTERNATIVELY, this product may be distributed under the terms of the
+ * GNU Lesser General Public License, in which case the provisions of the
+ * LGPL are required INSTEAD OF the above restrictions.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN
+ * NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
+ * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef pam_krb5_perms_h
+#define pam_krb5_perms_h
+
+struct _pam_krb5_perms;
+struct _pam_krb5_perms *_pam_krb5_switch_perms(void);
+int _pam_krb5_restore_perms(struct _pam_krb5_perms *saved);
+
+#endif
Index: pam_krb5-2.3.1-1/src/v5.c
===================================================================
--- pam_krb5-2.3.1-1.orig/src/v5.c
+++ pam_krb5-2.3.1-1/src/v5.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2003,2004,2005,2006,2007,2008 Red Hat, Inc.
+ * Copyright 2003,2004,2005,2006,2007 Red Hat, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -66,6 +66,7 @@
#include "conv.h"
#include "log.h"
+#include "perms.h"
#include "prompter.h"
#include "stash.h"
#include "userinfo.h"
@@ -833,6 +834,7 @@ v5_get_creds(krb5_context ctx,
const char *realm;
struct pam_message message;
struct _pam_krb5_prompter_data prompter_data;
+ struct _pam_krb5_perms *saved_perms;
krb5_principal service_principal;
krb5_creds tmpcreds;
krb5_ccache ccache;
@@ -884,28 +886,46 @@ v5_get_creds(krb5_context ctx,
"from %s", krb5_cc_default_name(ctx));
}
memset(&ccache, 0, sizeof(ccache));
- if (krb5_cc_default(ctx, &ccache) == 0) {
+ /* In case we're setuid/setgid, switch to the caller's
+ * permissions. */
+ saved_perms = _pam_krb5_switch_perms();
+ if ((saved_perms != NULL) &&
+ (krb5_cc_default(ctx, &ccache) == 0)) {
tmpcreds.client = userinfo->principal_name;
tmpcreds.server = service_principal;
i = krb5_cc_retrieve_cred(ctx, ccache, 0,
&tmpcreds, creds);
+ /* FIXME: check if the creds are expired?
+ * What's the right error code if we check, and
+ * they are? */
memset(&tmpcreds, 0, sizeof(tmpcreds));
krb5_cc_close(ctx, ccache);
- switch (v5_validate(ctx, creds, options)) {
- case 0:
- /* we're fine */
- break;
- default:
- /* something (anything) went wrong --
- * discard them */
- krb5_free_cred_contents(ctx, creds);
- i = KRB5KRB_ERR_GENERIC;
- break;
+ /* In case we're setuid/setgid, restore the
+ * previous permissions. */
+ if (saved_perms != NULL) {
+ if (_pam_krb5_restore_perms(saved_perms) != 0) {
+ krb5_free_cred_contents(ctx, creds);
+ memset(creds, 0, sizeof(*creds));
+ krb5_free_principal(ctx, service_principal);
+ return PAM_SYSTEM_ERR;
+ }
+ saved_perms = NULL;
}
} else {
warn("error opening default ccache");
i = KRB5_CC_NOTFOUND;
}
+ /* In case we're setuid/setgid, switch back to the
+ * previous permissions if we didn't already. */
+ if (saved_perms != NULL) {
+ if (_pam_krb5_restore_perms(saved_perms) != 0) {
+ krb5_free_cred_contents(ctx, creds);
+ memset(creds, 0, sizeof(*creds));
+ krb5_free_principal(ctx, service_principal);
+ return PAM_SYSTEM_ERR;
+ }
+ saved_perms = NULL;
+ }
krb5_free_principal(ctx, service_principal);
} else {
warn("error parsing TGT principal name (%s) "

3
pam_krb5-2.3.1-1.tar.bz2
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:faa8fb8d46f74a56352fc80001c1b1570c4ffb0f6b7a456bca227cffcd2dbb58
size 413865

35
pam_krb5-2.3.1-fix-pwchange-with-use_shmem.dif
View File

@ -1,35 +0,0 @@
diff --git a/src/password.c b/src/password.c
index 85ab240..5ed4cf1 100644
--- a/src/password.c
+++ b/src/password.c
@@ -442,16 +442,22 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags,
_pam_krb5_always_fail_prompter,
&stash->v5result);
stash->v5attempted = 1;
- if ((i == PAM_SUCCESS) &&
- ((options->v4 == 1) || (options->v4_for_afs == 1))) {
- v4_get_creds(ctx, pamh, stash, userinfo,
- options, password, &i);
- if (i != 0) {
- if (options->debug) {
- debug("error obtaining initial credentials using newly-set password: %d (%s)",
- i, v5_error_message(i));
+ if (i == PAM_SUCCESS) {
+ if ((options->v4 == 1) || (options->v4_for_afs == 1)) {
+ v4_get_creds(ctx, pamh, stash, userinfo,
+ options, password, &i);
+ if (i != 0) {
+ if (options->debug) {
+ debug("error obtaining initial credentials using newly-set password: %d (%s)",
+ i, v5_error_message(i));
+ }
}
}
+ if (options->use_shmem) {
+ _pam_krb5_stash_shm_write(pamh, stash,
+ options,
+ userinfo);
+ }
}
}

128
pam_krb5-2.3.1-post.dif
View File

@ -1,128 +0,0 @@
Index: src/v5.c
===================================================================
--- src/v5.c.orig
+++ src/v5.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2003,2004,2005,2006,2007 Red Hat, Inc.
+ * Copyright 2003,2004,2005,2006,2007,2008 Red Hat, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -889,11 +889,19 @@ v5_get_creds(krb5_context ctx,
tmpcreds.server = service_principal;
i = krb5_cc_retrieve_cred(ctx, ccache, 0,
&tmpcreds, creds);
- /* FIXME: check if the creds are expired?
- * What's the right error code if we check, and
- * they are? */
memset(&tmpcreds, 0, sizeof(tmpcreds));
krb5_cc_close(ctx, ccache);
+ switch (v5_validate(ctx, creds, options)) {
+ case 0:
+ /* we're fine */
+ break;
+ default:
+ /* something (anything) went wrong --
+ * discard them */
+ krb5_free_cred_contents(ctx, creds);
+ i = KRB5KRB_ERR_GENERIC;
+ break;
+ }
} else {
warn("error opening default ccache");
i = KRB5_CC_NOTFOUND;
Index: configure.ac
===================================================================
--- configure.ac.orig
+++ configure.ac
@@ -360,6 +360,18 @@ if test x$keyutils != xno ; then
AC_SUBST(KEYUTILS_LIBS)
fi
+AC_MSG_CHECKING(whether to link directly with libpam)
+AC_ARG_WITH(libpam,
+[AC_HELP_STRING(--without-libpam,[Refrain from linking directly with libpam.])],
+ [with_libpam=$withval],
+ [with_libpam=yes])
+if test "$with_libpam" != no ; then
+ AC_MSG_RESULT(yes)
+else
+ AC_MSG_RESULT(no)
+fi
+AM_CONDITIONAL(WITH_DIRECT_LIBPAM,test "$with_libpam" != no)
+
AC_ARG_ENABLE(default-realm,AC_HELP_STRING([--enable-default-realm=REALM],[last-ditch fallback realm (default is EXAMPLE.COM)]),default_realm=$enableval,default_realm=EXAMPLE.COM)
AC_DEFINE_UNQUOTED(DEFAULT_REALM,"$default_realm",[Define to the realm name which will be used if no realm is given as a parameter and none is given in krb5.conf.])
AC_MSG_RESULT([Using "$default_realm" as the default realm.])
Index: src/Makefile.am
===================================================================
--- src/Makefile.am.orig
+++ src/Makefile.am
@@ -21,6 +21,12 @@ man_MANS += afs5log.1
noinst_PROGRAMS += pagsh
endif
+if WITH_DIRECT_LIBPAM
+DIRECT_LIBPAM = -lpam
+else
+DIRECT_LIBPAM =
+endif
+
libpam_krb5_la_SOURCES = \
conv.c \
conv.h \
@@ -47,7 +53,7 @@ libpam_krb5_la_SOURCES = \
v5.h
pam_krb5_la_LDFLAGS = -avoid-version -export-dynamic -module -export-symbols-regex 'pam_sm.*' @SYMBOLIC_LINKER_FLAG@
-pam_krb5_la_LIBADD = libpam_krb5.la @KRB5_LIBS@ @KRB4_LIBS@ @KEYUTILS_LIBS@
+pam_krb5_la_LIBADD = libpam_krb5.la @KRB5_LIBS@ @KRB4_LIBS@ @KEYUTILS_LIBS@ $(DIRECT_LIBPAM)
pam_krb5_la_SOURCES = \
initopts.c \
initopts.h \
Index: src/options.c
===================================================================
--- src/options.c.orig
+++ src/options.c
@@ -105,7 +105,8 @@ option_b(int argc, PAM_KRB5_MAYBE_CONST
ret = -1;
/* configured service yes */
- if ((ret == -1) && (service != NULL) && (strlen(service) > 0)) {
+ if ((ret == -1) && (realm != NULL) &&
+ (service != NULL) && (strlen(service) > 0)) {
list = option_l(argc, argv, ctx, realm, s, "");
for (i = 0; ((list != NULL) && (list[i] != NULL)); i++) {
if (strcmp(list[i], service) == 0) {
@@ -116,7 +117,8 @@ option_b(int argc, PAM_KRB5_MAYBE_CONST
}
/* configured service no */
- if ((ret == -1) && (service != NULL) && (strlen(service) > 0)) {
+ if ((ret == -1) && (realm != NULL) &&
+ (service != NULL) && (strlen(service) > 0)) {
for (i = 0; i < (sizeof(prefix) / sizeof(prefix[0])); i++) {
nots = malloc(strlen(prefix[i]) + strlen(s) + 1);
if (nots != NULL) {
@@ -142,7 +144,7 @@ option_b(int argc, PAM_KRB5_MAYBE_CONST
}
/* configured boolean */
- if (ret == -1) {
+ if ((ret == -1) && (realm != NULL)) {
v5_appdefault_boolean(ctx, realm, s, -1, &ret);
}
@@ -331,6 +333,11 @@ _pam_krb5_options_init(pam_handle_t *pam
_pam_krb5_get_item_text(pamh, PAM_SERVICE, &service);
}
+ /* command-line option */
+ options->debug = option_b(argc, argv, ctx, NULL,
+ service, NULL, NULL,
+ "debug", 0);
+
for (i = 0; i < argc; i++) {
if (strncmp(argv[i], "realm=", 6) == 0) {
if (options->realm != NULL) {

3
pam_krb5-2.3.4-1.tar.bz2 Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:6b9cbb260a50085c22107d06c2e73d6f757a1e3901e2eae61406b90bed9e59da
size 426907

17
pam_krb5-LINGUAS.dif
View File

@ -1,31 +1,24 @@
--- po/LINGUAS
+++ po/LINGUAS 2008/10/24 12:25:20
@@ -1 +1,28 @@
+++ po/LINGUAS 2009/05/20 10:30:47
@@ -14,3 +14,21 @@
sr
sr@latin
sv
+ar
+bg
+cs
+da
de
+es
+fi
+fr
+hr
+hu
+it
+ja
+ka
+km
+ko
+nb
+nl
+pl
+pt_BR
+pt
+ru
+sv
+th
+uk
+wa
+zh_CN
+zh_TW
+

13
pam_krb5-po-Makevars.dif
View File

@ -1,13 +0,0 @@
Index: pam_krb5-2.3.1-1/po/Makevars
===================================================================
--- pam_krb5-2.3.1-1.orig/po/Makevars
+++ pam_krb5-2.3.1-1/po/Makevars
@@ -8,7 +8,7 @@ subdir = po
top_builddir = ..
# These options get passed to xgettext.
-XGETTEXT_OPTIONS = --keyword=_ --keyword=N_
+XGETTEXT_OPTIONS = --keyword=_ --keyword=N_ --keyword=Y_
# This is the copyright holder that gets inserted into the header of the
# $(DOMAIN).pot file. Set this to the copyright holder of the surrounding

12
pam_krb5.changes
View File

@ -1,3 +1,15 @@
-------------------------------------------------------------------
Wed May 20 11:49:22 CEST 2009 - mc@suse.de
- update to version 2.3.4
* don't request password-changing credentials using the same options
we use for ticket-granting tickets
* close a couple of open pipes to defunct processes, fix a couple
of debug messages
* fix ccache permissions bypass when the "existing_ticket" option is
used (CVE-2008-3825, which affects 2.2.0-2.2.25, 2.3.0, and 2.3.1)
- obsolete a lot of patches.
-------------------------------------------------------------------
Thu Feb 5 12:31:29 CET 2009 - mc@suse.de

35
pam_krb5.spec
View File

@ -1,5 +1,5 @@
#
# spec file for package pam_krb5 (Version 2.3.1)
# spec file for package pam_krb5 (Version 2.3.4)
#
# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
@ -30,21 +30,17 @@ AutoReqProv: on
Obsoletes: pam_krb5-64bit
%endif
#
Version: 2.3.1
Release: 48
Version: 2.3.4
Release: 1
Summary: PAM Module for Kerberos Authentication
Url: http://sourceforge.net/projects/pam-krb5/
Source: pam_krb5-%{version}-%{PAM_RELEASE}.tar.bz2
Source2: pam_krb5-po.tar.gz
Patch1: pam_krb5-2.2.0-0.5-configure_ac.dif
Patch3: pam_krb5-2.3.1-log-choise.dif
Patch4: pam_krb5-po-Makevars.dif
Patch5: pam_krb5-LINGUAS.dif
Patch6: pam_krb5-2.3.1-post.dif
Patch7: bug-425861_pam_krb5-2.3.1-ccacheperms.patch
Patch8: pam_krb5-2.3.1-fix-pwchange-with-use_shmem.dif
Patch9: pam_krb5-2.3.1-switch-perms-on-refresh.dif
Patch10: pam_krb5-2.2.3-1-setcred-assume-establish.dif
Patch2: pam_krb5-2.3.1-log-choise.dif
Patch3: pam_krb5-LINGUAS.dif
Patch4: pam_krb5-2.3.1-switch-perms-on-refresh.dif
Patch5: pam_krb5-2.2.3-1-setcred-assume-establish.dif
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
@ -62,14 +58,10 @@ Authors:
%setup -q -n pam_krb5-%{version}-%{PAM_RELEASE}
%setup -a 2 -T -D -n pam_krb5-%{version}-%{PAM_RELEASE}
%patch1
%patch3 -p1
%patch2 -p1
%patch3
%patch4 -p1
%patch5
%patch6
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10
%build
%{suse_update_config -f}
@ -104,6 +96,15 @@ rm -rf $RPM_BUILD_ROOT
%attr(755,root,root) /usr/bin/afs5log
%changelog
* Wed May 20 2009 mc@suse.de
- update to version 2.3.4
* don't request password-changing credentials using the same options
we use for ticket-granting tickets
* close a couple of open pipes to defunct processes, fix a couple
of debug messages
* fix ccache permissions bypass when the "existing_ticket" option is
used (CVE-2008-3825, which affects 2.2.0-2.2.25, 2.3.0, and 2.3.1)
- obsolete a lot of patches.
* Thu Feb 05 2009 mc@suse.de
- update translations
* Mon Feb 02 2009 mc@suse.de