pool/pam_krb5
SHA256
6
0
Fork 1
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Accepting request 515934 from Linux-PAM

Browse Source 
OBS-URL: https://build.opensuse.org/request/show/515934
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/pam_krb5?expand=0&rev=58
This commit is contained in:
Dominique Leuenberger 2017-08-24 16:50:17 +00:00 committed by Git OBS Bridge
commit ab4e59c984
11 changed files with 108 additions and 108 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
bug-641008_pam_krb5-2.3.11-setcred-log.diff
View File

@ -1,26 +1,27 @@
Index: pam_krb5-2.4.4/src/auth.c
Index: pam_krb5-2.4.13/src/auth.c
===================================================================
--- pam_krb5-2.4.4.orig/src/auth.c
+++ pam_krb5-2.4.4/src/auth.c
@@ -434,13 +434,32 @@ int
pam_sm_setcred(pam_handle_t *pamh, int flags,
--- pam_krb5-2.4.13.orig/src/auth.c
+++ pam_krb5-2.4.13/src/auth.c
@@ -435,13 +435,33 @@ pam_sm_setcred(pam_handle_t *pamh, int f
int argc, PAM_KRB5_MAYBE_CONST char **argv)
{
const char *why = "";
+ krb5_context ctx;
+ struct _pam_krb5_options *options;
struct _pam_krb5_perms *saved_perms;
- notice("pam_setcred (%s) called",
- (flags & PAM_ESTABLISH_CRED)?"establish credential":
- (flags & PAM_REINITIALIZE_CRED)?"reinitialize credential":
- (flags & PAM_REFRESH_CRED)?"refresh credential":
- (flags & PAM_DELETE_CRED)?"delete credential":"unknown flag");
- (flags & PAM_ESTABLISH_CRED)?"establish credential":
- (flags & PAM_REINITIALIZE_CRED)?"reinitialize credential":
- (flags & PAM_REFRESH_CRED)?"refresh credential":
- (flags & PAM_DELETE_CRED)?"delete credential":"unknown flag");
+
+ if (_pam_krb5_init_ctx(&ctx, argc, argv) != 0) {
+ warn("error initializing Kerberos");
+ return PAM_SERVICE_ERR;
+ }
+
+ options = _pam_krb5_options_init(pamh, argc, argv, ctx);
+ options = _pam_krb5_options_init(pamh, argc, argv, ctx,
+ _pam_krb5_option_role_general);
+ if (options == NULL) {
+ warn("error parsing options (shouldn't happen)");
+ krb5_free_context(ctx);
@ -40,7 +41,7 @@ Index: pam_krb5-2.4.4/src/auth.c
return _pam_krb5_open_session(pamh, flags, argc, argv,
"pam_setcred(PAM_ESTABLISH_CRED)",
_pam_krb5_session_caller_setcred);
@@ -455,21 +474,31 @@ pam_sm_setcred(pam_handle_t *pamh, int f
@@ -464,20 +484,30 @@ pam_sm_setcred(pam_handle_t *pamh, int f
}
saved_perms = NULL;
@ -55,7 +56,6 @@ Index: pam_krb5-2.4.4/src/auth.c
if (saved_perms != NULL) {
_pam_krb5_restore_perms_r2e(saved_perms);
}
saved_perms = NULL;
+ _pam_krb5_options_free(pamh, ctx, options);
+ krb5_free_context(ctx);
return PAM_IGNORE;

8
pam_krb5-2.2.3-1-setcred-assume-establish.dif
View File

@ -1,8 +1,8 @@
Index: src/auth.c
Index: pam_krb5-2.4.13/src/auth.c
===================================================================
--- src/auth.c.orig
+++ src/auth.c
@@ -470,6 +470,6 @@ pam_sm_setcred(pam_handle_t *pamh, int f
--- pam_krb5-2.4.13.orig/src/auth.c
+++ pam_krb5-2.4.13/src/auth.c
@@ -478,6 +478,6 @@ pam_sm_setcred(pam_handle_t *pamh, int f
"pam_setcred(PAM_DELETE_CRED)",
_pam_krb5_session_caller_setcred);
}

82
pam_krb5-2.3.1-log-choise.dif
View File

@ -1,92 +1,90 @@
Index: pam_krb5-2.4.4/src/acct.c
Index: pam_krb5-2.4.13/src/acct.c
===================================================================
--- pam_krb5-2.4.4.orig/src/acct.c
+++ pam_krb5-2.4.4/src/acct.c
@@ -89,6 +89,10 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int
--- pam_krb5-2.4.13.orig/src/acct.c
+++ pam_krb5-2.4.13/src/acct.c
@@ -90,6 +90,10 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int
_pam_krb5_free_ctx(ctx);
return PAM_SERVICE_ERR;
}
+ if (options->debug) {
+ debug("pam_acct_mgmt called for '%s', realm '%s'", user,
+ options->realm);
+ options->realm);
+ }
/* Get information about the user and the user's principal name. */
userinfo = _pam_krb5_user_info_init(ctx, user, options);
Index: pam_krb5-2.4.4/src/auth.c
Index: pam_krb5-2.4.13/src/auth.c
===================================================================
--- pam_krb5-2.4.4.orig/src/auth.c
+++ pam_krb5-2.4.4/src/auth.c
@@ -108,9 +108,10 @@ pam_sm_authenticate(pam_handle_t *pamh,
--- pam_krb5-2.4.13.orig/src/auth.c
+++ pam_krb5-2.4.13/src/auth.c
@@ -109,8 +109,8 @@ pam_sm_authenticate(pam_handle_t *pamh,
return PAM_SERVICE_ERR;
}
if (options->debug) {
- debug("called to authenticate '%s', realm '%s'", user,
- options->realm);
- debug("called to authenticate '%s', configured realm '%s'",
- user, options->realm);
+ debug("pam_authenticate called for '%s', realm '%s'", user,
+ options->realm);
+ options->realm);
}
+
_pam_krb5_set_init_opts(ctx, gic_options, options);
/* Prompt for the password, as we might need to. */
@@ -432,6 +433,11 @@ int
pam_sm_setcred(pam_handle_t *pamh, int flags,
@@ -434,6 +434,11 @@ pam_sm_setcred(pam_handle_t *pamh, int f
int argc, PAM_KRB5_MAYBE_CONST char **argv)
{
const char *why = "";
+ notice("pam_setcred (%s) called",
+ (flags & PAM_ESTABLISH_CRED)?"establish credential":
+ (flags & PAM_REINITIALIZE_CRED)?"reinitialize credential":
+ (flags & PAM_REFRESH_CRED)?"refresh credential":
+ (flags & PAM_DELETE_CRED)?"delete credential":"unknown flag");
+ (flags & PAM_ESTABLISH_CRED)?"establish credential":
+ (flags & PAM_REINITIALIZE_CRED)?"reinitialize credential":
+ (flags & PAM_REFRESH_CRED)?"refresh credential":
+ (flags & PAM_DELETE_CRED)?"delete credential":"unknown flag");
if (flags & PAM_ESTABLISH_CRED) {
return _pam_krb5_open_session(pamh, flags, argc, argv,
"pam_setcred(PAM_ESTABLISH_CRED)",
Index: pam_krb5-2.4.4/src/password.c
Index: pam_krb5-2.4.13/src/password.c
===================================================================
--- pam_krb5-2.4.4.orig/src/password.c
+++ pam_krb5-2.4.4/src/password.c
@@ -110,6 +110,16 @@ pam_sm_chauthtok(pam_handle_t *pamh, int
--- pam_krb5-2.4.13.orig/src/password.c
+++ pam_krb5-2.4.13/src/password.c
@@ -111,6 +111,16 @@ pam_sm_chauthtok(pam_handle_t *pamh, int
_pam_krb5_free_ctx(ctx);
return PAM_SERVICE_ERR;
}
+ if (options->debug) {
+ debug("pam_chauthtok called (%s) for '%s', realm '%s'",
+ (flags & PAM_PRELIM_CHECK) ?
+ "preliminary check" :
+ ((flags & PAM_UPDATE_AUTHTOK) ?
+ "updating authtok":
+ "unknown phase"),
+ user,
+ options->realm);
+ (flags & PAM_PRELIM_CHECK) ?
+ "preliminary check" :
+ ((flags & PAM_UPDATE_AUTHTOK) ?
+ "updating authtok":
+ "unknown phase"),
+ user,
+ options->realm);
+ }
_pam_krb5_set_init_opts(ctx, gic_options, options);
/* Get information about the user and the user's principal name. */
Index: pam_krb5-2.4.4/src/session.c
Index: pam_krb5-2.4.13/src/session.c
===================================================================
--- pam_krb5-2.4.4.orig/src/session.c
+++ pam_krb5-2.4.4/src/session.c
@@ -97,6 +97,10 @@ _pam_krb5_open_session(pam_handle_t *pam
--- pam_krb5-2.4.13.orig/src/session.c
+++ pam_krb5-2.4.13/src/session.c
@@ -98,6 +98,10 @@ _pam_krb5_open_session(pam_handle_t *pam
_pam_krb5_free_ctx(ctx);
return PAM_SERVICE_ERR;
}
+ if (options->debug) {
+ debug("pam_open_session called for '%s', realm '%s'", user,
+ options->realm);
+ options->realm);
+ }
/* If we're in a no-cred-session situation, return. */
if ((!options->cred_session) &&
@@ -301,7 +305,10 @@ _pam_krb5_close_session(pam_handle_t *pa
@@ -295,7 +299,10 @@ _pam_krb5_close_session(pam_handle_t *pa
_pam_krb5_free_ctx(ctx);
return PAM_SUCCESS;
return PAM_SERVICE_ERR;
}
-
+ if (options->debug) {
+ debug("pam_close_session called for '%s', realm '%s'", user,
+ options->realm);
+ options->realm);
+ }
/* Get information about the user and the user's principal name. */
userinfo = _pam_krb5_user_info_init(ctx, user, options);
if (userinfo == NULL) {
/* If we're in a no-cred-session situation, return. */
if ((!options->cred_session) &&
(caller_type == _pam_krb5_session_caller_setcred)) {

41
pam_krb5-2.3.1-switch-perms-on-refresh.dif
View File

@ -1,7 +1,7 @@
Index: pam_krb5-2.4.4/src/auth.c
Index: pam_krb5-2.4.13/src/auth.c
===================================================================
--- pam_krb5-2.4.4.orig/src/auth.c
+++ pam_krb5-2.4.4/src/auth.c
--- pam_krb5-2.4.13.orig/src/auth.c
+++ pam_krb5-2.4.13/src/auth.c
@@ -56,6 +56,7 @@
#include "items.h"
#include "kuserok.h"
@ -10,24 +10,30 @@ Index: pam_krb5-2.4.4/src/auth.c
#include "options.h"
#include "prompter.h"
#include "session.h"
@@ -433,6 +434,7 @@ int
pam_sm_setcred(pam_handle_t *pamh, int flags,
@@ -434,6 +435,7 @@ pam_sm_setcred(pam_handle_t *pamh, int f
int argc, PAM_KRB5_MAYBE_CONST char **argv)
{
const char *why = "";
+ struct _pam_krb5_perms *saved_perms;
notice("pam_setcred (%s) called",
(flags & PAM_ESTABLISH_CRED)?"establish credential":
(flags & PAM_REINITIALIZE_CRED)?"reinitialize credential":
@@ -444,10 +446,22 @@ pam_sm_setcred(pam_handle_t *pamh, int f
(flags & PAM_ESTABLISH_CRED)?"establish credential":
(flags & PAM_REINITIALIZE_CRED)?"reinitialize credential":
@@ -445,6 +447,8 @@ pam_sm_setcred(pam_handle_t *pamh, int f
_pam_krb5_session_caller_setcred);
}
if (flags & (PAM_REINITIALIZE_CRED | PAM_REFRESH_CRED)) {
+ saved_perms = _pam_krb5_switch_perms_r2e();
+
if (flags & PAM_REINITIALIZE_CRED) {
why = "pam_setcred(PAM_REINITIALIZE_CRED)";
if (flags & PAM_REFRESH_CRED) {
@@ -454,9 +458,18 @@ pam_sm_setcred(pam_handle_t *pamh, int f
why = "pam_setcred(PAM_REFRESH_CRED)";
}
if (_pam_krb5_sly_looks_unsafe() == 0) {
- return _pam_krb5_sly_maybe_refresh(pamh, flags,
- return _pam_krb5_sly_maybe_refresh(pamh, flags, why,
- argc, argv);
+ int i = _pam_krb5_sly_maybe_refresh(pamh, flags, argc, argv);
+ int i = _pam_krb5_sly_maybe_refresh(pamh, flags, why, argc, argv);
+ if (saved_perms != NULL) {
+ _pam_krb5_restore_perms_r2e(saved_perms);
+ }
@ -39,14 +45,13 @@ Index: pam_krb5-2.4.4/src/auth.c
+ if (saved_perms != NULL) {
+ _pam_krb5_restore_perms_r2e(saved_perms);
+ }
+ saved_perms = NULL;
return PAM_IGNORE;
}
}
Index: pam_krb5-2.4.4/src/perms.c
Index: pam_krb5-2.4.13/src/perms.c
===================================================================
--- pam_krb5-2.4.4.orig/src/perms.c
+++ pam_krb5-2.4.4/src/perms.c
--- pam_krb5-2.4.13.orig/src/perms.c
+++ pam_krb5-2.4.13/src/perms.c
@@ -89,3 +89,49 @@ _pam_krb5_restore_perms(struct _pam_krb5
}
return ret;
@ -90,17 +95,17 @@ Index: pam_krb5-2.4.4/src/perms.c
+ int ret = -1;
+ if (saved != NULL) {
+ if ((setresuid(saved->ruid, saved->euid, saved->ruid) == 0) &&
+ (setresgid(saved->rgid, saved->egid, saved->rgid) == 0)) {
+ (setresgid(saved->rgid, saved->egid, saved->rgid) == 0)) {
+ ret = 0;
+ }
+ free(saved);
+ }
+ return ret;
+}
Index: pam_krb5-2.4.4/src/perms.h
Index: pam_krb5-2.4.13/src/perms.h
===================================================================
--- pam_krb5-2.4.4.orig/src/perms.h
+++ pam_krb5-2.4.4/src/perms.h
--- pam_krb5-2.4.13.orig/src/perms.h
+++ pam_krb5-2.4.13/src/perms.h
@@ -37,4 +37,7 @@ struct _pam_krb5_perms;
struct _pam_krb5_perms *_pam_krb5_switch_perms(void);
int _pam_krb5_restore_perms(struct _pam_krb5_perms *saved);

BIN
pam_krb5-2.4.13.tar.bz2 (Stored with Git LFS) Normal file
View File

Binary file not shown.

3
pam_krb5-2.4.4.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:46f7f549048c2a82622bef726008b13687a655cda24e2b9ad72a667b3964940f
size 556439

18
pam_krb5-LINGUAS.dif
View File

@ -1,18 +0,0 @@
Index: po/LINGUAS
===================================================================
--- po/LINGUAS.orig
+++ po/LINGUAS
@@ -33,3 +33,13 @@ te
uk
zh_CN
zh_TW
+ar
+bg
+fi
+hr
+ka
+km
+nb
+pt
+th
+wa

BIN
pam_krb5-po.tar.bz2 (Stored with Git LFS) Normal file
View File

Binary file not shown.

3
pam_krb5-po.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:7bd07c953ca39ed6df1bf9455de24865e424f8ce0ccb0200816b65d81dc4d0cd
size 3906

17
pam_krb5.changes
View File

@ -1,3 +1,20 @@
-------------------------------------------------------------------
Wed Jul 26 07:04:12 UTC 2017 - josef.moellers@suse.com
- Update to 2.4.13:
* Fix a memory leak on FAST-capable clients
* Learn to run 'kdc' and 'kpasswdd', if appropriate
* Add the ability to specify a server principal
* Drop _pam_krb5_stash_chown_keyring functionality
* Fix a configure syntax error
* Handle ccname templates that don't include a type
* Fix a memory leak (static analysis)
* default to subsequent_prompt=false for chauthtok
* Don't close descriptors for fork-without-exec
* Handle PKINIT without duplicate prompting
* Add support for rxkad-k5-kdf
[pam_krb5-LINGUAS.dif]
-------------------------------------------------------------------
Wed May 28 15:24:21 UTC 2014 - ckornacker@suse.com

14
pam_krb5.spec
View File

@ -1,7 +1,7 @@
#
# spec file for package pam_krb5
#
# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
# Copyright (c) 2017 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -30,17 +30,16 @@ Provides: pam_krb
Obsoletes: pam_krb5-64bit
%endif
#
Version: 2.4.4
Version: 2.4.13
Release: 0
Summary: A Pluggable Authentication Module for Kerberos 5
License: BSD-3-Clause or LGPL-2.1+
Group: Productivity/Networking/Security
Url: https://fedorahosted.org/pam_krb5/
Source: https://fedorahosted.org/released/pam_krb5/pam_krb5-%{version}.tar.gz
Source2: pam_krb5-po.tar.gz
Url: https://pagure.io/pam_krb5
Source: pam_krb5-%{version}.tar.bz2
Source2: pam_krb5-po.tar.bz2
Source3: baselibs.conf
Patch1: pam_krb5-2.3.1-log-choise.dif
Patch2: pam_krb5-LINGUAS.dif
Patch3: pam_krb5-2.3.1-switch-perms-on-refresh.dif
Patch4: pam_krb5-2.2.3-1-setcred-assume-establish.dif
Patch5: bug-641008_pam_krb5-2.3.11-setcred-log.diff
@ -54,9 +53,8 @@ supports updating your Kerberos password.
%setup -q -n pam_krb5-%{version}
%setup -a 2 -T -D -n pam_krb5-%{version}
%patch1 -p1
%patch2
%patch3 -p1
%patch4
%patch4 -p1
%patch5 -p1
%build