- update to version 1.11.1
* Improve ASN.1 support code, making it table-driven for decoding as well as encoding * Refactor parts of KDC * Documentation consolidation * build docs in the main package * bugfixing - obsoletes a lot of patches - refactor some patches - update to version 1.11.1 * Improve ASN.1 support code, making it table-driven for decoding as well as encoding * Refactor parts of KDC * Documentation consolidation * build docs in the main package * bugfixing - obsoletes a lot of patches - refactor some patches OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=90
parent
66ced8b26b
commit
13e38775f6
@ -1,45 +0,0 @@
|
||||
commit c773d3c775e9b2d88bcdff5f8a8ba88d7ec4e8ed
|
||||
Author: Xi Wang <xi.wang@gmail.com>
|
||||
Date: Thu Feb 14 18:17:40 2013 -0500
|
||||
|
||||
PKINIT null pointer deref [CVE-2013-1415]
|
||||
|
||||
Don't dereference a null pointer when cleaning up.
|
||||
|
||||
The KDC plugin for PKINIT can dereference a null pointer when a
|
||||
malformed packet causes processing to terminate early, leading to
|
||||
a crash of the KDC process. An attacker would need to have a valid
|
||||
PKINIT certificate or have observed a successful PKINIT authentication,
|
||||
or an unauthenticated attacker could execute the attack if anonymous
|
||||
PKINIT is enabled.
|
||||
|
||||
CVSSv2 vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:P/RL:O/RC:C
|
||||
|
||||
This is a minimal commit for pullup; style fixes in a followup.
|
||||
[kaduk@mit.edu: reformat and edit commit message]
|
||||
|
||||
ticket: 7570 (new)
|
||||
target_version: 1.11.1
|
||||
tags: pullup
|
||||
|
||||
Index: krb5-1.10.2/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||
===================================================================
|
||||
--- krb5-1.10.2.orig/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||
+++ krb5-1.10.2/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||
@@ -3242,7 +3242,7 @@ pkinit_check_kdc_pkid(krb5_context conte
|
||||
pkiDebug("found kdcPkId in AS REQ\n");
|
||||
is = d2i_PKCS7_ISSUER_AND_SERIAL(NULL, &p, (int)pkid_len);
|
||||
if (is == NULL)
|
||||
- goto cleanup;
|
||||
+ return retval;
|
||||
|
||||
status = X509_NAME_cmp(X509_get_issuer_name(kdc_cert), is->issuer);
|
||||
if (!status) {
|
||||
@@ -3252,7 +3252,6 @@ pkinit_check_kdc_pkid(krb5_context conte
|
||||
}
|
||||
|
||||
retval = 0;
|
||||
-cleanup:
|
||||
X509_NAME_free(is->issuer);
|
||||
ASN1_INTEGER_free(is->serial);
|
||||
free(is);
|
@ -1,40 +0,0 @@
|
||||
commit cd5ff932c9d1439c961b0cf9ccff979356686aff
|
||||
Author: Nalin Dahyabhai <nalin@redhat.com>
|
||||
Date: Thu Dec 13 14:26:07 2012 -0500
|
||||
|
||||
PKINIT (draft9) null ptr deref [CVE-2012-1016]
|
||||
|
||||
Don't check for an agility KDF identifier in the non-draft9 reply
|
||||
structure when we're building a draft9 reply, because it'll be NULL.
|
||||
|
||||
The KDC plugin for PKINIT can dereference a null pointer when handling
|
||||
a draft9 request, leading to a crash of the KDC process. An attacker
|
||||
would need to have a valid PKINIT certificate, or an unauthenticated
|
||||
attacker could execute the attack if anonymous PKINIT is enabled.
|
||||
|
||||
CVSSv2 vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:P/RL:O/RC:C
|
||||
|
||||
[tlyu@mit.edu: reformat comment and edit log message]
|
||||
|
||||
ticket: 7506 (new)
|
||||
target_version: 1.11
|
||||
tags: pullup
|
||||
|
||||
Index: krb5-1.10.2/src/plugins/preauth/pkinit/pkinit_srv.c
|
||||
===================================================================
|
||||
--- krb5-1.10.2.orig/src/plugins/preauth/pkinit/pkinit_srv.c
|
||||
+++ krb5-1.10.2/src/plugins/preauth/pkinit/pkinit_srv.c
|
||||
@@ -1016,9 +1016,10 @@ pkinit_server_return_padata(krb5_context
|
||||
rep9->choice == choice_pa_pk_as_rep_draft9_dhSignedData) ||
|
||||
(rep != NULL && rep->choice == choice_pa_pk_as_rep_dhInfo)) {
|
||||
|
||||
- /* If mutually supported KDFs were found, use the alg agility KDF */
|
||||
- if (rep->u.dh_Info.kdfID) {
|
||||
- secret.data = server_key;
|
||||
+ /* If we're not doing draft 9, and mutually supported KDFs were found,
|
||||
+ * use the algorithm agility KDF. */
|
||||
+ if (rep != NULL && rep->u.dh_Info.kdfID) {
|
||||
+ secret.data = (char *)server_key;
|
||||
secret.length = server_key_len;
|
||||
|
||||
retval = pkinit_alg_agility_kdf(context, &secret,
|
@ -4,10 +4,10 @@ the -L/usr/lib* and PIE flags where they might leak out and affect
|
||||
apps which just want to link with the libraries. FIXME: needs to check and
|
||||
not just assume that the compiler supports using these flags.
|
||||
|
||||
Index: krb5-1.10.2/src/config/shlib.conf
|
||||
Index: krb5-1.11/src/config/shlib.conf
|
||||
===================================================================
|
||||
--- krb5-1.10.2.orig/src/config/shlib.conf
|
||||
+++ krb5-1.10.2/src/config/shlib.conf
|
||||
--- krb5-1.11.orig/src/config/shlib.conf
|
||||
+++ krb5-1.11/src/config/shlib.conf
|
||||
@@ -419,7 +419,7 @@ mips-*-netbsd*)
|
||||
SHLIBEXT=.so
|
||||
# Linux ld doesn't default to stuffing the SONAME field...
|
||||
@ -27,11 +27,11 @@ Index: krb5-1.10.2/src/config/shlib.conf
|
||||
CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)'
|
||||
CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)'
|
||||
CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)'
|
||||
Index: krb5-1.10.2/src/krb5-config.in
|
||||
Index: krb5-1.11/src/krb5-config.in
|
||||
===================================================================
|
||||
--- krb5-1.10.2.orig/src/krb5-config.in
|
||||
+++ krb5-1.10.2/src/krb5-config.in
|
||||
@@ -189,6 +189,13 @@ if test -n "$do_libs"; then
|
||||
--- krb5-1.11.orig/src/krb5-config.in
|
||||
+++ krb5-1.11/src/krb5-config.in
|
||||
@@ -221,6 +221,13 @@ if test -n "$do_libs"; then
|
||||
-e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \
|
||||
-e 's#\$(CFLAGS)##'`
|
||||
|
||||
@ -45,11 +45,11 @@ Index: krb5-1.10.2/src/krb5-config.in
|
||||
if test $library = 'kdb'; then
|
||||
lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB"
|
||||
library=krb5
|
||||
Index: krb5-1.10.2/src/config/pre.in
|
||||
Index: krb5-1.11/src/config/pre.in
|
||||
===================================================================
|
||||
--- krb5-1.10.2.orig/src/config/pre.in
|
||||
+++ krb5-1.10.2/src/config/pre.in
|
||||
@@ -190,7 +190,7 @@ INSTALL_PROGRAM=@INSTALL_PROGRAM@ $(INST
|
||||
--- krb5-1.11.orig/src/config/pre.in
|
||||
+++ krb5-1.11/src/config/pre.in
|
||||
@@ -185,7 +185,7 @@ INSTALL_PROGRAM=@INSTALL_PROGRAM@ $(INST
|
||||
INSTALL_SCRIPT=@INSTALL_PROGRAM@
|
||||
INSTALL_DATA=@INSTALL_DATA@
|
||||
INSTALL_SHLIB=@INSTALL_SHLIB@
|
||||
|
@ -1,12 +0,0 @@
|
||||
This file also triggers the maybe-uninitialized warning/error. RT#7080
|
||||
|
||||
--- src/lib/krb5/krb/x-deltat.y
|
||||
+++ src/lib/krb5/krb/x-deltat.y
|
||||
@@ -44,6 +44,7 @@
|
||||
#ifdef __GNUC__
|
||||
#pragma GCC diagnostic push
|
||||
#pragma GCC diagnostic ignored "-Wuninitialized"
|
||||
+#pragma GCC diagnostic ignored "-Wmaybe-uninitialized"
|
||||
#endif
|
||||
|
||||
#include <ctype.h>
|
53
krb5-1.10-ksu-access.patch
Normal file
@ -0,0 +1,53 @@
|
||||
The idea is to not complain about problems in the default ticket file if we
|
||||
couldn't read it, because the client would be able to tell if it's there or
|
||||
not, and we're implicitly letting the client tell us where it is. Still needs
|
||||
work, I think.
|
||||
|
||||
Index: krb5-1.11.1/src/clients/ksu/ccache.c
|
||||
===================================================================
|
||||
--- krb5-1.11.1.orig/src/clients/ksu/ccache.c
|
||||
+++ krb5-1.11.1/src/clients/ksu/ccache.c
|
||||
@@ -77,7 +77,7 @@ krb5_error_code krb5_ccache_copy (contex
|
||||
cc_def_name = krb5_cc_get_name(context, cc_def);
|
||||
cc_other_name = krb5_cc_get_name(context, *cc_other);
|
||||
|
||||
- if ( ! stat(cc_def_name, &st_temp)){
|
||||
+ if ( ! access(cc_def_name, R_OK) && ! stat(cc_def_name, &st_temp)){
|
||||
if((retval = krb5_get_nonexp_tkts(context,cc_def,&cc_def_creds_arr))){
|
||||
return retval;
|
||||
}
|
||||
Index: krb5-1.11.1/src/clients/ksu/heuristic.c
|
||||
===================================================================
|
||||
--- krb5-1.11.1.orig/src/clients/ksu/heuristic.c
|
||||
+++ krb5-1.11.1/src/clients/ksu/heuristic.c
|
||||
@@ -409,7 +409,7 @@ krb5_error_code find_either_ticket (cont
|
||||
|
||||
cc_source_name = krb5_cc_get_name(context, cc);
|
||||
|
||||
- if ( ! stat(cc_source_name, &st_temp)){
|
||||
+ if ( ! access(cc_source_name, F_OK | R_OK) && ! stat(cc_source_name, &st_temp)){
|
||||
|
||||
retval = find_ticket(context, cc, client, end_server, &temp_found);
|
||||
if (retval)
|
||||
@@ -569,7 +569,7 @@ krb5_error_code get_best_princ_for_targe
|
||||
cc_source_name = krb5_cc_get_name(context, cc_source);
|
||||
|
||||
|
||||
- if (! stat(cc_source_name, &st_temp)) {
|
||||
+ if (! access(cc_source_name, F_OK | R_OK) && ! stat(cc_source_name, &st_temp)) {
|
||||
retval = krb5_cc_get_principal(context, cc_source, &cc_def_princ);
|
||||
if (retval)
|
||||
return retval;
|
||||
Index: krb5-1.11.1/src/clients/ksu/main.c
|
||||
===================================================================
|
||||
--- krb5-1.11.1.orig/src/clients/ksu/main.c
|
||||
+++ krb5-1.11.1/src/clients/ksu/main.c
|
||||
@@ -271,7 +271,7 @@ main (argc, argv)
|
||||
if ( strchr(cc_source_tag, ':')){
|
||||
cc_source_tag_tmp = strchr(cc_source_tag, ':') + 1;
|
||||
|
||||
- if( stat( cc_source_tag_tmp, &st_temp)){
|
||||
+ if( access( cc_source_tag_tmp, F_OK | R_OK) || stat( cc_source_tag_tmp, &st_temp)){
|
||||
com_err(prog_name, errno,
|
||||
_("while looking for credentials file %s"),
|
||||
cc_source_tag_tmp);
|
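Review bot: The `access()` calls added in front of `stat()` in `krb5_ccache_copy`, `find_either_ticket`, `get_best_princ_for_target` and `main` test the path, but the credential cache is opened by name again afterwards, so the result can be stale by the time the file is read (a check-then-use race, CWE-367). Since `access()` evaluates the real UID and ksu normally runs with elevated privileges, the check is only safe as a hint for which error to report, not as the access decision itself; the patch description's own "Still needs work" points the same way. I would say so at each site with a comment such as `/* access() checks the real UID; advisory only, the later ccache open must still enforce access */`. The mode argument is also inconsistent: `ccache.c` passes `R_OK` while the other three sites pass `F_OK | R_OK`, which adds nothing because `R_OK` already fails on a missing file, so `access(cc_source_name, R_OK)` would match the first hunk. All four function bodies continue outside the hunks shown.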
@ -1,29 +0,0 @@
|
||||
commit 2b06a22f7fd8ec01fb27a7335125290b8ceb6f18
|
||||
Author: Greg Hudson <ghudson@mit.edu>
|
||||
Date: Thu Nov 29 01:58:13 2012 -0500
|
||||
|
||||
Fix spin-loop bug in k5_sendto_kdc
|
||||
|
||||
In the second part of the first pass over the server list, we passed
|
||||
the wrong list pointer to service_fds, causing it to see only a subset
|
||||
of the server entries corresponding to sel_state. This could cause
|
||||
service_fds to spin if an event is reported on an fd not in the
|
||||
subset.
|
||||
|
||||
ticket: 7454
|
||||
target_version: 1.10.4
|
||||
tags: pullup
|
||||
|
||||
Index: krb5-1.10.2/src/lib/krb5/os/sendto_kdc.c
|
||||
===================================================================
|
||||
--- krb5-1.10.2.orig/src/lib/krb5/os/sendto_kdc.c
|
||||
+++ krb5-1.10.2/src/lib/krb5/os/sendto_kdc.c
|
||||
@@ -1287,7 +1287,7 @@ k5_sendto(krb5_context context, const kr
|
||||
continue;
|
||||
if (maybe_send(context, state, sel_state, callback_info))
|
||||
continue;
|
||||
- done = service_fds(context, sel_state, 1, state, seltemp, msg_handler,
|
||||
+ done = service_fds(context, sel_state, 1, conns, seltemp, msg_handler,
|
||||
msg_handler_data, &winner);
|
||||
}
|
||||
|
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:479d66291ae989d5db9daca5838ff4bddde45c77b703fadcf78ca6d1db315bd8
|
||||
size 9457236
|
@ -11,11 +11,11 @@ When enabled, ksu gains a dependency on libpam.
|
||||
Originally RT#5939, though it's changed since then to perform the account
|
||||
and session management before dropping privileges.
|
||||
|
||||
Index: krb5-1.10.2/src/aclocal.m4
|
||||
Index: krb5-1.11.1/src/aclocal.m4
|
||||
===================================================================
|
||||
--- krb5-1.10.2.orig/src/aclocal.m4
|
||||
+++ krb5-1.10.2/src/aclocal.m4
|
||||
@@ -1676,3 +1676,70 @@ AC_DEFUN(KRB5_AC_KEYRING_CCACHE,[
|
||||
--- krb5-1.11.1.orig/src/aclocal.m4
|
||||
+++ krb5-1.11.1/src/aclocal.m4
|
||||
@@ -1664,3 +1664,70 @@ AC_DEFUN(KRB5_AC_KEYRING_CCACHE,[
|
||||
]))
|
||||
])dnl
|
||||
dnl
|
||||
@ -86,10 +86,10 @@ Index: krb5-1.10.2/src/aclocal.m4
|
||||
+AC_SUBST(PAM_MAN)
|
||||
+AC_SUBST(NON_PAM_MAN)
|
||||
+])dnl
|
||||
Index: krb5-1.10.2/src/clients/ksu/main.c
|
||||
Index: krb5-1.11.1/src/clients/ksu/main.c
|
||||
===================================================================
|
||||
--- krb5-1.10.2.orig/src/clients/ksu/main.c
|
||||
+++ krb5-1.10.2/src/clients/ksu/main.c
|
||||
--- krb5-1.11.1.orig/src/clients/ksu/main.c
|
||||
+++ krb5-1.11.1/src/clients/ksu/main.c
|
||||
@@ -26,6 +26,7 @@
|
||||
* KSU was writen by: Ari Medvinsky, ari@isi.edu
|
||||
*/
|
||||
@ -249,10 +249,10 @@ Index: krb5-1.10.2/src/clients/ksu/main.c
|
||||
exit (1);
|
||||
}
|
||||
}
|
||||
Index: krb5-1.10.2/src/clients/ksu/Makefile.in
|
||||
Index: krb5-1.11.1/src/clients/ksu/Makefile.in
|
||||
===================================================================
|
||||
--- krb5-1.10.2.orig/src/clients/ksu/Makefile.in
|
||||
+++ krb5-1.10.2/src/clients/ksu/Makefile.in
|
||||
--- krb5-1.11.1.orig/src/clients/ksu/Makefile.in
|
||||
+++ krb5-1.11.1/src/clients/ksu/Makefile.in
|
||||
@@ -7,12 +7,14 @@ PROG_LIBPATH=-L$(TOPLIBD)
|
||||
PROG_RPATH=$(KRB5_LIBDIR)
|
||||
|
||||
@ -287,10 +287,10 @@ Index: krb5-1.10.2/src/clients/ksu/Makefile.in
|
||||
|
||||
clean::
|
||||
$(RM) ksu
|
||||
Index: krb5-1.10.2/src/clients/ksu/pam.c
|
||||
Index: krb5-1.11.1/src/clients/ksu/pam.c
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ krb5-1.10.2/src/clients/ksu/pam.c
|
||||
+++ krb5-1.11.1/src/clients/ksu/pam.c
|
||||
@@ -0,0 +1,389 @@
|
||||
+/*
|
||||
+ * src/clients/ksu/pam.c
|
||||
@ -681,10 +681,10 @@ Index: krb5-1.10.2/src/clients/ksu/pam.c
|
||||
+ return ret;
|
||||
+}
|
||||
+#endif
|
||||
Index: krb5-1.10.2/src/clients/ksu/pam.h
|
||||
Index: krb5-1.11.1/src/clients/ksu/pam.h
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ krb5-1.10.2/src/clients/ksu/pam.h
|
||||
+++ krb5-1.11.1/src/clients/ksu/pam.h
|
||||
@@ -0,0 +1,57 @@
|
||||
+/*
|
||||
+ * src/clients/ksu/pam.h
|
||||
@ -743,16 +743,16 @@ Index: krb5-1.10.2/src/clients/ksu/pam.h
|
||||
+int appl_pam_cred_init(void);
|
||||
+void appl_pam_cleanup(void);
|
||||
+#endif
|
||||
Index: krb5-1.10.2/src/configure.in
|
||||
Index: krb5-1.11.1/src/configure.in
|
||||
===================================================================
|
||||
--- krb5-1.10.2.orig/src/configure.in
|
||||
+++ krb5-1.10.2/src/configure.in
|
||||
@@ -1246,6 +1246,8 @@ if test "${localedir+set}" != set; then
|
||||
fi
|
||||
AC_SUBST(localedir)
|
||||
--- krb5-1.11.1.orig/src/configure.in
|
||||
+++ krb5-1.11.1/src/configure.in
|
||||
@@ -1244,6 +1244,8 @@ AC_SUBST([VERTO_VERSION])
|
||||
|
||||
AC_PATH_PROG(GROFF, groff)
|
||||
|
||||
+KRB5_WITH_PAM
|
||||
+
|
||||
AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config])
|
||||
V5_AC_OUTPUT_MAKEFILE(.
|
||||
|
||||
# Make localedir work in autoconf 2.5x.
|
||||
if test "${localedir+set}" != set; then
|
||||
localedir='$(datadir)/locale'
|
@ -31,10 +31,10 @@ The selabel APIs for looking up the context should be thread-safe (per
|
||||
Red Hat #273081), so switching to using them instead of matchpathcon(),
|
||||
which we used earlier, is some improvement.
|
||||
|
||||
Index: krb5-1.10.2/src/aclocal.m4
|
||||
Index: krb5-1.11.1/src/aclocal.m4
|
||||
===================================================================
|
||||
--- krb5-1.10.2.orig/src/aclocal.m4
|
||||
+++ krb5-1.10.2/src/aclocal.m4
|
||||
--- krb5-1.11.1.orig/src/aclocal.m4
|
||||
+++ krb5-1.11.1/src/aclocal.m4
|
||||
@@ -84,6 +84,7 @@ AC_SUBST_FILE(libnodeps_frag)
|
||||
dnl
|
||||
KRB5_AC_PRAGMA_WEAK_REF
|
||||
@ -43,10 +43,10 @@ Index: krb5-1.10.2/src/aclocal.m4
|
||||
KRB5_LIB_PARAMS
|
||||
KRB5_AC_INITFINI
|
||||
KRB5_AC_ENABLE_THREADS
|
||||
@@ -1764,3 +1765,51 @@ AC_SUBST(manlocalstatedir)
|
||||
AC_SUBST(manlibexecdir)
|
||||
AC_CONFIG_FILES($1)
|
||||
])
|
||||
@@ -1731,3 +1732,51 @@ AC_SUBST(PAM_LIBS)
|
||||
AC_SUBST(PAM_MAN)
|
||||
AC_SUBST(NON_PAM_MAN)
|
||||
])dnl
|
||||
+dnl
|
||||
+dnl Use libselinux to set file contexts on newly-created files.
|
||||
+dnl
|
||||
@ -95,11 +95,11 @@ Index: krb5-1.10.2/src/aclocal.m4
|
||||
+LIBS="$old_LIBS"
|
||||
+AC_SUBST(SELINUX_LIBS)
|
||||
+])dnl
|
||||
Index: krb5-1.10.2/src/config/pre.in
|
||||
Index: krb5-1.11.1/src/config/pre.in
|
||||
===================================================================
|
||||
--- krb5-1.10.2.orig/src/config/pre.in
|
||||
+++ krb5-1.10.2/src/config/pre.in
|
||||
@@ -182,6 +182,7 @@ LD_UNRESOLVED_PREFIX = @LD_UNRESOLVED_PR
|
||||
--- krb5-1.11.1.orig/src/config/pre.in
|
||||
+++ krb5-1.11.1/src/config/pre.in
|
||||
@@ -178,6 +178,7 @@ LD_UNRESOLVED_PREFIX = @LD_UNRESOLVED_PR
|
||||
LD_SHLIBDIR_PREFIX = @LD_SHLIBDIR_PREFIX@
|
||||
LDARGS = @LDARGS@
|
||||
LIBS = @LIBS@
|
||||
@ -107,7 +107,7 @@ Index: krb5-1.10.2/src/config/pre.in
|
||||
|
||||
INSTALL=@INSTALL@
|
||||
INSTALL_STRIP=
|
||||
@@ -406,7 +407,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME)
|
||||
@@ -403,7 +404,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME)
|
||||
# HESIOD_LIBS is -lhesiod...
|
||||
HESIOD_LIBS = @HESIOD_LIBS@
|
||||
|
||||
@ -116,24 +116,24 @@ Index: krb5-1.10.2/src/config/pre.in
|
||||
KDB5_LIBS = $(KDB5_LIB) $(GSSRPC_LIBS)
|
||||
GSS_LIBS = $(GSS_KRB5_LIB)
|
||||
# needs fixing if ever used on Mac OS X!
|
||||
Index: krb5-1.10.2/src/configure.in
|
||||
Index: krb5-1.11.1/src/configure.in
|
||||
===================================================================
|
||||
--- krb5-1.10.2.orig/src/configure.in
|
||||
+++ krb5-1.10.2/src/configure.in
|
||||
@@ -1248,6 +1248,8 @@ AC_SUBST(localedir)
|
||||
--- krb5-1.11.1.orig/src/configure.in
|
||||
+++ krb5-1.11.1/src/configure.in
|
||||
@@ -1246,6 +1246,8 @@ AC_PATH_PROG(GROFF, groff)
|
||||
|
||||
KRB5_WITH_PAM
|
||||
|
||||
+KRB5_WITH_SELINUX
|
||||
+
|
||||
AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config])
|
||||
|
||||
V5_AC_OUTPUT_MANPAGE([
|
||||
Index: krb5-1.10.2/src/include/k5-int.h
|
||||
# Make localedir work in autoconf 2.5x.
|
||||
if test "${localedir+set}" != set; then
|
||||
localedir='$(datadir)/locale'
|
||||
Index: krb5-1.11.1/src/include/k5-int.h
|
||||
===================================================================
|
||||
--- krb5-1.10.2.orig/src/include/k5-int.h
|
||||
+++ krb5-1.10.2/src/include/k5-int.h
|
||||
@@ -135,6 +135,7 @@ typedef unsigned char u_char;
|
||||
--- krb5-1.11.1.orig/src/include/k5-int.h
|
||||
+++ krb5-1.11.1/src/include/k5-int.h
|
||||
@@ -133,6 +133,7 @@ typedef unsigned char u_char;
|
||||
typedef UINT64_TYPE krb5_ui_8;
|
||||
typedef INT64_TYPE krb5_int64;
|
||||
|
||||
@ -141,10 +141,10 @@ Index: krb5-1.10.2/src/include/k5-int.h
|
||||
|
||||
#define DEFAULT_PWD_STRING1 "Enter password"
|
||||
#define DEFAULT_PWD_STRING2 "Re-enter password for verification"
|
||||
Index: krb5-1.10.2/src/include/k5-label.h
|
||||
Index: krb5-1.11.1/src/include/k5-label.h
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ krb5-1.10.2/src/include/k5-label.h
|
||||
+++ krb5-1.11.1/src/include/k5-label.h
|
||||
@@ -0,0 +1,32 @@
|
||||
+#ifndef _KRB5_LABEL_H
|
||||
+#define _KRB5_LABEL_H
|
||||
@ -178,11 +178,11 @@ Index: krb5-1.10.2/src/include/k5-label.h
|
||||
+#define THREEPARAMOPEN(x,y,z) open(x,y,z)
|
||||
+#endif
|
||||
+#endif
|
||||
Index: krb5-1.10.2/src/include/krb5/krb5.hin
|
||||
Index: krb5-1.11.1/src/include/krb5/krb5.hin
|
||||
===================================================================
|
||||
--- krb5-1.10.2.orig/src/include/krb5/krb5.hin
|
||||
+++ krb5-1.10.2/src/include/krb5/krb5.hin
|
||||
@@ -83,6 +83,12 @@
|
||||
--- krb5-1.11.1.orig/src/include/krb5/krb5.hin
|
||||
+++ krb5-1.11.1/src/include/krb5/krb5.hin
|
||||
@@ -87,6 +87,12 @@
|
||||
#define THREEPARAMOPEN(x,y,z) open(x,y,z)
|
||||
#endif
|
||||
|
||||
@ -195,41 +195,54 @@ Index: krb5-1.10.2/src/include/krb5/krb5.hin
|
||||
#define KRB5_OLD_CRYPTO
|
||||
|
||||
#include <stdlib.h>
|
||||
Index: krb5-1.10.2/src/kadmin/dbutil/dump.c
|
||||
Index: krb5-1.11.1/src/kadmin/dbutil/dump.c
|
||||
===================================================================
|
||||
--- krb5-1.10.2.orig/src/kadmin/dbutil/dump.c
|
||||
+++ krb5-1.10.2/src/kadmin/dbutil/dump.c
|
||||
@@ -346,7 +346,7 @@ void update_ok_file (file_name)
|
||||
exit_status++;
|
||||
return;
|
||||
--- krb5-1.11.1.orig/src/kadmin/dbutil/dump.c
|
||||
+++ krb5-1.11.1/src/kadmin/dbutil/dump.c
|
||||
@@ -376,12 +376,21 @@ create_ofile(char *ofile, char **tmpname
|
||||
{
|
||||
int fd = -1;
|
||||
FILE *f;
|
||||
+#ifdef USE_SELINUX
|
||||
+ void *selabel;
|
||||
+#endif
|
||||
|
||||
*tmpname = NULL;
|
||||
if (asprintf(tmpname, "%s-XXXXXX", ofile) < 0)
|
||||
goto error;
|
||||
|
||||
+#ifdef USE_SELINUX
|
||||
+ selabel = krb5int_push_fscreatecon_for(ofile);
|
||||
+#endif
|
||||
fd = mkstemp(*tmpname);
|
||||
+#ifdef USE_SELINUX
|
||||
+ krb5int_pop_fscreatecon(selabel);
|
||||
+#endif
|
||||
if (fd == -1)
|
||||
goto error;
|
||||
|
||||
@@ -505,7 +514,7 @@ prep_ok_file(krb5_context context, char
|
||||
return 0;
|
||||
}
|
||||
- if ((fd = open(file_ok, O_WRONLY|O_CREAT|O_TRUNC, 0600)) < 0) {
|
||||
+ if ((fd = THREEPARAMOPEN(file_ok, O_WRONLY|O_CREAT|O_TRUNC, 0600)) < 0) {
|
||||
com_err(progname, errno, _("while creating 'ok' file, '%s'"),
|
||||
file_ok);
|
||||
|
||||
- *fd = open(file_ok, O_WRONLY | O_CREAT | O_TRUNC, 0600);
|
||||
+ *fd = THREEPARAMOPEN(file_ok, O_WRONLY | O_CREAT | O_TRUNC, 0600);
|
||||
if (*fd == -1) {
|
||||
com_err(progname, errno, _("while creating 'ok' file, '%s'"), file_ok);
|
||||
exit_status++;
|
||||
@@ -1251,7 +1251,7 @@ dump_db(argc, argv)
|
||||
* want to get into.
|
||||
*/
|
||||
unlink(ofile);
|
||||
- if (!(f = fopen(ofile, "w"))) {
|
||||
+ if (!(f = WRITABLEFOPEN(ofile, "w"))) {
|
||||
fprintf(stderr, ofopen_error,
|
||||
progname, ofile, error_message(errno));
|
||||
exit_status++;
|
||||
Index: krb5-1.10.2/src/krb5-config.in
|
||||
Index: krb5-1.11.1/src/krb5-config.in
|
||||
===================================================================
|
||||
--- krb5-1.10.2.orig/src/krb5-config.in
|
||||
+++ krb5-1.10.2/src/krb5-config.in
|
||||
@@ -38,6 +38,7 @@ RPATH_FLAG='@RPATH_FLAG@'
|
||||
PROG_RPATH_FLAGS='@PROG_RPATH_FLAGS@'
|
||||
PTHREAD_CFLAGS='@PTHREAD_CFLAGS@'
|
||||
DL_LIB='@DL_LIB@'
|
||||
--- krb5-1.11.1.orig/src/krb5-config.in
|
||||
+++ krb5-1.11.1/src/krb5-config.in
|
||||
@@ -41,6 +41,7 @@ DL_LIB='@DL_LIB@'
|
||||
DEFCCNAME='@DEFCCNAME@'
|
||||
DEFKTNAME='@DEFKTNAME@'
|
||||
DEFCKTNAME='@DEFCKTNAME@'
|
||||
+SELINUX_LIBS='@SELINUX_LIBS@'
|
||||
|
||||
LIBS='@LIBS@'
|
||||
GEN_LIB=@GEN_LIB@
|
||||
@@ -218,7 +219,7 @@ if test -n "$do_libs"; then
|
||||
@@ -258,7 +259,7 @@ if test -n "$do_libs"; then
|
||||
fi
|
||||
|
||||
# If we ever support a flag to generate output suitable for static
|
||||
@ -238,10 +251,10 @@ Index: krb5-1.10.2/src/krb5-config.in
|
||||
# here.
|
||||
|
||||
echo $lib_flags
|
||||
Index: krb5-1.10.2/src/lib/kadm5/logger.c
|
||||
Index: krb5-1.11.1/src/lib/kadm5/logger.c
|
||||
===================================================================
|
||||
--- krb5-1.10.2.orig/src/lib/kadm5/logger.c
|
||||
+++ krb5-1.10.2/src/lib/kadm5/logger.c
|
||||
--- krb5-1.11.1.orig/src/lib/kadm5/logger.c
|
||||
+++ krb5-1.11.1/src/lib/kadm5/logger.c
|
||||
@@ -423,7 +423,7 @@ krb5_klog_init(krb5_context kcontext, ch
|
||||
* Check for append/overwrite, then open the file.
|
||||
*/
|
||||
@ -260,10 +273,10 @@ Index: krb5-1.10.2/src/lib/kadm5/logger.c
|
||||
if (f) {
|
||||
set_cloexec_file(f);
|
||||
log_control.log_entries[lindex].lfu_filep = f;
|
||||
Index: krb5-1.10.2/src/lib/krb5/keytab/kt_file.c
|
||||
Index: krb5-1.11.1/src/lib/krb5/keytab/kt_file.c
|
||||
===================================================================
|
||||
--- krb5-1.10.2.orig/src/lib/krb5/keytab/kt_file.c
|
||||
+++ krb5-1.10.2/src/lib/krb5/keytab/kt_file.c
|
||||
--- krb5-1.11.1.orig/src/lib/krb5/keytab/kt_file.c
|
||||
+++ krb5-1.11.1/src/lib/krb5/keytab/kt_file.c
|
||||
@@ -1039,7 +1039,7 @@ krb5_ktfileint_open(krb5_context context
|
||||
|
||||
KTCHECKLOCK(id);
|
||||
@ -282,11 +295,11 @@ Index: krb5-1.10.2/src/lib/krb5/keytab/kt_file.c
|
||||
if (!KTFILEP(id))
|
||||
goto report_errno;
|
||||
writevno = 1;
|
||||
Index: krb5-1.10.2/src/plugins/kdb/db2/adb_openclose.c
|
||||
Index: krb5-1.11.1/src/plugins/kdb/db2/adb_openclose.c
|
||||
===================================================================
|
||||
--- krb5-1.10.2.orig/src/plugins/kdb/db2/adb_openclose.c
|
||||
+++ krb5-1.10.2/src/plugins/kdb/db2/adb_openclose.c
|
||||
@@ -197,7 +197,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char
|
||||
--- krb5-1.11.1.orig/src/plugins/kdb/db2/adb_openclose.c
|
||||
+++ krb5-1.11.1/src/plugins/kdb/db2/adb_openclose.c
|
||||
@@ -147,7 +147,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char
|
||||
* POSIX systems
|
||||
*/
|
||||
lockp->lockinfo.filename = strdup(lockfilename);
|
||||
@ -295,10 +308,10 @@ Index: krb5-1.10.2/src/plugins/kdb/db2/adb_openclose.c
|
||||
/*
|
||||
* maybe someone took away write permission so we could only
|
||||
* get shared locks?
|
||||
Index: krb5-1.10.2/src/plugins/kdb/db2/libdb2/btree/bt_open.c
|
||||
Index: krb5-1.11.1/src/plugins/kdb/db2/libdb2/btree/bt_open.c
|
||||
===================================================================
|
||||
--- krb5-1.10.2.orig/src/plugins/kdb/db2/libdb2/btree/bt_open.c
|
||||
+++ krb5-1.10.2/src/plugins/kdb/db2/libdb2/btree/bt_open.c
|
||||
--- krb5-1.11.1.orig/src/plugins/kdb/db2/libdb2/btree/bt_open.c
|
||||
+++ krb5-1.11.1/src/plugins/kdb/db2/libdb2/btree/bt_open.c
|
||||
@@ -60,6 +60,7 @@ static char sccsid[] = "@(#)bt_open.c 8.
|
||||
|
||||
#include "k5-platform.h" /* mkstemp? */
|
||||
@ -316,10 +329,10 @@ Index: krb5-1.10.2/src/plugins/kdb/db2/libdb2/btree/bt_open.c
|
||||
goto err;
|
||||
|
||||
} else {
|
||||
Index: krb5-1.10.2/src/plugins/kdb/db2/libdb2/hash/hash.c
|
||||
Index: krb5-1.11.1/src/plugins/kdb/db2/libdb2/hash/hash.c
|
||||
===================================================================
|
||||
--- krb5-1.10.2.orig/src/plugins/kdb/db2/libdb2/hash/hash.c
|
||||
+++ krb5-1.10.2/src/plugins/kdb/db2/libdb2/hash/hash.c
|
||||
--- krb5-1.11.1.orig/src/plugins/kdb/db2/libdb2/hash/hash.c
|
||||
+++ krb5-1.11.1/src/plugins/kdb/db2/libdb2/hash/hash.c
|
||||
@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)hash.c 8.12
|
||||
#include <assert.h>
|
||||
#endif
|
||||
@ -337,10 +350,10 @@ Index: krb5-1.10.2/src/plugins/kdb/db2/libdb2/hash/hash.c
|
||||
RETURN_ERROR(errno, error0);
|
||||
(void)fcntl(hashp->fp, F_SETFD, 1);
|
||||
}
|
||||
Index: krb5-1.10.2/src/plugins/kdb/db2/libdb2/test/Makefile.in
|
||||
Index: krb5-1.11.1/src/plugins/kdb/db2/libdb2/test/Makefile.in
|
||||
===================================================================
|
||||
--- krb5-1.10.2.orig/src/plugins/kdb/db2/libdb2/test/Makefile.in
|
||||
+++ krb5-1.10.2/src/plugins/kdb/db2/libdb2/test/Makefile.in
|
||||
--- krb5-1.11.1.orig/src/plugins/kdb/db2/libdb2/test/Makefile.in
|
||||
+++ krb5-1.11.1/src/plugins/kdb/db2/libdb2/test/Makefile.in
|
||||
@@ -12,7 +12,8 @@ PROG_RPATH=$(KRB5_LIBDIR)
|
||||
|
||||
KRB5_RUN_ENV= @KRB5_RUN_ENV@
|
||||
@ -351,56 +364,11 @@ Index: krb5-1.10.2/src/plugins/kdb/db2/libdb2/test/Makefile.in
|
||||
DB_DEPLIB = ../libdb$(DEPLIBEXT)
|
||||
|
||||
all::
|
||||
Index: krb5-1.10.2/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
|
||||
Index: krb5-1.11.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
|
||||
===================================================================
|
||||
--- krb5-1.10.2.orig/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
|
||||
+++ krb5-1.10.2/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
|
||||
@@ -1088,7 +1088,7 @@ rem_service_entry_from_file(int argc, ch
|
||||
|
||||
/* Create a temporary file which contains all the entries except the
|
||||
entry for the given service dn */
|
||||
- pfile = fopen(file_name, "r+");
|
||||
+ pfile = WRITABLEFOPEN(file_name, "r+");
|
||||
if (pfile == NULL) {
|
||||
com_err(me, errno, "while deleting entry from file %s", file_name);
|
||||
goto cleanup;
|
||||
@@ -1105,7 +1105,7 @@ rem_service_entry_from_file(int argc, ch
|
||||
snprintf (tmp_file, strlen(file_name) + 4 + 1, "%s%s", file_name, ".tmp");
|
||||
|
||||
|
||||
- tmpfd = creat(tmp_file, S_IRUSR|S_IWUSR);
|
||||
+ tmpfd = THREEPARAMOPEN(tmp_file, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR|S_IWUSR);
|
||||
umask(omask);
|
||||
if (tmpfd == -1) {
|
||||
com_err(me, errno, "while deleting entry from file\n");
|
||||
@@ -1725,7 +1725,7 @@ kdb5_ldap_set_service_password(int argc,
|
||||
|
||||
printf("File does not exist. Creating the file %s...\n", file_name);
|
||||
omask = umask(077);
|
||||
- fd = creat(file_name, S_IRUSR|S_IWUSR);
|
||||
+ fd = THREEPARAMOPEN(file_name, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR|S_IWUSR);
|
||||
umask(omask);
|
||||
if (fd == -1) {
|
||||
com_err(me, errno, "Error creating file %s", file_name);
|
||||
@@ -1753,7 +1753,7 @@ kdb5_ldap_set_service_password(int argc,
|
||||
|
||||
/* TODO: file lock for the service password file */
|
||||
/* set password in the file */
|
||||
- pfile = fopen(file_name, "r+");
|
||||
+ pfile = WRITABLEFOPEN(file_name, "r+");
|
||||
if (pfile == NULL) {
|
||||
com_err(me, errno, "Failed to open file %s", file_name);
|
||||
goto cleanup;
|
||||
@@ -1794,7 +1794,7 @@ kdb5_ldap_set_service_password(int argc,
|
||||
}
|
||||
|
||||
omask = umask(077);
|
||||
- newfile = fopen(tmp_file, "w+");
|
||||
+ newfile = WRITABLEFOPEN(tmp_file, "w+");
|
||||
umask(omask);
|
||||
if (newfile == NULL) {
|
||||
com_err(me, errno, "Error creating file %s", tmp_file);
|
||||
@@ -2016,7 +2016,7 @@ done:
|
||||
--- krb5-1.11.1.orig/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
|
||||
+++ krb5-1.11.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
|
||||
@@ -179,7 +179,7 @@ done:
|
||||
|
||||
/* set password in the file */
|
||||
old_mode = umask(0177);
|
||||
@ -409,29 +377,35 @@ Index: krb5-1.10.2/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
|
||||
if (pfile == NULL) {
|
||||
com_err(me, errno, _("Failed to open file %s: %s"), file_name,
|
||||
strerror (errno));
|
||||
@@ -2068,7 +2068,7 @@ done:
|
||||
@@ -220,6 +220,9 @@ done:
|
||||
* Delete the existing entry and add the new entry
|
||||
*/
|
||||
FILE *newfile;
|
||||
+#ifdef USE_SELINUX
|
||||
+ void *selabel;
|
||||
+#endif
|
||||
|
||||
mode_t omask;
|
||||
|
||||
@@ -231,7 +234,13 @@ done:
|
||||
}
|
||||
|
||||
omask = umask(077);
|
||||
- newfile = fopen(tmp_file, "w");
|
||||
+ newfile = WRITABLEFOPEN(tmp_file, "w");
|
||||
+#ifdef USE_SELINUX
|
||||
+ selabel = krb5int_push_fscreatecon_for(file_name);
|
||||
+#endif
|
||||
newfile = fopen(tmp_file, "w");
|
||||
+#ifdef USE_SELINUX
|
||||
+ krb5int_pop_fscreatecon(selabel);
|
||||
+#endif
|
||||
umask (omask);
|
||||
if (newfile == NULL) {
|
||||
com_err(me, errno, _("Error creating file %s"), tmp_file);
|
||||
Index: krb5-1.10.2/src/slave/kpropd.c
|
||||
Index: krb5-1.11.1/src/slave/kpropd.c
|
||||
===================================================================
|
||||
--- krb5-1.10.2.orig/src/slave/kpropd.c
|
||||
+++ krb5-1.10.2/src/slave/kpropd.c
|
||||
@@ -336,7 +336,7 @@ retry:
|
||||
if (!debug && iproprole != IPROP_SLAVE)
|
||||
daemon(1, 0);
|
||||
#ifdef PID_FILE
|
||||
- if ((pidfile = fopen(PID_FILE, "w")) != NULL) {
|
||||
+ if ((pidfile = WRITABLEFOPEN(PID_FILE, "w")) != NULL) {
|
||||
fprintf(pidfile, "%d\n", getpid());
|
||||
fclose(pidfile);
|
||||
} else
|
||||
@@ -437,6 +437,9 @@ void doit(fd)
|
||||
--- krb5-1.11.1.orig/src/slave/kpropd.c
|
||||
+++ krb5-1.11.1/src/slave/kpropd.c
|
||||
@@ -459,6 +459,9 @@ void doit(fd)
|
||||
krb5_enctype etype;
|
||||
int database_fd;
|
||||
char host[INET6_ADDRSTRLEN+1];
|
||||
@ -439,9 +413,9 @@ Index: krb5-1.10.2/src/slave/kpropd.c
|
||||
+ void *selabel;
|
||||
+#endif
|
||||
|
||||
if (kpropd_context->kdblog_context &&
|
||||
kpropd_context->kdblog_context->iproprole == IPROP_SLAVE) {
|
||||
@@ -515,9 +518,15 @@ void doit(fd)
|
||||
signal_wrapper(SIGALRM, alarm_handler);
|
||||
alarm(params.iprop_resync_timeout);
|
||||
@@ -516,9 +519,15 @@ void doit(fd)
|
||||
free(name);
|
||||
exit(1);
|
||||
}
|
||||
@ -457,10 +431,10 @@ Index: krb5-1.10.2/src/slave/kpropd.c
|
||||
retval = krb5_lock_file(kpropd_context, lock_fd,
|
||||
KRB5_LOCKMODE_EXCLUSIVE|KRB5_LOCKMODE_DONTBLOCK);
|
||||
if (retval) {
|
||||
Index: krb5-1.10.2/src/util/profile/prof_file.c
|
||||
Index: krb5-1.11.1/src/util/profile/prof_file.c
|
||||
===================================================================
|
||||
--- krb5-1.10.2.orig/src/util/profile/prof_file.c
|
||||
+++ krb5-1.10.2/src/util/profile/prof_file.c
|
||||
--- krb5-1.11.1.orig/src/util/profile/prof_file.c
|
||||
+++ krb5-1.11.1/src/util/profile/prof_file.c
|
||||
@@ -30,6 +30,7 @@
|
||||
#endif
|
||||
|
||||
@ -478,10 +452,10 @@ Index: krb5-1.10.2/src/util/profile/prof_file.c
|
||||
if (!f) {
|
||||
retval = errno;
|
||||
if (retval == 0)
|
||||
Index: krb5-1.10.2/src/util/support/Makefile.in
|
||||
Index: krb5-1.11.1/src/util/support/Makefile.in
|
||||
===================================================================
|
||||
--- krb5-1.10.2.orig/src/util/support/Makefile.in
|
||||
+++ krb5-1.10.2/src/util/support/Makefile.in
|
||||
--- krb5-1.11.1.orig/src/util/support/Makefile.in
|
||||
+++ krb5-1.11.1/src/util/support/Makefile.in
|
||||
@@ -64,6 +64,7 @@ IPC_SYMS= \
|
||||
|
||||
STLIBOBJS= \
|
||||
@ -490,7 +464,7 @@ Index: krb5-1.10.2/src/util/support/Makefile.in
|
||||
init-addrinfo.o \
|
||||
plugins.o \
|
||||
errors.o \
|
||||
@@ -127,7 +128,7 @@ SRCS=\
|
||||
@@ -135,7 +136,7 @@ SRCS=\
|
||||
|
||||
SHLIB_EXPDEPS =
|
||||
# Add -lm if dumping thread stats, for sqrt.
|
||||
@ -499,13 +473,13 @@ Index: krb5-1.10.2/src/util/support/Makefile.in
|
||||
SHLIB_DIRS=
|
||||
SHLIB_RDIRS=$(KRB5_LIBDIR)
|
||||
|
||||
Index: krb5-1.10.2/src/util/support/selinux.c
|
||||
Index: krb5-1.11.1/src/util/support/selinux.c
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ krb5-1.10.2/src/util/support/selinux.c
|
||||
@@ -0,0 +1,372 @@
|
||||
+++ krb5-1.11.1/src/util/support/selinux.c
|
||||
@@ -0,0 +1,405 @@
|
||||
+/*
|
||||
+ * Copyright 2007,2008,2009,2011 Red Hat, Inc. All Rights Reserved.
|
||||
+ * Copyright 2007,2008,2009,2011,2012 Red Hat, Inc. All Rights Reserved.
|
||||
+ *
|
||||
+ * Redistribution and use in source and binary forms, with or without
|
||||
+ * modification, are permitted provided that the following conditions are met:
|
||||
@ -542,7 +516,7 @@ Index: krb5-1.10.2/src/util/support/selinux.c
|
||||
+#ifdef USE_SELINUX
|
||||
+
|
||||
+#include <k5-label.h>
|
||||
+#include <k5-thread.h>
|
||||
+#include <k5-platform.h>
|
||||
+#include <sys/types.h>
|
||||
+#include <sys/stat.h>
|
||||
+#include <errno.h>
|
||||
@ -573,15 +547,28 @@ Index: krb5-1.10.2/src/util/support/selinux.c
|
||||
+ k5_mutex_finish_init(&labeled_mutex);
|
||||
+}
|
||||
+
|
||||
+#ifdef HAVE_SELINUX_LABEL_H
|
||||
+static struct selabel_handle *selabel_ctx;
|
||||
+static time_t selabel_last_changed;
|
||||
+
|
||||
+MAKE_FINI_FUNCTION(cleanup_fscreatecon);
|
||||
+
|
||||
+static void
|
||||
+cleanup_fscreatecon(void)
|
||||
+{
|
||||
+ if (selabel_ctx != NULL) {
|
||||
+ selabel_close(selabel_ctx);
|
||||
+ selabel_ctx = NULL;
|
||||
+ }
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
+static security_context_t
|
||||
+push_fscreatecon(const char *pathname, mode_t mode)
|
||||
+{
|
||||
+ security_context_t previous, configuredsc, currentsc, derivedsc;
|
||||
+ context_t current, derived;
|
||||
+ const char *fullpath, *currentuser;
|
||||
+#ifdef HAVE_SELINUX_LABEL_H
|
||||
+ struct selabel_handle *ctx;
|
||||
+#endif
|
||||
+
|
||||
+ previous = NULL;
|
||||
+ if (is_selinux_enabled()) {
|
||||
@ -622,18 +609,37 @@ Index: krb5-1.10.2/src/util/support/selinux.c
|
||||
+#endif
|
||||
+ configuredsc = NULL;
|
||||
+#ifdef HAVE_SELINUX_LABEL_H
|
||||
+ ctx = selabel_open(SELABEL_CTX_FILE, NULL, 0);
|
||||
+ if (ctx != NULL) {
|
||||
+ if (selabel_lookup(ctx, &configuredsc,
|
||||
+ if ((selabel_ctx != NULL) ||
|
||||
+ (selabel_last_changed == 0)) {
|
||||
+ const char *cpath;
|
||||
+ struct stat st;
|
||||
+ int i = -1;
|
||||
+ cpath = selinux_file_context_path();
|
||||
+ if ((cpath == NULL) ||
|
||||
+ ((i = stat(cpath, &st)) != 0) ||
|
||||
+ (st.st_mtime != selabel_last_changed)) {
|
||||
+ if (selabel_ctx != NULL) {
|
||||
+ selabel_close(selabel_ctx);
|
||||
+ selabel_ctx = NULL;
|
||||
+ }
|
||||
+ selabel_last_changed = i ?
|
||||
+ time(NULL) :
|
||||
+ st.st_mtime;
|
||||
+ }
|
||||
+ }
|
||||
+ if (selabel_ctx == NULL) {
|
||||
+ selabel_ctx = selabel_open(SELABEL_CTX_FILE,
|
||||
+ NULL, 0);
|
||||
+ }
|
||||
+ if (selabel_ctx != NULL) {
|
||||
+ if (selabel_lookup(selabel_ctx, &configuredsc,
|
||||
+ fullpath, mode) != 0) {
|
||||
+ selabel_close(ctx);
|
||||
+ free(genpath);
|
||||
+ if (previous != NULL) {
|
||||
+ freecon(previous);
|
||||
+ }
|
||||
+ return NULL;
|
||||
+ }
|
||||
+ selabel_close(ctx);
|
||||
+ }
|
||||
+#else
|
||||
+ if (matchpathcon(fullpath, mode, &configuredsc) != 0) {
|
||||
@ -756,7 +762,8 @@ Index: krb5-1.10.2/src/util/support/selinux.c
|
||||
+ int errno_save;
|
||||
+ security_context_t ctx;
|
||||
+
|
||||
+ if (strcmp(mode, "r") == 0) {
|
||||
+ if ((strcmp(mode, "r") == 0) ||
|
||||
+ (strcmp(mode, "rb") == 0)) {
|
||||
+ return fopen(path, mode);
|
||||
+ }
|
||||
+
|
||||
@ -876,10 +883,10 @@ Index: krb5-1.10.2/src/util/support/selinux.c
|
||||
+}
|
||||
+
|
||||
+#endif
|
||||
Index: krb5-1.10.2/src/lib/krb5/rcache/rc_dfl.c
|
||||
Index: krb5-1.11.1/src/lib/krb5/rcache/rc_dfl.c
|
||||
===================================================================
|
||||
--- krb5-1.10.2.orig/src/lib/krb5/rcache/rc_dfl.c
|
||||
+++ krb5-1.10.2/src/lib/krb5/rcache/rc_dfl.c
|
||||
--- krb5-1.11.1.orig/src/lib/krb5/rcache/rc_dfl.c
|
||||
+++ krb5-1.11.1/src/lib/krb5/rcache/rc_dfl.c
|
||||
@@ -812,6 +812,9 @@ krb5_rc_dfl_expunge_locked(krb5_context
|
||||
krb5_error_code retval = 0;
|
||||
krb5_rcache tmp;
|
||||
@ -908,11 +915,48 @@ Index: krb5-1.10.2/src/lib/krb5/rcache/rc_dfl.c
|
||||
if (retval)
|
||||
goto cleanup;
|
||||
for (q = t->a; q; q = q->na) {
|
||||
Index: krb5-1.10.2/src/plugins/kdb/db2/kdb_db2.c
|
||||
Index: krb5-1.11.1/src/lib/krb5/ccache/cc_dir.c
|
||||
===================================================================
|
||||
--- krb5-1.10.2.orig/src/plugins/kdb/db2/kdb_db2.c
|
||||
+++ krb5-1.10.2/src/plugins/kdb/db2/kdb_db2.c
|
||||
@@ -683,8 +683,8 @@ ctx_create_db(krb5_context context, krb5
|
||||
--- krb5-1.11.1.orig/src/lib/krb5/ccache/cc_dir.c
|
||||
+++ krb5-1.11.1/src/lib/krb5/ccache/cc_dir.c
|
||||
@@ -185,10 +185,19 @@ write_primary_file(const char *primary_p
|
||||
char *newpath = NULL;
|
||||
FILE *fp = NULL;
|
||||
int fd = -1, status;
|
||||
+#ifdef USE_SELINUX
|
||||
+ void *selabel;
|
||||
+#endif
|
||||
|
||||
if (asprintf(&newpath, "%s.XXXXXX", primary_path) < 0)
|
||||
return ENOMEM;
|
||||
+#ifdef USE_SELINUX
|
||||
+ selabel = krb5int_push_fscreatecon_for(primary_path);
|
||||
+#endif
|
||||
fd = mkstemp(newpath);
|
||||
+#ifdef USE_SELINUX
|
||||
+ krb5int_pop_fscreatecon(selabel);
|
||||
+#endif
|
||||
if (fd < 0)
|
||||
goto cleanup;
|
||||
#ifdef HAVE_CHMOD
|
||||
Index: krb5-1.11.1/src/lib/krb5/os/trace.c
|
||||
===================================================================
|
||||
--- krb5-1.11.1.orig/src/lib/krb5/os/trace.c
|
||||
+++ krb5-1.11.1/src/lib/krb5/os/trace.c
|
||||
@@ -401,7 +401,7 @@ krb5_set_trace_filename(krb5_context con
|
||||
fd = malloc(sizeof(*fd));
|
||||
if (fd == NULL)
|
||||
return ENOMEM;
|
||||
- *fd = open(filename, O_WRONLY|O_CREAT|O_APPEND, 0600);
|
||||
+ *fd = THREEPARAMOPEN(filename, O_WRONLY|O_CREAT|O_APPEND, 0600);
|
||||
if (*fd == -1) {
|
||||
free(fd);
|
||||
return errno;
|
||||
Index: krb5-1.11.1/src/plugins/kdb/db2/kdb_db2.c
|
||||
===================================================================
|
||||
--- krb5-1.11.1.orig/src/plugins/kdb/db2/kdb_db2.c
|
||||
+++ krb5-1.11.1/src/plugins/kdb/db2/kdb_db2.c
|
||||
@@ -681,8 +681,8 @@ ctx_create_db(krb5_context context, krb5
|
||||
if (retval)
|
||||
return retval;
|
||||
|
||||
@ -923,10 +967,10 @@ Index: krb5-1.10.2/src/plugins/kdb/db2/kdb_db2.c
|
||||
if (dbc->db_lf_file < 0) {
|
||||
retval = errno;
|
||||
goto cleanup;
|
||||
Index: krb5-1.10.2/src/plugins/kdb/db2/libdb2/recno/rec_open.c
|
||||
Index: krb5-1.11.1/src/plugins/kdb/db2/libdb2/recno/rec_open.c
|
||||
===================================================================
|
||||
--- krb5-1.10.2.orig/src/plugins/kdb/db2/libdb2/recno/rec_open.c
|
||||
+++ krb5-1.10.2/src/plugins/kdb/db2/libdb2/recno/rec_open.c
|
||||
--- krb5-1.11.1.orig/src/plugins/kdb/db2/libdb2/recno/rec_open.c
|
||||
+++ krb5-1.11.1/src/plugins/kdb/db2/libdb2/recno/rec_open.c
|
||||
@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)rec_open.c 8
|
||||
#include <stdio.h>
|
||||
#include <unistd.h>
|
||||
@ -945,11 +989,11 @@ Index: krb5-1.10.2/src/plugins/kdb/db2/libdb2/recno/rec_open.c
|
||||
return (NULL);
|
||||
|
||||
if (fname != NULL && fcntl(rfd, F_SETFD, 1) == -1) {
|
||||
Index: krb5-1.10.2/src/kdc/main.c
|
||||
Index: krb5-1.11.1/src/kdc/main.c
|
||||
===================================================================
|
||||
--- krb5-1.10.2.orig/src/kdc/main.c
|
||||
+++ krb5-1.10.2/src/kdc/main.c
|
||||
@@ -909,7 +909,7 @@ write_pid_file(const char *path)
|
||||
--- krb5-1.11.1.orig/src/kdc/main.c
|
||||
+++ krb5-1.11.1/src/kdc/main.c
|
||||
@@ -902,7 +902,7 @@ write_pid_file(const char *path)
|
||||
FILE *file;
|
||||
unsigned long pid;
|
||||
|
||||
@ -958,23 +1002,23 @@ Index: krb5-1.10.2/src/kdc/main.c
|
||||
if (file == NULL)
|
||||
return errno;
|
||||
pid = (unsigned long) getpid();
|
||||
Index: krb5-1.10.2/src/lib/kdb/kdb_log.c
|
||||
Index: krb5-1.11.1/src/lib/kdb/kdb_log.c
|
||||
===================================================================
|
||||
--- krb5-1.10.2.orig/src/lib/kdb/kdb_log.c
|
||||
+++ krb5-1.10.2/src/lib/kdb/kdb_log.c
|
||||
@@ -566,7 +566,7 @@ ulog_map(krb5_context context, const cha
|
||||
--- krb5-1.11.1.orig/src/lib/kdb/kdb_log.c
|
||||
+++ krb5-1.11.1/src/lib/kdb/kdb_log.c
|
||||
@@ -604,7 +604,7 @@ ulog_map(krb5_context context, const cha
|
||||
return (errno);
|
||||
}
|
||||
|
||||
- if ((ulogfd = open(logname, O_RDWR+O_CREAT, 0600)) == -1) {
|
||||
+ if ((ulogfd = THREEPARAMOPEN(logname, O_RDWR | O_CREAT, 0600)) == -1) {
|
||||
- ulogfd = open(logname, O_RDWR | O_CREAT, 0600);
|
||||
+ ulogfd = THREEPARAMOPEN(logname, O_RDWR | O_CREAT, 0600);
|
||||
if (ulogfd == -1) {
|
||||
return (errno);
|
||||
}
|
||||
|
||||
Index: krb5-1.10.2/src/util/gss-kernel-lib/Makefile.in
|
||||
Index: krb5-1.11.1/src/util/gss-kernel-lib/Makefile.in
|
||||
===================================================================
|
||||
--- krb5-1.10.2.orig/src/util/gss-kernel-lib/Makefile.in
|
||||
+++ krb5-1.10.2/src/util/gss-kernel-lib/Makefile.in
|
||||
--- krb5-1.11.1.orig/src/util/gss-kernel-lib/Makefile.in
|
||||
+++ krb5-1.11.1/src/util/gss-kernel-lib/Makefile.in
|
||||
@@ -66,6 +66,7 @@ HEADERS= \
|
||||
gssapi_err_generic.h \
|
||||
k5-int.h \
|
3
krb5-1.11.1.tar.bz2
Normal file
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:7994928de3fbaeaef4862798ad1608c8bd886b91cc15de7b49d6c3c3cadc1d0d
|
||||
size 9433869
|
@ -1,9 +0,0 @@
|
||||
--- doc/man2html
|
||||
+++ doc/man2html 2004/10/18 16:20:53
|
||||
@@ -1,5 +1,4 @@
|
||||
-#!/usr/athena/bin/perl
|
||||
-#!/usr/local/bin/perl
|
||||
+#!/usr/bin/perl
|
||||
##---------------------------------------------------------------------------##
|
||||
## File:
|
||||
## @(#) man2html 1.2 97/08/12 12:57:30 @(#)
|
@ -1,11 +1,11 @@
|
||||
Index: krb5-1.6.3/src/kadmin/ktutil/ktutil.M
|
||||
Index: krb5-1.11/src/man/ktutil.man
|
||||
===================================================================
|
||||
--- krb5-1.6.3.orig/src/kadmin/ktutil/ktutil.M
|
||||
+++ krb5-1.6.3/src/kadmin/ktutil/ktutil.M
|
||||
@@ -63,5 +63,17 @@ Quits
|
||||
Aliases:
|
||||
.BR exit ,
|
||||
.BR q .
|
||||
--- krb5-1.11.orig/src/man/ktutil.man
|
||||
+++ krb5-1.11/src/man/ktutil.man
|
||||
@@ -158,6 +158,18 @@ ktutil:
|
||||
.fi
|
||||
.UNINDENT
|
||||
.UNINDENT
|
||||
+.SH REMARKS
|
||||
+Changes to the keytab are appended to the keytab file (i.e., the keytab file
|
||||
+is never overwritten). To directly modify a keytab, save the changes to a
|
||||
@ -19,4 +19,5 @@ Index: krb5-1.6.3/src/kadmin/ktutil/ktutil.M
|
||||
+ktutil> q
|
||||
+# mv /tmp/krb5.newtab /etc/krb5.keytab
|
||||
.SH SEE ALSO
|
||||
kadmin(8), kdb5_util(8)
|
||||
.sp
|
||||
\fIkadmin(1)\fP, \fIkdb5_util(8)\fP
|
||||
|
@ -1,7 +0,0 @@
|
||||
appl/sample/sserver/sserver.M
|
||||
config-files/kdc.conf.M
|
||||
config-files/krb5.conf.M
|
||||
gen-manpages/kerberos.M
|
||||
kadmin/cli/kadmin.M
|
||||
slave/kpropd.M
|
||||
slave/kprop.M
|
30
krb5-1.9-debuginfo.patch
Normal file
@ -0,0 +1,30 @@
|
||||
We want to keep these y.tab.c files around because the debuginfo points to
|
||||
them. It would be more elegant at the end to use symbolic links, but that
|
||||
could mess up people working in the tree on other things.
|
||||
|
||||
Index: src/kadmin/cli/Makefile.in
|
||||
===================================================================
|
||||
--- src/kadmin/cli/Makefile.in.orig
|
||||
+++ src/kadmin/cli/Makefile.in
|
||||
@@ -40,3 +40,8 @@ clean-unix::
|
||||
# CC_LINK is not meant for compilation and this use may break in the future.
|
||||
datetest: getdate.c
|
||||
$(CC_LINK) $(ALL_CFLAGS) -DTEST -o datetest getdate.c
|
||||
+
|
||||
+%.c: %.y
|
||||
+ $(RM) y.tab.c $@
|
||||
+ $(YACC.y) $<
|
||||
+ $(CP) y.tab.c $@
|
||||
Index: src/plugins/kdb/ldap/ldap_util/Makefile.in
|
||||
===================================================================
|
||||
--- src/plugins/kdb/ldap/ldap_util/Makefile.in.orig
|
||||
+++ src/plugins/kdb/ldap/ldap_util/Makefile.in
|
||||
@@ -22,7 +22,7 @@ $(PROG): $(OBJS) $(KADMSRV_DEPLIBS) $(KR
|
||||
getdate.c: $(GETDATE)
|
||||
$(RM) getdate.c y.tab.c
|
||||
$(YACC) $(GETDATE)
|
||||
- $(MV) y.tab.c getdate.c
|
||||
+ $(CP) y.tab.c getdate.c
|
||||
|
||||
install::
|
||||
$(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG)
|
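Review bot: Both changes in this patch leave a fixed-name `y.tab.c` in the build directory, the new `%.c: %.y` rule in src/kadmin/cli/Makefile.in and the `$(CP) y.tab.c getdate.c` line in src/plugins/kdb/ldap/ldap_util/Makefile.in, but the reason is recorded only in the patch header and not in the Makefiles. A later cleanup could turn `$(CP)` back into `$(MV)` without noticing, so I would add a comment above each recipe such as `# keep y.tab.c: debuginfo refers to it, so copy instead of move`. Because the intermediate name is shared, a second grammar in the same directory would overwrite it, and parallel builds of two grammars would race on it; that looks harmless with the single getdate grammar shown here, but the comment should say so. The pattern rule and `$(YACC.y)` appear to rely on GNU make, and whether an existing clean target removes `y.tab.c` cannot be seen from these hunks, so both are worth confirming.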
@ -1,10 +1,10 @@
|
||||
Use an in-memory ccache to silence a compiler warning, for RT#6414.
|
||||
|
||||
Index: krb5-1.10.2/src/slave/kprop.c
|
||||
Index: krb5-1.11/src/slave/kprop.c
|
||||
===================================================================
|
||||
--- krb5-1.10.2.orig/src/slave/kprop.c
|
||||
+++ krb5-1.10.2/src/slave/kprop.c
|
||||
@@ -186,9 +186,8 @@ void PRS(argc, argv)
|
||||
--- krb5-1.11.orig/src/slave/kprop.c
|
||||
+++ krb5-1.11/src/slave/kprop.c
|
||||
@@ -187,9 +187,8 @@ void PRS(argc, argv)
|
||||
void get_tickets(context)
|
||||
krb5_context context;
|
||||
{
|
||||
@ -15,7 +15,7 @@ Index: krb5-1.10.2/src/slave/kprop.c
|
||||
krb5_keytab keytab = NULL;
|
||||
|
||||
/*
|
||||
@@ -229,11 +228,8 @@ void get_tickets(context)
|
||||
@@ -230,11 +229,8 @@ void get_tickets(context)
|
||||
#endif
|
||||
|
||||
/*
|
||||
|
@ -3,206 +3,16 @@ values can be dropped in by config.status. After applying this patch,
|
||||
these files should be renamed to their ".in" counterparts, and then the
|
||||
configure scripts should be rebuilt. Originally RT#6525
|
||||
|
||||
Index: krb5-1.10.2/src/aclocal.m4
|
||||
Index: krb5-1.11/src/man/kpropd.man
|
||||
===================================================================
|
||||
--- krb5-1.10.2.orig/src/aclocal.m4
|
||||
+++ krb5-1.10.2/src/aclocal.m4
|
||||
@@ -1743,3 +1743,24 @@ AC_SUBST(PAM_LIBS)
|
||||
AC_SUBST(PAM_MAN)
|
||||
AC_SUBST(NON_PAM_MAN)
|
||||
])dnl
|
||||
+AC_DEFUN(V5_AC_OUTPUT_MANPAGE,[
|
||||
+mansysconfdir=$sysconfdir
|
||||
+mansysconfdir=`eval echo $mansysconfdir | sed -e "s,NONE,$prefix,g"`
|
||||
+mansysconfdir=`eval echo $mansysconfdir | sed -e "s,NONE,$ac_default_prefix,g"`
|
||||
+mansbindir=$sbindir
|
||||
+mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$exec_prefix,g"`
|
||||
+mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$prefix,g"`
|
||||
+mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$ac_default_prefix,g"`
|
||||
+manlocalstatedir=$localstatedir
|
||||
+manlocalstatedir=`eval echo $manlocalstatedir | sed -e "s,NONE,$prefix,g"`
|
||||
+manlocalstatedir=`eval echo $manlocalstatedir | sed -e "s,NONE,$ac_default_prefix,g"`
|
||||
+manlibexecdir=$libexecdir
|
||||
+manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$exec_prefix,g"`
|
||||
+manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$prefix,g"`
|
||||
+manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$ac_default_prefix,g"`
|
||||
+AC_SUBST(mansysconfdir)
|
||||
+AC_SUBST(mansbindir)
|
||||
+AC_SUBST(manlocalstatedir)
|
||||
+AC_SUBST(manlibexecdir)
|
||||
+AC_CONFIG_FILES($1)
|
||||
+])
|
||||
Index: krb5-1.10.2/src/configure.in
|
||||
===================================================================
|
||||
--- krb5-1.10.2.orig/src/configure.in
|
||||
+++ krb5-1.10.2/src/configure.in
|
||||
@@ -1249,6 +1249,17 @@ AC_SUBST(localedir)
|
||||
KRB5_WITH_PAM
|
||||
|
||||
AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config])
|
||||
+
|
||||
+V5_AC_OUTPUT_MANPAGE([
|
||||
+ appl/sample/sserver/sserver.M
|
||||
+ config-files/kdc.conf.M
|
||||
+ config-files/krb5.conf.M
|
||||
+ gen-manpages/kerberos.M
|
||||
+ kadmin/cli/kadmin.M
|
||||
+ slave/kpropd.M
|
||||
+ slave/kprop.M
|
||||
+])
|
||||
+
|
||||
V5_AC_OUTPUT_MAKEFILE(.
|
||||
|
||||
util util/support util/profile util/profile/testmod util/send-pr
|
||||
Index: krb5-1.10.2/src/appl/sample/sserver/sserver.M
|
||||
===================================================================
|
||||
--- krb5-1.10.2.orig/src/appl/sample/sserver/sserver.M
|
||||
+++ krb5-1.10.2/src/appl/sample/sserver/sserver.M
|
||||
@@ -59,7 +59,7 @@ option allows for a different keytab tha
|
||||
using a line in
|
||||
/etc/inetd.conf that looks like this:
|
||||
.PP
|
||||
-sample stream tcp nowait root /usr/local/sbin/sserver sserver
|
||||
+sample stream tcp nowait root @mansbindir@/sserver sserver
|
||||
.PP
|
||||
Since \fBsample\fP is normally not a port defined in /etc/services, you will
|
||||
usually have to add a line to /etc/services which looks like this:
|
||||
Index: krb5-1.10.2/src/config-files/kdc.conf.M
|
||||
===================================================================
|
||||
--- krb5-1.10.2.orig/src/config-files/kdc.conf.M
|
||||
+++ krb5-1.10.2/src/config-files/kdc.conf.M
|
||||
@@ -92,14 +92,14 @@ This
|
||||
.B string
|
||||
specifies the location of the access control list (acl) file that
|
||||
kadmin uses to determine which principals are allowed which permissions
|
||||
-on the database. The default value is /usr/local/var/krb5kdc/kadm5.acl.
|
||||
+on the database. The default value is @manlocalstatedir@/krb5kdc/kadm5.acl.
|
||||
|
||||
.IP admin_keytab
|
||||
This
|
||||
.B string
|
||||
Specifies the location of the keytab file that kadmin uses to
|
||||
authenticate to the database. The default value is
|
||||
-/usr/local/var/krb5kdc/kadm5.keytab.
|
||||
+@manlocalstatedir@/krb5kdc/kadm5.keytab.
|
||||
|
||||
.IP database_name
|
||||
This
|
||||
@@ -274,7 +274,7 @@ tickets should be checked against the tr
|
||||
realm names and the [capaths] section of its krb5.conf file
|
||||
|
||||
.SH FILES
|
||||
-/usr/local/var/krb5kdc/kdc.conf
|
||||
+@manlocalstatedir@/krb5kdc/kdc.conf
|
||||
|
||||
.SH SEE ALSO
|
||||
krb5.conf(5), krb5kdc(8)
|
||||
Index: krb5-1.10.2/src/config-files/krb5.conf.M
|
||||
===================================================================
|
||||
--- krb5-1.10.2.orig/src/config-files/krb5.conf.M
|
||||
+++ krb5-1.10.2/src/config-files/krb5.conf.M
|
||||
@@ -808,6 +808,6 @@ This module implements the encrypted cha
|
||||
This module implements the encrypted timestamp mechanism.
|
||||
|
||||
.SH FILES
|
||||
-/etc/krb5.conf
|
||||
+@mansysconfdir@/krb5.conf
|
||||
.SH SEE ALSO
|
||||
syslog(3)
|
||||
Index: krb5-1.10.2/src/gen-manpages/kerberos.M
|
||||
===================================================================
|
||||
--- krb5-1.10.2.orig/src/gen-manpages/kerberos.M
|
||||
+++ krb5-1.10.2/src/gen-manpages/kerberos.M
|
||||
@@ -125,7 +125,7 @@ default is /etc/krb5.conf.
|
||||
Specifies the location of the KDC configuration file, which contains
|
||||
additional configuration directives for the Key Distribution Center
|
||||
daemon and associated programs. The default is
|
||||
-/usr/local/var/krb5kdc/kdc.conf.
|
||||
+@manlocalstatedir@/krb5kdc/kdc.conf.
|
||||
.TP
|
||||
.B KRB5RCACHETYPE
|
||||
Specifies the default type of replay cache to use for servers. Valid
|
||||
Index: krb5-1.10.2/src/kadmin/cli/kadmin.M
|
||||
===================================================================
|
||||
--- krb5-1.10.2.orig/src/kadmin/cli/kadmin.M
|
||||
+++ krb5-1.10.2/src/kadmin/cli/kadmin.M
|
||||
@@ -924,9 +924,9 @@ option is specified, less verbose status
|
||||
.RS
|
||||
.TP
|
||||
EXAMPLE:
|
||||
-kadmin: ktremove -k /usr/local/var/krb5kdc/kadmind.keytab kadmin/admin
|
||||
+kadmin: ktremove -k @manlocalstatedir@/krb5kdc/kadmind.keytab kadmin/admin
|
||||
Entry for principal kadmin/admin with kvno 3 removed
|
||||
- from keytab WRFILE:/usr/local/var/krb5kdc/kadmind.keytab.
|
||||
+ from keytab WRFILE:@manlocalstatedir@/krb5kdc/kadmind.keytab.
|
||||
kadmin:
|
||||
.RE
|
||||
--- krb5-1.11.orig/src/man/kpropd.man
|
||||
+++ krb5-1.11/src/man/kpropd.man
|
||||
@@ -63,7 +63,7 @@ the \fB/etc/inetd.conf\fP file which loo
|
||||
.sp
|
||||
.nf
|
||||
.ft C
|
||||
-kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd
|
||||
+kprop stream tcp nowait root @SBINDIR@/kpropd kpropd
|
||||
.ft P
|
||||
.fi
|
||||
Index: krb5-1.10.2/src/slave/kpropd.M
|
||||
===================================================================
|
||||
--- krb5-1.10.2.orig/src/slave/kpropd.M
|
||||
+++ krb5-1.10.2/src/slave/kpropd.M
|
||||
@@ -74,7 +74,7 @@ Normally, kpropd is invoked out of
|
||||
This is done by adding a line to the inetd.conf file which looks like
|
||||
this:
|
||||
|
||||
-kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd
|
||||
+kprop stream tcp nowait root @mansbindir@/kpropd kpropd
|
||||
|
||||
However, kpropd can also run as a standalone daemon, if the
|
||||
.B \-S
|
||||
@@ -111,13 +111,13 @@ is used.
|
||||
\fB\-f\fP \fIfile\fP
|
||||
specifies the filename where the dumped principal database file is to be
|
||||
stored; by default the dumped database file is KPROPD_DEFAULT_FILE
|
||||
-(normally /usr/local/var/krb5kdc/from_master).
|
||||
+(normally @manlocalstatedir@/krb5kdc/from_master).
|
||||
.TP
|
||||
.B \-p
|
||||
allows the user to specify the pathname to the
|
||||
.IR kdb5_util (8)
|
||||
program; by default the pathname used is KPROPD_DEFAULT_KDB5_UTIL
|
||||
-(normally /usr/local/sbin/kdb5_util).
|
||||
+(normally @mansbindir@/kdb5_util).
|
||||
.TP
|
||||
.B \-S
|
||||
turn on standalone mode. Normally, kpropd is invoked out of
|
||||
@@ -148,14 +148,14 @@ mode.
|
||||
allows the user to specify the path to the
|
||||
kpropd.acl
|
||||
file; by default the path used is KPROPD_ACL_FILE
|
||||
-(normally /usr/local/var/krb5kdc/kpropd.acl).
|
||||
+(normally @manlocalstatedir@/krb5kdc/kpropd.acl).
|
||||
.SH FILES
|
||||
.TP "\w'kpropd.acl\ \ 'u"
|
||||
kpropd.acl
|
||||
Access file for
|
||||
.BR kpropd ;
|
||||
the default location is KPROPD_ACL_FILE (normally
|
||||
-/usr/local/var/krb5kdc/kpropd.acl).
|
||||
+@manlocalstatedir@/krb5kdc/kpropd.acl).
|
||||
Each entry is a line containing the principal of a host from which the
|
||||
local machine will allow Kerberos database propagation via kprop.
|
||||
.SH SEE ALSO
|
||||
Index: krb5-1.10.2/src/slave/kprop.M
|
||||
===================================================================
|
||||
--- krb5-1.10.2.orig/src/slave/kprop.M
|
||||
+++ krb5-1.10.2/src/slave/kprop.M
|
||||
@@ -39,7 +39,7 @@ Kerberos server to a slave Kerberos serv
|
||||
This is done by transmitting the dumped database file to the slave
|
||||
server over an encrypted, secure channel. The dump file must be created
|
||||
by kdb5_util, and is normally KPROP_DEFAULT_FILE
|
||||
-(/usr/local/var/krb5kdc/slave_datatrans).
|
||||
+(@manlocalstatedir@/krb5kdc/slave_datatrans).
|
||||
.SH OPTIONS
|
||||
.TP
|
||||
\fB\-r\fP \fIrealm\fP
|
||||
@@ -51,7 +51,7 @@ is used.
|
||||
\fB\-f\fP \fIfile\fP
|
||||
specifies the filename where the dumped principal database file is to be
|
||||
found; by default the dumped database file is KPROP_DEFAULT_FILE
|
||||
-(normally /usr/local/var/krb5kdc/slave_datatrans).
|
||||
+(normally @manlocalstatedir@/krb5kdc/slave_datatrans).
|
||||
.TP
|
||||
\fB\-P\fP \fIport\fP
|
||||
specifies the port to use to contact the
|
||||
.UNINDENT
|
||||
|
@ -1,2 +0,0 @@
|
||||
addFilter("files-duplicate .*css")
|
||||
addFilter("files-duplicate .*img.*png")
|
196
krb5-doc.changes
@ -1,196 +0,0 @@
|
||||
-------------------------------------------------------------------
|
||||
Mon Sep 3 14:34:35 UTC 2012 - idonmez@suse.com
|
||||
|
||||
- Build depend on texinfo & texlive-dvips to fix the build
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Jun 6 17:34:26 CEST 2012 - mc@suse.de
|
||||
|
||||
- update to version 1.10.2
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Aug 22 10:21:56 CEST 2011 - mc@suse.de
|
||||
|
||||
- update to version 1.9.1
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Apr 9 12:45:30 CEST 2010 - mc@suse.de
|
||||
|
||||
- update to version 1.8.1
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Mar 23 12:38:29 CET 2010 - mc@suse.de
|
||||
|
||||
- add post 1.8 fixes
|
||||
* Document the ticket_lifetime libdefaults setting
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Mar 4 11:45:22 CET 2010 - mc@suse.de
|
||||
|
||||
- update to version 1.8
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Jun 3 10:47:07 CEST 2009 - mc@suse.de
|
||||
|
||||
- update to final version 1.7
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed May 13 11:34:07 CEST 2009 - mc@suse.de
|
||||
|
||||
- update to version 1.7 Beta2
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Feb 16 13:08:05 CET 2009 - mc@suse.de
|
||||
|
||||
- update to pre 1.7 version
|
||||
* remove outdated documentation for kadm5 API
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Jul 25 12:17:10 CEST 2008 - mc@suse.de
|
||||
|
||||
- add patches from SVN post 1.6.3
|
||||
* some fixes in the man pages
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Jun 18 15:34:16 CEST 2008 - mc@suse.de
|
||||
|
||||
- reduce rpmlint warnings
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Oct 23 10:29:23 CEST 2007 - mc@suse.de
|
||||
|
||||
- update to krb5 version 1.6.3
|
||||
* fix CVE-2007-3999, CVE-2007-4743 svc_auth_gss.c buffer overflow
|
||||
* fix CVE-2007-4000 modify_policy vulnerability
|
||||
* Add PKINIT support
|
||||
- remove patches which are upstream now
|
||||
- enhance init scripts and xinetd profiles
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Jul 12 17:02:30 CEST 2007 - mc@suse.de
|
||||
|
||||
- update to version 1.6.2
|
||||
- remove krb5-1.6.1-post.dif all fixes are included in this release
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Jun 13 15:29:42 CEST 2007 - sschober@suse.de
|
||||
|
||||
- removed executable permission from doc file
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Apr 23 11:15:59 CEST 2007 - mc@suse.de
|
||||
|
||||
- update to final 1.6.1 version
|
||||
- replace te_ams with texlive in BuildRequires
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Apr 18 14:47:49 CEST 2007 - mc@suse.de
|
||||
|
||||
- build implementor.ps
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Apr 16 14:39:40 CEST 2007 - mc@suse.de
|
||||
|
||||
- update to version 1.6.1 Beta1
|
||||
- remove obsolete patches
|
||||
(krb5-1.6-post.dif, krb5-1.6-patchlevel.dif)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Feb 19 14:00:49 CET 2007 - mc@suse.de
|
||||
|
||||
- add krb5-1.6-post.dif
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Jan 22 12:21:20 CET 2007 - mc@suse.de
|
||||
|
||||
- update to version 1.6
|
||||
* Major changes in 1.6 include
|
||||
* Partial client implementation to handle server name referrals.
|
||||
* Pre-authentication plug-in framework, donated by Red Hat.
|
||||
* LDAP KDB plug-in, donated by Novell.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Aug 24 12:53:25 CEST 2006 - mc@suse.de
|
||||
|
||||
- update to version 1.5.1
|
||||
- remove obsolete patches which are now included upstream
|
||||
* krb5-1.4.3-MITKRB5-SA-2006-001-setuid-return-checks.dif
|
||||
* trunk-fix-uninitialized-vars.dif
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Jul 3 15:01:57 CEST 2006 - mc@suse.de
|
||||
|
||||
- update to version 1.5
|
||||
* KDB abstraction layer, donated by Novell.
|
||||
* plug-in architecture, allowing for extension modules to be
|
||||
loaded at run-time.
|
||||
* multi-mechanism GSS-API implementation ("mechglue"),
|
||||
donated by Sun Microsystems
|
||||
* Simple and Protected GSS-API negotiation mechanism ("SPNEGO")
|
||||
implementation, donated by Sun Microsystems
|
||||
- remove obsolete patches and add some new
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Mar 13 18:01:06 CET 2006 - mc@suse.de
|
||||
|
||||
- set BuildArchitectures to noarch
|
||||
- set norootforbuild
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Jan 25 21:30:24 CET 2006 - mls@suse.de
|
||||
|
||||
- converted neededforbuild to BuildRequires
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Nov 18 12:15:07 CET 2005 - mc@suse.de
|
||||
|
||||
- update to version 1.4.3
|
||||
- fix tex for kadm5 documentation (krb5-1.4.3-kadm5-tex.dif)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Oct 12 16:19:08 CEST 2005 - mc@suse.de
|
||||
|
||||
- build kadm5 documentation
|
||||
- build documentation also as html
|
||||
- include the text only documentation
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Oct 11 17:40:26 CEST 2005 - mc@suse.de
|
||||
|
||||
- update to version 1.4.2
|
||||
- remove some obsolet patches
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Jun 27 13:36:04 CEST 2005 - mc@suse.de
|
||||
|
||||
- update to version 1.4.1
|
||||
- remove obsolet patches
|
||||
- krb5-1.4-VUL-0-telnet.dif
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Feb 10 02:38:39 CET 2005 - ro@suse.de
|
||||
|
||||
- added libpng to neededforbuild (for tetex)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Feb 4 16:50:34 CET 2005 - mc@suse.de
|
||||
|
||||
- remove spx.c from tarball because of legal risk
|
||||
- add README.Source which tell the user about this
|
||||
action.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Jan 28 13:28:18 CET 2005 - mc@suse.de
|
||||
|
||||
- update to version 1.4
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Jan 10 12:20:11 CET 2005 - mc@suse.de
|
||||
|
||||
- update to version 1.3.6
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Dec 14 15:21:02 CET 2004 - mc@suse.de
|
||||
|
||||
- initial release
|
||||
|
@ -1,91 +0,0 @@
|
||||
#
|
||||
# spec file for package krb5-doc
|
||||
#
|
||||
# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
# upon. The license for this file, and modifications and additions to the
|
||||
# file, is the same license as for the pristine package itself (unless the
|
||||
# license for the pristine package is not an Open Source License, in which
|
||||
# case the license is the MIT License). An "Open Source License" is a
|
||||
# license that conforms to the Open Source Definition (Version 1.9)
|
||||
# published by the Open Source Initiative.
|
||||
|
||||
# Please submit bugfixes or comments via http://bugs.opensuse.org/
|
||||
#
|
||||
|
||||
|
||||
Name: krb5-doc
|
||||
BuildRequires: ghostscript-library
|
||||
BuildRequires: texinfo
|
||||
BuildRequires: texlive-dvips
|
||||
Version: 1.10.2
|
||||
Release: 0
|
||||
%define srcRoot krb5-1.10.2
|
||||
Summary: MIT Kerberos5 Implementation--Documentation
|
||||
License: MIT
|
||||
Group: Documentation/Other
|
||||
Url: http://web.mit.edu/kerberos/www/
|
||||
Source: krb5-%{version}.tar.bz2
|
||||
Source3: %{name}-rpmlintrc
|
||||
Patch0: krb5-1.3.5-perlfix.dif
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
BuildArch: noarch
|
||||
|
||||
%description
|
||||
Kerberos V5 is a trusted-third-party network authentication
|
||||
system,which can improve your network's security by eliminating the
|
||||
insecurepractice of clear text passwords. This package includes
|
||||
extended documentation for MIT Kerberos.
|
||||
|
||||
|
||||
|
||||
Authors:
|
||||
--------
|
||||
The MIT Kerberos Team
|
||||
Sam Hartman <hartmans@mit.edu>
|
||||
Ken Raeburn <raeburn@mit.edu>
|
||||
Tom Yu <tlyu@mit.edu>
|
||||
|
||||
%prep
|
||||
%setup -n %{srcRoot}
|
||||
%patch0
|
||||
|
||||
%build
|
||||
sed -i -e '1s!\[twoside\]!!;s!%\(\\usepackage{hyperref}\)!\1!' doc/api/library.tex
|
||||
sed -i -e '1c\
|
||||
\\documentclass{article}\
|
||||
\\usepackage{fixunder}\
|
||||
\\usepackage{functions}\
|
||||
\\usepackage{fancyheadings}\
|
||||
\\usepackage{hyperref}' doc/implement/implement.tex
|
||||
|
||||
%install
|
||||
cd doc
|
||||
mkdir -p html
|
||||
make
|
||||
make implementor.ps
|
||||
make -C api
|
||||
make -C implement
|
||||
mv *.html html/
|
||||
cd ..
|
||||
find . -type f -name '*.ps' -exec gzip -9 {} \;
|
||||
chmod 644 doc/man2ps
|
||||
chmod 644 doc/krb5-protocol/draft-jaganathan-rc4-hmac-03.txt
|
||||
# cleanup
|
||||
rm -f %{buildroot}/usr/share/man/man1/tmac.doc*
|
||||
rm -f /usr/share/man/man1/tmac.doc*
|
||||
rm -rf /usr/lib/mit/share
|
||||
rm -rf %{buildroot}/usr/lib/mit/share
|
||||
|
||||
%clean
|
||||
rm -rf %{buildroot}
|
||||
|
||||
%files
|
||||
%defattr(-,root,root)
|
||||
%doc doc/*.ps.gz doc/api/*.ps.gz doc/implement/*.ps.gz
|
||||
%doc doc/krb5-protocol doc/kadmin
|
||||
%doc doc/html
|
||||
|
||||
%changelog
|
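--- a/krb5-kvno-230379.patch
+++ b/krb5-kvno-230379.patch
@@ -0,0 +1,53 @@
+From patch attached to http://krbdev.mit.edu/rt/Ticket/Display.html?id=3349,
+at http://krbdev.mit.edu/rt/Ticket/Attachment/23851/13214/kvno.diff, adjusted
+as needed to apply to 1.10. FIXME: I'd like to better handle cases where we
+have a new key with the right version stored later in the keytab file.
+Currently, we're setting up to overlook that possibility.
+
+Note that this only affects the path taken when krb5_rd_rep() is passed a
+server principal name, as without a server principal name it already tries
+all of the keys it finds in the keytab, regardless of version numbers.
+
+Index: krb5-1.11.1/src/kadmin/ktutil/ktutil.c
+===================================================================
+--- krb5-1.11.1.orig/src/kadmin/ktutil/ktutil.c
++++ krb5-1.11.1/src/kadmin/ktutil/ktutil.c
+@@ -140,7 +140,7 @@ void ktutil_add_entry(argc, argv)
+char *princ = NULL;
+char *enctype = NULL;
+krb5_kvno kvno = 0;
+- int use_pass = 0, use_key = 0, i;
++ int use_pass = 0, use_key = 0, use_kvno = 0, i;
+
+for (i = 1; i < argc; i++) {
+if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-p", 2)) {
+@@ -149,6 +149,7 @@ void ktutil_add_entry(argc, argv)
+}
+if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-k", 2)) {
+kvno = (krb5_kvno) atoi(argv[++i]);
++ use_kvno++;
+continue;
+}
+if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-e", 2)) {
+@@ -165,7 +166,7 @@ void ktutil_add_entry(argc, argv)
+}
+}
+
+- if (argc != 8 || !(princ && kvno && enctype) || (use_pass+use_key != 1)) {
++ if (argc != 8 || !(princ && use_kvno && enctype) || (use_pass+use_key != 1)) {
+fprintf(stderr, _("usage: %s (-key | -password) -p principal "
+"-k kvno -e enctype\n"), argv[0]);
+return;
+Index: krb5-1.11.1/src/lib/krb5/keytab/kt_file.c
+===================================================================
+--- krb5-1.11.1.orig/src/lib/krb5/keytab/kt_file.c
++++ krb5-1.11.1/src/lib/krb5/keytab/kt_file.c
+@@ -376,7 +376,7 @@ krb5_ktfile_get_entry(krb5_context conte
+higher than that. Short-term workaround: only compare
+the low 8 bits. */
+
+- if (new_entry.vno == (kvno & 0xff)) {
++ if (new_entry.vno == (kvno & 0xff) || new_entry.vno == IGNORE_VNO) {
+krb5_kt_free_entry(context, &cur_entry);
+cur_entry = new_entry;
+break;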
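Review bot: Replacing `kvno` with `use_kvno` in ktutil_add_entry's usage check means a non-numeric `-k` argument is no longer rejected, because `atoi()` returns 0 for it and 0 is now accepted as a version. That matters more with the kt_file.c hunk, where a keytab entry whose vno equals IGNORE_VNO matches any requested kvno and ends the search; if IGNORE_VNO is 0 (its definition is not visible here), a mistyped `-k` creates such a wildcard entry, and the FIXME in the patch header already notes that a later exact-version key is then overlooked. I would parse strictly and count the option only on success: declare `char *end;`, then `kvno = (krb5_kvno) strtoul(argv[++i], &end, 10);` and `if (end != argv[i] && *end == '\0') use_kvno++;`. Both functions continue outside the hunks shown.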
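--- a/krb5-lookup_etypes-leak.patch
+++ b/krb5-lookup_etypes-leak.patch
@@ -0,0 +1,42 @@
+Petr Spacek notes that when we walk the keytab in lookup_etypes_for_keytab(),
+we don't free entries when we're finished examining them. Ensure that when
+krb5_kt_next_entry() succeeds, we make sure to free the entry storage before we
+exit the current loop iteration. (RT#7586)
+
+--- a/src/lib/krb5/krb/gic_keytab.c
++++ b/src/lib/krb5/krb/gic_keytab.c
+@@ -110,9 +110,9 @@ lookup_etypes_for_keytab(krb5_context context, krb5_keytab keytab,
+goto cleanup;
+
+if (!krb5_c_valid_enctype(entry.key.enctype))
+- continue;
++ goto next_entry;
+if (!krb5_principal_compare(context, entry.principal, client))
+- continue;
++ goto next_entry;
+/* Make sure our list is for the highest kvno found for client. */
+if (entry.vno > max_kvno) {
+free(etypes);
+@@ -120,11 +120,12 @@ lookup_etypes_for_keytab(krb5_context context, krb5_keytab keytab,
+count = 0;
+max_kvno = entry.vno;
+} else if (entry.vno != max_kvno)
+- continue;
++ goto next_entry;
+
+/* Leave room for the terminator and possibly a second entry. */
+p = realloc(etypes, (count + 3) * sizeof(*etypes));
+if (p == NULL) {
++ krb5_free_keytab_entry_contents(context, &entry);
+ret = ENOMEM;
+goto cleanup;
+}
+@@ -136,6 +137,8 @@ lookup_etypes_for_keytab(krb5_context context, krb5_keytab keytab,
+entry.key.enctype == ENCTYPE_DES_CBC_MD4)
+etypes[count++] = ENCTYPE_DES_CBC_CRC;
+etypes[count] = 0;
++next_entry:
++ krb5_free_keytab_entry_contents(context, &entry);
+}
+
+ret = 0;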
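Review bot: Releasing `entry` in lookup_etypes_for_keytab now depends on every exit from the loop body either reaching `next_entry:` or freeing by hand, as the realloc failure path does, and nothing in the code states that rule. A later early exit added to the loop would quietly reintroduce the leak, so I would add a comment above the label: `/* Each iteration owns entry from krb5_kt_next_entry(); every path must release it here or before leaving the loop. */`. The function starts and ends outside these hunks, so the `goto cleanup` in the first hunk's context cannot be checked from here for whether it runs with a populated entry.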
@ -1,3 +1,16 @@
|
||||
-------------------------------------------------------------------
|
||||
Fri Mar 15 11:14:21 CET 2013 - mc@suse.de
|
||||
|
||||
- update to version 1.11.1
|
||||
* Improve ASN.1 support code, making it table-driven for
|
||||
decoding as well as encoding
|
||||
* Refactor parts of KDC
|
||||
* Documentation consolidation
|
||||
* build docs in the main package
|
||||
* bugfixing
|
||||
- obsolets a lot of patches
|
||||
- refactor some patches
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Mar 6 12:01:32 CET 2013 - mc@suse.de
|
||||
|
||||
|
@ -17,7 +17,7 @@
|
||||
|
||||
|
||||
%define build_mini 1
|
||||
%define srcRoot krb5-1.10.2
|
||||
%define srcRoot krb5-1.11.1
|
||||
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
|
||||
%define krb5docdir %{_defaultdocdir}/krb5
|
||||
|
||||
@ -25,12 +25,13 @@ Name: krb5-mini
|
||||
Url: http://web.mit.edu/kerberos/www/
|
||||
BuildRequires: autoconf
|
||||
BuildRequires: bison
|
||||
BuildRequires: doxygen
|
||||
BuildRequires: keyutils
|
||||
BuildRequires: keyutils-devel
|
||||
BuildRequires: libcom_err-devel
|
||||
BuildRequires: libselinux-devel
|
||||
BuildRequires: ncurses-devel
|
||||
Version: 1.10.2
|
||||
Version: 1.11.1
|
||||
Release: 0
|
||||
Summary: MIT Kerberos5 Implementation--Libraries
|
||||
License: MIT
|
||||
@ -39,6 +40,10 @@ Group: Productivity/Networking/Security
|
||||
BuildRequires: libopenssl-devel
|
||||
BuildRequires: openldap2-devel
|
||||
BuildRequires: pam-devel
|
||||
BuildRequires: python-Cheetah
|
||||
BuildRequires: python-Sphinx
|
||||
BuildRequires: python-libxml2
|
||||
BuildRequires: python-lxml
|
||||
%if 0%{?suse_version} >= 1210
|
||||
BuildRequires: pkgconfig(systemd)
|
||||
%endif
|
||||
@ -52,22 +57,21 @@ Source: krb5-%{version}.tar.bz2
|
||||
Source1: vendor-files.tar.bz2
|
||||
Source2: baselibs.conf
|
||||
Source5: krb5-rpmlintrc
|
||||
Source10: krb5-1.8-manpaths.txt
|
||||
Patch1: krb5-1.10-buildconf.patch
|
||||
Patch3: krb5-1.9-manpaths.dif
|
||||
Patch5: krb5-1.6.3-gssapi_improve_errormessages.dif
|
||||
Patch6: krb5-1.10-kpasswd_tcp.patch
|
||||
Patch7: krb5-1.6.3-ktutil-manpage.dif
|
||||
Patch10: krb5-1.7-doublelog.patch
|
||||
Patch12: krb5-1.8-api.patch
|
||||
Patch13: krb5-1.8-pam.patch
|
||||
Patch18: krb5-1.9-kprop-mktemp.patch
|
||||
Patch19: krb5-1.9-ksu-path.patch
|
||||
Patch20: krb5-1.10-gcc47.patch
|
||||
Patch21: krb5-1.10-selinux-label.patch
|
||||
Patch22: krb5-1.10-spin-loop.patch
|
||||
Patch23: bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif
|
||||
Patch24: bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif
|
||||
Patch1: krb5-1.11-pam.patch
|
||||
Patch2: krb5-1.9-manpaths.dif
|
||||
Patch3: krb5-1.10-buildconf.patch
|
||||
Patch4: krb5-1.6.3-gssapi_improve_errormessages.dif
|
||||
Patch5: krb5-1.10-kpasswd_tcp.patch
|
||||
Patch6: krb5-1.6.3-ktutil-manpage.dif
|
||||
Patch7: krb5-1.7-doublelog.patch
|
||||
Patch8: krb5-1.8-api.patch
|
||||
Patch9: krb5-1.9-kprop-mktemp.patch
|
||||
Patch10: krb5-1.10-ksu-access.patch
|
||||
Patch11: krb5-1.9-ksu-path.patch
|
||||
Patch12: krb5-1.11-selinux-label.patch
|
||||
Patch13: krb5-1.9-debuginfo.patch
|
||||
Patch14: krb5-kvno-230379.patch
|
||||
Patch15: krb5-lookup_etypes-leak.patch
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
PreReq: mktemp, grep, /bin/touch, coreutils
|
||||
PreReq: %insserv_prereq %fillup_prereq
|
||||
@ -124,6 +128,16 @@ Kerberos V5 is a trusted-third-party network authentication system,
|
||||
which can improve your network's security by eliminating the insecure
|
||||
practice of cleartext passwords. This package includes a PKINIT plugin.
|
||||
|
||||
%package doc
|
||||
Summary: MIT Kerberos5 Implementation--Documentation
|
||||
Group: Documentation/Other
|
||||
|
||||
%description doc
|
||||
Kerberos V5 is a trusted-third-party network authentication
|
||||
system,which can improve your network's security by eliminating the
|
||||
insecurepractice of clear text passwords. This package includes
|
||||
extended documentation for MIT Kerberos.
|
||||
|
||||
%endif #! build_mini
|
||||
|
||||
%package devel
|
||||
@ -150,27 +164,21 @@ Include Files for Development
|
||||
%prep
|
||||
%setup -q -n %{srcRoot}
|
||||
%setup -a 1 -T -D -n %{srcRoot}
|
||||
%patch13 -p1
|
||||
%patch3 -p1
|
||||
%patch21 -p1
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
%patch3 -p1
|
||||
%patch4 -p1
|
||||
%patch5 -p1
|
||||
%patch6 -p1
|
||||
%patch7 -p1
|
||||
%patch8 -p1
|
||||
%patch9 -p1
|
||||
%patch10 -p1
|
||||
%patch11 -p1
|
||||
%patch12 -p1
|
||||
%patch18 -p1
|
||||
%patch19 -p1
|
||||
%patch20
|
||||
%patch22 -p1
|
||||
%patch23 -p1
|
||||
%patch24 -p1
|
||||
# Rename the man pages so that they'll get generated correctly.
|
||||
pushd src
|
||||
cat %{SOURCE10} | while read manpage ; do
|
||||
mv "$manpage" "$manpage".in
|
||||
done
|
||||
popd
|
||||
%patch13 -p0
|
||||
%patch14 -p1
|
||||
%patch15 -p1
|
||||
|
||||
%build
|
||||
# needs to be re-generated
|
||||
@ -196,14 +204,19 @@ CFLAGS="$RPM_OPT_FLAGS -I/usr/include/et -fno-strict-aliasing -D_GNU_SOURCE -fPI
|
||||
--with-ldap \
|
||||
--with-pam \
|
||||
--enable-pkinit \
|
||||
--with-selinux \
|
||||
%else
|
||||
--disable-pkinit \
|
||||
--without-pam \
|
||||
%endif
|
||||
--with-system-et \
|
||||
--with-system-ss
|
||||
make %{?jobs:-j%jobs}
|
||||
make %{?jobs:-j%jobs}
|
||||
%if ! 0%{?build_mini}
|
||||
cd doc
|
||||
make %{?jobs:-j%jobs} substhtml
|
||||
cp -a html_subst ../../html
|
||||
cd ..
|
||||
%endif
|
||||
|
||||
%install
|
||||
cd src
|
||||
@ -279,8 +292,10 @@ install -m 644 %{_builddir}/%{srcRoot}/src/plugins/kdb/ldap/libkdb_ldap/kerberos
|
||||
# cleanup
|
||||
rm -f %{buildroot}/usr/share/man/man1/tmac.doc*
|
||||
rm -f /usr/share/man/man1/tmac.doc*
|
||||
#rm -rf /usr/lib/mit/share
|
||||
rm -rf %{buildroot}/usr/lib/mit/share/examples
|
||||
rm -rf %{buildroot}/usr/lib/mit/share/locale
|
||||
|
||||
#####################################################
|
||||
# krb5(-mini) pre/post/postun
|
||||
#####################################################
|
||||
@ -356,13 +371,11 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale
|
||||
%{_libdir}/libkrb5.so
|
||||
%{_libdir}/libkrb5support.so
|
||||
%{_libdir}/libverto.so
|
||||
%{_libdir}/libverto-k5ev.so
|
||||
%{_includedir}/*
|
||||
/usr/lib/mit/bin/krb5-config
|
||||
/usr/lib/mit/sbin/krb5-send-pr
|
||||
/usr/lib/mit/share/gnats
|
||||
%{_mandir}/man1/krb5-send-pr.1*
|
||||
%{_mandir}/man1/krb5-config.1*
|
||||
%{_datadir}/aclocal/ac_check_krb5.m4
|
||||
|
||||
%if %{build_mini}
|
||||
@ -401,7 +414,6 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale
|
||||
%{_libdir}/libkrb5.so.*
|
||||
%{_libdir}/libkrb5support.so.*
|
||||
%{_libdir}/libverto.so.*
|
||||
%{_libdir}/libverto-k5ev.so.*
|
||||
%{_libdir}/krb5/plugins/kdb/*
|
||||
#/usr/lib/mit/sbin/*
|
||||
/usr/lib/mit/sbin/kadmin.local
|
||||
@ -438,7 +450,6 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale
|
||||
%{_mandir}/man1/kdestroy.1*
|
||||
%{_mandir}/man1/kpasswd.1*
|
||||
%{_mandir}/man1/klist.1*
|
||||
%{_mandir}/man1/kerberos.1*
|
||||
%{_mandir}/man1/ksu.1*
|
||||
%{_mandir}/man1/sclient.1*
|
||||
%{_mandir}/man1/kadmin.1*
|
||||
@ -474,7 +485,6 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale
|
||||
%{_libdir}/libkrb5.so.*
|
||||
%{_libdir}/libkrb5support.so.*
|
||||
%{_libdir}/libverto.so.*
|
||||
%{_libdir}/libverto-k5ev.so.*
|
||||
|
||||
%files server
|
||||
%defattr(-,root,root)
|
||||
@ -514,6 +524,7 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale
|
||||
/usr/lib/mit/sbin/uuserver
|
||||
%{_libdir}/krb5/plugins/kdb/db2.so
|
||||
%{_mandir}/man5/kdc.conf.5*
|
||||
%{_mandir}/man5/kadm5.acl.5*
|
||||
%{_mandir}/man8/kadmind.8*
|
||||
%{_mandir}/man8/kadmin.local.8*
|
||||
%{_mandir}/man8/kpropd.8*
|
||||
@ -549,7 +560,6 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale
|
||||
%{_mandir}/man1/kdestroy.1*
|
||||
%{_mandir}/man1/kpasswd.1*
|
||||
%{_mandir}/man1/klist.1*
|
||||
%{_mandir}/man1/kerberos.1*
|
||||
%{_mandir}/man1/kadmin.1*
|
||||
%{_mandir}/man1/ktutil.1*
|
||||
%{_mandir}/man1/k5srvutil.1*
|
||||
@ -582,6 +592,11 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale
|
||||
%dir %{_libdir}/krb5/plugins
|
||||
%dir %{_libdir}/krb5/plugins/preauth
|
||||
%{_libdir}/krb5/plugins/preauth/pkinit.so
|
||||
|
||||
%files doc
|
||||
%defattr(-,root,root)
|
||||
%doc html doc/CHANGES doc/README
|
||||
|
||||
%endif #build_mini
|
||||
|
||||
%changelog
|
||||
|
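Review bot: The renumbered Patch1–Patch15 list in this section no longer carries `bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif` and `bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif`, and the only record of that is the changelog line "obsolets a lot of patches". For security fixes the changelog entry should name each dropped CVE patch, so that someone auditing the package can confirm the 1.11.1 tarball contains both fixes. After checking the new sources, I would add a line such as `- remove bug-806715-CVE-2013-1415-*.dif and bug-807556-CVE-2012-1016-*.dif, fixed upstream` to the entry. Which lines are old and which are new is inferred here from the renumbering, since the page has lost the +/- markers. The krb5.spec section makes the same change.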
13
krb5.changes
13
krb5.changes
@ -1,3 +1,16 @@
|
||||
-------------------------------------------------------------------
|
||||
Fri Mar 15 11:14:21 CET 2013 - mc@suse.de
|
||||
|
||||
- update to version 1.11.1
|
||||
* Improve ASN.1 support code, making it table-driven for
|
||||
decoding as well as encoding
|
||||
* Refactor parts of KDC
|
||||
* Documentation consolidation
|
||||
* build docs in the main package
|
||||
* bugfixing
|
||||
- obsolets a lot of patches
|
||||
- refactor some patches
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Mar 6 12:01:32 CET 2013 - mc@suse.de
|
||||
|
||||
|
97
krb5.spec
97
krb5.spec
@ -17,7 +17,7 @@
|
||||
|
||||
|
||||
%define build_mini 0
|
||||
%define srcRoot krb5-1.10.2
|
||||
%define srcRoot krb5-1.11.1
|
||||
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
|
||||
%define krb5docdir %{_defaultdocdir}/krb5
|
||||
|
||||
@ -25,12 +25,13 @@ Name: krb5
|
||||
Url: http://web.mit.edu/kerberos/www/
|
||||
BuildRequires: autoconf
|
||||
BuildRequires: bison
|
||||
BuildRequires: doxygen
|
||||
BuildRequires: keyutils
|
||||
BuildRequires: keyutils-devel
|
||||
BuildRequires: libcom_err-devel
|
||||
BuildRequires: libselinux-devel
|
||||
BuildRequires: ncurses-devel
|
||||
Version: 1.10.2
|
||||
Version: 1.11.1
|
||||
Release: 0
|
||||
Summary: MIT Kerberos5 Implementation--Libraries
|
||||
License: MIT
|
||||
@ -39,6 +40,10 @@ Group: Productivity/Networking/Security
|
||||
BuildRequires: libopenssl-devel
|
||||
BuildRequires: openldap2-devel
|
||||
BuildRequires: pam-devel
|
||||
BuildRequires: python-Cheetah
|
||||
BuildRequires: python-Sphinx
|
||||
BuildRequires: python-libxml2
|
||||
BuildRequires: python-lxml
|
||||
%if 0%{?suse_version} >= 1210
|
||||
BuildRequires: pkgconfig(systemd)
|
||||
%endif
|
||||
@ -52,22 +57,21 @@ Source: krb5-%{version}.tar.bz2
|
||||
Source1: vendor-files.tar.bz2
|
||||
Source2: baselibs.conf
|
||||
Source5: krb5-rpmlintrc
|
||||
Source10: krb5-1.8-manpaths.txt
|
||||
Patch1: krb5-1.10-buildconf.patch
|
||||
Patch3: krb5-1.9-manpaths.dif
|
||||
Patch5: krb5-1.6.3-gssapi_improve_errormessages.dif
|
||||
Patch6: krb5-1.10-kpasswd_tcp.patch
|
||||
Patch7: krb5-1.6.3-ktutil-manpage.dif
|
||||
Patch10: krb5-1.7-doublelog.patch
|
||||
Patch12: krb5-1.8-api.patch
|
||||
Patch13: krb5-1.8-pam.patch
|
||||
Patch18: krb5-1.9-kprop-mktemp.patch
|
||||
Patch19: krb5-1.9-ksu-path.patch
|
||||
Patch20: krb5-1.10-gcc47.patch
|
||||
Patch21: krb5-1.10-selinux-label.patch
|
||||
Patch22: krb5-1.10-spin-loop.patch
|
||||
Patch23: bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif
|
||||
Patch24: bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif
|
||||
Patch1: krb5-1.11-pam.patch
|
||||
Patch2: krb5-1.9-manpaths.dif
|
||||
Patch3: krb5-1.10-buildconf.patch
|
||||
Patch4: krb5-1.6.3-gssapi_improve_errormessages.dif
|
||||
Patch5: krb5-1.10-kpasswd_tcp.patch
|
||||
Patch6: krb5-1.6.3-ktutil-manpage.dif
|
||||
Patch7: krb5-1.7-doublelog.patch
|
||||
Patch8: krb5-1.8-api.patch
|
||||
Patch9: krb5-1.9-kprop-mktemp.patch
|
||||
Patch10: krb5-1.10-ksu-access.patch
|
||||
Patch11: krb5-1.9-ksu-path.patch
|
||||
Patch12: krb5-1.11-selinux-label.patch
|
||||
Patch13: krb5-1.9-debuginfo.patch
|
||||
Patch14: krb5-kvno-230379.patch
|
||||
Patch15: krb5-lookup_etypes-leak.patch
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
PreReq: mktemp, grep, /bin/touch, coreutils
|
||||
PreReq: %insserv_prereq %fillup_prereq
|
||||
@ -124,6 +128,16 @@ Kerberos V5 is a trusted-third-party network authentication system,
|
||||
which can improve your network's security by eliminating the insecure
|
||||
practice of cleartext passwords. This package includes a PKINIT plugin.
|
||||
|
||||
%package doc
|
||||
Summary: MIT Kerberos5 Implementation--Documentation
|
||||
Group: Documentation/Other
|
||||
|
||||
%description doc
|
||||
Kerberos V5 is a trusted-third-party network authentication
|
||||
system,which can improve your network's security by eliminating the
|
||||
insecurepractice of clear text passwords. This package includes
|
||||
extended documentation for MIT Kerberos.
|
||||
|
||||
%endif #! build_mini
|
||||
|
||||
%package devel
|
||||
@ -150,27 +164,21 @@ Include Files for Development
|
||||
%prep
|
||||
%setup -q -n %{srcRoot}
|
||||
%setup -a 1 -T -D -n %{srcRoot}
|
||||
%patch13 -p1
|
||||
%patch3 -p1
|
||||
%patch21 -p1
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
%patch3 -p1
|
||||
%patch4 -p1
|
||||
%patch5 -p1
|
||||
%patch6 -p1
|
||||
%patch7 -p1
|
||||
%patch8 -p1
|
||||
%patch9 -p1
|
||||
%patch10 -p1
|
||||
%patch11 -p1
|
||||
%patch12 -p1
|
||||
%patch18 -p1
|
||||
%patch19 -p1
|
||||
%patch20
|
||||
%patch22 -p1
|
||||
%patch23 -p1
|
||||
%patch24 -p1
|
||||
# Rename the man pages so that they'll get generated correctly.
|
||||
pushd src
|
||||
cat %{SOURCE10} | while read manpage ; do
|
||||
mv "$manpage" "$manpage".in
|
||||
done
|
||||
popd
|
||||
%patch13 -p0
|
||||
%patch14 -p1
|
||||
%patch15 -p1
|
||||
|
||||
%build
|
||||
# needs to be re-generated
|
||||
@ -196,14 +204,19 @@ CFLAGS="$RPM_OPT_FLAGS -I/usr/include/et -fno-strict-aliasing -D_GNU_SOURCE -fPI
|
||||
--with-ldap \
|
||||
--with-pam \
|
||||
--enable-pkinit \
|
||||
--with-selinux \
|
||||
%else
|
||||
--disable-pkinit \
|
||||
--without-pam \
|
||||
%endif
|
||||
--with-system-et \
|
||||
--with-system-ss
|
||||
make %{?jobs:-j%jobs}
|
||||
make %{?jobs:-j%jobs}
|
||||
%if ! 0%{?build_mini}
|
||||
cd doc
|
||||
make %{?jobs:-j%jobs} substhtml
|
||||
cp -a html_subst ../../html
|
||||
cd ..
|
||||
%endif
|
||||
|
||||
%install
|
||||
cd src
|
||||
@ -279,8 +292,10 @@ install -m 644 %{_builddir}/%{srcRoot}/src/plugins/kdb/ldap/libkdb_ldap/kerberos
|
||||
# cleanup
|
||||
rm -f %{buildroot}/usr/share/man/man1/tmac.doc*
|
||||
rm -f /usr/share/man/man1/tmac.doc*
|
||||
#rm -rf /usr/lib/mit/share
|
||||
rm -rf %{buildroot}/usr/lib/mit/share/examples
|
||||
rm -rf %{buildroot}/usr/lib/mit/share/locale
|
||||
|
||||
#####################################################
|
||||
# krb5(-mini) pre/post/postun
|
||||
#####################################################
|
||||
@ -356,13 +371,11 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale
|
||||
%{_libdir}/libkrb5.so
|
||||
%{_libdir}/libkrb5support.so
|
||||
%{_libdir}/libverto.so
|
||||
%{_libdir}/libverto-k5ev.so
|
||||
%{_includedir}/*
|
||||
/usr/lib/mit/bin/krb5-config
|
||||
/usr/lib/mit/sbin/krb5-send-pr
|
||||
/usr/lib/mit/share/gnats
|
||||
%{_mandir}/man1/krb5-send-pr.1*
|
||||
%{_mandir}/man1/krb5-config.1*
|
||||
%{_datadir}/aclocal/ac_check_krb5.m4
|
||||
|
||||
%if %{build_mini}
|
||||
@ -401,7 +414,6 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale
|
||||
%{_libdir}/libkrb5.so.*
|
||||
%{_libdir}/libkrb5support.so.*
|
||||
%{_libdir}/libverto.so.*
|
||||
%{_libdir}/libverto-k5ev.so.*
|
||||
%{_libdir}/krb5/plugins/kdb/*
|
||||
#/usr/lib/mit/sbin/*
|
||||
/usr/lib/mit/sbin/kadmin.local
|
||||
@ -438,7 +450,6 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale
|
||||
%{_mandir}/man1/kdestroy.1*
|
||||
%{_mandir}/man1/kpasswd.1*
|
||||
%{_mandir}/man1/klist.1*
|
||||
%{_mandir}/man1/kerberos.1*
|
||||
%{_mandir}/man1/ksu.1*
|
||||
%{_mandir}/man1/sclient.1*
|
||||
%{_mandir}/man1/kadmin.1*
|
||||
@ -474,7 +485,6 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale
|
||||
%{_libdir}/libkrb5.so.*
|
||||
%{_libdir}/libkrb5support.so.*
|
||||
%{_libdir}/libverto.so.*
|
||||
%{_libdir}/libverto-k5ev.so.*
|
||||
|
||||
%files server
|
||||
%defattr(-,root,root)
|
||||
@ -514,6 +524,7 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale
|
||||
/usr/lib/mit/sbin/uuserver
|
||||
%{_libdir}/krb5/plugins/kdb/db2.so
|
||||
%{_mandir}/man5/kdc.conf.5*
|
||||
%{_mandir}/man5/kadm5.acl.5*
|
||||
%{_mandir}/man8/kadmind.8*
|
||||
%{_mandir}/man8/kadmin.local.8*
|
||||
%{_mandir}/man8/kpropd.8*
|
||||
@ -549,7 +560,6 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale
|
||||
%{_mandir}/man1/kdestroy.1*
|
||||
%{_mandir}/man1/kpasswd.1*
|
||||
%{_mandir}/man1/klist.1*
|
||||
%{_mandir}/man1/kerberos.1*
|
||||
%{_mandir}/man1/kadmin.1*
|
||||
%{_mandir}/man1/ktutil.1*
|
||||
%{_mandir}/man1/k5srvutil.1*
|
||||
@ -582,6 +592,11 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale
|
||||
%dir %{_libdir}/krb5/plugins
|
||||
%dir %{_libdir}/krb5/plugins/preauth
|
||||
%{_libdir}/krb5/plugins/preauth/pkinit.so
|
||||
|
||||
%files doc
|
||||
%defattr(-,root,root)
|
||||
%doc html doc/CHANGES doc/README
|
||||
|
||||
%endif #build_mini
|
||||
|
||||
%changelog
|
||||
|
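Review bot: The cleanup block in the `%install` hunk keeps `rm -f /usr/share/man/man1/tmac.doc*`, which has no `%{buildroot}` prefix and therefore acts on the build host's own filesystem instead of the package tree. The line above it already removes the same files under `%{buildroot}`, so the unprefixed line can simply be deleted, together with the commented-out `#rm -rf /usr/lib/mit/share`. The same two lines appear in the krb5-mini.spec section, and the body of `%install` continues outside this hunk.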