diff --git a/0001-krb5-1.12-pam.patch b/0001-ksu-pam-integration.patch similarity index 93% rename from 0001-krb5-1.12-pam.patch rename to 0001-ksu-pam-integration.patch index ee40760..462c367 100644 --- a/0001-krb5-1.12-pam.patch +++ b/0001-ksu-pam-integration.patch @@ -1,9 +1,7 @@ -From 333d843912825435da5c3e62807efb6753946be1 Mon Sep 17 00:00:00 2001 -From: Samuel Cabrero -Date: Mon, 14 Jan 2019 13:05:56 +0100 -Subject: [PATCH 1/9] krb5-1.12-pam - -Import krb5-1.12-pam.patch +From ff26447c1edc29bf69672f1a55f8bb1c3f20f582 Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Tue, 23 Aug 2016 16:29:58 -0400 +Subject: [PATCH 1/8] ksu pam integration Modify ksu so that it performs account and session management on behalf of the target user account, mimicking the action of regular su. The default @@ -16,31 +14,35 @@ section of /etc/krb5.conf. When enabled, ksu gains a dependency on libpam. Originally RT#5939, though it's changed since then to perform the account -and session management before dropping privileges. +and session management before dropping privileges, and to apply on top of +changes we're proposing for how it handles cache collections. + +Last-updated: krb5-1.18-beta1 --- - src/aclocal.m4 | 67 +++++++ + src/aclocal.m4 | 68 +++++++ src/clients/ksu/Makefile.in | 8 +- - src/clients/ksu/main.c | 94 ++++++++- + src/clients/ksu/main.c | 88 +++++++- src/clients/ksu/pam.c | 389 ++++++++++++++++++++++++++++++++++++ src/clients/ksu/pam.h | 57 ++++++ - src/configure.in | 2 + - 6 files changed, 614 insertions(+), 3 deletions(-) + src/configure.ac | 2 + + 6 files changed, 609 insertions(+), 3 deletions(-) create mode 100644 src/clients/ksu/pam.c create mode 100644 src/clients/ksu/pam.h diff --git a/src/aclocal.m4 b/src/aclocal.m4 -index 3752d9bd5..340546d80 100644 +index 2394f7e33..53f8b6fb7 100644 --- a/src/aclocal.m4 
+++ b/src/aclocal.m4 -@@ -1697,3 +1697,70 @@ AC_DEFUN(KRB5_AC_PERSISTENT_KEYRING,[ - ])) +@@ -1675,3 +1675,71 @@ if test "$with_ldap" = yes; then + OPENLDAP_PLUGIN=yes + fi ])dnl - dnl ++dnl +dnl +dnl Use PAM instead of local crypt() compare for checking local passwords, +dnl and perform PAM account, session management, and password-changing where +dnl appropriate. -+dnl ++dnl +AC_DEFUN(KRB5_WITH_PAM,[ +AC_ARG_WITH(pam,[AC_HELP_STRING(--with-pam,[compile with PAM support])], + withpam="$withval",withpam=auto) @@ -104,11 +106,11 @@ index 3752d9bd5..340546d80 100644 +AC_SUBST(NON_PAM_MAN) +])dnl diff --git a/src/clients/ksu/Makefile.in b/src/clients/ksu/Makefile.in -index b2fcbf240..5755bb58a 100644 +index 8b4edce4d..9d58f29b5 100644 --- a/src/clients/ksu/Makefile.in +++ b/src/clients/ksu/Makefile.in @@ -3,12 +3,14 @@ BUILDTOP=$(REL)..$(S).. - DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"' + DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/usr/local/sbin /usr/local/bin /sbin /bin /usr/sbin /usr/bin"' KSU_LIBS=@KSU_LIBS@ +PAM_LIBS=@PAM_LIBS@ @@ -142,7 +144,7 @@ index b2fcbf240..5755bb58a 100644 clean: $(RM) ksu diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c -index d9596d948..7a0c7e48b 100644 +index 4f03dd8ed..21a4d02bb 100644 --- a/src/clients/ksu/main.c +++ b/src/clients/ksu/main.c @@ -26,6 +26,7 @@ @@ -172,7 +174,7 @@ index d9596d948..7a0c7e48b 100644 /***********/ #define KS_TEMPORARY_CACHE "MEMORY:_ksu" -@@ -528,6 +534,25 @@ main (argc, argv) +@@ -535,6 +541,23 @@ main (argc, argv) prog_name,target_user,client_name, source_user,ontty()); 
@@ -182,13 +184,11 @@ index d9596d948..7a0c7e48b 100644 + NULL, source_user, + ttyname(STDERR_FILENO)) != 0) { + fprintf(stderr, "Access denied for %s.\n", target_user); -+ sweep_up(ksu_context, cc_target); + exit(1); + } + if (appl_pam_requires_chauthtok()) { + fprintf(stderr, "Password change required for %s.\n", + target_user); -+ sweep_up(ksu_context, cc_target); + exit(1); + } + force_fork++; @@ -198,8 +198,8 @@ index d9596d948..7a0c7e48b 100644 /* Run authorization as target.*/ if (krb5_seteuid(target_uid)) { com_err(prog_name, errno, _("while switching to target for " -@@ -596,6 +621,26 @@ main (argc, argv) - com_err(prog_name,retval, _("while calling cc_filter")); +@@ -595,6 +618,24 @@ main (argc, argv) + exit(1); } +#ifdef USE_PAM @@ -210,13 +210,11 @@ index d9596d948..7a0c7e48b 100644 + NULL, source_user, + ttyname(STDERR_FILENO)) != 0) { + fprintf(stderr, "Access denied for %s.\n", target_user); -+ sweep_up(ksu_context, cc_target); + exit(1); + } + if (appl_pam_requires_chauthtok()) { + fprintf(stderr, "Password change required for %s.\n", + target_user); -+ sweep_up(ksu_context, cc_target); + exit(1); + } + force_fork++; @@ -224,8 +222,8 @@ index d9596d948..7a0c7e48b 100644 +#endif } - if (all_rest_copy){ -@@ -645,6 +690,32 @@ main (argc, argv) + if( some_rest_copy){ +@@ -652,6 +693,30 @@ main (argc, argv) exit(1); } @@ -233,7 +231,6 @@ index d9596d948..7a0c7e48b 100644 + if (appl_pam_enabled(ksu_context, "ksu")) { + if (appl_pam_session_open() != 0) { + fprintf(stderr, "Error opening session for %s.\n", target_user); -+ sweep_up(ksu_context, cc_target); + exit(1); + } +#ifdef DEBUG @@ -244,7 +241,6 @@ index d9596d948..7a0c7e48b 100644 + if (appl_pam_cred_init()) { + fprintf(stderr, "Error initializing credentials for %s.\n", + target_user); -+ sweep_up(ksu_context, cc_target); + exit(1); + } +#ifdef DEBUG 
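Review bot: The three PAM failure exits in the main.c hunks at `@@ -535,6 +541,23 @@`, `@@ -595,6 +618,24 @@` and `@@ -652,6 +693,30 @@` drop their `sweep_up(ksu_context, cc_target);` call before `exit(1)`, while the execv failure path in the later hunk `@@ -749,7 +814,7 @@` still keeps it. The first two exits happen before the target-authorization step, where cc_target may well not exist yet in the 1.18 flow this patch was rebased onto, but the session-open and cred-init exits come after the `some_rest_copy` cache-copy section; if cc_target has already been created on disk by then, a session denied by PAM now leaves the source user's tickets behind in the target user's cache. Either confirm from the rebased main.c that cc_target is still unset at those points, or restore `sweep_up(ksu_context, cc_target);` in the third hunk and state in the patch description why the other two no longer need it. The enclosing main() starts and ends outside these hunks.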
@@ -258,7 +254,7 @@ index d9596d948..7a0c7e48b 100644 /* set permissions */ if (setgid(target_pwd->pw_gid) < 0) { perror("ksu: setgid"); -@@ -742,7 +813,7 @@ main (argc, argv) +@@ -749,7 +814,7 @@ main (argc, argv) fprintf(stderr, "program to be execed %s\n",params[0]); } @@ -267,7 +263,7 @@ index d9596d948..7a0c7e48b 100644 execv(params[0], params); com_err(prog_name, errno, _("while trying to execv %s"), params[0]); sweep_up(ksu_context, cc_target); -@@ -772,16 +843,35 @@ main (argc, argv) +@@ -779,16 +844,35 @@ main (argc, argv) if (ret_pid == -1) { com_err(prog_name, errno, _("while calling waitpid")); } @@ -306,7 +302,7 @@ index d9596d948..7a0c7e48b 100644 } diff --git a/src/clients/ksu/pam.c b/src/clients/ksu/pam.c new file mode 100644 -index 000000000..cbfe48704 +index 000000000..eb5d03bbf --- /dev/null +++ b/src/clients/ksu/pam.c @@ -0,0 +1,389 @@ @@ -342,7 +338,7 @@ index 000000000..cbfe48704 + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. -+ * ++ * + * Convenience wrappers for using PAM. + */ + @@ -701,7 +697,7 @@ index 000000000..cbfe48704 +#endif diff --git a/src/clients/ksu/pam.h b/src/clients/ksu/pam.h new file mode 100644 -index 000000000..0ab76569c +index 000000000..d45b9fd84 --- /dev/null +++ b/src/clients/ksu/pam.h @@ -0,0 +1,57 @@ @@ -737,7 +733,7 @@ index 000000000..0ab76569c + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. -+ * ++ * + * Convenience wrappers for using PAM. + */ + 
@@ -762,11 +758,11 @@ index 000000000..0ab76569c +int appl_pam_cred_init(void); +void appl_pam_cleanup(void); +#endif -diff --git a/src/configure.in b/src/configure.in -index 61ef738dc..e9a12ac16 100644 ---- a/src/configure.in -+++ b/src/configure.in -@@ -1352,6 +1352,8 @@ AC_SUBST([VERTO_VERSION]) +diff --git a/src/configure.ac b/src/configure.ac +index 234f4281c..d1f576124 100644 +--- a/src/configure.ac ++++ b/src/configure.ac +@@ -1390,6 +1390,8 @@ AC_SUBST([VERTO_VERSION]) AC_PATH_PROG(GROFF, groff) @@ -776,5 +772,5 @@ index 61ef738dc..e9a12ac16 100644 if test "${localedir+set}" != set; then localedir='$(datadir)/locale' -- -2.20.1 +2.25.0 diff --git a/0002-krb5-1.9-manpaths.patch b/0002-krb5-1.9-manpaths.patch index df9ff03..75652a2 100644 --- a/0002-krb5-1.9-manpaths.patch +++ b/0002-krb5-1.9-manpaths.patch @@ -1,7 +1,7 @@ -From 84aceebf6f76934c5d8fa11b0f7cd662542c286a Mon Sep 17 00:00:00 2001 +From 852d6a0d81b21673bdcb80ff13bf60dd5a416dd4 Mon Sep 17 00:00:00 2001 From: Samuel Cabrero Date: Mon, 14 Jan 2019 13:06:55 +0100 -Subject: [PATCH 2/9] krb5-1.9-manpaths +Subject: [PATCH 2/8] krb5-1.9-manpaths Import krb5-1.9-manpaths.dif @@ -14,7 +14,7 @@ configure scripts should be rebuilt. Originally RT#6525 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/man/kpropd.man b/src/man/kpropd.man -index 38daa5e79..a0106ec5f 100644 +index 66de36813..9988dcdf3 100644 --- a/src/man/kpropd.man +++ b/src/man/kpropd.man @@ -67,7 +67,7 @@ the \fB/etc/inetd.conf\fP file which looks like this: @@ -27,5 +27,5 @@ index 38daa5e79..a0106ec5f 100644 .fi .UNINDENT -- -2.20.1 +2.25.0 diff --git a/0003-krb5-1.12-buildconf.patch b/0003-Adjust-build-configuration.patch similarity index 90% rename from 0003-krb5-1.12-buildconf.patch rename to 0003-Adjust-build-configuration.patch index a65f0df..11dfe46 100644 --- a/0003-krb5-1.12-buildconf.patch +++ b/0003-Adjust-build-configuration.patch 
@@ -1,15 +1,15 @@ -From a04d1b609e0ca89d1ad93faeeafa5b3202cca4df Mon Sep 17 00:00:00 2001 -From: Samuel Cabrero -Date: Mon, 14 Jan 2019 13:08:07 +0100 -Subject: [PATCH 3/9] krb5-1.12-buildconf - -Import krb5-1.12-buildconf.patch +From 48abdf7c7b28611c1135b35dfa23ac61899e80b2 Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Tue, 23 Aug 2016 16:45:26 -0400 +Subject: [PATCH 3/8] Adjust build configuration Build binaries in this package as RELRO PIEs, libraries as partial RELRO, and install shared libraries with the execute bit set on them. Prune out the -L/usr/lib* and PIE flags where they might leak out and affect apps which just want to link with the libraries. FIXME: needs to check and not just assume that the compiler supports using these flags. + +Last-updated: krb5-1.15-beta1 --- src/build-tools/krb5-config.in | 7 +++++++ src/config/pre.in | 2 +- @@ -48,7 +48,7 @@ index ce87e21ca..164bf8301 100644 ## ${prefix}. prefix=@prefix@ diff --git a/src/config/shlib.conf b/src/config/shlib.conf -index 3e4af6c02..a43736137 100644 +index 3e4af6c02..2b20c3fda 100644 --- a/src/config/shlib.conf +++ b/src/config/shlib.conf @@ -423,7 +423,7 @@ mips-*-netbsd*) @@ -56,7 +56,7 @@ index 3e4af6c02..a43736137 100644 # Use objdump -x to examine the fields of the library # UNDEF_CHECK is suppressed by --enable-asan - LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $(UNDEF_CHECK)' -+ LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $(UNDEF_CHECK) -Wl,-z,relro' ++ LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $(UNDEF_CHECK) -Wl,-z,relro -Wl,--warn-shared-textrel' UNDEF_CHECK='-Wl,--no-undefined' # $(EXPORT_CHECK) runs export-check.pl when in maintainer mode. LDCOMBINE_TAIL='-Wl,--version-script binutils.versions $(EXPORT_CHECK)' 
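Review bot: The `-Wl,--warn-shared-textrel` added to LDCOMBINE in the shlib.conf hunk `@@ -56,7 +56,7 @@` only makes the linker warn, so a library that still needs text relocations links exactly as before and the warning is easy to lose in a long build log. If the goal of this hardening series is to guarantee relro/PIC output, `-Wl,-z,text` turns that condition into a link failure; if a warning is really what is wanted, the commit description (which does not mention the new flag) should say why. The description's own `FIXME: needs to check and not just assume that the compiler supports using these flags` applies to this flag as well.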
@@ -71,5 +71,5 @@ index 3e4af6c02..a43736137 100644 CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)' CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)' -- -2.20.1 +2.25.0 diff --git a/0004-krb5-1.6.3-gssapi_improve_errormessages.patch b/0004-krb5-1.6.3-gssapi_improve_errormessages.patch index 77cf086..7400647 100644 --- a/0004-krb5-1.6.3-gssapi_improve_errormessages.patch +++ b/0004-krb5-1.6.3-gssapi_improve_errormessages.patch @@ -1,7 +1,7 @@ -From 3cdd9863a1a7a9a004f3d75e32136bb0be26a32b Mon Sep 17 00:00:00 2001 +From c1b8aa3d8546453544fd659ef18b96709eb88e54 Mon Sep 17 00:00:00 2001 From: Samuel Cabrero Date: Mon, 14 Jan 2019 13:09:05 +0100 -Subject: [PATCH 4/9] krb5-1.6.3-gssapi_improve_errormessages +Subject: [PATCH 4/8] krb5-1.6.3-gssapi_improve_errormessages Import krb5-1.6.3-gssapi_improve_errormessages.dif --- @@ -22,5 +22,5 @@ index bc416107e..22612f970 100644 *minor_status = ENOMEM; return(GSS_S_FAILURE); -- -2.20.1 +2.25.0 diff --git a/0005-krb5-1.6.3-ktutil-manpage.patch b/0005-krb5-1.6.3-ktutil-manpage.patch index a414f48..65d839f 100644 --- a/0005-krb5-1.6.3-ktutil-manpage.patch +++ b/0005-krb5-1.6.3-ktutil-manpage.patch @@ -1,7 +1,7 @@ -From af0fe879800e72101b6d306c1b510880aec7cdaa Mon Sep 17 00:00:00 2001 +From 2a5b2877495384bbe5db8f3b66ac342f83cd45dc Mon Sep 17 00:00:00 2001 From: Samuel Cabrero Date: Mon, 14 Jan 2019 13:14:47 +0100 -Subject: [PATCH 5/9] krb5-1.6.3-ktutil-manpage +Subject: [PATCH 5/8] krb5-1.6.3-ktutil-manpage Import krb5-1.6.3-ktutil-manpage.dif --- @@ -9,10 +9,10 @@ Import krb5-1.6.3-ktutil-manpage.dif 1 file changed, 12 insertions(+) diff --git a/src/man/ktutil.man b/src/man/ktutil.man -index 4e174c0fe..f6d6ae814 100644 +index 233329468..915b41c6e 100644 --- a/src/man/ktutil.man +++ b/src/man/ktutil.man -@@ -171,6 +171,18 @@ ktutil: +@@ -151,6 +151,18 @@ ktutil: .sp See kerberos(7) for a description of Kerberos environment variables. 
@@ -32,5 +32,5 @@ index 4e174c0fe..f6d6ae814 100644 .sp kadmin(1), kdb5_util(8), kerberos(7) -- -2.20.1 +2.25.0 diff --git a/0006-krb5-1.12-api.patch b/0006-krb5-1.12-api.patch index 5ee0bb3..d639f74 100644 --- a/0006-krb5-1.12-api.patch +++ b/0006-krb5-1.12-api.patch @@ -1,7 +1,7 @@ -From 70039109cc843f4958e89fd674d098c7c89affa8 Mon Sep 17 00:00:00 2001 +From b8544a75b273008042fadf51f0b49c00617ff275 Mon Sep 17 00:00:00 2001 From: Samuel Cabrero Date: Mon, 14 Jan 2019 13:15:50 +0100 -Subject: [PATCH 6/9] krb5-1.12-api +Subject: [PATCH 6/8] krb5-1.12-api Import krb5-1.12-api.patch @@ -38,5 +38,5 @@ index a6936107d..0ed78833b 100644 /* Treat UPNs as if they were real principals */ if (princ1->type == KRB5_NT_ENTERPRISE_PRINCIPAL) { -- -2.20.1 +2.25.0 diff --git a/0008-krb5-1.12-selinux-label.patch b/0007-SELinux-integration.patch similarity index 71% rename from 0008-krb5-1.12-selinux-label.patch rename to 0007-SELinux-integration.patch index 64e7294..e85e31f 100644 --- a/0008-krb5-1.12-selinux-label.patch +++ b/0007-SELinux-integration.patch @@ -1,9 +1,7 @@ -From e079ae26bbec6bce74e09a980d734fa886ee93b0 Mon Sep 17 00:00:00 2001 -From: Samuel Cabrero -Date: Mon, 14 Jan 2019 13:17:28 +0100 -Subject: [PATCH 8/9] krb5-1.12-selinux-label - -Import krb5-1.12-selinux-label.patch +From 827413baa8f803ff07e8adc3efaf907ed7faa734 Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Tue, 23 Aug 2016 16:30:53 -0400 +Subject: [PATCH 7/8] SELinux integration SELinux bases access to files on the domain of the requesting process, the operation being performed, and the context applied to the file. 
@@ -37,22 +35,24 @@ stomp all over us. The selabel APIs for looking up the context should be thread-safe (per Red Hat #273081), so switching to using them instead of matchpathcon(), which we used earlier, is some improvement. + +Last-updated: krb5-1.18-beta1 --- src/aclocal.m4 | 49 +++ src/build-tools/krb5-config.in | 3 +- src/config/pre.in | 3 +- - src/configure.in | 2 + + src/configure.ac | 2 + src/include/k5-int.h | 1 + src/include/k5-label.h | 32 ++ src/include/krb5/krb5.hin | 6 + src/kadmin/dbutil/dump.c | 11 +- src/kdc/main.c | 2 +- + src/kprop/kpropd.c | 9 + src/lib/kadm5/logger.c | 4 +- src/lib/kdb/kdb_log.c | 2 +- src/lib/krb5/ccache/cc_dir.c | 26 +- src/lib/krb5/keytab/kt_file.c | 4 +- src/lib/krb5/os/trace.c | 2 +- - src/lib/krb5/rcache/rc_dfl.c | 13 + src/plugins/kdb/db2/adb_openclose.c | 2 +- src/plugins/kdb/db2/kdb_db2.c | 4 +- src/plugins/kdb/db2/libdb2/btree/bt_open.c | 3 +- @@ -61,13 +61,13 @@ which we used earlier, is some improvement. .../kdb/ldap/ldap_util/kdb5_ldap_services.c | 11 +- src/util/profile/prof_file.c | 3 +- src/util/support/Makefile.in | 3 +- - src/util/support/selinux.c | 381 ++++++++++++++++++ - 24 files changed, 553 insertions(+), 21 deletions(-) + src/util/support/selinux.c | 406 ++++++++++++++++++ + 24 files changed, 574 insertions(+), 21 deletions(-) create mode 100644 src/include/k5-label.h create mode 100644 src/util/support/selinux.c diff --git a/src/aclocal.m4 b/src/aclocal.m4 -index 340546d80..4440ec5f8 100644 +index 53f8b6fb7..b0d1a5337 100644 --- a/src/aclocal.m4 +++ b/src/aclocal.m4 @@ -89,6 +89,7 @@ AC_SUBST_FILE(libnodeps_frag) 
@@ -78,13 +78,13 @@ index 340546d80..4440ec5f8 100644 KRB5_LIB_PARAMS KRB5_AC_INITFINI KRB5_AC_ENABLE_THREADS -@@ -1764,3 +1765,51 @@ AC_SUBST(PAM_LIBS) +@@ -1743,3 +1744,51 @@ AC_SUBST(PAM_LIBS) AC_SUBST(PAM_MAN) AC_SUBST(NON_PAM_MAN) ])dnl +dnl +dnl Use libselinux to set file contexts on newly-created files. -+dnl ++dnl +AC_DEFUN(KRB5_WITH_SELINUX,[ +AC_ARG_WITH(selinux,[AC_HELP_STRING(--with-selinux,[compile with SELinux labeling support])], + withselinux="$withval",withselinux=auto) @@ -172,11 +172,11 @@ index 164bf8301..a8540ae2a 100644 KDB5_LIBS = $(KDB5_LIB) $(GSSRPC_LIBS) GSS_LIBS = $(GSS_KRB5_LIB) # needs fixing if ever used on macOS! -diff --git a/src/configure.in b/src/configure.in -index e9a12ac16..93aec682e 100644 ---- a/src/configure.in -+++ b/src/configure.in -@@ -1354,6 +1354,8 @@ AC_PATH_PROG(GROFF, groff) +diff --git a/src/configure.ac b/src/configure.ac +index d1f576124..440a22bd9 100644 +--- a/src/configure.ac ++++ b/src/configure.ac +@@ -1392,6 +1392,8 @@ AC_PATH_PROG(GROFF, groff) KRB5_WITH_PAM @@ -186,17 +186,17 @@ index e9a12ac16..93aec682e 100644 if test "${localedir+set}" != set; then localedir='$(datadir)/locale' diff --git a/src/include/k5-int.h b/src/include/k5-int.h -index 652242207..7190a8f55 100644 +index 9616b24bf..0d9af3d95 100644 --- a/src/include/k5-int.h +++ b/src/include/k5-int.h -@@ -126,6 +126,7 @@ typedef unsigned char u_char; - #endif /* HAVE_SYS_TYPES_H */ - #endif /* KRB5_SYSTYPES__ */ +@@ -128,6 +128,7 @@ typedef unsigned char u_char; -+#include "k5-label.h" #include "k5-platform.h" ++#include "k5-label.h" + #define KRB5_KDB_MAX_LIFE (60*60*24) /* one day */ + #define KRB5_KDB_MAX_RLIFE (60*60*24*7) /* one week */ diff --git a/src/include/k5-label.h b/src/include/k5-label.h new file mode 100644 index 000000000..dfaaa847c @@ -236,7 +236,7 @@ index 000000000..dfaaa847c +#endif +#endif diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin -index c40a6cca8..3ff86d7ff 100644 +index d48685357..d1f5661bf 100644 
--- a/src/include/krb5/krb5.hin +++ b/src/include/krb5/krb5.hin @@ -87,6 +87,12 @@ @@ -253,7 +253,7 @@ index c40a6cca8..3ff86d7ff 100644 #include diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c -index c9574c6e1..8301a33d0 100644 +index 301e3476d..19f2cc230 100644 --- a/src/kadmin/dbutil/dump.c +++ b/src/kadmin/dbutil/dump.c @@ -148,12 +148,21 @@ create_ofile(char *ofile, char **tmpname) @@ -288,10 +288,10 @@ index c9574c6e1..8301a33d0 100644 com_err(progname, errno, _("while creating 'ok' file, '%s'"), file_ok); goto cleanup; diff --git a/src/kdc/main.c b/src/kdc/main.c -index 408c723f5..663fd6303 100644 +index fdcd694d7..1ede4bf2f 100644 --- a/src/kdc/main.c +++ b/src/kdc/main.c -@@ -858,7 +858,7 @@ write_pid_file(const char *path) +@@ -872,7 +872,7 @@ write_pid_file(const char *path) FILE *file; unsigned long pid; @@ -300,6 +300,36 @@ index 408c723f5..663fd6303 100644 if (file == NULL) return errno; pid = (unsigned long) getpid(); +diff --git a/src/kprop/kpropd.c b/src/kprop/kpropd.c +index 5622d56e1..356e3e0e6 100644 +--- a/src/kprop/kpropd.c ++++ b/src/kprop/kpropd.c +@@ -487,6 +487,9 @@ doit(int fd) + krb5_enctype etype; + int database_fd; + char host[INET6_ADDRSTRLEN + 1]; ++#ifdef USE_SELINUX ++ void *selabel; ++#endif + + signal_wrapper(SIGALRM, alarm_handler); + alarm(params.iprop_resync_timeout); +@@ -542,9 +545,15 @@ doit(int fd) + free(name); + exit(1); + } ++#ifdef USE_SELINUX ++ selabel = krb5int_push_fscreatecon_for(file); ++#endif + omask = umask(077); + lock_fd = open(temp_file_name, O_RDWR | O_CREAT, 0600); + (void)umask(omask); ++#ifdef USE_SELINUX ++ krb5int_pop_fscreatecon(selabel); ++#endif + retval = krb5_lock_file(kpropd_context, lock_fd, + KRB5_LOCKMODE_EXCLUSIVE | KRB5_LOCKMODE_DONTBLOCK); + if (retval) { diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c index c6885edf2..9aec3c05e 100644 --- a/src/lib/kadm5/logger.c 
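Review bot: In the new kpropd.c hunk `@@ -542,9 +545,15 @@`, `krb5int_pop_fscreatecon(selabel)` is called unconditionally, but `krb5int_push_fscreatecon_for()` can return NULL on failure (the selinux.c rewrite later on this page returns NULL from its fail path), and the rc_dfl.c hunk this commit removes guarded the same call with `if (selabel != NULL)`. Unless pop is documented to accept NULL, make kpropd match the removed code: `if (selabel != NULL) krb5int_pop_fscreatecon(selabel);`. Looking the label up for `file` while creating `temp_file_name` appears intentional (the temp file is presumably renamed over `file` later in doit(), which starts and ends outside the hunk) and deserves a one-line comment such as `/* Label the temp file as the final path will be labeled. */`.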
@@ -323,20 +353,20 @@ index c6885edf2..9aec3c05e 100644 set_cloexec_file(f); log_control.log_entries[lindex].lfu_filep = f; diff --git a/src/lib/kdb/kdb_log.c b/src/lib/kdb/kdb_log.c -index 2659a2501..a1cd38f4c 100644 +index 2659a2501..e9b95fce5 100644 --- a/src/lib/kdb/kdb_log.c +++ b/src/lib/kdb/kdb_log.c -@@ -491,7 +491,7 @@ ulog_map(krb5_context context, const char *logname, uint32_t ulogentries) - if (retval) - goto cleanup; - } else { -- log_ctx->ulogfd = open(logname, O_RDWR, 0600); +@@ -480,7 +480,7 @@ ulog_map(krb5_context context, const char *logname, uint32_t ulogentries) + return ENOMEM; + + if (stat(logname, &st) == -1) { +- log_ctx->ulogfd = open(logname, O_RDWR | O_CREAT, 0600); + log_ctx->ulogfd = THREEPARAMOPEN(logname, O_RDWR | O_CREAT, 0600); if (log_ctx->ulogfd == -1) { retval = errno; goto cleanup; diff --git a/src/lib/krb5/ccache/cc_dir.c b/src/lib/krb5/ccache/cc_dir.c -index bba64e516..73f0fe62d 100644 +index 7b100a0ec..5683a0433 100644 --- a/src/lib/krb5/ccache/cc_dir.c +++ b/src/lib/krb5/ccache/cc_dir.c @@ -183,10 +183,19 @@ write_primary_file(const char *primary_path, const char *contents) @@ -386,10 +416,10 @@ index bba64e516..73f0fe62d 100644 _("Credential cache directory %s does not exist"), dirname); diff --git a/src/lib/krb5/keytab/kt_file.c b/src/lib/krb5/keytab/kt_file.c -index 89cb68680..21c80d419 100644 +index 021c94398..aaf573439 100644 --- a/src/lib/krb5/keytab/kt_file.c +++ b/src/lib/krb5/keytab/kt_file.c -@@ -1024,14 +1024,14 @@ krb5_ktfileint_open(krb5_context context, krb5_keytab id, int mode) +@@ -735,14 +735,14 @@ krb5_ktfileint_open(krb5_context context, krb5_keytab id, int mode) KTCHECKLOCK(id); errno = 0; @@ -407,7 +437,7 @@ index 89cb68680..21c80d419 100644 goto report_errno; writevno = 1; diff --git a/src/lib/krb5/os/trace.c b/src/lib/krb5/os/trace.c -index 4fff8f38c..40a9e7b10 100644 +index 2a03ae980..85dbfeb47 100644 --- a/src/lib/krb5/os/trace.c +++ b/src/lib/krb5/os/trace.c 
@@ -458,7 +458,7 @@ krb5_set_trace_filename(krb5_context context, const char *filename) @@ -419,38 +449,6 @@ index 4fff8f38c..40a9e7b10 100644 if (*fd == -1) { free(fd); return errno; -diff --git a/src/lib/krb5/rcache/rc_dfl.c b/src/lib/krb5/rcache/rc_dfl.c -index 1e0cb22c9..f5e93b1ab 100644 ---- a/src/lib/krb5/rcache/rc_dfl.c -+++ b/src/lib/krb5/rcache/rc_dfl.c -@@ -793,6 +793,9 @@ krb5_rc_dfl_expunge_locked(krb5_context context, krb5_rcache id) - krb5_error_code retval = 0; - krb5_rcache tmp; - krb5_deltat lifespan = t->lifespan; /* save original lifespan */ -+#ifdef USE_SELINUX -+ void *selabel; -+#endif - - if (! t->recovering) { - name = t->name; -@@ -814,7 +817,17 @@ krb5_rc_dfl_expunge_locked(krb5_context context, krb5_rcache id) - retval = krb5_rc_resolve(context, tmp, 0); - if (retval) - goto cleanup; -+#ifdef USE_SELINUX -+ if (t->d.fn != NULL) -+ selabel = krb5int_push_fscreatecon_for(t->d.fn); -+ else -+ selabel = NULL; -+#endif - retval = krb5_rc_initialize(context, tmp, lifespan); -+#ifdef USE_SELINUX -+ if (selabel != NULL) -+ krb5int_pop_fscreatecon(selabel); -+#endif - if (retval) - goto cleanup; - for (q = t->a; q; q = q->na) { diff --git a/src/plugins/kdb/db2/adb_openclose.c b/src/plugins/kdb/db2/adb_openclose.c index 7db30a33b..2b9d01921 100644 --- a/src/plugins/kdb/db2/adb_openclose.c @@ -544,10 +542,10 @@ index d8b26e701..b0daa7c02 100644 if (fname != NULL && fcntl(rfd, F_SETFD, 1) == -1) { diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c -index 1ed72afe9..ce038fc3d 100644 +index b92cb58c7..0a95101ad 100644 --- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c +++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c -@@ -194,7 +194,7 @@ kdb5_ldap_stash_service_password(int argc, char **argv) +@@ -190,7 +190,7 @@ kdb5_ldap_stash_service_password(int argc, char **argv) /* set password in the file */ old_mode = umask(0177); 
@@ -556,7 +554,7 @@ index 1ed72afe9..ce038fc3d 100644 if (pfile == NULL) { com_err(me, errno, _("Failed to open file %s: %s"), file_name, strerror (errno)); -@@ -235,6 +235,9 @@ kdb5_ldap_stash_service_password(int argc, char **argv) +@@ -231,6 +231,9 @@ kdb5_ldap_stash_service_password(int argc, char **argv) * Delete the existing entry and add the new entry */ FILE *newfile; @@ -566,7 +564,7 @@ index 1ed72afe9..ce038fc3d 100644 mode_t omask; -@@ -246,7 +249,13 @@ kdb5_ldap_stash_service_password(int argc, char **argv) +@@ -242,7 +245,13 @@ kdb5_ldap_stash_service_password(int argc, char **argv) } omask = umask(077); @@ -581,7 +579,7 @@ index 1ed72afe9..ce038fc3d 100644 if (newfile == NULL) { com_err(me, errno, _("Error creating file %s"), tmp_file); diff --git a/src/util/profile/prof_file.c b/src/util/profile/prof_file.c -index 24e41fb80..0dcb6b543 100644 +index aa951df05..79f9500f6 100644 --- a/src/util/profile/prof_file.c +++ b/src/util/profile/prof_file.c @@ -33,6 +33,7 @@ @@ -602,10 +600,10 @@ index 24e41fb80..0dcb6b543 100644 retval = errno; if (retval == 0) diff --git a/src/util/support/Makefile.in b/src/util/support/Makefile.in -index db7b030b8..321672bcb 100644 +index 86d5a950a..1052d53a1 100644 --- a/src/util/support/Makefile.in +++ b/src/util/support/Makefile.in -@@ -69,6 +69,7 @@ IPC_SYMS= \ +@@ -74,6 +74,7 @@ IPC_SYMS= \ STLIBOBJS= \ threads.o \ @@ -613,7 +611,7 @@ index db7b030b8..321672bcb 100644 init-addrinfo.o \ plugins.o \ errors.o \ -@@ -160,7 +161,7 @@ SRCS=\ +@@ -168,7 +169,7 @@ SRCS=\ SHLIB_EXPDEPS = # Add -lm if dumping thread stats, for sqrt. @@ -624,12 +622,12 @@ index db7b030b8..321672bcb 100644 diff --git a/src/util/support/selinux.c b/src/util/support/selinux.c new file mode 100644 -index 000000000..ffba6a9ff +index 000000000..6d41f3244 --- /dev/null 
+++ b/src/util/support/selinux.c -@@ -0,0 +1,381 @@ +@@ -0,0 +1,406 @@ +/* -+ * Copyright 2007,2008,2009,2011,2012,2013 Red Hat, Inc. All Rights Reserved. ++ * Copyright 2007,2008,2009,2011,2012,2013,2016 Red Hat, Inc. All Rights Reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: @@ -656,7 +654,7 @@ index 000000000..ffba6a9ff + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. -+ * ++ * + * File-opening wrappers for creating correctly-labeled files. So far, we can + * assume that this is Linux-specific, so we make many simplifying assumptions. + */ @@ -667,8 +665,10 @@ index 000000000..ffba6a9ff + +#include +#include ++ +#include +#include ++ +#include +#include +#include @@ -678,13 +678,26 @@ index 000000000..ffba6a9ff +#include +#include +#include ++ +#include +#include -+#ifdef HAVE_SELINUX_LABEL_H +#include -+#endif + +/* #define DEBUG 1 */ ++static void ++debug_log(const char *fmt, ...) ++{ ++#ifdef DEBUG ++ va_list ap; ++ va_start(ap, fmt); ++ if (isatty(fileno(stderr))) { ++ vfprintf(stderr, fmt, ap); ++ } ++ va_end(ap); ++#endif ++ ++ return; ++} + +/* Mutex used to serialize use of the process-global file creation context. */ +k5_mutex_t labeled_mutex = K5_MUTEX_PARTIAL_INITIALIZER; @@ -694,10 +707,9 @@ index 000000000..ffba6a9ff +static void +label_mutex_init(void) +{ -+ k5_mutex_finish_init(&labeled_mutex); ++ k5_mutex_finish_init(&labeled_mutex); +} + -+#ifdef HAVE_SELINUX_LABEL_H +static struct selabel_handle *selabel_ctx; +static time_t selabel_last_changed; + 
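Review bot: The new `debug_log()` in the selinux.c hunk `@@ -678,13 +678,26 @@` leaves `fmt` unused whenever DEBUG is not defined, which is the normal build, so -Wextra warns on every compile; add `(void)fmt;` in the non-DEBUG branch and drop the trailing `return;`. Because it forwards `fmt` to `vfprintf`, it should also carry the compiler's printf format attribute (`__attribute__((__format__(__printf__, 1, 2)))` on GCC/Clang, through whatever macro the tree already uses for that) so that format/argument mismatches in callers are caught, which matters since these messages print paths and security contexts. The same hunk drops the `HAVE_SELINUX_LABEL_H` guard around the label.h include; that is only safe if the KRB5_WITH_SELINUX check in aclocal.m4, which is not fully visible on this page, now fails configure when that header is absent.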
@@ -706,309 +718,320 @@ index 000000000..ffba6a9ff +static void +cleanup_fscreatecon(void) +{ -+ if (selabel_ctx != NULL) { -+ selabel_close(selabel_ctx); -+ selabel_ctx = NULL; -+ } ++ if (selabel_ctx != NULL) { ++ selabel_close(selabel_ctx); ++ selabel_ctx = NULL; ++ } +} -+#endif + +static security_context_t +push_fscreatecon(const char *pathname, mode_t mode) +{ -+ security_context_t previous, configuredsc, currentsc, derivedsc; -+ context_t current, derived; -+ const char *fullpath, *currentuser; ++ security_context_t previous, configuredsc, currentsc, derivedsc; ++ context_t current, derived; ++ const char *fullpath, *currentuser; ++ char *genpath; + -+ previous = NULL; -+ if (is_selinux_enabled()) { -+ if (getfscreatecon(&previous) == 0) { -+ char *genpath; -+ genpath = NULL; -+ if (pathname[0] != '/') { -+ char *wd; -+ size_t len; -+ len = 0; -+ wd = getcwd(NULL, len); -+ if (wd == NULL) { -+ if (previous != NULL) { -+ freecon(previous); -+ } -+ return NULL; -+ } -+ len = strlen(wd) + 1 + strlen(pathname) + 1; -+ genpath = malloc(len); -+ if (genpath == NULL) { -+ free(wd); -+ if (previous != NULL) { -+ freecon(previous); -+ } -+ return NULL; -+ } -+ sprintf(genpath, "%s/%s", wd, pathname); -+ free(wd); -+ fullpath = genpath; -+ } else { -+ fullpath = pathname; -+ } -+#ifdef DEBUG -+ if (isatty(fileno(stderr))) { -+ fprintf(stderr, "Looking up context for " -+ "\"%s\"(%05o).\n", fullpath, mode); -+ } -+#endif -+ configuredsc = NULL; -+#ifdef HAVE_SELINUX_LABEL_H -+ if ((selabel_ctx != NULL) || -+ (selabel_last_changed == 0)) { -+ const char *cpath; -+ struct stat st; -+ int i = -1; -+ cpath = selinux_file_context_path(); -+ if ((cpath == NULL) || -+ ((i = stat(cpath, &st)) != 0) || -+ (st.st_mtime != selabel_last_changed)) { -+ if (selabel_ctx != NULL) { -+ selabel_close(selabel_ctx); -+ selabel_ctx = NULL; -+ } -+ selabel_last_changed = i ? 
-+ time(NULL) : -+ st.st_mtime; -+ } -+ } -+ if (selabel_ctx == NULL) { -+ selabel_ctx = selabel_open(SELABEL_CTX_FILE, -+ NULL, 0); -+ } -+ if (selabel_ctx != NULL) { -+ if (selabel_lookup(selabel_ctx, &configuredsc, -+ fullpath, mode) != 0) { -+ free(genpath); -+ if (previous != NULL) { -+ freecon(previous); -+ } -+ return NULL; -+ } -+ } -+#else -+ if (matchpathcon(fullpath, mode, &configuredsc) != 0) { -+ free(genpath); -+ if (previous != NULL) { -+ freecon(previous); -+ } -+ return NULL; -+ } -+#endif -+ free(genpath); -+ if (configuredsc == NULL) { -+ if (previous != NULL) { -+ freecon(previous); -+ } -+ return NULL; -+ } -+ currentsc = NULL; -+ getcon(¤tsc); -+ if (currentsc != NULL) { -+ derived = context_new(configuredsc); -+ if (derived != NULL) { -+ current = context_new(currentsc); -+ if (current != NULL) { -+ currentuser = context_user_get(current); -+ if (currentuser != NULL) { -+ if (context_user_set(derived, -+ currentuser) == 0) { -+ derivedsc = context_str(derived); -+ if (derivedsc != NULL) { -+ freecon(configuredsc); -+ configuredsc = strdup(derivedsc); -+ } -+ } -+ } -+ context_free(current); -+ } -+ context_free(derived); -+ } -+ freecon(currentsc); -+ } -+#ifdef DEBUG -+ if (isatty(fileno(stderr))) { -+ fprintf(stderr, "Setting file creation context " -+ "to \"%s\".\n", configuredsc); -+ } -+#endif -+ if (setfscreatecon(configuredsc) != 0) { -+ freecon(configuredsc); -+ if (previous != NULL) { -+ freecon(previous); -+ } -+ return NULL; -+ } -+ freecon(configuredsc); -+#ifdef DEBUG -+ } else { -+ if (isatty(fileno(stderr))) { -+ fprintf(stderr, "Unable to determine " -+ "current context.\n"); -+ } -+#endif -+ } -+ } -+ return previous; ++ previous = configuredsc = currentsc = derivedsc = NULL; ++ current = derived = NULL; ++ genpath = NULL; ++ ++ fullpath = pathname; ++ ++ if (!is_selinux_enabled()) { ++ goto fail; ++ } ++ ++ if (getfscreatecon(&previous) != 0) { ++ goto fail; ++ } ++ ++ /* Canonicalize pathname */ ++ if (pathname[0] != '/') { 
++ char *wd; ++ size_t len; ++ len = 0; ++ ++ wd = getcwd(NULL, len); ++ if (wd == NULL) { ++ goto fail; ++ } ++ ++ len = strlen(wd) + 1 + strlen(pathname) + 1; ++ genpath = malloc(len); ++ if (genpath == NULL) { ++ free(wd); ++ goto fail; ++ } ++ ++ sprintf(genpath, "%s/%s", wd, pathname); ++ free(wd); ++ fullpath = genpath; ++ } ++ ++ debug_log("Looking up context for \"%s\"(%05o).\n", fullpath, mode); ++ ++ /* Check whether context file has changed under us */ ++ if (selabel_ctx != NULL || selabel_last_changed == 0) { ++ const char *cpath; ++ struct stat st; ++ int i = -1; ++ ++ cpath = selinux_file_context_path(); ++ if (cpath == NULL || (i = stat(cpath, &st)) != 0 || ++ st.st_mtime != selabel_last_changed) { ++ cleanup_fscreatecon(); ++ ++ selabel_last_changed = i ? time(NULL) : st.st_mtime; ++ } ++ } ++ ++ if (selabel_ctx == NULL) { ++ selabel_ctx = selabel_open(SELABEL_CTX_FILE, NULL, 0); ++ } ++ ++ if (selabel_ctx != NULL && ++ selabel_lookup(selabel_ctx, &configuredsc, fullpath, mode) != 0) { ++ goto fail; ++ } ++ ++ if (genpath != NULL) { ++ free(genpath); ++ genpath = NULL; ++ } ++ ++ if (configuredsc == NULL) { ++ goto fail; ++ } ++ ++ getcon(¤tsc); ++ ++ /* AAAAAAAA */ ++ if (currentsc != NULL) { ++ derived = context_new(configuredsc); ++ ++ if (derived != NULL) { ++ current = context_new(currentsc); ++ ++ if (current != NULL) { ++ currentuser = context_user_get(current); ++ ++ if (currentuser != NULL) { ++ if (context_user_set(derived, ++ currentuser) == 0) { ++ derivedsc = context_str(derived); ++ ++ if (derivedsc != NULL) { ++ freecon(configuredsc); ++ configuredsc = strdup(derivedsc); ++ } ++ } ++ } ++ ++ context_free(current); ++ } ++ ++ context_free(derived); ++ } ++ ++ freecon(currentsc); ++ } ++ ++ debug_log("Setting file creation context to \"%s\".\n", configuredsc); ++ if (setfscreatecon(configuredsc) != 0) { ++ debug_log("Unable to determine current context.\n"); ++ goto fail; ++ } ++ ++ freecon(configuredsc); ++ return previous; ++ ++fail: 
++ if (previous != NULL) { ++ freecon(previous); ++ } ++ if (genpath != NULL) { ++ free(genpath); ++ } ++ if (configuredsc != NULL) { ++ freecon(configuredsc); ++ } ++ ++ cleanup_fscreatecon(); ++ return NULL; +} + +static void +pop_fscreatecon(security_context_t previous) +{ -+ if (is_selinux_enabled()) { -+#ifdef DEBUG -+ if (isatty(fileno(stderr))) { -+ if (previous != NULL) { -+ fprintf(stderr, "Resetting file creation " -+ "context to \"%s\".\n", previous); -+ } else { -+ fprintf(stderr, "Resetting file creation " -+ "context to default.\n"); -+ } -+ } -+#endif -+ setfscreatecon(previous); -+ if (previous != NULL) { -+ freecon(previous); -+ } -+ } ++ if (!is_selinux_enabled()) { ++ return; ++ } ++ ++ if (previous != NULL) { ++ debug_log("Resetting file creation context to \"%s\".\n", previous); ++ } else { ++ debug_log("Resetting file creation context to default.\n"); ++ } ++ ++ /* NULL resets to default */ ++ setfscreatecon(previous); ++ ++ if (previous != NULL) { ++ freecon(previous); ++ } ++ ++ /* Need to clean this up here otherwise it leaks */ ++ cleanup_fscreatecon(); +} + +void * +krb5int_push_fscreatecon_for(const char *pathname) +{ -+ struct stat st; -+ void *retval; -+ k5_once(&labeled_once, label_mutex_init); -+ k5_mutex_lock(&labeled_mutex); -+ if (stat(pathname, &st) != 0) { -+ st.st_mode = S_IRUSR | S_IWUSR; -+ } -+ retval = push_fscreatecon(pathname, st.st_mode); -+ return retval ? retval : (void *) -1; ++ struct stat st; ++ void *retval; ++ ++ k5_once(&labeled_once, label_mutex_init); ++ k5_mutex_lock(&labeled_mutex); ++ ++ if (stat(pathname, &st) != 0) { ++ st.st_mode = S_IRUSR | S_IWUSR; ++ } ++ ++ retval = push_fscreatecon(pathname, st.st_mode); ++ return retval ? retval : (void *) -1; +} + +void +krb5int_pop_fscreatecon(void *con) +{ -+ if (con != NULL) { -+ pop_fscreatecon((con == (void *) -1) ? NULL : con); -+ k5_mutex_unlock(&labeled_mutex); -+ } ++ if (con != NULL) { ++ pop_fscreatecon((con == (void *) -1) ? 
NULL : con); ++ k5_mutex_unlock(&labeled_mutex); ++ } +} + +FILE * +krb5int_labeled_fopen(const char *path, const char *mode) +{ -+ FILE *fp; -+ int errno_save; -+ security_context_t ctx; ++ FILE *fp; ++ int errno_save; ++ security_context_t ctx; + -+ if ((strcmp(mode, "r") == 0) || -+ (strcmp(mode, "rb") == 0)) { -+ return fopen(path, mode); -+ } ++ if ((strcmp(mode, "r") == 0) || ++ (strcmp(mode, "rb") == 0)) { ++ return fopen(path, mode); ++ } + -+ k5_once(&labeled_once, label_mutex_init); -+ k5_mutex_lock(&labeled_mutex); -+ ctx = push_fscreatecon(path, 0); -+ fp = fopen(path, mode); -+ errno_save = errno; -+ pop_fscreatecon(ctx); -+ k5_mutex_unlock(&labeled_mutex); -+ errno = errno_save; -+ return fp; ++ k5_once(&labeled_once, label_mutex_init); ++ k5_mutex_lock(&labeled_mutex); ++ ctx = push_fscreatecon(path, 0); ++ ++ fp = fopen(path, mode); ++ errno_save = errno; ++ ++ pop_fscreatecon(ctx); ++ k5_mutex_unlock(&labeled_mutex); ++ ++ errno = errno_save; ++ return fp; +} + +int +krb5int_labeled_creat(const char *path, mode_t mode) +{ -+ int fd; -+ int errno_save; -+ security_context_t ctx; ++ int fd; ++ int errno_save; ++ security_context_t ctx; + -+ k5_once(&labeled_once, label_mutex_init); -+ k5_mutex_lock(&labeled_mutex); -+ ctx = push_fscreatecon(path, 0); -+ fd = creat(path, mode); -+ errno_save = errno; -+ pop_fscreatecon(ctx); -+ k5_mutex_unlock(&labeled_mutex); -+ errno = errno_save; -+ return fd; ++ k5_once(&labeled_once, label_mutex_init); ++ k5_mutex_lock(&labeled_mutex); ++ ctx = push_fscreatecon(path, 0); ++ ++ fd = creat(path, mode); ++ errno_save = errno; ++ ++ pop_fscreatecon(ctx); ++ k5_mutex_unlock(&labeled_mutex); ++ ++ errno = errno_save; ++ return fd; +} + +int +krb5int_labeled_mknod(const char *path, mode_t mode, dev_t dev) +{ -+ int ret; -+ int errno_save; -+ security_context_t ctx; ++ int ret; ++ int errno_save; ++ security_context_t ctx; + -+ k5_once(&labeled_once, label_mutex_init); -+ k5_mutex_lock(&labeled_mutex); -+ ctx = 
push_fscreatecon(path, mode); -+ ret = mknod(path, mode, dev); -+ errno_save = errno; -+ pop_fscreatecon(ctx); -+ k5_mutex_unlock(&labeled_mutex); -+ errno = errno_save; -+ return ret; ++ k5_once(&labeled_once, label_mutex_init); ++ k5_mutex_lock(&labeled_mutex); ++ ctx = push_fscreatecon(path, mode); ++ ++ ret = mknod(path, mode, dev); ++ errno_save = errno; ++ ++ pop_fscreatecon(ctx); ++ k5_mutex_unlock(&labeled_mutex); ++ ++ errno = errno_save; ++ return ret; +} + +int +krb5int_labeled_mkdir(const char *path, mode_t mode) +{ -+ int ret; -+ int errno_save; -+ security_context_t ctx; ++ int ret; ++ int errno_save; ++ security_context_t ctx; + -+ k5_once(&labeled_once, label_mutex_init); -+ k5_mutex_lock(&labeled_mutex); -+ ctx = push_fscreatecon(path, S_IFDIR); -+ ret = mkdir(path, mode); -+ errno_save = errno; -+ pop_fscreatecon(ctx); -+ k5_mutex_unlock(&labeled_mutex); -+ errno = errno_save; -+ return ret; ++ k5_once(&labeled_once, label_mutex_init); ++ k5_mutex_lock(&labeled_mutex); ++ ctx = push_fscreatecon(path, S_IFDIR); ++ ++ ret = mkdir(path, mode); ++ errno_save = errno; ++ ++ pop_fscreatecon(ctx); ++ k5_mutex_unlock(&labeled_mutex); ++ ++ errno = errno_save; ++ return ret; +} + +int +krb5int_labeled_open(const char *path, int flags, ...) 
+{ -+ int fd; -+ int errno_save; -+ security_context_t ctx; -+ mode_t mode; -+ va_list ap; ++ int fd; ++ int errno_save; ++ security_context_t ctx; ++ mode_t mode; ++ va_list ap; + -+ if ((flags & O_CREAT) == 0) { -+ return open(path, flags); -+ } ++ if ((flags & O_CREAT) == 0) { ++ return open(path, flags); ++ } + -+ k5_once(&labeled_once, label_mutex_init); -+ k5_mutex_lock(&labeled_mutex); -+ ctx = push_fscreatecon(path, 0); ++ k5_once(&labeled_once, label_mutex_init); ++ k5_mutex_lock(&labeled_mutex); ++ ctx = push_fscreatecon(path, 0); + -+ va_start(ap, flags); -+ mode = va_arg(ap, mode_t); -+ fd = open(path, flags, mode); -+ va_end(ap); ++ va_start(ap, flags); ++ mode = va_arg(ap, mode_t); ++ fd = open(path, flags, mode); ++ va_end(ap); + -+ errno_save = errno; -+ pop_fscreatecon(ctx); -+ k5_mutex_unlock(&labeled_mutex); -+ errno = errno_save; -+ return fd; ++ errno_save = errno; ++ ++ pop_fscreatecon(ctx); ++ k5_mutex_unlock(&labeled_mutex); ++ ++ errno = errno_save; ++ return fd; +} + -+#endif ++#endif /* USE_SELINUX */ -- -2.20.1 +2.25.0 diff --git a/0007-krb5-1.12-ksu-path.patch b/0007-krb5-1.12-ksu-path.patch deleted file mode 100644 index d673157..0000000 --- a/0007-krb5-1.12-ksu-path.patch +++ /dev/null 
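Review bot: The diagnostic on the new `setfscreatecon()` failure branch in `push_fscreatecon()` is misplaced: `debug_log("Unable to determine current context.\n")` was the message the removed code printed when `getfscreatecon()` failed, but the rewrite emits it when setting the context fails, which will mislead anyone debugging labeling; change it to `debug_log("Unable to set file creation context to \"%s\".\n", configuredsc);` and, if the old message is still wanted, log it on the `getfscreatecon(&previous) != 0` branch instead. The `/* AAAAAAAA */` placeholder above `if (currentsc != NULL)` should be replaced by a comment describing the block, e.g. `/* Replace the user field of the configured context with that of our current context. */`. Separately, since `pop_fscreatecon()` now calls `cleanup_fscreatecon()` on every call, `selabel_ctx` is NULL on entry to every later `push_fscreatecon()`, so the `selabel_last_changed` mtime check never runs again and `selabel_open()` re-reads the file-contexts database for each labeled file creation; if the goal is only to avoid the handle outliving the process, keeping the handle open and releasing it once at exit would preserve the cache. `strdup(derivedsc)` returning NULL is still unchecked and silently results in `setfscreatecon(NULL)`, i.e. a default-labeled file; treating that as `goto fail` would be more consistent with the other allocation failures in this function.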
@@ -1,27 +0,0 @@ -From 2af2add95fdd3973437cd0ce5ca1794afb461227 Mon Sep 17 00:00:00 2001 -From: Samuel Cabrero -Date: Mon, 14 Jan 2019 13:16:29 +0100 -Subject: [PATCH 7/9] krb5-1.12-ksu - -Import krb5-1.12-ksu-path.patch - -Set the default PATH to the one set by login. ---- - src/clients/ksu/Makefile.in | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/clients/ksu/Makefile.in b/src/clients/ksu/Makefile.in -index 5755bb58a..9d58f29b5 100644 ---- a/src/clients/ksu/Makefile.in -+++ b/src/clients/ksu/Makefile.in -@@ -1,6 +1,6 @@ - mydir=clients$(S)ksu - BUILDTOP=$(REL)..$(S).. --DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"' -+DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/usr/local/sbin /usr/local/bin /sbin /bin /usr/sbin /usr/bin"' - - KSU_LIBS=@KSU_LIBS@ - PAM_LIBS=@PAM_LIBS@ --- -2.20.1 - diff --git a/0009-krb5-1.9-debuginfo.patch b/0008-krb5-1.9-debuginfo.patch similarity index 89% rename from 0009-krb5-1.9-debuginfo.patch rename to 0008-krb5-1.9-debuginfo.patch index d5df2f9..8d44daa 100644 --- a/0009-krb5-1.9-debuginfo.patch +++ b/0008-krb5-1.9-debuginfo.patch @@ -1,7 +1,7 @@ -From ea232e6646a96e0b1dff41b1b1e0b30f95214ebe Mon Sep 17 00:00:00 2001 +From f079a7f765dc76eb01ba80fb7214ee0d25116e59 Mon Sep 17 00:00:00 2001 From: Samuel Cabrero Date: Mon, 14 Jan 2019 13:18:16 +0100 -Subject: [PATCH 9/9] krb5-1.9-debuginfo +Subject: [PATCH 8/8] krb5-1.9-debuginfo Import krb5-1.9-debuginfo.patch @@ -14,7 +14,7 @@ could mess up people working in the tree on other things. 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/src/kadmin/cli/Makefile.in b/src/kadmin/cli/Makefile.in -index adfea6e2b..d1327e400 100644 +index adfea6e2b..8e89cf03b 100644 --- a/src/kadmin/cli/Makefile.in +++ b/src/kadmin/cli/Makefile.in @@ -37,3 +37,8 @@ clean-unix:: @@ -24,7 +24,7 @@ index adfea6e2b..d1327e400 100644 + +%.c: %.y + $(RM) y.tab.c $@ -+ $(YACC.y) $< ++ $(YACC.y) $< + $(CP) y.tab.c $@ 
diff --git a/src/plugins/kdb/ldap/ldap_util/Makefile.in b/src/plugins/kdb/ldap/ldap_util/Makefile.in index 8669c2436..a22f23c02 100644 @@ -40,5 +40,5 @@ index 8669c2436..a22f23c02 100644 install: $(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG) -- -2.20.1 +2.25.0 diff --git a/krb5-1.17.1.tar.gz b/krb5-1.17.1.tar.gz deleted file mode 100644 index cf8b557..0000000 --- a/krb5-1.17.1.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:3706d7ec2eaa773e0e32d3a87bf742ebaecae7d064e190443a3acddfd8afb181 -size 8765399 diff --git a/krb5-1.17.1.tar.gz.asc b/krb5-1.17.1.tar.gz.asc deleted file mode 100644 index f215024..0000000 --- a/krb5-1.17.1.tar.gz.asc +++ /dev/null @@ -1,17 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1 - -iQIcBAABAgAGBQJd8SakAAoJEAy6CFdfg3LfzPUQAInzRX82JRJ/ifavyqshMjNH -ytk606xteguemUrCQXL8tmoxSaUqijeOcTTEdWqi/yGL33vxNZs7wrJqAWaxRR91 -A98wW51AVbgy1QLtX86KfhZ3tBSIr3NtjIvvu5AjrL2oGUCiIOZeBNkM3YGxMIz6 -KM2A1rb0qPLalGhK6OVtfDUrlT2c+kQYCxy8AdIaKjiD9aUqjAhg7wCXyHZm8Bi6 -MoVNRG5xNXfKvXZFvvmB5hPJOt5YECaXxuC+GgpI7o8hh6KjtwgxNtBBwTYiDH90 -2TY99BTlrT1XjlG4tFcwHCMmtusLmHwVo1OoIdWPGp9mLN3YTRt68mC4FQO885Gp -EhTJ6D9JOTMob0AtCQBgjC8ljiJ6fuG2GNKDeLaUstu0B+Bs6fGEknwVA0U5ZtkU -kD5KM/OLh+bZ27Oi3MdPMBnP97S7se7boOC88pB3SLmJWrGccVZPi3aKiH41hoIW -sxh0FEES8+OZJn0tqfddH/cJzgQ6WKMsTfRJGPphpoWvQt9AI1fZXNuE2baz032X -vAjEeaNQEKGAFgl2itZj1J++iV2EmmhfJcVkdAThxHKZj3AeENW+Yf7VDQ6JRhZg -mo/lGkz0TNSrnuQacVmXDa3SQIwD0YDaMe/NDNDwhEm0thUc5EWTBZf6BaB/Dk3K -E4aCwEtUAedJ99W4/PUd -=NHqs ------END PGP SIGNATURE----- diff --git a/krb5-1.18.tar.gz b/krb5-1.18.tar.gz new file mode 100644 index 0000000..d15e9b4 --- /dev/null +++ b/krb5-1.18.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:73913934d711dcf9d5f5605803578edb44b9a11786df3c1b2711f4e1752f2c88 +size 8706395 diff --git a/krb5-1.18.tar.gz.asc b/krb5-1.18.tar.gz.asc new file mode 100644 index 0000000..fe90030 --- /dev/null +++ b/krb5-1.18.tar.gz.asc 
@@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1 + +iQIcBAABAgAGBQJeREfJAAoJEAy6CFdfg3Lf0sQP/3CCIesW9hqBxbcy9E7RYpfD +P/MPZ7WpCfOlvgzo3BuDvQGp1WTV+53RP0RPvttSeFnI0clEd6Er4oYE9MmcLjc7 +URyNttUT/vIDbUDHR7ac6zdHM313Z3h30vKL8aEtClg3BhIOI4GJUilEaBeRgEY8 +KYxGvH5M4mmBYDSkELayp/a1El8QEia1sivSerBs/zZQjqUoogmQ0f1pqZUx0nTC +A+GowpYniz6FEkIRpGVRFuOFbFEuHWMLU33OSxpvHAf/0x1D5wkRJ4EHFFcYhrLu +T1FvOQGSbUVUXi81bzOhwQOVzZdPk0rc5Q8SLqTefcjNjTIJ+MAxCV1qxv8xpM/X +VtuyrtJLrDTcqa2hqhHfMVQUcRwSnmotic81GJ1BFowMZCNRgyaCWP+K7KI7OCLF +ajPmG+Yr/eDao3JavCME6OdLLS/ARTK/JtR1YOS+kPeaBKjkVtXM9y6kGsUuzXIR +8cyAvlBAIKiFrLWhV44emOEDhzxS9bbgTGQEEQNP6blDjMcNe5PpbZ1opDv9F3kc +Ga4h0/XZmYrijn0NvzG1szBD8j+vatHlQVaQtw7t7Rt+jMF9TtOTgQy8MD+h3hSx +1J8GDFlXHGbYdnRnBZWGHeJ1fZaqTpY4D4erDfOHXjH4kCm3Y7Zlaj6eDb0NMzkr +umorBypPT9mnce2aS43h +=jxUB +-----END PGP SIGNATURE----- diff --git a/krb5-mini.changes b/krb5-mini.changes index 944d80b..3e0f75c 100644 --- a/krb5-mini.changes +++ b/krb5-mini.changes 
@@ -1,3 +1,72 @@ +------------------------------------------------------------------- +Tue Feb 25 08:36:37 UTC 2020 - Tomáš Chvátal + +- Remove cruft to support distributions older than SLE 12 +- Use macros where applicable +- Switch to pkgconfig style dependencies + +------------------------------------------------------------------- +Mon Feb 17 17:26:16 UTC 2020 - Samuel Cabrero + +- Upgrade to 1.18 + Administrator experience: + * Remove support for single-DES encryption types. + * Change the replay cache format to be more efficient and robust. + Replay cache filenames using the new format end with ".rcache2" + by default. + * setuid programs will automatically ignore environment variables + that normally affect krb5 API functions, even if the caller does + not use krb5_init_secure_context(). + * Add an "enforce_ok_as_delegate" krb5.conf relation to disable + credential forwarding during GSSAPI authentication unless the KDC + sets the ok-as-delegate bit in the service ticket. + * Use the permitted_enctypes krb5.conf setting as the default value + for default_tkt_enctypes and default_tgs_enctypes. + Developer experience: + * Implement krb5_cc_remove_cred() for all credential cache types. + * Add the krb5_pac_get_client_info() API to get the client account + name from a PAC. + Protocol evolution: + * Add KDC support for S4U2Self requests where the user is identified + by X.509 certificate. (Requires support for certificate lookup from + a third-party KDB module.) + * Remove support for an old ("draft 9") variant of PKINIT. + * Add support for Microsoft NegoEx. (Requires one or more third-party + GSS modules implementing NegoEx mechanisms.) + User experience: + * Add support for "dns_canonicalize_hostname=fallback", causing + host-based principal names to be tried first without DNS + canonicalization, and again with DNS canonicalization if the + un-canonicalized server is not found. 
+ * Expand single-component hostnames in host-based principal names + when DNS canonicalization is not used, adding the system's first DNS + search path as a suffix. Add a "qualify_shortname" krb5.conf relation + to override this suffix or disable expansion. + * Honor the transited-policy-checked ticket flag on application servers, + eliminating the requirement to configure capaths on servers in some + scenarios. + Code quality: + * The libkrb5 serialization code (used to export and import krb5 GSS + security contexts) has been simplified and made type-safe. + * The libkrb5 code for creating KRB-PRIV, KRB-SAFE, and KRB-CRED + messages has been revised to conform to current coding practices. + * The test suite has been modified to work with macOS System Integrity + Protection enabled. + * The test suite incorporates soft-pkcs11 so that PKINIT PKCS11 support + can always be tested. +- Updated patches: + * 0002-krb5-1.9-manpaths.patch + * 0004-krb5-1.6.3-gssapi_improve_errormessages.patch + * 0005-krb5-1.6.3-ktutil-manpage.patch + * 0006-krb5-1.12-api.patch +- Renamed patches: + * 0001-krb5-1.12-pam.patch => 0001-ksu-pam-integration.patch + * 0003-krb5-1.12-buildconf.patch => 0003-Adjust-build-configuration.patch + * 0008-krb5-1.12-selinux-label.patch => 0007-SELinux-integration.patch + * 0009-krb5-1.9-debuginfo.patch => 0008-krb5-1.9-debuginfo.patch +- Deleted patches: + * 0007-krb5-1.12-ksu-path.patch + ------------------------------------------------------------------- Thu Dec 12 08:56:09 UTC 2019 - Samuel Cabrero diff --git a/krb5-mini.spec b/krb5-mini.spec index 754681e..8667839 100644 --- a/krb5-mini.spec +++ b/krb5-mini.spec @@ -1,7 +1,7 @@ # # spec file for package krb5-mini # -# Copyright (c) 2019 SUSE LLC +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -16,60 +16,52 @@ # -#Compat macro for new _fillupdir macro introduced in Nov 2017 -%if ! %{defined _fillupdir} - %define _fillupdir /var/adm/fillup-templates -%endif - %define srcRoot krb5-%{version} %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/ %define krb5docdir %{_defaultdocdir}/krb5 - +#Compat macro for new _fillupdir macro introduced in Nov 2017 +%if ! %{defined _fillupdir} + %define _fillupdir %{_localstatedir}/adm/fillup-templates +%endif Name: krb5-mini -Version: 1.17.1 +Version: 1.18 Release: 0 Summary: MIT Kerberos5 implementation and libraries with minimal dependencies License: MIT -Group: Productivity/Networking/Security URL: https://web.mit.edu/kerberos/www/ -Obsoletes: krb5-plugin-preauth-pkinit-nss -BuildRequires: autoconf -BuildRequires: bison -BuildRequires: keyutils -BuildRequires: keyutils-devel -BuildRequires: libcom_err-devel -BuildRequires: libselinux-devel -BuildRequires: libverto-devel -BuildRequires: ncurses-devel -# bug437293 -%ifarch ppc64 -Obsoletes: krb5-64bit -%endif -Conflicts: krb5-mini -Conflicts: krb5 -Conflicts: krb5-client -Conflicts: krb5-server -Conflicts: krb5-plugin-kdb-ldap -Conflicts: krb5-plugin-preauth-pkinit -Conflicts: krb5-plugin-preauth-otp -Source0: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}.tar.gz -Source1: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}.tar.gz.asc +Source0: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}.tar.gz +Source1: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}.tar.gz.asc Source2: krb5.keyring Source3: vendor-files.tar.bz2 Source4: baselibs.conf Source5: krb5-rpmlintrc Source6: krb5.tmpfiles -Patch1: 0001-krb5-1.12-pam.patch +Patch1: 0001-ksu-pam-integration.patch Patch2: 0002-krb5-1.9-manpaths.patch -Patch3: 0003-krb5-1.12-buildconf.patch +Patch3: 0003-Adjust-build-configuration.patch Patch4: 0004-krb5-1.6.3-gssapi_improve_errormessages.patch Patch5: 0005-krb5-1.6.3-ktutil-manpage.patch Patch6: 0006-krb5-1.12-api.patch 
-Patch7: 0007-krb5-1.12-ksu-path.patch -Patch8: 0008-krb5-1.12-selinux-label.patch -Patch9: 0009-krb5-1.9-debuginfo.patch -BuildRoot: %{_tmppath}/%{name}-%{version}-build -PreReq: %fillup_prereq +Patch7: 0007-SELinux-integration.patch +Patch8: 0008-krb5-1.9-debuginfo.patch +BuildRequires: autoconf +BuildRequires: bison +BuildRequires: keyutils +BuildRequires: keyutils-devel +BuildRequires: pkgconfig +BuildRequires: pkgconfig(com_err) +BuildRequires: pkgconfig(libselinux) +BuildRequires: pkgconfig(libverto) +BuildRequires: pkgconfig(ncurses) +Requires(post): %fillup_prereq +Conflicts: krb5 +Conflicts: krb5-client +Conflicts: krb5-mini +Conflicts: krb5-plugin-kdb-ldap +Conflicts: krb5-plugin-preauth-otp +Conflicts: krb5-plugin-preauth-pkinit +Conflicts: krb5-server +Obsoletes: krb5-plugin-preauth-pkinit-nss %description Kerberos V5 is a trusted-third-party network authentication system, @@ -80,15 +72,11 @@ dependencies %package devel Summary: Development files for MIT Kerberos5 (openSUSE mini variant) -Group: Development/Libraries/C and C++ -PreReq: %{name} = %{version} +Requires: %{name} = %{version} Requires: keyutils-devel -Requires: libcom_err-devel -Requires: libverto-devel -# bug437293 -%ifarch ppc64 -Obsoletes: krb5-devel-64bit -%endif +Requires: pkgconfig(com_err) +Requires: pkgconfig(libverto) +Requires: pkgconfig(ss) Provides: krb5-devel = %{version} Conflicts: krb5-devel @@ -100,16 +88,8 @@ Include Files for Development %prep %setup -q -n %{srcRoot} -%setup -a 3 -T -D -n %{srcRoot} -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 -%patch5 -p1 -%patch6 -p1 -%patch7 -p1 -%patch8 -p1 -%patch9 -p1 +%setup -q -a 3 -T -D -n %{srcRoot} +%autopatch -p1 %build # needs to be re-generated 
@@ -117,22 +97,25 @@ rm -f src/lib/krb5/krb/deltat.c cd src autoreconf -fi DEFCCNAME=DIR:/run/user/%%{uid}/krb5cc; export DEFCCNAME -./configure \ - CC="%{__cc}" \ +# FIXME: you should use the %%configure macro +%configure \ CFLAGS="%{optflags} -I%{_includedir}/et -fno-strict-aliasing -D_GNU_SOURCE -fPIC $(getconf LFS_CFLAGS)" \ CPPFLAGS="-I%{_includedir}/et " \ SS_LIB="-lss" \ - --prefix=/usr/lib/mit \ - --sysconfdir=%{_sysconfdir} \ - --mandir=%{_mandir} \ - --infodir=%{_infodir} \ - --libexecdir=/usr/lib/mit/sbin \ - --libdir=%{_libdir} \ - --includedir=%{_includedir} \ + --prefix=%{_prefix}/lib/mit \ + --sysconfdir=%{_sysconfdir} \ + --mandir=%{_mandir} \ + --infodir=%{_infodir} \ + --libexecdir=%{_prefix}/lib/mit/sbin \ + --bindir=%{_prefix}/lib/mit/bin \ + --sbindir=%{_prefix}/lib/mit/sbin \ + --datadir=%{_prefix}/lib/mit/share \ + --libdir=%{_libdir} \ + --includedir=%{_includedir} \ --localstatedir=%{_localstatedir}/lib/kerberos \ --localedir=%{_datadir}/locale \ - --enable-shared \ - --disable-static \ + --enable-shared \ + --disable-static \ --enable-dns-for-realm \ --disable-rpath \ --disable-pkinit \ @@ -142,7 +125,7 @@ DEFCCNAME=DIR:/run/user/%%{uid}/krb5cc; export DEFCCNAME --with-system-ss \ --with-system-verto -make %{?_smp_mflags} +%make_build # Copy kadmin manual page into kadmin.local's due to the split between client and server package cp man/kadmin.man man/kadmin.local.8 @@ -153,7 +136,7 @@ mkdir -p %{buildroot}/%{_localstatedir}/log/krb5 # Munge krb5-config yet again. This is totally wrong for 64-bit, but chunks # of the buildconf patch already conspire to strip out /usr/ from the # list of link flags, and it helps prevent file conflicts on multilib systems. -sed -r -i -e 's|^libdir=/usr/lib(64)?$|libdir=/usr/lib|g' %{buildroot}/usr/lib/mit/bin/krb5-config +sed -r -i -e 's|^libdir=%{_prefix}/lib(64)?$|libdir=%{_prefix}/lib|g' %{buildroot}%{_prefix}/lib/mit/bin/krb5-config # install autoconf macro mkdir -p %{buildroot}/%{_datadir}/aclocal 
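Review bot: The added comment `# FIXME: you should use the %%configure macro` contradicts the very next line, which already replaces `./configure` with `%configure`; drop the comment so it does not read as an outstanding task. The explicit `--prefix`, `--bindir`, `--sbindir`, `--datadir`, `--libexecdir` and `--libdir` overrides are still needed because `%configure` would otherwise pass its own defaults for those directories, so a one-line comment such as `# Install under %%{_prefix}/lib/mit to avoid clashing with the Heimdal/java tools` would explain why the macro's defaults are overridden. The `%configure` invocation continues past this hunk.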
@@ -162,21 +145,21 @@ install -m 644 src/util/ac_check_krb5.m4 %{buildroot}%{_datadir}/aclocal/ # I'll probably do something about this later on mkdir -p %{buildroot}%{_sysconfdir} mkdir -p %{buildroot}%{_sysconfdir}/krb5.conf.d -mkdir -p %{buildroot}/etc/profile.d/ -mkdir -p %{buildroot}/var/log/krb5 +mkdir -p %{buildroot}%{_sysconfdir}/profile.d/ +mkdir -p %{buildroot}%{_localstatedir}/log/krb5 # create plugin directories mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/kdb mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/preauth mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/libkrb5 mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/tls install -m 644 %{vendorFiles}/krb5.conf %{buildroot}%{_sysconfdir} -install -m 644 %{vendorFiles}/krb5.csh.profile %{buildroot}/etc/profile.d/krb5.csh -install -m 644 %{vendorFiles}/krb5.sh.profile %{buildroot}/etc/profile.d/krb5.sh +install -m 644 %{vendorFiles}/krb5.csh.profile %{buildroot}%{_sysconfdir}/profile.d/krb5.csh +install -m 644 %{vendorFiles}/krb5.sh.profile %{buildroot}%{_sysconfdir}/profile.d/krb5.sh # Do not write directly to /var/lib/kerberos anymore as it breaks transactional # updates. Use systemd-tmpfiles to copy the files there when it doesn't exist -install -d -m 0755 %{buildroot}/usr/lib/tmpfiles.d/ -install -m 644 %{SOURCE6} %{buildroot}/usr/lib/tmpfiles.d/krb5.conf +install -d -m 0755 %{buildroot}%{_prefix}/lib/tmpfiles.d/ +install -m 644 %{SOURCE6} %{buildroot}%{_prefix}/lib/tmpfiles.d/krb5.conf mkdir -p %{buildroot}/%{_datadir}/kerberos/krb5kdc # Where per-user keytabs live by default. mkdir -p %{buildroot}/%{_datadir}/kerberos/krb5/user 
@@ -184,26 +167,18 @@ install -m 600 %{vendorFiles}/kdc.conf %{buildroot}%{_datadir}/kerberos/krb5kdc/ install -m 600 %{vendorFiles}/kadm5.acl %{buildroot}%{_datadir}/kerberos/krb5kdc/ install -m 600 %{vendorFiles}/kadm5.dict %{buildroot}%{_datadir}/kerberos/krb5kdc/ -# all libs must have permissions 0755 +# all libs must have permissions 0755 for lib in `find %{buildroot}/%{_libdir}/ -type f -name "*.so*"` -do - chmod 0755 ${lib} +do + chmod 0755 ${lib} done # and binaries too -chmod 0755 %{buildroot}/usr/lib/mit/bin/ksu +chmod 0755 %{buildroot}%{_prefix}/lib/mit/bin/ksu # install systemd files -%if 0%{?suse_version} >= 1210 mkdir -p %{buildroot}%{_unitdir} install -m 644 %{vendorFiles}/kadmind.service %{buildroot}%{_unitdir} install -m 644 %{vendorFiles}/krb5kdc.service %{buildroot}%{_unitdir} install -m 644 %{vendorFiles}/kpropd.service %{buildroot}%{_unitdir} -%else -# install init scripts -mkdir -p %{buildroot}%{_sysconfdir}/init.d -install -m 755 %{vendorFiles}/kadmind.init %{buildroot}%{_sysconfdir}/init.d/kadmind -install -m 755 %{vendorFiles}/krb5kdc.init %{buildroot}%{_sysconfdir}/init.d/krb5kdc -install -m 755 %{vendorFiles}/kpropd.init %{buildroot}%{_sysconfdir}/init.d/kpropd -%endif # install sysconfig templates mkdir -p %{buildroot}/%{_fillupdir} install -m 644 %{vendorFiles}/sysconfig.kadmind %{buildroot}/%{_fillupdir}/ 
@@ -212,34 +187,22 @@ install -m 644 %{vendorFiles}/sysconfig.krb5kdc %{buildroot}/%{_fillupdir}/ mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d install -m 644 %{vendorFiles}/krb5-server.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/krb5-server find . -type f -name '*.ps' -exec gzip -9 {} \; -# create rc* links -mkdir -p %{buildroot}/usr/bin/ -mkdir -p %{buildroot}/usr/sbin/ -%if 0%{?suse_version} >= 1210 -%if 0%{?suse_version} > 1220 -ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rckadmind -ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rckrb5kdc -ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rckpropd -%else -ln -s /sbin/service %{buildroot}%{_sbindir}/rckadmind -ln -s /sbin/service %{buildroot}%{_sbindir}/rckrb5kdc -ln -s /sbin/service %{buildroot}%{_sbindir}/rcpropd -%endif -%else -ln -sf ../../etc/init.d/kadmind %{buildroot}/usr/sbin/rckadmind -ln -sf ../../etc/init.d/krb5kdc %{buildroot}/usr/sbin/rckrb5kdc -ln -sf ../../etc/init.d/kpropd %{buildroot}/usr/sbin/rckpropd -%endif +# create rc* links +mkdir -p %{buildroot}%{_bindir}/ +mkdir -p %{buildroot}%{_sbindir}/ +ln -s service %{buildroot}%{_sbindir}/rckadmind +ln -s service %{buildroot}%{_sbindir}/rckrb5kdc +ln -s service %{buildroot}%{_sbindir}/rckpropd # create links for kinit and klist, because of the java ones -ln -sf ../../usr/lib/mit/bin/kinit %{buildroot}/usr/bin/kinit -ln -sf ../../usr/lib/mit/bin/klist %{buildroot}/usr/bin/klist +ln -sf ../..%{_prefix}/lib/mit/bin/kinit %{buildroot}%{_bindir}/kinit +ln -sf ../..%{_prefix}/lib/mit/bin/klist %{buildroot}%{_bindir}/klist # install doc install -d -m 755 %{buildroot}/%{krb5docdir} install -m 644 %{_builddir}/%{srcRoot}/README %{buildroot}/%{krb5docdir}/README # cleanup -rm -f %{buildroot}/usr/share/man/man1/tmac.doc* -rm -f /usr/share/man/man1/tmac.doc* -rm -rf %{buildroot}/usr/lib/mit/share/examples +rm -f %{buildroot}%{_mandir}/man1/tmac.doc* +rm -f %{_mandir}/man1/tmac.doc* +rm -rf %{buildroot}%{_prefix}/lib/mit/share/examples # 
manually remove otp, spake and test plugin for krb5-mini since configure # doesn't support disabling it at build time rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/otp.so @@ -259,7 +222,7 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so /sbin/ldconfig %service_del_postun krb5kdc.service kadmind.service kpropd.service -%post +%post /sbin/ldconfig %service_add_post krb5kdc.service kadmind.service kpropd.service %tmpfiles_create krb5.conf @@ -275,11 +238,10 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so ######################################################## %files devel -%defattr(-,root,root) -%dir /usr/lib/mit -%dir /usr/lib/mit/bin -%dir /usr/lib/mit/sbin -%dir /usr/lib/mit/share +%dir %{_prefix}/lib/mit +%dir %{_prefix}/lib/mit/bin +%dir %{_prefix}/lib/mit/sbin +%dir %{_prefix}/lib/mit/share %dir %{_datadir}/aclocal %{_libdir}/libgssrpc.so %{_libdir}/libk5crypto.so @@ -300,13 +262,12 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so %{_libdir}/pkgconfig/mit-krb5-gssapi.pc %{_libdir}/pkgconfig/mit-krb5.pc %{_includedir}/* -/usr/lib/mit/bin/krb5-config -/usr/lib/mit/sbin/krb5-send-pr -%{_mandir}/man1/krb5-config.1* +%{_prefix}/lib/mit/bin/krb5-config +%{_prefix}/lib/mit/sbin/krb5-send-pr +%{_mandir}/man1/krb5-config.1%{?ext_man} %{_datadir}/aclocal/ac_check_krb5.m4 %files -f mit-krb5.lang -%defattr(-,root,root) %dir %{krb5docdir} # add directories %dir %{_libdir}/krb5 
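Review bot: `rm -f %{_mandir}/man1/tmac.doc*` in the cleanup block has no `%{buildroot}` prefix, so it deletes from the build host's own man directory rather than from the staging tree; the old `rm -f /usr/share/man/man1/tmac.doc*` had the same defect and the macro rewrite preserves it. The preceding `rm -f %{buildroot}%{_mandir}/man1/tmac.doc*` already removes the staged copies, so this line should simply be deleted rather than macro-ized.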
@@ -315,14 +276,14 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so %dir %{_libdir}/krb5/plugins/preauth %dir %{_libdir}/krb5/plugins/libkrb5 %dir %{_libdir}/krb5/plugins/tls -%attr(0700,root,root) %dir /var/log/krb5 -%dir /usr/lib/mit -%dir /usr/lib/mit/sbin -%dir /usr/lib/mit/bin +%attr(0700,root,root) %dir %{_localstatedir}/log/krb5 +%dir %{_prefix}/lib/mit +%dir %{_prefix}/lib/mit/sbin +%dir %{_prefix}/lib/mit/bin %doc %{krb5docdir}/README %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/krb5.conf %dir %{_sysconfdir}/krb5.conf.d -%attr(0644,root,root) %config /etc/profile.d/krb5* +%attr(0644,root,root) %config %{_sysconfdir}/profile.d/krb5* %config(noreplace) %{_sysconfdir}/logrotate.d/krb5-server %{_fillupdir}/sysconfig.* %{_unitdir}/kadmind.service 
@@ -354,49 +315,49 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so
 %ghost %attr(0600,root,root) %config(noreplace) %{_sharedstatedir}/kerberos/krb5kdc/kdc.conf
 %ghost %attr(0600,root,root) %config(noreplace) %{_sharedstatedir}/kerberos/krb5kdc/kadm5.acl
 %ghost %attr(0600,root,root) %config(noreplace) %{_sharedstatedir}/kerberos/krb5kdc/kadm5.dict
-/usr/lib/mit/sbin/kadmin.local
-/usr/lib/mit/sbin/kadmind
-/usr/lib/mit/sbin/kpropd
-/usr/lib/mit/sbin/kproplog
-/usr/lib/mit/sbin/kprop
-/usr/lib/mit/sbin/kdb5_util
-/usr/lib/mit/sbin/krb5kdc
-/usr/lib/mit/sbin/uuserver
-/usr/lib/mit/sbin/sserver
-/usr/lib/mit/sbin/gss-server
-/usr/lib/mit/sbin/sim_server
-/usr/lib/mit/bin/k5srvutil
-/usr/lib/mit/bin/kvno
-/usr/lib/mit/bin/kinit
-/usr/lib/mit/bin/kdestroy
-/usr/lib/mit/bin/kpasswd
-/usr/lib/mit/bin/klist
-/usr/lib/mit/bin/kadmin
-/usr/lib/mit/bin/ktutil
-/usr/lib/mit/bin/kswitch
-%attr(0755,root,root) /usr/lib/mit/bin/ksu
-/usr/lib/mit/bin/uuclient
-/usr/lib/mit/bin/sclient
-/usr/lib/mit/bin/gss-client
-/usr/lib/mit/bin/sim_client
-/usr/bin/kinit
-/usr/bin/klist
-/usr/sbin/rc*
-%{_mandir}/man1/kvno.1*
-%{_mandir}/man1/kinit.1*
-%{_mandir}/man1/kdestroy.1*
-%{_mandir}/man1/kpasswd.1*
-%{_mandir}/man1/klist.1*
-%{_mandir}/man1/ksu.1*
-%{_mandir}/man1/sclient.1*
-%{_mandir}/man1/kadmin.1*
-%{_mandir}/man1/ktutil.1*
-%{_mandir}/man1/k5srvutil.1*
-%{_mandir}/man1/kswitch.1*
+%{_prefix}/lib/mit/sbin/kadmin.local
+%{_prefix}/lib/mit/sbin/kadmind
+%{_prefix}/lib/mit/sbin/kpropd
+%{_prefix}/lib/mit/sbin/kproplog
+%{_prefix}/lib/mit/sbin/kprop
+%{_prefix}/lib/mit/sbin/kdb5_util
+%{_prefix}/lib/mit/sbin/krb5kdc
+%{_prefix}/lib/mit/sbin/uuserver
+%{_prefix}/lib/mit/sbin/sserver
+%{_prefix}/lib/mit/sbin/gss-server
+%{_prefix}/lib/mit/sbin/sim_server
+%{_prefix}/lib/mit/bin/k5srvutil
+%{_prefix}/lib/mit/bin/kvno
+%{_prefix}/lib/mit/bin/kinit
+%{_prefix}/lib/mit/bin/kdestroy
+%{_prefix}/lib/mit/bin/kpasswd
+%{_prefix}/lib/mit/bin/klist
+%{_prefix}/lib/mit/bin/kadmin
+%{_prefix}/lib/mit/bin/ktutil
+%{_prefix}/lib/mit/bin/kswitch
+%attr(0755,root,root) %{_prefix}/lib/mit/bin/ksu
+%{_prefix}/lib/mit/bin/uuclient
+%{_prefix}/lib/mit/bin/sclient
+%{_prefix}/lib/mit/bin/gss-client
+%{_prefix}/lib/mit/bin/sim_client
+%{_bindir}/kinit
+%{_bindir}/klist
+%{_sbindir}/rc*
+%{_mandir}/man1/kvno.1%{?ext_man}
+%{_mandir}/man1/kinit.1%{?ext_man}
+%{_mandir}/man1/kdestroy.1%{?ext_man}
+%{_mandir}/man1/kpasswd.1%{?ext_man}
+%{_mandir}/man1/klist.1%{?ext_man}
+%{_mandir}/man1/ksu.1%{?ext_man}
+%{_mandir}/man1/sclient.1%{?ext_man}
+%{_mandir}/man1/kadmin.1%{?ext_man}
+%{_mandir}/man1/ktutil.1%{?ext_man}
+%{_mandir}/man1/k5srvutil.1%{?ext_man}
+%{_mandir}/man1/kswitch.1%{?ext_man}
 %{_mandir}/man5/*
-%{_mandir}/man5/.k5login.5.gz
-%{_mandir}/man5/.k5identity.5*
-%{_mandir}/man7/kerberos.7.gz
+%{_mandir}/man5/.k5login.5%{?ext_man}
+%{_mandir}/man5/.k5identity.5%{?ext_man}
+%{_mandir}/man7/kerberos.7%{?ext_man}
 %{_mandir}/man8/*
 
 %changelog
diff --git a/krb5.changes b/krb5.changes
index 49afa4f..9f40b15 100644
--- a/krb5.changes
+++ b/krb5.changes
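Review bot: This file list pins ksu's mode with `%attr(0755,root,root) %{_prefix}/lib/mit/bin/ksu`, but krb5.spec's `%files client` hunk later in this diff lists a bare `%{_prefix}/lib/mit/bin/ksu` and relies only on the `chmod 0755` in its `%install`. ksu is the one binary in these lists that is designed to run setuid root, so the decision to ship it without the setuid bit is worth stating in the package metadata of both specs rather than in one of them: `%attr(0755,root,root) %{_prefix}/lib/mit/bin/ksu`. This is a consistency point; the commit itself does not change either entry's mode.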
@@ -1,3 +1,72 @@ +------------------------------------------------------------------- +Tue Feb 25 08:36:37 UTC 2020 - Tomáš Chvátal + +- Remove cruft to support distributions older than SLE 12 +- Use macros where applicable +- Switch to pkgconfig style dependencies + +------------------------------------------------------------------- +Mon Feb 17 17:26:16 UTC 2020 - Samuel Cabrero + +- Upgrade to 1.18 + Administrator experience: + * Remove support for single-DES encryption types. + * Change the replay cache format to be more efficient and robust. + Replay cache filenames using the new format end with ".rcache2" + by default. + * setuid programs will automatically ignore environment variables + that normally affect krb5 API functions, even if the caller does + not use krb5_init_secure_context(). + * Add an "enforce_ok_as_delegate" krb5.conf relation to disable + credential forwarding during GSSAPI authentication unless the KDC + sets the ok-as-delegate bit in the service ticket. + * Use the permitted_enctypes krb5.conf setting as the default value + for default_tkt_enctypes and default_tgs_enctypes. + Developer experience: + * Implement krb5_cc_remove_cred() for all credential cache types. + * Add the krb5_pac_get_client_info() API to get the client account + name from a PAC. + Protocol evolution: + * Add KDC support for S4U2Self requests where the user is identified + by X.509 certificate. (Requires support for certificate lookup from + a third-party KDB module.) + * Remove support for an old ("draft 9") variant of PKINIT. + * Add support for Microsoft NegoEx. (Requires one or more third-party + GSS modules implementing NegoEx mechanisms.) + User experience: + * Add support for "dns_canonicalize_hostname=fallback", causing + host-based principal names to be tried first without DNS + canonicalization, and again with DNS canonicalization if the + un-canonicalized server is not found. 
+ * Expand single-component hostnames in host-based principal names + when DNS canonicalization is not used, adding the system's first DNS + search path as a suffix. Add a "qualify_shortname" krb5.conf relation + to override this suffix or disable expansion. + * Honor the transited-policy-checked ticket flag on application servers, + eliminating the requirement to configure capaths on servers in some + scenarios. + Code quality: + * The libkrb5 serialization code (used to export and import krb5 GSS + security contexts) has been simplified and made type-safe. + * The libkrb5 code for creating KRB-PRIV, KRB-SAFE, and KRB-CRED + messages has been revised to conform to current coding practices. + * The test suite has been modified to work with macOS System Integrity + Protection enabled. + * The test suite incorporates soft-pkcs11 so that PKINIT PKCS11 support + can always be tested. +- Updated patches: + * 0002-krb5-1.9-manpaths.patch + * 0004-krb5-1.6.3-gssapi_improve_errormessages.patch + * 0005-krb5-1.6.3-ktutil-manpage.patch + * 0006-krb5-1.12-api.patch +- Renamed patches: + * 0001-krb5-1.12-pam.patch => 0001-ksu-pam-integration.patch + * 0003-krb5-1.12-buildconf.patch => 0003-Adjust-build-configuration.patch + * 0008-krb5-1.12-selinux-label.patch => 0007-SELinux-integration.patch + * 0009-krb5-1.9-debuginfo.patch => 0008-krb5-1.9-debuginfo.patch +- Deleted patches: + * 0007-krb5-1.12-ksu-path.patch + ------------------------------------------------------------------- Thu Dec 12 08:56:09 UTC 2019 - Samuel Cabrero diff --git a/krb5.spec b/krb5.spec index e905434..6aeb52b 100644 --- a/krb5.spec +++ b/krb5.spec @@ -1,7 +1,7 @@ # # spec file for package krb5 # -# Copyright (c) 2019 SUSE LLC +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -18,52 +18,46 @@ #Compat macro for new _fillupdir macro introduced in Nov 2017 %if ! %{defined _fillupdir} - %define _fillupdir /var/adm/fillup-templates + %define _fillupdir %{_localstatedir}/adm/fillup-templates %endif - Name: krb5 -Version: 1.17.1 +Version: 1.18 Release: 0 Summary: MIT Kerberos5 implementation License: MIT -Group: Productivity/Networking/Security URL: https://web.mit.edu/kerberos/www/ -Obsoletes: krb5-plugin-preauth-pkinit-nss -BuildRequires: autoconf -BuildRequires: bison -BuildRequires: keyutils -BuildRequires: keyutils-devel -BuildRequires: libcom_err-devel -BuildRequires: libopenssl-devel -BuildRequires: libselinux-devel -BuildRequires: libverto-devel -BuildRequires: ncurses-devel -BuildRequires: openldap2-devel -BuildRequires: pam-devel -BuildRequires: pkgconfig(systemd) -# bug437293 -%ifarch ppc64 -Obsoletes: krb5-64bit -%endif -Conflicts: krb5-mini -Source0: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}.tar.gz -Source1: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}.tar.gz.asc +Source0: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}.tar.gz +Source1: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}.tar.gz.asc Source2: krb5.keyring Source3: vendor-files.tar.bz2 Source4: baselibs.conf Source5: krb5-rpmlintrc Source6: ksu-pam.d Source7: krb5.tmpfiles -Patch1: 0001-krb5-1.12-pam.patch +Patch1: 0001-ksu-pam-integration.patch Patch2: 0002-krb5-1.9-manpaths.patch -Patch3: 0003-krb5-1.12-buildconf.patch +Patch3: 0003-Adjust-build-configuration.patch Patch4: 0004-krb5-1.6.3-gssapi_improve_errormessages.patch Patch5: 0005-krb5-1.6.3-ktutil-manpage.patch Patch6: 0006-krb5-1.12-api.patch -Patch7: 0007-krb5-1.12-ksu-path.patch -Patch8: 0008-krb5-1.12-selinux-label.patch -Patch9: 0009-krb5-1.9-debuginfo.patch -BuildRoot: %{_tmppath}/%{name}-%{version}-build +Patch7: 0007-SELinux-integration.patch +Patch8: 0008-krb5-1.9-debuginfo.patch +BuildRequires: autoconf +BuildRequires: bison +BuildRequires: 
keyutils +BuildRequires: keyutils-devel +BuildRequires: openldap2-devel +BuildRequires: pam-devel +BuildRequires: pkgconfig +BuildRequires: pkgconfig(com_err) +BuildRequires: pkgconfig(libselinux) +BuildRequires: pkgconfig(libssl) +BuildRequires: pkgconfig(libverto) +BuildRequires: pkgconfig(ncurses) +BuildRequires: pkgconfig(ss) +BuildRequires: pkgconfig(systemd) +Conflicts: krb5-mini +Obsoletes: krb5-plugin-preauth-pkinit-nss %description Kerberos V5 is a trusted-third-party network authentication system, @@ -71,9 +65,8 @@ which can improve network security by eliminating the insecure practice of clear text passwords. %package client -Conflicts: krb5-mini Summary: Client programs of the MIT Kerberos5 implementation -Group: Productivity/Networking/Security +Conflicts: krb5-mini %description client Kerberos V5 is a trusted-third-party network authentication system, @@ -83,17 +76,12 @@ client programs, like kinit, kadmin, ... %package server Summary: Server program of the MIT Kerberos5 implementation -Group: Productivity/Networking/Security Requires: cron Requires: libverto-libev1 Requires: logrotate Requires: perl-Date-Calc -%if 0%{?suse_version} >= 1210 +Requires(post): %fillup_prereq %{?systemd_requires} -%else -PreReq: %insserv_prereq -%endif -PreReq: %fillup_prereq %description server Kerberos V5 is a trusted-third-party network authentication system, @@ -103,7 +91,6 @@ and more. %package plugin-kdb-ldap Summary: LDAP database plugin for MIT Kerberos5 -Group: Productivity/Networking/Security Requires: krb5-server = %{version} %description plugin-kdb-ldap @@ -114,7 +101,6 @@ database plugin. %package plugin-preauth-pkinit Summary: PKINIT preauthentication plugin for MIT Kerberos5 -Group: Productivity/Networking/Security %description plugin-preauth-pkinit Kerberos V5 is a trusted-third-party network authentication system, 
@@ -123,7 +109,6 @@ practice of cleartext passwords. This package includes a PKINIT plugin. %package plugin-preauth-otp Summary: OTP preauthentication plugin for MIT Kerberos5 -Group: Productivity/Networking/Security %description plugin-preauth-otp Kerberos V5 is a trusted-third-party network authentication system, @@ -132,7 +117,6 @@ practice of cleartext passwords. This package includes a OTP plugin. %package plugin-preauth-spake Summary: SPAKE preauthentication plugin for MIT Kerberos5 -Group: Productivity/Networking/Security %description plugin-preauth-spake Kerberos V5 is a trusted-third-party network authentication system, @@ -141,7 +125,6 @@ practice of cleartext passwords. This package includes a SPAKE plugin. %package doc Summary: Documentation for the MIT Kerberos5 implementation -Group: Documentation/Other %description doc Kerberos V5 is a trusted-third-party network authentication @@ -151,15 +134,11 @@ extended documentation for MIT Kerberos. %package devel Summary: Development files for MIT Kerberos5 -Group: Development/Libraries/C and C++ -PreReq: %{name} = %{version} +Requires: %{name} = %{version} Requires: keyutils-devel -Requires: libcom_err-devel -Requires: libverto-devel -# bug437293 -%ifarch ppc64 -Obsoletes: krb5-devel-64bit -%endif +Requires: pkgconfig(com_err) +Requires: pkgconfig(libverto) +Requires: pkgconfig(ss) Conflicts: krb5-mini-devel %description devel @@ -174,7 +153,7 @@ Include Files for Development %prep %setup -q -n %{srcRoot} -%setup -a 3 -T -D -n %{srcRoot} +%setup -q -a 3 -T -D -n %{srcRoot} %patch1 -p1 %patch2 -p1 %patch3 -p1 @@ -183,7 +162,6 @@ Include Files for Development %patch6 -p1 %patch7 -p1 %patch8 -p1 -%patch9 -p1 %build # needs to be re-generated 
@@ -191,22 +169,24 @@ rm -f src/lib/krb5/krb/deltat.c cd src autoreconf -fi DEFCCNAME=DIR:/run/user/%%{uid}/krb5cc; export DEFCCNAME -./configure \ - CC="%{__cc}" \ +%configure \ CFLAGS="%{optflags} -I%{_includedir}/et -fno-strict-aliasing -D_GNU_SOURCE -fPIC $(getconf LFS_CFLAGS)" \ CPPFLAGS="-I%{_includedir}/et " \ SS_LIB="-lss" \ - --prefix=/usr/lib/mit \ - --sysconfdir=%{_sysconfdir} \ - --mandir=%{_mandir} \ - --infodir=%{_infodir} \ - --libexecdir=/usr/lib/mit/sbin \ - --libdir=%{_libdir} \ - --includedir=%{_includedir} \ + --prefix=%{_prefix}/lib/mit \ + --sysconfdir=%{_sysconfdir} \ + --mandir=%{_mandir} \ + --infodir=%{_infodir} \ + --libexecdir=%{_prefix}/lib/mit/sbin \ + --bindir=%{_prefix}/lib/mit/bin \ + --sbindir=%{_prefix}/lib/mit/sbin \ + --datadir=%{_prefix}/lib/mit/share \ + --libdir=%{_libdir} \ + --includedir=%{_includedir} \ --localstatedir=%{_localstatedir}/lib/kerberos \ --localedir=%{_datadir}/locale \ - --enable-shared \ - --disable-static \ + --enable-shared \ + --disable-static \ --enable-dns-for-realm \ --disable-rpath \ --with-ldap \ @@ -218,7 +198,7 @@ DEFCCNAME=DIR:/run/user/%%{uid}/krb5cc; export DEFCCNAME --with-system-ss \ --with-system-verto -make %{?_smp_mflags} +%make_build # Copy kadmin manual page into kadmin.local's due to the split between client and server package cp man/kadmin.man man/kadmin.local.8 @@ -229,7 +209,7 @@ mkdir -p %{buildroot}/%{_localstatedir}/log/krb5 # Munge krb5-config yet again. This is totally wrong for 64-bit, but chunks # of the buildconf patch already conspire to strip out /usr/ from the # list of link flags, and it helps prevent file conflicts on multilib systems. -sed -r -i -e 's|^libdir=/usr/lib(64)?$|libdir=/usr/lib|g' %{buildroot}/usr/lib/mit/bin/krb5-config +sed -r -i -e 's|^libdir=%{_prefix}/lib(64)?$|libdir=%{_prefix}/lib|g' %{buildroot}%{_prefix}/lib/mit/bin/krb5-config # install autoconf macro mkdir -p %{buildroot}/%{_datadir}/aclocal 
@@ -238,21 +218,21 @@ install -m 644 src/util/ac_check_krb5.m4 %{buildroot}%{_datadir}/aclocal/ # I'll probably do something about this later on mkdir -p %{buildroot}%{_sysconfdir} mkdir -p %{buildroot}%{_sysconfdir}/krb5.conf.d -mkdir -p %{buildroot}/etc/profile.d/ -mkdir -p %{buildroot}/var/log/krb5 +mkdir -p %{buildroot}%{_sysconfdir}/profile.d/ +mkdir -p %{buildroot}%{_localstatedir}/log/krb5 # create plugin directories mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/kdb mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/preauth mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/libkrb5 mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/tls install -m 644 %{vendorFiles}/krb5.conf %{buildroot}%{_sysconfdir} -install -m 644 %{vendorFiles}/krb5.csh.profile %{buildroot}/etc/profile.d/krb5.csh -install -m 644 %{vendorFiles}/krb5.sh.profile %{buildroot}/etc/profile.d/krb5.sh +install -m 644 %{vendorFiles}/krb5.csh.profile %{buildroot}%{_sysconfdir}/profile.d/krb5.csh +install -m 644 %{vendorFiles}/krb5.sh.profile %{buildroot}%{_sysconfdir}/profile.d/krb5.sh # Do not write directly to /var/lib/kerberos anymore as it breaks transactional # updates. Use systemd-tmpfiles to copy the files there when it doesn't exist -install -d -m 0755 %{buildroot}/usr/lib/tmpfiles.d/ -install -m 644 %{SOURCE7} %{buildroot}/usr/lib/tmpfiles.d/krb5.conf +install -d -m 0755 %{buildroot}%{_prefix}/lib/tmpfiles.d/ +install -m 644 %{SOURCE7} %{buildroot}%{_prefix}/lib/tmpfiles.d/krb5.conf mkdir -p %{buildroot}/%{_datadir}/kerberos/krb5kdc # Where per-user keytabs live by default. mkdir -p %{buildroot}/%{_datadir}/kerberos/krb5/user 
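Review bot: The tmpfiles directory is created here as `%{buildroot}%{_prefix}/lib/tmpfiles.d/`, while `%files server` later in this diff keeps listing it as `%{_libexecdir}/tmpfiles.d/krb5.conf`; the two only agree while `%{_libexecdir}` expands to `%{_prefix}/lib`, and the build fails with a missing or unpackaged file the moment the distribution moves libexecdir. Since the spec already has `BuildRequires: pkgconfig(systemd)`, use the macro systemd's rpm macros provide in both places: `install -d -m 0755 %{buildroot}%{_tmpfilesdir}/` and `install -m 644 %{SOURCE7} %{buildroot}%{_tmpfilesdir}/krb5.conf` here, and `%{_tmpfilesdir}/krb5.conf` in the file list. That also matches the macro-first direction the rest of this commit takes.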
@@ -260,13 +240,13 @@ install -m 600 %{vendorFiles}/kdc.conf %{buildroot}%{_datadir}/kerberos/krb5kdc/ install -m 600 %{vendorFiles}/kadm5.acl %{buildroot}%{_datadir}/kerberos/krb5kdc/ install -m 600 %{vendorFiles}/kadm5.dict %{buildroot}%{_datadir}/kerberos/krb5kdc/ -# all libs must have permissions 0755 +# all libs must have permissions 0755 for lib in `find %{buildroot}/%{_libdir}/ -type f -name "*.so*"` -do - chmod 0755 ${lib} +do + chmod 0755 ${lib} done # and binaries too -chmod 0755 %{buildroot}/usr/lib/mit/bin/ksu +chmod 0755 %{buildroot}%{_prefix}/lib/mit/bin/ksu # install systemd files %if 0%{?suse_version} >= 1210 mkdir -p %{buildroot}%{_unitdir} 
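Review bot: `%if 0%{?suse_version} >= 1210` before `mkdir -p %{buildroot}%{_unitdir}` survives as context although this commit removes the matching conditional around the unit files in `%files server` and the changelog says support for distributions older than SLE 12 is being dropped; with that floor the test is always true, so this `%if` and whatever `%else`/`%endif` follows it (outside this hunk) are dead and should be removed the same way. Separately, `# and binaries too` above `chmod 0755 %{buildroot}%{_prefix}/lib/mit/bin/ksu` hides the part a maintainer needs: upstream's install rule gives ksu the setuid bit and this line is what strips it. A comment such as `# ksu: upstream installs it setuid root; ship it 0755 (non-setuid) on purpose` records that decision where it is made.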
@@ -288,50 +268,36 @@ install -m 644 %{vendorFiles}/sysconfig.krb5kdc %{buildroot}/%{_fillupdir}/ mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d install -m 644 %{vendorFiles}/krb5-server.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/krb5-server find . -type f -name '*.ps' -exec gzip -9 {} + -# create rc* links -mkdir -p %{buildroot}/usr/bin/ -mkdir -p %{buildroot}/usr/sbin/ -%if 0%{?suse_version} >= 1210 -%if 0%{?suse_version} > 1220 -ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rckadmind -ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rckrb5kdc -ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rckpropd -%else -ln -s /sbin/service %{buildroot}%{_sbindir}/rckadmind -ln -s /sbin/service %{buildroot}%{_sbindir}/rckrb5kdc -ln -s /sbin/service %{buildroot}%{_sbindir}/rcpropd -%endif -%else -ln -sf ../../etc/init.d/kadmind %{buildroot}/usr/sbin/rckadmind -ln -sf ../../etc/init.d/krb5kdc %{buildroot}/usr/sbin/rckrb5kdc -ln -sf ../../etc/init.d/kpropd %{buildroot}/usr/sbin/rckpropd -%endif +# create rc* links +mkdir -p %{buildroot}%{_bindir}/ +mkdir -p %{buildroot}%{_sbindir}/ +ln -s service %{buildroot}%{_sbindir}/rckadmind +ln -s service %{buildroot}%{_sbindir}/rckrb5kdc +ln -s service %{buildroot}%{_sbindir}/rckpropd # create links for kinit and klist, because of the java ones -ln -sf ../../usr/lib/mit/bin/kinit %{buildroot}/usr/bin/kinit -ln -sf ../../usr/lib/mit/bin/klist %{buildroot}/usr/bin/klist +ln -sf ../..%{_prefix}/lib/mit/bin/kinit %{buildroot}%{_bindir}/kinit +ln -sf ../..%{_prefix}/lib/mit/bin/klist %{buildroot}%{_bindir}/klist # install doc install -d -m 755 %{buildroot}/%{krb5docdir} install -m 644 %{_builddir}/%{srcRoot}/README %{buildroot}/%{krb5docdir}/README install -d -m 755 %{buildroot}/%{_datadir}/kerberos/ldap install -m 644 %{_builddir}/%{srcRoot}/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema %{buildroot}/%{_datadir}/kerberos/ldap/kerberos.schema install -m 644 %{_builddir}/%{srcRoot}/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif 
%{buildroot}/%{_datadir}/kerberos/ldap/kerberos.ldif -# link pam-config for su to ksu -mkdir -p %{buildroot}/etc/pam.d/ -install -m 644 %{S:6} %{buildroot}/etc/pam.d/ksu +# link pam-config for su to ksu +mkdir -p %{buildroot}%{_sysconfdir}/pam.d/ +install -m 644 %{SOURCE6} %{buildroot}%{_sysconfdir}/pam.d/ksu # cleanup -rm -f %{buildroot}/usr/share/man/man1/tmac.doc* -rm -f /usr/share/man/man1/tmac.doc* html/.doctrees/environment.pickle -rm -rf %{buildroot}/usr/lib/mit/share/examples +rm -f %{buildroot}%{_mandir}/man1/tmac.doc* +rm -f %{_mandir}/man1/tmac.doc* html/.doctrees/environment.pickle +rm -rf %{buildroot}%{_prefix}/lib/mit/share/examples # manually remove test plugin since configure doesn't support disabling it at build time rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so %find_lang mit-krb5 %post -p /sbin/ldconfig - %postun -p /sbin/ldconfig - %preun server %service_del_preun krb5kdc.service kadmind.service kpropd.service @@ -349,15 +315,13 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so %service_add_pre krb5kdc.service kadmind.service kpropd.service %post plugin-kdb-ldap -p /sbin/ldconfig - %postun plugin-kdb-ldap -p /sbin/ldconfig %files devel -%defattr(-,root,root) -%dir /usr/lib/mit -%dir /usr/lib/mit/bin -%dir /usr/lib/mit/sbin -%dir /usr/lib/mit/share +%dir %{_prefix}/lib/mit +%dir %{_prefix}/lib/mit/bin +%dir %{_prefix}/lib/mit/sbin +%dir %{_prefix}/lib/mit/share %dir %{_datadir}/aclocal %{_libdir}/libgssrpc.so %{_libdir}/libk5crypto.so 
@@ -378,13 +342,12 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so %{_libdir}/pkgconfig/mit-krb5-gssapi.pc %{_libdir}/pkgconfig/mit-krb5.pc %{_includedir}/* -/usr/lib/mit/bin/krb5-config -/usr/lib/mit/sbin/krb5-send-pr -%{_mandir}/man1/krb5-config.1* +%{_prefix}/lib/mit/bin/krb5-config +%{_prefix}/lib/mit/sbin/krb5-send-pr +%{_mandir}/man1/krb5-config.1%{?ext_man} %{_datadir}/aclocal/ac_check_krb5.m4 %files -f mit-krb5.lang -%defattr(-,root,root) %dir %{krb5docdir} # add plugin directories %dir %{_libdir}/krb5 @@ -394,11 +357,11 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so %dir %{_libdir}/krb5/plugins/libkrb5 %dir %{_libdir}/krb5/plugins/tls # add log directory -%attr(0700,root,root) %dir /var/log/krb5 +%attr(0700,root,root) %dir %{_localstatedir}/log/krb5 %doc %{krb5docdir}/README %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/krb5.conf %dir %{_sysconfdir}/krb5.conf.d -%attr(0644,root,root) %config /etc/profile.d/krb5* +%attr(0644,root,root) %config %{_sysconfdir}/profile.d/krb5* %{_libdir}/libgssapi_krb5.* %{_libdir}/libgssrpc.so.* %{_libdir}/libk5crypto.so.* @@ -411,22 +374,15 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so %{_libdir}/krb5/plugins/tls/*.so %files server -%defattr(-,root,root) -%attr(0700,root,root) %dir /var/log/krb5 +%attr(0700,root,root) %dir %{_localstatedir}/log/krb5 %config(noreplace) %{_sysconfdir}/logrotate.d/krb5-server -%if 0%{?suse_version} >= 1210 %{_unitdir}/kadmind.service %{_unitdir}/krb5kdc.service %{_unitdir}/kpropd.service %{_libexecdir}/tmpfiles.d/krb5.conf -%else -%{_sysconfdir}/init.d/kadmind -%{_sysconfdir}/init.d/krb5kdc -%{_sysconfdir}/init.d/kpropd -%endif %dir %{krb5docdir} -%dir /usr/lib/mit -%dir /usr/lib/mit/sbin +%dir %{_prefix}/lib/mit +%dir %{_prefix}/lib/mit/sbin %dir %{_datadir}/kerberos/ %dir %{_datadir}/kerberos/krb5kdc %dir %{_datadir}/kerberos/krb5 
@@ -446,101 +402,96 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so %ghost %attr(0600,root,root) %config(noreplace) %{_sharedstatedir}/kerberos/krb5kdc/kadm5.acl %ghost %attr(0600,root,root) %config(noreplace) %{_sharedstatedir}/kerberos/krb5kdc/kadm5.dict %{_fillupdir}/sysconfig.* -/usr/sbin/rc* -/usr/lib/mit/sbin/kadmin.local -/usr/lib/mit/sbin/kadmind -/usr/lib/mit/sbin/kpropd -/usr/lib/mit/sbin/kproplog -/usr/lib/mit/sbin/kprop -/usr/lib/mit/sbin/kdb5_util -/usr/lib/mit/sbin/krb5kdc -/usr/lib/mit/sbin/gss-server -/usr/lib/mit/sbin/sim_server -/usr/lib/mit/sbin/sserver -/usr/lib/mit/sbin/uuserver +%{_sbindir}/rc* +%{_prefix}/lib/mit/sbin/kadmin.local +%{_prefix}/lib/mit/sbin/kadmind +%{_prefix}/lib/mit/sbin/kpropd +%{_prefix}/lib/mit/sbin/kproplog +%{_prefix}/lib/mit/sbin/kprop +%{_prefix}/lib/mit/sbin/kdb5_util +%{_prefix}/lib/mit/sbin/krb5kdc +%{_prefix}/lib/mit/sbin/gss-server +%{_prefix}/lib/mit/sbin/sim_server +%{_prefix}/lib/mit/sbin/sserver +%{_prefix}/lib/mit/sbin/uuserver %{_libdir}/krb5/plugins/kdb/db2.so -%{_mandir}/man5/kdc.conf.5* -%{_mandir}/man5/kadm5.acl.5* -%{_mandir}/man8/kadmind.8* -%{_mandir}/man8/kadmin.local.8* -%{_mandir}/man8/kpropd.8* -%{_mandir}/man8/kprop.8* -%{_mandir}/man8/kproplog.8.gz -%{_mandir}/man8/kdb5_util.8* -%{_mandir}/man8/krb5kdc.8* -%{_mandir}/man8/sserver.8* +%{_mandir}/man5/kdc.conf.5%{?ext_man} +%{_mandir}/man5/kadm5.acl.5%{?ext_man} +%{_mandir}/man8/kadmind.8%{?ext_man} +%{_mandir}/man8/kadmin.local.8%{?ext_man} +%{_mandir}/man8/kpropd.8%{?ext_man} +%{_mandir}/man8/kprop.8%{?ext_man} +%{_mandir}/man8/kproplog.8%{?ext_man} +%{_mandir}/man8/kdb5_util.8%{?ext_man} +%{_mandir}/man8/krb5kdc.8%{?ext_man} +%{_mandir}/man8/sserver.8%{?ext_man} %files client -%defattr(-,root,root) -%dir /usr/lib/mit -%dir /usr/lib/mit/bin -%dir /usr/lib/mit/sbin -%attr(0644,root,root) %config(noreplace) /etc/pam.d/ksu -/usr/lib/mit/bin/kvno -/usr/lib/mit/bin/kinit -/usr/lib/mit/bin/kdestroy -/usr/lib/mit/bin/kpasswd 
-/usr/lib/mit/bin/klist -/usr/lib/mit/bin/kadmin -/usr/lib/mit/bin/ktutil -/usr/lib/mit/bin/k5srvutil -/usr/lib/mit/bin/gss-client -/usr/lib/mit/bin/ksu -/usr/lib/mit/bin/sclient -/usr/lib/mit/bin/sim_client -/usr/lib/mit/bin/uuclient -/usr/lib/mit/bin/kswitch -/usr/bin/kinit -/usr/bin/klist -%{_mandir}/man1/kvno.1* -%{_mandir}/man1/kinit.1* -%{_mandir}/man1/kdestroy.1* -%{_mandir}/man1/kpasswd.1* -%{_mandir}/man1/klist.1* -%{_mandir}/man1/kadmin.1* -%{_mandir}/man1/ktutil.1* -%{_mandir}/man1/k5srvutil.1* -%{_mandir}/man1/kswitch.1* -%{_mandir}/man5/krb5.conf.5* -%{_mandir}/man5/.k5login.5* -%{_mandir}/man5/.k5identity.5* -%{_mandir}/man5/k5identity.5* -%{_mandir}/man5/k5login.5* -%{_mandir}/man1/ksu.1.gz -%{_mandir}/man1/sclient.1.gz -%{_mandir}/man7/kerberos.7.gz +%dir %{_prefix}/lib/mit +%dir %{_prefix}/lib/mit/bin +%dir %{_prefix}/lib/mit/sbin +%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/ksu +%{_prefix}/lib/mit/bin/kvno +%{_prefix}/lib/mit/bin/kinit +%{_prefix}/lib/mit/bin/kdestroy +%{_prefix}/lib/mit/bin/kpasswd +%{_prefix}/lib/mit/bin/klist +%{_prefix}/lib/mit/bin/kadmin +%{_prefix}/lib/mit/bin/ktutil +%{_prefix}/lib/mit/bin/k5srvutil +%{_prefix}/lib/mit/bin/gss-client +%{_prefix}/lib/mit/bin/ksu +%{_prefix}/lib/mit/bin/sclient +%{_prefix}/lib/mit/bin/sim_client +%{_prefix}/lib/mit/bin/uuclient +%{_prefix}/lib/mit/bin/kswitch +%{_bindir}/kinit +%{_bindir}/klist +%{_mandir}/man1/kvno.1%{?ext_man} +%{_mandir}/man1/kinit.1%{?ext_man} +%{_mandir}/man1/kdestroy.1%{?ext_man} +%{_mandir}/man1/kpasswd.1%{?ext_man} +%{_mandir}/man1/klist.1%{?ext_man} +%{_mandir}/man1/kadmin.1%{?ext_man} +%{_mandir}/man1/ktutil.1%{?ext_man} +%{_mandir}/man1/k5srvutil.1%{?ext_man} +%{_mandir}/man1/kswitch.1%{?ext_man} +%{_mandir}/man5/krb5.conf.5%{?ext_man} +%{_mandir}/man5/.k5login.5%{?ext_man} +%{_mandir}/man5/.k5identity.5%{?ext_man} +%{_mandir}/man5/k5identity.5%{?ext_man} +%{_mandir}/man5/k5login.5%{?ext_man} +%{_mandir}/man1/ksu.1%{?ext_man} 
+%{_mandir}/man1/sclient.1%{?ext_man} +%{_mandir}/man7/kerberos.7%{?ext_man} %files plugin-kdb-ldap -%defattr(-,root,root) %dir %{_libdir}/krb5 %dir %{_libdir}/krb5/plugins %dir %{_libdir}/krb5/plugins/kdb -%dir /usr/lib/mit/sbin/ +%dir %{_prefix}/lib/mit/sbin/ %dir %{_datadir}/kerberos %dir %{_datadir}/kerberos/ldap %config %{_datadir}/kerberos/ldap/kerberos.schema %config %{_datadir}/kerberos/ldap/kerberos.ldif %{_libdir}/krb5/plugins/kdb/kldap.so -/usr/lib/mit/sbin/kdb5_ldap_util +%{_prefix}/lib/mit/sbin/kdb5_ldap_util %{_libdir}/libkdb_ldap* -%{_mandir}/man8/kdb5_ldap_util.8* +%{_mandir}/man8/kdb5_ldap_util.8%{?ext_man} %files plugin-preauth-pkinit -%defattr(-,root,root) %dir %{_libdir}/krb5 %dir %{_libdir}/krb5/plugins %dir %{_libdir}/krb5/plugins/preauth %{_libdir}/krb5/plugins/preauth/pkinit.so %files plugin-preauth-otp -%defattr(-,root,root) %dir %{_libdir}/krb5 %dir %{_libdir}/krb5/plugins %dir %{_libdir}/krb5/plugins/preauth %{_libdir}/krb5/plugins/preauth/otp.so %files plugin-preauth-spake -%defattr(-,root,root) %dir %{_libdir}/krb5 %dir %{_libdir}/krb5/plugins %dir %{_libdir}/krb5/plugins/preauth