diff --git a/krb5-1.10-buildconf.patch b/krb5-1.10-buildconf.patch index b62e1cf..d7f5ed9 100644 --- a/krb5-1.10-buildconf.patch +++ b/krb5-1.10-buildconf.patch @@ -4,10 +4,10 @@ the -L/usr/lib* and PIE flags where they might leak out and affect apps which just want to link with the libraries. FIXME: needs to check and not just assume that the compiler supports using these flags. -Index: krb5-1.11/src/config/shlib.conf +Index: krb5-1.10.2/src/config/shlib.conf =================================================================== ---- krb5-1.11.orig/src/config/shlib.conf -+++ krb5-1.11/src/config/shlib.conf +--- krb5-1.10.2.orig/src/config/shlib.conf ++++ krb5-1.10.2/src/config/shlib.conf @@ -419,7 +419,7 @@ mips-*-netbsd*) SHLIBEXT=.so # Linux ld doesn't default to stuffing the SONAME field... @@ -27,11 +27,11 @@ Index: krb5-1.11/src/config/shlib.conf CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)' CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)' CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)' -Index: krb5-1.11/src/krb5-config.in +Index: krb5-1.10.2/src/krb5-config.in =================================================================== ---- krb5-1.11.orig/src/krb5-config.in -+++ krb5-1.11/src/krb5-config.in -@@ -221,6 +221,13 @@ if test -n "$do_libs"; then +--- krb5-1.10.2.orig/src/krb5-config.in ++++ krb5-1.10.2/src/krb5-config.in +@@ -189,6 +189,13 @@ if test -n "$do_libs"; then -e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \ -e 's#\$(CFLAGS)##'` 
@@ -45,11 +45,11 @@ Index: krb5-1.11/src/krb5-config.in if test $library = 'kdb'; then lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB" library=krb5 -Index: krb5-1.11/src/config/pre.in +Index: krb5-1.10.2/src/config/pre.in =================================================================== ---- krb5-1.11.orig/src/config/pre.in -+++ krb5-1.11/src/config/pre.in -@@ -185,7 +185,7 @@ INSTALL_PROGRAM=@INSTALL_PROGRAM@ $(INST +--- krb5-1.10.2.orig/src/config/pre.in ++++ krb5-1.10.2/src/config/pre.in +@@ -190,7 +190,7 @@ INSTALL_PROGRAM=@INSTALL_PROGRAM@ $(INST INSTALL_SCRIPT=@INSTALL_PROGRAM@ INSTALL_DATA=@INSTALL_DATA@ INSTALL_SHLIB=@INSTALL_SHLIB@ diff --git a/krb5-1.10-gcc47.patch b/krb5-1.10-gcc47.patch new file mode 100644 index 0000000..5831fba --- /dev/null +++ b/krb5-1.10-gcc47.patch @@ -0,0 +1,12 @@ +This file also triggers the maybe-uninitialized warning/error. RT#7080 + +--- src/lib/krb5/krb/x-deltat.y ++++ src/lib/krb5/krb/x-deltat.y +@@ -44,6 +44,7 @@ + #ifdef __GNUC__ + #pragma GCC diagnostic push + #pragma GCC diagnostic ignored "-Wuninitialized" ++#pragma GCC diagnostic ignored "-Wmaybe-uninitialized" + #endif + + #include diff --git a/krb5-1.10-selinux-label.patch b/krb5-1.10-selinux-label.patch new file mode 100644 index 0000000..bf9a9f0 --- /dev/null +++ b/krb5-1.10-selinux-label.patch 
@@ -0,0 +1,999 @@ +SELinux bases access to files on the domain of the requesting process, +the operation being performed, and the context applied to the file. + +In many cases, applications needn't be SELinux aware to work properly, +because SELinux can apply a default label to a file based on the label +of the directory in which it's created. + +In the case of files such as /etc/krb5.keytab, however, this isn't +sufficient, as /etc/krb5.keytab will almost always need to be given a +label which differs from that of /etc/issue or /etc/resolv.conf. The +the kdb stash file needs a different label than the database for which +it's holding a master key, even though both typically live in the same +directory. + +To give the file the correct label, we can either force a "restorecon" +call to fix a file's label after it's created, or create the file with +the right label, as we attempt to do here. We lean on THREEPARAMOPEN +and define a similar macro named WRITABLEFOPEN with which we replace +several uses of fopen(). + +The file creation context that we're manipulating here is a process-wide +attribute. While for the most part, applications which need to label +files when they're created have tended to be single-threaded, there's +not much we can do to avoid interfering with an application that +manipulates the creation context directly. Right now we're mediating +access using a library-local mutex, but that can only work for consumers +that are part of this package -- an unsuspecting application will still +stomp all over us. + +The selabel APIs for looking up the context should be thread-safe (per +Red Hat #273081), so switching to using them instead of matchpathcon(), +which we used earlier, is some improvement. 
+ +Index: krb5-1.10.2/src/aclocal.m4 +=================================================================== +--- krb5-1.10.2.orig/src/aclocal.m4 ++++ krb5-1.10.2/src/aclocal.m4 +@@ -84,6 +84,7 @@ AC_SUBST_FILE(libnodeps_frag) + dnl + KRB5_AC_PRAGMA_WEAK_REF + WITH_LDAP ++KRB5_WITH_SELINUX + KRB5_LIB_PARAMS + KRB5_AC_INITFINI + KRB5_AC_ENABLE_THREADS +@@ -1764,3 +1765,51 @@ AC_SUBST(manlocalstatedir) + AC_SUBST(manlibexecdir) + AC_CONFIG_FILES($1) + ]) ++dnl ++dnl Use libselinux to set file contexts on newly-created files. ++dnl ++AC_DEFUN(KRB5_WITH_SELINUX,[ ++AC_ARG_WITH(selinux,[AC_HELP_STRING(--with-selinux,[compile with SELinux labeling support])], ++ withselinux="$withval",withselinux=auto) ++old_LIBS="$LIBS" ++if test "$withselinux" != no ; then ++ AC_MSG_RESULT([checking for libselinux...]) ++ SELINUX_LIBS= ++ AC_CHECK_HEADERS(selinux/selinux.h selinux/label.h) ++ if test "x$ac_cv_header_selinux_selinux_h" != xyes ; then ++ if test "$withselinux" = auto ; then ++ AC_MSG_RESULT([Unable to locate selinux/selinux.h.]) ++ withselinux=no ++ else ++ AC_MSG_ERROR([Unable to locate selinux/selinux.h.]) ++ fi ++ fi ++ ++ LIBS= ++ unset ac_cv_func_setfscreatecon ++ AC_CHECK_FUNCS(setfscreatecon selabel_open) ++ if test "x$ac_cv_func_setfscreatecon" = xno ; then ++ AC_CHECK_LIB(selinux,setfscreatecon) ++ unset ac_cv_func_setfscreatecon ++ AC_CHECK_FUNCS(setfscreatecon selabel_open) ++ if test "x$ac_cv_func_setfscreatecon" = xyes ; then ++ SELINUX_LIBS="$LIBS" ++ else ++ if test "$withselinux" = auto ; then ++ AC_MSG_RESULT([Unable to locate libselinux.]) ++ withselinux=no ++ else ++ AC_MSG_ERROR([Unable to locate libselinux.]) ++ fi ++ fi ++ fi ++ if test "$withselinux" != no ; then ++ AC_MSG_NOTICE([building with SELinux labeling support]) ++ AC_DEFINE(USE_SELINUX,1,[Define if Kerberos-aware tools should set SELinux file contexts when creating files.]) ++ SELINUX_LIBS="$LIBS" ++ EXTRA_SUPPORT_SYMS="$EXTRA_SUPPORT_SYMS krb5int_labeled_open krb5int_labeled_fopen 
krb5int_push_fscreatecon_for krb5int_pop_fscreatecon" ++ fi ++fi ++LIBS="$old_LIBS" ++AC_SUBST(SELINUX_LIBS) ++])dnl +Index: krb5-1.10.2/src/config/pre.in +=================================================================== +--- krb5-1.10.2.orig/src/config/pre.in ++++ krb5-1.10.2/src/config/pre.in +@@ -182,6 +182,7 @@ LD_UNRESOLVED_PREFIX = @LD_UNRESOLVED_PR + LD_SHLIBDIR_PREFIX = @LD_SHLIBDIR_PREFIX@ + LDARGS = @LDARGS@ + LIBS = @LIBS@ ++SELINUX_LIBS=@SELINUX_LIBS@ + + INSTALL=@INSTALL@ + INSTALL_STRIP= +@@ -406,7 +407,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME) + # HESIOD_LIBS is -lhesiod... + HESIOD_LIBS = @HESIOD_LIBS@ + +-KRB5_BASE_LIBS = $(KRB5_LIB) $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) $(GEN_LIB) $(LIBS) $(DL_LIB) ++KRB5_BASE_LIBS = $(KRB5_LIB) $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) $(GEN_LIB) $(LIBS) $(SELINUX_LIBS) $(DL_LIB) + KDB5_LIBS = $(KDB5_LIB) $(GSSRPC_LIBS) + GSS_LIBS = $(GSS_KRB5_LIB) + # needs fixing if ever used on Mac OS X! +Index: krb5-1.10.2/src/configure.in +=================================================================== +--- krb5-1.10.2.orig/src/configure.in ++++ krb5-1.10.2/src/configure.in +@@ -1248,6 +1248,8 @@ AC_SUBST(localedir) + + KRB5_WITH_PAM + ++KRB5_WITH_SELINUX ++ + AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config]) + + V5_AC_OUTPUT_MANPAGE([ +Index: krb5-1.10.2/src/include/k5-int.h +=================================================================== +--- krb5-1.10.2.orig/src/include/k5-int.h ++++ krb5-1.10.2/src/include/k5-int.h +@@ -135,6 +135,7 @@ typedef unsigned char u_char; + typedef UINT64_TYPE krb5_ui_8; + typedef INT64_TYPE krb5_int64; + ++#include "k5-label.h" + + #define DEFAULT_PWD_STRING1 "Enter password" + #define DEFAULT_PWD_STRING2 "Re-enter password for verification" +Index: krb5-1.10.2/src/include/k5-label.h +=================================================================== +--- /dev/null ++++ krb5-1.10.2/src/include/k5-label.h +@@ -0,0 +1,32 @@ ++#ifndef _KRB5_LABEL_H ++#define _KRB5_LABEL_H 
++ ++#ifdef THREEPARAMOPEN ++#undef THREEPARAMOPEN ++#endif ++#ifdef WRITABLEFOPEN ++#undef WRITABLEFOPEN ++#endif ++ ++/* Wrapper functions which help us create files and directories with the right ++ * context labels. */ ++#ifdef USE_SELINUX ++#include ++#include ++#include ++#include ++#include ++FILE *krb5int_labeled_fopen(const char *path, const char *mode); ++int krb5int_labeled_creat(const char *path, mode_t mode); ++int krb5int_labeled_open(const char *path, int flags, ...); ++int krb5int_labeled_mkdir(const char *path, mode_t mode); ++int krb5int_labeled_mknod(const char *path, mode_t mode, dev_t device); ++#define THREEPARAMOPEN(x,y,z) krb5int_labeled_open(x,y,z) ++#define WRITABLEFOPEN(x,y) krb5int_labeled_fopen(x,y) ++void *krb5int_push_fscreatecon_for(const char *pathname); ++void krb5int_pop_fscreatecon(void *previous); ++#else ++#define WRITABLEFOPEN(x,y) fopen(x,y) ++#define THREEPARAMOPEN(x,y,z) open(x,y,z) ++#endif ++#endif +Index: krb5-1.10.2/src/include/krb5/krb5.hin +=================================================================== +--- krb5-1.10.2.orig/src/include/krb5/krb5.hin ++++ krb5-1.10.2/src/include/krb5/krb5.hin +@@ -83,6 +83,12 @@ + #define THREEPARAMOPEN(x,y,z) open(x,y,z) + #endif + ++#if KRB5_PRIVATE ++#ifndef WRITABLEFOPEN ++#define WRITABLEFOPEN(x,y) fopen(x,y) ++#endif ++#endif ++ + #define KRB5_OLD_CRYPTO + + #include +Index: krb5-1.10.2/src/kadmin/dbutil/dump.c +=================================================================== +--- krb5-1.10.2.orig/src/kadmin/dbutil/dump.c ++++ krb5-1.10.2/src/kadmin/dbutil/dump.c +@@ -346,7 +346,7 @@ void update_ok_file (file_name) + exit_status++; + return; + } +- if ((fd = open(file_ok, O_WRONLY|O_CREAT|O_TRUNC, 0600)) < 0) { ++ if ((fd = THREEPARAMOPEN(file_ok, O_WRONLY|O_CREAT|O_TRUNC, 0600)) < 0) { + com_err(progname, errno, _("while creating 'ok' file, '%s'"), + file_ok); + exit_status++; +@@ -1251,7 +1251,7 @@ dump_db(argc, argv) + * want to get into. 
+ */ + unlink(ofile); +- if (!(f = fopen(ofile, "w"))) { ++ if (!(f = WRITABLEFOPEN(ofile, "w"))) { + fprintf(stderr, ofopen_error, + progname, ofile, error_message(errno)); + exit_status++; +Index: krb5-1.10.2/src/krb5-config.in +=================================================================== +--- krb5-1.10.2.orig/src/krb5-config.in ++++ krb5-1.10.2/src/krb5-config.in +@@ -38,6 +38,7 @@ RPATH_FLAG='@RPATH_FLAG@' + PROG_RPATH_FLAGS='@PROG_RPATH_FLAGS@' + PTHREAD_CFLAGS='@PTHREAD_CFLAGS@' + DL_LIB='@DL_LIB@' ++SELINUX_LIBS='@SELINUX_LIBS@' + + LIBS='@LIBS@' + GEN_LIB=@GEN_LIB@ +@@ -218,7 +219,7 @@ if test -n "$do_libs"; then + fi + + # If we ever support a flag to generate output suitable for static +- # linking, we would output "-lkrb5support $GEN_LIB $LIBS $DL_LIB" ++ # linking, we would output "-lkrb5support $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB" + # here. + + echo $lib_flags +Index: krb5-1.10.2/src/lib/kadm5/logger.c +=================================================================== +--- krb5-1.10.2.orig/src/lib/kadm5/logger.c ++++ krb5-1.10.2/src/lib/kadm5/logger.c +@@ -423,7 +423,7 @@ krb5_klog_init(krb5_context kcontext, ch + * Check for append/overwrite, then open the file. + */ + if (cp[4] == ':' || cp[4] == '=') { +- f = fopen(&cp[5], (cp[4] == ':') ? "a" : "w"); ++ f = WRITABLEFOPEN(&cp[5], (cp[4] == ':') ? "a" : "w"); + if (f) { + set_cloexec_file(f); + log_control.log_entries[i].lfu_filep = f; +@@ -959,7 +959,7 @@ krb5_klog_reopen(krb5_context kcontext) + * In case the old logfile did not get moved out of the + * way, open for append to prevent squashing the old logs. 
+ */ +- f = fopen(log_control.log_entries[lindex].lfu_fname, "a+"); ++ f = WRITABLEFOPEN(log_control.log_entries[lindex].lfu_fname, "a+"); + if (f) { + set_cloexec_file(f); + log_control.log_entries[lindex].lfu_filep = f; +Index: krb5-1.10.2/src/lib/krb5/keytab/kt_file.c +=================================================================== +--- krb5-1.10.2.orig/src/lib/krb5/keytab/kt_file.c ++++ krb5-1.10.2/src/lib/krb5/keytab/kt_file.c +@@ -1039,7 +1039,7 @@ krb5_ktfileint_open(krb5_context context + + KTCHECKLOCK(id); + errno = 0; +- KTFILEP(id) = fopen(KTFILENAME(id), ++ KTFILEP(id) = WRITABLEFOPEN(KTFILENAME(id), + (mode == KRB5_LOCKMODE_EXCLUSIVE) ? + fopen_mode_rbplus : fopen_mode_rb); + if (!KTFILEP(id)) { +@@ -1047,7 +1047,7 @@ krb5_ktfileint_open(krb5_context context + /* try making it first time around */ + krb5_create_secure_file(context, KTFILENAME(id)); + errno = 0; +- KTFILEP(id) = fopen(KTFILENAME(id), fopen_mode_rbplus); ++ KTFILEP(id) = WRITABLEFOPEN(KTFILENAME(id), fopen_mode_rbplus); + if (!KTFILEP(id)) + goto report_errno; + writevno = 1; +Index: krb5-1.10.2/src/plugins/kdb/db2/adb_openclose.c +=================================================================== +--- krb5-1.10.2.orig/src/plugins/kdb/db2/adb_openclose.c ++++ krb5-1.10.2/src/plugins/kdb/db2/adb_openclose.c +@@ -197,7 +197,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char + * POSIX systems + */ + lockp->lockinfo.filename = strdup(lockfilename); +- if ((lockp->lockinfo.lockfile = fopen(lockfilename, "r+")) == NULL) { ++ if ((lockp->lockinfo.lockfile = WRITABLEFOPEN(lockfilename, "r+")) == NULL) { + /* + * maybe someone took away write permission so we could only + * get shared locks? 
+Index: krb5-1.10.2/src/plugins/kdb/db2/libdb2/btree/bt_open.c +=================================================================== +--- krb5-1.10.2.orig/src/plugins/kdb/db2/libdb2/btree/bt_open.c ++++ krb5-1.10.2/src/plugins/kdb/db2/libdb2/btree/bt_open.c +@@ -60,6 +60,7 @@ static char sccsid[] = "@(#)bt_open.c 8. + + #include "k5-platform.h" /* mkstemp? */ + ++#include "k5-int.h" + #include "db-int.h" + #include "btree.h" + +@@ -203,7 +204,7 @@ __bt_open(fname, flags, mode, openinfo, + goto einval; + } + +- if ((t->bt_fd = open(fname, flags | O_BINARY, mode)) < 0) ++ if ((t->bt_fd = THREEPARAMOPEN(fname, flags | O_BINARY, mode)) < 0) + goto err; + + } else { +Index: krb5-1.10.2/src/plugins/kdb/db2/libdb2/hash/hash.c +=================================================================== +--- krb5-1.10.2.orig/src/plugins/kdb/db2/libdb2/hash/hash.c ++++ krb5-1.10.2/src/plugins/kdb/db2/libdb2/hash/hash.c +@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)hash.c 8.12 + #include + #endif + ++#include "k5-int.h" + #include "db-int.h" + #include "hash.h" + #include "page.h" +@@ -140,7 +141,7 @@ __kdb2_hash_open(file, flags, mode, info + new_table = 1; + } + if (file) { +- if ((hashp->fp = open(file, flags|O_BINARY, mode)) == -1) ++ if ((hashp->fp = THREEPARAMOPEN(file, flags|O_BINARY, mode)) == -1) + RETURN_ERROR(errno, error0); + (void)fcntl(hashp->fp, F_SETFD, 1); + } +Index: krb5-1.10.2/src/plugins/kdb/db2/libdb2/test/Makefile.in +=================================================================== +--- krb5-1.10.2.orig/src/plugins/kdb/db2/libdb2/test/Makefile.in ++++ krb5-1.10.2/src/plugins/kdb/db2/libdb2/test/Makefile.in +@@ -12,7 +12,8 @@ PROG_RPATH=$(KRB5_LIBDIR) + + KRB5_RUN_ENV= @KRB5_RUN_ENV@ + +-DB_LIB = -ldb ++DB_LIB = -ldb $(SUPPORT_DEPLIB) ++ + DB_DEPLIB = ../libdb$(DEPLIBEXT) + + all:: +Index: krb5-1.10.2/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c +=================================================================== +--- 
krb5-1.10.2.orig/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c ++++ krb5-1.10.2/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c +@@ -1088,7 +1088,7 @@ rem_service_entry_from_file(int argc, ch + + /* Create a temporary file which contains all the entries except the + entry for the given service dn */ +- pfile = fopen(file_name, "r+"); ++ pfile = WRITABLEFOPEN(file_name, "r+"); + if (pfile == NULL) { + com_err(me, errno, "while deleting entry from file %s", file_name); + goto cleanup; +@@ -1105,7 +1105,7 @@ rem_service_entry_from_file(int argc, ch + snprintf (tmp_file, strlen(file_name) + 4 + 1, "%s%s", file_name, ".tmp"); + + +- tmpfd = creat(tmp_file, S_IRUSR|S_IWUSR); ++ tmpfd = THREEPARAMOPEN(tmp_file, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR|S_IWUSR); + umask(omask); + if (tmpfd == -1) { + com_err(me, errno, "while deleting entry from file\n"); +@@ -1725,7 +1725,7 @@ kdb5_ldap_set_service_password(int argc, + + printf("File does not exist. Creating the file %s...\n", file_name); + omask = umask(077); +- fd = creat(file_name, S_IRUSR|S_IWUSR); ++ fd = THREEPARAMOPEN(file_name, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR|S_IWUSR); + umask(omask); + if (fd == -1) { + com_err(me, errno, "Error creating file %s", file_name); +@@ -1753,7 +1753,7 @@ kdb5_ldap_set_service_password(int argc, + + /* TODO: file lock for the service password file */ + /* set password in the file */ +- pfile = fopen(file_name, "r+"); ++ pfile = WRITABLEFOPEN(file_name, "r+"); + if (pfile == NULL) { + com_err(me, errno, "Failed to open file %s", file_name); + goto cleanup; +@@ -1794,7 +1794,7 @@ kdb5_ldap_set_service_password(int argc, + } + + omask = umask(077); +- newfile = fopen(tmp_file, "w+"); ++ newfile = WRITABLEFOPEN(tmp_file, "w+"); + umask(omask); + if (newfile == NULL) { + com_err(me, errno, "Error creating file %s", tmp_file); +@@ -2016,7 +2016,7 @@ done: + + /* set password in the file */ + old_mode = umask(0177); +- pfile = fopen(file_name, "a+"); ++ pfile = WRITABLEFOPEN(file_name, 
"a+"); + if (pfile == NULL) { + com_err(me, errno, _("Failed to open file %s: %s"), file_name, + strerror (errno)); +@@ -2068,7 +2068,7 @@ done: + } + + omask = umask(077); +- newfile = fopen(tmp_file, "w"); ++ newfile = WRITABLEFOPEN(tmp_file, "w"); + umask (omask); + if (newfile == NULL) { + com_err(me, errno, _("Error creating file %s"), tmp_file); +Index: krb5-1.10.2/src/slave/kpropd.c +=================================================================== +--- krb5-1.10.2.orig/src/slave/kpropd.c ++++ krb5-1.10.2/src/slave/kpropd.c +@@ -336,7 +336,7 @@ retry: + if (!debug && iproprole != IPROP_SLAVE) + daemon(1, 0); + #ifdef PID_FILE +- if ((pidfile = fopen(PID_FILE, "w")) != NULL) { ++ if ((pidfile = WRITABLEFOPEN(PID_FILE, "w")) != NULL) { + fprintf(pidfile, "%d\n", getpid()); + fclose(pidfile); + } else +@@ -437,6 +437,9 @@ void doit(fd) + krb5_enctype etype; + int database_fd; + char host[INET6_ADDRSTRLEN+1]; ++#ifdef USE_SELINUX ++ void *selabel; ++#endif + + if (kpropd_context->kdblog_context && + kpropd_context->kdblog_context->iproprole == IPROP_SLAVE) { +@@ -515,9 +518,15 @@ void doit(fd) + free(name); + exit(1); + } ++#ifdef USE_SELINUX ++ selabel = krb5int_push_fscreatecon_for(file); ++#endif + omask = umask(077); + lock_fd = open(temp_file_name, O_RDWR|O_CREAT, 0600); + (void) umask(omask); ++#ifdef USE_SELINUX ++ krb5int_pop_fscreatecon(selabel); ++#endif + retval = krb5_lock_file(kpropd_context, lock_fd, + KRB5_LOCKMODE_EXCLUSIVE|KRB5_LOCKMODE_DONTBLOCK); + if (retval) { +Index: krb5-1.10.2/src/util/profile/prof_file.c +=================================================================== +--- krb5-1.10.2.orig/src/util/profile/prof_file.c ++++ krb5-1.10.2/src/util/profile/prof_file.c +@@ -30,6 +30,7 @@ + #endif + + #include "k5-platform.h" ++#include "k5-label.h" + + struct global_shared_profile_data { + /* This is the head of the global list of shared trees */ +@@ -423,7 +424,7 @@ static errcode_t write_data_to_file(prf_ + + errno = 0; + +- f = 
fopen(new_file, "w"); ++ f = WRITABLEFOPEN(new_file, "w"); + if (!f) { + retval = errno; + if (retval == 0) +Index: krb5-1.10.2/src/util/support/Makefile.in +=================================================================== +--- krb5-1.10.2.orig/src/util/support/Makefile.in ++++ krb5-1.10.2/src/util/support/Makefile.in +@@ -64,6 +64,7 @@ IPC_SYMS= \ + + STLIBOBJS= \ + threads.o \ ++ selinux.o \ + init-addrinfo.o \ + plugins.o \ + errors.o \ +@@ -127,7 +128,7 @@ SRCS=\ + + SHLIB_EXPDEPS = + # Add -lm if dumping thread stats, for sqrt. +-SHLIB_EXPLIBS= $(LIBS) $(DL_LIB) ++SHLIB_EXPLIBS= $(LIBS) $(SELINUX_LIBS) $(DL_LIB) + SHLIB_DIRS= + SHLIB_RDIRS=$(KRB5_LIBDIR) + +Index: krb5-1.10.2/src/util/support/selinux.c +=================================================================== +--- /dev/null ++++ krb5-1.10.2/src/util/support/selinux.c +@@ -0,0 +1,372 @@ ++/* ++ * Copyright 2007,2008,2009,2011 Red Hat, Inc. All Rights Reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions are met: ++ * ++ * Redistributions of source code must retain the above copyright notice, this ++ * list of conditions and the following disclaimer. ++ * ++ * Redistributions in binary form must reproduce the above copyright notice, ++ * this list of conditions and the following disclaimer in the documentation ++ * and/or other materials provided with the distribution. ++ * ++ * Neither the name of Red Hat, Inc. nor the names of its contributors may be ++ * used to endorse or promote products derived from this software without ++ * specific prior written permission. ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" ++ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ++ * ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE ++ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR ++ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF ++ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS ++ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN ++ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE ++ * POSSIBILITY OF SUCH DAMAGE. ++ * ++ * File-opening wrappers for creating correctly-labeled files. So far, we can ++ * assume that this is Linux-specific, so we make many simplifying assumptions. ++ */ ++ ++#include "../../include/autoconf.h" ++ ++#ifdef USE_SELINUX ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#ifdef HAVE_SELINUX_LABEL_H ++#include ++#endif ++ ++/* #define DEBUG 1 */ ++ ++/* Mutex used to serialize use of the process-global file creation context. */ ++k5_mutex_t labeled_mutex = K5_MUTEX_PARTIAL_INITIALIZER; ++ ++/* Make sure we finish initializing that mutex before attempting to use it. 
*/ ++k5_once_t labeled_once = K5_ONCE_INIT; ++static void ++label_mutex_init(void) ++{ ++ k5_mutex_finish_init(&labeled_mutex); ++} ++ ++static security_context_t ++push_fscreatecon(const char *pathname, mode_t mode) ++{ ++ security_context_t previous, configuredsc, currentsc, derivedsc; ++ context_t current, derived; ++ const char *fullpath, *currentuser; ++#ifdef HAVE_SELINUX_LABEL_H ++ struct selabel_handle *ctx; ++#endif ++ ++ previous = NULL; ++ if (is_selinux_enabled()) { ++ if (getfscreatecon(&previous) == 0) { ++ char *genpath; ++ genpath = NULL; ++ if (pathname[0] != '/') { ++ char *wd; ++ size_t len; ++ len = 0; ++ wd = getcwd(NULL, len); ++ if (wd == NULL) { ++ if (previous != NULL) { ++ freecon(previous); ++ } ++ return NULL; ++ } ++ len = strlen(wd) + 1 + strlen(pathname) + 1; ++ genpath = malloc(len); ++ if (genpath == NULL) { ++ free(wd); ++ if (previous != NULL) { ++ freecon(previous); ++ } ++ return NULL; ++ } ++ sprintf(genpath, "%s/%s", wd, pathname); ++ free(wd); ++ fullpath = genpath; ++ } else { ++ fullpath = pathname; ++ } ++#ifdef DEBUG ++ if (isatty(fileno(stderr))) { ++ fprintf(stderr, "Looking up context for " ++ "\"%s\"(%05o).\n", fullpath, mode); ++ } ++#endif ++ configuredsc = NULL; ++#ifdef HAVE_SELINUX_LABEL_H ++ ctx = selabel_open(SELABEL_CTX_FILE, NULL, 0); ++ if (ctx != NULL) { ++ if (selabel_lookup(ctx, &configuredsc, ++ fullpath, mode) != 0) { ++ selabel_close(ctx); ++ free(genpath); ++ if (previous != NULL) { ++ freecon(previous); ++ } ++ return NULL; ++ } ++ selabel_close(ctx); ++ } ++#else ++ if (matchpathcon(fullpath, mode, &configuredsc) != 0) { ++ free(genpath); ++ if (previous != NULL) { ++ freecon(previous); ++ } ++ return NULL; ++ } ++#endif ++ free(genpath); ++ if (configuredsc == NULL) { ++ if (previous != NULL) { ++ freecon(previous); ++ } ++ return NULL; ++ } ++ currentsc = NULL; ++ getcon(¤tsc); ++ if (currentsc != NULL) { ++ derived = context_new(configuredsc); ++ if (derived != NULL) { ++ current = 
context_new(currentsc); ++ if (current != NULL) { ++ currentuser = context_user_get(current); ++ if (currentuser != NULL) { ++ if (context_user_set(derived, ++ currentuser) == 0) { ++ derivedsc = context_str(derived); ++ if (derivedsc != NULL) { ++ freecon(configuredsc); ++ configuredsc = strdup(derivedsc); ++ } ++ } ++ } ++ context_free(current); ++ } ++ context_free(derived); ++ } ++ freecon(currentsc); ++ } ++#ifdef DEBUG ++ if (isatty(fileno(stderr))) { ++ fprintf(stderr, "Setting file creation context " ++ "to \"%s\".\n", configuredsc); ++ } ++#endif ++ if (setfscreatecon(configuredsc) != 0) { ++ freecon(configuredsc); ++ if (previous != NULL) { ++ freecon(previous); ++ } ++ return NULL; ++ } ++ freecon(configuredsc); ++#ifdef DEBUG ++ } else { ++ if (isatty(fileno(stderr))) { ++ fprintf(stderr, "Unable to determine " ++ "current context.\n"); ++ } ++#endif ++ } ++ } ++ return previous; ++} ++ ++static void ++pop_fscreatecon(security_context_t previous) ++{ ++ if (is_selinux_enabled()) { ++#ifdef DEBUG ++ if (isatty(fileno(stderr))) { ++ if (previous != NULL) { ++ fprintf(stderr, "Resetting file creation " ++ "context to \"%s\".\n", previous); ++ } else { ++ fprintf(stderr, "Resetting file creation " ++ "context to default.\n"); ++ } ++ } ++#endif ++ setfscreatecon(previous); ++ if (previous != NULL) { ++ freecon(previous); ++ } ++ } ++} ++ ++void * ++krb5int_push_fscreatecon_for(const char *pathname) ++{ ++ struct stat st; ++ void *retval; ++ k5_once(&labeled_once, label_mutex_init); ++ if (k5_mutex_lock(&labeled_mutex) == 0) { ++ if (stat(pathname, &st) != 0) { ++ st.st_mode = S_IRUSR | S_IWUSR; ++ } ++ retval = push_fscreatecon(pathname, st.st_mode); ++ return retval ? retval : (void *) -1; ++ } else { ++ return NULL; ++ } ++} ++ ++void ++krb5int_pop_fscreatecon(void *con) ++{ ++ if (con != NULL) { ++ pop_fscreatecon((con == (void *) -1) ? 
NULL : con); ++ k5_mutex_unlock(&labeled_mutex); ++ } ++} ++ ++FILE * ++krb5int_labeled_fopen(const char *path, const char *mode) ++{ ++ FILE *fp; ++ int errno_save; ++ security_context_t ctx; ++ ++ if (strcmp(mode, "r") == 0) { ++ return fopen(path, mode); ++ } ++ ++ k5_once(&labeled_once, label_mutex_init); ++ if (k5_mutex_lock(&labeled_mutex) == 0) { ++ ctx = push_fscreatecon(path, 0); ++ fp = fopen(path, mode); ++ errno_save = errno; ++ pop_fscreatecon(ctx); ++ k5_mutex_unlock(&labeled_mutex); ++ errno = errno_save; ++ } else { ++ fp = fopen(path, mode); ++ } ++ ++ return fp; ++} ++ ++int ++krb5int_labeled_creat(const char *path, mode_t mode) ++{ ++ int fd; ++ int errno_save; ++ security_context_t ctx; ++ ++ k5_once(&labeled_once, label_mutex_init); ++ if (k5_mutex_lock(&labeled_mutex) == 0) { ++ ctx = push_fscreatecon(path, 0); ++ fd = creat(path, mode); ++ errno_save = errno; ++ pop_fscreatecon(ctx); ++ k5_mutex_unlock(&labeled_mutex); ++ errno = errno_save; ++ } else { ++ fd = creat(path, mode); ++ } ++ return fd; ++} ++ ++int ++krb5int_labeled_mknod(const char *path, mode_t mode, dev_t dev) ++{ ++ int ret; ++ int errno_save; ++ security_context_t ctx; ++ ++ k5_once(&labeled_once, label_mutex_init); ++ if (k5_mutex_lock(&labeled_mutex) == 0) { ++ ctx = push_fscreatecon(path, mode); ++ ret = mknod(path, mode, dev); ++ errno_save = errno; ++ pop_fscreatecon(ctx); ++ k5_mutex_unlock(&labeled_mutex); ++ errno = errno_save; ++ } else { ++ ret = mknod(path, mode, dev); ++ } ++ return ret; ++} ++ ++int ++krb5int_labeled_mkdir(const char *path, mode_t mode) ++{ ++ int ret; ++ int errno_save; ++ security_context_t ctx; ++ ++ k5_once(&labeled_once, label_mutex_init); ++ if (k5_mutex_lock(&labeled_mutex) == 0) { ++ ctx = push_fscreatecon(path, S_IFDIR); ++ ret = mkdir(path, mode); ++ errno_save = errno; ++ pop_fscreatecon(ctx); ++ k5_mutex_unlock(&labeled_mutex); ++ errno = errno_save; ++ } else { ++ ret = mkdir(path, mode); ++ } ++ return ret; ++} ++ ++int 
++krb5int_labeled_open(const char *path, int flags, ...) ++{ ++ int fd; ++ int errno_save; ++ security_context_t ctx; ++ mode_t mode; ++ va_list ap; ++ ++ if ((flags & O_CREAT) == 0) { ++ return open(path, flags); ++ } ++ ++ k5_once(&labeled_once, label_mutex_init); ++ if (k5_mutex_lock(&labeled_mutex) == 0) { ++ ctx = push_fscreatecon(path, 0); ++ ++ va_start(ap, flags); ++ mode = va_arg(ap, mode_t); ++ fd = open(path, flags, mode); ++ va_end(ap); ++ ++ errno_save = errno; ++ pop_fscreatecon(ctx); ++ k5_mutex_unlock(&labeled_mutex); ++ errno = errno_save; ++ } else { ++ va_start(ap, flags); ++ mode = va_arg(ap, mode_t); ++ fd = open(path, flags, mode); ++ errno_save = errno; ++ va_end(ap); ++ errno = errno_save; ++ } ++ return fd; ++} ++ ++#endif +Index: krb5-1.10.2/src/lib/krb5/rcache/rc_dfl.c +=================================================================== +--- krb5-1.10.2.orig/src/lib/krb5/rcache/rc_dfl.c ++++ krb5-1.10.2/src/lib/krb5/rcache/rc_dfl.c +@@ -812,6 +812,9 @@ krb5_rc_dfl_expunge_locked(krb5_context + krb5_error_code retval = 0; + krb5_rcache tmp; + krb5_deltat lifespan = t->lifespan; /* save original lifespan */ ++#ifdef USE_SELINUX ++ void *selabel; ++#endif + + if (! 
t->recovering) { + name = t->name; +@@ -833,7 +836,17 @@ krb5_rc_dfl_expunge_locked(krb5_context + retval = krb5_rc_resolve(context, tmp, 0); + if (retval) + goto cleanup; ++#ifdef USE_SELINUX ++ if (t->d.fn != NULL) ++ selabel = krb5int_push_fscreatecon_for(t->d.fn); ++ else ++ selabel = NULL; ++#endif + retval = krb5_rc_initialize(context, tmp, lifespan); ++#ifdef USE_SELINUX ++ if (selabel != NULL) ++ krb5int_pop_fscreatecon(selabel); ++#endif + if (retval) + goto cleanup; + for (q = t->a; q; q = q->na) { +Index: krb5-1.10.2/src/plugins/kdb/db2/kdb_db2.c +=================================================================== +--- krb5-1.10.2.orig/src/plugins/kdb/db2/kdb_db2.c ++++ krb5-1.10.2/src/plugins/kdb/db2/kdb_db2.c +@@ -683,8 +683,8 @@ ctx_create_db(krb5_context context, krb5 + if (retval) + return retval; + +- dbc->db_lf_file = open(dbc->db_lf_name, O_CREAT | O_RDWR | O_TRUNC, +- 0600); ++ dbc->db_lf_file = THREEPARAMOPEN(dbc->db_lf_name, ++ O_CREAT | O_RDWR | O_TRUNC, 0600); + if (dbc->db_lf_file < 0) { + retval = errno; + goto cleanup; +Index: krb5-1.10.2/src/plugins/kdb/db2/libdb2/recno/rec_open.c +=================================================================== +--- krb5-1.10.2.orig/src/plugins/kdb/db2/libdb2/recno/rec_open.c ++++ krb5-1.10.2/src/plugins/kdb/db2/libdb2/recno/rec_open.c +@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)rec_open.c 8 + #include + #include + ++#include "k5-int.h" + #include "db-int.h" + #include "recno.h" + +@@ -68,7 +69,8 @@ __rec_open(fname, flags, mode, openinfo, + int rfd = -1, sverrno; + + /* Open the user's file -- if this fails, we're done. 
*/ +- if (fname != NULL && (rfd = open(fname, flags | O_BINARY, mode)) < 0) ++ if (fname != NULL && ++ (rfd = THREEPARAMOPEN(fname, flags | O_BINARY, mode)) < 0) + return (NULL); + + if (fname != NULL && fcntl(rfd, F_SETFD, 1) == -1) { +Index: krb5-1.10.2/src/kdc/main.c +=================================================================== +--- krb5-1.10.2.orig/src/kdc/main.c ++++ krb5-1.10.2/src/kdc/main.c +@@ -909,7 +909,7 @@ write_pid_file(const char *path) + FILE *file; + unsigned long pid; + +- file = fopen(path, "w"); ++ file = WRITABLEFOPEN(path, "w"); + if (file == NULL) + return errno; + pid = (unsigned long) getpid(); +Index: krb5-1.10.2/src/lib/kdb/kdb_log.c +=================================================================== +--- krb5-1.10.2.orig/src/lib/kdb/kdb_log.c ++++ krb5-1.10.2/src/lib/kdb/kdb_log.c +@@ -566,7 +566,7 @@ ulog_map(krb5_context context, const cha + return (errno); + } + +- if ((ulogfd = open(logname, O_RDWR+O_CREAT, 0600)) == -1) { ++ if ((ulogfd = THREEPARAMOPEN(logname, O_RDWR | O_CREAT, 0600)) == -1) { + return (errno); + } + +Index: krb5-1.10.2/src/util/gss-kernel-lib/Makefile.in +=================================================================== +--- krb5-1.10.2.orig/src/util/gss-kernel-lib/Makefile.in ++++ krb5-1.10.2/src/util/gss-kernel-lib/Makefile.in +@@ -66,6 +66,7 @@ HEADERS= \ + gssapi_err_generic.h \ + k5-int.h \ + k5-int-pkinit.h \ ++ k5-label.h \ + k5-thread.h \ + k5-platform.h \ + k5-buf.h \ +@@ -167,10 +168,12 @@ gssapi_generic.h: $(GSS_GENERIC)/gssapi_ + $(CP) $(GSS_GENERIC)/gssapi_generic.h $@ + gssapi_err_generic.h: $(GSS_GENERIC_BUILD)/gssapi_err_generic.h + $(CP) $(GSS_GENERIC_BUILD)/gssapi_err_generic.h $@ +-k5-int.h: $(INCLUDE)/k5-int.h ++k5-int.h: $(INCLUDE)/k5-int.h k5-label.h + $(CP) $(INCLUDE)/k5-int.h $@ + k5-int-pkinit.h: $(INCLUDE)/k5-int-pkinit.h + $(CP) $(INCLUDE)/k5-int-pkinit.h $@ ++k5-label.h: $(INCLUDE)/k5-label.h ++ $(CP) $(INCLUDE)/k5-label.h $@ + k5-thread.h: $(INCLUDE)/k5-thread.h + $(CP) 
$(INCLUDE)/k5-thread.h $@ + k5-platform.h: $(INCLUDE)/k5-platform.h diff --git a/krb5-1.10.2.tar.bz2 b/krb5-1.10.2.tar.bz2 new file mode 100644 index 0000000..752e403 --- /dev/null +++ b/krb5-1.10.2.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:479d66291ae989d5db9daca5838ff4bddde45c77b703fadcf78ca6d1db315bd8 +size 9457236 diff --git a/krb5-1.11.tar.bz2 b/krb5-1.11.tar.bz2 deleted file mode 100644 index 4467513..0000000 --- a/krb5-1.11.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:2276b81a25b329724f31ca65de0636d7aec5fe109cee275c7fc935d16051282b -size 9433922 diff --git a/krb5-1.3.5-perlfix.dif b/krb5-1.3.5-perlfix.dif new file mode 100644 index 0000000..8920770 --- /dev/null +++ b/krb5-1.3.5-perlfix.dif @@ -0,0 +1,9 @@ +--- doc/man2html ++++ doc/man2html 2004/10/18 16:20:53 +@@ -1,5 +1,4 @@ +-#!/usr/athena/bin/perl +-#!/usr/local/bin/perl ++#!/usr/bin/perl + ##---------------------------------------------------------------------------## + ## File: + ## @(#) man2html 1.2 97/08/12 12:57:30 @(#) diff --git a/krb5-1.6.3-ktutil-manpage.dif b/krb5-1.6.3-ktutil-manpage.dif index 956b816..5d0d58a 100644 --- a/krb5-1.6.3-ktutil-manpage.dif +++ b/krb5-1.6.3-ktutil-manpage.dif @@ -1,11 +1,11 @@ -Index: krb5-1.11/src/man/ktutil.man +Index: krb5-1.6.3/src/kadmin/ktutil/ktutil.M =================================================================== ---- krb5-1.11.orig/src/man/ktutil.man -+++ krb5-1.11/src/man/ktutil.man -@@ -158,6 +158,18 @@ ktutil: - .fi - .UNINDENT - .UNINDENT +--- krb5-1.6.3.orig/src/kadmin/ktutil/ktutil.M ++++ krb5-1.6.3/src/kadmin/ktutil/ktutil.M +@@ -63,5 +63,17 @@ Quits + Aliases: + .BR exit , + .BR q . +.SH REMARKS +Changes to the keytab are appended to the keytab file (i.e., the keytab file +is never overwritten). To directly modify a keytab, save the changes to a 
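Review bot: In the new selinux.c, krb5int_labeled_fopen() bypasses the labeling path only when the mode is exactly "r", yet several converted call sites use read-style modes that can never create a file: kt_file.c passes fopen_mode_rb / fopen_mode_rbplus (presumably "rb"-style strings; their definitions are outside this hunk), and adb_openclose.c and kdb5_ldap_services.c pass "r+". Each of those opens now takes labeled_mutex and rewrites the creation context that the patch description itself calls process-wide, which widens the window in which other threads are affected without labeling anything. Testing only the first character, `if (mode[0] == 'r') return fopen(path, mode);`, would confine the context switch to modes that can create a file. Separately, push_fscreatecon() does not check the result of `strdup(derivedsc)` after it has already freed configuredsc, so on allocation failure `setfscreatecon(NULL)` succeeds and the file is silently created with the default label; duplicating into a temporary and swapping only when it is non-NULL avoids that.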
@@ -19,5 +19,4 @@ Index: krb5-1.11/src/man/ktutil.man +ktutil> q +# mv /tmp/krb5.newtab /etc/krb5.keytab .SH SEE ALSO - .sp - \fIkadmin(1)\fP, \fIkdb5_util(8)\fP + kadmin(8), kdb5_util(8) diff --git a/krb5-1.8-manpaths.txt b/krb5-1.8-manpaths.txt new file mode 100644 index 0000000..eaf544f --- /dev/null +++ b/krb5-1.8-manpaths.txt @@ -0,0 +1,7 @@ +appl/sample/sserver/sserver.M +config-files/kdc.conf.M +config-files/krb5.conf.M +gen-manpages/kerberos.M +kadmin/cli/kadmin.M +slave/kpropd.M +slave/kprop.M diff --git a/krb5-1.8-pam.patch b/krb5-1.8-pam.patch index 196a6fe..e21648b 100644 --- a/krb5-1.8-pam.patch +++ b/krb5-1.8-pam.patch @@ -11,11 +11,11 @@ When enabled, ksu gains a dependency on libpam. Originally RT#5939, though it's changed since then to perform the account and session management before dropping privileges. -Index: krb5-1.11/src/aclocal.m4 +Index: krb5-1.10.2/src/aclocal.m4 =================================================================== ---- krb5-1.11.orig/src/aclocal.m4 -+++ krb5-1.11/src/aclocal.m4 -@@ -1664,3 +1664,70 @@ AC_DEFUN(KRB5_AC_KEYRING_CCACHE,[ +--- krb5-1.10.2.orig/src/aclocal.m4 ++++ krb5-1.10.2/src/aclocal.m4 +@@ -1676,3 +1676,70 @@ AC_DEFUN(KRB5_AC_KEYRING_CCACHE,[ ])) ])dnl dnl @@ -86,10 +86,10 @@ Index: krb5-1.11/src/aclocal.m4 +AC_SUBST(PAM_MAN) +AC_SUBST(NON_PAM_MAN) +])dnl -Index: krb5-1.11/src/clients/ksu/main.c +Index: krb5-1.10.2/src/clients/ksu/main.c =================================================================== ---- krb5-1.11.orig/src/clients/ksu/main.c -+++ krb5-1.11/src/clients/ksu/main.c +--- krb5-1.10.2.orig/src/clients/ksu/main.c ++++ krb5-1.10.2/src/clients/ksu/main.c @@ -26,6 +26,7 @@ * KSU was writen by: Ari Medvinsky, ari@isi.edu */ 
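Review bot: The REMARKS example carried by this hunk stages the rewritten keytab at `/tmp/krb5.newtab` before moving it to `/etc/krb5.keytab`, which puts long-term service keys under a predictable name in a world-writable directory. The command that writes the file lies between the two hunks and is not visible here, so the mode it is created with cannot be checked from this page. I would stage the file next to its destination instead, for example `# mv /etc/krb5.keytab.new /etc/krb5.keytab` with the write step changed to match. That keeps the rename on one filesystem and the keys out of a shared directory.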
@@ -249,10 +249,10 @@ Index: krb5-1.11/src/clients/ksu/main.c exit (1); } } -Index: krb5-1.11/src/clients/ksu/Makefile.in +Index: krb5-1.10.2/src/clients/ksu/Makefile.in =================================================================== ---- krb5-1.11.orig/src/clients/ksu/Makefile.in -+++ krb5-1.11/src/clients/ksu/Makefile.in +--- krb5-1.10.2.orig/src/clients/ksu/Makefile.in ++++ krb5-1.10.2/src/clients/ksu/Makefile.in @@ -7,12 +7,14 @@ PROG_LIBPATH=-L$(TOPLIBD) PROG_RPATH=$(KRB5_LIBDIR) @@ -287,10 +287,10 @@ Index: krb5-1.11/src/clients/ksu/Makefile.in clean:: $(RM) ksu -Index: krb5-1.11/src/clients/ksu/pam.c +Index: krb5-1.10.2/src/clients/ksu/pam.c =================================================================== --- /dev/null -+++ krb5-1.11/src/clients/ksu/pam.c ++++ krb5-1.10.2/src/clients/ksu/pam.c @@ -0,0 +1,389 @@ +/* + * src/clients/ksu/pam.c @@ -681,10 +681,10 @@ Index: krb5-1.11/src/clients/ksu/pam.c + return ret; +} +#endif -Index: krb5-1.11/src/clients/ksu/pam.h +Index: krb5-1.10.2/src/clients/ksu/pam.h =================================================================== --- /dev/null -+++ krb5-1.11/src/clients/ksu/pam.h ++++ krb5-1.10.2/src/clients/ksu/pam.h @@ -0,0 +1,57 @@ +/* + * src/clients/ksu/pam.h @@ -743,13 +743,13 @@ Index: krb5-1.11/src/clients/ksu/pam.h +int appl_pam_cred_init(void); +void appl_pam_cleanup(void); +#endif -Index: krb5-1.11/src/configure.in +Index: krb5-1.10.2/src/configure.in =================================================================== ---- krb5-1.11.orig/src/configure.in -+++ krb5-1.11/src/configure.in -@@ -1290,6 +1290,8 @@ AC_DEFINE_UNQUOTED(DEFKTNAME, ["$DEFKTNA - AC_DEFINE_UNQUOTED(DEFCKTNAME, ["$DEFCKTNAME"], - [Define to default client keytab name]) +--- krb5-1.10.2.orig/src/configure.in ++++ krb5-1.10.2/src/configure.in +@@ -1246,6 +1246,8 @@ if test "${localedir+set}" != set; then + fi + AC_SUBST(localedir) +KRB5_WITH_PAM + 
diff --git a/krb5-1.9-kprop-mktemp.patch b/krb5-1.9-kprop-mktemp.patch index 70996ce..dca8f8b 100644 --- a/krb5-1.9-kprop-mktemp.patch +++ b/krb5-1.9-kprop-mktemp.patch @@ -1,10 +1,10 @@ Use an in-memory ccache to silence a compiler warning, for RT#6414. -Index: krb5-1.11/src/slave/kprop.c +Index: krb5-1.10.2/src/slave/kprop.c =================================================================== ---- krb5-1.11.orig/src/slave/kprop.c -+++ krb5-1.11/src/slave/kprop.c -@@ -187,9 +187,8 @@ void PRS(argc, argv) +--- krb5-1.10.2.orig/src/slave/kprop.c ++++ krb5-1.10.2/src/slave/kprop.c +@@ -186,9 +186,8 @@ void PRS(argc, argv) void get_tickets(context) krb5_context context; { @@ -15,7 +15,7 @@ Index: krb5-1.11/src/slave/kprop.c krb5_keytab keytab = NULL; /* -@@ -230,11 +229,8 @@ void get_tickets(context) +@@ -229,11 +228,8 @@ void get_tickets(context) #endif /* diff --git a/krb5-1.9-manpaths.dif b/krb5-1.9-manpaths.dif index 9d4b2f5..645672d 100644 --- a/krb5-1.9-manpaths.dif +++ b/krb5-1.9-manpaths.dif 
@@ -3,16 +3,206 @@ values can be dropped in by config.status. After applying this patch, these files should be renamed to their ".in" counterparts, and then the configure scripts should be rebuilt. Originally RT#6525 -Index: krb5-1.11/src/man/kpropd.man +Index: krb5-1.10.2/src/aclocal.m4 =================================================================== ---- krb5-1.11.orig/src/man/kpropd.man -+++ krb5-1.11/src/man/kpropd.man -@@ -63,7 +63,7 @@ the \fB/etc/inetd.conf\fP file which loo - .sp - .nf - .ft C --kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd -+kprop stream tcp nowait root @SBINDIR@/kpropd kpropd - .ft P +--- krb5-1.10.2.orig/src/aclocal.m4 ++++ krb5-1.10.2/src/aclocal.m4 +@@ -1743,3 +1743,24 @@ AC_SUBST(PAM_LIBS) + AC_SUBST(PAM_MAN) + AC_SUBST(NON_PAM_MAN) + ])dnl ++AC_DEFUN(V5_AC_OUTPUT_MANPAGE,[ ++mansysconfdir=$sysconfdir ++mansysconfdir=`eval echo $mansysconfdir | sed -e "s,NONE,$prefix,g"` ++mansysconfdir=`eval echo $mansysconfdir | sed -e "s,NONE,$ac_default_prefix,g"` ++mansbindir=$sbindir ++mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$exec_prefix,g"` ++mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$prefix,g"` ++mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$ac_default_prefix,g"` ++manlocalstatedir=$localstatedir ++manlocalstatedir=`eval echo $manlocalstatedir | sed -e "s,NONE,$prefix,g"` ++manlocalstatedir=`eval echo $manlocalstatedir | sed -e "s,NONE,$ac_default_prefix,g"` ++manlibexecdir=$libexecdir ++manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$exec_prefix,g"` ++manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$prefix,g"` ++manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$ac_default_prefix,g"` ++AC_SUBST(mansysconfdir) ++AC_SUBST(mansbindir) ++AC_SUBST(manlocalstatedir) ++AC_SUBST(manlibexecdir) ++AC_CONFIG_FILES($1) ++]) +Index: krb5-1.10.2/src/configure.in +=================================================================== +--- krb5-1.10.2.orig/src/configure.in ++++ 
krb5-1.10.2/src/configure.in +@@ -1249,6 +1249,17 @@ AC_SUBST(localedir) + KRB5_WITH_PAM + + AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config]) ++ ++V5_AC_OUTPUT_MANPAGE([ ++ appl/sample/sserver/sserver.M ++ config-files/kdc.conf.M ++ config-files/krb5.conf.M ++ gen-manpages/kerberos.M ++ kadmin/cli/kadmin.M ++ slave/kpropd.M ++ slave/kprop.M ++]) ++ + V5_AC_OUTPUT_MAKEFILE(. + + util util/support util/profile util/profile/testmod util/send-pr +Index: krb5-1.10.2/src/appl/sample/sserver/sserver.M +=================================================================== +--- krb5-1.10.2.orig/src/appl/sample/sserver/sserver.M ++++ krb5-1.10.2/src/appl/sample/sserver/sserver.M +@@ -59,7 +59,7 @@ option allows for a different keytab tha + using a line in + /etc/inetd.conf that looks like this: + .PP +-sample stream tcp nowait root /usr/local/sbin/sserver sserver ++sample stream tcp nowait root @mansbindir@/sserver sserver + .PP + Since \fBsample\fP is normally not a port defined in /etc/services, you will + usually have to add a line to /etc/services which looks like this: +Index: krb5-1.10.2/src/config-files/kdc.conf.M +=================================================================== +--- krb5-1.10.2.orig/src/config-files/kdc.conf.M ++++ krb5-1.10.2/src/config-files/kdc.conf.M +@@ -92,14 +92,14 @@ This + .B string + specifies the location of the access control list (acl) file that + kadmin uses to determine which principals are allowed which permissions +-on the database. The default value is /usr/local/var/krb5kdc/kadm5.acl. ++on the database. The default value is @manlocalstatedir@/krb5kdc/kadm5.acl. + + .IP admin_keytab + This + .B string + Specifies the location of the keytab file that kadmin uses to + authenticate to the database. The default value is +-/usr/local/var/krb5kdc/kadm5.keytab. ++@manlocalstatedir@/krb5kdc/kadm5.keytab. 
+ + .IP database_name + This +@@ -274,7 +274,7 @@ tickets should be checked against the tr + realm names and the [capaths] section of its krb5.conf file + + .SH FILES +-/usr/local/var/krb5kdc/kdc.conf ++@manlocalstatedir@/krb5kdc/kdc.conf + + .SH SEE ALSO + krb5.conf(5), krb5kdc(8) +Index: krb5-1.10.2/src/config-files/krb5.conf.M +=================================================================== +--- krb5-1.10.2.orig/src/config-files/krb5.conf.M ++++ krb5-1.10.2/src/config-files/krb5.conf.M +@@ -808,6 +808,6 @@ This module implements the encrypted cha + This module implements the encrypted timestamp mechanism. + + .SH FILES +-/etc/krb5.conf ++@mansysconfdir@/krb5.conf + .SH SEE ALSO + syslog(3) +Index: krb5-1.10.2/src/gen-manpages/kerberos.M +=================================================================== +--- krb5-1.10.2.orig/src/gen-manpages/kerberos.M ++++ krb5-1.10.2/src/gen-manpages/kerberos.M +@@ -125,7 +125,7 @@ default is /etc/krb5.conf. + Specifies the location of the KDC configuration file, which contains + additional configuration directives for the Key Distribution Center + daemon and associated programs. The default is +-/usr/local/var/krb5kdc/kdc.conf. ++@manlocalstatedir@/krb5kdc/kdc.conf. + .TP + .B KRB5RCACHETYPE + Specifies the default type of replay cache to use for servers. Valid +Index: krb5-1.10.2/src/kadmin/cli/kadmin.M +=================================================================== +--- krb5-1.10.2.orig/src/kadmin/cli/kadmin.M ++++ krb5-1.10.2/src/kadmin/cli/kadmin.M +@@ -924,9 +924,9 @@ option is specified, less verbose status + .RS + .TP + EXAMPLE: +-kadmin: ktremove -k /usr/local/var/krb5kdc/kadmind.keytab kadmin/admin ++kadmin: ktremove -k @manlocalstatedir@/krb5kdc/kadmind.keytab kadmin/admin + Entry for principal kadmin/admin with kvno 3 removed +- from keytab WRFILE:/usr/local/var/krb5kdc/kadmind.keytab. ++ from keytab WRFILE:@manlocalstatedir@/krb5kdc/kadmind.keytab. 
+ kadmin: + .RE .fi - .UNINDENT +Index: krb5-1.10.2/src/slave/kpropd.M +=================================================================== +--- krb5-1.10.2.orig/src/slave/kpropd.M ++++ krb5-1.10.2/src/slave/kpropd.M +@@ -74,7 +74,7 @@ Normally, kpropd is invoked out of + This is done by adding a line to the inetd.conf file which looks like + this: + +-kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd ++kprop stream tcp nowait root @mansbindir@/kpropd kpropd + + However, kpropd can also run as a standalone daemon, if the + .B \-S +@@ -111,13 +111,13 @@ is used. + \fB\-f\fP \fIfile\fP + specifies the filename where the dumped principal database file is to be + stored; by default the dumped database file is KPROPD_DEFAULT_FILE +-(normally /usr/local/var/krb5kdc/from_master). ++(normally @manlocalstatedir@/krb5kdc/from_master). + .TP + .B \-p + allows the user to specify the pathname to the + .IR kdb5_util (8) + program; by default the pathname used is KPROPD_DEFAULT_KDB5_UTIL +-(normally /usr/local/sbin/kdb5_util). ++(normally @mansbindir@/kdb5_util). + .TP + .B \-S + turn on standalone mode. Normally, kpropd is invoked out of +@@ -148,14 +148,14 @@ mode. + allows the user to specify the path to the + kpropd.acl + file; by default the path used is KPROPD_ACL_FILE +-(normally /usr/local/var/krb5kdc/kpropd.acl). ++(normally @manlocalstatedir@/krb5kdc/kpropd.acl). + .SH FILES + .TP "\w'kpropd.acl\ \ 'u" + kpropd.acl + Access file for + .BR kpropd ; + the default location is KPROPD_ACL_FILE (normally +-/usr/local/var/krb5kdc/kpropd.acl). ++@manlocalstatedir@/krb5kdc/kpropd.acl). + Each entry is a line containing the principal of a host from which the + local machine will allow Kerberos database propagation via kprop. 
+ .SH SEE ALSO +Index: krb5-1.10.2/src/slave/kprop.M +=================================================================== +--- krb5-1.10.2.orig/src/slave/kprop.M ++++ krb5-1.10.2/src/slave/kprop.M +@@ -39,7 +39,7 @@ Kerberos server to a slave Kerberos serv + This is done by transmitting the dumped database file to the slave + server over an encrypted, secure channel. The dump file must be created + by kdb5_util, and is normally KPROP_DEFAULT_FILE +-(/usr/local/var/krb5kdc/slave_datatrans). ++(@manlocalstatedir@/krb5kdc/slave_datatrans). + .SH OPTIONS + .TP + \fB\-r\fP \fIrealm\fP +@@ -51,7 +51,7 @@ is used. + \fB\-f\fP \fIfile\fP + specifies the filename where the dumped principal database file is to be + found; by default the dumped database file is KPROP_DEFAULT_FILE +-(normally /usr/local/var/krb5kdc/slave_datatrans). ++(normally @manlocalstatedir@/krb5kdc/slave_datatrans). + .TP + \fB\-P\fP \fIport\fP + specifies the port to use to contact the diff --git a/krb5-doc-rpmlintrc b/krb5-doc-rpmlintrc new file mode 100644 index 0000000..de258e7 --- /dev/null +++ b/krb5-doc-rpmlintrc @@ -0,0 +1,2 @@ +addFilter("files-duplicate .*css") +addFilter("files-duplicate .*img.*png") diff --git a/krb5-doc.changes b/krb5-doc.changes new file mode 100644 index 0000000..211fa6c --- /dev/null +++ b/krb5-doc.changes 
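Review bot: The `kerberos.M` part of this patch substitutes `@manlocalstatedir@` for the kdc.conf default but leaves the sentence quoted in its hunk header, `default is /etc/krb5.conf.`, hard-coded. The `krb5.conf.M` part switches the FILES entry to `@mansysconfdir@/krb5.conf`, so with a non-default sysconfdir the two generated pages would name different locations for the same file. That sentence sits just above the inner hunk and is visible only through the header, so this is inferred from the header rather than from the line itself. If it is indeed untouched, it should read `default is @mansysconfdir@/krb5.conf.`.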
@@ -0,0 +1,196 @@ +------------------------------------------------------------------- +Mon Sep 3 14:34:35 UTC 2012 - idonmez@suse.com + +- Build depend on texinfo & texlive-dvips to fix the build + +------------------------------------------------------------------- +Wed Jun 6 17:34:26 CEST 2012 - mc@suse.de + +- update to version 1.10.2 + +------------------------------------------------------------------- +Mon Aug 22 10:21:56 CEST 2011 - mc@suse.de + +- update to version 1.9.1 + +------------------------------------------------------------------- +Fri Apr 9 12:45:30 CEST 2010 - mc@suse.de + +- update to version 1.8.1 + +------------------------------------------------------------------- +Tue Mar 23 12:38:29 CET 2010 - mc@suse.de + +- add post 1.8 fixes + * Document the ticket_lifetime libdefaults setting + +------------------------------------------------------------------- +Thu Mar 4 11:45:22 CET 2010 - mc@suse.de + +- update to version 1.8 + +------------------------------------------------------------------- +Wed Jun 3 10:47:07 CEST 2009 - mc@suse.de + +- update to final version 1.7 + +------------------------------------------------------------------- +Wed May 13 11:34:07 CEST 2009 - mc@suse.de + +- update to version 1.7 Beta2 + +------------------------------------------------------------------- +Mon Feb 16 13:08:05 CET 2009 - mc@suse.de + +- update to pre 1.7 version + * remove outdated documentation for kadm5 API + +------------------------------------------------------------------- +Fri Jul 25 12:17:10 CEST 2008 - mc@suse.de + +- add patches from SVN post 1.6.3 + * some fixes in the man pages + +------------------------------------------------------------------- +Wed Jun 18 15:34:16 CEST 2008 - mc@suse.de + +- reduce rpmlint warnings + +------------------------------------------------------------------- +Tue Oct 23 10:29:23 CEST 2007 - mc@suse.de + +- update to krb5 version 1.6.3 + * fix CVE-2007-3999, CVE-2007-4743 svc_auth_gss.c buffer overflow + * fix 
CVE-2007-4000 modify_policy vulnerability + * Add PKINIT support +- remove patches which are upstream now +- enhance init scripts and xinetd profiles + +------------------------------------------------------------------- +Thu Jul 12 17:02:30 CEST 2007 - mc@suse.de + +- update to version 1.6.2 +- remove krb5-1.6.1-post.dif all fixes are included in this release + +------------------------------------------------------------------- +Wed Jun 13 15:29:42 CEST 2007 - sschober@suse.de + +- removed executable permission from doc file + +------------------------------------------------------------------- +Mon Apr 23 11:15:59 CEST 2007 - mc@suse.de + +- update to final 1.6.1 version +- replace te_ams with texlive in BuildRequires + +------------------------------------------------------------------- +Wed Apr 18 14:47:49 CEST 2007 - mc@suse.de + +- build implementor.ps + +------------------------------------------------------------------- +Mon Apr 16 14:39:40 CEST 2007 - mc@suse.de + +- update to version 1.6.1 Beta1 +- remove obsolete patches + (krb5-1.6-post.dif, krb5-1.6-patchlevel.dif) + +------------------------------------------------------------------- +Mon Feb 19 14:00:49 CET 2007 - mc@suse.de + +- add krb5-1.6-post.dif + +------------------------------------------------------------------- +Mon Jan 22 12:21:20 CET 2007 - mc@suse.de + +- update to version 1.6 + * Major changes in 1.6 include + * Partial client implementation to handle server name referrals. + * Pre-authentication plug-in framework, donated by Red Hat. + * LDAP KDB plug-in, donated by Novell. 
+ +------------------------------------------------------------------- +Thu Aug 24 12:53:25 CEST 2006 - mc@suse.de + +- update to version 1.5.1 +- remove obsolete patches which are now included upstream + * krb5-1.4.3-MITKRB5-SA-2006-001-setuid-return-checks.dif + * trunk-fix-uninitialized-vars.dif + +------------------------------------------------------------------- +Mon Jul 3 15:01:57 CEST 2006 - mc@suse.de + +- update to version 1.5 + * KDB abstraction layer, donated by Novell. + * plug-in architecture, allowing for extension modules to be + loaded at run-time. + * multi-mechanism GSS-API implementation ("mechglue"), + donated by Sun Microsystems + * Simple and Protected GSS-API negotiation mechanism ("SPNEGO") + implementation, donated by Sun Microsystems +- remove obsolete patches and add some new + +------------------------------------------------------------------- +Mon Mar 13 18:01:06 CET 2006 - mc@suse.de + +- set BuildArchitectures to noarch +- set norootforbuild + +------------------------------------------------------------------- +Wed Jan 25 21:30:24 CET 2006 - mls@suse.de + +- converted neededforbuild to BuildRequires + +------------------------------------------------------------------- +Fri Nov 18 12:15:07 CET 2005 - mc@suse.de + +- update to version 1.4.3 +- fix tex for kadm5 documentation (krb5-1.4.3-kadm5-tex.dif) + +------------------------------------------------------------------- +Wed Oct 12 16:19:08 CEST 2005 - mc@suse.de + +- build kadm5 documentation +- build documentation also as html +- include the text only documentation + +------------------------------------------------------------------- +Tue Oct 11 17:40:26 CEST 2005 - mc@suse.de + +- update to version 1.4.2 +- remove some obsolet patches + +------------------------------------------------------------------- +Mon Jun 27 13:36:04 CEST 2005 - mc@suse.de + +- update to version 1.4.1 +- remove obsolet patches + - krb5-1.4-VUL-0-telnet.dif + 
+------------------------------------------------------------------- +Thu Feb 10 02:38:39 CET 2005 - ro@suse.de + +- added libpng to neededforbuild (for tetex) + +------------------------------------------------------------------- +Fri Feb 4 16:50:34 CET 2005 - mc@suse.de + +- remove spx.c from tarball because of legal risk +- add README.Source which tell the user about this + action. + +------------------------------------------------------------------- +Fri Jan 28 13:28:18 CET 2005 - mc@suse.de + +- update to version 1.4 + +------------------------------------------------------------------- +Mon Jan 10 12:20:11 CET 2005 - mc@suse.de + +- update to version 1.3.6 + +------------------------------------------------------------------- +Tue Dec 14 15:21:02 CET 2004 - mc@suse.de + +- initial release + diff --git a/krb5-doc.spec b/krb5-doc.spec new file mode 100644 index 0000000..958748b --- /dev/null +++ b/krb5-doc.spec 
@@ -0,0 +1,91 @@ +# +# spec file for package krb5-doc +# +# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# + + +Name: krb5-doc +BuildRequires: ghostscript-library +BuildRequires: texinfo +BuildRequires: texlive-dvips +Version: 1.10.2 +Release: 0 +%define srcRoot krb5-1.10.2 +Summary: MIT Kerberos5 Implementation--Documentation +License: MIT +Group: Documentation/Other +Url: http://web.mit.edu/kerberos/www/ +Source: krb5-%{version}.tar.bz2 +Source3: %{name}-rpmlintrc +Patch0: krb5-1.3.5-perlfix.dif +BuildRoot: %{_tmppath}/%{name}-%{version}-build +BuildArch: noarch + +%description +Kerberos V5 is a trusted-third-party network authentication +system,which can improve your network's security by eliminating the +insecurepractice of clear text passwords. This package includes +extended documentation for MIT Kerberos. + + + +Authors: +-------- + The MIT Kerberos Team + Sam Hartman + Ken Raeburn + Tom Yu + +%prep +%setup -n %{srcRoot} +%patch0 + +%build +sed -i -e '1s!\[twoside\]!!;s!%\(\\usepackage{hyperref}\)!\1!' doc/api/library.tex +sed -i -e '1c\ +\\documentclass{article}\ +\\usepackage{fixunder}\ +\\usepackage{functions}\ +\\usepackage{fancyheadings}\ +\\usepackage{hyperref}' doc/implement/implement.tex + +%install +cd doc +mkdir -p html +make +make implementor.ps +make -C api +make -C implement +mv *.html html/ +cd .. 
+find . -type f -name '*.ps' -exec gzip -9 {} \; +chmod 644 doc/man2ps +chmod 644 doc/krb5-protocol/draft-jaganathan-rc4-hmac-03.txt +# cleanup +rm -f %{buildroot}/usr/share/man/man1/tmac.doc* +rm -f /usr/share/man/man1/tmac.doc* +rm -rf /usr/lib/mit/share +rm -rf %{buildroot}/usr/lib/mit/share + +%clean +rm -rf %{buildroot} + +%files +%defattr(-,root,root) +%doc doc/*.ps.gz doc/api/*.ps.gz doc/implement/*.ps.gz +%doc doc/krb5-protocol doc/kadmin +%doc doc/html + +%changelog diff --git a/krb5-mini.changes b/krb5-mini.changes index 000e31b..6c1e5bb 100644 --- a/krb5-mini.changes +++ b/krb5-mini.changes @@ -1,19 +1,8 @@ ------------------------------------------------------------------- -Sun Jan 13 15:01:50 UTC 2013 - mc@suse.com +Tue Jan 22 13:55:52 UTC 2013 - lchiquitto@suse.com -- update to version 1.11 - * Improve ASN.1 support code, making it table-driven for - decoding as well as encoding - * Refactor parts of KDC - * Documentation consolidation - * build docs in the main package - * bugfixing -- package missing file (bnc#794784) - -------------------------------------------------------------------- -Tue Oct 16 19:35:47 UTC 2012 - coolo@suse.com - -- revert the -p usage in %postun to fix SLE build +- krb5-1.10-spin-loop.patch: fix spin-loop bug in k5_sendto_kdc + (bnc#793336) ------------------------------------------------------------------- Tue Oct 16 12:05:00 UTC 2012 - coolo@suse.com diff --git a/krb5-mini.spec b/krb5-mini.spec index 11aad37..f8ed2a2 100644 --- a/krb5-mini.spec +++ b/krb5-mini.spec @@ -17,7 +17,7 @@ %define build_mini 1 -%define srcRoot krb5-1.11 +%define srcRoot krb5-1.10.2 %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/ %define krb5docdir %{_defaultdocdir}/krb5 
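Review bot: Two cleanup commands at the end of `%install` in krb5-doc.spec, `rm -f /usr/share/man/man1/tmac.doc*` and `rm -rf /usr/lib/mit/share`, lack the `%{buildroot}` prefix and so act on the build host's own filesystem. In an unprivileged build they do nothing useful and can fail the build if the path exists; run as root they delete installed files that do not belong to this package. The `@@ -282,9 +275,8 @@` hunks of krb5-mini.spec and krb5.spec have the same problem, where the previously commented-out `#rm -rf /usr/lib/mit/share` becomes active again. I would drop both unprefixed lines in all three spec files and keep only `rm -f %{buildroot}/usr/share/man/man1/tmac.doc*` and `rm -rf %{buildroot}/usr/lib/mit/share`.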
@@ -25,13 +25,12 @@ Name: krb5-mini Url: http://web.mit.edu/kerberos/www/ BuildRequires: autoconf BuildRequires: bison -BuildRequires: doxygen BuildRequires: keyutils BuildRequires: keyutils-devel BuildRequires: libcom_err-devel BuildRequires: libselinux-devel BuildRequires: ncurses-devel -Version: 1.11 +Version: 1.10.2 Release: 0 Summary: MIT Kerberos5 Implementation--Libraries License: MIT @@ -40,10 +39,6 @@ Group: Productivity/Networking/Security BuildRequires: libopenssl-devel BuildRequires: openldap2-devel BuildRequires: pam-devel -BuildRequires: python-Cheetah -BuildRequires: python-Sphinx -BuildRequires: python-libxml2 -BuildRequires: python-lxml %if 0%{?suse_version} >= 1210 BuildRequires: pkgconfig(systemd) %endif @@ -57,16 +52,20 @@ Source: krb5-%{version}.tar.bz2 Source1: vendor-files.tar.bz2 Source2: baselibs.conf Source5: krb5-rpmlintrc -Patch1: krb5-1.8-pam.patch -Patch2: krb5-1.9-manpaths.dif -Patch3: krb5-1.10-buildconf.patch -Patch4: krb5-1.6.3-gssapi_improve_errormessages.dif -Patch5: krb5-1.10-kpasswd_tcp.patch -Patch6: krb5-1.6.3-ktutil-manpage.dif -Patch7: krb5-1.7-doublelog.patch -Patch8: krb5-1.8-api.patch -Patch9: krb5-1.9-kprop-mktemp.patch -Patch10: krb5-1.9-ksu-path.patch +Source10: krb5-1.8-manpaths.txt +Patch1: krb5-1.10-buildconf.patch +Patch3: krb5-1.9-manpaths.dif +Patch5: krb5-1.6.3-gssapi_improve_errormessages.dif +Patch6: krb5-1.10-kpasswd_tcp.patch +Patch7: krb5-1.6.3-ktutil-manpage.dif +Patch10: krb5-1.7-doublelog.patch +Patch12: krb5-1.8-api.patch +Patch13: krb5-1.8-pam.patch +Patch18: krb5-1.9-kprop-mktemp.patch +Patch19: krb5-1.9-ksu-path.patch +Patch20: krb5-1.10-gcc47.patch +Patch21: krb5-1.10-selinux-label.patch +Patch22: krb5-1.10-spin-loop.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: mktemp, grep, /bin/touch, coreutils PreReq: %insserv_prereq %fillup_prereq 
@@ -123,16 +122,6 @@ Kerberos V5 is a trusted-third-party network authentication system, which can improve your network's security by eliminating the insecure practice of cleartext passwords. This package includes a PKINIT plugin. -%package doc -Summary: MIT Kerberos5 Implementation--Documentation -Group: Documentation/Other - -%description doc -Kerberos V5 is a trusted-third-party network authentication -system,which can improve your network's security by eliminating the -insecurepractice of clear text passwords. This package includes -extended documentation for MIT Kerberos. - %endif #! build_mini %package devel @@ -159,16 +148,25 @@ Include Files for Development %prep %setup -q -n %{srcRoot} %setup -a 1 -T -D -n %{srcRoot} -%patch1 -p1 -%patch2 -p1 +%patch13 -p1 %patch3 -p1 -%patch4 -p1 +%patch21 -p1 +%patch1 -p1 %patch5 -p1 %patch6 -p1 %patch7 -p1 -%patch8 -p1 -%patch9 -p1 %patch10 -p1 +%patch12 -p1 +%patch18 -p1 +%patch19 -p1 +%patch20 +%patch22 -p1 +# Rename the man pages so that they'll get generated correctly. +pushd src +cat %{SOURCE10} | while read manpage ; do + mv "$manpage" "$manpage".in +done +popd %build # needs to be re-generated @@ -194,19 +192,14 @@ CFLAGS="$RPM_OPT_FLAGS -I/usr/include/et -fno-strict-aliasing -D_GNU_SOURCE -fPI --with-ldap \ --with-pam \ --enable-pkinit \ + --with-selinux \ %else --disable-pkinit \ --without-pam \ %endif --with-system-et \ --with-system-ss -make %{?jobs:-j%jobs} -%if ! 0%{?build_mini} -cd doc -make %{?jobs:-j%jobs} substhtml -cp -a html_subst ../../html -cd .. -%endif +make %{?jobs:-j%jobs} %install cd src 
@@ -282,9 +275,8 @@ install -m 644 %{_builddir}/%{srcRoot}/src/plugins/kdb/ldap/libkdb_ldap/kerberos # cleanup rm -f %{buildroot}/usr/share/man/man1/tmac.doc* rm -f /usr/share/man/man1/tmac.doc* -#rm -rf /usr/lib/mit/share -rm -rf %{buildroot}/usr/lib/mit/share/examples -rm -rf %{buildroot}/usr/lib/mit/share/locale +rm -rf /usr/lib/mit/share +rm -rf %{buildroot}/usr/lib/mit/share ##################################################### # krb5(-mini) pre/post/postun @@ -292,8 +284,7 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale %post -p /sbin/ldconfig -%postun -/sbin/ldconfig +%postun -p /sbin/ldconfig %if ! %{build_mini} @@ -335,8 +326,7 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale %post plugin-kdb-ldap -p /sbin/ldconfig -%postun plugin-kdb-ldap -/sbin/ldconfig +%postun plugin-kdb-ldap -p /sbin/ldconfig %endif @@ -349,7 +339,6 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale %dir /usr/lib/mit %dir /usr/lib/mit/bin %dir /usr/lib/mit/sbin -%dir /usr/lib/mit/share %dir %{_datadir}/aclocal %{_libdir}/libgssrpc.so %{_libdir}/libk5crypto.so @@ -361,11 +350,12 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale %{_libdir}/libkrb5.so %{_libdir}/libkrb5support.so %{_libdir}/libverto.so +%{_libdir}/libverto-k5ev.so %{_includedir}/* /usr/lib/mit/bin/krb5-config /usr/lib/mit/sbin/krb5-send-pr -/usr/lib/mit/share/gnats %{_mandir}/man1/krb5-send-pr.1* +%{_mandir}/man1/krb5-config.1* %{_datadir}/aclocal/ac_check_krb5.m4 %if %{build_mini} @@ -404,6 +394,7 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale %{_libdir}/libkrb5.so.* %{_libdir}/libkrb5support.so.* %{_libdir}/libverto.so.* +%{_libdir}/libverto-k5ev.so.* %{_libdir}/krb5/plugins/kdb/* #/usr/lib/mit/sbin/* /usr/lib/mit/sbin/kadmin.local @@ -440,6 +431,7 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale %{_mandir}/man1/kdestroy.1* %{_mandir}/man1/kpasswd.1* %{_mandir}/man1/klist.1* +%{_mandir}/man1/kerberos.1* %{_mandir}/man1/ksu.1* %{_mandir}/man1/sclient.1* %{_mandir}/man1/kadmin.1* 
@@ -475,6 +467,7 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale %{_libdir}/libkrb5.so.* %{_libdir}/libkrb5support.so.* %{_libdir}/libverto.so.* +%{_libdir}/libverto-k5ev.so.* %files server %defattr(-,root,root) @@ -514,7 +507,6 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale /usr/lib/mit/sbin/uuserver %{_libdir}/krb5/plugins/kdb/db2.so %{_mandir}/man5/kdc.conf.5* -%{_mandir}/man5/kadm5.acl.5* %{_mandir}/man8/kadmind.8* %{_mandir}/man8/kadmin.local.8* %{_mandir}/man8/kpropd.8* @@ -550,6 +542,7 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale %{_mandir}/man1/kdestroy.1* %{_mandir}/man1/kpasswd.1* %{_mandir}/man1/klist.1* +%{_mandir}/man1/kerberos.1* %{_mandir}/man1/kadmin.1* %{_mandir}/man1/ktutil.1* %{_mandir}/man1/k5srvutil.1* @@ -582,11 +575,6 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale %dir %{_libdir}/krb5/plugins %dir %{_libdir}/krb5/plugins/preauth %{_libdir}/krb5/plugins/preauth/pkinit.so - -%files doc -%defattr(-,root,root) -%doc html doc/CHANGES doc/README - %endif #build_mini %changelog diff --git a/krb5.changes b/krb5.changes index 000e31b..6cd8800 100644 --- a/krb5.changes +++ b/krb5.changes @@ -1,14 +1,8 @@ ------------------------------------------------------------------- -Sun Jan 13 15:01:50 UTC 2013 - mc@suse.com +Tue Jan 22 13:55:52 UTC 2013 - lchiquitto@suse.com -- update to version 1.11 - * Improve ASN.1 support code, making it table-driven for - decoding as well as encoding - * Refactor parts of KDC - * Documentation consolidation - * build docs in the main package - * bugfixing -- package missing file (bnc#794784) +- krb5-1.10-spin-loop.patch: fix spin-loop bug in k5_sendto_kdc + (bnc#793336) ------------------------------------------------------------------- Tue Oct 16 19:35:47 UTC 2012 - coolo@suse.com diff --git a/krb5.spec b/krb5.spec index 8e1da5b..2c13313 100644 --- a/krb5.spec +++ b/krb5.spec 
@@ -17,7 +17,7 @@ %define build_mini 0 -%define srcRoot krb5-1.11 +%define srcRoot krb5-1.10.2 %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/ %define krb5docdir %{_defaultdocdir}/krb5 @@ -25,13 +25,12 @@ Name: krb5 Url: http://web.mit.edu/kerberos/www/ BuildRequires: autoconf BuildRequires: bison -BuildRequires: doxygen BuildRequires: keyutils BuildRequires: keyutils-devel BuildRequires: libcom_err-devel BuildRequires: libselinux-devel BuildRequires: ncurses-devel -Version: 1.11 +Version: 1.10.2 Release: 0 Summary: MIT Kerberos5 Implementation--Libraries License: MIT @@ -40,10 +39,6 @@ Group: Productivity/Networking/Security BuildRequires: libopenssl-devel BuildRequires: openldap2-devel BuildRequires: pam-devel -BuildRequires: python-Cheetah -BuildRequires: python-Sphinx -BuildRequires: python-libxml2 -BuildRequires: python-lxml %if 0%{?suse_version} >= 1210 BuildRequires: pkgconfig(systemd) %endif 
@@ -57,16 +52,20 @@ Source: krb5-%{version}.tar.bz2 Source1: vendor-files.tar.bz2 Source2: baselibs.conf Source5: krb5-rpmlintrc -Patch1: krb5-1.8-pam.patch -Patch2: krb5-1.9-manpaths.dif -Patch3: krb5-1.10-buildconf.patch -Patch4: krb5-1.6.3-gssapi_improve_errormessages.dif -Patch5: krb5-1.10-kpasswd_tcp.patch -Patch6: krb5-1.6.3-ktutil-manpage.dif -Patch7: krb5-1.7-doublelog.patch -Patch8: krb5-1.8-api.patch -Patch9: krb5-1.9-kprop-mktemp.patch -Patch10: krb5-1.9-ksu-path.patch +Source10: krb5-1.8-manpaths.txt +Patch1: krb5-1.10-buildconf.patch +Patch3: krb5-1.9-manpaths.dif +Patch5: krb5-1.6.3-gssapi_improve_errormessages.dif +Patch6: krb5-1.10-kpasswd_tcp.patch +Patch7: krb5-1.6.3-ktutil-manpage.dif +Patch10: krb5-1.7-doublelog.patch +Patch12: krb5-1.8-api.patch +Patch13: krb5-1.8-pam.patch +Patch18: krb5-1.9-kprop-mktemp.patch +Patch19: krb5-1.9-ksu-path.patch +Patch20: krb5-1.10-gcc47.patch +Patch21: krb5-1.10-selinux-label.patch +Patch22: krb5-1.10-spin-loop.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: mktemp, grep, /bin/touch, coreutils PreReq: %insserv_prereq %fillup_prereq @@ -123,16 +122,6 @@ Kerberos V5 is a trusted-third-party network authentication system, which can improve your network's security by eliminating the insecure practice of cleartext passwords. This package includes a PKINIT plugin. -%package doc -Summary: MIT Kerberos5 Implementation--Documentation -Group: Documentation/Other - -%description doc -Kerberos V5 is a trusted-third-party network authentication -system,which can improve your network's security by eliminating the -insecurepractice of clear text passwords. This package includes -extended documentation for MIT Kerberos. - %endif #! build_mini %package devel 
@@ -159,16 +148,25 @@ Include Files for Development %prep %setup -q -n %{srcRoot} %setup -a 1 -T -D -n %{srcRoot} -%patch1 -p1 -%patch2 -p1 +%patch13 -p1 %patch3 -p1 -%patch4 -p1 +%patch21 -p1 +%patch1 -p1 %patch5 -p1 %patch6 -p1 %patch7 -p1 -%patch8 -p1 -%patch9 -p1 %patch10 -p1 +%patch12 -p1 +%patch18 -p1 +%patch19 -p1 +%patch20 +%patch22 -p1 +# Rename the man pages so that they'll get generated correctly. +pushd src +cat %{SOURCE10} | while read manpage ; do + mv "$manpage" "$manpage".in +done +popd %build # needs to be re-generated @@ -194,19 +192,14 @@ CFLAGS="$RPM_OPT_FLAGS -I/usr/include/et -fno-strict-aliasing -D_GNU_SOURCE -fPI --with-ldap \ --with-pam \ --enable-pkinit \ + --with-selinux \ %else --disable-pkinit \ --without-pam \ %endif --with-system-et \ --with-system-ss -make %{?jobs:-j%jobs} -%if ! 0%{?build_mini} -cd doc -make %{?jobs:-j%jobs} substhtml -cp -a html_subst ../../html -cd .. -%endif +make %{?jobs:-j%jobs} %install cd src @@ -282,9 +275,8 @@ install -m 644 %{_builddir}/%{srcRoot}/src/plugins/kdb/ldap/libkdb_ldap/kerberos # cleanup rm -f %{buildroot}/usr/share/man/man1/tmac.doc* rm -f /usr/share/man/man1/tmac.doc* -#rm -rf /usr/lib/mit/share -rm -rf %{buildroot}/usr/lib/mit/share/examples -rm -rf %{buildroot}/usr/lib/mit/share/locale +rm -rf /usr/lib/mit/share +rm -rf %{buildroot}/usr/lib/mit/share ##################################################### # krb5(-mini) pre/post/postun @@ -349,7 +341,6 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale %dir /usr/lib/mit %dir /usr/lib/mit/bin %dir /usr/lib/mit/sbin -%dir /usr/lib/mit/share %dir %{_datadir}/aclocal %{_libdir}/libgssrpc.so %{_libdir}/libk5crypto.so 
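Review bot: The rename loop added at the end of %prep pipes `cat %{SOURCE10}` into `while read`, so the pipeline's exit status is the loop's, and an unreadable list would rename nothing without failing the build (unless pipefail is in effect). Plain `read` also interprets backslashes and trims whitespace in the listed paths. Reading the file by redirection with `-r` avoids both: `while IFS= read -r manpage ; do mv -- "$manpage" "$manpage.in" ; done < %{SOURCE10}`. A one-line comment above `%patch20`, such as `# krb5-1.10-gcc47.patch uses unprefixed src/ paths, so no -p1`, would also explain why it alone omits the strip level.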
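Review bot: `--with-selinux` is added only to the configure branch that also passes `--with-ldap`, `--with-pam` and `--enable-pkinit`, so the `%else` branch falls back to whatever default krb5-1.10-selinux-label.patch gives configure. As far as the visible lines show, `%patch21` is applied and `libselinux-devel` is required for both flavors, so if that default is auto-detection the two builds could differ in labeling behavior without the spec saying so. Stating the choice in the `%else` branch as well, e.g. `--without-selinux \` next to `--without-pam \`, would make it explicit. The patch's configure logic is not visible here, so the option name should be checked against it. The `%if` that opens this conditional is outside the hunk.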
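Review bot: The re-enabled `rm -rf /usr/lib/mit/share` in the `# cleanup` block (hunk `-282,9 +275,8`) has no `%{buildroot}` prefix, so it acts on the build host's own filesystem rather than on the staged tree. A package build should only modify files under the build root. Run with enough privilege, this line removes an installed directory on the builder and contributes nothing to the package contents. The next line, `rm -rf %{buildroot}/usr/lib/mit/share`, already does the intended cleanup, so the unprefixed line should be dropped. The context line `rm -f /usr/share/man/man1/tmac.doc*` just above has the same problem and could go with it.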
@@ -361,11 +352,12 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale %{_libdir}/libkrb5.so %{_libdir}/libkrb5support.so %{_libdir}/libverto.so +%{_libdir}/libverto-k5ev.so %{_includedir}/* /usr/lib/mit/bin/krb5-config /usr/lib/mit/sbin/krb5-send-pr -/usr/lib/mit/share/gnats %{_mandir}/man1/krb5-send-pr.1* +%{_mandir}/man1/krb5-config.1* %{_datadir}/aclocal/ac_check_krb5.m4 %if %{build_mini} @@ -404,6 +396,7 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale %{_libdir}/libkrb5.so.* %{_libdir}/libkrb5support.so.* %{_libdir}/libverto.so.* +%{_libdir}/libverto-k5ev.so.* %{_libdir}/krb5/plugins/kdb/* #/usr/lib/mit/sbin/* /usr/lib/mit/sbin/kadmin.local @@ -440,6 +433,7 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale %{_mandir}/man1/kdestroy.1* %{_mandir}/man1/kpasswd.1* %{_mandir}/man1/klist.1* +%{_mandir}/man1/kerberos.1* %{_mandir}/man1/ksu.1* %{_mandir}/man1/sclient.1* %{_mandir}/man1/kadmin.1* @@ -475,6 +469,7 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale %{_libdir}/libkrb5.so.* %{_libdir}/libkrb5support.so.* %{_libdir}/libverto.so.* +%{_libdir}/libverto-k5ev.so.* %files server %defattr(-,root,root) @@ -514,7 +509,6 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale /usr/lib/mit/sbin/uuserver %{_libdir}/krb5/plugins/kdb/db2.so %{_mandir}/man5/kdc.conf.5* -%{_mandir}/man5/kadm5.acl.5* %{_mandir}/man8/kadmind.8* %{_mandir}/man8/kadmin.local.8* %{_mandir}/man8/kpropd.8* @@ -550,6 +544,7 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale %{_mandir}/man1/kdestroy.1* %{_mandir}/man1/kpasswd.1* %{_mandir}/man1/klist.1* +%{_mandir}/man1/kerberos.1* %{_mandir}/man1/kadmin.1* %{_mandir}/man1/ktutil.1* %{_mandir}/man1/k5srvutil.1* @@ -582,11 +577,6 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale %dir %{_libdir}/krb5/plugins %dir %{_libdir}/krb5/plugins/preauth %{_libdir}/krb5/plugins/preauth/pkinit.so - -%files doc -%defattr(-,root,root) -%doc html doc/CHANGES doc/README - %endif #build_mini %changelog