rpm/krb5
SHA256
1
0
Fork 0
forked from pool/krb5
Code Pull Requests Activity

osc copypac from project:openSUSE:Factory package:krb5 revision:87, using keep-link

Browse Source 
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=84
This commit is contained in:
Michael Calmer 2013-01-25 14:25:26 +00:00 committed by Git OBS Bridge
parent ef8645a69d
commit 3833bf033c
18 changed files with 1652 additions and 186 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
krb5-1.10-buildconf.patch
View File

@ -4,10 +4,10 @@ the -L/usr/lib* and PIE flags where they might leak out and affect
apps which just want to link with the libraries. FIXME: needs to check and
not just assume that the compiler supports using these flags.
Index: krb5-1.11/src/config/shlib.conf
Index: krb5-1.10.2/src/config/shlib.conf
===================================================================
--- krb5-1.11.orig/src/config/shlib.conf
+++ krb5-1.11/src/config/shlib.conf
--- krb5-1.10.2.orig/src/config/shlib.conf
+++ krb5-1.10.2/src/config/shlib.conf
@@ -419,7 +419,7 @@ mips-*-netbsd*)
SHLIBEXT=.so
# Linux ld doesn't default to stuffing the SONAME field...
@ -27,11 +27,11 @@ Index: krb5-1.11/src/config/shlib.conf
CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)'
CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)'
CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)'
Index: krb5-1.11/src/krb5-config.in
Index: krb5-1.10.2/src/krb5-config.in
===================================================================
--- krb5-1.11.orig/src/krb5-config.in
+++ krb5-1.11/src/krb5-config.in
@@ -221,6 +221,13 @@ if test -n "$do_libs"; then
--- krb5-1.10.2.orig/src/krb5-config.in
+++ krb5-1.10.2/src/krb5-config.in
@@ -189,6 +189,13 @@ if test -n "$do_libs"; then
-e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \
-e 's#\$(CFLAGS)##'`
@ -45,11 +45,11 @@ Index: krb5-1.11/src/krb5-config.in
if test $library = 'kdb'; then
lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB"
library=krb5
Index: krb5-1.11/src/config/pre.in
Index: krb5-1.10.2/src/config/pre.in
===================================================================
--- krb5-1.11.orig/src/config/pre.in
+++ krb5-1.11/src/config/pre.in
@@ -185,7 +185,7 @@ INSTALL_PROGRAM=@INSTALL_PROGRAM@ $(INST
--- krb5-1.10.2.orig/src/config/pre.in
+++ krb5-1.10.2/src/config/pre.in
@@ -190,7 +190,7 @@ INSTALL_PROGRAM=@INSTALL_PROGRAM@ $(INST
INSTALL_SCRIPT=@INSTALL_PROGRAM@
INSTALL_DATA=@INSTALL_DATA@
INSTALL_SHLIB=@INSTALL_SHLIB@

12
krb5-1.10-gcc47.patch Normal file
View File

@ -0,0 +1,12 @@
This file also triggers the maybe-uninitialized warning/error. RT#7080
--- src/lib/krb5/krb/x-deltat.y
+++ src/lib/krb5/krb/x-deltat.y
@@ -44,6 +44,7 @@
#ifdef __GNUC__
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wuninitialized"
+#pragma GCC diagnostic ignored "-Wmaybe-uninitialized"
#endif
#include <ctype.h>

999
krb5-1.10-selinux-label.patch Normal file
View File

@ -0,0 +1,999 @@
SELinux bases access to files on the domain of the requesting process,
the operation being performed, and the context applied to the file.
In many cases, applications needn't be SELinux aware to work properly,
because SELinux can apply a default label to a file based on the label
of the directory in which it's created.
In the case of files such as /etc/krb5.keytab, however, this isn't
sufficient, as /etc/krb5.keytab will almost always need to be given a
label which differs from that of /etc/issue or /etc/resolv.conf. The
the kdb stash file needs a different label than the database for which
it's holding a master key, even though both typically live in the same
directory.
To give the file the correct label, we can either force a "restorecon"
call to fix a file's label after it's created, or create the file with
the right label, as we attempt to do here. We lean on THREEPARAMOPEN
and define a similar macro named WRITABLEFOPEN with which we replace
several uses of fopen().
The file creation context that we're manipulating here is a process-wide
attribute. While for the most part, applications which need to label
files when they're created have tended to be single-threaded, there's
not much we can do to avoid interfering with an application that
manipulates the creation context directly. Right now we're mediating
access using a library-local mutex, but that can only work for consumers
that are part of this package -- an unsuspecting application will still
stomp all over us.
The selabel APIs for looking up the context should be thread-safe (per
Red Hat #273081), so switching to using them instead of matchpathcon(),
which we used earlier, is some improvement.
Index: krb5-1.10.2/src/aclocal.m4
===================================================================
--- krb5-1.10.2.orig/src/aclocal.m4
+++ krb5-1.10.2/src/aclocal.m4
@@ -84,6 +84,7 @@ AC_SUBST_FILE(libnodeps_frag)
dnl
KRB5_AC_PRAGMA_WEAK_REF
WITH_LDAP
+KRB5_WITH_SELINUX
KRB5_LIB_PARAMS
KRB5_AC_INITFINI
KRB5_AC_ENABLE_THREADS
@@ -1764,3 +1765,51 @@ AC_SUBST(manlocalstatedir)
AC_SUBST(manlibexecdir)
AC_CONFIG_FILES($1)
])
+dnl
+dnl Use libselinux to set file contexts on newly-created files.
+dnl
+AC_DEFUN(KRB5_WITH_SELINUX,[
+AC_ARG_WITH(selinux,[AC_HELP_STRING(--with-selinux,[compile with SELinux labeling support])],
+ withselinux="$withval",withselinux=auto)
+old_LIBS="$LIBS"
+if test "$withselinux" != no ; then
+ AC_MSG_RESULT([checking for libselinux...])
+ SELINUX_LIBS=
+ AC_CHECK_HEADERS(selinux/selinux.h selinux/label.h)
+ if test "x$ac_cv_header_selinux_selinux_h" != xyes ; then
+ if test "$withselinux" = auto ; then
+ AC_MSG_RESULT([Unable to locate selinux/selinux.h.])
+ withselinux=no
+ else
+ AC_MSG_ERROR([Unable to locate selinux/selinux.h.])
+ fi
+ fi
+
+ LIBS=
+ unset ac_cv_func_setfscreatecon
+ AC_CHECK_FUNCS(setfscreatecon selabel_open)
+ if test "x$ac_cv_func_setfscreatecon" = xno ; then
+ AC_CHECK_LIB(selinux,setfscreatecon)
+ unset ac_cv_func_setfscreatecon
+ AC_CHECK_FUNCS(setfscreatecon selabel_open)
+ if test "x$ac_cv_func_setfscreatecon" = xyes ; then
+ SELINUX_LIBS="$LIBS"
+ else
+ if test "$withselinux" = auto ; then
+ AC_MSG_RESULT([Unable to locate libselinux.])
+ withselinux=no
+ else
+ AC_MSG_ERROR([Unable to locate libselinux.])
+ fi
+ fi
+ fi
+ if test "$withselinux" != no ; then
+ AC_MSG_NOTICE([building with SELinux labeling support])
+ AC_DEFINE(USE_SELINUX,1,[Define if Kerberos-aware tools should set SELinux file contexts when creating files.])
+ SELINUX_LIBS="$LIBS"
+ EXTRA_SUPPORT_SYMS="$EXTRA_SUPPORT_SYMS krb5int_labeled_open krb5int_labeled_fopen krb5int_push_fscreatecon_for krb5int_pop_fscreatecon"
+ fi
+fi
+LIBS="$old_LIBS"
+AC_SUBST(SELINUX_LIBS)
+])dnl
Index: krb5-1.10.2/src/config/pre.in
===================================================================
--- krb5-1.10.2.orig/src/config/pre.in
+++ krb5-1.10.2/src/config/pre.in
@@ -182,6 +182,7 @@ LD_UNRESOLVED_PREFIX = @LD_UNRESOLVED_PR
LD_SHLIBDIR_PREFIX = @LD_SHLIBDIR_PREFIX@
LDARGS = @LDARGS@
LIBS = @LIBS@
+SELINUX_LIBS=@SELINUX_LIBS@
INSTALL=@INSTALL@
INSTALL_STRIP=
@@ -406,7 +407,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME)
# HESIOD_LIBS is -lhesiod...
HESIOD_LIBS = @HESIOD_LIBS@
-KRB5_BASE_LIBS = $(KRB5_LIB) $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) $(GEN_LIB) $(LIBS) $(DL_LIB)
+KRB5_BASE_LIBS = $(KRB5_LIB) $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) $(GEN_LIB) $(LIBS) $(SELINUX_LIBS) $(DL_LIB)
KDB5_LIBS = $(KDB5_LIB) $(GSSRPC_LIBS)
GSS_LIBS = $(GSS_KRB5_LIB)
# needs fixing if ever used on Mac OS X!
Index: krb5-1.10.2/src/configure.in
===================================================================
--- krb5-1.10.2.orig/src/configure.in
+++ krb5-1.10.2/src/configure.in
@@ -1248,6 +1248,8 @@ AC_SUBST(localedir)
KRB5_WITH_PAM
+KRB5_WITH_SELINUX
+
AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config])
V5_AC_OUTPUT_MANPAGE([
Index: krb5-1.10.2/src/include/k5-int.h
===================================================================
--- krb5-1.10.2.orig/src/include/k5-int.h
+++ krb5-1.10.2/src/include/k5-int.h
@@ -135,6 +135,7 @@ typedef unsigned char u_char;
typedef UINT64_TYPE krb5_ui_8;
typedef INT64_TYPE krb5_int64;
+#include "k5-label.h"
#define DEFAULT_PWD_STRING1 "Enter password"
#define DEFAULT_PWD_STRING2 "Re-enter password for verification"
Index: krb5-1.10.2/src/include/k5-label.h
===================================================================
--- /dev/null
+++ krb5-1.10.2/src/include/k5-label.h
@@ -0,0 +1,32 @@
+#ifndef _KRB5_LABEL_H
+#define _KRB5_LABEL_H
+
+#ifdef THREEPARAMOPEN
+#undef THREEPARAMOPEN
+#endif
+#ifdef WRITABLEFOPEN
+#undef WRITABLEFOPEN
+#endif
+
+/* Wrapper functions which help us create files and directories with the right
+ * context labels. */
+#ifdef USE_SELINUX
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <unistd.h>
+FILE *krb5int_labeled_fopen(const char *path, const char *mode);
+int krb5int_labeled_creat(const char *path, mode_t mode);
+int krb5int_labeled_open(const char *path, int flags, ...);
+int krb5int_labeled_mkdir(const char *path, mode_t mode);
+int krb5int_labeled_mknod(const char *path, mode_t mode, dev_t device);
+#define THREEPARAMOPEN(x,y,z) krb5int_labeled_open(x,y,z)
+#define WRITABLEFOPEN(x,y) krb5int_labeled_fopen(x,y)
+void *krb5int_push_fscreatecon_for(const char *pathname);
+void krb5int_pop_fscreatecon(void *previous);
+#else
+#define WRITABLEFOPEN(x,y) fopen(x,y)
+#define THREEPARAMOPEN(x,y,z) open(x,y,z)
+#endif
+#endif
Index: krb5-1.10.2/src/include/krb5/krb5.hin
===================================================================
--- krb5-1.10.2.orig/src/include/krb5/krb5.hin
+++ krb5-1.10.2/src/include/krb5/krb5.hin
@@ -83,6 +83,12 @@
#define THREEPARAMOPEN(x,y,z) open(x,y,z)
#endif
+#if KRB5_PRIVATE
+#ifndef WRITABLEFOPEN
+#define WRITABLEFOPEN(x,y) fopen(x,y)
+#endif
+#endif
+
#define KRB5_OLD_CRYPTO
#include <stdlib.h>
Index: krb5-1.10.2/src/kadmin/dbutil/dump.c
===================================================================
--- krb5-1.10.2.orig/src/kadmin/dbutil/dump.c
+++ krb5-1.10.2/src/kadmin/dbutil/dump.c
@@ -346,7 +346,7 @@ void update_ok_file (file_name)
exit_status++;
return;
}
- if ((fd = open(file_ok, O_WRONLY|O_CREAT|O_TRUNC, 0600)) < 0) {
+ if ((fd = THREEPARAMOPEN(file_ok, O_WRONLY|O_CREAT|O_TRUNC, 0600)) < 0) {
com_err(progname, errno, _("while creating 'ok' file, '%s'"),
file_ok);
exit_status++;
@@ -1251,7 +1251,7 @@ dump_db(argc, argv)
* want to get into.
*/
unlink(ofile);
- if (!(f = fopen(ofile, "w"))) {
+ if (!(f = WRITABLEFOPEN(ofile, "w"))) {
fprintf(stderr, ofopen_error,
progname, ofile, error_message(errno));
exit_status++;
Index: krb5-1.10.2/src/krb5-config.in
===================================================================
--- krb5-1.10.2.orig/src/krb5-config.in
+++ krb5-1.10.2/src/krb5-config.in
@@ -38,6 +38,7 @@ RPATH_FLAG='@RPATH_FLAG@'
PROG_RPATH_FLAGS='@PROG_RPATH_FLAGS@'
PTHREAD_CFLAGS='@PTHREAD_CFLAGS@'
DL_LIB='@DL_LIB@'
+SELINUX_LIBS='@SELINUX_LIBS@'
LIBS='@LIBS@'
GEN_LIB=@GEN_LIB@
@@ -218,7 +219,7 @@ if test -n "$do_libs"; then
fi
# If we ever support a flag to generate output suitable for static
- # linking, we would output "-lkrb5support $GEN_LIB $LIBS $DL_LIB"
+ # linking, we would output "-lkrb5support $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB"
# here.
echo $lib_flags
Index: krb5-1.10.2/src/lib/kadm5/logger.c
===================================================================
--- krb5-1.10.2.orig/src/lib/kadm5/logger.c
+++ krb5-1.10.2/src/lib/kadm5/logger.c
@@ -423,7 +423,7 @@ krb5_klog_init(krb5_context kcontext, ch
* Check for append/overwrite, then open the file.
*/
if (cp[4] == ':' || cp[4] == '=') {
- f = fopen(&cp[5], (cp[4] == ':') ? "a" : "w");
+ f = WRITABLEFOPEN(&cp[5], (cp[4] == ':') ? "a" : "w");
if (f) {
set_cloexec_file(f);
log_control.log_entries[i].lfu_filep = f;
@@ -959,7 +959,7 @@ krb5_klog_reopen(krb5_context kcontext)
* In case the old logfile did not get moved out of the
* way, open for append to prevent squashing the old logs.
*/
- f = fopen(log_control.log_entries[lindex].lfu_fname, "a+");
+ f = WRITABLEFOPEN(log_control.log_entries[lindex].lfu_fname, "a+");
if (f) {
set_cloexec_file(f);
log_control.log_entries[lindex].lfu_filep = f;
Index: krb5-1.10.2/src/lib/krb5/keytab/kt_file.c
===================================================================
--- krb5-1.10.2.orig/src/lib/krb5/keytab/kt_file.c
+++ krb5-1.10.2/src/lib/krb5/keytab/kt_file.c
@@ -1039,7 +1039,7 @@ krb5_ktfileint_open(krb5_context context
KTCHECKLOCK(id);
errno = 0;
- KTFILEP(id) = fopen(KTFILENAME(id),
+ KTFILEP(id) = WRITABLEFOPEN(KTFILENAME(id),
(mode == KRB5_LOCKMODE_EXCLUSIVE) ?
fopen_mode_rbplus : fopen_mode_rb);
if (!KTFILEP(id)) {
@@ -1047,7 +1047,7 @@ krb5_ktfileint_open(krb5_context context
/* try making it first time around */
krb5_create_secure_file(context, KTFILENAME(id));
errno = 0;
- KTFILEP(id) = fopen(KTFILENAME(id), fopen_mode_rbplus);
+ KTFILEP(id) = WRITABLEFOPEN(KTFILENAME(id), fopen_mode_rbplus);
if (!KTFILEP(id))
goto report_errno;
writevno = 1;
Index: krb5-1.10.2/src/plugins/kdb/db2/adb_openclose.c
===================================================================
--- krb5-1.10.2.orig/src/plugins/kdb/db2/adb_openclose.c
+++ krb5-1.10.2/src/plugins/kdb/db2/adb_openclose.c
@@ -197,7 +197,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char
* POSIX systems
*/
lockp->lockinfo.filename = strdup(lockfilename);
- if ((lockp->lockinfo.lockfile = fopen(lockfilename, "r+")) == NULL) {
+ if ((lockp->lockinfo.lockfile = WRITABLEFOPEN(lockfilename, "r+")) == NULL) {
/*
* maybe someone took away write permission so we could only
* get shared locks?
Index: krb5-1.10.2/src/plugins/kdb/db2/libdb2/btree/bt_open.c
===================================================================
--- krb5-1.10.2.orig/src/plugins/kdb/db2/libdb2/btree/bt_open.c
+++ krb5-1.10.2/src/plugins/kdb/db2/libdb2/btree/bt_open.c
@@ -60,6 +60,7 @@ static char sccsid[] = "@(#)bt_open.c 8.
#include "k5-platform.h" /* mkstemp? */
+#include "k5-int.h"
#include "db-int.h"
#include "btree.h"
@@ -203,7 +204,7 @@ __bt_open(fname, flags, mode, openinfo,
goto einval;
}
- if ((t->bt_fd = open(fname, flags | O_BINARY, mode)) < 0)
+ if ((t->bt_fd = THREEPARAMOPEN(fname, flags | O_BINARY, mode)) < 0)
goto err;
} else {
Index: krb5-1.10.2/src/plugins/kdb/db2/libdb2/hash/hash.c
===================================================================
--- krb5-1.10.2.orig/src/plugins/kdb/db2/libdb2/hash/hash.c
+++ krb5-1.10.2/src/plugins/kdb/db2/libdb2/hash/hash.c
@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)hash.c 8.12
#include <assert.h>
#endif
+#include "k5-int.h"
#include "db-int.h"
#include "hash.h"
#include "page.h"
@@ -140,7 +141,7 @@ __kdb2_hash_open(file, flags, mode, info
new_table = 1;
}
if (file) {
- if ((hashp->fp = open(file, flags|O_BINARY, mode)) == -1)
+ if ((hashp->fp = THREEPARAMOPEN(file, flags|O_BINARY, mode)) == -1)
RETURN_ERROR(errno, error0);
(void)fcntl(hashp->fp, F_SETFD, 1);
}
Index: krb5-1.10.2/src/plugins/kdb/db2/libdb2/test/Makefile.in
===================================================================
--- krb5-1.10.2.orig/src/plugins/kdb/db2/libdb2/test/Makefile.in
+++ krb5-1.10.2/src/plugins/kdb/db2/libdb2/test/Makefile.in
@@ -12,7 +12,8 @@ PROG_RPATH=$(KRB5_LIBDIR)
KRB5_RUN_ENV= @KRB5_RUN_ENV@
-DB_LIB = -ldb
+DB_LIB = -ldb $(SUPPORT_DEPLIB)
+
DB_DEPLIB = ../libdb$(DEPLIBEXT)
all::
Index: krb5-1.10.2/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
===================================================================
--- krb5-1.10.2.orig/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
+++ krb5-1.10.2/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
@@ -1088,7 +1088,7 @@ rem_service_entry_from_file(int argc, ch
/* Create a temporary file which contains all the entries except the
entry for the given service dn */
- pfile = fopen(file_name, "r+");
+ pfile = WRITABLEFOPEN(file_name, "r+");
if (pfile == NULL) {
com_err(me, errno, "while deleting entry from file %s", file_name);
goto cleanup;
@@ -1105,7 +1105,7 @@ rem_service_entry_from_file(int argc, ch
snprintf (tmp_file, strlen(file_name) + 4 + 1, "%s%s", file_name, ".tmp");
- tmpfd = creat(tmp_file, S_IRUSR|S_IWUSR);
+ tmpfd = THREEPARAMOPEN(tmp_file, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR|S_IWUSR);
umask(omask);
if (tmpfd == -1) {
com_err(me, errno, "while deleting entry from file\n");
@@ -1725,7 +1725,7 @@ kdb5_ldap_set_service_password(int argc,
printf("File does not exist. Creating the file %s...\n", file_name);
omask = umask(077);
- fd = creat(file_name, S_IRUSR|S_IWUSR);
+ fd = THREEPARAMOPEN(file_name, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR|S_IWUSR);
umask(omask);
if (fd == -1) {
com_err(me, errno, "Error creating file %s", file_name);
@@ -1753,7 +1753,7 @@ kdb5_ldap_set_service_password(int argc,
/* TODO: file lock for the service password file */
/* set password in the file */
- pfile = fopen(file_name, "r+");
+ pfile = WRITABLEFOPEN(file_name, "r+");
if (pfile == NULL) {
com_err(me, errno, "Failed to open file %s", file_name);
goto cleanup;
@@ -1794,7 +1794,7 @@ kdb5_ldap_set_service_password(int argc,
}
omask = umask(077);
- newfile = fopen(tmp_file, "w+");
+ newfile = WRITABLEFOPEN(tmp_file, "w+");
umask(omask);
if (newfile == NULL) {
com_err(me, errno, "Error creating file %s", tmp_file);
@@ -2016,7 +2016,7 @@ done:
/* set password in the file */
old_mode = umask(0177);
- pfile = fopen(file_name, "a+");
+ pfile = WRITABLEFOPEN(file_name, "a+");
if (pfile == NULL) {
com_err(me, errno, _("Failed to open file %s: %s"), file_name,
strerror (errno));
@@ -2068,7 +2068,7 @@ done:
}
omask = umask(077);
- newfile = fopen(tmp_file, "w");
+ newfile = WRITABLEFOPEN(tmp_file, "w");
umask (omask);
if (newfile == NULL) {
com_err(me, errno, _("Error creating file %s"), tmp_file);
Index: krb5-1.10.2/src/slave/kpropd.c
===================================================================
--- krb5-1.10.2.orig/src/slave/kpropd.c
+++ krb5-1.10.2/src/slave/kpropd.c
@@ -336,7 +336,7 @@ retry:
if (!debug && iproprole != IPROP_SLAVE)
daemon(1, 0);
#ifdef PID_FILE
- if ((pidfile = fopen(PID_FILE, "w")) != NULL) {
+ if ((pidfile = WRITABLEFOPEN(PID_FILE, "w")) != NULL) {
fprintf(pidfile, "%d\n", getpid());
fclose(pidfile);
} else
@@ -437,6 +437,9 @@ void doit(fd)
krb5_enctype etype;
int database_fd;
char host[INET6_ADDRSTRLEN+1];
+#ifdef USE_SELINUX
+ void *selabel;
+#endif
if (kpropd_context->kdblog_context &&
kpropd_context->kdblog_context->iproprole == IPROP_SLAVE) {
@@ -515,9 +518,15 @@ void doit(fd)
free(name);
exit(1);
}
+#ifdef USE_SELINUX
+ selabel = krb5int_push_fscreatecon_for(file);
+#endif
omask = umask(077);
lock_fd = open(temp_file_name, O_RDWR|O_CREAT, 0600);
(void) umask(omask);
+#ifdef USE_SELINUX
+ krb5int_pop_fscreatecon(selabel);
+#endif
retval = krb5_lock_file(kpropd_context, lock_fd,
KRB5_LOCKMODE_EXCLUSIVE|KRB5_LOCKMODE_DONTBLOCK);
if (retval) {
Index: krb5-1.10.2/src/util/profile/prof_file.c
===================================================================
--- krb5-1.10.2.orig/src/util/profile/prof_file.c
+++ krb5-1.10.2/src/util/profile/prof_file.c
@@ -30,6 +30,7 @@
#endif
#include "k5-platform.h"
+#include "k5-label.h"
struct global_shared_profile_data {
/* This is the head of the global list of shared trees */
@@ -423,7 +424,7 @@ static errcode_t write_data_to_file(prf_
errno = 0;
- f = fopen(new_file, "w");
+ f = WRITABLEFOPEN(new_file, "w");
if (!f) {
retval = errno;
if (retval == 0)
Index: krb5-1.10.2/src/util/support/Makefile.in
===================================================================
--- krb5-1.10.2.orig/src/util/support/Makefile.in
+++ krb5-1.10.2/src/util/support/Makefile.in
@@ -64,6 +64,7 @@ IPC_SYMS= \
STLIBOBJS= \
threads.o \
+ selinux.o \
init-addrinfo.o \
plugins.o \
errors.o \
@@ -127,7 +128,7 @@ SRCS=\
SHLIB_EXPDEPS =
# Add -lm if dumping thread stats, for sqrt.
-SHLIB_EXPLIBS= $(LIBS) $(DL_LIB)
+SHLIB_EXPLIBS= $(LIBS) $(SELINUX_LIBS) $(DL_LIB)
SHLIB_DIRS=
SHLIB_RDIRS=$(KRB5_LIBDIR)
Index: krb5-1.10.2/src/util/support/selinux.c
===================================================================
--- /dev/null
+++ krb5-1.10.2/src/util/support/selinux.c
@@ -0,0 +1,372 @@
+/*
+ * Copyright 2007,2008,2009,2011 Red Hat, Inc. All Rights Reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * Redistributions of source code must retain the above copyright notice, this
+ * list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * Neither the name of Red Hat, Inc. nor the names of its contributors may be
+ * used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * File-opening wrappers for creating correctly-labeled files. So far, we can
+ * assume that this is Linux-specific, so we make many simplifying assumptions.
+ */
+
+#include "../../include/autoconf.h"
+
+#ifdef USE_SELINUX
+
+#include <k5-label.h>
+#include <k5-thread.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <limits.h>
+#include <pthread.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <selinux/selinux.h>
+#include <selinux/context.h>
+#ifdef HAVE_SELINUX_LABEL_H
+#include <selinux/label.h>
+#endif
+
+/* #define DEBUG 1 */
+
+/* Mutex used to serialize use of the process-global file creation context. */
+k5_mutex_t labeled_mutex = K5_MUTEX_PARTIAL_INITIALIZER;
+
+/* Make sure we finish initializing that mutex before attempting to use it. */
+k5_once_t labeled_once = K5_ONCE_INIT;
+static void
+label_mutex_init(void)
+{
+ k5_mutex_finish_init(&labeled_mutex);
+}
+
+static security_context_t
+push_fscreatecon(const char *pathname, mode_t mode)
+{
+ security_context_t previous, configuredsc, currentsc, derivedsc;
+ context_t current, derived;
+ const char *fullpath, *currentuser;
+#ifdef HAVE_SELINUX_LABEL_H
+ struct selabel_handle *ctx;
+#endif
+
+ previous = NULL;
+ if (is_selinux_enabled()) {
+ if (getfscreatecon(&previous) == 0) {
+ char *genpath;
+ genpath = NULL;
+ if (pathname[0] != '/') {
+ char *wd;
+ size_t len;
+ len = 0;
+ wd = getcwd(NULL, len);
+ if (wd == NULL) {
+ if (previous != NULL) {
+ freecon(previous);
+ }
+ return NULL;
+ }
+ len = strlen(wd) + 1 + strlen(pathname) + 1;
+ genpath = malloc(len);
+ if (genpath == NULL) {
+ free(wd);
+ if (previous != NULL) {
+ freecon(previous);
+ }
+ return NULL;
+ }
+ sprintf(genpath, "%s/%s", wd, pathname);
+ free(wd);
+ fullpath = genpath;
+ } else {
+ fullpath = pathname;
+ }
+#ifdef DEBUG
+ if (isatty(fileno(stderr))) {
+ fprintf(stderr, "Looking up context for "
+ "\"%s\"(%05o).\n", fullpath, mode);
+ }
+#endif
+ configuredsc = NULL;
+#ifdef HAVE_SELINUX_LABEL_H
+ ctx = selabel_open(SELABEL_CTX_FILE, NULL, 0);
+ if (ctx != NULL) {
+ if (selabel_lookup(ctx, &configuredsc,
+ fullpath, mode) != 0) {
+ selabel_close(ctx);
+ free(genpath);
+ if (previous != NULL) {
+ freecon(previous);
+ }
+ return NULL;
+ }
+ selabel_close(ctx);
+ }
+#else
+ if (matchpathcon(fullpath, mode, &configuredsc) != 0) {
+ free(genpath);
+ if (previous != NULL) {
+ freecon(previous);
+ }
+ return NULL;
+ }
+#endif
+ free(genpath);
+ if (configuredsc == NULL) {
+ if (previous != NULL) {
+ freecon(previous);
+ }
+ return NULL;
+ }
+ currentsc = NULL;
+ getcon(&currentsc);
+ if (currentsc != NULL) {
+ derived = context_new(configuredsc);
+ if (derived != NULL) {
+ current = context_new(currentsc);
+ if (current != NULL) {
+ currentuser = context_user_get(current);
+ if (currentuser != NULL) {
+ if (context_user_set(derived,
+ currentuser) == 0) {
+ derivedsc = context_str(derived);
+ if (derivedsc != NULL) {
+ freecon(configuredsc);
+ configuredsc = strdup(derivedsc);
+ }
+ }
+ }
+ context_free(current);
+ }
+ context_free(derived);
+ }
+ freecon(currentsc);
+ }
+#ifdef DEBUG
+ if (isatty(fileno(stderr))) {
+ fprintf(stderr, "Setting file creation context "
+ "to \"%s\".\n", configuredsc);
+ }
+#endif
+ if (setfscreatecon(configuredsc) != 0) {
+ freecon(configuredsc);
+ if (previous != NULL) {
+ freecon(previous);
+ }
+ return NULL;
+ }
+ freecon(configuredsc);
+#ifdef DEBUG
+ } else {
+ if (isatty(fileno(stderr))) {
+ fprintf(stderr, "Unable to determine "
+ "current context.\n");
+ }
+#endif
+ }
+ }
+ return previous;
+}
+
+static void
+pop_fscreatecon(security_context_t previous)
+{
+ if (is_selinux_enabled()) {
+#ifdef DEBUG
+ if (isatty(fileno(stderr))) {
+ if (previous != NULL) {
+ fprintf(stderr, "Resetting file creation "
+ "context to \"%s\".\n", previous);
+ } else {
+ fprintf(stderr, "Resetting file creation "
+ "context to default.\n");
+ }
+ }
+#endif
+ setfscreatecon(previous);
+ if (previous != NULL) {
+ freecon(previous);
+ }
+ }
+}
+
+void *
+krb5int_push_fscreatecon_for(const char *pathname)
+{
+ struct stat st;
+ void *retval;
+ k5_once(&labeled_once, label_mutex_init);
+ if (k5_mutex_lock(&labeled_mutex) == 0) {
+ if (stat(pathname, &st) != 0) {
+ st.st_mode = S_IRUSR | S_IWUSR;
+ }
+ retval = push_fscreatecon(pathname, st.st_mode);
+ return retval ? retval : (void *) -1;
+ } else {
+ return NULL;
+ }
+}
+
+void
+krb5int_pop_fscreatecon(void *con)
+{
+ if (con != NULL) {
+ pop_fscreatecon((con == (void *) -1) ? NULL : con);
+ k5_mutex_unlock(&labeled_mutex);
+ }
+}
+
+FILE *
+krb5int_labeled_fopen(const char *path, const char *mode)
+{
+ FILE *fp;
+ int errno_save;
+ security_context_t ctx;
+
+ if (strcmp(mode, "r") == 0) {
+ return fopen(path, mode);
+ }
+
+ k5_once(&labeled_once, label_mutex_init);
+ if (k5_mutex_lock(&labeled_mutex) == 0) {
+ ctx = push_fscreatecon(path, 0);
+ fp = fopen(path, mode);
+ errno_save = errno;
+ pop_fscreatecon(ctx);
+ k5_mutex_unlock(&labeled_mutex);
+ errno = errno_save;
+ } else {
+ fp = fopen(path, mode);
+ }
+
+ return fp;
+}
+
+int
+krb5int_labeled_creat(const char *path, mode_t mode)
+{
+ int fd;
+ int errno_save;
+ security_context_t ctx;
+
+ k5_once(&labeled_once, label_mutex_init);
+ if (k5_mutex_lock(&labeled_mutex) == 0) {
+ ctx = push_fscreatecon(path, 0);
+ fd = creat(path, mode);
+ errno_save = errno;
+ pop_fscreatecon(ctx);
+ k5_mutex_unlock(&labeled_mutex);
+ errno = errno_save;
+ } else {
+ fd = creat(path, mode);
+ }
+ return fd;
+}
+
+int
+krb5int_labeled_mknod(const char *path, mode_t mode, dev_t dev)
+{
+ int ret;
+ int errno_save;
+ security_context_t ctx;
+
+ k5_once(&labeled_once, label_mutex_init);
+ if (k5_mutex_lock(&labeled_mutex) == 0) {
+ ctx = push_fscreatecon(path, mode);
+ ret = mknod(path, mode, dev);
+ errno_save = errno;
+ pop_fscreatecon(ctx);
+ k5_mutex_unlock(&labeled_mutex);
+ errno = errno_save;
+ } else {
+ ret = mknod(path, mode, dev);
+ }
+ return ret;
+}
+
+int
+krb5int_labeled_mkdir(const char *path, mode_t mode)
+{
+ int ret;
+ int errno_save;
+ security_context_t ctx;
+
+ k5_once(&labeled_once, label_mutex_init);
+ if (k5_mutex_lock(&labeled_mutex) == 0) {
+ ctx = push_fscreatecon(path, S_IFDIR);
+ ret = mkdir(path, mode);
+ errno_save = errno;
+ pop_fscreatecon(ctx);
+ k5_mutex_unlock(&labeled_mutex);
+ errno = errno_save;
+ } else {
+ ret = mkdir(path, mode);
+ }
+ return ret;
+}
+
+int
+krb5int_labeled_open(const char *path, int flags, ...)
+{
+ int fd;
+ int errno_save;
+ security_context_t ctx;
+ mode_t mode;
+ va_list ap;
+
+ if ((flags & O_CREAT) == 0) {
+ return open(path, flags);
+ }
+
+ k5_once(&labeled_once, label_mutex_init);
+ if (k5_mutex_lock(&labeled_mutex) == 0) {
+ ctx = push_fscreatecon(path, 0);
+
+ va_start(ap, flags);
+ mode = va_arg(ap, mode_t);
+ fd = open(path, flags, mode);
+ va_end(ap);
+
+ errno_save = errno;
+ pop_fscreatecon(ctx);
+ k5_mutex_unlock(&labeled_mutex);
+ errno = errno_save;
+ } else {
+ va_start(ap, flags);
+ mode = va_arg(ap, mode_t);
+ fd = open(path, flags, mode);
+ errno_save = errno;
+ va_end(ap);
+ errno = errno_save;
+ }
+ return fd;
+}
+
+#endif
Index: krb5-1.10.2/src/lib/krb5/rcache/rc_dfl.c
===================================================================
--- krb5-1.10.2.orig/src/lib/krb5/rcache/rc_dfl.c
+++ krb5-1.10.2/src/lib/krb5/rcache/rc_dfl.c
@@ -812,6 +812,9 @@ krb5_rc_dfl_expunge_locked(krb5_context
krb5_error_code retval = 0;
krb5_rcache tmp;
krb5_deltat lifespan = t->lifespan; /* save original lifespan */
+#ifdef USE_SELINUX
+ void *selabel;
+#endif
if (! t->recovering) {
name = t->name;
@@ -833,7 +836,17 @@ krb5_rc_dfl_expunge_locked(krb5_context
retval = krb5_rc_resolve(context, tmp, 0);
if (retval)
goto cleanup;
+#ifdef USE_SELINUX
+ if (t->d.fn != NULL)
+ selabel = krb5int_push_fscreatecon_for(t->d.fn);
+ else
+ selabel = NULL;
+#endif
retval = krb5_rc_initialize(context, tmp, lifespan);
+#ifdef USE_SELINUX
+ if (selabel != NULL)
+ krb5int_pop_fscreatecon(selabel);
+#endif
if (retval)
goto cleanup;
for (q = t->a; q; q = q->na) {
Index: krb5-1.10.2/src/plugins/kdb/db2/kdb_db2.c
===================================================================
--- krb5-1.10.2.orig/src/plugins/kdb/db2/kdb_db2.c
+++ krb5-1.10.2/src/plugins/kdb/db2/kdb_db2.c
@@ -683,8 +683,8 @@ ctx_create_db(krb5_context context, krb5
if (retval)
return retval;
- dbc->db_lf_file = open(dbc->db_lf_name, O_CREAT | O_RDWR | O_TRUNC,
- 0600);
+ dbc->db_lf_file = THREEPARAMOPEN(dbc->db_lf_name,
+ O_CREAT | O_RDWR | O_TRUNC, 0600);
if (dbc->db_lf_file < 0) {
retval = errno;
goto cleanup;
Index: krb5-1.10.2/src/plugins/kdb/db2/libdb2/recno/rec_open.c
===================================================================
--- krb5-1.10.2.orig/src/plugins/kdb/db2/libdb2/recno/rec_open.c
+++ krb5-1.10.2/src/plugins/kdb/db2/libdb2/recno/rec_open.c
@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)rec_open.c 8
#include <stdio.h>
#include <unistd.h>
+#include "k5-int.h"
#include "db-int.h"
#include "recno.h"
@@ -68,7 +69,8 @@ __rec_open(fname, flags, mode, openinfo,
int rfd = -1, sverrno;
/* Open the user's file -- if this fails, we're done. */
- if (fname != NULL && (rfd = open(fname, flags | O_BINARY, mode)) < 0)
+ if (fname != NULL &&
+ (rfd = THREEPARAMOPEN(fname, flags | O_BINARY, mode)) < 0)
return (NULL);
if (fname != NULL && fcntl(rfd, F_SETFD, 1) == -1) {
Index: krb5-1.10.2/src/kdc/main.c
===================================================================
--- krb5-1.10.2.orig/src/kdc/main.c
+++ krb5-1.10.2/src/kdc/main.c
@@ -909,7 +909,7 @@ write_pid_file(const char *path)
FILE *file;
unsigned long pid;
- file = fopen(path, "w");
+ file = WRITABLEFOPEN(path, "w");
if (file == NULL)
return errno;
pid = (unsigned long) getpid();
Index: krb5-1.10.2/src/lib/kdb/kdb_log.c
===================================================================
--- krb5-1.10.2.orig/src/lib/kdb/kdb_log.c
+++ krb5-1.10.2/src/lib/kdb/kdb_log.c
@@ -566,7 +566,7 @@ ulog_map(krb5_context context, const cha
return (errno);
}
- if ((ulogfd = open(logname, O_RDWR+O_CREAT, 0600)) == -1) {
+ if ((ulogfd = THREEPARAMOPEN(logname, O_RDWR | O_CREAT, 0600)) == -1) {
return (errno);
}
Index: krb5-1.10.2/src/util/gss-kernel-lib/Makefile.in
===================================================================
--- krb5-1.10.2.orig/src/util/gss-kernel-lib/Makefile.in
+++ krb5-1.10.2/src/util/gss-kernel-lib/Makefile.in
@@ -66,6 +66,7 @@ HEADERS= \
gssapi_err_generic.h \
k5-int.h \
k5-int-pkinit.h \
+ k5-label.h \
k5-thread.h \
k5-platform.h \
k5-buf.h \
@@ -167,10 +168,12 @@ gssapi_generic.h: $(GSS_GENERIC)/gssapi_
$(CP) $(GSS_GENERIC)/gssapi_generic.h $@
gssapi_err_generic.h: $(GSS_GENERIC_BUILD)/gssapi_err_generic.h
$(CP) $(GSS_GENERIC_BUILD)/gssapi_err_generic.h $@
-k5-int.h: $(INCLUDE)/k5-int.h
+k5-int.h: $(INCLUDE)/k5-int.h k5-label.h
$(CP) $(INCLUDE)/k5-int.h $@
k5-int-pkinit.h: $(INCLUDE)/k5-int-pkinit.h
$(CP) $(INCLUDE)/k5-int-pkinit.h $@
+k5-label.h: $(INCLUDE)/k5-label.h
+ $(CP) $(INCLUDE)/k5-label.h $@
k5-thread.h: $(INCLUDE)/k5-thread.h
$(CP) $(INCLUDE)/k5-thread.h $@
k5-platform.h: $(INCLUDE)/k5-platform.h

3
krb5-1.10.2.tar.bz2 Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:479d66291ae989d5db9daca5838ff4bddde45c77b703fadcf78ca6d1db315bd8
size 9457236

3
krb5-1.11.tar.bz2
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:2276b81a25b329724f31ca65de0636d7aec5fe109cee275c7fc935d16051282b
size 9433922

9
krb5-1.3.5-perlfix.dif Normal file
View File

@ -0,0 +1,9 @@
--- doc/man2html
+++ doc/man2html 2004/10/18 16:20:53
@@ -1,5 +1,4 @@
-#!/usr/athena/bin/perl
-#!/usr/local/bin/perl
+#!/usr/bin/perl
##---------------------------------------------------------------------------##
## File:
## @(#) man2html 1.2 97/08/12 12:57:30 @(#)

17
krb5-1.6.3-ktutil-manpage.dif
View File

@ -1,11 +1,11 @@
Index: krb5-1.11/src/man/ktutil.man
Index: krb5-1.6.3/src/kadmin/ktutil/ktutil.M
===================================================================
--- krb5-1.11.orig/src/man/ktutil.man
+++ krb5-1.11/src/man/ktutil.man
@@ -158,6 +158,18 @@ ktutil:
.fi
.UNINDENT
.UNINDENT
--- krb5-1.6.3.orig/src/kadmin/ktutil/ktutil.M
+++ krb5-1.6.3/src/kadmin/ktutil/ktutil.M
@@ -63,5 +63,17 @@ Quits
Aliases:
.BR exit ,
.BR q .
+.SH REMARKS
+Changes to the keytab are appended to the keytab file (i.e., the keytab file
+is never overwritten). To directly modify a keytab, save the changes to a
@ -19,5 +19,4 @@ Index: krb5-1.11/src/man/ktutil.man
+ktutil> q
+# mv /tmp/krb5.newtab /etc/krb5.keytab
.SH SEE ALSO
.sp
\fIkadmin(1)\fP, \fIkdb5_util(8)\fP
kadmin(8), kdb5_util(8)

7
krb5-1.8-manpaths.txt Normal file
View File

@ -0,0 +1,7 @@
appl/sample/sserver/sserver.M
config-files/kdc.conf.M
config-files/krb5.conf.M
gen-manpages/kerberos.M
kadmin/cli/kadmin.M
slave/kpropd.M
slave/kprop.M

40
krb5-1.8-pam.patch
View File

@ -11,11 +11,11 @@ When enabled, ksu gains a dependency on libpam.
Originally RT#5939, though it's changed since then to perform the account
and session management before dropping privileges.
Index: krb5-1.11/src/aclocal.m4
Index: krb5-1.10.2/src/aclocal.m4
===================================================================
--- krb5-1.11.orig/src/aclocal.m4
+++ krb5-1.11/src/aclocal.m4
@@ -1664,3 +1664,70 @@ AC_DEFUN(KRB5_AC_KEYRING_CCACHE,[
--- krb5-1.10.2.orig/src/aclocal.m4
+++ krb5-1.10.2/src/aclocal.m4
@@ -1676,3 +1676,70 @@ AC_DEFUN(KRB5_AC_KEYRING_CCACHE,[
]))
])dnl
dnl
@ -86,10 +86,10 @@ Index: krb5-1.11/src/aclocal.m4
+AC_SUBST(PAM_MAN)
+AC_SUBST(NON_PAM_MAN)
+])dnl
Index: krb5-1.11/src/clients/ksu/main.c
Index: krb5-1.10.2/src/clients/ksu/main.c
===================================================================
--- krb5-1.11.orig/src/clients/ksu/main.c
+++ krb5-1.11/src/clients/ksu/main.c
--- krb5-1.10.2.orig/src/clients/ksu/main.c
+++ krb5-1.10.2/src/clients/ksu/main.c
@@ -26,6 +26,7 @@
* KSU was writen by: Ari Medvinsky, ari@isi.edu
*/
@ -249,10 +249,10 @@ Index: krb5-1.11/src/clients/ksu/main.c
exit (1);
}
}
Index: krb5-1.11/src/clients/ksu/Makefile.in
Index: krb5-1.10.2/src/clients/ksu/Makefile.in
===================================================================
--- krb5-1.11.orig/src/clients/ksu/Makefile.in
+++ krb5-1.11/src/clients/ksu/Makefile.in
--- krb5-1.10.2.orig/src/clients/ksu/Makefile.in
+++ krb5-1.10.2/src/clients/ksu/Makefile.in
@@ -7,12 +7,14 @@ PROG_LIBPATH=-L$(TOPLIBD)
PROG_RPATH=$(KRB5_LIBDIR)
@ -287,10 +287,10 @@ Index: krb5-1.11/src/clients/ksu/Makefile.in
clean::
$(RM) ksu
Index: krb5-1.11/src/clients/ksu/pam.c
Index: krb5-1.10.2/src/clients/ksu/pam.c
===================================================================
--- /dev/null
+++ krb5-1.11/src/clients/ksu/pam.c
+++ krb5-1.10.2/src/clients/ksu/pam.c
@@ -0,0 +1,389 @@
+/*
+ * src/clients/ksu/pam.c
@ -681,10 +681,10 @@ Index: krb5-1.11/src/clients/ksu/pam.c
+ return ret;
+}
+#endif
Index: krb5-1.11/src/clients/ksu/pam.h
Index: krb5-1.10.2/src/clients/ksu/pam.h
===================================================================
--- /dev/null
+++ krb5-1.11/src/clients/ksu/pam.h
+++ krb5-1.10.2/src/clients/ksu/pam.h
@@ -0,0 +1,57 @@
+/*
+ * src/clients/ksu/pam.h
@ -743,13 +743,13 @@ Index: krb5-1.11/src/clients/ksu/pam.h
+int appl_pam_cred_init(void);
+void appl_pam_cleanup(void);
+#endif
Index: krb5-1.11/src/configure.in
Index: krb5-1.10.2/src/configure.in
===================================================================
--- krb5-1.11.orig/src/configure.in
+++ krb5-1.11/src/configure.in
@@ -1290,6 +1290,8 @@ AC_DEFINE_UNQUOTED(DEFKTNAME, ["$DEFKTNA
AC_DEFINE_UNQUOTED(DEFCKTNAME, ["$DEFCKTNAME"],
[Define to default client keytab name])
--- krb5-1.10.2.orig/src/configure.in
+++ krb5-1.10.2/src/configure.in
@@ -1246,6 +1246,8 @@ if test "${localedir+set}" != set; then
fi
AC_SUBST(localedir)
+KRB5_WITH_PAM
+

10
krb5-1.9-kprop-mktemp.patch
View File

@ -1,10 +1,10 @@
Use an in-memory ccache to silence a compiler warning, for RT#6414.
Index: krb5-1.11/src/slave/kprop.c
Index: krb5-1.10.2/src/slave/kprop.c
===================================================================
--- krb5-1.11.orig/src/slave/kprop.c
+++ krb5-1.11/src/slave/kprop.c
@@ -187,9 +187,8 @@ void PRS(argc, argv)
--- krb5-1.10.2.orig/src/slave/kprop.c
+++ krb5-1.10.2/src/slave/kprop.c
@@ -186,9 +186,8 @@ void PRS(argc, argv)
void get_tickets(context)
krb5_context context;
{
@ -15,7 +15,7 @@ Index: krb5-1.11/src/slave/kprop.c
krb5_keytab keytab = NULL;
/*
@@ -230,11 +229,8 @@ void get_tickets(context)
@@ -229,11 +228,8 @@ void get_tickets(context)
#endif
/*

212
krb5-1.9-manpaths.dif
View File

@ -3,16 +3,206 @@ values can be dropped in by config.status. After applying this patch,
these files should be renamed to their ".in" counterparts, and then the
configure scripts should be rebuilt. Originally RT#6525
Index: krb5-1.11/src/man/kpropd.man
Index: krb5-1.10.2/src/aclocal.m4
===================================================================
--- krb5-1.11.orig/src/man/kpropd.man
+++ krb5-1.11/src/man/kpropd.man
@@ -63,7 +63,7 @@ the \fB/etc/inetd.conf\fP file which loo
.sp
.nf
.ft C
-kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd
+kprop stream tcp nowait root @SBINDIR@/kpropd kpropd
.ft P
--- krb5-1.10.2.orig/src/aclocal.m4
+++ krb5-1.10.2/src/aclocal.m4
@@ -1743,3 +1743,24 @@ AC_SUBST(PAM_LIBS)
AC_SUBST(PAM_MAN)
AC_SUBST(NON_PAM_MAN)
])dnl
+AC_DEFUN(V5_AC_OUTPUT_MANPAGE,[
+mansysconfdir=$sysconfdir
+mansysconfdir=`eval echo $mansysconfdir | sed -e "s,NONE,$prefix,g"`
+mansysconfdir=`eval echo $mansysconfdir | sed -e "s,NONE,$ac_default_prefix,g"`
+mansbindir=$sbindir
+mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$exec_prefix,g"`
+mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$prefix,g"`
+mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$ac_default_prefix,g"`
+manlocalstatedir=$localstatedir
+manlocalstatedir=`eval echo $manlocalstatedir | sed -e "s,NONE,$prefix,g"`
+manlocalstatedir=`eval echo $manlocalstatedir | sed -e "s,NONE,$ac_default_prefix,g"`
+manlibexecdir=$libexecdir
+manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$exec_prefix,g"`
+manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$prefix,g"`
+manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$ac_default_prefix,g"`
+AC_SUBST(mansysconfdir)
+AC_SUBST(mansbindir)
+AC_SUBST(manlocalstatedir)
+AC_SUBST(manlibexecdir)
+AC_CONFIG_FILES($1)
+])
Index: krb5-1.10.2/src/configure.in
===================================================================
--- krb5-1.10.2.orig/src/configure.in
+++ krb5-1.10.2/src/configure.in
@@ -1249,6 +1249,17 @@ AC_SUBST(localedir)
KRB5_WITH_PAM
AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config])
+
+V5_AC_OUTPUT_MANPAGE([
+ appl/sample/sserver/sserver.M
+ config-files/kdc.conf.M
+ config-files/krb5.conf.M
+ gen-manpages/kerberos.M
+ kadmin/cli/kadmin.M
+ slave/kpropd.M
+ slave/kprop.M
+])
+
V5_AC_OUTPUT_MAKEFILE(.
util util/support util/profile util/profile/testmod util/send-pr
Index: krb5-1.10.2/src/appl/sample/sserver/sserver.M
===================================================================
--- krb5-1.10.2.orig/src/appl/sample/sserver/sserver.M
+++ krb5-1.10.2/src/appl/sample/sserver/sserver.M
@@ -59,7 +59,7 @@ option allows for a different keytab tha
using a line in
/etc/inetd.conf that looks like this:
.PP
-sample stream tcp nowait root /usr/local/sbin/sserver sserver
+sample stream tcp nowait root @mansbindir@/sserver sserver
.PP
Since \fBsample\fP is normally not a port defined in /etc/services, you will
usually have to add a line to /etc/services which looks like this:
Index: krb5-1.10.2/src/config-files/kdc.conf.M
===================================================================
--- krb5-1.10.2.orig/src/config-files/kdc.conf.M
+++ krb5-1.10.2/src/config-files/kdc.conf.M
@@ -92,14 +92,14 @@ This
.B string
specifies the location of the access control list (acl) file that
kadmin uses to determine which principals are allowed which permissions
-on the database. The default value is /usr/local/var/krb5kdc/kadm5.acl.
+on the database. The default value is @manlocalstatedir@/krb5kdc/kadm5.acl.
.IP admin_keytab
This
.B string
Specifies the location of the keytab file that kadmin uses to
authenticate to the database. The default value is
-/usr/local/var/krb5kdc/kadm5.keytab.
+@manlocalstatedir@/krb5kdc/kadm5.keytab.
.IP database_name
This
@@ -274,7 +274,7 @@ tickets should be checked against the tr
realm names and the [capaths] section of its krb5.conf file
.SH FILES
-/usr/local/var/krb5kdc/kdc.conf
+@manlocalstatedir@/krb5kdc/kdc.conf
.SH SEE ALSO
krb5.conf(5), krb5kdc(8)
Index: krb5-1.10.2/src/config-files/krb5.conf.M
===================================================================
--- krb5-1.10.2.orig/src/config-files/krb5.conf.M
+++ krb5-1.10.2/src/config-files/krb5.conf.M
@@ -808,6 +808,6 @@ This module implements the encrypted cha
This module implements the encrypted timestamp mechanism.
.SH FILES
-/etc/krb5.conf
+@mansysconfdir@/krb5.conf
.SH SEE ALSO
syslog(3)
Index: krb5-1.10.2/src/gen-manpages/kerberos.M
===================================================================
--- krb5-1.10.2.orig/src/gen-manpages/kerberos.M
+++ krb5-1.10.2/src/gen-manpages/kerberos.M
@@ -125,7 +125,7 @@ default is /etc/krb5.conf.
Specifies the location of the KDC configuration file, which contains
additional configuration directives for the Key Distribution Center
daemon and associated programs. The default is
-/usr/local/var/krb5kdc/kdc.conf.
+@manlocalstatedir@/krb5kdc/kdc.conf.
.TP
.B KRB5RCACHETYPE
Specifies the default type of replay cache to use for servers. Valid
Index: krb5-1.10.2/src/kadmin/cli/kadmin.M
===================================================================
--- krb5-1.10.2.orig/src/kadmin/cli/kadmin.M
+++ krb5-1.10.2/src/kadmin/cli/kadmin.M
@@ -924,9 +924,9 @@ option is specified, less verbose status
.RS
.TP
EXAMPLE:
-kadmin: ktremove -k /usr/local/var/krb5kdc/kadmind.keytab kadmin/admin
+kadmin: ktremove -k @manlocalstatedir@/krb5kdc/kadmind.keytab kadmin/admin
Entry for principal kadmin/admin with kvno 3 removed
- from keytab WRFILE:/usr/local/var/krb5kdc/kadmind.keytab.
+ from keytab WRFILE:@manlocalstatedir@/krb5kdc/kadmind.keytab.
kadmin:
.RE
.fi
.UNINDENT
Index: krb5-1.10.2/src/slave/kpropd.M
===================================================================
--- krb5-1.10.2.orig/src/slave/kpropd.M
+++ krb5-1.10.2/src/slave/kpropd.M
@@ -74,7 +74,7 @@ Normally, kpropd is invoked out of
This is done by adding a line to the inetd.conf file which looks like
this:
-kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd
+kprop stream tcp nowait root @mansbindir@/kpropd kpropd
However, kpropd can also run as a standalone daemon, if the
.B \-S
@@ -111,13 +111,13 @@ is used.
\fB\-f\fP \fIfile\fP
specifies the filename where the dumped principal database file is to be
stored; by default the dumped database file is KPROPD_DEFAULT_FILE
-(normally /usr/local/var/krb5kdc/from_master).
+(normally @manlocalstatedir@/krb5kdc/from_master).
.TP
.B \-p
allows the user to specify the pathname to the
.IR kdb5_util (8)
program; by default the pathname used is KPROPD_DEFAULT_KDB5_UTIL
-(normally /usr/local/sbin/kdb5_util).
+(normally @mansbindir@/kdb5_util).
.TP
.B \-S
turn on standalone mode. Normally, kpropd is invoked out of
@@ -148,14 +148,14 @@ mode.
allows the user to specify the path to the
kpropd.acl
file; by default the path used is KPROPD_ACL_FILE
-(normally /usr/local/var/krb5kdc/kpropd.acl).
+(normally @manlocalstatedir@/krb5kdc/kpropd.acl).
.SH FILES
.TP "\w'kpropd.acl\ \ 'u"
kpropd.acl
Access file for
.BR kpropd ;
the default location is KPROPD_ACL_FILE (normally
-/usr/local/var/krb5kdc/kpropd.acl).
+@manlocalstatedir@/krb5kdc/kpropd.acl).
Each entry is a line containing the principal of a host from which the
local machine will allow Kerberos database propagation via kprop.
.SH SEE ALSO
Index: krb5-1.10.2/src/slave/kprop.M
===================================================================
--- krb5-1.10.2.orig/src/slave/kprop.M
+++ krb5-1.10.2/src/slave/kprop.M
@@ -39,7 +39,7 @@ Kerberos server to a slave Kerberos serv
This is done by transmitting the dumped database file to the slave
server over an encrypted, secure channel. The dump file must be created
by kdb5_util, and is normally KPROP_DEFAULT_FILE
-(/usr/local/var/krb5kdc/slave_datatrans).
+(@manlocalstatedir@/krb5kdc/slave_datatrans).
.SH OPTIONS
.TP
\fB\-r\fP \fIrealm\fP
@@ -51,7 +51,7 @@ is used.
\fB\-f\fP \fIfile\fP
specifies the filename where the dumped principal database file is to be
found; by default the dumped database file is KPROP_DEFAULT_FILE
-(normally /usr/local/var/krb5kdc/slave_datatrans).
+(normally @manlocalstatedir@/krb5kdc/slave_datatrans).
.TP
\fB\-P\fP \fIport\fP
specifies the port to use to contact the

2
krb5-doc-rpmlintrc Normal file
View File

@ -0,0 +1,2 @@
addFilter("files-duplicate .*css")
addFilter("files-duplicate .*img.*png")

196
krb5-doc.changes Normal file
View File

@ -0,0 +1,196 @@
-------------------------------------------------------------------
Mon Sep 3 14:34:35 UTC 2012 - idonmez@suse.com
- Build depend on texinfo & texlive-dvips to fix the build
-------------------------------------------------------------------
Wed Jun 6 17:34:26 CEST 2012 - mc@suse.de
- update to version 1.10.2
-------------------------------------------------------------------
Mon Aug 22 10:21:56 CEST 2011 - mc@suse.de
- update to version 1.9.1
-------------------------------------------------------------------
Fri Apr 9 12:45:30 CEST 2010 - mc@suse.de
- update to version 1.8.1
-------------------------------------------------------------------
Tue Mar 23 12:38:29 CET 2010 - mc@suse.de
- add post 1.8 fixes
* Document the ticket_lifetime libdefaults setting
-------------------------------------------------------------------
Thu Mar 4 11:45:22 CET 2010 - mc@suse.de
- update to version 1.8
-------------------------------------------------------------------
Wed Jun 3 10:47:07 CEST 2009 - mc@suse.de
- update to final version 1.7
-------------------------------------------------------------------
Wed May 13 11:34:07 CEST 2009 - mc@suse.de
- update to version 1.7 Beta2
-------------------------------------------------------------------
Mon Feb 16 13:08:05 CET 2009 - mc@suse.de
- update to pre 1.7 version
* remove outdated documentation for kadm5 API
-------------------------------------------------------------------
Fri Jul 25 12:17:10 CEST 2008 - mc@suse.de
- add patches from SVN post 1.6.3
* some fixes in the man pages
-------------------------------------------------------------------
Wed Jun 18 15:34:16 CEST 2008 - mc@suse.de
- reduce rpmlint warnings
-------------------------------------------------------------------
Tue Oct 23 10:29:23 CEST 2007 - mc@suse.de
- update to krb5 version 1.6.3
* fix CVE-2007-3999, CVE-2007-4743 svc_auth_gss.c buffer overflow
* fix CVE-2007-4000 modify_policy vulnerability
* Add PKINIT support
- remove patches which are upstream now
- enhance init scripts and xinetd profiles
-------------------------------------------------------------------
Thu Jul 12 17:02:30 CEST 2007 - mc@suse.de
- update to version 1.6.2
- remove krb5-1.6.1-post.dif all fixes are included in this release
-------------------------------------------------------------------
Wed Jun 13 15:29:42 CEST 2007 - sschober@suse.de
- removed executable permission from doc file
-------------------------------------------------------------------
Mon Apr 23 11:15:59 CEST 2007 - mc@suse.de
- update to final 1.6.1 version
- replace te_ams with texlive in BuildRequires
-------------------------------------------------------------------
Wed Apr 18 14:47:49 CEST 2007 - mc@suse.de
- build implementor.ps
-------------------------------------------------------------------
Mon Apr 16 14:39:40 CEST 2007 - mc@suse.de
- update to version 1.6.1 Beta1
- remove obsolete patches
(krb5-1.6-post.dif, krb5-1.6-patchlevel.dif)
-------------------------------------------------------------------
Mon Feb 19 14:00:49 CET 2007 - mc@suse.de
- add krb5-1.6-post.dif
-------------------------------------------------------------------
Mon Jan 22 12:21:20 CET 2007 - mc@suse.de
- update to version 1.6
* Major changes in 1.6 include
* Partial client implementation to handle server name referrals.
* Pre-authentication plug-in framework, donated by Red Hat.
* LDAP KDB plug-in, donated by Novell.
-------------------------------------------------------------------
Thu Aug 24 12:53:25 CEST 2006 - mc@suse.de
- update to version 1.5.1
- remove obsolete patches which are now included upstream
* krb5-1.4.3-MITKRB5-SA-2006-001-setuid-return-checks.dif
* trunk-fix-uninitialized-vars.dif
-------------------------------------------------------------------
Mon Jul 3 15:01:57 CEST 2006 - mc@suse.de
- update to version 1.5
* KDB abstraction layer, donated by Novell.
* plug-in architecture, allowing for extension modules to be
loaded at run-time.
* multi-mechanism GSS-API implementation ("mechglue"),
donated by Sun Microsystems
* Simple and Protected GSS-API negotiation mechanism ("SPNEGO")
implementation, donated by Sun Microsystems
- remove obsolete patches and add some new
-------------------------------------------------------------------
Mon Mar 13 18:01:06 CET 2006 - mc@suse.de
- set BuildArchitectures to noarch
- set norootforbuild
-------------------------------------------------------------------
Wed Jan 25 21:30:24 CET 2006 - mls@suse.de
- converted neededforbuild to BuildRequires
-------------------------------------------------------------------
Fri Nov 18 12:15:07 CET 2005 - mc@suse.de
- update to version 1.4.3
- fix tex for kadm5 documentation (krb5-1.4.3-kadm5-tex.dif)
-------------------------------------------------------------------
Wed Oct 12 16:19:08 CEST 2005 - mc@suse.de
- build kadm5 documentation
- build documentation also as html
- include the text only documentation
-------------------------------------------------------------------
Tue Oct 11 17:40:26 CEST 2005 - mc@suse.de
- update to version 1.4.2
- remove some obsolet patches
-------------------------------------------------------------------
Mon Jun 27 13:36:04 CEST 2005 - mc@suse.de
- update to version 1.4.1
- remove obsolet patches
- krb5-1.4-VUL-0-telnet.dif
-------------------------------------------------------------------
Thu Feb 10 02:38:39 CET 2005 - ro@suse.de
- added libpng to neededforbuild (for tetex)
-------------------------------------------------------------------
Fri Feb 4 16:50:34 CET 2005 - mc@suse.de
- remove spx.c from tarball because of legal risk
- add README.Source which tell the user about this
action.
-------------------------------------------------------------------
Fri Jan 28 13:28:18 CET 2005 - mc@suse.de
- update to version 1.4
-------------------------------------------------------------------
Mon Jan 10 12:20:11 CET 2005 - mc@suse.de
- update to version 1.3.6
-------------------------------------------------------------------
Tue Dec 14 15:21:02 CET 2004 - mc@suse.de
- initial release

91
krb5-doc.spec Normal file
View File

@ -0,0 +1,91 @@
#
# spec file for package krb5-doc
#
# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
Name: krb5-doc
BuildRequires: ghostscript-library
BuildRequires: texinfo
BuildRequires: texlive-dvips
Version: 1.10.2
Release: 0
%define srcRoot krb5-1.10.2
Summary: MIT Kerberos5 Implementation--Documentation
License: MIT
Group: Documentation/Other
Url: http://web.mit.edu/kerberos/www/
Source: krb5-%{version}.tar.bz2
Source3: %{name}-rpmlintrc
Patch0: krb5-1.3.5-perlfix.dif
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildArch: noarch
%description
Kerberos V5 is a trusted-third-party network authentication
system,which can improve your network's security by eliminating the
insecurepractice of clear text passwords. This package includes
extended documentation for MIT Kerberos.
Authors:
--------
The MIT Kerberos Team
Sam Hartman <hartmans@mit.edu>
Ken Raeburn <raeburn@mit.edu>
Tom Yu <tlyu@mit.edu>
%prep
%setup -n %{srcRoot}
%patch0
%build
sed -i -e '1s!\[twoside\]!!;s!%\(\\usepackage{hyperref}\)!\1!' doc/api/library.tex
sed -i -e '1c\
\\documentclass{article}\
\\usepackage{fixunder}\
\\usepackage{functions}\
\\usepackage{fancyheadings}\
\\usepackage{hyperref}' doc/implement/implement.tex
%install
cd doc
mkdir -p html
make
make implementor.ps
make -C api
make -C implement
mv *.html html/
cd ..
find . -type f -name '*.ps' -exec gzip -9 {} \;
chmod 644 doc/man2ps
chmod 644 doc/krb5-protocol/draft-jaganathan-rc4-hmac-03.txt
# cleanup
rm -f %{buildroot}/usr/share/man/man1/tmac.doc*
rm -f /usr/share/man/man1/tmac.doc*
rm -rf /usr/lib/mit/share
rm -rf %{buildroot}/usr/lib/mit/share
%clean
rm -rf %{buildroot}
%files
%defattr(-,root,root)
%doc doc/*.ps.gz doc/api/*.ps.gz doc/implement/*.ps.gz
%doc doc/krb5-protocol doc/kadmin
%doc doc/html
%changelog

17
krb5-mini.changes
View File

@ -1,19 +1,8 @@
-------------------------------------------------------------------
Sun Jan 13 15:01:50 UTC 2013 - mc@suse.com
Tue Jan 22 13:55:52 UTC 2013 - lchiquitto@suse.com
- update to version 1.11
* Improve ASN.1 support code, making it table-driven for
decoding as well as encoding
* Refactor parts of KDC
* Documentation consolidation
* build docs in the main package
* bugfixing
- package missing file (bnc#794784)
-------------------------------------------------------------------
Tue Oct 16 19:35:47 UTC 2012 - coolo@suse.com
- revert the -p usage in %postun to fix SLE build
- krb5-1.10-spin-loop.patch: fix spin-loop bug in k5_sendto_kdc
(bnc#793336)
-------------------------------------------------------------------
Tue Oct 16 12:05:00 UTC 2012 - coolo@suse.com

94
krb5-mini.spec
View File

@ -17,7 +17,7 @@
%define build_mini 1
%define srcRoot krb5-1.11
%define srcRoot krb5-1.10.2
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
%define krb5docdir %{_defaultdocdir}/krb5
@ -25,13 +25,12 @@ Name: krb5-mini
Url: http://web.mit.edu/kerberos/www/
BuildRequires: autoconf
BuildRequires: bison
BuildRequires: doxygen
BuildRequires: keyutils
BuildRequires: keyutils-devel
BuildRequires: libcom_err-devel
BuildRequires: libselinux-devel
BuildRequires: ncurses-devel
Version: 1.11
Version: 1.10.2
Release: 0
Summary: MIT Kerberos5 Implementation--Libraries
License: MIT
@ -40,10 +39,6 @@ Group: Productivity/Networking/Security
BuildRequires: libopenssl-devel
BuildRequires: openldap2-devel
BuildRequires: pam-devel
BuildRequires: python-Cheetah
BuildRequires: python-Sphinx
BuildRequires: python-libxml2
BuildRequires: python-lxml
%if 0%{?suse_version} >= 1210
BuildRequires: pkgconfig(systemd)
%endif
@ -57,16 +52,20 @@ Source: krb5-%{version}.tar.bz2
Source1: vendor-files.tar.bz2
Source2: baselibs.conf
Source5: krb5-rpmlintrc
Patch1: krb5-1.8-pam.patch
Patch2: krb5-1.9-manpaths.dif
Patch3: krb5-1.10-buildconf.patch
Patch4: krb5-1.6.3-gssapi_improve_errormessages.dif
Patch5: krb5-1.10-kpasswd_tcp.patch
Patch6: krb5-1.6.3-ktutil-manpage.dif
Patch7: krb5-1.7-doublelog.patch
Patch8: krb5-1.8-api.patch
Patch9: krb5-1.9-kprop-mktemp.patch
Patch10: krb5-1.9-ksu-path.patch
Source10: krb5-1.8-manpaths.txt
Patch1: krb5-1.10-buildconf.patch
Patch3: krb5-1.9-manpaths.dif
Patch5: krb5-1.6.3-gssapi_improve_errormessages.dif
Patch6: krb5-1.10-kpasswd_tcp.patch
Patch7: krb5-1.6.3-ktutil-manpage.dif
Patch10: krb5-1.7-doublelog.patch
Patch12: krb5-1.8-api.patch
Patch13: krb5-1.8-pam.patch
Patch18: krb5-1.9-kprop-mktemp.patch
Patch19: krb5-1.9-ksu-path.patch
Patch20: krb5-1.10-gcc47.patch
Patch21: krb5-1.10-selinux-label.patch
Patch22: krb5-1.10-spin-loop.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch, coreutils
PreReq: %insserv_prereq %fillup_prereq
@ -123,16 +122,6 @@ Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of cleartext passwords. This package includes a PKINIT plugin.
%package doc
Summary: MIT Kerberos5 Implementation--Documentation
Group: Documentation/Other
%description doc
Kerberos V5 is a trusted-third-party network authentication
system,which can improve your network's security by eliminating the
insecurepractice of clear text passwords. This package includes
extended documentation for MIT Kerberos.
%endif #! build_mini
%package devel
@ -159,16 +148,25 @@ Include Files for Development
%prep
%setup -q -n %{srcRoot}
%setup -a 1 -T -D -n %{srcRoot}
%patch1 -p1
%patch2 -p1
%patch13 -p1
%patch3 -p1
%patch4 -p1
%patch21 -p1
%patch1 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch12 -p1
%patch18 -p1
%patch19 -p1
%patch20
%patch22 -p1
# Rename the man pages so that they'll get generated correctly.
pushd src
cat %{SOURCE10} | while read manpage ; do
mv "$manpage" "$manpage".in
done
popd
%build
# needs to be re-generated
@ -194,6 +192,7 @@ CFLAGS="$RPM_OPT_FLAGS -I/usr/include/et -fno-strict-aliasing -D_GNU_SOURCE -fPI
--with-ldap \
--with-pam \
--enable-pkinit \
--with-selinux \
%else
--disable-pkinit \
--without-pam \
@ -201,12 +200,6 @@ CFLAGS="$RPM_OPT_FLAGS -I/usr/include/et -fno-strict-aliasing -D_GNU_SOURCE -fPI
--with-system-et \
--with-system-ss
make %{?jobs:-j%jobs}
%if ! 0%{?build_mini}
cd doc
make %{?jobs:-j%jobs} substhtml
cp -a html_subst ../../html
cd ..
%endif
%install
cd src
@ -282,9 +275,8 @@ install -m 644 %{_builddir}/%{srcRoot}/src/plugins/kdb/ldap/libkdb_ldap/kerberos
# cleanup
rm -f %{buildroot}/usr/share/man/man1/tmac.doc*
rm -f /usr/share/man/man1/tmac.doc*
#rm -rf /usr/lib/mit/share
rm -rf %{buildroot}/usr/lib/mit/share/examples
rm -rf %{buildroot}/usr/lib/mit/share/locale
rm -rf /usr/lib/mit/share
rm -rf %{buildroot}/usr/lib/mit/share
#####################################################
# krb5(-mini) pre/post/postun
@ -292,8 +284,7 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale
%post -p /sbin/ldconfig
%postun
/sbin/ldconfig
%postun -p /sbin/ldconfig
%if ! %{build_mini}
@ -335,8 +326,7 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale
%post plugin-kdb-ldap -p /sbin/ldconfig
%postun plugin-kdb-ldap
/sbin/ldconfig
%postun plugin-kdb-ldap -p /sbin/ldconfig
%endif
@ -349,7 +339,6 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale
%dir /usr/lib/mit
%dir /usr/lib/mit/bin
%dir /usr/lib/mit/sbin
%dir /usr/lib/mit/share
%dir %{_datadir}/aclocal
%{_libdir}/libgssrpc.so
%{_libdir}/libk5crypto.so
@ -361,11 +350,12 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale
%{_libdir}/libkrb5.so
%{_libdir}/libkrb5support.so
%{_libdir}/libverto.so
%{_libdir}/libverto-k5ev.so
%{_includedir}/*
/usr/lib/mit/bin/krb5-config
/usr/lib/mit/sbin/krb5-send-pr
/usr/lib/mit/share/gnats
%{_mandir}/man1/krb5-send-pr.1*
%{_mandir}/man1/krb5-config.1*
%{_datadir}/aclocal/ac_check_krb5.m4
%if %{build_mini}
@ -404,6 +394,7 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale
%{_libdir}/libkrb5.so.*
%{_libdir}/libkrb5support.so.*
%{_libdir}/libverto.so.*
%{_libdir}/libverto-k5ev.so.*
%{_libdir}/krb5/plugins/kdb/*
#/usr/lib/mit/sbin/*
/usr/lib/mit/sbin/kadmin.local
@ -440,6 +431,7 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale
%{_mandir}/man1/kdestroy.1*
%{_mandir}/man1/kpasswd.1*
%{_mandir}/man1/klist.1*
%{_mandir}/man1/kerberos.1*
%{_mandir}/man1/ksu.1*
%{_mandir}/man1/sclient.1*
%{_mandir}/man1/kadmin.1*
@ -475,6 +467,7 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale
%{_libdir}/libkrb5.so.*
%{_libdir}/libkrb5support.so.*
%{_libdir}/libverto.so.*
%{_libdir}/libverto-k5ev.so.*
%files server
%defattr(-,root,root)
@ -514,7 +507,6 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale
/usr/lib/mit/sbin/uuserver
%{_libdir}/krb5/plugins/kdb/db2.so
%{_mandir}/man5/kdc.conf.5*
%{_mandir}/man5/kadm5.acl.5*
%{_mandir}/man8/kadmind.8*
%{_mandir}/man8/kadmin.local.8*
%{_mandir}/man8/kpropd.8*
@ -550,6 +542,7 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale
%{_mandir}/man1/kdestroy.1*
%{_mandir}/man1/kpasswd.1*
%{_mandir}/man1/klist.1*
%{_mandir}/man1/kerberos.1*
%{_mandir}/man1/kadmin.1*
%{_mandir}/man1/ktutil.1*
%{_mandir}/man1/k5srvutil.1*
@ -582,11 +575,6 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale
%dir %{_libdir}/krb5/plugins
%dir %{_libdir}/krb5/plugins/preauth
%{_libdir}/krb5/plugins/preauth/pkinit.so
%files doc
%defattr(-,root,root)
%doc html doc/CHANGES doc/README
%endif #build_mini
%changelog

12
krb5.changes
View File

@ -1,14 +1,8 @@
-------------------------------------------------------------------
Sun Jan 13 15:01:50 UTC 2013 - mc@suse.com
Tue Jan 22 13:55:52 UTC 2013 - lchiquitto@suse.com
- update to version 1.11
* Improve ASN.1 support code, making it table-driven for
decoding as well as encoding
* Refactor parts of KDC
* Documentation consolidation
* build docs in the main package
* bugfixing
- package missing file (bnc#794784)
- krb5-1.10-spin-loop.patch: fix spin-loop bug in k5_sendto_kdc
(bnc#793336)
-------------------------------------------------------------------
Tue Oct 16 19:35:47 UTC 2012 - coolo@suse.com

88
krb5.spec
View File

@ -17,7 +17,7 @@
%define build_mini 0
%define srcRoot krb5-1.11
%define srcRoot krb5-1.10.2
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
%define krb5docdir %{_defaultdocdir}/krb5
@ -25,13 +25,12 @@ Name: krb5
Url: http://web.mit.edu/kerberos/www/
BuildRequires: autoconf
BuildRequires: bison
BuildRequires: doxygen
BuildRequires: keyutils
BuildRequires: keyutils-devel
BuildRequires: libcom_err-devel
BuildRequires: libselinux-devel
BuildRequires: ncurses-devel
Version: 1.11
Version: 1.10.2
Release: 0
Summary: MIT Kerberos5 Implementation--Libraries
License: MIT
@ -40,10 +39,6 @@ Group: Productivity/Networking/Security
BuildRequires: libopenssl-devel
BuildRequires: openldap2-devel
BuildRequires: pam-devel
BuildRequires: python-Cheetah
BuildRequires: python-Sphinx
BuildRequires: python-libxml2
BuildRequires: python-lxml
%if 0%{?suse_version} >= 1210
BuildRequires: pkgconfig(systemd)
%endif
@ -57,16 +52,20 @@ Source: krb5-%{version}.tar.bz2
Source1: vendor-files.tar.bz2
Source2: baselibs.conf
Source5: krb5-rpmlintrc
Patch1: krb5-1.8-pam.patch
Patch2: krb5-1.9-manpaths.dif
Patch3: krb5-1.10-buildconf.patch
Patch4: krb5-1.6.3-gssapi_improve_errormessages.dif
Patch5: krb5-1.10-kpasswd_tcp.patch
Patch6: krb5-1.6.3-ktutil-manpage.dif
Patch7: krb5-1.7-doublelog.patch
Patch8: krb5-1.8-api.patch
Patch9: krb5-1.9-kprop-mktemp.patch
Patch10: krb5-1.9-ksu-path.patch
Source10: krb5-1.8-manpaths.txt
Patch1: krb5-1.10-buildconf.patch
Patch3: krb5-1.9-manpaths.dif
Patch5: krb5-1.6.3-gssapi_improve_errormessages.dif
Patch6: krb5-1.10-kpasswd_tcp.patch
Patch7: krb5-1.6.3-ktutil-manpage.dif
Patch10: krb5-1.7-doublelog.patch
Patch12: krb5-1.8-api.patch
Patch13: krb5-1.8-pam.patch
Patch18: krb5-1.9-kprop-mktemp.patch
Patch19: krb5-1.9-ksu-path.patch
Patch20: krb5-1.10-gcc47.patch
Patch21: krb5-1.10-selinux-label.patch
Patch22: krb5-1.10-spin-loop.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch, coreutils
PreReq: %insserv_prereq %fillup_prereq
@ -123,16 +122,6 @@ Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of cleartext passwords. This package includes a PKINIT plugin.
%package doc
Summary: MIT Kerberos5 Implementation--Documentation
Group: Documentation/Other
%description doc
Kerberos V5 is a trusted-third-party network authentication
system,which can improve your network's security by eliminating the
insecurepractice of clear text passwords. This package includes
extended documentation for MIT Kerberos.
%endif #! build_mini
%package devel
@ -159,16 +148,25 @@ Include Files for Development
%prep
%setup -q -n %{srcRoot}
%setup -a 1 -T -D -n %{srcRoot}
%patch1 -p1
%patch2 -p1
%patch13 -p1
%patch3 -p1
%patch4 -p1
%patch21 -p1
%patch1 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch12 -p1
%patch18 -p1
%patch19 -p1
%patch20
%patch22 -p1
# Rename the man pages so that they'll get generated correctly.
pushd src
cat %{SOURCE10} | while read manpage ; do
mv "$manpage" "$manpage".in
done
popd
%build
# needs to be re-generated
@ -194,6 +192,7 @@ CFLAGS="$RPM_OPT_FLAGS -I/usr/include/et -fno-strict-aliasing -D_GNU_SOURCE -fPI
--with-ldap \
--with-pam \
--enable-pkinit \
--with-selinux \
%else
--disable-pkinit \
--without-pam \
@ -201,12 +200,6 @@ CFLAGS="$RPM_OPT_FLAGS -I/usr/include/et -fno-strict-aliasing -D_GNU_SOURCE -fPI
--with-system-et \
--with-system-ss
make %{?jobs:-j%jobs}
%if ! 0%{?build_mini}
cd doc
make %{?jobs:-j%jobs} substhtml
cp -a html_subst ../../html
cd ..
%endif
%install
cd src
@ -282,9 +275,8 @@ install -m 644 %{_builddir}/%{srcRoot}/src/plugins/kdb/ldap/libkdb_ldap/kerberos
# cleanup
rm -f %{buildroot}/usr/share/man/man1/tmac.doc*
rm -f /usr/share/man/man1/tmac.doc*
#rm -rf /usr/lib/mit/share
rm -rf %{buildroot}/usr/lib/mit/share/examples
rm -rf %{buildroot}/usr/lib/mit/share/locale
rm -rf /usr/lib/mit/share
rm -rf %{buildroot}/usr/lib/mit/share
#####################################################
# krb5(-mini) pre/post/postun
@ -349,7 +341,6 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale
%dir /usr/lib/mit
%dir /usr/lib/mit/bin
%dir /usr/lib/mit/sbin
%dir /usr/lib/mit/share
%dir %{_datadir}/aclocal
%{_libdir}/libgssrpc.so
%{_libdir}/libk5crypto.so
@ -361,11 +352,12 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale
%{_libdir}/libkrb5.so
%{_libdir}/libkrb5support.so
%{_libdir}/libverto.so
%{_libdir}/libverto-k5ev.so
%{_includedir}/*
/usr/lib/mit/bin/krb5-config
/usr/lib/mit/sbin/krb5-send-pr
/usr/lib/mit/share/gnats
%{_mandir}/man1/krb5-send-pr.1*
%{_mandir}/man1/krb5-config.1*
%{_datadir}/aclocal/ac_check_krb5.m4
%if %{build_mini}
@ -404,6 +396,7 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale
%{_libdir}/libkrb5.so.*
%{_libdir}/libkrb5support.so.*
%{_libdir}/libverto.so.*
%{_libdir}/libverto-k5ev.so.*
%{_libdir}/krb5/plugins/kdb/*
#/usr/lib/mit/sbin/*
/usr/lib/mit/sbin/kadmin.local
@ -440,6 +433,7 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale
%{_mandir}/man1/kdestroy.1*
%{_mandir}/man1/kpasswd.1*
%{_mandir}/man1/klist.1*
%{_mandir}/man1/kerberos.1*
%{_mandir}/man1/ksu.1*
%{_mandir}/man1/sclient.1*
%{_mandir}/man1/kadmin.1*
@ -475,6 +469,7 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale
%{_libdir}/libkrb5.so.*
%{_libdir}/libkrb5support.so.*
%{_libdir}/libverto.so.*
%{_libdir}/libverto-k5ev.so.*
%files server
%defattr(-,root,root)
@ -514,7 +509,6 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale
/usr/lib/mit/sbin/uuserver
%{_libdir}/krb5/plugins/kdb/db2.so
%{_mandir}/man5/kdc.conf.5*
%{_mandir}/man5/kadm5.acl.5*
%{_mandir}/man8/kadmind.8*
%{_mandir}/man8/kadmin.local.8*
%{_mandir}/man8/kpropd.8*
@ -550,6 +544,7 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale
%{_mandir}/man1/kdestroy.1*
%{_mandir}/man1/kpasswd.1*
%{_mandir}/man1/klist.1*
%{_mandir}/man1/kerberos.1*
%{_mandir}/man1/kadmin.1*
%{_mandir}/man1/ktutil.1*
%{_mandir}/man1/k5srvutil.1*
@ -582,11 +577,6 @@ rm -rf %{buildroot}/usr/lib/mit/share/locale
%dir %{_libdir}/krb5/plugins
%dir %{_libdir}/krb5/plugins/preauth
%{_libdir}/krb5/plugins/preauth/pkinit.so
%files doc
%defattr(-,root,root)
%doc html doc/CHANGES doc/README
%endif #build_mini
%changelog