SHA256
1
0
forked from pool/krb5

Accepting request 777881 from home:scabrero:branches:network

- Upgrade to 1.18
  Administrator experience:
    * Remove support for single-DES encryption types.
    * Change the replay cache format to be more efficient and robust.
      Replay cache filenames using the new format end with ".rcache2"
      by default.
    * setuid programs will automatically ignore environment variables
      that normally affect krb5 API functions, even if the caller does
      not use krb5_init_secure_context().
    * Add an "enforce_ok_as_delegate" krb5.conf relation to disable
      credential forwarding during GSSAPI authentication unless the KDC
      sets the ok-as-delegate bit in the service ticket.
    * Use the permitted_enctypes krb5.conf setting as the default value
      for default_tkt_enctypes and default_tgs_enctypes.
  Developer experience:
    * Implement krb5_cc_remove_cred() for all credential cache types.
    * Add the krb5_pac_get_client_info() API to get the client account
      name from a PAC.
  Protocol evolution:
    * Add KDC support for S4U2Self requests where the user is identified
      by X.509 certificate. (Requires support for certificate lookup from
      a third-party KDB module.)
    * Remove support for an old ("draft 9") variant of PKINIT.
    * Add support for Microsoft NegoEx. (Requires one or more third-party
      GSS modules implementing NegoEx mechanisms.)
  User experience:
    * Add support for "dns_canonicalize_hostname=fallback", causing
      host-based principal names to be tried first without DNS
      canonicalization, and again with DNS canonicalization if the
      un-canonicalized server is not found.
    * Expand single-component hostnames in host-based principal names
      when DNS canonicalization is not used, adding the system's first DNS
      search path as a suffix. Add a "qualify_shortname" krb5.conf relation
      to override this suffix or disable expansion.
    * Honor the transited-policy-checked ticket flag on application servers,
      eliminating the requirement to configure capaths on servers in some
      scenarios.
  Code quality:
    * The libkrb5 serialization code (used to export and import krb5 GSS
      security contexts) has been simplified and made type-safe.
    * The libkrb5 code for creating KRB-PRIV, KRB-SAFE, and KRB-CRED
      messages has been revised to conform to current coding practices.
    * The test suite has been modified to work with macOS System Integrity
      Protection enabled.
    * The test suite incorporates soft-pkcs11 so that PKINIT PKCS11 support
      can always be tested.
- Updated patches:
  * 0002-krb5-1.9-manpaths.patch
  * 0004-krb5-1.6.3-gssapi_improve_errormessages.patch
  * 0005-krb5-1.6.3-ktutil-manpage.patch
  * 0006-krb5-1.12-api.patch
- Renamed patches:
  * 0001-krb5-1.12-pam.patch => 0001-ksu-pam-integration.patch
  * 0003-krb5-1.12-buildconf.patch => 0003-Adjust-build-configuration.patch
  * 0008-krb5-1.12-selinux-label.patch => 0007-SELinux-integration.patch
  * 0009-krb5-1.9-debuginfo.patch => 0008-krb5-1.9-debuginfo.patch
- Deleted patches:
  * 0007-krb5-1.12-ksu-path.patch
- Upgrade to 1.18
  Administrator experience:
    * Remove support for single-DES encryption types.
    * Change the replay cache format to be more efficient and robust.
      Replay cache filenames using the new format end with ".rcache2"
      by default.
    * setuid programs will automatically ignore environment variables
      that normally affect krb5 API functions, even if the caller does
      not use krb5_init_secure_context().
    * Add an "enforce_ok_as_delegate" krb5.conf relation to disable
      credential forwarding during GSSAPI authentication unless the KDC
      sets the ok-as-delegate bit in the service ticket.
    * Use the permitted_enctypes krb5.conf setting as the default value
      for default_tkt_enctypes and default_tgs_enctypes.
  Developer experience:
    * Implement krb5_cc_remove_cred() for all credential cache types.
    * Add the krb5_pac_get_client_info() API to get the client account
      name from a PAC.
  Protocol evolution:
    * Add KDC support for S4U2Self requests where the user is identified
      by X.509 certificate. (Requires support for certificate lookup from
      a third-party KDB module.)
    * Remove support for an old ("draft 9") variant of PKINIT.
    * Add support for Microsoft NegoEx. (Requires one or more third-party
      GSS modules implementing NegoEx mechanisms.)
  User experience:
    * Add support for "dns_canonicalize_hostname=fallback", causing
      host-based principal names to be tried first without DNS
      canonicalization, and again with DNS canonicalization if the
      un-canonicalized server is not found.
    * Expand single-component hostnames in host-based principal names
      when DNS canonicalization is not used, adding the system's first DNS
      search path as a suffix. Add a "qualify_shortname" krb5.conf relation
      to override this suffix or disable expansion.
    * Honor the transited-policy-checked ticket flag on application servers,
      eliminating the requirement to configure capaths on servers in some
      scenarios.
  Code quality:
    * The libkrb5 serialization code (used to export and import krb5 GSS
      security contexts) has been simplified and made type-safe.
    * The libkrb5 code for creating KRB-PRIV, KRB-SAFE, and KRB-CRED
      messages has been revised to conform to current coding practices.
    * The test suite has been modified to work with macOS System Integrity
      Protection enabled.
    * The test suite incorporates soft-pkcs11 so that PKINIT PKCS11 support
      can always be tested.
- Updated patches:
  * 0002-krb5-1.9-manpaths.patch
  * 0004-krb5-1.6.3-gssapi_improve_errormessages.patch
  * 0005-krb5-1.6.3-ktutil-manpage.patch
  * 0006-krb5-1.12-api.patch
- Renamed patches:
  * 0001-krb5-1.12-pam.patch => 0001-ksu-pam-integration.patch
  * 0003-krb5-1.12-buildconf.patch => 0003-Adjust-build-configuration.patch
  * 0008-krb5-1.12-selinux-label.patch => 0007-SELinux-integration.patch
  * 0009-krb5-1.9-debuginfo.patch => 0008-krb5-1.9-debuginfo.patch
- Deleted patches:
  * 0007-krb5-1.12-ksu-path.patch

OBS-URL: https://build.opensuse.org/request/show/777881
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=224
This commit is contained in:
Tomáš Chvátal 2020-02-25 07:55:08 +00:00 committed by Git OBS Bridge
parent 30ac12137f
commit 70aa357ac9
17 changed files with 578 additions and 466 deletions

View File

@ -1,9 +1,7 @@
From 333d843912825435da5c3e62807efb6753946be1 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Mon, 14 Jan 2019 13:05:56 +0100
Subject: [PATCH 1/9] krb5-1.12-pam
Import krb5-1.12-pam.patch
From ff26447c1edc29bf69672f1a55f8bb1c3f20f582 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:29:58 -0400
Subject: [PATCH 1/8] ksu pam integration
Modify ksu so that it performs account and session management on behalf of
the target user account, mimicking the action of regular su. The default
@ -16,26 +14,30 @@ section of /etc/krb5.conf.
When enabled, ksu gains a dependency on libpam.
Originally RT#5939, though it's changed since then to perform the account
and session management before dropping privileges.
and session management before dropping privileges, and to apply on top of
changes we're proposing for how it handles cache collections.
Last-updated: krb5-1.18-beta1
---
src/aclocal.m4 | 67 +++++++
src/aclocal.m4 | 68 +++++++
src/clients/ksu/Makefile.in | 8 +-
src/clients/ksu/main.c | 94 ++++++++-
src/clients/ksu/main.c | 88 +++++++-
src/clients/ksu/pam.c | 389 ++++++++++++++++++++++++++++++++++++
src/clients/ksu/pam.h | 57 ++++++
src/configure.in | 2 +
6 files changed, 614 insertions(+), 3 deletions(-)
src/configure.ac | 2 +
6 files changed, 609 insertions(+), 3 deletions(-)
create mode 100644 src/clients/ksu/pam.c
create mode 100644 src/clients/ksu/pam.h
diff --git a/src/aclocal.m4 b/src/aclocal.m4
index 3752d9bd5..340546d80 100644
index 2394f7e33..53f8b6fb7 100644
--- a/src/aclocal.m4
+++ b/src/aclocal.m4
@@ -1697,3 +1697,70 @@ AC_DEFUN(KRB5_AC_PERSISTENT_KEYRING,[
]))
@@ -1675,3 +1675,71 @@ if test "$with_ldap" = yes; then
OPENLDAP_PLUGIN=yes
fi
])dnl
dnl
+dnl
+dnl
+dnl Use PAM instead of local crypt() compare for checking local passwords,
+dnl and perform PAM account, session management, and password-changing where
@ -104,11 +106,11 @@ index 3752d9bd5..340546d80 100644
+AC_SUBST(NON_PAM_MAN)
+])dnl
diff --git a/src/clients/ksu/Makefile.in b/src/clients/ksu/Makefile.in
index b2fcbf240..5755bb58a 100644
index 8b4edce4d..9d58f29b5 100644
--- a/src/clients/ksu/Makefile.in
+++ b/src/clients/ksu/Makefile.in
@@ -3,12 +3,14 @@ BUILDTOP=$(REL)..$(S)..
DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"'
DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/usr/local/sbin /usr/local/bin /sbin /bin /usr/sbin /usr/bin"'
KSU_LIBS=@KSU_LIBS@
+PAM_LIBS=@PAM_LIBS@
@ -142,7 +144,7 @@ index b2fcbf240..5755bb58a 100644
clean:
$(RM) ksu
diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c
index d9596d948..7a0c7e48b 100644
index 4f03dd8ed..21a4d02bb 100644
--- a/src/clients/ksu/main.c
+++ b/src/clients/ksu/main.c
@@ -26,6 +26,7 @@
@ -172,7 +174,7 @@ index d9596d948..7a0c7e48b 100644
/***********/
#define KS_TEMPORARY_CACHE "MEMORY:_ksu"
@@ -528,6 +534,25 @@ main (argc, argv)
@@ -535,6 +541,23 @@ main (argc, argv)
prog_name,target_user,client_name,
source_user,ontty());
@ -182,13 +184,11 @@ index d9596d948..7a0c7e48b 100644
+ NULL, source_user,
+ ttyname(STDERR_FILENO)) != 0) {
+ fprintf(stderr, "Access denied for %s.\n", target_user);
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+ if (appl_pam_requires_chauthtok()) {
+ fprintf(stderr, "Password change required for %s.\n",
+ target_user);
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+ force_fork++;
@ -198,8 +198,8 @@ index d9596d948..7a0c7e48b 100644
/* Run authorization as target.*/
if (krb5_seteuid(target_uid)) {
com_err(prog_name, errno, _("while switching to target for "
@@ -596,6 +621,26 @@ main (argc, argv)
com_err(prog_name,retval, _("while calling cc_filter"));
@@ -595,6 +618,24 @@ main (argc, argv)
exit(1);
}
+#ifdef USE_PAM
@ -210,13 +210,11 @@ index d9596d948..7a0c7e48b 100644
+ NULL, source_user,
+ ttyname(STDERR_FILENO)) != 0) {
+ fprintf(stderr, "Access denied for %s.\n", target_user);
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+ if (appl_pam_requires_chauthtok()) {
+ fprintf(stderr, "Password change required for %s.\n",
+ target_user);
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+ force_fork++;
@ -224,8 +222,8 @@ index d9596d948..7a0c7e48b 100644
+#endif
}
if (all_rest_copy){
@@ -645,6 +690,32 @@ main (argc, argv)
if( some_rest_copy){
@@ -652,6 +693,30 @@ main (argc, argv)
exit(1);
}
@ -233,7 +231,6 @@ index d9596d948..7a0c7e48b 100644
+ if (appl_pam_enabled(ksu_context, "ksu")) {
+ if (appl_pam_session_open() != 0) {
+ fprintf(stderr, "Error opening session for %s.\n", target_user);
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+#ifdef DEBUG
@ -244,7 +241,6 @@ index d9596d948..7a0c7e48b 100644
+ if (appl_pam_cred_init()) {
+ fprintf(stderr, "Error initializing credentials for %s.\n",
+ target_user);
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+#ifdef DEBUG
@ -258,7 +254,7 @@ index d9596d948..7a0c7e48b 100644
/* set permissions */
if (setgid(target_pwd->pw_gid) < 0) {
perror("ksu: setgid");
@@ -742,7 +813,7 @@ main (argc, argv)
@@ -749,7 +814,7 @@ main (argc, argv)
fprintf(stderr, "program to be execed %s\n",params[0]);
}
@ -267,7 +263,7 @@ index d9596d948..7a0c7e48b 100644
execv(params[0], params);
com_err(prog_name, errno, _("while trying to execv %s"), params[0]);
sweep_up(ksu_context, cc_target);
@@ -772,16 +843,35 @@ main (argc, argv)
@@ -779,16 +844,35 @@ main (argc, argv)
if (ret_pid == -1) {
com_err(prog_name, errno, _("while calling waitpid"));
}
@ -306,7 +302,7 @@ index d9596d948..7a0c7e48b 100644
}
diff --git a/src/clients/ksu/pam.c b/src/clients/ksu/pam.c
new file mode 100644
index 000000000..cbfe48704
index 000000000..eb5d03bbf
--- /dev/null
+++ b/src/clients/ksu/pam.c
@@ -0,0 +1,389 @@
@ -701,7 +697,7 @@ index 000000000..cbfe48704
+#endif
diff --git a/src/clients/ksu/pam.h b/src/clients/ksu/pam.h
new file mode 100644
index 000000000..0ab76569c
index 000000000..d45b9fd84
--- /dev/null
+++ b/src/clients/ksu/pam.h
@@ -0,0 +1,57 @@
@ -762,11 +758,11 @@ index 000000000..0ab76569c
+int appl_pam_cred_init(void);
+void appl_pam_cleanup(void);
+#endif
diff --git a/src/configure.in b/src/configure.in
index 61ef738dc..e9a12ac16 100644
--- a/src/configure.in
+++ b/src/configure.in
@@ -1352,6 +1352,8 @@ AC_SUBST([VERTO_VERSION])
diff --git a/src/configure.ac b/src/configure.ac
index 234f4281c..d1f576124 100644
--- a/src/configure.ac
+++ b/src/configure.ac
@@ -1390,6 +1390,8 @@ AC_SUBST([VERTO_VERSION])
AC_PATH_PROG(GROFF, groff)
@ -776,5 +772,5 @@ index 61ef738dc..e9a12ac16 100644
if test "${localedir+set}" != set; then
localedir='$(datadir)/locale'
--
2.20.1
2.25.0

View File

@ -1,7 +1,7 @@
From 84aceebf6f76934c5d8fa11b0f7cd662542c286a Mon Sep 17 00:00:00 2001
From 852d6a0d81b21673bdcb80ff13bf60dd5a416dd4 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Mon, 14 Jan 2019 13:06:55 +0100
Subject: [PATCH 2/9] krb5-1.9-manpaths
Subject: [PATCH 2/8] krb5-1.9-manpaths
Import krb5-1.9-manpaths.dif
@ -14,7 +14,7 @@ configure scripts should be rebuilt. Originally RT#6525
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/man/kpropd.man b/src/man/kpropd.man
index 38daa5e79..a0106ec5f 100644
index 66de36813..9988dcdf3 100644
--- a/src/man/kpropd.man
+++ b/src/man/kpropd.man
@@ -67,7 +67,7 @@ the \fB/etc/inetd.conf\fP file which looks like this:
@ -27,5 +27,5 @@ index 38daa5e79..a0106ec5f 100644
.fi
.UNINDENT
--
2.20.1
2.25.0

View File

@ -1,15 +1,15 @@
From a04d1b609e0ca89d1ad93faeeafa5b3202cca4df Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Mon, 14 Jan 2019 13:08:07 +0100
Subject: [PATCH 3/9] krb5-1.12-buildconf
Import krb5-1.12-buildconf.patch
From 48abdf7c7b28611c1135b35dfa23ac61899e80b2 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:45:26 -0400
Subject: [PATCH 3/8] Adjust build configuration
Build binaries in this package as RELRO PIEs, libraries as partial RELRO,
and install shared libraries with the execute bit set on them. Prune out
the -L/usr/lib* and PIE flags where they might leak out and affect
apps which just want to link with the libraries. FIXME: needs to check and
not just assume that the compiler supports using these flags.
Last-updated: krb5-1.15-beta1
---
src/build-tools/krb5-config.in | 7 +++++++
src/config/pre.in | 2 +-
@ -48,7 +48,7 @@ index ce87e21ca..164bf8301 100644
## ${prefix}.
prefix=@prefix@
diff --git a/src/config/shlib.conf b/src/config/shlib.conf
index 3e4af6c02..a43736137 100644
index 3e4af6c02..2b20c3fda 100644
--- a/src/config/shlib.conf
+++ b/src/config/shlib.conf
@@ -423,7 +423,7 @@ mips-*-netbsd*)
@ -56,7 +56,7 @@ index 3e4af6c02..a43736137 100644
# Use objdump -x to examine the fields of the library
# UNDEF_CHECK is suppressed by --enable-asan
- LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $(UNDEF_CHECK)'
+ LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $(UNDEF_CHECK) -Wl,-z,relro'
+ LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $(UNDEF_CHECK) -Wl,-z,relro -Wl,--warn-shared-textrel'
UNDEF_CHECK='-Wl,--no-undefined'
# $(EXPORT_CHECK) runs export-check.pl when in maintainer mode.
LDCOMBINE_TAIL='-Wl,--version-script binutils.versions $(EXPORT_CHECK)'
@ -71,5 +71,5 @@ index 3e4af6c02..a43736137 100644
CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)'
CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)'
--
2.20.1
2.25.0

View File

@ -1,7 +1,7 @@
From 3cdd9863a1a7a9a004f3d75e32136bb0be26a32b Mon Sep 17 00:00:00 2001
From c1b8aa3d8546453544fd659ef18b96709eb88e54 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Mon, 14 Jan 2019 13:09:05 +0100
Subject: [PATCH 4/9] krb5-1.6.3-gssapi_improve_errormessages
Subject: [PATCH 4/8] krb5-1.6.3-gssapi_improve_errormessages
Import krb5-1.6.3-gssapi_improve_errormessages.dif
---
@ -22,5 +22,5 @@ index bc416107e..22612f970 100644
*minor_status = ENOMEM;
return(GSS_S_FAILURE);
--
2.20.1
2.25.0

View File

@ -1,7 +1,7 @@
From af0fe879800e72101b6d306c1b510880aec7cdaa Mon Sep 17 00:00:00 2001
From 2a5b2877495384bbe5db8f3b66ac342f83cd45dc Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Mon, 14 Jan 2019 13:14:47 +0100
Subject: [PATCH 5/9] krb5-1.6.3-ktutil-manpage
Subject: [PATCH 5/8] krb5-1.6.3-ktutil-manpage
Import krb5-1.6.3-ktutil-manpage.dif
---
@ -9,10 +9,10 @@ Import krb5-1.6.3-ktutil-manpage.dif
1 file changed, 12 insertions(+)
diff --git a/src/man/ktutil.man b/src/man/ktutil.man
index 4e174c0fe..f6d6ae814 100644
index 233329468..915b41c6e 100644
--- a/src/man/ktutil.man
+++ b/src/man/ktutil.man
@@ -171,6 +171,18 @@ ktutil:
@@ -151,6 +151,18 @@ ktutil:
.sp
See kerberos(7) for a description of Kerberos environment
variables.
@ -32,5 +32,5 @@ index 4e174c0fe..f6d6ae814 100644
.sp
kadmin(1), kdb5_util(8), kerberos(7)
--
2.20.1
2.25.0

View File

@ -1,7 +1,7 @@
From 70039109cc843f4958e89fd674d098c7c89affa8 Mon Sep 17 00:00:00 2001
From b8544a75b273008042fadf51f0b49c00617ff275 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Mon, 14 Jan 2019 13:15:50 +0100
Subject: [PATCH 6/9] krb5-1.12-api
Subject: [PATCH 6/8] krb5-1.12-api
Import krb5-1.12-api.patch
@ -38,5 +38,5 @@ index a6936107d..0ed78833b 100644
/* Treat UPNs as if they were real principals */
if (princ1->type == KRB5_NT_ENTERPRISE_PRINCIPAL) {
--
2.20.1
2.25.0

View File

@ -1,9 +1,7 @@
From e079ae26bbec6bce74e09a980d734fa886ee93b0 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Mon, 14 Jan 2019 13:17:28 +0100
Subject: [PATCH 8/9] krb5-1.12-selinux-label
Import krb5-1.12-selinux-label.patch
From 827413baa8f803ff07e8adc3efaf907ed7faa734 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:30:53 -0400
Subject: [PATCH 7/8] SELinux integration
SELinux bases access to files on the domain of the requesting process,
the operation being performed, and the context applied to the file.
@ -37,22 +35,24 @@ stomp all over us.
The selabel APIs for looking up the context should be thread-safe (per
Red Hat #273081), so switching to using them instead of matchpathcon(),
which we used earlier, is some improvement.
Last-updated: krb5-1.18-beta1
---
src/aclocal.m4 | 49 +++
src/build-tools/krb5-config.in | 3 +-
src/config/pre.in | 3 +-
src/configure.in | 2 +
src/configure.ac | 2 +
src/include/k5-int.h | 1 +
src/include/k5-label.h | 32 ++
src/include/krb5/krb5.hin | 6 +
src/kadmin/dbutil/dump.c | 11 +-
src/kdc/main.c | 2 +-
src/kprop/kpropd.c | 9 +
src/lib/kadm5/logger.c | 4 +-
src/lib/kdb/kdb_log.c | 2 +-
src/lib/krb5/ccache/cc_dir.c | 26 +-
src/lib/krb5/keytab/kt_file.c | 4 +-
src/lib/krb5/os/trace.c | 2 +-
src/lib/krb5/rcache/rc_dfl.c | 13 +
src/plugins/kdb/db2/adb_openclose.c | 2 +-
src/plugins/kdb/db2/kdb_db2.c | 4 +-
src/plugins/kdb/db2/libdb2/btree/bt_open.c | 3 +-
@ -61,13 +61,13 @@ which we used earlier, is some improvement.
.../kdb/ldap/ldap_util/kdb5_ldap_services.c | 11 +-
src/util/profile/prof_file.c | 3 +-
src/util/support/Makefile.in | 3 +-
src/util/support/selinux.c | 381 ++++++++++++++++++
24 files changed, 553 insertions(+), 21 deletions(-)
src/util/support/selinux.c | 406 ++++++++++++++++++
24 files changed, 574 insertions(+), 21 deletions(-)
create mode 100644 src/include/k5-label.h
create mode 100644 src/util/support/selinux.c
diff --git a/src/aclocal.m4 b/src/aclocal.m4
index 340546d80..4440ec5f8 100644
index 53f8b6fb7..b0d1a5337 100644
--- a/src/aclocal.m4
+++ b/src/aclocal.m4
@@ -89,6 +89,7 @@ AC_SUBST_FILE(libnodeps_frag)
@ -78,7 +78,7 @@ index 340546d80..4440ec5f8 100644
KRB5_LIB_PARAMS
KRB5_AC_INITFINI
KRB5_AC_ENABLE_THREADS
@@ -1764,3 +1765,51 @@ AC_SUBST(PAM_LIBS)
@@ -1743,3 +1744,51 @@ AC_SUBST(PAM_LIBS)
AC_SUBST(PAM_MAN)
AC_SUBST(NON_PAM_MAN)
])dnl
@ -172,11 +172,11 @@ index 164bf8301..a8540ae2a 100644
KDB5_LIBS = $(KDB5_LIB) $(GSSRPC_LIBS)
GSS_LIBS = $(GSS_KRB5_LIB)
# needs fixing if ever used on macOS!
diff --git a/src/configure.in b/src/configure.in
index e9a12ac16..93aec682e 100644
--- a/src/configure.in
+++ b/src/configure.in
@@ -1354,6 +1354,8 @@ AC_PATH_PROG(GROFF, groff)
diff --git a/src/configure.ac b/src/configure.ac
index d1f576124..440a22bd9 100644
--- a/src/configure.ac
+++ b/src/configure.ac
@@ -1392,6 +1392,8 @@ AC_PATH_PROG(GROFF, groff)
KRB5_WITH_PAM
@ -186,17 +186,17 @@ index e9a12ac16..93aec682e 100644
if test "${localedir+set}" != set; then
localedir='$(datadir)/locale'
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 652242207..7190a8f55 100644
index 9616b24bf..0d9af3d95 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -126,6 +126,7 @@ typedef unsigned char u_char;
#endif /* HAVE_SYS_TYPES_H */
#endif /* KRB5_SYSTYPES__ */
@@ -128,6 +128,7 @@ typedef unsigned char u_char;
+#include "k5-label.h"
#include "k5-platform.h"
+#include "k5-label.h"
#define KRB5_KDB_MAX_LIFE (60*60*24) /* one day */
#define KRB5_KDB_MAX_RLIFE (60*60*24*7) /* one week */
diff --git a/src/include/k5-label.h b/src/include/k5-label.h
new file mode 100644
index 000000000..dfaaa847c
@ -236,7 +236,7 @@ index 000000000..dfaaa847c
+#endif
+#endif
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index c40a6cca8..3ff86d7ff 100644
index d48685357..d1f5661bf 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -87,6 +87,12 @@
@ -253,7 +253,7 @@ index c40a6cca8..3ff86d7ff 100644
#include <stdlib.h>
diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c
index c9574c6e1..8301a33d0 100644
index 301e3476d..19f2cc230 100644
--- a/src/kadmin/dbutil/dump.c
+++ b/src/kadmin/dbutil/dump.c
@@ -148,12 +148,21 @@ create_ofile(char *ofile, char **tmpname)
@ -288,10 +288,10 @@ index c9574c6e1..8301a33d0 100644
com_err(progname, errno, _("while creating 'ok' file, '%s'"), file_ok);
goto cleanup;
diff --git a/src/kdc/main.c b/src/kdc/main.c
index 408c723f5..663fd6303 100644
index fdcd694d7..1ede4bf2f 100644
--- a/src/kdc/main.c
+++ b/src/kdc/main.c
@@ -858,7 +858,7 @@ write_pid_file(const char *path)
@@ -872,7 +872,7 @@ write_pid_file(const char *path)
FILE *file;
unsigned long pid;
@ -300,6 +300,36 @@ index 408c723f5..663fd6303 100644
if (file == NULL)
return errno;
pid = (unsigned long) getpid();
diff --git a/src/kprop/kpropd.c b/src/kprop/kpropd.c
index 5622d56e1..356e3e0e6 100644
--- a/src/kprop/kpropd.c
+++ b/src/kprop/kpropd.c
@@ -487,6 +487,9 @@ doit(int fd)
krb5_enctype etype;
int database_fd;
char host[INET6_ADDRSTRLEN + 1];
+#ifdef USE_SELINUX
+ void *selabel;
+#endif
signal_wrapper(SIGALRM, alarm_handler);
alarm(params.iprop_resync_timeout);
@@ -542,9 +545,15 @@ doit(int fd)
free(name);
exit(1);
}
+#ifdef USE_SELINUX
+ selabel = krb5int_push_fscreatecon_for(file);
+#endif
omask = umask(077);
lock_fd = open(temp_file_name, O_RDWR | O_CREAT, 0600);
(void)umask(omask);
+#ifdef USE_SELINUX
+ krb5int_pop_fscreatecon(selabel);
+#endif
retval = krb5_lock_file(kpropd_context, lock_fd,
KRB5_LOCKMODE_EXCLUSIVE | KRB5_LOCKMODE_DONTBLOCK);
if (retval) {
diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c
index c6885edf2..9aec3c05e 100644
--- a/src/lib/kadm5/logger.c
@ -323,20 +353,20 @@ index c6885edf2..9aec3c05e 100644
set_cloexec_file(f);
log_control.log_entries[lindex].lfu_filep = f;
diff --git a/src/lib/kdb/kdb_log.c b/src/lib/kdb/kdb_log.c
index 2659a2501..a1cd38f4c 100644
index 2659a2501..e9b95fce5 100644
--- a/src/lib/kdb/kdb_log.c
+++ b/src/lib/kdb/kdb_log.c
@@ -491,7 +491,7 @@ ulog_map(krb5_context context, const char *logname, uint32_t ulogentries)
if (retval)
goto cleanup;
} else {
- log_ctx->ulogfd = open(logname, O_RDWR, 0600);
@@ -480,7 +480,7 @@ ulog_map(krb5_context context, const char *logname, uint32_t ulogentries)
return ENOMEM;
if (stat(logname, &st) == -1) {
- log_ctx->ulogfd = open(logname, O_RDWR | O_CREAT, 0600);
+ log_ctx->ulogfd = THREEPARAMOPEN(logname, O_RDWR | O_CREAT, 0600);
if (log_ctx->ulogfd == -1) {
retval = errno;
goto cleanup;
diff --git a/src/lib/krb5/ccache/cc_dir.c b/src/lib/krb5/ccache/cc_dir.c
index bba64e516..73f0fe62d 100644
index 7b100a0ec..5683a0433 100644
--- a/src/lib/krb5/ccache/cc_dir.c
+++ b/src/lib/krb5/ccache/cc_dir.c
@@ -183,10 +183,19 @@ write_primary_file(const char *primary_path, const char *contents)
@ -386,10 +416,10 @@ index bba64e516..73f0fe62d 100644
_("Credential cache directory %s does not exist"),
dirname);
diff --git a/src/lib/krb5/keytab/kt_file.c b/src/lib/krb5/keytab/kt_file.c
index 89cb68680..21c80d419 100644
index 021c94398..aaf573439 100644
--- a/src/lib/krb5/keytab/kt_file.c
+++ b/src/lib/krb5/keytab/kt_file.c
@@ -1024,14 +1024,14 @@ krb5_ktfileint_open(krb5_context context, krb5_keytab id, int mode)
@@ -735,14 +735,14 @@ krb5_ktfileint_open(krb5_context context, krb5_keytab id, int mode)
KTCHECKLOCK(id);
errno = 0;
@ -407,7 +437,7 @@ index 89cb68680..21c80d419 100644
goto report_errno;
writevno = 1;
diff --git a/src/lib/krb5/os/trace.c b/src/lib/krb5/os/trace.c
index 4fff8f38c..40a9e7b10 100644
index 2a03ae980..85dbfeb47 100644
--- a/src/lib/krb5/os/trace.c
+++ b/src/lib/krb5/os/trace.c
@@ -458,7 +458,7 @@ krb5_set_trace_filename(krb5_context context, const char *filename)
@ -419,38 +449,6 @@ index 4fff8f38c..40a9e7b10 100644
if (*fd == -1) {
free(fd);
return errno;
diff --git a/src/lib/krb5/rcache/rc_dfl.c b/src/lib/krb5/rcache/rc_dfl.c
index 1e0cb22c9..f5e93b1ab 100644
--- a/src/lib/krb5/rcache/rc_dfl.c
+++ b/src/lib/krb5/rcache/rc_dfl.c
@@ -793,6 +793,9 @@ krb5_rc_dfl_expunge_locked(krb5_context context, krb5_rcache id)
krb5_error_code retval = 0;
krb5_rcache tmp;
krb5_deltat lifespan = t->lifespan; /* save original lifespan */
+#ifdef USE_SELINUX
+ void *selabel;
+#endif
if (! t->recovering) {
name = t->name;
@@ -814,7 +817,17 @@ krb5_rc_dfl_expunge_locked(krb5_context context, krb5_rcache id)
retval = krb5_rc_resolve(context, tmp, 0);
if (retval)
goto cleanup;
+#ifdef USE_SELINUX
+ if (t->d.fn != NULL)
+ selabel = krb5int_push_fscreatecon_for(t->d.fn);
+ else
+ selabel = NULL;
+#endif
retval = krb5_rc_initialize(context, tmp, lifespan);
+#ifdef USE_SELINUX
+ if (selabel != NULL)
+ krb5int_pop_fscreatecon(selabel);
+#endif
if (retval)
goto cleanup;
for (q = t->a; q; q = q->na) {
diff --git a/src/plugins/kdb/db2/adb_openclose.c b/src/plugins/kdb/db2/adb_openclose.c
index 7db30a33b..2b9d01921 100644
--- a/src/plugins/kdb/db2/adb_openclose.c
@ -544,10 +542,10 @@ index d8b26e701..b0daa7c02 100644
if (fname != NULL && fcntl(rfd, F_SETFD, 1) == -1) {
diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
index 1ed72afe9..ce038fc3d 100644
index b92cb58c7..0a95101ad 100644
--- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
+++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
@@ -194,7 +194,7 @@ kdb5_ldap_stash_service_password(int argc, char **argv)
@@ -190,7 +190,7 @@ kdb5_ldap_stash_service_password(int argc, char **argv)
/* set password in the file */
old_mode = umask(0177);
@ -556,7 +554,7 @@ index 1ed72afe9..ce038fc3d 100644
if (pfile == NULL) {
com_err(me, errno, _("Failed to open file %s: %s"), file_name,
strerror (errno));
@@ -235,6 +235,9 @@ kdb5_ldap_stash_service_password(int argc, char **argv)
@@ -231,6 +231,9 @@ kdb5_ldap_stash_service_password(int argc, char **argv)
* Delete the existing entry and add the new entry
*/
FILE *newfile;
@ -566,7 +564,7 @@ index 1ed72afe9..ce038fc3d 100644
mode_t omask;
@@ -246,7 +249,13 @@ kdb5_ldap_stash_service_password(int argc, char **argv)
@@ -242,7 +245,13 @@ kdb5_ldap_stash_service_password(int argc, char **argv)
}
omask = umask(077);
@ -581,7 +579,7 @@ index 1ed72afe9..ce038fc3d 100644
if (newfile == NULL) {
com_err(me, errno, _("Error creating file %s"), tmp_file);
diff --git a/src/util/profile/prof_file.c b/src/util/profile/prof_file.c
index 24e41fb80..0dcb6b543 100644
index aa951df05..79f9500f6 100644
--- a/src/util/profile/prof_file.c
+++ b/src/util/profile/prof_file.c
@@ -33,6 +33,7 @@
@ -602,10 +600,10 @@ index 24e41fb80..0dcb6b543 100644
retval = errno;
if (retval == 0)
diff --git a/src/util/support/Makefile.in b/src/util/support/Makefile.in
index db7b030b8..321672bcb 100644
index 86d5a950a..1052d53a1 100644
--- a/src/util/support/Makefile.in
+++ b/src/util/support/Makefile.in
@@ -69,6 +69,7 @@ IPC_SYMS= \
@@ -74,6 +74,7 @@ IPC_SYMS= \
STLIBOBJS= \
threads.o \
@ -613,7 +611,7 @@ index db7b030b8..321672bcb 100644
init-addrinfo.o \
plugins.o \
errors.o \
@@ -160,7 +161,7 @@ SRCS=\
@@ -168,7 +169,7 @@ SRCS=\
SHLIB_EXPDEPS =
# Add -lm if dumping thread stats, for sqrt.
@ -624,12 +622,12 @@ index db7b030b8..321672bcb 100644
diff --git a/src/util/support/selinux.c b/src/util/support/selinux.c
new file mode 100644
index 000000000..ffba6a9ff
index 000000000..6d41f3244
--- /dev/null
+++ b/src/util/support/selinux.c
@@ -0,0 +1,381 @@
@@ -0,0 +1,406 @@
+/*
+ * Copyright 2007,2008,2009,2011,2012,2013 Red Hat, Inc. All Rights Reserved.
+ * Copyright 2007,2008,2009,2011,2012,2013,2016 Red Hat, Inc. All Rights Reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
@ -667,8 +665,10 @@ index 000000000..ffba6a9ff
+
+#include <k5-label.h>
+#include <k5-platform.h>
+
+#include <sys/types.h>
+#include <sys/stat.h>
+
+#include <errno.h>
+#include <fcntl.h>
+#include <limits.h>
@ -678,13 +678,26 @@ index 000000000..ffba6a9ff
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <selinux/selinux.h>
+#include <selinux/context.h>
+#ifdef HAVE_SELINUX_LABEL_H
+#include <selinux/label.h>
+#endif
+
+/* #define DEBUG 1 */
+static void
+debug_log(const char *fmt, ...)
+{
+#ifdef DEBUG
+ va_list ap;
+ va_start(ap, fmt);
+ if (isatty(fileno(stderr))) {
+ vfprintf(stderr, fmt, ap);
+ }
+ va_end(ap);
+#endif
+
+ return;
+}
+
+/* Mutex used to serialize use of the process-global file creation context. */
+k5_mutex_t labeled_mutex = K5_MUTEX_PARTIAL_INITIALIZER;
@ -697,7 +710,6 @@ index 000000000..ffba6a9ff
+ k5_mutex_finish_init(&labeled_mutex);
+}
+
+#ifdef HAVE_SELINUX_LABEL_H
+static struct selabel_handle *selabel_ctx;
+static time_t selabel_last_changed;
+
@ -711,7 +723,6 @@ index 000000000..ffba6a9ff
+ selabel_ctx = NULL;
+ }
+}
+#endif
+
+static security_context_t
+push_fscreatecon(const char *pathname, mode_t mode)
@ -719,164 +730,159 @@ index 000000000..ffba6a9ff
+ security_context_t previous, configuredsc, currentsc, derivedsc;
+ context_t current, derived;
+ const char *fullpath, *currentuser;
+
+ previous = NULL;
+ if (is_selinux_enabled()) {
+ if (getfscreatecon(&previous) == 0) {
+ char *genpath;
+
+ previous = configuredsc = currentsc = derivedsc = NULL;
+ current = derived = NULL;
+ genpath = NULL;
+
+ fullpath = pathname;
+
+ if (!is_selinux_enabled()) {
+ goto fail;
+ }
+
+ if (getfscreatecon(&previous) != 0) {
+ goto fail;
+ }
+
+ /* Canonicalize pathname */
+ if (pathname[0] != '/') {
+ char *wd;
+ size_t len;
+ len = 0;
+
+ wd = getcwd(NULL, len);
+ if (wd == NULL) {
+ if (previous != NULL) {
+ freecon(previous);
+ }
+ return NULL;
+ goto fail;
+ }
+
+ len = strlen(wd) + 1 + strlen(pathname) + 1;
+ genpath = malloc(len);
+ if (genpath == NULL) {
+ free(wd);
+ if (previous != NULL) {
+ freecon(previous);
+ }
+ return NULL;
+ goto fail;
+ }
+
+ sprintf(genpath, "%s/%s", wd, pathname);
+ free(wd);
+ fullpath = genpath;
+ } else {
+ fullpath = pathname;
+ }
+#ifdef DEBUG
+ if (isatty(fileno(stderr))) {
+ fprintf(stderr, "Looking up context for "
+ "\"%s\"(%05o).\n", fullpath, mode);
+ }
+#endif
+ configuredsc = NULL;
+#ifdef HAVE_SELINUX_LABEL_H
+ if ((selabel_ctx != NULL) ||
+ (selabel_last_changed == 0)) {
+
+ debug_log("Looking up context for \"%s\"(%05o).\n", fullpath, mode);
+
+ /* Check whether context file has changed under us */
+ if (selabel_ctx != NULL || selabel_last_changed == 0) {
+ const char *cpath;
+ struct stat st;
+ int i = -1;
+
+ cpath = selinux_file_context_path();
+ if ((cpath == NULL) ||
+ ((i = stat(cpath, &st)) != 0) ||
+ (st.st_mtime != selabel_last_changed)) {
+ if (selabel_ctx != NULL) {
+ selabel_close(selabel_ctx);
+ selabel_ctx = NULL;
+ }
+ selabel_last_changed = i ?
+ time(NULL) :
+ st.st_mtime;
+ if (cpath == NULL || (i = stat(cpath, &st)) != 0 ||
+ st.st_mtime != selabel_last_changed) {
+ cleanup_fscreatecon();
+
+ selabel_last_changed = i ? time(NULL) : st.st_mtime;
+ }
+ }
+
+ if (selabel_ctx == NULL) {
+ selabel_ctx = selabel_open(SELABEL_CTX_FILE,
+ NULL, 0);
+ selabel_ctx = selabel_open(SELABEL_CTX_FILE, NULL, 0);
+ }
+ if (selabel_ctx != NULL) {
+ if (selabel_lookup(selabel_ctx, &configuredsc,
+ fullpath, mode) != 0) {
+
+ if (selabel_ctx != NULL &&
+ selabel_lookup(selabel_ctx, &configuredsc, fullpath, mode) != 0) {
+ goto fail;
+ }
+
+ if (genpath != NULL) {
+ free(genpath);
+ if (previous != NULL) {
+ freecon(previous);
+ genpath = NULL;
+ }
+ return NULL;
+ }
+ }
+#else
+ if (matchpathcon(fullpath, mode, &configuredsc) != 0) {
+ free(genpath);
+ if (previous != NULL) {
+ freecon(previous);
+ }
+ return NULL;
+ }
+#endif
+ free(genpath);
+
+ if (configuredsc == NULL) {
+ if (previous != NULL) {
+ freecon(previous);
+ goto fail;
+ }
+ return NULL;
+ }
+ currentsc = NULL;
+
+ getcon(&currentsc);
+
+ /* AAAAAAAA */
+ if (currentsc != NULL) {
+ derived = context_new(configuredsc);
+
+ if (derived != NULL) {
+ current = context_new(currentsc);
+
+ if (current != NULL) {
+ currentuser = context_user_get(current);
+
+ if (currentuser != NULL) {
+ if (context_user_set(derived,
+ currentuser) == 0) {
+ derivedsc = context_str(derived);
+
+ if (derivedsc != NULL) {
+ freecon(configuredsc);
+ configuredsc = strdup(derivedsc);
+ }
+ }
+ }
+
+ context_free(current);
+ }
+
+ context_free(derived);
+ }
+
+ freecon(currentsc);
+ }
+#ifdef DEBUG
+ if (isatty(fileno(stderr))) {
+ fprintf(stderr, "Setting file creation context "
+ "to \"%s\".\n", configuredsc);
+ }
+#endif
+
+ debug_log("Setting file creation context to \"%s\".\n", configuredsc);
+ if (setfscreatecon(configuredsc) != 0) {
+ debug_log("Unable to determine current context.\n");
+ goto fail;
+ }
+
+ freecon(configuredsc);
+ return previous;
+
+fail:
+ if (previous != NULL) {
+ freecon(previous);
+ }
+ return NULL;
+ if (genpath != NULL) {
+ free(genpath);
+ }
+ if (configuredsc != NULL) {
+ freecon(configuredsc);
+#ifdef DEBUG
+ } else {
+ if (isatty(fileno(stderr))) {
+ fprintf(stderr, "Unable to determine "
+ "current context.\n");
+ }
+#endif
+ }
+ }
+ return previous;
+
+ cleanup_fscreatecon();
+ return NULL;
+}
+
+static void
+pop_fscreatecon(security_context_t previous)
+{
+ if (is_selinux_enabled()) {
+#ifdef DEBUG
+ if (isatty(fileno(stderr))) {
+ if (!is_selinux_enabled()) {
+ return;
+ }
+
+ if (previous != NULL) {
+ fprintf(stderr, "Resetting file creation "
+ "context to \"%s\".\n", previous);
+ debug_log("Resetting file creation context to \"%s\".\n", previous);
+ } else {
+ fprintf(stderr, "Resetting file creation "
+ "context to default.\n");
+ debug_log("Resetting file creation context to default.\n");
+ }
+ }
+#endif
+
+ /* NULL resets to default */
+ setfscreatecon(previous);
+
+ if (previous != NULL) {
+ freecon(previous);
+ }
+ }
+
+ /* Need to clean this up here otherwise it leaks */
+ cleanup_fscreatecon();
+}
+
+void *
@ -884,11 +890,14 @@ index 000000000..ffba6a9ff
+{
+ struct stat st;
+ void *retval;
+
+ k5_once(&labeled_once, label_mutex_init);
+ k5_mutex_lock(&labeled_mutex);
+
+ if (stat(pathname, &st) != 0) {
+ st.st_mode = S_IRUSR | S_IWUSR;
+ }
+
+ retval = push_fscreatecon(pathname, st.st_mode);
+ return retval ? retval : (void *) -1;
+}
@ -917,10 +926,13 @@ index 000000000..ffba6a9ff
+ k5_once(&labeled_once, label_mutex_init);
+ k5_mutex_lock(&labeled_mutex);
+ ctx = push_fscreatecon(path, 0);
+
+ fp = fopen(path, mode);
+ errno_save = errno;
+
+ pop_fscreatecon(ctx);
+ k5_mutex_unlock(&labeled_mutex);
+
+ errno = errno_save;
+ return fp;
+}
@ -935,10 +947,13 @@ index 000000000..ffba6a9ff
+ k5_once(&labeled_once, label_mutex_init);
+ k5_mutex_lock(&labeled_mutex);
+ ctx = push_fscreatecon(path, 0);
+
+ fd = creat(path, mode);
+ errno_save = errno;
+
+ pop_fscreatecon(ctx);
+ k5_mutex_unlock(&labeled_mutex);
+
+ errno = errno_save;
+ return fd;
+}
@ -953,10 +968,13 @@ index 000000000..ffba6a9ff
+ k5_once(&labeled_once, label_mutex_init);
+ k5_mutex_lock(&labeled_mutex);
+ ctx = push_fscreatecon(path, mode);
+
+ ret = mknod(path, mode, dev);
+ errno_save = errno;
+
+ pop_fscreatecon(ctx);
+ k5_mutex_unlock(&labeled_mutex);
+
+ errno = errno_save;
+ return ret;
+}
@ -971,10 +989,13 @@ index 000000000..ffba6a9ff
+ k5_once(&labeled_once, label_mutex_init);
+ k5_mutex_lock(&labeled_mutex);
+ ctx = push_fscreatecon(path, S_IFDIR);
+
+ ret = mkdir(path, mode);
+ errno_save = errno;
+
+ pop_fscreatecon(ctx);
+ k5_mutex_unlock(&labeled_mutex);
+
+ errno = errno_save;
+ return ret;
+}
@ -1002,13 +1023,15 @@ index 000000000..ffba6a9ff
+ va_end(ap);
+
+ errno_save = errno;
+
+ pop_fscreatecon(ctx);
+ k5_mutex_unlock(&labeled_mutex);
+
+ errno = errno_save;
+ return fd;
+}
+
+#endif
+#endif /* USE_SELINUX */
--
2.20.1
2.25.0

View File

@ -1,27 +0,0 @@
From 2af2add95fdd3973437cd0ce5ca1794afb461227 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Mon, 14 Jan 2019 13:16:29 +0100
Subject: [PATCH 7/9] krb5-1.12-ksu
Import krb5-1.12-ksu-path.patch
Set the default PATH to the one set by login.
---
src/clients/ksu/Makefile.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/clients/ksu/Makefile.in b/src/clients/ksu/Makefile.in
index 5755bb58a..9d58f29b5 100644
--- a/src/clients/ksu/Makefile.in
+++ b/src/clients/ksu/Makefile.in
@@ -1,6 +1,6 @@
mydir=clients$(S)ksu
BUILDTOP=$(REL)..$(S)..
-DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"'
+DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/usr/local/sbin /usr/local/bin /sbin /bin /usr/sbin /usr/bin"'
KSU_LIBS=@KSU_LIBS@
PAM_LIBS=@PAM_LIBS@
--
2.20.1

View File

@ -1,7 +1,7 @@
From ea232e6646a96e0b1dff41b1b1e0b30f95214ebe Mon Sep 17 00:00:00 2001
From f079a7f765dc76eb01ba80fb7214ee0d25116e59 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Mon, 14 Jan 2019 13:18:16 +0100
Subject: [PATCH 9/9] krb5-1.9-debuginfo
Subject: [PATCH 8/8] krb5-1.9-debuginfo
Import krb5-1.9-debuginfo.patch
@ -14,7 +14,7 @@ could mess up people working in the tree on other things.
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/kadmin/cli/Makefile.in b/src/kadmin/cli/Makefile.in
index adfea6e2b..d1327e400 100644
index adfea6e2b..8e89cf03b 100644
--- a/src/kadmin/cli/Makefile.in
+++ b/src/kadmin/cli/Makefile.in
@@ -37,3 +37,8 @@ clean-unix::
@ -40,5 +40,5 @@ index 8669c2436..a22f23c02 100644
install:
$(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG)
--
2.20.1
2.25.0

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:3706d7ec2eaa773e0e32d3a87bf742ebaecae7d064e190443a3acddfd8afb181
size 8765399

View File

@ -1,17 +0,0 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAABAgAGBQJd8SakAAoJEAy6CFdfg3LfzPUQAInzRX82JRJ/ifavyqshMjNH
ytk606xteguemUrCQXL8tmoxSaUqijeOcTTEdWqi/yGL33vxNZs7wrJqAWaxRR91
A98wW51AVbgy1QLtX86KfhZ3tBSIr3NtjIvvu5AjrL2oGUCiIOZeBNkM3YGxMIz6
KM2A1rb0qPLalGhK6OVtfDUrlT2c+kQYCxy8AdIaKjiD9aUqjAhg7wCXyHZm8Bi6
MoVNRG5xNXfKvXZFvvmB5hPJOt5YECaXxuC+GgpI7o8hh6KjtwgxNtBBwTYiDH90
2TY99BTlrT1XjlG4tFcwHCMmtusLmHwVo1OoIdWPGp9mLN3YTRt68mC4FQO885Gp
EhTJ6D9JOTMob0AtCQBgjC8ljiJ6fuG2GNKDeLaUstu0B+Bs6fGEknwVA0U5ZtkU
kD5KM/OLh+bZ27Oi3MdPMBnP97S7se7boOC88pB3SLmJWrGccVZPi3aKiH41hoIW
sxh0FEES8+OZJn0tqfddH/cJzgQ6WKMsTfRJGPphpoWvQt9AI1fZXNuE2baz032X
vAjEeaNQEKGAFgl2itZj1J++iV2EmmhfJcVkdAThxHKZj3AeENW+Yf7VDQ6JRhZg
mo/lGkz0TNSrnuQacVmXDa3SQIwD0YDaMe/NDNDwhEm0thUc5EWTBZf6BaB/Dk3K
E4aCwEtUAedJ99W4/PUd
=NHqs
-----END PGP SIGNATURE-----

3
krb5-1.18.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:73913934d711dcf9d5f5605803578edb44b9a11786df3c1b2711f4e1752f2c88
size 8706395

17
krb5-1.18.tar.gz.asc Normal file
View File

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAABAgAGBQJeREfJAAoJEAy6CFdfg3Lf0sQP/3CCIesW9hqBxbcy9E7RYpfD
P/MPZ7WpCfOlvgzo3BuDvQGp1WTV+53RP0RPvttSeFnI0clEd6Er4oYE9MmcLjc7
URyNttUT/vIDbUDHR7ac6zdHM313Z3h30vKL8aEtClg3BhIOI4GJUilEaBeRgEY8
KYxGvH5M4mmBYDSkELayp/a1El8QEia1sivSerBs/zZQjqUoogmQ0f1pqZUx0nTC
A+GowpYniz6FEkIRpGVRFuOFbFEuHWMLU33OSxpvHAf/0x1D5wkRJ4EHFFcYhrLu
T1FvOQGSbUVUXi81bzOhwQOVzZdPk0rc5Q8SLqTefcjNjTIJ+MAxCV1qxv8xpM/X
VtuyrtJLrDTcqa2hqhHfMVQUcRwSnmotic81GJ1BFowMZCNRgyaCWP+K7KI7OCLF
ajPmG+Yr/eDao3JavCME6OdLLS/ARTK/JtR1YOS+kPeaBKjkVtXM9y6kGsUuzXIR
8cyAvlBAIKiFrLWhV44emOEDhzxS9bbgTGQEEQNP6blDjMcNe5PpbZ1opDv9F3kc
Ga4h0/XZmYrijn0NvzG1szBD8j+vatHlQVaQtw7t7Rt+jMF9TtOTgQy8MD+h3hSx
1J8GDFlXHGbYdnRnBZWGHeJ1fZaqTpY4D4erDfOHXjH4kCm3Y7Zlaj6eDb0NMzkr
umorBypPT9mnce2aS43h
=jxUB
-----END PGP SIGNATURE-----

View File

@ -1,3 +1,65 @@
-------------------------------------------------------------------
Mon Feb 17 17:26:16 UTC 2020 - Samuel Cabrero <scabrero@suse.de>
- Upgrade to 1.18
Administrator experience:
* Remove support for single-DES encryption types.
* Change the replay cache format to be more efficient and robust.
Replay cache filenames using the new format end with ".rcache2"
by default.
* setuid programs will automatically ignore environment variables
that normally affect krb5 API functions, even if the caller does
not use krb5_init_secure_context().
* Add an "enforce_ok_as_delegate" krb5.conf relation to disable
credential forwarding during GSSAPI authentication unless the KDC
sets the ok-as-delegate bit in the service ticket.
* Use the permitted_enctypes krb5.conf setting as the default value
for default_tkt_enctypes and default_tgs_enctypes.
Developer experience:
* Implement krb5_cc_remove_cred() for all credential cache types.
* Add the krb5_pac_get_client_info() API to get the client account
name from a PAC.
Protocol evolution:
* Add KDC support for S4U2Self requests where the user is identified
by X.509 certificate. (Requires support for certificate lookup from
a third-party KDB module.)
* Remove support for an old ("draft 9") variant of PKINIT.
* Add support for Microsoft NegoEx. (Requires one or more third-party
GSS modules implementing NegoEx mechanisms.)
User experience:
* Add support for "dns_canonicalize_hostname=fallback", causing
host-based principal names to be tried first without DNS
canonicalization, and again with DNS canonicalization if the
un-canonicalized server is not found.
* Expand single-component hostnames in host-based principal names
when DNS canonicalization is not used, adding the system's first DNS
search path as a suffix. Add a "qualify_shortname" krb5.conf relation
to override this suffix or disable expansion.
* Honor the transited-policy-checked ticket flag on application servers,
eliminating the requirement to configure capaths on servers in some
scenarios.
Code quality:
* The libkrb5 serialization code (used to export and import krb5 GSS
security contexts) has been simplified and made type-safe.
* The libkrb5 code for creating KRB-PRIV, KRB-SAFE, and KRB-CRED
messages has been revised to conform to current coding practices.
* The test suite has been modified to work with macOS System Integrity
Protection enabled.
* The test suite incorporates soft-pkcs11 so that PKINIT PKCS11 support
can always be tested.
- Updated patches:
* 0002-krb5-1.9-manpaths.patch
* 0004-krb5-1.6.3-gssapi_improve_errormessages.patch
* 0005-krb5-1.6.3-ktutil-manpage.patch
* 0006-krb5-1.12-api.patch
- Renamed patches:
* 0001-krb5-1.12-pam.patch => 0001-ksu-pam-integration.patch
* 0003-krb5-1.12-buildconf.patch => 0003-Adjust-build-configuration.patch
* 0008-krb5-1.12-selinux-label.patch => 0007-SELinux-integration.patch
* 0009-krb5-1.9-debuginfo.patch => 0008-krb5-1.9-debuginfo.patch
- Deleted patches:
* 0007-krb5-1.12-ksu-path.patch
-------------------------------------------------------------------
Thu Dec 12 08:56:09 UTC 2019 - Samuel Cabrero <scabrero@suse.de>

View File

@ -1,7 +1,7 @@
#
# spec file for package krb5-mini
#
# Copyright (c) 2019 SUSE LLC
# Copyright (c) 2020 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -26,7 +26,7 @@
%define krb5docdir %{_defaultdocdir}/krb5
Name: krb5-mini
Version: 1.17.1
Version: 1.18
Release: 0
Summary: MIT Kerberos5 implementation and libraries with minimal dependencies
License: MIT
@ -59,15 +59,14 @@ Source3: vendor-files.tar.bz2
Source4: baselibs.conf
Source5: krb5-rpmlintrc
Source6: krb5.tmpfiles
Patch1: 0001-krb5-1.12-pam.patch
Patch1: 0001-ksu-pam-integration.patch
Patch2: 0002-krb5-1.9-manpaths.patch
Patch3: 0003-krb5-1.12-buildconf.patch
Patch3: 0003-Adjust-build-configuration.patch
Patch4: 0004-krb5-1.6.3-gssapi_improve_errormessages.patch
Patch5: 0005-krb5-1.6.3-ktutil-manpage.patch
Patch6: 0006-krb5-1.12-api.patch
Patch7: 0007-krb5-1.12-ksu-path.patch
Patch8: 0008-krb5-1.12-selinux-label.patch
Patch9: 0009-krb5-1.9-debuginfo.patch
Patch7: 0007-SELinux-integration.patch
Patch8: 0008-krb5-1.9-debuginfo.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: %fillup_prereq
@ -109,7 +108,6 @@ Include Files for Development
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%build
# needs to be re-generated

View File

@ -1,3 +1,65 @@
-------------------------------------------------------------------
Mon Feb 17 17:26:16 UTC 2020 - Samuel Cabrero <scabrero@suse.de>
- Upgrade to 1.18
Administrator experience:
* Remove support for single-DES encryption types.
* Change the replay cache format to be more efficient and robust.
Replay cache filenames using the new format end with ".rcache2"
by default.
* setuid programs will automatically ignore environment variables
that normally affect krb5 API functions, even if the caller does
not use krb5_init_secure_context().
* Add an "enforce_ok_as_delegate" krb5.conf relation to disable
credential forwarding during GSSAPI authentication unless the KDC
sets the ok-as-delegate bit in the service ticket.
* Use the permitted_enctypes krb5.conf setting as the default value
for default_tkt_enctypes and default_tgs_enctypes.
Developer experience:
* Implement krb5_cc_remove_cred() for all credential cache types.
* Add the krb5_pac_get_client_info() API to get the client account
name from a PAC.
Protocol evolution:
* Add KDC support for S4U2Self requests where the user is identified
by X.509 certificate. (Requires support for certificate lookup from
a third-party KDB module.)
* Remove support for an old ("draft 9") variant of PKINIT.
* Add support for Microsoft NegoEx. (Requires one or more third-party
GSS modules implementing NegoEx mechanisms.)
User experience:
* Add support for "dns_canonicalize_hostname=fallback", causing
host-based principal names to be tried first without DNS
canonicalization, and again with DNS canonicalization if the
un-canonicalized server is not found.
* Expand single-component hostnames in host-based principal names
when DNS canonicalization is not used, adding the system's first DNS
search path as a suffix. Add a "qualify_shortname" krb5.conf relation
to override this suffix or disable expansion.
* Honor the transited-policy-checked ticket flag on application servers,
eliminating the requirement to configure capaths on servers in some
scenarios.
Code quality:
* The libkrb5 serialization code (used to export and import krb5 GSS
security contexts) has been simplified and made type-safe.
* The libkrb5 code for creating KRB-PRIV, KRB-SAFE, and KRB-CRED
messages has been revised to conform to current coding practices.
* The test suite has been modified to work with macOS System Integrity
Protection enabled.
* The test suite incorporates soft-pkcs11 so that PKINIT PKCS11 support
can always be tested.
- Updated patches:
* 0002-krb5-1.9-manpaths.patch
* 0004-krb5-1.6.3-gssapi_improve_errormessages.patch
* 0005-krb5-1.6.3-ktutil-manpage.patch
* 0006-krb5-1.12-api.patch
- Renamed patches:
* 0001-krb5-1.12-pam.patch => 0001-ksu-pam-integration.patch
* 0003-krb5-1.12-buildconf.patch => 0003-Adjust-build-configuration.patch
* 0008-krb5-1.12-selinux-label.patch => 0007-SELinux-integration.patch
* 0009-krb5-1.9-debuginfo.patch => 0008-krb5-1.9-debuginfo.patch
- Deleted patches:
* 0007-krb5-1.12-ksu-path.patch
-------------------------------------------------------------------
Thu Dec 12 08:56:09 UTC 2019 - Samuel Cabrero <scabrero@suse.de>

View File

@ -1,7 +1,7 @@
#
# spec file for package krb5
#
# Copyright (c) 2019 SUSE LLC
# Copyright (c) 2020 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -22,7 +22,7 @@
%endif
Name: krb5
Version: 1.17.1
Version: 1.18
Release: 0
Summary: MIT Kerberos5 implementation
License: MIT
@ -54,15 +54,14 @@ Source4: baselibs.conf
Source5: krb5-rpmlintrc
Source6: ksu-pam.d
Source7: krb5.tmpfiles
Patch1: 0001-krb5-1.12-pam.patch
Patch1: 0001-ksu-pam-integration.patch
Patch2: 0002-krb5-1.9-manpaths.patch
Patch3: 0003-krb5-1.12-buildconf.patch
Patch3: 0003-Adjust-build-configuration.patch
Patch4: 0004-krb5-1.6.3-gssapi_improve_errormessages.patch
Patch5: 0005-krb5-1.6.3-ktutil-manpage.patch
Patch6: 0006-krb5-1.12-api.patch
Patch7: 0007-krb5-1.12-ksu-path.patch
Patch8: 0008-krb5-1.12-selinux-label.patch
Patch9: 0009-krb5-1.9-debuginfo.patch
Patch7: 0007-SELinux-integration.patch
Patch8: 0008-krb5-1.9-debuginfo.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
@ -183,7 +182,6 @@ Include Files for Development
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%build
# needs to be re-generated