Yuchen Lin 2019-02-19 12:54:57 +00:00 committed by Git OBS Bridge
commit 9cfbbfdef3
24 changed files with 1175 additions and 835 deletions


@ -1,3 +1,10 @@
From 333d843912825435da5c3e62807efb6753946be1 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Mon, 14 Jan 2019 13:05:56 +0100
Subject: [PATCH 1/9] krb5-1.12-pam
Import krb5-1.12-pam.patch
Modify ksu so that it performs account and session management on behalf of
the target user account, mimicking the action of regular su. The default
service name is "ksu", because on Fedora at least the configuration used
@ -10,10 +17,22 @@ When enabled, ksu gains a dependency on libpam.
Originally RT#5939, though it's changed since then to perform the account
and session management before dropping privileges.
---
src/aclocal.m4 | 67 +++++++
src/clients/ksu/Makefile.in | 8 +-
src/clients/ksu/main.c | 94 ++++++++-
src/clients/ksu/pam.c | 389 ++++++++++++++++++++++++++++++++++++
src/clients/ksu/pam.h | 57 ++++++
src/configure.in | 2 +
6 files changed, 614 insertions(+), 3 deletions(-)
create mode 100644 src/clients/ksu/pam.c
create mode 100644 src/clients/ksu/pam.h
--- krb5-1.13.orig/src/aclocal.m4
+++ krb5-1.13/src/aclocal.m4
@@ -1671,3 +1671,70 @@ AC_DEFUN(KRB5_AC_PERSISTENT_KEYRING,[
diff --git a/src/aclocal.m4 b/src/aclocal.m4
index 3752d9bd5..340546d80 100644
--- a/src/aclocal.m4
+++ b/src/aclocal.m4
@@ -1697,3 +1697,70 @@ AC_DEFUN(KRB5_AC_PERSISTENT_KEYRING,[
]))
])dnl
dnl
@ -84,8 +103,48 @@ and session management before dropping privileges.
+AC_SUBST(PAM_MAN)
+AC_SUBST(NON_PAM_MAN)
+])dnl
--- krb5-1.13.orig/src/clients/ksu/main.c
+++ krb5-1.13/src/clients/ksu/main.c
diff --git a/src/clients/ksu/Makefile.in b/src/clients/ksu/Makefile.in
index b2fcbf240..5755bb58a 100644
--- a/src/clients/ksu/Makefile.in
+++ b/src/clients/ksu/Makefile.in
@@ -3,12 +3,14 @@ BUILDTOP=$(REL)..$(S)..
DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"'
KSU_LIBS=@KSU_LIBS@
+PAM_LIBS=@PAM_LIBS@
SRCS = \
$(srcdir)/krb_auth_su.c \
$(srcdir)/ccache.c \
$(srcdir)/authorization.c \
$(srcdir)/main.c \
+ $(srcdir)/pam.c \
$(srcdir)/heuristic.c \
$(srcdir)/xmalloc.c \
$(srcdir)/setenv.c
@@ -17,13 +19,17 @@ OBJS = \
ccache.o \
authorization.o \
main.o \
+ pam.o \
heuristic.o \
xmalloc.o @SETENVOBJ@
all: ksu
ksu: $(OBJS) $(KRB5_BASE_DEPLIBS)
- $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS)
+ $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS) $(PAM_LIBS)
+
+pam.o: pam.c
+ $(CC) $(ALL_CFLAGS) -c $<
clean:
$(RM) ksu
diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c
index d9596d948..7a0c7e48b 100644
--- a/src/clients/ksu/main.c
+++ b/src/clients/ksu/main.c
@@ -26,6 +26,7 @@
* KSU was writen by: Ari Medvinsky, ari@isi.edu
*/
@ -113,7 +172,7 @@ and session management before dropping privileges.
/***********/
#define KS_TEMPORARY_CACHE "MEMORY:_ksu"
@@ -519,6 +525,25 @@ main (argc, argv)
@@ -528,6 +534,25 @@ main (argc, argv)
prog_name,target_user,client_name,
source_user,ontty());
@ -139,7 +198,7 @@ and session management before dropping privileges.
/* Run authorization as target.*/
if (krb5_seteuid(target_uid)) {
com_err(prog_name, errno, _("while switching to target for "
@@ -587,6 +612,26 @@ main (argc, argv)
@@ -596,6 +621,26 @@ main (argc, argv)
com_err(prog_name,retval, _("while calling cc_filter"));
exit(1);
}
@ -166,7 +225,7 @@ and session management before dropping privileges.
}
if (all_rest_copy){
@@ -636,6 +681,32 @@ main (argc, argv)
@@ -645,6 +690,32 @@ main (argc, argv)
exit(1);
}
@ -199,7 +258,7 @@ and session management before dropping privileges.
/* set permissions */
if (setgid(target_pwd->pw_gid) < 0) {
perror("ksu: setgid");
@@ -733,7 +804,7 @@ main (argc, argv)
@@ -742,7 +813,7 @@ main (argc, argv)
fprintf(stderr, "program to be execed %s\n",params[0]);
}
@ -208,7 +267,7 @@ and session management before dropping privileges.
execv(params[0], params);
com_err(prog_name, errno, _("while trying to execv %s"), params[0]);
sweep_up(ksu_context, cc_target);
@@ -763,16 +834,35 @@ main (argc, argv)
@@ -772,16 +843,35 @@ main (argc, argv)
if (ret_pid == -1) {
com_err(prog_name, errno, _("while calling waitpid"));
}
@ -245,44 +304,11 @@ and session management before dropping privileges.
exit (1);
}
}
--- krb5-1.15.orig/src/clients/ksu/Makefile.in 2016-12-01 23:31:24.000000000 +0100
+++ krb5-1.15/src/clients/ksu/Makefile.in 2016-12-03 16:08:50.583613246 +0100
@@ -3,12 +3,14 @@
DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"'
KSU_LIBS=@KSU_LIBS@
+PAM_LIBS=@PAM_LIBS@
SRCS = \
$(srcdir)/krb_auth_su.c \
$(srcdir)/ccache.c \
$(srcdir)/authorization.c \
$(srcdir)/main.c \
+ $(srcdir)/pam.c \
$(srcdir)/heuristic.c \
$(srcdir)/xmalloc.c \
$(srcdir)/setenv.c
@@ -17,13 +19,17 @@
ccache.o \
authorization.o \
main.o \
+ pam.o \
heuristic.o \
xmalloc.o @SETENVOBJ@
all: ksu
ksu: $(OBJS) $(KRB5_BASE_DEPLIBS)
- $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS)
+ $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS) $(PAM_LIBS)
+
+pam.o: pam.c
+ $(CC) $(ALL_CFLAGS) -c $<
clean:
$(RM) ksu
diff --git a/src/clients/ksu/pam.c b/src/clients/ksu/pam.c
new file mode 100644
index 000000000..cbfe48704
--- /dev/null
+++ krb5-1.13/src/clients/ksu/pam.c
+++ b/src/clients/ksu/pam.c
@@ -0,0 +1,389 @@
+/*
+ * src/clients/ksu/pam.c
@ -673,8 +699,11 @@ and session management before dropping privileges.
+ return ret;
+}
+#endif
diff --git a/src/clients/ksu/pam.h b/src/clients/ksu/pam.h
new file mode 100644
index 000000000..0ab76569c
--- /dev/null
+++ krb5-1.13/src/clients/ksu/pam.h
+++ b/src/clients/ksu/pam.h
@@ -0,0 +1,57 @@
+/*
+ * src/clients/ksu/pam.h
@ -733,9 +762,11 @@ and session management before dropping privileges.
+int appl_pam_cred_init(void);
+void appl_pam_cleanup(void);
+#endif
--- krb5-1.13.orig/src/configure.in
+++ krb5-1.13/src/configure.in
@@ -1285,6 +1285,8 @@ AC_SUBST([VERTO_VERSION])
diff --git a/src/configure.in b/src/configure.in
index 61ef738dc..e9a12ac16 100644
--- a/src/configure.in
+++ b/src/configure.in
@@ -1352,6 +1352,8 @@ AC_SUBST([VERTO_VERSION])
AC_PATH_PROG(GROFF, groff)
@ -744,3 +775,6 @@ and session management before dropping privileges.
# Make localedir work in autoconf 2.5x.
if test "${localedir+set}" != set; then
localedir='$(datadir)/locale'
--
2.20.1
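Review bot: The explicit `pam.o: pam.c` rule added to src/clients/ksu/Makefile.in names its prerequisite as bare `pam.c`, while the SRCS entry added in the same hunk uses `$(srcdir)/pam.c`, so in a build directory separate from the sources the rule only resolves if a VPATH setting (not visible here) supplies the file. None of the other objects in OBJS has a hand-written rule in this hunk, which suggests the tree's default compile rule would already build pam.o. If so, dropping the rule, or writing it as `pam.o: $(srcdir)/pam.c`, keeps pam.c on the same flags and dependency handling as the rest of ksu. The rest of Makefile.in and the shared build fragments lie outside the hunk, so this should be confirmed against the default rule there.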


@ -0,0 +1,31 @@
From 84aceebf6f76934c5d8fa11b0f7cd662542c286a Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Mon, 14 Jan 2019 13:06:55 +0100
Subject: [PATCH 2/9] krb5-1.9-manpaths
Import krb5-1.9-manpaths.dif
Change the absolute paths included in the man pages so that the correct
values can be dropped in by config.status. After applying this patch,
these files should be renamed to their ".in" counterparts, and then the
configure scripts should be rebuilt. Originally RT#6525
---
src/man/kpropd.man | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/man/kpropd.man b/src/man/kpropd.man
index 38daa5e79..a0106ec5f 100644
--- a/src/man/kpropd.man
+++ b/src/man/kpropd.man
@@ -67,7 +67,7 @@ the \fB/etc/inetd.conf\fP file which looks like this:
.sp
.nf
.ft C
-kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd
+kprop stream tcp nowait root @SBINDIR@/kpropd kpropd
.ft P
.fi
.UNINDENT
--
2.20.1


@ -1,33 +1,26 @@
From a04d1b609e0ca89d1ad93faeeafa5b3202cca4df Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Mon, 14 Jan 2019 13:08:07 +0100
Subject: [PATCH 3/9] krb5-1.12-buildconf
Import krb5-1.12-buildconf.patch
Build binaries in this package as RELRO PIEs, libraries as partial RELRO,
and install shared libraries with the execute bit set on them. Prune out
the -L/usr/lib* and PIE flags where they might leak out and affect
apps which just want to link with the libraries. FIXME: needs to check and
not just assume that the compiler supports using these flags.
---
src/build-tools/krb5-config.in | 7 +++++++
src/config/pre.in | 2 +-
src/config/shlib.conf | 5 +++--
3 files changed, 11 insertions(+), 3 deletions(-)
--- krb5-1.15.orig/src/config/shlib.conf 2016-12-01 23:31:24.000000000 +0100
+++ krb5-1.15/src/config/shlib.conf 2016-12-03 16:58:48.378478508 +0100
@@ -423,7 +423,7 @@
# Linux ld doesn't default to stuffing the SONAME field...
# Use objdump -x to examine the fields of the library
# UNDEF_CHECK is suppressed by --enable-asan
- LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $(UNDEF_CHECK)'
+ LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $(UNDEF_CHECK) -Wl,-z,relro'
UNDEF_CHECK='-Wl,--no-undefined'
# $(EXPORT_CHECK) runs export-check.pl when in maintainer mode.
LDCOMBINE_TAIL='-Wl,--version-script binutils.versions $(EXPORT_CHECK)'
@@ -435,7 +435,8 @@
SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
PROFFLAGS=-pg
PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)'
- CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)'
+ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie -Wl,-z,relro -Wl,-z,now $(LDFLAGS)'
+ INSTALL_SHLIB='${INSTALL} -m755'
CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)'
CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)'
CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)'
--- krb5/src/build-tools/krb5-config.in
+++ krb5/src/build-tools/krb5-config.in
@@ -189,6 +189,13 @@ if test -n "$do_libs"; then
diff --git a/src/build-tools/krb5-config.in b/src/build-tools/krb5-config.in
index f6184da3f..0edf6a1a5 100755
--- a/src/build-tools/krb5-config.in
+++ b/src/build-tools/krb5-config.in
@@ -225,6 +225,13 @@ if test -n "$do_libs"; then
-e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \
-e 's#\$(CFLAGS)##'`
@ -41,9 +34,11 @@ not just assume that the compiler supports using these flags.
if test $library = 'kdb'; then
lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB"
library=krb5
--- krb5/src/config/pre.in
+++ krb5/src/config/pre.in
@@ -188,7 +188,7 @@
diff --git a/src/config/pre.in b/src/config/pre.in
index ce87e21ca..164bf8301 100644
--- a/src/config/pre.in
+++ b/src/config/pre.in
@@ -184,7 +184,7 @@ INSTALL_PROGRAM=@INSTALL_PROGRAM@ $(INSTALL_STRIP)
INSTALL_SCRIPT=@INSTALL_PROGRAM@
INSTALL_DATA=@INSTALL_DATA@
INSTALL_SHLIB=@INSTALL_SHLIB@
@ -52,3 +47,29 @@ not just assume that the compiler supports using these flags.
## This is needed because autoconf will sometimes define @exec_prefix@ to be
## ${prefix}.
prefix=@prefix@
diff --git a/src/config/shlib.conf b/src/config/shlib.conf
index 3e4af6c02..a43736137 100644
--- a/src/config/shlib.conf
+++ b/src/config/shlib.conf
@@ -423,7 +423,7 @@ mips-*-netbsd*)
# Linux ld doesn't default to stuffing the SONAME field...
# Use objdump -x to examine the fields of the library
# UNDEF_CHECK is suppressed by --enable-asan
- LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $(UNDEF_CHECK)'
+ LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $(UNDEF_CHECK) -Wl,-z,relro'
UNDEF_CHECK='-Wl,--no-undefined'
# $(EXPORT_CHECK) runs export-check.pl when in maintainer mode.
LDCOMBINE_TAIL='-Wl,--version-script binutils.versions $(EXPORT_CHECK)'
@@ -435,7 +435,8 @@ mips-*-netbsd*)
SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
PROFFLAGS=-pg
PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)'
- CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)'
+ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie -Wl,-z,relro -Wl,-z,now $(LDFLAGS)'
+ INSTALL_SHLIB='${INSTALL} -m755'
CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)'
CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)'
CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)'
--
2.20.1
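Review bot: In the shlib.conf hunk only `CC_LINK_SHARED` gains `-pie -Wl,-z,relro -Wl,-z,now`; `CXX_LINK_SHARED` two lines below is left as it was, so any program linked through the C++ path would miss the PIE and full-RELRO hardening the description promises for binaries in this package. If that is not intentional, the same flags belong there: `CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) -pie -Wl,-z,relro -Wl,-z,now $(LDFLAGS)'`. Linking with `-pie` also needs the objects compiled as position-independent code, and no matching compile flag is visible in this patch, so it presumably comes from the package's CFLAGS; a comment next to the link line saying so would help the next maintainer. The enclosing case branch starts and ends outside the hunk.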


@ -0,0 +1,26 @@
From 3cdd9863a1a7a9a004f3d75e32136bb0be26a32b Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Mon, 14 Jan 2019 13:09:05 +0100
Subject: [PATCH 4/9] krb5-1.6.3-gssapi_improve_errormessages
Import krb5-1.6.3-gssapi_improve_errormessages.dif
---
src/lib/gssapi/generic/disp_com_err_status.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/lib/gssapi/generic/disp_com_err_status.c b/src/lib/gssapi/generic/disp_com_err_status.c
index bc416107e..22612f970 100644
--- a/src/lib/gssapi/generic/disp_com_err_status.c
+++ b/src/lib/gssapi/generic/disp_com_err_status.c
@@ -52,7 +52,7 @@ g_display_com_err_status(OM_uint32 *minor_status, OM_uint32 status_value,
status_string->value = NULL;
if (! g_make_string_buffer(((status_value == 0)?no_error:
- error_message(status_value)),
+ error_message((long)status_value)),
status_string)) {
*minor_status = ENOMEM;
return(GSS_S_FAILURE);
--
2.20.1


@ -0,0 +1,36 @@
From af0fe879800e72101b6d306c1b510880aec7cdaa Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Mon, 14 Jan 2019 13:14:47 +0100
Subject: [PATCH 5/9] krb5-1.6.3-ktutil-manpage
Import krb5-1.6.3-ktutil-manpage.dif
---
src/man/ktutil.man | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/src/man/ktutil.man b/src/man/ktutil.man
index 4e174c0fe..f6d6ae814 100644
--- a/src/man/ktutil.man
+++ b/src/man/ktutil.man
@@ -171,6 +171,18 @@ ktutil:
.sp
See kerberos(7) for a description of Kerberos environment
variables.
+.SH REMARKS
+Changes to the keytab are appended to the keytab file (i.e., the keytab file
+is never overwritten). To directly modify a keytab, save the changes to a
+temporary file and then overwrite the keytab file of interest.
+.TP
+.nf
+Example:
+ktutil> rkt /etc/krb5.keytab
+(modifications to keytab)
+ktutil> wkt /tmp/krb5.newtab
+ktutil> q
+# mv /tmp/krb5.newtab /etc/krb5.keytab
.SH SEE ALSO
.sp
kadmin(1), kdb5_util(8), kerberos(7)
--
2.20.1
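Review bot: The added REMARKS example stages the modified keytab at `/tmp/krb5.newtab`, a fixed name in a world-writable directory, which is a poor place for a file holding long-term service keys. The name is predictable to other local users, and a `mv` from /tmp to /etc may cross filesystems, making it a copy rather than an atomic rename. Staging next to the target avoids both: `ktutil> wkt /etc/krb5.keytab.new` followed by `# mv /etc/krb5.keytab.new /etc/krb5.keytab`. The text could also state that the temporary file must stay readable by root only until it replaces the live keytab.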


@ -1,10 +1,22 @@
From 70039109cc843f4958e89fd674d098c7c89affa8 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Mon, 14 Jan 2019 13:15:50 +0100
Subject: [PATCH 6/9] krb5-1.12-api
Import krb5-1.12-api.patch
Reference docs don't define what happens if you call krb5_realm_compare() with
malformed krb5_principal structures. Define a behavior which keeps it from
crashing if applications don't check ahead of time.
---
src/lib/krb5/krb/princ_comp.c | 7 +++++++
1 file changed, 7 insertions(+)
--- krb5/src/lib/krb5/krb/princ_comp.c
+++ krb5/src/lib/krb5/krb/princ_comp.c
@@ -41,6 +41,10 @@ realm_compare_flags(krb5_context context
diff --git a/src/lib/krb5/krb/princ_comp.c b/src/lib/krb5/krb/princ_comp.c
index a6936107d..0ed78833b 100644
--- a/src/lib/krb5/krb/princ_comp.c
+++ b/src/lib/krb5/krb/princ_comp.c
@@ -36,6 +36,10 @@ realm_compare_flags(krb5_context context,
const krb5_data *realm1 = &princ1->realm;
const krb5_data *realm2 = &princ2->realm;
@ -15,7 +27,7 @@ crashing if applications don't check ahead of time.
if (realm1->length != realm2->length)
return FALSE;
if (realm1->length == 0)
@@ -92,6 +98,9 @@ krb5_principal_compare_flags(krb5_contex
@@ -88,6 +92,9 @@ krb5_principal_compare_flags(krb5_context context,
krb5_principal upn2 = NULL;
krb5_boolean ret = FALSE;
@ -25,3 +37,6 @@ crashing if applications don't check ahead of time.
if (flags & KRB5_PRINCIPAL_COMPARE_ENTERPRISE) {
/* Treat UPNs as if they were real principals */
if (princ1->type == KRB5_NT_ENTERPRISE_PRINCIPAL) {
--
2.20.1


@ -0,0 +1,27 @@
From 2af2add95fdd3973437cd0ce5ca1794afb461227 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Mon, 14 Jan 2019 13:16:29 +0100
Subject: [PATCH 7/9] krb5-1.12-ksu
Import krb5-1.12-ksu-path.patch
Set the default PATH to the one set by login.
---
src/clients/ksu/Makefile.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/clients/ksu/Makefile.in b/src/clients/ksu/Makefile.in
index 5755bb58a..9d58f29b5 100644
--- a/src/clients/ksu/Makefile.in
+++ b/src/clients/ksu/Makefile.in
@@ -1,6 +1,6 @@
mydir=clients$(S)ksu
BUILDTOP=$(REL)..$(S)..
-DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"'
+DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/usr/local/sbin /usr/local/bin /sbin /bin /usr/sbin /usr/bin"'
KSU_LIBS=@KSU_LIBS@
PAM_LIBS=@PAM_LIBS@
--
2.20.1
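Review bot: The new `CMD_PATH` value puts `/usr/local/sbin` and `/usr/local/bin` ahead of `/sbin`, `/bin`, `/usr/sbin` and `/usr/bin`, and ksu runs with privileges it later drops. If this list is what ksu uses to resolve command names that are not given as absolute paths (the consuming code is outside this hunk), a same-named file under /usr/local would win over the system binary. On hosts where /usr/local is writable by a non-root group, that widens who can influence what ksu runs. Consider listing the system directories first, `-DCMD_PATH='"/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin"'`, or adding a comment that states why login's ordering is required here.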


@ -1,3 +1,10 @@
From e079ae26bbec6bce74e09a980d734fa886ee93b0 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Mon, 14 Jan 2019 13:17:28 +0100
Subject: [PATCH 8/9] krb5-1.12-selinux-label
Import krb5-1.12-selinux-label.patch
SELinux bases access to files on the domain of the requesting process,
the operation being performed, and the context applied to the file.
@ -30,11 +37,39 @@ stomp all over us.
The selabel APIs for looking up the context should be thread-safe (per
Red Hat #273081), so switching to using them instead of matchpathcon(),
which we used earlier, is some improvement.
---
src/aclocal.m4 | 49 +++
src/build-tools/krb5-config.in | 3 +-
src/config/pre.in | 3 +-
src/configure.in | 2 +
src/include/k5-int.h | 1 +
src/include/k5-label.h | 32 ++
src/include/krb5/krb5.hin | 6 +
src/kadmin/dbutil/dump.c | 11 +-
src/kdc/main.c | 2 +-
src/lib/kadm5/logger.c | 4 +-
src/lib/kdb/kdb_log.c | 2 +-
src/lib/krb5/ccache/cc_dir.c | 26 +-
src/lib/krb5/keytab/kt_file.c | 4 +-
src/lib/krb5/os/trace.c | 2 +-
src/lib/krb5/rcache/rc_dfl.c | 13 +
src/plugins/kdb/db2/adb_openclose.c | 2 +-
src/plugins/kdb/db2/kdb_db2.c | 4 +-
src/plugins/kdb/db2/libdb2/btree/bt_open.c | 3 +-
src/plugins/kdb/db2/libdb2/hash/hash.c | 3 +-
src/plugins/kdb/db2/libdb2/recno/rec_open.c | 4 +-
.../kdb/ldap/ldap_util/kdb5_ldap_services.c | 11 +-
src/util/profile/prof_file.c | 3 +-
src/util/support/Makefile.in | 3 +-
src/util/support/selinux.c | 381 ++++++++++++++++++
24 files changed, 553 insertions(+), 21 deletions(-)
create mode 100644 src/include/k5-label.h
create mode 100644 src/util/support/selinux.c
Index: krb5-1.16.1/src/aclocal.m4
===================================================================
--- krb5-1.16.1.orig/src/aclocal.m4
+++ krb5-1.16.1/src/aclocal.m4
diff --git a/src/aclocal.m4 b/src/aclocal.m4
index 340546d80..4440ec5f8 100644
--- a/src/aclocal.m4
+++ b/src/aclocal.m4
@@ -89,6 +89,7 @@ AC_SUBST_FILE(libnodeps_frag)
dnl
KRB5_AC_PRAGMA_WEAK_REF
@ -43,7 +78,7 @@ Index: krb5-1.16.1/src/aclocal.m4
KRB5_LIB_PARAMS
KRB5_AC_INITFINI
KRB5_AC_ENABLE_THREADS
@@ -1763,3 +1764,51 @@ AC_SUBST(PAM_LIBS)
@@ -1764,3 +1765,51 @@ AC_SUBST(PAM_LIBS)
AC_SUBST(PAM_MAN)
AC_SUBST(NON_PAM_MAN)
])dnl
@ -95,10 +130,31 @@ Index: krb5-1.16.1/src/aclocal.m4
+LIBS="$old_LIBS"
+AC_SUBST(SELINUX_LIBS)
+])dnl
Index: krb5-1.16.1/src/config/pre.in
===================================================================
--- krb5-1.16.1.orig/src/config/pre.in
+++ krb5-1.16.1/src/config/pre.in
diff --git a/src/build-tools/krb5-config.in b/src/build-tools/krb5-config.in
index 0edf6a1a5..1891dea99 100755
--- a/src/build-tools/krb5-config.in
+++ b/src/build-tools/krb5-config.in
@@ -41,6 +41,7 @@ DL_LIB='@DL_LIB@'
DEFCCNAME='@DEFCCNAME@'
DEFKTNAME='@DEFKTNAME@'
DEFCKTNAME='@DEFCKTNAME@'
+SELINUX_LIBS='@SELINUX_LIBS@'
LIBS='@LIBS@'
GEN_LIB=@GEN_LIB@
@@ -262,7 +263,7 @@ if test -n "$do_libs"; then
fi
# If we ever support a flag to generate output suitable for static
- # linking, we would output "-lkrb5support $GEN_LIB $LIBS $DL_LIB"
+ # linking, we would output "-lkrb5support $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB"
# here.
echo $lib_flags
diff --git a/src/config/pre.in b/src/config/pre.in
index 164bf8301..a8540ae2a 100644
--- a/src/config/pre.in
+++ b/src/config/pre.in
@@ -177,6 +177,7 @@ LD = $(PURE) @LD@
KRB_INCLUDES = -I$(BUILDTOP)/include -I$(top_srcdir)/include
LDFLAGS = @LDFLAGS@
@ -107,7 +163,7 @@ Index: krb5-1.16.1/src/config/pre.in
INSTALL=@INSTALL@
INSTALL_STRIP=
@@ -399,7 +400,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME)
@@ -402,7 +403,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME)
# HESIOD_LIBS is -lhesiod...
HESIOD_LIBS = @HESIOD_LIBS@
@ -116,11 +172,11 @@ Index: krb5-1.16.1/src/config/pre.in
KDB5_LIBS = $(KDB5_LIB) $(GSSRPC_LIBS)
GSS_LIBS = $(GSS_KRB5_LIB)
# needs fixing if ever used on macOS!
Index: krb5-1.16.1/src/configure.in
===================================================================
--- krb5-1.16.1.orig/src/configure.in
+++ krb5-1.16.1/src/configure.in
@@ -1308,6 +1308,8 @@ AC_PATH_PROG(GROFF, groff)
diff --git a/src/configure.in b/src/configure.in
index e9a12ac16..93aec682e 100644
--- a/src/configure.in
+++ b/src/configure.in
@@ -1354,6 +1354,8 @@ AC_PATH_PROG(GROFF, groff)
KRB5_WITH_PAM
@ -129,10 +185,10 @@ Index: krb5-1.16.1/src/configure.in
# Make localedir work in autoconf 2.5x.
if test "${localedir+set}" != set; then
localedir='$(datadir)/locale'
Index: krb5-1.16.1/src/include/k5-int.h
===================================================================
--- krb5-1.16.1.orig/src/include/k5-int.h
+++ krb5-1.16.1/src/include/k5-int.h
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 652242207..7190a8f55 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -126,6 +126,7 @@ typedef unsigned char u_char;
#endif /* HAVE_SYS_TYPES_H */
#endif /* KRB5_SYSTYPES__ */
@ -141,10 +197,11 @@ Index: krb5-1.16.1/src/include/k5-int.h
#include "k5-platform.h"
Index: krb5-1.16.1/src/include/k5-label.h
===================================================================
diff --git a/src/include/k5-label.h b/src/include/k5-label.h
new file mode 100644
index 000000000..dfaaa847c
--- /dev/null
+++ krb5-1.16.1/src/include/k5-label.h
+++ b/src/include/k5-label.h
@@ -0,0 +1,32 @@
+#ifndef _KRB5_LABEL_H
+#define _KRB5_LABEL_H
@ -178,10 +235,10 @@ Index: krb5-1.16.1/src/include/k5-label.h
+#define THREEPARAMOPEN(x,y,z) open(x,y,z)
+#endif
+#endif
Index: krb5-1.16.1/src/include/krb5/krb5.hin
===================================================================
--- krb5-1.16.1.orig/src/include/krb5/krb5.hin
+++ krb5-1.16.1/src/include/krb5/krb5.hin
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index c40a6cca8..3ff86d7ff 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -87,6 +87,12 @@
#define THREEPARAMOPEN(x,y,z) open(x,y,z)
#endif
@ -195,11 +252,11 @@ Index: krb5-1.16.1/src/include/krb5/krb5.hin
#define KRB5_OLD_CRYPTO
#include <stdlib.h>
Index: krb5-1.16.1/src/kadmin/dbutil/dump.c
===================================================================
--- krb5-1.16.1.orig/src/kadmin/dbutil/dump.c
+++ krb5-1.16.1/src/kadmin/dbutil/dump.c
@@ -148,12 +148,21 @@ create_ofile(char *ofile, char **tmpname
diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c
index c9574c6e1..8301a33d0 100644
--- a/src/kadmin/dbutil/dump.c
+++ b/src/kadmin/dbutil/dump.c
@@ -148,12 +148,21 @@ create_ofile(char *ofile, char **tmpname)
{
int fd = -1;
FILE *f;
@ -221,41 +278,33 @@ Index: krb5-1.16.1/src/kadmin/dbutil/dump.c
if (fd == -1)
goto error;
@@ -194,7 +203,7 @@ prep_ok_file(krb5_context context, char
return 0;
@@ -197,7 +206,7 @@ prep_ok_file(krb5_context context, char *file_name, int *fd_out)
goto cleanup;
}
- *fd = open(file_ok, O_WRONLY | O_CREAT | O_TRUNC, 0600);
+ *fd = THREEPARAMOPEN(file_ok, O_WRONLY | O_CREAT | O_TRUNC, 0600);
if (*fd == -1) {
- fd = open(file_ok, O_WRONLY | O_CREAT | O_TRUNC, 0600);
+ fd = THREEPARAMOPEN(file_ok, O_WRONLY | O_CREAT | O_TRUNC, 0600);
if (fd == -1) {
com_err(progname, errno, _("while creating 'ok' file, '%s'"), file_ok);
exit_status++;
Index: krb5-1.16.1/src/build-tools/krb5-config.in
===================================================================
--- krb5-1.16.1.orig/src/build-tools/krb5-config.in
+++ krb5-1.16.1/src/build-tools/krb5-config.in
@@ -41,6 +41,7 @@ DL_LIB='@DL_LIB@'
DEFCCNAME='@DEFCCNAME@'
DEFKTNAME='@DEFKTNAME@'
DEFCKTNAME='@DEFCKTNAME@'
+SELINUX_LIBS='@SELINUX_LIBS@'
goto cleanup;
diff --git a/src/kdc/main.c b/src/kdc/main.c
index 408c723f5..663fd6303 100644
--- a/src/kdc/main.c
+++ b/src/kdc/main.c
@@ -858,7 +858,7 @@ write_pid_file(const char *path)
FILE *file;
unsigned long pid;
LIBS='@LIBS@'
GEN_LIB=@GEN_LIB@
@@ -262,7 +263,7 @@ if test -n "$do_libs"; then
fi
# If we ever support a flag to generate output suitable for static
- # linking, we would output "-lkrb5support $GEN_LIB $LIBS $DL_LIB"
+ # linking, we would output "-lkrb5support $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB"
# here.
echo $lib_flags
Index: krb5-1.16.1/src/lib/kadm5/logger.c
===================================================================
--- krb5-1.16.1.orig/src/lib/kadm5/logger.c
+++ krb5-1.16.1/src/lib/kadm5/logger.c
@@ -414,7 +414,7 @@ krb5_klog_init(krb5_context kcontext, ch
- file = fopen(path, "w");
+ file = WRITABLEFOPEN(path, "w");
if (file == NULL)
return errno;
pid = (unsigned long) getpid();
diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c
index c6885edf2..9aec3c05e 100644
--- a/src/lib/kadm5/logger.c
+++ b/src/lib/kadm5/logger.c
@@ -309,7 +309,7 @@ krb5_klog_init(krb5_context kcontext, char *ename, char *whoami, krb5_boolean do
*/
append = (cp[4] == ':') ? O_APPEND : 0;
if (append || cp[4] == '=') {
@ -264,7 +313,7 @@ Index: krb5-1.16.1/src/lib/kadm5/logger.c
S_IRUSR | S_IWUSR | S_IRGRP);
if (fd != -1)
f = fdopen(fd, append ? "a" : "w");
@@ -918,7 +918,7 @@ krb5_klog_reopen(krb5_context kcontext)
@@ -776,7 +776,7 @@ krb5_klog_reopen(krb5_context kcontext)
* In case the old logfile did not get moved out of the
* way, open for append to prevent squashing the old logs.
*/
@ -273,11 +322,74 @@ Index: krb5-1.16.1/src/lib/kadm5/logger.c
if (f) {
set_cloexec_file(f);
log_control.log_entries[lindex].lfu_filep = f;
Index: krb5-1.16.1/src/lib/krb5/keytab/kt_file.c
===================================================================
--- krb5-1.16.1.orig/src/lib/krb5/keytab/kt_file.c
+++ krb5-1.16.1/src/lib/krb5/keytab/kt_file.c
@@ -1024,14 +1024,14 @@ krb5_ktfileint_open(krb5_context context
diff --git a/src/lib/kdb/kdb_log.c b/src/lib/kdb/kdb_log.c
index 2659a2501..a1cd38f4c 100644
--- a/src/lib/kdb/kdb_log.c
+++ b/src/lib/kdb/kdb_log.c
@@ -491,7 +491,7 @@ ulog_map(krb5_context context, const char *logname, uint32_t ulogentries)
if (retval)
goto cleanup;
} else {
- log_ctx->ulogfd = open(logname, O_RDWR, 0600);
+ log_ctx->ulogfd = THREEPARAMOPEN(logname, O_RDWR | O_CREAT, 0600);
if (log_ctx->ulogfd == -1) {
retval = errno;
goto cleanup;
diff --git a/src/lib/krb5/ccache/cc_dir.c b/src/lib/krb5/ccache/cc_dir.c
index bba64e516..73f0fe62d 100644
--- a/src/lib/krb5/ccache/cc_dir.c
+++ b/src/lib/krb5/ccache/cc_dir.c
@@ -183,10 +183,19 @@ write_primary_file(const char *primary_path, const char *contents)
char *newpath = NULL;
FILE *fp = NULL;
int fd = -1, status;
+#ifdef USE_SELINUX
+ void *selabel;
+#endif
if (asprintf(&newpath, "%s.XXXXXX", primary_path) < 0)
return ENOMEM;
+#ifdef USE_SELINUX
+ selabel = krb5int_push_fscreatecon_for(primary_path);
+#endif
fd = mkstemp(newpath);
+#ifdef USE_SELINUX
+ krb5int_pop_fscreatecon(selabel);
+#endif
if (fd < 0)
goto cleanup;
#ifdef HAVE_CHMOD
@@ -221,10 +230,23 @@ static krb5_error_code
verify_dir(krb5_context context, const char *dirname)
{
struct stat st;
+ int status;
+#ifdef USE_SELINUX
+ void *selabel;
+#endif
if (stat(dirname, &st) < 0) {
- if (errno == ENOENT && mkdir(dirname, S_IRWXU) == 0)
- return 0;
+ if (errno == ENOENT) {
+#ifdef USE_SELINUX
+ selabel = krb5int_push_fscreatecon_for(dirname);
+#endif
+ status = mkdir(dirname, S_IRWXU);
+#ifdef USE_SELINUX
+ krb5int_pop_fscreatecon(selabel);
+#endif
+ if (status == 0)
+ return 0;
+ }
k5_setmsg(context, KRB5_FCC_NOFILE,
_("Credential cache directory %s does not exist"),
dirname);
diff --git a/src/lib/krb5/keytab/kt_file.c b/src/lib/krb5/keytab/kt_file.c
index 89cb68680..21c80d419 100644
--- a/src/lib/krb5/keytab/kt_file.c
+++ b/src/lib/krb5/keytab/kt_file.c
@@ -1024,14 +1024,14 @@ krb5_ktfileint_open(krb5_context context, krb5_keytab id, int mode)
KTCHECKLOCK(id);
errno = 0;
@ -294,11 +406,56 @@ Index: krb5-1.16.1/src/lib/krb5/keytab/kt_file.c
if (!KTFILEP(id))
goto report_errno;
writevno = 1;
Index: krb5-1.16.1/src/plugins/kdb/db2/adb_openclose.c
===================================================================
--- krb5-1.16.1.orig/src/plugins/kdb/db2/adb_openclose.c
+++ krb5-1.16.1/src/plugins/kdb/db2/adb_openclose.c
@@ -152,7 +152,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char
diff --git a/src/lib/krb5/os/trace.c b/src/lib/krb5/os/trace.c
index 4fff8f38c..40a9e7b10 100644
--- a/src/lib/krb5/os/trace.c
+++ b/src/lib/krb5/os/trace.c
@@ -458,7 +458,7 @@ krb5_set_trace_filename(krb5_context context, const char *filename)
fd = malloc(sizeof(*fd));
if (fd == NULL)
return ENOMEM;
- *fd = open(filename, O_WRONLY|O_CREAT|O_APPEND, 0600);
+ *fd = THREEPARAMOPEN(filename, O_WRONLY|O_CREAT|O_APPEND, 0600);
if (*fd == -1) {
free(fd);
return errno;
diff --git a/src/lib/krb5/rcache/rc_dfl.c b/src/lib/krb5/rcache/rc_dfl.c
index 1e0cb22c9..f5e93b1ab 100644
--- a/src/lib/krb5/rcache/rc_dfl.c
+++ b/src/lib/krb5/rcache/rc_dfl.c
@@ -793,6 +793,9 @@ krb5_rc_dfl_expunge_locked(krb5_context context, krb5_rcache id)
krb5_error_code retval = 0;
krb5_rcache tmp;
krb5_deltat lifespan = t->lifespan; /* save original lifespan */
+#ifdef USE_SELINUX
+ void *selabel;
+#endif
if (! t->recovering) {
name = t->name;
@@ -814,7 +817,17 @@ krb5_rc_dfl_expunge_locked(krb5_context context, krb5_rcache id)
retval = krb5_rc_resolve(context, tmp, 0);
if (retval)
goto cleanup;
+#ifdef USE_SELINUX
+ if (t->d.fn != NULL)
+ selabel = krb5int_push_fscreatecon_for(t->d.fn);
+ else
+ selabel = NULL;
+#endif
retval = krb5_rc_initialize(context, tmp, lifespan);
+#ifdef USE_SELINUX
+ if (selabel != NULL)
+ krb5int_pop_fscreatecon(selabel);
+#endif
if (retval)
goto cleanup;
for (q = t->a; q; q = q->na) {
diff --git a/src/plugins/kdb/db2/adb_openclose.c b/src/plugins/kdb/db2/adb_openclose.c
index 7db30a33b..2b9d01921 100644
--- a/src/plugins/kdb/db2/adb_openclose.c
+++ b/src/plugins/kdb/db2/adb_openclose.c
@@ -152,7 +152,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char *filename, char *lockfilename,
* needs be open read/write so that write locking can work with
* POSIX systems
*/
@ -307,11 +464,26 @@ Index: krb5-1.16.1/src/plugins/kdb/db2/adb_openclose.c
/*
* maybe someone took away write permission so we could only
* get shared locks?
Index: krb5-1.16.1/src/plugins/kdb/db2/libdb2/btree/bt_open.c
===================================================================
--- krb5-1.16.1.orig/src/plugins/kdb/db2/libdb2/btree/bt_open.c
+++ krb5-1.16.1/src/plugins/kdb/db2/libdb2/btree/bt_open.c
@@ -60,6 +60,7 @@ static char sccsid[] = "@(#)bt_open.c 8.
diff --git a/src/plugins/kdb/db2/kdb_db2.c b/src/plugins/kdb/db2/kdb_db2.c
index 5106a5c99..e481e8121 100644
--- a/src/plugins/kdb/db2/kdb_db2.c
+++ b/src/plugins/kdb/db2/kdb_db2.c
@@ -694,8 +694,8 @@ ctx_create_db(krb5_context context, krb5_db2_context *dbc)
if (retval)
return retval;
- dbc->db_lf_file = open(dbc->db_lf_name, O_CREAT | O_RDWR | O_TRUNC,
- 0600);
+ dbc->db_lf_file = THREEPARAMOPEN(dbc->db_lf_name,
+ O_CREAT | O_RDWR | O_TRUNC, 0600);
if (dbc->db_lf_file < 0) {
retval = errno;
goto cleanup;
diff --git a/src/plugins/kdb/db2/libdb2/btree/bt_open.c b/src/plugins/kdb/db2/libdb2/btree/bt_open.c
index 2977b17f3..d5809a5a9 100644
--- a/src/plugins/kdb/db2/libdb2/btree/bt_open.c
+++ b/src/plugins/kdb/db2/libdb2/btree/bt_open.c
@@ -60,6 +60,7 @@ static char sccsid[] = "@(#)bt_open.c 8.11 (Berkeley) 11/2/95";
#include <string.h>
#include <unistd.h>
@ -319,7 +491,7 @@ Index: krb5-1.16.1/src/plugins/kdb/db2/libdb2/btree/bt_open.c
#include "db-int.h"
#include "btree.h"
@@ -203,7 +204,7 @@ __bt_open(fname, flags, mode, openinfo,
@@ -203,7 +204,7 @@ __bt_open(fname, flags, mode, openinfo, dflags)
goto einval;
}
@ -328,11 +500,11 @@ Index: krb5-1.16.1/src/plugins/kdb/db2/libdb2/btree/bt_open.c
goto err;
} else {
Index: krb5-1.16.1/src/plugins/kdb/db2/libdb2/hash/hash.c
===================================================================
--- krb5-1.16.1.orig/src/plugins/kdb/db2/libdb2/hash/hash.c
+++ krb5-1.16.1/src/plugins/kdb/db2/libdb2/hash/hash.c
@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)hash.c 8.12
diff --git a/src/plugins/kdb/db2/libdb2/hash/hash.c b/src/plugins/kdb/db2/libdb2/hash/hash.c
index 862dbb164..686a960c9 100644
--- a/src/plugins/kdb/db2/libdb2/hash/hash.c
+++ b/src/plugins/kdb/db2/libdb2/hash/hash.c
@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)hash.c 8.12 (Berkeley) 11/7/95";
#include <assert.h>
#endif
@ -340,7 +512,7 @@ Index: krb5-1.16.1/src/plugins/kdb/db2/libdb2/hash/hash.c
#include "db-int.h"
#include "hash.h"
#include "page.h"
@@ -129,7 +130,7 @@ __kdb2_hash_open(file, flags, mode, info
@@ -129,7 +130,7 @@ __kdb2_hash_open(file, flags, mode, info, dflags)
new_table = 1;
}
if (file) {
@ -349,11 +521,33 @@ Index: krb5-1.16.1/src/plugins/kdb/db2/libdb2/hash/hash.c
RETURN_ERROR(errno, error0);
(void)fcntl(hashp->fp, F_SETFD, 1);
}
Index: krb5-1.16.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
===================================================================
--- krb5-1.16.1.orig/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
+++ krb5-1.16.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
@@ -203,7 +203,7 @@ kdb5_ldap_stash_service_password(int arg
diff --git a/src/plugins/kdb/db2/libdb2/recno/rec_open.c b/src/plugins/kdb/db2/libdb2/recno/rec_open.c
index d8b26e701..b0daa7c02 100644
--- a/src/plugins/kdb/db2/libdb2/recno/rec_open.c
+++ b/src/plugins/kdb/db2/libdb2/recno/rec_open.c
@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)rec_open.c 8.12 (Berkeley) 11/18/94";
#include <stdio.h>
#include <unistd.h>
+#include "k5-int.h"
#include "db-int.h"
#include "recno.h"
@@ -68,7 +69,8 @@ __rec_open(fname, flags, mode, openinfo, dflags)
int rfd = -1, sverrno;
/* Open the user's file -- if this fails, we're done. */
- if (fname != NULL && (rfd = open(fname, flags | O_BINARY, mode)) < 0)
+ if (fname != NULL &&
+ (rfd = THREEPARAMOPEN(fname, flags | O_BINARY, mode)) < 0)
return (NULL);
if (fname != NULL && fcntl(rfd, F_SETFD, 1) == -1) {
diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
index 1ed72afe9..ce038fc3d 100644
--- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
+++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
@@ -194,7 +194,7 @@ kdb5_ldap_stash_service_password(int argc, char **argv)
/* set password in the file */
old_mode = umask(0177);
@ -362,7 +556,7 @@ Index: krb5-1.16.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
if (pfile == NULL) {
com_err(me, errno, _("Failed to open file %s: %s"), file_name,
strerror (errno));
@@ -244,6 +244,9 @@ kdb5_ldap_stash_service_password(int arg
@@ -235,6 +235,9 @@ kdb5_ldap_stash_service_password(int argc, char **argv)
* Delete the existing entry and add the new entry
*/
FILE *newfile;
@ -372,7 +566,7 @@ Index: krb5-1.16.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
mode_t omask;
@@ -255,7 +258,13 @@ kdb5_ldap_stash_service_password(int arg
@@ -246,7 +249,13 @@ kdb5_ldap_stash_service_password(int argc, char **argv)
}
omask = umask(077);
@ -386,10 +580,10 @@ Index: krb5-1.16.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
umask (omask);
if (newfile == NULL) {
com_err(me, errno, _("Error creating file %s"), tmp_file);
Index: krb5-1.16.1/src/util/profile/prof_file.c
===================================================================
--- krb5-1.16.1.orig/src/util/profile/prof_file.c
+++ krb5-1.16.1/src/util/profile/prof_file.c
diff --git a/src/util/profile/prof_file.c b/src/util/profile/prof_file.c
index 24e41fb80..0dcb6b543 100644
--- a/src/util/profile/prof_file.c
+++ b/src/util/profile/prof_file.c
@@ -33,6 +33,7 @@
#endif
@ -398,7 +592,7 @@ Index: krb5-1.16.1/src/util/profile/prof_file.c
struct global_shared_profile_data {
/* This is the head of the global list of shared trees */
@@ -423,7 +424,7 @@ static errcode_t write_data_to_file(prf_
@@ -391,7 +392,7 @@ static errcode_t write_data_to_file(prf_data_t data, const char *outfile,
errno = 0;
@ -407,10 +601,10 @@ Index: krb5-1.16.1/src/util/profile/prof_file.c
if (!f) {
retval = errno;
if (retval == 0)
Index: krb5-1.16.1/src/util/support/Makefile.in
===================================================================
--- krb5-1.16.1.orig/src/util/support/Makefile.in
+++ krb5-1.16.1/src/util/support/Makefile.in
diff --git a/src/util/support/Makefile.in b/src/util/support/Makefile.in
index db7b030b8..321672bcb 100644
--- a/src/util/support/Makefile.in
+++ b/src/util/support/Makefile.in
@@ -69,6 +69,7 @@ IPC_SYMS= \
STLIBOBJS= \
@ -419,7 +613,7 @@ Index: krb5-1.16.1/src/util/support/Makefile.in
init-addrinfo.o \
plugins.o \
errors.o \
@@ -149,7 +150,7 @@ SRCS=\
@@ -160,7 +161,7 @@ SRCS=\
SHLIB_EXPDEPS =
# Add -lm if dumping thread stats, for sqrt.
@ -428,10 +622,11 @@ Index: krb5-1.16.1/src/util/support/Makefile.in
DEPLIBS=
Index: krb5-1.16.1/src/util/support/selinux.c
===================================================================
diff --git a/src/util/support/selinux.c b/src/util/support/selinux.c
new file mode 100644
index 000000000..ffba6a9ff
--- /dev/null
+++ krb5-1.16.1/src/util/support/selinux.c
+++ b/src/util/support/selinux.c
@@ -0,0 +1,381 @@
+/*
+ * Copyright 2007,2008,2009,2011,2012,2013 Red Hat, Inc. All Rights Reserved.
@ -814,192 +1009,6 @@ Index: krb5-1.16.1/src/util/support/selinux.c
+}
+
+#endif
Index: krb5-1.16.1/src/lib/krb5/rcache/rc_dfl.c
===================================================================
--- krb5-1.16.1.orig/src/lib/krb5/rcache/rc_dfl.c
+++ krb5-1.16.1/src/lib/krb5/rcache/rc_dfl.c
@@ -793,6 +793,9 @@ krb5_rc_dfl_expunge_locked(krb5_context
krb5_error_code retval = 0;
krb5_rcache tmp;
krb5_deltat lifespan = t->lifespan; /* save original lifespan */
+#ifdef USE_SELINUX
+ void *selabel;
+#endif
if (! t->recovering) {
name = t->name;
@@ -814,7 +817,17 @@ krb5_rc_dfl_expunge_locked(krb5_context
retval = krb5_rc_resolve(context, tmp, 0);
if (retval)
goto cleanup;
+#ifdef USE_SELINUX
+ if (t->d.fn != NULL)
+ selabel = krb5int_push_fscreatecon_for(t->d.fn);
+ else
+ selabel = NULL;
+#endif
retval = krb5_rc_initialize(context, tmp, lifespan);
+#ifdef USE_SELINUX
+ if (selabel != NULL)
+ krb5int_pop_fscreatecon(selabel);
+#endif
if (retval)
goto cleanup;
for (q = t->a; q; q = q->na) {
Index: krb5-1.16.1/src/lib/krb5/ccache/cc_dir.c
===================================================================
--- krb5-1.16.1.orig/src/lib/krb5/ccache/cc_dir.c
+++ krb5-1.16.1/src/lib/krb5/ccache/cc_dir.c
@@ -183,10 +183,19 @@ write_primary_file(const char *primary_p
char *newpath = NULL;
FILE *fp = NULL;
int fd = -1, status;
+#ifdef USE_SELINUX
+ void *selabel;
+#endif
if (asprintf(&newpath, "%s.XXXXXX", primary_path) < 0)
return ENOMEM;
+#ifdef USE_SELINUX
+ selabel = krb5int_push_fscreatecon_for(primary_path);
+#endif
fd = mkstemp(newpath);
+#ifdef USE_SELINUX
+ krb5int_pop_fscreatecon(selabel);
+#endif
if (fd < 0)
goto cleanup;
#ifdef HAVE_CHMOD
@@ -221,10 +230,23 @@ static krb5_error_code
verify_dir(krb5_context context, const char *dirname)
{
struct stat st;
+ int status;
+#ifdef USE_SELINUX
+ void *selabel;
+#endif
if (stat(dirname, &st) < 0) {
- if (errno == ENOENT && mkdir(dirname, S_IRWXU) == 0)
- return 0;
+ if (errno == ENOENT) {
+#ifdef USE_SELINUX
+ selabel = krb5int_push_fscreatecon_for(dirname);
+#endif
+ status = mkdir(dirname, S_IRWXU);
+#ifdef USE_SELINUX
+ krb5int_pop_fscreatecon(selabel);
+#endif
+ if (status == 0)
+ return 0;
+ }
k5_setmsg(context, KRB5_FCC_NOFILE,
_("Credential cache directory %s does not exist"),
dirname);
Index: krb5-1.16.1/src/lib/krb5/os/trace.c
===================================================================
--- krb5-1.16.1.orig/src/lib/krb5/os/trace.c
+++ krb5-1.16.1/src/lib/krb5/os/trace.c
@@ -398,7 +398,7 @@ krb5_set_trace_filename(krb5_context con
fd = malloc(sizeof(*fd));
if (fd == NULL)
return ENOMEM;
- *fd = open(filename, O_WRONLY|O_CREAT|O_APPEND, 0600);
+ *fd = THREEPARAMOPEN(filename, O_WRONLY|O_CREAT|O_APPEND, 0600);
if (*fd == -1) {
free(fd);
return errno;
Index: krb5-1.16.1/src/plugins/kdb/db2/kdb_db2.c
===================================================================
--- krb5-1.16.1.orig/src/plugins/kdb/db2/kdb_db2.c
+++ krb5-1.16.1/src/plugins/kdb/db2/kdb_db2.c
@@ -694,8 +694,8 @@ ctx_create_db(krb5_context context, krb5
if (retval)
return retval;
- dbc->db_lf_file = open(dbc->db_lf_name, O_CREAT | O_RDWR | O_TRUNC,
- 0600);
+ dbc->db_lf_file = THREEPARAMOPEN(dbc->db_lf_name,
+ O_CREAT | O_RDWR | O_TRUNC, 0600);
if (dbc->db_lf_file < 0) {
retval = errno;
goto cleanup;
Index: krb5-1.16.1/src/plugins/kdb/db2/libdb2/recno/rec_open.c
===================================================================
--- krb5-1.16.1.orig/src/plugins/kdb/db2/libdb2/recno/rec_open.c
+++ krb5-1.16.1/src/plugins/kdb/db2/libdb2/recno/rec_open.c
@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)rec_open.c 8
#include <stdio.h>
#include <unistd.h>
+#include "k5-int.h"
#include "db-int.h"
#include "recno.h"
@@ -68,7 +69,8 @@ __rec_open(fname, flags, mode, openinfo,
int rfd = -1, sverrno;
/* Open the user's file -- if this fails, we're done. */
- if (fname != NULL && (rfd = open(fname, flags | O_BINARY, mode)) < 0)
+ if (fname != NULL &&
+ (rfd = THREEPARAMOPEN(fname, flags | O_BINARY, mode)) < 0)
return (NULL);
if (fname != NULL && fcntl(rfd, F_SETFD, 1) == -1) {
Index: krb5-1.16.1/src/kdc/main.c
===================================================================
--- krb5-1.16.1.orig/src/kdc/main.c
+++ krb5-1.16.1/src/kdc/main.c
@@ -873,7 +873,7 @@ write_pid_file(const char *path)
FILE *file;
unsigned long pid;
- file = fopen(path, "w");
+ file = WRITABLEFOPEN(path, "w");
if (file == NULL)
return errno;
pid = (unsigned long) getpid();
Index: krb5-1.16.1/src/lib/kdb/kdb_log.c
===================================================================
--- krb5-1.16.1.orig/src/lib/kdb/kdb_log.c
+++ krb5-1.16.1/src/lib/kdb/kdb_log.c
@@ -484,7 +484,7 @@ ulog_map(krb5_context context, const cha
if (extend_file_to(ulogfd, filesize) < 0)
return errno;
} else {
- ulogfd = open(logname, O_RDWR, 0600);
+ ulogfd = THREEPARAMOPEN(logname, O_RDWR | O_CREAT, 0600);
if (ulogfd == -1)
return errno;
}
Index: krb5-1.16.1/src/slave/kpropd.c
===================================================================
--- krb5-1.16.1.orig/src/slave/kpropd.c
+++ krb5-1.16.1/src/slave/kpropd.c
@@ -488,7 +488,9 @@ doit(int fd)
krb5_enctype etype;
int database_fd;
char host[INET6_ADDRSTRLEN + 1];
-
+#ifdef USE_SELINUX
+ void *selabel;
+#endif
signal_wrapper(SIGALRM, alarm_handler);
alarm(params.iprop_resync_timeout);
fromlen = sizeof(from);
@@ -543,9 +545,15 @@ doit(int fd)
free(name);
exit(1);
}
+#ifdef USE_SELINUX
+ selabel = krb5int_push_fscreatecon_for(file);
+#endif
omask = umask(077);
lock_fd = open(temp_file_name, O_RDWR | O_CREAT, 0600);
(void)umask(omask);
+#ifdef USE_SELINUX
+ krb5int_pop_fscreatecon(selabel);
+#endif
retval = krb5_lock_file(kpropd_context, lock_fd,
KRB5_LOCKMODE_EXCLUSIVE | KRB5_LOCKMODE_DONTBLOCK);
if (retval) {
--
2.20.1


@ -0,0 +1,44 @@
From ea232e6646a96e0b1dff41b1b1e0b30f95214ebe Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Mon, 14 Jan 2019 13:18:16 +0100
Subject: [PATCH 9/9] krb5-1.9-debuginfo
Import krb5-1.9-debuginfo.patch
We want to keep these y.tab.c files around because the debuginfo points to
them. It would be more elegant at the end to use symbolic links, but that
could mess up people working in the tree on other things.
---
src/kadmin/cli/Makefile.in | 5 +++++
src/plugins/kdb/ldap/ldap_util/Makefile.in | 2 +-
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/kadmin/cli/Makefile.in b/src/kadmin/cli/Makefile.in
index adfea6e2b..d1327e400 100644
--- a/src/kadmin/cli/Makefile.in
+++ b/src/kadmin/cli/Makefile.in
@@ -37,3 +37,8 @@ clean-unix::
# CC_LINK is not meant for compilation and this use may break in the future.
datetest: getdate.c
$(CC_LINK) $(ALL_CFLAGS) -DTEST -o datetest getdate.c
+
+%.c: %.y
+ $(RM) y.tab.c $@
+ $(YACC.y) $<
+ $(CP) y.tab.c $@
diff --git a/src/plugins/kdb/ldap/ldap_util/Makefile.in b/src/plugins/kdb/ldap/ldap_util/Makefile.in
index 8669c2436..a22f23c02 100644
--- a/src/plugins/kdb/ldap/ldap_util/Makefile.in
+++ b/src/plugins/kdb/ldap/ldap_util/Makefile.in
@@ -20,7 +20,7 @@ $(PROG): $(OBJS) $(KADMSRV_DEPLIBS) $(KRB5_BASE_DEPLIB) $(GETDATE)
getdate.c: $(GETDATE)
$(RM) getdate.c y.tab.c
$(YACC) $(GETDATE)
- $(MV) y.tab.c getdate.c
+ $(CP) y.tab.c getdate.c
install:
$(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG)
--
2.20.1
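Review bot: The new `%.c: %.y` rule in src/kadmin/cli/Makefile.in writes `y.tab.c`, a fixed name that is not the rule's target, and leaves it in place after `$(CP)`. If a second `.y` file were ever built in this directory under `make -j`, the two recipes would overwrite each other's `y.tab.c` and the copy could pick up the wrong parser source. The hunk only shows `getdate.c` being used, so this looks like a latent hazard rather than a current bug. I would state the intent above the rule, for example `# y.tab.c is kept on purpose: debuginfo refers to it; not safe for more than one .y per directory under -j`, and check that `clean-unix::` (outside this hunk) removes `y.tab.c`. The same points apply to the `$(MV)` to `$(CP)` change in src/plugins/kdb/ldap/ldap_util/Makefile.in.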


@ -1,12 +0,0 @@
Set the default PATH to the one set by login.
--- krb5/src/clients/ksu/Makefile.in
+++ krb5/src/clients/ksu/Makefile.in
@@ -1,6 +1,6 @@
mydir=clients$(S)ksu
BUILDTOP=$(REL)..$(S)..
-DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"'
+DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/usr/local/sbin /usr/local/bin /sbin /bin /usr/sbin /usr/bin"'
KSU_LIBS=@KSU_LIBS@
PAM_LIBS=@PAM_LIBS@


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:214ffe394e3ad0c730564074ec44f1da119159d94281bbec541dc29168d21117
size 9477480


@ -1,17 +0,0 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUAWushEwy6CFdfg3LfAQJ+eBAAijTUBfXzCuxCwbDhCFYb1fIbHMkKkTuq
knFKv0VbALW1qUAj5v35A6GjDam6a33bMvGX8MzbGK/a9IDkpvaaXP/c37V4OfiQ
MhA6uQl0vxBMoCZqAFEVcWd6+M/0rY0WBZKpXRiZxxuSNPnSXn1l9fQAcrYKGb7I
YpaAWnzw+cc1k4Xi+GaaSghEYA4dX7TXh1fViJyHaNSESYZjH3J6wEdPm6LtZk6q
GwJw/ieMQi8djde0AhCbzMHWiaeW3jNPOJmpd3mpY04BAAkzGCyRiYGscxb6ge4u
ag2fojv7rbnJxDzy9RO0ZP0+fVPDMwInZ5GHPftbraSDFkTH2JBAYFudPsLDAoRK
FdjLeHpvuU5ifXWrLyshVYYfeXSe0fHz9Xhfhq2/OmfBD6vQl5k86z8IqxNm4ujy
ziypmTzHFnP/sBKlMgSMdDEKoKZHxevVQM5eJQd1XGexmwogkSPX8mwoEc0q4dtZ
h5w/fCu4ERA0BihvnQMZCZgwe32pO27ccPc6PqNHffUSLOq74J4gBHeoAoZ+SYPu
33oG7wxh+8WONzEGujl1lmxHFstij/njg8nULQ6bo6hSZnlMD0gU59mG9seC2jjr
E4aM4TXd1ixxPzM/cqxfI9SalytwYW0gn7Vuyj3P8xIZ5GQZiTsD7XWJqzb3xHmA
2JSQt4TK3Cc=
=9z9K
-----END PGP SIGNATURE-----

3
krb5-1.17.tar.gz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:5a6e2284a53de5702d3dc2be3b9339c963f9b5397d3fbbc53beb249380a781f5
size 8761763

17
krb5-1.17.tar.gz.asc Normal file

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1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=4hZX
-----END PGP SIGNATURE-----


@ -1,13 +0,0 @@
Index: krb5-1.10.2/src/lib/gssapi/generic/disp_com_err_status.c
===================================================================
--- krb5-1.10.2.orig/src/lib/gssapi/generic/disp_com_err_status.c
+++ krb5-1.10.2/src/lib/gssapi/generic/disp_com_err_status.c
@@ -52,7 +52,7 @@ g_display_com_err_status(OM_uint32 *mino
status_string->value = NULL;
if (! g_make_string_buffer(((status_value == 0)?no_error:
- error_message(status_value)),
+ error_message((long)status_value)),
status_string)) {
*minor_status = ENOMEM;
return(GSS_S_FAILURE);


@ -1,27 +0,0 @@
---
src/man/ktutil.man | 12 ++++++++++++
1 file changed, 12 insertions(+)
Index: krb5-1.12.2/src/man/ktutil.man
===================================================================
--- krb5-1.12.2.orig/src/man/ktutil.man 2014-08-30 23:06:53.000000000 +0100
+++ krb5-1.12.2/src/man/ktutil.man 2014-08-30 23:07:00.000000000 +0100
@@ -162,6 +162,18 @@ ktutil:
.UNINDENT
.UNINDENT
.UNINDENT
+.SH REMARKS
+Changes to the keytab are appended to the keytab file (i.e., the keytab file
+is never overwritten). To directly modify a keytab, save the changes to a
+temporary file and then overwrite the keytab file of interest.
+.TP
+.nf
+Example:
+ktutil> rkt /etc/krb5.keytab
+(modifications to keytab)
+ktutil> wkt /tmp/krb5.newtab
+ktutil> q
+# mv /tmp/krb5.newtab /etc/krb5.keytab
.SH SEE ALSO
.sp
\fIkadmin(1)\fP, \fIkdb5_util(8)\fP


@ -1,26 +0,0 @@
We want to keep these y.tab.c files around because the debuginfo points to
them. It would be more elegant at the end to use symbolic links, but that
could mess up people working in the tree on other things.
--- krb5-1.15.orig/src/kadmin/cli/Makefile.in
+++ krb5-1.15/src/kadmin/cli/Makefile.in
@@ -37,3 +37,8 @@
# CC_LINK is not meant for compilation and this use may break in the future.
datetest: getdate.c
$(CC_LINK) $(ALL_CFLAGS) -DTEST -o datetest getdate.c
+
+%.c: %.y
+ $(RM) y.tab.c $@
+ $(YACC.y) $<
+ $(CP) y.tab.c $@
--- krb5-1.15.orig/src/plugins/kdb/ldap/ldap_util/Makefile.in
+++ krb5-1.15/src/plugins/kdb/ldap/ldap_util/Makefile.in
@@ -20,7 +20,7 @@
getdate.c: $(GETDATE)
$(RM) getdate.c y.tab.c
$(YACC) $(GETDATE)
- $(MV) y.tab.c getdate.c
+ $(CP) y.tab.c getdate.c
install:
$(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG)


@ -1,18 +0,0 @@
Change the absolute paths included in the man pages so that the correct
values can be dropped in by config.status. After applying this patch,
these files should be renamed to their ".in" counterparts, and then the
configure scripts should be rebuilt. Originally RT#6525
Index: krb5-1.11/src/man/kpropd.man
===================================================================
--- krb5-1.11.orig/src/man/kpropd.man
+++ krb5-1.11/src/man/kpropd.man
@@ -63,7 +63,7 @@ the \fB/etc/inetd.conf\fP file which loo
.sp
.nf
.ft C
-kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd
+kprop stream tcp nowait root @SBINDIR@/kpropd kpropd
.ft P
.fi
.UNINDENT


@ -1,3 +1,74 @@
-------------------------------------------------------------------
Wed Feb 13 17:45:34 UTC 2019 - Jan Engelhardt <jengelh@inai.de>
- Replace old $RPM_* shell vars
-------------------------------------------------------------------
Mon Jan 14 16:10:06 UTC 2019 - Samuel Cabrero <scabrero@suse.de>
- Upgrade to 1.17. Major changes:
Administrator experience:
* A new Kerberos database module using the Lightning Memory-Mapped
Database library (LMDB) has been added. The LMDB KDB module should
be more performant and more robust than the DB2 module, and may
become the default module for new databases in a future release.
* "kdb5_util dump" will no longer dump policy entries when specific
principal names are requested.
Developer experience:
* The new krb5_get_etype_info() API can be used to retrieve enctype,
salt, and string-to-key parameters from the KDC for a client
principal.
* The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise
principal names to be used with GSS-API functions.
* KDC and kadmind modules which call com_err() will now write to the
log file in a format more consistent with other log messages.
* Programs which use large numbers of memory credential caches should
perform better.
Protocol evolution:
* The SPAKE pre-authentication mechanism is now supported. This
mechanism protects against password dictionary attacks without
requiring any additional infrastructure such as certificates. SPAKE
is enabled by default on clients, but must be manually enabled on
the KDC for this release.
* PKINIT freshness tokens are now supported. Freshness tokens can
protect against scenarios where an attacker uses temporary access to
a smart card to generate authentication requests for the future.
* Password change operations now prefer TCP over UDP, to avoid
spurious error messages about replays when a response packet is
dropped.
* The KDC now supports cross-realm S4U2Self requests when used with a
third-party KDB module such as Samba's. The client code for
cross-realm S4U2Self requests is also now more robust.
User experience:
* The new ktutil addent -f flag can be used to fetch salt information
from the KDC for password-based keys.
* The new kdestroy -p option can be used to destroy a credential cache
within a collection by client principal name.
* The Kerberos man page has been restored, and documents the
environment variables that affect programs using the Kerberos
library.
Code quality:
* Python test scripts now use Python 3.
* Python test scripts now display markers in verbose output, making it
easier to find where a failure occurred within the scripts.
* The Windows build system has been simplified and updated to work
with more recent versions of Visual Studio. A large volume of
unused Windows-specific code has been removed. Visual Studio 2013
or later is now required.
- Use systemd-tmpfiles to create files under /var/lib/kerberos, required
by transactional updates; (bsc#1100126);
- Rename patches:
* krb5-1.12-pam.patch => 0001-krb5-1.12-pam.patch
* krb5-1.9-manpaths.dif => 0002-krb5-1.9-manpaths.patch
* krb5-1.12-buildconf.patch => 0003-krb5-1.12-buildconf.patch
* krb5-1.6.3-gssapi_improve_errormessages.dif to
0004-krb5-1.6.3-gssapi_improve_errormessages.patch
* krb5-1.6.3-ktutil-manpage.dif => 0005-krb5-1.6.3-ktutil-manpage.patch
* krb5-1.12-api.patch => 0006-krb5-1.12-api.patch
* krb5-1.12-ksu-path.patch => 0007-krb5-1.12-ksu-path.patch
* krb5-1.12-selinux-label.patch => 0008-krb5-1.12-selinux-label.patch
* krb5-1.9-debuginfo.patch => 0009-krb5-1.9-debuginfo.patch
-------------------------------------------------------------------
Tue Oct 9 20:13:24 UTC 2018 - James McDonough <jmcdonough@suse.com>
@ -11,7 +82,7 @@ Tue Oct 9 20:13:24 UTC 2018 - James McDonough <jmcdonough@suse.com>
* dates through 2106 accepted
* KDC support for trivially renewable tickets
* stop caching referral and alternate cross-realm TGTs to prevent
duplicate credential cache entries
duplicate credential cache entries
-------------------------------------------------------------------
Fri May 4 09:48:36 UTC 2018 - michael@stroeder.com
@ -38,7 +109,7 @@ Wed Apr 25 21:56:35 UTC 2018 - luizluca@gmail.com
-------------------------------------------------------------------
Thu Nov 23 13:38:33 UTC 2017 - rbrown@suse.com
- Replace references to /var/adm/fillup-templates with new
- Replace references to /var/adm/fillup-templates with new
%_fillupdir macro (boo#1069468)
-------------------------------------------------------------------
@ -194,7 +265,7 @@ Fri Jul 22 08:45:19 UTC 2016 - michael@stroeder.com
nonexistent policies
* Fix a rare KDC denial of service vulnerability when anonymous client
principals are restricted to obtaining TGTs only [CVE-2016-3120]
------------------------------------------------------------------
Tue May 10 12:41:14 UTC 2016 - hguo@suse.com
@ -528,7 +599,7 @@ Thu Sep 25 12:48:32 UTC 2014 - ddiss@suse.com
-------------------------------------------------------------------
Tue Sep 23 13:25:33 UTC 2014 - varkoly@suse.com
- bnc#897874 CVE-2014-5351: krb5: current keys returned when randomizing the keys for a service principal
- bnc#897874 CVE-2014-5351: krb5: current keys returned when randomizing the keys for a service principal
- added patches:
* bnc#897874-CVE-2014-5351.diff
-------------------------------------------------------------------
@ -569,7 +640,7 @@ Fri Aug 8 15:55:01 UTC 2014 - ckornacker@suse.com
- buffer overrun in kadmind with LDAP backend
CVE-2014-4345 (bnc#891082)
krb5-1.12-CVE-2014-4345-buffer-overrun-in-kadmind-with-LDAP-backend.patch
krb5-1.12-CVE-2014-4345-buffer-overrun-in-kadmind-with-LDAP-backend.patch
-------------------------------------------------------------------
Mon Jul 28 09:22:06 UTC 2014 - ckornacker@suse.com
@ -582,7 +653,7 @@ Mon Jul 28 09:22:06 UTC 2014 - ckornacker@suse.com
-------------------------------------------------------------------
Sat Jul 19 12:38:21 UTC 2014 - p.drouand@gmail.com
- Do not depend of insserv if systemd is used
- Do not depend of insserv if systemd is used
-------------------------------------------------------------------
Thu Jul 10 15:59:52 UTC 2014 - ckornacker@suse.com
@ -653,7 +724,7 @@ Mon Jan 13 15:37:16 UTC 2014 - ckornacker@suse.com
* krb5-master-gss_oid_leak.patch
- Fix SPNEGO one-hop interop against old IIS
* krb5-master-ignore-empty-unnecessary-final-token.patch
- Fix GSS krb5 acceptor acquire_cred error handling
- Fix GSS krb5 acceptor acquire_cred error handling
* krb5-master-keytab_close.patch
- Avoid malloc(0) in SPNEGO get_input_token
* krb5-master-no-malloc0.patch
@ -686,7 +757,7 @@ Mon Jun 24 16:21:07 UTC 2013 - mc@suse.com
-------------------------------------------------------------------
Fri Jun 21 02:12:03 UTC 2013 - crrodriguez@opensuse.org
- remove fstack-protector-all from CFLAGS, just use the
- remove fstack-protector-all from CFLAGS, just use the
lighter/fast version already present in %optflags
- Use LFS_CFLAGS to build in 32 bit archs.
@ -725,7 +796,7 @@ Sun Apr 28 17:14:36 CEST 2013 - mc@suse.de
that failed to load.
* gss_import_sec_context incorrectly set internal state that
identifies whether an imported context is from an interposer
mechanism or from the underlying mechanism.
mechanism or from the underlying mechanism.
- upstream fix obsolete krb5-lookup_etypes-leak.patch
-------------------------------------------------------------------
@ -927,7 +998,7 @@ Tue Aug 23 13:52:03 CEST 2011 - mc@suse.de
-------------------------------------------------------------------
Sun Aug 21 09:37:01 UTC 2011 - mc@novell.com
- add patches from Fedora and upstream
- add patches from Fedora and upstream
- fix init scripts (bnc#689006)
-------------------------------------------------------------------
@ -965,12 +1036,12 @@ Wed Jan 19 14:42:27 CET 2011 - mc@suse.de
CVE-2010-4022
- Fix KDC denial of service attacks with LDAP back end
(MITKRB5-SA-2011-002, bnc#663619)
CVE-2011-0281, CVE-2011-0282
CVE-2011-0281, CVE-2011-0282
-------------------------------------------------------------------
Wed Dec 1 11:44:15 CET 2010 - mc@suse.de
- Fix multiple checksum handling vulnerabilities
- Fix multiple checksum handling vulnerabilities
(MITKRB5-SA-2010-007, bnc#650650)
CVE-2010-1324
* krb5 GSS-API applications may accept unkeyed checksums
@ -982,21 +1053,21 @@ Wed Dec 1 11:44:15 CET 2010 - mc@suse.de
CVE-2010-4020
* krb5 may accept authdata checksums with low-entropy derived keys
CVE-2010-4021
* krb5 KDC may issue unrequested tickets due to KrbFastReq forgery
* krb5 KDC may issue unrequested tickets due to KrbFastReq forgery
-------------------------------------------------------------------
Thu Oct 28 12:53:13 CEST 2010 - mc@suse.de
- fix csh profile (bnc#649856)
- fix csh profile (bnc#649856)
-------------------------------------------------------------------
Fri Oct 22 11:15:43 CEST 2010 - mc@suse.de
- update to krb5-1.8.3
* remove patches which are now upstrem
- krb5-1.7-MITKRB5-SA-2010-004.dif
- krb5-1.8.1-gssapi-error-table.dif
- krb5-MITKRB5-SA-2010-005.dif
- krb5-1.7-MITKRB5-SA-2010-004.dif
- krb5-1.8.1-gssapi-error-table.dif
- krb5-MITKRB5-SA-2010-005.dif
-------------------------------------------------------------------
Fri Oct 22 10:49:11 CEST 2010 - mc@suse.de
@ -1008,7 +1079,7 @@ Fri Oct 22 10:49:11 CEST 2010 - mc@suse.de
Mon Sep 27 11:42:43 CEST 2010 - mc@suse.de
- fix a dereference of an uninitialized pointer while processing
authorization data.
authorization data.
CVE-2010-1322, MITKRB5-SA-2010-006 (bnc#640990)
-------------------------------------------------------------------
@ -1021,12 +1092,12 @@ Mon Jun 21 21:31:53 UTC 2010 - lchiquitto@novell.com
Wed May 19 14:27:19 CEST 2010 - mc@suse.de
- fix GSS-API library null pointer dereference
CVE-2010-1321, MITKRB5-SA-2010-005 (bnc#596826)
CVE-2010-1321, MITKRB5-SA-2010-005 (bnc#596826)
-------------------------------------------------------------------
Wed Apr 14 11:36:32 CEST 2010 - mc@suse.de
- fix a double free vulnerability in the KDC
- fix a double free vulnerability in the KDC
CVE-2010-1320, MITKRB5-SA-2010-004 (bnc#596002)
-------------------------------------------------------------------
@ -1034,12 +1105,12 @@ Fri Apr 9 12:43:44 CEST 2010 - mc@suse.de
- update to version 1.8.1
* include krb5-1.8-POST.dif
* include MITKRB5-SA-2010-002
* include MITKRB5-SA-2010-002
-------------------------------------------------------------------
Tue Apr 6 14:14:56 CEST 2010 - mc@suse.de
- update krb5-1.8-POST.dif
- update krb5-1.8-POST.dif
-------------------------------------------------------------------
Tue Mar 23 14:32:41 CET 2010 - mc@suse.de
@ -1047,17 +1118,17 @@ Tue Mar 23 14:32:41 CET 2010 - mc@suse.de
- fix a bug where an unauthenticated remote attacker could cause
a GSS-API application including the Kerberos administration
daemon (kadmind) to crash.
CVE-2010-0628, MITKRB5-SA-2010-002 (bnc#582557)
CVE-2010-0628, MITKRB5-SA-2010-002 (bnc#582557)
-------------------------------------------------------------------
Tue Mar 23 12:33:26 CET 2010 - mc@suse.de
- add post 1.8 fixes
* Add IPv6 support to changepw.c
* fix two problems in kadm5_get_principal mask handling
* fix two problems in kadm5_get_principal mask handling
* Ignore improperly encoded signedpath AD elements
* handle NT_SRV_INST in service principal referrals
* dereference options while checking
* dereference options while checking
KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT
* Fix the kpasswd fallback from the ccache principal name
* Document the ticket_lifetime libdefaults setting
@ -1067,16 +1138,16 @@ Tue Mar 23 12:33:26 CET 2010 - mc@suse.de
Thu Mar 4 10:42:29 CET 2010 - mc@suse.de
- update to version 1.8
* Increase code quality
* Increase code quality
* Move toward improved KDB interface
* Investigate and remedy repeatedly-reported performance
* Investigate and remedy repeatedly-reported performance
bottlenecks.
* Reduce DNS dependence by implementing an interface that allows
client library to track whether a KDC supports service
client library to track whether a KDC supports service
principal referrals.
* Disable DES by default
* Disable DES by default
* Account lockout for repeated login failures
* Bridge layer to allow Heimdal HDB modules to act as KDB
* Bridge layer to allow Heimdal HDB modules to act as KDB
backend modules
* FAST enhancements
* Microsoft Services for User (S4U) compatibility
@ -1088,7 +1159,7 @@ Thu Mar 4 10:42:29 CET 2010 - mc@suse.de
- fix integer underflow in AES and RC4 decryption
CVE-2009-4212, MITKRB5-SA-2009-004 (bnc#561351)
- moved krb5 applications (telnet, ftp, rlogin, ...) to krb5-appl
-------------------------------------------------------------------
Mon Dec 14 16:32:01 CET 2009 - jengelh@medozas.de
@ -1108,12 +1179,12 @@ Sun Jul 12 21:36:17 CEST 2009 - coolo@novell.com
-------------------------------------------------------------------
Wed Jun 3 10:23:42 CEST 2009 - mc@suse.de
- update to final 1.7 release
- update to final 1.7 release
-------------------------------------------------------------------
Wed May 13 11:30:42 CEST 2009 - mc@suse.de
- update to version 1.7 Beta2
- update to version 1.7 Beta2
* Incremental propagation support for the KDC database.
* Flexible Authentication Secure Tunneling (FAST), a preauthentiation
framework that can protect the AS exchange from dictionary attack.
@ -1126,7 +1197,7 @@ Wed May 13 11:30:42 CEST 2009 - mc@suse.de
-------------------------------------------------------------------
Mon Feb 16 13:04:26 CET 2009 - mc@suse.de
- update to pre 1.7 version
- update to pre 1.7 version
* Remove support for version 4 of the Kerberos protocol (krb4).
* New libdefaults configuration variable "allow_weak_crypto".
* Client library now follows client principal referrals, for
@ -1155,7 +1226,7 @@ Wed Jan 14 09:21:36 CET 2009 - olh@suse.de
Thu Dec 11 14:12:57 CET 2008 - mc@suse.de
- do not query IPv6 addresses if no IPv6 address exists on this host
[bnc#449143]
[bnc#449143]
-------------------------------------------------------------------
Wed Dec 10 12:34:56 CET 2008 - olh@suse.de
@ -1172,7 +1243,7 @@ Thu Oct 30 12:34:56 CET 2008 - olh@suse.de
Fri Sep 26 18:13:19 CEST 2008 - mc@suse.de
- in case we use ldap as database backend, ldap should be
started before krb5kdc
started before krb5kdc
-------------------------------------------------------------------
Mon Jul 28 10:43:29 CEST 2008 - mc@suse.de
@ -1180,8 +1251,8 @@ Mon Jul 28 10:43:29 CEST 2008 - mc@suse.de
- add new fixes to post 1.6.3 patch
* fix mem leak in krb5_gss_accept_sec_context()
* keep minor_status
* kadm5_decrypt_key: A ktype of -1 is documented as meaning
"to be ignored"
* kadm5_decrypt_key: A ktype of -1 is documented as meaning
"to be ignored"
* Reject socket fds > FD_SETSIZE
-------------------------------------------------------------------
@ -1198,14 +1269,14 @@ Wed Jun 18 15:30:18 CEST 2008 - mc@suse.de
- add case-insensitive.dif (FATE#300771)
- minor fixes for ktutil man page
- reduce rpmlint warnings
- reduce rpmlint warnings
-------------------------------------------------------------------
Wed May 14 17:44:59 CEST 2008 - mc@suse.de
- Fall back to TCP on kdc-unresolvable/unreachable errors.
- restore valid sequence number before generating requests
(fix changing passwords in mixed ipv4/ipv6 enviroments)
(fix changing passwords in mixed ipv4/ipv6 enviroments)
-------------------------------------------------------------------
Thu Apr 10 12:54:45 CEST 2008 - ro@suse.de
@ -1216,7 +1287,7 @@ Thu Apr 10 12:54:45 CEST 2008 - ro@suse.de
-------------------------------------------------------------------
Wed Apr 9 12:04:48 CEST 2008 - mc@suse.de
- modify krb5-config to not output rpath and cflags in --libs
- modify krb5-config to not output rpath and cflags in --libs
(bnc#378270)
-------------------------------------------------------------------
@ -1228,7 +1299,7 @@ Fri Mar 14 11:27:55 CET 2008 - mc@suse.de
* MITKRB5-SA-2008-002(CVE-2008-0947, CVE-2008-0948)
Memory corruption while too many open file descriptors
[bnc#363151]
- change default config file. Comment out the examples.
- change default config file. Comment out the examples.
-------------------------------------------------------------------
Fri Dec 14 10:48:52 CET 2007 - mc@suse.de
@ -1243,12 +1314,12 @@ Fri Dec 14 10:48:52 CET 2007 - mc@suse.de
-------------------------------------------------------------------
Tue Dec 4 16:36:07 CET 2007 - mc@suse.de
- improve GSSAPI error messages
- improve GSSAPI error messages
-------------------------------------------------------------------
Tue Nov 6 13:53:17 CET 2007 - mc@suse.de
- add coreutils to PreReq
- add coreutils to PreReq
-------------------------------------------------------------------
Tue Oct 23 10:24:25 CEST 2007 - mc@suse.de
@ -1264,8 +1335,8 @@ Tue Oct 23 10:24:25 CEST 2007 - mc@suse.de
Fri Sep 14 12:08:55 CEST 2007 - mc@suse.de
- update krb5-1.6.2-post.dif
* If a KDC returns KDC_ERR_SVC_UNAVAILABLE, it appears that
that the client library will not failover to the next KDC.
* If a KDC returns KDC_ERR_SVC_UNAVAILABLE, it appears that
that the client library will not failover to the next KDC.
[#310540]
-------------------------------------------------------------------
@ -1275,7 +1346,7 @@ Tue Sep 11 15:09:14 CEST 2007 - mc@suse.de
* new -S sname option for kvno
* read_entropy_from_device on partial read will not fill buffer
* Bail out if encoded "ticket" doesn't decode correctly.
* patch for referrals loop
* patch for referrals loop
-------------------------------------------------------------------
Thu Sep 6 10:43:39 CEST 2007 - mc@suse.de
@ -1296,10 +1367,10 @@ Tue Aug 7 11:56:41 CEST 2007 - mc@suse.de
- add krb5-1.6.2-post.dif
* during the referrals loop, check to see if the
session key enctype of a returned credential for the final
service is among the enctypes explicitly selected by the
application, and retry with old_use_conf_ktypes if it is not.
* If mkstemp() is available, the new ccache file gets created but
session key enctype of a returned credential for the final
service is among the enctypes explicitly selected by the
application, and retry with old_use_conf_ktypes if it is not.
* If mkstemp() is available, the new ccache file gets created but
the subsequent open(O_CREAT|O_EXCL) call fails because the file
was already created by mkstemp(). Apply patch from Apple to keep
the file descriptor open.
@ -1308,7 +1379,7 @@ Tue Aug 7 11:56:41 CEST 2007 - mc@suse.de
Thu Jul 12 17:01:28 CEST 2007 - mc@suse.de
- update to version 1.6.2
- remove krb5-1.6.1-post.dif all fixes are included in this release
- remove krb5-1.6.1-post.dif all fixes are included in this release
-------------------------------------------------------------------
Thu Jul 5 18:10:28 CEST 2007 - mc@suse.de
@ -1320,7 +1391,7 @@ Mon Jul 2 11:26:47 CEST 2007 - mc@suse.de
- update krb5-1.6.1-post.dif
* fix leak in krb5_walk_realm_tree
* rd_req_decoded needs to deal with referral realms
* rd_req_decoded needs to deal with referral realms
* fix buffer overflow in kadmind
(MITKRB5-SA-2007-005 - CVE-2007-2798)
[#278689]
@ -1331,14 +1402,14 @@ Mon Jul 2 11:26:47 CEST 2007 - mc@suse.de
-------------------------------------------------------------------
Thu Jun 14 17:44:12 CEST 2007 - mc@suse.de
- fix unstripped-binary-or-object rpmlint warning
- fix unstripped-binary-or-object rpmlint warning
-------------------------------------------------------------------
Mon Jun 11 18:04:23 CEST 2007 - sschober@suse.de
- fixing rpmlint warnings and errors:
* merged logrotate scripts kadmin and krb5kdc into a single file
krb5-server.
krb5-server.
* moved heimdal2mit-DumpConvert.pl and simple_convert_krb5conf.pl
from /usr/share/doc/packages/krb5 to /usr/lib/mit/helper.
adapted krb5.spec and README.ConvertHeimdalMIT accordingly.
@ -1351,32 +1422,32 @@ Mon Jun 11 18:04:23 CEST 2007 - sschober@suse.de
-------------------------------------------------------------------
Wed May 9 15:30:53 CEST 2007 - mc@suse.de
- fix uninitialized salt length
- fix uninitialized salt length
- add extra check for keytab file
-------------------------------------------------------------------
Thu May 3 12:11:29 CEST 2007 - mc@suse.de
- adding krb5-1.6.1-post.dif
* fix segfault in krb5_get_init_creds_password
* fix segfault in krb5_get_init_creds_password
* remove debug output in ftp client
* profile stores empty string values without double quotes
-------------------------------------------------------------------
Mon Apr 23 11:15:10 CEST 2007 - mc@suse.de
- update to final 1.6.1 version
- update to final 1.6.1 version
-------------------------------------------------------------------
Wed Apr 18 14:48:03 CEST 2007 - mc@suse.de
- add plugin directories to main package
- add plugin directories to main package
-------------------------------------------------------------------
Mon Apr 16 14:38:08 CEST 2007 - mc@suse.de
- update to version 1.6.1 Beta1
- remove obsolete patches
- remove obsolete patches
(krb5-1.6-post.dif, krb5-1.6-patchlevel.dif)
- rework compile_pie patch
@ -1403,8 +1474,8 @@ Thu Mar 29 12:41:57 CEST 2007 - mc@suse.de
-------------------------------------------------------------------
Mon Mar 5 11:01:20 CET 2007 - mc@suse.de
- move SuSEFirewall service definitions to
/etc/sysconfig/SuSEfirewall2.d/services
- move SuSEFirewall service definitions to
/etc/sysconfig/SuSEfirewall2.d/services
-------------------------------------------------------------------
Thu Feb 22 11:13:48 CET 2007 - mc@suse.de
@ -1415,12 +1486,12 @@ Thu Feb 22 11:13:48 CET 2007 - mc@suse.de
Mon Feb 19 13:59:43 CET 2007 - mc@suse.de
- update krb5-1.6-post.dif
- move some applications into the right package
- move some applications into the right package
-------------------------------------------------------------------
Fri Feb 9 13:31:22 CET 2007 - mc@suse.de
- update krb5-1.6-post.dif
- update krb5-1.6-post.dif
-------------------------------------------------------------------
Mon Jan 29 11:27:23 CET 2007 - mc@suse.de
@ -1438,16 +1509,16 @@ Tue Jan 23 17:21:12 CET 2007 - mc@suse.de
-------------------------------------------------------------------
Mon Jan 22 16:39:27 CET 2007 - mc@suse.de
- krb5-devel should require keyutils-devel
- krb5-devel should require keyutils-devel
-------------------------------------------------------------------
Mon Jan 22 12:19:49 CET 2007 - mc@suse.de
- update to version 1.6
* Major changes in 1.6 include
* Partial client implementation to handle server name referrals.
* Pre-authentication plug-in framework, donated by Red Hat.
* LDAP KDB plug-in, donated by Novell.
* Major changes in 1.6 include
* Partial client implementation to handle server name referrals.
* Pre-authentication plug-in framework, donated by Red Hat.
* LDAP KDB plug-in, donated by Novell.
- remove obsolete patches
-------------------------------------------------------------------
@ -1465,14 +1536,14 @@ Wed Jan 10 11:16:30 CET 2007 - mc@suse.de
-------------------------------------------------------------------
Tue Jan 2 14:53:33 CET 2007 - mc@suse.de
- Fix Requires in krb5-devel
- Fix Requires in krb5-devel
[Bug #231008]
-------------------------------------------------------------------
Mon Nov 6 11:49:39 CET 2006 - mc@suse.de
- fix "local variable used before set" [#217692]
- fix strncat warning
- fix strncat warning
-------------------------------------------------------------------
Fri Oct 27 17:34:30 CEST 2006 - mc@suse.de
@ -1483,7 +1554,7 @@ Fri Oct 27 17:34:30 CEST 2006 - mc@suse.de
-------------------------------------------------------------------
Wed Sep 13 10:39:41 CEST 2006 - mc@suse.de
- fix function call with too few arguments [#203837]
- fix function call with too few arguments [#203837]
-------------------------------------------------------------------
Thu Aug 24 12:52:25 CEST 2006 - mc@suse.de
@ -1491,7 +1562,7 @@ Thu Aug 24 12:52:25 CEST 2006 - mc@suse.de
- update to version 1.5.1
- remove obsolete patches which are now included upstream
* krb5-1.4.3-MITKRB5-SA-2006-001-setuid-return-checks.dif
* trunk-fix-uninitialized-vars.dif
* trunk-fix-uninitialized-vars.dif
-------------------------------------------------------------------
Fri Aug 11 14:29:27 CEST 2006 - mc@suse.de
@ -1503,7 +1574,7 @@ Fri Aug 11 14:29:27 CEST 2006 - mc@suse.de
-------------------------------------------------------------------
Mon Aug 7 15:54:26 CEST 2006 - mc@suse.de
- remove update-messages
- remove update-messages
-------------------------------------------------------------------
Mon Jul 24 15:45:14 CEST 2006 - mc@suse.de
@ -1515,13 +1586,13 @@ Mon Jul 24 15:45:14 CEST 2006 - mc@suse.de
Mon Jul 3 14:59:35 CEST 2006 - mc@suse.de
- update to version 1.5
* KDB abstraction layer, donated by Novell.
* plug-in architecture, allowing for extension modules to be
loaded at run-time.
* multi-mechanism GSS-API implementation ("mechglue"),
donated by Sun Microsystems
* Simple and Protected GSS-API negotiation mechanism ("SPNEGO")
implementation, donated by Sun Microsystems
* KDB abstraction layer, donated by Novell.
* plug-in architecture, allowing for extension modules to be
loaded at run-time.
* multi-mechanism GSS-API implementation ("mechglue"),
donated by Sun Microsystems
* Simple and Protected GSS-API negotiation mechanism ("SPNEGO")
implementation, donated by Sun Microsystems
- remove obsolete patches and add some new
-------------------------------------------------------------------
@ -1535,17 +1606,17 @@ Mon Mar 27 14:10:02 CEST 2006 - mc@suse.de
- add all daemons to %stop_on_removal and %restart_on_update
- add reload to kpropd init script
- add force-reload to all init scripts
- add force-reload to all init scripts
-------------------------------------------------------------------
Mon Mar 13 18:20:36 CET 2006 - mc@suse.de
- add libgssapi_krb5.so link to main package [#147912]
- add libgssapi_krb5.so link to main package [#147912]
-------------------------------------------------------------------
Fri Feb 3 18:17:01 CET 2006 - mc@suse.de
- fix logging section for kadmind in convert script
- fix logging section for kadmind in convert script
-------------------------------------------------------------------
Wed Jan 25 21:30:24 CET 2006 - mls@suse.de
@ -1555,12 +1626,12 @@ Wed Jan 25 21:30:24 CET 2006 - mls@suse.de
-------------------------------------------------------------------
Fri Jan 13 14:44:24 CET 2006 - mc@suse.de
- change the logging defaults
- change the logging defaults
-------------------------------------------------------------------
Wed Jan 11 12:59:08 CET 2006 - mc@suse.de
- add tools and README for heimdal => MIT update
- add tools and README for heimdal => MIT update
-------------------------------------------------------------------
Mon Jan 9 14:41:07 CET 2006 - mc@suse.de
@ -1571,7 +1642,7 @@ Mon Jan 9 14:41:07 CET 2006 - mc@suse.de
-------------------------------------------------------------------
Tue Jan 3 16:00:13 CET 2006 - mc@suse.de
- added "make %{?jobs:-j%jobs}"
- added "make %{?jobs:-j%jobs}"
-------------------------------------------------------------------
Fri Nov 18 12:12:01 CET 2005 - mc@suse.de
@ -1580,33 +1651,33 @@ Fri Nov 18 12:12:01 CET 2005 - mc@suse.de
* some memmory leaks fixed
* fix for "AS_REP padata has wrong enctype"
* fix for "AS_REP padata missing PA-ETYPE-INFO"
* ... and more
* ... and more
-------------------------------------------------------------------
Wed Nov 2 21:23:32 CET 2005 - dmueller@suse.de
- don't build as root
- don't build as root
-------------------------------------------------------------------
Tue Oct 11 17:39:23 CEST 2005 - mc@suse.de
- update to version 1.4.2
- remove some obsolet patches
- remove some obsolet patches
-------------------------------------------------------------------
Mon Aug 8 16:07:51 CEST 2005 - mc@suse.de
- build with --disable-static
- build with --disable-static
-------------------------------------------------------------------
Thu Aug 4 16:47:43 CEST 2005 - ro@suse.de
- remove devel-static subpackage
- remove devel-static subpackage
-------------------------------------------------------------------
Thu Jun 30 10:12:30 CEST 2005 - mc@suse.de
- better patch for princ_comp problem
- better patch for princ_comp problem
-------------------------------------------------------------------
Mon Jun 27 13:34:50 CEST 2005 - mc@suse.de
@ -1625,18 +1696,18 @@ Thu Jun 23 10:12:54 CEST 2005 - mc@suse.de
- fixed krb5 double free()
[#86768, CAN-2005-1689, MITKRB5-SA-2005-003]
- fix krb5 NULL pointer reference while comparing principals
[#91600]
[#91600]
-------------------------------------------------------------------
Fri Jun 17 17:18:19 CEST 2005 - mc@suse.de
- fix uninitialized variables
- fix uninitialized variables
- compile with -fPIE/ link with -pie
-------------------------------------------------------------------
Wed Apr 20 15:36:16 CEST 2005 - mc@suse.de
- fixed wrong xinetd files [#77149]
- fixed wrong xinetd files [#77149]
-------------------------------------------------------------------
Fri Apr 8 04:55:55 CEST 2005 - mt@suse.de
@ -1647,26 +1718,26 @@ Fri Apr 8 04:55:55 CEST 2005 - mt@suse.de
-------------------------------------------------------------------
Thu Apr 7 13:49:37 CEST 2005 - mc@suse.de
- fixed missing descriptions in init files
[#76164, #76165, #76166, #76169]
- fixed missing descriptions in init files
[#76164, #76165, #76166, #76169]
-------------------------------------------------------------------
Wed Mar 30 18:11:38 CEST 2005 - mc@suse.de
- enhance $PATH via /etc/profile.d/ [#74018]
- remove the "links to important programs"
- remove the "links to important programs"
-------------------------------------------------------------------
Fri Mar 18 11:09:43 CET 2005 - mc@suse.de
- fixed not running converter script [#72854]
- fixed not running converter script [#72854]
-------------------------------------------------------------------
Thu Mar 17 14:15:17 CET 2005 - mc@suse.de
- Fix CAN-2005-0469: Multiple Telnet Client slc_add_reply() Buffer
- Fix CAN-2005-0469: Multiple Telnet Client slc_add_reply() Buffer
Overflow
- Fix CAN-2005-0468: Multiple Telnet Client env_opt_add() Buffer
- Fix CAN-2005-0468: Multiple Telnet Client env_opt_add() Buffer
Overflow
[#73618]
@ -1684,38 +1755,38 @@ Tue Mar 15 19:54:58 CET 2005 - mc@suse.de
Mon Mar 14 17:08:59 CET 2005 - mc@suse.de
- fixed: rckrb5kdc restart gives wrong status with non-running service
[#72446]
[#72446]
-------------------------------------------------------------------
Thu Mar 10 10:48:07 CET 2005 - mc@suse.de
- add requires: e2fsprogs-devel to krb5-devel package [#71732]
- add requires: e2fsprogs-devel to krb5-devel package [#71732]
-------------------------------------------------------------------
Fri Feb 25 17:35:37 CET 2005 - mc@suse.de
- fix double free [#66534]
krb5-1.4-fix-error_tables.dif
krb5-1.4-fix-error_tables.dif
-------------------------------------------------------------------
Fri Feb 11 14:01:32 CET 2005 - mc@suse.de
- change mode for shared libraries to 755
- change mode for shared libraries to 755
-------------------------------------------------------------------
Fri Feb 4 16:48:16 CET 2005 - mc@suse.de
- remove spx.c from tarball because of legal risk
- add README.Source which tell the user about this
- add README.Source which tell the user about this
action.
- add a check for spx.c in the spec-file
- use rich-text for update-messages [#50250]
- use rich-text for update-messages [#50250]
-------------------------------------------------------------------
Tue Feb 1 12:13:45 CET 2005 - mc@suse.de
- add krb5-1.4-reduce-namespace-polution.dif
reduce namespace polution in gssapi.h [#50356]
reduce namespace polution in gssapi.h [#50356]
-------------------------------------------------------------------
Fri Jan 28 13:25:42 CET 2005 - mc@suse.de
@ -1737,13 +1808,13 @@ Fri Jan 28 13:25:42 CET 2005 - mc@suse.de
-------------------------------------------------------------------
Mon Jan 17 11:34:52 CET 2005 - mc@suse.de
- add proofreaded update-messages
- add proofreaded update-messages
-------------------------------------------------------------------
Fri Jan 14 14:38:25 CET 2005 - mc@suse.de
- remove Conflicts: and add Provides:
- add some insserv stuff
- remove Conflicts: and add Provides:
- add some insserv stuff
-------------------------------------------------------------------
Thu Jan 13 11:54:01 CET 2005 - mc@suse.de
@ -1758,13 +1829,13 @@ Thu Jan 13 11:54:01 CET 2005 - mc@suse.de
Mon Jan 10 12:18:02 CET 2005 - mc@suse.de
- update to version 1.3.6
- fix for: heap buffer overflow in libkadm5srv
[CAN-2004-1189 / MITKRB5-SA-2004-004]
- fix for: heap buffer overflow in libkadm5srv
[CAN-2004-1189 / MITKRB5-SA-2004-004]
-------------------------------------------------------------------
Tue Dec 14 15:30:23 CET 2004 - mc@suse.de
- build doc subpackage in an own specfile
- build doc subpackage in an own specfile
- removed unnecessary neededforbuild requirements
-------------------------------------------------------------------
@ -1776,7 +1847,7 @@ Wed Nov 24 13:37:53 CET 2004 - coolo@suse.de
Mon Nov 15 17:25:56 CET 2004 - mc@suse.de
- added Conflicts with heimdal*
- rename some manpages to avoid conflicts
- rename some manpages to avoid conflicts
-------------------------------------------------------------------
Thu Nov 4 18:03:11 CET 2004 - mc@suse.de
@ -1790,11 +1861,10 @@ Thu Nov 4 18:03:11 CET 2004 - mc@suse.de
Wed Nov 3 18:52:07 CET 2004 - mc@suse.de
- add e2fsprogs to NFB
- use system-et and system-ss
- fix includes of com_err.h
- use system-et and system-ss
- fix includes of com_err.h
-------------------------------------------------------------------
Thu Oct 28 17:58:41 CEST 2004 - mc@suse.de
- Initital checkin
- Initital checkin


@ -1,7 +1,7 @@
#
# spec file for package krb5-mini
#
# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -21,26 +21,26 @@
%define _fillupdir /var/adm/fillup-templates
%endif
%define srcRoot krb5-1.16.1
%define srcRoot krb5-%{version}
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
%define krb5docdir %{_defaultdocdir}/krb5
Name: krb5-mini
Url: https://web.mit.edu/kerberos/www/
Version: 1.17
Release: 0
Summary: MIT Kerberos5 implementation and libraries with minimal dependencies
License: MIT
Group: Productivity/Networking/Security
URL: https://web.mit.edu/kerberos/www/
Obsoletes: krb5-plugin-preauth-pkinit-nss
BuildRequires: autoconf
BuildRequires: bison
BuildRequires: keyutils
BuildRequires: keyutils-devel
BuildRequires: libcom_err-devel
BuildRequires: libselinux-devel
BuildRequires: ncurses-devel
Version: 1.16.1
Release: 0
Summary: MIT Kerberos5 implementation and libraries with minimal dependencies
License: MIT
Group: Productivity/Networking/Security
Obsoletes: krb5-plugin-preauth-pkinit-nss
BuildRequires: libverto-devel
BuildRequires: ncurses-devel
# bug437293
%ifarch ppc64
Obsoletes: krb5-64bit
@ -52,21 +52,22 @@ Conflicts: krb5-server
Conflicts: krb5-plugin-kdb-ldap
Conflicts: krb5-plugin-preauth-pkinit
Conflicts: krb5-plugin-preauth-otp
Source0: https://web.mit.edu/kerberos/dist/krb5/1.16/krb5-%{version}.tar.gz
Source1: https://web.mit.edu/kerberos/dist/krb5/1.16/krb5-%{version}.tar.gz.asc
Source0: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}.tar.gz
Source1: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}.tar.gz.asc
Source2: krb5.keyring
Source3: vendor-files.tar.bz2
Source4: baselibs.conf
Source5: krb5-rpmlintrc
Patch1: krb5-1.12-pam.patch
Patch2: krb5-1.9-manpaths.dif
Patch3: krb5-1.12-buildconf.patch
Patch4: krb5-1.6.3-gssapi_improve_errormessages.dif
Patch6: krb5-1.6.3-ktutil-manpage.dif
Patch8: krb5-1.12-api.patch
Patch11: krb5-1.12-ksu-path.patch
Patch12: krb5-1.12-selinux-label.patch
Patch13: krb5-1.9-debuginfo.patch
Source6: krb5.tmpfiles
Patch1: 0001-krb5-1.12-pam.patch
Patch2: 0002-krb5-1.9-manpaths.patch
Patch3: 0003-krb5-1.12-buildconf.patch
Patch4: 0004-krb5-1.6.3-gssapi_improve_errormessages.patch
Patch5: 0005-krb5-1.6.3-ktutil-manpage.patch
Patch6: 0006-krb5-1.12-api.patch
Patch7: 0007-krb5-1.12-ksu-path.patch
Patch8: 0008-krb5-1.12-selinux-label.patch
Patch9: 0009-krb5-1.9-debuginfo.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: %fillup_prereq
@ -104,11 +105,11 @@ Include Files for Development
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch9 -p1
%build
# needs to be re-generated
@ -118,7 +119,7 @@ autoreconf -fi
DEFCCNAME=DIR:/run/user/%%{uid}/krb5cc; export DEFCCNAME
./configure \
CC="%{__cc}" \
CFLAGS="$RPM_OPT_FLAGS -I%{_includedir}/et -fno-strict-aliasing -D_GNU_SOURCE -fPIC $(getconf LFS_CFLAGS)" \
CFLAGS="%{optflags} -I%{_includedir}/et -fno-strict-aliasing -D_GNU_SOURCE -fPIC $(getconf LFS_CFLAGS)" \
CPPFLAGS="-I%{_includedir}/et " \
SS_LIB="-lss" \
--prefix=/usr/lib/mit \
@ -147,25 +148,19 @@ make %{?_smp_mflags}
cp man/kadmin.man man/kadmin.local.8
%install
# Where per-user keytabs live by default.
mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/lib/kerberos/krb5/user
mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/log/krb5
cd src
make DESTDIR=%{buildroot} install
cd ..
mkdir -p %{buildroot}/%{_localstatedir}/log/krb5
%make_install -C src
# Munge krb5-config yet again. This is totally wrong for 64-bit, but chunks
# of the buildconf patch already conspire to strip out /usr/<anything> from the
# list of link flags, and it helps prevent file conflicts on multilib systems.
sed -r -i -e 's|^libdir=/usr/lib(64)?$|libdir=/usr/lib|g' $RPM_BUILD_ROOT/usr/lib/mit/bin/krb5-config
sed -r -i -e 's|^libdir=/usr/lib(64)?$|libdir=/usr/lib|g' %{buildroot}/usr/lib/mit/bin/krb5-config
# install autoconf macro
mkdir -p %{buildroot}/%{_datadir}/aclocal
install -m 644 src/util/ac_check_krb5.m4 %{buildroot}%{_datadir}/aclocal/
# install sample config files
# I'll probably do something about this later on
mkdir -p %{buildroot}%{_sysconfdir} %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc
mkdir -p %{buildroot}%{_sysconfdir}
mkdir -p %{buildroot}%{_sysconfdir}/krb5.conf.d
mkdir -p %{buildroot}/etc/profile.d/
mkdir -p %{buildroot}/var/log/krb5
@ -176,13 +171,22 @@ mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/preauth
mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/libkrb5
mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/tls
install -m 644 %{vendorFiles}/krb5.conf %{buildroot}%{_sysconfdir}
install -m 600 %{vendorFiles}/kdc.conf %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc/
install -m 600 %{vendorFiles}/kadm5.acl %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc/
install -m 600 %{vendorFiles}/kadm5.dict %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc/
install -m 644 %{vendorFiles}/krb5.csh.profile %{buildroot}/etc/profile.d/krb5.csh
install -m 644 %{vendorFiles}/krb5.sh.profile %{buildroot}/etc/profile.d/krb5.sh
install -m 644 %{vendorFiles}/SuSEFirewall.kdc %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/kdc
install -m 644 %{vendorFiles}/SuSEFirewall.kadmind %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/kadmind
# Do not write directly to /var/lib/kerberos anymore as it breaks transactional
# updates. Use systemd-tmpfiles to copy the files there when it doesn't exist
install -d -m 0755 %{buildroot}/usr/lib/tmpfiles.d/
install -m 644 %{SOURCE6} %{buildroot}/usr/lib/tmpfiles.d/krb5.conf
mkdir -p %{buildroot}/%{_datadir}/kerberos/krb5kdc
# Where per-user keytabs live by default.
mkdir -p %{buildroot}/%{_datadir}/kerberos/krb5/user
install -m 600 %{vendorFiles}/kdc.conf %{buildroot}%{_datadir}/kerberos/krb5kdc/
install -m 600 %{vendorFiles}/kadm5.acl %{buildroot}%{_datadir}/kerberos/krb5kdc/
install -m 600 %{vendorFiles}/kadm5.dict %{buildroot}%{_datadir}/kerberos/krb5kdc/
# all libs must have permissions 0755
for lib in `find %{buildroot}/%{_libdir}/ -type f -name "*.so*"`
do
@ -204,9 +208,9 @@ install -m 755 %{vendorFiles}/krb5kdc.init %{buildroot}%{_sysconfdir}/init.d/krb
install -m 755 %{vendorFiles}/kpropd.init %{buildroot}%{_sysconfdir}/init.d/kpropd
%endif
# install sysconfig templates
mkdir -p $RPM_BUILD_ROOT/%{_fillupdir}
install -m 644 %{vendorFiles}/sysconfig.kadmind $RPM_BUILD_ROOT/%{_fillupdir}/
install -m 644 %{vendorFiles}/sysconfig.krb5kdc $RPM_BUILD_ROOT/%{_fillupdir}/
mkdir -p %{buildroot}/%{_fillupdir}
install -m 644 %{vendorFiles}/sysconfig.kadmind %{buildroot}/%{_fillupdir}/
install -m 644 %{vendorFiles}/sysconfig.krb5kdc %{buildroot}/%{_fillupdir}/
# install logrotate files
mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d
install -m 644 %{vendorFiles}/krb5-server.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/krb5-server
@ -239,10 +243,10 @@ install -m 644 %{_builddir}/%{srcRoot}/README %{buildroot}/%{krb5docdir}/README
rm -f %{buildroot}/usr/share/man/man1/tmac.doc*
rm -f /usr/share/man/man1/tmac.doc*
rm -rf %{buildroot}/usr/lib/mit/share/examples
# manually remove otp plugin for krb5-mini since configure
# manually remove otp, spake and test plugin for krb5-mini since configure
# doesn't support disabling it at build time
rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/otp.so
# manually remove test plugin since configure doesn't support disabling it at build time
rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/spake.so
rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so
%find_lang mit-krb5
@ -261,6 +265,7 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so
%post
/sbin/ldconfig
%service_add_post krb5kdc.service kadmind.service kpropd.service
%tmpfiles_create krb5.conf
%{fillup_only -n kadmind}
%{fillup_only -n krb5kdc}
%{fillup_only -n kpropd}
@ -313,10 +318,6 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so
%dir %{_libdir}/krb5/plugins/preauth
%dir %{_libdir}/krb5/plugins/libkrb5
%dir %{_libdir}/krb5/plugins/tls
%dir %{_localstatedir}/lib/kerberos/
%dir %{_localstatedir}/lib/kerberos/krb5kdc
%dir %{_localstatedir}/lib/kerberos/krb5
%dir %{_localstatedir}/lib/kerberos/krb5/user
%attr(0700,root,root) %dir /var/log/krb5
%dir /usr/lib/mit
%dir /usr/lib/mit/sbin
@ -326,9 +327,6 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so
%dir %{_sysconfdir}/krb5.conf.d
%attr(0644,root,root) %config /etc/profile.d/krb5*
%config(noreplace) %{_sysconfdir}/logrotate.d/krb5-server
%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kdc.conf
%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.acl
%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.dict
%config %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/k*
%{_fillupdir}/sysconfig.*
%{_unitdir}/kadmind.service
@ -345,6 +343,21 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so
%{_libdir}/libkrad.so.*
%{_libdir}/krb5/plugins/kdb/*
%{_libdir}/krb5/plugins/tls/*
%{_libexecdir}/tmpfiles.d/krb5.conf
%dir %{_datadir}/kerberos/
%dir %{_datadir}/kerberos/krb5kdc
%dir %{_datadir}/kerberos/krb5
%dir %{_datadir}/kerberos/krb5/user
%attr(0600,root,root) %config(noreplace) %{_datadir}/kerberos/krb5kdc/kdc.conf
%attr(0600,root,root) %config(noreplace) %{_datadir}/kerberos/krb5kdc/kadm5.acl
%attr(0600,root,root) %config(noreplace) %{_datadir}/kerberos/krb5kdc/kadm5.dict
%ghost %dir %{_sharedstatedir}/kerberos/
%ghost %dir %{_sharedstatedir}/kerberos/krb5kdc
%ghost %dir %{_sharedstatedir}/kerberos/krb5
%ghost %dir %{_sharedstatedir}/kerberos/krb5/user
%ghost %attr(0600,root,root) %config(noreplace) %{_sharedstatedir}/kerberos/krb5kdc/kdc.conf
%ghost %attr(0600,root,root) %config(noreplace) %{_sharedstatedir}/kerberos/krb5kdc/kadm5.acl
%ghost %attr(0600,root,root) %config(noreplace) %{_sharedstatedir}/kerberos/krb5kdc/kadm5.dict
/usr/lib/mit/sbin/kadmin.local
/usr/lib/mit/sbin/kadmind
/usr/lib/mit/sbin/kpropd
@ -387,6 +400,7 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so
%{_mandir}/man5/*
%{_mandir}/man5/.k5login.5.gz
%{_mandir}/man5/.k5identity.5*
%{_mandir}/man7/kerberos.7.gz
%{_mandir}/man8/*
%changelog
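Review bot: The tmpfiles.d snippet is installed to a hard-coded path in %install (`install -m 644 %{SOURCE6} %{buildroot}/usr/lib/tmpfiles.d/krb5.conf`) but listed in %files as `%{_libexecdir}/tmpfiles.d/krb5.conf`, so the two agree only while `%{_libexecdir}` expands to `/usr/lib`. Using the systemd macro in both places, `install -D -m 644 %{SOURCE6} %{buildroot}%{_tmpfilesdir}/krb5.conf` and `%{_tmpfilesdir}/krb5.conf`, keeps them in step. Separately, `kdc.conf`, `kadm5.acl` and `kadm5.dict` under `%{_sharedstatedir}/kerberos/krb5kdc` are now `%ghost` entries that rpm does not install, so as far as this section shows their on-disk owner and mode come from krb5.tmpfiles, which is not visible here. That file should be checked to create the krb5kdc directory and the three files as root with mode 0600 for the files, and a `#` comment above the `%ghost` block stating that the modes are enforced by the tmpfiles entry would help the next maintainer.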


@ -1,6 +1,8 @@
addFilter("devel-file-in-non-devel-package .*libgssapi_krb5.so")
addFilter("hidden-file-or-dir .*/usr/share/man/man5/.k5login.5.gz")
addFilter("hidden-file-or-dir .*/usr/share/man/man5/.k5identity.5.gz")
addFilter("files-duplicate .*css")
addFilter("files-duplicate .*img.*png")
addFilter("devel-file-in-non-devel-package .*libkdb_ldap.so")
addFilter("shlib-policy-missing-suffix")
addFilter("non-etc-or-var-file-marked-as-conffile")
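Review bot: `addFilter("non-etc-or-var-file-marked-as-conffile")` carries no path pattern, so it silences that rpmlint check for every file in the package, unlike the path-scoped filters above it. The rendered page does not show which two lines of this hunk are new, but the filter presumably exists for the three templates the spec marks `%config(noreplace)` under `%{_datadir}/kerberos/krb5kdc`. Scoping it, e.g. `addFilter("non-etc-or-var-file-marked-as-conffile .*/kerberos/krb5kdc/.*")`, with a `#` comment naming the reason, would let rpmlint still report any later conffile that lands outside /etc or /var.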


@ -1,3 +1,74 @@
-------------------------------------------------------------------
Wed Feb 13 17:45:34 UTC 2019 - Jan Engelhardt <jengelh@inai.de>
- Replace old $RPM_* shell vars
-------------------------------------------------------------------
Mon Jan 14 16:10:06 UTC 2019 - Samuel Cabrero <scabrero@suse.de>
- Upgrade to 1.17. Major changes:
Administrator experience:
* A new Kerberos database module using the Lightning Memory-Mapped
Database library (LMDB) has been added. The LMDB KDB module should
be more performant and more robust than the DB2 module, and may
become the default module for new databases in a future release.
* "kdb5_util dump" will no longer dump policy entries when specific
principal names are requested.
Developer experience:
* The new krb5_get_etype_info() API can be used to retrieve enctype,
salt, and string-to-key parameters from the KDC for a client
principal.
* The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise
principal names to be used with GSS-API functions.
* KDC and kadmind modules which call com_err() will now write to the
log file in a format more consistent with other log messages.
* Programs which use large numbers of memory credential caches should
perform better.
Protocol evolution:
* The SPAKE pre-authentication mechanism is now supported. This
mechanism protects against password dictionary attacks without
requiring any additional infrastructure such as certificates. SPAKE
is enabled by default on clients, but must be manually enabled on
the KDC for this release.
* PKINIT freshness tokens are now supported. Freshness tokens can
protect against scenarios where an attacker uses temporary access to
a smart card to generate authentication requests for the future.
* Password change operations now prefer TCP over UDP, to avoid
spurious error messages about replays when a response packet is
dropped.
* The KDC now supports cross-realm S4U2Self requests when used with a
third-party KDB module such as Samba's. The client code for
cross-realm S4U2Self requests is also now more robust.
User experience:
* The new ktutil addent -f flag can be used to fetch salt information
from the KDC for password-based keys.
* The new kdestroy -p option can be used to destroy a credential cache
within a collection by client principal name.
* The Kerberos man page has been restored, and documents the
environment variables that affect programs using the Kerberos
library.
Code quality:
* Python test scripts now use Python 3.
* Python test scripts now display markers in verbose output, making it
easier to find where a failure occurred within the scripts.
* The Windows build system has been simplified and updated to work
with more recent versions of Visual Studio. A large volume of
unused Windows-specific code has been removed. Visual Studio 2013
or later is now required.
- Use systemd-tmpfiles to create files under /var/lib/kerberos, required
by transactional updates; (bsc#1100126);
- Rename patches:
* krb5-1.12-pam.patch => 0001-krb5-1.12-pam.patch
* krb5-1.9-manpaths.dif => 0002-krb5-1.9-manpaths.patch
* krb5-1.12-buildconf.patch => 0003-krb5-1.12-buildconf.patch
* krb5-1.6.3-gssapi_improve_errormessages.dif to
0004-krb5-1.6.3-gssapi_improve_errormessages.patch
* krb5-1.6.3-ktutil-manpage.dif => 0005-krb5-1.6.3-ktutil-manpage.patch
* krb5-1.12-api.patch => 0006-krb5-1.12-api.patch
* krb5-1.12-ksu-path.patch => 0007-krb5-1.12-ksu-path.patch
* krb5-1.12-selinux-label.patch => 0008-krb5-1.12-selinux-label.patch
* krb5-1.9-debuginfo.patch => 0009-krb5-1.9-debuginfo.patch
-------------------------------------------------------------------
Tue Oct 9 20:00:21 UTC 2018 - James McDonough <jmcdonough@suse.com>
@ -40,11 +111,11 @@ Fri May 4 09:48:36 UTC 2018 - michael@stroeder.com
Wed Apr 25 21:54:39 UTC 2018 - luizluca@gmail.com
- Added support for /etc/krb5.conf.d/ for configuration snippets
-------------------------------------------------------------------
Thu Nov 23 13:38:38 UTC 2017 - rbrown@suse.com
- Replace references to /var/adm/fillup-templates with new
- Replace references to /var/adm/fillup-templates with new
%_fillupdir macro (boo#1069468)
-------------------------------------------------------------------
@ -210,8 +281,8 @@ Sat Dec 3 13:04:11 UTC 2016 - michael@stroeder.com
-------------------------------------------------------------------
Mon Nov 14 08:36:06 UTC 2016 - christof.hanke@rzg.mpg.de
- add pam configuration file required for ksu
just use a copy of "su" one from Tumbleweed
- add pam configuration file required for ksu
just use a copy of "su" one from Tumbleweed
-------------------------------------------------------------------
Fri Jul 22 08:45:19 UTC 2016 - michael@stroeder.com
@ -224,11 +295,11 @@ Fri Jul 22 08:45:19 UTC 2016 - michael@stroeder.com
nonexistent policies
* Fix a rare KDC denial of service vulnerability when anonymous client
principals are restricted to obtaining TGTs only [CVE-2016-3120]
-------------------------------------------------------------------
Sat Jul 2 11:38:54 UTC 2016 - idonmez@suse.com
- Remove comments breaking post scripts.
- Remove comments breaking post scripts.
-------------------------------------------------------------------
Thu Jun 30 13:34:29 UTC 2016 - fcrozat@suse.com
@ -591,7 +662,7 @@ Thu Sep 25 12:48:32 UTC 2014 - ddiss@suse.com
-------------------------------------------------------------------
Tue Sep 23 13:25:33 UTC 2014 - varkoly@suse.com
- bnc#897874 CVE-2014-5351: krb5: current keys returned when randomizing the keys for a service principal
- bnc#897874 CVE-2014-5351: krb5: current keys returned when randomizing the keys for a service principal
- added patches:
* bnc#897874-CVE-2014-5351.diff
-------------------------------------------------------------------
@ -632,7 +703,7 @@ Fri Aug 8 15:55:01 UTC 2014 - ckornacker@suse.com
- buffer overrun in kadmind with LDAP backend
CVE-2014-4345 (bnc#891082)
krb5-1.12-CVE-2014-4345-buffer-overrun-in-kadmind-with-LDAP-backend.patch
krb5-1.12-CVE-2014-4345-buffer-overrun-in-kadmind-with-LDAP-backend.patch
-------------------------------------------------------------------
Mon Jul 28 09:22:06 UTC 2014 - ckornacker@suse.com
@ -645,7 +716,7 @@ Mon Jul 28 09:22:06 UTC 2014 - ckornacker@suse.com
-------------------------------------------------------------------
Sat Jul 19 12:38:21 UTC 2014 - p.drouand@gmail.com
- Do not depend of insserv if systemd is used
- Do not depend of insserv if systemd is used
-------------------------------------------------------------------
Thu Jul 10 15:59:52 UTC 2014 - ckornacker@suse.com
@ -716,7 +787,7 @@ Mon Jan 13 15:37:16 UTC 2014 - ckornacker@suse.com
* krb5-master-gss_oid_leak.patch
- Fix SPNEGO one-hop interop against old IIS
* krb5-master-ignore-empty-unnecessary-final-token.patch
- Fix GSS krb5 acceptor acquire_cred error handling
- Fix GSS krb5 acceptor acquire_cred error handling
* krb5-master-keytab_close.patch
- Avoid malloc(0) in SPNEGO get_input_token
* krb5-master-no-malloc0.patch
@ -749,7 +820,7 @@ Mon Jun 24 16:21:07 UTC 2013 - mc@suse.com
-------------------------------------------------------------------
Fri Jun 21 02:12:03 UTC 2013 - crrodriguez@opensuse.org
- remove fstack-protector-all from CFLAGS, just use the
- remove fstack-protector-all from CFLAGS, just use the
lighter/fast version already present in %optflags
- Use LFS_CFLAGS to build in 32 bit archs.
@ -788,7 +859,7 @@ Sun Apr 28 17:14:36 CEST 2013 - mc@suse.de
that failed to load.
* gss_import_sec_context incorrectly set internal state that
identifies whether an imported context is from an interposer
mechanism or from the underlying mechanism.
mechanism or from the underlying mechanism.
- upstream fix obsolete krb5-lookup_etypes-leak.patch
-------------------------------------------------------------------
@ -990,7 +1061,7 @@ Tue Aug 23 13:52:03 CEST 2011 - mc@suse.de
-------------------------------------------------------------------
Sun Aug 21 09:37:01 UTC 2011 - mc@novell.com
- add patches from Fedora and upstream
- add patches from Fedora and upstream
- fix init scripts (bnc#689006)
-------------------------------------------------------------------
@ -1028,12 +1099,12 @@ Wed Jan 19 14:42:27 CET 2011 - mc@suse.de
CVE-2010-4022
- Fix KDC denial of service attacks with LDAP back end
(MITKRB5-SA-2011-002, bnc#663619)
CVE-2011-0281, CVE-2011-0282
CVE-2011-0281, CVE-2011-0282
-------------------------------------------------------------------
Wed Dec 1 11:44:15 CET 2010 - mc@suse.de
- Fix multiple checksum handling vulnerabilities
- Fix multiple checksum handling vulnerabilities
(MITKRB5-SA-2010-007, bnc#650650)
CVE-2010-1324
* krb5 GSS-API applications may accept unkeyed checksums
@ -1045,21 +1116,21 @@ Wed Dec 1 11:44:15 CET 2010 - mc@suse.de
CVE-2010-4020
* krb5 may accept authdata checksums with low-entropy derived keys
CVE-2010-4021
* krb5 KDC may issue unrequested tickets due to KrbFastReq forgery
* krb5 KDC may issue unrequested tickets due to KrbFastReq forgery
-------------------------------------------------------------------
Thu Oct 28 12:53:13 CEST 2010 - mc@suse.de
- fix csh profile (bnc#649856)
- fix csh profile (bnc#649856)
-------------------------------------------------------------------
Fri Oct 22 11:15:43 CEST 2010 - mc@suse.de
- update to krb5-1.8.3
* remove patches which are now upstrem
- krb5-1.7-MITKRB5-SA-2010-004.dif
- krb5-1.8.1-gssapi-error-table.dif
- krb5-MITKRB5-SA-2010-005.dif
- krb5-1.7-MITKRB5-SA-2010-004.dif
- krb5-1.8.1-gssapi-error-table.dif
- krb5-MITKRB5-SA-2010-005.dif
-------------------------------------------------------------------
Fri Oct 22 10:49:11 CEST 2010 - mc@suse.de
@ -1071,7 +1142,7 @@ Fri Oct 22 10:49:11 CEST 2010 - mc@suse.de
Mon Sep 27 11:42:43 CEST 2010 - mc@suse.de
- fix a dereference of an uninitialized pointer while processing
authorization data.
authorization data.
CVE-2010-1322, MITKRB5-SA-2010-006 (bnc#640990)
-------------------------------------------------------------------
@ -1084,12 +1155,12 @@ Mon Jun 21 21:31:53 UTC 2010 - lchiquitto@novell.com
Wed May 19 14:27:19 CEST 2010 - mc@suse.de
- fix GSS-API library null pointer dereference
CVE-2010-1321, MITKRB5-SA-2010-005 (bnc#596826)
CVE-2010-1321, MITKRB5-SA-2010-005 (bnc#596826)
-------------------------------------------------------------------
Wed Apr 14 11:36:32 CEST 2010 - mc@suse.de
- fix a double free vulnerability in the KDC
- fix a double free vulnerability in the KDC
CVE-2010-1320, MITKRB5-SA-2010-004 (bnc#596002)
-------------------------------------------------------------------
@ -1097,12 +1168,12 @@ Fri Apr 9 12:43:44 CEST 2010 - mc@suse.de
- update to version 1.8.1
* include krb5-1.8-POST.dif
* include MITKRB5-SA-2010-002
* include MITKRB5-SA-2010-002
-------------------------------------------------------------------
Tue Apr 6 14:14:56 CEST 2010 - mc@suse.de
- update krb5-1.8-POST.dif
- update krb5-1.8-POST.dif
-------------------------------------------------------------------
Tue Mar 23 14:32:41 CET 2010 - mc@suse.de
@ -1110,17 +1181,17 @@ Tue Mar 23 14:32:41 CET 2010 - mc@suse.de
- fix a bug where an unauthenticated remote attacker could cause
a GSS-API application including the Kerberos administration
daemon (kadmind) to crash.
CVE-2010-0628, MITKRB5-SA-2010-002 (bnc#582557)
CVE-2010-0628, MITKRB5-SA-2010-002 (bnc#582557)
-------------------------------------------------------------------
Tue Mar 23 12:33:26 CET 2010 - mc@suse.de
- add post 1.8 fixes
* Add IPv6 support to changepw.c
* fix two problems in kadm5_get_principal mask handling
* fix two problems in kadm5_get_principal mask handling
* Ignore improperly encoded signedpath AD elements
* handle NT_SRV_INST in service principal referrals
* dereference options while checking
* dereference options while checking
KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT
* Fix the kpasswd fallback from the ccache principal name
* Document the ticket_lifetime libdefaults setting
@ -1130,16 +1201,16 @@ Tue Mar 23 12:33:26 CET 2010 - mc@suse.de
Thu Mar 4 10:42:29 CET 2010 - mc@suse.de
- update to version 1.8
* Increase code quality
* Increase code quality
* Move toward improved KDB interface
* Investigate and remedy repeatedly-reported performance
* Investigate and remedy repeatedly-reported performance
bottlenecks.
* Reduce DNS dependence by implementing an interface that allows
client library to track whether a KDC supports service
client library to track whether a KDC supports service
principal referrals.
* Disable DES by default
* Disable DES by default
* Account lockout for repeated login failures
* Bridge layer to allow Heimdal HDB modules to act as KDB
* Bridge layer to allow Heimdal HDB modules to act as KDB
backend modules
* FAST enhancements
* Microsoft Services for User (S4U) compatibility
@ -1151,7 +1222,7 @@ Thu Mar 4 10:42:29 CET 2010 - mc@suse.de
- fix integer underflow in AES and RC4 decryption
CVE-2009-4212, MITKRB5-SA-2009-004 (bnc#561351)
- moved krb5 applications (telnet, ftp, rlogin, ...) to krb5-appl
-------------------------------------------------------------------
Mon Dec 14 16:32:01 CET 2009 - jengelh@medozas.de
@ -1171,12 +1242,12 @@ Sun Jul 12 21:36:17 CEST 2009 - coolo@novell.com
-------------------------------------------------------------------
Wed Jun 3 10:23:42 CEST 2009 - mc@suse.de
- update to final 1.7 release
- update to final 1.7 release
-------------------------------------------------------------------
Wed May 13 11:30:42 CEST 2009 - mc@suse.de
- update to version 1.7 Beta2
- update to version 1.7 Beta2
* Incremental propagation support for the KDC database.
* Flexible Authentication Secure Tunneling (FAST), a preauthentiation
framework that can protect the AS exchange from dictionary attack.
@ -1189,7 +1260,7 @@ Wed May 13 11:30:42 CEST 2009 - mc@suse.de
-------------------------------------------------------------------
Mon Feb 16 13:04:26 CET 2009 - mc@suse.de
- update to pre 1.7 version
- update to pre 1.7 version
* Remove support for version 4 of the Kerberos protocol (krb4).
* New libdefaults configuration variable "allow_weak_crypto".
* Client library now follows client principal referrals, for
@ -1218,7 +1289,7 @@ Wed Jan 14 09:21:36 CET 2009 - olh@suse.de
Thu Dec 11 14:12:57 CET 2008 - mc@suse.de
- do not query IPv6 addresses if no IPv6 address exists on this host
[bnc#449143]
[bnc#449143]
-------------------------------------------------------------------
Wed Dec 10 12:34:56 CET 2008 - olh@suse.de
@ -1235,7 +1306,7 @@ Thu Oct 30 12:34:56 CET 2008 - olh@suse.de
Fri Sep 26 18:13:19 CEST 2008 - mc@suse.de
- in case we use ldap as database backend, ldap should be
started before krb5kdc
started before krb5kdc
-------------------------------------------------------------------
Mon Jul 28 10:43:29 CEST 2008 - mc@suse.de
@ -1243,8 +1314,8 @@ Mon Jul 28 10:43:29 CEST 2008 - mc@suse.de
- add new fixes to post 1.6.3 patch
* fix mem leak in krb5_gss_accept_sec_context()
* keep minor_status
* kadm5_decrypt_key: A ktype of -1 is documented as meaning
"to be ignored"
* kadm5_decrypt_key: A ktype of -1 is documented as meaning
"to be ignored"
* Reject socket fds > FD_SETSIZE
-------------------------------------------------------------------
@ -1261,14 +1332,14 @@ Wed Jun 18 15:30:18 CEST 2008 - mc@suse.de
- add case-insensitive.dif (FATE#300771)
- minor fixes for ktutil man page
- reduce rpmlint warnings
- reduce rpmlint warnings
-------------------------------------------------------------------
Wed May 14 17:44:59 CEST 2008 - mc@suse.de
- Fall back to TCP on kdc-unresolvable/unreachable errors.
- restore valid sequence number before generating requests
(fix changing passwords in mixed ipv4/ipv6 enviroments)
(fix changing passwords in mixed ipv4/ipv6 enviroments)
-------------------------------------------------------------------
Thu Apr 10 12:54:45 CEST 2008 - ro@suse.de
@ -1279,7 +1350,7 @@ Thu Apr 10 12:54:45 CEST 2008 - ro@suse.de
-------------------------------------------------------------------
Wed Apr 9 12:04:48 CEST 2008 - mc@suse.de
- modify krb5-config to not output rpath and cflags in --libs
- modify krb5-config to not output rpath and cflags in --libs
(bnc#378270)
-------------------------------------------------------------------
@ -1291,7 +1362,7 @@ Fri Mar 14 11:27:55 CET 2008 - mc@suse.de
* MITKRB5-SA-2008-002(CVE-2008-0947, CVE-2008-0948)
Memory corruption while too many open file descriptors
[bnc#363151]
- change default config file. Comment out the examples.
- change default config file. Comment out the examples.
-------------------------------------------------------------------
Fri Dec 14 10:48:52 CET 2007 - mc@suse.de
@ -1306,12 +1377,12 @@ Fri Dec 14 10:48:52 CET 2007 - mc@suse.de
-------------------------------------------------------------------
Tue Dec 4 16:36:07 CET 2007 - mc@suse.de
- improve GSSAPI error messages
- improve GSSAPI error messages
-------------------------------------------------------------------
Tue Nov 6 13:53:17 CET 2007 - mc@suse.de
- add coreutils to PreReq
- add coreutils to PreReq
-------------------------------------------------------------------
Tue Oct 23 10:24:25 CEST 2007 - mc@suse.de
@ -1327,8 +1398,8 @@ Tue Oct 23 10:24:25 CEST 2007 - mc@suse.de
Fri Sep 14 12:08:55 CEST 2007 - mc@suse.de
- update krb5-1.6.2-post.dif
* If a KDC returns KDC_ERR_SVC_UNAVAILABLE, it appears that
that the client library will not failover to the next KDC.
* If a KDC returns KDC_ERR_SVC_UNAVAILABLE, it appears that
that the client library will not failover to the next KDC.
[#310540]
-------------------------------------------------------------------
@ -1338,7 +1409,7 @@ Tue Sep 11 15:09:14 CEST 2007 - mc@suse.de
* new -S sname option for kvno
* read_entropy_from_device on partial read will not fill buffer
* Bail out if encoded "ticket" doesn't decode correctly.
* patch for referrals loop
* patch for referrals loop
-------------------------------------------------------------------
Thu Sep 6 10:43:39 CEST 2007 - mc@suse.de
@ -1359,10 +1430,10 @@ Tue Aug 7 11:56:41 CEST 2007 - mc@suse.de
- add krb5-1.6.2-post.dif
* during the referrals loop, check to see if the
session key enctype of a returned credential for the final
service is among the enctypes explicitly selected by the
application, and retry with old_use_conf_ktypes if it is not.
* If mkstemp() is available, the new ccache file gets created but
session key enctype of a returned credential for the final
service is among the enctypes explicitly selected by the
application, and retry with old_use_conf_ktypes if it is not.
* If mkstemp() is available, the new ccache file gets created but
the subsequent open(O_CREAT|O_EXCL) call fails because the file
was already created by mkstemp(). Apply patch from Apple to keep
the file descriptor open.
@ -1371,7 +1442,7 @@ Tue Aug 7 11:56:41 CEST 2007 - mc@suse.de
Thu Jul 12 17:01:28 CEST 2007 - mc@suse.de
- update to version 1.6.2
- remove krb5-1.6.1-post.dif all fixes are included in this release
- remove krb5-1.6.1-post.dif all fixes are included in this release
-------------------------------------------------------------------
Thu Jul 5 18:10:28 CEST 2007 - mc@suse.de
@ -1383,7 +1454,7 @@ Mon Jul 2 11:26:47 CEST 2007 - mc@suse.de
- update krb5-1.6.1-post.dif
* fix leak in krb5_walk_realm_tree
* rd_req_decoded needs to deal with referral realms
* rd_req_decoded needs to deal with referral realms
* fix buffer overflow in kadmind
(MITKRB5-SA-2007-005 - CVE-2007-2798)
[#278689]
@ -1394,14 +1465,14 @@ Mon Jul 2 11:26:47 CEST 2007 - mc@suse.de
-------------------------------------------------------------------
Thu Jun 14 17:44:12 CEST 2007 - mc@suse.de
- fix unstripped-binary-or-object rpmlint warning
- fix unstripped-binary-or-object rpmlint warning
-------------------------------------------------------------------
Mon Jun 11 18:04:23 CEST 2007 - sschober@suse.de
- fixing rpmlint warnings and errors:
* merged logrotate scripts kadmin and krb5kdc into a single file
krb5-server.
krb5-server.
* moved heimdal2mit-DumpConvert.pl and simple_convert_krb5conf.pl
from /usr/share/doc/packages/krb5 to /usr/lib/mit/helper.
adapted krb5.spec and README.ConvertHeimdalMIT accordingly.
@ -1414,32 +1485,32 @@ Mon Jun 11 18:04:23 CEST 2007 - sschober@suse.de
-------------------------------------------------------------------
Wed May 9 15:30:53 CEST 2007 - mc@suse.de
- fix uninitialized salt length
- fix uninitialized salt length
- add extra check for keytab file
-------------------------------------------------------------------
Thu May 3 12:11:29 CEST 2007 - mc@suse.de
- adding krb5-1.6.1-post.dif
* fix segfault in krb5_get_init_creds_password
* fix segfault in krb5_get_init_creds_password
* remove debug output in ftp client
* profile stores empty string values without double quotes
-------------------------------------------------------------------
Mon Apr 23 11:15:10 CEST 2007 - mc@suse.de
- update to final 1.6.1 version
- update to final 1.6.1 version
-------------------------------------------------------------------
Wed Apr 18 14:48:03 CEST 2007 - mc@suse.de
- add plugin directories to main package
- add plugin directories to main package
-------------------------------------------------------------------
Mon Apr 16 14:38:08 CEST 2007 - mc@suse.de
- update to version 1.6.1 Beta1
- remove obsolete patches
- remove obsolete patches
(krb5-1.6-post.dif, krb5-1.6-patchlevel.dif)
- rework compile_pie patch
@ -1466,8 +1537,8 @@ Thu Mar 29 12:41:57 CEST 2007 - mc@suse.de
-------------------------------------------------------------------
Mon Mar 5 11:01:20 CET 2007 - mc@suse.de
- move SuSEFirewall service definitions to
/etc/sysconfig/SuSEfirewall2.d/services
- move SuSEFirewall service definitions to
/etc/sysconfig/SuSEfirewall2.d/services
-------------------------------------------------------------------
Thu Feb 22 11:13:48 CET 2007 - mc@suse.de
@ -1478,12 +1549,12 @@ Thu Feb 22 11:13:48 CET 2007 - mc@suse.de
Mon Feb 19 13:59:43 CET 2007 - mc@suse.de
- update krb5-1.6-post.dif
- move some applications into the right package
- move some applications into the right package
-------------------------------------------------------------------
Fri Feb 9 13:31:22 CET 2007 - mc@suse.de
- update krb5-1.6-post.dif
- update krb5-1.6-post.dif
-------------------------------------------------------------------
Mon Jan 29 11:27:23 CET 2007 - mc@suse.de
@ -1501,16 +1572,16 @@ Tue Jan 23 17:21:12 CET 2007 - mc@suse.de
-------------------------------------------------------------------
Mon Jan 22 16:39:27 CET 2007 - mc@suse.de
- krb5-devel should require keyutils-devel
- krb5-devel should require keyutils-devel
-------------------------------------------------------------------
Mon Jan 22 12:19:49 CET 2007 - mc@suse.de
- update to version 1.6
* Major changes in 1.6 include
* Partial client implementation to handle server name referrals.
* Pre-authentication plug-in framework, donated by Red Hat.
* LDAP KDB plug-in, donated by Novell.
* Major changes in 1.6 include
* Partial client implementation to handle server name referrals.
* Pre-authentication plug-in framework, donated by Red Hat.
* LDAP KDB plug-in, donated by Novell.
- remove obsolete patches
-------------------------------------------------------------------
@ -1528,14 +1599,14 @@ Wed Jan 10 11:16:30 CET 2007 - mc@suse.de
-------------------------------------------------------------------
Tue Jan 2 14:53:33 CET 2007 - mc@suse.de
- Fix Requires in krb5-devel
- Fix Requires in krb5-devel
[Bug #231008]
-------------------------------------------------------------------
Mon Nov 6 11:49:39 CET 2006 - mc@suse.de
- fix "local variable used before set" [#217692]
- fix strncat warning
- fix strncat warning
-------------------------------------------------------------------
Fri Oct 27 17:34:30 CEST 2006 - mc@suse.de
@ -1546,7 +1617,7 @@ Fri Oct 27 17:34:30 CEST 2006 - mc@suse.de
-------------------------------------------------------------------
Wed Sep 13 10:39:41 CEST 2006 - mc@suse.de
- fix function call with too few arguments [#203837]
- fix function call with too few arguments [#203837]
-------------------------------------------------------------------
Thu Aug 24 12:52:25 CEST 2006 - mc@suse.de
@ -1554,7 +1625,7 @@ Thu Aug 24 12:52:25 CEST 2006 - mc@suse.de
- update to version 1.5.1
- remove obsolete patches which are now included upstream
* krb5-1.4.3-MITKRB5-SA-2006-001-setuid-return-checks.dif
* trunk-fix-uninitialized-vars.dif
* trunk-fix-uninitialized-vars.dif
-------------------------------------------------------------------
Fri Aug 11 14:29:27 CEST 2006 - mc@suse.de
@ -1566,7 +1637,7 @@ Fri Aug 11 14:29:27 CEST 2006 - mc@suse.de
-------------------------------------------------------------------
Mon Aug 7 15:54:26 CEST 2006 - mc@suse.de
- remove update-messages
- remove update-messages
-------------------------------------------------------------------
Mon Jul 24 15:45:14 CEST 2006 - mc@suse.de
@ -1578,13 +1649,13 @@ Mon Jul 24 15:45:14 CEST 2006 - mc@suse.de
Mon Jul 3 14:59:35 CEST 2006 - mc@suse.de
- update to version 1.5
* KDB abstraction layer, donated by Novell.
* plug-in architecture, allowing for extension modules to be
loaded at run-time.
* multi-mechanism GSS-API implementation ("mechglue"),
donated by Sun Microsystems
* Simple and Protected GSS-API negotiation mechanism ("SPNEGO")
implementation, donated by Sun Microsystems
* KDB abstraction layer, donated by Novell.
* plug-in architecture, allowing for extension modules to be
loaded at run-time.
* multi-mechanism GSS-API implementation ("mechglue"),
donated by Sun Microsystems
* Simple and Protected GSS-API negotiation mechanism ("SPNEGO")
implementation, donated by Sun Microsystems
- remove obsolete patches and add some new
-------------------------------------------------------------------
@ -1598,17 +1669,17 @@ Mon Mar 27 14:10:02 CEST 2006 - mc@suse.de
- add all daemons to %stop_on_removal and %restart_on_update
- add reload to kpropd init script
- add force-reload to all init scripts
- add force-reload to all init scripts
-------------------------------------------------------------------
Mon Mar 13 18:20:36 CET 2006 - mc@suse.de
- add libgssapi_krb5.so link to main package [#147912]
- add libgssapi_krb5.so link to main package [#147912]
-------------------------------------------------------------------
Fri Feb 3 18:17:01 CET 2006 - mc@suse.de
- fix logging section for kadmind in convert script
- fix logging section for kadmind in convert script
-------------------------------------------------------------------
Wed Jan 25 21:30:24 CET 2006 - mls@suse.de
@ -1618,12 +1689,12 @@ Wed Jan 25 21:30:24 CET 2006 - mls@suse.de
-------------------------------------------------------------------
Fri Jan 13 14:44:24 CET 2006 - mc@suse.de
- change the logging defaults
- change the logging defaults
-------------------------------------------------------------------
Wed Jan 11 12:59:08 CET 2006 - mc@suse.de
- add tools and README for heimdal => MIT update
- add tools and README for heimdal => MIT update
-------------------------------------------------------------------
Mon Jan 9 14:41:07 CET 2006 - mc@suse.de
@ -1634,7 +1705,7 @@ Mon Jan 9 14:41:07 CET 2006 - mc@suse.de
-------------------------------------------------------------------
Tue Jan 3 16:00:13 CET 2006 - mc@suse.de
- added "make %{?jobs:-j%jobs}"
- added "make %{?jobs:-j%jobs}"
-------------------------------------------------------------------
Fri Nov 18 12:12:01 CET 2005 - mc@suse.de
@ -1643,33 +1714,33 @@ Fri Nov 18 12:12:01 CET 2005 - mc@suse.de
* some memmory leaks fixed
* fix for "AS_REP padata has wrong enctype"
* fix for "AS_REP padata missing PA-ETYPE-INFO"
* ... and more
* ... and more
-------------------------------------------------------------------
Wed Nov 2 21:23:32 CET 2005 - dmueller@suse.de
- don't build as root
- don't build as root
-------------------------------------------------------------------
Tue Oct 11 17:39:23 CEST 2005 - mc@suse.de
- update to version 1.4.2
- remove some obsolet patches
- remove some obsolet patches
-------------------------------------------------------------------
Mon Aug 8 16:07:51 CEST 2005 - mc@suse.de
- build with --disable-static
- build with --disable-static
-------------------------------------------------------------------
Thu Aug 4 16:47:43 CEST 2005 - ro@suse.de
- remove devel-static subpackage
- remove devel-static subpackage
-------------------------------------------------------------------
Thu Jun 30 10:12:30 CEST 2005 - mc@suse.de
- better patch for princ_comp problem
- better patch for princ_comp problem
-------------------------------------------------------------------
Mon Jun 27 13:34:50 CEST 2005 - mc@suse.de
@ -1688,18 +1759,18 @@ Thu Jun 23 10:12:54 CEST 2005 - mc@suse.de
- fixed krb5 double free()
[#86768, CAN-2005-1689, MITKRB5-SA-2005-003]
- fix krb5 NULL pointer reference while comparing principals
[#91600]
[#91600]
-------------------------------------------------------------------
Fri Jun 17 17:18:19 CEST 2005 - mc@suse.de
- fix uninitialized variables
- fix uninitialized variables
- compile with -fPIE/ link with -pie
-------------------------------------------------------------------
Wed Apr 20 15:36:16 CEST 2005 - mc@suse.de
- fixed wrong xinetd files [#77149]
- fixed wrong xinetd files [#77149]
-------------------------------------------------------------------
Fri Apr 8 04:55:55 CEST 2005 - mt@suse.de
@ -1710,26 +1781,26 @@ Fri Apr 8 04:55:55 CEST 2005 - mt@suse.de
-------------------------------------------------------------------
Thu Apr 7 13:49:37 CEST 2005 - mc@suse.de
- fixed missing descriptions in init files
[#76164, #76165, #76166, #76169]
- fixed missing descriptions in init files
[#76164, #76165, #76166, #76169]
-------------------------------------------------------------------
Wed Mar 30 18:11:38 CEST 2005 - mc@suse.de
- enhance $PATH via /etc/profile.d/ [#74018]
- remove the "links to important programs"
- remove the "links to important programs"
-------------------------------------------------------------------
Fri Mar 18 11:09:43 CET 2005 - mc@suse.de
- fixed not running converter script [#72854]
- fixed not running converter script [#72854]
-------------------------------------------------------------------
Thu Mar 17 14:15:17 CET 2005 - mc@suse.de
- Fix CAN-2005-0469: Multiple Telnet Client slc_add_reply() Buffer
- Fix CAN-2005-0469: Multiple Telnet Client slc_add_reply() Buffer
Overflow
- Fix CAN-2005-0468: Multiple Telnet Client env_opt_add() Buffer
- Fix CAN-2005-0468: Multiple Telnet Client env_opt_add() Buffer
Overflow
[#73618]
@ -1747,38 +1818,38 @@ Tue Mar 15 19:54:58 CET 2005 - mc@suse.de
Mon Mar 14 17:08:59 CET 2005 - mc@suse.de
- fixed: rckrb5kdc restart gives wrong status with non-running service
[#72446]
[#72446]
-------------------------------------------------------------------
Thu Mar 10 10:48:07 CET 2005 - mc@suse.de
- add requires: e2fsprogs-devel to krb5-devel package [#71732]
- add requires: e2fsprogs-devel to krb5-devel package [#71732]
-------------------------------------------------------------------
Fri Feb 25 17:35:37 CET 2005 - mc@suse.de
- fix double free [#66534]
krb5-1.4-fix-error_tables.dif
krb5-1.4-fix-error_tables.dif
-------------------------------------------------------------------
Fri Feb 11 14:01:32 CET 2005 - mc@suse.de
- change mode for shared libraries to 755
- change mode for shared libraries to 755
-------------------------------------------------------------------
Fri Feb 4 16:48:16 CET 2005 - mc@suse.de
- remove spx.c from tarball because of legal risk
- add README.Source which tell the user about this
- add README.Source which tell the user about this
action.
- add a check for spx.c in the spec-file
- use rich-text for update-messages [#50250]
- use rich-text for update-messages [#50250]
-------------------------------------------------------------------
Tue Feb 1 12:13:45 CET 2005 - mc@suse.de
- add krb5-1.4-reduce-namespace-polution.dif
reduce namespace polution in gssapi.h [#50356]
reduce namespace polution in gssapi.h [#50356]
-------------------------------------------------------------------
Fri Jan 28 13:25:42 CET 2005 - mc@suse.de
@ -1800,13 +1871,13 @@ Fri Jan 28 13:25:42 CET 2005 - mc@suse.de
-------------------------------------------------------------------
Mon Jan 17 11:34:52 CET 2005 - mc@suse.de
- add proofreaded update-messages
- add proofreaded update-messages
-------------------------------------------------------------------
Fri Jan 14 14:38:25 CET 2005 - mc@suse.de
- remove Conflicts: and add Provides:
- add some insserv stuff
- remove Conflicts: and add Provides:
- add some insserv stuff
-------------------------------------------------------------------
Thu Jan 13 11:54:01 CET 2005 - mc@suse.de
@ -1821,13 +1892,13 @@ Thu Jan 13 11:54:01 CET 2005 - mc@suse.de
Mon Jan 10 12:18:02 CET 2005 - mc@suse.de
- update to version 1.3.6
- fix for: heap buffer overflow in libkadm5srv
[CAN-2004-1189 / MITKRB5-SA-2004-004]
- fix for: heap buffer overflow in libkadm5srv
[CAN-2004-1189 / MITKRB5-SA-2004-004]
-------------------------------------------------------------------
Tue Dec 14 15:30:23 CET 2004 - mc@suse.de
- build doc subpackage in an own specfile
- build doc subpackage in an own specfile
- removed unnecessary neededforbuild requirements
-------------------------------------------------------------------
@ -1839,7 +1910,7 @@ Wed Nov 24 13:37:53 CET 2004 - coolo@suse.de
Mon Nov 15 17:25:56 CET 2004 - mc@suse.de
- added Conflicts with heimdal*
- rename some manpages to avoid conflicts
- rename some manpages to avoid conflicts
-------------------------------------------------------------------
Thu Nov 4 18:03:11 CET 2004 - mc@suse.de
@ -1853,11 +1924,10 @@ Thu Nov 4 18:03:11 CET 2004 - mc@suse.de
Wed Nov 3 18:52:07 CET 2004 - mc@suse.de
- add e2fsprogs to NFB
- use system-et and system-ss
- fix includes of com_err.h
- use system-et and system-ss
- fix includes of com_err.h
-------------------------------------------------------------------
Thu Oct 28 17:58:41 CEST 2004 - mc@suse.de
- Initital checkin
- Initital checkin

130
krb5.spec

@ -1,7 +1,7 @@
#
# spec file for package krb5
#
# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -22,22 +22,22 @@
%endif
Name: krb5
Url: https://web.mit.edu/kerberos/www/
Version: 1.17
Release: 0
Summary: MIT Kerberos5 implementation
License: MIT
Group: Productivity/Networking/Security
URL: https://web.mit.edu/kerberos/www/
Obsoletes: krb5-plugin-preauth-pkinit-nss
BuildRequires: autoconf
BuildRequires: bison
BuildRequires: keyutils
BuildRequires: keyutils-devel
BuildRequires: libcom_err-devel
BuildRequires: libselinux-devel
BuildRequires: ncurses-devel
Version: 1.16.1
Release: 0
Summary: MIT Kerberos5 implementation
License: MIT
Group: Productivity/Networking/Security
Obsoletes: krb5-plugin-preauth-pkinit-nss
BuildRequires: libopenssl-devel
BuildRequires: libselinux-devel
BuildRequires: libverto-devel
BuildRequires: ncurses-devel
BuildRequires: openldap2-devel
BuildRequires: pam-devel
BuildRequires: pkgconfig(systemd)
@ -46,22 +46,23 @@ BuildRequires: pkgconfig(systemd)
Obsoletes: krb5-64bit
%endif
Conflicts: krb5-mini
Source0: https://web.mit.edu/kerberos/dist/krb5/1.16/krb5-%{version}.tar.gz
Source1: https://web.mit.edu/kerberos/dist/krb5/1.16/krb5-%{version}.tar.gz.asc
Source0: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}.tar.gz
Source1: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}.tar.gz.asc
Source2: krb5.keyring
Source3: vendor-files.tar.bz2
Source4: baselibs.conf
Source5: krb5-rpmlintrc
Source6: ksu-pam.d
Patch1: krb5-1.12-pam.patch
Patch2: krb5-1.9-manpaths.dif
Patch3: krb5-1.12-buildconf.patch
Patch4: krb5-1.6.3-gssapi_improve_errormessages.dif
Patch6: krb5-1.6.3-ktutil-manpage.dif
Patch8: krb5-1.12-api.patch
Patch11: krb5-1.12-ksu-path.patch
Patch12: krb5-1.12-selinux-label.patch
Patch13: krb5-1.9-debuginfo.patch
Source7: krb5.tmpfiles
Patch1: 0001-krb5-1.12-pam.patch
Patch2: 0002-krb5-1.9-manpaths.patch
Patch3: 0003-krb5-1.12-buildconf.patch
Patch4: 0004-krb5-1.6.3-gssapi_improve_errormessages.patch
Patch5: 0005-krb5-1.6.3-ktutil-manpage.patch
Patch6: 0006-krb5-1.12-api.patch
Patch7: 0007-krb5-1.12-ksu-path.patch
Patch8: 0008-krb5-1.12-selinux-label.patch
Patch9: 0009-krb5-1.9-debuginfo.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
@ -129,6 +130,15 @@ Kerberos V5 is a trusted-third-party network authentication system,
which can improve network security by eliminating the insecure
practice of cleartext passwords. This package includes a OTP plugin.
%package plugin-preauth-spake
Summary: SPAKE preauthentication plugin for MIT Kerberos5
Group: Productivity/Networking/Security
%description plugin-preauth-spake
Kerberos V5 is a trusted-third-party network authentication system,
which can improve network security by eliminating the insecure
practice of cleartext passwords. This package includes a SPAKE plugin.
%package doc
Summary: Documentation for the MIT Kerberos5 implementation
Group: Documentation/Other
@ -169,11 +179,11 @@ Include Files for Development
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch9 -p1
%build
# needs to be re-generated
@ -183,7 +193,7 @@ autoreconf -fi
DEFCCNAME=DIR:/run/user/%%{uid}/krb5cc; export DEFCCNAME
./configure \
CC="%{__cc}" \
CFLAGS="$RPM_OPT_FLAGS -I%{_includedir}/et -fno-strict-aliasing -D_GNU_SOURCE -fPIC $(getconf LFS_CFLAGS)" \
CFLAGS="%{optflags} -I%{_includedir}/et -fno-strict-aliasing -D_GNU_SOURCE -fPIC $(getconf LFS_CFLAGS)" \
CPPFLAGS="-I%{_includedir}/et " \
SS_LIB="-lss" \
--prefix=/usr/lib/mit \
@ -202,7 +212,7 @@ DEFCCNAME=DIR:/run/user/%%{uid}/krb5cc; export DEFCCNAME
--with-ldap \
--with-pam \
--enable-pkinit \
--with-pkinit-crypto-impl=openssl \
--with-crypto-impl=openssl \
--with-selinux \
--with-system-et \
--with-system-ss \
@ -214,25 +224,19 @@ make %{?_smp_mflags}
cp man/kadmin.man man/kadmin.local.8
%install
# Where per-user keytabs live by default.
mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/lib/kerberos/krb5/user
mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/log/krb5
cd src
make DESTDIR=%{buildroot} install
cd ..
mkdir -p %{buildroot}/%{_localstatedir}/log/krb5
%make_install -C src
# Munge krb5-config yet again. This is totally wrong for 64-bit, but chunks
# of the buildconf patch already conspire to strip out /usr/<anything> from the
# list of link flags, and it helps prevent file conflicts on multilib systems.
sed -r -i -e 's|^libdir=/usr/lib(64)?$|libdir=/usr/lib|g' $RPM_BUILD_ROOT/usr/lib/mit/bin/krb5-config
sed -r -i -e 's|^libdir=/usr/lib(64)?$|libdir=/usr/lib|g' %{buildroot}/usr/lib/mit/bin/krb5-config
# install autoconf macro
mkdir -p %{buildroot}/%{_datadir}/aclocal
install -m 644 src/util/ac_check_krb5.m4 %{buildroot}%{_datadir}/aclocal/
# install sample config files
# I'll probably do something about this later on
mkdir -p %{buildroot}%{_sysconfdir} %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc
mkdir -p %{buildroot}%{_sysconfdir}
mkdir -p %{buildroot}%{_sysconfdir}/krb5.conf.d
mkdir -p %{buildroot}/etc/profile.d/
mkdir -p %{buildroot}/var/log/krb5
@ -243,13 +247,22 @@ mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/preauth
mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/libkrb5
mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/tls
install -m 644 %{vendorFiles}/krb5.conf %{buildroot}%{_sysconfdir}
install -m 600 %{vendorFiles}/kdc.conf %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc/
install -m 600 %{vendorFiles}/kadm5.acl %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc/
install -m 600 %{vendorFiles}/kadm5.dict %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc/
install -m 644 %{vendorFiles}/krb5.csh.profile %{buildroot}/etc/profile.d/krb5.csh
install -m 644 %{vendorFiles}/krb5.sh.profile %{buildroot}/etc/profile.d/krb5.sh
install -m 644 %{vendorFiles}/SuSEFirewall.kdc %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/kdc
install -m 644 %{vendorFiles}/SuSEFirewall.kadmind %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/kadmind
# Do not write directly to /var/lib/kerberos anymore as it breaks transactional
# updates. Use systemd-tmpfiles to copy the files there when it doesn't exist
install -d -m 0755 %{buildroot}/usr/lib/tmpfiles.d/
install -m 644 %{SOURCE7} %{buildroot}/usr/lib/tmpfiles.d/krb5.conf
mkdir -p %{buildroot}/%{_datadir}/kerberos/krb5kdc
# Where per-user keytabs live by default.
mkdir -p %{buildroot}/%{_datadir}/kerberos/krb5/user
install -m 600 %{vendorFiles}/kdc.conf %{buildroot}%{_datadir}/kerberos/krb5kdc/
install -m 600 %{vendorFiles}/kadm5.acl %{buildroot}%{_datadir}/kerberos/krb5kdc/
install -m 600 %{vendorFiles}/kadm5.dict %{buildroot}%{_datadir}/kerberos/krb5kdc/
# all libs must have permissions 0755
for lib in `find %{buildroot}/%{_libdir}/ -type f -name "*.so*"`
do
@ -271,13 +284,13 @@ install -m 755 %{vendorFiles}/krb5kdc.init %{buildroot}%{_sysconfdir}/init.d/krb
install -m 755 %{vendorFiles}/kpropd.init %{buildroot}%{_sysconfdir}/init.d/kpropd
%endif
# install sysconfig templates
mkdir -p $RPM_BUILD_ROOT/%{_fillupdir}
install -m 644 %{vendorFiles}/sysconfig.kadmind $RPM_BUILD_ROOT/%{_fillupdir}/
install -m 644 %{vendorFiles}/sysconfig.krb5kdc $RPM_BUILD_ROOT/%{_fillupdir}/
mkdir -p %{buildroot}/%{_fillupdir}
install -m 644 %{vendorFiles}/sysconfig.kadmind %{buildroot}/%{_fillupdir}/
install -m 644 %{vendorFiles}/sysconfig.krb5kdc %{buildroot}/%{_fillupdir}/
# install logrotate files
mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d
install -m 644 %{vendorFiles}/krb5-server.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/krb5-server
find . -type f -name '*.ps' -exec gzip -9 {} \;
find . -type f -name '*.ps' -exec gzip -9 {} +
# create rc* links
mkdir -p %{buildroot}/usr/bin/
mkdir -p %{buildroot}/usr/sbin/
@ -329,6 +342,7 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so
%post server
%service_add_post krb5kdc.service kadmind.service kpropd.service
%tmpfiles_create krb5.conf
%{fillup_only -n kadmind}
%{fillup_only -n krb5kdc}
%{fillup_only -n kpropd}
@ -406,6 +420,7 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so
%{_unitdir}/kadmind.service
%{_unitdir}/krb5kdc.service
%{_unitdir}/kpropd.service
%{_libexecdir}/tmpfiles.d/krb5.conf
%else
%{_sysconfdir}/init.d/kadmind
%{_sysconfdir}/init.d/krb5kdc
@ -414,17 +429,24 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so
%dir %{krb5docdir}
%dir /usr/lib/mit
%dir /usr/lib/mit/sbin
%dir %{_localstatedir}/lib/kerberos/
%dir %{_localstatedir}/lib/kerberos/krb5kdc
%dir %{_localstatedir}/lib/kerberos/krb5
%dir %{_localstatedir}/lib/kerberos/krb5/user
%dir %{_datadir}/kerberos/
%dir %{_datadir}/kerberos/krb5kdc
%dir %{_datadir}/kerberos/krb5
%dir %{_datadir}/kerberos/krb5/user
%dir %{_libdir}/krb5
%dir %{_libdir}/krb5/plugins
%dir %{_libdir}/krb5/plugins/kdb
%dir %{_libdir}/krb5/plugins/tls
%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kdc.conf
%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.acl
%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.dict
%attr(0600,root,root) %config(noreplace) %{_datadir}/kerberos/krb5kdc/kdc.conf
%attr(0600,root,root) %config(noreplace) %{_datadir}/kerberos/krb5kdc/kadm5.acl
%attr(0600,root,root) %config(noreplace) %{_datadir}/kerberos/krb5kdc/kadm5.dict
%ghost %dir %{_sharedstatedir}/kerberos/
%ghost %dir %{_sharedstatedir}/kerberos/krb5kdc
%ghost %dir %{_sharedstatedir}/kerberos/krb5
%ghost %dir %{_sharedstatedir}/kerberos/krb5/user
%ghost %attr(0600,root,root) %config(noreplace) %{_sharedstatedir}/kerberos/krb5kdc/kdc.conf
%ghost %attr(0600,root,root) %config(noreplace) %{_sharedstatedir}/kerberos/krb5kdc/kadm5.acl
%ghost %attr(0600,root,root) %config(noreplace) %{_sharedstatedir}/kerberos/krb5kdc/kadm5.dict
%config %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/k*
%{_fillupdir}/sysconfig.*
/usr/sbin/rc*
@ -489,6 +511,7 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so
%{_mandir}/man5/k5login.5*
%{_mandir}/man1/ksu.1.gz
%{_mandir}/man1/sclient.1.gz
%{_mandir}/man7/kerberos.7.gz
%files plugin-kdb-ldap
%defattr(-,root,root)
@ -518,4 +541,11 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so
%dir %{_libdir}/krb5/plugins/preauth
%{_libdir}/krb5/plugins/preauth/otp.so
%files plugin-preauth-spake
%defattr(-,root,root)
%dir %{_libdir}/krb5
%dir %{_libdir}/krb5/plugins
%dir %{_libdir}/krb5/plugins/preauth
%{_libdir}/krb5/plugins/preauth/spake.so
%changelog
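Review bot: The tmpfiles snippet is installed to a hard-coded `/usr/lib/tmpfiles.d/` in `%install` but packaged as `%{_libexecdir}/tmpfiles.d/krb5.conf` in the server `%files` list, so the two agree only while `%{_libexecdir}` expands to `/usr/lib`. Using the systemd macro in both places keeps them in step: `install -m 644 %{SOURCE7} %{buildroot}%{_tmpfilesdir}/krb5.conf` and `%{_tmpfilesdir}/krb5.conf`. The `%files` entry also appears to sit in the systemd branch (an `%else` with the init.d scripts follows it) while the install line looks unconditional, so a non-systemd build would presumably end with an unpackaged file; the surrounding conditionals are outside the visible hunks, so this needs confirming. Separately, the 0600 templates under `%{_datadir}/kerberos/krb5kdc/` are still marked `%config(noreplace)` although the live copies are now the `%ghost` entries under `%{_sharedstatedir}`; it is worth a comment stating which of the two an administrator is expected to edit.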

7
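--- a/krb5.tmpfiles
+++ b/krb5.tmpfiles
@@ -0,0 +1,7 @@
+d /var/lib/kerberos 0755 root root -
+d /var/lib/kerberos/krb5 0755 root root -
+d /var/lib/kerberos/krb5/user 0755 root root -
+d /var/lib/kerberos/krb5kdc 0755 root root -
+C /var/lib/kerberos/krb5kdc/kdc.conf 0600 root root - /usr/share/kerberos/krb5kdc/kdc.conf
+C /var/lib/kerberos/krb5kdc/kadm5.acl 0600 root root - /usr/share/kerberos/krb5kdc/kadm5.acl
+C /var/lib/kerberos/krb5kdc/kadm5.dict 0600 root root - /usr/share/kerberos/krb5kdc/kadm5.dict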
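Review bot: `d /var/lib/kerberos/krb5kdc 0755 root root -` leaves the KDC state directory listable and traversable by every local user; the three files copied into it are 0600, but anything else created there later is protected only by its own mode. If this directory is also where the KDC keeps its database and stash file (not visible on this page, so an assumption), and the daemons run as root, I would tighten the directory itself: `d /var/lib/kerberos/krb5kdc 0700 root root -`. The file also has no comment explaining the `C` lines; something like `# Seed KDC config from /usr/share/kerberos when missing; existing files are left untouched` at the top would record the intent stated in the spec.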