forked from pool/krb5
Yuchen Lin 2019-02-19 12:54:57 +00:00 committed by Git OBS Bridge
commit 9cfbbfdef3
24 changed files with 1175 additions and 835 deletions


@ -1,3 +1,10 @@
From 333d843912825435da5c3e62807efb6753946be1 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Mon, 14 Jan 2019 13:05:56 +0100
Subject: [PATCH 1/9] krb5-1.12-pam
Import krb5-1.12-pam.patch
Modify ksu so that it performs account and session management on behalf of
the target user account, mimicking the action of regular su. The default
service name is "ksu", because on Fedora at least the configuration used
@ -10,10 +17,22 @@ When enabled, ksu gains a dependency on libpam.
Originally RT#5939, though it's changed since then to perform the account
and session management before dropping privileges.
---
src/aclocal.m4 | 67 +++++++
src/clients/ksu/Makefile.in | 8 +-
src/clients/ksu/main.c | 94 ++++++++-
src/clients/ksu/pam.c | 389 ++++++++++++++++++++++++++++++++++++
src/clients/ksu/pam.h | 57 ++++++
src/configure.in | 2 +
6 files changed, 614 insertions(+), 3 deletions(-)
create mode 100644 src/clients/ksu/pam.c
create mode 100644 src/clients/ksu/pam.h
--- krb5-1.13.orig/src/aclocal.m4
+++ krb5-1.13/src/aclocal.m4
@@ -1671,3 +1671,70 @@ AC_DEFUN(KRB5_AC_PERSISTENT_KEYRING,[
diff --git a/src/aclocal.m4 b/src/aclocal.m4
index 3752d9bd5..340546d80 100644
--- a/src/aclocal.m4
+++ b/src/aclocal.m4
@@ -1697,3 +1697,70 @@ AC_DEFUN(KRB5_AC_PERSISTENT_KEYRING,[
]))
])dnl
dnl
@ -84,8 +103,48 @@ and session management before dropping privileges.
+AC_SUBST(PAM_MAN)
+AC_SUBST(NON_PAM_MAN)
+])dnl
--- krb5-1.13.orig/src/clients/ksu/main.c
+++ krb5-1.13/src/clients/ksu/main.c
diff --git a/src/clients/ksu/Makefile.in b/src/clients/ksu/Makefile.in
index b2fcbf240..5755bb58a 100644
--- a/src/clients/ksu/Makefile.in
+++ b/src/clients/ksu/Makefile.in
@@ -3,12 +3,14 @@ BUILDTOP=$(REL)..$(S)..
DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"'
KSU_LIBS=@KSU_LIBS@
+PAM_LIBS=@PAM_LIBS@
SRCS = \
$(srcdir)/krb_auth_su.c \
$(srcdir)/ccache.c \
$(srcdir)/authorization.c \
$(srcdir)/main.c \
+ $(srcdir)/pam.c \
$(srcdir)/heuristic.c \
$(srcdir)/xmalloc.c \
$(srcdir)/setenv.c
@@ -17,13 +19,17 @@ OBJS = \
ccache.o \
authorization.o \
main.o \
+ pam.o \
heuristic.o \
xmalloc.o @SETENVOBJ@
all: ksu
ksu: $(OBJS) $(KRB5_BASE_DEPLIBS)
- $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS)
+ $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS) $(PAM_LIBS)
+
+pam.o: pam.c
+ $(CC) $(ALL_CFLAGS) -c $<
clean:
$(RM) ksu
diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c
index d9596d948..7a0c7e48b 100644
--- a/src/clients/ksu/main.c
+++ b/src/clients/ksu/main.c
@@ -26,6 +26,7 @@
* KSU was writen by: Ari Medvinsky, ari@isi.edu
*/
@ -113,7 +172,7 @@ and session management before dropping privileges.
/***********/
#define KS_TEMPORARY_CACHE "MEMORY:_ksu"
@@ -519,6 +525,25 @@ main (argc, argv)
@@ -528,6 +534,25 @@ main (argc, argv)
prog_name,target_user,client_name,
source_user,ontty());
@ -139,7 +198,7 @@ and session management before dropping privileges.
/* Run authorization as target.*/
if (krb5_seteuid(target_uid)) {
com_err(prog_name, errno, _("while switching to target for "
@@ -587,6 +612,26 @@ main (argc, argv)
@@ -596,6 +621,26 @@ main (argc, argv)
com_err(prog_name,retval, _("while calling cc_filter"));
exit(1);
}
@ -166,7 +225,7 @@ and session management before dropping privileges.
}
if (all_rest_copy){
@@ -636,6 +681,32 @@ main (argc, argv)
@@ -645,6 +690,32 @@ main (argc, argv)
exit(1);
}
@ -199,7 +258,7 @@ and session management before dropping privileges.
/* set permissions */
if (setgid(target_pwd->pw_gid) < 0) {
perror("ksu: setgid");
@@ -733,7 +804,7 @@ main (argc, argv)
@@ -742,7 +813,7 @@ main (argc, argv)
fprintf(stderr, "program to be execed %s\n",params[0]);
}
@ -208,7 +267,7 @@ and session management before dropping privileges.
execv(params[0], params);
com_err(prog_name, errno, _("while trying to execv %s"), params[0]);
sweep_up(ksu_context, cc_target);
@@ -763,16 +834,35 @@ main (argc, argv)
@@ -772,16 +843,35 @@ main (argc, argv)
if (ret_pid == -1) {
com_err(prog_name, errno, _("while calling waitpid"));
}
@ -245,44 +304,11 @@ and session management before dropping privileges.
exit (1);
}
}
--- krb5-1.15.orig/src/clients/ksu/Makefile.in 2016-12-01 23:31:24.000000000 +0100
+++ krb5-1.15/src/clients/ksu/Makefile.in 2016-12-03 16:08:50.583613246 +0100
@@ -3,12 +3,14 @@
DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"'
KSU_LIBS=@KSU_LIBS@
+PAM_LIBS=@PAM_LIBS@
SRCS = \
$(srcdir)/krb_auth_su.c \
$(srcdir)/ccache.c \
$(srcdir)/authorization.c \
$(srcdir)/main.c \
+ $(srcdir)/pam.c \
$(srcdir)/heuristic.c \
$(srcdir)/xmalloc.c \
$(srcdir)/setenv.c
@@ -17,13 +19,17 @@
ccache.o \
authorization.o \
main.o \
+ pam.o \
heuristic.o \
xmalloc.o @SETENVOBJ@
all: ksu
ksu: $(OBJS) $(KRB5_BASE_DEPLIBS)
- $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS)
+ $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS) $(PAM_LIBS)
+
+pam.o: pam.c
+ $(CC) $(ALL_CFLAGS) -c $<
clean:
$(RM) ksu
diff --git a/src/clients/ksu/pam.c b/src/clients/ksu/pam.c
new file mode 100644
index 000000000..cbfe48704
--- /dev/null
+++ krb5-1.13/src/clients/ksu/pam.c
+++ b/src/clients/ksu/pam.c
@@ -0,0 +1,389 @@
+/*
+ * src/clients/ksu/pam.c
@ -673,8 +699,11 @@ and session management before dropping privileges.
+ return ret;
+}
+#endif
diff --git a/src/clients/ksu/pam.h b/src/clients/ksu/pam.h
new file mode 100644
index 000000000..0ab76569c
--- /dev/null
+++ krb5-1.13/src/clients/ksu/pam.h
+++ b/src/clients/ksu/pam.h
@@ -0,0 +1,57 @@
+/*
+ * src/clients/ksu/pam.h
@ -733,9 +762,11 @@ and session management before dropping privileges.
+int appl_pam_cred_init(void);
+void appl_pam_cleanup(void);
+#endif
--- krb5-1.13.orig/src/configure.in
+++ krb5-1.13/src/configure.in
@@ -1285,6 +1285,8 @@ AC_SUBST([VERTO_VERSION])
diff --git a/src/configure.in b/src/configure.in
index 61ef738dc..e9a12ac16 100644
--- a/src/configure.in
+++ b/src/configure.in
@@ -1352,6 +1352,8 @@ AC_SUBST([VERTO_VERSION])
AC_PATH_PROG(GROFF, groff)
@ -744,3 +775,6 @@ and session management before dropping privileges.
# Make localedir work in autoconf 2.5x.
if test "${localedir+set}" != set; then
localedir='$(datadir)/locale'
--
2.20.1
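Review bot: The explicit `pam.o: pam.c` rule added next to the `ksu:` link rule in src/clients/ksu/Makefile.in names its prerequisite as bare `pam.c` while SRCS lists the file as `$(srcdir)/pam.c`; in an out-of-tree build the bare name resolves only if the source directory is on VPATH, which this hunk does not show, and no per-object rule is visible for any of the other objects in OBJS, so pam.o appears to be the only one that needs it. Either dropping the two lines so pam.o is built the same way as main.o and the rest, or writing `pam.o: $(srcdir)/pam.c`, removes the discrepancy. The new `$(PAM_LIBS)` on the link line relies on configure substituting it empty when PAM is not enabled; a comment on the assignment, `PAM_LIBS=@PAM_LIBS@  # empty unless PAM is configured (KRB5_WITH_PAM in aclocal.m4)`, would make that contract visible. The main.c, pam.c and pam.h parts of this patch are almost entirely outside the visible hunks.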


@ -0,0 +1,31 @@
From 84aceebf6f76934c5d8fa11b0f7cd662542c286a Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Mon, 14 Jan 2019 13:06:55 +0100
Subject: [PATCH 2/9] krb5-1.9-manpaths
Import krb5-1.9-manpaths.dif
Change the absolute paths included in the man pages so that the correct
values can be dropped in by config.status. After applying this patch,
these files should be renamed to their ".in" counterparts, and then the
configure scripts should be rebuilt. Originally RT#6525
---
src/man/kpropd.man | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/man/kpropd.man b/src/man/kpropd.man
index 38daa5e79..a0106ec5f 100644
--- a/src/man/kpropd.man
+++ b/src/man/kpropd.man
@@ -67,7 +67,7 @@ the \fB/etc/inetd.conf\fP file which looks like this:
.sp
.nf
.ft C
-kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd
+kprop stream tcp nowait root @SBINDIR@/kpropd kpropd
.ft P
.fi
.UNINDENT
--
2.20.1


@ -1,33 +1,26 @@
From a04d1b609e0ca89d1ad93faeeafa5b3202cca4df Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Mon, 14 Jan 2019 13:08:07 +0100
Subject: [PATCH 3/9] krb5-1.12-buildconf
Import krb5-1.12-buildconf.patch
Build binaries in this package as RELRO PIEs, libraries as partial RELRO,
and install shared libraries with the execute bit set on them. Prune out
the -L/usr/lib* and PIE flags where they might leak out and affect
apps which just want to link with the libraries. FIXME: needs to check and
not just assume that the compiler supports using these flags.
---
src/build-tools/krb5-config.in | 7 +++++++
src/config/pre.in | 2 +-
src/config/shlib.conf | 5 +++--
3 files changed, 11 insertions(+), 3 deletions(-)
--- krb5-1.15.orig/src/config/shlib.conf 2016-12-01 23:31:24.000000000 +0100
+++ krb5-1.15/src/config/shlib.conf 2016-12-03 16:58:48.378478508 +0100
@@ -423,7 +423,7 @@
# Linux ld doesn't default to stuffing the SONAME field...
# Use objdump -x to examine the fields of the library
# UNDEF_CHECK is suppressed by --enable-asan
- LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $(UNDEF_CHECK)'
+ LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $(UNDEF_CHECK) -Wl,-z,relro'
UNDEF_CHECK='-Wl,--no-undefined'
# $(EXPORT_CHECK) runs export-check.pl when in maintainer mode.
LDCOMBINE_TAIL='-Wl,--version-script binutils.versions $(EXPORT_CHECK)'
@@ -435,7 +435,8 @@
SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
PROFFLAGS=-pg
PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)'
- CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)'
+ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie -Wl,-z,relro -Wl,-z,now $(LDFLAGS)'
+ INSTALL_SHLIB='${INSTALL} -m755'
CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)'
CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)'
CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)'
--- krb5/src/build-tools/krb5-config.in
+++ krb5/src/build-tools/krb5-config.in
@@ -189,6 +189,13 @@ if test -n "$do_libs"; then
diff --git a/src/build-tools/krb5-config.in b/src/build-tools/krb5-config.in
index f6184da3f..0edf6a1a5 100755
--- a/src/build-tools/krb5-config.in
+++ b/src/build-tools/krb5-config.in
@@ -225,6 +225,13 @@ if test -n "$do_libs"; then
-e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \
-e 's#\$(CFLAGS)##'`
@ -41,9 +34,11 @@ not just assume that the compiler supports using these flags.
if test $library = 'kdb'; then
lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB"
library=krb5
--- krb5/src/config/pre.in
+++ krb5/src/config/pre.in
@@ -188,7 +188,7 @@
diff --git a/src/config/pre.in b/src/config/pre.in
index ce87e21ca..164bf8301 100644
--- a/src/config/pre.in
+++ b/src/config/pre.in
@@ -184,7 +184,7 @@ INSTALL_PROGRAM=@INSTALL_PROGRAM@ $(INSTALL_STRIP)
INSTALL_SCRIPT=@INSTALL_PROGRAM@
INSTALL_DATA=@INSTALL_DATA@
INSTALL_SHLIB=@INSTALL_SHLIB@
@ -52,3 +47,29 @@ not just assume that the compiler supports using these flags.
## This is needed because autoconf will sometimes define @exec_prefix@ to be
## ${prefix}.
prefix=@prefix@
diff --git a/src/config/shlib.conf b/src/config/shlib.conf
index 3e4af6c02..a43736137 100644
--- a/src/config/shlib.conf
+++ b/src/config/shlib.conf
@@ -423,7 +423,7 @@ mips-*-netbsd*)
# Linux ld doesn't default to stuffing the SONAME field...
# Use objdump -x to examine the fields of the library
# UNDEF_CHECK is suppressed by --enable-asan
- LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $(UNDEF_CHECK)'
+ LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $(UNDEF_CHECK) -Wl,-z,relro'
UNDEF_CHECK='-Wl,--no-undefined'
# $(EXPORT_CHECK) runs export-check.pl when in maintainer mode.
LDCOMBINE_TAIL='-Wl,--version-script binutils.versions $(EXPORT_CHECK)'
@@ -435,7 +435,8 @@ mips-*-netbsd*)
SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
PROFFLAGS=-pg
PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)'
- CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)'
+ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie -Wl,-z,relro -Wl,-z,now $(LDFLAGS)'
+ INSTALL_SHLIB='${INSTALL} -m755'
CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)'
CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)'
CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)'
--
2.20.1
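Review bot: `CC_LINK_SHARED` in src/config/shlib.conf now hard-codes `-pie -Wl,-z,relro -Wl,-z,now`, but nothing in the visible hunks adds the matching `-fPIE` to the compile flags, and the patch description itself notes that compiler support is assumed rather than checked; on a toolchain that does not default to PIE, linking non-PIE objects with `-pie` can fail with relocation errors. Because the flags sit inside the variable rather than in `LDFLAGS`, a packager cannot drop them from the command line, so the FIXME should at least be carried into the file: `# FIXME: PIE/RELRO flags are assumed to be supported; no configure-time check yet`. A short comment stating the intended hardening split, `# executables: PIE + full RELRO (-z now); shared libs: partial RELRO (-z relro only)`, placed above the `LDCOMBINE=` line would also explain why the two assignments differ. The krb5-config.in and pre.in hunks of this patch are only partially visible here.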


@ -0,0 +1,26 @@
From 3cdd9863a1a7a9a004f3d75e32136bb0be26a32b Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Mon, 14 Jan 2019 13:09:05 +0100
Subject: [PATCH 4/9] krb5-1.6.3-gssapi_improve_errormessages
Import krb5-1.6.3-gssapi_improve_errormessages.dif
---
src/lib/gssapi/generic/disp_com_err_status.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/lib/gssapi/generic/disp_com_err_status.c b/src/lib/gssapi/generic/disp_com_err_status.c
index bc416107e..22612f970 100644
--- a/src/lib/gssapi/generic/disp_com_err_status.c
+++ b/src/lib/gssapi/generic/disp_com_err_status.c
@@ -52,7 +52,7 @@ g_display_com_err_status(OM_uint32 *minor_status, OM_uint32 status_value,
status_string->value = NULL;
if (! g_make_string_buffer(((status_value == 0)?no_error:
- error_message(status_value)),
+ error_message((long)status_value)),
status_string)) {
*minor_status = ENOMEM;
return(GSS_S_FAILURE);
--
2.20.1
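Review bot: The `(long)status_value` cast in g_display_com_err_status only widens the unsigned 32-bit value: on LP64 it is a no-op, and on ILP32 it reinterprets values at or above 2^31 as negative, so it does not by itself turn a 32-bit-truncated com_err code back into the negative `long` the krb5 error tables use; if that sign restoration is the intent, `(long)(int)status_value` is the form that does it on both models. The patch gives no rationale beyond `Import krb5-1.6.3-gssapi_improve_errormessages.dif`, so the next reader cannot tell whether this silences a warning or changes which message is looked up. A comment on the line, `/* error_message() takes errcode_t (long); widen explicitly. */`, or the sign-extending form with a note that codes are negative longs, would settle it.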


@ -0,0 +1,36 @@
From af0fe879800e72101b6d306c1b510880aec7cdaa Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Mon, 14 Jan 2019 13:14:47 +0100
Subject: [PATCH 5/9] krb5-1.6.3-ktutil-manpage
Import krb5-1.6.3-ktutil-manpage.dif
---
src/man/ktutil.man | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/src/man/ktutil.man b/src/man/ktutil.man
index 4e174c0fe..f6d6ae814 100644
--- a/src/man/ktutil.man
+++ b/src/man/ktutil.man
@@ -171,6 +171,18 @@ ktutil:
.sp
See kerberos(7) for a description of Kerberos environment
variables.
+.SH REMARKS
+Changes to the keytab are appended to the keytab file (i.e., the keytab file
+is never overwritten). To directly modify a keytab, save the changes to a
+temporary file and then overwrite the keytab file of interest.
+.TP
+.nf
+Example:
+ktutil> rkt /etc/krb5.keytab
+(modifications to keytab)
+ktutil> wkt /tmp/krb5.newtab
+ktutil> q
+# mv /tmp/krb5.newtab /etc/krb5.keytab
.SH SEE ALSO
.sp
kadmin(1), kdb5_util(8), kerberos(7)
--
2.20.1


@ -1,10 +1,22 @@
From 70039109cc843f4958e89fd674d098c7c89affa8 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Mon, 14 Jan 2019 13:15:50 +0100
Subject: [PATCH 6/9] krb5-1.12-api
Import krb5-1.12-api.patch
Reference docs don't define what happens if you call krb5_realm_compare() with
malformed krb5_principal structures. Define a behavior which keeps it from
crashing if applications don't check ahead of time.
---
src/lib/krb5/krb/princ_comp.c | 7 +++++++
1 file changed, 7 insertions(+)
--- krb5/src/lib/krb5/krb/princ_comp.c
+++ krb5/src/lib/krb5/krb/princ_comp.c
@@ -41,6 +41,10 @@ realm_compare_flags(krb5_context context
diff --git a/src/lib/krb5/krb/princ_comp.c b/src/lib/krb5/krb/princ_comp.c
index a6936107d..0ed78833b 100644
--- a/src/lib/krb5/krb/princ_comp.c
+++ b/src/lib/krb5/krb/princ_comp.c
@@ -36,6 +36,10 @@ realm_compare_flags(krb5_context context,
const krb5_data *realm1 = &princ1->realm;
const krb5_data *realm2 = &princ2->realm;
@ -15,7 +27,7 @@ crashing if applications don't check ahead of time.
if (realm1->length != realm2->length)
return FALSE;
if (realm1->length == 0)
@@ -92,6 +98,9 @@ krb5_principal_compare_flags(krb5_contex
@@ -88,6 +92,9 @@ krb5_principal_compare_flags(krb5_context context,
krb5_principal upn2 = NULL;
krb5_boolean ret = FALSE;
@ -25,3 +37,6 @@ crashing if applications don't check ahead of time.
if (flags & KRB5_PRINCIPAL_COMPARE_ENTERPRISE) {
/* Treat UPNs as if they were real principals */
if (princ1->type == KRB5_NT_ENTERPRISE_PRINCIPAL) {
--
2.20.1


@ -0,0 +1,27 @@
From 2af2add95fdd3973437cd0ce5ca1794afb461227 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Mon, 14 Jan 2019 13:16:29 +0100
Subject: [PATCH 7/9] krb5-1.12-ksu
Import krb5-1.12-ksu-path.patch
Set the default PATH to the one set by login.
---
src/clients/ksu/Makefile.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/clients/ksu/Makefile.in b/src/clients/ksu/Makefile.in
index 5755bb58a..9d58f29b5 100644
--- a/src/clients/ksu/Makefile.in
+++ b/src/clients/ksu/Makefile.in
@@ -1,6 +1,6 @@
mydir=clients$(S)ksu
BUILDTOP=$(REL)..$(S)..
-DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"'
+DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/usr/local/sbin /usr/local/bin /sbin /bin /usr/sbin /usr/bin"'
KSU_LIBS=@KSU_LIBS@
PAM_LIBS=@PAM_LIBS@
--
2.20.1
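Review bot: The new `CMD_PATH` value in src/clients/ksu/Makefile.in lists `/usr/local/sbin /usr/local/bin` ahead of `/sbin /bin /usr/sbin /usr/bin`; for a setuid program this ordering decides which binary wins when a name exists in more than one of those directories, and that choice deserves a comment rather than being implicit in a `-D` define. The patch description says it sets "the default PATH to the one set by login", but the hunk only changes the compile-time `CMD_PATH` define; from this hunk alone it is not visible whether ksu also exports it as the child's PATH or only uses it to locate the command (main.c is not in view). A line above the define, `# CMD_PATH: directories ksu searches, in order, for the command run as the target user; keep in sync with the login PATH`, would document both points.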


@ -1,3 +1,10 @@
From e079ae26bbec6bce74e09a980d734fa886ee93b0 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Mon, 14 Jan 2019 13:17:28 +0100
Subject: [PATCH 8/9] krb5-1.12-selinux-label
Import krb5-1.12-selinux-label.patch
SELinux bases access to files on the domain of the requesting process,
the operation being performed, and the context applied to the file.
@ -30,11 +37,39 @@ stomp all over us.
The selabel APIs for looking up the context should be thread-safe (per
Red Hat #273081), so switching to using them instead of matchpathcon(),
which we used earlier, is some improvement.
---
src/aclocal.m4 | 49 +++
src/build-tools/krb5-config.in | 3 +-
src/config/pre.in | 3 +-
src/configure.in | 2 +
src/include/k5-int.h | 1 +
src/include/k5-label.h | 32 ++
src/include/krb5/krb5.hin | 6 +
src/kadmin/dbutil/dump.c | 11 +-
src/kdc/main.c | 2 +-
src/lib/kadm5/logger.c | 4 +-
src/lib/kdb/kdb_log.c | 2 +-
src/lib/krb5/ccache/cc_dir.c | 26 +-
src/lib/krb5/keytab/kt_file.c | 4 +-
src/lib/krb5/os/trace.c | 2 +-
src/lib/krb5/rcache/rc_dfl.c | 13 +
src/plugins/kdb/db2/adb_openclose.c | 2 +-
src/plugins/kdb/db2/kdb_db2.c | 4 +-
src/plugins/kdb/db2/libdb2/btree/bt_open.c | 3 +-
src/plugins/kdb/db2/libdb2/hash/hash.c | 3 +-
src/plugins/kdb/db2/libdb2/recno/rec_open.c | 4 +-
.../kdb/ldap/ldap_util/kdb5_ldap_services.c | 11 +-
src/util/profile/prof_file.c | 3 +-
src/util/support/Makefile.in | 3 +-
src/util/support/selinux.c | 381 ++++++++++++++++++
24 files changed, 553 insertions(+), 21 deletions(-)
create mode 100644 src/include/k5-label.h
create mode 100644 src/util/support/selinux.c
Index: krb5-1.16.1/src/aclocal.m4
===================================================================
--- krb5-1.16.1.orig/src/aclocal.m4
+++ krb5-1.16.1/src/aclocal.m4
diff --git a/src/aclocal.m4 b/src/aclocal.m4
index 340546d80..4440ec5f8 100644
--- a/src/aclocal.m4
+++ b/src/aclocal.m4
@@ -89,6 +89,7 @@ AC_SUBST_FILE(libnodeps_frag)
dnl
KRB5_AC_PRAGMA_WEAK_REF
@ -43,7 +78,7 @@ Index: krb5-1.16.1/src/aclocal.m4
KRB5_LIB_PARAMS
KRB5_AC_INITFINI
KRB5_AC_ENABLE_THREADS
@@ -1763,3 +1764,51 @@ AC_SUBST(PAM_LIBS)
@@ -1764,3 +1765,51 @@ AC_SUBST(PAM_LIBS)
AC_SUBST(PAM_MAN)
AC_SUBST(NON_PAM_MAN)
])dnl
@ -95,10 +130,31 @@ Index: krb5-1.16.1/src/aclocal.m4
+LIBS="$old_LIBS"
+AC_SUBST(SELINUX_LIBS)
+])dnl
Index: krb5-1.16.1/src/config/pre.in
===================================================================
--- krb5-1.16.1.orig/src/config/pre.in
+++ krb5-1.16.1/src/config/pre.in
diff --git a/src/build-tools/krb5-config.in b/src/build-tools/krb5-config.in
index 0edf6a1a5..1891dea99 100755
--- a/src/build-tools/krb5-config.in
+++ b/src/build-tools/krb5-config.in
@@ -41,6 +41,7 @@ DL_LIB='@DL_LIB@'
DEFCCNAME='@DEFCCNAME@'
DEFKTNAME='@DEFKTNAME@'
DEFCKTNAME='@DEFCKTNAME@'
+SELINUX_LIBS='@SELINUX_LIBS@'
LIBS='@LIBS@'
GEN_LIB=@GEN_LIB@
@@ -262,7 +263,7 @@ if test -n "$do_libs"; then
fi
# If we ever support a flag to generate output suitable for static
- # linking, we would output "-lkrb5support $GEN_LIB $LIBS $DL_LIB"
+ # linking, we would output "-lkrb5support $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB"
# here.
echo $lib_flags
diff --git a/src/config/pre.in b/src/config/pre.in
index 164bf8301..a8540ae2a 100644
--- a/src/config/pre.in
+++ b/src/config/pre.in
@@ -177,6 +177,7 @@ LD = $(PURE) @LD@
KRB_INCLUDES = -I$(BUILDTOP)/include -I$(top_srcdir)/include
LDFLAGS = @LDFLAGS@
@ -107,7 +163,7 @@ Index: krb5-1.16.1/src/config/pre.in
INSTALL=@INSTALL@
INSTALL_STRIP=
@@ -399,7 +400,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME)
@@ -402,7 +403,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME)
# HESIOD_LIBS is -lhesiod...
HESIOD_LIBS = @HESIOD_LIBS@
@ -116,11 +172,11 @@ Index: krb5-1.16.1/src/config/pre.in
KDB5_LIBS = $(KDB5_LIB) $(GSSRPC_LIBS)
GSS_LIBS = $(GSS_KRB5_LIB)
# needs fixing if ever used on macOS!
Index: krb5-1.16.1/src/configure.in
===================================================================
--- krb5-1.16.1.orig/src/configure.in
+++ krb5-1.16.1/src/configure.in
@@ -1308,6 +1308,8 @@ AC_PATH_PROG(GROFF, groff)
diff --git a/src/configure.in b/src/configure.in
index e9a12ac16..93aec682e 100644
--- a/src/configure.in
+++ b/src/configure.in
@@ -1354,6 +1354,8 @@ AC_PATH_PROG(GROFF, groff)
KRB5_WITH_PAM
@ -129,10 +185,10 @@ Index: krb5-1.16.1/src/configure.in
# Make localedir work in autoconf 2.5x.
if test "${localedir+set}" != set; then
localedir='$(datadir)/locale'
Index: krb5-1.16.1/src/include/k5-int.h
===================================================================
--- krb5-1.16.1.orig/src/include/k5-int.h
+++ krb5-1.16.1/src/include/k5-int.h
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 652242207..7190a8f55 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -126,6 +126,7 @@ typedef unsigned char u_char;
#endif /* HAVE_SYS_TYPES_H */
#endif /* KRB5_SYSTYPES__ */
@ -141,10 +197,11 @@ Index: krb5-1.16.1/src/include/k5-int.h
#include "k5-platform.h"
Index: krb5-1.16.1/src/include/k5-label.h
===================================================================
diff --git a/src/include/k5-label.h b/src/include/k5-label.h
new file mode 100644
index 000000000..dfaaa847c
--- /dev/null
+++ krb5-1.16.1/src/include/k5-label.h
+++ b/src/include/k5-label.h
@@ -0,0 +1,32 @@
+#ifndef _KRB5_LABEL_H
+#define _KRB5_LABEL_H
@ -178,10 +235,10 @@ Index: krb5-1.16.1/src/include/k5-label.h
+#define THREEPARAMOPEN(x,y,z) open(x,y,z)
+#endif
+#endif
Index: krb5-1.16.1/src/include/krb5/krb5.hin
===================================================================
--- krb5-1.16.1.orig/src/include/krb5/krb5.hin
+++ krb5-1.16.1/src/include/krb5/krb5.hin
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index c40a6cca8..3ff86d7ff 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -87,6 +87,12 @@
#define THREEPARAMOPEN(x,y,z) open(x,y,z)
#endif
@ -195,11 +252,11 @@ Index: krb5-1.16.1/src/include/krb5/krb5.hin
#define KRB5_OLD_CRYPTO
#include <stdlib.h>
Index: krb5-1.16.1/src/kadmin/dbutil/dump.c
===================================================================
--- krb5-1.16.1.orig/src/kadmin/dbutil/dump.c
+++ krb5-1.16.1/src/kadmin/dbutil/dump.c
@@ -148,12 +148,21 @@ create_ofile(char *ofile, char **tmpname
diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c
index c9574c6e1..8301a33d0 100644
--- a/src/kadmin/dbutil/dump.c
+++ b/src/kadmin/dbutil/dump.c
@@ -148,12 +148,21 @@ create_ofile(char *ofile, char **tmpname)
{
int fd = -1;
FILE *f;
@ -221,41 +278,33 @@ Index: krb5-1.16.1/src/kadmin/dbutil/dump.c
if (fd == -1)
goto error;
@@ -194,7 +203,7 @@ prep_ok_file(krb5_context context, char
return 0;
@@ -197,7 +206,7 @@ prep_ok_file(krb5_context context, char *file_name, int *fd_out)
goto cleanup;
}
- *fd = open(file_ok, O_WRONLY | O_CREAT | O_TRUNC, 0600);
+ *fd = THREEPARAMOPEN(file_ok, O_WRONLY | O_CREAT | O_TRUNC, 0600);
if (*fd == -1) {
- fd = open(file_ok, O_WRONLY | O_CREAT | O_TRUNC, 0600);
+ fd = THREEPARAMOPEN(file_ok, O_WRONLY | O_CREAT | O_TRUNC, 0600);
if (fd == -1) {
com_err(progname, errno, _("while creating 'ok' file, '%s'"), file_ok);
exit_status++;
Index: krb5-1.16.1/src/build-tools/krb5-config.in
===================================================================
--- krb5-1.16.1.orig/src/build-tools/krb5-config.in
+++ krb5-1.16.1/src/build-tools/krb5-config.in
@@ -41,6 +41,7 @@ DL_LIB='@DL_LIB@'
DEFCCNAME='@DEFCCNAME@'
DEFKTNAME='@DEFKTNAME@'
DEFCKTNAME='@DEFCKTNAME@'
+SELINUX_LIBS='@SELINUX_LIBS@'
goto cleanup;
diff --git a/src/kdc/main.c b/src/kdc/main.c
index 408c723f5..663fd6303 100644
--- a/src/kdc/main.c
+++ b/src/kdc/main.c
@@ -858,7 +858,7 @@ write_pid_file(const char *path)
FILE *file;
unsigned long pid;
LIBS='@LIBS@'
GEN_LIB=@GEN_LIB@
@@ -262,7 +263,7 @@ if test -n "$do_libs"; then
fi
# If we ever support a flag to generate output suitable for static
- # linking, we would output "-lkrb5support $GEN_LIB $LIBS $DL_LIB"
+ # linking, we would output "-lkrb5support $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB"
# here.
echo $lib_flags
Index: krb5-1.16.1/src/lib/kadm5/logger.c
===================================================================
--- krb5-1.16.1.orig/src/lib/kadm5/logger.c
+++ krb5-1.16.1/src/lib/kadm5/logger.c
@@ -414,7 +414,7 @@ krb5_klog_init(krb5_context kcontext, ch
- file = fopen(path, "w");
+ file = WRITABLEFOPEN(path, "w");
if (file == NULL)
return errno;
pid = (unsigned long) getpid();
diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c
index c6885edf2..9aec3c05e 100644
--- a/src/lib/kadm5/logger.c
+++ b/src/lib/kadm5/logger.c
@@ -309,7 +309,7 @@ krb5_klog_init(krb5_context kcontext, char *ename, char *whoami, krb5_boolean do
*/
append = (cp[4] == ':') ? O_APPEND : 0;
if (append || cp[4] == '=') {
@ -264,7 +313,7 @@ Index: krb5-1.16.1/src/lib/kadm5/logger.c
S_IRUSR | S_IWUSR | S_IRGRP);
if (fd != -1)
f = fdopen(fd, append ? "a" : "w");
@@ -918,7 +918,7 @@ krb5_klog_reopen(krb5_context kcontext)
@@ -776,7 +776,7 @@ krb5_klog_reopen(krb5_context kcontext)
* In case the old logfile did not get moved out of the
* way, open for append to prevent squashing the old logs.
*/
@ -273,11 +322,74 @@ Index: krb5-1.16.1/src/lib/kadm5/logger.c
if (f) {
set_cloexec_file(f);
log_control.log_entries[lindex].lfu_filep = f;
Index: krb5-1.16.1/src/lib/krb5/keytab/kt_file.c
===================================================================
--- krb5-1.16.1.orig/src/lib/krb5/keytab/kt_file.c
+++ krb5-1.16.1/src/lib/krb5/keytab/kt_file.c
@@ -1024,14 +1024,14 @@ krb5_ktfileint_open(krb5_context context
diff --git a/src/lib/kdb/kdb_log.c b/src/lib/kdb/kdb_log.c
index 2659a2501..a1cd38f4c 100644
--- a/src/lib/kdb/kdb_log.c
+++ b/src/lib/kdb/kdb_log.c
@@ -491,7 +491,7 @@ ulog_map(krb5_context context, const char *logname, uint32_t ulogentries)
if (retval)
goto cleanup;
} else {
- log_ctx->ulogfd = open(logname, O_RDWR, 0600);
+ log_ctx->ulogfd = THREEPARAMOPEN(logname, O_RDWR | O_CREAT, 0600);
if (log_ctx->ulogfd == -1) {
retval = errno;
goto cleanup;
diff --git a/src/lib/krb5/ccache/cc_dir.c b/src/lib/krb5/ccache/cc_dir.c
index bba64e516..73f0fe62d 100644
--- a/src/lib/krb5/ccache/cc_dir.c
+++ b/src/lib/krb5/ccache/cc_dir.c
@@ -183,10 +183,19 @@ write_primary_file(const char *primary_path, const char *contents)
char *newpath = NULL;
FILE *fp = NULL;
int fd = -1, status;
+#ifdef USE_SELINUX
+ void *selabel;
+#endif
if (asprintf(&newpath, "%s.XXXXXX", primary_path) < 0)
return ENOMEM;
+#ifdef USE_SELINUX
+ selabel = krb5int_push_fscreatecon_for(primary_path);
+#endif
fd = mkstemp(newpath);
+#ifdef USE_SELINUX
+ krb5int_pop_fscreatecon(selabel);
+#endif
if (fd < 0)
goto cleanup;
#ifdef HAVE_CHMOD
@@ -221,10 +230,23 @@ static krb5_error_code
verify_dir(krb5_context context, const char *dirname)
{
struct stat st;
+ int status;
+#ifdef USE_SELINUX
+ void *selabel;
+#endif
if (stat(dirname, &st) < 0) {
- if (errno == ENOENT && mkdir(dirname, S_IRWXU) == 0)
- return 0;
+ if (errno == ENOENT) {
+#ifdef USE_SELINUX
+ selabel = krb5int_push_fscreatecon_for(dirname);
+#endif
+ status = mkdir(dirname, S_IRWXU);
+#ifdef USE_SELINUX
+ krb5int_pop_fscreatecon(selabel);
+#endif
+ if (status == 0)
+ return 0;
+ }
k5_setmsg(context, KRB5_FCC_NOFILE,
_("Credential cache directory %s does not exist"),
dirname);
diff --git a/src/lib/krb5/keytab/kt_file.c b/src/lib/krb5/keytab/kt_file.c
index 89cb68680..21c80d419 100644
--- a/src/lib/krb5/keytab/kt_file.c
+++ b/src/lib/krb5/keytab/kt_file.c
@@ -1024,14 +1024,14 @@ krb5_ktfileint_open(krb5_context context, krb5_keytab id, int mode)
KTCHECKLOCK(id);
errno = 0;
@ -294,11 +406,56 @@ Index: krb5-1.16.1/src/lib/krb5/keytab/kt_file.c
if (!KTFILEP(id))
goto report_errno;
writevno = 1;
Index: krb5-1.16.1/src/plugins/kdb/db2/adb_openclose.c
===================================================================
--- krb5-1.16.1.orig/src/plugins/kdb/db2/adb_openclose.c
+++ krb5-1.16.1/src/plugins/kdb/db2/adb_openclose.c
@@ -152,7 +152,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char
diff --git a/src/lib/krb5/os/trace.c b/src/lib/krb5/os/trace.c
index 4fff8f38c..40a9e7b10 100644
--- a/src/lib/krb5/os/trace.c
+++ b/src/lib/krb5/os/trace.c
@@ -458,7 +458,7 @@ krb5_set_trace_filename(krb5_context context, const char *filename)
fd = malloc(sizeof(*fd));
if (fd == NULL)
return ENOMEM;
- *fd = open(filename, O_WRONLY|O_CREAT|O_APPEND, 0600);
+ *fd = THREEPARAMOPEN(filename, O_WRONLY|O_CREAT|O_APPEND, 0600);
if (*fd == -1) {
free(fd);
return errno;
diff --git a/src/lib/krb5/rcache/rc_dfl.c b/src/lib/krb5/rcache/rc_dfl.c
index 1e0cb22c9..f5e93b1ab 100644
--- a/src/lib/krb5/rcache/rc_dfl.c
+++ b/src/lib/krb5/rcache/rc_dfl.c
@@ -793,6 +793,9 @@ krb5_rc_dfl_expunge_locked(krb5_context context, krb5_rcache id)
krb5_error_code retval = 0;
krb5_rcache tmp;
krb5_deltat lifespan = t->lifespan; /* save original lifespan */
+#ifdef USE_SELINUX
+ void *selabel;
+#endif
if (! t->recovering) {
name = t->name;
@@ -814,7 +817,17 @@ krb5_rc_dfl_expunge_locked(krb5_context context, krb5_rcache id)
retval = krb5_rc_resolve(context, tmp, 0);
if (retval)
goto cleanup;
+#ifdef USE_SELINUX
+ if (t->d.fn != NULL)
+ selabel = krb5int_push_fscreatecon_for(t->d.fn);
+ else
+ selabel = NULL;
+#endif
retval = krb5_rc_initialize(context, tmp, lifespan);
+#ifdef USE_SELINUX
+ if (selabel != NULL)
+ krb5int_pop_fscreatecon(selabel);
+#endif
if (retval)
goto cleanup;
for (q = t->a; q; q = q->na) {
diff --git a/src/plugins/kdb/db2/adb_openclose.c b/src/plugins/kdb/db2/adb_openclose.c
index 7db30a33b..2b9d01921 100644
--- a/src/plugins/kdb/db2/adb_openclose.c
+++ b/src/plugins/kdb/db2/adb_openclose.c
@@ -152,7 +152,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char *filename, char *lockfilename,
* needs be open read/write so that write locking can work with
* POSIX systems
*/
@ -307,11 +464,26 @@ Index: krb5-1.16.1/src/plugins/kdb/db2/adb_openclose.c
/*
* maybe someone took away write permission so we could only
* get shared locks?
Index: krb5-1.16.1/src/plugins/kdb/db2/libdb2/btree/bt_open.c
===================================================================
--- krb5-1.16.1.orig/src/plugins/kdb/db2/libdb2/btree/bt_open.c
+++ krb5-1.16.1/src/plugins/kdb/db2/libdb2/btree/bt_open.c
@@ -60,6 +60,7 @@ static char sccsid[] = "@(#)bt_open.c 8.
diff --git a/src/plugins/kdb/db2/kdb_db2.c b/src/plugins/kdb/db2/kdb_db2.c
index 5106a5c99..e481e8121 100644
--- a/src/plugins/kdb/db2/kdb_db2.c
+++ b/src/plugins/kdb/db2/kdb_db2.c
@@ -694,8 +694,8 @@ ctx_create_db(krb5_context context, krb5_db2_context *dbc)
if (retval)
return retval;
- dbc->db_lf_file = open(dbc->db_lf_name, O_CREAT | O_RDWR | O_TRUNC,
- 0600);
+ dbc->db_lf_file = THREEPARAMOPEN(dbc->db_lf_name,
+ O_CREAT | O_RDWR | O_TRUNC, 0600);
if (dbc->db_lf_file < 0) {
retval = errno;
goto cleanup;
diff --git a/src/plugins/kdb/db2/libdb2/btree/bt_open.c b/src/plugins/kdb/db2/libdb2/btree/bt_open.c
index 2977b17f3..d5809a5a9 100644
--- a/src/plugins/kdb/db2/libdb2/btree/bt_open.c
+++ b/src/plugins/kdb/db2/libdb2/btree/bt_open.c
@@ -60,6 +60,7 @@ static char sccsid[] = "@(#)bt_open.c 8.11 (Berkeley) 11/2/95";
#include <string.h>
#include <unistd.h>
@ -319,7 +491,7 @@ Index: krb5-1.16.1/src/plugins/kdb/db2/libdb2/btree/bt_open.c
#include "db-int.h"
#include "btree.h"
@@ -203,7 +204,7 @@ __bt_open(fname, flags, mode, openinfo,
@@ -203,7 +204,7 @@ __bt_open(fname, flags, mode, openinfo, dflags)
goto einval;
}
@ -328,11 +500,11 @@ Index: krb5-1.16.1/src/plugins/kdb/db2/libdb2/btree/bt_open.c
goto err;
} else {
Index: krb5-1.16.1/src/plugins/kdb/db2/libdb2/hash/hash.c
===================================================================
--- krb5-1.16.1.orig/src/plugins/kdb/db2/libdb2/hash/hash.c
+++ krb5-1.16.1/src/plugins/kdb/db2/libdb2/hash/hash.c
@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)hash.c 8.12
diff --git a/src/plugins/kdb/db2/libdb2/hash/hash.c b/src/plugins/kdb/db2/libdb2/hash/hash.c
index 862dbb164..686a960c9 100644
--- a/src/plugins/kdb/db2/libdb2/hash/hash.c
+++ b/src/plugins/kdb/db2/libdb2/hash/hash.c
@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)hash.c 8.12 (Berkeley) 11/7/95";
#include <assert.h>
#endif
@ -340,7 +512,7 @@ Index: krb5-1.16.1/src/plugins/kdb/db2/libdb2/hash/hash.c
#include "db-int.h"
#include "hash.h"
#include "page.h"
@@ -129,7 +130,7 @@ __kdb2_hash_open(file, flags, mode, info
@@ -129,7 +130,7 @@ __kdb2_hash_open(file, flags, mode, info, dflags)
new_table = 1;
}
if (file) {
@ -349,11 +521,33 @@ Index: krb5-1.16.1/src/plugins/kdb/db2/libdb2/hash/hash.c
RETURN_ERROR(errno, error0);
(void)fcntl(hashp->fp, F_SETFD, 1);
}
Index: krb5-1.16.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
===================================================================
--- krb5-1.16.1.orig/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
+++ krb5-1.16.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
@@ -203,7 +203,7 @@ kdb5_ldap_stash_service_password(int arg
diff --git a/src/plugins/kdb/db2/libdb2/recno/rec_open.c b/src/plugins/kdb/db2/libdb2/recno/rec_open.c
index d8b26e701..b0daa7c02 100644
--- a/src/plugins/kdb/db2/libdb2/recno/rec_open.c
+++ b/src/plugins/kdb/db2/libdb2/recno/rec_open.c
@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)rec_open.c 8.12 (Berkeley) 11/18/94";
#include <stdio.h>
#include <unistd.h>
+#include "k5-int.h"
#include "db-int.h"
#include "recno.h"
@@ -68,7 +69,8 @@ __rec_open(fname, flags, mode, openinfo, dflags)
int rfd = -1, sverrno;
/* Open the user's file -- if this fails, we're done. */
- if (fname != NULL && (rfd = open(fname, flags | O_BINARY, mode)) < 0)
+ if (fname != NULL &&
+ (rfd = THREEPARAMOPEN(fname, flags | O_BINARY, mode)) < 0)
return (NULL);
if (fname != NULL && fcntl(rfd, F_SETFD, 1) == -1) {
diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
index 1ed72afe9..ce038fc3d 100644
--- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
+++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
@@ -194,7 +194,7 @@ kdb5_ldap_stash_service_password(int argc, char **argv)
/* set password in the file */
old_mode = umask(0177);
@ -362,7 +556,7 @@ Index: krb5-1.16.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
if (pfile == NULL) {
com_err(me, errno, _("Failed to open file %s: %s"), file_name,
strerror (errno));
@@ -244,6 +244,9 @@ kdb5_ldap_stash_service_password(int arg
@@ -235,6 +235,9 @@ kdb5_ldap_stash_service_password(int argc, char **argv)
* Delete the existing entry and add the new entry
*/
FILE *newfile;
@ -372,7 +566,7 @@ Index: krb5-1.16.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
mode_t omask;
@@ -255,7 +258,13 @@ kdb5_ldap_stash_service_password(int arg
@@ -246,7 +249,13 @@ kdb5_ldap_stash_service_password(int argc, char **argv)
}
omask = umask(077);
@ -386,10 +580,10 @@ Index: krb5-1.16.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
umask (omask);
if (newfile == NULL) {
com_err(me, errno, _("Error creating file %s"), tmp_file);
Index: krb5-1.16.1/src/util/profile/prof_file.c
===================================================================
--- krb5-1.16.1.orig/src/util/profile/prof_file.c
+++ krb5-1.16.1/src/util/profile/prof_file.c
diff --git a/src/util/profile/prof_file.c b/src/util/profile/prof_file.c
index 24e41fb80..0dcb6b543 100644
--- a/src/util/profile/prof_file.c
+++ b/src/util/profile/prof_file.c
@@ -33,6 +33,7 @@
#endif
@ -398,7 +592,7 @@ Index: krb5-1.16.1/src/util/profile/prof_file.c
struct global_shared_profile_data {
/* This is the head of the global list of shared trees */
@@ -423,7 +424,7 @@ static errcode_t write_data_to_file(prf_
@@ -391,7 +392,7 @@ static errcode_t write_data_to_file(prf_data_t data, const char *outfile,
errno = 0;
@ -407,10 +601,10 @@ Index: krb5-1.16.1/src/util/profile/prof_file.c
if (!f) {
retval = errno;
if (retval == 0)
Index: krb5-1.16.1/src/util/support/Makefile.in
===================================================================
--- krb5-1.16.1.orig/src/util/support/Makefile.in
+++ krb5-1.16.1/src/util/support/Makefile.in
diff --git a/src/util/support/Makefile.in b/src/util/support/Makefile.in
index db7b030b8..321672bcb 100644
--- a/src/util/support/Makefile.in
+++ b/src/util/support/Makefile.in
@@ -69,6 +69,7 @@ IPC_SYMS= \
STLIBOBJS= \
@ -419,7 +613,7 @@ Index: krb5-1.16.1/src/util/support/Makefile.in
init-addrinfo.o \
plugins.o \
errors.o \
@@ -149,7 +150,7 @@ SRCS=\
@@ -160,7 +161,7 @@ SRCS=\
SHLIB_EXPDEPS =
# Add -lm if dumping thread stats, for sqrt.
@ -428,10 +622,11 @@ Index: krb5-1.16.1/src/util/support/Makefile.in
DEPLIBS=
Index: krb5-1.16.1/src/util/support/selinux.c
===================================================================
diff --git a/src/util/support/selinux.c b/src/util/support/selinux.c
new file mode 100644
index 000000000..ffba6a9ff
--- /dev/null
+++ krb5-1.16.1/src/util/support/selinux.c
+++ b/src/util/support/selinux.c
@@ -0,0 +1,381 @@
+/*
+ * Copyright 2007,2008,2009,2011,2012,2013 Red Hat, Inc. All Rights Reserved.
@ -814,192 +1009,6 @@ Index: krb5-1.16.1/src/util/support/selinux.c
+}
+
+#endif
Index: krb5-1.16.1/src/lib/krb5/rcache/rc_dfl.c
===================================================================
--- krb5-1.16.1.orig/src/lib/krb5/rcache/rc_dfl.c
+++ krb5-1.16.1/src/lib/krb5/rcache/rc_dfl.c
@@ -793,6 +793,9 @@ krb5_rc_dfl_expunge_locked(krb5_context
krb5_error_code retval = 0;
krb5_rcache tmp;
krb5_deltat lifespan = t->lifespan; /* save original lifespan */
+#ifdef USE_SELINUX
+ void *selabel;
+#endif
--
2.20.1
if (! t->recovering) {
name = t->name;
@@ -814,7 +817,17 @@ krb5_rc_dfl_expunge_locked(krb5_context
retval = krb5_rc_resolve(context, tmp, 0);
if (retval)
goto cleanup;
+#ifdef USE_SELINUX
+ if (t->d.fn != NULL)
+ selabel = krb5int_push_fscreatecon_for(t->d.fn);
+ else
+ selabel = NULL;
+#endif
retval = krb5_rc_initialize(context, tmp, lifespan);
+#ifdef USE_SELINUX
+ if (selabel != NULL)
+ krb5int_pop_fscreatecon(selabel);
+#endif
if (retval)
goto cleanup;
for (q = t->a; q; q = q->na) {
Index: krb5-1.16.1/src/lib/krb5/ccache/cc_dir.c
===================================================================
--- krb5-1.16.1.orig/src/lib/krb5/ccache/cc_dir.c
+++ krb5-1.16.1/src/lib/krb5/ccache/cc_dir.c
@@ -183,10 +183,19 @@ write_primary_file(const char *primary_p
char *newpath = NULL;
FILE *fp = NULL;
int fd = -1, status;
+#ifdef USE_SELINUX
+ void *selabel;
+#endif
if (asprintf(&newpath, "%s.XXXXXX", primary_path) < 0)
return ENOMEM;
+#ifdef USE_SELINUX
+ selabel = krb5int_push_fscreatecon_for(primary_path);
+#endif
fd = mkstemp(newpath);
+#ifdef USE_SELINUX
+ krb5int_pop_fscreatecon(selabel);
+#endif
if (fd < 0)
goto cleanup;
#ifdef HAVE_CHMOD
@@ -221,10 +230,23 @@ static krb5_error_code
verify_dir(krb5_context context, const char *dirname)
{
struct stat st;
+ int status;
+#ifdef USE_SELINUX
+ void *selabel;
+#endif
if (stat(dirname, &st) < 0) {
- if (errno == ENOENT && mkdir(dirname, S_IRWXU) == 0)
- return 0;
+ if (errno == ENOENT) {
+#ifdef USE_SELINUX
+ selabel = krb5int_push_fscreatecon_for(dirname);
+#endif
+ status = mkdir(dirname, S_IRWXU);
+#ifdef USE_SELINUX
+ krb5int_pop_fscreatecon(selabel);
+#endif
+ if (status == 0)
+ return 0;
+ }
k5_setmsg(context, KRB5_FCC_NOFILE,
_("Credential cache directory %s does not exist"),
dirname);
Index: krb5-1.16.1/src/lib/krb5/os/trace.c
===================================================================
--- krb5-1.16.1.orig/src/lib/krb5/os/trace.c
+++ krb5-1.16.1/src/lib/krb5/os/trace.c
@@ -398,7 +398,7 @@ krb5_set_trace_filename(krb5_context con
fd = malloc(sizeof(*fd));
if (fd == NULL)
return ENOMEM;
- *fd = open(filename, O_WRONLY|O_CREAT|O_APPEND, 0600);
+ *fd = THREEPARAMOPEN(filename, O_WRONLY|O_CREAT|O_APPEND, 0600);
if (*fd == -1) {
free(fd);
return errno;
Index: krb5-1.16.1/src/plugins/kdb/db2/kdb_db2.c
===================================================================
--- krb5-1.16.1.orig/src/plugins/kdb/db2/kdb_db2.c
+++ krb5-1.16.1/src/plugins/kdb/db2/kdb_db2.c
@@ -694,8 +694,8 @@ ctx_create_db(krb5_context context, krb5
if (retval)
return retval;
- dbc->db_lf_file = open(dbc->db_lf_name, O_CREAT | O_RDWR | O_TRUNC,
- 0600);
+ dbc->db_lf_file = THREEPARAMOPEN(dbc->db_lf_name,
+ O_CREAT | O_RDWR | O_TRUNC, 0600);
if (dbc->db_lf_file < 0) {
retval = errno;
goto cleanup;
Index: krb5-1.16.1/src/plugins/kdb/db2/libdb2/recno/rec_open.c
===================================================================
--- krb5-1.16.1.orig/src/plugins/kdb/db2/libdb2/recno/rec_open.c
+++ krb5-1.16.1/src/plugins/kdb/db2/libdb2/recno/rec_open.c
@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)rec_open.c 8
#include <stdio.h>
#include <unistd.h>
+#include "k5-int.h"
#include "db-int.h"
#include "recno.h"
@@ -68,7 +69,8 @@ __rec_open(fname, flags, mode, openinfo,
int rfd = -1, sverrno;
/* Open the user's file -- if this fails, we're done. */
- if (fname != NULL && (rfd = open(fname, flags | O_BINARY, mode)) < 0)
+ if (fname != NULL &&
+ (rfd = THREEPARAMOPEN(fname, flags | O_BINARY, mode)) < 0)
return (NULL);
if (fname != NULL && fcntl(rfd, F_SETFD, 1) == -1) {
Index: krb5-1.16.1/src/kdc/main.c
===================================================================
--- krb5-1.16.1.orig/src/kdc/main.c
+++ krb5-1.16.1/src/kdc/main.c
@@ -873,7 +873,7 @@ write_pid_file(const char *path)
FILE *file;
unsigned long pid;
- file = fopen(path, "w");
+ file = WRITABLEFOPEN(path, "w");
if (file == NULL)
return errno;
pid = (unsigned long) getpid();
Index: krb5-1.16.1/src/lib/kdb/kdb_log.c
===================================================================
--- krb5-1.16.1.orig/src/lib/kdb/kdb_log.c
+++ krb5-1.16.1/src/lib/kdb/kdb_log.c
@@ -484,7 +484,7 @@ ulog_map(krb5_context context, const cha
if (extend_file_to(ulogfd, filesize) < 0)
return errno;
} else {
- ulogfd = open(logname, O_RDWR, 0600);
+ ulogfd = THREEPARAMOPEN(logname, O_RDWR | O_CREAT, 0600);
if (ulogfd == -1)
return errno;
}
Index: krb5-1.16.1/src/slave/kpropd.c
===================================================================
--- krb5-1.16.1.orig/src/slave/kpropd.c
+++ krb5-1.16.1/src/slave/kpropd.c
@@ -488,7 +488,9 @@ doit(int fd)
krb5_enctype etype;
int database_fd;
char host[INET6_ADDRSTRLEN + 1];
-
+#ifdef USE_SELINUX
+ void *selabel;
+#endif
signal_wrapper(SIGALRM, alarm_handler);
alarm(params.iprop_resync_timeout);
fromlen = sizeof(from);
@@ -543,9 +545,15 @@ doit(int fd)
free(name);
exit(1);
}
+#ifdef USE_SELINUX
+ selabel = krb5int_push_fscreatecon_for(file);
+#endif
omask = umask(077);
lock_fd = open(temp_file_name, O_RDWR | O_CREAT, 0600);
(void)umask(omask);
+#ifdef USE_SELINUX
+ krb5int_pop_fscreatecon(selabel);
+#endif
retval = krb5_lock_file(kpropd_context, lock_fd,
KRB5_LOCKMODE_EXCLUSIVE | KRB5_LOCKMODE_DONTBLOCK);
if (retval) {


@ -0,0 +1,44 @@
From ea232e6646a96e0b1dff41b1b1e0b30f95214ebe Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Mon, 14 Jan 2019 13:18:16 +0100
Subject: [PATCH 9/9] krb5-1.9-debuginfo
Import krb5-1.9-debuginfo.patch
We want to keep these y.tab.c files around because the debuginfo points to
them. It would be more elegant at the end to use symbolic links, but that
could mess up people working in the tree on other things.
---
src/kadmin/cli/Makefile.in | 5 +++++
src/plugins/kdb/ldap/ldap_util/Makefile.in | 2 +-
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/kadmin/cli/Makefile.in b/src/kadmin/cli/Makefile.in
index adfea6e2b..d1327e400 100644
--- a/src/kadmin/cli/Makefile.in
+++ b/src/kadmin/cli/Makefile.in
@@ -37,3 +37,8 @@ clean-unix::
# CC_LINK is not meant for compilation and this use may break in the future.
datetest: getdate.c
$(CC_LINK) $(ALL_CFLAGS) -DTEST -o datetest getdate.c
+
+%.c: %.y
+ $(RM) y.tab.c $@
+ $(YACC.y) $<
+ $(CP) y.tab.c $@
diff --git a/src/plugins/kdb/ldap/ldap_util/Makefile.in b/src/plugins/kdb/ldap/ldap_util/Makefile.in
index 8669c2436..a22f23c02 100644
--- a/src/plugins/kdb/ldap/ldap_util/Makefile.in
+++ b/src/plugins/kdb/ldap/ldap_util/Makefile.in
@@ -20,7 +20,7 @@ $(PROG): $(OBJS) $(KADMSRV_DEPLIBS) $(KRB5_BASE_DEPLIB) $(GETDATE)
getdate.c: $(GETDATE)
$(RM) getdate.c y.tab.c
$(YACC) $(GETDATE)
- $(MV) y.tab.c getdate.c
+ $(CP) y.tab.c getdate.c
install:
$(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG)
--
2.20.1


@ -1,12 +0,0 @@
Set the default PATH to the one set by login.
--- krb5/src/clients/ksu/Makefile.in
+++ krb5/src/clients/ksu/Makefile.in
@@ -1,6 +1,6 @@
mydir=clients$(S)ksu
BUILDTOP=$(REL)..$(S)..
-DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"'
+DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/usr/local/sbin /usr/local/bin /sbin /bin /usr/sbin /usr/bin"'
KSU_LIBS=@KSU_LIBS@
PAM_LIBS=@PAM_LIBS@


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:214ffe394e3ad0c730564074ec44f1da119159d94281bbec541dc29168d21117
size 9477480


@ -1,17 +0,0 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1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=9z9K
-----END PGP SIGNATURE-----

3
krb5-1.17.tar.gz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:5a6e2284a53de5702d3dc2be3b9339c963f9b5397d3fbbc53beb249380a781f5
size 8761763

17
krb5-1.17.tar.gz.asc Normal file

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAABAgAGBQJcNMxOAAoJEAy6CFdfg3LfjAwP/2/oQe+4Bs/XwZTwNfakTbBl
YHSY8MNAHIKsLh6Bn+SJBQQXSE0fEsm0hYH+JWz85+mzlZk7TbNZUI+zeikhLxi6
+d8MMQBpk2mQN0dkIeWjTdfkcThGCDSL7l0fh3MuEfN5C7QPAPD1JL1ZeqXPH5AV
PSQRC9s2wiOTwwuHM2i27rZ7gdhL/xfJ3ZPUFJH4klRgszwp9j10I/nh4/XyS/wB
82umjfusFPa9VNSPzm1jm94oRmALkR3CHGvmku2XD3YOv/f5yO8C1cHWNNLxg+5h
EqVv05ddb6iLku4fRhkEjfN3VgCtEvXuMkuAXppkDJJ7wWxMBWgCIr1DS/x7LfbL
CI0ZTejn8HCUBNmRWsKkUuebgHJ7ccch8p/Fp0cV4eT1FL35N2oV51u7+/zK6R8y
1dygUF2VWFOqwm8cyczdFue7dFQVDGCw7R2eK5lXY3NpZVmJblQ/gNLMcbOxGBis
H2dOzSn+CnxlD/2LqOZnhQ1WnGBhOMxoINwX/MQsIvkwAFaM1EsdhPIP/6mSVA/g
p04+YQ2u2ag7Pq3zHsMIonC18w4ZqDPcvXvOXqCHtlQBDAMtb927XvjoTNj5W8Ei
jywxqdWuuqalmrKGPEsKVOJZN6xg7UTgaKzcvQTvW7D3gLbrTT2iM++VKB3vh9V9
SkULnR3c7fKMzFeLb/Q2
=4hZX
-----END PGP SIGNATURE-----


@ -1,13 +0,0 @@
Index: krb5-1.10.2/src/lib/gssapi/generic/disp_com_err_status.c
===================================================================
--- krb5-1.10.2.orig/src/lib/gssapi/generic/disp_com_err_status.c
+++ krb5-1.10.2/src/lib/gssapi/generic/disp_com_err_status.c
@@ -52,7 +52,7 @@ g_display_com_err_status(OM_uint32 *mino
status_string->value = NULL;
if (! g_make_string_buffer(((status_value == 0)?no_error:
- error_message(status_value)),
+ error_message((long)status_value)),
status_string)) {
*minor_status = ENOMEM;
return(GSS_S_FAILURE);


@ -1,27 +0,0 @@
---
src/man/ktutil.man | 12 ++++++++++++
1 file changed, 12 insertions(+)
Index: krb5-1.12.2/src/man/ktutil.man
===================================================================
--- krb5-1.12.2.orig/src/man/ktutil.man 2014-08-30 23:06:53.000000000 +0100
+++ krb5-1.12.2/src/man/ktutil.man 2014-08-30 23:07:00.000000000 +0100
@@ -162,6 +162,18 @@ ktutil:
.UNINDENT
.UNINDENT
.UNINDENT
+.SH REMARKS
+Changes to the keytab are appended to the keytab file (i.e., the keytab file
+is never overwritten). To directly modify a keytab, save the changes to a
+temporary file and then overwrite the keytab file of interest.
+.TP
+.nf
+Example:
+ktutil> rkt /etc/krb5.keytab
+(modifications to keytab)
+ktutil> wkt /tmp/krb5.newtab
+ktutil> q
+# mv /tmp/krb5.newtab /etc/krb5.keytab
.SH SEE ALSO
.sp
\fIkadmin(1)\fP, \fIkdb5_util(8)\fP


@ -1,26 +0,0 @@
We want to keep these y.tab.c files around because the debuginfo points to
them. It would be more elegant at the end to use symbolic links, but that
could mess up people working in the tree on other things.
--- krb5-1.15.orig/src/kadmin/cli/Makefile.in
+++ krb5-1.15/src/kadmin/cli/Makefile.in
@@ -37,3 +37,8 @@
# CC_LINK is not meant for compilation and this use may break in the future.
datetest: getdate.c
$(CC_LINK) $(ALL_CFLAGS) -DTEST -o datetest getdate.c
+
+%.c: %.y
+ $(RM) y.tab.c $@
+ $(YACC.y) $<
+ $(CP) y.tab.c $@
--- krb5-1.15.orig/src/plugins/kdb/ldap/ldap_util/Makefile.in
+++ krb5-1.15/src/plugins/kdb/ldap/ldap_util/Makefile.in
@@ -20,7 +20,7 @@
getdate.c: $(GETDATE)
$(RM) getdate.c y.tab.c
$(YACC) $(GETDATE)
- $(MV) y.tab.c getdate.c
+ $(CP) y.tab.c getdate.c
install:
$(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG)


@ -1,18 +0,0 @@
Change the absolute paths included in the man pages so that the correct
values can be dropped in by config.status. After applying this patch,
these files should be renamed to their ".in" counterparts, and then the
configure scripts should be rebuilt. Originally RT#6525
Index: krb5-1.11/src/man/kpropd.man
===================================================================
--- krb5-1.11.orig/src/man/kpropd.man
+++ krb5-1.11/src/man/kpropd.man
@@ -63,7 +63,7 @@ the \fB/etc/inetd.conf\fP file which loo
.sp
.nf
.ft C
-kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd
+kprop stream tcp nowait root @SBINDIR@/kpropd kpropd
.ft P
.fi
.UNINDENT


@ -1,3 +1,74 @@
-------------------------------------------------------------------
Wed Feb 13 17:45:34 UTC 2019 - Jan Engelhardt <jengelh@inai.de>
- Replace old $RPM_* shell vars
-------------------------------------------------------------------
Mon Jan 14 16:10:06 UTC 2019 - Samuel Cabrero <scabrero@suse.de>
- Upgrade to 1.17. Major changes:
Administrator experience:
* A new Kerberos database module using the Lightning Memory-Mapped
Database library (LMDB) has been added. The LMDB KDB module should
be more performant and more robust than the DB2 module, and may
become the default module for new databases in a future release.
* "kdb5_util dump" will no longer dump policy entries when specific
principal names are requested.
Developer experience:
* The new krb5_get_etype_info() API can be used to retrieve enctype,
salt, and string-to-key parameters from the KDC for a client
principal.
* The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise
principal names to be used with GSS-API functions.
* KDC and kadmind modules which call com_err() will now write to the
log file in a format more consistent with other log messages.
* Programs which use large numbers of memory credential caches should
perform better.
Protocol evolution:
* The SPAKE pre-authentication mechanism is now supported. This
mechanism protects against password dictionary attacks without
requiring any additional infrastructure such as certificates. SPAKE
is enabled by default on clients, but must be manually enabled on
the KDC for this release.
* PKINIT freshness tokens are now supported. Freshness tokens can
protect against scenarios where an attacker uses temporary access to
a smart card to generate authentication requests for the future.
* Password change operations now prefer TCP over UDP, to avoid
spurious error messages about replays when a response packet is
dropped.
* The KDC now supports cross-realm S4U2Self requests when used with a
third-party KDB module such as Samba's. The client code for
cross-realm S4U2Self requests is also now more robust.
User experience:
* The new ktutil addent -f flag can be used to fetch salt information
from the KDC for password-based keys.
* The new kdestroy -p option can be used to destroy a credential cache
within a collection by client principal name.
* The Kerberos man page has been restored, and documents the
environment variables that affect programs using the Kerberos
library.
Code quality:
* Python test scripts now use Python 3.
* Python test scripts now display markers in verbose output, making it
easier to find where a failure occurred within the scripts.
* The Windows build system has been simplified and updated to work
with more recent versions of Visual Studio. A large volume of
unused Windows-specific code has been removed. Visual Studio 2013
or later is now required.
- Use systemd-tmpfiles to create files under /var/lib/kerberos, required
by transactional updates; (bsc#1100126);
- Rename patches:
* krb5-1.12-pam.patch => 0001-krb5-1.12-pam.patch
* krb5-1.9-manpaths.dif => 0002-krb5-1.9-manpaths.patch
* krb5-1.12-buildconf.patch => 0003-krb5-1.12-buildconf.patch
* krb5-1.6.3-gssapi_improve_errormessages.dif to
0004-krb5-1.6.3-gssapi_improve_errormessages.patch
* krb5-1.6.3-ktutil-manpage.dif => 0005-krb5-1.6.3-ktutil-manpage.patch
* krb5-1.12-api.patch => 0006-krb5-1.12-api.patch
* krb5-1.12-ksu-path.patch => 0007-krb5-1.12-ksu-path.patch
* krb5-1.12-selinux-label.patch => 0008-krb5-1.12-selinux-label.patch
* krb5-1.9-debuginfo.patch => 0009-krb5-1.9-debuginfo.patch
-------------------------------------------------------------------
Tue Oct 9 20:13:24 UTC 2018 - James McDonough <jmcdonough@suse.com>
@ -1797,4 +1868,3 @@ Wed Nov 3 18:52:07 CET 2004 - mc@suse.de
Thu Oct 28 17:58:41 CEST 2004 - mc@suse.de
- Initital checkin


@ -1,7 +1,7 @@
#
# spec file for package krb5-mini
#
# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -21,26 +21,26 @@
%define _fillupdir /var/adm/fillup-templates
%endif
%define srcRoot krb5-1.16.1
%define srcRoot krb5-%{version}
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
%define krb5docdir %{_defaultdocdir}/krb5
Name: krb5-mini
Url: https://web.mit.edu/kerberos/www/
Version: 1.17
Release: 0
Summary: MIT Kerberos5 implementation and libraries with minimal dependencies
License: MIT
Group: Productivity/Networking/Security
URL: https://web.mit.edu/kerberos/www/
Obsoletes: krb5-plugin-preauth-pkinit-nss
BuildRequires: autoconf
BuildRequires: bison
BuildRequires: keyutils
BuildRequires: keyutils-devel
BuildRequires: libcom_err-devel
BuildRequires: libselinux-devel
BuildRequires: ncurses-devel
Version: 1.16.1
Release: 0
Summary: MIT Kerberos5 implementation and libraries with minimal dependencies
License: MIT
Group: Productivity/Networking/Security
Obsoletes: krb5-plugin-preauth-pkinit-nss
BuildRequires: libverto-devel
BuildRequires: ncurses-devel
# bug437293
%ifarch ppc64
Obsoletes: krb5-64bit
@ -52,21 +52,22 @@ Conflicts: krb5-server
Conflicts: krb5-plugin-kdb-ldap
Conflicts: krb5-plugin-preauth-pkinit
Conflicts: krb5-plugin-preauth-otp
Source0: https://web.mit.edu/kerberos/dist/krb5/1.16/krb5-%{version}.tar.gz
Source1: https://web.mit.edu/kerberos/dist/krb5/1.16/krb5-%{version}.tar.gz.asc
Source0: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}.tar.gz
Source1: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}.tar.gz.asc
Source2: krb5.keyring
Source3: vendor-files.tar.bz2
Source4: baselibs.conf
Source5: krb5-rpmlintrc
Patch1: krb5-1.12-pam.patch
Patch2: krb5-1.9-manpaths.dif
Patch3: krb5-1.12-buildconf.patch
Patch4: krb5-1.6.3-gssapi_improve_errormessages.dif
Patch6: krb5-1.6.3-ktutil-manpage.dif
Patch8: krb5-1.12-api.patch
Patch11: krb5-1.12-ksu-path.patch
Patch12: krb5-1.12-selinux-label.patch
Patch13: krb5-1.9-debuginfo.patch
Source6: krb5.tmpfiles
Patch1: 0001-krb5-1.12-pam.patch
Patch2: 0002-krb5-1.9-manpaths.patch
Patch3: 0003-krb5-1.12-buildconf.patch
Patch4: 0004-krb5-1.6.3-gssapi_improve_errormessages.patch
Patch5: 0005-krb5-1.6.3-ktutil-manpage.patch
Patch6: 0006-krb5-1.12-api.patch
Patch7: 0007-krb5-1.12-ksu-path.patch
Patch8: 0008-krb5-1.12-selinux-label.patch
Patch9: 0009-krb5-1.9-debuginfo.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: %fillup_prereq
@ -104,11 +105,11 @@ Include Files for Development
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch9 -p1
%build
# needs to be re-generated
@ -118,7 +119,7 @@ autoreconf -fi
DEFCCNAME=DIR:/run/user/%%{uid}/krb5cc; export DEFCCNAME
./configure \
CC="%{__cc}" \
CFLAGS="$RPM_OPT_FLAGS -I%{_includedir}/et -fno-strict-aliasing -D_GNU_SOURCE -fPIC $(getconf LFS_CFLAGS)" \
CFLAGS="%{optflags} -I%{_includedir}/et -fno-strict-aliasing -D_GNU_SOURCE -fPIC $(getconf LFS_CFLAGS)" \
CPPFLAGS="-I%{_includedir}/et " \
SS_LIB="-lss" \
--prefix=/usr/lib/mit \
@ -147,25 +148,19 @@ make %{?_smp_mflags}
cp man/kadmin.man man/kadmin.local.8
%install
# Where per-user keytabs live by default.
mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/lib/kerberos/krb5/user
mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/log/krb5
cd src
make DESTDIR=%{buildroot} install
cd ..
mkdir -p %{buildroot}/%{_localstatedir}/log/krb5
%make_install -C src
# Munge krb5-config yet again. This is totally wrong for 64-bit, but chunks
# of the buildconf patch already conspire to strip out /usr/<anything> from the
# list of link flags, and it helps prevent file conflicts on multilib systems.
sed -r -i -e 's|^libdir=/usr/lib(64)?$|libdir=/usr/lib|g' $RPM_BUILD_ROOT/usr/lib/mit/bin/krb5-config
sed -r -i -e 's|^libdir=/usr/lib(64)?$|libdir=/usr/lib|g' %{buildroot}/usr/lib/mit/bin/krb5-config
# install autoconf macro
mkdir -p %{buildroot}/%{_datadir}/aclocal
install -m 644 src/util/ac_check_krb5.m4 %{buildroot}%{_datadir}/aclocal/
# install sample config files
# I'll probably do something about this later on
mkdir -p %{buildroot}%{_sysconfdir} %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc
mkdir -p %{buildroot}%{_sysconfdir}
mkdir -p %{buildroot}%{_sysconfdir}/krb5.conf.d
mkdir -p %{buildroot}/etc/profile.d/
mkdir -p %{buildroot}/var/log/krb5
@ -176,13 +171,22 @@ mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/preauth
mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/libkrb5
mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/tls
install -m 644 %{vendorFiles}/krb5.conf %{buildroot}%{_sysconfdir}
install -m 600 %{vendorFiles}/kdc.conf %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc/
install -m 600 %{vendorFiles}/kadm5.acl %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc/
install -m 600 %{vendorFiles}/kadm5.dict %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc/
install -m 644 %{vendorFiles}/krb5.csh.profile %{buildroot}/etc/profile.d/krb5.csh
install -m 644 %{vendorFiles}/krb5.sh.profile %{buildroot}/etc/profile.d/krb5.sh
install -m 644 %{vendorFiles}/SuSEFirewall.kdc %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/kdc
install -m 644 %{vendorFiles}/SuSEFirewall.kadmind %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/kadmind
# Do not write directly to /var/lib/kerberos anymore as it breaks transactional
# updates. Use systemd-tmpfiles to copy the files there when it doesn't exist
install -d -m 0755 %{buildroot}/usr/lib/tmpfiles.d/
install -m 644 %{SOURCE6} %{buildroot}/usr/lib/tmpfiles.d/krb5.conf
mkdir -p %{buildroot}/%{_datadir}/kerberos/krb5kdc
# Where per-user keytabs live by default.
mkdir -p %{buildroot}/%{_datadir}/kerberos/krb5/user
install -m 600 %{vendorFiles}/kdc.conf %{buildroot}%{_datadir}/kerberos/krb5kdc/
install -m 600 %{vendorFiles}/kadm5.acl %{buildroot}%{_datadir}/kerberos/krb5kdc/
install -m 600 %{vendorFiles}/kadm5.dict %{buildroot}%{_datadir}/kerberos/krb5kdc/
# all libs must have permissions 0755
for lib in `find %{buildroot}/%{_libdir}/ -type f -name "*.so*"`
do
@ -204,9 +208,9 @@ install -m 755 %{vendorFiles}/krb5kdc.init %{buildroot}%{_sysconfdir}/init.d/krb
install -m 755 %{vendorFiles}/kpropd.init %{buildroot}%{_sysconfdir}/init.d/kpropd
%endif
# install sysconfig templates
mkdir -p $RPM_BUILD_ROOT/%{_fillupdir}
install -m 644 %{vendorFiles}/sysconfig.kadmind $RPM_BUILD_ROOT/%{_fillupdir}/
install -m 644 %{vendorFiles}/sysconfig.krb5kdc $RPM_BUILD_ROOT/%{_fillupdir}/
mkdir -p %{buildroot}/%{_fillupdir}
install -m 644 %{vendorFiles}/sysconfig.kadmind %{buildroot}/%{_fillupdir}/
install -m 644 %{vendorFiles}/sysconfig.krb5kdc %{buildroot}/%{_fillupdir}/
# install logrotate files
mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d
install -m 644 %{vendorFiles}/krb5-server.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/krb5-server
@ -239,10 +243,10 @@ install -m 644 %{_builddir}/%{srcRoot}/README %{buildroot}/%{krb5docdir}/README
rm -f %{buildroot}/usr/share/man/man1/tmac.doc*
rm -f /usr/share/man/man1/tmac.doc*
rm -rf %{buildroot}/usr/lib/mit/share/examples
# manually remove otp plugin for krb5-mini since configure
# manually remove otp, spake and test plugin for krb5-mini since configure
# doesn't support disabling it at build time
rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/otp.so
# manually remove test plugin since configure doesn't support disabling it at build time
rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/spake.so
rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so
%find_lang mit-krb5
@ -261,6 +265,7 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so
%post
/sbin/ldconfig
%service_add_post krb5kdc.service kadmind.service kpropd.service
%tmpfiles_create krb5.conf
%{fillup_only -n kadmind}
%{fillup_only -n krb5kdc}
%{fillup_only -n kpropd}
@ -313,10 +318,6 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so
%dir %{_libdir}/krb5/plugins/preauth
%dir %{_libdir}/krb5/plugins/libkrb5
%dir %{_libdir}/krb5/plugins/tls
%dir %{_localstatedir}/lib/kerberos/
%dir %{_localstatedir}/lib/kerberos/krb5kdc
%dir %{_localstatedir}/lib/kerberos/krb5
%dir %{_localstatedir}/lib/kerberos/krb5/user
%attr(0700,root,root) %dir /var/log/krb5
%dir /usr/lib/mit
%dir /usr/lib/mit/sbin
@ -326,9 +327,6 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so
%dir %{_sysconfdir}/krb5.conf.d
%attr(0644,root,root) %config /etc/profile.d/krb5*
%config(noreplace) %{_sysconfdir}/logrotate.d/krb5-server
%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kdc.conf
%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.acl
%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.dict
%config %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/k*
%{_fillupdir}/sysconfig.*
%{_unitdir}/kadmind.service
@ -345,6 +343,21 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so
%{_libdir}/libkrad.so.*
%{_libdir}/krb5/plugins/kdb/*
%{_libdir}/krb5/plugins/tls/*
%{_libexecdir}/tmpfiles.d/krb5.conf
%dir %{_datadir}/kerberos/
%dir %{_datadir}/kerberos/krb5kdc
%dir %{_datadir}/kerberos/krb5
%dir %{_datadir}/kerberos/krb5/user
%attr(0600,root,root) %config(noreplace) %{_datadir}/kerberos/krb5kdc/kdc.conf
%attr(0600,root,root) %config(noreplace) %{_datadir}/kerberos/krb5kdc/kadm5.acl
%attr(0600,root,root) %config(noreplace) %{_datadir}/kerberos/krb5kdc/kadm5.dict
%ghost %dir %{_sharedstatedir}/kerberos/
%ghost %dir %{_sharedstatedir}/kerberos/krb5kdc
%ghost %dir %{_sharedstatedir}/kerberos/krb5
%ghost %dir %{_sharedstatedir}/kerberos/krb5/user
%ghost %attr(0600,root,root) %config(noreplace) %{_sharedstatedir}/kerberos/krb5kdc/kdc.conf
%ghost %attr(0600,root,root) %config(noreplace) %{_sharedstatedir}/kerberos/krb5kdc/kadm5.acl
%ghost %attr(0600,root,root) %config(noreplace) %{_sharedstatedir}/kerberos/krb5kdc/kadm5.dict
/usr/lib/mit/sbin/kadmin.local
/usr/lib/mit/sbin/kadmind
/usr/lib/mit/sbin/kpropd
@ -387,6 +400,7 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so
%{_mandir}/man5/*
%{_mandir}/man5/.k5login.5.gz
%{_mandir}/man5/.k5identity.5*
%{_mandir}/man7/kerberos.7.gz
%{_mandir}/man8/*
%changelog
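Review bot: The tmpfiles unit is installed under a literal `/usr/lib/tmpfiles.d/` in %install but listed as `%{_libexecdir}/tmpfiles.d/krb5.conf` in %files; the two only agree while `%{_libexecdir}` expands to `/usr/lib`, so both places should use the systemd macro: `install -d -m 0755 %{buildroot}%{_tmpfilesdir}`, `install -m 644 %{SOURCE6} %{buildroot}%{_tmpfilesdir}/krb5.conf` and `%{_tmpfilesdir}/krb5.conf`. The `%ghost` entries for kdc.conf, kadm5.acl and kadm5.dict under `%{_sharedstatedir}/kerberos/krb5kdc` carry `%attr(0600,root,root)`, but rpm does not create ghost files, so the real on-disk mode of these files — kadm5.acl in particular decides who may administer the realm — comes from the copy lines in Source6 (krb5.tmpfiles), which is not in this view; confirm it sets 0600 root:root explicitly rather than inheriting a default. `%config(noreplace)` on those same ghost lines presumably has no effect either, since there is no payload file for rpm to preserve against. Unrelated to this change but adjacent to it, `rm -f /usr/share/man/man1/tmac.doc*` in %install deletes from the build host rather than from `%{buildroot}` and looks like a leftover of the line above it.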


@ -1,6 +1,8 @@
addFilter("devel-file-in-non-devel-package .*libgssapi_krb5.so")
addFilter("hidden-file-or-dir .*/usr/share/man/man5/.k5login.5.gz")
addFilter("hidden-file-or-dir .*/usr/share/man/man5/.k5identity.5.gz")
addFilter("files-duplicate .*css")
addFilter("files-duplicate .*img.*png")
addFilter("devel-file-in-non-devel-package .*libkdb_ldap.so")
addFilter("shlib-policy-missing-suffix")
addFilter("non-etc-or-var-file-marked-as-conffile")
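Review bot: `addFilter("non-etc-or-var-file-marked-as-conffile")` silences that warning for every file in the package, not just the three kdc files the spec now ships as `%config(noreplace)` under `%{_datadir}/kerberos/krb5kdc`, so a future stray `%config` on some other `/usr` path would go unnoticed. addFilter takes a regex, as the existing entries in this file already rely on, so scope it to what is intentional: `addFilter("non-etc-or-var-file-marked-as-conffile .*/share/kerberos/krb5kdc/.*")`. Which two of the eight lines are the additions is not marked in this rendering; I assume the last two.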


@ -1,3 +1,74 @@
-------------------------------------------------------------------
Wed Feb 13 17:45:34 UTC 2019 - Jan Engelhardt <jengelh@inai.de>
- Replace old $RPM_* shell vars
-------------------------------------------------------------------
Mon Jan 14 16:10:06 UTC 2019 - Samuel Cabrero <scabrero@suse.de>
- Upgrade to 1.17. Major changes:
Administrator experience:
* A new Kerberos database module using the Lightning Memory-Mapped
Database library (LMDB) has been added. The LMDB KDB module should
be more performant and more robust than the DB2 module, and may
become the default module for new databases in a future release.
* "kdb5_util dump" will no longer dump policy entries when specific
principal names are requested.
Developer experience:
* The new krb5_get_etype_info() API can be used to retrieve enctype,
salt, and string-to-key parameters from the KDC for a client
principal.
* The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise
principal names to be used with GSS-API functions.
* KDC and kadmind modules which call com_err() will now write to the
log file in a format more consistent with other log messages.
* Programs which use large numbers of memory credential caches should
perform better.
Protocol evolution:
* The SPAKE pre-authentication mechanism is now supported. This
mechanism protects against password dictionary attacks without
requiring any additional infrastructure such as certificates. SPAKE
is enabled by default on clients, but must be manually enabled on
the KDC for this release.
* PKINIT freshness tokens are now supported. Freshness tokens can
protect against scenarios where an attacker uses temporary access to
a smart card to generate authentication requests for the future.
* Password change operations now prefer TCP over UDP, to avoid
spurious error messages about replays when a response packet is
dropped.
* The KDC now supports cross-realm S4U2Self requests when used with a
third-party KDB module such as Samba's. The client code for
cross-realm S4U2Self requests is also now more robust.
User experience:
* The new ktutil addent -f flag can be used to fetch salt information
from the KDC for password-based keys.
* The new kdestroy -p option can be used to destroy a credential cache
within a collection by client principal name.
* The Kerberos man page has been restored, and documents the
environment variables that affect programs using the Kerberos
library.
Code quality:
* Python test scripts now use Python 3.
* Python test scripts now display markers in verbose output, making it
easier to find where a failure occurred within the scripts.
* The Windows build system has been simplified and updated to work
with more recent versions of Visual Studio. A large volume of
unused Windows-specific code has been removed. Visual Studio 2013
or later is now required.
- Use systemd-tmpfiles to create files under /var/lib/kerberos, required
by transactional updates; (bsc#1100126);
- Rename patches:
* krb5-1.12-pam.patch => 0001-krb5-1.12-pam.patch
* krb5-1.9-manpaths.dif => 0002-krb5-1.9-manpaths.patch
* krb5-1.12-buildconf.patch => 0003-krb5-1.12-buildconf.patch
* krb5-1.6.3-gssapi_improve_errormessages.dif to
0004-krb5-1.6.3-gssapi_improve_errormessages.patch
* krb5-1.6.3-ktutil-manpage.dif => 0005-krb5-1.6.3-ktutil-manpage.patch
* krb5-1.12-api.patch => 0006-krb5-1.12-api.patch
* krb5-1.12-ksu-path.patch => 0007-krb5-1.12-ksu-path.patch
* krb5-1.12-selinux-label.patch => 0008-krb5-1.12-selinux-label.patch
* krb5-1.9-debuginfo.patch => 0009-krb5-1.9-debuginfo.patch
-------------------------------------------------------------------
Tue Oct 9 20:00:21 UTC 2018 - James McDonough <jmcdonough@suse.com>
@ -1860,4 +1931,3 @@ Wed Nov 3 18:52:07 CET 2004 - mc@suse.de
Thu Oct 28 17:58:41 CEST 2004 - mc@suse.de
- Initital checkin

130
krb5.spec

@ -1,7 +1,7 @@
#
# spec file for package krb5
#
# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -22,22 +22,22 @@
%endif
Name: krb5
Url: https://web.mit.edu/kerberos/www/
Version: 1.17
Release: 0
Summary: MIT Kerberos5 implementation
License: MIT
Group: Productivity/Networking/Security
URL: https://web.mit.edu/kerberos/www/
Obsoletes: krb5-plugin-preauth-pkinit-nss
BuildRequires: autoconf
BuildRequires: bison
BuildRequires: keyutils
BuildRequires: keyutils-devel
BuildRequires: libcom_err-devel
BuildRequires: libselinux-devel
BuildRequires: ncurses-devel
Version: 1.16.1
Release: 0
Summary: MIT Kerberos5 implementation
License: MIT
Group: Productivity/Networking/Security
Obsoletes: krb5-plugin-preauth-pkinit-nss
BuildRequires: libopenssl-devel
BuildRequires: libselinux-devel
BuildRequires: libverto-devel
BuildRequires: ncurses-devel
BuildRequires: openldap2-devel
BuildRequires: pam-devel
BuildRequires: pkgconfig(systemd)
@ -46,22 +46,23 @@ BuildRequires: pkgconfig(systemd)
Obsoletes: krb5-64bit
%endif
Conflicts: krb5-mini
Source0: https://web.mit.edu/kerberos/dist/krb5/1.16/krb5-%{version}.tar.gz
Source1: https://web.mit.edu/kerberos/dist/krb5/1.16/krb5-%{version}.tar.gz.asc
Source0: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}.tar.gz
Source1: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}.tar.gz.asc
Source2: krb5.keyring
Source3: vendor-files.tar.bz2
Source4: baselibs.conf
Source5: krb5-rpmlintrc
Source6: ksu-pam.d
Patch1: krb5-1.12-pam.patch
Patch2: krb5-1.9-manpaths.dif
Patch3: krb5-1.12-buildconf.patch
Patch4: krb5-1.6.3-gssapi_improve_errormessages.dif
Patch6: krb5-1.6.3-ktutil-manpage.dif
Patch8: krb5-1.12-api.patch
Patch11: krb5-1.12-ksu-path.patch
Patch12: krb5-1.12-selinux-label.patch
Patch13: krb5-1.9-debuginfo.patch
Source7: krb5.tmpfiles
Patch1: 0001-krb5-1.12-pam.patch
Patch2: 0002-krb5-1.9-manpaths.patch
Patch3: 0003-krb5-1.12-buildconf.patch
Patch4: 0004-krb5-1.6.3-gssapi_improve_errormessages.patch
Patch5: 0005-krb5-1.6.3-ktutil-manpage.patch
Patch6: 0006-krb5-1.12-api.patch
Patch7: 0007-krb5-1.12-ksu-path.patch
Patch8: 0008-krb5-1.12-selinux-label.patch
Patch9: 0009-krb5-1.9-debuginfo.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
@ -129,6 +130,15 @@ Kerberos V5 is a trusted-third-party network authentication system,
which can improve network security by eliminating the insecure
practice of cleartext passwords. This package includes a OTP plugin.
%package plugin-preauth-spake
Summary: SPAKE preauthentication plugin for MIT Kerberos5
Group: Productivity/Networking/Security
%description plugin-preauth-spake
Kerberos V5 is a trusted-third-party network authentication system,
which can improve network security by eliminating the insecure
practice of cleartext passwords. This package includes a SPAKE plugin.
%package doc
Summary: Documentation for the MIT Kerberos5 implementation
Group: Documentation/Other
@ -169,11 +179,11 @@ Include Files for Development
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch9 -p1
%build
# needs to be re-generated
@ -183,7 +193,7 @@ autoreconf -fi
DEFCCNAME=DIR:/run/user/%%{uid}/krb5cc; export DEFCCNAME
./configure \
CC="%{__cc}" \
CFLAGS="$RPM_OPT_FLAGS -I%{_includedir}/et -fno-strict-aliasing -D_GNU_SOURCE -fPIC $(getconf LFS_CFLAGS)" \
CFLAGS="%{optflags} -I%{_includedir}/et -fno-strict-aliasing -D_GNU_SOURCE -fPIC $(getconf LFS_CFLAGS)" \
CPPFLAGS="-I%{_includedir}/et " \
SS_LIB="-lss" \
--prefix=/usr/lib/mit \
@ -202,7 +212,7 @@ DEFCCNAME=DIR:/run/user/%%{uid}/krb5cc; export DEFCCNAME
--with-ldap \
--with-pam \
--enable-pkinit \
--with-pkinit-crypto-impl=openssl \
--with-crypto-impl=openssl \
--with-selinux \
--with-system-et \
--with-system-ss \
@ -214,25 +224,19 @@ make %{?_smp_mflags}
cp man/kadmin.man man/kadmin.local.8
%install
# Where per-user keytabs live by default.
mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/lib/kerberos/krb5/user
mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/log/krb5
cd src
make DESTDIR=%{buildroot} install
cd ..
mkdir -p %{buildroot}/%{_localstatedir}/log/krb5
%make_install -C src
# Munge krb5-config yet again. This is totally wrong for 64-bit, but chunks
# of the buildconf patch already conspire to strip out /usr/<anything> from the
# list of link flags, and it helps prevent file conflicts on multilib systems.
sed -r -i -e 's|^libdir=/usr/lib(64)?$|libdir=/usr/lib|g' $RPM_BUILD_ROOT/usr/lib/mit/bin/krb5-config
sed -r -i -e 's|^libdir=/usr/lib(64)?$|libdir=/usr/lib|g' %{buildroot}/usr/lib/mit/bin/krb5-config
# install autoconf macro
mkdir -p %{buildroot}/%{_datadir}/aclocal
install -m 644 src/util/ac_check_krb5.m4 %{buildroot}%{_datadir}/aclocal/
# install sample config files
# I'll probably do something about this later on
mkdir -p %{buildroot}%{_sysconfdir} %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc
mkdir -p %{buildroot}%{_sysconfdir}
mkdir -p %{buildroot}%{_sysconfdir}/krb5.conf.d
mkdir -p %{buildroot}/etc/profile.d/
mkdir -p %{buildroot}/var/log/krb5
@ -243,13 +247,22 @@ mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/preauth
mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/libkrb5
mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/tls
install -m 644 %{vendorFiles}/krb5.conf %{buildroot}%{_sysconfdir}
install -m 600 %{vendorFiles}/kdc.conf %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc/
install -m 600 %{vendorFiles}/kadm5.acl %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc/
install -m 600 %{vendorFiles}/kadm5.dict %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc/
install -m 644 %{vendorFiles}/krb5.csh.profile %{buildroot}/etc/profile.d/krb5.csh
install -m 644 %{vendorFiles}/krb5.sh.profile %{buildroot}/etc/profile.d/krb5.sh
install -m 644 %{vendorFiles}/SuSEFirewall.kdc %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/kdc
install -m 644 %{vendorFiles}/SuSEFirewall.kadmind %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/kadmind
# Do not write directly to /var/lib/kerberos anymore as it breaks transactional
# updates. Use systemd-tmpfiles to copy the files there when it doesn't exist
install -d -m 0755 %{buildroot}/usr/lib/tmpfiles.d/
install -m 644 %{SOURCE7} %{buildroot}/usr/lib/tmpfiles.d/krb5.conf
mkdir -p %{buildroot}/%{_datadir}/kerberos/krb5kdc
# Where per-user keytabs live by default.
mkdir -p %{buildroot}/%{_datadir}/kerberos/krb5/user
install -m 600 %{vendorFiles}/kdc.conf %{buildroot}%{_datadir}/kerberos/krb5kdc/
install -m 600 %{vendorFiles}/kadm5.acl %{buildroot}%{_datadir}/kerberos/krb5kdc/
install -m 600 %{vendorFiles}/kadm5.dict %{buildroot}%{_datadir}/kerberos/krb5kdc/
# all libs must have permissions 0755
for lib in `find %{buildroot}/%{_libdir}/ -type f -name "*.so*"`
do
@ -271,13 +284,13 @@ install -m 755 %{vendorFiles}/krb5kdc.init %{buildroot}%{_sysconfdir}/init.d/krb
install -m 755 %{vendorFiles}/kpropd.init %{buildroot}%{_sysconfdir}/init.d/kpropd
%endif
# install sysconfig templates
mkdir -p $RPM_BUILD_ROOT/%{_fillupdir}
install -m 644 %{vendorFiles}/sysconfig.kadmind $RPM_BUILD_ROOT/%{_fillupdir}/
install -m 644 %{vendorFiles}/sysconfig.krb5kdc $RPM_BUILD_ROOT/%{_fillupdir}/
mkdir -p %{buildroot}/%{_fillupdir}
install -m 644 %{vendorFiles}/sysconfig.kadmind %{buildroot}/%{_fillupdir}/
install -m 644 %{vendorFiles}/sysconfig.krb5kdc %{buildroot}/%{_fillupdir}/
# install logrotate files
mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d
install -m 644 %{vendorFiles}/krb5-server.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/krb5-server
find . -type f -name '*.ps' -exec gzip -9 {} \;
find . -type f -name '*.ps' -exec gzip -9 {} +
# create rc* links
mkdir -p %{buildroot}/usr/bin/
mkdir -p %{buildroot}/usr/sbin/
@ -329,6 +342,7 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so
%post server
%service_add_post krb5kdc.service kadmind.service kpropd.service
%tmpfiles_create krb5.conf
%{fillup_only -n kadmind}
%{fillup_only -n krb5kdc}
%{fillup_only -n kpropd}
@ -406,6 +420,7 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so
%{_unitdir}/kadmind.service
%{_unitdir}/krb5kdc.service
%{_unitdir}/kpropd.service
%{_libexecdir}/tmpfiles.d/krb5.conf
%else
%{_sysconfdir}/init.d/kadmind
%{_sysconfdir}/init.d/krb5kdc
@ -414,17 +429,24 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so
%dir %{krb5docdir}
%dir /usr/lib/mit
%dir /usr/lib/mit/sbin
%dir %{_localstatedir}/lib/kerberos/
%dir %{_localstatedir}/lib/kerberos/krb5kdc
%dir %{_localstatedir}/lib/kerberos/krb5
%dir %{_localstatedir}/lib/kerberos/krb5/user
%dir %{_datadir}/kerberos/
%dir %{_datadir}/kerberos/krb5kdc
%dir %{_datadir}/kerberos/krb5
%dir %{_datadir}/kerberos/krb5/user
%dir %{_libdir}/krb5
%dir %{_libdir}/krb5/plugins
%dir %{_libdir}/krb5/plugins/kdb
%dir %{_libdir}/krb5/plugins/tls
%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kdc.conf
%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.acl
%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.dict
%attr(0600,root,root) %config(noreplace) %{_datadir}/kerberos/krb5kdc/kdc.conf
%attr(0600,root,root) %config(noreplace) %{_datadir}/kerberos/krb5kdc/kadm5.acl
%attr(0600,root,root) %config(noreplace) %{_datadir}/kerberos/krb5kdc/kadm5.dict
%ghost %dir %{_sharedstatedir}/kerberos/
%ghost %dir %{_sharedstatedir}/kerberos/krb5kdc
%ghost %dir %{_sharedstatedir}/kerberos/krb5
%ghost %dir %{_sharedstatedir}/kerberos/krb5/user
%ghost %attr(0600,root,root) %config(noreplace) %{_sharedstatedir}/kerberos/krb5kdc/kdc.conf
%ghost %attr(0600,root,root) %config(noreplace) %{_sharedstatedir}/kerberos/krb5kdc/kadm5.acl
%ghost %attr(0600,root,root) %config(noreplace) %{_sharedstatedir}/kerberos/krb5kdc/kadm5.dict
%config %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/k*
%{_fillupdir}/sysconfig.*
/usr/sbin/rc*
@ -489,6 +511,7 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so
%{_mandir}/man5/k5login.5*
%{_mandir}/man1/ksu.1.gz
%{_mandir}/man1/sclient.1.gz
%{_mandir}/man7/kerberos.7.gz
%files plugin-kdb-ldap
%defattr(-,root,root)
@ -518,4 +541,11 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so
%dir %{_libdir}/krb5/plugins/preauth
%{_libdir}/krb5/plugins/preauth/otp.so
%files plugin-preauth-spake
%defattr(-,root,root)
%dir %{_libdir}/krb5
%dir %{_libdir}/krb5/plugins
%dir %{_libdir}/krb5/plugins/preauth
%{_libdir}/krb5/plugins/preauth/spake.so
%changelog
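Review bot: The tmpfiles snippet is installed under a literal `/usr/lib/tmpfiles.d/` path in `%install` but listed as `%{_libexecdir}/tmpfiles.d/krb5.conf` in `%files server`, so the package only builds while `%{_libexecdir}` happens to expand to `/usr/lib`; using the systemd macro in both places, `install -m 644 %{SOURCE7} %{buildroot}%{_tmpfilesdir}/krb5.conf` and `%{_tmpfilesdir}/krb5.conf`, removes that coupling (the first file section in this view carries the same `%{_libexecdir}/tmpfiles.d` line). Marking the templates under `%{_datadir}/kerberos/krb5kdc` as `%config(noreplace)` looks inverted: they are now package-owned defaults that the tmpfiles `C` lines copy to `/var/lib` only when the destination is missing, so the admin-edited copy is already protected, and `noreplace` on the `/usr/share` copy would leave a stale template plus a `.rpmnew` file after upgrades; dropping `%config(noreplace)` there while keeping `%attr(0600,root,root)` would also make the `non-etc-or-var-file-marked-as-conffile` rpmlint filter added in this commit unnecessary. Whether the old `Url:` line and the new `URL:` line both survive in the preamble cannot be told from the rendered hunk; if they do, the `Url:` duplicate should be dropped.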

7
krb5.tmpfiles Normal file

@ -0,0 +1,7 @@
d /var/lib/kerberos 0755 root root -
d /var/lib/kerberos/krb5 0755 root root -
d /var/lib/kerberos/krb5/user 0755 root root -
d /var/lib/kerberos/krb5kdc 0755 root root -
C /var/lib/kerberos/krb5kdc/kdc.conf 0600 root root - /usr/share/kerberos/krb5kdc/kdc.conf
C /var/lib/kerberos/krb5kdc/kadm5.acl 0600 root root - /usr/share/kerberos/krb5kdc/kadm5.acl
C /var/lib/kerberos/krb5kdc/kadm5.dict 0600 root root - /usr/share/kerberos/krb5kdc/kadm5.dict
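Review bot: `/var/lib/kerberos/krb5kdc` is created 0755 although it is the directory that will hold the KDC principal database and stash file, which are protected only by their own 0600 modes; tightening the directory itself, `d /var/lib/kerberos/krb5kdc 0700 root root -`, adds a second layer and stops unprivileged users from enumerating the database files (the previous spec-created directory had the same 0755 default, so this is a pre-existing exposure rather than a regression). The file also deserves a comment stating the copy-once contract, since `C` only copies when the destination is absent and package upgrades therefore never refresh the live `/var/lib` copies: `# C copies the packaged defaults from /usr/share only when the target is missing; existing admin-edited files are never overwritten`. Whether the 0600 on the `C` lines is applied by the deployed systemd version or merely inherited from the 0600 sources should be confirmed on the target release.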