Accepting request 674895 from network
OBS-URL: https://build.opensuse.org/request/show/674895 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=138
commit
9cfbbfdef3
@ -1,3 +1,10 @@
|
||||
From 333d843912825435da5c3e62807efb6753946be1 Mon Sep 17 00:00:00 2001
|
||||
From: Samuel Cabrero <scabrero@suse.de>
|
||||
Date: Mon, 14 Jan 2019 13:05:56 +0100
|
||||
Subject: [PATCH 1/9] krb5-1.12-pam
|
||||
|
||||
Import krb5-1.12-pam.patch
|
||||
|
||||
Modify ksu so that it performs account and session management on behalf of
|
||||
the target user account, mimicking the action of regular su. The default
|
||||
service name is "ksu", because on Fedora at least the configuration used
|
||||
@ -10,10 +17,22 @@ When enabled, ksu gains a dependency on libpam.
|
||||
|
||||
Originally RT#5939, though it's changed since then to perform the account
|
||||
and session management before dropping privileges.
|
||||
---
|
||||
src/aclocal.m4 | 67 +++++++
|
||||
src/clients/ksu/Makefile.in | 8 +-
|
||||
src/clients/ksu/main.c | 94 ++++++++-
|
||||
src/clients/ksu/pam.c | 389 ++++++++++++++++++++++++++++++++++++
|
||||
src/clients/ksu/pam.h | 57 ++++++
|
||||
src/configure.in | 2 +
|
||||
6 files changed, 614 insertions(+), 3 deletions(-)
|
||||
create mode 100644 src/clients/ksu/pam.c
|
||||
create mode 100644 src/clients/ksu/pam.h
|
||||
|
||||
--- krb5-1.13.orig/src/aclocal.m4
|
||||
+++ krb5-1.13/src/aclocal.m4
|
||||
@@ -1671,3 +1671,70 @@ AC_DEFUN(KRB5_AC_PERSISTENT_KEYRING,[
|
||||
diff --git a/src/aclocal.m4 b/src/aclocal.m4
|
||||
index 3752d9bd5..340546d80 100644
|
||||
--- a/src/aclocal.m4
|
||||
+++ b/src/aclocal.m4
|
||||
@@ -1697,3 +1697,70 @@ AC_DEFUN(KRB5_AC_PERSISTENT_KEYRING,[
|
||||
]))
|
||||
])dnl
|
||||
dnl
|
||||
@ -84,8 +103,48 @@ and session management before dropping privileges.
|
||||
+AC_SUBST(PAM_MAN)
|
||||
+AC_SUBST(NON_PAM_MAN)
|
||||
+])dnl
|
||||
--- krb5-1.13.orig/src/clients/ksu/main.c
|
||||
+++ krb5-1.13/src/clients/ksu/main.c
|
||||
diff --git a/src/clients/ksu/Makefile.in b/src/clients/ksu/Makefile.in
|
||||
index b2fcbf240..5755bb58a 100644
|
||||
--- a/src/clients/ksu/Makefile.in
|
||||
+++ b/src/clients/ksu/Makefile.in
|
||||
@@ -3,12 +3,14 @@ BUILDTOP=$(REL)..$(S)..
|
||||
DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"'
|
||||
|
||||
KSU_LIBS=@KSU_LIBS@
|
||||
+PAM_LIBS=@PAM_LIBS@
|
||||
|
||||
SRCS = \
|
||||
$(srcdir)/krb_auth_su.c \
|
||||
$(srcdir)/ccache.c \
|
||||
$(srcdir)/authorization.c \
|
||||
$(srcdir)/main.c \
|
||||
+ $(srcdir)/pam.c \
|
||||
$(srcdir)/heuristic.c \
|
||||
$(srcdir)/xmalloc.c \
|
||||
$(srcdir)/setenv.c
|
||||
@@ -17,13 +19,17 @@ OBJS = \
|
||||
ccache.o \
|
||||
authorization.o \
|
||||
main.o \
|
||||
+ pam.o \
|
||||
heuristic.o \
|
||||
xmalloc.o @SETENVOBJ@
|
||||
|
||||
all: ksu
|
||||
|
||||
ksu: $(OBJS) $(KRB5_BASE_DEPLIBS)
|
||||
- $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS)
|
||||
+ $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS) $(PAM_LIBS)
|
||||
+
|
||||
+pam.o: pam.c
|
||||
+ $(CC) $(ALL_CFLAGS) -c $<
|
||||
|
||||
clean:
|
||||
$(RM) ksu
|
||||
diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c
|
||||
index d9596d948..7a0c7e48b 100644
|
||||
--- a/src/clients/ksu/main.c
|
||||
+++ b/src/clients/ksu/main.c
|
||||
@@ -26,6 +26,7 @@
|
||||
* KSU was writen by: Ari Medvinsky, ari@isi.edu
|
||||
*/
|
||||
@ -113,7 +172,7 @@ and session management before dropping privileges.
|
||||
/***********/
|
||||
|
||||
#define KS_TEMPORARY_CACHE "MEMORY:_ksu"
|
||||
@@ -519,6 +525,25 @@ main (argc, argv)
|
||||
@@ -528,6 +534,25 @@ main (argc, argv)
|
||||
prog_name,target_user,client_name,
|
||||
source_user,ontty());
|
||||
|
||||
@ -139,7 +198,7 @@ and session management before dropping privileges.
|
||||
/* Run authorization as target.*/
|
||||
if (krb5_seteuid(target_uid)) {
|
||||
com_err(prog_name, errno, _("while switching to target for "
|
||||
@@ -587,6 +612,26 @@ main (argc, argv)
|
||||
@@ -596,6 +621,26 @@ main (argc, argv)
|
||||
com_err(prog_name,retval, _("while calling cc_filter"));
|
||||
exit(1);
|
||||
}
|
||||
@ -166,7 +225,7 @@ and session management before dropping privileges.
|
||||
}
|
||||
|
||||
if (all_rest_copy){
|
||||
@@ -636,6 +681,32 @@ main (argc, argv)
|
||||
@@ -645,6 +690,32 @@ main (argc, argv)
|
||||
exit(1);
|
||||
}
|
||||
|
||||
@ -199,7 +258,7 @@ and session management before dropping privileges.
|
||||
/* set permissions */
|
||||
if (setgid(target_pwd->pw_gid) < 0) {
|
||||
perror("ksu: setgid");
|
||||
@@ -733,7 +804,7 @@ main (argc, argv)
|
||||
@@ -742,7 +813,7 @@ main (argc, argv)
|
||||
fprintf(stderr, "program to be execed %s\n",params[0]);
|
||||
}
|
||||
|
||||
@ -208,7 +267,7 @@ and session management before dropping privileges.
|
||||
execv(params[0], params);
|
||||
com_err(prog_name, errno, _("while trying to execv %s"), params[0]);
|
||||
sweep_up(ksu_context, cc_target);
|
||||
@@ -763,16 +834,35 @@ main (argc, argv)
|
||||
@@ -772,16 +843,35 @@ main (argc, argv)
|
||||
if (ret_pid == -1) {
|
||||
com_err(prog_name, errno, _("while calling waitpid"));
|
||||
}
|
||||
@ -245,44 +304,11 @@ and session management before dropping privileges.
|
||||
exit (1);
|
||||
}
|
||||
}
|
||||
--- krb5-1.15.orig/src/clients/ksu/Makefile.in 2016-12-01 23:31:24.000000000 +0100
|
||||
+++ krb5-1.15/src/clients/ksu/Makefile.in 2016-12-03 16:08:50.583613246 +0100
|
||||
@@ -3,12 +3,14 @@
|
||||
DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"'
|
||||
|
||||
KSU_LIBS=@KSU_LIBS@
|
||||
+PAM_LIBS=@PAM_LIBS@
|
||||
|
||||
SRCS = \
|
||||
$(srcdir)/krb_auth_su.c \
|
||||
$(srcdir)/ccache.c \
|
||||
$(srcdir)/authorization.c \
|
||||
$(srcdir)/main.c \
|
||||
+ $(srcdir)/pam.c \
|
||||
$(srcdir)/heuristic.c \
|
||||
$(srcdir)/xmalloc.c \
|
||||
$(srcdir)/setenv.c
|
||||
@@ -17,13 +19,17 @@
|
||||
ccache.o \
|
||||
authorization.o \
|
||||
main.o \
|
||||
+ pam.o \
|
||||
heuristic.o \
|
||||
xmalloc.o @SETENVOBJ@
|
||||
|
||||
all: ksu
|
||||
|
||||
ksu: $(OBJS) $(KRB5_BASE_DEPLIBS)
|
||||
- $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS)
|
||||
+ $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS) $(PAM_LIBS)
|
||||
+
|
||||
+pam.o: pam.c
|
||||
+ $(CC) $(ALL_CFLAGS) -c $<
|
||||
|
||||
clean:
|
||||
$(RM) ksu
|
||||
diff --git a/src/clients/ksu/pam.c b/src/clients/ksu/pam.c
|
||||
new file mode 100644
|
||||
index 000000000..cbfe48704
|
||||
--- /dev/null
|
||||
+++ krb5-1.13/src/clients/ksu/pam.c
|
||||
+++ b/src/clients/ksu/pam.c
|
||||
@@ -0,0 +1,389 @@
|
||||
+/*
|
||||
+ * src/clients/ksu/pam.c
|
||||
@ -673,8 +699,11 @@ and session management before dropping privileges.
|
||||
+ return ret;
|
||||
+}
|
||||
+#endif
|
||||
diff --git a/src/clients/ksu/pam.h b/src/clients/ksu/pam.h
|
||||
new file mode 100644
|
||||
index 000000000..0ab76569c
|
||||
--- /dev/null
|
||||
+++ krb5-1.13/src/clients/ksu/pam.h
|
||||
+++ b/src/clients/ksu/pam.h
|
||||
@@ -0,0 +1,57 @@
|
||||
+/*
|
||||
+ * src/clients/ksu/pam.h
|
||||
@ -733,9 +762,11 @@ and session management before dropping privileges.
|
||||
+int appl_pam_cred_init(void);
|
||||
+void appl_pam_cleanup(void);
|
||||
+#endif
|
||||
--- krb5-1.13.orig/src/configure.in
|
||||
+++ krb5-1.13/src/configure.in
|
||||
@@ -1285,6 +1285,8 @@ AC_SUBST([VERTO_VERSION])
|
||||
diff --git a/src/configure.in b/src/configure.in
|
||||
index 61ef738dc..e9a12ac16 100644
|
||||
--- a/src/configure.in
|
||||
+++ b/src/configure.in
|
||||
@@ -1352,6 +1352,8 @@ AC_SUBST([VERTO_VERSION])
|
||||
|
||||
AC_PATH_PROG(GROFF, groff)
|
||||
|
||||
@ -744,3 +775,6 @@ and session management before dropping privileges.
|
||||
# Make localedir work in autoconf 2.5x.
|
||||
if test "${localedir+set}" != set; then
|
||||
localedir='$(datadir)/locale'
|
||||
--
|
||||
2.20.1
|
||||
|
31
0002-krb5-1.9-manpaths.patch
Normal file
31
0002-krb5-1.9-manpaths.patch
Normal file
@ -0,0 +1,31 @@
|
||||
From 84aceebf6f76934c5d8fa11b0f7cd662542c286a Mon Sep 17 00:00:00 2001
|
||||
From: Samuel Cabrero <scabrero@suse.de>
|
||||
Date: Mon, 14 Jan 2019 13:06:55 +0100
|
||||
Subject: [PATCH 2/9] krb5-1.9-manpaths
|
||||
|
||||
Import krb5-1.9-manpaths.dif
|
||||
|
||||
Change the absolute paths included in the man pages so that the correct
|
||||
values can be dropped in by config.status. After applying this patch,
|
||||
these files should be renamed to their ".in" counterparts, and then the
|
||||
configure scripts should be rebuilt. Originally RT#6525
|
||||
---
|
||||
src/man/kpropd.man | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/man/kpropd.man b/src/man/kpropd.man
|
||||
index 38daa5e79..a0106ec5f 100644
|
||||
--- a/src/man/kpropd.man
|
||||
+++ b/src/man/kpropd.man
|
||||
@@ -67,7 +67,7 @@ the \fB/etc/inetd.conf\fP file which looks like this:
|
||||
.sp
|
||||
.nf
|
||||
.ft C
|
||||
-kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd
|
||||
+kprop stream tcp nowait root @SBINDIR@/kpropd kpropd
|
||||
.ft P
|
||||
.fi
|
||||
.UNINDENT
|
||||
--
|
||||
2.20.1
|
||||
|
@ -1,33 +1,26 @@
|
||||
From a04d1b609e0ca89d1ad93faeeafa5b3202cca4df Mon Sep 17 00:00:00 2001
|
||||
From: Samuel Cabrero <scabrero@suse.de>
|
||||
Date: Mon, 14 Jan 2019 13:08:07 +0100
|
||||
Subject: [PATCH 3/9] krb5-1.12-buildconf
|
||||
|
||||
Import krb5-1.12-buildconf.patch
|
||||
|
||||
Build binaries in this package as RELRO PIEs, libraries as partial RELRO,
|
||||
and install shared libraries with the execute bit set on them. Prune out
|
||||
the -L/usr/lib* and PIE flags where they might leak out and affect
|
||||
apps which just want to link with the libraries. FIXME: needs to check and
|
||||
not just assume that the compiler supports using these flags.
|
||||
---
|
||||
src/build-tools/krb5-config.in | 7 +++++++
|
||||
src/config/pre.in | 2 +-
|
||||
src/config/shlib.conf | 5 +++--
|
||||
3 files changed, 11 insertions(+), 3 deletions(-)
|
||||
|
||||
--- krb5-1.15.orig/src/config/shlib.conf 2016-12-01 23:31:24.000000000 +0100
|
||||
+++ krb5-1.15/src/config/shlib.conf 2016-12-03 16:58:48.378478508 +0100
|
||||
@@ -423,7 +423,7 @@
|
||||
# Linux ld doesn't default to stuffing the SONAME field...
|
||||
# Use objdump -x to examine the fields of the library
|
||||
# UNDEF_CHECK is suppressed by --enable-asan
|
||||
- LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $(UNDEF_CHECK)'
|
||||
+ LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $(UNDEF_CHECK) -Wl,-z,relro'
|
||||
UNDEF_CHECK='-Wl,--no-undefined'
|
||||
# $(EXPORT_CHECK) runs export-check.pl when in maintainer mode.
|
||||
LDCOMBINE_TAIL='-Wl,--version-script binutils.versions $(EXPORT_CHECK)'
|
||||
@@ -435,7 +435,8 @@
|
||||
SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
|
||||
PROFFLAGS=-pg
|
||||
PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)'
|
||||
- CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)'
|
||||
+ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie -Wl,-z,relro -Wl,-z,now $(LDFLAGS)'
|
||||
+ INSTALL_SHLIB='${INSTALL} -m755'
|
||||
CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)'
|
||||
CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)'
|
||||
CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)'
|
||||
--- krb5/src/build-tools/krb5-config.in
|
||||
+++ krb5/src/build-tools/krb5-config.in
|
||||
@@ -189,6 +189,13 @@ if test -n "$do_libs"; then
|
||||
diff --git a/src/build-tools/krb5-config.in b/src/build-tools/krb5-config.in
|
||||
index f6184da3f..0edf6a1a5 100755
|
||||
--- a/src/build-tools/krb5-config.in
|
||||
+++ b/src/build-tools/krb5-config.in
|
||||
@@ -225,6 +225,13 @@ if test -n "$do_libs"; then
|
||||
-e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \
|
||||
-e 's#\$(CFLAGS)##'`
|
||||
|
||||
@ -41,9 +34,11 @@ not just assume that the compiler supports using these flags.
|
||||
if test $library = 'kdb'; then
|
||||
lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB"
|
||||
library=krb5
|
||||
--- krb5/src/config/pre.in
|
||||
+++ krb5/src/config/pre.in
|
||||
@@ -188,7 +188,7 @@
|
||||
diff --git a/src/config/pre.in b/src/config/pre.in
|
||||
index ce87e21ca..164bf8301 100644
|
||||
--- a/src/config/pre.in
|
||||
+++ b/src/config/pre.in
|
||||
@@ -184,7 +184,7 @@ INSTALL_PROGRAM=@INSTALL_PROGRAM@ $(INSTALL_STRIP)
|
||||
INSTALL_SCRIPT=@INSTALL_PROGRAM@
|
||||
INSTALL_DATA=@INSTALL_DATA@
|
||||
INSTALL_SHLIB=@INSTALL_SHLIB@
|
||||
@ -52,3 +47,29 @@ not just assume that the compiler supports using these flags.
|
||||
## This is needed because autoconf will sometimes define @exec_prefix@ to be
|
||||
## ${prefix}.
|
||||
prefix=@prefix@
|
||||
diff --git a/src/config/shlib.conf b/src/config/shlib.conf
|
||||
index 3e4af6c02..a43736137 100644
|
||||
--- a/src/config/shlib.conf
|
||||
+++ b/src/config/shlib.conf
|
||||
@@ -423,7 +423,7 @@ mips-*-netbsd*)
|
||||
# Linux ld doesn't default to stuffing the SONAME field...
|
||||
# Use objdump -x to examine the fields of the library
|
||||
# UNDEF_CHECK is suppressed by --enable-asan
|
||||
- LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $(UNDEF_CHECK)'
|
||||
+ LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $(UNDEF_CHECK) -Wl,-z,relro'
|
||||
UNDEF_CHECK='-Wl,--no-undefined'
|
||||
# $(EXPORT_CHECK) runs export-check.pl when in maintainer mode.
|
||||
LDCOMBINE_TAIL='-Wl,--version-script binutils.versions $(EXPORT_CHECK)'
|
||||
@@ -435,7 +435,8 @@ mips-*-netbsd*)
|
||||
SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
|
||||
PROFFLAGS=-pg
|
||||
PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)'
|
||||
- CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)'
|
||||
+ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie -Wl,-z,relro -Wl,-z,now $(LDFLAGS)'
|
||||
+ INSTALL_SHLIB='${INSTALL} -m755'
|
||||
CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)'
|
||||
CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)'
|
||||
CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)'
|
||||
--
|
||||
2.20.1
|
||||
|
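Review bot: `CXX_LINK_SHARED` is left unchanged in the second shlib.conf hunk while `CC_LINK_SHARED` gains `-pie -Wl,-z,relro -Wl,-z,now`, so anything linked through the C++ line would not come out as a full-RELRO PIE. If that is not deliberate, the C++ line should carry the same flags: `CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) -pie -Wl,-z,relro -Wl,-z,now $(LDFLAGS)'`. The FIXME in the description also still holds: `-pie` at link time only works when the objects were compiled position-independent, and nothing visible here probes the toolchain for these flags. The changed lines of the pre.in and krb5-config.in hunks are elided on this page, so a short comment naming where the compile-time PIE flag is added would make this checkable.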
26
0004-krb5-1.6.3-gssapi_improve_errormessages.patch
Normal file
26
0004-krb5-1.6.3-gssapi_improve_errormessages.patch
Normal file
@ -0,0 +1,26 @@
|
||||
From 3cdd9863a1a7a9a004f3d75e32136bb0be26a32b Mon Sep 17 00:00:00 2001
|
||||
From: Samuel Cabrero <scabrero@suse.de>
|
||||
Date: Mon, 14 Jan 2019 13:09:05 +0100
|
||||
Subject: [PATCH 4/9] krb5-1.6.3-gssapi_improve_errormessages
|
||||
|
||||
Import krb5-1.6.3-gssapi_improve_errormessages.dif
|
||||
---
|
||||
src/lib/gssapi/generic/disp_com_err_status.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/lib/gssapi/generic/disp_com_err_status.c b/src/lib/gssapi/generic/disp_com_err_status.c
|
||||
index bc416107e..22612f970 100644
|
||||
--- a/src/lib/gssapi/generic/disp_com_err_status.c
|
||||
+++ b/src/lib/gssapi/generic/disp_com_err_status.c
|
||||
@@ -52,7 +52,7 @@ g_display_com_err_status(OM_uint32 *minor_status, OM_uint32 status_value,
|
||||
status_string->value = NULL;
|
||||
|
||||
if (! g_make_string_buffer(((status_value == 0)?no_error:
|
||||
- error_message(status_value)),
|
||||
+ error_message((long)status_value)),
|
||||
status_string)) {
|
||||
*minor_status = ENOMEM;
|
||||
return(GSS_S_FAILURE);
|
||||
--
|
||||
2.20.1
|
||||
|
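Review bot: The added `(long)` cast in `g_display_com_err_status` converts from the unsigned `OM_uint32`, so on an LP64 platform a status with the top bit set is zero-extended to a large positive `long` rather than the negative value that com_err tables typically use for such codes. If a prototype for `error_message` taking a `long` is already in scope, the same conversion happened implicitly before, so the cast may not change the result at all. It is worth confirming that `error_message` masks its argument to 32 bits and recording that next to the call, e.g. `/* OM_uint32 -> long zero-extends; error_message() is expected to mask to 32 bits */`. The function body starts and ends outside the hunk.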
36
0005-krb5-1.6.3-ktutil-manpage.patch
Normal file
36
0005-krb5-1.6.3-ktutil-manpage.patch
Normal file
@ -0,0 +1,36 @@
|
||||
From af0fe879800e72101b6d306c1b510880aec7cdaa Mon Sep 17 00:00:00 2001
|
||||
From: Samuel Cabrero <scabrero@suse.de>
|
||||
Date: Mon, 14 Jan 2019 13:14:47 +0100
|
||||
Subject: [PATCH 5/9] krb5-1.6.3-ktutil-manpage
|
||||
|
||||
Import krb5-1.6.3-ktutil-manpage.dif
|
||||
---
|
||||
src/man/ktutil.man | 12 ++++++++++++
|
||||
1 file changed, 12 insertions(+)
|
||||
|
||||
diff --git a/src/man/ktutil.man b/src/man/ktutil.man
|
||||
index 4e174c0fe..f6d6ae814 100644
|
||||
--- a/src/man/ktutil.man
|
||||
+++ b/src/man/ktutil.man
|
||||
@@ -171,6 +171,18 @@ ktutil:
|
||||
.sp
|
||||
See kerberos(7) for a description of Kerberos environment
|
||||
variables.
|
||||
+.SH REMARKS
|
||||
+Changes to the keytab are appended to the keytab file (i.e., the keytab file
|
||||
+is never overwritten). To directly modify a keytab, save the changes to a
|
||||
+temporary file and then overwrite the keytab file of interest.
|
||||
+.TP
|
||||
+.nf
|
||||
+Example:
|
||||
+ktutil> rkt /etc/krb5.keytab
|
||||
+(modifications to keytab)
|
||||
+ktutil> wkt /tmp/krb5.newtab
|
||||
+ktutil> q
|
||||
+# mv /tmp/krb5.newtab /etc/krb5.keytab
|
||||
.SH SEE ALSO
|
||||
.sp
|
||||
kadmin(1), kdb5_util(8), kerberos(7)
|
||||
--
|
||||
2.20.1
|
||||
|
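Review bot: The REMARKS example stages the rewritten keytab at a fixed name in `/tmp` (`ktutil> wkt /tmp/krb5.newtab`), which puts long-term service keys at a predictable path in a world-writable directory. The following `mv` out of `/tmp` may also cross filesystems, in which case it is not an atomic replace. Writing next to the target would be safer, e.g. `ktutil> wkt /etc/krb5.keytab.new` and then `# mv /etc/krb5.keytab.new /etc/krb5.keytab`, with a sentence telling the reader to check the new file's owner and mode before moving it into place. The added `.nf` is also never closed with `.fi` before `.SH SEE ALSO`.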
@ -1,10 +1,22 @@
|
||||
From 70039109cc843f4958e89fd674d098c7c89affa8 Mon Sep 17 00:00:00 2001
|
||||
From: Samuel Cabrero <scabrero@suse.de>
|
||||
Date: Mon, 14 Jan 2019 13:15:50 +0100
|
||||
Subject: [PATCH 6/9] krb5-1.12-api
|
||||
|
||||
Import krb5-1.12-api.patch
|
||||
|
||||
Reference docs don't define what happens if you call krb5_realm_compare() with
|
||||
malformed krb5_principal structures. Define a behavior which keeps it from
|
||||
crashing if applications don't check ahead of time.
|
||||
---
|
||||
src/lib/krb5/krb/princ_comp.c | 7 +++++++
|
||||
1 file changed, 7 insertions(+)
|
||||
|
||||
--- krb5/src/lib/krb5/krb/princ_comp.c
|
||||
+++ krb5/src/lib/krb5/krb/princ_comp.c
|
||||
@@ -41,6 +41,10 @@ realm_compare_flags(krb5_context context
|
||||
diff --git a/src/lib/krb5/krb/princ_comp.c b/src/lib/krb5/krb/princ_comp.c
|
||||
index a6936107d..0ed78833b 100644
|
||||
--- a/src/lib/krb5/krb/princ_comp.c
|
||||
+++ b/src/lib/krb5/krb/princ_comp.c
|
||||
@@ -36,6 +36,10 @@ realm_compare_flags(krb5_context context,
|
||||
const krb5_data *realm1 = &princ1->realm;
|
||||
const krb5_data *realm2 = &princ2->realm;
|
||||
|
||||
@ -15,7 +27,7 @@ crashing if applications don't check ahead of time.
|
||||
if (realm1->length != realm2->length)
|
||||
return FALSE;
|
||||
if (realm1->length == 0)
|
||||
@@ -92,6 +98,9 @@ krb5_principal_compare_flags(krb5_contex
|
||||
@@ -88,6 +92,9 @@ krb5_principal_compare_flags(krb5_context context,
|
||||
krb5_principal upn2 = NULL;
|
||||
krb5_boolean ret = FALSE;
|
||||
|
||||
@ -25,3 +37,6 @@ crashing if applications don't check ahead of time.
|
||||
if (flags & KRB5_PRINCIPAL_COMPARE_ENTERPRISE) {
|
||||
/* Treat UPNs as if they were real principals */
|
||||
if (princ1->type == KRB5_NT_ENTERPRISE_PRINCIPAL) {
|
||||
--
|
||||
2.20.1
|
||||
|
27
0007-krb5-1.12-ksu-path.patch
Normal file
27
0007-krb5-1.12-ksu-path.patch
Normal file
@ -0,0 +1,27 @@
|
||||
From 2af2add95fdd3973437cd0ce5ca1794afb461227 Mon Sep 17 00:00:00 2001
|
||||
From: Samuel Cabrero <scabrero@suse.de>
|
||||
Date: Mon, 14 Jan 2019 13:16:29 +0100
|
||||
Subject: [PATCH 7/9] krb5-1.12-ksu
|
||||
|
||||
Import krb5-1.12-ksu-path.patch
|
||||
|
||||
Set the default PATH to the one set by login.
|
||||
---
|
||||
src/clients/ksu/Makefile.in | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/clients/ksu/Makefile.in b/src/clients/ksu/Makefile.in
|
||||
index 5755bb58a..9d58f29b5 100644
|
||||
--- a/src/clients/ksu/Makefile.in
|
||||
+++ b/src/clients/ksu/Makefile.in
|
||||
@@ -1,6 +1,6 @@
|
||||
mydir=clients$(S)ksu
|
||||
BUILDTOP=$(REL)..$(S)..
|
||||
-DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"'
|
||||
+DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/usr/local/sbin /usr/local/bin /sbin /bin /usr/sbin /usr/bin"'
|
||||
|
||||
KSU_LIBS=@KSU_LIBS@
|
||||
PAM_LIBS=@PAM_LIBS@
|
||||
--
|
||||
2.20.1
|
||||
|
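Review bot: The new `CMD_PATH` lists `/usr/local/sbin` and `/usr/local/bin` ahead of the system directories, so wherever ksu resolves a bare command name through this list, a binary under `/usr/local` would be picked over the one in `/bin` or `/usr/bin`. ksu is normally installed setuid root, and on hosts where `/usr/local` is writable by a non-root group that ordering widens who can influence what gets executed. Unless matching login's order exactly is a requirement, consider putting the system directories first, `-DCMD_PATH='"/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin"'`. Failing that, a comment above `DEFINES` should record why the local directories take precedence.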
@ -1,3 +1,10 @@
|
||||
From e079ae26bbec6bce74e09a980d734fa886ee93b0 Mon Sep 17 00:00:00 2001
|
||||
From: Samuel Cabrero <scabrero@suse.de>
|
||||
Date: Mon, 14 Jan 2019 13:17:28 +0100
|
||||
Subject: [PATCH 8/9] krb5-1.12-selinux-label
|
||||
|
||||
Import krb5-1.12-selinux-label.patch
|
||||
|
||||
SELinux bases access to files on the domain of the requesting process,
|
||||
the operation being performed, and the context applied to the file.
|
||||
|
||||
@ -30,11 +37,39 @@ stomp all over us.
|
||||
The selabel APIs for looking up the context should be thread-safe (per
|
||||
Red Hat #273081), so switching to using them instead of matchpathcon(),
|
||||
which we used earlier, is some improvement.
|
||||
---
|
||||
src/aclocal.m4 | 49 +++
|
||||
src/build-tools/krb5-config.in | 3 +-
|
||||
src/config/pre.in | 3 +-
|
||||
src/configure.in | 2 +
|
||||
src/include/k5-int.h | 1 +
|
||||
src/include/k5-label.h | 32 ++
|
||||
src/include/krb5/krb5.hin | 6 +
|
||||
src/kadmin/dbutil/dump.c | 11 +-
|
||||
src/kdc/main.c | 2 +-
|
||||
src/lib/kadm5/logger.c | 4 +-
|
||||
src/lib/kdb/kdb_log.c | 2 +-
|
||||
src/lib/krb5/ccache/cc_dir.c | 26 +-
|
||||
src/lib/krb5/keytab/kt_file.c | 4 +-
|
||||
src/lib/krb5/os/trace.c | 2 +-
|
||||
src/lib/krb5/rcache/rc_dfl.c | 13 +
|
||||
src/plugins/kdb/db2/adb_openclose.c | 2 +-
|
||||
src/plugins/kdb/db2/kdb_db2.c | 4 +-
|
||||
src/plugins/kdb/db2/libdb2/btree/bt_open.c | 3 +-
|
||||
src/plugins/kdb/db2/libdb2/hash/hash.c | 3 +-
|
||||
src/plugins/kdb/db2/libdb2/recno/rec_open.c | 4 +-
|
||||
.../kdb/ldap/ldap_util/kdb5_ldap_services.c | 11 +-
|
||||
src/util/profile/prof_file.c | 3 +-
|
||||
src/util/support/Makefile.in | 3 +-
|
||||
src/util/support/selinux.c | 381 ++++++++++++++++++
|
||||
24 files changed, 553 insertions(+), 21 deletions(-)
|
||||
create mode 100644 src/include/k5-label.h
|
||||
create mode 100644 src/util/support/selinux.c
|
||||
|
||||
Index: krb5-1.16.1/src/aclocal.m4
|
||||
===================================================================
|
||||
--- krb5-1.16.1.orig/src/aclocal.m4
|
||||
+++ krb5-1.16.1/src/aclocal.m4
|
||||
diff --git a/src/aclocal.m4 b/src/aclocal.m4
|
||||
index 340546d80..4440ec5f8 100644
|
||||
--- a/src/aclocal.m4
|
||||
+++ b/src/aclocal.m4
|
||||
@@ -89,6 +89,7 @@ AC_SUBST_FILE(libnodeps_frag)
|
||||
dnl
|
||||
KRB5_AC_PRAGMA_WEAK_REF
|
||||
@ -43,7 +78,7 @@ Index: krb5-1.16.1/src/aclocal.m4
|
||||
KRB5_LIB_PARAMS
|
||||
KRB5_AC_INITFINI
|
||||
KRB5_AC_ENABLE_THREADS
|
||||
@@ -1763,3 +1764,51 @@ AC_SUBST(PAM_LIBS)
|
||||
@@ -1764,3 +1765,51 @@ AC_SUBST(PAM_LIBS)
|
||||
AC_SUBST(PAM_MAN)
|
||||
AC_SUBST(NON_PAM_MAN)
|
||||
])dnl
|
||||
@ -95,10 +130,31 @@ Index: krb5-1.16.1/src/aclocal.m4
|
||||
+LIBS="$old_LIBS"
|
||||
+AC_SUBST(SELINUX_LIBS)
|
||||
+])dnl
|
||||
Index: krb5-1.16.1/src/config/pre.in
|
||||
===================================================================
|
||||
--- krb5-1.16.1.orig/src/config/pre.in
|
||||
+++ krb5-1.16.1/src/config/pre.in
|
||||
diff --git a/src/build-tools/krb5-config.in b/src/build-tools/krb5-config.in
|
||||
index 0edf6a1a5..1891dea99 100755
|
||||
--- a/src/build-tools/krb5-config.in
|
||||
+++ b/src/build-tools/krb5-config.in
|
||||
@@ -41,6 +41,7 @@ DL_LIB='@DL_LIB@'
|
||||
DEFCCNAME='@DEFCCNAME@'
|
||||
DEFKTNAME='@DEFKTNAME@'
|
||||
DEFCKTNAME='@DEFCKTNAME@'
|
||||
+SELINUX_LIBS='@SELINUX_LIBS@'
|
||||
|
||||
LIBS='@LIBS@'
|
||||
GEN_LIB=@GEN_LIB@
|
||||
@@ -262,7 +263,7 @@ if test -n "$do_libs"; then
|
||||
fi
|
||||
|
||||
# If we ever support a flag to generate output suitable for static
|
||||
- # linking, we would output "-lkrb5support $GEN_LIB $LIBS $DL_LIB"
|
||||
+ # linking, we would output "-lkrb5support $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB"
|
||||
# here.
|
||||
|
||||
echo $lib_flags
|
||||
diff --git a/src/config/pre.in b/src/config/pre.in
|
||||
index 164bf8301..a8540ae2a 100644
|
||||
--- a/src/config/pre.in
|
||||
+++ b/src/config/pre.in
|
||||
@@ -177,6 +177,7 @@ LD = $(PURE) @LD@
|
||||
KRB_INCLUDES = -I$(BUILDTOP)/include -I$(top_srcdir)/include
|
||||
LDFLAGS = @LDFLAGS@
|
||||
@ -107,7 +163,7 @@ Index: krb5-1.16.1/src/config/pre.in
|
||||
|
||||
INSTALL=@INSTALL@
|
||||
INSTALL_STRIP=
|
||||
@@ -399,7 +400,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME)
|
||||
@@ -402,7 +403,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME)
|
||||
# HESIOD_LIBS is -lhesiod...
|
||||
HESIOD_LIBS = @HESIOD_LIBS@
|
||||
|
||||
@ -116,11 +172,11 @@ Index: krb5-1.16.1/src/config/pre.in
|
||||
KDB5_LIBS = $(KDB5_LIB) $(GSSRPC_LIBS)
|
||||
GSS_LIBS = $(GSS_KRB5_LIB)
|
||||
# needs fixing if ever used on macOS!
|
||||
Index: krb5-1.16.1/src/configure.in
|
||||
===================================================================
|
||||
--- krb5-1.16.1.orig/src/configure.in
|
||||
+++ krb5-1.16.1/src/configure.in
|
||||
@@ -1308,6 +1308,8 @@ AC_PATH_PROG(GROFF, groff)
|
||||
diff --git a/src/configure.in b/src/configure.in
|
||||
index e9a12ac16..93aec682e 100644
|
||||
--- a/src/configure.in
|
||||
+++ b/src/configure.in
|
||||
@@ -1354,6 +1354,8 @@ AC_PATH_PROG(GROFF, groff)
|
||||
|
||||
KRB5_WITH_PAM
|
||||
|
||||
@ -129,10 +185,10 @@ Index: krb5-1.16.1/src/configure.in
|
||||
# Make localedir work in autoconf 2.5x.
|
||||
if test "${localedir+set}" != set; then
|
||||
localedir='$(datadir)/locale'
|
||||
Index: krb5-1.16.1/src/include/k5-int.h
|
||||
===================================================================
|
||||
--- krb5-1.16.1.orig/src/include/k5-int.h
|
||||
+++ krb5-1.16.1/src/include/k5-int.h
|
||||
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
|
||||
index 652242207..7190a8f55 100644
|
||||
--- a/src/include/k5-int.h
|
||||
+++ b/src/include/k5-int.h
|
||||
@@ -126,6 +126,7 @@ typedef unsigned char u_char;
|
||||
#endif /* HAVE_SYS_TYPES_H */
|
||||
#endif /* KRB5_SYSTYPES__ */
|
||||
@ -141,10 +197,11 @@ Index: krb5-1.16.1/src/include/k5-int.h
|
||||
|
||||
#include "k5-platform.h"
|
||||
|
||||
Index: krb5-1.16.1/src/include/k5-label.h
|
||||
===================================================================
|
||||
diff --git a/src/include/k5-label.h b/src/include/k5-label.h
|
||||
new file mode 100644
|
||||
index 000000000..dfaaa847c
|
||||
--- /dev/null
|
||||
+++ krb5-1.16.1/src/include/k5-label.h
|
||||
+++ b/src/include/k5-label.h
|
||||
@@ -0,0 +1,32 @@
|
||||
+#ifndef _KRB5_LABEL_H
|
||||
+#define _KRB5_LABEL_H
|
||||
@ -178,10 +235,10 @@ Index: krb5-1.16.1/src/include/k5-label.h
|
||||
+#define THREEPARAMOPEN(x,y,z) open(x,y,z)
|
||||
+#endif
|
||||
+#endif
|
||||
Index: krb5-1.16.1/src/include/krb5/krb5.hin
|
||||
===================================================================
|
||||
--- krb5-1.16.1.orig/src/include/krb5/krb5.hin
|
||||
+++ krb5-1.16.1/src/include/krb5/krb5.hin
|
||||
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
|
||||
index c40a6cca8..3ff86d7ff 100644
|
||||
--- a/src/include/krb5/krb5.hin
|
||||
+++ b/src/include/krb5/krb5.hin
|
||||
@@ -87,6 +87,12 @@
|
||||
#define THREEPARAMOPEN(x,y,z) open(x,y,z)
|
||||
#endif
|
||||
@ -195,11 +252,11 @@ Index: krb5-1.16.1/src/include/krb5/krb5.hin
|
||||
#define KRB5_OLD_CRYPTO
|
||||
|
||||
#include <stdlib.h>
|
||||
Index: krb5-1.16.1/src/kadmin/dbutil/dump.c
|
||||
===================================================================
|
||||
--- krb5-1.16.1.orig/src/kadmin/dbutil/dump.c
|
||||
+++ krb5-1.16.1/src/kadmin/dbutil/dump.c
|
||||
@@ -148,12 +148,21 @@ create_ofile(char *ofile, char **tmpname
|
||||
diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c
|
||||
index c9574c6e1..8301a33d0 100644
|
||||
--- a/src/kadmin/dbutil/dump.c
|
||||
+++ b/src/kadmin/dbutil/dump.c
|
||||
@@ -148,12 +148,21 @@ create_ofile(char *ofile, char **tmpname)
|
||||
{
|
||||
int fd = -1;
|
||||
FILE *f;
|
||||
@ -221,41 +278,33 @@ Index: krb5-1.16.1/src/kadmin/dbutil/dump.c
|
||||
if (fd == -1)
|
||||
goto error;
|
||||
|
||||
@@ -194,7 +203,7 @@ prep_ok_file(krb5_context context, char
|
||||
return 0;
|
||||
@@ -197,7 +206,7 @@ prep_ok_file(krb5_context context, char *file_name, int *fd_out)
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
- *fd = open(file_ok, O_WRONLY | O_CREAT | O_TRUNC, 0600);
|
||||
+ *fd = THREEPARAMOPEN(file_ok, O_WRONLY | O_CREAT | O_TRUNC, 0600);
|
||||
if (*fd == -1) {
|
||||
- fd = open(file_ok, O_WRONLY | O_CREAT | O_TRUNC, 0600);
|
||||
+ fd = THREEPARAMOPEN(file_ok, O_WRONLY | O_CREAT | O_TRUNC, 0600);
|
||||
if (fd == -1) {
|
||||
com_err(progname, errno, _("while creating 'ok' file, '%s'"), file_ok);
|
||||
exit_status++;
|
||||
Index: krb5-1.16.1/src/build-tools/krb5-config.in
|
||||
===================================================================
|
||||
--- krb5-1.16.1.orig/src/build-tools/krb5-config.in
|
||||
+++ krb5-1.16.1/src/build-tools/krb5-config.in
|
||||
@@ -41,6 +41,7 @@ DL_LIB='@DL_LIB@'
|
||||
DEFCCNAME='@DEFCCNAME@'
|
||||
DEFKTNAME='@DEFKTNAME@'
|
||||
DEFCKTNAME='@DEFCKTNAME@'
|
||||
+SELINUX_LIBS='@SELINUX_LIBS@'
|
||||
goto cleanup;
|
||||
diff --git a/src/kdc/main.c b/src/kdc/main.c
|
||||
index 408c723f5..663fd6303 100644
|
||||
--- a/src/kdc/main.c
|
||||
+++ b/src/kdc/main.c
|
||||
@@ -858,7 +858,7 @@ write_pid_file(const char *path)
|
||||
FILE *file;
|
||||
unsigned long pid;
|
||||
|
||||
LIBS='@LIBS@'
|
||||
GEN_LIB=@GEN_LIB@
|
||||
@@ -262,7 +263,7 @@ if test -n "$do_libs"; then
|
||||
fi
|
||||
|
||||
# If we ever support a flag to generate output suitable for static
|
||||
- # linking, we would output "-lkrb5support $GEN_LIB $LIBS $DL_LIB"
|
||||
+ # linking, we would output "-lkrb5support $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB"
|
||||
# here.
|
||||
|
||||
echo $lib_flags
|
||||
Index: krb5-1.16.1/src/lib/kadm5/logger.c
|
||||
===================================================================
|
||||
--- krb5-1.16.1.orig/src/lib/kadm5/logger.c
|
||||
+++ krb5-1.16.1/src/lib/kadm5/logger.c
|
||||
@@ -414,7 +414,7 @@ krb5_klog_init(krb5_context kcontext, ch
|
||||
- file = fopen(path, "w");
|
||||
+ file = WRITABLEFOPEN(path, "w");
|
||||
if (file == NULL)
|
||||
return errno;
|
||||
pid = (unsigned long) getpid();
|
||||
diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c
|
||||
index c6885edf2..9aec3c05e 100644
|
||||
--- a/src/lib/kadm5/logger.c
|
||||
+++ b/src/lib/kadm5/logger.c
|
||||
@@ -309,7 +309,7 @@ krb5_klog_init(krb5_context kcontext, char *ename, char *whoami, krb5_boolean do
|
||||
*/
|
||||
append = (cp[4] == ':') ? O_APPEND : 0;
|
||||
if (append || cp[4] == '=') {
|
||||
@ -264,7 +313,7 @@ Index: krb5-1.16.1/src/lib/kadm5/logger.c
|
||||
S_IRUSR | S_IWUSR | S_IRGRP);
|
||||
if (fd != -1)
|
||||
f = fdopen(fd, append ? "a" : "w");
|
||||
@@ -918,7 +918,7 @@ krb5_klog_reopen(krb5_context kcontext)
|
||||
@@ -776,7 +776,7 @@ krb5_klog_reopen(krb5_context kcontext)
|
||||
* In case the old logfile did not get moved out of the
|
||||
* way, open for append to prevent squashing the old logs.
|
||||
*/
|
||||
@ -273,11 +322,74 @@ Index: krb5-1.16.1/src/lib/kadm5/logger.c
|
||||
if (f) {
|
||||
set_cloexec_file(f);
|
||||
log_control.log_entries[lindex].lfu_filep = f;
|
||||
Index: krb5-1.16.1/src/lib/krb5/keytab/kt_file.c
|
||||
===================================================================
|
||||
--- krb5-1.16.1.orig/src/lib/krb5/keytab/kt_file.c
|
||||
+++ krb5-1.16.1/src/lib/krb5/keytab/kt_file.c
|
||||
@@ -1024,14 +1024,14 @@ krb5_ktfileint_open(krb5_context context
|
||||
diff --git a/src/lib/kdb/kdb_log.c b/src/lib/kdb/kdb_log.c
|
||||
index 2659a2501..a1cd38f4c 100644
|
||||
--- a/src/lib/kdb/kdb_log.c
|
||||
+++ b/src/lib/kdb/kdb_log.c
|
||||
@@ -491,7 +491,7 @@ ulog_map(krb5_context context, const char *logname, uint32_t ulogentries)
|
||||
if (retval)
|
||||
goto cleanup;
|
||||
} else {
|
||||
- log_ctx->ulogfd = open(logname, O_RDWR, 0600);
|
||||
+ log_ctx->ulogfd = THREEPARAMOPEN(logname, O_RDWR | O_CREAT, 0600);
|
||||
if (log_ctx->ulogfd == -1) {
|
||||
retval = errno;
|
||||
goto cleanup;
|
||||
diff --git a/src/lib/krb5/ccache/cc_dir.c b/src/lib/krb5/ccache/cc_dir.c
|
||||
index bba64e516..73f0fe62d 100644
|
||||
--- a/src/lib/krb5/ccache/cc_dir.c
|
||||
+++ b/src/lib/krb5/ccache/cc_dir.c
|
||||
@@ -183,10 +183,19 @@ write_primary_file(const char *primary_path, const char *contents)
|
||||
char *newpath = NULL;
|
||||
FILE *fp = NULL;
|
||||
int fd = -1, status;
|
||||
+#ifdef USE_SELINUX
|
||||
+ void *selabel;
|
||||
+#endif
|
||||
|
||||
if (asprintf(&newpath, "%s.XXXXXX", primary_path) < 0)
|
||||
return ENOMEM;
|
||||
+#ifdef USE_SELINUX
|
||||
+ selabel = krb5int_push_fscreatecon_for(primary_path);
|
||||
+#endif
|
||||
fd = mkstemp(newpath);
|
||||
+#ifdef USE_SELINUX
|
||||
+ krb5int_pop_fscreatecon(selabel);
|
||||
+#endif
|
||||
if (fd < 0)
|
||||
goto cleanup;
|
||||
#ifdef HAVE_CHMOD
|
||||
@@ -221,10 +230,23 @@ static krb5_error_code
|
||||
verify_dir(krb5_context context, const char *dirname)
|
||||
{
|
||||
struct stat st;
|
||||
+ int status;
|
||||
+#ifdef USE_SELINUX
|
||||
+ void *selabel;
|
||||
+#endif
|
||||
|
||||
if (stat(dirname, &st) < 0) {
|
||||
- if (errno == ENOENT && mkdir(dirname, S_IRWXU) == 0)
|
||||
- return 0;
|
||||
+ if (errno == ENOENT) {
|
||||
+#ifdef USE_SELINUX
|
||||
+ selabel = krb5int_push_fscreatecon_for(dirname);
|
||||
+#endif
|
||||
+ status = mkdir(dirname, S_IRWXU);
|
||||
+#ifdef USE_SELINUX
|
||||
+ krb5int_pop_fscreatecon(selabel);
|
||||
+#endif
|
||||
+ if (status == 0)
|
||||
+ return 0;
|
||||
+ }
|
||||
k5_setmsg(context, KRB5_FCC_NOFILE,
|
||||
_("Credential cache directory %s does not exist"),
|
||||
dirname);
|
||||
diff --git a/src/lib/krb5/keytab/kt_file.c b/src/lib/krb5/keytab/kt_file.c
|
||||
index 89cb68680..21c80d419 100644
|
||||
--- a/src/lib/krb5/keytab/kt_file.c
|
||||
+++ b/src/lib/krb5/keytab/kt_file.c
|
||||
@@ -1024,14 +1024,14 @@ krb5_ktfileint_open(krb5_context context, krb5_keytab id, int mode)
|
||||
|
||||
KTCHECKLOCK(id);
|
||||
errno = 0;
|
||||
@ -294,11 +406,56 @@ Index: krb5-1.16.1/src/lib/krb5/keytab/kt_file.c
|
||||
if (!KTFILEP(id))
|
||||
goto report_errno;
|
||||
writevno = 1;
|
||||
Index: krb5-1.16.1/src/plugins/kdb/db2/adb_openclose.c
|
||||
===================================================================
|
||||
--- krb5-1.16.1.orig/src/plugins/kdb/db2/adb_openclose.c
|
||||
+++ krb5-1.16.1/src/plugins/kdb/db2/adb_openclose.c
|
||||
@@ -152,7 +152,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char
|
||||
diff --git a/src/lib/krb5/os/trace.c b/src/lib/krb5/os/trace.c
|
||||
index 4fff8f38c..40a9e7b10 100644
|
||||
--- a/src/lib/krb5/os/trace.c
|
||||
+++ b/src/lib/krb5/os/trace.c
|
||||
@@ -458,7 +458,7 @@ krb5_set_trace_filename(krb5_context context, const char *filename)
|
||||
fd = malloc(sizeof(*fd));
|
||||
if (fd == NULL)
|
||||
return ENOMEM;
|
||||
- *fd = open(filename, O_WRONLY|O_CREAT|O_APPEND, 0600);
|
||||
+ *fd = THREEPARAMOPEN(filename, O_WRONLY|O_CREAT|O_APPEND, 0600);
|
||||
if (*fd == -1) {
|
||||
free(fd);
|
||||
return errno;
|
||||
diff --git a/src/lib/krb5/rcache/rc_dfl.c b/src/lib/krb5/rcache/rc_dfl.c
|
||||
index 1e0cb22c9..f5e93b1ab 100644
|
||||
--- a/src/lib/krb5/rcache/rc_dfl.c
|
||||
+++ b/src/lib/krb5/rcache/rc_dfl.c
|
||||
@@ -793,6 +793,9 @@ krb5_rc_dfl_expunge_locked(krb5_context context, krb5_rcache id)
|
||||
krb5_error_code retval = 0;
|
||||
krb5_rcache tmp;
|
||||
krb5_deltat lifespan = t->lifespan; /* save original lifespan */
|
||||
+#ifdef USE_SELINUX
|
||||
+ void *selabel;
|
||||
+#endif
|
||||
|
||||
if (! t->recovering) {
|
||||
name = t->name;
|
||||
@@ -814,7 +817,17 @@ krb5_rc_dfl_expunge_locked(krb5_context context, krb5_rcache id)
|
||||
retval = krb5_rc_resolve(context, tmp, 0);
|
||||
if (retval)
|
||||
goto cleanup;
|
||||
+#ifdef USE_SELINUX
|
||||
+ if (t->d.fn != NULL)
|
||||
+ selabel = krb5int_push_fscreatecon_for(t->d.fn);
|
||||
+ else
|
||||
+ selabel = NULL;
|
||||
+#endif
|
||||
retval = krb5_rc_initialize(context, tmp, lifespan);
|
||||
+#ifdef USE_SELINUX
|
||||
+ if (selabel != NULL)
|
||||
+ krb5int_pop_fscreatecon(selabel);
|
||||
+#endif
|
||||
if (retval)
|
||||
goto cleanup;
|
||||
for (q = t->a; q; q = q->na) {
|
||||
diff --git a/src/plugins/kdb/db2/adb_openclose.c b/src/plugins/kdb/db2/adb_openclose.c
|
||||
index 7db30a33b..2b9d01921 100644
|
||||
--- a/src/plugins/kdb/db2/adb_openclose.c
|
||||
+++ b/src/plugins/kdb/db2/adb_openclose.c
|
||||
@@ -152,7 +152,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char *filename, char *lockfilename,
|
||||
* needs be open read/write so that write locking can work with
|
||||
* POSIX systems
|
||||
*/
|
||||
@ -307,11 +464,26 @@ Index: krb5-1.16.1/src/plugins/kdb/db2/adb_openclose.c
|
||||
/*
|
||||
* maybe someone took away write permission so we could only
|
||||
* get shared locks?
|
||||
Index: krb5-1.16.1/src/plugins/kdb/db2/libdb2/btree/bt_open.c
|
||||
===================================================================
|
||||
--- krb5-1.16.1.orig/src/plugins/kdb/db2/libdb2/btree/bt_open.c
|
||||
+++ krb5-1.16.1/src/plugins/kdb/db2/libdb2/btree/bt_open.c
|
||||
@@ -60,6 +60,7 @@ static char sccsid[] = "@(#)bt_open.c 8.
|
||||
diff --git a/src/plugins/kdb/db2/kdb_db2.c b/src/plugins/kdb/db2/kdb_db2.c
|
||||
index 5106a5c99..e481e8121 100644
|
||||
--- a/src/plugins/kdb/db2/kdb_db2.c
|
||||
+++ b/src/plugins/kdb/db2/kdb_db2.c
|
||||
@@ -694,8 +694,8 @@ ctx_create_db(krb5_context context, krb5_db2_context *dbc)
|
||||
if (retval)
|
||||
return retval;
|
||||
|
||||
- dbc->db_lf_file = open(dbc->db_lf_name, O_CREAT | O_RDWR | O_TRUNC,
|
||||
- 0600);
|
||||
+ dbc->db_lf_file = THREEPARAMOPEN(dbc->db_lf_name,
|
||||
+ O_CREAT | O_RDWR | O_TRUNC, 0600);
|
||||
if (dbc->db_lf_file < 0) {
|
||||
retval = errno;
|
||||
goto cleanup;
|
||||
diff --git a/src/plugins/kdb/db2/libdb2/btree/bt_open.c b/src/plugins/kdb/db2/libdb2/btree/bt_open.c
|
||||
index 2977b17f3..d5809a5a9 100644
|
||||
--- a/src/plugins/kdb/db2/libdb2/btree/bt_open.c
|
||||
+++ b/src/plugins/kdb/db2/libdb2/btree/bt_open.c
|
||||
@@ -60,6 +60,7 @@ static char sccsid[] = "@(#)bt_open.c 8.11 (Berkeley) 11/2/95";
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
|
||||
@ -319,7 +491,7 @@ Index: krb5-1.16.1/src/plugins/kdb/db2/libdb2/btree/bt_open.c
|
||||
#include "db-int.h"
|
||||
#include "btree.h"
|
||||
|
||||
@@ -203,7 +204,7 @@ __bt_open(fname, flags, mode, openinfo,
|
||||
@@ -203,7 +204,7 @@ __bt_open(fname, flags, mode, openinfo, dflags)
|
||||
goto einval;
|
||||
}
|
||||
|
||||
@ -328,11 +500,11 @@ Index: krb5-1.16.1/src/plugins/kdb/db2/libdb2/btree/bt_open.c
|
||||
goto err;
|
||||
|
||||
} else {
|
||||
Index: krb5-1.16.1/src/plugins/kdb/db2/libdb2/hash/hash.c
|
||||
===================================================================
|
||||
--- krb5-1.16.1.orig/src/plugins/kdb/db2/libdb2/hash/hash.c
|
||||
+++ krb5-1.16.1/src/plugins/kdb/db2/libdb2/hash/hash.c
|
||||
@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)hash.c 8.12
|
||||
diff --git a/src/plugins/kdb/db2/libdb2/hash/hash.c b/src/plugins/kdb/db2/libdb2/hash/hash.c
|
||||
index 862dbb164..686a960c9 100644
|
||||
--- a/src/plugins/kdb/db2/libdb2/hash/hash.c
|
||||
+++ b/src/plugins/kdb/db2/libdb2/hash/hash.c
|
||||
@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)hash.c 8.12 (Berkeley) 11/7/95";
|
||||
#include <assert.h>
|
||||
#endif
|
||||
|
||||
@ -340,7 +512,7 @@ Index: krb5-1.16.1/src/plugins/kdb/db2/libdb2/hash/hash.c
|
||||
#include "db-int.h"
|
||||
#include "hash.h"
|
||||
#include "page.h"
|
||||
@@ -129,7 +130,7 @@ __kdb2_hash_open(file, flags, mode, info
|
||||
@@ -129,7 +130,7 @@ __kdb2_hash_open(file, flags, mode, info, dflags)
|
||||
new_table = 1;
|
||||
}
|
||||
if (file) {
|
||||
@ -349,11 +521,33 @@ Index: krb5-1.16.1/src/plugins/kdb/db2/libdb2/hash/hash.c
|
||||
RETURN_ERROR(errno, error0);
|
||||
(void)fcntl(hashp->fp, F_SETFD, 1);
|
||||
}
|
||||
Index: krb5-1.16.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
|
||||
===================================================================
|
||||
--- krb5-1.16.1.orig/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
|
||||
+++ krb5-1.16.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
|
||||
@@ -203,7 +203,7 @@ kdb5_ldap_stash_service_password(int arg
|
||||
diff --git a/src/plugins/kdb/db2/libdb2/recno/rec_open.c b/src/plugins/kdb/db2/libdb2/recno/rec_open.c
|
||||
index d8b26e701..b0daa7c02 100644
|
||||
--- a/src/plugins/kdb/db2/libdb2/recno/rec_open.c
|
||||
+++ b/src/plugins/kdb/db2/libdb2/recno/rec_open.c
|
||||
@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)rec_open.c 8.12 (Berkeley) 11/18/94";
|
||||
#include <stdio.h>
|
||||
#include <unistd.h>
|
||||
|
||||
+#include "k5-int.h"
|
||||
#include "db-int.h"
|
||||
#include "recno.h"
|
||||
|
||||
@@ -68,7 +69,8 @@ __rec_open(fname, flags, mode, openinfo, dflags)
|
||||
int rfd = -1, sverrno;
|
||||
|
||||
/* Open the user's file -- if this fails, we're done. */
|
||||
- if (fname != NULL && (rfd = open(fname, flags | O_BINARY, mode)) < 0)
|
||||
+ if (fname != NULL &&
|
||||
+ (rfd = THREEPARAMOPEN(fname, flags | O_BINARY, mode)) < 0)
|
||||
return (NULL);
|
||||
|
||||
if (fname != NULL && fcntl(rfd, F_SETFD, 1) == -1) {
|
||||
diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
|
||||
index 1ed72afe9..ce038fc3d 100644
|
||||
--- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
|
||||
+++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
|
||||
@@ -194,7 +194,7 @@ kdb5_ldap_stash_service_password(int argc, char **argv)
|
||||
|
||||
/* set password in the file */
|
||||
old_mode = umask(0177);
|
||||
@ -362,7 +556,7 @@ Index: krb5-1.16.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
|
||||
if (pfile == NULL) {
|
||||
com_err(me, errno, _("Failed to open file %s: %s"), file_name,
|
||||
strerror (errno));
|
||||
@@ -244,6 +244,9 @@ kdb5_ldap_stash_service_password(int arg
|
||||
@@ -235,6 +235,9 @@ kdb5_ldap_stash_service_password(int argc, char **argv)
|
||||
* Delete the existing entry and add the new entry
|
||||
*/
|
||||
FILE *newfile;
|
||||
@ -372,7 +566,7 @@ Index: krb5-1.16.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
|
||||
|
||||
mode_t omask;
|
||||
|
||||
@@ -255,7 +258,13 @@ kdb5_ldap_stash_service_password(int arg
|
||||
@@ -246,7 +249,13 @@ kdb5_ldap_stash_service_password(int argc, char **argv)
|
||||
}
|
||||
|
||||
omask = umask(077);
|
||||
@ -386,10 +580,10 @@ Index: krb5-1.16.1/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
|
||||
umask (omask);
|
||||
if (newfile == NULL) {
|
||||
com_err(me, errno, _("Error creating file %s"), tmp_file);
|
||||
Index: krb5-1.16.1/src/util/profile/prof_file.c
|
||||
===================================================================
|
||||
--- krb5-1.16.1.orig/src/util/profile/prof_file.c
|
||||
+++ krb5-1.16.1/src/util/profile/prof_file.c
|
||||
diff --git a/src/util/profile/prof_file.c b/src/util/profile/prof_file.c
|
||||
index 24e41fb80..0dcb6b543 100644
|
||||
--- a/src/util/profile/prof_file.c
|
||||
+++ b/src/util/profile/prof_file.c
|
||||
@@ -33,6 +33,7 @@
|
||||
#endif
|
||||
|
||||
@ -398,7 +592,7 @@ Index: krb5-1.16.1/src/util/profile/prof_file.c
|
||||
|
||||
struct global_shared_profile_data {
|
||||
/* This is the head of the global list of shared trees */
|
||||
@@ -423,7 +424,7 @@ static errcode_t write_data_to_file(prf_
|
||||
@@ -391,7 +392,7 @@ static errcode_t write_data_to_file(prf_data_t data, const char *outfile,
|
||||
|
||||
errno = 0;
|
||||
|
||||
@ -407,10 +601,10 @@ Index: krb5-1.16.1/src/util/profile/prof_file.c
|
||||
if (!f) {
|
||||
retval = errno;
|
||||
if (retval == 0)
|
||||
Index: krb5-1.16.1/src/util/support/Makefile.in
|
||||
===================================================================
|
||||
--- krb5-1.16.1.orig/src/util/support/Makefile.in
|
||||
+++ krb5-1.16.1/src/util/support/Makefile.in
|
||||
diff --git a/src/util/support/Makefile.in b/src/util/support/Makefile.in
|
||||
index db7b030b8..321672bcb 100644
|
||||
--- a/src/util/support/Makefile.in
|
||||
+++ b/src/util/support/Makefile.in
|
||||
@@ -69,6 +69,7 @@ IPC_SYMS= \
|
||||
|
||||
STLIBOBJS= \
|
||||
@ -419,7 +613,7 @@ Index: krb5-1.16.1/src/util/support/Makefile.in
|
||||
init-addrinfo.o \
|
||||
plugins.o \
|
||||
errors.o \
|
||||
@@ -149,7 +150,7 @@ SRCS=\
|
||||
@@ -160,7 +161,7 @@ SRCS=\
|
||||
|
||||
SHLIB_EXPDEPS =
|
||||
# Add -lm if dumping thread stats, for sqrt.
|
||||
@ -428,10 +622,11 @@ Index: krb5-1.16.1/src/util/support/Makefile.in
|
||||
|
||||
DEPLIBS=
|
||||
|
||||
Index: krb5-1.16.1/src/util/support/selinux.c
|
||||
===================================================================
|
||||
diff --git a/src/util/support/selinux.c b/src/util/support/selinux.c
|
||||
new file mode 100644
|
||||
index 000000000..ffba6a9ff
|
||||
--- /dev/null
|
||||
+++ krb5-1.16.1/src/util/support/selinux.c
|
||||
+++ b/src/util/support/selinux.c
|
||||
@@ -0,0 +1,381 @@
|
||||
+/*
|
||||
+ * Copyright 2007,2008,2009,2011,2012,2013 Red Hat, Inc. All Rights Reserved.
|
||||
@ -814,192 +1009,6 @@ Index: krb5-1.16.1/src/util/support/selinux.c
|
||||
+}
|
||||
+
|
||||
+#endif
|
||||
Index: krb5-1.16.1/src/lib/krb5/rcache/rc_dfl.c
|
||||
===================================================================
|
||||
--- krb5-1.16.1.orig/src/lib/krb5/rcache/rc_dfl.c
|
||||
+++ krb5-1.16.1/src/lib/krb5/rcache/rc_dfl.c
|
||||
@@ -793,6 +793,9 @@ krb5_rc_dfl_expunge_locked(krb5_context
|
||||
krb5_error_code retval = 0;
|
||||
krb5_rcache tmp;
|
||||
krb5_deltat lifespan = t->lifespan; /* save original lifespan */
|
||||
+#ifdef USE_SELINUX
|
||||
+ void *selabel;
|
||||
+#endif
|
||||
--
|
||||
2.20.1
|
||||
|
||||
if (! t->recovering) {
|
||||
name = t->name;
|
||||
@@ -814,7 +817,17 @@ krb5_rc_dfl_expunge_locked(krb5_context
|
||||
retval = krb5_rc_resolve(context, tmp, 0);
|
||||
if (retval)
|
||||
goto cleanup;
|
||||
+#ifdef USE_SELINUX
|
||||
+ if (t->d.fn != NULL)
|
||||
+ selabel = krb5int_push_fscreatecon_for(t->d.fn);
|
||||
+ else
|
||||
+ selabel = NULL;
|
||||
+#endif
|
||||
retval = krb5_rc_initialize(context, tmp, lifespan);
|
||||
+#ifdef USE_SELINUX
|
||||
+ if (selabel != NULL)
|
||||
+ krb5int_pop_fscreatecon(selabel);
|
||||
+#endif
|
||||
if (retval)
|
||||
goto cleanup;
|
||||
for (q = t->a; q; q = q->na) {
|
||||
Index: krb5-1.16.1/src/lib/krb5/ccache/cc_dir.c
|
||||
===================================================================
|
||||
--- krb5-1.16.1.orig/src/lib/krb5/ccache/cc_dir.c
|
||||
+++ krb5-1.16.1/src/lib/krb5/ccache/cc_dir.c
|
||||
@@ -183,10 +183,19 @@ write_primary_file(const char *primary_p
|
||||
char *newpath = NULL;
|
||||
FILE *fp = NULL;
|
||||
int fd = -1, status;
|
||||
+#ifdef USE_SELINUX
|
||||
+ void *selabel;
|
||||
+#endif
|
||||
|
||||
if (asprintf(&newpath, "%s.XXXXXX", primary_path) < 0)
|
||||
return ENOMEM;
|
||||
+#ifdef USE_SELINUX
|
||||
+ selabel = krb5int_push_fscreatecon_for(primary_path);
|
||||
+#endif
|
||||
fd = mkstemp(newpath);
|
||||
+#ifdef USE_SELINUX
|
||||
+ krb5int_pop_fscreatecon(selabel);
|
||||
+#endif
|
||||
if (fd < 0)
|
||||
goto cleanup;
|
||||
#ifdef HAVE_CHMOD
|
||||
@@ -221,10 +230,23 @@ static krb5_error_code
|
||||
verify_dir(krb5_context context, const char *dirname)
|
||||
{
|
||||
struct stat st;
|
||||
+ int status;
|
||||
+#ifdef USE_SELINUX
|
||||
+ void *selabel;
|
||||
+#endif
|
||||
|
||||
if (stat(dirname, &st) < 0) {
|
||||
- if (errno == ENOENT && mkdir(dirname, S_IRWXU) == 0)
|
||||
- return 0;
|
||||
+ if (errno == ENOENT) {
|
||||
+#ifdef USE_SELINUX
|
||||
+ selabel = krb5int_push_fscreatecon_for(dirname);
|
||||
+#endif
|
||||
+ status = mkdir(dirname, S_IRWXU);
|
||||
+#ifdef USE_SELINUX
|
||||
+ krb5int_pop_fscreatecon(selabel);
|
||||
+#endif
|
||||
+ if (status == 0)
|
||||
+ return 0;
|
||||
+ }
|
||||
k5_setmsg(context, KRB5_FCC_NOFILE,
|
||||
_("Credential cache directory %s does not exist"),
|
||||
dirname);
|
||||
Index: krb5-1.16.1/src/lib/krb5/os/trace.c
|
||||
===================================================================
|
||||
--- krb5-1.16.1.orig/src/lib/krb5/os/trace.c
|
||||
+++ krb5-1.16.1/src/lib/krb5/os/trace.c
|
||||
@@ -398,7 +398,7 @@ krb5_set_trace_filename(krb5_context con
|
||||
fd = malloc(sizeof(*fd));
|
||||
if (fd == NULL)
|
||||
return ENOMEM;
|
||||
- *fd = open(filename, O_WRONLY|O_CREAT|O_APPEND, 0600);
|
||||
+ *fd = THREEPARAMOPEN(filename, O_WRONLY|O_CREAT|O_APPEND, 0600);
|
||||
if (*fd == -1) {
|
||||
free(fd);
|
||||
return errno;
|
||||
Index: krb5-1.16.1/src/plugins/kdb/db2/kdb_db2.c
|
||||
===================================================================
|
||||
--- krb5-1.16.1.orig/src/plugins/kdb/db2/kdb_db2.c
|
||||
+++ krb5-1.16.1/src/plugins/kdb/db2/kdb_db2.c
|
||||
@@ -694,8 +694,8 @@ ctx_create_db(krb5_context context, krb5
|
||||
if (retval)
|
||||
return retval;
|
||||
|
||||
- dbc->db_lf_file = open(dbc->db_lf_name, O_CREAT | O_RDWR | O_TRUNC,
|
||||
- 0600);
|
||||
+ dbc->db_lf_file = THREEPARAMOPEN(dbc->db_lf_name,
|
||||
+ O_CREAT | O_RDWR | O_TRUNC, 0600);
|
||||
if (dbc->db_lf_file < 0) {
|
||||
retval = errno;
|
||||
goto cleanup;
|
||||
Index: krb5-1.16.1/src/plugins/kdb/db2/libdb2/recno/rec_open.c
|
||||
===================================================================
|
||||
--- krb5-1.16.1.orig/src/plugins/kdb/db2/libdb2/recno/rec_open.c
|
||||
+++ krb5-1.16.1/src/plugins/kdb/db2/libdb2/recno/rec_open.c
|
||||
@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)rec_open.c 8
|
||||
#include <stdio.h>
|
||||
#include <unistd.h>
|
||||
|
||||
+#include "k5-int.h"
|
||||
#include "db-int.h"
|
||||
#include "recno.h"
|
||||
|
||||
@@ -68,7 +69,8 @@ __rec_open(fname, flags, mode, openinfo,
|
||||
int rfd = -1, sverrno;
|
||||
|
||||
/* Open the user's file -- if this fails, we're done. */
|
||||
- if (fname != NULL && (rfd = open(fname, flags | O_BINARY, mode)) < 0)
|
||||
+ if (fname != NULL &&
|
||||
+ (rfd = THREEPARAMOPEN(fname, flags | O_BINARY, mode)) < 0)
|
||||
return (NULL);
|
||||
|
||||
if (fname != NULL && fcntl(rfd, F_SETFD, 1) == -1) {
|
||||
Index: krb5-1.16.1/src/kdc/main.c
|
||||
===================================================================
|
||||
--- krb5-1.16.1.orig/src/kdc/main.c
|
||||
+++ krb5-1.16.1/src/kdc/main.c
|
||||
@@ -873,7 +873,7 @@ write_pid_file(const char *path)
|
||||
FILE *file;
|
||||
unsigned long pid;
|
||||
|
||||
- file = fopen(path, "w");
|
||||
+ file = WRITABLEFOPEN(path, "w");
|
||||
if (file == NULL)
|
||||
return errno;
|
||||
pid = (unsigned long) getpid();
|
||||
Index: krb5-1.16.1/src/lib/kdb/kdb_log.c
|
||||
===================================================================
|
||||
--- krb5-1.16.1.orig/src/lib/kdb/kdb_log.c
|
||||
+++ krb5-1.16.1/src/lib/kdb/kdb_log.c
|
||||
@@ -484,7 +484,7 @@ ulog_map(krb5_context context, const cha
|
||||
if (extend_file_to(ulogfd, filesize) < 0)
|
||||
return errno;
|
||||
} else {
|
||||
- ulogfd = open(logname, O_RDWR, 0600);
|
||||
+ ulogfd = THREEPARAMOPEN(logname, O_RDWR | O_CREAT, 0600);
|
||||
if (ulogfd == -1)
|
||||
return errno;
|
||||
}
|
||||
Index: krb5-1.16.1/src/slave/kpropd.c
|
||||
===================================================================
|
||||
--- krb5-1.16.1.orig/src/slave/kpropd.c
|
||||
+++ krb5-1.16.1/src/slave/kpropd.c
|
||||
@@ -488,7 +488,9 @@ doit(int fd)
|
||||
krb5_enctype etype;
|
||||
int database_fd;
|
||||
char host[INET6_ADDRSTRLEN + 1];
|
||||
-
|
||||
+#ifdef USE_SELINUX
|
||||
+ void *selabel;
|
||||
+#endif
|
||||
signal_wrapper(SIGALRM, alarm_handler);
|
||||
alarm(params.iprop_resync_timeout);
|
||||
fromlen = sizeof(from);
|
||||
@@ -543,9 +545,15 @@ doit(int fd)
|
||||
free(name);
|
||||
exit(1);
|
||||
}
|
||||
+#ifdef USE_SELINUX
|
||||
+ selabel = krb5int_push_fscreatecon_for(file);
|
||||
+#endif
|
||||
omask = umask(077);
|
||||
lock_fd = open(temp_file_name, O_RDWR | O_CREAT, 0600);
|
||||
(void)umask(omask);
|
||||
+#ifdef USE_SELINUX
|
||||
+ krb5int_pop_fscreatecon(selabel);
|
||||
+#endif
|
||||
retval = krb5_lock_file(kpropd_context, lock_fd,
|
||||
KRB5_LOCKMODE_EXCLUSIVE | KRB5_LOCKMODE_DONTBLOCK);
|
||||
if (retval) {
|
44
0009-krb5-1.9-debuginfo.patch
Normal file
@ -0,0 +1,44 @@
|
||||
From ea232e6646a96e0b1dff41b1b1e0b30f95214ebe Mon Sep 17 00:00:00 2001
|
||||
From: Samuel Cabrero <scabrero@suse.de>
|
||||
Date: Mon, 14 Jan 2019 13:18:16 +0100
|
||||
Subject: [PATCH 9/9] krb5-1.9-debuginfo
|
||||
|
||||
Import krb5-1.9-debuginfo.patch
|
||||
|
||||
We want to keep these y.tab.c files around because the debuginfo points to
|
||||
them. It would be more elegant at the end to use symbolic links, but that
|
||||
could mess up people working in the tree on other things.
|
||||
---
|
||||
src/kadmin/cli/Makefile.in | 5 +++++
|
||||
src/plugins/kdb/ldap/ldap_util/Makefile.in | 2 +-
|
||||
2 files changed, 6 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/kadmin/cli/Makefile.in b/src/kadmin/cli/Makefile.in
|
||||
index adfea6e2b..d1327e400 100644
|
||||
--- a/src/kadmin/cli/Makefile.in
|
||||
+++ b/src/kadmin/cli/Makefile.in
|
||||
@@ -37,3 +37,8 @@ clean-unix::
|
||||
# CC_LINK is not meant for compilation and this use may break in the future.
|
||||
datetest: getdate.c
|
||||
$(CC_LINK) $(ALL_CFLAGS) -DTEST -o datetest getdate.c
|
||||
+
|
||||
+%.c: %.y
|
||||
+ $(RM) y.tab.c $@
|
||||
+ $(YACC.y) $<
|
||||
+ $(CP) y.tab.c $@
|
||||
diff --git a/src/plugins/kdb/ldap/ldap_util/Makefile.in b/src/plugins/kdb/ldap/ldap_util/Makefile.in
|
||||
index 8669c2436..a22f23c02 100644
|
||||
--- a/src/plugins/kdb/ldap/ldap_util/Makefile.in
|
||||
+++ b/src/plugins/kdb/ldap/ldap_util/Makefile.in
|
||||
@@ -20,7 +20,7 @@ $(PROG): $(OBJS) $(KADMSRV_DEPLIBS) $(KRB5_BASE_DEPLIB) $(GETDATE)
|
||||
getdate.c: $(GETDATE)
|
||||
$(RM) getdate.c y.tab.c
|
||||
$(YACC) $(GETDATE)
|
||||
- $(MV) y.tab.c getdate.c
|
||||
+ $(CP) y.tab.c getdate.c
|
||||
|
||||
install:
|
||||
$(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG)
|
||||
--
|
||||
2.20.1
|
||||
|
@ -1,12 +0,0 @@
|
||||
Set the default PATH to the one set by login.
|
||||
|
||||
--- krb5/src/clients/ksu/Makefile.in
|
||||
+++ krb5/src/clients/ksu/Makefile.in
|
||||
@@ -1,6 +1,6 @@
|
||||
mydir=clients$(S)ksu
|
||||
BUILDTOP=$(REL)..$(S)..
|
||||
-DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"'
|
||||
+DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/usr/local/sbin /usr/local/bin /sbin /bin /usr/sbin /usr/bin"'
|
||||
|
||||
KSU_LIBS=@KSU_LIBS@
|
||||
PAM_LIBS=@PAM_LIBS@
|
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:214ffe394e3ad0c730564074ec44f1da119159d94281bbec541dc29168d21117
|
||||
size 9477480
|
@ -1,17 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
Version: GnuPG v1
|
||||
|
||||
iQIVAwUAWushEwy6CFdfg3LfAQJ+eBAAijTUBfXzCuxCwbDhCFYb1fIbHMkKkTuq
|
||||
knFKv0VbALW1qUAj5v35A6GjDam6a33bMvGX8MzbGK/a9IDkpvaaXP/c37V4OfiQ
|
||||
MhA6uQl0vxBMoCZqAFEVcWd6+M/0rY0WBZKpXRiZxxuSNPnSXn1l9fQAcrYKGb7I
|
||||
YpaAWnzw+cc1k4Xi+GaaSghEYA4dX7TXh1fViJyHaNSESYZjH3J6wEdPm6LtZk6q
|
||||
GwJw/ieMQi8djde0AhCbzMHWiaeW3jNPOJmpd3mpY04BAAkzGCyRiYGscxb6ge4u
|
||||
ag2fojv7rbnJxDzy9RO0ZP0+fVPDMwInZ5GHPftbraSDFkTH2JBAYFudPsLDAoRK
|
||||
FdjLeHpvuU5ifXWrLyshVYYfeXSe0fHz9Xhfhq2/OmfBD6vQl5k86z8IqxNm4ujy
|
||||
ziypmTzHFnP/sBKlMgSMdDEKoKZHxevVQM5eJQd1XGexmwogkSPX8mwoEc0q4dtZ
|
||||
h5w/fCu4ERA0BihvnQMZCZgwe32pO27ccPc6PqNHffUSLOq74J4gBHeoAoZ+SYPu
|
||||
33oG7wxh+8WONzEGujl1lmxHFstij/njg8nULQ6bo6hSZnlMD0gU59mG9seC2jjr
|
||||
E4aM4TXd1ixxPzM/cqxfI9SalytwYW0gn7Vuyj3P8xIZ5GQZiTsD7XWJqzb3xHmA
|
||||
2JSQt4TK3Cc=
|
||||
=9z9K
|
||||
-----END PGP SIGNATURE-----
|
3
krb5-1.17.tar.gz
Normal file
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:5a6e2284a53de5702d3dc2be3b9339c963f9b5397d3fbbc53beb249380a781f5
|
||||
size 8761763
|
17
krb5-1.17.tar.gz.asc
Normal file
@ -0,0 +1,17 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
Version: GnuPG v1
|
||||
|
||||
iQIcBAABAgAGBQJcNMxOAAoJEAy6CFdfg3LfjAwP/2/oQe+4Bs/XwZTwNfakTbBl
|
||||
YHSY8MNAHIKsLh6Bn+SJBQQXSE0fEsm0hYH+JWz85+mzlZk7TbNZUI+zeikhLxi6
|
||||
+d8MMQBpk2mQN0dkIeWjTdfkcThGCDSL7l0fh3MuEfN5C7QPAPD1JL1ZeqXPH5AV
|
||||
PSQRC9s2wiOTwwuHM2i27rZ7gdhL/xfJ3ZPUFJH4klRgszwp9j10I/nh4/XyS/wB
|
||||
82umjfusFPa9VNSPzm1jm94oRmALkR3CHGvmku2XD3YOv/f5yO8C1cHWNNLxg+5h
|
||||
EqVv05ddb6iLku4fRhkEjfN3VgCtEvXuMkuAXppkDJJ7wWxMBWgCIr1DS/x7LfbL
|
||||
CI0ZTejn8HCUBNmRWsKkUuebgHJ7ccch8p/Fp0cV4eT1FL35N2oV51u7+/zK6R8y
|
||||
1dygUF2VWFOqwm8cyczdFue7dFQVDGCw7R2eK5lXY3NpZVmJblQ/gNLMcbOxGBis
|
||||
H2dOzSn+CnxlD/2LqOZnhQ1WnGBhOMxoINwX/MQsIvkwAFaM1EsdhPIP/6mSVA/g
|
||||
p04+YQ2u2ag7Pq3zHsMIonC18w4ZqDPcvXvOXqCHtlQBDAMtb927XvjoTNj5W8Ei
|
||||
jywxqdWuuqalmrKGPEsKVOJZN6xg7UTgaKzcvQTvW7D3gLbrTT2iM++VKB3vh9V9
|
||||
SkULnR3c7fKMzFeLb/Q2
|
||||
=4hZX
|
||||
-----END PGP SIGNATURE-----
|
@ -1,13 +0,0 @@
|
||||
Index: krb5-1.10.2/src/lib/gssapi/generic/disp_com_err_status.c
|
||||
===================================================================
|
||||
--- krb5-1.10.2.orig/src/lib/gssapi/generic/disp_com_err_status.c
|
||||
+++ krb5-1.10.2/src/lib/gssapi/generic/disp_com_err_status.c
|
||||
@@ -52,7 +52,7 @@ g_display_com_err_status(OM_uint32 *mino
|
||||
status_string->value = NULL;
|
||||
|
||||
if (! g_make_string_buffer(((status_value == 0)?no_error:
|
||||
- error_message(status_value)),
|
||||
+ error_message((long)status_value)),
|
||||
status_string)) {
|
||||
*minor_status = ENOMEM;
|
||||
return(GSS_S_FAILURE);
|
@ -1,27 +0,0 @@
|
||||
---
|
||||
src/man/ktutil.man | 12 ++++++++++++
|
||||
1 file changed, 12 insertions(+)
|
||||
|
||||
Index: krb5-1.12.2/src/man/ktutil.man
|
||||
===================================================================
|
||||
--- krb5-1.12.2.orig/src/man/ktutil.man 2014-08-30 23:06:53.000000000 +0100
|
||||
+++ krb5-1.12.2/src/man/ktutil.man 2014-08-30 23:07:00.000000000 +0100
|
||||
@@ -162,6 +162,18 @@ ktutil:
|
||||
.UNINDENT
|
||||
.UNINDENT
|
||||
.UNINDENT
|
||||
+.SH REMARKS
|
||||
+Changes to the keytab are appended to the keytab file (i.e., the keytab file
|
||||
+is never overwritten). To directly modify a keytab, save the changes to a
|
||||
+temporary file and then overwrite the keytab file of interest.
|
||||
+.TP
|
||||
+.nf
|
||||
+Example:
|
||||
+ktutil> rkt /etc/krb5.keytab
|
||||
+(modifications to keytab)
|
||||
+ktutil> wkt /tmp/krb5.newtab
|
||||
+ktutil> q
|
||||
+# mv /tmp/krb5.newtab /etc/krb5.keytab
|
||||
.SH SEE ALSO
|
||||
.sp
|
||||
\fIkadmin(1)\fP, \fIkdb5_util(8)\fP
|
@ -1,26 +0,0 @@
|
||||
We want to keep these y.tab.c files around because the debuginfo points to
|
||||
them. It would be more elegant at the end to use symbolic links, but that
|
||||
could mess up people working in the tree on other things.
|
||||
|
||||
--- krb5-1.15.orig/src/kadmin/cli/Makefile.in
|
||||
+++ krb5-1.15/src/kadmin/cli/Makefile.in
|
||||
@@ -37,3 +37,8 @@
|
||||
# CC_LINK is not meant for compilation and this use may break in the future.
|
||||
datetest: getdate.c
|
||||
$(CC_LINK) $(ALL_CFLAGS) -DTEST -o datetest getdate.c
|
||||
+
|
||||
+%.c: %.y
|
||||
+ $(RM) y.tab.c $@
|
||||
+ $(YACC.y) $<
|
||||
+ $(CP) y.tab.c $@
|
||||
--- krb5-1.15.orig/src/plugins/kdb/ldap/ldap_util/Makefile.in
|
||||
+++ krb5-1.15/src/plugins/kdb/ldap/ldap_util/Makefile.in
|
||||
@@ -20,7 +20,7 @@
|
||||
getdate.c: $(GETDATE)
|
||||
$(RM) getdate.c y.tab.c
|
||||
$(YACC) $(GETDATE)
|
||||
- $(MV) y.tab.c getdate.c
|
||||
+ $(CP) y.tab.c getdate.c
|
||||
|
||||
install:
|
||||
$(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG)
|
@ -1,18 +0,0 @@
|
||||
Change the absolute paths included in the man pages so that the correct
|
||||
values can be dropped in by config.status. After applying this patch,
|
||||
these files should be renamed to their ".in" counterparts, and then the
|
||||
configure scripts should be rebuilt. Originally RT#6525
|
||||
|
||||
Index: krb5-1.11/src/man/kpropd.man
|
||||
===================================================================
|
||||
--- krb5-1.11.orig/src/man/kpropd.man
|
||||
+++ krb5-1.11/src/man/kpropd.man
|
||||
@@ -63,7 +63,7 @@ the \fB/etc/inetd.conf\fP file which loo
|
||||
.sp
|
||||
.nf
|
||||
.ft C
|
||||
-kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd
|
||||
+kprop stream tcp nowait root @SBINDIR@/kpropd kpropd
|
||||
.ft P
|
||||
.fi
|
||||
.UNINDENT
|
@ -1,3 +1,74 @@
|
||||
-------------------------------------------------------------------
|
||||
Wed Feb 13 17:45:34 UTC 2019 - Jan Engelhardt <jengelh@inai.de>
|
||||
|
||||
- Replace old $RPM_* shell vars
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Jan 14 16:10:06 UTC 2019 - Samuel Cabrero <scabrero@suse.de>
|
||||
|
||||
- Upgrade to 1.17. Major changes:
|
||||
Administrator experience:
|
||||
* A new Kerberos database module using the Lightning Memory-Mapped
|
||||
Database library (LMDB) has been added. The LMDB KDB module should
|
||||
be more performant and more robust than the DB2 module, and may
|
||||
become the default module for new databases in a future release.
|
||||
* "kdb5_util dump" will no longer dump policy entries when specific
|
||||
principal names are requested.
|
||||
Developer experience:
|
||||
* The new krb5_get_etype_info() API can be used to retrieve enctype,
|
||||
salt, and string-to-key parameters from the KDC for a client
|
||||
principal.
|
||||
* The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise
|
||||
principal names to be used with GSS-API functions.
|
||||
* KDC and kadmind modules which call com_err() will now write to the
|
||||
log file in a format more consistent with other log messages.
|
||||
* Programs which use large numbers of memory credential caches should
|
||||
perform better.
|
||||
Protocol evolution:
|
||||
* The SPAKE pre-authentication mechanism is now supported. This
|
||||
mechanism protects against password dictionary attacks without
|
||||
requiring any additional infrastructure such as certificates. SPAKE
|
||||
is enabled by default on clients, but must be manually enabled on
|
||||
the KDC for this release.
|
||||
* PKINIT freshness tokens are now supported. Freshness tokens can
|
||||
protect against scenarios where an attacker uses temporary access to
|
||||
a smart card to generate authentication requests for the future.
|
||||
* Password change operations now prefer TCP over UDP, to avoid
|
||||
spurious error messages about replays when a response packet is
|
||||
dropped.
|
||||
* The KDC now supports cross-realm S4U2Self requests when used with a
|
||||
third-party KDB module such as Samba's. The client code for
|
||||
cross-realm S4U2Self requests is also now more robust.
|
||||
User experience:
|
||||
* The new ktutil addent -f flag can be used to fetch salt information
|
||||
from the KDC for password-based keys.
|
||||
* The new kdestroy -p option can be used to destroy a credential cache
|
||||
within a collection by client principal name.
|
||||
* The Kerberos man page has been restored, and documents the
|
||||
environment variables that affect programs using the Kerberos
|
||||
library.
|
||||
Code quality:
|
||||
* Python test scripts now use Python 3.
|
||||
* Python test scripts now display markers in verbose output, making it
|
||||
easier to find where a failure occurred within the scripts.
|
||||
* The Windows build system has been simplified and updated to work
|
||||
with more recent versions of Visual Studio. A large volume of
|
||||
unused Windows-specific code has been removed. Visual Studio 2013
|
||||
or later is now required.
|
||||
- Use systemd-tmpfiles to create files under /var/lib/kerberos, required
|
||||
by transactional updates; (bsc#1100126);
|
||||
- Rename patches:
|
||||
* krb5-1.12-pam.patch => 0001-krb5-1.12-pam.patch
|
||||
* krb5-1.9-manpaths.dif => 0002-krb5-1.9-manpaths.patch
|
||||
* krb5-1.12-buildconf.patch => 0003-krb5-1.12-buildconf.patch
|
||||
* krb5-1.6.3-gssapi_improve_errormessages.dif to
|
||||
0004-krb5-1.6.3-gssapi_improve_errormessages.patch
|
||||
* krb5-1.6.3-ktutil-manpage.dif => 0005-krb5-1.6.3-ktutil-manpage.patch
|
||||
* krb5-1.12-api.patch => 0006-krb5-1.12-api.patch
|
||||
* krb5-1.12-ksu-path.patch => 0007-krb5-1.12-ksu-path.patch
|
||||
* krb5-1.12-selinux-label.patch => 0008-krb5-1.12-selinux-label.patch
|
||||
* krb5-1.9-debuginfo.patch => 0009-krb5-1.9-debuginfo.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Oct 9 20:13:24 UTC 2018 - James McDonough <jmcdonough@suse.com>
|
||||
|
||||
@ -1797,4 +1868,3 @@ Wed Nov 3 18:52:07 CET 2004 - mc@suse.de
|
||||
Thu Oct 28 17:58:41 CEST 2004 - mc@suse.de
|
||||
|
||||
- Initital checkin
|
||||
|
||||
|
114
krb5-mini.spec
114
krb5-mini.spec
@ -1,7 +1,7 @@
|
||||
#
|
||||
# spec file for package krb5-mini
|
||||
#
|
||||
# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
|
||||
# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
@ -21,26 +21,26 @@
|
||||
%define _fillupdir /var/adm/fillup-templates
|
||||
%endif
|
||||
|
||||
%define srcRoot krb5-1.16.1
|
||||
%define srcRoot krb5-%{version}
|
||||
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
|
||||
%define krb5docdir %{_defaultdocdir}/krb5
|
||||
|
||||
Name: krb5-mini
|
||||
Url: https://web.mit.edu/kerberos/www/
|
||||
Version: 1.17
|
||||
Release: 0
|
||||
Summary: MIT Kerberos5 implementation and libraries with minimal dependencies
|
||||
License: MIT
|
||||
Group: Productivity/Networking/Security
|
||||
URL: https://web.mit.edu/kerberos/www/
|
||||
Obsoletes: krb5-plugin-preauth-pkinit-nss
|
||||
BuildRequires: autoconf
|
||||
BuildRequires: bison
|
||||
BuildRequires: keyutils
|
||||
BuildRequires: keyutils-devel
|
||||
BuildRequires: libcom_err-devel
|
||||
BuildRequires: libselinux-devel
|
||||
BuildRequires: ncurses-devel
|
||||
Version: 1.16.1
|
||||
Release: 0
|
||||
Summary: MIT Kerberos5 implementation and libraries with minimal dependencies
|
||||
License: MIT
|
||||
Group: Productivity/Networking/Security
|
||||
Obsoletes: krb5-plugin-preauth-pkinit-nss
|
||||
BuildRequires: libverto-devel
|
||||
BuildRequires: ncurses-devel
|
||||
# bug437293
|
||||
%ifarch ppc64
|
||||
Obsoletes: krb5-64bit
|
||||
@ -52,21 +52,22 @@ Conflicts: krb5-server
|
||||
Conflicts: krb5-plugin-kdb-ldap
|
||||
Conflicts: krb5-plugin-preauth-pkinit
|
||||
Conflicts: krb5-plugin-preauth-otp
|
||||
Source0: https://web.mit.edu/kerberos/dist/krb5/1.16/krb5-%{version}.tar.gz
|
||||
Source1: https://web.mit.edu/kerberos/dist/krb5/1.16/krb5-%{version}.tar.gz.asc
|
||||
Source0: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}.tar.gz
|
||||
Source1: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}.tar.gz.asc
|
||||
Source2: krb5.keyring
|
||||
Source3: vendor-files.tar.bz2
|
||||
Source4: baselibs.conf
|
||||
Source5: krb5-rpmlintrc
|
||||
Patch1: krb5-1.12-pam.patch
|
||||
Patch2: krb5-1.9-manpaths.dif
|
||||
Patch3: krb5-1.12-buildconf.patch
|
||||
Patch4: krb5-1.6.3-gssapi_improve_errormessages.dif
|
||||
Patch6: krb5-1.6.3-ktutil-manpage.dif
|
||||
Patch8: krb5-1.12-api.patch
|
||||
Patch11: krb5-1.12-ksu-path.patch
|
||||
Patch12: krb5-1.12-selinux-label.patch
|
||||
Patch13: krb5-1.9-debuginfo.patch
|
||||
Source6: krb5.tmpfiles
|
||||
Patch1: 0001-krb5-1.12-pam.patch
|
||||
Patch2: 0002-krb5-1.9-manpaths.patch
|
||||
Patch3: 0003-krb5-1.12-buildconf.patch
|
||||
Patch4: 0004-krb5-1.6.3-gssapi_improve_errormessages.patch
|
||||
Patch5: 0005-krb5-1.6.3-ktutil-manpage.patch
|
||||
Patch6: 0006-krb5-1.12-api.patch
|
||||
Patch7: 0007-krb5-1.12-ksu-path.patch
|
||||
Patch8: 0008-krb5-1.12-selinux-label.patch
|
||||
Patch9: 0009-krb5-1.9-debuginfo.patch
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
PreReq: %fillup_prereq
|
||||
|
||||
@ -104,11 +105,11 @@ Include Files for Development
|
||||
%patch2 -p1
|
||||
%patch3 -p1
|
||||
%patch4 -p1
|
||||
%patch5 -p1
|
||||
%patch6 -p1
|
||||
%patch7 -p1
|
||||
%patch8 -p1
|
||||
%patch11 -p1
|
||||
%patch12 -p1
|
||||
%patch13 -p1
|
||||
%patch9 -p1
|
||||
|
||||
%build
|
||||
# needs to be re-generated
|
||||
@ -118,7 +119,7 @@ autoreconf -fi
|
||||
DEFCCNAME=DIR:/run/user/%%{uid}/krb5cc; export DEFCCNAME
|
||||
./configure \
|
||||
CC="%{__cc}" \
|
||||
CFLAGS="$RPM_OPT_FLAGS -I%{_includedir}/et -fno-strict-aliasing -D_GNU_SOURCE -fPIC $(getconf LFS_CFLAGS)" \
|
||||
CFLAGS="%{optflags} -I%{_includedir}/et -fno-strict-aliasing -D_GNU_SOURCE -fPIC $(getconf LFS_CFLAGS)" \
|
||||
CPPFLAGS="-I%{_includedir}/et " \
|
||||
SS_LIB="-lss" \
|
||||
--prefix=/usr/lib/mit \
|
||||
@ -147,25 +148,19 @@ make %{?_smp_mflags}
|
||||
cp man/kadmin.man man/kadmin.local.8
|
||||
|
||||
%install
|
||||
|
||||
# Where per-user keytabs live by default.
|
||||
mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/lib/kerberos/krb5/user
|
||||
mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/log/krb5
|
||||
|
||||
cd src
|
||||
make DESTDIR=%{buildroot} install
|
||||
cd ..
|
||||
mkdir -p %{buildroot}/%{_localstatedir}/log/krb5
|
||||
%make_install -C src
|
||||
# Munge krb5-config yet again. This is totally wrong for 64-bit, but chunks
|
||||
# of the buildconf patch already conspire to strip out /usr/<anything> from the
|
||||
# list of link flags, and it helps prevent file conflicts on multilib systems.
|
||||
sed -r -i -e 's|^libdir=/usr/lib(64)?$|libdir=/usr/lib|g' $RPM_BUILD_ROOT/usr/lib/mit/bin/krb5-config
|
||||
sed -r -i -e 's|^libdir=/usr/lib(64)?$|libdir=/usr/lib|g' %{buildroot}/usr/lib/mit/bin/krb5-config
|
||||
|
||||
# install autoconf macro
|
||||
mkdir -p %{buildroot}/%{_datadir}/aclocal
|
||||
install -m 644 src/util/ac_check_krb5.m4 %{buildroot}%{_datadir}/aclocal/
|
||||
# install sample config files
|
||||
# I'll probably do something about this later on
|
||||
mkdir -p %{buildroot}%{_sysconfdir} %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc
|
||||
mkdir -p %{buildroot}%{_sysconfdir}
|
||||
mkdir -p %{buildroot}%{_sysconfdir}/krb5.conf.d
|
||||
mkdir -p %{buildroot}/etc/profile.d/
|
||||
mkdir -p %{buildroot}/var/log/krb5
|
||||
@ -176,13 +171,22 @@ mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/preauth
|
||||
mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/libkrb5
|
||||
mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/tls
|
||||
install -m 644 %{vendorFiles}/krb5.conf %{buildroot}%{_sysconfdir}
|
||||
install -m 600 %{vendorFiles}/kdc.conf %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc/
|
||||
install -m 600 %{vendorFiles}/kadm5.acl %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc/
|
||||
install -m 600 %{vendorFiles}/kadm5.dict %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc/
|
||||
install -m 644 %{vendorFiles}/krb5.csh.profile %{buildroot}/etc/profile.d/krb5.csh
|
||||
install -m 644 %{vendorFiles}/krb5.sh.profile %{buildroot}/etc/profile.d/krb5.sh
|
||||
install -m 644 %{vendorFiles}/SuSEFirewall.kdc %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/kdc
|
||||
install -m 644 %{vendorFiles}/SuSEFirewall.kadmind %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/kadmind
|
||||
|
||||
# Do not write directly to /var/lib/kerberos anymore as it breaks transactional
|
||||
# updates. Use systemd-tmpfiles to copy the files there when it doesn't exist
|
||||
install -d -m 0755 %{buildroot}/usr/lib/tmpfiles.d/
|
||||
install -m 644 %{SOURCE6} %{buildroot}/usr/lib/tmpfiles.d/krb5.conf
|
||||
mkdir -p %{buildroot}/%{_datadir}/kerberos/krb5kdc
|
||||
# Where per-user keytabs live by default.
|
||||
mkdir -p %{buildroot}/%{_datadir}/kerberos/krb5/user
|
||||
install -m 600 %{vendorFiles}/kdc.conf %{buildroot}%{_datadir}/kerberos/krb5kdc/
|
||||
install -m 600 %{vendorFiles}/kadm5.acl %{buildroot}%{_datadir}/kerberos/krb5kdc/
|
||||
install -m 600 %{vendorFiles}/kadm5.dict %{buildroot}%{_datadir}/kerberos/krb5kdc/
|
||||
|
||||
# all libs must have permissions 0755
|
||||
for lib in `find %{buildroot}/%{_libdir}/ -type f -name "*.so*"`
|
||||
do
|
||||
@ -204,9 +208,9 @@ install -m 755 %{vendorFiles}/krb5kdc.init %{buildroot}%{_sysconfdir}/init.d/krb
|
||||
install -m 755 %{vendorFiles}/kpropd.init %{buildroot}%{_sysconfdir}/init.d/kpropd
|
||||
%endif
|
||||
# install sysconfig templates
|
||||
mkdir -p $RPM_BUILD_ROOT/%{_fillupdir}
|
||||
install -m 644 %{vendorFiles}/sysconfig.kadmind $RPM_BUILD_ROOT/%{_fillupdir}/
|
||||
install -m 644 %{vendorFiles}/sysconfig.krb5kdc $RPM_BUILD_ROOT/%{_fillupdir}/
|
||||
mkdir -p %{buildroot}/%{_fillupdir}
|
||||
install -m 644 %{vendorFiles}/sysconfig.kadmind %{buildroot}/%{_fillupdir}/
|
||||
install -m 644 %{vendorFiles}/sysconfig.krb5kdc %{buildroot}/%{_fillupdir}/
|
||||
# install logrotate files
|
||||
mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d
|
||||
install -m 644 %{vendorFiles}/krb5-server.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/krb5-server
|
||||
@ -239,10 +243,10 @@ install -m 644 %{_builddir}/%{srcRoot}/README %{buildroot}/%{krb5docdir}/README
|
||||
rm -f %{buildroot}/usr/share/man/man1/tmac.doc*
|
||||
rm -f /usr/share/man/man1/tmac.doc*
|
||||
rm -rf %{buildroot}/usr/lib/mit/share/examples
|
||||
# manually remove otp plugin for krb5-mini since configure
|
||||
# manually remove otp, spake and test plugin for krb5-mini since configure
|
||||
# doesn't support disabling it at build time
|
||||
rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/otp.so
|
||||
# manually remove test plugin since configure doesn't support disabling it at build time
|
||||
rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/spake.so
|
||||
rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so
|
||||
|
||||
%find_lang mit-krb5
|
||||
@ -261,6 +265,7 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so
|
||||
%post
|
||||
/sbin/ldconfig
|
||||
%service_add_post krb5kdc.service kadmind.service kpropd.service
|
||||
%tmpfiles_create krb5.conf
|
||||
%{fillup_only -n kadmind}
|
||||
%{fillup_only -n krb5kdc}
|
||||
%{fillup_only -n kpropd}
|
||||
@ -313,10 +318,6 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so
|
||||
%dir %{_libdir}/krb5/plugins/preauth
|
||||
%dir %{_libdir}/krb5/plugins/libkrb5
|
||||
%dir %{_libdir}/krb5/plugins/tls
|
||||
%dir %{_localstatedir}/lib/kerberos/
|
||||
%dir %{_localstatedir}/lib/kerberos/krb5kdc
|
||||
%dir %{_localstatedir}/lib/kerberos/krb5
|
||||
%dir %{_localstatedir}/lib/kerberos/krb5/user
|
||||
%attr(0700,root,root) %dir /var/log/krb5
|
||||
%dir /usr/lib/mit
|
||||
%dir /usr/lib/mit/sbin
|
||||
@ -326,9 +327,6 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so
|
||||
%dir %{_sysconfdir}/krb5.conf.d
|
||||
%attr(0644,root,root) %config /etc/profile.d/krb5*
|
||||
%config(noreplace) %{_sysconfdir}/logrotate.d/krb5-server
|
||||
%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kdc.conf
|
||||
%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.acl
|
||||
%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.dict
|
||||
%config %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/k*
|
||||
%{_fillupdir}/sysconfig.*
|
||||
%{_unitdir}/kadmind.service
|
||||
@ -345,6 +343,21 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so
|
||||
%{_libdir}/libkrad.so.*
|
||||
%{_libdir}/krb5/plugins/kdb/*
|
||||
%{_libdir}/krb5/plugins/tls/*
|
||||
%{_libexecdir}/tmpfiles.d/krb5.conf
|
||||
%dir %{_datadir}/kerberos/
|
||||
%dir %{_datadir}/kerberos/krb5kdc
|
||||
%dir %{_datadir}/kerberos/krb5
|
||||
%dir %{_datadir}/kerberos/krb5/user
|
||||
%attr(0600,root,root) %config(noreplace) %{_datadir}/kerberos/krb5kdc/kdc.conf
|
||||
%attr(0600,root,root) %config(noreplace) %{_datadir}/kerberos/krb5kdc/kadm5.acl
|
||||
%attr(0600,root,root) %config(noreplace) %{_datadir}/kerberos/krb5kdc/kadm5.dict
|
||||
%ghost %dir %{_sharedstatedir}/kerberos/
|
||||
%ghost %dir %{_sharedstatedir}/kerberos/krb5kdc
|
||||
%ghost %dir %{_sharedstatedir}/kerberos/krb5
|
||||
%ghost %dir %{_sharedstatedir}/kerberos/krb5/user
|
||||
%ghost %attr(0600,root,root) %config(noreplace) %{_sharedstatedir}/kerberos/krb5kdc/kdc.conf
|
||||
%ghost %attr(0600,root,root) %config(noreplace) %{_sharedstatedir}/kerberos/krb5kdc/kadm5.acl
|
||||
%ghost %attr(0600,root,root) %config(noreplace) %{_sharedstatedir}/kerberos/krb5kdc/kadm5.dict
|
||||
/usr/lib/mit/sbin/kadmin.local
|
||||
/usr/lib/mit/sbin/kadmind
|
||||
/usr/lib/mit/sbin/kpropd
|
||||
@ -387,6 +400,7 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so
|
||||
%{_mandir}/man5/*
|
||||
%{_mandir}/man5/.k5login.5.gz
|
||||
%{_mandir}/man5/.k5identity.5*
|
||||
%{_mandir}/man7/kerberos.7.gz
|
||||
%{_mandir}/man8/*
|
||||
|
||||
%changelog
|
||||
|
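Review bot: The tmpfiles snippet is installed to a hard-coded `%{buildroot}/usr/lib/tmpfiles.d/krb5.conf` in `%install` but listed in `%files` as `%{_libexecdir}/tmpfiles.d/krb5.conf`, so the two paths agree only while `%{_libexecdir}` expands to `/usr/lib`. On any target where it does not, the build breaks on a missing or unpackaged file. Using the systemd macro on both sides keeps them in step: `install -m 644 %{SOURCE6} %{buildroot}%{_tmpfilesdir}/krb5.conf` and `%{_tmpfilesdir}/krb5.conf`. This matters because `%post` now depends on `%tmpfiles_create krb5.conf` to place the 0600 `kdc.conf`, `kadm5.acl` and `kadm5.dict` under /var/lib/kerberos. krb5.spec carries the same pair of lines, with `%{SOURCE7}`.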
@ -1,6 +1,8 @@
|
||||
addFilter("devel-file-in-non-devel-package .*libgssapi_krb5.so")
|
||||
addFilter("hidden-file-or-dir .*/usr/share/man/man5/.k5login.5.gz")
|
||||
addFilter("hidden-file-or-dir .*/usr/share/man/man5/.k5identity.5.gz")
|
||||
addFilter("files-duplicate .*css")
|
||||
addFilter("files-duplicate .*img.*png")
|
||||
addFilter("devel-file-in-non-devel-package .*libkdb_ldap.so")
|
||||
addFilter("shlib-policy-missing-suffix")
|
||||
addFilter("non-etc-or-var-file-marked-as-conffile")
|
||||
|
72
krb5.changes
72
krb5.changes
@ -1,3 +1,74 @@
|
||||
-------------------------------------------------------------------
|
||||
Wed Feb 13 17:45:34 UTC 2019 - Jan Engelhardt <jengelh@inai.de>
|
||||
|
||||
- Replace old $RPM_* shell vars
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Jan 14 16:10:06 UTC 2019 - Samuel Cabrero <scabrero@suse.de>
|
||||
|
||||
- Upgrade to 1.17. Major changes:
|
||||
Administrator experience:
|
||||
* A new Kerberos database module using the Lightning Memory-Mapped
|
||||
Database library (LMDB) has been added. The LMDB KDB module should
|
||||
be more performant and more robust than the DB2 module, and may
|
||||
become the default module for new databases in a future release.
|
||||
* "kdb5_util dump" will no longer dump policy entries when specific
|
||||
principal names are requested.
|
||||
Developer experience:
|
||||
* The new krb5_get_etype_info() API can be used to retrieve enctype,
|
||||
salt, and string-to-key parameters from the KDC for a client
|
||||
principal.
|
||||
* The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise
|
||||
principal names to be used with GSS-API functions.
|
||||
* KDC and kadmind modules which call com_err() will now write to the
|
||||
log file in a format more consistent with other log messages.
|
||||
* Programs which use large numbers of memory credential caches should
|
||||
perform better.
|
||||
Protocol evolution:
|
||||
* The SPAKE pre-authentication mechanism is now supported. This
|
||||
mechanism protects against password dictionary attacks without
|
||||
requiring any additional infrastructure such as certificates. SPAKE
|
||||
is enabled by default on clients, but must be manually enabled on
|
||||
the KDC for this release.
|
||||
* PKINIT freshness tokens are now supported. Freshness tokens can
|
||||
protect against scenarios where an attacker uses temporary access to
|
||||
a smart card to generate authentication requests for the future.
|
||||
* Password change operations now prefer TCP over UDP, to avoid
|
||||
spurious error messages about replays when a response packet is
|
||||
dropped.
|
||||
* The KDC now supports cross-realm S4U2Self requests when used with a
|
||||
third-party KDB module such as Samba's. The client code for
|
||||
cross-realm S4U2Self requests is also now more robust.
|
||||
User experience:
|
||||
* The new ktutil addent -f flag can be used to fetch salt information
|
||||
from the KDC for password-based keys.
|
||||
* The new kdestroy -p option can be used to destroy a credential cache
|
||||
within a collection by client principal name.
|
||||
* The Kerberos man page has been restored, and documents the
|
||||
environment variables that affect programs using the Kerberos
|
||||
library.
|
||||
Code quality:
|
||||
* Python test scripts now use Python 3.
|
||||
* Python test scripts now display markers in verbose output, making it
|
||||
easier to find where a failure occurred within the scripts.
|
||||
* The Windows build system has been simplified and updated to work
|
||||
with more recent versions of Visual Studio. A large volume of
|
||||
unused Windows-specific code has been removed. Visual Studio 2013
|
||||
or later is now required.
|
||||
- Use systemd-tmpfiles to create files under /var/lib/kerberos, required
|
||||
by transactional updates; (bsc#1100126);
|
||||
- Rename patches:
|
||||
* krb5-1.12-pam.patch => 0001-krb5-1.12-pam.patch
|
||||
* krb5-1.9-manpaths.dif => 0002-krb5-1.9-manpaths.patch
|
||||
* krb5-1.12-buildconf.patch => 0003-krb5-1.12-buildconf.patch
|
||||
* krb5-1.6.3-gssapi_improve_errormessages.dif to
|
||||
0004-krb5-1.6.3-gssapi_improve_errormessages.patch
|
||||
* krb5-1.6.3-ktutil-manpage.dif => 0005-krb5-1.6.3-ktutil-manpage.patch
|
||||
* krb5-1.12-api.patch => 0006-krb5-1.12-api.patch
|
||||
* krb5-1.12-ksu-path.patch => 0007-krb5-1.12-ksu-path.patch
|
||||
* krb5-1.12-selinux-label.patch => 0008-krb5-1.12-selinux-label.patch
|
||||
* krb5-1.9-debuginfo.patch => 0009-krb5-1.9-debuginfo.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Oct 9 20:00:21 UTC 2018 - James McDonough <jmcdonough@suse.com>
|
||||
|
||||
@ -1860,4 +1931,3 @@ Wed Nov 3 18:52:07 CET 2004 - mc@suse.de
|
||||
Thu Oct 28 17:58:41 CEST 2004 - mc@suse.de
|
||||
|
||||
- Initital checkin
|
||||
|
||||
|
130
krb5.spec
130
krb5.spec
@ -1,7 +1,7 @@
|
||||
#
|
||||
# spec file for package krb5
|
||||
#
|
||||
# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
|
||||
# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
@ -22,22 +22,22 @@
|
||||
%endif
|
||||
|
||||
Name: krb5
|
||||
Url: https://web.mit.edu/kerberos/www/
|
||||
Version: 1.17
|
||||
Release: 0
|
||||
Summary: MIT Kerberos5 implementation
|
||||
License: MIT
|
||||
Group: Productivity/Networking/Security
|
||||
URL: https://web.mit.edu/kerberos/www/
|
||||
Obsoletes: krb5-plugin-preauth-pkinit-nss
|
||||
BuildRequires: autoconf
|
||||
BuildRequires: bison
|
||||
BuildRequires: keyutils
|
||||
BuildRequires: keyutils-devel
|
||||
BuildRequires: libcom_err-devel
|
||||
BuildRequires: libselinux-devel
|
||||
BuildRequires: ncurses-devel
|
||||
Version: 1.16.1
|
||||
Release: 0
|
||||
Summary: MIT Kerberos5 implementation
|
||||
License: MIT
|
||||
Group: Productivity/Networking/Security
|
||||
Obsoletes: krb5-plugin-preauth-pkinit-nss
|
||||
BuildRequires: libopenssl-devel
|
||||
BuildRequires: libselinux-devel
|
||||
BuildRequires: libverto-devel
|
||||
BuildRequires: ncurses-devel
|
||||
BuildRequires: openldap2-devel
|
||||
BuildRequires: pam-devel
|
||||
BuildRequires: pkgconfig(systemd)
|
||||
@ -46,22 +46,23 @@ BuildRequires: pkgconfig(systemd)
|
||||
Obsoletes: krb5-64bit
|
||||
%endif
|
||||
Conflicts: krb5-mini
|
||||
Source0: https://web.mit.edu/kerberos/dist/krb5/1.16/krb5-%{version}.tar.gz
|
||||
Source1: https://web.mit.edu/kerberos/dist/krb5/1.16/krb5-%{version}.tar.gz.asc
|
||||
Source0: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}.tar.gz
|
||||
Source1: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}.tar.gz.asc
|
||||
Source2: krb5.keyring
|
||||
Source3: vendor-files.tar.bz2
|
||||
Source4: baselibs.conf
|
||||
Source5: krb5-rpmlintrc
|
||||
Source6: ksu-pam.d
|
||||
Patch1: krb5-1.12-pam.patch
|
||||
Patch2: krb5-1.9-manpaths.dif
|
||||
Patch3: krb5-1.12-buildconf.patch
|
||||
Patch4: krb5-1.6.3-gssapi_improve_errormessages.dif
|
||||
Patch6: krb5-1.6.3-ktutil-manpage.dif
|
||||
Patch8: krb5-1.12-api.patch
|
||||
Patch11: krb5-1.12-ksu-path.patch
|
||||
Patch12: krb5-1.12-selinux-label.patch
|
||||
Patch13: krb5-1.9-debuginfo.patch
|
||||
Source7: krb5.tmpfiles
|
||||
Patch1: 0001-krb5-1.12-pam.patch
|
||||
Patch2: 0002-krb5-1.9-manpaths.patch
|
||||
Patch3: 0003-krb5-1.12-buildconf.patch
|
||||
Patch4: 0004-krb5-1.6.3-gssapi_improve_errormessages.patch
|
||||
Patch5: 0005-krb5-1.6.3-ktutil-manpage.patch
|
||||
Patch6: 0006-krb5-1.12-api.patch
|
||||
Patch7: 0007-krb5-1.12-ksu-path.patch
|
||||
Patch8: 0008-krb5-1.12-selinux-label.patch
|
||||
Patch9: 0009-krb5-1.9-debuginfo.patch
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
|
||||
%description
|
||||
@ -129,6 +130,15 @@ Kerberos V5 is a trusted-third-party network authentication system,
|
||||
which can improve network security by eliminating the insecure
|
||||
practice of cleartext passwords. This package includes a OTP plugin.
|
||||
|
||||
%package plugin-preauth-spake
|
||||
Summary: SPAKE preauthentication plugin for MIT Kerberos5
|
||||
Group: Productivity/Networking/Security
|
||||
|
||||
%description plugin-preauth-spake
|
||||
Kerberos V5 is a trusted-third-party network authentication system,
|
||||
which can improve network security by eliminating the insecure
|
||||
practice of cleartext passwords. This package includes a SPAKE plugin.
|
||||
|
||||
%package doc
|
||||
Summary: Documentation for the MIT Kerberos5 implementation
|
||||
Group: Documentation/Other
|
||||
@ -169,11 +179,11 @@ Include Files for Development
|
||||
%patch2 -p1
|
||||
%patch3 -p1
|
||||
%patch4 -p1
|
||||
%patch5 -p1
|
||||
%patch6 -p1
|
||||
%patch7 -p1
|
||||
%patch8 -p1
|
||||
%patch11 -p1
|
||||
%patch12 -p1
|
||||
%patch13 -p1
|
||||
%patch9 -p1
|
||||
|
||||
%build
|
||||
# needs to be re-generated
|
||||
@ -183,7 +193,7 @@ autoreconf -fi
|
||||
DEFCCNAME=DIR:/run/user/%%{uid}/krb5cc; export DEFCCNAME
|
||||
./configure \
|
||||
CC="%{__cc}" \
|
||||
CFLAGS="$RPM_OPT_FLAGS -I%{_includedir}/et -fno-strict-aliasing -D_GNU_SOURCE -fPIC $(getconf LFS_CFLAGS)" \
|
||||
CFLAGS="%{optflags} -I%{_includedir}/et -fno-strict-aliasing -D_GNU_SOURCE -fPIC $(getconf LFS_CFLAGS)" \
|
||||
CPPFLAGS="-I%{_includedir}/et " \
|
||||
SS_LIB="-lss" \
|
||||
--prefix=/usr/lib/mit \
|
||||
@ -202,7 +212,7 @@ DEFCCNAME=DIR:/run/user/%%{uid}/krb5cc; export DEFCCNAME
|
||||
--with-ldap \
|
||||
--with-pam \
|
||||
--enable-pkinit \
|
||||
--with-pkinit-crypto-impl=openssl \
|
||||
--with-crypto-impl=openssl \
|
||||
--with-selinux \
|
||||
--with-system-et \
|
||||
--with-system-ss \
|
||||
@ -214,25 +224,19 @@ make %{?_smp_mflags}
|
||||
cp man/kadmin.man man/kadmin.local.8
|
||||
|
||||
%install
|
||||
|
||||
# Where per-user keytabs live by default.
|
||||
mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/lib/kerberos/krb5/user
|
||||
mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/log/krb5
|
||||
|
||||
cd src
|
||||
make DESTDIR=%{buildroot} install
|
||||
cd ..
|
||||
mkdir -p %{buildroot}/%{_localstatedir}/log/krb5
|
||||
%make_install -C src
|
||||
# Munge krb5-config yet again. This is totally wrong for 64-bit, but chunks
|
||||
# of the buildconf patch already conspire to strip out /usr/<anything> from the
|
||||
# list of link flags, and it helps prevent file conflicts on multilib systems.
|
||||
sed -r -i -e 's|^libdir=/usr/lib(64)?$|libdir=/usr/lib|g' $RPM_BUILD_ROOT/usr/lib/mit/bin/krb5-config
|
||||
sed -r -i -e 's|^libdir=/usr/lib(64)?$|libdir=/usr/lib|g' %{buildroot}/usr/lib/mit/bin/krb5-config
|
||||
|
||||
# install autoconf macro
|
||||
mkdir -p %{buildroot}/%{_datadir}/aclocal
|
||||
install -m 644 src/util/ac_check_krb5.m4 %{buildroot}%{_datadir}/aclocal/
|
||||
# install sample config files
|
||||
# I'll probably do something about this later on
|
||||
mkdir -p %{buildroot}%{_sysconfdir} %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc
|
||||
mkdir -p %{buildroot}%{_sysconfdir}
|
||||
mkdir -p %{buildroot}%{_sysconfdir}/krb5.conf.d
|
||||
mkdir -p %{buildroot}/etc/profile.d/
|
||||
mkdir -p %{buildroot}/var/log/krb5
|
||||
@ -243,13 +247,22 @@ mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/preauth
|
||||
mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/libkrb5
|
||||
mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/tls
|
||||
install -m 644 %{vendorFiles}/krb5.conf %{buildroot}%{_sysconfdir}
|
||||
install -m 600 %{vendorFiles}/kdc.conf %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc/
|
||||
install -m 600 %{vendorFiles}/kadm5.acl %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc/
|
||||
install -m 600 %{vendorFiles}/kadm5.dict %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc/
|
||||
install -m 644 %{vendorFiles}/krb5.csh.profile %{buildroot}/etc/profile.d/krb5.csh
|
||||
install -m 644 %{vendorFiles}/krb5.sh.profile %{buildroot}/etc/profile.d/krb5.sh
|
||||
install -m 644 %{vendorFiles}/SuSEFirewall.kdc %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/kdc
|
||||
install -m 644 %{vendorFiles}/SuSEFirewall.kadmind %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/kadmind
|
||||
|
||||
# Do not write directly to /var/lib/kerberos anymore as it breaks transactional
|
||||
# updates. Use systemd-tmpfiles to copy the files there when it doesn't exist
|
||||
install -d -m 0755 %{buildroot}/usr/lib/tmpfiles.d/
|
||||
install -m 644 %{SOURCE7} %{buildroot}/usr/lib/tmpfiles.d/krb5.conf
|
||||
mkdir -p %{buildroot}/%{_datadir}/kerberos/krb5kdc
|
||||
# Where per-user keytabs live by default.
|
||||
mkdir -p %{buildroot}/%{_datadir}/kerberos/krb5/user
|
||||
install -m 600 %{vendorFiles}/kdc.conf %{buildroot}%{_datadir}/kerberos/krb5kdc/
|
||||
install -m 600 %{vendorFiles}/kadm5.acl %{buildroot}%{_datadir}/kerberos/krb5kdc/
|
||||
install -m 600 %{vendorFiles}/kadm5.dict %{buildroot}%{_datadir}/kerberos/krb5kdc/
|
||||
|
||||
# all libs must have permissions 0755
|
||||
for lib in `find %{buildroot}/%{_libdir}/ -type f -name "*.so*"`
|
||||
do
|
||||
@ -271,13 +284,13 @@ install -m 755 %{vendorFiles}/krb5kdc.init %{buildroot}%{_sysconfdir}/init.d/krb
|
||||
install -m 755 %{vendorFiles}/kpropd.init %{buildroot}%{_sysconfdir}/init.d/kpropd
|
||||
%endif
|
||||
# install sysconfig templates
|
||||
mkdir -p $RPM_BUILD_ROOT/%{_fillupdir}
|
||||
install -m 644 %{vendorFiles}/sysconfig.kadmind $RPM_BUILD_ROOT/%{_fillupdir}/
|
||||
install -m 644 %{vendorFiles}/sysconfig.krb5kdc $RPM_BUILD_ROOT/%{_fillupdir}/
|
||||
mkdir -p %{buildroot}/%{_fillupdir}
|
||||
install -m 644 %{vendorFiles}/sysconfig.kadmind %{buildroot}/%{_fillupdir}/
|
||||
install -m 644 %{vendorFiles}/sysconfig.krb5kdc %{buildroot}/%{_fillupdir}/
|
||||
# install logrotate files
|
||||
mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d
|
||||
install -m 644 %{vendorFiles}/krb5-server.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/krb5-server
|
||||
find . -type f -name '*.ps' -exec gzip -9 {} \;
|
||||
find . -type f -name '*.ps' -exec gzip -9 {} +
|
||||
# create rc* links
|
||||
mkdir -p %{buildroot}/usr/bin/
|
||||
mkdir -p %{buildroot}/usr/sbin/
|
||||
@ -329,6 +342,7 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so
|
||||
|
||||
%post server
|
||||
%service_add_post krb5kdc.service kadmind.service kpropd.service
|
||||
%tmpfiles_create krb5.conf
|
||||
%{fillup_only -n kadmind}
|
||||
%{fillup_only -n krb5kdc}
|
||||
%{fillup_only -n kpropd}
|
||||
@ -406,6 +420,7 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so
|
||||
%{_unitdir}/kadmind.service
|
||||
%{_unitdir}/krb5kdc.service
|
||||
%{_unitdir}/kpropd.service
|
||||
%{_libexecdir}/tmpfiles.d/krb5.conf
|
||||
%else
|
||||
%{_sysconfdir}/init.d/kadmind
|
||||
%{_sysconfdir}/init.d/krb5kdc
|
||||
@ -414,17 +429,24 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so
|
||||
%dir %{krb5docdir}
|
||||
%dir /usr/lib/mit
|
||||
%dir /usr/lib/mit/sbin
|
||||
%dir %{_localstatedir}/lib/kerberos/
|
||||
%dir %{_localstatedir}/lib/kerberos/krb5kdc
|
||||
%dir %{_localstatedir}/lib/kerberos/krb5
|
||||
%dir %{_localstatedir}/lib/kerberos/krb5/user
|
||||
%dir %{_datadir}/kerberos/
|
||||
%dir %{_datadir}/kerberos/krb5kdc
|
||||
%dir %{_datadir}/kerberos/krb5
|
||||
%dir %{_datadir}/kerberos/krb5/user
|
||||
%dir %{_libdir}/krb5
|
||||
%dir %{_libdir}/krb5/plugins
|
||||
%dir %{_libdir}/krb5/plugins/kdb
|
||||
%dir %{_libdir}/krb5/plugins/tls
|
||||
%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kdc.conf
|
||||
%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.acl
|
||||
%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.dict
|
||||
%attr(0600,root,root) %config(noreplace) %{_datadir}/kerberos/krb5kdc/kdc.conf
|
||||
%attr(0600,root,root) %config(noreplace) %{_datadir}/kerberos/krb5kdc/kadm5.acl
|
||||
%attr(0600,root,root) %config(noreplace) %{_datadir}/kerberos/krb5kdc/kadm5.dict
|
||||
%ghost %dir %{_sharedstatedir}/kerberos/
|
||||
%ghost %dir %{_sharedstatedir}/kerberos/krb5kdc
|
||||
%ghost %dir %{_sharedstatedir}/kerberos/krb5
|
||||
%ghost %dir %{_sharedstatedir}/kerberos/krb5/user
|
||||
%ghost %attr(0600,root,root) %config(noreplace) %{_sharedstatedir}/kerberos/krb5kdc/kdc.conf
|
||||
%ghost %attr(0600,root,root) %config(noreplace) %{_sharedstatedir}/kerberos/krb5kdc/kadm5.acl
|
||||
%ghost %attr(0600,root,root) %config(noreplace) %{_sharedstatedir}/kerberos/krb5kdc/kadm5.dict
|
||||
%config %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/k*
|
||||
%{_fillupdir}/sysconfig.*
|
||||
/usr/sbin/rc*
|
||||
@ -489,6 +511,7 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so
|
||||
%{_mandir}/man5/k5login.5*
|
||||
%{_mandir}/man1/ksu.1.gz
|
||||
%{_mandir}/man1/sclient.1.gz
|
||||
%{_mandir}/man7/kerberos.7.gz
|
||||
|
||||
%files plugin-kdb-ldap
|
||||
%defattr(-,root,root)
|
||||
@ -518,4 +541,11 @@ rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so
|
||||
%dir %{_libdir}/krb5/plugins/preauth
|
||||
%{_libdir}/krb5/plugins/preauth/otp.so
|
||||
|
||||
%files plugin-preauth-spake
|
||||
%defattr(-,root,root)
|
||||
%dir %{_libdir}/krb5
|
||||
%dir %{_libdir}/krb5/plugins
|
||||
%dir %{_libdir}/krb5/plugins/preauth
|
||||
%{_libdir}/krb5/plugins/preauth/spake.so
|
||||
|
||||
%changelog
|
||||
|
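Review bot: In the `./configure` hunk, `--with-pkinit-crypto-impl=openssl` appears to be replaced by `--with-crypto-impl=openssl`, and these are not the same switch. The old one chose the PKINIT backend only, while the new one chooses the implementation behind libk5crypto, which serves all Kerberos crypto. If moving from the built-in crypto to OpenSSL is intended, it deserves its own line in krb5.changes, for example `- Build libk5crypto against OpenSSL (--with-crypto-impl=openssl)`, since it changes which code performs every enctype operation. krb5-mini.spec shows no such option in this view, so the two flavours may now use different crypto backends; that is worth confirming.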
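--- /dev/null
+++ b/krb5.tmpfiles
@@ -0,0 +1,7 @@
+d /var/lib/kerberos 0755 root root -
+d /var/lib/kerberos/krb5 0755 root root -
+d /var/lib/kerberos/krb5/user 0755 root root -
+d /var/lib/kerberos/krb5kdc 0755 root root -
+C /var/lib/kerberos/krb5kdc/kdc.conf 0600 root root - /usr/share/kerberos/krb5kdc/kdc.conf
+C /var/lib/kerberos/krb5kdc/kadm5.acl 0600 root root - /usr/share/kerberos/krb5kdc/kadm5.acl
+C /var/lib/kerberos/krb5kdc/kadm5.dict 0600 root root - /usr/share/kerberos/krb5kdc/kadm5.dict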
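Review bot: `d /var/lib/kerberos/krb5kdc 0755 root root -` leaves the KDC state directory world-listable, although all three files copied into it are 0600. The KDC database and stash file are normally created in this directory too (not visible in this commit), so a tighter mode is cheap defence in depth, provided nothing unprivileged needs to traverse it: `d /var/lib/kerberos/krb5kdc 0700 root root -`. Separately, the `C` lines copy the packaged default whenever the target is missing, so an administrator who deletes `kadm5.acl` gets the vendor default back on the next tmpfiles run. A comment line such as `# C copies the packaged default only when the target does not exist` would make that explicit.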