opensourcemirror
/
ipfire-3.x
mirror of git://git.ipfire.org/ipfire-3.x.git
1
0
Fork 0
Code Issues Releases Wiki Activity

krb5: New package. 

Fixes #10288.
This commit is contained in:
Stefan Schantl 2013-01-27 14:37:21 +01:00
parent 092b90ae70
commit 6cf77d0523
34 changed files with 4093 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
krb5/kadm5.acl Normal file
View File

@ -0,0 +1 @@
*/admin@EXAMPLE.COM *

12
krb5/kdc.conf Normal file
View File

@ -0,0 +1,12 @@
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
EXAMPLE.COM = {
#master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}

21
krb5/krb5.conf Normal file
View File

@ -0,0 +1,21 @@
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
# default_realm = EXAMPLE.COM
[realms]
# EXAMPLE.COM = {
# kdc = kerberos.example.com
# admin_server = kerberos.example.com
# }
[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM

245
krb5/krb5.nm Normal file
View File

@ -0,0 +1,245 @@
###############################################################################
# IPFire.org - An Open Source Firewall Solution #
# Copyright (C) - IPFire Development Team <info@ipfire.org> #
###############################################################################
name = krb5
version = %{version_maj}.%{version_min}
version_maj= 1.10
version_min= 2
release = 1
groups = System/Libraries
url = http://web.mit.edu/kerberos/www/
license = MIT
summary = The Kerberos network authentication system.
description
Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of sending passwords over the network in unencrypted form.
end
# Upstream only provides a "signed" tarball which contains the actual
# tar archive.
#source_dl = http://we1b.mit.edu/kerberos/dist/krb5/%{version_maj}/
#sources = %{thisapp}-signed.tar
patches
krb5-1.10.2-pam.patch
krb5-1.10.2-manpaths.patch
krb5-1.10.2-selinux-label.patch
krb5-1.3.1-dns.patch
krb5-1.3.4-send-pr-tempfile.patch
krb5-1.7-ktany.patch
krb5-1.8-api.patch
krb5-1.9-debuginfo.patch0
krb5-1.9-dirsrv-accountlock.patch
krb5-1.10-buildconf.patch
krb5-1.10-doublelog.patch
krb5-1.10-gcc47.patch0
krb5-1.10-kpasswd_tcp.patch
krb5-1.10-kprop-mktemp.patch
krb5-1.10-ksu-access.patch
krb5-1.10-ksu-path.patch
krb5-1.10.2-keytab-etype.patch
krb5-kvno-230379.patch
krb5-tex-pdf.sh
krb5-trunk-7046.patch
krb5-trunk-7047.patch
krb5-trunk-7048.patch
krb5-trunk-pkinit-anchorsign.patch
end
build
requires
autoconf
automake
bison
dejagnu
e2fsprogs-devel
flex
gettext
libselinux-devel
ncurses-devel
openldap-devel
openssl-devel
pam-devel
perl
systemd-units
tcl-devel
texinfo
end
prepare_cmds
pushd src
for file in appl/sample/sserver/sserver.M \
config-files/kdc.conf.M \
config-files/krb5.conf.M \
gen-manpages/kerberos.M \
kadmin/cli/kadmin.M \
slave/kpropd.M \
slave/kprop.M; do
mv -v ${file} ${file}.in
done
rm -vf lib/krb5/krb/deltat.c
# Regenerate configure scripts.
autoheader
autoconf
popd
end
configure_options += \
--enable-shared \
--disable-rpath \
--localstatedir=/var/kerberos \
--with-system-et \
--with-system-ss \
--with-netlib=-lresolv \
--with-tcl \
--enable-dns-for-realm \
--with-dirsrv \
--enable-pkinit \
--with-crypto-impl=openssl \
--with-pam \
--with-selinux
# Don't use strlcpy that comes with glibc.
configure_options += \
ac_cv_func_strlcpy=no
build
cd %{DIR_APP}/src
./configure \
%{configure_options}
make %{PARALLELISMFLAGS}
end
test
make -C src fake-install
tmpdir=$(mktemp -d)
# Disable the following tests, because the don't work in the chroot env.
#make -C src/lib check TMPDIR=${tmpdir}
#make -C src/kdc check TMPDIR=${tmpdir}
end
install
# Install krb5.
make -C src install DESTDIR=%{BUILDROOT}
# Sample KDC config files (bundled kdc.conf and kadm5.acl).
mkdir -pv %{BUILDROOT}%{localstatedir}/kerberos/krb5kdc
install -pm 600 %{DIR_SOURCE}/kdc.conf %{BUILDROOT}%{localstatedir}/kerberos/krb5kdc/
install -pm 600 %{DIR_SOURCE}/kadm5.acl %{BUILDROOT}%{localstatedir}/kerberos/krb5kdc/
# Default configuration file for everything.
mkdir -pv %{BUILDROOT}/etc
install -pm 644 %{DIR_SOURCE}/krb5.conf %{BUILDROOT}/etc/krb5.conf
# Plug-in directories.
install -pdm 755 %{BUILDROOT}%{libdir}/krb5/plugins/preauth
install -pdm 755 %{BUILDROOT}%{libdir}/krb5/plugins/kdb
install -pdm 755 %{BUILDROOT}%{libdir}/krb5/plugins/authdata
end
end
packages
package %{name}-server
summary = The KDC and related programs for Kerberos 5.
description
Kerberos is a network authentication system. The krb5-server package
contains the programs that must be installed on a Kerberos 5 key
distribution center (KDC). If you are installing a Kerberos 5 KDC,
you need to install this package.
end
requires
%{name}-libs = %{thisver}
end
script postin
/usr/bin/systemctl daemon-reload >/dev/null 2>&1 || :
end
script preun
/usr/bin/systemctl --no-reload disable kadmin.service >/dev/null 2>&1 || :
/usr/bin/systemctl --no-reload disable kprop.service >/dev/null 2>&1 || :
/usr/bin/systemctl --no-reload disable krb5kdc.service >/dev/null 2>&1 || :
/usr/bin/systemctl stop kadmin.service >/dev/null 2>&1 || :
/usr/bin/systemctl stop kprop.service >/dev/null 2>&1 || :
/usr/bin/systemctl stop krb5kdc.service >/dev/null 2>&1 || :
end
script postun
/usr/bin/systemctl daemon-reload >/dev/null 2>&1 || :
end
script postup
/usr/bin/systemctl daemon-reload >/dev/null 2>&1 || :
/usr/bin/systemctl try-restart kadmin.service >/dev/null 2>&1 || :
/usr/bin/systemctl try-restart kprop.service >/dev/null 2>&1 || :
/usr/bin/systemctl try-restart krb5kdc.service >/dev/null 2>&1 || :
end
end
package %{name}-workstation
summary = Kerberos 5 programs for use on workstations.
description
Kerberos is a network authentication system. The krb5-workstation
package contains the basic Kerberos programs (kinit, klist, kdestroy,
kpasswd). If your network uses Kerberos, this package should be
installed on every workstation.
end
requires
%{name}-libs = %{thisver}
end
files
%{bindir}/kdestroy
%{bindir}/kinit
%{bindir}/klist
%{bindir}/kpassword
%{bindir}/kswitch
%{bindir}/kvno
%{bindir}/kadmin
%{bindir}/k5srvutil
%{bindir}/kutil
%{bindir}/ksu
%{bindir}/krb5-send-pr
%{sysconfdir}/pam.d
%{mandir}/man1/kdestroy.*
%{mandir}/man1/kinit.*
%{mandir}/man1/klist.*
%{mandir}/man1/kpassword.*
%{mandir}/man1/kswitch.*
%{mandir}/man1/kvno.*
%{mandir}/man1/kadmin.*
%{mandir}/man1/k5srvutil.*
%{mandir}/man1/kutil.*
%{mandir}/man1/ksu.*
end
end
package %{name}-libs
template LIBS
end
package %{name}-devel
template DEVEL
requires
libselinux-devel
end
end
package %{name}-debuginfo
template DEBUGINFO
end
end

4
krb5/ksu.pam Normal file
View File

@ -0,0 +1,4 @@
#%PAM-1.0
auth include su
account include su
session include su

9
krb5/logrotate/kadmind.logrotate Normal file
View File

@ -0,0 +1,9 @@
/var/log/kadmind.log {
missingok
notifempty
monthly
rotate 12
postrotate
/bin/kill -HUP `cat /var/run/kadmind.pid 2>/dev/null` 2> /dev/null || true
endscript
}

9
krb5/logrotate/krb5kdc.logrotate Normal file
View File

@ -0,0 +1,9 @@
/var/log/krb5kdc.log {
missingok
notifempty
monthly
rotate 12
postrotate
/bin/kill -HUP `cat /var/run/krb5kdc.pid 2>/dev/null` 2> /dev/null || true
endscript
}

54
krb5/patches/krb5-1.10-buildconf.patch Normal file
View File

@ -0,0 +1,54 @@
Build binaries in this package as RELRO PIEs, libraries as partial RELRO,
and install shared libraries with the execute bit set on them. Prune out
the -L/usr/lib* and PIE flags where they might leak out and affect
apps which just want to link with the libraries. FIXME: needs to check and
not just assume that the compiler supports using these flags.
--- krb5/src/config/shlib.conf
+++ krb5/src/config/shlib.conf
@@ -419,7 +419,7 @@ mips-*-netbsd*)
SHLIBEXT=.so
# Linux ld doesn't default to stuffing the SONAME field...
# Use objdump -x to examine the fields of the library
- LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT),--no-undefined'
+ LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT),--no-undefined -Wl,-z,relro'
#
LDCOMBINE_TAIL='-Wl,--version-script binutils.versions && $(PERL) -w $(top_srcdir)/util/export-check.pl $(SHLIB_EXPORT_FILE) $@'
SHLIB_EXPORT_FILE_DEP=binutils.versions
@@ -430,7 +430,8 @@
SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
PROFFLAGS=-pg
PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)'
- CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)'
+ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie -Wl,-z,relro -Wl,-z,now $(LDFLAGS)'
+ INSTALL_SHLIB='${INSTALL} -m755'
CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)'
CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)'
CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)'
--- krb5/src/krb5-config.in
+++ krb5/src/krb5-config.in
@@ -189,6 +189,13 @@ if test -n "$do_libs"; then
-e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \
-e 's#\$(CFLAGS)##'`
+ if test `dirname $libdir` = /usr ; then
+ lib_flags=`echo $lib_flags | sed -e "s#-L$libdir##" -e "s#$RPATH_FLAG$libdir##"`
+ fi
+ lib_flags=`echo $lib_flags | sed -e "s#-fPIE##g" -e "s#-pie##g"`
+ lib_flags=`echo $lib_flags | sed -e "s#-Wl,-z,relro##g"`
+ lib_flags=`echo $lib_flags | sed -e "s#-Wl,-z,now##g"`
+
if test $library = 'kdb'; then
lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB"
library=krb5
--- krb5/src/config/pre.in
+++ krb5/src/config/pre.in
@@ -188,7 +188,7 @@
INSTALL_SCRIPT=@INSTALL_PROGRAM@
INSTALL_DATA=@INSTALL_DATA@
INSTALL_SHLIB=@INSTALL_SHLIB@
-INSTALL_SETUID=$(INSTALL) $(INSTALL_STRIP) -m 4755 -o root
+INSTALL_SETUID=$(INSTALL) $(INSTALL_STRIP) -m 4755
## This is needed because autoconf will sometimes define @exec_prefix@ to be
## ${prefix}.
prefix=@prefix@

14
krb5/patches/krb5-1.10-doublelog.patch Normal file
View File

@ -0,0 +1,14 @@
Don't double-log (actually, don't process /etc/krb5.conf twice) just
because we built with --sysconfdir=/etc. RT#3277
--- krb5/src/include/Makefile.in
+++ krb5/src/include/Makefile.in
@@ -67,6 +67,8 @@ PROCESS_REPLACE = -e "s+@KRB5RCTMPDIR+$(
-e "s+@GSSMODULEDIR+$(GSS_MODULE_DIR)+" \
-e 's+@LOCALSTATEDIR+$(LOCALSTATEDIR)+' \
-e 's+@SYSCONFDIR+$(SYSCONFDIR)+' \
+ -e 's+:/etc/krb5.conf:/etc/krb5.conf"+:/etc/krb5.conf"+' \
+ -e 's+"/etc/krb5.conf:/etc/krb5.conf"+"/etc/krb5.conf"+' \
-e 's+@DYNOBJEXT+$(DYNOBJEXT)+'
OSCONFSRC = $(srcdir)/osconf.hin

12
krb5/patches/krb5-1.10-gcc47.patch0 Normal file
View File

@ -0,0 +1,12 @@
This file also triggers the maybe-uninitialized warning/error. RT#7080
--- src/lib/krb5/krb/x-deltat.y
+++ src/lib/krb5/krb/x-deltat.y
@@ -44,6 +44,7 @@
#ifdef __GNUC__
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wuninitialized"
+#pragma GCC diagnostic ignored "-Wmaybe-uninitialized"
#endif
#include <ctype.h>

32
krb5/patches/krb5-1.10-kpasswd_tcp.patch Normal file
View File

@ -0,0 +1,32 @@
Fall back to TCP on kdc-unresolvable/unreachable errors. We still have
to wait for UDP to fail, so this might not be ideal. RT #5868.
--- krb5/src/lib/krb5/os/changepw.c
+++ krb5/src/lib/krb5/os/changepw.c
@@ -270,10 +270,22 @@ change_set_password(krb5_context context
&callback_info, &chpw_rep, ss2sa(&remote_addr),
&addrlen, NULL, NULL, NULL);
if (code) {
- /*
- * Here we may want to switch to TCP on some errors.
- * right?
- */
+ /* if we're not using a stream socket, and it's an error which
+ * might reasonably be specific to a datagram "connection", try
+ * again with a stream socket */
+ if (!use_tcp) {
+ switch (code) {
+ case KRB5_KDC_UNREACH:
+ case KRB5_REALM_CANT_RESOLVE:
+ case KRB5KRB_ERR_RESPONSE_TOO_BIG:
+ /* should we do this for more result codes than these? */
+ k5_free_serverlist (&sl);
+ use_tcp = 1;
+ continue;
+ default:
+ break;
+ }
+ }
break;
}

28
krb5/patches/krb5-1.10-kprop-mktemp.patch Normal file
View File

@ -0,0 +1,28 @@
Use an in-memory ccache to silence a compiler warning, for RT#6414.
--- krb5/src/slave/kprop.c
+++ krb5/src/slave/kprop.c
@@ -202,9 +202,8 @@ void PRS(argc, argv)
void get_tickets(context)
krb5_context context;
{
- char buf[BUFSIZ], *def_realm;
+ char buf[] = "MEMORY:_kproptkt", *def_realm;
krb5_error_code retval;
- static char tkstring[] = "/tmp/kproptktXXXXXX";
krb5_keytab keytab = NULL;
/*
@@ -229,11 +228,8 @@ void get_tickets(context)
#endif
/*
- * Initialize cache file which we're going to be using
+ * Initialize an in-memory cache for temporary use
*/
- (void) mktemp(tkstring);
- snprintf(buf, sizeof(buf), "FILE:%s", tkstring);
-
retval = krb5_cc_resolve(context, buf, &ccache);
if (retval) {
com_err(progname, retval, _("while opening credential cache %s"), buf);

47
krb5/patches/krb5-1.10-ksu-access.patch Normal file
View File

@ -0,0 +1,47 @@
The idea is to not complain about problems in the default ticket file if we
couldn't read it, because the client would be able to tell if it's there or
not, and we're implicitly letting the client tell us where it is. Still needs
work, I think.
--- krb5/src/clients/ksu/ccache.c
+++ krb5/src/clients/ksu/ccache.c
@@ -78,7 +78,7 @@ krb5_error_code krb5_ccache_copy (contex
cc_def_name = krb5_cc_get_name(context, cc_def);
cc_other_name = krb5_cc_get_name(context, *cc_other);
- if ( ! stat(cc_def_name, &st_temp)){
+ if ( ! access(cc_def_name, R_OK) && ! stat(cc_def_name, &st_temp)){
if((retval = krb5_get_nonexp_tkts(context,cc_def,&cc_def_creds_arr))){
return retval;
}
--- krb5/src/clients/ksu/heuristic.c
+++ krb5/src/clients/ksu/heuristic.c
@@ -409,7 +409,7 @@ krb5_error_code find_either_ticket (cont
cc_source_name = krb5_cc_get_name(context, cc);
- if ( ! stat(cc_source_name, &st_temp)){
+ if ( ! access(cc_source_name, F_OK | R_OK) && ! stat(cc_source_name, &st_temp)){
retval = find_ticket(context, cc, client, end_server, &temp_found);
if (retval)
@@ -569,7 +569,7 @@ krb5_error_code get_best_princ_for_targe
cc_source_name = krb5_cc_get_name(context, cc_source);
- if (! stat(cc_source_name, &st_temp)) {
+ if (! access(cc_source_name, F_OK | R_OK) && ! stat(cc_source_name, &st_temp)) {
retval = krb5_cc_get_principal(context, cc_source, &cc_def_princ);
if (retval)
return retval;
--- krb5/src/clients/ksu/main.c
+++ krb5/src/clients/ksu/main.c
@@ -270,7 +270,7 @@ main (argc, argv)
if ( strchr(cc_source_tag, ':')){
cc_source_tag_tmp = strchr(cc_source_tag, ':') + 1;
- if( stat( cc_source_tag_tmp, &st_temp)){
+ if( access( cc_source_tag_tmp, F_OK | R_OK) || stat( cc_source_tag_tmp, &st_temp)){
com_err(prog_name, errno,
_("while looking for credentials file %s"),
cc_source_tag_tmp);

12
krb5/patches/krb5-1.10-ksu-path.patch Normal file
View File

@ -0,0 +1,12 @@
Set the default PATH to the one set by login.
--- krb5/src/clients/ksu/Makefile.in
+++ krb5/src/clients/ksu/Makefile.in
@@ -1,6 +1,6 @@
mydir=clients$(S)ksu
BUILDTOP=$(REL)..$(S)..
-DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"'
+DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/usr/local/sbin /usr/local/bin /sbin /bin /usr/sbin /usr/bin"'
DEFS=
PROG_LIBPATH=-L$(TOPLIBD)

332
krb5/patches/krb5-1.10.2-keytab-etype.patch Normal file
View File

@ -0,0 +1,332 @@
(Had to drop the changes to src/tests/t_keytab.py, which didn't exist in 1.10.)
commit d1da158f47ea604bed4d5db5e98a976a9e54ccd0
Author: Greg Hudson <ghudson@mit.edu>
Date: Thu Apr 19 17:55:10 2012 +0000
Unify krb5_get_init_creds_keytab code paths
Use krb5_init_creds_set_keytab in krb5_get_init_creds_keytab, so that
processing added to the former will be used by the latter. This is
slightly awkward because of the way we do the use_master fallback, in
that we have to duplicate some of krb5int_get_init_creds.
Based on a patch from Stef Walter.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25817 dc483132-0cff-0310-8789-dd5450dbe970
diff --git a/src/lib/krb5/krb/deps b/src/lib/krb5/krb/deps
index fe2d54c..8c4db77 100644
--- a/src/lib/krb5/krb/deps
+++ b/src/lib/krb5/krb/deps
@@ -473,7 +473,8 @@ gic_keytab.so gic_keytab.po $(OUTPRE)gic_keytab.$(OBJEXT): \
$(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \
$(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \
$(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \
- $(top_srcdir)/include/socket-utils.h gic_keytab.c init_creds_ctx.h
+ $(top_srcdir)/include/socket-utils.h gic_keytab.c init_creds_ctx.h \
+ int-proto.h
gic_opt.so gic_opt.po $(OUTPRE)gic_opt.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
$(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
$(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index aaabc4e..681b648 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -542,10 +542,9 @@ krb5_init_creds_free(krb5_context context,
free(ctx);
}
-static krb5_error_code
-init_creds_get(krb5_context context,
- krb5_init_creds_context ctx,
- int *use_master)
+krb5_error_code
+k5_init_creds_get(krb5_context context, krb5_init_creds_context ctx,
+ int *use_master)
{
krb5_error_code code;
krb5_data request;
@@ -599,7 +598,7 @@ krb5_init_creds_get(krb5_context context,
{
int use_master = 0;
- return init_creds_get(context, ctx, &use_master);
+ return k5_init_creds_get(context, ctx, &use_master);
}
krb5_error_code KRB5_CALLCONV
@@ -1664,7 +1663,7 @@ krb5int_get_init_creds(krb5_context context,
goto cleanup;
}
- code = init_creds_get(context, ctx, use_master);
+ code = k5_init_creds_get(context, ctx, use_master);
if (code != 0)
goto cleanup;
diff --git a/src/lib/krb5/krb/gic_keytab.c b/src/lib/krb5/krb/gic_keytab.c
index 88de6a8..e59177f 100644
--- a/src/lib/krb5/krb/gic_keytab.c
+++ b/src/lib/krb5/krb/gic_keytab.c
@@ -26,6 +26,7 @@
#ifndef LEAN_CLIENT
#include "k5-int.h"
+#include "int-proto.h"
#include "init_creds_ctx.h"
static krb5_error_code
@@ -87,6 +88,44 @@ krb5_init_creds_set_keytab(krb5_context context,
return 0;
}
+static krb5_error_code
+get_init_creds_keytab(krb5_context context, krb5_creds *creds,
+ krb5_principal client, krb5_keytab keytab,
+ krb5_deltat start_time, char *in_tkt_service,
+ krb5_get_init_creds_opt *options, int *use_master)
+{
+ krb5_error_code ret;
+ krb5_init_creds_context ctx = NULL;
+
+ ret = krb5_init_creds_init(context, client, NULL, NULL, start_time,
+ options, &ctx);
+ if (ret != 0)
+ goto cleanup;
+
+ if (in_tkt_service) {
+ ret = krb5_init_creds_set_service(context, ctx, in_tkt_service);
+ if (ret != 0)
+ goto cleanup;
+ }
+
+ ret = krb5_init_creds_set_keytab(context, ctx, keytab);
+ if (ret != 0)
+ goto cleanup;
+
+ ret = k5_init_creds_get(context, ctx, use_master);
+ if (ret != 0)
+ goto cleanup;
+
+ ret = krb5_init_creds_get_creds(context, ctx, creds);
+ if (ret != 0)
+ goto cleanup;
+
+cleanup:
+ krb5_init_creds_free(context, ctx);
+
+ return ret;
+}
+
krb5_error_code KRB5_CALLCONV
krb5_get_init_creds_keytab(krb5_context context,
krb5_creds *creds,
@@ -111,10 +150,8 @@ krb5_get_init_creds_keytab(krb5_context context,
/* first try: get the requested tkt from any kdc */
- ret = krb5int_get_init_creds(context, creds, client, NULL, NULL,
- start_time, in_tkt_service, options,
- get_as_key_keytab, (void *) keytab,
- &use_master,NULL);
+ ret = get_init_creds_keytab(context, creds, client, keytab, start_time,
+ in_tkt_service, options, &use_master);
/* check for success */
@@ -132,10 +169,9 @@ krb5_get_init_creds_keytab(krb5_context context,
if (!use_master) {
use_master = 1;
- ret2 = krb5int_get_init_creds(context, creds, client, NULL, NULL,
- start_time, in_tkt_service, options,
- get_as_key_keytab, (void *) keytab,
- &use_master, NULL);
+ ret2 = get_init_creds_keytab(context, creds, client, keytab,
+ start_time, in_tkt_service, options,
+ &use_master);
if (ret2 == 0) {
ret = 0;
diff --git a/src/lib/krb5/krb/int-proto.h b/src/lib/krb5/krb/int-proto.h
index 6b16095..899579f 100644
--- a/src/lib/krb5/krb/int-proto.h
+++ b/src/lib/krb5/krb/int-proto.h
@@ -196,4 +196,8 @@ krb5int_mk_setpw_req(krb5_context context, krb5_auth_context auth_context,
void
k5_ccselect_free_context(krb5_context context);
+krb5_error_code
+k5_init_creds_get(krb5_context context, krb5_init_creds_context ctx,
+ int *use_master);
+
#endif /* KRB5_INT_FUNC_PROTO__ */
commit 8230c4b7b7323cdef2a6c877deb710a15380f40f
Author: Greg Hudson <ghudson@mit.edu>
Date: Thu Apr 19 17:55:14 2012 +0000
Use etypes from keytab in krb5_gic_keytab
When getting initial credentials with a keytab, filter the list of
request enctypes based on the keys in the keytab.
Based on a patch from Stef Walter.
ticket: 2131
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25818 dc483132-0cff-0310-8789-dd5450dbe970
diff --git a/src/include/k5-trace.h b/src/include/k5-trace.h
index 3749cf9..36eb23b 100644
--- a/src/include/k5-trace.h
+++ b/src/include/k5-trace.h
@@ -187,6 +187,10 @@
#define TRACE_INIT_CREDS_GAK(c, salt, s2kparams) \
TRACE(c, (c, "Getting AS key, salt \"{data}\", params \"{data}\"", \
salt, s2kparams))
+#define TRACE_INIT_CREDS_KEYTAB_LOOKUP(c, etypes) \
+ TRACE(c, (c, "Looked up etypes in keytab: {etypes}", etypes))
+#define TRACE_INIT_CREDS_KEYTAB_LOOKUP_FAILED(c, code) \
+ TRACE(c, (c, "Couldn't lookup etypes in keytab: {kerr}", code))
#define TRACE_INIT_CREDS_PREAUTH_DECRYPT_FAIL(c, code) \
TRACE(c, (c, "Decrypt with preauth AS key failed: {kerr}", code))
#define TRACE_INIT_CREDS_RESTART_FAST(c) \
diff --git a/src/lib/krb5/krb/gic_keytab.c b/src/lib/krb5/krb/gic_keytab.c
index e59177f..3554b25 100644
--- a/src/lib/krb5/krb/gic_keytab.c
+++ b/src/lib/krb5/krb/gic_keytab.c
@@ -77,14 +77,132 @@ get_as_key_keytab(krb5_context context,
return(ret);
}
+/* Return the list of etypes available for client in keytab. */
+static krb5_error_code
+lookup_etypes_for_keytab(krb5_context context, krb5_keytab keytab,
+ krb5_principal client, krb5_enctype **etypes_out)
+{
+ krb5_kt_cursor cursor;
+ krb5_keytab_entry entry;
+ krb5_enctype *p, *etypes = NULL;
+ krb5_kvno max_kvno = 0;
+ krb5_error_code ret;
+ size_t count = 0;
+
+ *etypes_out = NULL;
+
+ if (keytab->ops->start_seq_get == NULL)
+ return EINVAL;
+ ret = krb5_kt_start_seq_get(context, keytab, &cursor);
+ if (ret != 0)
+ return ret;
+
+ for (;;) {
+ ret = krb5_kt_next_entry(context, keytab, &entry, &cursor);
+ if (ret == KRB5_KT_END)
+ break;
+ if (ret)
+ goto cleanup;
+
+ if (!krb5_c_valid_enctype(entry.key.enctype))
+ continue;
+ if (!krb5_principal_compare(context, entry.principal, client))
+ continue;
+ /* Make sure our list is for the highest kvno found for client. */
+ if (entry.vno > max_kvno) {
+ free(etypes);
+ etypes = NULL;
+ count = 0;
+ max_kvno = entry.vno;
+ } else if (entry.vno != max_kvno)
+ continue;
+
+ /* Leave room for the terminator and possibly a second entry. */
+ p = realloc(etypes, (count + 3) * sizeof(*etypes));
+ if (p == NULL) {
+ ret = ENOMEM;
+ goto cleanup;
+ }
+ etypes = p;
+ etypes[count++] = entry.key.enctype;
+ /* All DES key types work with des-cbc-crc, which is more likely to be
+ * accepted by the KDC (since MIT KDCs refuse des-cbc-md5). */
+ if (entry.key.enctype == ENCTYPE_DES_CBC_MD5 ||
+ entry.key.enctype == ENCTYPE_DES_CBC_MD4)
+ etypes[count++] = ENCTYPE_DES_CBC_CRC;
+ etypes[count] = 0;
+ }
+
+ ret = 0;
+ *etypes_out = etypes;
+ etypes = NULL;
+cleanup:
+ krb5_kt_end_seq_get(context, keytab, &cursor);
+ free(etypes);
+ return ret;
+}
+
+/* Return true if search_for is in etype_list. */
+static krb5_boolean
+check_etypes_have(krb5_enctype *etype_list, krb5_enctype search_for)
+{
+ int i;
+
+ if (!etype_list)
+ return FALSE;
+
+ for (i = 0; etype_list[i] != 0; i++) {
+ if (etype_list[i] == search_for)
+ return TRUE;
+ }
+
+ return FALSE;
+}
+
krb5_error_code KRB5_CALLCONV
krb5_init_creds_set_keytab(krb5_context context,
krb5_init_creds_context ctx,
krb5_keytab keytab)
{
+ krb5_enctype *etype_list;
+ krb5_error_code ret;
+ int i, j;
+ char *name;
+
ctx->gak_fct = get_as_key_keytab;
ctx->gak_data = keytab;
+ ret = lookup_etypes_for_keytab(context, keytab, ctx->request->client,
+ &etype_list);
+ if (ret) {
+ TRACE_INIT_CREDS_KEYTAB_LOOKUP_FAILED(context, ret);
+ return 0;
+ }
+
+ TRACE_INIT_CREDS_KEYTAB_LOOKUP(context, etype_list);
+
+ /* Filter the ktypes list based on what's in the keytab */
+ for (i = 0, j = 0; i < ctx->request->nktypes; i++) {
+ if (check_etypes_have(etype_list, ctx->request->ktype[i])) {
+ ctx->request->ktype[j] = ctx->request->ktype[i];
+ j++;
+ }
+ }
+ ctx->request->nktypes = j;
+ free(etype_list);
+
+ /* Error out now if there's no overlap. */
+ if (ctx->request->nktypes == 0) {
+ ret = krb5_unparse_name(context, ctx->request->client, &name);
+ if (ret == 0) {
+ krb5_set_error_message(context, KRB5_KT_NOTFOUND,
+ _("Keytab contains no suitable keys for "
+ "%s"), name);
+ }
+ krb5_free_unparsed_name(context, name);
+ return KRB5_KT_NOTFOUND;
+ }
+
return 0;
}

190
krb5/patches/krb5-1.10.2-manpaths.patch Normal file
View File

@ -0,0 +1,190 @@
Change the absolute paths included in the man pages so that the correct
values can be dropped in by config.status. After applying this patch,
these files should be renamed to their ".in" counterparts, and then the
configure scripts should be rebuilt. Originally RT#6525
--- krb5/src/aclocal.m4
+++ krb5/src/aclocal.m4
@@ -1770,3 +1770,24 @@ AC_SUBST(PAM_LIBS)
AC_SUBST(PAM_MAN)
AC_SUBST(NON_PAM_MAN)
])dnl
+AC_DEFUN(V5_AC_OUTPUT_MANPAGE,[
+mansysconfdir=$sysconfdir
+mansysconfdir=`eval echo $mansysconfdir | sed -e "s,NONE,$prefix,g"`
+mansysconfdir=`eval echo $mansysconfdir | sed -e "s,NONE,$ac_default_prefix,g"`
+mansbindir=$sbindir
+mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$exec_prefix,g"`
+mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$prefix,g"`
+mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$ac_default_prefix,g"`
+manlocalstatedir=$localstatedir
+manlocalstatedir=`eval echo $manlocalstatedir | sed -e "s,NONE,$prefix,g"`
+manlocalstatedir=`eval echo $manlocalstatedir | sed -e "s,NONE,$ac_default_prefix,g"`
+manlibexecdir=$libexecdir
+manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$exec_prefix,g"`
+manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$prefix,g"`
+manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$ac_default_prefix,g"`
+AC_SUBST(mansysconfdir)
+AC_SUBST(mansbindir)
+AC_SUBST(manlocalstatedir)
+AC_SUBST(manlibexecdir)
+AC_CONFIG_FILES($1)
+])
--- krb5/src/configure.in
+++ krb5/src/configure.in
@@ -1054,6 +1054,17 @@ fi
AC_SUBST(localedir)
AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config])
+
+V5_AC_OUTPUT_MANPAGE([
+ appl/sample/sserver/sserver.M
+ config-files/kdc.conf.M
+ config-files/krb5.conf.M
+ gen-manpages/kerberos.M
+ kadmin/cli/kadmin.M
+ slave/kpropd.M
+ slave/kprop.M
+])
+
V5_AC_OUTPUT_MAKEFILE(.
util util/support util/profile util/profile/testmod util/send-pr
--- krb5/src/appl/sample/sserver/sserver.M
+++ krb5/src/appl/sample/sserver/sserver.M
@@ -59,7 +59,7 @@ option allows for a different keytab tha
using a line in
/etc/inetd.conf that looks like this:
.PP
-sample stream tcp nowait root /usr/local/sbin/sserver sserver
+sample stream tcp nowait root @mansbindir@/sserver sserver
.PP
Since \fBsample\fP is normally not a port defined in /etc/services, you will
usually have to add a line to /etc/services which looks like this:
--- krb5/src/config-files/kdc.conf.M
+++ krb5/src/config-files/kdc.conf.M
@@ -82,14 +82,14 @@ This
.B string
specifies the location of the access control list (acl) file that
kadmin uses to determine which principals are allowed which permissions
-on the database. The default value is /usr/local/var/krb5kdc/kadm5.acl.
+on the database. The default value is @manlocalstatedir@/krb5kdc/kadm5.acl.
.IP admin_keytab
This
.B string
Specifies the location of the keytab file that kadmin uses to
authenticate to the database. The default value is
-/usr/local/var/krb5kdc/kadm5.keytab.
+@manlocalstatedir@/krb5kdc/kadm5.keytab.
.IP database_name
This
@@ -254,7 +254,7 @@ tickets should be checked against the tr
realm names and the [capaths] section of its krb5.conf file
.SH FILES
-/usr/local/var/krb5kdc/kdc.conf
+@manlocalstatedir@/krb5kdc/kdc.conf
.SH SEE ALSO
krb5.conf(5), krb5kdc(8)
--- krb5/src/config-files/krb5.conf.M
+++ krb5/src/config-files/krb5.conf.M
@@ -808,6 +808,6 @@ is whitespace-separated. The LDAP server
This module implements the encrypted timestamp mechanism.
.SH FILES
-/etc/krb5.conf
+@mansysconfdir@/krb5.conf
.SH SEE ALSO
syslog(3)
--- krb5/src/gen-manpages/kerberos.M
+++ krb5/src/gen-manpages/kerberos.M
@@ -126,7 +126,7 @@
Specifies the location of the KDC configuration file, which contains
additional configuration directives for the Key Distribution Center
daemon and associated programs. The default is
-/usr/local/var/krb5kdc/kdc.conf.
+@manlocalstatedir@/krb5kdc/kdc.conf.
.TP
.B KRB5RCACHETYPE
Specifies the default type of replay cache to use for servers. Valid
--- krb5/src/kadmin/cli/kadmin.M
+++ krb5/src/kadmin/cli/kadmin.M
@@ -869,9 +869,9 @@ option is specified, less verbose status
.RS
.TP
EXAMPLE:
-kadmin: ktremove -k /usr/local/var/krb5kdc/kadmind.keytab kadmin/admin
+kadmin: ktremove -k @manlocalstatedir@/krb5kdc/kadmind.keytab kadmin/admin
Entry for principal kadmin/admin with kvno 3 removed
- from keytab WRFILE:/usr/local/var/krb5kdc/kadmind.keytab.
+ from keytab WRFILE:@manlocalstatedir@/krb5kdc/kadmind.keytab.
kadmin:
.RE
.fi
--- krb5/src/slave/kpropd.M
+++ krb5/src/slave/kpropd.M
@@ -74,7 +74,7 @@ Normally, kpropd is invoked out of
This is done by adding a line to the inetd.conf file which looks like
this:
-kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd
+kprop stream tcp nowait root @mansbindir@/kpropd kpropd
However, kpropd can also run as a standalone daemon, if the
.B \-S
@@ -111,13 +111,13 @@ is used.
\fB\-f\fP \fIfile\fP
specifies the filename where the dumped principal database file is to be
stored; by default the dumped database file is KPROPD_DEFAULT_FILE
-(normally /usr/local/var/krb5kdc/from_master).
+(normally @manlocalstatedir@/krb5kdc/from_master).
.TP
.B \-p
allows the user to specify the pathname to the
.IR kdb5_util (8)
program; by default the pathname used is KPROPD_DEFAULT_KDB5_UTIL
-(normally /usr/local/sbin/kdb5_util).
+(normally @mansbindir@/kdb5_util).
.TP
.B \-S
turn on standalone mode. Normally, kpropd is invoked out of
@@ -148,14 +148,14 @@ mode.
allows the user to specify the path to the
kpropd.acl
file; by default the path used is KPROPD_ACL_FILE
-(normally /usr/local/var/krb5kdc/kpropd.acl).
+(normally @manlocalstatedir@/krb5kdc/kpropd.acl).
.SH FILES
.TP "\w'kpropd.acl\ \ 'u"
kpropd.acl
Access file for
.BR kpropd ;
the default location is KPROPD_ACL_FILE (normally
-/usr/local/var/krb5kdc/kpropd.acl).
+@manlocalstatedir@/krb5kdc/kpropd.acl).
Each entry is a line containing the principal of a host from which the
local machine will allow Kerberos database propagation via kprop.
.SH SEE ALSO
--- krb5/src/slave/kprop.M
+++ krb5/src/slave/kprop.M
@@ -39,7 +39,7 @@ Kerberos server to a slave Kerberos serv
This is done by transmitting the dumped database file to the slave
server over an encrypted, secure channel. The dump file must be created
by kdb5_util, and is normally KPROP_DEFAULT_FILE
-(/usr/local/var/krb5kdc/slave_datatrans).
+(@manlocalstatedir@/krb5kdc/slave_datatrans).
.SH OPTIONS
.TP
\fB\-r\fP \fIrealm\fP
@@ -51,7 +51,7 @@ is used.
\fB\-f\fP \fIfile\fP
specifies the filename where the dumped principal database file is to be
found; by default the dumped database file is KPROP_DEFAULT_FILE
-(normally /usr/local/var/krb5kdc/slave_datatrans).
+(normally @manlocalstatedir@/krb5kdc/slave_datatrans).
.TP
\fB\-P\fP \fIport\fP
specifies the port to use to contact the

752
krb5/patches/krb5-1.10.2-pam.patch Normal file
View File

@ -0,0 +1,752 @@
Modify ksu so that it performs account and session management on behalf of
the target user account, mimicking the action of regular su. The default
service name is "ksu", because on Fedora at least the configuration used
is determined by whether or not a login shell is being opened, and so
this may need to vary, too. At run-time, ksu's behavior can be reset to
the earlier, non-PAM behavior by setting "use_pam" to false in the [ksu]
section of /etc/krb5.conf.
When enabled, ksu gains a dependency on libpam.
Originally RT#5939, though it's changed since then to perform the account
and session management before dropping privileges.
diff -up krb5-1.8/src/aclocal.m4.pam krb5-1.8/src/aclocal.m4
--- krb5-1.8/src/aclocal.m4.pam 2009-11-22 12:00:45.000000000 -0500
+++ krb5-1.8/src/aclocal.m4 2010-03-05 10:48:08.000000000 -0500
@@ -1703,3 +1703,70 @@ AC_DEFUN(KRB5_AC_KEYRING_CCACHE,[
]))
])dnl
dnl
+dnl
+dnl Use PAM instead of local crypt() compare for checking local passwords,
+dnl and perform PAM account, session management, and password-changing where
+dnl appropriate.
+dnl
+AC_DEFUN(KRB5_WITH_PAM,[
+AC_ARG_WITH(pam,[AC_HELP_STRING(--with-pam,[compile with PAM support])],
+ withpam="$withval",withpam=auto)
+AC_ARG_WITH(pam-ksu-service,[AC_HELP_STRING(--with-ksu-service,[PAM service name for ksu ["ksu"]])],
+ withksupamservice="$withval",withksupamservice=ksu)
+old_LIBS="$LIBS"
+if test "$withpam" != no ; then
+ AC_MSG_RESULT([checking for PAM...])
+ PAM_LIBS=
+
+ AC_CHECK_HEADERS(security/pam_appl.h)
+ if test "x$ac_cv_header_security_pam_appl_h" != xyes ; then
+ if test "$withpam" = auto ; then
+ AC_MSG_RESULT([Unable to locate security/pam_appl.h.])
+ withpam=no
+ else
+ AC_MSG_ERROR([Unable to locate security/pam_appl.h.])
+ fi
+ fi
+
+ LIBS=
+ unset ac_cv_func_pam_start
+ AC_CHECK_FUNCS(putenv pam_start)
+ if test "x$ac_cv_func_pam_start" = xno ; then
+ unset ac_cv_func_pam_start
+ AC_CHECK_LIB(dl,dlopen)
+ AC_CHECK_FUNCS(pam_start)
+ if test "x$ac_cv_func_pam_start" = xno ; then
+ AC_CHECK_LIB(pam,pam_start)
+ unset ac_cv_func_pam_start
+ unset ac_cv_func_pam_getenvlist
+ AC_CHECK_FUNCS(pam_start pam_getenvlist)
+ if test "x$ac_cv_func_pam_start" = xyes ; then
+ PAM_LIBS="$LIBS"
+ else
+ if test "$withpam" = auto ; then
+ AC_MSG_RESULT([Unable to locate libpam.])
+ withpam=no
+ else
+ AC_MSG_ERROR([Unable to locate libpam.])
+ fi
+ fi
+ fi
+ fi
+ if test "$withpam" != no ; then
+ AC_MSG_NOTICE([building with PAM support])
+ AC_DEFINE(USE_PAM,1,[Define if Kerberos-aware tools should support PAM])
+ AC_DEFINE_UNQUOTED(KSU_PAM_SERVICE,"$withksupamservice",
+ [Define to the name of the PAM service name to be used by ksu.])
+ PAM_LIBS="$LIBS"
+ NON_PAM_MAN=".\\\" "
+ PAM_MAN=
+ else
+ PAM_MAN=".\\\" "
+ NON_PAM_MAN=
+ fi
+fi
+LIBS="$old_LIBS"
+AC_SUBST(PAM_LIBS)
+AC_SUBST(PAM_MAN)
+AC_SUBST(NON_PAM_MAN)
+])dnl
diff -up krb5-1.8/src/clients/ksu/main.c.pam krb5-1.8/src/clients/ksu/main.c
--- krb5-1.8/src/clients/ksu/main.c.pam 2009-11-02 22:27:56.000000000 -0500
+++ krb5-1.8/src/clients/ksu/main.c 2010-03-05 10:48:08.000000000 -0500
@@ -26,6 +26,7 @@
* KSU was writen by: Ari Medvinsky, ari@isi.edu
*/
+#include "autoconf.h"
#include "ksu.h"
#include "adm_proto.h"
#include <sys/types.h>
@@ -33,6 +34,10 @@
#include <signal.h>
#include <grp.h>
+#ifdef USE_PAM
+#include "pam.h"
+#endif
+
/* globals */
char * prog_name;
int auth_debug =0;
@@ -40,6 +45,7 @@ char k5login_path[MAXPATHLEN];
char k5users_path[MAXPATHLEN];
char * gb_err = NULL;
int quiet = 0;
+int force_fork = 0;
/***********/
#define _DEF_CSH "/bin/csh"
@@ -586,6 +592,25 @@ main (argc, argv)
prog_name,target_user,client_name,
source_user,ontty());
+#ifdef USE_PAM
+ if (appl_pam_enabled(ksu_context, "ksu")) {
+ if (appl_pam_acct_mgmt(KSU_PAM_SERVICE, 1, target_user, NULL,
+ NULL, source_user,
+ ttyname(STDERR_FILENO)) != 0) {
+ fprintf(stderr, "Access denied for %s.\n", target_user);
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+ if (appl_pam_requires_chauthtok()) {
+ fprintf(stderr, "Password change required for %s.\n",
+ target_user);
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+ force_fork++;
+ }
+#endif
+
/* Run authorization as target.*/
if (krb5_seteuid(target_uid)) {
com_err(prog_name, errno, _("while switching to target for "
@@ -651,6 +676,26 @@
sweep_up(ksu_context, cc_target);
exit(1);
}
+#ifdef USE_PAM
+ } else {
+ /* we always do PAM account management, even for root */
+ if (appl_pam_enabled(ksu_context, "ksu")) {
+ if (appl_pam_acct_mgmt(KSU_PAM_SERVICE, 1, target_user, NULL,
+ NULL, source_user,
+ ttyname(STDERR_FILENO)) != 0) {
+ fprintf(stderr, "Access denied for %s.\n", target_user);
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+ if (appl_pam_requires_chauthtok()) {
+ fprintf(stderr, "Password change required for %s.\n",
+ target_user);
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+ force_fork++;
+ }
+#endif
}
if( some_rest_copy){
@@ -720,6 +745,32 @@
exit(1);
}
+#ifdef USE_PAM
+ if (appl_pam_enabled(ksu_context, "ksu")) {
+ if (appl_pam_session_open() != 0) {
+ fprintf(stderr, "Error opening session for %s.\n", target_user);
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+#ifdef DEBUG
+ if (auth_debug){
+ printf(" Opened PAM session.\n");
+ }
+#endif
+ if (appl_pam_cred_init()) {
+ fprintf(stderr, "Error initializing credentials for %s.\n",
+ target_user);
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+#ifdef DEBUG
+ if (auth_debug){
+ printf(" Initialized PAM credentials.\n");
+ }
+#endif
+ }
+#endif
+
/* set permissions */
if (setgid(target_pwd->pw_gid) < 0) {
perror("ksu: setgid");
@@ -792,7 +817,7 @@ main (argc, argv)
fprintf(stderr, "program to be execed %s\n",params[0]);
}
- if( keep_target_cache ) {
+ if( keep_target_cache && !force_fork ) {
execv(params[0], params);
com_err(prog_name, errno, _("while trying to execv %s"), params[0]);
sweep_up(ksu_context, cc_target);
@@ -823,16 +875,35 @@ main (argc, argv)
if (ret_pid == -1) {
com_err(prog_name, errno, _("while calling waitpid"));
}
- sweep_up(ksu_context, cc_target);
+ if( !keep_target_cache ) {
+ sweep_up(ksu_context, cc_target);
+ }
exit (statusp);
case -1:
com_err(prog_name, errno, _("while trying to fork."));
sweep_up(ksu_context, cc_target);
exit (1);
case 0:
+#ifdef USE_PAM
+ if (appl_pam_enabled(ksu_context, "ksu")) {
+ if (appl_pam_setenv() != 0) {
+ fprintf(stderr, "Error setting up environment for %s.\n",
+ target_user);
+ exit (1);
+ }
+#ifdef DEBUG
+ if (auth_debug){
+ printf(" Set up PAM environment.\n");
+ }
+#endif
+ }
+#endif
execv(params[0], params);
com_err(prog_name, errno, _("while trying to execv %s"),
params[0]);
+ if( keep_target_cache ) {
+ sweep_up(ksu_context, cc_target);
+ }
exit (1);
}
}
diff -up krb5-1.8/src/clients/ksu/Makefile.in.pam krb5-1.8/src/clients/ksu/Makefile.in
--- krb5-1.8/src/clients/ksu/Makefile.in.pam 2009-11-22 13:13:29.000000000 -0500
+++ krb5-1.8/src/clients/ksu/Makefile.in 2010-03-05 11:55:14.000000000 -0500
@@ -7,12 +7,14 @@
PROG_RPATH=$(KRB5_LIBDIR)
KSU_LIBS=@KSU_LIBS@
+PAM_LIBS=@PAM_LIBS@
SRCS = \
$(srcdir)/krb_auth_su.c \
$(srcdir)/ccache.c \
$(srcdir)/authorization.c \
$(srcdir)/main.c \
+ $(srcdir)/pam.c \
$(srcdir)/heuristic.c \
$(srcdir)/xmalloc.c \
$(srcdir)/setenv.c
@@ -21,13 +23,17 @@ OBJS = \
ccache.o \
authorization.o \
main.o \
+ pam.o \
heuristic.o \
xmalloc.o @SETENVOBJ@
all:: ksu
ksu: $(OBJS) $(KRB5_BASE_DEPLIBS)
- $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS)
+ $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS) $(PAM_LIBS)
+
+pam.o: pam.c
+ $(CC) $(ALL_CFLAGS) -c $<
clean::
$(RM) ksu
diff -up krb5-1.8/src/clients/ksu/pam.c.pam krb5-1.8/src/clients/ksu/pam.c
--- krb5-1.8/src/clients/ksu/pam.c.pam 2010-03-05 10:48:08.000000000 -0500
+++ krb5-1.8/src/clients/ksu/pam.c 2010-03-05 10:48:08.000000000 -0500
@@ -0,0 +1,389 @@
+/*
+ * src/clients/ksu/pam.c
+ *
+ * Copyright 2007,2009,2010 Red Hat, Inc.
+ *
+ * All Rights Reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * Redistributions of source code must retain the above copyright notice, this
+ * list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * Neither the name of Red Hat, Inc. nor the names of its contributors may be
+ * used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * Convenience wrappers for using PAM.
+ */
+
+#include "autoconf.h"
+#ifdef USE_PAM
+#include <sys/types.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include "k5-int.h"
+#include "pam.h"
+
+#ifndef MAXPWSIZE
+#define MAXPWSIZE 128
+#endif
+
+static int appl_pam_started;
+static pid_t appl_pam_starter = -1;
+static int appl_pam_session_opened;
+static int appl_pam_creds_initialized;
+static int appl_pam_pwchange_required;
+static pam_handle_t *appl_pamh;
+static struct pam_conv appl_pam_conv;
+static char *appl_pam_user;
+struct appl_pam_non_interactive_args {
+ const char *user;
+ const char *password;
+};
+
+int
+appl_pam_enabled(krb5_context context, const char *section)
+{
+ int enabled = 1;
+ if ((context != NULL) && (context->profile != NULL)) {
+ if (profile_get_boolean(context->profile,
+ section,
+ USE_PAM_CONFIGURATION_KEYWORD,
+ NULL,
+ enabled, &enabled) != 0) {
+ enabled = 1;
+ }
+ }
+ return enabled;
+}
+
+void
+appl_pam_cleanup(void)
+{
+ if (getpid() != appl_pam_starter) {
+ return;
+ }
+#ifdef DEBUG
+ printf("Called to clean up PAM.\n");
+#endif
+ if (appl_pam_creds_initialized) {
+#ifdef DEBUG
+ printf("Deleting PAM credentials.\n");
+#endif
+ pam_setcred(appl_pamh, PAM_DELETE_CRED);
+ appl_pam_creds_initialized = 0;
+ }
+ if (appl_pam_session_opened) {
+#ifdef DEBUG
+ printf("Closing PAM session.\n");
+#endif
+ pam_close_session(appl_pamh, 0);
+ appl_pam_session_opened = 0;
+ }
+ appl_pam_pwchange_required = 0;
+ if (appl_pam_started) {
+#ifdef DEBUG
+ printf("Shutting down PAM.\n");
+#endif
+ pam_end(appl_pamh, 0);
+ appl_pam_started = 0;
+ appl_pam_starter = -1;
+ free(appl_pam_user);
+ appl_pam_user = NULL;
+ }
+}
+static int
+appl_pam_interactive_converse(int num_msg, const struct pam_message **msg,
+ struct pam_response **presp, void *appdata_ptr)
+{
+ const struct pam_message *message;
+ struct pam_response *resp;
+ int i, code;
+ char *pwstring, pwbuf[MAXPWSIZE];
+ unsigned int pwsize;
+ resp = malloc(sizeof(struct pam_response) * num_msg);
+ if (resp == NULL) {
+ return PAM_BUF_ERR;
+ }
+ memset(resp, 0, sizeof(struct pam_response) * num_msg);
+ code = PAM_SUCCESS;
+ for (i = 0; i < num_msg; i++) {
+ message = &(msg[0][i]); /* XXX */
+ message = msg[i]; /* XXX */
+ pwstring = NULL;
+ switch (message->msg_style) {
+ case PAM_TEXT_INFO:
+ case PAM_ERROR_MSG:
+ printf("[%s]\n", message->msg ? message->msg : "");
+ fflush(stdout);
+ resp[i].resp = NULL;
+ resp[i].resp_retcode = PAM_SUCCESS;
+ break;
+ case PAM_PROMPT_ECHO_ON:
+ case PAM_PROMPT_ECHO_OFF:
+ if (message->msg_style == PAM_PROMPT_ECHO_ON) {
+ if (fgets(pwbuf, sizeof(pwbuf),
+ stdin) != NULL) {
+ pwbuf[strcspn(pwbuf, "\r\n")] = '\0';
+ pwstring = pwbuf;
+ }
+ } else {
+ pwstring = getpass(message->msg ?
+ message->msg :
+ "");
+ }
+ if ((pwstring != NULL) && (pwstring[0] != '\0')) {
+ pwsize = strlen(pwstring);
+ resp[i].resp = malloc(pwsize + 1);
+ if (resp[i].resp == NULL) {
+ resp[i].resp_retcode = PAM_BUF_ERR;
+ } else {
+ memcpy(resp[i].resp, pwstring, pwsize);
+ resp[i].resp[pwsize] = '\0';
+ resp[i].resp_retcode = PAM_SUCCESS;
+ }
+ } else {
+ resp[i].resp_retcode = PAM_CONV_ERR;
+ code = PAM_CONV_ERR;
+ }
+ break;
+ default:
+ break;
+ }
+ }
+ *presp = resp;
+ return code;
+}
+static int
+appl_pam_non_interactive_converse(int num_msg,
+ const struct pam_message **msg,
+ struct pam_response **presp,
+ void *appdata_ptr)
+{
+ const struct pam_message *message;
+ struct pam_response *resp;
+ int i, code;
+ unsigned int pwsize;
+ struct appl_pam_non_interactive_args *args;
+ const char *pwstring;
+ resp = malloc(sizeof(struct pam_response) * num_msg);
+ if (resp == NULL) {
+ return PAM_BUF_ERR;
+ }
+ args = appdata_ptr;
+ memset(resp, 0, sizeof(struct pam_response) * num_msg);
+ code = PAM_SUCCESS;
+ for (i = 0; i < num_msg; i++) {
+ message = &((*msg)[i]);
+ message = msg[i];
+ pwstring = NULL;
+ switch (message->msg_style) {
+ case PAM_TEXT_INFO:
+ case PAM_ERROR_MSG:
+ break;
+ case PAM_PROMPT_ECHO_ON:
+ case PAM_PROMPT_ECHO_OFF:
+ if (message->msg_style == PAM_PROMPT_ECHO_ON) {
+ /* assume "user" */
+ pwstring = args->user;
+ } else {
+ /* assume "password" */
+ pwstring = args->password;
+ }
+ if ((pwstring != NULL) && (pwstring[0] != '\0')) {
+ pwsize = strlen(pwstring);
+ resp[i].resp = malloc(pwsize + 1);
+ if (resp[i].resp == NULL) {
+ resp[i].resp_retcode = PAM_BUF_ERR;
+ } else {
+ memcpy(resp[i].resp, pwstring, pwsize);
+ resp[i].resp[pwsize] = '\0';
+ resp[i].resp_retcode = PAM_SUCCESS;
+ }
+ } else {
+ resp[i].resp_retcode = PAM_CONV_ERR;
+ code = PAM_CONV_ERR;
+ }
+ break;
+ default:
+ break;
+ }
+ }
+ *presp = resp;
+ return code;
+}
+static int
+appl_pam_start(const char *service, int interactive,
+ const char *login_username,
+ const char *non_interactive_password,
+ const char *hostname,
+ const char *ruser,
+ const char *tty)
+{
+ static int exit_handler_registered;
+ static struct appl_pam_non_interactive_args args;
+ int ret = 0;
+ if (appl_pam_started &&
+ (strcmp(login_username, appl_pam_user) != 0)) {
+ appl_pam_cleanup();
+ appl_pam_user = NULL;
+ }
+ if (!appl_pam_started) {
+#ifdef DEBUG
+ printf("Starting PAM up (service=\"%s\",user=\"%s\").\n",
+ service, login_username);
+#endif
+ memset(&appl_pam_conv, 0, sizeof(appl_pam_conv));
+ appl_pam_conv.conv = interactive ?
+ &appl_pam_interactive_converse :
+ &appl_pam_non_interactive_converse;
+ memset(&args, 0, sizeof(args));
+ args.user = strdup(login_username);
+ args.password = non_interactive_password ?
+ strdup(non_interactive_password) :
+ NULL;
+ appl_pam_conv.appdata_ptr = &args;
+ ret = pam_start(service, login_username,
+ &appl_pam_conv, &appl_pamh);
+ if (ret == 0) {
+ if (hostname != NULL) {
+#ifdef DEBUG
+ printf("Setting PAM_RHOST to \"%s\".\n", hostname);
+#endif
+ pam_set_item(appl_pamh, PAM_RHOST, hostname);
+ }
+ if (ruser != NULL) {
+#ifdef DEBUG
+ printf("Setting PAM_RUSER to \"%s\".\n", ruser);
+#endif
+ pam_set_item(appl_pamh, PAM_RUSER, ruser);
+ }
+ if (tty != NULL) {
+#ifdef DEBUG
+ printf("Setting PAM_TTY to \"%s\".\n", tty);
+#endif
+ pam_set_item(appl_pamh, PAM_TTY, tty);
+ }
+ if (!exit_handler_registered &&
+ (atexit(appl_pam_cleanup) != 0)) {
+ pam_end(appl_pamh, 0);
+ appl_pamh = NULL;
+ ret = -1;
+ } else {
+ appl_pam_started = 1;
+ appl_pam_starter = getpid();
+ appl_pam_user = strdup(login_username);
+ exit_handler_registered = 1;
+ }
+ }
+ }
+ return ret;
+}
+int
+appl_pam_acct_mgmt(const char *service, int interactive,
+ const char *login_username,
+ const char *non_interactive_password,
+ const char *hostname,
+ const char *ruser,
+ const char *tty)
+{
+ int ret;
+ appl_pam_pwchange_required = 0;
+ ret = appl_pam_start(service, interactive, login_username,
+ non_interactive_password, hostname, ruser, tty);
+ if (ret == 0) {
+#ifdef DEBUG
+ printf("Calling pam_acct_mgmt().\n");
+#endif
+ ret = pam_acct_mgmt(appl_pamh, 0);
+ switch (ret) {
+ case PAM_IGNORE:
+ ret = 0;
+ break;
+ case PAM_NEW_AUTHTOK_REQD:
+ appl_pam_pwchange_required = 1;
+ ret = 0;
+ break;
+ default:
+ break;
+ }
+ }
+ return ret;
+}
+int
+appl_pam_requires_chauthtok(void)
+{
+ return appl_pam_pwchange_required;
+}
+int
+appl_pam_session_open(void)
+{
+ int ret = 0;
+ if (appl_pam_started) {
+#ifdef DEBUG
+ printf("Opening PAM session.\n");
+#endif
+ ret = pam_open_session(appl_pamh, 0);
+ if (ret == 0) {
+ appl_pam_session_opened = 1;
+ }
+ }
+ return ret;
+}
+int
+appl_pam_setenv(void)
+{
+ int ret = 0;
+#ifdef HAVE_PAM_GETENVLIST
+#ifdef HAVE_PUTENV
+ int i;
+ char **list;
+ if (appl_pam_started) {
+ list = pam_getenvlist(appl_pamh);
+ for (i = 0; ((list != NULL) && (list[i] != NULL)); i++) {
+#ifdef DEBUG
+ printf("Setting \"%s\" in environment.\n", list[i]);
+#endif
+ putenv(list[i]);
+ }
+ }
+#endif
+#endif
+ return ret;
+}
+int
+appl_pam_cred_init(void)
+{
+ int ret = 0;
+ if (appl_pam_started) {
+#ifdef DEBUG
+ printf("Initializing PAM credentials.\n");
+#endif
+ ret = pam_setcred(appl_pamh, PAM_ESTABLISH_CRED);
+ if (ret == 0) {
+ appl_pam_creds_initialized = 1;
+ }
+ }
+ return ret;
+}
+#endif
diff -up krb5-1.8/src/clients/ksu/pam.h.pam krb5-1.8/src/clients/ksu/pam.h
--- krb5-1.8/src/clients/ksu/pam.h.pam 2010-03-05 10:48:08.000000000 -0500
+++ krb5-1.8/src/clients/ksu/pam.h 2010-03-05 10:48:08.000000000 -0500
@@ -0,0 +1,57 @@
+/*
+ * src/clients/ksu/pam.h
+ *
+ * Copyright 2007,2009,2010 Red Hat, Inc.
+ *
+ * All Rights Reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * Redistributions of source code must retain the above copyright notice, this
+ * list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * Neither the name of Red Hat, Inc. nor the names of its contributors may be
+ * used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * Convenience wrappers for using PAM.
+ */
+
+#include <krb5.h>
+#ifdef HAVE_SECURITY_PAM_APPL_H
+#include <security/pam_appl.h>
+#endif
+
+#define USE_PAM_CONFIGURATION_KEYWORD "use_pam"
+
+#ifdef USE_PAM
+int appl_pam_enabled(krb5_context context, const char *section);
+int appl_pam_acct_mgmt(const char *service, int interactive,
+ const char *local_username,
+ const char *non_interactive_password,
+ const char *hostname,
+ const char *ruser,
+ const char *tty);
+int appl_pam_requires_chauthtok(void);
+int appl_pam_session_open(void);
+int appl_pam_setenv(void);
+int appl_pam_cred_init(void);
+void appl_pam_cleanup(void);
+#endif
diff -up krb5-1.8/src/configure.in.pam krb5-1.8/src/configure.in
--- krb5-1.8/src/configure.in.pam 2009-12-31 18:13:56.000000000 -0500
+++ krb5-1.8/src/configure.in 2010-03-05 10:48:08.000000000 -0500
@@ -1051,6 +1051,8 @@ if test "$ac_cv_lib_socket" = "yes" -a "
AC_SUBST([VERTO_LIBS])
AC_SUBST([VERTO_VERSION])
+KRB5_WITH_PAM
+
# Make localedir work in autoconf 2.5x.
if test "${localedir+set}" != set; then
localedir='$(datadir)/locale'

950
krb5/patches/krb5-1.10.2-selinux-label.patch Normal file
View File

@ -0,0 +1,950 @@
SELinux bases access to files on the domain of the requesting process,
the operation being performed, and the context applied to the file.
In many cases, applications needn't be SELinux aware to work properly,
because SELinux can apply a default label to a file based on the label
of the directory in which it's created.
In the case of files such as /etc/krb5.keytab, however, this isn't
sufficient, as /etc/krb5.keytab will almost always need to be given a
label which differs from that of /etc/issue or /etc/resolv.conf. The
the kdb stash file needs a different label than the database for which
it's holding a master key, even though both typically live in the same
directory.
To give the file the correct label, we can either force a "restorecon"
call to fix a file's label after it's created, or create the file with
the right label, as we attempt to do here. We lean on THREEPARAMOPEN
and define a similar macro named WRITABLEFOPEN with which we replace
several uses of fopen().
The file creation context that we're manipulating here is a process-wide
attribute. While for the most part, applications which need to label
files when they're created have tended to be single-threaded, there's
not much we can do to avoid interfering with an application that
manipulates the creation context directly. Right now we're mediating
access using a library-local mutex, but that can only work for consumers
that are part of this package -- an unsuspecting application will still
stomp all over us.
The selabel APIs for looking up the context should be thread-safe (per
Red Hat #273081), so switching to using them instead of matchpathcon(),
which we used earlier, is some improvement.
--- krb5/src/aclocal.m4
+++ krb5/src/aclocal.m4
@@ -103,6 +103,7 @@ AC_SUBST_FILE(libnodeps_frag)
dnl
KRB5_AC_PRAGMA_WEAK_REF
WITH_LDAP
+KRB5_WITH_SELINUX
KRB5_LIB_PARAMS
KRB5_AC_INITFINI
KRB5_AC_ENABLE_THREADS
@@ -1791,3 +1792,51 @@ AC_SUBST(manlocalstatedir)
AC_SUBST(manlibexecdir)
AC_CONFIG_FILES($1)
])
+dnl
+dnl Use libselinux to set file contexts on newly-created files.
+dnl
+AC_DEFUN(KRB5_WITH_SELINUX,[
+AC_ARG_WITH(selinux,[AC_HELP_STRING(--with-selinux,[compile with SELinux labeling support])],
+ withselinux="$withval",withselinux=auto)
+old_LIBS="$LIBS"
+if test "$withselinux" != no ; then
+ AC_MSG_RESULT([checking for libselinux...])
+ SELINUX_LIBS=
+ AC_CHECK_HEADERS(selinux/selinux.h selinux/label.h)
+ if test "x$ac_cv_header_selinux_selinux_h" != xyes ; then
+ if test "$withselinux" = auto ; then
+ AC_MSG_RESULT([Unable to locate selinux/selinux.h.])
+ withselinux=no
+ else
+ AC_MSG_ERROR([Unable to locate selinux/selinux.h.])
+ fi
+ fi
+
+ LIBS=
+ unset ac_cv_func_setfscreatecon
+ AC_CHECK_FUNCS(setfscreatecon selabel_open)
+ if test "x$ac_cv_func_setfscreatecon" = xno ; then
+ AC_CHECK_LIB(selinux,setfscreatecon)
+ unset ac_cv_func_setfscreatecon
+ AC_CHECK_FUNCS(setfscreatecon selabel_open)
+ if test "x$ac_cv_func_setfscreatecon" = xyes ; then
+ SELINUX_LIBS="$LIBS"
+ else
+ if test "$withselinux" = auto ; then
+ AC_MSG_RESULT([Unable to locate libselinux.])
+ withselinux=no
+ else
+ AC_MSG_ERROR([Unable to locate libselinux.])
+ fi
+ fi
+ fi
+ if test "$withselinux" != no ; then
+ AC_MSG_NOTICE([building with SELinux labeling support])
+ AC_DEFINE(USE_SELINUX,1,[Define if Kerberos-aware tools should set SELinux file contexts when creating files.])
+ SELINUX_LIBS="$LIBS"
+ EXTRA_SUPPORT_SYMS="$EXTRA_SUPPORT_SYMS krb5int_labeled_open krb5int_labeled_fopen krb5int_push_fscreatecon_for krb5int_pop_fscreatecon"
+ fi
+fi
+LIBS="$old_LIBS"
+AC_SUBST(SELINUX_LIBS)
+])dnl
--- krb5/src/config/pre.in
+++ krb5/src/config/pre.in
@@ -180,6 +180,7 @@ LD_UNRESOLVED_PREFIX = @LD_UNRESOLVED_PREFIX@
LD_SHLIBDIR_PREFIX = @LD_SHLIBDIR_PREFIX@
LDARGS = @LDARGS@
LIBS = @LIBS@
+SELINUX_LIBS=@SELINUX_LIBS@
INSTALL=@INSTALL@
INSTALL_STRIP=
@@ -379,7 +380,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME)
# HESIOD_LIBS is -lhesiod...
HESIOD_LIBS = @HESIOD_LIBS@
-KRB5_BASE_LIBS = $(KRB5_LIB) $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) $(GEN_LIB) $(LIBS) $(DL_LIB)
+KRB5_BASE_LIBS = $(KRB5_LIB) $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) $(GEN_LIB) $(LIBS) $(SELINUX_LIBS) $(DL_LIB)
KDB5_LIBS = $(KDB5_LIB) $(GSSRPC_LIBS)
GSS_LIBS = $(GSS_KRB5_LIB)
# needs fixing if ever used on Mac OS X!
--- krb5/src/configure.in
+++ krb5/src/configure.in
@@ -1053,6 +1053,8 @@ fi
KRB5_WITH_PAM
+KRB5_WITH_SELINUX
+
# Make localedir work in autoconf 2.5x.
if test "${localedir+set}" != set; then
localedir='$(datadir)/locale'
--- krb5/src/include/k5-int.h
+++ krb5/src/include/k5-int.h
@@ -133,6 +133,7 @@ typedef unsigned char u_char;
typedef UINT64_TYPE krb5_ui_8;
typedef INT64_TYPE krb5_int64;
+#include "k5-label.h"
#define DEFAULT_PWD_STRING1 "Enter password"
#define DEFAULT_PWD_STRING2 "Re-enter password for verification"
--- krb5/src/include/k5-label.h
+++ krb5/src/include/k5-label.h
@@ -0,0 +1,32 @@
+#ifndef _KRB5_LABEL_H
+#define _KRB5_LABEL_H
+
+#ifdef THREEPARAMOPEN
+#undef THREEPARAMOPEN
+#endif
+#ifdef WRITABLEFOPEN
+#undef WRITABLEFOPEN
+#endif
+
+/* Wrapper functions which help us create files and directories with the right
+ * context labels. */
+#ifdef USE_SELINUX
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <unistd.h>
+FILE *krb5int_labeled_fopen(const char *path, const char *mode);
+int krb5int_labeled_creat(const char *path, mode_t mode);
+int krb5int_labeled_open(const char *path, int flags, ...);
+int krb5int_labeled_mkdir(const char *path, mode_t mode);
+int krb5int_labeled_mknod(const char *path, mode_t mode, dev_t device);
+#define THREEPARAMOPEN(x,y,z) krb5int_labeled_open(x,y,z)
+#define WRITABLEFOPEN(x,y) krb5int_labeled_fopen(x,y)
+void *krb5int_push_fscreatecon_for(const char *pathname);
+void krb5int_pop_fscreatecon(void *previous);
+#else
+#define WRITABLEFOPEN(x,y) fopen(x,y)
+#define THREEPARAMOPEN(x,y,z) open(x,y,z)
+#endif
+#endif
--- krb5/src/include/krb5/krb5.hin
+++ krb5/src/include/krb5/krb5.hin
@@ -87,6 +87,12 @@
#define THREEPARAMOPEN(x,y,z) open(x,y,z)
#endif
+#if KRB5_PRIVATE
+#ifndef WRITABLEFOPEN
+#define WRITABLEFOPEN(x,y) fopen(x,y)
+#endif
+#endif
+
#define KRB5_OLD_CRYPTO
#include <stdlib.h>
--- krb5/src/kadmin/dbutil/dump.c
+++ krb5/src/kadmin/dbutil/dump.c
@@ -346,7 +346,7 @@
exit_status++;
return;
}
- if ((fd = open(file_ok, O_WRONLY|O_CREAT|O_TRUNC, 0600)) < 0) {
+ if ((fd = THREEPARAMOPEN(file_ok, O_WRONLY|O_CREAT|O_TRUNC, 0600)) < 0) {
com_err(progname, errno, _("while creating 'ok' file, '%s'"),
file_ok);
exit_status++;
@@ -1274,7 +1274,7 @@ dump_db(argc, argv)
* want to get into.
*/
unlink(ofile);
- if (!(f = fopen(ofile, "w"))) {
+ if (!(f = WRITABLEFOPEN(ofile, "w"))) {
fprintf(stderr, ofopen_error,
progname, ofile, error_message(errno));
exit_status++;
--- krb5/src/krb5-config.in
+++ krb5/src/krb5-config.in
@@ -38,6 +38,7 @@ RPATH_FLAG='@RPATH_FLAG@'
PROG_RPATH_FLAGS='@PROG_RPATH_FLAGS@'
PTHREAD_CFLAGS='@PTHREAD_CFLAGS@'
DL_LIB='@DL_LIB@'
+SELINUX_LIBS='@SELINUX_LIBS@'
LIBS='@LIBS@'
GEN_LIB=@GEN_LIB@
@@ -218,7 +219,7 @@
fi
# If we ever support a flag to generate output suitable for static
- # linking, we would output "-lkrb5support $GEN_LIB $LIBS $DL_LIB"
+ # linking, we would output "-lkrb5support $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB"
# here.
echo $lib_flags
--- krb5/src/lib/kadm5/logger.c
+++ krb5/src/lib/kadm5/logger.c
@@ -425,7 +425,7 @@ krb5_klog_init(krb5_context kcontext, ch
* Check for append/overwrite, then open the file.
*/
if (cp[4] == ':' || cp[4] == '=') {
- f = fopen(&cp[5], (cp[4] == ':') ? "a" : "w");
+ f = WRITABLEFOPEN(&cp[5], (cp[4] == ':') ? "a" : "w");
if (f) {
set_cloexec_file(f);
log_control.log_entries[i].lfu_filep = f;
@@ -961,7 +961,7 @@ krb5_klog_reopen(krb5_context kcontext)
* In case the old logfile did not get moved out of the
* way, open for append to prevent squashing the old logs.
*/
- f = fopen(log_control.log_entries[lindex].lfu_fname, "a+");
+ f = WRITABLEFOPEN(log_control.log_entries[lindex].lfu_fname, "a+");
if (f) {
set_cloexec_file(f);
log_control.log_entries[lindex].lfu_filep = f;
--- krb5/src/lib/krb5/keytab/kt_file.c
+++ krb5/src/lib/krb5/keytab/kt_file.c
@@ -1050,7 +1050,7 @@ krb5_ktfileint_open(krb5_context context
KTCHECKLOCK(id);
errno = 0;
- KTFILEP(id) = fopen(KTFILENAME(id),
+ KTFILEP(id) = WRITABLEFOPEN(KTFILENAME(id),
(mode == KRB5_LOCKMODE_EXCLUSIVE) ?
fopen_mode_rbplus : fopen_mode_rb);
if (!KTFILEP(id)) {
@@ -1058,7 +1058,7 @@ krb5_ktfileint_open(krb5_context context
/* try making it first time around */
krb5_create_secure_file(context, KTFILENAME(id));
errno = 0;
- KTFILEP(id) = fopen(KTFILENAME(id), fopen_mode_rbplus);
+ KTFILEP(id) = WRITABLEFOPEN(KTFILENAME(id), fopen_mode_rbplus);
if (!KTFILEP(id))
goto report_errno;
writevno = 1;
--- krb5/src/plugins/kdb/db2/adb_openclose.c
+++ krb5/src/plugins/kdb/db2/adb_openclose.c
@@ -201,7 +201,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char
* POSIX systems
*/
lockp->lockinfo.filename = strdup(lockfilename);
- if ((lockp->lockinfo.lockfile = fopen(lockfilename, "r+")) == NULL) {
+ if ((lockp->lockinfo.lockfile = WRITABLEFOPEN(lockfilename, "r+")) == NULL) {
/*
* maybe someone took away write permission so we could only
* get shared locks?
--- krb5/src/plugins/kdb/db2/libdb2/btree/bt_open.c
+++ krb5/src/plugins/kdb/db2/libdb2/btree/bt_open.c
@@ -60,6 +60,7 @@ static char sccsid[] = "@(#)bt_open.c 8.
#include "k5-platform.h" /* mkstemp? */
+#include "k5-int.h"
#include "db-int.h"
#include "btree.h"
@@ -203,7 +204,7 @@ __bt_open(fname, flags, mode, openinfo,
goto einval;
}
- if ((t->bt_fd = open(fname, flags | O_BINARY, mode)) < 0)
+ if ((t->bt_fd = THREEPARAMOPEN(fname, flags | O_BINARY, mode)) < 0)
goto err;
} else {
--- krb5/src/plugins/kdb/db2/libdb2/hash/hash.c
+++ krb5/src/plugins/kdb/db2/libdb2/hash/hash.c
@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)hash.c 8.12
#include <assert.h>
#endif
+#include "k5-int.h"
#include "db-int.h"
#include "hash.h"
#include "page.h"
@@ -140,7 +141,7 @@ __kdb2_hash_open(file, flags, mode, info
new_table = 1;
}
if (file) {
- if ((hashp->fp = open(file, flags|O_BINARY, mode)) == -1)
+ if ((hashp->fp = THREEPARAMOPEN(file, flags|O_BINARY, mode)) == -1)
RETURN_ERROR(errno, error0);
(void)fcntl(hashp->fp, F_SETFD, 1);
}
--- krb5/src/plugins/kdb/db2/libdb2/test/Makefile.in
+++ krb5/src/plugins/kdb/db2/libdb2/test/Makefile.in
@@ -12,7 +12,8 @@ PROG_RPATH=$(KRB5_LIBDIR)
KRB5_RUN_ENV= @KRB5_RUN_ENV@
-DB_LIB = -ldb
+DB_LIB = -ldb $(SUPPORT_DEPLIB)
+
DB_DEPLIB = ../libdb$(DEPLIBEXT)
all::
--- krb5/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
+++ krb5/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
@@ -1091,7 +1091,7 @@
/* Create a temporary file which contains all the entries except the
entry for the given service dn */
- pfile = fopen(file_name, "r+");
+ pfile = WRITABLEFOPEN(file_name, "r+");
if (pfile == NULL) {
com_err(me, errno, "while deleting entry from file %s", file_name);
goto cleanup;
@@ -1108,7 +1108,7 @@
snprintf (tmp_file, strlen(file_name) + 4 + 1, "%s%s", file_name, ".tmp");
- tmpfd = creat(tmp_file, S_IRUSR|S_IWUSR);
+ tmpfd = THREEPARAMOPEN(tmp_file, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR|S_IWUSR);
umask(omask);
if (tmpfd == -1) {
com_err(me, errno, "while deleting entry from file\n");
@@ -1728,7 +1728,7 @@
printf("File does not exist. Creating the file %s...\n", file_name);
omask = umask(077);
- fd = creat(file_name, S_IRUSR|S_IWUSR);
+ fd = THREEPARAMOPEN(file_name, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR|S_IWUSR);
umask(omask);
if (fd == -1) {
com_err(me, errno, "Error creating file %s", file_name);
@@ -1756,7 +1756,7 @@
/* TODO: file lock for the service password file */
/* set password in the file */
- pfile = fopen(file_name, "r+");
+ pfile = WRITABLEFOPEN(file_name, "r+");
if (pfile == NULL) {
com_err(me, errno, "Failed to open file %s", file_name);
goto cleanup;
@@ -1797,7 +1797,7 @@
}
omask = umask(077);
- newfile = fopen(tmp_file, "w+");
+ newfile = WRITABLEFOPEN(tmp_file, "w+");
umask(omask);
if (newfile == NULL) {
com_err(me, errno, "Error creating file %s", tmp_file);
@@ -2019,7 +2019,7 @@
/* set password in the file */
old_mode = umask(0177);
- pfile = fopen(file_name, "a+");
+ pfile = WRITABLEFOPEN(file_name, "a+");
if (pfile == NULL) {
com_err(me, errno, _("Failed to open file %s: %s"), file_name,
strerror (errno));
@@ -2069,7 +2069,7 @@
}
omask = umask(077);
- newfile = fopen(tmp_file, "w");
+ newfile = WRITABLEFOPEN(tmp_file, "w");
umask (omask);
if (newfile == NULL) {
com_err(me, errno, _("Error creating file %s"), tmp_file);
--- krb5/src/slave/kpropd.c
+++ krb5/src/slave/kpropd.c
@@ -328,7 +328,7 @@ retry:
if (!debug && iproprole != IPROP_SLAVE)
daemon(1, 0);
#ifdef PID_FILE
- if ((pidfile = fopen(PID_FILE, "w")) != NULL) {
+ if ((pidfile = WRITABLEFOPEN(PID_FILE, "w")) != NULL) {
fprintf(pidfile, "%d\n", getpid());
fclose(pidfile);
} else
@@ -437,6 +437,9 @@ void doit(fd)
krb5_enctype etype;
int database_fd;
char host[INET6_ADDRSTRLEN+1];
+#ifdef USE_SELINUX
+ void *selabel;
+#endif
if (kpropd_context->kdblog_context &&
kpropd_context->kdblog_context->iproprole == IPROP_SLAVE) {
@@ -515,9 +518,15 @@ void doit(fd)
free(name);
exit(1);
}
+#ifdef USE_SELINUX
+ selabel = krb5int_push_fscreatecon_for(file);
+#endif
omask = umask(077);
lock_fd = open(temp_file_name, O_RDWR|O_CREAT, 0600);
(void) umask(omask);
+#ifdef USE_SELINUX
+ krb5int_pop_fscreatecon(selabel);
+#endif
retval = krb5_lock_file(kpropd_context, lock_fd,
KRB5_LOCKMODE_EXCLUSIVE|KRB5_LOCKMODE_DONTBLOCK);
if (retval) {
--- krb5/src/util/profile/prof_file.c
+++ krb5/src/util/profile/prof_file.c
@@ -30,6 +30,7 @@
#endif
#include "k5-platform.h"
+#include "k5-label.h"
struct global_shared_profile_data {
/* This is the head of the global list of shared trees */
@@ -418,7 +419,7 @@ static errcode_t write_data_to_file(prf_
errno = 0;
- f = fopen(new_file, "w");
+ f = WRITABLEFOPEN(new_file, "w");
if (!f) {
retval = errno;
if (retval == 0)
--- krb5/src/util/support/Makefile.in
+++ krb5/src/util/support/Makefile.in
@@ -54,6 +54,7 @@ IPC_SYMS= \
STLIBOBJS= \
threads.o \
+ selinux.o \
init-addrinfo.o \
plugins.o \
errors.o \
@@ -108,7 +109,7 @@ SRCS=\
SHLIB_EXPDEPS =
# Add -lm if dumping thread stats, for sqrt.
-SHLIB_EXPLIBS= $(LIBS) $(DL_LIB)
+SHLIB_EXPLIBS= $(LIBS) $(SELINUX_LIBS) $(DL_LIB)
SHLIB_DIRS=
SHLIB_RDIRS=$(KRB5_LIBDIR)
--- krb5/src/util/support/selinux.c
+++ krb5/src/util/support/selinux.c
@@ -0,0 +1,373 @@
+/*
+ * Copyright 2007,2008,2009,2011,2012 Red Hat, Inc. All Rights Reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * Redistributions of source code must retain the above copyright notice, this
+ * list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * Neither the name of Red Hat, Inc. nor the names of its contributors may be
+ * used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * File-opening wrappers for creating correctly-labeled files. So far, we can
+ * assume that this is Linux-specific, so we make many simplifying assumptions.
+ */
+
+#include "../../include/autoconf.h"
+
+#ifdef USE_SELINUX
+
+#include <k5-label.h>
+#include <k5-thread.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <limits.h>
+#include <pthread.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <selinux/selinux.h>
+#include <selinux/context.h>
+#ifdef HAVE_SELINUX_LABEL_H
+#include <selinux/label.h>
+#endif
+
+/* #define DEBUG 1 */
+
+/* Mutex used to serialize use of the process-global file creation context. */
+k5_mutex_t labeled_mutex = K5_MUTEX_PARTIAL_INITIALIZER;
+
+/* Make sure we finish initializing that mutex before attempting to use it. */
+k5_once_t labeled_once = K5_ONCE_INIT;
+static void
+label_mutex_init(void)
+{
+ k5_mutex_finish_init(&labeled_mutex);
+}
+
+static security_context_t
+push_fscreatecon(const char *pathname, mode_t mode)
+{
+ security_context_t previous, configuredsc, currentsc, derivedsc;
+ context_t current, derived;
+ const char *fullpath, *currentuser;
+#ifdef HAVE_SELINUX_LABEL_H
+ struct selabel_handle *ctx;
+#endif
+
+ previous = NULL;
+ if (is_selinux_enabled()) {
+ if (getfscreatecon(&previous) == 0) {
+ char *genpath;
+ genpath = NULL;
+ if (pathname[0] != '/') {
+ char *wd;
+ size_t len;
+ len = 0;
+ wd = getcwd(NULL, len);
+ if (wd == NULL) {
+ if (previous != NULL) {
+ freecon(previous);
+ }
+ return NULL;
+ }
+ len = strlen(wd) + 1 + strlen(pathname) + 1;
+ genpath = malloc(len);
+ if (genpath == NULL) {
+ free(wd);
+ if (previous != NULL) {
+ freecon(previous);
+ }
+ return NULL;
+ }
+ sprintf(genpath, "%s/%s", wd, pathname);
+ free(wd);
+ fullpath = genpath;
+ } else {
+ fullpath = pathname;
+ }
+#ifdef DEBUG
+ if (isatty(fileno(stderr))) {
+ fprintf(stderr, "Looking up context for "
+ "\"%s\"(%05o).\n", fullpath, mode);
+ }
+#endif
+ configuredsc = NULL;
+#ifdef HAVE_SELINUX_LABEL_H
+ ctx = selabel_open(SELABEL_CTX_FILE, NULL, 0);
+ if (ctx != NULL) {
+ if (selabel_lookup(ctx, &configuredsc,
+ fullpath, mode) != 0) {
+ selabel_close(ctx);
+ free(genpath);
+ if (previous != NULL) {
+ freecon(previous);
+ }
+ return NULL;
+ }
+ selabel_close(ctx);
+ }
+#else
+ if (matchpathcon(fullpath, mode, &configuredsc) != 0) {
+ free(genpath);
+ if (previous != NULL) {
+ freecon(previous);
+ }
+ return NULL;
+ }
+#endif
+ free(genpath);
+ if (configuredsc == NULL) {
+ if (previous != NULL) {
+ freecon(previous);
+ }
+ return NULL;
+ }
+ currentsc = NULL;
+ getcon(&currentsc);
+ if (currentsc != NULL) {
+ derived = context_new(configuredsc);
+ if (derived != NULL) {
+ current = context_new(currentsc);
+ if (current != NULL) {
+ currentuser = context_user_get(current);
+ if (currentuser != NULL) {
+ if (context_user_set(derived,
+ currentuser) == 0) {
+ derivedsc = context_str(derived);
+ if (derivedsc != NULL) {
+ freecon(configuredsc);
+ configuredsc = strdup(derivedsc);
+ }
+ }
+ }
+ context_free(current);
+ }
+ context_free(derived);
+ }
+ freecon(currentsc);
+ }
+#ifdef DEBUG
+ if (isatty(fileno(stderr))) {
+ fprintf(stderr, "Setting file creation context "
+ "to \"%s\".\n", configuredsc);
+ }
+#endif
+ if (setfscreatecon(configuredsc) != 0) {
+ freecon(configuredsc);
+ if (previous != NULL) {
+ freecon(previous);
+ }
+ return NULL;
+ }
+ freecon(configuredsc);
+#ifdef DEBUG
+ } else {
+ if (isatty(fileno(stderr))) {
+ fprintf(stderr, "Unable to determine "
+ "current context.\n");
+ }
+#endif
+ }
+ }
+ return previous;
+}
+
+static void
+pop_fscreatecon(security_context_t previous)
+{
+ if (is_selinux_enabled()) {
+#ifdef DEBUG
+ if (isatty(fileno(stderr))) {
+ if (previous != NULL) {
+ fprintf(stderr, "Resetting file creation "
+ "context to \"%s\".\n", previous);
+ } else {
+ fprintf(stderr, "Resetting file creation "
+ "context to default.\n");
+ }
+ }
+#endif
+ setfscreatecon(previous);
+ if (previous != NULL) {
+ freecon(previous);
+ }
+ }
+}
+
+void *
+krb5int_push_fscreatecon_for(const char *pathname)
+{
+ struct stat st;
+ void *retval;
+ k5_once(&labeled_once, label_mutex_init);
+ if (k5_mutex_lock(&labeled_mutex) == 0) {
+ if (stat(pathname, &st) != 0) {
+ st.st_mode = S_IRUSR | S_IWUSR;
+ }
+ retval = push_fscreatecon(pathname, st.st_mode);
+ return retval ? retval : (void *) -1;
+ } else {
+ return NULL;
+ }
+}
+
+void
+krb5int_pop_fscreatecon(void *con)
+{
+ if (con != NULL) {
+ pop_fscreatecon((con == (void *) -1) ? NULL : con);
+ k5_mutex_unlock(&labeled_mutex);
+ }
+}
+
+FILE *
+krb5int_labeled_fopen(const char *path, const char *mode)
+{
+ FILE *fp;
+ int errno_save;
+ security_context_t ctx;
+
+ if ((strcmp(mode, "r") == 0) ||
+ (strcmp(mode, "rb") == 0)) {
+ return fopen(path, mode);
+ }
+
+ k5_once(&labeled_once, label_mutex_init);
+ if (k5_mutex_lock(&labeled_mutex) == 0) {
+ ctx = push_fscreatecon(path, 0);
+ fp = fopen(path, mode);
+ errno_save = errno;
+ pop_fscreatecon(ctx);
+ k5_mutex_unlock(&labeled_mutex);
+ errno = errno_save;
+ } else {
+ fp = fopen(path, mode);
+ }
+
+ return fp;
+}
+
+int
+krb5int_labeled_creat(const char *path, mode_t mode)
+{
+ int fd;
+ int errno_save;
+ security_context_t ctx;
+
+ k5_once(&labeled_once, label_mutex_init);
+ if (k5_mutex_lock(&labeled_mutex) == 0) {
+ ctx = push_fscreatecon(path, 0);
+ fd = creat(path, mode);
+ errno_save = errno;
+ pop_fscreatecon(ctx);
+ k5_mutex_unlock(&labeled_mutex);
+ errno = errno_save;
+ } else {
+ fd = creat(path, mode);
+ }
+ return fd;
+}
+
+int
+krb5int_labeled_mknod(const char *path, mode_t mode, dev_t dev)
+{
+ int ret;
+ int errno_save;
+ security_context_t ctx;
+
+ k5_once(&labeled_once, label_mutex_init);
+ if (k5_mutex_lock(&labeled_mutex) == 0) {
+ ctx = push_fscreatecon(path, mode);
+ ret = mknod(path, mode, dev);
+ errno_save = errno;
+ pop_fscreatecon(ctx);
+ k5_mutex_unlock(&labeled_mutex);
+ errno = errno_save;
+ } else {
+ ret = mknod(path, mode, dev);
+ }
+ return ret;
+}
+
+int
+krb5int_labeled_mkdir(const char *path, mode_t mode)
+{
+ int ret;
+ int errno_save;
+ security_context_t ctx;
+
+ k5_once(&labeled_once, label_mutex_init);
+ if (k5_mutex_lock(&labeled_mutex) == 0) {
+ ctx = push_fscreatecon(path, S_IFDIR);
+ ret = mkdir(path, mode);
+ errno_save = errno;
+ pop_fscreatecon(ctx);
+ k5_mutex_unlock(&labeled_mutex);
+ errno = errno_save;
+ } else {
+ ret = mkdir(path, mode);
+ }
+ return ret;
+}
+
+int
+krb5int_labeled_open(const char *path, int flags, ...)
+{
+ int fd;
+ int errno_save;
+ security_context_t ctx;
+ mode_t mode;
+ va_list ap;
+
+ if ((flags & O_CREAT) == 0) {
+ return open(path, flags);
+ }
+
+ k5_once(&labeled_once, label_mutex_init);
+ if (k5_mutex_lock(&labeled_mutex) == 0) {
+ ctx = push_fscreatecon(path, 0);
+
+ va_start(ap, flags);
+ mode = va_arg(ap, mode_t);
+ fd = open(path, flags, mode);
+ va_end(ap);
+
+ errno_save = errno;
+ pop_fscreatecon(ctx);
+ k5_mutex_unlock(&labeled_mutex);
+ errno = errno_save;
+ } else {
+ va_start(ap, flags);
+ mode = va_arg(ap, mode_t);
+ fd = open(path, flags, mode);
+ errno_save = errno;
+ va_end(ap);
+ errno = errno_save;
+ }
+ return fd;
+}
+
+#endif
--- krb5/src/lib/krb5/rcache/rc_dfl.c
+++ krb5/src/lib/krb5/rcache/rc_dfl.c
@@ -813,6 +813,9 @@ krb5_rc_dfl_expunge_locked(krb5_context
krb5_error_code retval = 0;
krb5_rcache tmp;
krb5_deltat lifespan = t->lifespan; /* save original lifespan */
+#ifdef USE_SELINUX
+ void *selabel;
+#endif
if (! t->recovering) {
name = t->name;
@@ -834,7 +837,17 @@ krb5_rc_dfl_expunge_locked(krb5_context
retval = krb5_rc_resolve(context, tmp, 0);
if (retval)
goto cleanup;
+#ifdef USE_SELINUX
+ if (t->d.fn != NULL)
+ selabel = krb5int_push_fscreatecon_for(t->d.fn);
+ else
+ selabel = NULL;
+#endif
retval = krb5_rc_initialize(context, tmp, lifespan);
+#ifdef USE_SELINUX
+ if (selabel != NULL)
+ krb5int_pop_fscreatecon(selabel);
+#endif
if (retval)
goto cleanup;
for (q = t->a; q; q = q->na) {
--- krb5/src/plugins/kdb/db2/kdb_db2.c
+++ krb5/src/plugins/kdb/db2/kdb_db2.c
@@ -683,8 +683,8 @@
if (retval)
return retval;
- dbc->db_lf_file = open(dbc->db_lf_name, O_CREAT | O_RDWR | O_TRUNC,
- 0600);
+ dbc->db_lf_file = THREEPARAMOPEN(dbc->db_lf_name,
+ O_CREAT | O_RDWR | O_TRUNC, 0600);
if (dbc->db_lf_file < 0) {
retval = errno;
goto cleanup;
--- krb5/src/plugins/kdb/db2/libdb2/recno/rec_open.c
+++ krb5/src/plugins/kdb/db2/libdb2/recno/rec_open.c
@@ -51,6 +51,7 @@
#include <stdio.h>
#include <unistd.h>
+#include "k5-int.h"
#include "db-int.h"
#include "recno.h"
@@ -68,7 +69,8 @@
int rfd = -1, sverrno;
/* Open the user's file -- if this fails, we're done. */
- if (fname != NULL && (rfd = open(fname, flags | O_BINARY, mode)) < 0)
+ if (fname != NULL &&
+ (rfd = THREEPARAMOPEN(fname, flags | O_BINARY, mode)) < 0)
return (NULL);
if (fname != NULL && fcntl(rfd, F_SETFD, 1) == -1) {
--- krb5/src/kdc/main.c
+++ krb5/src/kdc/main.c
@@ -905,7 +905,7 @@ write_pid_file(const char *path)
FILE *file;
unsigned long pid;
- file = fopen(path, "w");
+ file = WRITABLEFOPEN(path, "w");
if (file == NULL)
return errno;
pid = (unsigned long) getpid();
--- krb5/src/lib/kdb/kdb_log.c
+++ krb5/src/lib/kdb/kdb_log.c
@@ -566,7 +566,7 @@ ulog_map(krb5_context context, const cha
return (errno);
}
- if ((ulogfd = open(logname, O_RDWR+O_CREAT, 0600)) == -1) {
+ if ((ulogfd = THREEPARAMOPEN(logname, O_RDWR | O_CREAT, 0600)) == -1) {
return (errno);
}
--- krb5/src/util/gss-kernel-lib/Makefile.in
+++ krb5/src/util/gss-kernel-lib/Makefile.in
@@ -60,6 +60,7 @@ HEADERS= \
gssapi_err_generic.h \
k5-int.h \
k5-int-pkinit.h \
+ k5-label.h \
k5-thread.h \
k5-platform.h \
k5-buf.h \
@@ -166,10 +167,12 @@ gssapi_generic.h: $(GSS_GENERIC)/gssapi_
$(CP) $(GSS_GENERIC)/gssapi_generic.h $@
gssapi_err_generic.h: $(GSS_GENERIC_BUILD)/gssapi_err_generic.h
$(CP) $(GSS_GENERIC_BUILD)/gssapi_err_generic.h $@
-k5-int.h: $(INCLUDE)/k5-int.h
+k5-int.h: $(INCLUDE)/k5-int.h k5-label.h
$(CP) $(INCLUDE)/k5-int.h $@
k5-int-pkinit.h: $(INCLUDE)/k5-int-pkinit.h
$(CP) $(INCLUDE)/k5-int-pkinit.h $@
+k5-label.h: $(INCLUDE)/k5-label.h
+ $(CP) $(INCLUDE)/k5-label.h $@
k5-thread.h: $(INCLUDE)/k5-thread.h
$(CP) $(INCLUDE)/k5-thread.h $@
k5-platform.h: $(INCLUDE)/k5-platform.h

12
krb5/patches/krb5-1.3.1-dns.patch Normal file
View File

@ -0,0 +1,12 @@
We want to be able to use --with-netlib and --enable-dns at the same time.
RT#2022
--- krb5-1.3.1/src/aclocal.m4 2003-11-24 11:17:30.000000000 -0500
+++ krb5-1.3.1/src/aclocal.m4 2003-11-24 11:18:45.000000000 -0500
@@ -647,6 +647,7 @@
LIBS="$LIBS $withval"
AC_MSG_RESULT("netlib will use \'$withval\'")
fi
+ KRB5_AC_ENABLE_DNS
],dnl
[AC_LIBRARY_NET]
)])dnl

41
krb5/patches/krb5-1.3.4-send-pr-tempfile.patch Normal file
View File

@ -0,0 +1,41 @@
Use mktemp to create our temporary files instead of basing them on our PID.
Only portable if you assume the presence of a mktemp helper.
diff -ur krb5-1.3.4/src/util/send-pr/send-pr.sh krb5-1.3.4/src/util/send-pr/send-pr.sh
--- krb5-1.3.4/src/util/send-pr/send-pr.sh 1997-03-20 01:13:56.000000000 +0100
+++ krb5-1.3.4/src/util/send-pr/send-pr.sh 2004-09-20 11:28:56.000000000 +0200
@@ -96,9 +96,9 @@
fi
fi
-TEMP=$TMPDIR/p$$
-BAD=$TMPDIR/pbad$$
-REF=$TMPDIR/pf$$
+TEMP=`mktemp "$TMPDIR"/p.XXXXXX` || exit 1
+BAD=`mktemp "$TMPDIR"/pbad.XXXXXX` || exit 1
+REF=`mktemp "$TMPDIR"/pf.XXXXXX` || exit 1
# find a user name
if [ "$LOGNAME" = "" ]; then
@@ -122,9 +122,10 @@
else
# Must use temp file due to incompatibilities in quoting behavior
# and to protect shell metacharacters in the expansion of $LOGNAME
- $PASSWD | grep "^$LOGNAME:" | awk -F: '{print $5}' | sed -e 's/,.*//' > $TEMP
- ORIGINATOR="`cat $TEMP`"
- rm -f $TEMP
+ TEMP2=`mktemp "$TMPDIR"/plogname.XXXXXX` || exit 1
+ $PASSWD | grep "^$LOGNAME:" | awk -F: '{print $5}' | sed -e 's/,.*//' > $TEMP2
+ ORIGINATOR="`cat $TEMP2`"
+ rm -f $TEMP2
fi
if [ -n "$ORGANIZATION" ]; then
@@ -280,7 +281,7 @@
# Catch some signals. ($xs kludge needed by Sun /bin/sh)
xs=0
trap 'rm -f $REF $TEMP; exit $xs' 0
-trap 'echo "$COMMAND: Aborting ..."; rm -f $REF $TEMP; xs=1; exit' 1 2 3 13 15
+trap 'echo "$COMMAND: Aborting ..."; rm -f "$REF" "$BAD" "$TEMP"; xs=1; exit' 1 2 3 13 15
# If they told us to use a specific file, then do so.
if [ -n "$IN_FILE" ]; then

247
krb5/patches/krb5-1.6.3-kdc_listen_all.patch0 Normal file
View File

@ -0,0 +1,247 @@
Provide an option to make the KDC also listen on loopback interfaces for
datagram requests. Adds an internal symbol to libkrb5 which the KDC
needs if listening on loopback is enabled.
The default might be better changed from FALSE to TRUE so that the
default matches what we do with stream sockets.
FIXME: doesn't add documentation anywhere.
diff -up src/include/foreachaddr.h src/include/foreachaddr.h
--- src/include/foreachaddr.h 2004-05-05 18:44:46.000000000 -0400
+++ src/include/foreachaddr.h 2008-04-04 15:39:28.000000000 -0400
@@ -62,3 +62,18 @@ krb5int_foreach_localaddr (/*@null@*/ vo
;
#define foreach_localaddr krb5int_foreach_localaddr
+
+extern int
+krb5int_foreach_localaddr_ext (/*@null@*/ void *data,
+ int (*pass1fn) (/*@null@*/ void *,
+ struct sockaddr *) /*@*/,
+ /*@null@*/ krb5_boolean (*skipfn) (/*@null@*/ struct sockaddr *, int) /*@*/,
+ /*@null@*/ int (*betweenfn) (/*@null@*/ void *) /*@*/,
+ /*@null@*/ int (*pass2fn) (/*@null@*/ void *,
+ struct sockaddr *) /*@*/)
+#if defined(DEBUG) || defined(TEST)
+ /*@modifies fileSystem@*/
+#endif
+ ;
+
+#define foreach_localaddr_ext krb5int_foreach_localaddr_ext
diff -up src/kdc/kdc_util.h src/kdc/kdc_util.h
--- src/kdc/kdc_util.h 2008-04-04 16:28:18.000000000 -0400
+++ src/kdc/kdc_util.h 2008-04-04 16:51:27.000000000 -0400
@@ -126,6 +126,7 @@ krb5_error_code kdc_initialize_rcache (k
krb5_error_code setup_server_realm (krb5_principal);
/* network.c */
+void process_listen_loopback (krb5_boolean);
krb5_error_code listen_and_process (const char *);
krb5_error_code setup_network (const char *);
krb5_error_code closedown_network (const char *);
diff -up src/kdc/main.c src/kdc/main.c
--- src/kdc/main.c 2008-04-04 16:22:43.000000000 -0400
+++ src/kdc/main.c 2008-04-04 16:55:22.000000000 -0400
@@ -422,6 +422,7 @@ initialize_realms(krb5_context kcontext,
krb5_enctype menctype = ENCTYPE_UNKNOWN;
kdc_realm_t *rdatap;
krb5_boolean manual = FALSE;
+ krb5_boolean listen_loopback = FALSE;
char *default_udp_ports = 0;
char *default_tcp_ports = 0;
krb5_pointer aprof;
@@ -448,6 +449,9 @@ initialize_realms(krb5_context kcontext,
if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &v4mode))
v4mode = 0;
#endif
+ hierarchy[1] = "kdc_listen_loopback";
+ if (krb5_aprof_get_boolean(aprof, hierarchy, TRUE, &listen_loopback))
+ listen_loopback = FALSE;
/* aprof_init can return 0 with aprof == NULL */
if (aprof)
krb5_aprof_finish(aprof);
@@ -587,6 +591,8 @@ initialize_realms(krb5_context kcontext,
free(v4mode);
#endif
+ process_listen_loopback(listen_loopback);
+
/*
* Check to see if we processed any realms.
*/
diff -up src/kdc/network.c src/kdc/network.c
--- src/kdc/network.c 2008-04-04 15:39:28.000000000 -0400
+++ src/kdc/network.c 2008-04-04 16:51:44.000000000 -0400
@@ -221,6 +221,7 @@ static SET(u_short) udp_port_data, tcp_p
#include "cm.h"
static struct select_state sstate;
+static krb5_boolean listen_loopback;
static krb5_error_code add_udp_port(int port)
{
@@ -604,6 +605,12 @@ scan_for_newlines:
}
#endif
+void
+process_listen_loopback(krb5_boolean listen_loop)
+{
+ listen_loopback = listen_loop;
+}
+
/* XXX */
extern int krb5int_debug_sendto_kdc;
extern void (*krb5int_sendtokdc_debug_handler)(const void*, size_t);
@@ -662,7 +669,9 @@ setup_network(const char *prog)
so we might need only one UDP socket; fall back to binding
sockets on each address only if IPV6_PKTINFO isn't
supported. */
- if (foreach_localaddr (&setup_data, setup_udp_port, 0, 0)) {
+ if (listen_loopback ?
+ foreach_localaddr_ext (&setup_data, setup_udp_port, 0, 0, 0) :
+ foreach_localaddr (&setup_data, setup_udp_port, 0, 0)) {
return setup_data.retval;
}
setup_tcp_listener_ports(&setup_data);
diff -up src/lib/krb5/os/localaddr.c src/lib/krb5/os/localaddr.c
--- src/lib/krb5/os/localaddr.c 2005-04-13 12:55:43.000000000 -0400
+++ src/lib/krb5/os/localaddr.c 2008-04-04 15:39:28.000000000 -0400
@@ -242,6 +242,17 @@ addr_eq (const struct sockaddr *s1, cons
}
#endif
+static krb5_boolean
+skip_loopback (struct sockaddr *addr, int flags)
+{
+#ifdef IFF_LOOPBACK
+ if (flags & IFF_LOOPBACK) {
+ return TRUE;
+ }
+#endif
+ return FALSE;
+}
+
#ifndef HAVE_IFADDRS_H
/*@-usereleased@*/ /* lclint doesn't understand realloc */
static /*@null@*/ void *
@@ -413,14 +424,27 @@ get_linux_ipv6_addrs ()
indication, it should do it via some field pointed to by the DATA
argument. */
-#ifdef HAVE_IFADDRS_H
-
int
foreach_localaddr (/*@null@*/ void *data,
int (*pass1fn) (/*@null@*/ void *, struct sockaddr *) /*@*/,
/*@null@*/ int (*betweenfn) (/*@null@*/ void *) /*@*/,
/*@null@*/ int (*pass2fn) (/*@null@*/ void *,
struct sockaddr *) /*@*/)
+{
+ return foreach_localaddr_ext(data, pass1fn,
+ &skip_loopback, betweenfn,
+ pass2fn);
+}
+
+#ifdef HAVE_IFADDRS_H
+
+int
+foreach_localaddr_ext (/*@null@*/ void *data,
+ int (*pass1fn) (/*@null@*/ void *, struct sockaddr *) /*@*/,
+ /*@null@*/ krb5_boolean (*skipfn) (/*@null@*/ struct sockaddr *, int) /*@*/,
+ /*@null@*/ int (*betweenfn) (/*@null@*/ void *) /*@*/,
+ /*@null@*/ int (*pass2fn) (/*@null@*/ void *,
+ struct sockaddr *) /*@*/)
#if defined(DEBUG) || defined(TEST)
/*@modifies fileSystem@*/
#endif
@@ -436,7 +460,7 @@ foreach_localaddr (/*@null@*/ void *data
#endif
if ((ifp->ifa_flags & IFF_UP) == 0)
continue;
- if (ifp->ifa_flags & IFF_LOOPBACK) {
+ if (skipfn && (*skipfn)(ifp->ifa_addr, ifp->ifa_flags)) {
/* Pretend it's not up, so the second pass will skip
it. */
ifp->ifa_flags &= ~IFF_UP;
@@ -459,7 +483,7 @@ foreach_localaddr (/*@null@*/ void *data
for (ifp2 = ifp_head; ifp2 && ifp2 != ifp; ifp2 = ifp2->ifa_next) {
if ((ifp2->ifa_flags & IFF_UP) == 0)
continue;
- if (ifp2->ifa_flags & IFF_LOOPBACK)
+ if (skipfn && (*skipfn)(ifp2->ifa_addr, ifp2->ifa_flags))
continue;
if (addr_eq (ifp->ifa_addr, ifp2->ifa_addr)) {
match = 1;
@@ -488,11 +512,12 @@ foreach_localaddr (/*@null@*/ void *data
#elif defined (SIOCGLIFNUM) && defined(HAVE_STRUCT_LIFCONF) /* Solaris 8 and later; Sol 7? */
int
-foreach_localaddr (/*@null@*/ void *data,
- int (*pass1fn) (/*@null@*/ void *, struct sockaddr *) /*@*/,
- /*@null@*/ int (*betweenfn) (/*@null@*/ void *) /*@*/,
- /*@null@*/ int (*pass2fn) (/*@null@*/ void *,
- struct sockaddr *) /*@*/)
+foreach_localaddr_ext (/*@null@*/ void *data,
+ int (*pass1fn) (/*@null@*/ void *, struct sockaddr *) /*@*/,
+ /*@null@*/ int (*skipfn) (/*@null@*/ struct sockaddr *, int) /*@*/,
+ /*@null@*/ int (*betweenfn) (/*@null@*/ void *) /*@*/,
+ /*@null@*/ int (*pass2fn) (/*@null@*/ void *,
+ struct sockaddr *) /*@*/)
#if defined(DEBUG) || defined(TEST)
/*@modifies fileSystem@*/
#endif
@@ -583,13 +608,12 @@ foreach_localaddr (/*@null@*/ void *data
}
/*@=moduncon@*/
-#ifdef IFF_LOOPBACK
- /* None of the current callers want loopback addresses. */
- if (lifreq.lifr_flags & IFF_LOOPBACK) {
- Tprintf ((" loopback\n"));
+ if (skipfn && (*skipfn)(lifreq.lifr_addr, lifreq.lifr_flags))
+ if (skipfn && (skipfn == &skip_loopback))
+ Tprintf ((" loopback\n"));
goto skip;
}
-#endif
+
/* Ignore interfaces that are down. */
if ((lifreq.lifr_flags & IFF_UP) == 0) {
Tprintf ((" down\n"));
@@ -755,13 +779,12 @@ foreach_localaddr (/*@null@*/ void *data
}
/*@=moduncon@*/
-#ifdef IFF_LOOPBACK
/* None of the current callers want loopback addresses. */
- if (lifreq.iflr_flags & IFF_LOOPBACK) {
- Tprintf ((" loopback\n"));
+ if (skipfn && (*skipfn)(ifp2->ifa_addr, lifreq.lifr_flags))
+ if (skipfn && (skipfn == &skip_loopback))
+ Tprintf ((" loopback\n"));
goto skip;
}
-#endif
/* Ignore interfaces that are down. */
if ((lifreq.iflr_flags & IFF_UP) == 0) {
Tprintf ((" down\n"));
@@ -971,13 +994,12 @@ foreach_localaddr (/*@null@*/ void *data
}
/*@=moduncon@*/
-#ifdef IFF_LOOPBACK
- /* None of the current callers want loopback addresses. */
- if (ifreq.ifr_flags & IFF_LOOPBACK) {
- Tprintf ((" loopback\n"));
+ if (skipfn && (*skipfn)(NULL, ifreq.ifr_flags))
+ if (skipfn && (skipfn == &skip_loopback))
+ Tprintf ((" loopback\n"));
goto skip;
}
-#endif
+
/* Ignore interfaces that are down. */
if ((ifreq.ifr_flags & IFF_UP) == 0) {
Tprintf ((" down\n"));

351
krb5/patches/krb5-1.7-ktany.patch Normal file
View File

@ -0,0 +1,351 @@
Adds an "ANY" keytab type which is a list of other keytab locations to search
when searching for a specific entry. When iterated through, it only presents
the contents of the first keytab.
diff -up /dev/null krb5-1.7/src/lib/krb5/keytab/kt_any.c
--- /dev/null 2009-06-04 10:34:55.169007373 -0400
+++ krb5-1.7/src/lib/krb5/keytab/kt_any.c 2009-06-04 13:54:36.000000000 -0400
@@ -0,0 +1,292 @@
+/*
+ * lib/krb5/keytab/kt_any.c
+ *
+ * Copyright 1998, 1999 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ *
+ * krb5_kta_ops
+ */
+
+#include "k5-int.h"
+
+typedef struct _krb5_ktany_data {
+ char *name;
+ krb5_keytab *choices;
+ int nchoices;
+} krb5_ktany_data;
+
+typedef struct _krb5_ktany_cursor_data {
+ int which;
+ krb5_kt_cursor cursor;
+} krb5_ktany_cursor_data;
+
+static krb5_error_code krb5_ktany_resolve
+ (krb5_context,
+ const char *,
+ krb5_keytab *);
+static krb5_error_code krb5_ktany_get_name
+ (krb5_context context,
+ krb5_keytab id,
+ char *name,
+ unsigned int len);
+static krb5_error_code krb5_ktany_close
+ (krb5_context context,
+ krb5_keytab id);
+static krb5_error_code krb5_ktany_get_entry
+ (krb5_context context,
+ krb5_keytab id,
+ krb5_const_principal principal,
+ krb5_kvno kvno,
+ krb5_enctype enctype,
+ krb5_keytab_entry *entry);
+static krb5_error_code krb5_ktany_start_seq_get
+ (krb5_context context,
+ krb5_keytab id,
+ krb5_kt_cursor *cursorp);
+static krb5_error_code krb5_ktany_next_entry
+ (krb5_context context,
+ krb5_keytab id,
+ krb5_keytab_entry *entry,
+ krb5_kt_cursor *cursor);
+static krb5_error_code krb5_ktany_end_seq_get
+ (krb5_context context,
+ krb5_keytab id,
+ krb5_kt_cursor *cursor);
+static void cleanup
+ (krb5_context context,
+ krb5_ktany_data *data,
+ int nchoices);
+
+struct _krb5_kt_ops krb5_kta_ops = {
+ 0,
+ "ANY", /* Prefix -- this string should not appear anywhere else! */
+ krb5_ktany_resolve,
+ krb5_ktany_get_name,
+ krb5_ktany_close,
+ krb5_ktany_get_entry,
+ krb5_ktany_start_seq_get,
+ krb5_ktany_next_entry,
+ krb5_ktany_end_seq_get,
+ NULL,
+ NULL,
+ NULL,
+};
+
+static krb5_error_code
+krb5_ktany_resolve(context, name, id)
+ krb5_context context;
+ const char *name;
+ krb5_keytab *id;
+{
+ const char *p, *q;
+ char *copy;
+ krb5_error_code kerror;
+ krb5_ktany_data *data;
+ int i;
+
+ /* Allocate space for our data and remember a copy of the name. */
+ if ((data = (krb5_ktany_data *)malloc(sizeof(krb5_ktany_data))) == NULL)
+ return(ENOMEM);
+ if ((data->name = (char *)malloc(strlen(name) + 1)) == NULL) {
+ krb5_xfree(data);
+ return(ENOMEM);
+ }
+ strcpy(data->name, name);
+
+ /* Count the number of choices and allocate memory for them. */
+ data->nchoices = 1;
+ for (p = name; (q = strchr(p, ',')) != NULL; p = q + 1)
+ data->nchoices++;
+ if ((data->choices = (krb5_keytab *)
+ malloc(data->nchoices * sizeof(krb5_keytab))) == NULL) {
+ krb5_xfree(data->name);
+ krb5_xfree(data);
+ return(ENOMEM);
+ }
+
+ /* Resolve each of the choices. */
+ i = 0;
+ for (p = name; (q = strchr(p, ',')) != NULL; p = q + 1) {
+ /* Make a copy of the choice name so we can terminate it. */
+ if ((copy = (char *)malloc(q - p + 1)) == NULL) {
+ cleanup(context, data, i);
+ return(ENOMEM);
+ }
+ memcpy(copy, p, q - p);
+ copy[q - p] = 0;
+
+ /* Try resolving the choice name. */
+ kerror = krb5_kt_resolve(context, copy, &data->choices[i]);
+ krb5_xfree(copy);
+ if (kerror) {
+ cleanup(context, data, i);
+ return(kerror);
+ }
+ i++;
+ }
+ if ((kerror = krb5_kt_resolve(context, p, &data->choices[i]))) {
+ cleanup(context, data, i);
+ return(kerror);
+ }
+
+ /* Allocate and fill in an ID for the caller. */
+ if ((*id = (krb5_keytab)malloc(sizeof(**id))) == NULL) {
+ cleanup(context, data, i);
+ return(ENOMEM);
+ }
+ (*id)->ops = &krb5_kta_ops;
+ (*id)->data = (krb5_pointer)data;
+ (*id)->magic = KV5M_KEYTAB;
+
+ return(0);
+}
+
+static krb5_error_code
+krb5_ktany_get_name(context, id, name, len)
+ krb5_context context;
+ krb5_keytab id;
+ char *name;
+ unsigned int len;
+{
+ krb5_ktany_data *data = (krb5_ktany_data *)id->data;
+
+ if (len < strlen(data->name) + 1)
+ return(KRB5_KT_NAME_TOOLONG);
+ strcpy(name, data->name);
+ return(0);
+}
+
+static krb5_error_code
+krb5_ktany_close(context, id)
+ krb5_context context;
+ krb5_keytab id;
+{
+ krb5_ktany_data *data = (krb5_ktany_data *)id->data;
+
+ cleanup(context, data, data->nchoices);
+ id->ops = 0;
+ krb5_xfree(id);
+ return(0);
+}
+
+static krb5_error_code
+krb5_ktany_get_entry(context, id, principal, kvno, enctype, entry)
+ krb5_context context;
+ krb5_keytab id;
+ krb5_const_principal principal;
+ krb5_kvno kvno;
+ krb5_enctype enctype;
+ krb5_keytab_entry *entry;
+{
+ krb5_ktany_data *data = (krb5_ktany_data *)id->data;
+ krb5_error_code kerror = KRB5_KT_NOTFOUND;
+ int i;
+
+ for (i = 0; i < data->nchoices; i++) {
+ if ((kerror = krb5_kt_get_entry(context, data->choices[i], principal,
+ kvno, enctype, entry)) != ENOENT)
+ return kerror;
+ }
+ return kerror;
+}
+
+static krb5_error_code
+krb5_ktany_start_seq_get(context, id, cursorp)
+ krb5_context context;
+ krb5_keytab id;
+ krb5_kt_cursor *cursorp;
+{
+ krb5_ktany_data *data = (krb5_ktany_data *)id->data;
+ krb5_ktany_cursor_data *cdata;
+ krb5_error_code kerror = ENOENT;
+ int i;
+
+ if ((cdata = (krb5_ktany_cursor_data *)
+ malloc(sizeof(krb5_ktany_cursor_data))) == NULL)
+ return(ENOMEM);
+
+ /* Find a choice which can handle the serialization request. */
+ for (i = 0; i < data->nchoices; i++) {
+ if ((kerror = krb5_kt_start_seq_get(context, data->choices[i],
+ &cdata->cursor)) == 0)
+ break;
+ else if (kerror != ENOENT) {
+ krb5_xfree(cdata);
+ return(kerror);
+ }
+ }
+
+ if (i == data->nchoices) {
+ /* Everyone returned ENOENT, so no go. */
+ krb5_xfree(cdata);
+ return(kerror);
+ }
+
+ cdata->which = i;
+ *cursorp = (krb5_kt_cursor)cdata;
+ return(0);
+}
+
+static krb5_error_code
+krb5_ktany_next_entry(context, id, entry, cursor)
+ krb5_context context;
+ krb5_keytab id;
+ krb5_keytab_entry *entry;
+ krb5_kt_cursor *cursor;
+{
+ krb5_ktany_data *data = (krb5_ktany_data *)id->data;
+ krb5_ktany_cursor_data *cdata = (krb5_ktany_cursor_data *)*cursor;
+ krb5_keytab choice_id;
+
+ choice_id = data->choices[cdata->which];
+ return(krb5_kt_next_entry(context, choice_id, entry, &cdata->cursor));
+}
+
+static krb5_error_code
+krb5_ktany_end_seq_get(context, id, cursor)
+ krb5_context context;
+ krb5_keytab id;
+ krb5_kt_cursor *cursor;
+{
+ krb5_ktany_data *data = (krb5_ktany_data *)id->data;
+ krb5_ktany_cursor_data *cdata = (krb5_ktany_cursor_data *)*cursor;
+ krb5_keytab choice_id;
+ krb5_error_code kerror;
+
+ choice_id = data->choices[cdata->which];
+ kerror = krb5_kt_end_seq_get(context, choice_id, &cdata->cursor);
+ krb5_xfree(cdata);
+ return(kerror);
+}
+
+static void
+cleanup(context, data, nchoices)
+ krb5_context context;
+ krb5_ktany_data *data;
+ int nchoices;
+{
+ int i;
+
+ krb5_xfree(data->name);
+ for (i = 0; i < nchoices; i++)
+ krb5_kt_close(context, data->choices[i]);
+ krb5_xfree(data->choices);
+ krb5_xfree(data);
+}
diff -up krb5-1.7/src/lib/krb5/keytab/ktbase.c krb5-1.7/src/lib/krb5/keytab/ktbase.c
--- krb5-1.7/src/lib/krb5/keytab/ktbase.c 2009-02-18 13:18:56.000000000 -0500
+++ krb5-1.7/src/lib/krb5/keytab/ktbase.c 2009-06-04 13:54:36.000000000 -0400
@@ -59,14 +59,19 @@ extern const krb5_kt_ops krb5_ktf_ops;
extern const krb5_kt_ops krb5_ktf_writable_ops;
extern const krb5_kt_ops krb5_kts_ops;
extern const krb5_kt_ops krb5_mkt_ops;
+extern const krb5_kt_ops krb5_kta_ops;
struct krb5_kt_typelist {
const krb5_kt_ops *ops;
const struct krb5_kt_typelist *next;
};
+static struct krb5_kt_typelist krb5_kt_typelist_any = {
+ &krb5_kta_ops,
+ NULL
+};
const static struct krb5_kt_typelist krb5_kt_typelist_srvtab = {
&krb5_kts_ops,
- NULL
+ &krb5_kt_typelist_any
};
const static struct krb5_kt_typelist krb5_kt_typelist_memory = {
&krb5_mkt_ops,
diff -up krb5-1.7/src/lib/krb5/keytab/Makefile.in krb5-1.7/src/lib/krb5/keytab/Makefile.in
--- krb5-1.7/src/lib/krb5/keytab/Makefile.in 2009-01-05 15:27:53.000000000 -0500
+++ krb5-1.7/src/lib/krb5/keytab/Makefile.in 2009-06-04 13:54:36.000000000 -0400
@@ -19,6 +19,7 @@ STLIBOBJS= \
ktfr_entry.o \
ktremove.o \
ktfns.o \
+ kt_any.o \
kt_file.o \
kt_memory.o \
kt_srvtab.o \
@@ -31,6 +32,7 @@ OBJS= \
$(OUTPRE)ktfr_entry.$(OBJEXT) \
$(OUTPRE)ktremove.$(OBJEXT) \
$(OUTPRE)ktfns.$(OBJEXT) \
+ $(OUTPRE)kt_any.$(OBJEXT) \
$(OUTPRE)kt_file.$(OBJEXT) \
$(OUTPRE)kt_memory.$(OBJEXT) \
$(OUTPRE)kt_srvtab.$(OBJEXT) \
@@ -43,6 +45,7 @@ SRCS= \
$(srcdir)/ktfr_entry.c \
$(srcdir)/ktremove.c \
$(srcdir)/ktfns.c \
+ $(srcdir)/kt_any.c \
$(srcdir)/kt_file.c \
$(srcdir)/kt_memory.c \
$(srcdir)/kt_srvtab.c \

30
krb5/patches/krb5-1.8-api.patch Normal file
View File

@ -0,0 +1,30 @@
Reference docs don't define what happens if you call krb5_realm_compare() with
malformed krb5_principal structures. Define a behavior which keeps it from
crashing if applications don't check ahead of time.
diff -up krb5-1.8/src/lib/krb5/krb/princ_comp.c.api krb5-1.8/src/lib/krb5/krb/princ_comp.c
--- krb5-1.8/src/lib/krb5/krb/princ_comp.c.api 2009-10-30 20:48:38.000000000 -0400
+++ krb5-1.8/src/lib/krb5/krb/princ_comp.c 2010-03-05 11:00:55.000000000 -0500
@@ -41,6 +41,12 @@ realm_compare_flags(krb5_context context
const krb5_data *realm1 = krb5_princ_realm(context, princ1);
const krb5_data *realm2 = krb5_princ_realm(context, princ2);
+ if ((princ1 == NULL) || (princ2 == NULL))
+ return FALSE;
+
+ if ((realm1 == NULL) || (realm2 == NULL))
+ return FALSE;
+
if (realm1->length != realm2->length)
return FALSE;
@@ -92,6 +98,9 @@ krb5_principal_compare_flags(krb5_contex
krb5_principal upn2 = NULL;
krb5_boolean ret = FALSE;
+ if ((princ1 == NULL) || (princ2 == NULL))
+ return FALSE;
+
if (flags & KRB5_PRINCIPAL_COMPARE_ENTERPRISE) {
/* Treat UPNs as if they were real principals */
if (krb5_princ_type(context, princ1) == KRB5_NT_ENTERPRISE_PRINCIPAL) {

26
krb5/patches/krb5-1.9-debuginfo.patch0 Normal file
View File

@ -0,0 +1,26 @@
We want to keep these y.tab.c files around because the debuginfo points to
them. It would be more elegant at the end to use symbolic links, but that
could mess up people working in the tree on other things.
--- src/kadmin/cli/Makefile.in
+++ src/kadmin/cli/Makefile.in
@@ -43,3 +43,8 @@ clean-unix::
# CC_LINK is not meant for compilation and this use may break in the future.
datetest: getdate.c
$(CC_LINK) $(ALL_CFLAGS) -DTEST -o datetest getdate.c
+
+%.c: %.y
+ $(RM) y.tab.c $@
+ $(YACC.y) $<
+ $(CP) y.tab.c $@
--- src/plugins/kdb/ldap/ldap_util/Makefile.in
+++ src/plugins/kdb/ldap/ldap_util/Makefile.in
@@ -22,7 +22,7 @@ $(PROG): $(OBJS) $(KADMSRV_DEPLIBS) $(KR
getdate.c: $(GETDATE)
$(RM) getdate.c y.tab.c
$(YACC) $(GETDATE)
- $(MV) y.tab.c getdate.c
+ $(CP) y.tab.c getdate.c
install::
$(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG)

69
krb5/patches/krb5-1.9-dirsrv-accountlock.patch Normal file
View File

@ -0,0 +1,69 @@
Treat 'nsAccountLock: true' the same as 'loginDisabled: true'. Updated from
original version filed as RT#5891.
diff -up krb5-1.8/src/aclocal.m4.dirsrv-accountlock krb5-1.8/src/aclocal.m4
--- krb5-1.8/src/aclocal.m4.dirsrv-accountlock 2010-03-05 11:03:09.000000000 -0500
+++ krb5-1.8/src/aclocal.m4 2010-03-05 11:03:10.000000000 -0500
@@ -1678,6 +1678,12 @@ AC_ARG_WITH([edirectory],
yes | no) ;;
*) AC_MSG_ERROR(Invalid option value --with-edirectory="$withval") ;;
esac], with_edirectory=no)dnl
+AC_ARG_WITH([dirsrv],
+[ --with-dirsrv compile 389/Red Hat/Fedora/Netscape Directory Server database backend module],
+[case "$withval" in
+ yes | no) ;;
+ *) AC_MSG_ERROR(Invalid option value --with-dirsrv="$withval") ;;
+esac], with_dirsrv=no)dnl
if test $with_ldap = yes; then
if test $with_edirectory = yes; then
@@ -1689,6 +1695,10 @@ elif test $with_edirectory = yes; then
AC_MSG_NOTICE(enabling eDirectory database backend module support)
OPENLDAP_PLUGIN=yes
AC_DEFINE(HAVE_EDIRECTORY,1,[Define if LDAP KDB interface should assume eDirectory.])
+elif test $with_dirsrv = yes; then
+ AC_MSG_NOTICE(enabling 389/Red Hat/Fedora/Netscape Directory Server database backend module support)
+ OPENLDAP_PLUGIN=yes
+ AC_DEFINE(HAVE_DIRSRV,1,[Define if LDAP KDB interface should assume RHDS/FDS/NDS.])
else
: # neither enabled
dnl AC_MSG_NOTICE(disabling ldap backend module support)
diff -up krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c.dirsrv-accountlock krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
--- krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c.dirsrv-accountlock 2009-11-24 18:52:25.000000000 -0500
+++ krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c 2010-03-05 11:03:10.000000000 -0500
@@ -2101,6 +2101,22 @@ populate_krb5_db_entry(krb5_context cont
}
}
#endif
+#ifdef HAVE_DIRSRV
+ {
+ krb5_timestamp expiretime=0;
+ char *is_login_disabled=NULL;
+
+ /* LOGIN DISABLED */
+ if ((st=krb5_ldap_get_string(ld, ent, "nsaccountlock", &is_login_disabled,
+ &attr_present)) != 0)
+ goto cleanup;
+ if (attr_present == TRUE) {
+ if (strcasecmp(is_login_disabled, "TRUE")== 0)
+ entry->attributes |= KRB5_KDB_DISALLOW_ALL_TIX;
+ free (is_login_disabled);
+ }
+ }
+#endif
if ((st=krb5_read_tkt_policy (context, ldap_context, entry, tktpolname)) !=0)
goto cleanup;
diff -up krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c.dirsrv-accountlock krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
--- krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c.dirsrv-accountlock 2009-11-24 18:52:25.000000000 -0500
+++ krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c 2010-03-05 11:03:10.000000000 -0500
@@ -59,6 +59,9 @@ char *principal_attributes[] = { "kr
"loginexpirationtime",
"logindisabled",
#endif
+#ifdef HAVE_DIRSRV
+ "nsaccountlock",
+#endif
"krbLastPwdChange",
"krbLastAdminUnlock",
"krbExtraData",

53
krb5/patches/krb5-kvno-230379.patch Normal file
View File

@ -0,0 +1,53 @@
From patch attached to http://krbdev.mit.edu/rt/Ticket/Display.html?id=3349,
at http://krbdev.mit.edu/rt/Ticket/Attachment/23851/13214/kvno.diff, adjusted
as needed to apply to 1.10. FIXME: I'd like to better handle cases where we
have a new key with the right version stored later in the keytab file.
Currently, we're setting up to overlook that possibility.
Note that this only affects the path taken when krb5_rd_rep() is passed a
server principal name, as without a server principal name it already tries
all of the keys it finds in the keytab, regardless of version numbers.
Index: krb5/src/kadmin/ktutil/ktutil.c
===================================================================
--- krb5/src/kadmin/ktutil/ktutil.c (revision 3367)
+++ krb5/src/kadmin/ktutil/ktutil.c (working copy)
@@ -155,7 +155,7 @@
char *princ = NULL;
char *enctype = NULL;
krb5_kvno kvno = 0;
- int use_pass = 0, use_key = 0, i;
+ int use_pass = 0, use_key = 0, use_kvno = 0, i;
for (i = 1; i < argc; i++) {
if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-p", 2)) {
@@ -164,6 +164,7 @@
}
if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-k", 2)) {
kvno = (krb5_kvno) atoi(argv[++i]);
+ use_kvno++;
continue;
}
if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-e", 2)) {
@@ -180,7 +181,7 @@
}
}
- if (argc != 8 || !(princ && kvno && enctype) || (use_pass+use_key != 1)) {
+ if (argc != 8 || !(princ && use_kvno && enctype) || (use_pass+use_key != 1)) {
fprintf(stderr, _("usage: %s (-key | -password) -p principal "
"-k kvno -e enctype\n"), argv[0]);
return;
Index: krb5/src/lib/krb5/keytab/kt_file.c
===================================================================
--- krb5/src/lib/krb5/keytab/kt_file.c (revision 3367)
+++ krb5/src/lib/krb5/keytab/kt_file.c (working copy)
@@ -349,7 +349,7 @@
higher than that. Short-term workaround: only compare
the low 8 bits. */
- if (new_entry.vno == (kvno & 0xff)) {
+ if (new_entry.vno == (kvno & 0xff) || new_entry.vno == IGNORE_VNO) {
krb5_kt_free_entry(context, &cur_entry);
cur_entry = new_entry;
break;

55
krb5/patches/krb5-tex-pdf.sh Normal file
View File

@ -0,0 +1,55 @@
#!/bin/sh
# Based on Enrico's snippet for using pdflatex for building PDFs, except we're
# switching to pregenerating the docs for the SRPM so that we don't get
# different contents when we build on multiple build machines and architectures
# (timestamps and IDs change, and even some of the compressed content looks
# different). The filename and checksum are used to verify that the PDF always
# matches the doc which was used to generate it, and we flag an error if that
# isn't the case.
create() {
pushd "$1" > /dev/null
touch "$2".ind
pdflatex "$2"
test ! -e "$2".idx || makeindex ${3:+-s "$3".ist} "$2".idx
pdflatex "$2"
pdflatex "$2"
sum=`sha1sum "$2".tex | sed 's,[[:blank:]].*,,g'`
sed -ri \
-e 's|^/ID \[<.{32}> <.{32}>\]|/ID [<'"$1/$2"'> <'"$sum"'>]|g' \
"$2".pdf
popd > /dev/null
}
check() {
pushd "$1" > /dev/null
sum=`sha1sum "$2".tex | sed 's, .*,,g'`
id=`sed -rn -e '/^\/ID \[<[^>]*> <[^>]*>\]/p' "$2".pdf`
filename=`echo "$id" | sed -r 's|^.*\[<([^>]*)> <([^>]*)>\].*|\1|g'`
checksum=`echo "$id" | sed -r 's|^.*\[<([^>]*)> <([^>]*)>\].*|\2|g'`
echo $filename
echo $checksum $sum
popd > /dev/null
test "$filename" = "$1/$2" && test "$checksum" = "$sum"
}
mode=$1
case $mode in
create)
while read subdir doc style ; do
if ! create $subdir $doc $style ; then
exit 1
fi
done
;;
check)
while read subdir doc style ; do
if ! check $subdir $doc $style ; then
exit 1
fi
done
;;
esac
exit 0

301
krb5/patches/krb5-trunk-7046.patch Normal file
View File

@ -0,0 +1,301 @@
commit 9dc75551cb8cc4c03f7e0fe5e8a705ed678079f4
Author: ghudson <ghudson@dc483132-0cff-0310-8789-dd5450dbe970>
Date: Wed Dec 7 19:38:13 2011 +0000
ticket: 7046
subject: Allow S4U2Proxy delegated credentials to be saved
The initial implementation of client-side S4U2Proxy support did not
allow delegated proxy credentials to be stored (gss_store_cred would
error out, and gss_krb5_copy_ccache would generate a non-working
cache). To make this work, we save the impersonator name in a cache
config variable and in a cred structure field (replacing the
proxy_cred flag), and make the default principal of the proxy cache
the subject principal as the caller would expect for a regular
delegated cred.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25529 dc483132-0cff-0310-8789-dd5450dbe970
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 514e2ea..b25c159 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -273,7 +273,10 @@ typedef INT64_TYPE krb5_int64;
#define KRB5_CONF_V4_INSTANCE_CONVERT "v4_instance_convert"
#define KRB5_CONF_V4_REALM "v4_realm"
#define KRB5_CONF_ASTERISK "*"
+
+/* Cache configuration variables */
#define KRB5_CONF_FAST_AVAIL "fast_avail"
+#define KRB5_CONF_PROXY_IMPERSONATOR "proxy_impersonator"
/* Error codes used in KRB_ERROR protocol messages.
Return values of library routines are based on a different error table
diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c
index c815b35..c08e059 100644
--- a/src/lib/gssapi/krb5/acquire_cred.c
+++ b/src/lib/gssapi/krb5/acquire_cred.c
@@ -417,6 +417,34 @@ prep_ccache(krb5_context context, krb5_gss_cred_id_rec *cred,
return 0;
}
+/* If an impersonator config entry exists in ccache, set *impersonator_out to
+ * the parsed principal. Otherwise set *impersonator_out to NULL. */
+static krb5_error_code
+get_impersonator(krb5_context context, krb5_ccache ccache,
+ krb5_principal *impersonator_out)
+{
+ krb5_error_code code;
+ krb5_data data = empty_data(), data0 = empty_data();
+
+ *impersonator_out = NULL;
+
+ code = krb5_cc_get_config(context, ccache, NULL,
+ KRB5_CONF_PROXY_IMPERSONATOR, &data);
+ if (code)
+ return (code == KRB5_CC_NOTFOUND) ? 0 : code;
+
+ code = krb5int_copy_data_contents_add0(context, &data, &data0);
+ if (code)
+ goto cleanup;
+
+ code = krb5_parse_name(context, data0.data, impersonator_out);
+
+cleanup:
+ krb5_free_data_contents(context, &data);
+ krb5_free_data_contents(context, &data0);
+ return code;
+}
+
/* Check ccache and scan it for its expiry time. On success, cred takes
* ownership of ccache. */
static krb5_error_code
@@ -493,6 +521,10 @@ scan_ccache(krb5_context context, krb5_gss_cred_id_rec *cred,
goto cleanup;
}
+ code = get_impersonator(context, ccache, &cred->impersonator);
+ if (code)
+ goto cleanup;
+
(void)krb5_cc_set_flags(context, ccache, KRB5_TC_OPENCLOSE);
cred->ccache = ccache;
@@ -622,6 +654,7 @@ acquire_cred(OM_uint32 *minor_status,
cred->usage = args->cred_usage;
cred->name = NULL;
+ cred->impersonator = NULL;
cred->iakerb_mech = args->iakerb;
cred->default_identity = (name == NULL);
#ifndef LEAN_CLIENT
diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
index 016a2e6..6b7d530 100644
--- a/src/lib/gssapi/krb5/gssapiP_krb5.h
+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
@@ -172,7 +172,7 @@ typedef struct _krb5_gss_cred_id_rec {
/* name/type of credential */
gss_cred_usage_t usage;
krb5_gss_name_t name;
- unsigned int proxy_cred : 1;
+ krb5_principal impersonator;
unsigned int default_identity : 1;
unsigned int iakerb_mech : 1;
unsigned int destroy_ccache : 1;
diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c
index 1b8120c..d7b9ffa 100644
--- a/src/lib/gssapi/krb5/init_sec_context.c
+++ b/src/lib/gssapi/krb5/init_sec_context.c
@@ -129,7 +129,6 @@ static krb5_error_code get_credentials(context, cred, server, now,
krb5_error_code code;
krb5_creds in_creds, evidence_creds, *result_creds = NULL;
krb5_flags flags = 0;
- krb5_principal cc_princ = NULL;
*out_creds = NULL;
@@ -140,16 +139,13 @@ static krb5_error_code get_credentials(context, cred, server, now,
assert(cred->name != NULL);
- if ((code = krb5_cc_get_principal(context, cred->ccache, &cc_princ)))
- goto cleanup;
-
/*
* Do constrained delegation if we have proxy credentials and
* we're not trying to get a ticket to ourselves (in which case
* we can just use the S4U2Self or evidence ticket directly).
*/
- if (cred->proxy_cred &&
- !krb5_principal_compare(context, cc_princ, server->princ)) {
+ if (cred->impersonator &&
+ !krb5_principal_compare(context, cred->impersonator, server->princ)) {
krb5_creds mcreds;
flags |= KRB5_GC_CANONICALIZE |
@@ -159,20 +155,18 @@ static krb5_error_code get_credentials(context, cred, server, now,
memset(&mcreds, 0, sizeof(mcreds));
mcreds.magic = KV5M_CREDS;
- mcreds.times.endtime = cred->tgt_expire;
- mcreds.server = cc_princ;
+ mcreds.server = cred->impersonator;
mcreds.client = cred->name->princ;
code = krb5_cc_retrieve_cred(context, cred->ccache,
- KRB5_TC_MATCH_TIMES | KRB5_TC_MATCH_AUTHDATA,
- &mcreds,
+ KRB5_TC_MATCH_AUTHDATA, &mcreds,
&evidence_creds);
if (code)
goto cleanup;
assert(evidence_creds.ticket_flags & TKT_FLG_FORWARDABLE);
- in_creds.client = cc_princ;
+ in_creds.client = cred->impersonator;
in_creds.second_ticket = evidence_creds.ticket;
} else {
in_creds.client = cred->name->princ;
@@ -255,7 +249,6 @@ static krb5_error_code get_credentials(context, cred, server, now,
cleanup:
krb5_free_authdata(context, in_creds.authdata);
- krb5_free_principal(context, cc_princ);
krb5_free_cred_contents(context, &evidence_creds);
krb5_free_creds(context, result_creds);
diff --git a/src/lib/gssapi/krb5/rel_cred.c b/src/lib/gssapi/krb5/rel_cred.c
index 5b2ea2f..4fd3694 100644
--- a/src/lib/gssapi/krb5/rel_cred.c
+++ b/src/lib/gssapi/krb5/rel_cred.c
@@ -71,6 +71,8 @@ krb5_gss_release_cred(minor_status, cred_handle)
if (cred->name)
kg_release_name(context, &cred->name);
+ krb5_free_principal(context, cred->impersonator);
+
if (cred->req_enctypes)
free(cred->req_enctypes);
diff --git a/src/lib/gssapi/krb5/s4u_gss_glue.c b/src/lib/gssapi/krb5/s4u_gss_glue.c
index 4ac2ce3..4b37c5a 100644
--- a/src/lib/gssapi/krb5/s4u_gss_glue.c
+++ b/src/lib/gssapi/krb5/s4u_gss_glue.c
@@ -169,6 +169,39 @@ krb5_gss_acquire_cred_impersonate_name(OM_uint32 *minor_status,
}
+/*
+ * Set up cred to be an S4U2Proxy credential by copying in the impersonator's
+ * creds, setting a cache config variable with the impersonator principal name,
+ * and saving the impersonator principal name in the cred structure.
+ */
+static krb5_error_code
+make_proxy_cred(krb5_context context, krb5_gss_cred_id_t cred,
+ krb5_gss_cred_id_t impersonator_cred)
+{
+ krb5_error_code code;
+ krb5_data data;
+ char *str;
+
+ code = krb5_cc_copy_creds(context, impersonator_cred->ccache,
+ cred->ccache);
+ if (code)
+ return code;
+
+ code = krb5_unparse_name(context, impersonator_cred->name->princ, &str);
+ if (code)
+ return code;
+
+ data = string2data(str);
+ code = krb5_cc_set_config(context, cred->ccache, NULL,
+ KRB5_CONF_PROXY_IMPERSONATOR, &data);
+ krb5_free_unparsed_name(context, str);
+ if (code)
+ return code;
+
+ return krb5_copy_principal(context, impersonator_cred->name->princ,
+ &cred->impersonator);
+}
+
OM_uint32
kg_compose_deleg_cred(OM_uint32 *minor_status,
krb5_gss_cred_id_t impersonator_cred,
@@ -187,7 +220,7 @@ kg_compose_deleg_cred(OM_uint32 *minor_status,
if (!kg_is_initiator_cred(impersonator_cred) ||
impersonator_cred->name == NULL ||
- impersonator_cred->proxy_cred) {
+ impersonator_cred->impersonator != NULL) {
code = G_BAD_USAGE;
goto cleanup;
}
@@ -208,14 +241,7 @@ kg_compose_deleg_cred(OM_uint32 *minor_status,
if (code != 0)
goto cleanup;
- /*
- * Only return a "proxy" credential for use with constrained
- * delegation if the subject credentials are forwardable.
- * Submitting non-forwardable credentials to the KDC for use
- * with constrained delegation will only return an error.
- */
cred->usage = GSS_C_INITIATE;
- cred->proxy_cred = !!(subject_creds->ticket_flags & TKT_FLG_FORWARDABLE);
cred->tgt_expire = subject_creds->times.endtime;
@@ -229,16 +255,18 @@ kg_compose_deleg_cred(OM_uint32 *minor_status,
goto cleanup;
cred->destroy_ccache = 1;
- code = krb5_cc_initialize(context, cred->ccache,
- cred->proxy_cred ? impersonator_cred->name->princ :
- subject_creds->client);
+ code = krb5_cc_initialize(context, cred->ccache, subject_creds->client);
if (code != 0)
goto cleanup;
- if (cred->proxy_cred) {
- /* Impersonator's TGT will be necessary for S4U2Proxy */
- code = krb5_cc_copy_creds(context, impersonator_cred->ccache,
- cred->ccache);
+ /*
+ * Only return a "proxy" credential for use with constrained
+ * delegation if the subject credentials are forwardable.
+ * Submitting non-forwardable credentials to the KDC for use
+ * with constrained delegation will only return an error.
+ */
+ if (subject_creds->ticket_flags & TKT_FLG_FORWARDABLE) {
+ code = make_proxy_cred(context, cred, impersonator_cred);
if (code != 0)
goto cleanup;
}
diff --git a/src/lib/gssapi/krb5/store_cred.c b/src/lib/gssapi/krb5/store_cred.c
index bff3cde..d587589 100644
--- a/src/lib/gssapi/krb5/store_cred.c
+++ b/src/lib/gssapi/krb5/store_cred.c
@@ -91,7 +91,7 @@ copy_initiator_creds(OM_uint32 *minor_status,
kcred = (krb5_gss_cred_id_t)input_cred_handle;
- if (kcred->ccache == NULL || kcred->proxy_cred) {
+ if (kcred->ccache == NULL) {
*minor_status = KG_CCACHE_NOMATCH;
major_status = GSS_S_DEFECTIVE_CREDENTIAL;
goto cleanup;
diff --git a/src/lib/gssapi/krb5/val_cred.c b/src/lib/gssapi/krb5/val_cred.c
index e87f249..46a9ae1 100644
--- a/src/lib/gssapi/krb5/val_cred.c
+++ b/src/lib/gssapi/krb5/val_cred.c
@@ -50,8 +50,7 @@ krb5_gss_validate_cred_1(OM_uint32 *minor_status, gss_cred_id_t cred_handle,
*minor_status = code;
return(GSS_S_DEFECTIVE_CREDENTIAL);
}
- if (!cred->proxy_cred &&
- !krb5_principal_compare(context, princ, cred->name->princ)) {
+ if (!krb5_principal_compare(context, princ, cred->name->princ)) {
k5_mutex_unlock(&cred->lock);
*minor_status = KG_CCACHE_NOMATCH;
return(GSS_S_DEFECTIVE_CREDENTIAL);

28
krb5/patches/krb5-trunk-7047.patch Normal file
View File

@ -0,0 +1,28 @@
commit 59a8a0861d5aacd4e985ad4dc4d46a11c2ebc136
Author: ghudson <ghudson@dc483132-0cff-0310-8789-dd5450dbe970>
Date: Wed Dec 7 19:38:22 2011 +0000
ticket: 7047
subject: Allow S4U2Proxy service tickets to be cached
Previous to this change, the GSS code avoids caching S4U2Proxy results
for fear of the memory cache growing without bound, but that seems
unlikely to be a serious problem. Allow these to be cached.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25530 dc483132-0cff-0310-8789-dd5450dbe970
diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c
index d7b9ffa..07baefa 100644
--- a/src/lib/gssapi/krb5/init_sec_context.c
+++ b/src/lib/gssapi/krb5/init_sec_context.c
@@ -148,9 +148,7 @@ static krb5_error_code get_credentials(context, cred, server, now,
!krb5_principal_compare(context, cred->impersonator, server->princ)) {
krb5_creds mcreds;
- flags |= KRB5_GC_CANONICALIZE |
- KRB5_GC_NO_STORE |
- KRB5_GC_CONSTRAINED_DELEGATION;
+ flags |= KRB5_GC_CANONICALIZE | KRB5_GC_CONSTRAINED_DELEGATION;
memset(&mcreds, 0, sizeof(mcreds));

78
krb5/patches/krb5-trunk-7048.patch Normal file
View File

@ -0,0 +1,78 @@
commit 1c2f5144de0f15f7d9c8659a71adc10c2755b57e
Author: ghudson <ghudson@dc483132-0cff-0310-8789-dd5450dbe970>
Date: Wed Dec 7 19:38:32 2011 +0000
ticket: 7048
subject: Allow null server key to krb5_pac_verify
When the KDC verifies a PAC, it doesn't really need to check the
server signature, since it can't trust that anyway. Allow the caller
to pass only a TGT key.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25532 dc483132-0cff-0310-8789-dd5450dbe970
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index f3d0225..83c2dc7 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -7506,13 +7506,13 @@ krb5_pac_parse(krb5_context context, const void *ptr, size_t len,
* @param [in] pac PAC handle
* @param [in] authtime Expected timestamp
* @param [in] principal Expected principal name (or NULL)
- * @param [in] server Key to validate server checksum
+ * @param [in] server Key to validate server checksum (or NULL)
* @param [in] privsvr Key to validate KDC checksum (or NULL)
*
* This function validates @a pac against the supplied @a server, @a privsvr,
* @a principal and @a authtime. If @a principal is NULL, the principal and
- * authtime are not verified. If @a privsvr is NULL, the KDC checksum is not
- * verified.
+ * authtime are not verified. If @a server or @a privsvr is NULL, the
+ * corresponding checksum is not verified.
*
* If successful, @a pac is marked as verified.
*
diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
index f173b04..23aa930 100644
--- a/src/lib/krb5/krb/pac.c
+++ b/src/lib/krb5/krb/pac.c
@@ -637,9 +637,11 @@ krb5_pac_verify(krb5_context context,
if (server == NULL)
return EINVAL;
- ret = k5_pac_verify_server_checksum(context, pac, server);
- if (ret != 0)
- return ret;
+ if (server != NULL) {
+ ret = k5_pac_verify_server_checksum(context, pac, server);
+ if (ret != 0)
+ return ret;
+ }
if (privsvr != NULL) {
ret = k5_pac_verify_kdc_checksum(context, pac, privsvr);
commit e31486a84380647e49ba6199a3e10ac739fa1a45
Author: ghudson <ghudson@dc483132-0cff-0310-8789-dd5450dbe970>
Date: Thu Dec 8 04:21:23 2011 +0000
ticket: 7048
Actually allow null server key in krb5_pac_verify
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25534 dc483132-0cff-0310-8789-dd5450dbe970
diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
index 23aa930..3262d21 100644
--- a/src/lib/krb5/krb/pac.c
+++ b/src/lib/krb5/krb/pac.c
@@ -634,9 +634,6 @@ krb5_pac_verify(krb5_context context,
{
krb5_error_code ret;
- if (server == NULL)
- return EINVAL;
-
if (server != NULL) {
ret = k5_pac_verify_server_checksum(context, pac, server);
if (ret != 0)

40
krb5/patches/krb5-trunk-pkinit-anchorsign.patch Normal file
View File

@ -0,0 +1,40 @@
commit db83abc7dcfe369bd4467c78eebb7028ba0c0e0d
Author: Greg Hudson <ghudson@mit.edu>
Date: Thu Jun 21 17:20:29 2012 -0400
Handle PKINIT DH replies with no certs
If a PKINIT Diffie-Hellman reply contains no certificates in the
SignedData object, that may be because the signer certificate was a
trust anchor as transmitted to the KDC. Heimdal's KDC, for instance,
filters client trust anchors out of the returned set of certificates.
Match against idctx->trustedCAs and idctx->intermediateCAs to handle
this case. This fix only works with OpenSSL 1.0 or later; when built
against OpenSSL 0.9.x, the client will still require a cert in the
reply.
Code changes suggested by nalin@redhat.com.
ticket: 7183
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index 0136d4f..7120ecf 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -1398,8 +1398,15 @@ cms_signeddata_verify(krb5_context context,
X509_STORE_set_verify_cb_func(store, openssl_callback_ignore_crls);
X509_STORE_set_flags(store, vflags);
- /* get the signer's information from the CMS message */
+ /*
+ * Get the signer's information from the CMS message. Match signer ID
+ * against anchors and intermediate CAs in case no certs are present in the
+ * SignedData. If we start sending kdcPkId values in requests, we'll need
+ * to match against the source of that information too.
+ */
CMS_set1_signers_certs(cms, NULL, 0);
+ CMS_set1_signers_certs(cms, idctx->trustedCAs, CMS_NOINTERN);
+ CMS_set1_signers_certs(cms, idctx->intermediateCAs, CMS_NOINTERN);
if (((si_sk = CMS_get0_SignerInfos(cms)) == NULL) ||
((si = sk_CMS_SignerInfo_value(si_sk, 0)) == NULL)) {
/* Not actually signed; anonymous case */

14
krb5/systemd/kadmin.service Normal file
View File

@ -0,0 +1,14 @@
[Unit]
Description=Kerberos 5 Password-changing and Administration
After=syslog.target network.target
ConditionPathExists=!/var/kerberos/krb5kdc/kpropd.acl
[Service]
Type=forking
PIDFile=/var/run/kadmind.pid
EnvironmentFile=-/etc/sysconfig/kadmin
ExecStart=/usr/sbin/kadmind -P /var/run/kadmind.pid $KADMIND_ARGS
ExecReload=/bin/kill -HUP $MAINPID
[Install]
WantedBy=multi-user.target

11
krb5/systemd/kprop.service Normal file
View File

@ -0,0 +1,11 @@
[Unit]
Description=Kerberos 5 Propagation
After=syslog.target network.target
ConditionPathExists=/var/kerberos/krb5kdc/kpropd.acl
[Service]
Type=forking
ExecStart=/usr/sbin/kpropd -S
[Install]
WantedBy=multi-user.target

13
krb5/systemd/krb5kdc.service Normal file
View File

@ -0,0 +1,13 @@
[Unit]
Description=Kerberos 5 KDC
After=syslog.target network.target
[Service]
Type=forking
PIDFile=/var/run/krb5kdc.pid
EnvironmentFile=-/etc/sysconfig/krb5kdc
ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid $KRB5KDC_ARGS
ExecReload=/bin/kill -HUP $MAINPID
[Install]
WantedBy=multi-user.target