diff --git a/krb5-1.7-buildconf.patch b/krb5-1.7-buildconf.patch index 0319e50..296ead2 100644 --- a/krb5-1.7-buildconf.patch +++ b/krb5-1.7-buildconf.patch @@ -1,6 +1,7 @@ -Build binaries in this package as PIEs, install shared libraries with the -execute bit set on them, and prune out the -L/usr/lib* and PIE flags where they -might leak out and affect apps which want to link with the libraries. +Build binaries in this package as PIEs and install shared libraries with the +execute bit set on them. Prune out the -L/usr/lib*, PIE flags, and CFLAGS +where they might leak out and affect apps which just want to link with the +libraries (RT#TBD). diff -up krb5-1.7/src/config/shlib.conf krb5-1.7/src/config/shlib.conf --- krb5-1.7/src/config/shlib.conf 2008-12-08 17:33:07.000000000 -0500 @@ -17,9 +18,12 @@ diff -up krb5-1.7/src/config/shlib.conf krb5-1.7/src/config/shlib.conf diff -up krb5-1.7/src/krb5-config.in krb5-1.7/src/krb5-config.in --- krb5-1.7/src/krb5-config.in 2009-06-04 14:01:28.000000000 -0400 +++ krb5-1.7/src/krb5-config.in 2009-06-04 14:01:28.000000000 -0400 -@@ -189,6 +189,11 @@ if test -n "$do_libs"; then +@@ -187,8 +187,13 @@ if test -n "$do_libs"; then + -e 's#\$(RPATH_FLAG)#'"$RPATH_FLAG"'#' \ + -e 's#\$(LDFLAGS)#'"$LDFLAGS"'#' \ -e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \ - -e 's#\$(CFLAGS)#'"$CFLAGS"'#'` +- -e 's#\$(CFLAGS)#'"$CFLAGS"'#'` ++ -e 's#\$(CFLAGS)##'` + if test `dirname $libdir` = /usr ; then + lib_flags=`echo $lib_flags | sed -e "s#-L$libdir##" -e "s#$RPATH_FLAG$libdir##"` diff --git a/krb5-1.7-pam.patch b/krb5-1.7-pam.patch index 8c8adee..6e5a6f7 100644 --- a/krb5-1.7-pam.patch +++ b/krb5-1.7-pam.patch 
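Review bot: The rewritten description in the buildconf.patch hunk ends with `(RT#TBD)`, a placeholder ticket reference that will ship in the package as-is; either fill in the real ticket or drop the parenthetical, e.g. end the sentence at `libraries.` (the krb5.spec changelog in this same commit attributes the krb5-config change to #544391, if that is the intended reference). The krb5-config.in change itself, `-e 's#\$(CFLAGS)##'`, deletes the `$(CFLAGS)` token from the --libs output, which matches the stated intent; the enclosing `if test -n "$do_libs"` block continues past the hunk.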
@@ -1092,45 +1092,61 @@ diff -up krb5-1.7/src/clients/ksu/main.c krb5-1.7/src/clients/ksu/main.c #include "ksu.h" #include "adm_proto.h" #include -@@ -32,6 +33,11 @@ +@@ -32,6 +33,10 @@ #include #include +#ifdef USE_PAM +#include "../../appl/bsd/pam.h" -+int force_fork = 0; +#endif + /* globals */ char * prog_name; int auth_debug =0; -@@ -791,7 +797,24 @@ main (argc, argv) - fprintf(stderr, "program to be execed %s\n",params[0]); - } - -- if( keep_target_cache ) { +@@ -39,6 +44,7 @@ + char k5users_path[MAXPATHLEN]; + char * gb_err = NULL; + int quiet = 0; ++int force_fork = 0; + /***********/ + + #define _DEF_CSH "/bin/csh" +@@ -585,6 +591,25 @@ + prog_name,target_user,client_name, + source_user,ontty()); + +#ifdef USE_PAM -+ if (appl_pam_enabled(ksu_context, "ksu")) { -+ if (appl_pam_acct_mgmt(KSU_PAM_SERVICE, 1, target_user, NULL, -+ NULL, source_user, ttyname(STDERR_FILENO)) != 0) { -+ fprintf(stderr, "Access denied for %s.\n", target_user); -+ sweep_up(ksu_context, cc_target); -+ exit(1); -+ } -+ if (appl_pam_requires_chauthtok()) { -+ fprintf(stderr, "Password change required for %s.\n", target_user); -+ sweep_up(ksu_context, cc_target); -+ exit(1); ++ if (appl_pam_enabled(ksu_context, "ksu")) { ++ if (appl_pam_acct_mgmt(KSU_PAM_SERVICE, 1, target_user, NULL, ++ NULL, source_user, ++ ttyname(STDERR_FILENO)) != 0) { ++ fprintf(stderr, "Access denied for %s.\n", target_user); ++ sweep_up(ksu_context, cc_target); ++ exit(1); ++ } ++ if (appl_pam_requires_chauthtok()) { ++ fprintf(stderr, "Password change required for %s.\n", ++ target_user); ++ sweep_up(ksu_context, cc_target); ++ exit(1); ++ } ++ force_fork++; + } -+ force_fork++; -+ } +#endif + + /* Run authorization as target.*/ + if (krb5_seteuid(target_uid)) { + com_err(prog_name, errno, "while switching to target for authorization check"); +@@ -791,7 +816,7 @@ + fprintf(stderr, "program to be execed %s\n",params[0]); + } + +- if( keep_target_cache ) { + if( keep_target_cache && !force_fork ) { 
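Review bot: The PAM account-management block moved to line 591 of ksu/main.c now runs before `krb5_seteuid(target_uid)`, i.e. while ksu still holds its setuid privileges, and nothing in the code says why; a comment such as `/* Account checks must run before switching to the target uid, as su does (#540769). */` above the `#ifdef USE_PAM` would keep a later cleanup from moving it back. `ttyname(STDERR_FILENO)` returns NULL when stderr is not a terminal, and whether appl_pam_acct_mgmt accepts a NULL tty argument is outside this hunk — either confirm it or pass a guarded value. The new failure paths call `sweep_up(ksu_context, cc_target)` earlier than the existing ones; that mirrors the later error handling, but confirm cc_target is already populated at the new location. main begins before and ends after this hunk.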
execv(params[0], params); com_err(prog_name, errno, "while trying to execv %s", params[0]); -@@ -799,6 +822,33 @@ main (argc, argv) +@@ -799,6 +824,33 @@ exit(1); }else{ statusp = 1; @@ -1164,7 +1180,7 @@ diff -up krb5-1.7/src/clients/ksu/main.c krb5-1.7/src/clients/ksu/main.c switch ((child_pid = fork())) { default: if (auth_debug){ -@@ -822,15 +872,34 @@ main (argc, argv) +@@ -822,15 +874,34 @@ if (ret_pid == -1) { com_err(prog_name, errno, "while calling waitpid"); } diff --git a/krb5-1.7-selinux-label.patch b/krb5-1.7-selinux-label.patch index 9b328ad..106af6d 100644 --- a/krb5-1.7-selinux-label.patch +++ b/krb5-1.7-selinux-label.patch @@ -42,7 +42,7 @@ diff -up krb5-1.7/src/aclocal.m4 krb5-1.7/src/aclocal.m4 KRB5_LIB_PARAMS KRB5_AC_INITFINI KRB5_AC_ENABLE_THREADS -@@ -1876,3 +1877,51 @@ AC_SUBST(PAM_LIBS) +@@ -1876,3 +1877,53 @@ AC_SUBST(PAM_LIBS) AC_SUBST(manlibexecdir) AC_CONFIG_FILES($1) ]) @@ -56,7 +56,7 @@ diff -up krb5-1.7/src/aclocal.m4 krb5-1.7/src/aclocal.m4 +if test "$withselinux" != no ; then + AC_MSG_RESULT([checking for libselinux...]) + SELINUX_LIBS= -+ AC_CHECK_HEADERS(selinux/selinux.h) ++ AC_CHECK_HEADERS(selinux/selinux.h selinux/label.h) + if test "x$ac_cv_header_selinux_selinux_h" != xyes ; then + if test "$withselinux" = auto ; then + AC_MSG_RESULT([Unable to locate selinux/selinux.h.]) @@ -68,11 +68,13 @@ diff -up krb5-1.7/src/aclocal.m4 krb5-1.7/src/aclocal.m4 + + LIBS= + unset ac_cv_func_setfscreatecon -+ AC_CHECK_FUNCS(setfscreatecon) ++ AC_CHECK_FUNCS(setfscreatecon selabel_open) + if test "x$ac_cv_func_setfscreatecon" = xno ; then + AC_CHECK_LIB(selinux,setfscreatecon) ++ AC_CHECK_LIB(selinux,selabel_open) + unset ac_cv_func_setfscreatecon -+ AC_CHECK_FUNCS(setfscreatecon) ++ unset ac_cv_func_selabel_open ++ AC_CHECK_FUNCS(setfscreatecon selabel_open) + if test "x$ac_cv_func_setfscreatecon" = xyes ; then + SELINUX_LIBS="$LIBS" + else 
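Review bot: In the aclocal.m4 hunk the new `AC_CHECK_FUNCS(setfscreatecon selabel_open)` defines HAVE_SELABEL_OPEN, but the selinux.c hunks later in this diff (the `#include` guard and both halves of push_fscreatecon) select the selabel_open() path with `#ifdef HAVE_SELINUX_LABEL_H` alone, so a libselinux whose header is present but whose library lacks the function would fail at link time rather than fall back to matchpathcon; gating the C side on `#if defined(HAVE_SELINUX_LABEL_H) && defined(HAVE_SELABEL_OPEN)` ties the two together. The added `AC_CHECK_LIB(selinux,selabel_open)` also uses the default action, which prepends -lselinux to LIBS a second time when both checks succeed; an explicit action-if-found, or a single AC_CHECK_LIB, avoids the duplicate. The branch that finally sets SELINUX_LIBS tests only ac_cv_func_setfscreatecon and continues past this hunk.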
@@ -162,17 +164,20 @@ diff -up krb5-1.7/src/configure.in krb5-1.7/src/configure.in diff -up krb5-1.7/src/include/autoconf.h.in krb5-1.7/src/include/autoconf.h.in --- krb5-1.7/src/include/autoconf.h.in 2009-06-01 20:58:35.000000000 -0400 +++ krb5-1.7/src/include/autoconf.h.in 2009-06-04 13:47:20.000000000 -0400 -@@ -389,6 +389,9 @@ +@@ -389,6 +389,12 @@ /* Define to 1 if you have the `sched_yield' function. */ #undef HAVE_SCHED_YIELD ++/* Define to 1 if you have the header file. */ ++#undef HAVE_SELINUX_LABEL_H ++ +/* Define to 1 if you have the header file. */ +#undef HAVE_SELINUX_SELINUX_H + /* Define to 1 if you have the header file. */ #undef HAVE_SEMAPHORE_H -@@ -401,6 +404,9 @@ +@@ -401,6 +407,9 @@ /* Define to 1 if you have the `setegid' function. */ #undef HAVE_SETEGID @@ -182,7 +187,7 @@ diff -up krb5-1.7/src/include/autoconf.h.in krb5-1.7/src/include/autoconf.h.in /* Define to 1 if you have the `setenv' function. */ #undef HAVE_SETENV -@@ -768,6 +774,10 @@ +@@ -768,6 +777,10 @@ /* Define if the KDC should use a replay cache */ #undef USE_RCACHE @@ -536,7 +541,7 @@ diff -up krb5-1.7/src/util/support/Makefile.in krb5-1.7/src/util/support/Makefil diff -up /dev/null krb5-1.7/src/util/support/selinux.c --- /dev/null 2009-06-04 10:34:55.169007373 -0400 +++ krb5-1.7/src/util/support/selinux.c 2009-06-04 13:47:20.000000000 -0400 -@@ -0,0 +1,300 @@ +@@ -0,0 +1,346 @@ +/* + * Copyright 2007,2008,2009 Red Hat, Inc. All Rights Reserved. + * @@ -588,7 +593,10 @@ diff -up /dev/null krb5-1.7/src/util/support/selinux.c +#include +#include +#include ++#include ++#ifdef HAVE_SELINUX_LABEL_H +#include ++#endif + +/* #define DEBUG 1 */ + 
@@ -606,9 +614,12 @@ diff -up /dev/null krb5-1.7/src/util/support/selinux.c +static security_context_t +push_fscreatecon(const char *pathname, mode_t mode) +{ -+ security_context_t previous, next; ++ security_context_t previous, configuredsc, currentsc, derivedsc; ++ context_t current, derived; ++ const char *fullpath, *currentuser; ++#ifdef HAVE_SELINUX_LABEL_H + struct selabel_handle *ctx; -+ const char *fullpath; ++#endif + + previous = NULL; + if (is_selinux_enabled()) { @@ -641,16 +652,17 @@ diff -up /dev/null krb5-1.7/src/util/support/selinux.c + } else { + fullpath = pathname; + } -+ next = NULL; +#ifdef DEBUG + if (isatty(fileno(stderr))) { + fprintf(stderr, "Looking up context for " + "\"%s\"(%05o).\n", fullpath, mode); + } +#endif ++ configuredsc = NULL; ++#ifdef HAVE_SELINUX_LABEL_H + ctx = selabel_open(SELABEL_CTX_FILE, NULL, 0); + if (ctx != NULL) { -+ if (selabel_lookup(ctx, &next, ++ if (selabel_lookup(ctx, &configuredsc, + fullpath, mode) != 0) { + selabel_close(ctx); + free(genpath); 
@@ -661,21 +673,60 @@ diff -up /dev/null krb5-1.7/src/util/support/selinux.c + } + selabel_close(ctx); + } ++#else ++ if (matchpathcon(fullpath, mode, &configuredsc) != 0) { ++ free(genpath); ++ if (previous != NULL) { ++ freecon(previous); ++ } ++ return NULL; ++ } ++#endif + free(genpath); ++ if (configuredsc == NULL) { ++ if (previous != NULL) { ++ freecon(previous); ++ } ++ return NULL; ++ } ++ currentsc = NULL; ++ getcon(¤tsc); ++ if (currentsc != NULL) { ++ derived = context_new(configuredsc); ++ if (derived != NULL) { ++ current = context_new(currentsc); ++ if (current != NULL) { ++ currentuser = context_user_get(current); ++ if (currentuser != NULL) { ++ if (context_user_set(derived, ++ currentuser) == 0) { ++ derivedsc = context_str(derived); ++ if (derivedsc != NULL) { ++ freecon(configuredsc); ++ configuredsc = strdup(derivedsc); ++ } ++ } ++ } ++ context_free(current); ++ } ++ context_free(derived); ++ } ++ freecon(currentsc); ++ } +#ifdef DEBUG + if (isatty(fileno(stderr))) { + fprintf(stderr, "Setting file creation context " -+ "to \"%s\".\n", next); ++ "to \"%s\".\n", configured); + } +#endif -+ if (setfscreatecon(next) != 0) { -+ freecon(next); ++ if (setfscreatecon(configuredsc) != 0) { ++ freecon(configuredsc); + if (previous != NULL) { + freecon(previous); + } + return NULL; + } -+ freecon(next); ++ freecon(configuredsc); +#ifdef DEBUG + } else { + if (isatty(fileno(stderr))) { diff --git a/krb5-1.7-spnego-deleg.patch b/krb5-1.7-spnego-deleg.patch new file mode 100644 index 0000000..737f897 --- /dev/null +++ b/krb5-1.7-spnego-deleg.patch 
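Review bot: The DEBUG-only fprintf in this hunk prints `configured`, which is not a declared variable (the declarations earlier in push_fscreatecon name it `configuredsc`), so a -DDEBUG build of selinux.c no longer compiles; the line should read `"to \"%s\".\n", configuredsc);`. Separately, `configuredsc = strdup(derivedsc);` is unchecked: the configured label has already been released by the preceding freecon(), so on allocation failure configuredsc becomes NULL and the following `setfscreatecon(configuredsc)` resets the file-creation context to the policy default instead of taking the error path. Copying into a temporary first keeps the configured label as the fallback: `security_context_t copy = strdup(derivedsc); if (copy != NULL) { freecon(configuredsc); configuredsc = copy; }`. `derivedsc` holds the string owned by `derived` (context_str) yet is declared security_context_t; `const char *derivedsc` would document that it is borrowed and must not be freed. push_fscreatecon begins before and ends after this hunk.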
@@ -0,0 +1,60 @@
+Punt a set_cred_option() call down to the mechanism for the first
+credential that we have whose mechanism implements a set_cred_option()
+method. It's not the complete set of changes from 1.7 to trunk, but
+it should be enough to make gss_krb5_copy_ccache() work. RT#6594
+
+Index: src/lib/gssapi/spnego/gssapiP_spnego.h
+===================================================================
+--- src/lib/gssapi/spnego/gssapiP_spnego.h (revision 23481)
++++ src/lib/gssapi/spnego/gssapiP_spnego.h (revision 23482)
+@@ -352,6 +352,15 @@
+ );
+
+ OM_uint32
++spnego_gss_set_cred_option
++(
++ OM_uint32 *minor_status,
++ gss_cred_id_t cred_handle,
++ const gss_OID desired_object,
++ const gss_buffer_t value
++);
++
++OM_uint32
+ spnego_gss_set_sec_context_option
+ (
+ OM_uint32 *minor_status,
+Index: src/lib/gssapi/spnego/spnego_mech.c
+===================================================================
+--- src/lib/gssapi/spnego/spnego_mech.c
++++ src/lib/gssapi/spnego/spnego_mech.c (revision 23482)
+@@ -250,7 +250,7 @@
+ spnego_gss_inquire_sec_context_by_oid, /* gss_inquire_sec_context_by_oid */
+ NULL, /* gss_inquire_cred_by_oid */
+ spnego_gss_set_sec_context_option, /* gss_set_sec_context_option */
+- NULL, /* gssspi_set_cred_option */
++ spnego_gss_set_cred_option, /* gssspi_set_cred_option */
+ NULL, /* gssspi_mech_invoke */
+ spnego_gss_wrap_aead,
+ spnego_gss_unwrap_aead,
+@@ -2187,6 +2187,21 @@
+ }
+
+ OM_uint32
++spnego_gss_set_cred_option(
++ OM_uint32 *minor_status,
++ gss_cred_id_t cred_handle,
++ const gss_OID desired_object,
++ const gss_buffer_t value)
++{
++ OM_uint32 ret;
++ ret = gssspi_set_cred_option(minor_status,
++ cred_handle,
++ desired_object,
++ value);
++ return (ret);
++}
++
++OM_uint32
+ spnego_gss_set_sec_context_option(
+ OM_uint32 *minor_status,
+ gss_ctx_id_t *context_handle,
diff --git a/krb5.spec b/krb5.spec
index 32637e5..1dc7c14 100644
--- a/krb5.spec
+++ b/krb5.spec
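Review bot: The new spnego_gss_set_cred_option in spnego_mech.c hands `cred_handle` straight to the mechglue's gssspi_set_cred_option, which presumes that the credential handle SPNEGO gives out is itself a mechglue union credential — nothing in the hunk states that, and the patch description's "first credential whose mechanism implements set_cred_option()" selection is then done by the mechglue rather than here. A one-line comment above the call, e.g. `/* SPNEGO creds are mechglue union creds; let the mechglue pick the mechanism. */`, would record the assumption where a reader will look for it. As a matter of style the `ret` temporary and parenthesized return add nothing; `return gssspi_set_cred_option(minor_status, cred_handle, desired_object, value);` says the same in one statement.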
@@ -10,7 +10,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.7 -Release: 10%{?dist} +Release: 14%{?dist} # Maybe we should explode from the now-available-to-everybody tarball instead? # http://web.mit.edu/kerberos/dist/krb5/1.7/krb5-1.7-signed.tar Source0: krb5-%{version}.tar.gz @@ -79,13 +79,16 @@ Patch87: krb5-1.7-errs.patch Patch88: krb5-1.7-sizeof.patch Patch89: krb5-1.7-largefile.patch Patch90: krb5-1.7-openssl-1.0.patch +Patch91: krb5-1.7-spnego-deleg.patch License: MIT URL: http://web.mit.edu/kerberos/www/ Group: System Environment/Libraries BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: autoconf, bison, flex, gawk +%if 0%{?fedora} >= 12 BuildRequires: libcom_err-devel, libss-devel +%endif BuildRequires: gzip, ncurses-devel, rsh, texinfo, texinfo-tex, tar BuildRequires: tetex-latex BuildRequires: keyutils-libs-devel @@ -107,7 +110,10 @@ practice of cleartext passwords. %package devel Summary: Development files needed to compile Kerberos 5 programs Group: Development/Libraries -Requires: %{name}-libs = %{version}-%{release}, libcom_err-devel +Requires: %{name}-libs = %{version}-%{release} +%if 0%{?fedora} >= 12 +Requires: libcom_err-devel +%endif Requires: keyutils-libs-devel, libselinux-devel %description devel 
@@ -210,11 +216,42 @@ to obtain initial credentials from a KDC using a private key and a certificate. %changelog +* Mon Dec 21 2009 Nalin Dahyabhai - 1.7-14 +- refresh patch for #542868 from trunk + +* Thu Dec 10 2009 Nalin Dahyabhai +- move man pages that live in the -libs subpackage into the regular + %%{_mandir} tree where they'll still be found if that package is the + only one installed (#529319) + +* Wed Dec 9 2009 Nalin Dahyabhai - 1.7-13 +- and put it back in + +* Tue Dec 8 2009 Nalin Dahyabhai +- back that last change out + +* Tue Dec 8 2009 Nalin Dahyabhai - 1.7-12 +- try to make gss_krb5_copy_ccache() work correctly for spnego (#542868) + +* Fri Dec 4 2009 Nalin Dahyabhai +- make krb5-config suppress CFLAGS output when called with --libs (#544391) + +* Thu Dec 3 2009 Nalin Dahyabhai - 1.7-11 +- ksu: move account management checks to before we drop privileges, like + su does (#540769) +- selinux: set the user part of file creation contexts to match the current + context instead of what we looked up +- configure with --enable-dns-for-realm instead of --enable-dns, which isn't + recognized any more + * Fri Nov 20 2009 Nalin Dahyabhai - 1.7-10 - move /etc/pam.d/ksu from krb5-workstation-servers to krb5-workstation, where it's actually needed (#538703) -* Tue Oct 13 2009 Nalin Dahyabhai - 1.7-9 +* Fri Oct 23 2009 Nalin Dahyabhai - 1.7-9 +- add some conditional logic to simplify building on older Fedora releases + +* Tue Oct 13 2009 Nalin Dahyabhai - don't forget the README * Mon Sep 14 2009 Nalin Dahyabhai - 1.7-8 @@ -1482,6 +1519,7 @@ popd %patch88 -p1 -b .sizeof %patch89 -p1 -b .largefile %patch90 -p0 -b .openssl-1.0 +%patch91 -p0 -b .spnego-deleg gzip doc/*.ps sed -i -e '1s!\[twoside\]!!;s!%\(\\usepackage{hyperref}\)!\1!' doc/api/library.tex 
@@ -1541,7 +1579,11 @@ CPPFLAGS="`echo $DEFINES $INCLUDES`" CC="%{__cc}" \ CFLAGS="$CFLAGS" \ CPPFLAGS="$CPPFLAGS" \ +%if 0%{?fedora} >= 7 SS_LIB="-lss -ltinfo" \ +%else + SS_LIB="-lss -lncurses" \ +%endif --enable-shared \ --bindir=%{krb5prefix}/bin \ --mandir=%{krb5prefix}/man \ @@ -1553,7 +1595,7 @@ CPPFLAGS="`echo $DEFINES $INCLUDES`" --with-system-ss \ --with-netlib=-lresolv \ --without-tcl \ - --enable-dns \ + --enable-dns-for-realm \ %if %{WITH_LDAP} %if %{WITH_DIRSRV} --with-dirsrv \ @@ -1656,6 +1698,13 @@ for library in libgssapi_krb5 libgssrpc libk5crypto libkrb5 libkrb5support ; do popd done +# Move man pages which will be in the -libs subpackage into %%{_mandir}'s tree. +for man in man1/tmac.doc man1/kerberos.1 man5/.k5login.5 man5/krb5.conf.5 ; do + mkdir -p $RPM_BUILD_ROOT/%{_mandir}/${man%%/*} + mv $RPM_BUILD_ROOT/%{krb5prefix}/man/${man} \ + $RPM_BUILD_ROOT/%{_mandir}/${man%%/*}/ +done + %clean [ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT @@ -1953,14 +2002,10 @@ exit 0 %doc README %docdir %{krb5prefix}/man %verify(not md5 size mtime) %config(noreplace) /etc/krb5.conf -%dir %{krb5prefix} -%dir %{krb5prefix}/man -%dir %{krb5prefix}/man/man1 -%dir %{krb5prefix}/man/man5 -%{krb5prefix}/man/man1/tmac.doc* -%{krb5prefix}/man/man1/kerberos.1* -%{krb5prefix}/man/man5/.k5login.5* -%{krb5prefix}/man/man5/krb5.conf.5* +/%{_mandir}/man1/tmac.doc* +/%{_mandir}/man1/kerberos.1* +/%{_mandir}/man5/.k5login.5* +/%{_mandir}/man5/krb5.conf.5* /%{_lib}/libgssapi_krb5.so.* /%{_lib}/libgssrpc.so.* /%{_lib}/libk5crypto.so.*
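Review bot: The swap from `--enable-dns` to `--enable-dns-for-realm` in the configure hunk keeps DNS-based realm mapping on by default, and the spec carries no explanation of why that default is preserved; since that flag changes the compiled-in default of `dns_lookup_realm`, which maps hostnames to realms through unauthenticated DNS TXT records, a spec comment above the flag would help, e.g. `# --enable-dns is no longer recognized; --enable-dns-for-realm keeps the previous dns_lookup_realm default`. The SS_LIB and man-page hunks look consistent with the %files changes below them; the configure invocation continues past this hunk.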