rpms/krb5/devel krb5-1.8-pam.patch,1.2,1.3 krb5.spec,1.267,1.268

Nalin Dahyabhai nalin at fedoraproject.org
Thu May 27 20:01:44 UTC 2010


Author: nalin

Update of /cvs/extras/rpms/krb5/devel
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv13419

Modified Files:
	krb5-1.8-pam.patch krb5.spec 
Log Message:
- ksu: move session management calls to before we drop privileges, like
  su does (#596887)


krb5-1.8-pam.patch:
 aclocal.m4              |   67 ++++++++
 clients/ksu/Makefile.in |    8 
 clients/ksu/main.c      |   74 ++++++++-
 clients/ksu/pam.c       |  389 ++++++++++++++++++++++++++++++++++++++++++++++++
 clients/ksu/pam.h       |   57 +++++++
 configure.in            |    2 
 6 files changed, 594 insertions(+), 3 deletions(-)

Index: krb5-1.8-pam.patch
===================================================================
RCS file: /cvs/extras/rpms/krb5/devel/krb5-1.8-pam.patch,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -p -r1.2 -r1.3
--- krb5-1.8-pam.patch	12 Mar 2010 21:08:20 -0000	1.2
+++ krb5-1.8-pam.patch	27 May 2010 20:01:43 -0000	1.3
@@ -1,5 +1,5 @@
-Modify ksu so that it performs account and session management for the
-target user account, mimicking the action of regular su.  The default
+Modify ksu so that it performs account and session management on behalf of
+the target user account, mimicking the action of regular su.  The default
 service name is "ksu", because on Fedora at least the configuration used
 is determined by whether or not a login shell is being opened, and so
 this may need to vary, too.  At run-time, ksu's behavior can be reset to
@@ -8,7 +8,8 @@ section of /etc/krb5.conf.
 
 When enabled, ksu gains a dependency on libpam.
 
-Originally RT#5939.
+Originally RT#5939, though it's changed since then to perform the account
+and session management before dropping privileges.
 
 diff -up krb5-1.8/src/aclocal.m4.pam krb5-1.8/src/aclocal.m4
 --- krb5-1.8/src/aclocal.m4.pam	2009-11-22 12:00:45.000000000 -0500
@@ -140,49 +141,48 @@ diff -up krb5-1.8/src/clients/ksu/main.c
          /* Run authorization as target.*/
          if (krb5_seteuid(target_uid)) {
              com_err(prog_name, errno, "while switching to target for authorization check");
-@@ -792,7 +817,7 @@ main (argc, argv)
-         fprintf(stderr, "program to be execed %s\n",params[0]);
+@@ -720,6 +745,32 @@
+         exit(1);
      }
  
--    if( keep_target_cache ) {
-+    if( keep_target_cache && !force_fork ) {
-         execv(params[0], params);
-         com_err(prog_name, errno, "while trying to execv %s",
-                 params[0]);
-@@ -800,6 +825,33 @@ main (argc, argv)
-         exit(1);
-     }else{
-         statusp = 1;
-+
 +#ifdef USE_PAM
-+        if (appl_pam_enabled(ksu_context, "ksu")) {
-+            if (appl_pam_session_open() != 0) {
-+                fprintf(stderr, "Error opening session for %s.\n", target_user);
-+                sweep_up(ksu_context, cc_target);
-+                exit(1);
-+            }
++    if (appl_pam_enabled(ksu_context, "ksu")) {
++        if (appl_pam_session_open() != 0) {
++            fprintf(stderr, "Error opening session for %s.\n", target_user);
++            sweep_up(ksu_context, cc_target);
++            exit(1);
++        }
 +#ifdef DEBUG
-+            if (auth_debug){
-+                printf(" Opened PAM session.\n");
-+            }
++        if (auth_debug){
++            printf(" Opened PAM session.\n");
++        }
 +#endif
-+            if (appl_pam_cred_init()) {
-+                fprintf(stderr, "Error initializing credentials for %s.\n",
-+                        target_user);
-+                sweep_up(ksu_context, cc_target);
-+                exit(1);
-+            }
++        if (appl_pam_cred_init()) {
++            fprintf(stderr, "Error initializing credentials for %s.\n",
++                    target_user);
++            sweep_up(ksu_context, cc_target);
++            exit(1);
++        }
 +#ifdef DEBUG
-+            if (auth_debug){
-+                printf(" Initialized PAM credentials.\n");
-+            }
-+#endif
++        if (auth_debug){
++            printf(" Initialized PAM credentials.\n");
 +        }
 +#endif
++    }
++#endif
 +
-         switch ((child_pid = fork())) {
-         default:
-             if (auth_debug){
+     /* set permissions */
+     if (setgid(target_pwd->pw_gid) < 0) {
+         perror("ksu: setgid");
+@@ -792,7 +817,7 @@ main (argc, argv)
+         fprintf(stderr, "program to be execed %s\n",params[0]);
+     }
+ 
+-    if( keep_target_cache ) {
++    if( keep_target_cache && !force_fork ) {
+         execv(params[0], params);
+         com_err(prog_name, errno, "while trying to execv %s",
+                 params[0]);
 @@ -823,15 +875,34 @@ main (argc, argv)
              if (ret_pid == -1) {
                  com_err(prog_name, errno, "while calling waitpid");
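Review bot: The failure path of `appl_pam_cred_init()` in the relocated block (`sweep_up(ksu_context, cc_target); exit(1);` after the "Error initializing credentials" message) exits with the PAM session opened a few lines earlier still open, so unless sweep_up() closes it, session modules never see the matching close; the old location had the same gap, but now the open happens while ksu still holds its privileges, since the block sits ahead of the `setgid(target_pwd->pw_gid)` call. I would close the session on that path with whatever session-close helper pam.c provides before exit(1), or fold it into sweep_up() with a comment such as `/* close the PAM session opened above before bailing out */`. Separately, pam_setcred(3) documents establishing credentials before pam_open_session, whereas this block opens the session first; if the goal is to mirror su, it is worth confirming which order the su being matched uses. main()'s body begins and ends outside this hunk.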


Index: krb5.spec
===================================================================
RCS file: /cvs/extras/rpms/krb5/devel/krb5.spec,v
retrieving revision 1.267
retrieving revision 1.268
diff -u -p -r1.267 -r1.268
--- krb5.spec	24 May 2010 22:15:15 -0000	1.267
+++ krb5.spec	27 May 2010 20:01:43 -0000	1.268
@@ -625,6 +625,10 @@ exit 0
 %{_sbindir}/uuserver
 
 %changelog
+* Thu May 27 2010 Nalin Dahyabhai <nalin at redhat.com>
+- ksu: move session management calls to before we drop privileges, like
+  su does (#596887)
+
 * Mon May 24 2010 Nalin Dahyabhai <nalin at redhat.com> 1.8.1-6
 - make krb5-server-ldap also depend on the same version-release of krb5-libs,
   as the other subpackages do, if only to make it clearer than it is when we


