rpms/krb5/devel krb5-1.8-pam.patch,1.2,1.3 krb5.spec,1.267,1.268
Nalin Dahyabhai
nalin at fedoraproject.org
Thu May 27 20:01:44 UTC 2010
Author: nalin
Update of /cvs/extras/rpms/krb5/devel
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv13419
Modified Files:
krb5-1.8-pam.patch krb5.spec
Log Message:
- ksu: move session management calls to before we drop privileges, like
su does (#596887)
krb5-1.8-pam.patch:
aclocal.m4 | 67 ++++++++
clients/ksu/Makefile.in | 8
clients/ksu/main.c | 74 ++++++++-
clients/ksu/pam.c | 389 ++++++++++++++++++++++++++++++++++++++++++++++++
clients/ksu/pam.h | 57 +++++++
configure.in | 2
6 files changed, 594 insertions(+), 3 deletions(-)
Index: krb5-1.8-pam.patch
===================================================================
RCS file: /cvs/extras/rpms/krb5/devel/krb5-1.8-pam.patch,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -p -r1.2 -r1.3
--- krb5-1.8-pam.patch 12 Mar 2010 21:08:20 -0000 1.2
+++ krb5-1.8-pam.patch 27 May 2010 20:01:43 -0000 1.3
@@ -1,5 +1,5 @@
-Modify ksu so that it performs account and session management for the
-target user account, mimicking the action of regular su. The default
+Modify ksu so that it performs account and session management on behalf of
+the target user account, mimicking the action of regular su. The default
service name is "ksu", because on Fedora at least the configuration used
is determined by whether or not a login shell is being opened, and so
this may need to vary, too. At run-time, ksu's behavior can be reset to
@@ -8,7 +8,8 @@ section of /etc/krb5.conf.
When enabled, ksu gains a dependency on libpam.
-Originally RT#5939.
+Originally RT#5939, though it's changed since then to perform the account
+and session management before dropping privileges.
diff -up krb5-1.8/src/aclocal.m4.pam krb5-1.8/src/aclocal.m4
--- krb5-1.8/src/aclocal.m4.pam 2009-11-22 12:00:45.000000000 -0500
@@ -140,49 +141,48 @@ diff -up krb5-1.8/src/clients/ksu/main.c
/* Run authorization as target.*/
if (krb5_seteuid(target_uid)) {
com_err(prog_name, errno, "while switching to target for authorization check");
-@@ -792,7 +817,7 @@ main (argc, argv)
- fprintf(stderr, "program to be execed %s\n",params[0]);
+@@ -720,6 +745,32 @@
+ exit(1);
}
-- if( keep_target_cache ) {
-+ if( keep_target_cache && !force_fork ) {
- execv(params[0], params);
- com_err(prog_name, errno, "while trying to execv %s",
- params[0]);
-@@ -800,6 +825,33 @@ main (argc, argv)
- exit(1);
- }else{
- statusp = 1;
-+
+#ifdef USE_PAM
-+ if (appl_pam_enabled(ksu_context, "ksu")) {
-+ if (appl_pam_session_open() != 0) {
-+ fprintf(stderr, "Error opening session for %s.\n", target_user);
-+ sweep_up(ksu_context, cc_target);
-+ exit(1);
-+ }
++ if (appl_pam_enabled(ksu_context, "ksu")) {
++ if (appl_pam_session_open() != 0) {
++ fprintf(stderr, "Error opening session for %s.\n", target_user);
++ sweep_up(ksu_context, cc_target);
++ exit(1);
++ }
+#ifdef DEBUG
-+ if (auth_debug){
-+ printf(" Opened PAM session.\n");
-+ }
++ if (auth_debug){
++ printf(" Opened PAM session.\n");
++ }
+#endif
-+ if (appl_pam_cred_init()) {
-+ fprintf(stderr, "Error initializing credentials for %s.\n",
-+ target_user);
-+ sweep_up(ksu_context, cc_target);
-+ exit(1);
-+ }
++ if (appl_pam_cred_init()) {
++ fprintf(stderr, "Error initializing credentials for %s.\n",
++ target_user);
++ sweep_up(ksu_context, cc_target);
++ exit(1);
++ }
+#ifdef DEBUG
-+ if (auth_debug){
-+ printf(" Initialized PAM credentials.\n");
-+ }
-+#endif
++ if (auth_debug){
++ printf(" Initialized PAM credentials.\n");
+ }
+#endif
++ }
++#endif
+
- switch ((child_pid = fork())) {
- default:
- if (auth_debug){
+ /* set permissions */
+ if (setgid(target_pwd->pw_gid) < 0) {
+ perror("ksu: setgid");
+@@ -792,7 +817,7 @@ main (argc, argv)
+ fprintf(stderr, "program to be execed %s\n",params[0]);
+ }
+
+- if( keep_target_cache ) {
++ if( keep_target_cache && !force_fork ) {
+ execv(params[0], params);
+ com_err(prog_name, errno, "while trying to execv %s",
+ params[0]);
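Review bot: With the PAM block now placed ahead of `/* set permissions */`, every later failure exit runs with a session already open: the `appl_pam_cred_init()` failure branch and the `setgid` failure just below it both reach `exit(1)` with no visible session close or credential teardown. Unless pam.c (not shown in this hunk) registers an exit-time cleanup, session modules would never get their close hook on those paths; a comment such as `/* PAM session is open from here on: every exit path below must close it */` at the top of the block would make the requirement explicit. The two checks are also written differently (`appl_pam_session_open() != 0` versus a bare `appl_pam_cred_init()`), and one form should be used for both. If supplementary groups are initialised after this block (outside the hunk), any groups added during credential setup could be overwritten, so that ordering is worth confirming. `main` starts and ends outside the hunk.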
@@ -823,15 +875,34 @@ main (argc, argv)
if (ret_pid == -1) {
com_err(prog_name, errno, "while calling waitpid");
Index: krb5.spec
===================================================================
RCS file: /cvs/extras/rpms/krb5/devel/krb5.spec,v
retrieving revision 1.267
retrieving revision 1.268
diff -u -p -r1.267 -r1.268
--- krb5.spec 24 May 2010 22:15:15 -0000 1.267
+++ krb5.spec 27 May 2010 20:01:43 -0000 1.268
@@ -625,6 +625,10 @@ exit 0
%{_sbindir}/uuserver
%changelog
+* Thu May 27 2010 Nalin Dahyabhai <nalin at redhat.com>
+- ksu: move session management calls to before we drop privileges, like
+ su does (#596887)
+
* Mon May 24 2010 Nalin Dahyabhai <nalin at redhat.com> 1.8.1-6
- make krb5-server-ldap also depend on the same version-release of krb5-libs,
as the other subpackages do, if only to make it clearer than it is when we