author | Nalin Dahyabhai <nalin@dahyabhai.net> | 2014-05-27 17:52:48 -0400 |
---|---|---|
committer | Nalin Dahyabhai <nalin@dahyabhai.net> | 2014-05-27 17:52:48 -0400 |
commit | 199cac4d2dc5fc2cf388420c816d1aa301f3b3df (patch) | |
tree | d4ba073ef0cbf9fae9169f95f458b59d9768690f | |
parent | 935ba7465142106516baab0e0f5c085400045038 (diff) | |
download | krb5-1.11.5-6.fc20.tar.gz krb5-1.11.5-6.fc20.tar.xz krb5-1.11.5-6.fc20.zip |
Back off on ksu fixes for now, caused regressions for FILE:krb5-1.11.5-6.fc20
- back out currently-proposed changes to teach ksu about credential cache
collections and the default_ccache_name setting (#1089035) for now
-rw-r--r-- | krb5-1.11-pam.patch | 19 | ||||
-rw-r--r-- | krb5.spec | 20 |
2 files changed, 21 insertions, 18 deletions
diff --git a/krb5-1.11-pam.patch b/krb5-1.11-pam.patch index 9e1d516..55c3ddf 100644 --- a/krb5-1.11-pam.patch +++ b/krb5-1.11-pam.patch @@ -9,8 +9,7 @@ section of /etc/krb5.conf. When enabled, ksu gains a dependency on libpam. Originally RT#5939, though it's changed since then to perform the account -and session management before dropping privileges, and to apply on top of -changes we're proposing for how it handles cache collections. +and session management before dropping privileges. diff -up krb5-1.8/src/aclocal.m4.pam krb5-1.8/src/aclocal.m4 --- krb5-1.8/src/aclocal.m4.pam 2009-11-22 12:00:45.000000000 -0500 @@ -96,7 +95,7 @@ diff -up krb5-1.8/src/clients/ksu/main.c.pam krb5-1.8/src/clients/ksu/main.c +#include "autoconf.h" #include "ksu.h" #include "adm_proto.h" - #include "../../lib/krb5/os/os-proto.h" + #include <sys/types.h> @@ -33,6 +34,10 @@ #include <signal.h> #include <grp.h> @@ -126,13 +125,13 @@ diff -up krb5-1.8/src/clients/ksu/main.c.pam krb5-1.8/src/clients/ksu/main.c + NULL, source_user, + ttyname(STDERR_FILENO)) != 0) { + fprintf(stderr, "Access denied for %s.\n", target_user); -+ sweep_up(ksu_context, cc_tmp); ++ sweep_up(ksu_context, cc_target); + exit(1); + } + if (appl_pam_requires_chauthtok()) { + fprintf(stderr, "Password change required for %s.\n", + target_user); -+ sweep_up(ksu_context, cc_tmp); ++ sweep_up(ksu_context, cc_target); + exit(1); + } + force_fork++; @@ -143,7 +142,7 @@ diff -up krb5-1.8/src/clients/ksu/main.c.pam krb5-1.8/src/clients/ksu/main.c if (krb5_seteuid(target_uid)) { com_err(prog_name, errno, _("while switching to target for " @@ -651,6 +676,26 @@ - sweep_up(ksu_context, cc_tmp); + sweep_up(ksu_context, cc_target); exit(1); } +#ifdef USE_PAM 
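Review bot: In the hunk at `@@ -126,13 +125,13 @@` (and again in the hunk at `@@ -154,13 +153,13 @@`), the PAM check that prints `Access denied for %s.` is handed the raw result of `ttyname(STDERR_FILENO)`, and `ttyname` returns NULL whenever stderr is not a terminal, for example when ksu runs with its output redirected. Whether the callee accepts a NULL tty is not visible here, because the call's opening line lies above both hunks. I would either read the value into a local first, `const char *tty = ttyname(STDERR_FILENO);`, and decide explicitly what a missing terminal means for the account check, or add a comment such as `/* ttyname() may return NULL when stderr is not a tty; callee treats that as "no PAM_TTY" */` once that has been confirmed. The enclosing function starts and ends outside the hunks.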
@@ -154,13 +153,13 @@ diff -up krb5-1.8/src/clients/ksu/main.c.pam krb5-1.8/src/clients/ksu/main.c + NULL, source_user, + ttyname(STDERR_FILENO)) != 0) { + fprintf(stderr, "Access denied for %s.\n", target_user); -+ sweep_up(ksu_context, cc_tmp); ++ sweep_up(ksu_context, cc_target); + exit(1); + } + if (appl_pam_requires_chauthtok()) { + fprintf(stderr, "Password change required for %s.\n", + target_user); -+ sweep_up(ksu_context, cc_tmp); ++ sweep_up(ksu_context, cc_target); + exit(1); + } + force_fork++; @@ -177,7 +176,7 @@ diff -up krb5-1.8/src/clients/ksu/main.c.pam krb5-1.8/src/clients/ksu/main.c + if (appl_pam_enabled(ksu_context, "ksu")) { + if (appl_pam_session_open() != 0) { + fprintf(stderr, "Error opening session for %s.\n", target_user); -+ sweep_up(ksu_context, cc_tmp); ++ sweep_up(ksu_context, cc_target); + exit(1); + } +#ifdef DEBUG @@ -188,7 +187,7 @@ diff -up krb5-1.8/src/clients/ksu/main.c.pam krb5-1.8/src/clients/ksu/main.c + if (appl_pam_cred_init()) { + fprintf(stderr, "Error initializing credentials for %s.\n", + target_user); -+ sweep_up(ksu_context, cc_tmp); ++ sweep_up(ksu_context, cc_target); + exit(1); + } +#ifdef DEBUG @@ -41,7 +41,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.11.5 -Release: 5%{?dist} +Release: 6%{?dist} # Maybe we should explode from the now-available-to-everybody tarball instead? # http://web.mit.edu/kerberos/dist/krb5/1.11/krb5-1.11.5-signed.tar Source0: krb5-%{version}.tar.gz 
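Review bot: The failure branch of `appl_pam_cred_init()` in the hunk at `@@ -188,7 +187,7 @@` goes straight to `sweep_up(ksu_context, cc_target); exit(1);`, although the `appl_pam_session_open()` call in the hunk at `@@ -177,7 +176,7 @@` appears to run before it and to have succeeded by then. No session close or other PAM teardown is visible on that path, so unless one is registered elsewhere in the patch (not shown in these hunks), a credential-setup failure would exit with the session still open. The branch should call the patch's session-close routine before `sweep_up`, or carry a short comment naming where the teardown happens. Both blocks continue outside their hunks.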
@@ -343,13 +343,13 @@ ln -s NOTICE LICENSE %patch302 -p1 -b .kinit-cccol %patch303 -p1 -b .keyring-strtol -%patch400 -p1 -b .ksu-intermediates -%patch401 -p1 -b .Don-t-try-to-stat-not-on-disk-ccache-residuals -%patch402 -p1 -b .Use-an-in-memory-cache-until-we-need-the-target-s -%patch403 -p1 -b .Learn-to-destroy-the-ccache-we-re-copying-from -%patch404 -p1 -b .Try-to-use-the-default_ccache_name-d-as-the-target -%patch405 -p1 -b .Be-more-careful-of-target-ccache-collections -%patch406 -p1 -b .Copy-config-entries-to-the-target-ccache +#%patch400 -p1 -b .ksu-intermediates +#%patch401 -p1 -b .Don-t-try-to-stat-not-on-disk-ccache-residuals +#%patch402 -p1 -b .Use-an-in-memory-cache-until-we-need-the-target-s +#%patch403 -p1 -b .Learn-to-destroy-the-ccache-we-re-copying-from +#%patch404 -p1 -b .Try-to-use-the-default_ccache_name-d-as-the-target +#%patch405 -p1 -b .Be-more-careful-of-target-ccache-collections +#%patch406 -p1 -b .Copy-config-entries-to-the-target-ccache %patch60 -p1 -b .pam @@ -1072,6 +1072,10 @@ exit 0 %{_sbindir}/uuserver %changelog +* Mon May 27 2014 Nalin Dahyabhai <nalin@redhat.com> - 1.11.5-6 +- back out currently-proposed changes to teach ksu about credential cache + collections and the default_ccache_name setting (#1089035) for now + * Tue Mar 04 2014 Nathaniel McCallum <npmccallum@redhat.com> - 1.11.5-5 - Backport fix for change password requests when using FAST (RT#7868) |
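Review bot: The seven disabled lines in the hunk at `@@ -343,13 +343,13 @@` keep a live macro inside a comment (`#%patch400 -p1 -b .ksu-intermediates`). That depends on rpm leaving `%patchN` unexpanded there, and rpmlint reports the pattern as macro-in-comment. Doubling the percent sign, `#%%patch400 -p1 -b .ksu-intermediates` and likewise through `#%%patch406`, makes the lines inert however the macro is handled. A one-line comment above the group, for example `# ksu ccache-collection patches not applied for now: regressions with FILE: caches (#1089035)`, would also tell the next packager why patches that are presumably still declared elsewhere in the spec are skipped.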