authorNalin Dahyabhai <nalin@fedoraproject.org>2010-05-27 22:16:08 +0000
committerNalin Dahyabhai <nalin@fedoraproject.org>2010-05-27 22:16:08 +0000
commitf905e92cf831e12373c1c23dea2ea9c631cf45f9 (patch)
tree9496efee6b2601e5e2f9c7cf62287a77249c3a2f
parent8da5d352e7073e850693426d32b8f9cf6c2a319d (diff)
- ksu: move session management calls to before we drop privileges, like su
does (#596887), and don't skip the PAM account check for root or the same user (more of #540769)
-rw-r--r--krb5-1.7-pam.patch88
-rw-r--r--krb5.spec5
2 files changed, 62 insertions, 31 deletions
diff --git a/krb5-1.7-pam.patch b/krb5-1.7-pam.patch
index 33331da..8912ea6 100644
--- a/krb5-1.7-pam.patch
+++ b/krb5-1.7-pam.patch
@@ -28,8 +28,8 @@ is pretty much always going to be there. At run-time, login's behavior
can be reset to the earlier, non-PAM behavior by setting "use_pam" to
false in the [login] section of /etc/krb5.conf.
-Modify ksu so that it performs account and session management for the
-target user account, mimicking the action of regular su. The default
+Modify ksu so that it performs account and session management on behalf of
+the target user account, mimicking the action of regular su. The default
service name is "ksu", because on Fedora at least the configuration used
is determined by whether or not a login shell is being opened, and so
this may need to vary, too. At run-time, ksu's behavior can be reset to
@@ -1137,49 +1137,75 @@ diff -up krb5-1.7/src/clients/ksu/main.c krb5-1.7/src/clients/ksu/main.c
/* Run authorization as target.*/
if (krb5_seteuid(target_uid)) {
com_err(prog_name, errno, "while switching to target for authorization check");
-@@ -791,7 +816,7 @@
- fprintf(stderr, "program to be execed %s\n",params[0]);
- }
-
-- if( keep_target_cache ) {
-+ if( keep_target_cache && !force_fork ) {
- execv(params[0], params);
- com_err(prog_name, errno, "while trying to execv %s",
- params[0]);
-@@ -799,6 +824,33 @@
- exit(1);
- }else{
- statusp = 1;
-+
+@@ -650,6 +675,26 @@
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
+#ifdef USE_PAM
++ } else {
++ /* we always do PAM account management, even for root */
+ if (appl_pam_enabled(ksu_context, "ksu")) {
-+ if (appl_pam_session_open() != 0) {
-+ fprintf(stderr, "Error opening session for %s.\n", target_user);
++ if (appl_pam_acct_mgmt(KSU_PAM_SERVICE, 1, target_user, NULL,
++ NULL, source_user,
++ ttyname(STDERR_FILENO)) != 0) {
++ fprintf(stderr, "Access denied for %s.\n", target_user);
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
-+#ifdef DEBUG
-+ if (auth_debug){
-+ printf(" Opened PAM session.\n");
-+ }
-+#endif
-+ if (appl_pam_cred_init()) {
-+ fprintf(stderr, "Error initializing credentials for %s.\n",
++ if (appl_pam_requires_chauthtok()) {
++ fprintf(stderr, "Password change required for %s.\n",
+ target_user);
+ sweep_up(ksu_context, cc_target);
+ exit(1);
+ }
++ force_fork++;
++ }
++#endif
+ }
+
+ if( some_rest_copy){
+@@ -719,6 +744,32 @@
+ exit(1);
+ }
+
++#ifdef USE_PAM
++ if (appl_pam_enabled(ksu_context, "ksu")) {
++ if (appl_pam_session_open() != 0) {
++ fprintf(stderr, "Error opening session for %s.\n", target_user);
++ sweep_up(ksu_context, cc_target);
++ exit(1);
++ }
+#ifdef DEBUG
-+ if (auth_debug){
-+ printf(" Initialized PAM credentials.\n");
-+ }
++ if (auth_debug){
++ printf(" Opened PAM session.\n");
++ }
+#endif
++ if (appl_pam_cred_init()) {
++ fprintf(stderr, "Error initializing credentials for %s.\n",
++ target_user);
++ sweep_up(ksu_context, cc_target);
++ exit(1);
++ }
++#ifdef DEBUG
++ if (auth_debug){
++ printf(" Initialized PAM credentials.\n");
+ }
+#endif
++ }
++#endif
+
- switch ((child_pid = fork())) {
- default:
- if (auth_debug){
+ /* set permissions */
+ if (setgid(target_pwd->pw_gid) < 0) {
+ perror("ksu: setgid");
+@@ -791,7 +816,7 @@
+ fprintf(stderr, "program to be execed %s\n",params[0]);
+ }
+
+- if( keep_target_cache ) {
++ if( keep_target_cache && !force_fork ) {
+ execv(params[0], params);
+ com_err(prog_name, errno, "while trying to execv %s",
+ params[0]);
@@ -822,15 +874,34 @@
if (ret_pid == -1) {
com_err(prog_name, errno, "while calling waitpid");
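Review bot: The tty passed to `appl_pam_acct_mgmt()` in the new `else` branch is `ttyname(STDERR_FILENO)`, which returns NULL when stderr is not a terminal and otherwise reflects a descriptor chosen by the invoking user, so PAM account modules that decide on the tty are given caller-influenced input. Whether `appl_pam_acct_mgmt()` accepts a NULL tty is not visible in this hunk; confirm that it does, and record it at the call with a comment such as `/* tty may be NULL when stderr is redirected; appl_pam_acct_mgmt() must tolerate that */`. Separately, in the session block now placed ahead of `setgid()`, the `appl_pam_cred_init()` failure path calls `sweep_up()` and `exit(1)` after `appl_pam_session_open()` has already succeeded, with no visible session close. Unless cleanup is registered elsewhere, that path, and the privilege-drop failure paths that follow it, should close the session before exiting. The enclosing function in ksu's `main.c` begins and ends outside this hunk, so both points need checking against the full file.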
diff --git a/krb5.spec b/krb5.spec
index 8a014d5..09d91a9 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -227,6 +227,11 @@ to obtain initial credentials from a KDC using a private key and a
certificate.
%changelog
+* Thu May 27 2010 Nalin Dahyabhai <nalin@redhat.com>
+- ksu: move session management calls to before we drop privileges, like
+ su does (#596887), and don't skip the PAM account check for root or the
+ same user (more of #540769)
+
* Tue May 18 2010 Nalin Dahyabhai <nalin@redhat.com> 1.7.1-10
- add patch to correct GSSAPI library null pointer dereference which could be
triggered by malformed client requests (CVE-2010-1321, #582466)