commit 5a3d6e96376ed2d97eefa8392c4961b391fd237a Author: zyppe <210hcl@gmail.com> Date: Fri Feb 9 17:53:21 2024 +0800 Initialize for krb5
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..0b4902e
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+krb5-1.20.1.tar.gz
+vendor-files.tar.bz2
diff --git a/.krb5.metadata b/.krb5.metadata
new file mode 100644
index 0000000..b06263e
--- /dev/null
+++ b/.krb5.metadata
@@ -0,0 +1,2 @@
+270df5df4c60e00b0b10d83b04b83741a9260c36509c062154a3cfcfe1fad628 krb5-1.20.1.tar.gz
+21fb5ee1f60ae28c2acfb7d5f4532d638a1edc9a195b65b47160327771c8ddc8 vendor-files.tar.bz2
diff --git a/0001-ksu-pam-integration.patch b/0001-ksu-pam-integration.patch
new file mode 100644
index 0000000..76efa8e
--- /dev/null
+++ b/0001-ksu-pam-integration.patch
@@ -0,0 +1,776 @@ +From cb49731c07ee57f64bd5a93a182446bc834b9057 Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Tue, 23 Aug 2016 16:29:58 -0400 +Subject: [PATCH 1/8] ksu pam integration + +Modify ksu so that it performs account and session management on behalf of +the target user account, mimicking the action of regular su. The default +service name is "ksu", because on Fedora at least the configuration used +is determined by whether or not a login shell is being opened, and so +this may need to vary, too. At run-time, ksu's behavior can be reset to +the earlier, non-PAM behavior by setting "use_pam" to false in the [ksu] +section of /etc/krb5.conf. + +When enabled, ksu gains a dependency on libpam. + +Originally RT#5939, though it's changed since then to perform the account +and session management before dropping privileges, and to apply on top of +changes we're proposing for how it handles cache collections. + +Last-updated: krb5-1.18-beta1 +--- + src/aclocal.m4 | 68 +++++++ + src/clients/ksu/Makefile.in | 8 +- + src/clients/ksu/main.c | 88 +++++++- + src/clients/ksu/pam.c | 389 ++++++++++++++++++++++++++++++++++++ + src/clients/ksu/pam.h | 57 ++++++ + src/configure.ac | 2 + + 6 files changed, 609 insertions(+), 3 deletions(-) + create mode 100644 src/clients/ksu/pam.c + create mode 100644 src/clients/ksu/pam.h + +diff --git a/src/aclocal.m4 b/src/aclocal.m4 +index 024d6370c..43eed3b87 100644 +--- a/src/aclocal.m4 ++++ b/src/aclocal.m4 +@@ -1677,3 +1677,71 @@ if test "$with_ldap" = yes; then + OPENLDAP_PLUGIN=yes + fi + ])dnl ++dnl ++dnl ++dnl Use PAM instead of local crypt() compare for checking local passwords, ++dnl and perform PAM account, session management, and password-changing where ++dnl appropriate. 
++dnl ++AC_DEFUN(KRB5_WITH_PAM,[ ++AC_ARG_WITH(pam,[AC_HELP_STRING(--with-pam,[compile with PAM support])], ++ withpam="$withval",withpam=auto) ++AC_ARG_WITH(pam-ksu-service,[AC_HELP_STRING(--with-ksu-service,[PAM service name for ksu ["ksu"]])], ++ withksupamservice="$withval",withksupamservice=ksu) ++old_LIBS="$LIBS" ++if test "$withpam" != no ; then ++ AC_MSG_RESULT([checking for PAM...]) ++ PAM_LIBS= ++ ++ AC_CHECK_HEADERS(security/pam_appl.h) ++ if test "x$ac_cv_header_security_pam_appl_h" != xyes ; then ++ if test "$withpam" = auto ; then ++ AC_MSG_RESULT([Unable to locate security/pam_appl.h.]) ++ withpam=no ++ else ++ AC_MSG_ERROR([Unable to locate security/pam_appl.h.]) ++ fi ++ fi ++ ++ LIBS= ++ unset ac_cv_func_pam_start ++ AC_CHECK_FUNCS(putenv pam_start) ++ if test "x$ac_cv_func_pam_start" = xno ; then ++ unset ac_cv_func_pam_start ++ AC_CHECK_LIB(dl,dlopen) ++ AC_CHECK_FUNCS(pam_start) ++ if test "x$ac_cv_func_pam_start" = xno ; then ++ AC_CHECK_LIB(pam,pam_start) ++ unset ac_cv_func_pam_start ++ unset ac_cv_func_pam_getenvlist ++ AC_CHECK_FUNCS(pam_start pam_getenvlist) ++ if test "x$ac_cv_func_pam_start" = xyes ; then ++ PAM_LIBS="$LIBS" ++ else ++ if test "$withpam" = auto ; then ++ AC_MSG_RESULT([Unable to locate libpam.]) ++ withpam=no ++ else ++ AC_MSG_ERROR([Unable to locate libpam.]) ++ fi ++ fi ++ fi ++ fi ++ if test "$withpam" != no ; then ++ AC_MSG_NOTICE([building with PAM support]) ++ AC_DEFINE(USE_PAM,1,[Define if Kerberos-aware tools should support PAM]) ++ AC_DEFINE_UNQUOTED(KSU_PAM_SERVICE,"$withksupamservice", ++ [Define to the name of the PAM service name to be used by ksu.]) ++ PAM_LIBS="$LIBS" ++ NON_PAM_MAN=".\\\" " ++ PAM_MAN= ++ else ++ PAM_MAN=".\\\" " ++ NON_PAM_MAN= ++ fi ++fi ++LIBS="$old_LIBS" ++AC_SUBST(PAM_LIBS) ++AC_SUBST(PAM_MAN) ++AC_SUBST(NON_PAM_MAN) ++])dnl +diff --git a/src/clients/ksu/Makefile.in b/src/clients/ksu/Makefile.in +index 8b4edce4d..9d58f29b5 100644 +--- a/src/clients/ksu/Makefile.in ++++ 
b/src/clients/ksu/Makefile.in +@@ -3,12 +3,14 @@ BUILDTOP=$(REL)..$(S).. + DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/usr/local/sbin /usr/local/bin /sbin /bin /usr/sbin /usr/bin"' + + KSU_LIBS=@KSU_LIBS@ ++PAM_LIBS=@PAM_LIBS@ + + SRCS = \ + $(srcdir)/krb_auth_su.c \ + $(srcdir)/ccache.c \ + $(srcdir)/authorization.c \ + $(srcdir)/main.c \ ++ $(srcdir)/pam.c \ + $(srcdir)/heuristic.c \ + $(srcdir)/xmalloc.c \ + $(srcdir)/setenv.c +@@ -17,13 +19,17 @@ OBJS = \ + ccache.o \ + authorization.o \ + main.o \ ++ pam.o \ + heuristic.o \ + xmalloc.o @SETENVOBJ@ + + all: ksu + + ksu: $(OBJS) $(KRB5_BASE_DEPLIBS) +- $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS) ++ $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS) $(PAM_LIBS) ++ ++pam.o: pam.c ++ $(CC) $(ALL_CFLAGS) -c $< + + clean: + $(RM) ksu +diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c +index af1286172..931f05404 100644 +--- a/src/clients/ksu/main.c ++++ b/src/clients/ksu/main.c +@@ -26,6 +26,7 @@ + * KSU was written by: Ari Medvinsky, ari@isi.edu + */ + ++#include "autoconf.h" + #include "ksu.h" + #include "adm_proto.h" + #include +@@ -33,6 +34,10 @@ + #include + #include + ++#ifdef USE_PAM ++#include "pam.h" ++#endif ++ + /* globals */ + char * prog_name; + int auth_debug =0; +@@ -40,6 +45,7 @@ char k5login_path[MAXPATHLEN]; + char k5users_path[MAXPATHLEN]; + char * gb_err = NULL; + int quiet = 0; ++int force_fork = 0; + /***********/ + + #define KS_TEMPORARY_CACHE "MEMORY:_ksu" +@@ -536,6 +542,23 @@ main (argc, argv) + prog_name,target_user,client_name, + source_user,ontty()); + ++#ifdef USE_PAM ++ if (appl_pam_enabled(ksu_context, "ksu")) { ++ if (appl_pam_acct_mgmt(KSU_PAM_SERVICE, 1, target_user, NULL, ++ NULL, source_user, ++ ttyname(STDERR_FILENO)) != 0) { ++ fprintf(stderr, "Access denied for %s.\n", target_user); ++ exit(1); ++ } ++ if (appl_pam_requires_chauthtok()) { ++ fprintf(stderr, "Password change required for %s.\n", ++ target_user); ++ exit(1); ++ } ++ 
force_fork++; ++ } ++#endif ++ + /* Run authorization as target.*/ + if (krb5_seteuid(target_uid)) { + com_err(prog_name, errno, _("while switching to target for " +@@ -596,6 +619,24 @@ main (argc, argv) + + exit(1); + } ++#ifdef USE_PAM ++ } else { ++ /* we always do PAM account management, even for root */ ++ if (appl_pam_enabled(ksu_context, "ksu")) { ++ if (appl_pam_acct_mgmt(KSU_PAM_SERVICE, 1, target_user, NULL, ++ NULL, source_user, ++ ttyname(STDERR_FILENO)) != 0) { ++ fprintf(stderr, "Access denied for %s.\n", target_user); ++ exit(1); ++ } ++ if (appl_pam_requires_chauthtok()) { ++ fprintf(stderr, "Password change required for %s.\n", ++ target_user); ++ exit(1); ++ } ++ force_fork++; ++ } ++#endif + } + + if( some_rest_copy){ +@@ -653,6 +694,30 @@ main (argc, argv) + exit(1); + } + ++#ifdef USE_PAM ++ if (appl_pam_enabled(ksu_context, "ksu")) { ++ if (appl_pam_session_open() != 0) { ++ fprintf(stderr, "Error opening session for %s.\n", target_user); ++ exit(1); ++ } ++#ifdef DEBUG ++ if (auth_debug){ ++ printf(" Opened PAM session.\n"); ++ } ++#endif ++ if (appl_pam_cred_init()) { ++ fprintf(stderr, "Error initializing credentials for %s.\n", ++ target_user); ++ exit(1); ++ } ++#ifdef DEBUG ++ if (auth_debug){ ++ printf(" Initialized PAM credentials.\n"); ++ } ++#endif ++ } ++#endif ++ + /* set permissions */ + if (setgid(target_pwd->pw_gid) < 0) { + perror("ksu: setgid"); +@@ -750,7 +815,7 @@ main (argc, argv) + fprintf(stderr, "program to be execed %s\n",params[0]); + } + +- if( keep_target_cache ) { ++ if( keep_target_cache && !force_fork ) { + execv(params[0], params); + com_err(prog_name, errno, _("while trying to execv %s"), params[0]); + sweep_up(ksu_context, cc_target); +@@ -780,16 +845,35 @@ main (argc, argv) + if (ret_pid == -1) { + com_err(prog_name, errno, _("while calling waitpid")); + } +- sweep_up(ksu_context, cc_target); ++ if( !keep_target_cache ) { ++ sweep_up(ksu_context, cc_target); ++ } + exit (statusp); + case -1: + 
com_err(prog_name, errno, _("while trying to fork.")); + sweep_up(ksu_context, cc_target); + exit (1); + case 0: ++#ifdef USE_PAM ++ if (appl_pam_enabled(ksu_context, "ksu")) { ++ if (appl_pam_setenv() != 0) { ++ fprintf(stderr, "Error setting up environment for %s.\n", ++ target_user); ++ exit (1); ++ } ++#ifdef DEBUG ++ if (auth_debug){ ++ printf(" Set up PAM environment.\n"); ++ } ++#endif ++ } ++#endif + execv(params[0], params); + com_err(prog_name, errno, _("while trying to execv %s"), + params[0]); ++ if( keep_target_cache ) { ++ sweep_up(ksu_context, cc_target); ++ } + exit (1); + } + } +diff --git a/src/clients/ksu/pam.c b/src/clients/ksu/pam.c +new file mode 100644 +index 000000000..eb5d03bbf +--- /dev/null ++++ b/src/clients/ksu/pam.c +@@ -0,0 +1,389 @@ ++/* ++ * src/clients/ksu/pam.c ++ * ++ * Copyright 2007,2009,2010 Red Hat, Inc. ++ * ++ * All Rights Reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions are met: ++ * ++ * Redistributions of source code must retain the above copyright notice, this ++ * list of conditions and the following disclaimer. ++ * ++ * Redistributions in binary form must reproduce the above copyright notice, ++ * this list of conditions and the following disclaimer in the documentation ++ * and/or other materials provided with the distribution. ++ * ++ * Neither the name of Red Hat, Inc. nor the names of its contributors may be ++ * used to endorse or promote products derived from this software without ++ * specific prior written permission. ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" ++ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ++ * ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE ++ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR ++ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF ++ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS ++ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN ++ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE ++ * POSSIBILITY OF SUCH DAMAGE. ++ * ++ * Convenience wrappers for using PAM. ++ */ ++ ++#include "autoconf.h" ++#ifdef USE_PAM ++#include ++#include ++#include ++#include ++#include ++#include "k5-int.h" ++#include "pam.h" ++ ++#ifndef MAXPWSIZE ++#define MAXPWSIZE 128 ++#endif ++ ++static int appl_pam_started; ++static pid_t appl_pam_starter = -1; ++static int appl_pam_session_opened; ++static int appl_pam_creds_initialized; ++static int appl_pam_pwchange_required; ++static pam_handle_t *appl_pamh; ++static struct pam_conv appl_pam_conv; ++static char *appl_pam_user; ++struct appl_pam_non_interactive_args { ++ const char *user; ++ const char *password; ++}; ++ ++int ++appl_pam_enabled(krb5_context context, const char *section) ++{ ++ int enabled = 1; ++ if ((context != NULL) && (context->profile != NULL)) { ++ if (profile_get_boolean(context->profile, ++ section, ++ USE_PAM_CONFIGURATION_KEYWORD, ++ NULL, ++ enabled, &enabled) != 0) { ++ enabled = 1; ++ } ++ } ++ return enabled; ++} ++ ++void ++appl_pam_cleanup(void) ++{ ++ if (getpid() != appl_pam_starter) { ++ return; ++ } ++#ifdef DEBUG ++ printf("Called to clean up PAM.\n"); ++#endif ++ if (appl_pam_creds_initialized) { ++#ifdef DEBUG ++ printf("Deleting PAM credentials.\n"); ++#endif ++ pam_setcred(appl_pamh, PAM_DELETE_CRED); ++ appl_pam_creds_initialized = 0; ++ } ++ if (appl_pam_session_opened) { ++#ifdef DEBUG ++ printf("Closing PAM session.\n"); ++#endif ++ pam_close_session(appl_pamh, 0); ++ 
appl_pam_session_opened = 0; ++ } ++ appl_pam_pwchange_required = 0; ++ if (appl_pam_started) { ++#ifdef DEBUG ++ printf("Shutting down PAM.\n"); ++#endif ++ pam_end(appl_pamh, 0); ++ appl_pam_started = 0; ++ appl_pam_starter = -1; ++ free(appl_pam_user); ++ appl_pam_user = NULL; ++ } ++} ++static int ++appl_pam_interactive_converse(int num_msg, const struct pam_message **msg, ++ struct pam_response **presp, void *appdata_ptr) ++{ ++ const struct pam_message *message; ++ struct pam_response *resp; ++ int i, code; ++ char *pwstring, pwbuf[MAXPWSIZE]; ++ unsigned int pwsize; ++ resp = malloc(sizeof(struct pam_response) * num_msg); ++ if (resp == NULL) { ++ return PAM_BUF_ERR; ++ } ++ memset(resp, 0, sizeof(struct pam_response) * num_msg); ++ code = PAM_SUCCESS; ++ for (i = 0; i < num_msg; i++) { ++ message = &(msg[0][i]); /* XXX */ ++ message = msg[i]; /* XXX */ ++ pwstring = NULL; ++ switch (message->msg_style) { ++ case PAM_TEXT_INFO: ++ case PAM_ERROR_MSG: ++ printf("[%s]\n", message->msg ? message->msg : ""); ++ fflush(stdout); ++ resp[i].resp = NULL; ++ resp[i].resp_retcode = PAM_SUCCESS; ++ break; ++ case PAM_PROMPT_ECHO_ON: ++ case PAM_PROMPT_ECHO_OFF: ++ if (message->msg_style == PAM_PROMPT_ECHO_ON) { ++ if (fgets(pwbuf, sizeof(pwbuf), ++ stdin) != NULL) { ++ pwbuf[strcspn(pwbuf, "\r\n")] = '\0'; ++ pwstring = pwbuf; ++ } ++ } else { ++ pwstring = getpass(message->msg ? 
++ message->msg : ++ ""); ++ } ++ if ((pwstring != NULL) && (pwstring[0] != '\0')) { ++ pwsize = strlen(pwstring); ++ resp[i].resp = malloc(pwsize + 1); ++ if (resp[i].resp == NULL) { ++ resp[i].resp_retcode = PAM_BUF_ERR; ++ } else { ++ memcpy(resp[i].resp, pwstring, pwsize); ++ resp[i].resp[pwsize] = '\0'; ++ resp[i].resp_retcode = PAM_SUCCESS; ++ } ++ } else { ++ resp[i].resp_retcode = PAM_CONV_ERR; ++ code = PAM_CONV_ERR; ++ } ++ break; ++ default: ++ break; ++ } ++ } ++ *presp = resp; ++ return code; ++} ++static int ++appl_pam_non_interactive_converse(int num_msg, ++ const struct pam_message **msg, ++ struct pam_response **presp, ++ void *appdata_ptr) ++{ ++ const struct pam_message *message; ++ struct pam_response *resp; ++ int i, code; ++ unsigned int pwsize; ++ struct appl_pam_non_interactive_args *args; ++ const char *pwstring; ++ resp = malloc(sizeof(struct pam_response) * num_msg); ++ if (resp == NULL) { ++ return PAM_BUF_ERR; ++ } ++ args = appdata_ptr; ++ memset(resp, 0, sizeof(struct pam_response) * num_msg); ++ code = PAM_SUCCESS; ++ for (i = 0; i < num_msg; i++) { ++ message = &((*msg)[i]); ++ message = msg[i]; ++ pwstring = NULL; ++ switch (message->msg_style) { ++ case PAM_TEXT_INFO: ++ case PAM_ERROR_MSG: ++ break; ++ case PAM_PROMPT_ECHO_ON: ++ case PAM_PROMPT_ECHO_OFF: ++ if (message->msg_style == PAM_PROMPT_ECHO_ON) { ++ /* assume "user" */ ++ pwstring = args->user; ++ } else { ++ /* assume "password" */ ++ pwstring = args->password; ++ } ++ if ((pwstring != NULL) && (pwstring[0] != '\0')) { ++ pwsize = strlen(pwstring); ++ resp[i].resp = malloc(pwsize + 1); ++ if (resp[i].resp == NULL) { ++ resp[i].resp_retcode = PAM_BUF_ERR; ++ } else { ++ memcpy(resp[i].resp, pwstring, pwsize); ++ resp[i].resp[pwsize] = '\0'; ++ resp[i].resp_retcode = PAM_SUCCESS; ++ } ++ } else { ++ resp[i].resp_retcode = PAM_CONV_ERR; ++ code = PAM_CONV_ERR; ++ } ++ break; ++ default: ++ break; ++ } ++ } ++ *presp = resp; ++ return code; ++} ++static int 
++appl_pam_start(const char *service, int interactive, ++ const char *login_username, ++ const char *non_interactive_password, ++ const char *hostname, ++ const char *ruser, ++ const char *tty) ++{ ++ static int exit_handler_registered; ++ static struct appl_pam_non_interactive_args args; ++ int ret = 0; ++ if (appl_pam_started && ++ (strcmp(login_username, appl_pam_user) != 0)) { ++ appl_pam_cleanup(); ++ appl_pam_user = NULL; ++ } ++ if (!appl_pam_started) { ++#ifdef DEBUG ++ printf("Starting PAM up (service=\"%s\",user=\"%s\").\n", ++ service, login_username); ++#endif ++ memset(&appl_pam_conv, 0, sizeof(appl_pam_conv)); ++ appl_pam_conv.conv = interactive ? ++ &appl_pam_interactive_converse : ++ &appl_pam_non_interactive_converse; ++ memset(&args, 0, sizeof(args)); ++ args.user = strdup(login_username); ++ args.password = non_interactive_password ? ++ strdup(non_interactive_password) : ++ NULL; ++ appl_pam_conv.appdata_ptr = &args; ++ ret = pam_start(service, login_username, ++ &appl_pam_conv, &appl_pamh); ++ if (ret == 0) { ++ if (hostname != NULL) { ++#ifdef DEBUG ++ printf("Setting PAM_RHOST to \"%s\".\n", hostname); ++#endif ++ pam_set_item(appl_pamh, PAM_RHOST, hostname); ++ } ++ if (ruser != NULL) { ++#ifdef DEBUG ++ printf("Setting PAM_RUSER to \"%s\".\n", ruser); ++#endif ++ pam_set_item(appl_pamh, PAM_RUSER, ruser); ++ } ++ if (tty != NULL) { ++#ifdef DEBUG ++ printf("Setting PAM_TTY to \"%s\".\n", tty); ++#endif ++ pam_set_item(appl_pamh, PAM_TTY, tty); ++ } ++ if (!exit_handler_registered && ++ (atexit(appl_pam_cleanup) != 0)) { ++ pam_end(appl_pamh, 0); ++ appl_pamh = NULL; ++ ret = -1; ++ } else { ++ appl_pam_started = 1; ++ appl_pam_starter = getpid(); ++ appl_pam_user = strdup(login_username); ++ exit_handler_registered = 1; ++ } ++ } ++ } ++ return ret; ++} ++int ++appl_pam_acct_mgmt(const char *service, int interactive, ++ const char *login_username, ++ const char *non_interactive_password, ++ const char *hostname, ++ const char *ruser, ++ 
const char *tty) ++{ ++ int ret; ++ appl_pam_pwchange_required = 0; ++ ret = appl_pam_start(service, interactive, login_username, ++ non_interactive_password, hostname, ruser, tty); ++ if (ret == 0) { ++#ifdef DEBUG ++ printf("Calling pam_acct_mgmt().\n"); ++#endif ++ ret = pam_acct_mgmt(appl_pamh, 0); ++ switch (ret) { ++ case PAM_IGNORE: ++ ret = 0; ++ break; ++ case PAM_NEW_AUTHTOK_REQD: ++ appl_pam_pwchange_required = 1; ++ ret = 0; ++ break; ++ default: ++ break; ++ } ++ } ++ return ret; ++} ++int ++appl_pam_requires_chauthtok(void) ++{ ++ return appl_pam_pwchange_required; ++} ++int ++appl_pam_session_open(void) ++{ ++ int ret = 0; ++ if (appl_pam_started) { ++#ifdef DEBUG ++ printf("Opening PAM session.\n"); ++#endif ++ ret = pam_open_session(appl_pamh, 0); ++ if (ret == 0) { ++ appl_pam_session_opened = 1; ++ } ++ } ++ return ret; ++} ++int ++appl_pam_setenv(void) ++{ ++ int ret = 0; ++#ifdef HAVE_PAM_GETENVLIST ++#ifdef HAVE_PUTENV ++ int i; ++ char **list; ++ if (appl_pam_started) { ++ list = pam_getenvlist(appl_pamh); ++ for (i = 0; ((list != NULL) && (list[i] != NULL)); i++) { ++#ifdef DEBUG ++ printf("Setting \"%s\" in environment.\n", list[i]); ++#endif ++ putenv(list[i]); ++ } ++ } ++#endif ++#endif ++ return ret; ++} ++int ++appl_pam_cred_init(void) ++{ ++ int ret = 0; ++ if (appl_pam_started) { ++#ifdef DEBUG ++ printf("Initializing PAM credentials.\n"); ++#endif ++ ret = pam_setcred(appl_pamh, PAM_ESTABLISH_CRED); ++ if (ret == 0) { ++ appl_pam_creds_initialized = 1; ++ } ++ } ++ return ret; ++} ++#endif +diff --git a/src/clients/ksu/pam.h b/src/clients/ksu/pam.h +new file mode 100644 +index 000000000..d45b9fd84 +--- /dev/null ++++ b/src/clients/ksu/pam.h +@@ -0,0 +1,57 @@ ++/* ++ * src/clients/ksu/pam.h ++ * ++ * Copyright 2007,2009,2010 Red Hat, Inc. ++ * ++ * All Rights Reserved. 
++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions are met: ++ * ++ * Redistributions of source code must retain the above copyright notice, this ++ * list of conditions and the following disclaimer. ++ * ++ * Redistributions in binary form must reproduce the above copyright notice, ++ * this list of conditions and the following disclaimer in the documentation ++ * and/or other materials provided with the distribution. ++ * ++ * Neither the name of Red Hat, Inc. nor the names of its contributors may be ++ * used to endorse or promote products derived from this software without ++ * specific prior written permission. ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" ++ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ++ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE ++ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR ++ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF ++ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS ++ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN ++ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE ++ * POSSIBILITY OF SUCH DAMAGE. ++ * ++ * Convenience wrappers for using PAM. 
++ */ ++ ++#include ++#ifdef HAVE_SECURITY_PAM_APPL_H ++#include ++#endif ++ ++#define USE_PAM_CONFIGURATION_KEYWORD "use_pam" ++ ++#ifdef USE_PAM ++int appl_pam_enabled(krb5_context context, const char *section); ++int appl_pam_acct_mgmt(const char *service, int interactive, ++ const char *local_username, ++ const char *non_interactive_password, ++ const char *hostname, ++ const char *ruser, ++ const char *tty); ++int appl_pam_requires_chauthtok(void); ++int appl_pam_session_open(void); ++int appl_pam_setenv(void); ++int appl_pam_cred_init(void); ++void appl_pam_cleanup(void); ++#endif +diff --git a/src/configure.ac b/src/configure.ac +index 4eb080784..693f76a81 100644 +--- a/src/configure.ac ++++ b/src/configure.ac +@@ -1389,6 +1389,8 @@ AC_SUBST([VERTO_VERSION]) + + AC_PATH_PROG(GROFF, groff) + ++KRB5_WITH_PAM ++ + # Make localedir work in autoconf 2.5x. + if test "${localedir+set}" != set; then + localedir='$(datadir)/locale' +-- +2.30.0 + diff --git a/0002-krb5-1.9-manpaths.patch b/0002-krb5-1.9-manpaths.patch new file mode 100644 index 0000000..a056938 --- /dev/null +++ b/0002-krb5-1.9-manpaths.patch 
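Review bot: `appl_pam_start` in `src/clients/ksu/pam.c` copies `non_interactive_password` into the function-static `args.password` with `strdup`, and no code path ever clears or frees it — `appl_pam_cleanup` releases only `appl_pam_user`, and `args` is not even visible to it, so a plaintext credential can sit in a setuid process for its whole lifetime. Hoisting `args` to file scope and having `appl_pam_cleanup` wipe and free `args.password` (and free `args.user`) next to `appl_pam_user` closes that gap; ksu itself passes `NULL` for the password from `main.c`, so the residue is latent today, but the wrapper is clearly written for reuse. The `strdup` into `appl_pam_user` is also unchecked, and a `NULL` result would reach the `strcmp` at the top of the next `appl_pam_start` call. Separately, `aclocal.m4` declares the option as `pam-ksu-service` but documents it as `--with-ksu-service`; the help string should read `AC_ARG_WITH(pam-ksu-service,[AC_HELP_STRING(--with-pam-ksu-service,[PAM service name for ksu ["ksu"]])],`.
```c
/* file scope: replaces the function-static `args` inside appl_pam_start() */
static struct appl_pam_non_interactive_args appl_pam_args;

void
appl_pam_cleanup(void)
{
    /* … unchanged: starter pid check, credential and session teardown … */
    if (appl_pam_started) {
        /* … unchanged: pam_end(), reset of appl_pam_started / appl_pam_starter … */
        free(appl_pam_user);
        appl_pam_user = NULL;
        if (appl_pam_args.password != NULL)
            zap((char *)appl_pam_args.password, strlen(appl_pam_args.password));
        free((char *)appl_pam_args.password);
        free((char *)appl_pam_args.user);
        memset(&appl_pam_args, 0, sizeof(appl_pam_args));
    }
}
/* … appl_pam_start(): use appl_pam_args wherever the local `args` was used … */
```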
@@ -0,0 +1,29 @@ +From 191084a19585fbc99e11b6ef4f00ce9df7f45e2f Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Mon, 14 Jan 2019 13:06:55 +0100 +Subject: [PATCH 2/9] Import krb5-1.9-manpaths.dif + +Change the absolute paths included in the man pages so that the correct +values can be dropped in by config.status. After applying this patch, +these files should be renamed to their ".in" counterparts, and then the +configure scripts should be rebuilt. Originally RT#6525 +--- + src/man/kpropd.man | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/man/kpropd.man b/src/man/kpropd.man +index d80e43ad7..949407edd 100644 +--- a/src/man/kpropd.man ++++ b/src/man/kpropd.man +@@ -66,7 +66,7 @@ the \fB/etc/inetd.conf\fP file which looks like this: + .sp + .nf + .ft C +-kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd ++kprop stream tcp nowait root @SBINDIR@/kpropd kpropd + .ft P + .fi + .UNINDENT +-- +2.20.1 + diff --git a/0003-Adjust-build-configuration.patch b/0003-Adjust-build-configuration.patch new file mode 100644 index 0000000..95013b8 --- /dev/null +++ b/0003-Adjust-build-configuration.patch 
@@ -0,0 +1,75 @@ +From 48abdf7c7b28611c1135b35dfa23ac61899e80b2 Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Tue, 23 Aug 2016 16:45:26 -0400 +Subject: [PATCH 3/8] Adjust build configuration + +Build binaries in this package as RELRO PIEs, libraries as partial RELRO, +and install shared libraries with the execute bit set on them. Prune out +the -L/usr/lib* and PIE flags where they might leak out and affect +apps which just want to link with the libraries. FIXME: needs to check and +not just assume that the compiler supports using these flags. + +Last-updated: krb5-1.15-beta1 +--- + src/build-tools/krb5-config.in | 7 +++++++ + src/config/pre.in | 2 +- + src/config/shlib.conf | 5 +++-- + 3 files changed, 11 insertions(+), 3 deletions(-) + +diff --git a/src/build-tools/krb5-config.in b/src/build-tools/krb5-config.in +index f6184da3f..0edf6a1a5 100755 +--- a/src/build-tools/krb5-config.in ++++ b/src/build-tools/krb5-config.in +@@ -225,6 +225,13 @@ if test -n "$do_libs"; then + -e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \ + -e 's#\$(CFLAGS)##'` + ++ if test `dirname $libdir` = /usr ; then ++ lib_flags=`echo $lib_flags | sed -e "s#-L$libdir##" -e "s#$RPATH_FLAG$libdir##"` ++ fi ++ lib_flags=`echo $lib_flags | sed -e "s#-fPIE##g" -e "s#-pie##g"` ++ lib_flags=`echo $lib_flags | sed -e "s#-Wl,-z,relro##g"` ++ lib_flags=`echo $lib_flags | sed -e "s#-Wl,-z,now##g"` ++ + if test $library = 'kdb'; then + lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB" + library=krb5 +diff --git a/src/config/pre.in b/src/config/pre.in +index ce87e21ca..164bf8301 100644 +--- a/src/config/pre.in ++++ b/src/config/pre.in +@@ -184,7 +184,7 @@ INSTALL_PROGRAM=@INSTALL_PROGRAM@ $(INSTALL_STRIP) + INSTALL_SCRIPT=@INSTALL_PROGRAM@ + INSTALL_DATA=@INSTALL_DATA@ + INSTALL_SHLIB=@INSTALL_SHLIB@ +-INSTALL_SETUID=$(INSTALL) $(INSTALL_STRIP) -m 4755 -o root ++INSTALL_SETUID=$(INSTALL) $(INSTALL_STRIP) -m 4755 + ## This is needed because autoconf will sometimes define @exec_prefix@ to be + ## ${prefix}. 
+ prefix=@prefix@ +diff --git a/src/config/shlib.conf b/src/config/shlib.conf +index 3e4af6c02..2b20c3fda 100644 +--- a/src/config/shlib.conf ++++ b/src/config/shlib.conf +@@ -423,7 +423,7 @@ mips-*-netbsd*) + # Linux ld doesn't default to stuffing the SONAME field... + # Use objdump -x to examine the fields of the library + # UNDEF_CHECK is suppressed by --enable-asan +- LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $(UNDEF_CHECK)' ++ LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $(UNDEF_CHECK) -Wl,-z,relro -Wl,--warn-shared-textrel' + UNDEF_CHECK='-Wl,--no-undefined' + # $(EXPORT_CHECK) runs export-check.pl when in maintainer mode. + LDCOMBINE_TAIL='-Wl,--version-script binutils.versions $(EXPORT_CHECK)' +@@ -435,7 +435,8 @@ mips-*-netbsd*) + SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)' + PROFFLAGS=-pg + PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)' +- CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)' ++ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie -Wl,-z,relro -Wl,-z,now $(LDFLAGS)' ++ INSTALL_SHLIB='${INSTALL} -m755' + CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)' + CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)' + CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)' +-- +2.25.0 + diff --git a/0004-krb5-1.6.3-gssapi_improve_errormessages.patch b/0004-krb5-1.6.3-gssapi_improve_errormessages.patch new file mode 100644 index 0000000..066a170 --- /dev/null +++ b/0004-krb5-1.6.3-gssapi_improve_errormessages.patch 
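Review bot: The new `INSTALL_SETUID` line in `src/config/pre.in` keeps `-m 4755` but drops `-o root`, so the installed binary is setuid to whichever account runs `make install`, and nothing on the line says that is deliberate. If the intent is to let unprivileged or fakeroot package builds succeed (where the chown would fail) and rely on the packaging to set ownership, record it above the assignment: `## -o root omitted so non-root (fakeroot) installs succeed; packaging sets the owner.` Relatedly, `CC_LINK_SHARED` in `shlib.conf` now adds `-pie`, which presumes the objects were compiled with `-fPIE`; that flag is not added anywhere in this patch and is presumably supplied through `CFLAGS` by the spec, which deserves a comment in the same block since `krb5-config.in` already strips `-fPIE` from the exported flags.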
@@ -0,0 +1,25 @@ +From 48b7d6a58b6efab9578ef160767aaed86168d046 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Mon, 14 Jan 2019 13:09:05 +0100 +Subject: [PATCH 4/9] Import krb5-1.6.3-gssapi_improve_errormessages.dif + +--- + src/lib/gssapi/generic/disp_com_err_status.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/lib/gssapi/generic/disp_com_err_status.c b/src/lib/gssapi/generic/disp_com_err_status.c +index bc416107e..22612f970 100644 +--- a/src/lib/gssapi/generic/disp_com_err_status.c ++++ b/src/lib/gssapi/generic/disp_com_err_status.c +@@ -52,7 +52,7 @@ g_display_com_err_status(OM_uint32 *minor_status, OM_uint32 status_value, + status_string->value = NULL; + + if (! g_make_string_buffer(((status_value == 0)?no_error: +- error_message(status_value)), ++ error_message((long)status_value)), + status_string)) { + *minor_status = ENOMEM; + return(GSS_S_FAILURE); +-- +2.20.1 + diff --git a/0005-krb5-1.6.3-ktutil-manpage.patch b/0005-krb5-1.6.3-ktutil-manpage.patch new file mode 100644 index 0000000..6649dae --- /dev/null +++ b/0005-krb5-1.6.3-ktutil-manpage.patch 
@@ -0,0 +1,35 @@ +From 08b99cc69debeb8da38854ddd09f62f854f29309 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Mon, 14 Jan 2019 13:14:47 +0100 +Subject: [PATCH 5/9] Import krb5-1.6.3-ktutil-manpage.dif + +--- + src/man/ktutil.man | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/src/man/ktutil.man b/src/man/ktutil.man +index 75dee9c56..85a121f5b 100644 +--- a/src/man/ktutil.man ++++ b/src/man/ktutil.man +@@ -166,6 +166,18 @@ ktutil: + .sp + See kerberos(7) for a description of Kerberos environment + variables. ++.SH REMARKS ++Changes to the keytab are appended to the keytab file (i.e., the keytab file ++is never overwritten). To directly modify a keytab, save the changes to a ++temporary file and then overwrite the keytab file of interest. ++.TP ++.nf ++Example: ++ktutil> rkt /etc/krb5.keytab ++(modifications to keytab) ++ktutil> wkt /tmp/krb5.newtab ++ktutil> q ++# mv /tmp/krb5.newtab /etc/krb5.keytab + .SH SEE ALSO + .sp + kadmin(1), kdb5_util(8), kerberos(7) +-- +2.20.1 + diff --git a/0006-krb5-1.12-api.patch b/0006-krb5-1.12-api.patch new file mode 100644 index 0000000..32a3950 --- /dev/null +++ b/0006-krb5-1.12-api.patch 
@@ -0,0 +1,40 @@ +From a853fd08ebbb8b46b15abb11c8e11c0390f139b1 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Mon, 14 Jan 2019 13:15:50 +0100 +Subject: [PATCH 6/9] Import krb5-1.12-api.patch + +Reference docs don't define what happens if you call krb5_realm_compare() with +malformed krb5_principal structures. Define a behavior which keeps it from +crashing if applications don't check ahead of time. +--- + src/lib/krb5/krb/princ_comp.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/src/lib/krb5/krb/princ_comp.c b/src/lib/krb5/krb/princ_comp.c +index a6936107d..0ed78833b 100644 +--- a/src/lib/krb5/krb/princ_comp.c ++++ b/src/lib/krb5/krb/princ_comp.c +@@ -36,6 +36,10 @@ realm_compare_flags(krb5_context context, + const krb5_data *realm1 = &princ1->realm; + const krb5_data *realm2 = &princ2->realm; + ++ if (princ1 == NULL || princ2 == NULL) ++ return FALSE; ++ if (realm1 == NULL || realm2 == NULL) ++ return FALSE; + if (realm1->length != realm2->length) + return FALSE; + if (realm1->length == 0) +@@ -88,6 +92,9 @@ krb5_principal_compare_flags(krb5_context context, + krb5_principal upn2 = NULL; + krb5_boolean ret = FALSE; + ++ if (princ1 == NULL || princ2 == NULL) ++ return FALSE; ++ + if (flags & KRB5_PRINCIPAL_COMPARE_ENTERPRISE) { + /* Treat UPNs as if they were real principals */ + if (princ1->type == KRB5_NT_ENTERPRISE_PRINCIPAL) { +-- +2.20.1 + diff --git a/0007-SELinux-integration.patch b/0007-SELinux-integration.patch new file mode 100644 index 0000000..3ad1745 --- /dev/null +++ b/0007-SELinux-integration.patch 
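Review bot: In `realm_compare_flags` the added `princ1 == NULL || princ2 == NULL` guard comes after the declarations `const krb5_data *realm1 = &princ1->realm;` and `realm2 = &princ2->realm;`, which already dereference a null `princ1`/`princ2` to form the member address; that is undefined behaviour, and a compiler may treat the later null check as unreachable and drop it. The following `realm1 == NULL || realm2 == NULL` check is dead for the same reason — the address of a struct member is never null. Declare the two pointers without initialisers, perform the principal null check first, then assign `realm1 = &princ1->realm; realm2 = &princ2->realm;` and drop the realm-pointer check. The function's signature and the remainder of its body lie outside the hunk; the second hunk in `krb5_principal_compare_flags` places its check before any dereference and needs no change.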
@@ -0,0 +1,1037 @@ +From 827413baa8f803ff07e8adc3efaf907ed7faa734 Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Tue, 23 Aug 2016 16:30:53 -0400 +Subject: [PATCH 7/8] SELinux integration + +SELinux bases access to files on the domain of the requesting process, +the operation being performed, and the context applied to the file. + +In many cases, applications needn't be SELinux aware to work properly, +because SELinux can apply a default label to a file based on the label +of the directory in which it's created. + +In the case of files such as /etc/krb5.keytab, however, this isn't +sufficient, as /etc/krb5.keytab will almost always need to be given a +label which differs from that of /etc/issue or /etc/resolv.conf. The +the kdb stash file needs a different label than the database for which +it's holding a master key, even though both typically live in the same +directory. + +To give the file the correct label, we can either force a "restorecon" +call to fix a file's label after it's created, or create the file with +the right label, as we attempt to do here. We lean on THREEPARAMOPEN +and define a similar macro named WRITABLEFOPEN with which we replace +several uses of fopen(). + +The file creation context that we're manipulating here is a process-wide +attribute. While for the most part, applications which need to label +files when they're created have tended to be single-threaded, there's +not much we can do to avoid interfering with an application that +manipulates the creation context directly. Right now we're mediating +access using a library-local mutex, but that can only work for consumers +that are part of this package -- an unsuspecting application will still +stomp all over us. + +The selabel APIs for looking up the context should be thread-safe (per +Red Hat #273081), so switching to using them instead of matchpathcon(), +which we used earlier, is some improvement. 
+ +Last-updated: krb5-1.18-beta1 +--- + src/aclocal.m4 | 49 +++ + src/build-tools/krb5-config.in | 3 +- + src/config/pre.in | 3 +- + src/configure.ac | 2 + + src/include/k5-int.h | 1 + + src/include/k5-label.h | 32 ++ + src/include/krb5/krb5.hin | 6 + + src/kadmin/dbutil/dump.c | 11 +- + src/kdc/main.c | 2 +- + src/kprop/kpropd.c | 9 + + src/lib/kadm5/logger.c | 4 +- + src/lib/kdb/kdb_log.c | 2 +- + src/lib/krb5/ccache/cc_dir.c | 26 +- + src/lib/krb5/keytab/kt_file.c | 4 +- + src/lib/krb5/os/trace.c | 2 +- + src/plugins/kdb/db2/adb_openclose.c | 2 +- + src/plugins/kdb/db2/kdb_db2.c | 4 +- + src/plugins/kdb/db2/libdb2/btree/bt_open.c | 3 +- + src/plugins/kdb/db2/libdb2/hash/hash.c | 3 +- + src/plugins/kdb/db2/libdb2/recno/rec_open.c | 4 +- + .../kdb/ldap/ldap_util/kdb5_ldap_services.c | 11 +- + src/util/profile/prof_file.c | 3 +- + src/util/support/Makefile.in | 3 +- + src/util/support/selinux.c | 406 ++++++++++++++++++ + 24 files changed, 574 insertions(+), 21 deletions(-) + create mode 100644 src/include/k5-label.h + create mode 100644 src/util/support/selinux.c + +diff --git a/src/aclocal.m4 b/src/aclocal.m4 +index 53f8b6fb7..b0d1a5337 100644 +--- a/src/aclocal.m4 ++++ b/src/aclocal.m4 +@@ -89,6 +89,7 @@ AC_SUBST_FILE(libnodeps_frag) + dnl + KRB5_AC_PRAGMA_WEAK_REF + WITH_LDAP ++KRB5_WITH_SELINUX + KRB5_LIB_PARAMS + KRB5_AC_INITFINI + KRB5_AC_ENABLE_THREADS +@@ -1743,3 +1744,51 @@ AC_SUBST(PAM_LIBS) + AC_SUBST(PAM_MAN) + AC_SUBST(NON_PAM_MAN) + ])dnl ++dnl ++dnl Use libselinux to set file contexts on newly-created files. 
++dnl ++AC_DEFUN(KRB5_WITH_SELINUX,[ ++AC_ARG_WITH(selinux,[AC_HELP_STRING(--with-selinux,[compile with SELinux labeling support])], ++ withselinux="$withval",withselinux=auto) ++old_LIBS="$LIBS" ++if test "$withselinux" != no ; then ++ AC_MSG_RESULT([checking for libselinux...]) ++ SELINUX_LIBS= ++ AC_CHECK_HEADERS(selinux/selinux.h selinux/label.h) ++ if test "x$ac_cv_header_selinux_selinux_h" != xyes ; then ++ if test "$withselinux" = auto ; then ++ AC_MSG_RESULT([Unable to locate selinux/selinux.h.]) ++ withselinux=no ++ else ++ AC_MSG_ERROR([Unable to locate selinux/selinux.h.]) ++ fi ++ fi ++ ++ LIBS= ++ unset ac_cv_func_setfscreatecon ++ AC_CHECK_FUNCS(setfscreatecon selabel_open) ++ if test "x$ac_cv_func_setfscreatecon" = xno ; then ++ AC_CHECK_LIB(selinux,setfscreatecon) ++ unset ac_cv_func_setfscreatecon ++ AC_CHECK_FUNCS(setfscreatecon selabel_open) ++ if test "x$ac_cv_func_setfscreatecon" = xyes ; then ++ SELINUX_LIBS="$LIBS" ++ else ++ if test "$withselinux" = auto ; then ++ AC_MSG_RESULT([Unable to locate libselinux.]) ++ withselinux=no ++ else ++ AC_MSG_ERROR([Unable to locate libselinux.]) ++ fi ++ fi ++ fi ++ if test "$withselinux" != no ; then ++ AC_MSG_NOTICE([building with SELinux labeling support]) ++ AC_DEFINE(USE_SELINUX,1,[Define if Kerberos-aware tools should set SELinux file contexts when creating files.]) ++ SELINUX_LIBS="$LIBS" ++ EXTRA_SUPPORT_SYMS="$EXTRA_SUPPORT_SYMS krb5int_labeled_open krb5int_labeled_fopen krb5int_push_fscreatecon_for krb5int_pop_fscreatecon" ++ fi ++fi ++LIBS="$old_LIBS" ++AC_SUBST(SELINUX_LIBS) ++])dnl +diff --git a/src/build-tools/krb5-config.in b/src/build-tools/krb5-config.in +index 0edf6a1a5..1891dea99 100755 +--- a/src/build-tools/krb5-config.in ++++ b/src/build-tools/krb5-config.in +@@ -41,6 +41,7 @@ DL_LIB='@DL_LIB@' + DEFCCNAME='@DEFCCNAME@' + DEFKTNAME='@DEFKTNAME@' + DEFCKTNAME='@DEFCKTNAME@' ++SELINUX_LIBS='@SELINUX_LIBS@' + + LIBS='@LIBS@' + GEN_LIB=@GEN_LIB@ +@@ -262,7 +263,7 @@ if test -n 
"$do_libs"; then + fi + + # If we ever support a flag to generate output suitable for static +- # linking, we would output "-lkrb5support $GEN_LIB $LIBS $DL_LIB" ++ # linking, we would output "-lkrb5support $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB" + # here. + + echo $lib_flags +diff --git a/src/config/pre.in b/src/config/pre.in +index 164bf8301..a8540ae2a 100644 +--- a/src/config/pre.in ++++ b/src/config/pre.in +@@ -177,6 +177,7 @@ LD = $(PURE) @LD@ + KRB_INCLUDES = -I$(BUILDTOP)/include -I$(top_srcdir)/include + LDFLAGS = @LDFLAGS@ + LIBS = @LIBS@ ++SELINUX_LIBS=@SELINUX_LIBS@ + + INSTALL=@INSTALL@ + INSTALL_STRIP= +@@ -402,7 +403,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME) + # HESIOD_LIBS is -lhesiod... + HESIOD_LIBS = @HESIOD_LIBS@ + +-KRB5_BASE_LIBS = $(KRB5_LIB) $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) $(GEN_LIB) $(LIBS) $(DL_LIB) ++KRB5_BASE_LIBS = $(KRB5_LIB) $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) $(GEN_LIB) $(LIBS) $(SELINUX_LIBS) $(DL_LIB) + KDB5_LIBS = $(KDB5_LIB) $(GSSRPC_LIBS) + GSS_LIBS = $(GSS_KRB5_LIB) + # needs fixing if ever used on macOS! +diff --git a/src/configure.ac b/src/configure.ac +index d1f576124..440a22bd9 100644 +--- a/src/configure.ac ++++ b/src/configure.ac +@@ -1392,6 +1392,8 @@ AC_PATH_PROG(GROFF, groff) + + KRB5_WITH_PAM + ++KRB5_WITH_SELINUX ++ + # Make localedir work in autoconf 2.5x. 
+ if test "${localedir+set}" != set; then + localedir='$(datadir)/locale' +diff --git a/src/include/k5-int.h b/src/include/k5-int.h +index 9616b24bf..0d9af3d95 100644 +--- a/src/include/k5-int.h ++++ b/src/include/k5-int.h +@@ -128,6 +128,7 @@ typedef unsigned char u_char; + + + #include "k5-platform.h" ++#include "k5-label.h" + + #define KRB5_KDB_MAX_LIFE (60*60*24) /* one day */ + #define KRB5_KDB_MAX_RLIFE (60*60*24*7) /* one week */ +diff --git a/src/include/k5-label.h b/src/include/k5-label.h +new file mode 100644 +index 000000000..dfaaa847c +--- /dev/null ++++ b/src/include/k5-label.h +@@ -0,0 +1,32 @@ ++#ifndef _KRB5_LABEL_H ++#define _KRB5_LABEL_H ++ ++#ifdef THREEPARAMOPEN ++#undef THREEPARAMOPEN ++#endif ++#ifdef WRITABLEFOPEN ++#undef WRITABLEFOPEN ++#endif ++ ++/* Wrapper functions which help us create files and directories with the right ++ * context labels. */ ++#ifdef USE_SELINUX ++#include ++#include ++#include ++#include ++#include ++FILE *krb5int_labeled_fopen(const char *path, const char *mode); ++int krb5int_labeled_creat(const char *path, mode_t mode); ++int krb5int_labeled_open(const char *path, int flags, ...); ++int krb5int_labeled_mkdir(const char *path, mode_t mode); ++int krb5int_labeled_mknod(const char *path, mode_t mode, dev_t device); ++#define THREEPARAMOPEN(x,y,z) krb5int_labeled_open(x,y,z) ++#define WRITABLEFOPEN(x,y) krb5int_labeled_fopen(x,y) ++void *krb5int_push_fscreatecon_for(const char *pathname); ++void krb5int_pop_fscreatecon(void *previous); ++#else ++#define WRITABLEFOPEN(x,y) fopen(x,y) ++#define THREEPARAMOPEN(x,y,z) open(x,y,z) ++#endif ++#endif +diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin +index d48685357..d1f5661bf 100644 +--- a/src/include/krb5/krb5.hin ++++ b/src/include/krb5/krb5.hin +@@ -87,6 +87,12 @@ + #define THREEPARAMOPEN(x,y,z) open(x,y,z) + #endif + ++#if KRB5_PRIVATE ++#ifndef WRITABLEFOPEN ++#define WRITABLEFOPEN(x,y) fopen(x,y) ++#endif ++#endif ++ + #define KRB5_OLD_CRYPTO + + 
#include +diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c +index 301e3476d..19f2cc230 100644 +--- a/src/kadmin/dbutil/dump.c ++++ b/src/kadmin/dbutil/dump.c +@@ -148,12 +148,21 @@ create_ofile(char *ofile, char **tmpname) + { + int fd = -1; + FILE *f; ++#ifdef USE_SELINUX ++ void *selabel; ++#endif + + *tmpname = NULL; + if (asprintf(tmpname, "%s-XXXXXX", ofile) < 0) + goto error; + ++#ifdef USE_SELINUX ++ selabel = krb5int_push_fscreatecon_for(ofile); ++#endif + fd = mkstemp(*tmpname); ++#ifdef USE_SELINUX ++ krb5int_pop_fscreatecon(selabel); ++#endif + if (fd == -1) + goto error; + +@@ -197,7 +206,7 @@ prep_ok_file(krb5_context context, char *file_name, int *fd_out) + goto cleanup; + } + +- fd = open(file_ok, O_WRONLY | O_CREAT | O_TRUNC, 0600); ++ fd = THREEPARAMOPEN(file_ok, O_WRONLY | O_CREAT | O_TRUNC, 0600); + if (fd == -1) { + com_err(progname, errno, _("while creating 'ok' file, '%s'"), file_ok); + goto cleanup; +diff --git a/src/kdc/main.c b/src/kdc/main.c +index fdcd694d7..1ede4bf2f 100644 +--- a/src/kdc/main.c ++++ b/src/kdc/main.c +@@ -872,7 +872,7 @@ write_pid_file(const char *path) + FILE *file; + unsigned long pid; + +- file = fopen(path, "w"); ++ file = WRITABLEFOPEN(path, "w"); + if (file == NULL) + return errno; + pid = (unsigned long) getpid(); +diff --git a/src/kprop/kpropd.c b/src/kprop/kpropd.c +index 5622d56e1..356e3e0e6 100644 +--- a/src/kprop/kpropd.c ++++ b/src/kprop/kpropd.c +@@ -487,6 +487,9 @@ doit(int fd) + krb5_enctype etype; + int database_fd; + char host[INET6_ADDRSTRLEN + 1]; ++#ifdef USE_SELINUX ++ void *selabel; ++#endif + + signal_wrapper(SIGALRM, alarm_handler); + alarm(params.iprop_resync_timeout); +@@ -542,9 +545,15 @@ doit(int fd) + free(name); + exit(1); + } ++#ifdef USE_SELINUX ++ selabel = krb5int_push_fscreatecon_for(file); ++#endif + omask = umask(077); + lock_fd = open(temp_file_name, O_RDWR | O_CREAT, 0600); + (void)umask(omask); ++#ifdef USE_SELINUX ++ krb5int_pop_fscreatecon(selabel); ++#endif + 
retval = krb5_lock_file(kpropd_context, lock_fd, + KRB5_LOCKMODE_EXCLUSIVE | KRB5_LOCKMODE_DONTBLOCK); + if (retval) { +diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c +index c6885edf2..9aec3c05e 100644 +--- a/src/lib/kadm5/logger.c ++++ b/src/lib/kadm5/logger.c +@@ -309,7 +309,7 @@ krb5_klog_init(krb5_context kcontext, char *ename, char *whoami, krb5_boolean do + */ + append = (cp[4] == ':') ? O_APPEND : 0; + if (append || cp[4] == '=') { +- fd = open(&cp[5], O_CREAT | O_WRONLY | append, ++ fd = THREEPARAMOPEN(&cp[5], O_CREAT | O_WRONLY | append, + S_IRUSR | S_IWUSR | S_IRGRP); + if (fd != -1) + f = fdopen(fd, append ? "a" : "w"); +@@ -776,7 +776,7 @@ krb5_klog_reopen(krb5_context kcontext) + * In case the old logfile did not get moved out of the + * way, open for append to prevent squashing the old logs. + */ +- f = fopen(log_control.log_entries[lindex].lfu_fname, "a+"); ++ f = WRITABLEFOPEN(log_control.log_entries[lindex].lfu_fname, "a+"); + if (f) { + set_cloexec_file(f); + log_control.log_entries[lindex].lfu_filep = f; +diff --git a/src/lib/kdb/kdb_log.c b/src/lib/kdb/kdb_log.c +index 2659a2501..e9b95fce5 100644 +--- a/src/lib/kdb/kdb_log.c ++++ b/src/lib/kdb/kdb_log.c +@@ -480,7 +480,7 @@ ulog_map(krb5_context context, const char *logname, uint32_t ulogentries) + return ENOMEM; + + if (stat(logname, &st) == -1) { +- log_ctx->ulogfd = open(logname, O_RDWR | O_CREAT, 0600); ++ log_ctx->ulogfd = THREEPARAMOPEN(logname, O_RDWR | O_CREAT, 0600); + if (log_ctx->ulogfd == -1) { + retval = errno; + goto cleanup; +diff --git a/src/lib/krb5/ccache/cc_dir.c b/src/lib/krb5/ccache/cc_dir.c +index 7b100a0ec..5683a0433 100644 +--- a/src/lib/krb5/ccache/cc_dir.c ++++ b/src/lib/krb5/ccache/cc_dir.c +@@ -183,10 +183,19 @@ write_primary_file(const char *primary_path, const char *contents) + char *newpath = NULL; + FILE *fp = NULL; + int fd = -1, status; ++#ifdef USE_SELINUX ++ void *selabel; ++#endif + + if (asprintf(&newpath, "%s.XXXXXX", primary_path) < 0) + 
return ENOMEM; ++#ifdef USE_SELINUX ++ selabel = krb5int_push_fscreatecon_for(primary_path); ++#endif + fd = mkstemp(newpath); ++#ifdef USE_SELINUX ++ krb5int_pop_fscreatecon(selabel); ++#endif + if (fd < 0) + goto cleanup; + #ifdef HAVE_CHMOD +@@ -221,10 +230,23 @@ static krb5_error_code + verify_dir(krb5_context context, const char *dirname) + { + struct stat st; ++ int status; ++#ifdef USE_SELINUX ++ void *selabel; ++#endif + + if (stat(dirname, &st) < 0) { +- if (errno == ENOENT && mkdir(dirname, S_IRWXU) == 0) +- return 0; ++ if (errno == ENOENT) { ++#ifdef USE_SELINUX ++ selabel = krb5int_push_fscreatecon_for(dirname); ++#endif ++ status = mkdir(dirname, S_IRWXU); ++#ifdef USE_SELINUX ++ krb5int_pop_fscreatecon(selabel); ++#endif ++ if (status == 0) ++ return 0; ++ } + k5_setmsg(context, KRB5_FCC_NOFILE, + _("Credential cache directory %s does not exist"), + dirname); +diff --git a/src/lib/krb5/keytab/kt_file.c b/src/lib/krb5/keytab/kt_file.c +index 021c94398..aaf573439 100644 +--- a/src/lib/krb5/keytab/kt_file.c ++++ b/src/lib/krb5/keytab/kt_file.c +@@ -735,14 +735,14 @@ krb5_ktfileint_open(krb5_context context, krb5_keytab id, int mode) + + KTCHECKLOCK(id); + errno = 0; +- KTFILEP(id) = fopen(KTFILENAME(id), ++ KTFILEP(id) = WRITABLEFOPEN(KTFILENAME(id), + (mode == KRB5_LOCKMODE_EXCLUSIVE) ? 
"rb+" : "rb"); + if (!KTFILEP(id)) { + if ((mode == KRB5_LOCKMODE_EXCLUSIVE) && (errno == ENOENT)) { + /* try making it first time around */ + k5_create_secure_file(context, KTFILENAME(id)); + errno = 0; +- KTFILEP(id) = fopen(KTFILENAME(id), "rb+"); ++ KTFILEP(id) = WRITABLEFOPEN(KTFILENAME(id), "rb+"); + if (!KTFILEP(id)) + goto report_errno; + writevno = 1; +diff --git a/src/lib/krb5/os/trace.c b/src/lib/krb5/os/trace.c +index 2a03ae980..85dbfeb47 100644 +--- a/src/lib/krb5/os/trace.c ++++ b/src/lib/krb5/os/trace.c +@@ -458,7 +458,7 @@ krb5_set_trace_filename(krb5_context context, const char *filename) + fd = malloc(sizeof(*fd)); + if (fd == NULL) + return ENOMEM; +- *fd = open(filename, O_WRONLY|O_CREAT|O_APPEND, 0600); ++ *fd = THREEPARAMOPEN(filename, O_WRONLY|O_CREAT|O_APPEND, 0600); + if (*fd == -1) { + free(fd); + return errno; +diff --git a/src/plugins/kdb/db2/adb_openclose.c b/src/plugins/kdb/db2/adb_openclose.c +index 7db30a33b..2b9d01921 100644 +--- a/src/plugins/kdb/db2/adb_openclose.c ++++ b/src/plugins/kdb/db2/adb_openclose.c +@@ -152,7 +152,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char *filename, char *lockfilename, + * needs be open read/write so that write locking can work with + * POSIX systems + */ +- if ((lockp->lockinfo.lockfile = fopen(lockfilename, "r+")) == NULL) { ++ if ((lockp->lockinfo.lockfile = WRITABLEFOPEN(lockfilename, "r+")) == NULL) { + /* + * maybe someone took away write permission so we could only + * get shared locks? 
+diff --git a/src/plugins/kdb/db2/kdb_db2.c b/src/plugins/kdb/db2/kdb_db2.c +index 5106a5c99..e481e8121 100644 +--- a/src/plugins/kdb/db2/kdb_db2.c ++++ b/src/plugins/kdb/db2/kdb_db2.c +@@ -694,8 +694,8 @@ ctx_create_db(krb5_context context, krb5_db2_context *dbc) + if (retval) + return retval; + +- dbc->db_lf_file = open(dbc->db_lf_name, O_CREAT | O_RDWR | O_TRUNC, +- 0600); ++ dbc->db_lf_file = THREEPARAMOPEN(dbc->db_lf_name, ++ O_CREAT | O_RDWR | O_TRUNC, 0600); + if (dbc->db_lf_file < 0) { + retval = errno; + goto cleanup; +diff --git a/src/plugins/kdb/db2/libdb2/btree/bt_open.c b/src/plugins/kdb/db2/libdb2/btree/bt_open.c +index 2977b17f3..d5809a5a9 100644 +--- a/src/plugins/kdb/db2/libdb2/btree/bt_open.c ++++ b/src/plugins/kdb/db2/libdb2/btree/bt_open.c +@@ -60,6 +60,7 @@ static char sccsid[] = "@(#)bt_open.c 8.11 (Berkeley) 11/2/95"; + #include + #include + ++#include "k5-int.h" + #include "db-int.h" + #include "btree.h" + +@@ -203,7 +204,7 @@ __bt_open(fname, flags, mode, openinfo, dflags) + goto einval; + } + +- if ((t->bt_fd = open(fname, flags | O_BINARY, mode)) < 0) ++ if ((t->bt_fd = THREEPARAMOPEN(fname, flags | O_BINARY, mode)) < 0) + goto err; + + } else { +diff --git a/src/plugins/kdb/db2/libdb2/hash/hash.c b/src/plugins/kdb/db2/libdb2/hash/hash.c +index 862dbb164..686a960c9 100644 +--- a/src/plugins/kdb/db2/libdb2/hash/hash.c ++++ b/src/plugins/kdb/db2/libdb2/hash/hash.c +@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)hash.c 8.12 (Berkeley) 11/7/95"; + #include + #endif + ++#include "k5-int.h" + #include "db-int.h" + #include "hash.h" + #include "page.h" +@@ -129,7 +130,7 @@ __kdb2_hash_open(file, flags, mode, info, dflags) + new_table = 1; + } + if (file) { +- if ((hashp->fp = open(file, flags|O_BINARY, mode)) == -1) ++ if ((hashp->fp = THREEPARAMOPEN(file, flags|O_BINARY, mode)) == -1) + RETURN_ERROR(errno, error0); + (void)fcntl(hashp->fp, F_SETFD, 1); + } +diff --git a/src/plugins/kdb/db2/libdb2/recno/rec_open.c 
b/src/plugins/kdb/db2/libdb2/recno/rec_open.c +index d8b26e701..b0daa7c02 100644 +--- a/src/plugins/kdb/db2/libdb2/recno/rec_open.c ++++ b/src/plugins/kdb/db2/libdb2/recno/rec_open.c +@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)rec_open.c 8.12 (Berkeley) 11/18/94"; + #include + #include + ++#include "k5-int.h" + #include "db-int.h" + #include "recno.h" + +@@ -68,7 +69,8 @@ __rec_open(fname, flags, mode, openinfo, dflags) + int rfd = -1, sverrno; + + /* Open the user's file -- if this fails, we're done. */ +- if (fname != NULL && (rfd = open(fname, flags | O_BINARY, mode)) < 0) ++ if (fname != NULL && ++ (rfd = THREEPARAMOPEN(fname, flags | O_BINARY, mode)) < 0) + return (NULL); + + if (fname != NULL && fcntl(rfd, F_SETFD, 1) == -1) { +diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c +index b92cb58c7..0a95101ad 100644 +--- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c ++++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c +@@ -190,7 +190,7 @@ kdb5_ldap_stash_service_password(int argc, char **argv) + + /* set password in the file */ + old_mode = umask(0177); +- pfile = fopen(file_name, "a+"); ++ pfile = WRITABLEFOPEN(file_name, "a+"); + if (pfile == NULL) { + com_err(me, errno, _("Failed to open file %s: %s"), file_name, + strerror (errno)); +@@ -231,6 +231,9 @@ kdb5_ldap_stash_service_password(int argc, char **argv) + * Delete the existing entry and add the new entry + */ + FILE *newfile; ++#ifdef USE_SELINUX ++ void *selabel; ++#endif + + mode_t omask; + +@@ -242,7 +245,13 @@ kdb5_ldap_stash_service_password(int argc, char **argv) + } + + omask = umask(077); ++#ifdef USE_SELINUX ++ selabel = krb5int_push_fscreatecon_for(file_name); ++#endif + newfile = fopen(tmp_file, "w"); ++#ifdef USE_SELINUX ++ krb5int_pop_fscreatecon(selabel); ++#endif + umask (omask); + if (newfile == NULL) { + com_err(me, errno, _("Error creating file %s"), tmp_file); +diff --git a/src/util/profile/prof_file.c 
b/src/util/profile/prof_file.c +index aa951df05..79f9500f6 100644 +--- a/src/util/profile/prof_file.c ++++ b/src/util/profile/prof_file.c +@@ -33,6 +33,7 @@ + #endif + + #include "k5-platform.h" ++#include "k5-label.h" + + struct global_shared_profile_data { + /* This is the head of the global list of shared trees */ +@@ -391,7 +392,7 @@ static errcode_t write_data_to_file(prf_data_t data, const char *outfile, + + errno = 0; + +- f = fopen(new_file, "w"); ++ f = WRITABLEFOPEN(new_file, "w"); + if (!f) { + retval = errno; + if (retval == 0) +diff --git a/src/util/support/Makefile.in b/src/util/support/Makefile.in +index 86d5a950a..1052d53a1 100644 +--- a/src/util/support/Makefile.in ++++ b/src/util/support/Makefile.in +@@ -74,6 +74,7 @@ IPC_SYMS= \ + + STLIBOBJS= \ + threads.o \ ++ selinux.o \ + init-addrinfo.o \ + plugins.o \ + errors.o \ +@@ -168,7 +169,7 @@ SRCS=\ + + SHLIB_EXPDEPS = + # Add -lm if dumping thread stats, for sqrt. +-SHLIB_EXPLIBS= $(LIBS) $(DL_LIB) ++SHLIB_EXPLIBS= $(LIBS) $(SELINUX_LIBS) $(DL_LIB) + + DEPLIBS= + +diff --git a/src/util/support/selinux.c b/src/util/support/selinux.c +new file mode 100644 +index 000000000..6d41f3244 +--- /dev/null ++++ b/src/util/support/selinux.c +@@ -0,0 +1,406 @@ ++/* ++ * Copyright 2007,2008,2009,2011,2012,2013,2016 Red Hat, Inc. All Rights Reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions are met: ++ * ++ * Redistributions of source code must retain the above copyright notice, this ++ * list of conditions and the following disclaimer. ++ * ++ * Redistributions in binary form must reproduce the above copyright notice, ++ * this list of conditions and the following disclaimer in the documentation ++ * and/or other materials provided with the distribution. ++ * ++ * Neither the name of Red Hat, Inc. 
nor the names of its contributors may be ++ * used to endorse or promote products derived from this software without ++ * specific prior written permission. ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" ++ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ++ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE ++ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR ++ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF ++ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS ++ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN ++ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE ++ * POSSIBILITY OF SUCH DAMAGE. ++ * ++ * File-opening wrappers for creating correctly-labeled files. So far, we can ++ * assume that this is Linux-specific, so we make many simplifying assumptions. ++ */ ++ ++#include "../../include/autoconf.h" ++ ++#ifdef USE_SELINUX ++ ++#include ++#include ++ ++#include ++#include ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include ++#include ++#include ++ ++/* #define DEBUG 1 */ ++static void ++debug_log(const char *fmt, ...) ++{ ++#ifdef DEBUG ++ va_list ap; ++ va_start(ap, fmt); ++ if (isatty(fileno(stderr))) { ++ vfprintf(stderr, fmt, ap); ++ } ++ va_end(ap); ++#endif ++ ++ return; ++} ++ ++/* Mutex used to serialize use of the process-global file creation context. */ ++k5_mutex_t labeled_mutex = K5_MUTEX_PARTIAL_INITIALIZER; ++ ++/* Make sure we finish initializing that mutex before attempting to use it. 
*/ ++k5_once_t labeled_once = K5_ONCE_INIT; ++static void ++label_mutex_init(void) ++{ ++ k5_mutex_finish_init(&labeled_mutex); ++} ++ ++static struct selabel_handle *selabel_ctx; ++static time_t selabel_last_changed; ++ ++MAKE_FINI_FUNCTION(cleanup_fscreatecon); ++ ++static void ++cleanup_fscreatecon(void) ++{ ++ if (selabel_ctx != NULL) { ++ selabel_close(selabel_ctx); ++ selabel_ctx = NULL; ++ } ++} ++ ++static security_context_t ++push_fscreatecon(const char *pathname, mode_t mode) ++{ ++ security_context_t previous, configuredsc, currentsc, derivedsc; ++ context_t current, derived; ++ const char *fullpath, *currentuser; ++ char *genpath; ++ ++ previous = configuredsc = currentsc = derivedsc = NULL; ++ current = derived = NULL; ++ genpath = NULL; ++ ++ fullpath = pathname; ++ ++ if (!is_selinux_enabled()) { ++ goto fail; ++ } ++ ++ if (getfscreatecon(&previous) != 0) { ++ goto fail; ++ } ++ ++ /* Canonicalize pathname */ ++ if (pathname[0] != '/') { ++ char *wd; ++ size_t len; ++ len = 0; ++ ++ wd = getcwd(NULL, len); ++ if (wd == NULL) { ++ goto fail; ++ } ++ ++ len = strlen(wd) + 1 + strlen(pathname) + 1; ++ genpath = malloc(len); ++ if (genpath == NULL) { ++ free(wd); ++ goto fail; ++ } ++ ++ sprintf(genpath, "%s/%s", wd, pathname); ++ free(wd); ++ fullpath = genpath; ++ } ++ ++ debug_log("Looking up context for \"%s\"(%05o).\n", fullpath, mode); ++ ++ /* Check whether context file has changed under us */ ++ if (selabel_ctx != NULL || selabel_last_changed == 0) { ++ const char *cpath; ++ struct stat st; ++ int i = -1; ++ ++ cpath = selinux_file_context_path(); ++ if (cpath == NULL || (i = stat(cpath, &st)) != 0 || ++ st.st_mtime != selabel_last_changed) { ++ cleanup_fscreatecon(); ++ ++ selabel_last_changed = i ? 
time(NULL) : st.st_mtime; ++ } ++ } ++ ++ if (selabel_ctx == NULL) { ++ selabel_ctx = selabel_open(SELABEL_CTX_FILE, NULL, 0); ++ } ++ ++ if (selabel_ctx != NULL && ++ selabel_lookup(selabel_ctx, &configuredsc, fullpath, mode) != 0) { ++ goto fail; ++ } ++ ++ if (genpath != NULL) { ++ free(genpath); ++ genpath = NULL; ++ } ++ ++ if (configuredsc == NULL) { ++ goto fail; ++ } ++ ++ getcon(¤tsc); ++ ++ /* AAAAAAAA */ ++ if (currentsc != NULL) { ++ derived = context_new(configuredsc); ++ ++ if (derived != NULL) { ++ current = context_new(currentsc); ++ ++ if (current != NULL) { ++ currentuser = context_user_get(current); ++ ++ if (currentuser != NULL) { ++ if (context_user_set(derived, ++ currentuser) == 0) { ++ derivedsc = context_str(derived); ++ ++ if (derivedsc != NULL) { ++ freecon(configuredsc); ++ configuredsc = strdup(derivedsc); ++ } ++ } ++ } ++ ++ context_free(current); ++ } ++ ++ context_free(derived); ++ } ++ ++ freecon(currentsc); ++ } ++ ++ debug_log("Setting file creation context to \"%s\".\n", configuredsc); ++ if (setfscreatecon(configuredsc) != 0) { ++ debug_log("Unable to determine current context.\n"); ++ goto fail; ++ } ++ ++ freecon(configuredsc); ++ return previous; ++ ++fail: ++ if (previous != NULL) { ++ freecon(previous); ++ } ++ if (genpath != NULL) { ++ free(genpath); ++ } ++ if (configuredsc != NULL) { ++ freecon(configuredsc); ++ } ++ ++ cleanup_fscreatecon(); ++ return NULL; ++} ++ ++static void ++pop_fscreatecon(security_context_t previous) ++{ ++ if (!is_selinux_enabled()) { ++ return; ++ } ++ ++ if (previous != NULL) { ++ debug_log("Resetting file creation context to \"%s\".\n", previous); ++ } else { ++ debug_log("Resetting file creation context to default.\n"); ++ } ++ ++ /* NULL resets to default */ ++ setfscreatecon(previous); ++ ++ if (previous != NULL) { ++ freecon(previous); ++ } ++ ++ /* Need to clean this up here otherwise it leaks */ ++ cleanup_fscreatecon(); ++} ++ ++void * ++krb5int_push_fscreatecon_for(const char 
*pathname) ++{ ++ struct stat st; ++ void *retval; ++ ++ k5_once(&labeled_once, label_mutex_init); ++ k5_mutex_lock(&labeled_mutex); ++ ++ if (stat(pathname, &st) != 0) { ++ st.st_mode = S_IRUSR | S_IWUSR; ++ } ++ ++ retval = push_fscreatecon(pathname, st.st_mode); ++ return retval ? retval : (void *) -1; ++} ++ ++void ++krb5int_pop_fscreatecon(void *con) ++{ ++ if (con != NULL) { ++ pop_fscreatecon((con == (void *) -1) ? NULL : con); ++ k5_mutex_unlock(&labeled_mutex); ++ } ++} ++ ++FILE * ++krb5int_labeled_fopen(const char *path, const char *mode) ++{ ++ FILE *fp; ++ int errno_save; ++ security_context_t ctx; ++ ++ if ((strcmp(mode, "r") == 0) || ++ (strcmp(mode, "rb") == 0)) { ++ return fopen(path, mode); ++ } ++ ++ k5_once(&labeled_once, label_mutex_init); ++ k5_mutex_lock(&labeled_mutex); ++ ctx = push_fscreatecon(path, 0); ++ ++ fp = fopen(path, mode); ++ errno_save = errno; ++ ++ pop_fscreatecon(ctx); ++ k5_mutex_unlock(&labeled_mutex); ++ ++ errno = errno_save; ++ return fp; ++} ++ ++int ++krb5int_labeled_creat(const char *path, mode_t mode) ++{ ++ int fd; ++ int errno_save; ++ security_context_t ctx; ++ ++ k5_once(&labeled_once, label_mutex_init); ++ k5_mutex_lock(&labeled_mutex); ++ ctx = push_fscreatecon(path, 0); ++ ++ fd = creat(path, mode); ++ errno_save = errno; ++ ++ pop_fscreatecon(ctx); ++ k5_mutex_unlock(&labeled_mutex); ++ ++ errno = errno_save; ++ return fd; ++} ++ ++int ++krb5int_labeled_mknod(const char *path, mode_t mode, dev_t dev) ++{ ++ int ret; ++ int errno_save; ++ security_context_t ctx; ++ ++ k5_once(&labeled_once, label_mutex_init); ++ k5_mutex_lock(&labeled_mutex); ++ ctx = push_fscreatecon(path, mode); ++ ++ ret = mknod(path, mode, dev); ++ errno_save = errno; ++ ++ pop_fscreatecon(ctx); ++ k5_mutex_unlock(&labeled_mutex); ++ ++ errno = errno_save; ++ return ret; ++} ++ ++int ++krb5int_labeled_mkdir(const char *path, mode_t mode) ++{ ++ int ret; ++ int errno_save; ++ security_context_t ctx; ++ ++ k5_once(&labeled_once, 
label_mutex_init); ++ k5_mutex_lock(&labeled_mutex); ++ ctx = push_fscreatecon(path, S_IFDIR); ++ ++ ret = mkdir(path, mode); ++ errno_save = errno; ++ ++ pop_fscreatecon(ctx); ++ k5_mutex_unlock(&labeled_mutex); ++ ++ errno = errno_save; ++ return ret; ++} ++ ++int ++krb5int_labeled_open(const char *path, int flags, ...) ++{ ++ int fd; ++ int errno_save; ++ security_context_t ctx; ++ mode_t mode; ++ va_list ap; ++ ++ if ((flags & O_CREAT) == 0) { ++ return open(path, flags); ++ } ++ ++ k5_once(&labeled_once, label_mutex_init); ++ k5_mutex_lock(&labeled_mutex); ++ ctx = push_fscreatecon(path, 0); ++ ++ va_start(ap, flags); ++ mode = va_arg(ap, mode_t); ++ fd = open(path, flags, mode); ++ va_end(ap); ++ ++ errno_save = errno; ++ ++ pop_fscreatecon(ctx); ++ k5_mutex_unlock(&labeled_mutex); ++ ++ errno = errno_save; ++ return fd; ++} ++ ++#endif /* USE_SELINUX */ +-- +2.25.0 + diff --git a/0008-krb5-1.9-debuginfo.patch b/0008-krb5-1.9-debuginfo.patch new file mode 100644 index 0000000..5ac0c4d --- /dev/null +++ b/0008-krb5-1.9-debuginfo.patch 
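Review bot: On push_fscreatecon's `fail:` path the saved `previous` context is freed and NULL is returned, so the matching pop_fscreatecon call ends with `setfscreatecon(NULL)` and resets the process file creation context to the default even though push never changed it (e.g. when selabel_lookup yields no entry and `configuredsc` stays NULL, or when selabel_open fails); an application that had set its own creation context silently loses it, which is the kind of interference the commit message says it wants to limit. Returning `previous` unchanged from every failure that happens after getfscreatecon() succeeded, and letting pop restore it, would keep the wrappers transparent, and the `(void *) -1` sentinel in krb5int_push_fscreatecon_for/krb5int_pop_fscreatecon would then only stand for a genuinely NULL previous context. The `/* AAAAAAAA */` placeholder above the context_new() block should say what the block does, e.g. `/* Copy the configured context and replace its user component with the user of the current process context before applying it. */`. The debug message after a failed setfscreatecon() reads `Unable to determine current context.` although it is the set, not the get, that failed.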
@@ -0,0 +1,42 @@
+From 24f176ead80418642bc9a6898f122c03dfb223d1 Mon Sep 17 00:00:00 2001
+From: Samuel Cabrero
+Date: Mon, 14 Jan 2019 13:18:16 +0100
+Subject: [PATCH 9/9] Import krb5-1.9-debuginfo.patch
+
+We want to keep these y.tab.c files around because the debuginfo points to
+them. It would be more elegant at the end to use symbolic links, but that
+could mess up people working in the tree on other things.
+---
+ src/kadmin/cli/Makefile.in | 5 +++++
+ src/plugins/kdb/ldap/ldap_util/Makefile.in | 2 +-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/kadmin/cli/Makefile.in b/src/kadmin/cli/Makefile.in
+index adfea6e2b..d1327e400 100644
+--- a/src/kadmin/cli/Makefile.in
++++ b/src/kadmin/cli/Makefile.in
+@@ -37,3 +37,8 @@ clean-unix::
+ # CC_LINK is not meant for compilation and this use may break in the future.
+ datetest: getdate.c
+ $(CC_LINK) $(ALL_CFLAGS) -DTEST -o datetest getdate.c
++
++%.c: %.y
++ $(RM) y.tab.c $@
++ $(YACC.y) $<
++ $(CP) y.tab.c $@
+diff --git a/src/plugins/kdb/ldap/ldap_util/Makefile.in b/src/plugins/kdb/ldap/ldap_util/Makefile.in
+index 8669c2436..a22f23c02 100644
+--- a/src/plugins/kdb/ldap/ldap_util/Makefile.in
++++ b/src/plugins/kdb/ldap/ldap_util/Makefile.in
+@@ -20,7 +20,7 @@ $(PROG): $(OBJS) $(KADMSRV_DEPLIBS) $(KRB5_BASE_DEPLIB) $(GETDATE)
+ getdate.c: $(GETDATE)
+ $(RM) getdate.c y.tab.c
+ $(YACC) $(GETDATE)
+- $(MV) y.tab.c getdate.c
++ $(CP) y.tab.c getdate.c
+
+ install:
+ $(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG)
+--
+2.20.1
+
diff --git a/0009-Ensure-array-count-consistency-in-kadm5-RPC.patch b/0009-Ensure-array-count-consistency-in-kadm5-RPC.patch
new file mode 100644
index 0000000..91a1480
--- /dev/null
+++ b/0009-Ensure-array-count-consistency-in-kadm5-RPC.patch
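Review bot: The new `%.c: %.y` rule in src/kadmin/cli/Makefile.in goes through the fixed intermediate name `y.tab.c`, so if that directory ever holds more than one .y source, two recipes run under `make -j` would race on the same file; the getdate.c rule in ldap_util has the same fixed name, although there it is a single explicit target. `$(YACC.y)` is a GNU make built-in (`$(YACC) $(YFLAGS)`) and `%` pattern rules are a GNU extension, so if these Makefile.in files are still meant to work with other make implementations, spelling the recipe `$(YACC) $(YFLAGS) $<` and using an explicit target as the ldap_util rule does would be safer. Since y.tab.c is now deliberately left behind after the build, the clean rule (outside this hunk) presumably needs to remove it too, or a comment in the rule should say that it is kept on purpose for debuginfo.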
@@ -0,0 +1,67 @@
+From c93242bd934a1e4b6f21aae08fbbbd1984d1c653 Mon Sep 17 00:00:00 2001
+From: Greg Hudson
+Date: Wed, 21 Jun 2023 10:57:39 -0400
+Subject: [PATCH] Ensure array count consistency in kadm5 RPC
+
+In _xdr_kadm5_principal_ent_rec(), ensure that n_key_data matches the
+key_data array count when decoding. Otherwise when the structure is
+later freed, xdr_array() could iterate over the wrong number of
+elements, either leaking some memory or freeing uninitialized
+pointers. Reported by Robert Morris.
+
+CVE-2023-36054:
+
+An authenticated attacker can cause a kadmind process to crash by
+freeing uninitialized pointers. Remote code execution is unlikely.
+An attacker with control of a kadmin server can cause a kadmin client
+to crash by freeing uninitialized pointers.
+
+(cherry picked from commit ef08b09c9459551aabbe7924fb176f1583053cdd)
+
+ticket: 9099
+version_fixed: 1.20.2
+
+(cherry picked from commit c81ffb6c8578a9b55c9d0a10342b5bc1bc6ec4df)
+---
+ src/lib/kadm5/kadm_rpc_xdr.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c
+index 0411c3fd3..287cae750 100644
+--- a/src/lib/kadm5/kadm_rpc_xdr.c
++++ b/src/lib/kadm5/kadm_rpc_xdr.c
+@@ -390,6 +390,7 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
+ int v)
+ {
+ unsigned int n;
++ bool_t r;
+
+ if (!xdr_krb5_principal(xdrs, &objp->principal)) {
+ return (FALSE);
+@@ -443,6 +444,9 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
+ if (!xdr_krb5_int16(xdrs, &objp->n_key_data)) {
+ return (FALSE);
+ }
++ if (xdrs->x_op == XDR_DECODE && objp->n_key_data < 0) {
++ return (FALSE);
++ }
+ if (!xdr_krb5_int16(xdrs, &objp->n_tl_data)) {
+ return (FALSE);
+ }
+@@ -451,9 +455,10 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
+ return FALSE;
+ }
+ n = objp->n_key_data;
+- if (!xdr_array(xdrs, (caddr_t *) &objp->key_data,
+- &n, ~0, sizeof(krb5_key_data),
+- xdr_krb5_key_data_nocontents)) {
++ r = xdr_array(xdrs, (caddr_t *) &objp->key_data, &n, objp->n_key_data,
++ sizeof(krb5_key_data), xdr_krb5_key_data_nocontents);
++ objp->n_key_data = n;
++ if (!r) {
+ return (FALSE);
+ }
+
+--
+2.41.0
+
diff --git a/baselibs.conf b/baselibs.conf
new file mode 100644
index 0000000..1a56ee1
--- /dev/null
+++ b/baselibs.conf
@@ -0,0 +1,4 @@
+krb5
+ obsoletes "heimdal-lib-"
+ provides "heimdal-lib-"
+krb5-devel
diff --git a/krb5-1.20.1.tar.gz.asc b/krb5-1.20.1.tar.gz.asc
new file mode 100644
index 0000000..b928cb8
--- /dev/null
+++ b/krb5-1.20.1.tar.gz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEExEk8tzn0qJ+YUsvCDLoIV1+Dct8FAmNvED8ACgkQDLoIV1+D
+ct9uKw/8C5GS8mdh335lB+bkfjYYCZLD+oQToDAAbdCddrIcuLftvnTfXJ8cMtMc
+UT2hsp8u7ZupjJRevdhaH7fFwomc0V8iSES5J2cQHTNd9aK93j/W6NaMoqWLrQWg
+jx99oqLn7orvp8N5RufEQcNMNWhFIX4XSfrA3vPfHbbffA2vkjJzOGno4UHi8zUn
+6nye7jbrBpiQIeFIJSS3VPsvGrKdRgb9BqGTUsqPIuFvr3Qvo42lKr5X8CWYSXjK
+0aKlOpfbWdkteEe2o84/wyMpuGvmYkmOgaMB5xQ3jfEuvPNAWX2CWHNDamiqwBT/
+YxwhZimNa1B9r3P1yDHvpUu8cJaRzw2UDRi2f3Kztrmn2jlqzmoZ31WBALJA7lmL
+SrVFdXi7AcWwppMp1kbe9SvurCXID8/Q4n+qAdzSvqrXbeWerVUkdYFvtxQ1bMJR
+jnqN11iZFYaoCaaR2lFEhjoMdR80jUa2m6vdF7a7xhH1UvuPHDnzLT9X/TiPvx0R
+Itrp5MMIrUQHcZUL9hM5hrg3nxEsGsSCnjB0zWDmgXdLGwd4CvcOF4HPQR3BBlEH
+CLtAa27bBXMJTYVvmmKt06hw+U3ALDfUlFrV6ZNLr9ug69l29n7JoChAbZ97Hx1m
+twPwJpKd8AiUz+j3KCfgGU21qMbHNP3jEn3q9tkq0qcs/z7RCmU=
+=1WIq
+-----END PGP SIGNATURE-----
diff --git a/krb5-rpmlintrc b/krb5-rpmlintrc
new file mode 100644
index 0000000..85771ce
--- /dev/null
+++ b/krb5-rpmlintrc
@@ -0,0 +1,8 @@
+addFilter("devel-file-in-non-devel-package .*libgssapi_krb5.so")
+addFilter("hidden-file-or-dir .*/usr/share/man/man5/.k5login.5.gz")
+addFilter("hidden-file-or-dir .*/usr/share/man/man5/.k5identity.5.gz")
+addFilter("files-duplicate .*css")
+addFilter("files-duplicate .*img.*png")
+addFilter("devel-file-in-non-devel-package .*libkdb_ldap.so")
+addFilter("shlib-policy-missing-suffix")
+addFilter("non-etc-or-var-file-marked-as-conffile")
diff --git a/krb5.changes b/krb5.changes
new file mode 100644
index 0000000..ce0dcf7
--- /dev/null
+++ b/krb5.changes
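Review bot: The last two filters, `addFilter("shlib-policy-missing-suffix")` and `addFilter("non-etc-or-var-file-marked-as-conffile")`, carry no file or package pattern, so unlike the six entries above them they suppress the check for every file in every subpackage rather than for the one that triggered it, and a new file tripping the same check later would go unnoticed. Narrow them with the triggering path or package the way the other entries do, e.g. `addFilter("non-etc-or-var-file-marked-as-conffile <path-of-triggering-file>")` (placeholder, the real path is not visible here), and add a one-line comment per filter saying what it is needed for.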
@@ -0,0 +1,1528 @@ +* Tue Aug 8 2023 scabrero@suse.de +- Ensure array count consistency in kadm5 RPC; (bsc#1214054); + (CVE-2023-36054); +- Added patches: + * 0009-Ensure-array-count-consistency-in-kadm5-RPC.patch +* Tue Dec 13 2022 scabrero@suse.de +- Update to 1.20.1; (bsc#1205126); (CVE-2022-42898); + * Fix integer overflows in PAC parsing [CVE-2022-42898]. + * Fix null deref in KDC when decoding invalid NDR. + * Fix memory leak in OTP kdcpreauth module. + * Fix PKCS11 module path search. +- update to 1.20.0: + * Added a "disable_pac" realm relation to suppress adding PAC authdata + to tickets, for realms which do not need to support S4U requests. + * Most credential cache types will use atomic replacement when a cache + is reinitialized using kinit or refreshed from the client keytab. + * kprop can now propagate databases with a dump size larger than 4GB, + if both the client and server are upgraded. + * kprop can now work over NATs that change the destination IP address, + if the client is upgraded. + * Updated the KDB interface. The sign_authdata() method is replaced + with the issue_pac() method, allowing KDB modules to add logon info + and other buffers to the PAC issued by the KDC. + * Host-based initiator names are better supported in the GSS krb5 + mechanism. + * Replaced AD-SIGNEDPATH authdata with minimal PACs. + * To avoid spurious replay errors, password change requests will not + be attempted over UDP until the attempt over TCP fails. + * PKINIT will sign its CMS messages with SHA-256 instead of SHA-1. + * Updated all code using OpenSSL to be compatible with OpenSSL 3. + * Reorganized the libk5crypto build system to allow the OpenSSL + back-end to pull in material from the builtin back-end depending on + the OpenSSL version. + * Simplified the PRNG logic to always use the platform PRNG. + * Converted the remaining Tcl tests to Python. 
+- update to 1.19.3 (bsc#1189929, CVE-2021-37750): + * Fix a denial of service attack against the KDC [CVE-2021-37750]. + * Fix KDC null deref on TGS inner body null server + * Fix conformance issue in GSSAPI tests +- Resolve "Credential cache directory /run/user/0/krb5cc does not + exist while opening default credentials cache" by using a kernel + keyring instead of a dir cache; (bsc#1109830); +- Added hardening to systemd services; (bsc#1181400); +- Drop 0009-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch, + fixed in release 1.20.0 +- Drop 0010-Fix-integer-overflows-in-PAC-parsing.patch, + fixed in release 1.20.1 +* Mon Nov 7 2022 nopower@suse.com +- Fix integer overflows in PAC parsing; (CVE-2022-42898); + (bso#15203), (bsc#1205126). +- Added patches: + * 0010-Fix-integer-overflows-in-PAC-parsing.patch +* Fri Sep 17 2021 scabrero@suse.de +- Update to 1.19.2 + * Fix a denial of service attack against the KDC encrypted challenge + code; (CVE-2021-36222); + * Fix a memory leak when gss_inquire_cred() is called without a + credential handle. +- Changes from 1.19.1 + * Fix a linking issue with Samba. + * Better support multiple pkinit_identities values by checking whether + certificates can be loaded for each value. +- Changes from 1.19 + Administrator experience + * When a client keytab is present, the GSSAPI krb5 mech will refresh + credentials even if the current credentials were acquired manually. + * It is now harder to accidentally delete the K/M entry from a KDB. + Developer experience + * gss_acquire_cred_from() now supports the "password" and "verify" + options, allowing credentials to be acquired via password and + verified using a keytab key. + * When an application accepts a GSS security context, the new + GSS_C_CHANNEL_BOUND_FLAG will be set if the initiator and acceptor + both provided matching channel bindings. + * Added the GSS_KRB5_NT_X509_CERT name type, allowing S4U2Self requests + to identify the desired client principal by certificate. 
+ * PKINIT certauth modules can now cause the hw-authent flag to be set + in issued tickets. + * The krb5_init_creds_step() API will now issue the same password + expiration warnings as krb5_get_init_creds_password(). + Protocol evolution + * Added client and KDC support for Microsoft's Resource-Based Constrained + Delegation, which allows cross-realm S4U2Proxy requests. A third-party + database module is required for KDC support. + * kadmin/admin is now the preferred server principal name for kadmin + connections, and the host-based form is no longer created by default. + The client will still try the host-based form as a fallback. + * Added client and server support for Microsoft's KERB_AP_OPTIONS_CBT + extension, which causes channel bindings to be required for the + initiator if the acceptor provided them. The client will send this + option if the client_aware_gss_bindings profile option is set. + User experience + * kinit will now issue a warning if the des3-cbc-sha1 encryption type is + used in the reply. This encryption type will be deprecated and removed + in future releases. + * Added kvno flags --out-cache, --no-store, and --cached-only + (inspired by Heimdal's kgetcred). +- Changes from 1.18.3 + * Fix a denial of service vulnerability when decoding Kerberos + protocol messages; (CVE-2020-28196); (bsc#1178512); + * Fix a locking issue with the LMDB KDB module which could cause + KDC and kadmind processes to lose access to the database. + * Fix an assertion failure when libgssapi_krb5 is repeatedly loaded + and unloaded while libkrb5support remains loaded. +- Changes from 1.18.2 + * Fix a SPNEGO regression where an acceptor using the default credential + would improperly filter mechanisms, causing a negotiation failure. + * Fix a bug where the KDC would fail to issue tickets if the local krbtgt + principal's first key has a single-DES enctype. + * Add stub functions to allow old versions of OpenSSL libcrypto to link + against libkrb5. 
+ * Fix a NegoEx bug where the client name and delegated credential might + not be reported. +- Changes from 1.18.1 + * Fix a crash when qualifying short hostnames when the system has + no primary DNS domain. + * Fix a regression when an application imports "service@" as a GSS + host-based name for its acceptor credential handle. + * Fix KDC enforcement of auth indicators when they are modified by + the KDB module. + * Fix removal of require_auth string attributes when the LDAP KDB + module is used. + * Fix a compile error when building with musl libc on Linux. + * Fix a compile error when building with gcc 4.x. + * Change the KDC constrained delegation precedence order for consistency + with Windows KDCs. +- Changes from 1.18 + Administrator experience: + * Remove support for single-DES encryption types. + * Change the replay cache format to be more efficient and robust. + Replay cache filenames using the new format end with ".rcache2" + by default. + * setuid programs will automatically ignore environment variables + that normally affect krb5 API functions, even if the caller does + not use krb5_init_secure_context(). + * Add an "enforce_ok_as_delegate" krb5.conf relation to disable + credential forwarding during GSSAPI authentication unless the KDC + sets the ok-as-delegate bit in the service ticket. + * Use the permitted_enctypes krb5.conf setting as the default value + for default_tkt_enctypes and default_tgs_enctypes. + Developer experience: + * Implement krb5_cc_remove_cred() for all credential cache types. + * Add the krb5_pac_get_client_info() API to get the client account + name from a PAC. + Protocol evolution: + * Add KDC support for S4U2Self requests where the user is identified + by X.509 certificate. (Requires support for certificate lookup from + a third-party KDB module.) + * Remove support for an old ("draft 9") variant of PKINIT. + * Add support for Microsoft NegoEx. (Requires one or more third-party + GSS modules implementing NegoEx mechanisms.) 
+ User experience: + * Add support for "dns_canonicalize_hostname=fallback", causing + host-based principal names to be tried first without DNS + canonicalization, and again with DNS canonicalization if the + un-canonicalized server is not found. + * Expand single-component hostnames in host-based principal names + when DNS canonicalization is not used, adding the system's first DNS + search path as a suffix. Add a "qualify_shortname" krb5.conf relation + to override this suffix or disable expansion. + * Honor the transited-policy-checked ticket flag on application servers, + eliminating the requirement to configure capaths on servers in some + scenarios. + Code quality: + * The libkrb5 serialization code (used to export and import krb5 GSS + security contexts) has been simplified and made type-safe. + * The libkrb5 code for creating KRB-PRIV, KRB-SAFE, and KRB-CRED + messages has been revised to conform to current coding practices. + * The test suite has been modified to work with macOS System Integrity + Protection enabled. + * The test suite incorporates soft-pkcs11 so that PKINIT PKCS11 support + can always be tested. +- Changes from 1.17.1 + * Fix a bug preventing "addprinc -randkey -kvno" from working in kadmin. + * Fix a bug preventing time skew correction from working when a KCM + credential cache is used. +- Changes from 1.17: + Administrator experience: + * A new Kerberos database module using the Lightning Memory-Mapped + Database library (LMDB) has been added. The LMDB KDB module should + be more performant and more robust than the DB2 module, and may + become the default module for new databases in a future release. + * "kdb5_util dump" will no longer dump policy entries when specific + principal names are requested. + Developer experience: + * The new krb5_get_etype_info() API can be used to retrieve enctype, + salt, and string-to-key parameters from the KDC for a client + principal. 
+ * The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise + principal names to be used with GSS-API functions. + * KDC and kadmind modules which call com_err() will now write to the + log file in a format more consistent with other log messages. + * Programs which use large numbers of memory credential caches should + perform better. + Protocol evolution: + * The SPAKE pre-authentication mechanism is now supported. This + mechanism protects against password dictionary attacks without + requiring any additional infrastructure such as certificates. SPAKE + is enabled by default on clients, but must be manually enabled on + the KDC for this release. + * PKINIT freshness tokens are now supported. Freshness tokens can + protect against scenarios where an attacker uses temporary access to + a smart card to generate authentication requests for the future. + * Password change operations now prefer TCP over UDP, to avoid + spurious error messages about replays when a response packet is + dropped. + * The KDC now supports cross-realm S4U2Self requests when used with a + third-party KDB module such as Samba's. The client code for + cross-realm S4U2Self requests is also now more robust + (CVE-2018-20217). + User experience: + * The new ktutil addent -f flag can be used to fetch salt information + from the KDC for password-based keys. + * The new kdestroy -p option can be used to destroy a credential cache + within a collection by client principal name. + * The Kerberos man page has been restored, and documents the + environment variables that affect programs using the Kerberos + library. + Code quality: + * Python test scripts now use Python 3. + * Python test scripts now display markers in verbose output, making it + easier to find where a failure occurred within the scripts. + * The Windows build system has been simplified and updated to work + with more recent versions of Visual Studio. A large volume of + unused Windows-specific code has been removed. 
Visual Studio 2013 + or later is now required. +- Replace old $RPM_* shell vars +- Removal of SuSEfirewall2 service since SuSEfirewall2 has been replaced + by firewalld +- Remove cruft to support distributions older than SLE 12 +- Use macros where applicable +- Switch to pkgconfig style dependencies +- Use %%_tmpfilesdir instead of the wrong %%_libexecdir/tmpfiles.d + notation: libexecdir is likely changing away from /usr/lib to + /usr/libexec +- Build with full Cyrus SASL support. Negotiating SASL credentials with + an EXTERNAL bind mechanism requires interaction. Kerberos provides its + own interaction function that skips all interaction, thus preventing the + mechanism from working. +- Removed patches: + * 0007-krb5-1.12-ksu-path.patch + * 0010-Add-recursion-limit-for-ASN.1-indefinite-lengths.patch + * 0011-Fix-KDC-null-deref-on-bad-encrypted-challenge.patch +- Renamed patches: + * 0001-krb5-1.12-pam.patch => 0001-ksu-pam-integration.patch + * 0003-krb5-1.12-buildconf.patch => 0003-Adjust-build-configuration.patch + * 0008-krb5-1.12-selinux-label.patch => 0007-SELinux-integration.patch + * 0009-krb5-1.9-debuginfo.patch => 0008-krb5-1.9-debuginfo.patch + * 0012-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch => + 0009-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch +* Mon Aug 30 2021 scabrero@suse.de +- Fix KDC null pointer dereference via a FAST inner body that + lacks a server field; (CVE-2021-37750); (bsc#1189929); +- Added patches: + * 0012-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch +* Mon Jul 26 2021 scabrero@suse.de +- Fix KDC null deref on bad encrypted challenge; (CVE-2021-36222); + (bsc#1188571); +- Added patches: + * 0011-Fix-KDC-null-deref-on-bad-encrypted-challenge.patch +* Thu Apr 22 2021 scabrero@suse.de +- Use /run instead of /var/run for daemon PID files; (bsc#1185163); +* Mon Nov 9 2020 scabrero@suse.de +- Add recursion limit for ASN.1 indefinite lengths; (CVE-2020-28196); + (bsc#1178512); +- Added patches: + * 
0010-Add-recursion-limit-for-ASN.1-indefinite-lengths.patch +* Mon Jul 27 2020 scabrero@suse.de +- Fix prefix reported by krb5-config, libraries and headers are not + installed under /usr/lib/mit prefix. (bsc#1174079) +* Mon Jun 8 2020 scabrero@suse.de +- Update logrotate script, call systemd to reload the services + instead of init-scripts. (boo#1169357) +* Mon Aug 5 2019 scabrero@suse.de +- Integrate pam_keyinit pam module, ksu-pam.d; (bsc#1081947); + (bsc#1144047); +* Tue May 7 2019 scabrero@suse.de +- Move LDAP schema files from /usr/share/doc/packages/krb5 to + /usr/share/kerberos/ldap; (bsc#1134217); +* Wed Jan 30 2019 scabrero@suse.de +- Upgrade to 1.16.3 + * Fix a regression in the MEMORY credential cache type which could cause + client programs to crash. + * MEMORY credential caches will not be listed in the global collection, + with the exception of the default credential cache if it is of type MEMORY. + * Remove an incorrect assertion in the KDC which could be used to cause + a crash [CVE-2018-20217]. + * Fix bugs with concurrent use of MEMORY ccache handles. + * Fix a KDC crash when falling back between multiple OTP tokens configured + for a principal entry. + * Fix memory bugs when gss_add_cred() is used to create a new credential, + and fix a bug where it ignores the desired_name. + * Fix the behavior of gss_inquire_cred_by_mech() when the credential does + not contain an element of the requested mechanism. + * Make cross-realm S4U2Self requests work on the client when no + default_realm is configured. + * Add a kerberos(7) man page containing documentation of the environment + variables that affect Kerberos programs. 
+- Use systemd-tmpfiles to create files under /var/lib/kerberos, required + by transactional updates; (bsc#1100126); +- Rename patches: + * krb5-1.12-pam.patch => 0001-krb5-1.12-pam.patch + * krb5-1.9-manpaths.dif => 0002-krb5-1.9-manpaths.patch + * krb5-1.12-buildconf.patch => 0003-krb5-1.12-buildconf.patch + * krb5-1.6.3-gssapi_improve_errormessages.dif to + 0004-krb5-1.6.3-gssapi_improve_errormessages.patch + * krb5-1.6.3-ktutil-manpage.dif => 0005-krb5-1.6.3-ktutil-manpage.patch + * krb5-1.12-api.patch => 0006-krb5-1.12-api.patch + * krb5-1.12-ksu-path.patch => 0007-krb5-1.12-ksu-path.patch + * krb5-1.12-selinux-label.patch => 0008-krb5-1.12-selinux-label.patch + * krb5-1.9-debuginfo.patch => 0009-krb5-1.9-debuginfo.patch +* Tue Oct 9 2018 jmcdonough@suse.com +- Upgrade to 1.16.1 + * kdc client cert matching on client principal entry + * Allow ktutil addent command to ignore key version and use + non-default salt string. + * add kpropd pidfile support + * enable "encrypted_challenge_indicator" realm option on tickets + obtained using FAST encrypted challenge pre-authentication. + * dates through 2106 accepted + * KDC support for trivially renewable tickets + * stop caching referral and alternate cross-realm TGTs to prevent + duplicate credential cache entries +* Mon Jun 18 2018 mcepl@suse.com +- BSC#1021402 move %%{_libdir}/krb5/plugins/tls/k5tls.so to krb5 package + so it is avaiable for krb5-client as well. +* Fri May 4 2018 michael@stroeder.com +- Upgrade to 1.15.3 + * Fix flaws in LDAP DN checking, including a null dereference KDC + crash which could be triggered by kadmin clients with administrative + privileges [CVE-2018-5729, CVE-2018-5730]. + * Fix a KDC PKINIT memory leak. + * Fix a small KDC memory leak on transited or authdata errors when + processing TGS requests. + * Fix a null dereference when the KDC sends a large TGS reply. + * Fix "kdestroy -A" with the KCM credential cache type. + * Fix the handling of capaths "." values. 
+ * Fix handling of repeated subsection specifications in profile files + (such as when multiple included files specify relations in the same + subsection). +* Wed Apr 25 2018 luizluca@gmail.com +- Added support for /etc/krb5.conf.d/ for configuration snippets +* Thu Nov 23 2017 rbrown@suse.com +- Replace references to /var/adm/fillup-templates with new + %%_fillupdir macro (boo#1069468) +* Mon Nov 6 2017 hguo@suse.com +- Remove build dependency doxygen, python-Cheetah, python-Sphinx, + python-libxml2, python-lxml, most of which are python 2 programs. + Consequently remove -doc subpackage. Users are encouraged to use + online documentation. (bsc#1066461) +* Mon Oct 2 2017 jengelh@inai.de +- Update package descriptions. +* Mon Sep 25 2017 michael@stroeder.com +- Upgrade to 1.15.2 + * Fix a KDC denial of service vulnerability caused by unset status + strings [CVE-2017-11368] + * Preserve GSS contexts on init/accept failure [CVE-2017-11462] + * Fix kadm5 setkey operation with LDAP KDB module + * Use a ten-second timeout after successful connection for HTTPS KDC + requests, as we do for TCP requests + * Fix client null dereference when KDC offers encrypted challenge + without FAST + * Ignore dotfiles when processing profile includedir directive + * Improve documentation +* Fri Aug 18 2017 hguo@suse.com +- Set "rdns" and "dns_canonicalize_hostname" to false in krb5.conf + in order to improve client security in handling service principle + names. (bsc#1054028) +* Fri Aug 11 2017 hguo@suse.com +- Prevent kadmind.service startup failure caused by absence of + LDAP service. 
(bsc#903543) +* Tue Jun 6 2017 hguo@suse.com +- There is no change made about the package itself, this is only + copying over some changelog texts from SLE package: +- bug#918595 owned by varkoly@suse.com: VUL-0: CVE-2014-5355 + krb5: denial of service in krb5_read_message +- bug#912002 owned by varkoly@suse.com: VUL-0 + CVE-2014-5352, CVE-2014-9421, CVE-2014-9422, CVE-2014-9423: + krb5: Vulnerabilities in kadmind, libgssrpc, gss_process_context_token +- bug#910458 owned by varkoly@suse.com: VUL-1 + CVE-2014-5354: krb5: NULL pointer dereference when using keyless entries +- bug#928978 owned by varkoly@suse.com: VUL-0 + CVE-2015-2694: krb5: issues in OTP and PKINIT kdcpreauth modules leading + to requires_preauth bypass +- bug#910457 owned by varkoly@suse.com: VUL-1 + CVE-2014-5353: krb5: NULL pointer dereference when using a ticket policy + name as a password policy name +- bug#991088 owned by hguo@suse.com: VUL-1 + CVE-2016-3120: krb5: S4U2Self KDC crash when anon is restricted +- bug#992853 owned by hguo@suse.com: krb5: bogus prerequires +- [fate#320326](https://fate.suse.com/320326) +- bug#982313 owned by pgajdos@suse.com: Doxygen unable to resolve reference + from \cite +* Thu Apr 6 2017 kukuk@suse.de +- Remove wrong PreRequires from krb5 +* Thu Mar 9 2017 michael@stroeder.com +- use HTTPS project and source URLs +* Thu Mar 9 2017 meissner@suse.com +- use source urls. 
+- krb5.keyring: Added Greg Hudson +* Sat Mar 4 2017 michael@stroeder.com +- removed obsolete krb5-1.15-fix_kdb_free_principal_e_data.patch +- Upgrade to 1.15.1 + * Allow KDB modules to determine how the e_data field of principal + fields is freed + * Fix udp_preference_limit when the KDC location is configured with + SRV records + * Fix KDC and kadmind startup on some IPv4-only systems + * Fix the processing of PKINIT certificate matching rules which have + two components and no explicit relation + * Improve documentation +* Fri Jan 27 2017 bwiedemann@suse.com +- remove useless environment.pickle to make build-compare happy +* Thu Jan 19 2017 asn@cryptomilk.org +- Introduce patch + krb5-1.15-fix_kdb_free_principal_e_data.patch + to fix freeing of e_data in the kdb principal +* Sat Dec 3 2016 michael@stroeder.com +- Upgrade to 1.15 +- obsoleted Patch7 (krb5-1.7-doublelog.patch) fixed in 1.12.2 +- obsoleted patch to src/util/gss-kernel-lib/Makefile.in since + file is not available in upstream source anymore +- obsoleted Patch15 (krb5-fix_interposer.patch) fixed in 1.15 +- Upgrade from 1.14.4 to 1.15 - major changes: + Administrator experience: + * Add support to kadmin for remote extraction of current keys without + changing them (requires a special kadmin permission that is excluded + from the wildcard permission), with the exception of highly + protected keys. + * Add a lockdown_keys principal attribute to prevent retrieval of the + principal's keys (old or new) via the kadmin protocol. In newly + created databases, this attribute is set on the krbtgt and kadmin + principals. + * Restore recursive dump capability for DB2 back end, so sites can + more easily recover from database corruption resulting from power + failure events. + * Add DNS auto-discovery of KDC and kpasswd servers from URI records, + in addition to SRV records. URI records can convey TCP and UDP + servers and master KDC status in a single DNS lookup, and can also + point to HTTPS proxy servers. 
+ * Add support for password history to the LDAP back end. + * Add support for principal renaming to the LDAP back end. + * Use the getrandom system call on supported Linux kernels to avoid + blocking problems when getting entropy from the operating system. + * In the PKINIT client, use the correct DigestInfo encoding for PKCS + [#1] signatures, so that some especially strict smart cards will work. + Code quality: + * Clean up numerous compilation warnings. + * Remove various infrequently built modules, including some preauth + modules that were not built by default. + Developer experience: + * Add support for building with OpenSSL 1.1. + * Use SHA-256 instead of MD5 for (non-cryptographic) hashing of + authenticators in the replay cache. This helps sites that must + build with FIPS 140 conformant libraries that lack MD5. + Protocol evolution: + * Add support for the AES-SHA2 enctypes, which allows sites to conform + to Suite B crypto requirements. +- Upgrade from 1.14.3 to 1.14.4 - major changes: + * Fix some rare btree data corruption bugs + * Fix numerous minor memory leaks + * Improve portability (Linux-ppc64el, FreeBSD) + * Improve some error messages + * Improve documentation +* Mon Nov 14 2016 christof.hanke@rzg.mpg.de +- add pam configuration file required for ksu + just use a copy of "su" one from Tumbleweed +* Fri Jul 22 2016 michael@stroeder.com +- Upgrade from 1.14.2 to 1.14.3: + * Improve some error messages + * Improve documentation + * Allow a principal with nonexistent policy to bypass the minimum + password lifetime check, consistent with other aspects of + nonexistent policies + * Fix a rare KDC denial of service vulnerability when anonymous client + principals are restricted to obtaining TGTs only [CVE-2016-3120] +* Sat Jul 2 2016 idonmez@suse.com +- Remove comments breaking post scripts. 
+* Thu Jun 30 2016 fcrozat@suse.com +- Do no use systemd_requires macros in main package, it adds + unneeded dependencies which pulls systemd into minimal chroot. +- Only call %%insserv_prereq when building for pre-systemd + distributions. +- Optimise some %%post/%%postun when only /sbin/ldconfig is called. +* Tue May 10 2016 hguo@suse.com +- Remove source file ccapi/common/win/OldCC/autolock.hxx + that is not needed and does not carry an acceptable license. + (bsc#968111) +* Thu Apr 28 2016 michael@stroeder.com +- removed obsolete patches: + * 0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch + * krb5-mechglue_inqure_attrs.patch +- Upgrade from 1.14.1 to 1.14.2: + * Fix a moderate-severity vulnerability in the LDAP KDC back end that + could be exploited by a privileged kadmin user [CVE-2016-3119] + * Improve documentation + * Fix some interactions with GSSAPI interposer mechanisms +* Fri Apr 1 2016 hguo@suse.com +- Upgrade from 1.14 to 1.14.1: + * Remove expired patches: + 0104-Verify-decoded-kadmin-C-strings-CVE-2015-8629.patch + 0105-Fix-leaks-in-kadmin-server-stubs-CVE-2015-8631.patch + 0106-Check-for-null-kadm5-policy-name-CVE-2015-8630.patch + krbdev.mit.edu-8301.patch + * Replace source archives: + krb5-1.14.tar.gz -> + krb5-1.14.1.tar.gz + krb5-1.14.tar.gz.asc -> + krb5-1.14.1.tar.gz.asc + * Adjust line numbers in: + krb5-fix_interposer.patch +* Wed Mar 23 2016 hguo@suse.com +- Introduce patch + 0107-Fix-LDAP-null-deref-on-empty-arg-CVE-2016-3119.patch + to fix CVE-2016-3119 (bsc#971942) +* Thu Feb 11 2016 hguo@suse.com +- Remove krb5-mini pieces from spec file. + Hence remove pre_checkin.sh +- Remove expired macros and other minor clean-ups in spec file. 
+* Tue Feb 2 2016 hguo@suse.com +- Fix CVE-2015-8629: krb5: xdr_nullstring() doesn't check for terminating null character + with patch 0104-Verify-decoded-kadmin-C-strings-CVE-2015-8629.patch + (bsc#963968) +- Fix CVE-2015-8631: krb5: Memory leak caused by supplying a null principal name in request + with patch 0105-Fix-leaks-in-kadmin-server-stubs-CVE-2015-8631.patch + (bsc#963975) +- Fix CVE-2015-8630: krb5: krb5 doesn't check for null policy when KADM5_POLICY is set in the mask + with patch 0106-Check-for-null-kadm5-policy-name-CVE-2015-8630.patch + (bsc#963964) +* Mon Jan 11 2016 idonmez@suse.com +- Add two patches from Fedora, fixing two crashes: + * krb5-fix_interposer.patch + * krb5-mechglue_inqure_attrs.patch +* Tue Dec 8 2015 michael@stroeder.com +- Update to 1.14 +- dropped krb5-kvno-230379.patch +- added krbdev.mit.edu-8301.patch fixing wrong function call + Major changes in 1.14 (2015-11-20) + Administrator experience: + * Add a new kdb5_util tabdump command to provide reporting-friendly + tabular dump formats (tab-separated or CSV) for the KDC database. + Unlike the normal dump format, each output table has a fixed number + of fields. Some tables include human-readable forms of data that + are opaque in ordinary dump files. This format is also suitable for + importing into relational databases for complex queries. + * Add support to kadmin and kadmin.local for specifying a single + command line following any global options, where the command + arguments are split by the shell--for example, "kadmin getprinc + principalname". Commands issued this way do not prompt for + confirmation or display warning messages, and exit with non-zero + status if the operation fails. + * Accept the same principal flag names in kadmin as we do for the + default_principal_flags kdc.conf variable, and vice versa. Also + accept flag specifiers in the form that kadmin prints, as well as + hexadecimal numbers. 
+ * Remove the triple-DES and RC4 encryption types from the default
+ value of supported_enctypes, which determines the default key and
+ salt types for new password-derived keys. By default, keys will
+ only created only for AES128 and AES256. This mitigates some types
+ of password guessing attacks.
+ * Add support for directory names in the KRB5_CONFIG and
+ KRB5_KDC_PROFILE environment variables.
+ * Add support for authentication indicators, which are ticket
+ annotations to indicate the strength of the initial authentication.
+ Add support for the "require_auth" string attribute, which can be
+ set on server principal entries to require an indicator when
+ authenticating to the server.
+ * Add support for key version numbers larger than 255 in keytab files,
+ and for version numbers up to 65535 in KDC databases.
+ * Transmit only one ETYPE-INFO and/or ETYPE-INFO2 entry from the KDC
+ during pre-authentication, corresponding to the client's most
+ preferred encryption type.
+ * Add support for server name identification (SNI) when proxying KDC
+ requests over HTTPS.
+ * Add support for the err_fmt profile parameter, which can be used to
+ generate custom-formatted error messages.
+ Code quality:
+ * Fix memory aliasing issues in SPNEGO and IAKERB mechanisms that
+ could cause server crashes. [CVE-2015-2695] [CVE-2015-2696]
+ [CVE-2015-2698]
+ * Fix build_principal memory bug that could cause a KDC
+ crash. [CVE-2015-2697]
+ Developer experience:
+ * Change gss_acquire_cred_with_password() to acquire credentials into
+ a private memory credential cache. Applications can use
+ gss_store_cred() to make the resulting credentials visible to other
+ processes.
+ * Change gss_acquire_cred() and SPNEGO not to acquire credentials for
+ IAKERB or for non-standard variants of the krb5 mechanism OID unless
+ explicitly requested. (SPNEGO will still accept the Microsoft
+ variant of the krb5 mechanism OID during negotiation.)
+ * Change gss_accept_sec_context() not to accept tokens for IAKERB or
+ for non-standard variants of the krb5 mechanism OID unless an
+ acceptor credential is acquired for those mechanisms.
+ * Change gss_acquire_cred() to immediately resolve credentials if the
+ time_rec parameter is not NULL, so that a correct expiration time
+ can be returned. Normally credential resolution is delayed until
+ the target name is known.
+ * Add krb5_prepend_error_message() and krb5_wrap_error_message() APIs,
+ which can be used by plugin modules or applications to add prefixes
+ to existing detailed error messages.
+ * Add krb5_c_prfplus() and krb5_c_derive_prfplus() APIs, which
+ implement the RFC 6113 PRF+ operation and key derivation using PRF+.
+ * Add support for pre-authentication mechanisms which use multiple
+ round trips, using the the KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error
+ code. Add get_cookie() and set_cookie() callbacks to the kdcpreauth
+ interface; these callbacks can be used to save marshalled state
+ information in an encrypted cookie for the next request.
+ * Add a client_key() callback to the kdcpreauth interface to retrieve
+ the chosen client key, corresponding to the ETYPE-INFO2 entry sent
+ by the KDC.
+ * Add an add_auth_indicator() callback to the kdcpreauth interface,
+ allowing pre-authentication modules to assert authentication
+ indicators.
+ * Add support for the GSS_KRB5_CRED_NO_CI_FLAGS_X cred option to
+ suppress sending the confidentiality and integrity flags in GSS
+ initiator tokens unless they are requested by the caller. These
+ flags control the negotiated SASL security layer for the Microsoft
+ GSS-SPNEGO SASL mechanism.
+ * Make the FILE credential cache implementation less prone to
+ corruption issues in multi-threaded programs, especially on
+ platforms with support for open file description locks.
+ Performance:
+ * On slave KDCs, poll the master KDC immediately after processing a
+ full resync, and do not require two full resyncs after the master
+ KDC's log file is reset.
+ User experience:
+ * Make gss_accept_sec_context() accept tickets near their expiration
+ but within clock skew tolerances, rather than rejecting them
+ immediately after the server's view of the ticket expiration time.
+* Mon Dec 7 2015 michael@stroeder.com
+- Update to 1.13.3
+- removed patches for security fixes now in upstream source:
+ 0100-Fix-build_principal-memory-bug-CVE-2015-2697.patch
+ 0101-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch
+ 0102-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch
+ 0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch
+ Major changes in 1.13.3 (2015-12-04)
+ This is a bug fix release. The krb5-1.13 release series is in
+ maintenance, and for new deployments, installers should prefer the
+ krb5-1.14 release series or later.
+ * Fix memory aliasing issues in SPNEGO and IAKERB mechanisms that
+ could cause server crashes. [CVE-2015-2695] [CVE-2015-2696]
+ [CVE-2015-2698]
+ * Fix build_principal memory bug that could cause a KDC
+ crash. [CVE-2015-2697]
+ * Allow an iprop slave to receive full resyncs from KDCs running
+ krb5-1.10 or earlier.
+* Tue Nov 10 2015 hguo@suse.com
+- Apply patch 0103-Fix-IAKERB-context-export-import-CVE-2015-2698.patch
+ to fix a memory corruption regression introduced by resolution of
+ CVE-2015-2698. bsc#954204
+* Wed Oct 28 2015 hguo@suse.com
+- Make kadmin.local man page available without having to install krb5-client.
bsc#948011
+- Apply patch 0100-Fix-build_principal-memory-bug-CVE-2015-2697.patch
+ to fix build_principal memory bug [CVE-2015-2697] bsc#952190
+- Apply patch 0101-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch
+ to fix IAKERB context aliasing bugs [CVE-2015-2696] bsc#952189
+- Apply patch 0102-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch
+ to fix SPNEGO context aliasing bugs [CVE-2015-2695] bsc#952188
+* Mon Jun 1 2015 hguo@suse.com
+- Let server depend on libev (module of libverto). This was the
+ preferred implementation before the seperation of libverto from krb.
+* Thu May 28 2015 dimstar@opensuse.org
+- Drop libverto and libverto-libev Requires from the -server
+ package: those package names don't exist and the shared libs
+ are pulled in automatically.
+* Wed May 27 2015 dimstar@opensuse.org
+- Unconditionally buildrequire libverto-devel: krb5-mini also
+ depends on it.
+* Fri May 22 2015 meissner@suse.com
+- pre_checkin.sh aligned changes between krb5/krb5-mini
+- added krb5.keyring
+* Tue May 12 2015 michael@stroeder.com
+- update to krb5 1.13.2
+- DES transition
+ ==============
+ The Data Encryption Standard (DES) is widely recognized as weak. The
+ krb5-1.7 release contains measures to encourage sites to migrate away
+- From using single-DES cryptosystems. Among these is a configuration
+ variable that enables "weak" enctypes, which defaults to "false"
+ beginning with krb5-1.8.
+ Major changes in 1.13.2 (2015-05-08)
+ This is a bug fix release.
+ * Fix a minor vulnerability in krb5_read_message, which is primarily
+ used in the BSD-derived kcmd suite of applications. [CVE-2014-5355]
+ * Fix a bypass of requires_preauth in KDCs that have PKINIT enabled.
+ [CVE-2015-2694]
+ * Fix some issues with the LDAP KDC database back end.
+ * Fix an iteration-related memory leak in the DB2 KDC database back
+ end.
+ * Fix issues with some less-used kadm5.acl functionality.
+ * Improve documentation.
+* Thu Apr 23 2015 hguo@suse.com
+- Use externally built libverto
+* Wed Feb 18 2015 michael@stroeder.com
+- update to krb5 1.13.1
+ Major changes in 1.13.1 (2015-02-11)
+ This is a bug fix release.
+ * Fix multiple vulnerabilities in the LDAP KDC back end.
+ [CVE-2014-5354] [CVE-2014-5353]
+ * Fix multiple kadmind vulnerabilities, some of which are based in the
+ gssrpc library. [CVE-2014-5352 CVE-2014-5352 CVE-2014-9421
+ CVE-2014-9422 CVE-2014-9423]
+* Tue Jan 6 2015 mlin@suse.com
+- Update to krb5 1.13
+ * Add support for accessing KDCs via an HTTPS proxy server using the
+ MS-KKDCP protocol.
+ * Add support for hierarchical incremental propagation, where slaves
+ can act as intermediates between an upstream master and other downstream
+ slaves.
+ * Add support for configuring GSS mechanisms using /etc/gss/mech.d/*.conf
+ files in addition to /etc/gss/mech.
+ * Add support to the LDAP KDB module for binding to the LDAP server using
+ SASL.
+ * The KDC listens for TCP connections by default.
+ * Fix a minor key disclosure vulnerability where using the "keepold" option
+ to the kadmin randkey operation could return the old keys. [CVE-2014-5351]
+ * Add client support for the Kerberos Cache Manager protocol. If the host
+ is running a Heimdal kcm daemon, caches served by the daemon can be
+ accessed with the KCM: cache type.
+ * When built on OS X 10.7 and higher, use "KCM:" as the default cache type,
+ unless overridden by command-line options or krb5-config values.
+ * Add support for doing unlocked database dumps for the DB2 KDC back end,
+ which would allow the KDC and kadmind to continue accessing the database
+ during lengthy database dumps.
+- Removed patches, useless or upstreamed
+ * krb5-1.9-kprop-mktemp.patch
+ * krb5-1.10-ksu-access.patch
+ * krb5-1.12-doxygen.patch
+ * bnc#897874-CVE-2014-5351.diff
+ * krb5-1.13-work-around-replay-cache-creation-race.patch
+ * krb5-1.10-kpasswd_tcp.patch
+- Refreshed patches
+ * krb5-1.12-pam.patch
+ * krb5-1.12-selinux-label.patch
+ * krb5-1.7-doublelog.patch
+* Thu Sep 25 2014 ddiss@suse.com
+- Work around replay cache creation race; (bnc#898439).
+ krb5-1.13-work-around-replay-cache-creation-race.patch
+* Tue Sep 23 2014 varkoly@suse.com
+- bnc#897874 CVE-2014-5351: krb5: current keys returned when randomizing the keys for a service principal
+- added patches:
+ * bnc#897874-CVE-2014-5351.diff
+* Sat Aug 30 2014 andreas.stieger@gmx.de
+- krb5 5.12.2:
+ * Work around a gcc optimizer bug that could cause DB2 KDC
+ database operations to spin in an infinite loop
+ * Fix a backward compatibility problem with the LDAP KDB schema
+ that could prevent krb5-1.11 and later from decoding entries
+ created by krb5-1.6.
+ * Avoid an infinite loop under some circumstances when the GSS
+ mechglue loads a dynamic mechanism.
+ * Fix krb5kdc argument parsing so "-w" and "-r" options work
+ togetherreliably.
+- Vulnerability fixes previously fixed in package via patches:
+ * Handle certain invalid RFC 1964 GSS tokens correctly to avoid
+ invalid memory reference vulnerabilities. [CVE-2014-4341
+ CVE-2014-4342]
+ * Fix memory management vulnerabilities in GSSAPI SPNEGO.
+ [CVE-2014-4343 CVE-2014-4344]
+ * Fix buffer overflow vulnerability in LDAP KDB back end.
+ [CVE-2014-4345]
+- updated patches:
+ * krb5-1.7-doublelog.patch for context change
+ * krb5-1.6.3-ktutil-manpage.dif, same
+- removed patches, in upstream:
+ * krb5-master-keyring-kdcsync.patch
+ * krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch
+ * krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch
+ * krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch
+ * krb5-1.12-CVE-2014-4345-buffer-overrun-in-kadmind-with-LDAP-backend.patch
+- Fix build with doxygen 1.8.8 - adding krb5-1.12-doxygen.patch
+ from upstream
+* Fri Aug 8 2014 ckornacker@suse.com
+- buffer overrun in kadmind with LDAP backend
+ CVE-2014-4345 (bnc#891082)
+ krb5-1.12-CVE-2014-4345-buffer-overrun-in-kadmind-with-LDAP-backend.patch
+* Mon Jul 28 2014 ckornacker@suse.com
+- Fix double-free in SPNEGO [CVE-2014-4343] (bnc#888697)
+ krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch
+ Fix null deref in SPNEGO acceptor [CVE-2014-4344]
+ krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch
+* Sat Jul 19 2014 p.drouand@gmail.com
+- Do not depend of insserv if systemd is used
+* Thu Jul 10 2014 ckornacker@suse.com
+- denial of service flaws when handling RFC 1964 tokens (bnc#886016)
+ krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch
+- start krb5kdc after slapd (bnc#886102)
+* Fri Jun 6 2014 ckornacker@suse.com
+- obsolete krb5-plugin-preauth-pkinit-nss (bnc#881674)
+ similar functionality is provided by krb5-plugin-preauth-pkinit
+* Tue Feb 18 2014 ckornacker@suse.com
+- don't deliver SysV init files to systemd distributions
+* Tue Jan 21 2014 ckornacker@suse.com
+- update to version 1.12.1
+ * Make KDC log service principal names more consistently during
+ some error conditions, instead of ""
+ * Fix several bugs related to building AES-NI support on less
+ common configurations
+ * Fix several bugs related to keyring credential caches
+- upstream obsoletes:
+ krb5-1.12-copy_context.patch
+ krb5-1.12-enable-NX.patch
+ krb5-1.12-pic-aes-ni.patch
+ krb5-master-no-malloc0.patch
+
krb5-master-ignore-empty-unnecessary-final-token.patch
+ krb5-master-gss_oid_leak.patch
+ krb5-master-keytab_close.patch
+ krb5-master-spnego_error_messages.patch
+- Fix Get time offsets for all keyring ccaches
+ krb5-master-keyring-kdcsync.patch (RT#7820)
+* Mon Jan 13 2014 ckornacker@suse.com
+- update to version 1.12
+ * Add GSSAPI extensions for constructing MIC tokens using IOV lists
+ * Add a FAST OTP preauthentication module for the KDC which uses
+ RADIUS to validate OTP token values.
+ * The AES-based encryption types will use AES-NI instructions
+ when possible for improved performance.
+- revert dependency on libcom_err-mini-devel since it's not yet
+ available
+- update and rebase patches
+ * krb5-1.10-buildconf.patch -> krb5-1.12-buildconf.patch
+ * krb5-1.11-pam.patch -> krb5-1.12-pam.patch
+ * krb5-1.11-selinux-label.patch -> krb5-1.12-selinux-label.patch
+ * krb5-1.8-api.patch -> krb5-1.12-api.patch
+ * krb5-1.9-ksu-path.patch -> krb5-1.12-ksu-path.patch
+ * krb5-1.9-debuginfo.patch
+ * krb5-1.9-kprop-mktemp.patch
+ * krb5-kvno-230379.patch
+- added upstream patches
+ - Fix krb5_copy_context
+ * krb5-1.12-copy_context.patch
+ - Mark AESNI files as not needing executable stacks
+ * krb5-1.12-enable-NX.patch
+ * krb5-1.12-pic-aes-ni.patch
+ - Fix memory leak in SPNEGO initiator
+ * krb5-master-gss_oid_leak.patch
+ - Fix SPNEGO one-hop interop against old IIS
+ * krb5-master-ignore-empty-unnecessary-final-token.patch
+ - Fix GSS krb5 acceptor acquire_cred error handling
+ * krb5-master-keytab_close.patch
+ - Avoid malloc(0) in SPNEGO get_input_token
+ * krb5-master-no-malloc0.patch
+ - Test SPNEGO error message in t_s4u.py
+ * krb5-master-spnego_error_messages.patch
+* Tue Dec 10 2013 nfbrown@suse.com
+- Reduce build dependencies for krb5-mini by removing
+ doxygen and changing libcom_err-devel to
+ libcom_err-mini-devel
+- Small fix to pre_checkin.sh so krb5-mini.spec is correct.
+* Fri Nov 15 2013 ckornacker@suse.com
+- update to version 1.11.4
+ - Fix a KDC null pointer dereference [CVE-2013-1417] that could
+ affect realms with an uncommon configuration.
+ - Fix a KDC null pointer dereference [CVE-2013-1418] that could
+ affect KDCs that serve multiple realms.
+ - Fix a number of bugs related to KDC master key rollover.
+* Mon Jun 24 2013 mc@suse.com
+- install and enable systemd service files also in -mini package
+* Fri Jun 21 2013 crrodriguez@opensuse.org
+- remove fstack-protector-all from CFLAGS, just use the
+ lighter/fast version already present in %%optflags
+- Use LFS_CFLAGS to build in 32 bit archs.
+* Sun Jun 9 2013 mc@suse.com
+- update to version 1.11.3
+ - Fix a UDP ping-pong vulnerability in the kpasswd
+ (password changing) service. [CVE-2002-2443]
+ - Improve interoperability with some Windows native PKINIT clients.
+- install translation files
+- remove outdated configure options
+* Tue May 28 2013 mc@suse.com
+- cleanup systemd files (remove syslog.target)
+* Fri May 3 2013 mc@suse.de
+- let krb5-mini conflict with all main packages
+* Thu May 2 2013 mc@suse.de
+- add conflicts between krb5-mini and krb5-server
+* Sun Apr 28 2013 mc@suse.de
+- update to version 1.11.2
+ * Incremental propagation could erroneously act as if a slave's
+ database were current after the slave received a full dump
+ that failed to load.
+ * gss_import_sec_context incorrectly set internal state that
+ identifies whether an imported context is from an interposer
+ mechanism or from the underlying mechanism.
+- upstream fix obsolete krb5-lookup_etypes-leak.patch
+* Thu Apr 4 2013 mc@suse.de
+- add conflicts between krb5-mini-devel and krb5-devel
+* Tue Apr 2 2013 mc@suse.de
+- add conflicts between krb5-mini and krb5 and krb5-client
+* Wed Mar 27 2013 mc@suse.de
+- enable selinux and set openssl as crypto implementation
+* Fri Mar 22 2013 mc@suse.de
+- fix path to executables in service files
+ (bnc#810926)
+* Fri Mar 15 2013 mc@suse.de
+- update to version 1.11.1
+ * Improve ASN.1 support code, making it table-driven for
+ decoding as well as encoding
+ * Refactor parts of KDC
+ * Documentation consolidation
+ * build docs in the main package
+ * bugfixing
+- changes of patches:
+ * bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif:
+ upstream
+ * bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif:
+ upstream
+ * krb5-1.10-gcc47.patch: upstream
+ * krb5-1.10-selinux-label.patch replaced by
+ krb5-1.11-selinux-label.patch
+ * krb5-1.10-spin-loop.patch: upstream
+ * krb5-1.3.5-perlfix.dif: the tool was removed from upstream
+ * krb5-1.8-pam.patch replaced by
+ krb5-1.11-pam.patch
+* Wed Mar 6 2013 mc@suse.de
+- fix PKINIT null pointer deref in pkinit_check_kdc_pkid()
+ CVE-2012-1016 (bnc#807556)
+ bug-807556-CVE-2012-1016-fix-PKINIT-null-pointer-deref2.dif
+* Mon Mar 4 2013 mc@suse.de
+- fix PKINIT null pointer deref
+ CVE-2013-1415 (bnc#806715)
+ bug-806715-CVE-2013-1415-fix-PKINIT-null-pointer-deref.dif
+* Fri Jan 25 2013 mc@suse.de
+- package missing file (bnc#794784)
+* Tue Jan 22 2013 lchiquitto@suse.com
+- krb5-1.10-spin-loop.patch: fix spin-loop bug in k5_sendto_kdc
+ (bnc#793336)
+* Tue Oct 16 2012 coolo@suse.com
+- revert the -p usage in %%postun to fix SLE build
+* Tue Oct 16 2012 coolo@suse.com
+- buildrequire systemd by pkgconfig provide to get systemd-mini
+* Sat Oct 13 2012 coolo@suse.com
+- do not require systemd in krb5-mini
+* Fri Oct 5 2012 mc@suse.de
+- add systemd service files for kadmind, krb5kdc and kpropd
+- add sysconfig
templates for kadmind and krb5kdc
+* Wed Jun 13 2012 coolo@suse.com
+- fix %%files section for krb5-mini
+* Thu Jun 7 2012 mc@suse.de
+- fix gcc47 issues
+* Wed Jun 6 2012 mc@suse.de
+- update to version 1.10.2
+ obsolte patches:
+ * krb5-1.7-nodeplibs.patch
+ * krb5-1.9.1-ai_addrconfig.patch
+ * krb5-1.9.1-ai_addrconfig2.patch
+ * krb5-1.9.1-sendto_poll.patch
+ * krb5-1.9-canonicalize-fallback.patch
+ * krb5-1.9-paren.patch
+ * krb5-klist_s.patch
+ * krb5-pkinit-cms2.patch
+ * krb5-trunk-chpw-err.patch
+ * krb5-trunk-gss_delete_sec.patch
+ * krb5-trunk-kadmin-oldproto.patch
+ * krb5-1.9-MITKRB5-SA-2011-006.dif
+ * krb5-1.9-gss_display_status-iakerb.patch
+ * krb5-1.9.1-sendto_poll2.patch
+ * krb5-1.9.1-sendto_poll3.patch
+ * krb5-1.9-MITKRB5-SA-2011-007.dif
+- Fix an interop issue with Windows Server 2008 R2 Read-Only Domain
+ Controllers.
+- Update a workaround for a glibc bug that would cause DNS PTR queries
+ to occur even when rdns = false.
+- Fix a kadmind denial of service issue (null pointer dereference),
+ which could only be triggered by an administrator with the "create"
+ privilege. [CVE-2012-1013]
+- Fix access controls for KDB string attributes [CVE-2012-1012]
+- Make the ASN.1 encoding of key version numbers interoperate with
+ Windows Read-Only Domain Controllers
+- Avoid generating spurious password expiry warnings in cases where
+ the KDC sends an account expiry time without a password expiry time
+- Make PKINIT work with FAST in the client library.
+- Add the DIR credential cache type, which can hold a collection of
+ credential caches.
+- Enhance kinit, klist, and kdestroy to support credential cache
+ collections if the cache type supports it.
+- Add the kswitch command, which changes the selected default cache
+ within a collection.
+- Add heuristic support for choosing client credentials based on
+ the service realm.
+- Add support for $HOME/.k5identity, which allows credential
+ choice based on configured rules.
+* Sun Feb 26 2012 stefan.bruens@rwth-aachen.de
+- add autoconf macro to devel subpackage
+* Tue Jan 31 2012 meissner@suse.de
+- fix license in krb5-mini
+* Tue Dec 20 2011 coolo@suse.com
+- add autoconf as buildrequire to avoid implicit dependency
+* Tue Dec 20 2011 coolo@suse.com
+- remove call to suse_update_config, very old work around
+* Mon Nov 21 2011 mc@suse.de
+- fix KDC null pointer dereference in TGS handling
+ (MITKRB5-SA-2011-007, bnc#730393)
+ CVE-2011-1530
+* Mon Nov 21 2011 mc@suse.de
+- fix KDC HA feature introduced with implementing KDC poll
+ (RT#6951, bnc#731648)
+* Fri Nov 18 2011 rhafer@suse.de
+- fix minor error messages for the IAKERB GSSAPI mechanism
+ (see: http://krbdev.mit.edu/rt/Ticket/Display.html?id=7020)
+* Mon Oct 17 2011 mc@suse.de
+- fix kdc remote denial of service
+ (MITKRB5-SA-2011-006, bnc#719393)
+ CVE-2011-1527, CVE-2011-1528, CVE-2011-1529
+* Tue Aug 23 2011 mc@suse.de
+- use --without-pam to build krb5-mini
+* Sun Aug 21 2011 mc@novell.com
+- add patches from Fedora and upstream
+- fix init scripts (bnc#689006)
+* Fri Aug 19 2011 mc@novell.com
+- update to version 1.9.1
+ * obsolete patches:
+ MITKRB5-SA-2010-007-1.8.dif
+ krb5-1.8-MITKRB5-SA-2010-006.dif
+ krb5-1.8-MITKRB5-SA-2011-001.dif
+ krb5-1.8-MITKRB5-SA-2011-002.dif
+ krb5-1.8-MITKRB5-SA-2011-003.dif
+ krb5-1.8-MITKRB5-SA-2011-004.dif
+ krb5-1.4.3-enospc.dif
+ * replace krb5-1.6.1-compile_pie.dif
+* Thu Apr 14 2011 mc@suse.de
+- fix kadmind invalid pointer free()
+ (MITKRB5-SA-2011-004, bnc#687469)
+ CVE-2011-0285
+* Tue Mar 1 2011 mc@suse.de
+- Fix vulnerability to a double-free condition in KDC daemon
+ (MITKRB5-SA-2011-003, bnc#671717)
+ CVE-2011-0284
+* Wed Jan 19 2011 mc@suse.de
+- Fix kpropd denial of service
+ (MITKRB5-SA-2011-001, bnc#662665)
+ CVE-2010-4022
+- Fix KDC denial of service attacks with LDAP back end
+ (MITKRB5-SA-2011-002, bnc#663619)
+ CVE-2011-0281, CVE-2011-0282
+* Wed Dec 1 2010 mc@suse.de
+- Fix multiple checksum handling vulnerabilities
+ (MITKRB5-SA-2010-007, bnc#650650)
+ CVE-2010-1324
+ * krb5 GSS-API applications may accept unkeyed checksums
+ * krb5 application services may accept unkeyed PAC checksums
+ * krb5 KDC may accept low-entropy KrbFastArmoredReq checksums
+ CVE-2010-1323
+ * krb5 clients may accept unkeyed SAM-2 challenge checksums
+ * krb5 may accept KRB-SAFE checksums with low-entropy derived keys
+ CVE-2010-4020
+ * krb5 may accept authdata checksums with low-entropy derived keys
+ CVE-2010-4021
+ * krb5 KDC may issue unrequested tickets due to KrbFastReq forgery
+* Thu Oct 28 2010 mc@suse.de
+- fix csh profile (bnc#649856)
+* Fri Oct 22 2010 mc@suse.de
+- update to krb5-1.8.3
+ * remove patches which are now upstrem
+ - krb5-1.7-MITKRB5-SA-2010-004.dif
+ - krb5-1.8.1-gssapi-error-table.dif
+ - krb5-MITKRB5-SA-2010-005.dif
+* Fri Oct 22 2010 mc@suse.de
+- change environment variable PATH directly for csh
+ (bnc#642080)
+* Mon Sep 27 2010 mc@suse.de
+- fix a dereference of an uninitialized pointer while processing
+ authorization data.
+ CVE-2010-1322, MITKRB5-SA-2010-006 (bnc#640990)
+* Mon Jun 21 2010 lchiquitto@novell.com
+- add correct error table when initializing gss-krb5 (bnc#606584,
+ bnc#608295)
+* Wed May 19 2010 mc@suse.de
+- fix GSS-API library null pointer dereference
+ CVE-2010-1321, MITKRB5-SA-2010-005 (bnc#596826)
+* Wed Apr 14 2010 mc@suse.de
+- fix a double free vulnerability in the KDC
+ CVE-2010-1320, MITKRB5-SA-2010-004 (bnc#596002)
+* Fri Apr 9 2010 mc@suse.de
+- update to version 1.8.1
+ * include krb5-1.8-POST.dif
+ * include MITKRB5-SA-2010-002
+* Tue Apr 6 2010 mc@suse.de
+- update krb5-1.8-POST.dif
+* Tue Mar 23 2010 mc@suse.de
+- fix a bug where an unauthenticated remote attacker could cause
+ a GSS-API application including the Kerberos administration
+ daemon (kadmind) to crash.
+ CVE-2010-0628, MITKRB5-SA-2010-002 (bnc#582557)
+* Tue Mar 23 2010 mc@suse.de
+- add post 1.8 fixes
+ * Add IPv6 support to changepw.c
+ * fix two problems in kadm5_get_principal mask handling
+ * Ignore improperly encoded signedpath AD elements
+ * handle NT_SRV_INST in service principal referrals
+ * dereference options while checking
+ KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT
+ * Fix the kpasswd fallback from the ccache principal name
+ * Document the ticket_lifetime libdefaults setting
+ * Change KRB5_AUTHDATA_SIGNTICKET from 142 to 512
+* Thu Mar 4 2010 mc@suse.de
+- update to version 1.8
+ * Increase code quality
+ * Move toward improved KDB interface
+ * Investigate and remedy repeatedly-reported performance
+ bottlenecks.
+ * Reduce DNS dependence by implementing an interface that allows
+ client library to track whether a KDC supports service
+ principal referrals.
+ * Disable DES by default
+ * Account lockout for repeated login failures
+ * Bridge layer to allow Heimdal HDB modules to act as KDB
+ backend modules
+ * FAST enhancements
+ * Microsoft Services for User (S4U) compatibility
+ * Anonymous PKINIT
+- fix KDC denial of service
+ CVE-2010-0283, MITKRB5-SA-2010-001 (bnc#571781)
+- fix KDC denial of service in cross-realm referral processing
+ CVE-2009-3295, MITKRB5-SA-2009-003 (bnc#561347)
+- fix integer underflow in AES and RC4 decryption
+ CVE-2009-4212, MITKRB5-SA-2009-004 (bnc#561351)
+- moved krb5 applications (telnet, ftp, rlogin, ...) to krb5-appl
+* Mon Dec 14 2009 jengelh@medozas.de
+- add baselibs.conf as a source
+* Fri Nov 13 2009 mc@suse.de
+- enhance '$PATH' only if the directories are available
+ and not empty (bnc#544949)
+* Sun Jul 12 2009 coolo@novell.com
+- readd lost baselibs.conf
+* Wed Jun 3 2009 mc@suse.de
+- update to final 1.7 release
+* Wed May 13 2009 mc@suse.de
+- update to version 1.7 Beta2
+ * Incremental propagation support for the KDC database.
+ * Flexible Authentication Secure Tunneling (FAST), a preauthentiation
+ framework that can protect the AS exchange from dictionary attack.
+ * Implement client and KDC support for GSS_C_DELEG_POLICY_FLAG, which
+ allows a GSS application to request credential delegation only if
+ permitted by KDC policy.
+ * Fix CVE-2009-0844, CVE-2009-0845, CVE-2009-0846, CVE-2009-0847 --
+ various vulnerabilities in SPNEGO and ASN.1 code.
+* Mon Feb 16 2009 mc@suse.de
+- update to pre 1.7 version
+ * Remove support for version 4 of the Kerberos protocol (krb4).
+ * New libdefaults configuration variable "allow_weak_crypto".
+ * Client library now follows client principal referrals, for
+ compatibility with Windows.
+ * KDC can issue realm referrals for service principals based on domain
+ names.
+ * Encryption algorithm negotiation (RFC 4537).
+ * In the replay cache, use a hash over the complete ciphertext to
+ avoid false-positive replay indications.
+ * Microsoft GSS_WrapEX, implemented using the gss_iov API, which is
+ similar to the equivalent SSPI functionality.
+ * DCE RPC, including three-leg GSS context setup and unencapsulated
+ GSS tokens.
+ * NTLM recognition support in GSS-API, to facilitate dropping in an
+ NTLM implementation.
+ * KDC support for principal aliases, if the back end supports them.
+ * Microsoft set/change password (RFC 3244) protocol in kadmind.
+ * Master key rollover support.
+* Wed Jan 14 2009 olh@suse.de
+- obsolete also old heimdal-lib-XXbit and heimdal-devel-XXbit
+* Thu Dec 11 2008 mc@suse.de
+- do not query IPv6 addresses if no IPv6 address exists on this host
+ [bnc#449143]
+* Wed Dec 10 2008 olh@suse.de
+- use Obsoletes: -XXbit only for ppc64 to help solver during distupgrade
+ (bnc#437293)
+* Thu Oct 30 2008 olh@suse.de
+- obsolete old -XXbit packages (bnc#437293)
+* Fri Sep 26 2008 mc@suse.de
+- in case we use ldap as database backend, ldap should be
+ started before krb5kdc
+* Mon Jul 28 2008 mc@suse.de
+- add new fixes to post 1.6.3 patch
+ * fix mem leak in krb5_gss_accept_sec_context()
+ * keep minor_status
+ * kadm5_decrypt_key: A ktype of -1 is documented as meaning
+ "to be ignored"
+ * Reject socket fds > FD_SETSIZE
+* Fri Jul 25 2008 mc@suse.de
+- add patches from SVN post 1.6.3
+ * krb5_string_to_keysalts: Fix an infinite loop
+ * fix some mutex issues
+ * better recovery from corrupt rcache files
+ * some more small fixes
+* Wed Jun 18 2008 mc@suse.de
+- add case-insensitive.dif (FATE#300771)
+- minor fixes for ktutil man page
+- reduce rpmlint warnings
+* Wed May 14 2008 mc@suse.de
+- Fall back to TCP on kdc-unresolvable/unreachable errors.
+- restore valid sequence number before generating requests
+ (fix changing passwords in mixed ipv4/ipv6 enviroments)
+* Thu Apr 10 2008 ro@suse.de
+- added baselibs.conf file to build xxbit packages
+ for multilib support
+* Wed Apr 9 2008 mc@suse.de
+- modify krb5-config to not output rpath and cflags in --libs
+ (bnc#378270)
+* Fri Mar 14 2008 mc@suse.de
+- fix two security bugs:
+ * MITKRB5-SA-2008-001(CVE-2008-0062, CVE-2008-0063)
+ fix double free [bnc#361373]
+ * MITKRB5-SA-2008-002(CVE-2008-0947, CVE-2008-0948)
+ Memory corruption while too many open file descriptors
+ [bnc#363151]
+- change default config file. Comment out the examples.
+* Fri Dec 14 2007 mc@suse.de
+- fix several security bugs:
+ * CVE-2007-5894 apparent uninit length
+ * CVE-2007-5902 integer overflow
+ * CVE-2007-5971 free of non-heap pointer and double-free
+ * CVE-2007-5972 double fclose()
+ [#346745, #346748, #346746, #346749, #346747]
+* Tue Dec 4 2007 mc@suse.de
+- improve GSSAPI error messages
+* Tue Nov 6 2007 mc@suse.de
+- add coreutils to PreReq
+* Tue Oct 23 2007 mc@suse.de
+- update to krb5 version 1.6.3
+ * fix CVE-2007-3999, CVE-2007-4743 svc_auth_gss.c buffer overflow
+ * fix CVE-2007-4000 modify_policy vulnerability
+ * Add PKINIT support
+- remove patches which are upstream now
+- enhance init scripts and xinetd profiles
+* Fri Sep 14 2007 mc@suse.de
+- update krb5-1.6.2-post.dif
+ * If a KDC returns KDC_ERR_SVC_UNAVAILABLE, it appears that
+ that the client library will not failover to the next KDC.
+ [#310540]
+* Tue Sep 11 2007 mc@suse.de
+- update krb5-1.6.2-post.dif
+ * new -S sname option for kvno
+ * read_entropy_from_device on partial read will not fill buffer
+ * Bail out if encoded "ticket" doesn't decode correctly.
+ * patch for referrals loop
+* Thu Sep 6 2007 mc@suse.de
+- fix a problem with the originally published patch
+ for MITKRB5-SA-2007-006 - CVE-2007-3999
+ [#302377]
+* Wed Sep 5 2007 mc@suse.de
+- fix execute arbitrary code
+ (MITKRB5-SA-2007-006 - CVE-2007-3999,2007-4000)
+ [#302377]
+* Tue Aug 7 2007 mc@suse.de
+- add krb5-1.6.2-post.dif
+ * during the referrals loop, check to see if the
+ session key enctype of a returned credential for the final
+ service is among the enctypes explicitly selected by the
+ application, and retry with old_use_conf_ktypes if it is not.
+ * If mkstemp() is available, the new ccache file gets created but
+ the subsequent open(O_CREAT|O_EXCL) call fails because the file
+ was already created by mkstemp(). Apply patch from Apple to keep
+ the file descriptor open.
+* Thu Jul 12 2007 mc@suse.de
+- update to version 1.6.2
+- remove krb5-1.6.1-post.dif all fixes are included in this release
+* Thu Jul 5 2007 mc@suse.de
+- change requires to libcom_err-devel
+* Mon Jul 2 2007 mc@suse.de
+- update krb5-1.6.1-post.dif
+ * fix leak in krb5_walk_realm_tree
+ * rd_req_decoded needs to deal with referral realms
+ * fix buffer overflow in kadmind
+ (MITKRB5-SA-2007-005 - CVE-2007-2798)
+ [#278689]
+ * fix kadmind code execution bug
+ (MITKRB5-SA-2007-004 - CVE-2007-2442 - CVE-2007-2443)
+ [#271191]
+* Thu Jun 14 2007 mc@suse.de
+- fix unstripped-binary-or-object rpmlint warning
+* Mon Jun 11 2007 sschober@suse.de
+- fixing rpmlint warnings and errors:
+ * merged logrotate scripts kadmin and krb5kdc into a single file
+ krb5-server.
+ * moved heimdal2mit-DumpConvert.pl and simple_convert_krb5conf.pl
+ from /usr/share/doc/packages/krb5 to /usr/lib/mit/helper.
+ adapted krb5.spec and README.ConvertHeimdalMIT accordingly.
+ * added surpression filter for
+ "devel-file-in-non-devel-package /usr/lib/libgssapi_krb5.so"
+ (see [#147912]).
+ * set default runlevel of init scripts in chkconfig line to 3 and
+ 5
+* Wed May 9 2007 mc@suse.de
+- fix uninitialized salt length
+- add extra check for keytab file
+* Thu May 3 2007 mc@suse.de
+- adding krb5-1.6.1-post.dif
+ * fix segfault in krb5_get_init_creds_password
+ * remove debug output in ftp client
+ * profile stores empty string values without double quotes
+* Mon Apr 23 2007 mc@suse.de
+- update to final 1.6.1 version
+* Wed Apr 18 2007 mc@suse.de
+- add plugin directories to main package
+* Mon Apr 16 2007 mc@suse.de
+- update to version 1.6.1 Beta1
+- remove obsolete patches
+ (krb5-1.6-post.dif, krb5-1.6-patchlevel.dif)
+- rework compile_pie patch
+* Wed Apr 11 2007 mc@suse.de
+- update krb5-1.6-post.dif
+ * fix kadmind stack overflow in krb5_klog_syslog
+ (MITKRB5-SA-2007-002 - CVE-2007-0957)
+ [#253548]
+ * fix double free attack in the RPC library
+ (MITKRB5-SA-2007-003 - CVE-2007-1216)
+ [#252487]
+ * fix krb5 telnetd login injection
+ (MIT-SA-2007-001 - CVE-2007-0956)
+ [#247765]
+* Thu Mar 29 2007 mc@suse.de
+- add ncurses-devel and bison to BuildRequires
+- rework some patches
+* Mon Mar 5 2007 mc@suse.de
+- move SuSEFirewall service definitions to
+ /etc/sysconfig/SuSEfirewall2.d/services
+* Thu Feb 22 2007 mc@suse.de
+- add firewall definition to krb5-server, FATE #300687
+* Mon Feb 19 2007 mc@suse.de
+- update krb5-1.6-post.dif
+- move some applications into the right package
+* Fri Feb 9 2007 mc@suse.de
+- update krb5-1.6-post.dif
+* Mon Jan 29 2007 mc@suse.de
+- krb5-1.6-fix-passwd-tcp.dif and krb5-1.6-fix-sendto_kdc-memset.dif
+ are now upstream. Remove patches.
+- fix leak in krb5_kt_resolve and krb5_kt_wresolve
+* Tue Jan 23 2007 mc@suse.de
+- fix "local variable used before set" in ftp.c
+ [#237684]
+* Mon Jan 22 2007 mc@suse.de
+- krb5-devel should require keyutils-devel
+* Mon Jan 22 2007 mc@suse.de
+- update to version 1.6
+ * Major changes in 1.6 include
+ * Partial client implementation to handle server name referrals.
+ * Pre-authentication plug-in framework, donated by Red Hat.
+ * LDAP KDB plug-in, donated by Novell.
+- remove obsolete patches
+* Wed Jan 10 2007 mc@suse.de
+- fix for
+ kadmind (via RPC library) calls uninitialized function pointer
+ (CVE-2006-6143)(Bug #225990)
+ krb5-1.5-MITKRB5-SA-2006-002-fix-code-exec.dif
+- fix for
+ kadmind (via GSS-API mechglue) frees uninitialized pointers
+ (CVE-2006-6144)(Bug #225992)
+ krb5-1.5-MITKRB5-SA-2006-003-fix-free-of-uninitialized-pointer.dif
+* Tue Jan 2 2007 mc@suse.de
+- Fix Requires in krb5-devel
+ [Bug #231008]
+* Mon Nov 6 2006 mc@suse.de
+- fix "local variable used before set" [#217692]
+- fix strncat warning
+* Fri Oct 27 2006 mc@suse.de
+- add a default kadm5.dict file
+- require $network on daemon start
+* Wed Sep 13 2006 mc@suse.de
+- fix function call with too few arguments [#203837]
+* Thu Aug 24 2006 mc@suse.de
+- update to version 1.5.1
+- remove obsolete patches which are now included upstream
+ * krb5-1.4.3-MITKRB5-SA-2006-001-setuid-return-checks.dif
+ * trunk-fix-uninitialized-vars.dif
+* Fri Aug 11 2006 mc@suse.de
+- krb5 setuid return check fixes
+ krb5-1.4.3-MITKRB5-SA-2006-001-setuid-return-checks.dif
+ [#182351]
+* Mon Aug 7 2006 mc@suse.de
+- remove update-messages
+* Mon Jul 24 2006 mc@suse.de
+- add check for krb5_prop in services to kpropd init script.
+ [#192446]
+* Mon Jul 3 2006 mc@suse.de
+- update to version 1.5
+ * KDB abstraction layer, donated by Novell.
+ * plug-in architecture, allowing for extension modules to be
+ loaded at run-time.
+ * multi-mechanism GSS-API implementation ("mechglue"),
+ donated by Sun Microsystems
+ * Simple and Protected GSS-API negotiation mechanism ("SPNEGO")
+ implementation, donated by Sun Microsystems
+- remove obsolete patches and add some new
+* Fri May 26 2006 ro@suse.de
+- libcom is not in e2fsck-devel but in its own package now, change
+ Requires accordingly.
+* Mon Mar 27 2006 mc@suse.de
+- add all daemons to %%stop_on_removal and %%restart_on_update
+- add reload to kpropd init script
+- add force-reload to all init scripts
+* Mon Mar 13 2006 mc@suse.de
+- add libgssapi_krb5.so link to main package [#147912]
+* Fri Feb 3 2006 mc@suse.de
+- fix logging section for kadmind in convert script
+* Wed Jan 25 2006 mls@suse.de
+- converted neededforbuild to BuildRequires
+* Fri Jan 13 2006 mc@suse.de
+- change the logging defaults
+* Wed Jan 11 2006 mc@suse.de
+- add tools and README for heimdal => MIT update
+* Mon Jan 9 2006 mc@suse.de
+- fix build problems, define _GNU_SOURCE
+ (krb5-1.4.3-set_gnu_source.dif )
+* Tue Jan 3 2006 mc@suse.de
+- added "make %%{?jobs:-j%%jobs}"
+* Fri Nov 18 2005 mc@suse.de
+- update to version 1.4.3
+ * some memmory leaks fixed
+ * fix for "AS_REP padata has wrong enctype"
+ * fix for "AS_REP padata missing PA-ETYPE-INFO"
+ * ... and more
+* Wed Nov 2 2005 dmueller@suse.de
+- don't build as root
+* Tue Oct 11 2005 mc@suse.de
+- update to version 1.4.2
+- remove some obsolet patches
+* Mon Aug 8 2005 mc@suse.de
+- build with --disable-static
+* Thu Aug 4 2005 ro@suse.de
+- remove devel-static subpackage
+* Thu Jun 30 2005 mc@suse.de
+- better patch for princ_comp problem
+* Mon Jun 27 2005 mc@suse.de
+- update to version 1.4.1
+- remove obsolet patches
+ - krb5-1.4-gcc4.dif
+ - krb5-1.4-reduce-namespace-polution.dif
+ - krb5-1.4-VUL-0-telnet.dif
+* Thu Jun 23 2005 mc@suse.de
+- fixed krb5 KDC heap corruption by random free
+ [#80574, CAN-2005-1174, MITKRB5-SA-2005-002]
+- fixed krb5 double free()
+ [#86768, CAN-2005-1689, MITKRB5-SA-2005-003]
+- fix krb5 NULL pointer reference while comparing principals
+ [#91600]
+* Fri Jun 17 2005 mc@suse.de
+- fix uninitialized variables
+- compile with -fPIE/ link with -pie
+* Wed Apr 20 2005 mc@suse.de
+- fixed wrong xinetd files [#77149]
+* Fri Apr 8 2005 mt@suse.de
+- removed krb5-1.4-fix-error_tables.dif patch obsoleted
+ by libcom_err locking patches
+* Thu Apr 7 2005 mc@suse.de
+- fixed missing descriptions in init files
+ [#76164, #76165, #76166, #76169]
+* Wed Mar 30 2005 mc@suse.de
+- enhance $PATH via /etc/profile.d/ [#74018]
+- remove the "links to important programs"
+* Fri Mar 18 2005 mc@suse.de
+- fixed not running converter script [#72854]
+* Thu Mar 17 2005 mc@suse.de
+- Fix CAN-2005-0469: Multiple Telnet Client slc_add_reply() Buffer
+ Overflow
+- Fix CAN-2005-0468: Multiple Telnet Client env_opt_add() Buffer
+ Overflow
+ [#73618]
+* Wed Mar 16 2005 mc@suse.de
+- fixed wrong PreReqs [#73020]
+* Tue Mar 15 2005 mc@suse.de
+- add a simple krb5.conf converter [#72854]
+* Mon Mar 14 2005 mc@suse.de
+- fixed: rckrb5kdc restart gives wrong status with non-running service
+ [#72446]
+* Thu Mar 10 2005 mc@suse.de
+- add requires: e2fsprogs-devel to krb5-devel package [#71732]
+* Fri Feb 25 2005 mc@suse.de
+- fix double free [#66534]
+ krb5-1.4-fix-error_tables.dif
+* Fri Feb 11 2005 mc@suse.de
+- change mode for shared libraries to 755
+* Fri Feb 4 2005 mc@suse.de
+- remove spx.c from tarball because of legal risk
+- add README.Source which tell the user about this
+ action.
+- add a check for spx.c in the spec-file
+- use rich-text for update-messages [#50250]
+* Tue Feb 1 2005 mc@suse.de
+- add krb5-1.4-reduce-namespace-polution.dif
+ reduce namespace polution in gssapi.h [#50356]
+* Fri Jan 28 2005 mc@suse.de
+- update to version 1.4
+- Add implementation of the RPCSEC_GSS authentication flavor to the
+ RPC library.
+- Thread safety for krb5 libraries.
+- Merged Athena telnetd changes for creating a new option for
+ requiring encryption.
+- The kadmind4 backwards-compatibility admin server and the v5passwdd
+ backwards-compatibility password-changing server have been removed.
+- Yarrow code now uses AES.
+- Merged Athena changes to allow ftpd to require encrypted passwords.
+- Incorporate gss_krb5_set_allowable_enctypes() and
+ gss_krb5_export_lucid_sec_context(), which are needed for NFSv4.
+- remove obsolet patches
+* Mon Jan 17 2005 mc@suse.de
+- add proofreaded update-messages
+* Fri Jan 14 2005 mc@suse.de
+- remove Conflicts: and add Provides:
+- add some insserv stuff
+* Thu Jan 13 2005 mc@suse.de
+- move vendor files to vendor-files.tar.bz2
+- add obsoletes: heimdal
+- add %%pre and %%post sections to detect update
+ from heimdal and backup invalid configuration files
+- add update-messages for heimdal update
+* Mon Jan 10 2005 mc@suse.de
+- update to version 1.3.6
+- fix for: heap buffer overflow in libkadm5srv
+ [CAN-2004-1189 / MITKRB5-SA-2004-004]
+* Tue Dec 14 2004 mc@suse.de
+- build doc subpackage in an own specfile
+- removed unnecessary neededforbuild requirements
+* Wed Nov 24 2004 coolo@suse.de
+- fix build with gcc 4
+* Mon Nov 15 2004 mc@suse.de
+- added Conflicts with heimdal*
+- rename some manpages to avoid conflicts
+* Thu Nov 4 2004 mc@suse.de
+- new init scripts
+- fix logrotate scripts
+- add some 64Bit fixes
+- add default krb5.conf, kdc.conf and kadm5.acl
+* Wed Nov 3 2004 mc@suse.de
+- add e2fsprogs to NFB
+- use system-et and system-ss
+- fix includes of com_err.h
+* Thu Oct 28 2004 mc@suse.de
+- Initital checkin
diff --git a/krb5.keyring b/krb5.keyring
new file mode 100644
index 0000000..b465007
Binary files /dev/null and b/krb5.keyring differ
diff --git a/krb5.spec b/krb5.spec
new file mode 100644
index 0000000..cee1007
--- /dev/null
+++ b/krb5.spec
@@ -0,0 +1,501 @@
+#
+# spec file for package krb5
+#
+# Copyright (c) 2022-2023 ZhuningOS
+#
+
+
+#Compat macro for new _fillupdir macro introduced in Nov 2017
+%if ! %{defined _fillupdir}
+ %define _fillupdir %{_localstatedir}/adm/fillup-templates
+%endif
+Name: krb5
+Version: 1.20.1
+Release: 150500.3.3.1
+Summary: MIT Kerberos5 implementation
+License: MIT
+URL: https://kerberos.org/dist/
+Source0: https://kerberos.org/dist/krb5/1.20/krb5-%{version}.tar.gz
+Source1: https://kerberos.org/dist/krb5/1.20/krb5-%{version}.tar.gz.asc
+Source2: krb5.keyring
+Source3: vendor-files.tar.bz2
+Source4: baselibs.conf
+Source5: krb5-rpmlintrc
+Source6: ksu-pam.d
+Source7: krb5.tmpfiles
+Patch1: 0001-ksu-pam-integration.patch
+Patch2: 0002-krb5-1.9-manpaths.patch
+Patch3: 0003-Adjust-build-configuration.patch
+Patch4: 0004-krb5-1.6.3-gssapi_improve_errormessages.patch
+Patch5: 0005-krb5-1.6.3-ktutil-manpage.patch
+Patch6: 0006-krb5-1.12-api.patch
+Patch7: 0007-SELinux-integration.patch
+Patch8: 0008-krb5-1.9-debuginfo.patch
+Patch9: 0009-Ensure-array-count-consistency-in-kadm5-RPC.patch
+BuildRequires: autoconf
+BuildRequires: bison
+BuildRequires: cyrus-sasl-devel
+BuildRequires: keyutils
+BuildRequires: keyutils-devel
+BuildRequires: openldap2-devel
+BuildRequires: pam-devel
+BuildRequires: pkgconfig
+BuildRequires: pkgconfig(com_err)
+BuildRequires: pkgconfig(libselinux)
+BuildRequires: pkgconfig(libssl)
+BuildRequires: pkgconfig(libverto)
+BuildRequires: pkgconfig(ncurses)
+BuildRequires: pkgconfig(ss)
+BuildRequires: pkgconfig(systemd)
+# bug437293
+%ifarch ppc64
+Obsoletes: krb5-64bit
+%endif
+Conflicts: krb5-mini
+Obsoletes: krb5-plugin-preauth-pkinit-nss
+
+%description
+Kerberos V5 is a trusted-third-party network authentication system,
+which can improve network security by eliminating the insecure
+practice of clear text passwords.
+
+%package client
+Summary: Client programs of the MIT Kerberos5 implementation
+Conflicts: krb5-mini
+
+%description client
+Kerberos V5 is a trusted-third-party network authentication system,
+which can improve network security by eliminating the insecure
+practice of cleartext passwords. This package includes some required
+client programs, like kinit, kadmin, ...
+
+%package server
+Summary: Server program of the MIT Kerberos5 implementation
+Requires: cron
+Requires: libverto-libev1
+Requires: logrotate
+Requires: perl-Date-Calc
+Requires(post): %fillup_prereq
+%{?systemd_requires}
+
+%description server
+Kerberos V5 is a trusted-third-party network authentication system,
+which can improve network security by eliminating the insecure
+practice of cleartext passwords. This package includes the kdc, kadmind
+and more.
+
+%package plugin-kdb-ldap
+Summary: LDAP database plugin for MIT Kerberos5
+Requires: krb5-server = %{version}
+
+%description plugin-kdb-ldap
+Kerberos V5 is a trusted-third-party network authentication system,
+which can improve network security by eliminating the insecure
+practice of clear text passwords. This package contains the LDAP
+database plugin.
+
+%package plugin-preauth-pkinit
+Summary: PKINIT preauthentication plugin for MIT Kerberos5
+
+%description plugin-preauth-pkinit
+Kerberos V5 is a trusted-third-party network authentication system,
+which can improve network security by eliminating the insecure
+practice of cleartext passwords. This package includes a PKINIT plugin.
+
+%package plugin-preauth-otp
+Summary: OTP preauthentication plugin for MIT Kerberos5
+
+%description plugin-preauth-otp
+Kerberos V5 is a trusted-third-party network authentication system,
+which can improve network security by eliminating the insecure
+practice of cleartext passwords. This package includes a OTP plugin.
+
+%package plugin-preauth-spake
+Summary: SPAKE preauthentication plugin for MIT Kerberos5
+
+%description plugin-preauth-spake
+Kerberos V5 is a trusted-third-party network authentication system,
+which can improve network security by eliminating the insecure
+practice of cleartext passwords. This package includes a SPAKE plugin.
+
+%package doc
+Summary: Documentation for the MIT Kerberos5 implementation
+
+%description doc
+Kerberos V5 is a trusted-third-party network authentication
+system,which can improve network security by eliminating the
+insecurepractice of clear text passwords. This package includes
+extended documentation for MIT Kerberos.
+
+%package devel
+Summary: Development files for MIT Kerberos5
+Requires: %{name} = %{version}
+Requires: keyutils-devel
+Requires: pkgconfig(com_err)
+Requires: pkgconfig(libverto)
+Requires: pkgconfig(ss)
+# bug437293
+%ifarch ppc64
+Obsoletes: krb5-devel-64bit
+%endif
+Conflicts: krb5-mini-devel
+
+%description devel
+Kerberos V5 is a trusted-third-party network authentication system,
+which can improve network security by eliminating the insecure
+practice of cleartext passwords. This package includes Libraries and
+Include Files for Development
+
+%define srcRoot krb5-%{version}
+%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
+%define krb5docdir %{_defaultdocdir}/krb5
+
+%prep
+%setup -q -n %{srcRoot}
+%setup -q -a 3 -T -D -n %{srcRoot}
+%autopatch -p1
+
+%build
+# needs to be re-generated
+rm -f src/lib/krb5/krb/deltat.c
+cd src
+autoreconf -fi
+DEFCCNAME=DIR:/run/user/%%{uid}/krb5cc; export DEFCCNAME
+%configure \
+ CFLAGS="%{optflags} -I%{_includedir}/et -fno-strict-aliasing -D_GNU_SOURCE -fPIC $(getconf LFS_CFLAGS)" \
+ CPPFLAGS="-I%{_includedir}/et " \
+ SS_LIB="-lss" \
+ --prefix=/usr/lib/mit \
+ --sysconfdir=%{_sysconfdir} \
+ --mandir=%{_mandir} \
+ --infodir=%{_infodir} \
+ --libexecdir=/usr/lib/mit/sbin \
+ --bindir=%{_prefix}/lib/mit/bin \
+ --sbindir=%{_prefix}/lib/mit/sbin \
+ --datadir=%{_prefix}/lib/mit/share \
+ --libdir=%{_libdir} \
+ --includedir=%{_includedir} \
+ --localstatedir=%{_localstatedir}/lib/kerberos \
+ --localedir=%{_datadir}/locale \
+ --enable-shared \
+ --disable-static \
+ --enable-dns-for-realm \
+ --disable-rpath \
+ --with-ldap \
+ --with-pam \
+ --enable-pkinit \
+ --with-crypto-impl=openssl \
+ --with-selinux \
+ --with-system-et \
+ --with-system-ss \
+ --with-system-verto
+
+%make_build
+
+# Copy kadmin manual page into kadmin.local's due to the split between client and server package
+cp man/kadmin.man man/kadmin.local.8
+
+%install
+mkdir -p %{buildroot}/%{_localstatedir}/log/krb5
+%make_install -C src
+# Munge krb5-config yet again. This is totally wrong for 64-bit, but chunks
+# of the buildconf patch already conspire to strip out /usr/ from the
+# list of link flags, and it helps prevent file conflicts on multilib systems.
+sed -r -i -e 's|^libdir=%{_prefix}/lib(64)?$|libdir=%{_prefix}/lib|g' %{buildroot}%{_prefix}/lib/mit/bin/krb5-config
+
+# And again. krb5-config does not distinguish between libdir, includedir,
+# just exec_prefix. Libraries and headers not installed under /usr/lib/mit
+# prefix (bsc#1174079).
+sed -r -i -e 's|^prefix=%{_prefix}/lib/mit$|prefix=/usr|g' %{buildroot}%{_prefix}/lib/mit/bin/krb5-config
+sed -r -i -e 's|^exec_prefix=\$\{prefix\}$|exec_prefix=%{_prefix}/lib/mit|g' %{buildroot}%{_prefix}/lib/mit/bin/krb5-config
+
+# install autoconf macro
+mkdir -p %{buildroot}/%{_datadir}/aclocal
+install -m 644 src/util/ac_check_krb5.m4 %{buildroot}%{_datadir}/aclocal/
+# install sample config files
+# I'll probably do something about this later on
+mkdir -p %{buildroot}%{_sysconfdir}
+mkdir -p %{buildroot}%{_sysconfdir}/krb5.conf.d
+mkdir -p %{buildroot}%{_sysconfdir}/profile.d/
+mkdir -p %{buildroot}%{_localstatedir}/log/krb5
+# create plugin directories
+mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/kdb
+mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/preauth
+mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/libkrb5
+mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/tls
+install -m 644 %{vendorFiles}/krb5.conf %{buildroot}%{_sysconfdir}
+install -m 644 %{vendorFiles}/krb5.csh.profile %{buildroot}%{_sysconfdir}/profile.d/krb5.csh
+install -m 644 %{vendorFiles}/krb5.sh.profile %{buildroot}%{_sysconfdir}/profile.d/krb5.sh
+
+# Do not write directly to /var/lib/kerberos anymore as it breaks transactional
+# updates. Use systemd-tmpfiles to copy the files there when it doesn't exist
+install -d -m 0755 %{buildroot}%{_tmpfilesdir}
+install -m 644 %{SOURCE7} %{buildroot}%{_tmpfilesdir}/krb5.conf
+mkdir -p %{buildroot}/%{_datadir}/kerberos/krb5kdc
+# Where per-user keytabs live by default.
+mkdir -p %{buildroot}/%{_datadir}/kerberos/krb5/user
+install -m 600 %{vendorFiles}/kdc.conf %{buildroot}%{_datadir}/kerberos/krb5kdc/
+install -m 600 %{vendorFiles}/kadm5.acl %{buildroot}%{_datadir}/kerberos/krb5kdc/
+install -m 600 %{vendorFiles}/kadm5.dict %{buildroot}%{_datadir}/kerberos/krb5kdc/
+
+# all libs must have permissions 0755
+for lib in `find %{buildroot}/%{_libdir}/ -type f -name "*.so*"`
+do
+ chmod 0755 ${lib}
+done
+# and binaries too
+chmod 0755 %{buildroot}%{_prefix}/lib/mit/bin/ksu
+# install systemd files
+%if 0%{?suse_version} >= 1210
+mkdir -p %{buildroot}%{_unitdir}
+install -m 644 %{vendorFiles}/kadmind.service %{buildroot}%{_unitdir}
+install -m 644 %{vendorFiles}/krb5kdc.service %{buildroot}%{_unitdir}
+install -m 644 %{vendorFiles}/kpropd.service %{buildroot}%{_unitdir}
+%else
+# install init scripts
+mkdir -p %{buildroot}%{_sysconfdir}/init.d
+install -m 755 %{vendorFiles}/kadmind.init %{buildroot}%{_sysconfdir}/init.d/kadmind
+install -m 755 %{vendorFiles}/krb5kdc.init %{buildroot}%{_sysconfdir}/init.d/krb5kdc
+install -m 755 %{vendorFiles}/kpropd.init %{buildroot}%{_sysconfdir}/init.d/kpropd
+%endif
+# install sysconfig templates
+mkdir -p %{buildroot}/%{_fillupdir}
+install -m 644 %{vendorFiles}/sysconfig.kadmind %{buildroot}/%{_fillupdir}/
+install -m 644 %{vendorFiles}/sysconfig.krb5kdc %{buildroot}/%{_fillupdir}/
+# install logrotate files
+mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d
+install -m 644 %{vendorFiles}/krb5-server.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/krb5-server
+find . -type f -name '*.ps' -exec gzip -9 {} +
+# create rc* links
+mkdir -p %{buildroot}%{_bindir}/
+mkdir -p %{buildroot}%{_sbindir}/
+ln -s service %{buildroot}%{_sbindir}/rckadmind
+ln -s service %{buildroot}%{_sbindir}/rckrb5kdc
+ln -s service %{buildroot}%{_sbindir}/rckpropd
+# create links for kinit and klist, because of the java ones
+ln -sf ../../usr/lib/mit/bin/kinit %{buildroot}%{_bindir}/kinit
+ln -sf ../../usr/lib/mit/bin/klist %{buildroot}%{_bindir}/klist
+# install doc
+install -d -m 755 %{buildroot}/%{krb5docdir}
+install -m 644 %{_builddir}/%{srcRoot}/README %{buildroot}/%{krb5docdir}/README
+install -d -m 755 %{buildroot}/%{_datadir}/kerberos/ldap
+install -m 644 %{_builddir}/%{srcRoot}/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema %{buildroot}/%{_datadir}/kerberos/ldap/kerberos.schema
+install -m 644 %{_builddir}/%{srcRoot}/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif %{buildroot}/%{_datadir}/kerberos/ldap/kerberos.ldif
+# link pam-config for su to ksu
+mkdir -p %{buildroot}%{_sysconfdir}/pam.d/
+install -m 644 %{SOURCE6} %{buildroot}%{_sysconfdir}/pam.d/ksu
+
+# cleanup
+rm -f %{buildroot}%{_mandir}/man1/tmac.doc*
+rm -f %{_mandir}/man1/tmac.doc* html/.doctrees/environment.pickle
+rm -rf %{buildroot}%{_prefix}/lib/mit/share/examples
+# manually remove test plugin since configure doesn't support disabling it at build time
+rm -f %{buildroot}/%{_libdir}/krb5/plugins/preauth/test.so
+
+%if "%{_lto_cflags}" != ""
+# Don't add the lto flags to the public link flags.
+sed -i "s/%{_lto_cflags}//" %{buildroot}%{_prefix}/lib/mit/bin/krb5-config
+%endif
+
+%find_lang mit-krb5
+
+%post -p /sbin/ldconfig
+%postun -p /sbin/ldconfig
+
+%preun server
+%service_del_preun krb5kdc.service kadmind.service kpropd.service
+
+%postun server
+%service_del_postun krb5kdc.service kadmind.service kpropd.service
+
+%post server
+%service_add_post krb5kdc.service kadmind.service kpropd.service
+%tmpfiles_create krb5.conf
+%{fillup_only -n kadmind}
+%{fillup_only -n krb5kdc}
+%{fillup_only -n kpropd}
+
+%pre server
+%service_add_pre krb5kdc.service kadmind.service kpropd.service
+
+%post plugin-kdb-ldap -p /sbin/ldconfig
+%postun plugin-kdb-ldap -p /sbin/ldconfig
+
+%files devel
+%dir %{_prefix}/lib/mit
+%dir %{_prefix}/lib/mit/bin
+%dir %{_prefix}/lib/mit/sbin
+# XXX %dir %{_prefix}/lib/mit/share
+%dir %{_datadir}/aclocal
+%{_libdir}/libgssrpc.so
+%{_libdir}/libk5crypto.so
+%{_libdir}/libkadm5clnt_mit.so
+%{_libdir}/libkadm5clnt.so
+%{_libdir}/libkadm5srv_mit.so
+%{_libdir}/libkadm5srv.so
+%{_libdir}/libkdb5.so
+%{_libdir}/libkrb5.so
+%{_libdir}/libkrb5support.so
+%{_libdir}/libkrad.so
+%{_libdir}/pkgconfig/gssrpc.pc
+%{_libdir}/pkgconfig/kadm-client.pc
+%{_libdir}/pkgconfig/kadm-server.pc
+%{_libdir}/pkgconfig/kdb.pc
+%{_libdir}/pkgconfig/krb5-gssapi.pc
+%{_libdir}/pkgconfig/krb5.pc
+%{_libdir}/pkgconfig/mit-krb5-gssapi.pc
+%{_libdir}/pkgconfig/mit-krb5.pc
+%{_includedir}/*
+%{_prefix}/lib/mit/bin/krb5-config
+%{_prefix}/lib/mit/sbin/krb5-send-pr
+%{_mandir}/man1/krb5-config.1%{?ext_man}
+%{_datadir}/aclocal/ac_check_krb5.m4
+
+%files -f mit-krb5.lang
+%dir %{krb5docdir}
+# add plugin directories
+%dir %{_libdir}/krb5
+%dir %{_libdir}/krb5/plugins
+%dir %{_libdir}/krb5/plugins/kdb
+%dir %{_libdir}/krb5/plugins/preauth
+%dir %{_libdir}/krb5/plugins/libkrb5
+%dir %{_libdir}/krb5/plugins/tls
+# add log directory
+%attr(0700,root,root) %dir %{_localstatedir}/log/krb5
+%doc %{krb5docdir}/README
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/krb5.conf
+%dir %{_sysconfdir}/krb5.conf.d
+%attr(0644,root,root) %config /etc/profile.d/krb5*
+%{_libdir}/libgssapi_krb5.*
+%{_libdir}/libgssrpc.so.*
+%{_libdir}/libk5crypto.so.*
+%{_libdir}/libkadm5clnt_mit.so.*
+%{_libdir}/libkadm5srv_mit.so.*
+%{_libdir}/libkdb5.so.*
+%{_libdir}/libkrb5.so.*
+%{_libdir}/libkrb5support.so.*
+%{_libdir}/libkrad.so.*
+%{_libdir}/krb5/plugins/tls/*.so
+
+%files server
+%attr(0700,root,root) %dir %{_localstatedir}/log/krb5
+%config(noreplace) %{_sysconfdir}/logrotate.d/krb5-server
+%{_unitdir}/kadmind.service
+%{_unitdir}/krb5kdc.service
+%{_unitdir}/kpropd.service
+%{_tmpfilesdir}/krb5.conf
+%dir %{krb5docdir}
+%dir %{_prefix}/lib/mit
+%dir %{_prefix}/lib/mit/sbin
+%dir %{_datadir}/kerberos/
+%dir %{_datadir}/kerberos/krb5kdc
+%dir %{_datadir}/kerberos/krb5
+%dir %{_datadir}/kerberos/krb5/user
+%dir %{_libdir}/krb5
+%dir %{_libdir}/krb5/plugins
+%dir %{_libdir}/krb5/plugins/kdb
+%dir %{_libdir}/krb5/plugins/tls
+%attr(0600,root,root) %config(noreplace) %{_datadir}/kerberos/krb5kdc/kdc.conf
+%attr(0600,root,root) %config(noreplace) %{_datadir}/kerberos/krb5kdc/kadm5.acl
+%attr(0600,root,root) %config(noreplace) %{_datadir}/kerberos/krb5kdc/kadm5.dict
+%ghost %dir %{_sharedstatedir}/kerberos/
+%ghost %dir %{_sharedstatedir}/kerberos/krb5kdc
+%ghost %dir %{_sharedstatedir}/kerberos/krb5
+%ghost %dir %{_sharedstatedir}/kerberos/krb5/user
+%ghost %attr(0600,root,root) %config(noreplace) %{_sharedstatedir}/kerberos/krb5kdc/kdc.conf
+%ghost %attr(0600,root,root) %config(noreplace) %{_sharedstatedir}/kerberos/krb5kdc/kadm5.acl
+%ghost %attr(0600,root,root) %config(noreplace) %{_sharedstatedir}/kerberos/krb5kdc/kadm5.dict
+%{_fillupdir}/sysconfig.*
+%{_sbindir}/rc*
+%{_prefix}/lib/mit/sbin/kadmin.local
+%{_prefix}/lib/mit/sbin/kadmind
+%{_prefix}/lib/mit/sbin/kpropd
+%{_prefix}/lib/mit/sbin/kproplog
+%{_prefix}/lib/mit/sbin/kprop
+%{_prefix}/lib/mit/sbin/kdb5_util
+%{_prefix}/lib/mit/sbin/krb5kdc
+%{_prefix}/lib/mit/sbin/gss-server
+%{_prefix}/lib/mit/sbin/sim_server
+%{_prefix}/lib/mit/sbin/sserver
+%{_prefix}/lib/mit/sbin/uuserver
+%{_libdir}/krb5/plugins/kdb/db2.so
+%{_mandir}/man5/kdc.conf.5%{?ext_man}
+%{_mandir}/man5/kadm5.acl.5%{?ext_man}
+%{_mandir}/man8/kadmind.8%{?ext_man}
+%{_mandir}/man8/kadmin.local.8%{?ext_man}
+%{_mandir}/man8/kpropd.8%{?ext_man}
+%{_mandir}/man8/kprop.8%{?ext_man}
+%{_mandir}/man8/kproplog.8%{?ext_man}
+%{_mandir}/man8/kdb5_util.8%{?ext_man}
+%{_mandir}/man8/krb5kdc.8%{?ext_man}
+%{_mandir}/man8/sserver.8%{?ext_man}
+
+%files client
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/ksu
+%{_prefix}/lib/mit/bin/kvno
+%{_prefix}/lib/mit/bin/kinit
+%{_prefix}/lib/mit/bin/kdestroy
+%{_prefix}/lib/mit/bin/kpasswd
+%{_prefix}/lib/mit/bin/klist
+%{_prefix}/lib/mit/bin/kadmin
+%{_prefix}/lib/mit/bin/ktutil
+%{_prefix}/lib/mit/bin/k5srvutil
+%{_prefix}/lib/mit/bin/gss-client
+%{_prefix}/lib/mit/bin/ksu
+%{_prefix}/lib/mit/bin/sclient
+%{_prefix}/lib/mit/bin/sim_client
+%{_prefix}/lib/mit/bin/uuclient
+%{_prefix}/lib/mit/bin/kswitch
+%{_bindir}/kinit
+%{_bindir}/klist
+%{_mandir}/man1/kvno.1%{?ext_man}
+%{_mandir}/man1/kinit.1%{?ext_man}
+%{_mandir}/man1/kdestroy.1%{?ext_man}
+%{_mandir}/man1/kpasswd.1%{?ext_man}
+%{_mandir}/man1/klist.1%{?ext_man}
+%{_mandir}/man1/kadmin.1%{?ext_man}
+%{_mandir}/man1/ktutil.1%{?ext_man}
+%{_mandir}/man1/k5srvutil.1%{?ext_man}
+%{_mandir}/man1/kswitch.1%{?ext_man}
+%{_mandir}/man5/krb5.conf.5%{?ext_man}
+%{_mandir}/man5/.k5login.5%{?ext_man}
+%{_mandir}/man5/.k5identity.5%{?ext_man}
+%{_mandir}/man5/k5identity.5%{?ext_man}
+%{_mandir}/man5/k5login.5%{?ext_man}
+%{_mandir}/man1/ksu.1%{?ext_man}
+%{_mandir}/man1/sclient.1%{?ext_man}
+%{_mandir}/man7/kerberos.7%{?ext_man}
+
+%files plugin-kdb-ldap
+%dir %{_prefix}/lib/mit/sbin/
+%{_prefix}/lib/mit/sbin/kdb5_ldap_util
+%dir %{_datadir}/kerberos
+%dir %{_datadir}/kerberos/ldap
+%config %{_datadir}/kerberos/ldap/kerberos.schema
+%config %{_datadir}/kerberos/ldap/kerberos.ldif
+%dir %{_libdir}/krb5
+%dir %{_libdir}/krb5/plugins
+%dir %{_libdir}/krb5/plugins/kdb
+%{_libdir}/krb5/plugins/kdb/kldap.so
+%{_libdir}/libkdb_ldap*
+%{_mandir}/man8/kdb5_ldap_util.8%{?ext_man}
+
+%files plugin-preauth-pkinit
+%dir %{_libdir}/krb5
+%dir %{_libdir}/krb5/plugins
+%dir %{_libdir}/krb5/plugins/preauth
+%{_libdir}/krb5/plugins/preauth/pkinit.so
+
+%files plugin-preauth-otp
+%dir %{_libdir}/krb5
+%dir %{_libdir}/krb5/plugins
+%dir %{_libdir}/krb5/plugins/preauth
+%{_libdir}/krb5/plugins/preauth/otp.so
+
+%files plugin-preauth-spake
+%dir %{_libdir}/krb5
+%dir %{_libdir}/krb5/plugins
+%dir %{_libdir}/krb5/plugins/preauth
+%{_libdir}/krb5/plugins/preauth/spake.so
+
+%changelog
diff --git a/krb5.tmpfiles b/krb5.tmpfiles
new file mode 100644
index 0000000..9946946
--- /dev/null
+++ b/krb5.tmpfiles
@@ -0,0 +1,7 @@
+d /var/lib/kerberos 0755 root root -
+d /var/lib/kerberos/krb5 0755 root root -
+d /var/lib/kerberos/krb5/user 0755 root root -
+d /var/lib/kerberos/krb5kdc 0755 root root -
+C /var/lib/kerberos/krb5kdc/kdc.conf 0600 root root - /usr/share/kerberos/krb5kdc/kdc.conf
+C /var/lib/kerberos/krb5kdc/kadm5.acl 0600 root root - /usr/share/kerberos/krb5kdc/kadm5.acl
+C /var/lib/kerberos/krb5kdc/kadm5.dict 0600 root root - /usr/share/kerberos/krb5kdc/kadm5.dict
diff --git a/ksu-pam.d b/ksu-pam.d
new file mode 100644
index 0000000..6b771f3
--- /dev/null
+++ b/ksu-pam.d
@@ -0,0 +1,9 @@
+#%PAM-1.0
+auth sufficient pam_rootok.so
+auth include common-auth
+account sufficient pam_rootok.so
+account include common-account
+password include common-password
+session optional pam_keyinit.so force revoke
+session include common-session
+session optional pam_xauth.so
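Review bot: In the krb5.spec `# cleanup` block, `rm -f %{_mandir}/man1/tmac.doc* html/.doctrees/environment.pickle` is not rooted in `%{buildroot}`, so it deletes from the build environment's own man tree (and a relative `html/` path) rather than from anything being packaged; the line before it already removes `%{buildroot}%{_mandir}/man1/tmac.doc*`, so this one should be dropped, or rebased under `%{buildroot}` if a packaged path was meant. ksu is `chmod 0755`'d in `%install` and listed in `%files client` with no `%attr`, so it is shipped without the setuid bit; if that is deliberate (it keeps a privilege-sensitive binary out of the setuid set), record it where it happens, e.g. replace `# and binaries too` with `# ksu is intentionally installed without the setuid bit`. Two smaller points in the same hunk: `%{buildroot}%{_localstatedir}/log/krb5` is created twice in `%install` (before and after `%make_install`), and `%config /etc/profile.d/krb5*` in the main `%files` list hard-codes `/etc` where the rest of the file uses `%{_sysconfdir}`.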