rpms/krb5/devel ksu.pamd, NONE, 1.1 krb5-1.6.1-pam.patch, 1.7, 1.8 krb5.spec, 1.193, 1.194
Nalin Dahyabhai
nalin at fedoraproject.org
Thu Apr 23 22:43:27 UTC 2009
Author: nalin
Update of /cvs/pkgs/rpms/krb5/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv24339
Modified Files:
krb5-1.6.1-pam.patch krb5.spec
Added Files:
ksu.pamd
Log Message:
- extend PAM support to ksu: perform account and session management for the
target user
- pull up and merge James Leddy's changes to also set PAM_RHOST in PAM-aware
network-facing services
--- NEW FILE ksu.pamd ---
#%PAM-1.0
# PAM stack consulted by ksu for the *target* account: only account and
# session management, inherited from su. There is deliberately no auth
# stack here; the patched ksu never calls pam_authenticate (it relies on
# its own Kerberos authentication) and only performs account, session and
# credential setup for the user it switches to.
account include su
session include su
krb5-1.6.1-pam.patch:
Index: krb5-1.6.1-pam.patch
===================================================================
RCS file: /cvs/pkgs/rpms/krb5/devel/krb5-1.6.1-pam.patch,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- krb5-1.6.1-pam.patch 16 Jul 2008 18:09:47 -0000 1.7
+++ krb5-1.6.1-pam.patch 23 Apr 2009 22:43:25 -0000 1.8
@@ -28,7 +28,15 @@
can be reset to the earlier, non-PAM behavior by setting "use_pam" to
false in the [login] section of /etc/krb5.conf.
-When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
+Modify ksu so that it performs account and session management for the
+target user account, mimicking the action of regular su. The default
+service name is "ksu", because on Fedora at least the configuration used
+is determined by whether or not a login shell is being opened, and so
+this may need to vary, too. At run-time, ksu's behavior can be reset to
+the earlier, non-PAM behavior by setting "use_pam" to false in the [ksu]
+section of /etc/krb5.conf.
+
+When enabled, ftpd, krshd, login.krb5, and ksu gain dependence on libpam.
--- krb5-1.6.1/src/appl/bsd/configure.in 2006-03-27 23:35:02.000000000 -0500
+++ krb5-1.6.1/src/appl/bsd/configure.in 2007-06-21 17:39:57.000000000 -0400
@@ -76,7 +84,7 @@
#ifdef KERBEROS
#if defined(KRB5_KRB4_COMPAT) && !defined(ALWAYS_V5_KUSEROK)
-@@ -1151,11 +1148,49 @@ void doit(f, fromp)
+@@ -1151,11 +1148,50 @@ void doit(f, fromp)
goto signout_please;
}
@@ -88,6 +96,7 @@
+ 0,
+ locuser,
+ "",
++ hostname,
+ do_encrypt ?
+ EKSHELL_PAM_SERVICE :
+ KSHELL_PAM_SERVICE) != 0) {
@@ -126,7 +135,7 @@
/* Log access to account */
pwd = (struct passwd *) getpwnam(locuser);
if (pwd && (pwd->pw_uid == 0)) {
-@@ -1195,7 +1230,7 @@ void doit(f, fromp)
+@@ -1195,7 +1231,7 @@ void doit(f, fromp)
(void) write(2, "", 1);
@@ -135,7 +144,7 @@
if (port&&(pipe(pv) < 0)) {
error("Can't make pipe.\n");
goto signout_please;
-@@ -1507,6 +1542,15 @@ void doit(f, fromp)
+@@ -1507,6 +1543,15 @@ void doit(f, fromp)
environ = envinit;
@@ -215,13 +224,14 @@
#ifdef KRB5_GET_TICKETS
{"krb5_get_tickets", &login_krb5_get_tickets},
#endif
-@@ -1292,6 +1294,18 @@ int main(argc, argv)
+@@ -1292,6 +1300,19 @@ int main(argc, argv)
if (!unix_needs_passwd())
break;
+#ifdef USE_PAM
+ if (login_use_pam) {
+ if (appl_pam_authenticate(LOGIN_PAM_SERVICE, 1, username, "",
++ hostname,
+ ttyname(STDIN_FILENO)) == PAM_SUCCESS) {
+ break;
+ } else {
@@ -234,14 +244,14 @@
/* we have several sets of code:
1) get v5 tickets alone -DKRB5_GET_TICKETS
2) get v4 tickets alone [** don't! only get them *with* v5 **]
-@@ -1406,6 +1420,24 @@ int main(argc, argv)
+@@ -1406,6 +1427,24 @@ int main(argc, argv)
/* committed to login -- turn off timeout */
(void) alarm((u_int) 0);
+#ifdef USE_PAM
+ if (login_use_pam) {
+ if (appl_pam_acct_mgmt(LOGIN_PAM_SERVICE, 1, username, "",
-+ ttyname(STDIN_FILENO)) != 0) {
++ hostname, ttyname(STDIN_FILENO)) != 0) {
+ printf("Login incorrect\n");
+ sleepexit(1);
+ }
@@ -259,7 +269,7 @@
/*
* If valid so far and root is logging in, see if root logins on
* this terminal are permitted.
-@@ -1446,6 +1478,21 @@ int main(argc, argv)
+@@ -1446,6 +1487,21 @@ int main(argc, argv)
sleepexit(0);
}
#endif
@@ -281,7 +291,7 @@
if (chdir(pwd->pw_dir) < 0) {
printf("No directory %s!\n", pwd->pw_dir);
-@@ -1792,6 +1839,11 @@ int main(argc, argv)
+@@ -1792,6 +1846,11 @@ int main(argc, argv)
}
#endif /* KRB5_GET_TICKETS */
@@ -295,11 +305,11 @@
if (pwd->pw_uid == 0)
--- /dev/null 2007-06-22 10:29:46.741860805 -0400
+++ krb5-1.6.1/src/appl/bsd/pam.c 2007-06-22 14:22:10.000000000 -0400
-@@ -0,0 +1,414 @@
+@@ -0,0 +1,424 @@
+/*
+ * src/appl/bsd/pam.c
+ *
-+ * Copyright 2007 Red Hat, Inc.
++ * Copyright 2007,2009 Red Hat, Inc.
+ *
+ * All Rights Reserved.
+ *
@@ -332,6 +342,7 @@
+ * Convenience wrappers for using PAM.
+ */
+
++#include "autoconf.h"
+#ifdef USE_PAM
+#include <sys/types.h>
+#include <stdio.h>
@@ -549,6 +560,7 @@
+appl_pam_start(const char *service, int interactive,
+ const char *login_username,
+ const char *non_interactive_password,
++ const char *hostname,
+ const char *tty)
+{
+ static int exit_handler_registered;
@@ -577,6 +589,12 @@
+ ret = pam_start(service, login_username,
+ &appl_pam_conv, &appl_pamh);
+ if (ret == 0) {
++ if (hostname != NULL) {
++#ifdef DEBUG
++ printf("Setting PAM_RHOST to \"%s\".\n", hostname);
++#endif
++ pam_set_item(appl_pamh, PAM_RHOST, hostname);
++ }
+ if (tty != NULL) {
+#ifdef DEBUG
+ printf("Setting PAM_TTY to \"%s\".\n", tty);
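Review bot: The return value of `pam_set_item(appl_pamh, PAM_RHOST, hostname)` is discarded, so a failure to record the remote host is silent and any module that keys on PAM_RHOST (host-based account rules, logging) would then run without it while the caller believes the item was set. Since the surrounding `if (ret == 0)` block already threads `ret` back to the caller (its tail lies outside this hunk, so I cannot see the return), the minimal change is `ret = pam_set_item(appl_pamh, PAM_RHOST, hostname);` so that a non-PAM_SUCCESS result aborts the start like a failed `pam_start` does. The PAM_TTY branch just below appears to have the same shape and would benefit from the same treatment, but that code predates this change.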
@@ -602,11 +620,12 @@
+appl_pam_authenticate(const char *service, int interactive,
+ const char *login_username,
+ const char *non_interactive_password,
++ const char *hostname,
+ const char *tty)
+{
+ int ret;
+ ret = appl_pam_start(service, interactive, login_username,
-+ non_interactive_password, tty);
++ non_interactive_password, hostname, tty);
+ if (ret == 0) {
+ ret = pam_authenticate(appl_pamh, 0);
+ }
@@ -616,12 +635,13 @@
+appl_pam_acct_mgmt(const char *service, int interactive,
+ const char *login_username,
+ const char *non_interactive_password,
++ const char *hostname,
+ const char *tty)
+{
+ int ret;
+ appl_pam_pwchange_required = 0;
+ ret = appl_pam_start(service, interactive, login_username,
-+ non_interactive_password, tty);
++ non_interactive_password, hostname, tty);
+ if (ret == 0) {
+#ifdef DEBUG
+ printf("Calling pam_acct_mgmt().\n");
@@ -712,11 +732,11 @@
+#endif
--- /dev/null 2007-06-22 10:29:46.741860805 -0400
+++ krb5-1.6.1/src/appl/bsd/pam.h 2007-06-22 14:27:05.000000000 -0400
-@@ -0,0 +1,61 @@
+@@ -0,0 +1,63 @@
+/*
+ * src/appl/bsd/pam.h
+ *
-+ * Copyright 2007 Red Hat, Inc.
++ * Copyright 2007,2009 Red Hat, Inc.
+ *
+ * All Rights Reserved.
+ *
@@ -761,10 +781,12 @@
+int appl_pam_authenticate(const char *service, int interactive,
+ const char *local_username,
+ const char *non_interactive_password,
++ const char *hostname,
+ const char *tty);
+int appl_pam_acct_mgmt(const char *service, int interactive,
+ const char *local_username,
+ const char *non_interactive_password,
++ const char *hostname,
+ const char *tty);
+int appl_pam_requires_chauthtok(void);
+int appl_pam_chauthtok(void);
@@ -825,7 +847,7 @@
#include <grp.h>
#include <setjmp.h>
#ifndef POSIX_SETJMP
-@@ -803,6 +807,16 @@
+@@ -803,6 +806,21 @@
}
#endif /* KRB5_KRB4_COMPAT */
@@ -833,16 +855,21 @@
+ if (appl_pam_enabled(kcontext, "ftpd")) {
+ if (appl_pam_acct_mgmt(FTP_PAM_SERVICE, 0,
+ pw->pw_name, "",
++ hostname,
+ FTP_PAM_SERVICE) != 0) {
+ reply(530, "Login incorrect.");
+ return;
+ }
++ if (appl_pam_requires_chauthtok()) {
++ reply(530, "Password change required.");
++ return;
++ }
+ }
+#endif
if (!authorized && authlevel == AUTHLEVEL_AUTHORIZE) {
strncat(buf, "; Access denied.",
sizeof(buf) - strlen(buf) - 1);
-@@ -903,6 +916,10 @@ end_login()
+@@ -903,6 +921,10 @@ end_login()
(void) krb5_seteuid((uid_t)0);
if (logged_in)
pty_logwtmp(ttyline, "", "");
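Review bot: The value handed to PAM_RHOST at the new `hostname,` argument line should be checked against what `hostname` actually holds in ftpd.c; in the BSD-derived ftpd the variable of that name is, as far as I recall, the server's own name filled in by gethostname(), while the peer's name is kept in `remotehost`. If that is the case here, host-based account rules in the gssftp PAM stack would be evaluated against the local host instead of the client, which is the opposite of what PAM_RHOST is meant to convey. The same argument is passed at the two later hunks in pass() (the `appl_pam_authenticate` call and the second `appl_pam_acct_mgmt` call), so all three sites would need `remotehost` instead. The declarations are outside this hunk, so this cannot be confirmed from the diff alone; in login.krb5 and krshd the variable called `hostname` is the remote host, which may be how the mismatch crept in.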
@@ -853,7 +880,7 @@
if (have_creds) {
#ifdef GSSAPI
krb5_cc_destroy(kcontext, ccache);
-@@ -1073,9 +1090,17 @@ pass(passwd)
+@@ -1073,9 +1095,18 @@ pass(passwd)
* kpass fails and the user has no local password
* kpass fails and the provided password doesn't match pw
*/
@@ -865,6 +892,7 @@
+ appl_pam_enabled(kcontext, "ftpd") ?
+ (appl_pam_authenticate(FTP_PAM_SERVICE, 0,
+ pw->pw_name, passwd,
++ hostname,
+ FTP_PAM_SERVICE) != 0) :
+#endif
+ (!kpass(pw->pw_name, passwd) &&
@@ -874,7 +902,7 @@
pw = NULL;
sleep(5);
if (++login_attempts >= 3) {
-@@ -1092,6 +1117,17 @@ pass(passwd)
+@@ -1092,6 +1123,22 @@ pass(passwd)
}
login_attempts = 0; /* this time successful */
@@ -882,17 +910,22 @@
+ if (appl_pam_enabled(kcontext, "ftpd")) {
+ if (appl_pam_acct_mgmt(FTP_PAM_SERVICE, 0,
+ pw->pw_name, passwd,
++ hostname,
+ FTP_PAM_SERVICE) != 0) {
+ reply(530, "Login incorrect.");
+ return;
+ }
++ if (appl_pam_requires_chauthtok()) {
++ reply(530, "Password change required.");
++ return;
++ }
+ }
+#endif
+
login(passwd, 0);
return;
}
-@@ -1110,6 +1146,18 @@ login(passwd, logincode)
+@@ -1110,6 +1157,18 @@ login(passwd, logincode)
chown(tkt_string(), pw->pw_uid, pw->pw_gid);
#endif
}
@@ -911,7 +944,7 @@
(void) krb5_setegid((gid_t)pw->pw_gid);
(void) initgroups(pw->pw_name, pw->pw_gid);
-@@ -2125,6 +2173,10 @@ dologout(status)
+@@ -2125,6 +2194,10 @@ dologout(status)
dest_tkt();
#endif
}
@@ -955,7 +988,7 @@
INSTALL_STRIP=
--- krb5-1.6.1/src/aclocal.m4 2007-06-21 17:39:57.000000000 -0400
+++ krb5-1.6.1/src/aclocal.m4 2007-06-21 17:39:57.000000000 -0400
-@@ -1823,3 +1823,82 @@ AC_DEFUN(KRB5_AC_KEYRING_CCACHE,[
+@@ -1823,3 +1823,86 @@ AC_DEFUN(KRB5_AC_KEYRING_CCACHE,[
]))
])dnl
dnl
@@ -975,6 +1008,8 @@
+ withekshellpamservice="$withval",withekshellpamservice=ekshell)
+AC_ARG_WITH(pam-ftp-service,[AC_HELP_STRING(--with-ftp-service,[PAM service name for ftpd ["gssftp"]])],
+ withftppamservice="$withval",withftppamservice=gssftp)
++AC_ARG_WITH(pam-ksu-service,[AC_HELP_STRING(--with-ksu-service,[PAM service name for ksu ["ksu"]])],
++ withksupamservice="$withval",withksupamservice=ksu)
+old_LIBS="$LIBS"
+if test "$withpam" != no ; then
+ AC_MSG_RESULT([checking for PAM...])
@@ -1025,6 +1060,8 @@
+ [Define to the name of the PAM service name to be used by rshd for encrypted sessions.])
+ AC_DEFINE_UNQUOTED(FTP_PAM_SERVICE,"$withftppamservice",
+ [Define to the name of the PAM service name to be used by ftpd.])
++ AC_DEFINE_UNQUOTED(KSU_PAM_SERVICE,"$withksupamservice",
++ [Define to the name of the PAM service name to be used by ksu.])
+ PAM_LIBS="$LIBS"
+ NON_PAM_MAN=".\\\" "
+ PAM_MAN=
@@ -1038,3 +1075,151 @@
+AC_SUBST(PAM_MAN)
+AC_SUBST(NON_PAM_MAN)
+])dnl
+diff -up krb5-1.6.1/src/clients/ksu/Makefile.in krb5-1.6.1/src/clients/ksu/Makefile.in
+--- krb5-1.6.1/src/clients/ksu/Makefile.in 2009-04-21 15:07:16.000000000 -0400
++++ krb5-1.6.1/src/clients/ksu/Makefile.in 2009-04-23 13:47:36.000000000 -0400
+@@ -15,6 +15,7 @@ SRCS = \
+ $(srcdir)/ccache.c \
+ $(srcdir)/authorization.c \
+ $(srcdir)/main.c \
++ $(srcdir)/../../appl/bsd/pam.c \
+ $(srcdir)/heuristic.c \
+ $(srcdir)/xmalloc.c \
+ $(srcdir)/setenv.c
+@@ -23,13 +24,17 @@ OBJS = \
+ ccache.o \
+ authorization.o \
+ main.o \
++ pam.o \
+ heuristic.o \
+ xmalloc.o @SETENVOBJ@
+
+ all:: ksu
+
+ ksu: $(OBJS) $(KRB5_BASE_DEPLIBS)
+- $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS)
++ $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS) $(PAM_LIBS)
++
++pam.o: $(srcdir)/../../appl/bsd/pam.c
++ $(CC) $(ALL_CFLAGS) -c $<
+
+ clean::
+ $(RM) ksu
+--- krb5-1.6.3/src/clients/ksu/main.c 2006-08-15 15:27:08.000000000 -0400
++++ krb5-1.6.3/src/clients/ksu/main.c 2009-04-23 18:39:03.000000000 -0400
+@@ -25,6 +25,7 @@
+ * KSU was writen by: Ari Medvinsky, ari at isi.edu
+ */
+
++#include "autoconf.h"
+ #include "ksu.h"
+ #include "adm_proto.h"
+ #include <sys/types.h>
+@@ -32,6 +33,11 @@
+ #include <signal.h>
+ #include <grp.h>
+
++#ifdef USE_PAM
++#include "../../appl/bsd/pam.h"
++int force_fork = 0;
++#endif
++
+ /* globals */
+ char * prog_name;
+ int auth_debug =0;
+@@ -791,7 +797,24 @@
+ fprintf(stderr, "program to be execed %s\n",params[0]);
+ }
+
+- if( keep_target_cache ) {
++#ifdef USE_PAM
++ if (appl_pam_enabled(ksu_context, "ksu")) {
++ if (appl_pam_acct_mgmt(KSU_PAM_SERVICE, 1, target_user, NULL,
++ NULL, ttyname(STDERR_FILENO)) != 0) {
++ fprintf(stderr, "Access denied for %s.\n", target_user);
++ sweep_up(ksu_context, cc_target);
++ exit(1);
++ }
++ if (appl_pam_requires_chauthtok()) {
++ fprintf(stderr, "Password change required for %s.\n", target_user);
++ sweep_up(ksu_context, cc_target);
++ exit(1);
++ }
++ force_fork++;
++ }
++#endif
++
++ if( keep_target_cache && !force_fork ) {
+ execv(params[0], params);
+ com_err(prog_name, errno, "while trying to execv %s",
+ params[0]);
+@@ -799,6 +822,33 @@
+ exit(1);
+ }else{
+ statusp = 1;
++
++#ifdef USE_PAM
++ if (appl_pam_enabled(ksu_context, "ksu")) {
++ if (appl_pam_session_open() != 0) {
++ fprintf(stderr, "Error opening session for %s.\n", target_user);
++ sweep_up(ksu_context, cc_target);
++ exit(1);
++ }
++#ifdef DEBUG
++ if (auth_debug){
++ printf(" Opened PAM session.\n");
++ }
++#endif
++ if (appl_pam_cred_init()) {
++ fprintf(stderr, "Error initializing credentials for %s.\n",
++ target_user);
++ sweep_up(ksu_context, cc_target);
++ exit(1);
++ }
++#ifdef DEBUG
++ if (auth_debug){
++ printf(" Initialized PAM credentials.\n");
++ }
++#endif
++ }
++#endif
++
+ switch ((child_pid = fork())) {
+ default:
+ if (auth_debug){
+@@ -822,15 +872,34 @@
+ if (ret_pid == -1) {
+ com_err(prog_name, errno, "while calling waitpid");
+ }
+- sweep_up(ksu_context, cc_target);
++ if( !keep_target_cache ) {
++ sweep_up(ksu_context, cc_target);
++ }
+ exit (statusp);
+ case -1:
+ com_err(prog_name, errno, "while trying to fork.");
+ sweep_up(ksu_context, cc_target);
+ exit (1);
+ case 0:
++#ifdef USE_PAM
++ if (appl_pam_enabled(ksu_context, "ksu")) {
++ if (appl_pam_setenv() != 0) {
++ fprintf(stderr, "Error setting up environment for %s.\n",
++ target_user);
++ exit (1);
++ }
++#ifdef DEBUG
++ if (auth_debug){
++ printf(" Set up PAM environment.\n");
++ }
++#endif
++ }
++#endif
+ execv(params[0], params);
+ com_err(prog_name, errno, "while trying to execv %s", params[0]);
++ if( keep_target_cache ) {
++ sweep_up(ksu_context, cc_target);
++ }
+ exit (1);
+ }
+ }
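Review bot: In the `case 0:` child branch, the failure paths after `appl_pam_setenv()` and after `execv()` call `exit (1)`, which runs the atexit handlers the child inherited from the parent; `appl_pam_start` registers one (the `exit_handler_registered` flag in pam.c suggests it tears the PAM handle down), so a failed exec would close the PAM session from the child while the parent still owns it and closes it again after waitpid(). Both child-side exits should be `_exit (1);` so that only the parent runs the PAM cleanup. As a point of style, `force_fork++;` on a global flag reads as a counter; `force_fork = 1;` says what is meant. The `if (appl_pam_enabled(ksu_context, "ksu"))` test is evaluated three times in this hunk; caching it once next to the acct-management call would keep the three PAM stages from diverging if the config is re-read.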
Index: krb5.spec
===================================================================
RCS file: /cvs/pkgs/rpms/krb5/devel/krb5.spec,v
retrieving revision 1.193
retrieving revision 1.194
diff -u -r1.193 -r1.194
--- krb5.spec 21 Apr 2009 18:46:52 -0000 1.193
+++ krb5.spec 23 Apr 2009 22:43:26 -0000 1.194
@@ -44,6 +44,7 @@
Source26: gssftp.pamd
Source27: kshell.pamd
Source28: ekshell.pamd
+Source29: ksu.pamd
Patch3: krb5-1.3-netkit-rsh.patch
Patch4: krb5-1.3-rlogind-environ.patch
@@ -227,6 +228,12 @@
certificate.
%changelog
+* Thu Apr 23 2009 Nalin Dahyabhai <nalin at redhat.com> 1.6.3-104
+- extend PAM support to ksu: perform account and session management for the
+ target user
+- pull up and merge James Leddy's changes to also set PAM_RHOST in PAM-aware
+ network-facing services
+
* Tue Apr 21 2009 Nalin Dahyabhai <nalin at redhat.com> 1.6.3-103
- fix a typo in a ksu error message (Marek Mahut)
- "rev" works the way the test suite expects now, so don't disable tests
@@ -1587,7 +1594,7 @@
# PAM configuration files.
mkdir -p $RPM_BUILD_ROOT/etc/pam.d/
-for pam in kshell ekshell gssftp ; do
+for pam in kshell ekshell gssftp ksu ; do
install -pm 644 $RPM_SOURCE_DIR/$pam.pamd \
$RPM_BUILD_ROOT/etc/pam.d/$pam
done