
Hello community, here is the log from the commit of package pam_krb5 checked in at Tue Oct 28 18:12:31 CET 2008. --------
--- pam_krb5/pam_krb5.changes 2008-10-24 14:30:37.000000000 +0200
+++ /mounts/work_src_done/STABLE/pam_krb5/pam_krb5.changes 2008-10-28 15:15:34.245945000 +0100
@@ -1,0 +2,7 @@
+Tue Oct 28 15:09:24 CET 2008 - mc@suse.de
+
+- simplify switch permissions of refresh credentials
+ (remove pam_krb5-2.2.11-1-refresh-drop-restore-priv.dif
+ add pam_krb5-2.3.1-switch-perms-on-refresh.dif)
+
+-------------------------------------------------------------------
calling whatdependson for head-i586 Old: ---- pam_krb5-2.2.11-1-refresh-drop-restore-priv.dif New: ---- pam_krb5-2.3.1-switch-perms-on-refresh.dif ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------
++++++ pam_krb5.spec ++++++
--- /var/tmp/diff_new_pack.M11763/_old 2008-10-28 18:12:04.000000000 +0100
+++ /var/tmp/diff_new_pack.M11763/_new 2008-10-28 18:12:04.000000000 +0100
@@ -26,19 +26,19 @@
 Provides: pam_krb
 AutoReqProv: on
 Version: 2.3.1
-Release: 38
+Release: 39
 Summary: PAM Module for Kerberos Authentication
 Url: http://sourceforge.net/projects/pam-krb5/
 Source: pam_krb5-%{version}-%{PAM_RELEASE}.tar.bz2
 Source2: pam_krb5-po.tar.gz
 Patch1: pam_krb5-2.2.0-0.5-configure_ac.dif
-Patch2: pam_krb5-2.2.11-1-refresh-drop-restore-priv.dif
 Patch3: pam_krb5-2.3.1-log-choise.dif
 Patch4: pam_krb5-po-Makevars.dif
 Patch5: pam_krb5-LINGUAS.dif
 Patch6: pam_krb5-2.3.1-post.dif
 Patch7: bug-425861_pam_krb5-2.3.1-ccacheperms.patch
 Patch8: pam_krb5-2.3.1-fix-pwchange-with-use_shmem.dif
+Patch9: pam_krb5-2.3.1-switch-perms-on-refresh.dif
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 %description
@@ -56,13 +56,13 @@
 %setup -q -n pam_krb5-%{version}-%{PAM_RELEASE}
 %setup -a 2 -T -D -n pam_krb5-%{version}-%{PAM_RELEASE}
 %patch1
-%patch2
 %patch3 -p1
 %patch4 -p1
 %patch5
 %patch6
 %patch7 -p1
 %patch8 -p1
+%patch9 -p1
 %build
 %{suse_update_config -f}
@@ -97,6 +97,10 @@
 %attr(755,root,root) /usr/bin/afs5log
 %changelog
+* Tue Oct 28 2008 mc@suse.de
+- simplify switch permissions of refresh credentials
+ (remove pam_krb5-2.2.11-1-refresh-drop-restore-priv.dif
+ add pam_krb5-2.3.1-switch-perms-on-refresh.dif)
 * Fri Oct 24 2008 mc@suse.de
 - write new ticket into shmem after password change if requested. (bnc#438181)
++++++ pam_krb5-2.3.1-switch-perms-on-refresh.dif ++++++
Index: pam_krb5-2.3.1-1/src/auth.c
===================================================================
--- pam_krb5-2.3.1-1.orig/src/auth.c
+++ pam_krb5-2.3.1-1/src/auth.c
@@ -62,6 +62,7 @@
 #include "items.h"
 #include "kuserok.h"
 #include "log.h"
+#include "perms.h"
 #include "options.h"
 #include "prompter.h"
 #include "sly.h"
@@ -477,6 +478,7 @@ int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, PAM_KRB5_MAYBE_CONST char **argv)
 {
+ struct _pam_krb5_perms *saved_perms;
 notice("pam_setcred (%s) called",
 (flags & PAM_ESTABLISH_CRED)?"establish credential":
 (flags & PAM_REINITIALIZE_CRED)?"reinitialize credential":
@@ -486,10 +488,22 @@ pam_sm_setcred(pam_handle_t *pamh, int f
 return pam_sm_open_session(pamh, flags, argc, argv);
 }
 if (flags & (PAM_REINITIALIZE_CRED | PAM_REFRESH_CRED)) {
+ saved_perms = _pam_krb5_switch_perms_r2e();
+
 if (_pam_krb5_sly_looks_unsafe() == 0) {
- return _pam_krb5_sly_maybe_refresh(pamh, flags,
- argc, argv);
+ int i = _pam_krb5_sly_maybe_refresh(pamh, flags, argc, argv);
+ if (saved_perms != NULL) {
+ _pam_krb5_restore_perms_r2e(saved_perms);
+ }
+ saved_perms = NULL;
+
+ return i;
 } else {
+ debug("looks unsafe - ignore refresh");
+ if (saved_perms != NULL) {
+ _pam_krb5_restore_perms_r2e(saved_perms);
+ }
+ saved_perms = NULL;
 return PAM_IGNORE;
 }
 }
Index: pam_krb5-2.3.1-1/src/perms.c
===================================================================
--- pam_krb5-2.3.1-1.orig/src/perms.c
+++ pam_krb5-2.3.1-1/src/perms.c
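Review bot: The return value of `_pam_krb5_restore_perms_r2e(saved_perms)` is discarded in both branches of the last auth.c hunk, so a failed restore leaves the calling application running with the switched IDs and nothing is logged. I would at least record it, e.g. `if (_pam_krb5_restore_perms_r2e(saved_perms) != 0) { notice("error restoring permissions after refresh"); }`. The refresh also still runs when `_pam_krb5_switch_perms_r2e()` returned NULL, so the only thing keeping it from running with unswitched effective IDs is `_pam_krb5_sly_looks_unsafe()`, which is defined outside this patch; an explicit `if (saved_perms == NULL) return PAM_IGNORE;` right after the switch would make that path fail closed. pam_sm_setcred's body starts and ends outside the hunk.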
@@ -87,3 +87,49 @@ _pam_krb5_restore_perms(struct _pam_krb5
 }
 return ret;
 }
+
+struct _pam_krb5_perms *
+_pam_krb5_switch_perms_r2e(void)
+{
+ struct _pam_krb5_perms *ret;
+ ret = malloc(sizeof(*ret));
+ if (ret != NULL) {
+ ret->ruid = getuid();
+ ret->euid = geteuid();
+ ret->rgid = getgid();
+ ret->egid = getegid();
+ if (ret->ruid == ret->euid) {
+ ret->ruid = -1;
+ ret->euid = -1;
+ }
+ if (ret->rgid == ret->egid) {
+ ret->rgid = -1;
+ ret->egid = -1;
+ }
+ if (setresgid(ret->rgid, ret->rgid, ret->egid) == -1) {
+ free(ret);
+ ret = NULL;
+ } else {
+ if (setresuid(ret->ruid, ret->ruid, ret->euid) == -1) {
+ setresgid(ret->rgid, ret->egid, ret->rgid);
+ free(ret);
+ ret = NULL;
+ }
+ }
+ }
+ return ret;
+}
+
+int
+_pam_krb5_restore_perms_r2e(struct _pam_krb5_perms *saved)
+{
+ int ret = -1;
+ if (saved != NULL) {
+ if ((setresuid(saved->ruid, saved->euid, saved->ruid) == 0) &&
+ (setresgid(saved->rgid, saved->egid, saved->rgid) == 0)) {
+ ret = 0;
+ }
+ free(saved);
+ }
+ return ret;
+}
Index: pam_krb5-2.3.1-1/src/perms.h
===================================================================
--- pam_krb5-2.3.1-1.orig/src/perms.h
+++ pam_krb5-2.3.1-1/src/perms.h
@@ -37,4 +37,7 @@ struct _pam_krb5_perms;
 struct _pam_krb5_perms *_pam_krb5_switch_perms(void);
 int _pam_krb5_restore_perms(struct _pam_krb5_perms *saved);
+struct _pam_krb5_perms *_pam_krb5_switch_perms_r2e(void);
+int _pam_krb5_restore_perms_r2e(struct _pam_krb5_perms *saved);
+
 #endif
++++++ pam_krb5-po.tar.gz ++++++ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
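Review bot: `_pam_krb5_switch_perms_r2e()` records only the real and effective IDs, and `_pam_krb5_restore_perms_r2e()` puts them back with `setresuid(saved->ruid, saved->euid, saved->ruid)`, so when real and effective IDs differ the saved set-user-ID and set-group-ID come back as the real IDs rather than whatever the caller had before. A set-id application that later relies on its saved ID to toggle its effective ID would find that state changed after pam_setcred returns. Reading all three values with `getresuid()`/`getresgid()` and restoring exactly those would avoid it; that needs two more fields in `struct _pam_krb5_perms`, which is defined outside this hunk. Separately, the rollback `setresgid(ret->rgid, ret->egid, ret->rgid);` on the setresuid failure path is unchecked, and restore skips `setresgid` entirely when `setresuid` fails, so either path can leave the group IDs switched while the caller sees only NULL or -1.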