Hello community, here is the log from the commit of package pam_krb5 checked in at Thu Mar 15 15:28:49 CET 2007. -------- --- pam_krb5/pam_krb5.changes 2006-09-25 10:48:41.000000000 +0200 +++ /mounts/work_src_done/STABLE/pam_krb5/pam_krb5.changes 2007-03-15 12:37:52.874598000 +0100 @@ -1,0 +2,9 @@ +Thu Mar 15 12:34:55 CET 2007 - mc@suse.de + +- drop privileges in _pam_krb5_sly_maybe_refresh when + running in set uid and restore them on exit of this + function. This enables us to refresh the ticket + after screen un-lock. + [#124611] + +------------------------------------------------------------------- New: ---- pam_krb5-2.2.11-1-refresh-drop-restore-priv.dif ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ pam_krb5.spec ++++++ --- /var/tmp/diff_new_pack.uq3052/_old 2007-03-15 15:25:24.000000000 +0100 +++ /var/tmp/diff_new_pack.uq3052/_new 2007-03-15 15:25:24.000000000 +0100 @@ -1,7 +1,7 @@ # # spec file for package pam_krb5 (Version 2.2.11) # -# Copyright (c) 2006 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2007 SUSE LINUX Products GmbH, Nuernberg, Germany. # This file and all modifications and additions to the pristine # package are under the same license as the package itself. # @@ -13,17 +13,18 @@ Name: pam_krb5 BuildRequires: krb5-client krb5-devel krb5-server openssl-devel pam-devel %define PAM_RELEASE 1 -License: GPL +License: GNU General Public License (GPL) Group: Productivity/Networking/Security Provides: pam_krb Autoreqprov: on Version: 2.2.11 -Release: 1 +Release: 27 Summary: PAM Module for Kerberos Authentication URL: http://sourceforge.net/projects/pam-krb5/ Source: pam_krb5-%{version}-%{PAM_RELEASE}.tar.bz2 Patch1: pam_krb5-2.2.0-0.5-configure_ac.dif Patch2: pam_krb5-2.2.0-2-noafsonarm.patch +Patch3: pam_krb5-2.2.11-1-refresh-drop-restore-priv.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -41,6 +42,7 @@ %setup -q -n pam_krb5-%{version}-%{PAM_RELEASE} %patch1 %patch2 +%patch3 %build %{suse_update_config -f} @@ -72,12 +74,18 @@ %attr(444,root,root) %_mandir/man*/*.* %attr(755,root,root) /usr/bin/afs5log -%changelog -n pam_krb5 +%changelog +* Thu Mar 15 2007 - mc@suse.de +- drop privileges in _pam_krb5_sly_maybe_refresh when + running in set uid and restore them on exit of this + function. This enables us to refresh the ticket + after screen un-lock. + [#124611] * Mon Sep 25 2006 - mc@suse.de - version 2.2.11 - remove two patches with are upstream now -- pam_krb5-2.2.10-0-oldauthtok.dif -- pam_krb5-2.2.10-0-testfix.dif + - pam_krb5-2.2.10-0-oldauthtok.dif + - pam_krb5-2.2.10-0-testfix.dif - make use of --with-os-distribution * Thu Sep 14 2006 - mc@suse.de - fix pam_set_item call for AUTHTOK and OLDAUTHTOK ++++++ pam_krb5-2.2.11-1-refresh-drop-restore-priv.dif ++++++ --- src/auth.c +++ src/auth.c 2007/03/15 10:55:36 @@ -418,9 +418,13 @@ return pam_sm_open_session(pamh, flags, argc, argv); } if (flags & (PAM_REINITIALIZE_CRED | PAM_REFRESH_CRED)) { - if (_pam_krb5_sly_looks_unsafe() == 0) { + int unsave = _pam_krb5_sly_looks_unsafe(); + + /* unsave == 2 or 3 can be fixed inside of + _pam_krb5_sly_maybe_refresh */ + if (unsave == 0 || unsave == 2 || unsave == 3) { return _pam_krb5_sly_maybe_refresh(pamh, flags, - argc, argv); + argc, argv); } else { return PAM_IGNORE; } --- src/sly.c +++ src/sly.c 2007/03/15 10:46:36 @@ -146,6 +146,21 @@ return 0; } +/* restore dropped privileges */ +int +_restore_privs(uid_t save_euid, gid_t save_egid) +{ + int retuid = 0, retgid = 0; + + retuid = setresuid(getuid(), save_euid, getuid()); + retgid = setresgid(getgid(), save_egid, getgid()); + + debug("restore privileges: UID = %u, EUID = %u\n", getuid(), geteuid()); + debug("restore privileges: GID = %u, EGID = %u\n", getgid(), getegid()); + + return (retuid == -1 || retgid == -1)?-1:0; +} + int _pam_krb5_sly_maybe_refresh(pam_handle_t *pamh, int flags, int argc, PAM_KRB5_MAYBE_CONST char **argv) @@ -159,6 +174,20 @@ int i, retval, stored; char *v5ccname, *v4tktfile; + uid_t save_euid = geteuid(); + gid_t save_egid = getegid(); + + + if(_pam_krb5_sly_looks_unsafe() == 2 || _pam_krb5_sly_looks_unsafe() == 3) + { + /* drop privileges temporarily; restore them on every return from this function */ + setresuid(getuid(), getuid(), geteuid()); + setresgid(getgid(), getgid(), getegid()); + + debug("drop privileges temporarily: UID = %u, EUID = %u\n", getuid(), geteuid()); + debug("drop privileges temporarily: GID = %u, EGID = %u\n", getgid(), getegid()); + } + /* Inexpensive checks. */ switch (_pam_krb5_sly_looks_unsafe()) { case 0: @@ -166,18 +195,22 @@ break; case 1: warn("won't refresh credentials while running under sudo"); + _restore_privs(save_euid, save_egid); return PAM_SERVICE_ERR; break; case 2: warn("won't refresh credentials while running setuid"); + _restore_privs(save_euid, save_egid); return PAM_SERVICE_ERR; break; case 3: warn("won't refresh credentials while running setgid"); + _restore_privs(save_euid, save_egid); return PAM_SERVICE_ERR; break; default: warn("not safe to refresh credentials"); + _restore_privs(save_euid, save_egid); return PAM_SERVICE_ERR; break; } @@ -185,6 +218,7 @@ /* Initialize Kerberos. */ if (_pam_krb5_init_ctx(&ctx, argc, argv) != 0) { warn("error initializing Kerberos"); + _restore_privs(save_euid, save_egid); return PAM_SERVICE_ERR; } @@ -193,6 +227,7 @@ if (i != PAM_SUCCESS) { warn("could not identify user name"); krb5_free_context(ctx); + _restore_privs(save_euid, save_egid); return i; } @@ -201,6 +236,7 @@ if (options == NULL) { warn("error parsing options (shouldn't happen)"); krb5_free_context(ctx); + _restore_privs(save_euid, save_egid); return PAM_SERVICE_ERR; } if (options->debug) { @@ -222,6 +258,7 @@ } _pam_krb5_options_free(pamh, ctx, options); krb5_free_context(ctx); + _restore_privs(save_euid, save_egid); return retval; } @@ -233,6 +270,7 @@ _pam_krb5_user_info_free(ctx, userinfo); _pam_krb5_options_free(pamh, ctx, options); krb5_free_context(ctx); + _restore_privs(save_euid, save_egid); return PAM_IGNORE; } @@ -244,6 +282,7 @@ _pam_krb5_user_info_free(ctx, userinfo); _pam_krb5_options_free(pamh, ctx, options); krb5_free_context(ctx); + _restore_privs(save_euid, save_egid); return PAM_SERVICE_ERR; } @@ -331,5 +370,6 @@ pam_strerror(pamh, retval)); } + _restore_privs(save_euid, save_egid); return retval; } ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org