Changeset 1807
- Timestamp:
- Apr 16, 2011, 7:59:42 PM (14 years ago)
- Location:
- branches/fc15-dev/server
- Files:
-
- 1 deleted
- 6 edited
branches/fc15-dev/server/common/patches/krb5-kuserok-scripts.patch
r1693 r1807 1 1 # scripts.mit.edu krb5 kuserok patch 2 2 # Copyright (C) 2006 Tim Abbott <tabbott@mit.edu> 3 # 2011 Alexander Chernyakhovsky <achernya@mit.edu> 3 4 # 4 5 # This program is free software; you can redistribute it and/or … … 18 19 # See /COPYRIGHT in this repository for more information. 19 20 # 20 --- krb5-1. 6.3/src/lib/krb5/os/kuserok.c.old 2009-04-08 06:17:06.000000000 -040021 +++ krb5-1. 6.3/src/lib/krb5/os/kuserok.c 2009-04-08 06:17:18.000000000 -040022 @@ -3 1,6 +31,7 @@23 #if !defined(_WIN32) 21 --- krb5-1.9/src/lib/krb5/os/kuserok.c.old 2011-04-16 19:09:58.000000000 -0400 22 +++ krb5-1.9/src/lib/krb5/os/kuserok.c 2011-04-16 19:34:23.000000000 -0400 23 @@ -32,6 +32,7 @@ 24 #if !defined(_WIN32) /* Not yet for Windows */ 24 25 #include <stdio.h> 25 26 #include <pwd.h> … … 28 29 #if defined(_AIX) && defined(_IBMR2) 29 30 #include <sys/access.h> 30 @@ -71,7 +72,6 @@ 31 { 31 @@ -100,6 +101,7 @@ 32 32 struct stat sbuf; 33 struct passwd *pwd; 34 - char pbuf[MAXPATHLEN]; 35 krb5_boolean isok = FALSE; 36 FILE *fp; 37 char kuser[MAX_USERNAME]; 38 @@ -79,71 +79,35 @@ 39 char linebuf[BUFSIZ]; 40 char *newline; 41 int gobble; 33 struct passwd pwx, *pwd; 34 FILE *fp = NULL; 42 35 + int pid, status; 43 36 44 /* no account => no access */45 char pwbuf[BUFSIZ];46 struct passwd pwx; 37 if (profile_get_boolean(context->profile, KRB5_CONF_LIBDEFAULTS, 38 KRB5_CONF_K5LOGIN_AUTHORITATIVE, NULL, TRUE, 39 
@@ -110,41 +112,27 @@ 47 40 if (k5_getpwnam_r(luser, &pwx, pwbuf, sizeof(pwbuf), &pwd) != 0) 48 return(FALSE);49 - (void) strncpy(pbuf, pwd->pw_dir, sizeof(pbuf) - 1); 50 - pbuf[sizeof(pbuf) - 1] = '\0';51 - (void) strncat(pbuf, "/.k5login", sizeof(pbuf) - 1 - strlen(pbuf));41 goto cleanup; 42 43 - if (get_k5login_filename(context, luser, pwd->pw_dir, &filename) != 0) 44 - goto cleanup; 52 45 - 53 - if (access(pbuf, F_OK)) { /* not accessible */ 54 - /* 55 - * if he's trying to log in as himself, and there is no .k5login file, 56 - * let him. To find out, call 57 - * krb5_aname_to_localname to convert the principal to a name 58 - * which we can string compare. 59 - */ 60 - if (!(krb5_aname_to_localname(context, principal, 61 - sizeof(kuser), kuser)) 62 - && (strcmp(kuser, luser) == 0)) { 63 - return(TRUE); 64 - } 46 - if (access(filename, F_OK) != 0) { 47 - result = PASS; 48 - goto cleanup; 65 49 - } 66 if (krb5_unparse_name(context, principal, &princname)) 67 return(FALSE); /* no hope of matching */ 50 - 51 if (krb5_unparse_name(context, principal, &princname) != 0) 52 goto cleanup; 68 53 69 - /* open ~/.k5login */ 70 - if ((fp = fopen(pbuf, "r")) == NULL) { 71 - free(princname); 72 - return(FALSE); 73 - } 54 - fp = fopen(filename, "r"); 55 - if (fp == NULL) 56 + if ((pid = fork()) == -1) 57 goto cleanup; 74 58 - set_cloexec_file(fp); 75 - /* 76 - * For security reasons, the .k5login file must be owned either by 77 - * the user himself, or by root. Otherwise, don't grant access. 78 - */ 79 - if (fstat(fileno(fp), &sbuf)) { 80 - fclose(fp); 81 - free(princname); 82 - return(FALSE); 83 + if ((pid = fork()) == -1) { 84 + free(princname); 85 + return(FALSE); 59 - 60 - /* For security reasons, the .k5login file must be owned either by 61 - * the user or by root. */ 62 - if (fstat(fileno(fp), &sbuf)) 63 - goto cleanup; 64 - if (sbuf.st_uid != pwd->pw_uid && !FILE_OWNER_OK(sbuf.st_uid)) 65 - goto cleanup; 66 - 67 - /* Check each line. 
*/ 68 - while (result != ACCEPT && (fgets(linebuf, sizeof(linebuf), fp) != NULL)) { 69 - newline = strrchr(linebuf, '\n'); 70 - if (newline != NULL) 71 - *newline = '\0'; 72 - if (strcmp(linebuf, princname) == 0) 73 - result = ACCEPT; 74 - /* Clean up the rest of the line if necessary. */ 75 - if (newline == NULL) 76 - while (((gobble = getc(fp)) != EOF) && gobble != '\n'); 77 + 78 + if (pid == 0) { 79 + char *args[4]; 80 +#define ADMOF_PATH "/usr/local/sbin/ssh-admof" 81 + args[0] = ADMOF_PATH; 82 + args[1] = (char *) luser; 83 + args[2] = princname; 84 + args[3] = NULL; 85 + execv(ADMOF_PATH, args); 86 + exit(1); 86 87 } 87 - if (sbuf.st_uid != pwd->pw_uid && !FILE_OWNER_OK(sbuf.st_uid)) { 88 - fclose(fp); 89 - free(princname); 90 - return(FALSE); 91 + if (pid == 0) { 92 + char *args[4]; 93 +#define ADMOF_PATH "/usr/local/sbin/ssh-admof" 94 + args[0] = ADMOF_PATH; 95 + args[1] = (char *) luser; 96 + args[2] = princname; 97 + args[3] = NULL; 98 + execv(ADMOF_PATH, args); 99 + exit(1); 100 } 101 - 102 - /* check each line */ 103 - while (!isok && (fgets(linebuf, BUFSIZ, fp) != NULL)) { 104 - /* null-terminate the input string */ 105 - linebuf[BUFSIZ-1] = '\0'; 106 - newline = NULL; 107 - /* nuke the newline if it exists */ 108 - if ((newline = strchr(linebuf, '\n'))) 109 - *newline = '\0'; 110 - if (!strcmp(linebuf, princname)) { 111 - isok = TRUE; 112 - continue; 113 - } 114 - /* clean up the rest of the line if necessary */ 115 - if (!newline) 116 - while (((gobble = getc(fp)) != EOF) && gobble != '\n'); 88 117 89 + if (waitpid(pid, &status, 0) > 0 && WIFEXITED(status) && WEXITSTATUS(status) == 33) { 118 + isok=TRUE;119 90 + result = ACCEPT; 91 + } 120 92 + 93 cleanup: 121 94 free(princname); 122 - fclose(fp); 123 return(isok); 124 } 125 95 free(filename); -
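Review bot: In the forked child the fallback after `execv(ADMOF_PATH, args)` is `exit(1)`, which runs inherited atexit handlers and flushes the parent's stdio buffers a second time inside whatever process called into this library; use `_exit(1);` there. `pid` is declared `int` where fork() and waitpid() use `pid_t`, and the single `waitpid(pid, &status, 0) > 0` call treats an EINTR return as a denial and leaves the child unreaped, so a retry such as `while ((rc = waitpid(pid, &status, 0)) == -1 && errno == EINTR) ;` is worth adding. With the .k5login ownership and line checks removed, the access decision rests entirely on the helper's exit status, so the bare `33` deserves a named constant and a comment such as `/* ACCEPT only on exit status 33 from ssh-admof; any other status, a signal, or exec failure leaves result unchanged */`. The function begins and ends outside the visible hunks, so the initial value of `result` and whether `filename` is still initialised before `free(filename)` could not be checked here.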
branches/fc15-dev/server/fedora/Makefile
r1804 r1807 19 19 # See /COPYRIGHT in this repository for more information. 20 20 21 upstream_yum = krb5 krb5.i686 httpd openssh 389-ds-base21 upstream_yum = krb5 krb5.i686 httpd openssh 22 22 hackage = MonadCatchIO-mtl-0.3.0.1 cgi-3001.1.8.1 unix-handle-0.0.0 23 23 upstream_hackage = ghc-MonadCatchIO-mtl ghc-cgi ghc-unix-handle … … 45 45 heartbeat_url = "http://kojipkgs.fedoraproject.org/packages/heartbeat/3.0.0/0.5.0daab7da36a8.hg.fc12/src/heartbeat-3.0.0-0.5.0daab7da36a8.hg.fc12.src.rpm" 46 46 pacemaker_url = "http://kojipkgs.fedoraproject.org/packages/pacemaker/1.0.5/5.fc12/src/pacemaker-1.0.5-5.fc12.src.rpm" 47 zephyr_url = "http://zephyr.1ts.org/export/HEAD/distribution/zephyr-3.0. tar.gz"47 zephyr_url = "http://zephyr.1ts.org/export/HEAD/distribution/zephyr-3.0.1.tar.gz" 48 48 49 49 PKG = $(patsubst %.i686,%,$@) -
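Review bot: The updated `zephyr_url` still points at a plain `http://` address under `/export/HEAD/`, so the 3.0.1 tarball may change between builds or be altered in transit unless something outside this section verifies it. If the download rule (not visible here) performs no integrity check, record a digest next to the URL, e.g. `zephyr_sha256 = <sha256-of-zephyr-3.0.1.tar.gz>`, and compare it after the fetch. The same applies to the unchanged `heartbeat_url` and `pacemaker_url` lines above it.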
branches/fc15-dev/server/fedora/specs/httpd.spec.patch
r1738 r1807 1 1 --- httpd.spec.orig 2010-10-27 08:26:15.000000000 -0400 2 2 +++ httpd.spec 2010-11-18 18:20:43.000000000 -0500 3 @@ - 7,7 +7,7 @@3 @@ -8,7 +8,7 @@ 4 4 Summary: Apache HTTP Server 5 5 Name: httpd 6 6 Version: 2.2.17 7 -Release: 1 %{?dist}.18 +Release: 1 %{?dist}.1.scripts.%{scriptsversion}7 -Release: 10%{?dist}.1 8 +Release: 10%{?dist}.1.scripts.%{scriptsversion} 9 9 URL: http://httpd.apache.org/ 10 10 Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2 11 11 Source1: index.html 12 @@ -5 5,6 +55,14 @@13 Conflicts: pcre < 4.014 Requires: httpd-tools = %{version}-%{release}, apr-util-ldap 12 @@ -54,6 +54,14 @@ 13 Provides: httpd-mmn = %{mmn}, httpd-mmn = %{mmnisa} 14 Requires: httpd-tools = %{version}-%{release}, apr-util-ldap, systemd-units 15 15 16 16 +Provides: scripts-httpd … … 25 25 The Apache HTTP Server is a powerful, efficient, and extensible 26 26 web server. 27 @@ -6 5,6 +73,7 @@27 @@ -64,6 +72,7 @@ 28 28 Obsoletes: secureweb-devel, apache-devel, stronghold-apache-devel 29 29 Requires: apr-devel, apr-util-devel, pkgconfig … … 33 33 %description devel 34 34 The httpd-devel package contains the APXS binary and other files 35 @@ -10 3,6 +112,7 @@36 Requires(post): openssl >= 0.9.7f-4, /bin/cat35 @@ -102,6 +102,7 @@ 36 Requires(post): openssl, /bin/cat 37 37 Requires(pre): httpd 38 Requires: httpd = 0:%{version}-%{release}, httpd-mmn = %{mmn }38 Requires: httpd = 0:%{version}-%{release}, httpd-mmn = %{mmnisa} 39 39 +Provides: scripts-mod_ssl 40 40 Obsoletes: stronghold-mod_ssl 41 41 42 42 %description -n mod_ssl 43 @@ -1 30,6 +140,13 @@43 @@ -129,6 +139,13 @@ 44 44 # Patch in vendor/release string 45 45 sed "s/@RELEASE@/%{vstring}/" < %{PATCH20} | patch -p1 … … 55 55 vmmn=`echo MODULE_MAGIC_NUMBER_MAJOR | cpp -include include/ap_mmn.h | sed -n '/^2/p'` 56 56 if test "x${vmmn}" != "x%{mmn}"; then 57 @@ -17 7,10 +194,12 @@57 
@@ -176,10 +193,12 @@ 58 58 --with-apr=%{_prefix} --with-apr-util=%{_prefix} \ 59 59 --enable-suexec --with-suexec \ -
branches/fc15-dev/server/fedora/specs/krb5.spec.patch
r1795 r1807 1 1 --- krb5.spec.orig 2011-03-25 17:29:24.000000000 -0400 2 2 +++ krb5.spec 2011-03-25 17:31:15.000000000 -0400 3 @@ - 10,7 +10,7 @@3 @@ -6,7 +6,7 @@ 4 4 Summary: The Kerberos network authentication system 5 5 Name: krb5 6 Version: 1. 7.17 -Release: 18%{?dist}8 +Release: 18%{?dist}.scripts.%{scriptsversion}6 Version: 1.9 7 -Release: 6%{?dist} 8 +Release: 6%{?dist}.scripts.%{scriptsversion} 9 9 # Maybe we should explode from the now-available-to-everybody tarball instead? 10 # http://web.mit.edu/kerberos/dist/krb5/1. 7/krb5-1.7.1-signed.tar10 # http://web.mit.edu/kerberos/dist/krb5/1.9/krb5-1.9-signed.tar 11 11 Source0: krb5-%{version}.tar.gz 12 @@ - 96,6 +96,8 @@13 Patch 107: http://web.mit.edu/kerberos/advisories/2011-002-patch.txt14 Patch 108: http://web.mit.edu/kerberos/advisories/2011-003-patch.txt12 @@ -53,6 +53,8 @@ 13 Patch74: http://web.mit.edu/kerberos/advisories/2011-002-patch.txt 14 Patch75: http://web.mit.edu/kerberos/advisories/2011-003-patch.txt 15 15 16 16 +Patch1000: krb5-kuserok-scripts.patch … … 19 19 URL: http://web.mit.edu/kerberos/www/ 20 20 Group: System Environment/Libraries 21 @@ - 140,6 +142,7 @@21 @@ -97,6 +99,7 @@ 22 22 %package libs 23 23 Summary: The shared libraries used by Kerberos 5 … … 27 27 %description libs 28 28 Kerberos is a network authentication system. The krb5-libs package 29 @@ -1 684,6 +1687,7 @@30 %patch 106-p1 -b .2011-00131 %patch 107-p1 -b .2011-00232 %patch 108-p1 -b .2011-00329 @@ -192,6 +195,7 @@ 30 %patch73 -p1 -b .2011-001 31 %patch74 -p1 -b .2011-002 32 %patch75 -p1 -b .2011-003 33 33 +%patch1000 -p1 -b .kuserok 34 34 gzip doc/*.ps -
branches/fc15-dev/server/fedora/specs/scripts-base.spec
r1761 r1807 31 31 Requires: httpdmods 32 32 Requires: %{all_archs nss_nonlocal} 33 Requires: scripts-389-ds34 33 %define debug_package %{nil} 35 34 -
branches/fc15-dev/server/fedora/specs/zephyr.spec
r1693 r1807 1 1 Name: zephyr 2 Version: 3.0 2 Version: 3.0.1 3 3 Release: 0.%{scriptsversion}%{?dist} 4 4 Summary: Client programs for the Zephyr real-time messaging system … … 139 139 140 140 %changelog 141 * Sat Apr 16 2011 Alexander Chernyakhovsky <achernya@mit.edu> 3.0.1-0 142 - Zephyr 3.0.1 143 141 144 * Sun Sep 19 2010 Anders Kaseorg <andersk@mit.edu> - 3.0-0 142 145 - Decrease version below a hypothetical Fedora package.