Ignore:
Timestamp:
Apr 16, 2011, 7:59:42 PM (11 years ago)
Author:
achernya
Message:
Necessary changes to build the Scripts RPMs on Fedora 15:

 * Stop scriptsifying 389-ds-base, as it appears to have Mitch's patch
 * Update krb5.spec.patch for krb5-1.9
 * Update the krb5-kuserok-scripts.patch to work with krb5-1.9 (code
   review requested)
 * Update httpd.spec.patch to apply properly to Fedora's newly
   cleaned-up httpd.spec
 * Bump zephyr to version 3.0.1
 
File:
1 edited

Legend:

Unmodified
Added
Removed
  • branches/fc15-dev/server/common/patches/krb5-kuserok-scripts.patch

    r1693 r1807  
    11# scripts.mit.edu krb5 kuserok patch
    22# Copyright (C) 2006  Tim Abbott <tabbott@mit.edu>
     3#               2011  Alexander Chernyakhovsky <achernya@mit.edu>
    34#
    45# This program is free software; you can redistribute it and/or
     
    1819# See /COPYRIGHT in this repository for more information.
    1920#
    20 --- krb5-1.6.3/src/lib/krb5/os/kuserok.c.old    2009-04-08 06:17:06.000000000 -0400
    21 +++ krb5-1.6.3/src/lib/krb5/os/kuserok.c        2009-04-08 06:17:18.000000000 -0400
    22 @@ -31,6 +31,7 @@
    23  #if !defined(_WIN32)           /* Not yet for Windows */
     21--- krb5-1.9/src/lib/krb5/os/kuserok.c.old      2011-04-16 19:09:58.000000000 -0400
     22+++ krb5-1.9/src/lib/krb5/os/kuserok.c  2011-04-16 19:34:23.000000000 -0400
     23@@ -32,6 +32,7 @@
     24 #if !defined(_WIN32)            /* Not yet for Windows */
    2425 #include <stdio.h>
    2526 #include <pwd.h>
     
    2829 #if defined(_AIX) && defined(_IBMR2)
    2930 #include <sys/access.h>
    30 @@ -71,7 +72,6 @@
    31  {
     31@@ -100,6 +101,7 @@
    3232     struct stat sbuf;
    33      struct passwd *pwd;
    34 -    char pbuf[MAXPATHLEN];
    35      krb5_boolean isok = FALSE;
    36      FILE *fp;
    37      char kuser[MAX_USERNAME];
    38 @@ -79,71 +79,35 @@
    39      char linebuf[BUFSIZ];
    40      char *newline;
    41      int gobble;
     33     struct passwd pwx, *pwd;
     34     FILE *fp = NULL;
    4235+    int pid, status;
    4336 
    44      /* no account => no access */
    45      char pwbuf[BUFSIZ];
    46      struct passwd pwx;
     37     if (profile_get_boolean(context->profile, KRB5_CONF_LIBDEFAULTS,
     38                             KRB5_CONF_K5LOGIN_AUTHORITATIVE, NULL, TRUE,
     39@@ -110,41 +112,27 @@
    4740     if (k5_getpwnam_r(luser, &pwx, pwbuf, sizeof(pwbuf), &pwd) != 0)
    48         return(FALSE);
    49 -    (void) strncpy(pbuf, pwd->pw_dir, sizeof(pbuf) - 1);
    50 -    pbuf[sizeof(pbuf) - 1] = '\0';
    51 -    (void) strncat(pbuf, "/.k5login", sizeof(pbuf) - 1 - strlen(pbuf));
     41         goto cleanup;
     42 
     43-    if (get_k5login_filename(context, luser, pwd->pw_dir, &filename) != 0)
     44-        goto cleanup;
    5245-
    53 -    if (access(pbuf, F_OK)) {   /* not accessible */
    54 -       /*
    55 -        * if he's trying to log in as himself, and there is no .k5login file,
    56 -        * let him.  To find out, call
    57 -        * krb5_aname_to_localname to convert the principal to a name
    58 -        * which we can string compare.
    59 -        */
    60 -       if (!(krb5_aname_to_localname(context, principal,
    61 -                                     sizeof(kuser), kuser))
    62 -           && (strcmp(kuser, luser) == 0)) {
    63 -           return(TRUE);
    64 -       }
     46-    if (access(filename, F_OK) != 0) {
     47-        result = PASS;
     48-        goto cleanup;
    6549-    }
    66      if (krb5_unparse_name(context, principal, &princname))
    67         return(FALSE);                  /* no hope of matching */
     50-
     51     if (krb5_unparse_name(context, principal, &princname) != 0)
     52         goto cleanup;
    6853 
    69 -    /* open ~/.k5login */
    70 -    if ((fp = fopen(pbuf, "r")) == NULL) {
    71 -       free(princname);
    72 -       return(FALSE);
    73 -    }
     54-    fp = fopen(filename, "r");
     55-    if (fp == NULL)
     56+    if ((pid = fork()) == -1)
     57         goto cleanup;
    7458-    set_cloexec_file(fp);
    75 -    /*
    76 -     * For security reasons, the .k5login file must be owned either by
    77 -     * the user himself, or by root.  Otherwise, don't grant access.
    78 -     */
    79 -    if (fstat(fileno(fp), &sbuf)) {
    80 -       fclose(fp);
    81 -       free(princname);
    82 -       return(FALSE);
    83 +    if ((pid = fork()) == -1) {
    84 +       free(princname);
    85 +       return(FALSE);
     59-
     60-    /* For security reasons, the .k5login file must be owned either by
     61-     * the user or by root. */
     62-    if (fstat(fileno(fp), &sbuf))
     63-        goto cleanup;
     64-    if (sbuf.st_uid != pwd->pw_uid && !FILE_OWNER_OK(sbuf.st_uid))
     65-        goto cleanup;
     66-
     67-    /* Check each line. */
     68-    while (result != ACCEPT && (fgets(linebuf, sizeof(linebuf), fp) != NULL)) {
     69-        newline = strrchr(linebuf, '\n');
     70-        if (newline != NULL)
     71-            *newline = '\0';
     72-        if (strcmp(linebuf, princname) == 0)
     73-            result = ACCEPT;
     74-        /* Clean up the rest of the line if necessary. */
     75-        if (newline == NULL)
     76-            while (((gobble = getc(fp)) != EOF) && gobble != '\n');
     77+   
     78+    if (pid == 0) {
     79+        char *args[4];
     80+#define ADMOF_PATH "/usr/local/sbin/ssh-admof"
     81+        args[0] = ADMOF_PATH;
     82+        args[1] = (char *) luser;
     83+        args[2] = princname;
     84+        args[3] = NULL;
     85+        execv(ADMOF_PATH, args);
     86+        exit(1);
    8687     }
    87 -    if (sbuf.st_uid != pwd->pw_uid && !FILE_OWNER_OK(sbuf.st_uid)) {
    88 -       fclose(fp);
    89 -       free(princname);
    90 -       return(FALSE);
    91 +    if (pid == 0) {
    92 +       char *args[4];
    93 +#define ADMOF_PATH "/usr/local/sbin/ssh-admof"
    94 +       args[0] = ADMOF_PATH;
    95 +       args[1] = (char *) luser;
    96 +       args[2] = princname;
    97 +       args[3] = NULL;
    98 +       execv(ADMOF_PATH, args);
    99 +       exit(1);
    100      }
    101 -
    102 -    /* check each line */
    103 -    while (!isok && (fgets(linebuf, BUFSIZ, fp) != NULL)) {
    104 -       /* null-terminate the input string */
    105 -       linebuf[BUFSIZ-1] = '\0';
    106 -       newline = NULL;
    107 -       /* nuke the newline if it exists */
    108 -       if ((newline = strchr(linebuf, '\n')))
    109 -           *newline = '\0';
    110 -       if (!strcmp(linebuf, princname)) {
    111 -           isok = TRUE;
    112 -           continue;
    113 -       }
    114 -       /* clean up the rest of the line if necessary */
    115 -       if (!newline)
    116 -           while (((gobble = getc(fp)) != EOF) && gobble != '\n');
     88 
    11789+    if (waitpid(pid, &status, 0) > 0 && WIFEXITED(status) && WEXITSTATUS(status) == 33) {
    118 +       isok=TRUE;
    119      }
     90+        result = ACCEPT;
     91+    }
    12092+   
     93 cleanup:
    12194     free(princname);
    122 -    fclose(fp);
    123      return(isok);
    124  }
    125  
     95     free(filename);
Note: See TracChangeset for help on using the changeset viewer.