Login
[x]
Log in using an account from:
Fedora Account System
Red Hat Associate
Red Hat Customer
Or login using a Red Hat Bugzilla account
Forgot Password
Login:
Hide Forgot
Create an Account
Red Hat Bugzilla – Attachment 253501 Details for
Bug 371761
credcache created for root, not user, when establishing credentials
[?]
New
Simple Search
Advanced Search
My Links
Browse
Requests
Reports
Current State
Search
Tabular reports
Graphical reports
Duplicates
Other Reports
User Changes
Plotly Reports
Bug Status
Bug Severity
Non-Defaults
|
Product Dashboard
Help
Page Help!
Bug Writing Guidelines
What's new
Browser Support Policy
5.0.4.rh83 Release notes
FAQ
Guides index
User guide
Web Services
Contact
Legal
This site requires JavaScript to be enabled to function correctly, please enable it.
[patch]
patch for 2.2.20 which fetches tokens before calling krb5_kuserok()
pam_krb5-kuserok_tokens.patch (text/plain), 6.37 KB, created by
Nalin Dahyabhai
on 2007-11-09 21:06:15 UTC
(
hide
)
Description:
patch for 2.2.20 which fetches tokens before calling krb5_kuserok()
Filename:
MIME Type:
Creator:
Nalin Dahyabhai
Created:
2007-11-09 21:06:15 UTC
Size:
6.37 KB
patch
obsolete
>Index: src/auth.c >=================================================================== >RCS file: /usr/local/CVS/pam_krb5/src/auth.c,v >retrieving revision 1.31 >retrieving revision 1.34 >diff -u -u -r1.31 -r1.34 >--- src/auth.c 25 Oct 2007 19:23:17 -0000 1.31 >+++ src/auth.c 9 Nov 2007 20:48:53 -0000 1.34 >@@ -43,6 +43,7 @@ > #endif > > #include <sys/types.h> >+#include <errno.h> > #include <stdlib.h> > #include <string.h> > #include <unistd.h> >@@ -70,7 +71,7 @@ > #include "v4.h" > #include "xstr.h" > >-#ident "$Id: auth.c,v 1.31 2007/10/25 19:23:17 nalin Exp $" >+#ident "$Id: auth.c,v 1.34 2007/11/09 20:48:53 nalin Exp $" > > int > pam_sm_authenticate(pam_handle_t *pamh, int flags, >@@ -141,7 +142,8 @@ > } > > /* Check the minimum UID argument. */ >- if ((options->minimum_uid != (uid_t) -1) && >+ if ((options->user_check) && >+ (options->minimum_uid != (uid_t) -1) && > (userinfo->uid < options->minimum_uid)) { > if (options->debug) { > debug("ignoring '%s' -- uid below minimum = %lu", user, >@@ -251,7 +253,8 @@ > } > if (stash->v4present && > (options->ignore_afs == 0) && >- (options->tokens == 1)) { >+ (options->tokens == 1) && >+ tokens_useful()) { > v5_save_for_tokens(ctx, stash, user, userinfo, > options, NULL); > v4_save_for_tokens(ctx, stash, userinfo, >@@ -260,6 +263,16 @@ > v4_destroy(ctx, stash, options); > v5_destroy(ctx, stash, options); > } >+ } else { >+ if ((retval == PAM_SUCCESS) && >+ (options->ignore_afs == 0) && >+ (options->tokens == 1) && >+ tokens_useful()) { >+ v5_save_for_tokens(ctx, stash, user, userinfo, >+ options, NULL); >+ tokens_obtain(ctx, stash, options, userinfo, 1); >+ v5_destroy(ctx, stash, options); >+ } > } > } > >@@ -326,7 +339,8 @@ > } > if (stash->v4present && > (options->ignore_afs == 0) && >- (options->tokens == 1)) { >+ (options->tokens == 1) && >+ tokens_useful()) { > v5_save_for_tokens(ctx, stash, user, userinfo, > options, NULL); > v4_save_for_tokens(ctx, stash, userinfo, >@@ -335,6 +349,16 @@ > v4_destroy(ctx, stash, options); > v5_destroy(ctx, stash, options); > } >+ } else { >+ if ((retval == PAM_SUCCESS) && >+ (options->ignore_afs == 0) && >+ (options->tokens == 1) && >+ tokens_useful()) { >+ v5_save_for_tokens(ctx, stash, user, userinfo, >+ options, NULL); >+ tokens_obtain(ctx, stash, options, userinfo, 1); >+ v5_destroy(ctx, stash, options); >+ } > } > } > >@@ -370,7 +394,8 @@ > } > if (stash->v4present && > (options->ignore_afs == 0) && >- (options->tokens == 1)) { >+ (options->tokens == 1) && >+ tokens_useful()) { > v5_save_for_tokens(ctx, stash, user, userinfo, > options, NULL); > v4_save_for_tokens(ctx, stash, userinfo, >@@ -379,16 +404,50 @@ > v4_destroy(ctx, stash, options); > v5_destroy(ctx, stash, options); > } >+ } else { >+ if ((retval == PAM_SUCCESS) && >+ (options->ignore_afs == 0) && >+ (options->tokens == 1) && >+ tokens_useful()) { >+ v5_save_for_tokens(ctx, stash, user, userinfo, >+ options, NULL); >+ tokens_obtain(ctx, stash, options, userinfo, 1); >+ v5_destroy(ctx, stash, options); >+ } > } > } > > /* If we got this far, check the target user's .k5login file. */ > if ((retval == PAM_SUCCESS) && options->user_check) { >+ if ((options->tokens != 1) && >+ (options->ignore_afs == 0) && >+ tokens_useful()) { >+ v5_save_for_tokens(ctx, stash, user, userinfo, >+ options, NULL); >+ if (stash->v4present) { >+ v4_save_for_tokens(ctx, stash, userinfo, >+ options, NULL); >+ } >+ tokens_obtain(ctx, stash, options, userinfo, 1); >+ } > if (krb5_kuserok(ctx, userinfo->principal_name, user) == 0) { > notice("account checks fail for '%s': user disallowed " > "by .k5login file for '%s'", > userinfo->unparsed_name, user); > retval = PAM_PERM_DENIED; >+ } else { >+ if (options->debug) { >+ debug("'%s' passes .k5login check for '%s'", >+ userinfo->unparsed_name, user); >+ } >+ } >+ if ((options->tokens != 1) && >+ (options->ignore_afs == 0) && >+ tokens_useful()) { >+ if (stash->v4present) { >+ v4_destroy(ctx, stash, options); >+ } >+ v5_destroy(ctx, stash, options); > } > } > >Index: src/acct.c >=================================================================== >RCS file: /usr/local/CVS/pam_krb5/src/acct.c,v >retrieving revision 1.23 >retrieving revision 1.25 >diff -u -u -r1.23 -r1.25 >--- src/acct.c 19 Jul 2007 20:45:54 -0000 1.23 >+++ src/acct.c 9 Nov 2007 20:48:53 -0000 1.25 >@@ -1,5 +1,5 @@ > /* >- * Copyright 2003,2004,2005,2006 Red Hat, Inc. >+ * Copyright 2003,2004,2005,2006,2007 Red Hat, Inc. > * > * Redistribution and use in source and binary forms, with or without > * modification, are permitted provided that the following conditions >@@ -58,11 +58,12 @@ > #include "options.h" > #include "prompter.h" > #include "stash.h" >+#include "tokens.h" > #include "userinfo.h" > #include "v5.h" > #include "v4.h" > >-#ident "$Id: acct.c,v 1.23 2007/07/19 20:45:54 nalin Exp $" >+#ident "$Id: acct.c,v 1.25 2007/11/09 20:48:53 nalin Exp $" > > int > pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, >@@ -115,7 +116,8 @@ > } > > /* Check the minimum UID argument. */ >- if ((options->minimum_uid != (uid_t) -1) && >+ if ((options->user_check) && >+ (options->minimum_uid != (uid_t) -1) && > (userinfo->uid < options->minimum_uid)) { > if (options->debug) { > debug("ignoring '%s' -- uid below minimum = %lu", user, >@@ -224,11 +226,31 @@ > > /* If we got this far, check the target user's .k5login file. */ > if ((retval == PAM_SUCCESS) && options->user_check) { >+ if ((options->ignore_afs == 0) && tokens_useful()) { >+ v5_save_for_tokens(ctx, stash, user, userinfo, >+ options, NULL); >+ if (stash->v4present) { >+ v4_save_for_tokens(ctx, stash, userinfo, >+ options, NULL); >+ } >+ tokens_obtain(ctx, stash, options, userinfo, 1); >+ } > if (krb5_kuserok(ctx, userinfo->principal_name, user) == 0) { > notice("account checks fail for '%s': user disallowed " > "by .k5login file for '%s'", > userinfo->unparsed_name, user); > retval = PAM_PERM_DENIED; >+ } else { >+ if (options->debug) { >+ debug("'%s' passes .k5login check for '%s'", >+ userinfo->unparsed_name, user); >+ } >+ } >+ if ((options->ignore_afs == 0) && tokens_useful()) { >+ if (stash->v4present) { >+ v4_destroy(ctx, stash, options); >+ } >+ v5_destroy(ctx, stash, options); > } > } >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=253501">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 371761
:
252021
| 253501