diff -ur krb4-1.0.2.orig/lib/auth/pam/Makefile.in krb4-1.0.2/lib/auth/pam/Makefile.in
--- krb4-1.0.2.orig/lib/auth/pam/Makefile.in	Fri Jun 23 05:20:06 2000
+++ krb4-1.0.2/lib/auth/pam/Makefile.in	Wed Sep 13 15:31:05 2000
@@ -1,5 +1,5 @@
 #
-# $Id: Makefile.in,v 1.25.2.1 2000/06/23 03:20:06 assar Exp $
+# $Id: Makefile.in,v 1.28 2000/09/13 13:26:12 bg Exp $
 #
 
 SHELL = /bin/sh
@@ -31,8 +31,8 @@
 LIB_res_search = @LIB_res_search@
 LIB_dn_expand = @LIB_dn_expand@
  
-@lib_deps_yes@LIB_DEPS = -L../../kafs -L../../krb -L../../des \
-@lib_deps_yes@	   -lkafs -lkrb -ldes \
+@lib_deps_yes@LIB_DEPS = ../../kafs/libkafs_pic.a \
+@lib_deps_yes@	         ../../krb/libkrb_pic.a ../../des/libdes_pic.a \
 @lib_deps_yes@     $(LIB_res_search) $(LIB_dn_expand) -lpam -lc
 @lib_deps_no@LIB_DEPS =
 
@@ -82,7 +82,6 @@
 
 $(LIB): $(OBJECTS)
 	rm -f $@
-	$(LDSHARED) -o $@ $(OBJECTS) $(LD_FLAGS) $(LIB_DEPS)
-#	$(LINK) -shared -Wl,-x -o $(LIB) $(OBJECTS)  ../../kafs/libkafs.a ../../krb/libkrb.a ../../des/libdes.a
+	$(LDSHARED) -Wl,-Bsymbolic -o $@ $(OBJECTS) $(LD_FLAGS) $(LIB_DEPS)
 
 .PHONY: all Wall install uninstall check clean mostlyclean distclean realclean
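Review bot: The `$(LIB): $(OBJECTS)` rule still lists only the objects as prerequisites, although `LIB_DEPS` now names three archives that are linked statically into the PAM module. A rebuilt `../../krb/libkrb_pic.a` or `../../des/libdes_pic.a` (for example after a fix in those libraries) will not cause the module to be relinked, and nothing orders the archive builds before this link. Consider holding the three archive paths in their own variable (a constructed name such as `PIC_ARCHIVES`) and writing `$(LIB): $(OBJECTS) $(PIC_ARCHIVES)`. The hard-coded `-Wl,-Bsymbolic` is linker-specific and would benefit from a comment such as `# -Bsymbolic: resolve the module's krb/des symbols to its own embedded copies, not the host program's`.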
diff -ur krb4-1.0.2.orig/lib/auth/pam/pam.c krb4-1.0.2/lib/auth/pam/pam.c
--- krb4-1.0.2.orig/lib/auth/pam/pam.c	Sat Mar 11 00:00:14 2000
+++ krb4-1.0.2/lib/auth/pam/pam.c	Wed Sep 13 15:31:05 2000
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include<config.h>
-RCSID("$Id: pam.c,v 1.22.2.1 2000/03/10 23:00:14 assar Exp $");
+RCSID("$Id: pam.c,v 1.25 2000/09/13 13:25:51 bg Exp $");
 #endif
 
 #include <stdio.h>
@@ -60,7 +60,7 @@
 #endif
 
 static void
-log_error(int level, const char *format, ...)
+psyslog(int level, const char *format, ...)
 {
   va_list args;
   va_start(args, format);
@@ -115,7 +115,7 @@
 	  break;
     
       if (j >= KRB4_CTRLS)
-	log_error(LOG_ALERT, "unrecognized option [%s]", *argv);
+	psyslog(LOG_ALERT, "unrecognized option [%s]", *argv);
       else
 	ctrl_flags |= krb4_args[j].flag;
     }
@@ -134,7 +134,7 @@
   closelog();
 }
 
-#define ENTRY(f) pdeb("%s() ruid = %d euid = %d", f, getuid(), geteuid())
+#define ENTRY(func) pdeb("%s() flags = %d ruid = %d euid = %d", func, flags, getuid(), geteuid())
 
 static void
 set_tkt_string(uid_t uid)
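Review bot: `ENTRY` now reads a variable named `flags` from whatever scope it is expanded in, so it only compiles inside functions that happen to have one, and it would silently log a shadowing local. Passing it explicitly keeps the dependency visible: `#define ENTRY(func, flags) pdeb("%s() flags = 0x%x ruid = %d euid = %d", func, flags, getuid(), geteuid())`, with the call sites updated to match. `0x%x` is also how pam_sm_setcred prints the same bitmask in its "unknown flags" message, and is easier to read than `%d`. The hunk ends at the start of set_tkt_string, whose body is outside it.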
@@ -182,9 +182,14 @@
   old_euid = geteuid();
   setreuid(0, 0);
   ret = krb_verify_user(name, inst, realm, pass, krb_verify, NULL);
-  if (setreuid(old_ruid, old_euid) != 0)
+  pdeb("krb_verify_user(`%s', `%s', `%s', pw, %d, NULL) returns %s",
+       name, inst, realm, krb_verify,
+       krb_get_err_text(ret));
+  if (setreuid(old_ruid, old_euid) != 0
+      ||  getuid() != old_ruid
+      || geteuid() != old_euid)
     {
-      log_error(LOG_ALERT , "setreuid(%d, %d) failed", old_ruid, old_euid);
+      psyslog(LOG_ALERT , "setreuid(%d, %d) failed", old_ruid, old_euid);
       exit(1);
     }
     
@@ -220,7 +225,7 @@
       ret = pam_get_item(pamh, PAM_AUTHTOK, (void **) &pass);
       if (ret != PAM_SUCCESS)
         {
-          log_error(LOG_ERR , "pam_get_item returned error to get-password");
+          psyslog(LOG_ERR , "pam_get_item returned error to get-password");
           return ret;
         }
       else if (pass != 0 && verify_pass(pamh, name, inst, pass) == PAM_SUCCESS)
@@ -271,9 +276,11 @@
   struct passwd *pw;
   uid_t uid = -1;
   const char *name, *inst;
+  char realm[REALM_SZ];
+  realm[0] = 0;
 
-  parse_ctrl(argc, argv);
   ENTRY("pam_sm_authenticate");
+  parse_ctrl(argc, argv);
 
   ret = pam_get_user(pamh, &user, "login: ");
   if (ret != PAM_SUCCESS)
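Review bot: `ENTRY("pam_sm_authenticate");` now runs before `parse_ctrl(argc, argv);`. If pdeb decides whether to emit anything from an option bit that parse_ctrl sets (neither body is visible in this hunk), the entry trace is governed by whatever the control flags held from an earlier call, and a first call with debugging enabled may log nothing. The same swap is made in pam_sm_setcred, pam_sm_open_session and pam_sm_close_session. If the new order is deliberate, a one-line comment above the ENTRY call stating the reason would help; otherwise keep `parse_ctrl(argc, argv);` first. pam_sm_authenticate continues outside the hunk.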
@@ -316,11 +323,9 @@
    */
   if (ret == PAM_SUCCESS && inst[0] != 0)
     {
-      char realm[REALM_SZ];
       uid_t old_euid = geteuid();
       uid_t old_ruid = getuid();
 
-      realm[0] = 0;
       setreuid(0, 0);		/* To read ticket file. */
       if (krb_get_tf_fullname(tkt_string(), 0, 0, realm) != KSUCCESS)
 	ret = PAM_SERVICE_ERR;
@@ -334,37 +339,52 @@
       if (ret != PAM_SUCCESS)
 	{
 	  dest_tkt();		/* Passwd known, ok to kill ticket. */
-	  log_error(LOG_NOTICE,
-		    "%s.%s@%s is not allowed to log in as %s",
-		    name, inst, realm, user);
+	  psyslog(LOG_NOTICE,
+		  "%s.%s@%s is not allowed to log in as %s",
+		  name, inst, realm, user);
 	}
 
-      if (setreuid(old_ruid, old_euid) != 0)
+      if (setreuid(old_ruid, old_euid) != 0
+	  ||  getuid() != old_ruid
+	  || geteuid() != old_ruid)
 	{
-	  log_error(LOG_ALERT , "setreuid(%d, %d) failed", old_ruid, old_euid);
+	  psyslog(LOG_ALERT , "setreuid(%d, %d) failed", old_ruid, old_euid);
 	  exit(1);
 	}
     }
 
   if (ret == PAM_SUCCESS)
-    chown(tkt_string(), uid, -1);
-
-  /* Sun dtlogin unlock screen does not call any other pam_* funcs. */
-  if (ret == PAM_SUCCESS
-      && ctrl_on(KRB4_REAFSLOG)
-      && k_hasafs()
-      && (pw = getpwnam(user)) != 0)
-    krb_afslog_uid_home(/*cell*/ 0,/*realm_hint*/ 0, pw->pw_uid, pw->pw_dir);
+    {
+      psyslog(LOG_INFO,
+	      "%s.%s@%s authenticated as user %s",
+	      name, inst, realm, user);
+      if (chown(tkt_string(), uid, -1) == -1)
+	{
+	  dest_tkt();
+	  psyslog(LOG_ALERT , "chown(%s, %d, -1) failed", tkt_string(), uid);
+	  exit(1);
+	}
+    }
 
+  /*
+   * Kludge alert!!! Sun dtlogin unlock screen fails to call
+   * pam_setcred(3) with PAM_REFRESH_CRED after a successful
+   * authentication attempt, sic.
+   *
+   * This hack is designed as a workaround to that problem.
+   */
+  if (ctrl_on(KRB4_REAFSLOG))
+    if (ret == PAM_SUCCESS)
+      pam_sm_setcred(pamh, PAM_REFRESH_CRED, argc, argv);
+  
   return ret;
 }
 
 int 
 pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
 {
-  parse_ctrl(argc, argv);
   ENTRY("pam_sm_setcred");
-  pdeb("flags = 0x%x", flags);
+  parse_ctrl(argc, argv);
 
   switch (flags & ~PAM_SILENT) {
   case 0:
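Review bot: The restored-ID check in pam_sm_authenticate compares the effective uid against the saved real uid: `|| geteuid() != old_ruid)` should be `|| geteuid() != old_euid)`, as the equivalent check in verify_pass already does. When the calling program runs with ruid != euid (a setuid-root screen locker, for instance), a successful `setreuid(old_ruid, old_euid)` leaves geteuid() equal to old_euid, the comparison is true, and the module logs "setreuid(...) failed" and calls `exit(1)` in the host process. Separately, the new LOG_INFO success message prints `realm` even when the `inst[0] != 0` branch was skipped and realm is still the empty string, which gives a misleading principal in the auth log. The hunk starts inside pam_sm_authenticate and ends inside pam_sm_setcred.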
@@ -393,7 +413,7 @@
       k_unlog();
     break;
   default:
-    log_error(LOG_ALERT , "pam_sm_setcred: unknown flags 0x%x", flags);
+    psyslog(LOG_ALERT , "pam_sm_setcred: unknown flags 0x%x", flags);
     break;
   }
   
@@ -403,8 +423,8 @@
 int
 pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
 {
-  parse_ctrl(argc, argv);
   ENTRY("pam_sm_open_session");
+  parse_ctrl(argc, argv);
 
   return PAM_SUCCESS;
 }
@@ -413,13 +433,11 @@
 int
 pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char**argv)
 {
-  parse_ctrl(argc, argv);
   ENTRY("pam_sm_close_session");
+  parse_ctrl(argc, argv);
 
   /* This isn't really kosher, but it's handy. */
-  dest_tkt();
-  if (k_hasafs())
-    k_unlog();
+  pam_sm_setcred(pamh, PAM_DELETE_CRED, argc, argv);
 
   return PAM_SUCCESS;
 }
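Review bot: The result of `pam_sm_setcred(pamh, PAM_DELETE_CRED, argc, argv)` is discarded and pam_sm_close_session returns PAM_SUCCESS regardless, so a failure to remove the ticket file or AFS token would be invisible to the caller and to the log. What pam_sm_setcred returns on the delete path is outside this hunk, but if it can report failure, logging it costs little: `if (pam_sm_setcred(pamh, PAM_DELETE_CRED, argc, argv) != PAM_SUCCESS) psyslog(LOG_ERR, "pam_sm_close_session: credential cleanup failed");`. The nested call also re-runs ENTRY and parse_ctrl, so each session close produces two entry traces.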
diff -ur krb4-1.0.2.orig/lib/des/Makefile.in krb4-1.0.2/lib/des/Makefile.in
--- krb4-1.0.2.orig/lib/des/Makefile.in	Fri Mar 10 23:58:39 2000
+++ krb4-1.0.2/lib/des/Makefile.in	Wed Sep 13 15:31:05 2000
@@ -1,5 +1,5 @@
 #
-# $Id: Makefile.in,v 1.53.2.1 2000/03/10 22:58:39 assar Exp $
+# $Id: Makefile.in,v 1.56 2000/09/13 13:27:02 bg Exp $
 #
 
 SHELL = /bin/sh
@@ -115,12 +115,17 @@
 realclean: distclean
 	rm -f TAGS
 
+$(LIBNAME)_pic.a: $(LIBOBJ)
+	rm -f $@
+	$(AR) cr $@ $(LIBOBJ)
+	-$(RANLIB) $@
+
 $(LIBNAME).a: $(LIBOBJ)
 	rm -f $@
 	$(AR) cr $@ $(LIBOBJ)
 	-$(RANLIB) $@
 
-$(LIBNAME).$(SHLIBEXT): $(LIBOBJ)
+$(LIBNAME).$(SHLIBEXT): $(LIBOBJ) $(LIBNAME)_pic.a
 	rm -f $@
 	$(LDSHARED) -o $@ $(LIBOBJ) $(LIB_DEPS)
 	@build_symlink_command@
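Review bot: `$(LIBNAME)_pic.a` is archived from the same `$(LIBOBJ)` as `$(LIBNAME).a`, so the name promises position-independent objects that nothing in this rule guarantees; whether those objects are compiled with PIC flags is decided outside the hunk. The archive is then linked into the PAM module's shared object, where non-PIC code leads to text relocations or a link error on some platforms. It is also added as a prerequisite of `$(LIBNAME).$(SHLIBEXT)` without being used in that recipe, apparently only to get it built; a comment on the new rule such as `# built for lib/auth/pam, which links it statically; objects must be PIC` would make both facts explicit. The kafs and krb Makefile.in hunks add the same rule, and the clean targets (not shown) should be checked to remove the new archive.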
diff -ur krb4-1.0.2.orig/lib/kafs/Makefile.in krb4-1.0.2/lib/kafs/Makefile.in
--- krb4-1.0.2.orig/lib/kafs/Makefile.in	Fri Jun 23 05:20:04 2000
+++ krb4-1.0.2/lib/kafs/Makefile.in	Wed Sep 13 15:31:05 2000
@@ -1,5 +1,5 @@
 #
-# $Id: Makefile.in,v 1.50.2.1 2000/06/23 03:20:04 assar Exp $
+# $Id: Makefile.in,v 1.52 2000/09/13 13:27:24 bg Exp $
 #
 
 SHELL = /bin/sh
@@ -83,13 +83,17 @@
 realclean: distclean
 	rm -f TAGS
 
-$(LIBNAME).a: $(OBJECTS)
+$(LIBNAME)_pic.a: $(OBJECTS)
 	rm -f $@
 	$(AR) cr $@ $(OBJECTS)
 	-$(RANLIB) $@
 
+$(LIBNAME).a: $(OBJECTS)
+	rm -f $@
+	$(AR) cr $@ $(OBJECTS)
+	-$(RANLIB) $@
 
-$(LIBNAME).$(SHLIBEXT): $(OBJECTS)
+$(LIBNAME).$(SHLIBEXT): $(OBJECTS) $(LIBNAME)_pic.a
 	rm -f $@
 	$(LDSHARED) -o $@ $(OBJECTS) $(LIB_DEPS)
 	@build_symlink_command@
diff -ur krb4-1.0.2.orig/lib/krb/Makefile.in krb4-1.0.2/lib/krb/Makefile.in
--- krb4-1.0.2.orig/lib/krb/Makefile.in	Fri Jun 23 05:20:01 2000
+++ krb4-1.0.2/lib/krb/Makefile.in	Wed Sep 13 15:31:05 2000
@@ -1,5 +1,5 @@
 #
-# $Id: Makefile.in,v 1.113.2.1 2000/06/23 03:20:01 assar Exp $
+# $Id: Makefile.in,v 1.116 2000/09/13 13:27:12 bg Exp $
 #
 SHELL = /bin/sh
 
@@ -292,12 +292,17 @@
 realclean: distclean
 	rm -f TAGS
 
+$(LIBNAME)_pic.a: $(OBJECTS) $(SHLIB_LIBADD)
+	rm -f $@
+	$(AR) cr $@ $(OBJECTS) $(SHLIB_LIBADD)
+	-$(RANLIB) $@
+
 $(LIBNAME).a: $(OBJECTS)
 	rm -f $@
 	$(AR) cr $@ $(OBJECTS)
 	-$(RANLIB) $@
 
-$(LIBNAME).$(SHLIBEXT): $(OBJECTS) $(SHLIB_LIBADD)
+$(LIBNAME).$(SHLIBEXT): $(OBJECTS) $(SHLIB_LIBADD) $(LIBNAME)_pic.a
 	rm -f $@
 	$(LDSHARED) -o $@ $(OBJECTS) $(SHLIB_LIBADD) $(LIB_DEPS)
 	@build_symlink_command@
