From 199cac4d2dc5fc2cf388420c816d1aa301f3b3df Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai Date: May 27 2014 21:52:48 +0000 Subject: Back off on ksu fixes for now, caused regressions for FILE: - back out currently-proposed changes to teach ksu about credential cache collections and the default_ccache_name setting (#1089035) for now --- diff --git a/krb5-1.11-pam.patch b/krb5-1.11-pam.patch index 9e1d516..55c3ddf 100644 --- a/krb5-1.11-pam.patch +++ b/krb5-1.11-pam.patch @@ -9,8 +9,7 @@ section of /etc/krb5.conf. When enabled, ksu gains a dependency on libpam. Originally RT#5939, though it's changed since then to perform the account -and session management before dropping privileges, and to apply on top of -changes we're proposing for how it handles cache collections. +and session management before dropping privileges. diff -up krb5-1.8/src/aclocal.m4.pam krb5-1.8/src/aclocal.m4 --- krb5-1.8/src/aclocal.m4.pam 2009-11-22 12:00:45.000000000 -0500 @@ -96,7 +95,7 @@ diff -up krb5-1.8/src/clients/ksu/main.c.pam krb5-1.8/src/clients/ksu/main.c +#include "autoconf.h" #include "ksu.h" #include "adm_proto.h" - #include "../../lib/krb5/os/os-proto.h" + #include @@ -33,6 +34,10 @@ #include #include @@ -126,13 +125,13 @@ diff -up krb5-1.8/src/clients/ksu/main.c.pam krb5-1.8/src/clients/ksu/main.c + NULL, source_user, + ttyname(STDERR_FILENO)) != 0) { + fprintf(stderr, "Access denied for %s.\n", target_user); -+ sweep_up(ksu_context, cc_tmp); ++ sweep_up(ksu_context, cc_target); + exit(1); + } + if (appl_pam_requires_chauthtok()) { + fprintf(stderr, "Password change required for %s.\n", + target_user); -+ sweep_up(ksu_context, cc_tmp); ++ sweep_up(ksu_context, cc_target); + exit(1); + } + force_fork++; @@ -143,7 +142,7 @@ diff -up krb5-1.8/src/clients/ksu/main.c.pam krb5-1.8/src/clients/ksu/main.c if (krb5_seteuid(target_uid)) { com_err(prog_name, errno, _("while switching to target for " 
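Review bot: The `cc_tmp` to `cc_target` substitution in the PAM denial paths (hunk -126,13, repeated in hunks -143,7, -154,13, -177,7 and -188,7) has to cover every `sweep_up` call the pam patch adds, because `cc_tmp` presumably only exists while the backed-out ksu patches are applied. A leftover reference would break the build only when `USE_PAM` is defined, so a grep for `cc_tmp` across krb5-1.11-pam.patch is worth doing. These paths also appear to be where the credentials copied for the target user are discarded when PAM refuses access, which the patch does not say; I would add `/* PAM refused access: clean up the target ccache before exiting */` above each `sweep_up(ksu_context, cc_target);`. The enclosing function in main.c starts and ends outside these hunks, so whether `cc_target` is always initialised at these points cannot be confirmed from here.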
@@ -651,6 +676,26 @@ - sweep_up(ksu_context, cc_tmp); + sweep_up(ksu_context, cc_target); exit(1); } +#ifdef USE_PAM @@ -154,13 +153,13 @@ diff -up krb5-1.8/src/clients/ksu/main.c.pam krb5-1.8/src/clients/ksu/main.c + NULL, source_user, + ttyname(STDERR_FILENO)) != 0) { + fprintf(stderr, "Access denied for %s.\n", target_user); -+ sweep_up(ksu_context, cc_tmp); ++ sweep_up(ksu_context, cc_target); + exit(1); + } + if (appl_pam_requires_chauthtok()) { + fprintf(stderr, "Password change required for %s.\n", + target_user); -+ sweep_up(ksu_context, cc_tmp); ++ sweep_up(ksu_context, cc_target); + exit(1); + } + force_fork++; @@ -177,7 +176,7 @@ diff -up krb5-1.8/src/clients/ksu/main.c.pam krb5-1.8/src/clients/ksu/main.c + if (appl_pam_enabled(ksu_context, "ksu")) { + if (appl_pam_session_open() != 0) { + fprintf(stderr, "Error opening session for %s.\n", target_user); -+ sweep_up(ksu_context, cc_tmp); ++ sweep_up(ksu_context, cc_target); + exit(1); + } +#ifdef DEBUG @@ -188,7 +187,7 @@ diff -up krb5-1.8/src/clients/ksu/main.c.pam krb5-1.8/src/clients/ksu/main.c + if (appl_pam_cred_init()) { + fprintf(stderr, "Error initializing credentials for %s.\n", + target_user); -+ sweep_up(ksu_context, cc_tmp); ++ sweep_up(ksu_context, cc_target); + exit(1); + } +#ifdef DEBUG diff --git a/krb5.spec b/krb5.spec index b83ca53..89e4dfe 100644 --- a/krb5.spec +++ b/krb5.spec @@ -41,7 +41,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.11.5 -Release: 5%{?dist} +Release: 6%{?dist} # Maybe we should explode from the now-available-to-everybody tarball instead? # http://web.mit.edu/kerberos/dist/krb5/1.11/krb5-1.11.5-signed.tar Source0: krb5-%{version}.tar.gz 
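Review bot: In the session block (hunks -177,7 and -188,7) the `appl_pam_cred_init()` failure path runs `sweep_up(ksu_context, cc_target); exit(1);` after `appl_pam_session_open()` has already succeeded, and no session close is visible on that path. If cleanup is not registered elsewhere (the rest of the block lies outside the hunk), the PAM session is left open on this exit. A comment such as `/* session is closed by <cleanup routine> at exit */`, or an explicit close before `exit(1)`, would settle it.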
@@ -343,13 +343,13 @@ ln -s NOTICE LICENSE %patch302 -p1 -b .kinit-cccol %patch303 -p1 -b .keyring-strtol -%patch400 -p1 -b .ksu-intermediates -%patch401 -p1 -b .Don-t-try-to-stat-not-on-disk-ccache-residuals -%patch402 -p1 -b .Use-an-in-memory-cache-until-we-need-the-target-s -%patch403 -p1 -b .Learn-to-destroy-the-ccache-we-re-copying-from -%patch404 -p1 -b .Try-to-use-the-default_ccache_name-d-as-the-target -%patch405 -p1 -b .Be-more-careful-of-target-ccache-collections -%patch406 -p1 -b .Copy-config-entries-to-the-target-ccache +#%patch400 -p1 -b .ksu-intermediates +#%patch401 -p1 -b .Don-t-try-to-stat-not-on-disk-ccache-residuals +#%patch402 -p1 -b .Use-an-in-memory-cache-until-we-need-the-target-s +#%patch403 -p1 -b .Learn-to-destroy-the-ccache-we-re-copying-from +#%patch404 -p1 -b .Try-to-use-the-default_ccache_name-d-as-the-target +#%patch405 -p1 -b .Be-more-careful-of-target-ccache-collections +#%patch406 -p1 -b .Copy-config-entries-to-the-target-ccache %patch60 -p1 -b .pam @@ -1072,6 +1072,10 @@ exit 0 %{_sbindir}/uuserver %changelog +* Mon May 27 2014 Nalin Dahyabhai - 1.11.5-6 +- back out currently-proposed changes to teach ksu about credential cache + collections and the default_ccache_name setting (#1089035) for now + * Tue Mar 04 2014 Nathaniel McCallum - 1.11.5-5 - Backport fix for change password requests when using FAST (RT#7868)
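Review bot: The seven `%patch400` to `%patch406` lines in hunk -343,13 are disabled by a bare `#`, but rpm expands macros inside comment lines, so depending on the rpm version they may draw a "macro expanded in comment" warning or still be processed. `#%%patch400 -p1 -b .ksu-intermediates` is the safer form. The disabled set includes the ksu ccache-handling changes (`.Learn-to-destroy-the-ccache-we-re-copying-from`, `.Be-more-careful-of-target-ccache-collections`), so I would also add `# ksu cache-collection patches disabled pending FILE: regression fix (#1089035)` above the block. That way the reason is visible next to the lines and not only in %changelog.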