diff --git a/krb5-1.14.1-log_file_permissions.patch b/krb5-1.14.1-log_file_permissions.patch new file mode 100644 index 0000000..2e8795b --- /dev/null +++ b/krb5-1.14.1-log_file_permissions.patch @@ -0,0 +1,63 @@ +From 9914b93516bbce9b1123ed5f9f796b7028944892 Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Thu, 17 Dec 2015 13:31:39 -0500 +Subject: [PATCH] Create KDC and kadmind log files with mode 0640 + +In krb5_klog_init(), use open() and fdopen() to open log files so that +we can specify a mode. Specify a mode which doesn't include the +group-write, other-read, or other-write bits even if the process umask +allows them. + +[ghudson@mit.edu: wrote commit message, de-indented post-open setup +code] +[rharwood@redhat.com: backport not clean for some reason?] + +ticket: 8344 (new) +--- + src/lib/kadm5/logger.c | 21 ++++++++++++--------- + 1 file changed, 12 insertions(+), 9 deletions(-) + +diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c +index 19c4355..f4a9387 100644 + +--- a/src/lib/kadm5/logger.c 2016-01-21 18:52:52.529544902 +0000 ++++ b/src/lib/kadm5/logger.c 2016-01-21 18:57:22.923972419 +0000 +@@ -354,7 +354,7 @@ + const char *logging_profent[3]; + const char *logging_defent[3]; + char **logging_specs; +- int i, ngood; ++ int i, ngood, fd, append; + char *cp, *cp2; + char savec = '\0'; + int error; +@@ -422,18 +422,21 @@ + /* + * Check for append/overwrite, then open the file. + */ +- if (cp[4] == ':' || cp[4] == '=') { +- f = WRITABLEFOPEN(&cp[5], (cp[4] == ':') ? "a" : "w"); +- if (f) { +- set_cloexec_file(f); +- log_control.log_entries[i].lfu_filep = f; +- log_control.log_entries[i].log_type = K_LOG_FILE; +- log_control.log_entries[i].lfu_fname = &cp[5]; +- } else { ++ append = (cp[4] == ':') ? O_APPEND : 0; ++ if (append || cp[4] == '=') { ++ fd = open(&cp[5], O_CREAT | O_WRONLY | append, ++ S_IRUSR | S_IWUSR | S_IRGRP); ++ if (fd != -1) ++ f = fdopen(fd, append ? "a" : "w"); ++ if (fd == -1 || f == NULL) { + fprintf(stderr,"Couldn't open log file %s: %s\n", + &cp[5], error_message(errno)); + continue; + } ++ set_cloexec_file(f); ++ log_control.log_entries[i].lfu_filep = f; ++ log_control.log_entries[i].log_type = K_LOG_FILE; ++ log_control.log_entries[i].lfu_fname = &cp[5]; + } + } + #ifdef HAVE_SYSLOG diff --git a/krb5.spec b/krb5.spec index 39480a5..83ced18 100644 --- a/krb5.spec +++ b/krb5.spec @@ -13,7 +13,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.14 -Release: 16%{?dist} +Release: 17%{?dist} # - Maybe we should explode from the now-available-to-everybody tarball instead? # http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar # - The sources below are stored in a lookaside cache. Upload with @@ -60,6 +60,7 @@ Patch148: krb5-disable_ofd_locks.patch Patch150: krb5-fix_interposer.patch Patch151: krb5-mechglue_inqure_attrs.patch Patch152: krb5-init_context_null_spnego.patch +Patch153: krb5-1.14.1-log_file_permissions.patch License: MIT URL: http://web.mit.edu/kerberos/www/ @@ -236,6 +237,7 @@ ln NOTICE LICENSE %patch150 -p1 -b .fix_interposer %patch151 -p1 -b .mechglue_inqure_attrs %patch152 -p1 -b .init_context_null_spnego +%patch153 -p1 -b .log_file_permissions # Take the execute bit off of documentation. chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html @@ -766,6 +768,10 @@ exit 0 %changelog +* Thu Jan 21 2016 Robbie Harwood - 1.14-17 +- Make krb5kdc.log not world-readable by default +- Resolves: #1276484 + * Thu Jan 21 2016 Robbie Harwood - 1.14-16 - Allow verification of attributes on krb5.conf