| History log of /src/lib/libpam/modules/pam_ksu |
| Revision | Date | Author | Comments |
| 1.13 | 13-Jul-2025 |
christos | Get ready to handle the openssl move from bsd -> apache2
|
| 1.12 | 04-Feb-2018 |
christos | branches: 1.12.16;
switch everyone to openssl.old
|
| 1.11 | 26-May-2011 |
joerg | Default to -Wno-sign-compare -Wno-pointer-sign for clang.
Push -Wno-array-bounds down to the cases that depend on it.
Selectively disable warnings for 3rd party software or non-trivial
issues to be reviewed later to get clang -Werror to build most of the
tree.
|
| 1.10 | 15-Apr-2011 |
elric | Upgrade Heimdal to 1.5pre1 by switching the build from crypto/dist/heimdal
to crypto/external/bsd/heimdal. The latter was just imported as the head
of the Heimdal tree as of a few days ago.
|
| 1.9 | 20-Jul-2009 |
christos | use the proper libcrypto
|
| 1.8 | 27-Oct-2008 |
mrg | use LIBDPLIBS+= not =.
|
| 1.7 | 27-Oct-2008 |
mrg | don't set LIBDPLIBS in libpam/modules/Makefile - it is not necessary
and it interferes with the compat lib build. don't use LIB_ROOT_DIR.
|
| 1.6 | 25-Apr-2005 |
matt | Remove CPPFLAGS
|
| 1.5 | 25-Apr-2005 |
matt | Add ${DESTDIR}/usr/include/krb5 to CPPFLAGS so <parse_units.h> can be found.
|
| 1.4 | 29-Dec-2004 |
lukem | Use LIBDPLIBS to provide the list of libraries for the modules to depend
upon, because:
* it's MUCH quicker; no need to calculate the OBJDIRS of every library
we might require in every subdir.
(make obj drops from 21s to 3s on my system.)
* it's more robust when building to a fresh DESTDIR.
|
| 1.3 | 29-Dec-2004 |
christos | Link with libraries from the source build directory.
|
| 1.2 | 12-Dec-2004 |
christos | - NetBSD build glue
- Warning fixes
- RCSID's
|
| 1.1 | 12-Dec-2004 |
christos | branches: 1.1.1;
Initial revision
|
| 1.1.1.1 | 12-Dec-2004 |
christos | - Import freebsd's version of libpam as of today (20041212).
- Did not import opie, passwdqc, tacplus. We need to decide what to do
with them.
- Imported radius and ssh, although they will not work until we
import libradius and re-structure our tree to install libssh.
|
| 1.12.16.1 | 02-Aug-2025 |
perseant | Sync with HEAD
|
| 1.4 | 26-Feb-2005 |
thorpej | Oops, one more nit.
|
| 1.3 | 26-Feb-2005 |
thorpej | Minor wording consistency nit.
|
| 1.2 | 12-Dec-2004 |
christos | - NetBSD build glue
- Warning fixes
- RCSID's
|
| 1.1 | 12-Dec-2004 |
christos | branches: 1.1.1;
Initial revision
|
| 1.1.1.1 | 12-Dec-2004 |
christos | - Import freebsd's version of libpam as of today (20041212).
- Did not import opie, passwdqc, tacplus. We need to decide what to do
with them.
- Imported radius and ssh, although they will not work until we
import libradius and re-structure our tree to install libssh.
|
| 1.11 | 07-Sep-2023 |
riastradh | pam_ksu(8): Allow homedir access during kuserok.
Otherwise, the default kuserok logic to look at ~targetuser/.k5login
would be blocked by the security measure to thwart NetBSD-SA2023-005.
(There are other ways, e.g. setting SYSTEM-K5LOGIN in /etc/krb5.conf
so the file is /etc/k5login.d/user instead of ~user/.k5login, but
that's not the default configuration and there are plenty of
deployments that rely on ~user/.k5login today.)
I reviewed libkrb5 for homedir access checks. There are three:
1. krb5_config_parse_file_multi, called only by:
- verify_krb5_conf -- not relevant
- krb5_config_parse_file -- not used here as far as I can tell,
only by libhdb ldap logic and test code in heimdal
- krb5_set_config_files -- used here only via krb5_init_context,
which is done at this point
2. plugin_get_hosts in krbhst.c, used to look up hosts for KDC I/O,
which shouldn't be happening at this point, so this is almost
certainly unreachable; also it only appears to control whether
some old plugin API can be used, long after we have read the krb5
config controlling which plugins are available, so this is
probably harmless
3. krb5_kuserok, which is the one we want to allow
Note: This will have to be updated again in the next Heimdal update,
which eliminates the global homedir access flag in favour of making
the default per-context homedir access flag conditional on !issuid.
XXX pullup-10
XXX pullup-9
XXX pullup-8
|
| 1.10 | 20-Jun-2023 |
riastradh | pam_ksu: No need for homedir access.
|
| 1.9 | 27-Feb-2014 |
joerg | branches: 1.9.18; 1.9.28; 1.9.36;
Remove tautological check.
|
| 1.8 | 29-Dec-2013 |
christos | Fix incorrect types
|
| 1.7 | 28-Dec-2013 |
christos | avoid using freed pointers and non-format strings
|
| 1.6 | 25-Apr-2011 |
christos | branches: 1.6.4; 1.6.10;
fix pasto (of no consequence)
|
| 1.5 | 25-Apr-2011 |
christos | - make log_krb5 varyadic and merge the last error message.
- check for NULL context.
- print a more meaningful error when things go south
|
| 1.4 | 24-Apr-2011 |
elric | Stop using functions that are marked as deprecated in Heimdal.
|
| 1.3 | 08-Mar-2009 |
christos | consistency in password prompt setting code (and with ssh)
|
| 1.2 | 12-Dec-2004 |
christos | branches: 1.2.34;
- NetBSD build glue
- Warning fixes
- RCSID's
|
| 1.1 | 12-Dec-2004 |
christos | branches: 1.1.1;
Initial revision
|
| 1.1.1.1 | 12-Dec-2004 |
christos | - Import freebsd's version of libpam as of today (20041212).
- Did not import opie, passwdqc, tacplus. We need to decide what to do
with them.
- Imported radius and ssh, although they will not work until we
import libradius and re-structure our tree to install libssh.
|
| 1.2.34.1 | 13-May-2009 |
jym | Sync with HEAD.
Third (and last) commit. See http://mail-index.netbsd.org/source-changes/2009/05/13/msg221222.html
|
| 1.6.10.1 | 20-Aug-2014 |
tls | Rebase to HEAD as of a few days ago.
|
| 1.6.4.1 | 22-May-2014 |
yamt | sync with head.
for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.
this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
|
| 1.9.36.2 | 08-Sep-2023 |
martin | Pull up following revision(s) (requested by riastradh in ticket #357):
lib/libpam/modules/pam_ksu/pam_ksu.c: revision 1.11
pam_ksu(8): Allow homedir access during kuserok.
Otherwise, the default kuserok logic to look at ~targetuser/.k5login
would be blocked by the security measure to thwart NetBSD-SA2023-005.
(There are other ways, e.g. setting SYSTEM-K5LOGIN in /etc/krb5.conf
so the file is /etc/k5login.d/user instead of ~user/.k5login, but
that's not the default configuration and there are plenty of
deployments that rely on ~user/.k5login today.)
I reviewed libkrb5 for homedir access checks. There are three:
1. krb5_config_parse_file_multi, called only by:
- verify_krb5_conf -- not relevant
- krb5_config_parse_file -- not used here as far as I can tell,
only by libhdb ldap logic and test code in heimdal
- krb5_set_config_files -- used here only via krb5_init_context,
which is done at this point
2. plugin_get_hosts in krbhst.c, used to look up hosts for KDC I/O,
which shouldn't be happening at this point, so this is almost
certainly unreachable; also it only appears to control whether
some old plugin API can be used, long after we have read the krb5
config controlling which plugins are available, so this is
probably harmless
3. krb5_kuserok, which is the one we want to allow
Note: This will have to be updated again in the next Heimdal update,
which eliminates the global homedir access flag in favour of making
the default per-context homedir access flag conditional on !issuid.
|
| 1.9.36.1 | 21-Jun-2023 |
martin | Pull up following revision(s) (requested by riastradh in ticket #207):
lib/libpam/modules/pam_ksu/pam_ksu.c: revision 1.10
pam_ksu: No need for homedir access.
|
| 1.9.28.2 | 08-Sep-2023 |
martin | Pull up following revision(s) (requested by riastradh in ticket #1728):
lib/libpam/modules/pam_ksu/pam_ksu.c: revision 1.11
pam_ksu(8): Allow homedir access during kuserok.
Otherwise, the default kuserok logic to look at ~targetuser/.k5login
would be blocked by the security measure to thwart NetBSD-SA2023-005.
(There are other ways, e.g. setting SYSTEM-K5LOGIN in /etc/krb5.conf
so the file is /etc/k5login.d/user instead of ~user/.k5login, but
that's not the default configuration and there are plenty of
deployments that rely on ~user/.k5login today.)
I reviewed libkrb5 for homedir access checks. There are three:
1. krb5_config_parse_file_multi, called only by:
- verify_krb5_conf -- not relevant
- krb5_config_parse_file -- not used here as far as I can tell,
only by libhdb ldap logic and test code in heimdal
- krb5_set_config_files -- used here only via krb5_init_context,
which is done at this point
2. plugin_get_hosts in krbhst.c, used to look up hosts for KDC I/O,
which shouldn't be happening at this point, so this is almost
certainly unreachable; also it only appears to control whether
some old plugin API can be used, long after we have read the krb5
config controlling which plugins are available, so this is
probably harmless
3. krb5_kuserok, which is the one we want to allow
Note: This will have to be updated again in the next Heimdal update,
which eliminates the global homedir access flag in favour of making
the default per-context homedir access flag conditional on !issuid.
|
| 1.9.28.1 | 21-Jun-2023 |
martin | Pull up following revision(s) (requested by riastradh in ticket #1653):
lib/libpam/modules/pam_ksu/pam_ksu.c: revision 1.10
pam_ksu: No need for homedir access.
|
| 1.9.18.2 | 08-Sep-2023 |
martin | Pull up following revision(s) (requested by riastradh in ticket #1896):
lib/libpam/modules/pam_ksu/pam_ksu.c: revision 1.11
pam_ksu(8): Allow homedir access during kuserok.
Otherwise, the default kuserok logic to look at ~targetuser/.k5login
would be blocked by the security measure to thwart NetBSD-SA2023-005.
(There are other ways, e.g. setting SYSTEM-K5LOGIN in /etc/krb5.conf
so the file is /etc/k5login.d/user instead of ~user/.k5login, but
that's not the default configuration and there are plenty of
deployments that rely on ~user/.k5login today.)
I reviewed libkrb5 for homedir access checks. There are three:
1. krb5_config_parse_file_multi, called only by:
- verify_krb5_conf -- not relevant
- krb5_config_parse_file -- not used here as far as I can tell,
only by libhdb ldap logic and test code in heimdal
- krb5_set_config_files -- used here only via krb5_init_context,
which is done at this point
2. plugin_get_hosts in krbhst.c, used to look up hosts for KDC I/O,
which shouldn't be happening at this point, so this is almost
certainly unreachable; also it only appears to control whether
some old plugin API can be used, long after we have read the krb5
config controlling which plugins are available, so this is
probably harmless
3. krb5_kuserok, which is the one we want to allow
Note: This will have to be updated again in the next Heimdal update,
which eliminates the global homedir access flag in favour of making
the default per-context homedir access flag conditional on !issuid.
|
| 1.9.18.1 | 21-Jun-2023 |
martin | Pull up following revision(s) (requested by riastradh in ticket #1845):
lib/libpam/modules/pam_ksu/pam_ksu.c: revision 1.10
pam_ksu: No need for homedir access.
|
