rpms/tog-pegasus/F-9 pegasus-2.7.1-local-or-remote-auth.patch, NONE, 1.1 pegasus-2.7.1-pam-wbem.patch, NONE, 1.1 access.conf, 1.1, 1.2 tog-pegasus.spec, 1.57, 1.58 pegasus-2.5.1-pam-wbem.patch, 1.1, NONE pegasus-2.7.0-local-or-remote-auth.patch, 1.1, NONE
Vitezslav Crhonek
vcrhonek at fedoraproject.org
Fri Nov 14 17:36:11 UTC 2008
Author: vcrhonek
Update of /cvs/extras/rpms/tog-pegasus/F-9
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv25924
Modified Files:
access.conf tog-pegasus.spec
Added Files:
pegasus-2.7.1-local-or-remote-auth.patch
pegasus-2.7.1-pam-wbem.patch
Removed Files:
pegasus-2.5.1-pam-wbem.patch
pegasus-2.7.0-local-or-remote-auth.patch
Log Message:
Fix local-or-remote-auth patch and enhance PAM security settings
pegasus-2.7.1-local-or-remote-auth.patch:
--- NEW FILE pegasus-2.7.1-local-or-remote-auth.patch ---
diff -up pegasus/src/Executor/PAMAuth.h.old pegasus/src/Executor/PAMAuth.h
--- pegasus/src/Executor/PAMAuth.h.old 2007-07-25 21:43:47.000000000 +0200
+++ pegasus/src/Executor/PAMAuth.h 2008-11-11 13:36:19.000000000 +0100
@@ -53,6 +53,9 @@
#include <Executor/Defines.h>
#include <Executor/Socket.h>
+#include <syslog.h>
+typedef bool Boolean;
+
/*
**==============================================================================
**
@@ -397,29 +400,60 @@ static int PAMValidateUserCallback(
*/
static int PAMAuthenticateInProcess(
- const char* username, const char* password)
+ const char* username, const char* password, const Boolean isRemoteUser)
{
PAMData data;
struct pam_conv pconv;
pam_handle_t* handle;
+ int retcode;
data.password = password;
pconv.conv = PAMAuthenticateCallback;
pconv.appdata_ptr = &data;
+ // NOTE: if any pam call should log anything, our syslog socket will be redirected
+ // to the AUTH facility, so we need to redirect it back after each pam call.
+
+ if ((retcode = pam_start("wbem", username, &pconv, &handle)) != PAM_SUCCESS)
+ {
+ closelog();
+ openlog("cimserver", LOG_PID, LOG_DAEMON);
+ syslog( LOG_ERR, "pam_start failed: %s", pam_strerror(handle, retcode));
+ syslog(LOG_ERR, "PAM authentication failed for %s user: %s",
+ isRemoteUser ? "remote" : "local", username);
+ return -1;
+ }
- if (pam_start("wbem", username, &pconv, &handle) != PAM_SUCCESS)
+ if ((retcode = pam_set_item(handle, PAM_TTY, isRemoteUser ? "wbemNetwork" : "wbemLocal")) != PAM_SUCCESS)
+ {
+ pam_end(handle, 0);
+ closelog();
+ openlog("cimserver", LOG_PID, LOG_DAEMON);
+ syslog( LOG_ERR, "pam_set_item(PAM_TTY=wbem) failed: %s", pam_strerror(handle, retcode));
+ syslog(LOG_ERR, "PAM authentication failed for %s user: %s",
+ isRemoteUser ? "remote" : "local", username);
return -1;
+ }
- if (pam_authenticate(handle, 0) != PAM_SUCCESS)
+ if ((retcode = pam_authenticate(handle, 0)) != PAM_SUCCESS)
{
pam_end(handle, 0);
+ closelog();
+ openlog("cimserver", LOG_PID, LOG_DAEMON);
+ syslog(LOG_ERR, "pam_authenticate failed: %s",pam_strerror(handle, retcode));
+ syslog(LOG_ERR, "PAM authentication failed for %s user: %s",
+ isRemoteUser ? "remote" : "local", username);
return -1;
}
- if (pam_acct_mgmt(handle, 0) != PAM_SUCCESS)
+ if ((retcode = pam_acct_mgmt(handle, 0)) != PAM_SUCCESS)
{
pam_end(handle, 0);
+ closelog();
+ openlog("cimserver", LOG_PID, LOG_DAEMON);
+ syslog(LOG_ERR, "pam_acct_mgmt failed: %s",pam_strerror(handle, retcode));
+ syslog(LOG_ERR, "PAM authentication failed for %s user: %s",
+ isRemoteUser ? "remote" : "local", username);
return -1;
}
@@ -443,16 +477,34 @@ static int PAMValidateUserInProcess(cons
PAMData data;
struct pam_conv pconv;
pam_handle_t* phandle;
+ int retcode;
pconv.conv = PAMValidateUserCallback;
pconv.appdata_ptr = &data;
- if (pam_start("wbem", username, &pconv, &phandle) != PAM_SUCCESS)
+ if ((retcode = pam_start("wbem", username, &pconv, &phandle)) != PAM_SUCCESS)
+ {
+ closelog();
+ openlog("cimserver", LOG_PID, LOG_DAEMON);
+ syslog( LOG_ERR, "pam_start() failed: %s", pam_strerror(phandle, retcode));
return -1;
+ }
+
+ if ((retcode = pam_set_item(phandle, PAM_TTY, "wbemLocal")) != PAM_SUCCESS)
+ {
+ pam_end(phandle, 0);
+ closelog();
+ openlog("cimserver", LOG_PID, LOG_DAEMON);
+ syslog( LOG_ERR, "pam_set_item(PAM_TTY=wbemLocal) failed: %s", pam_strerror(phandle, retcode));
+ return -1;
+ }
- if (pam_acct_mgmt(phandle, 0) != PAM_SUCCESS)
+ if ((retcode = pam_acct_mgmt(phandle, 0)) != PAM_SUCCESS)
{
pam_end(phandle, 0);
+ closelog();
+ openlog("cimserver", LOG_PID, LOG_DAEMON);
+ syslog( LOG_ERR, "pam_acct_mgmt() failed: %s", pam_strerror(phandle, retcode));
return -1;
}
@@ -471,12 +523,12 @@ static int PAMValidateUserInProcess(cons
**==============================================================================
*/
-static int PAMAuthenticate(const char* username, const char* password)
+static int PAMAuthenticate(const char* username, const char* password, const Boolean isRemoteUser)
{
#ifdef PEGASUS_USE_PAM_STANDALONE_PROC
return CimserveraProcessOperation("authenticate", username, password);
#else
- return PAMAuthenticateInProcess(username, password);
+ return PAMAuthenticateInProcess(username, password, isRemoteUser);
#endif
}
diff -up pegasus/src/Pegasus/Common/AuthenticationInfo.h.old pegasus/src/Pegasus/Common/AuthenticationInfo.h
--- pegasus/src/Pegasus/Common/AuthenticationInfo.h.old 2007-09-03 13:27:02.000000000 +0200
+++ pegasus/src/Pegasus/Common/AuthenticationInfo.h 2008-11-11 13:27:58.000000000 +0100
@@ -356,6 +356,22 @@ public:
return _rep->getRemotePrivilegedUserAccessChecked();
}
+ /** Indicate whether the user is Remote
+ */
+ Boolean isRemoteUser() const
+ {
+ CheckRep(_rep);
+ return _rep->isRemoteUser();
+ }
+
+ /** Set the Remote User flag
+ */
+ void setRemoteUser(Boolean isRemoteUser)
+ {
+ CheckRep(_rep);
+ _rep->setRemoteUser(isRemoteUser);
+ }
+
private:
AuthenticationInfo(AuthenticationInfoRep* rep) : _rep(rep)
diff -up pegasus/src/Pegasus/Common/AuthenticationInfoRep.cpp.old pegasus/src/Pegasus/Common/AuthenticationInfoRep.cpp
--- pegasus/src/Pegasus/Common/AuthenticationInfoRep.cpp.old 2007-08-22 09:43:37.000000000 +0200
+++ pegasus/src/Pegasus/Common/AuthenticationInfoRep.cpp 2008-11-11 13:27:58.000000000 +0100
@@ -46,7 +46,8 @@ const String AuthenticationInfoRep::AUTH
AuthenticationInfoRep::AuthenticationInfoRep(Boolean flag)
: _connectionAuthenticated(false),
- _wasRemotePrivilegedUserAccessChecked(false)
+ _wasRemotePrivilegedUserAccessChecked(false),
+ _isRemoteUser(true)
{
PEG_METHOD_ENTER(
TRC_AUTHENTICATION, "AuthenticationInfoRep::AuthenticationInfoRep");
@@ -62,6 +63,16 @@ AuthenticationInfoRep::~AuthenticationIn
PEG_METHOD_EXIT();
}
+void AuthenticationInfoRep::setRemoteUser(Boolean isRemoteUser)
+{
+ PEG_METHOD_ENTER(TRC_AUTHENTICATION,
+ "AuthenticationInfoRep::setRemoteUser");
+
+ _isRemoteUser = isRemoteUser;
+
+ PEG_METHOD_EXIT();
+}
+
void AuthenticationInfoRep::setConnectionAuthenticated(
Boolean connectionAuthenticated)
{
diff -up pegasus/src/Pegasus/Common/AuthenticationInfoRep.h.old pegasus/src/Pegasus/Common/AuthenticationInfoRep.h
--- pegasus/src/Pegasus/Common/AuthenticationInfoRep.h.old 2007-08-22 09:43:37.000000000 +0200
+++ pegasus/src/Pegasus/Common/AuthenticationInfoRep.h 2008-11-11 13:27:58.000000000 +0100
@@ -149,6 +149,13 @@ public:
void setSecurityAssociation();
#endif
+ Boolean isRemoteUser() const
+ {
+ return _isRemoteUser;
+ }
+
+ void setRemoteUser(Boolean isRemoteUser);
+
Array<SSLCertificateInfo*> getClientCertificateChain()
{
return _clientCertificate;
@@ -192,6 +199,7 @@ private:
Boolean _wasRemotePrivilegedUserAccessChecked;
Array<SSLCertificateInfo*> _clientCertificate;
+ Boolean _isRemoteUser;
};
PEGASUS_NAMESPACE_END
diff -up pegasus/src/Pegasus/Common/Executor.cpp.old pegasus/src/Pegasus/Common/Executor.cpp
--- pegasus/src/Pegasus/Common/Executor.cpp.old 2008-02-08 20:42:37.000000000 +0100
+++ pegasus/src/Pegasus/Common/Executor.cpp 2008-11-11 13:27:58.000000000 +0100
@@ -122,7 +122,8 @@ public:
virtual int authenticatePassword(
const char* username,
- const char* password) = 0;
+ const char* password,
+ Boolean isRemoteUser) = 0;
virtual int validateUser(
const char* username) = 0;
@@ -470,10 +471,11 @@ public:
virtual int authenticatePassword(
const char* username,
- const char* password)
+ const char* password,
+ Boolean isRemoteUser)
{
#if defined(PEGASUS_PAM_AUTHENTICATION)
- return PAMAuthenticate(username, password);
+ return PAMAuthenticate(username, password, isRemoteUser);
#else
// ATTN: not handled so don't call in this case.
return -1;
@@ -812,7 +814,8 @@ public:
virtual int authenticatePassword(
const char* username,
- const char* password)
+ const char* password,
+ Boolean isRemoteUser)
{
AutoMutex autoMutex(_mutex);
@@ -1080,10 +1083,11 @@ int Executor::reapProviderAgent(
int Executor::authenticatePassword(
const char* username,
- const char* password)
+ const char* password,
+ Boolean isRemoteUser)
{
once(&_executorImplOnce, _initExecutorImpl);
- return _executorImpl->authenticatePassword(username, password);
+ return _executorImpl->authenticatePassword(username, password, isRemoteUser);
}
int Executor::validateUser(
diff -up pegasus/src/Pegasus/Common/Executor.h.old pegasus/src/Pegasus/Common/Executor.h
--- pegasus/src/Pegasus/Common/Executor.h.old 2008-02-08 20:17:58.000000000 +0100
+++ pegasus/src/Pegasus/Common/Executor.h 2008-11-11 13:27:58.000000000 +0100
@@ -185,7 +185,8 @@ public:
*/
static int authenticatePassword(
const char* username,
- const char* password);
+ const char* password,
+ Boolean isRemoteUser);
/** Check whether the given user is valid for the underlying authentcation
mechanism.
diff -up pegasus/src/Pegasus/Common/HTTPConnection.cpp.old pegasus/src/Pegasus/Common/HTTPConnection.cpp
--- pegasus/src/Pegasus/Common/HTTPConnection.cpp.old 2008-01-25 20:03:23.000000000 +0100
+++ pegasus/src/Pegasus/Common/HTTPConnection.cpp 2008-11-11 13:27:58.000000000 +0100
@@ -2117,6 +2117,30 @@ void HTTPConnection::_handleReadEvent()
message->contentLanguages = contentLanguages;
message->dest = _outputMessageQueue->getQueueId();
+ // Allow authenticators to differentiate Remote and Local users:
+ struct sockaddr_in sin_peer, sin_svr; // don't need to worry about IPv6 yet ...
+ socklen_t slen1=sizeof(struct sockaddr_in), slen2=sizeof(struct sockaddr_in);
+ uint32_t sock = _socket.get()->getSocket() ;
+ memset(&sin_peer,'\0',slen1);
+ memset(&sin_svr, '\0',slen2);
+ if ( ( ::getpeername( sock, (struct sockaddr*)&sin_peer, &slen1) == 0 )
+ ||( ::getsockname( sock, (struct sockaddr*)&sin_svr, &slen2) == 0 )
+ )
+ {
+ if( sin_peer.sin_family == AF_INET )
+ {
+ if( ((ntohl( sin_peer.sin_addr.s_addr ) >> 24) & 0xff) == 127 )
+ // message was sent FROM localhost interface
+ message->isFromRemoteHost = false;
+ }
+ if( sin_svr.sin_family == AF_INET )
+ {
+ if( ((ntohl( sin_svr.sin_addr.s_addr ) >> 24) & 0xff) == 127 )
+ // message was sent TO localhost interface
+ message->isFromRemoteHost = false;
+ }
+ }
+
//
// The _closeConnection method sets the _connectionClosePending flag.
// If we are executing on the client side and the
diff -up pegasus/src/Pegasus/Common/HTTPMessage.cpp.old pegasus/src/Pegasus/Common/HTTPMessage.cpp
--- pegasus/src/Pegasus/Common/HTTPMessage.cpp.old 2007-08-22 09:43:37.000000000 +0200
+++ pegasus/src/Pegasus/Common/HTTPMessage.cpp 2008-11-11 13:27:58.000000000 +0100
@@ -120,7 +120,8 @@ HTTPMessage::HTTPMessage(
queueId(queueId_),
authInfo(0),
acceptLanguagesDecoded(false),
- contentLanguagesDecoded(false)
+ contentLanguagesDecoded(false),
+ isFromRemoteHost(true)
{
if (cimException_)
cimException = *cimException_;
diff -up pegasus/src/Pegasus/Common/HTTPMessage.h.old pegasus/src/Pegasus/Common/HTTPMessage.h
--- pegasus/src/Pegasus/Common/HTTPMessage.h.old 2007-08-22 09:43:37.000000000 +0200
+++ pegasus/src/Pegasus/Common/HTTPMessage.h 2008-11-11 13:27:58.000000000 +0100
@@ -75,6 +75,7 @@ public:
ContentLanguageList contentLanguages;
Boolean acceptLanguagesDecoded;
Boolean contentLanguagesDecoded;
+ Boolean isFromRemoteHost;
CIMException cimException;
void parse(
diff -up pegasus/src/Pegasus/Common/tests/Executor/TestExecutor.cpp.old pegasus/src/Pegasus/Common/tests/Executor/TestExecutor.cpp
--- pegasus/src/Pegasus/Common/tests/Executor/TestExecutor.cpp.old 2007-07-25 21:43:49.000000000 +0200
+++ pegasus/src/Pegasus/Common/tests/Executor/TestExecutor.cpp 2008-11-11 13:27:58.000000000 +0100
@@ -80,7 +80,7 @@ void testExecutorLoopbackImpl()
#endif
PEGASUS_TEST_ASSERT(Executor::authenticatePassword(
- "xnonexistentuserx", "wrongpassword") == -1);
+ "xnonexistentuserx", "wrongpassword", true) == -1);
PEGASUS_TEST_ASSERT(Executor::validateUser("xnonexistentuserx") == -1);
char challengeFilePath[EXECUTOR_BUFFER_SIZE];
@@ -119,7 +119,7 @@ void testExecutorSocketImpl()
PEGASUS_TEST_ASSERT(Executor::reapProviderAgent(123) == 0);
PEGASUS_TEST_ASSERT(Executor::authenticatePassword(
- "xnonexistentuserx", "wrongpassword") == -1);
+ "xnonexistentuserx", "wrongpassword", true) == -1);
PEGASUS_TEST_ASSERT(Executor::validateUser("xnonexistentuserx") == -1);
char challengeFilePath[EXECUTOR_BUFFER_SIZE];
diff -up pegasus/src/Pegasus/Security/Authentication/BasicAuthenticationHandler.cpp.old pegasus/src/Pegasus/Security/Authentication/BasicAuthenticationHandler.cpp
--- pegasus/src/Pegasus/Security/Authentication/BasicAuthenticationHandler.cpp.old 2008-03-12 07:28:56.000000000 +0100
+++ pegasus/src/Pegasus/Security/Authentication/BasicAuthenticationHandler.cpp 2008-11-11 13:27:58.000000000 +0100
@@ -152,7 +152,7 @@ Boolean BasicAuthenticationHandler::auth
}
authInfo->setRemotePrivilegedUserAccessChecked();
- authenticated = _basicAuthenticator->authenticate(userName, password);
+ authenticated = _basicAuthenticator->authenticate(userName, password, authInfo->isRemoteUser());
// Log audit message.
PEG_AUDIT_LOG(logBasicAuthentication(
diff -up pegasus/src/Pegasus/Security/Authentication/BasicAuthenticator.h.old pegasus/src/Pegasus/Security/Authentication/BasicAuthenticator.h
--- pegasus/src/Pegasus/Security/Authentication/BasicAuthenticator.h.old 2006-01-30 17:18:28.000000000 +0100
+++ pegasus/src/Pegasus/Security/Authentication/BasicAuthenticator.h 2008-11-11 13:27:58.000000000 +0100
@@ -67,7 +67,8 @@ public:
*/
virtual Boolean authenticate(
const String& userName,
- const String& password) = 0;
+ const String& password,
+ Boolean isRemoteUser) = 0;
/** Construct and return the HTTP Basic authentication challenge header
@return A string containing the authentication challenge header.
diff -up pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticator.h.old pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticator.h
--- pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticator.h.old 2007-05-25 20:35:18.000000000 +0200
+++ pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticator.h 2008-11-11 13:27:58.000000000 +0100
@@ -55,7 +55,8 @@ public:
Boolean authenticate(
const String& userName,
- const String& password);
+ const String& password,
+ Boolean isRemoteUser);
Boolean validateUser(const String& userName);
diff -up pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorStub.cpp.old pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorStub.cpp
--- pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorStub.cpp.old 2007-06-29 19:43:15.000000000 +0200
+++ pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorStub.cpp 2008-11-11 13:27:58.000000000 +0100
@@ -85,7 +85,8 @@ PAMBasicAuthenticator::~PAMBasicAuthenti
Boolean PAMBasicAuthenticator::authenticate(
const String& userName,
- const String& password)
+ const String& password,
+ Boolean isRemoteUser)
{
PEG_METHOD_ENTER(TRC_AUTHENTICATION,
"PAMBasicAuthenticator::authenticate()");
diff -up pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorUnix.cpp.old pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorUnix.cpp
--- pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorUnix.cpp.old 2007-05-25 20:35:18.000000000 +0200
+++ pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorUnix.cpp 2008-11-11 13:27:58.000000000 +0100
@@ -72,13 +72,14 @@ PAMBasicAuthenticator::~PAMBasicAuthenti
Boolean PAMBasicAuthenticator::authenticate(
const String& userName,
- const String& password)
+ const String& password,
+ Boolean isRemoteUser)
{
PEG_METHOD_ENTER(TRC_AUTHENTICATION,
"PAMBasicAuthenticator::authenticate()");
if (Executor::authenticatePassword(
- userName.getCString(), password.getCString()) != 0)
+ userName.getCString(), password.getCString(), isRemoteUser) != 0)
{
return false;
}
diff -up pegasus/src/Pegasus/Security/Authentication/SecureBasicAuthenticator.cpp.old pegasus/src/Pegasus/Security/Authentication/SecureBasicAuthenticator.cpp
--- pegasus/src/Pegasus/Security/Authentication/SecureBasicAuthenticator.cpp.old 2008-01-28 10:33:28.000000000 +0100
+++ pegasus/src/Pegasus/Security/Authentication/SecureBasicAuthenticator.cpp 2008-11-11 13:27:58.000000000 +0100
@@ -241,7 +241,7 @@ Boolean SecureBasicAuthenticator::authen
if (Executor::detectExecutor() == 0)
{
if (Executor::authenticatePassword(
- userName.getCString(), password.getCString()) == 0)
+ userName.getCString(), password.getCString(), true) == 0)
{
authenticated = true;
}
diff -up pegasus/src/Pegasus/Server/HTTPAuthenticatorDelegator.cpp.old pegasus/src/Pegasus/Server/HTTPAuthenticatorDelegator.cpp
--- pegasus/src/Pegasus/Server/HTTPAuthenticatorDelegator.cpp.old 2007-12-19 14:55:10.000000000 +0100
+++ pegasus/src/Pegasus/Server/HTTPAuthenticatorDelegator.cpp 2008-11-11 13:27:58.000000000 +0100
@@ -403,6 +403,9 @@ void HTTPAuthenticatorDelegator::handleH
Logger::STANDARD_LOG, System::CIMSERVER, Logger::TRACE,
"HTTPAuthenticatorDelegator - Authentication processing start"));
+ // Let Authenticators know whether this user is Local or Remote:
+ httpMessage->authInfo->setRemoteUser( httpMessage->isFromRemoteHost );
+
//
// Handle authentication:
//
pegasus-2.7.1-pam-wbem.patch:
--- NEW FILE pegasus-2.7.1-pam-wbem.patch ---
--- pegasus/rpm/wbem.pam-wbem 2006-01-17 14:17:43.000000000 -0500
+++ pegasus/rpm/wbem 2006-04-05 19:26:46.000000000 -0400
@@ -1,13 +1,7 @@
#%PAM-1.0
-auth required $ISA/pam_env.so
-auth sufficient $ISA/pam_unix.so nullok
-auth required $ISA/pam_deny.so
-
-account required $ISA/pam_unix.so
-
-password required $ISA/pam_cracklib.so retry=3 type=
-password sufficient $ISA/pam_unix.so nullok use_authtok md5 shadow
-password required $ISA/pam_deny.so
-
-session required $ISA/pam_limits.so
-session required $ISA/pam_unix.so
+auth required pam_access.so accessfile=/etc/Pegasus/access.conf
+auth include system-auth
+account include system-auth
+password include system-auth
+session include system-auth
+session required pam_loginuid.so
Index: access.conf
===================================================================
RCS file: /cvs/extras/rpms/tog-pegasus/F-9/access.conf,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- access.conf 3 Oct 2005 17:56:03 -0000 1.1
+++ access.conf 14 Nov 2008 17:35:41 -0000 1.2
@@ -29,15 +29,20 @@
# The third field must be 'wbemNetwork', to control access by users from
# remote hosts, or 'wbemLocal', to control access by users from the local host.
##############################################################################
-#
+#
# Pegasus PAM Access Rules:
-# 1. The Remote host user access rule:
+# 1. The pegasus user access rule:
# By default, ONLY the pegasus user can use remote network HTTP/S service:
#
--: ALL EXCEPT pegasus:wbemNetwork
++: pegasus : ALL
+#
#
+# 2. The root user access rule:
+# By default, the root user can use pegasus local HTTP/S service:
+#
++: root : wbemLocal
+#
#
-# 2. The Local host user access rule:
-# By default, ONLY the pegasus and root users can use pegasus local HTTP/S service:
+# 3. Disallow anything else:
#
--: ALL EXCEPT pegasus root:wbemLocal
+-: ALL : ALL
Index: tog-pegasus.spec
===================================================================
RCS file: /cvs/extras/rpms/tog-pegasus/F-9/tog-pegasus.spec,v
retrieving revision 1.57
retrieving revision 1.58
diff -u -r1.57 -r1.58
--- tog-pegasus.spec 11 Feb 2008 15:22:36 -0000 1.57
+++ tog-pegasus.spec 14 Nov 2008 17:35:41 -0000 1.58
@@ -41,7 +41,7 @@
%endif
Version: 2.7.0
-Release: 6%{?dist}
+Release: 7%{?dist}
Epoch: 2
#
Summary: OpenPegasus WBEM Services for Linux
@@ -58,6 +58,7 @@
Source2: genOpenPegasusSSLCerts
Source3: pegasus_arch_alternatives
Source4: RedHat.OpenPegasus.Makefile
+Source5: access.conf
#
# 0: Still not fixed by http://cvs.rdg.opengroup.org/bugzilla/show_bug.cgi?id=5008
Patch0: pegasus-2.7.0-initscript.patch
@@ -69,9 +70,9 @@
# 4: don't see how http://cvs.rdg.opengroup.org/bugzilla/show_bug.cgi?id=5099 fixed it
Patch4: pegasus-2.6.0-cmpi-provider-lib.patch
# 5: http://cvs.rdg.opengroup.org/bugzilla/show_bug.cgi?id=5010
-Patch5: pegasus-2.7.0-local-or-remote-auth.patch
+Patch5: pegasus-2.7.1-local-or-remote-auth.patch
# 6: http://cvs.rdg.opengroup.org/bugzilla/show_bug.cgi?id=5012
-Patch6: pegasus-2.5.1-pam-wbem.patch
+Patch6: pegasus-2.7.1-pam-wbem.patch
# 7: http://cvs.rdg.opengroup.org/bugzilla/show_bug.cgi?id=5006
Patch7: pegasus-2.5.1-fix_tests.patch
Patch8: pegasus-2.6.0-multilib.patch
@@ -139,7 +140,6 @@
%patch2 -p1 -b .PIE
%patch3 -p1 -b .redhat-config
%patch4 -p1 -b .cmpi-provider-lib
-%patch5 -p1 -b .local-or-remote-auth
%patch6 -p1 -b .pam-wbem
%patch7 -p1 -b .fix-tests
%patch8 -p1 -b .multilib
@@ -147,6 +147,7 @@
%patch10 -p1 -b .cmpiheaders
%patch11 -p1 -b .no_privilege_separation
%patch12 -p1 -b .no_snmp_tests
+%patch5 -p1 -b .local-or-remote-auth
find . -name 'CVS' -exec /bin/rm -rf '{}' ';' >/dev/null 2>&1 ||:;
%build
@@ -154,6 +155,7 @@
cp -fp %SOURCE1 doc
cp -fp %SOURCE2 rpm
cp -fp %SOURCE4 .;
+cp -fp %SOURCE5 rpm
export RPM_ARCH_LIB=%{_lib}
export RPM_ARCH=%{_target_cpu}
@@ -442,6 +444,9 @@
%changelog
+* Fri Nov 14 2008 Vitezslav Crhonek <vcrhonek at redhat.com> - 2:2.7.0-7
+- Fix local-or-remote-auth patch and enhance PAM security settings
+
* Mon Feb 11 2008 Vitezslav Crhonek <vcrhonek at redhat.com> - 2:2.7.0-6
- Rebuild
--- pegasus-2.5.1-pam-wbem.patch DELETED ---
--- pegasus-2.7.0-local-or-remote-auth.patch DELETED ---
More information about the fedora-extras-commits
mailing list