From: Todd C. Miller Date: Wed, 27 Feb 2008 14:26:28 +0000 (+0000) Subject: Disable use of gss_krb5_ccache_name() by default and add X-Git-Tag: SUDO_1_7_0~175 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=f20935284b4869c217d082835c181c4ced1e55f7;p=sudo Disable use of gss_krb5_ccache_name() by default and add --enable-gss-krb5-ccache-name configure option to enable it. It seems that gss_krb5_ccache_name() doesn't work properly with some combinations of Heimdal and OpenLDAP. --- diff --git a/INSTALL b/INSTALL index cffca1aa5..15a34c87f 100644 --- a/INSTALL +++ b/INSTALL @@ -539,6 +539,13 @@ The following options are also configurable at runtime: "chaining" sudo commands to get a root shell by doing something like "sudo sudo /bin/sh". + --enable-gss-krb5-ccache-name + Use the gss_krb5_ccache_name() function to set the Kerberos + V credential cache file name. By default, sudo will use + the KRB5CCNAME environment variable to set this. While + gss_krb5_ccache_name() provides a better API to do this it + is not supported by all Kerberos V and SASL combinations. + --enable-log-host Log the hostname in the log file. diff --git a/configure b/configure index 7a8344e1e..ce1ddf9f2 100755 --- a/configure +++ b/configure @@ -1494,8 +1494,10 @@ Optional Features: --enable-log-host Log the hostname in the log file --enable-noargs-shell If sudo is given no arguments run a shell --enable-shell-sets-home - set $HOME to target user in shell mode + Set $HOME to target user in shell mode --disable-path-info Print 'command not allowed' not 'command not found' + --enable-gss-krb5-ccache-name + Use GSS-API to set the Kerberos V cred cache name --enable-static[=PKGS] build static libraries [default=no] --enable-shared[=PKGS] build shared libraries [default=yes] --enable-fast-install[=PKGS] 
@@ -4007,6 +4009,14 @@ esac fi +# Check whether --enable-gss_krb5_ccache_name was given. +if test "${enable_gss_krb5_ccache_name+set}" = set; then + enableval=$enable_gss_krb5_ccache_name; check_gss_krb5_ccache_name=$enableval +else + check_gss_krb5_ccache_name=no +fi + + # Extract the first word of "egrep", so it can be a program name with args. set dummy egrep; ac_word=$2 { echo "$as_me:$LINENO: checking for $ac_word" >&5 @@ -6170,7 +6180,7 @@ ia64-*-hpux*) ;; *-*-irix6*) # Find out which ABI we are using. - echo '#line 6173 "configure"' > conftest.$ac_ext + echo '#line 6183 "configure"' > conftest.$ac_ext if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? @@ -7714,11 +7724,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:7717: $lt_compile\"" >&5) + (eval echo "\"\$as_me:7727: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:7721: \$? = $ac_status" >&5 + echo "$as_me:7731: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. @@ -8004,11 +8014,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:8007: $lt_compile\"" >&5) + (eval echo "\"\$as_me:8017: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:8011: \$? = $ac_status" >&5 + echo "$as_me:8021: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. 
@@ -8108,11 +8118,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:8111: $lt_compile\"" >&5) + (eval echo "\"\$as_me:8121: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:8115: \$? = $ac_status" >&5 + echo "$as_me:8125: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -10453,7 +10463,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext < conftest.$ac_ext <&5 + if test X"$check_gss_krb5_ccache_name" = X"yes"; then + { echo "$as_me:$LINENO: checking for gss_krb5_ccache_name in -lgssapi" >&5 echo $ECHO_N "checking for gss_krb5_ccache_name in -lgssapi... $ECHO_C" >&6; } if test "${ac_cv_lib_gssapi_gss_krb5_ccache_name+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -22459,7 +22470,7 @@ if test $ac_cv_lib_gssapi_gss_krb5_ccache_name = yes; then #define HAVE_GSS_KRB5_CCACHE_NAME 1 _ACEOF - LDAP_LIBS="${LDAP_LIBS} -lgssapi" + LDAP_LIBS="${LDAP_LIBS} -lgssapi" else { echo "$as_me:$LINENO: checking for gss_krb5_ccache_name in -lgssapi_krb5" >&5 echo $ECHO_N "checking for gss_krb5_ccache_name in -lgssapi_krb5... $ECHO_C" >&6; } 
@@ -22527,19 +22538,19 @@ if test $ac_cv_lib_gssapi_krb5_gss_krb5_ccache_name = yes; then #define HAVE_GSS_KRB5_CCACHE_NAME 1 _ACEOF - LDAP_LIBS="${LDAP_LIBS} -lgssapi_krb5" + LDAP_LIBS="${LDAP_LIBS} -lgssapi_krb5" fi fi - # gssapi headers may be separate or part of Kerberos V - found=no - O_CPPFLAGS="$CPPFLAGS" - for dir in "" "kerberosV" "krb5" "kerberos5" "kerberosv5"; do - test X"$dir" != X"" && CPPFLAGS="$O_CPPFLAGS -I/usr/include/${dir}" - cat >conftest.$ac_ext <<_ACEOF + # gssapi headers may be separate or part of Kerberos V + found=no + O_CPPFLAGS="$CPPFLAGS" + for dir in "" "kerberosV" "krb5" "kerberos5" "kerberosv5"; do + test X"$dir" != X"" && CPPFLAGS="$O_CPPFLAGS -I/usr/include/${dir}" + cat >conftest.$ac_ext <<_ACEOF #include _ACEOF if { (ac_try="$ac_cpp conftest.$ac_ext" @@ -22594,8 +22605,8 @@ rm -f conftest.err conftest.$ac_ext fi rm -f conftest.err conftest.$ac_ext - done - if test X"$found" != X"no"; then + done + if test X"$found" != X"no"; then for ac_header in $found do @@ -22736,7 +22747,7 @@ fi done - if test X"$found" = X"gssapi/gssapi.h"; then + if test X"$found" = X"gssapi/gssapi.h"; then for ac_header in gssapi/gssapi_krb5.h do @@ -22877,11 +22888,12 @@ fi done - fi - else - CPPFLAGS="$O_CPPFLAGS" - { echo "$as_me:$LINENO: WARNING: Unable to locate gssapi.h, you will have to edit the Makefile and add -I/path/to/gssapi/includes to CPPFLAGS" >&5 + fi + else + CPPFLAGS="$O_CPPFLAGS" + { echo "$as_me:$LINENO: WARNING: Unable to locate gssapi.h, you will have to edit the Makefile and add -I/path/to/gssapi/includes to CPPFLAGS" >&5 echo "$as_me: WARNING: Unable to locate gssapi.h, you will have to edit the Makefile and add -I/path/to/gssapi/includes to CPPFLAGS" >&2;} + fi fi SUDO_LIBS="${SUDO_LIBS}${LDAP_LIBS}" diff --git a/configure.in b/configure.in index 929ecc047..7f44069bc 100644 --- a/configure.in +++ b/configure.in 
@@ -1126,7 +1126,7 @@ AC_ARG_ENABLE(noargs-shell, AC_MSG_CHECKING(whether to set \$HOME to target user in shell mode) AC_ARG_ENABLE(shell-sets-home, [ --enable-shell-sets-home - set $HOME to target user in shell mode], + Set $HOME to target user in shell mode], [ case "$enableval" in yes) AC_MSG_RESULT(yes) AC_DEFINE(SHELL_SETS_HOME) @@ -1170,6 +1170,12 @@ AC_ARG_WITH(selinux, [ --with-selinux enable SELinux support], ;; esac]) +dnl +dnl gss_krb5_ccache_name() may not work on Heimdal so we don't use it by default +dnl +AC_ARG_ENABLE(gss_krb5_ccache_name, [ --enable-gss-krb5-ccache-name + Use GSS-API to set the Kerberos V cred cache name], [check_gss_krb5_ccache_name=$enableval], [check_gss_krb5_ccache_name=no]) + dnl dnl If we don't have egrep we can't do anything... dnl 
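Review bot: In the new `AC_ARG_ENABLE(gss_krb5_ccache_name, ...)` block (configure.in hunk at -1170), `$enableval` is copied into `check_gss_krb5_ccache_name` unchecked, and the later guard only matches the literal `yes`, so a mistyped value such as `--enable-gss-krb5-ccache-name=on` silently leaves the feature off. The neighbouring `--enable-shell-sets-home` option dispatches on `$enableval` with a `case`; doing the same here and rejecting unknown values would surface the mistake, e.g. `[case "$enableval" in yes|no) check_gss_krb5_ccache_name=$enableval ;; *) AC_MSG_ERROR([--enable-gss-krb5-ccache-name takes yes or no]) ;; esac]`. The feature name is also spelled with underscores while the help text and the sibling options use dashes; autoconf maps both spellings to the same shell variable, but `AC_ARG_ENABLE(gss-krb5-ccache-name, ...)` would follow the file's convention and correct the generated "Check whether --enable-gss_krb5_ccache_name was given" comment in configure.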
@@ -2348,29 +2354,31 @@ if test ${with_ldap-'no'} != "no"; then AC_CHECK_HEADERS([sasl/sasl.h]) AC_CHECK_HEADERS([ldap_ssl.h] [mps/ldap_ssl.h], [break], [], [#include ]) - AC_CHECK_LIB(gssapi, gss_krb5_ccache_name, - AC_DEFINE(HAVE_GSS_KRB5_CCACHE_NAME) - [LDAP_LIBS="${LDAP_LIBS} -lgssapi"], - AC_CHECK_LIB(gssapi_krb5, gss_krb5_ccache_name, + if test X"$check_gss_krb5_ccache_name" = X"yes"; then + AC_CHECK_LIB(gssapi, gss_krb5_ccache_name, AC_DEFINE(HAVE_GSS_KRB5_CCACHE_NAME) - [LDAP_LIBS="${LDAP_LIBS} -lgssapi_krb5"]) - ) + [LDAP_LIBS="${LDAP_LIBS} -lgssapi"], + AC_CHECK_LIB(gssapi_krb5, gss_krb5_ccache_name, + AC_DEFINE(HAVE_GSS_KRB5_CCACHE_NAME) + [LDAP_LIBS="${LDAP_LIBS} -lgssapi_krb5"]) + ) - # gssapi headers may be separate or part of Kerberos V - found=no - O_CPPFLAGS="$CPPFLAGS" - for dir in "" "kerberosV" "krb5" "kerberos5" "kerberosv5"; do - test X"$dir" != X"" && CPPFLAGS="$O_CPPFLAGS -I/usr/include/${dir}" - AC_PREPROC_IFELSE([#include ], [found="gssapi/gssapi.h"; break], [AC_PREPROC_IFELSE([#include ], [found="gssapi.h"; break])]) - done - if test X"$found" != X"no"; then - AC_CHECK_HEADERS([$found]) - if test X"$found" = X"gssapi/gssapi.h"; then - AC_CHECK_HEADERS([gssapi/gssapi_krb5.h]) + # gssapi headers may be separate or part of Kerberos V + found=no + O_CPPFLAGS="$CPPFLAGS" + for dir in "" "kerberosV" "krb5" "kerberos5" "kerberosv5"; do + test X"$dir" != X"" && CPPFLAGS="$O_CPPFLAGS -I/usr/include/${dir}" + AC_PREPROC_IFELSE([#include ], [found="gssapi/gssapi.h"; break], [AC_PREPROC_IFELSE([#include ], [found="gssapi.h"; break])]) + done + if test X"$found" != X"no"; then + AC_CHECK_HEADERS([$found]) + if test X"$found" = X"gssapi/gssapi.h"; then + AC_CHECK_HEADERS([gssapi/gssapi_krb5.h]) + fi + else + CPPFLAGS="$O_CPPFLAGS" + AC_MSG_WARN([Unable to locate gssapi.h, you will have to edit the Makefile and add -I/path/to/gssapi/includes to CPPFLAGS]) fi - else - CPPFLAGS="$O_CPPFLAGS" - AC_MSG_WARN([Unable to locate gssapi.h, you will have to edit 
the Makefile and add -I/path/to/gssapi/includes to CPPFLAGS]) fi SUDO_LIBS="${SUDO_LIBS}${LDAP_LIBS}"
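Review bot: When `--enable-gss-krb5-ccache-name` is requested but neither `-lgssapi` nor `-lgssapi_krb5` provides `gss_krb5_ccache_name`, the inner `AC_CHECK_LIB` has no not-found action, so configure finishes quietly without `HAVE_GSS_KRB5_CCACHE_NAME` and the build presumably falls back to the `KRB5CCNAME` path described in INSTALL (the C code that reads the macro is not part of this diff). Since the builder explicitly chose how the credential cache name is set, the inner check should report the failure, for example with a fourth argument `[AC_MSG_WARN([gss_krb5_ccache_name() not found, falling back to KRB5CCNAME])]`, or `AC_MSG_ERROR` if a silent downgrade is not acceptable. A short comment above the `if test X"$check_gss_krb5_ccache_name" = X"yes"` guard, saying that the gssapi header probe is only needed for this function, would also explain why the header detection moved inside it. The enclosing `if test ${with_ldap-'no'} != "no"` block starts before the hunk.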