Disable use of gss_krb5_ccache_name() by default and add
--enable-gss-krb5-ccache-name configure option to enable it. It seems that gss_krb5_ccache_name() doesn't work properly with some combinations of Heimdal and OpenLDAP.
parent
9c3a47892b
commit
f20935284b
7
INSTALL
7
INSTALL
@ -539,6 +539,13 @@ The following options are also configurable at runtime:
|
||||
"chaining" sudo commands to get a root shell by doing something
|
||||
like "sudo sudo /bin/sh".
|
||||
|
||||
--enable-gss-krb5-ccache-name
|
||||
Use the gss_krb5_ccache_name() function to set the Kerberos
|
||||
V credential cache file name. By default, sudo will use
|
||||
the KRB5CCNAME environment variable to set this. While
|
||||
gss_krb5_ccache_name() provides a better API to do this it
|
||||
is not supported by all Kerberos V and SASL combinations.
|
||||
|
||||
--enable-log-host
|
||||
Log the hostname in the log file.
|
||||
|
||||
|
32
configure
vendored
32
configure
vendored
@ -1494,8 +1494,10 @@ Optional Features:
|
||||
--enable-log-host Log the hostname in the log file
|
||||
--enable-noargs-shell If sudo is given no arguments run a shell
|
||||
--enable-shell-sets-home
|
||||
set $HOME to target user in shell mode
|
||||
Set $HOME to target user in shell mode
|
||||
--disable-path-info Print 'command not allowed' not 'command not found'
|
||||
--enable-gss-krb5-ccache-name
|
||||
Use GSS-API to set the Kerberos V cred cache name
|
||||
--enable-static[=PKGS] build static libraries [default=no]
|
||||
--enable-shared[=PKGS] build shared libraries [default=yes]
|
||||
--enable-fast-install[=PKGS]
|
||||
@ -4007,6 +4009,14 @@ esac
|
||||
fi
|
||||
|
||||
|
||||
# Check whether --enable-gss_krb5_ccache_name was given.
|
||||
if test "${enable_gss_krb5_ccache_name+set}" = set; then
|
||||
enableval=$enable_gss_krb5_ccache_name; check_gss_krb5_ccache_name=$enableval
|
||||
else
|
||||
check_gss_krb5_ccache_name=no
|
||||
fi
|
||||
|
||||
|
||||
# Extract the first word of "egrep", so it can be a program name with args.
|
||||
set dummy egrep; ac_word=$2
|
||||
{ echo "$as_me:$LINENO: checking for $ac_word" >&5
|
||||
@ -6170,7 +6180,7 @@ ia64-*-hpux*)
|
||||
;;
|
||||
*-*-irix6*)
|
||||
# Find out which ABI we are using.
|
||||
echo '#line 6173 "configure"' > conftest.$ac_ext
|
||||
echo '#line 6183 "configure"' > conftest.$ac_ext
|
||||
if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
|
||||
(eval $ac_compile) 2>&5
|
||||
ac_status=$?
|
||||
@ -7714,11 +7724,11 @@ else
|
||||
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
|
||||
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
|
||||
-e 's:$: $lt_compiler_flag:'`
|
||||
(eval echo "\"\$as_me:7717: $lt_compile\"" >&5)
|
||||
(eval echo "\"\$as_me:7727: $lt_compile\"" >&5)
|
||||
(eval "$lt_compile" 2>conftest.err)
|
||||
ac_status=$?
|
||||
cat conftest.err >&5
|
||||
echo "$as_me:7721: \$? = $ac_status" >&5
|
||||
echo "$as_me:7731: \$? = $ac_status" >&5
|
||||
if (exit $ac_status) && test -s "$ac_outfile"; then
|
||||
# The compiler can only warn and ignore the option if not recognized
|
||||
# So say no if there are warnings other than the usual output.
|
||||
@ -8004,11 +8014,11 @@ else
|
||||
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
|
||||
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
|
||||
-e 's:$: $lt_compiler_flag:'`
|
||||
(eval echo "\"\$as_me:8007: $lt_compile\"" >&5)
|
||||
(eval echo "\"\$as_me:8017: $lt_compile\"" >&5)
|
||||
(eval "$lt_compile" 2>conftest.err)
|
||||
ac_status=$?
|
||||
cat conftest.err >&5
|
||||
echo "$as_me:8011: \$? = $ac_status" >&5
|
||||
echo "$as_me:8021: \$? = $ac_status" >&5
|
||||
if (exit $ac_status) && test -s "$ac_outfile"; then
|
||||
# The compiler can only warn and ignore the option if not recognized
|
||||
# So say no if there are warnings other than the usual output.
|
||||
@ -8108,11 +8118,11 @@ else
|
||||
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
|
||||
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
|
||||
-e 's:$: $lt_compiler_flag:'`
|
||||
(eval echo "\"\$as_me:8111: $lt_compile\"" >&5)
|
||||
(eval echo "\"\$as_me:8121: $lt_compile\"" >&5)
|
||||
(eval "$lt_compile" 2>out/conftest.err)
|
||||
ac_status=$?
|
||||
cat out/conftest.err >&5
|
||||
echo "$as_me:8115: \$? = $ac_status" >&5
|
||||
echo "$as_me:8125: \$? = $ac_status" >&5
|
||||
if (exit $ac_status) && test -s out/conftest2.$ac_objext
|
||||
then
|
||||
# The compiler can only warn and ignore the option if not recognized
|
||||
@ -10453,7 +10463,7 @@ else
|
||||
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
|
||||
lt_status=$lt_dlunknown
|
||||
cat > conftest.$ac_ext <<EOF
|
||||
#line 10456 "configure"
|
||||
#line 10466 "configure"
|
||||
#include "confdefs.h"
|
||||
|
||||
#if HAVE_DLFCN_H
|
||||
@ -10553,7 +10563,7 @@ else
|
||||
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
|
||||
lt_status=$lt_dlunknown
|
||||
cat > conftest.$ac_ext <<EOF
|
||||
#line 10556 "configure"
|
||||
#line 10566 "configure"
|
||||
#include "confdefs.h"
|
||||
|
||||
#if HAVE_DLFCN_H
|
||||
@ -22393,6 +22403,7 @@ fi
|
||||
done
|
||||
|
||||
|
||||
if test X"$check_gss_krb5_ccache_name" = X"yes"; then
|
||||
{ echo "$as_me:$LINENO: checking for gss_krb5_ccache_name in -lgssapi" >&5
|
||||
echo $ECHO_N "checking for gss_krb5_ccache_name in -lgssapi... $ECHO_C" >&6; }
|
||||
if test "${ac_cv_lib_gssapi_gss_krb5_ccache_name+set}" = set; then
|
||||
@ -22883,6 +22894,7 @@ done
|
||||
{ echo "$as_me:$LINENO: WARNING: Unable to locate gssapi.h, you will have to edit the Makefile and add -I/path/to/gssapi/includes to CPPFLAGS" >&5
|
||||
echo "$as_me: WARNING: Unable to locate gssapi.h, you will have to edit the Makefile and add -I/path/to/gssapi/includes to CPPFLAGS" >&2;}
|
||||
fi
|
||||
fi
|
||||
|
||||
SUDO_LIBS="${SUDO_LIBS}${LDAP_LIBS}"
|
||||
LIBS="$_LIBS"
|
||||
|
10
configure.in
10
configure.in
@ -1126,7 +1126,7 @@ AC_ARG_ENABLE(noargs-shell,
|
||||
AC_MSG_CHECKING(whether to set \$HOME to target user in shell mode)
|
||||
AC_ARG_ENABLE(shell-sets-home,
|
||||
[ --enable-shell-sets-home
|
||||
set $HOME to target user in shell mode],
|
||||
Set $HOME to target user in shell mode],
|
||||
[ case "$enableval" in
|
||||
yes) AC_MSG_RESULT(yes)
|
||||
AC_DEFINE(SHELL_SETS_HOME)
|
||||
@ -1170,6 +1170,12 @@ AC_ARG_WITH(selinux, [ --with-selinux enable SELinux support],
|
||||
;;
|
||||
esac])
|
||||
|
||||
dnl
|
||||
dnl gss_krb5_ccache_name() may not work on Heimdal so we don't use it by default
|
||||
dnl
|
||||
AC_ARG_ENABLE(gss_krb5_ccache_name, [ --enable-gss-krb5-ccache-name
|
||||
Use GSS-API to set the Kerberos V cred cache name], [check_gss_krb5_ccache_name=$enableval], [check_gss_krb5_ccache_name=no])
|
||||
|
||||
dnl
|
||||
dnl If we don't have egrep we can't do anything...
|
||||
dnl
|
||||
@ -2348,6 +2354,7 @@ if test ${with_ldap-'no'} != "no"; then
|
||||
AC_CHECK_HEADERS([sasl/sasl.h])
|
||||
AC_CHECK_HEADERS([ldap_ssl.h] [mps/ldap_ssl.h], [break], [], [#include <ldap.h>])
|
||||
|
||||
if test X"$check_gss_krb5_ccache_name" = X"yes"; then
|
||||
AC_CHECK_LIB(gssapi, gss_krb5_ccache_name,
|
||||
AC_DEFINE(HAVE_GSS_KRB5_CCACHE_NAME)
|
||||
[LDAP_LIBS="${LDAP_LIBS} -lgssapi"],
|
||||
@ -2372,6 +2379,7 @@ if test ${with_ldap-'no'} != "no"; then
|
||||
CPPFLAGS="$O_CPPFLAGS"
|
||||
AC_MSG_WARN([Unable to locate gssapi.h, you will have to edit the Makefile and add -I/path/to/gssapi/includes to CPPFLAGS])
|
||||
fi
|
||||
fi
|
||||
|
||||
SUDO_LIBS="${SUDO_LIBS}${LDAP_LIBS}"
|
||||
LIBS="$_LIBS"
|
||||
|
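Review bot: In the second configure.in hunk the new AC_ARG_ENABLE copies `$enableval` straight into `check_gss_krb5_ccache_name`, and the later guard tests only for the literal `yes`, so `--enable-gss-krb5-ccache-name=<typo>` is accepted without a diagnostic and treated as disabled. A build that was meant to use gss_krb5_ccache_name() would then silently end up on the KRB5CCNAME path that INSTALL describes. The shell-sets-home option in the first hunk dispatches on `case "$enableval" in`; doing the same here, with `yes|no) check_gss_krb5_ccache_name=$enableval ;;` and `*) AC_MSG_ERROR([invalid argument to --enable-gss-krb5-ccache-name: $enableval]) ;;`, would surface the mistake at configure time. The feature name is also spelled with underscores while the help text and INSTALL use dashes; both spellings appear to reach the same shell variable, but `gss-krb5-ccache-name` would match the other options and the documentation.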