diff --git a/SOURCES/0001-Syslog-restored-Augeas-1.1.0-tree-compatibility-for-.patch b/SOURCES/0001-Syslog-restored-Augeas-1.1.0-tree-compatibility-for-.patch
index 9a5e106..4a43639 100644
--- a/SOURCES/0001-Syslog-restored-Augeas-1.1.0-tree-compatibility-for-.patch
+++ b/SOURCES/0001-Syslog-restored-Augeas-1.1.0-tree-compatibility-for-.patch
@@ -97,5 +97,5 @@ index 2ad1c165..329d121e 100644
 = "*.* @far.far.away\n"
 --
-2.17.2
+2.24.1
diff --git a/SOURCES/0002-Revert-Use-Quote-module-in-dovecot.patch b/SOURCES/0002-Revert-Use-Quote-module-in-dovecot.patch
index c249934..76a118b 100644
--- a/SOURCES/0002-Revert-Use-Quote-module-in-dovecot.patch
+++ b/SOURCES/0002-Revert-Use-Quote-module-in-dovecot.patch
@@ -82,5 +82,5 @@ index 33ea16f1..8e8c083b 100644
 } }
 --
-2.17.2
+2.24.1
diff --git a/SOURCES/0003-Revert-Jaas-add-several-improvements-to-cover-more-v.patch b/SOURCES/0003-Revert-Jaas-add-several-improvements-to-cover-more-v.patch
index fed2fed..781808e 100644
--- a/SOURCES/0003-Revert-Jaas-add-several-improvements-to-cover-more-v.patch
+++ b/SOURCES/0003-Revert-Jaas-add-several-improvements-to-cover-more-v.patch
@@ -139,5 +139,5 @@ index 5f2bfb13..d5ede698 100644
 - { } }
 --
-2.17.2
+2.24.1
diff --git a/SOURCES/0004-UpdateDB-autoload-etc-updatedb.conf-with-Simplevars.patch b/SOURCES/0004-UpdateDB-autoload-etc-updatedb.conf-with-Simplevars.patch
index 2964e9c..168ca75 100644
--- a/SOURCES/0004-UpdateDB-autoload-etc-updatedb.conf-with-Simplevars.patch
+++ b/SOURCES/0004-UpdateDB-autoload-etc-updatedb.conf-with-Simplevars.patch
@@ -47,5 +47,5 @@ index 40cd26fb..c7309b16 100644
 - -let xfm = transform lns filter
 --
-2.17.2
+2.24.1
diff --git a/SOURCES/0005-Revert-Dnsmasq-add-structure-to-address-and-server-o.patch b/SOURCES/0005-Revert-Dnsmasq-add-structure-to-address-and-server-o.patch
index 9020437..7f02d95 100644
--- a/SOURCES/0005-Revert-Dnsmasq-add-structure-to-address-and-server-o.patch
+++ b/SOURCES/0005-Revert-Dnsmasq-add-structure-to-address-and-server-o.patch
@@ -134,5 +134,5 @@ index c6a63d96..0abfa6bd 100644
 - { "domain" = "qux.net" } - }
 --
-2.17.2
+2.24.1
diff --git a/SOURCES/0006-Sshd-revert-Sshd-module-to-1.1.0-compatible-add-Sshd.patch b/SOURCES/0006-Sshd-revert-Sshd-module-to-1.1.0-compatible-add-Sshd.patch
index d041f82..a8b8c81 100644
--- a/SOURCES/0006-Sshd-revert-Sshd-module-to-1.1.0-compatible-add-Sshd.patch
+++ b/SOURCES/0006-Sshd-revert-Sshd-module-to-1.1.0-compatible-add-Sshd.patch
@@ -486,5 +486,5 @@ index b4563540..387ac7d2 100644
 lens-stunnel.sh \ lens-subversion.sh \
 --
-2.17.2
+2.24.1
diff --git a/SOURCES/0007-Dhcpd-revert-Dhcpd-module-to-1.1.0-compatible-add-Dh.patch b/SOURCES/0007-Dhcpd-revert-Dhcpd-module-to-1.1.0-compatible-add-Dh.patch
index f9270c3..f85b4e9 100644
--- a/SOURCES/0007-Dhcpd-revert-Dhcpd-module-to-1.1.0-compatible-add-Dh.patch
+++ b/SOURCES/0007-Dhcpd-revert-Dhcpd-module-to-1.1.0-compatible-add-Dh.patch
@@ -1746,5 +1746,5 @@ index 387ac7d2..315cac9c 100644
 lens-dnsmasq.sh \ lens-dovecot.sh \
 --
-2.17.2
+2.24.1
diff --git a/SOURCES/0008-Slapd-revert-Slapd-module-to-1.1.0-compatible-add-Sl.patch b/SOURCES/0008-Slapd-revert-Slapd-module-to-1.1.0-compatible-add-Sl.patch
index 6f2846a..6cfad47 100644
--- a/SOURCES/0008-Slapd-revert-Slapd-module-to-1.1.0-compatible-add-Sl.patch
+++ b/SOURCES/0008-Slapd-revert-Slapd-module-to-1.1.0-compatible-add-Sl.patch
@@ -414,5 +414,5 @@ index 315cac9c..65d8993e 100644
 lens-solaris_system.sh \ lens-soma.sh \
 --
-2.17.2
+2.24.1
diff --git a/SOURCES/0009-Rhsm-new-lens-to-parse-subscription-manager-s-rhsm.c.patch b/SOURCES/0009-Rhsm-new-lens-to-parse-subscription-manager-s-rhsm.c.patch
index d5f28ac..8dc948d 100644
--- a/SOURCES/0009-Rhsm-new-lens-to-parse-subscription-manager-s-rhsm.c.patch
+++ b/SOURCES/0009-Rhsm-new-lens-to-parse-subscription-manager-s-rhsm.c.patch
@@ -254,5 +254,5 @@ index 65d8993e..4d2b2605 100644
 lens-rsyncd.sh \ lens-rsyslog.sh \
 --
-2.17.2
+2.24.1
diff --git a/SOURCES/0010-Fix-sudoers-lens-recognize-match_group_by_gid.patch b/SOURCES/0010-Fix-sudoers-lens-recognize-match_group_by_gid.patch
index 15481ba..c69e0ba 100644
--- a/SOURCES/0010-Fix-sudoers-lens-recognize-match_group_by_gid.patch
+++ b/SOURCES/0010-Fix-sudoers-lens-recognize-match_group_by_gid.patch
@@ -25,5 +25,5 @@ index 7567772d..0437daae 100644
 let parameter_flag = [ del_negate . negate_node? . key parameter_flag_kw ]
 --
-2.17.2
+2.24.1
diff --git a/SOURCES/0011-src-pathx.c-parse_name-correctly-handle-trailing-whi.patch b/SOURCES/0011-src-pathx.c-parse_name-correctly-handle-trailing-whi.patch
index 6ccffd6..05bfbd6 100644
--- a/SOURCES/0011-src-pathx.c-parse_name-correctly-handle-trailing-whi.patch
+++ b/SOURCES/0011-src-pathx.c-parse_name-correctly-handle-trailing-whi.patch
@@ -158,5 +158,5 @@ index 335e7bf8..dbba29e0 100644
 aug_close(aug);
 --
-2.17.2
+2.24.1
diff --git a/SOURCES/0012-tests-test-save.c-testSaveNoPermission-skip-when-roo.patch b/SOURCES/0012-tests-test-save.c-testSaveNoPermission-skip-when-roo.patch
index 85d9a56..9bc8999 100644
--- a/SOURCES/0012-tests-test-save.c-testSaveNoPermission-skip-when-roo.patch
+++ b/SOURCES/0012-tests-test-save.c-testSaveNoPermission-skip-when-roo.patch
@@ -24,5 +24,5 @@ index 4b6470f2..8775ba54 100644
 char *path = NULL; const char *v;
 --
-2.17.2
+2.24.1
diff --git a/SOURCES/0013-Chrony-allow-signed-numbers.patch b/SOURCES/0013-Chrony-allow-signed-numbers.patch
index c5f323f..0b40d71 100644
--- a/SOURCES/0013-Chrony-allow-signed-numbers.patch
+++ b/SOURCES/0013-Chrony-allow-signed-numbers.patch
@@ -48,5 +48,5 @@ index c4b552eb..905ecee4 100644
 { "bindcmdaddress" = "127.0.0.1" } { "bindcmdaddress" = "::1" }
 --
-2.17.2
+2.24.1
diff --git a/SOURCES/0014-Fix-430-support-Krb5-include-dir.patch b/SOURCES/0014-Fix-430-support-Krb5-include-dir.patch
index 9b4e4d3..0ee8860 100644
--- a/SOURCES/0014-Fix-430-support-Krb5-include-dir.patch
+++ b/SOURCES/0014-Fix-430-support-Krb5-include-dir.patch
@@ -48,5 +48,5 @@ index e17a659a..743bb375 100644
 + { "include" = "/etc/krb5.other_conf.d/other.conf" } + { "includedir" = "/etc/krb5.conf.d/" }
 --
-2.17.2
+2.24.1
diff --git a/SOURCES/0015-Cgconfig-allow-fperm-dperm-in-admin-task.patch b/SOURCES/0015-Cgconfig-allow-fperm-dperm-in-admin-task.patch
index 720905a..162593c 100644
--- a/SOURCES/0015-Cgconfig-allow-fperm-dperm-in-admin-task.patch
+++ b/SOURCES/0015-Cgconfig-allow-fperm-dperm-in-admin-task.patch
@@ -77,5 +77,5 @@ index 6cd0856d..84fd2ded 100644
 + { } +
 --
-2.17.2
+2.24.1
diff --git a/SOURCES/0016-Grub-handle-top-level-boot-directive-494.patch b/SOURCES/0016-Grub-handle-top-level-boot-directive-494.patch
index dada3fd..53b75b6 100644
--- a/SOURCES/0016-Grub-handle-top-level-boot-directive-494.patch
+++ b/SOURCES/0016-Grub-handle-top-level-boot-directive-494.patch
@@ -51,5 +51,5 @@ index f022ef72..8a0d9f4a 100644
 { "file" = "HD(1,800,64000,9895c137-d4b2-4e3b-a93b-dc9ac4)" } } { "password" = "$1$M9NLj$p2gs87vwNv48BUu.wAfVw0"
 --
-2.17.2
+2.24.1
diff --git a/SOURCES/0017-Fstab-allow-leading-whitespace-in-lines-with-spec-54.patch b/SOURCES/0017-Fstab-allow-leading-whitespace-in-lines-with-spec-54.patch
index 608225c..bd97a27 100644
--- a/SOURCES/0017-Fstab-allow-leading-whitespace-in-lines-with-spec-54.patch
+++ b/SOURCES/0017-Fstab-allow-leading-whitespace-in-lines-with-spec-54.patch
@@ -46,5 +46,5 @@ index fa044aea..438f619a 100644
 test Fstab.lns get no_passno = no_passno_tree
 --
-2.17.2
+2.24.1
diff --git a/SOURCES/0018-Grub-tolerate-some-invalid-entries.patch b/SOURCES/0018-Grub-tolerate-some-invalid-entries.patch
index 1e8643a..974651b 100644
--- a/SOURCES/0018-Grub-tolerate-some-invalid-entries.patch
+++ b/SOURCES/0018-Grub-tolerate-some-invalid-entries.patch
@@ -155,5 +155,5 @@ index 8a0d9f4a..75657203 100644
 + { "root" = "(hd0,0)" } + { "#error" = "crud foo" } }
 --
-2.17.2
+2.24.1
diff --git a/SOURCES/0019-Fix-sudoers-lens-always_query_group_plugin-588.patch b/SOURCES/0019-Fix-sudoers-lens-always_query_group_plugin-588.patch
index cbdf317..067d4e1 100644
--- a/SOURCES/0019-Fix-sudoers-lens-always_query_group_plugin-588.patch
+++ b/SOURCES/0019-Fix-sudoers-lens-always_query_group_plugin-588.patch
@@ -22,5 +22,5 @@ index 0437daae..d6140a8b 100644
 let parameter_flag = [ del_negate . negate_node? . key parameter_flag_kw ]
 --
-2.17.2
+2.24.1
diff --git a/SOURCES/0020-New-lens-Anaconda-597.patch b/SOURCES/0020-New-lens-Anaconda-597.patch
index cd78b63..6312491 100644
--- a/SOURCES/0020-New-lens-Anaconda-597.patch
+++ b/SOURCES/0020-New-lens-Anaconda-597.patch
@@ -182,5 +182,5 @@ index 00000000..73318cf6
 +visited = 1 +
 --
-2.17.2
+2.24.1
diff --git a/SOURCES/0021-krb5.aug-Support-realms-that-start-with-numbers-437.patch b/SOURCES/0021-krb5.aug-Support-realms-that-start-with-numbers-437.patch
new file mode 100644
index 0000000..a913be4
--- /dev/null
+++ b/SOURCES/0021-krb5.aug-Support-realms-that-start-with-numbers-437.patch
@@ -0,0 +1,61 @@
+From ddcf2557c169a1d4057f954e822d1e3ecf68b721 Mon Sep 17 00:00:00 2001
+From: Dustin Wheeler
+Date: Mon, 6 Feb 2017 08:57:49 -0500
+Subject: [PATCH] [krb5.aug] Support realms that start with numbers (#437)
+
+Currently, the default kerberos configuration that ships with
+Ubuntu has a realm that starts with a number (1TS.ORG). This
+causes the parser to fail and prevents krb5.conf from being
+available via augtool.
+
+This patch allows numbers 0-9 as the first character of a
+realm.
+---
+ lenses/krb5.aug | 4 ++--
+ lenses/tests/test_krb5.aug | 8 ++++++++
+ 2 files changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/lenses/krb5.aug b/lenses/krb5.aug
+index 8936f3a0..734ddde9 100644
+--- a/lenses/krb5.aug
++++ b/lenses/krb5.aug
+@@ -21,8 +21,8 @@ let closebr = del /[ \t]*\}/ "}"
+ and realms in the [appdefaults] section.
+ *)
+
+-let realm_re = /[A-Z][.a-zA-Z0-9-]*/
+-let realm_anycase_re = /[A-Za-z][.a-zA-Z0-9-]*/
++let realm_re = /[A-Z0-9][.a-zA-Z0-9-]*/
++let realm_anycase_re = /[A-Za-z0-9][.a-zA-Z0-9-]*/
+ let app_re = /[a-z][a-zA-Z0-9_]*/
+ let name_re = /[.a-zA-Z0-9_-]+/
+
+diff --git a/lenses/tests/test_krb5.aug b/lenses/tests/test_krb5.aug
+index 743bb375..f746543b 100644
+--- a/lenses/tests/test_krb5.aug
++++ b/lenses/tests/test_krb5.aug
+@@ -92,6 +92,10 @@ module Test_krb5 =
+ }
+ }
+ }
++ 1TS.ORG = {
++ kdc = kerberos.1ts.org
++ admin_server = kerberos.1ts.org
++ }
+ stanford.edu = {
+ kdc = krb5auth1.stanford.edu
+ kdc = krb5auth2.stanford.edu
+@@ -367,6 +371,10 @@ test Krb5.lns get fermi_str =
+ }
+ }
+ }
++ { "realm" = "1TS.ORG"
++ { "kdc" = "kerberos.1ts.org" }
++ { "admin_server" = "kerberos.1ts.org" }
++ }
+ { "realm" = "stanford.edu"
+ { "kdc" = "krb5auth1.stanford.edu" }
+ { "kdc" = "krb5auth2.stanford.edu" }
+--
+2.24.1
+
diff --git a/SOURCES/0022-Added-more-pkinit_-options.patch b/SOURCES/0022-Added-more-pkinit_-options.patch
new file mode 100644
index 0000000..5ddf9b5
--- /dev/null
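Review bot: Only the `[realms]` stanza of `fermi_str` gets a digit-leading realm in the added test, while the patch widens both `realm_re` and `realm_anycase_re`; the other places those patterns are used (the comment above them mentions `[appdefaults]`, and the uses themselves are outside the inner hunk) stay unexercised. A second case that names `1TS.ORG` in one of those sections would pin the behaviour. The comment block above the regexes should also record the new rule, for example `(* Realm names may begin with a letter or a digit, e.g. 1TS.ORG *)`. Since a lens parse failure removes the whole krb5.conf from the Augeas tree, and with it from any configuration check built on that tree, these patterns are worth testing against every section that stores a realm.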
+++ b/SOURCES/0022-Added-more-pkinit_-options.patch
@@ -0,0 +1,26 @@
+From 864d9e1c4dc95478771244a86809b957daf85ce8 Mon Sep 17 00:00:00 2001
+From: "Jason A. Smith"
+Date: Tue, 8 Jan 2019 11:26:38 -0500
+Subject: [PATCH] Added more pkinit_* options.
+
+---
+ lenses/krb5.aug | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/lenses/krb5.aug b/lenses/krb5.aug
+index 734ddde9..46c22656 100644
+--- a/lenses/krb5.aug
++++ b/lenses/krb5.aug
+@@ -85,7 +85,8 @@ let appdefaults =
+ let realms =
+ let simple_option = /kdc|admin_server|database_module|default_domain/
+ |/v4_realm|auth_to_local(_names)?|master_kdc|kpasswd_server/
+- |/admin_server|ticket_lifetime|pkinit_anchors|krb524_server/ in
++ |/admin_server|ticket_lifetime|pkinit_(anchors|identities|identity|pool)/
++ |/krb524_server/ in
+ let subsec_option = /v4_instance_convert/ in
+ let option = subsec_entry simple_option eq comment in
+ let subsec = [ indent . key subsec_option . eq_openbr .
+--
+2.24.1
+
diff --git a/SOURCES/0023-Krb5-improve-dbmodules-and-includes-630.patch b/SOURCES/0023-Krb5-improve-dbmodules-and-includes-630.patch
new file mode 100644
index 0000000..adf80bb
--- /dev/null
+++ b/SOURCES/0023-Krb5-improve-dbmodules-and-includes-630.patch
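Review bot: The new alternation `pkinit_(anchors|identities|identity|pool)` in `simple_option` is still a partial list and arrives without a test (the diffstat shows only `lenses/krb5.aug` changed). MIT's krb5.conf documentation also lists realm-level options such as `pkinit_revoke`, `pkinit_require_crl_checking`, `pkinit_eku_checking`, `pkinit_cert_match` and `pkinit_kdc_hostname`; a realm stanza using one of them would presumably still fail to parse, which puts exactly the hosts with stricter PKINIT settings out of reach of Augeas-based auditing. Consider widening the group to `pkinit_(anchors|cert_match|eku_checking|identities|identity|kdc_hostname|pool|require_crl_checking|revoke)` and adding a `test_krb5.aug` case for it. `admin_server` also appears twice in `simple_option` (first and third alternation lines); the duplicate is harmless but can be dropped. The `realms` definition continues past the end of the inner hunk.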
@@ -0,0 +1,133 @@
+From 72a3eae98c4bc1cc7cfe48071034a4f38d34ebbb Mon Sep 17 00:00:00 2001
+From: Pino Toscano
+Date: Tue, 4 Feb 2020 17:54:22 +0100
+Subject: [PATCH] Krb5: improve [dbmodules] and includes (#630)
+
+* Krb5: fix/revamp parsing of [dbmodules] subsection
+
+The [dbmodules] subsection so far was parsed much like the [dbdefaults]
+one, and thus it did not handle realms.
+
+Revamp it a bit to handle realms, and specify the only keyword not in
+realm subsections.
+
+* Krb5: allow include/includedir directives everywhere
+
+MIT Kerberos allows this, so do not restrict them only before any other
+section.
+---
+ lenses/krb5.aug | 27 +++++++++++++++++++--------
+ lenses/tests/test_krb5.aug | 36 +++++++++++++++++++++++++++++++++++-
+ 2 files changed, 54 insertions(+), 9 deletions(-)
+
+diff --git a/lenses/krb5.aug b/lenses/krb5.aug
+index 46c22656..6b509c42 100644
+--- a/lenses/krb5.aug
++++ b/lenses/krb5.aug
+@@ -21,10 +21,11 @@ let closebr = del /[ \t]*\}/ "}"
+ and realms in the [appdefaults] section.
+ *)
+
++let include_re = /include(dir)?/
+ let realm_re = /[A-Z0-9][.a-zA-Z0-9-]*/
+ let realm_anycase_re = /[A-Za-z0-9][.a-zA-Z0-9-]*/
+ let app_re = /[a-z][a-zA-Z0-9_]*/
+-let name_re = /[.a-zA-Z0-9_-]+/
++let name_re = /[.a-zA-Z0-9_-]+/ - include_re
+
+ let value_br = store /[^;# \t\r\n{}]+/
+ let value = store /[^;# \t\r\n]+/
+@@ -130,10 +131,19 @@ let dbdefaults =
+ simple_section "dbdefaults" keys
+
+ let dbmodules =
+- let keys = /db_library|ldap_kerberos_container_dn|ldap_kdc_dn/
+- |/ldap_kadmind_dn|ldap_service_password_file|ldap_servers/
+- |/ldap_conns_per_server/ in
+- simple_section "dbmodules" keys
++ let subsec_key = /database_name|db_library|disable_last_success/
++ |/disable_lockout|ldap_conns_per_server|ldap_(kdc|kadmind)_dn/
++ |/ldap_(kdc|kadmind)_sasl_mech|ldap_(kdc|kadmind)_sasl_authcid/
++ |/ldap_(kdc|kadmind)_sasl_authzid|ldap_(kdc|kadmind)_sasl_realm/
++ |/ldap_kerberos_container_dn|ldap_servers/
++ |/ldap_service_password_file|mapsize|max_readers|nosync/
++ |/unlockiter/ in
++ let subsec_option = subsec_entry subsec_key eq comment in
++ let key = /db_module_dir/ in
++ let option = entry key eq value comment in
++ let realm = [ indent . label "realm" . store realm_re .
++ eq_openbr . (subsec_option)* . closebr . eol ] in
++ record "dbmodules" (option|realm)
+
+ (* This section is not documented in the krb5.conf manpage,
+ but the Fermi example uses it. *)
+@@ -152,11 +162,12 @@ let kdc =
+ let pam =
+ simple_section "pam" name_re
+
+-let includes = Build.key_value_line /include(dir)?/ Sep.space (store Rx.fspath)
++let includes = Build.key_value_line include_re Sep.space (store Rx.fspath)
++let include_lines = includes . (comment|empty)*
+
+-let lns = (comment|empty|includes)* .
++let lns = (comment|empty)* .
+ (libdefaults|login|appdefaults|realms|domain_realm
+- |logging|capaths|dbdefaults|dbmodules|instance_mapping|kdc|pam)*
++ |logging|capaths|dbdefaults|dbmodules|instance_mapping|kdc|pam|include_lines)*
+
+ let filter = (incl "/etc/krb5.conf.d/*.conf")
+ . (incl "/etc/krb5.conf")
+diff --git a/lenses/tests/test_krb5.aug b/lenses/tests/test_krb5.aug
+index f746543b..10b87605 100644
+--- a/lenses/tests/test_krb5.aug
++++ b/lenses/tests/test_krb5.aug
+@@ -1029,7 +1029,7 @@ default_ccache_name = KEYRING:persistent:%{uid}\n" =
+ { }
+ { "default_ccache_name" = "KEYRING:persistent:%{uid}" } }
+
+-(* Include(dir) test *)
++(* Include(dir) tests *)
+ let include_test = "include /etc/krb5.other_conf.d/other.conf
+ includedir /etc/krb5.conf.d/
+ "
+@@ -1037,3 +1037,37 @@ includedir /etc/krb5.conf.d/
+ test Krb5.lns get include_test =
+ { "include" = "/etc/krb5.other_conf.d/other.conf" }
+ { "includedir" = "/etc/krb5.conf.d/" }
++
++let include2_test = "[logging]
++ default = FILE:/var/log/krb5libs.log
++
++include /etc/krb5.other_conf.d/other.conf
++
++includedir /etc/krb5.conf.d/
++"
++
++test Krb5.lns get include2_test =
++ { "logging"
++ { "default"
++ { "file" = "/var/log/krb5libs.log" } }
++ { }
++ }
++ { "include" = "/etc/krb5.other_conf.d/other.conf" }
++ { }
++ { "includedir" = "/etc/krb5.conf.d/" }
++
++(* [dbmodules] test *)
++let dbmodules_test = "[dbmodules]
++ ATHENA.MIT.EDU = {
++ disable_last_success = true
++ }
++ db_module_dir = /some/path
++"
++
++test Krb5.lns get dbmodules_test =
++ { "dbmodules"
++ { "realm" = "ATHENA.MIT.EDU"
++ { "disable_last_success" = "true" }
++ }
++ { "db_module_dir" = "/some/path" }
++ }
+--
+2.24.1
+
diff --git a/SPECS/augeas.spec b/SPECS/augeas.spec
index 20e3976..31db7f7 100644
--- a/SPECS/augeas.spec
+++ b/SPECS/augeas.spec
@@ -1,6 +1,6 @@
 Name: augeas
 Version: 1.4.0
-Release: 9%{?dist}
+Release: 9%{?dist}.1
 Summary: A library for changing configuration files
 Group: System Environment/Libraries
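Review bot: In the rewritten `dbmodules`, the subsection name is captured with `store realm_re`, so it has to start with an uppercase letter or a digit and cannot contain `_`. As far as I recall from MIT's kdc.conf documentation, a `[dbmodules]` subsection may be named after a realm or after the section name given by a realm's `database_module`, and the LDAP example there uses `openldap_ldapconf`; such a file would not parse, and that stanza is the one holding `ldap_service_password_file` and the bind DNs an audit most wants to read. A wider name pattern that stays disjoint from `db_module_dir`, for instance `store (name_re - key)` (untested against the lens typechecker), together with a test using a lowercase section name, would cover it; the added `dbmodules_test` only exercises `ATHENA.MIT.EDU`. Separately, `include`/`includedir` are now accepted anywhere, but `filter` still loads only `/etc/krb5.conf` and `/etc/krb5.conf.d/*.conf`, so settings pulled in from other paths stay invisible to tools reading the tree; a comment next to `filter` saying so would help.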
@@ -27,6 +27,9 @@ Patch17: 0017-Fstab-allow-leading-whitespace-in-lines-with-spec-54.patch
 Patch18: 0018-Grub-tolerate-some-invalid-entries.patch
 Patch19: 0019-Fix-sudoers-lens-always_query_group_plugin-588.patch
 Patch20: 0020-New-lens-Anaconda-597.patch
+Patch21: 0021-krb5.aug-Support-realms-that-start-with-numbers-437.patch
+Patch22: 0022-Added-more-pkinit_-options.patch
+Patch23: 0023-Krb5-improve-dbmodules-and-includes-630.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -90,6 +93,9 @@ The libraries for %{name}.
 %patch18 -p1
 %patch19 -p1
 %patch20 -p1
+%patch21 -p1
+%patch22 -p1
+%patch23 -p1
 # Patches affect Makefile.am and configure.ac, so rerun autotools.
 autoreconf
@@ -151,6 +157,11 @@ rm -rf $RPM_BUILD_ROOT
 %{_libdir}/pkgconfig/augeas.pc
 %changelog
+* Thu Feb 06 2020 Pino Toscano - 1.4.0-9.el7_7.1
+- Krb5: support realms that start with numbers; add more pkinit_* options;
+ improve handling of [dbmodules]; allow include/includedir directives
+ everywhere (RHBZ#1799021)
+
 * Wed Dec 19 2018 Pino Toscano - 1.4.0-9
 - Add "Provides: bundled(gnulib)" to augeas-libs, as it embeds gnulib (RHBZ#1653766)