File 0009-UsrEtc-support.patch of Package krb5
From 4d138d9b4393ba1e38a0e8a02daf504adc549feb Mon Sep 17 00:00:00 2001
From: Stefan Schubert <schubi@suse.de>
Date: Fri, 29 Aug 2025 20:29:04 +0200
Subject: [PATCH] UsrEtc support
[scabrero@suse.com: Amend to fix memory leak in os_get_default_config_files()]
[scabrero@suse.com: Add --enable-vendordir, simplify configure.ac]
[scabrero@suse.com: Fix typo]
---
doc/admin/conf_files/krb5_conf.rst | 14 ++++++++++++--
doc/conf.py | 5 ++++-
src/configure.ac | 25 +++++++++++++++++++++++++
src/doc/Makefile.in | 23 +++++++++++++++++++----
src/include/Makefile.in | 4 +++-
src/include/osconf.hin | 4 ++++
src/lib/krb5/os/init_os_ctx.c | 22 +++++++++++++++++++++-
src/man/Makefile.in | 9 ++++++++-
8 files changed, 96 insertions(+), 10 deletions(-)
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
index e0c7a6330..a169b6e36 100644
--- a/doc/admin/conf_files/krb5_conf.rst
+++ b/doc/admin/conf_files/krb5_conf.rst
@@ -7,8 +7,14 @@ The krb5.conf file contains Kerberos configuration information,
including the locations of KDCs and admin servers for the Kerberos
realms of interest, defaults for the current realm and for Kerberos
applications, and mappings of hostnames onto Kerberos realms.
-Normally, you should install your krb5.conf file in the directory
-``/etc``. You can override the default location by setting the
+Normally, you should install your individual krb5.conf file in the directory
+``/etc``.
+
+.. only:: use_vendordir
+ If there is no individual one the dafault one |vendorkrb5conf| will
+ be taken.
+
+You can override the default location by setting the
environment variable **KRB5_CONFIG**. Multiple colon-separated
filenames may be specified in **KRB5_CONFIG**; all files which are
present will be read. Starting in release 1.14, directory names can
@@ -1271,6 +1277,10 @@ FILES
|krb5conf|
+.. only:: use_vendordir
+
+ |vendorkrb5conf| if |krb5conf| is not there.
+
SEE ALSO
--------
diff --git a/doc/conf.py b/doc/conf.py
index 60835e936..88eee1d60 100644
--- a/doc/conf.py
+++ b/doc/conf.py
@@ -239,6 +239,7 @@ if 'mansubs' in tags:
localstatedir = '``@LOCALSTATEDIR@``'
runstatedir = '``@RUNSTATEDIR@``'
sysconfdir = '``@SYSCONFDIR@``'
+ vendordir = '``@VENDORDIR@``'
ccache = '``@CCNAME@``'
keytab = '``@KTNAME@``'
ckeytab = '``@CKTNAME@``'
@@ -253,6 +254,7 @@ else:
localstatedir = ':ref:`LOCALSTATEDIR <paths>`'
runstatedir = ':ref:`RUNSTATEDIR <paths>`'
sysconfdir = ':ref:`SYSCONFDIR <paths>`'
+ vendordir = ':ref:`VENDORDIR <paths>`'
ccache = ':ref:`DEFCCNAME <paths>`'
keytab = ':ref:`DEFKTNAME <paths>`'
ckeytab = ':ref:`DEFCKTNAME <paths>`'
@@ -278,8 +280,9 @@ else:
rst_epilog += '.. |keytab| replace:: %s\n' % keytab
rst_epilog += '.. |ckeytab| replace:: %s\n' % ckeytab
rst_epilog += '.. |pkcs11_modname| replace:: %s\n' % pkcs11_modname
+ rst_epilog += '.. |vendorkrb5conf| replace:: %s/krb5.conf\n' % vendordir
+ rst_epilog += '.. |krb5conf| replace:: %s/krb5.conf\n' % sysconfdir
rst_epilog += '''
-.. |krb5conf| replace:: ``/etc/krb5.conf``
.. |defkeysalts| replace:: ``aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal``
.. |defetypes| replace:: ``aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac``
.. |defmkey| replace:: ``aes256-cts-hmac-sha1-96``
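Review bot: The new `|krb5conf|` substitution is built from `sysconfdir`, but the osconf.hin context later in this patch still defines the first default profile as the literal `/etc/krb5.conf`, with the SYSCONFDIR file only appended through `@SYSCONFCONF`. On a build where sysconfdir is not /etc, the documentation would name a different primary file than the one the library reads first. That matters to an administrator auditing which file governs realm and KDC selection. Either keep the literal ``/etc/krb5.conf`` for `|krb5conf|`, or add a comment such as `# assumes sysconfdir is /etc; the library always reads /etc/krb5.conf first` above the new line.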
diff --git a/src/configure.ac b/src/configure.ac
index 53936759e..d8a902a6f 100644
--- a/src/configure.ac
+++ b/src/configure.ac
@@ -1451,6 +1451,31 @@ fi
AC_SUBST(OSX)
AC_SUBST(MACOS_FRAMEWORK)
+# Vendordir
+AC_ARG_WITH([vendordir],
+ AS_HELP_STRING([--with-vendordir=DIR], [Directory for distribution provided configuration files]),
+ [
+ case $with_vendordir in
+ /*)
+ ;;
+ *)
+ AC_MSG_ERROR(You must specify an absolute path to --with-vendordir=DIR)
+ ;;
+ esac
+ VENDORDIR="$with_vendordir"
+ ],
+ [ VENDORDIR="/usr/etc" ])
+AC_DEFINE_UNQUOTED(VENDORDIR, ["$VENDORDIR"], [Location of vendor configuration files])
+AC_SUBST(VENDORDIR)
+
+AC_ARG_ENABLE([vendordir],
+ [AS_HELP_STRING([--enable-vendordir], [Enable support for distribution provided configuration files])],
+ [], [enable_vendordir=no])
+if test "$enable_vendordir" != no; then
+ AC_DEFINE(USE_VENDORDIR, 1, [Define if distribution provided configuration files should be used.])
+ AC_MSG_NOTICE([Used vendor dir: $VENDORDIR])
+fi
+
# Build-time default ccache, keytab, and client keytab names. These
# can be given as variable arguments DEFCCNAME, DEFKTNAME, and
# DEFCKTNAME. Otherwise, we try to get the OS defaults from
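Review bot: USE_VENDORDIR is only passed to AC_DEFINE inside `if test "$enable_vendordir" != no`, and no `AC_SUBST(USE_VENDORDIR)` is visible in this hunk, yet src/doc/Makefile.in and src/man/Makefile.in in this same patch read `USE_VENDORDIR=@USE_VENDORDIR@`. Unless the variable is substituted elsewhere, config.status leaves that token literal and the `"1"` comparison in the doc recipes never matches. The generated documentation would then omit the vendor fallback that the library actually performs. Set `USE_VENDORDIR=1` inside the `if` and add `AC_SUBST(USE_VENDORDIR)` after the `fi`. A short comment should also explain that VENDORDIR is defined and defaulted to /usr/etc even when the feature is disabled.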
diff --git a/src/doc/Makefile.in b/src/doc/Makefile.in
index a1b0cff0a..d0c8a66cf 100644
--- a/src/doc/Makefile.in
+++ b/src/doc/Makefile.in
@@ -11,6 +11,8 @@ DEFCCNAME=@DEFCCNAME@
DEFKTNAME=@DEFKTNAME@
DEFCKTNAME=@DEFCKTNAME@
PKCS11_MODNAME=@PKCS11_MODNAME@
+VENDORDIR=@VENDORDIR@
+USE_VENDORDIR=@USE_VENDORDIR@
RST_SOURCES= _static \
_templates \
@@ -43,7 +45,11 @@ LATEXOPTS=
# make -f Makefile.in SPHINX_ARGS= htmlsrc
html: composite
rm -rf $(docsrc)/html
- $(SPHINX_BUILD) -q rst_composite $(docsrc)/html
+ if test "$(USE_VENDORDIR)" == "1" ; then \
+ $(SPHINX_BUILD) -q rst_composite -t use_vendordir $(docsrc)/html; \
+ else \
+ $(SPHINX_BUILD) -q rst_composite $(docsrc)/html; \
+ fi
# Dummy target for use in an unconfigured source tree.
htmlsrc:
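Review bot: The `test "$(USE_VENDORDIR)" == "1"` in the html recipe uses `==`, which POSIX `test` does not define. If the recipe shell is a strict POSIX sh, the comparison errors out and the `else` branch runs, so the `use_vendordir` tag is dropped with no build failure. Write it as `if test "$(USE_VENDORDIR)" = "1" ; then \`. The same comparison appears in the substhtml and notice.txt recipes in the next hunk and in the man recipe of src/man/Makefile.in. The if/else also duplicates the whole sphinx-build command; a single command with a conditionally set tag variable would keep the two branches from drifting apart.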
@@ -55,17 +61,25 @@ htmlsrc:
substhtml: composite paths.py
rm -rf html_subst
cp paths.py rst_composite
- $(SPHINX_BUILD) -t pathsubs -q rst_composite html_subst
+ if test "$(USE_VENDORDIR)" == "1" ; then \
+ $(SPHINX_BUILD) -t pathsubs -q -t use_vendordir rst_composite html_subst; \
+ else \
+ $(SPHINX_BUILD) -t pathsubs -q rst_composite html_subst; \
+ fi
# Create an ASCII (okay, UTF-8) version of the NOTICE file
notice.txt: $(docsrc)/conf.py $(docsrc)/notice.rst $(docsrc)/version.py
- $(SPHINX_BUILD) -b text -t notice -q $(docsrc) .
+ if test "$(USE_VENDORDIR)" == "1" ; then \
+ $(SPHINX_BUILD) -b text -t notice -t use_vendordir -q $(docsrc) .; \
+ else \
+ $(SPHINX_BUILD) -b text -t notice -q $(docsrc) .; \
+ fi
NOTICE: notice.txt
cp notice.txt $(top_srcdir)/../NOTICE
$(PDFDIR): composite
- $(SPHINX_BUILD) -b latex -q rst_composite $(PDFDIR)
+ $(SPHINX_BUILD) -b latex -q -t $(USEVENDORDIR) rst_composite $(PDFDIR)
# sphinx-build generates a gmake-specific Makefile that we don't use
mv $(PDFDIR)/Makefile $(PDFDIR)/GMakefile
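Review bot: The `$(PDFDIR)` recipe passes `-t $(USEVENDORDIR)`, but the variable this Makefile defines is `USE_VENDORDIR`, so the reference expands to nothing. The `-t` option then takes `rst_composite` as its tag name and the remaining positional arguments shift, so the latex build most likely fails or reads the wrong directory. Even with the name corrected the tag would be `1` rather than `use_vendordir`, so the recipe needs the same conditional as the other targets, written with the POSIX `=` operator.

```make
$(PDFDIR): composite
	if test "$(USE_VENDORDIR)" = "1" ; then \
		$(SPHINX_BUILD) -b latex -q -t use_vendordir rst_composite $(PDFDIR); \
	else \
		$(SPHINX_BUILD) -b latex -q rst_composite $(PDFDIR); \
	fi
	# … unchanged: rename of the sphinx-generated Makefile …
```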
@@ -116,6 +130,7 @@ paths.py:
echo 'localstatedir = "``$(localstatedir)``"' >> $@
echo 'runstatedir = "``$(runstatedir)``"' >> $@
echo 'sysconfdir = "``$(sysconfdir)``"' >> $@
+ echo 'vendordir = "``$(VENDORDIR)``"' >> $@
echo 'ccache = "``$(DEFCCNAME)``"' >> $@
echo 'keytab = "``$(DEFKTNAME)``"' >> $@
echo 'ckeytab = "``$(DEFCKTNAME)``"' >> $@
diff --git a/src/include/Makefile.in b/src/include/Makefile.in
index b9dd98e01..cf4aa0ad6 100644
--- a/src/include/Makefile.in
+++ b/src/include/Makefile.in
@@ -56,6 +56,7 @@ BINDIR = @bindir@
SBINDIR = @sbindir@
LIBDIR = @libdir@
SYSCONFCONF = @SYSCONFCONF@
+VENDORDIR = @VENDORDIR@
PROCESS_REPLACE = -e "s\"@KRB5RCTMPDIR\"$(KRB5RCTMPDIR)\"" \
-e "s\"@PREFIX\"$(INSTALL_PREFIX)\"" \
@@ -69,7 +70,8 @@ PROCESS_REPLACE = -e "s\"@KRB5RCTMPDIR\"$(KRB5RCTMPDIR)\"" \
-e "s\"@RUNSTATEDIR\"$(RUNSTATEDIR)\"" \
-e "s\"@SYSCONFDIR\"$(SYSCONFDIR)\"" \
-e "s\"@DYNOBJEXT\"$(DYNOBJEXT)\"" \
- -e "s\"@SYSCONFCONF\"$(SYSCONFCONF)\""
+ -e "s\"@SYSCONFCONF\"$(SYSCONFCONF)\"" \
+ -e "s\"@VENDORDIR\"$(VENDORDIR)\""
OSCONFSRC = $(srcdir)/osconf.hin
diff --git a/src/include/osconf.hin b/src/include/osconf.hin
index c14297535..bad43f116 100644
--- a/src/include/osconf.hin
+++ b/src/include/osconf.hin
@@ -52,6 +52,10 @@
#else
#define DEFAULT_SECURE_PROFILE_PATH "/etc/krb5.conf@SYSCONFCONF"
#define DEFAULT_PROFILE_PATH DEFAULT_SECURE_PROFILE_PATH
+#if defined(USE_VENDORDIR)
+#define DEFAULT_VENDOR_SECURE_PROFILE_PATH "@VENDORDIR/krb5.conf"
+#define DEFAULT_VENDOR_PROFILE_PATH DEFAULT_VENDOR_SECURE_PROFILE_PATH
+#endif /* USE_VENDORDIR */
#endif
#endif /* _WINDOWS */
diff --git a/src/lib/krb5/os/init_os_ctx.c b/src/lib/krb5/os/init_os_ctx.c
index c35007888..f1ef638fc 100644
--- a/src/lib/krb5/os/init_os_ctx.c
+++ b/src/lib/krb5/os/init_os_ctx.c
@@ -30,6 +30,10 @@
#include "os-proto.h"
#include "../krb/int-proto.h"
+#ifdef USE_VENDORDIR
+#include <sys/stat.h>
+#endif
+
#if defined(_WIN32)
#include <winsock.h>
#include <Shlobj.h>
@@ -294,11 +298,27 @@ os_get_default_config_files(profile_filespec_t **pfiles, krb5_boolean secure)
unsigned int ent_len;
const char *s, *t;
+#ifdef USE_VENDORDIR
+ struct stat stats = { 0 };
+#endif /* USE_VENDORDIR */
+
if (secure) {
filepath = DEFAULT_SECURE_PROFILE_PATH;
+#ifdef USE_VENDORDIR
+ if (stat(filepath, &stats) < 0) {
+ filepath = DEFAULT_VENDOR_SECURE_PROFILE_PATH;
+ }
+#endif /* USE_VENDORDIR */
} else {
filepath = secure_getenv("KRB5_CONFIG");
- if (!filepath) filepath = DEFAULT_PROFILE_PATH;
+ if (!filepath) {
+ filepath = DEFAULT_PROFILE_PATH;
+#ifdef USE_VENDORDIR
+ if (stat(filepath, &stats) < 0) {
+ filepath = DEFAULT_VENDOR_PROFILE_PATH;
+ }
+#endif /* USE_VENDORDIR */
+ }
}
/* count the distinct filename components */
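Review bot: Both added `stat(filepath, &stats) < 0` checks treat every failure as "file absent" and apply stat() to the whole default path string. The osconf.hin define in this patch appends `@SYSCONFCONF` to `/etc/krb5.conf`, and the code right after this hunk counts filename components. When the default is a colon-separated list, the stat() presumably always fails and the administrator's /etc/krb5.conf is silently replaced by the vendor file; the same happens on EACCES or a transient I/O error. Since this choice decides which realms and KDCs a client trusts, fall back only when the file is really missing, e.g. `if (stat(filepath, &stats) < 0 && errno == ENOENT)`, and test the first component rather than the whole list. The function begins and ends outside the hunk, so the component parsing itself is not visible here.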
diff --git a/src/man/Makefile.in b/src/man/Makefile.in
index 85cae0914..9f7ccaffa 100644
--- a/src/man/Makefile.in
+++ b/src/man/Makefile.in
@@ -9,6 +9,8 @@ DEFCCNAME=@DEFCCNAME@
DEFKTNAME=@DEFKTNAME@
DEFCKTNAME=@DEFCKTNAME@
PKCS11_MODNAME=@PKCS11_MODNAME@
+vendordir=@VENDORDIR@
+USE_VENDORDIR=@USE_VENDORDIR@
MANSUBS=k5identity.sub k5login.sub k5srvutil.sub kadm5.acl.sub kadmin.sub \
kadmind.sub kdb5_ldap_util.sub kdb5_util.sub kdc.conf.sub \
@@ -26,7 +28,11 @@ docsrc=$(top_srcdir)/../doc
# manpage writer outputs near the end of its output files.
man: $(docsrc)/version.py
rm -rf rst_man
- $(SPHINX_BUILD) -q -t mansubs -b man $(docsrc) rst_man
+ if test "$(USE_VENDORDIR)" == "1" ; then \
+ $(SPHINX_BUILD) -q -t mansubs -t use_vendordir -b man $(docsrc) rst_man; \
+ else \
+ $(SPHINX_BUILD) -q -t mansubs -b man $(docsrc) rst_man; \
+ fi
for f in rst_man/*.[0-9]; do \
name=`echo $$f | sed -e 's|^.*/\(.*\)\.[0-9]$$|\1|'`; \
sed -e '/^\.\\" $$/d' \
@@ -46,6 +52,7 @@ $(docsrc)/version.py: $(top_srcdir)/patchlevel.h
-e 's|@LOCALSTATEDIR@|$(localstatedir)|g' \
-e 's|@RUNSTATEDIR@|$(runstatedir)|g' \
-e 's|@SYSCONFDIR@|$(sysconfdir)|g' \
+ -e 's|@VENDOR_DIR@|$(vendordir)|g' \
-e 's|@CCNAME@|$(DEFCCNAME)|g' \
-e 's|@KTNAME@|$(DEFKTNAME)|g' \
-e 's|@CKTNAME@|$(DEFCKTNAME)|g' \
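Review bot: The added sed expression replaces `@VENDOR_DIR@`, but the mansubs branch of doc/conf.py in this same patch emits the placeholder `@VENDORDIR@`, so the two never match. The installed man pages would then show the literal token `@VENDORDIR@/krb5.conf` instead of the vendor path. Change the line to `-e 's|@VENDORDIR@|$(vendordir)|g' \`. The recipe this sed command belongs to starts and ends outside the hunk.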
--
2.52.0