New upstream release

Added optional support for running GSS-Proxy as an unprivileged user
  Uses new /etc/gss/mech.d configuration directory for gss mechanisms
  Kernel related fixes
  General bug fixing, many minor errors or incorrect behaviours have been corrected
- drop all patches, they are all included upstream
Simo Sorce 2015-03-24 14:38:07 -04:00
parent fc33969124
commit 318733740f
7 changed files with 18 additions and 367 deletions

1
.gitignore vendored

@ -8,3 +8,4 @@
/gssproxy-0.2.3.tar.gz
/gssproxy-0.3.0.tar.gz
/gssproxy-0.3.1.tar.gz
/gssproxy-0.4.0.tar.gz


@ -1,36 +0,0 @@
From f39b471f34b381784a1bd1906bf8335ac2c7ef5e Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Tue, 11 Mar 2014 18:16:32 -0400
Subject: [PATCH] Properly cleanup mutex on failure.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If the call to create socket fails we leave a dangling lock and the client
enters into a deadlock on the next call.
Fixes: https://fedorahosted.org/gss-proxy/ticket/121
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Günther Deschner <gdeschner@redhat.com>
---
proxy/src/client/gpm_common.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/proxy/src/client/gpm_common.c b/proxy/src/client/gpm_common.c
index 74296da..4651194 100644
--- a/proxy/src/client/gpm_common.c
+++ b/proxy/src/client/gpm_common.c
@@ -153,6 +153,9 @@ static int gpm_grab_sock(struct gpm_ctx *gpmctx)
ret = gpm_open_socket(gpmctx);
}
+ if (ret) {
+ pthread_mutex_unlock(&gpmctx->lock);
+ }
return ret;
}
--
1.8.5.3


@ -1,31 +0,0 @@
From 8b147c9196d9068d0fc5e5a8919b84e8cbb97ef4 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Fri, 6 Dec 2013 17:51:14 -0500
Subject: [PATCH] Fix config token parsing.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Resolves: https://fedorahosted.org/gss-proxy/ticket/112
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Günther Deschner <gdeschner@redhat.com>
---
proxy/src/gp_config.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/proxy/src/gp_config.c b/proxy/src/gp_config.c
index 2fc4a6f..ee96975 100644
--- a/proxy/src/gp_config.c
+++ b/proxy/src/gp_config.c
@@ -153,7 +153,6 @@ static int parse_flags(const char *value, uint32_t *storage)
return ENOMEM;
}
- token = strtok_r(str, ", ", &handle);
for (token = strtok_r(str, ", ", &handle);
token != NULL;
token = strtok_r(NULL, ", ", &handle)) {
--
1.8.3.1


@ -1,39 +0,0 @@
From c17f20b949d2e80e596ce21ecd944db80aaa80b1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gdeschner@redhat.com>
Date: Wed, 29 Jan 2014 17:59:03 +0100
Subject: [PATCH] Fix potential segfault in gssi_inquire_context().
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Günther Deschner <gdeschner@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
---
proxy/src/mechglue/gpp_context.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/proxy/src/mechglue/gpp_context.c b/proxy/src/mechglue/gpp_context.c
index 6010724..bb16a93 100644
--- a/proxy/src/mechglue/gpp_context.c
+++ b/proxy/src/mechglue/gpp_context.c
@@ -223,7 +223,7 @@ OM_uint32 gssi_inquire_context(OM_uint32 *minor_status,
maj = gss_inquire_context(&min,
ctx_handle->local,
s_name ? &s_name->local : NULL,
- s_name ? &t_name->local : NULL,
+ t_name ? &t_name->local : NULL,
lifetime_rec,
&mech_oid,
ctx_flags,
@@ -233,7 +233,7 @@ OM_uint32 gssi_inquire_context(OM_uint32 *minor_status,
maj = gpm_inquire_context(&min,
ctx_handle->remote,
s_name ? &s_name->remote : NULL,
- s_name ? &t_name->remote : NULL,
+ t_name ? &t_name->remote : NULL,
lifetime_rec,
&mech_oid,
ctx_flags,
--
1.8.5.3


@ -1,240 +0,0 @@
From 58a39677c961c72b052eae0b9d94b992254d6e10 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Fri, 3 Jan 2014 16:45:35 -0500
Subject: [PATCH 1/2] Add utility functions to read()/write() safely
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Automatically handle short reads due to singals interrupting the process.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Günther Deschner <gdeschner@redhat.com>
---
proxy/src/gp_common.h | 2 ++
proxy/src/gp_util.c | 39 +++++++++++++++++++++++++++++++++++++++
2 files changed, 41 insertions(+)
diff --git a/proxy/src/gp_common.h b/proxy/src/gp_common.h
index f2b8c3e..3a1b7be 100644
--- a/proxy/src/gp_common.h
+++ b/proxy/src/gp_common.h
@@ -69,6 +69,8 @@ bool gp_same(const char *a, const char *b);
bool gp_boolean_is_true(const char *s);
char *gp_getenv(const char *name);
+ssize_t gp_safe_read(int fd, void *buf, size_t count);
+ssize_t gp_safe_write(int fd, const void *buf, size_t count);
/* NOTE: read the note in gp_util.c before using gp_strerror() */
char *gp_strerror(int errnum);
diff --git a/proxy/src/gp_util.c b/proxy/src/gp_util.c
index 4fbac4e..34f3024 100644
--- a/proxy/src/gp_util.c
+++ b/proxy/src/gp_util.c
@@ -29,6 +29,7 @@
#include <stdlib.h>
#include <stdio.h>
#include <errno.h>
+#include <unistd.h>
bool gp_same(const char *a, const char *b)
{
@@ -125,3 +126,41 @@ char *gp_strerror(int errnum)
errno = saved_errno;
return buf;
}
+
+ssize_t gp_safe_read(int fd, void *buf, size_t count)
+{
+ char *b = (char *)buf;
+ ssize_t len = 0;
+ ssize_t ret;
+
+ do {
+ ret = read(fd, &b[len], count - len);
+ if (ret == -1) {
+ if (errno == EINTR) continue;
+ return ret;
+ }
+ if (ret == 0) break; /* EOF */
+ len += ret;
+ } while (count > len);
+
+ return len;
+}
+
+ssize_t gp_safe_write(int fd, const void *buf, size_t count)
+{
+ const char *b = (const char *)buf;
+ ssize_t len = 0;
+ ssize_t ret;
+
+ do {
+ ret = write(fd, &b[len], count - len);
+ if (ret == -1) {
+ if (errno == EINTR) continue;
+ return ret;
+ }
+ if (ret == 0) break; /* EOF */
+ len += ret;
+ } while (count > len);
+
+ return len;
+}
--
1.8.4.2
From bd8ffcf67be8fdbe14bc49a65a8eafe904119d88 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Fri, 3 Jan 2014 12:10:36 -0500
Subject: [PATCH 2/2] Block parent process until child is initialized.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This way the init system will not proceed starting dependencies until gssproxy
is actually ready to serve requests.
In particular this is used to make sure the nfsd proc file has been touched
before the nfsd server is started.
Resolves: https://fedorahosted.org/gss-proxy/ticket/114
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Günther Deschner <gdeschner@redhat.com>
---
proxy/src/gp_init.c | 42 +++++++++++++++++++++++++++++++++++++++---
proxy/src/gp_proxy.h | 3 ++-
proxy/src/gssproxy.c | 11 +++++++++--
3 files changed, 50 insertions(+), 6 deletions(-)
diff --git a/proxy/src/gp_init.c b/proxy/src/gp_init.c
index 830ae16..6207a78 100644
--- a/proxy/src/gp_init.c
+++ b/proxy/src/gp_init.c
@@ -37,12 +37,22 @@
#include <stdio.h>
#include "gp_proxy.h"
-void init_server(bool daemonize)
+void init_server(bool daemonize, int *wait_fd)
{
pid_t pid, sid;
int ret;
+ *wait_fd = -1;
+
if (daemonize) {
+ int pipefd[2];
+ char buf[1];
+
+ /* create parent-child pipe */
+ ret = pipe(pipefd);
+ if (ret == -1) {
+ exit(EXIT_FAILURE);
+ }
pid = fork();
if (pid == -1) {
@@ -50,10 +60,22 @@ void init_server(bool daemonize)
exit(EXIT_FAILURE);
}
if (pid != 0) {
- /* ok kill the parent */
- exit(EXIT_SUCCESS);
+ /* wait for child to signal it is ready */
+ close(pipefd[1]);
+ ret = gp_safe_read(pipefd[0], buf, 1);
+ if (ret == 1) {
+ /* child signaled all ok */
+ exit(EXIT_SUCCESS);
+ } else {
+ /* lost child, something went wrong */
+ exit(EXIT_FAILURE);
+ }
}
+ /* child */
+ close(pipefd[0]);
+ *wait_fd = pipefd[1];
+
sid = setsid();
if (sid == -1) {
/* setsid error ? abort */
@@ -78,6 +100,20 @@ void init_server(bool daemonize)
gp_logging_init();
}
+void init_done(int wait_fd)
+{
+ char buf = 0;
+ int ret;
+
+ if (wait_fd != -1) {
+ ret = gp_safe_write(wait_fd, &buf, 1);
+ if (ret != 1) {
+ exit(EXIT_FAILURE);
+ }
+ close(wait_fd);
+ }
+}
+
void fini_server(void)
{
closelog();
diff --git a/proxy/src/gp_proxy.h b/proxy/src/gp_proxy.h
index 733fec5..79bebb8 100644
--- a/proxy/src/gp_proxy.h
+++ b/proxy/src/gp_proxy.h
@@ -106,7 +106,8 @@ struct gp_creds_handle *gp_service_get_creds_handle(struct gp_service *svc);
void free_config(struct gp_config **config);
/* from gp_init.c */
-void init_server(bool daemonize);
+void init_server(bool daemonize, int *wait_fd);
+void init_done(int wait_fd);
void fini_server(void);
verto_ctx *init_event_loop(void);
void init_proc_nfsd(struct gp_config *cfg);
diff --git a/proxy/src/gssproxy.c b/proxy/src/gssproxy.c
index 1bf0a0b..80430d6 100644
--- a/proxy/src/gssproxy.c
+++ b/proxy/src/gssproxy.c
@@ -42,6 +42,7 @@ int main(int argc, const char *argv[])
int vflags;
struct gssproxy_ctx *gpctx;
struct gp_sock_ctx *sock_ctx;
+ int wait_fd;
int ret;
int i;
@@ -97,7 +98,7 @@ int main(int argc, const char *argv[])
exit(EXIT_FAILURE);
}
- init_server(gpctx->config->daemonize);
+ init_server(gpctx->config->daemonize, &wait_fd);
write_pid();
@@ -139,9 +140,15 @@ int main(int argc, const char *argv[])
}
}
- /* special call to tell the Linux kernel gss-proxy is available */
+ /* We need to tell nfsd that GSS-Proxy is available before it starts,
+ * as nfsd needs to know GSS-Proxy is in use before the first time it
+ * needs to call accept_sec_context. */
init_proc_nfsd(gpctx->config);
+ /* Now it is safe to tell the init system that we're done starting up,
+ * so it can continue with dependencies and start nfsd */
+ init_done(wait_fd);
+
ret = gp_workers_init(gpctx);
if (ret) {
exit(EXIT_FAILURE);
--
1.8.4.2


@ -1,6 +1,6 @@
Name: gssproxy
Version: 0.3.1
Release: 4%{?dist}
Version: 0.4.0
Release: 1%{?dist}
Summary: GSSAPI Proxy
Group: System Environment/Libraries
@ -9,11 +9,6 @@ URL: http://fedorahosted.org/gss-proxy
Source0: http://fedorahosted.org/released/gss-proxy/%{name}-%{version}.tar.gz
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
Patch0: gssproxy-0.3.1-flags_handling.patch
Patch1: gssproxy-0.3.1-nfsd_startup.patch
Patch2: gssproxy-0.3.1-deadlock_fix.patch
Patch3: gssproxy-0.3.1-gssi_inquire_context.patch
%global servicename gssproxy
%global pubconfpath %{_sysconfdir}/gssproxy
%global gpstatedir %{_localstatedir}/lib/gssproxy
@ -22,7 +17,7 @@ Patch3: gssproxy-0.3.1-gssi_inquire_context.patch
### Dependencies ###
Requires: krb5-libs >= 1.11.3-25
Requires: krb5-libs >= 1.12.0
Requires: keyutils-libs
Requires: libverto-tevent
Requires(post): systemd-units
@ -41,7 +36,7 @@ BuildRequires: docbook-style-xsl
BuildRequires: doxygen
BuildRequires: gettext-devel
BuildRequires: pkgconfig
BuildRequires: krb5-devel >= 1.11.3-25
BuildRequires: krb5-devel >= 1.12.0
BuildRequires: libselinux-devel
BuildRequires: keyutils-libs-devel
BuildRequires: libini_config-devel >= 1.0.0.1
@ -57,16 +52,10 @@ A proxy for GSSAPI credential handling
%prep
%setup -q
%patch0 -p2 -b .flags_handling
%patch1 -p2 -b .nfsd_startup
%patch2 -p2 -b .deadlock_fix
%patch3 -p2 -b .gssi_inquire_context
%build
autoreconf -f -i
%configure \
--with-pubconf-path=%{pubconfpath} \
--with-init-dir=%{_initrddir} \
--with-initscript=systemd \
--disable-static \
--disable-rpath \
--with-gpp-default-behavior=REMOTE_FIRST
@ -79,10 +68,9 @@ rm -rf %{buildroot}
make install DESTDIR=%{buildroot}
rm -f %{buildroot}%{_libdir}/gssproxy/proxymech.la
install -d -m755 %{buildroot}%{_sysconfdir}/gssproxy
install -d -m755 %{buildroot}%{_unitdir}
install -m644 examples/gssproxy.conf %{buildroot}%{_sysconfdir}/gssproxy/gssproxy.conf
install -m644 examples/mech %{buildroot}%{_sysconfdir}/gss/mech
install -m644 systemd/gssproxy.service %{buildroot}%{_unitdir}/gssproxy.service
mkdir -p %{buildroot}%{_sysconfdir}/gss/mech.d
install -m644 examples/mech %{buildroot}%{_sysconfdir}/gss/mech.d/gssproxy.conf
%clean
rm -rf %{buildroot}
@ -97,7 +85,7 @@ rm -rf %{buildroot}
%attr(755,root,root) %dir %{gpstatedir}
%attr(700,root,root) %dir %{gpstatedir}/clients
%attr(0600,root,root) %config(noreplace) /%{_sysconfdir}/gssproxy/gssproxy.conf
%attr(0644,root,root) %config(noreplace) /%{_sysconfdir}/gss/mech
%attr(0644,root,root) %config(noreplace) /%{_sysconfdir}/gss/mech.d/gssproxy.conf
%{_libdir}/gssproxy/proxymech.so
%{_mandir}/man5/gssproxy.conf.5*
%{_mandir}/man8/gssproxy.8*
@ -113,6 +101,14 @@ rm -rf %{buildroot}
%systemd_postun_with_restart gssproxy.service
%changelog
* Tue Mar 24 2015 Simo Sorce <simo@redhat.com> 0.4.0-1
- New upstream realease
Added optional support for running GSS-Proxy as an unprivileged user
Uses new /etc/gss/mech.d configuration directory for gss mechanisms
Kernel related fixes
General bug fixing, many minor errors or incorrect behaviours have been corrected
- drop all patches, they are all included upstream
* Sat Aug 16 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.3.1-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
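Review bot: In %install, on what appears to be the new side (the +/- markers are lost on this page), `/etc/gss/mech.d` is created with a bare `mkdir -p` and %files lists only `mech.d/gssproxy.conf`, so this package neither owns the directory nor pins its mode the way `install -d -m755` does for `%{_sysconfdir}/gssproxy`. That directory holds GSS mechanism configuration, which as far as I know decides which mechanism modules GSSAPI-using processes load, so its ownership and permissions should be tracked by RPM rather than left implicit. I would use `install -d -m755 %{buildroot}%{_sysconfdir}/gss/mech.d` and, unless the required krb5-libs already ships the directory (not visible here), add `%attr(0755,root,root) %dir %{_sysconfdir}/gss/mech.d` to %files. Separately, the changelog announces optional unprivileged operation while `%{gpstatedir}`, `%{gpstatedir}/clients` and `gssproxy.conf` stay root-only; a short spec comment saying what an admin must re-own to enable that mode would help.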

View File

@ -1 +1 @@
f455f4e483ecda8274d235942fa8e943 gssproxy-0.3.1.tar.gz
56148136742a0a5c2a4ebbf060ba103f gssproxy-0.4.0.tar.gz