diff --git a/.gitignore b/.gitignore
index 3ac9b22..c7cbf91 100644
--- a/.gitignore
+++ b/.gitignore
@@ -12,3 +12,4 @@
 /gssproxy-0.4.1.tar.gz
 /gssproxy-0.5.0.tar.gz
 /gssproxy-0.5.1.tar.gz
+/gssproxy-0.6.0.tar.gz
diff --git a/gssproxy-0.5.1-socket_permission_checking.patch b/gssproxy-0.5.1-socket_permission_checking.patch
deleted file mode 100644
index 1aa84b2..0000000
--- a/gssproxy-0.5.1-socket_permission_checking.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From bbda272145ebbe0cbb65467c1573e583b9e1b7c7 Mon Sep 17 00:00:00 2001
-From: Robbie Harwood
-Date: Fri, 3 Jun 2016 14:30:36 +0000
-Subject: [PATCH] Use new socket if uid, pid, or gid changes
-
-The gssproxy daemon uses SO_PEERCRED to determine credentials of the
-connecting process. However, these credentials are set only at the time
-connect has called. Therefore they must be reset every time uid or pid
-changes. For completeness, we check gid as well.
-
-Signed-off-by: Robbie Harwood
-Reviewed-by: Simo Sorce
-Closes #27
----
- proxy/src/client/gpm_common.c | 22 ++++++++++++++++++++++
- 1 file changed, 22 insertions(+)
-
-diff --git a/proxy/src/client/gpm_common.c b/proxy/src/client/gpm_common.c
-index cb4ccdb..0a54dbc 100644
---- a/proxy/src/client/gpm_common.c
-+++ b/proxy/src/client/gpm_common.c
-@@ -13,6 +13,12 @@
- struct gpm_ctx {
- pthread_mutex_t lock;
- int fd;
-+
-+ /* these are only meaningful if fd != -1 */
-+ pid_t pid;
-+ uid_t uid;
-+ gid_t gid;
-+
- int next_xid;
- };
-
-@@ -93,6 +99,9 @@ done:
- }
- }
- gpmctx->fd = fd;
-+ gpmctx->pid = getpid();
-+ gpmctx->uid = geteuid();
-+ gpmctx->gid = getegid();
- return ret;
- }
-
-@@ -120,12 +129,25 @@ static void gpm_close_socket(struct gpm_ctx *gpmctx)
- static int gpm_grab_sock(struct gpm_ctx *gpmctx)
- {
- int ret;
-+ pid_t p;
-+ uid_t u;
-+ gid_t g;
-
- ret = pthread_mutex_lock(&gpmctx->lock);
- if (ret) {
- return ret;
- }
-
-+ /* Detect fork / setresuid and friends */
-+ p = getpid();
-+ u = geteuid();
-+ g = getegid();
-+
-+ if (gpmctx->fd != -1 &&
-+ (p != gpmctx->pid || u != gpmctx->uid || g != gpmctx->gid)) {
-+ gpm_close_socket(gpmctx);
-+ }
-+
- if (gpmctx->fd == -1) {
- ret = gpm_open_socket(gpmctx);
- }
---
-2.8.1
-
diff --git a/gssproxy.spec b/gssproxy.spec
index a0e92b1..29a4737 100644
--- a/gssproxy.spec
+++ b/gssproxy.spec
@@ -1,6 +1,6 @@ Name: gssproxy -Version: 0.5.1 -Release: 3%{?dist} +Version: 0.6.0 +Release: 1%{?dist} Summary: GSSAPI Proxy Group: System Environment/Libraries @@ -44,6 +44,13 @@ BuildRequires: popt-devel BuildRequires: findutils BuildRequires: systemd-units +# Tests stuff +# BuildRequires: openldap-clients +# BuildRequires: openldap-servers +# BuildRequires: krb5-server-ldap +# BuildRequires: valgrind +# BuildRequires: socket_wrapper +# BuildRequires: nss_wrapper %description A proxy for GSSAPI credential handling @@ -65,6 +72,9 @@ autoreconf -f -i make %{?_smp_mflags} all make test_proxymech +# %check +# make check + %install rm -rf %{buildroot} make install DESTDIR=%{buildroot} @@ -109,6 +119,9 @@ rm -rf %{buildroot} %systemd_postun_with_restart gssproxy.service %changelog +* Wed Jan 18 2017 Robbie Harwood - 0.6.0-1 +- New upstream release v0.6.0 + * Tue Sep 27 2016 Robbie Harwood - 0.5.1-3 - Adjust libverto dependency to not use a specific backend - Resolves: #1379812 diff --git a/sources b/sources index 45b5ee6..461ce7a 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -1d19da2c2fa4cd07d1200439019b7251 gssproxy-0.5.1.tar.gz +SHA512 (gssproxy-0.6.0.tar.gz) = 6df20703b6fa0c19df61ef08505e54b0b4f5e9464c8112f2d0dc22b8c182f78a8e2bd02bb92158dbbb3a9eb2b04bae3e070d4f55956577f49ee2c1aa241a0617
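Review bot: `%check` is added only as a comment in the third gssproxy.spec hunk, and the test BuildRequires in the second hunk are commented out as well, so the package build still never runs `make check`. That matters more here because the same commit deletes the downstream `gssproxy-0.5.1-socket_permission_checking.patch`, which reopened the client socket when pid, uid or gid changed so that the daemon's SO_PEERCRED view stays current; presumably 0.6.0 carries that fix upstream, but nothing in the build or the changelog confirms it. Once that is verified, I would add a changelog line such as `- Drop socket permission checking patch (merged upstream)`, and write the placeholder as `# %%check` so rpm tooling does not see a macro inside a comment. None of the visible spec hunks removes a `Patch` or `%patch` line for the deleted file, so it is worth checking that the spec does not still reference it.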