From 6add9a054ce5f64f44a608de08397db4d15933eb Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Thu, 31 Oct 2019 17:48:44 -0400 Subject: [PATCH] Make syslog of call status configurable --- Make-syslog-of-call-status-configurable.patch | 157 ++++++++++++++++++ gssproxy.spec | 6 +- 2 files changed, 162 insertions(+), 1 deletion(-) create mode 100644 Make-syslog-of-call-status-configurable.patch diff --git a/Make-syslog-of-call-status-configurable.patch b/Make-syslog-of-call-status-configurable.patch new file mode 100644 index 0000000..482cb71 --- /dev/null +++ b/Make-syslog-of-call-status-configurable.patch @@ -0,0 +1,157 @@ +From cc61409b7b20974332549dd028d889b87dbff98d Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Mon, 30 Sep 2019 15:00:56 -0400 +Subject: [PATCH] Make syslog of call status configurable + +Add a parameter (syslog_status) to configuration and +CLI (--syslog-status). This logs the results of GSSAPI calls at +LOG_DEBUG. Typically these calls resemble: + + gssproxy[28914]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS + failure. Minor code may provide more information, No credentials + cache found + +Since these messages worry some admins, turn them off by default. + +Signed-off-by: Robbie Harwood +(cherry picked from commit 116618e1523038691fcb481107ba15ffd42942ac) +--- + man/gssproxy.8.xml | 8 ++++++++ + man/gssproxy.conf.5.xml | 10 ++++++++++ + src/gp_config.c | 6 ++++++ + src/gp_log.c | 9 +++++++-- + src/gp_log.h | 3 +++ + src/gssproxy.c | 6 ++++++ + 6 files changed, 40 insertions(+), 2 deletions(-) + +diff --git a/man/gssproxy.8.xml b/man/gssproxy.8.xml +index 5038411..70f2fd5 100644 +--- a/man/gssproxy.8.xml ++++ b/man/gssproxy.8.xml +@@ -148,6 +148,14 @@ + + + ++ ++ ++ ++ ++ ++ Enable additional logging to syslog. ++ ++ + + + +diff --git a/man/gssproxy.conf.5.xml b/man/gssproxy.conf.5.xml +index 04059a8..3400e67 100644 +--- a/man/gssproxy.conf.5.xml ++++ b/man/gssproxy.conf.5.xml +@@ -370,6 +370,16 @@ + + + ++ ++ syslog_status (boolean) ++ ++ Enable per-call debugging output to the syslog. ++ This may be useful for investigating problems in ++ applications using gssproxy. ++ Default: syslog_status = false ++ ++ ++ + + trusted (boolean) + Defines whether this service is considered trusted. Use with caution, this enables impersonation. +diff --git a/src/gp_config.c b/src/gp_config.c +index 78474ed..88d5f29 100644 +--- a/src/gp_config.c ++++ b/src/gp_config.c +@@ -611,6 +611,12 @@ int load_config(struct gp_config *cfg) + goto done; + } + ++ ret = gp_config_get_string(ctx, "gssproxy", "syslog_status", &tmpstr); ++ if (ret == 0) ++ gp_syslog_status = gp_boolean_is_true(tmpstr); ++ else if (ret != ENOENT) ++ goto done; ++ + ret = gp_config_get_string(ctx, "gssproxy", "run_as_user", &tmpstr); + if (ret == 0) { + cfg->proxy_user = strdup(tmpstr); +diff --git a/src/gp_log.c b/src/gp_log.c +index b6eb161..e67e8d3 100644 +--- a/src/gp_log.c ++++ b/src/gp_log.c +@@ -5,6 +5,9 @@ + #include + #include + ++/* global logging switch */ ++bool gp_syslog_status = false; ++ + void gp_logging_init(void) + { + openlog("gssproxy", +@@ -55,7 +58,9 @@ void gp_log_status(gss_OID mech, uint32_t maj, uint32_t min) + { + char buf[MAX_LOG_LINE]; + +- gp_fmt_status(mech, maj, min, buf, MAX_LOG_LINE); ++ if (!gp_syslog_status) ++ return; + +- GPERROR("%s\n", buf); ++ gp_fmt_status(mech, maj, min, buf, MAX_LOG_LINE); ++ syslog(LOG_DEBUG, "%s\n", buf); + } +diff --git a/src/gp_log.h b/src/gp_log.h +index fc8cbdb..31ad648 100644 +--- a/src/gp_log.h ++++ b/src/gp_log.h +@@ -3,9 +3,12 @@ + #ifndef _GP_LOG_H_ + #define _GP_LOG_H_ + ++#include + #include + #include + ++extern bool gp_syslog_status; ++ + #define MAX_LOG_LINE 1024 + #define GPERROR(...) syslog(LOG_ERR, __VA_ARGS__); + #define GPAUDIT(...) syslog(LOG_INFO, __VA_ARGS__); +diff --git a/src/gssproxy.c b/src/gssproxy.c +index 01d4ef9..e58b5db 100644 +--- a/src/gssproxy.c ++++ b/src/gssproxy.c +@@ -158,6 +158,7 @@ int main(int argc, const char *argv[]) + int opt_version = 0; + int opt_debug = 0; + int opt_debug_level = 0; ++ int opt_syslog_status = 0; + verto_ctx *vctx; + verto_ev *ev; + int wait_fd; +@@ -183,6 +184,8 @@ int main(int argc, const char *argv[]) + _("Enable debugging"), NULL}, \ + {"debug-level", '\0', POPT_ARG_INT, &opt_debug_level, 0, \ + _("Set debugging level"), NULL}, \ ++ {"syslog-status", '\0', POPT_ARG_NONE, &opt_syslog_status, 0, \ ++ _("Enable GSSAPI status logging to syslog"), NULL}, \ + {"version", '\0', POPT_ARG_NONE, &opt_version, 0, \ + _("Print version number and exit"), NULL }, \ + POPT_TABLEEND +@@ -212,6 +215,9 @@ int main(int argc, const char *argv[]) + gp_debug_toggle(opt_debug_level); + } + ++ if (opt_syslog_status) ++ gp_syslog_status = true; ++ + if (opt_daemon && opt_interactive) { + fprintf(stderr, "Option -i|--interactive is not allowed together with -D|--daemon\n"); + poptPrintUsage(pc, stderr, 0); diff --git a/gssproxy.spec b/gssproxy.spec index 373bf31..3e8b728 100644 --- a/gssproxy.spec +++ b/gssproxy.spec @@ -1,7 +1,7 @@ Name: gssproxy Version: 0.8.2 -Release: 5%{?dist} +Release: 6%{?dist} Summary: GSSAPI Proxy License: MIT @@ -17,6 +17,7 @@ Source1: rwtab Patch0: Avoid-uninitialized-free-when-allocating-buffers.patch Patch1: Update-NFS-service-name-in-systemd-unit.patch Patch2: Replace-var-run-run-in-gssproxy.service.patch +Patch3: Make-syslog-of-call-status-configurable.patch ### Dependencies ### Requires: krb5-libs >= 1.12.0 @@ -112,6 +113,9 @@ install -m644 %{SOURCE1} $RPM_BUILD_ROOT/%{_sysconfdir}/rwtab.d/gssproxy %systemd_postun_with_restart gssproxy.service %changelog +* Thu Oct 31 2019 Robbie Harwood - 0.8.2-6 +- Make syslog of call status configurable + * Thu Jul 25 2019 Fedora Release Engineering - 0.8.2-5 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild