rpms/gssproxy
6
0
Fork 0
Code Issues Pull Requests Releases Activity

New upstream release (0.8.3)

Browse Source
This commit is contained in:
Robbie Harwood 2020-04-17 19:47:44 +00:00
parent a720b9ea53
commit 874f9e8561
8 changed files with 9 additions and 295 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -26,3 +26,4 @@
/gssproxy-0.8.1.tar.gz.sha512sum.txt
/gssproxy-0.8.2.tar.gz
/gssproxy-0.8.2.tar.gz.sha512sum.txt
/gssproxy-0.8.3.tar.gz

39
Avoid-uninitialized-free-when-allocating-buffers.patch
View File

@ -1,39 +0,0 @@
From e19466d172e0fd6d86b98b1423e9d99e0be30313 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Wed, 1 May 2019 11:27:13 -0400
Subject: [PATCH] Avoid uninitialized free when allocating buffers
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Resolves: #248
(cherry picked from commit eafa3c9272c95646400123f8e4d6fb50cf36d36c)
---
src/gp_export.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/gp_export.c b/src/gp_export.c
index dbfddeb..a5681c0 100644
--- a/src/gp_export.c
+++ b/src/gp_export.c
@@ -300,6 +300,7 @@ static int gp_encrypt_buffer(krb5_context context, krb5_keyblock *key,
&data_in,
&enc_handle);
if (ret) {
+ free(enc_handle.ciphertext.data);
ret = EINVAL;
goto done;
}
@@ -308,12 +309,12 @@ static int gp_encrypt_buffer(krb5_context context, krb5_keyblock *key,
enc_handle.ciphertext.data,
out);
if (ret) {
+ free(enc_handle.ciphertext.data);
goto done;
}
done:
free(padded);
- free(enc_handle.ciphertext.data);
return ret;
}

30
Delay-gssproxy-start-until-after-network.target.patch
View File

@ -1,30 +0,0 @@
From 004ac514cd238122b25e5bc5b493dc8d4964ad75 Mon Sep 17 00:00:00 2001
From: Pat Riehecky <riehecky@fnal.gov>
Date: Fri, 27 Dec 2019 13:33:42 -0600
Subject: [PATCH] Delay gssproxy start until after network.target
Systemd docs are unclear in this regard, but it appears that
network.target must be ready before domain sockets can be created.
Signed-off-by: Pat Riehecky <riehecky@fnal.gov>
[rharwood@redhat.com: rewrote commit message]
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
Merges: #252
(cherry picked from commit 153b2ed51c5059abee507ddd240b5abc288d722c)
---
systemd/gssproxy.service.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/systemd/gssproxy.service.in b/systemd/gssproxy.service.in
index 9d3eef0..482fa4e 100644
--- a/systemd/gssproxy.service.in
+++ b/systemd/gssproxy.service.in
@@ -1,7 +1,7 @@
[Unit]
Description=GSSAPI Proxy Daemon
# GSSPROXY will not be started until syslog is
-After=syslog.target
+After=syslog.target network.target
Before=rpc-gssd.service
[Service]

157
Make-syslog-of-call-status-configurable.patch
View File

@ -1,157 +0,0 @@
From cc61409b7b20974332549dd028d889b87dbff98d Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Mon, 30 Sep 2019 15:00:56 -0400
Subject: [PATCH] Make syslog of call status configurable
Add a parameter (syslog_status) to configuration and
CLI (--syslog-status). This logs the results of GSSAPI calls at
LOG_DEBUG. Typically these calls resemble:
gssproxy[28914]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS
failure. Minor code may provide more information, No credentials
cache found
Since these messages worry some admins, turn them off by default.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
(cherry picked from commit 116618e1523038691fcb481107ba15ffd42942ac)
---
man/gssproxy.8.xml | 8 ++++++++
man/gssproxy.conf.5.xml | 10 ++++++++++
src/gp_config.c | 6 ++++++
src/gp_log.c | 9 +++++++--
src/gp_log.h | 3 +++
src/gssproxy.c | 6 ++++++
6 files changed, 40 insertions(+), 2 deletions(-)
diff --git a/man/gssproxy.8.xml b/man/gssproxy.8.xml
index 5038411..70f2fd5 100644
--- a/man/gssproxy.8.xml
+++ b/man/gssproxy.8.xml
@@ -148,6 +148,14 @@
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>
+ <option>--syslog-status</option>
+ </term>
+ <listitem>
+ <para>Enable additional logging to syslog.</para>
+ </listitem>
+ </varlistentry>
<varlistentry>
<term>
<option>--version</option>
diff --git a/man/gssproxy.conf.5.xml b/man/gssproxy.conf.5.xml
index 04059a8..3400e67 100644
--- a/man/gssproxy.conf.5.xml
+++ b/man/gssproxy.conf.5.xml
@@ -370,6 +370,16 @@
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>syslog_status (boolean)</term>
+ <listitem>
+ <para>Enable per-call debugging output to the syslog.
+ This may be useful for investigating problems in
+ applications using gssproxy.</para>
+ <para>Default: syslog_status = false</para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term>trusted (boolean)</term>
<listitem><para>Defines whether this service is considered trusted. Use with caution, this enables impersonation.</para>
diff --git a/src/gp_config.c b/src/gp_config.c
index 78474ed..88d5f29 100644
--- a/src/gp_config.c
+++ b/src/gp_config.c
@@ -611,6 +611,12 @@ int load_config(struct gp_config *cfg)
goto done;
}
+ ret = gp_config_get_string(ctx, "gssproxy", "syslog_status", &tmpstr);
+ if (ret == 0)
+ gp_syslog_status = gp_boolean_is_true(tmpstr);
+ else if (ret != ENOENT)
+ goto done;
+
ret = gp_config_get_string(ctx, "gssproxy", "run_as_user", &tmpstr);
if (ret == 0) {
cfg->proxy_user = strdup(tmpstr);
diff --git a/src/gp_log.c b/src/gp_log.c
index b6eb161..e67e8d3 100644
--- a/src/gp_log.c
+++ b/src/gp_log.c
@@ -5,6 +5,9 @@
#include <stdio.h>
#include <stdarg.h>
+/* global logging switch */
+bool gp_syslog_status = false;
+
void gp_logging_init(void)
{
openlog("gssproxy",
@@ -55,7 +58,9 @@ void gp_log_status(gss_OID mech, uint32_t maj, uint32_t min)
{
char buf[MAX_LOG_LINE];
- gp_fmt_status(mech, maj, min, buf, MAX_LOG_LINE);
+ if (!gp_syslog_status)
+ return;
- GPERROR("%s\n", buf);
+ gp_fmt_status(mech, maj, min, buf, MAX_LOG_LINE);
+ syslog(LOG_DEBUG, "%s\n", buf);
}
diff --git a/src/gp_log.h b/src/gp_log.h
index fc8cbdb..31ad648 100644
--- a/src/gp_log.h
+++ b/src/gp_log.h
@@ -3,9 +3,12 @@
#ifndef _GP_LOG_H_
#define _GP_LOG_H_
+#include <stdbool.h>
#include <syslog.h>
#include <gssapi/gssapi.h>
+extern bool gp_syslog_status;
+
#define MAX_LOG_LINE 1024
#define GPERROR(...) syslog(LOG_ERR, __VA_ARGS__);
#define GPAUDIT(...) syslog(LOG_INFO, __VA_ARGS__);
diff --git a/src/gssproxy.c b/src/gssproxy.c
index 01d4ef9..e58b5db 100644
--- a/src/gssproxy.c
+++ b/src/gssproxy.c
@@ -158,6 +158,7 @@ int main(int argc, const char *argv[])
int opt_version = 0;
int opt_debug = 0;
int opt_debug_level = 0;
+ int opt_syslog_status = 0;
verto_ctx *vctx;
verto_ev *ev;
int wait_fd;
@@ -183,6 +184,8 @@ int main(int argc, const char *argv[])
_("Enable debugging"), NULL}, \
{"debug-level", '\0', POPT_ARG_INT, &opt_debug_level, 0, \
_("Set debugging level"), NULL}, \
+ {"syslog-status", '\0', POPT_ARG_NONE, &opt_syslog_status, 0, \
+ _("Enable GSSAPI status logging to syslog"), NULL}, \
{"version", '\0', POPT_ARG_NONE, &opt_version, 0, \
_("Print version number and exit"), NULL }, \
POPT_TABLEEND
@@ -212,6 +215,9 @@ int main(int argc, const char *argv[])
gp_debug_toggle(opt_debug_level);
}
+ if (opt_syslog_status)
+ gp_syslog_status = true;
+
if (opt_daemon && opt_interactive) {
fprintf(stderr, "Option -i|--interactive is not allowed together with -D|--daemon\n");
poptPrintUsage(pc, stderr, 0);

27
Replace-var-run-run-in-gssproxy.service.patch
View File

@ -1,27 +0,0 @@
From 0109ba1868f7c585eca5f41139a7bf43444f5986 Mon Sep 17 00:00:00 2001
From: Orion Poplawski <orion@nwra.com>
Date: Wed, 8 May 2019 08:31:39 -0600
Subject: [PATCH] Replace /var/run -> /run in gssproxy.service
Signed-off-by: Orion Poplawski <orion@nwra.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
Merges: #249
(cherry picked from commit fc17445edc78b9393d26ca6a253fbeb9ed316c1a)
---
systemd/gssproxy.service.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/systemd/gssproxy.service.in b/systemd/gssproxy.service.in
index ac37df6..9d3eef0 100644
--- a/systemd/gssproxy.service.in
+++ b/systemd/gssproxy.service.in
@@ -10,7 +10,7 @@ ExecStart=@sbindir@/gssproxy -D
# These two should be used with traditional UNIX forking daemons
# consult systemd.service(5) for more details
Type=forking
-PIDFile=@localstatedir@/run/gssproxy.pid
+PIDFile=/run/gssproxy.pid
ExecReload=/bin/kill -HUP $MAINPID
[Install]

26
Update-NFS-service-name-in-systemd-unit.patch
View File

@ -1,26 +0,0 @@
From aa4f43049d1037d1c23becd78ad2f7dd601132f4 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Wed, 24 Apr 2019 12:07:47 -0400
Subject: [PATCH] Update NFS service name in systemd unit
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Merges: #247
(cherry picked from commit 1a789a645175d5aea109a3c0831806b94337b20e)
---
systemd/gssproxy.service.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/systemd/gssproxy.service.in b/systemd/gssproxy.service.in
index f50f526..ac37df6 100644
--- a/systemd/gssproxy.service.in
+++ b/systemd/gssproxy.service.in
@@ -2,7 +2,7 @@
Description=GSSAPI Proxy Daemon
# GSSPROXY will not be started until syslog is
After=syslog.target
-Before=nfs-secure.service nfs-secure-server.service
+Before=rpc-gssd.service
[Service]
Environment=KRB5RCACHEDIR=/var/lib/gssproxy/rcache

16
gssproxy.spec
View File

@ -1,12 +1,12 @@
Name: gssproxy
Version: 0.8.2
Release: 8%{?dist}
Version: 0.8.3
Release: 1%{?dist}
Summary: GSSAPI Proxy
License: MIT
URL: https://pagure.io/gssproxy
Source0: https://releases.pagure.org/%{name}/%{name}-%{version}.tar.gz
URL: https://github.com/gssapi/gssproxy
Source0: https://github.com/gssapi/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.gz
Source1: rwtab
%global servicename gssproxy
@ -14,11 +14,6 @@ Source1: rwtab
%global gpstatedir %{_localstatedir}/lib/gssproxy
### Patches ###
Patch0: Avoid-uninitialized-free-when-allocating-buffers.patch
Patch1: Update-NFS-service-name-in-systemd-unit.patch
Patch2: Replace-var-run-run-in-gssproxy.service.patch
Patch3: Make-syslog-of-call-status-configurable.patch
Patch4: Delay-gssproxy-start-until-after-network.target.patch
### Dependencies ###
Requires: krb5-libs >= 1.12.0
@ -114,6 +109,9 @@ install -m644 %{SOURCE1} $RPM_BUILD_ROOT/%{_sysconfdir}/rwtab.d/gssproxy
%systemd_postun_with_restart gssproxy.service
%changelog
* Fri Apr 17 2020 Robbie Harwood <rharwood@redhat.com> - 0.8.3-1
- New upstream release (0.8.3)
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.8.2-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild

8
sources
View File

@ -1,7 +1 @@
SHA512 (gssproxy-0.8.0.tar.gz) = f3b8f053d6750d7ee6ab2bfb6bfc4dc1ac2e2f354f923590340bb3c522f57cc881df5a2850750bc00c0dcacf2ae173549dc3bb9ece4512cf2f39869527afc2ec
SHA512 (gssproxy-0.8.0.tar.gz.sha512sum.txt) = e31628602f6b4261c1f828c31b30649075c9016088371e82d09daf70461f82f329cc9f2e49d5cd5199b2d7c319829f572251ab7f83bbe0eee104021879518385
SHA512 (rwtab) = 35bf5dda822a025fa4f3c94095abd3ff5279dc263ec870e74517a3eb1a3b331bb71d8894f65dc1b129aefcc3eae9c38033ba6ec41289b5b1abeffeddfb1ac86f
SHA512 (gssproxy-0.8.1.tar.gz) = 31c6fdf8bb4a65d3d538b65d9fc1924dab7ffa48900ad646e93eae3cb99384c40b54da4863000a8550c4f4dcd490720930ddce446f1b6a5fa245cf91522ce7f1
SHA512 (gssproxy-0.8.1.tar.gz.sha512sum.txt) = d4742783b2f16b8c80994d963b94bafb19ce19d65d0e4d2f8c387fc37705308cce6215165afaceaf593a6568b9f848ca049dcfa3091c516b2f45fb7d9479d7bb
SHA512 (gssproxy-0.8.2.tar.gz) = 68ce39b36ee83d77da19e9a9fb322ba901366999828a2b427bc2275c4187b4d2291de140c202cce02bdf53eb5cf64da2fafa022ea482258c102f28b0af5d7c63
SHA512 (gssproxy-0.8.2.tar.gz.sha512sum.txt) = 3839f6ec0a3303d76efb3b7009f85b0f348f0d4c66cfaa11ad736a4cc0a7637429dd5d6ac68325944fe4166c4bee3b568965ec371f12a9361bd1202b0434c3c1
SHA512 (gssproxy-0.8.3.tar.gz) = 144b10ec4e19ad2ded5ae57adf1ca311e2fc6c2b97e202eedde69d82c8d50afc0459ac36c7fc5d5290184eb68547a696b33e8a069fde43478104ac26b2c98bc2