From ea3404c5c158fc4c2a78cef77b838faac7788538 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 7 Jun 2016 16:00:23 +0000
Subject: [PATCH] Acquire new socket for fork/permission drops on clients

---
 ...oxy-0.5.1-socket_permission_checking.patch | 73 +++++++++++++++++++
 gssproxy.spec                                 |  8 +-
 2 files changed, 79 insertions(+), 2 deletions(-)
 create mode 100644 gssproxy-0.5.1-socket_permission_checking.patch

diff --git a/gssproxy-0.5.1-socket_permission_checking.patch b/gssproxy-0.5.1-socket_permission_checking.patch
new file mode 100644
index 0000000..1aa84b2
--- /dev/null
+++ b/gssproxy-0.5.1-socket_permission_checking.patch
@@ -0,0 +1,73 @@
+From bbda272145ebbe0cbb65467c1573e583b9e1b7c7 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Fri, 3 Jun 2016 14:30:36 +0000
+Subject: [PATCH] Use new socket if uid, pid, or gid changes
+
+The gssproxy daemon uses SO_PEERCRED to determine credentials of the
+connecting process.  However, these credentials are set only at the time
+connect has called.  Therefore they must be reset every time uid or pid
+changes.  For completeness, we check gid as well.
+
+Signed-off-by: Robbie Harwood <rharwood@redhat.com>
+Reviewed-by: Simo Sorce <simo@redhat.com>
+Closes #27
+---
+ proxy/src/client/gpm_common.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/proxy/src/client/gpm_common.c b/proxy/src/client/gpm_common.c
+index cb4ccdb..0a54dbc 100644
+--- a/proxy/src/client/gpm_common.c
++++ b/proxy/src/client/gpm_common.c
+@@ -13,6 +13,12 @@
+ struct gpm_ctx {
+     pthread_mutex_t lock;
+     int fd;
++
++    /* these are only meaningful if fd != -1 */
++    pid_t pid;
++    uid_t uid;
++    gid_t gid;
++
+     int next_xid;
+ };
+ 
+@@ -93,6 +99,9 @@ done:
+         }
+     }
+     gpmctx->fd = fd;
++    gpmctx->pid = getpid();
++    gpmctx->uid = geteuid();
++    gpmctx->gid = getegid();
+     return ret;
+ }
+ 
+@@ -120,12 +129,25 @@ static void gpm_close_socket(struct gpm_ctx *gpmctx)
+ static int gpm_grab_sock(struct gpm_ctx *gpmctx)
+ {
+     int ret;
++    pid_t p;
++    uid_t u;
++    gid_t g;
+ 
+     ret = pthread_mutex_lock(&gpmctx->lock);
+     if (ret) {
+         return ret;
+     }
+ 
++    /* Detect fork / setresuid and friends */
++    p = getpid();
++    u = geteuid();
++    g = getegid();
++
++    if (gpmctx->fd != -1 &&
++        (p != gpmctx->pid || u != gpmctx->uid || g != gpmctx->gid)) {
++        gpm_close_socket(gpmctx);
++    }
++
+     if (gpmctx->fd == -1) {
+         ret = gpm_open_socket(gpmctx);
+     }
+-- 
+2.8.1
+
diff --git a/gssproxy.spec b/gssproxy.spec
index c578c90..2d8054d 100644
--- a/gssproxy.spec
+++ b/gssproxy.spec
@@ -1,6 +1,6 @@
 Name:		gssproxy
 Version:	0.5.0
-Release:	4%{?dist}
+Release:	5%{?dist}
 Summary:	GSSAPI Proxy
 
 Group:		System Environment/Libraries
@@ -14,7 +14,7 @@ BuildRoot:	%(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 %global gpstatedir %{_localstatedir}/lib/gssproxy
 
 ### Patches ###
-
+Patch0: gssproxy-0.5.1-socket_permission_checking.patch
 
 ### Dependencies ###
 Requires: krb5-libs >= 1.12.0
@@ -53,6 +53,7 @@ A proxy for GSSAPI credential handling
 %setup -q
 
 # patch
+%patch0 -p2 -b .socket_permission_checking
 
 %build
 autoreconf -f -i
@@ -108,6 +109,9 @@ rm -rf %{buildroot}
 %systemd_postun_with_restart gssproxy.service
 
 %changelog
+* Tue Jun 07 2016 Robbie Harwood <rharwood@redhat.com> - 0.5.0-5
+- Acquire new socket for fork/permission drops on clients
+
 * Mon May 09 2016 Robbie Harwood <rharwood@redhat.com> - 0.5.0-4
 - Do not package mod_auth_gssapi conf file
   - This ensures gssproxy works even when the apache user does not exist