rpms/gssproxy
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Acquire new socket for fork/permission drops on clients

Browse Source
This commit is contained in:
Robbie Harwood 2016-06-07 16:00:23 +00:00
parent b03a1f0171
commit ea3404c5c1
2 changed files with 79 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

73
gssproxy-0.5.1-socket_permission_checking.patch Normal file
View File

@ -0,0 +1,73 @@
From bbda272145ebbe0cbb65467c1573e583b9e1b7c7 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Fri, 3 Jun 2016 14:30:36 +0000
Subject: [PATCH] Use new socket if uid, pid, or gid changes
The gssproxy daemon uses SO_PEERCRED to determine credentials of the
connecting process. However, these credentials are set only at the time
connect has called. Therefore they must be reset every time uid or pid
changes. For completeness, we check gid as well.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Closes #27
---
proxy/src/client/gpm_common.c | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/proxy/src/client/gpm_common.c b/proxy/src/client/gpm_common.c
index cb4ccdb..0a54dbc 100644
--- a/proxy/src/client/gpm_common.c
+++ b/proxy/src/client/gpm_common.c
@@ -13,6 +13,12 @@
struct gpm_ctx {
pthread_mutex_t lock;
int fd;
+
+ /* these are only meaningful if fd != -1 */
+ pid_t pid;
+ uid_t uid;
+ gid_t gid;
+
int next_xid;
};
@@ -93,6 +99,9 @@ done:
}
}
gpmctx->fd = fd;
+ gpmctx->pid = getpid();
+ gpmctx->uid = geteuid();
+ gpmctx->gid = getegid();
return ret;
}
@@ -120,12 +129,25 @@ static void gpm_close_socket(struct gpm_ctx *gpmctx)
static int gpm_grab_sock(struct gpm_ctx *gpmctx)
{
int ret;
+ pid_t p;
+ uid_t u;
+ gid_t g;
ret = pthread_mutex_lock(&gpmctx->lock);
if (ret) {
return ret;
}
+ /* Detect fork / setresuid and friends */
+ p = getpid();
+ u = geteuid();
+ g = getegid();
+
+ if (gpmctx->fd != -1 &&
+ (p != gpmctx->pid || u != gpmctx->uid || g != gpmctx->gid)) {
+ gpm_close_socket(gpmctx);
+ }
+
if (gpmctx->fd == -1) {
ret = gpm_open_socket(gpmctx);
}
--
2.8.1

8
gssproxy.spec
View File

@ -1,6 +1,6 @@
Name: gssproxy Name: gssproxy
Version: 0.5.0 Version: 0.5.0
Release: 4%{?dist} Release: 5%{?dist}
Summary: GSSAPI Proxy Summary: GSSAPI Proxy
Group: System Environment/Libraries Group: System Environment/Libraries
@ -14,7 +14,7 @@ BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
%global gpstatedir %{_localstatedir}/lib/gssproxy %global gpstatedir %{_localstatedir}/lib/gssproxy
### Patches ### ### Patches ###
Patch0: gssproxy-0.5.1-socket_permission_checking.patch
### Dependencies ### ### Dependencies ###
Requires: krb5-libs >= 1.12.0 Requires: krb5-libs >= 1.12.0
@ -53,6 +53,7 @@ A proxy for GSSAPI credential handling
%setup -q %setup -q
# patch # patch
%patch0 -p2 -b .socket_permission_checking
%build %build
autoreconf -f -i autoreconf -f -i
@ -108,6 +109,9 @@ rm -rf %{buildroot}
%systemd_postun_with_restart gssproxy.service %systemd_postun_with_restart gssproxy.service
%changelog %changelog
* Tue Jun 07 2016 Robbie Harwood <rharwood@redhat.com> - 0.5.0-5
- Acquire new socket for fork/permission drops on clients
* Mon May 09 2016 Robbie Harwood <rharwood@redhat.com> - 0.5.0-4 * Mon May 09 2016 Robbie Harwood <rharwood@redhat.com> - 0.5.0-4
- Do not package mod_auth_gssapi conf file - Do not package mod_auth_gssapi conf file
- This ensures gssproxy works even when the apache user does not exist - This ensures gssproxy works even when the apache user does not exist