Apply 4.9.0rc2 fixes from upstream
Allow mod_auth_gssapi to create and access ccaches in /run/ipa/ccaches
Fixes: https://pagure.io/freeipa/issue/8613

upgrade: provide DOMAIN to the server upgrade dictionary
Fixes: https://pagure.io/freeipa/issue/8615
Parent: 3ad697a03a
Commit: b91bf7ae0f

freeipa-4.9.0-rc2-fixes.patch | 98 (normal file, added)
@ -0,0 +1,98 @@
From cd2fe2947589aaf8de0e9e64839c8840b68e9664 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Wed, 9 Dec 2020 11:15:20 +0200
Subject: [PATCH 1/2] Allow mod_auth_gssapi to create and access ccaches in
/run/ipa/ccaches

With commit c6644b8566f747fa80e2c1925b79bad9f8c92bd7 we default to
create unique credential caches in /run/ipa/ccaches for every client
that connects to IPA with a new session. On F34, mod_auth_gssapi process
running as 'apache' cannot create the ccache in /run/ipa/ccaches because
it has no access rights.

The core of the problem is that we have two different paths to obtaining
a ccache: one where 'apache' running httpd process creates it directly
and one where an internal redirect from 'ipaapi' running httpd process
is happening.

Use SUID and SGID to 'ipaapi'/'ipaapi' and allow 'apache' group to write
to '/run/ipa/ccaches'. This fixes the problem.

Note that we cannot completely remove 'GssapiDelegCcachePerms'. If we'd
do so, mod_auth_gssapi will do redirects and fail.

Fixes: https://pagure.io/freeipa/issue/8613

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
---
init/tmpfilesd/ipa.conf.in | 3 ++-
install/share/ipa.conf.template | 4 ++--
2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/init/tmpfilesd/ipa.conf.in b/init/tmpfilesd/ipa.conf.in
index 183ceeda6..6467e1b93 100644
--- a/init/tmpfilesd/ipa.conf.in
+++ b/init/tmpfilesd/ipa.conf.in
@@ -1,2 +1,3 @@
d /run/ipa 0711 root root
-d /run/ipa/ccaches 0770 ipaapi ipaapi
+d /run/ipa/ccaches 6770 ipaapi ipaapi
+a+ /run/ipa/ccaches - - - - g:apache:rwx
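Review bot: The `6770` mode in `+d /run/ipa/ccaches 6770 ipaapi ipaapi` sets both setuid and setgid, but Linux ignores the setuid bit on directories; only the setgid bit does any work here (files created by the `apache` worker inherit group `ipaapi`, which is what allows the `gid:ipaapi` hint to be dropped from `GssapiDelegCcachePerms` in the next file). `2770` states that intent precisely and avoids a SUID directory showing up in permission audits. Two further points to check: the `a+ /run/ipa/ccaches - - - - g:apache:rwx` ACL on a directory without the sticky bit lets any process in group `apache` unlink or rename every ccache in it, not only the ones it created, so consider `3770` (setgid plus sticky; `ipaapi` as directory owner can still clean up everything) if the redirect and cleanup paths tolerate it; and a tmpfiles.d `d` line only takes effect when `systemd-tmpfiles --create` runs, so an in-place upgrade of an existing install needs to trigger it, or correct the mode and ACL itself, before the new `GssapiDelegCcachePerms` setting is relied on.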
diff --git a/install/share/ipa.conf.template b/install/share/ipa.conf.template
index ca51d2ea3..d74e14d4f 100644
--- a/install/share/ipa.conf.template
+++ b/install/share/ipa.conf.template
@@ -75,7 +75,7 @@ WSGIScriptReloading Off

GssapiImpersonate On
GssapiDelegCcacheDir $IPA_CCACHES
- GssapiDelegCcachePerms mode:0660 gid:ipaapi
+ GssapiDelegCcachePerms mode:0660
GssapiDelegCcacheUnique On
GssapiUseS4U2Proxy on
GssapiAllowedMech krb5
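Review bot: Removing `gid:ipaapi` from `GssapiDelegCcachePerms mode:0660` makes the group of every ccache depend entirely on the setgid bit from the tmpfiles change in this same patch; the two hunks are only correct together. If the directory is ever created without setgid (a manual `mkdir`, or an older tmpfiles config still on disk after upgrade), ccaches written by the `apache` worker get group `apache`, the `ipaapi` redirect path described in the commit message loses read access, and nothing in this config file hints at why. Suggest a comment above the directive recording that the group now comes from the setgid directory, plus an install or upgrade-time check that `/run/ipa/ccaches` actually carries the setgid bit.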
@@ -117,7 +117,7 @@ Alias /ipa/session/cookie "/usr/share/ipa/gssapi.login"
<Location "/ipa/session/login_x509">
AuthType none
GssapiDelegCcacheDir $IPA_CCACHES
- GssapiDelegCcachePerms mode:0660 gid:ipaapi
+ GssapiDelegCcachePerms mode:0660
GssapiDelegCcacheUnique On
SSLVerifyClient require
SSLUserName SSL_CLIENT_CERT
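Review bot: Same dependency on the setgid directory as in the previous hunk. Both blocks now carry an identical `GssapiDelegCcacheDir` / `GssapiDelegCcachePerms` / `GssapiDelegCcacheUnique` triple, and this is the second time the two have had to be edited in lockstep; if the template format allows it, factoring the three lines out so the certificate login block cannot drift from the other one would remove a silent failure mode.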
--
2.29.2


From 786e0823cdc58ad232b8320af94ea9ad89df88d6 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Wed, 9 Dec 2020 13:26:05 +0200
Subject: [PATCH 2/2] upgrade: provide DOMAIN to the server upgrade dictionary

Rules in ipa-rewrite.conf use $DOMAIN variable but it is not available
in the dictionary. Regression was introduced with
e731b2725a3772cd037683ff2e08c514fd02019f.

Fixes: https://pagure.io/freeipa/issue/8615
Related: https://pagure.io/freeipa/issue/8595

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
---
ipaserver/install/server/upgrade.py | 1 +
1 file changed, 1 insertion(+)

diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 18891d53c..00a133a4d 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1578,6 +1578,7 @@ def upgrade_configuration():
IPA_CCACHES=paths.IPA_CCACHES,
IPA_CUSTODIA_SOCKET=paths.IPA_CUSTODIA_SOCKET,
KDCPROXY_CONFIG=paths.KDCPROXY_CONFIG,
+ DOMAIN=api.env.domain,
)

subject_base = find_subject_base()
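Review bot: `DOMAIN=api.env.domain` is the only value in the visible part of this dictionary that comes from the runtime `api.env` rather than the static `paths` module, so it is only valid once the API environment has been bootstrapped; worth confirming that `upgrade_configuration()` can never run before that point. The regression the commit message attributes to e731b2725a3772cd037683ff2e08c514fd02019f was a missing template key that only surfaced at upgrade time, so a unit test that renders `ipa-rewrite.conf` from this dictionary (the commit message says its rules use `$DOMAIN`) would make the next dropped key fail in CI instead.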
--
2.29.2

@ -176,7 +176,7 @@

Name: %{package_name}
Version: %{IPA_VERSION}
Release: 0.3%{?rc_version:.%rc_version}%{?dist}
Release: 0.4%{?rc_version:.%rc_version}%{?dist}
Summary: The Identity, Policy and Audit system

License: GPLv3+
@ -201,6 +201,8 @@ Patch1002: 1002-4.8.0-Remove-csrgen.patch
Patch1003: 1003-Revert-WebUI-use-python3-rjsmin-to-minify-JavaScript.patch
%endif
# RHEL spec file only: END
Patch0101: freeipa-4.9.0-rc2-fixes.patch


# For the timestamp trick in patch application
BuildRequires: diffstat
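Review bot: `Patch0101: freeipa-4.9.0-rc2-fixes.patch` is declared here but this diff does not show where it is applied; the `# For the timestamp trick in patch application` comment suggests patches are applied by a custom loop in `%prep` rather than `%autosetup`, so confirm that loop picks up the `01xx` range as well as the RHEL-only `10xx` patches above it, otherwise the build ships without the fix and nothing fails. A short comment noting that the file bundles upstream commits cd2fe2947589aaf8de0e9e64839c8840b68e9664 and 786e0823cdc58ad232b8320af94ea9ad89df88d6 would also tell the next person rebasing onto a release that contains them that the patch can simply be dropped.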
@ -1675,6 +1677,10 @@ fi
%endif

%changelog
* Wed Dec 9 20:06:03 EET 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.0-0.4.rc2
- Fix upgrade script for CA rule rewrites
- Fix permissions for /run/ipa/ccaches

* Fri Dec 4 22:17:00 EET 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.0-0.3.rc2
- Correct SELinux policy requirements
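Review bot: The entry `- Fix upgrade script for CA rule rewrites` describes the second patch loosely: its subject is `upgrade: provide DOMAIN to the server upgrade dictionary` and the file it repairs is `ipa-rewrite.conf`. Citing the upstream issues (https://pagure.io/freeipa/issue/8613 for the ccache permissions and https://pagure.io/freeipa/issue/8615 for the upgrade fix) in the two bullets would keep the spec history traceable to the fixes it carries. The `4.9.0-0.4.rc2` tag does match the `Release:` bump earlier in this commit.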