From 61bf0fadcafe9973efa4ed6b42c01c5fdadeb845 Mon Sep 17 00:00:00 2001 From: Steve Dickson Date: Tue, 23 Oct 2012 13:15:54 -0400 Subject: [PATCH] Update to the latest upstream release: rpcbind-0_2_1-rc4 (bz 869365) Signed-off-by: Steve Dickson --- rpcbind-0.2.0-rpcuser.patch | 24 -- ...0.2.1-rc2.patch => rpcbind-0_2_1-rc4.patch | 280 +++++++++++++++++- rpcbind.spec | 9 +- 3 files changed, 276 insertions(+), 37 deletions(-) delete mode 100644 rpcbind-0.2.0-rpcuser.patch rename rpcbind-0.2.1-rc2.patch => rpcbind-0_2_1-rc4.patch (76%) diff --git a/rpcbind-0.2.0-rpcuser.patch b/rpcbind-0.2.0-rpcuser.patch deleted file mode 100644 index b8a0e00..0000000 --- a/rpcbind-0.2.0-rpcuser.patch +++ /dev/null @@ -1,24 +0,0 @@ -commit e81d689a6a8605cfc3b90a62a357705e180f532c -Author: Steve Dickson -Date: Sun Oct 14 12:20:04 2012 -0400 - - Fixed typo in Makefile.am which cause rpcbind to run as root - - Commit 8d7a0708 introduce a regression that cause rpcbind - to run as root instead of the user define by RPCBIND_USER - - Signed-off-by: Steve Dickson - -diff --git a/Makefile.am b/Makefile.am -index 9fa608e..d10c906 100644 ---- a/Makefile.am -+++ b/Makefile.am -@@ -5,7 +5,7 @@ AM_CPPFLAGS = \ - -DSEVERITY=LOG_INFO \ - -DINET6 \ - -DRPCBIND_STATEDIR="\"$(statedir)\"" \ -- -DRPCUSER="\"$(rpcuser)\"" \ -+ -DRPCBIND_USER="\"$(rpcuser)\"" \ - -D_GNU_SOURCE \ - $(TIRPC_CFLAGS) - diff --git a/rpcbind-0.2.1-rc2.patch b/rpcbind-0_2_1-rc4.patch similarity index 76% rename from rpcbind-0.2.1-rc2.patch rename to rpcbind-0_2_1-rc4.patch index f8adb2c..44b8cb9 100644 --- a/rpcbind-0.2.1-rc2.patch +++ b/rpcbind-0_2_1-rc4.patch @@ -396,7 +396,7 @@ index 98e5d87..7d1c323 100644 `configure --help' for more details. diff --git a/Makefile.am b/Makefile.am -index cd56148..1809e3d 100644 +index cd56148..d10c906 100644 --- a/Makefile.am +++ b/Makefile.am @@ -1,2 +1,44 @@ 
@@ -408,7 +408,7 @@ index cd56148..1809e3d 100644 + -DSEVERITY=LOG_INFO \ + -DINET6 \ + -DRPCBIND_STATEDIR="\"$(statedir)\"" \ -+ -DRPCUSER="\"$(rpcuser)\"" \ ++ -DRPCBIND_USER="\"$(rpcuser)\"" \ + -D_GNU_SOURCE \ + $(TIRPC_CFLAGS) @@ -444,7 +444,7 @@ index cd56148..1809e3d 100644 +rpcinfo_SOURCES = src/rpcinfo.c +rpcinfo_LDADD = $(TIRPC_LIBS) + -+dist_man8_MANS = man/rpcbind.8 ++dist_man8_MANS = man/rpcbind.8 man/rpcinfo.8 diff --git a/autogen.sh b/autogen.sh index 1613b6d..761db90 100755 --- a/autogen.sh @@ -573,7 +573,7 @@ index 84818e9..0000000 -man8_MANS = rpcbind.8 -EXTRA_DIST = $(man8_MANS) diff --git a/man/rpcbind.8 b/man/rpcbind.8 -index 32806d4..c5b8fb7 100644 +index 32806d4..da32701 100644 --- a/man/rpcbind.8 +++ b/man/rpcbind.8 @@ -82,6 +82,8 @@ during operation, and will abort on certain errors if @@ -585,6 +585,14 @@ index 32806d4..c5b8fb7 100644 .It Fl h Specify specific IP addresses to bind to for UDP requests. This option +@@ -141,7 +143,6 @@ All RPC servers must be restarted if + .Nm + is restarted. + .Sh SEE ALSO +-.Xr rpcbind 3 , + .Xr rpcinfo 8 + .Sh LINUX PORT + .Bl Aurelien Charbon diff --git a/src/Makefile.am b/src/Makefile.am deleted file mode 100644 index cc0a85b..0000000 
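Review bot: The `-DRPCBIND_USER="\"$(rpcuser)\""` flag in Makefile.am's AM_CPPFLAGS is what connects the configured account to the daemon's privilege drop, and nothing in the visible hunks would make a mistake here fail loudly. The removed rpcbind-0.2.0-rpcuser.patch records that a misspelling of this macro left rpcbind running as root with no build error. Assuming src/rpcbind.c guards its setgid()/setuid() block on this macro (the guard is not shown in this diff), a comment above AM_CPPFLAGS would help: `# RPCBIND_USER gates the privilege drop in src/rpcbind.c; a typo here leaves the daemon running as root`. A start-up log line naming the uid the daemon ends up running as would also make a regression visible. The AM_CPPFLAGS list continues outside this hunk.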
@@ -736,8 +744,167 @@ index 67a0e39..0000000 -/* This defines the uid to run as */ -#undef RPCBIND_USER - +diff --git a/src/pmap_svc.c b/src/pmap_svc.c +index 4736700..337e64d 100644 +--- a/src/pmap_svc.c ++++ b/src/pmap_svc.c +@@ -80,7 +80,7 @@ pmap_service(struct svc_req *rqstp, SVCXPRT *xprt) + if (debugging) + fprintf(stderr, "PMAPPROC_NULL\n"); + #endif +- check_access(xprt, rqstp->rq_proc, NULL, PMAPVERS); ++ check_access(xprt, rqstp->rq_proc, 0, PMAPVERS); + if ((!svc_sendreply(xprt, (xdrproc_t) xdr_void, NULL)) && + debugging) { + if (doabort) { +@@ -201,11 +201,11 @@ pmapproc_change(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt, unsigned long + reg.pm_prog, reg.pm_vers); + #endif + +- if (!check_access(xprt, op, ®, PMAPVERS)) { ++ if (!check_access(xprt, op, reg.pm_prog, PMAPVERS)) { + svcerr_weakauth(xprt); + return (FALSE); + } +- ++ + rpcbreg.r_prog = reg.pm_prog; + rpcbreg.r_vers = reg.pm_vers; + +@@ -276,7 +276,7 @@ pmapproc_getport(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt) + return (FALSE); + } + +- if (!check_access(xprt, PMAPPROC_GETPORT, ®, PMAPVERS)) { ++ if (!check_access(xprt, PMAPPROC_GETPORT, reg.pm_prog, PMAPVERS)) { + svcerr_weakauth(xprt); + return FALSE; + } +@@ -340,7 +340,7 @@ pmapproc_dump(struct svc_req *rqstp /*__unused*/, SVCXPRT *xprt) + return (FALSE); + } + +- if (!check_access(xprt, PMAPPROC_DUMP, NULL, PMAPVERS)) { ++ if (!check_access(xprt, PMAPPROC_DUMP, 0, PMAPVERS)) { + svcerr_weakauth(xprt); + return FALSE; + } +diff --git a/src/rpcb_svc.c b/src/rpcb_svc.c +index 0514ba5..e350f85 100644 +--- a/src/rpcb_svc.c ++++ b/src/rpcb_svc.c +@@ -75,6 +75,7 @@ rpcb_service_3(struct svc_req *rqstp, SVCXPRT *transp) + char *result; + xdrproc_t xdr_argument, xdr_result; + void *(*local) __P((void *, struct svc_req *, SVCXPRT *, rpcvers_t)); ++ rpcprog_t setprog = 0; + + rpcbs_procinfo(RPCBVERS_3_STAT, rqstp->rq_proc); + +@@ -88,7 +89,7 @@ rpcb_service_3(struct svc_req *rqstp, SVCXPRT *transp) + fprintf(stderr, 
"RPCBPROC_NULL\n"); + #endif + /* This call just logs, no actual checks */ +- check_access(transp, rqstp->rq_proc, NULL, RPCBVERS); ++ check_access(transp, rqstp->rq_proc, 0, RPCBVERS); + (void) svc_sendreply(transp, (xdrproc_t)xdr_void, (char *)NULL); + return; + +@@ -166,7 +167,13 @@ rpcb_service_3(struct svc_req *rqstp, SVCXPRT *transp) + (void) fprintf(stderr, "rpcbind: could not decode\n"); + return; + } +- if (!check_access(transp, rqstp->rq_proc, &argument, RPCBVERS)) { ++ ++ if (rqstp->rq_proc == RPCBPROC_SET ++ || rqstp->rq_proc == RPCBPROC_UNSET ++ || rqstp->rq_proc == RPCBPROC_GETADDR) ++ setprog = argument.rpcbproc_set_3_arg.r_prog; ++ ++ if (!check_access(transp, rqstp->rq_proc, setprog, RPCBVERS)) { + svcerr_weakauth(transp); + goto done; + } +diff --git a/src/rpcb_svc_4.c b/src/rpcb_svc_4.c +index 9fd5bef..313e6d1 100644 +--- a/src/rpcb_svc_4.c ++++ b/src/rpcb_svc_4.c +@@ -78,6 +78,7 @@ rpcb_service_4(struct svc_req *rqstp, SVCXPRT *transp) + char *result; + xdrproc_t xdr_argument, xdr_result; + void *(*local) __P((void *, struct svc_req *, SVCXPRT *, rpcvers_t)); ++ rpcprog_t setprog = 0; + + rpcbs_procinfo(RPCBVERS_4_STAT, rqstp->rq_proc); + +@@ -90,7 +91,7 @@ rpcb_service_4(struct svc_req *rqstp, SVCXPRT *transp) + if (debugging) + fprintf(stderr, "RPCBPROC_NULL\n"); + #endif +- check_access(transp, rqstp->rq_proc, NULL, RPCBVERS4); ++ check_access(transp, rqstp->rq_proc, 0, RPCBVERS4); + (void) svc_sendreply(transp, (xdrproc_t) xdr_void, + (char *)NULL); + return; +@@ -220,7 +221,13 @@ rpcb_service_4(struct svc_req *rqstp, SVCXPRT *transp) + (void) fprintf(stderr, "rpcbind: could not decode\n"); + return; + } +- if (!check_access(transp, rqstp->rq_proc, &argument, RPCBVERS4)) { ++ ++ if (rqstp->rq_proc == RPCBPROC_SET ++ || rqstp->rq_proc == RPCBPROC_UNSET ++ || rqstp->rq_proc == RPCBPROC_GETADDR) ++ setprog = argument.rpcbproc_set_4_arg.r_prog; ++ ++ if (!check_access(transp, rqstp->rq_proc, setprog, RPCBVERS4)) { + svcerr_weakauth(transp); + 
goto done; + } +diff --git a/src/rpcb_svc_com.c b/src/rpcb_svc_com.c +index 291421f..f6bd6bd 100644 +--- a/src/rpcb_svc_com.c ++++ b/src/rpcb_svc_com.c +@@ -1227,6 +1227,8 @@ send_svcsyserr(SVCXPRT *xprt, struct finfo *fi) + return; + } + ++extern SVCAUTH svc_auth_none; ++ + static void + handle_reply(int fd, SVCXPRT *xprt) + { +@@ -1293,7 +1295,10 @@ handle_reply(int fd, SVCXPRT *xprt) + a.rmt_localvers = fi->versnum; + + xprt_set_caller(xprt, fi); ++ xprt->xp_auth = &svc_auth_none; + svc_sendreply(xprt, (xdrproc_t) xdr_rmtcall_result, (char *) &a); ++ SVCAUTH_DESTROY(xprt->xp_auth); ++ xprt->xp_auth = NULL; + done: + if (buffer) + free(buffer); +@@ -1372,10 +1377,13 @@ static char * + getowner(SVCXPRT *transp, char *owner, size_t ownersize) + { + uid_t uid; +- +- if (__rpc_get_local_uid(transp, &uid) < 0) +- snprintf(owner, ownersize, "unknown"); +- else if (uid == 0) ++ ++ if (__rpc_get_local_uid(transp, &uid) < 0) { ++ if (is_localroot(svc_getrpccaller(transp))) ++ snprintf(owner, ownersize, "superuser"); ++ else ++ snprintf(owner, ownersize, "unknown"); ++ } else if (uid == 0) + snprintf(owner, ownersize, "superuser"); + else + snprintf(owner, ownersize, "%d", uid); diff --git a/src/rpcbind.c b/src/rpcbind.c -index 525ffba..24e069b 100644 +index 525ffba..9a0504d 100644 --- a/src/rpcbind.c +++ b/src/rpcbind.c @@ -68,7 +68,6 @@ @@ -767,7 +934,18 @@ index 525ffba..24e069b 100644 err(1, "fork failed"); } -@@ -276,6 +276,7 @@ init_transport(struct netconfig *nconf) +@@ -236,6 +236,10 @@ main(int argc, char *argv[]) + syslog(LOG_ERR, "setgid to '%s' (%d) failed: %m", id, p->pw_gid); + exit(1); + } ++ if (setgroups(0, NULL) == -1) { ++ syslog(LOG_ERR, "dropping supplemental groups failed: %m"); ++ exit(1); ++ } + if (setuid(p->pw_uid) == -1) { + syslog(LOG_ERR, "setuid to '%s' (%d) failed: %m", id, p->pw_uid); + exit(1); +@@ -276,6 +280,7 @@ init_transport(struct netconfig *nconf) int addrlen = 0; int nhostsbak; int checkbind; 
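Review bot: In getowner() (src/rpcb_svc_com.c), a caller whose uid cannot be read through `__rpc_get_local_uid()` is now reported as "superuser" whenever `is_localroot(svc_getrpccaller(transp))` is true, and is_localroot() is not defined in any hunk shown here. If the owner string is what decides who may replace or remove a registration (likely, but not visible in this diff), that helper must test more than the source address, because the same patch removes the reserved-port test from is_loopback(). Please confirm what is_localroot() enforces and record it at the call, for example `/* uid unavailable on this transport; is_localroot() requires <condition> before we report "superuser" */`. Separately, the PMAPPROC_NULL call `check_access(xprt, rqstp->rq_proc, 0, PMAPVERS);` in pmap_service() discards the result without the `/* This call just logs, no actual checks */` comment that rpcb_service_3() carries; adding it there would keep the two dispatchers consistent.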
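Review bot: The added `setgroups(0, NULL)` call in main() (src/rpcbind.c) appears without a matching `#include <grp.h>` in the visible hunks, so please confirm the file already includes it; otherwise the call compiles against an implicit declaration. The placement between setgid() and setuid() is correct but undocumented, and a later reordering would break the supplementary-group drop. A short comment would pin the ordering: `/* Drop supplementary groups while still privileged; setgroups() fails once setuid() has run. */`. The surrounding privilege-drop block starts and ends outside this hunk.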
@@ -775,7 +953,7 @@ index 525ffba..24e069b 100644 struct sockaddr *sa = NULL; u_int32_t host_addr[4]; /* IPv4 or IPv6 */ struct sockaddr_un sun; -@@ -493,6 +494,14 @@ init_transport(struct netconfig *nconf) +@@ -493,6 +498,14 @@ init_transport(struct netconfig *nconf) } oldmask = umask(S_IXUSR|S_IXGRP|S_IXOTH); __rpc_fd2sockinfo(fd, &si); @@ -790,7 +968,7 @@ index 525ffba..24e069b 100644 if (bind(fd, sa, addrlen) < 0) { syslog(LOG_ERR, "cannot bind %s: %m", nconf->nc_netid); if (res != NULL) -@@ -731,7 +740,7 @@ parseargs(int argc, char *argv[]) +@@ -731,7 +744,7 @@ parseargs(int argc, char *argv[]) { int c; oldstyle_local = 1; @@ -799,7 +977,7 @@ index 525ffba..24e069b 100644 switch (c) { case 'a': doabort = 1; /* when debugging, do an abort on */ -@@ -758,13 +767,16 @@ parseargs(int argc, char *argv[]) +@@ -758,13 +771,16 @@ parseargs(int argc, char *argv[]) case 's': runasdaemon = 1; break; 
@@ -817,6 +995,90 @@ index 525ffba..24e069b 100644 exit (1); } } +diff --git a/src/rpcbind.h b/src/rpcbind.h +index c800577..74f9591 100644 +--- a/src/rpcbind.h ++++ b/src/rpcbind.h +@@ -119,7 +119,7 @@ void rpcbind_abort(void); + void reap(int); + void toggle_verboselog(int); + +-int check_access(SVCXPRT *, rpcproc_t, void *, unsigned int); ++int check_access(SVCXPRT *, rpcproc_t, rpcprog_t, unsigned int); + int check_callit(SVCXPRT *, struct r_rmtcall_args *, int); + void logit(int, struct sockaddr *, rpcproc_t, rpcprog_t, const char *); + int is_loopback(struct netbuf *); +diff --git a/src/security.c b/src/security.c +index 0edeac6..d272f74 100644 +--- a/src/security.c ++++ b/src/security.c +@@ -62,34 +62,21 @@ int log_severity = PORTMAP_LOG_FACILITY|PORTMAP_LOG_SEVERITY; + extern int verboselog; + + int +-check_access(SVCXPRT *xprt, rpcproc_t proc, void *args, unsigned int rpcbvers) ++check_access(SVCXPRT *xprt, rpcproc_t proc, rpcprog_t prog, unsigned int rpcbvers) + { + struct netbuf *caller = svc_getrpccaller(xprt); + struct sockaddr *addr = (struct sockaddr *)caller->buf; + #ifdef LIBWRAP + struct request_info req; + #endif +- rpcprog_t prog = 0; +- rpcb *rpcbp; +- struct pmap *pmap; + + /* + * The older PMAP_* equivalents have the same numbers, so + * they are accounted for here as well. 
+ */ + switch (proc) { +- case RPCBPROC_GETADDR: + case RPCBPROC_SET: + case RPCBPROC_UNSET: +- if (rpcbvers > PMAPVERS) { +- rpcbp = (rpcb *)args; +- prog = rpcbp->r_prog; +- } else { +- pmap = (struct pmap *)args; +- prog = pmap->pm_prog; +- } +- if (proc == RPCBPROC_GETADDR) +- break; + if (!insecure && !is_loopback(caller)) { + #ifdef RPCBIND_DEBUG + if (debugging) +@@ -101,6 +88,7 @@ check_access(SVCXPRT *xprt, rpcproc_t proc, void *args, unsigned int rpcbvers) + return 0; + } + break; ++ case RPCBPROC_GETADDR: + case RPCBPROC_CALLIT: + case RPCBPROC_INDIRECT: + case RPCBPROC_DUMP: +@@ -150,8 +138,7 @@ is_loopback(struct netbuf *nbuf) + "Checking caller's adress (port = %d)\n", + ntohs(sin->sin_port)); + #endif +- return ((sin->sin_addr.s_addr == htonl(INADDR_LOOPBACK)) && +- (ntohs(sin->sin_port) < IPPORT_RESERVED)); ++ return (sin->sin_addr.s_addr == htonl(INADDR_LOOPBACK)); + #ifdef INET6 + case AF_INET6: + if (!oldstyle_local) +@@ -163,10 +150,9 @@ is_loopback(struct netbuf *nbuf) + "Checking caller's adress (port = %d)\n", + ntohs(sin6->sin6_port)); + #endif +- return ((IN6_IS_ADDR_LOOPBACK(&sin6->sin6_addr) || ++ return (IN6_IS_ADDR_LOOPBACK(&sin6->sin6_addr) || + (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr) && +- sin6->sin6_addr.s6_addr32[3] == htonl(INADDR_LOOPBACK))) && +- (ntohs(sin6->sin6_port) < IPV6PORT_RESERVED)); ++ sin6->sin6_addr.s6_addr32[3] == htonl(INADDR_LOOPBACK))); + #endif + case AF_LOCAL: + return 1; diff --git a/src/warmstart.c b/src/warmstart.c index 25e5d89..d1bb971 100644 --- a/src/warmstart.c diff --git a/rpcbind.spec b/rpcbind.spec index 2ed5771..e71a94a 100644 --- a/rpcbind.spec +++ b/rpcbind.spec @@ -1,6 +1,6 @@ Name: rpcbind Version: 0.2.0 -Release: 19%{?dist} +Release: 20%{?dist} Summary: Universal Addresses to RPC Program Number Mapper Group: System Environment/Daemons License: BSD 
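Review bot: With the `ntohs(sin->sin_port) < IPPORT_RESERVED` and `ntohs(sin6->sin6_port) < IPV6PORT_RESERVED` terms removed, is_loopback() in src/security.c accepts any loopback source port. The `!insecure && !is_loopback(caller)` gate on RPCBPROC_SET and RPCBPROC_UNSET in check_access() therefore no longer separates a privileged local caller from an unprivileged one. If privilege is now meant to be enforced by the ownership path instead (the getowner()/is_localroot() change in src/rpcb_svc_com.c suggests this, but is_localroot() is not shown), say so at the function: `/* Locality only: a true result does not imply a privileged caller; see is_localroot(). */`. RPCBPROC_GETADDR also moves into the RPCBPROC_CALLIT/INDIRECT/DUMP case group, whose body lies outside the hunk, so confirm that branch is the intended policy for address lookups. Both check_access() and is_loopback() continue outside the lines shown.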
@@ -12,8 +12,7 @@ Source1: rpcbind.service Source2: rpcbind.socket Source3: rpcbind.sysconfig -Patch001: rpcbind-0_2_1-rc3.patch -Patch002: rpcbind-0.2.0-rpcuser.patch +Patch001: rpcbind-0_2_1-rc4.patch Requires: glibc-common setup Conflicts: man-pages < 2.43-12 @@ -35,7 +34,6 @@ RPC calls on a server on that machine. %prep %setup -q %patch001 -p1 -%patch002 -p1 %build %ifarch s390 s390x @@ -135,6 +133,9 @@ fi %dir %attr(700,rpc,rpc) /var/lib/rpcbind %changelog +* Tue Oct 23 2012 Steve Dickson - 0.2.0-20 +- Update to the latest upstream release: rpcbind-0_2_1-rc4 (bz 869365) + * Tue Oct 16 2012 Steve Dickson - 0.2.0-19 - Renamed RPCBINDOPTS to RPCBIND_ARGS for backward compatibility (bz 861025)