diff --git a/0001-Fix-various-issues-detected-by-static-analysis.patch b/0001-Fix-various-issues-detected-by-static-analysis.patch new file mode 100644 index 0000000000000000000000000000000000000000..123e08754e9ee5cb517d5aef3e937ce13e431404 --- /dev/null +++ b/0001-Fix-various-issues-detected-by-static-analysis.patch @@ -0,0 +1,173 @@ +From bc36b704fa426a6dcbd9ea0518697b4072a466e1 Mon Sep 17 00:00:00 2001 +From: Julien Rische +Date: Tue, 6 Aug 2024 10:38:01 +0200 +Subject: [PATCH] Fix various issues detected by static analysis + +Signed-off-by: Julien Rische +(cherry picked from commit be676f3c6338971d953c8da52f4172040c5e06a4) +--- + src/client/gpm_accept_sec_context.c | 1 + + src/gp_creds.c | 1 + + src/gp_rpc_init_sec_context.c | 2 ++ + tests/interposetest.c | 5 +++-- + tests/t_accept.c | 2 +- + tests/userproxytest.c | 35 +++++++++++++++++------------ + 6 files changed, 29 insertions(+), 17 deletions(-) + +diff --git a/src/client/gpm_accept_sec_context.c b/src/client/gpm_accept_sec_context.c +index ab20b03..d508615 100644 +--- a/src/client/gpm_accept_sec_context.c ++++ b/src/client/gpm_accept_sec_context.c +@@ -105,6 +105,7 @@ OM_uint32 gpm_accept_sec_context(OM_uint32 *minor_status, + if (outbuf) { + *output_token = *outbuf; + free(outbuf); ++ outbuf = NULL; + } + if (ret_flags) { + *ret_flags = ctx->ctx_flags; +diff --git a/src/gp_creds.c b/src/gp_creds.c +index 843d1a3..1a0258a 100644 +--- a/src/gp_creds.c ++++ b/src/gp_creds.c +@@ -800,6 +800,7 @@ done: + gss_release_cred(&discard, &user_cred); + gss_release_name(&discard, &target_name); + gss_delete_sec_context(&discard, &initiator_context, NULL); ++ gss_delete_sec_context(&discard, &acceptor_context, NULL); + gss_release_buffer(&discard, &init_token); + gss_release_buffer(&discard, &accept_token); + gss_release_name(&discard, &req_name); +diff --git a/src/gp_rpc_init_sec_context.c b/src/gp_rpc_init_sec_context.c +index f362dbc..7fe7365 100644 +--- a/src/gp_rpc_init_sec_context.c ++++ b/src/gp_rpc_init_sec_context.c +@@ -33,6 +33,7 @@ int gp_init_sec_context(struct gp_call_ctx *gpcall, + }; + uint32_t gccn_before = 0; + uint32_t gccn_after = 0; ++ uint32_t discard; + int ret; + + isca = &arg->init_sec_context; +@@ -192,6 +193,7 @@ done: + + GPRPCDEBUG(gssx_res_init_sec_context, iscr); + ++ gss_delete_sec_context(&discard, &ctx, NULL); + gss_release_name(&ret_min, &target_name); + gss_release_oid(&ret_min, &mech_type); + gss_release_cred(&ret_min, &ich); +diff --git a/tests/interposetest.c b/tests/interposetest.c +index 0cdd473..7ab8ecc 100644 +--- a/tests/interposetest.c ++++ b/tests/interposetest.c +@@ -377,7 +377,7 @@ void run_server(struct aproc *data) + uint32_t ret_min; + gss_ctx_id_t context_handle = GSS_C_NO_CONTEXT; + gss_cred_id_t cred_handle = GSS_C_NO_CREDENTIAL; +- gss_name_t src_name; ++ gss_name_t src_name = GSS_C_NO_NAME; + gss_buffer_desc out_token = GSS_C_EMPTY_BUFFER; + gss_cred_id_t deleg_cred = GSS_C_NO_CREDENTIAL; + gss_OID_set mech_set = GSS_C_NO_OID_SET; +@@ -591,7 +591,8 @@ void run_server(struct aproc *data) + goto done; + } + +- fprintf(stdout, "Server, RECV: %s\n", (char *)out_token.value); ++ fprintf(stdout, "Server, RECV: %*s\n", (int)out_token.length, ++ (char *)out_token.value); + + gss_release_buffer(&ret_min, &out_token); + +diff --git a/tests/t_accept.c b/tests/t_accept.c +index 3afb7ac..8a663fe 100644 +--- a/tests/t_accept.c ++++ b/tests/t_accept.c +@@ -9,7 +9,7 @@ int main(int argc, const char *argv[]) + gss_ctx_id_t context_handle = GSS_C_NO_CONTEXT; + gss_buffer_desc in_token = GSS_C_EMPTY_BUFFER; + gss_buffer_desc out_token = GSS_C_EMPTY_BUFFER; +- gss_name_t src_name; ++ gss_name_t src_name = GSS_C_NO_NAME; + uint32_t ret_maj; + uint32_t ret_min; + int ret = -1; +diff --git a/tests/userproxytest.c b/tests/userproxytest.c +index 8aea41a..8c863c6 100644 +--- a/tests/userproxytest.c ++++ b/tests/userproxytest.c +@@ -33,14 +33,19 @@ int mock_activation_sockets(void) + unlink(addr.sun_path); + + fd = socket(AF_UNIX, SOCK_STREAM, 0); +- if (fd == -1) return -1; ++ if (fd == -1) { ++ ret = -1; ++ goto done; ++ } + + ret = bind(fd, (struct sockaddr *)&addr, sizeof(addr)); +- if (ret == -1) return -1; ++ if (ret == -1) goto done; + + ret = listen(fd, 1); +- if (ret == -1) return -1; ++ if (ret == -1) goto done; + ++done: ++ if (ret == -1) close(fd); + return 0; + } + +@@ -75,19 +80,19 @@ int wait_and_check_output(int outfd, int timeout) + useconds_t interval = 100 * 1000; /* 100 msec */ + char outbuf[1024]; + char *line; +- FILE *out; +- int ret; ++ FILE *out = NULL; ++ int err, ret = -1; + + /* make pipe non blocking */ +- ret = fcntl(outfd, F_SETFL, O_NONBLOCK); +- if (ret) return -1; ++ err = fcntl(outfd, F_SETFL, O_NONBLOCK); ++ if (err) goto done; + + out = fdopen(outfd, "r"); +- if (!out) return -1; ++ if (!out) goto done; + + while (now < start + timeout) { +- ret = usleep(interval); +- if (ret) return -1; ++ err = usleep(interval); ++ if (err) goto done; + + line = fgets(outbuf, 1023, out); + if (line) { +@@ -101,13 +106,15 @@ int wait_and_check_output(int outfd, int timeout) + now = time(NULL); + } + +- fclose(out); +- + for (int i = 0; checks[i].match != NULL; i++) { +- if (checks[i].matched == false) return -1; ++ if (checks[i].matched == false) goto done; + } + +- return 0; ++ ret = 0; ++ ++done: ++ if (out) fclose(out); ++ return ret; + } + + int child(int outpipe[]) +-- +2.45.2 + diff --git a/0002-Make-systemd-use-0700-mode-on-cache-folders.patch b/0002-Make-systemd-use-0700-mode-on-cache-folders.patch new file mode 100644 index 0000000000000000000000000000000000000000..b1fd196b594525205b915d5f927fe56a0f329330 --- /dev/null +++ b/0002-Make-systemd-use-0700-mode-on-cache-folders.patch @@ -0,0 +1,31 @@ +From 25147fe553525762f5dc9fcddb6ec92071fdcd3d Mon Sep 17 00:00:00 2001 +From: Julien Rische +Date: Wed, 7 Aug 2024 10:27:39 +0200 +Subject: [PATCH] Make systemd use 0700 mode on cache folders + +The provided gssproxy.service unit configures /var/lib/gssproxy/clients +and /var/lib/gssproxy/rcache as "StateDirectory". However, systemd +applies mode 0755 by default on such folders. "StateDirectoryMode" has +to be set too to restrict access to root only. + +Signed-off-by: Julien Rische +(cherry picked from commit b954728937c09a40409279d1247679aa5d39c7c8) +--- + systemd/gssproxy.service.in | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/systemd/gssproxy.service.in b/systemd/gssproxy.service.in +index 14d2185..b8f1f77 100644 +--- a/systemd/gssproxy.service.in ++++ b/systemd/gssproxy.service.in +@@ -6,6 +6,7 @@ Before=rpc-gssd.service + + [Service] + StateDirectory=gssproxy/clients gssproxy/rcache ++StateDirectoryMode=0700 + Environment=KRB5RCACHEDIR=/var/lib/gssproxy/rcache + ExecStart=@sbindir@/gssproxy -D + # These two should be used with traditional UNIX forking daemons +-- +2.45.2 + diff --git a/0003-gssproxy-Change-daemon-to-Type-notify-with-systemd.patch b/0003-gssproxy-Change-daemon-to-Type-notify-with-systemd.patch new file mode 100644 index 0000000000000000000000000000000000000000..9659c47432664212626861769ecf99d041793b88 --- /dev/null +++ b/0003-gssproxy-Change-daemon-to-Type-notify-with-systemd.patch @@ -0,0 +1,244 @@ +From 0dde99a29d6f0883448b34fddf5f516166d97169 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?David=20H=C3=A4rdeman?= +Date: Fri, 20 Oct 2023 01:31:23 +0200 +Subject: [PATCH] [gssproxy] Change daemon to Type=notify with systemd +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This avoids the need for daemonization, pid files, etc and also provides nicer +output from systemctl. The notify integration is already prepared to work with +Type=notify-reload (which is a bit too recent to make the default at the +moment, requires systemd 253+). + +With this patch applied: + + root@qtest1:~# systemctl status gssproxy + ● gssproxy.service - GSSAPI Proxy Daemon + Loaded: loaded (/lib/systemd/system/gssproxy.service; enabled; preset: enabled) + Active: active (running) since Fri 2023-10-20 12:59:32 CEST; 4s ago + Main PID: 58516 (gssproxy) + Status: "Running, 1 service(s) configured" + ... + root@qtest1:~# ls -1 /etc/gssproxy/ + 24-nfs-server.conf + gssproxy.conf + root@qtest1:~# vi /etc/gssproxy/50-nfs-client.conf + root@qtest1:~# ls -1 /etc/gssproxy/ + 24-nfs-server.conf + 50-nfs-client.conf + gssproxy.conf + root@qtest1:~# systemctl reload gssproxy + root@qtest1:~# systemctl status gssproxy + ● gssproxy.service - GSSAPI Proxy Daemon + Loaded: loaded (/lib/systemd/system/gssproxy.service; enabled; preset: enabled) + Active: active (running) since Fri 2023-10-20 12:59:32 CEST; 1min 39s ago + Process: 58576 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS) + Main PID: 58516 (gssproxy) + Status: "Running, 2 service(s) configured" + ... + +Signed-off-by: David Härdeman +(cherry picked from commit 92e87872846c400598db30fb1759cd7c6f00db34) +--- + contrib/gssproxy.spec.in | 1 + + src/gp_common.h | 10 ++++++++++ + src/gp_init.c | 21 +++++++++++++++++++-- + src/gp_mgmt.c | 3 +++ + src/gp_util.c | 29 +++++++++++++++++++++++++++++ + systemd/gssproxy.service.in | 9 ++++----- + systemd/gssuserproxy.service.in | 2 +- + 7 files changed, 67 insertions(+), 8 deletions(-) + +diff --git a/contrib/gssproxy.spec.in b/contrib/gssproxy.spec.in +index 7f01f1f..a2c2267 100644 +--- a/contrib/gssproxy.spec.in ++++ b/contrib/gssproxy.spec.in +@@ -44,6 +44,7 @@ BuildRequires: libcap-devel + BuildRequires: popt-devel + BuildRequires: findutils + BuildRequires: systemd-units ++BuildRequires: systemd-devel + + + %description +diff --git a/src/gp_common.h b/src/gp_common.h +index 18b6eb4..8a53d64 100644 +--- a/src/gp_common.h ++++ b/src/gp_common.h +@@ -46,6 +46,16 @@ + /* max out at 1MB for now */ + #define MAX_RPC_SIZE 1024*1024 + ++#ifdef HAVE_SYSTEMD_DAEMON ++#include ++#else ++__inline__ int sd_notifyf(int unset_environment UNUSED, const char *format UNUSED, ...) ++{ ++ return 0; ++} ++#endif ++ ++uint64_t time_now_usec(void); + bool gp_same(const char *a, const char *b); + bool gp_boolean_is_true(const char *s); + char *gp_getenv(const char *name); +diff --git a/src/gp_init.c b/src/gp_init.c +index 5e7074f..131bf08 100644 +--- a/src/gp_init.c ++++ b/src/gp_init.c +@@ -14,6 +14,7 @@ + #include + #include + #include ++#include + + #ifdef HAVE_CAP + +@@ -260,10 +261,19 @@ static void hup_handler(verto_ctx *vctx UNUSED, verto_ev *ev) + + gpctx = verto_get_private(ev); + ++ sd_notifyf(0, "RELOADING=1\n" ++ "MONOTONIC_USEC=%" PRIu64 "\n" ++ "STATUS=Reloading configuration\n", ++ time_now_usec()); ++ + GPDEBUG("Received SIGHUP; re-reading config.\n"); + new_config = read_config(gpctx->config_file, gpctx->config_dir, + gpctx->config_socket, gpctx->daemonize); + if (!new_config) { ++ sd_notifyf(0, "READY=1\n" ++ "STATUS=Running, %i service(s) configured" ++ " (failed to re-read config)\n", ++ gpctx->config->num_svcs); + GPERROR("Error reading new configuration on SIGHUP; keeping old " + "configuration instead!\n"); + return; +@@ -281,12 +291,16 @@ static void hup_handler(verto_ctx *vctx UNUSED, verto_ev *ev) + + free_config(&old_config); + ++ sd_notifyf(0, "READY=1\n" ++ "STATUS=Running, %i service(s) configured\n", ++ gpctx->config->num_svcs); + GPDEBUG("New config loaded successfully.\n"); + return; + } + + static void break_loop(verto_ctx *vctx, verto_ev *ev UNUSED) + { ++ sd_notifyf(0, "STOPPING=1\nSTATUS=Signal received, stopping\n"); + GPDEBUG("Exiting after receiving a signal\n"); + verto_break(vctx); + } +@@ -354,11 +368,14 @@ fail: + * is done. */ + static void delayed_init(verto_ctx *vctx UNUSED, verto_ev *ev) + { +- struct gssproxy_ctx *gpctx; ++ struct gssproxy_ctx *gpctx = verto_get_private(ev); ++ ++ sd_notifyf(0, "READY=1\n" ++ "STATUS=Running, %i service(s) configured\n", ++ gpctx->config->num_svcs); + + GPDEBUG("Initialization complete.\n"); + +- gpctx = verto_get_private(ev); + idle_handler(gpctx); + } + +diff --git a/src/gp_mgmt.c b/src/gp_mgmt.c +index 9f03ed2..57466c1 100644 +--- a/src/gp_mgmt.c ++++ b/src/gp_mgmt.c +@@ -18,6 +18,9 @@ static void idle_terminate(verto_ctx *vctx, verto_ev *ev) + { + struct gssproxy_ctx *gpctx = verto_get_private(ev); + ++ sd_notifyf(0, "STOPPING=1\nSTATUS=Idle for %ld seconds, stopping\n", ++ (long)gpctx->term_timeout/1000); ++ + GPDEBUG("Terminating, after idling for %ld seconds!\n", + (long)gpctx->term_timeout/1000); + verto_break(vctx); +diff --git a/src/gp_util.c b/src/gp_util.c +index 9b55244..cff7f13 100644 +--- a/src/gp_util.c ++++ b/src/gp_util.c +@@ -7,9 +7,38 @@ + #include + #include + #include ++#include ++#include + + #include "gp_common.h" + ++#define USEC_INFINITY ((uint64_t)UINT64_MAX) ++#define NSEC_PER_USEC ((uint64_t)1000ULL) ++#define USEC_PER_SEC ((uint64_t)1000000ULL) ++uint64_t time_now_usec(void) ++{ ++ struct timespec ts; ++ ++ if (clock_gettime(CLOCK_MONOTONIC, &ts) < 0) { ++ goto out; ++ } ++ ++ if (ts.tv_sec < 0 || ts.tv_nsec < 0) { ++ goto out; ++ } ++ ++ if ((uint64_t)ts.tv_sec > ++ (UINT64_MAX - (ts.tv_nsec / NSEC_PER_USEC)) / USEC_PER_SEC) { ++ goto out; ++ } ++ ++ return (uint64_t)ts.tv_sec * USEC_PER_SEC + ++ (uint64_t)ts.tv_nsec / NSEC_PER_USEC; ++ ++out: ++ return USEC_INFINITY; ++} ++ + bool gp_same(const char *a, const char *b) + { + if (a == b || (a && b && strcmp(a, b) == 0)) { +diff --git a/systemd/gssproxy.service.in b/systemd/gssproxy.service.in +index b8f1f77..693b569 100644 +--- a/systemd/gssproxy.service.in ++++ b/systemd/gssproxy.service.in +@@ -8,11 +8,10 @@ Before=rpc-gssd.service + StateDirectory=gssproxy/clients gssproxy/rcache + StateDirectoryMode=0700 + Environment=KRB5RCACHEDIR=/var/lib/gssproxy/rcache +-ExecStart=@sbindir@/gssproxy -D +-# These two should be used with traditional UNIX forking daemons +-# consult systemd.service(5) for more details +-Type=forking +-PIDFile=/run/gssproxy.pid ++ExecStart=@sbindir@/gssproxy -i ++# This can be changed to notify-reload and ExecReload= can be removed once ++# systemd 253 is common enough ++Type=notify + ExecReload=/bin/kill -HUP $MAINPID + + ProtectSystem=full +diff --git a/systemd/gssuserproxy.service.in b/systemd/gssuserproxy.service.in +index 4a00098..7852523 100644 +--- a/systemd/gssuserproxy.service.in ++++ b/systemd/gssuserproxy.service.in +@@ -3,7 +3,7 @@ Description=GSS User Proxy + Documentation=man:gssproxy(8) + + [Service] +-Type=exec ++Type=notify + StandardError=journal + ExecStart=@sbindir@/gssproxy -i -u + Restart=on-failure +-- +2.47.1 + diff --git a/gssproxy-0.9.1.tar.gz b/gssproxy-0.9.1.tar.gz deleted file mode 100644 index d9767b6100198a6f2cae0967c8598ef232885c38..0000000000000000000000000000000000000000 Binary files a/gssproxy-0.9.1.tar.gz and /dev/null differ diff --git a/gssproxy-0.9.2.tar.gz b/gssproxy-0.9.2.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..867c62ef9693bbb8952d1daca0ca85233073ac49 Binary files /dev/null and b/gssproxy-0.9.2.tar.gz differ diff --git a/gssproxy.spec b/gssproxy.spec index ab1eb78c84359cf0042e26c71699f295189433ba..79c11f9e8c3171dd46c102337892ff47d48c1cd8 100644 --- a/gssproxy.spec +++ b/gssproxy.spec @@ -1,11 +1,11 @@ -%define anolis_release 2 +%define anolis_release 10 %global pubconfpath %{_sysconfdir}/gssproxy %global gpstatedir %{_localstatedir}/lib/gssproxy %global gpsockpath %{_rundir}/gssproxy.default.sock Name: gssproxy -Version: 0.9.1 +Version: 0.9.2 Release: %{anolis_release}%{?dist} Summary: Daemon for managing gss-api requests License: MIT @@ -15,6 +15,12 @@ Source1: rwtab Source2: gssproxy.sock.compat.conf Requires: krb5-libs >= 1.12.0 keyutils-libs libverto-module-base libini_config >= 1.2.0 + +### Patches ### +Patch0001: 0001-Fix-various-issues-detected-by-static-analysis.patch +Patch0002: 0002-Make-systemd-use-0700-mode-on-cache-folders.patch +Patch0003: 0003-gssproxy-Change-daemon-to-Type-notify-with-systemd.patch + Requires(post): systemd-units Requires(preun): systemd-units Requires(postun): systemd-units @@ -120,6 +126,9 @@ fi %doc README.md BUILD.txt version.m4 %changelog +* Tue Feb 18 2025 Xiaoping Liu - 0.9.2-10 +- Sync up from CentOS Stream gssproxy-0.9.2-10 (jrische@redhat.com) + * Mon Apr 10 2023 yuanhui - 0.9.1-2 - Optimize the spec file