packages/gssproxy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: packages:58c01fe2324e0e4200d660969cc3d48cb1516e10
Branches Tags
packages:main
..
compare: packages:f3d39d6aafb02db1f1e1b18af7d305ae00af9d57
Branches Tags
packages:main

No commits in common. "58c01fe2324e0e4200d660969cc3d48cb1516e10" and "f3d39d6aafb02db1f1e1b18af7d305ae00af9d57" have entirely different histories.
58c01fe232 ... f3d39d6aaf

8 changed files with 6 additions and 404 deletions
Show Stats Expand all files Collapse all files

47
backport-Do-not-close-fd-if-it-was-never-set.patch
View File

@ -1,47 +0,0 @@
From 9d013b1bcc6277842824b25241e8652a865a2944 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Wed, 18 Oct 2023 15:55:13 -0400
Subject: [PATCH] Do not close fd if it was never set
Fixes Coverity 403648: Argument cannot be negative
Signed-off-by: Simo Sorce <simo@redhat.com>
---
src/gp_init.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/src/gp_init.c b/src/gp_init.c
index 8d72c3e..5e7074f 100644
--- a/src/gp_init.c
+++ b/src/gp_init.c
@@ -379,12 +379,14 @@ int init_event_fini(struct gssproxy_ctx *gpctx)
static int try_init_proc_nfsd(void)
{
char buf[] = "1";
- int fd, ret;
static bool poked = false;
static bool warned_once = false;
+ int fd = 1;
+ int ret;
- if (poked)
+ if (poked) {
return 0;
+ }
fd = open(LINUX_PROC_USE_GSS_PROXY_FILE, O_RDWR);
if (fd == -1) {
@@ -411,7 +413,9 @@ static int try_init_proc_nfsd(void)
ret = 0;
out:
- close(fd);
+ if (fd != -1) {
+ close(fd);
+ }
return ret;
}
--
2.43.0

77
backport-More-typo-fixes-to-silence-Debian-lintian-typo-in-ma.patch
View File

@ -1,77 +0,0 @@
From 159794c918c2e2c0e3d7a1d1a4feadf3151ebc80 Mon Sep 17 00:00:00 2001
From: Simon Josefsson <simon@josefsson.org>
Date: Fri, 16 Sep 2022 16:22:25 +0200
Subject: [PATCH] More typo fixes to silence Debian lintian
typo-in-manual-page.
Signed-off-by: Simon Josefsson <simon@josefsson.org>
---
man/gssproxy-mech.8.xml.in | 4 ++--
man/gssproxy.conf.5.xml | 8 ++++----
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/man/gssproxy-mech.8.xml.in b/man/gssproxy-mech.8.xml.in
index 6be38f9..87e5d8e 100644
--- a/man/gssproxy-mech.8.xml.in
+++ b/man/gssproxy-mech.8.xml.in
@@ -36,7 +36,7 @@
<filename>/etc/gss/mech</filename> configuration file.
</para>
<para>
- The interposer plugin allows to intercept the entire GSSAPI
+ The interposer plugin allows one to intercept the entire GSSAPI
communication and detour to the <command>gssproxy</command>
daemon. When the interposer plugin is installed two other
conditions need to be met in order to activate it:
@@ -112,7 +112,7 @@
<term>REMOTE_ONLY</term>
<listitem>
<para>This setting is currently not fully implemented and
- therefor not supported.
+ therefore not supported.
</para>
</listitem>
</varlistentry>
diff --git a/man/gssproxy.conf.5.xml b/man/gssproxy.conf.5.xml
index 261c9f6..0e9b3b1 100644
--- a/man/gssproxy.conf.5.xml
+++ b/man/gssproxy.conf.5.xml
@@ -98,7 +98,7 @@
option may cause a service definition to mask
access to following services. To avoid issues
change the order of services in your
- configuation file so that services with
+ configuration file so that services with
allow_any_uid enabled are listed last, or define
a custom socket for other services.</para>
<para>Default: false</para>
@@ -146,7 +146,7 @@
<varlistentry>
<term>cred_store (string)</term>
<listitem>
- <para>This parameter allows to control in which way gssproxy should use the cred_store interface provided by GSSAPI. The parameter can be defined multiple times per service.</para>
+ <para>This parameter allows one to control in which way gssproxy should use the cred_store interface provided by GSSAPI. The parameter can be defined multiple times per service.</para>
<para>The syntax of the cred_store parameter is as
follows:
<![CDATA[cred_store = <cred_store_option>:<cred_store_value>]]></para>
@@ -272,7 +272,7 @@
flag name or value.
</para>
<para>
- NOTE: Because often gssproxy is used to withold
+ NOTE: Because often gssproxy is used to withhold
access to credentials the Delegate Flag is filtered
by default. To allow a service to delegate
credentials use the first example below.
@@ -381,7 +381,7 @@
<varlistentry>
<term>socket (string)</term>
<listitem>
- <para>This parameter allows to create a per-service socket file over which gssproxy client and server components communicate.
+ <para>This parameter allows one to create a per-service socket file over which gssproxy client and server components communicate.
</para>
<para>When this parameter is not set, gssproxy will
use a compiled-in default.</para>
--
2.27.0

28
backport-Remove-from-the-correct-list.patch
View File

@ -1,28 +0,0 @@
From a9f3b002da2405eb93876610608f968d8108a2b6 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Mon, 11 Mar 2024 17:17:00 -0400
Subject: [PATCH] Remove from the correct list
Fixes #92
Signed-off-by: Simo Sorce <simo@redhat.com>
---
src/gp_workers.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/gp_workers.c b/src/gp_workers.c
index 78e8347..0519777 100644
--- a/src/gp_workers.c
+++ b/src/gp_workers.c
@@ -189,7 +189,7 @@ void gp_workers_free(struct gp_workers *w)
while (w->busy_list) {
/* pick threads one by one */
t = w->busy_list;
- LIST_DEL(w->free_list, t);
+ LIST_DEL(w->busy_list, t);
/* wake up threads, then join them */
/* ======> COND_MUTEX */
--
2.33.0

28
backport-Typo-doc-fix.patch
View File

@ -1,28 +0,0 @@
From 090aa9442c141e967e6e86455d50bccd2142ab0a Mon Sep 17 00:00:00 2001
From: Simon Josefsson <simon@josefsson.org>
Date: Tue, 13 Sep 2022 17:12:51 +0200
Subject: [PATCH] Typo doc fix.
Silences Debian lintian typo-in-manual-page.
Signed-off-by: Simon Josefsson <simon@josefsson.org>
---
man/gssproxy.conf.5.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/man/gssproxy.conf.5.xml b/man/gssproxy.conf.5.xml
index e778583..261c9f6 100644
--- a/man/gssproxy.conf.5.xml
+++ b/man/gssproxy.conf.5.xml
@@ -186,7 +186,7 @@
<varlistentry>
<term>cred_usage (string)</term>
<listitem>
- <para>Allow to restrict the kind of operations permitted for this service.</para>
+ <para>Allow one to restrict the kind of operations permitted for this service.</para>
<para>The allowed options are: initiate, accept, both</para>
<para>Default: cred_usage = both </para>
</listitem>
--
2.27.0

194
backport-gssproxy-retry-writing-to-proc-net-rpc-use-gss-proxy.patch
View File

@ -1,194 +0,0 @@
From fb8737b2c48d67a63a66abfa090e92f21765a94f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?David=20H=C3=A4rdeman?= <david@hardeman.nu>
Date: Wed, 18 Oct 2023 16:25:06 +0200
Subject: [PATCH] [gssproxy] retry writing to /proc/net/rpc/use-gss-proxy
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This improves the handling of cases where the auth_rpcgss module has not yet
been loaded when gssproxy is started.
Signed-off-by: David Härdeman <david@hardeman.nu>
---
src/gp_init.c | 102 +++++++++++++++++++++++++++++++++++++------------
src/gp_proxy.h | 4 +-
src/gssproxy.c | 2 +-
3 files changed, 82 insertions(+), 26 deletions(-)
diff --git a/src/gp_init.c b/src/gp_init.c
index 1cc7e28..8d72c3e 100644
--- a/src/gp_init.c
+++ b/src/gp_init.c
@@ -277,7 +277,7 @@ static void hup_handler(verto_ctx *vctx UNUSED, verto_ev *ev)
}
/* conditionally reload kernel interface */
- init_proc_nfsd(gpctx->config);
+ init_proc_nfsd(gpctx);
free_config(&old_config);
@@ -376,31 +376,26 @@ int init_event_fini(struct gssproxy_ctx *gpctx)
return 0;
}
-void init_proc_nfsd(struct gp_config *cfg)
+static int try_init_proc_nfsd(void)
{
char buf[] = "1";
- bool enabled = false;
int fd, ret;
- static int poked = 0;
+ static bool poked = false;
+ static bool warned_once = false;
- /* check first if any service enabled kernel support */
- for (int i = 0; i < cfg->num_svcs; i++) {
- if (cfg->svcs[i]->kernel_nfsd) {
- enabled = true;
- break;
- }
- }
-
- if (!enabled || poked) {
- return;
- }
+ if (poked)
+ return 0;
fd = open(LINUX_PROC_USE_GSS_PROXY_FILE, O_RDWR);
if (fd == -1) {
ret = errno;
- GPDEBUG("Kernel doesn't support GSS-Proxy (can't open %s: %d (%s))\n",
- LINUX_PROC_USE_GSS_PROXY_FILE, ret, gp_strerror(ret));
- goto fail;
+ if (!warned_once) {
+ GPDEBUG("Kernel doesn't support GSS-Proxy "
+ "(can't open %s: %d (%s))\n",
+ LINUX_PROC_USE_GSS_PROXY_FILE, ret, gp_strerror(ret));
+ warned_once = true;
+ }
+ goto out;
}
ret = write(fd, buf, 1);
@@ -408,15 +403,74 @@ void init_proc_nfsd(struct gp_config *cfg)
ret = errno;
GPDEBUG("Failed to write to %s: %d (%s)\n",
LINUX_PROC_USE_GSS_PROXY_FILE, ret, gp_strerror(ret));
- close(fd);
- goto fail;
+ goto out;
}
- poked = 1;
+ GPDEBUG("Kernel GSS-Proxy support enabled\n");
+ poked = true;
+ ret = 0;
+
+out:
close(fd);
- return;
-fail:
- GPDEBUG("Problem with kernel communication! NFS server will not work\n");
+ return ret;
+}
+
+static void delayed_proc_nfsd(verto_ctx *vctx UNUSED, verto_ev *ev)
+{
+ struct gssproxy_ctx *gpctx;
+ int ret;
+
+ gpctx = verto_get_private(ev);
+
+ ret = try_init_proc_nfsd();
+ if (ret == 0) {
+ verto_del(gpctx->retry_proc_ev);
+ gpctx->retry_proc_ev = NULL;
+ }
+}
+
+int init_proc_nfsd(struct gssproxy_ctx *gpctx)
+{
+ bool enabled = false;
+ int ret;
+
+ /* check first if any service enabled kernel support */
+ for (int i = 0; i < gpctx->config->num_svcs; i++) {
+ if (gpctx->config->svcs[i]->kernel_nfsd) {
+ enabled = true;
+ break;
+ }
+ }
+
+ if (!enabled) {
+ goto out;
+ }
+
+ ret = try_init_proc_nfsd();
+ if (ret == 0) {
+ goto out;
+ }
+
+ /* failure, but the auth_rpcgss module might not be loaded yet */
+ if (!gpctx->retry_proc_ev) {
+ gpctx->retry_proc_ev = verto_add_timeout(gpctx->vctx,
+ VERTO_EV_FLAG_PERSIST,
+ delayed_proc_nfsd, 10 * 1000);
+ if (!gpctx->retry_proc_ev) {
+ fprintf(stderr, "Failed to register delayed_proc_nfsd event!\n");
+ } else {
+ verto_set_private(gpctx->retry_proc_ev, gpctx, NULL);
+ }
+ }
+
+ return 1;
+
+out:
+ if (gpctx->retry_proc_ev) {
+ verto_del(gpctx->retry_proc_ev);
+ gpctx->retry_proc_ev = NULL;
+ }
+ return 0;
}
void write_pid(void)
diff --git a/src/gp_proxy.h b/src/gp_proxy.h
index c8b55ef..4e0e9c3 100644
--- a/src/gp_proxy.h
+++ b/src/gp_proxy.h
@@ -84,6 +84,8 @@ struct gssproxy_ctx {
time_t term_timeout;
verto_ev *term_ev; /* termination ev in user mode */
+ verto_ev *retry_proc_ev; /* retry telling the kernel to use GSS-Proxy */
+
ssize_t readstats;
ssize_t writestats;
time_t last_activity;
@@ -120,7 +122,7 @@ void fini_server(void);
int init_sockets(struct gssproxy_ctx *gpctx, struct gp_config *old_config);
int init_userproxy_socket(struct gssproxy_ctx *gpctx);
void init_event_loop(struct gssproxy_ctx *gpctx);
-void init_proc_nfsd(struct gp_config *cfg);
+int init_proc_nfsd(struct gssproxy_ctx *gpctx);
int init_event_fini(struct gssproxy_ctx *gpctx);
void write_pid(void);
int drop_privs(struct gp_config *cfg);
diff --git a/src/gssproxy.c b/src/gssproxy.c
index e216ec5..3e5326c 100644
--- a/src/gssproxy.c
+++ b/src/gssproxy.c
@@ -168,7 +168,7 @@ int main(int argc, const char *argv[])
* as nfsd needs to know GSS-Proxy is in use before the first time it
* needs to call accept_sec_context. */
if (!gpctx->userproxymode) {
- init_proc_nfsd(gpctx->config);
+ init_proc_nfsd(gpctx);
}
/* Now it is safe to tell the init system that we're done starting up,
--
2.43.0

BIN
gssproxy-0.8.4.tar.gz Normal file
View File

Binary file not shown.

BIN
gssproxy-0.9.1.tar.gz
View File

Binary file not shown.

36
gssproxy.spec
View File

@ -3,18 +3,13 @@
%global gpstatedir %{_localstatedir}/lib/gssproxy %global gpstatedir %{_localstatedir}/lib/gssproxy
Name: gssproxy Name: gssproxy
Version: 0.9.1 Version: 0.8.4
Release: 4 Release: 1
Summary: GSSAPI Proxy Summary: GSSAPI Proxy
License: MIT License: MIT
URL: https://github.com/gssapi/gssproxy URL: https://github.com/gssapi/gssproxy
Source0: https://github.com/gssapi/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.gz Source0: https://github.com/gssapi/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.gz
Patch1: backport-Typo-doc-fix.patch
Patch2: backport-More-typo-fixes-to-silence-Debian-lintian-typo-in-ma.patch
Patch3: backport-Remove-from-the-correct-list.patch
Patch4: backport-gssproxy-retry-writing-to-proc-net-rpc-use-gss-proxy.patch
Patch5: backport-Do-not-close-fd-if-it-was-never-set.patch
Requires: krb5 keyutils libverto-module-base libini_config Requires: krb5 keyutils libverto-module-base libini_config
Requires(post): systemd Requires(post): systemd
@ -25,8 +20,6 @@ Conflicts: selinux-policy < 3.13.1-283.5
BuildRequires: autoconf automake libtool m4 libxslt libxml2 docbook-style-xsl doxygen findutils systemd-units git popt-devel BuildRequires: autoconf automake libtool m4 libxslt libxml2 docbook-style-xsl doxygen findutils systemd-units git popt-devel
BuildRequires: gettext-devel pkgconfig krb5-devel >= 1.12.0 libselinux-devel keyutils-libs-devel libini_config-devel >= 1.2.0 libverto-devel BuildRequires: gettext-devel pkgconfig krb5-devel >= 1.12.0 libselinux-devel keyutils-libs-devel libini_config-devel >= 1.2.0 libverto-devel
# for gssuserproxy.service --idle-timeout
BuildRequires: systemd-devel
%description %description
This is a proxy for GSSAPI which deals with credential handling This is a proxy for GSSAPI which deals with credential handling
@ -57,8 +50,8 @@ rm -rf %{buildroot}
rm -f %{buildroot}%{_libdir}/gssproxy/proxymech.la rm -f %{buildroot}%{_libdir}/gssproxy/proxymech.la
install -d -m755 %{buildroot}%{_sysconfdir}/gssproxy install -d -m755 %{buildroot}%{_sysconfdir}/gssproxy
install -m644 examples/gssproxy.conf %{buildroot}%{_sysconfdir}/gssproxy/gssproxy.conf install -m644 examples/gssproxy.conf %{buildroot}%{_sysconfdir}/gssproxy/gssproxy.conf
install -m644 examples/99-network-fs-clients.conf %{buildroot}%{_sysconfdir}/gssproxy/99-network-fs-clients.conf install -m644 examples/99-nfs-client.conf %{buildroot}%{_sysconfdir}/gssproxy/99-nfs-client.conf
install -D -m644 examples/proxymech.conf %{buildroot}%{_sysconfdir}/gss/mech.d/proxymech.conf install -D -m644 examples/mech %{buildroot}%{_sysconfdir}/gss/mech.d/gssproxy.conf
install -m644 examples/24-nfs-server.conf %{buildroot}%{_sysconfdir}/gssproxy/24-nfs-server.conf install -m644 examples/24-nfs-server.conf %{buildroot}%{_sysconfdir}/gssproxy/24-nfs-server.conf
mkdir -p %{buildroot}%{gpstatedir}/rcache mkdir -p %{buildroot}%{gpstatedir}/rcache
@ -74,16 +67,14 @@ mkdir -p %{buildroot}%{gpstatedir}/rcache
%files %files
%license COPYING %license COPYING
%{_unitdir}/gssproxy.service %{_unitdir}/gssproxy.service
%{_userunitdir}/gssuserproxy.service
%{_userunitdir}/gssuserproxy.socket
%{_sbindir}/gssproxy %{_sbindir}/gssproxy
%attr(755,root,root) %dir %{pubconfpath} %attr(755,root,root) %dir %{pubconfpath}
%attr(755,root,root) %dir %{gpstatedir} %attr(755,root,root) %dir %{gpstatedir}
%attr(700,root,root) %dir %{gpstatedir}/clients %attr(700,root,root) %dir %{gpstatedir}/clients
%attr(700,root,root) %dir %{gpstatedir}/rcache %attr(700,root,root) %dir %{gpstatedir}/rcache
%attr(0600,root,root) %config(noreplace) /%{_sysconfdir}/gssproxy/gssproxy.conf %attr(0600,root,root) %config(noreplace) /%{_sysconfdir}/gssproxy/gssproxy.conf
%attr(0600,root,root) %config(noreplace) /%{_sysconfdir}/gssproxy/99-network-fs-clients.conf %attr(0600,root,root) %config(noreplace) /%{_sysconfdir}/gssproxy/99-nfs-client.conf
%attr(0644,root,root) %config(noreplace) /%{_sysconfdir}/gss/mech.d/proxymech.conf %attr(0644,root,root) %config(noreplace) /%{_sysconfdir}/gss/mech.d/gssproxy.conf
%attr(0600,root,root) %config(noreplace) /%{_sysconfdir}/gssproxy/24-nfs-server.conf %attr(0600,root,root) %config(noreplace) /%{_sysconfdir}/gssproxy/24-nfs-server.conf
%dir %{_libdir}/gssproxy %dir %{_libdir}/gssproxy
%{_libdir}/gssproxy/proxymech.so %{_libdir}/gssproxy/proxymech.so
@ -94,21 +85,6 @@ mkdir -p %{buildroot}%{gpstatedir}/rcache
%{_mandir}/man8/gssproxy-mech.8* %{_mandir}/man8/gssproxy-mech.8*
%changelog %changelog
* Tue May 13 2025 yixiangzhike <yixiangzhike007@163.com> - 0.9.1-4
- backport upstream patch to retry writing to /proc/net/rpc/use-gss-proxy
* Wed Mar 27 2024 yixiangzhike <yixiangzhike007@163.com> - 0.9.1-3
- backport upstream patch to remove node from correct list
* Mon Apr 10 2023 yixiangzhike <yixiangzhike007@163.com> - 0.9.1-2
- add BuildRequires:systemd-devel for option idle-timeout
* Mon Oct 24 2022 yixiangzhike <yixiangzhike007@163.com> - 0.9.1-1
- update to 0.9.1
* Tue Oct 18 2022 yixiangzhike <yixiangzhike007@163.com> - 0.8.4-2
- typo doc fix
* Tue Nov 30 2021 yixiangzhike <yixiangzhike007@163.com> - 0.8.4-1 * Tue Nov 30 2021 yixiangzhike <yixiangzhike007@163.com> - 0.8.4-1
- update to 0.8.4 - update to 0.8.4