Compare commits
No commits in common. 'i10c-beta' and 'c9' have entirely different histories.
@ -1 +1 @@
|
||||
SOURCES/gssproxy-0.9.2.tar.gz
|
||||
SOURCES/gssproxy-0.8.4.tar.gz
|
||||
|
||||
@ -1 +1 @@
|
||||
7e2f5f24964237d7dc5ccc0271052a689e21975b SOURCES/gssproxy-0.9.2.tar.gz
|
||||
6a20883849aff4de0aa57c4beca5af8a2a1d685e SOURCES/gssproxy-0.8.4.tar.gz
|
||||
|
||||
@ -0,0 +1,139 @@
|
||||
From 7945bd756c5e41ec223c058b2c698809f04f3c77 Mon Sep 17 00:00:00 2001
|
||||
From: Scott Mayhew <smayhew@redhat.com>
|
||||
Date: Thu, 2 Sep 2021 12:44:27 -0400
|
||||
Subject: [PATCH] Add an option for minimum lifetime
|
||||
|
||||
It's possible for gssproxy to return a cached credential with a very
|
||||
small remaining lifetime. This can be problematic for NFS clients since
|
||||
it requires a round trip to the NFS server to establish a GSS context.
|
||||
Add a min_lifetime option that represents the lowest value that the
|
||||
lifetime of the cached credential can be. Any lower than that, and
|
||||
gp_check_cred() returns GSS_S_CREDENTIALS_EXPIRED, so that
|
||||
gp_add_krb5_creds() is forced to try to obtain a new credential.
|
||||
|
||||
Signed-off-by: Scott Mayhew <smayhew@redhat.com>
|
||||
---
|
||||
examples/99-nfs-client.conf.in | 1 +
|
||||
man/gssproxy.conf.5.xml | 15 +++++++++++++++
|
||||
src/gp_config.c | 12 ++++++++++++
|
||||
src/gp_creds.c | 12 ++++++++++--
|
||||
src/gp_proxy.h | 1 +
|
||||
5 files changed, 39 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/examples/99-nfs-client.conf.in b/examples/99-nfs-client.conf.in
|
||||
index c0985d9..9dd1891 100644
|
||||
--- a/examples/99-nfs-client.conf.in
|
||||
+++ b/examples/99-nfs-client.conf.in
|
||||
@@ -7,3 +7,4 @@
|
||||
allow_any_uid = yes
|
||||
trusted = yes
|
||||
euid = 0
|
||||
+ min_lifetime = 60
|
||||
diff --git a/man/gssproxy.conf.5.xml b/man/gssproxy.conf.5.xml
|
||||
index 67dce68..f02b1d3 100644
|
||||
--- a/man/gssproxy.conf.5.xml
|
||||
+++ b/man/gssproxy.conf.5.xml
|
||||
@@ -331,6 +331,21 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
+ <varlistentry>
|
||||
+ <term>min_lifetime (integer)</term>
|
||||
+ <listitem>
|
||||
+ <para>Minimum lifetime of a cached credential, in seconds.</para>
|
||||
+ <para>If non-zero, when gssproxy is deciding whether to use
|
||||
+ a cached credential, it will compare the lifetime of the
|
||||
+ cached credential to this value. If the lifetime of the
|
||||
+ cached credential is lower, gssproxy will treat the cached
|
||||
+ credential as expired and will attempt to obtain a new
|
||||
+ credential.
|
||||
+ </para>
|
||||
+ <para>Default: min_lifetime = 15</para>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
+
|
||||
<varlistentry>
|
||||
<term>program (string)</term>
|
||||
<listitem>
|
||||
diff --git a/src/gp_config.c b/src/gp_config.c
|
||||
index 88d5f29..6a6aa90 100644
|
||||
--- a/src/gp_config.c
|
||||
+++ b/src/gp_config.c
|
||||
@@ -32,6 +32,7 @@ struct gp_flag_def flag_names[] = {
|
||||
|
||||
#define DEFAULT_FILTERED_FLAGS GSS_C_DELEG_FLAG
|
||||
#define DEFAULT_ENFORCED_FLAGS 0
|
||||
+#define DEFAULT_MIN_LIFETIME 15
|
||||
|
||||
static void free_str_array(const char ***a, int *count)
|
||||
{
|
||||
@@ -538,6 +539,17 @@ static int load_services(struct gp_config *cfg, struct gp_ini_context *ctx)
|
||||
goto done;
|
||||
}
|
||||
}
|
||||
+
|
||||
+ cfg->svcs[n]->min_lifetime = DEFAULT_MIN_LIFETIME;
|
||||
+ ret = gp_config_get_int(ctx, secname, "min_lifetime", &valnum);
|
||||
+ if (ret == 0) {
|
||||
+ if (valnum >= 0) {
|
||||
+ cfg->svcs[n]->min_lifetime = valnum;
|
||||
+ } else {
|
||||
+ GPDEBUG("Invalid value '%d' for min_lifetime in [%s], ignoring.\n",
|
||||
+ valnum, secname);
|
||||
+ }
|
||||
+ }
|
||||
}
|
||||
safefree(secname);
|
||||
}
|
||||
diff --git a/src/gp_creds.c b/src/gp_creds.c
|
||||
index 92a6f13..843d1a3 100644
|
||||
--- a/src/gp_creds.c
|
||||
+++ b/src/gp_creds.c
|
||||
@@ -492,6 +492,7 @@ done:
|
||||
}
|
||||
|
||||
static uint32_t gp_check_cred(uint32_t *min,
|
||||
+ struct gp_service *svc,
|
||||
gss_cred_id_t in_cred,
|
||||
gssx_name *desired_name,
|
||||
gss_cred_usage_t cred_usage)
|
||||
@@ -563,7 +564,14 @@ static uint32_t gp_check_cred(uint32_t *min,
|
||||
if (lifetime == 0) {
|
||||
ret_maj = GSS_S_CREDENTIALS_EXPIRED;
|
||||
} else {
|
||||
- ret_maj = GSS_S_COMPLETE;
|
||||
+ if (svc->min_lifetime && lifetime < svc->min_lifetime) {
|
||||
+ GPDEBUG("%s: lifetime (%u) less than min_lifetime (%u) "
|
||||
+ "for service \"%s\" - returning\n",
|
||||
+ __func__, lifetime, svc->min_lifetime, svc->name);
|
||||
+ ret_maj = GSS_S_CREDENTIALS_EXPIRED;
|
||||
+ } else {
|
||||
+ ret_maj = GSS_S_COMPLETE;
|
||||
+ }
|
||||
}
|
||||
|
||||
done:
|
||||
@@ -622,7 +630,7 @@ uint32_t gp_add_krb5_creds(uint32_t *min,
|
||||
* function completely */
|
||||
|
||||
/* just check if it is a valid krb5 cred */
|
||||
- ret_maj = gp_check_cred(&ret_min, in_cred, desired_name, cred_usage);
|
||||
+ ret_maj = gp_check_cred(&ret_min, gpcall->service, in_cred, desired_name, cred_usage);
|
||||
if (ret_maj == GSS_S_COMPLETE) {
|
||||
return GSS_S_COMPLETE;
|
||||
} else if (ret_maj == GSS_S_CREDENTIALS_EXPIRED ||
|
||||
diff --git a/src/gp_proxy.h b/src/gp_proxy.h
|
||||
index 3f58a43..f56d640 100644
|
||||
--- a/src/gp_proxy.h
|
||||
+++ b/src/gp_proxy.h
|
||||
@@ -45,6 +45,7 @@ struct gp_service {
|
||||
gss_cred_usage_t cred_usage;
|
||||
uint32_t filter_flags;
|
||||
uint32_t enforce_flags;
|
||||
+ uint32_t min_lifetime;
|
||||
char *program;
|
||||
|
||||
uint32_t mechs;
|
||||
--
|
||||
2.39.2
|
||||
|
||||
@ -1,173 +0,0 @@
|
||||
From bc36b704fa426a6dcbd9ea0518697b4072a466e1 Mon Sep 17 00:00:00 2001
|
||||
From: Julien Rische <jrische@redhat.com>
|
||||
Date: Tue, 6 Aug 2024 10:38:01 +0200
|
||||
Subject: [PATCH] Fix various issues detected by static analysis
|
||||
|
||||
Signed-off-by: Julien Rische <jrische@redhat.com>
|
||||
(cherry picked from commit be676f3c6338971d953c8da52f4172040c5e06a4)
|
||||
---
|
||||
src/client/gpm_accept_sec_context.c | 1 +
|
||||
src/gp_creds.c | 1 +
|
||||
src/gp_rpc_init_sec_context.c | 2 ++
|
||||
tests/interposetest.c | 5 +++--
|
||||
tests/t_accept.c | 2 +-
|
||||
tests/userproxytest.c | 35 +++++++++++++++++------------
|
||||
6 files changed, 29 insertions(+), 17 deletions(-)
|
||||
|
||||
diff --git a/src/client/gpm_accept_sec_context.c b/src/client/gpm_accept_sec_context.c
|
||||
index ab20b03..d508615 100644
|
||||
--- a/src/client/gpm_accept_sec_context.c
|
||||
+++ b/src/client/gpm_accept_sec_context.c
|
||||
@@ -105,6 +105,7 @@ OM_uint32 gpm_accept_sec_context(OM_uint32 *minor_status,
|
||||
if (outbuf) {
|
||||
*output_token = *outbuf;
|
||||
free(outbuf);
|
||||
+ outbuf = NULL;
|
||||
}
|
||||
if (ret_flags) {
|
||||
*ret_flags = ctx->ctx_flags;
|
||||
diff --git a/src/gp_creds.c b/src/gp_creds.c
|
||||
index 843d1a3..1a0258a 100644
|
||||
--- a/src/gp_creds.c
|
||||
+++ b/src/gp_creds.c
|
||||
@@ -800,6 +800,7 @@ done:
|
||||
gss_release_cred(&discard, &user_cred);
|
||||
gss_release_name(&discard, &target_name);
|
||||
gss_delete_sec_context(&discard, &initiator_context, NULL);
|
||||
+ gss_delete_sec_context(&discard, &acceptor_context, NULL);
|
||||
gss_release_buffer(&discard, &init_token);
|
||||
gss_release_buffer(&discard, &accept_token);
|
||||
gss_release_name(&discard, &req_name);
|
||||
diff --git a/src/gp_rpc_init_sec_context.c b/src/gp_rpc_init_sec_context.c
|
||||
index f362dbc..7fe7365 100644
|
||||
--- a/src/gp_rpc_init_sec_context.c
|
||||
+++ b/src/gp_rpc_init_sec_context.c
|
||||
@@ -33,6 +33,7 @@ int gp_init_sec_context(struct gp_call_ctx *gpcall,
|
||||
};
|
||||
uint32_t gccn_before = 0;
|
||||
uint32_t gccn_after = 0;
|
||||
+ uint32_t discard;
|
||||
int ret;
|
||||
|
||||
isca = &arg->init_sec_context;
|
||||
@@ -192,6 +193,7 @@ done:
|
||||
|
||||
GPRPCDEBUG(gssx_res_init_sec_context, iscr);
|
||||
|
||||
+ gss_delete_sec_context(&discard, &ctx, NULL);
|
||||
gss_release_name(&ret_min, &target_name);
|
||||
gss_release_oid(&ret_min, &mech_type);
|
||||
gss_release_cred(&ret_min, &ich);
|
||||
diff --git a/tests/interposetest.c b/tests/interposetest.c
|
||||
index 0cdd473..7ab8ecc 100644
|
||||
--- a/tests/interposetest.c
|
||||
+++ b/tests/interposetest.c
|
||||
@@ -377,7 +377,7 @@ void run_server(struct aproc *data)
|
||||
uint32_t ret_min;
|
||||
gss_ctx_id_t context_handle = GSS_C_NO_CONTEXT;
|
||||
gss_cred_id_t cred_handle = GSS_C_NO_CREDENTIAL;
|
||||
- gss_name_t src_name;
|
||||
+ gss_name_t src_name = GSS_C_NO_NAME;
|
||||
gss_buffer_desc out_token = GSS_C_EMPTY_BUFFER;
|
||||
gss_cred_id_t deleg_cred = GSS_C_NO_CREDENTIAL;
|
||||
gss_OID_set mech_set = GSS_C_NO_OID_SET;
|
||||
@@ -591,7 +591,8 @@ void run_server(struct aproc *data)
|
||||
goto done;
|
||||
}
|
||||
|
||||
- fprintf(stdout, "Server, RECV: %s\n", (char *)out_token.value);
|
||||
+ fprintf(stdout, "Server, RECV: %*s\n", (int)out_token.length,
|
||||
+ (char *)out_token.value);
|
||||
|
||||
gss_release_buffer(&ret_min, &out_token);
|
||||
|
||||
diff --git a/tests/t_accept.c b/tests/t_accept.c
|
||||
index 3afb7ac..8a663fe 100644
|
||||
--- a/tests/t_accept.c
|
||||
+++ b/tests/t_accept.c
|
||||
@@ -9,7 +9,7 @@ int main(int argc, const char *argv[])
|
||||
gss_ctx_id_t context_handle = GSS_C_NO_CONTEXT;
|
||||
gss_buffer_desc in_token = GSS_C_EMPTY_BUFFER;
|
||||
gss_buffer_desc out_token = GSS_C_EMPTY_BUFFER;
|
||||
- gss_name_t src_name;
|
||||
+ gss_name_t src_name = GSS_C_NO_NAME;
|
||||
uint32_t ret_maj;
|
||||
uint32_t ret_min;
|
||||
int ret = -1;
|
||||
diff --git a/tests/userproxytest.c b/tests/userproxytest.c
|
||||
index 8aea41a..8c863c6 100644
|
||||
--- a/tests/userproxytest.c
|
||||
+++ b/tests/userproxytest.c
|
||||
@@ -33,14 +33,19 @@ int mock_activation_sockets(void)
|
||||
unlink(addr.sun_path);
|
||||
|
||||
fd = socket(AF_UNIX, SOCK_STREAM, 0);
|
||||
- if (fd == -1) return -1;
|
||||
+ if (fd == -1) {
|
||||
+ ret = -1;
|
||||
+ goto done;
|
||||
+ }
|
||||
|
||||
ret = bind(fd, (struct sockaddr *)&addr, sizeof(addr));
|
||||
- if (ret == -1) return -1;
|
||||
+ if (ret == -1) goto done;
|
||||
|
||||
ret = listen(fd, 1);
|
||||
- if (ret == -1) return -1;
|
||||
+ if (ret == -1) goto done;
|
||||
|
||||
+done:
|
||||
+ if (ret == -1) close(fd);
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -75,19 +80,19 @@ int wait_and_check_output(int outfd, int timeout)
|
||||
useconds_t interval = 100 * 1000; /* 100 msec */
|
||||
char outbuf[1024];
|
||||
char *line;
|
||||
- FILE *out;
|
||||
- int ret;
|
||||
+ FILE *out = NULL;
|
||||
+ int err, ret = -1;
|
||||
|
||||
/* make pipe non blocking */
|
||||
- ret = fcntl(outfd, F_SETFL, O_NONBLOCK);
|
||||
- if (ret) return -1;
|
||||
+ err = fcntl(outfd, F_SETFL, O_NONBLOCK);
|
||||
+ if (err) goto done;
|
||||
|
||||
out = fdopen(outfd, "r");
|
||||
- if (!out) return -1;
|
||||
+ if (!out) goto done;
|
||||
|
||||
while (now < start + timeout) {
|
||||
- ret = usleep(interval);
|
||||
- if (ret) return -1;
|
||||
+ err = usleep(interval);
|
||||
+ if (err) goto done;
|
||||
|
||||
line = fgets(outbuf, 1023, out);
|
||||
if (line) {
|
||||
@@ -101,13 +106,15 @@ int wait_and_check_output(int outfd, int timeout)
|
||||
now = time(NULL);
|
||||
}
|
||||
|
||||
- fclose(out);
|
||||
-
|
||||
for (int i = 0; checks[i].match != NULL; i++) {
|
||||
- if (checks[i].matched == false) return -1;
|
||||
+ if (checks[i].matched == false) goto done;
|
||||
}
|
||||
|
||||
- return 0;
|
||||
+ ret = 0;
|
||||
+
|
||||
+done:
|
||||
+ if (out) fclose(out);
|
||||
+ return ret;
|
||||
}
|
||||
|
||||
int child(int outpipe[])
|
||||
--
|
||||
2.45.2
|
||||
|
||||
@ -1,31 +0,0 @@
|
||||
From 25147fe553525762f5dc9fcddb6ec92071fdcd3d Mon Sep 17 00:00:00 2001
|
||||
From: Julien Rische <jrische@redhat.com>
|
||||
Date: Wed, 7 Aug 2024 10:27:39 +0200
|
||||
Subject: [PATCH] Make systemd use 0700 mode on cache folders
|
||||
|
||||
The provided gssproxy.service unit configures /var/lib/gssproxy/clients
|
||||
and /var/lib/gssproxy/rcache as "StateDirectory". However, systemd
|
||||
applies mode 0755 by default on such folders. "StateDirectoryMode" has
|
||||
to be set too to restrict access to root only.
|
||||
|
||||
Signed-off-by: Julien Rische <jrische@redhat.com>
|
||||
(cherry picked from commit b954728937c09a40409279d1247679aa5d39c7c8)
|
||||
---
|
||||
systemd/gssproxy.service.in | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/systemd/gssproxy.service.in b/systemd/gssproxy.service.in
|
||||
index 14d2185..b8f1f77 100644
|
||||
--- a/systemd/gssproxy.service.in
|
||||
+++ b/systemd/gssproxy.service.in
|
||||
@@ -6,6 +6,7 @@ Before=rpc-gssd.service
|
||||
|
||||
[Service]
|
||||
StateDirectory=gssproxy/clients gssproxy/rcache
|
||||
+StateDirectoryMode=0700
|
||||
Environment=KRB5RCACHEDIR=/var/lib/gssproxy/rcache
|
||||
ExecStart=@sbindir@/gssproxy -D
|
||||
# These two should be used with traditional UNIX forking daemons
|
||||
--
|
||||
2.45.2
|
||||
|
||||
@ -1 +0,0 @@
|
||||
L /var/lib/gssproxy/default.sock - - - - /run/gssproxy.default.sock
|
||||
Loading…
Reference in new issue