Name:		gssproxy
Version:	0.7.0
Release:	4%{?dist}
Summary:	GSSAPI Proxy

Group:		System Environment/Libraries
License:	MIT
URL:		https://pagure.io/gssproxy
Source0:	https://releases.pagure.org/gssproxy/gssproxy-%{version}.tar.gz
BuildRoot:	%(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)

%global servicename gssproxy
%global pubconfpath %{_sysconfdir}/gssproxy
%global gpstatedir %{_localstatedir}/lib/gssproxy

### Patches ###
Patch0: Properly-renew-expired-credentials.patch
Patch1: Change-impersonator-check-code.patch
Patch2: Allow-connection-to-self-when-impersonator-set.patch
Patch3: Make-proc-file-failure-loud-but-nonfatal.patch

### Dependencies ###

Requires: krb5-libs >= 1.15
Requires: keyutils-libs
Requires: libverto-module-base
Requires(post): systemd-units
Requires(preun): systemd-units
Requires(postun): systemd-units

### Build Dependencies ###

BuildRequires: autoconf
BuildRequires: automake
BuildRequires: coreutils
BuildRequires: docbook-style-xsl
BuildRequires: doxygen
BuildRequires: findutils
BuildRequires: gettext-devel
BuildRequires: keyutils-libs-devel
BuildRequires: krb5-devel >= 1.15
BuildRequires: libini_config-devel >= 1.0.0.1
BuildRequires: libselinux-devel
BuildRequires: libtool
BuildRequires: libverto-devel
BuildRequires: libxml2
BuildRequires: libxslt
BuildRequires: m4
BuildRequires: pkgconfig
BuildRequires: popt-devel
BuildRequires: sed
BuildRequires: systemd-units


%description
A proxy for GSSAPI credential handling


%prep
%setup -q
%patch0 -p2 -b .Properly-renew-expired-credentials
%patch1 -p2 -b .Change-impersonator-check-code
%patch2 -p2 -b .Allow-connection-to-self-when-impersonator-set
%patch3 -p2 -b .Make-proc-file-failure-loud-but-nonfatal

%build
autoreconf -f -i
%configure \
    --with-pubconf-path=%{pubconfpath} \
    --with-initscript=systemd \
    --disable-static \
    --disable-rpath \
    --with-gpp-default-behavior=REMOTE_FIRST \
    CFLAGS="$CFLAGS -fPIE -fstack-protector-all" \
    LDFLAGS="$LDFLAGS -fPIE -pie -Wl,-z,now"
make %{?_smp_mflags} all
make test_proxymech

%install
rm -rf -- "%{buildroot}"
make install DESTDIR=%{buildroot}
rm -f -- %{buildroot}%{_libdir}/gssproxy/proxymech.la
install -d -m755 %{buildroot}%{_sysconfdir}/gssproxy
install -m644 examples/gssproxy.conf %{buildroot}%{_sysconfdir}/gssproxy/gssproxy.conf
install -m644 examples/99-nfs-client.conf %{buildroot}%{_sysconfdir}/gssproxy/99-nfs-client.conf
mkdir -p %{buildroot}%{_sysconfdir}/gss/mech.d
install -m644 examples/mech %{buildroot}%{_sysconfdir}/gss/mech.d/gssproxy.conf
mkdir -p %{buildroot}/var/lib/gssproxy/rcache

%clean
rm -rf -- "%{buildroot}"


%files
%defattr(-,root,root,-)
%doc COPYING
%{_unitdir}/gssproxy.service
%{_sbindir}/gssproxy
%attr(755,root,root) %dir %{pubconfpath}
%attr(755,root,root) %dir %{gpstatedir}
%attr(700,root,root) %dir %{gpstatedir}/clients
%attr(0600,root,root) %config(noreplace) /%{_sysconfdir}/gssproxy/gssproxy.conf
%attr(0600,root,root) %config(noreplace) /%{_sysconfdir}/gssproxy/99-nfs-client.conf
%attr(0644,root,root) %config(noreplace) /%{_sysconfdir}/gss/mech.d/gssproxy.conf
%attr(700,root,root) %dir /var/lib/gssproxy/rcache
%{_libdir}/gssproxy/proxymech.so
%{_mandir}/man5/gssproxy.conf.5*
%{_mandir}/man8/gssproxy.8*
%{_mandir}/man8/gssproxy-mech.8*


%post
%systemd_post gssproxy.service


%preun
%systemd_preun gssproxy.service


%postun
%systemd_postun_with_restart gssproxy.service


%changelog
* Wed May 31 2017 Robbie Harwood <rharwood@redhat.com> 0.7.0-4
- Make proc file failure loud but nonfatal
- Resolves: #1449238

* Tue Mar 28 2017 Robbie Harwood <rharwood@redhat.com> 0.7.0-3
- Stop shipping NFS server snippet (nfs-utils takes it instead)
- Resolves: #1379836

* Tue Mar 14 2017 Robbie Harwood <rharwood@redhat.com> 0.7.0-2
- Fix credential handling with mod_auth_gssapi that we broke
- Resolves: #1379836

* Fri Mar 10 2017 Robbie Harwood <rharwood@redhat.com> 0.7.0-1
- New upstream version - 0.7.0
- Resolves: #1379836

* Tue Feb 28 2017 Robbie Harwood <rharwood@redhat.com> 0.6.2-4
- Include fixes for NULL-termination
- Resolves: #1379836

* Thu Feb 23 2017 Robbie Harwood <rharwood@redhat.com> 0.6.2-3
- Document debug_level option
- Resolves: #1379836

* Tue Feb 21 2017 Robbie Harwood <rharwood@redhat.com> 0.6.2-2
- Enable running the test suite
- Resolves: #1379836

* Thu Feb 16 2017 Robbie Harwood <rharwood@redhat.com> 0.6.2-1
- Rebase to latest version since we have krb5-1.15
- Resolves: #1379836
- Resolves: #1344518
- Resolves: #1366782
- Resolves: #1379005
- Resolves: #1379482
- Resolves: #1379616
- Resolves: #1380490
- Resolves: #1378600
- Resolves: #1285012
- Resolves: #1333813

* Tue Sep 06 2016 Robbie Harwood <rharwood@redhat.com> 0.4.1-13
- Third try is the charm
- Resolves: #1092515

* Tue Sep 06 2016 Robbie Harwood <rharwood@redhat.com> 0.4.1-12
- Restore _FORTIFY_SOURCE behavior
- Resolves: #1092515

* Tue Sep 06 2016 Robbie Harwood <rharwood@redhat.com> 0.4.1-11
- Actually harden build with PIE and RELRO
- Resolves: #1092515

* Fri Jun 10 2016 Robbie Harwood <rharwood@redhat.com> 0.4.1-10
- Fix behavior with multiple keys in a keytab
- Resolves: #1285012

* Tue Jun 07 2016 Robbie Harwood <rharwood@redhat.com> 0.4.1-9
- Re-open socket in mechglue if client forks/changes privilege
- Resolves: #1340259

* Wed Mar 30 2016 Robbie Harwood <rharwood@redhat.com> 0.4.1-8
- Make GSS-Proxy work with krb5-1.14
- resolves: #1292487

* Tue Sep 29 2015 Simo Sorce <simo@redhat.com> 0.4.1-7
- Fix loop caused by improper EINTR handling
- resolves: #1266564

* Mon Aug 24 2015 Roland Mainz <rmainz@redhat.com> 0.4.1-6
- Remove extra whitespaces from #1208640/#1194299 patches
- spec file cleanup
- related: #1208640 #1194299

* Wed Aug 19 2015 Robbie Harwood <rharwood@redhat.com> 0.4.1-5
- Carry service/HTTP default conf section
- resolves: #1208640

* Wed Aug 19 2015 Robbie Harwood <rharwood@redhat.com> 0.4.1-4
- Set default rcache location patch
- resolves: #1194299

* Mon Jul 13 2015 Roland Mainz <rmainz@redhat.com> 0.4.1-3
- Bug #1213852 ("[gssproxy] NFS clients cannot mount with
  sec=krb5 if the NFS server is running gssproxy") was
  fixed by the rebase to 0.4.1 in bug ("[RFE] Rebase
  gssproxy to the latest to match expectations of other
  projects").
  Note that the same bug was also fixed in the kernel with
  "9507271 svcrpc: fix potential GSSX_ACCEPT_SEC_CONTEXT
  decoding failures" (see
  https://bugzilla.redhat.com/show_bug.cgi?id=1213852#c2
  and RH Bug #1120860 ("[NFS] NFS clients cannot mount with
  sec=krb5 if the NFS server is running gssproxy")) to
  handle various corner cases not covered by gssproxy,
  for example individual krb5 ticket fields exceeding
  the kernel's buffer size.

* Thu Jul 9 2015 Roland Mainz <rmainz@redhat.com> 0.4.1-2
- The following bugs have been fixed by the rebase to 0.4.1
  in bug ("[RFE] Rebase gssproxy to the latest to match
  expectations of other projects"):
  - Bug #1196371 ("rpc.gssd segfaults in gssproxy (proxymech.so)")
    Upstream tickets { #137, #144 }
  - Bug #1053730 ("KrbLocalUserMapping does not work with
    Apache & GSS-Proxy")
    Upstream ticket #101
  - Bug #1168962 ("gssproxy is not working with httpd on ppc64 and s390x")
    Upstream ticket #146

* Thu Jul 9 2015 Roland Mainz <rmainz@redhat.com> 0.4.1-1
- Add patch to remove -fno-strict-aliasing (gssproxy ticket #140,
  a dependency for the fix for bug #1092515 (see below))
- Add patch to fix bug #1092515 ("gssproxy - PIE and RELRO check")

* Fri Jun 5 2015 Roland Mainz <rmainz@redhat.com> 0.4.1-0
- Rebase gssproxy to 0.4.1 per bug #1132389 ("[RFE] Rebase
  gssproxy to the latest to match expectations of other
  projects").

* Fri Jan 23 2015 Simo Sorce <ssorce@redhat.com> 0.3.0-10
- Fix crash bug affecting updated rpc.gssd
- resolves: #1184531

* Wed Mar 12 2014 Guenther Deschner <gdeschner@redhat.com> 0.3.0-9
- Fix potential mutex deadlock
- resolves: #1075268

* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 0.3.0-8
- Mass rebuild 2014-01-24

* Thu Jan 16 2014 Guenther Deschner <gdeschner@redhat.com> 0.3.0-7
- Fix nfsd startup
- resolves: https://fedorahosted.org/gss-proxy/ticket/114
- resolves: #1053710

* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 0.3.0-6
- Mass rebuild 2013-12-27

* Tue Dec 17 2013 Guenther Deschner <gdeschner@redhat.com> 0.3.0-5
- Fix flags handling.
- resolves: https://fedorahosted.org/gss-proxy/ticket/112
- related: #1031710

* Wed Nov 27 2013 Guenther Deschner <gdeschner@redhat.com> 0.3.0-4
- Use secure_getenv
- resolves: https://fedorahosted.org/gss-proxy/ticket/110
- resolves: #1032684
- Use strerror_r instead of strerror
- resolves: https://fedorahosted.org/gss-proxy/ticket/111
- resolves: #1033350

* Tue Nov 19 2013 Guenther Deschner <gdeschner@redhat.com> 0.3.0-3
- Fix flags handling in gss_init_sec_context()
- resolves: https://fedorahosted.org/gss-proxy/ticket/106
- resolves: #1031713
- Fix OID handling in gss_inquire_cred_by_mech()
- resolves: https://fedorahosted.org/gss-proxy/ticket/107
- resolves: #1031712
- Fix continuation processing for not yet fully established contexts.
- resolves: https://fedorahosted.org/gss-proxy/ticket/108
- resolves: #1031711
- Add flags filtering and flags enforcing.
- resolves: https://fedorahosted.org/gss-proxy/ticket/109
- resolves: #1031710

* Wed Oct 23 2013 Guenther Deschner <gdeschner@redhat.com> 0.3.0-0
- New upstream release 0.3.0:
  * Add support for impersonation (depends on s4u2self/s4u2proxy on the KDC)
  * Add support for new rpc.gssd mode of operation that forks and changes uid
  * Add 2 new options allow_any_uid and cred_usage

* Fri Oct 18 2013 Guenther Deschner <gdeschner@redhat.com> 0.2.3-8
- Fix default proxymech documentation and fix LOCAL_FIRST implementation
- resolves: https://fedorahosted.org/gss-proxy/ticket/105

* Wed Jul 24 2013 Guenther Deschner <gdeschner@redhat.com> 0.2.3-6
- Add better default gssproxy.conf file for nfs client and server usage

* Thu Jun 06 2013 Guenther Deschner <gdeschner@redhat.com> 0.2.3-5
- New upstream release

* Fri May 31 2013 Guenther Deschner <gdeschner@redhat.com> 0.2.2-5
- Require libverto-tevent to make sure libverto initialization succeeds

* Wed May 29 2013 Guenther Deschner <gdeschner@redhat.com> 0.2.2-4
- Modify systemd unit files for nfs-secure services

* Wed May 22 2013 Guenther Deschner <gdeschner@redhat.com> 0.2.2-3
- Fix cred_store handling w/o client keytab

* Thu May 16 2013 Guenther Deschner <gdeschner@redhat.com> 0.2.2-2
- New upstream release

* Tue May 07 2013 Guenther Deschner <gdeschner@redhat.com> 0.2.1-2
- New upstream release

* Wed Apr 24 2013 Guenther Deschner <gdeschner@redhat.com> 0.2.0-1
- New upstream release

* Mon Apr 01 2013 Simo Sorce <simo@redhat.com> - 0.1.0-0
- New upstream release

* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.0.3-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild

* Tue Nov 06 2012 Guenther Deschner <gdeschner@redhat.com> 0.0.3-7
- Update to 0.0.3

* Wed Aug 22 2012 Guenther Deschner <gdeschner@redhat.com> 0.0.2-6
- Use new systemd-rpm macros
- resolves: #850139

* Wed Jul 18 2012 Guenther Deschner <gdeschner@redhat.com> 0.0.2-5
- More spec file fixes

* Mon Jul 16 2012 Guenther Deschner <gdeschner@redhat.com> 0.0.2-4
- Fix systemd service file

* Fri Jul 13 2012 Guenther Deschner <gdeschner@redhat.com> 0.0.2-3
- Fix various packaging issues

* Mon Jul 02 2012 Guenther Deschner <gdeschner@redhat.com> 0.0.1-2
- Add systemd packaging

* Wed Mar 28 2012 Guenther Deschner <gdeschner@redhat.com> 0.0.1-1
- Various fixes

* Mon Dec 12 2011 Simo Sorce <simo@redhat.com> - 0.0.2-0
- Automated build of the gssproxy daemon