From 4a6754126c0243f35f4e3129c78533de4935dd77 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Sep 29 2020 07:05:58 +0000 Subject: import gssproxy-0.7.0-29.el7 --- diff --git a/SOURCES/Change-impersonator-check-code.patch b/SOURCES/Change-impersonator-check-code.patch index 4cc5de9..27cf421 100644 --- a/SOURCES/Change-impersonator-check-code.patch +++ b/SOURCES/Change-impersonator-check-code.patch @@ -13,8 +13,8 @@ Merges: #172 (cherry picked from commit 73b50c0b2799f0aed53337a6516b8e1a27279ebf) --- proxy/configure.ac | 3 + - proxy/src/gp_creds.c | 145 ++++++++++++++++++++++++++++++++----------- - 2 files changed, 111 insertions(+), 37 deletions(-) + proxy/src/gp_creds.c | 147 ++++++++++++++++++++++++++++++++----------- + 2 files changed, 112 insertions(+), 38 deletions(-) diff --git a/proxy/configure.ac b/proxy/configure.ac index 63c0edf..c52dbb6 100644 @@ -74,12 +74,8 @@ index 171a724..95a1c48 100644 goto done; } -- /* if we find an impersonator entry we bail as that is not authorized, -- * if it were then gpcall->service->allow_const_deleg would have caused -- * the ealier check to return GSS_S_COMPLETE already */ - err = krb5_cc_get_config(context, ccache, NULL, "proxy_impersonator", - &config); -- if (!err) { ++ err = krb5_cc_get_config(context, ccache, NULL, "proxy_impersonator", ++ &config); + if (err == 0) { + *impersonator = strndup(config.data, config.length); + if (!*impersonator) { @@ -89,14 +85,10 @@ index 171a724..95a1c48 100644 + ret_min = 0; + ret_maj = GSS_S_COMPLETE; + } - krb5_free_data_contents(context, &config); -- ret_min = 0; -- ret_maj = GSS_S_UNAUTHORIZED; -- } else if (err != KRB5_CC_NOTFOUND) { ++ krb5_free_data_contents(context, &config); + } else { - ret_min = err; - ret_maj = GSS_S_FAILURE; -- } else { ++ ret_min = err; ++ ret_maj = GSS_S_FAILURE; + } + +done: @@ -186,13 +178,22 @@ index 171a724..95a1c48 100644 + ret_maj = get_impersonator_name(&ret_min, cred, &impersonator); + if (ret_maj) goto done; + -+ /* if we find an impersonator entry we bail as that is not authorized, -+ * if it were then gpcall->service->allow_const_deleg would have caused -+ * the ealier check to return GSS_S_COMPLETE already */ + /* if we find an impersonator entry we bail as that is not authorized, + * if it were then gpcall->service->allow_const_deleg would have caused + * the ealier check to return GSS_S_COMPLETE already */ +- err = krb5_cc_get_config(context, ccache, NULL, "proxy_impersonator", +- &config); +- if (!err) { +- krb5_free_data_contents(context, &config); + if (impersonator != NULL) { ret_min = 0; + ret_maj = GSS_S_UNAUTHORIZED; +- } else if (err != KRB5_CC_NOTFOUND) { +- ret_min = err; +- ret_maj = GSS_S_FAILURE; +- } else { +- ret_min = 0; - ret_maj = GSS_S_COMPLETE; -+ ret_maj = GSS_S_UNAUTHORIZED; } done: diff --git a/SOURCES/Make-syslog-of-call-status-configurable.patch b/SOURCES/Make-syslog-of-call-status-configurable.patch new file mode 100644 index 0000000..3d39c21 --- /dev/null +++ b/SOURCES/Make-syslog-of-call-status-configurable.patch @@ -0,0 +1,160 @@ +From 1948864cc8ace15d2e0bbb527091cca6a025676e Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Mon, 30 Sep 2019 15:00:56 -0400 +Subject: [PATCH] Make syslog of call status configurable + +Add a parameter (syslog_status) to configuration and +CLI (--syslog-status). This logs the results of GSSAPI calls at +LOG_DEBUG. Typically these calls resemble: + + gssproxy[28914]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS + failure. Minor code may provide more information, No credentials + cache found + +Since these messages worry some admins, turn them off by default. + +Signed-off-by: Robbie Harwood +(cherry picked from commit 116618e1523038691fcb481107ba15ffd42942ac) +(cherry picked from commit cc61409b7b20974332549dd028d889b87dbff98d) +(cherry picked from commit 07b32184ee337ec06a405724b4b88cad22829c6d) +[conflict: gssproxy.conf.5.xml over program being added] +--- + proxy/man/gssproxy.8.xml | 8 ++++++++ + proxy/man/gssproxy.conf.5.xml | 10 ++++++++++ + proxy/src/gp_config.c | 6 ++++++ + proxy/src/gp_log.c | 9 +++++++-- + proxy/src/gp_log.h | 3 +++ + proxy/src/gssproxy.c | 6 ++++++ + 6 files changed, 40 insertions(+), 2 deletions(-) + +diff --git a/proxy/man/gssproxy.8.xml b/proxy/man/gssproxy.8.xml +index 21f7e6a..4019135 100644 +--- a/proxy/man/gssproxy.8.xml ++++ b/proxy/man/gssproxy.8.xml +@@ -151,6 +151,14 @@ + + + ++ ++ ++ ++ ++ ++ Enable additional logging to syslog. ++ ++ + + + +diff --git a/proxy/man/gssproxy.conf.5.xml b/proxy/man/gssproxy.conf.5.xml +index 7874c6e..79f64e7 100644 +--- a/proxy/man/gssproxy.conf.5.xml ++++ b/proxy/man/gssproxy.conf.5.xml +@@ -361,6 +361,16 @@ + + + ++ ++ syslog_status (boolean) ++ ++ Enable per-call debugging output to the syslog. ++ This may be useful for investigating problems in ++ applications using gssproxy. ++ Default: syslog_status = false ++ ++ ++ + + trusted (boolean) + Defines whether this service is considered trusted. Use with caution, this enables impersonation. +diff --git a/proxy/src/gp_config.c b/proxy/src/gp_config.c +index cd057a0..57dcfc6 100644 +--- a/proxy/src/gp_config.c ++++ b/proxy/src/gp_config.c +@@ -586,6 +586,12 @@ int load_config(struct gp_config *cfg) + goto done; + } + ++ ret = gp_config_get_string(ctx, "gssproxy", "syslog_status", &tmpstr); ++ if (ret == 0) ++ gp_syslog_status = gp_boolean_is_true(tmpstr); ++ else if (ret != ENOENT) ++ goto done; ++ + ret = gp_config_get_string(ctx, "gssproxy", "run_as_user", &tmpstr); + if (ret == 0) { + cfg->proxy_user = strdup(tmpstr); +diff --git a/proxy/src/gp_log.c b/proxy/src/gp_log.c +index b6eb161..e67e8d3 100644 +--- a/proxy/src/gp_log.c ++++ b/proxy/src/gp_log.c +@@ -5,6 +5,9 @@ + #include + #include + ++/* global logging switch */ ++bool gp_syslog_status = false; ++ + void gp_logging_init(void) + { + openlog("gssproxy", +@@ -55,7 +58,9 @@ void gp_log_status(gss_OID mech, uint32_t maj, uint32_t min) + { + char buf[MAX_LOG_LINE]; + +- gp_fmt_status(mech, maj, min, buf, MAX_LOG_LINE); ++ if (!gp_syslog_status) ++ return; + +- GPERROR("%s\n", buf); ++ gp_fmt_status(mech, maj, min, buf, MAX_LOG_LINE); ++ syslog(LOG_DEBUG, "%s\n", buf); + } +diff --git a/proxy/src/gp_log.h b/proxy/src/gp_log.h +index fc8cbdb..31ad648 100644 +--- a/proxy/src/gp_log.h ++++ b/proxy/src/gp_log.h +@@ -3,9 +3,12 @@ + #ifndef _GP_LOG_H_ + #define _GP_LOG_H_ + ++#include + #include + #include + ++extern bool gp_syslog_status; ++ + #define MAX_LOG_LINE 1024 + #define GPERROR(...) syslog(LOG_ERR, __VA_ARGS__); + #define GPAUDIT(...) syslog(LOG_INFO, __VA_ARGS__); +diff --git a/proxy/src/gssproxy.c b/proxy/src/gssproxy.c +index 3221615..5112ebf 100644 +--- a/proxy/src/gssproxy.c ++++ b/proxy/src/gssproxy.c +@@ -157,6 +157,7 @@ int main(int argc, const char *argv[]) + int opt_version = 0; + int opt_debug = 0; + int opt_debug_level = 0; ++ int opt_syslog_status = 0; + verto_ctx *vctx; + verto_ev *ev; + int wait_fd; +@@ -182,6 +183,8 @@ int main(int argc, const char *argv[]) + _("Enable debugging"), NULL}, \ + {"debug-level", '\0', POPT_ARG_INT, &opt_debug_level, 0, \ + _("Set debugging level"), NULL}, \ ++ {"syslog-status", '\0', POPT_ARG_NONE, &opt_syslog_status, 0, \ ++ _("Enable GSSAPI status logging to syslog"), NULL}, \ + {"version", '\0', POPT_ARG_NONE, &opt_version, 0, \ + _("Print version number and exit"), NULL }, \ + POPT_TABLEEND +@@ -211,6 +214,9 @@ int main(int argc, const char *argv[]) + gp_debug_toggle(opt_debug_level); + } + ++ if (opt_syslog_status) ++ gp_syslog_status = true; ++ + if (opt_daemon && opt_interactive) { + fprintf(stderr, "Option -i|--interactive is not allowed together with -D|--daemon\n"); + poptPrintUsage(pc, stderr, 0); diff --git a/SOURCES/Properly-locate-credentials-in-collection-caches-in-.patch b/SOURCES/Properly-locate-credentials-in-collection-caches-in-.patch index ff32fb0..f1099e8 100644 --- a/SOURCES/Properly-locate-credentials-in-collection-caches-in-.patch +++ b/SOURCES/Properly-locate-credentials-in-collection-caches-in-.patch @@ -11,9 +11,9 @@ Reviewed-by: Simo Sorce Merges: #221 (cherry picked from commit 670240a6cd4d5e2ecf13e481621098693cdbaa89) --- - proxy/src/mechglue/gpp_creds.c | 77 ++++++++++++++++++++++++--------- + proxy/src/mechglue/gpp_creds.c | 81 +++++++++++++++++++++++---------- proxy/src/mechglue/gss_plugin.h | 2 +- - 2 files changed, 57 insertions(+), 22 deletions(-) + 2 files changed, 59 insertions(+), 24 deletions(-) diff --git a/proxy/src/mechglue/gpp_creds.c b/proxy/src/mechglue/gpp_creds.c index 3ebd726..187ada7 100644 @@ -86,19 +86,21 @@ index 3ebd726..187ada7 100644 * principal name, they are blackholed. We either have to change the * name (at which point the file grows forever) or flash the cache on * every update. */ +- ret = krb5_cc_initialize(ctx, ccache, cred.client); +- if (ret != 0) { + ret = krb5_cc_default(ctx, &ccache); + if (ret) -+ goto done; + goto done; +- } + - ret = krb5_cc_initialize(ctx, ccache, cred.client); -- if (ret != 0) { ++ ret = krb5_cc_initialize(ctx, ccache, cred.client); + if (ret != 0) + goto done; + + ret = krb5_cc_store_cred(ctx, ccache, &cred); + goto done; -+ } -+ + } + + ret = krb5_cc_cache_match(ctx, cred.client, &ccache); + if (ret == KRB5_CC_NOTFOUND) { + /* A new ccache within the collection whose name is based off the @@ -111,15 +113,15 @@ index 3ebd726..187ada7 100644 + cc_type = strndup(cc_name, p - cc_name); + if (!cc_type) { + ret = ENOMEM; - goto done; - } ++ goto done; ++ } + + ret = krb5_cc_new_unique(ctx, cc_type, NULL, &ccache); + free(cc_type); - } ++ } + if (ret) + goto done; - ++ ret = krb5_cc_store_cred(ctx, ccache, &cred); + if (ret) + goto done; diff --git a/SPECS/gssproxy.spec b/SPECS/gssproxy.spec index 154df99..26640ff 100644 --- a/SPECS/gssproxy.spec +++ b/SPECS/gssproxy.spec @@ -1,6 +1,6 @@ Name: gssproxy Version: 0.7.0 -Release: 28%{?dist} +Release: 29%{?dist} Summary: GSSAPI Proxy Group: System Environment/Libraries @@ -63,6 +63,7 @@ Patch45: Change-the-way-we-handle-encrypted-buffers.patch Patch46: Avoid-uninitialized-free-when-allocating-buffers.patch Patch47: Update-docs-to-reflect-actual-behavior-of-krb5_princ.patch Patch48: Fix-double-free-of-popt-context-when-querying-versio.patch +Patch49: Make-syslog-of-call-status-configurable.patch ### Dependencies ### @@ -157,6 +158,7 @@ A proxy for GSSAPI credential handling %patch46 -p2 -b .Avoid-uninitialized-free-when-allocating-buffers %patch47 -p2 -b .Update-docs-to-reflect-actual-behavior-of-krb5_princ %patch48 -p2 -b .Fix-double-free-of-popt-context-when-querying-versio +%patch49 -p2 -b .Make-syslog-of-call-status-configurable %build autoreconf -f -i @@ -219,6 +221,10 @@ rm -rf -- "%{buildroot}" %changelog +* Mon Apr 06 2020 Robbie Harwood 0.7.0-29 +- Make syslog of call status configurable +- Resolves: #1373421 + * Thu Sep 19 2019 Robbie Harwood 0.7.0-28 - Fix double free of popt context when querying version - Resolves: #1752810