Name: gssproxy Version: 0.7.0 Release: 28%{?dist} Summary: GSSAPI Proxy Group: System Environment/Libraries License: MIT URL: https://pagure.io/gssproxy Source0: https://releases.pagure.org/gssproxy/gssproxy-%{version}.tar.gz Source1: rwtab BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX) %global servicename gssproxy %global pubconfpath %{_sysconfdir}/gssproxy %global gpstatedir %{_localstatedir}/lib/gssproxy ### Patches ### Patch0: Properly-renew-expired-credentials.patch Patch1: Change-impersonator-check-code.patch Patch2: Allow-connection-to-self-when-impersonator-set.patch Patch3: Make-proc-file-failure-loud-but-nonfatal.patch Patch4: Turn-on-Wextra.patch Patch5: Fix-unused-variables.patch Patch6: Fix-mismatched-sign-comparisons.patch Patch7: Fix-error-checking-on-get_impersonator_fallback.patch Patch8: Remove-gpm_release_ctx-to-fix-double-unlock.patch Patch9: Appease-gcc-7-s-fallthrough-detection.patch Patch10: Fix-memory-leak.patch Patch11: Fix-most-memory-leaks.patch Patch12: Fix-segfault-when-no-config-files-are-present.patch Patch13: Update-systemd-file.patch Patch14: Fix-error-handling-in-gp_config_from_dir.patch Patch15: Fix-silent-crash-with-duplicate-config-sections.patch Patch16: Do-not-call-gpm_grab_sock-twice.patch Patch18: Only-empty-FILE-ccaches-when-storing-remote-creds.patch Patch19: Handle-outdated-encrypted-ccaches.patch Patch20: Separate-cred-and-ccache-manipulation-in-gpp_store_r.patch Patch21: Properly-locate-credentials-in-collection-caches-in-.patch Patch22: Properly-initialize-ccaches-before-storing-into-them.patch Patch23: Include-header-for-writev.patch Patch24: Tolerate-NULL-pointers-in-gp_same.patch Patch25: Add-Client-ID-to-debug-messages.patch Patch26: client-Switch-to-non-blocking-sockets.patch Patch27: server-Add-detailed-request-logging.patch Patch28: Fix-potential-free-of-non-heap-address.patch Patch29: Prevent-uninitialized-read-in-error-path-of-XDR-cont.patch Patch30: Simplify-setting-NONBLOCK-on-socket.patch Patch31: Fix-handling-of-non-EPOLLIN-EPOLLOUT-events.patch Patch32: Fix-error-handling-in-gpm_send_buffer-gpm_recv_buffe.patch Patch33: Emit-debug-on-queue-errors.patch Patch34: Conditionally-reload-kernel-interface-on-SIGHUP.patch Patch35: Don-t-leak-mech_type-when-CONTINUE_NEEDED-from-init_.patch Patch36: Always-use-the-encype-we-selected.patch Patch37: Clarify-debug-and-debug_level-in-man-pages.patch Patch38: Always-choose-highest-requested-debug-level.patch Patch39: Use-pthread-keys-for-thread-local-storage.patch Patch40: Close-epoll-fd-within-the-lock.patch Patch41: Add-a-safety-timeout-to-epoll.patch Patch42: Always-initialize-out-cred-in-gp_import_gssx_cred.patch Patch43: Handle-gss_import_cred-failure-when-importing-gssx-c.patch Patch44: Include-length-when-using-krb5_c_decrypt.patch Patch45: Change-the-way-we-handle-encrypted-buffers.patch Patch46: Avoid-uninitialized-free-when-allocating-buffers.patch Patch47: Update-docs-to-reflect-actual-behavior-of-krb5_princ.patch Patch48: Fix-double-free-of-popt-context-when-querying-versio.patch ### Dependencies ### # From rhbz#1458913 and rhbz#1507607 (and friends) Requires: libini_config >= 1.3.1-31 Requires: krb5-libs >= 1.15 Requires: keyutils-libs Requires: libverto-module-base Requires(post): systemd-units Requires(preun): systemd-units Requires(postun): systemd-units # Currently from rhbz#1458850 and friends Conflicts: selinux-policy < 3.13.1-166.el7.noarch ### Build Dependencies ### BuildRequires: autoconf BuildRequires: automake BuildRequires: coreutils BuildRequires: docbook-style-xsl BuildRequires: doxygen BuildRequires: findutils BuildRequires: gettext-devel BuildRequires: keyutils-libs-devel BuildRequires: krb5-devel >= 1.15 BuildRequires: libini_config-devel >= 1.3.1-28 BuildRequires: libselinux-devel BuildRequires: libtool BuildRequires: libverto-devel BuildRequires: libxml2 BuildRequires: libxslt BuildRequires: m4 BuildRequires: pkgconfig BuildRequires: popt-devel BuildRequires: sed BuildRequires: systemd-units %description A proxy for GSSAPI credential handling %prep %setup -q %patch0 -p2 -b .Properly-renew-expired-credentials %patch1 -p2 -b .Change-impersonator-check-code %patch2 -p2 -b .Allow-connection-to-self-when-impersonator-set %patch3 -p2 -b .Make-proc-file-failure-loud-but-nonfatal %patch4 -p2 -b .Turn-on-Wextra %patch5 -p2 -b .Fix-unused-variables %patch6 -p2 -b .Fix-mismatched-sign-comparisons %patch7 -p2 -b .Fix-error-checking-on-get_impersonator_fallback %patch8 -p2 -b .Remove-gpm_release_ctx-to-fix-double-unlock %patch9 -p2 -b .Appease-gcc-7-s-fallthrough-detection %patch10 -p2 -b .Fix-memory-leak %patch11 -p2 -b .Fix-most-memory-leaks %patch12 -p2 -b .Fix-segfault-when-no-config-files-are-present %patch13 -p2 -b .Update-systemd-file %patch14 -p2 -b .Fix-error-handling-in-gp_config_from_dir %patch15 -p2 -b .Fix-silent-crash-with-duplicate-config-sections %patch16 -p2 -b .Do-not-call-gpm_grab_sock-twice %patch18 -p2 -b .Only-empty-FILE-ccaches-when-storing-remote-creds %patch19 -p2 -b .Handle-outdated-encrypted-ccaches %patch20 -p2 -b .Separate-cred-and-ccache-manipulation-in-gpp_store_r %patch21 -p2 -b .Properly-locate-credentials-in-collection-caches-in- %patch22 -p2 -b .Properly-initialize-ccaches-before-storing-into-them %patch23 -p2 -b .Include-header-for-writev %patch24 -p2 -b .Tolerate-NULL-pointers-in-gp_same %patch25 -p2 -b .Add-Client-ID-to-debug-messages %patch26 -p2 -b .client-Switch-to-non-blocking-sockets %patch27 -p2 -b .server-Add-detailed-request-logging %patch28 -p2 -b .Fix-potential-free-of-non-heap-address %patch29 -p2 -b .Prevent-uninitialized-read-in-error-path-of-XDR-cont %patch30 -p2 -b .Simplify-setting-NONBLOCK-on-socket %patch31 -p2 -b .Fix-handling-of-non-EPOLLIN-EPOLLOUT-events %patch32 -p2 -b .Fix-error-handling-in-gpm_send_buffer-gpm_recv_buffe %patch33 -p2 -b .Emit-debug-on-queue-errors %patch34 -p2 -b .Conditionally-reload-kernel-interface-on-SIGHUP %patch35 -p2 -b .Don-t-leak-mech_type-when-CONTINUE_NEEDED-from-init_ %patch36 -p2 -b .Always-use-the-encype-we-selected %patch37 -p2 -b .Clarify-debug-and-debug_level-in-man-pages %patch38 -p2 -b .Always-choose-highest-requested-debug-level %patch39 -p2 -b .Use-pthread-keys-for-thread-local-storage %patch40 -p2 -b .Close-epoll-fd-within-the-lock %patch41 -p2 -b .Add-a-safety-timeout-to-epoll %patch42 -p2 -b .Always-initialize-out-cred-in-gp_import_gssx_cred %patch43 -p2 -b .Handle-gss_import_cred-failure-when-importing-gssx-c %patch44 -p2 -b .Include-length-when-using-krb5_c_decrypt %patch45 -p2 -b .Change-the-way-we-handle-encrypted-buffers %patch46 -p2 -b .Avoid-uninitialized-free-when-allocating-buffers %patch47 -p2 -b .Update-docs-to-reflect-actual-behavior-of-krb5_princ %patch48 -p2 -b .Fix-double-free-of-popt-context-when-querying-versio %build autoreconf -f -i %configure \ --with-pubconf-path=%{pubconfpath} \ --with-initscript=systemd \ --disable-static \ --disable-rpath \ --with-gpp-default-behavior=REMOTE_FIRST \ CFLAGS="$CFLAGS -fPIE -fstack-protector-all" \ LDFLAGS="$LDFLAGS -fPIE -pie -Wl,-z,now" make %{?_smp_mflags} all make test_proxymech %install rm -rf -- "%{buildroot}" make install DESTDIR=%{buildroot} rm -f -- %{buildroot}%{_libdir}/gssproxy/proxymech.la install -d -m755 %{buildroot}%{_sysconfdir}/gssproxy install -m644 examples/gssproxy.conf %{buildroot}%{_sysconfdir}/gssproxy/gssproxy.conf install -m644 examples/99-nfs-client.conf %{buildroot}%{_sysconfdir}/gssproxy/99-nfs-client.conf mkdir -p %{buildroot}%{_sysconfdir}/gss/mech.d install -m644 examples/mech %{buildroot}%{_sysconfdir}/gss/mech.d/gssproxy.conf mkdir -p %{buildroot}/var/lib/gssproxy/rcache mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/rwtab.d install -m644 %{SOURCE1} $RPM_BUILD_ROOT/%{_sysconfdir}/rwtab.d/gssproxy %clean rm -rf -- "%{buildroot}" %files %defattr(-,root,root,-) %doc COPYING %{_unitdir}/gssproxy.service %{_sbindir}/gssproxy %attr(755,root,root) %dir %{pubconfpath} %attr(755,root,root) %dir %{gpstatedir} %attr(700,root,root) %dir %{gpstatedir}/clients %attr(0600,root,root) %config(noreplace) /%{_sysconfdir}/gssproxy/gssproxy.conf %attr(0600,root,root) %config(noreplace) /%{_sysconfdir}/gssproxy/99-nfs-client.conf %attr(0644,root,root) %config(noreplace) /%{_sysconfdir}/gss/mech.d/gssproxy.conf %attr(700,root,root) %dir /var/lib/gssproxy/rcache %{_libdir}/gssproxy/proxymech.so %{_mandir}/man5/gssproxy.conf.5* %{_mandir}/man8/gssproxy.8* %{_mandir}/man8/gssproxy-mech.8* %config(noreplace) %{_sysconfdir}/rwtab.d/gssproxy %post %systemd_post gssproxy.service %preun %systemd_preun gssproxy.service %postun %systemd_postun_with_restart gssproxy.service %changelog * Thu Sep 19 2019 Robbie Harwood 0.7.0-28 - Fix double free of popt context when querying version - Resolves: #1752810 * Mon Jul 22 2019 Robbie Harwood 0.7.0-27 - Update docs to reflect actual behavior of krb5_principal - Resolves: #1553094 * Wed May 01 2019 Robbie Harwood 0.7.0-26 - Avoid uninitialized free when allocating buffers - Resolves: #1699331 * Tue Apr 30 2019 Robbie Harwood 0.7.0-25 - Fix explicit NULL deref on some enctypes - Resolves: #1699331 * Mon Mar 18 2019 Robbie Harwood 0.7.0-24 - Add a safety timeout to epoll - Resolves: #1687899 * Mon Dec 17 2018 Robbie Harwood 0.7.0-23 - Use pthread keys for thread local storage - Resolves: #1618375 * Tue Dec 11 2018 Robbie Harwood 0.7.0-22 - Add hack to support read-only root - Resolves: #1542567 * Fri Jun 08 2018 Robbie Harwood 0.7.0-21 - Always choose highest requested debug level - Resolves: #1505741 * Fri Apr 27 2018 Robbie Harwood 0.7.0-20 - Clean up debug man page + behavior - Resolves: #1554249 * Fri Apr 27 2018 Robbie Harwood 0.7.0-19 - Always use the encype we selected - Resolves: #1549684 * Fri Apr 27 2018 Robbie Harwood 0.7.0-18 - Don't leak mech_type when CONTINUE_NEEDED from init_sec_context - Resolves: #1553819 * Wed Dec 13 2017 Robbie Harwood 0.7.0-17 - Conditionally reload kernel interface on SIGHUP - Resolves: #1507817 * Tue Dec 12 2017 Robbie Harwood 0.7.0-16 - Backport epoll() logic - Resolves: #1507817 * Wed Dec 06 2017 Robbie Harwood 0.7.0-15 - Properly initialize ccaches before storing into them - Resolves: #1488629 * Fri Dec 01 2017 Robbie Harwood 0.7.0-14 - Properly locate credentials in collection caches in mechglue - Resolves: #1488629 * Tue Oct 31 2017 Robbie Harwood 0.7.0-13 - Handle outdated encrypted ccaches - Resolves: #1488629 * Tue Oct 31 2017 Robbie Harwood 0.7.0-12 - Handle outdated encrypted ccaches - Resolves: #1488629 * Mon Oct 30 2017 Robbie Harwood 0.7.0-11 - Fix error message handling in gp_config_from_dir() - Resolves: #1458913 * Fri Oct 27 2017 Robbie Harwood 0.7.0-10 - Fix concurrency issue around server socket handling - Resolves: #1462974 * Tue Oct 17 2017 Robbie Harwood 0.7.0-9 - Log useful warning and merge when config file has duplicate sections - Resolves: #1458913 * Mon Oct 02 2017 Robbie Harwood 0.7.0-8 - Add Conflicts: line for old selinux-policy - Resolves: #1458850 * Thu Sep 21 2017 Robbie Harwood 0.7.0-7 - Backport NFS-related gssproxy.service changes - Resolves: #1326440 * Mon Sep 11 2017 Robbie Harwood 0.7.0-6 - Fix segfault when no config files are present - Resolves: #1451255 * Thu Aug 17 2017 Robbie Harwood 0.7.0-5 - Backport hardening improvements - Resolves: #1462974 * Wed May 31 2017 Robbie Harwood 0.7.0-4 - Make proc file failure loud but nonfatal - Resolves: #1449238 * Tue Mar 28 2017 Robbie Harwood 0.7.0-3 - Stop shipping NFS server snippet (nfs-utils takes it instead) - Resolves: #1379836 * Tue Mar 14 2017 Robbie Harwood 0.7.0-2 - Fix credential handling with mod_auth_gssapi that we broke - Resolves: #1379836 * Fri Mar 10 2017 Robbie Harwood 0.7.0-1 - New upstream version - 0.7.0 - Resolves: #1379836 * Tue Feb 28 2017 Robbie Harwood 0.6.2-4 - Include fixes for NULL-termination - Resolves: #1379836 * Thu Feb 23 2017 Robbie Harwood 0.6.2-3 - Document debug_level option - Resolves: #1379836 * Tue Feb 21 2017 Robbie Harwood 0.6.2-2 - Enable running the test suite - Resolves: #1379836 * Thu Feb 16 2017 Robbie Harwood 0.6.2-1 - Rebase to latest version since we have krb5-1.15 - Resolves: #1379836 - Resolves: #1344518 - Resolves: #1366782 - Resolves: #1379005 - Resolves: #1379482 - Resolves: #1379616 - Resolves: #1380490 - Resolves: #1378600 - Resolves: #1285012 - Resolves: #1333813 * Tue Sep 06 2016 Robbie Harwood 0.4.1-13 - Third try is the charm - Resolves: #1092515 * Tue Sep 06 2016 Robbie Harwood 0.4.1-12 - Restore _FORTIFY_SOURCE behavior - Resolves: #1092515 * Tue Sep 06 2016 Robbie Harwood 0.4.1-11 - Actually harden build with PIE and RELRO - Resolves: #1092515 * Fri Jun 10 2016 Robbie Harwood 0.4.1-10 - Fix behavior with multiple keys in a keytab - Resolves: #1285012 * Tue Jun 07 2016 Robbie Harwood 0.4.1-9 - Re-open socket in mechglue if client forks/changes privilege - Resolves: #1340259 * Wed Mar 30 2016 Robbie Harwood 0.4.1-8 - Make GSS-Proxy work with krb5-1.14 - resolves: #1292487 * Tue Sep 29 2015 Simo Sorce 0.4.1-7 - Fix loop cause by imporper EINTR handling - resolves: #1266564 * Mon Aug 24 2015 Roland Mainz 0.4.1-6 - Remove extra whitespaces from #1208640/#1194299 patches - spec file cleanup related: #1208640 #1194299 * Wed Aug 19 2015 Robbie Harwood 0.4.1-5 - Carry service/HTTP default conf section - resolves: #1208640 * Wed Aug 19 2015 Robbie Harwood 0.4.1-4 - Set default rcache location patch - resolves: #1194299 * Mon Jul 13 2015 Roland Mainz 0.4.1-3 - Bug #1213852 ("[gssproxy] NFS clients cannot mount with sec=krb5 if the NFS server is running gssproxy") was fixed by the rebase to 0.4.1 in bug ("[RFE] Rebase gssproxy to the latest to match expectations of other projects"). Note that the same bug was also fixed in the kernel with "9507271 svcrpc: fix potential GSSX_ACCEPT_SEC_CONTEXT decoding failures" (see https://bugzilla.redhat.com/show_bug.cgi?id=1213852#c2 and RH Bug #1120860 ("[NFS] NFS clients cannot mount with sec=krb5 if the NFS server is running gssproxy")) to handle various corner cases not covered by gssproxy, for example individual krb5 ticket fields exceeding the kernel's buffer size. * Thu Jul 9 2015 Roland Mainz 0.4.1-2 - The following bugs have been fixed by the rebase to 0.4.1 in bug ("[RFE] Rebase gssproxy to the latest to match expectations of other projects"): - Bug #1196371 ("rpc.gssd segfaults in gssproxy (proxymech.so)") Upstream tickets { #137, #144 } - Bug #1053730 ("KrbLocalUserMapping does not work with Apache & GSS-Proxy") Upstream ticket #101 - Bug #1168962 ("gssproxy is not working with httpd on ppc64 and s390x") Upstream ticket #146 * Thu Jul 9 2015 Roland Mainz 0.4.1-1 - Add patch to remove -fno-strict-aliasing (gssproxy ticket #140, a dependicy for the fix for bug #1092515 (see below)) - Add patch to fix bug #1092515 ("gssproxy - PIE and RELRO check") * Fri Jun 5 2015 Roland Mainz 0.4.1-0 - Rebase gssproxy to 0.4.1 per bug #1132389 ("[RFE] Rebase gssproxy to the latest to match expectations of other projects"). * Fri Jan 23 2015 Simo Sorce 0.3.0-10 - Fix crash bug affecting updated rpc.gssd - resolves: #1184531 * Wed Mar 12 2014 Guenther Deschner 0.3.0-9 - Fix potential mutex deadlock - resolves: #1075268 * Fri Jan 24 2014 Daniel Mach - 0.3.0-8 - Mass rebuild 2014-01-24 * Thu Jan 16 2014 Guenther Deschner 0.3.0-7 - Fix nfsd startup - resolves: https://fedorahosted.org/gss-proxy/ticket/114 - resolves: #1053710 * Fri Dec 27 2013 Daniel Mach - 0.3.0-6 - Mass rebuild 2013-12-27 * Tue Dec 17 2013 Guenther Deschner 0.3.0-5 - Fix flags handling. - resolves: https://fedorahosted.org/gss-proxy/ticket/112 - related: #1031710 * Wed Nov 27 2013 Guenther Deschner 0.3.0-4 - Use secure_getenv - resolves: https://fedorahosted.org/gss-proxy/ticket/110 - resolves: #1032684 - Use strerror_r instead of strerror - resolves: https://fedorahosted.org/gss-proxy/ticket/111 - resolves: #1033350 * Tue Nov 19 2013 Guenther Deschner 0.3.0-3 - Fix flags handling in gss_init_sec_context() - resolves: https://fedorahosted.org/gss-proxy/ticket/106 - resolves: #1031713 - Fix OID handling in gss_inquire_cred_by_mech() - resolves: https://fedorahosted.org/gss-proxy/ticket/107 - resolves: #1031712 - Fix continuation processing for not yet fully established contexts. - resolves: https://fedorahosted.org/gss-proxy/ticket/108 - resolves: #1031711 - Add flags filtering and flags enforcing. - resolves: https://fedorahosted.org/gss-proxy/ticket/109 - resolves: #1031710 * Wed Oct 23 2013 Guenther Deschner 0.3.0-0 - New upstream release 0.3.0: * Add support for impersonation (depends on s4u2self/s4u2proxy on the KDC) * Add support for new rpc.gssd mode of operation that forks and changes uid * Add 2 new options allow_any_uid and cred_usage * Fri Oct 18 2013 Guenther Deschner 0.2.3-8 - Fix default proxymech documentation and fix LOCAL_FIRST implementation - resolves: https://fedorahosted.org/gss-proxy/ticket/105 * Wed Jul 24 2013 Guenther Deschner 0.2.3-6 - Add better default gssproxy.conf file for nfs client and server usage * Thu Jun 06 2013 Guenther Deschner 0.2.3-5 - New upstream release * Fri May 31 2013 Guenther Deschner 0.2.2-5 - Require libverto-tevent to make sure libverto initialization succeeds * Wed May 29 2013 Guenther Deschner 0.2.2-4 - Modify systemd unit files for nfs-secure services * Wed May 22 2013 Guenther Deschner 0.2.2-3 - Fix cred_store handling w/o client keytab * Thu May 16 2013 Guenther Deschner 0.2.2-2 - New upstream release * Tue May 07 2013 Guenther Deschner 0.2.1-2 - New upstream release * Wed Apr 24 2013 Guenther Deschner 0.2.0-1 - New upstream release * Mon Apr 01 2013 Simo Sorce - 0.1.0-0 - New upstream release * Thu Feb 14 2013 Fedora Release Engineering - 0.0.3-8 - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild * Tue Nov 06 2012 Guenther Deschner 0.0.3-7 - Update to 0.0.3 * Wed Aug 22 2012 Guenther Deschner 0.0.2-6 - Use new systemd-rpm macros - resolves: #850139 * Wed Jul 18 2012 Guenther Deschner 0.0.2-5 - More spec file fixes * Mon Jul 16 2012 Guenther Deschner 0.0.2-4 - Fix systemd service file * Fri Jul 13 2012 Guenther Deschner 0.0.2-3 - Fix various packaging issues * Mon Jul 02 2012 Guenther Deschner 0.0.1-2 - Add systemd packaging * Wed Mar 28 2012 Guenther Deschner 0.0.1-1 - Various fixes * Mon Dec 12 2011 Simo Sorce - 0.0.2-0 - Automated build of the gssproxy daemon