!74 [sync] PR-73: Fix trafficserver service error

From: @openeuler-sync-bot Reviewed-by: @wang--ge Signed-off-by: @wang--ge
2024-12-03 08:36:41 +00:00 · 2024-12-03 08:36:41 +00:00 · 2e7df68d17
commit 2e7df68d17
parent 522b143f4e 796a863a61
2 changed files with 33 additions and 1 deletions
--- a/Invoke-initgroups-iff-we-got-enough-privileges.patch
+++ b/Invoke-initgroups-iff-we-got-enough-privileges.patch
@ -0,0 +1,28 @@
+From d4dda9b5583d19e2eee268fec59aa487d61fc079 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Valent=C3=ADn=20Guti=C3=A9rrez?= <vgutierrez@wikimedia.org>
+Date: Thu, 21 Nov 2024 03:54:03 +0100
+Subject: [PATCH] Invoke initgroups() iff we got enough privileges (#11869)
+ (#11872)
+
+Follow up of #11855, that rendered unusable ATS as root when spawned via traffic_manager.
+---
+ src/tscore/ink_cap.cc | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/tscore/ink_cap.cc b/src/tscore/ink_cap.cc
+index 0f0d6f869e2..f464daad3b1 100644
+--- a/src/tscore/ink_cap.cc
+++ b/src/tscore/ink_cap.cc
+@@ -156,8 +156,10 @@ impersonate(const struct passwd *pwd, ImpersonationLevel level)
+ #endif
+ 
+   // Always repopulate the supplementary group list for the new user.
+-  if (initgroups(pwd->pw_name, pwd->pw_gid) != 0) {
+-    Fatal("switching to user %s, failed to initialize supplementary groups ID %ld", pwd->pw_name, (long)pwd->pw_gid);
+  if (geteuid() == 0) { // check that we have enough rights to call initgroups()
+    if (initgroups(pwd->pw_name, pwd->pw_gid) != 0) {
+      Fatal("switching to user %s, failed to initialize supplementary groups ID %ld", pwd->pw_name, (long)pwd->pw_gid);
+    }
+   }
+ 
+   switch (level) {
--- a/trafficserver.spec
+++ b/trafficserver.spec
@ -2,7 +2,7 @@
 %global vendor %{?_vendor:%{_vendor}}%{!?_vendor:openEuler}
 Name:                trafficserver
 Version:             9.2.5
-Release:             2
+Release:             3
 Summary:             Apache Traffic Server, a reverse, forward and transparent HTTP proxy cache
 License:             Apache-2.0
 URL:                 https://trafficserver.apache.org/
@ -17,6 +17,7 @@ Patch0006:           add-loong64-support.patch
 Patch0007:           CVE-2024-38479.patch
 Patch0008:           CVE-2024-50305.patch
 Patch0009:           CVE-2024-50306.patch
+Patch0010:           Invoke-initgroups-iff-we-got-enough-privileges.patch
 BuildRequires:       expat-devel hwloc-devel openssl-devel pcre-devel zlib-devel xz-devel
 BuildRequires:       libcurl-devel ncurses-devel gcc gcc-c++ perl-ExtUtils-MakeMaker
 BuildRequires:       libcap-devel cmake libunwind-devel automake chrpath
@ -137,6 +138,9 @@ getent passwd ats >/dev/null || useradd -r -u 176 -g ats -d / -s /sbin/nologin -
 %{_datadir}/pkgconfig/trafficserver.pc

 %changelog
+* Tue Dec 03 2024 yaoxin <yao_xin001@hoperun.com> - 9.2.5-3
+- Fix trafficserver service error
+
 * Fri Nov 15 2024 wangkai <13474090681@163.com> - 9.2.5-2
 - Fix CVE-2024-38479, CVE-2024-50306, CVE-2024-50305
 - Replace openEuler with vendor