packages/trafficserver
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!74 [sync] PR-73: Fix trafficserver service error

Browse Source 
From: @openeuler-sync-bot 
Reviewed-by: @wang--ge 
Signed-off-by: @wang--ge
This commit is contained in:
openeuler-ci-bot 2024-12-03 08:36:41 +00:00 committed by Gitee
commit 2e7df68d17
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 33 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
Invoke-initgroups-iff-we-got-enough-privileges.patch Normal file
View File

@ -0,0 +1,28 @@
From d4dda9b5583d19e2eee268fec59aa487d61fc079 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Valent=C3=ADn=20Guti=C3=A9rrez?= <vgutierrez@wikimedia.org>
Date: Thu, 21 Nov 2024 03:54:03 +0100
Subject: [PATCH] Invoke initgroups() iff we got enough privileges (#11869)
(#11872)
Follow up of #11855, that rendered unusable ATS as root when spawned via traffic_manager.
---
src/tscore/ink_cap.cc | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/tscore/ink_cap.cc b/src/tscore/ink_cap.cc
index 0f0d6f869e2..f464daad3b1 100644
--- a/src/tscore/ink_cap.cc
+++ b/src/tscore/ink_cap.cc
@@ -156,8 +156,10 @@ impersonate(const struct passwd *pwd, ImpersonationLevel level)
#endif
// Always repopulate the supplementary group list for the new user.
- if (initgroups(pwd->pw_name, pwd->pw_gid) != 0) {
- Fatal("switching to user %s, failed to initialize supplementary groups ID %ld", pwd->pw_name, (long)pwd->pw_gid);
+ if (geteuid() == 0) { // check that we have enough rights to call initgroups()
+ if (initgroups(pwd->pw_name, pwd->pw_gid) != 0) {
+ Fatal("switching to user %s, failed to initialize supplementary groups ID %ld", pwd->pw_name, (long)pwd->pw_gid);
+ }
}
switch (level) {

6
trafficserver.spec
View File

@ -2,7 +2,7 @@
%global vendor %{?_vendor:%{_vendor}}%{!?_vendor:openEuler} %global vendor %{?_vendor:%{_vendor}}%{!?_vendor:openEuler}
Name: trafficserver Name: trafficserver
Version: 9.2.5 Version: 9.2.5
Release: 2 Release: 3
Summary: Apache Traffic Server, a reverse, forward and transparent HTTP proxy cache Summary: Apache Traffic Server, a reverse, forward and transparent HTTP proxy cache
License: Apache-2.0 License: Apache-2.0
URL: https://trafficserver.apache.org/ URL: https://trafficserver.apache.org/
@ -17,6 +17,7 @@ Patch0006: add-loong64-support.patch
Patch0007: CVE-2024-38479.patch Patch0007: CVE-2024-38479.patch
Patch0008: CVE-2024-50305.patch Patch0008: CVE-2024-50305.patch
Patch0009: CVE-2024-50306.patch Patch0009: CVE-2024-50306.patch
Patch0010: Invoke-initgroups-iff-we-got-enough-privileges.patch
BuildRequires: expat-devel hwloc-devel openssl-devel pcre-devel zlib-devel xz-devel BuildRequires: expat-devel hwloc-devel openssl-devel pcre-devel zlib-devel xz-devel
BuildRequires: libcurl-devel ncurses-devel gcc gcc-c++ perl-ExtUtils-MakeMaker BuildRequires: libcurl-devel ncurses-devel gcc gcc-c++ perl-ExtUtils-MakeMaker
BuildRequires: libcap-devel cmake libunwind-devel automake chrpath BuildRequires: libcap-devel cmake libunwind-devel automake chrpath
@ -137,6 +138,9 @@ getent passwd ats >/dev/null || useradd -r -u 176 -g ats -d / -s /sbin/nologin -
%{_datadir}/pkgconfig/trafficserver.pc %{_datadir}/pkgconfig/trafficserver.pc
%changelog %changelog
* Tue Dec 03 2024 yaoxin <yao_xin001@hoperun.com> - 9.2.5-3
- Fix trafficserver service error
* Fri Nov 15 2024 wangkai <13474090681@163.com> - 9.2.5-2 * Fri Nov 15 2024 wangkai <13474090681@163.com> - 9.2.5-2
- Fix CVE-2024-38479, CVE-2024-50306, CVE-2024-50305 - Fix CVE-2024-38479, CVE-2024-50306, CVE-2024-50305
- Replace openEuler with vendor - Replace openEuler with vendor