From 8345e6f1d4fdc93d1367de3a0104f4e4eb167010 Mon Sep 17 00:00:00 2001
From: yixiangzhike
Date: Fri, 31 Oct 2025 14:07:59 +0800
Subject: [PATCH] make systemd use 0700 mode on cache folders

(cherry picked from commit 40bdb3ff161a18d9666b8b157ed58a5a88bce13a)
---
 ...stemd-use-0700-mode-on-cache-folders.patch | 30 +++++++++++++++++++
 gssproxy.spec | 6 +++-
 2 files changed, 35 insertions(+), 1 deletion(-)
 create mode 100644 backport-Make-systemd-use-0700-mode-on-cache-folders.patch

diff --git a/backport-Make-systemd-use-0700-mode-on-cache-folders.patch b/backport-Make-systemd-use-0700-mode-on-cache-folders.patch
new file mode 100644
index 0000000..4ba759b
--- /dev/null
+++ b/backport-Make-systemd-use-0700-mode-on-cache-folders.patch
@@ -0,0 +1,30 @@
+From b954728937c09a40409279d1247679aa5d39c7c8 Mon Sep 17 00:00:00 2001
+From: Julien Rische
+Date: Wed, 7 Aug 2024 10:27:39 +0200
+Subject: [PATCH] Make systemd use 0700 mode on cache folders
+
+The provided gssproxy.service unit configures /var/lib/gssproxy/clients
+and /var/lib/gssproxy/rcache as "StateDirectory". However, systemd
+applies mode 0755 by default on such folders. "StateDirectoryMode" has
+to be set too to restrict access to root only.
+
+Signed-off-by: Julien Rische
+---
+ systemd/gssproxy.service.in | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/systemd/gssproxy.service.in b/systemd/gssproxy.service.in
+index 0db9a9d..9b8c45a 100644
+--- a/systemd/gssproxy.service.in
++++ b/systemd/gssproxy.service.in
+@@ -6,6 +6,7 @@ Before=rpc-gssd.service
+ 
+ [Service]
+ StateDirectory=gssproxy/clients gssproxy/rcache
++StateDirectoryMode=0700
+ Environment=KRB5RCACHEDIR=/var/lib/gssproxy/rcache
+ ExecStart=@sbindir@/gssproxy -D
+ # These two should be used with traditional UNIX forking daemons
+-- 
+2.43.0
+
diff --git a/gssproxy.spec b/gssproxy.spec
index adb9374..279faf7 100644
--- a/gssproxy.spec
+++ b/gssproxy.spec
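Review bot: `StateDirectoryMode=0700` applies to the two leaf directories named in `StateDirectory=` (gssproxy/clients and gssproxy/rcache); as far as I recall systemd creates intermediate components such as /var/lib/gssproxy with the default 0755, which is acceptable here because the sensitive files live in the leaves, but the unit should say so rather than leave the next maintainer to guess. The spec's %install also creates %{gpstatedir}/rcache (visible in the header of the third gssproxy.spec hunk), so the RPM ships these directories itself; the %files %attr/%dir modes for clients and rcache should agree with 0700, otherwise a fresh install carries the package mode until the service first starts, and whether systemd re-applies the mode to a pre-existing directory appears to vary by systemd version — confirm against the %files section, which is outside this diff. Suggested comment above the new line: `# StateDirectory defaults to 0755; keep the client and rcache dirs root-only`.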
@@ -7,7 +7,7 @@
 
 Name: gssproxy
 Version: 0.9.2
-Release: 4
+Release: 5
 Summary: GSSAPI Proxy
 License: MIT
 URL: https://github.com/gssapi/gssproxy
@@ -15,6 +15,7 @@ Source0: https://github.com/gssapi/%{name}/releases/download/v%{version}/%{name}
 
 Patch1: backport-Remove-from-the-correct-list.patch
 Patch2: backport-Fix-various-issues-detected-by-static-analysis.patch
+Patch3: backport-Make-systemd-use-0700-mode-on-cache-folders.patch
 
 Requires: krb5 keyutils libverto-module-base libini_config
 %{?systemd_requires}
@@ -107,6 +108,9 @@ mkdir -p %{buildroot}%{gpstatedir}/rcache
 %{_mandir}/man8/gssproxy-mech.8*
 
 %changelog
+* Fri Oct 31 2025 yixiangzhike - 0.9.2-5
+- make systemd use 0700 mode on cache folders
+
 * Thu Sep 25 2025 yixiangzhike - 0.9.2-4
 - backport upstream patch to fix various issues detected by static analysis
 
-- 
Gitee