From 8078618c1ea9932b80f43981df4232f246e0680c Mon Sep 17 00:00:00 2001
From: Scott Cantor
Date: Thu, 25 Aug 2011 00:26:06 +0000
Subject: [PATCH] https://issues.shibboleth.net/jira/browse/SSPCPP-353

---
 configs/shibd-redhat.in | 89 ++++++++++++++++++++++-----------
 configs/shibd-suse.in | 13 +++--
 plugins/GSSAPIAttributeExtractor.cpp | 1 +
 plugins/internal.h | 1 -
 plugins/plugins.cpp | 1 +
 shibboleth.spec.in | 96 ++++++++++++++++++++++++++----------
 6 files changed, 138 insertions(+), 63 deletions(-)

diff --git a/configs/shibd-redhat.in b/configs/shibd-redhat.in
index a13b2d7..716bdbd 100644
--- a/configs/shibd-redhat.in
+++ b/configs/shibd-redhat.in
@@ -12,30 +12,26 @@
 . /etc/rc.d/init.d/functions
 shibd="@-PREFIX-@/sbin/shibd"
 SHIBD_USER=root
-pidfile=@-PKGRUNDIR-@/shibd.pid
 prog=shibd
-#VER=`cat /etc/redhat-release | awk '{print $3}' | awk -F . '{print $1}'`
-RETVAL=0
+pidfile=@-PKGRUNDIR-@/shibd.pid
+lockfile=/var/lock/subsys/$prog
-if [ -f /etc/sysconfig/shibd ] ; then
- . /etc/sysconfig/shibd
-fi
+[ -e /etc/sysconfig/$prog ] && . /etc/sysconfig/$prog
 start() {
 echo -n $"Starting $prog: "
- if [ -f /var/lock/subsys/shibd ] ; then
+ if [ -f $lockfile ] ; then
 if [ -f $pidfile ]; then
 read kpid < $pidfile
 if checkpid $kpid 2>&1; then
 echo "process already running"
- return -1
+ return 1;
 else
 echo "lock file found but no process running for pid $kpid, continuing"
 fi
 fi
 fi
-#_RHEL6_ export LD_LIBRARY_PATH=/opt/shibboleth/lib:$LD_LIBRARY_PATH
 export SHIBD_PID=$pidfile
 touch $pidfile
 chown $SHIBD_USER:$SHIBD_USER $pidfile
@@ -43,12 +39,12 @@ start() {
 /sbin/restorecon $pidfile
 fi
 # Handle transition from root to non-root packages.
- chown $SHIBD_USER:$SHIBD_USER @-PKGRUNDIR-@/*
+ chown $SHIBD_USER:$SHIBD_USER @-PKGRUNDIR-@/* 2>/dev/null || :
 daemon --user $SHIBD_USER $shibd -p $pidfile -f -w 30
 RETVAL=$?
 echo
- [ $RETVAL = 0 ] && touch /var/lock/subsys/shibd
+ [ $RETVAL -eq 0 ] && touch $lockfile
 return $RETVAL
 }
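Review bot: `SHIBD_USER=root` is still the in-script default, and the new `[ -e /etc/sysconfig/$prog ] && . /etc/sysconfig/$prog` line is now the only thing that moves the daemon to an unprivileged account, so a missing or unreadable sysconfig file silently runs shibd as root again. If the build can substitute the spec's `runuser` value into this template, making that the default and letting sysconfig only override it would make the absent-file case fail closed. Failing that, a comment above the sourcing line such as `# /etc/sysconfig/shibd may override SHIBD_USER; root is the fallback when it is absent` keeps the fallback visible to whoever edits either file.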
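Review bot: `chown $SHIBD_USER:$SHIBD_USER @-PKGRUNDIR-@/* 2>/dev/null || :` runs as root over every entry in the run directory, and chown dereferences symbolic links by default, so once the directory's contents belong to the service account any link among those entries has its target, not the link, re-owned on the next start; the same pattern appears in the shibd-suse.in `start)` hunk and in the spec's %post `%{__chown} ... %{_localstatedir}/log/%{name}/*` line. `chown -h $SHIBD_USER:$SHIBD_USER @-PKGRUNDIR-@/* 2>/dev/null || :` (or naming the files the transition actually needs instead of the glob) confines the one-time ownership fix to the directory itself. The `2>/dev/null || :` also hides a genuine failure of that fix; a short comment that the glob is expected to fail harmlessly when the directory is empty would explain why errors are suppressed.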
@@ -58,29 +54,62 @@ stop() {
 RETVAL=$?
 echo
- [ $RETVAL = 0 ] && rm -f /var/lock/subsys/shibd $pidfile
+ [ $RETVAL -eq 0 ] && rm -f $lockfile $pidfile
+ return $RETVAL
 }
-# See how we were called.
-case "$1" in
- start)
- start
- ;;
- stop)
- stop
- ;;
- status)
- status $shibd
- RETVAL=$?
- ;;
- restart)
+restart() {
 stop
 sleep 5
 start
- ;;
- *)
- echo $"Usage: $prog {start|stop|status|restart}"
- exit 1
+}
+
+reload() {
+ restart
+}
+
+force_reload() {
+ restart
+}
+
+rh_status() {
+ # run checks to determine if the service is running or use generic status
+ status $prog
+}
+
+rh_status_q() {
+ rh_status >/dev/null 2>&1
+}
+
+case "$1" in
+ start)
+ rh_status_q && exit 0
+ $1
+ ;;
+ stop)
+ rh_status_q || exit 0
+ $1
+ ;;
+ restart)
+ $1
+ ;;
+ reload)
+ rh_status_q || exit 7
+ $1
+ ;;
+ force-reload)
+ force_reload
+ ;;
+ status)
+ rh_status
+ ;;
+ condrestart|try-restart)
+ rh_status_q || exit 0
+ restart
+ ;;
+ *)
+ echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}"
+ exit 2
 esac
-exit $RETVAL
+exit $?
diff --git a/configs/shibd-suse.in b/configs/shibd-suse.in
index 4353379..ed26f9e 100644
--- a/configs/shibd-suse.in
+++ b/configs/shibd-suse.in
@@ -26,21 +26,20 @@ SCRIPTNAME=/etc/init.d/$NAME
 PID_FILE=@-PKGRUNDIR-@/shibd.pid
 SHIBD_USER=root
 DAEMON_OPTS=""
-
+
 # Force removal of socket
 DAEMON_OPTS="$DAEMON_OPTS -f"
 # Use defined configuration file
 DAEMON_OPTS="$DAEMON_OPTS -c $SHIB_CONFIG"
-
-# Set uid to run as
-DAEMON_OPTS="$DAEMON_OPTS -u $SHIBD_USER"
 # Specify pid file to use
 DAEMON_OPTS="$DAEMON_OPTS -p $PID_FILE"
 # Specify wait time to use
 DAEMON_OPTS="$DAEMON_OPTS -w 30"
+
+[ -e /etc/sysconfig/$NAME ] && . /etc/sysconfig/$NAME
 # Exit if the package is not installed.
 test -x "$DAEMON" || exit 5
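Review bot: `rh_status` calls `status $prog` without the pid file, so `status` resolves the service by the name `shibd` (its default pid-file location and then, presumably, a process-name lookup) rather than through the `-p $pidfile` that `start` passes to `daemon`; any process called shibd, including one not launched by this script, then satisfies `rh_status_q`, and `start` exits 0 without starting the packaged daemon. `status -p $pidfile $prog` keeps start, status and the new condrestart/try-restart target on the same pid file. stop()'s body begins outside this hunk, so whether it passes the pid file as well cannot be checked here.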
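Review bot: `[ -e /etc/sysconfig/$NAME ] && . /etc/sysconfig/$NAME` is sourced after `DAEMON_OPTS` has been assembled from `SHIB_CONFIG` and `PID_FILE`, so a sysconfig override of either of those never reaches the daemon command line, whereas an override of `SHIBD_USER` does take effect because `startproc -u $SHIBD_USER` reads it later. If the file is meant to override only `SHIBD_USER`, a comment above the line saying so would prevent the surprise; otherwise moving the sourcing line to just after `SHIBD_USER=root`, before the first `DAEMON_OPTS=` assignment, makes every setting overridable. shibd-redhat.in sources its file before any options are built, so the two scripts currently behave differently here.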
@@ -52,8 +51,8 @@ rc_reset
 case "$1" in
 start)
- # Handle transition from root to non-root packages.
- chown $SHIBD_USER:$SHIBD_USER @-PKGRUNDIR-@/*
+ # Handle transition from root to non-root packages.
+ chown $SHIBD_USER:$SHIBD_USER @-PKGRUNDIR-@/* 2>/dev/null || :
 echo -n "Starting $DESC ($NAME)"
 ## Start daemon with startproc(8). If this fails
@@ -61,7 +60,7 @@ case "$1" in
 # NOTE: startproc return 0, even if service is
 # already running to match LSB spec.
- /sbin/startproc -p $PID_FILE $DAEMON $DAEMON_OPTS > /dev/null 2>&1
+ /sbin/startproc -u $SHIBD_USER -p $PID_FILE $DAEMON $DAEMON_OPTS > /dev/null 2>&1
 # Remember status and be verbose
 rc_status -v
diff --git a/plugins/GSSAPIAttributeExtractor.cpp b/plugins/GSSAPIAttributeExtractor.cpp
index 341e92e..0ed36bc 100644
--- a/plugins/GSSAPIAttributeExtractor.cpp
+++ b/plugins/GSSAPIAttributeExtractor.cpp
@@ -61,6 +61,7 @@ using namespace shibsp;
 using namespace opensaml::saml2md;
 using namespace opensaml;
 using namespace xmltooling;
+using namespace xercesc;
 using namespace std;
 namespace shibsp {
diff --git a/plugins/internal.h b/plugins/internal.h
index d86ae49..c979c75 100644
--- a/plugins/internal.h
+++ b/plugins/internal.h
@@ -43,6 +43,5 @@
 #include
 using namespace xmltooling::logging;
-using namespace xercesc;
 #endif /* __plugins_internal_h__ */
diff --git a/plugins/plugins.cpp b/plugins/plugins.cpp
index 91ff8de..19a437d 100644
--- a/plugins/plugins.cpp
+++ b/plugins/plugins.cpp
@@ -31,6 +31,7 @@ using namespace shibsp;
 using namespace xmltooling;
+using namespace xercesc;
 using namespace std;
 #ifdef WIN32
diff --git a/shibboleth.spec.in b/shibboleth.spec.in
index 521392c..7f7baaa 100644
--- a/shibboleth.spec.in
+++ b/shibboleth.spec.in
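Review bot: With `-u $SHIBD_USER`, shibd (which receives `-p $PID_FILE` through `DAEMON_OPTS`) now has to write `$PID_FILE` as the unprivileged account, but unlike shibd-redhat.in (which does `touch $pidfile` and `chown $SHIBD_USER:$SHIBD_USER $pidfile` before calling `daemon`) this script only re-owns entries that already exist under `@-PKGRUNDIR-@`; on a first start with an empty run directory the pid file can only be created if the directory itself is owned by or writable to `$SHIBD_USER`, which is arranged outside this file and cannot be verified here. A comment above the `startproc` line naming that dependency, e.g. `# @-PKGRUNDIR-@ must be writable by $SHIBD_USER: shibd writes $PID_FILE itself`, would make the requirement visible to packagers.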
@@ -11,7 +11,7 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-root
 Requires: openssl
 PreReq: xmltooling-schemas, opensaml-schemas
 %if 0%{?suse_version} > 1030 && 0%{?suse_version} < 1130
-PreReq: %{insserv_prereq}
+PreReq: %{insserv_prereq} %{fillup_prereq}
 BuildRequires: libXerces-c-devel >= 2.8.0
 %else
 BuildRequires: libxerces-c-devel >= 2.8.0
@@ -33,13 +33,15 @@ BuildRequires: gcc-c++, zlib-devel
 %{!?_without_builtinapache:BuildRequires: httpd-devel}
 BuildRequires: redhat-rpm-config
 Requires(pre): shadow-utils
+Requires(post): chkconfig
+Requires(preun): chkconfig, initscripts
 %endif
 %if "%{_vendor}" == "suse"
 Requires(pre): pwdutils
 %{!?_without_builtinapache:BuildRequires: apache2-devel}
 %endif
-%define runuser shibboleth
+%define runuser shibd
 %if "%{_vendor}" == "suse"
 %define pkgdocdir %{_docdir}/%{name}
 %else
@@ -91,16 +93,6 @@ This package includes files needed for development with Shibboleth.
 $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/native.logger
 %endif
-%if 0%{?rhel} >= 6 || 0%{?centos_version} >= 600
- %{__sed} -i "s/#_RHEL6_//g" \ $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/shibd-redhat
- %{__sed} -i "s/\/opt\/shibboleth\/lib/\/opt\/shibboleth\/%{_lib}/g" \ $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/shibd-redhat
- chrpath -d $RPM_BUILD_ROOT%{_sbindir}/shibd
- chrpath -d $RPM_BUILD_ROOT%{_bindir}/mdquery
- chrpath -d $RPM_BUILD_ROOT%{_bindir}/resolvertest
-%endif
-
 # Plug the SP into the built-in Apache on a recognized system.
 touch rpm.filelist
 APACHE_CONFIG="no"
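Review bot: `%define runuser shibd` renames the service account from `shibboleth` to `shibd`, yet the changelog entry in this same patch describes the change as running shibd as the "non-root shibboleth user", so one of the two needs correcting. The %pre scriptlet that creates the account lies outside these hunks, so whether an existing `shibboleth` account, and the files it owns from the earlier 2.5-1 snapshot the changelog lists, are migrated cannot be checked here. A comment beside the define, e.g. `# Service account; renamed from "shibboleth" during 2.5 development`, would at least flag the rename to anyone upgrading a pre-release install.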
@@ -125,13 +117,44 @@ if [ "$APACHE_CONFIG" != "no" ] ; then
 if [ "$APACHE_CONFD" != "no" ] ; then
 %{__mkdir} -p $RPM_BUILD_ROOT$APACHE_CONFD
 %{__cp} -p $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/$APACHE_CONFIG $RPM_BUILD_ROOT$APACHE_CONFD/shib.conf
- echo "%config(noreplace) $APACHE_CONFD/shib.conf" > rpm.filelist
+ echo "%config(noreplace) $APACHE_CONFD/shib.conf" >> rpm.filelist
 fi
 fi
+# Establish location of sysconfig file, if any.
+SYSCONFIG_SHIBD="no"
+%if "%{_vendor}" == "redhat"
+ %{__mkdir} -p $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig
+ echo "%config(noreplace) %{_sysconfdir}/sysconfig/shibd" >> rpm.filelist
+ SYSCONFIG_SHIBD="$RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/shibd"
+%endif
+%if "%{_vendor}" == "suse"
+ %{__mkdir} -p $RPM_BUILD_ROOT%{_localstatedir}/adm/fillup-templates
+ echo "%{_localstatedir}/adm/fillup-templates/sysconfig.shibd" >> rpm.filelist
+ SYSCONFIG_SHIBD="$RPM_BUILD_ROOT%{_localstatedir}/adm/fillup-templates/sysconfig.shibd"
+%endif
+if [ "$SYSCONFIG_SHIBD" != "no" ] ; then
+ # Populate the sysconfig file.
+ cat > $SYSCONFIG_SHIBD <= 6 || 0%{?centos_version} >= 600
+ cat >> $SYSCONFIG_SHIBD </dev/null || :
+else
+ sh ./keygen.sh -b -u %{runuser} -g %{runuser}
+fi
+
+# Fix ownership of log files (even on new installs, if they're left from an older one).
+%{__chown} %{runuser}:%{runuser} %{_localstatedir}/log/%{name}/* 2>/dev/null || :
 %if "%{_vendor}" == "redhat"
 if [ "$1" -gt "1" ] ; then
@@ -184,7 +214,10 @@ sh ./keygen.sh -b -u %{runuser} -g %{runuser}
 # This adds the proper /etc/rc*.d links for the script
 /sbin/chkconfig --add shibd
+ # On upgrade, restart components if they're already running.
+ # This gets repeated now down in %postun, and the next release
+ # should remove this copy. If we yank it now, we'll break upgrades.
 if [ "$1" -gt "1" ] ; then
 /etc/init.d/shibd status 1>/dev/null && /etc/init.d/shibd restart 1>/dev/null
 %{!?_without_builtinapache:/etc/init.d/httpd status 1>/dev/null && /etc/init.d/httpd restart 1>/dev/null}
@@ -193,13 +226,16 @@ sh ./keygen.sh -b -u %{runuser} -g %{runuser}
 %endif
 %if "%{_vendor}" == "suse"
 # This adds the proper /etc/rc*.d links for the script
+ # and populates the sysconfig/shibd file.
 cd /
+ %{fillup_only -n shibd}
 %insserv_force_if_yast shibd
 %endif
 %preun
+# On final removal, stop shibd and remove service, restart Apache if running.
 %if "%{_vendor}" == "redhat"
- if [ "$1" = 0 ] ; then
+ if [ "$1" -eq 0 ] ; then
 /sbin/service shibd stop >/dev/null 2>&1
 /sbin/chkconfig --del shibd
 %{!?_without_builtinapache:/etc/init.d/httpd status 1>/dev/null && /etc/init.d/httpd restart 1>/dev/null}
@@ -207,7 +243,7 @@ sh ./keygen.sh -b -u %{runuser} -g %{runuser}
 %endif
 %if "%{_vendor}" == "suse"
 %stop_on_removal shibd
- if [ "$1" = 0 ] ; then
+ if [ "$1" -eq 0 ] ; then
 %{!?_without_builtinapache:/etc/init.d/apache2 status 1>/dev/null && /etc/init.d/apache2 restart 1>/dev/null}
 fi
 %endif
@@ -217,11 +253,19 @@ exit 0
 %ifnos solaris2.8 solaris2.9 solaris2.10
 /sbin/ldconfig
 %endif
+%if "%{_vendor}" == "redhat"
+ # On upgrade, restart components if they're already running.
+ if [ "$1" -ge "1" ] ; then
+ /etc/init.d/shibd status 1>/dev/null && /etc/init.d/shibd restart 1>/dev/null
+ %{!?_without_builtinapache:/etc/init.d/httpd status 1>/dev/null && /etc/init.d/httpd restart 1>/dev/null}
+ exit 0
+ fi
+%endif
 %if "%{_vendor}" == "suse"
-cd /
-%restart_on_update shibd
-%{!?_without_builtinapache:%restart_on_update apache2}
-%{insserv_cleanup}
+ cd /
+ %restart_on_update shibd
+ %{!?_without_builtinapache:%restart_on_update apache2}
+ %{insserv_cleanup}
 %endif
 %posttrans
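Review bot: `/etc/init.d/shibd status 1>/dev/null && /etc/init.d/shibd restart 1>/dev/null` in the new %postun block invokes the init script directly, while the %preun hunk above uses `/sbin/service shibd stop`; on Red Hat, `service` runs the script with a minimal environment instead of the rpm scriptlet's, and the status-then-restart pair is exactly what the `condrestart|try-restart` target added to shibd-redhat.in in this patch does in one step. `/sbin/service shibd condrestart >/dev/null 2>&1` would make the %post, %preun and %postun scriptlets consistent with each other and with the new init script. The `exit 0` inside the `if` also skips the rest of %postun; nothing below it applies to redhat, so it is harmless, but a one-line comment saying the early exit is deliberate would stop someone adding vendor-neutral cleanup after it.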
@@ -279,11 +323,13 @@ fi
 %doc %{pkgdocdir}/api
 %changelog
-* Tue Aug 9 2011 Scott Cantor - 2.5-1
+* Wed Aug 24 2011 Scott Cantor - 2.5-1
 - Move logo and stylesheet to version-independent tree
 - Make shib.conf noreplace
 - Post-fixup of Alias commands in older shib.conf
-- Run shibd as non-root
+- Changes to run shibd as non-root shibboleth user
+- Move init customizations to /etc/sysconfig/shibd
+- Copy shibd restart for Red Hat to postun
 * Sun Jun 26 2011 Scott Cantor - 2.4.3-1
 - Log files shouldn't be world readable.
-- 
2.1.4