diff --git a/targetd-require-password.patch b/targetd-require-password.patch
new file mode 100644
index 0000000..1c28ff8
--- /dev/null
+++ b/targetd-require-password.patch
@@ -0,0 +1,32 @@
+commit dcd48f3252d1accec2f11571968b4ce0a01be23f
+Author: Andy Grover
+Date: Tue Apr 16 12:08:47 2013 -0700
+
+ Fail if password not set in config file
+
+ Signed-off-by: Andy Grover
+
+diff --git a/targetd b/targetd
+index 9e85e16..632714a 100755
+--- a/targetd
++++ b/targetd
+@@ -43,7 +43,7 @@ config_path = "/etc/target/targetd.yaml"
+ default_config = dict(
+ pool_name = "vg-targetd",
+ user = "admin",
+- password = "targetd",
++ # security: no default password
+ target_name = "iqn.2003-01.org.linux-iscsi.%s:targetd" % socket.gethostname(),
+ ssl = False,
+ ssl_cert = "/etc/target/targetd_cert.pem",
+@@ -64,6 +64,10 @@ if os.getuid() != 0:
+ print "targetd must run as root."
+ sys.exit(-1)
+
++if 'password' not in config:
++ print "password not set in %s, aborting" % config_path
++ sys.exit(-1)
++
+ # fail early if can't access vg
+ test_vg = lvm.vgOpen(config['pool_name'], "w")
+ test_vg.close()
diff --git a/targetd-use-std-ssl.patch b/targetd-use-std-ssl.patch
new file mode 100644
index 0000000..b3e0596
--- /dev/null
+++ b/targetd-use-std-ssl.patch
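Review bot: In targetd-require-password.patch, the guard added in the `@@ -64,6 +64,10 @@` hunk, `if 'password' not in config:`, tests only for the key. A YAML file with `password:` left empty or set to `""` would therefore still start the daemon with a blank credential. Testing the value instead, `if not config.get('password'):`, rejects the missing, null and empty cases together. How `config` is built from `default_config` and the YAML file lies outside the hunk, so confirm it is a plain dict at this point. A short comment such as `# refuse to start without an explicit, non-empty password` above the check would record the intent.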
@@ -0,0 +1,54 @@
+diff --git a/targetd b/targetd
+index 6e51941..9e85e16 100755
+--- a/targetd
++++ b/targetd
+@@ -34,7 +34,7 @@ import yaml
+ import time
+ from targetcli import UIRoot
+ from configshell import ConfigShell
+-import tlslite
++import ssl
+
+ setproctitle.setproctitle("targetd")
+
+@@ -400,31 +400,17 @@ class TargetHandler(BaseHTTPRequestHandler):
+ class ThreadedHTTPServer(ThreadingMixIn, HTTPServer, object):
+ """Handle requests in a separate thread."""
+
+-class TLSThreadedHTTPServer(tlslite.TLSSocketServerMixIn, ThreadedHTTPServer):
++class TLSThreadedHTTPServer(ThreadedHTTPServer):
+ """Also use TLS to encrypt the connection"""
+
+- def __init__(self, *args, **kwargs):
+- super(TLSThreadedHTTPServer, self).__init__(*args, **kwargs)
+- s = open(config['ssl_cert']).read()
+- x509 = tlslite.X509()
+- x509.parse(s)
+- self.certChain = tlslite.X509CertChain([x509])
+-
+- s = open(config['ssl_key']).read()
+- self.privateKey = tlslite.parsePEMKey(s, private=True)
+-
+- self.sessionCache = tlslite.SessionCache()
+-
+- def handshake(self, tlsConnection):
+- try:
+- tlsConnection.handshakeServer(certChain=self.certChain,
+- privateKey=self.privateKey,
+- sessionCache=self.sessionCache)
+- tlsConnection.ignoreAbruptClose = True
+- return True
+- except tlslite.TLSError, error:
+- print "Handshake failure:", str(error)
+- return False
++ def finish_request(self, sock, addr):
++ sockssl = ssl.wrap_socket(
++ sock, server_side=True,
++ keyfile=config["ssl_key"],
++ certfile=config["ssl_cert"],
++ ciphers="HIGH:-aNULL:-eNULL:-PSK",
++ suppress_ragged_eofs=True)
++ return self.RequestHandlerClass(sockssl, addr, self)
+
+
+ if config['ssl']:
diff --git a/targetd.spec b/targetd.spec
index 484fb1f..6db469a 100644
--- a/targetd.spec
+++ b/targetd.spec
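Review bot: The `ssl.wrap_socket(...)` call in the new `finish_request` restricts the cipher list but passes no `ssl_version`, so the accepted protocol range is whatever the interpreter and OpenSSL build default to. On Python 2 builds of this period that may still include SSLv3, so the floor should be stated explicitly. Where the interpreter provides `ssl.SSLContext`, one context built at startup with `ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3` set and used via `context.wrap_socket(sock, server_side=True)` would do this. The removed `__init__` read the certificate and key once at construction, whereas the new code hands the paths to every connection. A missing or unreadable key is therefore only discovered on the first client connect, and a startup check would restore the early failure. The `if config['ssl']:` block that instantiates the server continues outside the hunk.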
@@ -3,11 +3,13 @@ License: GPLv3 Group: System Environment/Libraries Summary: Service to make storage remotely configurable Version: 0.3.1 -Release: 2%{?dist} +Release: 3%{?dist} URL: https://github.com/agrover/targetd Source: https://github.com/downloads/agrover/%{name}/%{name}-%{version}.tar.gz Source1: targetd.service Source2: targetd.yaml +Patch0: targetd-use-std-ssl.patch +Patch1: targetd-require-password.patch BuildArch: noarch Requires: targetcli PyYAML python-setproctitle python-tlslite Requires: python-lvm >= 1.9 @@ -24,6 +26,8 @@ those volumes over iSCSI. %prep %setup -q +%patch0 -p1 +%patch1 -p1 %build gzip --stdout targetd.8 > targetd.8.gz @@ -66,6 +70,11 @@ fi %config(noreplace) %{_sysconfdir}/target/targetd.yaml %changelog +* Mon Apr 15 2013 Andy Grover - 0.3.1-3 +- Add patch + * use-std-ssl.patch + * require-password.patch + * Fri Feb 15 2013 Fedora Release Engineering - 0.3.1-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
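Review bot: The `Requires:` line in the first targetd.spec hunk still lists `python-tlslite`, although Patch0 (targetd-use-std-ssl.patch) replaces `import tlslite` with the standard `ssl` module. If nothing else in the package imports tlslite, the line can become `Requires: targetcli PyYAML python-setproctitle`, so the daemon no longer pulls in a TLS library it does not use. A one-line comment above each `PatchN:` entry saying why the patch is carried (for example `# refuse to start without a configured password`) would help the next packager decide when it can be dropped.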