authorSimo Sorce <simo@redhat.com>2013-10-14 16:41:13 -0400
committerGünther Deschner <gdeschner@redhat.com>2013-10-18 15:46:24 +0200
commit3f587569f2fdd9ec4db05748c5ed5ebbfc1ab5c9 (patch)
treec0d10556b81aa7b585138c1a4641643fafdda220 /proxy/src/gp_proxy.h
parenta324853818fd75d7ec11c68de9d499f37228b26a (diff)
Add option to specify allowed usage.
Credentials can often be used both to accept and to initiate contexts. With this option admins can allow a specific usage only. This is to avoid allowing an unprivileged process to fool a remote client by allowing it to impersonate a server, when we only want to allow this service to use credentials to initiate contexts. Reviewed-by: Günther Deschner <gdeschner@redhat.com>
Diffstat (limited to 'proxy/src/gp_proxy.h')
-rw-r--r--proxy/src/gp_proxy.h1
1 files changed, 1 insertions, 0 deletions
diff --git a/proxy/src/gp_proxy.h b/proxy/src/gp_proxy.h
index a5b3a28..5f42ffa 100644
--- a/proxy/src/gp_proxy.h
+++ b/proxy/src/gp_proxy.h
@@ -55,6 +55,7 @@ struct gp_service {
bool kernel_nfsd;
char *socket;
SELINUX_CTX selinux_ctx;
+ gss_cred_usage_t cred_usage;
uint32_t mechs;
struct gp_cred_krb5 krb5;
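Review bot: The new `cred_usage` member on the `+` line has no comment saying which values it takes or what an unset value means. In the GSS-API C bindings `GSS_C_BOTH` is 0, so if `struct gp_service` is zero-allocated (not visible here), a service configured without the option would still permit both initiate and accept, which is the case the commit message wants admins to be able to restrict. I would document that on the field, e.g. `/* allowed usage: GSS_C_INITIATE, GSS_C_ACCEPT or GSS_C_BOTH (0, the permissive default) */`, and confirm that the config parser rejects unrecognised values instead of leaving the field at 0. The struct definition starts and ends outside this hunk, and the code that enforces the setting is in files this page does not show.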