summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* docs: Fill in GSSPROXY_BEHAVIOR default setting from configure option.master-fixes3Günther Deschner2013-10-172-4/+12
| | | | Signed-off-by: Günther Deschner <gdeschner@redhat.com>
* docs: autogenerate proxymech manpage.Günther Deschner2013-10-172-1/+2
| | | | Signed-off-by: Günther Deschner <gdeschner@redhat.com>
* setup KRB5RCACHEDIR so that krb5 replay caches are created in a defined place.Günther Deschner2013-10-162-0/+2
| | | | | resolves: https://fedorahosted.org/gss-proxy/ticket/100 Signed-off-by: Günther Deschner <gdeschner@redhat.com>
* Fix resource leak in gpm_accept_sec_context().Günther Deschner2013-10-151-8/+8
| | | | | | | Resolves Coverity CID #12027. Signed-off-by: Günther Deschner <gdeschner@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Use right signedness for creds buffer.Günther Deschner2013-08-281-2/+2
| | | | | | | gp_export_creds_*() functions are using a arrays of int32_t values, however this array holds uids and gids which are unsigned integers. Signed-off-by: Günther Deschner <gdeschner@redhat.com>
* Fix selinux option checkSimo Sorce2013-08-261-1/+1
| | | | | | Found by coverity (CID 11894) Reviewed-by: Günther Deschner <gdeschner@redhat.com>
* Add service match using SeLinux ContextSimo Sorce2013-07-027-13/+160
| | | | | | | | | | | | Using getpeercon we can know the elinux context of the process talking to gssproxy. Use this information as an optional additional filter to match processes to service definitions. If a selinux_context option with a full user;role;type context is specified into a service section, then the connecting process must also be running under the specified selinux context in order to be allowed to connect. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Günther Deschner <gdeschner@redhat.com>
* Coverity fixes.Simo Sorce2013-06-273-10/+10
| | | | | | | | | | | Fix a 4 coverity issues, ranging from memory leaks, to uninitialized variables, to potential NULL derefernce. Also a TOCTOU report that is in one of the accessory test scripts. The bug itself is not reallya TOCTOU, but the check done in the script is unecessary, so I just removed it. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Günther Deschner <gdeschner@redhat.com>
* Further improve debugging, mention servicename, socket and euid.Günther Deschner2013-06-241-1/+4
| | | | | Signed-off-by: Günther Deschner <gdeschner@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Properly check socket for connection matching.Simo Sorce2013-06-211-3/+8
| | | | | | | | | We always need to chekc if the socket matches otherwise the worng service may be selected if a specific socket is being used but a service allowing the same euid is confgured to use the deault socket as well. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Günther Deschner <gdeschner@redhat.com>
* Split nfs server and client servicesSimo Sorce2013-06-211-3/+8
| | | | | | | | | | | | | | The NFS server uses a special socket for the kernel communication. Split configuration in 2 distinct services so we can use specific options that may be different between server and client. The 3 main differences so far are: 1. socket: default for client, custom for server 2. kernel_nfd option only for server 3. ccache and client keytab options only for client Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Günther Deschner <gdeschner@redhat.com>
* Bump version for 0.2.3 release.Günther Deschner2013-06-061-1/+1
| | | | Signed-off-by: Günther Deschner <gdeschner@redhat.com>
* Fix nfsd socketSimo Sorce2013-06-061-0/+1
| | | | | | | | | | | The Kernel expect the knfsd socket in a specific plce that is not where our standard socket is created. Add a knfsd specific socket in the default configuration. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Günther Deschner <gdeschner@redhat.com> Resolves: https://fedorahosted.org/gss-proxy/ticket/93
* Add Requires: libini_config >= 1.0.0.1 to the rpm spec file.Günther Deschner2013-06-061-0/+2
| | | | | | | | | | Otherwise we would allow to be installed with an outdated and non-working libiniconfig version. Signed-off-by: Günther Deschner <gdeschner@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> Resolves: https://fedorahosted.org/gss-proxy/ticket/92
* Use verbose ding-libs error reporting when config parsing failed.Günther Deschner2013-06-051-1/+9
| | | | | Signed-off-by: Günther Deschner <gdeschner@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Require libverto-tevent to make sure libverto initialization succeedsGünther Deschner2013-06-031-0/+1
| | | | | Signed-off-by: Günther Deschner <gdeschner@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* gssproxy: report an error message on event loop failure.Günther Deschner2013-06-031-0/+2
| | | | | Signed-off-by: Günther Deschner <gdeschner@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* systemd: add require for the nfs kernel modules.Günther Deschner2013-06-031-0/+1
| | | | | | | | This assures the right startup and checking order for gssproxy and kernel nfs gssproxy client interface. Signed-off-by: Günther Deschner <gdeschner@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* systemd: Make sure we start before nfs-secure services.Günther Deschner2013-05-291-0/+1
| | | | | | | They might want to use gssproxy so we need to run in advance. Signed-off-by: Günther Deschner <gdeschner@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Add "make test_proxymech" to provided specfile.Günther Deschner2013-05-221-0/+1
| | | | | Signed-off-by: Günther Deschner <gdeschner@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Fix realloc size in gp_get_cred_environment().Günther Deschner2013-05-221-2/+3
| | | | | | | | This fixes a segfault when no client_keytab is passed in via cred_store api. See https://fedorahosted.org/gss-proxy/ticket/85 for details. Signed-off-by: Günther Deschner <gdeschner@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Make sure dlopen.sh is part of the tarballGünther Deschner2013-05-221-1/+1
| | | | Signed-off-by: Günther Deschner <gdeschner@redhat.com>
* Bump version for 0.2.2 release.Günther Deschner2013-05-221-1/+1
| | | | Signed-off-by: Günther Deschner <gdeschner@redhat.com>
* Fix documentation of "mechs" parameter in gssproxy.conf(5).Günther Deschner2013-05-161-3/+3
| | | | | Signed-off-by: Günther Deschner <gdeschner@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Overwrite existing GSS_USE_PROXY variable in the server.Günther Deschner2013-05-161-1/+1
| | | | | | | This is required to make sure we never recurse into ourselves. Signed-off-by: Günther Deschner <gdeschner@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Fix socket error handling.Simo Sorce2013-05-161-44/+30
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | 1. Grab the socket lock for the whole conversation. We need to keep the lock until the whole conversation is over. Otherwise we may have concurrency issues where communication gets intermixed and errors in one thread can cause a thread to hang. Here is what we observed: thread 1: grabs lock and send a request. thread 2: grabs lock and sends a request server: thread 2 request causes a fatal error and the server close the connection thread 2: grabs the lock and waits for a reply. thread 2: gets the error and returns to caller with it (connection is closed). thread 1: grabs the lock (which reopens the closed channel) and reads ... ... forever as the server has already killed all the previous state. 2. Fail immediately on short reads for the initial 4 byte length header. If the first 4 bytes do not come at once don't bother retrying. In 99.9% of the cases what we are witnessing here is a fatal error from the proxy that closed the socket. Reopening the scket cannot accomplish anything as the request sent down the channel is tied to the specific socket, so once the socket is closed there is no hope to ever get back a reply. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Günther Deschner <gdeschner@redhat.com>
* Fix secondary socket detection at runtime.Simo Sorce2013-05-161-1/+1
| | | | | | | | We were failing to find the right service as the test was reversed. It works with the default socket as it is not stored per service. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Günther Deschner <gdeschner@redhat.com>
* Disable gss_export_name_composite() for now.Günther Deschner2013-05-162-3/+6
| | | | | | | | | | We first need to fix our tests and implementation. Temporary workaround for: https://fedorahosted.org/gss-proxy/ticket/81 Signed-off-by: Günther Deschner <gdeschner@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Neutralize gssi_export_name.Simo Sorce2013-05-161-22/+2
| | | | | | | | We do not want to generate an exported name buffer. Let's the mechglue code in MIT generate it for use from the display name. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Günther Deschner <gdeschner@redhat.com>
* Add dlopen script to check for unresolved symbols.Günther Deschner2013-05-152-0/+82
| | | | | | | | Vendors can call "make test_proxymech" from their specfile to make sure proxymech.so can be properly loaded by the GSSAPI. Signed-off-by: Günther Deschner <gdeschner@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Fix two memleaks in the configuration code.Günther Deschner2013-05-151-1/+2
| | | | | Signed-off-by: Günther Deschner <gdeschner@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Don't forget to free gp_ini_context struct in load_config().Günther Deschner2013-05-151-0/+1
| | | | | Signed-off-by: Günther Deschner <gdeschner@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Use counter when freeing cred_store configuration.Günther Deschner2013-05-151-4/+11
| | | | | Signed-off-by: Günther Deschner <gdeschner@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Fix typo in gssi_import_name_by_mech().Günther Deschner2013-05-151-2/+2
| | | | | Signed-off-by: Günther Deschner <gdeschner@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Fix reallocation in gp_dinglibs_get_string_array().Günther Deschner2013-05-151-1/+1
| | | | | Signed-off-by: Günther Deschner <gdeschner@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Fix unresolved symbol gp_boolean_is_true() in mechglue plugin.Günther Deschner2013-05-152-3/+3
| | | | | | | | At the same time, rename gp_common.c to gp_util.c to make it more visible there is no relation to gp_common.h. Signed-off-by: Günther Deschner <gdeschner@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Make error message in read_config() more precise, we fail in that case.Günther Deschner2013-05-151-1/+1
| | | | | Signed-off-by: Günther Deschner <gdeschner@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Add --with-gpp-default-behavior configure switch.Günther Deschner2013-05-153-5/+32
| | | | | | | | Only LOCAL_ONLY,LOCAL_FIRST and REMOTE_FIRST allowed. REMOTE_ONLY is recognized but configure aborts as long as it is not supported. Signed-off-by: Günther Deschner <gdeschner@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Bump version for 0.2.1 release.Günther Deschner2013-05-071-1/+1
| | | | Signed-off-by: Günther Deschner <gdeschner@redhat.com>
* Add --with-gpstate-path=PATH configure switch.Günther Deschner2013-05-064-4/+22
| | | | | Signed-off-by: Günther Deschner <gdeschner@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Make sure non-root users can access gpstatedir.Günther Deschner2013-04-261-1/+1
| | | | | Signed-off-by: Günther Deschner <gdeschner@redhat.com> Signed-off-by: Simo Sorce <simo@redhat.com>
* Use gp_boolean_is_true from interposer plugin's GSS_USE_PROXY check.Günther Deschner2013-04-261-1/+2
| | | | | Signed-off-by: Günther Deschner <gdeschner@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Make gp_boolean_is_true non-static.Günther Deschner2013-04-263-12/+13
| | | | | Signed-off-by: Günther Deschner <gdeschner@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Rename option_is_set to gp_boolean_is_true.Günther Deschner2013-04-261-4/+4
| | | | | Signed-off-by: Günther Deschner <gdeschner@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Bump version for 0.2.0 releasemaster-docsSimo Sorce2013-04-231-1/+1
| | | | Signed-off-by: Simo Sorce <simo@redhat.com>
* Add gssproxy-mech.8 manpage to spec fileSimo Sorce2013-04-231-0/+1
| | | | Signed-off-by: Simo Sorce <simo@redhat.com>
* Require nothing less than MIT krb5 1.11.2Simo Sorce2013-04-231-2/+2
| | | | | | | | | | | Actually one feature requires the upstream master branch to be fully functional. In fedora this patch [1] has been backported to 1.11.2 to have the full functionality available. Once upstream will release 1.12 that will become the minimum reuirement. [1] https://github.com/krb5/krb5/commit/38cc076579888695a5820ceb44fe43020f5b61e1 Signed-off-by: Simo Sorce <simo@redhat.com>
* Fix typo in gssproxy.8 manpageSimo Sorce2013-04-231-1/+1
| | | | | Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Günther Deschner <gdeschner@redhat.com>
* Add new gssproxy-mech.8 manpage to describe the interposer pluginGünther Deschner2013-04-234-4/+150
| | | | | Signed-off-by: Günther Deschner <gdeschner@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Add more documentation in the gssproxy.conf manpage.Günther Deschner2013-04-231-0/+176
| | | | | | | Document options, sections, substitutions and default values. Signed-off-by: Günther Deschner <gdeschner@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
generated by cgit (git 2.34.1) at 2024-05-03 17:53:07 +0000