summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* Use mutivalued "cred_store" parameter, deprecate unused parameters.Günther Deschner2013-04-232-27/+36
| | | | | | | | | | | | | | | | The krb5_{ccache,keytab,client_keytab} parameters are replaced with a multivalued "cred_store" parameter instead. krb5_keytab = /etc/krb5.keytab becomes: cred_store = keytab:/etc/krb5.keytab Likewise for the "krb5_ccache" and "krb5_client_keytab" parameters. Signed-off-by: Günther Deschner <gdeschner@redhat.com> Signed-off-by: Simo Sorce <simo@redhat.com>
* Add gp_config_get_string_array() and an implementation in dinglibs backend.Günther Deschner2013-04-234-0/+104
| | | | | | | | | | | | | This call returns an allocated array of strings. It allows to return multiple values for a single parameter like: param = value1 param = value2 This cannot be supported with iniparser, so we have to remove iniparser support. Signed-off-by: Günther Deschner <gdeschner@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Fix potential double-frees in load_services().Günther Deschner2013-04-231-6/+5
| | | | | Signed-off-by: Günther Deschner <gdeschner@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Add --all option to interposetestGünther Deschner2013-04-231-1/+14
| | | | | | | test all possible proxy mode combinations only when --all is given. Signed-off-by: Günther Deschner <gdeschner@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* When checking for gssrpc libs also add gssapi library paths.Günther Deschner2013-04-111-1/+1
| | | | | Signed-off-by: Günther Deschner <gdeschner@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Silence a configure warning by adding AM_PROG_AR.Günther Deschner2013-04-111-0/+1
| | | | | Signed-off-by: Günther Deschner <gdeschner@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Fix memory leak in gp_service_free().Günther Deschner2013-04-111-0/+1
| | | | | Signed-off-by: Günther Deschner <gdeschner@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Special case client_keytab for root userSimo Sorce2013-04-101-2/+7
| | | | | | | | Use /etc/krb5.keytab when nfsd service tries to acquire creds and no id is specified in desired_name. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Günther Deschner <gdeschner@redhat.com>
* Use new GSSAPI Credential Store APISimo Sorce2013-04-102-50/+38
| | | | | | | | | | This is the only thread safe way to pass in aribitrary values for all the bits of environment we want to use when doing impersonation within gss-proxy. Requires MIT version 1.12 for the client_keytab part to be operational. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Günther Deschner <gdeschner@redhat.com>
* Add generic function to get creds defaultsSimo Sorce2013-04-103-25/+66
| | | | | Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Günther Deschner <gdeschner@redhat.com>
* Move string formatting in a separate functionSimo Sorce2013-04-101-57/+66
| | | | | | | This way it can be reused for keytab path names too Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Günther Deschner <gdeschner@redhat.com>
* Carefully process desired name based on serviceSimo Sorce2013-04-103-39/+36
| | | | | | | | | | | | In case the name type is GSS_C_NT_STRING_UID_NAME or GSS_NT_MACHINE_UID_NAME we want to be able to impersonate the user referenced by the uid. This is allowed exclusively for trusted services otherwise a generic unprivileged application would be allowed to impersonate any user if there are credentials available on the system or client keytabs installed. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Günther Deschner <gdeschner@redhat.com>
* Add krb5_client_keytab config optionSimo Sorce2013-04-102-0/+9
| | | | | Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Günther Deschner <gdeschner@redhat.com>
* Import names as remote name by default.Simo Sorce2013-04-101-14/+21
| | | | | | | | | | | Always use remote name by default, otherwise canonicalization will loose information about the original name, for example it will convert names of the special type GSS_C_NT_STRING_UID_NAME or GSS_NT_MACHINE_UID_NAME in a non reversible way and the proxy will not be a le to use them as intended (for impersonation by trusted services). Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Günther Deschner <gdeschner@redhat.com>
* Replace deprecated libtool macrosSimo Sorce2013-04-101-2/+1
| | | | | Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Günther Deschner <gdeschner@redhat.com>
* Release 0.1.1Simo Sorce2013-04-081-1/+1
|
* Prefer ini_config library support over iniparser support.Günther Deschner2013-04-085-15/+20
| | | | | | | Abort if none of these libraries are found. Signed-off-by: Günther Deschner <gdeschner@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Add dinglibs ini configuration detection and backend.Günther Deschner2013-04-085-0/+302
| | | | | Signed-off-by: Günther Deschner <gdeschner@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Abstract configuration layer for gssproxy.Günther Deschner2013-04-086-58/+326
| | | | | Signed-off-by: Günther Deschner <gdeschner@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Add missing newlines to GPDEBUG statements.Günther Deschner2013-04-081-7/+7
| | | | | Signed-off-by: Günther Deschner <gdeschner@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Fix tabs in configure.acSimo Sorce2013-04-081-6/+6
| | | | Signed-off-by: Simo Sorce <simo@redhat.com>
* Remove unused variablesSimo Sorce2013-04-032-4/+0
| | | | Signed-off-by: Simo Sorce <simo@redhat.com>
* Fix use of unintialized variableSimo Sorce2013-04-031-1/+1
| | | | | | Found by Coverity Signed-off-by: Simo Sorce <simo@redhat.com>
* Fix a few more resource leaksSimo Sorce2013-04-032-2/+3
| | | | | | Still a couple resource leaks after the last Coverity scan Signed-off-by: Simo Sorce <simo@redhat.com>
* Use send() in client library to avoid SIGPIPESimo Sorce2013-04-031-2/+2
| | | | | | | | | | | The client library lives in applications that may not be blocking or ignoring SIGPIPE. Using write() can cause SIGPIPE to be raised in the application if the proxy is restarted. If the application does not catch the signal then it is terminated. Make sure this does not happen by using send() with the MSG_NOSIGNAL flag. Signed-off-by: Simo Sorce <simo@redhat.com>
* Fix dereference after null checks found by CoveritySimo Sorce2013-04-034-6/+13
| | | | Signed-off-by: Simo Sorce <simo@redhat.com>
* Fix missing break statement found by CoveritySimo Sorce2013-04-031-0/+2
| | | | Signed-off-by: Simo Sorce <simo@redhat.com>
* Fix infinite loop due to bad sign of variableSimo Sorce2013-04-031-1/+1
| | | | | | | | | | | Change the i variable to be a signed integer ot the loop will never end because and unsigned integer decremented past 0 simply wraps to a very big integer. The condition that would break the loop can never be true therefore the code would loop forever until eventually a double free would cause a crash. Found by Coverity. Signed-off-by: Simo Sorce <simo@redhat.com>
* Fix resource leaks found by CoveritySimo Sorce2013-04-0312-37/+61
| | | | Signed-off-by: Simo Sorce <simo@redhat.com>
* Fix reporting of wrong error codesSimo Sorce2013-04-032-0/+6
| | | | | | Found by Coverity as 'Argument cannot be negative' type of error. Signed-off-by: Simo Sorce <simo@redhat.com>
* Fix dereference before null error fund by CoveritySimo Sorce2013-04-031-1/+3
| | | | Signed-off-by: Simo Sorce <simo@redhat.com>
* Fix uninizialized variables found by CoveritySimo Sorce2013-04-035-16/+15
| | | | Signed-off-by: Simo Sorce <simo@redhat.com>
* Fix locally dead code error found by coveritySimo Sorce2013-04-031-4/+3
| | | | | | | By setting closewait to 0 after waitpid we would loop forever not the max 10 times we intended to. Signed-off-by: Simo Sorce <simo@redhat.com>
* Fix copy and paste error found by CoveritySimo Sorce2013-04-031-2/+2
| | | | Signed-off-by: Simo Sorce <simo@redhat.com>
* Fix unchecked return values found by CoveritySimo Sorce2013-04-033-4/+24
| | | | Signed-off-by: Simo Sorce <simo@redhat.com>
* Set version to 0.1Simo Sorce2013-04-011-1/+1
|
* Add client side support to set allowed enctypesSimo Sorce2013-03-271-1/+92
| | | | | | | | | When using remote credentials, intercept set_cred_option calls and register an option into the existing set of crdentials with the request to set allowed entypes at the first use of said crdentials. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Günther Deschner <gdeschner@redhat.com>
* Add extension to set allowable enctypesSimo Sorce2013-03-271-0/+39
| | | | | | | | | | | | | | | The krb5 mechanism has a non standard extention to allow setting a list of allowed enctypes to use with a particular set of crdentials. This patch adds an extension, registerd by a client as a gssx_cred's option, so that at the first use of this crdentials the proxy can try to set the requsted options. For now failure to set the option is only logged in debug mode and the operation to import credentials does not fail if the allowed enctypes cannot be set. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Günther Deschner <gdeschner@redhat.com>
* Add helper function to check for krb5 oidSimo Sorce2013-03-272-0/+15
| | | | | | | | | | The krb5 mechanism supports multiple oids for historical reasons. Add a function to generically check if a mech oid is any of the krb5 mechanism known oids for functions that do not care which exact oid is being used of the krb5 family. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Günther Deschner <gdeschner@redhat.com>
* Improve ccache formatting.Simo Sorce2013-03-272-14/+42
| | | | | | | | | | Add %U support which will insert the user uid number instead of name. Fix %% support by actually removing one of the % charcters Fix %<invalid> sequence by actually bailing out if one is found. Add GPDEBUG statements to indicate what went wrong. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Günther Deschner <gdeschner@redhat.com>
* Test all possible proxy mode combinations.Günther Deschner2013-03-271-3/+16
| | | | | Signed-off-by: Günther Deschner <gdeschner@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Make it easier to test gssproxy behavior settings.Günther Deschner2013-03-271-40/+95
| | | | | | | | | Adds options to set a sepcific proxy behavior for both the client and the server subprocesses by setting the GSSPROXY_BEHAVIOR environment variable after forking. Signed-off-by: Günther Deschner <gdeschner@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Fix write_pid debug messageSimo Sorce2013-03-271-1/+1
| | | | | Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Günther Deschner <gdeschner@redhat.com>
* Use token wrapper in gpp_remote_lo_local_ctxSimo Sorce2013-03-221-4/+39
| | | | | We need to do the wrapping in order to get back an actual local context. Otherwise we get back an interposed context from gssapi.
* Create helper function to wrap tokenSimo Sorce2013-03-223-20/+34
| | | | Wrap the token in a helper function so that the code can be reused elsewhere.
* Packaging fixesAndreas Schneider2013-03-221-10/+8
| | | | | Signed-off-by: Günther Deschner <gdeschner@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Fix systemd config file for gssproxy.Günther Deschner2013-03-221-1/+1
| | | | Reviewed-by: Simo Sorce <simo@redhat.com>
* Add systemd packaging to gssproxy spec file.Günther Deschner2013-03-221-9/+22
| | | | Reviewed-by: Simo Sorce <simo@redhat.com>
* Add various fixes to gssproxy.spec.Günther Deschner2013-03-221-80/+35
| | | | Reviewed-by: Simo Sorce <simo@redhat.com>
* Write pid file at startup.Simo Sorce2013-03-226-18/+55
|
generated by cgit (git 2.34.1) at 2024-05-17 09:02:41 +0000