sssd.git/src/p11_child, branch certificate_mapping Unnamed repository; edit this file to name it for gitweb. Rename dp_backend.h to backend.h 2016-06-20T12:48:46+00:00 Pavel Březina pbrezina@redhat.com 2016-01-20T12:07:23+00:00 cc2d77d5218c188119fa954c856e858cbde76947 Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
p11: add OCSP default responder options 2016-06-09T09:58:17+00:00 Sumit Bose sbose@redhat.com 2016-04-12T16:14:08+00:00 53ef8f81b60929a6c866efdd133627e7d7d61705 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
p11: add no_verification option 2016-06-09T09:58:12+00:00 Sumit Bose sbose@redhat.com 2016-03-24T19:42:12+00:00 aa35995ef056aa8ae052a47c62c6750b7adf065e Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
DEBUG: Add missing new lines 2015-12-14T09:10:16+00:00 Lukas Slebodnik lslebodn@redhat.com 2015-12-11T11:12:03+00:00 de1131abe5ba7aaeb59f81fc3a9cd2a71c0b52dd Reviewed-by: Petr Cech <pcech@redhat.com> 
Reviewed-by: Petr Cech <pcech@redhat.com>
p11: enable ocsp checks 2015-11-26T15:39:49+00:00 Sumit Bose sbose@redhat.com 2015-11-05T17:20:27+00:00 544a20de7667f05c1a406c4dea0706b0ab507430 This patch enables the Online Certificate Status Protocol in NSS and adds an option to disable it if needed. To make further tuning of certificate verification more easy it is not an option on its own but an option to the new certificate_verification configuration option. Resolves https://fedorahosted.org/sssd/ticket/2812 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
This patch enables the Online Certificate Status Protocol in NSS and
adds an option to disable it if needed. To make further tuning of
certificate verification more easy it is not an option on its own but an
option to the new certificate_verification configuration option.

Resolves https://fedorahosted.org/sssd/ticket/2812

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
p11: check if cert is valid before selecting it 2015-11-26T15:34:32+00:00 Sumit Bose sbose@redhat.com 2015-11-05T16:43:52+00:00 d0de7701d44c7a75210a9cb04634913ce3a94bfb Currently the first certificate was selected and if it was not valid p11_child just returned an error. With this patch the validity is checked first and the first valid certificate is selected. Resolves https://fedorahosted.org/sssd/ticket/2801 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Currently the first certificate was selected and if it was not valid
p11_child just returned an error. With this patch the validity is
checked first and the first valid certificate is selected.

Resolves https://fedorahosted.org/sssd/ticket/2801

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
p11: allow p11_child to run completely unprivileged 2015-11-20T13:56:34+00:00 Sumit Bose sbose@redhat.com 2015-10-30T15:29:31+00:00 3be9e26dcd169d44ae105f1b8a0674464c700b77 To only operation of p11_child which requires special privileges is the communication to pcscd which handles the Smartcard access. pcscd uses policy-kit for access control so access can easily be configured by dropping config snippets into the right directory. If SSSD is configured to run as un-privileged user this patch creates the needed config snippet for policy-kit and installs it in a suitable directory. As a result p11_child does not have to be installed with SETUID or SETGID bits set. Resolves https://fedorahosted.org/sssd/ticket/2755 by making it obsolete Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
To only operation of p11_child which requires special privileges is the
communication to pcscd which handles the Smartcard access. pcscd uses
policy-kit for access control so access can easily be configured by
dropping config snippets into the right directory.

If SSSD is configured to run as un-privileged user this patch creates
the needed config snippet for policy-kit and installs it in a suitable
directory. As a result p11_child does not have to be installed with
SETUID or SETGID bits set.

Resolves https://fedorahosted.org/sssd/ticket/2755 by making it obsolete

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
P11_CHILD_NSS: More restrictive permissions 2015-10-14T11:27:18+00:00 Petr Cech pcech@redhat.com 2015-10-06T11:05:57+00:00 ae627e216689b0a5834f36aaaa007ed584ef033d p11_child_nss runs as root and we must be carefull about security. This patch adds more restrictive permissions on it. There is no reason for 0077, so we use 0177 umask. Resolves: https://fedorahosted.org/sssd/ticket/2424 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
p11_child_nss runs as root and we must be carefull about security. This
patch adds more restrictive permissions on it. There is no reason for
0077, so we use 0177 umask.

Resolves:
https://fedorahosted.org/sssd/ticket/2424

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
REFACTOR: umask(077) --> umask(SSS_DFL_X_UMASK) 2015-10-14T11:27:13+00:00 Petr Cech pcech@redhat.com 2015-10-05T14:12:36+00:00 f8e337540d280f944098cd4dd7d670e2f7166b54 There are many calls of umask function with 077 argument. This patch add new constant SSS_DFL_X_UMASK which stands fot 077. So all occurences of umask(077) are replaced by constant SSS_DFL_X_UMASK. Resolves: https://fedorahosted.org/sssd/ticket/2424 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
There are many calls of umask function with 077 argument. This patch
add new constant SSS_DFL_X_UMASK which stands fot 077. So all
occurences of umask(077) are replaced by constant SSS_DFL_X_UMASK.

Resolves:
https://fedorahosted.org/sssd/ticket/2424

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
p11child: set restrictive umask and clear environment 2015-08-17T12:02:59+00:00 Jakub Hrozek jhrozek@redhat.com 2015-08-05T15:25:20+00:00 13f30f69eec02d0c0aaccc7b544dee1326a5e9d4 https://fedorahosted.org/sssd/ticket/2754 Before doing any calls, set a very restrictive umask and clear environment variables to harden p11child execution. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
https://fedorahosted.org/sssd/ticket/2754

Before doing any calls, set a very restrictive umask and clear
environment variables to harden p11child execution.

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>