summaryrefslogtreecommitdiffstats
path: root/src/p11_child
Commit message (Collapse)AuthorAgeFilesLines
* Rename dp_backend.h to backend.hPavel Březina2016-06-201-1/+1
| | | | | | Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* p11: add OCSP default responder optionsSumit Bose2016-06-091-0/+33
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* p11: add no_verification optionSumit Bose2016-06-091-21/+23
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* DEBUG: Add missing new linesLukas Slebodnik2015-12-141-4/+4
| | | | Reviewed-by: Petr Cech <pcech@redhat.com>
* p11: enable ocsp checksSumit Bose2015-11-261-2/+23
| | | | | | | | | | | This patch enables the Online Certificate Status Protocol in NSS and adds an option to disable it if needed. To make further tuning of certificate verification more easy it is not an option on its own but an option to the new certificate_verification configuration option. Resolves https://fedorahosted.org/sssd/ticket/2812 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* p11: check if cert is valid before selecting itSumit Bose2015-11-261-10/+12
| | | | | | | | | | Currently the first certificate was selected and if it was not valid p11_child just returned an error. With this patch the validity is checked first and the first valid certificate is selected. Resolves https://fedorahosted.org/sssd/ticket/2801 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* p11: allow p11_child to run completely unprivilegedSumit Bose2015-11-201-21/+6
| | | | | | | | | | | | | | | | To only operation of p11_child which requires special privileges is the communication to pcscd which handles the Smartcard access. pcscd uses policy-kit for access control so access can easily be configured by dropping config snippets into the right directory. If SSSD is configured to run as un-privileged user this patch creates the needed config snippet for policy-kit and installs it in a suitable directory. As a result p11_child does not have to be installed with SETUID or SETGID bits set. Resolves https://fedorahosted.org/sssd/ticket/2755 by making it obsolete Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* P11_CHILD_NSS: More restrictive permissionsPetr Cech2015-10-141-1/+5
| | | | | | | | | | | p11_child_nss runs as root and we must be carefull about security. This patch adds more restrictive permissions on it. There is no reason for 0077, so we use 0177 umask. Resolves: https://fedorahosted.org/sssd/ticket/2424 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* REFACTOR: umask(077) --> umask(SSS_DFL_X_UMASK)Petr Cech2015-10-141-1/+1
| | | | | | | | | | | There are many calls of umask function with 077 argument. This patch add new constant SSS_DFL_X_UMASK which stands fot 077. So all occurences of umask(077) are replaced by constant SSS_DFL_X_UMASK. Resolves: https://fedorahosted.org/sssd/ticket/2424 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* p11child: set restrictive umask and clear environmentJakub Hrozek2015-08-171-0/+3
| | | | | | | | | https://fedorahosted.org/sssd/ticket/2754 Before doing any calls, set a very restrictive umask and clear environment variables to harden p11child execution. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* Add NSS version of p11_childSumit Bose2015-07-311-0/+636
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
generated by cgit (git 2.34.1) at 2024-05-22 12:31:17 +0000