gss-proxy.git, branch strerror Work on gss-proxy before it lands upstream Use gp_strerror() everywhere instead of strerror() 2013-11-21T17:14:36+00:00 Simo Sorce simo@redhat.com 2013-11-21T17:14:36+00:00 3209aacd6a5a0b375ce8b9ae28e70503d61810ec 






Add Thread-safe implementation of strerror()
2013-11-21T17:10:00+00:00

Simo Sorce
simo@redhat.com

2013-11-21T16:59:40+00:00

1c4bcda3d1d468f8ad47341f6562f31bb8f51a9d

Unfortunately strerror() is not thread safe so we have to juggle with
strerror_r() which is a can of worms as 2 incompatible implementations
are available depending on what is defined at compile time.

Try to do something sane.





Unfortunately strerror() is not thread safe so we have to juggle with
strerror_r() which is a can of worms as 2 incompatible implementations
are available depending on what is defined at compile time.

Try to do something sane.







Use secure_getenv in client and mechglue module
2013-11-21T12:48:25+00:00

Simo Sorce
simo@redhat.com

2013-11-20T16:58:22+00:00

23f4ee4359d10f66e1938ce6b1d92d3cc77865ff

proxymehc.so may be used in setuid binaries so follow best security
practices and use secure_getenv() if available.
Fallback to poorman emulation when secure_getenv() is not available.

Resolves: https://fedorahosted.org/gss-proxy/ticket/110

Reviewed-by: Günther Deschner <gdeschner@redhat.com>





proxymehc.so may be used in setuid binaries so follow best security
practices and use secure_getenv() if available.
Fallback to poorman emulation when secure_getenv() is not available.

Resolves: https://fedorahosted.org/gss-proxy/ticket/110

Reviewed-by: Günther Deschner <gdeschner@redhat.com>







creds: Allow admins to define only client creds
2013-11-20T14:50:12+00:00

Simo Sorce
simo@redhat.com

2013-11-16T23:54:28+00:00

a272091dfd568cb96738cc96ea01bbf7f24ee62c

When a service is configured with cred_usage = initiate it is
ok to allow only client credentials to be defined.

Reviewed-by: Günther Deschner <gdeschner@redhat.com>





When a service is configured with cred_usage = initiate it is
ok to allow only client credentials to be defined.

Reviewed-by: Günther Deschner <gdeschner@redhat.com>







config: Do not modify const strings
2013-11-20T14:48:45+00:00

Simo Sorce
simo@redhat.com

2013-11-16T22:08:06+00:00

1d78d1af3da7eeb15aa1f054b740f31a12f48f31

Take a copy here, the option string is const and strtok_r() is not a safe
function as it may change the string it manipulates.

Reviewed-by: Günther Deschner <gdeschner@redhat.com>





Take a copy here, the option string is const and strtok_r() is not a safe
function as it may change the string it manipulates.

Reviewed-by: Günther Deschner <gdeschner@redhat.com>







man: Describe new flag filtering/enforcing options
2013-11-20T14:26:13+00:00

Simo Sorce
simo@redhat.com

2013-11-16T22:27:52+00:00

c8386418a754211da5ddf5469a0f1c0fddf21240

Resolves: https://fedorahosted.org/gss-proxy/ticket/109

Reviewed-by: Günther Deschner <gdeschner@redhat.com>





Resolves: https://fedorahosted.org/gss-proxy/ticket/109

Reviewed-by: Günther Deschner <gdeschner@redhat.com>







server: Implement flag filtering enforcement
2013-11-20T14:26:08+00:00

Simo Sorce
simo@redhat.com

2013-11-16T22:09:45+00:00

3df6ac81f4a6d8cf6ff514e7d7f2cbe58840c393

Resolves: https://fedorahosted.org/gss-proxy/ticket/109

Reviewed-by: Günther Deschner <gdeschner@redhat.com>





Resolves: https://fedorahosted.org/gss-proxy/ticket/109

Reviewed-by: Günther Deschner <gdeschner@redhat.com>







config: Add code to source flag filters
2013-11-20T14:25:12+00:00

Simo Sorce
simo@redhat.com

2013-11-16T22:01:24+00:00

6a096c0a0a37d2fa9e0b03edce05929a7d98f390

2 New configuration options are made available:
- filter_flags
- enforce_flags

Any GSS Flags listed in the filter_flags option is forcibly filtered
out before a gss_init_sec_context() call is invoked.
Any GSS Flags listed in the enforce_flags option is forcibly added
to the list of flags requested by a gss_init_sec_context() call is
invoked.

Flags can be either literals or numeric and must be preceded by the
sign + (to add to the list) or - (to remove from the list).

Resolves: https://fedorahosted.org/gss-proxy/ticket/109

Reviewed-by: Günther Deschner <gdeschner@redhat.com>





2 New configuration options are made available:
- filter_flags
- enforce_flags

Any GSS Flags listed in the filter_flags option is forcibly filtered
out before a gss_init_sec_context() call is invoked.
Any GSS Flags listed in the enforce_flags option is forcibly added
to the list of flags requested by a gss_init_sec_context() call is
invoked.

Flags can be either literals or numeric and must be preceded by the
sign + (to add to the list) or - (to remove from the list).

Resolves: https://fedorahosted.org/gss-proxy/ticket/109

Reviewed-by: Günther Deschner <gdeschner@redhat.com>







Try impersonation even when a name is not provided
2013-11-20T13:37:03+00:00

Simo Sorce
simo@redhat.com

2013-11-14T01:03:53+00:00

32b1d5aa0497c4e3677b4575cc7e299590df5618

In some cases a name may not be provided, still try to perform
impersonation if the service is configured that way.

Reviewed-by: Günther Deschner <gdeschner@redhat.com>





In some cases a name may not be provided, still try to perform
impersonation if the service is configured that way.

Reviewed-by: Günther Deschner <gdeschner@redhat.com>







Autoinitialize creds on init_sec_context
2013-11-20T13:36:57+00:00

Simo Sorce
simo@redhat.com

2013-11-14T00:54:27+00:00

591fad86aba3520a76eaf75aa0fd5e585fac94a5

If the remote client tries to initialize the context without first
acquiring credentials, try to acquire appropriate credentials if
the service allows it.

Reviewed-by: Günther Deschner <gdeschner@redhat.com>





If the remote client tries to initialize the context without first
acquiring credentials, try to acquire appropriate credentials if
the service allows it.

Reviewed-by: Günther Deschner <gdeschner@redhat.com>