gss-proxy.git, branch usermode Work on gss-proxy before it lands upstream Block parent process until child is initialized. 2014-01-04T15:26:53+00:00 Simo Sorce simo@redhat.com 2014-01-03T17:10:36+00:00 393570b45816b690cb16fd1286d0705142ef2d62 This way the init system will not proceed starting dependencies until gssproxy is actually ready to serve requests. In particular this is used to make sure the nfsd proc file has been touched before the nfsd server is started. Resolves: https://fedorahosted.org/gss-proxy/ticket/114 Signed-off-by: Simo Sorce <simo@redhat.com> 
This way the init system will not proceed starting dependencies until gssproxy
is actually ready to serve requests.
In particular this is used to make sure the nfsd proc file has been touched
before the nfsd server is started.

Resolves: https://fedorahosted.org/gss-proxy/ticket/114

Signed-off-by: Simo Sorce <simo@redhat.com>
Add utility functions to read()/write() safely 2014-01-03T21:47:02+00:00 Simo Sorce simo@redhat.com 2014-01-03T21:45:35+00:00 8f9db4fcd44df680029ed5a493cda7cdcd9c91ee Automatically handle short reads due to singals interrupting the process. Signed-off-by: Simo Sorce <simo@redhat.com> 
Automatically handle short reads due to singals interrupting the process.

Signed-off-by: Simo Sorce <simo@redhat.com>
Add support for dropping privileges 2013-12-26T21:08:58+00:00 Simo Sorce simo@redhat.com 2013-12-22T21:13:56+00:00 0bc3f5213743030206d0f40b342599d87a68b474 If the 'proxy user' configuation option is set in the [gssproxy] section then GSS Proxy will drop privileges to the specified after setting up all the sockets. Care must be taken to make sure all the resources the daemon need access to (keytabs, ccache directories, etc..) are accessible as the proxy user. Implements: https://fedorahosted.org/gss-proxy/ticket/102 Signed-off-by: Simo Sorce <simo@redhat.com> 
If the 'proxy user' configuation option is set in the [gssproxy] section then
GSS Proxy will drop privileges to the specified after setting up all the
sockets.

Care must be taken to make sure all the resources the daemon need access to
(keytabs, ccache directories, etc..) are accessible as the proxy user.

Implements: https://fedorahosted.org/gss-proxy/ticket/102

Signed-off-by: Simo Sorce <simo@redhat.com>
Fix config token parsing. 2013-12-09T15:22:52+00:00 Simo Sorce simo@redhat.com 2013-12-06T22:51:14+00:00 8b147c9196d9068d0fc5e5a8919b84e8cbb97ef4 Resolves: https://fedorahosted.org/gss-proxy/ticket/112 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Günther Deschner <gdeschner@redhat.com> 
Resolves: https://fedorahosted.org/gss-proxy/ticket/112

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Günther Deschner <gdeschner@redhat.com>
Change version to 0.3.1 2013-11-26T12:22:52+00:00 Günther Deschner gdeschner@redhat.com 2013-11-26T12:22:52+00:00 b13ef8ad6e5a400a1bbe2933dd5562760e0b194c Signed-off-by: Günther Deschner <gdeschner@redhat.com> 
Signed-off-by: Günther Deschner <gdeschner@redhat.com>
Use gp_strerror() everywhere instead of strerror() 2013-11-22T13:41:24+00:00 Simo Sorce simo@redhat.com 2013-11-21T17:14:36+00:00 db8099da53167ca4ebf3b9f5ef0c702ddfe8b366 https://fedorahosted.org/gss-proxy/ticket/111 Reviewed-by: Günther Deschner <gdeschner@redhat.com> 
https://fedorahosted.org/gss-proxy/ticket/111

Reviewed-by: Günther Deschner <gdeschner@redhat.com>
Add Thread-safe implementation of strerror() 2013-11-22T13:40:42+00:00 Simo Sorce simo@redhat.com 2013-11-21T16:59:40+00:00 27ae6c5b8b37a8086800cd1a4edbb01a7fddfad6 Unfortunately strerror() is not thread safe so we have to juggle with strerror_r() which is a can of worms as 2 incompatible implementations are available depending on what is defined at compile time. Try to do something sane. https://fedorahosted.org/gss-proxy/ticket/111 Reviewed-by: Günther Deschner <gdeschner@redhat.com> 
Unfortunately strerror() is not thread safe so we have to juggle with
strerror_r() which is a can of worms as 2 incompatible implementations
are available depending on what is defined at compile time.

Try to do something sane.

https://fedorahosted.org/gss-proxy/ticket/111

Reviewed-by: Günther Deschner <gdeschner@redhat.com>
Use secure_getenv in client and mechglue module 2013-11-21T12:48:25+00:00 Simo Sorce simo@redhat.com 2013-11-20T16:58:22+00:00 23f4ee4359d10f66e1938ce6b1d92d3cc77865ff proxymehc.so may be used in setuid binaries so follow best security practices and use secure_getenv() if available. Fallback to poorman emulation when secure_getenv() is not available. Resolves: https://fedorahosted.org/gss-proxy/ticket/110 Reviewed-by: Günther Deschner <gdeschner@redhat.com> 
proxymehc.so may be used in setuid binaries so follow best security
practices and use secure_getenv() if available.
Fallback to poorman emulation when secure_getenv() is not available.

Resolves: https://fedorahosted.org/gss-proxy/ticket/110

Reviewed-by: Günther Deschner <gdeschner@redhat.com>
creds: Allow admins to define only client creds 2013-11-20T14:50:12+00:00 Simo Sorce simo@redhat.com 2013-11-16T23:54:28+00:00 a272091dfd568cb96738cc96ea01bbf7f24ee62c When a service is configured with cred_usage = initiate it is ok to allow only client credentials to be defined. Reviewed-by: Günther Deschner <gdeschner@redhat.com> 
When a service is configured with cred_usage = initiate it is
ok to allow only client credentials to be defined.

Reviewed-by: Günther Deschner <gdeschner@redhat.com>
config: Do not modify const strings 2013-11-20T14:48:45+00:00 Simo Sorce simo@redhat.com 2013-11-16T22:08:06+00:00 1d78d1af3da7eeb15aa1f054b740f31a12f48f31 Take a copy here, the option string is const and strtok_r() is not a safe function as it may change the string it manipulates. Reviewed-by: Günther Deschner <gdeschner@redhat.com> 
Take a copy here, the option string is const and strtok_r() is not a safe
function as it may change the string it manipulates.

Reviewed-by: Günther Deschner <gdeschner@redhat.com>