authorSimo Sorce <simo@redhat.com>2017-01-04 09:13:42 -0500
committerSimo Sorce <simo@redhat.com>2017-01-13 15:50:06 -0500
commitd1d97ef1520eaedc27af679fe7906c038ae7f0e4 (patch)
tree2d100d109934a7b00c3e44958ff2bf807c17a197
parentc333d574e900984ef7f5b8822dbbe5801afe9cf3 (diff)
Add control to permit/deny protocol transition
Denies by default. Signed-off-by: Simo Sorce <simo@redhat.com>
-rw-r--r--proxy/man/gssproxy.conf.5.xml12
-rw-r--r--proxy/src/gp_config.c8
-rw-r--r--proxy/src/gp_creds.c13
-rw-r--r--proxy/src/gp_proxy.h1
4 files changed, 27 insertions, 7 deletions
diff --git a/proxy/man/gssproxy.conf.5.xml b/proxy/man/gssproxy.conf.5.xml
index 9a79894..6d44e8a 100644
--- a/proxy/man/gssproxy.conf.5.xml
+++ b/proxy/man/gssproxy.conf.5.xml
@@ -102,6 +102,18 @@
</varlistentry>
<varlistentry>
+ <term>allow_protocol_transition (boolean)</term>
+ <listitem>
+ <para>Allow clients to request a ticket to self for an arbitrary user.</para>
+ <para>This option controls whether s4u2self requests are allowed for the
+ requesting client. The configured keytab is used as the service
+ identity for which a ticket is requested. The KDC still needs to allow
+ the operation for it to succeed.</para>
+ <para>Default: false</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>cred_usage (string)</term>
<listitem>
<para>Allow to restrict the kind of operations permitted for this service.</para>
diff --git a/proxy/src/gp_config.c b/proxy/src/gp_config.c
index 42ab973..1493fab 100644
--- a/proxy/src/gp_config.c
+++ b/proxy/src/gp_config.c
@@ -371,6 +371,14 @@ static int load_services(struct gp_config *cfg, struct gp_ini_context *ctx)
}
}
+ ret = gp_config_get_string(ctx, secname,
+ "allow_protocol_transition", &value);
+ if (ret == 0) {
+ if (gp_boolean_is_true(value)) {
+ cfg->svcs[n]->allow_proto_trans = true;
+ }
+ }
+
ret = gp_config_get_string(ctx, secname, "trusted", &value);
if (ret == 0) {
if (gp_boolean_is_true(value)) {
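Review bot: The deny-by-default promised in the commit message is only implicit in the `allow_protocol_transition` block, which assigns `true` and nothing else. The false default therefore depends on `cfg->svcs[n]` being zero-initialised where it is allocated, which is outside this hunk and should be confirmed. A value that `gp_boolean_is_true()` does not accept, or any error from `gp_config_get_string()`, also leaves the flag off silently; that fails closed, but an administrator who mistypes the value gets no hint. Since this flag gates s4u2self, I would add a comment above the block such as `/* security-sensitive: enables s4u2self; remains false unless explicitly set to a true value */`. `load_services` starts and ends outside the hunk.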
diff --git a/proxy/src/gp_creds.c b/proxy/src/gp_creds.c
index 8af5a9d..8fafa66 100644
--- a/proxy/src/gp_creds.c
+++ b/proxy/src/gp_creds.c
@@ -203,17 +203,16 @@ static bool try_impersonate(struct gp_service *svc,
gss_cred_usage_t cred_usage,
enum gp_aqcuire_cred_type acquire_type)
{
- if (acquire_type == ACQ_IMPNAME) {
+ if (acquire_type == ACQ_IMPNAME &&
+ (svc->allow_proto_trans || svc->trusted)) {
return true;
}
- if (!svc->impersonate) {
- return false;
- }
- if (cred_usage == GSS_C_ACCEPT) {
- return false;
+ if (svc->impersonate &&
+ (cred_usage == GSS_C_INITIATE || cred_usage == GSS_C_BOTH)) {
+ return true;
}
- return true;
+ return false;
}
static int gp_get_cred_environment(struct gp_call_ctx *gpcall,
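Review bot: In `try_impersonate`, an `ACQ_IMPNAME` request that fails the new `allow_proto_trans || trusted` test is not rejected at that point; it falls through to the `svc->impersonate` check and still returns true when `cred_usage` is `GSS_C_INITIATE` or `GSS_C_BOTH`. If that is intended (a service configured with `impersonate` presumably performs s4u2self anyway), a comment above the second `if` would make it explicit, e.g. `/* impersonate services may always s4u2self, independent of allow_protocol_transition */`. If it is not intended, the first branch should decide alone: `if (acquire_type == ACQ_IMPNAME) return svc->allow_proto_trans || svc->trusted;`. The first condition also makes `trusted` an implicit grant of protocol transition, which the `allow_protocol_transition` man page entry added in this commit does not mention. The function's signature begins in the hunk header, above the visible lines.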
diff --git a/proxy/src/gp_proxy.h b/proxy/src/gp_proxy.h
index abcd201..4216b72 100644
--- a/proxy/src/gp_proxy.h
+++ b/proxy/src/gp_proxy.h
@@ -30,6 +30,7 @@ struct gp_service {
char *name;
uid_t euid;
bool any_uid;
+ bool allow_proto_trans;
bool trusted;
bool kernel_nfsd;
bool impersonate;