diff options
author | Robbie Harwood (frozencemetery) <rharwood@redhat.com> | 2015-08-26 17:41:37 -0400 |
---|---|---|
committer | Simo Sorce <simo@redhat.com> | 2015-09-04 15:16:58 -0400 |
commit | 75049219ea44cfe2c3ede1b9958bed9926b57818 (patch) | |
tree | ca2ff8ba5312611ede1ffc8d227b559b59c53f92 | |
parent | bf53dbf2201a9e87c185f7948a08a290b176234c (diff) | |
download | gss-proxy-75049219ea44cfe2c3ede1b9958bed9926b57818.tar.gz gss-proxy-75049219ea44cfe2c3ede1b9958bed9926b57818.tar.xz gss-proxy-75049219ea44cfe2c3ede1b9958bed9926b57818.zip |
Error on `allow_any_uid` issues
As per gssproxy.conf(5), setting allow_any_uid without also setting socket or
selinux_context is known to cause problems.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
-rw-r--r-- | proxy/src/gp_config.c | 44 |
1 files changed, 43 insertions, 1 deletions
diff --git a/proxy/src/gp_config.c b/proxy/src/gp_config.c index 61e32b8..d4cf33e 100644 --- a/proxy/src/gp_config.c +++ b/proxy/src/gp_config.c @@ -206,6 +206,48 @@ static int setup_service_creds_handle(struct gp_service *svc) return 0; } +static int check_services(const struct gp_config *cfg) +{ + int i, j; + struct gp_service *isvc, *jsvc; + const char *isock, *jsock; + int ret = 0; + + /* [gssproxy] section does not get placed in svcs */ + for (i = 0; i < cfg->num_svcs; i++) { + isvc = cfg->svcs[i]; + isock = isvc->socket; + if (!isock) { + isock = GP_SOCKET_NAME; + } + + for (j = 0; j < i; j++) { + jsvc = cfg->svcs[j]; + jsock = jsvc->socket; + if (!jsock) { + jsock = GP_SOCKET_NAME; + } + + if (!gp_same(isock, jsock) || + !gp_selinux_ctx_equal(isvc->selinux_ctx, jsvc->selinux_ctx)) { + continue; + } + + if (jsvc->any_uid) { + ret = 1; + GPERROR("%s sets allow_any_uid with the same socket and " + "selinux_context as %s!\n", jsvc->name, isvc->name); + } else if (jsvc->euid == isvc->euid) { + ret = 1; + GPERROR("socket, selinux_context, and euid for %s and %s " + "should not match!\n", isvc->name, jsvc->name); + } + } + } + + return ret; +} + static int load_services(struct gp_config *cfg, struct gp_ini_context *ctx) { int num_sec; @@ -419,7 +461,7 @@ static int load_services(struct gp_config *cfg, struct gp_ini_context *ctx) return ENOENT; } - ret = 0; + ret = check_services(cfg); done: safefree(secname); |