Add support for dropping privileges

If the 'proxy user' configuation option is set in the [gssproxy] section then GSS Proxy will drop privileges to the specified after setting up all the sockets. Care must be taken to make sure all the resources the daemon need access to (keytabs, ccache directories, etc..) are accessible as the proxy user. Implements: https://fedorahosted.org/gss-proxy/ticket/102 Signed-off-by: Simo Sorce <simo@redhat.com>
author: Simo Sorce <simo@redhat.com> 2013-12-22 16:13:56 -0500
committer: Simo Sorce <simo@redhat.com> 2013-12-26 16:08:58 -0500
commit: 0bc3f5213743030206d0f40b342599d87a68b474 (patch)
tree: bf0624720df297ceeea4ec203a59e793d0d02434 /proxy/src/gssproxy.c
parent: 8b147c9196d9068d0fc5e5a8919b84e8cbb97ef4 (diff)
download: gss-proxy-0bc3f5213743030206d0f40b342599d87a68b474.tar.gz
gss-proxy-0bc3f5213743030206d0f40b342599d87a68b474.tar.xz
gss-proxy-0bc3f5213743030206d0f40b342599d87a68b474.zip
1 files changed, 5 insertions, 0 deletions
diff --git a/proxy/src/gssproxy.c b/proxy/src/gssproxy.c
index 1fca922..1bf0a0b 100644
--- a/proxy/src/gssproxy.c
+++ b/proxy/src/gssproxy.c
@@ -142,6 +142,11 @@ int main(int argc, const char *argv[])
     /* special call to tell the Linux kernel gss-proxy is available */
     init_proc_nfsd(gpctx->config);
 
+    ret = drop_privs(gpctx->config);
+    if (ret) {
+        exit(EXIT_FAILURE);
+    }
+
     ret = gp_workers_init(gpctx);
     if (ret) {
         exit(EXIT_FAILURE);
author	Simo Sorce <simo@redhat.com>	2013-12-22 16:13:56 -0500
committer	Simo Sorce <simo@redhat.com>	2013-12-26 16:08:58 -0500
commit	0bc3f5213743030206d0f40b342599d87a68b474 (patch)
tree	bf0624720df297ceeea4ec203a59e793d0d02434 /proxy/src/gssproxy.c
parent	8b147c9196d9068d0fc5e5a8919b84e8cbb97ef4 (diff)
download	gss-proxy-0bc3f5213743030206d0f40b342599d87a68b474.tar.gz gss-proxy-0bc3f5213743030206d0f40b342599d87a68b474.tar.xz gss-proxy-0bc3f5213743030206d0f40b342599d87a68b474.zip