| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
| |
proxymehc.so may be used in setuid binaries so follow best security
practices and use secure_getenv() if available.
Fallback to poorman emulation when secure_getenv() is not available.
Resolves: https://fedorahosted.org/gss-proxy/ticket/110
|
|
|
|
|
|
|
|
|
|
|
|
| |
Using getpeercon we can know the elinux context of the process talking to
gssproxy. Use this information as an optional additional filter to match
processes to service definitions.
If a selinux_context option with a full user;role;type context is specified
into a service section, then the connecting process must also be running under
the specified selinux context in order to be allowed to connect.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Günther Deschner <gdeschner@redhat.com>
|
|
|
|
| |
Signed-off-by: Günther Deschner <gdeschner@redhat.com>
|
|
|
|
|
|
|
|
| |
Vendors can call "make test_proxymech" from their specfile to make sure
proxymech.so can be properly loaded by the GSSAPI.
Signed-off-by: Günther Deschner <gdeschner@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
| |
At the same time, rename gp_common.c to gp_util.c to make it more visible
there is no relation to gp_common.h.
Signed-off-by: Günther Deschner <gdeschner@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Günther Deschner <gdeschner@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
| |
This way different processes running as the same user can be configured as
different servervices
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Günther Deschner <gdeschner@redhat.com>
|
|
|
|
|
|
|
|
| |
Install by default working nfs configuration.
For RPM also install by default file to configure interposer plugin.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Günther Deschner <gdeschner@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Günther Deschner <gdeschner@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Günther Deschner <gdeschner@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Günther Deschner <gdeschner@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
| |
This avoids issues with libraris like libtirpc as gssrpc renames all the
symbols to avoid clashes with system libraries.
|
|
|
|
| |
This is needed because gssrpc doesn't have one.
|
|
|
|
| |
The file is not installed automatically yet.
|
|
|
|
|
|
|
| |
This allows us to remove the ring_buffer hack and become completely
stateless as well as remove a possible DoS avenue.
R.I.P. Ring Buffer :-)
|
|
|
|
| |
Acked-by: Simo Sorce <simo@redhat.com>
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
| |
Use the new spi call in order to be able to properly implement
a context locally.
|
| |
|
|
|
|
|
|
|
| |
For now return fixed list of mechanisms.
Later on we can try to fetch this list from the proxy.
Also split RPC client code from actual plugin
|
| |
|
|
|
|
| |
Acked-by: Simo Sorce <simo@redhat.com>
|
|
|
|
| |
Acked-by: Simo Sorce <simo@redhat.com>
|
|
|
|
| |
Acked-by: Simo Sorce <simo@redhat.com>
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
| |
Make space for the actual mechglue plugin interface. The mechglue interface
will use the client library to communicate with the gss-proxy but will
reimplement all GSSAPI SPI as wrappers in order to properly handle fallbacks to
local mechanism and other input/output transformations.
|
|
|
|
| |
Acked-by: Simo Sorce <simo@redhat.com>
|
|
|
|
| |
Acked-by: Simo Sorce <simo@redhat.com>
|
|
|
|
| |
Acked-by: Simo Sorce <simo@redhat.com>
|
|
|
|
| |
Acked-by: Simo Sorce <simo@redhat.com>
|
|
|
|
| |
Acked-by: Simo Sorce <simo@redhat.com>
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
| |
The test program is now testing almost all functions so change name to reflect
reaility.
|
| |
|
| |
|
| |
|
|
|
|
|
| |
Also fix name conversion functions, to properly handle exporting/importing
names.
|
| |
|