| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
| |
Credentials can often be used both to accept and to initiate contexts.
With this option admins can allow a specific usage only.
This is to avoid allowing an unprivileged process to fool a remote
client by allowing it to impersonate a server, when we only want to
allow this service to use credentials to initiate contexts.
Reviewed-by: Günther Deschner <gdeschner@redhat.com
|
|
|
|
|
|
|
|
|
|
|
| |
The rpc.gssd daemon is changing to fork and change uid to the unprivileged
user it wants to authenticate, this means gssproxy needs to allow connection
from any euid. When this is done though, the trusted flag needs to be dropped,
if the connecting euid does not match the default trusted uid to prevent
improper impersonation.
Resolves: https://fedorahosted.org/gss-proxy/ticket/103
Reviewed-by: Günther Deschner <gdeschner@redhat.com
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The NFS server uses a special socket for the kernel communication.
Split configuration in 2 distinct services so we can use specific options that
may be different between server and client.
The 3 main differences so far are:
1. socket: default for client, custom for server
2. kernel_nfd option only for server
3. ccache and client keytab options only for client
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Günther Deschner <gdeschner@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
The Kernel expect the knfsd socket in a specific plce that is not where
our standard socket is created.
Add a knfsd specific socket in the default configuration.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Günther Deschner <gdeschner@redhat.com>
Resolves: https://fedorahosted.org/gss-proxy/ticket/93
|
|
|
|
|
| |
Signed-off-by: Günther Deschner <gdeschner@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
| |
Install by default working nfs configuration.
For RPM also install by default file to configure interposer plugin.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Günther Deschner <gdeschner@redhat.com>
|
|
|
|
|
|
|
| |
The kernel uses the fixed path named /var/run/gssproxy.sock
Make this default a configure time option and default to it.
Also remove the option to change the socket at configure time,
neither the kernel nor proxymech.so can cope with a change anyway.
|
|
|
|
|
|
|
|
| |
The Linux kernel now requires the gss-proxy to signal when it is available.
This is done by writing 1 to the file /proc/net/rpc/use-gss-proxy
Once this happens the kernel will try to attach to the gss-proxy socket
and use it instead of the classic rpc.svcgssd daemon.
|
|
|
|
| |
The file is not installed automatically yet.
|
|
|
|
|
|
|
| |
Keeping 2 separate sections for credentials and services seem to just make
things really confusing. The off chance of reusing a 'credential' section is
dwarfed by the confusion cause by keeping them separate. Having to copy a full
service section is not a big deal so KISS wins here.
|
| |
|
|
|