path: root/proxy/src/gp_creds.c
Commit message | Author | Age | Files | Lines
* Fix formatting on noncompliant copyright lines | Robbie Harwood | 2015-09-04 | 1 | -24/+1
  Signed-off-by: Robbie Harwood <rharwood@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
* Log why acquiring credentials failed. | Simo Sorce | 2015-03-24 | 1 | -0/+2
  This will help understanding why gss-proxy interposed programs are failing.
  Signed-off-by: Simo Sorce <simo@redhat.com>
* creds: Allow admins to define only client creds | Simo Sorce | 2013-11-20 | 1 | -1/+6
  When a service is configured with cred_usage = initiate it is ok to allow only client credentials to be defined.
  Reviewed-by: Günther Deschner <gdeschner@redhat.com>
* server: Implement flag filtering enforcement | Simo Sorce | 2013-11-20 | 1 | -0/+6
  Resolves: https://fedorahosted.org/gss-proxy/ticket/109
  Reviewed-by: Günther Deschner <gdeschner@redhat.com>
* Try impersonation even when a name is not provided | Simo Sorce | 2013-11-20 | 1 | -0/+5
  In some cases a name may not be provided, still try to perform impersonation if the service is configured that way.
  Reviewed-by: Günther Deschner <gdeschner@redhat.com>
* Add impersonation support | Simo Sorce | 2013-10-23 | 1 | -55/+157
  By setting the impersonate flag to true, the acquisition of credentials will be done using constrained delegation (s4uself + s4u2proxy).
  To work this needs MIT Kerberos 1.11.4 or later. Previous versions have a bug in the import_cred function that prevents the library from properly importing previously exported delegated credentials.
  Resolves: https://fedorahosted.org/gss-proxy/ticket/95
  Reviewed-by: Günther Deschner <gdeschner@redhat.com>
* Move uid to name resolution in its own function. | Simo Sorce | 2013-10-23 | 1 | -6/+19
  Reviewed-by: Günther Deschner <gdeschner@redhat.com>
* Add option to specify allowed usage. | Simo Sorce | 2013-10-18 | 1 | -2/+12
  Credentials can often be used both to accept and to initiate contexts. With this option admins can allow a specific usage only. This is to avoid allowing an unprivileged process to fool a remote client by allowing it to impersonate a server, when we only want to allow this service to use credentials to initiate contexts.
  Reviewed-by: Günther Deschner <gdeschner@redhat.com>
* Allow arbitrary users to connect to a service | Simo Sorce | 2013-10-18 | 1 | -9/+18
  The rpc.gssd daemon is changing to fork and change uid to the unprivileged user it wants to authenticate, this means gssproxy needs to allow connection from any euid. When this is done though, the trusted flag needs to be dropped, if the connecting euid does not match the default trusted uid to prevent improper impersonation.
  Resolves: https://fedorahosted.org/gss-proxy/ticket/103
  Reviewed-by: Günther Deschner <gdeschner@redhat.com>
* Add service match using SELinux Context | Simo Sorce | 2013-07-02 | 1 | -0/+4
  Using getpeercon we can know the SELinux context of the process talking to gssproxy. Use this information as an optional additional filter to match processes to service definitions.
  If a selinux_context option with a full user;role;type context is specified in a service section, then the connecting process must also be running under the specified SELinux context in order to be allowed to connect.
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: Günther Deschner <gdeschner@redhat.com>
* Properly check socket for connection matching. | Simo Sorce | 2013-06-21 | 1 | -3/+8
  We always need to check if the socket matches otherwise the wrong service may be selected if a specific socket is being used but a service allowing the same euid is configured to use the default socket as well.
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: Günther Deschner <gdeschner@redhat.com>
* Fix realloc size in gp_get_cred_environment(). | Günther Deschner | 2013-05-22 | 1 | -2/+3
  This fixes a segfault when no client_keytab is passed in via cred_store api. See https://fedorahosted.org/gss-proxy/ticket/85 for details.
  Signed-off-by: Günther Deschner <gdeschner@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
* Fix secondary socket detection at runtime. | Simo Sorce | 2013-05-16 | 1 | -1/+1
  We were failing to find the right service as the test was reversed. It works with the default socket as it is not stored per service.
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: Günther Deschner <gdeschner@redhat.com>
* Add support for per-service sockets | Simo Sorce | 2013-04-23 | 1 | -0/+6
  This way different processes running as the same user can be configured as different services
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: Günther Deschner <gdeschner@redhat.com>
* Treat credential store as opaquely as possible. | Simo Sorce | 2013-04-23 | 1 | -68/+94
  The credential store design goal is to allow administrators to set arbitrary strings without additional applications knowledge. This allows extending the number of credential types GSSAPI can be made to support without having to recompile applications to add explicit support.
  Only explicitly check for cred store values that need special treatment and let admins decide what to put in cred_store.
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: Günther Deschner <gdeschner@redhat.com>
* Special case client_keytab for root user | Simo Sorce | 2013-04-10 | 1 | -2/+7
  Use /etc/krb5.keytab when nfsd service tries to acquire creds and no id is specified in desired_name.
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: Günther Deschner <gdeschner@redhat.com>
* Use new GSSAPI Credential Store API | Simo Sorce | 2013-04-10 | 1 | -49/+22
  This is the only thread safe way to pass in arbitrary values for all the bits of environment we want to use when doing impersonation within gss-proxy.
  Requires MIT version 1.12 for the client_keytab part to be operational.
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: Günther Deschner <gdeschner@redhat.com>
* Add generic function to get creds defaults | Simo Sorce | 2013-04-10 | 1 | -21/+58
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: Günther Deschner <gdeschner@redhat.com>
* Move string formatting in a separate function | Simo Sorce | 2013-04-10 | 1 | -57/+66
  This way it can be reused for keytab path names too
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: Günther Deschner <gdeschner@redhat.com>
* Carefully process desired name based on service | Simo Sorce | 2013-04-10 | 1 | -14/+31
  In case the name type is GSS_C_NT_STRING_UID_NAME or GSS_NT_MACHINE_UID_NAME we want to be able to impersonate the user referenced by the uid. This is allowed exclusively for trusted services otherwise a generic unprivileged application would be allowed to impersonate any user if there are credentials available on the system or client keytabs installed.
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: Günther Deschner <gdeschner@redhat.com>
* Improve ccache formatting. | Simo Sorce | 2013-03-27 | 1 | -14/+37
  Add %U support which will insert the user uid number instead of name.
  Fix %% support by actually removing one of the % characters
  Fix %<invalid> sequence by actually bailing out if one is found.
  Add GPDEBUG statements to indicate what went wrong.
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-by: Günther Deschner <gdeschner@redhat.com>
* Fix includes | Simo Sorce | 2013-03-14 | 1 | -0/+1
  These includes are necessary when switching to gssrpc because they are not automatically dragged in via dependencies in system rpc.h
* creds: add code to import krb5 credentials based on configuration. | Simo Sorce | 2012-04-05 | 1 | -0/+304