From d1d97ef1520eaedc27af679fe7906c038ae7f0e4 Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Wed, 4 Jan 2017 09:13:42 -0500
Subject: Add control to permit/deny protocol transition
Denies by default.
Signed-off-by: Simo Sorce
---
 proxy/man/gssproxy.conf.5.xml | 12 ++++++++++++
 proxy/src/gp_config.c | 8 ++++++++
 proxy/src/gp_creds.c | 13 ++++++-------
 proxy/src/gp_proxy.h | 1 +
 4 files changed, 27 insertions(+), 7 deletions(-)
diff --git a/proxy/man/gssproxy.conf.5.xml b/proxy/man/gssproxy.conf.5.xml
index 9a79894..6d44e8a 100644
--- a/proxy/man/gssproxy.conf.5.xml
+++ b/proxy/man/gssproxy.conf.5.xml
@@ -101,6 +101,18 @@
+
+ allow_protocol_transition (boolean)
+
+ Allow clients to request a ticket to self for an arbitrary user.
+ This option controls whether s4u2self requests are allowed for the
+ requesting client. The configured keytab is used as the service
+ identity for which a ticket is requested. The KDC still needs to allow
+ the operation for it to succeed.
+ Default: false
+
+
+
 cred_usage (string)
diff --git a/proxy/src/gp_config.c b/proxy/src/gp_config.c
index 42ab973..1493fab 100644
--- a/proxy/src/gp_config.c
+++ b/proxy/src/gp_config.c
@@ -371,6 +371,14 @@ static int load_services(struct gp_config *cfg, struct gp_ini_context *ctx)
 }
 }
+ ret = gp_config_get_string(ctx, secname,
+ "allow_protocol_transition", &value);
+ if (ret == 0) {
+ if (gp_boolean_is_true(value)) {
+ cfg->svcs[n]->allow_proto_trans = true;
+ }
+ }
+
 ret = gp_config_get_string(ctx, secname, "trusted", &value);
 if (ret == 0) {
 if (gp_boolean_is_true(value)) {
diff --git a/proxy/src/gp_creds.c b/proxy/src/gp_creds.c
index 8af5a9d..8fafa66 100644
--- a/proxy/src/gp_creds.c
+++ b/proxy/src/gp_creds.c
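Review bot: The new `allow_protocol_transition` block only ever writes `true`, so the documented deny-by-default depends on `cfg->svcs[n]` having been zero-initialised when it was allocated, which is not visible in this hunk. Assigning the flag unconditionally, `cfg->svcs[n]->allow_proto_trans = (ret == 0 && gp_boolean_is_true(value));`, keeps the fail-closed default independent of the allocator and collapses the two nested ifs into one statement. It is also worth a comment that a missing, unreadable or unrecognised value keeps s4u2self denied, e.g. `/* fail closed: anything but an explicit true keeps protocol transition denied */`. The neighbouring `trusted` block uses the same implicit-default pattern, so aligning only the new block is acceptable here and the rest can follow separately. load_services continues outside the hunk.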
@@ -203,17 +203,16 @@ static bool try_impersonate(struct gp_service *svc,
 gss_cred_usage_t cred_usage,
 enum gp_aqcuire_cred_type acquire_type)
 {
- if (acquire_type == ACQ_IMPNAME) {
+ if (acquire_type == ACQ_IMPNAME &&
+ (svc->allow_proto_trans || svc->trusted)) {
 return true;
 }
- if (!svc->impersonate) {
- return false;
- }
- if (cred_usage == GSS_C_ACCEPT) {
- return false;
+ if (svc->impersonate &&
+ (cred_usage == GSS_C_INITIATE || cred_usage == GSS_C_BOTH)) {
+ return true;
 }
- return true;
+ return false;
 }
 static int gp_get_cred_environment(struct gp_call_ctx *gpcall,
diff --git a/proxy/src/gp_proxy.h b/proxy/src/gp_proxy.h
index abcd201..4216b72 100644
--- a/proxy/src/gp_proxy.h
+++ b/proxy/src/gp_proxy.h
@@ -30,6 +30,7 @@ struct gp_service {
 char *name;
 uid_t euid;
 bool any_uid;
+ bool allow_proto_trans;
 bool trusted;
 bool kernel_nfsd;
 bool impersonate;
-- cgit
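Review bot: When acquire_type is ACQ_IMPNAME but neither `svc->allow_proto_trans` nor `svc->trusted` is set, the new first `if` no longer returns, so control falls through to the `svc->impersonate` test and a service configured with `impersonate = true` still gets `true` for an arbitrary-name (s4u2self) request whose usage is GSS_C_INITIATE or GSS_C_BOTH. If the intent behind "Denies by default" is that the new option gates protocol transition regardless of `impersonate`, the ACQ_IMPNAME case should be decided outright: `if (acquire_type == ACQ_IMPNAME) {` / `    return svc->allow_proto_trans || svc->trusted;` / `}`. If the fall-through is deliberate, a one-line comment stating that impersonating services may still request arbitrary names would stop the next reader from "fixing" it. Replacing the old `!= GSS_C_ACCEPT` logic with an explicit GSS_C_INITIATE/GSS_C_BOTH check is a good fail-closed tightening for any other usage value. The function's first signature line appears only in the hunk header.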