From a324853818fd75d7ec11c68de9d499f37228b26a Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Mon, 14 Oct 2013 16:20:11 -0400
Subject: Allow arbitrary users to connect to a service
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The rpc.gssd daemon is changing to fork and change uid to the unprivileged
user it wants to authenticate, this means gssproxy needs to allow connection
from any euid. When this is done though, the trusted flag needs to be dropped,
if the connecting euid does not match the default trusted uid to prevent
improper impersonation.

Resolves: https://fedorahosted.org/gss-proxy/ticket/103
Reviewed-by: Günther Deschner <gdeschner@redhat.com
---
 proxy/src/gp_rpc_process.c | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

(limited to 'proxy/src/gp_rpc_process.c')

diff --git a/proxy/src/gp_rpc_process.c b/proxy/src/gp_rpc_process.c
index 18f8dc6..74dada1 100644
--- a/proxy/src/gp_rpc_process.c
+++ b/proxy/src/gp_rpc_process.c
@@ -333,14 +333,14 @@ static const char *gp_rpc_procname(uint32_t proc)
     return gp_xdr_set[proc].proc_name;
 }
 
-static int gp_rpc_execute(struct gssproxy_ctx *gpctx,
-                          struct gp_service *gpsvc, uint32_t proc,
+static int gp_rpc_execute(struct gp_call_ctx *gpcall, uint32_t proc,
                           union gp_rpc_arg *arg, union gp_rpc_res *res)
 {
     GPDEBUG("gp_rpc_execute: executing %d (%s) for service \"%s\", euid: %d, socket: %s\n",
-        proc, gp_rpc_procname(proc), gpsvc->name, gpsvc->euid, gpsvc->socket);
+        proc, gp_rpc_procname(proc), gpcall->service->name,
+        gp_conn_get_uid(gpcall->connection), gpcall->service->socket);
 
-    return gp_xdr_set[proc].exec_fn(gpctx, gpsvc, arg, res);
+    return gp_xdr_set[proc].exec_fn(gpcall, arg, res);
 }
 
 static int gp_rpc_return_buffer(XDR *xdr_reply_ctx, char *reply_buffer,
@@ -371,8 +371,7 @@ static void gp_rpc_free_xdrs(int proc,
     xdr_free(gp_xdr_set[proc].res_fn, (char *)res);
 }
 
-int gp_rpc_process_call(struct gssproxy_ctx *gpctx,
-                        struct gp_service *gpsvc,
+int gp_rpc_process_call(struct gp_call_ctx *gpcall,
                         uint8_t *inbuf, size_t inlen,
                         uint8_t **outbuf, size_t *outlen)
 {
@@ -398,7 +397,7 @@ int gp_rpc_process_call(struct gssproxy_ctx *gpctx,
     ret = gp_rpc_decode_call(&xdr_call_ctx, &xid, &proc, &arg, &acc, &rej);
     if (!ret) {
         /* execute request */
-        ret = gp_rpc_execute(gpctx, gpsvc, proc, &arg, &res);
+        ret = gp_rpc_execute(gpcall, proc, &arg, &res);
         if (ret) {
             acc = GP_RPC_SYSTEM_ERR;
             ret = EINVAL;
-- 
cgit