This is an automated email from the git hooks/post-receive script.
rharwood pushed a commit to branch master
in repository gssproxy.
commit 6fb14b1c9c111b3aab9dbc34ead7db5c77024351
Author: Simo Sorce <simo(a)redhat.com>
Date: Wed Jan 4 09:13:42 2017 -0500
Add control to permit/deny protocol transition
Denies by default.
Signed-off-by: Simo Sorce <simo(a)redhat.com>
Reviewed-by: Robbie Harwood <rharwood(a)redhat.com>
---
proxy/man/gssproxy.conf.5.xml | 12 ++++++++++++
proxy/src/gp_config.c | 8 ++++++++
proxy/src/gp_creds.c | 13 ++++++-------
proxy/src/gp_proxy.h | 1 +
4 files changed, 27 insertions(+), 7 deletions(-)
diff --git a/proxy/man/gssproxy.conf.5.xml b/proxy/man/gssproxy.conf.5.xml
index 9a79894..6d44e8a 100644
--- a/proxy/man/gssproxy.conf.5.xml
+++ b/proxy/man/gssproxy.conf.5.xml
@@ -102,6 +102,18 @@
</varlistentry>
<varlistentry>
+ <term>allow_protocol_transition (boolean)</term>
+ <listitem>
+ <para>Allow clients to request a ticket to self for an
arbitrary user.</para>
+ <para>This option controls whether s4u2self requests are
allowed for the
+ requesting client. The configured keytab is used as the
service
+ identity for which a ticket is requested. The KDC still
needs to allow
+ the operation for it to succeed.</para>
+ <para>Default: false</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>cred_usage (string)</term>
<listitem>
<para>Allow to restrict the kind of operations permitted
for this service.</para>
diff --git a/proxy/src/gp_config.c b/proxy/src/gp_config.c
index 7135cb4..8a449c7 100644
--- a/proxy/src/gp_config.c
+++ b/proxy/src/gp_config.c
@@ -371,6 +371,14 @@ static int load_services(struct gp_config *cfg, struct gp_ini_context
*ctx)
}
}
+ ret = gp_config_get_string(ctx, secname,
+ "allow_protocol_transition",
&value);
+ if (ret == 0) {
+ if (gp_boolean_is_true(value)) {
+ cfg->svcs[n]->allow_proto_trans = true;
+ }
+ }
+
ret = gp_config_get_string(ctx, secname, "trusted", &value);
if (ret == 0) {
if (gp_boolean_is_true(value)) {
diff --git a/proxy/src/gp_creds.c b/proxy/src/gp_creds.c
index 8af5a9d..8fafa66 100644
--- a/proxy/src/gp_creds.c
+++ b/proxy/src/gp_creds.c
@@ -203,17 +203,16 @@ static bool try_impersonate(struct gp_service *svc,
gss_cred_usage_t cred_usage,
enum gp_aqcuire_cred_type acquire_type)
{
- if (acquire_type == ACQ_IMPNAME) {
+ if (acquire_type == ACQ_IMPNAME &&
+ (svc->allow_proto_trans || svc->trusted)) {
return true;
}
- if (!svc->impersonate) {
- return false;
- }
- if (cred_usage == GSS_C_ACCEPT) {
- return false;
+ if (svc->impersonate &&
+ (cred_usage == GSS_C_INITIATE || cred_usage == GSS_C_BOTH)) {
+ return true;
}
- return true;
+ return false;
}
static int gp_get_cred_environment(struct gp_call_ctx *gpcall,
diff --git a/proxy/src/gp_proxy.h b/proxy/src/gp_proxy.h
index abcd201..4216b72 100644
--- a/proxy/src/gp_proxy.h
+++ b/proxy/src/gp_proxy.h
@@ -30,6 +30,7 @@ struct gp_service {
char *name;
uid_t euid;
bool any_uid;
+ bool allow_proto_trans;
bool trusted;
bool kernel_nfsd;
bool impersonate;
--
To stop receiving notification emails like this one, please contact
the administrator of this repository.