[gssproxy] 05/07: Add control to permit/deny protocol transition

This is an automated email from the git hooks/post-receive script. rharwood pushed a commit to branch master in repository gssproxy. commit 6fb14b1c9c111b3aab9dbc34ead7db5c77024351 Author: Simo Sorce <simo(a)redhat.com&gt; Date: Wed Jan 4 09:13:42 2017 -0500 Add control to permit/deny protocol transition Denies by default. Signed-off-by: Simo Sorce <simo(a)redhat.com&gt; Reviewed-by: Robbie Harwood <rharwood(a)redhat.com&gt; --- proxy/man/gssproxy.conf.5.xml | 12 ++++++++++++ proxy/src/gp_config.c | 8 ++++++++ proxy/src/gp_creds.c | 13 ++++++------- proxy/src/gp_proxy.h | 1 + 4 files changed, 27 insertions(+), 7 deletions(-) diff --git a/proxy/man/gssproxy.conf.5.xml b/proxy/man/gssproxy.conf.5.xml index 9a79894..6d44e8a 100644 --- a/proxy/man/gssproxy.conf.5.xml +++ b/proxy/man/gssproxy.conf.5.xml @@ -102,6 +102,18 @@ </varlistentry> <varlistentry> + <term>allow_protocol_transition (boolean)</term> + <listitem> + <para>Allow clients to request a ticket to self for an arbitrary user.</para> + <para>This option controls whether s4u2self requests are allowed for the + requesting client. The configured keytab is used as the service + identity for which a ticket is requested. The KDC still needs to allow + the operation for it to succeed.</para> + <para>Default: false</para> + </listitem> + </varlistentry> + + <varlistentry> <term>cred_usage (string)</term> <listitem> <para>Allow to restrict the kind of operations permitted for this service.</para> diff --git a/proxy/src/gp_config.c b/proxy/src/gp_config.c index 7135cb4..8a449c7 100644 --- a/proxy/src/gp_config.c +++ b/proxy/src/gp_config.c @@ -371,6 +371,14 @@ static int load_services(struct gp_config *cfg, struct gp_ini_context *ctx) } } + ret = gp_config_get_string(ctx, secname, + "allow_protocol_transition", &value); + if (ret == 0) { + if (gp_boolean_is_true(value)) { + cfg->svcs[n]->allow_proto_trans = true; + } + } + ret = gp_config_get_string(ctx, secname, "trusted", &value); if (ret == 0) { if (gp_boolean_is_true(value)) { diff --git a/proxy/src/gp_creds.c b/proxy/src/gp_creds.c index 8af5a9d..8fafa66 100644 --- a/proxy/src/gp_creds.c +++ b/proxy/src/gp_creds.c @@ -203,17 +203,16 @@ static bool try_impersonate(struct gp_service *svc, gss_cred_usage_t cred_usage, enum gp_aqcuire_cred_type acquire_type) { - if (acquire_type == ACQ_IMPNAME) { + if (acquire_type == ACQ_IMPNAME && + (svc->allow_proto_trans || svc->trusted)) { return true; } - if (!svc->impersonate) { - return false; - } - if (cred_usage == GSS_C_ACCEPT) { - return false; + if (svc->impersonate && + (cred_usage == GSS_C_INITIATE || cred_usage == GSS_C_BOTH)) { + return true; } - return true; + return false; } static int gp_get_cred_environment(struct gp_call_ctx *gpcall, diff --git a/proxy/src/gp_proxy.h b/proxy/src/gp_proxy.h index abcd201..4216b72 100644 --- a/proxy/src/gp_proxy.h +++ b/proxy/src/gp_proxy.h @@ -30,6 +30,7 @@ struct gp_service { char *name; uid_t euid; bool any_uid; + bool allow_proto_trans; bool trusted; bool kernel_nfsd; bool impersonate; -- To stop receiving notification emails like this one, please contact the administrator of this repository.