On Fri, 2013-10-18 at 15:49 +0200, Günther Deschner wrote:
Thanks, reviewed and pushed to master, will be in future 0.3.0.
Thanks!
Next time, I think it would make more sense to split out the
preparing
prototype changes to separate patches so one can review the real meat of
this patch easier.
Yeah, you could have nacked though, I'd been glad to change the patches.
Simo.
Guenther
On 15/10/13 14:37, Simo Sorce wrote:
> These 2 patches add support for serving arbitrary UIDs from the
> GSS-Proxy.
>
> This is needed to support a change in rpc.gssd, which will start
> changing uid to impersonate users before performing GSSAPI operations.
>
> Patch 1 propagates the actual ui connecting and restrict that
> trustworthiness of the client if it is not the configured uid.
> Adds a new option called 'allow_any_uid' that needs to be enabled to
> allow matching of a service to an otherwise not matching service.
>
> This also means that sections with allow_any_uid = yes should be defined
> last otherwise they may match early (unless selinux_context is also
> defined and it prevents matching). In case of conflicts different
> sockets may be used.
>
> This implements #103
>
> Patch 2 implements an additional restriction to what a client can do.
> Because untrusted clients can connect we can now restrict what a client
> can do with the defined credentials. This way an untrusted client can
> for example only use credentials for initiation but not for accepting
> contexts. This is useful in the NFS case where we do define as default
> the host keytab but we do not want a random process to be allowed to
> trick a remote client to connect to it claiming it is the host/ service.
>
> This implements #104
>
> Simo.
>
>
>
> _______________________________________________
> gss-proxy mailing list
> gss-proxy(a)lists.fedorahosted.org
>
https://lists.fedorahosted.org/mailman/listinfo/gss-proxy
>
--
Simo Sorce * Red Hat, Inc * New York