History log of /sssd/src/p11_child/p11_child_nss.c
Revision Date Author Comments
cc2d77d5218c188119fa954c856e858cbde76947 20-Jun-2016 Pavel Březina <pbrezina@redhat.com>

Rename dp_backend.h to backend.h
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

/sssd/Makefile.am p11_child_nss.c /sssd/src/providers/ad/ad_access.c /sssd/src/providers/ad/ad_gpo.c /sssd/src/providers/ad/ad_gpo_child.c /sssd/src/providers/ad/ad_srv.c /sssd/src/providers/ad/ad_subdomains.h /sssd/src/providers/backend.h /sssd/src/providers/be_dyndns.c /sssd/src/providers/be_ptask.c /sssd/src/providers/be_refresh.c /sssd/src/providers/data_provider_be.c /sssd/src/providers/data_provider_callbacks.c /sssd/src/providers/data_provider_fo.c /sssd/src/providers/ipa/ipa_auth.h /sssd/src/providers/ipa/ipa_dyndns.h /sssd/src/providers/ipa/ipa_subdomains.h /sssd/src/providers/ipa/selinux_child.c /sssd/src/providers/krb5/krb5_auth.h /sssd/src/providers/krb5/krb5_child.c /sssd/src/providers/krb5/krb5_common.c /sssd/src/providers/krb5/krb5_common.h /sssd/src/providers/ldap/ldap_access.c /sssd/src/providers/ldap/ldap_child.c /sssd/src/providers/ldap/ldap_common.h /sssd/src/providers/ldap/sdap.h /sssd/src/providers/ldap/sdap_access.c /sssd/src/providers/ldap/sdap_access.h /sssd/src/providers/ldap/sdap_async.h /sssd/src/providers/ldap/sdap_async_sudo.c /sssd/src/providers/ldap/sdap_autofs.c /sssd/src/providers/ldap/sdap_dyndns.c /sssd/src/providers/ldap/sdap_dyndns.h /sssd/src/providers/ldap/sdap_sudo.c /sssd/src/providers/ldap/sdap_sudo.h /sssd/src/providers/ldap/sdap_sudo_shared.h /sssd/src/providers/proxy/proxy.h /sssd/src/providers/proxy/proxy_child.c /sssd/src/providers/simple/simple_access.c /sssd/src/providers/simple/simple_access_check.c /sssd/src/tests/cmocka/test_be_ptask.c /sssd/src/tests/cmocka/test_data_provider_be.c
53ef8f81b60929a6c866efdd133627e7d7d61705 09-Jun-2016 Sumit Bose <sbose@redhat.com>

p11: add OCSP default responder options
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

aa35995ef056aa8ae052a47c62c6750b7adf065e 09-Jun-2016 Sumit Bose <sbose@redhat.com>

p11: add no_verification option
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

de1131abe5ba7aaeb59f81fc3a9cd2a71c0b52dd 14-Dec-2015 Lukas Slebodnik <lslebodn@redhat.com>

DEBUG: Add missing new lines
Reviewed-by: Petr Cech <pcech@redhat.com>

544a20de7667f05c1a406c4dea0706b0ab507430 26-Nov-2015 Sumit Bose <sbose@redhat.com>

p11: enable ocsp checks
This patch enables the Online Certificate Status Protocol in NSS and adds an option to disable it if needed. To make further tuning of certificate verification easier, it is not an option on its own but an option to the new certificate_verification configuration option.
Resolves https://fedorahosted.org/sssd/ticket/2812
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

d0de7701d44c7a75210a9cb04634913ce3a94bfb 26-Nov-2015 Sumit Bose <sbose@redhat.com>

p11: check if cert is valid before selecting it
Currently the first certificate was selected and if it was not valid p11_child just returned an error. With this patch the validity is checked first and the first valid certificate is selected.
Resolves https://fedorahosted.org/sssd/ticket/2801
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

3be9e26dcd169d44ae105f1b8a0674464c700b77 20-Nov-2015 Sumit Bose <sbose@redhat.com>

p11: allow p11_child to run completely unprivileged
The only operation of p11_child which requires special privileges is the communication to pcscd which handles the Smartcard access. pcscd uses policy-kit for access control so access can easily be configured by dropping config snippets into the right directory. If SSSD is configured to run as un-privileged user this patch creates the needed config snippet for policy-kit and installs it in a suitable directory. As a result p11_child does not have to be installed with SETUID or SETGID bits set.
Resolves https://fedorahosted.org/sssd/ticket/2755 by making it obsolete
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

ae627e216689b0a5834f36aaaa007ed584ef033d 14-Oct-2015 Petr Cech <pcech@redhat.com>

P11_CHILD_NSS: More restrictive permissions
p11_child_nss runs as root and we must be careful about security. This patch adds more restrictive permissions on it. There is no reason for 0077, so we use 0177 umask.
Resolves: https://fedorahosted.org/sssd/ticket/2424
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

f8e337540d280f944098cd4dd7d670e2f7166b54 14-Oct-2015 Petr Cech <pcech@redhat.com>

REFACTOR: umask(077) --> umask(SSS_DFL_X_UMASK)
There are many calls of umask function with 077 argument. This patch adds a new constant SSS_DFL_X_UMASK which stands for 077. So all occurrences of umask(077) are replaced by constant SSS_DFL_X_UMASK.
Resolves: https://fedorahosted.org/sssd/ticket/2424
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

13f30f69eec02d0c0aaccc7b544dee1326a5e9d4 17-Aug-2015 Jakub Hrozek <jhrozek@redhat.com>

p11child: set restrictive umask and clear environment
https://fedorahosted.org/sssd/ticket/2754
Before doing any calls, set a very restrictive umask and clear environment variables to harden p11child execution.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

45726939a48e605b0166521f94300ae04981a3a7 31-Jul-2015 Sumit Bose <sbose@redhat.com>

Add NSS version of p11_child
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>