| Commit message (Collapse) | Author | Age |
|
|
|
|
|
|
|
|
| |
Commit 22a59d2d8b48cb2762362bd71e24293a53bca09a added basic seccomp
support to zhm. Since zhm currently runs as root and handles network
traffic, any sandboxing we can get is a good idea. Take a dependency
on libseccomp-dev and enable seccomp support for zhm. This breaks
building on kFreeBSD, but this package doesn’t currently build there
anyway, so it’s not making things any worse.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Prevent zhm from doing some evil things while it runs (e.g., ptracing)
by implementing a basic seccomp-bpf filter. The filter still allows a
lot of potentially dangerous operations (e.g., unlink(2)), but this is
a good start.
The filter is based partly on a close reading of the zhm and libhesiod
source code and partly on empirical evidence from running zhm under
strace. I’ve run zhm with this filter for several days without
incident, but some edge cases (e.g., server failover) are still
untested.
configure decides whether or not to enable seccomp by looking for
libseccomp. By default, it treats seccomp as an enhancement and enables
it opportunistically. Builders can force seccomp to be enabled or
disabled by passing --with-seccomp or --without-seccomp, respectively,
to configure.
|
|
|
|
| |
"#ifd" is not a valid preprocessor symbol.
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
| |
I need to learn to be more careful when throwing around the word "properly".
|
| |
|
|
|
|
|
|
|
|
| |
If no hostname is specified, use 127.0.0.1, rather than trying to infer the
IP address of the local host from the system hostname, because as computers
are considerably cheaper and lighter than they were in 1987, they are
somewhat more often on the network on an address that doesn't match their
hostname.
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
| |
Just in case there's a system krb5-config and we're being told to use some
other one..
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
| |
Having more plausible claimants to the title of "python zephyr module"
installed was interfering with builds.
|
| |
|
| |
|
| |
|
|
|
|
| |
This is unlikely to ever get merged, but it'll be handy for roost.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This allows for authentication checking to continue working even when tickets
expire or are renewed.
Also include key expiration logic. This is possibly overly conservative and
paranoid by a couple orders of magnitude.
Intentionally do not use SERVACK because they're mildly annoying to get at and
aren't authenticated. When we receive a notice authenticated with a key, we
know the server has received it. From there, we can infer that sufficiently old
keys are stale. We can't remove stale keys immediately because some older
notices may still be in flight, but after a grace period they can go.
The timeout is set to 60 seconds, which is fairly high, but matches
Z_ReadWait's timeout.
|
|
|
|
|
|
|
| |
The start of proper session key management in libzephyr. A new Z_AuthProc is
added which appends the key into a queue. ZSubscribeTo and
ZSubscribeToSansDefaults are modified to use it. For now, it's extremely simple
and makes no attempt to expire old keys.
|
|
|
|
| |
Explicitly takes a krb5_creds as input.
|
|
|
|
|
|
|
| |
Basing it on krb4's CLOCK_SKEW value doesn't make any sense. We pick 900
because it is just over 128 + 256 + 512, the longest group of three timeouts in
the retransmit schedule used by the zephyrd. This allows us to miss two packets
in a row and still be fine.
|
|
|
|
|
|
| |
If we see a duplicated packet, that means the server missed (or raced with) our
CLIENTACK, which means we should update the timestamp on the entry to reset the
aging.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This effectively reverts 170736db76139ed9fff9dbf70a55d4ba4f25d9bd. That commit
didn't work anyway. It fails to update packet_len, so we computed the
Z_InputQ's header_len wrong and fail to truncate the garbage anyway. Plus
packets like that likely come from a broken cross-realm zephyrd without
f276622ace757977fec43633e43577350e0cf6fe, so we want to drop them.
That patch has yet to be in a released libzephyr, so if there are other sources
of notices with trailing garbage, no one was relying on them working anyway.
On the contrary, we were relying on them NOT working in that it masks broken
cross-realm zephyrds.
|
|
|
|
|
| |
The holelist isn't kept sorted; we used to always append to the end. But it's a
singly-linked list, so prepending to it is going to be much much simpler.
|
|
|
|
| |
messing it up
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Although the previous commit should make it very unlikely we screw up the
subscription sharding, be defensive about waiting for SERVACKs. ZSubscribeTo
does mess up, Z_SendFragmentedNotice will shard with a z_multiuid. In that
case, although the second packet will get a SERVACK, Z_ReadWait kindly drops it
on the floor. The ZIfNotice will then just hang.
Tested by bumping zwgc's BATCH_SIZE up to 200, reverting the previous commit,
and strace.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Header lengths are not constant-size because Zcode escapes bytes 0xFF and 0x00
into two bytes. If we end up filling up close to all the space we have and
Z_SendFragmentedNotice then computes a header length larger than ours by
enough, the message gets fragmented.
Getting it fragmented is especially unfortunate because only the first of a
fragmented notice ever has a SERVACK survive. (They all get SERVACKs, but
libzephyr kindly drops all but the first on the floor.)
This isn't a watertight fix; we may get really really unlucky and blow up 13
bytes in the authenticator and checksum. But that's not likely, and a proper
fix would involve either computing based on the maximum possible authenticator
size (wasteful and hard to bound tightly) or changing to protocol to use a less
inappropriate encoding.
|
| |
|
|
|
|
| |
Looks like it's the same as free right now, but may as well call the right one.
|