Taylor R Campbell
e75e549252
Use AI_NUMERICSERV if block_dns, and use local getaddrinfo to audit.
...
This change has two parts:

1. Provide our own local implementation of numeric-only getaddrinfo
   in auditdns.c used to audit for DNS leaks, rather than deferring
   to dlsym(RTLD_NEXT, "getaddrinfo"), in terms of inet_pton.

   To keep review and implementation simple, this is limited to
   AI_NUMERICHOST _and_ AI_NUMERICSERV -- this requires that we
   arrange to pass AI_NUMERICSERV in callers too.

2. Wherever we implement block_dns, set AI_NUMERICSERV in addition to
   AI_NUMERICHOST as needed by the new auditdns.c getaddrinfo.

   (In principle this might also avoid other network leaks -- POSIX
   guarantees no name resolution service will be invoked, and gives
   NIS+ as an example.)

One tiny semantic change to avoid tripping over the auditor:
kadmin(8) now uses the string "749" rather than the string
"kerberos-adm". (Currently we don't audit kadmin(8) for DNS leaks
but let's avoid leaving a rake to step on.) Every other caller I
found is already guaranteed to pass a numeric service rather than
named service to getaddrinfo.

fix https://github.com/heimdal/heimdal/issues/1212
2024-01-09 16:06:32 -06:00
Taylor R Campbell
fd77c4000d
Ensure all calls to getaddrinfo are headed by a block_dns check.
...
If block_dns is set, call getaddrinfo with AI_NUMERICHOST set and
AI_CANONNAME clear.
Some paths may not have set AI_CANONNAME, but it's easier to audit
this way when the getaddrinfo prelude is uniform across call sites,
and the compiler can optimize it away.
2024-01-08 10:22:02 -06:00
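
Added example, not Heimdal's code: a minimal sketch of the uniform block_dns prelude from fd77c4000d combined with the AI_NUMERICSERV requirement from e75e549252, showing why a named service such as "kerberos-adm" is rejected while "749" is accepted. The names `gai_prelude` and `blocked_port` and the sample host and service strings are constructed for this illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L
#endif
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

/* Hypothetical helper: one uniform prelude in front of getaddrinfo. With
 * block_dns set, require numeric host AND service and clear AI_CANONNAME. */
static int gai_prelude(int block_dns, const char *host, const char *serv,
                       int flags, struct addrinfo **res)
{
    struct addrinfo hints;
    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_INET;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = flags;
    if (block_dns) {
        hints.ai_flags |= AI_NUMERICHOST | AI_NUMERICSERV;
        hints.ai_flags &= ~AI_CANONNAME;
    }
    return getaddrinfo(host, serv, &hints, res);
}

/* Port in host byte order, or -1 with the EAI_* code stored in *eai. */
int blocked_port(const char *host, const char *serv, int *eai)
{
    struct addrinfo *res = NULL;
    int port;
    /* The caller asks for AI_CANONNAME; the prelude strips it again. */
    *eai = gai_prelude(1, host, serv, AI_CANONNAME, &res);
    if (*eai != 0)
        return -1;
    port = ntohs(((struct sockaddr_in *)res->ai_addr)->sin_port);
    freeaddrinfo(res);
    return port;
}

int main(void)
{
    const char *serv[] = { "749", "kerberos-adm" }; /* constructed inputs */
    int i, eai;
    for (i = 0; i < 2; i++) {
        int port = blocked_port("127.0.0.1", serv[i], &eai);
        printf("%s -> port %d (%s)\n", serv[i], port,
               eai ? gai_strerror(eai) : "ok");
    }
    return 0;
}
```
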
Nicolas Williams
fc964cd545
klist: Fix warnings
2022-01-14 17:59:49 -06:00
Jeffrey Altman
28b9283709
kadmin: enable keepalive mode on incoming sockets
...
Change-Id: I07d0e0c866f1081002b3e20ca9198055f98fe7d1
2020-07-24 01:32:34 -04:00
Nicolas Williams
7fa85e6d6d
Round #3 of scan-build warnings cleanup
2016-11-16 23:27:27 -06:00
Nicolas Williams
644b45939e
kadmind: fix leak
2016-02-29 19:13:12 -06:00
Nicolas Williams
b48bed5f42
Daemons detach atomically to avoid having to wait
...
Tests that start daemons have to "wait" for them to start.
This commit makes Heimdal daemons prep to detach (when requested) by
forking early, then having the child signal readiness to the parent when
the child really is ready. The parent exits only when the child is
ready. This means that tests will no longer need to wait for daemons.
However, tests will still need a pidfile or such so they can stop the
daemons.
Note that the --detach options should not be used on OS X from launchd,
only from tests.
2015-03-24 11:49:59 -05:00
Ken Dreyer
11c9e28192
kadmin: handle systemd setpgid failure
...
When running as a service under systemd, kadmin cannot successfully use
setpgid(). The call fails with EPERM. Do not treat this as a fatal
error; instead, allow kadmind to continue starting up.
2014-05-31 02:03:38 -06:00
Love Hornquist Astrand
f5f9014c90
Warning fixes from Christos Zoulas
...
- shadowed variables
- signed/unsigned confusion
- const lossage
- incomplete structure initializations
- unused code
2011-04-29 20:25:05 -07:00
Love Hornquist Astrand
a85c548fd1
wait for dead children, and then abandon the live ones
2010-10-30 12:15:04 -07:00
Love Hornquist Astrand
2a2b229efc
reap all zombie children, prompted by bug report from Patrik Lundin
2010-10-27 19:34:28 -07:00
Love Hornquist Astrand
433b1d5073
drop RCSID
2010-03-16 12:52:58 -07:00
Love Hornquist Astrand
b914fd57c5
remove NO_INETD by shuffling code around
2009-12-25 06:37:57 +01:00
Love Hornquist Astrand
be73fa4687
use krb5_socket_t
2009-12-23 14:12:38 +01:00
Love Hornquist Astrand
160ddd0e43
use rk_closesocket
2009-12-23 14:06:37 +01:00
Asanka Herath
4eb90e1c8c
Use correct socket glue
2009-12-21 18:02:32 -05:00
Love Hornquist Astrand
86f4c66efd
Merge branch 'master' into wip/win32-port2
2009-11-25 05:41:14 -08:00
Asanka Herath
b191b1e12f
Make kdc build on windows
...
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
2009-11-24 22:19:37 -08:00
Asanka Herath
a1942c1bad
Use SOCKET data type instead of ints for sockets in kadmin
...
Also use the new mini_inetd() API
2009-11-24 10:17:51 -08:00
Love Hörnquist Åstrand
6937d41a02
remove trailing whitespace
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@23815 ec53bebd-3082-4978-b11e-865c3cabbd6b
2008-09-13 09:21:03 +00:00
Love Hörnquist Åstrand
e172367898
switch to utf8 encoding of all files
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@23814 ec53bebd-3082-4978-b11e-865c3cabbd6b
2008-09-13 08:53:55 +00:00
Love Hörnquist Åstrand
20f5affab7
Use unsigned where appropriate.
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@22878 ec53bebd-3082-4978-b11e-865c3cabbd6b
2008-04-07 18:51:00 +00:00
Love Hörnquist Åstrand
85efde1d67
Use socket_set_reuseaddr and socket_set_ipv6only.
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@16007 ec53bebd-3082-4978-b11e-865c3cabbd6b
2005-09-01 18:49:57 +00:00
Love Hörnquist Åstrand
5654000990
lower amount of shadow and const warnings
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@15587 ec53bebd-3082-4978-b11e-865c3cabbd6b
2005-07-07 22:06:50 +00:00
Johan Danielsson
2450e7b7f8
nuke kerberos 4 kadmin goo
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@13845 ec53bebd-3082-4978-b11e-865c3cabbd6b
2004-05-13 17:46:20 +00:00
Johan Danielsson
fed79b33b9
add option to disable kerberos 4 kadmin
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@11489 ec53bebd-3082-4978-b11e-865c3cabbd6b
2002-10-21 13:21:24 +00:00
Assar Westerlund
ee7b297ea4
(start_server): fix krb5_eai_to_heim_errno call
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@9958 ec53bebd-3082-4978-b11e-865c3cabbd6b
2001-05-16 22:06:44 +00:00
Assar Westerlund
cfc67df100
update to new krb5_sockaddr2address
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@9938 ec53bebd-3082-4978-b11e-865c3cabbd6b
2001-05-14 06:16:07 +00:00
Assar Westerlund
e89f92ca36
(spawn_child): close the newly created socket in the packet, it's not
...
used. from <shadow@dementia.org>
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@9579 ec53bebd-3082-4978-b11e-865c3cabbd6b
2001-01-29 08:43:01 +00:00
Assar Westerlund
7dcc3f2d3f
(spawn_child): use a struct sockaddr_storage
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@9425 ec53bebd-3082-4978-b11e-865c3cabbd6b
2000-12-31 02:50:42 +00:00
Assar Westerlund
7d066146ec
(wait_for_connection): check for fd's being too large to select on
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@9190 ec53bebd-3082-4978-b11e-865c3cabbd6b
2000-11-15 23:07:50 +00:00
Assar Westerlund
9f942d2755
use socklen_t instead of int where appropriate. From <thorpej@netbsd.org>
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@8907 ec53bebd-3082-4978-b11e-865c3cabbd6b
2000-08-06 23:03:10 +00:00
Assar Westerlund
4e5af56545
use sa_size instead of sa_len, some systems define this to emulate
...
anonymous unions
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@8847 ec53bebd-3082-4978-b11e-865c3cabbd6b
2000-07-27 05:22:14 +00:00
Johan Danielsson
d5bd139156
make the parent process wait for children and terminate after
...
receiving a signal, also terminate on SIGINT
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@8777 ec53bebd-3082-4978-b11e-865c3cabbd6b
2000-07-22 15:41:07 +00:00
Johan Danielsson
950ad5b73d
(wait_term): if we're doing something, just set a flag otherwise
...
exit right away
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@8738 ec53bebd-3082-4978-b11e-865c3cabbd6b
2000-07-21 23:28:10 +00:00
Assar Westerlund
8687021cc9
remove sys/select.h. make signal handlers type-correct and static
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@8725 ec53bebd-3082-4978-b11e-865c3cabbd6b
2000-07-20 22:37:45 +00:00
Assar Westerlund
490b6764e4
(start_server): fix printf format
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@8718 ec53bebd-3082-4978-b11e-865c3cabbd6b
2000-07-20 12:31:00 +00:00
Johan Danielsson
20d9b29400
put all processes in a new process group
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@8687 ec53bebd-3082-4978-b11e-865c3cabbd6b
2000-07-17 16:14:06 +00:00
Johan Danielsson
08b9e3c3dc
socket creation functions
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@8642 ec53bebd-3082-4978-b11e-865c3cabbd6b
2000-07-11 13:02:34 +00:00