mirror of
https://github.com/bolkedebruin/rdpgw.git
synced 2026-05-13 11:50:06 +00:00
The auth daemon's gRPC socket was world-writable and accepted any local UID that could connect to it. On a multi-tenant host any user on the box could speak the gRPC API and run an arbitrary username/password through PAM -- effectively an unauthenticated PAM oracle. Create the socket with mode 0660 (Umask(0117)) and gate Accept on SO_PEERCRED: only the daemon's own UID is allowed by default, plus any operator-supplied --allow-uid / --allow-gid. Privilege-separated deployments (rdpgw and rdpgw-auth as different users) need to list the gateway's UID, or share a group; the existing path otherwise would have been permissive. The peer-credentials check is Linux-only; the non-Linux build keeps the listener as-is and logs a warning, since rdpgw-auth itself requires libpam and is effectively Linux-only in practice.
61 lines
2.2 KiB
Modula-2
module github.com/bolkedebruin/rdpgw

go 1.24.2

require (
	github.com/andrewheberle/rdpsign v1.1.0
	github.com/bolkedebruin/gokrb5/v8 v8.5.0
	github.com/coreos/go-oidc/v3 v3.9.0
	github.com/fatih/structs v1.1.0
	github.com/go-jose/go-jose/v4 v4.1.4
	github.com/go-viper/mapstructure/v2 v2.4.0
	github.com/google/uuid v1.6.0
	github.com/gorilla/mux v1.8.1
	github.com/gorilla/sessions v1.2.2
	github.com/gorilla/websocket v1.5.1
	github.com/jcmturner/gofork v1.7.6
	github.com/jcmturner/goidentity/v6 v6.0.1
	github.com/knadh/koanf/parsers/yaml v0.1.0
	github.com/knadh/koanf/providers/confmap v0.1.0
	github.com/knadh/koanf/providers/env v0.1.0
	github.com/knadh/koanf/providers/file v0.1.0
	github.com/knadh/koanf/v2 v2.1.0
	github.com/m7913d/go-ntlm v0.0.1
	github.com/msteinert/pam/v2 v2.0.0
	github.com/patrickmn/go-cache v2.1.0+incompatible
	github.com/prometheus/client_golang v1.19.0
	github.com/spf13/afero v1.14.0
	github.com/stretchr/testify v1.10.0
	github.com/thought-machine/go-flags v1.6.3
	golang.org/x/crypto v0.46.0
	golang.org/x/oauth2 v0.34.0
	golang.org/x/sys v0.39.0
	google.golang.org/grpc v1.79.3
	google.golang.org/protobuf v1.36.10
)

require (
	github.com/beorn7/perks v1.0.1 // indirect
	github.com/cespare/xxhash/v2 v2.3.0 // indirect
	github.com/davecgh/go-spew v1.1.1 // indirect
	github.com/fsnotify/fsnotify v1.7.0 // indirect
	github.com/go-jose/go-jose/v3 v3.0.5 // indirect
	github.com/gorilla/securecookie v1.1.2 // indirect
	github.com/hashicorp/go-uuid v1.0.3 // indirect
	github.com/jcmturner/aescts/v2 v2.0.0 // indirect
	github.com/jcmturner/dnsutils/v2 v2.0.0 // indirect
	github.com/jcmturner/rpc/v2 v2.0.3 // indirect
	github.com/knadh/koanf/maps v0.1.1 // indirect
	github.com/kr/text v0.2.0 // indirect
	github.com/mitchellh/copystructure v1.2.0 // indirect
	github.com/mitchellh/reflectwalk v1.0.2 // indirect
	github.com/pmezard/go-difflib v1.0.0 // indirect
	github.com/prometheus/client_model v0.6.0 // indirect
	github.com/prometheus/common v0.50.0 // indirect
	github.com/prometheus/procfs v0.13.0 // indirect
	golang.org/x/net v0.48.0 // indirect
	golang.org/x/text v0.32.0 // indirect
	google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 // indirect
	gopkg.in/yaml.v3 v3.0.1 // indirect
)