|
 |
905b4d |
From 377741700be52a7f496231ab808a673e3e8ff10e Mon Sep 17 00:00:00 2001
|
|
|
905b4d |
From: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
905b4d |
Date: Sun, 23 Nov 2014 21:07:58 +0100
|
|
|
905b4d |
Subject: [PATCH 117/117] PAM: Move is_uid_trusted from pam_ctx to preq
|
|
|
905b4d |
|
|
|
905b4d |
Keeping a per-request flag in a global structure is really dangerous.
|
|
|
905b4d |
|
|
|
905b4d |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
905b4d |
---
|
|
|
905b4d |
src/responder/pam/pamsrv.h | 2 +-
|
|
|
905b4d |
src/responder/pam/pamsrv_cmd.c | 23 ++++++++++++-----------
|
|
|
905b4d |
2 files changed, 13 insertions(+), 12 deletions(-)
|
|
|
905b4d |
|
|
|
905b4d |
diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
|
|
|
905b4d |
index f92e7f7db0964777c26d69c7c08471a19de8ade3..066f35a428a9af81d665309b4ab5a80cf69561ba 100644
|
|
|
905b4d |
--- a/src/responder/pam/pamsrv.h
|
|
|
905b4d |
+++ b/src/responder/pam/pamsrv.h
|
|
|
905b4d |
@@ -39,7 +39,6 @@ struct pam_ctx {
|
|
|
905b4d |
hash_table_t *id_table;
|
|
|
905b4d |
size_t trusted_uids_count;
|
|
|
905b4d |
uid_t *trusted_uids;
|
|
|
905b4d |
- bool is_uid_trusted;
|
|
|
905b4d |
|
|
|
905b4d |
/* List of domains that are accessible even for untrusted users. */
|
|
|
905b4d |
char **public_domains;
|
|
|
905b4d |
@@ -58,6 +57,7 @@ struct pam_auth_req {
|
|
|
905b4d |
|
|
|
905b4d |
pam_dp_callback_t *callback;
|
|
|
905b4d |
|
|
|
905b4d |
+ bool is_uid_trusted;
|
|
|
905b4d |
bool check_provider;
|
|
|
905b4d |
void *data;
|
|
|
905b4d |
|
|
|
905b4d |
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
|
|
|
905b4d |
index b60ccba2d4ff669e7ed0252923a53755410851e3..02720018b91e1319346a023eca571913b544284a 100644
|
|
|
905b4d |
--- a/src/responder/pam/pamsrv_cmd.c
|
|
|
905b4d |
+++ b/src/responder/pam/pamsrv_cmd.c
|
|
|
905b4d |
@@ -849,15 +849,6 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd)
|
|
|
905b4d |
talloc_get_type(cctx->rctx->pvt_ctx, struct pam_ctx);
|
|
|
905b4d |
struct tevent_req *req;
|
|
|
905b4d |
|
|
|
905b4d |
- pctx->is_uid_trusted = is_uid_trusted(cctx->client_euid,
|
|
|
905b4d |
- pctx->trusted_uids_count,
|
|
|
905b4d |
- pctx->trusted_uids);
|
|
|
905b4d |
-
|
|
|
905b4d |
- if (!pctx->is_uid_trusted) {
|
|
|
905b4d |
- DEBUG(SSSDBG_MINOR_FAILURE, "uid %"PRIu32" is not trusted.\n",
|
|
|
905b4d |
- cctx->client_euid);
|
|
|
905b4d |
- }
|
|
|
905b4d |
-
|
|
|
905b4d |
preq = talloc_zero(cctx, struct pam_auth_req);
|
|
|
905b4d |
if (!preq) {
|
|
|
905b4d |
return ENOMEM;
|
|
|
905b4d |
@@ -872,6 +863,16 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd)
|
|
|
905b4d |
}
|
|
|
905b4d |
pd = preq->pd;
|
|
|
905b4d |
|
|
|
905b4d |
+ preq->is_uid_trusted = is_uid_trusted(cctx->client_euid,
|
|
|
905b4d |
+ pctx->trusted_uids_count,
|
|
|
905b4d |
+ pctx->trusted_uids);
|
|
|
905b4d |
+
|
|
|
905b4d |
+ if (!preq->is_uid_trusted) {
|
|
|
905b4d |
+ DEBUG(SSSDBG_MINOR_FAILURE, "uid %"PRIu32" is not trusted.\n",
|
|
|
905b4d |
+ cctx->client_euid);
|
|
|
905b4d |
+ }
|
|
|
905b4d |
+
|
|
|
905b4d |
+
|
|
|
905b4d |
pd->cmd = pam_cmd;
|
|
|
905b4d |
pd->priv = cctx->priv;
|
|
|
905b4d |
|
|
|
905b4d |
@@ -1304,7 +1305,7 @@ static void pam_dom_forwarder(struct pam_auth_req *preq)
|
|
|
905b4d |
}
|
|
|
905b4d |
|
|
|
905b4d |
/* Untrusted users can access only public domains. */
|
|
|
905b4d |
- if (!pctx->is_uid_trusted &&
|
|
|
905b4d |
+ if (!preq->is_uid_trusted &&
|
|
|
905b4d |
!is_domain_public(preq->pd->domain, pctx->public_domains,
|
|
|
905b4d |
pctx->public_domains_count)) {
|
|
|
905b4d |
DEBUG(SSSDBG_MINOR_FAILURE,
|
|
|
905b4d |
@@ -1317,7 +1318,7 @@ static void pam_dom_forwarder(struct pam_auth_req *preq)
|
|
|
905b4d |
|
|
|
905b4d |
/* skip this domain if not requested and the user is trusted
|
|
|
905b4d |
* as untrusted users can't request a domain */
|
|
|
905b4d |
- if (pctx->is_uid_trusted &&
|
|
|
905b4d |
+ if (preq->is_uid_trusted &&
|
|
|
905b4d |
!is_domain_requested(preq->pd, preq->pd->domain)) {
|
|
|
905b4d |
preq->pd->pam_status = PAM_USER_UNKNOWN;
|
|
|
905b4d |
pam_reply(preq);
|
|
|
905b4d |
--
|
|
|
905b4d |
1.9.3
|
|
|
905b4d |
|