From 377741700be52a7f496231ab808a673e3e8ff10e Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Sun, 23 Nov 2014 21:07:58 +0100
Subject: [PATCH 117/117] PAM: Move is_uid_trusted from pam_ctx to preq
Keeping a per-request flag in a global structure is really dangerous.
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/responder/pam/pamsrv.h | 2 +-
src/responder/pam/pamsrv_cmd.c | 23 ++++++++++++-----------
2 files changed, 13 insertions(+), 12 deletions(-)
diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
index f92e7f7db0964777c26d69c7c08471a19de8ade3..066f35a428a9af81d665309b4ab5a80cf69561ba 100644
--- a/src/responder/pam/pamsrv.h
+++ b/src/responder/pam/pamsrv.h
@@ -39,7 +39,6 @@ struct pam_ctx {
hash_table_t *id_table;
size_t trusted_uids_count;
uid_t *trusted_uids;
- bool is_uid_trusted;
/* List of domains that are accessible even for untrusted users. */
char **public_domains;
@@ -58,6 +57,7 @@ struct pam_auth_req {
pam_dp_callback_t *callback;
+ bool is_uid_trusted;
bool check_provider;
void *data;
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index b60ccba2d4ff669e7ed0252923a53755410851e3..02720018b91e1319346a023eca571913b544284a 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -849,15 +849,6 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd)
talloc_get_type(cctx->rctx->pvt_ctx, struct pam_ctx);
struct tevent_req *req;
- pctx->is_uid_trusted = is_uid_trusted(cctx->client_euid,
- pctx->trusted_uids_count,
- pctx->trusted_uids);
-
- if (!pctx->is_uid_trusted) {
- DEBUG(SSSDBG_MINOR_FAILURE, "uid %"PRIu32" is not trusted.\n",
- cctx->client_euid);
- }
-
preq = talloc_zero(cctx, struct pam_auth_req);
if (!preq) {
return ENOMEM;
@@ -872,6 +863,16 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd)
}
pd = preq->pd;
+ preq->is_uid_trusted = is_uid_trusted(cctx->client_euid,
+ pctx->trusted_uids_count,
+ pctx->trusted_uids);
+
+ if (!preq->is_uid_trusted) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "uid %"PRIu32" is not trusted.\n",
+ cctx->client_euid);
+ }
+
+
pd->cmd = pam_cmd;
pd->priv = cctx->priv;
@@ -1304,7 +1305,7 @@ static void pam_dom_forwarder(struct pam_auth_req *preq)
}
/* Untrusted users can access only public domains. */
- if (!pctx->is_uid_trusted &&
+ if (!preq->is_uid_trusted &&
!is_domain_public(preq->pd->domain, pctx->public_domains,
pctx->public_domains_count)) {
DEBUG(SSSDBG_MINOR_FAILURE,
@@ -1317,7 +1318,7 @@ static void pam_dom_forwarder(struct pam_auth_req *preq)
/* skip this domain if not requested and the user is trusted
* as untrusted users can't request a domain */
- if (pctx->is_uid_trusted &&
+ if (preq->is_uid_trusted &&
!is_domain_requested(preq->pd, preq->pd->domain)) {
preq->pd->pam_status = PAM_USER_UNKNOWN;
pam_reply(preq);
--
1.9.3