From 0620f73a3c4b494112b75eeedfed4933e231382f Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Wed, 10 Dec 2014 12:02:47 +0100
Subject: [PATCH 135/138] PAM: Missing argument to domains= should fail auth

When the administrator sets the domains= list, he usually wants to restrict the set of domains. An empty list is an undefined configuration and it's safer to fail then.
https://fedorahosted.org/sssd/ticket/2516
Reviewed-by: Pavel Reichl
---
 src/sss_client/pam_sss.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index d64e826daeb80be8998ef3b410047e3a44051b07..fdf6c9e6da75c9f7eaa7c00d9a5792fbdd97eabc 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -1487,6 +1487,12 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
 eval_argv(pamh, argc, argv, &flags, &retries, &quiet_mode, &domains);
+ /* Fail all authentication on misconfigured domains= parameter. The admin
+ * probably wanted to restrict authentication, so it's safer to fail */
+ if (domains && strcmp(domains, "") == 0) {
+ return PAM_SYSTEM_ERR;
+ }
+
 pi.requested_domains = domains;
 ret = get_pam_items(pamh, &pi);
-- 
1.9.3
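Review bot: The early `return PAM_SYSTEM_ERR;` inside the new `if (domains && strcmp(domains, "") == 0)` block fails closed without leaving any trace, so an administrator who leaves `domains=` empty sees every request through this module rejected with nothing in the logs to explain it. A single log line before the return would make the lockout diagnosable, for example `pam_syslog(pamh, LOG_ERR, "empty domains= option, failing");` or the equivalent call through whatever logging helper this file already uses. The comparison also matches only the exact empty string: a value consisting solely of whitespace or separators (such as `domains=,`) passes this check, and how such a value is handled depends on `eval_argv` and the responder, neither of which is visible here, so it is worth confirming those are rejected as well. The body of `pam_sss` starts and ends outside the hunk.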