From 0620f73a3c4b494112b75eeedfed4933e231382f Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Wed, 10 Dec 2014 12:02:47 +0100
Subject: [PATCH 135/138] PAM: Missing argument to domains= should fail auth
When the administrator sets the domains= list, he usually wants to
restrict the set of domains. An empty list is an undefined configuration
and it's safer to fail then.
https://fedorahosted.org/sssd/ticket/2516
Reviewed-by: Pavel Reichl <preichl@redhat.com>
---
src/sss_client/pam_sss.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index d64e826daeb80be8998ef3b410047e3a44051b07..fdf6c9e6da75c9f7eaa7c00d9a5792fbdd97eabc 100644
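--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -1487,6 +1487,12 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
 
 eval_argv(pamh, argc, argv, &flags, &retries, &quiet_mode, &domains);
 
+ /* Fail all authentication on misconfigured domains= parameter. The admin
+ * probably wanted to restrict authentication, so it's safer to fail */
+ if (domains && strcmp(domains, "") == 0) {
+ return PAM_SYSTEM_ERR;
+ }
+
 pi.requested_domains = domains;
 
 ret = get_pam_items(pamh, &pi);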
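Review bot: The new early return under `if (domains && strcmp(domains, "") == 0)` fails closed but emits no diagnostic, so an administrator who left `domains=` empty sees PAM_SYSTEM_ERR with nothing in the logs to explain it. A syslog line before the return would make the misconfiguration traceable, for example `pam_syslog(pamh, LOG_ERR, "Empty domains= option, refusing request");`, or the module's own logging helper if it has one. The test also matches only the exactly empty string. Whether a value such as a lone separator or whitespace still ends up as an effectively empty list depends on eval_argv and the responder-side parsing, which are outside this hunk and worth confirming. The check sits in the shared pam_sss() entry point, whose body starts and ends outside the hunk, so it presumably applies to every `task` and not only authentication; the comment could say so.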
--
1.9.3