From 0620f73a3c4b494112b75eeedfed4933e231382f Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Wed, 10 Dec 2014 12:02:47 +0100
Subject: [PATCH 135/138] PAM: Missing argument to domains= should fail auth

When the administrator sets the domains= list, he usually wants to
restrict the set of domains. An empty list is an undefined configuration
and it's safer to fail then.

https://fedorahosted.org/sssd/ticket/2516

Reviewed-by: Pavel Reichl <preichl@redhat.com>
---
 src/sss_client/pam_sss.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index d64e826daeb80be8998ef3b410047e3a44051b07..fdf6c9e6da75c9f7eaa7c00d9a5792fbdd97eabc 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -1487,6 +1487,12 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
 
     eval_argv(pamh, argc, argv, &flags, &retries, &quiet_mode, &domains);
 
+    /* Fail all authentication on misconfigured domains= parameter. The admin
+     * probably wanted to restrict authentication, so it's safer to fail */
+    if (domains && strcmp(domains, "") == 0) {
+        return PAM_SYSTEM_ERR;
+    }
+
     pi.requested_domains = domains;
 
     ret = get_pam_items(pamh, &pi);
-- 
1.9.3