author | Jakub Hrozek <jhrozek@redhat.com> | 2014-12-10 12:02:47 +0100 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2014-12-13 23:41:34 +0100 |
commit | 0620f73a3c4b494112b75eeedfed4933e231382f (patch) | |
tree | 22f4835988299f0bb8cc67697aeffd0aca5ad9e9 | |
parent | f5ecf965b20acf977ad7e8e2ff97b57dd9c94000 (diff) | |
PAM: Missing argument to domains= should fail auth
When the administrator sets the domains= list, he usually wants to
restrict the set of domains. An empty list is an undefined configuration
and it's safer to fail then.
https://fedorahosted.org/sssd/ticket/2516
Reviewed-by: Pavel Reichl <preichl@redhat.com>
-rw-r--r-- | src/sss_client/pam_sss.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c index d64e826da..fdf6c9e6d 100644 --- a/src/sss_client/pam_sss.c +++ b/src/sss_client/pam_sss.c @@ -1487,6 +1487,12 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh, eval_argv(pamh, argc, argv, &flags, &retries, &quiet_mode, &domains); + /* Fail all authentication on misconfigured domains= parameter. The admin + * probably wanted to restrict authentication, so it's safer to fail */ + if (domains && strcmp(domains, "") == 0) { + return PAM_SYSTEM_ERR; + } + pi.requested_domains = domains; ret = get_pam_items(pamh, &pi); |
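Review bot: the early return added after eval_argv() in pam_sss() fails with PAM_SYSTEM_ERR without emitting any log message, so an administrator who left domains= empty sees every request rejected with nothing pointing at the option. Please log an error naming the empty domains= argument before returning. Two smaller points on the same lines: the test `strcmp(domains, "") == 0` only matches an exactly empty value, so a value made up only of whitespace or separators still reaches `pi.requested_domains = domains;`, and it should either be rejected here or confirmed to be rejected by whatever consumes requested_domains. The check also does not look at `task`, so it fails every PAM call routed through pam_sss(), not only authentication as the comment says; if that is intended, the comment should say so.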