authorDaniel Gollub <dgollub at brocade.com>2014-09-27 12:06:44 +0100
committerJakub Hrozek <jhrozek@redhat.com>2014-09-29 18:27:16 +0200
commit663fd9bcdcc6b299785ba3434532cd7e6c462bff (patch)
tree6ade5b5e821fce75a1c58b63b882aa133b96c755 /src/responder/pam/pamsrv_cmd.c
parent830ded27453015080a54d6ba85fd4999ee7e9af1 (diff)
PAM: Add domains= option to pam_sss
Design document: https://fedorahosted.org/sssd/wiki/DesignDocs/RestrictDomainsInPAM Fixes: https://fedorahosted.org/sssd/ticket/1021 Signed-off-by: Pavel Reichl <preichl@redhat.com> Reviewed-by: Sven-Thorsten Dietrich <sven@brocade.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Diffstat (limited to 'src/responder/pam/pamsrv_cmd.c')
-rw-r--r--src/responder/pam/pamsrv_cmd.c51
1 files changed, 50 insertions, 1 deletions
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index eb6953a74..c135e3c49 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -44,6 +44,28 @@ enum pam_verbosity {
static void pam_reply(struct pam_auth_req *preq);
+static bool is_domain_requested(struct pam_data *pd, const char *domain_name)
+{
+ int i;
+
+ /* If none specific domains got requested via pam, all domains are allowed.
+ * Which mimics the default/original behaviour.
+ */
+ if (!pd->requested_domains) {
+ return true;
+ }
+
+ for (i = 0; pd->requested_domains[i]; i++) {
+ if (strcmp(domain_name, pd->requested_domains[i])) {
+ continue;
+ }
+
+ return true;
+ }
+
+ return false;
+}
+
static int extract_authtok_v2(struct sss_auth_token *tok,
size_t data_size, uint8_t *body, size_t blen,
size_t *c)
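Review bot: `is_domain_requested` matches the requested names with `strcmp`, so `domains=LDAP` in the pam_sss options will not match a domain configured as `ldap`, while the rest of SSSD appears to treat domain names case-insensitively (find_domain_by_name compares with strcasecmp, as far as I recall); `if (strcasecmp(domain_name, pd->requested_domains[i]) == 0) { return true; }` would be consistent with that. The index `i` could be `size_t` rather than `int` to match an array walk, although nothing overflows here. The leading comment reads more clearly as `/* No specific domains were requested via PAM: allow all domains, which keeps the original behaviour. */`.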
@@ -143,6 +165,7 @@ static int pam_parse_in_data_v2(struct pam_data *pd,
int ret;
uint32_t start;
uint32_t terminator;
+ char *requested_domains;
if (blen < 4*sizeof(uint32_t)+2) {
DEBUG(SSSDBG_CRIT_FAILURE, "Received data is invalid.\n");
@@ -194,6 +217,20 @@ static int pam_parse_in_data_v2(struct pam_data *pd,
ret = extract_string(&pd->rhost, size, body, blen, &c);
if (ret != EOK) return ret;
break;
+ case SSS_PAM_ITEM_REQUESTED_DOMAINS:
+ ret = extract_string(&requested_domains, size, body, blen,
+ &c);
+ if (ret != EOK) return ret;
+
+ ret = split_on_separator(pd, requested_domains, ',', true,
+ true, &pd->requested_domains,
+ NULL);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to parse requested_domains list!\n");
+ return ret;
+ }
+ break;
case SSS_PAM_ITEM_CLI_PID:
ret = extract_uint32_t(&pd->cli_pid, size,
body, blen, &c);
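Review bot: An `SSS_PAM_ITEM_REQUESTED_DOMAINS` item whose value is empty or consists only of separators is accepted here, and if `split_on_separator` then hands back a non-NULL list with zero entries, `pd->requested_domains` is no longer NULL and `is_domain_requested` rejects every domain, so the request ends in ENOENT rather than falling back to "all domains". Failing closed is a sensible outcome for a restriction list supplied by the client, but it is surprising enough to record next to the split, e.g. `/* An empty list is not the same as no list: it matches no domain. */`, or to log with `if (pd->requested_domains[0] == NULL) { DEBUG(SSSDBG_MINOR_FAILURE, "Empty requested_domains list.\n"); }` if that case should be visible to an administrator. pam_parse_in_data_v2 begins and ends outside this hunk.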
@@ -879,6 +916,12 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd)
ret = ENOENT;
goto done;
}
+
+ /* skip this domain if not requested */
+ if (!is_domain_requested(pd, pd->domain)) {
+ ret = ENOENT;
+ goto done;
+ }
} else {
for (dom = preq->cctx->rctx->domains;
dom;
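Review bot: The new rejection in the explicit-domain branch fails silently with ENOENT, and the same holds for the `continue` added to the domain loop in the next hunk; a user whose PAM service restricts domains just gets an unknown-user result with nothing in the log explaining why. A trace-level message before the `goto done`, `DEBUG(SSSDBG_TRACE_FUNC, "Domain [%s] is not in the requested domains list.\n", pd->domain);`, and the equivalent with `dom->name` in the loop, would make this diagnosable without changing what the client receives. pam_forwarder starts and ends outside this hunk.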
@@ -896,6 +939,11 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd)
continue;
}
+ /* skip this domain if not requested */
+ if (!is_domain_requested(pd, dom->name)) {
+ continue;
+ }
+
ncret = sss_ncache_check_user(pctx->ncache, pctx->neg_timeout,
dom, pd->user);
if (ncret == ENOENT) {
@@ -910,7 +958,8 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd)
"User [%s@%s] filtered out (negative cache). "
"Trying next domain.\n", pd->user, dom->name);
}
- if (!dom) {
+
+ if (!dom || !is_domain_requested(pd, dom->name)) {
ret = ENOENT;
goto done;
}
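Review bot: The `!is_domain_requested(pd, dom->name)` clause added to the post-loop check looks redundant: the loop above now `continue`s past every domain that is not requested, so if its only other exit is the `break` taken when the negative cache reports ENOENT (that part of the loop body lies between the hunks and is not shown), `dom` is non-NULL here only for a requested domain. Keeping it as a belt-and-braces guard is harmless, but then it deserves a comment such as `/* dom is either NULL or a requested domain; re-check defensively */` so a later reader does not search for a path that needs it. pam_forwarder continues past this hunk.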