author | Daniel Gollub <dgollub at brocade.com> | 2014-09-27 12:06:44 +0100 |
committer | Jakub Hrozek <jhrozek@redhat.com> | 2014-09-29 18:27:16 +0200 |
commit | 663fd9bcdcc6b299785ba3434532cd7e6c462bff (patch) | |
tree | 6ade5b5e821fce75a1c58b63b882aa133b96c755 /src/responder/pam/pamsrv_cmd.c | |
parent | 830ded27453015080a54d6ba85fd4999ee7e9af1 (diff) | |
PAM: Add domains= option to pam_sss
Design document:
https://fedorahosted.org/sssd/wiki/DesignDocs/RestrictDomainsInPAM
Fixes:
https://fedorahosted.org/sssd/ticket/1021
Signed-off-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Sven-Thorsten Dietrich <sven@brocade.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Diffstat (limited to 'src/responder/pam/pamsrv_cmd.c')
-rw-r--r-- | src/responder/pam/pamsrv_cmd.c | 51 |
1 files changed, 50 insertions, 1 deletions
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c index eb6953a74..c135e3c49 100644 --- a/src/responder/pam/pamsrv_cmd.c +++ b/src/responder/pam/pamsrv_cmd.c @@ -44,6 +44,28 @@ enum pam_verbosity { static void pam_reply(struct pam_auth_req *preq); +static bool is_domain_requested(struct pam_data *pd, const char *domain_name) +{ + int i; + + /* If none specific domains got requested via pam, all domains are allowed. + * Which mimics the default/original behaviour. + */ + if (!pd->requested_domains) { + return true; + } + + for (i = 0; pd->requested_domains[i]; i++) { + if (strcmp(domain_name, pd->requested_domains[i])) { + continue; + } + + return true; + } + + return false; +} + static int extract_authtok_v2(struct sss_auth_token *tok, size_t data_size, uint8_t *body, size_t blen, size_t *c) @@ -143,6 +165,7 @@ static int pam_parse_in_data_v2(struct pam_data *pd, int ret; uint32_t start; uint32_t terminator; + char *requested_domains; if (blen < 4*sizeof(uint32_t)+2) { DEBUG(SSSDBG_CRIT_FAILURE, "Received data is invalid.\n"); @@ -194,6 +217,20 @@ static int pam_parse_in_data_v2(struct pam_data *pd, ret = extract_string(&pd->rhost, size, body, blen, &c); if (ret != EOK) return ret; break; + case SSS_PAM_ITEM_REQUESTED_DOMAINS: + ret = extract_string(&requested_domains, size, body, blen, + &c); + if (ret != EOK) return ret; + + ret = split_on_separator(pd, requested_domains, ',', true, + true, &pd->requested_domains, + NULL); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to parse requested_domains list!\n"); + return ret; + } + break; case SSS_PAM_ITEM_CLI_PID: ret = extract_uint32_t(&pd->cli_pid, size, body, blen, &c); @@ -879,6 +916,12 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd) ret = ENOENT; goto done; } + + /* skip this domain if not requested */ + if (!is_domain_requested(pd, pd->domain)) { + ret = ENOENT; + goto done; + } } else { for (dom = preq->cctx->rctx->domains; dom; 
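Review bot: is_domain_requested() matches with a case-sensitive strcmp(), whereas I believe domain names are compared case-insensitively elsewhere in the responders; if so, a PAM line with `domains=EXAMPLE.COM` against a domain named `example.com` would never match and every request on that service would be rejected (fail-closed, but hard to diagnose), so consider `if (strcasecmp(domain_name, pd->requested_domains[i]) == 0) { return true; }` or at least `== 0` rather than the continue-then-return shape. The header comment is also hard to read; suggest `/* No specific domains were requested via PAM: allow all domains (the original behaviour). */`. Since pd->requested_domains is populated from the client request, a client that simply omits the item gets the unrestricted path; it is worth adding one sentence to that comment saying the option is a per-service policy knob, not a privilege boundary enforced by the responder.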
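Review bot: In the new SSS_PAM_ITEM_REQUESTED_DOMAINS case a request that carries the item twice silently replaces pd->requested_domains with the second list; since this is untrusted socket input, reject the repeat with `if (pd->requested_domains != NULL) return EINVAL;` before calling split_on_separator(). Also `char *requested_domains;` is declared at the top of pam_parse_in_data_v2 (whose body starts outside this hunk) but only assigned in this one case, so an uninitialized pointer sits in scope for the whole function; declaring it inside the case block as `char *requested_domains = NULL;` keeps it local. Whether extract_string() copies the string or points into body is not visible here; if it only points, the talloc'd list built on pd is the only thing that outlives the request buffer, which is fine but deserves a short comment.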
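Review bot: The added single-domain check returns ENOENT without any log line, so an administrator who restricted a service with domains= and sees `user@otherdomain` fail has nothing in the log explaining why; suggest `DEBUG(SSSDBG_MINOR_FAILURE, "Domain [%s] is not in the requested domains, rejecting.\n", pd->domain);` before `ret = ENOENT;`. The enclosing pam_forwarder() body starts and ends outside this hunk.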
@@ -896,6 +939,11 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd) continue; } + /* skip this domain if not requested */ + if (!is_domain_requested(pd, dom->name)) { + continue; + } + ncret = sss_ncache_check_user(pctx->ncache, pctx->neg_timeout, dom, pd->user); if (ncret == ENOENT) { @@ -910,7 +958,8 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd) "User [%s@%s] filtered out (negative cache). " "Trying next domain.\n", pd->user, dom->name); } - if (!dom) { + + if (!dom || !is_domain_requested(pd, dom->name)) { ret = ENOENT; goto done; } |
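Review bot: The second `!is_domain_requested(pd, dom->name)` in the post-loop condition looks redundant: the loop above already `continue`s past non-requested domains before the negative-cache check, so provided the only exit with a non-NULL dom is the `break` after that check (part of the loop body lies outside this hunk), dom is always a requested domain at this point. Either revert the condition to `if (!dom) {` or keep it as deliberate defence in depth with a comment such as `/* dom was already filtered by is_domain_requested() in the loop; re-check defensively */` so the next reader does not hunt for a path that reaches it. The enclosing pam_forwarder() continues outside the hunk.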