authorJakub Hrozek <jhrozek@redhat.com>2014-12-10 12:02:47 +0100
committerJakub Hrozek <jhrozek@redhat.com>2014-12-13 23:00:15 +0100
commit134bff159119b0f62492133983ba637957e26fab (patch)
tree00cf72f64e5f1d36c67ab464320ff3945d17a1ef /src/sss_client
parent0453f1a262aadffec2574f93faf28b339d5ed394 (diff)
PAM: Missing argument to domains= should fail auth
When the administrator sets the domains= list, he usually wants to restrict the set of domains. An empty list is an undefined configuration, so it is safer to fail authentication in that case.

https://fedorahosted.org/sssd/ticket/2516

Reviewed-by: Pavel Reichl <preichl@redhat.com>
Diffstat (limited to 'src/sss_client')
-rw-r--r--src/sss_client/pam_sss.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index d64e826da..fdf6c9e6d 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -1487,6 +1487,12 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
eval_argv(pamh, argc, argv, &flags, &retries, &quiet_mode, &domains);
+ /* Fail all authentication on misconfigured domains= parameter. The admin
+ * probably wanted to restrict authentication, so it's safer to fail */
+ if (domains && strcmp(domains, "") == 0) {
+ return PAM_SYSTEM_ERR;
+ }
+
pi.requested_domains = domains;
ret = get_pam_items(pamh, &pi);
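Review bot: The new guard after `eval_argv()` rejects only the exact empty string, so a value that is non-empty but still names no domain (for example only separators or whitespace) is assigned to `pi.requested_domains` and the fail-closed outcome then depends on parsing that is not visible in this hunk. If the list is comma-separated, as the option suggests, the test could cover those cases as well: `if (domains && domains[strspn(domains, ", \t")] == '\0') {`. The early `return PAM_SYSTEM_ERR;` also emits nothing at this site; unless `eval_argv()` already logs the missing argument, an error-level log line naming the `domains=` option would let an administrator diagnose why every PAM call through this module fails. The body of `pam_sss()` starts and continues outside the hunk, so the initial value of `domains` and any cleanup expected before returning could not be checked here.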