diff options
author | Jakub Hrozek <jhrozek@redhat.com> | 2014-12-10 12:02:47 +0100 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2014-12-13 23:00:15 +0100 |
commit | 134bff159119b0f62492133983ba637957e26fab (patch) | |
tree | 00cf72f64e5f1d36c67ab464320ff3945d17a1ef /src | |
parent | 0453f1a262aadffec2574f93faf28b339d5ed394 (diff) | |
download | sssd-134bff159119b0f62492133983ba637957e26fab.tar.gz sssd-134bff159119b0f62492133983ba637957e26fab.tar.xz sssd-134bff159119b0f62492133983ba637957e26fab.zip |
PAM: Missing argument to domains= should fail auth
When the administrator sets the domains= list, he usually wants to
restrict the set of domains. An empty list is an undefined configuration
and it's safer to fail then.
https://fedorahosted.org/sssd/ticket/2516
Reviewed-by: Pavel Reichl <preichl@redhat.com>
Diffstat (limited to 'src')
-rw-r--r-- | src/sss_client/pam_sss.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c index d64e826da..fdf6c9e6d 100644 --- a/src/sss_client/pam_sss.c +++ b/src/sss_client/pam_sss.c @@ -1487,6 +1487,12 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh, eval_argv(pamh, argc, argv, &flags, &retries, &quiet_mode, &domains); + /* Fail all authentication on misconfigured domains= parameter. The admin + * probably wanted to restrict authentication, so it's safer to fail */ + if (domains && strcmp(domains, "") == 0) { + return PAM_SYSTEM_ERR; + } + pi.requested_domains = domains; ret = get_pam_items(pamh, &pi); |