summaryrefslogtreecommitdiffstats
path: root/src/responder/pam/pamsrv_cmd.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/responder/pam/pamsrv_cmd.c')
-rw-r--r--src/responder/pam/pamsrv_cmd.c67
1 files changed, 26 insertions, 41 deletions
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 6eed4f9..ea084d5 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -898,17 +898,6 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd)
goto done;
}
- /* Untrusted users can access only public domains. */
- if (!pctx->is_uid_trusted &&
- !is_domain_public(pd->domain, pctx->public_domains,
- pctx->public_domains_count)) {
- DEBUG(SSSDBG_MINOR_FAILURE,
- "Untrusted user %"PRIu32" cannot access unpublic domain %s.\n",
- cctx->client_euid, pd->domain);
- ret = EPERM;
- goto done;
- }
-
ncret = sss_ncache_check_user(pctx->ncache, pctx->neg_timeout,
preq->domain, pd->user);
if (ncret == EEXIST) {
@@ -916,34 +905,12 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd)
ret = ENOENT;
goto done;
}
-
- /* skip this domain if not requested */
- if (!is_domain_requested(pd, pd->domain)) {
- ret = ENOENT;
- goto done;
- }
} else {
for (dom = preq->cctx->rctx->domains;
dom;
dom = get_next_domain(dom, false)) {
if (dom->fqnames) continue;
- /* Untrusted users can access only public domains. */
- if (!pctx->is_uid_trusted &&
- !is_domain_public(dom->name, pctx->public_domains,
- pctx->public_domains_count)) {
- DEBUG(SSSDBG_MINOR_FAILURE,
- "Untrusted user %"PRIu32" cannot access unpublic domain %s."
- " Trying next domain.\n",
- cctx->client_euid, dom->name);
- continue;
- }
-
- /* skip this domain if not requested */
- if (!is_domain_requested(pd, dom->name)) {
- continue;
- }
-
ncret = sss_ncache_check_user(pctx->ncache, pctx->neg_timeout,
dom, pd->user);
if (ncret == ENOENT) {
@@ -959,7 +926,7 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd)
"Trying next domain.\n", pd->user, dom->name);
}
- if (!dom || !is_domain_requested(pd, dom->name)) {
+ if (!dom) {
ret = ENOENT;
goto done;
}
@@ -1055,14 +1022,9 @@ static int pam_check_user_search(struct pam_auth_req *preq)
while (dom) {
/* if it is a domainless search, skip domains that require fully
- * qualified names instead, also untrusted users can access only
- * public domains */
+ * qualified names instead */
while (dom && !preq->pd->domain && !preq->pd->name_is_upn
- && (dom->fqnames ||
- (!pctx->is_uid_trusted &&
- !is_domain_public(dom->name,
- pctx->public_domains,
- pctx->public_domains_count)))) {
+ && dom->fqnames) {
dom = get_next_domain(dom, false);
}
@@ -1334,11 +1296,34 @@ done:
static void pam_dom_forwarder(struct pam_auth_req *preq)
{
int ret;
+ struct pam_ctx *pctx =
+ talloc_get_type(preq->cctx->rctx->pvt_ctx, struct pam_ctx);
if (!preq->pd->domain) {
preq->pd->domain = preq->domain->name;
}
+ /* Untrusted users can access only public domains. */
+ if (!pctx->is_uid_trusted &&
+ !is_domain_public(preq->pd->domain, pctx->public_domains,
+ pctx->public_domains_count)) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Untrusted user %"PRIu32" cannot access non-public domain %s.\n",
+ preq->cctx->client_euid, preq->pd->domain);
+ preq->pd->pam_status = PAM_PERM_DENIED;
+ pam_reply(preq);
+ return;
+ }
+
+ /* skip this domain if not requested and the user is trusted
+ * as untrusted users can't request a domain */
+ if (pctx->is_uid_trusted &&
+ !is_domain_requested(preq->pd, preq->pd->domain)) {
+ preq->pd->pam_status = PAM_USER_UNKNOWN;
+ pam_reply(preq);
+ return;
+ }
+
if (!NEED_CHECK_PROVIDER(preq->domain->provider)) {
preq->callback = pam_reply;
ret = LOCAL_pam_handler(preq);