Diffstat (limited to 'src/responder')
-rw-r--r-- | src/responder/pam/pamsrv.h | 2 | ||||
-rw-r--r-- | src/responder/pam/pamsrv_cmd.c | 23 |
2 files changed, 13 insertions, 12 deletions
diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
index f92e7f7db..066f35a42 100644
--- a/src/responder/pam/pamsrv.h
+++ b/src/responder/pam/pamsrv.h
@@ -39,7 +39,6 @@ struct pam_ctx { hash_table_t *id_table; size_t trusted_uids_count; uid_t *trusted_uids; - bool is_uid_trusted; /* List of domains that are accessible even for untrusted users. */ char **public_domains;
@@ -58,6 +57,7 @@ struct pam_auth_req { pam_dp_callback_t *callback; + bool is_uid_trusted; bool check_provider; void *data;
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index ea084d56a..a924c4da5 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -849,15 +849,6 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd) talloc_get_type(cctx->rctx->pvt_ctx, struct pam_ctx); struct tevent_req *req; - pctx->is_uid_trusted = is_uid_trusted(cctx->client_euid, pctx->trusted_uids_count, pctx->trusted_uids); - - if (!pctx->is_uid_trusted) { DEBUG(SSSDBG_MINOR_FAILURE, "uid %"PRIu32" is not trusted.\n", cctx->client_euid); - } - preq = talloc_zero(cctx, struct pam_auth_req); if (!preq) { return ENOMEM;
@@ -872,6 +863,16 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd) } pd = preq->pd; + preq->is_uid_trusted = is_uid_trusted(cctx->client_euid, pctx->trusted_uids_count, pctx->trusted_uids); + + if (!preq->is_uid_trusted) { DEBUG(SSSDBG_MINOR_FAILURE, "uid %"PRIu32" is not trusted.\n", cctx->client_euid); + } + + pd->cmd = pam_cmd; pd->priv = cctx->priv;
@@ -1304,7 +1305,7 @@ static void pam_dom_forwarder(struct pam_auth_req *preq) } /* Untrusted users can access only public domains. */ - if (!pctx->is_uid_trusted && + if (!preq->is_uid_trusted && !is_domain_public(preq->pd->domain, pctx->public_domains, pctx->public_domains_count)) { DEBUG(SSSDBG_MINOR_FAILURE,
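Review bot: The new `bool is_uid_trusted;` member of `struct pam_auth_req` in the `@@ -58,6 +57,7 @@` hunk has no comment, and the reason it now lives on the request instead of on the shared `struct pam_ctx` it was removed from is the substance of this change, so it deserves one. `struct pam_ctx` is the responder-wide private context (`cctx->rctx->pvt_ctx` in the pamsrv_cmd.c hunks) while `struct pam_auth_req` is allocated per client request, and `pam_dom_forwarder()` consults the flag later than `pam_forwarder()` sets it, presumably after asynchronous steps, so a responder-wide copy could be overwritten by a different client's request before it was checked. I would add above the field: `/* True when the euid of the client that issued this request is in pam_ctx->trusted_uids. Kept per request, not on pam_ctx, so that requests from different clients each carry their own decision until pam_dom_forwarder() reads it. */`. The struct definition starts and ends outside the hunk.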
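Review bot: Two consecutive blank lines are added before `pd->cmd = pam_cmd;` in the `@@ -872,6 +863,16 @@` hunk of pamsrv_cmd.c; the moved block should end with a single blank line like the code around it. Apart from that nit the new placement reads as fail-closed: `preq` comes from `talloc_zero()`, so `preq->is_uid_trusted` is false (untrusted) from allocation until the `is_uid_trusted()` call assigns it, and the same request object is what `pam_dom_forwarder()` reads in the later hunks. pam_forwarder() starts and ends outside the hunk.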
@@ -1317,7 +1318,7 @@ static void pam_dom_forwarder(struct pam_auth_req *preq) /* skip this domain if not requested and the user is trusted * as untrusted users can't request a domain */ - if (pctx->is_uid_trusted && + if (preq->is_uid_trusted && !is_domain_requested(preq->pd, preq->pd->domain)) { preq->pd->pam_status = PAM_USER_UNKNOWN; pam_reply(preq); |