author | Sumit Bose <sbose@redhat.com> | 2016-07-04 15:52:00 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2016-07-06 19:12:04 +0200 |
commit | 2ca45dfa0144fea08bd360dafded57bc90111e68 (patch) | |
tree | 6756031cfef255a7dfd12ab5e8c1eadfd1a926e6 /src/krb5_plugin | |
parent | 2658ad37cd04f211aa28b1d71acb27c4edfb03da (diff) | |
localauth: make plugin non-authoritative on failures
According to the documentation in localauth_plugin.h "aname will be
considered authorized if at least one module returns 0 and all other
modules return KRB5_PLUGIN_NO_HANDLE." So it is safe to always return
KRB5_PLUGIN_NO_HANDLE because a different plugin has to return 0 to
allow access to the given principal.
Resolves https://fedorahosted.org/sssd/ticket/2788
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Diffstat (limited to 'src/krb5_plugin')
-rw-r--r-- | src/krb5_plugin/sssd_krb5_localauth_plugin.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/src/krb5_plugin/sssd_krb5_localauth_plugin.c b/src/krb5_plugin/sssd_krb5_localauth_plugin.c index 1e77d5227..13ab07d13 100644 --- a/src/krb5_plugin/sssd_krb5_localauth_plugin.c +++ b/src/krb5_plugin/sssd_krb5_localauth_plugin.c @@ -49,7 +49,8 @@ static krb5_error_code sss_userok(krb5_context context, kerr = krb5_unparse_name(context, aname, &princ_str); if (kerr != 0) { - return kerr; + ret = kerr; + goto done; } if (strcasecmp(princ_str, lname) == 0) { @@ -98,6 +99,10 @@ done: krb5_free_unparsed_name(context, princ_str); free(buffer); + if (ret != 0) { + return KRB5_PLUGIN_NO_HANDLE; + } + return ret; } |
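Review bot: In the first hunk (sss_userok, the krb5_unparse_name failure branch), the new `goto done` now runs `krb5_free_unparsed_name(context, princ_str);` and `free(buffer);` on a path where this function has not yet assigned either pointer, and their declarations are outside the visible context. Please confirm that both princ_str and buffer are initialized to NULL where they are declared, or add that initialization as part of this change, so the cleanup block never operates on indeterminate pointers when unparsing fails.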
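Review bot: In the second hunk (the block added after the `done:` cleanup), every non-zero ret is collapsed into KRB5_PLUGIN_NO_HANDLE, so the original error, including the kerr routed here by the first hunk, is lost to the caller and to anyone debugging a failed authorization. Consider emitting the original ret in a debug or trace message before it is mapped, and add a short code comment next to `if (ret != 0) {` repeating the localauth_plugin.h rule quoted in the commit message, since the mapping looks like error swallowing without it. The decision stays fail-closed under that rule because another module still has to return 0 for aname to be authorized. As a style point, the trailing `return ret;` can only return 0 after this change, so `return 0;` would state the intent more directly.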