[Pkg-openldap-devel] [openldap] 184/281: ITS#8080 nssov: only allow root to become pwdmgr

Ryan Tandy rtandy-guest at moszumanska.debian.org
Thu Jul 9 01:42:59 UTC 2015



commit 9f50911265d0f167cce21a27603a083d9a5f3b16
Author: Ryan Tandy <ryan at nardis.ca>
Date:   Mon Mar 16 04:44:21 2015 +0000

    ITS#8080 nssov: only allow root to become pwdmgr
---
 contrib/slapd-modules/nssov/nssov.c |  4 ++--
 contrib/slapd-modules/nssov/nssov.h |  4 ++--
 contrib/slapd-modules/nssov/pam.c   | 18 ++++++++++++++++--
 3 files changed, 20 insertions(+), 6 deletions(-)

diff --git a/contrib/slapd-modules/nssov/nssov.c b/contrib/slapd-modules/nssov/nssov.c
index 0c9325b..05b6adc 100644
--- a/contrib/slapd-modules/nssov/nssov.c
+++ b/contrib/slapd-modules/nssov/nssov.c
@@ -369,11 +369,11 @@ static void handleconnection(nssov_info *ni,int sock,Operation *op)
     case NSLCD_ACTION_SERVICE_ALL:      (void)nssov_service_all(ni,fp,op); break;
     case NSLCD_ACTION_SHADOW_BYNAME:    if (uid==0) (void)nssov_shadow_byname(ni,fp,op); break;
     case NSLCD_ACTION_SHADOW_ALL:       if (uid==0) (void)nssov_shadow_all(ni,fp,op); break;
-	case NSLCD_ACTION_PAM_AUTHC:		(void)pam_authc(ni,fp,op); break;
+	case NSLCD_ACTION_PAM_AUTHC:		(void)pam_authc(ni,fp,op,uid); break;
 	case NSLCD_ACTION_PAM_AUTHZ:		(void)pam_authz(ni,fp,op); break;
 	case NSLCD_ACTION_PAM_SESS_O:		if (uid==0) (void)pam_sess_o(ni,fp,op); break;
 	case NSLCD_ACTION_PAM_SESS_C:		if (uid==0) (void)pam_sess_c(ni,fp,op); break;
-	case NSLCD_ACTION_PAM_PWMOD:		(void)pam_pwmod(ni,fp,op); break;
+	case NSLCD_ACTION_PAM_PWMOD:		(void)pam_pwmod(ni,fp,op,uid); break;
 	case NSLCD_ACTION_CONFIG_GET:			(void)nssov_config(ni,fp,op); break;
     default:
       Debug( LDAP_DEBUG_ANY,"nssov: invalid request id: %d",(int)action,0,0);
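Review bot: The two rewritten `case` lines pass `uid` into the callee while the neighbouring root-only actions (SHADOW_*, PAM_SESS_O/C) are gated with `if (uid==0)` here at the dispatch, and nothing says why the two PAM cases are treated differently; a reader may later "fix" them by adding the same gate and break ordinary-user authentication. A one-line comment above `NSLCD_ACTION_PAM_AUTHC` would settle it: `/* uid is forwarded, not gated: non-root callers may act as themselves, only the pwdmgr path inside is root-only */`. Where `uid` is obtained is outside this hunk, so I am assuming it is the peer credential handleconnection already uses for the other checks; handleconnection's body continues outside the hunk.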
diff --git a/contrib/slapd-modules/nssov/nssov.h b/contrib/slapd-modules/nssov/nssov.h
index 509bdef..f13378e 100644
--- a/contrib/slapd-modules/nssov/nssov.h
+++ b/contrib/slapd-modules/nssov/nssov.h
@@ -239,11 +239,11 @@ int nssov_service_bynumber(nssov_info *ni,TFILE *fp,Operation *op);
 int nssov_service_all(nssov_info *ni,TFILE *fp,Operation *op);
 int nssov_shadow_byname(nssov_info *ni,TFILE *fp,Operation *op);
 int nssov_shadow_all(nssov_info *ni,TFILE *fp,Operation *op);
-int pam_authc(nssov_info *ni,TFILE *fp,Operation *op);
+int pam_authc(nssov_info *ni,TFILE *fp,Operation *op,uid_t calleruid);
 int pam_authz(nssov_info *ni,TFILE *fp,Operation *op);
 int pam_sess_o(nssov_info *ni,TFILE *fp,Operation *op);
 int pam_sess_c(nssov_info *ni,TFILE *fp,Operation *op);
-int pam_pwmod(nssov_info *ni,TFILE *fp,Operation *op);
+int pam_pwmod(nssov_info *ni,TFILE *fp,Operation *op,uid_t calleruid);
 
 /* config initialization */
 #define NSSOV_INIT(db) \
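Review bot: The new `calleruid` parameter on `pam_authc` and `pam_pwmod` is the only argument in this prototype list whose meaning is not obvious from its type, and the header gives no hint of its contract. A short comment above the two declarations would document it without restating the implementation: `/* calleruid: uid of the requesting nslcd client as determined by handleconnection; only 0 may use the pwdmgr dn */`. The "as determined by handleconnection" part is inferred from the nssov.c hunk, so adjust the wording if the uid is derived elsewhere.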
diff --git a/contrib/slapd-modules/nssov/pam.c b/contrib/slapd-modules/nssov/pam.c
index 487e193..a455331 100644
--- a/contrib/slapd-modules/nssov/pam.c
+++ b/contrib/slapd-modules/nssov/pam.c
@@ -209,7 +209,7 @@ finish:
 	return rc;
 }
 
-int pam_authc(nssov_info *ni,TFILE *fp,Operation *op)
+int pam_authc(nssov_info *ni,TFILE *fp,Operation *op,uid_t calleruid)
 {
 	int32_t tmpint32;
 	int rc;
@@ -263,6 +263,13 @@ int pam_authc(nssov_info *ni,TFILE *fp,Operation *op)
 			pi.authz = NSLCD_PAM_PERM_DENIED;
 			rc = NSLCD_PAM_PERM_DENIED;
 			goto finish;
+		} else if (calleruid != 0) {
+			Debug(LDAP_DEBUG_TRACE,"nssov_pam_authc(prelim check): %s\n",
+				"caller is not root", 0, 0);
+			ber_str2bv("only root may do that", 0, 0, &pi.msg);
+			pi.authz = NSLCD_PAM_PERM_DENIED;
+			rc = NSLCD_PAM_PERM_DENIED;
+			goto finish;
 		} else {
 			/* use pwdmgr dn */
 			ber_str2bv(ni->ni_pam_pwdmgr_dn.bv_val, 0, 0, &pi.dn);
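Review bot: The new `calleruid != 0` branch and the matching block in the later pam.c hunk for `pam_pwmod` repeat the same denial sequence (trace line, `ber_str2bv("only root may do that", 0, 0, &pi.msg)`, `NSLCD_PAM_PERM_DENIED`, jump to cleanup) with only the function name in the trace differing, so the message string and the result code now live in two places that must stay in step. A small `static` helper that fills `pi.msg` and returns `NSLCD_PAM_PERM_DENIED`, called from both sites, would keep the policy in one spot; the `pi.authz` assignment here and the bare `rc` in pam_pwmod match their neighbouring branches, so that difference can stay at the call sites. The ordering is sound as far as the hunk shows: the non-root caller is rejected before `pi.dn` is set to the pwdmgr dn, so the denial fails closed. The enclosing condition this `else if` extends, and the rest of pam_authc, are outside the hunk.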
@@ -708,7 +715,7 @@ int pam_sess_c(nssov_info *ni,TFILE *fp,Operation *op)
 	return pam_sess(ni,fp,op,NSLCD_ACTION_PAM_SESS_C);
 }
 
-int pam_pwmod(nssov_info *ni,TFILE *fp,Operation *op)
+int pam_pwmod(nssov_info *ni,TFILE *fp,Operation *op,uid_t calleruid)
 {
 	struct berval npw;
 	int32_t tmpint32;
@@ -770,6 +777,13 @@ int pam_pwmod(nssov_info *ni,TFILE *fp,Operation *op)
 		rc = NSLCD_PAM_PERM_DENIED;
 		goto done;
 	} else if (!ber_bvcmp(&pi.dn, &ni->ni_pam_pwdmgr_dn)) {
+		if (calleruid != 0) {
+			Debug(LDAP_DEBUG_TRACE,"nssov_pam_pwmod(): %s\n",
+				"caller is not root", 0, 0);
+			ber_str2bv("only root may do that", 0, 0, &pi.msg);
+			rc = NSLCD_PAM_PERM_DENIED;
+			goto done;
+		}
 		/* root user requesting pwmod, convert uid to dn */
 		pi.ispwdmgr = 1;
 		rc = pam_uid2dn(ni, op, &pi);



