ITS#8080 nssov: only allow root to become pwdmgr
This commit is contained in:
parent
7e3177070a
commit
957d4770eb
@ -369,11 +369,11 @@ static void handleconnection(nssov_info *ni,int sock,Operation *op)
|
|||||||
case NSLCD_ACTION_SERVICE_ALL: (void)nssov_service_all(ni,fp,op); break;
|
case NSLCD_ACTION_SERVICE_ALL: (void)nssov_service_all(ni,fp,op); break;
|
||||||
case NSLCD_ACTION_SHADOW_BYNAME: if (uid==0) (void)nssov_shadow_byname(ni,fp,op); break;
|
case NSLCD_ACTION_SHADOW_BYNAME: if (uid==0) (void)nssov_shadow_byname(ni,fp,op); break;
|
||||||
case NSLCD_ACTION_SHADOW_ALL: if (uid==0) (void)nssov_shadow_all(ni,fp,op); break;
|
case NSLCD_ACTION_SHADOW_ALL: if (uid==0) (void)nssov_shadow_all(ni,fp,op); break;
|
||||||
case NSLCD_ACTION_PAM_AUTHC: (void)pam_authc(ni,fp,op); break;
|
case NSLCD_ACTION_PAM_AUTHC: (void)pam_authc(ni,fp,op,uid); break;
|
||||||
case NSLCD_ACTION_PAM_AUTHZ: (void)pam_authz(ni,fp,op); break;
|
case NSLCD_ACTION_PAM_AUTHZ: (void)pam_authz(ni,fp,op); break;
|
||||||
case NSLCD_ACTION_PAM_SESS_O: if (uid==0) (void)pam_sess_o(ni,fp,op); break;
|
case NSLCD_ACTION_PAM_SESS_O: if (uid==0) (void)pam_sess_o(ni,fp,op); break;
|
||||||
case NSLCD_ACTION_PAM_SESS_C: if (uid==0) (void)pam_sess_c(ni,fp,op); break;
|
case NSLCD_ACTION_PAM_SESS_C: if (uid==0) (void)pam_sess_c(ni,fp,op); break;
|
||||||
case NSLCD_ACTION_PAM_PWMOD: (void)pam_pwmod(ni,fp,op); break;
|
case NSLCD_ACTION_PAM_PWMOD: (void)pam_pwmod(ni,fp,op,uid); break;
|
||||||
case NSLCD_ACTION_CONFIG_GET: (void)nssov_config(ni,fp,op); break;
|
case NSLCD_ACTION_CONFIG_GET: (void)nssov_config(ni,fp,op); break;
|
||||||
default:
|
default:
|
||||||
Debug( LDAP_DEBUG_ANY,"nssov: invalid request id: %d",(int)action,0,0);
|
Debug( LDAP_DEBUG_ANY,"nssov: invalid request id: %d",(int)action,0,0);
|
||||||
|
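Review bot: The dispatch now mixes two gating styles: SHADOW_* and PAM_SESS_* are root-restricted right here with `if (uid==0)`, while PAM_AUTHC and PAM_PWMOD hand `uid` to the callee, which denies only when the pwdmgr identity is involved. That split is intentional, since ordinary users must still be able to authenticate, but nothing in the switch says so; a comment above the two changed cases, `/* authc/pwmod stay open to all callers; the callee restricts the pwdmgr identity to uid 0 (ITS#8080) */`, would keep the next reader from "fixing" them to match the other root-only cases. handleconnection and the code that sets `uid` are outside the hunk, so I cannot confirm here that it comes from the socket peer credentials rather than from the request payload.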
@ -239,11 +239,11 @@ int nssov_service_bynumber(nssov_info *ni,TFILE *fp,Operation *op);
|
|||||||
int nssov_service_all(nssov_info *ni,TFILE *fp,Operation *op);
|
int nssov_service_all(nssov_info *ni,TFILE *fp,Operation *op);
|
||||||
int nssov_shadow_byname(nssov_info *ni,TFILE *fp,Operation *op);
|
int nssov_shadow_byname(nssov_info *ni,TFILE *fp,Operation *op);
|
||||||
int nssov_shadow_all(nssov_info *ni,TFILE *fp,Operation *op);
|
int nssov_shadow_all(nssov_info *ni,TFILE *fp,Operation *op);
|
||||||
int pam_authc(nssov_info *ni,TFILE *fp,Operation *op);
|
int pam_authc(nssov_info *ni,TFILE *fp,Operation *op,uid_t calleruid);
|
||||||
int pam_authz(nssov_info *ni,TFILE *fp,Operation *op);
|
int pam_authz(nssov_info *ni,TFILE *fp,Operation *op);
|
||||||
int pam_sess_o(nssov_info *ni,TFILE *fp,Operation *op);
|
int pam_sess_o(nssov_info *ni,TFILE *fp,Operation *op);
|
||||||
int pam_sess_c(nssov_info *ni,TFILE *fp,Operation *op);
|
int pam_sess_c(nssov_info *ni,TFILE *fp,Operation *op);
|
||||||
int pam_pwmod(nssov_info *ni,TFILE *fp,Operation *op);
|
int pam_pwmod(nssov_info *ni,TFILE *fp,Operation *op,uid_t calleruid);
|
||||||
|
|
||||||
/* config initialization */
|
/* config initialization */
|
||||||
#define NSSOV_INIT(db) \
|
#define NSSOV_INIT(db) \
|
||||||
|
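Review bot: The new `calleruid` parameter on pam_authc and pam_pwmod is undocumented, and these prototypes are the only place a caller sees it. Since both implementations deny with "only root may do that" when it is non-zero, a comment on the two declarations, `/* calleruid: uid of the requesting process; non-zero callers may not act as pwdmgr */`, states the contract where it is read. Whether that uid is the peer credential of the nslcd socket is not visible in this diff, so the wording should be checked against handleconnection before it goes in.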
@ -209,7 +209,7 @@ finish:
|
|||||||
return rc;
|
return rc;
|
||||||
}
|
}
|
||||||
|
|
||||||
int pam_authc(nssov_info *ni,TFILE *fp,Operation *op)
|
int pam_authc(nssov_info *ni,TFILE *fp,Operation *op,uid_t calleruid)
|
||||||
{
|
{
|
||||||
int32_t tmpint32;
|
int32_t tmpint32;
|
||||||
int rc;
|
int rc;
|
||||||
@ -263,6 +263,13 @@ int pam_authc(nssov_info *ni,TFILE *fp,Operation *op)
|
|||||||
pi.authz = NSLCD_PAM_PERM_DENIED;
|
pi.authz = NSLCD_PAM_PERM_DENIED;
|
||||||
rc = NSLCD_PAM_PERM_DENIED;
|
rc = NSLCD_PAM_PERM_DENIED;
|
||||||
goto finish;
|
goto finish;
|
||||||
|
} else if (calleruid != 0) {
|
||||||
|
Debug(LDAP_DEBUG_TRACE,"nssov_pam_authc(prelim check): %s\n",
|
||||||
|
"caller is not root", 0, 0);
|
||||||
|
ber_str2bv("only root may do that", 0, 0, &pi.msg);
|
||||||
|
pi.authz = NSLCD_PAM_PERM_DENIED;
|
||||||
|
rc = NSLCD_PAM_PERM_DENIED;
|
||||||
|
goto finish;
|
||||||
} else {
|
} else {
|
||||||
/* use pwdmgr dn */
|
/* use pwdmgr dn */
|
||||||
ber_str2bv(ni->ni_pam_pwdmgr_dn.bv_val, 0, 0, &pi.dn);
|
ber_str2bv(ni->ni_pam_pwdmgr_dn.bv_val, 0, 0, &pi.dn);
|
||||||
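Review bot: The new denial branch in pam_authc logs at LDAP_DEBUG_TRACE, which is normally off, so a non-root caller trying to bind as the pwdmgr identity leaves no trace unless trace debugging is enabled; the matching branch added to pam_pwmod has the same issue. This is precisely the event an operator would want to see, and handleconnection already uses LDAP_DEBUG_ANY for malformed requests, so `Debug(LDAP_DEBUG_ANY,"nssov_pam_authc(prelim check): caller uid %d is not root\n",(int)calleruid,0,0);` would make it visible by default. The check itself sits before the pwdmgr dn is copied into pi.dn, which is the right order. The enclosing if/else chain and the `finish:` label are outside the hunk.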
@ -708,7 +715,7 @@ int pam_sess_c(nssov_info *ni,TFILE *fp,Operation *op)
|
|||||||
return pam_sess(ni,fp,op,NSLCD_ACTION_PAM_SESS_C);
|
return pam_sess(ni,fp,op,NSLCD_ACTION_PAM_SESS_C);
|
||||||
}
|
}
|
||||||
|
|
||||||
int pam_pwmod(nssov_info *ni,TFILE *fp,Operation *op)
|
int pam_pwmod(nssov_info *ni,TFILE *fp,Operation *op,uid_t calleruid)
|
||||||
{
|
{
|
||||||
struct berval npw;
|
struct berval npw;
|
||||||
int32_t tmpint32;
|
int32_t tmpint32;
|
||||||
@ -770,6 +777,13 @@ int pam_pwmod(nssov_info *ni,TFILE *fp,Operation *op)
|
|||||||
rc = NSLCD_PAM_PERM_DENIED;
|
rc = NSLCD_PAM_PERM_DENIED;
|
||||||
goto done;
|
goto done;
|
||||||
} else if (!ber_bvcmp(&pi.dn, &ni->ni_pam_pwdmgr_dn)) {
|
} else if (!ber_bvcmp(&pi.dn, &ni->ni_pam_pwdmgr_dn)) {
|
||||||
|
if (calleruid != 0) {
|
||||||
|
Debug(LDAP_DEBUG_TRACE,"nssov_pam_pwmod(): %s\n",
|
||||||
|
"caller is not root", 0, 0);
|
||||||
|
ber_str2bv("only root may do that", 0, 0, &pi.msg);
|
||||||
|
rc = NSLCD_PAM_PERM_DENIED;
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
/* root user requesting pwmod, convert uid to dn */
|
/* root user requesting pwmod, convert uid to dn */
|
||||||
pi.ispwdmgr = 1;
|
pi.ispwdmgr = 1;
|
||||||
rc = pam_uid2dn(ni, op, &pi);
|
rc = pam_uid2dn(ni, op, &pi);
|
||||||
|
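Review bot: The added Debug call in pam_pwmod routes the constant "caller is not root" through `%s` with two padding zeros, which is more indirection than a fixed message needs; `Debug(LDAP_DEBUG_TRACE,"nssov_pam_pwmod(): caller is not root\n",0,0,0);` says the same in one line, and the parallel call in pam_authc could be folded the same way. The check is correctly placed inside the pwdmgr-dn branch, before `pi.ispwdmgr` is set and pam_uid2dn is called, so an unprivileged caller never reaches the uid-to-dn conversion. The rest of pam_pwmod, including the `done:` label, is outside the hunk.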