diff options
author | Sumit Bose <sbose@redhat.com> | 2009-04-23 16:33:39 +0200 |
---|---|---|
committer | Stephen Gallagher <sgallagh@redhat.com> | 2009-04-27 07:03:08 -0400 |
commit | 1cabd594f224825bd0eae543216d87801091c33c (patch) | |
tree | 8fec444497a911e377d42de9e156eacb54a184b9 /server/providers | |
parent | a03f9612e6560d4aa32e2813cce1bad88b550713 (diff) | |
download | sssd-1cabd594f224825bd0eae543216d87801091c33c.tar.gz sssd-1cabd594f224825bd0eae543216d87801091c33c.tar.bz2 sssd-1cabd594f224825bd0eae543216d87801091c33c.zip |
fix for pam proxy chauthtok
When a user from a domain served by the proxy backend changes his
password with passwd the passwd command asks for the old password,
but it is not validated by the pam_chauthtok call in the proxy
backend, because it is running as root.
If the request is coming the unpriviledged socket we now call
pam_authenticate explicitly before pam_chauthtok.
Diffstat (limited to 'server/providers')
-rw-r--r-- | server/providers/data_provider.h | 1 | ||||
-rw-r--r-- | server/providers/dp_auth_util.c | 3 | ||||
-rw-r--r-- | server/providers/proxy.c | 26 |
3 files changed, 21 insertions, 9 deletions
diff --git a/server/providers/data_provider.h b/server/providers/data_provider.h index 2c828fab..9278e396 100644 --- a/server/providers/data_provider.h +++ b/server/providers/data_provider.h @@ -115,6 +115,7 @@ struct pam_data { struct response_data *resp_list; bool offline_auth; + int priv; }; void pam_print_data(int l, struct pam_data *pd); diff --git a/server/providers/dp_auth_util.c b/server/providers/dp_auth_util.c index 99e57e2e..630dafe8 100644 --- a/server/providers/dp_auth_util.c +++ b/server/providers/dp_auth_util.c @@ -34,6 +34,7 @@ void pam_print_data(int l, struct pam_data *pd) DEBUG(l, ("authtok size: %d\n", pd->authtok_size)); DEBUG(l, ("newauthtok type: %d\n", pd->newauthtok_type)); DEBUG(l, ("newauthtok size: %d\n", pd->newauthtok_size)); + DEBUG(l, ("priv: %d\n", pd->priv)); } int pam_add_response(struct pam_data *pd, enum response_type type, @@ -74,6 +75,7 @@ bool dp_pack_pam_request(DBusMessage *msg, struct pam_data *pd) DBUS_TYPE_ARRAY, DBUS_TYPE_BYTE, &(pd->newauthtok), pd->newauthtok_size, + DBUS_TYPE_INT32, &(pd->priv), DBUS_TYPE_INVALID); return ret; @@ -99,6 +101,7 @@ bool dp_unpack_pam_request(DBusMessage *msg, struct pam_data *pd, DBusError *dbu DBUS_TYPE_ARRAY, DBUS_TYPE_BYTE, &(pd->newauthtok), &(pd->newauthtok_size), + DBUS_TYPE_INT32, &(pd->priv), DBUS_TYPE_INVALID); return ret; diff --git a/server/providers/proxy.c b/server/providers/proxy.c index 907f044e..0fea89df 100644 --- a/server/providers/proxy.c +++ b/server/providers/proxy.c @@ -66,8 +66,8 @@ struct proxy_auth_ctx { }; struct authtok_conv { - char *authtok; - char *oldauthtok; + uint32_t authtok_size; + uint8_t *authtok; }; static int proxy_internal_conv(int num_msg, const struct pam_message **msgm, @@ -90,7 +90,11 @@ static int proxy_internal_conv(int num_msg, const struct pam_message **msgm, case PAM_PROMPT_ECHO_OFF: DEBUG(4, ("Conversation message: [%s]\n", msgm[i]->msg)); reply[i].resp_retcode = 0; - reply[i].resp = strdup(auth_data->authtok); + reply[i].resp = calloc(auth_data->authtok_size + 1, + sizeof(char)); + if (reply[i].resp == NULL) goto failed; + memcpy(reply[i].resp, auth_data->authtok, auth_data->authtok_size); + break; default: DEBUG(1, ("Conversation style %d not supported.\n", @@ -142,9 +146,8 @@ static void proxy_pam_handler(struct be_req *req) { } switch (pd->cmd) { case SSS_PAM_AUTHENTICATE: -/* FIXME: \0 missing at the end */ - auth_data->authtok=(char *) pd->authtok; - auth_data->oldauthtok=NULL; + auth_data->authtok_size = pd->authtok_size; + auth_data->authtok = pd->authtok; pam_status=pam_authenticate(pamh, 0); break; case SSS_PAM_SETCRED: @@ -160,9 +163,14 @@ static void proxy_pam_handler(struct be_req *req) { pam_status=pam_close_session(pamh, 0); break; case SSS_PAM_CHAUTHTOK: -/* FIXME: \0 missing at the end */ - auth_data->authtok=(char *) pd->newauthtok; - auth_data->oldauthtok=(char *) pd->authtok; + if (pd->priv != 1) { + auth_data->authtok_size = pd->authtok_size; + auth_data->authtok = pd->authtok; + pam_status=pam_authenticate(pamh, 0); + if (pam_status != PAM_SUCCESS) break; + } + auth_data->authtok_size = pd->newauthtok_size; + auth_data->authtok = pd->newauthtok; pam_status=pam_chauthtok(pamh, 0); break; default: |