pac responder: limit access by checking UIDs

A check for allowed UIDs is added in the common responder code directly after accept(). If the platform does not support reading the UID of the peer but allowed UIDs are configured, access is denied. Currently only the PAC responder sets the allowed UIDs for a socket. The default is that only root is allowed to access the socket of the PAC responder. Fixes: https://fedorahosted.org/sssd/ticket/1382
author: Sumit Bose <sbose@redhat.com> 2012-07-05 10:50:08 +0200
committer: Stephen Gallagher <sgallagh@redhat.com> 2012-07-10 09:07:26 -0400
commit: 2d257ccf620ce1b611f89cec8f0a94c88c2f2881 (patch)
tree: 6e3c67e2922c366d3b60ae477d2e2dd8fbbd6763 /src/config
parent: a56156c13c71a96166b0a8f3921e67f36470f8d7 (diff)
download: sssd-2d257ccf620ce1b611f89cec8f0a94c88c2f2881.tar.gz
sssd-2d257ccf620ce1b611f89cec8f0a94c88c2f2881.tar.bz2
sssd-2d257ccf620ce1b611f89cec8f0a94c88c2f2881.zip
3 files changed, 11 insertions, 2 deletions
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index f6030678..18586ad6 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -88,6 +88,9 @@ option_strings = {
     # [ssh]
     'ssh_hash_known_hosts': _('Whether to hash host names and addresses in the known_hosts file'),
 
+    # [pac]
+    'allowed_uids': _('List of UIDs or user names allowed to access the PAC responder'),
+
     # [provider]
     'id_provider' : _('Identity provider'),
     'auth_provider' : _('Authentication provider'),
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index c1fbe481..dc4bcc96 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -1178,7 +1178,8 @@ class SSSDConfigTestSSSDConfig(unittest.TestCase):
             'pam',
             'sudo',
             'autofs',
-            'ssh']
+            'ssh',
+            'pac']
         for section in control_list:
             self.assertTrue(sssdconfig.has_section(section),
                             "Section [%s] missing" %
@@ -1270,7 +1271,8 @@ class SSSDConfigTestSSSDConfig(unittest.TestCase):
             'nss',
             'sudo',
             'autofs',
-            'ssh']
+            'ssh',
+            'pac']
         service_list = sssdconfig.list_services()
         for service in control_list:
             self.assertTrue(service in service_list,
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index f1cd067d..35ebb2e4 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -63,6 +63,10 @@ autofs_negative_timeout = int, None, false
 # ssh service
 ssh_hash_known_hosts = bool, None, false
 
+[pac]
+# PAC responder
+allowed_uids = str, None, false
+
 [provider]
 #Available provider types
 id_provider = str, None, true
author	Sumit Bose <sbose@redhat.com>	2012-07-05 10:50:08 +0200
committer	Stephen Gallagher <sgallagh@redhat.com>	2012-07-10 09:07:26 -0400
commit	2d257ccf620ce1b611f89cec8f0a94c88c2f2881 (patch)
tree	6e3c67e2922c366d3b60ae477d2e2dd8fbbd6763 /src/config
parent	a56156c13c71a96166b0a8f3921e67f36470f8d7 (diff)
download	sssd-2d257ccf620ce1b611f89cec8f0a94c88c2f2881.tar.gz sssd-2d257ccf620ce1b611f89cec8f0a94c88c2f2881.tar.bz2 sssd-2d257ccf620ce1b611f89cec8f0a94c88c2f2881.zip