diff options
author | Sumit Bose <sbose@redhat.com> | 2012-07-05 10:50:08 +0200 |
---|---|---|
committer | Stephen Gallagher <sgallagh@redhat.com> | 2012-07-10 09:07:26 -0400 |
commit | 2d257ccf620ce1b611f89cec8f0a94c88c2f2881 (patch) | |
tree | 6e3c67e2922c366d3b60ae477d2e2dd8fbbd6763 /src/man/sssd.conf.5.xml | |
parent | a56156c13c71a96166b0a8f3921e67f36470f8d7 (diff) | |
download | sssd-2d257ccf620ce1b611f89cec8f0a94c88c2f2881.tar.gz sssd-2d257ccf620ce1b611f89cec8f0a94c88c2f2881.tar.bz2 sssd-2d257ccf620ce1b611f89cec8f0a94c88c2f2881.zip |
pac responder: limit access by checking UIDs
A check for allowed UIDs is added in the common responder code directly
after accept(). If the platform does not support reading the UID of the
peer but allowed UIDs are configured, access is denied.
Currently only the PAC responder sets the allowed UIDs for a socket. The
default is that only root is allowed to access the socket of the PAC
responder.
Fixes: https://fedorahosted.org/sssd/ticket/1382
Diffstat (limited to 'src/man/sssd.conf.5.xml')
-rw-r--r-- | src/man/sssd.conf.5.xml | 31 |
1 files changed, 27 insertions, 4 deletions
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml index 26748856..ed2d1e05 100644 --- a/src/man/sssd.conf.5.xml +++ b/src/man/sssd.conf.5.xml @@ -792,10 +792,6 @@ <refsect2 id='PAC_RESPONDER' condition="with_pac_responder"> <title>PAC responder configuration options</title> <para> - Currently there are no PAC responder specific configuration - options. - </para> - <para> <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/experimental.xml" /> </para> @@ -822,6 +818,33 @@ groups.</para></listitem> </itemizedlist> </para> + <para> + These options can be used to configure the PAC responder. + </para> + <variablelist> + <varlistentry> + <term>allowed_uids (string)</term> + <listitem> + <para> + Specifies the comma-separated list of UID values or + user names that are allowed to access the PAC + responder. User names are resolved to UIDs at + startup. + </para> + <para> + Default: 0 (only the root user is allowed to access + the PAC responder) + </para> + <para> + Please note that although the UID 0 is used as the + default it will be overwritten with this option. If + you still want to allow the root user to access the + PAC responder, which would be the typical case, you + have to add 0 to the list of allowed UIDs as well. + </para> + </listitem> + </varlistentry> + </variablelist> </refsect2> </refsect1> |