From 2d257ccf620ce1b611f89cec8f0a94c88c2f2881 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 5 Jul 2012 10:50:08 +0200
Subject: pac responder: limit access by checking UIDs

A check for allowed UIDs is added in the common responder code directly
after accept(). If the platform does not support reading the UID of the
peer but allowed UIDs are configured, access is denied.

Currently only the PAC responder sets the allowed UIDs for a socket. The
default is that only root is allowed to access the socket of the PAC
responder.

Fixes: https://fedorahosted.org/sssd/ticket/1382
---
 src/config/etc/sssd.api.conf | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'src/config/etc')

diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index f1cd067d..35ebb2e4 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -63,6 +63,10 @@ autofs_negative_timeout = int, None, false
 # ssh service
 ssh_hash_known_hosts = bool, None, false
 
+[pac]
+# PAC responder
+allowed_uids = str, None, false
+
 [provider]
 #Available provider types
 id_provider = str, None, true
-- 
cgit