On 09/29/2014 05:18 PM, Lukas Slebodnik wrote:
On (27/09/14 12:39), Pavel Reichl wrote:
Attached patch now contains both options.
Thanks.
On 09/25/2014 03:57 PM, Pavel Reichl wrote:
Hello,
please see attached patch which adds first of two options proposed in https://fedorahosted.org/sssd/wiki/DesignDocs/RestrictDomainsInPAM
Thanks!
From 78a61eb76d9ccf1d060a621f987dc666b9db6e42 Mon Sep 17 00:00:00 2001 From: Pavel Reichl preichl@redhat.com Date: Thu, 25 Sep 2014 14:52:31 +0100 Subject: [PATCH] PAM: new options pam_trusted_users & pam_public_domains
pam_public_domains option is a list of numerical UIDs or user names that are trusted.
pam_public_domains option is a list of domains accessible even for untrusted users.
Based on: https://fedorahosted.org/sssd/wiki/DesignDocs/RestrictDomainsInPAM
src/confdb/confdb.h | 2 + src/config/SSSDConfig/__init__.py.in | 2 + src/config/etc/sssd.api.conf | 2 + src/man/sssd.conf.5.xml | 46 ++++++++++++++++++ src/responder/pam/pamsrv.c | 94 ++++++++++++++++++++++++++++++++++++ src/responder/pam/pamsrv.h | 7 +++ src/responder/pam/pamsrv_cmd.c | 80 ++++++++++++++++++++++++++++-- src/util/domain_info_utils.c | 60 +++++++++++++++++++++++ src/util/util.h | 5 ++ 9 files changed, 295 insertions(+), 3 deletions(-)
//snip
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml index ad091e46e6cde1e12f554dde6470cf138412606e..3ff5fad82240c2c8a7e28c47397a20700b50ec04 100644 --- a/src/man/sssd.conf.5.xml +++ b/src/man/sssd.conf.5.xml @@ -836,6 +836,52 @@ fallback_homedir = /home/%u </para> </listitem> </varlistentry>
<varlistentry><term>pam_trusted_users (string)</term><listitem><para>Specifies the comma-separated list of UID values oruser names that are allowed to access the PAMresponder. User names are resolved to UIDs atstartup.</para><para>Default: all (All users are allowed to accessthe PAM responder)</para><para>Please note that UID 0 is always allowed to accessthe PAM responder even in case it is not in thepam_trusted_users list.</para><para>Also please note that if there is a user name inpam_trusted_users list which fails to be resolvedit will cause that SSSD will not be started.</para></listitem></varlistentry><varlistentry><term>pam_public_domains (string)</term><listitem><para>Specifies the comma-separated list of domain namesthat are accessible even to untrusted users.</para><para>Two special values for pam_public_domains optionare defined:</para><para>none (Untrusted users are not allowed to accessany domains PAM repsponder.)</para>just one special value is described here. The second one "all" is not described.
<para>Default: none</para></listitem></varlistentry></variablelist> </refsect2>//snip
struct pam_auth_dp_req { diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c index 561bd3d9678c73fdfa52592b5a0c502a46e89b5f..ebeaeeb1893b8f4078e3837f304b74dd46df7ec4 100644 --- a/src/responder/pam/pamsrv_cmd.c +++ b/src/responder/pam/pamsrv_cmd.c @@ -762,6 +762,45 @@ static int pam_auth_req_destructor(struct pam_auth_req *preq) return 0; }
+static bool is_uid_trusted(int32_t uid,
^^^^^^^ It is better to have uid as unsigned value ("uint32_t")
size_t trusted_uids_count,uid_t *trusted_uids)+{
- size_t i;
- /* root is always trusted */
- if (uid == 0) {
return true;- }
- /* All uids are allowed */
- if (trusted_uids_count == 0) {
return true;- }
- for(i = 0; i < trusted_uids_count; i++) {
if (trusted_uids[i] == uid) {return true;}- }
- return false;
+}
sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
OK, thanks for review. I made changes you requested in both mails.