return rc;
}
-int pam_authc(nssov_info *ni,TFILE *fp,Operation *op)
+int pam_authc(nssov_info *ni,TFILE *fp,Operation *op,uid_t calleruid)
{
int32_t tmpint32;
int rc;
pi.authz = NSLCD_PAM_PERM_DENIED;
rc = NSLCD_PAM_PERM_DENIED;
goto finish;
+ } else if (calleruid != 0) {
+ Debug(LDAP_DEBUG_TRACE,"nssov_pam_authc(prelim check): %s\n",
+ "caller is not root", 0, 0);
+ ber_str2bv("only root may do that", 0, 0, &pi.msg);
+ pi.authz = NSLCD_PAM_PERM_DENIED;
+ rc = NSLCD_PAM_PERM_DENIED;
+ goto finish;
} else {
/* use pwdmgr dn */
ber_str2bv(ni->ni_pam_pwdmgr_dn.bv_val, 0, 0, &pi.dn);
return pam_sess(ni,fp,op,NSLCD_ACTION_PAM_SESS_C);
}
-int pam_pwmod(nssov_info *ni,TFILE *fp,Operation *op)
+int pam_pwmod(nssov_info *ni,TFILE *fp,Operation *op,uid_t calleruid)
{
struct berval npw;
int32_t tmpint32;
rc = NSLCD_PAM_PERM_DENIED;
goto done;
} else if (!ber_bvcmp(&pi.dn, &ni->ni_pam_pwdmgr_dn)) {
+ if (calleruid != 0) {
+ Debug(LDAP_DEBUG_TRACE,"nssov_pam_pwmod(): %s\n",
+ "caller is not root", 0, 0);
+ ber_str2bv("only root may do that", 0, 0, &pi.msg);
+ rc = NSLCD_PAM_PERM_DENIED;
+ goto done;
+ }
/* root user requesting pwmod, convert uid to dn */
pi.ispwdmgr = 1;
rc = pam_uid2dn(ni, op, &pi);
projects / openldap / blobdiff