From: Howard Chu
Date: Mon, 20 Apr 2009 03:53:09 +0000 (+0000)
Subject: Added uidnumber checks
X-Git-Tag: ACLCHECK_0~609
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=d8778432cf36cf9046569a8bc97aa23bd6300041;p=openldap
Added uidnumber checks
---
diff --git a/contrib/slapd-modules/nssov/pam.c b/contrib/slapd-modules/nssov/pam.c
index d2cfcbc4df..b735465e7c 100644
--- a/contrib/slapd-modules/nssov/pam.c
+++ b/contrib/slapd-modules/nssov/pam.c
@@ -217,6 +217,8 @@ static struct berval hostmsg =
 	BER_BVC("Access denied for this host");
 static struct berval svcmsg =
 	BER_BVC("Access denied for this service");
+static struct berval uidmsg =
+	BER_BVC("Access denied by UID check");
 
 int pam_authz(nssov_info *ni,TFILE *fp,Operation *op)
 {
@@ -338,7 +340,8 @@ int pam_authz(nssov_info *ni,TFILE *fp,Operation *op)
 
 	/* We need to check the user's entry for these bits */
 	if ((ni->ni_pam_opts & (NI_PAM_USERHOST|NI_PAM_USERSVC)) ||
-		ni->ni_pam_template_ad ) {
+		ni->ni_pam_template_ad ||
+		ni->ni_pam_min_uid || ni->ni_pam_max_uid ) {
 		rc = be_entry_get_rw( op, &dn, NULL, NULL, 0, &e );
 		if (rc != LDAP_SUCCESS) {
 			rc = PAM_USER_UNKNOWN;
@@ -366,6 +369,33 @@ int pam_authz(nssov_info *ni,TFILE *fp,Operation *op)
 		}
 	}
 
+/* from passwd.c */
+#define UIDN_KEY 2
+
+	if (ni->ni_pam_min_uid || ni->ni_pam_max_uid) {
+		int id;
+		char *tmp;
+		nssov_mapinfo *mi = &ni->ni_maps[NM_host];
+		a = attr_find(e->e_attrs, mi->mi_attrs[UIDN_KEY].an_desc);
+		if (!a) {
+			rc = PAM_PERM_DENIED;
+			authzmsg = uidmsg;
+			goto finish;
+		}
+		id = (int)strtol(a->a_vals[0].bv_val,&tmp,0);
+		if (a->a_vals[0].bv_val[0] == '\0' || *tmp != '\0') {
+			rc = PAM_PERM_DENIED;
+			authzmsg = uidmsg;
+			goto finish;
+		}
+		if ((ni->ni_pam_min_uid && id < ni->ni_pam_min_uid) ||
+			(ni->ni_pam_max_uid && id > ni->ni_pam_max_uid)) {
+			rc = PAM_PERM_DENIED;
+			authzmsg = uidmsg;
+			goto finish;
+		}
+	}
+
 	if (ni->ni_pam_template_ad) {
 		a = attr_find(e->e_attrs, ni->ni_pam_template_ad);
 		if (a)
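Review bot: The UID range check in the third hunk resolves the attribute through `ni->ni_maps[NM_host]` while the comment and `#define UIDN_KEY 2` say the index was taken from passwd.c, so unless the host map happens to carry uidNumber in slot 2 this looks up the wrong attribute and the check never sees the real uidNumber; it should presumably read `nssov_mapinfo *mi = &ni->ni_maps[NM_passwd];`. The conversion `id = (int)strtol(a->a_vals[0].bv_val,&tmp,0);` has no ERANGE check and narrows long to int, so an out-of-range value stored in the entry is clamped or wrapped before the min/max comparison instead of being denied; set `errno = 0` before the call, keep the result in a `long`, and add `errno == ERANGE` to the condition that sets PAM_PERM_DENIED. Base 0 also accepts leading whitespace, a sign and hex/octal forms that the uidNumber syntax would never admit, so base 10 is the safer choice. Only `a_vals[0]` is examined, so a multi-valued uidNumber passes or fails on whichever value is stored first. pam_authz begins and ends outside the hunk, and `e` comes from the be_entry_get_rw call in the second hunk, whose new condition is what makes it available here.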