From: Ryan Tandy
Date: Mon, 16 Mar 2015 04:44:21 +0000 (+0000)
Subject: ITS#8080 nssov: only allow root to become pwdmgr
X-Git-Tag: OPENLDAP_REL_ENG_2_4_41~63
X-Git-Url: https://git.sur5r.net/?p=openldap;a=commitdiff_plain;h=9f50911265d0f167cce21a27603a083d9a5f3b16

ITS#8080 nssov: only allow root to become pwdmgr
---

diff --git a/contrib/slapd-modules/nssov/nssov.c b/contrib/slapd-modules/nssov/nssov.c
index 0c9325bddf..05b6adc899 100644
--- a/contrib/slapd-modules/nssov/nssov.c
+++ b/contrib/slapd-modules/nssov/nssov.c
@@ -369,11 +369,11 @@ static void handleconnection(nssov_info *ni,int sock,Operation *op)
  case NSLCD_ACTION_SERVICE_ALL: (void)nssov_service_all(ni,fp,op); break;
  case NSLCD_ACTION_SHADOW_BYNAME: if (uid==0) (void)nssov_shadow_byname(ni,fp,op); break;
  case NSLCD_ACTION_SHADOW_ALL: if (uid==0) (void)nssov_shadow_all(ni,fp,op); break;
- case NSLCD_ACTION_PAM_AUTHC: (void)pam_authc(ni,fp,op); break;
+ case NSLCD_ACTION_PAM_AUTHC: (void)pam_authc(ni,fp,op,uid); break;
  case NSLCD_ACTION_PAM_AUTHZ: (void)pam_authz(ni,fp,op); break;
  case NSLCD_ACTION_PAM_SESS_O: if (uid==0) (void)pam_sess_o(ni,fp,op); break;
  case NSLCD_ACTION_PAM_SESS_C: if (uid==0) (void)pam_sess_c(ni,fp,op); break;
- case NSLCD_ACTION_PAM_PWMOD: (void)pam_pwmod(ni,fp,op); break;
+ case NSLCD_ACTION_PAM_PWMOD: (void)pam_pwmod(ni,fp,op,uid); break;
  case NSLCD_ACTION_CONFIG_GET: (void)nssov_config(ni,fp,op); break;
  default:
  Debug( LDAP_DEBUG_ANY,"nssov: invalid request id: %d",(int)action,0,0);
diff --git a/contrib/slapd-modules/nssov/nssov.h b/contrib/slapd-modules/nssov/nssov.h
index 509bdef5bc..f13378e73b 100644
--- a/contrib/slapd-modules/nssov/nssov.h
+++ b/contrib/slapd-modules/nssov/nssov.h
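Review bot: The root gate for PAM_AUTHC and PAM_PWMOD now lives inside the callees, while the SHADOW_* and PAM_SESS_* cases right next to them gate on `if (uid==0)` at the dispatch site, so a reader of this switch cannot tell that the two changed cases are privilege-checked at all. A short comment on the two changed lines would keep the policy visible in one place, e.g. `/* any caller may authc/pwmod for itself; the callee restricts the pwdmgr path to uid 0 */`. handleconnection begins before this hunk and the origin of `uid` is not visible here; I assume it is the same peer credential the existing `uid==0` checks already rely on.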
@@ -239,11 +239,11 @@ int nssov_service_bynumber(nssov_info *ni,TFILE *fp,Operation *op);
 int nssov_service_all(nssov_info *ni,TFILE *fp,Operation *op);
 int nssov_shadow_byname(nssov_info *ni,TFILE *fp,Operation *op);
 int nssov_shadow_all(nssov_info *ni,TFILE *fp,Operation *op);
-int pam_authc(nssov_info *ni,TFILE *fp,Operation *op);
+int pam_authc(nssov_info *ni,TFILE *fp,Operation *op,uid_t calleruid);
 int pam_authz(nssov_info *ni,TFILE *fp,Operation *op);
 int pam_sess_o(nssov_info *ni,TFILE *fp,Operation *op);
 int pam_sess_c(nssov_info *ni,TFILE *fp,Operation *op);
-int pam_pwmod(nssov_info *ni,TFILE *fp,Operation *op);
+int pam_pwmod(nssov_info *ni,TFILE *fp,Operation *op,uid_t calleruid);
 
 /* config initialization */
 #define NSSOV_INIT(db) \
diff --git a/contrib/slapd-modules/nssov/pam.c b/contrib/slapd-modules/nssov/pam.c
index 487e193060..a455331ed3 100644
--- a/contrib/slapd-modules/nssov/pam.c
+++ b/contrib/slapd-modules/nssov/pam.c
@@ -209,7 +209,7 @@ finish:
  return rc;
  }
 
-int pam_authc(nssov_info *ni,TFILE *fp,Operation *op)
+int pam_authc(nssov_info *ni,TFILE *fp,Operation *op,uid_t calleruid)
  {
  int32_t tmpint32;
  int rc;
@@ -263,6 +263,13 @@ int pam_authc(nssov_info *ni,TFILE *fp,Operation *op)
  pi.authz = NSLCD_PAM_PERM_DENIED;
  rc = NSLCD_PAM_PERM_DENIED;
  goto finish;
+ } else if (calleruid != 0) {
+ Debug(LDAP_DEBUG_TRACE,"nssov_pam_authc(prelim check): %s\n",
+ "caller is not root", 0, 0);
+ ber_str2bv("only root may do that", 0, 0, &pi.msg);
+ pi.authz = NSLCD_PAM_PERM_DENIED;
+ rc = NSLCD_PAM_PERM_DENIED;
+ goto finish;
  } else {
  /* use pwdmgr dn */
  ber_str2bv(ni->ni_pam_pwdmgr_dn.bv_val, 0, 0, &pi.dn);
@@ -708,7 +715,7 @@ int pam_sess_c(nssov_info *ni,TFILE *fp,Operation *op)
  return pam_sess(ni,fp,op,NSLCD_ACTION_PAM_SESS_C);
  }
 
-int pam_pwmod(nssov_info *ni,TFILE *fp,Operation *op)
+int pam_pwmod(nssov_info *ni,TFILE *fp,Operation *op,uid_t calleruid)
  {
  struct berval npw;
  int32_t tmpint32;
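Review bot: The new `calleruid` parameter on the two changed prototypes is undocumented, and nothing in this header says what value it carries or what the callee does with it. A comment above the two declarations would spell out the contract, e.g. `/* calleruid: peer uid of the requesting process; only 0 (root) may use the pwdmgr DN path */`. I am inferring the "peer uid" meaning from the `uid` variable the dispatcher passes in nssov.c; the header itself does not say.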
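Review bot: The denial of a non-root caller trying to use the pwdmgr DN is logged only at LDAP_DEBUG_TRACE and does not record which uid was refused, so an operator running at a normal log level sees nothing when an unprivileged local process probes this privileged path. Logging the refusal at a level that is on in production and including the uid would make the event visible, e.g. `Debug(LDAP_DEBUG_ANY,"nssov_pam_authc(prelim check): caller uid %d is not root\n",(int)calleruid,0,0);`. The same applies to the matching block added in the @@ -770 hunk of pam_pwmod. This check sits in an else-if chain whose first condition is outside the hunk, and pam_authc begins and ends outside it, so I assume the preceding branch is the one that selects the pwdmgr path in the first place.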
@@ -770,6 +777,13 @@ int pam_pwmod(nssov_info *ni,TFILE *fp,Operation *op)
  rc = NSLCD_PAM_PERM_DENIED;
  goto done;
  } else if (!ber_bvcmp(&pi.dn, &ni->ni_pam_pwdmgr_dn)) {
+ if (calleruid != 0) {
+ Debug(LDAP_DEBUG_TRACE,"nssov_pam_pwmod(): %s\n",
+ "caller is not root", 0, 0);
+ ber_str2bv("only root may do that", 0, 0, &pi.msg);
+ rc = NSLCD_PAM_PERM_DENIED;
+ goto done;
+ }
  /* root user requesting pwmod, convert uid to dn */
  pi.ispwdmgr = 1;
  rc = pam_uid2dn(ni, op, &pi);
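Review bot: The new `if (calleruid != 0)` block has no comment saying why the pwdmgr DN branch must be restricted to the root peer, so the security reasoning lives only in the commit message. A comment above the check would keep it with the code, e.g. `/* the pwdmgr DN may change any user's password; only a local root caller (peer uid 0) is allowed to use it */`. Note also that pam_authc's equivalent branch sets `pi.authz` alongside `rc` while this one sets only `rc`; whether pam_pwmod has such a field is not visible in the hunk, so this may simply be a difference between the two structs rather than an omission. pam_pwmod begins and ends outside this hunk.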