Re: [SSSD] [PATCH] Patches related to restricting domain access from PAM services

Fri, 12 Dec 2014 04:43:52 -0800 

On Thu, Dec 11, 2014 at 07:43:14PM +0100, Pavel Reichl wrote:
> 
> On 12/11/2014 11:41 AM, Jakub Hrozek wrote:
> > From 077971dc3d8cefc8df123ed1e1018f06d7679545 Mon Sep 17 00:00:00 2001
> >From: Jakub Hrozek<jhro...@redhat.com>
> >Date: Thu, 11 Dec 2014 11:19:58 +0100
> >Subject: [PATCH 3/4] MAN: Misspelled username in pam_trusted_users is not
> >  fatal
> >
> >The man page claimed that failing to resolve an user name results in
> >failure to start SSSD, but it's not the case and shouldn't be, because
> >marking a user as trusted only elevates privileges, so it's safe to
> >ignore that failure.
> >---
> >  src/man/sssd.conf.5.xml | 5 -----
> >  1 file changed, 5 deletions(-)
> >
> >diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
> >index 
> >3525d78caff28fd05cc18061d023fec3c50d1a47..2002ccc7caf7013ead5b97c463fba46b734090ae
> > 100644
> >--- a/src/man/sssd.conf.5.xml
> >+++ b/src/man/sssd.conf.5.xml
> >@@ -907,11 +907,6 @@ fallback_homedir =/home/%u
> >                              the PAM responder even in case it is not in the
> >                              pam_trusted_users list.
> >                          </para>
> >-                        <para>
> >-                            Also please note that if there is a user name in
> >-                            pam_trusted_users list which fails to be 
> >resolved
> >-                            it will cause that SSSD will not be started.
> >-                        </para>
> >                      </listitem>
> >                  </varlistentry>
> >                  <varlistentry>
> >-- 1.9.3
> Hello Jakub,
> patches LGTM, I have just a little problem with 3rd patch - actually I think
> that the man page describes what really happens - this is form my
> sss_pam.log:
> 
> (Thu Dec 11 18:35:21 2014) [sssd[pam]] [sss_process_init] (0x0400):
> Responder Initialization complete
> (Thu Dec 11 18:35:21 2014) [sssd[pam]] [sss_user_by_name_or_uid] (0x0040):
> [xxxxxxxxx] is neither a valid UID nor a user name which could be resolved
> by getpwnam().
> (Thu Dec 11 18:35:21 2014) [sssd[pam]] [csv_string_to_uid_array] (0x0040):
> List item [xxxxxxxxx] is neither a valid UID nor a user name which could be
> resolved by getpwnam().
> (Thu Dec 11 18:35:21 2014) [sssd[pam]] [get_trusted_uids] (0x0010): Failed
> to set allowed UIDs.
> (Thu Dec 11 18:35:21 2014) [sssd[pam]] [pam_process_init] (0x0010):
> get_trusted_uids failed: 22:[Invalid argument].
> (Thu Dec 11 18:35:21 2014) [sssd[pam]] [sss_responder_ctx_destructor]
> (0x0400): Responder is being shut down
> 
> 

Oops, I must test better next time. Attached patch just makes sure that
we document properly what is and what is not checked.

>From caf8d5ba9f871accc5748a515ff794266a5d7e0b Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhro...@redhat.com>
Date: Wed, 10 Dec 2014 11:35:18 +0100
Subject: [PATCH 1/4] PAM: Domain names are case-insensitive

The pam_public_domains option and matching the domain requested by a
trusted process was done in a case-sensitive manner which is different
from how we match domain names in SSSD normally.
---
 src/responder/pam/pamsrv_cmd.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 
a924c4da570757a82d10c538644748f469446630..7cab7b2b4be99833d1446a25e1411898a9e5e67b
 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -56,7 +56,7 @@ static bool is_domain_requested(struct pam_data *pd, const 
char *domain_name)
     }
 
     for (i = 0; pd->requested_domains[i]; i++) {
-        if (strcmp(domain_name, pd->requested_domains[i])) {
+        if (strcasecmp(domain_name, pd->requested_domains[i])) {
             continue;
         }
 
@@ -831,7 +831,7 @@ static bool is_domain_public(char *name,
     size_t i;
 
     for(i=0; i < public_dom_names_count; i++) {
-        if (strcmp(name, public_dom_names[i]) == 0) {
+        if (strcasecmp(name, public_dom_names[i]) == 0) {
             return true;
         }
     }
-- 
1.9.3


>From cd04ed98af669a07f0b6c6a2e9c2b845781493fd Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhro...@redhat.com>
Date: Wed, 10 Dec 2014 12:02:47 +0100
Subject: [PATCH 2/4] PAM: Missing argument to domains= should fail auth

---
 src/sss_client/pam_sss.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index 
d64e826daeb80be8998ef3b410047e3a44051b07..fdf6c9e6da75c9f7eaa7c00d9a5792fbdd97eabc
 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -1487,6 +1487,12 @@ static int pam_sss(enum sss_cli_command task, 
pam_handle_t *pamh,
 
     eval_argv(pamh, argc, argv, &flags, &retries, &quiet_mode, &domains);
 
+    /* Fail all authentication on misconfigured domains= parameter. The admin
+     * probably wanted to restrict authentication, so it's safer to fail */
+    if (domains && strcmp(domains, "") == 0) {
+        return PAM_SYSTEM_ERR;
+    }
+
     pi.requested_domains = domains;
 
     ret = get_pam_items(pamh, &pi);
-- 
1.9.3


>From 9003d20fdee6542003c1ab13e0f40aec4804878c Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhro...@redhat.com>
Date: Thu, 11 Dec 2014 11:28:57 +0100
Subject: [PATCH 3/4] RESPONDER: Log failures to resolve user names in
 csv_string_to_uid_array

---
 src/responder/common/responder_common.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/responder/common/responder_common.c 
b/src/responder/common/responder_common.c
index 
6646fa2587a8299de40eaef35830351136b8149a..a5a44478759e0d515e8437c3bb9bcd78dbb1e4f5
 100644
--- a/src/responder/common/responder_common.c
+++ b/src/responder/common/responder_common.c
@@ -215,6 +215,9 @@ errno_t csv_string_to_uid_array(TALLOC_CTX *mem_ctx, const 
char *csv_string,
                 DEBUG(SSSDBG_OP_FAILURE, "List item [%s] is neither a valid "
                                          "UID nor a user name which could be "
                                          "resolved by getpwnam().\n", list[c]);
+                sss_log(SSS_LOG_WARNING, "List item [%s] is neither a valid "
+                                         "UID nor a user name which could be "
+                                         "resolved by getpwnam().\n", list[c]);
                 goto done;
             }
         }
-- 
1.9.3


>From c5a98dae7272c681ef82fb9d939d7c7e9e1304fc Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhro...@redhat.com>
Date: Fri, 12 Dec 2014 13:29:19 +0100
Subject: [PATCH 4/4] MAN: Make it clean that only usernames are check with
 pam_trusted_users

https://fedorahosted.org/sssd/ticket/2530
---
 src/man/sssd.conf.5.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 
3525d78caff28fd05cc18061d023fec3c50d1a47..4687a5cf5ab29e11ff69d206892c36aa683f5433
 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -911,6 +911,7 @@ fallback_homedir = /home/%u
                             Also please note that if there is a user name in
                             pam_trusted_users list which fails to be resolved
                             it will cause that SSSD will not be started.
+                            Numerical IDs are not checked for validity.
                         </para>
                     </listitem>
                 </varlistentry>
-- 
1.9.3


_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel

Reply via email to