ITS#8080 nssov: only allow root to become pwdmgr

9f509112 · Ryan Tandy · Quanah Gibson-Mount · 44e7c30e · 9f509112 · 9f509112
Commit 9f509112 authored Mar 16, 2015 by Ryan Tandy Committed by Quanah Gibson-Mount Mar 23, 2015
--- a/contrib/slapd-modules/nssov/nssov.c
+++ b/contrib/slapd-modules/nssov/nssov.c
@@ -369,11 +369,11 @@ static void handleconnection(nssov_info *ni,int sock,Operation *op)
    case NSLCD_ACTION_SERVICE_ALL:      (void)nssov_service_all(ni,fp,op); break;
    case NSLCD_ACTION_SHADOW_BYNAME:    if (uid==0) (void)nssov_shadow_byname(ni,fp,op); break;
    case NSLCD_ACTION_SHADOW_ALL:       if (uid==0) (void)nssov_shadow_all(ni,fp,op); break;
-	case NSLCD_ACTION_PAM_AUTHC:		(void)pam_authc(ni,fp,op); break;
+	case NSLCD_ACTION_PAM_AUTHC:		(void)pam_authc(ni,fp,op,uid); break;
 	case NSLCD_ACTION_PAM_AUTHZ:		(void)pam_authz(ni,fp,op); break;
 	case NSLCD_ACTION_PAM_SESS_O:		if (uid==0) (void)pam_sess_o(ni,fp,op); break;
 	case NSLCD_ACTION_PAM_SESS_C:		if (uid==0) (void)pam_sess_c(ni,fp,op); break;
-	case NSLCD_ACTION_PAM_PWMOD:		(void)pam_pwmod(ni,fp,op); break;
+	case NSLCD_ACTION_PAM_PWMOD:		(void)pam_pwmod(ni,fp,op,uid); break;
 	case NSLCD_ACTION_CONFIG_GET:			(void)nssov_config(ni,fp,op); break;
    default:
      Debug( LDAP_DEBUG_ANY,"nssov: invalid request id: %d",(int)action,0,0);

--- a/contrib/slapd-modules/nssov/nssov.h
+++ b/contrib/slapd-modules/nssov/nssov.h
@@ -239,11 +239,11 @@ int nssov_service_bynumber(nssov_info *ni,TFILE *fp,Operation *op);
 int nssov_service_all(nssov_info *ni,TFILE *fp,Operation *op);
 int nssov_shadow_byname(nssov_info *ni,TFILE *fp,Operation *op);
 int nssov_shadow_all(nssov_info *ni,TFILE *fp,Operation *op);
-int pam_authc(nssov_info *ni,TFILE *fp,Operation *op);
+int pam_authc(nssov_info *ni,TFILE *fp,Operation *op,uid_t calleruid);
 int pam_authz(nssov_info *ni,TFILE *fp,Operation *op);
 int pam_sess_o(nssov_info *ni,TFILE *fp,Operation *op);
 int pam_sess_c(nssov_info *ni,TFILE *fp,Operation *op);
-int pam_pwmod(nssov_info *ni,TFILE *fp,Operation *op);
+int pam_pwmod(nssov_info *ni,TFILE *fp,Operation *op,uid_t calleruid);

 /* config initialization */
 #define NSSOV_INIT(db) \

--- a/contrib/slapd-modules/nssov/pam.c
+++ b/contrib/slapd-modules/nssov/pam.c
@@ -209,7 +209,7 @@ finish:
 	return rc;
 }

-int pam_authc(nssov_info *ni,TFILE *fp,Operation *op)
+int pam_authc(nssov_info *ni,TFILE *fp,Operation *op,uid_t calleruid)
 {
 	int32_t tmpint32;
 	int rc;
@@ -263,6 +263,13 @@ int pam_authc(nssov_info *ni,TFILE *fp,Operation *op)
 			pi.authz = NSLCD_PAM_PERM_DENIED;
 			rc = NSLCD_PAM_PERM_DENIED;
 			goto finish;
+		} else if (calleruid != 0) {
+			Debug(LDAP_DEBUG_TRACE,"nssov_pam_authc(prelim check): %s\n",
+				"caller is not root", 0, 0);
+			ber_str2bv("only root may do that", 0, 0, &pi.msg);
+			pi.authz = NSLCD_PAM_PERM_DENIED;
+			rc = NSLCD_PAM_PERM_DENIED;
+			goto finish;
 		} else {
 			/* use pwdmgr dn */
 			ber_str2bv(ni->ni_pam_pwdmgr_dn.bv_val, 0, 0, &pi.dn);
@@ -708,7 +715,7 @@ int pam_sess_c(nssov_info *ni,TFILE *fp,Operation *op)
 	return pam_sess(ni,fp,op,NSLCD_ACTION_PAM_SESS_C);
 }

-int pam_pwmod(nssov_info *ni,TFILE *fp,Operation *op)
+int pam_pwmod(nssov_info *ni,TFILE *fp,Operation *op,uid_t calleruid)
 {
 	struct berval npw;
 	int32_t tmpint32;
@@ -770,6 +777,13 @@ int pam_pwmod(nssov_info *ni,TFILE *fp,Operation *op)
 		rc = NSLCD_PAM_PERM_DENIED;
 		goto done;
 	} else if (!ber_bvcmp(&pi.dn, &ni->ni_pam_pwdmgr_dn)) {
+		if (calleruid != 0) {
+			Debug(LDAP_DEBUG_TRACE,"nssov_pam_pwmod(): %s\n",
+				"caller is not root", 0, 0);
+			ber_str2bv("only root may do that", 0, 0, &pi.msg);
+			rc = NSLCD_PAM_PERM_DENIED;
+			goto done;
+		}
 		/* root user requesting pwmod, convert uid to dn */
 		pi.ispwdmgr = 1;
 		rc = pam_uid2dn(ni, op, &pi);