On Tue, 2013-05-07 at 11:44 -0700, Andrew Ayer wrote:
> Perhaps a lightweight ACL syntax like:
> 
>       allow|deny MAP from user USER|group GROUP|all
[...]

That seems an interesting approach, especially when combined with the
attribute mapping. It will be some work to implement though so don't
hold your breath ;)

> > As a quick fix I could also make a patch that also returns the shadow
> > information to requests from processes with group shadow. Such a patch
> > could perhaps be considered for wheezy (if approved by the stable
> > release team).
> 
> That seems like a nice quick fix.

Attached is a patch that should work for 0.8.10-4.

Note that getting the client credentials works on most platforms except
GNU Hurd (and Solaris 8).

Thanks,

-- 
-- arthur - [email protected] - http://people.debian.org/~adejong --
Description: Allow shadow lookups for group shadow
 This allows shadow lookups by any process with group id shadow in addition to
 shadow lookups by the root user.
 .
 This is Debian specific because it hard-codes the shadow group id to 42.
Author: Arthur de Jong <[email protected]>
Bug-Debian: http://bugs.debian.org/706913
Forwarded: not-needed

--- a/nslcd/nslcd.c
+++ b/nslcd/nslcd.c
@@ -380,6 +380,9 @@ static int read_header(TFILE *fp,int32_t
   return 0;
 }
 
+/* Debian specific !!! */
+#define GID_SHADOW 42
+
 /* read a request message, returns <0 in case of errors,
    this function closes the socket */
 static void handleconnection(int sock,MYLDAP_SESSION *session)
@@ -441,9 +444,9 @@ static void handleconnection(int sock,MY
     case NSLCD_ACTION_SERVICE_BYNAME:   (void)nslcd_service_byname(fp,session); break;
     case NSLCD_ACTION_SERVICE_BYNUMBER: (void)nslcd_service_bynumber(fp,session); break;
     case NSLCD_ACTION_SERVICE_ALL:      (void)nslcd_service_all(fp,session); break;
-    case NSLCD_ACTION_SHADOW_BYNAME:    if (uid==0) (void)nslcd_shadow_byname(fp,session);
+    case NSLCD_ACTION_SHADOW_BYNAME:    if ((uid==0)||(gid==GID_SHADOW)) (void)nslcd_shadow_byname(fp,session);
                                         else log_log(LOG_DEBUG,"denied shadow request by non-root user"); break;
-    case NSLCD_ACTION_SHADOW_ALL:       if (uid==0) (void)nslcd_shadow_all(fp,session);
+    case NSLCD_ACTION_SHADOW_ALL:       if ((uid==0)||(gid==GID_SHADOW)) (void)nslcd_shadow_all(fp,session);
                                         else log_log(LOG_DEBUG,"denied shadow request by non-root user"); break;
     case NSLCD_ACTION_PAM_AUTHC:        (void)nslcd_pam_authc(fp,session,uid); break;
     case NSLCD_ACTION_PAM_AUTHZ:        (void)nslcd_pam_authz(fp,session); break;

Attachment: signature.asc
Description: This is a digitally signed message part

Reply via email to