On Tue, 2013-05-07 at 11:44 -0700, Andrew Ayer wrote: > Perhaps a lightweight ACL syntax like: > > allow|deny MAP from user USER|group GROUP|all [...]
That seems an interesting approach, especially when combined with the attribute mapping. It will be some work to implement though so don't hold your breath ;) > > As a quick fix I could also make a patch that also returns the shadow > > information to requests from processes with group shadow. Such a patch > > could perhaps be considered for wheezy (if approved by the stable > > release team). > > That seems like a nice quick fix. Attached is a patch that should work for 0.8.10-4. Note that getting the client credentials works on most platforms except GNU Hurd (and Solaris 8). Thanks, -- -- arthur - [email protected] - http://people.debian.org/~adejong --
Description: Allow shadow lookups for group shadow This allows shadow lookups by any process with group id shadow in addition to shadow lookups by the root user. . This is Debian specific because it hard-codes the shadow group id to 42. Author: Arthur de Jong <[email protected]> Bug-Debian: http://bugs.debian.org/706913 Forwarded: not-needed --- a/nslcd/nslcd.c +++ b/nslcd/nslcd.c @@ -380,6 +380,9 @@ static int read_header(TFILE *fp,int32_t return 0; } +/* Debian specific !!! */ +#define GID_SHADOW 42 + /* read a request message, returns <0 in case of errors, this function closes the socket */ static void handleconnection(int sock,MYLDAP_SESSION *session) @@ -441,9 +444,9 @@ static void handleconnection(int sock,MY case NSLCD_ACTION_SERVICE_BYNAME: (void)nslcd_service_byname(fp,session); break; case NSLCD_ACTION_SERVICE_BYNUMBER: (void)nslcd_service_bynumber(fp,session); break; case NSLCD_ACTION_SERVICE_ALL: (void)nslcd_service_all(fp,session); break; - case NSLCD_ACTION_SHADOW_BYNAME: if (uid==0) (void)nslcd_shadow_byname(fp,session); + case NSLCD_ACTION_SHADOW_BYNAME: if ((uid==0)||(gid==GID_SHADOW)) (void)nslcd_shadow_byname(fp,session); else log_log(LOG_DEBUG,"denied shadow request by non-root user"); break; - case NSLCD_ACTION_SHADOW_ALL: if (uid==0) (void)nslcd_shadow_all(fp,session); + case NSLCD_ACTION_SHADOW_ALL: if ((uid==0)||(gid==GID_SHADOW)) (void)nslcd_shadow_all(fp,session); else log_log(LOG_DEBUG,"denied shadow request by non-root user"); break; case NSLCD_ACTION_PAM_AUTHC: (void)nslcd_pam_authc(fp,session,uid); break; case NSLCD_ACTION_PAM_AUTHZ: (void)nslcd_pam_authz(fp,session); break;
signature.asc
Description: This is a digitally signed message part

