On Mon, Nov 24, 2014 at 04:38:20PM +0100, Jakub Hrozek wrote: > Hi, > > When I was working on https://fedorahosted.org/sssd/ticket/2501 I > noticed several things I didn't like. Most importnantly, the checks were > done on several places -- I think security decisions should be done at > one place only ideally so any changes don't miss other calls. > > I'll be sending other patches soon, but this one is important to get in > soon. > > In particular, the issue would hit when you try to authenticate as a > user from a domain that is second on the list. In pam_dom_forwarder, we > might change the pd->dom pointer, bypassing the check done previously. > > Additionally, the restricted domains are only checked if the process is > trusted. Shall I split that to a new patch? > > Please also let me know if the performance implication outlined in the > ticket seems like an important one.
ACK bye, Sumit _______________________________________________ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
