On Tue, Nov 25, 2014 at 05:55:18PM +0100, Sumit Bose wrote:
> On Mon, Nov 24, 2014 at 04:38:20PM +0100, Jakub Hrozek wrote:
> > Hi,
> >
> > When I was working on https://fedorahosted.org/sssd/ticket/2501 I
> > noticed several things I didn't like. Most importantly, the checks were
> > done in several places -- I think security decisions should be done at
> > one place only ideally so any changes don't miss other calls.
> >
> > I'll be sending other patches soon, but this one is important to get in
> > soon.
> >
> > In particular, the issue would hit when you try to authenticate as a
> > user from a domain that is second on the list. In pam_dom_forwarder, we
> > might change the pd->dom pointer, bypassing the check done previously.
> >
> > Additionally, the restricted domains are only checked if the process is
> > trusted. Shall I split that to a new patch?
> >
> > Please also let me know if the performance implication outlined in the
> > ticket seems like an important one.
>
> ACK
>
> bye,
> Sumit

* master: fb106682e0277955e203ad074a368ddeb121fed3