URL: https://github.com/SSSD/sssd/pull/928 Author: pbrezina Title: #928: pam_sss: treat whitespace name as missing name if allow_missing_name is set Action: synchronized
To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/928/head:pr928 git checkout pr928
From 4d454dc2b0aed494709dba9b1fb77cf8e84bc97c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com>
Date: Tue, 5 Nov 2019 14:28:41 +0100
Subject: [PATCH] pam_sss: treat whitespace name as missing name if allow_missing_name is set

Resolves: https://pagure.io/SSSD/sssd/issue/4101
---
 src/sss_client/pam_sss.c | 29 +++++++++++++++++++++++-----
 src/tests/intg/test_pam_responder.py | 27 ++++++++++++++++++++++++++
 2 files changed, 51 insertions(+), 5 deletions(-)

diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index 7643e307ae..d4f0a89174 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -32,6 +32,7 @@
 #include <errno.h>
 #include <locale.h>
 #include <stdbool.h>
+#include <ctype.h>
 #include <security/pam_modules.h>
 #include <security/pam_appl.h>
@@ -1191,6 +1192,23 @@ static int eval_response(pam_handle_t *pamh, size_t buflen, uint8_t *buf,
 return PAM_SUCCESS;
 }
+bool is_string_empty_or_whitespace(const char *str)
+{
+ int i;
+
+ if (str == NULL) {
+ return true;
+ }
+
+ for (i = 0; str[i] != '\0'; i++) {
+ if (!isspace(str[i])) {
+ return false;
+ }
+ }
+
+ return true;
+}
+
 static int get_pam_items(pam_handle_t *pamh, uint32_t flags,
 struct pam_items *pi)
 {
@@ -1215,14 +1233,15 @@ static int get_pam_items(pam_handle_t *pamh, uint32_t flags,
 ret = PAM_SUCCESS;
 }
 if (ret != PAM_SUCCESS) return ret;
- if (pi->pam_user == NULL) {
- if (flags & PAM_CLI_FLAGS_ALLOW_MISSING_NAME) {
+ if (flags & PAM_CLI_FLAGS_ALLOW_MISSING_NAME) {
+ if (is_string_empty_or_whitespace(pi->pam_user)) {
 pi->pam_user = "";
- } else {
- D(("No user found, aborting."));
- return PAM_BAD_ITEM;
 }
 }
+ if (pi->pam_user == NULL) {
+ D(("No user found, aborting."));
+ return PAM_BAD_ITEM;
+ }
 if (strcmp(pi->pam_user, "root") == 0) {
 D(("pam_sss will not handle root."));
 return PAM_USER_UNKNOWN;
diff --git a/src/tests/intg/test_pam_responder.py b/src/tests/intg/test_pam_responder.py
index ad6bec7474..9b5e650cae 100644
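Review bot: In is_string_empty_or_whitespace() the call `isspace(str[i])` passes a plain `char`, and the string is the caller-supplied PAM_USER item, so where `char` is signed any byte above 0x7F (for example inside a UTF-8 user name) reaches isspace() as a negative value, which is undefined behaviour; the check should read `if (!isspace((unsigned char)str[i])) {`. The helper is also defined without `static`, so it gets external linkage, unlike the `static int` functions around it in this file; `static bool is_string_empty_or_whitespace(const char *str)` keeps it file-local. A one-line comment above it, `/* NULL, "" and strings made only of isspace() characters all count as empty. */`, would record the contract that get_pam_items() relies on.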
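Review bot: In the get_pam_items() hunk the new branch replaces a whitespace-only PAM_USER with `""` without leaving any trace, while the other early decisions in the same hunk are reported through `D((...))`. A line such as `D(("Empty or whitespace-only user name, treating it as missing."));` before the assignment would let a debug build show that the supplied name was discarded, which matters when the identity then comes from another source. The two nested `if`s can also be written as one condition, `if ((flags & PAM_CLI_FLAGS_ALLOW_MISSING_NAME) && is_string_empty_or_whitespace(pi->pam_user)) {`. The function body starts and ends outside the hunk.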
--- a/src/tests/intg/test_pam_responder.py
+++ b/src/tests/intg/test_pam_responder.py
@@ -621,6 +621,33 @@ def test_sc_auth_missing_name(simple_pam_cert_auth, env_for_sssctl):
 assert err.find("pam_authenticate for user [user1]: Success") != -1
+def test_sc_auth_missing_name_whitespace(simple_pam_cert_auth, env_for_sssctl):
+ """
+ Test pam_sss allow_missing_name feature.
+ """
+
+ sssctl = subprocess.Popen(["sssctl", "user-checks", " ",
+ "--action=auth",
+ "--service=pam_sss_allow_missing_name"],
+ universal_newlines=True,
+ env=env_for_sssctl, stdin=subprocess.PIPE,
+ stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+
+ try:
+ out, err = sssctl.communicate(input="123456")
+ except:
+ sssctl.kill()
+ out, err = sssctl.communicate()
+
+ sssctl.stdin.close()
+ sssctl.stdout.close()
+
+ if sssctl.wait() != 0:
+ raise Exception("sssctl failed")
+
+ assert err.find("pam_authenticate for user [user1]: Success") != -1
+
+
 def test_sc_auth_name_format(simple_pam_cert_auth_name_format, env_for_sssctl):
 """
 Test that full_name_format is respected with pam_sss allow_missing_name
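Review bot: The bare `except:` around `sssctl.communicate(input="123456")` in test_sc_auth_missing_name_whitespace also catches KeyboardInterrupt and SystemExit and discards the original error, so a failure there only shows up later as "sssctl failed" or a failed assertion. `except Exception:` keeps interrupts working, and re-raising after `sssctl.kill()` would keep the cause visible. The docstring `Test pam_sss allow_missing_name feature.` does not say what distinguishes this case from the existing missing-name test; something like `Test that a whitespace-only user name is treated as a missing name when allow_missing_name is set.` would.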