Diffstat (limited to 'go/src/nshd/nslcd_backend/db_pam.go')
-rw-r--r-- | go/src/nshd/nslcd_backend/db_pam.go | 17 |
1 files changed, 14 insertions, 3 deletions
diff --git a/go/src/nshd/nslcd_backend/db_pam.go b/go/src/nshd/nslcd_backend/db_pam.go
index 96a5567..bec3fbf 100644
--- a/go/src/nshd/nslcd_backend/db_pam.go
+++ b/go/src/nshd/nslcd_backend/db_pam.go
@@ -17,6 +17,7 @@ package nslcd_backend
 import (
+	"context"
 	"fmt"
 	"os"
@@ -24,7 +25,7 @@ import (
 	"nshd/util"
 	p "git.lukeshu.com/go/libnslcd/nslcd_proto"
-	s "golang.org/x/sys/unix"
+	"git.lukeshu.com/go/libnslcd/nslcd_server"
 	"git.lukeshu.com/go/libgnulinux/crypt"
 	"git.lukeshu.com/go/libsystemd/sd_daemon"
@@ -71,13 +72,18 @@ func (o *Hackers) canChangePassword(user nshd_files.User, oldpassword string) bo
 // call NSS getspnam(3), which will call our Shadow_ByName()), but
 // pam_ldap.so calls this as a pre-flight check for
 // pam_sm_chauthtok()/PAM_PwMod().
-func (o *Hackers) PAM_Authentication(cred s.Ucred, req p.Request_PAM_Authentication) <-chan p.PAM_Authentication {
+func (o *Hackers) PAM_Authentication(ctx context.Context, req p.Request_PAM_Authentication) <-chan p.PAM_Authentication {
 	o.lock.RLock()
 	ret := make(chan p.PAM_Authentication)
 	go func() {
 		defer o.lock.RUnlock()
 		defer close(ret)
+		cred, ok := nslcd_server.PeerCredFromContext(ctx)
+		if !ok {
+			return
+		}
+
 		if len(req.UserName) == 0 && len(req.Password) == 0 && cred.Uid == 0 {
 			// Being called by root; root can do what root
 			// wants.
@@ -119,13 +125,18 @@ func (o *Hackers) PAM_Authentication(cred s.Ucred, req p.Request_PAM_Authenticat
 	return ret
 }
-func (o *Hackers) PAM_PwMod(cred s.Ucred, req p.Request_PAM_PwMod) <-chan p.PAM_PwMod {
+func (o *Hackers) PAM_PwMod(ctx context.Context, req p.Request_PAM_PwMod) <-chan p.PAM_PwMod {
 	ret := make(chan p.PAM_PwMod)
 	o.lock.Lock()
 	go func() {
 		defer o.lock.Unlock()
 		defer close(ret)
+		cred, ok := nslcd_server.PeerCredFromContext(ctx)
+		if !ok {
+			return
+		}
+
 		uid := o.name2uid(req.UserName)
 		if uid < 0 {
 			return |
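Review bot: The new `if !ok { return }` in PAM_Authentication silently closes `ret` with no result and no diagnostic when the context carries no peer credentials, and nothing in the hunk says this is intended. Before this change `cred` was a mandatory parameter, so every request reached the `cred.Uid == 0` root check; now the root bypass and the rest of the authentication path are skipped whenever PeerCredFromContext fails, which is the safe (fail-closed) direction but only if the client treats an empty response as a denial — that cannot be confirmed from here. I would at least document the intent on the check, e.g. `// No SO_PEERCRED-style credentials on this connection: fail closed and emit no response rather than fall through to the root/password logic.`, and consider whether a log line (the file already imports sd_daemon) would help when this fires in production. The function's doc comment above could also mention that peer credentials are now taken from ctx rather than passed explicitly. The body of PAM_Authentication continues past the end of this hunk.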