Diffstat (limited to 'go/src/nshd/nslcd_backend/db_pam.go')
-rw-r--r--go/src/nshd/nslcd_backend/db_pam.go17
1 files changed, 14 insertions, 3 deletions
diff --git a/go/src/nshd/nslcd_backend/db_pam.go b/go/src/nshd/nslcd_backend/db_pam.go
index 96a5567..bec3fbf 100644
--- a/go/src/nshd/nslcd_backend/db_pam.go
+++ b/go/src/nshd/nslcd_backend/db_pam.go
@@ -17,6 +17,7 @@
package nslcd_backend
import (
+ "context"
"fmt"
"os"
@@ -24,7 +25,7 @@ import (
"nshd/util"
p "git.lukeshu.com/go/libnslcd/nslcd_proto"
- s "golang.org/x/sys/unix"
+ "git.lukeshu.com/go/libnslcd/nslcd_server"
"git.lukeshu.com/go/libgnulinux/crypt"
"git.lukeshu.com/go/libsystemd/sd_daemon"
@@ -71,13 +72,18 @@ func (o *Hackers) canChangePassword(user nshd_files.User, oldpassword string) bo
// call NSS getspnam(3), which will call our Shadow_ByName()), but
// pam_ldap.so calls this as a pre-flight check for
// pam_sm_chauthtok()/PAM_PwMod().
-func (o *Hackers) PAM_Authentication(cred s.Ucred, req p.Request_PAM_Authentication) <-chan p.PAM_Authentication {
+func (o *Hackers) PAM_Authentication(ctx context.Context, req p.Request_PAM_Authentication) <-chan p.PAM_Authentication {
o.lock.RLock()
ret := make(chan p.PAM_Authentication)
go func() {
defer o.lock.RUnlock()
defer close(ret)
+ cred, ok := nslcd_server.PeerCredFromContext(ctx)
+ if !ok {
+ return
+ }
+
if len(req.UserName) == 0 && len(req.Password) == 0 && cred.Uid == 0 {
// Being called by root; root can do what root
// wants.
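Review bot: When `PeerCredFromContext` reports `!ok`, the goroutine returns with only the deferred `close(ret)` running, so the caller gets a closed channel with no result and nothing is logged. Failing closed is the right direction, because the `cred.Uid == 0` branch just below grants the root pre-flight path purely on the peer credential. An invisible failure, though, makes a listener that supplies no peer credentials hard to diagnose. I would add a comment such as `// Fail closed: without peer credentials we cannot tell root from other callers.` and emit a warning through whatever logger this file already uses. The same silent return is added to PAM_PwMod in the next hunk, and the body of PAM_Authentication continues past the end of this hunk.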
@@ -119,13 +125,18 @@ func (o *Hackers) PAM_Authentication(cred s.Ucred, req p.Request_PAM_Authenticat
return ret
}
-func (o *Hackers) PAM_PwMod(cred s.Ucred, req p.Request_PAM_PwMod) <-chan p.PAM_PwMod {
+func (o *Hackers) PAM_PwMod(ctx context.Context, req p.Request_PAM_PwMod) <-chan p.PAM_PwMod {
ret := make(chan p.PAM_PwMod)
o.lock.Lock()
go func() {
defer o.lock.Unlock()
defer close(ret)
+ cred, ok := nslcd_server.PeerCredFromContext(ctx)
+ if !ok {
+ return
+ }
+
uid := o.name2uid(req.UserName)
if uid < 0 {
return
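Review bot: The credential lookup runs inside the goroutine, after `o.lock.Lock()` has already been taken, so a request with no peer credentials still waits for and holds the exclusive lock before it is dropped. `PeerCredFromContext` appears to read only `ctx`, so it could run before the lock is acquired and hand back an already-closed channel on failure. The goroutine body continues past the end of this hunk, where `cred` is presumably consulted.

```go
func (o *Hackers) PAM_PwMod(ctx context.Context, req p.Request_PAM_PwMod) <-chan p.PAM_PwMod {
	ret := make(chan p.PAM_PwMod)
	cred, ok := nslcd_server.PeerCredFromContext(ctx)
	if !ok {
		// Fail closed before contending for the write lock.
		close(ret)
		return ret
	}
	o.lock.Lock()
	// … unchanged: goroutine with deferred Unlock/close and the name2uid lookup …
```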