Diffstat (limited to 'go/src/nshd/nslcd_backend')
-rw-r--r-- | go/src/nshd/nslcd_backend/db_config.go | 5 | ||||
-rw-r--r-- | go/src/nshd/nslcd_backend/db_group.go | 11 | ||||
-rw-r--r-- | go/src/nshd/nslcd_backend/db_pam.go | 17 | ||||
-rw-r--r-- | go/src/nshd/nslcd_backend/db_passwd.go | 9 | ||||
-rw-r--r-- | go/src/nshd/nslcd_backend/db_shadow.go | 18 |
5 files changed, 43 insertions, 17 deletions
diff --git a/go/src/nshd/nslcd_backend/db_config.go b/go/src/nshd/nslcd_backend/db_config.go
index d00bf02..e59e811 100644
--- a/go/src/nshd/nslcd_backend/db_config.go
+++ b/go/src/nshd/nslcd_backend/db_config.go
@@ -17,11 +17,12 @@
 package nslcd_backend
 import (
+ "context"
+
 p "git.lukeshu.com/go/libnslcd/nslcd_proto"
- s "golang.org/x/sys/unix"
 )
-func (o *Hackers) Config_Get(cred s.Ucred, req p.Request_Config_Get) <-chan p.Config {
+func (o *Hackers) Config_Get(ctx context.Context, req p.Request_Config_Get) <-chan p.Config {
 o.lock.RLock()
 ret := make(chan p.Config)
 go func() {
diff --git a/go/src/nshd/nslcd_backend/db_group.go b/go/src/nshd/nslcd_backend/db_group.go
index 04c7e3b..e6c259b 100644
--- a/go/src/nshd/nslcd_backend/db_group.go
+++ b/go/src/nshd/nslcd_backend/db_group.go
@@ -17,10 +17,11 @@
 package nslcd_backend
 import (
+ "context"
+
 "nshd/util"
 p "git.lukeshu.com/go/libnslcd/nslcd_proto"
- s "golang.org/x/sys/unix"
 )
 func (o *Hackers) groupByName(name string, users bool) p.Group {
@@ -69,7 +70,7 @@ func (o *Hackers) groupByGid(gid int32, users bool) p.Group {
 }
 }
-func (o *Hackers) Group_ByName(cred s.Ucred, req p.Request_Group_ByName) <-chan p.Group {
+func (o *Hackers) Group_ByName(ctx context.Context, req p.Request_Group_ByName) <-chan p.Group {
 o.lock.RLock()
 ret := make(chan p.Group)
 go func() {
@@ -85,7 +86,7 @@ func (o *Hackers) Group_ByName(cred s.Ucred, req p.Request_Group_ByName) <-chan
 return ret
 }
-func (o *Hackers) Group_ByGid(cred s.Ucred, req p.Request_Group_ByGid) <-chan p.Group {
+func (o *Hackers) Group_ByGid(ctx context.Context, req p.Request_Group_ByGid) <-chan p.Group {
 o.lock.RLock()
 ret := make(chan p.Group)
 go func() {
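Review bot: The new `ctx` parameter is accepted but not consulted in the visible lines of Config_Get, which takes `o.lock.RLock()` before starting a goroutine that writes to the unbuffered `ret` channel. If the read lock is only released when that goroutine finishes (its body is outside the hunk), a client that stops reading keeps the lock held and can stall PAM_PwMod, which needs the write lock. Now that a context is available, each send could be written as `select { case ret <- v: case <-ctx.Done(): return }`, assuming the server cancels the context when the connection closes. The same applies to the Group_*, Passwd_* and Shadow_* handlers changed in this commit.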
@@ -102,7 +103,7 @@ func (o *Hackers) Group_ByGid(cred s.Ucred, req p.Request_Group_ByGid) <-chan p.
 }
 // note that the BYMEMBER call returns an empty members list
-func (o *Hackers) Group_ByMember(cred s.Ucred, req p.Request_Group_ByMember) <-chan p.Group {
+func (o *Hackers) Group_ByMember(ctx context.Context, req p.Request_Group_ByMember) <-chan p.Group {
 o.lock.RLock()
 ret := make(chan p.Group)
 go func() {
@@ -123,7 +124,7 @@ func (o *Hackers) Group_ByMember(cred s.Ucred, req p.Request_Group_ByMember) <-c
 return ret
 }
-func (o *Hackers) Group_All(cred s.Ucred, req p.Request_Group_All) <-chan p.Group {
+func (o *Hackers) Group_All(ctx context.Context, req p.Request_Group_All) <-chan p.Group {
 o.lock.RLock()
 ret := make(chan p.Group)
 go func() {
diff --git a/go/src/nshd/nslcd_backend/db_pam.go b/go/src/nshd/nslcd_backend/db_pam.go
index 96a5567..bec3fbf 100644
--- a/go/src/nshd/nslcd_backend/db_pam.go
+++ b/go/src/nshd/nslcd_backend/db_pam.go
@@ -17,6 +17,7 @@
 package nslcd_backend
 import (
+ "context"
 "fmt"
 "os"
@@ -24,7 +25,7 @@ import (
 "nshd/util"
 p "git.lukeshu.com/go/libnslcd/nslcd_proto"
- s "golang.org/x/sys/unix"
+ "git.lukeshu.com/go/libnslcd/nslcd_server"
 "git.lukeshu.com/go/libgnulinux/crypt"
 "git.lukeshu.com/go/libsystemd/sd_daemon"
@@ -71,13 +72,18 @@ func (o *Hackers) canChangePassword(user nshd_files.User, oldpassword string) bo
 // call NSS getspnam(3), which will call our Shadow_ByName()), but
 // pam_ldap.so calls this as a pre-flight check for
 // pam_sm_chauthtok()/PAM_PwMod().
-func (o *Hackers) PAM_Authentication(cred s.Ucred, req p.Request_PAM_Authentication) <-chan p.PAM_Authentication {
+func (o *Hackers) PAM_Authentication(ctx context.Context, req p.Request_PAM_Authentication) <-chan p.PAM_Authentication {
 o.lock.RLock()
 ret := make(chan p.PAM_Authentication)
 go func() {
 defer o.lock.RUnlock()
 defer close(ret)
+ cred, ok := nslcd_server.PeerCredFromContext(ctx)
+ if !ok {
+ return
+ }
+
 if len(req.UserName) == 0 && len(req.Password) == 0 && cred.Uid == 0 {
 // Being called by root; root can do what root
 // wants.
@@ -119,13 +125,18 @@ func (o *Hackers) PAM_Authentication(cred s.Ucred, req p.Request_PAM_Authenticat
 return ret
 }
-func (o *Hackers) PAM_PwMod(cred s.Ucred, req p.Request_PAM_PwMod) <-chan p.PAM_PwMod {
+func (o *Hackers) PAM_PwMod(ctx context.Context, req p.Request_PAM_PwMod) <-chan p.PAM_PwMod {
 ret := make(chan p.PAM_PwMod)
 o.lock.Lock()
 go func() {
 defer o.lock.Unlock()
 defer close(ret)
+ cred, ok := nslcd_server.PeerCredFromContext(ctx)
+ if !ok {
+ return
+ }
+
 uid := o.name2uid(req.UserName)
 if uid < 0 {
 return
diff --git a/go/src/nshd/nslcd_backend/db_passwd.go b/go/src/nshd/nslcd_backend/db_passwd.go
index 535c7e1..7405623 100644
--- a/go/src/nshd/nslcd_backend/db_passwd.go
+++ b/go/src/nshd/nslcd_backend/db_passwd.go
@@ -17,8 +17,9 @@
 package nslcd_backend
 import (
+ "context"
+
 p "git.lukeshu.com/go/libnslcd/nslcd_proto"
- s "golang.org/x/sys/unix"
 )
 /* Note that the output password hash value should be one of:
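Review bot: The `if !ok { return }` guard added at the top of the goroutine in PAM_Authentication fails closed, but it does so silently: the channel is closed with no reply and nothing is recorded. For an authentication handler, a request that arrives without peer credentials most likely points to a wiring fault in the server, so it is worth logging before returning and stating the intent in a comment such as `// no peer credentials on ctx: deny by sending no reply`. How the PAM client treats an empty reply is not visible here and should be confirmed to be a denial. The same guard appears in PAM_PwMod in the next hunk and in Shadow_ByName and Shadow_All in db_shadow.go.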
@@ -34,7 +35,7 @@ import (
 in", but fails to authorize; passing the buck to the next database. */
-func (o *Hackers) Passwd_ByName(cred s.Ucred, req p.Request_Passwd_ByName) <-chan p.Passwd {
+func (o *Hackers) Passwd_ByName(ctx context.Context, req p.Request_Passwd_ByName) <-chan p.Passwd {
 o.lock.RLock()
 ret := make(chan p.Passwd)
 go func() {
@@ -52,7 +53,7 @@ func (o *Hackers) Passwd_ByName(cred s.Ucred, req p.Request_Passwd_ByName) <-cha
 return ret
 }
-func (o *Hackers) Passwd_ByUID(cred s.Ucred, req p.Request_Passwd_ByUID) <-chan p.Passwd {
+func (o *Hackers) Passwd_ByUID(ctx context.Context, req p.Request_Passwd_ByUID) <-chan p.Passwd {
 o.lock.RLock()
 ret := make(chan p.Passwd)
 go func() {
@@ -70,7 +71,7 @@ func (o *Hackers) Passwd_ByUID(cred s.Ucred, req p.Request_Passwd_ByUID) <-chan
 return ret
 }
-func (o *Hackers) Passwd_All(cred s.Ucred, req p.Request_Passwd_All) <-chan p.Passwd {
+func (o *Hackers) Passwd_All(ctx context.Context, req p.Request_Passwd_All) <-chan p.Passwd {
 o.lock.RLock()
 ret := make(chan p.Passwd)
 go func() {
diff --git a/go/src/nshd/nslcd_backend/db_shadow.go b/go/src/nshd/nslcd_backend/db_shadow.go
index ab1d68f..6cf6dbc 100644
--- a/go/src/nshd/nslcd_backend/db_shadow.go
+++ b/go/src/nshd/nslcd_backend/db_shadow.go
@@ -17,17 +17,24 @@
 package nslcd_backend
 import (
+ "context"
+
 p "git.lukeshu.com/go/libnslcd/nslcd_proto"
- s "golang.org/x/sys/unix"
+ "git.lukeshu.com/go/libnslcd/nslcd_server"
 )
-func (o *Hackers) Shadow_ByName(cred s.Ucred, req p.Request_Shadow_ByName) <-chan p.Shadow {
+func (o *Hackers) Shadow_ByName(ctx context.Context, req p.Request_Shadow_ByName) <-chan p.Shadow {
 o.lock.RLock()
 ret := make(chan p.Shadow)
 go func() {
 defer o.lock.RUnlock()
 defer close(ret)
+ cred, ok := nslcd_server.PeerCredFromContext(ctx)
+ if !ok {
+ return
+ }
+
 if cred.Uid != 0 {
 return
 }
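Review bot: In Shadow_ByName the new `if !ok { return }` block is followed immediately by the existing `if cred.Uid != 0 { return }`, so two adjacent guards now express one rule: only a peer known to be root receives shadow entries. Folding them into `if !ok || cred.Uid != 0 { return }` with a comment like `// shadow data is root-only; an unknown peer counts as non-root` keeps the access check in one place and makes it harder for a later edit to drop one half. Shadow_All in the next hunk has the same pair. The function body continues outside the hunk.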
@@ -48,13 +55,18 @@ func (o *Hackers) Shadow_ByName(cred s.Ucred, req p.Request_Shadow_ByName) <-cha
 return ret
 }
-func (o *Hackers) Shadow_All(cred s.Ucred, req p.Request_Shadow_All) <-chan p.Shadow {
+func (o *Hackers) Shadow_All(ctx context.Context, req p.Request_Shadow_All) <-chan p.Shadow {
 o.lock.RLock()
 ret := make(chan p.Shadow)
 go func() {
 defer o.lock.RUnlock()
 defer close(ret)
+ cred, ok := nslcd_server.PeerCredFromContext(ctx)
+ if !ok {
+ return
+ }
+
 if cred.Uid != 0 {
 return
 }
|