
nss-pam-ldapd commit: r1634 - in nss-pam-ldapd: . man nslcd


nss-pam-ldapd commit: r1634 - in nss-pam-ldapd: . man nslcd



Author: arthur
Date: Tue Mar 13 19:29:28 2012
New Revision: 1634
URL: http://arthurdejong.org/viewvc/nss-pam-ldapd?revision=1634&view=revision

Log:
make whether or not to do case-sensitive filtering configurable (patch by
Matthew L. Dailey)

Modified:
   nss-pam-ldapd/AUTHORS
   nss-pam-ldapd/man/nslcd.conf.5.xml
   nss-pam-ldapd/nslcd/cfg.c
   nss-pam-ldapd/nslcd/cfg.h
   nss-pam-ldapd/nslcd/common.h
   nss-pam-ldapd/nslcd/group.c
   nss-pam-ldapd/nslcd/netgroup.c
   nss-pam-ldapd/nslcd/passwd.c
   nss-pam-ldapd/nslcd/protocol.c
   nss-pam-ldapd/nslcd/rpc.c
   nss-pam-ldapd/nslcd/service.c
   nss-pam-ldapd/nslcd/shadow.c

Modified: nss-pam-ldapd/AUTHORS
==============================================================================
--- nss-pam-ldapd/AUTHORS       Tue Mar 13 19:03:25 2012        (r1633)
+++ nss-pam-ldapd/AUTHORS       Tue Mar 13 19:29:28 2012        (r1634)
@@ -116,3 +116,4 @@
 Jeroen Schot <schot@A-Eskwadraat.nl>
 Tom Judge <tom@tomjudge.com>
 Maxim Vetrov <muxas@mail.ru>
+Matthew L. Dailey <matthew.l.dailey@dartmouth.edu>

Modified: nss-pam-ldapd/man/nslcd.conf.5.xml
==============================================================================
--- nss-pam-ldapd/man/nslcd.conf.5.xml  Tue Mar 13 19:03:25 2012        (r1633)
+++ nss-pam-ldapd/man/nslcd.conf.5.xml  Tue Mar 13 19:29:28 2012        (r1634)
@@ -702,6 +702,22 @@
      </listitem>
     </varlistentry>
 
+    <varlistentry id="ignorecase">
+     <term><option>ignorecase</option> yes|no</term>
+     <listitem>
+      <para>
+       This specifies whether or not to perform searches for group,
+       netgroup, passwd, protocols, rpc, services and shadow maps using
+       case-insensitive matching.
+       Setting this to <literal>yes</literal> could open up the system
+       to authorisation vulnerabilities and introduce nscd cache poisoning
+       vulnerabilities which allow denial of service.
+       The default is to perform case-sensitve filtering of LDAP search
+       results for the above maps.
+      </para>
+     </listitem>
+    </varlistentry>
+
     <varlistentry id="pam_authz_search">
      <term><option>pam_authz_search</option>
            <replaceable>FILTER</replaceable></term>

Modified: nss-pam-ldapd/nslcd/cfg.c
==============================================================================
--- nss-pam-ldapd/nslcd/cfg.c   Tue Mar 13 19:03:25 2012        (r1633)
+++ nss-pam-ldapd/nslcd/cfg.c   Tue Mar 13 19:29:28 2012        (r1634)
@@ -89,6 +89,7 @@
   cfg->ldc_threads=5;
   cfg->ldc_uid=NOUID;
   cfg->ldc_gid=NOGID;
+  cfg->ldc_ignorecase=0;
   for (i=0;i<(NSS_LDAP_CONFIG_URI_MAX+1);i++)
   {
     cfg->ldc_uris[i].uri=NULL;
@@ -863,6 +864,11 @@
       get_gid(filename,lnr,keyword,&line,&cfg->ldc_gid);
       get_eol(filename,lnr,keyword,&line);
     }
+    else if (strcasecmp(keyword,"ignorecase")==0)
+    {
+      get_boolean(filename,lnr,keyword,&line,&cfg->ldc_ignorecase);
+      get_eol(filename,lnr,keyword,&line);
+    }
     /* general connection options */
     else if (strcasecmp(keyword,"uri")==0)
     {
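Review bot: The new `ignorecase` keyword is accepted silently, although the man page added in this same commit warns that enabling it can open authorisation holes and nscd cache-poisoning issues; an operator has no startup indication that the less safe matching mode is active. After the `get_eol` call I would add `if (cfg->ldc_ignorecase) log_log(LOG_NOTICE,"%s:%d: ignorecase enabled, name matching is case-insensitive",filename,lnr);` so it shows up in the daemon log. I am inferring log_log's printf-style signature from the `log_log(LOG_WARNING,"%s: %s: ...",...)` call visible in the group.c hunk of this commit; adjust if cfg.c uses a different logging helper. The enclosing config-parsing function starts and ends outside this hunk.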

Modified: nss-pam-ldapd/nslcd/cfg.h
==============================================================================
--- nss-pam-ldapd/nslcd/cfg.h   Tue Mar 13 19:03:25 2012        (r1633)
+++ nss-pam-ldapd/nslcd/cfg.h   Tue Mar 13 19:29:28 2012        (r1634)
@@ -86,6 +86,8 @@
   uid_t ldc_uid;
   /* the group id nslcd should be run as */
   gid_t ldc_gid;
+  /* whether or not case should be ignored in lookups */
+  int ldc_ignorecase;
   /* NULL terminated list of URIs */
   struct myldap_uri ldc_uris[NSS_LDAP_CONFIG_URI_MAX+1];
   /* protocol version */

Modified: nss-pam-ldapd/nslcd/common.h
==============================================================================
--- nss-pam-ldapd/nslcd/common.h        Tue Mar 13 19:03:25 2012        (r1633)
+++ nss-pam-ldapd/nslcd/common.h        Tue Mar 13 19:29:28 2012        (r1634)
@@ -265,4 +265,10 @@
     return 0; \
   }
 
+/* macro to compare strings
+   Use the ignorecase config option to determine whether or not to do a
+   case-sensitive match */
+#define STR_CMP(str1,str2) \
+  (nslcd_cfg->ldc_ignorecase == 1 ? strcasecmp(str1,str2) : strcmp(str1,str2))
+
 #endif /* not NSLCD__COMMON_H */
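Review bot: STR_CMP only switches to strcasecmp when `nslcd_cfg->ldc_ignorecase == 1`, which couples the macro to the exact integer get_boolean stores for "yes" (not visible here); testing truthiness and parenthesising the arguments is more robust: `#define STR_CMP(str1,str2) \` / `(nslcd_cfg->ldc_ignorecase ? strcasecmp((str1),(str2)) : strcmp((str1),(str2)))`. Since this is a header pulled into every map module, make sure <strings.h> (where strcasecmp is declared, unlike strcmp in <string.h>) is included by common.h itself rather than relying on each .c file having it. It is also worth a comment that strcasecmp folds case according to the current LC_CTYPE locale, so matching results can differ if nslcd is ever started under a non-C locale; that caveat reinforces keeping the default at `ignorecase no`.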

Modified: nss-pam-ldapd/nslcd/group.c
==============================================================================
--- nss-pam-ldapd/nslcd/group.c Tue Mar 13 19:03:25 2012        (r1633)
+++ nss-pam-ldapd/nslcd/group.c Tue Mar 13 19:29:28 2012        (r1634)
@@ -187,7 +187,7 @@
       log_log(LOG_WARNING,"%s: %s: denied by validnames option",
                           myldap_get_dn(entry),attmap_group_cn);
     }
-    else if ((reqname==NULL)||(strcmp(reqname,names[i])==0))
+    else if ((reqname==NULL)||(STR_CMP(reqname,names[i])==0))
     {
       for (j=0;j<numgids;j++)
       {

Modified: nss-pam-ldapd/nslcd/netgroup.c
==============================================================================
--- nss-pam-ldapd/nslcd/netgroup.c      Tue Mar 13 19:03:25 2012        (r1633)
+++ nss-pam-ldapd/nslcd/netgroup.c      Tue Mar 13 19:29:28 2012        (r1634)
@@ -220,7 +220,7 @@
                         myldap_get_dn(entry),attmap_netgroup_cn);
     return 0;
   }
-  for (i=0;(names[i]!=NULL)&&(strcmp(reqname,names[i])!=0);i++)
+  for (i=0;(names[i]!=NULL)&&(STR_CMP(reqname,names[i])!=0);i++)
     /* nothing here */ ;
   if (names[i]==NULL)
     return 0; /* the name was not found */

Modified: nss-pam-ldapd/nslcd/passwd.c
==============================================================================
--- nss-pam-ldapd/nslcd/passwd.c        Tue Mar 13 19:03:25 2012        (r1633)
+++ nss-pam-ldapd/nslcd/passwd.c        Tue Mar 13 19:29:28 2012        (r1634)
@@ -556,7 +556,7 @@
   attmap_get_value(entry,attmap_passwd_loginShell,shell,sizeof(shell));
   /* write the entries */
   for (i=0;usernames[i]!=NULL;i++)
-    if ((requser==NULL)||(strcmp(requser,usernames[i])==0))
+    if ((requser==NULL)||(STR_CMP(requser,usernames[i])==0))
     {
       if (!isvalidname(usernames[i]))
       {

Modified: nss-pam-ldapd/nslcd/protocol.c
==============================================================================
--- nss-pam-ldapd/nslcd/protocol.c      Tue Mar 13 19:03:25 2012        (r1633)
+++ nss-pam-ldapd/nslcd/protocol.c      Tue Mar 13 19:29:28 2012        (r1634)
@@ -123,9 +123,9 @@
   if (name==NULL)
     name=aliases[0];
   /* check case of returned protocol entry */
-  if ((reqname!=NULL)&&(strcmp(reqname,name)!=0))
+  if ((reqname!=NULL)&&(STR_CMP(reqname,name)!=0))
   {
-    for (i=0;(aliases[i]!=NULL)&&(strcmp(reqname,aliases[i])!=0);i++)
+    for (i=0;(aliases[i]!=NULL)&&(STR_CMP(reqname,aliases[i])!=0);i++)
       /* nothing here */ ;
     if (aliases[i]==NULL)
       return 0; /* neither the name nor any of the aliases matched */
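Review bot: The context comment `/* check case of returned protocol entry */` directly above the changed condition is now misleading: with `ignorecase yes` the comparison is intentionally case-insensitive, so this block no longer verifies case but verifies that the requested name matches the entry's cn or one of its aliases. Suggest rewording it to `/* check that the returned protocol entry matches the requested name (case-insensitively when ignorecase is set) */`. The same stale comment precedes the identical change in rpc.c and service.c in this commit. The enclosing function starts and ends outside this hunk.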

Modified: nss-pam-ldapd/nslcd/rpc.c
==============================================================================
--- nss-pam-ldapd/nslcd/rpc.c   Tue Mar 13 19:03:25 2012        (r1633)
+++ nss-pam-ldapd/nslcd/rpc.c   Tue Mar 13 19:29:28 2012        (r1634)
@@ -124,9 +124,9 @@
   if (name==NULL)
     name=aliases[0];
   /* check case of returned rpc entry */
-  if ((reqname!=NULL)&&(strcmp(reqname,name)!=0))
+  if ((reqname!=NULL)&&(STR_CMP(reqname,name)!=0))
   {
-    for (i=0;(aliases[i]!=NULL)&&(strcmp(reqname,aliases[i])!=0);i++)
+    for (i=0;(aliases[i]!=NULL)&&(STR_CMP(reqname,aliases[i])!=0);i++)
       /* nothing here */ ;
     if (aliases[i]==NULL)
       return 0; /* neither the name nor any of the aliases matched */

Modified: nss-pam-ldapd/nslcd/service.c
==============================================================================
--- nss-pam-ldapd/nslcd/service.c       Tue Mar 13 19:03:25 2012        (r1633)
+++ nss-pam-ldapd/nslcd/service.c       Tue Mar 13 19:29:28 2012        (r1634)
@@ -152,9 +152,9 @@
   if (name==NULL)
     name=aliases[0];
   /* check case of returned servies entry */
-  if ((reqname!=NULL)&&(strcmp(reqname,name)!=0))
+  if ((reqname!=NULL)&&(STR_CMP(reqname,name)!=0))
   {
-    for (i=0;(aliases[i]!=NULL)&&(strcmp(reqname,aliases[i])!=0);i++)
+    for (i=0;(aliases[i]!=NULL)&&(STR_CMP(reqname,aliases[i])!=0);i++)
       /* nothing here */ ;
     if (aliases[i]==NULL)
       return 0; /* neither the name nor any of the aliases matched */
@@ -196,7 +196,7 @@
   }
   /* write the entries */
   for (i=0;protocols[i]!=NULL;i++)
-    if 
((reqprotocol==NULL)||(*reqprotocol=='\0')||(strcmp(reqprotocol,protocols[i])==0))
+    if 
((reqprotocol==NULL)||(*reqprotocol=='\0')||(STR_CMP(reqprotocol,protocols[i])==0))
     {
       WRITE_INT32(fp,NSLCD_RESULT_BEGIN);
       WRITE_STRING(fp,name);

Modified: nss-pam-ldapd/nslcd/shadow.c
==============================================================================
--- nss-pam-ldapd/nslcd/shadow.c        Tue Mar 13 19:03:25 2012        (r1633)
+++ nss-pam-ldapd/nslcd/shadow.c        Tue Mar 13 19:29:28 2012        (r1634)
@@ -307,7 +307,7 @@
                         &inactdays,&expiredate,&flag);
   /* write the entries */
   for (i=0;usernames[i]!=NULL;i++)
-    if ((requser==NULL)||(strcmp(requser,usernames[i])==0))
+    if ((requser==NULL)||(STR_CMP(requser,usernames[i])==0))
     {
       WRITE_INT32(fp,NSLCD_RESULT_BEGIN);
       WRITE_STRING(fp,usernames[i]);
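Review bot: With `ignorecase` enabled the match on `requser` becomes case-insensitive, but the entry written back via `WRITE_STRING(fp,usernames[i])` is still the LDAP-side spelling, so a lookup for "Root" can return a shadow entry whose name field reads "root". That requested-versus-returned name mismatch is presumably the nscd cache-poisoning scenario the man page in this commit warns about, and it should be stated where the name is written: `/* note: with ignorecase the name returned may differ in case from requser */`. The same applies to the parallel change in passwd.c. The enclosing function starts and ends outside this hunk.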