git.ipfire.org Git - thirdparty/openvpn.git/commit
Fix user's group membership check in interactive service to work with domains
author: Selva Nair <selva.nair@gmail.com>, Sat, 14 Jan 2017 21:16:29 +0000 (16:16 -0500)
committer: Gert Doering <gert@greenie.muc.de>, Mon, 20 Feb 2017 12:22:15 +0000 (13:22 +0100)
commit: a9743bf25e661d66ca7537adfe457e75afc947c4
tree: adde18db58b28b327386f99f26ab96aab3c6f5d3
parent: c4c359736e3ab7f06a21f1eab09e6fd4cf2bef2f
Fix user's group membership check in interactive service to work with domains

Currently the username unqualified by the domain is used to validate
a user, which fails for domain users. Instead, authorize the user

(i) if the built-in admin group or ovpn_admin group is in the process token
(ii) else if the user's SID is in the built-in admin or ovpn_admin groups

The second check is needed to recognize dynamic updates to group membership
on the local machine that will not be reflected in the token.

These checks do not require a connection to a domain controller and will
work even when the user is logged in with cached credentials.

Trac: #810

v2: include the token check as described above

Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1484428589-7882-1-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13877.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit e82733a1ab78062feca28578fe505b275a2356a6)
src/openvpnserv/interactive.c
src/openvpnserv/validate.c
src/openvpnserv/validate.h
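The two-step authorization the commit message describes, written out as an added PowerShell example that is not OpenVPN's own code: check (i) looks for the built-in Administrators group and the ovpn_admin group in the process token, and check (ii) falls back to the current membership of those local groups, comparing SIDs rather than names so domain-qualified accounts are handled correctly. The local group name 'OpenVPN Administrators' and the function names are assumptions, not taken from the commit.

```powershell
# Added example, not OpenVPN's code: the two-step check from the commit message.
# Assumption: the ovpn_admin group is a local group named 'OpenVPN Administrators'.
$OvpnAdminGroupName = 'OpenVPN Administrators'
$BuiltinAdminsSid   = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

function Get-OvpnAdminSid {
    # Resolve the ovpn_admin group to its SID; $null if the group does not exist.
    $g = Get-LocalGroup -Name $OvpnAdminGroupName -ErrorAction SilentlyContinue
    if ($g) { return $g.SID } else { return $null }
}

function Test-OvpnAdminByToken {
    # (i) Membership as recorded in the process token at logon. Works for domain
    # users with cached credentials because the token already carries the group SIDs.
    param([Security.Principal.WindowsIdentity]$Identity = [Security.Principal.WindowsIdentity]::GetCurrent())
    $principal = New-Object Security.Principal.WindowsPrincipal($Identity)
    $adminSid  = New-Object Security.Principal.SecurityIdentifier($BuiltinAdminsSid)
    if ($principal.IsInRole($adminSid)) { return $true }
    $ovpnSid = Get-OvpnAdminSid
    return ($null -ne $ovpnSid) -and $principal.IsInRole($ovpnSid)
}

function Test-OvpnAdminByLocalGroup {
    # (ii) Current membership of the local groups, which the token does not reflect
    # when the user was added to a group after logging on. Compare SIDs, not names,
    # so DOMAIN\user and unqualified user entries are treated the same way.
    param([Security.Principal.WindowsIdentity]$Identity = [Security.Principal.WindowsIdentity]::GetCurrent())
    $userSid   = $Identity.User.Value
    $groupSids = @($BuiltinAdminsSid)
    $ovpnSid   = Get-OvpnAdminSid
    if ($ovpnSid) { $groupSids += $ovpnSid.Value }
    foreach ($sid in $groupSids) {
        $members = Get-LocalGroupMember -SID $sid -ErrorAction SilentlyContinue
        if ($members | Where-Object { $_.SID.Value -eq $userSid }) { return $true }
    }
    return $false
}

function Test-OvpnAdmin {
    # Authorize if either check passes; fail closed otherwise.
    if (Test-OvpnAdminByToken) { return $true }
    return [bool](Test-OvpnAdminByLocalGroup)
}

Test-OvpnAdmin
```

Unlike the check the commit describes, Get-LocalGroupMember may attempt to resolve member names through the domain, so with errors suppressed an unreachable domain controller can make check (ii) return $false; the result is fail-closed rather than a false authorization.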