git.ipfire.org Git - thirdparty/openvpn.git/commit
Fix user's group membership check in interactive service to work with domains
author Selva Nair <selva.nair@gmail.com>
Sat, 14 Jan 2017 21:16:29 +0000 (16:16 -0500)
committer Gert Doering <gert@greenie.muc.de>
Mon, 20 Feb 2017 11:00:09 +0000 (12:00 +0100)
commit e82733a1ab78062feca28578fe505b275a2356a6
tree e9df31ee73ece4be5a99400b67e684187626e4d5
parent 6ddc43d1bf9b3ea3ee5db8c50d56a98fe4db4c97
Fix user's group membership check in interactive service to work with domains

Currently the username unqualified by the domain is used to validate
a user, which fails for domain users. Instead authorize the user

(i) if the built-in admin group or ovpn_admin group is in the process token
(ii) else if the user's SID is in the built-in admin or ovpn_admin groups

The second check is needed to recognize dynamic updates to group membership
on the local machine that will not be reflected in the token.

These checks do not require connection to a domain controller and will
work even when the user is logged in with cached credentials.

Trac: #810

v2: include the token check as described above

Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1484428589-7882-1-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13877.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
src/openvpnserv/interactive.c
src/openvpnserv/validate.c
src/openvpnserv/validate.h
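The two-step authorization the commit message describes (group SID present in the process token, else user SID listed as a member of the group) can be reproduced from the administrator's side to check what the service would decide for a given logon. The following PowerShell is an added example written for this page; it is not OpenVPN's own code and does not mirror the C in interactive.c or validate.c. It assumes the well-known SID S-1-5-32-544 for BUILTIN\Administrators, takes the group name ovpn_admin from the commit message, and relies on the Microsoft.PowerShell.LocalAccounts cmdlets (Get-LocalGroup, Get-LocalGroupMember), which are available on Windows 10 and Server 2016 and later.

```powershell
# Added example, not OpenVPN project code. Reproduces the commit's logic:
#   (i)  authorize if an admin group SID is in the process token,
#   (ii) else authorize if the user's SID is a member of that local group.
# Both checks compare SIDs, never unqualified user names, so they behave the
# same for local and domain accounts and need no domain controller.

$builtinAdminSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators
$ovpnGroupName   = 'ovpn_admin'     # group name taken from the commit message

$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$userSid  = $identity.User.Value

# Collect the SIDs of the groups we are willing to authorize.
$wantedSids = @($builtinAdminSid)
$ovpnGroup = Get-LocalGroup -Name $ovpnGroupName -ErrorAction SilentlyContinue
if ($ovpnGroup) { $wantedSids += $ovpnGroup.SID.Value }

# Check (i): is one of those group SIDs present in the process token?
# $identity.Groups exposes the enabled group SIDs of the token.
$tokenGroupSids = @($identity.Groups | ForEach-Object { $_.Value })
$inToken = $false
foreach ($sid in $wantedSids) {
    if ($tokenGroupSids -contains $sid) { $inToken = $true }
}

# Check (ii): only if the token says no, look at the current local group
# membership, which picks up membership added after the token was built.
$inGroup = $false
if (-not $inToken) {
    foreach ($sid in $wantedSids) {
        $members = Get-LocalGroupMember -SID $sid -ErrorAction SilentlyContinue
        foreach ($m in $members) {
            if ($m.SID.Value -eq $userSid) { $inGroup = $true }
        }
    }
}

$authorized = $inToken -or $inGroup
[pscustomobject]@{
    User       = $identity.Name
    UserSid    = $userSid
    InToken    = $inToken
    InGroup    = $inGroup
    Authorized = $authorized
}
```

Two points worth knowing when reading the result. Under UAC, a non-elevated process of an administrator carries the Administrators SID in its token as deny-only, and .NET's WindowsIdentity.Groups does not list deny-only groups, so check (i) may report false there and check (ii) decides, which matches the fallback the commit adds. Get-LocalGroupMember enumerates direct members only; a domain user who is an administrator solely through a nested domain group will be seen by check (i) (the nested group SID is in the token) but not by check (ii).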