Commit
ws: Accept upper-case login names for ssh/polkit agent challenges
Identity management domain users are usually case insensitive, in particular the domain part. E. g. with FreeIPA, "user@domain" and "user@DOMAIN" mean exactly the same. With AD, even the user name is case insensitive, and in fact the canonical name starts with an upper case ("Administrator@DOMAIN"). Linux' canonical form (reverse resolution of uids, or `$USER`) is lower-case, though.

This led to a failed "original vs. challenge subject" string comparison in authorize_check_user(), resulting in sessions not getting root privileges.

To fix this, if a direct comparison fails, compare again against the lower-case form of the credential's user name. This avoids having to decode the subject's hex string and thus introducing more protocol assumptions.

Note that native Linux user names are case sensitive, i. e. "user" and "User" are both legitimate and different. This comparison is just a plausibility check for not accidentally logging into a remote machine that has a different user name and spilling the password. It's acceptable to introduce the corner case for auto-logging into remote machines if the remote user name only differs in case.

Revert the workaround for this bug from commit c5ee044, and explicitly test a variation in case.

https://bugzilla.redhat.com/show_bug.cgi?id=1825749

Closes #13934
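The two-step comparison described in the commit message, as an added example that is not the commit's own code. The names `hex_encode_name` and `subject_matches_user` are hypothetical, and the example assumes the challenge subject is the lower-case hex encoding of the user name's bytes.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Hex-encode a user name, optionally lower-casing each byte first.
 * Assumed encoding: lower-case hex digits of the raw bytes. Caller frees. */
static char *
hex_encode_name (const char *name, bool lower)
{
  static const char digits[] = "0123456789abcdef";
  size_t len = strlen (name);
  char *out = malloc (len * 2 + 1);
  if (!out)
    return NULL;
  for (size_t i = 0; i < len; i++)
    {
      unsigned char c = (unsigned char) name[i];
      if (lower)
        c = (unsigned char) tolower (c);
      out[i * 2] = digits[c >> 4];
      out[i * 2 + 1] = digits[c & 0x0f];
    }
  out[len * 2] = '\0';
  return out;
}

/* Plausibility check: does the challenge subject name the credential's user?
 * Only the credential side is lower-cased; the subject is never decoded. */
bool
subject_matches_user (const char *subject_hex, const char *cred_user)
{
  if (!subject_hex || !cred_user)
    return false;
  char *exact = hex_encode_name (cred_user, false);
  bool match = exact && strcmp (subject_hex, exact) == 0;
  if (!match)
    {
      /* Fallback: "Administrator@DOMAIN" vs. Linux' lower-case canonical form */
      char *lowered = hex_encode_name (cred_user, true);
      match = lowered && strcmp (subject_hex, lowered) == 0;
      free (lowered);
    }
  free (exact);
  return match;
}
```

Because only the credential name is lowered, a subject that itself contains upper case matches only the exact same spelling, while a lower-case subject matches any case variant of the credential, which is the corner case the message accepts.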