authorJohn Hodrien <J.H.Hodrien@leeds.ac.uk>2011-07-29 10:04:05 -0400
committerStephen Gallagher <sgallagh@redhat.com>2011-08-08 10:29:19 -0400
commitbe82c8f75f195e8415d0afd29265504068792d39 (patch)
tree67e8914c91480fb1319b405ded8cb0225bcd8649
parentb0c10eb7a9aff9063af106cc704ca1260f4024ac (diff)
Add vetoed_shells optionsssd-1.5.1-47.el6
There may be users in LDAP that have a valid but unwelcome shell set in their account. This adds a blacklist of shells that should always be replaced by the fallback_shell.

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>

Prevent segfault if vetoed_shells are specified without allowed_shells
https://fedorahosted.org/sssd/ticket/954
-rw-r--r--src/confdb/confdb.h1
-rw-r--r--src/config/SSSDConfig.py1
-rw-r--r--src/man/sssd.conf.5.xml8
-rw-r--r--src/responder/nss/nsssrv.c4
-rw-r--r--src/responder/nss/nsssrv.h1
-rw-r--r--src/responder/nss/nsssrv_cmd.c44
6 files changed, 44 insertions, 15 deletions
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index c2ae9fcb7..5e50991f3 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -74,6 +74,7 @@
#define CONFDB_NSS_FILTER_GROUPS "filter_groups"
#define CONFDB_NSS_PWFIELD "pwfield"
#define CONFDB_NSS_OVERRIDE_HOMEDIR "override_homedir"
+#define CONFDB_NSS_VETOED_SHELL "vetoed_shells"
#define CONFDB_NSS_ALLOWED_SHELL "allowed_shells"
#define CONFDB_NSS_SHELL_FALLBACK "shell_fallback"
diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py
index 920a8a056..93a108ebd 100644
--- a/src/config/SSSDConfig.py
+++ b/src/config/SSSDConfig.py
@@ -60,6 +60,7 @@ option_strings = {
'pwfield' : _('The value of the password field the NSS provider should return'),
'override_homedir' : _('Override homedir value from the identity provider with this value'),
'allowed_shells' : _('The list of shells users are allowed to log in with'),
+ 'vetoed_shells' : _('The list of shells that will be vetoed, and replaced with the fallback shell'),
'shell_fallback' : _('If a shell stored in central directory is allowed but not available, use this fallback'),
# [pam]
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index b4f384657..e03805561 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -424,6 +424,14 @@
</listitem>
</varlistentry>
<varlistentry>
+ <term>vetoed_shells (string)</term>
+ <listitem>
+ <para>
+ Replace any instance of these shells with the shell_fallback
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
<term>shell_fallback (string)</term>
<listitem>
<para>
diff --git a/src/responder/nss/nsssrv.c b/src/responder/nss/nsssrv.c
index dde2e95ef..cb0acfe13 100644
--- a/src/responder/nss/nsssrv.c
+++ b/src/responder/nss/nsssrv.c
@@ -188,6 +188,10 @@ static int nss_get_config(struct nss_ctx *nctx,
&nctx->allowed_shells);
if (ret != EOK && ret != ENOENT) goto done;
+ ret = confdb_get_string_as_list(cdb, nctx, CONFDB_NSS_CONF_ENTRY,
+ CONFDB_NSS_VETOED_SHELL,
+ &nctx->vetoed_shells);
+ if (ret != EOK && ret != ENOENT) goto done;
ret = nss_get_etc_shells(nctx, &nctx->etc_shells);
if (ret != EOK) goto done;
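Review bot: The vetoed_shells list loaded by the new confdb_get_string_as_list call is applied with a byte-exact strcmp in get_shell_override (the nsssrv_cmd.c hunk), so an account whose shell names the same interpreter by a different spelling (a symlink, an alternate prefix, a trailing slash) would not be caught, and neither this hunk nor the man page entry says the match is verbatim. A comment at the call would make that contract explicit: `/* vetoed_shells entries are matched verbatim against the LDAP shell; no path canonicalisation is done */`. Since this is a blacklist layered under the allowed_shells allowlist, the man page should presumably also state that allowed_shells remains the stronger control and that vetoed entries take precedence over /etc/shells. nss_get_config starts before this hunk and continues past it.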
diff --git a/src/responder/nss/nsssrv.h b/src/responder/nss/nsssrv.h
index f9aff5669..01a2810cd 100644
--- a/src/responder/nss/nsssrv.h
+++ b/src/responder/nss/nsssrv.h
@@ -60,6 +60,7 @@ struct nss_ctx {
char *override_homedir;
char **allowed_shells;
+ char **vetoed_shells;
char **etc_shells;
char *shell_fallback;
};
diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c
index aa1b471d5..2aa7a9126 100644
--- a/src/responder/nss/nsssrv_cmd.c
+++ b/src/responder/nss/nsssrv_cmd.c
@@ -314,26 +314,40 @@ static const char *get_shell_override(TALLOC_CTX *mem_ctx,
user_shell = ldb_msg_find_attr_as_string(msg, SYSDB_SHELL, NULL);
if (!user_shell) return NULL;
- if (!nctx->allowed_shells) return talloc_strdup(mem_ctx, user_shell);
-
- for (i=0; nctx->etc_shells[i]; i++) {
- if (strcmp(user_shell, nctx->etc_shells[i]) == 0) {
- DEBUG(9, ("Shell %s found in /etc/shells\n",
- nctx->etc_shells[i]));
- break;
+ if (!nctx->allowed_shells && !nctx->vetoed_shells) return talloc_strdup(mem_ctx, user_shell);
+
+ if (nctx->vetoed_shells) {
+ for (i=0; nctx->vetoed_shells[i]; i++) {
+ if (strcmp(nctx->vetoed_shells[i], user_shell) == 0) {
+ DEBUG(5, ("The shell '%s' is vetoed. "
+ "Using fallback\n", user_shell));
+ return talloc_strdup(mem_ctx, nctx->shell_fallback);
+ }
}
}
- if (nctx->etc_shells[i]) {
- DEBUG(9, ("Using original shell '%s'\n", user_shell));
- return talloc_strdup(mem_ctx, user_shell);
+ if (nctx->etc_shells) {
+ for (i=0; nctx->etc_shells[i]; i++) {
+ if (strcmp(user_shell, nctx->etc_shells[i]) == 0) {
+ DEBUG(9, ("Shell %s found in /etc/shells\n",
+ nctx->etc_shells[i]));
+ break;
+ }
+ }
+
+ if (nctx->etc_shells[i]) {
+ DEBUG(9, ("Using original shell '%s'\n", user_shell));
+ return talloc_strdup(mem_ctx, user_shell);
+ }
}
- for (i=0; nctx->allowed_shells[i]; i++) {
- if (strcmp(nctx->allowed_shells[i], user_shell) == 0) {
- DEBUG(5, ("The shell '%s' is allowed but does not exist. "
- "Using fallback\n", user_shell));
- return talloc_strdup(mem_ctx, nctx->shell_fallback);
+ if (nctx->allowed_shells) {
+ for (i=0; nctx->allowed_shells[i]; i++) {
+ if (strcmp(nctx->allowed_shells[i], user_shell) == 0) {
+ DEBUG(5, ("The shell '%s' is allowed but does not exist. "
+ "Using fallback\n", user_shell));
+ return talloc_strdup(mem_ctx, nctx->shell_fallback);
+ }
}
}