authorJan Zeleny <jzeleny@redhat.com>2012-06-22 08:26:46 -0400
committerStephen Gallagher <sgallagh@redhat.com>2012-06-25 07:36:40 -0400
commit538006b5ebead2198a2ca7aa082873c772472a99 (patch)
treea38fa1a7ccf122f46eba7a22a9964ab417a492f3
parent065771c9859df9c4137daa5187be3aa5633b3cd5 (diff)
SELinux user maps: pick just one map
This patch modifies the behavior of SSSD when putting together the content of the file for pam_selinux. SSSD will now pick only the first user map in the priority list which matches the user logging in. Other maps are ignored. https://fedorahosted.org/sssd/ticket/1360
-rw-r--r--src/responder/pam/pamsrv_cmd.c23
1 files changed, 11 insertions, 12 deletions
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 2d0324e5b..20de738fc 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -461,12 +461,6 @@ static errno_t get_selinux_string(struct pam_auth_req *preq)
goto done;
}
} else {
- file_content = talloc_strdup(tmp_ctx, "");
- if (file_content == NULL) {
- ret = ENOMEM;
- goto done;
- }
-
/* Iterate through the order array and try to find SELinux users
* in fetched maps. The order array contains all SELinux users
* allowed in the domain in the same order they should appear
@@ -484,8 +478,11 @@ static errno_t get_selinux_string(struct pam_auth_req *preq)
tmp_str = sss_selinux_map_get_seuser(usermaps[j]);
if (tmp_str && !strcasecmp(tmp_str, order_array[i])) {
- file_content = talloc_asprintf_append(file_content, "%s\n",
- tmp_str);
+ /* If file_content contained something, overwrite it.
+ * This record has higher priority.
+ */
+ talloc_zfree(file_content);
+ file_content = talloc_strdup(tmp_ctx, tmp_str);
if (file_content == NULL) {
ret = ENOMEM;
goto done;
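Review bot: The `talloc_zfree(file_content)` added before the `talloc_strdup` is only safe if `file_content` is NULL or a valid talloc pointer when the first match is found; the `talloc_strdup(tmp_ctx, "")` that previously guaranteed this in the else-branch is removed in the first hunk, so the new code now depends on `file_content` being initialized to NULL at its declaration, which is outside this hunk and worth confirming, since freeing an indeterminate pointer is undefined behavior. The overwrite semantics also mean the match reached last in the `order_array` walk is the one kept, whereas the commit message says the "first" map in the priority list is picked; if the loop runs forward as the new comment implies, state the direction explicitly, e.g. `/* order_array is walked from lowest to highest priority, so a later match replaces an earlier one: the last match wins. */`. The enclosing loops and get_selinux_string itself start and end outside this hunk.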
@@ -496,10 +493,12 @@ static errno_t get_selinux_string(struct pam_auth_req *preq)
}
}
- len = strlen(file_content);
- if (len > 0) {
- ret = pam_add_response(pd, SSS_PAM_SELINUX_MAP, len,
- (uint8_t *)file_content);
+ if (file_content) {
+ len = strlen(file_content);
+ if (len > 0) {
+ ret = pam_add_response(pd, SSS_PAM_SELINUX_MAP, len,
+ (uint8_t *)file_content);
+ }
}
done:
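Review bot: The no-match path leaves `ret` untouched: when `file_content` is NULL or empty the new block skips pam_add_response and falls through to `done:` with whatever `ret` held before, and nothing in this hunk shows it being set to EOK, so a user with no matching map may return a stale value from an earlier step — worth confirming above the hunk. Since both the NULL and the empty-string cases end the same way, the two-level nest can be a single guard, `if (file_content && *file_content != '\0') {` followed by `len = strlen(file_content);` and the existing pam_add_response call, which reads as one "have something to send" condition rather than two distinct outcomes. get_selinux_string continues past this hunk.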