author | John Hodrien <J.H.Hodrien@leeds.ac.uk> | 2011-07-29 10:04:05 -0400 |
---|---|---|
committer | Stephen Gallagher <sgallagh@redhat.com> | 2011-08-02 07:47:59 -0400 |
commit | 6daf03f2597d6a0177cac74dbfcdd502521cf2e2 (patch) | |
tree | 976c28b75f130262cf7804139410ebeb0346beff /src/responder | |
parent | 7afe9f88aa7fb2f04d9ae5fbe6bed8890dfd5e9a (diff) | |
Add vetoed_shells option
There may be users in LDAP that have a valid but unwelcome shell
set in their account. This adds a blacklist of shells that should
always be replaced by the fallback_shell.
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
Diffstat (limited to 'src/responder')
-rw-r--r-- | src/responder/nss/nsssrv.c | 4 | ||||
-rw-r--r-- | src/responder/nss/nsssrv.h | 1 | ||||
-rw-r--r-- | src/responder/nss/nsssrv_cmd.c | 13 |
3 files changed, 17 insertions, 1 deletions
diff --git a/src/responder/nss/nsssrv.c b/src/responder/nss/nsssrv.c
index dde2e95ef..cb0acfe13 100644
--- a/src/responder/nss/nsssrv.c
+++ b/src/responder/nss/nsssrv.c
@@ -188,6 +188,10 @@ static int nss_get_config(struct nss_ctx *nctx,
 &nctx->allowed_shells);
 if (ret != EOK && ret != ENOENT) goto done;
+ ret = confdb_get_string_as_list(cdb, nctx, CONFDB_NSS_CONF_ENTRY,
+ CONFDB_NSS_VETOED_SHELL,
+ &nctx->vetoed_shells);
+ if (ret != EOK && ret != ENOENT) goto done;
 ret = nss_get_etc_shells(nctx, &nctx->etc_shells);
 if (ret != EOK) goto done;
diff --git a/src/responder/nss/nsssrv.h b/src/responder/nss/nsssrv.h
index f9aff5669..01a2810cd 100644
--- a/src/responder/nss/nsssrv.h
+++ b/src/responder/nss/nsssrv.h
@@ -60,6 +60,7 @@ struct nss_ctx {
 char *override_homedir;
 char **allowed_shells;
+ char **vetoed_shells;
 char **etc_shells;
 char *shell_fallback;
 };
diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c
index aa1b471d5..415e7a31a 100644
--- a/src/responder/nss/nsssrv_cmd.c
+++ b/src/responder/nss/nsssrv_cmd.c
@@ -314,7 +314,18 @@ static const char *get_shell_override(TALLOC_CTX *mem_ctx,
 user_shell = ldb_msg_find_attr_as_string(msg, SYSDB_SHELL, NULL);
 if (!user_shell) return NULL;
- if (!nctx->allowed_shells) return talloc_strdup(mem_ctx, user_shell);
+ if (!nctx->allowed_shells && !nctx->vetoed_shells) return talloc_strdup(mem_ctx, user_shell);
+
+ if (nctx->vetoed_shells)
+ {
+ for (i=0; nctx->vetoed_shells[i]; i++) {
+ if (strcmp(nctx->vetoed_shells[i], user_shell) == 0) {
+ DEBUG(5, ("The shell '%s' is vetoed. "
+ "Using fallback\n", user_shell));
+ return talloc_strdup(mem_ctx, nctx->shell_fallback);
+ }
+ }
+ }
 for (i=0; nctx->etc_shells[i]; i++) {
 if (strcmp(user_shell, nctx->etc_shells[i]) == 0) { |
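Review bot: In the nsssrv_cmd.c hunk, relaxing the early return to `!nctx->allowed_shells && !nctx->vetoed_shells` means a configuration that sets only `vetoed_shells` now runs the remainder of get_shell_override, which continues outside this hunk; if a later loop walks `nctx->allowed_shells` the way the visible `etc_shells` loop walks its list, it would dereference NULL for any user whose shell is neither vetoed nor found in /etc/shells, so that loop should be wrapped in `if (nctx->allowed_shells) { ... }`. In the vetoed branch `nctx->shell_fallback` is handed to `talloc_strdup` unchecked; its initialisation is not visible here, but if it can be unset the function returns NULL, the same value the first lines of the hunk return for a user with no shell attribute, and the veto then depends entirely on how the caller treats a missing shell. I would make that case explicit, e.g. `if (!nctx->shell_fallback) return talloc_strdup(mem_ctx, "<non-login shell path>");` before the existing return. The match is an exact `strcmp`, so a comment above the loop such as `/* entries are compared byte for byte with the stored shell attribute; no path normalisation */` would tell administrators that a differently spelled path to the same binary is not covered.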