summaryrefslogtreecommitdiffstats
path: root/src/responder
diff options
context:
space:
mode:
Diffstat (limited to 'src/responder')
-rw-r--r--src/responder/nss/nsssrv.c89
-rw-r--r--src/responder/nss/nsssrv.h5
-rw-r--r--src/responder/nss/nsssrv_cmd.c183
3 files changed, 273 insertions, 4 deletions
diff --git a/src/responder/nss/nsssrv.c b/src/responder/nss/nsssrv.c
index dfb0312e8..dde2e95ef 100644
--- a/src/responder/nss/nsssrv.c
+++ b/src/responder/nss/nsssrv.c
@@ -48,6 +48,9 @@
#define DEFAULT_PWFIELD "*"
+#define SHELL_REALLOC_INCREMENT 5
+#define SHELL_REALLOC_MAX 50
+
struct sbus_method monitor_nss_methods[] = {
{ MON_CLI_METHOD_PING, monitor_common_pong },
{ MON_CLI_METHOD_RES_INIT, monitor_common_res_init },
@@ -63,6 +66,71 @@ struct sbus_interface monitor_nss_interface = {
NULL
};
+static errno_t nss_get_etc_shells(TALLOC_CTX *mem_ctx, char ***_shells)
+{
+ int i = 0;
+ char *sh;
+ char **shells = NULL;
+ TALLOC_CTX *tmp_ctx;
+ errno_t ret;
+ int size;
+
+ tmp_ctx = talloc_new(NULL);
+ if (!tmp_ctx) return ENOMEM;
+
+ shells = talloc_array(tmp_ctx, char *, SHELL_REALLOC_INCREMENT);
+ if (!shells) {
+ ret = ENOMEM;
+ goto done;
+ }
+ size = SHELL_REALLOC_INCREMENT;
+
+ setusershell();
+ while ((sh = getusershell())) {
+ shells[i] = talloc_strdup(shells, sh);
+ if (!shells[i]) {
+ endusershell();
+ ret = ENOMEM;
+ goto done;
+ }
+ DEBUG(6, ("Found shell %s in /etc/shells\n", shells[i]));
+ i++;
+
+ if (i == size) {
+ size += SHELL_REALLOC_INCREMENT;
+ if (size > SHELL_REALLOC_MAX) {
+ DEBUG(0, ("Reached maximum number of shells [%d]. "
+ "Users may be denied access. "
+ "Please check /etc/shells for sanity\n",
+ SHELL_REALLOC_MAX));
+ break;
+ }
+ shells = talloc_realloc(NULL, shells, char *,
+ size);
+ if (!shells) {
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+ }
+ endusershell();
+
+ if (i + 1 < size) {
+ shells = talloc_realloc(NULL, shells, char *, i + 1);
+ if (!shells) {
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+ shells[i] = NULL;
+
+ *_shells = talloc_move(mem_ctx, &shells);
+ ret = EOK;
+done:
+ talloc_zfree(tmp_ctx);
+ return ret;
+}
+
static int nss_get_config(struct nss_ctx *nctx,
struct resp_ctx *rctx,
struct confdb_ctx *cdb)
@@ -94,7 +162,7 @@ static int nss_get_config(struct nss_ctx *nctx,
if (ret != EOK) goto done;
if (nctx->cache_refresh_percent < 0 ||
nctx->cache_refresh_percent > 99) {
- DEBUG(0,("Configuration error: entry_cache_nowait_percentage is"
+ DEBUG(0,("Configuration error: entry_cache_nowait_percentage is "
"invalid. Disabling feature.\n"));
nctx->cache_refresh_percent = 0;
}
@@ -110,6 +178,25 @@ static int nss_get_config(struct nss_ctx *nctx,
&nctx->pwfield);
if (ret != EOK) goto done;
+ ret = confdb_get_string(cdb, nctx, CONFDB_NSS_CONF_ENTRY,
+ CONFDB_NSS_OVERRIDE_HOMEDIR, NULL,
+ &nctx->override_homedir);
+ if (ret != EOK) goto done;
+
+ ret = confdb_get_string_as_list(cdb, nctx, CONFDB_NSS_CONF_ENTRY,
+ CONFDB_NSS_ALLOWED_SHELL,
+ &nctx->allowed_shells);
+ if (ret != EOK && ret != ENOENT) goto done;
+
+ ret = nss_get_etc_shells(nctx, &nctx->etc_shells);
+ if (ret != EOK) goto done;
+
+ ret = confdb_get_string(cdb, nctx, CONFDB_NSS_CONF_ENTRY,
+ CONFDB_NSS_SHELL_FALLBACK,
+ CONFDB_DEFAULT_SHELL_FALLBACK,
+ &nctx->shell_fallback);
+ if (ret != EOK) goto done;
+
ret = 0;
done:
talloc_free(tmpctx);
diff --git a/src/responder/nss/nsssrv.h b/src/responder/nss/nsssrv.h
index 062d937fc..f9aff5669 100644
--- a/src/responder/nss/nsssrv.h
+++ b/src/responder/nss/nsssrv.h
@@ -57,6 +57,11 @@ struct nss_ctx {
bool filter_users_in_groups;
char *pwfield;
+
+ char *override_homedir;
+ char **allowed_shells;
+ char **etc_shells;
+ char *shell_fallback;
};
struct nss_packet;
diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c
index 2f9186064..74c56a311 100644
--- a/src/responder/nss/nsssrv_cmd.c
+++ b/src/responder/nss/nsssrv_cmd.c
@@ -169,6 +169,178 @@ struct setent_ctx {
/****************************************************************************
* PASSWD db related functions
***************************************************************************/
+char *expand_homedir_template(TALLOC_CTX *mem_ctx, const char *template,
+ const char *username, uint32_t uid,
+ const char *domain)
+{
+ char *copy;
+ char *p;
+ char *n;
+ char *result = NULL;
+ char *res = NULL;
+ TALLOC_CTX *tmp_ctx = NULL;
+
+ if (template == NULL) {
+ DEBUG(1, ("Missing template.\n"));
+ return NULL;
+ }
+
+ tmp_ctx = talloc_new(NULL);
+ if (!tmp_ctx) return NULL;
+
+ copy = talloc_strdup(tmp_ctx, template);
+ if (copy == NULL) {
+ DEBUG(1, ("talloc_strdup failed.\n"));
+ goto done;
+ }
+
+ result = talloc_strdup(tmp_ctx, "");
+ if (result == NULL) {
+ DEBUG(1, ("talloc_strdup failed.\n"));
+ goto done;
+ }
+
+ p = copy;
+ while ( (n = strchr(p, '%')) != NULL) {
+ *n = '\0';
+ n++;
+ if ( *n == '\0' ) {
+ DEBUG(1, ("format error, single %% at the end of the template.\n"));
+ goto done;
+ }
+ switch( *n ) {
+ case 'u':
+ if (username == NULL) {
+ DEBUG(1, ("Cannot expand user name template "
+ "because user name is empty.\n"));
+ goto done;
+ }
+ result = talloc_asprintf_append(result, "%s%s", p,
+ username);
+ break;
+
+ case 'U':
+ if (uid == 0) {
+ DEBUG(1, ("Cannot expand uid template "
+ "because uid is invalid.\n"));
+ goto done;
+ }
+ result = talloc_asprintf_append(result, "%s%d", p,
+ uid);
+ break;
+
+ case 'd':
+ if (domain == NULL) {
+ DEBUG(1, ("Cannot expand domain name template "
+ "because domain name is empty.\n"));
+ goto done;
+ }
+ result = talloc_asprintf_append(result, "%s%s", p,
+ domain);
+ break;
+
+ case 'f':
+ if (domain == NULL || username == NULL) {
+ DEBUG(1, ("Cannot expand fully qualified name template "
+ "because domain or user name is empty.\n"));
+ goto done;
+ }
+ result = talloc_asprintf_append(result, "%s%s@%s", p,
+ username, domain);
+ break;
+
+ case '%':
+ result = talloc_asprintf_append(result, "%s%%", p);
+ break;
+
+ default:
+ DEBUG(1, ("format error, unknown template [%%%c].\n", *n));
+ goto done;
+ }
+
+ if (result == NULL) {
+ DEBUG(1, ("talloc_asprintf_append failed.\n"));
+ goto done;
+ }
+
+ p = n + 1;
+ }
+
+ result = talloc_asprintf_append(result, "%s", p);
+ if (result == NULL) {
+ DEBUG(1, ("talloc_asprintf_append failed.\n"));
+ goto done;
+ }
+
+ res = talloc_move(mem_ctx, &result);
+done:
+ talloc_zfree(tmp_ctx);
+ return res;
+}
+
+static gid_t get_gid_override(struct ldb_message *msg,
+ struct sss_domain_info *dom)
+{
+ return dom->override_gid ?
+ dom->override_gid :
+ ldb_msg_find_attr_as_uint64(msg, SYSDB_GIDNUM, 0);
+}
+
+static const char *get_homedir_override(TALLOC_CTX *mem_ctx,
+ struct ldb_message *msg,
+ struct nss_ctx *nctx,
+ struct sss_domain_info *dom,
+ const char *name,
+ uint32_t uid)
+{
+ if (dom->override_homedir) {
+ return expand_homedir_template(mem_ctx, dom->override_homedir,
+ name, uid, dom->name);
+ } else if (nctx->override_homedir) {
+ return expand_homedir_template(mem_ctx, nctx->override_homedir,
+ name, uid, dom->name);
+ }
+
+ return talloc_strdup(mem_ctx,
+ ldb_msg_find_attr_as_string(msg, SYSDB_HOMEDIR, NULL));
+}
+
+static const char *get_shell_override(TALLOC_CTX *mem_ctx,
+ struct ldb_message *msg,
+ struct nss_ctx *nctx)
+{
+ const char *user_shell;
+ int i;
+
+ user_shell = ldb_msg_find_attr_as_string(msg, SYSDB_SHELL, NULL);
+ if (!user_shell) return NULL;
+ if (!nctx->allowed_shells) return talloc_strdup(mem_ctx, user_shell);
+
+ for (i=0; nctx->etc_shells[i]; i++) {
+ if (strcmp(user_shell, nctx->etc_shells[i]) == 0) {
+ DEBUG(9, ("Shell %s found in /etc/shells\n",
+ nctx->etc_shells[i]));
+ break;
+ }
+ }
+
+ if (nctx->etc_shells[i]) {
+ DEBUG(9, ("Using original shell '%s'\n", user_shell));
+ return talloc_strdup(mem_ctx, user_shell);
+ }
+
+ for (i=0; nctx->allowed_shells[i]; i++) {
+ if (strcmp(nctx->allowed_shells[i], user_shell) == 0) {
+ DEBUG(5, ("The shell '%s' is allowed but does not exist. "
+ "Using fallback\n", user_shell));
+ return talloc_strdup(mem_ctx, nctx->shell_fallback);
+ }
+ }
+
+ DEBUG(5, ("The shell '%s' is not allowed and does not exist.\n",
+ user_shell));
+ return talloc_strdup(mem_ctx, NOLOGIN_SHELL);
+}
static int fill_pwent(struct sss_packet *packet,
struct sss_domain_info *dom,
@@ -195,6 +367,7 @@ static int fill_pwent(struct sss_packet *packet,
const char *namefmt = nctx->rctx->names->fq_fmt;
bool packet_initialized = false;
int ncret;
+ TALLOC_CTX *tmp_ctx = NULL;
if (add_domain) dom_len = strlen(domain);
@@ -202,11 +375,14 @@ static int fill_pwent(struct sss_packet *packet,
num = 0;
for (i = 0; i < *count; i++) {
+ talloc_zfree(tmp_ctx);
+ tmp_ctx = talloc_new(NULL);
+
msg = msgs[i];
name = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL);
uid = ldb_msg_find_attr_as_uint64(msg, SYSDB_UIDNUM, 0);
- gid = ldb_msg_find_attr_as_uint64(msg, SYSDB_GIDNUM, 0);
+ gid = get_gid_override(msg, dom);
if (!name || !uid || !gid) {
DEBUG(2, ("Incomplete or fake user object for %s[%llu]! Skipping\n",
@@ -233,8 +409,8 @@ static int fill_pwent(struct sss_packet *packet,
}
gecos = ldb_msg_find_attr_as_string(msg, SYSDB_GECOS, NULL);
- homedir = ldb_msg_find_attr_as_string(msg, SYSDB_HOMEDIR, NULL);
- shell = ldb_msg_find_attr_as_string(msg, SYSDB_SHELL, NULL);
+ homedir = get_homedir_override(tmp_ctx, msg, nctx, dom, name, uid);
+ shell = get_shell_override(tmp_ctx, msg, nctx);
if (!gecos) gecos = "";
if (!homedir) homedir = "/";
@@ -298,6 +474,7 @@ static int fill_pwent(struct sss_packet *packet,
num++;
}
+ talloc_zfree(tmp_ctx);
done:
*count = i;