From 312818233ce48471c56d1a7589579892d9726e3b Mon Sep 17 00:00:00 2001
From: Stephen Gallagher
Date: Wed, 9 May 2012 12:43:06 -0400
Subject: NSS: Add default_shell option

This option will allow administrators to set a default shell to be used if a user does not have one set in the identity provider.
https://fedorahosted.org/sssd/ticket/1289
---
src/confdb/confdb.h | 1 +
src/config/SSSDConfig.py | 1 +
src/config/etc/sssd.api.conf | 1 +
src/man/sssd.conf.5.xml | 15 +++++++++++++++
src/responder/nss/nsssrv.c | 7 +++++++
src/responder/nss/nsssrv.h | 1 +
src/responder/nss/nsssrv_cmd.c | 8 +++++++-
7 files changed, 33 insertions(+), 1 deletion(-)
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index c816d5334..2468f7e50 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -85,6 +85,7 @@
 #define CONFDB_NSS_VETOED_SHELL "vetoed_shells"
 #define CONFDB_NSS_ALLOWED_SHELL "allowed_shells"
 #define CONFDB_NSS_SHELL_FALLBACK "shell_fallback"
+#define CONFDB_NSS_DEFAULT_SHELL "default_shell"
 /* PAM */
 #define CONFDB_PAM_CONF_ENTRY "config/pam"
diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py
index 894837d40..a44e138f6 100644
--- a/src/config/SSSDConfig.py
+++ b/src/config/SSSDConfig.py
@@ -67,6 +67,7 @@ option_strings = {
 'allowed_shells' : _('The list of shells users are allowed to log in with'),
 'vetoed_shells' : _('The list of shells that will be vetoed, and replaced with the fallback shell'),
 'shell_fallback' : _('If a shell stored in central directory is allowed but not available, use this fallback'),
+ 'default_shell': _('Shell to use if the provider does not list one'),
 # [pam]
 'offline_credentials_expiration' : _('How long to allow cached logins between online logins (days)'),
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index ca946dab0..a1caa7b53 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf 
@@ -36,6 +36,7 @@ fallback_homedir = str, None, false
 allowed_shells = list, str, false
 vetoed_shells = list, str, false
 shell_fallback = str, None, false
+default_shell = str, None, false
 get_domains_timeout = int, None, false
 [pam]
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 24c6a74a5..1332f2891 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -516,6 +516,21 @@
+
+ default_shell
+
+
+ The default shell to use if the provider does not
+ return one during lookup. This option supercedes
+ any other shell options if it takes effect.
+
+
+ Default: not set (Return NULL if no shell is
+ specified and rely on libc to substitute something
+ sensible when necessary, usually /bin/sh)
+
+
+ get_domains_timeout (int)
diff --git a/src/responder/nss/nsssrv.c b/src/responder/nss/nsssrv.c
index c8ee444a8..9cb4a5697 100644
--- a/src/responder/nss/nsssrv.c
+++ b/src/responder/nss/nsssrv.c
@@ -192,6 +192,7 @@ static int nss_get_config(struct nss_ctx *nctx,
 CONFDB_NSS_VETOED_SHELL, &nctx->vetoed_shells);
 if (ret != EOK && ret != ENOENT) goto done;
+ ret = nss_get_etc_shells(nctx, &nctx->etc_shells);
 if (ret != EOK) goto done;
@@ -201,6 +202,12 @@ static int nss_get_config(struct nss_ctx *nctx,
 &nctx->shell_fallback);
 if (ret != EOK) goto done;
+ ret = confdb_get_string(cdb, nctx, CONFDB_NSS_CONF_ENTRY,
+ CONFDB_NSS_DEFAULT_SHELL,
+ NULL,
+ &nctx->default_shell);
+ if (ret != EOK) goto done;
+ ret = 0;
 done:
 return ret;
diff --git a/src/responder/nss/nsssrv.h b/src/responder/nss/nsssrv.h
index 5b5ae50b9..58cd3da0f 100644
--- a/src/responder/nss/nsssrv.h
+++ b/src/responder/nss/nsssrv.h
@@ -66,6 +66,7 @@ struct nss_ctx {
 char **vetoed_shells;
 char **etc_shells;
 char *shell_fallback;
+ char *default_shell;
 struct sss_mc_ctx *pwd_mc_ctx;
 struct sss_mc_ctx *grp_mc_ctx;
diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c
index d448fa859..263499bfe 100644
--- a/src/responder/nss/nsssrv_cmd.c 
+++ b/src/responder/nss/nsssrv_cmd.c
@@ -161,7 +161,13 @@ static const char *get_shell_override(TALLOC_CTX *mem_ctx,
 int i;
 user_shell = ldb_msg_find_attr_as_string(msg, SYSDB_SHELL, NULL);
- if (!user_shell) return NULL;
+ if (!user_shell) {
+ /* Check whether there is a default shell specified */
+ if (nctx->default_shell) {
+ return talloc_strdup(mem_ctx, nctx->default_shell);
+ }
+ return NULL;
+ }
 if (!nctx->allowed_shells && !nctx->vetoed_shells) return talloc_strdup(mem_ctx, user_shell);
 if (nctx->vetoed_shells) {
-- cgit
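Review bot: The new branch in get_shell_override returns `nctx->default_shell` before the `allowed_shells`/`vetoed_shells` handling that follows, so the configured default is handed to every user without a provider shell and is never compared against the veto list. The man page text in this commit says the option supersedes the other shell options, so this looks intended, but then the value deserves a sanity check where it is loaded in the second nss_get_config hunk (src/responder/nss/nsssrv.c), which only tests `ret != EOK`; rejecting an empty or non-absolute path there would catch a typo before it reaches every shell-less account. The comment here should also state the bypass, e.g. `/* No shell from the provider: return default_shell as configured; it is intentionally not filtered by allowed_shells/vetoed_shells */`. Separately, `if (!user_shell)` does not cover an empty-string SYSDB_SHELL value; if a provider can store one, `if (!user_shell || user_shell[0] == '\0')` would be needed for the default to apply. get_shell_override continues past the end of the hunk, so any later checks are not visible here.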