From 695bca9d2f73096254308e0883fcc74b2631850e Mon Sep 17 00:00:00 2001
From: Stephen Gallagher
Date: Thu, 19 Jul 2012 15:50:52 -0400
Subject: NSS: Add override_shell option

If override_shell is specified in the [nss] section, all users managed by SSSD will have their shell set to this value. If it is specified in the [domain/DOMAINNAME] section, it will apply to only that domain (and override the [nss] value, if any).
https://fedorahosted.org/sssd/ticket/1087
---
 src/confdb/confdb.c | 10 ++++++++++
 src/confdb/confdb.h | 2 ++
 src/config/SSSDConfig/__init__.py.in | 1 +
 src/config/SSSDConfigTest.py | 2 ++
 src/config/etc/sssd.api.conf | 2 ++
 src/man/sssd.conf.5.xml | 14 ++++++++++++++
 src/responder/nss/nsssrv.c | 5 +++++
 src/responder/nss/nsssrv.h | 1 +
 src/responder/nss/nsssrv_cmd.c | 14 ++++++++++++--
 9 files changed, 49 insertions(+), 2 deletions(-)

diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index ab0d00480..37a5758c7 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -1064,6 +1064,16 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
 }
 }
+ tmp = ldb_msg_find_attr_as_string(res->msgs[0],
+ CONFDB_NSS_OVERRIDE_SHELL, NULL);
+ if (tmp != NULL) {
+ domain->override_shell = talloc_strdup(domain, tmp);
+ if (!domain->override_shell) {
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+
 ret = get_entry_as_bool(res->msgs[0], &domain->case_sensitive, CONFDB_DOMAIN_CASE_SENSITIVE, true);
 if(ret != EOK) {
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 6f6b730ae..d06ec7a35 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -87,6 +87,7 @@
 #define CONFDB_NSS_PWFIELD "pwfield"
 #define CONFDB_NSS_OVERRIDE_HOMEDIR "override_homedir"
 #define CONFDB_NSS_FALLBACK_HOMEDIR "fallback_homedir"
+#define CONFDB_NSS_OVERRIDE_SHELL "override_shell"
 #define CONFDB_NSS_VETOED_SHELL "vetoed_shells"
 #define CONFDB_NSS_ALLOWED_SHELL "allowed_shells"
 #define CONFDB_NSS_SHELL_FALLBACK "shell_fallback"
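Review bot: In the src/confdb/confdb.c hunk the per-domain value is copied with `talloc_strdup` after only a NULL check, so an empty `override_shell =` entry would, if confdb hands it back as an empty string, become a non-NULL `domain->override_shell`. The pointer test this commit adds to get_shell_override in src/responder/nss/nsssrv_cmd.c would then return that empty string as the shell of every user in the domain, and it would also mask a valid [nss] value. Consider treating empty as unset, `if (tmp != NULL && *tmp != '\0') {`, and applying the same rule to the [nss] value read in nss_get_config. confdb_get_domain_internal starts and ends outside the hunk, so whether empty values are already filtered earlier is not visible here.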
@@ -207,6 +208,7 @@ struct sss_domain_info {
 const char *override_homedir;
 const char *fallback_homedir;
 const char *subdomain_homedir;
+ const char *override_shell;
 uint32_t user_timeout;
 uint32_t group_timeout;
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 18586ad6e..1daa3907c 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -65,6 +65,7 @@ option_strings = {
 'pwfield' : _('The value of the password field the NSS provider should return'),
 'override_homedir' : _('Override homedir value from the identity provider with this value'),
 'fallback_homedir' : _('Substitute empty homedir value from the identity provider with this value'),
+ 'override_shell': _('Override shell value from the identity provider with this value'),
 'allowed_shells' : _('The list of shells users are allowed to log in with'),
 'vetoed_shells' : _('The list of shells that will be vetoed, and replaced with the fallback shell'),
 'shell_fallback' : _('If a shell stored in central directory is allowed but not available, use this fallback'),
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index dc4bcc967..9f77188bb 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -505,6 +505,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
 'case_sensitive',
 'override_homedir',
 'fallback_homedir',
+ 'override_shell',
 'pwd_expiration_warning',
 'id_provider',
 'auth_provider',
@@ -837,6 +838,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
 'case_sensitive',
 'override_homedir',
 'fallback_homedir',
+ 'override_shell',
 'pwd_expiration_warning',
 'id_provider',
 'auth_provider',
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index 35ebb2e48..fe5a09623 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -34,6 +34,7 @@ filter_users_in_groups = bool, None, false
 pwfield = str, None, false
 override_homedir = str, None, false
 fallback_homedir = str, None, false
+override_shell = str, None, false
 allowed_shells = list, str, false
 vetoed_shells = list, str, false
 shell_fallback = str, None, false
@@ -105,6 +106,7 @@ override_gid = int, None, false
 case_sensitive = bool, None, false
 override_homedir = str, None, false
 fallback_homedir = str, None, false
+override_shell = str, None, false
 #Entry cache timeouts
 entry_cache_user_timeout = int, None, false
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 26f05eae6..a6e5e82b9 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -485,6 +485,20 @@ override_homedir = /home/%u
+
+ override_shell (string)
+
+
+ Override the login shell for all users. This
+ option can be specified globally in the [nss]
+ section or per-domain.
+
+
+ Default: not set (SSSD will use the value
+ retrieved from LDAP)
+
+
+
 allowed_shells (string)
diff --git a/src/responder/nss/nsssrv.c b/src/responder/nss/nsssrv.c
index cd2060e45..64267e868 100644
--- a/src/responder/nss/nsssrv.c
+++ b/src/responder/nss/nsssrv.c
@@ -182,6 +182,11 @@ static int nss_get_config(struct nss_ctx *nctx,
 &nctx->fallback_homedir);
 if (ret != EOK) goto done;
+ ret = confdb_get_string(cdb, nctx, CONFDB_NSS_CONF_ENTRY,
+ CONFDB_NSS_OVERRIDE_SHELL, NULL,
+ &nctx->override_shell);
+ if (ret != EOK && ret != ENOENT) goto done;
+
 ret = confdb_get_string_as_list(cdb, nctx, CONFDB_NSS_CONF_ENTRY, CONFDB_NSS_ALLOWED_SHELL, &nctx->allowed_shells);
diff --git a/src/responder/nss/nsssrv.h b/src/responder/nss/nsssrv.h
index 58cd3da0f..a8b2c3c97 100644
--- a/src/responder/nss/nsssrv.h
+++ b/src/responder/nss/nsssrv.h
@@ -63,6 +63,7 @@ struct nss_ctx {
 char *override_homedir;
 char *fallback_homedir;
 char **allowed_shells;
+ char *override_shell;
 char **vetoed_shells;
 char **etc_shells;
 char *shell_fallback;
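Review bot: The new `confdb_get_string` call in nss_get_config (src/responder/nss/nsssrv.c) tolerates `ENOENT`, unlike the `if (ret != EOK) goto done;` kept for fallback_homedir just above it, and nothing in the hunk shows what `nctx->override_shell` holds on that path. get_shell_override, as changed by this commit, tests that pointer and returns it as the user's shell, so it must be NULL whenever the option is absent. Either match the neighbouring calls with `if (ret != EOK) goto done;` (a NULL default is already passed to the call), or set `nctx->override_shell = NULL;` before the call. nss_get_config starts and ends outside the hunk, so the allocation of nctx may already zero the field; that should be confirmed rather than assumed.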
diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c
index 5c5f8060b..64fd7a587 100644
--- a/src/responder/nss/nsssrv_cmd.c
+++ b/src/responder/nss/nsssrv_cmd.c
@@ -155,11 +155,21 @@ static const char *get_homedir_override(TALLOC_CTX *mem_ctx,
 static const char *get_shell_override(TALLOC_CTX *mem_ctx, struct ldb_message *msg,
- struct nss_ctx *nctx)
+ struct nss_ctx *nctx,
+ struct sss_domain_info *dom)
 {
 const char *user_shell;
 int i;
+ /* Check whether we are unconditionally overriding the server
+ * for the login shell.
+ */
+ if (dom->override_shell) {
+ return dom->override_shell;
+ } else if (nctx->override_shell) {
+ return nctx->override_shell;
+ }
+
 user_shell = ldb_msg_find_attr_as_string(msg, SYSDB_SHELL, NULL);
 if (!user_shell) {
 /* Check whether there is a default shell specified */
@@ -303,7 +313,7 @@ static int fill_pwent(struct sss_packet *packet,
 } else {
 to_sized_string(&homedir, tmpstr);
 }
- tmpstr = get_shell_override(tmp_ctx, msg, nctx);
+ tmpstr = get_shell_override(tmp_ctx, msg, nctx, dom);
 if (!tmpstr) {
 to_sized_string(&shell, "");
 } else {
-- cgit
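Review bot: The early returns added at the top of get_shell_override hand back the configured override before the directory shell is even read, so whatever allowed_shells / vetoed_shells / shell_fallback handling follows (outside this hunk) is presumably never reached once override_shell is set. One consequence worth documenting is that accounts whose directory entry carries a deliberately non-interactive shell are reported with the override as well. Suggest extending the new comment, e.g. `/* override_shell wins over the directory value and is returned as-is: no allowed_shells/vetoed_shells filtering is applied to it. */`, and adding the same sentence to the override_shell entry in sssd.conf.5.xml. The `else` after `return` is also redundant; two plain `if` blocks would read more clearly.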