From be82c8f75f195e8415d0afd29265504068792d39 Mon Sep 17 00:00:00 2001
From: John Hodrien
Date: Fri, 29 Jul 2011 10:04:05 -0400
Subject: Add vetoed_shells option

There may be users in LDAP that have a valid but unwelcome shell set in their account. This adds a blacklist of shells that should always be replaced by the fallback_shell.

Signed-off-by: Stephen Gallagher

Prevent segfault if vetoed_shells are specified without allowed_shells

https://fedorahosted.org/sssd/ticket/954
---
 src/confdb/confdb.h | 1 +
 src/config/SSSDConfig.py | 1 +
 src/man/sssd.conf.5.xml | 8 ++++++++
 src/responder/nss/nsssrv.c | 4 ++++
 src/responder/nss/nsssrv.h | 1 +
 src/responder/nss/nsssrv_cmd.c | 44 ++++++++++++++++++++++++++++--------------
 6 files changed, 44 insertions(+), 15 deletions(-)

diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index c2ae9fcb7..5e50991f3 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -74,6 +74,7 @@
 #define CONFDB_NSS_FILTER_GROUPS "filter_groups"
 #define CONFDB_NSS_PWFIELD "pwfield"
 #define CONFDB_NSS_OVERRIDE_HOMEDIR "override_homedir"
+#define CONFDB_NSS_VETOED_SHELL "vetoed_shells"
 #define CONFDB_NSS_ALLOWED_SHELL "allowed_shells"
 #define CONFDB_NSS_SHELL_FALLBACK "shell_fallback"
diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py
index 920a8a056..93a108ebd 100644
--- a/src/config/SSSDConfig.py
+++ b/src/config/SSSDConfig.py
@@ -60,6 +60,7 @@ option_strings = {
 'pwfield' : _('The value of the password field the NSS provider should return'),
 'override_homedir' : _('Override homedir value from the identity provider with this value'),
 'allowed_shells' : _('The list of shells users are allowed to log in with'),
+ 'vetoed_shells' : _('The list of shells that will be vetoed, and replaced with the fallback shell'),
 'shell_fallback' : _('If a shell stored in central directory is allowed but not available, use this fallback'),
 # [pam]
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index b4f384657..e03805561 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -423,6 +423,14 @@
+
+ vetoed_shells (string)
+
+
+ Replace any instance of these shells with the shell_fallback
+
+
+
 shell_fallback (string)
diff --git a/src/responder/nss/nsssrv.c b/src/responder/nss/nsssrv.c
index dde2e95ef..cb0acfe13 100644
--- a/src/responder/nss/nsssrv.c
+++ b/src/responder/nss/nsssrv.c
@@ -188,6 +188,10 @@ static int nss_get_config(struct nss_ctx *nctx,
 &nctx->allowed_shells);
 if (ret != EOK && ret != ENOENT) goto done;
+ ret = confdb_get_string_as_list(cdb, nctx, CONFDB_NSS_CONF_ENTRY,
+ CONFDB_NSS_VETOED_SHELL,
+ &nctx->vetoed_shells);
+ if (ret != EOK && ret != ENOENT) goto done;
 ret = nss_get_etc_shells(nctx, &nctx->etc_shells);
 if (ret != EOK) goto done;
diff --git a/src/responder/nss/nsssrv.h b/src/responder/nss/nsssrv.h
index f9aff5669..01a2810cd 100644
--- a/src/responder/nss/nsssrv.h
+++ b/src/responder/nss/nsssrv.h
@@ -60,6 +60,7 @@ struct nss_ctx {
 char *override_homedir;
 char **allowed_shells;
+ char **vetoed_shells;
 char **etc_shells;
 char *shell_fallback;
 };
diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c
index aa1b471d5..2aa7a9126 100644
--- a/src/responder/nss/nsssrv_cmd.c
+++ b/src/responder/nss/nsssrv_cmd.c
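Review bot: The new read treats ENOENT as success, so when vetoed_shells is not configured `nctx->vetoed_shells` holds whatever confdb_get_string_as_list leaves in the out-pointer, and get_shell_override uses a NULL test on that pointer to decide whether the deny-list is active; nothing in the hunk shows the helper resetting it or nctx being zero-allocated. This mirrors the existing allowed_shells read just above, so the assumption is presumably already relied on, but it is worth pinning with a comment on the new lines: `/* ENOENT = option absent; vetoed_shells must stay NULL, get_shell_override keys on it */`. nss_get_config starts and ends outside the hunk.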
@@ -314,26 +314,40 @@ static const char *get_shell_override(TALLOC_CTX *mem_ctx,
 user_shell = ldb_msg_find_attr_as_string(msg, SYSDB_SHELL, NULL);
 if (!user_shell) return NULL;
- if (!nctx->allowed_shells) return talloc_strdup(mem_ctx, user_shell);
-
- for (i=0; nctx->etc_shells[i]; i++) {
- if (strcmp(user_shell, nctx->etc_shells[i]) == 0) {
- DEBUG(9, ("Shell %s found in /etc/shells\n",
- nctx->etc_shells[i]));
- break;
+ if (!nctx->allowed_shells && !nctx->vetoed_shells) return talloc_strdup(mem_ctx, user_shell);
+
+ if (nctx->vetoed_shells) {
+ for (i=0; nctx->vetoed_shells[i]; i++) {
+ if (strcmp(nctx->vetoed_shells[i], user_shell) == 0) {
+ DEBUG(5, ("The shell '%s' is vetoed. "
+ "Using fallback\n", user_shell));
+ return talloc_strdup(mem_ctx, nctx->shell_fallback);
+ }
 }
 }
- if (nctx->etc_shells[i]) {
- DEBUG(9, ("Using original shell '%s'\n", user_shell));
- return talloc_strdup(mem_ctx, user_shell);
+ if (nctx->etc_shells) {
+ for (i=0; nctx->etc_shells[i]; i++) {
+ if (strcmp(user_shell, nctx->etc_shells[i]) == 0) {
+ DEBUG(9, ("Shell %s found in /etc/shells\n",
+ nctx->etc_shells[i]));
+ break;
+ }
+ }
+
+ if (nctx->etc_shells[i]) {
+ DEBUG(9, ("Using original shell '%s'\n", user_shell));
+ return talloc_strdup(mem_ctx, user_shell);
+ }
 }
- for (i=0; nctx->allowed_shells[i]; i++) {
- if (strcmp(nctx->allowed_shells[i], user_shell) == 0) {
- DEBUG(5, ("The shell '%s' is allowed but does not exist. "
- "Using fallback\n", user_shell));
- return talloc_strdup(mem_ctx, nctx->shell_fallback);
+ if (nctx->allowed_shells) {
+ for (i=0; nctx->allowed_shells[i]; i++) {
+ if (strcmp(nctx->allowed_shells[i], user_shell) == 0) {
+ DEBUG(5, ("The shell '%s' is allowed but does not exist. "
+ "Using fallback\n", user_shell));
+ return talloc_strdup(mem_ctx, nctx->shell_fallback);
+ }
 }
 }
-- cgit
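Review bot: Setting vetoed_shells without allowed_shells changes what happens to a shell that is neither vetoed nor listed in /etc/shells: the old first guard returned user_shell untouched whenever allowed_shells was unset, while the new guard only does so when both lists are unset, so such a shell now skips the guarded allowed_shells block and reaches the tail of get_shell_override, which lies outside this hunk. If that tail replaces unrecognised shells (the usual nologin handling), enabling the deny-list alone silently tightens policy for every shell absent from /etc/shells, which neither the man page text nor the commit message states; either restore the pass-through by inserting `if (!nctx->allowed_shells) return talloc_strdup(mem_ctx, user_shell);` just before the `if (nctx->allowed_shells)` block, or document the behaviour. The veto loop is also an exact strcmp, so a path variant or symlink of a vetoed shell passes it; as a deny-list it is only as complete as the paths listed, and allowed_shells stays the robust control. A comment above the loop would capture both: `/* vetoed_shells beats /etc/shells and allowed_shells; exact string match, so list every path variant */`. get_shell_override starts and ends outside the hunk.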