author | Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> | 2017-03-21 11:45:37 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2017-07-27 10:33:13 +0200 |
commit | 836dae913497e150bd0ec11eee1e256e4fcc0bb7 (patch) | |
tree | 58dadcd65e4ed7ea0c3c4f9c195326ea85048e85 | |
parent | 382a972a80ac571cdbf70d88571f6de49fe1cd23 (diff) | |
NSS: Substitute session recording shell
Substitute the configured session recording shell when unconditional
session recording is enabled (scope = all), or when selective session
recording is enabled (scope = some), and the user has the
sessionRecording attribute set to true.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-rw-r--r-- | src/responder/nss/nss_protocol_pwent.c | 48 |
1 files changed, 47 insertions, 1 deletions
diff --git a/src/responder/nss/nss_protocol_pwent.c b/src/responder/nss/nss_protocol_pwent.c
index 6c1de3123..db5c071e2 100644
--- a/src/responder/nss/nss_protocol_pwent.c
+++ b/src/responder/nss/nss_protocol_pwent.c
@@ -120,6 +120,46 @@ nss_get_homedir(TALLOC_CTX *mem_ctx,
 }
 
 static errno_t
+nss_get_shell(struct nss_ctx *nss_ctx,
+              struct sss_domain_info *domain,
+              struct ldb_message *msg,
+              const char *name,
+              uint32_t uid,
+              const char **_shell)
+{
+    const char *shell = NULL;
+
+    if (nss_ctx->rctx->sr_conf.scope == SESSION_RECORDING_SCOPE_ALL) {
+        shell = SESSION_RECORDING_SHELL;
+    } else if (nss_ctx->rctx->sr_conf.scope ==
+               SESSION_RECORDING_SCOPE_SOME) {
+        const char *sr_enabled;
+        sr_enabled = ldb_msg_find_attr_as_string(
+                                msg, SYSDB_SESSION_RECORDING, NULL);
+        if (sr_enabled == NULL) {
+            DEBUG(SSSDBG_OP_FAILURE,
+                  "%s attribute not found for %s[%u]! Skipping\n",
+                  SYSDB_SESSION_RECORDING, name, uid);
+            return EINVAL;
+        } else if (strcmp(sr_enabled, "TRUE") == 0) {
+            shell = SESSION_RECORDING_SHELL;
+        } else if (strcmp(sr_enabled, "FALSE") != 0) {
+            DEBUG(SSSDBG_OP_FAILURE,
+                  "Skipping %s[%u] "
+                  "because its %s attribute value is invalid: %s\n",
+                  name, uid, SYSDB_SESSION_RECORDING, sr_enabled);
+            return EINVAL;
+        }
+    }
+    if (shell == NULL) {
+        shell = sss_resp_get_shell_override(msg, nss_ctx->rctx, domain);
+    }
+
+    *_shell = shell;
+    return EOK;
+}
+
+static errno_t
 nss_get_pwent(TALLOC_CTX *mem_ctx,
               struct nss_ctx *nss_ctx,
               struct sss_domain_info *domain,
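Review bot: In the SESSION_RECORDING_SCOPE_SOME branch of nss_get_shell, a missing sessionRecording attribute returns EINVAL, and the caller in the second hunk then returns that error from nss_get_pwent, so the user is dropped from the NSS reply instead of being handed its normal shell. That is a defensible fail-closed choice for a recording policy, but it also means that with scope = some every user whose cached entry lacks the attribute becomes unresolvable (presumably the backend is expected to always populate it — worth confirming), while the commit message only describes the TRUE case. The function has no header comment; I would add one above `nss_get_shell` stating that it returns EINVAL when scope is "some" and the attribute is absent or neither TRUE nor FALSE, that `*_shell` is written only on success, and that the string it yields is either the compile-time recording shell or whatever sss_resp_get_shell_override hands back, so the caller must not free it. nss_get_pwent, whose signature begins at the end of this hunk, continues outside it.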
@@ -156,7 +196,13 @@ nss_get_pwent(TALLOC_CTX *mem_ctx,
     gecos = sss_view_ldb_msg_find_attr_as_string(domain, msg, SYSDB_GECOS,
                                                  NULL);
     homedir = nss_get_homedir(mem_ctx, nss_ctx, domain, msg, name, upn, uid);
-    shell = sss_resp_get_shell_override(msg, nss_ctx->rctx, domain);
+    ret = nss_get_shell(nss_ctx, domain, msg, name, uid, &shell);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_CRIT_FAILURE,
+              "failed retrieving shell for %s[%u], skipping [%d]: %s\n",
+              name, uid, ret, sss_strerror(ret));
+        return ret;
+    }
 
     /* Convert to sized strings. */
     ret = sized_output_name(mem_ctx, nss_ctx->rctx, name, domain, _name);