authorNikolai Kondrashov <Nikolai.Kondrashov@redhat.com>2017-03-29 16:07:52 +0300
committerJakub Hrozek <jhrozek@redhat.com>2017-07-27 10:32:14 +0200
commitc31065ecc0793e836066035d0c692b050b5f6f55 (patch)
tree5cfc7089fbcb0fb484df15207d66fb98b3e2d596
parentcb89693cf5ccdedf69fa304c6d43d618a7bc18b2 (diff)
downloadsssd-c31065ecc0793e836066035d0c692b050b5f6f55.tar.gz
sssd-c31065ecc0793e836066035d0c692b050b5f6f55.tar.xz
sssd-c31065ecc0793e836066035d0c692b050b5f6f55.zip
NSS: Move shell options to common responder
Move all the shell-related options from the NSS responder context to the common responder context, so they can be used by other responders to retrieve the user's original shell when it is overridden for session recording. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-rw-r--r--src/responder/common/responder.h7
-rw-r--r--src/responder/common/responder_common.c100
-rw-r--r--src/responder/nss/nss_private.h6
-rw-r--r--src/responder/nss/nss_protocol_pwent.c42
-rw-r--r--src/responder/nss/nsssrv.c99
5 files changed, 128 insertions, 126 deletions
diff --git a/src/responder/common/responder.h b/src/responder/common/responder.h
index b0e3e05b9..7a998967f 100644
--- a/src/responder/common/responder.h
+++ b/src/responder/common/responder.h
@@ -139,6 +139,13 @@ struct resp_ctx {
char *default_domain;
char override_space;
+ char **allowed_shells;
+ char *override_shell;
+ char **vetoed_shells;
+ char **etc_shells;
+ char *shell_fallback;
+ char *default_shell;
+
uint32_t cache_req_num;
void *pvt_ctx;
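Review bot: The six fields added to struct resp_ctx carry no comment, and nothing in the header says where they are populated or that several of them may stay NULL (override_shell, allowed_shells, vetoed_shells and default_shell are only set when the option is configured, while etc_shells and shell_fallback are always filled by sss_process_init). A one-line comment above the group would spare readers a trip to responder_common.c: `/* Login-shell policy (read from the [nss] section in sss_process_init); list pointers are NULL when the option is unset */`. The struct definition starts outside this hunk.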
diff --git a/src/responder/common/responder_common.c b/src/responder/common/responder_common.c
index 74c424c7b..edf6a34bd 100644
--- a/src/responder/common/responder_common.c
+++ b/src/responder/common/responder_common.c
@@ -50,6 +50,9 @@
#include <systemd/sd-daemon.h>
#endif
+#define SHELL_REALLOC_INCREMENT 5
+#define SHELL_REALLOC_MAX 50
+
static errno_t set_close_on_exec(int fd)
{
int v;
@@ -1062,6 +1065,72 @@ done:
return ret;
}
+static errno_t sss_get_etc_shells(TALLOC_CTX *mem_ctx, char ***_shells)
+{
+ int i = 0;
+ char *sh;
+ char **shells = NULL;
+ TALLOC_CTX *tmp_ctx;
+ errno_t ret;
+ int size;
+
+ tmp_ctx = talloc_new(NULL);
+ if (!tmp_ctx) return ENOMEM;
+
+ shells = talloc_array(tmp_ctx, char *, SHELL_REALLOC_INCREMENT);
+ if (!shells) {
+ ret = ENOMEM;
+ goto done;
+ }
+ size = SHELL_REALLOC_INCREMENT;
+
+ setusershell();
+ while ((sh = getusershell())) {
+ shells[i] = talloc_strdup(shells, sh);
+ if (!shells[i]) {
+ endusershell();
+ ret = ENOMEM;
+ goto done;
+ }
+ DEBUG(SSSDBG_TRACE_FUNC, "Found shell %s in /etc/shells\n", shells[i]);
+ i++;
+
+ if (i == size) {
+ size += SHELL_REALLOC_INCREMENT;
+ if (size > SHELL_REALLOC_MAX) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Reached maximum number of shells [%d]. "
+ "Users may be denied access. "
+ "Please check /etc/shells for sanity\n",
+ SHELL_REALLOC_MAX);
+ break;
+ }
+ shells = talloc_realloc(NULL, shells, char *,
+ size);
+ if (!shells) {
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+ }
+ endusershell();
+
+ if (i + 1 < size) {
+ shells = talloc_realloc(NULL, shells, char *, i + 1);
+ if (!shells) {
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+ shells[i] = NULL;
+
+ *_shells = talloc_move(mem_ctx, &shells);
+ ret = EOK;
+done:
+ talloc_zfree(tmp_ctx);
+ return ret;
+}
+
int sss_process_init(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
struct confdb_ctx *cdb,
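Review bot: sss_get_etc_shells is now a shared helper yet has no header comment, and its two non-obvious behaviours are easy to miss: when the list hits SHELL_REALLOC_MAX the loop breaks and silently drops every later entry while still returning EOK (the DEBUG at SSSDBG_FATAL_FAILURE is the only trace), and because getusershell()/endusershell() walk /etc/shells only once at process start, edits to that file are not seen until the responder restarts. I would add a comment above the function stating that it returns a NULL-terminated, talloc-owned copy of /etc/shells truncated to SHELL_REALLOC_MAX entries, that truncation is reported but not treated as an error, and that the result is a startup snapshot. getusershell() also keeps static state, so the helper is presumably only safe from the single tevent main loop — worth saying if callers in other responders are expected.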
@@ -1201,6 +1270,37 @@ int sss_process_init(TALLOC_CTX *mem_ctx,
ret, sss_strerror(ret));
}
+ /* Read shell settings */
+ ret = confdb_get_string(cdb, rctx, CONFDB_NSS_CONF_ENTRY,
+ CONFDB_NSS_OVERRIDE_SHELL, NULL,
+ &rctx->override_shell);
+ if (ret != EOK && ret != ENOENT) goto fail;
+
+ ret = confdb_get_string_as_list(cdb, rctx, CONFDB_NSS_CONF_ENTRY,
+ CONFDB_NSS_ALLOWED_SHELL,
+ &rctx->allowed_shells);
+ if (ret != EOK && ret != ENOENT) goto fail;
+
+ ret = confdb_get_string_as_list(cdb, rctx, CONFDB_NSS_CONF_ENTRY,
+ CONFDB_NSS_VETOED_SHELL,
+ &rctx->vetoed_shells);
+ if (ret != EOK && ret != ENOENT) goto fail;
+
+ ret = sss_get_etc_shells(rctx, &rctx->etc_shells);
+ if (ret != EOK) goto fail;
+
+ ret = confdb_get_string(cdb, rctx, CONFDB_NSS_CONF_ENTRY,
+ CONFDB_NSS_SHELL_FALLBACK,
+ CONFDB_DEFAULT_SHELL_FALLBACK,
+ &rctx->shell_fallback);
+ if (ret != EOK) goto fail;
+
+ ret = confdb_get_string(cdb, rctx, CONFDB_NSS_CONF_ENTRY,
+ CONFDB_NSS_DEFAULT_SHELL,
+ NULL,
+ &rctx->default_shell);
+ if (ret != EOK) goto fail;
+
ret = sss_monitor_init(rctx, rctx->ev, monitor_intf,
svc_name, svc_version, MT_SVC_SERVICE,
rctx, &rctx->last_request_time,
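Review bot: The shell settings are still read from CONFDB_NSS_CONF_ENTRY even though they now live in the common context, so every responder started through sss_process_init reads the [nss] section and parses /etc/shells, which a reader of this file would not expect; the `/* Read shell settings */` line should say so, e.g. `/* Shell policy is configured in [nss] but kept in the common context so other responders can resolve a user's original shell. */`. The error handling is also uneven: override_shell, allowed_shells and vetoed_shells tolerate ENOENT, while default_shell, read with the same NULL default, treats ENOENT as fatal — if confdb_get_string can return ENOENT for an unset key, `if (ret != EOK && ret != ENOENT) goto fail;` on that read would match its siblings; if it cannot, the three ENOENT checks are dead and could be dropped for consistency. The fail label is outside this hunk.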
diff --git a/src/responder/nss/nss_private.h b/src/responder/nss/nss_private.h
index 13de83226..a0b573d6e 100644
--- a/src/responder/nss/nss_private.h
+++ b/src/responder/nss/nss_private.h
@@ -74,12 +74,6 @@ struct nss_ctx {
char *override_homedir;
char *fallback_homedir;
char *homedir_substr;
- char **allowed_shells;
- char *override_shell;
- char **vetoed_shells;
- char **etc_shells;
- char *shell_fallback;
- char *default_shell;
const char **extra_attributes;
/* Enumeration. */
diff --git a/src/responder/nss/nss_protocol_pwent.c b/src/responder/nss/nss_protocol_pwent.c
index b355d4fc9..cb11ea3d4 100644
--- a/src/responder/nss/nss_protocol_pwent.c
+++ b/src/responder/nss/nss_protocol_pwent.c
@@ -121,7 +121,7 @@ nss_get_homedir(TALLOC_CTX *mem_ctx,
static const char *
nss_get_shell_override(struct ldb_message *msg,
- struct nss_ctx *nss_ctx,
+ struct resp_ctx *rctx,
struct sss_domain_info *domain)
{
const char *shell;
@@ -131,8 +131,8 @@ nss_get_shell_override(struct ldb_message *msg,
* the server for the login shell. */
if (domain->override_shell) {
return domain->override_shell;
- } else if (nss_ctx->override_shell) {
- return nss_ctx->override_shell;
+ } else if (rctx->override_shell) {
+ return rctx->override_shell;
}
shell = sss_view_ldb_msg_find_attr_as_string(domain, msg, SYSDB_SHELL,
@@ -141,56 +141,56 @@ nss_get_shell_override(struct ldb_message *msg,
/* Check whether there is a default shell specified */
if (domain->default_shell) {
return domain->default_shell;
- } else if (nss_ctx->default_shell) {
- return nss_ctx->default_shell;
+ } else if (rctx->default_shell) {
+ return rctx->default_shell;
}
return "";
}
- if (nss_ctx->allowed_shells == NULL && nss_ctx->vetoed_shells == NULL) {
+ if (rctx->allowed_shells == NULL && rctx->vetoed_shells == NULL) {
return shell;
}
- if (nss_ctx->vetoed_shells) {
- for (i = 0; nss_ctx->vetoed_shells[i]; i++) {
- if (strcmp(nss_ctx->vetoed_shells[i], shell) == 0) {
+ if (rctx->vetoed_shells) {
+ for (i = 0; rctx->vetoed_shells[i]; i++) {
+ if (strcmp(rctx->vetoed_shells[i], shell) == 0) {
DEBUG(SSSDBG_FUNC_DATA,
"The shell '%s' is vetoed. Using fallback.\n",
shell);
- return nss_ctx->shell_fallback;
+ return rctx->shell_fallback;
}
}
}
- if (nss_ctx->etc_shells) {
- for (i = 0; nss_ctx->etc_shells[i]; i++) {
- if (strcmp(shell, nss_ctx->etc_shells[i]) == 0) {
+ if (rctx->etc_shells) {
+ for (i = 0; rctx->etc_shells[i]; i++) {
+ if (strcmp(shell, rctx->etc_shells[i]) == 0) {
DEBUG(SSSDBG_TRACE_ALL,
"Shell %s found in /etc/shells\n", shell);
break;
}
}
- if (nss_ctx->etc_shells[i]) {
+ if (rctx->etc_shells[i]) {
DEBUG(SSSDBG_TRACE_ALL, "Using original shell '%s'\n", shell);
return shell;
}
}
- if (nss_ctx->allowed_shells) {
- if (strcmp(nss_ctx->allowed_shells[0], "*") == 0) {
+ if (rctx->allowed_shells) {
+ if (strcmp(rctx->allowed_shells[0], "*") == 0) {
DEBUG(SSSDBG_FUNC_DATA,
"The shell '%s' is allowed but does not exist. "
"Using fallback\n", shell);
- return nss_ctx->shell_fallback;
+ return rctx->shell_fallback;
} else {
- for (i = 0; nss_ctx->allowed_shells[i]; i++) {
- if (strcmp(nss_ctx->allowed_shells[i], shell) == 0) {
+ for (i = 0; rctx->allowed_shells[i]; i++) {
+ if (strcmp(rctx->allowed_shells[i], shell) == 0) {
DEBUG(SSSDBG_FUNC_DATA,
"The shell '%s' is allowed but does not exist. "
"Using fallback\n", shell);
- return nss_ctx->shell_fallback;
+ return rctx->shell_fallback;
}
}
}
@@ -239,7 +239,7 @@ nss_get_pwent(TALLOC_CTX *mem_ctx,
gecos = sss_view_ldb_msg_find_attr_as_string(domain, msg, SYSDB_GECOS,
NULL);
homedir = nss_get_homedir(mem_ctx, nss_ctx, domain, msg, name, upn, uid);
- shell = nss_get_shell_override(msg, nss_ctx, domain);
+ shell = nss_get_shell_override(msg, nss_ctx->rctx, domain);
/* Convert to sized strings. */
ret = sized_output_name(mem_ctx, nss_ctx->rctx, name, domain, _name);
diff --git a/src/responder/nss/nsssrv.c b/src/responder/nss/nsssrv.c
index 644e94188..d67b9fac8 100644
--- a/src/responder/nss/nsssrv.c
+++ b/src/responder/nss/nsssrv.c
@@ -52,9 +52,6 @@
#define DEFAULT_PWFIELD "*"
#define DEFAULT_NSS_FD_LIMIT 8192
-#define SHELL_REALLOC_INCREMENT 5
-#define SHELL_REALLOC_MAX 50
-
static int nss_clear_memcache(struct sbus_request *dbus_req, void *data);
static int nss_clear_netgroup_hash_table(struct sbus_request *dbus_req, void *data);
@@ -150,72 +147,6 @@ static int nss_clear_netgroup_hash_table(struct sbus_request *dbus_req, void *da
return sbus_request_return_and_finish(dbus_req, DBUS_TYPE_INVALID);
}
-static errno_t nss_get_etc_shells(TALLOC_CTX *mem_ctx, char ***_shells)
-{
- int i = 0;
- char *sh;
- char **shells = NULL;
- TALLOC_CTX *tmp_ctx;
- errno_t ret;
- int size;
-
- tmp_ctx = talloc_new(NULL);
- if (!tmp_ctx) return ENOMEM;
-
- shells = talloc_array(tmp_ctx, char *, SHELL_REALLOC_INCREMENT);
- if (!shells) {
- ret = ENOMEM;
- goto done;
- }
- size = SHELL_REALLOC_INCREMENT;
-
- setusershell();
- while ((sh = getusershell())) {
- shells[i] = talloc_strdup(shells, sh);
- if (!shells[i]) {
- endusershell();
- ret = ENOMEM;
- goto done;
- }
- DEBUG(SSSDBG_TRACE_FUNC, "Found shell %s in /etc/shells\n", shells[i]);
- i++;
-
- if (i == size) {
- size += SHELL_REALLOC_INCREMENT;
- if (size > SHELL_REALLOC_MAX) {
- DEBUG(SSSDBG_FATAL_FAILURE,
- "Reached maximum number of shells [%d]. "
- "Users may be denied access. "
- "Please check /etc/shells for sanity\n",
- SHELL_REALLOC_MAX);
- break;
- }
- shells = talloc_realloc(NULL, shells, char *,
- size);
- if (!shells) {
- ret = ENOMEM;
- goto done;
- }
- }
- }
- endusershell();
-
- if (i + 1 < size) {
- shells = talloc_realloc(NULL, shells, char *, i + 1);
- if (!shells) {
- ret = ENOMEM;
- goto done;
- }
- }
- shells[i] = NULL;
-
- *_shells = talloc_move(mem_ctx, &shells);
- ret = EOK;
-done:
- talloc_zfree(tmp_ctx);
- return ret;
-}
-
static int nss_get_config(struct nss_ctx *nctx,
struct confdb_ctx *cdb)
{
@@ -265,36 +196,6 @@ static int nss_get_config(struct nss_ctx *nctx,
if (ret != EOK) goto done;
ret = confdb_get_string(cdb, nctx, CONFDB_NSS_CONF_ENTRY,
- CONFDB_NSS_OVERRIDE_SHELL, NULL,
- &nctx->override_shell);
- if (ret != EOK && ret != ENOENT) goto done;
-
- ret = confdb_get_string_as_list(cdb, nctx, CONFDB_NSS_CONF_ENTRY,
- CONFDB_NSS_ALLOWED_SHELL,
- &nctx->allowed_shells);
- if (ret != EOK && ret != ENOENT) goto done;
-
- ret = confdb_get_string_as_list(cdb, nctx, CONFDB_NSS_CONF_ENTRY,
- CONFDB_NSS_VETOED_SHELL,
- &nctx->vetoed_shells);
- if (ret != EOK && ret != ENOENT) goto done;
-
- ret = nss_get_etc_shells(nctx, &nctx->etc_shells);
- if (ret != EOK) goto done;
-
- ret = confdb_get_string(cdb, nctx, CONFDB_NSS_CONF_ENTRY,
- CONFDB_NSS_SHELL_FALLBACK,
- CONFDB_DEFAULT_SHELL_FALLBACK,
- &nctx->shell_fallback);
- if (ret != EOK) goto done;
-
- ret = confdb_get_string(cdb, nctx, CONFDB_NSS_CONF_ENTRY,
- CONFDB_NSS_DEFAULT_SHELL,
- NULL,
- &nctx->default_shell);
- if (ret != EOK) goto done;
-
- ret = confdb_get_string(cdb, nctx, CONFDB_NSS_CONF_ENTRY,
CONFDB_NSS_HOMEDIR_SUBSTRING,
CONFDB_DEFAULT_HOMEDIR_SUBSTRING,
&nctx->homedir_substr);