authorNikolai Kondrashov <Nikolai.Kondrashov@redhat.com>2017-03-29 16:47:41 +0300
committerJakub Hrozek <jhrozek@redhat.com>2017-07-27 10:33:17 +0200
commit49d24ba630544632e29ed397627c97352523165d (patch)
tree19472e2a3b29761ae01e22dd3013f6c9f69fc4ca /src/responder
parent836dae913497e150bd0ec11eee1e256e4fcc0bb7 (diff)
PAM: Export original shell to tlog-rec-session
Export the user's original shell (as returned by NSS) as an environment variable for tlog-rec-session when session recording is enabled for the user. tlog-rec-session, which is started in place of the shell, uses it to start the actual user shell. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Diffstat (limited to 'src/responder')
-rw-r--r--src/responder/pam/pamsrv_cmd.c96
1 files changed, 96 insertions, 0 deletions
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 1c31b180f..7081aacfd 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -682,6 +682,90 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd);
static void pam_handle_cached_login(struct pam_auth_req *preq, int ret,
time_t expire_date, time_t delayed_until, bool cached_auth);
+/*
+ * Add a request to add a variable to the PAM user environment, containing the
+ * actual (not overridden) user shell, in case session recording is enabled.
+ */
+static int pam_reply_sr_export_shell(struct pam_auth_req *preq,
+ const char *var_name)
+{
+ int ret;
+ TALLOC_CTX *ctx = NULL;
+ bool enabled;
+ const char *enabled_str;
+ const char *shell;
+ char *buf;
+
+ /* Create temporary talloc context */
+ ctx = talloc_new(NULL);
+ if (ctx == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ /* Check if session recording is enabled */
+ if (preq->cctx->rctx->sr_conf.scope ==
+ SESSION_RECORDING_SCOPE_NONE) {
+ enabled = false;
+ } else if (preq->cctx->rctx->sr_conf.scope ==
+ SESSION_RECORDING_SCOPE_ALL) {
+ enabled = true;
+ } else {
+ enabled_str = ldb_msg_find_attr_as_string(preq->user_obj,
+ SYSDB_SESSION_RECORDING, NULL);
+ if (enabled_str == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "%s attribute not found\n", SYSDB_SESSION_RECORDING);
+ ret = ENOENT;
+ goto done;
+ } else if (strcmp(enabled_str, "TRUE") == 0) {
+ enabled = true;
+ } else if (strcmp(enabled_str, "FALSE") == 0) {
+ enabled = false;
+ } else {
+ DEBUG(SSSDBG_CRIT_FAILURE, "invalid value of %s attribute: %s\n",
+ SYSDB_SESSION_RECORDING, enabled_str);
+ ret = ENOENT;
+ goto done;
+ }
+ }
+
+ /* Export original shell if recording is enabled and so it's overridden */
+ if (enabled) {
+ /* Extract the shell */
+ shell = sss_resp_get_shell_override(preq->user_obj,
+ preq->cctx->rctx, preq->domain);
+ if (shell == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "user has no shell\n");
+ ret = ENOENT;
+ goto done;
+ }
+
+ /* Format environment entry */
+ buf = talloc_asprintf(ctx, "%s=%s", var_name, shell);
+ if (buf == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ /* Add request to add the entry to user environment */
+ ret = pam_add_response(preq->pd, SSS_PAM_ENV_ITEM,
+ strlen(buf) + 1, (uint8_t *)buf);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n");
+ goto done;
+ }
+ }
+
+ ret = EOK;
+
+done:
+ talloc_free(ctx);
+ return ret;
+}
+
static void pam_reply(struct pam_auth_req *preq)
{
struct cli_ctx *cctx;
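Review bot: The scope test (`if (... == SESSION_RECORDING_SCOPE_NONE) ... else if (... == SESSION_RECORDING_SCOPE_ALL) ... else`) treats every scope value other than NONE and ALL as the per-user case, so a scope added later would silently fall into the per-user attribute lookup instead of being rejected; I would make the per-user case an explicit `case` and fail the remaining values with EINVAL, as sketched below (the per-user enum constant name is assumed from the NONE/ALL siblings). The `strcmp` tests on `enabled_str` accept only upper-case `TRUE`/`FALSE`, which is safe only if the attribute is always written that way; a one-line comment naming where `SYSDB_SESSION_RECORDING` is set would make that dependency visible. The shell string goes unvalidated into a `NAME=VALUE` item that tlog-rec-session will exec, which is acceptable because it is the same value NSS serves as the login shell; the header comment should state that explicitly, e.g. `/* The exported value is the NSS shell; it is trusted exactly as the login shell is, no extra validation here. */`. The temporary context is parented on NULL; parenting it on `preq` would keep it inside the request hierarchy if a future early exit skips `done`.
```c
    /* Check if session recording is enabled */
    switch (preq->cctx->rctx->sr_conf.scope) {
    case SESSION_RECORDING_SCOPE_NONE:
        enabled = false;
        break;
    case SESSION_RECORDING_SCOPE_ALL:
        enabled = true;
        break;
    case SESSION_RECORDING_SCOPE_SOME:
        /* … unchanged: per-user SYSDB_SESSION_RECORDING lookup … */
        break;
    default:
        DEBUG(SSSDBG_CRIT_FAILURE, "unexpected session recording scope %d\n",
              preq->cctx->rctx->sr_conf.scope);
        ret = EINVAL;
        goto done;
    }
    /* … unchanged: export of the shell when enabled … */
```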
@@ -918,6 +1002,18 @@ static void pam_reply(struct pam_auth_req *preq)
}
}
+ /*
+ * Export non-overridden shell to tlog-rec-session when opening the session
+ */
+ if (pd->cmd == SSS_PAM_OPEN_SESSION && pd->pam_status == PAM_SUCCESS) {
+ ret = pam_reply_sr_export_shell(preq, "TLOG_REC_SESSION_SHELL");
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "failed to export the shell to tlog-rec-session.\n");
+ goto done;
+ }
+ }
+
resp_c = 0;
resp_size = 0;
resp = pd->resp_list;
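Review bot: The environment variable name `"TLOG_REC_SESSION_SHELL"` is an interface contract with tlog-rec-session but appears as a bare literal in the call `pam_reply_sr_export_shell(preq, "TLOG_REC_SESSION_SHELL")`; I would hoist it to a named constant next to the helper, `#define SR_SHELL_ENV_VAR "TLOG_REC_SESSION_SHELL"`, so the name lives in one place. The block comment should also record that a failed export deliberately aborts the session open rather than letting an unrecorded shell start, e.g. `/* Fail closed: do not open a session the recorder cannot wrap */`. The failure path jumps to `done` without touching `pd->pam_status`, so whether the client receives a definite PAM error depends on what `done` does, which is outside the hunk; if `done` only finalizes the request, setting `pd->pam_status = PAM_SYSTEM_ERR;` before the jump would make the failure explicit. pam_reply's body begins and ends outside this hunk.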