/*
SSSD
Session recording utilities
Authors:
Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
Copyright (C) 2017 Red Hat
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "util/session_recording.h"
#include "util/debug.h"
#include <string.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
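/*
 * Load the session recording configuration from the configuration database.
 *
 * Reads the scope option (default "none"). When recording is enabled at all,
 * verifies that SESSION_RECORDING_SHELL exists and is executable, then reads
 * the users and groups lists.
 *
 * mem_ctx  Memory context handed to the confdb getters for returned values.
 * cdb      Configuration database to read from; must not be NULL.
 * pconf    Output configuration; must not be NULL. The scope, users and
 *          groups members are written.
 *
 * Returns EOK on success; EINVAL for NULL arguments, an unknown scope value,
 * or a missing, unreadable or non-executable recording shell; otherwise the
 * error returned by the failing confdb getter. On failure pconf may already
 * have been partially updated (scope is assigned before the shell check).
 */
errno_t session_recording_conf_load(TALLOC_CTX *mem_ctx,
                                    struct confdb_ctx *cdb,
                                    struct session_recording_conf *pconf)
{
    int ret;
    int stat_errno;
    char *str;
    struct stat s;

    if (cdb == NULL || pconf == NULL) {
        ret = EINVAL;
        goto done;
    }

    /* Read session_recording/scope option */
    /* NOTE(review): str is not released here; presumably it is owned by
     * mem_ctx and freed with it - confirm against confdb_get_string(). */
    ret = confdb_get_string(cdb, mem_ctx, CONFDB_SESSION_RECORDING_CONF_ENTRY,
                            CONFDB_SESSION_RECORDING_SCOPE, "none", &str);
    if (ret != EOK) {
        goto done;
    }

    if (strcasecmp(str, "none") == 0) {
        pconf->scope = SESSION_RECORDING_SCOPE_NONE;
    } else if (strcasecmp(str, "some") == 0) {
        pconf->scope = SESSION_RECORDING_SCOPE_SOME;
    } else if (strcasecmp(str, "all") == 0) {
        pconf->scope = SESSION_RECORDING_SCOPE_ALL;
    } else {
        /* Reject unknown values instead of silently disabling recording */
        DEBUG(SSSDBG_OP_FAILURE,
              "Unknown value for session recording scope: %s\n",
              str);
        ret = EINVAL;
        goto done;
    }

    /* If session recording is enabled at all */
    if (pconf->scope != SESSION_RECORDING_SCOPE_NONE) {
        /* Check that the shell exists and is executable */
        if (stat(SESSION_RECORDING_SHELL, &s) != 0) {
            /* Save errno before any further call can overwrite it */
            stat_errno = errno;
            if (stat_errno == ENOENT) {
                DEBUG(SSSDBG_OP_FAILURE,
                      "Session recording shell \"%s\" not found\n",
                      SESSION_RECORDING_SHELL);
            } else {
                DEBUG(SSSDBG_OP_FAILURE,
                      "Failed checking for session recording shell "
                      "\"%s\": %s\n",
                      SESSION_RECORDING_SHELL, strerror(stat_errno));
            }
            ret = EINVAL;
            goto done;
        }

        /*
         * The mode check must run when stat() succeeds. Previously it sat
         * under "case EOK" inside the stat() failure branch, where it was
         * never reached, so a non-executable shell was accepted.
         * The mask requires execute permission for owner, group and others.
         * This is a load-time sanity check only; the file can still change
         * after it has been checked.
         */
        if ((s.st_mode & 0111) != 0111) {
            DEBUG(SSSDBG_OP_FAILURE,
                  "Session recording shell \"%s\" is not executable\n",
                  SESSION_RECORDING_SHELL);
            ret = EINVAL;
            goto done;
        }
    }

    /* Read session_recording/users option; a missing option is not an error */
    ret = confdb_get_string_as_list(cdb, mem_ctx,
                                    CONFDB_SESSION_RECORDING_CONF_ENTRY,
                                    CONFDB_SESSION_RECORDING_USERS,
                                    &pconf->users);
    if (ret != EOK && ret != ENOENT) {
        goto done;
    }

    /* Read session_recording/groups option; a missing option is not an error */
    ret = confdb_get_string_as_list(cdb, mem_ctx,
                                    CONFDB_SESSION_RECORDING_CONF_ENTRY,
                                    CONFDB_SESSION_RECORDING_GROUPS,
                                    &pconf->groups);
    if (ret != EOK && ret != ENOENT) {
        goto done;
    }

    ret = EOK;

done:
    return ret;
}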