From 1dc99c9d468cfe2a7f7286a8969c586f8740bb9f Mon Sep 17 00:00:00 2001
From: John Hodrien <J.H.Hodrien@leeds.ac.uk>
Date: Fri, 29 Jul 2011 10:04:05 -0400
Subject: Add vetoed_shells option

There may be users in LDAP that have a valid but unwelcome shell
set in their account. This adds a blacklist of shells that should
always be replaced by the fallback_shell.

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
---
 src/confdb/confdb.h            |  1 +
 src/config/SSSDConfig.py       |  1 +
 src/man/sssd.conf.5.xml        |  8 ++++++++
 src/responder/nss/nsssrv.c     |  4 ++++
 src/responder/nss/nsssrv.h     |  1 +
 src/responder/nss/nsssrv_cmd.c | 13 ++++++++++++-
 6 files changed, 27 insertions(+), 1 deletion(-)

diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index c2ae9fcb..5e50991f 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -74,6 +74,7 @@
 #define CONFDB_NSS_FILTER_GROUPS "filter_groups"
 #define CONFDB_NSS_PWFIELD  "pwfield"
 #define CONFDB_NSS_OVERRIDE_HOMEDIR "override_homedir"
+#define CONFDB_NSS_VETOED_SHELL  "vetoed_shells"
 #define CONFDB_NSS_ALLOWED_SHELL "allowed_shells"
 #define CONFDB_NSS_SHELL_FALLBACK "shell_fallback"
 
diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py
index 16d3d357..53bd14f0 100644
--- a/src/config/SSSDConfig.py
+++ b/src/config/SSSDConfig.py
@@ -60,6 +60,7 @@ option_strings = {
     'pwfield' : _('The value of the password field the NSS provider should return'),
     'override_homedir' : _('Override homedir value from the identity provider with this value'),
     'allowed_shells' : _('The list of shells users are allowed to log in with'),
+    'vetoed_shells' : _('The list of shells that will be vetoed, and replaced with the fallback shell'),
     'shell_fallback' : _('If a shell stored in central directory is allowed but not available, use this fallback'),
 
     # [pam]
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index b4f38465..e0380556 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -423,6 +423,14 @@
                         </para>
                     </listitem>
                 </varlistentry>
+                <varlistentry>
+                    <term>vetoed_shells (string)</term>
+                    <listitem>
+                        <para>
+                            Replace any instance of these shells with the shell_fallback
+                        </para>
+                    </listitem>
+                </varlistentry>
                 <varlistentry>
                     <term>shell_fallback (string)</term>
                     <listitem>
diff --git a/src/responder/nss/nsssrv.c b/src/responder/nss/nsssrv.c
index b9d548e4..ec2f0caf 100644
--- a/src/responder/nss/nsssrv.c
+++ b/src/responder/nss/nsssrv.c
@@ -188,6 +188,10 @@ static int nss_get_config(struct nss_ctx *nctx,
                                     &nctx->allowed_shells);
     if (ret != EOK && ret != ENOENT) goto done;
 
+    ret = confdb_get_string_as_list(cdb, nctx, CONFDB_NSS_CONF_ENTRY,
+                                    CONFDB_NSS_VETOED_SHELL,
+                                    &nctx->vetoed_shells);
+    if (ret != EOK && ret != ENOENT) goto done;
     ret = nss_get_etc_shells(nctx, &nctx->etc_shells);
     if (ret != EOK) goto done;
 
diff --git a/src/responder/nss/nsssrv.h b/src/responder/nss/nsssrv.h
index f9aff566..01a2810c 100644
--- a/src/responder/nss/nsssrv.h
+++ b/src/responder/nss/nsssrv.h
@@ -60,6 +60,7 @@ struct nss_ctx {
 
     char *override_homedir;
     char **allowed_shells;
+    char **vetoed_shells;
     char **etc_shells;
     char *shell_fallback;
 };
diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c
index 57eb9154..5dbd3ca7 100644
--- a/src/responder/nss/nsssrv_cmd.c
+++ b/src/responder/nss/nsssrv_cmd.c
@@ -314,7 +314,18 @@ static const char *get_shell_override(TALLOC_CTX *mem_ctx,
 
     user_shell = ldb_msg_find_attr_as_string(msg, SYSDB_SHELL, NULL);
     if (!user_shell) return NULL;
-    if (!nctx->allowed_shells) return talloc_strdup(mem_ctx, user_shell);
+    if (!nctx->allowed_shells && !nctx->vetoed_shells) return talloc_strdup(mem_ctx, user_shell);
+
+    if (nctx->vetoed_shells)
+    {
+        for (i=0; nctx->vetoed_shells[i]; i++) {
+            if (strcmp(nctx->vetoed_shells[i], user_shell) == 0) {
+                DEBUG(5, ("The shell '%s' is vetoed. "
+                         "Using fallback\n", user_shell));
+                return talloc_strdup(mem_ctx, nctx->shell_fallback);
+            }
+        }
+    }
 
     for (i=0; nctx->etc_shells[i]; i++) {
         if (strcmp(user_shell, nctx->etc_shells[i]) == 0) {
-- 
cgit