author | Jakub Hrozek <jhrozek@redhat.com> | 2014-01-02 17:23:08 +0100 |
committer | Jakub Hrozek <jhrozek@redhat.com> | 2014-05-13 22:24:09 +0200 |
commit | 770dc892f867639f36f84455d65be6287935a529 (patch) | |
tree | 4b847d89ec0cb984140187bee14bf409066f0ec5 /src/responder/ifp/ifpsrv_cmd.c | |
parent | 60cab26b12df9a2153823972cde0c38ca86e01b9 (diff) | |
IFP: Per-attribute ACL for users
Introduces a new option called user_attributes that specifies which
user attributes may be queried from the IFP responder.
By default only the default POSIX set is allowed; this option allows
either adding other attributes (+attrname) or removing them from the
default set (-attrname).
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Diffstat (limited to 'src/responder/ifp/ifpsrv_cmd.c')
-rw-r--r-- | src/responder/ifp/ifpsrv_cmd.c | 30 |
1 files changed, 28 insertions, 2 deletions
diff --git a/src/responder/ifp/ifpsrv_cmd.c b/src/responder/ifp/ifpsrv_cmd.c
index 2fc4308b4..cd9ab4441 100644
--- a/src/responder/ifp/ifpsrv_cmd.c
+++ b/src/responder/ifp/ifpsrv_cmd.c
@@ -96,17 +96,43 @@ static errno_t ifp_user_get_attr_unpack_msg(struct ifp_attr_req *attr_req)
 {
     bool parsed;
+    char **attrs;
+    int nattrs;
+    int i, ai;
+    const char **whitelist = attr_req->ireq->ifp_ctx->user_whitelist;
     parsed = sbus_request_parse_or_finish(attr_req->ireq->dbus_req,
                                           DBUS_TYPE_STRING, &attr_req->name,
                                           DBUS_TYPE_ARRAY, DBUS_TYPE_STRING,
-                                          &attr_req->attrs,
-                                          &attr_req->nattrs,
+                                          &attrs, &nattrs,
                                           DBUS_TYPE_INVALID);
     if (parsed == false) {
+        DEBUG(SSSDBG_OP_FAILURE, "Could not parse arguments\n");
         return EOK; /* handled */
     }
+    /* Copy the attributes to maintain memory hierarchy with talloc */
+    attr_req->attrs = talloc_zero_array(attr_req, const char *, nattrs+1);
+    if (attr_req->attrs == NULL) {
+        return ENOMEM;
+    }
+
+    ai = 0;
+    for (i = 0; i < nattrs; i++) {
+        if (ifp_attr_allowed(whitelist, attrs[i]) == false) {
+            DEBUG(SSSDBG_MINOR_FAILURE,
+                  "Attribute %s not present in the whitelist, skipping\n",
+                  attrs[i]);
+            continue;
+        }
+
+        attr_req->attrs[ai] = talloc_strdup(attr_req->attrs, attrs[i]);
+        if (attr_req->attrs[ai] == NULL) {
+            return ENOMEM;
+        }
+        ai++;
+    }
+
+    return EOK;
+ } |
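Review bot: The removed `&attr_req->nattrs` argument is not replaced by any assignment, so after the copy loop `attr_req->nattrs` (if that field still exists and is read downstream, which this hunk cannot show) keeps its previous value instead of the number of whitelisted entries; add `attr_req->nattrs = ai;` before the final `return EOK;`, so that consumers counting entries cannot walk past the `ai` strings actually copied. The parsed `attrs` array from `sbus_request_parse_or_finish` is copied but never released; the comment about keeping the talloc hierarchy suggests it is libdbus-allocated, in which case `dbus_free_string_array(attrs);` belongs on the success path and on both `ENOMEM` returns, or the request leaks one array per call. A one-line comment on the loop would also help, e.g. `/* attrs rejected by the whitelist are dropped, so ai <= nattrs; the array stays NULL-terminated via talloc_zero_array */`. The enclosing function's signature is on the hunk header line, outside the hunk body.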