79 lines
2.2 KiB
Diff
79 lines
2.2 KiB
Diff
|
From d332c8a0e7a4c7f0b3ee1b2110145a23cbd61c2a Mon Sep 17 00:00:00 2001
|
||
|
|
From: Sumit Bose <sbose@redhat.com>
|
||
|
|
Date: Fri, 7 Sep 2018 22:19:26 +0200
|
||
|
|
Subject: [PATCH 36/83] getsockopt_wrapper: add support for PAM clients
|
||
|
|
|
||
|
|
PAM clients expect that the private socket of the PAM responder is
|
||
|
|
handled by root. With this patch getsockopt_wrapper can return the
|
||
|
|
expected UID and GID to PAM clients.
|
||
|
|
|
||
|
|
Related to https://pagure.io/SSSD/sssd/issue/3500
|
||
|
|
|
||
|
|
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||
|
|
---
|
||
|
|
src/tests/intg/getsockopt_wrapper.c | 34 ++++++++++++++++++++++++++++++++++
|
||
|
|
1 file changed, 34 insertions(+)
|
||
|
|
|
||
|
|
diff --git a/src/tests/intg/getsockopt_wrapper.c b/src/tests/intg/getsockopt_wrapper.c
|
||
|
|
index 5109123..2f50889 100644
|
||
|
|
--- a/src/tests/intg/getsockopt_wrapper.c
|
||
|
|
+++ b/src/tests/intg/getsockopt_wrapper.c
|
||
|
|
@@ -45,6 +45,23 @@ static bool is_secrets_socket(int fd)
|
||
|
|
return NULL != strstr(unix_socket->sun_path, "secrets.socket");
|
||
|
|
}
|
||
|
|
|
||
|
|
+static bool peer_is_private_pam(int fd)
|
||
|
|
+{
|
||
|
|
+ int ret;
|
||
|
|
+ struct sockaddr_storage addr = { 0 };
|
||
|
|
+ socklen_t addrlen = sizeof(addr);
|
||
|
|
+ struct sockaddr_un *unix_socket;
|
||
|
|
+
|
||
|
|
+ ret = getpeername(fd, (struct sockaddr *)&addr, &addrlen);
|
||
|
|
+ if (ret != 0) return false;
|
||
|
|
+
|
||
|
|
+ if (addr.ss_family != AF_UNIX) return false;
|
||
|
|
+
|
||
|
|
+ unix_socket = (struct sockaddr_un *)&addr;
|
||
|
|
+
|
||
|
|
+ return NULL != strstr(unix_socket->sun_path, "private/pam");
|
||
|
|
+}
|
||
|
|
+
|
||
|
|
static uid_t fake_secret_peer(uid_t orig_id)
|
||
|
|
{
|
||
|
|
char *val;
|
||
|
|
@@ -57,6 +74,21 @@ static uid_t fake_secret_peer(uid_t orig_id)
|
||
|
|
return atoi(val);
|
||
|
|
}
|
||
|
|
|
||
|
|
+static void fake_peer_uid_gid(uid_t *uid, gid_t *gid)
|
||
|
|
+{
|
||
|
|
+ char *val;
|
||
|
|
+
|
||
|
|
+ val = getenv("SSSD_INTG_PEER_UID");
|
||
|
|
+ if (val != NULL) {
|
||
|
|
+ *uid = atoi(val);
|
||
|
|
+ }
|
||
|
|
+
|
||
|
|
+ val = getenv("SSSD_INTG_PEER_GID");
|
||
|
|
+ if (val != NULL) {
|
||
|
|
+ *gid = atoi(val);
|
||
|
|
+ }
|
||
|
|
+}
|
||
|
|
+
|
||
|
|
typedef typeof(getsockopt) getsockopt_fn_t;
|
||
|
|
|
||
|
|
static getsockopt_fn_t *orig_getsockopt = NULL;
|
||
|
|
@@ -84,6 +116,8 @@ int getsockopt(int sockfd, int level, int optname,
|
||
|
|
cr->uid = 0;
|
||
|
|
} else if (is_secrets_socket(sockfd)) {
|
||
|
|
cr->uid = fake_secret_peer(cr->uid);
|
||
|
|
+ } else if (peer_is_private_pam(sockfd)) {
|
||
|
|
+ fake_peer_uid_gid(&cr->uid, &cr->gid);
|
||
|
|
}
|
||
|
|
}
|
||
|
|
|
||
|
|
--
|
||
|
|
2.9.5
|
||
|
|
|