sssd/0055-PAM-return-short-name-...

From dbd717fe5b7d8dd640b6ade435b49edb3db5280a Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 9 Oct 2018 13:25:35 +0200
Subject: [PATCH 70/83] PAM: return short name for files provider users

If the 'allow_missing_name' option is used with pam_sss and the user
name will be determined based on the certificate content and the mapping
rules the PAM responder will by default return the fully-qualified name
of the user which is then later used by other PAM modules as well.

For local users which are configured to use SSSD for Smartcard
authentication this might cause issues in other PAM modules because they
are not aware of the fully-qualified name and will treat the user as
unknown.

With this patch the PAM responder will return the short name for all
users handled by the files provider.

Related to https://pagure.io/SSSD/sssd/issue/3848

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
 src/responder/pam/pamsrv.h     |  3 ++-
 src/responder/pam/pamsrv_cmd.c | 13 +++++++++----
 src/responder/pam/pamsrv_p11.c | 32 +++++++++++++++++++++++++++++---
 3 files changed, 40 insertions(+), 8 deletions(-)

diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
index 60aa979..3a927bb 100644
--- a/src/responder/pam/pamsrv.h
+++ b/src/responder/pam/pamsrv.h
@@ -108,7 +108,8 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
 errno_t pam_check_cert_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
                             struct cert_auth_info **cert_list);
 
-errno_t add_pam_cert_response(struct pam_data *pd, const char *sysdb_username,
+errno_t add_pam_cert_response(struct pam_data *pd, struct sss_domain_info *dom,
+                              const char *sysdb_username,
                               struct cert_auth_info *cert_info,
                               enum response_type type);
 
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index a22afd2..553bf8f 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -1645,7 +1645,8 @@ static void pam_forwarder_lookup_by_cert_done(struct tevent_req *req)
                      preq->current_cert != NULL;
                      preq->current_cert = sss_cai_get_next(preq->current_cert)) {
 
-                    ret = add_pam_cert_response(preq->pd, "",
+                    ret = add_pam_cert_response(preq->pd,
+                                       preq->cctx->rctx->domains, "",
                                        preq->current_cert,
                                        preq->cctx->rctx->domains->user_name_hint
                                             ? SSS_PAM_CERT_INFO_WITH_HINT
@@ -1699,7 +1700,8 @@ static void pam_forwarder_lookup_by_cert_done(struct tevent_req *req)
 
             if (preq->cctx->rctx->domains->user_name_hint
                     && preq->pd->cmd == SSS_PAM_PREAUTH) {
-                ret = add_pam_cert_response(preq->pd, cert_user,
+                ret = add_pam_cert_response(preq->pd,
+                                            preq->cctx->rctx->domains, cert_user,
                                             preq->cert_list,
                                             SSS_PAM_CERT_INFO_WITH_HINT);
                 preq->pd->pam_status = PAM_SUCCESS;
@@ -1725,7 +1727,8 @@ static void pam_forwarder_lookup_by_cert_done(struct tevent_req *req)
              * SSS_PAM_CERT_INFO message to send the name to the caller. */
             if (preq->pd->cmd == SSS_PAM_AUTHENTICATE
                     && preq->pd->logon_name == NULL) {
-                ret = add_pam_cert_response(preq->pd, cert_user,
+                ret = add_pam_cert_response(preq->pd,
+                                            preq->cctx->rctx->domains, cert_user,
                                             preq->cert_list,
                                             SSS_PAM_CERT_INFO);
                 if (ret != EOK) {
@@ -2117,7 +2120,9 @@ static void pam_dom_forwarder(struct pam_auth_req *preq)
                                   "the backend.\n");
                         }
 
-                        ret = add_pam_cert_response(preq->pd, cert_user,
+                        ret = add_pam_cert_response(preq->pd,
+                                                    preq->cctx->rctx->domains,
+                                                    cert_user,
                                                     preq->current_cert,
                                                     SSS_PAM_CERT_INFO);
                         if (ret != EOK) {
diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c
index 491bd2b..785b29c 100644
--- a/src/responder/pam/pamsrv_p11.c
+++ b/src/responder/pam/pamsrv_p11.c
@@ -1145,7 +1145,8 @@ static errno_t pack_cert_data(TALLOC_CTX *mem_ctx, const char *sysdb_username,
  * used when running gdm-password. */
 #define PKCS11_LOGIN_TOKEN_ENV_NAME "PKCS11_LOGIN_TOKEN_NAME"
 
-errno_t add_pam_cert_response(struct pam_data *pd, const char *sysdb_username,
+errno_t add_pam_cert_response(struct pam_data *pd, struct sss_domain_info *dom,
+                              const char *sysdb_username,
                               struct cert_auth_info *cert_info,
                               enum response_type type)
 {
@@ -1153,6 +1154,10 @@ errno_t add_pam_cert_response(struct pam_data *pd, const char *sysdb_username,
     char *env = NULL;
     size_t msg_len;
     int ret;
+    char *short_name = NULL;
+    char *domain_name = NULL;
+    const char *cert_info_name = sysdb_username;
+
 
     if (type != SSS_PAM_CERT_INFO && type != SSS_PAM_CERT_INFO_WITH_HINT) {
         DEBUG(SSSDBG_CRIT_FAILURE, "Invalid response type [%d].\n", type);
@@ -1174,9 +1179,30 @@ errno_t add_pam_cert_response(struct pam_data *pd, const char *sysdb_username,
      * Smartcard. If this type of name is irritating at the PIN prompt or the
      * re_expression config option was set in a way that user@domain cannot be
      * handled anymore some more logic has to be added here. But for the time
-     * being I think using sysdb_username is fine. */
+     * being I think using sysdb_username is fine.
+     * As special case is the files provider which handles local users which
+     * by definition only have a short name. To avoid confusion by other
+     * modules on the PAM stack the short name is returned in this case. */
+
+    if (sysdb_username != NULL) {
+        ret = sss_parse_internal_fqname(pd, sysdb_username,
+                                        &short_name, &domain_name);
+        if (ret != EOK) {
+            DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse name '%s' [%d]: %s, "
+                                       "using full name.\n",
+                                        sysdb_username, ret, sss_strerror(ret));
+        } else {
+            if (domain_name != NULL
+                    &&  is_files_provider(find_domain_by_name(dom, domain_name,
+                                                              false))) {
+                cert_info_name = short_name;
+            }
+        }
+    }
 
-    ret = pack_cert_data(pd, sysdb_username, cert_info, &msg, &msg_len);
+    ret = pack_cert_data(pd, cert_info_name, cert_info, &msg, &msg_len);
+    talloc_free(short_name);
+    talloc_free(domain_name);
     if (ret != EOK) {
         DEBUG(SSSDBG_OP_FAILURE, "pack_cert_data failed.\n");
         return ret;
-- 
2.9.5
Backport a bunch of upstream fixes - Resolves: upstream#3821 - crash related to sbus_router_destructor() - Resolves: upstream#3810 - sbus2: fix memory leak in sbus_message_bound_ref - Resolves: upstream#3819 - sssd only sets the SELinux login context if it differs from the default - Resolves: upstream#3807 - The sbus codegen script relies on "python" which might not be available on all distributions - Resolves: upstream#3820 - sudo: search with lower cased name for case insensitive domains - Resolves: upstream#3701 - [RFE] Allow changing default behavior of SSSD from an allow-any default to a deny-any default when it can't find any GPOs to apply to a user login. - Resolves: upstream#3828 - Invalid domain provider causes SSSD to abort startup - Resolves: upstream#3500 - Make sure sssd is a replacement for pam_pkcs11 also for local account authentication - Resolves: upstream#3812 - sssd 2.0.0 segfaults on startup - Resolves: upstream#3826 - Remove references of sss_user/group/add/del commands in man pages since local provider is deprecated - Resolves: upstream#3827 - SSSD should log to syslog if a domain is not started due to a misconfiguration - Resolves: upstream#3830 - Printing incorrect information about domain with sssctl utility - Resolves: upstream#3489 - p11_child should work wit openssl1.0+ - Resolves: upstream#3750 - [RFE] man 5 sssd-files should mention necessary changes in nsswitch.conf - Resovles: upstream#3650 - RFE: Require smartcard authentication - Resolves: upstream#3334 - sssctl config-check does not check any special characters in domain name of domain section - Resolves: upstream#3849 - Files: The files provider always enumerates which causes duplicate when running getent passwd - Related: upstream#3855 - session not recording for local user when groups defined - Resolves: upstream#3802 - Reuse sysdb_error_to_errno() outside sysdb - Related: upstream#3493 - Remove the pysss.local interface 2018-10-24 08:34:15 +00:00			`From dbd717fe5b7d8dd640b6ade435b49edb3db5280a Mon Sep 17 00:00:00 2001`
			`From: Sumit Bose <sbose@redhat.com>`
			`Date: Tue, 9 Oct 2018 13:25:35 +0200`
			`Subject: [PATCH 70/83] PAM: return short name for files provider users`

			`If the 'allow_missing_name' option is used with pam_sss and the user`
			`name will be determined based on the certificate content and the mapping`
			`rules the PAM responder will by default return the fully-qualified name`
			`of the user which is then later used by other PAM modules as well.`

			`For local users which are configured to use SSSD for Smartcard`
			`authentication this might cause issues in other PAM modules because they`
			`are not aware of the fully-qualified name and will treat the user as`
			`unknown.`

			`With this patch the PAM responder will return the short name for all`
			`users handled by the files provider.`

			`Related to https://pagure.io/SSSD/sssd/issue/3848`

			`Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>`
			`---`
			`src/responder/pam/pamsrv.h \| 3 ++-`
			`src/responder/pam/pamsrv_cmd.c \| 13 +++++++++----`
			`src/responder/pam/pamsrv_p11.c \| 32 +++++++++++++++++++++++++++++---`
			`3 files changed, 40 insertions(+), 8 deletions(-)`

			`diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h`
			`index 60aa979..3a927bb 100644`
			`--- a/src/responder/pam/pamsrv.h`
			`+++ b/src/responder/pam/pamsrv.h`
			`@@ -108,7 +108,8 @@ struct tevent_req pam_check_cert_send(TALLOC_CTX mem_ctx,`
			`errno_t pam_check_cert_recv(struct tevent_req req, TALLOC_CTX mem_ctx,`
			`struct cert_auth_info **cert_list);`

			`-errno_t add_pam_cert_response(struct pam_data pd, const char sysdb_username,`
			`+errno_t add_pam_cert_response(struct pam_data pd, struct sss_domain_info dom,`
			`+ const char *sysdb_username,`
			`struct cert_auth_info *cert_info,`
			`enum response_type type);`

			`diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c`
			`index a22afd2..553bf8f 100644`
			`--- a/src/responder/pam/pamsrv_cmd.c`
			`+++ b/src/responder/pam/pamsrv_cmd.c`
			`@@ -1645,7 +1645,8 @@ static void pam_forwarder_lookup_by_cert_done(struct tevent_req *req)`
			`preq->current_cert != NULL;`
			`preq->current_cert = sss_cai_get_next(preq->current_cert)) {`

			`- ret = add_pam_cert_response(preq->pd, "",`
			`+ ret = add_pam_cert_response(preq->pd,`
			`+ preq->cctx->rctx->domains, "",`
			`preq->current_cert,`
			`preq->cctx->rctx->domains->user_name_hint`
			`? SSS_PAM_CERT_INFO_WITH_HINT`
			`@@ -1699,7 +1700,8 @@ static void pam_forwarder_lookup_by_cert_done(struct tevent_req *req)`

			`if (preq->cctx->rctx->domains->user_name_hint`
			`&& preq->pd->cmd == SSS_PAM_PREAUTH) {`
			`- ret = add_pam_cert_response(preq->pd, cert_user,`
			`+ ret = add_pam_cert_response(preq->pd,`
			`+ preq->cctx->rctx->domains, cert_user,`
			`preq->cert_list,`
			`SSS_PAM_CERT_INFO_WITH_HINT);`
			`preq->pd->pam_status = PAM_SUCCESS;`
			`@@ -1725,7 +1727,8 @@ static void pam_forwarder_lookup_by_cert_done(struct tevent_req *req)`
			`* SSS_PAM_CERT_INFO message to send the name to the caller. */`
			`if (preq->pd->cmd == SSS_PAM_AUTHENTICATE`
			`&& preq->pd->logon_name == NULL) {`
			`- ret = add_pam_cert_response(preq->pd, cert_user,`
			`+ ret = add_pam_cert_response(preq->pd,`
			`+ preq->cctx->rctx->domains, cert_user,`
			`preq->cert_list,`
			`SSS_PAM_CERT_INFO);`
			`if (ret != EOK) {`
			`@@ -2117,7 +2120,9 @@ static void pam_dom_forwarder(struct pam_auth_req *preq)`
			`"the backend.\n");`
			`}`

			`- ret = add_pam_cert_response(preq->pd, cert_user,`
			`+ ret = add_pam_cert_response(preq->pd,`
			`+ preq->cctx->rctx->domains,`
			`+ cert_user,`
			`preq->current_cert,`
			`SSS_PAM_CERT_INFO);`
			`if (ret != EOK) {`
			`diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c`
			`index 491bd2b..785b29c 100644`
			`--- a/src/responder/pam/pamsrv_p11.c`
			`+++ b/src/responder/pam/pamsrv_p11.c`
			`@@ -1145,7 +1145,8 @@ static errno_t pack_cert_data(TALLOC_CTX mem_ctx, const char sysdb_username,`
			`* used when running gdm-password. */`
			`#define PKCS11_LOGIN_TOKEN_ENV_NAME "PKCS11_LOGIN_TOKEN_NAME"`

			`-errno_t add_pam_cert_response(struct pam_data pd, const char sysdb_username,`
			`+errno_t add_pam_cert_response(struct pam_data pd, struct sss_domain_info dom,`
			`+ const char *sysdb_username,`
			`struct cert_auth_info *cert_info,`
			`enum response_type type)`
			`{`
			`@@ -1153,6 +1154,10 @@ errno_t add_pam_cert_response(struct pam_data pd, const char sysdb_username,`
			`char *env = NULL;`
			`size_t msg_len;`
			`int ret;`
			`+ char *short_name = NULL;`
			`+ char *domain_name = NULL;`
			`+ const char *cert_info_name = sysdb_username;`
			`+`

			`if (type != SSS_PAM_CERT_INFO && type != SSS_PAM_CERT_INFO_WITH_HINT) {`
			`DEBUG(SSSDBG_CRIT_FAILURE, "Invalid response type [%d].\n", type);`
			`@@ -1174,9 +1179,30 @@ errno_t add_pam_cert_response(struct pam_data pd, const char sysdb_username,`
			`* Smartcard. If this type of name is irritating at the PIN prompt or the`
			`* re_expression config option was set in a way that user@domain cannot be`
			`* handled anymore some more logic has to be added here. But for the time`
			`- * being I think using sysdb_username is fine. */`
			`+ * being I think using sysdb_username is fine.`
			`+ * As special case is the files provider which handles local users which`
			`+ * by definition only have a short name. To avoid confusion by other`
			`+ * modules on the PAM stack the short name is returned in this case. */`
			`+`
			`+ if (sysdb_username != NULL) {`
			`+ ret = sss_parse_internal_fqname(pd, sysdb_username,`
			`+ &short_name, &domain_name);`
			`+ if (ret != EOK) {`
			`+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse name '%s' [%d]: %s, "`
			`+ "using full name.\n",`
			`+ sysdb_username, ret, sss_strerror(ret));`
			`+ } else {`
			`+ if (domain_name != NULL`
			`+ && is_files_provider(find_domain_by_name(dom, domain_name,`
			`+ false))) {`
			`+ cert_info_name = short_name;`
			`+ }`
			`+ }`
			`+ }`

			`- ret = pack_cert_data(pd, sysdb_username, cert_info, &msg, &msg_len);`
			`+ ret = pack_cert_data(pd, cert_info_name, cert_info, &msg, &msg_len);`
			`+ talloc_free(short_name);`
			`+ talloc_free(domain_name);`
			`if (ret != EOK) {`
			`DEBUG(SSSDBG_OP_FAILURE, "pack_cert_data failed.\n");`
			`return ret;`
			`--`
			`2.9.5`