From 836dae913497e150bd0ec11eee1e256e4fcc0bb7 Mon Sep 17 00:00:00 2001
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
Date: Tue, 21 Mar 2017 11:45:37 +0200
Subject: [PATCH 15/93] NSS: Substitute session recording shell
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Substitute the configured session recording shell when unconditional
session recording is enabled (scope = all), or when selective session
recording is enabled (scope = some), and the user has the
sessionRecording attribute set to true.

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
 src/responder/nss/nss_protocol_pwent.c | 48 +++++++++++++++++++++++++++++++++-
 1 file changed, 47 insertions(+), 1 deletion(-)

diff --git a/src/responder/nss/nss_protocol_pwent.c b/src/responder/nss/nss_protocol_pwent.c
index 6c1de3123238514c0c5d0dae43d4c5fa7d5eff5c..db5c071e2ff172a2267c08c9817fecfbcc7cabc3 100644
--- a/src/responder/nss/nss_protocol_pwent.c
+++ b/src/responder/nss/nss_protocol_pwent.c
@@ -119,6 +119,46 @@ nss_get_homedir(TALLOC_CTX *mem_ctx,
     return homedir;
 }
 
+static errno_t
+nss_get_shell(struct nss_ctx *nss_ctx,
+              struct sss_domain_info *domain,
+              struct ldb_message *msg,
+              const char *name,
+              uint32_t uid,
+              const char **_shell)
+{
+    const char *shell = NULL;
+
+    if (nss_ctx->rctx->sr_conf.scope == SESSION_RECORDING_SCOPE_ALL) {
+        shell = SESSION_RECORDING_SHELL;
+    } else if (nss_ctx->rctx->sr_conf.scope ==
+               SESSION_RECORDING_SCOPE_SOME) {
+        const char *sr_enabled;
+        sr_enabled = ldb_msg_find_attr_as_string(
+                                    msg, SYSDB_SESSION_RECORDING, NULL);
+        if (sr_enabled == NULL) {
+            DEBUG(SSSDBG_OP_FAILURE,
+                  "%s attribute not found for %s[%u]! Skipping\n",
+                  SYSDB_SESSION_RECORDING, name, uid);
+            return EINVAL;
+        } else if (strcmp(sr_enabled, "TRUE") == 0) {
+            shell = SESSION_RECORDING_SHELL;
+        } else if (strcmp(sr_enabled, "FALSE") != 0) {
+            DEBUG(SSSDBG_OP_FAILURE,
+                  "Skipping %s[%u] "
+                  "because its %s attribute value is invalid: %s\n",
+                  name, uid, SYSDB_SESSION_RECORDING, sr_enabled);
+            return EINVAL;
+        }
+    }
+    if (shell == NULL) {
+        shell = sss_resp_get_shell_override(msg, nss_ctx->rctx, domain);
+    }
+
+    *_shell = shell;
+    return EOK;
+}
+
 static errno_t
 nss_get_pwent(TALLOC_CTX *mem_ctx,
               struct nss_ctx *nss_ctx,
@@ -156,7 +196,13 @@ nss_get_pwent(TALLOC_CTX *mem_ctx,
     gecos = sss_view_ldb_msg_find_attr_as_string(domain, msg, SYSDB_GECOS,
                                                  NULL);
     homedir = nss_get_homedir(mem_ctx, nss_ctx, domain, msg, name, upn, uid);
-    shell = sss_resp_get_shell_override(msg, nss_ctx->rctx, domain);
+    ret = nss_get_shell(nss_ctx, domain, msg, name, uid, &shell);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_CRIT_FAILURE,
+              "failed retrieving shell for %s[%u], skipping [%d]: %s\n",
+              name, uid, ret, sss_strerror(ret));
+        return ret;
+    }
 
     /* Convert to sized strings. */
     ret = sized_output_name(mem_ctx, nss_ctx->rctx, name, domain, _name);
-- 
2.14.1