From 9759333b3dd404c6787ef0186984c5d4256eb5bb Mon Sep 17 00:00:00 2001
From: Nikolai Kondrashov
Date: Wed, 29 Mar 2017 16:25:19 +0300
Subject: [PATCH 04/93] NSS: Move nss_get_shell_override to responder utils
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Move nss_get_shell_override to common responder utils and rename it to sss_resp_get_shell_override to make it available to other responders. In particular let PAM responder use it to provide original shell when it is overriden for session recording.

Reviewed-by: Pavel Březina
---
 src/responder/common/responder.h | 5 ++
 src/responder/common/responder_utils.c | 83 +++++++++++++++++++++++++++++++++
 src/responder/nss/nss_protocol_pwent.c | 85 +--------------------------------
 3 files changed, 89 insertions(+), 84 deletions(-)

diff --git a/src/responder/common/responder.h b/src/responder/common/responder.h
index 7a998967f2761b1c813a866f34cf78d549ede1b9..ba5b73bcc3f3d3bc3cd0cfc19381ef08a046771a 100644
--- a/src/responder/common/responder.h
+++ b/src/responder/common/responder.h
@@ -404,6 +404,11 @@ char *sss_resp_create_fqname(TALLOC_CTX *mem_ctx,
 errno_t sss_resp_populate_cr_domains(struct resp_ctx *rctx);
+const char *
+sss_resp_get_shell_override(struct ldb_message *msg,
+ struct resp_ctx *rctx,
+ struct sss_domain_info *domain);
+
 /**
 * Helper functions to format output names
 */
diff --git a/src/responder/common/responder_utils.c b/src/responder/common/responder_utils.c
index 7f5c0573087e9c6c885ae158d0677994fd538e2a..521896088b9af904b4d10021d5755f2591fe91ec 100644
--- a/src/responder/common/responder_utils.c
+++ b/src/responder/common/responder_utils.c
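Review bot: The new public prototype of sss_resp_get_shell_override carries no doc comment, although this header documents neighbouring groups with `/** ... */` blocks and the function is being exported precisely so other responders can call it. The contract worth stating, visible in the definition added to responder_utils.c, is that the result is never NULL and is not owned by the caller: it is either a pointer into rctx/domain configuration, a string that appears to point into msg, or a constant such as "" or NOLOGIN_SHELL, so callers must not free it and should not keep it past the lifetime of msg. A comment of the form `/** Return the login shell for msg after applying override, default, vetoed/allowed and /etc/shells policy; never NULL, not owned by the caller. */` above the prototype would capture that.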
@@ -399,3 +399,86 @@ int resp_resolve_group_names_recv(TALLOC_CTX *mem_ctx,
 *_initgr_named_res = talloc_steal(mem_ctx, state->initgr_named_res);
 return EOK;
 }
+
+const char *
+sss_resp_get_shell_override(struct ldb_message *msg,
+ struct resp_ctx *rctx,
+ struct sss_domain_info *domain)
+{
+ const char *shell;
+ int i;
+
+ /* Check whether we are unconditionally overriding
+ * the server for the login shell. */
+ if (domain->override_shell) {
+ return domain->override_shell;
+ } else if (rctx->override_shell) {
+ return rctx->override_shell;
+ }
+
+ shell = sss_view_ldb_msg_find_attr_as_string(domain, msg, SYSDB_SHELL,
+ NULL);
+ if (shell == NULL) {
+ /* Check whether there is a default shell specified */
+ if (domain->default_shell) {
+ return domain->default_shell;
+ } else if (rctx->default_shell) {
+ return rctx->default_shell;
+ }
+
+ return "";
+ }
+
+ if (rctx->allowed_shells == NULL && rctx->vetoed_shells == NULL) {
+ return shell;
+ }
+
+ if (rctx->vetoed_shells) {
+ for (i = 0; rctx->vetoed_shells[i]; i++) {
+ if (strcmp(rctx->vetoed_shells[i], shell) == 0) {
+ DEBUG(SSSDBG_FUNC_DATA,
+ "The shell '%s' is vetoed. Using fallback.\n",
+ shell);
+ return rctx->shell_fallback;
+ }
+ }
+ }
+
+ if (rctx->etc_shells) {
+ for (i = 0; rctx->etc_shells[i]; i++) {
+ if (strcmp(shell, rctx->etc_shells[i]) == 0) {
+ DEBUG(SSSDBG_TRACE_ALL,
+ "Shell %s found in /etc/shells\n", shell);
+ break;
+ }
+ }
+
+ if (rctx->etc_shells[i]) {
+ DEBUG(SSSDBG_TRACE_ALL, "Using original shell '%s'\n", shell);
+ return shell;
+ }
+ }
+
+ if (rctx->allowed_shells) {
+ if (strcmp(rctx->allowed_shells[0], "*") == 0) {
+ DEBUG(SSSDBG_FUNC_DATA,
+ "The shell '%s' is allowed but does not exist. "
+ "Using fallback\n", shell);
+ return rctx->shell_fallback;
+ } else {
+ for (i = 0; rctx->allowed_shells[i]; i++) {
+ if (strcmp(rctx->allowed_shells[i], shell) == 0) {
+ DEBUG(SSSDBG_FUNC_DATA,
+ "The shell '%s' is allowed but does not exist. "
+ "Using fallback\n", shell);
+ return rctx->shell_fallback;
+ }
+ }
+ }
+ }
+
+ DEBUG(SSSDBG_FUNC_DATA,
+ "The shell '%s' is not allowed and does not exist.\n", shell);
+
+ return NOLOGIN_SHELL;
+}
diff --git a/src/responder/nss/nss_protocol_pwent.c b/src/responder/nss/nss_protocol_pwent.c
index cb11ea3d493370552fa5a97fd4ffe2108ff34026..6c1de3123238514c0c5d0dae43d4c5fa7d5eff5c 100644
--- a/src/responder/nss/nss_protocol_pwent.c
+++ b/src/responder/nss/nss_protocol_pwent.c
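Review bot: `rctx->allowed_shells[0]` is dereferenced in the `strcmp(rctx->allowed_shells[0], "*")` test as soon as `rctx->allowed_shells` is non-NULL, whereas the vetoed_shells, etc_shells and allowed_shells loops all tolerate an empty NULL-terminated list; if the list can ever be non-NULL but empty (how it is populated is not in this hunk), that is a NULL pointer passed to strcmp. Guarding it as `if (rctx->allowed_shells[0] != NULL && strcmp(rctx->allowed_shells[0], "*") == 0) {` keeps the existing fall-through to the loop and then to NOLOGIN_SHELL, so an empty list stays fail-closed. Now that the function is shared rather than NSS-private, a header comment on the definition stating the precedence (domain/rctx override first; default shell or "" when no shell is stored; then vetoed list, /etc/shells, allowed list with "*" or a match mapping to shell_fallback; NOLOGIN_SHELL otherwise) would spare each new caller rereading the body. The loop counter `i` could also be declared `size_t` rather than `int`.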
@@ -119,89 +119,6 @@ nss_get_homedir(TALLOC_CTX *mem_ctx,
 return homedir;
 }
-static const char *
-nss_get_shell_override(struct ldb_message *msg,
- struct resp_ctx *rctx,
- struct sss_domain_info *domain)
-{
- const char *shell;
- int i;
-
- /* Check whether we are unconditionally overriding
- * the server for the login shell. */
- if (domain->override_shell) {
- return domain->override_shell;
- } else if (rctx->override_shell) {
- return rctx->override_shell;
- }
-
- shell = sss_view_ldb_msg_find_attr_as_string(domain, msg, SYSDB_SHELL,
- NULL);
- if (shell == NULL) {
- /* Check whether there is a default shell specified */
- if (domain->default_shell) {
- return domain->default_shell;
- } else if (rctx->default_shell) {
- return rctx->default_shell;
- }
-
- return "";
- }
-
- if (rctx->allowed_shells == NULL && rctx->vetoed_shells == NULL) {
- return shell;
- }
-
- if (rctx->vetoed_shells) {
- for (i = 0; rctx->vetoed_shells[i]; i++) {
- if (strcmp(rctx->vetoed_shells[i], shell) == 0) {
- DEBUG(SSSDBG_FUNC_DATA,
- "The shell '%s' is vetoed. Using fallback.\n",
- shell);
- return rctx->shell_fallback;
- }
- }
- }
-
- if (rctx->etc_shells) {
- for (i = 0; rctx->etc_shells[i]; i++) {
- if (strcmp(shell, rctx->etc_shells[i]) == 0) {
- DEBUG(SSSDBG_TRACE_ALL,
- "Shell %s found in /etc/shells\n", shell);
- break;
- }
- }
-
- if (rctx->etc_shells[i]) {
- DEBUG(SSSDBG_TRACE_ALL, "Using original shell '%s'\n", shell);
- return shell;
- }
- }
-
- if (rctx->allowed_shells) {
- if (strcmp(rctx->allowed_shells[0], "*") == 0) {
- DEBUG(SSSDBG_FUNC_DATA,
- "The shell '%s' is allowed but does not exist. "
- "Using fallback\n", shell);
- return rctx->shell_fallback;
- } else {
- for (i = 0; rctx->allowed_shells[i]; i++) {
- if (strcmp(rctx->allowed_shells[i], shell) == 0) {
- DEBUG(SSSDBG_FUNC_DATA,
- "The shell '%s' is allowed but does not exist. "
- "Using fallback\n", shell);
- return rctx->shell_fallback;
- }
- }
- }
- }
-
- DEBUG(SSSDBG_FUNC_DATA,
- "The shell '%s' is not allowed and does not exist.\n", shell);
-
- return NOLOGIN_SHELL;
-}
-
 static errno_t
 nss_get_pwent(TALLOC_CTX *mem_ctx,
 struct nss_ctx *nss_ctx,
@@ -239,7 +156,7 @@ nss_get_pwent(TALLOC_CTX *mem_ctx,
 gecos = sss_view_ldb_msg_find_attr_as_string(domain, msg, SYSDB_GECOS,
 NULL);
 homedir = nss_get_homedir(mem_ctx, nss_ctx, domain, msg, name, upn, uid);
- shell = nss_get_shell_override(msg, nss_ctx->rctx, domain);
+ shell = sss_resp_get_shell_override(msg, nss_ctx->rctx, domain);
 /* Convert to sized strings. */
 ret = sized_output_name(mem_ctx, nss_ctx->rctx, name, domain, _name);
--
2.14.1