From d332c8a0e7a4c7f0b3ee1b2110145a23cbd61c2a Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Fri, 7 Sep 2018 22:19:26 +0200 Subject: [PATCH 36/83] getsockopt_wrapper: add support for PAM clients PAM clients expect that the private socket of the PAM responder is handled by root. With this patch getsockopt_wrapper can return the expected UID and GID to PAM clients. Related to https://pagure.io/SSSD/sssd/issue/3500 Reviewed-by: Jakub Hrozek --- src/tests/intg/getsockopt_wrapper.c | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/src/tests/intg/getsockopt_wrapper.c b/src/tests/intg/getsockopt_wrapper.c index 5109123..2f50889 100644 --- a/src/tests/intg/getsockopt_wrapper.c +++ b/src/tests/intg/getsockopt_wrapper.c @@ -45,6 +45,23 @@ static bool is_secrets_socket(int fd) return NULL != strstr(unix_socket->sun_path, "secrets.socket"); } +static bool peer_is_private_pam(int fd) +{ + int ret; + struct sockaddr_storage addr = { 0 }; + socklen_t addrlen = sizeof(addr); + struct sockaddr_un *unix_socket; + + ret = getpeername(fd, (struct sockaddr *)&addr, &addrlen); + if (ret != 0) return false; + + if (addr.ss_family != AF_UNIX) return false; + + unix_socket = (struct sockaddr_un *)&addr; + + return NULL != strstr(unix_socket->sun_path, "private/pam"); +} + static uid_t fake_secret_peer(uid_t orig_id) { char *val; @@ -57,6 +74,21 @@ static uid_t fake_secret_peer(uid_t orig_id) return atoi(val); } +static void fake_peer_uid_gid(uid_t *uid, gid_t *gid) +{ + char *val; + + val = getenv("SSSD_INTG_PEER_UID"); + if (val != NULL) { + *uid = atoi(val); + } + + val = getenv("SSSD_INTG_PEER_GID"); + if (val != NULL) { + *gid = atoi(val); + } +} + typedef typeof(getsockopt) getsockopt_fn_t; static getsockopt_fn_t *orig_getsockopt = NULL; @@ -84,6 +116,8 @@ int getsockopt(int sockfd, int level, int optname, cr->uid = 0; } else if (is_secrets_socket(sockfd)) { cr->uid = fake_secret_peer(cr->uid); + } else if (peer_is_private_pam(sockfd)) { + fake_peer_uid_gid(&cr->uid, &cr->gid); } } -- 2.9.5