sssd/0031-getsockopt_wrapper-add-support-for-PAM-clients.patch

From d332c8a0e7a4c7f0b3ee1b2110145a23cbd61c2a Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 7 Sep 2018 22:19:26 +0200
Subject: [PATCH 36/83] getsockopt_wrapper: add support for PAM clients

PAM clients expect that the private socket of the PAM responder is
handled by root. With this patch getsockopt_wrapper can return the
expected UID and GID to PAM clients.

Related to https://pagure.io/SSSD/sssd/issue/3500

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
 src/tests/intg/getsockopt_wrapper.c | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/src/tests/intg/getsockopt_wrapper.c b/src/tests/intg/getsockopt_wrapper.c
index 5109123..2f50889 100644
--- a/src/tests/intg/getsockopt_wrapper.c
+++ b/src/tests/intg/getsockopt_wrapper.c
@@ -45,6 +45,23 @@ static bool is_secrets_socket(int fd)
     return NULL != strstr(unix_socket->sun_path, "secrets.socket");
 }
 
+static bool peer_is_private_pam(int fd)
+{
+    int ret;
+    struct sockaddr_storage addr = { 0 };
+    socklen_t addrlen = sizeof(addr);
+    struct sockaddr_un *unix_socket;
+
+    ret = getpeername(fd, (struct sockaddr *)&addr, &addrlen);
+    if (ret != 0) return false;
+
+    if (addr.ss_family != AF_UNIX) return false;
+
+    unix_socket = (struct sockaddr_un *)&addr;
+
+    return NULL != strstr(unix_socket->sun_path, "private/pam");
+}
+
 static uid_t fake_secret_peer(uid_t orig_id)
 {
     char *val;
@@ -57,6 +74,21 @@ static uid_t fake_secret_peer(uid_t orig_id)
     return atoi(val);
 }
 
+static void fake_peer_uid_gid(uid_t *uid, gid_t *gid)
+{
+    char *val;
+
+    val = getenv("SSSD_INTG_PEER_UID");
+    if (val != NULL) {
+        *uid = atoi(val);
+    }
+
+    val = getenv("SSSD_INTG_PEER_GID");
+    if (val != NULL) {
+        *gid = atoi(val);
+    }
+}
+
 typedef typeof(getsockopt) getsockopt_fn_t;
 
 static getsockopt_fn_t *orig_getsockopt = NULL;
@@ -84,6 +116,8 @@ int getsockopt(int sockfd, int level, int optname,
             cr->uid = 0;
         } else if (is_secrets_socket(sockfd)) {
             cr->uid = fake_secret_peer(cr->uid);
+        } else if (peer_is_private_pam(sockfd)) {
+            fake_peer_uid_gid(&cr->uid, &cr->gid);
         }
     }
 
-- 
2.9.5