sssd/0031-getsockopt_wrapper-add-support-for-PAM-clients.patch
Michal Židek c0971b7e39 Backport a bunch of upstream fixes
- Resolves: upstream#3821 - crash related to sbus_router_destructor()
- Resolves: upstream#3810 - sbus2: fix memory leak in sbus_message_bound_ref
- Resolves: upstream#3819 - sssd only sets the SELinux login context if it
                            differs from the default
- Resolves: upstream#3807 - The sbus codegen script relies on "python" which
                            might not be available on all distributions
- Resolves: upstream#3820 - sudo: search with lower cased name for case
                            insensitive domains
- Resolves: upstream#3701 - [RFE] Allow changing default behavior of SSSD from
                            an allow-any default to a deny-any default when it
                            can't find any GPOs to apply to a user login.
- Resolves: upstream#3828 - Invalid domain provider causes SSSD to abort
                            startup
- Resolves: upstream#3500 - Make sure sssd is a replacement for pam_pkcs11
                            also for local account authentication
- Resolves: upstream#3812 - sssd 2.0.0 segfaults on startup
- Resolves: upstream#3826 - Remove references of sss_user/group/add/del
                            commands in man pages since local provider is
                            deprecated
- Resolves: upstream#3827 - SSSD should log to syslog if a domain is not
                            started due to a misconfiguration
- Resolves: upstream#3830 - Printing incorrect information about domain with
                            sssctl utility
- Resolves: upstream#3489 - p11_child should work wit openssl1.0+
- Resolves: upstream#3750 - [RFE] man 5 sssd-files should mention necessary
                            changes in nsswitch.conf
- Resovles: upstream#3650 - RFE: Require smartcard authentication
- Resolves: upstream#3334 - sssctl config-check does not check any special
                            characters in domain name of domain section
- Resolves: upstream#3849 - Files: The files provider always enumerates
                            which causes duplicate when running getent passwd
- Related: upstream#3855 - session not recording for local user when groups
                           defined
- Resolves: upstream#3802 - Reuse sysdb_error_to_errno() outside sysdb
- Related: upstream#3493 - Remove the pysss.local interface
2018-10-24 14:40:58 +02:00

79 lines
2.2 KiB
Diff

From d332c8a0e7a4c7f0b3ee1b2110145a23cbd61c2a Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 7 Sep 2018 22:19:26 +0200
Subject: [PATCH 36/83] getsockopt_wrapper: add support for PAM clients
PAM clients expect that the private socket of the PAM responder is
handled by root. With this patch getsockopt_wrapper can return the
expected UID and GID to PAM clients.
Related to https://pagure.io/SSSD/sssd/issue/3500
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/tests/intg/getsockopt_wrapper.c | 34 ++++++++++++++++++++++++++++++++++
1 file changed, 34 insertions(+)
diff --git a/src/tests/intg/getsockopt_wrapper.c b/src/tests/intg/getsockopt_wrapper.c
index 5109123..2f50889 100644
--- a/src/tests/intg/getsockopt_wrapper.c
+++ b/src/tests/intg/getsockopt_wrapper.c
@@ -45,6 +45,23 @@ static bool is_secrets_socket(int fd)
return NULL != strstr(unix_socket->sun_path, "secrets.socket");
}
+static bool peer_is_private_pam(int fd)
+{
+ int ret;
+ struct sockaddr_storage addr = { 0 };
+ socklen_t addrlen = sizeof(addr);
+ struct sockaddr_un *unix_socket;
+
+ ret = getpeername(fd, (struct sockaddr *)&addr, &addrlen);
+ if (ret != 0) return false;
+
+ if (addr.ss_family != AF_UNIX) return false;
+
+ unix_socket = (struct sockaddr_un *)&addr;
+
+ return NULL != strstr(unix_socket->sun_path, "private/pam");
+}
+
static uid_t fake_secret_peer(uid_t orig_id)
{
char *val;
@@ -57,6 +74,21 @@ static uid_t fake_secret_peer(uid_t orig_id)
return atoi(val);
}
+static void fake_peer_uid_gid(uid_t *uid, gid_t *gid)
+{
+ char *val;
+
+ val = getenv("SSSD_INTG_PEER_UID");
+ if (val != NULL) {
+ *uid = atoi(val);
+ }
+
+ val = getenv("SSSD_INTG_PEER_GID");
+ if (val != NULL) {
+ *gid = atoi(val);
+ }
+}
+
typedef typeof(getsockopt) getsockopt_fn_t;
static getsockopt_fn_t *orig_getsockopt = NULL;
@@ -84,6 +116,8 @@ int getsockopt(int sockfd, int level, int optname,
cr->uid = 0;
} else if (is_secrets_socket(sockfd)) {
cr->uid = fake_secret_peer(cr->uid);
+ } else if (peer_is_private_pam(sockfd)) {
+ fake_peer_uid_gid(&cr->uid, &cr->gid);
}
}
--
2.9.5