sssd/0015-NSS-Substitute-session-recording-shell.patch
2017-09-01 21:34:35 +02:00


From 836dae913497e150bd0ec11eee1e256e4fcc0bb7 Mon Sep 17 00:00:00 2001
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
Date: Tue, 21 Mar 2017 11:45:37 +0200
Subject: [PATCH 15/93] NSS: Substitute session recording shell
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Substitute the configured session recording shell when unconditional
session recording is enabled (scope = all), or when selective session
recording is enabled (scope = some), and the user has the
sessionRecording attribute set to true.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/responder/nss/nss_protocol_pwent.c | 48 +++++++++++++++++++++++++++++++++-
1 file changed, 47 insertions(+), 1 deletion(-)
diff --git a/src/responder/nss/nss_protocol_pwent.c b/src/responder/nss/nss_protocol_pwent.c
index 6c1de3123238514c0c5d0dae43d4c5fa7d5eff5c..db5c071e2ff172a2267c08c9817fecfbcc7cabc3 100644
--- a/src/responder/nss/nss_protocol_pwent.c
+++ b/src/responder/nss/nss_protocol_pwent.c
@@ -119,6 +119,46 @@ nss_get_homedir(TALLOC_CTX *mem_ctx,
return homedir;
}
+static errno_t
+nss_get_shell(struct nss_ctx *nss_ctx,
+ struct sss_domain_info *domain,
+ struct ldb_message *msg,
+ const char *name,
+ uint32_t uid,
+ const char **_shell)
+{
+ const char *shell = NULL;
+
+ if (nss_ctx->rctx->sr_conf.scope == SESSION_RECORDING_SCOPE_ALL) {
+ shell = SESSION_RECORDING_SHELL;
+ } else if (nss_ctx->rctx->sr_conf.scope ==
+ SESSION_RECORDING_SCOPE_SOME) {
+ const char *sr_enabled;
+ sr_enabled = ldb_msg_find_attr_as_string(
+ msg, SYSDB_SESSION_RECORDING, NULL);
+ if (sr_enabled == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "%s attribute not found for %s[%u]! Skipping\n",
+ SYSDB_SESSION_RECORDING, name, uid);
+ return EINVAL;
+ } else if (strcmp(sr_enabled, "TRUE") == 0) {
+ shell = SESSION_RECORDING_SHELL;
+ } else if (strcmp(sr_enabled, "FALSE") != 0) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Skipping %s[%u] "
+ "because its %s attribute value is invalid: %s\n",
+ name, uid, SYSDB_SESSION_RECORDING, sr_enabled);
+ return EINVAL;
+ }
+ }
+ if (shell == NULL) {
+ shell = sss_resp_get_shell_override(msg, nss_ctx->rctx, domain);
+ }
+
+ *_shell = shell;
+ return EOK;
+}
+
static errno_t
nss_get_pwent(TALLOC_CTX *mem_ctx,
struct nss_ctx *nss_ctx,
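Review bot: nss_get_shell has no header comment, and its most important property is one a later maintainer could easily "fix" away: under SESSION_RECORDING_SCOPE_SOME a missing or non-"TRUE"/"FALSE" sessionRecording attribute does not fall back to the override shell but fails the lookup with EINVAL, so a user whose recording state is unknown is refused rather than served an unrecorded shell. The caller in the second hunk propagates that EINVAL out of nss_get_pwent, so this is a deliberate fail-closed choice for the whole entry and should be stated at the definition. I would add a comment above `static errno_t` along the lines of `/* Pick the shell for a passwd entry: the session recording shell when scope is ALL, or when scope is SOME and the entry's sessionRecording attribute is "TRUE"; the normal override shell otherwise. Under SOME a missing or malformed attribute is an error (EINVAL) so the entry is not returned with an unrecorded shell. */`, plus a one-line note that the comparison is byte-exact, since `strcmp(sr_enabled, "TRUE")` will reject lowercase "true". Whether sysdb always writes the attribute in upper case is not visible here and is worth confirming against the writer.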
@@ -156,7 +196,13 @@ nss_get_pwent(TALLOC_CTX *mem_ctx,
gecos = sss_view_ldb_msg_find_attr_as_string(domain, msg, SYSDB_GECOS,
NULL);
homedir = nss_get_homedir(mem_ctx, nss_ctx, domain, msg, name, upn, uid);
- shell = sss_resp_get_shell_override(msg, nss_ctx->rctx, domain);
+ ret = nss_get_shell(nss_ctx, domain, msg, name, uid, &shell);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "failed retrieving shell for %s[%u], skipping [%d]: %s\n",
+ name, uid, ret, sss_strerror(ret));
+ return ret;
+ }
/* Convert to sized strings. */
ret = sized_output_name(mem_ctx, nss_ctx->rctx, name, domain, _name);
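Review bot: The new `ret != EOK` branch logs at SSSDBG_CRIT_FAILURE a condition that nss_get_shell has already logged at SSSDBG_OP_FAILURE with the actual cause (attribute missing vs. invalid value), so each refused entry now produces two log lines and the more severe one carries less detail. If the intent is that a user lacking the attribute under scope=some disappears from getpwnam/getpwent, a short comment at the check would make that explicit, e.g. `/* Fail closed: an entry whose recording state is unknown is not returned. */`, and the level could be aligned with the callee's (`SSSDBG_OP_FAILURE`) or the message reduced to the propagation only. nss_get_pwent begins and ends outside this hunk, so I cannot see whether the caller treats the error as "user not found" or as a responder error; that distinction matters for how visible this is to clients.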
--
2.14.1