author | Jan Zeleny <jzeleny@redhat.com> | 2012-06-22 08:26:46 -0400 |
---|---|---|
committer | Stephen Gallagher <sgallagh@redhat.com> | 2012-06-25 07:36:40 -0400 |
commit | 538006b5ebead2198a2ca7aa082873c772472a99 (patch) | |
tree | a38fa1a7ccf122f46eba7a22a9964ab417a492f3 | |
parent | 065771c9859df9c4137daa5187be3aa5633b3cd5 (diff) | |
SELinux user maps: pick just one map
This patch modifies the behavior of SSSD when assembling the content of
the file for pam_selinux. SSSD will now pick only the first user map in
the priority list that matches the user logging in. Other maps are
ignored.
https://fedorahosted.org/sssd/ticket/1360
-rw-r--r-- | src/responder/pam/pamsrv_cmd.c | 23 |
1 files changed, 11 insertions, 12 deletions
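--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -461,12 +461,6 @@ static errno_t get_selinux_string(struct pam_auth_req *preq)
 goto done;
 }
 } else {
-file_content = talloc_strdup(tmp_ctx, "");
-if (file_content == NULL) {
-ret = ENOMEM;
-goto done;
-}
-
 /* Iterate through the order array and try to find SELinux users
 * in fetched maps. The order array contains all SELinux users
 * allowed in the domain in the same order they should appear
@@ -484,8 +478,11 @@ static errno_t get_selinux_string(struct pam_auth_req *preq)
 tmp_str = sss_selinux_map_get_seuser(usermaps[j]);
 if (tmp_str && !strcasecmp(tmp_str, order_array[i])) {
-file_content = talloc_asprintf_append(file_content, "%s\n",
-tmp_str);
+/* If file_content contained something, overwrite it.
+ * This record has higher priority.
+ */
+talloc_zfree(file_content);
+file_content = talloc_strdup(tmp_ctx, tmp_str);
 if (file_content == NULL) {
 ret = ENOMEM;
 goto done;
@@ -496,10 +493,12 @@ static errno_t get_selinux_string(struct pam_auth_req *preq)
 }
 }
-len = strlen(file_content);
-if (len > 0) {
-ret = pam_add_response(pd, SSS_PAM_SELINUX_MAP, len,
-(uint8_t *)file_content);
+if (file_content) {
+len = strlen(file_content);
+if (len > 0) {
+ret = pam_add_response(pd, SSS_PAM_SELINUX_MAP, len,
+(uint8_t *)file_content);
+}
 }
 done: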
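Review bot: `talloc_zfree(file_content)` in the second hunk and `if (file_content)` in the third both depend on `file_content` being NULL at its declaration, and the first hunk removes the only assignment the `else` branch made before the loop; the declaration sits outside these hunks, so if it reads `char *file_content;` the first match frees an indeterminate pointer and the later NULL test is meaningless — it should read `char *file_content = NULL;`. The new comment says the record being stored "has higher priority", and with no `break` visible after the strdup the last matching entry of `order_array` wins, which reads opposite to the commit message's "first user map in the priority list"; either add a `break`/`goto` after a match or reword the comment to `/* Later entries in order_array take precedence, so keep overwriting. */`. The old code appended `"%s\n"` while the new `talloc_strdup(tmp_ctx, tmp_str)` emits the bare seuser without a trailing newline, so the consumer of SSS_PAM_SELINUX_MAP now receives a different payload; confirm that is intended. get_selinux_string begins before the first hunk and the loop body continues between the hunks.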