diff options
author | Jan Zeleny <jzeleny@redhat.com> | 2012-07-27 03:35:38 -0400 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2012-07-27 14:46:16 +0200 |
commit | 300c772767c1b12077cac1d148ac89738b058f97 (patch) | |
tree | 7e16cf4473e554bad8b644e27965bf01b18edff5 | |
parent | 2de495aed26bf75a750a76ca73b9f85d341fe1c5 (diff) | |
download | sssd-300c772767c1b12077cac1d148ac89738b058f97.tar.gz sssd-300c772767c1b12077cac1d148ac89738b058f97.tar.bz2 sssd-300c772767c1b12077cac1d148ac89738b058f97.zip |
Write SELinux config files in responder instead of PAM module
-rw-r--r-- | Makefile.am | 2 | ||||
-rw-r--r-- | src/responder/pam/pamsrv_cmd.c | 100 | ||||
-rw-r--r-- | src/sss_client/pam_sss.c | 95 | ||||
-rw-r--r-- | src/sss_client/sss_cli.h | 4 |
4 files changed, 96 insertions, 105 deletions
diff --git a/Makefile.am b/Makefile.am index c992c972..07128642 100644 --- a/Makefile.am +++ b/Makefile.am @@ -566,6 +566,7 @@ sssd_pam_SOURCES = \ sssd_pam_LDADD = \ $(TDB_LIBS) \ $(SSSD_LIBS) \ + $(SELINUX_LIBS) \ libsss_util.la if BUILD_SUDO @@ -1131,7 +1132,6 @@ pam_sss_la_SOURCES = \ pam_sss_la_LDFLAGS = \ -lpam \ - $(SELINUX_LIBS) \ -module \ -avoid-version \ -Wl,--version-script,$(srcdir)/src/sss_client/sss_pam.exports diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c index 9c4c7706..31040787 100644 --- a/src/responder/pam/pamsrv_cmd.c +++ b/src/responder/pam/pamsrv_cmd.c @@ -33,6 +33,7 @@ #include "responder/pam/pam_helpers.h" #include "db/sysdb.h" #include "db/sysdb_selinux.h" +#include <selinux/selinux.h> enum pam_verbosity { PAM_VERBOSITY_NO_MESSAGES = 0, @@ -353,6 +354,99 @@ fail: return ret; } +#define ALL_SERVICES "*" + +static errno_t write_selinux_string(const char *username, char *string) +{ + char *path = NULL; + char *tmp_path = NULL; + ssize_t written; + int len; + int fd = 0; + mode_t oldmask; + TALLOC_CTX *tmp_ctx; + char *full_string = NULL; + errno_t ret = EOK; + + len = strlen(string); + if (len == 0) { + return EINVAL; + } + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, ("talloc_new() failed\n")); + return ENOMEM; + } + + path = talloc_asprintf(tmp_ctx, "%s/logins/%s", selinux_policy_root(), + username); + if (path == NULL) { + ret = ENOMEM; + goto done; + } + + tmp_path = talloc_asprintf(tmp_ctx, "%sXXXXXX", path); + if (path == NULL) { + ret = ENOMEM; + goto done; + } + + oldmask = umask(022); + fd = mkstemp(tmp_path); + umask(oldmask); + if (fd < 0) { + DEBUG(SSSDBG_OP_FAILURE, ("creating the temp file for SELinux " + "data failed. %s", tmp_path)); + ret = EIO; + goto done; + } + + full_string = talloc_asprintf(tmp_ctx, "%s:%s", ALL_SERVICES, string); + if (full_string == NULL) { + ret = ENOMEM; + goto done; + } + + len = strlen(full_string); + + errno = 0; + written = sss_atomic_write_s(fd, full_string, len); + if (written == -1) { + ret = errno; + DEBUG(SSSDBG_OP_FAILURE, ("writing to SELinux data file %s" + "failed [%d]: %s", tmp_path, ret, + strerror(ret))); + goto done; + } + + if (written != len) { + DEBUG(SSSDBG_OP_FAILURE, ("Expected to write %d bytes, wrote %d", + written, len)); + ret = EIO; + goto done; + } + + errno = 0; + if (rename(tmp_path, path) < 0) { + ret = errno; + } else { + ret = EOK; + } + +done: + if (fd > 0) { + close(fd); + if (unlink(tmp_path) < 0) { + DEBUG(SSSDBG_MINOR_FAILURE, ("Could not remove file [%s]", + tmp_path)); + } + } + + talloc_free(tmp_ctx); + return ret; +} + static errno_t get_selinux_string(struct pam_auth_req *preq) { struct sysdb_ctx *sysdb; @@ -494,11 +588,7 @@ static errno_t get_selinux_string(struct pam_auth_req *preq) } if (file_content) { - len = strlen(file_content)+1; - if (len > 0) { - ret = pam_add_response(pd, SSS_PAM_SELINUX_MAP, len, - (uint8_t *)file_content); - } + ret = write_selinux_string(pd->user, file_content); } done: diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c index 3fecfabe..efbc48b6 100644 --- a/src/sss_client/pam_sss.c +++ b/src/sss_client/pam_sss.c @@ -41,9 +41,6 @@ #include <security/pam_modules.h> #include <security/pam_ext.h> #include <security/pam_modutil.h> -#ifdef HAVE_SELINUX -#include <selinux/selinux.h> -#endif #include "sss_pam_macros.h" #include "sss_cli.h" @@ -57,8 +54,6 @@ #define FLAGS_USE_AUTHTOK (1 << 2) #define PWEXP_FLAG "pam_sss:password_expired_flag" -#define ALL_SERVICES "*:" -#define ALL_SERVICES_LEN 2 #define PW_RESET_MSG_FILENAME_TEMPLATE SSSD_CONF_DIR"/customize/%s/pam_sss_pw_reset_message.%s" #define PW_RESET_MSG_MAX_SIZE 4096 @@ -87,7 +82,6 @@ struct pam_items { pid_t cli_pid; const char *login_name; char *domain_name; - char *selinux_user; }; #define DEBUG_MGS_LEN 1024 @@ -967,17 +961,6 @@ static int eval_response(pam_handle_t *pamh, size_t buflen, uint8_t *buf, D(("do_pam_conversation failed.")); } break; - case SSS_PAM_SELINUX_MAP: - if (pi->selinux_user) { - free(pi->selinux_user); - } - pi->selinux_user = (char *)malloc(len + 1); - if (!pi->selinux_user) { - D(("Insufficient memory.")); - return PAM_SYSTEM_ERR; - } - memcpy(pi->selinux_user, &buf[p], len + 1); - break; default: D(("Unknown response type [%d]", type)); } @@ -999,7 +982,6 @@ static int get_pam_items(pam_handle_t *pamh, struct pam_items *pi) pi->pam_newauthtok_type = SSS_AUTHTOK_TYPE_EMPTY; pi->pam_newauthtok = NULL; pi->pam_newauthtok_size = 0; - pi->selinux_user = NULL; ret = pam_get_item(pamh, PAM_SERVICE, (const void **) &(pi->pam_service)); if (ret != PAM_SUCCESS) return ret; @@ -1083,16 +1065,6 @@ static int send_and_receive(pam_handle_t *pamh, struct pam_items *pi, size_t replen; int pam_status = PAM_SYSTEM_ERR; -#ifdef HAVE_SELINUX - char *path = NULL; - char *tmp_path = NULL; - char *services = NULL; - ssize_t written; - int len; - int fd; - mode_t oldmask; -#endif /* HAVE_SELINUX */ - print_pam_items(pi); ret = pack_message_v3(pi, &rd.len, &buf); @@ -1180,68 +1152,6 @@ static int send_and_receive(pam_handle_t *pamh, struct pam_items *pi, pi->pam_user, pam_status, pam_strerror(pamh,pam_status)); } - } else { - if (pi->selinux_user == NULL) { - pam_status = PAM_SUCCESS; - break; - } - -#ifdef HAVE_SELINUX - if (asprintf(&path, "%s/logins/%s", selinux_policy_root(), - pi->pam_user) < 0 || - asprintf(&tmp_path, "%sXXXXXX", path) < 0) { - pam_status = PAM_SYSTEM_ERR; - goto done; - } - - oldmask = umask(022); - fd = mkstemp(tmp_path); - umask(oldmask); - if (fd < 0) { - logger(pamh, LOG_ERR, "creating the temp file for SELinux " - "data failed. %s", tmp_path); - pam_status = PAM_SYSTEM_ERR; - goto done; - } - - /* First write filter for all services */ - services = strdup(ALL_SERVICES); - if (services == NULL) { - pam_status = PAM_SYSTEM_ERR; - goto done; - } - - errno = 0; - written = sss_atomic_write_s(fd, (void *)services, ALL_SERVICES_LEN); - if (written == -1) { - ret = errno; - logger(pamh, LOG_ERR, "writing to SELinux data file %s" - "failed [%d]: %s", tmp_path, ret, strerror(ret)); - pam_status = PAM_SYSTEM_ERR; - goto done; - } - len = strlen(pi->selinux_user); - - errno = 0; - written = sss_atomic_write_s(fd, pi->selinux_user, len); - if (written == -1) { - ret = errno; - logger(pamh, LOG_ERR, "writing to SELinux data file %s" - "failed [%d]: %s", tmp_path, ret, strerror(ret)); - pam_status = PAM_SYSTEM_ERR; - goto done; - } - - if (written != len) { - logger(pamh, LOG_ERR, "Expected to write %d bytes, wrote %d", - written, len); - goto done; - } - - close(fd); - - rename(tmp_path, path); -#endif /* HAVE_SELINUX */ } break; case SSS_PAM_OPEN_SESSION: @@ -1259,11 +1169,6 @@ done: free(buf); } free(repbuf); -#ifdef HAVE_SELINUX - free(path); - free(tmp_path); - free(services); -#endif /* HAVE_SELINUX */ return pam_status; } diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h index b634e499..f60bd991 100644 --- a/src/sss_client/sss_cli.h +++ b/src/sss_client/sss_cli.h @@ -368,10 +368,6 @@ enum response_type { * the user.This should only be used in the case where * it is not possile to use SSS_PAM_USER_INFO. * @param A zero terminated string. */ - SSS_PAM_SELINUX_MAP, /**< A content of a SELinux user mapping file. This - * file should be then written to a particular - * subdir in /etc/selinux for pam_selinux to read - * @param A zero terminated string. */ }; /** |