diff options
| author | John Hodrien <J.H.Hodrien@leeds.ac.uk> | 2011-07-29 10:04:05 -0400 |
|---|---|---|
| committer | Stephen Gallagher <sgallagh@redhat.com> | 2011-07-29 10:13:26 -0400 |
| commit | 1dc99c9d468cfe2a7f7286a8969c586f8740bb9f (patch) | |
| tree | 5bde5191ec2a67eea5e62ccda694ae2fafc812a5 /src/responder | |
| parent | 336879aabae137f9a81304f147fb0d43001654b0 (diff) | |
| download | sssd-1dc99c9d468cfe2a7f7286a8969c586f8740bb9f.tar.gz sssd-1dc99c9d468cfe2a7f7286a8969c586f8740bb9f.tar.bz2 sssd-1dc99c9d468cfe2a7f7286a8969c586f8740bb9f.zip | |
Add vetoed_shells option
There may be users in LDAP that have a valid but unwelcome shell
set in their account. This adds a blacklist of shells that should
always be replaced by the fallback_shell.
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
Diffstat (limited to 'src/responder')
| -rw-r--r-- | src/responder/nss/nsssrv.c | 4 | ||||
| -rw-r--r-- | src/responder/nss/nsssrv.h | 1 | ||||
| -rw-r--r-- | src/responder/nss/nsssrv_cmd.c | 13 |
3 files changed, 17 insertions, 1 deletions
diff --git a/src/responder/nss/nsssrv.c b/src/responder/nss/nsssrv.c index b9d548e4..ec2f0caf 100644 --- a/src/responder/nss/nsssrv.c +++ b/src/responder/nss/nsssrv.c @@ -188,6 +188,10 @@ static int nss_get_config(struct nss_ctx *nctx, &nctx->allowed_shells); if (ret != EOK && ret != ENOENT) goto done; + ret = confdb_get_string_as_list(cdb, nctx, CONFDB_NSS_CONF_ENTRY, + CONFDB_NSS_VETOED_SHELL, + &nctx->vetoed_shells); + if (ret != EOK && ret != ENOENT) goto done; ret = nss_get_etc_shells(nctx, &nctx->etc_shells); if (ret != EOK) goto done; diff --git a/src/responder/nss/nsssrv.h b/src/responder/nss/nsssrv.h index f9aff566..01a2810c 100644 --- a/src/responder/nss/nsssrv.h +++ b/src/responder/nss/nsssrv.h @@ -60,6 +60,7 @@ struct nss_ctx { char *override_homedir; char **allowed_shells; + char **vetoed_shells; char **etc_shells; char *shell_fallback; }; diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c index 57eb9154..5dbd3ca7 100644 --- a/src/responder/nss/nsssrv_cmd.c +++ b/src/responder/nss/nsssrv_cmd.c @@ -314,7 +314,18 @@ static const char *get_shell_override(TALLOC_CTX *mem_ctx, user_shell = ldb_msg_find_attr_as_string(msg, SYSDB_SHELL, NULL); if (!user_shell) return NULL; - if (!nctx->allowed_shells) return talloc_strdup(mem_ctx, user_shell); + if (!nctx->allowed_shells && !nctx->vetoed_shells) return talloc_strdup(mem_ctx, user_shell); + + if (nctx->vetoed_shells) + { + for (i=0; nctx->vetoed_shells[i]; i++) { + if (strcmp(nctx->vetoed_shells[i], user_shell) == 0) { + DEBUG(5, ("The shell '%s' is vetoed. " + "Using fallback\n", user_shell)); + return talloc_strdup(mem_ctx, nctx->shell_fallback); + } + } + } for (i=0; nctx->etc_shells[i]; i++) { if (strcmp(user_shell, nctx->etc_shells[i]) == 0) { |