author | Jan Zeleny <jzeleny@redhat.com> | 2012-07-27 03:35:38 -0400 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2012-07-27 14:46:16 +0200 |
commit | 300c772767c1b12077cac1d148ac89738b058f97 (patch) | |
tree | 7e16cf4473e554bad8b644e27965bf01b18edff5 /src/sss_client | |
parent | 2de495aed26bf75a750a76ca73b9f85d341fe1c5 (diff) | |
Write SELinux config files in responder instead of PAM module
Diffstat (limited to 'src/sss_client')
-rw-r--r-- | src/sss_client/pam_sss.c | 95 | ||||
-rw-r--r-- | src/sss_client/sss_cli.h | 4 |
2 files changed, 0 insertions, 99 deletions
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c index 3fecfabe..efbc48b6 100644 --- a/src/sss_client/pam_sss.c +++ b/src/sss_client/pam_sss.c @@ -41,9 +41,6 @@ #include <security/pam_modules.h> #include <security/pam_ext.h> #include <security/pam_modutil.h> -#ifdef HAVE_SELINUX -#include <selinux/selinux.h> -#endif #include "sss_pam_macros.h" #include "sss_cli.h" @@ -57,8 +54,6 @@ #define FLAGS_USE_AUTHTOK (1 << 2) #define PWEXP_FLAG "pam_sss:password_expired_flag" -#define ALL_SERVICES "*:" -#define ALL_SERVICES_LEN 2 #define PW_RESET_MSG_FILENAME_TEMPLATE SSSD_CONF_DIR"/customize/%s/pam_sss_pw_reset_message.%s" #define PW_RESET_MSG_MAX_SIZE 4096 @@ -87,7 +82,6 @@ struct pam_items { pid_t cli_pid; const char *login_name; char *domain_name; - char *selinux_user; }; #define DEBUG_MGS_LEN 1024 @@ -967,17 +961,6 @@ static int eval_response(pam_handle_t *pamh, size_t buflen, uint8_t *buf, D(("do_pam_conversation failed.")); } break; - case SSS_PAM_SELINUX_MAP: - if (pi->selinux_user) { - free(pi->selinux_user); - } - pi->selinux_user = (char *)malloc(len + 1); - if (!pi->selinux_user) { - D(("Insufficient memory.")); - return PAM_SYSTEM_ERR; - } - memcpy(pi->selinux_user, &buf[p], len + 1); - break; default: D(("Unknown response type [%d]", type)); } @@ -999,7 +982,6 @@ static int get_pam_items(pam_handle_t *pamh, struct pam_items *pi) pi->pam_newauthtok_type = SSS_AUTHTOK_TYPE_EMPTY; pi->pam_newauthtok = NULL; pi->pam_newauthtok_size = 0; - pi->selinux_user = NULL; ret = pam_get_item(pamh, PAM_SERVICE, (const void **) &(pi->pam_service)); if (ret != PAM_SUCCESS) return ret; @@ -1083,16 +1065,6 @@ static int send_and_receive(pam_handle_t *pamh, struct pam_items *pi, size_t replen; int pam_status = PAM_SYSTEM_ERR; -#ifdef HAVE_SELINUX - char *path = NULL; - char *tmp_path = NULL; - char *services = NULL; - ssize_t written; - int len; - int fd; - mode_t oldmask; -#endif /* HAVE_SELINUX */ - print_pam_items(pi); ret = pack_message_v3(pi, &rd.len, &buf); 
@@ -1180,68 +1152,6 @@ static int send_and_receive(pam_handle_t *pamh, struct pam_items *pi, pi->pam_user, pam_status, pam_strerror(pamh,pam_status)); } - } else { - if (pi->selinux_user == NULL) { - pam_status = PAM_SUCCESS; - break; - } - -#ifdef HAVE_SELINUX - if (asprintf(&path, "%s/logins/%s", selinux_policy_root(), - pi->pam_user) < 0 || - asprintf(&tmp_path, "%sXXXXXX", path) < 0) { - pam_status = PAM_SYSTEM_ERR; - goto done; - } - - oldmask = umask(022); - fd = mkstemp(tmp_path); - umask(oldmask); - if (fd < 0) { - logger(pamh, LOG_ERR, "creating the temp file for SELinux " - "data failed. %s", tmp_path); - pam_status = PAM_SYSTEM_ERR; - goto done; - } - - /* First write filter for all services */ - services = strdup(ALL_SERVICES); - if (services == NULL) { - pam_status = PAM_SYSTEM_ERR; - goto done; - } - - errno = 0; - written = sss_atomic_write_s(fd, (void *)services, ALL_SERVICES_LEN); - if (written == -1) { - ret = errno; - logger(pamh, LOG_ERR, "writing to SELinux data file %s" - "failed [%d]: %s", tmp_path, ret, strerror(ret)); - pam_status = PAM_SYSTEM_ERR; - goto done; - } - len = strlen(pi->selinux_user); - - errno = 0; - written = sss_atomic_write_s(fd, pi->selinux_user, len); - if (written == -1) { - ret = errno; - logger(pamh, LOG_ERR, "writing to SELinux data file %s" - "failed [%d]: %s", tmp_path, ret, strerror(ret)); - pam_status = PAM_SYSTEM_ERR; - goto done; - } - - if (written != len) { - logger(pamh, LOG_ERR, "Expected to write %d bytes, wrote %d", - written, len); - goto done; - } - - close(fd); - - rename(tmp_path, path); -#endif /* HAVE_SELINUX */ } break; case SSS_PAM_OPEN_SESSION: @@ -1259,11 +1169,6 @@ done: free(buf); } free(repbuf); -#ifdef HAVE_SELINUX - free(path); - free(tmp_path); - free(services); -#endif /* HAVE_SELINUX */ return pam_status; } diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h index b634e499..f60bd991 100644 --- a/src/sss_client/sss_cli.h +++ b/src/sss_client/sss_cli.h 
@@ -368,10 +368,6 @@ enum response_type { * the user.This should only be used in the case where * it is not possile to use SSS_PAM_USER_INFO. * @param A zero terminated string. */ - SSS_PAM_SELINUX_MAP, /**< A content of a SELinux user mapping file. This - * file should be then written to a particular - * subdir in /etc/selinux for pam_selinux to read - * @param A zero terminated string. */ }; /** |