summaryrefslogtreecommitdiff
path: root/src/sss_client
diff options
context:
space:
mode:
authorJan Zeleny <jzeleny@redhat.com>2012-07-27 03:35:38 -0400
committerJakub Hrozek <jhrozek@redhat.com>2012-07-27 14:46:16 +0200
commit300c772767c1b12077cac1d148ac89738b058f97 (patch)
tree7e16cf4473e554bad8b644e27965bf01b18edff5 /src/sss_client
parent2de495aed26bf75a750a76ca73b9f85d341fe1c5 (diff)
downloadsssd-300c772767c1b12077cac1d148ac89738b058f97.tar.gz
sssd-300c772767c1b12077cac1d148ac89738b058f97.tar.bz2
sssd-300c772767c1b12077cac1d148ac89738b058f97.zip
Write SELinux config files in responder instead of PAM module
Diffstat (limited to 'src/sss_client')
-rw-r--r--src/sss_client/pam_sss.c95
-rw-r--r--src/sss_client/sss_cli.h4
2 files changed, 0 insertions, 99 deletions
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index 3fecfabe..efbc48b6 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -41,9 +41,6 @@
#include <security/pam_modules.h>
#include <security/pam_ext.h>
#include <security/pam_modutil.h>
-#ifdef HAVE_SELINUX
-#include <selinux/selinux.h>
-#endif
#include "sss_pam_macros.h"
#include "sss_cli.h"
@@ -57,8 +54,6 @@
#define FLAGS_USE_AUTHTOK (1 << 2)
#define PWEXP_FLAG "pam_sss:password_expired_flag"
-#define ALL_SERVICES "*:"
-#define ALL_SERVICES_LEN 2
#define PW_RESET_MSG_FILENAME_TEMPLATE SSSD_CONF_DIR"/customize/%s/pam_sss_pw_reset_message.%s"
#define PW_RESET_MSG_MAX_SIZE 4096
@@ -87,7 +82,6 @@ struct pam_items {
pid_t cli_pid;
const char *login_name;
char *domain_name;
- char *selinux_user;
};
#define DEBUG_MGS_LEN 1024
@@ -967,17 +961,6 @@ static int eval_response(pam_handle_t *pamh, size_t buflen, uint8_t *buf,
D(("do_pam_conversation failed."));
}
break;
- case SSS_PAM_SELINUX_MAP:
- if (pi->selinux_user) {
- free(pi->selinux_user);
- }
- pi->selinux_user = (char *)malloc(len + 1);
- if (!pi->selinux_user) {
- D(("Insufficient memory."));
- return PAM_SYSTEM_ERR;
- }
- memcpy(pi->selinux_user, &buf[p], len + 1);
- break;
default:
D(("Unknown response type [%d]", type));
}
@@ -999,7 +982,6 @@ static int get_pam_items(pam_handle_t *pamh, struct pam_items *pi)
pi->pam_newauthtok_type = SSS_AUTHTOK_TYPE_EMPTY;
pi->pam_newauthtok = NULL;
pi->pam_newauthtok_size = 0;
- pi->selinux_user = NULL;
ret = pam_get_item(pamh, PAM_SERVICE, (const void **) &(pi->pam_service));
if (ret != PAM_SUCCESS) return ret;
@@ -1083,16 +1065,6 @@ static int send_and_receive(pam_handle_t *pamh, struct pam_items *pi,
size_t replen;
int pam_status = PAM_SYSTEM_ERR;
-#ifdef HAVE_SELINUX
- char *path = NULL;
- char *tmp_path = NULL;
- char *services = NULL;
- ssize_t written;
- int len;
- int fd;
- mode_t oldmask;
-#endif /* HAVE_SELINUX */
-
print_pam_items(pi);
ret = pack_message_v3(pi, &rd.len, &buf);
@@ -1180,68 +1152,6 @@ static int send_and_receive(pam_handle_t *pamh, struct pam_items *pi,
pi->pam_user, pam_status,
pam_strerror(pamh,pam_status));
}
- } else {
- if (pi->selinux_user == NULL) {
- pam_status = PAM_SUCCESS;
- break;
- }
-
-#ifdef HAVE_SELINUX
- if (asprintf(&path, "%s/logins/%s", selinux_policy_root(),
- pi->pam_user) < 0 ||
- asprintf(&tmp_path, "%sXXXXXX", path) < 0) {
- pam_status = PAM_SYSTEM_ERR;
- goto done;
- }
-
- oldmask = umask(022);
- fd = mkstemp(tmp_path);
- umask(oldmask);
- if (fd < 0) {
- logger(pamh, LOG_ERR, "creating the temp file for SELinux "
- "data failed. %s", tmp_path);
- pam_status = PAM_SYSTEM_ERR;
- goto done;
- }
-
- /* First write filter for all services */
- services = strdup(ALL_SERVICES);
- if (services == NULL) {
- pam_status = PAM_SYSTEM_ERR;
- goto done;
- }
-
- errno = 0;
- written = sss_atomic_write_s(fd, (void *)services, ALL_SERVICES_LEN);
- if (written == -1) {
- ret = errno;
- logger(pamh, LOG_ERR, "writing to SELinux data file %s"
- "failed [%d]: %s", tmp_path, ret, strerror(ret));
- pam_status = PAM_SYSTEM_ERR;
- goto done;
- }
- len = strlen(pi->selinux_user);
-
- errno = 0;
- written = sss_atomic_write_s(fd, pi->selinux_user, len);
- if (written == -1) {
- ret = errno;
- logger(pamh, LOG_ERR, "writing to SELinux data file %s"
- "failed [%d]: %s", tmp_path, ret, strerror(ret));
- pam_status = PAM_SYSTEM_ERR;
- goto done;
- }
-
- if (written != len) {
- logger(pamh, LOG_ERR, "Expected to write %d bytes, wrote %d",
- written, len);
- goto done;
- }
-
- close(fd);
-
- rename(tmp_path, path);
-#endif /* HAVE_SELINUX */
}
break;
case SSS_PAM_OPEN_SESSION:
@@ -1259,11 +1169,6 @@ done:
free(buf);
}
free(repbuf);
-#ifdef HAVE_SELINUX
- free(path);
- free(tmp_path);
- free(services);
-#endif /* HAVE_SELINUX */
return pam_status;
}
diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h
index b634e499..f60bd991 100644
--- a/src/sss_client/sss_cli.h
+++ b/src/sss_client/sss_cli.h
@@ -368,10 +368,6 @@ enum response_type {
* the user.This should only be used in the case where
* it is not possile to use SSS_PAM_USER_INFO.
* @param A zero terminated string. */
- SSS_PAM_SELINUX_MAP, /**< A content of a SELinux user mapping file. This
- * file should be then written to a particular
- * subdir in /etc/selinux for pam_selinux to read
- * @param A zero terminated string. */
};
/**