diff options
| -rw-r--r-- | src/confdb/confdb.h | 1 | ||||
| -rw-r--r-- | src/config/SSSDConfig.py | 1 | ||||
| -rw-r--r-- | src/man/sssd.conf.5.xml | 8 | ||||
| -rw-r--r-- | src/responder/nss/nsssrv.c | 4 | ||||
| -rw-r--r-- | src/responder/nss/nsssrv.h | 1 | ||||
| -rw-r--r-- | src/responder/nss/nsssrv_cmd.c | 13 |
6 files changed, 27 insertions, 1 deletions
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h index c2ae9fcb..5e50991f 100644 --- a/src/confdb/confdb.h +++ b/src/confdb/confdb.h @@ -74,6 +74,7 @@ #define CONFDB_NSS_FILTER_GROUPS "filter_groups" #define CONFDB_NSS_PWFIELD "pwfield" #define CONFDB_NSS_OVERRIDE_HOMEDIR "override_homedir" +#define CONFDB_NSS_VETOED_SHELL "vetoed_shells" #define CONFDB_NSS_ALLOWED_SHELL "allowed_shells" #define CONFDB_NSS_SHELL_FALLBACK "shell_fallback" diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py index 16d3d357..53bd14f0 100644 --- a/src/config/SSSDConfig.py +++ b/src/config/SSSDConfig.py @@ -60,6 +60,7 @@ option_strings = { 'pwfield' : _('The value of the password field the NSS provider should return'), 'override_homedir' : _('Override homedir value from the identity provider with this value'), 'allowed_shells' : _('The list of shells users are allowed to log in with'), + 'vetoed_shells' : _('The list of shells that will be vetoed, and replaced with the fallback shell'), 'shell_fallback' : _('If a shell stored in central directory is allowed but not available, use this fallback'), # [pam] diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml index b4f38465..e0380556 100644 --- a/src/man/sssd.conf.5.xml +++ b/src/man/sssd.conf.5.xml @@ -424,6 +424,14 @@ </listitem> </varlistentry> <varlistentry> + <term>vetoed_shells (string)</term> + <listitem> + <para> + Replace any instance of these shells with the shell_fallback + </para> + </listitem> + </varlistentry> + <varlistentry> <term>shell_fallback (string)</term> <listitem> <para> diff --git a/src/responder/nss/nsssrv.c b/src/responder/nss/nsssrv.c index b9d548e4..ec2f0caf 100644 --- a/src/responder/nss/nsssrv.c +++ b/src/responder/nss/nsssrv.c @@ -188,6 +188,10 @@ static int nss_get_config(struct nss_ctx *nctx, &nctx->allowed_shells); if (ret != EOK && ret != ENOENT) goto done; + ret = confdb_get_string_as_list(cdb, nctx, CONFDB_NSS_CONF_ENTRY, + CONFDB_NSS_VETOED_SHELL, + &nctx->vetoed_shells); + if (ret != EOK && ret != ENOENT) goto done; ret = nss_get_etc_shells(nctx, &nctx->etc_shells); if (ret != EOK) goto done; diff --git a/src/responder/nss/nsssrv.h b/src/responder/nss/nsssrv.h index f9aff566..01a2810c 100644 --- a/src/responder/nss/nsssrv.h +++ b/src/responder/nss/nsssrv.h @@ -60,6 +60,7 @@ struct nss_ctx { char *override_homedir; char **allowed_shells; + char **vetoed_shells; char **etc_shells; char *shell_fallback; }; diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c index 57eb9154..5dbd3ca7 100644 --- a/src/responder/nss/nsssrv_cmd.c +++ b/src/responder/nss/nsssrv_cmd.c @@ -314,7 +314,18 @@ static const char *get_shell_override(TALLOC_CTX *mem_ctx, user_shell = ldb_msg_find_attr_as_string(msg, SYSDB_SHELL, NULL); if (!user_shell) return NULL; - if (!nctx->allowed_shells) return talloc_strdup(mem_ctx, user_shell); + if (!nctx->allowed_shells && !nctx->vetoed_shells) return talloc_strdup(mem_ctx, user_shell); + + if (nctx->vetoed_shells) + { + for (i=0; nctx->vetoed_shells[i]; i++) { + if (strcmp(nctx->vetoed_shells[i], user_shell) == 0) { + DEBUG(5, ("The shell '%s' is vetoed. " + "Using fallback\n", user_shell)); + return talloc_strdup(mem_ctx, nctx->shell_fallback); + } + } + } for (i=0; nctx->etc_shells[i]; i++) { if (strcmp(user_shell, nctx->etc_shells[i]) == 0) { |