> On Thu, May 31, 2012 at 09:17:18PM +0200, Jan Zeleny wrote: > > At this moment we will support only asterisk, designating "all > > services". > > > > https://fedorahosted.org/sssd/ticket/1360 > > > > Thanks > > Jan > > Nack, you need to initialize services to NULL, otherwise if any > operation before the strdup failed, you would free random pointer.
Good catch, fixed. > You can also use sizeof(ALL_SERVICES)-1 and avoid defining > ALL_SERVICES_LEN (and be safe if ALL_SERVICES changed, not that it's > likely). As you have said, the constant is not likely to be changed. The next planned change is not to use the constant at all and rather dynamically fill this in by PAM responder. Hence I think leaving this is ok. > Does the SELinux feature work at all without the patch? If not, we > should consider moving the ticket to 1.8 The original documentation for the feature was incorrect so it didn't work (or rather it did work but pam_selinux got all confused). This time I tested the feature and it is working. There are still some rough edges but I suppose they are a part of intended behaviour of pam_selinux. To sum up, yes, this should be also backported to 1.8. Patch attached and tested. Thanks Jan
From 017ee8e43b0aa6301420a302e3be25d05924fc35 Mon Sep 17 00:00:00 2001 From: Jan Zeleny <[email protected]> Date: Thu, 31 May 2012 18:08:30 -0400 Subject: [PATCH] Provide "service filter" for SELinux context At this moment we will support only asterisk, designating "all services". https://fedorahosted.org/sssd/ticket/1360 --- src/sss_client/pam_sss.c | 20 ++++++++++++++++++++ 1 files changed, 20 insertions(+), 0 deletions(-) diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c index 9dca7e3c7b2f773abf08d5127d63b0bfc52ed06e..87300b70c8b43a66256f25d36e386a74ced65d46 100644 --- a/src/sss_client/pam_sss.c +++ b/src/sss_client/pam_sss.c @@ -57,6 +57,8 @@ #define FLAGS_USE_AUTHTOK (1 << 2) #define PWEXP_FLAG "pam_sss:password_expired_flag" +#define ALL_SERVICES "*:" +#define ALL_SERVICES_LEN 2 #define PW_RESET_MSG_FILENAME_TEMPLATE SSSD_CONF_DIR"/customize/%s/pam_sss_pw_reset_message.%s" #define PW_RESET_MSG_MAX_SIZE 4096 @@ -1084,6 +1086,7 @@ static int send_and_receive(pam_handle_t *pamh, struct pam_items *pi, #ifdef HAVE_SELINUX char *path = NULL; char *tmp_path = NULL; + char *services = NULL; ssize_t written; int len; int fd; @@ -1203,6 +1206,22 @@ static int send_and_receive(pam_handle_t *pamh, struct pam_items *pi, goto done; } + /* First write filter for all services */ + errno = 0; + services = strdup(ALL_SERVICES); + if (services == NULL) { + pam_status = PAM_SYSTEM_ERR; + goto done; + } + + written = sss_atomic_write_s(fd, (void *)services, ALL_SERVICES_LEN); + if (written == -1) { + ret = errno; + logger(pamh, LOG_ERR, "writing to SELinux data file %s" + "failed [%d]: %s", tmp_path, ret, strerror(ret)); + pam_status = PAM_SYSTEM_ERR; + goto done; + } len = strlen(pi->selinux_user); errno = 0; @@ -1243,6 +1262,7 @@ done: #ifdef HAVE_SELINUX free(path); free(tmp_path); + free(services); #endif /* HAVE_SELINUX */ return pam_status; -- 1.7.6.5
From cf0b96fa074b34f71cd63c0bcce390250e25c410 Mon Sep 17 00:00:00 2001 From: Jan Zeleny <[email protected]> Date: Thu, 31 May 2012 18:08:30 -0400 Subject: [PATCH] Provide "service filter" for SELinux context At this moment we will support only asterisk, designating "all services". https://fedorahosted.org/sssd/ticket/1360 --- src/sss_client/pam_sss.c | 28 ++++++++++++++++++++++++++++ 1 files changed, 28 insertions(+), 0 deletions(-) diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c index 8778fe19ed5d4c9cfec0ad4f9810580162bbfc09..c65bcf98f4da9b49a648c3aecf484e11c867993c 100644 --- a/src/sss_client/pam_sss.c +++ b/src/sss_client/pam_sss.c @@ -56,6 +56,8 @@ #define FLAGS_USE_AUTHTOK (1 << 2) #define PWEXP_FLAG "pam_sss:password_expired_flag" +#define ALL_SERVICES "*:" +#define ALL_SERVICES_LEN 2 #define PW_RESET_MSG_FILENAME_TEMPLATE SSSD_CONF_DIR"/customize/%s/pam_sss_pw_reset_message.%s" #define PW_RESET_MSG_MAX_SIZE 4096 @@ -1089,6 +1091,7 @@ static int send_and_receive(pam_handle_t *pamh, struct pam_items *pi, char *path = NULL; char *tmp_path = NULL; int pos, len; + char *services = NULL; int fd; mode_t oldmask; #endif /* HAVE_SELINUX */ @@ -1206,6 +1209,30 @@ static int send_and_receive(pam_handle_t *pamh, struct pam_items *pi, goto done; } + /* First write filter for all services */ + errno = 0; + services = strdup(ALL_SERVICES); + if (services == NULL) { + pam_status = PAM_SYSTEM_ERR; + goto done; + } + + pos = 0; + len = ALL_SERVICES_LEN; + while (pos < len) { + ret = write(fd, services + pos, len-pos); + if (ret < 0) { + if (errno != EINTR) { + logger(pamh, LOG_ERR, "writing to SELinux data file " + "failed. %s", tmp_path); + pam_status = PAM_SYSTEM_ERR; + goto done; + } + continue; + } + pos += ret; + } + pos = 0; len = strlen(pi->selinux_user); while (pos < len) { @@ -1243,6 +1270,7 @@ done: #ifdef HAVE_SELINUX free(path); free(tmp_path); + free(services); #endif /* HAVE_SELINUX */ return pam_status; -- 1.7.6.5
signature.asc
Description: This is a digitally signed message part.
_______________________________________________ sssd-devel mailing list [email protected] https://fedorahosted.org/mailman/listinfo/sssd-devel
