> On Thu, Jun 07, 2012 at 11:47:35AM +0200, Jan Zelený wrote:
> > > On Thu, May 31, 2012 at 09:17:18PM +0200, Jan Zeleny wrote:
> > > > At this moment we will support only asterisk, designating "all services".
> > > >
> > > > https://fedorahosted.org/sssd/ticket/1360
> > > >
> > > > Thanks
> > > > Jan
> > >
> > > Nack, you need to initialize services to NULL, otherwise if any operation before the strdup failed, you would free random pointer.
> >
> > Good catch, fixed.
> >
> > > You can also use sizeof(ALL_SERVICES)-1 and avoid defining ALL_SERVICES_LEN (and be safe if ALL_SERVICES changed, not that it's likely).
> >
> > As you have said, the constant is not likely to be changed. The next planned change is not to use the constant at all and rather dynamically fill this in by PAM responder. Hence I think leaving this is ok.
> >
> > > Does the SELinux feature work at all without the patch? If not, we should consider moving the ticket to 1.8
> >
> > The original documentation for the feature was incorrect so it didn't work (or rather it did work but pam_selinux got all confused). This time I tested the feature and it is working. There are still some rough edges but I suppose they are a part of intended behaviour of pam_selinux.
> >
> > To sum up, yes, this should be also backported to 1.8. Patch attached and tested.
>
> Sorry, one more thing I didn't notice before, can you move zeroing the errno right before sss_atomic_write_s() ?
Done in both patches.

Thanks
Jan
From cf0b96fa074b34f71cd63c0bcce390250e25c410 Mon Sep 17 00:00:00 2001 From: Jan Zeleny <[email protected]> Date: Thu, 31 May 2012 18:08:30 -0400 Subject: [PATCH] Provide "service filter" for SELinux context At this moment we will support only asterisk, designating "all services". https://fedorahosted.org/sssd/ticket/1360 --- src/sss_client/pam_sss.c | 28 ++++++++++++++++++++++++++++ 1 files changed, 28 insertions(+), 0 deletions(-) diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c index 8778fe19ed5d4c9cfec0ad4f9810580162bbfc09..c65bcf98f4da9b49a648c3aecf484e11c867993c 100644 --- a/src/sss_client/pam_sss.c +++ b/src/sss_client/pam_sss.c @@ -56,6 +56,8 @@ #define FLAGS_USE_AUTHTOK (1 << 2) #define PWEXP_FLAG "pam_sss:password_expired_flag" +#define ALL_SERVICES "*:" +#define ALL_SERVICES_LEN 2 #define PW_RESET_MSG_FILENAME_TEMPLATE SSSD_CONF_DIR"/customize/%s/pam_sss_pw_reset_message.%s" #define PW_RESET_MSG_MAX_SIZE 4096 @@ -1089,6 +1091,7 @@ static int send_and_receive(pam_handle_t *pamh, struct pam_items *pi, char *path = NULL; char *tmp_path = NULL; int pos, len; + char *services = NULL; int fd; mode_t oldmask; #endif /* HAVE_SELINUX */ @@ -1206,6 +1209,30 @@ static int send_and_receive(pam_handle_t *pamh, struct pam_items *pi, goto done; } + /* First write filter for all services */ + services = strdup(ALL_SERVICES); + if (services == NULL) { + pam_status = PAM_SYSTEM_ERR; + goto done; + } + + pos = 0; + len = ALL_SERVICES_LEN; + while (pos < len) { + errno = 0; + ret = write(fd, services + pos, len-pos); + if (ret < 0) { + if (errno != EINTR) { + logger(pamh, LOG_ERR, "writing to SELinux data file " + "failed. %s", tmp_path); + pam_status = PAM_SYSTEM_ERR; + goto done; + } + continue; + } + pos += ret; + } + pos = 0; len = strlen(pi->selinux_user); while (pos < len) { @@ -1243,6 +1270,7 @@ done: #ifdef HAVE_SELINUX free(path); free(tmp_path); + free(services); #endif /* HAVE_SELINUX */ return pam_status; -- 1.7.6.5
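Review bot: in the first hunk of this patch, ALL_SERVICES_LEN is a hand-maintained copy of the length of ALL_SERVICES; `sizeof(ALL_SERVICES) - 1` yields the same value at compile time and cannot drift if the literal ever changes. The reply in the thread declines this because the constant is slated to go away once the PAM responder supplies the filter, which is a fair reason to keep it, but if the two defines stay, a one-line comment noting that they must be kept in sync would help the next reader.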
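Review bot: in the write loop added in the third hunk, `strdup(ALL_SERVICES)` introduces an allocation and an extra failure path for data that is a compile-time constant; passing `ALL_SERVICES` to `write()` directly would let the `services` variable, its NULL check and the `free(services)` in the done: hunk go away. Separately, the loop only makes progress when `ret > 0`: a `write()` that returns 0 while `len - pos` is still positive would spin forever, so treating 0 the same way as the `ret < 0` path (log and `goto done`) closes that corner. The error message also omits the errno text, unlike the `strerror(ret)` form used in the companion patch; logging it here too would make a failed write on the SELinux data file easier to diagnose.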
From ba220dbe9f88e1b6015a131e9dad4b78d2a3a7cc Mon Sep 17 00:00:00 2001 From: Jan Zeleny <[email protected]> Date: Thu, 31 May 2012 18:08:30 -0400 Subject: [PATCH] Provide "service filter" for SELinux context At this moment we will support only asterisk, designating "all services". https://fedorahosted.org/sssd/ticket/1360 --- src/sss_client/pam_sss.c | 20 ++++++++++++++++++++ 1 files changed, 20 insertions(+), 0 deletions(-) diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c index 9dca7e3c7b2f773abf08d5127d63b0bfc52ed06e..3cffbb2e7f02e720def3dba6e77e4d08235c3b11 100644 --- a/src/sss_client/pam_sss.c +++ b/src/sss_client/pam_sss.c @@ -57,6 +57,8 @@ #define FLAGS_USE_AUTHTOK (1 << 2) #define PWEXP_FLAG "pam_sss:password_expired_flag" +#define ALL_SERVICES "*:" +#define ALL_SERVICES_LEN 2 #define PW_RESET_MSG_FILENAME_TEMPLATE SSSD_CONF_DIR"/customize/%s/pam_sss_pw_reset_message.%s" #define PW_RESET_MSG_MAX_SIZE 4096 @@ -1084,6 +1086,7 @@ static int send_and_receive(pam_handle_t *pamh, struct pam_items *pi, #ifdef HAVE_SELINUX char *path = NULL; char *tmp_path = NULL; + char *services; ssize_t written; int len; int fd; @@ -1203,6 +1206,22 @@ static int send_and_receive(pam_handle_t *pamh, struct pam_items *pi, goto done; } + /* First write filter for all services */ + services = strdup(ALL_SERVICES); + if (services == NULL) { + pam_status = PAM_SYSTEM_ERR; + goto done; + } + + errno = 0; + written = sss_atomic_write_s(fd, (void *)services, ALL_SERVICES_LEN); + if (written == -1) { + ret = errno; + logger(pamh, LOG_ERR, "writing to SELinux data file %s" + "failed [%d]: %s", tmp_path, ret, strerror(ret)); + pam_status = PAM_SYSTEM_ERR; + goto done; + } len = strlen(pi->selinux_user); errno = 0; @@ -1243,6 +1262,7 @@ done: #ifdef HAVE_SELINUX free(path); free(tmp_path); + free(services); #endif /* HAVE_SELINUX */ return pam_status; -- 1.7.7.6
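Review bot: in the second hunk, `char *services;` is declared without an initializer, yet the done: label in the last hunk calls `free(services)` unconditionally under HAVE_SELINUX. Any `goto done` taken before the new `strdup()` (the context line `goto done;` directly above the inserted block shows there are such paths) frees an indeterminate pointer. This is exactly the "you need to initialize services to NULL" point from the quoted review; the other patch in this mail has `char *services = NULL;`, but this one does not. Change the declaration to `char *services = NULL;`.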
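Review bot: in the third hunk, the two adjacent string literals passed to logger(), `"writing to SELinux data file %s"` and `"failed [%d]: %s"`, are concatenated with no space between the `%s` and `failed`, so the message comes out as `...data file /some/pathfailed [13]: ...`; add a trailing space to the first literal. The `errno = 0;` now sits immediately before `sss_atomic_write_s()` as requested. As with the companion patch, the `strdup()` of a constant is unnecessary: passing `ALL_SERVICES` to `sss_atomic_write_s()` directly would remove the allocation, its `PAM_SYSTEM_ERR` branch and the `free(services)` in the done: hunk, and with it the uninitialized-pointer hazard noted above.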
sssd-devel mailing list
[email protected]
https://fedorahosted.org/mailman/listinfo/sssd-devel
