Hi everyone,

The attached patch adds exporting of the original (non-overridden) user shell
to tlog-rec, during the PAM session opening. The shell is exported via adding
variable "TLOG_REC_SHELL" to the user's environment.

This is supposed to be used within the preliminary session recording solution,
which employs tlog [1]. The administrators are supposed to set up session
recording with SSSD by adding local overrides of the user shell to
"/usr/bin/tlog-rec". When tlog-rec is spawned in the role of the shell, it
sets up terminal I/O recording and then spawns the shell specified in
"TLOG_REC_SHELL".

This can be tested by logging in as any user and checking whether the TLOG_REC_SHELL
variable is set to the original (non-overridden) shell.

This is a draft patch and code and design change suggestions are welcome.

Thank you.

Nick

[1] https://github.com/Scribery/tlog
>From 48c40e360ca26b264c9af48e31f2c610f7e6eb3d Mon Sep 17 00:00:00 2001
From: Nikolai Kondrashov <[email protected]>
Date: Fri, 18 Mar 2016 19:26:18 +0200
Subject: [PATCH] PAM: Export original user shell to tlog-rec

Add exporting of original (non-overridden) user shell to tlog-rec when
sending reply to pam_sss. The shell is exported by adding a variable
named "TLOG_REC_SHELL" to the user environment. Tlog-rec spawns the
specified shell after setting up the terminal I/O recording.
---
 src/responder/pam/pamsrv_cmd.c | 82 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 82 insertions(+)

diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index d86807e..f1cbce9 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -578,6 +578,79 @@ static errno_t get_password_for_cache_auth(struct sss_auth_token *authtok,
     return EOK;
 }
 
+/*
+ * Add a request to add a variable to the PAM user environment, containing the
+ * actual (not overridden) user shell.
+ */
+static int pam_reply_export_shell(struct pam_auth_req *preq,
+                                  const char *var_name)
+{
+    int ret;
+    struct ldb_result *res;
+    TALLOC_CTX *ctx;
+    const struct ldb_message *msg;
+    const char *shell;
+    char *buf;
+
+    /* Create temporary talloc context */
+    ctx = talloc_new(NULL);
+    if (ctx == NULL) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new failed.\n");
+        ret = ENOMEM;
+        goto done;
+    }
+
+    /* Get the non-overridden user entry */
+    ret = sysdb_getpwnam(ctx, preq->domain, preq->pd->user, &res);
+    if (ret != 0) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "sysdb_getpwnam failed\n");
+        goto done;
+    }
+    if (res->count > 1) {
+        DEBUG(SSSDBG_CRIT_FAILURE,
+              "sysdb_getpwnam returned multiple results\n");
+        ret = EINVAL;
+        goto done;
+    }
+    if (res->count == 0) {
+        DEBUG(SSSDBG_CRIT_FAILURE,
+              "sysdb_getpwnam returned no results\n");
+        ret = ENOENT;
+        goto done;
+    }
+
+    /* Extract the shell */
+    msg = res->msgs[0];
+    shell = ldb_msg_find_attr_as_string(msg, SYSDB_SHELL, NULL);
+    if (shell == NULL) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "user has no shell\n");
+        ret = ENOENT;
+        goto done;
+    }
+
+    /* Format environment entry */
+    buf = talloc_asprintf(ctx, "%s=%s", var_name, shell);
+    if (buf == NULL) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
+        ret = ENOMEM;
+        goto done;
+    }
+
+    /* Add request to add the entry to user environment */
+    ret = pam_add_response(preq->pd, SSS_PAM_ENV_ITEM,
+                           strlen(buf) + 1, (uint8_t *)buf);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n");
+        goto done;
+    }
+
+    ret = EOK;
+
+done:
+    talloc_free(ctx);
+    return ret;
+}
+
 static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd);
 static void pam_handle_cached_login(struct pam_auth_req *preq, int ret,
                                     time_t expire_date, time_t delayed_until, bool cached_auth);
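Review bot: A user entry without a SYSDB_SHELL attribute makes pam_reply_export_shell return ENOENT (the `shell == NULL` branch at the "Extract the shell" step), yet accounts without a loginShell are routine and are normally served the configured default_shell; that branch should return EOK without adding an environment item (or format the entry from the default shell if the caller can supply it) instead of reporting a hard failure. The sysdb_getpwnam status is tested with `ret != 0` while every other status in the function is compared against EOK; `if (ret != EOK) {` keeps the module's convention. Whether sysdb_getpwnam returns the entry with view overrides left unapplied, as the header comment promises, is not visible here and is worth confirming, since the non-overridden value is the whole point of the variable. If pam_add_response stores the pointer rather than copying the bytes, `buf` is freed together with `ctx` at `done:` before the reply is serialised; allocating the entry on `preq->pd` and freeing only the lookup result would be safe either way.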
@@ -794,6 +867,15 @@ static void pam_reply(struct pam_auth_req *preq)
         }
     }
 
+    /* Export non-overridden shell to tlog-rec when opening the session */
+    if (pd->cmd == SSS_PAM_OPEN_SESSION && pd->pam_status == PAM_SUCCESS) {
+        ret = pam_reply_export_shell(preq, "TLOG_REC_SHELL");
+        if (ret != EOK) {
+            DEBUG(SSSDBG_CRIT_FAILURE, "failed to export the shell to tlog-rec.\n");
+            goto done;
+        }
+    }
+
     resp_c = 0;
     resp_size = 0;
     resp = pd->resp_list;
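Review bot: Any failure of pam_reply_export_shell aborts the whole reply via `goto done` (the `done` label lies outside the hunk), so a sysdb error or a user without a shell attribute turns an otherwise successful open_session into a failure and most likely blocks the login; since the variable is only an aid to recording, the safer choice is to log at SSSDBG_OP_FAILURE and fall through to building the response, dropping the `goto done;` line. The export also runs on every session open regardless of whether the user's shell was actually overridden to tlog-rec, which costs a sysdb lookup per login; gating it on a responder option, or on the effective shell being tlog-rec, would match the design described in the cover letter. The bare literal `"TLOG_REC_SHELL"` would read better as a named constant next to the other PAM definitions, e.g. `#define PAM_TLOG_REC_SHELL_ENV "TLOG_REC_SHELL"`, so the name is defined in exactly one place.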
-- 
2.7.0
