Hi everyone,

The attached patch adds exporting of the original (non-overridden) user shell to tlog-rec during the PAM session opening. The shell is exported by adding the variable "TLOG_REC_SHELL" to the user's environment.

This is supposed to be used within the preliminary session recording solution, which employs tlog [1]. The administrators are supposed to set up session recording with SSSD by adding local overrides of the user shell to "/usr/bin/tlog-rec". When tlog-rec is spawned in the role of the shell, it sets up terminal I/O recording and then spawns the shell specified in "TLOG_REC_SHELL".

This can be tested by logging in as any user and checking if the TLOG_REC_SHELL variable is set to the original (non-overridden) shell.

This is a draft patch, and code and design change suggestions are welcome.

Thank you.

Nick

[1] https://github.com/Scribery/tlog
>From 48c40e360ca26b264c9af48e31f2c610f7e6eb3d Mon Sep 17 00:00:00 2001 From: Nikolai Kondrashov <[email protected]> Date: Fri, 18 Mar 2016 19:26:18 +0200 Subject: [PATCH] PAM: Export original user shell to tlog-rec Add exporting of original (non-overridden) user shell to tlog-rec when sending reply to pam_sss. The shell is exported by adding a variable named "TLOG_REC_SHELL" to the user environment. Tlog-rec spawns the specified shell after setting up the terminal I/O recording. --- src/responder/pam/pamsrv_cmd.c | 82 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 82 insertions(+) diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c index d86807e..f1cbce9 100644 --- a/src/responder/pam/pamsrv_cmd.c +++ b/src/responder/pam/pamsrv_cmd.c 
@@ -578,6 +578,79 @@ static errno_t get_password_for_cache_auth(struct sss_auth_token *authtok, return EOK; } +/* + * Add a request to add a variable to the PAM user environment, containing the + * actual (not overridden) user shell. + */ +static int pam_reply_export_shell(struct pam_auth_req *preq, + const char *var_name) +{ + int ret; + struct ldb_result *res; + TALLOC_CTX *ctx; + const struct ldb_message *msg; + const char *shell; + char *buf; + + /* Create temporary talloc context */ + ctx = talloc_new(NULL); + if (ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new failed.\n"); + ret = ENOMEM; + goto done; + } + + /* Get the non-overridden user entry */ + ret = sysdb_getpwnam(ctx, preq->domain, preq->pd->user, &res); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "sysdb_getpwnam failed\n"); + goto done; + } + if (res->count > 1) { + DEBUG(SSSDBG_CRIT_FAILURE, + "sysdb_getpwnam returned multiple results\n"); + ret = EINVAL; + goto done; + } + if (res->count == 0) { + DEBUG(SSSDBG_CRIT_FAILURE, + "sysdb_getpwnam returned no results\n"); + ret = ENOENT; + goto done; + } + + /* Extract the shell */ + msg = res->msgs[0]; + shell = ldb_msg_find_attr_as_string(msg, SYSDB_SHELL, NULL); + if (shell == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "user has no shell\n"); + ret = ENOENT; + goto done; + } + + /* Format environment entry */ + buf = talloc_asprintf(ctx, "%s=%s", var_name, shell); + if (buf == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n"); + ret = ENOMEM; + goto done; + } + + /* Add request to add the entry to user environment */ + ret = pam_add_response(preq->pd, SSS_PAM_ENV_ITEM, + strlen(buf) + 1, (uint8_t *)buf); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n"); + goto done; + } + + ret = EOK; + +done: + talloc_free(ctx); + return ret; +} + static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd); static void pam_handle_cached_login(struct pam_auth_req *preq, int ret, time_t expire_date, time_t 
delayed_until, bool cached_auth); @@ -794,6 +867,15 @@ static void pam_reply(struct pam_auth_req *preq) } } + /* Export non-overridden shell to tlog-rec when opening the session */ + if (pd->cmd == SSS_PAM_OPEN_SESSION && pd->pam_status == PAM_SUCCESS) { + ret = pam_reply_export_shell(preq, "TLOG_REC_SHELL"); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "failed to export the shell to tlog-rec.\n"); + goto done; + } + } + resp_c = 0; resp_size = 0; resp = pd->resp_list; -- 2.7.0
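Review bot: In pam_reply_export_shell(), a user entry without a shell attribute is treated as a hard error (`DEBUG(SSSDBG_CRIT_FAILURE, "user has no shell\n"); ret = ENOENT;`), yet SSSD users legitimately have no loginShell in the cache when the shell comes from default_shell or override_shell, so with the call site in pam_reply() this would fail session opening for exactly those users; returning EOK without adding the env item (or substituting the domain's configured default shell) would be safer. Two smaller points in the same function: `if (ret != 0)` after sysdb_getpwnam() should be `ret != EOK` for consistency with the rest of the file, and the shell string taken from sysdb is passed unchecked into the "%s=%s" env item, so a value containing a newline or other control characters from the directory would produce a malformed SSS_PAM_ENV_ITEM; a sanity check (non-empty, absolute path, no control characters) before talloc_asprintf() would close that.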
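Review bot: The new block in pam_reply() exports TLOG_REC_SHELL on every successful SSS_PAM_OPEN_SESSION, not only for users whose shell has actually been overridden to tlog-rec, so every SSSD user gets this variable (and the original shell value) in their environment even on hosts where no recording is configured, and any failure in pam_reply_export_shell() does `goto done` and aborts the reply, which turns a recording-related lookup problem into a failed login. Consider gating the export on a configuration option (or on the effective, overridden shell being tlog-rec) and on failure only logging at a lower debug level and continuing with the normal reply, so the session still opens; the hard-coded "TLOG_REC_SHELL" name could then also move into that option.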
_______________________________________________ sssd-devel mailing list [email protected] https://lists.fedorahosted.org/admin/lists/[email protected]
