URL: https://github.com/SSSD/sssd/pull/200 Author: sumit-bose Title: #200: Improve PAM test client Action: opened
PR body: """ This patch set makes the PAM test client more flexible and adds additional lookups of the user via NSS and InfoPipe. For simplicity this version uses libsss_simpleifp to access InfoPipe. A later version might use libdbus directly to reduce the number of dependencies. Related to https://pagure.io/SSSD/sssd/issue/3292 """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/200/head:pr200 git checkout pr200
From 06fbef96bd18f967f6b6a98f93bc8df0b30ef3f0 Mon Sep 17 00:00:00 2001
From: Sumit Bose <[email protected]>
Date: Tue, 24 Jan 2017 14:50:20 +0100
Subject: [PATCH 1/5] pam_test_client: add service and environment to PAM test client
Related to https://pagure.io/SSSD/sssd/issue/3292
---
src/sss_client/pam_test_client.c | 51 ++++++++++++++++++++++++++++++----------
1 file changed, 39 insertions(+), 12 deletions(-)
diff --git a/src/sss_client/pam_test_client.c b/src/sss_client/pam_test_client.c
index 29d1fcb..edd5e0c 100644
--- a/src/sss_client/pam_test_client.c
+++ b/src/sss_client/pam_test_client.c
@@ -48,34 +48,44 @@ static struct pam_conv conv = { # error "Missing text based pam conversation function" #endif +#define DEFAULT_ACTION "acct" +#define DEFAULT_SERVICE "system-auth" + int main(int argc, char *argv[]) { pam_handle_t *pamh; char *user; char *action; + char *service; int ret; + size_t c; + char **pam_env; if (argc == 1) { - fprintf(stderr, "missing action and user name, using default\n"); - action = strdup("auth"); - user = strdup("dummy"); + fprintf(stderr, "Usage: pam_test_client USERNAME " + "[auth|acct|setc|chau|open|clos] [pam_service]\n"); + return 0; } else if (argc == 2) { - fprintf(stdout, "using first argument as action and default user name\n"); - action = strdup(argv[1]); - user = strdup("dummy"); - } else { - action = strdup(argv[1]); - user = strdup(argv[2]); + fprintf(stderr,"using first argument as user name and default action " + "and service\n"); + } else if (argc == 3) { + fprintf(stderr, "using first argument as user name, second as action " + "and default service\n"); } - if (action == NULL || user == NULL) { + user = strdup(argv[1]); + action = argc > 2 ? strdup(argv[2]) : strdup(DEFAULT_ACTION); + service = argc > 3 ? strdup(argv[3]) : strdup(DEFAULT_SERVICE); + + if (action == NULL || user == NULL || service == NULL) { fprintf(stderr, "Out of memory!\n"); return 1; } - fprintf(stdout, "action: %s\nuser: %s\n", action,user); + fprintf(stdout, "user: %s\naction: %s\nservice: %s\n", + user, action, service); - ret = pam_start("sss_test", user, &conv, &pamh); + ret = pam_start(service, user, &conv, &pamh); if (ret != PAM_SUCCESS) { fprintf(stderr, "pam_start failed: %s\n", pam_strerror(pamh, ret)); return 1; 
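Review bot: The usage branch for `argc == 1` prints the help text to stderr and then does `return 0;`, so a wrapper script cannot tell a missing user name from a successful run; `return 1;` would match the other error exits in `main`. The service name now flows straight from `argv[3]` into `pam_start()`, and the default moved from `sss_test` to `system-auth`, so a short comment should say that the tool exercises whatever PAM stack the caller names. The early `return 1` paths after the `strdup()` calls skip the `free()` calls this patch adds at the end of `main`, which is harmless at exit but inconsistent. `main` continues outside this hunk.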
@@ -109,7 +119,24 @@ int main(int argc, char *argv[]) { fprintf(stderr, "unknown action\n"); } + fprintf(stderr, "PAM Environment:\n"); + pam_env = pam_getenvlist(pamh); + if (pam_env != NULL && pam_env[0] != NULL) { + for (c = 0; pam_env[c] != NULL; c++) { + fprintf(stderr," - %s\n", pam_env[c]); + free(pam_env[c]); + } + } else { + fprintf(stderr," - no env -\n"); + } + free(pam_env); + + pam_end(pamh, ret); + free(user); + free(action); + free(service); + return 0; } From f186fd00b10182e349d62fecb6efe8f024bbb666 Mon Sep 17 00:00:00 2001 From: Sumit Bose <[email protected]> Date: Wed, 25 Jan 2017 16:50:00 +0100 Subject: [PATCH 2/5] pam_test_client: add SSSD getpwnam lookup Related to https://pagure.io/SSSD/sssd/issue/3292 --- Makefile.am | 10 ++++-- src/sss_client/pam_test_client.c | 75 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 83 insertions(+), 2 deletions(-) diff --git a/Makefile.am b/Makefile.am index 45b04de..b6f3a59 100644 --- a/Makefile.am +++ b/Makefile.am @@ -3252,8 +3252,14 @@ if BUILD_WITH_LIBCURL noinst_PROGRAMS += tcurl-test-tool endif -pam_test_client_SOURCES = src/sss_client/pam_test_client.c -pam_test_client_LDADD = $(PAM_LIBS) $(PAM_MISC_LIBS) +pam_test_client_SOURCES = \ + src/sss_client/pam_test_client.c \ + $(NULL) +pam_test_client_LDADD = \ + $(PAM_LIBS) \ + $(PAM_MISC_LIBS) \ + $(LIBADD_DL) \ + $(NULL) if BUILD_AUTOFS autofs_test_client_SOURCES = \ diff --git a/src/sss_client/pam_test_client.c b/src/sss_client/pam_test_client.c index edd5e0c..2b2c607 100644 --- a/src/sss_client/pam_test_client.c +++ b/src/sss_client/pam_test_client.c @@ -25,6 +25,11 @@ #include <stdio.h> #include <unistd.h> #include <string.h> +#include <dlfcn.h> +#include <sys/types.h> +#include <pwd.h> +#include <nss.h> +#include <errno.h> #include <security/pam_appl.h> 
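Review bot: At the end of `main` (second hunk of patch 1), the new `pam_end(pamh, ret)` is followed by the existing `return 0;`, so the exit status never reflects whether the requested PAM action succeeded. Assuming `ret` still holds the last PAM result there (the switch that sets it is outside the hunk), `return ret == PAM_SUCCESS ? 0 : 1;` would make the client usable in automated checks. The environment listing is written to stderr while the other results go to stdout, and it prints every PAM environment value verbatim. A comment such as `/* PAM env may reference credential caches; output is for debugging only */` would help anyone who captures this output in logs.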
@@ -51,6 +56,69 @@ static struct pam_conv conv = { #define DEFAULT_ACTION "acct" #define DEFAULT_SERVICE "system-auth" +#define DEFAULT_BUFSIZE 4096 + +static int sss_getpwnam_check(const char *user) +{ + void *dl_handle = NULL; + enum nss_status (*getpwnam_r)(const char *name, struct passwd *result, + char *buffer, size_t buflen, int *errnop); + struct passwd pwd = {0}; + enum nss_status status; + char *buffer = NULL; + size_t buflen; + int nss_errno; + int ret; + + dl_handle = dlopen("libnss_sss.so.2", RTLD_NOW); + if (dl_handle == NULL) { + fprintf(stderr, "dlopen failed with [%s].\n", dlerror()); + ret = EIO; + goto done; + } + + getpwnam_r = dlsym(dl_handle, "_nss_sss_getpwnam_r"); + if (getpwnam_r == NULL) { + fprintf(stderr, "dlsym failed with [%s].\n", dlerror()); + ret = EIO; + goto done; + } + + buflen = DEFAULT_BUFSIZE; + buffer = malloc(buflen); + if (buffer == NULL) { + fprintf(stderr, "malloc failed.\n"); + ret = ENOMEM; + goto done; + } + + status = getpwnam_r(user, &pwd, buffer, buflen, &nss_errno); + if (status != NSS_STATUS_SUCCESS) { + fprintf(stderr, "sss_getpwnam_r failed with [%d].\n", status); + ret = EIO; + goto done; + } + + fprintf(stdout, "SSSD nss user lookup result:\n"); + fprintf(stdout, " - user name: %s\n", pwd.pw_name); + fprintf(stdout, " - user id: %d\n", pwd.pw_uid); + fprintf(stdout, " - group id: %d\n", pwd.pw_gid); + fprintf(stdout, " - gecos: %s\n", pwd.pw_gecos); + fprintf(stdout, " - home directory: %s\n", pwd.pw_dir); + fprintf(stdout, " - shell: %s\n", pwd.pw_shell); + + ret = 0; + +done: + if (dl_handle != NULL) { + dlclose(dl_handle); + } + + free(buffer); + + return ret; +} + int main(int argc, char *argv[]) { pam_handle_t *pamh; 
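Review bot: `pwd.pw_uid` and `pwd.pw_gid` are printed with `%d` in `sss_getpwnam_check`, but `uid_t`/`gid_t` are normally unsigned, so IDs above INT_MAX would be shown as negative numbers; `fprintf(stdout, " - user id: %lu\n", (unsigned long) pwd.pw_uid);` (and the same for `pw_gid`) avoids the mismatch. `nss_errno` is never initialised or reported, so a buffer that is too small for `DEFAULT_BUFSIZE` cannot be told apart from an unknown user; printing it next to `status` in the failure message would make the result diagnosable. `dlopen("libnss_sss.so.2", RTLD_NOW)` resolves through the normal library search path, which deserves a one-line comment now that the series installs the tool system-wide.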
@@ -85,6 +153,13 @@ int main(int argc, char *argv[]) { fprintf(stdout, "user: %s\naction: %s\nservice: %s\n", user, action, service); + if (*user != '\0') { + ret = sss_getpwnam_check(user); + if (ret != 0) { + fprintf(stderr,"User name lookup with [%s] failed.\n", user); + } + } + ret = pam_start(service, user, &conv, &pamh); if (ret != PAM_SUCCESS) { fprintf(stderr, "pam_start failed: %s\n", pam_strerror(pamh, ret)); From 34bd814702ca8bb3d057d04ab7ba4b0b822ffc3b Mon Sep 17 00:00:00 2001 From: Sumit Bose <[email protected]> Date: Thu, 16 Mar 2017 11:37:41 +0100 Subject: [PATCH 3/5] sss_sifp: update method names Related to https://pagure.io/SSSD/sssd/issue/3292 --- src/lib/sifp/sss_sifp_common.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/lib/sifp/sss_sifp_common.c b/src/lib/sifp/sss_sifp_common.c index bd1dc6a..8913d0b 100644 --- a/src/lib/sifp/sss_sifp_common.c +++ b/src/lib/sifp/sss_sifp_common.c @@ -168,7 +168,7 @@ sss_sifp_fetch_user_by_uid(sss_sifp_ctx *ctx, uint64_t _uid = uid; return sss_sifp_fetch_object_by_attr(ctx, IFP_PATH_USERS, IFACE_IFP_USERS, - IFACE_IFP_USERS_USER, "UserByID", + IFACE_IFP_USERS_USER, "ByID", DBUS_TYPE_UINT64, &_uid, _user); } @@ -178,6 +178,6 @@ sss_sifp_fetch_user_by_name(sss_sifp_ctx *ctx, sss_sifp_object **_user) { return sss_sifp_fetch_object_by_name(ctx, IFP_PATH_USERS, IFACE_IFP_USERS, - IFACE_IFP_USERS_USER, "UserByName", + IFACE_IFP_USERS_USER, "ByName", name, _user); } From f26c1a0ec1e78d0bcdd80fc7ca1ccbab934cff72 Mon Sep 17 00:00:00 2001 From: Sumit Bose <[email protected]> Date: Thu, 16 Mar 2017 11:38:20 +0100 Subject: [PATCH 4/5] pam_test_client: add InfoPipe user lookup Related to https://pagure.io/SSSD/sssd/issue/3292 --- Makefile.am | 1 + src/sss_client/pam_test_client.c | 71 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 72 insertions(+) diff --git a/Makefile.am b/Makefile.am index b6f3a59..0aa4497 100644 --- a/Makefile.am +++ b/Makefile.am 
@@ -3259,6 +3259,7 @@ pam_test_client_LDADD = \ $(PAM_LIBS) \ $(PAM_MISC_LIBS) \ $(LIBADD_DL) \ + libsss_simpleifp.la \ $(NULL) if BUILD_AUTOFS diff --git a/src/sss_client/pam_test_client.c b/src/sss_client/pam_test_client.c index 2b2c607..7d210e8 100644 --- a/src/sss_client/pam_test_client.c +++ b/src/sss_client/pam_test_client.c @@ -30,9 +30,12 @@ #include <pwd.h> #include <nss.h> #include <errno.h> +#include <inttypes.h> #include <security/pam_appl.h> +#include "lib/sifp/sss_sifp.h" + #ifdef HAVE_SECURITY_PAM_MISC_H # include <security/pam_misc.h> #elif defined(HAVE_SECURITY_OPENPAM_H) 
@@ -58,6 +61,69 @@ static struct pam_conv conv = { #define DEFAULT_BUFSIZE 4096 +static int get_ifp_user(const char *user) +{ + sss_sifp_ctx *sifp; + sss_sifp_error error; + sss_sifp_object *user_obj; + const char *tmp_str; + uint32_t tmp_uint32; + size_t c; + + struct ifp_user_attr { + const char *name; + bool is_string; + } ifp_user_attr[] = { + {"name", true}, + {"uidNumber", false}, + {"gidNumber", false}, + {"gecos", true}, + {"homeDirectory", true}, + {"loginShell", true}, + {NULL, false} + }; + + error = sss_sifp_init(&sifp); + if (error != SSS_SIFP_OK) { + fprintf(stderr, "Unable to connect to the InfoPipe"); + return EFAULT; + } + + error = sss_sifp_fetch_user_by_name(sifp, user, &user_obj); + if (error != SSS_SIFP_OK) { + fprintf(stderr, "Unable to get user object"); + return EIO; + } + + fprintf(stdout, "SSSD InfoPipe user lookup result:\n"); + for (c = 0; ifp_user_attr[c].name != NULL; c++) { + if (ifp_user_attr[c].is_string) { + error = sss_sifp_find_attr_as_string(user_obj->attrs, + ifp_user_attr[c].name, + &tmp_str); + } else { + error = sss_sifp_find_attr_as_uint32(user_obj->attrs, + ifp_user_attr[c].name, + &tmp_uint32); + } + if (error != SSS_SIFP_OK) { + fprintf(stderr, "Unable to get user name attr"); + return EIO; + } + + if (ifp_user_attr[c].is_string) { + fprintf(stdout, " - %s: %s\n", ifp_user_attr[c].name, tmp_str); + } else { + fprintf(stdout, " - %s: %"PRIu32"\n", ifp_user_attr[c].name, + tmp_uint32); + } + } + + sss_sifp_free_object(sifp, &user_obj); + sss_sifp_free(&sifp); + return 0; +} + static int sss_getpwnam_check(const char *user) { void *dl_handle = NULL; @@ -158,6 +224,11 @@ int main(int argc, char *argv[]) { if (ret != 0) { fprintf(stderr,"User name lookup with [%s] failed.\n", user); } + + ret = get_ifp_user(user); + if (ret != 0) { + fprintf(stderr,"InforPipe User lookup with [%s] failed.\n", user); + } } ret = pam_start(service, user, &conv, &pamh); From 7f378273372ccba3d9b4ea6d3e5f919da4ed7d30 Mon Sep 17 00:00:00 2001 
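Review bot: Every error return in `get_ifp_user` after `sss_sifp_init()` succeeds leaks resources: the `sss_sifp_fetch_user_by_name()` failure path returns without `sss_sifp_free(&sifp)`, and the attribute-loop failure returns without `sss_sifp_free_object()` either. A single `done:` label, as `sss_getpwnam_check` already uses in this file, keeps the cleanup in one place. The three error messages also lack a trailing newline, and "Unable to get user name attr" is printed for every attribute, so naming the attribute makes the failure readable. The fence shows only the rewritten error handling and cleanup.
```c
static int get_ifp_user(const char *user)
{
    sss_sifp_ctx *sifp = NULL;
    sss_sifp_object *user_obj = NULL;
    int ret;
    /* … unchanged: remaining locals and the ifp_user_attr table … */

    error = sss_sifp_init(&sifp);
    if (error != SSS_SIFP_OK) {
        fprintf(stderr, "Unable to connect to the InfoPipe\n");
        ret = EFAULT;
        goto done;
    }

    error = sss_sifp_fetch_user_by_name(sifp, user, &user_obj);
    if (error != SSS_SIFP_OK) {
        fprintf(stderr, "Unable to get user object\n");
        ret = EIO;
        goto done;
    }

    /* … unchanged: result header and per-attribute lookup inside the loop … */
        if (error != SSS_SIFP_OK) {
            fprintf(stderr, "Unable to get user attr [%s]\n",
                    ifp_user_attr[c].name);
            ret = EIO;
            goto done;
        }
    /* … unchanged: printing of the attribute value … */

    ret = 0;

done:
    if (user_obj != NULL) {
        sss_sifp_free_object(sifp, &user_obj);
    }
    if (sifp != NULL) {
        sss_sifp_free(&sifp);
    }
    return ret;
}
```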
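Review bot: The new failure message in `main` spells the component `InforPipe`; it should read `fprintf(stderr,"InfoPipe User lookup with [%s] failed.\n", user);` so that searches for InfoPipe in captured output match. As with the NSS check just above it, `ret` from `get_ifp_user()` is overwritten by `pam_start()` immediately afterwards, so a lookup failure only ever surfaces as this message. `main` starts and ends outside this hunk.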
From: Sumit Bose <[email protected]> Date: Thu, 16 Mar 2017 10:54:04 +0100 Subject: [PATCH 5/5] pam_test_client: install as sss_pam_test_client Related to https://pagure.io/SSSD/sssd/issue/3292 --- Makefile.am | 7 ++++--- contrib/sssd.spec.in | 1 + 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/Makefile.am b/Makefile.am index 0aa4497..851bca0 100644 --- a/Makefile.am +++ b/Makefile.am @@ -145,6 +145,7 @@ sbin_PROGRAMS = \ sss_override \ sss_seed \ sssctl \ + sss_pam_test_client \ $(NULL) sssdlibexec_PROGRAMS = \ @@ -3241,7 +3242,7 @@ test_inotify_LDADD = \ endif # HAVE_CMOCKA -noinst_PROGRAMS = pam_test_client +noinst_PROGRAMS = if BUILD_SUDO noinst_PROGRAMS += sss_sudo_cli endif @@ -3252,10 +3253,10 @@ if BUILD_WITH_LIBCURL noinst_PROGRAMS += tcurl-test-tool endif -pam_test_client_SOURCES = \ +sss_pam_test_client_SOURCES = \ src/sss_client/pam_test_client.c \ $(NULL) -pam_test_client_LDADD = \ +sss_pam_test_client_LDADD = \ $(PAM_LIBS) \ $(PAM_MISC_LIBS) \ $(LIBADD_DL) \ diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in index 5bd2beb..8b254d4 100644 --- a/contrib/sssd.spec.in +++ b/contrib/sssd.spec.in @@ -1023,6 +1023,7 @@ done %{_sbindir}/sss_debuglevel %{_sbindir}/sss_seed %{_sbindir}/sssctl +%{_sbindir}/sss_pam_test_client %{_mandir}/man8/sss_groupadd.8* %{_mandir}/man8/sss_groupdel.8* %{_mandir}/man8/sss_groupmod.8*
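Review bot: `sss_pam_test_client` is added to `sbin_PROGRAMS` unconditionally, while its `LDADD` (extended in patch 4) links `libsss_simpleifp.la`. If that library is built only when InfoPipe support is enabled (the conditional is not visible in these hunks), a build without it would fail, so the program or its InfoPipe lookup may need the same guard. Moving a former `noinst_PROGRAMS` helper into sbin and into `contrib/sssd.spec.in` also means it ships on production hosts, and no man page is added next to the existing `%{_mandir}` entries. A man page or spec comment stating that this is a diagnostic tool which prints lookup results and the PAM environment would set expectations for administrators.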
