
List:       sssd-devel
Subject:    [PATCH] SELinux user maps: pick just one map
From:       jzeleny () redhat ! com (Jan Zeleny)
Date:       2012-06-22 12:26:46
Message-ID: mailman.39.1340374360.2806.sssd-devel () lists ! fedorahosted ! org

This patch modifies behavior of SSSD when putting together content of
the file for pam_selinux. SSSD will now pick only the first user map in
the priority list that matches the user logging in; all other matching
maps are ignored.

https://fedorahosted.org/sssd/ticket/1360
---
 src/responder/pam/pamsrv_cmd.c |   23 +++++++++++------------
 1 files changed, 11 insertions(+), 12 deletions(-)

diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 2d0324e5bce9881b429ef12567150524b66575c3..20de738fc58e3f3938715e85cf0c02639a0dd902 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -461,12 +461,6 @@ static errno_t get_selinux_string(struct pam_auth_req *preq)
             goto done;
         }
     } else {
-        file_content = talloc_strdup(tmp_ctx, "");
-        if (file_content == NULL) {
-            ret = ENOMEM;
-            goto done;
-        }
-
         /* Iterate through the order array and try to find SELinux users
          * in fetched maps. The order array contains all SELinux users
          * allowed in the domain in the same order they should appear
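Review bot: With the `talloc_strdup(tmp_ctx, "")` initialisation removed, `file_content` is assigned in this else-branch only when a map matches, so on the no-match path it keeps whatever value its declaration gave it; the `talloc_zfree(file_content)` in the second hunk and the `if (file_content)` guard in the third both read it before any assignment. The declaration is outside the hunk (get_selinux_string starts before it), so if it is `char *file_content;` without an initialiser this is a read of an uninitialized pointer; it should be `char *file_content = NULL;`. The same applies to any path through the first branch of the `if` that reaches `done` without assigning it.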
@@ -484,8 +478,11 @@ static errno_t get_selinux_string(struct pam_auth_req *preq)
                 tmp_str = sss_selinux_map_get_seuser(usermaps[j]);
 
                 if (tmp_str && !strcasecmp(tmp_str, order_array[i])) {
-                    file_content = talloc_asprintf_append(file_content, "%s\n",
-                                                          tmp_str);
+                    /* If file_content contained something, overwrite it.
+                     * This record has higher priority.
+                     */
+                    talloc_zfree(file_content);
+                    file_content = talloc_strdup(tmp_ctx, tmp_str);
                     if (file_content == NULL) {
                         ret = ENOMEM;
                         goto done;
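Review bot: The overwrite `talloc_zfree(file_content); file_content = talloc_strdup(tmp_ctx, tmp_str);` leaves the last matching entry of `order_array` in `file_content`, because nothing in this hunk leaves either loop after a match, whereas the commit message says the first matching map in the priority list is picked. Unless the lines between this hunk and the next exit both loops, the two agree only if `order_array` is sorted lowest priority first, which the surrounding comment ("in the same order they should appear") does not state. Since this string selects the SELinux user that pam_selinux confines the login to, the intended direction should be fixed in the code: if highest priority comes first, terminate on the first match (a found flag checked by both loop conditions, or a `goto` to the statement after the loops) and drop the zfree. Either way, the added comment should say which end wins, e.g. `/* A later entry of order_array takes precedence over an earlier one. */`.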
@@ -496,10 +493,12 @@ static errno_t get_selinux_string(struct pam_auth_req *preq)
         }
     }
 
-    len = strlen(file_content);
-    if (len > 0) {
-        ret = pam_add_response(pd, SSS_PAM_SELINUX_MAP, len,
-                               (uint8_t *)file_content);
+    if (file_content) {
+        len = strlen(file_content);
+        if (len > 0) {
+            ret = pam_add_response(pd, SSS_PAM_SELINUX_MAP, len,
+                                   (uint8_t *)file_content);
+        }
     }
 
 done:
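Review bot: The new nested `if (file_content) { len = strlen(file_content); if (len > 0) { ... } }` can be flattened, which keeps the response call at one indentation level and makes the empty-string case explicit: `if (file_content != NULL && file_content[0] != '\0') {` followed by `len = strlen(file_content);` and the unchanged `pam_add_response` call. Behaviour is identical, including leaving `ret` untouched when there is nothing to send.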
-- 
1.7.7.6



