|
 |
71e593 |
From 0b519a28b4ed63153adbabb64e1446652bb8b879 Mon Sep 17 00:00:00 2001
|
|
|
71e593 |
From: Sumit Bose <sbose@redhat.com>
|
|
|
71e593 |
Date: Fri, 7 Sep 2018 22:19:26 +0200
|
|
|
71e593 |
Subject: [PATCH 18/19] getsockopt_wrapper: add support for PAM clients
|
|
|
71e593 |
|
|
|
71e593 |
PAM clients expect that the private socket of the PAM responder is
|
|
|
71e593 |
handled by root. With this patch getsockopt_wrapper can return the
|
|
|
71e593 |
expected UID and GID to PAM clients.
|
|
|
71e593 |
|
|
|
71e593 |
Related to https://pagure.io/SSSD/sssd/issue/3500
|
|
|
71e593 |
|
|
|
71e593 |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
71e593 |
(cherry picked from commit d332c8a0e7a4c7f0b3ee1b2110145a23cbd61c2a)
|
|
|
71e593 |
---
|
|
|
71e593 |
src/tests/intg/getsockopt_wrapper.c | 34 ++++++++++++++++++++++++++++++++++
|
|
|
71e593 |
1 file changed, 34 insertions(+)
|
|
|
71e593 |
|
|
|
71e593 |
diff --git a/src/tests/intg/getsockopt_wrapper.c b/src/tests/intg/getsockopt_wrapper.c
|
|
|
71e593 |
index 510912346709f57e3fffcbc15a684ccb0b2e90bf..2f508892dec1c00dd73c3a9e5cfdb08bb17e48a0 100644
|
|
|
71e593 |
--- a/src/tests/intg/getsockopt_wrapper.c
|
|
|
71e593 |
+++ b/src/tests/intg/getsockopt_wrapper.c
|
|
|
71e593 |
@@ -45,6 +45,23 @@ static bool is_secrets_socket(int fd)
|
|
|
71e593 |
return NULL != strstr(unix_socket->sun_path, "secrets.socket");
|
|
|
71e593 |
}
|
|
|
71e593 |
|
|
|
71e593 |
+static bool peer_is_private_pam(int fd)
|
|
|
71e593 |
+{
|
|
|
71e593 |
+ int ret;
|
|
|
71e593 |
+ struct sockaddr_storage addr = { 0 };
|
|
|
71e593 |
+ socklen_t addrlen = sizeof(addr);
|
|
|
71e593 |
+ struct sockaddr_un *unix_socket;
|
|
|
71e593 |
+
|
|
|
71e593 |
+ ret = getpeername(fd, (struct sockaddr *)&addr, &addrlen);
|
|
|
71e593 |
+ if (ret != 0) return false;
|
|
|
71e593 |
+
|
|
|
71e593 |
+ if (addr.ss_family != AF_UNIX) return false;
|
|
|
71e593 |
+
|
|
|
71e593 |
+ unix_socket = (struct sockaddr_un *)&addr;
|
|
|
71e593 |
+
|
|
|
71e593 |
+ return NULL != strstr(unix_socket->sun_path, "private/pam");
|
|
|
71e593 |
+}
|
|
|
71e593 |
+
|
|
|
71e593 |
static uid_t fake_secret_peer(uid_t orig_id)
|
|
|
71e593 |
{
|
|
|
71e593 |
char *val;
|
|
|
71e593 |
@@ -57,6 +74,21 @@ static uid_t fake_secret_peer(uid_t orig_id)
|
|
|
71e593 |
return atoi(val);
|
|
|
71e593 |
}
|
|
|
71e593 |
|
|
|
71e593 |
+static void fake_peer_uid_gid(uid_t *uid, gid_t *gid)
|
|
|
71e593 |
+{
|
|
|
71e593 |
+ char *val;
|
|
|
71e593 |
+
|
|
|
71e593 |
+ val = getenv("SSSD_INTG_PEER_UID");
|
|
|
71e593 |
+ if (val != NULL) {
|
|
|
71e593 |
+ *uid = atoi(val);
|
|
|
71e593 |
+ }
|
|
|
71e593 |
+
|
|
|
71e593 |
+ val = getenv("SSSD_INTG_PEER_GID");
|
|
|
71e593 |
+ if (val != NULL) {
|
|
|
71e593 |
+ *gid = atoi(val);
|
|
|
71e593 |
+ }
|
|
|
71e593 |
+}
|
|
|
71e593 |
+
|
|
|
71e593 |
typedef typeof(getsockopt) getsockopt_fn_t;
|
|
|
71e593 |
|
|
|
71e593 |
static getsockopt_fn_t *orig_getsockopt = NULL;
|
|
|
71e593 |
@@ -84,6 +116,8 @@ int getsockopt(int sockfd, int level, int optname,
|
|
|
71e593 |
cr->uid = 0;
|
|
|
71e593 |
} else if (is_secrets_socket(sockfd)) {
|
|
|
71e593 |
cr->uid = fake_secret_peer(cr->uid);
|
|
|
71e593 |
+ } else if (peer_is_private_pam(sockfd)) {
|
|
|
71e593 |
+ fake_peer_uid_gid(&cr->uid, &cr->gid);
|
|
|
71e593 |
}
|
|
|
71e593 |
}
|
|
|
71e593 |
|
|
|
71e593 |
--
|
|
|
71e593 |
2.14.4
|
|
|
71e593 |
|