From 0b519a28b4ed63153adbabb64e1446652bb8b879 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 7 Sep 2018 22:19:26 +0200
Subject: [PATCH 18/19] getsockopt_wrapper: add support for PAM clients
PAM clients expect that the private socket of the PAM responder is
handled by root. With this patch getsockopt_wrapper can return the
expected UID and GID to PAM clients.
Related to https://pagure.io/SSSD/sssd/issue/3500
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit d332c8a0e7a4c7f0b3ee1b2110145a23cbd61c2a)
---
src/tests/intg/getsockopt_wrapper.c | 34 ++++++++++++++++++++++++++++++++++
1 file changed, 34 insertions(+)
diff --git a/src/tests/intg/getsockopt_wrapper.c b/src/tests/intg/getsockopt_wrapper.c
index 510912346709f57e3fffcbc15a684ccb0b2e90bf..2f508892dec1c00dd73c3a9e5cfdb08bb17e48a0 100644
--- a/src/tests/intg/getsockopt_wrapper.c
+++ b/src/tests/intg/getsockopt_wrapper.c
@@ -45,6 +45,23 @@ static bool is_secrets_socket(int fd)
return NULL != strstr(unix_socket->sun_path, "secrets.socket");
}
+static bool peer_is_private_pam(int fd)
+{
+ int ret;
+ struct sockaddr_storage addr = { 0 };
+ socklen_t addrlen = sizeof(addr);
+ struct sockaddr_un *unix_socket;
+
+ ret = getpeername(fd, (struct sockaddr *)&addr, &addrlen);
+ if (ret != 0) return false;
+
+ if (addr.ss_family != AF_UNIX) return false;
+
+ unix_socket = (struct sockaddr_un *)&addr;
+
+ return NULL != strstr(unix_socket->sun_path, "private/pam");
+}
+
static uid_t fake_secret_peer(uid_t orig_id)
{
char *val;
@@ -57,6 +74,21 @@ static uid_t fake_secret_peer(uid_t orig_id)
return atoi(val);
}
+static void fake_peer_uid_gid(uid_t *uid, gid_t *gid)
+{
+ char *val;
+
+ val = getenv("SSSD_INTG_PEER_UID");
+ if (val != NULL) {
+ *uid = atoi(val);
+ }
+
+ val = getenv("SSSD_INTG_PEER_GID");
+ if (val != NULL) {
+ *gid = atoi(val);
+ }
+}
+
typedef typeof(getsockopt) getsockopt_fn_t;
static getsockopt_fn_t *orig_getsockopt = NULL;
@@ -84,6 +116,8 @@ int getsockopt(int sockfd, int level, int optname,
cr->uid = 0;
} else if (is_secrets_socket(sockfd)) {
cr->uid = fake_secret_peer(cr->uid);
+ } else if (peer_is_private_pam(sockfd)) {
+ fake_peer_uid_gid(&cr->uid, &cr->gid);
}
}
--
2.14.4