From c8d517bacd47f3d5c706a53561924ac20d0b3321 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 7 Sep 2018 22:19:26 +0200
Subject: [PATCH 20/21] getsockopt_wrapper: add support for PAM clients

PAM clients expect that the private socket of the PAM responder is
handled by root. With this patch getsockopt_wrapper can return the
expected UID and GID to PAM clients.

Related to https://pagure.io/SSSD/sssd/issue/3500

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked with fixes from commit d332c8a0e7a4c7f0b3ee1b2110145a23cbd61c2a)
---
 src/tests/intg/getsockopt_wrapper.c | 35 +++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)

diff --git a/src/tests/intg/getsockopt_wrapper.c b/src/tests/intg/getsockopt_wrapper.c
index 77c832329..eb8fa56dd 100644
--- a/src/tests/intg/getsockopt_wrapper.c
+++ b/src/tests/intg/getsockopt_wrapper.c
@@ -9,6 +9,7 @@
 #include <sys/socket.h>
 #include <sys/un.h>
 #include <dlfcn.h>
+#include <stdlib.h>
 
 static bool is_dbus_socket(int fd)
 {
@@ -27,6 +28,38 @@ static bool is_dbus_socket(int fd)
     return NULL != strstr(unix_socket->sun_path, "system_bus_socket");
 }
 
+static bool peer_is_private_pam(int fd)
+{
+    int ret;
+    struct sockaddr_storage addr = { 0 };
+    socklen_t addrlen = sizeof(addr);
+    struct sockaddr_un *unix_socket;
+
+    ret = getpeername(fd, (struct sockaddr *)&addr, &addrlen);
+    if (ret != 0) return false;
+
+    if (addr.ss_family != AF_UNIX) return false;
+
+    unix_socket = (struct sockaddr_un *)&addr;
+
+    return NULL != strstr(unix_socket->sun_path, "private/pam");
+}
+
+static void fake_peer_uid_gid(uid_t *uid, gid_t *gid)
+{
+    char *val;
+
+    val = getenv("SSSD_INTG_PEER_UID");
+    if (val != NULL) {
+        *uid = atoi(val);
+    }
+
+    val = getenv("SSSD_INTG_PEER_GID");
+    if (val != NULL) {
+        *gid = atoi(val);
+    }
+}
+
 typedef typeof(getsockopt) getsockopt_fn_t;
 
 static getsockopt_fn_t *orig_getsockopt = NULL;
@@ -52,6 +85,8 @@ int getsockopt(int sockfd, int level, int optname,
         cr = optval;
         if (cr->uid != 0 && is_dbus_socket(sockfd)) {
             cr->uid = 0;
+        } else if (peer_is_private_pam(sockfd)) {
+            fake_peer_uid_gid(&cr->uid, &cr->gid);
         }
     }
 
-- 
2.19.1