From 96f96e74926f48ae5a023af9bed36ba813a7d024 Mon Sep 17 00:00:00 2001
From: Denis Kutin <dekutin@ya.ru>
Date: Sat, 16 Nov 2013 16:48:21 +0400
Subject: [PATCH 20/22] NSS: Possibility to use any shells in 'allowed_shells'

Resolves:
https://fedorahosted.org/sssd/ticket/2219

Signed-off-by: Pavel Reichl <preichl@redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Pavel Reichl <preichl@redhat.com>
---
 src/man/sssd.conf.5.xml        | 10 ++++++++++
 src/responder/nss/nsssrv_cmd.c | 19 +++++++++++++------
 2 files changed, 23 insertions(+), 6 deletions(-)

diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index d5734166144a7c3ce7e62914558f8e69121bf774..77690432b841221328d65403830cf4a1ac12dba0 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -617,6 +617,16 @@ fallback_homedir = /home/%u
                             is used.
                         </para>
                         <para>
+                            The wildcard (*) can be used to allow any shell.
+                        </para>
+                        <para>
+                            The (*) is useful if you want to use
+                            shell_fallback in case that user's shell is not
+                            in <quote>/etc/shells</quote> and maintaining list
+                            of all allowed shells in allowed_shells would be
+                            to much overhead.
+                        </para>
+                        <para>
                             An empty string for shell is passed as-is to libc.
                         </para>
                         <para>
diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c
index 616f83dda58b11bb7b715e1eb6a2c43e91d2d9da..4ec99c153b25db26d482eec8da6ca52487967abc 100644
--- a/src/responder/nss/nsssrv_cmd.c
+++ b/src/responder/nss/nsssrv_cmd.c
@@ -284,12 +284,19 @@ static const char *get_shell_override(TALLOC_CTX *mem_ctx,
     }
 
     if (nctx->allowed_shells) {
-        for (i=0; nctx->allowed_shells[i]; i++) {
-            if (strcmp(nctx->allowed_shells[i], user_shell) == 0) {
-                DEBUG(SSSDBG_FUNC_DATA,
-                      "The shell '%s' is allowed but does not exist. "
-                        "Using fallback\n", user_shell);
-                return talloc_strdup(mem_ctx, nctx->shell_fallback);
+        if (strcmp(nctx->allowed_shells[0], "*") == 0) {
+            DEBUG(SSSDBG_FUNC_DATA,
+                  "The shell '%s' is allowed but does not exist. "
+                  "Using fallback\n", user_shell);
+            return talloc_strdup(mem_ctx, nctx->shell_fallback);
+        } else {
+            for (i=0; nctx->allowed_shells[i]; i++) {
+                if (strcmp(nctx->allowed_shells[i], user_shell) == 0) {
+                    DEBUG(SSSDBG_FUNC_DATA,
+                          "The shell '%s' is allowed but does not exist. "
+                          "Using fallback\n", user_shell);
+                    return talloc_strdup(mem_ctx, nctx->shell_fallback);
+                }
             }
         }
     }
-- 
1.9.3