From c8d517bacd47f3d5c706a53561924ac20d0b3321 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Fri, 7 Sep 2018 22:19:26 +0200
Subject: [PATCH 20/21] getsockopt_wrapper: add support for PAM clients

PAM clients expect that the private socket of the PAM responder is handled by root. With this patch getsockopt_wrapper can return the expected UID and GID to PAM clients.

Related to https://pagure.io/SSSD/sssd/issue/3500

Reviewed-by: Jakub Hrozek
(cherry picked with fixes from commit d332c8a0e7a4c7f0b3ee1b2110145a23cbd61c2a)
---
 src/tests/intg/getsockopt_wrapper.c | 35 +++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)

diff --git a/src/tests/intg/getsockopt_wrapper.c b/src/tests/intg/getsockopt_wrapper.c
index 77c832329..eb8fa56dd 100644
--- a/src/tests/intg/getsockopt_wrapper.c
+++ b/src/tests/intg/getsockopt_wrapper.c
@@ -9,6 +9,7 @@
 #include
 #include
 #include
+#include
 static bool is_dbus_socket(int fd)
 {
@@ -27,6 +28,38 @@ static bool is_dbus_socket(int fd)
 return NULL != strstr(unix_socket->sun_path, "system_bus_socket");
 }
+static bool peer_is_private_pam(int fd)
+{
+ int ret;
+ struct sockaddr_storage addr = { 0 };
+ socklen_t addrlen = sizeof(addr);
+ struct sockaddr_un *unix_socket;
+
+ ret = getpeername(fd, (struct sockaddr *)&addr, &addrlen);
+ if (ret != 0) return false;
+
+ if (addr.ss_family != AF_UNIX) return false;
+
+ unix_socket = (struct sockaddr_un *)&addr;
+
+ return NULL != strstr(unix_socket->sun_path, "private/pam");
+}
+
+static void fake_peer_uid_gid(uid_t *uid, gid_t *gid)
+{
+ char *val;
+
+ val = getenv("SSSD_INTG_PEER_UID");
+ if (val != NULL) {
+ *uid = atoi(val);
+ }
+
+ val = getenv("SSSD_INTG_PEER_GID");
+ if (val != NULL) {
+ *gid = atoi(val);
+ }
+}
+
 typedef typeof(getsockopt) getsockopt_fn_t;
 static getsockopt_fn_t *orig_getsockopt = NULL;
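Review bot: `atoi()` in `fake_peer_uid_gid()` cannot report a parse failure, so an empty or mistyped `SSSD_INTG_PEER_UID` / `SSSD_INTG_PEER_GID` yields 0 and the wrapper silently presents the peer as root. The commit message says root is what PAM clients expect to see, so a misconfigured test can pass for the wrong reason. Parsing with `strtoul()` and leaving the real credentials untouched on bad input keeps a bad setting visible as a test failure; the sketch below needs `errno.h` if the file does not already include it. Separately, `peer_is_private_pam()` accepts `private/pam` anywhere in the peer path, so any socket whose path merely contains that substring is treated as the PAM private socket; comparing the end of the path would be tighter.

```c
/* Read a decimal ID from the environment; returns false and leaves
 * *id untouched when the variable is unset or not a plain number. */
static bool env_to_id(const char *name, unsigned long *id)
{
    const char *val = getenv(name);
    char *end = NULL;
    unsigned long parsed;

    /* Reject unset, empty, signed and whitespace-prefixed values. */
    if (val == NULL || *val < '0' || *val > '9') return false;

    errno = 0;
    parsed = strtoul(val, &end, 10);
    if (errno != 0 || *end != '\0') return false;

    *id = parsed;
    return true;
}

static void fake_peer_uid_gid(uid_t *uid, gid_t *gid)
{
    unsigned long id;

    if (env_to_id("SSSD_INTG_PEER_UID", &id)) {
        *uid = (uid_t)id;
    }

    if (env_to_id("SSSD_INTG_PEER_GID", &id)) {
        *gid = (gid_t)id;
    }
}
```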
@@ -52,6 +85,8 @@ int getsockopt(int sockfd, int level, int optname,
 cr = optval;
 if (cr->uid != 0 && is_dbus_socket(sockfd)) {
 cr->uid = 0;
+ } else if (peer_is_private_pam(sockfd)) {
+ fake_peer_uid_gid(&cr->uid, &cr->gid);
 }
 }
-- 
2.19.1
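Review bot: The new `else if` branch rewrites the reported peer credentials without a comment saying why, and unlike the D-Bus branch it does nothing unless the environment variables are set. Suggest adding above the call: `/* PAM clients require the responder's private socket to be owned by root; report the UID/GID from SSSD_INTG_PEER_UID / SSSD_INTG_PEER_GID, if set */`. Because this library changes what peer-credential checks observe, the file header should also state that it is meant for the integration tests only and must not be loaded into a production process. The body of `getsockopt()` starts and ends outside the hunk, so the surrounding level/optname and return-value checks cannot be confirmed from here.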