* I have added group support to libselinux
@ 2008-08-01 11:02 Daniel J Walsh
2008-08-05 13:32 ` Stephen Smalley
0 siblings, 1 reply; 2+ messages in thread
From: Daniel J Walsh @ 2008-08-01 11:02 UTC (permalink / raw)
To: SE Linux
[-- Attachment #1: Type: text/plain, Size: 568 bytes --]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
If you create an seusers file using the sudo syntax %groupname,
getseuserbyname will check the user's groups for a match.
Match sequence will be:
username exists
FIRST group match
default
I will be sending a separate patch to allow semanage to add %groupname
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkiS7UsACgkQrlYvE4MpobPa7ACgwAZvdg8hD+KRT2hBY0dhna8o
tQ8AmwRgEatZmS8hUuw3Bx/uwdnyG4OG
=IRCg
-----END PGP SIGNATURE-----
[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 3174 bytes --]
diff --exclude-from=exclude -N -u -r nsalibselinux/src/seusers.c libselinux-2.0.70/src/seusers.c
--- nsalibselinux/src/seusers.c 2008-06-12 23:25:14.000000000 -0400
+++ libselinux-2.0.70/src/seusers.c 2008-08-01 06:53:03.000000000 -0400
@@ -89,6 +89,62 @@
int require_seusers hidden = 0;
+#include <pwd.h>
+#include <grp.h>
+
+static gid_t get_default_gid(const char *name) {
+ struct passwd pwstorage, *pwent = NULL;
+ gid_t gid = -1;
+ /* Allocate space for the getpwnam_r buffer */
+ long rbuflen = sysconf(_SC_GETPW_R_SIZE_MAX);
+ if (rbuflen <= 0) return -1;
+ char *rbuf = malloc(rbuflen);
+ if (rbuf == NULL) return -1;
+
+ int retval = getpwnam_r(name, &pwstorage, rbuf, rbuflen, &pwent);
+ if (retval == 0 || pwent != NULL) {
+ gid = pwent->pw_gid;
+ }
+ free(rbuf);
+ return gid;
+}
+
+static int check_group(const char *group, const char *name, const gid_t gid) {
+ int match = 0;
+ int i, ng = 0;
+ gid_t *groups = NULL;
+ struct group gbuf, *grent = NULL;
+
+ long rbuflen = sysconf(_SC_GETGR_R_SIZE_MAX);
+ if (rbuflen <= 0)
+ return 0;
+ char *rbuf = malloc(rbuflen);
+ if (rbuf == NULL)
+ return 0;
+
+ if (getgrnam_r(group, &gbuf, rbuf, rbuflen,
+ &grent) != 0)
+ goto done;
+
+ if (getgrouplist(name, gid, NULL, &ng) < 0) {
+ groups = (gid_t *) malloc(sizeof (gid_t) * ng);
+ if (!groups) goto done;
+ if (getgrouplist(name, gid, groups, &ng) < 0) goto done;
+ }
+
+ for (i = 0; i < ng; i++) {
+ if (grent->gr_gid == groups[i]) {
+ match = 1;
+ goto done;
+ }
+ }
+
+ done:
+ free(groups);
+ free(rbuf);
+ return match;
+}
+
int getseuserbyname(const char *name, char **r_seuser, char **r_level)
{
FILE *cfg = NULL;
@@ -101,9 +157,14 @@
char *username = NULL;
char *seuser = NULL;
char *level = NULL;
+ char *groupseuser = NULL;
+ char *grouplevel = NULL;
char *defaultseuser = NULL;
char *defaultlevel = NULL;
+ gid_t gid = get_default_gid(name);
+ if ( gid == (gid_t) -1 ) goto nomatch;
+
cfg = fopen(selinux_usersconf_path(), "r");
if (!cfg)
goto nomatch;
@@ -124,31 +185,48 @@
if (!strcmp(username, name))
break;
- if (!defaultseuser && !strcmp(username, "__default__")) {
- free(username);
- defaultseuser = seuser;
- defaultlevel = level;
+ if (username[0] == '%' &&
+ !groupseuser &&
+ check_group(&username[1], name, gid)) {
+ groupseuser = seuser;
+ grouplevel = level;
} else {
- free(username);
- free(seuser);
- free(level);
+ if (!defaultseuser &&
+ !strcmp(username, "__default__")) {
+ defaultseuser = seuser;
+ defaultlevel = level;
+ } else {
+ free(seuser);
+ free(level);
+ }
}
+ free(username);
+ username = NULL;
seuser = NULL;
}
- if (buffer)
- free(buffer);
+ free(buffer);
fclose(cfg);
if (seuser) {
free(username);
free(defaultseuser);
free(defaultlevel);
+ free(groupseuser);
+ free(grouplevel);
*r_seuser = seuser;
*r_level = level;
return 0;
}
+ if (groupseuser) {
+ free(defaultseuser);
+ free(defaultlevel);
+ *r_seuser = groupseuser;
+ *r_level = grouplevel;
+ return 0;
+ }
+
if (defaultseuser) {
*r_seuser = defaultseuser;
*r_level = defaultlevel;
[-- Attachment #3: diff.sig --]
[-- Type: application/octet-stream, Size: 72 bytes --]
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: I have added group support to libselinux
2008-08-01 11:02 I have added group support to libselinux Daniel J Walsh
@ 2008-08-05 13:32 ` Stephen Smalley
0 siblings, 0 replies; 2+ messages in thread
From: Stephen Smalley @ 2008-08-05 13:32 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: SE Linux
On Fri, 2008-08-01 at 07:02 -0400, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> If you create an seusers file using the sudo syntax %groupname,
> getseuserbyname will check the user's groups for a match.
>
> Match sequence will be:
>
> username exists
> FIRST group match
> default
>
> I will be sending a separate patch to allow semanage to add %groupname
Thanks. I applied the following patch on top of your patch. The
changes are:
- only look at the pwent if getpwnam_r returned 0 (success),
- don't skip the rest of the getseuserbyname() lookup if
get_default_gid() fails.
In the first case, pwent might reference garbage, and in the second, I
didn't want a failure there to completely prevent any logins.
Index: libselinux/src/seusers.c
===================================================================
--- libselinux/src/seusers.c (revision 2944)
+++ libselinux/src/seusers.c (working copy)
@@ -102,7 +102,7 @@
if (rbuf == NULL) return -1;
int retval = getpwnam_r(name, &pwstorage, rbuf, rbuflen, &pwent);
- if (retval == 0 || pwent != NULL) {
+ if (retval == 0 && pwent) {
gid = pwent->pw_gid;
}
free(rbuf);
@@ -163,7 +163,6 @@
char *defaultlevel = NULL;
gid_t gid = get_default_gid(name);
- if ( gid == (gid_t) -1 ) goto nomatch;
cfg = fopen(selinux_usersconf_path(), "r");
if (!cfg)
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2008-08-05 13:32 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2008-08-01 11:02 I have added group support to libselinux Daniel J Walsh
2008-08-05 13:32 ` Stephen Smalley
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.