util-linux.vger.kernel.org archive mirror
* Adding support to chsh for non-local shell modification
@ 2012-10-03  2:58 Cody Maloney
  2012-10-03 10:24 ` Karel Zak
  0 siblings, 1 reply; 4+ messages in thread
From: Cody Maloney @ 2012-10-03  2:58 UTC (permalink / raw)
  To: util-linux

Hi,

I would like to implement support for non-local shell changing in chsh
at the very least, and possibly support for non-local user attributes
in general for the other attribute modification tools in login-utils.
For my purposes I need LDAP support, but it would probably be better
to make it able to use an arbitrary storage backend.  Ideally an API
would already exist for this, but while one for setting authentication
tokens has evolved (pam_chauthtok) and one for reading user attributes
(Name Service Switch NSS), there is none for setting them as far as I can
tell. As such, I think the best route would be just to make a new API
for this.

I think this could be done by adding a new configuration file and
module API. The configuration file would contain information on what
user ids to map to which name attribute changing module (and allow
users to specify only some attributes to go to specific modules). The
module API would consist of a single entry point which would take a
string indicating what attribute to change ("shell", etc.), and the
user id. The function could return any of a set of standard error
codes (permission denied, success, user unknown, etc). chsh would move
all passwd file logic outside of itself and into one of these modules,
and use dlopen/dlsym to load the desired function out of the desired
module.

Should I implement this route and send patches for review, or would
there be some other preferred route to getting the feature into
login-utils?

Thanks,
Cody


* Re: Adding support to chsh for non-local shell modification
  2012-10-03  2:58 Adding support to chsh for non-local shell modification Cody Maloney
@ 2012-10-03 10:24 ` Karel Zak
  2012-10-07 17:08   ` Cody Maloney
  0 siblings, 1 reply; 4+ messages in thread
From: Karel Zak @ 2012-10-03 10:24 UTC (permalink / raw)
  To: Cody Maloney; +Cc: util-linux, Miloslav Trmac

On Tue, Oct 02, 2012 at 07:58:39PM -0700, Cody Maloney wrote:
> I would like to implement support for non-local shell changing in chsh
> at the very least, and possibly support for non-local user attributes
> in general for the other attribute modification tools in login-utils.
> For my purposes I need LDAP support, but it would probably be better
> to make it able to use an arbitrary storage backend.  Ideally an API
> would already exist for this, but while one for setting authentication
> tokens has evolved (pam_chauthtok) and one for reading user attributes
> (Name Service Switch NSS), there is none for setting them as far as I can
> tell. As such, I think the best route would be just to make a new API
> for this.

 Already implemented:
     https://fedorahosted.org/libuser/

 it also provides utils like lchfn or lchsh. Not sure, but maybe it
 would be possible to optionally link the default chfn and chsh utils
 with the library too.

 [CC: to Miloslav, author of the library]

    Karel


-- 
 Karel Zak  <kzak@redhat.com>
 http://karelzak.blogspot.com


* Re: Adding support to chsh for non-local shell modification
  2012-10-03 10:24 ` Karel Zak
@ 2012-10-07 17:08   ` Cody Maloney
  2012-10-08 15:58     ` Miloslav Trmac
  0 siblings, 1 reply; 4+ messages in thread
From: Cody Maloney @ 2012-10-07 17:08 UTC (permalink / raw)
  To: Karel Zak, Miloslav Trmac; +Cc: util-linux

On Wed, Oct 3, 2012 at 4:24 AM, Karel Zak <kzak@redhat.com> wrote:
> On Tue, Oct 02, 2012 at 07:58:39PM -0700, Cody Maloney wrote:
>> I would like to implement support for non-local shell changing in chsh
>> at the very least, and possibly support for non-local user attributes
>> in general for the other attribute modification tools in login-utils.
>> For my purposes I need LDAP support, but it would probably be better
>> to make it able to use an arbitrary storage backend.  Ideally an API
>> would already exist for this, but while one for setting authentication
>> tokens has evolved (pam_chauthtok) and one for reading user attributes
>> (Name Service Switch NSS), there is none for setting them as far as I can
>> tell. As such, I think the best route would be just to make a new API
>> for this.
>
>  Already implemented:
>      https://fedorahosted.org/libuser/
>
>  it also provides utils like lchfn or lchsh. Not sure, but maybe it
>  would be possible to optionally link the default chfn and chsh utils
>  with the library too.

Apologies for the slow response.

Looking at chsh, it definitely looks like it should be relatively easy
to utilize libuser within it and add a configure for disabling the
dependency. If it's okay with both maintainers, both lchsh and chsh
are licensed under the GPL so I'd like to just merge lchsh's code into
chsh (rather than try to write what should be pretty much exactly the
same thing from the API documentation).

If you both approve I'll start working on writing the necessary
patches, first adding support to chsh, then, once those patches are in
a happy state, implementing chfn using the same method.

Cody


* Re: Adding support to chsh for non-local shell modification
  2012-10-07 17:08   ` Cody Maloney
@ 2012-10-08 15:58     ` Miloslav Trmac
  0 siblings, 0 replies; 4+ messages in thread
From: Miloslav Trmac @ 2012-10-08 15:58 UTC (permalink / raw)
  To: Cody Maloney; +Cc: util-linux, Karel Zak

----- Original Message -----
> Looking at chsh, it definitely looks like it should be relatively easy
> to utilize libuser within it and add a configure for disabling the
> dependency. If it's okay with both maintainers, both lchsh and chsh
> are licensed under the GPL so I'd like to just merge lchsh's code into
> chsh (rather than try to write what should be pretty much exactly the
> same thing from the API documentation).

Yes, that sounds reasonable.  There don't seem to be command-line argument differences, perhaps we might end up with lchsh a symlink to chsh (as long as that can be done compatibly).

> If you both approve I'll start working on writing the necessary
> patches, first adding support to chsh, then, once those patches are in
> a happy state, implementing chfn using the same method.

Please keep me Cc:ed on the patches.

Let me add just a few notes:

1) If (!lu_uses_elevated_privileges()), the program should drop all privileges and skip the PAM authentication.
2) Until either the privileges are dropped or the PAM auth is performed, the program should be extremely paranoid about passing untrusted data to libuser.
3) For even more paranoia, clear LIBUSER_CONF from the environment before doing anything with libuser.

    Mirek
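The startup order the three notes describe, written out as an added example (not util-linux or libuser code). Assumptions: the answer of lu_uses_elevated_privileges() is passed in as a flag rather than called, the "paranoid" handling of untrusted input is a strict syntax filter on the shell argument (the /etc/shells check chsh already does comes later), and the privilege drop uses setresgid/setresuid.

```c
/* Added example, not code from util-linux or libuser. */
#define _GNU_SOURCE
#include <ctype.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

enum startup { STARTUP_OK_NO_PAM, STARTUP_OK_NEED_PAM, STARTUP_DROP_FAILED, STARTUP_BAD_SHELL };

/* Note 3: remove LIBUSER_CONF before any libuser call could honour it.
 * Returns true if it was set, i.e. someone tried to redirect the config. */
bool scrub_libuser_env(void)
{
    bool was_set = getenv("LIBUSER_CONF") != NULL;
    unsetenv("LIBUSER_CONF");
    return was_set;
}

/* Note 1: drop to the real uid/gid irrevocably (saved ids too), gid first,
 * and verify the drop actually took instead of trusting the return codes. */
bool drop_privileges(void)
{
    if (setresgid(getgid(), getgid(), getgid()) != 0) return false;
    if (setresuid(getuid(), getuid(), getuid()) != 0) return false;
    return geteuid() == getuid() && getegid() == getgid() &&
           (getuid() == 0 || setuid(0) != 0);   /* regaining root must fail */
}

/* Note 2: the new shell is untrusted until auth has happened. Accept only an
 * absolute path of printable ASCII with no whitespace and no passwd/LDIF-style
 * separators; keep it short so nothing downstream has to truncate it. */
bool shell_arg_is_sane(const char *shell)
{
    if (shell == NULL || shell[0] != '/') return false;
    size_t len = strlen(shell);
    if (len < 2 || len >= 256) return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)shell[i];
        if (!isprint(c) || isspace(c) || c == ':' || c == ',' || c == '=')
            return false;
    }
    return true;
}

/* Order from the notes: scrub the environment, then either drop privileges
 * and skip PAM, or keep them and require PAM auth before libuser writes. */
enum startup chsh_startup(const char *new_shell, bool backend_needs_privileges)
{
    scrub_libuser_env();
    if (!backend_needs_privileges && !drop_privileges()) return STARTUP_DROP_FAILED;
    if (!shell_arg_is_sane(new_shell)) return STARTUP_BAD_SHELL;
    return backend_needs_privileges ? STARTUP_OK_NEED_PAM : STARTUP_OK_NO_PAM;
}
```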

