On Tue, Nov 26, 2024 at 5:46 AM Christian Göttsche <cgoettsche@xxxxxxxxxxxxx> wrote:
>
> From: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
>
> Consider paths with the prefix /usr for shells by including them in the
> list of fallback default shells and by extending the check for a nologin
> shell.
>
> Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
For these nine patches: Acked-by: James Carter <jwcart2@xxxxxxxxx>
> ---
> libsemanage/src/genhomedircon.c | 32 +++++++++++++++++++++++---------
> 1 file changed, 23 insertions(+), 9 deletions(-)
>
> diff --git a/libsemanage/src/genhomedircon.c b/libsemanage/src/genhomedircon.c
> index 19543799..8782e2cb 100644
> --- a/libsemanage/src/genhomedircon.c
> +++ b/libsemanage/src/genhomedircon.c
> @@ -192,15 +192,23 @@ static semanage_list_t *default_shell_list(void)
> semanage_list_t *list = NULL;
>
> if (semanage_list_push(&list, "/bin/csh")
> + || semanage_list_push(&list, "/usr/bin/csh")
> || semanage_list_push(&list, "/bin/tcsh")
> + || semanage_list_push(&list, "/usr/bin/tcsh")
> || semanage_list_push(&list, "/bin/ksh")
> + || semanage_list_push(&list, "/usr/bin/ksh")
> || semanage_list_push(&list, "/bin/bsh")
> + || semanage_list_push(&list, "/usr/bin/bsh")
> || semanage_list_push(&list, "/bin/ash")
> - || semanage_list_push(&list, "/usr/bin/ksh")
> + || semanage_list_push(&list, "/usr/bin/ash")
> + || semanage_list_push(&list, "/bin/pdksh")
> || semanage_list_push(&list, "/usr/bin/pdksh")
> || semanage_list_push(&list, "/bin/zsh")
> + || semanage_list_push(&list, "/usr/bin/zsh")
> || semanage_list_push(&list, "/bin/sh")
> - || semanage_list_push(&list, "/bin/bash"))
> + || semanage_list_push(&list, "/usr/bin/sh")
> + || semanage_list_push(&list, "/bin/bash")
> + || semanage_list_push(&list, "/usr/bin/bash"))
> goto fail;
>
> return list;
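Review bot: The fallback list now spells every shell twice, once per prefix, and nothing in the code ties the two spellings together — the pre-change list already had `/usr/bin/ksh` and `/usr/bin/pdksh` without matching `/bin` entries, which is exactly the drift a hand-maintained pair list invites. A `static const` table of shell names and a loop over the two prefixes would make the pairing structural and keep future additions to one line. get_shell_list reuses its getline buffer across pushes and frees it once after the loop, so semanage_list_push appears to copy its argument and a stack buffer is safe to pass; confirm that against the definition, which is outside this hunk. default_shell_list's opening lines are also outside the hunk.
```c
	static const char *const names[] = {
		"csh", "tcsh", "ksh", "bsh", "ash", "pdksh", "zsh", "sh", "bash",
	};
	static const char *const prefixes[] = { "/bin/", "/usr/bin/" };
	semanage_list_t *list = NULL;
	char path[PATH_MAX];	/* PATH_MAX comes from <limits.h> */

	/* Same order as the literal list: /bin/X immediately followed by /usr/bin/X. */
	for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
		for (size_t j = 0; j < sizeof prefixes / sizeof prefixes[0]; j++) {
			int n = snprintf(path, sizeof path, "%s%s", prefixes[j], names[i]);
			if (n < 0 || (size_t)n >= sizeof path || semanage_list_push(&list, path))
				goto fail;
		}
	}

	return list;
	/* … unchanged: fail label and cleanup … */
```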
> @@ -210,6 +218,12 @@ static semanage_list_t *default_shell_list(void)
> return NULL;
> }
>
> +static bool is_nologin_shell(const char *path)
> +{
> + return strcmp(path, PATH_NOLOGIN_SHELL) == 0 ||
> + strcmp(path, "/usr" PATH_NOLOGIN_SHELL) == 0;
> +}
> +
> static semanage_list_t *get_shell_list(void)
> {
> FILE *shells;
> @@ -223,13 +237,13 @@ static semanage_list_t *get_shell_list(void)
> return default_shell_list();
> while ((len = getline(&temp, &buff_len, shells)) > 0) {
> if (temp[len-1] == '\n') temp[len-1] = 0;
> - if (strcmp(temp, PATH_NOLOGIN_SHELL)) {
> - if (semanage_list_push(&list, temp)) {
> - free(temp);
> - semanage_list_destroy(&list);
> - fclose(shells);
> - return NULL;
> - }
> + if (is_nologin_shell(temp))
> + continue;
> + if (semanage_list_push(&list, temp)) {
> + free(temp);
> + semanage_list_destroy(&list);
> + fclose(shells);
> + return NULL;
> }
> }
> free(temp);
> --
> 2.45.2
>
>
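Review bot: is_nologin_shell derives the /usr variant by literal concatenation, `"/usr" PATH_NOLOGIN_SHELL`, which silently requires PATH_NOLOGIN_SHELL to be a string-literal macro whose value starts with a slash; a comment above the return such as `/* PATH_NOLOGIN_SHELL must be an absolute-path string literal: it is concatenated with "/usr" for merged-/usr layouts */` would record that constraint where the next editor of the macro will see it. The helper also introduces `bool`, so `<stdbool.h>` has to be included already; the include block is outside this hunk, so that cannot be confirmed from here.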
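Review bot: The loop in get_shell_list still pushes every non-nologin line of /etc/shells verbatim, so if the file carries a `#` comment line — the format permits them — that text ends up in the shell list alongside real paths; this predates the patch, but the new skip is the natural place to handle it, e.g. `if (temp[0] == '#' || is_nologin_shell(temp))` before the `continue;`. Only a trailing `\n` is stripped, so an entry with trailing whitespace would also miss the exact-match nologin check and be kept as a shell; whether /etc/shells is ever written that way in practice is not something this hunk shows. get_shell_list's declarations and the fclose/return at the end of the function are outside the hunk.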