authorRay Strode <rstrode@redhat.com>2016-09-06 13:54:48 -0400
committerRay Strode <rstrode@redhat.com>2016-09-06 15:49:14 -0400
commit653c18f4c3e93c4b742efe10093fc5b1319b1f0b (patch)
tree97f85cc59a62c7b3ef9d29b2e4941f02eebba9ac
parent316c531e53bf30a0ddf17c038c1943e8fbf76af3 (diff)
user-classify: exclude nologin users
Sometimes admins set a user's shell to nologin to hide it from the user list. This commit fixes accountsservice so that behavior works again.
-rw-r--r--src/user-classify.c77
1 files changed, 42 insertions, 35 deletions
diff --git a/src/user-classify.c b/src/user-classify.c
index 69e6809..b79a35f 100644
--- a/src/user-classify.c
+++ b/src/user-classify.c
@@ -25,6 +25,7 @@
#include "user-classify.h"
#include <string.h>
+#include <unistd.h>
static const char *default_excludes[] = {
"bin",
@@ -84,44 +85,10 @@ user_classify_is_blacklisted (const char *username)
#ifdef ENABLE_USER_HEURISTICS
static gboolean
user_classify_is_excluded_by_heuristics (const gchar *username,
- const gchar *shell,
const gchar *password_hash)
{
gboolean ret = FALSE;
- if (shell != NULL) {
- char *basename, *nologin_basename, *false_basename;
-
-#ifdef HAVE_GETUSERSHELL
- char *valid_shell;
-
- ret = TRUE;
- setusershell ();
- while ((valid_shell = getusershell ()) != NULL) {
- if (g_strcmp0 (shell, valid_shell) != 0)
- continue;
- ret = FALSE;
- }
- endusershell ();
-#endif
-
- basename = g_path_get_basename (shell);
- nologin_basename = g_path_get_basename (PATH_NOLOGIN);
- false_basename = g_path_get_basename (PATH_FALSE);
-
- if (shell[0] == '\0') {
- ret = TRUE;
- } else if (g_strcmp0 (basename, nologin_basename) == 0) {
- ret = TRUE;
- } else if (g_strcmp0 (basename, false_basename) == 0) {
- ret = TRUE;
- }
-
- g_free (basename);
- g_free (nologin_basename);
- g_free (false_basename);
- }
-
if (password_hash != NULL) {
/* skip over the account-is-locked '!' prefix if present */
if (password_hash[0] == '!')
@@ -148,6 +115,43 @@ user_classify_is_excluded_by_heuristics (const gchar *username,
}
#endif /* ENABLE_USER_HEURISTICS */
+static gboolean
+is_invalid_shell (const char *shell)
+{
+ char *basename, *nologin_basename, *false_basename;
+ int ret = FALSE;
+
+#ifdef HAVE_GETUSERSHELL
+ char *valid_shell;
+
+ setusershell ();
+ while ((valid_shell = getusershell ()) != NULL) {
+ if (g_strcmp0 (shell, valid_shell) != 0)
+ continue;
+ ret = FALSE;
+ }
+ endusershell ();
+#endif
+
+ basename = g_path_get_basename (shell);
+ nologin_basename = g_path_get_basename (PATH_NOLOGIN);
+ false_basename = g_path_get_basename (PATH_FALSE);
+
+ if (shell[0] == '\0') {
+ ret = TRUE;
+ } else if (g_strcmp0 (basename, nologin_basename) == 0) {
+ ret = TRUE;
+ } else if (g_strcmp0 (basename, false_basename) == 0) {
+ ret = TRUE;
+ }
+
+ g_free (basename);
+ g_free (nologin_basename);
+ g_free (false_basename);
+
+ return ret;
+}
+
gboolean
user_classify_is_human (uid_t uid,
const gchar *username,
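Review bot: The `getusershell ()` loop in `is_invalid_shell` can no longer change the result, because `ret` starts as `FALSE` and the loop only ever assigns `FALSE`. The removed code set `ret = TRUE;` before `setusershell ()`, so a shell absent from the valid-shell list was excluded; as written, such an account is rejected only when its shell is empty or its basename matches `PATH_NOLOGIN` or `PATH_FALSE`. If the list check is still wanted, restore `ret = TRUE;` ahead of the loop inside the `#ifdef HAVE_GETUSERSHELL` block and add `break;` after `ret = FALSE;`. If it was dropped on purpose, delete the loop so the function does not read as if it consulted the list. `ret` could also be declared `gboolean` to match the return type.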
@@ -157,10 +161,13 @@ user_classify_is_human (uid_t uid,
if (user_classify_is_blacklisted (username))
return FALSE;
+ if (shell != NULL && is_invalid_shell (shell))
+ return FALSE;
+
#ifdef ENABLE_USER_HEURISTICS
/* only do heuristics on the range 500-1000 to catch one off migration problems in Fedora */
if (uid >= 500 && uid < MINIMUM_UID) {
- if (!user_classify_is_excluded_by_heuristics (username, shell, password_hash))
+ if (!user_classify_is_excluded_by_heuristics (username, password_hash))
return TRUE;
}
#endif
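Review bot: The new gate `if (shell != NULL && is_invalid_shell (shell))` lets a NULL shell pass while `is_invalid_shell` rejects an empty string, and nothing in the hunk says which of the two is intended for an account with no shell recorded. The check also now runs for every uid rather than only inside the `ENABLE_USER_HEURISTICS` range, which appears to be the point of the commit but is worth stating next to the code. A comment such as `/* accounts with a nologin/false or empty shell are never listed; a NULL shell is not treated as invalid */` above the check would record both decisions. The body of `user_classify_is_human` starts and ends outside this hunk.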