Extend PAM+NSS sharelink access to cover all three access modes in order to

jonasbardino · jonasbardino · commit 41b3fb09e41b · 2025-07-20T12:03:00.000+02:00
support access from sshd+sftpsubsys service, too.

Simply adjusts the existing read-write sharelink test and auth to instead loop
through the three access modes in turn and do the similar test for each. Minor
adjustments to continue until one succeeds or all have been tried.

The existing test+auth code is purposefully kept unindented in this version to
make the diff simple to review. Will follow-up with a separate commit which
only indents to fit loop nesting to keep that change simple as well.
diff --git a/mig/src/include/auth/migauth.h b/mig/src/include/auth/migauth.h
@@ -107,8 +107,14 @@
 #ifndef SHARELINK_LENGTH
 #define SHARELINK_LENGTH 42
 #endif
-#ifndef SHARELINK_SUBDIR
-#define SHARELINK_SUBDIR "read-write"
+#ifndef SHARELINK_RW_DIR
+#define SHARELINK_RW_DIR "read-write"
+#endif
+#ifndef SHARELINK_RO_DIR
+#define SHARELINK_RO_DIR "read-only"
+#endif
+#ifndef SHARELINK_WO_DIR
+#define SHARELINK_WO_DIR "write-only"
 #endif
 #endif                          /* !DISABLE_SHARELINK */
 
diff --git a/mig/src/libnss-mig/libnss_mig.c b/mig/src/libnss-mig/libnss_mig.c
@@ -177,18 +177,23 @@ _nss_mig_getpwnam_r(const char *name,
 #ifdef ENABLE_SHARELINK
     /* Optional anonymous share link access:
        - username must have fixed length matching get_sharelink_length()
-       - get_sharelink_home()/SHARELINK_SUBDIR/username must exist as a symlink
+       - get_sharelink_home()/SHARELINK_X_DIR/username must exist as a symlink
        - username and password must be identical or pub key fit authorized_keys
      */
     if (keep_trying && name_len == get_sharelink_length()) {
         WRITELOGMESSAGE(LOG_DEBUG, "Checking for sharelink: %s\n", name);
+
+        char sharelink_modes[][10] = { SHARELINK_RW_DIR, SHARELINK_RO_DIR, SHARELINK_WO_DIR };
+        for (size_t i = 0; i < sizeof(sharelink_modes) / sizeof(sharelink_modes[0]); i++)
+        {
+
         memset(pathbuf, 0, PATH_BUF_LEN);
         if (PATH_BUF_LEN ==
             snprintf(pathbuf, PATH_BUF_LEN, "%s/%s/%s",
-                     get_sharelink_home(), SHARELINK_SUBDIR, name)) {
+                     get_sharelink_home(), sharelink_modes[i], name)) {
             WRITELOGMESSAGE(LOG_WARNING,
                             "Path construction overflow for: %s/%s/%s\n",
-                            get_sharelink_home(), SHARELINK_SUBDIR, name);
+                            get_sharelink_home(), sharelink_modes[i], name);
             return NSS_STATUS_NOTFOUND;
         }
         /* Make sure prefix of direct sharelink target is user home */
@@ -222,8 +227,12 @@ _nss_mig_getpwnam_r(const char *name,
             is_share = 1;
             pathlen =
                 strlen(get_sharelink_home()) +
-                strlen(SHARELINK_SUBDIR) + name_len + 2;
+                strlen(sharelink_modes[i]) + name_len + 2;
+            break;
         }
+
+        }
+
     }
     WRITELOGMESSAGE(LOG_DEBUG, "Detect sharelink: %d\n", is_share);
 #endif                          /* ENABLE_SHARELINK */
diff --git a/mig/src/libpam-mig/libpam_mig.c b/mig/src/libpam-mig/libpam_mig.c
@@ -708,27 +708,36 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t * pamh, int flags,
 #ifdef ENABLE_SHARELINK
     /* Optional anonymous share link access:
        - username must have fixed length matching get_sharelink_length()
-       - get_sharelink_home()/SHARELINK_SUBDIR/username must exist as a symlink
+       - get_sharelink_home()/SHARELINK_X_DIR/username must exist as a symlink
        - username and password must be identical if we get here (key skips PAM)
      */
     WRITELOGMESSAGE(LOG_DEBUG, "Checking for sharelink: %s\n", pUsername);
     if (strlen(pUsername) == get_sharelink_length()) {
         char share_path[MAX_PATH_LENGTH];
+
+        char sharelink_modes[][10] = { SHARELINK_RW_DIR, SHARELINK_RO_DIR, SHARELINK_WO_DIR };
+        for (size_t i = 0; i < sizeof(sharelink_modes) / sizeof(sharelink_modes[0]); i++)
+        {
+
+        memset(share_path, 0, MAX_PATH_LENGTH);
+
         if (MAX_PATH_LENGTH ==
             snprintf(share_path, MAX_PATH_LENGTH, "%s/%s/%s",
-                     get_sharelink_home(), SHARELINK_SUBDIR, pUsername)) {
+                     get_sharelink_home(), sharelink_modes[i], pUsername)) {
             WRITELOGMESSAGE(LOG_WARNING,
                             "Path construction failed for: %s/%s/%s\n",
-                            get_sharelink_home(), SHARELINK_SUBDIR, pUsername);
+                            get_sharelink_home(), sharelink_modes[i], pUsername);
             return pam_sm_authenticate_exit(PAM_AUTH_ERR, pwresp);
         }
         /* NSS lookup assures sharelink target is valid and inside user home */
         /* Just check simple access here to make sure it is a share link */
         if (access(share_path, R_OK) == 0) {
             WRITELOGMESSAGE(LOG_DEBUG,
-                            "Checking sharelink id %s password\n", pUsername);
+                            "Checking %s sharelink id %s password\n", sharelink_modes[i],
+                            pUsername);
             if (strcmp(pUsername, pPassword) == 0) {
-                WRITELOGMESSAGE(LOG_DEBUG, "Return sharelink success\n");
+                WRITELOGMESSAGE(LOG_DEBUG, "Return %s sharelink success\n",
+                                sharelink_modes[i]);
 #ifdef ENABLE_AUTHHANDLER
                 if (false == mig_reg_auth_attempt(MIG_SKIP_TWOFA_CHECK
                                                    | MIG_SKIP_NOTIFY
@@ -759,11 +768,18 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t * pamh, int flags,
 #endif                          /* ENABLE_AUTHHANDLER */
                 return pam_sm_authenticate_exit(PAM_AUTH_ERR, pwresp);
             }
+        } else if (i < sizeof(sharelink_modes) - 1) {
+            WRITELOGMESSAGE(LOG_DEBUG,
+                            "Ignore no match on %s sharelink: %s\n", sharelink_modes[i],
+                            pUsername);
         } else {
             WRITELOGMESSAGE(LOG_DEBUG,
                             "No matching sharelink: %s. Try next auth.\n",
                             share_path);
         }
+
+        }
+
     } else {
         WRITELOGMESSAGE(LOG_DEBUG,
                         "Not a sharelink username: %s. Try next auth.\n",
