From 542cb84153c08db1ed3be0cf5467b877bb213343 Mon Sep 17 00:00:00 2001 From: Stef Walter Date: Fri, 12 Apr 2013 13:47:31 +0200 Subject: [PATCH] Clarify realm permit/deny commands * Deny is not able to add specific users to a blacklist. * Add --withdraw options for removing users from the permitted list * Compatibility to fall through with previous behavior * Better messages when arguments are invalid https://bugs.freedesktop.org/show_bug.cgi?id=62518 --- doc/manual/realm.xml | 50 +++++++++++++++++---------------- tools/realm-logins.c | 78 +++++++++++++++++++++++++++++----------------------- tools/realm.c | 4 +-- 3 files changed, 72 insertions(+), 60 deletions(-) diff --git a/doc/manual/realm.xml b/doc/manual/realm.xml index c5e0c9c..8a85172 100644 --- a/doc/manual/realm.xml +++ b/doc/manual/realm.xml @@ -42,10 +42,10 @@ realm list - realm permit -a -R realm user + realm permit -ax -R realm user - realm deny -a -R realm user + realm deny -a -R realm @@ -301,15 +301,17 @@ $ realm list -$ realm permit -a - - +$ realm permit --all $ realm permit DOMAIN\User +$ realm permit DOMAIN\User2 +$ realm permit --withdraw DOMAIN\User - If more than one realm is configured, then use the - option to specify which realm to permit the users on. + The current login policy and format of the user names can be seen + by using the realm list command. + + The following options can be used: The format of the user name can be seen by using the command. 
@@ -319,14 +321,20 @@ $ realm permit DOMAIN\User - Permit login according to the realm or - domain policy for logins on this machine. This usually - defaults to allowing any realm user to log in. + Permit logins using realm accounts on + the local machine according to the realm policy.This + usually defaults to allowing any realm user to log + in. - Specify the name of the realm to permit - users to log into. + Specify the of the realm to change login + policy for. + + + + Remove a login from the list of realm + accounts permitted to log into the machine. @@ -335,30 +343,24 @@ $ realm permit DOMAIN\User Deny - Deny local login by users of the realm. + Deny local login by realm accounts. -$ realm deny -a - - -$ realm deny DOMAIN\User +$ realm deny --all - If more than one realm is configured, then use the - option to specify which realm to deny the users' login via. - - The format of the user name can be seen by using the - command. + This command prevents realm accounts from logging into the local + machine. Use realm permit to restrict logins to + specific accounts. The following options can be used: - Deny login by any valid user of the - realm. + This option should be specified diff --git a/tools/realm-logins.c b/tools/realm-logins.c index bea26ed..0b10946 100644 --- a/tools/realm-logins.c +++ b/tools/realm-logins.c @@ -80,11 +80,11 @@ locate_configured_matching_realm (RealmClient *client, } static int -perform_permit_or_deny_logins (RealmClient *client, - const gchar *realm_name, - const gchar **logins, - gint n_logins, - gboolean permit) +perform_permit_specific (RealmClient *client, + const gchar *realm_name, + const gchar **logins, + gint n_logins, + gboolean withdraw) { RealmDbusRealm *realm; SyncClosure sync; 
@@ -108,8 +108,8 @@ perform_permit_or_deny_logins (RealmClient *client, g_variant_ref_sink (options); realm_dbus_realm_call_change_login_policy (realm, REALM_DBUS_LOGIN_POLICY_PERMITTED, - permit ? (const gchar * const*)add_or_remove : empty, - permit ? empty : (const gchar * const*)add_or_remove, + withdraw ? empty : (const gchar * const*)add_or_remove, + withdraw ? (const gchar * const*)add_or_remove : empty, options, NULL, on_complete_get_result, &sync); g_variant_unref (options); @@ -124,8 +124,7 @@ perform_permit_or_deny_logins (RealmClient *client, g_object_unref (realm); if (error != NULL) { - realm_handle_error (error, - permit ? _("Couldn't permit logins") : _("Couldn't deny logins")); + realm_handle_error (error, _("Couldn't change permitted logins")); return 1; } @@ -133,9 +132,9 @@ perform_permit_or_deny_logins (RealmClient *client, } static int -perform_permit_or_deny_all (RealmClient *client, - const gchar *realm_name, - gboolean permit) +perform_logins_all (RealmClient *client, + const gchar *realm_name, + gboolean permit) { RealmDbusRealm *realm; SyncClosure sync; @@ -171,8 +170,7 @@ perform_permit_or_deny_all (RealmClient *client, g_object_unref (realm); if (error != NULL) { - realm_handle_error (error, "couldn't %s all logins", - permit ? "permit" : "deny"); + realm_handle_error (error, _("Couldn't change permitted logins")); return 1; } 
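Review bot: The two ternaries passed to `realm_dbus_realm_call_change_login_policy` rely on argument position alone to tell the add list from the remove list. The flag changes sense here from `permit` to `withdraw`, so a swapped branch would silently permit the logins the caller asked to withdraw. Judging from the removed lines, the first array is the set to add and the second the set to remove. A comment directly above the call, such as `/* first list: logins to add to the permitted list; second list: logins to remove */`, would make the mapping checkable at a glance. The body of `perform_permit_specific` starts and ends outside this hunk, so how `add_or_remove` and `empty` are built is not visible here.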
@@ -187,13 +185,18 @@ realm_permit_or_deny (RealmClient *client, { GOptionContext *context; gboolean arg_all = FALSE; + gboolean arg_withdraw = FALSE; gchar *realm_name = NULL; GError *error = NULL; - gint ret = 0; + gint ret = 2; + + /* This implements the deprecated commands */ GOptionEntry option_entries[] = { { "all", 'a', 0, G_OPTION_ARG_NONE, &arg_all, - permit ? N_("Permit any domain user login") : N_("Deny any domain user login"), NULL }, + permit ? N_("Permit any realm account login") : N_("Deny any realm account login"), NULL }, + { "withdraw", 'x', 0, G_OPTION_ARG_NONE, &arg_withdraw, + N_("Withdraw permit for a realm account to login"), NULL }, { "realm", 'R', 0, G_OPTION_ARG_STRING, &realm_name, N_("Realm to permit/deny logins for"), NULL }, { NULL, } }; 
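Review bot: The added comment `/* This implements the deprecated commands */` is misleading where it sits, above the option table of `realm_permit_or_deny`. That function serves both `permit` and `deny`, and only the `deny <login>` fall-through in the following hunk is deprecated. I would reword it to `/* Shared by permit and deny; deny with specific logins is a deprecated alias for permit --withdraw */` or move it next to that branch. The `withdraw` entry is also registered when `permit` is FALSE, where it is later rejected, so it will presumably be listed in the help output for `realm deny`. The function continues outside the hunk.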
@@ -204,29 +207,36 @@ realm_permit_or_deny (RealmClient *client, g_option_context_add_main_entries (context, realm_global_options, NULL); if (!g_option_context_parse (context, &argc, &argv, &error)) { - g_printerr ("%s: %s\n", g_get_prgname (), error->message); + realm_print_error ("%s", error->message); g_error_free (error); - g_free (realm_name); - g_option_context_free (context); - return 2; - } - if (arg_all) { - if (argc != 1) { - g_printerr ("%s: %s\n", _("No users should be specified with -a or --all"), g_get_prgname ()); - ret = 2; - } else { - ret = perform_permit_or_deny_all (client, realm_name, permit); - } + } else if (arg_all && argc != 1) { + realm_print_error (_("No logins should be specified with -a or --all")); + + } else if (!permit && arg_withdraw) { + realm_print_error (_("The --withdraw or -x arguments cannot be used when denying logins")); + + } else if (arg_all && arg_withdraw) { + realm_print_error (_("Specific logins must be specified with --withdraw")); + + } else if (arg_all) { + ret = perform_logins_all (client, realm_name, permit); + } else if (argc < 2) { - g_printerr ("%s: %s\n", g_get_prgname (), - permit ? _("Specify users to permit") : _("Specify users to deny")); - ret = 2; + if (!permit) + realm_print_error (_("Use --all to deny all logins")); + else + realm_print_error (_("Specify specific users to add or remove from the permitted list")); } else { - ret = perform_permit_or_deny_logins (client, realm_name, - (const gchar **)(argv + 1), - argc - 1, permit); + if (!permit) { + realm_print_error (_("Specifying deny without --all is deprecated. Use realm permit --withdraw")); + arg_withdraw = TRUE; + } + + ret = perform_permit_specific (client, realm_name, + (const gchar **)(argv + 1), + argc - 1, arg_withdraw); } g_free (realm_name); diff --git a/tools/realm.c b/tools/realm.c index 9cb0b62..46aadc0 100644 --- a/tools/realm.c +++ b/tools/realm.c 
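Review bot: In the final `else` branch, `realm deny <login>` prints its deprecation notice through `realm_print_error` and then still calls `perform_permit_specific` with `arg_withdraw` forced to TRUE. The operator sees what looks like a failure while the permitted list is changed and the exit status is presumably 0 on success. Since this path decides who may log in to the machine, the notice should say that the withdrawal is carried out, for example `_("Specifying deny without --all is deprecated. Withdrawing the logins as realm permit --withdraw would")`. A comment above the `if (!permit)` such as `/* compatibility: old 'deny <login>' removed the login from the permitted list */` would record why the fall-through exists. The unbraced `if (!permit) ... else ...` under `argc < 2` is worth bracing to match the rest of the chain; the function starts before the hunk and its cleanup continues after it.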
@@ -40,8 +40,8 @@ struct { { "join", realm_join, "realm join -v [-U user] realm-name", N_("Enroll this machine in a realm") }, { "leave", realm_leave, "realm leave -v [-U user] [realm-name]", N_("Unenroll this machine from a realm") }, { "list", realm_list, "realm list", N_("List known realms") }, - { "permit", realm_permit, "realm permit [-a] [-R realm] user ...", N_("Permit user logins") }, - { "deny", realm_deny, "realm deny [-a] [-R realm] user ...", N_("Deny user logins") }, + { "permit", realm_permit, "realm permit [-ax] [-R realm] user ...", N_("Permit user logins") }, + { "deny", realm_deny, "realm deny --all [-R realm]", N_("Deny user logins") }, }; void -- 1.8.1.4