upstream/illumos/illumos-gate: comparison usr/src/lib/libsecdb/common/chkauthattr.c

equal deleted inserted replaced

-:400aca678a81
+:63678502e95e
 */
 /*
 * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
 */
+#include <alloca.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
-#include <sys/types.h>
 #include <sys/stat.h>
-#include <fcntl.h>
-#include <sys/mman.h>
-#include <limits.h>
 #include <pwd.h>
 #include <nss_dbdefs.h>
 #include <deflt.h>
 #include <auth_attr.h>
 #include <prof_attr.h>
 #include <user_attr.h>
+#define	COPYTOSTACK(dst, csrc)		{	\
-static int _is_authorized(const char *, char *);
+		size_t len = strlen(csrc) + 1;	\
-static int _chk_policy_auth(const char *, const char *, char **, int *);
+		dst = alloca(len);		\
-static int _chkprof_for_auth(const char *, const char *, char **, int *);
+		(void) memcpy(dst, csrc, len);	\
-int
+	}
-chkauthattr(const char *authname, const char *username)
-{
+static kva_t *get_default_attrs(const char *);
-	int		auth_granted = 0;
+static void free_default_attrs(kva_t *);
-	char		*auths;
-	char		*profiles;
+/*
-	userattr_t	*user = NULL;
+* Enumeration functions for auths and profiles; the enumeration functions
-	char		*chkedprof[MAXPROFS];
+* take a callback with four arguments:
-	int		chkedprof_cnt = 0;
+*	const char *		profile name (or NULL unless wantattr is false)
-	int		i;
+*	kva_t *			attributes (or NULL unless wantattr is true)
+*	void *			context
-	if (authname == NULL || username == NULL)
+*	void *			pointer to the result
-		return (0);
+* When the call back returns non-zero, the enumeration ends.
+* The function might be NULL but only for profiles as we are always collecting
-	/* Check against AUTHS_GRANTED and PROFS_GRANTED in policy.conf */
+* all the profiles.
-	auth_granted = _chk_policy_auth(authname, username, chkedprof,
+* Both the auths and the profiles arguments may be NULL.
-	    &chkedprof_cnt);
+*
-	if (auth_granted)
+* These should be the only implementation of the algorithm of "finding me
-		goto exit;
+* all the profiles/athorizations/keywords/etc.
+*/
-	if ((user = getusernam(username)) == NULL)
-		goto exit;
+#define	CONSUSER_PROFILE_KW		"consprofile"
+#define	DEF_LOCK_AFTER_RETRIES		"LOCK_AFTER_RETRIES="
-	/* Check against authorizations listed in user_attr */
-	if ((auths = kva_match(user->attr, USERATTR_AUTHS_KW)) != NULL) {
+static struct dfltplcy {
-		auth_granted = _is_authorized(authname, auths);
+	char *attr;
-		if (auth_granted)
+	const char *defkw;
-			goto exit;
+} dfltply[] = {
-	}
+	/* CONSUSER MUST BE FIRST! */
+	{ CONSUSER_PROFILE_KW,			DEF_CONSUSER},
-	/* Check against authorizations specified by profiles */
+	{ PROFATTR_AUTHS_KW,			DEF_AUTH},
-	if ((profiles = kva_match(user->attr, USERATTR_PROFILES_KW)) != NULL)
+	{ PROFATTR_PROFS_KW,			DEF_PROF},
-		auth_granted = _chkprof_for_auth(profiles, authname,
+	{ USERATTR_LIMPRIV_KW,			DEF_LIMITPRIV},
-		    chkedprof, &chkedprof_cnt);
+	{ USERATTR_DFLTPRIV_KW,			DEF_DFLTPRIV},
+	{ USERATTR_LOCK_AFTER_RETRIES_KW,	DEF_LOCK_AFTER_RETRIES}
-exit:
+};
-	/* free memory allocated for checked array */
-	for (i = 0; i < chkedprof_cnt; i++) {
+#define	NDFLTPLY	(sizeof (dfltply)/sizeof (struct dfltplcy))
-		free(chkedprof[i]);
+#define	GETCONSPROF(a)	(kva_match((a), CONSUSER_PROFILE_KW))
-	}
+#define	GETPROF(a)	(kva_match((a), PROFATTR_PROFS_KW))
-	if (user != NULL)
+/*
-		free_userattr(user);
+* Enumerate profiles from listed profiles.
+*/
-	return (auth_granted);
+int
-}
+_enum_common_p(const char *cprofiles,
+int (*cb)(const char *, kva_t *, void *, void *),
-static int
+void *ctxt, void *pres, boolean_t wantattr,
-_chkprof_for_auth(const char *profs, const char *authname,
+int *pcnt, char *profs[MAXPROFS])
-char **chkedprof, int *chkedprof_cnt)
+{
-{
+	char *prof, *last;
+	char *profiles;
-	char *prof, *lasts, *auths, *profiles;
+	profattr_t *pa;
-	profattr_t	*pa;
+	int i;
-	int		i;
+	int res = 0;
-	int		checked = 0;
+	if (cprofiles == NULL)
-	for (prof = strtok_r((char *)profs, ",", &lasts); prof != NULL;
+		return (0);
-	    prof = strtok_r(NULL, ",", &lasts)) {
+	if (*pcnt > 0 && strcmp(profs[*pcnt - 1], PROFILE_STOP) == NULL)
-		checked = 0;
+		return (0);
-		/* check if this profile has been checked */
-		for (i = 0; i < *chkedprof_cnt; i++) {
+	COPYTOSTACK(profiles, cprofiles)
-			if (strcmp(chkedprof[i], prof) == 0) {
-				checked = 1;
+	while (prof = strtok_r(profiles, KV_SEPSTR, &last)) {
-				break;
-			}
+		profiles = NULL;	/* For next iterations of strtok_r */
-		}
+		for (i = 0; i < *pcnt; i++)
-		if (!checked) {
+			if (strcmp(profs[i], prof) == 0)
+				goto cont;
-			chkedprof[*chkedprof_cnt] = strdup(prof);
-			*chkedprof_cnt = *chkedprof_cnt + 1;
+		if (*pcnt >= MAXPROFS)		/* oops: too many profs */
+			return (-1);
-			if ((pa = getprofnam(prof)) == NULL)
-				continue;
+		/* Add it */
+		profs[(*pcnt)++] = strdup(prof);
-			if ((auths = kva_match(pa->attr,
-			    PROFATTR_AUTHS_KW)) != NULL) {
+		if (strcmp(profs[*pcnt - 1], PROFILE_STOP) == 0)
-				if (_is_authorized(authname, auths)) {
+			break;
-					free_profattr(pa);
-					return (1);
+		/* find the profiles for this profile */
-				}
+		pa = getprofnam(prof);
-			}
-			if ((profiles =
+		if (cb != NULL && (!wantattr || pa != NULL && pa->attr != NULL))
-			    kva_match(pa->attr, PROFATTR_PROFS_KW)) != NULL) {
+			res = cb(prof, pa ? pa->attr : NULL, ctxt, pres);
-				/* Check for authorization in subprofiles */
-				if (_chkprof_for_auth(profiles, authname,
+		if (pa != NULL) {
-				    chkedprof, chkedprof_cnt)) {
+			if (res == 0 && pa->attr != NULL) {
-					free_profattr(pa);
+				res = _enum_common_p(GETPROF(pa->attr), cb,
-					return (1);
+				    ctxt, pres, wantattr, pcnt, profs);
-				}
 			}
 			free_profattr(pa);
 		}
-	}
+		if (res != 0)
-	/* authorization not found in any profile */
+			return (res);
-	return (0);
+cont:
+		continue;
+	}
+	return (res);
+}
+/*
+* Enumerate all attributes associated with a username and the profiles
+* associated with the user.
+*/
+static int
+_enum_common(const char *username,
+int (*cb)(const char *, kva_t *, void *, void *),
+void *ctxt, void *pres, boolean_t wantattr)
+{
+	userattr_t *ua;
+	int res = 0;
+	int cnt = 0;
+	char *profs[MAXPROFS];
+	kva_t *kattrs;
+	if (cb == NULL)
+		return (-1);
+	ua = getusernam(username);
+	if (ua != NULL) {
+		if (ua->attr != NULL) {
+			if (wantattr)
+				res = cb(NULL, ua->attr, ctxt, pres);
+			if (res == 0) {
+				res = _enum_common_p(GETPROF(ua->attr),
+				    cb, ctxt, pres, wantattr, &cnt, profs);
+			}
+		}
+		free_userattr(ua);
+		if (res != 0)
+			return (res);
+	}
+	if ((cnt == 0 || strcmp(profs[cnt-1], PROFILE_STOP) != 0) &&
+	    (kattrs = get_default_attrs(username)) != NULL) {
+		res = _enum_common_p(GETCONSPROF(kattrs), cb, ctxt, pres,
+		    wantattr, &cnt, profs);
+		if (res == 0) {
+			res = _enum_common_p(GETPROF(kattrs), cb, ctxt, pres,
+			    wantattr, &cnt, profs);
+		}
+		if (res == 0 && wantattr)
+			res = cb(NULL, kattrs, ctxt, pres);
+		free_default_attrs(kattrs);
+	}
+	free_proflist(profs, cnt);
+	return (res);
+}
+/*
+* Enumerate profiles with a username argument.
+*/
+int
+_enum_profs(const char *username,
+int (*cb)(const char *, kva_t *, void *, void *),
+void *ctxt, void *pres)
+{
+	return (_enum_common(username, cb, ctxt, pres, B_FALSE));
+}
+/*
+* Enumerate attributes with a username argument.
+*/
+int
+_enum_attrs(const char *username,
+int (*cb)(const char *, kva_t *, void *, void *),
+void *ctxt, void *pres)
+{
+	return (_enum_common(username, cb, ctxt, pres, B_TRUE));
+}
+/*
+* Enumerate authorizations in the "auths" argument.
+*/
+static int
+_enum_auths_a(const char *cauths, int (*cb)(const char *, void *, void *),
+void *ctxt, void *pres)
+{
+	char *auth, *last, *auths;
+	int res = 0;
+	if (cauths == NULL || cb == NULL)
+		return (0);
+	COPYTOSTACK(auths, cauths)
+	while (auth = strtok_r(auths, KV_SEPSTR, &last)) {
+		auths = NULL;		/* For next iterations of strtok_r */
+		res = cb(auth, ctxt, pres);
+		if (res != 0)
+			return (res);
+	}
+	return (res);
+}
+/*
+* Magic struct and function to allow using the _enum_attrs functions to
+* enumerate the authorizations.
+*/
+typedef struct ccomm2auth {
+	int (*cb)(const char *, void *, void *);
+	void *ctxt;
+} ccomm2auth;
+/*ARGSUSED*/
+static int
+comm2auth(const char *name, kva_t *attr, void *ctxt, void *pres)
+{
+	ccomm2auth *ca = ctxt;
+	char *auths;
+	/* Note: PROFATTR_AUTHS_KW is equal to USERATTR_AUTHS_KW */
+	auths = kva_match(attr, PROFATTR_AUTHS_KW);
+	return (_enum_auths_a(auths, ca->cb, ca->ctxt, pres));
+}
+/*
+* Enumerate authorizations for username.
+*/
+int
+_enum_auths(const char *username,
+int (*cb)(const char *, void *, void *),
+void *ctxt, void *pres)
+{
+	ccomm2auth c2a;
+	if (cb == NULL)
+		return (-1);
+	c2a.cb = cb;
+	c2a.ctxt = ctxt;
+	return (_enum_common(username, comm2auth, &c2a, pres, B_TRUE));
 }
 int
 _auth_match(const char *pattern, const char *auth)
 {
 	size_t len;
-	char wildcard = KV_WILDCHAR;
 	char *grant;
 	len = strlen(pattern);
 	/*
 	 * If the wildcard is not in the last position in the string, don't
 	 * match against it.
 	 */
-	if (pattern[len-1] != wildcard)
+	if (pattern[len-1] != KV_WILDCHAR)
 		return (0);
 	/*
 	 * If the strings are identical up to the wildcard and auth does not
 	 * end in "grant", then we have a match.
 	return (0);
 }
 static int
-_is_authorized(const char *authname, char *auths)
+_is_authorized(const char *auth, void *authname, void *res)
 {
-	int	found = 0;	/* have we got a match, yet */
+	int *resp = res;
-	char	wildcard = '*';
-	char	*auth;		/* current authorization being compared */
+	if (strcmp(authname, auth) == 0 ||
-	char	*buf;
+	    (strchr(auth, KV_WILDCHAR) != NULL &&
-	char	*lasts;
+	    _auth_match(auth, authname))) {
+		*resp = 1;
-	buf = strdup(auths);
+		return (1);
-	for (auth = strtok_r(auths, ",", &lasts); auth != NULL && !found;
+	}
-	    auth = strtok_r(NULL, ",", &lasts)) {
-		if (strcmp((char *)authname, auth) == 0) {
+	return (0);
-			/* Exact match.  We're done. */
+}
-			found = 1;
-		} else if (strchr(auth, wildcard) != NULL) {
+int
-			if (_auth_match(auth, authname)) {
+chkauthattr(const char *authname, const char *username)
-				found = 1;
+{
-				break;
+	int		auth_granted = 0;
-			}
-		}
+	if (authname == NULL || username == NULL)
-	}
+		return (0);
-	free(buf);
+	(void) _enum_auths(username, _is_authorized, (char *)authname,
+	    &auth_granted);
-	return (found);
-}
+	return (auth_granted);
-/*
-* read /etc/security/policy.conf for AUTHS_GRANTED.
-* return 1 if found matching authname.
-* Otherwise, read PROFS_GRANTED to see if authname exists in any
-* default profiles.
-*/
-static int
-_chk_policy_auth(const char *authname, const char *username, char **chkedprof,
-int *chkedprof_cnt)
-{
-	char	*auths = NULL;
-	char	*profs = NULL;
-	int	ret = 1;
-	if (_get_user_defs(username, &auths, &profs) != 0)
-		return (0);
-	if (auths != NULL) {
-		if (_is_authorized(authname, auths))
-			goto exit;
-	}
-	if (profs != NULL) {
-		if (_chkprof_for_auth(profs, authname, chkedprof,
-		    chkedprof_cnt))
-			goto exit;
-	}
-	ret = 0;
-exit:
-	_free_user_defs(auths, profs);
-	return (ret);
 }
 #define	CONSOLE_USER_LINK "/dev/vt/console_user"
 static int
 	}
 	return (pw.pw_uid == cons.st_uid);
 }
+static void
-int
+free_default_attrs(kva_t *kva)
-_get_user_defs(const char *user, char **def_auth, char **def_prof)
+{
-{
+	int i;
-	char *cp;
-	char *profs;
+	for (i = 0; i < kva->length; i++)
-	void	*defp;
+		free(kva->data[i].value);
-	if ((defp = defopen_r(AUTH_POLICY)) == NULL) {
+	free(kva);
-		if (def_auth != NULL) {
+}
-			*def_auth = NULL;
-		}
+/*
-		if (def_prof != NULL) {
+* Return the default attributes; this are ignored when a STOP profile
-			*def_prof = NULL;
+* was found.
-		}
+*/
-		return (-1);
+static kva_t *
-	}
+get_default_attrs(const char *user)
+{
-	if (def_auth != NULL) {
+	void *defp;
-		if ((cp = defread_r(DEF_AUTH, defp)) != NULL) {
+	kva_t *kva;
-			if ((*def_auth = strdup(cp)) == NULL) {
+	int i;
-				defclose_r(defp);
-				return (-1);
+	kva = malloc(sizeof (kva_t) + sizeof (kv_t) * NDFLTPLY);
-			}
-		} else {
+	if (kva == NULL)
-			*def_auth = NULL;
+		return (NULL);
-		}
-	}
+	kva->data = (kv_t *)(void *)&kva[1];
-	if (def_prof != NULL) {
+	kva->length = 0;
-		if (is_cons_user(user) &&
-		    (cp = defread_r(DEF_CONSUSER, defp)) != NULL) {
+	if ((defp = defopen_r(AUTH_POLICY)) == NULL)
-			if ((*def_prof = strdup(cp)) == NULL) {
+		goto return_null;
-				defclose_r(defp);
-				return (-1);
+	for (i = is_cons_user(user) ? 0 : 1; i < NDFLTPLY; i++) {
-			}
+		char *cp = defread_r(dfltply[i].defkw, defp);
-		}
-		if ((cp = defread_r(DEF_PROF, defp)) != NULL) {
+		if (cp == NULL)
-			int	prof_len;
+			continue;
+		if ((cp = strdup(cp)) == NULL)
-			if (*def_prof == NULL) {
+			goto return_null;
-				if ((*def_prof = strdup(cp)) == NULL) {
-					defclose_r(defp);
+		kva->data[kva->length].key = dfltply[i].attr;
-					return (-1);
+		kva->data[kva->length++].value = cp;
-				}
+	}
-				defclose_r(defp);
-				return (0);
+	(void) defclose_r(defp);
-			}
+	return (kva);
-			/* concatenate def profs with "," separator */
+return_null:
-			prof_len = strlen(*def_prof) + strlen(cp) + 2;
+	if (defp != NULL)
-			if ((profs = malloc(prof_len)) == NULL) {
+		(void) defclose_r(defp);
-				free(*def_prof);
-				*def_prof = NULL;
+	free_default_attrs(kva);
-				defclose_r(defp);
+	return (NULL);
-				return (-1);
+}
-			}
-			(void) snprintf(profs, prof_len, "%s,%s", *def_prof,
-			    cp);
-			free(*def_prof);
-			*def_prof = profs;
-		}
-	}
-	defclose_r(defp);
-	return (0);
-}
-void
-_free_user_defs(char *def_auth, char *def_prof)
-{
-	free(def_auth);
-	free(def_prof);
-}

changeset 12273	63678502e95e
parent 12195	cf3a8ea2dcfd
child 12471	10160519e417