--- a/usr/src/cmd/svc/configd/rc_node.c Wed Apr 28 09:25:44 2010 +0200
+++ b/usr/src/cmd/svc/configd/rc_node.c Wed Apr 28 10:01:37 2010 +0200
@@ -20,8 +20,7 @@
*/
/*
- * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
- * Use is subject to license terms.
+ * Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
*/
/*
@@ -114,9 +113,7 @@
* proceed if the user has been assigned at least one of a set of
* authorization strings. The set of enabling authorizations depends on the
* operation and the target object. The set of authorizations assigned to
- * a user is determined by reading /etc/security/policy.conf, querying the
- * user_attr database, and possibly querying the prof_attr database, as per
- * chkauthattr() in libsecdb.
+ * a user is determined by an algorithm defined in libsecdb.
*
* The fastest way to decide whether the two sets intersect is by entering the
* strings into a hash table and detecting collisions, which takes linear time
@@ -360,7 +357,6 @@
#include <libuutil.h>
#include <libscf.h>
#include <libscf_priv.h>
-#include <prof_attr.h>
#include <pthread.h>
#include <pwd.h>
#include <stdio.h>
@@ -369,7 +365,7 @@
#include <sys/types.h>
#include <syslog.h>
#include <unistd.h>
-#include <user_attr.h>
+#include <secdb.h>
#include "configd.h"
@@ -388,8 +384,6 @@
#define AUTH_PROP_MODIFY "modify_authorization"
#define AUTH_PROP_VALUE "value_authorization"
#define AUTH_PROP_READ "read_authorization"
-/* libsecdb should take care of this. */
-#define RBAC_AUTH_SEP ","
#define MAX_VALID_CHILDREN 3
@@ -1498,29 +1492,24 @@
* perm_granted() returns PERM_GRANTED if the current door caller has one of
* the enabling authorizations in pcp, PERM_DENIED if it doesn't, PERM_GONE if
* the door client went away and PERM_FAIL if an error (usually lack of
- * memory) occurs. check_auth_list() checks an RBAC_AUTH_SEP-separated
- * list of authorizations for existence in pcp, and check_prof_list()
- * checks the authorizations granted to an RBAC_AUTH_SEP-separated list of
- * profiles.
+ * memory) occurs. auth_cb() checks each and every authorizations as
+ * enumerated by _enum_auths. When we find a result other than PERM_DENIED,
+ * we short-cut the enumeration and return non-zero.
*/
-static perm_status_t
-check_auth_list(permcheck_t *pcp, char *authlist)
-{
- char *auth, *lasts;
- perm_status_t ret;
-
- for (auth = (char *)strtok_r(authlist, RBAC_AUTH_SEP, &lasts);
- auth != NULL;
- auth = (char *)strtok_r(NULL, RBAC_AUTH_SEP, &lasts)) {
- if (strchr(auth, KV_WILDCHAR) == NULL)
- ret = pc_exists(pcp, auth);
- else
- ret = pc_match(pcp, auth);
-
- if (ret != PERM_DENIED)
- return (ret);
- }
-
+
+static int
+auth_cb(const char *auth, void *ctxt, void *vres)
+{
+ permcheck_t *pcp = ctxt;
+ int *pret = vres;
+
+ if (strchr(auth, KV_WILDCHAR) == NULL)
+ *pret = pc_exists(pcp, auth);
+ else
+ *pret = pc_match(pcp, auth);
+
+ if (*pret != PERM_DENIED)
+ return (1);
/*
* If we failed, choose the most specific auth string for use in
* the audit event.
@@ -1528,40 +1517,7 @@
assert(pcp->pc_specific != NULL);
pcp->pc_auth_string = pcp->pc_specific->pce_auth;
- return (PERM_DENIED);
-}
-
-static perm_status_t
-check_prof_list(permcheck_t *pcp, char *proflist)
-{
- char *prof, *lasts, *authlist, *subproflist;
- profattr_t *pap;
- perm_status_t ret = PERM_DENIED;
-
- for (prof = strtok_r(proflist, RBAC_AUTH_SEP, &lasts);
- prof != NULL;
- prof = strtok_r(NULL, RBAC_AUTH_SEP, &lasts)) {
- pap = getprofnam(prof);
- if (pap == NULL)
- continue;
-
- authlist = kva_match(pap->attr, PROFATTR_AUTHS_KW);
- if (authlist != NULL)
- ret = check_auth_list(pcp, authlist);
-
- if (ret == PERM_DENIED) {
- subproflist = kva_match(pap->attr, PROFATTR_PROFS_KW);
- if (subproflist != NULL)
- /* depth check to avoid infinite recursion? */
- ret = check_prof_list(pcp, subproflist);
- }
-
- free_profattr(pap);
- if (ret != PERM_DENIED)
- return (ret);
- }
-
- return (ret);
+ return (0); /* Tells that we need to continue */
}
static perm_status_t
@@ -1570,10 +1526,7 @@
ucred_t *uc;
perm_status_t ret = PERM_DENIED;
- int rv;
uid_t uid;
- userattr_t *uap;
- char *authlist, *userattr_authlist, *proflist, *def_prof = NULL;
struct passwd pw;
char pwbuf[1024]; /* XXX should be NSS_BUFLEN_PASSWD */
@@ -1606,50 +1559,11 @@
}
/*
- * Get user's default authorizations from policy.conf
- */
- rv = _get_user_defs(pw.pw_name, &authlist, &def_prof);
-
- if (rv != 0)
- return (PERM_FAIL);
-
- if (authlist != NULL) {
- ret = check_auth_list(pcp, authlist);
-
- if (ret != PERM_DENIED) {
- _free_user_defs(authlist, def_prof);
- return (ret);
- }
- }
-
- /*
- * Put off checking def_prof for later in an attempt to consolidate
- * prof_attr accesses.
+ * Enumerate all the auths defined for the user and return the
+ * result in ret.
*/
-
- uap = getusernam(pw.pw_name);
- if (uap != NULL) {
- /* Get the authorizations from user_attr. */
- userattr_authlist = kva_match(uap->attr, USERATTR_AUTHS_KW);
- if (userattr_authlist != NULL) {
- ret = check_auth_list(pcp, userattr_authlist);
- }
- }
-
- if ((ret == PERM_DENIED) && (def_prof != NULL)) {
- /* Check generic profiles. */
- ret = check_prof_list(pcp, def_prof);
- }
-
- if ((ret == PERM_DENIED) && (uap != NULL)) {
- proflist = kva_match(uap->attr, USERATTR_PROFILES_KW);
- if (proflist != NULL)
- ret = check_prof_list(pcp, proflist);
- }
-
- _free_user_defs(authlist, def_prof);
- if (uap != NULL)
- free_userattr(uap);
+ if (_enum_auths(pw.pw_name, auth_cb, pcp, &ret) < 0)
+ return (PERM_FAIL);
return (ret);
}