1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
24 *
25 * Copyright 2023 OmniOS Community Edition (OmniOSce) Association.
26 */
27
28 #include <syslog.h>
29 #include <pwd.h>
30 #include <unistd.h>
31 #include <strings.h>
32 #include <security/pam_appl.h>
33 #include <security/pam_modules.h>
34 #include <libintl.h>
35 #include <pwd.h>
36 #include <user_attr.h>
37 #include <secdb.h>
38 #include <nss_dbdefs.h>
39 #include <security/pam_impl.h>
40
41 static int roleinlist();
42
43 /*
44 * pam_sm_acct_mgmt():
45 * Account management module
46 * This module disallows roles for primary logins and adds special
47 * checks to allow roles for secondary logins.
48 */
49
50 int
pam_sm_acct_mgmt(pam_handle_t * pamh,int flags,int argc,const char ** argv)51 pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
52 {
53 uid_t uid;
54 userattr_t *user_entry;
55 char *kva_value;
56 const char *username;
57 const char *auser;
58 const char *rhost;
59 char messages[PAM_MAX_NUM_MSG][PAM_MAX_MSG_SIZE];
60 struct passwd *pw_entry, pwd;
61 char buf[NSS_BUFLEN_PASSWD];
62
63 int i;
64 int debug = 0;
65 int allow_remote = 0;
66
67 (void) pam_get_item(pamh, PAM_USER, (const void **)&username);
68 (void) pam_get_item(pamh, PAM_AUSER, (const void **)&auser);
69 (void) pam_get_item(pamh, PAM_RHOST, (const void **)&rhost);
70
71 for (i = 0; i < argc; i++) {
72 if (strcmp(argv[i], "allow_remote") == 0) {
73 allow_remote = 1;
74 } else if (strcmp(argv[i], "debug") == 0) {
75 debug = 1;
76 } else {
77 __pam_log(LOG_AUTH | LOG_ERR,
78 "pam_roles:pam_sm_acct_mgmt: illegal module "
79 "option %s", argv[i]);
80 }
81 }
82
83 if (debug) {
84 const char *ruser;
85 const char *service;
86
87 (void) pam_get_item(pamh, PAM_RUSER, (const void **)&ruser);
88 (void) pam_get_item(pamh, PAM_SERVICE, (const void **)&service);
89 __pam_log(LOG_AUTH | LOG_DEBUG, "pam_roles:pam_sm_acct_mgmt: "
90 "service = %s, allow_remote = %d, user = %s auser = %s "
91 "ruser = %s rhost = %s\n", (service) ? service : "not set",
92 allow_remote, (username) ? username : "not set",
93 (auser) ? auser: "not set", (ruser) ? ruser: "not set",
94 (rhost) ? rhost: "not set");
95 }
96
97 if (username == NULL)
98 return (PAM_USER_UNKNOWN);
99
100 /* stop masquerades by mapping username to uid to username */
101
102 if ((pw_entry = getpwnam_r(username, &pwd, buf, sizeof (buf))) == NULL)
103 return (PAM_USER_UNKNOWN);
104 if ((pw_entry = getpwuid_r(pw_entry->pw_uid, &pwd, buf,
105 sizeof (buf))) == NULL)
106 return (PAM_USER_UNKNOWN);
107 /*
108 * If there's no user_attr entry for the primary user or it's not a
109 * role, no further checks are needed.
110 */
111
112 if (((user_entry = getusernam(pw_entry->pw_name)) == NULL) ||
113 ((kva_value = kva_match((kva_t *)user_entry->attr,
114 USERATTR_TYPE_KW)) == NULL) ||
115 ((strcmp(kva_value, USERATTR_TYPE_NONADMIN_KW) != 0) &&
116 (strcmp(kva_value, USERATTR_TYPE_ADMIN_KW) != 0))) {
117 free_userattr(user_entry);
118 return (PAM_IGNORE);
119 }
120 free_userattr(user_entry);
121
122 /* username is a role */
123
124 if (strcmp(username, pw_entry->pw_name) != 0) {
125 __pam_log(LOG_AUTH | LOG_ALERT,
126 "pam_roles:pam_sm_acct_mgmt: user name %s "
127 "maps to user id %d which is user name %s",
128 username, pw_entry->pw_uid, pw_entry->pw_name);
129
130 }
131
132 /* Who's the user requesting the role? */
133
134 if (auser != NULL && *auser != '\0') {
135 /* authenticated requesting user */
136
137 user_entry = getusernam(auser);
138 } else {
139 /* user is implied by real UID */
140
141 if ((uid = getuid()) == 0) {
142 /*
143 * Root user_attr entry cannot have roles.
144 * Force error and deny access.
145 */
146 user_entry = NULL;
147 } else {
148 if ((pw_entry = getpwuid_r(uid, &pwd, buf,
149 sizeof (buf))) == NULL) {
150 return (PAM_USER_UNKNOWN);
151 }
152 user_entry = getusernam(pw_entry->pw_name);
153 }
154 }
155
156 if ((rhost != NULL && *rhost != '\0') &&
157 allow_remote == 0) {
158 /* don't allow remote roles for this service */
159
160 free_userattr(user_entry);
161 return (PAM_PERM_DENIED);
162 }
163
164 /*
165 * If the original user does not have a user_attr entry or isn't
166 * assigned the role being assumed, fail.
167 */
168
169 if ((user_entry == NULL) ||
170 ((kva_value = kva_match((kva_t *)user_entry->attr,
171 USERATTR_ROLES_KW)) == NULL) ||
172 (roleinlist(kva_value, username) == 0)) {
173 free_userattr(user_entry);
174 (void) strlcpy(messages[0], dgettext(TEXT_DOMAIN,
175 "Roles can only be assumed by authorized users"),
176 sizeof (messages[0]));
177 (void) __pam_display_msg(pamh, PAM_ERROR_MSG, 1, messages,
178 NULL);
179 return (PAM_PERM_DENIED);
180 }
181
182 free_userattr(user_entry);
183 return (PAM_IGNORE);
184 }
185
186 int
roleinlist(char * list,char * role)187 roleinlist(char *list, char *role)
188 {
189 char *lasts = (char *)NULL;
190 char *rolename = (char *)strtok_r(list, ",", &lasts);
191
192 while (rolename) {
193 if (strcmp(rolename, role) == 0)
194 return (1);
195 else
196 rolename = (char *)strtok_r(NULL, ",", &lasts);
197 }
198 return (0);
199 }
200