xref: /titanic_41/usr/src/cmd/oamuser/user/funcs.c (revision 0b42f15ac52b077791d4ba079e8c163c592c3fda)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
23  * Copyright (c) 2013 RackTop Systems.
24  */
25 
26 #include <stdio.h>
27 #include <stdlib.h>
28 #include <strings.h>
29 #include <auth_attr.h>
30 #include <prof_attr.h>
31 #include <user_attr.h>
32 #include <project.h>
33 #include <secdb.h>
34 #include <pwd.h>
35 #include <unistd.h>
36 #include <priv.h>
37 #include <errno.h>
38 #include <ctype.h>
39 #include <nss.h>
40 #include <bsm/libbsm.h>
41 #include <tsol/label.h>
42 #include "funcs.h"
43 #include "messages.h"
44 #undef	GROUP
45 #include "userdefs.h"
46 
47 typedef struct ua_key {
48 	const char	*key;
49 	const char	*(*check)(const char *);
50 	const char	*errstr;
51 	char		*newvalue;
52 } ua_key_t;
53 
54 static const char role[] = "role name";
55 static const char prof[] = "profile name";
56 static const char proj[] = "project name";
57 static const char priv[] = "privilege set";
58 static const char auth[] = "authorization";
59 static const char type[] = "user type";
60 static const char lock[] = "lock_after_retries value";
61 static const char label[] = "label";
62 static const char idlecmd[] = "idlecmd value";
63 static const char idletime[] = "idletime value";
64 static const char auditflags[] = "audit mask";
65 static char	  auditerr[256];
66 
67 
68 static const char *check_auth(const char *);
69 static const char *check_prof(const char *);
70 static const char *check_role(const char *);
71 static const char *check_proj(const char *);
72 static const char *check_privset(const char *);
73 static const char *check_type(const char *);
74 static const char *check_lock_after_retries(const char *);
75 static const char *check_label(const char *);
76 static const char *check_idlecmd(const char *);
77 static const char *check_idletime(const char *);
78 static const char *check_auditflags(const char *);
79 
80 int nkeys;
81 
82 static ua_key_t keys[] = {
83 	/* First entry is always set correctly in main() */
84 	{ USERATTR_TYPE_KW,	check_type,	type },
85 	{ USERATTR_AUTHS_KW,	check_auth,	auth },
86 	{ USERATTR_PROFILES_KW,	check_prof,	prof },
87 	{ USERATTR_ROLES_KW,	check_role,	role },
88 	{ USERATTR_DEFAULTPROJ_KW,	check_proj,	proj },
89 	{ USERATTR_LIMPRIV_KW,	check_privset,	priv },
90 	{ USERATTR_DFLTPRIV_KW,	check_privset,	priv },
91 	{ USERATTR_LOCK_AFTER_RETRIES_KW, check_lock_after_retries,  lock },
92 	{ USERATTR_CLEARANCE,	check_label,	label },
93 	{ USERATTR_MINLABEL,	check_label,	label },
94 	{ USERATTR_IDLECMD_KW,	check_idlecmd,	idlecmd },
95 	{ USERATTR_IDLETIME_KW,	check_idletime,	idletime },
96 	{ USERATTR_AUDIT_FLAGS_KW, check_auditflags, auditflags },
97 };
98 
99 #define	NKEYS	(sizeof (keys)/sizeof (ua_key_t))
100 
101 /*
102  * Change a key, there are three different call sequences:
103  *
104  *		key, value	- key with option letter, value.
105  *		NULL, value	- -K key=value option.
106  */
107 
108 void
change_key(const char * key,char * value)109 change_key(const char *key, char *value)
110 {
111 	int i;
112 	const char *res;
113 
114 	if (key == NULL) {
115 		key = value;
116 		value = strchr(value, '=');
117 		/* Bad value */
118 		if (value == NULL) {
119 			errmsg(M_INVALID_VALUE);
120 			exit(EX_BADARG);
121 		}
122 		*value++ = '\0';
123 	}
124 
125 	for (i = 0; i < NKEYS; i++) {
126 		if (strcmp(key, keys[i].key) == 0) {
127 			if (keys[i].newvalue != NULL) {
128 				/* Can't set a value twice */
129 				errmsg(M_REDEFINED_KEY, key);
130 				exit(EX_BADARG);
131 			}
132 
133 			if (keys[i].check != NULL &&
134 			    (res = keys[i].check(value)) != NULL) {
135 				errmsg(M_INVALID, res, keys[i].errstr);
136 				exit(EX_BADARG);
137 			}
138 			keys[i].newvalue = value;
139 			nkeys++;
140 			return;
141 		}
142 	}
143 	errmsg(M_INVALID_KEY, key);
144 	exit(EX_BADARG);
145 }
146 
147 /*
148  * Add the keys to the argument vector.
149  */
150 void
addkey_args(char ** argv,int * index)151 addkey_args(char **argv, int *index)
152 {
153 	int i;
154 
155 	for (i = 0; i < NKEYS; i++) {
156 		const char *key = keys[i].key;
157 		char *val = keys[i].newvalue;
158 		size_t len;
159 		char *arg;
160 
161 		if (val == NULL)
162 			continue;
163 
164 		len = strlen(key) + strlen(val) + 2;
165 		arg = malloc(len);
166 
167 		(void) snprintf(arg, len, "%s=%s", key, val);
168 		argv[(*index)++] = "-K";
169 		argv[(*index)++] = arg;
170 	}
171 }
172 
173 /*
174  * Propose a default value for a key and get the actual value back.
175  * If the proposed default value is NULL, return the actual value set.
176  * The key argument is the user_attr key.
177  */
178 char *
getsetdefval(const char * key,char * dflt)179 getsetdefval(const char *key, char *dflt)
180 {
181 	int i;
182 
183 	for (i = 0; i < NKEYS; i++)
184 		if (strcmp(keys[i].key, key) == 0) {
185 			if (keys[i].newvalue != NULL)
186 				return (keys[i].newvalue);
187 			else
188 				return (keys[i].newvalue = dflt);
189 		}
190 	return (NULL);
191 }
192 
193 char *
getusertype(char * cmdname)194 getusertype(char *cmdname)
195 {
196 	static char usertype[MAX_TYPE_LENGTH];
197 	char *cmd;
198 
199 	if ((cmd = strrchr(cmdname, '/')))
200 		++cmd;
201 	else
202 		cmd = cmdname;
203 
204 	/* get user type based on the program name */
205 	if (strncmp(cmd, CMD_PREFIX_USER,
206 	    strlen(CMD_PREFIX_USER)) == 0)
207 		strcpy(usertype, USERATTR_TYPE_NORMAL_KW);
208 	else
209 		strcpy(usertype, USERATTR_TYPE_NONADMIN_KW);
210 
211 	return (usertype);
212 }
213 
214 int
is_role(char * usertype)215 is_role(char *usertype)
216 {
217 	if (strcmp(usertype, USERATTR_TYPE_NONADMIN_KW) == 0)
218 		return (1);
219 	/* not a role */
220 	return (0);
221 }
222 
223 /*
224  * Verifies the provided list of authorizations are all valid.
225  *
226  * Returns NULL if all authorization names are valid.
227  * Otherwise, returns the invalid authorization name
228  *
229  */
230 static const char *
check_auth(const char * auths)231 check_auth(const char *auths)
232 {
233 	char *authname;
234 	authattr_t *result;
235 	char *tmp;
236 	struct passwd   *pw;
237 	int have_grant = 0;
238 
239 	tmp = strdup(auths);
240 	if (tmp == NULL) {
241 		errmsg(M_NOSPACE);
242 		exit(EX_FAILURE);
243 	}
244 
245 	authname = strtok(tmp, AUTH_SEP);
246 	pw = getpwuid(getuid());
247 	if (pw == NULL) {
248 		return (authname);
249 	}
250 
251 	while (authname != NULL) {
252 		char *suffix;
253 		char *authtoks;
254 
255 		/* Check if user has been granted this authorization */
256 		if (!chkauthattr(authname, pw->pw_name))
257 			return (authname);
258 
259 		/* Remove named object after slash */
260 		if ((suffix = index(authname, KV_OBJECTCHAR)) != NULL)
261 			*suffix = '\0';
262 
263 		/* Find the suffix */
264 		if ((suffix = rindex(authname, '.')) == NULL)
265 			return (authname);
266 
267 		/* Check for existence in auth_attr */
268 		suffix++;
269 		if (strcmp(suffix, KV_WILDCARD)) { /* Not a wildcard */
270 			result = getauthnam(authname);
271 			if (result == NULL) {
272 			/* can't find the auth */
273 				free_authattr(result);
274 				return (authname);
275 			}
276 			free_authattr(result);
277 		}
278 
279 		/* Check if user can delegate this authorization */
280 		if (strcmp(suffix, "grant")) { /* Not a grant option */
281 			authtoks = malloc(strlen(authname) + sizeof ("grant"));
282 			strcpy(authtoks, authname);
283 			have_grant = 0;
284 			while ((suffix = rindex(authtoks, '.')) &&
285 			    !have_grant) {
286 				strcpy(suffix, ".grant");
287 				if (chkauthattr(authtoks, pw->pw_name))
288 					have_grant = 1;
289 				else
290 					*suffix = '\0';
291 			}
292 			if (!have_grant)
293 				return (authname);
294 		}
295 		authname = strtok(NULL, AUTH_SEP);
296 	}
297 	free(tmp);
298 	return (NULL);
299 }
300 
301 /*
302  * Verifies the provided list of profile names are valid.
303  *
304  * Returns NULL if all profile names are valid.
305  * Otherwise, returns the invalid profile name
306  *
307  */
308 static const char *
check_prof(const char * profs)309 check_prof(const char *profs)
310 {
311 	char *profname;
312 	profattr_t *result;
313 	char *tmp;
314 
315 	tmp = strdup(profs);
316 	if (tmp == NULL) {
317 		errmsg(M_NOSPACE);
318 		exit(EX_FAILURE);
319 	}
320 
321 	profname = strtok(tmp, PROF_SEP);
322 	while (profname != NULL) {
323 		result = getprofnam(profname);
324 		if (result == NULL) {
325 		/* can't find the profile */
326 			return (profname);
327 		}
328 		free_profattr(result);
329 		profname = strtok(NULL, PROF_SEP);
330 	}
331 	free(tmp);
332 	return (NULL);
333 }
334 
335 
336 /*
337  * Verifies the provided list of role names are valid.
338  *
339  * Returns NULL if all role names are valid.
340  * Otherwise, returns the invalid role name
341  *
342  */
343 static const char *
check_role(const char * roles)344 check_role(const char *roles)
345 {
346 	char *rolename;
347 	userattr_t *result;
348 	char *utype;
349 	char *tmp;
350 
351 	tmp = strdup(roles);
352 	if (tmp == NULL) {
353 		errmsg(M_NOSPACE);
354 		exit(EX_FAILURE);
355 	}
356 
357 	rolename = strtok(tmp, ROLE_SEP);
358 	while (rolename != NULL) {
359 		result = getusernam(rolename);
360 		if (result == NULL) {
361 		/* can't find the rolename */
362 			return (rolename);
363 		}
364 		/* Now, make sure it is a role */
365 		utype = kva_match(result->attr, USERATTR_TYPE_KW);
366 		if (utype == NULL) {
367 			/* no user type defined. not a role */
368 			free_userattr(result);
369 			return (rolename);
370 		}
371 		if (strcmp(utype, USERATTR_TYPE_NONADMIN_KW) != 0) {
372 			free_userattr(result);
373 			return (rolename);
374 		}
375 		free_userattr(result);
376 		rolename = strtok(NULL, ROLE_SEP);
377 	}
378 	free(tmp);
379 	return (NULL);
380 }
381 
382 static const char *
check_proj(const char * proj)383 check_proj(const char *proj)
384 {
385 	if (getprojidbyname(proj) < 0) {
386 		return (proj);
387 	} else {
388 		return (NULL);
389 	}
390 }
391 
392 static const char *
check_privset(const char * pset)393 check_privset(const char *pset)
394 {
395 	priv_set_t *tmp;
396 	const char *res;
397 
398 	tmp = priv_str_to_set(pset, ",", &res);
399 
400 	if (tmp != NULL) {
401 		res = NULL;
402 		priv_freeset(tmp);
403 	} else if (res == NULL)
404 		res = strerror(errno);
405 
406 	return (res);
407 }
408 
409 static const char *
check_type(const char * type)410 check_type(const char *type)
411 {
412 	if (strcmp(type, USERATTR_TYPE_NONADMIN_KW) != 0 &&
413 	    strcmp(type, USERATTR_TYPE_NORMAL_KW) != 0)
414 		return (type);
415 
416 	return (NULL);
417 }
418 
419 static const char *
check_lock_after_retries(const char * keyval)420 check_lock_after_retries(const char *keyval)
421 {
422 	if (keyval != NULL) {
423 		if ((strcasecmp(keyval, "no") != 0) &&
424 		    (strcasecmp(keyval, "yes") != 0) &&
425 		    (*keyval != '\0'))   {
426 			return (keyval);
427 		}
428 	}
429 	return (NULL);
430 }
431 
432 static const char *
check_label(const char * labelstr)433 check_label(const char *labelstr)
434 {
435 	int	err;
436 	m_label_t *lbl = NULL;
437 
438 	if (!is_system_labeled())
439 		return (NULL);
440 
441 	err = str_to_label(labelstr, &lbl, MAC_LABEL, L_NO_CORRECTION, NULL);
442 	m_label_free(lbl);
443 
444 	if (err == -1)
445 		return (labelstr);
446 
447 	return (NULL);
448 }
449 
450 static const char *
check_idlecmd(const char * cmd)451 check_idlecmd(const char *cmd)
452 {
453 	if ((strcmp(cmd, USERATTR_IDLECMD_LOCK_KW) != 0) &&
454 	    (strcmp(cmd, USERATTR_IDLECMD_LOGOUT_KW) != 0)) {
455 		return (cmd);
456 	}
457 
458 	return (NULL);
459 }
460 
461 static const char *
check_idletime(const char * time)462 check_idletime(const char *time)
463 {
464 	int		c;
465 	unsigned char	*up = (unsigned char *)time;
466 
467 	c = *up;
468 	while (c != '\0') {
469 		if (!isdigit(c))
470 			return (time);
471 		c = *++up;
472 	}
473 
474 	return (NULL);
475 }
476 
477 static const char *
check_auditflags(const char * auditflags)478 check_auditflags(const char *auditflags)
479 {
480 	au_mask_t mask;
481 	char	*flags;
482 	char	*last = NULL;
483 	char	*err = "NULL";
484 
485 	/* if deleting audit_flags */
486 	if (*auditflags == '\0') {
487 		return (NULL);
488 	}
489 
490 	if ((flags = _strdup_null((char *)auditflags)) == NULL) {
491 		errmsg(M_NOSPACE);
492 		exit(EX_FAILURE);
493 	}
494 
495 	if (!__chkflags(_strtok_escape(flags, KV_AUDIT_DELIMIT, &last), &mask,
496 	    B_FALSE, &err)) {
497 		(void) snprintf(auditerr, sizeof (auditerr),
498 		    "always mask \"%s\"", err);
499 		free(flags);
500 		return (auditerr);
501 	}
502 	if (!__chkflags(_strtok_escape(NULL, KV_AUDIT_DELIMIT, &last), &mask,
503 	    B_FALSE, &err)) {
504 		(void) snprintf(auditerr, sizeof (auditerr),
505 		    "never mask \"%s\"", err);
506 		free(flags);
507 		return (auditerr);
508 	}
509 	if (last != NULL) {
510 		(void) snprintf(auditerr, sizeof (auditerr), "\"%s\"",
511 		    auditflags);
512 		free(flags);
513 		return (auditerr);
514 	}
515 	free(flags);
516 
517 	return (NULL);
518 }
519