1 /* 2 * Copyright (c) 1997 - 2001 Kungliga Tekniska H�gskolan 3 * (Royal Institute of Technology, Stockholm, Sweden). 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * 3. Neither the name of the Institute nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 #include "kadm5_locl.h" 35 36 RCSID("$Id: acl.c,v 1.13 2001/08/24 04:01:42 assar Exp $"); 37 38 static struct units acl_units[] = { 39 { "all", KADM5_PRIV_ALL }, 40 { "change-password",KADM5_PRIV_CPW }, 41 { "cpw", KADM5_PRIV_CPW }, 42 { "list", KADM5_PRIV_LIST }, 43 { "delete", KADM5_PRIV_DELETE }, 44 { "modify", KADM5_PRIV_MODIFY }, 45 { "add", KADM5_PRIV_ADD }, 46 { "get", KADM5_PRIV_GET }, 47 { NULL } 48 }; 49 50 kadm5_ret_t 51 _kadm5_string_to_privs(const char *s, u_int32_t* privs) 52 { 53 int flags; 54 flags = parse_flags(s, acl_units, 0); 55 if(flags < 0) 56 return KADM5_FAILURE; 57 *privs = flags; 58 return 0; 59 } 60 61 kadm5_ret_t 62 _kadm5_privs_to_string(u_int32_t privs, char *string, size_t len) 63 { 64 if(privs == 0) 65 strlcpy(string, "none", len); 66 else 67 unparse_flags(privs, acl_units + 1, string, len); 68 return 0; 69 } 70 71 /* 72 * retrieve the right for the current caller on `princ' (NULL means all) 73 * and store them in `ret_flags' 74 * return 0 or an error. 75 */ 76 77 static kadm5_ret_t 78 fetch_acl (kadm5_server_context *context, 79 krb5_const_principal princ, 80 unsigned *ret_flags) 81 { 82 FILE *f; 83 krb5_error_code ret = 0; 84 char buf[256]; 85 86 *ret_flags = 0; 87 88 /* no acl file -> no rights */ 89 f = fopen(context->config.acl_file, "r"); 90 if (f == NULL) 91 return 0; 92 93 while(fgets(buf, sizeof(buf), f) != NULL) { 94 char *foo = NULL, *p; 95 krb5_principal this_princ; 96 unsigned flags = 0; 97 98 p = strtok_r(buf, " \t\n", &foo); 99 if(p == NULL) 100 continue; 101 if (*p == '#') /* comment */ 102 continue; 103 ret = krb5_parse_name(context->context, p, &this_princ); 104 if(ret) 105 break; 106 if(!krb5_principal_compare(context->context, 107 context->caller, this_princ)) { 108 krb5_free_principal(context->context, this_princ); 109 continue; 110 } 111 krb5_free_principal(context->context, this_princ); 112 p = strtok_r(NULL, " \t\n", &foo); 113 if(p == NULL) 114 continue; 115 ret = _kadm5_string_to_privs(p, &flags); 116 if (ret) 117 break; 118 p = strtok_r(NULL, "\n", &foo); 119 if (p == NULL) { 120 *ret_flags = flags; 121 break; 122 } 123 if (princ != NULL) { 124 krb5_principal pattern_princ; 125 krb5_boolean match; 126 127 ret = krb5_parse_name (context->context, p, &pattern_princ); 128 if (ret) 129 break; 130 match = krb5_principal_match (context->context, 131 princ, pattern_princ); 132 krb5_free_principal (context->context, pattern_princ); 133 if (match) { 134 *ret_flags = flags; 135 break; 136 } 137 } 138 } 139 fclose(f); 140 return ret; 141 } 142 143 /* 144 * set global acl flags in `context' for the current caller. 145 * return 0 on success or an error 146 */ 147 148 kadm5_ret_t 149 _kadm5_acl_init(kadm5_server_context *context) 150 { 151 krb5_principal princ; 152 krb5_error_code ret; 153 154 ret = krb5_parse_name(context->context, KADM5_ADMIN_SERVICE, &princ); 155 if (ret) 156 return ret; 157 ret = krb5_principal_compare(context->context, context->caller, princ); 158 krb5_free_principal(context->context, princ); 159 if(ret != 0) { 160 context->acl_flags = KADM5_PRIV_ALL; 161 return 0; 162 } 163 164 return fetch_acl (context, NULL, &context->acl_flags); 165 } 166 167 /* 168 * check if `flags' allows `op' 169 * return 0 if OK or an error 170 */ 171 172 static kadm5_ret_t 173 check_flags (unsigned op, 174 unsigned flags) 175 { 176 unsigned res = ~flags & op; 177 178 if(res & KADM5_PRIV_GET) 179 return KADM5_AUTH_GET; 180 if(res & KADM5_PRIV_ADD) 181 return KADM5_AUTH_ADD; 182 if(res & KADM5_PRIV_MODIFY) 183 return KADM5_AUTH_MODIFY; 184 if(res & KADM5_PRIV_DELETE) 185 return KADM5_AUTH_DELETE; 186 if(res & KADM5_PRIV_CPW) 187 return KADM5_AUTH_CHANGEPW; 188 if(res & KADM5_PRIV_LIST) 189 return KADM5_AUTH_LIST; 190 if(res) 191 return KADM5_AUTH_INSUFFICIENT; 192 return 0; 193 } 194 195 /* 196 * return 0 if the current caller in `context' is allowed to perform 197 * `op' on `princ' and otherwise an error 198 * princ == NULL if it's not relevant. 199 */ 200 201 kadm5_ret_t 202 _kadm5_acl_check_permission(kadm5_server_context *context, 203 unsigned op, 204 krb5_const_principal princ) 205 { 206 kadm5_ret_t ret; 207 unsigned princ_flags; 208 209 ret = check_flags (op, context->acl_flags); 210 if (ret == 0) 211 return ret; 212 ret = fetch_acl (context, princ, &princ_flags); 213 if (ret) 214 return ret; 215 return check_flags (op, princ_flags); 216 } 217