xref: /illumos-gate/usr/src/lib/krb5/kadm5/srv/server_acl.c (revision 37e2cd25d56b334a2403f2540a0b0a1e6a40bcd1)
1 /*
2  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
3  * Use is subject to license terms.
4  */
5 
6 
7 /*
8  * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
9  *
10  *	Openvision retains the copyright to derivative works of
11  *	this source code.  Do *NOT* create a derivative of this
12  *	source code before consulting with your legal department.
13  *	Do *NOT* integrate *ANY* of this source code into another
14  *	product before consulting with your legal department.
15  *
16  *	For further information, read the top-level Openvision
17  *	copyright which is contained in the top-level MIT Kerberos
18  *	copyright.
19  *
20  * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
21  *
22  */
23 
24 
25 /*
26  * kadmin/v5server/srv_acl.c
27  *
28  * Copyright 1995 by the Massachusetts Institute of Technology.
29  * All Rights Reserved.
30  *
31  * Export of this software from the United States of America may
32  *   require a specific license from the United States Government.
33  *   It is the responsibility of any person or organization contemplating
34  *   export to obtain such a license before exporting.
35  *
36  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
37  * distribute this software and its documentation for any purpose and
38  * without fee is hereby granted, provided that the above copyright
39  * notice appear in all copies and that both that copyright notice and
40  * this permission notice appear in supporting documentation, and that
41  * the name of M.I.T. not be used in advertising or publicity pertaining
42  * to distribution of the software without specific, written prior
43  * permission.  Furthermore if you modify this software you must label
44  * your software as modified software and not distribute it in such a
45  * fashion that it might be confused with the original M.I.T. software.
46  * M.I.T. makes no representations about the suitability of
47  * this software for any purpose.  It is provided "as is" without express
48  * or implied warranty.
49  *
50  */
51 
52 /*
53  * srv_acl.c - Handle Kerberos ACL related functions.
54  */
55 #include <stdio.h>
56 #include <syslog.h>
57 #include <sys/param.h>
58 #include "k5-int.h"
59 #include <gssapi_krb5.h>
60 #include <kadm5/server_internal.h>
61 #include <kadm5/admin.h>
62 #include <adm_proto.h> /* SUNWresync121 XXX */
63 #include "server_acl.h"
64 #include <ctype.h>
65 #include <libintl.h> /* SUNWresync121 XXX */
66 
67 typedef struct _acl_op_table {
68     char	ao_op;
69     krb5_int32	ao_mask;
70 } aop_t;
71 
72 typedef struct _acl_entry {
73     struct _acl_entry	*ae_next;
74     char		*ae_name;
75     krb5_boolean	ae_name_bad;
76     krb5_principal	ae_principal;
77     krb5_int32		ae_op_allowed;
78     char		*ae_target;
79     krb5_boolean	ae_target_bad;
80     krb5_principal	ae_target_princ;
81     char		*ae_restriction_string;
82 			/* eg: "-maxlife 3h -service +proxiable" */
83     krb5_boolean	ae_restriction_bad;
84     restriction_t	*ae_restrictions;
85 } aent_t;
86 
87 static const aop_t acl_op_table[] = {
88     { 'a',	ACL_ADD },
89     { 'd',	ACL_DELETE },
90     { 'm',	ACL_MODIFY },
91     { 'c',	ACL_CHANGEPW },
92     { 'i',	ACL_INQUIRE },
93     { 'l',	ACL_LIST },
94     { 'p',	ACL_IPROP },		/* SUNW IProp */
95     { 's',	ACL_SETKEY },
96     { 'u',	ACL_MIGRATE },		/* pam_krb5_migrate */
97     { 'x',	ACL_ALL_MASK },
98     { '*',	ACL_ALL_MASK },
99     { '\0',	0 }
100 };
101 
102 typedef struct _wildstate {
103     int		nwild;
104     krb5_data	*backref[9];
105 } wildstate_t;
106 
107 static aent_t	*acl_list_head = (aent_t *) NULL;
108 static aent_t	*acl_list_tail = (aent_t *) NULL;
109 
110 static const char *acl_acl_file = (char *) NULL;
111 static int acl_inited = 0;
112 static int acl_debug_level = 0;
113 /*
114  * This is the catchall entry.  If nothing else appropriate is found, or in
115  * the case where the ACL file is not present, this entry controls what can
116  * be done.
117  */
118 static const char *acl_catchall_entry = NULL;
119 
120 /* Solaris Kerberos */
121 #define ACL_LINE2LONG_MSG dgettext(TEXT_DOMAIN, \
122 			"%s: line %d too long, truncated\n")
123 #define ACL_OP_BAD_MSG dgettext(TEXT_DOMAIN, \
124 			"Unrecognized ACL operation '%c' in %s\n")
125 #define ACL_SYN_ERR_MSG dgettext(TEXT_DOMAIN, \
126 			"%s: syntax error at line %d <%10s...>\n")
127 #define ACL_CANTOPEN_MSG dgettext(TEXT_DOMAIN, \
128 			"\007cannot open ACL file")
129 
130 
131 /*
132  * kadm5int_acl_get_line() - Get a line from the ACL file.
133  *			Lines ending with \ are continued on the next line
134  */
135 static char *
136 kadm5int_acl_get_line(fp, lnp)
137     FILE	*fp;
138     int		*lnp;		/* caller should set to 1 before first call */
139 {
140     int		i, domore;
141     static int	line_incr = 0;
142     static char acl_buf[BUFSIZ];
143 
144     *lnp += line_incr;
145     line_incr = 0;
146     for (domore = 1; domore && !feof(fp); ) {
147 	/* Copy in the line, with continuations */
148 	for (i=0; ((i < sizeof acl_buf) && !feof(fp)); i++ ) {
149 	    acl_buf[i] = fgetc(fp);
150 	    if (acl_buf[i] == (char)EOF) {
151 		if (i > 0 && acl_buf[i-1] == '\\')
152 		    i--;
153 		break;		/* it gets nulled-out below */
154 	    }
155 	    else if (acl_buf[i] == '\n') {
156 		if (i == 0 || acl_buf[i-1] != '\\')
157 		    break;	/* empty line or normal end of line */
158 		else {
159 		    i -= 2;	/* back up over "\\\n" and continue */
160 		    line_incr++;
161 		}
162 	    }
163 	}
164 	/* Check if we exceeded our buffer size */
165 	if (i == sizeof acl_buf && (i--, !feof(fp))) {
166 	    int	c1 = acl_buf[i], c2;
167 
168 	    krb5_klog_syslog(LOG_ERR, ACL_LINE2LONG_MSG, acl_acl_file, *lnp);
169 	    while ((c2 = fgetc(fp)) != EOF) {
170 		if (c2 == '\n') {
171 		    if (c1 != '\\')
172 			break;
173 		    line_incr++;
174 		}
175 		c1 = c2;
176 	    }
177 	}
178 	acl_buf[i] = '\0';
179 	if (acl_buf[0] == (char) EOF)	/* ptooey */
180 	    acl_buf[0] = '\0';
181 	else
182 	    line_incr++;
183 	if ((acl_buf[0] != '#') && (acl_buf[0] != '\0'))
184 	    domore = 0;
185     }
186     if (domore || (strlen(acl_buf) == 0))
187 	return((char *) NULL);
188     else
189 	return(acl_buf);
190 }
191 
192 /*
193  * kadm5int_acl_parse_line() - Parse the contents of an ACL line.
194  */
195 static aent_t *
196 kadm5int_acl_parse_line(lp)
197     const char *lp;
198 {
199     static char acle_principal[BUFSIZ];
200     static char acle_ops[BUFSIZ];
201     static char acle_object[BUFSIZ];
202     static char acle_restrictions[BUFSIZ];
203     aent_t	*acle;
204     char	*op;
205     int		t, found, opok, nmatch;
206 
207     DPRINT(DEBUG_CALLS, acl_debug_level,
208 	   ("* kadm5int_acl_parse_line(line=%20s)\n", lp));
209     /*
210      * Format is still simple:
211      *  entry ::= [<whitespace>] <principal> <whitespace> <opstring>
212      *		  [<whitespace> <target> [<whitespace> <restrictions>
213      *					  [<whitespace>]]]
214      */
215     acle = (aent_t *) NULL;
216     acle_object[0] = '\0';
217     nmatch = sscanf(lp, "%s %s %s %[^\n]", acle_principal, acle_ops,
218 		    acle_object, acle_restrictions);
219     if (nmatch >= 2) {
220 	acle = (aent_t *) malloc(sizeof(aent_t));
221 	if (acle) {
222 	    acle->ae_next = (aent_t *) NULL;
223 	    acle->ae_op_allowed = (krb5_int32) 0;
224 	    acle->ae_target =
225 		(nmatch >= 3) ? strdup(acle_object) : (char *) NULL;
226 	    acle->ae_target_bad = 0;
227 	    acle->ae_target_princ = (krb5_principal) NULL;
228 	    opok = 1;
229 	    for (op=acle_ops; *op; op++) {
230 		char rop;
231 
232 		rop = (isupper((unsigned char) *op)) ? tolower((unsigned char) *op) : *op;
233 		found = 0;
234 		for (t=0; acl_op_table[t].ao_op; t++) {
235 		    if (rop == acl_op_table[t].ao_op) {
236 			found = 1;
237 			if (rop == *op)
238 			    acle->ae_op_allowed |= acl_op_table[t].ao_mask;
239 			else
240 			    acle->ae_op_allowed &= ~acl_op_table[t].ao_mask;
241 		    }
242 		}
243 		if (!found) {
244 		    krb5_klog_syslog(LOG_ERR, ACL_OP_BAD_MSG, *op, lp);
245 		    opok = 0;
246 		}
247 	    }
248 	    if (opok) {
249 		acle->ae_name = (char *) malloc(strlen(acle_principal)+1);
250 		if (acle->ae_name) {
251 		    strcpy(acle->ae_name, acle_principal);
252 		    acle->ae_principal = (krb5_principal) NULL;
253 		    acle->ae_name_bad = 0;
254 		    DPRINT(DEBUG_ACL, acl_debug_level,
255 			   ("A ACL entry %s -> opmask %x\n",
256 			    acle->ae_name, acle->ae_op_allowed));
257 		}
258 		else {
259 		    if (acle->ae_target)
260 			free(acle->ae_target);
261 		    free(acle);
262 		    acle = (aent_t *) NULL;
263 		}
264 	    }
265 	    else {
266 		if (acle->ae_target)
267 		    free(acle->ae_target);
268 		free(acle);
269 		acle = (aent_t *) NULL;
270 	    }
271 	    if ( nmatch >= 4 ) {
272 		char	*trailing;
273 
274 		trailing = &acle_restrictions[strlen(acle_restrictions)-1];
275 		while ( isspace((int) *trailing) )
276 		    trailing--;
277 		trailing[1] = '\0';
278 		acle->ae_restriction_string = strdup(acle_restrictions);
279 	    }
280 	    else {
281 		acle->ae_restriction_string = (char *) NULL;
282 	    }
283 	    acle->ae_restriction_bad = 0;
284 	    acle->ae_restrictions = (restriction_t *) NULL;
285 	}
286     }
287     DPRINT(DEBUG_CALLS, acl_debug_level,
288 	   ("X kadm5int_acl_parse_line() = %x\n", (long) acle));
289     return(acle);
290 }
291 
292 /*
293  * kadm5int_acl_parse_restrictions() - Parse optional restrictions field
294  *
295  * Allowed restrictions are:
296  *	[+-]flagname		(recognized by krb5_string_to_flags)
297  *				flag is forced to indicated value
298  *	-clearpolicy		policy is forced clear
299  *	-policy pol		policy is forced to be "pol"
300  *	-{expire,pwexpire,maxlife,maxrenewlife} deltat
301  *				associated value will be forced to
302  *				MIN(deltat, requested value)
303  *
304  * Returns: 0 on success, or system errors
305  */
306 static krb5_error_code
307 kadm5int_acl_parse_restrictions(s, rpp)
308     char		*s;
309     restriction_t	**rpp;
310 {
311     char		*sp, *tp, *ap;
312     static const char	*delims = "\t\n\f\v\r ,";
313     krb5_deltat		dt;
314     krb5_flags		flag;
315     krb5_error_code	code;
316 
317    DPRINT(DEBUG_CALLS, acl_debug_level,
318 	   ("* kadm5int_acl_parse_restrictions(s=%20s, rpp=0x%08x)\n", s, (long)rpp));
319 
320     *rpp = (restriction_t *) NULL;
321     code = 0;
322     if (s) {
323 	if (!(sp = strdup(s))	/* Don't munge the original */
324 	    || !(*rpp = (restriction_t *) malloc(sizeof(restriction_t)))) {
325 	    code = ENOMEM;
326 	} else {
327 	    memset(*rpp, 0, sizeof(**rpp));
328 	    for (tp=strtok(sp, delims); tp; tp=strtok((char *)NULL, delims)) {
329 		flag = 0;
330 		if (!krb5_string_to_flags(tp, "+", "-", &flag)) {
331 		    /* OK, but was it in the positive or negative sense? */
332 		    if (flag) {
333 			(*rpp)->require_attrs |= flag;
334 		    } else {
335 			flag = ~0;
336 			(void) krb5_string_to_flags(tp, "+", "-", &flag);
337 			(*rpp)->forbid_attrs |= ~flag;
338 		    }
339 		    (*rpp)->mask |= KADM5_ATTRIBUTES;
340 		} else if (!strcmp(tp, "-clearpolicy")) {
341 		    (*rpp)->mask |= KADM5_POLICY_CLR;
342 		} else {
343 		    /* everything else needs an argument ... */
344 		    if (!(ap = strtok((char *)NULL, delims))) {
345 			code = EINVAL;
346 			break;
347 		    }
348 		    if (!strcmp(tp, "-policy")) {
349 			if (!((*rpp)->policy = strdup(ap))) {
350 			    code = ENOMEM;
351 			    break;
352 			}
353 			(*rpp)->mask |= KADM5_POLICY;
354 		    } else {
355 			/* all other arguments must be a deltat ... */
356 			if (krb5_string_to_deltat(ap, &dt)) {
357 			    code = EINVAL;
358 			    break;
359 			}
360 			if (!strcmp(tp, "-expire")) {
361 			    (*rpp)->princ_lifetime = dt;
362 			    (*rpp)->mask |= KADM5_PRINC_EXPIRE_TIME;
363 			} else if (!strcmp(tp, "-pwexpire")) {
364 			    (*rpp)->pw_lifetime = dt;
365 			    (*rpp)->mask |= KADM5_PW_EXPIRATION;
366 			} else if (!strcmp(tp, "-maxlife")) {
367 			    (*rpp)->max_life = dt;
368 			    (*rpp)->mask |= KADM5_MAX_LIFE;
369 			} else if (!strcmp(tp, "-maxrenewlife")) {
370 			    (*rpp)->max_renewable_life = dt;
371 			    (*rpp)->mask |= KADM5_MAX_RLIFE;
372 			} else {
373 			    code = EINVAL;
374 			    break;
375 			}
376 		    }
377 		}
378 	    }
379 	}
380     }
381     if (sp)
382 	free(sp);
383     if (*rpp && code) {
384 	if ((*rpp)->policy)
385 	    free((*rpp)->policy);
386 	free(*rpp);
387 	*rpp = (restriction_t *) NULL;
388     }
389     DPRINT(DEBUG_CALLS, acl_debug_level,
390 	   ("X kadm5int_acl_parse_restrictions() = %d, mask=0x%08x\n",
391 	    code, (*rpp) ? (*rpp)->mask : 0));
392     return code;
393 }
394 
395 /*
396  * kadm5int_acl_impose_restrictions()	- impose restrictions, modifying *recp, *maskp
397  *
398  * Returns: 0 on success;
399  *	    malloc or timeofday errors
400  */
401 krb5_error_code
402 kadm5int_acl_impose_restrictions(kcontext, recp, maskp, rp)
403      krb5_context		kcontext;
404      kadm5_principal_ent_rec	*recp;
405      long			*maskp;
406      restriction_t		*rp;
407 {
408     krb5_error_code	code;
409     krb5_int32		now;
410 
411     DPRINT(DEBUG_CALLS, acl_debug_level,
412 	   ("* kadm5int_acl_impose_restrictions(..., *maskp=0x%08x, rp=0x%08x)\n",
413 	    *maskp, (long)rp));
414     if (!rp)
415 	return 0;
416     if (rp->mask & (KADM5_PRINC_EXPIRE_TIME|KADM5_PW_EXPIRATION))
417 	if ((code = krb5_timeofday(kcontext, &now)))
418 	    return code;
419 
420     if (rp->mask & KADM5_ATTRIBUTES) {
421 	recp->attributes |= rp->require_attrs;
422 	recp->attributes &= ~(rp->forbid_attrs);
423 	*maskp |= KADM5_ATTRIBUTES;
424     }
425     if (rp->mask & KADM5_POLICY_CLR) {
426 	*maskp &= ~KADM5_POLICY;
427 	*maskp |= KADM5_POLICY_CLR;
428     } else if (rp->mask & KADM5_POLICY) {
429 	if (recp->policy && strcmp(recp->policy, rp->policy)) {
430 		free(recp->policy);
431 		recp->policy = (char *) NULL;
432 	}
433 	if (!recp->policy) {
434 	    recp->policy = strdup(rp->policy);  /* XDR will free it */
435 	    if (!recp->policy)
436 		return ENOMEM;
437 	}
438 	*maskp |= KADM5_POLICY;
439     }
440     if (rp->mask & KADM5_PRINC_EXPIRE_TIME) {
441 	if (!(*maskp & KADM5_PRINC_EXPIRE_TIME)
442 	    || (recp->princ_expire_time > (now + rp->princ_lifetime)))
443 	    recp->princ_expire_time = now + rp->princ_lifetime;
444 	*maskp |= KADM5_PRINC_EXPIRE_TIME;
445     }
446     if (rp->mask & KADM5_PW_EXPIRATION) {
447 	if (!(*maskp & KADM5_PW_EXPIRATION)
448 	    || (recp->pw_expiration > (now + rp->pw_lifetime)))
449 	    recp->pw_expiration = now + rp->pw_lifetime;
450 	*maskp |= KADM5_PW_EXPIRATION;
451     }
452     if (rp->mask & KADM5_MAX_LIFE) {
453 	if (!(*maskp & KADM5_MAX_LIFE)
454 	    || (recp->max_life > rp->max_life))
455 	    recp->max_life = rp->max_life;
456 	*maskp |= KADM5_MAX_LIFE;
457     }
458     if (rp->mask & KADM5_MAX_RLIFE) {
459 	if (!(*maskp & KADM5_MAX_RLIFE)
460 	    || (recp->max_renewable_life > rp->max_renewable_life))
461 	    recp->max_renewable_life = rp->max_renewable_life;
462 	*maskp |= KADM5_MAX_RLIFE;
463     }
464     DPRINT(DEBUG_CALLS, acl_debug_level,
465 	   ("X kadm5int_acl_impose_restrictions() = 0, *maskp=0x%08x\n", *maskp));
466     return 0;
467 }
468 
469 /*
470  * kadm5int_acl_free_entries() - Free all ACL entries.
471  */
472 static void
473 kadm5int_acl_free_entries()
474 {
475     aent_t	*ap;
476     aent_t	*np;
477 
478     DPRINT(DEBUG_CALLS, acl_debug_level, ("* kadm5int_acl_free_entries()\n"));
479     for (ap=acl_list_head; ap; ap = np) {
480 	if (ap->ae_name)
481 	    free(ap->ae_name);
482 	if (ap->ae_principal)
483 	    krb5_free_principal((krb5_context) NULL, ap->ae_principal);
484 	if (ap->ae_target)
485 	    free(ap->ae_target);
486 	if (ap->ae_target_princ)
487 	    krb5_free_principal((krb5_context) NULL, ap->ae_target_princ);
488 	if (ap->ae_restriction_string)
489 	    free(ap->ae_restriction_string);
490 	if (ap->ae_restrictions) {
491 	    if (ap->ae_restrictions->policy)
492 		free(ap->ae_restrictions->policy);
493 	    free(ap->ae_restrictions);
494 	}
495 	np = ap->ae_next;
496 	free(ap);
497     }
498     acl_list_head = acl_list_tail = (aent_t *) NULL;
499     acl_inited = 0;
500     DPRINT(DEBUG_CALLS, acl_debug_level, ("X kadm5int_acl_free_entries()\n"));
501 }
502 
503 /*
504  * kadm5int_acl_load_acl_file()	- Open and parse the ACL file.
505  */
506 static int
507 kadm5int_acl_load_acl_file()
508 {
509     FILE 	*afp;
510     char 	*alinep;
511     aent_t	**aentpp;
512     int		alineno;
513     int		retval = 1;
514 
515     DPRINT(DEBUG_CALLS, acl_debug_level, ("* kadm5int_acl_load_acl_file()\n"));
516     /* Open the ACL file for read */
517     afp = fopen(acl_acl_file, "rF"); /* Solaris Kerberos */
518     if (afp) {
519 	alineno = 1;
520 	aentpp = &acl_list_head;
521 
522 	/* Get a non-comment line */
523 	while ((alinep = kadm5int_acl_get_line(afp, &alineno))) {
524 	    /* Parse it */
525 	    *aentpp = kadm5int_acl_parse_line(alinep);
526 	    /* If syntax error, then fall out */
527 	    if (!*aentpp) {
528 		krb5_klog_syslog(LOG_ERR, ACL_SYN_ERR_MSG,
529 			acl_acl_file, alineno, alinep);
530 		retval = 0;
531 		break;
532 	    }
533 	    acl_list_tail = *aentpp;
534 	    aentpp = &(*aentpp)->ae_next;
535 	}
536 
537 	fclose(afp);
538 
539 	if (acl_catchall_entry) {
540 	     *aentpp = kadm5int_acl_parse_line(acl_catchall_entry);
541 	     if (*aentpp) {
542 		  acl_list_tail = *aentpp;
543 	     }
544 	     else {
545 		  retval = 0;
546 		  DPRINT(DEBUG_OPERATION, acl_debug_level,
547 			 ("> catchall acl entry (%s) load failed\n",
548 			  acl_catchall_entry));
549 	     }
550 	}
551     }
552     else {
553 	krb5_klog_syslog(LOG_ERR,  ACL_CANTOPEN_MSG,
554 			 error_message(errno), acl_acl_file);
555 	if (acl_catchall_entry &&
556 	    (acl_list_head = kadm5int_acl_parse_line((char *)acl_catchall_entry))) {
557 	    acl_list_tail = acl_list_head;
558 	}
559 	else {
560 	    retval = 0;
561 	    DPRINT(DEBUG_OPERATION, acl_debug_level,
562 		   ("> catchall acl entry (%s) load failed\n",
563 		    acl_catchall_entry));
564 	}
565     }
566 
567     if (!retval) {
568 	kadm5int_acl_free_entries();
569     }
570     DPRINT(DEBUG_CALLS, acl_debug_level,
571 	   ("X kadm5int_acl_load_acl_file() = %d\n", retval));
572     return(retval);
573 }
574 
575 /*
576  * kadm5int_acl_match_data()	- See if two data entries match.
577  *
578  * Wildcarding is only supported for a whole component.
579  */
580 static krb5_boolean
581 kadm5int_acl_match_data(e1, e2, targetflag, ws)
582     krb5_data	*e1, *e2;
583     int		targetflag;
584     wildstate_t	*ws;
585 {
586     krb5_boolean	retval;
587 
588     DPRINT(DEBUG_CALLS, acl_debug_level,
589 	   ("* acl_match_entry(%s, %s)\n", e1->data, e2->data));
590     retval = 0;
591     if (!strncmp(e1->data, "*", e1->length)) {
592 	retval = 1;
593 	if (ws && !targetflag) {
594 	    if (ws->nwild >= 9) {
595 		/* Solaris Kerberos */
596 		DPRINT(DEBUG_ACL, acl_debug_level,
597 		    ("Too many wildcards in ACL entry %s\n", e1->data));
598 	    }
599 	    else
600 		ws->backref[ws->nwild++] = e2;
601 	}
602     }
603     else if (ws && targetflag && (e1->length == 2) && (e1->data[0] == '*') &&
604 	     (e1->data[1] >= '1') && (e1->data[1] <= '9')) {
605 	int	n = e1->data[1] - '1';
606 	if (n >= ws->nwild) {
607 	    /* Solaris Kerberos */
608 	    DPRINT(DEBUG_ACL, acl_debug_level,
609 		   ("Too many backrefs in ACL entry %s\n", e1->data));
610 	}
611 	else if ((ws->backref[n]->length == e2->length) &&
612 		 (!strncmp(ws->backref[n]->data, e2->data, e2->length)))
613 	    retval = 1;
614 
615     }
616     else {
617 	if ((e1->length == e2->length) &&
618 	    (!strncmp(e1->data, e2->data, e1->length)))
619 	    retval = 1;
620     }
621     DPRINT(DEBUG_CALLS, acl_debug_level, ("X acl_match_entry()=%d\n",retval));
622     return(retval);
623 }
624 
625 /*
626  * kadm5int_acl_find_entry()	- Find a matching entry.
627  */
628 static aent_t *
629 kadm5int_acl_find_entry(kcontext, principal, dest_princ)
630     krb5_context	kcontext;
631     krb5_principal	principal;
632     krb5_principal	dest_princ;
633 {
634     aent_t		*entry;
635     krb5_error_code	kret;
636     int			i;
637     int			matchgood;
638     wildstate_t		state;
639 
640     DPRINT(DEBUG_CALLS, acl_debug_level, ("* kadm5int_acl_find_entry()\n"));
641     memset((char *)&state, 0, sizeof state);
642     for (entry=acl_list_head; entry; entry = entry->ae_next) {
643 	if (entry->ae_name_bad)
644 	    continue;
645 	if (!strcmp(entry->ae_name, "*")) {
646 	    DPRINT(DEBUG_ACL, acl_debug_level, ("A wildcard ACL match\n"));
647 	    matchgood = 1;
648 	}
649 	else {
650 	    if (!entry->ae_principal && !entry->ae_name_bad) {
651 		kret = krb5_parse_name(kcontext,
652 				       entry->ae_name,
653 				       &entry->ae_principal);
654 		if (kret)
655 		    entry->ae_name_bad = 1;
656 	    }
657 	    if (entry->ae_name_bad) {
658 		DPRINT(DEBUG_ACL, acl_debug_level,
659 		       ("Bad ACL entry %s\n", entry->ae_name));
660 		continue;
661 	    }
662 	    matchgood = 0;
663 	    if (kadm5int_acl_match_data(&entry->ae_principal->realm,
664 			       &principal->realm, 0, (wildstate_t *)0) &&
665 		(entry->ae_principal->length == principal->length)) {
666 		matchgood = 1;
667 		for (i=0; i<principal->length; i++) {
668 		    if (!kadm5int_acl_match_data(&entry->ae_principal->data[i],
669 					&principal->data[i], 0, &state)) {
670 			matchgood = 0;
671 			break;
672 		    }
673 		}
674 	    }
675 	}
676 	if (!matchgood)
677 	    continue;
678 
679 	/* We've matched the principal.  If we have a target, then try it */
680 	if (entry->ae_target && strcmp(entry->ae_target, "*")) {
681 	    if (!entry->ae_target_princ && !entry->ae_target_bad) {
682 		kret = krb5_parse_name(kcontext, entry->ae_target,
683 				       &entry->ae_target_princ);
684 		if (kret)
685 		    entry->ae_target_bad = 1;
686 	    }
687 	    if (entry->ae_target_bad) {
688 	        DPRINT(DEBUG_ACL, acl_debug_level,
689 		       ("Bad target in ACL entry for %s\n", entry->ae_name));
690 	        entry->ae_name_bad = 1;
691 	        continue;
692 	    }
693 	    if (!dest_princ)
694 	        matchgood = 0;
695 	    else if (entry->ae_target_princ && dest_princ) {
696 	        if (kadm5int_acl_match_data(&entry->ae_target_princ->realm,
697 			           &dest_princ->realm, 1, (wildstate_t *)0) &&
698 		    (entry->ae_target_princ->length == dest_princ->length)) {
699 		    for (i=0; i<dest_princ->length; i++) {
700 		        if (!kadm5int_acl_match_data(&entry->ae_target_princ->data[i],
701 			  		    &dest_princ->data[i], 1, &state)) {
702 			    matchgood = 0;
703 			    break;
704 		        }
705 		    }
706 	        }
707 	        else
708 		    matchgood = 0;
709 	    }
710         }
711 	if (!matchgood)
712 	    continue;
713 
714 	if (entry->ae_restriction_string
715 	    && !entry->ae_restriction_bad
716 	    && !entry->ae_restrictions
717 	    && kadm5int_acl_parse_restrictions(entry->ae_restriction_string,
718 				      &entry->ae_restrictions)) {
719 	    DPRINT(DEBUG_ACL, acl_debug_level,
720 		   ("Bad restrictions in ACL entry for %s\n", entry->ae_name));
721 	    entry->ae_restriction_bad = 1;
722 	}
723 	if (entry->ae_restriction_bad) {
724 	    entry->ae_name_bad = 1;
725 	    continue;
726 	}
727 	break;
728     }
729     DPRINT(DEBUG_CALLS, acl_debug_level, ("X kadm5int_acl_find_entry()=%x\n",entry));
730     return(entry);
731 }
732 
733 /*
734  * kadm5int_acl_init()	- Initialize ACL context.
735  */
736 krb5_error_code
737 kadm5int_acl_init(kcontext, debug_level, acl_file)
738     krb5_context	kcontext;
739     int			debug_level;
740     char		*acl_file;
741 {
742     krb5_error_code	kret;
743 
744     kret = 0;
745     acl_debug_level = debug_level;
746     DPRINT(DEBUG_CALLS, acl_debug_level,
747 	   ("* kadm5int_acl_init(afile=%s)\n",
748 	    ((acl_file) ? acl_file : "(null)")));
749     acl_acl_file = (acl_file) ? acl_file : (char *) KRB5_DEFAULT_ADMIN_ACL;
750     acl_inited = kadm5int_acl_load_acl_file();
751 
752     DPRINT(DEBUG_CALLS, acl_debug_level, ("X kadm5int_acl_init() = %d\n", kret));
753     return(kret);
754 }
755 
756 /*
757  * kadm5int_acl_finish	- Terminate ACL context.
758  */
759 void
760 kadm5int_acl_finish(kcontext, debug_level)
761     krb5_context	kcontext;
762     int			debug_level;
763 {
764     DPRINT(DEBUG_CALLS, acl_debug_level, ("* kadm5int_acl_finish()\n"));
765     kadm5int_acl_free_entries();
766     DPRINT(DEBUG_CALLS, acl_debug_level, ("X kadm5int_acl_finish()\n"));
767 }
768 
769 /*
770  * kadm5int_acl_check()	- Is this operation permitted for this principal?
771  *			this code used not to be based on gssapi.  In order
772  *			to minimize porting hassles, I've put all the
773  *			gssapi hair in this function.  This might not be
774  *			the best medium-term solution.  (The best long-term
775  *			solution is, of course, a real authorization service.)
776  */
777 krb5_boolean
778 kadm5int_acl_check(kcontext, caller, opmask, principal, restrictions)
779     krb5_context	kcontext;
780     gss_name_t		caller;
781     krb5_int32		opmask;
782     krb5_principal	principal;
783     restriction_t	**restrictions;
784 {
785     krb5_boolean	retval;
786     aent_t		*aentry;
787     gss_buffer_desc	caller_buf;
788     gss_OID		caller_oid;
789     OM_uint32		emaj, emin;
790     krb5_error_code	code;
791     krb5_principal	caller_princ;
792 
793     DPRINT(DEBUG_CALLS, acl_debug_level, ("* acl_op_permitted()\n"));
794 
795     /* Solaris Kerberos */
796     if (restrictions)
797         *restrictions = NULL;
798 
799     if (GSS_ERROR(emaj = gss_display_name(&emin, caller, &caller_buf,
800 					  &caller_oid)))
801        return(1);
802 
803     code = krb5_parse_name(kcontext, (char *) caller_buf.value,
804 			   &caller_princ);
805 
806     gss_release_buffer(&emin, &caller_buf);
807 
808     if (code)
809        return(code);
810 
811     retval = 0;
812 
813     aentry = kadm5int_acl_find_entry(kcontext, caller_princ, principal);
814     if (aentry) {
815 	if ((aentry->ae_op_allowed & opmask) == opmask) {
816 	    retval = 1;
817 	    if (restrictions) {
818 		*restrictions =
819 		    (aentry->ae_restrictions && aentry->ae_restrictions->mask)
820 		    ? aentry->ae_restrictions
821 		    : (restriction_t *) NULL;
822 	    }
823 	}
824     }
825 
826     krb5_free_principal(kcontext, caller_princ);
827 
828     DPRINT(DEBUG_CALLS, acl_debug_level, ("X acl_op_permitted()=%d\n",
829 					  retval));
830     return(retval);
831 }
832 
833 kadm5_ret_t
834 kadm5_get_privs(void *server_handle, long *privs)
835 {
836      CHECK_HANDLE(server_handle);
837 
838      /* this is impossible to do with the current interface.  For now,
839 	return all privs, which will confuse some clients, but not
840 	deny any access to users of "smart" clients which try to cache */
841 
842      *privs = ~0;
843 
844      return KADM5_OK;
845 }
846 
847 /* SUNWresync121 (SEAM1.0) XXX */
848 kadm5_ret_t
849 __kadm5_get_priv(void *server_handle, long *privs, gss_name_t client)
850 {
851 
852 	aent_t		*aentry;
853 	gss_buffer_desc	caller_buff;
854 	gss_OID		caller_oid;
855 	krb5_principal	caller_principal;
856 	OM_uint32	minor, major;
857 	krb5_error_code	k_error;
858 	kadm5_ret_t	retval = KADM5_FAILURE;
859 
860      kadm5_server_handle_t handle = server_handle;
861 
862      CHECK_HANDLE(server_handle);
863 
864 	if (GSS_ERROR(major = gss_display_name(&minor, client, &caller_buff,
865 						&caller_oid)))
866 		return(retval);
867 	k_error = krb5_parse_name(handle->context,
868 					(char *) caller_buff.value,
869 					&caller_principal);
870 	gss_release_buffer(&minor, &caller_buff);
871 
872 	if (k_error)
873 		return(retval);
874 
875 	if (aentry = kadm5int_acl_find_entry(handle->context, caller_principal,
876 					(krb5_principal)NULL))
877 		*privs = aentry->ae_op_allowed;
878 	krb5_free_principal(handle->context, caller_principal);
879 
880 	return (KADM5_OK);
881 }
882