xref: /illumos-gate/usr/src/lib/nsswitch/ldap/common/getgrent.c (revision 6cefaae1e90a413ba01560575bb3998e1a3df40e)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #include <grp.h>
27 #include "ldap_common.h"
28 
29 /* String which may need to be removed from beginning of group password */
30 #define	_CRYPT		"{CRYPT}"
31 #define	_NO_PASSWD_VAL	""
32 
33 /* Group attributes filters */
34 #define	_G_NAME		"cn"
35 #define	_G_GID		"gidnumber"
36 #define	_G_PASSWD	"userpassword"
37 #define	_G_MEM		"memberuid"
38 
39 #define	_F_GETGRNAM	"(&(objectClass=posixGroup)(cn=%s))"
40 #define	_F_GETGRNAM_SSD	"(&(%%s)(cn=%s))"
41 #define	_F_GETGRGID	"(&(objectClass=posixGroup)(gidNumber=%u))"
42 #define	_F_GETGRGID_SSD	"(&(%%s)(gidNumber=%u))"
43 #define	_F_GETGRMEM	"(&(objectClass=posixGroup)(memberUid=%s))"
44 #define	_F_GETGRMEM_SSD	"(&(%%s)(memberUid=%s))"
45 
46 static const char *gr_attrs[] = {
47 	_G_NAME,
48 	_G_GID,
49 	_G_PASSWD,
50 	_G_MEM,
51 	(char *)NULL
52 };
53 
54 
55 /*
56  * _nss_ldap_group2str is the data marshaling method for the group getXbyY
57  * (e.g., getgrnam(), getgrgid(), getgrent()) backend processes. This method
58  * is called after a successful ldap search has been performed. This method
59  * will parse the ldap search values into the file format.
60  * e.g.
61  *
62  * adm::4:root,adm,daemon
63  *
64  */
65 
66 static int
67 _nss_ldap_group2str(ldap_backend_ptr be, nss_XbyY_args_t *argp)
68 {
69 	int		i;
70 	int		nss_result;
71 	int		buflen = 0, len;
72 	int		firstime = 1;
73 	char		*buffer = NULL;
74 	ns_ldap_result_t	*result = be->result;
75 	char		**gname, **passwd, **gid, *password, *end;
76 	char		gid_nobody[NOBODY_STR_LEN];
77 	char		*gid_nobody_v[1];
78 	ns_ldap_attr_t	*members;
79 
80 	(void) snprintf(gid_nobody, sizeof (gid_nobody), "%u", GID_NOBODY);
81 	gid_nobody_v[0] = gid_nobody;
82 
83 	if (result == NULL)
84 		return (NSS_STR_PARSE_PARSE);
85 	buflen = argp->buf.buflen;
86 
87 	if (argp->buf.result != NULL) {
88 		if ((be->buffer = calloc(1, buflen)) == NULL) {
89 			nss_result = NSS_STR_PARSE_PARSE;
90 			goto result_grp2str;
91 		}
92 		buffer = be->buffer;
93 	} else
94 		buffer = argp->buf.buffer;
95 
96 	nss_result = NSS_STR_PARSE_SUCCESS;
97 	(void) memset(buffer, 0, buflen);
98 
99 	gname = __ns_ldap_getAttr(result->entry, _G_NAME);
100 	if (gname == NULL || gname[0] == NULL || (strlen(gname[0]) < 1)) {
101 		nss_result = NSS_STR_PARSE_PARSE;
102 		goto result_grp2str;
103 	}
104 	passwd = __ns_ldap_getAttr(result->entry, _G_PASSWD);
105 	if (passwd == NULL || passwd[0] == NULL || (strlen(passwd[0]) == 0)) {
106 		/* group password could be NULL, replace it with "" */
107 		password = _NO_PASSWD_VAL;
108 	} else {
109 		/*
110 		 * Preen "{crypt}" if necessary.
111 		 * If the password does not include the {crypt} prefix
112 		 * then the password may be plain text.  And thus
113 		 * perhaps crypt(3c) should be used to encrypt it.
114 		 * Currently the password is copied verbatim.
115 		 */
116 		if (strncasecmp(passwd[0], _CRYPT, strlen(_CRYPT)) == 0)
117 			password = passwd[0] + strlen(_CRYPT);
118 		else
119 			password = passwd[0];
120 	}
121 	gid = __ns_ldap_getAttr(result->entry, _G_GID);
122 	if (gid == NULL || gid[0] == NULL || (strlen(gid[0]) < 1)) {
123 		nss_result = NSS_STR_PARSE_PARSE;
124 		goto result_grp2str;
125 	}
126 	/* Validate GID */
127 	if (strtoul(gid[0], &end, 10) > MAXUID)
128 		gid = gid_nobody_v;
129 	len = snprintf(buffer, buflen, "%s:%s:%s:", gname[0], password, gid[0]);
130 	TEST_AND_ADJUST(len, buffer, buflen, result_grp2str);
131 
132 	members = __ns_ldap_getAttrStruct(result->entry, _G_MEM);
133 	if (members == NULL || members->attrvalue == NULL) {
134 		/* no member is fine, skip processing the member list */
135 		goto nomember;
136 	}
137 
138 	for (i = 0; i < members->value_count; i++) {
139 		if (members->attrvalue[i] == NULL) {
140 			nss_result = NSS_STR_PARSE_PARSE;
141 			goto result_grp2str;
142 		}
143 		if (firstime) {
144 			len = snprintf(buffer, buflen, "%s",
145 			    members->attrvalue[i]);
146 			TEST_AND_ADJUST(len, buffer, buflen, result_grp2str);
147 			firstime = 0;
148 		} else {
149 			len = snprintf(buffer, buflen, ",%s",
150 			    members->attrvalue[i]);
151 			TEST_AND_ADJUST(len, buffer, buflen, result_grp2str);
152 		}
153 	}
154 nomember:
155 	/* The front end marshaller doesn't need the trailing nulls */
156 	if (argp->buf.result != NULL)
157 		be->buflen = strlen(be->buffer);
158 result_grp2str:
159 	(void) __ns_ldap_freeResult(&be->result);
160 	return (nss_result);
161 }
162 
163 /*
164  * getbynam gets a group entry by name. This function constructs an ldap
165  * search filter using the name invocation parameter and the getgrnam search
166  * filter defined. Once the filter is constructed, we searche for a matching
167  * entry and marshal the data results into struct group for the frontend
168  * process. The function _nss_ldap_group2ent performs the data marshaling.
169  */
170 
171 static nss_status_t
172 getbynam(ldap_backend_ptr be, void *a)
173 {
174 	nss_XbyY_args_t	*argp = (nss_XbyY_args_t *)a;
175 	char		searchfilter[SEARCHFILTERLEN];
176 	char		userdata[SEARCHFILTERLEN];
177 	char		groupname[SEARCHFILTERLEN];
178 	int		ret;
179 
180 	if (_ldap_filter_name(groupname, argp->key.name, sizeof (groupname)) !=
181 	    0)
182 		return ((nss_status_t)NSS_NOTFOUND);
183 
184 	ret = snprintf(searchfilter, sizeof (searchfilter),
185 	    _F_GETGRNAM, groupname);
186 	if (ret >= sizeof (searchfilter) || ret < 0)
187 		return ((nss_status_t)NSS_NOTFOUND);
188 
189 	ret = snprintf(userdata, sizeof (userdata), _F_GETGRNAM_SSD, groupname);
190 	if (ret >= sizeof (userdata) || ret < 0)
191 		return ((nss_status_t)NSS_NOTFOUND);
192 
193 	return ((nss_status_t)_nss_ldap_lookup(be, argp,
194 	    _GROUP, searchfilter, NULL, _merge_SSD_filter, userdata));
195 }
196 
197 
198 /*
199  * getbygid gets a group entry by number. This function constructs an ldap
200  * search filter using the name invocation parameter and the getgrgid search
201  * filter defined. Once the filter is constructed, we searche for a matching
202  * entry and marshal the data results into struct group for the frontend
203  * process. The function _nss_ldap_group2ent performs the data marshaling.
204  */
205 
206 static nss_status_t
207 getbygid(ldap_backend_ptr be, void *a)
208 {
209 	nss_XbyY_args_t	*argp = (nss_XbyY_args_t *)a;
210 	char searchfilter[SEARCHFILTERLEN];
211 	char userdata[SEARCHFILTERLEN];
212 	int ret;
213 
214 	if (argp->key.uid > MAXUID)
215 		return ((nss_status_t)NSS_NOTFOUND);
216 
217 	ret = snprintf(searchfilter, sizeof (searchfilter),
218 	    _F_GETGRGID, argp->key.uid);
219 	if (ret >= sizeof (searchfilter) || ret < 0)
220 		return ((nss_status_t)NSS_NOTFOUND);
221 
222 	ret = snprintf(userdata, sizeof (userdata),
223 	    _F_GETGRGID_SSD, argp->key.uid);
224 	if (ret >= sizeof (userdata) || ret < 0)
225 		return ((nss_status_t)NSS_NOTFOUND);
226 
227 	return ((nss_status_t)_nss_ldap_lookup(be, argp,
228 	    _GROUP, searchfilter, NULL, _merge_SSD_filter, userdata));
229 
230 }
231 
232 
233 /*
234  * getbymember returns all groups a user is defined in. This function
235  * uses different architectural procedures than the other group backend
236  * system calls because it's a private interface. This function constructs
237  * an ldap search filter using the name invocation parameter. Once the
238  * filter is constructed, we search for all matching groups counting
239  * and storing each group name, gid, etc. Data marshaling is used for
240  * group processing. The function _nss_ldap_group2ent() performs the
241  * data marshaling.
242  *
243  * (const char *)argp->username;	(size_t)strlen(argp->username);
244  * (gid_t)argp->gid_array;		(int)argp->maxgids;
245  * (int)argp->numgids;
246  */
247 
248 static nss_status_t
249 getbymember(ldap_backend_ptr be, void *a)
250 {
251 	int			i, j, k;
252 	int			gcnt = (int)0;
253 	char			**groupvalue, **membervalue;
254 	nss_status_t		lstat;
255 	struct nss_groupsbymem	*argp = (struct nss_groupsbymem *)a;
256 	char			searchfilter[SEARCHFILTERLEN];
257 	char			userdata[SEARCHFILTERLEN];
258 	char			name[SEARCHFILTERLEN];
259 	ns_ldap_result_t	*result;
260 	ns_ldap_entry_t		*curEntry;
261 	char			*username;
262 	gid_t			gid;
263 	int			ret;
264 
265 	if (strcmp(argp->username, "") == 0 ||
266 	    strcmp(argp->username, "root") == 0)
267 		return ((nss_status_t)NSS_NOTFOUND);
268 
269 	if (_ldap_filter_name(name, argp->username, sizeof (name)) != 0)
270 		return ((nss_status_t)NSS_NOTFOUND);
271 
272 	ret = snprintf(searchfilter, sizeof (searchfilter), _F_GETGRMEM, name);
273 	if (ret >= sizeof (searchfilter) || ret < 0)
274 		return ((nss_status_t)NSS_NOTFOUND);
275 
276 	ret = snprintf(userdata, sizeof (userdata), _F_GETGRMEM_SSD, name);
277 	if (ret >= sizeof (userdata) || ret < 0)
278 		return ((nss_status_t)NSS_NOTFOUND);
279 
280 	gcnt = (int)argp->numgids;
281 	lstat = (nss_status_t)_nss_ldap_nocb_lookup(be, NULL,
282 	    _GROUP, searchfilter, NULL, _merge_SSD_filter, userdata);
283 	if (lstat != (nss_status_t)NS_LDAP_SUCCESS)
284 		return ((nss_status_t)lstat);
285 	if (be->result == NULL)
286 		return (NSS_NOTFOUND);
287 	username = (char *)argp->username;
288 	result = (ns_ldap_result_t *)be->result;
289 	curEntry = (ns_ldap_entry_t *)result->entry;
290 	for (i = 0; i < result->entries_count; i++) {
291 		membervalue = __ns_ldap_getAttr(curEntry, "memberUid");
292 		if (membervalue) {
293 			for (j = 0; membervalue[j]; j++) {
294 				if (strcmp(membervalue[j], username) == NULL) {
295 					groupvalue = __ns_ldap_getAttr(curEntry,
296 					    "gidnumber");
297 					gid = (gid_t)strtol(groupvalue[0],
298 					    (char **)NULL, 10);
299 					if (argp->numgids < argp->maxgids) {
300 						for (k = 0; k < argp->numgids;
301 						    k++) {
302 							if (argp->gid_array[k]
303 							    == gid)
304 						    /* already exists */
305 						break;
306 					}
307 					if (k == argp->numgids)
308 						argp->gid_array[argp->numgids++]
309 						    = gid;
310 					}
311 					break;
312 				}
313 			}
314 		}
315 		curEntry = curEntry->next;
316 	}
317 
318 	(void) __ns_ldap_freeResult((ns_ldap_result_t **)&be->result);
319 	if (gcnt == argp->numgids)
320 		return ((nss_status_t)NSS_NOTFOUND);
321 
322 	/*
323 	 * Return NSS_SUCCESS only if array is full.
324 	 * Explained in <nss_dbdefs.h>.
325 	 */
326 	return ((nss_status_t)((argp->numgids == argp->maxgids)
327 	    ? NSS_SUCCESS
328 	    : NSS_NOTFOUND));
329 }
330 
331 static ldap_backend_op_t gr_ops[] = {
332 	_nss_ldap_destr,
333 	_nss_ldap_endent,
334 	_nss_ldap_setent,
335 	_nss_ldap_getent,
336 	getbynam,
337 	getbygid,
338 	getbymember
339 };
340 
341 
342 /*ARGSUSED0*/
343 nss_backend_t *
344 _nss_ldap_group_constr(const char *dummy1, const char *dummy2,
345 			const char *dummy3)
346 {
347 
348 	return ((nss_backend_t *)_nss_ldap_constr(gr_ops,
349 	    sizeof (gr_ops)/sizeof (gr_ops[0]), _GROUP, gr_attrs,
350 	    _nss_ldap_group2str));
351 }
352