1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #pragma ident	"%Z%%M%	%I%	%E% SMI"
27 
28 #include <syslog.h>
29 #include <pwd.h>
30 #include <unistd.h>
31 #include <strings.h>
32 #include <security/pam_appl.h>
33 #include <security/pam_modules.h>
34 #include <libintl.h>
35 #include <pwd.h>
36 #include <user_attr.h>
37 #include <secdb.h>
38 #include <nss_dbdefs.h>
39 #include <security/pam_impl.h>
40 
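/*
 * Forward declaration of the role-list membership helper.  Declared with a
 * full prototype rather than an empty parameter list, so the compiler
 * checks the argument count and types at the call site.
 */
static int roleinlist(char *list, char *role);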
42 
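/*
 * pam_sm_acct_mgmt():
 *	Account management module.
 *	This module disallows roles for primary logins and adds special
 *	checks to allow roles for secondary logins.
 *
 *	Module options (argv):
 *	  allow_remote	permit a role to be assumed when PAM_RHOST is set
 *	  debug		log the PAM items this module consults
 *	Any other option is logged as illegal and otherwise ignored.
 *
 *	Returns:
 *	  PAM_USER_UNKNOWN	PAM_USER is unset or a passwd lookup failed
 *	  PAM_IGNORE		PAM_USER is not a role, PAM_RUSER equals
 *				PAM_USER in the SMC case, or the requesting
 *				user is assigned the role
 *	  PAM_PERM_DENIED	PAM_RHOST is set without allow_remote, or the
 *				requesting user is not assigned the role
 */

/*ARGSUSED*/
int
pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
	uid_t uid;
	userattr_t *user_entry;
	char	*kva_value;
	/*
	 * Initialised to NULL because the pam_get_item() results below are
	 * not checked; a failed call would otherwise leave these pointers
	 * indeterminate before they are tested and dereferenced.
	 */
	char	*username = NULL;
	char	*auser = NULL;
	char	*ruser = NULL;
	char	*rhost = NULL;
	char messages[PAM_MAX_NUM_MSG][PAM_MAX_MSG_SIZE];
	struct passwd *pw_entry, pwd;
	char buf[NSS_BUFLEN_PASSWD];

	int i;
	int debug = 0;
	int allow_remote = 0;

	(void) pam_get_item(pamh, PAM_USER, (void **)&username);

	(void) pam_get_item(pamh, PAM_AUSER, (void **)&auser);

	(void) pam_get_item(pamh, PAM_RUSER, (void **)&ruser);

	(void) pam_get_item(pamh, PAM_RHOST, (void **)&rhost);

	/* Unknown options are reported but do not fail the module. */
	for (i = 0; i < argc; i++) {
		if (strcmp(argv[i], "allow_remote") == 0) {
			allow_remote = 1;
		} else if (strcmp(argv[i], "debug") == 0) {
			debug = 1;
		} else {
			__pam_log(LOG_AUTH | LOG_ERR,
			    "pam_roles:pam_sm_acct_mgmt: illegal module "
			    "option %s", argv[i]);
		}
	}

	if (debug) {
		char	*service = NULL;

		(void) pam_get_item(pamh, PAM_SERVICE, (void **)&service);
		__pam_log(LOG_AUTH | LOG_DEBUG, "pam_roles:pam_sm_acct_mgmt: "
		    "service = %s, allow_remote = %d, user = %s auser = %s "
		    "ruser = %s rhost = %s\n",
		    (service) ? service : "not set",
		    allow_remote,
		    (username) ? username : "not set",
		    (auser) ? auser: "not set",
		    (ruser) ? ruser: "not set",
		    (rhost) ? rhost: "not set");
	}

	if (username == NULL)
		return (PAM_USER_UNKNOWN);

	/*
	 * stop masquerades by mapping username to uid to username
	 *
	 * Both lookups share pwd/buf; pw_uid is read as an argument before
	 * the second call overwrites them, after which pw_entry->pw_name is
	 * the name the passwd database returns for that uid.
	 */

	if ((pw_entry = getpwnam_r(username, &pwd, buf, sizeof (buf))) == NULL)
		return (PAM_USER_UNKNOWN);
	if ((pw_entry = getpwuid_r(pw_entry->pw_uid, &pwd, buf,
	    sizeof (buf))) == NULL)
		return (PAM_USER_UNKNOWN);
	/*
	 * If there's no user_attr entry for the primary user or it's not a
	 * role, no further checks are needed.
	 *
	 * user_entry may be NULL when free_userattr() is reached here and
	 * further down; presumably free_userattr() accepts NULL -- confirm.
	 */

	if (((user_entry = getusernam(pw_entry->pw_name)) == NULL) ||
	    ((kva_value = kva_match((kva_t *)user_entry->attr,
	    USERATTR_TYPE_KW)) == NULL) ||
	    ((strcmp(kva_value, USERATTR_TYPE_NONADMIN_KW) != 0) &&
	    (strcmp(kva_value, USERATTR_TYPE_ADMIN_KW) != 0))) {
		free_userattr(user_entry);
		return (PAM_IGNORE);
	}
	free_userattr(user_entry);

	/*
	 * username is a role
	 *
	 * NOTE(review): a name/uid mismatch is logged at LOG_ALERT but does
	 * not end the check.  The role-type test above used the name mapped
	 * back from the uid, while the roles-list test below uses the
	 * supplied username; confirm that this is the intended policy.
	 */

	if (strcmp(username, pw_entry->pw_name) != 0) {
		__pam_log(LOG_AUTH | LOG_ALERT,
		    "pam_roles:pam_sm_acct_mgmt: user name %s "
		    "maps to user id %d which is user name %s",
		    username, pw_entry->pw_uid, pw_entry->pw_name);
	}

	/* Who's the user requesting the role? */

	if (auser != NULL && *auser != '\0') {
		/* authenticated requesting user */

		user_entry = getusernam(auser);
	} else if ((ruser != NULL && *ruser != '\0') &&
	    (rhost == NULL || *rhost == '\0')) {
		/*
		 * PAM_RUSER is set but PAM_RHOST is not; this is
		 * used by SMC and is a temporary solution until SMC
		 * is converted to use the proper PAM_AUSER to specify
		 * the "come-from" username.
		 *
		 * NOTE(review): the requester here is whatever the calling
		 * service stored in PAM_RUSER; confirm that each service
		 * stacked with this module sets it from a trusted source.
		 */
		if (strcmp(username, ruser) == 0) {
			return (PAM_IGNORE);
		}
		user_entry = getusernam(ruser);
	} else {
		/* user is implied by real UID */

		if ((uid = getuid()) == 0) {
			/*
			 * Root user_attr entry cannot have roles.
			 * Force error and deny access.
			 */
			user_entry = NULL;
		} else {
			/*
			 * This reuses pwd/buf, so pw_entry now describes the
			 * calling user rather than the role.
			 */
			if ((pw_entry = getpwuid_r(uid, &pwd, buf,
			    sizeof (buf))) == NULL) {
				return (PAM_USER_UNKNOWN);
			}
			user_entry = getusernam(pw_entry->pw_name);
		}
	}

	if ((rhost != NULL && *rhost != '\0') &&
	    allow_remote == 0) {
		/* don't allow remote roles for this service */

		free_userattr(user_entry);
		return (PAM_PERM_DENIED);
	}

	/*
	 * If the original user does not have a user_attr entry or isn't
	 * assigned the role being assumed, fail.
	 */

	if ((user_entry == NULL) ||
	    ((kva_value = kva_match((kva_t *)user_entry->attr,
	    USERATTR_ROLES_KW)) == NULL) ||
	    (roleinlist(kva_value, username) == 0)) {
		free_userattr(user_entry);
		(void) strlcpy(messages[0], dgettext(TEXT_DOMAIN,
		    "Roles can only be assumed by authorized users"),
		    sizeof (messages[0]));
		(void) __pam_display_msg(pamh, PAM_ERROR_MSG, 1, messages,
		    NULL);
		return (PAM_PERM_DENIED);
	}

	free_userattr(user_entry);
	return (PAM_IGNORE);
}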
204 
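/*
 * roleinlist():
 *	Report whether `role' appears as one entry of the comma-separated
 *	string `list'.
 *
 *	The comparison is exact and case-sensitive: no whitespace is trimmed
 *	and a prefix of an entry does not match.  Empty entries (leading,
 *	trailing or doubled commas) are skipped, so an empty `role' never
 *	matches.  `list' is scanned in place and left unmodified, so the
 *	caller's attribute string is still intact after the check.
 *
 *	Returns 1 if the role is listed, 0 otherwise (including when either
 *	argument is NULL).
 */
int
roleinlist(char *list, char *role)
{
	const char *cursor;
	size_t rolelen;

	/* A missing list or role can never authorize anything. */
	if (list == NULL || role == NULL)
		return (0);

	rolelen = strlen(role);
	cursor = list;

	while (*cursor != '\0') {
		/* Length of the entry that starts at cursor. */
		size_t entrylen = strcspn(cursor, ",");

		/*
		 * Require equal lengths before comparing so that "oper"
		 * does not match the entry "operator".
		 */
		if (entrylen != 0 && entrylen == rolelen &&
		    strncmp(cursor, role, entrylen) == 0)
			return (1);

		cursor += entrylen;
		if (*cursor == ',')
			cursor++;
	}
	return (0);
}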