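/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License, Version 1.0 only
 * (the "License"). You may not use this file except in compliance
 * with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2005 Sun Microsystems, Inc. All rights reserved.
 * Use is subject to license terms.
 */

#pragma ident "%Z%%M% %I% %E% SMI"

#include <syslog.h>
#include <pwd.h>
#include <unistd.h>
#include <strings.h>
#include <security/pam_appl.h>
#include <security/pam_modules.h>
#include <libintl.h>
#include <pwd.h>
#include <user_attr.h>
#include <secdb.h>
#include <nss_dbdefs.h>
#include <security/pam_impl.h>

static int roleinlist(char *list, const char *role);

/*
 * pam_sm_acct_mgmt():
 *	Account management module
 *	This module disallows roles for primary logins and adds special
 *	checks to allow roles for secondary logins.
 *
 * Module options (argv):
 *	allow_remote	permit a role to be assumed when PAM_RHOST is set
 *	debug		log the service, user, ruser and rhost items
 * Any other option is logged as illegal and otherwise ignored, so a
 * misspelled "allow_remote" leaves remote role assumption denied.
 *
 * The requesting user is taken from PAM_RUSER when it is set and from the
 * real uid of the process otherwise.  PAM_RUSER and PAM_RHOST are read
 * through pam_get_item() and used as given; this module does not validate
 * them itself.
 *
 * Returns:
 *	PAM_USER_UNKNOWN  PAM_USER is not set, or a passwd lookup failed.
 *	PAM_IGNORE	  the target account is not a role, or the requesting
 *			  user is assigned the role, or (PAM_RUSER set,
 *			  PAM_RHOST unset) ruser equals the target name.
 *	PAM_PERM_DENIED	  PAM_RHOST is set without allow_remote, or the
 *			  requesting user has no user_attr entry, no roles
 *			  list, or is not assigned the role.
 */

/*ARGSUSED*/
int
pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
	uid_t uid;
	userattr_t *user_entry;
	char *kva_value;
	/*
	 * The pam_get_item() return values below are discarded, so these
	 * start at NULL: a failed call must not leave them indeterminate
	 * before the NULL tests that follow.
	 */
	char *username = NULL;
	char *ruser = NULL;
	char *rhost = NULL;
	char messages[PAM_MAX_NUM_MSG][PAM_MAX_MSG_SIZE];
	struct passwd *pw_entry, pwd;
	char buf[NSS_BUFLEN_PASSWD];

	int i;
	int debug = 0;
	int allow_remote = 0;

	(void) pam_get_item(pamh, PAM_USER, (void **)&username);

	(void) pam_get_item(pamh, PAM_RUSER, (void **)&ruser);

	(void) pam_get_item(pamh, PAM_RHOST, (void **)&rhost);

	for (i = 0; i < argc; i++) {
		if (strcmp(argv[i], "allow_remote") == 0) {
			allow_remote = 1;
		} else if (strcmp(argv[i], "debug") == 0) {
			debug = 1;
		} else {
			/* unknown options are reported but do not fail */
			__pam_log(LOG_AUTH | LOG_ERR,
			    "pam_roles:pam_sm_acct_mgmt: illegal module "
			    "option %s", argv[i]);
		}
	}

	if (debug) {
		char *service = NULL;

		(void) pam_get_item(pamh, PAM_SERVICE, (void **)&service);
		__pam_log(LOG_AUTH | LOG_DEBUG, "pam_roles:pam_sm_acct_mgmt: "
		    "service = %s user = %s ruser = %s rhost = %s\n",
		    (service) ? service : "not set",
		    (username) ? username : "not set",
		    (ruser) ? ruser: "not set",
		    (rhost) ? rhost: "not set");
	}

	if (username == NULL)
		return (PAM_USER_UNKNOWN);

	/* stop masquerades by mapping username to uid to username */

	if ((pw_entry = getpwnam_r(username, &pwd, buf, sizeof (buf))) == NULL)
		return (PAM_USER_UNKNOWN);
	if ((pw_entry = getpwuid_r(pw_entry->pw_uid, &pwd, buf,
	    sizeof (buf))) == NULL)
		return (PAM_USER_UNKNOWN);

	/*
	 * If there's no user_attr entry for the primary user or it's not a
	 * role, no further checks are needed.
	 */

	if (((user_entry = getusernam(pw_entry->pw_name)) == NULL) ||
	    ((kva_value = kva_match((kva_t *)user_entry->attr,
	    USERATTR_TYPE_KW)) == NULL) ||
	    ((strcmp(kva_value, USERATTR_TYPE_NONADMIN_KW) != 0) &&
	    (strcmp(kva_value, USERATTR_TYPE_ADMIN_KW) != 0))) {
		free_userattr(user_entry);
		return (PAM_IGNORE);
	}
	free_userattr(user_entry);

	/* username is a role */

	/*
	 * The supplied name and the name its uid maps back to differ.
	 * This is only reported (LOG_ALERT); processing continues, and the
	 * role membership check below still compares against the supplied
	 * username.  NOTE(review): confirm that log-only is intended.
	 */
	if (strcmp(username, pw_entry->pw_name) != 0) {
		__pam_log(LOG_AUTH | LOG_ALERT,
		    "pam_roles:pam_sm_acct_mgmt: user name %s "
		    "maps to user id %d which is user name %s",
		    username, pw_entry->pw_uid, pw_entry->pw_name);

	}

	/* Who's the user requesting the role? */

	if (ruser == NULL || *ruser == '\0') {
		/* user is implied by real UID */

		if ((uid = getuid()) == 0) {
			/*
			 * Root user_attr entry cannot have roles.
			 * Force error and deny access.
			 */
			user_entry = NULL;
		} else {
			/* pw_entry, pwd and buf are reused for the requester */
			if ((pw_entry = getpwuid_r(uid, &pwd, buf,
			    sizeof (buf))) == NULL) {
				return (PAM_USER_UNKNOWN);
			}
			user_entry = getusernam(pw_entry->pw_name);
		}
	} else if (rhost == NULL || *rhost == '\0') {
		/*
		 * PAM_RUSER is set but PAM_RHOST is not; this is
		 * used by SMC and is a temporary solution until a proper
		 * interface is designed that specifies a "come-from"
		 * username.
		 */
		if (strcmp(username, ruser) == 0) {
			return (PAM_IGNORE);
		}
		user_entry = getusernam(ruser);
	} else {
		user_entry = getusernam(ruser);
	}

	/*
	 * NOTE(review): this test is rhost != NULL only, while the branch
	 * above also treats an empty PAM_RHOST as "not set".  An empty,
	 * non-NULL rhost is therefore denied here unless allow_remote is
	 * given.  That fails closed; confirm it is the intended policy.
	 */
	if (rhost != NULL && allow_remote == 0) {
		/* don't allow remote roles for this service */

		free_userattr(user_entry);
		return (PAM_PERM_DENIED);
	}

	/*
	 * If the original user does not have a user_attr entry or isn't
	 * assigned the role being assumed, fail.
	 */

	if ((user_entry == NULL) ||
	    ((kva_value = kva_match((kva_t *)user_entry->attr,
	    USERATTR_ROLES_KW)) == NULL) ||
	    (roleinlist(kva_value, username) == 0)) {
		free_userattr(user_entry);
		(void) strlcpy(messages[0], dgettext(TEXT_DOMAIN,
		    "Roles can only be assumed by authorized users"),
		    sizeof (messages[0]));
		(void) __pam_display_msg(pamh, PAM_ERROR_MSG, 1, messages,
		    NULL);
		return (PAM_PERM_DENIED);
	}

	free_userattr(user_entry);
	return (PAM_IGNORE);
}

/*
 * roleinlist():
 *	Report whether role appears in the comma-separated list.
 *
 *	list is split in place by strtok_r(), so the caller's buffer is
 *	modified.  Each entry is compared with strcmp(): the match is exact
 *	and case-sensitive, and surrounding whitespace is not trimmed.
 *
 *	Returns 1 when role is found, 0 otherwise.  A NULL list or role
 *	is treated as "not found" so that the caller denies access.
 */
static int
roleinlist(char *list, const char *role)
{
	char *lasts = (char *)NULL;
	char *rolename;

	if (list == NULL || role == NULL)
		return (0);

	for (rolename = (char *)strtok_r(list, ",", &lasts);
	    rolename != NULL;
	    rolename = (char *)strtok_r(NULL, ",", &lasts)) {
		if (strcmp(rolename, role) == 0)
			return (1);
	}
	return (0);
}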