17c478bd9Sstevel@tonic-gate /*
27c478bd9Sstevel@tonic-gate * CDDL HEADER START
37c478bd9Sstevel@tonic-gate *
47c478bd9Sstevel@tonic-gate * The contents of this file are subject to the terms of the
53bf5ae9eSrica * Common Development and Distribution License (the "License").
63bf5ae9eSrica * You may not use this file except in compliance with the License.
77c478bd9Sstevel@tonic-gate *
87c478bd9Sstevel@tonic-gate * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
97c478bd9Sstevel@tonic-gate * or http://www.opensolaris.org/os/licensing.
107c478bd9Sstevel@tonic-gate * See the License for the specific language governing permissions
117c478bd9Sstevel@tonic-gate * and limitations under the License.
127c478bd9Sstevel@tonic-gate *
137c478bd9Sstevel@tonic-gate * When distributing Covered Code, include this CDDL HEADER in each
147c478bd9Sstevel@tonic-gate * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
157c478bd9Sstevel@tonic-gate * If applicable, add the following below this CDDL HEADER, with the
167c478bd9Sstevel@tonic-gate * fields enclosed by brackets "[]" replaced with your own identifying
177c478bd9Sstevel@tonic-gate * information: Portions Copyright [yyyy] [name of copyright owner]
187c478bd9Sstevel@tonic-gate *
197c478bd9Sstevel@tonic-gate * CDDL HEADER END
207c478bd9Sstevel@tonic-gate */
217c478bd9Sstevel@tonic-gate /*
22a20ee416SGlenn Faden * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
23*a7fe1d5bSAndy Stormont * Copyright (c) 2013 RackTop Systems.
247c478bd9Sstevel@tonic-gate */
257c478bd9Sstevel@tonic-gate
267c478bd9Sstevel@tonic-gate #include <stdio.h>
277c478bd9Sstevel@tonic-gate #include <stdlib.h>
287c478bd9Sstevel@tonic-gate #include <strings.h>
297c478bd9Sstevel@tonic-gate #include <auth_attr.h>
307c478bd9Sstevel@tonic-gate #include <prof_attr.h>
317c478bd9Sstevel@tonic-gate #include <user_attr.h>
327c478bd9Sstevel@tonic-gate #include <project.h>
337c478bd9Sstevel@tonic-gate #include <secdb.h>
347c478bd9Sstevel@tonic-gate #include <pwd.h>
357c478bd9Sstevel@tonic-gate #include <unistd.h>
367c478bd9Sstevel@tonic-gate #include <priv.h>
377c478bd9Sstevel@tonic-gate #include <errno.h>
383bf5ae9eSrica #include <ctype.h>
3907925104Sgww #include <nss.h>
4007925104Sgww #include <bsm/libbsm.h>
413bf5ae9eSrica #include <tsol/label.h>
427c478bd9Sstevel@tonic-gate #include "funcs.h"
437c478bd9Sstevel@tonic-gate #include "messages.h"
4407925104Sgww #undef GROUP
457c478bd9Sstevel@tonic-gate #include "userdefs.h"
467c478bd9Sstevel@tonic-gate
/*
 * One entry per supported user_attr key.
 *
 * key      - the user_attr keyword (a USERATTR_*_KW constant).
 * check    - validator for the value; returns NULL when the value is
 *            acceptable, otherwise the offending token to report.  May be
 *            NULL, in which case change_key() skips validation.
 * errstr   - human-readable name of the value, used in the M_INVALID message.
 * newvalue - value supplied on the command line (or recorded by
 *            getsetdefval()); NULL until set.  change_key() refuses to set
 *            the same key twice.
 */
typedef struct ua_key {
	const char *key;
	const char *(*check)(const char *);
	const char *errstr;
	char *newvalue;
} ua_key_t;
537c478bd9Sstevel@tonic-gate
/* Descriptions used as ua_key_t.errstr in "invalid ... value" messages. */
static const char role[] = "role name";
static const char prof[] = "profile name";
static const char proj[] = "project name";
static const char priv[] = "privilege set";
static const char auth[] = "authorization";
static const char type[] = "user type";
static const char lock[] = "lock_after_retries value";
static const char label[] = "label";
static const char idlecmd[] = "idlecmd value";
static const char idletime[] = "idletime value";
static const char auditflags[] = "audit mask";
/*
 * Scratch buffer in which check_auditflags() formats the text it returns
 * to change_key(); it is overwritten on every failed check.
 */
static char auditerr[256];
667c478bd9Sstevel@tonic-gate
677c478bd9Sstevel@tonic-gate
/*
 * Validators referenced from keys[].  Each takes the proposed value and
 * returns NULL when it is acceptable, otherwise the offending token (or a
 * descriptive string) that change_key() reports before exiting.
 */
static const char *check_auth(const char *);
static const char *check_prof(const char *);
static const char *check_role(const char *);
static const char *check_proj(const char *);
static const char *check_privset(const char *);
static const char *check_type(const char *);
static const char *check_lock_after_retries(const char *);
static const char *check_label(const char *);
static const char *check_idlecmd(const char *);
static const char *check_idletime(const char *);
static const char *check_auditflags(const char *);
797c478bd9Sstevel@tonic-gate
/*
 * Number of keys that received a value through change_key().  Note that
 * getsetdefval() may record a default value for a key without touching
 * this count.
 */
int nkeys;

/*
 * Table of supported user_attr keys.  change_key() fills in newvalue,
 * addkey_args() turns every set entry into a "-K key=value" pair.
 */
static ua_key_t keys[] = {
	/* First entry is always set correctly in main() */
	{ USERATTR_TYPE_KW, check_type, type },
	{ USERATTR_AUTHS_KW, check_auth, auth },
	{ USERATTR_PROFILES_KW, check_prof, prof },
	{ USERATTR_ROLES_KW, check_role, role },
	{ USERATTR_DEFAULTPROJ_KW, check_proj, proj },
	{ USERATTR_LIMPRIV_KW, check_privset, priv },
	{ USERATTR_DFLTPRIV_KW, check_privset, priv },
	{ USERATTR_LOCK_AFTER_RETRIES_KW, check_lock_after_retries, lock },
	{ USERATTR_CLEARANCE, check_label, label },
	{ USERATTR_MINLABEL, check_label, label },
	{ USERATTR_IDLECMD_KW, check_idlecmd, idlecmd },
	{ USERATTR_IDLETIME_KW, check_idletime, idletime },
	{ USERATTR_AUDIT_FLAGS_KW, check_auditflags, auditflags },
};

/* Element count of keys[]; valid because keys is a real array, not a pointer */
#define NKEYS (sizeof (keys)/sizeof (ua_key_t))
1007c478bd9Sstevel@tonic-gate
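/*
 * Change a key, there are two different call sequences:
 *
 * key, value	- key with option letter, value.
 * NULL, value	- -K key=value option.
 *
 * The value is run through the key's check function (if any) before it is
 * recorded.  Every failure - unknown key, key given twice, malformed
 * "-K" argument, or a rejected value - is reported with errmsg() and the
 * program exits with EX_BADARG.  On success the value pointer itself (not
 * a copy) is stored in keys[] and nkeys is incremented; in the -K form the
 * '=' inside value is overwritten with a NUL to split the string in place.
 */
void
change_key(const char *key, char *value)
{
	size_t i;
	const char *res;

	if (key == NULL) {
		/* -K form: "key=value" arrives in value, split it in place */
		key = value;
		value = strchr(value, '=');
		/* Bad value */
		if (value == NULL) {
			errmsg(M_INVALID_VALUE);
			exit(EX_BADARG);
		}
		*value++ = '\0';
	}

	/* NKEYS is a size_t, so the index is kept unsigned (no sign-compare) */
	for (i = 0; i < NKEYS; i++) {
		if (strcmp(key, keys[i].key) != 0)
			continue;

		if (keys[i].newvalue != NULL) {
			/* Can't set a value twice */
			errmsg(M_REDEFINED_KEY, key);
			exit(EX_BADARG);
		}

		if (keys[i].check != NULL &&
		    (res = keys[i].check(value)) != NULL) {
			errmsg(M_INVALID, res, keys[i].errstr);
			exit(EX_BADARG);
		}
		keys[i].newvalue = value;
		nkeys++;
		return;
	}
	errmsg(M_INVALID_KEY, key);
	exit(EX_BADARG);
}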
1467c478bd9Sstevel@tonic-gate
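/*
 * Add the keys to the argument vector.
 *
 * For every key that has a value, the two entries "-K" and "key=value"
 * are appended to argv at *index, which is advanced past both.  The
 * caller must have left room for two entries per set key.  The
 * "key=value" strings are heap-allocated and are not freed here; they
 * belong to the argument vector (presumably consumed by an exec of the
 * underlying command - verify against the caller).  Allocation failure
 * is fatal, following the same M_NOSPACE/EX_FAILURE policy as the
 * check_* validators.
 */
void
addkey_args(char **argv, int *index)
{
	size_t i;

	for (i = 0; i < NKEYS; i++) {
		const char *key = keys[i].key;
		char *val = keys[i].newvalue;
		size_t len;
		char *arg;

		if (val == NULL)
			continue;

		/* "key" + '=' + "val" + terminating NUL */
		len = strlen(key) + strlen(val) + 2;
		arg = malloc(len);
		if (arg == NULL) {
			/* snprintf() into NULL would crash; fail explicitly */
			errmsg(M_NOSPACE);
			exit(EX_FAILURE);
		}

		(void) snprintf(arg, len, "%s=%s", key, val);
		argv[(*index)++] = "-K";
		argv[(*index)++] = arg;
	}
}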
1727c478bd9Sstevel@tonic-gate
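/*
 * Propose a default value for a key and get the actual value back.
 * If the proposed default value is NULL, return the actual value set.
 * The key argument is the user_attr key.
 *
 * When the key has no value yet, dflt is recorded as its value - so
 * addkey_args() will later emit it - and returned.  This does not
 * increment nkeys.  An unknown key yields NULL.
 */
char *
getsetdefval(const char *key, char *dflt)
{
	size_t i;

	/* NKEYS is a size_t, so the index is kept unsigned (no sign-compare) */
	for (i = 0; i < NKEYS; i++) {
		if (strcmp(keys[i].key, key) != 0)
			continue;
		if (keys[i].newvalue == NULL)
			keys[i].newvalue = dflt;
		return (keys[i].newvalue);
	}
	return (NULL);
}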
1927c478bd9Sstevel@tonic-gate
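/*
 * Derive the user_attr "type" keyword from the name of the running
 * command: a basename starting with CMD_PREFIX_USER means the command
 * manages normal users, anything else means it manages roles (the
 * keyword is_role() tests for).
 *
 * Returns a pointer to static storage that is overwritten on each call.
 */
char *
getusertype(char *cmdname)
{
	static char usertype[MAX_TYPE_LENGTH];
	const char *cmd;
	const char *kw;

	/* strip any leading directory components */
	cmd = strrchr(cmdname, '/');
	if (cmd != NULL)
		cmd++;
	else
		cmd = cmdname;

	/* get user type based on the program name */
	if (strncmp(cmd, CMD_PREFIX_USER, strlen(CMD_PREFIX_USER)) == 0)
		kw = USERATTR_TYPE_NORMAL_KW;
	else
		kw = USERATTR_TYPE_NONADMIN_KW;

	/*
	 * Bounded copy instead of strcpy(): the keywords are short today,
	 * but the buffer size should never depend on that staying true.
	 */
	(void) snprintf(usertype, sizeof (usertype), "%s", kw);

	return (usertype);
}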
2137c478bd9Sstevel@tonic-gate
/*
 * Return 1 when usertype is the keyword that marks a role entry
 * (the same keyword check_role() insists on), 0 otherwise.
 */
int
is_role(char *usertype)
{
	int matches = strcmp(usertype, USERATTR_TYPE_NONADMIN_KW) == 0;

	return (matches ? 1 : 0);
}
2227c478bd9Sstevel@tonic-gate
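/*
 * Verifies the provided list of authorizations are all valid and that
 * the invoking user may delegate each of them.
 *
 * For every AUTH_SEP-separated name the invoking user (looked up by real
 * uid) must hold the authorization itself; unless the name ends in the
 * wildcard it must exist in auth_attr; and the user must hold a ".grant"
 * authorization for the name or for one of its dotted prefixes.
 *
 * Returns NULL if all authorization names are valid.
 * Otherwise, returns the invalid authorization name.  That pointer refers
 * into a private copy of the list which is deliberately not freed on the
 * failure paths, because the caller reports the name and exits.
 *
 * Allocation failure is fatal (M_NOSPACE / EX_FAILURE).
 */
static const char *
check_auth(const char *auths)
{
	char *authname;
	authattr_t *result;
	char *tmp;
	struct passwd *pw;
	int have_grant = 0;

	tmp = strdup(auths);
	if (tmp == NULL) {
		errmsg(M_NOSPACE);
		exit(EX_FAILURE);
	}

	authname = strtok(tmp, AUTH_SEP);
	pw = getpwuid(getuid());
	if (pw == NULL) {
		/*
		 * Without a passwd entry nothing can be granted; reject the
		 * first name.  (NULL if the list was empty - the caller then
		 * prints a NULL name; pre-existing behaviour.)
		 */
		return (authname);
	}

	while (authname != NULL) {
		char *suffix;
		char *authtoks;

		/* Check if user has been granted this authorization */
		if (!chkauthattr(authname, pw->pw_name))
			return (authname);

		/* Remove named object after slash */
		if ((suffix = strchr(authname, KV_OBJECTCHAR)) != NULL)
			*suffix = '\0';

		/* Find the suffix */
		if ((suffix = strrchr(authname, '.')) == NULL)
			return (authname);

		/* Check for existence in auth_attr */
		suffix++;
		if (strcmp(suffix, KV_WILDCARD) != 0) { /* Not a wildcard */
			result = getauthnam(authname);
			if (result == NULL) {
				/* can't find the auth */
				return (authname);
			}
			free_authattr(result);
		}

		/* Check if user can delegate this authorization */
		if (strcmp(suffix, "grant") != 0) { /* Not a grant option */
			/*
			 * Room for the name plus ".grant" and a NUL: the
			 * last '.' sits at index < strlen(authname), so
			 * writing 7 bytes there always fits.
			 */
			size_t tokslen = strlen(authname) + sizeof ("grant");

			authtoks = malloc(tokslen);
			if (authtoks == NULL) {
				errmsg(M_NOSPACE);
				exit(EX_FAILURE);
			}
			(void) snprintf(authtoks, tokslen, "%s", authname);
			have_grant = 0;
			/*
			 * Walk the dotted name from the right, replacing the
			 * last component with "grant", until a grant
			 * authorization the user holds is found or the name
			 * runs out of components.
			 */
			while ((suffix = strrchr(authtoks, '.')) != NULL &&
			    !have_grant) {
				(void) strcpy(suffix, ".grant");
				if (chkauthattr(authtoks, pw->pw_name))
					have_grant = 1;
				else
					*suffix = '\0';
			}
			/* previously leaked once per list element */
			free(authtoks);
			if (!have_grant)
				return (authname);
		}
		authname = strtok(NULL, AUTH_SEP);
	}
	free(tmp);
	return (NULL);
}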
3007c478bd9Sstevel@tonic-gate
/*
 * Verifies the provided list of profile names are valid.
 *
 * Returns NULL if all profile names are valid.
 * Otherwise, returns the invalid profile name.  The returned pointer
 * refers into a private copy of the list, which is therefore not freed
 * on that path (the caller reports the name and exits).
 *
 * Allocation failure is fatal (M_NOSPACE / EX_FAILURE).
 */
static const char *
check_prof(const char *profs)
{
	char *list = strdup(profs);
	char *name;

	if (list == NULL) {
		errmsg(M_NOSPACE);
		exit(EX_FAILURE);
	}

	for (name = strtok(list, PROF_SEP); name != NULL;
	    name = strtok(NULL, PROF_SEP)) {
		profattr_t *entry = getprofnam(name);

		if (entry == NULL) {
			/* unknown profile: hand the offending name back */
			return (name);
		}
		free_profattr(entry);
	}
	free(list);
	return (NULL);
}
3347c478bd9Sstevel@tonic-gate
3357c478bd9Sstevel@tonic-gate
/*
 * Verifies the provided list of role names are valid.
 *
 * A name is valid when user_attr has an entry for it whose type keyword
 * is USERATTR_TYPE_NONADMIN_KW; a plain user account is rejected.
 *
 * Returns NULL if all role names are valid.
 * Otherwise, returns the invalid role name.  The returned pointer refers
 * into a private copy of the list, which is therefore not freed on that
 * path (the caller reports the name and exits).
 *
 * Allocation failure is fatal (M_NOSPACE / EX_FAILURE).
 */
static const char *
check_role(const char *roles)
{
	char *list = strdup(roles);
	char *name;

	if (list == NULL) {
		errmsg(M_NOSPACE);
		exit(EX_FAILURE);
	}

	for (name = strtok(list, ROLE_SEP); name != NULL;
	    name = strtok(NULL, ROLE_SEP)) {
		userattr_t *entry = getusernam(name);
		const char *utype;
		int is_a_role;

		if (entry == NULL) {
			/* no user_attr entry at all */
			return (name);
		}
		/* The entry must carry the role type; missing type is not a role */
		utype = kva_match(entry->attr, USERATTR_TYPE_KW);
		is_a_role = utype != NULL &&
		    strcmp(utype, USERATTR_TYPE_NONADMIN_KW) == 0;
		free_userattr(entry);
		if (!is_a_role)
			return (name);
	}
	free(list);
	return (NULL);
}
3817c478bd9Sstevel@tonic-gate
/*
 * Verifies that proj names a project that can be resolved to an id.
 * Returns NULL when it can, otherwise proj itself.
 */
static const char *
check_proj(const char *proj)
{
	/* a negative id is the lookup failure indication */
	int unresolved = getprojidbyname(proj) < 0;

	return (unresolved ? proj : NULL);
}
3917c478bd9Sstevel@tonic-gate
/*
 * Verifies that pset is a parseable comma-separated privilege set.
 *
 * Returns NULL on success.  On failure returns the token priv_str_to_set()
 * complained about, or - when it reported none - the strerror() text for
 * the errno it left behind.
 */
static const char *
check_privset(const char *pset)
{
	const char *bad = NULL;
	priv_set_t *parsed = priv_str_to_set(pset, ",", &bad);

	if (parsed != NULL) {
		priv_freeset(parsed);
		return (NULL);
	}

	/* errno is read before any other call can overwrite it */
	if (bad == NULL)
		bad = strerror(errno);
	return (bad);
}
4087c478bd9Sstevel@tonic-gate
/*
 * Verifies that type is one of the two accepted user_attr type keywords.
 * Returns NULL when it is, otherwise type itself.
 */
static const char *
check_type(const char *type)
{
	if (strcmp(type, USERATTR_TYPE_NONADMIN_KW) == 0)
		return (NULL);
	if (strcmp(type, USERATTR_TYPE_NORMAL_KW) == 0)
		return (NULL);
	return (type);
}
4187c478bd9Sstevel@tonic-gate
/*
 * Verifies a lock_after_retries value.  Accepted (returns NULL): NULL,
 * the empty string, and "yes"/"no" in any letter case.  Anything else
 * is returned unchanged as the offending value.
 */
static const char *
check_lock_after_retries(const char *keyval)
{
	if (keyval == NULL || *keyval == '\0')
		return (NULL);
	if (strcasecmp(keyval, "no") == 0 || strcasecmp(keyval, "yes") == 0)
		return (NULL);
	return (keyval);
}
4313bf5ae9eSrica
/*
 * Verifies that labelstr parses as a MAC label.
 *
 * On a system that is not labeled every value is accepted (returns NULL).
 * Otherwise returns NULL when str_to_label() succeeds and labelstr when
 * it reports -1.  The parsed label is only needed for validation and is
 * freed immediately.
 */
static const char *
check_label(const char *labelstr)
{
	m_label_t *parsed = NULL;
	int rc;

	if (!is_system_labeled())
		return (NULL);

	rc = str_to_label(labelstr, &parsed, MAC_LABEL, L_NO_CORRECTION, NULL);
	m_label_free(parsed);

	return (rc == -1 ? labelstr : NULL);
}
4493bf5ae9eSrica
/*
 * Verifies an idlecmd value: only the two predefined idle actions are
 * accepted.  Returns NULL when cmd is one of them, otherwise cmd itself.
 */
static const char *
check_idlecmd(const char *cmd)
{
	if (strcmp(cmd, USERATTR_IDLECMD_LOCK_KW) == 0)
		return (NULL);
	if (strcmp(cmd, USERATTR_IDLECMD_LOGOUT_KW) == 0)
		return (NULL);
	return (cmd);
}
4603bf5ae9eSrica
/*
 * Verifies an idletime value: every character must be a decimal digit.
 * Returns NULL when it is (the empty string passes), otherwise time
 * itself.  Characters are classified as unsigned char as <ctype.h>
 * requires.
 */
static const char *
check_idletime(const char *time)
{
	const unsigned char *p;

	for (p = (const unsigned char *)time; *p != '\0'; p++) {
		if (!isdigit(*p))
			return (time);
	}

	return (NULL);
}
47607925104Sgww
/*
 * Verifies an audit_flags value of the form "always:never".
 *
 * An empty value is accepted unchanged (it deletes the key).  Otherwise
 * the value is split on KV_AUDIT_DELIMIT and each half is checked with
 * __chkflags(); a rejected half, or any trailing text after the two
 * halves, produces a message in the static auditerr buffer which is
 * returned.  Returns NULL when the value is acceptable.
 *
 * Allocation failure is fatal (M_NOSPACE / EX_FAILURE).
 */
static const char *
check_auditflags(const char *auditflags)
{
	au_mask_t mask;
	char *flags;
	char *last = NULL;
	char *err = "NULL";
	const char *ret = NULL;

	/* if deleting audit_flags */
	if (*auditflags == '\0')
		return (NULL);

	flags = _strdup_null((char *)auditflags);
	if (flags == NULL) {
		errmsg(M_NOSPACE);
		exit(EX_FAILURE);
	}

	if (!__chkflags(_strtok_escape(flags, KV_AUDIT_DELIMIT, &last), &mask,
	    B_FALSE, &err)) {
		(void) snprintf(auditerr, sizeof (auditerr),
		    "always mask \"%s\"", err);
		ret = auditerr;
	} else if (!__chkflags(_strtok_escape(NULL, KV_AUDIT_DELIMIT, &last),
	    &mask, B_FALSE, &err)) {
		(void) snprintf(auditerr, sizeof (auditerr),
		    "never mask \"%s\"", err);
		ret = auditerr;
	} else if (last != NULL) {
		/* more than two fields */
		(void) snprintf(auditerr, sizeof (auditerr), "\"%s\"",
		    auditflags);
		ret = auditerr;
	}

	/* single exit: the private copy is released on every path */
	free(flags);
	return (ret);
}
519