17c478bd9Sstevel@tonic-gate /* 27c478bd9Sstevel@tonic-gate * CDDL HEADER START 37c478bd9Sstevel@tonic-gate * 47c478bd9Sstevel@tonic-gate * The contents of this file are subject to the terms of the 5d3186a0eSjeanm * Common Development and Distribution License (the "License"). 6d3186a0eSjeanm * You may not use this file except in compliance with the License. 77c478bd9Sstevel@tonic-gate * 87c478bd9Sstevel@tonic-gate * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 97c478bd9Sstevel@tonic-gate * or http://www.opensolaris.org/os/licensing. 107c478bd9Sstevel@tonic-gate * See the License for the specific language governing permissions 117c478bd9Sstevel@tonic-gate * and limitations under the License. 127c478bd9Sstevel@tonic-gate * 137c478bd9Sstevel@tonic-gate * When distributing Covered Code, include this CDDL HEADER in each 147c478bd9Sstevel@tonic-gate * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 157c478bd9Sstevel@tonic-gate * If applicable, add the following below this CDDL HEADER, with the 167c478bd9Sstevel@tonic-gate * fields enclosed by brackets "[]" replaced with your own identifying 177c478bd9Sstevel@tonic-gate * information: Portions Copyright [yyyy] [name of copyright owner] 187c478bd9Sstevel@tonic-gate * 197c478bd9Sstevel@tonic-gate * CDDL HEADER END 207c478bd9Sstevel@tonic-gate */ 217c478bd9Sstevel@tonic-gate /* 22*499fd601Sgww * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 237c478bd9Sstevel@tonic-gate * Use is subject to license terms. 247c478bd9Sstevel@tonic-gate */ 257c478bd9Sstevel@tonic-gate 267c478bd9Sstevel@tonic-gate #pragma ident "%Z%%M% %I% %E% SMI" 277c478bd9Sstevel@tonic-gate 287c478bd9Sstevel@tonic-gate #include <stdio.h> 297c478bd9Sstevel@tonic-gate #include <stdlib.h> 307c478bd9Sstevel@tonic-gate #include <string.h> 317c478bd9Sstevel@tonic-gate #include <sys/types.h> 327c478bd9Sstevel@tonic-gate #include <sys/stat.h> 337c478bd9Sstevel@tonic-gate #include <fcntl.h> 347c478bd9Sstevel@tonic-gate #include <sys/mman.h> 357c478bd9Sstevel@tonic-gate #include <limits.h> 36*499fd601Sgww #include <pwd.h> 37*499fd601Sgww #include <nss_dbdefs.h> 387c478bd9Sstevel@tonic-gate #include <deflt.h> 397c478bd9Sstevel@tonic-gate #include <auth_attr.h> 407c478bd9Sstevel@tonic-gate #include <prof_attr.h> 417c478bd9Sstevel@tonic-gate #include <user_attr.h> 427c478bd9Sstevel@tonic-gate 437c478bd9Sstevel@tonic-gate 447c478bd9Sstevel@tonic-gate static int _is_authorized(const char *, char *); 45*499fd601Sgww static int _chk_policy_auth(const char *, const char *, char **, int *); 467c478bd9Sstevel@tonic-gate static int _chkprof_for_auth(const char *, const char *, char **, int *); 477c478bd9Sstevel@tonic-gate int 487c478bd9Sstevel@tonic-gate chkauthattr(const char *authname, const char *username) 497c478bd9Sstevel@tonic-gate { 507c478bd9Sstevel@tonic-gate int auth_granted = 0; 517c478bd9Sstevel@tonic-gate char *auths; 527c478bd9Sstevel@tonic-gate char *profiles; 53ace0ce48Sjjj userattr_t *user = NULL; 547c478bd9Sstevel@tonic-gate char *chkedprof[MAXPROFS]; 557c478bd9Sstevel@tonic-gate int chkedprof_cnt = 0; 567c478bd9Sstevel@tonic-gate int i; 577c478bd9Sstevel@tonic-gate 587c478bd9Sstevel@tonic-gate if (authname == NULL || username == NULL) 597c478bd9Sstevel@tonic-gate return (0); 607c478bd9Sstevel@tonic-gate 61ace0ce48Sjjj /* Check against AUTHS_GRANTED and PROFS_GRANTED in policy.conf */ 62*499fd601Sgww auth_granted = _chk_policy_auth(authname, username, chkedprof, 63*499fd601Sgww &chkedprof_cnt); 64ace0ce48Sjjj if (auth_granted) 65ace0ce48Sjjj goto exit; 66ace0ce48Sjjj 677c478bd9Sstevel@tonic-gate if ((user = getusernam(username)) == NULL) 68ace0ce48Sjjj goto exit; 697c478bd9Sstevel@tonic-gate 70ace0ce48Sjjj /* Check against authorizations listed in user_attr */ 717c478bd9Sstevel@tonic-gate if ((auths = kva_match(user->attr, USERATTR_AUTHS_KW)) != NULL) { 72ace0ce48Sjjj auth_granted = _is_authorized(authname, auths); 73ace0ce48Sjjj if (auth_granted) 74ace0ce48Sjjj goto exit; 757c478bd9Sstevel@tonic-gate } 767c478bd9Sstevel@tonic-gate 77ace0ce48Sjjj /* Check against authorizations specified by profiles */ 78ace0ce48Sjjj if ((profiles = kva_match(user->attr, USERATTR_PROFILES_KW)) != NULL) 797c478bd9Sstevel@tonic-gate auth_granted = _chkprof_for_auth(profiles, authname, 807c478bd9Sstevel@tonic-gate chkedprof, &chkedprof_cnt); 817c478bd9Sstevel@tonic-gate 82ace0ce48Sjjj exit: 837c478bd9Sstevel@tonic-gate /* free memory allocated for checked array */ 847c478bd9Sstevel@tonic-gate for (i = 0; i < chkedprof_cnt; i++) { 857c478bd9Sstevel@tonic-gate free(chkedprof[i]); 867c478bd9Sstevel@tonic-gate } 877c478bd9Sstevel@tonic-gate 88ace0ce48Sjjj if (user != NULL) 897c478bd9Sstevel@tonic-gate free_userattr(user); 907c478bd9Sstevel@tonic-gate 917c478bd9Sstevel@tonic-gate return (auth_granted); 927c478bd9Sstevel@tonic-gate } 937c478bd9Sstevel@tonic-gate 947c478bd9Sstevel@tonic-gate static int 957c478bd9Sstevel@tonic-gate _chkprof_for_auth(const char *profs, const char *authname, 967c478bd9Sstevel@tonic-gate char **chkedprof, int *chkedprof_cnt) 977c478bd9Sstevel@tonic-gate { 987c478bd9Sstevel@tonic-gate 997c478bd9Sstevel@tonic-gate char *prof, *lasts, *auths, *profiles; 1007c478bd9Sstevel@tonic-gate profattr_t *pa; 1017c478bd9Sstevel@tonic-gate int i; 1027c478bd9Sstevel@tonic-gate int checked = 0; 1037c478bd9Sstevel@tonic-gate 1047c478bd9Sstevel@tonic-gate for (prof = strtok_r((char *)profs, ",", &lasts); prof != NULL; 1057c478bd9Sstevel@tonic-gate prof = strtok_r(NULL, ",", &lasts)) { 1067c478bd9Sstevel@tonic-gate 1077c478bd9Sstevel@tonic-gate checked = 0; 1087c478bd9Sstevel@tonic-gate /* check if this profile has been checked */ 1097c478bd9Sstevel@tonic-gate for (i = 0; i < *chkedprof_cnt; i++) { 1107c478bd9Sstevel@tonic-gate if (strcmp(chkedprof[i], prof) == 0) { 1117c478bd9Sstevel@tonic-gate checked = 1; 1127c478bd9Sstevel@tonic-gate break; 1137c478bd9Sstevel@tonic-gate } 1147c478bd9Sstevel@tonic-gate } 1157c478bd9Sstevel@tonic-gate 1167c478bd9Sstevel@tonic-gate if (!checked) { 1177c478bd9Sstevel@tonic-gate 1187c478bd9Sstevel@tonic-gate chkedprof[*chkedprof_cnt] = strdup(prof); 1197c478bd9Sstevel@tonic-gate *chkedprof_cnt = *chkedprof_cnt + 1; 1207c478bd9Sstevel@tonic-gate 1217c478bd9Sstevel@tonic-gate if ((pa = getprofnam(prof)) == NULL) 1227c478bd9Sstevel@tonic-gate continue; 1237c478bd9Sstevel@tonic-gate 1247c478bd9Sstevel@tonic-gate if ((auths = kva_match(pa->attr, 1257c478bd9Sstevel@tonic-gate PROFATTR_AUTHS_KW)) != NULL) { 1267c478bd9Sstevel@tonic-gate if (_is_authorized(authname, auths)) { 1277c478bd9Sstevel@tonic-gate free_profattr(pa); 1287c478bd9Sstevel@tonic-gate return (1); 1297c478bd9Sstevel@tonic-gate } 1307c478bd9Sstevel@tonic-gate } 1317c478bd9Sstevel@tonic-gate if ((profiles = 1327c478bd9Sstevel@tonic-gate kva_match(pa->attr, PROFATTR_PROFS_KW)) != NULL) { 1337c478bd9Sstevel@tonic-gate /* Check for authorization in subprofiles */ 1347c478bd9Sstevel@tonic-gate if (_chkprof_for_auth(profiles, authname, 1357c478bd9Sstevel@tonic-gate chkedprof, chkedprof_cnt)) { 1367c478bd9Sstevel@tonic-gate free_profattr(pa); 1377c478bd9Sstevel@tonic-gate return (1); 1387c478bd9Sstevel@tonic-gate } 1397c478bd9Sstevel@tonic-gate } 1407c478bd9Sstevel@tonic-gate free_profattr(pa); 1417c478bd9Sstevel@tonic-gate } 1427c478bd9Sstevel@tonic-gate } 1437c478bd9Sstevel@tonic-gate /* authorization not found in any profile */ 1447c478bd9Sstevel@tonic-gate return (0); 1457c478bd9Sstevel@tonic-gate } 1467c478bd9Sstevel@tonic-gate 1477c478bd9Sstevel@tonic-gate int 1487c478bd9Sstevel@tonic-gate _auth_match(const char *pattern, const char *auth) 1497c478bd9Sstevel@tonic-gate { 1507c478bd9Sstevel@tonic-gate size_t len; 1517c478bd9Sstevel@tonic-gate char wildcard = KV_WILDCHAR; 1527c478bd9Sstevel@tonic-gate char *grant; 1537c478bd9Sstevel@tonic-gate 1547c478bd9Sstevel@tonic-gate len = strlen(pattern); 1557c478bd9Sstevel@tonic-gate 1567c478bd9Sstevel@tonic-gate /* 1577c478bd9Sstevel@tonic-gate * If the wildcard is not in the last position in the string, don't 1587c478bd9Sstevel@tonic-gate * match against it. 1597c478bd9Sstevel@tonic-gate */ 1607c478bd9Sstevel@tonic-gate if (pattern[len-1] != wildcard) 1617c478bd9Sstevel@tonic-gate return (0); 1627c478bd9Sstevel@tonic-gate 1637c478bd9Sstevel@tonic-gate /* 1647c478bd9Sstevel@tonic-gate * If the strings are identical up to the wildcard and auth does not 1657c478bd9Sstevel@tonic-gate * end in "grant", then we have a match. 1667c478bd9Sstevel@tonic-gate */ 1677c478bd9Sstevel@tonic-gate if (strncmp(pattern, auth, len-1) == 0) { 1687c478bd9Sstevel@tonic-gate grant = strrchr(auth, '.'); 1697c478bd9Sstevel@tonic-gate if (grant != NULL) { 1707c478bd9Sstevel@tonic-gate if (strncmp(grant + 1, "grant", 5) != NULL) 1717c478bd9Sstevel@tonic-gate return (1); 1727c478bd9Sstevel@tonic-gate } 1737c478bd9Sstevel@tonic-gate } 1747c478bd9Sstevel@tonic-gate 1757c478bd9Sstevel@tonic-gate return (0); 1767c478bd9Sstevel@tonic-gate } 1777c478bd9Sstevel@tonic-gate 1787c478bd9Sstevel@tonic-gate static int 1797c478bd9Sstevel@tonic-gate _is_authorized(const char *authname, char *auths) 1807c478bd9Sstevel@tonic-gate { 1817c478bd9Sstevel@tonic-gate int found = 0; /* have we got a match, yet */ 1827c478bd9Sstevel@tonic-gate char wildcard = '*'; 1837c478bd9Sstevel@tonic-gate char *auth; /* current authorization being compared */ 1847c478bd9Sstevel@tonic-gate char *buf; 1857c478bd9Sstevel@tonic-gate char *lasts; 1867c478bd9Sstevel@tonic-gate 1877c478bd9Sstevel@tonic-gate buf = strdup(auths); 1887c478bd9Sstevel@tonic-gate for (auth = strtok_r(auths, ",", &lasts); auth != NULL && !found; 1897c478bd9Sstevel@tonic-gate auth = strtok_r(NULL, ",", &lasts)) { 1907c478bd9Sstevel@tonic-gate if (strcmp((char *)authname, auth) == 0) { 1917c478bd9Sstevel@tonic-gate /* Exact match. We're done. */ 1927c478bd9Sstevel@tonic-gate found = 1; 1937c478bd9Sstevel@tonic-gate } else if (strchr(auth, wildcard) != NULL) { 1947c478bd9Sstevel@tonic-gate if (_auth_match(auth, authname)) { 1957c478bd9Sstevel@tonic-gate found = 1; 1967c478bd9Sstevel@tonic-gate break; 1977c478bd9Sstevel@tonic-gate } 1987c478bd9Sstevel@tonic-gate } 1997c478bd9Sstevel@tonic-gate } 2007c478bd9Sstevel@tonic-gate 2017c478bd9Sstevel@tonic-gate free(buf); 2027c478bd9Sstevel@tonic-gate 2037c478bd9Sstevel@tonic-gate return (found); 2047c478bd9Sstevel@tonic-gate } 2057c478bd9Sstevel@tonic-gate 2067c478bd9Sstevel@tonic-gate 2077c478bd9Sstevel@tonic-gate /* 2087c478bd9Sstevel@tonic-gate * read /etc/security/policy.conf for AUTHS_GRANTED. 2097c478bd9Sstevel@tonic-gate * return 1 if found matching authname. 2107c478bd9Sstevel@tonic-gate * Otherwise, read PROFS_GRANTED to see if authname exists in any 2117c478bd9Sstevel@tonic-gate * default profiles. 2127c478bd9Sstevel@tonic-gate */ 2137c478bd9Sstevel@tonic-gate static int 214*499fd601Sgww _chk_policy_auth(const char *authname, const char *username, char **chkedprof, 215*499fd601Sgww int *chkedprof_cnt) 2167c478bd9Sstevel@tonic-gate { 217*499fd601Sgww char *auths = NULL; 218*499fd601Sgww char *profs = NULL; 2197c478bd9Sstevel@tonic-gate int ret = 1; 2207c478bd9Sstevel@tonic-gate 221*499fd601Sgww if (_get_user_defs(username, &auths, &profs) != 0) 2227c478bd9Sstevel@tonic-gate return (0); 2237c478bd9Sstevel@tonic-gate 2247c478bd9Sstevel@tonic-gate if (auths != NULL) { 2257c478bd9Sstevel@tonic-gate if (_is_authorized(authname, auths)) 2267c478bd9Sstevel@tonic-gate goto exit; 2277c478bd9Sstevel@tonic-gate } 2287c478bd9Sstevel@tonic-gate 2297c478bd9Sstevel@tonic-gate if (profs != NULL) { 2307c478bd9Sstevel@tonic-gate if (_chkprof_for_auth(profs, authname, chkedprof, 2317c478bd9Sstevel@tonic-gate chkedprof_cnt)) 2327c478bd9Sstevel@tonic-gate goto exit; 2337c478bd9Sstevel@tonic-gate } 2347c478bd9Sstevel@tonic-gate ret = 0; 2357c478bd9Sstevel@tonic-gate 2367c478bd9Sstevel@tonic-gate exit: 237*499fd601Sgww _free_user_defs(auths, profs); 2387c478bd9Sstevel@tonic-gate return (ret); 2397c478bd9Sstevel@tonic-gate } 240*499fd601Sgww 241*499fd601Sgww #define CONSOLE "/dev/console" 242*499fd601Sgww 243*499fd601Sgww static int 244*499fd601Sgww is_cons_user(const char *user) 245*499fd601Sgww { 246*499fd601Sgww struct stat cons; 247*499fd601Sgww struct passwd pw; 248*499fd601Sgww char pwbuf[NSS_BUFLEN_PASSWD]; 249*499fd601Sgww 250*499fd601Sgww if (user == NULL) { 251*499fd601Sgww return (0); 252*499fd601Sgww } 253*499fd601Sgww if (stat(CONSOLE, &cons) == -1) { 254*499fd601Sgww return (0); 255*499fd601Sgww } 256*499fd601Sgww if (getpwnam_r(user, &pw, pwbuf, sizeof (pwbuf)) == NULL) { 257*499fd601Sgww return (0); 258*499fd601Sgww } 259*499fd601Sgww 260*499fd601Sgww return (pw.pw_uid == cons.st_uid); 261*499fd601Sgww } 262*499fd601Sgww 263*499fd601Sgww 264*499fd601Sgww int 265*499fd601Sgww _get_user_defs(const char *user, char **def_auth, char **def_prof) 266*499fd601Sgww { 267*499fd601Sgww char *cp; 268*499fd601Sgww char *profs; 269*499fd601Sgww 270*499fd601Sgww if (defopen(AUTH_POLICY) != 0) { 271*499fd601Sgww if (def_auth != NULL) { 272*499fd601Sgww *def_auth = NULL; 273*499fd601Sgww } 274*499fd601Sgww if (def_prof != NULL) { 275*499fd601Sgww *def_prof = NULL; 276*499fd601Sgww } 277*499fd601Sgww return (-1); 278*499fd601Sgww } 279*499fd601Sgww 280*499fd601Sgww if (def_auth != NULL) { 281*499fd601Sgww if ((cp = defread(DEF_AUTH)) != NULL) { 282*499fd601Sgww if ((*def_auth = strdup(cp)) == NULL) { 283*499fd601Sgww (void) defopen(NULL); 284*499fd601Sgww return (-1); 285*499fd601Sgww } 286*499fd601Sgww } else { 287*499fd601Sgww *def_auth = NULL; 288*499fd601Sgww } 289*499fd601Sgww } 290*499fd601Sgww if (def_prof != NULL) { 291*499fd601Sgww if (is_cons_user(user) && 292*499fd601Sgww (cp = defread(DEF_CONSUSER)) != NULL) { 293*499fd601Sgww if ((*def_prof = strdup(cp)) == NULL) { 294*499fd601Sgww (void) defopen(NULL); 295*499fd601Sgww return (-1); 296*499fd601Sgww } 297*499fd601Sgww } 298*499fd601Sgww if ((cp = defread(DEF_PROF)) != NULL) { 299*499fd601Sgww int prof_len; 300*499fd601Sgww 301*499fd601Sgww if (*def_prof == NULL) { 302*499fd601Sgww if ((*def_prof = strdup(cp)) == NULL) { 303*499fd601Sgww (void) defopen(NULL); 304*499fd601Sgww return (-1); 305*499fd601Sgww } 306*499fd601Sgww (void) defopen(NULL); 307*499fd601Sgww return (0); 308*499fd601Sgww } 309*499fd601Sgww 310*499fd601Sgww /* concatenate def profs with "," separator */ 311*499fd601Sgww prof_len = strlen(*def_prof) + strlen(cp) + 2; 312*499fd601Sgww if ((profs = malloc(prof_len)) == NULL) { 313*499fd601Sgww free(*def_prof); 314*499fd601Sgww *def_prof = NULL; 315*499fd601Sgww (void) defopen(NULL); 316*499fd601Sgww return (-1); 317*499fd601Sgww } 318*499fd601Sgww (void) snprintf(profs, prof_len, "%s,%s", *def_prof, 319*499fd601Sgww cp); 320*499fd601Sgww free(*def_prof); 321*499fd601Sgww *def_prof = profs; 322*499fd601Sgww } 323*499fd601Sgww } 324*499fd601Sgww 325*499fd601Sgww (void) defopen(NULL); 326*499fd601Sgww return (0); 327*499fd601Sgww } 328*499fd601Sgww 329*499fd601Sgww 330*499fd601Sgww void 331*499fd601Sgww _free_user_defs(char *def_auth, char *def_prof) 332*499fd601Sgww { 333*499fd601Sgww free(def_auth); 334*499fd601Sgww free(def_prof); 335*499fd601Sgww } 336