xref: /titanic_50/usr/src/lib/libsecdb/common/chkauthattr.c (revision b9175c69691c8949bec97fb8f689b7d1efdb05bb)
17c478bd9Sstevel@tonic-gate /*
27c478bd9Sstevel@tonic-gate  * CDDL HEADER START
37c478bd9Sstevel@tonic-gate  *
47c478bd9Sstevel@tonic-gate  * The contents of this file are subject to the terms of the
5d3186a0eSjeanm  * Common Development and Distribution License (the "License").
6d3186a0eSjeanm  * You may not use this file except in compliance with the License.
77c478bd9Sstevel@tonic-gate  *
87c478bd9Sstevel@tonic-gate  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
97c478bd9Sstevel@tonic-gate  * or http://www.opensolaris.org/os/licensing.
107c478bd9Sstevel@tonic-gate  * See the License for the specific language governing permissions
117c478bd9Sstevel@tonic-gate  * and limitations under the License.
127c478bd9Sstevel@tonic-gate  *
137c478bd9Sstevel@tonic-gate  * When distributing Covered Code, include this CDDL HEADER in each
147c478bd9Sstevel@tonic-gate  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
157c478bd9Sstevel@tonic-gate  * If applicable, add the following below this CDDL HEADER, with the
167c478bd9Sstevel@tonic-gate  * fields enclosed by brackets "[]" replaced with your own identifying
177c478bd9Sstevel@tonic-gate  * information: Portions Copyright [yyyy] [name of copyright owner]
187c478bd9Sstevel@tonic-gate  *
197c478bd9Sstevel@tonic-gate  * CDDL HEADER END
207c478bd9Sstevel@tonic-gate  */
217c478bd9Sstevel@tonic-gate /*
22*b9175c69SKenjiro Tsuji  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
237c478bd9Sstevel@tonic-gate  * Use is subject to license terms.
247c478bd9Sstevel@tonic-gate  */
257c478bd9Sstevel@tonic-gate 
267c478bd9Sstevel@tonic-gate #include <stdio.h>
277c478bd9Sstevel@tonic-gate #include <stdlib.h>
287c478bd9Sstevel@tonic-gate #include <string.h>
297c478bd9Sstevel@tonic-gate #include <sys/types.h>
307c478bd9Sstevel@tonic-gate #include <sys/stat.h>
317c478bd9Sstevel@tonic-gate #include <fcntl.h>
327c478bd9Sstevel@tonic-gate #include <sys/mman.h>
337c478bd9Sstevel@tonic-gate #include <limits.h>
34499fd601Sgww #include <pwd.h>
35499fd601Sgww #include <nss_dbdefs.h>
367c478bd9Sstevel@tonic-gate #include <deflt.h>
377c478bd9Sstevel@tonic-gate #include <auth_attr.h>
387c478bd9Sstevel@tonic-gate #include <prof_attr.h>
397c478bd9Sstevel@tonic-gate #include <user_attr.h>
407c478bd9Sstevel@tonic-gate 
417c478bd9Sstevel@tonic-gate 
427c478bd9Sstevel@tonic-gate static int _is_authorized(const char *, char *);
43499fd601Sgww static int _chk_policy_auth(const char *, const char *, char **, int *);
447c478bd9Sstevel@tonic-gate static int _chkprof_for_auth(const char *, const char *, char **, int *);
457c478bd9Sstevel@tonic-gate int
467c478bd9Sstevel@tonic-gate chkauthattr(const char *authname, const char *username)
477c478bd9Sstevel@tonic-gate {
487c478bd9Sstevel@tonic-gate 	int		auth_granted = 0;
497c478bd9Sstevel@tonic-gate 	char		*auths;
507c478bd9Sstevel@tonic-gate 	char		*profiles;
51ace0ce48Sjjj 	userattr_t	*user = NULL;
527c478bd9Sstevel@tonic-gate 	char		*chkedprof[MAXPROFS];
537c478bd9Sstevel@tonic-gate 	int		chkedprof_cnt = 0;
547c478bd9Sstevel@tonic-gate 	int		i;
557c478bd9Sstevel@tonic-gate 
567c478bd9Sstevel@tonic-gate 	if (authname == NULL || username == NULL)
577c478bd9Sstevel@tonic-gate 		return (0);
587c478bd9Sstevel@tonic-gate 
59ace0ce48Sjjj 	/* Check against AUTHS_GRANTED and PROFS_GRANTED in policy.conf */
60499fd601Sgww 	auth_granted = _chk_policy_auth(authname, username, chkedprof,
61499fd601Sgww 	    &chkedprof_cnt);
62ace0ce48Sjjj 	if (auth_granted)
63ace0ce48Sjjj 		goto exit;
64ace0ce48Sjjj 
657c478bd9Sstevel@tonic-gate 	if ((user = getusernam(username)) == NULL)
66ace0ce48Sjjj 		goto exit;
677c478bd9Sstevel@tonic-gate 
68ace0ce48Sjjj 	/* Check against authorizations listed in user_attr */
697c478bd9Sstevel@tonic-gate 	if ((auths = kva_match(user->attr, USERATTR_AUTHS_KW)) != NULL) {
70ace0ce48Sjjj 		auth_granted = _is_authorized(authname, auths);
71ace0ce48Sjjj 		if (auth_granted)
72ace0ce48Sjjj 			goto exit;
737c478bd9Sstevel@tonic-gate 	}
747c478bd9Sstevel@tonic-gate 
75ace0ce48Sjjj 	/* Check against authorizations specified by profiles */
76ace0ce48Sjjj 	if ((profiles = kva_match(user->attr, USERATTR_PROFILES_KW)) != NULL)
777c478bd9Sstevel@tonic-gate 		auth_granted = _chkprof_for_auth(profiles, authname,
787c478bd9Sstevel@tonic-gate 		    chkedprof, &chkedprof_cnt);
797c478bd9Sstevel@tonic-gate 
80ace0ce48Sjjj exit:
817c478bd9Sstevel@tonic-gate 	/* free memory allocated for checked array */
827c478bd9Sstevel@tonic-gate 	for (i = 0; i < chkedprof_cnt; i++) {
837c478bd9Sstevel@tonic-gate 		free(chkedprof[i]);
847c478bd9Sstevel@tonic-gate 	}
857c478bd9Sstevel@tonic-gate 
86ace0ce48Sjjj 	if (user != NULL)
877c478bd9Sstevel@tonic-gate 		free_userattr(user);
887c478bd9Sstevel@tonic-gate 
897c478bd9Sstevel@tonic-gate 	return (auth_granted);
907c478bd9Sstevel@tonic-gate }
917c478bd9Sstevel@tonic-gate 
927c478bd9Sstevel@tonic-gate static int
937c478bd9Sstevel@tonic-gate _chkprof_for_auth(const char *profs, const char *authname,
947c478bd9Sstevel@tonic-gate     char **chkedprof, int *chkedprof_cnt)
957c478bd9Sstevel@tonic-gate {
967c478bd9Sstevel@tonic-gate 
977c478bd9Sstevel@tonic-gate 	char *prof, *lasts, *auths, *profiles;
987c478bd9Sstevel@tonic-gate 	profattr_t	*pa;
997c478bd9Sstevel@tonic-gate 	int		i;
1007c478bd9Sstevel@tonic-gate 	int		checked = 0;
1017c478bd9Sstevel@tonic-gate 
1027c478bd9Sstevel@tonic-gate 	for (prof = strtok_r((char *)profs, ",", &lasts); prof != NULL;
1037c478bd9Sstevel@tonic-gate 	    prof = strtok_r(NULL, ",", &lasts)) {
1047c478bd9Sstevel@tonic-gate 
1057c478bd9Sstevel@tonic-gate 		checked = 0;
1067c478bd9Sstevel@tonic-gate 		/* check if this profile has been checked */
1077c478bd9Sstevel@tonic-gate 		for (i = 0; i < *chkedprof_cnt; i++) {
1087c478bd9Sstevel@tonic-gate 			if (strcmp(chkedprof[i], prof) == 0) {
1097c478bd9Sstevel@tonic-gate 				checked = 1;
1107c478bd9Sstevel@tonic-gate 				break;
1117c478bd9Sstevel@tonic-gate 			}
1127c478bd9Sstevel@tonic-gate 		}
1137c478bd9Sstevel@tonic-gate 
1147c478bd9Sstevel@tonic-gate 		if (!checked) {
1157c478bd9Sstevel@tonic-gate 
1167c478bd9Sstevel@tonic-gate 			chkedprof[*chkedprof_cnt] = strdup(prof);
1177c478bd9Sstevel@tonic-gate 			*chkedprof_cnt = *chkedprof_cnt + 1;
1187c478bd9Sstevel@tonic-gate 
1197c478bd9Sstevel@tonic-gate 			if ((pa = getprofnam(prof)) == NULL)
1207c478bd9Sstevel@tonic-gate 				continue;
1217c478bd9Sstevel@tonic-gate 
1227c478bd9Sstevel@tonic-gate 			if ((auths = kva_match(pa->attr,
1237c478bd9Sstevel@tonic-gate 			    PROFATTR_AUTHS_KW)) != NULL) {
1247c478bd9Sstevel@tonic-gate 				if (_is_authorized(authname, auths)) {
1257c478bd9Sstevel@tonic-gate 					free_profattr(pa);
1267c478bd9Sstevel@tonic-gate 					return (1);
1277c478bd9Sstevel@tonic-gate 				}
1287c478bd9Sstevel@tonic-gate 			}
1297c478bd9Sstevel@tonic-gate 			if ((profiles =
1307c478bd9Sstevel@tonic-gate 			    kva_match(pa->attr, PROFATTR_PROFS_KW)) != NULL) {
1317c478bd9Sstevel@tonic-gate 				/* Check for authorization in subprofiles */
1327c478bd9Sstevel@tonic-gate 				if (_chkprof_for_auth(profiles, authname,
1337c478bd9Sstevel@tonic-gate 				    chkedprof, chkedprof_cnt)) {
1347c478bd9Sstevel@tonic-gate 					free_profattr(pa);
1357c478bd9Sstevel@tonic-gate 					return (1);
1367c478bd9Sstevel@tonic-gate 				}
1377c478bd9Sstevel@tonic-gate 			}
1387c478bd9Sstevel@tonic-gate 			free_profattr(pa);
1397c478bd9Sstevel@tonic-gate 		}
1407c478bd9Sstevel@tonic-gate 	}
1417c478bd9Sstevel@tonic-gate 	/* authorization not found in any profile */
1427c478bd9Sstevel@tonic-gate 	return (0);
1437c478bd9Sstevel@tonic-gate }
1447c478bd9Sstevel@tonic-gate 
1457c478bd9Sstevel@tonic-gate int
1467c478bd9Sstevel@tonic-gate _auth_match(const char *pattern, const char *auth)
1477c478bd9Sstevel@tonic-gate {
1487c478bd9Sstevel@tonic-gate 	size_t len;
1497c478bd9Sstevel@tonic-gate 	char wildcard = KV_WILDCHAR;
1507c478bd9Sstevel@tonic-gate 	char *grant;
1517c478bd9Sstevel@tonic-gate 
1527c478bd9Sstevel@tonic-gate 	len = strlen(pattern);
1537c478bd9Sstevel@tonic-gate 
1547c478bd9Sstevel@tonic-gate 	/*
1557c478bd9Sstevel@tonic-gate 	 * If the wildcard is not in the last position in the string, don't
1567c478bd9Sstevel@tonic-gate 	 * match against it.
1577c478bd9Sstevel@tonic-gate 	 */
1587c478bd9Sstevel@tonic-gate 	if (pattern[len-1] != wildcard)
1597c478bd9Sstevel@tonic-gate 		return (0);
1607c478bd9Sstevel@tonic-gate 
1617c478bd9Sstevel@tonic-gate 	/*
1627c478bd9Sstevel@tonic-gate 	 * If the strings are identical up to the wildcard and auth does not
1637c478bd9Sstevel@tonic-gate 	 * end in "grant", then we have a match.
1647c478bd9Sstevel@tonic-gate 	 */
1657c478bd9Sstevel@tonic-gate 	if (strncmp(pattern, auth, len-1) == 0) {
1667c478bd9Sstevel@tonic-gate 		grant = strrchr(auth, '.');
1677c478bd9Sstevel@tonic-gate 		if (grant != NULL) {
1687c478bd9Sstevel@tonic-gate 			if (strncmp(grant + 1, "grant", 5) != NULL)
1697c478bd9Sstevel@tonic-gate 				return (1);
1707c478bd9Sstevel@tonic-gate 		}
1717c478bd9Sstevel@tonic-gate 	}
1727c478bd9Sstevel@tonic-gate 
1737c478bd9Sstevel@tonic-gate 	return (0);
1747c478bd9Sstevel@tonic-gate }
1757c478bd9Sstevel@tonic-gate 
1767c478bd9Sstevel@tonic-gate static int
1777c478bd9Sstevel@tonic-gate _is_authorized(const char *authname, char *auths)
1787c478bd9Sstevel@tonic-gate {
1797c478bd9Sstevel@tonic-gate 	int	found = 0;	/* have we got a match, yet */
1807c478bd9Sstevel@tonic-gate 	char	wildcard = '*';
1817c478bd9Sstevel@tonic-gate 	char	*auth;		/* current authorization being compared */
1827c478bd9Sstevel@tonic-gate 	char	*buf;
1837c478bd9Sstevel@tonic-gate 	char	*lasts;
1847c478bd9Sstevel@tonic-gate 
1857c478bd9Sstevel@tonic-gate 	buf = strdup(auths);
1867c478bd9Sstevel@tonic-gate 	for (auth = strtok_r(auths, ",", &lasts); auth != NULL && !found;
1877c478bd9Sstevel@tonic-gate 	    auth = strtok_r(NULL, ",", &lasts)) {
1887c478bd9Sstevel@tonic-gate 		if (strcmp((char *)authname, auth) == 0) {
1897c478bd9Sstevel@tonic-gate 			/* Exact match.  We're done. */
1907c478bd9Sstevel@tonic-gate 			found = 1;
1917c478bd9Sstevel@tonic-gate 		} else if (strchr(auth, wildcard) != NULL) {
1927c478bd9Sstevel@tonic-gate 			if (_auth_match(auth, authname)) {
1937c478bd9Sstevel@tonic-gate 				found = 1;
1947c478bd9Sstevel@tonic-gate 				break;
1957c478bd9Sstevel@tonic-gate 			}
1967c478bd9Sstevel@tonic-gate 		}
1977c478bd9Sstevel@tonic-gate 	}
1987c478bd9Sstevel@tonic-gate 
1997c478bd9Sstevel@tonic-gate 	free(buf);
2007c478bd9Sstevel@tonic-gate 
2017c478bd9Sstevel@tonic-gate 	return (found);
2027c478bd9Sstevel@tonic-gate }
2037c478bd9Sstevel@tonic-gate 
2047c478bd9Sstevel@tonic-gate 
2057c478bd9Sstevel@tonic-gate /*
2067c478bd9Sstevel@tonic-gate  * read /etc/security/policy.conf for AUTHS_GRANTED.
2077c478bd9Sstevel@tonic-gate  * return 1 if found matching authname.
2087c478bd9Sstevel@tonic-gate  * Otherwise, read PROFS_GRANTED to see if authname exists in any
2097c478bd9Sstevel@tonic-gate  * default profiles.
2107c478bd9Sstevel@tonic-gate  */
2117c478bd9Sstevel@tonic-gate static int
212499fd601Sgww _chk_policy_auth(const char *authname, const char *username, char **chkedprof,
213499fd601Sgww     int *chkedprof_cnt)
2147c478bd9Sstevel@tonic-gate {
215499fd601Sgww 	char	*auths = NULL;
216499fd601Sgww 	char	*profs = NULL;
2177c478bd9Sstevel@tonic-gate 	int	ret = 1;
2187c478bd9Sstevel@tonic-gate 
219499fd601Sgww 	if (_get_user_defs(username, &auths, &profs) != 0)
2207c478bd9Sstevel@tonic-gate 		return (0);
2217c478bd9Sstevel@tonic-gate 
2227c478bd9Sstevel@tonic-gate 	if (auths != NULL) {
2237c478bd9Sstevel@tonic-gate 		if (_is_authorized(authname, auths))
2247c478bd9Sstevel@tonic-gate 			goto exit;
2257c478bd9Sstevel@tonic-gate 	}
2267c478bd9Sstevel@tonic-gate 
2277c478bd9Sstevel@tonic-gate 	if (profs != NULL) {
2287c478bd9Sstevel@tonic-gate 		if (_chkprof_for_auth(profs, authname, chkedprof,
2297c478bd9Sstevel@tonic-gate 		    chkedprof_cnt))
2307c478bd9Sstevel@tonic-gate 			goto exit;
2317c478bd9Sstevel@tonic-gate 	}
2327c478bd9Sstevel@tonic-gate 	ret = 0;
2337c478bd9Sstevel@tonic-gate 
2347c478bd9Sstevel@tonic-gate exit:
235499fd601Sgww 	_free_user_defs(auths, profs);
2367c478bd9Sstevel@tonic-gate 	return (ret);
2377c478bd9Sstevel@tonic-gate }
238499fd601Sgww 
239499fd601Sgww #define	CONSOLE "/dev/console"
240499fd601Sgww 
241499fd601Sgww static int
242499fd601Sgww is_cons_user(const char *user)
243499fd601Sgww {
244499fd601Sgww 	struct stat	cons;
245499fd601Sgww 	struct passwd	pw;
246499fd601Sgww 	char		pwbuf[NSS_BUFLEN_PASSWD];
247499fd601Sgww 
248499fd601Sgww 	if (user == NULL) {
249499fd601Sgww 		return (0);
250499fd601Sgww 	}
251499fd601Sgww 	if (stat(CONSOLE, &cons) == -1) {
252499fd601Sgww 		return (0);
253499fd601Sgww 	}
254499fd601Sgww 	if (getpwnam_r(user, &pw, pwbuf, sizeof (pwbuf)) == NULL) {
255499fd601Sgww 		return (0);
256499fd601Sgww 	}
257499fd601Sgww 
258499fd601Sgww 	return (pw.pw_uid == cons.st_uid);
259499fd601Sgww }
260499fd601Sgww 
261499fd601Sgww 
262499fd601Sgww int
263499fd601Sgww _get_user_defs(const char *user, char **def_auth, char **def_prof)
264499fd601Sgww {
265499fd601Sgww 	char *cp;
266499fd601Sgww 	char *profs;
267*b9175c69SKenjiro Tsuji 	void	*defp;
268499fd601Sgww 
269*b9175c69SKenjiro Tsuji 	if ((defp = defopen_r(AUTH_POLICY)) == NULL) {
270499fd601Sgww 		if (def_auth != NULL) {
271499fd601Sgww 			*def_auth = NULL;
272499fd601Sgww 		}
273499fd601Sgww 		if (def_prof != NULL) {
274499fd601Sgww 			*def_prof = NULL;
275499fd601Sgww 		}
276499fd601Sgww 		return (-1);
277499fd601Sgww 	}
278499fd601Sgww 
279499fd601Sgww 	if (def_auth != NULL) {
280*b9175c69SKenjiro Tsuji 		if ((cp = defread_r(DEF_AUTH, defp)) != NULL) {
281499fd601Sgww 			if ((*def_auth = strdup(cp)) == NULL) {
282*b9175c69SKenjiro Tsuji 				defclose_r(defp);
283499fd601Sgww 				return (-1);
284499fd601Sgww 			}
285499fd601Sgww 		} else {
286499fd601Sgww 			*def_auth = NULL;
287499fd601Sgww 		}
288499fd601Sgww 	}
289499fd601Sgww 	if (def_prof != NULL) {
290499fd601Sgww 		if (is_cons_user(user) &&
291*b9175c69SKenjiro Tsuji 		    (cp = defread_r(DEF_CONSUSER, defp)) != NULL) {
292499fd601Sgww 			if ((*def_prof = strdup(cp)) == NULL) {
293*b9175c69SKenjiro Tsuji 				defclose_r(defp);
294499fd601Sgww 				return (-1);
295499fd601Sgww 			}
296499fd601Sgww 		}
297*b9175c69SKenjiro Tsuji 		if ((cp = defread_r(DEF_PROF, defp)) != NULL) {
298499fd601Sgww 			int	prof_len;
299499fd601Sgww 
300499fd601Sgww 			if (*def_prof == NULL) {
301499fd601Sgww 				if ((*def_prof = strdup(cp)) == NULL) {
302*b9175c69SKenjiro Tsuji 					defclose_r(defp);
303499fd601Sgww 					return (-1);
304499fd601Sgww 				}
305*b9175c69SKenjiro Tsuji 				defclose_r(defp);
306499fd601Sgww 				return (0);
307499fd601Sgww 			}
308499fd601Sgww 
309499fd601Sgww 			/* concatenate def profs with "," separator */
310499fd601Sgww 			prof_len = strlen(*def_prof) + strlen(cp) + 2;
311499fd601Sgww 			if ((profs = malloc(prof_len)) == NULL) {
312499fd601Sgww 				free(*def_prof);
313499fd601Sgww 				*def_prof = NULL;
314*b9175c69SKenjiro Tsuji 				defclose_r(defp);
315499fd601Sgww 				return (-1);
316499fd601Sgww 			}
317499fd601Sgww 			(void) snprintf(profs, prof_len, "%s,%s", *def_prof,
318499fd601Sgww 			    cp);
319499fd601Sgww 			free(*def_prof);
320499fd601Sgww 			*def_prof = profs;
321499fd601Sgww 		}
322499fd601Sgww 	}
323499fd601Sgww 
324*b9175c69SKenjiro Tsuji 	defclose_r(defp);
325499fd601Sgww 	return (0);
326499fd601Sgww }
327499fd601Sgww 
328499fd601Sgww 
329499fd601Sgww void
330499fd601Sgww _free_user_defs(char *def_auth, char *def_prof)
331499fd601Sgww {
332499fd601Sgww 	free(def_auth);
333499fd601Sgww 	free(def_prof);
334499fd601Sgww }
335