xref: /titanic_50/usr/src/lib/libsecdb/common/chkauthattr.c (revision ceeba6f9f0adf370c2a0f5c81a0d6ef1ba146cb4)

/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <limits.h>
#include <pwd.h>
#include <nss_dbdefs.h>
#include <deflt.h>
#include <auth_attr.h>
#include <prof_attr.h>
#include <user_attr.h>


static int _is_authorized(const char *, char *);
static int _chk_policy_auth(const char *, const char *, char **, int *);
static int _chkprof_for_auth(const char *, const char *, char **, int *);
int
chkauthattr(const char *authname, const char *username)
{
	int		auth_granted = 0;
	char		*auths;
	char		*profiles;
	userattr_t	*user = NULL;
	char		*chkedprof[MAXPROFS];
	int		chkedprof_cnt = 0;
	int		i;

	if (authname == NULL || username == NULL)
		return (0);

	/* Check against AUTHS_GRANTED and PROFS_GRANTED in policy.conf */
	auth_granted = _chk_policy_auth(authname, username, chkedprof,
	    &chkedprof_cnt);
	if (auth_granted)
		goto exit;

	if ((user = getusernam(username)) == NULL)
		goto exit;

	/* Check against authorizations listed in user_attr */
	if ((auths = kva_match(user->attr, USERATTR_AUTHS_KW)) != NULL) {
		auth_granted = _is_authorized(authname, auths);
		if (auth_granted)
			goto exit;
	}

	/* Check against authorizations specified by profiles */
	if ((profiles = kva_match(user->attr, USERATTR_PROFILES_KW)) != NULL)
		auth_granted = _chkprof_for_auth(profiles, authname,
		    chkedprof, &chkedprof_cnt);

exit:
	/* free memory allocated for checked array */
	for (i = 0; i < chkedprof_cnt; i++) {
		free(chkedprof[i]);
	}

	if (user != NULL)
		free_userattr(user);

	return (auth_granted);
}

static int
_chkprof_for_auth(const char *profs, const char *authname,
    char **chkedprof, int *chkedprof_cnt)
{

	char *prof, *lasts, *auths, *profiles;
	profattr_t	*pa;
	int		i;
	int		checked = 0;

	for (prof = strtok_r((char *)profs, ",", &lasts); prof != NULL;
	    prof = strtok_r(NULL, ",", &lasts)) {

		checked = 0;
		/* check if this profile has been checked */
		for (i = 0; i < *chkedprof_cnt; i++) {
			if (strcmp(chkedprof[i], prof) == 0) {
				checked = 1;
				break;
			}
		}

		if (!checked) {

			chkedprof[*chkedprof_cnt] = strdup(prof);
			*chkedprof_cnt = *chkedprof_cnt + 1;

			if ((pa = getprofnam(prof)) == NULL)
				continue;

			if ((auths = kva_match(pa->attr,
			    PROFATTR_AUTHS_KW)) != NULL) {
				if (_is_authorized(authname, auths)) {
					free_profattr(pa);
					return (1);
				}
			}
			if ((profiles =
			    kva_match(pa->attr, PROFATTR_PROFS_KW)) != NULL) {
				/* Check for authorization in subprofiles */
				if (_chkprof_for_auth(profiles, authname,
				    chkedprof, chkedprof_cnt)) {
					free_profattr(pa);
					return (1);
				}
			}
			free_profattr(pa);
		}
	}
	/* authorization not found in any profile */
	return (0);
}

int
_auth_match(const char *pattern, const char *auth)
{
	size_t len;
	char wildcard = KV_WILDCHAR;
	char *grant;

	len = strlen(pattern);

	/*
	 * If the wildcard is not in the last position in the string, don't
	 * match against it.
	 */
	if (pattern[len-1] != wildcard)
		return (0);

	/*
	 * If the strings are identical up to the wildcard and auth does not
	 * end in "grant", then we have a match.
	 */
	if (strncmp(pattern, auth, len-1) == 0) {
		grant = strrchr(auth, '.');
		if (grant != NULL) {
			if (strncmp(grant + 1, "grant", 5) != NULL)
				return (1);
		}
	}

	return (0);
}

static int
_is_authorized(const char *authname, char *auths)
{
	int	found = 0;	/* have we got a match, yet */
	char	wildcard = '*';
	char	*auth;		/* current authorization being compared */
	char	*buf;
	char	*lasts;

	buf = strdup(auths);
	for (auth = strtok_r(auths, ",", &lasts); auth != NULL && !found;
	    auth = strtok_r(NULL, ",", &lasts)) {
		if (strcmp((char *)authname, auth) == 0) {
			/* Exact match.  We're done. */
			found = 1;
		} else if (strchr(auth, wildcard) != NULL) {
			if (_auth_match(auth, authname)) {
				found = 1;
				break;
			}
		}
	}

	free(buf);

	return (found);
}


/*
 * read /etc/security/policy.conf for AUTHS_GRANTED.
 * return 1 if found matching authname.
 * Otherwise, read PROFS_GRANTED to see if authname exists in any
 * default profiles.
 */
static int
_chk_policy_auth(const char *authname, const char *username, char **chkedprof,
    int *chkedprof_cnt)
{
	char	*auths = NULL;
	char	*profs = NULL;
	int	ret = 1;

	if (_get_user_defs(username, &auths, &profs) != 0)
		return (0);

	if (auths != NULL) {
		if (_is_authorized(authname, auths))
			goto exit;
	}

	if (profs != NULL) {
		if (_chkprof_for_auth(profs, authname, chkedprof,
		    chkedprof_cnt))
			goto exit;
	}
	ret = 0;

exit:
	_free_user_defs(auths, profs);
	return (ret);
}

#define	CONSOLE_USER_LINK "/dev/vt/console_user"

static int
is_cons_user(const char *user)
{
	struct stat	cons;
	struct passwd	pw;
	char		pwbuf[NSS_BUFLEN_PASSWD];

	if (user == NULL) {
		return (0);
	}
	if (stat(CONSOLE_USER_LINK, &cons) == -1) {
		return (0);
	}
	if (getpwnam_r(user, &pw, pwbuf, sizeof (pwbuf)) == NULL) {
		return (0);
	}

	return (pw.pw_uid == cons.st_uid);
}


int
_get_user_defs(const char *user, char **def_auth, char **def_prof)
{
	char *cp;
	char *profs;
	void	*defp;

	if ((defp = defopen_r(AUTH_POLICY)) == NULL) {
		if (def_auth != NULL) {
			*def_auth = NULL;
		}
		if (def_prof != NULL) {
			*def_prof = NULL;
		}
		return (-1);
	}

	if (def_auth != NULL) {
		if ((cp = defread_r(DEF_AUTH, defp)) != NULL) {
			if ((*def_auth = strdup(cp)) == NULL) {
				defclose_r(defp);
				return (-1);
			}
		} else {
			*def_auth = NULL;
		}
	}
	if (def_prof != NULL) {
		if (is_cons_user(user) &&
		    (cp = defread_r(DEF_CONSUSER, defp)) != NULL) {
			if ((*def_prof = strdup(cp)) == NULL) {
				defclose_r(defp);
				return (-1);
			}
		}
		if ((cp = defread_r(DEF_PROF, defp)) != NULL) {
			int	prof_len;

			if (*def_prof == NULL) {
				if ((*def_prof = strdup(cp)) == NULL) {
					defclose_r(defp);
					return (-1);
				}
				defclose_r(defp);
				return (0);
			}

			/* concatenate def profs with "," separator */
			prof_len = strlen(*def_prof) + strlen(cp) + 2;
			if ((profs = malloc(prof_len)) == NULL) {
				free(*def_prof);
				*def_prof = NULL;
				defclose_r(defp);
				return (-1);
			}
			(void) snprintf(profs, prof_len, "%s,%s", *def_prof,
			    cp);
			free(*def_prof);
			*def_prof = profs;
		}
	}

	defclose_r(defp);
	return (0);
}


void
_free_user_defs(char *def_auth, char *def_prof)
{
	free(def_auth);
	free(def_prof);
}