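/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
 */

#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <auth_attr.h>
#include <prof_attr.h>
#include <user_attr.h>
#include <project.h>
#include <secdb.h>
#include <pwd.h>
#include <unistd.h>
#include <priv.h>
#include <errno.h>
#include <ctype.h>
#include <nss.h>
#include <bsm/libbsm.h>
#include <tsol/label.h>
#include "funcs.h"
#include "messages.h"
#undef	GROUP
#include "userdefs.h"

/*
 * One entry per user_attr key this command accepts.
 *
 *	key	 - the user_attr keyword.
 *	check	 - validator; returns NULL when the value is acceptable,
 *		   otherwise a string describing/naming the offending part.
 *	errstr	 - human readable name of the key, used in error messages.
 *	newvalue - value requested on the command line, NULL until set.
 */
typedef struct ua_key {
	const char	*key;
	const char	*(*check)(const char *);
	const char	*errstr;
	char		*newvalue;
} ua_key_t;

static const char role[] = "role name";
static const char prof[] = "profile name";
static const char proj[] = "project name";
static const char priv[] = "privilege set";
static const char auth[] = "authorization";
static const char type[] = "user type";
static const char lock[] = "lock_after_retries value";
static const char label[] = "label";
static const char idlecmd[] = "idlecmd value";
static const char idletime[] = "idletime value";
static const char auditflags[] = "audit mask";
/* Shared result buffer for check_auditflags(); overwritten on every call. */
static char auditerr[256];


static const char *check_auth(const char *);
static const char *check_prof(const char *);
static const char *check_role(const char *);
static const char *check_proj(const char *);
static const char *check_privset(const char *);
static const char *check_type(const char *);
static const char *check_lock_after_retries(const char *);
static const char *check_label(const char *);
static const char *check_idlecmd(const char *);
static const char *check_idletime(const char *);
static const char *check_auditflags(const char *);

/* Number of keys given a value through change_key(). */
int nkeys;

static ua_key_t keys[] = {
	/* First entry is always set correctly in main() */
	{ USERATTR_TYPE_KW,	check_type,	type },
	{ USERATTR_AUTHS_KW,	check_auth,	auth },
	{ USERATTR_PROFILES_KW,	check_prof,	prof },
	{ USERATTR_ROLES_KW,	check_role,	role },
	{ USERATTR_DEFAULTPROJ_KW,	check_proj,	proj },
	{ USERATTR_LIMPRIV_KW,	check_privset,	priv },
	{ USERATTR_DFLTPRIV_KW,	check_privset,	priv },
	{ USERATTR_LOCK_AFTER_RETRIES_KW, check_lock_after_retries,  lock },
	{ USERATTR_CLEARANCE,	check_label,	label },
	{ USERATTR_MINLABEL,	check_label,	label },
	{ USERATTR_IDLECMD_KW,	check_idlecmd,	idlecmd },
	{ USERATTR_IDLETIME_KW,	check_idletime,	idletime },
	{ USERATTR_AUDIT_FLAGS_KW, check_auditflags, auditflags },
};

#define	NKEYS	(sizeof (keys)/sizeof (ua_key_t))

/*
 * Record a new value for a user_attr key.  Two call sequences are handled:
 *
 *	key, value	- key with option letter, value.
 *	NULL, value	- -K key=value option.
 *
 * In the second form the "key=value" string is split in place: the '='
 * is overwritten with a NUL, so the caller's buffer is modified.  In both
 * forms the value is stored by reference, not copied, so the caller must
 * keep it alive for as long as the key table is used.
 *
 * Every failure is fatal: a missing '=', an unknown key, a key given
 * twice, or a value rejected by the key's validator all print a message
 * and exit with EX_BADARG.
 */

void
change_key(const char *key, char *value)
{
	int i;
	const char *res;

	if (key == NULL) {
		key = value;
		value = strchr(value, '=');
		/* Bad value */
		if (value == NULL) {
			errmsg(M_INVALID_VALUE);
			exit(EX_BADARG);
		}
		*value++ = '\0';
	}

	for (i = 0; i < NKEYS; i++) {
		if (strcmp(key, keys[i].key) == 0) {
			if (keys[i].newvalue != NULL) {
				/* Can't set a value twice */
				errmsg(M_REDEFINED_KEY, key);
				exit(EX_BADARG);
			}

			/*
			 * The validator runs before the value is stored, so
			 * nothing unvalidated ever reaches the key table
			 * through this path.
			 */
			if (keys[i].check != NULL &&
			    (res = keys[i].check(value)) != NULL) {
				errmsg(M_INVALID, res, keys[i].errstr);
				exit(EX_BADARG);
			}
			keys[i].newvalue = value;
			nkeys++;
			return;
		}
	}
	errmsg(M_INVALID_KEY, key);
	exit(EX_BADARG);
}

/*
 * Add the keys to the argument vector.
 *
 * For every key that has a value, two entries are appended at *index:
 * the literal "-K" and a freshly allocated "key=value" string.  *index is
 * advanced past them.  The function has no way to know the size of argv,
 * so the caller must provide room for two entries per key that is set.
 * The allocated strings are handed over to argv and are not freed here.
 *
 * Allocation failure is fatal (M_NOSPACE, EX_FAILURE), matching the
 * handling used by the validators in this file.
 */
void
addkey_args(char **argv, int *index)
{
	int i;

	for (i = 0; i < NKEYS; i++) {
		const char *key = keys[i].key;
		char *val = keys[i].newvalue;
		size_t len;
		char *arg;

		if (val == NULL)
			continue;

		/* key + '=' + value + terminating NUL */
		len = strlen(key) + strlen(val) + 2;
		arg = malloc(len);
		if (arg == NULL) {
			/* Do not hand a NULL buffer to snprintf(). */
			errmsg(M_NOSPACE);
			exit(EX_FAILURE);
		}

		(void) snprintf(arg, len, "%s=%s", key, val);
		argv[(*index)++] = "-K";
		argv[(*index)++] = arg;
	}
}

/*
 * Propose a default value for a key and get the actual value back.
 * If the proposed default value is NULL, return the actual value set.
 * The key argument is the user_attr key.
 *
 * When the key has no value yet, dflt is stored as its value (by
 * reference) and returned; nkeys is not changed and the validator is not
 * run on dflt.  Returns NULL when the key is not in the table.
 */
char *
getsetdefval(const char *key, char *dflt)
{
	int i;

	for (i = 0; i < NKEYS; i++) {
		if (strcmp(keys[i].key, key) == 0) {
			if (keys[i].newvalue != NULL)
				return (keys[i].newvalue);
			else
				return (keys[i].newvalue = dflt);
		}
	}
	return (NULL);
}

/*
 * Derive the user type from the name the program was invoked as.
 *
 * Only the last path component of cmdname is considered.  If it starts
 * with CMD_PREFIX_USER the type is USERATTR_TYPE_NORMAL_KW, otherwise it
 * is USERATTR_TYPE_NONADMIN_KW.  The result lives in a static buffer that
 * is overwritten by the next call.
 */
char *
getusertype(char *cmdname)
{
	static char usertype[MAX_TYPE_LENGTH];
	char *cmd;

	if ((cmd = strrchr(cmdname, '/')) != NULL)
		++cmd;
	else
		cmd = cmdname;

	/*
	 * get user type based on the program name; the copy is bounded by
	 * the buffer size rather than relying on the keyword being shorter
	 * than MAX_TYPE_LENGTH.
	 */
	if (strncmp(cmd, CMD_PREFIX_USER,
	    strlen(CMD_PREFIX_USER)) == 0)
		(void) snprintf(usertype, sizeof (usertype), "%s",
		    USERATTR_TYPE_NORMAL_KW);
	else
		(void) snprintf(usertype, sizeof (usertype), "%s",
		    USERATTR_TYPE_NONADMIN_KW);

	return (usertype);
}

/*
 * Returns 1 if usertype is USERATTR_TYPE_NONADMIN_KW (a role), else 0.
 */
int
is_role(char *usertype)
{
	if (strcmp(usertype, USERATTR_TYPE_NONADMIN_KW) == 0)
		return (1);
	/* not a role */
	return (0);
}

/*
 * Verifies the provided list of authorizations are all valid.
 *
 * Returns NULL if all authorization names are valid.
 * Otherwise, returns the invalid authorization name
 *
 * An authorization is accepted only when all of the following hold for
 * the user running the command (looked up with getpwuid(getuid())):
 *
 *   - the invoking user has been granted the authorization itself;
 *   - after dropping any object suffix (KV_OBJECTCHAR onwards), the name
 *     contains a '.' and, unless its last component is KV_WILDCARD, it
 *     exists in auth_attr;
 *   - unless its last component is "grant", the invoking user holds a
 *     ".grant" authorization at this level or at some enclosing level of
 *     the name hierarchy, i.e. is allowed to delegate it.
 *
 * If the invoking user's passwd entry cannot be found, the first name in
 * the list is reported as invalid, so a non-empty list is never accepted
 * without the checks above.
 *
 * On failure the returned pointer refers into a private heap copy of the
 * list, which therefore cannot be freed here; the caller visible in this
 * file (change_key()) prints it and exits.
 */
static const char *
check_auth(const char *auths)
{
	char *authname;
	authattr_t *result;
	char *tmp;
	struct passwd *pw;
	int have_grant = 0;

	/* strtok() writes into its argument, so work on a copy. */
	tmp = strdup(auths);
	if (tmp == NULL) {
		errmsg(M_NOSPACE);
		exit(EX_FAILURE);
	}

	authname = strtok(tmp, AUTH_SEP);
	/*
	 * NOTE(review): getpwuid() returns a pointer to static storage;
	 * confirm that the chkauthattr()/getauthnam() calls below cannot
	 * invalidate pw->pw_name between iterations.
	 */
	pw = getpwuid(getuid());
	if (pw == NULL) {
		return (authname);
	}

	while (authname != NULL) {
		char *suffix;
		char *authtoks;

		/* Check if user has been granted this authorization */
		if (!chkauthattr(authname, pw->pw_name))
			return (authname);

		/* Remove named object after slash */
		if ((suffix = index(authname, KV_OBJECTCHAR)) != NULL)
			*suffix = '\0';

		/* Find the suffix */
		if ((suffix = rindex(authname, '.')) == NULL)
			return (authname);

		/* Check for existence in auth_attr */
		suffix++;
		if (strcmp(suffix, KV_WILDCARD)) { /* Not a wildcard */
			result = getauthnam(authname);
			if (result == NULL) {
				/* can't find the auth */
				return (authname);
			}
			free_authattr(result);
		}

		/* Check if user can delegate this authorization */
		if (strcmp(suffix, "grant")) { /* Not a grant option */
			/*
			 * Room for the name with its last component replaced
			 * by "grant": the replacement starts no later than
			 * the final character, so strlen + sizeof ("grant")
			 * always covers ".grant" plus the NUL.
			 */
			authtoks = malloc(strlen(authname) + sizeof ("grant"));
			if (authtoks == NULL) {
				errmsg(M_NOSPACE);
				exit(EX_FAILURE);
			}
			strcpy(authtoks, authname);
			have_grant = 0;
			/*
			 * Walk up the hierarchy: a.b.c -> a.b.grant ->
			 * a.grant, stopping at the first grant the user
			 * holds.
			 */
			while ((suffix = rindex(authtoks, '.')) &&
			    !have_grant) {
				strcpy(suffix, ".grant");
				if (chkauthattr(authtoks, pw->pw_name))
					have_grant = 1;
				else
					*suffix = '\0';
			}
			/* Scratch copy is no longer needed on either path. */
			free(authtoks);
			if (!have_grant)
				return (authname);
		}
		authname = strtok(NULL, AUTH_SEP);
	}
	free(tmp);
	return (NULL);
}

/*
 * Verifies the provided list of profile names are valid.
 *
 * Returns NULL if all profile names are valid.
 * Otherwise, returns the invalid profile name
 *
 * A name is valid when getprofnam() finds it.  On failure the returned
 * pointer refers into a private heap copy of the list that is left
 * allocated for the caller to report.
 */
static const char *
check_prof(const char *profs)
{
	char *profname;
	profattr_t *result;
	char *tmp;

	/* strtok() writes into its argument, so work on a copy. */
	tmp = strdup(profs);
	if (tmp == NULL) {
		errmsg(M_NOSPACE);
		exit(EX_FAILURE);
	}

	profname = strtok(tmp, PROF_SEP);
	while (profname != NULL) {
		result = getprofnam(profname);
		if (result == NULL) {
			/* can't find the profile */
			return (profname);
		}
		free_profattr(result);
		profname = strtok(NULL, PROF_SEP);
	}
	free(tmp);
	return (NULL);
}


/*
 * Verifies the provided list of role names are valid.
 *
 * Returns NULL if all role names are valid.
 * Otherwise, returns the invalid role name
 *
 * A name is valid when it has a user_attr entry whose type attribute is
 * exactly USERATTR_TYPE_NONADMIN_KW; an entry with no type attribute is
 * rejected.  On failure the returned pointer refers into a private heap
 * copy of the list that is left allocated for the caller to report.
 */
static const char *
check_role(const char *roles)
{
	char *rolename;
	userattr_t *result;
	char *utype;
	char *tmp;

	/* strtok() writes into its argument, so work on a copy. */
	tmp = strdup(roles);
	if (tmp == NULL) {
		errmsg(M_NOSPACE);
		exit(EX_FAILURE);
	}

	rolename = strtok(tmp, ROLE_SEP);
	while (rolename != NULL) {
		result = getusernam(rolename);
		if (result == NULL) {
			/* can't find the rolename */
			return (rolename);
		}
		/* Now, make sure it is a role */
		utype = kva_match(result->attr, USERATTR_TYPE_KW);
		if (utype == NULL) {
			/* no user type defined. not a role */
			free_userattr(result);
			return (rolename);
		}
		if (strcmp(utype, USERATTR_TYPE_NONADMIN_KW) != 0) {
			free_userattr(result);
			return (rolename);
		}
		free_userattr(result);
		rolename = strtok(NULL, ROLE_SEP);
	}
	free(tmp);
	return (NULL);
}

/*
 * Returns NULL if getprojidbyname() resolves the project name, otherwise
 * returns the name itself.
 */
static const char *
check_proj(const char *proj)
{
	if (getprojidbyname(proj) < 0) {
		return (proj);
	} else {
		return (NULL);
	}
}

/*
 * Returns NULL if pset parses as a comma separated privilege set.
 * Otherwise returns the position reported by priv_str_to_set(), or, when
 * it reports none, the strerror() text for errno.
 */
static const char *
check_privset(const char *pset)
{
	priv_set_t *tmp;
	const char *res;

	tmp = priv_str_to_set(pset, ",", &res);

	if (tmp != NULL) {
		/* Parsed fine; the set itself is not needed. */
		res = NULL;
		priv_freeset(tmp);
	} else if (res == NULL)
		res = strerror(errno);

	return (res);
}

/*
 * Returns NULL if type is one of the two known user type keywords
 * (USERATTR_TYPE_NONADMIN_KW or USERATTR_TYPE_NORMAL_KW), otherwise
 * returns type.
 */
static const char *
check_type(const char *type)
{
	if (strcmp(type, USERATTR_TYPE_NONADMIN_KW) != 0 &&
	    strcmp(type, USERATTR_TYPE_NORMAL_KW) != 0)
		return (type);

	return (NULL);
}

/*
 * Accepts NULL, the empty string, "yes" and "no" (compared without
 * regard to case).  Any other value is returned as invalid.
 */
static const char *
check_lock_after_retries(const char *keyval)
{
	if (keyval != NULL) {
		if ((strcasecmp(keyval, "no") != 0) &&
		    (strcasecmp(keyval, "yes") != 0) &&
		    (*keyval != '\0')) {
			return (keyval);
		}
	}
	return (NULL);
}

/*
 * Returns NULL if labelstr converts to a MAC label with no correction
 * applied (L_NO_CORRECTION), otherwise returns labelstr.
 *
 * On a system where is_system_labeled() is false no validation is done
 * at all: every string is accepted.
 */
static const char *
check_label(const char *labelstr)
{
	int	err;
	m_label_t *lbl = NULL;

	if (!is_system_labeled())
		return (NULL);

	/* Only the conversion status matters; the label is discarded. */
	err = str_to_label(labelstr, &lbl, MAC_LABEL, L_NO_CORRECTION, NULL);
	m_label_free(lbl);

	if (err == -1)
		return (labelstr);

	return (NULL);
}

/*
 * Returns NULL if cmd is exactly USERATTR_IDLECMD_LOCK_KW or
 * USERATTR_IDLECMD_LOGOUT_KW, otherwise returns cmd.
 */
static const char *
check_idlecmd(const char *cmd)
{
	if ((strcmp(cmd, USERATTR_IDLECMD_LOCK_KW) != 0) &&
	    (strcmp(cmd, USERATTR_IDLECMD_LOGOUT_KW) != 0)) {
		return (cmd);
	}

	return (NULL);
}

/*
 * Returns NULL if time consists only of decimal digits, otherwise
 * returns time.  The empty string is accepted, and no upper bound is
 * applied to the number.
 */
static const char *
check_idletime(const char *time)
{
	int		c;
	/* unsigned char so that isdigit() never sees a negative value */
	const unsigned char *up = (const unsigned char *)time;

	c = *up;
	while (c != '\0') {
		if (!isdigit(c))
			return (time);
		c = *++up;
	}

	return (NULL);
}

/*
 * Validates an audit_flags value: two flag lists (always-audit and
 * never-audit) separated by KV_AUDIT_DELIMIT.
 *
 * Returns NULL if the value is empty (used to delete audit_flags) or both
 * lists are accepted by __chkflags() and nothing follows the second one.
 * Otherwise returns a message naming the rejected mask; it is built in
 * the static auditerr buffer and so is overwritten by the next call.
 *
 * NOTE(review): _strdup_null(), _strtok_escape() and __chkflags() are
 * private interfaces whose contracts are not visible in this file; the
 * description above assumes _strtok_escape() leaves `last' non-NULL when
 * input remains -- confirm against their implementation.
 */
static const char *
check_auditflags(const char *auditflags)
{
	au_mask_t mask;
	char	*flags;
	char	*last = NULL;
	char	*err = "NULL";

	/* if deleting audit_flags */
	if (*auditflags == '\0') {
		return (NULL);
	}

	/* The tokenizer is given a private copy of the value. */
	if ((flags = _strdup_null((char *)auditflags)) == NULL) {
		errmsg(M_NOSPACE);
		exit(EX_FAILURE);
	}

	if (!__chkflags(_strtok_escape(flags, KV_AUDIT_DELIMIT, &last), &mask,
	    B_FALSE, &err)) {
		(void) snprintf(auditerr, sizeof (auditerr),
		    "always mask \"%s\"", err);
		free(flags);
		return (auditerr);
	}
	if (!__chkflags(_strtok_escape(NULL, KV_AUDIT_DELIMIT, &last), &mask,
	    B_FALSE, &err)) {
		(void) snprintf(auditerr, sizeof (auditerr),
		    "never mask \"%s\"", err);
		free(flags);
		return (auditerr);
	}
	/* Anything left after the second list makes the value malformed. */
	if (last != NULL) {
		(void) snprintf(auditerr, sizeof (auditerr), "\"%s\"",
		    auditflags);
		free(flags);
		return (auditerr);
	}
	free(flags);

	return (NULL);
}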