17c478bd9Sstevel@tonic-gate /* 27c478bd9Sstevel@tonic-gate * CDDL HEADER START 37c478bd9Sstevel@tonic-gate * 47c478bd9Sstevel@tonic-gate * The contents of this file are subject to the terms of the 53bf5ae9eSrica * Common Development and Distribution License (the "License"). 63bf5ae9eSrica * You may not use this file except in compliance with the License. 77c478bd9Sstevel@tonic-gate * 87c478bd9Sstevel@tonic-gate * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 97c478bd9Sstevel@tonic-gate * or http://www.opensolaris.org/os/licensing. 107c478bd9Sstevel@tonic-gate * See the License for the specific language governing permissions 117c478bd9Sstevel@tonic-gate * and limitations under the License. 127c478bd9Sstevel@tonic-gate * 137c478bd9Sstevel@tonic-gate * When distributing Covered Code, include this CDDL HEADER in each 147c478bd9Sstevel@tonic-gate * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 157c478bd9Sstevel@tonic-gate * If applicable, add the following below this CDDL HEADER, with the 167c478bd9Sstevel@tonic-gate * fields enclosed by brackets "[]" replaced with your own identifying 177c478bd9Sstevel@tonic-gate * information: Portions Copyright [yyyy] [name of copyright owner] 187c478bd9Sstevel@tonic-gate * 197c478bd9Sstevel@tonic-gate * CDDL HEADER END 207c478bd9Sstevel@tonic-gate */ 217c478bd9Sstevel@tonic-gate /* 22*cb8a054bSGlenn Faden * Copyright (c) 2006, 2010, Oracle and/or its affiliates. All rights reserved. 237c478bd9Sstevel@tonic-gate */ 247c478bd9Sstevel@tonic-gate 257c478bd9Sstevel@tonic-gate #include <stdio.h> 267c478bd9Sstevel@tonic-gate #include <stdlib.h> 277c478bd9Sstevel@tonic-gate #include <strings.h> 287c478bd9Sstevel@tonic-gate #include <auth_attr.h> 297c478bd9Sstevel@tonic-gate #include <prof_attr.h> 307c478bd9Sstevel@tonic-gate #include <user_attr.h> 317c478bd9Sstevel@tonic-gate #include <project.h> 327c478bd9Sstevel@tonic-gate #include <secdb.h> 337c478bd9Sstevel@tonic-gate #include <pwd.h> 347c478bd9Sstevel@tonic-gate #include <unistd.h> 357c478bd9Sstevel@tonic-gate #include <priv.h> 367c478bd9Sstevel@tonic-gate #include <errno.h> 373bf5ae9eSrica #include <ctype.h> 383bf5ae9eSrica #include <tsol/label.h> 397c478bd9Sstevel@tonic-gate #include "funcs.h" 407c478bd9Sstevel@tonic-gate #include "messages.h" 417c478bd9Sstevel@tonic-gate #include "userdefs.h" 427c478bd9Sstevel@tonic-gate 437c478bd9Sstevel@tonic-gate typedef struct ua_key { 447c478bd9Sstevel@tonic-gate const char *key; 457c478bd9Sstevel@tonic-gate const char *(*check)(const char *); 467c478bd9Sstevel@tonic-gate const char *errstr; 477c478bd9Sstevel@tonic-gate char *newvalue; 487c478bd9Sstevel@tonic-gate } ua_key_t; 497c478bd9Sstevel@tonic-gate 507c478bd9Sstevel@tonic-gate static const char role[] = "role name"; 517c478bd9Sstevel@tonic-gate static const char prof[] = "profile name"; 527c478bd9Sstevel@tonic-gate static const char proj[] = "project name"; 537c478bd9Sstevel@tonic-gate static const char priv[] = "privilege set"; 547c478bd9Sstevel@tonic-gate static const char auth[] = "authorization"; 557c478bd9Sstevel@tonic-gate static const char type[] = "user type"; 567c478bd9Sstevel@tonic-gate static const char lock[] = "lock_after_retries value"; 573bf5ae9eSrica static const char label[] = "label"; 583bf5ae9eSrica static const char idlecmd[] = "idlecmd value"; 593bf5ae9eSrica static const char idletime[] = "idletime value"; 607c478bd9Sstevel@tonic-gate 617c478bd9Sstevel@tonic-gate 627c478bd9Sstevel@tonic-gate static const char *check_auth(const char *); 637c478bd9Sstevel@tonic-gate static const char *check_prof(const char *); 647c478bd9Sstevel@tonic-gate static const char *check_role(const char *); 657c478bd9Sstevel@tonic-gate static const char *check_proj(const char *); 667c478bd9Sstevel@tonic-gate static const char *check_privset(const char *); 677c478bd9Sstevel@tonic-gate static const char *check_type(const char *); 687c478bd9Sstevel@tonic-gate static const char *check_lock_after_retries(const char *); 693bf5ae9eSrica static const char *check_label(const char *); 703bf5ae9eSrica static const char *check_idlecmd(const char *); 713bf5ae9eSrica static const char *check_idletime(const char *); 727c478bd9Sstevel@tonic-gate 737c478bd9Sstevel@tonic-gate int nkeys; 747c478bd9Sstevel@tonic-gate 757c478bd9Sstevel@tonic-gate static ua_key_t keys[] = { 767c478bd9Sstevel@tonic-gate /* First entry is always set correctly in main() */ 777c478bd9Sstevel@tonic-gate { USERATTR_TYPE_KW, check_type, type }, 787c478bd9Sstevel@tonic-gate { USERATTR_AUTHS_KW, check_auth, auth }, 797c478bd9Sstevel@tonic-gate { USERATTR_PROFILES_KW, check_prof, prof }, 807c478bd9Sstevel@tonic-gate { USERATTR_ROLES_KW, check_role, role }, 817c478bd9Sstevel@tonic-gate { USERATTR_DEFAULTPROJ_KW, check_proj, proj }, 827c478bd9Sstevel@tonic-gate { USERATTR_LIMPRIV_KW, check_privset, priv }, 837c478bd9Sstevel@tonic-gate { USERATTR_DFLTPRIV_KW, check_privset, priv }, 847c478bd9Sstevel@tonic-gate { USERATTR_LOCK_AFTER_RETRIES_KW, check_lock_after_retries, lock }, 853bf5ae9eSrica { USERATTR_CLEARANCE, check_label, label }, 863bf5ae9eSrica { USERATTR_MINLABEL, check_label, label }, 873bf5ae9eSrica { USERATTR_IDLECMD_KW, check_idlecmd, idlecmd }, 883bf5ae9eSrica { USERATTR_IDLETIME_KW, check_idletime, idletime }, 897c478bd9Sstevel@tonic-gate }; 907c478bd9Sstevel@tonic-gate 917c478bd9Sstevel@tonic-gate #define NKEYS (sizeof (keys)/sizeof (ua_key_t)) 927c478bd9Sstevel@tonic-gate 937c478bd9Sstevel@tonic-gate /* 947c478bd9Sstevel@tonic-gate * Change a key, there are three different call sequences: 957c478bd9Sstevel@tonic-gate * 967c478bd9Sstevel@tonic-gate * key, value - key with option letter, value. 977c478bd9Sstevel@tonic-gate * NULL, value - -K key=value option. 987c478bd9Sstevel@tonic-gate */ 997c478bd9Sstevel@tonic-gate 1007c478bd9Sstevel@tonic-gate void 1017c478bd9Sstevel@tonic-gate change_key(const char *key, char *value) 1027c478bd9Sstevel@tonic-gate { 1037c478bd9Sstevel@tonic-gate int i; 1047c478bd9Sstevel@tonic-gate const char *res; 1057c478bd9Sstevel@tonic-gate 1067c478bd9Sstevel@tonic-gate if (key == NULL) { 1077c478bd9Sstevel@tonic-gate key = value; 1087c478bd9Sstevel@tonic-gate value = strchr(value, '='); 1097c478bd9Sstevel@tonic-gate /* Bad value */ 1107c478bd9Sstevel@tonic-gate if (value == NULL) { 1117c478bd9Sstevel@tonic-gate errmsg(M_INVALID_VALUE); 1127c478bd9Sstevel@tonic-gate exit(EX_BADARG); 1137c478bd9Sstevel@tonic-gate } 1147c478bd9Sstevel@tonic-gate *value++ = '\0'; 1157c478bd9Sstevel@tonic-gate } 1167c478bd9Sstevel@tonic-gate 1177c478bd9Sstevel@tonic-gate for (i = 0; i < NKEYS; i++) { 1187c478bd9Sstevel@tonic-gate if (strcmp(key, keys[i].key) == 0) { 1197c478bd9Sstevel@tonic-gate if (keys[i].newvalue != NULL) { 1207c478bd9Sstevel@tonic-gate /* Can't set a value twice */ 1217c478bd9Sstevel@tonic-gate errmsg(M_REDEFINED_KEY, key); 1227c478bd9Sstevel@tonic-gate exit(EX_BADARG); 1237c478bd9Sstevel@tonic-gate } 1247c478bd9Sstevel@tonic-gate 1257c478bd9Sstevel@tonic-gate if (keys[i].check != NULL && 1267c478bd9Sstevel@tonic-gate (res = keys[i].check(value)) != NULL) { 1277c478bd9Sstevel@tonic-gate errmsg(M_INVALID, res, keys[i].errstr); 1287c478bd9Sstevel@tonic-gate exit(EX_BADARG); 1297c478bd9Sstevel@tonic-gate } 1307c478bd9Sstevel@tonic-gate keys[i].newvalue = value; 1317c478bd9Sstevel@tonic-gate nkeys++; 1327c478bd9Sstevel@tonic-gate return; 1337c478bd9Sstevel@tonic-gate } 1347c478bd9Sstevel@tonic-gate } 1357c478bd9Sstevel@tonic-gate errmsg(M_INVALID_KEY, key); 1367c478bd9Sstevel@tonic-gate exit(EX_BADARG); 1377c478bd9Sstevel@tonic-gate } 1387c478bd9Sstevel@tonic-gate 1397c478bd9Sstevel@tonic-gate /* 1407c478bd9Sstevel@tonic-gate * Add the keys to the argument vector. 1417c478bd9Sstevel@tonic-gate */ 1427c478bd9Sstevel@tonic-gate void 1437c478bd9Sstevel@tonic-gate addkey_args(char **argv, int *index) 1447c478bd9Sstevel@tonic-gate { 1457c478bd9Sstevel@tonic-gate int i; 1467c478bd9Sstevel@tonic-gate 1477c478bd9Sstevel@tonic-gate for (i = 0; i < NKEYS; i++) { 1487c478bd9Sstevel@tonic-gate const char *key = keys[i].key; 1497c478bd9Sstevel@tonic-gate char *val = keys[i].newvalue; 1507c478bd9Sstevel@tonic-gate size_t len; 1517c478bd9Sstevel@tonic-gate char *arg; 1527c478bd9Sstevel@tonic-gate 1537c478bd9Sstevel@tonic-gate if (val == NULL) 1547c478bd9Sstevel@tonic-gate continue; 1557c478bd9Sstevel@tonic-gate 1567c478bd9Sstevel@tonic-gate len = strlen(key) + strlen(val) + 2; 1577c478bd9Sstevel@tonic-gate arg = malloc(len); 1587c478bd9Sstevel@tonic-gate 1597c478bd9Sstevel@tonic-gate (void) snprintf(arg, len, "%s=%s", key, val); 1607c478bd9Sstevel@tonic-gate argv[(*index)++] = "-K"; 1617c478bd9Sstevel@tonic-gate argv[(*index)++] = arg; 1627c478bd9Sstevel@tonic-gate } 1637c478bd9Sstevel@tonic-gate } 1647c478bd9Sstevel@tonic-gate 1657c478bd9Sstevel@tonic-gate /* 1667c478bd9Sstevel@tonic-gate * Propose a default value for a key and get the actual value back. 1677c478bd9Sstevel@tonic-gate * If the proposed default value is NULL, return the actual value set. 1687c478bd9Sstevel@tonic-gate * The key argument is the user_attr key. 1697c478bd9Sstevel@tonic-gate */ 1707c478bd9Sstevel@tonic-gate char * 1717c478bd9Sstevel@tonic-gate getsetdefval(const char *key, char *dflt) 1727c478bd9Sstevel@tonic-gate { 1737c478bd9Sstevel@tonic-gate int i; 1747c478bd9Sstevel@tonic-gate 1757c478bd9Sstevel@tonic-gate for (i = 0; i < NKEYS; i++) 1767c478bd9Sstevel@tonic-gate if (strcmp(keys[i].key, key) == 0) 1777c478bd9Sstevel@tonic-gate if (keys[i].newvalue != NULL) 1787c478bd9Sstevel@tonic-gate return (keys[i].newvalue); 1797c478bd9Sstevel@tonic-gate else 1807c478bd9Sstevel@tonic-gate return (keys[i].newvalue = dflt); 1817c478bd9Sstevel@tonic-gate return (NULL); 1827c478bd9Sstevel@tonic-gate } 1837c478bd9Sstevel@tonic-gate 1847c478bd9Sstevel@tonic-gate char * 1857c478bd9Sstevel@tonic-gate getusertype(char *cmdname) 1867c478bd9Sstevel@tonic-gate { 1877c478bd9Sstevel@tonic-gate static char usertype[MAX_TYPE_LENGTH]; 1887c478bd9Sstevel@tonic-gate char *cmd; 1897c478bd9Sstevel@tonic-gate 1907c478bd9Sstevel@tonic-gate if (cmd = strrchr(cmdname, '/')) 1917c478bd9Sstevel@tonic-gate ++cmd; 1927c478bd9Sstevel@tonic-gate else 1937c478bd9Sstevel@tonic-gate cmd = cmdname; 1947c478bd9Sstevel@tonic-gate 1957c478bd9Sstevel@tonic-gate /* get user type based on the program name */ 1967c478bd9Sstevel@tonic-gate if (strncmp(cmd, CMD_PREFIX_USER, 1977c478bd9Sstevel@tonic-gate strlen(CMD_PREFIX_USER)) == 0) 1987c478bd9Sstevel@tonic-gate strcpy(usertype, USERATTR_TYPE_NORMAL_KW); 1997c478bd9Sstevel@tonic-gate else 2007c478bd9Sstevel@tonic-gate strcpy(usertype, USERATTR_TYPE_NONADMIN_KW); 2017c478bd9Sstevel@tonic-gate 2027c478bd9Sstevel@tonic-gate return (usertype); 2037c478bd9Sstevel@tonic-gate } 2047c478bd9Sstevel@tonic-gate 2057c478bd9Sstevel@tonic-gate int 2067c478bd9Sstevel@tonic-gate is_role(char *usertype) 2077c478bd9Sstevel@tonic-gate { 2087c478bd9Sstevel@tonic-gate if (strcmp(usertype, USERATTR_TYPE_NONADMIN_KW) == 0) 2097c478bd9Sstevel@tonic-gate return (1); 2107c478bd9Sstevel@tonic-gate /* not a role */ 2117c478bd9Sstevel@tonic-gate return (0); 2127c478bd9Sstevel@tonic-gate } 2137c478bd9Sstevel@tonic-gate 2147c478bd9Sstevel@tonic-gate /* 2157c478bd9Sstevel@tonic-gate * Verifies the provided list of authorizations are all valid. 2167c478bd9Sstevel@tonic-gate * 2177c478bd9Sstevel@tonic-gate * Returns NULL if all authorization names are valid. 2187c478bd9Sstevel@tonic-gate * Otherwise, returns the invalid authorization name 2197c478bd9Sstevel@tonic-gate * 2207c478bd9Sstevel@tonic-gate */ 2217c478bd9Sstevel@tonic-gate static const char * 2227c478bd9Sstevel@tonic-gate check_auth(const char *auths) 2237c478bd9Sstevel@tonic-gate { 2247c478bd9Sstevel@tonic-gate char *authname; 2257c478bd9Sstevel@tonic-gate authattr_t *result; 2267c478bd9Sstevel@tonic-gate char *tmp; 2277c478bd9Sstevel@tonic-gate struct passwd *pw; 2287c478bd9Sstevel@tonic-gate int have_grant = 0; 2297c478bd9Sstevel@tonic-gate 2307c478bd9Sstevel@tonic-gate tmp = strdup(auths); 231*cb8a054bSGlenn Faden if (tmp == NULL) { 232*cb8a054bSGlenn Faden errmsg(M_NOSPACE); 233*cb8a054bSGlenn Faden exit(EX_FAILURE); 234*cb8a054bSGlenn Faden } 2357c478bd9Sstevel@tonic-gate 2367c478bd9Sstevel@tonic-gate authname = strtok(tmp, AUTH_SEP); 2377c478bd9Sstevel@tonic-gate pw = getpwuid(getuid()); 2387c478bd9Sstevel@tonic-gate if (pw == NULL) { 2397c478bd9Sstevel@tonic-gate return (authname); 2407c478bd9Sstevel@tonic-gate } 2417c478bd9Sstevel@tonic-gate 2427c478bd9Sstevel@tonic-gate while (authname != NULL) { 2437c478bd9Sstevel@tonic-gate char *suffix; 2447c478bd9Sstevel@tonic-gate char *authtoks; 2457c478bd9Sstevel@tonic-gate 246*cb8a054bSGlenn Faden /* Check if user has been granted this authorization */ 247*cb8a054bSGlenn Faden if (!chkauthattr(authname, pw->pw_name)) 248*cb8a054bSGlenn Faden return (authname); 249*cb8a054bSGlenn Faden 250*cb8a054bSGlenn Faden /* Remove named object after slash */ 251*cb8a054bSGlenn Faden if ((suffix = index(authname, KV_OBJECTCHAR)) != NULL) 252*cb8a054bSGlenn Faden *suffix = '\0'; 253*cb8a054bSGlenn Faden 2547c478bd9Sstevel@tonic-gate /* Find the suffix */ 2557c478bd9Sstevel@tonic-gate if ((suffix = rindex(authname, '.')) == NULL) 2567c478bd9Sstevel@tonic-gate return (authname); 2577c478bd9Sstevel@tonic-gate 2587c478bd9Sstevel@tonic-gate /* Check for existence in auth_attr */ 2597c478bd9Sstevel@tonic-gate suffix++; 2607c478bd9Sstevel@tonic-gate if (strcmp(suffix, KV_WILDCARD)) { /* Not a wildcard */ 2617c478bd9Sstevel@tonic-gate result = getauthnam(authname); 2627c478bd9Sstevel@tonic-gate if (result == NULL) { 2637c478bd9Sstevel@tonic-gate /* can't find the auth */ 2647c478bd9Sstevel@tonic-gate free_authattr(result); 2657c478bd9Sstevel@tonic-gate return (authname); 2667c478bd9Sstevel@tonic-gate } 2677c478bd9Sstevel@tonic-gate free_authattr(result); 2687c478bd9Sstevel@tonic-gate } 2697c478bd9Sstevel@tonic-gate 2707c478bd9Sstevel@tonic-gate /* Check if user can delegate this authorization */ 2717c478bd9Sstevel@tonic-gate if (strcmp(suffix, "grant")) { /* Not a grant option */ 2727c478bd9Sstevel@tonic-gate authtoks = malloc(strlen(authname) + sizeof ("grant")); 2737c478bd9Sstevel@tonic-gate strcpy(authtoks, authname); 2747c478bd9Sstevel@tonic-gate have_grant = 0; 2757c478bd9Sstevel@tonic-gate while ((suffix = rindex(authtoks, '.')) && 2767c478bd9Sstevel@tonic-gate !have_grant) { 2777c478bd9Sstevel@tonic-gate strcpy(suffix, ".grant"); 2787c478bd9Sstevel@tonic-gate if (chkauthattr(authtoks, pw->pw_name)) 2797c478bd9Sstevel@tonic-gate have_grant = 1; 2807c478bd9Sstevel@tonic-gate else 2817c478bd9Sstevel@tonic-gate *suffix = '\0'; 2827c478bd9Sstevel@tonic-gate } 2837c478bd9Sstevel@tonic-gate if (!have_grant) 2847c478bd9Sstevel@tonic-gate return (authname); 2857c478bd9Sstevel@tonic-gate } 2867c478bd9Sstevel@tonic-gate authname = strtok(NULL, AUTH_SEP); 2877c478bd9Sstevel@tonic-gate } 288*cb8a054bSGlenn Faden free(tmp); 2897c478bd9Sstevel@tonic-gate return (NULL); 2907c478bd9Sstevel@tonic-gate } 2917c478bd9Sstevel@tonic-gate 2927c478bd9Sstevel@tonic-gate /* 2937c478bd9Sstevel@tonic-gate * Verifies the provided list of profile names are valid. 2947c478bd9Sstevel@tonic-gate * 2957c478bd9Sstevel@tonic-gate * Returns NULL if all profile names are valid. 2967c478bd9Sstevel@tonic-gate * Otherwise, returns the invalid profile name 2977c478bd9Sstevel@tonic-gate * 2987c478bd9Sstevel@tonic-gate */ 2997c478bd9Sstevel@tonic-gate static const char * 3007c478bd9Sstevel@tonic-gate check_prof(const char *profs) 3017c478bd9Sstevel@tonic-gate { 3027c478bd9Sstevel@tonic-gate char *profname; 3037c478bd9Sstevel@tonic-gate profattr_t *result; 3047c478bd9Sstevel@tonic-gate char *tmp; 3057c478bd9Sstevel@tonic-gate 3067c478bd9Sstevel@tonic-gate tmp = strdup(profs); 307*cb8a054bSGlenn Faden if (tmp == NULL) { 308*cb8a054bSGlenn Faden errmsg(M_NOSPACE); 309*cb8a054bSGlenn Faden exit(EX_FAILURE); 310*cb8a054bSGlenn Faden } 3117c478bd9Sstevel@tonic-gate 3127c478bd9Sstevel@tonic-gate profname = strtok(tmp, PROF_SEP); 3137c478bd9Sstevel@tonic-gate while (profname != NULL) { 3147c478bd9Sstevel@tonic-gate result = getprofnam(profname); 3157c478bd9Sstevel@tonic-gate if (result == NULL) { 3167c478bd9Sstevel@tonic-gate /* can't find the profile */ 3177c478bd9Sstevel@tonic-gate return (profname); 3187c478bd9Sstevel@tonic-gate } 3197c478bd9Sstevel@tonic-gate free_profattr(result); 3207c478bd9Sstevel@tonic-gate profname = strtok(NULL, PROF_SEP); 3217c478bd9Sstevel@tonic-gate } 322*cb8a054bSGlenn Faden free(tmp); 3237c478bd9Sstevel@tonic-gate return (NULL); 3247c478bd9Sstevel@tonic-gate } 3257c478bd9Sstevel@tonic-gate 3267c478bd9Sstevel@tonic-gate 3277c478bd9Sstevel@tonic-gate /* 3287c478bd9Sstevel@tonic-gate * Verifies the provided list of role names are valid. 3297c478bd9Sstevel@tonic-gate * 3307c478bd9Sstevel@tonic-gate * Returns NULL if all role names are valid. 3317c478bd9Sstevel@tonic-gate * Otherwise, returns the invalid role name 3327c478bd9Sstevel@tonic-gate * 3337c478bd9Sstevel@tonic-gate */ 3347c478bd9Sstevel@tonic-gate static const char * 3357c478bd9Sstevel@tonic-gate check_role(const char *roles) 3367c478bd9Sstevel@tonic-gate { 3377c478bd9Sstevel@tonic-gate char *rolename; 3387c478bd9Sstevel@tonic-gate userattr_t *result; 3397c478bd9Sstevel@tonic-gate char *utype; 3407c478bd9Sstevel@tonic-gate char *tmp; 3417c478bd9Sstevel@tonic-gate 3427c478bd9Sstevel@tonic-gate tmp = strdup(roles); 343*cb8a054bSGlenn Faden if (tmp == NULL) { 344*cb8a054bSGlenn Faden errmsg(M_NOSPACE); 345*cb8a054bSGlenn Faden exit(EX_FAILURE); 346*cb8a054bSGlenn Faden } 3477c478bd9Sstevel@tonic-gate 3487c478bd9Sstevel@tonic-gate rolename = strtok(tmp, ROLE_SEP); 3497c478bd9Sstevel@tonic-gate while (rolename != NULL) { 3507c478bd9Sstevel@tonic-gate result = getusernam(rolename); 3517c478bd9Sstevel@tonic-gate if (result == NULL) { 3527c478bd9Sstevel@tonic-gate /* can't find the rolename */ 3537c478bd9Sstevel@tonic-gate return (rolename); 3547c478bd9Sstevel@tonic-gate } 3557c478bd9Sstevel@tonic-gate /* Now, make sure it is a role */ 3567c478bd9Sstevel@tonic-gate utype = kva_match(result->attr, USERATTR_TYPE_KW); 3577c478bd9Sstevel@tonic-gate if (utype == NULL) { 3587c478bd9Sstevel@tonic-gate /* no user type defined. not a role */ 3597c478bd9Sstevel@tonic-gate free_userattr(result); 3607c478bd9Sstevel@tonic-gate return (rolename); 3617c478bd9Sstevel@tonic-gate } 3627c478bd9Sstevel@tonic-gate if (strcmp(utype, USERATTR_TYPE_NONADMIN_KW) != 0) { 3637c478bd9Sstevel@tonic-gate free_userattr(result); 3647c478bd9Sstevel@tonic-gate return (rolename); 3657c478bd9Sstevel@tonic-gate } 3667c478bd9Sstevel@tonic-gate free_userattr(result); 3677c478bd9Sstevel@tonic-gate rolename = strtok(NULL, ROLE_SEP); 3687c478bd9Sstevel@tonic-gate } 369*cb8a054bSGlenn Faden free(tmp); 3707c478bd9Sstevel@tonic-gate return (NULL); 3717c478bd9Sstevel@tonic-gate } 3727c478bd9Sstevel@tonic-gate 3737c478bd9Sstevel@tonic-gate static const char * 3747c478bd9Sstevel@tonic-gate check_proj(const char *proj) 3757c478bd9Sstevel@tonic-gate { 3767c478bd9Sstevel@tonic-gate if (getprojidbyname(proj) < 0) { 3777c478bd9Sstevel@tonic-gate return (proj); 3787c478bd9Sstevel@tonic-gate } else { 3797c478bd9Sstevel@tonic-gate return (NULL); 3807c478bd9Sstevel@tonic-gate } 3817c478bd9Sstevel@tonic-gate } 3827c478bd9Sstevel@tonic-gate 3837c478bd9Sstevel@tonic-gate static const char * 3847c478bd9Sstevel@tonic-gate check_privset(const char *pset) 3857c478bd9Sstevel@tonic-gate { 3867c478bd9Sstevel@tonic-gate priv_set_t *tmp; 3877c478bd9Sstevel@tonic-gate const char *res; 3887c478bd9Sstevel@tonic-gate 3897c478bd9Sstevel@tonic-gate tmp = priv_str_to_set(pset, ",", &res); 3907c478bd9Sstevel@tonic-gate 3917c478bd9Sstevel@tonic-gate if (tmp != NULL) { 3927c478bd9Sstevel@tonic-gate res = NULL; 3937c478bd9Sstevel@tonic-gate priv_freeset(tmp); 3947c478bd9Sstevel@tonic-gate } else if (res == NULL) 3957c478bd9Sstevel@tonic-gate res = strerror(errno); 3967c478bd9Sstevel@tonic-gate 3977c478bd9Sstevel@tonic-gate return (res); 3987c478bd9Sstevel@tonic-gate } 3997c478bd9Sstevel@tonic-gate 4007c478bd9Sstevel@tonic-gate static const char * 4017c478bd9Sstevel@tonic-gate check_type(const char *type) 4027c478bd9Sstevel@tonic-gate { 4037c478bd9Sstevel@tonic-gate if (strcmp(type, USERATTR_TYPE_NONADMIN_KW) != 0 && 4047c478bd9Sstevel@tonic-gate strcmp(type, USERATTR_TYPE_NORMAL_KW) != 0) 4057c478bd9Sstevel@tonic-gate return (type); 4067c478bd9Sstevel@tonic-gate 4077c478bd9Sstevel@tonic-gate return (NULL); 4087c478bd9Sstevel@tonic-gate } 4097c478bd9Sstevel@tonic-gate 4107c478bd9Sstevel@tonic-gate static const char * 4117c478bd9Sstevel@tonic-gate check_lock_after_retries(const char *keyval) 4127c478bd9Sstevel@tonic-gate { 4137c478bd9Sstevel@tonic-gate if (keyval != NULL) { 4147c478bd9Sstevel@tonic-gate if ((strcasecmp(keyval, "no") != 0) && 4157c478bd9Sstevel@tonic-gate (strcasecmp(keyval, "yes") != 0) && 4167c478bd9Sstevel@tonic-gate (*keyval != '\0')) { 4177c478bd9Sstevel@tonic-gate return (keyval); 4187c478bd9Sstevel@tonic-gate } 4197c478bd9Sstevel@tonic-gate } 4207c478bd9Sstevel@tonic-gate return (NULL); 4217c478bd9Sstevel@tonic-gate } 4223bf5ae9eSrica 4233bf5ae9eSrica static const char * 4243bf5ae9eSrica check_label(const char *labelstr) 4253bf5ae9eSrica { 4263bf5ae9eSrica int err; 4273bf5ae9eSrica m_label_t *lbl = NULL; 4283bf5ae9eSrica 4293bf5ae9eSrica if (!is_system_labeled()) 4303bf5ae9eSrica return (NULL); 4313bf5ae9eSrica 4323bf5ae9eSrica err = str_to_label(labelstr, &lbl, MAC_LABEL, L_NO_CORRECTION, NULL); 4333bf5ae9eSrica m_label_free(lbl); 4343bf5ae9eSrica 4353bf5ae9eSrica if (err == -1) 4363bf5ae9eSrica return (labelstr); 4373bf5ae9eSrica 4383bf5ae9eSrica return (NULL); 4393bf5ae9eSrica } 4403bf5ae9eSrica 4413bf5ae9eSrica static const char * 4423bf5ae9eSrica check_idlecmd(const char *cmd) 4433bf5ae9eSrica { 4443bf5ae9eSrica if ((strcmp(cmd, USERATTR_IDLECMD_LOCK_KW) != 0) && 4453bf5ae9eSrica (strcmp(cmd, USERATTR_IDLECMD_LOGOUT_KW) != 0)) { 4463bf5ae9eSrica return (cmd); 4473bf5ae9eSrica } 4483bf5ae9eSrica 4493bf5ae9eSrica return (NULL); 4503bf5ae9eSrica } 4513bf5ae9eSrica 4523bf5ae9eSrica static const char * 4533bf5ae9eSrica check_idletime(const char *time) 4543bf5ae9eSrica { 4553bf5ae9eSrica int c; 4563bf5ae9eSrica unsigned char *up = (unsigned char *)time; 4573bf5ae9eSrica 4583bf5ae9eSrica c = *up; 4593bf5ae9eSrica while (c != '\0') { 4603bf5ae9eSrica if (!isdigit(c)) 4613bf5ae9eSrica return (time); 4623bf5ae9eSrica c = *++up; 4633bf5ae9eSrica } 4643bf5ae9eSrica 4653bf5ae9eSrica return (NULL); 4663bf5ae9eSrica } 467