xref: /titanic_51/usr/src/cmd/oamuser/user/funcs.c (revision cb8a054b1ab30d5caa746e6c44f29d4c9d3071c1)
17c478bd9Sstevel@tonic-gate /*
27c478bd9Sstevel@tonic-gate  * CDDL HEADER START
37c478bd9Sstevel@tonic-gate  *
47c478bd9Sstevel@tonic-gate  * The contents of this file are subject to the terms of the
53bf5ae9eSrica  * Common Development and Distribution License (the "License").
63bf5ae9eSrica  * You may not use this file except in compliance with the License.
77c478bd9Sstevel@tonic-gate  *
87c478bd9Sstevel@tonic-gate  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
97c478bd9Sstevel@tonic-gate  * or http://www.opensolaris.org/os/licensing.
107c478bd9Sstevel@tonic-gate  * See the License for the specific language governing permissions
117c478bd9Sstevel@tonic-gate  * and limitations under the License.
127c478bd9Sstevel@tonic-gate  *
137c478bd9Sstevel@tonic-gate  * When distributing Covered Code, include this CDDL HEADER in each
147c478bd9Sstevel@tonic-gate  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
157c478bd9Sstevel@tonic-gate  * If applicable, add the following below this CDDL HEADER, with the
167c478bd9Sstevel@tonic-gate  * fields enclosed by brackets "[]" replaced with your own identifying
177c478bd9Sstevel@tonic-gate  * information: Portions Copyright [yyyy] [name of copyright owner]
187c478bd9Sstevel@tonic-gate  *
197c478bd9Sstevel@tonic-gate  * CDDL HEADER END
207c478bd9Sstevel@tonic-gate  */
217c478bd9Sstevel@tonic-gate /*
22*cb8a054bSGlenn Faden  * Copyright (c) 2006, 2010, Oracle and/or its affiliates. All rights reserved.
237c478bd9Sstevel@tonic-gate  */
247c478bd9Sstevel@tonic-gate 
257c478bd9Sstevel@tonic-gate #include <stdio.h>
267c478bd9Sstevel@tonic-gate #include <stdlib.h>
277c478bd9Sstevel@tonic-gate #include <strings.h>
287c478bd9Sstevel@tonic-gate #include <auth_attr.h>
297c478bd9Sstevel@tonic-gate #include <prof_attr.h>
307c478bd9Sstevel@tonic-gate #include <user_attr.h>
317c478bd9Sstevel@tonic-gate #include <project.h>
327c478bd9Sstevel@tonic-gate #include <secdb.h>
337c478bd9Sstevel@tonic-gate #include <pwd.h>
347c478bd9Sstevel@tonic-gate #include <unistd.h>
357c478bd9Sstevel@tonic-gate #include <priv.h>
367c478bd9Sstevel@tonic-gate #include <errno.h>
373bf5ae9eSrica #include <ctype.h>
383bf5ae9eSrica #include <tsol/label.h>
397c478bd9Sstevel@tonic-gate #include "funcs.h"
407c478bd9Sstevel@tonic-gate #include "messages.h"
417c478bd9Sstevel@tonic-gate #include "userdefs.h"
427c478bd9Sstevel@tonic-gate 
437c478bd9Sstevel@tonic-gate typedef struct ua_key {
447c478bd9Sstevel@tonic-gate 	const char	*key;
457c478bd9Sstevel@tonic-gate 	const char	*(*check)(const char *);
467c478bd9Sstevel@tonic-gate 	const char	*errstr;
477c478bd9Sstevel@tonic-gate 	char		*newvalue;
487c478bd9Sstevel@tonic-gate } ua_key_t;
497c478bd9Sstevel@tonic-gate 
507c478bd9Sstevel@tonic-gate static const char role[] = "role name";
517c478bd9Sstevel@tonic-gate static const char prof[] = "profile name";
527c478bd9Sstevel@tonic-gate static const char proj[] = "project name";
537c478bd9Sstevel@tonic-gate static const char priv[] = "privilege set";
547c478bd9Sstevel@tonic-gate static const char auth[] = "authorization";
557c478bd9Sstevel@tonic-gate static const char type[] = "user type";
567c478bd9Sstevel@tonic-gate static const char lock[] = "lock_after_retries value";
573bf5ae9eSrica static const char label[] = "label";
583bf5ae9eSrica static const char idlecmd[] = "idlecmd value";
593bf5ae9eSrica static const char idletime[] = "idletime value";
607c478bd9Sstevel@tonic-gate 
617c478bd9Sstevel@tonic-gate 
627c478bd9Sstevel@tonic-gate static const char *check_auth(const char *);
637c478bd9Sstevel@tonic-gate static const char *check_prof(const char *);
647c478bd9Sstevel@tonic-gate static const char *check_role(const char *);
657c478bd9Sstevel@tonic-gate static const char *check_proj(const char *);
667c478bd9Sstevel@tonic-gate static const char *check_privset(const char *);
677c478bd9Sstevel@tonic-gate static const char *check_type(const char *);
687c478bd9Sstevel@tonic-gate static const char *check_lock_after_retries(const char *);
693bf5ae9eSrica static const char *check_label(const char *);
703bf5ae9eSrica static const char *check_idlecmd(const char *);
713bf5ae9eSrica static const char *check_idletime(const char *);
727c478bd9Sstevel@tonic-gate 
737c478bd9Sstevel@tonic-gate int nkeys;
747c478bd9Sstevel@tonic-gate 
757c478bd9Sstevel@tonic-gate static ua_key_t keys[] = {
767c478bd9Sstevel@tonic-gate 	/* First entry is always set correctly in main() */
777c478bd9Sstevel@tonic-gate 	{ USERATTR_TYPE_KW,	check_type,	type },
787c478bd9Sstevel@tonic-gate 	{ USERATTR_AUTHS_KW,	check_auth,	auth },
797c478bd9Sstevel@tonic-gate 	{ USERATTR_PROFILES_KW,	check_prof,	prof },
807c478bd9Sstevel@tonic-gate 	{ USERATTR_ROLES_KW,	check_role,	role },
817c478bd9Sstevel@tonic-gate 	{ USERATTR_DEFAULTPROJ_KW,	check_proj,	proj },
827c478bd9Sstevel@tonic-gate 	{ USERATTR_LIMPRIV_KW,	check_privset,	priv },
837c478bd9Sstevel@tonic-gate 	{ USERATTR_DFLTPRIV_KW,	check_privset,	priv },
847c478bd9Sstevel@tonic-gate 	{ USERATTR_LOCK_AFTER_RETRIES_KW, check_lock_after_retries,  lock },
853bf5ae9eSrica 	{ USERATTR_CLEARANCE,	check_label,	label },
863bf5ae9eSrica 	{ USERATTR_MINLABEL,	check_label,	label },
873bf5ae9eSrica 	{ USERATTR_IDLECMD_KW,	check_idlecmd,	idlecmd },
883bf5ae9eSrica 	{ USERATTR_IDLETIME_KW,	check_idletime,	idletime },
897c478bd9Sstevel@tonic-gate };
907c478bd9Sstevel@tonic-gate 
917c478bd9Sstevel@tonic-gate #define	NKEYS	(sizeof (keys)/sizeof (ua_key_t))
927c478bd9Sstevel@tonic-gate 
937c478bd9Sstevel@tonic-gate /*
947c478bd9Sstevel@tonic-gate  * Change a key, there are three different call sequences:
957c478bd9Sstevel@tonic-gate  *
967c478bd9Sstevel@tonic-gate  *		key, value	- key with option letter, value.
977c478bd9Sstevel@tonic-gate  *		NULL, value	- -K key=value option.
987c478bd9Sstevel@tonic-gate  */
997c478bd9Sstevel@tonic-gate 
1007c478bd9Sstevel@tonic-gate void
1017c478bd9Sstevel@tonic-gate change_key(const char *key, char *value)
1027c478bd9Sstevel@tonic-gate {
1037c478bd9Sstevel@tonic-gate 	int i;
1047c478bd9Sstevel@tonic-gate 	const char *res;
1057c478bd9Sstevel@tonic-gate 
1067c478bd9Sstevel@tonic-gate 	if (key == NULL) {
1077c478bd9Sstevel@tonic-gate 		key = value;
1087c478bd9Sstevel@tonic-gate 		value = strchr(value, '=');
1097c478bd9Sstevel@tonic-gate 		/* Bad value */
1107c478bd9Sstevel@tonic-gate 		if (value == NULL) {
1117c478bd9Sstevel@tonic-gate 			errmsg(M_INVALID_VALUE);
1127c478bd9Sstevel@tonic-gate 			exit(EX_BADARG);
1137c478bd9Sstevel@tonic-gate 		}
1147c478bd9Sstevel@tonic-gate 		*value++ = '\0';
1157c478bd9Sstevel@tonic-gate 	}
1167c478bd9Sstevel@tonic-gate 
1177c478bd9Sstevel@tonic-gate 	for (i = 0; i < NKEYS; i++) {
1187c478bd9Sstevel@tonic-gate 		if (strcmp(key, keys[i].key) == 0) {
1197c478bd9Sstevel@tonic-gate 			if (keys[i].newvalue != NULL) {
1207c478bd9Sstevel@tonic-gate 				/* Can't set a value twice */
1217c478bd9Sstevel@tonic-gate 				errmsg(M_REDEFINED_KEY, key);
1227c478bd9Sstevel@tonic-gate 				exit(EX_BADARG);
1237c478bd9Sstevel@tonic-gate 			}
1247c478bd9Sstevel@tonic-gate 
1257c478bd9Sstevel@tonic-gate 			if (keys[i].check != NULL &&
1267c478bd9Sstevel@tonic-gate 			    (res = keys[i].check(value)) != NULL) {
1277c478bd9Sstevel@tonic-gate 				errmsg(M_INVALID, res, keys[i].errstr);
1287c478bd9Sstevel@tonic-gate 				exit(EX_BADARG);
1297c478bd9Sstevel@tonic-gate 			}
1307c478bd9Sstevel@tonic-gate 			keys[i].newvalue = value;
1317c478bd9Sstevel@tonic-gate 			nkeys++;
1327c478bd9Sstevel@tonic-gate 			return;
1337c478bd9Sstevel@tonic-gate 		}
1347c478bd9Sstevel@tonic-gate 	}
1357c478bd9Sstevel@tonic-gate 	errmsg(M_INVALID_KEY, key);
1367c478bd9Sstevel@tonic-gate 	exit(EX_BADARG);
1377c478bd9Sstevel@tonic-gate }
1387c478bd9Sstevel@tonic-gate 
1397c478bd9Sstevel@tonic-gate /*
1407c478bd9Sstevel@tonic-gate  * Add the keys to the argument vector.
1417c478bd9Sstevel@tonic-gate  */
1427c478bd9Sstevel@tonic-gate void
1437c478bd9Sstevel@tonic-gate addkey_args(char **argv, int *index)
1447c478bd9Sstevel@tonic-gate {
1457c478bd9Sstevel@tonic-gate 	int i;
1467c478bd9Sstevel@tonic-gate 
1477c478bd9Sstevel@tonic-gate 	for (i = 0; i < NKEYS; i++) {
1487c478bd9Sstevel@tonic-gate 		const char *key = keys[i].key;
1497c478bd9Sstevel@tonic-gate 		char *val = keys[i].newvalue;
1507c478bd9Sstevel@tonic-gate 		size_t len;
1517c478bd9Sstevel@tonic-gate 		char *arg;
1527c478bd9Sstevel@tonic-gate 
1537c478bd9Sstevel@tonic-gate 		if (val == NULL)
1547c478bd9Sstevel@tonic-gate 			continue;
1557c478bd9Sstevel@tonic-gate 
1567c478bd9Sstevel@tonic-gate 		len = strlen(key) + strlen(val) + 2;
1577c478bd9Sstevel@tonic-gate 		arg = malloc(len);
1587c478bd9Sstevel@tonic-gate 
1597c478bd9Sstevel@tonic-gate 		(void) snprintf(arg, len, "%s=%s", key, val);
1607c478bd9Sstevel@tonic-gate 		argv[(*index)++] = "-K";
1617c478bd9Sstevel@tonic-gate 		argv[(*index)++] = arg;
1627c478bd9Sstevel@tonic-gate 	}
1637c478bd9Sstevel@tonic-gate }
1647c478bd9Sstevel@tonic-gate 
1657c478bd9Sstevel@tonic-gate /*
1667c478bd9Sstevel@tonic-gate  * Propose a default value for a key and get the actual value back.
1677c478bd9Sstevel@tonic-gate  * If the proposed default value is NULL, return the actual value set.
1687c478bd9Sstevel@tonic-gate  * The key argument is the user_attr key.
1697c478bd9Sstevel@tonic-gate  */
1707c478bd9Sstevel@tonic-gate char *
1717c478bd9Sstevel@tonic-gate getsetdefval(const char *key, char *dflt)
1727c478bd9Sstevel@tonic-gate {
1737c478bd9Sstevel@tonic-gate 	int i;
1747c478bd9Sstevel@tonic-gate 
1757c478bd9Sstevel@tonic-gate 	for (i = 0; i < NKEYS; i++)
1767c478bd9Sstevel@tonic-gate 		if (strcmp(keys[i].key, key) == 0)
1777c478bd9Sstevel@tonic-gate 			if (keys[i].newvalue != NULL)
1787c478bd9Sstevel@tonic-gate 				return (keys[i].newvalue);
1797c478bd9Sstevel@tonic-gate 			else
1807c478bd9Sstevel@tonic-gate 				return (keys[i].newvalue = dflt);
1817c478bd9Sstevel@tonic-gate 	return (NULL);
1827c478bd9Sstevel@tonic-gate }
1837c478bd9Sstevel@tonic-gate 
1847c478bd9Sstevel@tonic-gate char *
1857c478bd9Sstevel@tonic-gate getusertype(char *cmdname)
1867c478bd9Sstevel@tonic-gate {
1877c478bd9Sstevel@tonic-gate 	static char usertype[MAX_TYPE_LENGTH];
1887c478bd9Sstevel@tonic-gate 	char *cmd;
1897c478bd9Sstevel@tonic-gate 
1907c478bd9Sstevel@tonic-gate 	if (cmd = strrchr(cmdname, '/'))
1917c478bd9Sstevel@tonic-gate 		++cmd;
1927c478bd9Sstevel@tonic-gate 	else
1937c478bd9Sstevel@tonic-gate 		cmd = cmdname;
1947c478bd9Sstevel@tonic-gate 
1957c478bd9Sstevel@tonic-gate 	/* get user type based on the program name */
1967c478bd9Sstevel@tonic-gate 	if (strncmp(cmd, CMD_PREFIX_USER,
1977c478bd9Sstevel@tonic-gate 	    strlen(CMD_PREFIX_USER)) == 0)
1987c478bd9Sstevel@tonic-gate 		strcpy(usertype, USERATTR_TYPE_NORMAL_KW);
1997c478bd9Sstevel@tonic-gate 	else
2007c478bd9Sstevel@tonic-gate 		strcpy(usertype, USERATTR_TYPE_NONADMIN_KW);
2017c478bd9Sstevel@tonic-gate 
2027c478bd9Sstevel@tonic-gate 	return (usertype);
2037c478bd9Sstevel@tonic-gate }
2047c478bd9Sstevel@tonic-gate 
2057c478bd9Sstevel@tonic-gate int
2067c478bd9Sstevel@tonic-gate is_role(char *usertype)
2077c478bd9Sstevel@tonic-gate {
2087c478bd9Sstevel@tonic-gate 	if (strcmp(usertype, USERATTR_TYPE_NONADMIN_KW) == 0)
2097c478bd9Sstevel@tonic-gate 		return (1);
2107c478bd9Sstevel@tonic-gate 	/* not a role */
2117c478bd9Sstevel@tonic-gate 	return (0);
2127c478bd9Sstevel@tonic-gate }
2137c478bd9Sstevel@tonic-gate 
2147c478bd9Sstevel@tonic-gate /*
2157c478bd9Sstevel@tonic-gate  * Verifies the provided list of authorizations are all valid.
2167c478bd9Sstevel@tonic-gate  *
2177c478bd9Sstevel@tonic-gate  * Returns NULL if all authorization names are valid.
2187c478bd9Sstevel@tonic-gate  * Otherwise, returns the invalid authorization name
2197c478bd9Sstevel@tonic-gate  *
2207c478bd9Sstevel@tonic-gate  */
2217c478bd9Sstevel@tonic-gate static const char *
2227c478bd9Sstevel@tonic-gate check_auth(const char *auths)
2237c478bd9Sstevel@tonic-gate {
2247c478bd9Sstevel@tonic-gate 	char *authname;
2257c478bd9Sstevel@tonic-gate 	authattr_t *result;
2267c478bd9Sstevel@tonic-gate 	char *tmp;
2277c478bd9Sstevel@tonic-gate 	struct passwd   *pw;
2287c478bd9Sstevel@tonic-gate 	int have_grant = 0;
2297c478bd9Sstevel@tonic-gate 
2307c478bd9Sstevel@tonic-gate 	tmp = strdup(auths);
231*cb8a054bSGlenn Faden 	if (tmp == NULL) {
232*cb8a054bSGlenn Faden 		errmsg(M_NOSPACE);
233*cb8a054bSGlenn Faden 		exit(EX_FAILURE);
234*cb8a054bSGlenn Faden 	}
2357c478bd9Sstevel@tonic-gate 
2367c478bd9Sstevel@tonic-gate 	authname = strtok(tmp, AUTH_SEP);
2377c478bd9Sstevel@tonic-gate 	pw = getpwuid(getuid());
2387c478bd9Sstevel@tonic-gate 	if (pw == NULL) {
2397c478bd9Sstevel@tonic-gate 		return (authname);
2407c478bd9Sstevel@tonic-gate 	}
2417c478bd9Sstevel@tonic-gate 
2427c478bd9Sstevel@tonic-gate 	while (authname != NULL) {
2437c478bd9Sstevel@tonic-gate 		char *suffix;
2447c478bd9Sstevel@tonic-gate 		char *authtoks;
2457c478bd9Sstevel@tonic-gate 
246*cb8a054bSGlenn Faden 		/* Check if user has been granted this authorization */
247*cb8a054bSGlenn Faden 		if (!chkauthattr(authname, pw->pw_name))
248*cb8a054bSGlenn Faden 			return (authname);
249*cb8a054bSGlenn Faden 
250*cb8a054bSGlenn Faden 		/* Remove named object after slash */
251*cb8a054bSGlenn Faden 		if ((suffix = index(authname, KV_OBJECTCHAR)) != NULL)
252*cb8a054bSGlenn Faden 			*suffix = '\0';
253*cb8a054bSGlenn Faden 
2547c478bd9Sstevel@tonic-gate 		/* Find the suffix */
2557c478bd9Sstevel@tonic-gate 		if ((suffix = rindex(authname, '.')) == NULL)
2567c478bd9Sstevel@tonic-gate 			return (authname);
2577c478bd9Sstevel@tonic-gate 
2587c478bd9Sstevel@tonic-gate 		/* Check for existence in auth_attr */
2597c478bd9Sstevel@tonic-gate 		suffix++;
2607c478bd9Sstevel@tonic-gate 		if (strcmp(suffix, KV_WILDCARD)) { /* Not a wildcard */
2617c478bd9Sstevel@tonic-gate 			result = getauthnam(authname);
2627c478bd9Sstevel@tonic-gate 			if (result == NULL) {
2637c478bd9Sstevel@tonic-gate 			/* can't find the auth */
2647c478bd9Sstevel@tonic-gate 				free_authattr(result);
2657c478bd9Sstevel@tonic-gate 				return (authname);
2667c478bd9Sstevel@tonic-gate 			}
2677c478bd9Sstevel@tonic-gate 			free_authattr(result);
2687c478bd9Sstevel@tonic-gate 		}
2697c478bd9Sstevel@tonic-gate 
2707c478bd9Sstevel@tonic-gate 		/* Check if user can delegate this authorization */
2717c478bd9Sstevel@tonic-gate 		if (strcmp(suffix, "grant")) { /* Not a grant option */
2727c478bd9Sstevel@tonic-gate 			authtoks = malloc(strlen(authname) + sizeof ("grant"));
2737c478bd9Sstevel@tonic-gate 			strcpy(authtoks, authname);
2747c478bd9Sstevel@tonic-gate 			have_grant = 0;
2757c478bd9Sstevel@tonic-gate 			while ((suffix = rindex(authtoks, '.')) &&
2767c478bd9Sstevel@tonic-gate 			    !have_grant) {
2777c478bd9Sstevel@tonic-gate 				strcpy(suffix, ".grant");
2787c478bd9Sstevel@tonic-gate 				if (chkauthattr(authtoks, pw->pw_name))
2797c478bd9Sstevel@tonic-gate 					have_grant = 1;
2807c478bd9Sstevel@tonic-gate 				else
2817c478bd9Sstevel@tonic-gate 					*suffix = '\0';
2827c478bd9Sstevel@tonic-gate 			}
2837c478bd9Sstevel@tonic-gate 			if (!have_grant)
2847c478bd9Sstevel@tonic-gate 				return (authname);
2857c478bd9Sstevel@tonic-gate 		}
2867c478bd9Sstevel@tonic-gate 		authname = strtok(NULL, AUTH_SEP);
2877c478bd9Sstevel@tonic-gate 	}
288*cb8a054bSGlenn Faden 	free(tmp);
2897c478bd9Sstevel@tonic-gate 	return (NULL);
2907c478bd9Sstevel@tonic-gate }
2917c478bd9Sstevel@tonic-gate 
2927c478bd9Sstevel@tonic-gate /*
2937c478bd9Sstevel@tonic-gate  * Verifies the provided list of profile names are valid.
2947c478bd9Sstevel@tonic-gate  *
2957c478bd9Sstevel@tonic-gate  * Returns NULL if all profile names are valid.
2967c478bd9Sstevel@tonic-gate  * Otherwise, returns the invalid profile name
2977c478bd9Sstevel@tonic-gate  *
2987c478bd9Sstevel@tonic-gate  */
2997c478bd9Sstevel@tonic-gate static const char *
3007c478bd9Sstevel@tonic-gate check_prof(const char *profs)
3017c478bd9Sstevel@tonic-gate {
3027c478bd9Sstevel@tonic-gate 	char *profname;
3037c478bd9Sstevel@tonic-gate 	profattr_t *result;
3047c478bd9Sstevel@tonic-gate 	char *tmp;
3057c478bd9Sstevel@tonic-gate 
3067c478bd9Sstevel@tonic-gate 	tmp = strdup(profs);
307*cb8a054bSGlenn Faden 	if (tmp == NULL) {
308*cb8a054bSGlenn Faden 		errmsg(M_NOSPACE);
309*cb8a054bSGlenn Faden 		exit(EX_FAILURE);
310*cb8a054bSGlenn Faden 	}
3117c478bd9Sstevel@tonic-gate 
3127c478bd9Sstevel@tonic-gate 	profname = strtok(tmp, PROF_SEP);
3137c478bd9Sstevel@tonic-gate 	while (profname != NULL) {
3147c478bd9Sstevel@tonic-gate 		result = getprofnam(profname);
3157c478bd9Sstevel@tonic-gate 		if (result == NULL) {
3167c478bd9Sstevel@tonic-gate 		/* can't find the profile */
3177c478bd9Sstevel@tonic-gate 			return (profname);
3187c478bd9Sstevel@tonic-gate 		}
3197c478bd9Sstevel@tonic-gate 		free_profattr(result);
3207c478bd9Sstevel@tonic-gate 		profname = strtok(NULL, PROF_SEP);
3217c478bd9Sstevel@tonic-gate 	}
322*cb8a054bSGlenn Faden 	free(tmp);
3237c478bd9Sstevel@tonic-gate 	return (NULL);
3247c478bd9Sstevel@tonic-gate }
3257c478bd9Sstevel@tonic-gate 
3267c478bd9Sstevel@tonic-gate 
3277c478bd9Sstevel@tonic-gate /*
3287c478bd9Sstevel@tonic-gate  * Verifies the provided list of role names are valid.
3297c478bd9Sstevel@tonic-gate  *
3307c478bd9Sstevel@tonic-gate  * Returns NULL if all role names are valid.
3317c478bd9Sstevel@tonic-gate  * Otherwise, returns the invalid role name
3327c478bd9Sstevel@tonic-gate  *
3337c478bd9Sstevel@tonic-gate  */
3347c478bd9Sstevel@tonic-gate static const char *
3357c478bd9Sstevel@tonic-gate check_role(const char *roles)
3367c478bd9Sstevel@tonic-gate {
3377c478bd9Sstevel@tonic-gate 	char *rolename;
3387c478bd9Sstevel@tonic-gate 	userattr_t *result;
3397c478bd9Sstevel@tonic-gate 	char *utype;
3407c478bd9Sstevel@tonic-gate 	char *tmp;
3417c478bd9Sstevel@tonic-gate 
3427c478bd9Sstevel@tonic-gate 	tmp = strdup(roles);
343*cb8a054bSGlenn Faden 	if (tmp == NULL) {
344*cb8a054bSGlenn Faden 		errmsg(M_NOSPACE);
345*cb8a054bSGlenn Faden 		exit(EX_FAILURE);
346*cb8a054bSGlenn Faden 	}
3477c478bd9Sstevel@tonic-gate 
3487c478bd9Sstevel@tonic-gate 	rolename = strtok(tmp, ROLE_SEP);
3497c478bd9Sstevel@tonic-gate 	while (rolename != NULL) {
3507c478bd9Sstevel@tonic-gate 		result = getusernam(rolename);
3517c478bd9Sstevel@tonic-gate 		if (result == NULL) {
3527c478bd9Sstevel@tonic-gate 		/* can't find the rolename */
3537c478bd9Sstevel@tonic-gate 			return (rolename);
3547c478bd9Sstevel@tonic-gate 		}
3557c478bd9Sstevel@tonic-gate 		/* Now, make sure it is a role */
3567c478bd9Sstevel@tonic-gate 		utype = kva_match(result->attr, USERATTR_TYPE_KW);
3577c478bd9Sstevel@tonic-gate 		if (utype == NULL) {
3587c478bd9Sstevel@tonic-gate 			/* no user type defined. not a role */
3597c478bd9Sstevel@tonic-gate 			free_userattr(result);
3607c478bd9Sstevel@tonic-gate 			return (rolename);
3617c478bd9Sstevel@tonic-gate 		}
3627c478bd9Sstevel@tonic-gate 		if (strcmp(utype, USERATTR_TYPE_NONADMIN_KW) != 0) {
3637c478bd9Sstevel@tonic-gate 			free_userattr(result);
3647c478bd9Sstevel@tonic-gate 			return (rolename);
3657c478bd9Sstevel@tonic-gate 		}
3667c478bd9Sstevel@tonic-gate 		free_userattr(result);
3677c478bd9Sstevel@tonic-gate 		rolename = strtok(NULL, ROLE_SEP);
3687c478bd9Sstevel@tonic-gate 	}
369*cb8a054bSGlenn Faden 	free(tmp);
3707c478bd9Sstevel@tonic-gate 	return (NULL);
3717c478bd9Sstevel@tonic-gate }
3727c478bd9Sstevel@tonic-gate 
3737c478bd9Sstevel@tonic-gate static const char *
3747c478bd9Sstevel@tonic-gate check_proj(const char *proj)
3757c478bd9Sstevel@tonic-gate {
3767c478bd9Sstevel@tonic-gate 	if (getprojidbyname(proj) < 0) {
3777c478bd9Sstevel@tonic-gate 		return (proj);
3787c478bd9Sstevel@tonic-gate 	} else {
3797c478bd9Sstevel@tonic-gate 		return (NULL);
3807c478bd9Sstevel@tonic-gate 	}
3817c478bd9Sstevel@tonic-gate }
3827c478bd9Sstevel@tonic-gate 
3837c478bd9Sstevel@tonic-gate static const char *
3847c478bd9Sstevel@tonic-gate check_privset(const char *pset)
3857c478bd9Sstevel@tonic-gate {
3867c478bd9Sstevel@tonic-gate 	priv_set_t *tmp;
3877c478bd9Sstevel@tonic-gate 	const char *res;
3887c478bd9Sstevel@tonic-gate 
3897c478bd9Sstevel@tonic-gate 	tmp = priv_str_to_set(pset, ",", &res);
3907c478bd9Sstevel@tonic-gate 
3917c478bd9Sstevel@tonic-gate 	if (tmp != NULL) {
3927c478bd9Sstevel@tonic-gate 		res = NULL;
3937c478bd9Sstevel@tonic-gate 		priv_freeset(tmp);
3947c478bd9Sstevel@tonic-gate 	} else if (res == NULL)
3957c478bd9Sstevel@tonic-gate 		res = strerror(errno);
3967c478bd9Sstevel@tonic-gate 
3977c478bd9Sstevel@tonic-gate 	return (res);
3987c478bd9Sstevel@tonic-gate }
3997c478bd9Sstevel@tonic-gate 
4007c478bd9Sstevel@tonic-gate static const char *
4017c478bd9Sstevel@tonic-gate check_type(const char *type)
4027c478bd9Sstevel@tonic-gate {
4037c478bd9Sstevel@tonic-gate 	if (strcmp(type, USERATTR_TYPE_NONADMIN_KW) != 0 &&
4047c478bd9Sstevel@tonic-gate 	    strcmp(type, USERATTR_TYPE_NORMAL_KW) != 0)
4057c478bd9Sstevel@tonic-gate 		return (type);
4067c478bd9Sstevel@tonic-gate 
4077c478bd9Sstevel@tonic-gate 	return (NULL);
4087c478bd9Sstevel@tonic-gate }
4097c478bd9Sstevel@tonic-gate 
4107c478bd9Sstevel@tonic-gate static const char *
4117c478bd9Sstevel@tonic-gate check_lock_after_retries(const char *keyval)
4127c478bd9Sstevel@tonic-gate {
4137c478bd9Sstevel@tonic-gate 	if (keyval != NULL) {
4147c478bd9Sstevel@tonic-gate 		if ((strcasecmp(keyval, "no") != 0) &&
4157c478bd9Sstevel@tonic-gate 		    (strcasecmp(keyval, "yes") != 0) &&
4167c478bd9Sstevel@tonic-gate 		    (*keyval != '\0'))   {
4177c478bd9Sstevel@tonic-gate 			return (keyval);
4187c478bd9Sstevel@tonic-gate 		}
4197c478bd9Sstevel@tonic-gate 	}
4207c478bd9Sstevel@tonic-gate 	return (NULL);
4217c478bd9Sstevel@tonic-gate }
4223bf5ae9eSrica 
4233bf5ae9eSrica static const char *
4243bf5ae9eSrica check_label(const char *labelstr)
4253bf5ae9eSrica {
4263bf5ae9eSrica 	int	err;
4273bf5ae9eSrica 	m_label_t *lbl = NULL;
4283bf5ae9eSrica 
4293bf5ae9eSrica 	if (!is_system_labeled())
4303bf5ae9eSrica 		return (NULL);
4313bf5ae9eSrica 
4323bf5ae9eSrica 	err = str_to_label(labelstr, &lbl, MAC_LABEL, L_NO_CORRECTION, NULL);
4333bf5ae9eSrica 	m_label_free(lbl);
4343bf5ae9eSrica 
4353bf5ae9eSrica 	if (err == -1)
4363bf5ae9eSrica 		return (labelstr);
4373bf5ae9eSrica 
4383bf5ae9eSrica 	return (NULL);
4393bf5ae9eSrica }
4403bf5ae9eSrica 
4413bf5ae9eSrica static const char *
4423bf5ae9eSrica check_idlecmd(const char *cmd)
4433bf5ae9eSrica {
4443bf5ae9eSrica 	if ((strcmp(cmd, USERATTR_IDLECMD_LOCK_KW) != 0) &&
4453bf5ae9eSrica 	    (strcmp(cmd, USERATTR_IDLECMD_LOGOUT_KW) != 0)) {
4463bf5ae9eSrica 		return (cmd);
4473bf5ae9eSrica 	}
4483bf5ae9eSrica 
4493bf5ae9eSrica 	return (NULL);
4503bf5ae9eSrica }
4513bf5ae9eSrica 
4523bf5ae9eSrica static const char *
4533bf5ae9eSrica check_idletime(const char *time)
4543bf5ae9eSrica {
4553bf5ae9eSrica 	int		c;
4563bf5ae9eSrica 	unsigned char	*up = (unsigned char *)time;
4573bf5ae9eSrica 
4583bf5ae9eSrica 	c = *up;
4593bf5ae9eSrica 	while (c != '\0') {
4603bf5ae9eSrica 		if (!isdigit(c))
4613bf5ae9eSrica 			return (time);
4623bf5ae9eSrica 		c = *++up;
4633bf5ae9eSrica 	}
4643bf5ae9eSrica 
4653bf5ae9eSrica 	return (NULL);
4663bf5ae9eSrica }
467