xref: /titanic_52/usr/src/lib/pam_modules/roles/roles.c (revision fa9e4066f08beec538e775443c5be79dd423fcab)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License, Version 1.0 only
6  * (the "License").  You may not use this file except in compliance
7  * with the License.
8  *
9  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10  * or http://www.opensolaris.org/os/licensing.
11  * See the License for the specific language governing permissions
12  * and limitations under the License.
13  *
14  * When distributing Covered Code, include this CDDL HEADER in each
15  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16  * If applicable, add the following below this CDDL HEADER, with the
17  * fields enclosed by brackets "[]" replaced with your own identifying
18  * information: Portions Copyright [yyyy] [name of copyright owner]
19  *
20  * CDDL HEADER END
21  */
22 /*
23  * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 #pragma ident	"%Z%%M%	%I%	%E% SMI"
28 
29 #include <syslog.h>
30 #include <pwd.h>
31 #include <unistd.h>
32 #include <strings.h>
33 #include <security/pam_appl.h>
34 #include <security/pam_modules.h>
35 #include <libintl.h>
36 #include <pwd.h>
37 #include <user_attr.h>
38 #include <secdb.h>
39 #include <nss_dbdefs.h>
40 #include <security/pam_impl.h>
41 
42 static int roleinlist();
43 
44 /*
45  * pam_sm_acct_mgmt():
46  *	Account management module
47  *	This module disallows roles for primary logins and adds special
48  *	checks to allow roles for secondary logins.
49  */
50 
51 /*ARGSUSED*/
52 int
53 pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
54 {
55 	uid_t uid;
56 	userattr_t *user_entry;
57 	char	*kva_value;
58 	char	*username;
59 	char	*ruser;
60 	char	*rhost;
61 	char messages[PAM_MAX_NUM_MSG][PAM_MAX_MSG_SIZE];
62 	struct passwd *pw_entry, pwd;
63 	char buf[NSS_BUFLEN_PASSWD];
64 
65 	int i;
66 	int debug = 0;
67 	int allow_remote = 0;
68 
69 	(void) pam_get_item(pamh, PAM_USER, (void **)&username);
70 
71 	(void) pam_get_item(pamh, PAM_RUSER, (void **)&ruser);
72 
73 	(void) pam_get_item(pamh, PAM_RHOST, (void **)&rhost);
74 
75 	for (i = 0; i < argc; i++) {
76 		if (strcmp(argv[i], "allow_remote") == 0) {
77 			allow_remote = 1;
78 		} else if (strcmp(argv[i], "debug") == 0) {
79 			debug = 1;
80 		} else {
81 			__pam_log(LOG_AUTH | LOG_ERR,
82 			    "pam_roles:pam_sm_acct_mgmt: illegal module "
83 			    "option %s", argv[i]);
84 		}
85 	}
86 
87 	if (debug) {
88 		char	*service;
89 
90 		(void) pam_get_item(pamh, PAM_SERVICE, (void **)&service);
91 		__pam_log(LOG_AUTH | LOG_DEBUG, "pam_roles:pam_sm_acct_mgmt: "
92 			"service = %s user = %s ruser = %s rhost = %s\n",
93 			(service) ? service : "not set",
94 			(username) ? username : "not set",
95 			(ruser) ? ruser: "not set",
96 			(rhost) ? rhost: "not set");
97 	}
98 
99 	if (username == NULL)
100 		return (PAM_USER_UNKNOWN);
101 
102 	/* stop masquerades by mapping username to uid to username */
103 
104 	if ((pw_entry = getpwnam_r(username, &pwd, buf, sizeof (buf))) == NULL)
105 		return (PAM_USER_UNKNOWN);
106 	if ((pw_entry = getpwuid_r(pw_entry->pw_uid, &pwd, buf,
107 	    sizeof (buf))) == NULL)
108 		return (PAM_USER_UNKNOWN);
109 	/*
110 	 * If there's no user_attr entry for the primary user or it's not a
111 	 * role, no further checks are needed.
112 	 */
113 
114 	if (((user_entry = getusernam(pw_entry->pw_name)) == NULL) ||
115 	    ((kva_value = kva_match((kva_t *)user_entry->attr,
116 	    USERATTR_TYPE_KW)) == NULL) ||
117 	    ((strcmp(kva_value, USERATTR_TYPE_NONADMIN_KW) != 0) &&
118 	    (strcmp(kva_value, USERATTR_TYPE_ADMIN_KW) != 0))) {
119 		free_userattr(user_entry);
120 		return (PAM_IGNORE);
121 	}
122 	free_userattr(user_entry);
123 
124 	/* username is a role */
125 
126 	if (strcmp(username, pw_entry->pw_name) != 0) {
127 		__pam_log(LOG_AUTH | LOG_ALERT,
128 		    "pam_roles:pam_sm_acct_mgmt: user name %s "
129 		    "maps to user id %d which is user name %s",
130 		    username, pw_entry->pw_uid, pw_entry->pw_name);
131 
132 	}
133 
134 	/* Who's the user requesting the role? */
135 
136 	if (ruser == NULL || *ruser == '\0') {
137 		/* user is implied by real UID */
138 
139 		if ((uid = getuid()) == 0) {
140 			/*
141 			 * Root user_attr entry cannot have roles.
142 			 * Force error and deny access.
143 			 */
144 			user_entry = NULL;
145 		} else {
146 			if ((pw_entry = getpwuid_r(uid, &pwd, buf,
147 			    sizeof (buf))) == NULL) {
148 				return (PAM_USER_UNKNOWN);
149 			}
150 			user_entry = getusernam(pw_entry->pw_name);
151 		}
152 	} else if (rhost == NULL || *rhost == '\0') {
153 		/*
154 		 * PAM_RUSER is set but PAM_RHOST is not; this is
155 		 * used by SMC and is a temporary solution until a proper
156 		 * interface is designed that specifies a "come-from"
157 		 * username.
158 		 */
159 		if (strcmp(username, ruser) == 0) {
160 			return (PAM_IGNORE);
161 		}
162 		user_entry = getusernam(ruser);
163 	} else {
164 		user_entry = getusernam(ruser);
165 	}
166 
167 	if (rhost != NULL && allow_remote == 0) {
168 		/* don't allow remote roles for this service */
169 
170 		free_userattr(user_entry);
171 		return (PAM_PERM_DENIED);
172 	}
173 
174 	/*
175 	 * If the original user does not have a user_attr entry or isn't
176 	 * assigned the role being assumed, fail.
177 	 */
178 
179 	if ((user_entry == NULL) ||
180 	    ((kva_value = kva_match((kva_t *)user_entry->attr,
181 	    USERATTR_ROLES_KW)) == NULL) ||
182 	    (roleinlist(kva_value, username) == 0)) {
183 		free_userattr(user_entry);
184 		(void) strlcpy(messages[0], dgettext(TEXT_DOMAIN,
185 		    "Roles can only be assumed by authorized users"),
186 			sizeof (messages[0]));
187 		(void) __pam_display_msg(pamh, PAM_ERROR_MSG, 1, messages,
188 		    NULL);
189 		return (PAM_PERM_DENIED);
190 	}
191 
192 	free_userattr(user_entry);
193 	return (PAM_IGNORE);
194 }
195 
196 int
197 roleinlist(char *list, char *role)
198 {
199 	char *lasts = (char *)NULL;
200 	char *rolename = (char *)strtok_r(list, ",", &lasts);
201 
202 	while (rolename) {
203 		if (strcmp(rolename, role) == 0)
204 			return (1);
205 		else
206 			rolename = (char *)strtok_r(NULL, ",", &lasts);
207 	}
208 	return (0);
209 }
210