/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* or http://www.opensolaris.org/os/licensing.
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2013 RackTop Systems.
*/
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <auth_attr.h>
#include <prof_attr.h>
#include <user_attr.h>
#include <project.h>
#include <secdb.h>
#include <pwd.h>
#include <unistd.h>
#include <priv.h>
#include <errno.h>
#include <ctype.h>
#include <nss.h>
#include <bsm/libbsm.h>
#include <tsol/label.h>
#include "funcs.h"
#include "messages.h"
#undef GROUP
#include "userdefs.h"
typedef struct ua_key {
const char *key;
const char *(*check)(const char *);
const char *errstr;
char *newvalue;
} ua_key_t;
static const char role[] = "role name";
static const char prof[] = "profile name";
static const char proj[] = "project name";
static const char priv[] = "privilege set";
static const char auth[] = "authorization";
static const char type[] = "user type";
static const char lock[] = "lock_after_retries value";
static const char label[] = "label";
static const char idlecmd[] = "idlecmd value";
static const char idletime[] = "idletime value";
static const char auditflags[] = "audit mask";
static char auditerr[256];
static const char *check_auth(const char *);
static const char *check_prof(const char *);
static const char *check_role(const char *);
static const char *check_proj(const char *);
static const char *check_privset(const char *);
static const char *check_type(const char *);
static const char *check_lock_after_retries(const char *);
static const char *check_label(const char *);
static const char *check_idlecmd(const char *);
static const char *check_idletime(const char *);
static const char *check_auditflags(const char *);
int nkeys;
static ua_key_t keys[] = {
/* First entry is always set correctly in main() */
{ USERATTR_TYPE_KW, check_type, type },
{ USERATTR_AUTHS_KW, check_auth, auth },
{ USERATTR_PROFILES_KW, check_prof, prof },
{ USERATTR_ROLES_KW, check_role, role },
{ USERATTR_DEFAULTPROJ_KW, check_proj, proj },
{ USERATTR_LIMPRIV_KW, check_privset, priv },
{ USERATTR_DFLTPRIV_KW, check_privset, priv },
{ USERATTR_LOCK_AFTER_RETRIES_KW, check_lock_after_retries, lock },
{ USERATTR_CLEARANCE, check_label, label },
{ USERATTR_MINLABEL, check_label, label },
{ USERATTR_IDLECMD_KW, check_idlecmd, idlecmd },
{ USERATTR_IDLETIME_KW, check_idletime, idletime },
{ USERATTR_AUDIT_FLAGS_KW, check_auditflags, auditflags },
};
#define NKEYS (sizeof (keys)/sizeof (ua_key_t))
/*
* Change a key, there are three different call sequences:
*
* key, value - key with option letter, value.
* NULL, value - -K key=value option.
*/
void
change_key(const char *key, char *value)
{
int i;
const char *res;
if (key == NULL) {
key = value;
value = strchr(value, '=');
/* Bad value */
if (value == NULL) {
errmsg(M_INVALID_VALUE);
exit(EX_BADARG);
}
*value++ = '\0';
}
for (i = 0; i < NKEYS; i++) {
if (strcmp(key, keys[i].key) == 0) {
if (keys[i].newvalue != NULL) {
/* Can't set a value twice */
errmsg(M_REDEFINED_KEY, key);
exit(EX_BADARG);
}
if (keys[i].check != NULL &&
(res = keys[i].check(value)) != NULL) {
errmsg(M_INVALID, res, keys[i].errstr);
exit(EX_BADARG);
}
keys[i].newvalue = value;
nkeys++;
return;
}
}
errmsg(M_INVALID_KEY, key);
exit(EX_BADARG);
}
/*
* Add the keys to the argument vector.
*/
void
addkey_args(char **argv, int *index)
{
int i;
for (i = 0; i < NKEYS; i++) {
const char *key = keys[i].key;
char *val = keys[i].newvalue;
size_t len;
char *arg;
if (val == NULL)
continue;
len = strlen(key) + strlen(val) + 2;
arg = malloc(len);
(void) snprintf(arg, len, "%s=%s", key, val);
argv[(*index)++] = "-K";
argv[(*index)++] = arg;
}
}
/*
* Propose a default value for a key and get the actual value back.
* If the proposed default value is NULL, return the actual value set.
* The key argument is the user_attr key.
*/
char *
getsetdefval(const char *key, char *dflt)
{
int i;
for (i = 0; i < NKEYS; i++)
if (strcmp(keys[i].key, key) == 0) {
if (keys[i].newvalue != NULL)
return (keys[i].newvalue);
else
return (keys[i].newvalue = dflt);
}
return (NULL);
}
char *
getusertype(char *cmdname)
{
static char usertype[MAX_TYPE_LENGTH];
char *cmd;
if ((cmd = strrchr(cmdname, '/')))
++cmd;
else
cmd = cmdname;
/* get user type based on the program name */
if (strncmp(cmd, CMD_PREFIX_USER,
strlen(CMD_PREFIX_USER)) == 0)
strcpy(usertype, USERATTR_TYPE_NORMAL_KW);
else
strcpy(usertype, USERATTR_TYPE_NONADMIN_KW);
return (usertype);
}
int
is_role(char *usertype)
{
if (strcmp(usertype, USERATTR_TYPE_NONADMIN_KW) == 0)
return (1);
/* not a role */
return (0);
}
/*
* Verifies the provided list of authorizations are all valid.
*
* Returns NULL if all authorization names are valid.
* Otherwise, returns the invalid authorization name
*
*/
static const char *
check_auth(const char *auths)
{
char *authname;
authattr_t *result;
char *tmp;
struct passwd *pw;
int have_grant = 0;
tmp = strdup(auths);
if (tmp == NULL) {
errmsg(M_NOSPACE);
exit(EX_FAILURE);
}
authname = strtok(tmp, AUTH_SEP);
pw = getpwuid(getuid());
if (pw == NULL) {
return (authname);
}
while (authname != NULL) {
char *suffix;
char *authtoks;
/* Check if user has been granted this authorization */
if (!chkauthattr(authname, pw->pw_name))
return (authname);
/* Remove named object after slash */
if ((suffix = index(authname, KV_OBJECTCHAR)) != NULL)
*suffix = '\0';
/* Find the suffix */
if ((suffix = rindex(authname, '.')) == NULL)
return (authname);
/* Check for existence in auth_attr */
suffix++;
if (strcmp(suffix, KV_WILDCARD)) { /* Not a wildcard */
result = getauthnam(authname);
if (result == NULL) {
/* can't find the auth */
free_authattr(result);
return (authname);
}
free_authattr(result);
}
/* Check if user can delegate this authorization */
if (strcmp(suffix, "grant")) { /* Not a grant option */
authtoks = malloc(strlen(authname) + sizeof ("grant"));
strcpy(authtoks, authname);
have_grant = 0;
while ((suffix = rindex(authtoks, '.')) &&
!have_grant) {
strcpy(suffix, ".grant");
if (chkauthattr(authtoks, pw->pw_name))
have_grant = 1;
else
*suffix = '\0';
}
if (!have_grant)
return (authname);
}
authname = strtok(NULL, AUTH_SEP);
}
free(tmp);
return (NULL);
}
/*
* Verifies the provided list of profile names are valid.
*
* Returns NULL if all profile names are valid.
* Otherwise, returns the invalid profile name
*
*/
static const char *
check_prof(const char *profs)
{
char *profname;
profattr_t *result;
char *tmp;
tmp = strdup(profs);
if (tmp == NULL) {
errmsg(M_NOSPACE);
exit(EX_FAILURE);
}
profname = strtok(tmp, PROF_SEP);
while (profname != NULL) {
result = getprofnam(profname);
if (result == NULL) {
/* can't find the profile */
return (profname);
}
free_profattr(result);
profname = strtok(NULL, PROF_SEP);
}
free(tmp);
return (NULL);
}
/*
* Verifies the provided list of role names are valid.
*
* Returns NULL if all role names are valid.
* Otherwise, returns the invalid role name
*
*/
static const char *
check_role(const char *roles)
{
char *rolename;
userattr_t *result;
char *utype;
char *tmp;
tmp = strdup(roles);
if (tmp == NULL) {
errmsg(M_NOSPACE);
exit(EX_FAILURE);
}
rolename = strtok(tmp, ROLE_SEP);
while (rolename != NULL) {
result = getusernam(rolename);
if (result == NULL) {
/* can't find the rolename */
return (rolename);
}
/* Now, make sure it is a role */
utype = kva_match(result->attr, USERATTR_TYPE_KW);
if (utype == NULL) {
/* no user type defined. not a role */
free_userattr(result);
return (rolename);
}
if (strcmp(utype, USERATTR_TYPE_NONADMIN_KW) != 0) {
free_userattr(result);
return (rolename);
}
free_userattr(result);
rolename = strtok(NULL, ROLE_SEP);
}
free(tmp);
return (NULL);
}
static const char *
check_proj(const char *proj)
{
if (getprojidbyname(proj) < 0) {
return (proj);
} else {
return (NULL);
}
}
static const char *
check_privset(const char *pset)
{
priv_set_t *tmp;
const char *res;
tmp = priv_str_to_set(pset, ",", &res);
if (tmp != NULL) {
res = NULL;
priv_freeset(tmp);
} else if (res == NULL)
res = strerror(errno);
return (res);
}
static const char *
check_type(const char *type)
{
if (strcmp(type, USERATTR_TYPE_NONADMIN_KW) != 0 &&
strcmp(type, USERATTR_TYPE_NORMAL_KW) != 0)
return (type);
return (NULL);
}
static const char *
check_lock_after_retries(const char *keyval)
{
if (keyval != NULL) {
if ((strcasecmp(keyval, "no") != 0) &&
(strcasecmp(keyval, "yes") != 0) &&
(*keyval != '\0')) {
return (keyval);
}
}
return (NULL);
}
static const char *
check_label(const char *labelstr)
{
int err;
m_label_t *lbl = NULL;
if (!is_system_labeled())
return (NULL);
err = str_to_label(labelstr, &lbl, MAC_LABEL, L_NO_CORRECTION, NULL);
m_label_free(lbl);
if (err == -1)
return (labelstr);
return (NULL);
}
static const char *
check_idlecmd(const char *cmd)
{
if ((strcmp(cmd, USERATTR_IDLECMD_LOCK_KW) != 0) &&
(strcmp(cmd, USERATTR_IDLECMD_LOGOUT_KW) != 0)) {
return (cmd);
}
return (NULL);
}
static const char *
check_idletime(const char *time)
{
int c;
unsigned char *up = (unsigned char *)time;
c = *up;
while (c != '\0') {
if (!isdigit(c))
return (time);
c = *++up;
}
return (NULL);
}
static const char *
check_auditflags(const char *auditflags)
{
au_mask_t mask;
char *flags;
char *last = NULL;
char *err = "NULL";
/* if deleting audit_flags */
if (*auditflags == '\0') {
return (NULL);
}
if ((flags = _strdup_null((char *)auditflags)) == NULL) {
errmsg(M_NOSPACE);
exit(EX_FAILURE);
}
if (!__chkflags(_strtok_escape(flags, KV_AUDIT_DELIMIT, &last), &mask,
B_FALSE, &err)) {
(void) snprintf(auditerr, sizeof (auditerr),
"always mask \"%s\"", err);
free(flags);
return (auditerr);
}
if (!__chkflags(_strtok_escape(NULL, KV_AUDIT_DELIMIT, &last), &mask,
B_FALSE, &err)) {
(void) snprintf(auditerr, sizeof (auditerr),
"never mask \"%s\"", err);
free(flags);
return (auditerr);
}
if (last != NULL) {
(void) snprintf(auditerr, sizeof (auditerr), "\"%s\"",
auditflags);
free(flags);
return (auditerr);
}
free(flags);
return (NULL);
}