/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
 * Copyright (c) 2002, 2011, Oracle and/or its affiliates. All rights reserved.
 * Copyright 1995-2004, 2007, 2008 by the Massachusetts Institute of Technology.
 * All Rights Reserved.
 * Export of this software from the United States of America may
 * require a specific license from the United States Government.
 * It is the responsibility of any person or organization contemplating
 * export to obtain such a license before exporting.
 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
 * distribute this software and its documentation for any purpose and
 * without fee is hereby granted, provided that the above copyright
 * notice appear in all copies and that both that copyright notice and
 * this permission notice appear in supporting documentation, and that
 * the name of M.I.T. not be used in advertising or publicity pertaining
 * to distribution of the software without specific, written prior
 * permission. Furthermore if you modify this software you must label
 * your software as modified software and not distribute it in such a
 * fashion that it might be confused with the original M.I.T. software.
 * M.I.T. makes no representations about the suitability of
 * this software for any purpose. It is provided "as is" without express
 * or implied warranty.
 * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
 * Openvision retains the copyright to derivative works of
 * this source code. Do *NOT* create a derivative of this
 * source code before consulting with your legal department.
 * Do *NOT* integrate *ANY* of this source code into another
 * product before consulting with your legal department.
 * For further information, read the top-level Openvision
 * copyright which is contained in the top-level MIT Kerberos
 * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
    /* eg: "-maxlife 3h -service +proxiable" */
 * This is the catchall entry. If nothing else appropriate is found, or in
 * the case where the ACL file is not present, this entry controls what can
/* Solaris Kerberos */
    "%s: line %d too long, truncated\n")
    "Unrecognized ACL operation '%c' in %s\n")
    "%s: syntax error at line %d <%10s...>\n")
    "\007cannot open ACL file")
 * kadm5int_acl_get_line() - Get a line from the ACL file.
 * Lines ending with \ are continued on the next line
    int *
lnp;
/* caller should set to 1 before first call */
    /* Copy in the line, with continuations */
    break;
/* it gets nulled-out below */
    break;
/* empty line or normal end of line */
    i -=
2;
/* back up over "\\\n" and continue */
    /* Check if we exceeded our buffer size */
 * kadm5int_acl_parse_line() - Parse the contents of an ACL line.
    (
"* kadm5int_acl_parse_line(line=%20s)\n",
lp));
 * Format is still simple:
 *  entry ::= [<whitespace>] <principal> <whitespace> <opstring>
 *            [<whitespace> <target> [<whitespace> <restrictions>
    (
"A ACL entry %s -> opmask %x\n",
    (
"X kadm5int_acl_parse_line() = %x\n", (
long)
acle));
 * kadm5int_acl_parse_restrictions() - Parse optional restrictions field
 * Allowed restrictions are:
 *      [+-]flagname            (recognized by krb5_string_to_flags)
 *                              flag is forced to indicated value
 *      -clearpolicy            policy is forced clear
 *      -policy pol             policy is forced to be "pol"
 *      -{expire,pwexpire,maxlife,maxrenewlife} deltat
 *                              associated value will be forced to
 *                              MIN(deltat, requested value)
 * Returns: 0 on success, or system errors
    (
"* kadm5int_acl_parse_restrictions(s=%20s, rpp=0x%08x)\n", s, (
long)
rpp));
    /* OK, but was it in the positive or negative sense? */
    /* everything else needs an argument ... */
    /* all other arguments must be a deltat ... */
    (
"X kadm5int_acl_parse_restrictions() = %d, mask=0x%08x\n",
 * kadm5int_acl_impose_restrictions() - impose restrictions, modifying *recp, *maskp
 * Returns: 0 on success;
 *          malloc or timeofday errors
    (
"* kadm5int_acl_impose_restrictions(..., *maskp=0x%08x, rp=0x%08x)\n",
    (
"X kadm5int_acl_impose_restrictions() = 0, *maskp=0x%08x\n", *
maskp));
 * kadm5int_acl_free_entries() - Free all ACL entries.
 * kadm5int_acl_load_acl_file() - Open and parse the ACL file.
    /* Open the ACL file for read */
    /* Get a non-comment line */
    /* If syntax error, then fall out */
    (
"> catchall acl entry (%s) load failed\n",
    (
"> catchall acl entry (%s) load failed\n",
    (
"X kadm5int_acl_load_acl_file() = %d\n",
retval));
 * kadm5int_acl_match_data() - See if two data entries match.
 * Wildcarding is only supported for a whole component.
    /* Solaris Kerberos */
    (
"Too many wildcards in ACL entry %s\n",
e1->
data));
    /* Solaris Kerberos */
    (
"Too many backrefs in ACL entry %s\n",
e1->
data));
 * kadm5int_acl_find_entry() - Find a matching entry.
    /* We've matched the principal. If we have a target, then try it */
 * kadm5int_acl_init() - Initialize ACL context.
    (
"* kadm5int_acl_init(afile=%s)\n",
 * kadm5int_acl_finish - Terminate ACL context.
 * kadm5int_acl_check_krb() - Is this operation permitted for this principal?
 * kadm5int_acl_check() - Is this operation permitted for this principal?
 * this code used not to be based on gssapi. In order
 * to minimize porting hassles, I've put all the
 * gssapi hair in this function. This might not be
 * the best medium-term solution. (The best long-term
 * solution is, of course, a real authorization service.)
    /* Solaris Kerberos */
    /* Solaris Kerberos: fix a mem leak with OID arg that isn't needed */
    /* this is impossible to do with the current interface. For now,
       return all privs, which will confuse some clients, but not
       deny any access to users of "smart" clients which try to cache */
/* SUNWresync121 (SEAM1.0) XXX */