simple_access_check.c revision a0d010f488bf15fb3e170ce04092013fa494401f
842ae4bd224140319ae7feec1872b93dfd491143fielding Simple access control
842ae4bd224140319ae7feec1872b93dfd491143fielding Copyright (C) Sumit Bose <sbose@redhat.com> 2010
04891cf70e0bfc38bfb027541dc821f04c754ff7nd This program is free software; you can redistribute it and/or modify
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding it under the terms of the GNU General Public License as published by
04891cf70e0bfc38bfb027541dc821f04c754ff7nd the Free Software Foundation; either version 3 of the License, or
04891cf70e0bfc38bfb027541dc821f04c754ff7nd (at your option) any later version.
04891cf70e0bfc38bfb027541dc821f04c754ff7nd This program is distributed in the hope that it will be useful,
04891cf70e0bfc38bfb027541dc821f04c754ff7nd but WITHOUT ANY WARRANTY; without even the implied warranty of
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding GNU General Public License for more details.
3568de757bac0b47256647504c186d17ca272f85rbb You should have received a copy of the GNU General Public License
3568de757bac0b47256647504c186d17ca272f85rbb along with this program. If not, see <http://www.gnu.org/licenses/>.
3568de757bac0b47256647504c186d17ca272f85rbbstatic bool
3568de757bac0b47256647504c186d17ca272f85rbb const char *val;
3568de757bac0b47256647504c186d17ca272f85rbb val = ldb_msg_find_attr_as_string(group, SYSDB_POSIX, NULL);
3568de757bac0b47256647504c186d17ca272f85rbb return true;
3568de757bac0b47256647504c186d17ca272f85rbb return false;
3568de757bac0b47256647504c186d17ca272f85rbb/* Returns EOK if the result is definitive, EAGAIN if only partial result
3568de757bac0b47256647504c186d17ca272f85rbbsimple_check_users(struct simple_ctx *ctx, const char *username,
3568de757bac0b47256647504c186d17ca272f85rbb /* First, check whether the user is in the allowed users list */
3568de757bac0b47256647504c186d17ca272f85rbb ("User [%s] found in allow list, access granted.\n",
98fb535f829e2a95aabd82420931f476661fa8e3jorton /* Do not return immediately on explicit allow
db12cd62083041bf90945eeb90cc40fbd2340797trawick * We need to make sure none of the user's groups
db12cd62083041bf90945eeb90cc40fbd2340797trawick * are denied.
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz /* If neither allow rule is in place, we'll assume allowed
3568de757bac0b47256647504c186d17ca272f85rbb * unless a deny rule disables us below.
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz ("No allow rule, assumuing allow unless explicitly denied\n"));
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding /* Next check whether this user has been specifically denied */
7cd5419264796cfeaf8215383cf0f89130a81fectrawick ("User [%s] found in deny list, access denied.\n",
7cd5419264796cfeaf8215383cf0f89130a81fectrawick /* Return immediately on explicit denial */
3568de757bac0b47256647504c186d17ca272f85rbbsimple_check_groups(struct simple_ctx *ctx, const char **group_names,
3568de757bac0b47256647504c186d17ca272f85rbb /* Now process allow and deny group rules
936a4025e45887d9f366bf54360c51937b6bcacejim * If access was already granted above, we'll skip
936a4025e45887d9f366bf54360c51937b6bcacejim * this redundant rule check
3568de757bac0b47256647504c186d17ca272f85rbb for(j = 0; group_names[j]; j++) {
41634f717c623556a16b27b25d7d909a66fe20f8wrowe /* If any group has matched, we can skip out on the
3568de757bac0b47256647504c186d17ca272f85rbb * processing early
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz ("Group [%s] found in allow list, access granted.\n",
3568de757bac0b47256647504c186d17ca272f85rbb /* Finally, process the deny group rules */
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz domain = find_subdomain_by_object_name(ctx->domain,
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz for(j = 0; group_names[j]; j++) {
3568de757bac0b47256647504c186d17ca272f85rbb /* If any group has matched, we can skip out on the
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz * processing early
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz ("Group [%s] found in deny list, access denied.\n",
3568de757bac0b47256647504c186d17ca272f85rbb const char *name;
3568de757bac0b47256647504c186d17ca272f85rbbsimple_resolve_group_check(struct simple_resolve_group_state *state);
3568de757bac0b47256647504c186d17ca272f85rbbstatic void simple_resolve_group_done(struct tevent_req *subreq);
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantzstatic struct tevent_req *
6653a33e820463abd4f81915b7a1eba0f602e200brianp /* First check if the group was updated already. If it was (maybe its
3568de757bac0b47256647504c186d17ca272f85rbb * parent was updated first), then just shortcut */
7cd5419264796cfeaf8215383cf0f89130a81fectrawick DEBUG(SSSDBG_TRACE_LIBS, ("Group already updated\n"));
64c351fd973428b5bb4c28e983fa86875ea4e60fdougm ("Cannot check if group was already updated [%d]: %s\n",
dd028aa8111afb6534fece555e8c2d408894671etrawick /* EAGAIN - still needs update */
6653a33e820463abd4f81915b7a1eba0f602e200brianp ar->filter_value = talloc_asprintf(ar, "%llu", (unsigned long long) gid);
6653a33e820463abd4f81915b7a1eba0f602e200brianp subreq = be_get_account_info_send(state, ev, NULL, ctx->be_ctx, ar);
6653a33e820463abd4f81915b7a1eba0f602e200brianp tevent_req_set_callback(subreq, simple_resolve_group_done, req);
0f081398cf0eef8cc7c66a535d450110a92dc8aefieldingsimple_resolve_group_check(struct simple_resolve_group_state *state)
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding const char *group_attrs[] = { SYSDB_NAME, SYSDB_POSIX,
3568de757bac0b47256647504c186d17ca272f85rbb /* Check the cache by GID again and fetch the name */
3568de757bac0b47256647504c186d17ca272f85rbb ret = sysdb_search_group_by_gid(state, state->domain->sysdb,
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz /* The group is missing, we will try to update it. */
9f979f5c8061f6f6f560d1824e0e378ff5b91931rpluem ("Could not look up group by gid [%"SPRIgid"]: [%d][%s]\n",
9f979f5c8061f6f6f560d1824e0e378ff5b91931rpluem state->name = ldb_msg_find_attr_as_string(group, SYSDB_NAME, NULL);
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard ("The group is still non-POSIX\n"));
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddardstatic void simple_resolve_group_done(struct tevent_req *subreq)
7cd5419264796cfeaf8215383cf0f89130a81fectrawick const char *err_msg;
e8f95a682820a599fe41b22977010636be5c2717jim req = tevent_req_callback_data(subreq, struct tevent_req);
98cd3186185bb28ae6c95a3f159899fcf56a663ftrawick state = tevent_req_data(req, struct simple_resolve_group_state);
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard DEBUG(SSSDBG_OP_FAILURE, ("be_get_account_info_recv failed\n"));
3cbd177a6c885562f9ad0cf11695f044489c881dgregames ("Cannot refresh data from DP: %u,%u: %s\n",
5a0f707b48da7703cbe6bc087f13a6735b1c742dgregames /* Check the cache by GID again and fetch the name */
7cd5419264796cfeaf8215383cf0f89130a81fectrawick const char **name)
7cd5419264796cfeaf8215383cf0f89130a81fectrawick state = tevent_req_data(req, struct simple_resolve_group_state);
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard const char **group_names;
7cd5419264796cfeaf8215383cf0f89130a81fectrawickstatic void simple_check_get_groups_next(struct tevent_req *subreq);
7cd5419264796cfeaf8215383cf0f89130a81fectrawicksimple_check_get_groups_primary(struct simple_check_groups_state *state,
3568de757bac0b47256647504c186d17ca272f85rbbsimple_check_process_group(struct simple_check_groups_state *state,
72b6f1cf3e616473e1c26464b3193b13c2c09e87brianpstatic struct tevent_req *
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard const char *username)
1ce78cf71b5baaf2c1ab48e818cb1f2397df5010trawick const char *attrs[] = { SYSDB_NAME, SYSDB_POSIX, SYSDB_GIDNUM,
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard DEBUG(SSSDBG_TRACE_LIBS, ("Looking up groups for user %s\n", username));
3568de757bac0b47256647504c186d17ca272f85rbb /* get domain from username */
3568de757bac0b47256647504c186d17ca272f85rbb state->domain = find_subdomain_by_object_name(ctx->domain, username);
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz DEBUG(SSSDBG_CRIT_FAILURE, ("Invalid user %s!\n", username));
4a13940dc2990df0a798718d3a3f9cf1566c2217bjh ret = sysdb_search_user_by_name(state, state->domain->sysdb, state->domain,
4a13940dc2990df0a798718d3a3f9cf1566c2217bjh DEBUG(SSSDBG_MINOR_FAILURE, ("No such user %s\n", username));
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard ("Could not look up username [%s]: [%d][%s]\n",
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard ("User %s is a member of %zu supplemental groups\n",
4a13940dc2990df0a798718d3a3f9cf1566c2217bjh /* One extra space for terminator, one extra space for private group */
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard state->group_names = talloc_zero_array(state, const char *, group_count + 2);
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard state->lookup_groups = talloc_zero_array(state, struct simple_group,
663237d6bcc59ac0997d71d48a1baa55fa29a3d8jim for (i=0; i < group_count; i++) {
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard /* Some providers (like the AD provider) might perform initgroups
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard * without resolving the group names. In order for the simple access
3568de757bac0b47256647504c186d17ca272f85rbb * provider to work correctly, we need to resolve the groups before
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz * performing the access check. In AD provider, the situation is
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard * even more tricky b/c the groups HAVE name, but their name
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard * attribute is set to SID and they are set as non-POSIX
3568de757bac0b47256647504c186d17ca272f85rbb gid = ldb_msg_find_attr_as_uint64(user, SYSDB_GIDNUM, 0);
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz DEBUG(SSSDBG_MINOR_FAILURE, ("User %s has no gid?\n", username));
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz ret = simple_check_get_groups_primary(state, gid);
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard /* If all groups could have been resolved by name, we are
3568de757bac0b47256647504c186d17ca272f85rbb DEBUG(SSSDBG_TRACE_FUNC, ("All groups had name attribute\n"));
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz DEBUG(SSSDBG_TRACE_FUNC, ("Need to resolve %zu groups\n",
beb70d51e435dc36c56a72b6cd83556c04db9283wrowe subreq = simple_resolve_group_send(req, state->ev, state->ctx,
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard tevent_req_set_callback(subreq, simple_check_get_groups_next, req);
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddardstatic void simple_check_get_groups_next(struct tevent_req *subreq)
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard tevent_req_callback_data(subreq, struct tevent_req);
cd8f8c995d415473f3bfb0b329b2450f2a722c3atrawick tevent_req_data(req, struct simple_check_groups_state);
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard ret = simple_resolve_group_recv(subreq, state->group_names,
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard ("Could not resolve name of group with GID %"SPRIgid"\n",
c0659e61002e9d6ff77b2dca72540e0af1b2ca64stoddard subreq = simple_resolve_group_send(req, state->ev, state->ctx,
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick tevent_req_set_callback(subreq, simple_check_get_groups_next, req);
f886987cd0bd4220c14043c4d9be77ec22902e73trawick DEBUG(SSSDBG_TRACE_INTERNAL, ("All groups resolved. Done.\n"));
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawicksimple_check_process_group(struct simple_check_groups_state *state,
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz const char *name;
2e7f1d7da527c09e717251e186deffe55e6fbd0ftrawick name = ldb_msg_find_attr_as_string(group, SYSDB_NAME, NULL);
2e7f1d7da527c09e717251e186deffe55e6fbd0ftrawick gid = ldb_msg_find_attr_as_uint64(group, SYSDB_GIDNUM, 0);
64c351fd973428b5bb4c28e983fa86875ea4e60fdougm /* With the current sysdb layout, every group has a name */
e8f95a682820a599fe41b22977010636be5c2717jim if (posix == true) {
64c351fd973428b5bb4c28e983fa86875ea4e60fdougm DEBUG(SSSDBG_CRIT_FAILURE, ("POSIX group without GID\n"));
64c351fd973428b5bb4c28e983fa86875ea4e60fdougm /* Non-posix group with a name. Still can be used for access
64c351fd973428b5bb4c28e983fa86875ea4e60fdougm * control as the name should point to the real name, no SID
64c351fd973428b5bb4c28e983fa86875ea4e60fdougm state->group_names[state->num_names] = talloc_strdup(state->group_names,
36c8049de63c446926139936c3d195330a0539cetrawick DEBUG(SSSDBG_TRACE_INTERNAL, ("Adding group %s\n", name));
36c8049de63c446926139936c3d195330a0539cetrawick /* Here are only groups with a name and gid. POSIX group can already
e8f95a682820a599fe41b22977010636be5c2717jim * be used, non-POSIX groups can be resolved */
64c351fd973428b5bb4c28e983fa86875ea4e60fdougm state->group_names[state->num_names] = talloc_strdup(state->group_names,
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick DEBUG(SSSDBG_TRACE_INTERNAL, ("Adding group %s\n", name));
36c8049de63c446926139936c3d195330a0539cetrawick /* Try to get group SID and assign it a domain */
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick group_sid = ldb_msg_find_attr_as_string(group, SYSDB_SID_STR, NULL);
64c351fd973428b5bb4c28e983fa86875ea4e60fdougm /* We will look it up in main domain. */
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick domain = find_subdomain_by_sid(state->ctx->domain, group_sid);
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick DEBUG(SSSDBG_CRIT_FAILURE, ("There is no domain information for "
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick /* It is a non-posix group with a GID. Needs resolving */
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick state->lookup_groups[state->num_groups].domain = domain;
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick DEBUG(SSSDBG_TRACE_INTERNAL, ("Adding GID %"SPRIgid"\n", gid));
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawicksimple_check_get_groups_primary(struct simple_check_groups_state *state,
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick const char *group_attrs[] = { SYSDB_NAME, SYSDB_POSIX,
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick ret = sysdb_search_group_by_gid(state, state->domain->sysdb, state->domain,
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick ("Could not look up primary group [%"SPRIgid"]: [%d][%s]\n",
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick /* We have to treat this as non-fatal, because the primary
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick * group may be local to the machine and not available in
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick * our ID provider.
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick DEBUG(SSSDBG_OP_FAILURE, ("Cannot process primary group\n"));
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick const char ***_group_names)
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick state = tevent_req_data(req, struct simple_check_groups_state);
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick *_group_names = talloc_steal(mem_ctx, state->group_names);
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick const char *username;
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick const char **group_names;
2e7f1d7da527c09e717251e186deffe55e6fbd0ftrawickstatic void simple_access_check_done(struct tevent_req *subreq);
36c8049de63c446926139936c3d195330a0539cetrawickstruct tevent_req *simple_access_check_send(TALLOC_CTX *mem_ctx,
f886987cd0bd4220c14043c4d9be77ec22902e73trawick const char *username)
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick DEBUG(SSSDBG_FUNC_DATA, ("Simple access check for %s\n", username));
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick ret = simple_check_users(ctx, username, &state->access_granted);
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick /* EAGAIN -- check groups */
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick /* There are no group restrictions, so just return
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick * here with whatever we've decided.
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick DEBUG(SSSDBG_TRACE_LIBS, ("No group restrictions, end request\n"));
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick /* The group names might not be available. Fire a request to
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick * gather them. In most cases, the request will just shortcut
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick subreq = simple_check_get_groups_send(state, ev, ctx, username);
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick tevent_req_set_callback(subreq, simple_access_check_done, req);
e8f95a682820a599fe41b22977010636be5c2717jimstatic void simple_access_check_done(struct tevent_req *subreq)
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick tevent_req_callback_data(subreq, struct tevent_req);
44d2e75323651320b480d8bc2f098448a08de4fcwrowe tevent_req_data(req, struct simple_access_check_state);
44d2e75323651320b480d8bc2f098448a08de4fcwrowe /* We know the names now. Run the check. */
44d2e75323651320b480d8bc2f098448a08de4fcwrowe ret = simple_check_get_groups_recv(subreq, state, &state->group_names);
44d2e75323651320b480d8bc2f098448a08de4fcwrowe /* If the user wasn't found, just shortcut */
8bfe865d8d61be4ba4a89e45427a3c4211ebabdctrawick ("Could not collect groups of user %s\n", state->username));
1ec8bd0373f11c07688ec9afbbf778cf78a0bc52wrowe ret = simple_check_groups(state->ctx, state->group_names,
f886987cd0bd4220c14043c4d9be77ec22902e73trawick DEBUG(SSSDBG_OP_FAILURE, ("Could not check group access [%d]: %s\n",
1ec8bd0373f11c07688ec9afbbf778cf78a0bc52wrowe /* Now just return whatever we decided */
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantzerrno_t simple_access_check_recv(struct tevent_req *req, bool *access_granted)
28c170ac8e99644de58cad454c6e0f9b4b359be6jerenkrantz ("Access %sgranted\n", state->access_granted ? "" : "not "));