xref: /onnv-gate/usr/src/lib/libnsl/rpc/netnamer.c (revision 0)

/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License, Version 1.0 only
 * (the "License").  You may not use this file except in compliance
 * with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 *
 * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */
/* Copyright (c) 1983, 1984, 1985, 1986, 1987, 1988, 1989 AT&T */
/* All Rights Reserved */
/*
 * Portions of this source code were derived from Berkeley
 * 4.3 BSD under license from the Regents of the University of
 * California.
 */
/*
 * ==== hack-attack:  possibly MT-safe but definitely not MT-hot.
 * ==== turn this into a real switch frontend and backends
 *
 * Well, at least the API doesn't involve pointers-to-static.
 */

#pragma ident	"%Z%%M%	%I%	%E% SMI"

/*
 * netname utility routines convert from netnames to unix names (uid, gid)
 *
 * This module is operating system dependent!
 * What we define here will work with any unix system that has adopted
 * the Sun NIS domain architecture.
 */

#undef NIS
#include "mt.h"
#include "rpc_mt.h"
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <rpc/trace.h>
#include <ctype.h>
#include <grp.h>
#include <pwd.h>
#include <string.h>
#include <syslog.h>
#include <sys/param.h>
#include <nsswitch.h>
#include <rpc/rpc.h>
#include <rpcsvc/nis.h>
#include <rpcsvc/ypclnt.h>
#include "nsl_stdio_prv.h"
#include <nss_dbdefs.h>

static const char    OPSYS[]	= "unix";
static const char    NETIDFILE[] = "/etc/netid";
static const char    NETID[]	= "netid.byname";
static const char    PKTABLE[]  = "cred.org_dir";
#define	PKTABLE_LEN 12
#define	OPSYS_LEN 4

#ifndef NGROUPS
#define	NGROUPS 16
#endif

extern int _getgroupsbymember(const char *, gid_t[], int, int);

/*
 * the value for NOBODY_UID is set by the SVID. The following define also
 * appears in netname.c
 */

#define	NOBODY_UID 60001

/*
 *	default publickey policy:
 *		publickey: nis [NOTFOUND = return] files
 */


/*		NSW_NOTSUCCESS  NSW_NOTFOUND   NSW_UNAVAIL    NSW_TRYAGAIN */
#define	DEF_ACTION {__NSW_RETURN, __NSW_RETURN, __NSW_CONTINUE, __NSW_CONTINUE}

static struct __nsw_lookup lookup_files = {"files", DEF_ACTION, NULL, NULL},
		lookup_nis = {"nis", DEF_ACTION, NULL, &lookup_files};
static struct __nsw_switchconfig publickey_default =
			{0, "publickey", 2, &lookup_nis};

static mutex_t serialize_netname_r = DEFAULTMUTEX;

struct netid_userdata {
	uid_t	*uidp;
	gid_t	*gidp;
	int	*gidlenp;
	gid_t	*gidlist;
};

static int
parse_uid(s, argp)
	char *s;
	struct netid_userdata *argp;
{
	uid_t	u;

	trace1(TR_parse_uid, 0);

	if (!s || !isdigit(*s)) {
		syslog(LOG_ERR,
			"netname2user: expecting uid '%s'", s);
		trace1(TR_parse_uid, 1);
		return (__NSW_NOTFOUND); /* xxx need a better error */
	}

	/* Fetch the uid */
	u = (uid_t)(atoi(s));

	if (u == 0) {
		syslog(LOG_ERR, "netname2user: should not have uid 0");
		trace1(TR_parse_uid, 1);
		return (__NSW_NOTFOUND);
	}
	*(argp->uidp) = u;
	trace1(TR_parse_uid, 1);
	return (__NSW_SUCCESS);
}


/* parse a comma separated gid list */
static int
parse_gidlist(p, argp)
	char *p;
	struct netid_userdata *argp;
{
	int len;
	gid_t	g;

	trace1(TR_parse_gidlist, 0);
	if (! p || (! isdigit(*p))) {
		syslog(LOG_ERR,
			"netname2user: missing group id list in '%s'.",
			p);
		trace1(TR_parse_gidlist, 1);
		return (__NSW_NOTFOUND);
	}

	g = (gid_t)(atoi(p));
	*(argp->gidp) = g;

	len = 0;
	while (p = strchr(p, ','))
		argp->gidlist[len++] = (gid_t)atoi(++p);
	*(argp->gidlenp) = len;
	trace1(TR_parse_gidlist, 1);
	return (__NSW_SUCCESS);
}


/*
 * parse_netid_str()
 *
 * Parse uid and group information from the passed string.
 *
 * The format of the string passed is
 * 	uid:gid,grp,grp, ...
 *
 */
static int
parse_netid_str(s, argp)
	char	*s;
	struct netid_userdata *argp;
{
	char	*p;
	int	err;

	trace1(TR_parse_netid_str, 0);

	/* get uid */
	err = parse_uid(s, argp);
	if (err != __NSW_SUCCESS) {
		trace1(TR_parse_netid_str, 1);
		return (err);
	}


	/* Now get the group list */
	p = strchr(s, ':');
	if (!p) {
		syslog(LOG_ERR,
			"netname2user: missing group id list in '%s'",
			s);
		trace1(TR_parse_netid_str, 1);
		return (__NSW_NOTFOUND);
	}
	++p;			/* skip ':' */
	err = parse_gidlist(p, argp);
	trace1(TR_parse_netid_str, 1);
	return (err);
}

static int
parse_uid_gidlist(ustr, gstr, argp)
	char *ustr;
	char *gstr;
	struct netid_userdata *argp;
{
	int	err;

	trace1(TR_parse_uid_gidlist, 0);

	/* get uid */
	err = parse_uid(ustr, argp);
	if (err != __NSW_SUCCESS) {
		trace1(TR_parse_uid_gidlist, 1);
		return (err);
	}

	/* Now get the group list */
	err = parse_gidlist(gstr, argp);
	trace1(TR_parse_uid_gidlist, 1);
	return (err);
}


/*
 * netname2user_files()
 *
 * This routine fetches the netid information from the "files" nameservice.
 * ie /etc/netid.
 */
static int
netname2user_files(err, netname, argp)
int *err;
char *netname;
struct netid_userdata *argp;
{
	char 	buf[512];	/* one line from the file */
	char	*name;
	char	*value;
	char 	*res;
	__NSL_FILE *fd;

	trace1(TR_netname2user_files, 0);
	fd = __nsl_fopen(NETIDFILE, "r");
	if (fd == (__NSL_FILE *)0) {
		*err = __NSW_UNAVAIL;
		trace1(TR_netname2user_files, 1);
		return (0);
	}
	/*
	 * for each line in the file parse it appropriately
	 * file format is :
	 *	netid	uid:grp,grp,grp # for users
	 *	netid	0:hostname	# for hosts
	 */
	while (! __nsl_feof(fd)) {
		res = __nsl_fgets(buf, 512, fd);
		if (res == NULL)
			break;

		/* Skip comments and blank lines */
		if ((*res == '#') || (*res == '\n'))
			continue;

		name = &(buf[0]);
		while (isspace(*name))
			name++;
		if (*name == '\0')	/* blank line continue */
			continue;
		value = name;		/* will contain the value eventually */
		while (! isspace(*value))
			value++;
		if (*value == '\0') {
			syslog(LOG_WARNING,
				"netname2user: badly formatted line in %s.",
				NETIDFILE);
			continue;
		}
		*value++ = '\0'; /* nul terminate the name */

		if (strcasecmp(name, netname) == 0) {
			__nsl_fclose(fd);
			while (isspace(*value))
				value++;
			*err = parse_netid_str(value, argp);
			trace1(TR_netname2user_files, 1);
			return (*err == __NSW_SUCCESS);
		}
	}
	__nsl_fclose(fd);
	*err = __NSW_NOTFOUND;
	trace1(TR_netname2user_files, 1);
	return (0);
}

/*
 * netname2user_nis()
 *
 * This function reads the netid from the NIS (YP) nameservice.
 */
static int
netname2user_nis(err, netname, argp)
	int *err;
	char *netname;
	struct netid_userdata *argp;
{
	char *domain;
	int yperr;
	char *lookup;
	int len;

	trace1(TR_netname2user_nis, 0);
	domain = strchr(netname, '@');
	if (! domain) {
		*err = __NSW_UNAVAIL;
		trace1(TR_netname2user_nis, 1);
		return (0);
	}

	/* Point past the '@' character */
	domain++;
	lookup = NULL;
	yperr = yp_match(domain, (char *)NETID, netname, strlen(netname),
			&lookup, &len);
	switch (yperr) {
		case 0:
			break; /* the successful case */

		default :
			/*
			 *  XXX not sure about yp_match semantics.
			 * should err be set to NOTFOUND here?
			 */
			*err = __NSW_UNAVAIL;
			trace1(TR_netname2user_nis, 1);
			return (0);
	}
	if (lookup) {
		lookup[len] = '\0';
		*err = parse_netid_str(lookup, argp);
		free(lookup);
		trace1(TR_netname2user_nis, 1);
		return (*err == __NSW_SUCCESS);
	} else {
		trace1(TR_netname2user_nis, 1);
		*err = __NSW_NOTFOUND;
		return (0);
	}
}

/*
 * Obtain user information (uid, gidlist) from nisplus.
 * What we're trying to do here is to map a netname into
 * local unix information (uid, gids), relevant in
 * the *local* domain.
 *
 *	 cname   auth_type auth_name public  private
 * ----------------------------------------------------------
 *	nisname   DES     netname   pubkey  prikey
 *	nisname   LOCAL   uid       gidlist
 *
 * 1.  Find out which 'home' domain to look for user's DES entry.
 *	This is gotten from the domain part of the netname.
 * 2.  Get the nisplus principal name from the DES entry in the cred
 *	table of user's home domain.
 * 3.  Use the nisplus principal name and search in the cred table of
 *	the *local* directory for the LOCAL entry.
 *
 * Note that we need this translation of netname to <uid,gidlist> to be
 * secure, so we *must* use authenticated connections.
 */
static int
netname2user_nisplus(err, netname, argp)
	int *err;
	char *netname;
	struct netid_userdata *argp;
{
	char *domain;
	nis_result *res;
	char	sname[NIS_MAXNAMELEN+1]; /*  search criteria + table name */
	char	principal[NIS_MAXNAMELEN+1];
	int len;

	trace1(TR_netname2user_nisplus, 0);


	/* 1.  Get home domain of user. */
	domain = strchr(netname, '@');
	if (! domain) {
		*err = __NSW_UNAVAIL;
		trace1(TR_netname2user_nisplus, 1);
		return (0);
	}
	domain++;  /* skip '@' */


	/* 2.  Get user's nisplus principal name.  */
	if ((strlen(netname)+strlen(domain)+PKTABLE_LEN+32) >
		(size_t)NIS_MAXNAMELEN) {
		*err = __NSW_UNAVAIL;
		trace1(TR_netname2user_nisplus, 1);
		return (0);
	}
	sprintf(sname, "[auth_name=\"%s\",auth_type=DES],%s.%s",
		netname, PKTABLE, domain);
	if (sname[strlen(sname) - 1] != '.')
		strcat(sname, ".");

	/* must use authenticated call here */
	/* XXX but we cant, for now. XXX */
	res = nis_list(sname, USE_DGRAM+NO_AUTHINFO+FOLLOW_LINKS+FOLLOW_PATH,
	    NULL, NULL);
	switch (res->status) {
	case NIS_SUCCESS:
	case NIS_S_SUCCESS:
		break;   /* go and do something useful */
	case NIS_NOTFOUND:
	case NIS_PARTIAL:
	case NIS_NOSUCHNAME:
	case NIS_NOSUCHTABLE:
		*err = __NSW_NOTFOUND;
		nis_freeresult(res);
		trace1(TR_netname2user_nisplus, 1);
		return (0);
	case NIS_S_NOTFOUND:
	case NIS_TRYAGAIN:
		*err = __NSW_TRYAGAIN;
		syslog(LOG_ERR,
			"netname2user: (nis+ lookup): %s\n",
			nis_sperrno(res->status));
		nis_freeresult(res);
		trace1(TR_netname2user_nisplus, 1);
		return (0);
	default:
		*err = __NSW_UNAVAIL;
		syslog(LOG_ERR, "netname2user: (nis+ lookup): %s\n",
			nis_sperrno(res->status));
		nis_freeresult(res);
		trace1(TR_netname2user_nisplus, 1);
		return (0);
	}

	if (res->objects.objects_len > 1) {
		/*
		 * A netname belonging to more than one principal?
		 * Something wrong with cred table. should be unique.
		 * Warn user and continue.
		 */
		syslog(LOG_ALERT,
			"netname2user: DES entry for %s in \
			directory %s not unique",
			netname, domain);
	}

	len = ENTRY_LEN(res->objects.objects_val, 0);
	strncpy(principal, ENTRY_VAL(res->objects.objects_val, 0), len);
	principal[len] = '\0';
	nis_freeresult(res);

	if (principal[0] == '\0') {
		*err = __NSW_UNAVAIL;
		trace1(TR_netname2user_nisplus, 1);
		return (0);
	}

	/*
	 *	3.  Use principal name to look up uid/gid information in
	 *	LOCAL entry in **local** cred table.
	 */
	domain = nis_local_directory();
	if ((strlen(principal)+strlen(domain)+PKTABLE_LEN+30) >
		(size_t)NIS_MAXNAMELEN) {
		*err = __NSW_UNAVAIL;
		syslog(LOG_ERR, "netname2user: principal name '%s' too long",
			principal);
		trace1(TR_netname2user_nisplus, 1);
		return (0);
	}
	sprintf(sname, "[cname=\"%s\",auth_type=LOCAL],%s.%s",
		principal, PKTABLE, domain);
	if (sname[strlen(sname) - 1] != '.')
		strcat(sname, ".");

	/* must use authenticated call here */
	/* XXX but we cant, for now. XXX */
	res = nis_list(sname, USE_DGRAM+NO_AUTHINFO+FOLLOW_LINKS+FOLLOW_PATH,
	    NULL, NULL);
	switch (res->status) {
	case NIS_NOTFOUND:
	case NIS_PARTIAL:
	case NIS_NOSUCHNAME:
	case NIS_NOSUCHTABLE:
		*err = __NSW_NOTFOUND;
		nis_freeresult(res);
		trace1(TR_netname2user_nisplus, 1);
		return (0);
	case NIS_S_NOTFOUND:
	case NIS_TRYAGAIN:
		*err = __NSW_TRYAGAIN;
		syslog(LOG_ERR,
			"netname2user: (nis+ lookup): %s\n",
			nis_sperrno(res->status));
		nis_freeresult(res);
		trace1(TR_netname2user_nisplus, 1);
		return (0);
	case NIS_SUCCESS:
	case NIS_S_SUCCESS:
		break;   /* go and do something useful */
	default:
		*err = __NSW_UNAVAIL;
		syslog(LOG_ERR, "netname2user: (nis+ lookup): %s\n",
			nis_sperrno(res->status));
		nis_freeresult(res);
		trace1(TR_netname2user_nisplus, 1);
		return (0);
	}

	if (res->objects.objects_len > 1) {
		/*
		 * A principal can have more than one LOCAL entry?
		 * Something wrong with cred table.
		 * Warn user and continue.
		 */
		syslog(LOG_ALERT,
			"netname2user: LOCAL entry for %s in\
				directory %s not unique",
			netname, domain);
	}
	/* nisname	LOCAL	uid 	grp,grp,grp */
	*err = parse_uid_gidlist(ENTRY_VAL(res->objects.objects_val, 2),
					/* uid */
			ENTRY_VAL(res->objects.objects_val, 3), /* gids */
			argp);
	nis_freeresult(res);
	trace1(TR_netname2user_nisplus, 1);
	return (*err == __NSW_SUCCESS);
}

/*
 * Build the uid and gid from the netname for users in LDAP.
 * There is no netid container in LDAP. For this we build
 * the netname to user data dynamically from the passwd and
 * group data. This works only for users in a single domain.
 * This function is an interim solution until we support a
 * netid container in LDAP which enables us to do netname2user
 * resolution for multiple domains.
 */
static int
netname2user_ldap(err, netname, argp)
	int *err;
	char *netname;
	struct netid_userdata *argp;
{

	char buf[NSS_LINELEN_PASSWD];
	char *p1, *p2, *lasts;
	struct passwd pw;
	uid_t uidnu;
	int ngroups = 0;
	int count;
	char pwbuf[NSS_LINELEN_PASSWD];
	gid_t groups[NGROUPS_MAX];

	if (strlcpy(buf, netname, NSS_LINELEN_PASSWD) >= NSS_LINELEN_PASSWD) {
		*err = __NSW_UNAVAIL;
		return (0);
	}

	/* get the uid from the netname */
	if ((p1 = strtok_r(buf, ".", &lasts)) == NULL) {
		*err = __NSW_UNAVAIL;
		return (0);
	}
	if ((p2 = strtok_r(NULL, "@", &lasts)) == NULL) {
		*err = __NSW_UNAVAIL;
		return (0);
	}
	uidnu = atoi(p2);

	/*
	 * check out the primary group and crosscheck the uid
	 * with the passwd data
	 */
	if ((getpwuid_r(uidnu, &pw, pwbuf, sizeof (pwbuf))) == NULL) {
		*err = __NSW_UNAVAIL;
		return (0);
	}

	*(argp->uidp) = pw.pw_uid;
	*(argp->gidp) = pw.pw_gid;

	/* search through all groups for membership */

	groups[0] = pw.pw_gid;

	ngroups = _getgroupsbymember(pw.pw_name, groups, NGROUPS_MAX,
				(pw.pw_gid >= 0) ? 1 : 0);

	if (ngroups < 0) {
		*err = __NSW_UNAVAIL;
		return (0);
	}

	*(argp->gidlenp) = ngroups;

	for (count = 0; count < ngroups; count++) {
		(argp->gidlist[count]) = groups[count];
	}

	*err = __NSW_SUCCESS;
	return (1);

}

/*
 * Convert network-name into unix credential
 */
int
netname2user(netname, uidp, gidp, gidlenp, gidlist)
	const char netname[MAXNETNAMELEN + 1];
	uid_t *uidp;
	gid_t *gidp;
	int *gidlenp;
	gid_t *gidlist;
{
	struct __nsw_switchconfig *conf;
	struct __nsw_lookup *look;
	enum __nsw_parse_err perr;
	int needfree = 1, res;
	struct netid_userdata argp;
	int err;

	trace1(TR_netname2user, 0);

	/*
	 * Take care of the special case of nobody. Compare the netname
	 * to the string "nobody". If they are equal, return the SVID
	 * standard value for nobody.
	 */

	if (strcmp(netname, "nobody") == 0) {
		*uidp = NOBODY_UID;
		*gidp = NOBODY_UID;
		*gidlenp = 0;
		return (1);
	}

	/*
	 * First we do some generic sanity checks on the name we were
	 * passed. This lets us assume they are correct in the backends.
	 *
	 * NOTE: this code only recognizes names of the form :
	 *		unix.UID@domainname
	 */
	if (strncmp(netname, OPSYS, OPSYS_LEN) != 0) {
		trace1(TR_netname2user, 1);
		return (0);
	}
	if (! isdigit(netname[OPSYS_LEN+1])) { /* check for uid string */
		trace1(TR_netname2user, 1);
		return (0);
	}

	argp.uidp = uidp;
	argp.gidp = gidp;
	argp.gidlenp = gidlenp;
	argp.gidlist = gidlist;
	mutex_lock(&serialize_netname_r);

	conf = __nsw_getconfig("publickey", &perr);
	if (! conf) {
		conf = &publickey_default;
		needfree = 0;
	} else
		needfree = 1; /* free the config structure */

	for (look = conf->lookups; look; look = look->next) {
		if (strcmp(look->service_name, "nisplus") == 0)
			res = netname2user_nisplus(&err,
						(char *)netname, &argp);
		else if (strcmp(look->service_name, "nis") == 0)
			res = netname2user_nis(&err, (char *)netname, &argp);
		else if (strcmp(look->service_name, "files") == 0)
			res = netname2user_files(&err, (char *)netname, &argp);
		else if (strcmp(look->service_name, "ldap") == 0)
			res = netname2user_ldap(&err, (char *)netname, &argp);
		else {
			syslog(LOG_INFO,
		"netname2user: unknown nameservice for publickey info '%s'\n",
						look->service_name);
			err = __NSW_UNAVAIL;
		}
		switch (look->actions[err]) {
			case __NSW_CONTINUE :
				break;
			case __NSW_RETURN :
				if (needfree)
					__nsw_freeconfig(conf);
				mutex_unlock(&serialize_netname_r);
				trace1(TR_netname2user, 1);
				return (res);
			default :
				syslog(LOG_ERR,
			"netname2user: Unknown action for nameservice '%s'",
							look->service_name);
		}
	}
	if (needfree)
		__nsw_freeconfig(conf);
	mutex_unlock(&serialize_netname_r);
	trace1(TR_netname2user, 1);
	return (0);
}

/*
 * Convert network-name to hostname (fully qualified)
 * NOTE: this code only recognizes names of the form :
 *		unix.HOST@domainname
 *
 * This is very simple.  Since the netname is of the form:
 *	unix.host@domainname
 * We just construct the hostname using information from the domainname.
 */
int
netname2host(netname, hostname, hostlen)
	const char netname[MAXNETNAMELEN + 1];
	char *hostname;
	int hostlen;
{
	char *p, *domainname;
	int len, dlen;

	trace1(TR_netname2host, 0);

	if (!netname) {
		syslog(LOG_ERR, "netname2host: null netname");
		goto bad_exit;
	}

	if (strncmp(netname, OPSYS, OPSYS_LEN) != 0)
		goto bad_netname;
	p = (char *)netname + OPSYS_LEN;	/* skip OPSYS part */
	if (*p != '.')
		goto bad_netname;
	++p;				/* skip '.' */

	domainname = strchr(p, '@');	/* get domain name */
	if (domainname == 0)
		goto bad_netname;

	len = domainname - p;		/* host sits between '.' and '@' */
	domainname++;			/* skip '@' sign */

	if (len <= 0)
		goto bad_netname;

	if (hostlen < len) {
		syslog(LOG_ERR,
			"netname2host: insufficient space for hostname");
		goto bad_exit;
	}

	if (isdigit(*p))		/* don't want uid here */
		goto bad_netname;

	if (*p == '\0')			/* check for null hostname */
		goto bad_netname;

	strncpy(hostname, p, len);

	/* make into fully qualified hostname by concatenating domain part */
	dlen = strlen(domainname);
	if (hostlen < (len + dlen + 2)) {
		syslog(LOG_ERR,
			"netname2host: insufficient space for hostname");
		goto bad_exit;
	}

	hostname[len] = '.';
	strncpy(hostname+len+1, domainname, dlen);
	hostname[len+dlen+1] = '\0';

	trace1(TR_netname2host, 1);
	return (1);


bad_netname:
	syslog(LOG_ERR, "netname2host: invalid host netname %s", netname);

bad_exit:
	hostname[0] = '\0';
	trace1(TR_netname2host, 1);
	return (0);
}