1*0Sstevel@tonic-gate /* 2*0Sstevel@tonic-gate * CDDL HEADER START 3*0Sstevel@tonic-gate * 4*0Sstevel@tonic-gate * The contents of this file are subject to the terms of the 5*0Sstevel@tonic-gate * Common Development and Distribution License, Version 1.0 only 6*0Sstevel@tonic-gate * (the "License"). You may not use this file except in compliance 7*0Sstevel@tonic-gate * with the License. 8*0Sstevel@tonic-gate * 9*0Sstevel@tonic-gate * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 10*0Sstevel@tonic-gate * or http://www.opensolaris.org/os/licensing. 11*0Sstevel@tonic-gate * See the License for the specific language governing permissions 12*0Sstevel@tonic-gate * and limitations under the License. 13*0Sstevel@tonic-gate * 14*0Sstevel@tonic-gate * When distributing Covered Code, include this CDDL HEADER in each 15*0Sstevel@tonic-gate * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 16*0Sstevel@tonic-gate * If applicable, add the following below this CDDL HEADER, with the 17*0Sstevel@tonic-gate * fields enclosed by brackets "[]" replaced with your own identifying 18*0Sstevel@tonic-gate * information: Portions Copyright [yyyy] [name of copyright owner] 19*0Sstevel@tonic-gate * 20*0Sstevel@tonic-gate * CDDL HEADER END 21*0Sstevel@tonic-gate */ 22*0Sstevel@tonic-gate /* 23*0Sstevel@tonic-gate * Copyright 2005 Sun Microsystems, Inc. All rights reserved. 24*0Sstevel@tonic-gate * Use is subject to license terms. 25*0Sstevel@tonic-gate */ 26*0Sstevel@tonic-gate 27*0Sstevel@tonic-gate #pragma ident "%Z%%M% %I% %E% SMI" 28*0Sstevel@tonic-gate 29*0Sstevel@tonic-gate #include <stdio.h> 30*0Sstevel@tonic-gate #include <stdlib.h> 31*0Sstevel@tonic-gate #include <strings.h> 32*0Sstevel@tonic-gate #include <auth_attr.h> 33*0Sstevel@tonic-gate #include <prof_attr.h> 34*0Sstevel@tonic-gate #include <user_attr.h> 35*0Sstevel@tonic-gate #include <project.h> 36*0Sstevel@tonic-gate #include <secdb.h> 37*0Sstevel@tonic-gate #include <pwd.h> 38*0Sstevel@tonic-gate #include <unistd.h> 39*0Sstevel@tonic-gate #include <priv.h> 40*0Sstevel@tonic-gate #include <errno.h> 41*0Sstevel@tonic-gate #include "funcs.h" 42*0Sstevel@tonic-gate #include "messages.h" 43*0Sstevel@tonic-gate #include "userdefs.h" 44*0Sstevel@tonic-gate 45*0Sstevel@tonic-gate typedef struct ua_key { 46*0Sstevel@tonic-gate const char *key; 47*0Sstevel@tonic-gate const char *(*check)(const char *); 48*0Sstevel@tonic-gate const char *errstr; 49*0Sstevel@tonic-gate char *newvalue; 50*0Sstevel@tonic-gate } ua_key_t; 51*0Sstevel@tonic-gate 52*0Sstevel@tonic-gate static const char role[] = "role name"; 53*0Sstevel@tonic-gate static const char prof[] = "profile name"; 54*0Sstevel@tonic-gate static const char proj[] = "project name"; 55*0Sstevel@tonic-gate static const char priv[] = "privilege set"; 56*0Sstevel@tonic-gate static const char auth[] = "authorization"; 57*0Sstevel@tonic-gate static const char type[] = "user type"; 58*0Sstevel@tonic-gate static const char lock[] = "lock_after_retries value"; 59*0Sstevel@tonic-gate 60*0Sstevel@tonic-gate 61*0Sstevel@tonic-gate static const char *check_auth(const char *); 62*0Sstevel@tonic-gate static const char *check_prof(const char *); 63*0Sstevel@tonic-gate static const char *check_role(const char *); 64*0Sstevel@tonic-gate static const char *check_proj(const char *); 65*0Sstevel@tonic-gate static const char *check_privset(const char *); 66*0Sstevel@tonic-gate static const char *check_type(const char *); 67*0Sstevel@tonic-gate static const char *check_lock_after_retries(const char *); 68*0Sstevel@tonic-gate 69*0Sstevel@tonic-gate int nkeys; 70*0Sstevel@tonic-gate 71*0Sstevel@tonic-gate static ua_key_t keys[] = { 72*0Sstevel@tonic-gate /* First entry is always set correctly in main() */ 73*0Sstevel@tonic-gate { USERATTR_TYPE_KW, check_type, type }, 74*0Sstevel@tonic-gate { USERATTR_AUTHS_KW, check_auth, auth }, 75*0Sstevel@tonic-gate { USERATTR_PROFILES_KW, check_prof, prof }, 76*0Sstevel@tonic-gate { USERATTR_ROLES_KW, check_role, role }, 77*0Sstevel@tonic-gate { USERATTR_DEFAULTPROJ_KW, check_proj, proj }, 78*0Sstevel@tonic-gate { USERATTR_LIMPRIV_KW, check_privset, priv }, 79*0Sstevel@tonic-gate { USERATTR_DFLTPRIV_KW, check_privset, priv }, 80*0Sstevel@tonic-gate { USERATTR_LOCK_AFTER_RETRIES_KW, check_lock_after_retries, lock }, 81*0Sstevel@tonic-gate }; 82*0Sstevel@tonic-gate 83*0Sstevel@tonic-gate #define NKEYS (sizeof (keys)/sizeof (ua_key_t)) 84*0Sstevel@tonic-gate 85*0Sstevel@tonic-gate /* 86*0Sstevel@tonic-gate * Change a key, there are three different call sequences: 87*0Sstevel@tonic-gate * 88*0Sstevel@tonic-gate * key, value - key with option letter, value. 89*0Sstevel@tonic-gate * NULL, value - -K key=value option. 90*0Sstevel@tonic-gate */ 91*0Sstevel@tonic-gate 92*0Sstevel@tonic-gate void 93*0Sstevel@tonic-gate change_key(const char *key, char *value) 94*0Sstevel@tonic-gate { 95*0Sstevel@tonic-gate int i; 96*0Sstevel@tonic-gate const char *res; 97*0Sstevel@tonic-gate 98*0Sstevel@tonic-gate if (key == NULL) { 99*0Sstevel@tonic-gate key = value; 100*0Sstevel@tonic-gate value = strchr(value, '='); 101*0Sstevel@tonic-gate /* Bad value */ 102*0Sstevel@tonic-gate if (value == NULL) { 103*0Sstevel@tonic-gate errmsg(M_INVALID_VALUE); 104*0Sstevel@tonic-gate exit(EX_BADARG); 105*0Sstevel@tonic-gate } 106*0Sstevel@tonic-gate *value++ = '\0'; 107*0Sstevel@tonic-gate } 108*0Sstevel@tonic-gate 109*0Sstevel@tonic-gate for (i = 0; i < NKEYS; i++) { 110*0Sstevel@tonic-gate if (strcmp(key, keys[i].key) == 0) { 111*0Sstevel@tonic-gate if (keys[i].newvalue != NULL) { 112*0Sstevel@tonic-gate /* Can't set a value twice */ 113*0Sstevel@tonic-gate errmsg(M_REDEFINED_KEY, key); 114*0Sstevel@tonic-gate exit(EX_BADARG); 115*0Sstevel@tonic-gate } 116*0Sstevel@tonic-gate 117*0Sstevel@tonic-gate if (keys[i].check != NULL && 118*0Sstevel@tonic-gate (res = keys[i].check(value)) != NULL) { 119*0Sstevel@tonic-gate errmsg(M_INVALID, res, keys[i].errstr); 120*0Sstevel@tonic-gate exit(EX_BADARG); 121*0Sstevel@tonic-gate } 122*0Sstevel@tonic-gate keys[i].newvalue = value; 123*0Sstevel@tonic-gate nkeys++; 124*0Sstevel@tonic-gate return; 125*0Sstevel@tonic-gate } 126*0Sstevel@tonic-gate } 127*0Sstevel@tonic-gate errmsg(M_INVALID_KEY, key); 128*0Sstevel@tonic-gate exit(EX_BADARG); 129*0Sstevel@tonic-gate } 130*0Sstevel@tonic-gate 131*0Sstevel@tonic-gate /* 132*0Sstevel@tonic-gate * Add the keys to the argument vector. 133*0Sstevel@tonic-gate */ 134*0Sstevel@tonic-gate void 135*0Sstevel@tonic-gate addkey_args(char **argv, int *index) 136*0Sstevel@tonic-gate { 137*0Sstevel@tonic-gate int i; 138*0Sstevel@tonic-gate 139*0Sstevel@tonic-gate for (i = 0; i < NKEYS; i++) { 140*0Sstevel@tonic-gate const char *key = keys[i].key; 141*0Sstevel@tonic-gate char *val = keys[i].newvalue; 142*0Sstevel@tonic-gate size_t len; 143*0Sstevel@tonic-gate char *arg; 144*0Sstevel@tonic-gate 145*0Sstevel@tonic-gate if (val == NULL) 146*0Sstevel@tonic-gate continue; 147*0Sstevel@tonic-gate 148*0Sstevel@tonic-gate len = strlen(key) + strlen(val) + 2; 149*0Sstevel@tonic-gate arg = malloc(len); 150*0Sstevel@tonic-gate 151*0Sstevel@tonic-gate (void) snprintf(arg, len, "%s=%s", key, val); 152*0Sstevel@tonic-gate argv[(*index)++] = "-K"; 153*0Sstevel@tonic-gate argv[(*index)++] = arg; 154*0Sstevel@tonic-gate } 155*0Sstevel@tonic-gate } 156*0Sstevel@tonic-gate 157*0Sstevel@tonic-gate /* 158*0Sstevel@tonic-gate * Propose a default value for a key and get the actual value back. 159*0Sstevel@tonic-gate * If the proposed default value is NULL, return the actual value set. 160*0Sstevel@tonic-gate * The key argument is the user_attr key. 161*0Sstevel@tonic-gate */ 162*0Sstevel@tonic-gate char * 163*0Sstevel@tonic-gate getsetdefval(const char *key, char *dflt) 164*0Sstevel@tonic-gate { 165*0Sstevel@tonic-gate int i; 166*0Sstevel@tonic-gate 167*0Sstevel@tonic-gate for (i = 0; i < NKEYS; i++) 168*0Sstevel@tonic-gate if (strcmp(keys[i].key, key) == 0) 169*0Sstevel@tonic-gate if (keys[i].newvalue != NULL) 170*0Sstevel@tonic-gate return (keys[i].newvalue); 171*0Sstevel@tonic-gate else 172*0Sstevel@tonic-gate return (keys[i].newvalue = dflt); 173*0Sstevel@tonic-gate return (NULL); 174*0Sstevel@tonic-gate } 175*0Sstevel@tonic-gate 176*0Sstevel@tonic-gate char * 177*0Sstevel@tonic-gate getusertype(char *cmdname) 178*0Sstevel@tonic-gate { 179*0Sstevel@tonic-gate static char usertype[MAX_TYPE_LENGTH]; 180*0Sstevel@tonic-gate char *cmd; 181*0Sstevel@tonic-gate 182*0Sstevel@tonic-gate if (cmd = strrchr(cmdname, '/')) 183*0Sstevel@tonic-gate ++cmd; 184*0Sstevel@tonic-gate else 185*0Sstevel@tonic-gate cmd = cmdname; 186*0Sstevel@tonic-gate 187*0Sstevel@tonic-gate /* get user type based on the program name */ 188*0Sstevel@tonic-gate if (strncmp(cmd, CMD_PREFIX_USER, 189*0Sstevel@tonic-gate strlen(CMD_PREFIX_USER)) == 0) 190*0Sstevel@tonic-gate strcpy(usertype, USERATTR_TYPE_NORMAL_KW); 191*0Sstevel@tonic-gate else 192*0Sstevel@tonic-gate strcpy(usertype, USERATTR_TYPE_NONADMIN_KW); 193*0Sstevel@tonic-gate 194*0Sstevel@tonic-gate return (usertype); 195*0Sstevel@tonic-gate } 196*0Sstevel@tonic-gate 197*0Sstevel@tonic-gate int 198*0Sstevel@tonic-gate is_role(char *usertype) 199*0Sstevel@tonic-gate { 200*0Sstevel@tonic-gate if (strcmp(usertype, USERATTR_TYPE_NONADMIN_KW) == 0) 201*0Sstevel@tonic-gate return (1); 202*0Sstevel@tonic-gate /* not a role */ 203*0Sstevel@tonic-gate return (0); 204*0Sstevel@tonic-gate } 205*0Sstevel@tonic-gate 206*0Sstevel@tonic-gate /* 207*0Sstevel@tonic-gate * Verifies the provided list of authorizations are all valid. 208*0Sstevel@tonic-gate * 209*0Sstevel@tonic-gate * Returns NULL if all authorization names are valid. 210*0Sstevel@tonic-gate * Otherwise, returns the invalid authorization name 211*0Sstevel@tonic-gate * 212*0Sstevel@tonic-gate */ 213*0Sstevel@tonic-gate static const char * 214*0Sstevel@tonic-gate check_auth(const char *auths) 215*0Sstevel@tonic-gate { 216*0Sstevel@tonic-gate char *authname; 217*0Sstevel@tonic-gate authattr_t *result; 218*0Sstevel@tonic-gate char *tmp; 219*0Sstevel@tonic-gate struct passwd *pw; 220*0Sstevel@tonic-gate int have_grant = 0; 221*0Sstevel@tonic-gate 222*0Sstevel@tonic-gate tmp = strdup(auths); 223*0Sstevel@tonic-gate 224*0Sstevel@tonic-gate authname = strtok(tmp, AUTH_SEP); 225*0Sstevel@tonic-gate pw = getpwuid(getuid()); 226*0Sstevel@tonic-gate if (pw == NULL) { 227*0Sstevel@tonic-gate return (authname); 228*0Sstevel@tonic-gate } 229*0Sstevel@tonic-gate 230*0Sstevel@tonic-gate while (authname != NULL) { 231*0Sstevel@tonic-gate char *suffix; 232*0Sstevel@tonic-gate char *authtoks; 233*0Sstevel@tonic-gate 234*0Sstevel@tonic-gate /* Find the suffix */ 235*0Sstevel@tonic-gate if ((suffix = rindex(authname, '.')) == NULL) 236*0Sstevel@tonic-gate return (authname); 237*0Sstevel@tonic-gate 238*0Sstevel@tonic-gate /* Check for existence in auth_attr */ 239*0Sstevel@tonic-gate suffix++; 240*0Sstevel@tonic-gate if (strcmp(suffix, KV_WILDCARD)) { /* Not a wildcard */ 241*0Sstevel@tonic-gate result = getauthnam(authname); 242*0Sstevel@tonic-gate if (result == NULL) { 243*0Sstevel@tonic-gate /* can't find the auth */ 244*0Sstevel@tonic-gate free_authattr(result); 245*0Sstevel@tonic-gate return (authname); 246*0Sstevel@tonic-gate } 247*0Sstevel@tonic-gate free_authattr(result); 248*0Sstevel@tonic-gate } 249*0Sstevel@tonic-gate 250*0Sstevel@tonic-gate /* Check if user has been granted this authorization */ 251*0Sstevel@tonic-gate if (!chkauthattr(authname, pw->pw_name)) { 252*0Sstevel@tonic-gate return (authname); 253*0Sstevel@tonic-gate } 254*0Sstevel@tonic-gate 255*0Sstevel@tonic-gate /* Check if user can delegate this authorization */ 256*0Sstevel@tonic-gate if (strcmp(suffix, "grant")) { /* Not a grant option */ 257*0Sstevel@tonic-gate authtoks = malloc(strlen(authname) + sizeof ("grant")); 258*0Sstevel@tonic-gate strcpy(authtoks, authname); 259*0Sstevel@tonic-gate have_grant = 0; 260*0Sstevel@tonic-gate while ((suffix = rindex(authtoks, '.')) && 261*0Sstevel@tonic-gate !have_grant) { 262*0Sstevel@tonic-gate strcpy(suffix, ".grant"); 263*0Sstevel@tonic-gate if (chkauthattr(authtoks, pw->pw_name)) 264*0Sstevel@tonic-gate have_grant = 1; 265*0Sstevel@tonic-gate else 266*0Sstevel@tonic-gate *suffix = '\0'; 267*0Sstevel@tonic-gate } 268*0Sstevel@tonic-gate if (!have_grant) 269*0Sstevel@tonic-gate return (authname); 270*0Sstevel@tonic-gate } 271*0Sstevel@tonic-gate authname = strtok(NULL, AUTH_SEP); 272*0Sstevel@tonic-gate } 273*0Sstevel@tonic-gate return (NULL); 274*0Sstevel@tonic-gate } 275*0Sstevel@tonic-gate 276*0Sstevel@tonic-gate /* 277*0Sstevel@tonic-gate * Verifies the provided list of profile names are valid. 278*0Sstevel@tonic-gate * 279*0Sstevel@tonic-gate * Returns NULL if all profile names are valid. 280*0Sstevel@tonic-gate * Otherwise, returns the invalid profile name 281*0Sstevel@tonic-gate * 282*0Sstevel@tonic-gate */ 283*0Sstevel@tonic-gate static const char * 284*0Sstevel@tonic-gate check_prof(const char *profs) 285*0Sstevel@tonic-gate { 286*0Sstevel@tonic-gate char *profname; 287*0Sstevel@tonic-gate profattr_t *result; 288*0Sstevel@tonic-gate char *tmp; 289*0Sstevel@tonic-gate 290*0Sstevel@tonic-gate tmp = strdup(profs); 291*0Sstevel@tonic-gate 292*0Sstevel@tonic-gate profname = strtok(tmp, PROF_SEP); 293*0Sstevel@tonic-gate while (profname != NULL) { 294*0Sstevel@tonic-gate result = getprofnam(profname); 295*0Sstevel@tonic-gate if (result == NULL) { 296*0Sstevel@tonic-gate /* can't find the profile */ 297*0Sstevel@tonic-gate return (profname); 298*0Sstevel@tonic-gate } 299*0Sstevel@tonic-gate free_profattr(result); 300*0Sstevel@tonic-gate profname = strtok(NULL, PROF_SEP); 301*0Sstevel@tonic-gate } 302*0Sstevel@tonic-gate return (NULL); 303*0Sstevel@tonic-gate } 304*0Sstevel@tonic-gate 305*0Sstevel@tonic-gate 306*0Sstevel@tonic-gate /* 307*0Sstevel@tonic-gate * Verifies the provided list of role names are valid. 308*0Sstevel@tonic-gate * 309*0Sstevel@tonic-gate * Returns NULL if all role names are valid. 310*0Sstevel@tonic-gate * Otherwise, returns the invalid role name 311*0Sstevel@tonic-gate * 312*0Sstevel@tonic-gate */ 313*0Sstevel@tonic-gate static const char * 314*0Sstevel@tonic-gate check_role(const char *roles) 315*0Sstevel@tonic-gate { 316*0Sstevel@tonic-gate char *rolename; 317*0Sstevel@tonic-gate userattr_t *result; 318*0Sstevel@tonic-gate char *utype; 319*0Sstevel@tonic-gate char *tmp; 320*0Sstevel@tonic-gate 321*0Sstevel@tonic-gate tmp = strdup(roles); 322*0Sstevel@tonic-gate 323*0Sstevel@tonic-gate rolename = strtok(tmp, ROLE_SEP); 324*0Sstevel@tonic-gate while (rolename != NULL) { 325*0Sstevel@tonic-gate result = getusernam(rolename); 326*0Sstevel@tonic-gate if (result == NULL) { 327*0Sstevel@tonic-gate /* can't find the rolename */ 328*0Sstevel@tonic-gate return (rolename); 329*0Sstevel@tonic-gate } 330*0Sstevel@tonic-gate /* Now, make sure it is a role */ 331*0Sstevel@tonic-gate utype = kva_match(result->attr, USERATTR_TYPE_KW); 332*0Sstevel@tonic-gate if (utype == NULL) { 333*0Sstevel@tonic-gate /* no user type defined. not a role */ 334*0Sstevel@tonic-gate free_userattr(result); 335*0Sstevel@tonic-gate return (rolename); 336*0Sstevel@tonic-gate } 337*0Sstevel@tonic-gate if (strcmp(utype, USERATTR_TYPE_NONADMIN_KW) != 0) { 338*0Sstevel@tonic-gate free_userattr(result); 339*0Sstevel@tonic-gate return (rolename); 340*0Sstevel@tonic-gate } 341*0Sstevel@tonic-gate free_userattr(result); 342*0Sstevel@tonic-gate rolename = strtok(NULL, ROLE_SEP); 343*0Sstevel@tonic-gate } 344*0Sstevel@tonic-gate return (NULL); 345*0Sstevel@tonic-gate } 346*0Sstevel@tonic-gate 347*0Sstevel@tonic-gate static const char * 348*0Sstevel@tonic-gate check_proj(const char *proj) 349*0Sstevel@tonic-gate { 350*0Sstevel@tonic-gate if (getprojidbyname(proj) < 0) { 351*0Sstevel@tonic-gate return (proj); 352*0Sstevel@tonic-gate } else { 353*0Sstevel@tonic-gate return (NULL); 354*0Sstevel@tonic-gate } 355*0Sstevel@tonic-gate } 356*0Sstevel@tonic-gate 357*0Sstevel@tonic-gate static const char * 358*0Sstevel@tonic-gate check_privset(const char *pset) 359*0Sstevel@tonic-gate { 360*0Sstevel@tonic-gate priv_set_t *tmp; 361*0Sstevel@tonic-gate const char *res; 362*0Sstevel@tonic-gate 363*0Sstevel@tonic-gate tmp = priv_str_to_set(pset, ",", &res); 364*0Sstevel@tonic-gate 365*0Sstevel@tonic-gate if (tmp != NULL) { 366*0Sstevel@tonic-gate res = NULL; 367*0Sstevel@tonic-gate priv_freeset(tmp); 368*0Sstevel@tonic-gate } else if (res == NULL) 369*0Sstevel@tonic-gate res = strerror(errno); 370*0Sstevel@tonic-gate 371*0Sstevel@tonic-gate return (res); 372*0Sstevel@tonic-gate } 373*0Sstevel@tonic-gate 374*0Sstevel@tonic-gate static const char * 375*0Sstevel@tonic-gate check_type(const char *type) 376*0Sstevel@tonic-gate { 377*0Sstevel@tonic-gate if (strcmp(type, USERATTR_TYPE_NONADMIN_KW) != 0 && 378*0Sstevel@tonic-gate strcmp(type, USERATTR_TYPE_NORMAL_KW) != 0) 379*0Sstevel@tonic-gate return (type); 380*0Sstevel@tonic-gate 381*0Sstevel@tonic-gate return (NULL); 382*0Sstevel@tonic-gate } 383*0Sstevel@tonic-gate 384*0Sstevel@tonic-gate static const char * 385*0Sstevel@tonic-gate check_lock_after_retries(const char *keyval) 386*0Sstevel@tonic-gate { 387*0Sstevel@tonic-gate if (keyval != NULL) { 388*0Sstevel@tonic-gate if ((strcasecmp(keyval, "no") != 0) && 389*0Sstevel@tonic-gate (strcasecmp(keyval, "yes") != 0) && 390*0Sstevel@tonic-gate (*keyval != '\0')) { 391*0Sstevel@tonic-gate return (keyval); 392*0Sstevel@tonic-gate } 393*0Sstevel@tonic-gate } 394*0Sstevel@tonic-gate return (NULL); 395*0Sstevel@tonic-gate } 396