search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Fix a few 'gcc -fanalyzer' warnings.
[pwmd.git] / src / acl.c
blobc5906c3518fc43276db51ae625d3213dc0863e43
1 /*
2 Copyright (C) 2006-2023 Ben Kibbey <bjk@luxsci.net>
3
4 This file is part of pwmd.
5
6 Pwmd is free software: you can redistribute it and/or modify
7 it under the terms of the GNU General Public License version 2 as
8 published by the Free Software Foundation.
9
10 Pwmd is distributed in the hope that it will be useful,
11 but WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 GNU General Public License for more details.
14
15 You should have received a copy of the GNU General Public License
16 along with Pwmd. If not, see <http://www.gnu.org/licenses/>.
17 */
18 #ifdef HAVE_CONFIG_H
19 #include <config.h>
20 #endif
21
22 #ifdef HAVE_UNISTD_H
23 #include <unistd.h>
24 #endif
25 #include <sys/types.h>
26 #include <pwd.h>
27 #include <grp.h>
28
29 #include "common.h"
30 #include "acl.h"
31 #include "rcfile.h"
32 #include "util-misc.h"
33 #include "util-string.h"
34 #include "mutex.h"
35 #include "mem.h"
36 #ifdef WITH_GNUTLS
37 #include "tls.h"
38 #endif
39
40 static char *
41 acl_get_proc (pid_t pid, gpg_error_t *rc)
42 {
43 #ifdef WITH_PROC_SYMLINK
44 char buf[64];
45 char path[PATH_MAX];
46 char *p;
47 ssize_t n;
48
49 snprintf (buf, sizeof (buf), "/proc/%lu/%s", (long)pid, WITH_PROC_SYMLINK);
50 n = readlink (buf, path, sizeof (path)-1);
51
52 if (n == -1)
53 {
54 *rc = gpg_error_from_syserror ();
55 log_write ("%s: %s", __FUNCTION__, gpg_strerror (*rc));
56 return NULL;
57 }
58
59 *rc = 0;
60 path[n] = 0;
61
62 p = str_dup (path);
63 if (!p)
64 *rc = GPG_ERR_ENOMEM;
65
66 return p;
67 #else
68 *rc = 0;
69 return NULL;
70 #endif
71 }
72
73 /* Check for further matches of a pathname which may be negated. */
74 static int
75 acl_check_proc_dup (char **users, const char *path)
76 {
77 char **p;
78 int allowed = 0;
79
80 for (p = users; p && *p; p++)
81 {
82 int not = 0;
83 char *s = *p;
84
85 if (*s == '!' || *s == '-')
86 {
87 not = 1;
88 s++;
89 }
90
91 if (*s != '/')
92 continue;
93
94 if (!strcmp (s, path))
95 allowed = !not;
96 }
97
98 return allowed;
99 }
100
101 static int
102 acl_check_proc (char **users, char *user, const char *path, int *have_path)
103 {
104 char *p = user;
105
106 if (*p == '!' || *p == '-')
107 p++;
108
109 if (*p != '/')
110 return 2;
111
112 *have_path = 1;
113 if (!strcmp (user, path))
114 return acl_check_proc_dup (users, user);
115
116 return 0;
117 }
118
119 gpg_error_t
120 do_validate_peer (assuan_context_t ctx, const char *section,
121 assuan_peercred_t *peer, char **rpath)
122 {
123 char **users;
124 int allowed = 0;
125 int have_user = 0;
126 gpg_error_t rc;
127 struct client_s *client = assuan_get_pointer (ctx);
128
129 if (!client)
130 return GPG_ERR_FORBIDDEN;
131
132 #ifdef WITH_GNUTLS
133 if (client->thd->remote)
134 return tls_validate_access (client, section);
135 #endif
136
137 rc = assuan_get_peercred (ctx, peer);
138 if (rc)
139 return rc;
140
141 users = config_get_list (section, "allowed");
142 if (users)
143 {
144 char **cmds = NULL;
145
146 for (char **p = users; !rc && *p; p++)
147 {
148 char *user = *p;
149 int not = 0;
150
151 if (*user == '-' || *user == '!')
152 {
153 not = 1;
154 user++;
155 }
156
157 if (*user == '/')
158 {
159 if (strv_printf (&cmds, "%s%s", not ? "!" : "", user) == 0)
160 {
161 strv_free (cmds);
162 strv_free (users);
163 return GPG_ERR_ENOMEM;
164 }
165 }
166 }
167
168 for (char **p = users; !rc && *p; p++)
169 {
170 char *user = *p;
171
172 if (*user == '/' || (*user == '!' && *(user+1) == '/')
173 || (*user == '-' && *(user+1) == '/'))
174 continue;
175
176 have_user = 1;
177 rc = acl_check_common(client, user, (*peer)->uid, (*peer)->gid,
178 &allowed);
179 }
180
181 /* Skip getting process name from a UID that is not our own to prevent
182 * an ENOENT error since most modern systems hide process details from
183 * other UID's. Access will be allowed based on other tests (filesystem
184 * ACL to the socket, configuration, etc). */
185 int exec_allowed = 0;
186 int have_path = 0;
187 int same_uid = (*peer)->uid == getuid();
188
189 if (allowed && !rc && same_uid)
190 {
191 char *path = acl_get_proc ((*peer)->pid, &rc);
192
193 for (char **p = users; !rc && path && *p; p++)
194 {
195 exec_allowed = acl_check_proc (users, *p, path, &have_path);
196 if (!rc && exec_allowed == 1)
197 break;
198 }
199
200 if (rpath && exec_allowed)
201 *rpath = path;
202 else
203 xfree (path);
204 }
205
206 strv_free (users);
207
208 if (!rc && cmds && (allowed || !have_user) && same_uid)
209 {
210 allowed = 0;
211 if (!client->thd->cmdname)
212 client->thd->cmdname = rpath ? *rpath : NULL;
213
214 for (char **p = cmds; !rc && p && *p && !allowed; p++)
215 {
216 rc = acl_check_common (client, *p, client->thd->peer->uid,
217 client->thd->peer->gid, &allowed);
218 }
219 }
220
221 if (have_path)
222 allowed = allowed && exec_allowed == 1;
223
224 strv_free(cmds);
225 }
226
227 return allowed && !rc ? 0 : rc ? rc : GPG_ERR_FORBIDDEN;
228 }
229
230 /* Test if uid is a member of group 'name'. Invert when 'not' is true. */
231 #ifdef HAVE_GETGRNAM_R
232 static gpg_error_t
233 acl_check_group (const char *name, uid_t uid, gid_t gid, int not, int *allowed)
234 {
235 char *buf;
236 struct group gr, *gresult;
237 size_t len = sysconf (_SC_GETGR_R_SIZE_MAX);
238 int err;
239 gpg_error_t rc = 0;
240
241 if (len == -1)
242 len = 16384;
243
244 buf = xmalloc (len);
245 if (!buf)
246 return GPG_ERR_ENOMEM;
247
248 err = getgrnam_r (name, &gr, buf, len, &gresult);
249 if (!err && gresult)
250 {
251 if (gresult->gr_gid == gid)
252 {
253 xfree (buf);
254 *allowed = !not;
255 return 0;
256 }
257
258 for (char **t = gresult->gr_mem; !rc && *t; t++)
259 {
260 char *tbuf;
261 struct passwd pw;
262 struct passwd *result = get_pwd_struct (*t, 0, &pw, &tbuf, &rc);
263
264 if (!rc && result && result->pw_uid == uid)
265 {
266 xfree (tbuf);
267 *allowed = !not;
268 break;
269 }
270
271 xfree (tbuf);
272 }
273
274 xfree (buf);
275 return rc;
276 }
277 else if (err)
278 rc = gpg_error_from_errno (err);
279
280 xfree (buf);
281 return rc ? rc : !gresult ? 0 : GPG_ERR_EACCES;
282 }
283 #else
284 static gpg_error_t
285 acl_check_group (const char *name, uid_t uid, gid_t gid, int not, int *allowed)
286 {
287 struct group *gresult = NULL;
288 gpg_error_t rc = 0;
289
290 errno = 0;
291 gresult = getgrnam (name);
292 if (!errno && gresult && gresult->gr_gid == gid)
293 {
294 *allowed = !not;
295 return 0;
296 }
297 else if (errno)
298 rc = gpg_error_from_syserror ();
299
300 if (!gresult)
301 return rc;
302
303 for (char **t = gresult->gr_mem; !rc && *t; t++)
304 {
305 char *buf;
306 struct passwd pw;
307 struct passwd *result = get_pwd_struct (*t, 0, &pw, &buf, &rc);
308
309 if (!rc && result && result->pw_uid == uid)
310 {
311 xfree (buf);
312 *allowed = !not;
313 break;
314 }
315
316 xfree (buf);
317 }
318
319 return rc;
320 }
321 #endif
322
323 gpg_error_t
324 peer_is_invoker(struct client_s *client)
325 {
326 struct invoking_user_s *user;
327 int allowed = 0;
328
329 if (client->thd->state == CLIENT_STATE_UNKNOWN)
330 return GPG_ERR_EACCES;
331
332 for (user = invoking_users; user; user = user->next)
333 {
334 #ifdef WITH_GNUTLS
335 if (client->thd->remote)
336 {
337 if (user->type == INVOKING_TLS
338 && !strcmp(client->thd->tls->fp, user->id))
339 allowed = user->not ? 0 : 1;
340
341 continue;
342 }
343 #endif
344
345 if (user->type == INVOKING_GID)
346 {
347 gpg_error_t rc = acl_check_group (user->id,
348 client->thd->peer->uid,
349 client->thd->peer->gid,
350 user->not, &allowed);
351 if (rc)
352 return rc;
353 }
354 else if (user->type == INVOKING_UID && client->thd->peer->uid == user->uid)
355 allowed = user->not ? 0 : 1;
356 }
357
358 return allowed ? 0 : GPG_ERR_EACCES;
359 }
360
361 gpg_error_t
362 acl_check_common (struct client_s *client, const char *user, uid_t uid,
363 gid_t gid, int *allowed)
364 {
365 int not = 0;
366 int rw = 0;
367 int tls = 0;
368 int cmd = 0;
369 gpg_error_t rc = 0;
370
371 if (!user || !*user)
372 return 0;
373
374 if (*user == '-' || *user == '!')
375 {
376 not = 1;
377 user++;
378 }
379
380 if (*user == '+') // not implemented yet
381 rw = 1;
382
383 if (*user == '#') // TLS fingerprint hash
384 tls = 1;
385
386 if (*user == '/') // client command name path
387 cmd = 1;
388
389 if (rw || tls)
390 user++;
391
392 if (tls)
393 {
394 #ifdef WITH_GNUTLS
395 if (client->thd->remote)
396 {
397 if (!strcasecmp (client->thd->tls->fp, user))
398 *allowed = !not;
399 }
400
401 return 0;
402 #else
403 (void)client;
404 return 0;
405 #endif
406 }
407 #ifdef WITH_GNUTLS
408 else if (client->thd->remote) // Remote client with no FP in the ACL
409 return 0;
410 #endif
411
412 if (*user == '@') // all users in group
413 return acl_check_group (user+1, uid, gid, not, allowed);
414 else if (!cmd)
415 {
416 char *buf;
417 struct passwd pw;
418 struct passwd *pwd = get_pwd_struct (user, 0, &pw, &buf, &rc);
419
420 if (!rc && pwd && pwd->pw_uid == uid)
421 *allowed = !not;
422
423 xfree (buf);
424 }
425
426 if (!rc && cmd && client->thd->cmdname)
427 {
428 if (!strcmp (user, client->thd->cmdname))
429 *allowed = !not;
430 else
431 *allowed = 0;
432 }
433
434 return rc;
435 }
436
437 gpg_error_t
438 validate_peer (struct client_s *cl)
439 {
440 gpg_error_t rc;
441 char *path = NULL;
442
443 #ifdef WITH_GNUTLS
444 if (cl->thd->remote)
445 return tls_validate_access (cl, NULL);
446 #endif
447
448 MUTEX_LOCK (&cn_mutex);
449 pthread_cleanup_push (release_mutex_cb, &cn_mutex);
450 rc = do_validate_peer (cl->ctx, "global", &cl->thd->peer, &path);
451 pthread_cleanup_pop (1);
452 log_write ("peer %s: path=%s, uid=%i, gid=%i, pid=%i, rc=%u",
453 !rc ? _("accepted") : _("rejected"), path,
454 cl->thd->peer->uid, cl->thd->peer->gid,
455 cl->thd->peer->pid, rc);
456
457 if (!rc)
458 cl->thd->cmdname = path;
459 else
460 xfree (path);
461
462 return rc;
463 }
A server for managing passphrases and anything else.