2 * Copyright (c) 1996 by
3 * David Nugent <davidn@blaze.net.au>
6 * Redistribution and use in source and binary forms, with or without
7 * modification, is permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice immediately at the beginning of the file, without modification,
11 * this list of conditions, and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. This work was done expressly for inclusion into FreeBSD. Other use
16 * is permitted provided this notation is included.
17 * 4. Absolutely no warranty of function or purpose is made by the authors.
18 * 5. Modifications may be freely made to this file providing the above
21 * Support allow/deny lists in login class capabilities
23 * $FreeBSD: src/lib/libutil/login_ok.c,v 1.7.2.1 2001/01/10 21:01:30 ghelmer Exp $
24 * $DragonFly: src/lib/libutil/login_ok.c,v 1.3 2005/03/04 05:31:11 cpressey Exp $
27 #include <sys/types.h>
29 #include <sys/resource.h>
30 #include <sys/param.h>
39 #include "login_cap.h"
41 /* -- support functions -- */
45 * This function is intentionally public - reused by TAS.
46 * Returns TRUE (non-zero) if a string matches a pattern
47 * in a given array of patterns. 'flags' is passed directly
52 login_strinlist(char **list
, char const *str
, int flags
)
56 if (str
!= NULL
&& *str
!= '\0') {
59 while (rc
== 0 && list
[i
] != NULL
)
60 rc
= fnmatch(list
[i
++], str
, flags
) == 0;
68 * Locate either or two strings in a given list
72 login_str2inlist(char **ttlst
, const char *str1
, const char *str2
, int flags
)
76 if (login_strinlist(ttlst
, str1
, flags
))
78 else if (login_strinlist(ttlst
, str2
, flags
))
86 * This function is intentinoally public - reused by TAS.
87 * Returns an allocated list of time periods given an array
88 * of time periods in ascii form.
92 login_timelist(login_cap_t
*lc
, char const *cap
, int *ltno
,
96 struct login_time
*lt
= NULL
;
99 if ((tl
= login_getcaplist(lc
, cap
, NULL
)) != NULL
) {
101 while (tl
[j
++] != NULL
)
105 else if ((lt
= realloc(*ltptr
, j
* sizeof(struct login_time
))) != NULL
) {
112 for (--j
; i
< j
; i
++)
113 lt
[i
] = parse_lt(tl
[i
]);
114 lt
[i
].lt_dow
= LTM_NONE
;
123 * This function is a variation of auth_ttyok(), but it checks two
124 * arbitrary capability lists not necessarily related to access.
125 * This hook is provided for the accounted/exclude accounting lists.
129 login_ttyok(login_cap_t
*lc
, const char *tty
, const char *allowcap
,
134 if (lc
!= NULL
&& tty
!= NULL
&& *tty
!= '\0') {
139 te
= getttynam(tty
); /* Need group name */
140 grp
= te
? te
->ty_group
: NULL
;
141 ttl
= login_getcaplist(lc
, allowcap
, NULL
);
143 if (ttl
!= NULL
&& !login_str2inlist(ttl
, tty
, grp
, 0))
144 rc
= 0; /* tty or ttygroup not in allow list */
147 ttl
= login_getcaplist(lc
, denycap
, NULL
);
148 if (ttl
!= NULL
&& login_str2inlist(ttl
, tty
, grp
, 0))
149 rc
= 0; /* tty or ttygroup in deny list */
159 * Determine whether or not login on a tty is accessible for
164 auth_ttyok(login_cap_t
*lc
, const char * tty
)
166 return login_ttyok(lc
, tty
, "ttys.allow", "ttys.deny");
172 * This function is a variation of auth_hostok(), but it checks two
173 * arbitrary capability lists not necessarily related to access.
174 * This hook is provided for the accounted/exclude accounting lists.
178 login_hostok(login_cap_t
*lc
, const char *host
, const char *ip
,
179 const char *allowcap
, const char *denycap
)
181 int rc
= 1; /* Default is ok */
184 ((host
!= NULL
&& *host
!= '\0') || (ip
!= NULL
&& *ip
!= '\0'))) {
187 hl
= login_getcaplist(lc
, allowcap
, NULL
);
188 if (hl
!= NULL
&& !login_str2inlist(hl
, host
, ip
, FNM_CASEFOLD
))
189 rc
= 0; /* host or IP not in allow list */
192 hl
= login_getcaplist(lc
, denycap
, NULL
);
193 if (hl
!= NULL
&& login_str2inlist(hl
, host
, ip
, FNM_CASEFOLD
))
194 rc
= 0; /* host or IP in deny list */
204 * Determine whether or not login from a host is ok
208 auth_hostok(login_cap_t
*lc
, const char *host
, const char *ip
)
210 return login_hostok(lc
, host
, ip
, "host.allow", "host.deny");
216 * Determine whether or not login is ok at a given time
220 auth_timeok(login_cap_t
*lc
, time_t t
)
222 int rc
= 1; /* Default is ok */
224 if (lc
!= NULL
&& t
!= (time_t)0 && t
!= (time_t)-1) {
227 static int ltimesno
= 0;
228 static struct login_time
*ltimes
= NULL
;
230 if ((tptr
= localtime(&t
)) != NULL
) {
231 struct login_time
*lt
;
233 lt
= login_timelist(lc
, "times.allow", <imesno
, <imes
);
234 if (lt
!= NULL
&& in_ltms(lt
, tptr
, NULL
) == -1)
235 rc
= 0; /* not in allowed times list */
238 lt
= login_timelist(lc
, "times.deny", <imesno
, <imes
);
239 if (lt
!= NULL
&& in_ltms(lt
, tptr
, NULL
) != -1)
240 rc
= 0; /* in deny times list */