search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Move some TLS stuff to tls.c.
[libpwmd.git] / src / acl.c
blob4f36bbf7aeee8b7ff45a46a305c929d4a9bfe0ac
1 /*
2 Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015,
3 2016
4 Ben Kibbey <bjk@luxsci.net>
5
6 This file is part of pwmd.
7
8 Pwmd is free software: you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation, either version 2 of the License, or
11 (at your option) any later version.
12
13 Pwmd is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with Pwmd. If not, see <http://www.gnu.org/licenses/>.
20 */
21 #ifdef HAVE_CONFIG_H
22 #include <config.h>
23 #endif
24
25 #include <unistd.h>
26 #include <sys/types.h>
27 #include <pwd.h>
28 #include <grp.h>
29
30 #include "common.h"
31 #include "acl.h"
32 #include "rcfile.h"
33 #include "util-misc.h"
34 #include "util-string.h"
35 #include "mutex.h"
36 #include "mem.h"
37 #ifdef WITH_GNUTLS
38 #include "tls.h"
39 #endif
40
41 gpg_error_t
42 do_validate_peer (assuan_context_t ctx, const char *section,
43 assuan_peercred_t *peer)
44 {
45 char **users;
46 int allowed = 0;
47 gpg_error_t rc;
48 struct client_s *client = assuan_get_pointer (ctx);
49
50 if (!client)
51 return GPG_ERR_FORBIDDEN;
52
53 #ifdef WITH_GNUTLS
54 if (client->thd->remote)
55 return tls_validate_access (client, section);
56 #endif
57
58 rc = assuan_get_peercred (ctx, peer);
59 if (rc)
60 return rc;
61
62 users = config_get_list (section, "allowed");
63 if (users)
64 {
65 for (char **p = users; !rc && *p; p++)
66 {
67 rc = acl_check_common(client, *p, (*peer)->uid, (*peer)->gid,
68 &allowed);
69 }
70
71 strv_free (users);
72 }
73 else if (client->no_access_param)
74 allowed = 1;
75
76 return allowed && !rc ? 0 : rc ? rc : GPG_ERR_FORBIDDEN;
77 }
78
79 /* Test if uid is a member of group 'name'. Invert when 'not' is true. */
80 #ifdef HAVE_GETGRNAM_R
81 static gpg_error_t
82 acl_check_group (const char *name, uid_t uid, gid_t gid, int not, int *allowed)
83 {
84 char *buf;
85 struct group gr, *gresult;
86 size_t len = sysconf (_SC_GETGR_R_SIZE_MAX);
87 int err;
88 gpg_error_t rc = 0;
89
90 if (len == -1)
91 len = 16384;
92
93 buf = xmalloc (len);
94 if (!buf)
95 return GPG_ERR_ENOMEM;
96
97 err = getgrnam_r (name, &gr, buf, len, &gresult);
98 if (!err && gresult)
99 {
100 if (gresult->gr_gid == gid)
101 {
102 xfree (buf);
103 *allowed = !not;
104 return 0;
105 }
106
107 for (char **t = gresult->gr_mem; !rc && *t; t++)
108 {
109 char *tbuf;
110 struct passwd pw;
111 struct passwd *result = get_pwd_struct (*t, 0, &pw, &tbuf, &rc);
112
113 if (!rc && result && result->pw_uid == uid)
114 {
115 xfree (tbuf);
116 *allowed = !not;
117 break;
118 }
119
120 xfree (tbuf);
121 }
122
123 xfree (buf);
124 return rc;
125 }
126 else if (err)
127 rc = gpg_error_from_errno (err);
128
129 xfree (buf);
130 return rc ? rc : !gresult ? 0 : GPG_ERR_EACCES;
131 }
132 #else
133 static gpg_error_t
134 acl_check_group (const char *name, uid_t uid, gid_t gid, int not, int *allowed)
135 {
136 struct group *gresult;
137 gpg_error_t rc = 0;
138
139 errno = 0;
140 gresult = getgrnam (name);
141 if (!errno && gresult && gresult->gr_gid == gid)
142 {
143 *allowed = !not;
144 return 0;
145 }
146 else if (errno)
147 rc = gpg_error_from_syserror ();
148 else if (!gresult)
149 return 0;
150
151 for (char **t = gresult->gr_mem; !rc && *t; t++)
152 {
153 char *buf;
154 struct passwd pw;
155 struct passwd *result = get_pwd_struct (*t, 0, &pw, &buf, &rc);
156
157 if (!rc && result && result->pw_uid == uid)
158 {
159 xfree (buf);
160 *allowed = !not;
161 break;
162 }
163
164 xfree (buf);
165 }
166
167 return rc;
168 }
169 #endif
170
171 gpg_error_t
172 peer_is_invoker(struct client_s *client)
173 {
174 struct invoking_user_s *user;
175 int allowed = 0;
176
177 if (client->thd->state == CLIENT_STATE_UNKNOWN)
178 return GPG_ERR_EACCES;
179
180 for (user = invoking_users; user; user = user->next)
181 {
182 #ifdef WITH_GNUTLS
183 if (client->thd->remote)
184 {
185 if (user->type == INVOKING_TLS
186 && !strcmp(client->thd->tls->fp, user->id))
187 allowed = user->not ? 0 : 1;
188
189 continue;
190 }
191 #endif
192
193 if (user->type == INVOKING_GID)
194 {
195 gpg_error_t rc = acl_check_group (user->id,
196 client->thd->peer->uid,
197 client->thd->peer->gid,
198 user->not, &allowed);
199 if (rc)
200 return rc;
201 }
202 else if (user->type == INVOKING_UID && client->thd->peer->uid == user->uid)
203 allowed = user->not ? 0 : 1;
204 }
205
206 return allowed ? 0 : GPG_ERR_EACCES;
207 }
208
209 #ifdef HAVE_GETGRNAM_R
210 gpg_error_t
211 acl_check_common (struct client_s *client, const char *user, uid_t uid,
212 gid_t gid, int *allowed)
213 {
214 int not = 0;
215 int rw = 0;
216 int tls = 0;
217 gpg_error_t rc = 0;
218
219 if (!user || !*user)
220 return 0;
221
222 if (*user == '-' || *user == '!')
223 not = 1;
224
225 if (*user == '+') // not implemented yet
226 rw = 1;
227
228 if (*user == '#') // TLS fingerprint hash
229 tls = 1;
230
231 if (not || rw || tls)
232 user++;
233
234 if (tls)
235 {
236 #ifdef WITH_GNUTLS
237 if (client->thd->remote)
238 {
239 if (!strcasecmp (client->thd->tls->fp, user))
240 *allowed = !not;
241 }
242
243 return 0;
244 #else
245 return 0;
246 #endif
247 }
248 #ifdef WITH_GNUTLS
249 else if (client->thd->remote) // Remote client with no FP in the ACL
250 return 0;
251 #endif
252
253 if (*user == '@') // all users in group
254 return acl_check_group (user+1, uid, gid, not, allowed);
255 else
256 {
257 char *buf;
258 struct passwd pw;
259 struct passwd *pwd = get_pwd_struct (user, 0, &pw, &buf, &rc);
260
261 if (!rc && pwd && pwd->pw_uid == uid)
262 *allowed = !not;
263
264 xfree (buf);
265 }
266
267 return rc;
268 }
269 #else
270 gpg_error_t
271 acl_check_common (struct client_s *client, const char *user, uid_t uid,
272 gid_t gid, int *allowed)
273 {
274 gpg_error_t rc = 0;
275 int not = 0;
276 int rw = 0;
277 int tls = 0;
278
279 if (!user || !*user)
280 return 0;
281
282 if (*user == '-' || *user == '!')
283 not = 1;
284
285 if (*user == '+') // not implemented yet
286 rw = 1;
287
288 if (*user == '#') // TLS fingerprint hash
289 tls = 1;
290
291 if (not || rw || tls)
292 user++;
293
294 if (tls)
295 {
296 #ifdef WITH_GNUTLS
297 if (client->thd->remote)
298 {
299 if (!strcasecmp (client->thd->tls->fp, user))
300 *allowed = !not;
301 }
302
303 return 0;
304 #else
305 return 0;
306 #endif
307 }
308
309 if (*user == '@') // all users in group
310 return acl_check_group (user+1, uid, gid, not, allowed);
311 else
312 {
313 char *buf;
314 struct passwd pw;
315 struct passwd *result = get_pwd_struct (user, 0, &pw, &buf, &rc);
316
317 if (!rc && result && result->pw_uid == uid)
318 *allowed = !not;
319
320 xfree (buf);
321 }
322
323 return rc;
324 }
325 #endif
326
327 gpg_error_t
328 validate_peer (struct client_s *cl)
329 {
330 gpg_error_t rc;
331
332 #ifdef WITH_GNUTLS
333 if (cl->thd->remote)
334 return tls_validate_access (cl, NULL);
335 #endif
336
337 MUTEX_LOCK (&cn_mutex);
338 pthread_cleanup_push (release_mutex_cb, &cn_mutex);
339 rc = do_validate_peer (cl->ctx, "global", &cl->thd->peer);
340 pthread_cleanup_pop (1);
341 log_write ("peer %s: uid=%i, gid=%i, pid=%i, rc=%u",
342 !rc ? _("accepted") : _("rejected"), cl->thd->peer->uid,
343 cl->thd->peer->gid, cl->thd->peer->pid, rc);
344 return rc;
345 }
An API for pwmd.