search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Fix EXPIRE status message.
[pwmd.git] / src / acl.c
blob7927a594e0b7eb020bf6fbd967c7ebcc0d78db1c
1 /*
2 Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015,
3 2016, 2017
4 Ben Kibbey <bjk@luxsci.net>
5
6 This file is part of pwmd.
7
8 Pwmd is free software: you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation, either version 2 of the License, or
11 (at your option) any later version.
12
13 Pwmd is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with Pwmd. If not, see <http://www.gnu.org/licenses/>.
20 */
21 #ifdef HAVE_CONFIG_H
22 #include <config.h>
23 #endif
24
25 #include <unistd.h>
26 #include <sys/types.h>
27 #include <pwd.h>
28 #include <grp.h>
29
30 #include "common.h"
31 #include "acl.h"
32 #include "rcfile.h"
33 #include "util-misc.h"
34 #include "util-string.h"
35 #include "mutex.h"
36 #include "mem.h"
37 #ifdef WITH_GNUTLS
38 #include "tls.h"
39 #endif
40
41 gpg_error_t
42 do_validate_peer (assuan_context_t ctx, const char *section,
43 assuan_peercred_t *peer)
44 {
45 char **users;
46 int allowed = 0;
47 gpg_error_t rc;
48 struct client_s *client = assuan_get_pointer (ctx);
49
50 if (!client)
51 return GPG_ERR_FORBIDDEN;
52
53 #ifdef WITH_GNUTLS
54 if (client->thd->remote)
55 return tls_validate_access (client, section);
56 #endif
57
58 rc = assuan_get_peercred (ctx, peer);
59 if (rc)
60 return rc;
61
62 users = config_get_list (section, "allowed");
63 if (users)
64 {
65 for (char **p = users; !rc && *p; p++)
66 {
67 rc = acl_check_common(client, *p, (*peer)->uid, (*peer)->gid,
68 &allowed);
69 }
70
71 strv_free (users);
72 }
73 else if (client->no_access_param)
74 allowed = 1;
75
76 return allowed && !rc ? 0 : rc ? rc : GPG_ERR_FORBIDDEN;
77 }
78
79 /* Test if uid is a member of group 'name'. Invert when 'not' is true. */
80 #ifdef HAVE_GETGRNAM_R
81 static gpg_error_t
82 acl_check_group (const char *name, uid_t uid, gid_t gid, int not, int *allowed)
83 {
84 char *buf;
85 struct group gr, *gresult;
86 size_t len = sysconf (_SC_GETGR_R_SIZE_MAX);
87 int err;
88 gpg_error_t rc = 0;
89
90 if (len == -1)
91 len = 16384;
92
93 buf = xmalloc (len);
94 if (!buf)
95 return GPG_ERR_ENOMEM;
96
97 err = getgrnam_r (name, &gr, buf, len, &gresult);
98 if (!err && gresult)
99 {
100 if (gresult->gr_gid == gid)
101 {
102 xfree (buf);
103 *allowed = !not;
104 return 0;
105 }
106
107 for (char **t = gresult->gr_mem; !rc && *t; t++)
108 {
109 char *tbuf;
110 struct passwd pw;
111 struct passwd *result = get_pwd_struct (*t, 0, &pw, &tbuf, &rc);
112
113 if (!rc && result && result->pw_uid == uid)
114 {
115 xfree (tbuf);
116 *allowed = !not;
117 break;
118 }
119
120 xfree (tbuf);
121 }
122
123 xfree (buf);
124 return rc;
125 }
126 else if (err)
127 rc = gpg_error_from_errno (err);
128
129 xfree (buf);
130 return rc ? rc : !gresult ? 0 : GPG_ERR_EACCES;
131 }
132 #else
133 static gpg_error_t
134 acl_check_group (const char *name, uid_t uid, gid_t gid, int not, int *allowed)
135 {
136 struct group *gresult;
137 gpg_error_t rc = 0;
138
139 errno = 0;
140 gresult = getgrnam (name);
141 if (!errno && gresult && gresult->gr_gid == gid)
142 {
143 *allowed = !not;
144 return 0;
145 }
146 else if (errno)
147 rc = gpg_error_from_syserror ();
148 else if (!gresult)
149 return 0;
150
151 for (char **t = gresult->gr_mem; !rc && *t; t++)
152 {
153 char *buf;
154 struct passwd pw;
155 struct passwd *result = get_pwd_struct (*t, 0, &pw, &buf, &rc);
156
157 if (!rc && result && result->pw_uid == uid)
158 {
159 xfree (buf);
160 *allowed = !not;
161 break;
162 }
163
164 xfree (buf);
165 }
166
167 return rc;
168 }
169 #endif
170
171 gpg_error_t
172 peer_is_invoker(struct client_s *client)
173 {
174 struct invoking_user_s *user;
175 int allowed = 0;
176
177 if (client->thd->state == CLIENT_STATE_UNKNOWN)
178 return GPG_ERR_EACCES;
179
180 for (user = invoking_users; user; user = user->next)
181 {
182 #ifdef WITH_GNUTLS
183 if (client->thd->remote)
184 {
185 if (user->type == INVOKING_TLS
186 && !strcmp(client->thd->tls->fp, user->id))
187 allowed = user->not ? 0 : 1;
188
189 continue;
190 }
191 #endif
192
193 if (user->type == INVOKING_GID)
194 {
195 gpg_error_t rc = acl_check_group (user->id,
196 client->thd->peer->uid,
197 client->thd->peer->gid,
198 user->not, &allowed);
199 if (rc)
200 return rc;
201 }
202 else if (user->type == INVOKING_UID && client->thd->peer->uid == user->uid)
203 allowed = user->not ? 0 : 1;
204 }
205
206 return allowed ? 0 : GPG_ERR_EACCES;
207 }
208
209 #ifdef HAVE_GETGRNAM_R
210 gpg_error_t
211 acl_check_common (struct client_s *client, const char *user, uid_t uid,
212 gid_t gid, int *allowed)
213 {
214 int not = 0;
215 int rw = 0;
216 int tls = 0;
217 gpg_error_t rc = 0;
218
219 if (!user || !*user)
220 return 0;
221
222 if (*user == '-' || *user == '!')
223 not = 1;
224
225 if (*user == '+') // not implemented yet
226 rw = 1;
227
228 if (*user == '#') // TLS fingerprint hash
229 tls = 1;
230
231 if (not || rw || tls)
232 user++;
233
234 if (tls)
235 {
236 #ifdef WITH_GNUTLS
237 if (client->thd->remote)
238 {
239 if (!strcasecmp (client->thd->tls->fp, user))
240 *allowed = !not;
241 }
242
243 return 0;
244 #else
245 (void)client;
246 return 0;
247 #endif
248 }
249 #ifdef WITH_GNUTLS
250 else if (client->thd->remote) // Remote client with no FP in the ACL
251 return 0;
252 #endif
253
254 if (*user == '@') // all users in group
255 return acl_check_group (user+1, uid, gid, not, allowed);
256 else
257 {
258 char *buf;
259 struct passwd pw;
260 struct passwd *pwd = get_pwd_struct (user, 0, &pw, &buf, &rc);
261
262 if (!rc && pwd && pwd->pw_uid == uid)
263 *allowed = !not;
264
265 xfree (buf);
266 }
267
268 return rc;
269 }
270 #else
271 gpg_error_t
272 acl_check_common (struct client_s *client, const char *user, uid_t uid,
273 gid_t gid, int *allowed)
274 {
275 gpg_error_t rc = 0;
276 int not = 0;
277 int rw = 0;
278 int tls = 0;
279
280 if (!user || !*user)
281 return 0;
282
283 if (*user == '-' || *user == '!')
284 not = 1;
285
286 if (*user == '+') // not implemented yet
287 rw = 1;
288
289 if (*user == '#') // TLS fingerprint hash
290 tls = 1;
291
292 if (not || rw || tls)
293 user++;
294
295 if (tls)
296 {
297 #ifdef WITH_GNUTLS
298 if (client->thd->remote)
299 {
300 if (!strcasecmp (client->thd->tls->fp, user))
301 *allowed = !not;
302 }
303
304 return 0;
305 #else
306 return 0;
307 #endif
308 }
309
310 if (*user == '@') // all users in group
311 return acl_check_group (user+1, uid, gid, not, allowed);
312 else
313 {
314 char *buf;
315 struct passwd pw;
316 struct passwd *result = get_pwd_struct (user, 0, &pw, &buf, &rc);
317
318 if (!rc && result && result->pw_uid == uid)
319 *allowed = !not;
320
321 xfree (buf);
322 }
323
324 return rc;
325 }
326 #endif
327
328 gpg_error_t
329 validate_peer (struct client_s *cl)
330 {
331 gpg_error_t rc;
332
333 #ifdef WITH_GNUTLS
334 if (cl->thd->remote)
335 return tls_validate_access (cl, NULL);
336 #endif
337
338 MUTEX_LOCK (&cn_mutex);
339 pthread_cleanup_push (release_mutex_cb, &cn_mutex);
340 rc = do_validate_peer (cl->ctx, "global", &cl->thd->peer);
341 pthread_cleanup_pop (1);
342 log_write ("peer %s: uid=%i, gid=%i, pid=%i, rc=%u",
343 !rc ? _("accepted") : _("rejected"), cl->thd->peer->uid,
344 cl->thd->peer->gid, cl->thd->peer->pid, rc);
345 return rc;
346 }
A server for managing passphrases and anything else.