src/acl.c

   1 /*
   2     Copyright (C) 2006-2021 Ben Kibbey <bjk@luxsci.net>
   3
   4     This file is part of pwmd.
   5
   6     Pwmd is free software: you can redistribute it and/or modify
   7     it under the terms of the GNU General Public License as published by
   8     the Free Software Foundation, either version 2 of the License, or
   9     (at your option) any later version.
  10
  11     Pwmd is distributed in the hope that it will be useful,
  12     but WITHOUT ANY WARRANTY; without even the implied warranty of
  13     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14     GNU General Public License for more details.
  15
  16     You should have received a copy of the GNU General Public License
  17     along with Pwmd.  If not, see <http://www.gnu.org/licenses/>.
  18 */
  19 #ifdef HAVE_CONFIG_H
  20 #include <config.h>
  21 #endif
  22
  23 #include <unistd.h>
  24 #include <sys/types.h>
  25 #include <pwd.h>
  26 #include <grp.h>
  27
  28 #include "common.h"
  29 #include "acl.h"
  30 #include "rcfile.h"
  31 #include "util-misc.h"
  32 #include "util-string.h"
  33 #include "mutex.h"
  34 #include "mem.h"
  35 #ifdef WITH_GNUTLS
  36 #include "tls.h"
  37 #endif
  38
  39 static char *
  40 acl_get_proc (pid_t pid, gpg_error_t *rc)
  41 {
  42 #ifndef __linux__ // FIXME: portability (BSD kvm, solaris, etc)
  43   *rc = 0;
  44   return NULL;
  45 #else
  46   char buf[64];
  47   char path[PATH_MAX];
  48   char *p;
  49   ssize_t n;
  50
  51   snprintf (buf, sizeof (buf), "/proc/%lu/exe", (long)pid);
  52   n = readlink (buf, path, sizeof (path)-1);
  53
  54   if (n == -1)
  55     {
  56       *rc = gpg_error_from_syserror ();
  57       log_write ("%s: %s", __FUNCTION__, gpg_strerror (*rc));
  58       return NULL;
  59     }
  60
  61   *rc = 0;
  62   path[n] = 0;
  63
  64   p = str_dup (path);
  65   if (!p)
  66     *rc = GPG_ERR_ENOMEM;
  67
  68   return p;
  69 #endif
  70 }
  71
  72 /* Check for further matches of a pathname which may be negated. */
  73 static int
  74 acl_check_proc_dup (char **users, const char *path)
  75 {
  76   char **p;
  77   int allowed = 0;
  78
  79   for (p = users; p && *p; p++)
  80     {
  81       int not = 0;
  82       char *s = *p;
  83
  84       if (*s == '!' || *s == '-')
  85         {
  86           not = 1;
  87           s++;
  88         }
  89
  90       if (*s != '/')
  91         continue;
  92
  93       if (!strcmp (s, path))
  94         allowed = !not;
  95     }
  96
  97   return allowed;
  98 }
  99
 100 static int
 101 acl_check_proc (char **users, char *user, const char *path, int *have_path)
 102 {
 103   char *p = user;
 104
 105   if (*p == '!' || *p == '-')
 106     p++;
 107
 108   if (*p != '/')
 109     return 2;
 110
 111   *have_path = 1;
 112   if (!strcmp (user, path))
 113     return acl_check_proc_dup (users, user);
 114
 115   return 0;
 116 }
 117
 118 gpg_error_t
 119 do_validate_peer (assuan_context_t ctx, const char *section,
 120                   assuan_peercred_t *peer, char **rpath)
 121 {
 122   char **users;
 123   int allowed = 0;
 124   gpg_error_t rc;
 125   struct client_s *client = assuan_get_pointer (ctx);
 126
 127   if (!client)
 128     return GPG_ERR_FORBIDDEN;
 129
 130 #ifdef WITH_GNUTLS
 131   if (client->thd->remote)
 132     return tls_validate_access (client, section);
 133 #endif
 134
 135   rc = assuan_get_peercred (ctx, peer);
 136   if (rc)
 137     return rc;
 138
 139   users = config_get_list (section, "allowed");
 140   if (users)
 141     {
 142       for (char **p = users; !rc && *p; p++)
 143         {
 144           rc = acl_check_common(client, *p, (*peer)->uid, (*peer)->gid,
 145                                 &allowed);
 146         }
 147
 148       /* Skip getting process name from a UID that is not our own to prevent
 149        * an ENOENT error since most modern systems hide process details from
 150        * other UID's. Access will be allowed based on other tests (filesystem
 151        * ACL to the socket, configuration, etc). */
 152       if (allowed && !rc && (*peer)->uid == getuid ())
 153         {
 154           int exec_allowed = 0;
 155           char *path = acl_get_proc ((*peer)->pid, &rc);
 156           int have_path = 0;
 157
 158           for (char **p = users; !rc && path && *p; p++)
 159             {
 160               exec_allowed = acl_check_proc (users, *p, path, &have_path);
 161               if (!rc && exec_allowed == 1)
 162                 break;
 163             }
 164
 165           if (rpath)
 166             *rpath = path;
 167           else
 168             xfree (path);
 169
 170           if (have_path)
 171             allowed = exec_allowed == 1;
 172         }
 173
 174       strv_free (users);
 175     }
 176
 177   return allowed && !rc ? 0 : rc ? rc : GPG_ERR_FORBIDDEN;
 178 }
 179
 180 /* Test if uid is a member of group 'name'. Invert when 'not' is true. */
 181 #ifdef HAVE_GETGRNAM_R
 182 static gpg_error_t
 183 acl_check_group (const char *name, uid_t uid, gid_t gid, int not, int *allowed)
 184 {
 185   char *buf;
 186   struct group gr, *gresult;
 187   size_t len = sysconf (_SC_GETGR_R_SIZE_MAX);
 188   int err;
 189   gpg_error_t rc = 0;
 190
 191   if (len == -1)
 192     len = 16384;
 193
 194   buf = xmalloc (len);
 195   if (!buf)
 196     return GPG_ERR_ENOMEM;
 197
 198   err = getgrnam_r (name, &gr, buf, len, &gresult);
 199   if (!err && gresult)
 200     {
 201       if (gresult->gr_gid == gid)
 202         {
 203           xfree (buf);
 204           *allowed = !not;
 205           return 0;
 206         }
 207
 208       for (char **t = gresult->gr_mem; !rc && *t; t++)
 209         {
 210           char *tbuf;
 211           struct passwd pw;
 212           struct passwd *result = get_pwd_struct (*t, 0, &pw, &tbuf, &rc);
 213
 214           if (!rc && result && result->pw_uid == uid)
 215             {
 216               xfree (tbuf);
 217               *allowed = !not;
 218               break;
 219             }
 220
 221           xfree (tbuf);
 222         }
 223
 224       xfree (buf);
 225       return rc;
 226     }
 227   else if (err)
 228     rc = gpg_error_from_errno (err);
 229
 230   xfree (buf);
 231   return rc ? rc : !gresult ? 0 : GPG_ERR_EACCES;
 232 }
 233 #else
 234 static gpg_error_t
 235 acl_check_group (const char *name, uid_t uid, gid_t gid, int not, int *allowed)
 236 {
 237   struct group *gresult;
 238   gpg_error_t rc = 0;
 239
 240   errno = 0;
 241   gresult = getgrnam (name);
 242   if (!errno && gresult && gresult->gr_gid == gid)
 243     {
 244       *allowed = !not;
 245       return 0;
 246     }
 247   else if (errno)
 248     rc = gpg_error_from_syserror ();
 249   else if (!gresult)
 250     return 0;
 251
 252   for (char **t = gresult->gr_mem; !rc && *t; t++)
 253     {
 254       char *buf;
 255       struct passwd pw;
 256       struct passwd *result = get_pwd_struct (*t, 0, &pw, &buf, &rc);
 257
 258       if (!rc && result && result->pw_uid == uid)
 259         {
 260           xfree (buf);
 261           *allowed = !not;
 262           break;
 263         }
 264
 265       xfree (buf);
 266     }
 267
 268   return rc;
 269 }
 270 #endif
 271
 272 gpg_error_t
 273 peer_is_invoker(struct client_s *client)
 274 {
 275   struct invoking_user_s *user;
 276   int allowed = 0;
 277
 278   if (client->thd->state == CLIENT_STATE_UNKNOWN)
 279     return GPG_ERR_EACCES;
 280
 281   for (user = invoking_users; user; user = user->next)
 282     {
 283 #ifdef WITH_GNUTLS
 284       if (client->thd->remote)
 285         {
 286           if (user->type == INVOKING_TLS
 287               && !strcmp(client->thd->tls->fp, user->id))
 288             allowed = user->not ? 0 : 1;
 289
 290           continue;
 291         }
 292 #endif
 293
 294       if (user->type == INVOKING_GID)
 295         {
 296           gpg_error_t rc = acl_check_group (user->id,
 297                                             client->thd->peer->uid,
 298                                             client->thd->peer->gid,
 299                                             user->not, &allowed);
 300           if (rc)
 301             return rc;
 302         }
 303       else if (user->type == INVOKING_UID && client->thd->peer->uid == user->uid)
 304         allowed = user->not ? 0 : 1;
 305     }
 306
 307   return allowed ? 0 : GPG_ERR_EACCES;
 308 }
 309
 310 #ifdef HAVE_GETGRNAM_R
 311 gpg_error_t
 312 acl_check_common (struct client_s *client, const char *user, uid_t uid,
 313                   gid_t gid, int *allowed)
 314 {
 315   int not = 0;
 316   int rw = 0;
 317   int tls = 0;
 318   gpg_error_t rc = 0;
 319
 320   if (!user || !*user)
 321     return 0;
 322
 323   if (*user == '-' || *user == '!')
 324     not = 1;
 325
 326   if (*user == '+') // not implemented yet
 327     rw = 1;
 328
 329   if (*user == '#') // TLS fingerprint hash
 330     tls = 1;
 331
 332   if (not || rw || tls)
 333     user++;
 334
 335   if (tls)
 336     {
 337 #ifdef WITH_GNUTLS
 338       if (client->thd->remote)
 339         {
 340           if (!strcasecmp (client->thd->tls->fp, user))
 341             *allowed = !not;
 342         }
 343
 344       return 0;
 345 #else
 346       (void)client;
 347       return 0;
 348 #endif
 349     }
 350 #ifdef WITH_GNUTLS
 351   else if (client->thd->remote) // Remote client with no FP in the ACL
 352     return 0;
 353 #endif
 354
 355   if (*user == '@') // all users in group
 356     return acl_check_group (user+1, uid, gid, not, allowed);
 357   else
 358     {
 359       char *buf;
 360       struct passwd pw;
 361       struct passwd *pwd = get_pwd_struct (user, 0, &pw, &buf, &rc);
 362
 363       if (!rc && pwd && pwd->pw_uid == uid)
 364         *allowed = !not;
 365
 366       xfree (buf);
 367     }
 368
 369   return rc;
 370 }
 371 #else
 372 gpg_error_t
 373 acl_check_common (struct client_s *client, const char *user, uid_t uid,
 374                   gid_t gid, int *allowed)
 375 {
 376   gpg_error_t rc = 0;
 377   int not = 0;
 378   int rw = 0;
 379   int tls = 0;
 380
 381   if (!user || !*user)
 382     return 0;
 383
 384   if (*user == '-' || *user == '!')
 385     not = 1;
 386
 387   if (*user == '+') // not implemented yet
 388     rw = 1;
 389
 390   if (*user == '#') // TLS fingerprint hash
 391     tls = 1;
 392
 393   if (not || rw || tls)
 394     user++;
 395
 396   if (tls)
 397     {
 398 #ifdef WITH_GNUTLS
 399       if (client->thd->remote)
 400         {
 401           if (!strcasecmp (client->thd->tls->fp, user))
 402             *allowed = !not;
 403         }
 404
 405       return 0;
 406 #else
 407       return 0;
 408 #endif
 409     }
 410
 411   if (*user == '@') // all users in group
 412     return acl_check_group (user+1, uid, gid, not, allowed);
 413   else
 414     {
 415       char *buf;
 416       struct passwd pw;
 417       struct passwd *result = get_pwd_struct (user, 0, &pw, &buf, &rc);
 418
 419       if (!rc && result && result->pw_uid == uid)
 420         *allowed = !not;
 421
 422       xfree (buf);
 423     }
 424
 425   return rc;
 426 }
 427 #endif
 428
 429 gpg_error_t
 430 validate_peer (struct client_s *cl)
 431 {
 432   gpg_error_t rc;
 433   char *path = NULL;
 434
 435 #ifdef WITH_GNUTLS
 436   if (cl->thd->remote)
 437     return tls_validate_access (cl, NULL);
 438 #endif
 439
 440   MUTEX_LOCK (&cn_mutex);
 441   pthread_cleanup_push (release_mutex_cb, &cn_mutex);
 442   rc = do_validate_peer (cl->ctx, "global", &cl->thd->peer, &path);
 443   pthread_cleanup_pop (1);
 444   log_write ("peer %s: path=%s, uid=%i, gid=%i, pid=%i, rc=%u",
 445              !rc ? _("accepted") : _("rejected"), path,
 446              cl->thd->peer->uid, cl->thd->peer->gid,
 447              cl->thd->peer->pid, rc);
 448   xfree (path);
 449   return rc;
 450 }