Ejemplo n.º 1
0
static char *authz_owner_get_file_group(request_rec *r)
{
    /* file-group only figures out the file's group and lets
    * other modules do the actual authorization (against a group file/db).
    * Thus, these modules have to hook themselves after
    * mod_authz_owner and of course recognize 'file-group', too.
    */
#if !APR_HAS_USER
    return NULL;
#else  /* APR_HAS_USER */
    char *reason = NULL;
    char *group = NULL;
    apr_finfo_t finfo;
    apr_status_t status = 0;

    if (!r->filename) {
        reason = "no filename available";
        ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, APLOGNO(01638)
                      "Authorization of user %s to access %s failed, reason: %s",
                      r->user, r->uri, reason ? reason : "unknown");
        return NULL;
    }

    status = apr_stat(&finfo, r->filename, APR_FINFO_GROUP, r->pool);
    if (status != APR_SUCCESS) {
        reason = apr_pstrcat(r->pool, "could not stat file ",
                                r->filename, NULL);
        ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, APLOGNO(01639)
                      "Authorization of user %s to access %s failed, reason: %s",
                      r->user, r->uri, reason ? reason : "unknown");
        return NULL;
    }

    if (!(finfo.valid & APR_FINFO_GROUP)) {
        reason = "no file group information available";
        ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, APLOGNO(01640)
                      "Authorization of user %s to access %s failed, reason: %s",
                      r->user, r->uri, reason ? reason : "unknown");
        return NULL;
    }

    status = apr_gid_name_get(&group, finfo.group, r->pool);
    if (status != APR_SUCCESS || !group) {
        reason = "could not get name of file group";
        ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, APLOGNO(01641)
                      "Authorization of user %s to access %s failed, reason: %s",
                      r->user, r->uri, reason ? reason : "unknown");
        return NULL;
    }

    return group;
#endif /* APR_HAS_USER */
}
Ejemplo n.º 2
0
static void fail_userinfo(CuTest *tc)
{
    apr_uid_t uid;
    apr_gid_t gid;
    apr_status_t rv;
    char *tmp;

    errno = 0;
    gid = uid = 9999999;
    tmp = NULL;
    rv = apr_uid_name_get(&tmp, uid, p);
    CuAssert(tc, "apr_uid_name_get should fail or "
                "return a user name",
                rv != APR_SUCCESS || tmp != NULL);

    errno = 0;
    tmp = NULL;
    rv = apr_gid_name_get(&tmp, gid, p);
    CuAssert(tc, "apr_gid_name_get should fail or "
             "return a group name",
             rv != APR_SUCCESS || tmp != NULL);
    
    gid = 424242;
    errno = 0;
    rv = apr_gid_get(&gid, "I_AM_NOT_A_GROUP", p);
    CuAssert(tc, "apr_gid_get should fail or "
             "set a group number",
             rv != APR_SUCCESS || gid == 424242);

    gid = uid = 424242;
    errno = 0;
    rv = apr_uid_get(&uid, &gid, "I_AM_NOT_A_USER", p);
    CuAssert(tc, "apr_gid_get should fail or "
             "set a user and group number",
             rv != APR_SUCCESS || uid == 424242 || gid == 4242442);

    errno = 0;
    tmp = NULL;
    rv = apr_uid_homepath_get(&tmp, "I_AM_NOT_A_USER", p);
    CuAssert(tc, "apr_uid_homepath_get should fail or "
             "set a path name",
             rv != APR_SUCCESS || tmp != NULL);
}
Ejemplo n.º 3
0
static void groupname(CuTest *tc)
{
    apr_uid_t uid;
    apr_gid_t gid;
    apr_gid_t retreived_gid;
    apr_status_t rv;
    char *gname = NULL;

    rv = apr_uid_current(&uid, &gid, p);
    CuAssertIntEquals(tc, APR_SUCCESS, rv);

    rv = apr_gid_name_get(&gname, gid, p);
    CuAssertIntEquals(tc, APR_SUCCESS, rv);
    CuAssertPtrNotNull(tc, gname);

    rv = apr_gid_get(&retreived_gid, gname, p);
    CuAssertIntEquals(tc, APR_SUCCESS, rv);

    CuAssertIntEquals(tc, APR_SUCCESS, apr_gid_compare(gid, retreived_gid));
}
Ejemplo n.º 4
0
term_t make_file_info(apr_finfo_t *fi, xpool_t *xp)
{
	apr_status_t rs;
	apr_pool_t *tmp;

	term_t file_info = make_tuple(10, xp);
	term_t *e = tup_elts(file_info);

	e[0] = A_FILE_INFO0;
	e[1] = (fi->valid & APR_FINFO_TYPE) ? intnum(fi->filetype) : A_UNDEFINED;
	e[2] = (fi->valid & APR_FINFO_NAME) ? ztol(fi->name, xp) : A_UNDEFINED;
	e[3] = (fi->valid & APR_FINFO_SIZE) ? long2term(fi->size, xp) : A_UNDEFINED;
	e[4] = (fi->valid & APR_FINFO_MTIME) ? long2term(fi->mtime, xp) : A_UNDEFINED;
	e[5] = (fi->valid & APR_FINFO_CTIME) ? long2term(fi->ctime, xp) : A_UNDEFINED;
	e[6] = (fi->valid & APR_FINFO_ATIME) ? long2term(fi->atime, xp) : A_UNDEFINED;

	e[7] = A_UNDEFINED;
	e[8] = A_UNDEFINED;

	apr_pool_create(&tmp, 0);
	if (fi->valid & APR_FINFO_USER)
	{
		char *user_name;
		rs = apr_uid_name_get(&user_name, fi->user, tmp);
		if (rs == 0)
			e[7] = ztol(user_name, xp);
	}
	if (fi->valid & APR_FINFO_GROUP)
	{
		char *group_name;
		rs = apr_gid_name_get(&group_name, fi->group, tmp);
		if (rs == 0)
			e[8] = ztol(group_name, xp);
	}
	apr_pool_destroy(tmp);

	//TODO: only user or group permissions may be known
	e[9] = (fi->valid & APR_FINFO_PROT)? intnum(fi->protection) : A_UNDEFINED;

	return file_info;
}
Ejemplo n.º 5
0
/* translates groupid to groupname */
MVMString * MVM_proc_gidtoname(MVMThreadContext *tc, MVMint64 groupid) {
    MVMString *result;
    apr_status_t rv;
    char *namestring;
    apr_pool_t *tmp_pool;

    /* need a temporary pool */
    if ((rv = apr_pool_create(&tmp_pool, POOL(tc))) != APR_SUCCESS) {
        MVM_exception_throw_apr_error(tc, rv, "Failed to get group name from gid: ");
    }

    if ((rv = apr_gid_name_get(&namestring, (apr_gid_t)groupid, tmp_pool)) != APR_SUCCESS) {
        apr_pool_destroy(tmp_pool);
        MVM_exception_throw_apr_error(tc, rv, "Failed to get group name from gid: ");
    }

    result = MVM_string_utf8_decode(tc, tc->instance->VMString, namestring, strlen(namestring));

    apr_pool_destroy(tmp_pool);

    return result;
}
Ejemplo n.º 6
0
static int check_file_owner(request_rec *r)
{
    authz_owner_config_rec *conf = ap_get_module_config(r->per_dir_config,
                                                        &authz_owner_module);
    int m = r->method_number;
    register int x;
    const char *t, *w;
    const apr_array_header_t *reqs_arr = ap_requires(r);
    require_line *reqs;
    int required_owner = 0;
    apr_status_t status = 0;
    char *reason = NULL;

    if (!reqs_arr) {
        return DECLINED;
    }

    reqs = (require_line *)reqs_arr->elts;
    for (x = 0; x < reqs_arr->nelts; x++) {

        /* if authoritative = On then break if a require already failed. */
        if (reason && conf->authoritative) {
            break;
        }

        if (!(reqs[x].method_mask & (AP_METHOD_BIT << m))) {
            continue;
        }

        t = reqs[x].requirement;
        w = ap_getword_white(r->pool, &t);

        if (!strcmp(w, "file-owner")) {
#if !APR_HAS_USER
            if ((required_owner & ~1) && conf->authoritative) {
                break;
            }

            required_owner |= 1; /* remember the requirement */
            reason = "'Require file-owner' is not supported on this platform.";
            continue;
#else  /* APR_HAS_USER */
            char *owner = NULL;
            apr_finfo_t finfo;

            if ((required_owner & ~1) && conf->authoritative) {
                break;
            }

            required_owner |= 1; /* remember the requirement */

            if (!r->filename) {
                reason = "no filename available";
                continue;
            }

            status = apr_stat(&finfo, r->filename, APR_FINFO_USER, r->pool);
            if (status != APR_SUCCESS) {
                reason = apr_pstrcat(r->pool, "could not stat file ",
                                     r->filename, NULL);
                continue;
            }

            if (!(finfo.valid & APR_FINFO_USER)) {
                reason = "no file owner information available";
                continue;
            }

            status = apr_uid_name_get(&owner, finfo.user, r->pool);
            if (status != APR_SUCCESS || !owner) {
                reason = "could not get name of file owner";
                continue;
            }

            if (strcmp(owner, r->user)) {
                reason = apr_psprintf(r->pool, "file owner %s does not match.",
                                      owner);
                continue;
            }

            /* this user is authorized */
            return OK;
#endif /* APR_HAS_USER */
        }

        /* file-group only figures out the file's group and lets
         * other modules do the actual authorization (against a group file/db).
         * Thus, these modules have to hook themselves after
         * mod_authz_owner and of course recognize 'file-group', too.
         */
        if (!strcmp(w, "file-group")) {
#if !APR_HAS_USER
            if ((required_owner & ~6) && conf->authoritative) {
                break;
            }

            required_owner |= 2; /* remember the requirement */
            reason = "'Require file-group' is not supported on this platform.";
            continue;
#else  /* APR_HAS_USER */
            char *group = NULL;
            apr_finfo_t finfo;

            if ((required_owner & ~6) && conf->authoritative) {
                break;
            }

            required_owner |= 2; /* remember the requirement */

            if (!r->filename) {
                reason = "no filename available";
                continue;
            }

            status = apr_stat(&finfo, r->filename, APR_FINFO_GROUP, r->pool);
            if (status != APR_SUCCESS) {
                reason = apr_pstrcat(r->pool, "could not stat file ",
                                     r->filename, NULL);
                continue;
            }

            if (!(finfo.valid & APR_FINFO_GROUP)) {
                reason = "no file group information available";
                continue;
            }

            status = apr_gid_name_get(&group, finfo.group, r->pool);
            if (status != APR_SUCCESS || !group) {
                reason = "could not get name of file group";
                continue;
            }

            /* store group name in a note and let others decide... */
            apr_table_setn(r->notes, AUTHZ_GROUP_NOTE, group);
            required_owner |= 4;
            continue;
#endif /* APR_HAS_USER */
        }
    }

    if (!required_owner || !conf->authoritative) {
        return DECLINED;
    }

    /* allow file-group passed to group db modules either if this is the
     * only applicable requirement here or if a file-owner failed but we're
     * not authoritative.
     * This allows configurations like:
     *
     * AuthzOwnerAuthoritative Off
     * require file-owner
     * require file-group
     *
     * with the semantical meaning of "either owner or group must match"
     * (inclusive or)
     *
     * [ 6 == 2 | 4; 7 == 1 | 2 | 4 ] should I use #defines instead?
     */
    if (required_owner == 6 || (required_owner == 7 && !conf->authoritative)) {
        return DECLINED;
    }

    ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
                  "Authorization of user %s to access %s failed, reason: %s",
                  r->user, r->uri, reason ? reason : "unknown");

    ap_note_auth_failure(r);
    return HTTP_UNAUTHORIZED;
}
Ejemplo n.º 7
0
APR_DECLARE(apr_status_t) apr_group_name_get(char **groupname, 
                                             apr_gid_t groupid, apr_pool_t *p)
{
    return apr_gid_name_get(groupname, groupid, p);
}