bool DSAccessFile::CheckGroupMembership(const char* inUsername, const char* inGroupName)
{
// In Tiger, group membership is painfully simple: we ask memberd for it!
struct passwd *user = NULL;
struct group *group = NULL;
uuid_t userID;
uuid_t groupID;
int isMember = 0;
// Look up the user using the POSIX APIs: only care about the UID.
user = getpwnam(inUsername);
if ( user == NULL )
return false;
uuid_clear(userID);
if ( mbr_uid_to_uuid(user->pw_uid, userID) )
return false;
// Look up the group using the POSIX APIs: only care about the GID.
group = getgrnam(inGroupName);
endgrent();
if ( group == NULL )
return false;
uuid_clear(groupID);
if ( mbr_gid_to_uuid(group->gr_gid, groupID) )
return false;
// mbr_check_membership() returns 0 on success and error code on failure.
if ( mbr_check_membership(userID, groupID, &isMember) )
return false;
return (bool)isMember;
}
int
main(void)
{
int result;
long retval;
uuid_t *uuid=NULL;
/* check to see if ACLs are supported in the current directory*/
if (-1 == (retval = pathconf(".", _PC_EXTENDED_SECURITY_NP))) {
err(1, "pathconf()");
} else {
if(0 == retval) {
fprintf(stderr,
"ACLs not supported here (retval=%ld)\n",
retval);
exit(1);
}
}
if (NULL == (uuid = (uuid_t *)calloc(1,sizeof(uuid_t))))
err(1, "unable to allocate a uuid");
if (0 != mbr_uid_to_uuid(getuid(), *uuid)) {
perror("mbr_uid_to_uuid()");
free(uuid);
exit(1);
}
result = acl_readonly_example(uuid);
free(uuid);
printf("result=%d\n", result);
return(result);
}
int check_sacl(const char *inUser)
{
#if OSX_SACL
int mbrErr = ENOENT;
int isMember = 0;
uuid_t user_uuid;
uuid_t uu;
mbrErr = mbr_uid_to_uuid(geteuid(), uu);
if (0 == mbrErr)
{
mbrErr = mbr_check_service_membership(uu, "qtss", &isMember);
if (ENOENT == mbrErr) //no acl exists so allow any user.
return kSACLAnyUser;
}
if( (mbrErr = mbr_user_name_to_uuid(inUser, user_uuid)) != 0)
{
return kSACLUnknownUser;
}
if((mbrErr = mbr_check_service_membership(user_uuid, "qtss", &isMember)) != 0)
{
if(mbrErr == ENOENT){ // no ACL exists
return kSACLAuthorized;
} else {
return kSACLNotAuthorized;
}
}
if(isMember == kSACLAuthorized)
{
return kSACLAuthorized;
}
return kSACLNotAuthorized;
#else
return kSACLAuthorized;
#endif
}
/*
* member of the radius group?
*/
static rlm_rcode_t mod_authorize(UNUSED void *instance, REQUEST *request)
{
struct passwd *userdata = NULL;
struct group *groupdata = NULL;
int ismember = 0;
RADCLIENT *rad_client = NULL;
uuid_t uuid;
uuid_t guid_sacl;
uuid_t guid_nasgroup;
int err;
char host_ipaddr[128] = {0};
if (!request || !request->username) {
RDEBUG("OpenDirectory requires a User-Name attribute.");
return RLM_MODULE_NOOP;
}
/* resolve SACL */
uuid_clear(guid_sacl);
groupdata = getgrnam(kRadiusSACLName);
if (groupdata != NULL) {
err = mbr_gid_to_uuid(groupdata->gr_gid, guid_sacl);
if (err != 0) {
ERROR("rlm_opendirectory: The group \"%s\" does not have a GUID.", kRadiusSACLName);
return RLM_MODULE_FAIL;
}
}
else {
RDEBUG("The SACL group \"%s\" does not exist on this system.", kRadiusSACLName);
}
/* resolve client access list */
uuid_clear(guid_nasgroup);
rad_client = request->client;
#if 0
if (rad_client->community[0] != '\0' )
{
/*
* The "community" can be a GUID (Globally Unique ID) or
* a group name
*/
if (uuid_parse(rad_client->community, guid_nasgroup) != 0) {
/* attempt to resolve the name */
groupdata = getgrnam(rad_client->community);
if (!groupdata) {
AUTH("rlm_opendirectory: The group \"%s\" does not exist on this system.", rad_client->community);
return RLM_MODULE_FAIL;
}
err = mbr_gid_to_uuid(groupdata->gr_gid, guid_nasgroup);
if (err != 0) {
AUTH("rlm_opendirectory: The group \"%s\" does not have a GUID.", rad_client->community);
return RLM_MODULE_FAIL;
}
}
}
else
#endif
{
if (!rad_client) {
RDEBUG("The client record could not be found for host %s.",
ip_ntoh(&request->packet->src_ipaddr,
host_ipaddr, sizeof(host_ipaddr)));
}
else {
RDEBUG("The host %s does not have an access group.",
ip_ntoh(&request->packet->src_ipaddr,
host_ipaddr, sizeof(host_ipaddr)));
}
}
if (uuid_is_null(guid_sacl) && uuid_is_null(guid_nasgroup)) {
RDEBUG("no access control groups, all users allowed.");
if (pairfind(request->config_items, PW_AUTH_TYPE, 0, TAG_ANY) == NULL) {
pairmake_config("Auth-Type", kAuthType, T_OP_EQ);
RDEBUG("Setting Auth-Type = %s", kAuthType);
}
return RLM_MODULE_OK;
}
/* resolve user */
uuid_clear(uuid);
userdata = getpwnam(request->username->vp_strvalue);
if (userdata != NULL) {
err = mbr_uid_to_uuid(userdata->pw_uid, uuid);
if (err != 0)
uuid_clear(uuid);
}
if (uuid_is_null(uuid)) {
REDEBUG("Could not get the user's uuid",
T_OP_EQ);
return RLM_MODULE_NOTFOUND;
}
if (!uuid_is_null(guid_sacl)) {
err = mbr_check_service_membership(uuid, kRadiusServiceName, &ismember);
if (err != 0) {
REDEBUG("Failed to check group membership", T_OP_EQ);
return RLM_MODULE_FAIL;
}
if (ismember == 0) {
REDEBUG("User is not authorized", T_OP_EQ);
return RLM_MODULE_USERLOCK;
}
}
if (!uuid_is_null(guid_nasgroup)) {
err = mbr_check_membership_refresh(uuid, guid_nasgroup, &ismember);
if (err != 0) {
REDEBUG("Failed to check group membership", T_OP_EQ);
return RLM_MODULE_FAIL;
}
if (ismember == 0) {
REDEBUG("User is not authorized", T_OP_EQ);
return RLM_MODULE_USERLOCK;
}
}
if (pairfind(request->config_items, PW_AUTH_TYPE, 0, TAG_ANY) == NULL) {
pairmake_config("Auth-Type", kAuthType, T_OP_EQ);
RDEBUG("Setting Auth-Type = %s", kAuthType);
}
return RLM_MODULE_OK;
}
int
user_in_group(struct passwd *pw, const char *group)
{
#ifdef HAVE_MBR_CHECK_MEMBERSHIP
uuid_t gu, uu;
int ismember;
#else
char **gr_mem;
int i;
#endif
struct group *grp;
int retval = FALSE;
#ifdef HAVE_SETAUTHDB
aix_setauthdb(pw->pw_name);
#endif
grp = sudo_getgrnam(group);
#ifdef HAVE_SETAUTHDB
aix_restoreauthdb();
#endif
if (grp == NULL)
goto done;
/* check against user's primary (passwd file) gid */
if (grp->gr_gid == pw->pw_gid) {
retval = TRUE;
goto done;
}
#ifdef HAVE_MBR_CHECK_MEMBERSHIP
/* If we are matching the invoking user use the stashed uuid. */
if (strcmp(pw->pw_name, user_name) == 0) {
if (mbr_gid_to_uuid(grp->gr_gid, gu) == 0 &&
mbr_check_membership(user_uuid, gu, &ismember) == 0 && ismember) {
retval = TRUE;
goto done;
}
} else {
if (mbr_uid_to_uuid(pw->pw_uid, uu) == 0 &&
mbr_gid_to_uuid(grp->gr_gid, gu) == 0 &&
mbr_check_membership(uu, gu, &ismember) == 0 && ismember) {
retval = TRUE;
goto done;
}
}
#else /* HAVE_MBR_CHECK_MEMBERSHIP */
# ifdef HAVE_GETGROUPS
/*
* If we are matching the invoking or list user and that user has a
* supplementary group vector, check it.
*/
if (user_ngroups > 0 &&
strcmp(pw->pw_name, list_pw ? list_pw->pw_name : user_name) == 0) {
for (i = 0; i < user_ngroups; i++) {
if (grp->gr_gid == user_groups[i]) {
retval = TRUE;
goto done;
}
}
} else
# endif /* HAVE_GETGROUPS */
{
if (grp != NULL && grp->gr_mem != NULL) {
for (gr_mem = grp->gr_mem; *gr_mem; gr_mem++) {
if (strcmp(*gr_mem, pw->pw_name) == 0) {
retval = TRUE;
goto done;
}
}
}
}
#endif /* HAVE_MBR_CHECK_MEMBERSHIP */
done:
if (grp != NULL)
gr_delref(grp);
return retval;
}
acl_t
acl_from_text(const char *buf_p)
{
int i, error = 0, need_tag, ug_tag;
char *buf, *orig_buf;
char *entry, *field, *sub;
uuid_t *uu = NULL;
struct passwd *tpass = NULL;
struct group *tgrp = NULL;
acl_entry_t acl_entry;
acl_flagset_t flags = NULL;
acl_permset_t perms = NULL;
acl_tag_t tag;
acl_t acl_ret;
if (buf_p == NULL)
{
errno = EINVAL;
return NULL;
}
if ((buf = strdup(buf_p)) == NULL)
return NULL;
if ((acl_ret = acl_init(1)) == NULL)
return NULL;
orig_buf = buf;
/* global acl flags
* format: !#acl <version> [<flags>]
*/
if ((entry = strsep(&buf, "\n")) != NULL && *entry)
{
/* field 1: !#acl */
field = strsep(&entry, " ");
if (*field && strncmp(field, "!#acl", strlen("!#acl")))
{
error = EINVAL;
goto exit;
}
/* field 2: <version>
* currently only accepts 1
*/
field = strsep(&entry, " ");
errno = 0;
if (!*field || strtol(field, NULL, 0) != 1)
{
error = EINVAL;
goto exit;
}
/* field 3: <flags>
* optional
*/
if((field = strsep(&entry, " ")) != NULL && *field)
{
acl_get_flagset_np(acl_ret, &flags);
while ((sub = strsep(&field, ",")) && *sub)
{
for (i = 0; acl_flags[i].name != NULL; ++i)
{
if (acl_flags[i].type & ACL_TYPE_ACL
&& !strcmp(acl_flags[i].name, sub))
{
acl_add_flag_np(flags, acl_flags[i].flag);
break;
}
}
if (acl_flags[i].name == NULL)
{
/* couldn't find flag */
error = EINVAL;
goto exit;
}
}
}
} else {
error = EINVAL;
goto exit;
}
/* parse each acl line
* format: <user|group>:
* [<uuid>]:
* [<user|group>]:
* [<uid|gid>]:
* <allow|deny>[,<flags>]
* [:<permissions>[,<permissions>]]
*
* only one of the user/group identifies is required
* the first one found is used
*/
while ((entry = strsep(&buf, "\n")) && *entry)
{
need_tag = 1;
ug_tag = -1;
/* field 1: <user|group> */
field = strsep(&entry, ":");
if(uu)
bzero(uu, sizeof(uuid_t));
else if((uu = calloc(1, sizeof(uuid_t))) == NULL)
{
error = errno;
goto exit;
}
if(acl_create_entry(&acl_ret, &acl_entry))
{
error = errno;
goto exit;
}
if (-1 == acl_get_flagset_np(acl_entry, &flags)
|| -1 == acl_get_permset(acl_entry, &perms))
{
error = errno;
goto exit;
}
switch(*field)
{
case 'u':
if(!strcmp(field, "user"))
ug_tag = ID_TYPE_UID;
break;
case 'g':
if(!strcmp(field, "group"))
ug_tag = ID_TYPE_GID;
break;
default:
error = EINVAL;
goto exit;
}
/* field 2: <uuid> */
if ((field = strsep(&entry, ":")) != NULL && *field)
{
uuid_parse(field, *uu);
need_tag = 0;
}
/* field 3: <username|groupname> */
if ((field = strsep(&entry, ":")) != NULL && *field && need_tag)
{
switch(ug_tag)
{
case ID_TYPE_UID:
if((tpass = getpwnam(field)) != NULL)
if (mbr_uid_to_uuid(tpass->pw_uid, *uu) != 0)
{
error = EINVAL;
goto exit;
}
break;
case ID_TYPE_GID:
if ((tgrp = getgrnam(field)) != NULL)
if (mbr_gid_to_uuid(tgrp->gr_gid, *uu) != 0)
{
error = EINVAL;
goto exit;
}
break;
default:
error = EINVAL;
goto exit;
}
need_tag = 0;
}
/* field 4: <uid|gid> */
if ((field = strsep(&entry, ":")) != NULL && *field && need_tag)
{
uid_t id;
error = 0;
if((id = strtol(field, NULL, 10)) == 0 && error)
{
error = EINVAL;
goto exit;
}
switch(ug_tag)
{
case ID_TYPE_UID:
if((tpass = getpwuid((uid_t)id)) != NULL)
if (mbr_uid_to_uuid(tpass->pw_uid, *uu) != 0)
{
error = EINVAL;
goto exit;
}
break;
case ID_TYPE_GID:
if ((tgrp = getgrgid((gid_t)id)) != NULL)
if (mbr_gid_to_uuid(tgrp->gr_gid, *uu) != 0)
{
error = EINVAL;
goto exit;
}
break;
}
need_tag = 0;
}
/* sanity check: nothing set as qualifier */
if (need_tag)
{
error = EINVAL;
goto exit;
}
/* field 5: <flags> */
if((field = strsep(&entry, ":")) == NULL || !*field)
{
error = EINVAL;
goto exit;
}
for (tag = 0; (sub = strsep(&field, ",")) && *sub;)
{
if (!tag)
{
if (!strcmp(sub, "allow"))
tag = ACL_EXTENDED_ALLOW;
else if (!strcmp(sub, "deny"))
tag = ACL_EXTENDED_DENY;
else {
error = EINVAL;
goto exit;
}
continue;
}
for (i = 0; acl_flags[i].name != NULL; ++i)
{
if (acl_flags[i].type & (ACL_TYPE_FILE | ACL_TYPE_DIR)
&& !strcmp(acl_flags[i].name, sub))
{
acl_add_flag_np(flags, acl_flags[i].flag);
break;
}
}
if (acl_flags[i].name == NULL)
{
/* couldn't find perm */
error = EINVAL;
goto exit;
}
}
/* field 6: <perms> (can be empty) */
if((field = strsep(&entry, ":")) != NULL && *field)
{
while ((sub = strsep(&field, ",")) && *sub)
{
for (i = 0; acl_perms[i].name != NULL; i++)
{
if (acl_perms[i].type & (ACL_TYPE_FILE | ACL_TYPE_DIR)
&& !strcmp(acl_perms[i].name, sub))
{
acl_add_perm(perms, acl_perms[i].perm);
break;
}
}
if (acl_perms[i].name == NULL)
{
/* couldn't find perm */
error = EINVAL;
goto exit;
}
}
}
acl_set_tag_type(acl_entry, tag);
acl_set_qualifier(acl_entry, *uu);
}
exit:
if(uu)
free(uu);
free(orig_buf);
if (error)
{
acl_free(acl_ret);
acl_ret = NULL;
errno = error;
}
return acl_ret;
}
