static char *authz_owner_get_file_group(request_rec *r) { /* file-group only figures out the file's group and lets * other modules do the actual authorization (against a group file/db). * Thus, these modules have to hook themselves after * mod_authz_owner and of course recognize 'file-group', too. */ #if !APR_HAS_USER return NULL; #else /* APR_HAS_USER */ char *reason = NULL; char *group = NULL; apr_finfo_t finfo; apr_status_t status = 0; if (!r->filename) { reason = "no filename available"; ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, APLOGNO(01638) "Authorization of user %s to access %s failed, reason: %s", r->user, r->uri, reason ? reason : "unknown"); return NULL; } status = apr_stat(&finfo, r->filename, APR_FINFO_GROUP, r->pool); if (status != APR_SUCCESS) { reason = apr_pstrcat(r->pool, "could not stat file ", r->filename, NULL); ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, APLOGNO(01639) "Authorization of user %s to access %s failed, reason: %s", r->user, r->uri, reason ? reason : "unknown"); return NULL; } if (!(finfo.valid & APR_FINFO_GROUP)) { reason = "no file group information available"; ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, APLOGNO(01640) "Authorization of user %s to access %s failed, reason: %s", r->user, r->uri, reason ? reason : "unknown"); return NULL; } status = apr_gid_name_get(&group, finfo.group, r->pool); if (status != APR_SUCCESS || !group) { reason = "could not get name of file group"; ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, APLOGNO(01641) "Authorization of user %s to access %s failed, reason: %s", r->user, r->uri, reason ? reason : "unknown"); return NULL; } return group; #endif /* APR_HAS_USER */ }
static void fail_userinfo(CuTest *tc) { apr_uid_t uid; apr_gid_t gid; apr_status_t rv; char *tmp; errno = 0; gid = uid = 9999999; tmp = NULL; rv = apr_uid_name_get(&tmp, uid, p); CuAssert(tc, "apr_uid_name_get should fail or " "return a user name", rv != APR_SUCCESS || tmp != NULL); errno = 0; tmp = NULL; rv = apr_gid_name_get(&tmp, gid, p); CuAssert(tc, "apr_gid_name_get should fail or " "return a group name", rv != APR_SUCCESS || tmp != NULL); gid = 424242; errno = 0; rv = apr_gid_get(&gid, "I_AM_NOT_A_GROUP", p); CuAssert(tc, "apr_gid_get should fail or " "set a group number", rv != APR_SUCCESS || gid == 424242); gid = uid = 424242; errno = 0; rv = apr_uid_get(&uid, &gid, "I_AM_NOT_A_USER", p); CuAssert(tc, "apr_gid_get should fail or " "set a user and group number", rv != APR_SUCCESS || uid == 424242 || gid == 4242442); errno = 0; tmp = NULL; rv = apr_uid_homepath_get(&tmp, "I_AM_NOT_A_USER", p); CuAssert(tc, "apr_uid_homepath_get should fail or " "set a path name", rv != APR_SUCCESS || tmp != NULL); }
static void groupname(CuTest *tc) { apr_uid_t uid; apr_gid_t gid; apr_gid_t retreived_gid; apr_status_t rv; char *gname = NULL; rv = apr_uid_current(&uid, &gid, p); CuAssertIntEquals(tc, APR_SUCCESS, rv); rv = apr_gid_name_get(&gname, gid, p); CuAssertIntEquals(tc, APR_SUCCESS, rv); CuAssertPtrNotNull(tc, gname); rv = apr_gid_get(&retreived_gid, gname, p); CuAssertIntEquals(tc, APR_SUCCESS, rv); CuAssertIntEquals(tc, APR_SUCCESS, apr_gid_compare(gid, retreived_gid)); }
term_t make_file_info(apr_finfo_t *fi, xpool_t *xp) { apr_status_t rs; apr_pool_t *tmp; term_t file_info = make_tuple(10, xp); term_t *e = tup_elts(file_info); e[0] = A_FILE_INFO0; e[1] = (fi->valid & APR_FINFO_TYPE) ? intnum(fi->filetype) : A_UNDEFINED; e[2] = (fi->valid & APR_FINFO_NAME) ? ztol(fi->name, xp) : A_UNDEFINED; e[3] = (fi->valid & APR_FINFO_SIZE) ? long2term(fi->size, xp) : A_UNDEFINED; e[4] = (fi->valid & APR_FINFO_MTIME) ? long2term(fi->mtime, xp) : A_UNDEFINED; e[5] = (fi->valid & APR_FINFO_CTIME) ? long2term(fi->ctime, xp) : A_UNDEFINED; e[6] = (fi->valid & APR_FINFO_ATIME) ? long2term(fi->atime, xp) : A_UNDEFINED; e[7] = A_UNDEFINED; e[8] = A_UNDEFINED; apr_pool_create(&tmp, 0); if (fi->valid & APR_FINFO_USER) { char *user_name; rs = apr_uid_name_get(&user_name, fi->user, tmp); if (rs == 0) e[7] = ztol(user_name, xp); } if (fi->valid & APR_FINFO_GROUP) { char *group_name; rs = apr_gid_name_get(&group_name, fi->group, tmp); if (rs == 0) e[8] = ztol(group_name, xp); } apr_pool_destroy(tmp); //TODO: only user or group permissions may be known e[9] = (fi->valid & APR_FINFO_PROT)? intnum(fi->protection) : A_UNDEFINED; return file_info; }
/* translates groupid to groupname */ MVMString * MVM_proc_gidtoname(MVMThreadContext *tc, MVMint64 groupid) { MVMString *result; apr_status_t rv; char *namestring; apr_pool_t *tmp_pool; /* need a temporary pool */ if ((rv = apr_pool_create(&tmp_pool, POOL(tc))) != APR_SUCCESS) { MVM_exception_throw_apr_error(tc, rv, "Failed to get group name from gid: "); } if ((rv = apr_gid_name_get(&namestring, (apr_gid_t)groupid, tmp_pool)) != APR_SUCCESS) { apr_pool_destroy(tmp_pool); MVM_exception_throw_apr_error(tc, rv, "Failed to get group name from gid: "); } result = MVM_string_utf8_decode(tc, tc->instance->VMString, namestring, strlen(namestring)); apr_pool_destroy(tmp_pool); return result; }
static int check_file_owner(request_rec *r) { authz_owner_config_rec *conf = ap_get_module_config(r->per_dir_config, &authz_owner_module); int m = r->method_number; register int x; const char *t, *w; const apr_array_header_t *reqs_arr = ap_requires(r); require_line *reqs; int required_owner = 0; apr_status_t status = 0; char *reason = NULL; if (!reqs_arr) { return DECLINED; } reqs = (require_line *)reqs_arr->elts; for (x = 0; x < reqs_arr->nelts; x++) { /* if authoritative = On then break if a require already failed. */ if (reason && conf->authoritative) { break; } if (!(reqs[x].method_mask & (AP_METHOD_BIT << m))) { continue; } t = reqs[x].requirement; w = ap_getword_white(r->pool, &t); if (!strcmp(w, "file-owner")) { #if !APR_HAS_USER if ((required_owner & ~1) && conf->authoritative) { break; } required_owner |= 1; /* remember the requirement */ reason = "'Require file-owner' is not supported on this platform."; continue; #else /* APR_HAS_USER */ char *owner = NULL; apr_finfo_t finfo; if ((required_owner & ~1) && conf->authoritative) { break; } required_owner |= 1; /* remember the requirement */ if (!r->filename) { reason = "no filename available"; continue; } status = apr_stat(&finfo, r->filename, APR_FINFO_USER, r->pool); if (status != APR_SUCCESS) { reason = apr_pstrcat(r->pool, "could not stat file ", r->filename, NULL); continue; } if (!(finfo.valid & APR_FINFO_USER)) { reason = "no file owner information available"; continue; } status = apr_uid_name_get(&owner, finfo.user, r->pool); if (status != APR_SUCCESS || !owner) { reason = "could not get name of file owner"; continue; } if (strcmp(owner, r->user)) { reason = apr_psprintf(r->pool, "file owner %s does not match.", owner); continue; } /* this user is authorized */ return OK; #endif /* APR_HAS_USER */ } /* file-group only figures out the file's group and lets * other modules do the actual authorization (against a group file/db). * Thus, these modules have to hook themselves after * mod_authz_owner and of course recognize 'file-group', too. */ if (!strcmp(w, "file-group")) { #if !APR_HAS_USER if ((required_owner & ~6) && conf->authoritative) { break; } required_owner |= 2; /* remember the requirement */ reason = "'Require file-group' is not supported on this platform."; continue; #else /* APR_HAS_USER */ char *group = NULL; apr_finfo_t finfo; if ((required_owner & ~6) && conf->authoritative) { break; } required_owner |= 2; /* remember the requirement */ if (!r->filename) { reason = "no filename available"; continue; } status = apr_stat(&finfo, r->filename, APR_FINFO_GROUP, r->pool); if (status != APR_SUCCESS) { reason = apr_pstrcat(r->pool, "could not stat file ", r->filename, NULL); continue; } if (!(finfo.valid & APR_FINFO_GROUP)) { reason = "no file group information available"; continue; } status = apr_gid_name_get(&group, finfo.group, r->pool); if (status != APR_SUCCESS || !group) { reason = "could not get name of file group"; continue; } /* store group name in a note and let others decide... */ apr_table_setn(r->notes, AUTHZ_GROUP_NOTE, group); required_owner |= 4; continue; #endif /* APR_HAS_USER */ } } if (!required_owner || !conf->authoritative) { return DECLINED; } /* allow file-group passed to group db modules either if this is the * only applicable requirement here or if a file-owner failed but we're * not authoritative. * This allows configurations like: * * AuthzOwnerAuthoritative Off * require file-owner * require file-group * * with the semantical meaning of "either owner or group must match" * (inclusive or) * * [ 6 == 2 | 4; 7 == 1 | 2 | 4 ] should I use #defines instead? */ if (required_owner == 6 || (required_owner == 7 && !conf->authoritative)) { return DECLINED; } ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, "Authorization of user %s to access %s failed, reason: %s", r->user, r->uri, reason ? reason : "unknown"); ap_note_auth_failure(r); return HTTP_UNAUTHORIZED; }
APR_DECLARE(apr_status_t) apr_group_name_get(char **groupname, apr_gid_t groupid, apr_pool_t *p) { return apr_gid_name_get(groupname, groupid, p); }