gboolean in_admin_group(void) { int is_admin, is_sudo; // we consider the user an admin if the user is in the "sudo" or "admin" // group or neither of these groups exist is_admin = user_in_group("admin"); is_sudo = user_in_group("sudo"); return is_admin == 1 || is_sudo == 1 || (is_admin + is_sudo == 4); }
void check_user(void) { uid_t uid; gid_t gid; struct passwd *pwd; struct group *grp; gid = (gid_t)file_read_ulong(PROCHUGETLBGROUP, NULL); grp = getgrgid(gid); if (!grp) { printf("\n"); WARNING("Group ID %d in hugetlb_shm_group doesn't appear to be a valid group!\n", gid); return; } uid = getuid(); pwd = getpwuid(uid); /* Don't segfault if user does not have a passwd entry. */ if (!pwd) { printf("\n"); WARNING("User uid %d is not in the password file!\n", uid); return; } if (gid != pwd->pw_gid && !user_in_group(grp->gr_mem, pwd->pw_name) && uid != 0) { printf("\n"); WARNING("User %s (uid: %d) is not a member of the hugetlb_shm_group %s (gid: %d)!\n", pwd->pw_name, uid, grp->gr_name, gid); } else { printf("\n"); printf("To make your hugetlb_shm_group settings persistent, add the following line to /etc/sysctl.conf:\n"); printf(" vm.hugetlb_shm_group = %d\n", gid); } }
/* * Checks if the user is exempt from supplying a password. */ bool user_is_exempt(void) { bool rval = false; debug_decl(user_is_exempt, SUDO_DEBUG_AUTH) if (def_exempt_group) rval = user_in_group(sudo_user.pw, def_exempt_group); debug_return_bool(rval); }
/* * Returns true if the user successfully authenticates, false if not * or -1 on error. */ int check_user(int validated, int mode) { struct passwd *auth_pw; int rval = -1; debug_decl(check_user, SUDOERS_DEBUG_AUTH) /* * Init authentication system regardless of whether we need a password. * Required for proper PAM session support. */ if ((auth_pw = get_authpw(mode)) == NULL) goto done; if (sudo_auth_init(auth_pw) == -1) goto done; /* * Don't prompt for the root passwd or if the user is exempt. * If the user is not changing uid/gid, no need for a password. */ if (!def_authenticate || user_is_exempt()) { rval = true; goto done; } if (user_uid == 0 || (user_uid == runas_pw->pw_uid && (!runas_gr || user_in_group(sudo_user.pw, runas_gr->gr_name)))) { #ifdef HAVE_SELINUX if (user_role == NULL && user_type == NULL) #endif #ifdef HAVE_PRIV_SET if (runas_privs == NULL && runas_limitprivs == NULL) #endif { rval = true; goto done; } } rval = check_user_interactive(validated, mode, auth_pw); done: sudo_auth_cleanup(auth_pw); sudo_pw_delref(auth_pw); debug_return_bool(rval); }
BOOL user_in_list(const char *user,const char **list) { if (!list || !*list) return False; DEBUG(10,("user_in_list: checking user %s in list\n", user)); while (*list) { DEBUG(10,("user_in_list: checking user |%s| against |%s|\n", user, *list)); /* * Check raw username. */ if (strequal(user, *list)) return(True); /* * Now check to see if any combination * of UNIX and netgroups has been specified. */ if(**list == '@') { /* * Old behaviour. Check netgroup list * followed by UNIX list. */ if(user_in_netgroup(user, *list +1)) return True; if(user_in_group(user, *list +1)) return True; } else if (**list == '+') { if((*(*list +1)) == '&') { /* * Search UNIX list followed by netgroup. */ if(user_in_group(user, *list +2)) return True; if(user_in_netgroup(user, *list +2)) return True; } else { /* * Just search UNIX list. */ if(user_in_group(user, *list +1)) return True; } } else if (**list == '&') { if(*(*list +1) == '+') { /* * Search netgroup list followed by UNIX list. */ if(user_in_netgroup(user, *list +2)) return True; if(user_in_group(user, *list +2)) return True; } else { /* * Just search netgroup list. */ if(user_in_netgroup(user, *list +1)) return True; } } list++; } return(False); }
static NTSTATUS sam_account_ok(TALLOC_CTX *mem_ctx, struct samu *sampass, const auth_usersupplied_info *user_info) { uint32 acct_ctrl = pdb_get_acct_ctrl(sampass); char *workstation_list; time_t kickoff_time; DEBUG(4,("sam_account_ok: Checking SMB password for user %s\n",pdb_get_username(sampass))); /* Quit if the account was disabled. */ if (acct_ctrl & ACB_DISABLED) { DEBUG(1,("sam_account_ok: Account for user '%s' was disabled.\n", pdb_get_username(sampass))); return NT_STATUS_ACCOUNT_DISABLED; } /* Quit if the account was locked out. */ if (acct_ctrl & ACB_AUTOLOCK) { DEBUG(1,("sam_account_ok: Account for user %s was locked out.\n", pdb_get_username(sampass))); return NT_STATUS_ACCOUNT_LOCKED_OUT; } /* Quit if the account is not allowed to logon at this time. */ if (! logon_hours_ok(sampass)) { return NT_STATUS_INVALID_LOGON_HOURS; } /* Test account expire time */ kickoff_time = pdb_get_kickoff_time(sampass); if (kickoff_time != 0 && time(NULL) > kickoff_time) { DEBUG(1,("sam_account_ok: Account for user '%s' has expired.\n", pdb_get_username(sampass))); DEBUG(3,("sam_account_ok: Account expired at '%ld' unix time.\n", (long)kickoff_time)); return NT_STATUS_ACCOUNT_EXPIRED; } if (!(pdb_get_acct_ctrl(sampass) & ACB_PWNOEXP) && !(pdb_get_acct_ctrl(sampass) & ACB_PWNOTREQ)) { time_t must_change_time = pdb_get_pass_must_change_time(sampass); time_t last_set_time = pdb_get_pass_last_set_time(sampass); /* check for immediate expiry "must change at next logon" * for a user account. */ if (((acct_ctrl & (ACB_WSTRUST|ACB_SVRTRUST)) == 0) && (last_set_time == 0)) { DEBUG(1,("sam_account_ok: Account for user '%s' password must change!.\n", pdb_get_username(sampass))); return NT_STATUS_PASSWORD_MUST_CHANGE; } /* check for expired password */ if (must_change_time < time(NULL) && must_change_time != 0) { DEBUG(1,("sam_account_ok: Account for user '%s' password expired!.\n", pdb_get_username(sampass))); DEBUG(1,("sam_account_ok: Password expired at '%s' (%ld) unix time.\n", http_timestring(must_change_time), (long)must_change_time)); return NT_STATUS_PASSWORD_EXPIRED; } } /* Test workstation. Workstation list is comma separated. */ workstation_list = talloc_strdup(mem_ctx, pdb_get_workstations(sampass)); if (!workstation_list) return NT_STATUS_NO_MEMORY; if (*workstation_list) { BOOL invalid_ws = True; fstring tok; const char *s = workstation_list; const char *machine_name = talloc_asprintf(mem_ctx, "%s$", user_info->wksta_name); if (machine_name == NULL) return NT_STATUS_NO_MEMORY; while (next_token(&s, tok, ",", sizeof(tok))) { DEBUG(10,("sam_account_ok: checking for workstation match %s and %s\n", tok, user_info->wksta_name)); if(strequal(tok, user_info->wksta_name)) { invalid_ws = False; break; } if (tok[0] == '+') { DEBUG(10,("sam_account_ok: checking for workstation %s in group: %s\n", machine_name, tok + 1)); if (user_in_group(machine_name, tok + 1)) { invalid_ws = False; break; } } } if (invalid_ws) return NT_STATUS_INVALID_WORKSTATION; } if (acct_ctrl & ACB_DOMTRUST) { DEBUG(2,("sam_account_ok: Domain trust account %s denied by server\n", pdb_get_username(sampass))); return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT; } if (acct_ctrl & ACB_SVRTRUST) { if (!(user_info->logon_parameters & MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT)) { DEBUG(2,("sam_account_ok: Server trust account %s denied by server\n", pdb_get_username(sampass))); return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT; } } if (acct_ctrl & ACB_WSTRUST) { if (!(user_info->logon_parameters & MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT)) { DEBUG(2,("sam_account_ok: Wksta trust account %s denied by server\n", pdb_get_username(sampass))); return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT; } } return NT_STATUS_OK; }
/* * Returns true if the user successfully authenticates, false if not * or -1 on error. */ int check_user(int validated, int mode) { struct passwd *auth_pw; char *timestampdir = NULL; char *timestampfile = NULL; char *prompt; struct stat sb; int status, rval = true; debug_decl(check_user, SUDO_DEBUG_AUTH) /* * Init authentication system regardless of whether we need a password. * Required for proper PAM session support. */ auth_pw = get_authpw(); if (sudo_auth_init(auth_pw) == -1) { rval = -1; goto done; } /* * Don't prompt for the root passwd or if the user is exempt. * If the user is not changing uid/gid, no need for a password. */ if (!def_authenticate || user_uid == 0 || user_is_exempt()) goto done; if (user_uid == runas_pw->pw_uid && (!runas_gr || user_in_group(sudo_user.pw, runas_gr->gr_name))) { #ifdef HAVE_SELINUX if (user_role == NULL && user_type == NULL) #endif #ifdef HAVE_PRIV_SET if (runas_privs == NULL && runas_limitprivs == NULL) #endif goto done; } /* Always need a password when -k was specified with the command. */ if (ISSET(mode, MODE_IGNORE_TICKET)) SET(validated, FLAG_CHECK_USER); /* Stash the tty's ctime for tty ticket comparison. */ if (def_tty_tickets && user_ttypath && stat(user_ttypath, &sb) == 0) { tty_info.dev = sb.st_dev; tty_info.ino = sb.st_ino; tty_info.rdev = sb.st_rdev; if (tty_is_devpts(user_ttypath)) ctim_get(&sb, &tty_info.ctime); } if (build_timestamp(×tampdir, ×tampfile) == -1) { rval = -1; goto done; } status = timestamp_status(timestampdir, timestampfile, user_name, TS_MAKE_DIRS); if (status != TS_CURRENT || ISSET(validated, FLAG_CHECK_USER)) { /* Bail out if we are non-interactive and a password is required */ if (ISSET(mode, MODE_NONINTERACTIVE)) { validated |= FLAG_NON_INTERACTIVE; log_auth_failure(validated, 0); rval = -1; goto done; } /* XXX - should not lecture if askpass helper is being used. */ lecture(status); /* Expand any escapes in the prompt. */ prompt = expand_prompt(user_prompt ? user_prompt : def_passprompt, user_name, user_shost); rval = verify_user(auth_pw, prompt, validated); } /* Only update timestamp if user was validated. */ if (rval == true && ISSET(validated, VALIDATE_OK) && !ISSET(mode, MODE_IGNORE_TICKET) && status != TS_ERROR) update_timestamp(timestampdir, timestampfile); efree(timestampdir); efree(timestampfile); done: sudo_auth_cleanup(auth_pw); sudo_pw_delref(auth_pw); debug_return_bool(rval); }