BOOL lsp_remove(LSA_HANDLE lsa_handle, LPTSTR user, LPTSTR privilegeConstant)
{
LSA_ACCOUNT account;
NTSTATUS nt_status;
LSA_UNICODE_STRING privilege;
PSID sid;
BOOL success = TRUE;
if (!valid_privilege(&privilege, privilegeConstant))
return FALSE;
if (!valid_user(lsa_handle, &sid, user))
return FALSE;
if (!lsa_account_from_sid(lsa_handle, sid, &account))
{
FreeSid(sid);
return FALSE;
}
print_string(L"Removing %s from ", privilegeConstant);
print_account(&account);
print_string(L".\n");
nt_status = LsaRemoveAccountRights(lsa_handle, sid, FALSE, &privilege, 1);
if (nt_status != STATUS_SUCCESS)
{
FreeSid(sid);
return lsa_error(nt_status, L"LsaRemoveAccountRights");
}
FreeSid(sid);
return TRUE;
}
/*
* Account management. We want to verify that the account exists
* before returning PAM_SUCCESS
*/
PAM_EXTERN
int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
int argc, const char **argv)
{
const char *username;
int retval = PAM_USER_UNKNOWN;
/* parse arguments */
int ctrl = _pam_parse(argc, argv);
/* Get the username */
retval = pam_get_user(pamh, &username, NULL);
if ((retval != PAM_SUCCESS) || (!username)) {
if (ctrl & WINBIND_DEBUG_ARG)
_pam_log(LOG_DEBUG,"can not get the username");
return PAM_SERVICE_ERR;
}
/* Verify the username */
retval = valid_user(username);
switch (retval) {
case -1:
/* some sort of system error. The log was already printed */
return PAM_SERVICE_ERR;
case 1:
/* the user does not exist */
if (ctrl & WINBIND_DEBUG_ARG)
_pam_log(LOG_NOTICE, "user `%s' not found",
username);
if (ctrl & WINBIND_UNKNOWN_OK_ARG)
return PAM_IGNORE;
return PAM_USER_UNKNOWN;
case 0:
/* Otherwise, the authentication looked good */
_pam_log(LOG_NOTICE, "user '%s' granted access", username);
return PAM_SUCCESS;
default:
/* we don't know anything about this return value */
_pam_log(LOG_ERR, "internal module error (retval = %d, user = `%s'",
retval, username);
return PAM_SERVICE_ERR;
}
/* should not be reached */
return PAM_IGNORE;
}
BOOL lsp_list_by_user(LSA_HANDLE lsa_handle, LPTSTR user)
{
LSA_ACCOUNT account;
LSA_UNICODE_STRING* array;
ULONG count;
ULONG i;
NTSTATUS nt_status;
PSID sid;
if (!valid_user(lsa_handle, &sid, user))
return FALSE;
if (!lsa_account_from_sid(lsa_handle, sid, &account))
{
FreeSid(sid);
return FALSE;
}
print_string(L"Privileges for ");
print_account(&account);
print_string(L":\n");
nt_status = LsaEnumerateAccountRights(lsa_handle, sid, &array, &count);
if (nt_status != STATUS_SUCCESS)
{
FreeSid(sid);
return lsa_error(nt_status, L"LsaEnumerateAccountRights");
}
for(i=0; i<count; i++)
{
print_string(L" - ");
print_lsa_string(&array[i]);
print_string(L"\n");
}
LsaFreeMemory(array);
FreeSid(sid);
return TRUE;
}
int
get_mail(char *host, char *oboard, char *iboard)
{
int fd;
FILE *fp0;
int i;
struct sockaddr_in xs;
struct hostent *he;
char dir[80], file[80], buf[256], brk[80];
// file: 本地文件名, buf: 临时变量, brk: 分隔符.
servernow = host;
do_log("gethostbyname %s", host);
bzero((char *) &xs, sizeof (xs));
xs.sin_family = AF_INET;
if ((he = gethostbyname(host)) != NULL)
bcopy(he->h_addr, (char *) &xs.sin_addr, he->h_length);
else
xs.sin_addr.s_addr = inet_addr(host);
xs.sin_port = htons(PORT);
do_log("connecting %s", host);
fd = socket(AF_INET, SOCK_STREAM, 0);
fcntl(fd, F_SETFL, fcntl(fd, F_GETFL) | O_NONBLOCK);
if (connect(fd, (struct sockaddr *) &xs, sizeof (xs)) < 0) {
fd_set fds;
struct timeval timeout;
timeout.tv_sec = 10;
timeout.tv_usec = 0;
FD_ZERO(&fds);
FD_SET(fd, &fds);
if (select(fd + 1, NULL, &fds, NULL, &timeout) <= 0) {
do_log("can't connect to %s", host);
close(fd);
return;
}
if (connect(fd, (struct sockaddr *) &xs, sizeof (xs)) < 0) {
do_log("can't connect to %s", host);
close(fd);
return;
}
}
fcntl(fd, F_SETFL, fcntl(fd, F_GETFL) & ~O_NONBLOCK);
do_log("connected %s", host);
fp0 = fdopen(fd, "r+");
if (fgets(brk, 80, fp0) == 0)
goto E;
if (strlen(brk) < 10)
goto E;
fprintf(fp0, "select * from %s where dt < %d\n", oboard,
time(0) - last);
fflush(fp0);
do_log("SEND request %s %d", oboard, time(0) - last);
while (1) {
FILE *fp;
int t;
struct fileheader x;
char owner[256];
bzero(&x, sizeof (x));
do_log("reading...");
if (fgets(x.title, sizeof (x.title), fp0) == 0)
break;
if (fgets(owner, sizeof (owner), fp0) == 0)
break;
fh_setowner(&x, owner, 0);
check_str(x.title);
check_str(x.owner);
removetailspace(x.title);
do_log("%s", x.title);
sprintf(file, "boards/%s/", iboard);
t = trycreatefile(file, "M.%d.A", time(NULL), 100);
x.filetime = t;
do_log(file);
do_log(fh2fname(&x));
fp = fopen(file, "w");
while (1) {
if (fgets(buf, 255, fp0) == 0)
break;
if (!strcmp(buf, brk))
break;
fprintf(fp, "%s", buf);
}
fclose(fp);
if (!valid_user(x.owner)) {
unlink(file);
do_log("bad user: %s", x.owner);
continue;
}
fh_find_thread(&x, iboard);
sprintf(dir, "boards/%s/.DIR", iboard);
fd = open(dir, O_WRONLY | O_APPEND | O_CREAT, 0660);
write(fd, &x, sizeof (x));
close(fd);
do_log("updatelastpost %s", iboard);
updatelastpost(iboard);
};
E:fclose(fp0);
close(fd);
do_log("done");
}
static int mavis_send_in(mavis_ctx * mcx, av_ctx ** ac)
{
struct passwd *pw;
char *t, *u, *p, *m;
char buf[1024];
t = av_get(*ac, AV_A_TYPE);
u = av_get(*ac, AV_A_USER);
p = av_get(*ac, AV_A_PASSWORD);
if (strcmp(t, AV_V_TYPE_FTP))
return MAVIS_DOWN;
/* no VHOST support yet */
m = av_get(*ac, AV_A_FTP_ANONYMOUS);
if (m && !strcmp(m, AV_V_BOOL_TRUE))
return MAVIS_DOWN;
if (mcx->honour_ftpusers && !valid_user(mcx, u)) {
av_set(*ac, AV_A_COMMENT, "user found in ftpusers file");
av_set(*ac, AV_A_RESULT, AV_V_RESULT_FAIL);
return MAVIS_FINAL;
}
#ifdef HAVE_SHADOWPWD
if (!mcx->passwordfile) {
struct spwd *spw;
uid_t uid;
uid = geteuid();
seteuid(0);
spw = getspnam(u);
seteuid(uid);
if (!spw)
return MAVIS_DOWN;
if (strcmp(spw->sp_pwdp, mcx->crypt(p, spw->sp_pwdp))) {
av_set(*ac, AV_A_COMMENT, "password mismatch");
av_unset(*ac, AV_A_DBPASSWORD);
} else
av_set(*ac, AV_A_DBPASSWORD, p);
pw = getpwnam(u);
if (!pw) {
av_set(*ac, AV_A_COMMENT, "user not found in password file");
av_set(*ac, AV_A_RESULT, AV_V_RESULT_FAIL);
return MAVIS_FINAL;
}
} else
#endif /* HAVE_SHADOWPWD */
{
int f;
f = open(mcx->passwordfile, O_RDONLY);
if (f < 0) {
av_set(*ac, AV_A_COMMENT, "error opening password file");
av_set(*ac, AV_A_RESULT, AV_V_RESULT_ERROR);
return MAVIS_DOWN;
}
pw = get_pwent(mcx, f, u);
close(f);
if (!pw)
return MAVIS_DOWN;
#undef crypt /* may be set by openssl include stuff */
if (strcmp(pw->pw_passwd, mcx->crypt(p, pw->pw_passwd))) {
av_set(*ac, AV_A_COMMENT, "password mismatch");
av_unset(*ac, AV_A_DBPASSWORD);
} else
av_set(*ac, AV_A_DBPASSWORD, p);
}
if (mcx->require_valid_shell && (!pw->pw_shell || !valid_shell(mcx, pw->pw_shell))) {
av_set(*ac, AV_A_COMMENT, "invalid shell");
av_set(*ac, AV_A_RESULT, AV_V_RESULT_FAIL);
return MAVIS_FINAL;
}
if (!pw->pw_dir) {
av_set(*ac, AV_A_COMMENT, "home dir not set");
av_set(*ac, AV_A_RESULT, AV_V_RESULT_FAIL);
return MAVIS_FINAL;
}
av_setf(*ac, AV_A_UID, "%lu", (u_long) pw->pw_uid);
av_setf(*ac, AV_A_GID, "%lu", (u_long) pw->pw_gid);
/* attempt to get supplemental groups */
av_set(*ac, AV_A_GIDS, groups_getlist(pw->pw_name, pw->pw_gid, buf, sizeof(buf)));
if (mcx->ftp_chroot) {
char *tp = strstr(pw->pw_dir, "/./");
if (tp) {
*tp = 0;
av_set(*ac, AV_A_HOME, tp + 2);
} else
av_set(*ac, AV_A_HOME, "/");
av_set(*ac, AV_A_ROOT, pw->pw_dir);
} else {
av_set(*ac, AV_A_HOME, pw->pw_dir);
av_set(*ac, AV_A_ROOT, "/");
}
if (mcx->lookup_sslusers)
lookup_ssluser(mcx, *ac, u);
return MAVIS_FINAL;
}
// ----------------------------------------------------------------------------
int main(int argc, char *argv[])
{
xbuf_t *reply = get_reply(argv);
http_t *http = (void*)get_env(argv, HTTP_HEADERS);
// -------------------------------------------------------------------------
// here you could count repeated attempts from the same IP address and then
// take measures like blacklisting offenders (using G-WAN's TCP/IP firewall)
// -------------------------------------------------------------------------
// u32 client_ip = (u32)get_env(argv, REMOTE_BIN_ADDR); // binary
// char *client_ip = (char*)get_env(argv, REMOTE_ADDR); // string
// -------------------------------------------------------------------------
// first (unauthorized) client request or something went bad
// -------------------------------------------------------------------------
// /?auth_digest might be called by rogue clients, without G-WAN having
// received (and validated) an authorization request
if(http->h_auth_type != AUTH_BASIC)
goto ask_new_auth;
// -------------------------------------------------------------------------
// find the request parameters we need (auth_type is double-checked here
// but that's to show how to implement a generic valid_user() function
// aimed at being used with a database or an LDAP server)
// -------------------------------------------------------------------------
static char *auth_types[] =
{
[AUTH_BAD] = "",
[AUTH_ANY] = "*",
[AUTH_BASIC] = "Basic",
[AUTH_DIGEST] = "Digest",
[AUTH_SRP] = "SRP",
[AUTH_X509] = "x509"
};
if(http->h_auth_type < AUTH_BASIC // check before you lookup auth_types[]
|| http->h_auth_type > AUTH_X509)
http->h_auth_type = AUTH_BAD;
char *auth = auth_types[http->h_auth_type];
char *meth = (char*)get_env(argv, REQUEST); // "GET /?auth_digest"
char *uri = strchr(meth, ' '); // ^
if(uri) uri++; // pass space character
// -------------------------------------------------------------------------
// check if the user is authorized (if not, send 401)
// -------------------------------------------------------------------------
if(!valid_user(http->h_auth_user, http->h_auth_pwd, auth, uri, meth))
goto ask_new_auth;
// -------------------------------------------------------------------------
// user is authorized, produce contents, redirect to contents, etc.
// -------------------------------------------------------------------------
xbuf_xcat(reply, "<h1>Basic AUTHORIZATION</h1><p>Successfully authorized"
" user: <tt>'%s'</tt>, password: <tt>'%s'</tt></p>",
http->h_auth_user, http->h_auth_pwd);
return 200; // return an HTTP code (200:'OK')
// -------------------------------------------------------------------------
// first (unauthorized) client request or something went bad
// -------------------------------------------------------------------------
ask_new_auth:
// let G-WAN generate a 401 server reply with the authorization we want
http->h_auth_type = AUTH_BASIC;
return 401; // "401 Unauthorized"
}
