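bool DSAccessFile::CheckGroupMembership(const char* inUsername, const char* inGroupName)
{
	// In Tiger, group membership is painfully simple: we ask memberd for it!
	//
	// Resolve both names to POSIX ids, convert each id to the UUID memberd
	// works with, then ask memberd whether the user is in the group.  Every
	// lookup failure is reported as "not a member" (fail closed).
	//
	// inUsername  - account name to test; resolved with getpwnam().
	// inGroupName - group name to test against; resolved with getgrnam().
	// Returns true only when memberd reports membership, false on any error.
	//
	// NOTE(review): getpwnam()/getgrnam() hand back library-owned storage that
	// the next passwd/group call may overwrite, so the numeric ids are copied
	// out immediately and nothing else from those records is retained.  The
	// non-reentrant variants are also not safe to call concurrently; switch to
	// getpwnam_r()/getgrnam_r() if this can run on more than one thread —
	// TODO confirm the caller's threading model.
	uuid_t	userID;
	uuid_t	groupID;
	int		isMember = 0;

	// Look up the user using the POSIX APIs: only care about the UID.
	struct passwd *user = getpwnam(inUsername);
	if ( user == NULL )
		return false;
	uid_t uid = user->pw_uid;
	uuid_clear(userID);
	if ( mbr_uid_to_uuid(uid, userID) )
		return false;

	// Look up the group using the POSIX APIs: only care about the GID.
	// Copy the gid out *before* endgrent(): some libc implementations may
	// release or reuse the group record's storage once the database is closed.
	struct group *group = getgrnam(inGroupName);
	if ( group == NULL )
	{
		endgrent();
		return false;
	}
	gid_t gid = group->gr_gid;
	endgrent();
	uuid_clear(groupID);
	if ( mbr_gid_to_uuid(gid, groupID) )
		return false;

	// mbr_check_membership() returns 0 on success and error code on failure.
	if ( mbr_check_membership(userID, groupID, &isMember) )
		return false;
	return (bool)isMember;
}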
/*
 * Return TRUE if the user described by pw is a member of the named group,
 * FALSE otherwise (including when the group cannot be looked up).
 *
 * Membership is established, in order, by: the user's primary gid from the
 * passwd entry; memberd (mbr_check_membership) when available; otherwise the
 * invoking/list user's supplementary group vector (user_groups), or the
 * group's gr_mem list.  The group entry obtained from sudo_getgrnam() is
 * released with gr_delref() on every exit path via the `done` label.
 *
 * NOTE(review): user_name, user_uuid, user_ngroups, user_groups and list_pw
 * are file/module globals not visible here; presumably they describe the
 * invoking user (and the user being listed) — verify against their definitions.
 */
int
user_in_group(struct passwd *pw, const char *group)
{
#ifdef HAVE_MBR_CHECK_MEMBERSHIP
    uuid_t gu, uu;
    int ismember;
#else
    char **gr_mem;
    int i;
#endif
    struct group *grp;
    int retval = FALSE;

    /*
     * NOTE(review): on AIX the lookup is bracketed by aix_setauthdb() /
     * aix_restoreauthdb(); presumably this selects the authentication
     * database (registry) the user belongs to for the duration of the
     * getgrnam call — confirm against aix_setauthdb().
     */
#ifdef HAVE_SETAUTHDB
    aix_setauthdb(pw->pw_name);
#endif
    grp = sudo_getgrnam(group);
#ifdef HAVE_SETAUTHDB
    aix_restoreauthdb();
#endif
    if (grp == NULL)
	goto done;

    /* check against user's primary (passwd file) gid */
    if (grp->gr_gid == pw->pw_gid) {
	retval = TRUE;
	goto done;
    }

#ifdef HAVE_MBR_CHECK_MEMBERSHIP
    /* If we are matching the invoking user use the stashed uuid. */
    if (strcmp(pw->pw_name, user_name) == 0) {
	if (mbr_gid_to_uuid(grp->gr_gid, gu) == 0 &&
	    mbr_check_membership(user_uuid, gu, &ismember) == 0 && ismember) {
	    retval = TRUE;
	    goto done;
	}
    } else {
	/* Any other user: derive the uuid from the uid on the fly. */
	if (mbr_uid_to_uuid(pw->pw_uid, uu) == 0 &&
	    mbr_gid_to_uuid(grp->gr_gid, gu) == 0 &&
	    mbr_check_membership(uu, gu, &ismember) == 0 && ismember) {
	    retval = TRUE;
	    goto done;
	}
    }
#else /* HAVE_MBR_CHECK_MEMBERSHIP */
# ifdef HAVE_GETGROUPS
    /*
     * If we are matching the invoking or list user and that user has a
     * supplementary group vector, check it.
     */
    if (user_ngroups > 0 &&
	strcmp(pw->pw_name, list_pw ? list_pw->pw_name : user_name) == 0) {
	for (i = 0; i < user_ngroups; i++) {
	    if (grp->gr_gid == user_groups[i]) {
		retval = TRUE;
		goto done;
	    }
	}
    } else
# endif /* HAVE_GETGROUPS */
    {
	/*
	 * Fall back to the group's member list.  grp is already known to be
	 * non-NULL here (checked above); the extra test is redundant but harmless.
	 */
	if (grp != NULL && grp->gr_mem != NULL) {
	    for (gr_mem = grp->gr_mem; *gr_mem; gr_mem++) {
		if (strcmp(*gr_mem, pw->pw_name) == 0) {
		    retval = TRUE;
		    goto done;
		}
	    }
	}
    }
#endif /* HAVE_MBR_CHECK_MEMBERSHIP */

done:
    /* Drop the reference taken by sudo_getgrnam(). */
    if (grp != NULL)
	gr_delref(grp);
    return retval;
}
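/*
 * Command-line membership probe backed by the memberd APIs.
 *
 * Usage:  <prog> <user> [-s|-g] <name>
 *   -s <service>  ask mbr_check_service_membership() (the default when only
 *                 a name is given)
 *   -g <group>    ask mbr_check_membership() against the named group
 *
 * Exit status is 0 when the user is a member and 1 otherwise (including
 * usage errors and unresolvable user/group names), so the tool can be used
 * directly in shell conditionals.  printUsage() is defined elsewhere.
 */
int main (int argc, char * const argv[])
{
	const char *searchType;
	const char *groupOrServiceName;

	if ( argc == 4 )
	{
		searchType = argv[2];
		groupOrServiceName = argv[3];
	}
	else if ( argc == 3 )
	{
		// Single-name form defaults to a service check.
		searchType = "-s";
		groupOrServiceName = argv[2];
	}
	else
	{
		printUsage("Wrong number of arguments.");
		return 1;
	}

	uuid_t user;
	int result = mbr_user_name_to_uuid(argv[1], user);
	int isMember = 0;

	if ( result != 0 )
	{
		printf("Invalid user\n");
		return 1;
	}

	// Match the flag exactly: strncmp(..., 2) would also accept "-sfoo"/"-gbar".
	if ( strcmp(searchType, "-s") == 0 )
	{
		result = mbr_check_service_membership(user, groupOrServiceName, &isMember);

		// A result of 2 (ENOENT) is counted as "member" — presumably meaning
		// no access list exists for the service, so access is unrestricted.
		// NOTE(review): confirm against the mbr_check_service_membership
		// documentation before relying on this in an authorization decision.
		if ( ( isMember == 1 ) || ( result == 2 ) )
		{
			printf("Member (%i, %i)\n", isMember, result);
			return 0;
		}
		else
		{
			printf("Not a member (%i, %i)\n", isMember, result);
			return 1;
		}
	}
	else if ( strcmp(searchType, "-g") == 0 )
	{
		uuid_t group;
		result = mbr_group_name_to_uuid(groupOrServiceName, group);

		if ( result != 0 )
		{
			printf("Invalid group\n");
			return 1;
		}

		// Only a clean 0 return with isMember set counts; any error is
		// reported as "not a member" (fail closed).
		result = mbr_check_membership(user, group, &isMember);

		if ( ( result == 0 ) && ( isMember == 1 ) )
		{
			printf("Member (%i, %i)\n", isMember, result);
			return 0;
		}
		else
		{
			// Newline added so the line is not fused with the next shell prompt.
			printf("Not a member (%i, %i)\n", isMember, result);
			return 1;
		}
	}
	else
	{
		printUsage("Use -g to search for groups, or -s to search for a service.");
		return 1;
	}
}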