login_access.c revision 87628
12198Sguido /* 22198Sguido * This module implements a simple but effective form of login access 32198Sguido * control based on login names and on host (or domain) names, internet 42198Sguido * addresses (or network numbers), or on terminal line names in case of 52198Sguido * non-networked logins. Diagnostics are reported through syslog(3). 68874Srgrimes * 72198Sguido * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands. 82198Sguido */ 92198Sguido 102198Sguido#ifdef LOGIN_ACCESS 1187628Sdwmalone#if 0 122198Sguido#ifndef lint 1387628Sdwmalonestatic char sccsid[] = "%Z% %M% %I% %E% %U%"; 142198Sguido#endif 1587628Sdwmalone#endif 162198Sguido 1787628Sdwmalone#include <sys/cdefs.h> 1887628Sdwmalone__FBSDID("$FreeBSD: head/lib/libpam/modules/pam_login_access/login_access.c 87628 2001-12-10 21:13:08Z dwmalone $"); 1987628Sdwmalone 2087177Smarkm#include <sys/types.h> 212198Sguido#include <ctype.h> 2287177Smarkm#include <errno.h> 232198Sguido#include <grp.h> 2487177Smarkm#include <stdio.h> 2587177Smarkm#include <stdlib.h> 262198Sguido#include <string.h> 2787177Smarkm#include <syslog.h> 282198Sguido#include <unistd.h> 292198Sguido 3087173Smarkm#include "login.h" 312198Sguido#include "pathnames.h" 322198Sguido 332198Sguido /* Delimiters for fields and for lists of users, ttys or hosts. */ 342198Sguido 352198Sguidostatic char fs[] = ":"; /* field separator */ 362198Sguidostatic char sep[] = ", \t"; /* list-element separator */ 372198Sguido 382198Sguido /* Constants to be used in assignments only, not in comparisons... */ 392198Sguido 402198Sguido#define YES 1 412198Sguido#define NO 0 422198Sguido 4387177Smarkmstatic int from_match __P((char *, char *)); 4487177Smarkmstatic int list_match __P((char *, char *, int (*)(char *, char *))); 4587177Smarkmstatic int netgroup_match __P((char *, char *, char *)); 4687177Smarkmstatic int string_match __P((char *, char *)); 4787177Smarkmstatic int user_match __P((char *, char *)); 482198Sguido 492198Sguido/* login_access - match username/group and host/tty with access control file */ 502198Sguido 5122230Spstint 522198Sguidologin_access(user, from) 532198Sguidochar *user; 542198Sguidochar *from; 552198Sguido{ 562198Sguido FILE *fp; 572198Sguido char line[BUFSIZ]; 582198Sguido char *perm; /* becomes permission field */ 592198Sguido char *users; /* becomes list of login names */ 602198Sguido char *froms; /* becomes list of terminals or hosts */ 612198Sguido int match = NO; 622198Sguido int end; 632198Sguido int lineno = 0; /* for diagnostics */ 642198Sguido 652198Sguido /* 662198Sguido * Process the table one line at a time and stop at the first match. 672198Sguido * Blank lines and lines that begin with a '#' character are ignored. 682198Sguido * Non-comment lines are broken at the ':' character. All fields are 692198Sguido * mandatory. The first field should be a "+" or "-" character. A 702198Sguido * non-existing table means no access control. 712198Sguido */ 722198Sguido 7322230Spst if ((fp = fopen(_PATH_LOGACCESS, "r")) != NULL) { 742198Sguido while (!match && fgets(line, sizeof(line), fp)) { 752198Sguido lineno++; 762198Sguido if (line[end = strlen(line) - 1] != '\n') { 772198Sguido syslog(LOG_ERR, "%s: line %d: missing newline or line too long", 782198Sguido _PATH_LOGACCESS, lineno); 792198Sguido continue; 802198Sguido } 812198Sguido if (line[0] == '#') 822198Sguido continue; /* comment line */ 832198Sguido while (end > 0 && isspace(line[end - 1])) 842198Sguido end--; 852198Sguido line[end] = 0; /* strip trailing whitespace */ 862198Sguido if (line[0] == 0) /* skip blank lines */ 872198Sguido continue; 882198Sguido if (!(perm = strtok(line, fs)) 892198Sguido || !(users = strtok((char *) 0, fs)) 902198Sguido || !(froms = strtok((char *) 0, fs)) 912198Sguido || strtok((char *) 0, fs)) { 922198Sguido syslog(LOG_ERR, "%s: line %d: bad field count", _PATH_LOGACCESS, 932198Sguido lineno); 942198Sguido continue; 952198Sguido } 962198Sguido if (perm[0] != '+' && perm[0] != '-') { 972198Sguido syslog(LOG_ERR, "%s: line %d: bad first field", _PATH_LOGACCESS, 982198Sguido lineno); 992198Sguido continue; 1002198Sguido } 1012198Sguido match = (list_match(froms, from, from_match) 1022198Sguido && list_match(users, user, user_match)); 1032198Sguido } 1042198Sguido (void) fclose(fp); 1052198Sguido } else if (errno != ENOENT) { 1062198Sguido syslog(LOG_ERR, "cannot open %s: %m", _PATH_LOGACCESS); 1072198Sguido } 1082198Sguido return (match == 0 || (line[0] == '+')); 1092198Sguido} 1102198Sguido 1112198Sguido/* list_match - match an item against a list of tokens with exceptions */ 1122198Sguido 1132198Sguidostatic int list_match(list, item, match_fn) 1142198Sguidochar *list; 1152198Sguidochar *item; 11687173Smarkmint (*match_fn) __P((char *, char *)); 1172198Sguido{ 1182198Sguido char *tok; 1192198Sguido int match = NO; 1202198Sguido 1212198Sguido /* 1222198Sguido * Process tokens one at a time. We have exhausted all possible matches 1232198Sguido * when we reach an "EXCEPT" token or the end of the list. If we do find 1242198Sguido * a match, look for an "EXCEPT" list and recurse to determine whether 1252198Sguido * the match is affected by any exceptions. 1262198Sguido */ 1272198Sguido 1282198Sguido for (tok = strtok(list, sep); tok != 0; tok = strtok((char *) 0, sep)) { 1292198Sguido if (strcasecmp(tok, "EXCEPT") == 0) /* EXCEPT: give up */ 1302198Sguido break; 13122230Spst if ((match = (*match_fn)(tok, item)) != NULL) /* YES */ 1322198Sguido break; 1332198Sguido } 1342198Sguido /* Process exceptions to matches. */ 1352198Sguido 1362198Sguido if (match != NO) { 1372198Sguido while ((tok = strtok((char *) 0, sep)) && strcasecmp(tok, "EXCEPT")) 1382198Sguido /* VOID */ ; 1392198Sguido if (tok == 0 || list_match((char *) 0, item, match_fn) == NO) 1402198Sguido return (match); 1412198Sguido } 1422198Sguido return (NO); 1432198Sguido} 1442198Sguido 1452198Sguido/* netgroup_match - match group against machine or user */ 1462198Sguido 1472198Sguidostatic int netgroup_match(group, machine, user) 14887173Smarkmchar *group __unused; 14987173Smarkmchar *machine __unused; 15087173Smarkmchar *user __unused; 1512198Sguido{ 1522198Sguido syslog(LOG_ERR, "NIS netgroup support not configured"); 15322230Spst return 0; 1542198Sguido} 1552198Sguido 1562198Sguido/* user_match - match a username against one token */ 1572198Sguido 1582198Sguidostatic int user_match(tok, string) 1592198Sguidochar *tok; 1602198Sguidochar *string; 1612198Sguido{ 1622198Sguido struct group *group; 1632198Sguido int i; 1642198Sguido 1652198Sguido /* 1662198Sguido * If a token has the magic value "ALL" the match always succeeds. 1672198Sguido * Otherwise, return YES if the token fully matches the username, or if 1682198Sguido * the token is a group that contains the username. 1692198Sguido */ 1702198Sguido 1712198Sguido if (tok[0] == '@') { /* netgroup */ 1722198Sguido return (netgroup_match(tok + 1, (char *) 0, string)); 1732198Sguido } else if (string_match(tok, string)) { /* ALL or exact match */ 1742198Sguido return (YES); 17522230Spst } else if ((group = getgrnam(tok)) != NULL) {/* try group membership */ 1762198Sguido for (i = 0; group->gr_mem[i]; i++) 1772198Sguido if (strcasecmp(string, group->gr_mem[i]) == 0) 1782198Sguido return (YES); 1792198Sguido } 1802198Sguido return (NO); 1812198Sguido} 1822198Sguido 1832198Sguido/* from_match - match a host or tty against a list of tokens */ 1842198Sguido 1852198Sguidostatic int from_match(tok, string) 1862198Sguidochar *tok; 1872198Sguidochar *string; 1882198Sguido{ 1892198Sguido int tok_len; 1902198Sguido int str_len; 1912198Sguido 1922198Sguido /* 1932198Sguido * If a token has the magic value "ALL" the match always succeeds. Return 1942198Sguido * YES if the token fully matches the string. If the token is a domain 1952198Sguido * name, return YES if it matches the last fields of the string. If the 1962198Sguido * token has the magic value "LOCAL", return YES if the string does not 1972198Sguido * contain a "." character. If the token is a network number, return YES 1982198Sguido * if it matches the head of the string. 1992198Sguido */ 2002198Sguido 2012198Sguido if (tok[0] == '@') { /* netgroup */ 2022198Sguido return (netgroup_match(tok + 1, string, (char *) 0)); 2032198Sguido } else if (string_match(tok, string)) { /* ALL or exact match */ 2042198Sguido return (YES); 2052198Sguido } else if (tok[0] == '.') { /* domain: match last fields */ 2062198Sguido if ((str_len = strlen(string)) > (tok_len = strlen(tok)) 2072198Sguido && strcasecmp(tok, string + str_len - tok_len) == 0) 2082198Sguido return (YES); 2092198Sguido } else if (strcasecmp(tok, "LOCAL") == 0) { /* local: no dots */ 2102198Sguido if (strchr(string, '.') == 0) 2112198Sguido return (YES); 2122198Sguido } else if (tok[(tok_len = strlen(tok)) - 1] == '.' /* network */ 2132198Sguido && strncmp(tok, string, tok_len) == 0) { 2142198Sguido return (YES); 2152198Sguido } 2162198Sguido return (NO); 2172198Sguido} 2182198Sguido 2192198Sguido/* string_match - match a string against one token */ 2202198Sguido 2212198Sguidostatic int string_match(tok, string) 2222198Sguidochar *tok; 2232198Sguidochar *string; 2242198Sguido{ 2252198Sguido 2262198Sguido /* 2272198Sguido * If the token has the magic value "ALL" the match always succeeds. 2282198Sguido * Otherwise, return YES if the token fully matches the string. 2292198Sguido */ 2302198Sguido 2312198Sguido if (strcasecmp(tok, "ALL") == 0) { /* all: always matches */ 2322198Sguido return (YES); 2332198Sguido } else if (strcasecmp(tok, string) == 0) { /* try exact match */ 2342198Sguido return (YES); 2352198Sguido } 2362198Sguido return (NO); 2372198Sguido} 2382198Sguido#endif /* LOGIN_ACCES */ 239