login_cap.c revision 170713
1/*- 2 * Copyright (c) 1996 by 3 * Sean Eric Fagan <sef@kithrup.com> 4 * David Nugent <davidn@blaze.net.au> 5 * All rights reserved. 6 * 7 * Portions copyright (c) 1995,1997 8 * Berkeley Software Design, Inc. 9 * All rights reserved. 10 * 11 * Redistribution and use in source and binary forms, with or without 12 * modification, is permitted provided that the following conditions 13 * are met: 14 * 1. Redistributions of source code must retain the above copyright 15 * notice immediately at the beginning of the file, without modification, 16 * this list of conditions, and the following disclaimer. 17 * 2. Redistributions in binary form must reproduce the above copyright 18 * notice, this list of conditions and the following disclaimer in the 19 * documentation and/or other materials provided with the distribution. 20 * 3. This work was done expressly for inclusion into FreeBSD. Other use 21 * is permitted provided this notation is included. 22 * 4. Absolutely no warranty of function or purpose is made by the authors. 23 * 5. Modifications may be freely made to this file providing the above 24 * conditions are met. 25 * 26 * Low-level routines relating to the user capabilities database 27 */ 28 29#include <sys/cdefs.h> 30__FBSDID("$FreeBSD: head/lib/libutil/login_cap.c 170713 2007-06-14 06:42:49Z yar $"); 31 32#include <sys/types.h> 33#include <sys/time.h> 34#include <sys/resource.h> 35#include <sys/param.h> 36#include <errno.h> 37#include <fcntl.h> 38#include <libutil.h> 39#include <login_cap.h> 40#include <pwd.h> 41#include <stdio.h> 42#include <stdlib.h> 43#include <string.h> 44#include <syslog.h> 45#include <unistd.h> 46 47/* 48 * allocstr() 49 * Manage a single static pointer for handling a local char* buffer, 50 * resizing as necessary to contain the string. 51 * 52 * allocarray() 53 * Manage a static array for handling a group of strings, resizing 54 * when necessary. 55 */ 56 57static int lc_object_count = 0; 58 59static size_t internal_stringsz = 0; 60static char * internal_string = NULL; 61static size_t internal_arraysz = 0; 62static const char ** internal_array = NULL; 63 64static char * 65allocstr(const char *str) 66{ 67 char *p; 68 69 size_t sz = strlen(str) + 1; /* realloc() only if necessary */ 70 if (sz <= internal_stringsz) 71 p = strcpy(internal_string, str); 72 else if ((p = realloc(internal_string, sz)) != NULL) { 73 internal_stringsz = sz; 74 internal_string = strcpy(p, str); 75 } 76 return p; 77} 78 79 80static const char ** 81allocarray(size_t sz) 82{ 83 static const char **p; 84 85 if (sz <= internal_arraysz) 86 p = internal_array; 87 else if ((p = realloc(internal_array, sz * sizeof(char*))) != NULL) { 88 internal_arraysz = sz; 89 internal_array = p; 90 } 91 return p; 92} 93 94 95/* 96 * arrayize() 97 * Turn a simple string <str> separated by any of 98 * the set of <chars> into an array. The last element 99 * of the array will be NULL, as is proper. 100 * Free using freearraystr() 101 */ 102 103static const char ** 104arrayize(const char *str, const char *chars, int *size) 105{ 106 int i; 107 char *ptr; 108 const char *cptr; 109 const char **res = NULL; 110 111 /* count the sub-strings */ 112 for (i = 0, cptr = str; *cptr; i++) { 113 int count = strcspn(cptr, chars); 114 cptr += count; 115 if (*cptr) 116 ++cptr; 117 } 118 119 /* alloc the array */ 120 if ((ptr = allocstr(str)) != NULL) { 121 if ((res = allocarray(++i)) == NULL) 122 free((void *)(uintptr_t)(const void *)str); 123 else { 124 /* now split the string */ 125 i = 0; 126 while (*ptr) { 127 int count = strcspn(ptr, chars); 128 res[i++] = ptr; 129 ptr += count; 130 if (*ptr) 131 *ptr++ = '\0'; 132 } 133 res[i] = NULL; 134 } 135 } 136 137 if (size) 138 *size = i; 139 140 return res; 141} 142 143 144/* 145 * login_close() 146 * Frees up all resources relating to a login class 147 * 148 */ 149 150void 151login_close(login_cap_t * lc) 152{ 153 if (lc) { 154 free(lc->lc_style); 155 free(lc->lc_class); 156 free(lc->lc_cap); 157 free(lc); 158 if (--lc_object_count == 0) { 159 free(internal_string); 160 free(internal_array); 161 internal_array = NULL; 162 internal_arraysz = 0; 163 internal_string = NULL; 164 internal_stringsz = 0; 165 cgetclose(); 166 } 167 } 168} 169 170 171/* 172 * login_getclassbyname() 173 * Get the login class by its name. 174 * If the name given is NULL or empty, the default class 175 * LOGIN_DEFCLASS (i.e., "default") is fetched. 176 * If the name given is LOGIN_MECLASS and 177 * 'pwd' argument is non-NULL and contains an non-NULL 178 * dir entry, then the file _FILE_LOGIN_CONF is picked 179 * up from that directory and used before the system 180 * login database. In that case the system login database 181 * is looked up using LOGIN_MECLASS, too, which is a bug. 182 * Return a filled-out login_cap_t structure, including 183 * class name, and the capability record buffer. 184 */ 185 186login_cap_t * 187login_getclassbyname(char const *name, const struct passwd *pwd) 188{ 189 login_cap_t *lc; 190 191 if ((lc = malloc(sizeof(login_cap_t))) != NULL) { 192 int r, me, i = 0; 193 uid_t euid = 0; 194 gid_t egid = 0; 195 const char *msg = NULL; 196 const char *dir; 197 char userpath[MAXPATHLEN]; 198 199 static char *login_dbarray[] = { NULL, NULL, NULL }; 200 201 me = (name != NULL && strcmp(name, LOGIN_MECLASS) == 0); 202 dir = (!me || pwd == NULL) ? NULL : pwd->pw_dir; 203 /* 204 * Switch to user mode before checking/reading its ~/.login_conf 205 * - some NFSes have root read access disabled. 206 * 207 * XXX: This fails to configure additional groups. 208 */ 209 if (dir) { 210 euid = geteuid(); 211 egid = getegid(); 212 (void)setegid(pwd->pw_gid); 213 (void)seteuid(pwd->pw_uid); 214 } 215 216 if (dir && snprintf(userpath, MAXPATHLEN, "%s/%s", dir, 217 _FILE_LOGIN_CONF) < MAXPATHLEN) { 218 login_dbarray[i] = userpath; 219 if (_secure_path(userpath, pwd->pw_uid, pwd->pw_gid) != -1) 220 i++; /* only use 'secure' data */ 221 } 222 /* 223 * XXX: Why to add the system database if the class is `me'? 224 */ 225 if (_secure_path(_PATH_LOGIN_CONF, 0, 0) != -1) 226 login_dbarray[i++] = _PATH_LOGIN_CONF; 227 login_dbarray[i] = NULL; 228 229 memset(lc, 0, sizeof(login_cap_t)); 230 lc->lc_cap = lc->lc_class = lc->lc_style = NULL; 231 232 if (name == NULL || *name == '\0') 233 name = LOGIN_DEFCLASS; 234 235 switch (cgetent(&lc->lc_cap, login_dbarray, name)) { 236 case -1: /* Failed, entry does not exist */ 237 if (me) 238 break; /* Don't retry default on 'me' */ 239 if (i == 0) 240 r = -1; 241 else if ((r = open(login_dbarray[0], O_RDONLY)) >= 0) 242 close(r); 243 /* 244 * If there's at least one login class database, 245 * and we aren't searching for a default class 246 * then complain about a non-existent class. 247 */ 248 if (r >= 0 || strcmp(name, LOGIN_DEFCLASS) != 0) 249 syslog(LOG_ERR, "login_getclass: unknown class '%s'", name); 250 /* fall-back to default class */ 251 name = LOGIN_DEFCLASS; 252 msg = "%s: no default/fallback class '%s'"; 253 if (cgetent(&lc->lc_cap, login_dbarray, name) != 0 && r >= 0) 254 break; 255 /* FALLTHROUGH - just return system defaults */ 256 case 0: /* success! */ 257 if ((lc->lc_class = strdup(name)) != NULL) { 258 if (dir) { 259 (void)seteuid(euid); 260 (void)setegid(egid); 261 } 262 ++lc_object_count; 263 return lc; 264 } 265 msg = "%s: strdup: %m"; 266 break; 267 case -2: 268 msg = "%s: retrieving class information: %m"; 269 break; 270 case -3: 271 msg = "%s: 'tc=' reference loop '%s'"; 272 break; 273 case 1: 274 msg = "couldn't resolve 'tc=' reference in '%s'"; 275 break; 276 default: 277 msg = "%s: unexpected cgetent() error '%s': %m"; 278 break; 279 } 280 if (dir) { 281 (void)seteuid(euid); 282 (void)setegid(egid); 283 } 284 if (msg != NULL) 285 syslog(LOG_ERR, msg, "login_getclass", name); 286 free(lc); 287 } 288 289 return NULL; 290} 291 292 293 294/* 295 * login_getclass() 296 * Get the login class for the system (only) login class database. 297 * Return a filled-out login_cap_t structure, including 298 * class name, and the capability record buffer. 299 */ 300 301login_cap_t * 302login_getclass(const char *cls) 303{ 304 return login_getclassbyname(cls, NULL); 305} 306 307 308/* 309 * login_getpwclass() 310 * Get the login class for a given password entry from 311 * the system (only) login class database. 312 * If the password entry's class field is not set, or 313 * the class specified does not exist, then use the 314 * default of LOGIN_DEFCLASS (i.e., "default") for an unprivileged 315 * user or that of LOGIN_DEFROOTCLASS (i.e., "root") for a super-user. 316 * Return a filled-out login_cap_t structure, including 317 * class name, and the capability record buffer. 318 */ 319 320login_cap_t * 321login_getpwclass(const struct passwd *pwd) 322{ 323 const char *cls = NULL; 324 325 if (pwd != NULL) { 326 cls = pwd->pw_class; 327 if (cls == NULL || *cls == '\0') 328 cls = (pwd->pw_uid == 0) ? LOGIN_DEFROOTCLASS : LOGIN_DEFCLASS; 329 } 330 /* 331 * XXX: pwd should be unused by login_getclassbyname() unless cls is `me', 332 * so NULL can be passed instead of pwd for more safety. 333 */ 334 return login_getclassbyname(cls, pwd); 335} 336 337 338/* 339 * login_getuserclass() 340 * Get the `me' login class, allowing user overrides via ~/.login_conf. 341 * Note that user overrides are allowed only in the `me' class. 342 */ 343 344login_cap_t * 345login_getuserclass(const struct passwd *pwd) 346{ 347 return login_getclassbyname(LOGIN_MECLASS, pwd); 348} 349 350 351/* 352 * login_getcapstr() 353 * Given a login_cap entry, and a capability name, return the 354 * value defined for that capability, a default if not found, or 355 * an error string on error. 356 */ 357 358const char * 359login_getcapstr(login_cap_t *lc, const char *cap, const char *def, const char *error) 360{ 361 char *res; 362 int ret; 363 364 if (lc == NULL || cap == NULL || lc->lc_cap == NULL || *cap == '\0') 365 return def; 366 367 if ((ret = cgetstr(lc->lc_cap, cap, &res)) == -1) 368 return def; 369 return (ret >= 0) ? res : error; 370} 371 372 373/* 374 * login_getcaplist() 375 * Given a login_cap entry, and a capability name, return the 376 * value defined for that capability split into an array of 377 * strings. 378 */ 379 380const char ** 381login_getcaplist(login_cap_t *lc, const char *cap, const char *chars) 382{ 383 const char *lstring; 384 385 if (chars == NULL) 386 chars = ", \t"; 387 if ((lstring = login_getcapstr(lc, cap, NULL, NULL)) != NULL) 388 return arrayize(lstring, chars, NULL); 389 return NULL; 390} 391 392 393/* 394 * login_getpath() 395 * From the login_cap_t <lc>, get the capability <cap> which is 396 * formatted as either a space or comma delimited list of paths 397 * and append them all into a string and separate by semicolons. 398 * If there is an error of any kind, return <error>. 399 */ 400 401const char * 402login_getpath(login_cap_t *lc, const char *cap, const char *error) 403{ 404 const char *str; 405 char *ptr; 406 int count; 407 408 str = login_getcapstr(lc, cap, NULL, NULL); 409 if (str == NULL) 410 return error; 411 ptr = __DECONST(char *, str); /* XXXX Yes, very dodgy */ 412 while (*ptr) { 413 count = strcspn(ptr, ", \t"); 414 ptr += count; 415 if (*ptr) 416 *ptr++ = ':'; 417 } 418 return str; 419} 420 421 422static int 423isinfinite(const char *s) 424{ 425 static const char *infs[] = { 426 "infinity", 427 "inf", 428 "unlimited", 429 "unlimit", 430 "-1", 431 NULL 432 }; 433 const char **i = &infs[0]; 434 435 while (*i != NULL) { 436 if (strcasecmp(s, *i) == 0) 437 return 1; 438 ++i; 439 } 440 return 0; 441} 442 443 444static u_quad_t 445rmultiply(u_quad_t n1, u_quad_t n2) 446{ 447 u_quad_t m, r; 448 int b1, b2; 449 450 static int bpw = 0; 451 452 /* Handle simple cases */ 453 if (n1 == 0 || n2 == 0) 454 return 0; 455 if (n1 == 1) 456 return n2; 457 if (n2 == 1) 458 return n1; 459 460 /* 461 * sizeof() returns number of bytes needed for storage. 462 * This may be different from the actual number of useful bits. 463 */ 464 if (!bpw) { 465 bpw = sizeof(u_quad_t) * 8; 466 while (((u_quad_t)1 << (bpw-1)) == 0) 467 --bpw; 468 } 469 470 /* 471 * First check the magnitude of each number. If the sum of the 472 * magnatude is way to high, reject the number. (If this test 473 * is not done then the first multiply below may overflow.) 474 */ 475 for (b1 = bpw; (((u_quad_t)1 << (b1-1)) & n1) == 0; --b1) 476 ; 477 for (b2 = bpw; (((u_quad_t)1 << (b2-1)) & n2) == 0; --b2) 478 ; 479 if (b1 + b2 - 2 > bpw) { 480 errno = ERANGE; 481 return (UQUAD_MAX); 482 } 483 484 /* 485 * Decompose the multiplication to be: 486 * h1 = n1 & ~1 487 * h2 = n2 & ~1 488 * l1 = n1 & 1 489 * l2 = n2 & 1 490 * (h1 + l1) * (h2 + l2) 491 * (h1 * h2) + (h1 * l2) + (l1 * h2) + (l1 * l2) 492 * 493 * Since h1 && h2 do not have the low bit set, we can then say: 494 * 495 * (h1>>1 * h2>>1 * 4) + ... 496 * 497 * So if (h1>>1 * h2>>1) > (1<<(bpw - 2)) then the result will 498 * overflow. 499 * 500 * Finally, if MAX - ((h1 * l2) + (l1 * h2) + (l1 * l2)) < (h1*h2) 501 * then adding in residual amout will cause an overflow. 502 */ 503 504 m = (n1 >> 1) * (n2 >> 1); 505 if (m >= ((u_quad_t)1 << (bpw-2))) { 506 errno = ERANGE; 507 return (UQUAD_MAX); 508 } 509 m *= 4; 510 511 r = (n1 & n2 & 1) 512 + (n2 & 1) * (n1 & ~(u_quad_t)1) 513 + (n1 & 1) * (n2 & ~(u_quad_t)1); 514 515 if ((u_quad_t)(m + r) < m) { 516 errno = ERANGE; 517 return (UQUAD_MAX); 518 } 519 m += r; 520 521 return (m); 522} 523 524 525/* 526 * login_getcaptime() 527 * From the login_cap_t <lc>, get the capability <cap>, which is 528 * formatted as a time (e.g., "<cap>=10h3m2s"). If <cap> is not 529 * present in <lc>, return <def>; if there is an error of some kind, 530 * return <error>. 531 */ 532 533rlim_t 534login_getcaptime(login_cap_t *lc, const char *cap, rlim_t def, rlim_t error) 535{ 536 char *res, *ep, *oval; 537 int r; 538 rlim_t tot; 539 540 errno = 0; 541 if (lc == NULL || lc->lc_cap == NULL) 542 return def; 543 544 /* 545 * Look for <cap> in lc_cap. 546 * If it's not there (-1), return <def>. 547 * If there's an error, return <error>. 548 */ 549 550 if ((r = cgetstr(lc->lc_cap, cap, &res)) == -1) 551 return def; 552 else if (r < 0) { 553 errno = ERANGE; 554 return error; 555 } 556 557 /* "inf" and "infinity" are special cases */ 558 if (isinfinite(res)) 559 return RLIM_INFINITY; 560 561 /* 562 * Now go through the string, turning something like 1h2m3s into 563 * an integral value. Whee. 564 */ 565 566 errno = 0; 567 tot = 0; 568 oval = res; 569 while (*res) { 570 rlim_t tim = strtoq(res, &ep, 0); 571 rlim_t mult = 1; 572 573 if (ep == NULL || ep == res || errno != 0) { 574 invalid: 575 syslog(LOG_WARNING, "login_getcaptime: class '%s' bad value %s=%s", 576 lc->lc_class, cap, oval); 577 errno = ERANGE; 578 return error; 579 } 580 /* Look for suffixes */ 581 switch (*ep++) { 582 case 0: 583 ep--; 584 break; /* end of string */ 585 case 's': case 'S': /* seconds */ 586 break; 587 case 'm': case 'M': /* minutes */ 588 mult = 60; 589 break; 590 case 'h': case 'H': /* hours */ 591 mult = 60L * 60L; 592 break; 593 case 'd': case 'D': /* days */ 594 mult = 60L * 60L * 24L; 595 break; 596 case 'w': case 'W': /* weeks */ 597 mult = 60L * 60L * 24L * 7L; 598 break; 599 case 'y': case 'Y': /* 365-day years */ 600 mult = 60L * 60L * 24L * 365L; 601 break; 602 default: 603 goto invalid; 604 } 605 res = ep; 606 tot += rmultiply(tim, mult); 607 if (errno) 608 goto invalid; 609 } 610 611 return tot; 612} 613 614 615/* 616 * login_getcapnum() 617 * From the login_cap_t <lc>, extract the numerical value <cap>. 618 * If it is not present, return <def> for a default, and return 619 * <error> if there is an error. 620 * Like login_getcaptime(), only it only converts to a number, not 621 * to a time; "infinity" and "inf" are 'special.' 622 */ 623 624rlim_t 625login_getcapnum(login_cap_t *lc, const char *cap, rlim_t def, rlim_t error) 626{ 627 char *ep, *res; 628 int r; 629 rlim_t val; 630 631 if (lc == NULL || lc->lc_cap == NULL) 632 return def; 633 634 /* 635 * For BSDI compatibility, try for the tag=<val> first 636 */ 637 if ((r = cgetstr(lc->lc_cap, cap, &res)) == -1) { 638 long lval; 639 /* string capability not present, so try for tag#<val> as numeric */ 640 if ((r = cgetnum(lc->lc_cap, cap, &lval)) == -1) 641 return def; /* Not there, so return default */ 642 else if (r >= 0) 643 return (rlim_t)lval; 644 } 645 646 if (r < 0) { 647 errno = ERANGE; 648 return error; 649 } 650 651 if (isinfinite(res)) 652 return RLIM_INFINITY; 653 654 errno = 0; 655 val = strtoq(res, &ep, 0); 656 if (ep == NULL || ep == res || errno != 0) { 657 syslog(LOG_WARNING, "login_getcapnum: class '%s' bad value %s=%s", 658 lc->lc_class, cap, res); 659 errno = ERANGE; 660 return error; 661 } 662 663 return val; 664} 665 666 667 668/* 669 * login_getcapsize() 670 * From the login_cap_t <lc>, extract the capability <cap>, which is 671 * formatted as a size (e.g., "<cap>=10M"); it can also be "infinity". 672 * If not present, return <def>, or <error> if there is an error of 673 * some sort. 674 */ 675 676rlim_t 677login_getcapsize(login_cap_t *lc, const char *cap, rlim_t def, rlim_t error) 678{ 679 char *ep, *res, *oval; 680 int r; 681 rlim_t tot; 682 683 if (lc == NULL || lc->lc_cap == NULL) 684 return def; 685 686 if ((r = cgetstr(lc->lc_cap, cap, &res)) == -1) 687 return def; 688 else if (r < 0) { 689 errno = ERANGE; 690 return error; 691 } 692 693 if (isinfinite(res)) 694 return RLIM_INFINITY; 695 696 errno = 0; 697 tot = 0; 698 oval = res; 699 while (*res) { 700 rlim_t siz = strtoq(res, &ep, 0); 701 rlim_t mult = 1; 702 703 if (ep == NULL || ep == res || errno != 0) { 704 invalid: 705 syslog(LOG_WARNING, "login_getcapsize: class '%s' bad value %s=%s", 706 lc->lc_class, cap, oval); 707 errno = ERANGE; 708 return error; 709 } 710 switch (*ep++) { 711 case 0: /* end of string */ 712 ep--; 713 break; 714 case 'b': case 'B': /* 512-byte blocks */ 715 mult = 512; 716 break; 717 case 'k': case 'K': /* 1024-byte Kilobytes */ 718 mult = 1024; 719 break; 720 case 'm': case 'M': /* 1024-k kbytes */ 721 mult = 1024 * 1024; 722 break; 723 case 'g': case 'G': /* 1Gbyte */ 724 mult = 1024 * 1024 * 1024; 725 break; 726 case 't': case 'T': /* 1TBte */ 727 mult = 1024LL * 1024LL * 1024LL * 1024LL; 728 break; 729 default: 730 goto invalid; 731 } 732 res = ep; 733 tot += rmultiply(siz, mult); 734 if (errno) 735 goto invalid; 736 } 737 738 return tot; 739} 740 741 742/* 743 * login_getcapbool() 744 * From the login_cap_t <lc>, check for the existance of the capability 745 * of <cap>. Return <def> if <lc>->lc_cap is NULL, otherwise return 746 * the whether or not <cap> exists there. 747 */ 748 749int 750login_getcapbool(login_cap_t *lc, const char *cap, int def) 751{ 752 if (lc == NULL || lc->lc_cap == NULL) 753 return def; 754 return (cgetcap(lc->lc_cap, cap, ':') != NULL); 755} 756 757 758/* 759 * login_getstyle() 760 * Given a login_cap entry <lc>, and optionally a type of auth <auth>, 761 * and optionally a style <style>, find the style that best suits these 762 * rules: 763 * 1. If <auth> is non-null, look for an "auth-<auth>=" string 764 * in the capability; if not present, default to "auth=". 765 * 2. If there is no auth list found from (1), default to 766 * "passwd" as an authorization list. 767 * 3. If <style> is non-null, look for <style> in the list of 768 * authorization methods found from (2); if <style> is NULL, default 769 * to LOGIN_DEFSTYLE ("passwd"). 770 * 4. If the chosen style is found in the chosen list of authorization 771 * methods, return that; otherwise, return NULL. 772 * E.g.: 773 * login_getstyle(lc, NULL, "ftp"); 774 * login_getstyle(lc, "login", NULL); 775 * login_getstyle(lc, "skey", "network"); 776 */ 777 778const char * 779login_getstyle(login_cap_t *lc, const char *style, const char *auth) 780{ 781 int i; 782 const char **authtypes = NULL; 783 char *auths= NULL; 784 char realauth[64]; 785 786 static const char *defauthtypes[] = { LOGIN_DEFSTYLE, NULL }; 787 788 if (auth != NULL && *auth != '\0') { 789 if (snprintf(realauth, sizeof realauth, "auth-%s", auth) < (int)sizeof(realauth)) 790 authtypes = login_getcaplist(lc, realauth, NULL); 791 } 792 793 if (authtypes == NULL) 794 authtypes = login_getcaplist(lc, "auth", NULL); 795 796 if (authtypes == NULL) 797 authtypes = defauthtypes; 798 799 /* 800 * We have at least one authtype now; auths is a comma-separated 801 * (or space-separated) list of authentication types. We have to 802 * convert from this to an array of char*'s; authtypes then gets this. 803 */ 804 i = 0; 805 if (style != NULL && *style != '\0') { 806 while (authtypes[i] != NULL && strcmp(style, authtypes[i]) != 0) 807 i++; 808 } 809 810 lc->lc_style = NULL; 811 if (authtypes[i] != NULL && (auths = strdup(authtypes[i])) != NULL) 812 lc->lc_style = auths; 813 814 if (lc->lc_style != NULL) 815 lc->lc_style = strdup(lc->lc_style); 816 817 return lc->lc_style; 818} 819