1/*
2 * Copyright (c) 2005, PADL Software Pty Ltd.
3 * All rights reserved.
4 *
5 * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 *
11 * 1. Redistributions of source code must retain the above copyright
12 *    notice, this list of conditions and the following disclaimer.
13 *
14 * 2. Redistributions in binary form must reproduce the above copyright
15 *    notice, this list of conditions and the following disclaimer in the
16 *    documentation and/or other materials provided with the distribution.
17 *
18 * 3. Neither the name of PADL Software nor the names of its contributors
19 *    may be used to endorse or promote products derived from this software
20 *    without specific prior written permission.
21 *
22 * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED.  IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 * SUCH DAMAGE.
33 */
34
35#include "kcm_locl.h"
36
/*
 * Decide whether `client` may perform `opcode` on `ccache`.
 *
 * Rules as implemented here:
 *  - a cache flagged KCM_FLAGS_OWNER_IS_SYSTEM is accessible only when
 *    CLIENT_IS_ROOT(client) holds;
 *  - any other cache is accessible only when kcm_is_same_session()
 *    accepts the client for the cache's uid and session.
 *
 * `opcode` does not influence the decision; it is used only to name the
 * operation in the denial log line, so every operation gets the same
 * answer. `context` is not used.
 *
 * Returns 0 when access is granted and KRB5_FCC_PERM otherwise. A denial
 * is logged at level 2 with the client pid, the operation and the cache
 * name.
 */
krb5_error_code
kcm_access(krb5_context context,
	   kcm_client *client,
	   kcm_operation opcode,
	   kcm_ccache ccache)
{
    krb5_error_code ret;

    KCM_ASSERT_VALID(ccache);

    if (ccache->flags & KCM_FLAGS_OWNER_IS_SYSTEM) {
	/* System caches: root only, whatever the operation. */
	ret = CLIENT_IS_ROOT(client) ? 0 : KRB5_FCC_PERM;
    } else {
	/* User caches: being in the owner's session counts as being the owner. */
	ret = kcm_is_same_session(client, ccache->uid, ccache->session)
	    ? 0 : KRB5_FCC_PERM;
    }

    if (ret == 0)
	return ret;

    /* Record the refusal so denied requests can be traced to a process. */
    kcm_log(2, "Process %d is not permitted to call %s on cache %s",
	    client->pid, kcm_op2string(opcode), ccache->name);

    return ret;
}
68
/*
 * Check whether `client` may change the mode of `ccache`.
 *
 * The request is refused with KRB5_FCC_PERM when the cache is flagged
 * KCM_FLAGS_OWNER_IS_SYSTEM, or when the cache's uid differs from the
 * client's uid. Unlike kcm_chown() there is no exception for uid 0.
 * Otherwise 0 is returned.
 *
 * NOTE(review): `mode` is never read and nothing is written to the cache
 * in this function, so a successful return only means the caller passed
 * the permission check. `context` is unused as well.
 */
krb5_error_code
kcm_chmod(krb5_context context,
	  kcm_client *client,
	  kcm_ccache ccache,
	  uint16_t mode)
{
    KCM_ASSERT_VALID(ccache);

    /*
     * System cache mode can only be set at startup; for every other
     * cache only the owning uid may ask for a mode change.
     */
    if ((ccache->flags & KCM_FLAGS_OWNER_IS_SYSTEM) ||
	ccache->uid != client->uid) {
	return KRB5_FCC_PERM;
    }

    return 0;
}
86
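/*
 * Reassign the owner of `ccache` to `uid` on behalf of `client`.
 *
 * Rules, in order:
 *  - a cache flagged KCM_FLAGS_OWNER_IS_SYSTEM is never re-owned here;
 *  - otherwise the client must be the current owner or have uid 0.
 *
 * The owner comparison and the owner write happen under a single hold of
 * ccache->mutex. Comparing outside the lock and writing inside it would
 * let two requests both pass the check against the old owner before
 * either one stores the new owner.
 *
 * Returns 0 on success and KRB5_FCC_PERM when the request is refused.
 * `context` is unused.
 *
 * NOTE(review): the target `uid` is not validated, so a non-root owner
 * can hand the cache to any uid. Confirm that is intended.
 */
krb5_error_code
kcm_chown(krb5_context context,
	  kcm_client *client,
	  kcm_ccache ccache,
	  uid_t uid)
{
    krb5_error_code ret = 0;

    KCM_ASSERT_VALID(ccache);

    /* System cache owner can only be set at startup */
    if (ccache->flags & KCM_FLAGS_OWNER_IS_SYSTEM)
	return KRB5_FCC_PERM;

    HEIMDAL_MUTEX_lock(&ccache->mutex);

    /* Check and update as one step so the decision uses the current owner. */
    if (ccache->uid != client->uid && client->uid != 0)
	ret = KRB5_FCC_PERM;
    else
	ccache->uid = uid;

    HEIMDAL_MUTEX_unlock(&ccache->mutex);

    return ret;
}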
110
111