1/* $NetBSD$ */ 2 3/* 4 * Copyright (c) 1997 - 2001 Kungliga Tekniska H��gskolan 5 * (Royal Institute of Technology, Stockholm, Sweden). 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 19 * 3. Neither the name of the Institute nor the names of its contributors 20 * may be used to endorse or promote products derived from this software 21 * without specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 33 * SUCH DAMAGE. 34 */ 35 36#include "kadm5_locl.h" 37 38__RCSID("$NetBSD$"); 39 40static struct units acl_units[] = { 41 { "all", KADM5_PRIV_ALL }, 42 { "change-password",KADM5_PRIV_CPW }, 43 { "cpw", KADM5_PRIV_CPW }, 44 { "list", KADM5_PRIV_LIST }, 45 { "delete", KADM5_PRIV_DELETE }, 46 { "modify", KADM5_PRIV_MODIFY }, 47 { "add", KADM5_PRIV_ADD }, 48 { "get", KADM5_PRIV_GET }, 49 { NULL } 50}; 51 52kadm5_ret_t 53_kadm5_string_to_privs(const char *s, uint32_t* privs) 54{ 55 int flags; 56 flags = parse_flags(s, acl_units, 0); 57 if(flags < 0) 58 return KADM5_FAILURE; 59 *privs = flags; 60 return 0; 61} 62 63kadm5_ret_t 64_kadm5_privs_to_string(uint32_t privs, char *string, size_t len) 65{ 66 if(privs == 0) 67 strlcpy(string, "none", len); 68 else 69 unparse_flags(privs, acl_units + 1, string, len); 70 return 0; 71} 72 73/* 74 * retrieve the right for the current caller on `princ' (NULL means all) 75 * and store them in `ret_flags' 76 * return 0 or an error. 77 */ 78 79static kadm5_ret_t 80fetch_acl (kadm5_server_context *context, 81 krb5_const_principal princ, 82 unsigned *ret_flags) 83{ 84 FILE *f; 85 krb5_error_code ret = 0; 86 char buf[256]; 87 88 *ret_flags = 0; 89 90 /* no acl file -> no rights */ 91 f = fopen(context->config.acl_file, "r"); 92 if (f == NULL) 93 return 0; 94 95 while(fgets(buf, sizeof(buf), f) != NULL) { 96 char *foo = NULL, *p; 97 krb5_principal this_princ; 98 unsigned flags = 0; 99 100 p = strtok_r(buf, " \t\n", &foo); 101 if(p == NULL) 102 continue; 103 if (*p == '#') /* comment */ 104 continue; 105 ret = krb5_parse_name(context->context, p, &this_princ); 106 if(ret) 107 break; 108 if(!krb5_principal_compare(context->context, 109 context->caller, this_princ)) { 110 krb5_free_principal(context->context, this_princ); 111 continue; 112 } 113 krb5_free_principal(context->context, this_princ); 114 p = strtok_r(NULL, " \t\n", &foo); 115 if(p == NULL) 116 continue; 117 ret = _kadm5_string_to_privs(p, &flags); 118 if (ret) 119 break; 120 p = strtok_r(NULL, " \t\n", &foo); 121 if (p == NULL) { 122 *ret_flags = flags; 123 break; 124 } 125 if (princ != NULL) { 126 krb5_principal pattern_princ; 127 krb5_boolean match; 128 129 ret = krb5_parse_name (context->context, p, &pattern_princ); 130 if (ret) 131 break; 132 match = krb5_principal_match (context->context, 133 princ, pattern_princ); 134 krb5_free_principal (context->context, pattern_princ); 135 if (match) { 136 *ret_flags = flags; 137 break; 138 } 139 } 140 } 141 fclose(f); 142 return ret; 143} 144 145/* 146 * set global acl flags in `context' for the current caller. 147 * return 0 on success or an error 148 */ 149 150kadm5_ret_t 151_kadm5_acl_init(kadm5_server_context *context) 152{ 153 krb5_principal princ; 154 krb5_error_code ret; 155 156 ret = krb5_parse_name(context->context, KADM5_ADMIN_SERVICE, &princ); 157 if (ret) 158 return ret; 159 ret = krb5_principal_compare(context->context, context->caller, princ); 160 krb5_free_principal(context->context, princ); 161 if(ret != 0) { 162 context->acl_flags = KADM5_PRIV_ALL; 163 return 0; 164 } 165 166 return fetch_acl (context, NULL, &context->acl_flags); 167} 168 169/* 170 * check if `flags' allows `op' 171 * return 0 if OK or an error 172 */ 173 174static kadm5_ret_t 175check_flags (unsigned op, 176 unsigned flags) 177{ 178 unsigned res = ~flags & op; 179 180 if(res & KADM5_PRIV_GET) 181 return KADM5_AUTH_GET; 182 if(res & KADM5_PRIV_ADD) 183 return KADM5_AUTH_ADD; 184 if(res & KADM5_PRIV_MODIFY) 185 return KADM5_AUTH_MODIFY; 186 if(res & KADM5_PRIV_DELETE) 187 return KADM5_AUTH_DELETE; 188 if(res & KADM5_PRIV_CPW) 189 return KADM5_AUTH_CHANGEPW; 190 if(res & KADM5_PRIV_LIST) 191 return KADM5_AUTH_LIST; 192 if(res) 193 return KADM5_AUTH_INSUFFICIENT; 194 return 0; 195} 196 197/* 198 * return 0 if the current caller in `context' is allowed to perform 199 * `op' on `princ' and otherwise an error 200 * princ == NULL if it's not relevant. 201 */ 202 203kadm5_ret_t 204_kadm5_acl_check_permission(kadm5_server_context *context, 205 unsigned op, 206 krb5_const_principal princ) 207{ 208 kadm5_ret_t ret; 209 unsigned princ_flags; 210 211 ret = check_flags (op, context->acl_flags); 212 if (ret == 0) 213 return ret; 214 ret = fetch_acl (context, princ, &princ_flags); 215 if (ret) 216 return ret; 217 return check_flags (op, princ_flags); 218} 219