search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
No empty .Rs/.Re
[netbsd-mini2440.git] / crypto / dist / heimdal / appl / login / login_access.c
bloba0e06e085ad91a1fc4bdb544ab71dbf3eab982cc
1 /************************************************************************
2 * Copyright 1995 by Wietse Venema. All rights reserved. Some individual
3 * files may be covered by other copyrights.
4 *
5 * This material was originally written and compiled by Wietse Venema at
6 * Eindhoven University of Technology, The Netherlands, in 1990, 1991,
7 * 1992, 1993, 1994 and 1995.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that this entire copyright notice
11 * is duplicated in all such copies.
12 *
13 * This software is provided "as is" and without any expressed or implied
14 * warranties, including, without limitation, the implied warranties of
15 * merchantibility and fitness for any particular purpose.
16 ************************************************************************/
17 /*
18 * This module implements a simple but effective form of login access
19 * control based on login names and on host (or domain) names, internet
20 * addresses (or network numbers), or on terminal line names in case of
21 * non-networked logins. Diagnostics are reported through syslog(3).
22 *
23 * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
24 */
25
26 #include "login_locl.h"
27
28 __RCSID("$Heimdal: login_access.c 10020 2001-06-04 14:10:19Z assar $"
29 "$NetBSD$");
30
31 /* Delimiters for fields and for lists of users, ttys or hosts. */
32
33 static char fs[] = ":"; /* field separator */
34 static char sep[] = ", \t"; /* list-element separator */
35
36 /* Constants to be used in assignments only, not in comparisons... */
37
38 #define YES 1
39 #define NO 0
40
41 /*
42 * A structure to bundle up all login-related information to keep the
43 * functional interfaces as generic as possible.
44 */
45 struct login_info {
46 struct passwd *user;
47 char *from;
48 };
49
50 static int list_match(char *list, struct login_info *item,
51 int (*match_fn)(char *, struct login_info *));
52 static int user_match(char *tok, struct login_info *item);
53 static int from_match(char *tok, struct login_info *item);
54 static int string_match(char *tok, char *string);
55
56 /* login_access - match username/group and host/tty with access control file */
57
58 int login_access(struct passwd *user, char *from)
59 {
60 struct login_info item;
61 FILE *fp;
62 char line[BUFSIZ];
63 char *perm; /* becomes permission field */
64 char *users; /* becomes list of login names */
65 char *froms; /* becomes list of terminals or hosts */
66 int match = NO;
67 int end;
68 int lineno = 0; /* for diagnostics */
69 char *foo;
70
71 /*
72 * Bundle up the arguments to avoid unnecessary clumsiness lateron.
73 */
74 item.user = user;
75 item.from = from;
76
77 /*
78 * Process the table one line at a time and stop at the first match.
79 * Blank lines and lines that begin with a '#' character are ignored.
80 * Non-comment lines are broken at the ':' character. All fields are
81 * mandatory. The first field should be a "+" or "-" character. A
82 * non-existing table means no access control.
83 */
84
85 if ((fp = fopen(_PATH_LOGACCESS, "r")) != 0) {
86 while (!match && fgets(line, sizeof(line), fp)) {
87 lineno++;
88 if (line[end = strlen(line) - 1] != '\n') {
89 syslog(LOG_ERR, "%s: line %d: missing newline or line too long",
90 _PATH_LOGACCESS, lineno);
91 continue;
92 }
93 if (line[0] == '#')
94 continue; /* comment line */
95 while (end > 0 && isspace((unsigned char)line[end - 1]))
96 end--;
97 line[end] = 0; /* strip trailing whitespace */
98 if (line[0] == 0) /* skip blank lines */
99 continue;
100 foo = NULL;
101 if (!(perm = strtok_r(line, fs, &foo))
102 || !(users = strtok_r(NULL, fs, &foo))
103 || !(froms = strtok_r(NULL, fs, &foo))
104 || strtok_r(NULL, fs, &foo)) {
105 syslog(LOG_ERR, "%s: line %d: bad field count",
106 _PATH_LOGACCESS,
107 lineno);
108 continue;
109 }
110 if (perm[0] != '+' && perm[0] != '-') {
111 syslog(LOG_ERR, "%s: line %d: bad first field",
112 _PATH_LOGACCESS,
113 lineno);
114 continue;
115 }
116 match = (list_match(froms, &item, from_match)
117 && list_match(users, &item, user_match));
118 }
119 fclose(fp);
120 } else if (errno != ENOENT) {
121 syslog(LOG_ERR, "cannot open %s: %m", _PATH_LOGACCESS);
122 }
123 return (match == 0 || (line[0] == '+'));
124 }
125
126 /* list_match - match an item against a list of tokens with exceptions */
127
128 static int
129 list_match(char *list,
130 struct login_info *item,
131 int (*match_fn)(char *, struct login_info *))
132 {
133 char *tok;
134 int match = NO;
135 char *foo = NULL;
136
137 /*
138 * Process tokens one at a time. We have exhausted all possible matches
139 * when we reach an "EXCEPT" token or the end of the list. If we do find
140 * a match, look for an "EXCEPT" list and recurse to determine whether
141 * the match is affected by any exceptions.
142 */
143
144 for (tok = strtok_r(list, sep, &foo);
145 tok != NULL;
146 tok = strtok_r(NULL, sep, &foo)) {
147 if (strcasecmp(tok, "EXCEPT") == 0) /* EXCEPT: give up */
148 break;
149 if ((match = (*match_fn) (tok, item)) != 0) /* YES */
150 break;
151 }
152 /* Process exceptions to matches. */
153
154 if (match != NO) {
155 while ((tok = strtok_r(NULL, sep, &foo)) && strcasecmp(tok, "EXCEPT"))
156 /* VOID */ ;
157 if (tok == 0 || list_match(NULL, item, match_fn) == NO)
158 return (match);
159 }
160 return (NO);
161 }
162
163 /* myhostname - figure out local machine name */
164
165 static char *myhostname(void)
166 {
167 static char name[MAXHOSTNAMELEN + 1] = "";
168
169 if (name[0] == 0) {
170 gethostname(name, sizeof(name));
171 name[MAXHOSTNAMELEN] = 0;
172 }
173 return (name);
174 }
175
176 /* netgroup_match - match group against machine or user */
177
178 static int netgroup_match(char *group, char *machine, char *user)
179 {
180 #ifdef HAVE_YP_GET_DEFAULT_DOMAIN
181 static char *mydomain = 0;
182
183 if (mydomain == 0)
184 yp_get_default_domain(&mydomain);
185 return (innetgr(group, machine, user, mydomain));
186 #else
187 syslog(LOG_ERR, "NIS netgroup support not configured");
188 return 0;
189 #endif
190 }
191
192 /* user_match - match a username against one token */
193
194 static int user_match(char *tok, struct login_info *item)
195 {
196 char *string = item->user->pw_name;
197 struct login_info fake_item;
198 struct group *group;
199 int i;
200 char *at;
201
202 /*
203 * If a token has the magic value "ALL" the match always succeeds.
204 * Otherwise, return YES if the token fully matches the username, if the
205 * token is a group that contains the username, or if the token is the
206 * name of the user's primary group.
207 */
208
209 if ((at = strchr(tok + 1, '@')) != 0) { /* split user@host pattern */
210 *at = 0;
211 fake_item.from = myhostname();
212 return (user_match(tok, item) && from_match(at + 1, &fake_item));
213 } else if (tok[0] == '@') { /* netgroup */
214 return (netgroup_match(tok + 1, (char *) 0, string));
215 } else if (string_match(tok, string)) { /* ALL or exact match */
216 return (YES);
217 } else if ((group = getgrnam(tok)) != 0) { /* try group membership */
218 if (item->user->pw_gid == group->gr_gid)
219 return (YES);
220 for (i = 0; group->gr_mem[i]; i++)
221 if (strcasecmp(string, group->gr_mem[i]) == 0)
222 return (YES);
223 }
224 return (NO);
225 }
226
227 /* from_match - match a host or tty against a list of tokens */
228
229 static int from_match(char *tok, struct login_info *item)
230 {
231 char *string = item->from;
232 int tok_len;
233 int str_len;
234
235 /*
236 * If a token has the magic value "ALL" the match always succeeds. Return
237 * YES if the token fully matches the string. If the token is a domain
238 * name, return YES if it matches the last fields of the string. If the
239 * token has the magic value "LOCAL", return YES if the string does not
240 * contain a "." character. If the token is a network number, return YES
241 * if it matches the head of the string.
242 */
243
244 if (tok[0] == '@') { /* netgroup */
245 return (netgroup_match(tok + 1, string, (char *) 0));
246 } else if (string_match(tok, string)) { /* ALL or exact match */
247 return (YES);
248 } else if (tok[0] == '.') { /* domain: match last fields */
249 if ((str_len = strlen(string)) > (tok_len = strlen(tok))
250 && strcasecmp(tok, string + str_len - tok_len) == 0)
251 return (YES);
252 } else if (strcasecmp(tok, "LOCAL") == 0) { /* local: no dots */
253 if (strchr(string, '.') == 0)
254 return (YES);
255 } else if (tok[(tok_len = strlen(tok)) - 1] == '.' /* network */
256 && strncmp(tok, string, tok_len) == 0) {
257 return (YES);
258 }
259 return (NO);
260 }
261
262 /* string_match - match a string against one token */
263
264 static int string_match(char *tok, char *string)
265 {
266
267 /*
268 * If the token has the magic value "ALL" the match always succeeds.
269 * Otherwise, return YES if the token fully matches the string.
270 */
271
272 if (strcasecmp(tok, "ALL") == 0) { /* all: always matches */
273 return (YES);
274 } else if (strcasecmp(tok, string) == 0) { /* try exact match */
275 return (YES);
276 }
277 return (NO);
278 }
NetBSD on the FriendlyARM MINI2440