authorgww <none@none>2008-02-21 17:17:41 -0800
committergww <none@none>2008-02-21 17:17:41 -0800
commit499fd60129a966ad9d9e752e65f591c3a6a1c697 (patch)
tree81345eeff0f75d26b841b2684b02bd8c90458b27 /usr/src/lib/libsecdb/common
parent10b955899caccfba75ec0814d07b64204863e54e (diff)
PSARC/2008/034 Defining Workstation Owner Infrastructure
6650907 Implement PSARC/2008/034 Defining Workstation Owner Infrastructure 6655423 configd:rc_node.c:perm_granted() uses perm_lock which is no longer needed.
Diffstat (limited to 'usr/src/lib/libsecdb/common')
-rw-r--r--usr/src/lib/libsecdb/common/chkauthattr.c156
-rw-r--r--usr/src/lib/libsecdb/common/getexecattr.c54
-rw-r--r--usr/src/lib/libsecdb/common/mapfile-vers6
3 files changed, 137 insertions, 79 deletions
diff --git a/usr/src/lib/libsecdb/common/chkauthattr.c b/usr/src/lib/libsecdb/common/chkauthattr.c
index 6e41e99723..04b1fe8846 100644
--- a/usr/src/lib/libsecdb/common/chkauthattr.c
+++ b/usr/src/lib/libsecdb/common/chkauthattr.c
@@ -19,7 +19,7 @@
* CDDL HEADER END
*/
/*
- * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -33,6 +33,8 @@
#include <fcntl.h>
#include <sys/mman.h>
#include <limits.h>
+#include <pwd.h>
+#include <nss_dbdefs.h>
#include <deflt.h>
#include <auth_attr.h>
#include <prof_attr.h>
@@ -40,10 +42,8 @@
static int _is_authorized(const char *, char *);
-static int _chk_policy_auth(const char *, char **, int *);
+static int _chk_policy_auth(const char *, const char *, char **, int *);
static int _chkprof_for_auth(const char *, const char *, char **, int *);
-
-
int
chkauthattr(const char *authname, const char *username)
{
@@ -59,7 +59,8 @@ chkauthattr(const char *authname, const char *username)
return (0);
/* Check against AUTHS_GRANTED and PROFS_GRANTED in policy.conf */
- auth_granted = _chk_policy_auth(authname, chkedprof, &chkedprof_cnt);
+ auth_granted = _chk_policy_auth(authname, username, chkedprof,
+ &chkedprof_cnt);
if (auth_granted)
goto exit;
@@ -203,45 +204,6 @@ _is_authorized(const char *authname, char *auths)
}
-int
-_get_auth_policy(char **def_auth, char **def_prof)
-{
- char *cp;
-
- if (defopen(AUTH_POLICY) != 0)
- return (-1);
-
- cp = defread(DEF_AUTH);
- if (cp != NULL) {
- *def_auth = strdup(cp);
- if (*def_auth == NULL)
- return (-1);
- } else {
- *def_auth = NULL;
- }
-
- cp = defread(DEF_PROF);
- if (cp != NULL) {
- *def_prof = strdup(cp);
- if (*def_prof == NULL) {
- free(*def_auth);
- return (-1);
- }
- } else {
- *def_prof = NULL;
- }
-
- (void) defopen(NULL);
- return (0);
-}
-
-void
-_free_auth_policy(char *def_auth, char *def_prof)
-{
- free(def_auth);
- free(def_prof);
-}
-
/*
* read /etc/security/policy.conf for AUTHS_GRANTED.
* return 1 if found matching authname.
@@ -249,12 +211,14 @@ _free_auth_policy(char *def_auth, char *def_prof)
* default profiles.
*/
static int
-_chk_policy_auth(const char *authname, char **chkedprof, int *chkedprof_cnt)
+_chk_policy_auth(const char *authname, const char *username, char **chkedprof,
+ int *chkedprof_cnt)
{
- char *auths, *profs;
+ char *auths = NULL;
+ char *profs = NULL;
int ret = 1;
- if (_get_auth_policy(&auths, &profs) != 0)
+ if (_get_user_defs(username, &auths, &profs) != 0)
return (0);
if (auths != NULL) {
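Review bot: The early `return (0)` taken when `_get_user_defs()` fails skips `_free_user_defs()`, so anything already stored in `auths` is leaked. The new `_get_user_defs()` (added further down in this file's diff) can return -1 after it has placed a strdup'ed string in `*def_auth`: its three allocation-failure paths in the `def_prof` branch do not release it, whereas the removed `_get_auth_policy()` called `free(*def_auth)` at that point. Because `auths` and `profs` are now initialised to NULL, the caller can clean up safely with `if (_get_user_defs(username, &auths, &profs) != 0) { _free_user_defs(auths, profs); return (0); }`. The leak is small, but it sits on an authorization-check path that may be called repeatedly by long-running processes. The body of `_chk_policy_auth` continues outside this hunk.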
@@ -270,6 +234,102 @@ _chk_policy_auth(const char *authname, char **chkedprof, int *chkedprof_cnt)
ret = 0;
exit:
- _free_auth_policy(auths, profs);
+ _free_user_defs(auths, profs);
return (ret);
}
+
+#define CONSOLE "/dev/console"
+
+static int
+is_cons_user(const char *user)
+{
+ struct stat cons;
+ struct passwd pw;
+ char pwbuf[NSS_BUFLEN_PASSWD];
+
+ if (user == NULL) {
+ return (0);
+ }
+ if (stat(CONSOLE, &cons) == -1) {
+ return (0);
+ }
+ if (getpwnam_r(user, &pw, pwbuf, sizeof (pwbuf)) == NULL) {
+ return (0);
+ }
+
+ return (pw.pw_uid == cons.st_uid);
+}
+
+
+int
+_get_user_defs(const char *user, char **def_auth, char **def_prof)
+{
+ char *cp;
+ char *profs;
+
+ if (defopen(AUTH_POLICY) != 0) {
+ if (def_auth != NULL) {
+ *def_auth = NULL;
+ }
+ if (def_prof != NULL) {
+ *def_prof = NULL;
+ }
+ return (-1);
+ }
+
+ if (def_auth != NULL) {
+ if ((cp = defread(DEF_AUTH)) != NULL) {
+ if ((*def_auth = strdup(cp)) == NULL) {
+ (void) defopen(NULL);
+ return (-1);
+ }
+ } else {
+ *def_auth = NULL;
+ }
+ }
+ if (def_prof != NULL) {
+ if (is_cons_user(user) &&
+ (cp = defread(DEF_CONSUSER)) != NULL) {
+ if ((*def_prof = strdup(cp)) == NULL) {
+ (void) defopen(NULL);
+ return (-1);
+ }
+ }
+ if ((cp = defread(DEF_PROF)) != NULL) {
+ int prof_len;
+
+ if (*def_prof == NULL) {
+ if ((*def_prof = strdup(cp)) == NULL) {
+ (void) defopen(NULL);
+ return (-1);
+ }
+ (void) defopen(NULL);
+ return (0);
+ }
+
+ /* concatenate def profs with "," separator */
+ prof_len = strlen(*def_prof) + strlen(cp) + 2;
+ if ((profs = malloc(prof_len)) == NULL) {
+ free(*def_prof);
+ *def_prof = NULL;
+ (void) defopen(NULL);
+ return (-1);
+ }
+ (void) snprintf(profs, prof_len, "%s,%s", *def_prof,
+ cp);
+ free(*def_prof);
+ *def_prof = profs;
+ }
+ }
+
+ (void) defopen(NULL);
+ return (0);
+}
+
+
+void
+_free_user_defs(char *def_auth, char *def_prof)
+{
+ free(def_auth);
+ free(def_prof);
+}
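Review bot: `_get_user_defs()` reads `*def_prof` in `if (*def_prof == NULL)` without having written it when the `is_cons_user()`/`DEF_CONSUSER` branch is not taken, and it leaves `*def_prof` unwritten when neither key is present. The two callers in this commit pre-set their pointer to NULL, but the symbol is exported through mapfile-vers and the `defopen()` failure path does clear both outputs, so the contract is inconsistent; a caller passing an uninitialised pointer would get an indeterminate read followed by `strlen()`/`free()` on garbage. Adding `*def_prof = NULL;` as the first statement inside `if (def_prof != NULL) {` makes the function self-contained. Separately, `is_cons_user()` decides who receives the console-user profiles purely from `pw.pw_uid == cons.st_uid`. A short comment stating what is trusted to set the owner of `/dev/console`, and what that owner is when nobody is logged in, would help anyone auditing this authorization path.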
diff --git a/usr/src/lib/libsecdb/common/getexecattr.c b/usr/src/lib/libsecdb/common/getexecattr.c
index 1e1ab20ffd..93d05e9706 100644
--- a/usr/src/lib/libsecdb/common/getexecattr.c
+++ b/usr/src/lib/libsecdb/common/getexecattr.c
@@ -19,7 +19,7 @@
* CDDL HEADER END
*/
/*
- * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -74,8 +74,8 @@ getexecprof(const char *name, const char *type, const char *id, int search_flag)
int err = 0;
char unique[NSS_BUFLEN_EXECATTR];
char buf[NSS_BUFLEN_EXECATTR];
- execattr_t *head = (execattr_t *)NULL;
- execattr_t *prev = (execattr_t *)NULL;
+ execattr_t *head = NULL;
+ execattr_t *prev = NULL;
execstr_t exec;
execstr_t *tmp;
@@ -83,7 +83,7 @@ getexecprof(const char *name, const char *type, const char *id, int search_flag)
(void) memset(&exec, 0, sizeof (execstr_t));
if ((search_flag != GET_ONE) && (search_flag != GET_ALL)) {
- return ((execattr_t *)NULL);
+ return (NULL);
}
if ((name == NULL) && (type == NULL) && (id == NULL)) {
@@ -101,7 +101,7 @@ getexecprof(const char *name, const char *type, const char *id, int search_flag)
};
break;
default:
- head = (execattr_t *)NULL;
+ head = NULL;
break;
}
endexecattr();
@@ -129,12 +129,12 @@ getexecuser(const char *username, const char *type, const char *id,
char buf[NSS_BUFLEN_USERATTR];
userstr_t user;
userstr_t *utmp;
- execattr_t *head = (execattr_t *)NULL;
- execattr_t *prev = (execattr_t *)NULL;
- execattr_t *new = (execattr_t *)NULL;
+ execattr_t *head = NULL;
+ execattr_t *prev = NULL;
+ execattr_t *new = NULL;
if ((search_flag != GET_ONE) && (search_flag != GET_ALL)) {
- return ((execattr_t *)NULL);
+ return (NULL);
}
if (username == NULL) {
@@ -156,7 +156,7 @@ getexecuser(const char *username, const char *type, const char *id,
prev = get_tail(head);
}
while ((utmp = _getuserattr(&user,
- buf, NSS_BUFLEN_USERATTR, &err)) != NULL) {
+ buf, NSS_BUFLEN_USERATTR, &err)) != NULL) {
if ((new =
userprof((const char *)(utmp->name),
type, id, search_flag)) != NULL) {
@@ -171,7 +171,7 @@ getexecuser(const char *username, const char *type, const char *id,
}
break;
default:
- head = (execattr_t *)NULL;
+ head = NULL;
break;
}
enduserattr();
@@ -187,7 +187,7 @@ execattr_t *
match_execattr(execattr_t *exec, const char *profname, const char *type,
const char *id)
{
- execattr_t *execp = (execattr_t *)NULL;
+ execattr_t *execp = NULL;
for (execp = exec; execp != NULL; execp = execp->next) {
if ((profname && execp->name &&
@@ -218,7 +218,7 @@ endexecattr()
void
free_execattr(execattr_t *exec)
{
- if (exec != (execattr_t *)NULL) {
+ if (exec != NULL) {
free(exec->name);
free(exec->type);
free(exec->policy);
@@ -240,16 +240,16 @@ userprof(const char *username, const char *type, const char *id,
int err = 0;
char *last;
char *sep = ",";
- char *proflist = (char *)NULL;
- char *profname = (char *)NULL;
+ char *proflist = NULL;
+ char *profname = NULL;
char buf[NSS_BUFLEN_USERATTR];
char pwdb[NSS_BUFLEN_PASSWD];
kva_t *user_attr;
userstr_t user;
userstr_t *utmp;
execattr_t *exec;
- execattr_t *head = (execattr_t *)NULL;
- execattr_t *prev = (execattr_t *)NULL;
+ execattr_t *head = NULL;
+ execattr_t *prev = NULL;
struct passwd pwd;
char *profArray[MAXPROFS];
@@ -265,7 +265,6 @@ userprof(const char *username, const char *type, const char *id,
utmp = _getusernam(username, &user, buf, NSS_BUFLEN_USERATTR, &err);
if (utmp != NULL) {
- proflist = NULL;
user_attr = _str2kva(user.attr, KV_ASSIGN, KV_DELIMITER);
if ((proflist = kva_match(user_attr, "profiles")) != NULL) {
/* Get the list of profiles for this user */
@@ -278,16 +277,15 @@ userprof(const char *username, const char *type, const char *id,
}
/* Get the list of default profiles */
- if (defopen(AUTH_POLICY) == NULL) {
- proflist = defread(DEF_PROF);
- (void) defopen(NULL);
- }
+ proflist = NULL;
+ (void) _get_user_defs(username, NULL, &proflist);
if (proflist != NULL) {
for (profname = _strtok_escape(proflist, sep, &last);
profname != NULL;
profname = _strtok_escape(NULL, sep, &last)) {
getproflist(profname, profArray, &profcnt);
}
+ _free_user_defs(NULL, proflist);
}
if (profcnt == 0) {
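Review bot: The `(void)` cast on `_get_user_defs(username, NULL, &proflist)` makes a policy.conf read error or an allocation failure indistinguishable from "no default profiles configured". With the `proflist = NULL;` line just above, that appears to fail closed (the user simply gets no default or console-user profiles), which looks intentional but should be stated, for example `/* on failure proflist stays NULL: no default profiles are applied */`. The same comment could note that the list is now a private copy, which is why `_strtok_escape()` may modify it and why `_free_user_defs(NULL, proflist)` is required afterwards. The body of `userprof` starts and ends outside this hunk.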
@@ -321,8 +319,8 @@ userprof(const char *username, const char *type, const char *id,
static execattr_t *
get_tail(execattr_t *exec)
{
- execattr_t *i_exec = (execattr_t *)NULL;
- execattr_t *j_exec = (execattr_t *)NULL;
+ execattr_t *i_exec = NULL;
+ execattr_t *j_exec = NULL;
if (exec != NULL) {
if (exec->next == NULL) {
@@ -345,10 +343,10 @@ execstr2attr(execstr_t *es)
execattr_t *newexec;
if (es == NULL) {
- return ((execattr_t *)NULL);
+ return (NULL);
}
- if ((newexec = (execattr_t *)malloc(sizeof (execattr_t))) == NULL) {
- return ((execattr_t *)NULL);
+ if ((newexec = malloc(sizeof (execattr_t))) == NULL) {
+ return (NULL);
}
newexec->name = _do_unescape(es->name);
@@ -361,7 +359,7 @@ execstr2attr(execstr_t *es)
if (es->next) {
newexec->next = execstr2attr((execstr_t *)(es->next));
} else {
- newexec->next = (execattr_t *)NULL;
+ newexec->next = NULL;
}
return (newexec);
}
diff --git a/usr/src/lib/libsecdb/common/mapfile-vers b/usr/src/lib/libsecdb/common/mapfile-vers
index a6490cb988..8c401df535 100644
--- a/usr/src/lib/libsecdb/common/mapfile-vers
+++ b/usr/src/lib/libsecdb/common/mapfile-vers
@@ -19,7 +19,7 @@
# CDDL HEADER END
#
#
-# Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+# Copyright 2008 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# ident "%Z%%M% %I% %E% SMI"
@@ -64,8 +64,8 @@ SUNWprivate_1.1 {
_csl_to_argv;
_do_unescape;
_free_argv;
- _free_auth_policy;
- _get_auth_policy;
+ _free_user_defs;
+ _get_user_defs;
_insert2kva;
_kva2str;
_kva_dup;