1 /*- 2 * Copyright (c) 1996 by 3 * Sean Eric Fagan <sef@kithrup.com> 4 * David Nugent <davidn@blaze.net.au> 5 * All rights reserved. 6 * 7 * Portions copyright (c) 1995,1997 8 * Berkeley Software Design, Inc. 9 * All rights reserved. 10 * 11 * Redistribution and use in source and binary forms, with or without 12 * modification, is permitted provided that the following conditions 13 * are met: 14 * 1. Redistributions of source code must retain the above copyright 15 * notice immediately at the beginning of the file, without modification, 16 * this list of conditions, and the following disclaimer. 17 * 2. Redistributions in binary form must reproduce the above copyright 18 * notice, this list of conditions and the following disclaimer in the 19 * documentation and/or other materials provided with the distribution. 20 * 3. This work was done expressly for inclusion into FreeBSD. Other use 21 * is permitted provided this notation is included. 22 * 4. Absolutely no warranty of function or purpose is made by the authors. 23 * 5. Modifications may be freely made to this file providing the above 24 * conditions are met. 25 * 26 * Low-level routines relating to the user capabilities database 27 * 28 * $FreeBSD: src/lib/libutil/login_cap.c,v 1.17.2.4 2001/10/21 19:42:13 ache Exp $ 29 * $DragonFly: src/lib/libutil/login_cap.c,v 1.2 2003/06/17 04:26:51 dillon Exp $ 30 */ 31 32 #include <stdio.h> 33 #include <stdlib.h> 34 #include <string.h> 35 #include <errno.h> 36 #include <fcntl.h> 37 #include <unistd.h> 38 39 #include <sys/types.h> 40 #include <sys/time.h> 41 #include <sys/resource.h> 42 #include <sys/param.h> 43 #include <pwd.h> 44 #include <libutil.h> 45 #include <syslog.h> 46 #include <login_cap.h> 47 48 /* 49 * allocstr() 50 * Manage a single static pointer for handling a local char* buffer, 51 * resizing as necessary to contain the string. 52 * 53 * allocarray() 54 * Manage a static array for handling a group of strings, resizing 55 * when necessary. 56 */ 57 58 static int lc_object_count = 0; 59 60 static size_t internal_stringsz = 0; 61 static char * internal_string = NULL; 62 static size_t internal_arraysz = 0; 63 static char ** internal_array = NULL; 64 65 static char * 66 allocstr(char *str) 67 { 68 char *p; 69 70 size_t sz = strlen(str) + 1; /* realloc() only if necessary */ 71 if (sz <= internal_stringsz) 72 p = strcpy(internal_string, str); 73 else if ((p = realloc(internal_string, sz)) != NULL) { 74 internal_stringsz = sz; 75 internal_string = strcpy(p, str); 76 } 77 return p; 78 } 79 80 81 static char ** 82 allocarray(size_t sz) 83 { 84 char **p; 85 86 if (sz <= internal_arraysz) 87 p = internal_array; 88 else if ((p = realloc(internal_array, sz * sizeof(char*))) != NULL) { 89 internal_arraysz = sz; 90 internal_array = p; 91 } 92 return p; 93 } 94 95 96 /* 97 * arrayize() 98 * Turn a simple string <str> separated by any of 99 * the set of <chars> into an array. The last element 100 * of the array will be NULL, as is proper. 101 * Free using freearraystr() 102 */ 103 104 static char ** 105 arrayize(char *str, const char *chars, int *size) 106 { 107 int i; 108 char *ptr; 109 char **res = NULL; 110 111 /* count the sub-strings */ 112 for (i = 0, ptr = str; *ptr; i++) { 113 int count = strcspn(ptr, chars); 114 ptr += count; 115 if (*ptr) 116 ++ptr; 117 } 118 119 /* alloc the array */ 120 if ((ptr = allocstr(str)) != NULL) { 121 if ((res = allocarray(++i)) == NULL) 122 free(str); 123 else { 124 /* now split the string */ 125 i = 0; 126 while (*ptr) { 127 int count = strcspn(ptr, chars); 128 res[i++] = ptr; 129 ptr += count; 130 if (*ptr) 131 *ptr++ = '\0'; 132 } 133 res[i] = NULL; 134 } 135 } 136 137 if (size) 138 *size = i; 139 140 return res; 141 } 142 143 144 /* 145 * login_close() 146 * Frees up all resources relating to a login class 147 * 148 */ 149 150 void 151 login_close(login_cap_t * lc) 152 { 153 if (lc) { 154 free(lc->lc_style); 155 free(lc->lc_class); 156 free(lc->lc_cap); 157 free(lc); 158 if (--lc_object_count == 0) { 159 free(internal_string); 160 free(internal_array); 161 internal_array = NULL; 162 internal_arraysz = 0; 163 internal_string = NULL; 164 internal_stringsz = 0; 165 cgetclose(); 166 } 167 } 168 } 169 170 171 /* 172 * login_getclassbyname() get the login class by its name. 173 * If the name given is NULL or empty, the default class 174 * LOGIN_DEFCLASS (ie. "default") is fetched. If the 175 * 'dir' argument contains a non-NULL non-empty string, 176 * then the file _FILE_LOGIN_CONF is picked up from that 177 * directory instead of the system login database. 178 * Return a filled-out login_cap_t structure, including 179 * class name, and the capability record buffer. 180 */ 181 182 login_cap_t * 183 login_getclassbyname(char const *name, const struct passwd *pwd) 184 { 185 login_cap_t *lc; 186 187 if ((lc = malloc(sizeof(login_cap_t))) != NULL) { 188 int r, me, i = 0; 189 uid_t euid = 0; 190 gid_t egid = 0; 191 const char *msg = NULL; 192 const char *dir; 193 char userpath[MAXPATHLEN]; 194 195 static char *login_dbarray[] = { NULL, NULL, NULL }; 196 197 me = (name != NULL && strcmp(name, LOGIN_MECLASS) == 0); 198 dir = (!me || pwd == NULL) ? NULL : pwd->pw_dir; 199 /* 200 * Switch to user mode before checking/reading its ~/.login_conf 201 * - some NFSes have root read access disabled. 202 * 203 * XXX: This fails to configure additional groups. 204 */ 205 if (dir) { 206 euid = geteuid(); 207 egid = getegid(); 208 (void)setegid(pwd->pw_gid); 209 (void)seteuid(pwd->pw_uid); 210 } 211 212 if (dir && snprintf(userpath, MAXPATHLEN, "%s/%s", dir, 213 _FILE_LOGIN_CONF) < MAXPATHLEN) { 214 login_dbarray[i] = userpath; 215 if (_secure_path(userpath, pwd->pw_uid, pwd->pw_gid) != -1) 216 i++; /* only use 'secure' data */ 217 } 218 if (_secure_path(_PATH_LOGIN_CONF, 0, 0) != -1) 219 login_dbarray[i++] = _PATH_LOGIN_CONF; 220 login_dbarray[i] = NULL; 221 222 memset(lc, 0, sizeof(login_cap_t)); 223 lc->lc_cap = lc->lc_class = lc->lc_style = NULL; 224 225 if (name == NULL || *name == '\0') 226 name = LOGIN_DEFCLASS; 227 228 switch (cgetent(&lc->lc_cap, login_dbarray, (char*)name)) { 229 case -1: /* Failed, entry does not exist */ 230 if (me) 231 break; /* Don't retry default on 'me' */ 232 if (i == 0) 233 r = -1; 234 else if ((r = open(login_dbarray[0], O_RDONLY)) >= 0) 235 close(r); 236 /* 237 * If there's at least one login class database, 238 * and we aren't searching for a default class 239 * then complain about a non-existent class. 240 */ 241 if (r >= 0 || strcmp(name, LOGIN_DEFCLASS) != 0) 242 syslog(LOG_ERR, "login_getclass: unknown class '%s'", name); 243 /* fall-back to default class */ 244 name = LOGIN_DEFCLASS; 245 msg = "%s: no default/fallback class '%s'"; 246 if (cgetent(&lc->lc_cap, login_dbarray, (char*)name) != 0 && r >= 0) 247 break; 248 /* Fallthru - just return system defaults */ 249 case 0: /* success! */ 250 if ((lc->lc_class = strdup(name)) != NULL) { 251 if (dir) { 252 (void)seteuid(euid); 253 (void)setegid(egid); 254 } 255 ++lc_object_count; 256 return lc; 257 } 258 msg = "%s: strdup: %m"; 259 break; 260 case -2: 261 msg = "%s: retrieving class information: %m"; 262 break; 263 case -3: 264 msg = "%s: 'tc=' reference loop '%s'"; 265 break; 266 case 1: 267 msg = "couldn't resolve 'tc=' reference in '%s'"; 268 break; 269 default: 270 msg = "%s: unexpected cgetent() error '%s': %m"; 271 break; 272 } 273 if (dir) { 274 (void)seteuid(euid); 275 (void)setegid(egid); 276 } 277 if (msg != NULL) 278 syslog(LOG_ERR, msg, "login_getclass", name); 279 free(lc); 280 } 281 282 return NULL; 283 } 284 285 286 287 /* 288 * login_getclass() 289 * Get the login class for the system (only) login class database. 290 * Return a filled-out login_cap_t structure, including 291 * class name, and the capability record buffer. 292 */ 293 294 login_cap_t * 295 login_getclass(const char *cls) 296 { 297 return login_getclassbyname(cls, NULL); 298 } 299 300 301 /* 302 * login_getclass() 303 * Get the login class for a given password entry from 304 * the system (only) login class database. 305 * If the password entry's class field is not set, or 306 * the class specified does not exist, then use the 307 * default of LOGIN_DEFCLASS (ie. "default"). 308 * Return a filled-out login_cap_t structure, including 309 * class name, and the capability record buffer. 310 */ 311 312 login_cap_t * 313 login_getpwclass(const struct passwd *pwd) 314 { 315 const char *cls = NULL; 316 317 if (pwd != NULL) { 318 cls = pwd->pw_class; 319 if (cls == NULL || *cls == '\0') 320 cls = (pwd->pw_uid == 0) ? LOGIN_DEFROOTCLASS : LOGIN_DEFCLASS; 321 } 322 return login_getclassbyname(cls, pwd); 323 } 324 325 326 /* 327 * login_getuserclass() 328 * Get the login class for a given password entry, allowing user 329 * overrides via ~/.login_conf. 330 */ 331 332 login_cap_t * 333 login_getuserclass(const struct passwd *pwd) 334 { 335 return login_getclassbyname(LOGIN_MECLASS, pwd); 336 } 337 338 339 340 /* 341 * login_getcapstr() 342 * Given a login_cap entry, and a capability name, return the 343 * value defined for that capability, a defualt if not found, or 344 * an error string on error. 345 */ 346 347 char * 348 login_getcapstr(login_cap_t *lc, const char *cap, char *def, char *error) 349 { 350 char *res; 351 int ret; 352 353 if (lc == NULL || cap == NULL || lc->lc_cap == NULL || *cap == '\0') 354 return def; 355 356 if ((ret = cgetstr(lc->lc_cap, (char *)cap, &res)) == -1) 357 return def; 358 return (ret >= 0) ? res : error; 359 } 360 361 362 /* 363 * login_getcaplist() 364 * Given a login_cap entry, and a capability name, return the 365 * value defined for that capability split into an array of 366 * strings. 367 */ 368 369 char ** 370 login_getcaplist(login_cap_t *lc, const char *cap, const char *chars) 371 { 372 char *lstring; 373 374 if (chars == NULL) 375 chars = ", \t"; 376 if ((lstring = login_getcapstr(lc, (char*)cap, NULL, NULL)) != NULL) 377 return arrayize(lstring, chars, NULL); 378 return NULL; 379 } 380 381 382 /* 383 * login_getpath() 384 * From the login_cap_t <lc>, get the capability <cap> which is 385 * formatted as either a space or comma delimited list of paths 386 * and append them all into a string and separate by semicolons. 387 * If there is an error of any kind, return <error>. 388 */ 389 390 char * 391 login_getpath(login_cap_t *lc, const char *cap, char * error) 392 { 393 char *str; 394 395 if ((str = login_getcapstr(lc, (char*)cap, NULL, NULL)) == NULL) 396 str = error; 397 else { 398 char *ptr = str; 399 400 while (*ptr) { 401 int count = strcspn(ptr, ", \t"); 402 ptr += count; 403 if (*ptr) 404 *ptr++ = ':'; 405 } 406 } 407 return str; 408 } 409 410 411 static int 412 isinfinite(const char *s) 413 { 414 static const char *infs[] = { 415 "infinity", 416 "inf", 417 "unlimited", 418 "unlimit", 419 "-1", 420 NULL 421 }; 422 const char **i = &infs[0]; 423 424 while (*i != NULL) { 425 if (strcasecmp(s, *i) == 0) 426 return 1; 427 ++i; 428 } 429 return 0; 430 } 431 432 433 static u_quad_t 434 rmultiply(u_quad_t n1, u_quad_t n2) 435 { 436 u_quad_t m, r; 437 int b1, b2; 438 439 static int bpw = 0; 440 441 /* Handle simple cases */ 442 if (n1 == 0 || n2 == 0) 443 return 0; 444 if (n1 == 1) 445 return n2; 446 if (n2 == 1) 447 return n1; 448 449 /* 450 * sizeof() returns number of bytes needed for storage. 451 * This may be different from the actual number of useful bits. 452 */ 453 if (!bpw) { 454 bpw = sizeof(u_quad_t) * 8; 455 while (((u_quad_t)1 << (bpw-1)) == 0) 456 --bpw; 457 } 458 459 /* 460 * First check the magnitude of each number. If the sum of the 461 * magnatude is way to high, reject the number. (If this test 462 * is not done then the first multiply below may overflow.) 463 */ 464 for (b1 = bpw; (((u_quad_t)1 << (b1-1)) & n1) == 0; --b1) 465 ; 466 for (b2 = bpw; (((u_quad_t)1 << (b2-1)) & n2) == 0; --b2) 467 ; 468 if (b1 + b2 - 2 > bpw) { 469 errno = ERANGE; 470 return (UQUAD_MAX); 471 } 472 473 /* 474 * Decompose the multiplication to be: 475 * h1 = n1 & ~1 476 * h2 = n2 & ~1 477 * l1 = n1 & 1 478 * l2 = n2 & 1 479 * (h1 + l1) * (h2 + l2) 480 * (h1 * h2) + (h1 * l2) + (l1 * h2) + (l1 * l2) 481 * 482 * Since h1 && h2 do not have the low bit set, we can then say: 483 * 484 * (h1>>1 * h2>>1 * 4) + ... 485 * 486 * So if (h1>>1 * h2>>1) > (1<<(bpw - 2)) then the result will 487 * overflow. 488 * 489 * Finally, if MAX - ((h1 * l2) + (l1 * h2) + (l1 * l2)) < (h1*h2) 490 * then adding in residual amout will cause an overflow. 491 */ 492 493 m = (n1 >> 1) * (n2 >> 1); 494 if (m >= ((u_quad_t)1 << (bpw-2))) { 495 errno = ERANGE; 496 return (UQUAD_MAX); 497 } 498 m *= 4; 499 500 r = (n1 & n2 & 1) 501 + (n2 & 1) * (n1 & ~(u_quad_t)1) 502 + (n1 & 1) * (n2 & ~(u_quad_t)1); 503 504 if ((u_quad_t)(m + r) < m) { 505 errno = ERANGE; 506 return (UQUAD_MAX); 507 } 508 m += r; 509 510 return (m); 511 } 512 513 514 /* 515 * login_getcaptime() 516 * From the login_cap_t <lc>, get the capability <cap>, which is 517 * formatted as a time (e.g., "<cap>=10h3m2s"). If <cap> is not 518 * present in <lc>, return <def>; if there is an error of some kind, 519 * return <error>. 520 */ 521 522 rlim_t 523 login_getcaptime(login_cap_t *lc, const char *cap, rlim_t def, rlim_t error) 524 { 525 char *res, *ep, *oval; 526 int r; 527 rlim_t tot; 528 529 errno = 0; 530 if (lc == NULL || lc->lc_cap == NULL) 531 return def; 532 533 /* 534 * Look for <cap> in lc_cap. 535 * If it's not there (-1), return <def>. 536 * If there's an error, return <error>. 537 */ 538 539 if ((r = cgetstr(lc->lc_cap, (char *)cap, &res)) == -1) 540 return def; 541 else if (r < 0) { 542 errno = ERANGE; 543 return error; 544 } 545 546 /* "inf" and "infinity" are special cases */ 547 if (isinfinite(res)) 548 return RLIM_INFINITY; 549 550 /* 551 * Now go through the string, turning something like 1h2m3s into 552 * an integral value. Whee. 553 */ 554 555 errno = 0; 556 tot = 0; 557 oval = res; 558 while (*res) { 559 rlim_t tim = strtoq(res, &ep, 0); 560 rlim_t mult = 1; 561 562 if (ep == NULL || ep == res || errno != 0) { 563 invalid: 564 syslog(LOG_WARNING, "login_getcaptime: class '%s' bad value %s=%s", 565 lc->lc_class, cap, oval); 566 errno = ERANGE; 567 return error; 568 } 569 /* Look for suffixes */ 570 switch (*ep++) { 571 case 0: 572 ep--; 573 break; /* end of string */ 574 case 's': case 'S': /* seconds */ 575 break; 576 case 'm': case 'M': /* minutes */ 577 mult = 60; 578 break; 579 case 'h': case 'H': /* hours */ 580 mult = 60L * 60L; 581 break; 582 case 'd': case 'D': /* days */ 583 mult = 60L * 60L * 24L; 584 break; 585 case 'w': case 'W': /* weeks */ 586 mult = 60L * 60L * 24L * 7L; 587 break; 588 case 'y': case 'Y': /* 365-day years */ 589 mult = 60L * 60L * 24L * 365L; 590 break; 591 default: 592 goto invalid; 593 } 594 res = ep; 595 tot += rmultiply(tim, mult); 596 if (errno) 597 goto invalid; 598 } 599 600 return tot; 601 } 602 603 604 /* 605 * login_getcapnum() 606 * From the login_cap_t <lc>, extract the numerical value <cap>. 607 * If it is not present, return <def> for a default, and return 608 * <error> if there is an error. 609 * Like login_getcaptime(), only it only converts to a number, not 610 * to a time; "infinity" and "inf" are 'special.' 611 */ 612 613 rlim_t 614 login_getcapnum(login_cap_t *lc, const char *cap, rlim_t def, rlim_t error) 615 { 616 char *ep, *res; 617 int r; 618 rlim_t val; 619 620 if (lc == NULL || lc->lc_cap == NULL) 621 return def; 622 623 /* 624 * For BSDI compatibility, try for the tag=<val> first 625 */ 626 if ((r = cgetstr(lc->lc_cap, (char *)cap, &res)) == -1) { 627 long lval; 628 /* string capability not present, so try for tag#<val> as numeric */ 629 if ((r = cgetnum(lc->lc_cap, (char *)cap, &lval)) == -1) 630 return def; /* Not there, so return default */ 631 else if (r >= 0) 632 return (rlim_t)lval; 633 } 634 635 if (r < 0) { 636 errno = ERANGE; 637 return error; 638 } 639 640 if (isinfinite(res)) 641 return RLIM_INFINITY; 642 643 errno = 0; 644 val = strtoq(res, &ep, 0); 645 if (ep == NULL || ep == res || errno != 0) { 646 syslog(LOG_WARNING, "login_getcapnum: class '%s' bad value %s=%s", 647 lc->lc_class, cap, res); 648 errno = ERANGE; 649 return error; 650 } 651 652 return val; 653 } 654 655 656 657 /* 658 * login_getcapsize() 659 * From the login_cap_t <lc>, extract the capability <cap>, which is 660 * formatted as a size (e.g., "<cap>=10M"); it can also be "infinity". 661 * If not present, return <def>, or <error> if there is an error of 662 * some sort. 663 */ 664 665 rlim_t 666 login_getcapsize(login_cap_t *lc, const char *cap, rlim_t def, rlim_t error) 667 { 668 char *ep, *res, *oval; 669 int r; 670 rlim_t tot; 671 672 if (lc == NULL || lc->lc_cap == NULL) 673 return def; 674 675 if ((r = cgetstr(lc->lc_cap, (char *)cap, &res)) == -1) 676 return def; 677 else if (r < 0) { 678 errno = ERANGE; 679 return error; 680 } 681 682 if (isinfinite(res)) 683 return RLIM_INFINITY; 684 685 errno = 0; 686 tot = 0; 687 oval = res; 688 while (*res) { 689 rlim_t siz = strtoq(res, &ep, 0); 690 rlim_t mult = 1; 691 692 if (ep == NULL || ep == res || errno != 0) { 693 invalid: 694 syslog(LOG_WARNING, "login_getcapsize: class '%s' bad value %s=%s", 695 lc->lc_class, cap, oval); 696 errno = ERANGE; 697 return error; 698 } 699 switch (*ep++) { 700 case 0: /* end of string */ 701 ep--; 702 break; 703 case 'b': case 'B': /* 512-byte blocks */ 704 mult = 512; 705 break; 706 case 'k': case 'K': /* 1024-byte Kilobytes */ 707 mult = 1024; 708 break; 709 case 'm': case 'M': /* 1024-k kbytes */ 710 mult = 1024 * 1024; 711 break; 712 case 'g': case 'G': /* 1Gbyte */ 713 mult = 1024 * 1024 * 1024; 714 break; 715 case 't': case 'T': /* 1TBte */ 716 mult = 1024LL * 1024LL * 1024LL * 1024LL; 717 break; 718 default: 719 goto invalid; 720 } 721 res = ep; 722 tot += rmultiply(siz, mult); 723 if (errno) 724 goto invalid; 725 } 726 727 return tot; 728 } 729 730 731 /* 732 * login_getcapbool() 733 * From the login_cap_t <lc>, check for the existance of the capability 734 * of <cap>. Return <def> if <lc>->lc_cap is NULL, otherwise return 735 * the whether or not <cap> exists there. 736 */ 737 738 int 739 login_getcapbool(login_cap_t *lc, const char *cap, int def) 740 { 741 if (lc == NULL || lc->lc_cap == NULL) 742 return def; 743 return (cgetcap(lc->lc_cap, (char *)cap, ':') != NULL); 744 } 745 746 747 /* 748 * login_getstyle() 749 * Given a login_cap entry <lc>, and optionally a type of auth <auth>, 750 * and optionally a style <style>, find the style that best suits these 751 * rules: 752 * 1. If <auth> is non-null, look for an "auth-<auth>=" string 753 * in the capability; if not present, default to "auth=". 754 * 2. If there is no auth list found from (1), default to 755 * "passwd" as an authorization list. 756 * 3. If <style> is non-null, look for <style> in the list of 757 * authorization methods found from (2); if <style> is NULL, default 758 * to LOGIN_DEFSTYLE ("passwd"). 759 * 4. If the chosen style is found in the chosen list of authorization 760 * methods, return that; otherwise, return NULL. 761 * E.g.: 762 * login_getstyle(lc, NULL, "ftp"); 763 * login_getstyle(lc, "login", NULL); 764 * login_getstyle(lc, "skey", "network"); 765 */ 766 767 char * 768 login_getstyle(login_cap_t *lc, char *style, const char *auth) 769 { 770 int i; 771 char **authtypes = NULL; 772 char *auths= NULL; 773 char realauth[64]; 774 775 static char *defauthtypes[] = { LOGIN_DEFSTYLE, NULL }; 776 777 if (auth != NULL && *auth != '\0') { 778 if (snprintf(realauth, sizeof realauth, "auth-%s", auth) < sizeof realauth) 779 authtypes = login_getcaplist(lc, realauth, NULL); 780 } 781 782 if (authtypes == NULL) 783 authtypes = login_getcaplist(lc, "auth", NULL); 784 785 if (authtypes == NULL) 786 authtypes = defauthtypes; 787 788 /* 789 * We have at least one authtype now; auths is a comma-separated 790 * (or space-separated) list of authentication types. We have to 791 * convert from this to an array of char*'s; authtypes then gets this. 792 */ 793 i = 0; 794 if (style != NULL && *style != '\0') { 795 while (authtypes[i] != NULL && strcmp(style, authtypes[i]) != 0) 796 i++; 797 } 798 799 lc->lc_style = NULL; 800 if (authtypes[i] != NULL && (auths = strdup(authtypes[i])) != NULL) 801 lc->lc_style = auths; 802 803 if (lc->lc_style != NULL) 804 lc->lc_style = strdup(lc->lc_style); 805 806 return lc->lc_style; 807 } 808