1 /************************************************************************ 2 * Copyright 1995 by Wietse Venema. All rights reserved. Some individual 3 * files may be covered by other copyrights. 4 * 5 * This material was originally written and compiled by Wietse Venema at 6 * Eindhoven University of Technology, The Netherlands, in 1990, 1991, 7 * 1992, 1993, 1994 and 1995. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that this entire copyright notice 11 * is duplicated in all such copies. 12 * 13 * This software is provided "as is" and without any expressed or implied 14 * warranties, including, without limitation, the implied warranties of 15 * merchantibility and fitness for any particular purpose. 16 ************************************************************************/ 17 /* 18 * This module implements a simple but effective form of login access 19 * control based on login names and on host (or domain) names, internet 20 * addresses (or network numbers), or on terminal line names in case of 21 * non-networked logins. Diagnostics are reported through syslog(3). 22 * 23 * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands. 24 */ 25 26 #include "login_locl.h" 27 28 RCSID("$Id$"); 29 30 /* Delimiters for fields and for lists of users, ttys or hosts. */ 31 32 static char fs[] = ":"; /* field separator */ 33 static char sep[] = ", \t"; /* list-element separator */ 34 35 /* Constants to be used in assignments only, not in comparisons... */ 36 37 #define YES 1 38 #define NO 0 39 40 /* 41 * A structure to bundle up all login-related information to keep the 42 * functional interfaces as generic as possible. 43 */ 44 struct login_info { 45 struct passwd *user; 46 char *from; 47 }; 48 49 static int list_match(char *list, struct login_info *item, 50 int (*match_fn)(char *, struct login_info *)); 51 static int user_match(char *tok, struct login_info *item); 52 static int from_match(char *tok, struct login_info *item); 53 static int string_match(char *tok, char *string); 54 55 /* login_access - match username/group and host/tty with access control file */ 56 57 int login_access(struct passwd *user, char *from) 58 { 59 struct login_info item; 60 FILE *fp; 61 char line[BUFSIZ]; 62 char *perm; /* becomes permission field */ 63 char *users; /* becomes list of login names */ 64 char *froms; /* becomes list of terminals or hosts */ 65 int match = NO; 66 int end; 67 int lineno = 0; /* for diagnostics */ 68 char *foo; 69 70 /* 71 * Bundle up the arguments to avoid unnecessary clumsiness lateron. 72 */ 73 item.user = user; 74 item.from = from; 75 76 /* 77 * Process the table one line at a time and stop at the first match. 78 * Blank lines and lines that begin with a '#' character are ignored. 79 * Non-comment lines are broken at the ':' character. All fields are 80 * mandatory. The first field should be a "+" or "-" character. A 81 * non-existing table means no access control. 82 */ 83 84 if ((fp = fopen(_PATH_LOGACCESS, "r")) != 0) { 85 while (!match && fgets(line, sizeof(line), fp)) { 86 lineno++; 87 if (line[end = strlen(line) - 1] != '\n') { 88 syslog(LOG_ERR, "%s: line %d: missing newline or line too long", 89 _PATH_LOGACCESS, lineno); 90 continue; 91 } 92 if (line[0] == '#') 93 continue; /* comment line */ 94 while (end > 0 && isspace((unsigned char)line[end - 1])) 95 end--; 96 line[end] = 0; /* strip trailing whitespace */ 97 if (line[0] == 0) /* skip blank lines */ 98 continue; 99 foo = NULL; 100 if (!(perm = strtok_r(line, fs, &foo)) 101 || !(users = strtok_r(NULL, fs, &foo)) 102 || !(froms = strtok_r(NULL, fs, &foo)) 103 || strtok_r(NULL, fs, &foo)) { 104 syslog(LOG_ERR, "%s: line %d: bad field count", 105 _PATH_LOGACCESS, 106 lineno); 107 continue; 108 } 109 if (perm[0] != '+' && perm[0] != '-') { 110 syslog(LOG_ERR, "%s: line %d: bad first field", 111 _PATH_LOGACCESS, 112 lineno); 113 continue; 114 } 115 match = (list_match(froms, &item, from_match) 116 && list_match(users, &item, user_match)); 117 } 118 fclose(fp); 119 } else if (errno != ENOENT) { 120 syslog(LOG_ERR, "cannot open %s: %m", _PATH_LOGACCESS); 121 } 122 return (match == 0 || (line[0] == '+')); 123 } 124 125 /* list_match - match an item against a list of tokens with exceptions */ 126 127 static int 128 list_match(char *list, 129 struct login_info *item, 130 int (*match_fn)(char *, struct login_info *)) 131 { 132 char *tok; 133 int match = NO; 134 char *foo = NULL; 135 136 /* 137 * Process tokens one at a time. We have exhausted all possible matches 138 * when we reach an "EXCEPT" token or the end of the list. If we do find 139 * a match, look for an "EXCEPT" list and recurse to determine whether 140 * the match is affected by any exceptions. 141 */ 142 143 for (tok = strtok_r(list, sep, &foo); 144 tok != NULL; 145 tok = strtok_r(NULL, sep, &foo)) { 146 if (strcasecmp(tok, "EXCEPT") == 0) /* EXCEPT: give up */ 147 break; 148 if ((match = (*match_fn) (tok, item)) != 0) /* YES */ 149 break; 150 } 151 /* Process exceptions to matches. */ 152 153 if (match != NO) { 154 while ((tok = strtok_r(NULL, sep, &foo)) && strcasecmp(tok, "EXCEPT")) 155 /* VOID */ ; 156 if (tok == 0 || list_match(NULL, item, match_fn) == NO) 157 return (match); 158 } 159 return (NO); 160 } 161 162 /* myhostname - figure out local machine name */ 163 164 static char *myhostname(void) 165 { 166 static char name[MAXHOSTNAMELEN + 1] = ""; 167 168 if (name[0] == 0) { 169 gethostname(name, sizeof(name)); 170 name[MAXHOSTNAMELEN] = 0; 171 } 172 return (name); 173 } 174 175 /* netgroup_match - match group against machine or user */ 176 177 static int netgroup_match(char *group, char *machine, char *user) 178 { 179 #ifdef HAVE_YP_GET_DEFAULT_DOMAIN 180 static char *mydomain = 0; 181 182 if (mydomain == 0) 183 yp_get_default_domain(&mydomain); 184 return (innetgr(group, machine, user, mydomain)); 185 #else 186 syslog(LOG_ERR, "NIS netgroup support not configured"); 187 return 0; 188 #endif 189 } 190 191 /* user_match - match a username against one token */ 192 193 static int user_match(char *tok, struct login_info *item) 194 { 195 char *string = item->user->pw_name; 196 struct login_info fake_item; 197 struct group *group; 198 int i; 199 char *at; 200 201 /* 202 * If a token has the magic value "ALL" the match always succeeds. 203 * Otherwise, return YES if the token fully matches the username, if the 204 * token is a group that contains the username, or if the token is the 205 * name of the user's primary group. 206 */ 207 208 if ((at = strchr(tok + 1, '@')) != 0) { /* split user@host pattern */ 209 *at = 0; 210 fake_item.from = myhostname(); 211 return (user_match(tok, item) && from_match(at + 1, &fake_item)); 212 } else if (tok[0] == '@') { /* netgroup */ 213 return (netgroup_match(tok + 1, (char *) 0, string)); 214 } else if (string_match(tok, string)) { /* ALL or exact match */ 215 return (YES); 216 } else if ((group = getgrnam(tok)) != 0) { /* try group membership */ 217 if (item->user->pw_gid == group->gr_gid) 218 return (YES); 219 for (i = 0; group->gr_mem[i]; i++) 220 if (strcasecmp(string, group->gr_mem[i]) == 0) 221 return (YES); 222 } 223 return (NO); 224 } 225 226 /* from_match - match a host or tty against a list of tokens */ 227 228 static int from_match(char *tok, struct login_info *item) 229 { 230 char *string = item->from; 231 int tok_len; 232 int str_len; 233 234 /* 235 * If a token has the magic value "ALL" the match always succeeds. Return 236 * YES if the token fully matches the string. If the token is a domain 237 * name, return YES if it matches the last fields of the string. If the 238 * token has the magic value "LOCAL", return YES if the string does not 239 * contain a "." character. If the token is a network number, return YES 240 * if it matches the head of the string. 241 */ 242 243 if (tok[0] == '@') { /* netgroup */ 244 return (netgroup_match(tok + 1, string, (char *) 0)); 245 } else if (string_match(tok, string)) { /* ALL or exact match */ 246 return (YES); 247 } else if (tok[0] == '.') { /* domain: match last fields */ 248 if ((str_len = strlen(string)) > (tok_len = strlen(tok)) 249 && strcasecmp(tok, string + str_len - tok_len) == 0) 250 return (YES); 251 } else if (strcasecmp(tok, "LOCAL") == 0) { /* local: no dots */ 252 if (strchr(string, '.') == 0) 253 return (YES); 254 } else if (tok[(tok_len = strlen(tok)) - 1] == '.' /* network */ 255 && strncmp(tok, string, tok_len) == 0) { 256 return (YES); 257 } 258 return (NO); 259 } 260 261 /* string_match - match a string against one token */ 262 263 static int string_match(char *tok, char *string) 264 { 265 266 /* 267 * If the token has the magic value "ALL" the match always succeeds. 268 * Otherwise, return YES if the token fully matches the string. 269 */ 270 271 if (strcasecmp(tok, "ALL") == 0) { /* all: always matches */ 272 return (YES); 273 } else if (strcasecmp(tok, string) == 0) { /* try exact match */ 274 return (YES); 275 } 276 return (NO); 277 } 278