2 * Copyright (c) 1996 by
3 * Sean Eric Fagan <sef@kithrup.com>
4 * David Nugent <davidn@blaze.net.au>
7 * Portions copyright (c) 1995,1997
8 * Berkeley Software Design, Inc.
11 * Redistribution and use in source and binary forms, with or without
12 * modification, is permitted provided that the following conditions
14 * 1. Redistributions of source code must retain the above copyright
15 * notice immediately at the beginning of the file, without modification,
16 * this list of conditions, and the following disclaimer.
17 * 2. Redistributions in binary form must reproduce the above copyright
18 * notice, this list of conditions and the following disclaimer in the
19 * documentation and/or other materials provided with the distribution.
20 * 3. This work was done expressly for inclusion into FreeBSD. Other use
21 * is permitted provided this notation is included.
22 * 4. Absolutely no warranty of function or purpose is made by the authors.
23 * 5. Modifications may be freely made to this file providing the above
26 * Low-level routines relating to the user capabilities database
29 #include <sys/cdefs.h>
30 #include <sys/types.h>
32 #include <sys/resource.h>
33 #include <sys/param.h>
37 #include <login_cap.h>
47 * Manage a single static pointer for handling a local char* buffer,
48 * resizing as necessary to contain the string.
51 * Manage a static array for handling a group of strings, resizing
55 static int lc_object_count = 0;
57 static size_t internal_stringsz = 0;
58 static char * internal_string = NULL;
59 static size_t internal_arraysz = 0;
60 static const char ** internal_array = NULL;
62 static char path_login_conf[] = _PATH_LOGIN_CONF;
65 allocstr(const char *str)
69 size_t sz = strlen(str) + 1; /* realloc() only if necessary */
70 if (sz <= internal_stringsz)
71 p = strcpy(internal_string, str);
72 else if ((p = realloc(internal_string, sz)) != NULL) {
73 internal_stringsz = sz;
74 internal_string = strcpy(p, str);
83 static const char **p;
85 if (sz <= internal_arraysz)
87 else if ((p = reallocarray(internal_array, sz, sizeof(char*))) != NULL) {
88 internal_arraysz = sz;
96 * This is a variant of strcspn, which checks for quoted
98 * strcspn_quote("how 'now, brown' cow", ",", NULL);
99 * will return the index for the nul, rather than the comma, because
100 * the string is quoted. It does not handle escaped characters
104 strcspn_quote(const char *str, const char *exclude, int *is_quoted)
115 for (indx = 0; str[indx] != 0; indx++) {
116 if (quote && str[indx] == quote) {
123 (str[indx] == '\'' || str[indx] == '"')) {
128 strchr(exclude, str[indx]) != NULL)
135 * Remove quotes from the given string.
136 * It's a very simplistic approach: the first
137 * single or double quote it finds, it looks for
138 * the next one, and if it finds it, moves the
139 * entire string backwards in two chunks
140 * (first quote + 1 to first quote, length
141 * rest of string, and then second quote + 1
142 * to second quote, length rest of the string).
145 remove_quotes(char *str)
147 static const char *quote_chars = "'\"";
156 * If qc is 0, then we haven't found
157 * a quote yet, so do a strcspn search.
161 indx = strcspn(str, quote_chars);
162 if (str[indx] == '\0')
163 return; /* We're done */
168 * We've found a quote character,
169 * so use strchr to find the next one.
171 loc = strchr(str, qc);
178 * This gives us the location of the
179 * quoted character. We need to move
180 * the entire string down, from loc+1
183 size_t len = strlen(loc + 1) + 1;
184 memmove(loc, loc + 1, len);
187 } while (found != 0);
192 * Turn a simple string <str> separated by any of
193 * the set of <chars> into an array. The last element
194 * of the array will be NULL, as is proper.
195 * Free using freearraystr()
199 arrayize(const char *str, const char *chars, int *size)
204 const char **res = NULL;
206 /* count the sub-strings */
207 for (i = 0, cptr = str; *cptr; i++) {
208 int count = strcspn_quote(cptr, chars, NULL);
214 /* alloc the array */
215 if ((ptr = allocstr(str)) != NULL) {
216 if ((res = allocarray(++i)) == NULL)
217 free((void *)(uintptr_t)(const void *)str);
219 /* now split the string */
223 int count = strcspn_quote(ptr, chars, "ed);
230 * If the string contains a quoted element, we
231 * need to remove the quotes.
251 * Frees up all resources relating to a login class
256 login_close(login_cap_t * lc)
263 if (--lc_object_count == 0) {
264 free(internal_string);
265 free(internal_array);
266 internal_array = NULL;
267 internal_arraysz = 0;
268 internal_string = NULL;
269 internal_stringsz = 0;
277 * login_getclassbyname()
278 * Get the login class by its name.
279 * If the name given is NULL or empty, the default class
280 * LOGIN_DEFCLASS (i.e., "default") is fetched.
281 * If the name given is LOGIN_MECLASS and
282 * 'pwd' argument is non-NULL and contains an non-NULL
283 * dir entry, then the file _FILE_LOGIN_CONF is picked
284 * up from that directory and used before the system
285 * login database. In that case the system login database
286 * is looked up using LOGIN_MECLASS, too, which is a bug.
287 * Return a filled-out login_cap_t structure, including
288 * class name, and the capability record buffer.
292 login_getclassbyname(char const *name, const struct passwd *pwd)
296 if ((lc = calloc(1, sizeof(login_cap_t))) != NULL) {
300 const char *msg = NULL;
302 char userpath[MAXPATHLEN];
304 static char *login_dbarray[] = { NULL, NULL, NULL };
306 me = (name != NULL && strcmp(name, LOGIN_MECLASS) == 0);
307 dir = (!me || pwd == NULL) ? NULL : pwd->pw_dir;
309 * Switch to user mode before checking/reading its ~/.login_conf
310 * - some NFSes have root read access disabled.
312 * XXX: This fails to configure additional groups.
317 (void)setegid(pwd->pw_gid);
318 (void)seteuid(pwd->pw_uid);
321 if (dir && snprintf(userpath, MAXPATHLEN, "%s/%s", dir,
322 _FILE_LOGIN_CONF) < MAXPATHLEN) {
323 if (_secure_path(userpath, pwd->pw_uid, pwd->pw_gid) != -1)
324 login_dbarray[i++] = userpath;
327 * XXX: Why to add the system database if the class is `me'?
329 if (_secure_path(path_login_conf, 0, 0) != -1)
330 login_dbarray[i++] = path_login_conf;
331 login_dbarray[i] = NULL;
333 if (name == NULL || *name == '\0')
334 name = LOGIN_DEFCLASS;
336 switch (cgetent(&lc->lc_cap, login_dbarray, name)) {
337 case -1: /* Failed, entry does not exist */
339 break; /* Don't retry default on 'me' */
342 else if ((r = open(login_dbarray[0], O_RDONLY | O_CLOEXEC)) >= 0)
345 * If there's at least one login class database,
346 * and we aren't searching for a default class
347 * then complain about a non-existent class.
349 if (r >= 0 || strcmp(name, LOGIN_DEFCLASS) != 0)
350 syslog(LOG_ERR, "login_getclass: unknown class '%s'", name);
351 /* fall-back to default class */
352 name = LOGIN_DEFCLASS;
353 msg = "%s: no default/fallback class '%s'";
354 if (cgetent(&lc->lc_cap, login_dbarray, name) != 0 && r >= 0)
356 /* FALLTHROUGH - just return system defaults */
357 case 0: /* success! */
358 if ((lc->lc_class = strdup(name)) != NULL) {
366 msg = "%s: strdup: %m";
369 msg = "%s: retrieving class information: %m";
372 msg = "%s: 'tc=' reference loop '%s'";
375 msg = "couldn't resolve 'tc=' reference in '%s'";
378 msg = "%s: unexpected cgetent() error '%s': %m";
386 syslog(LOG_ERR, msg, "login_getclass", name);
397 * Get the login class for the system (only) login class database.
398 * Return a filled-out login_cap_t structure, including
399 * class name, and the capability record buffer.
403 login_getclass(const char *cls)
405 return login_getclassbyname(cls, NULL);
411 * Get the login class for a given password entry from
412 * the system (only) login class database.
413 * If the password entry's class field is not set, or
414 * the class specified does not exist, then use the
415 * default of LOGIN_DEFCLASS (i.e., "default") for an unprivileged
416 * user or that of LOGIN_DEFROOTCLASS (i.e., "root") for a super-user.
417 * Return a filled-out login_cap_t structure, including
418 * class name, and the capability record buffer.
422 login_getpwclass(const struct passwd *pwd)
424 const char *cls = NULL;
428 if (cls == NULL || *cls == '\0')
429 cls = (pwd->pw_uid == 0) ? LOGIN_DEFROOTCLASS : LOGIN_DEFCLASS;
432 * XXX: pwd should be unused by login_getclassbyname() unless cls is `me',
433 * so NULL can be passed instead of pwd for more safety.
435 return login_getclassbyname(cls, pwd);
440 * login_getuserclass()
441 * Get the `me' login class, allowing user overrides via ~/.login_conf.
442 * Note that user overrides are allowed only in the `me' class.
446 login_getuserclass(const struct passwd *pwd)
448 return login_getclassbyname(LOGIN_MECLASS, pwd);
454 * Given a login_cap entry, and a capability name, return the
455 * value defined for that capability, a default if not found, or
456 * an error string on error.
460 login_getcapstr(login_cap_t *lc, const char *cap, const char *def, const char *error)
465 if (lc == NULL || cap == NULL || lc->lc_cap == NULL || *cap == '\0')
468 if ((ret = cgetstr(lc->lc_cap, cap, &res)) == -1)
470 return (ret >= 0) ? res : error;
476 * Given a login_cap entry, and a capability name, return the
477 * value defined for that capability split into an array of
482 login_getcaplist(login_cap_t *lc, const char *cap, const char *chars)
488 if ((lstring = login_getcapstr(lc, cap, NULL, NULL)) != NULL)
489 return arrayize(lstring, chars, NULL);
496 * From the login_cap_t <lc>, get the capability <cap> which is
497 * formatted as either a space or comma delimited list of paths
498 * and append them all into a string and separate by semicolons.
499 * If there is an error of any kind, return <error>.
503 login_getpath(login_cap_t *lc, const char *cap, const char *error)
509 str = login_getcapstr(lc, cap, NULL, NULL);
512 ptr = __DECONST(char *, str); /* XXXX Yes, very dodgy */
514 count = strcspn(ptr, ", \t");
524 isinfinite(const char *s)
526 static const char *infs[] = {
534 const char **i = &infs[0];
537 if (strcasecmp(s, *i) == 0)
546 rmultiply(u_quad_t n1, u_quad_t n2)
553 /* Handle simple cases */
554 if (n1 == 0 || n2 == 0)
562 * sizeof() returns number of bytes needed for storage.
563 * This may be different from the actual number of useful bits.
566 bpw = sizeof(u_quad_t) * 8;
567 while (((u_quad_t)1 << (bpw-1)) == 0)
572 * First check the magnitude of each number. If the sum of the
573 * magnatude is way to high, reject the number. (If this test
574 * is not done then the first multiply below may overflow.)
576 for (b1 = bpw; (((u_quad_t)1 << (b1-1)) & n1) == 0; --b1)
578 for (b2 = bpw; (((u_quad_t)1 << (b2-1)) & n2) == 0; --b2)
580 if (b1 + b2 - 2 > bpw) {
586 * Decompose the multiplication to be:
591 * (h1 + l1) * (h2 + l2)
592 * (h1 * h2) + (h1 * l2) + (l1 * h2) + (l1 * l2)
594 * Since h1 && h2 do not have the low bit set, we can then say:
596 * (h1>>1 * h2>>1 * 4) + ...
598 * So if (h1>>1 * h2>>1) > (1<<(bpw - 2)) then the result will
601 * Finally, if MAX - ((h1 * l2) + (l1 * h2) + (l1 * l2)) < (h1*h2)
602 * then adding in residual amout will cause an overflow.
605 m = (n1 >> 1) * (n2 >> 1);
606 if (m >= ((u_quad_t)1 << (bpw-2))) {
613 + (n2 & 1) * (n1 & ~(u_quad_t)1)
614 + (n1 & 1) * (n2 & ~(u_quad_t)1);
616 if ((u_quad_t)(m + r) < m) {
628 * From the login_cap_t <lc>, get the capability <cap>, which is
629 * formatted as a time (e.g., "<cap>=10h3m2s"). If <cap> is not
630 * present in <lc>, return <def>; if there is an error of some kind,
635 login_getcaptime(login_cap_t *lc, const char *cap, rlim_t def, rlim_t error)
637 char *res, *ep, *oval;
642 if (lc == NULL || lc->lc_cap == NULL)
646 * Look for <cap> in lc_cap.
647 * If it's not there (-1), return <def>.
648 * If there's an error, return <error>.
651 if ((r = cgetstr(lc->lc_cap, cap, &res)) == -1)
658 /* "inf" and "infinity" are special cases */
660 return RLIM_INFINITY;
663 * Now go through the string, turning something like 1h2m3s into
664 * an integral value. Whee.
671 rlim_t tim = strtoq(res, &ep, 0);
674 if (ep == NULL || ep == res || errno != 0) {
676 syslog(LOG_WARNING, "login_getcaptime: class '%s' bad value %s=%s",
677 lc->lc_class, cap, oval);
681 /* Look for suffixes */
685 break; /* end of string */
686 case 's': case 'S': /* seconds */
688 case 'm': case 'M': /* minutes */
691 case 'h': case 'H': /* hours */
694 case 'd': case 'D': /* days */
695 mult = 60L * 60L * 24L;
697 case 'w': case 'W': /* weeks */
698 mult = 60L * 60L * 24L * 7L;
700 case 'y': case 'Y': /* 365-day years */
701 mult = 60L * 60L * 24L * 365L;
707 tot += rmultiply(tim, mult);
718 * From the login_cap_t <lc>, extract the numerical value <cap>.
719 * If it is not present, return <def> for a default, and return
720 * <error> if there is an error.
721 * Like login_getcaptime(), only it only converts to a number, not
722 * to a time; "infinity" and "inf" are 'special.'
726 login_getcapnum(login_cap_t *lc, const char *cap, rlim_t def, rlim_t error)
732 if (lc == NULL || lc->lc_cap == NULL)
736 * For BSDI compatibility, try for the tag=<val> first
738 if ((r = cgetstr(lc->lc_cap, cap, &res)) == -1) {
740 /* string capability not present, so try for tag#<val> as numeric */
741 if ((r = cgetnum(lc->lc_cap, cap, &lval)) == -1)
742 return def; /* Not there, so return default */
753 return RLIM_INFINITY;
756 val = strtoq(res, &ep, 0);
757 if (ep == NULL || ep == res || errno != 0) {
758 syslog(LOG_WARNING, "login_getcapnum: class '%s' bad value %s=%s",
759 lc->lc_class, cap, res);
771 * From the login_cap_t <lc>, extract the capability <cap>, which is
772 * formatted as a size (e.g., "<cap>=10M"); it can also be "infinity".
773 * If not present, return <def>, or <error> if there is an error of
778 login_getcapsize(login_cap_t *lc, const char *cap, rlim_t def, rlim_t error)
780 char *ep, *res, *oval;
784 if (lc == NULL || lc->lc_cap == NULL)
787 if ((r = cgetstr(lc->lc_cap, cap, &res)) == -1)
795 return RLIM_INFINITY;
801 rlim_t siz = strtoq(res, &ep, 0);
804 if (ep == NULL || ep == res || errno != 0) {
806 syslog(LOG_WARNING, "login_getcapsize: class '%s' bad value %s=%s",
807 lc->lc_class, cap, oval);
812 case 0: /* end of string */
815 case 'b': case 'B': /* 512-byte blocks */
818 case 'k': case 'K': /* 1024-byte Kilobytes */
821 case 'm': case 'M': /* 1024-k kbytes */
824 case 'g': case 'G': /* 1Gbyte */
825 mult = 1024 * 1024 * 1024;
827 case 't': case 'T': /* 1TBte */
828 mult = 1024LL * 1024LL * 1024LL * 1024LL;
834 tot += rmultiply(siz, mult);
845 * From the login_cap_t <lc>, check for the existence of the capability
846 * of <cap>. Return <def> if <lc>->lc_cap is NULL, otherwise return
847 * the whether or not <cap> exists there.
851 login_getcapbool(login_cap_t *lc, const char *cap, int def)
853 if (lc == NULL || lc->lc_cap == NULL)
855 return (cgetcap(lc->lc_cap, cap, ':') != NULL);
861 * Given a login_cap entry <lc>, and optionally a type of auth <auth>,
862 * and optionally a style <style>, find the style that best suits these
864 * 1. If <auth> is non-null, look for an "auth-<auth>=" string
865 * in the capability; if not present, default to "auth=".
866 * 2. If there is no auth list found from (1), default to
867 * "passwd" as an authorization list.
868 * 3. If <style> is non-null, look for <style> in the list of
869 * authorization methods found from (2); if <style> is NULL, default
870 * to LOGIN_DEFSTYLE ("passwd").
871 * 4. If the chosen style is found in the chosen list of authorization
872 * methods, return that; otherwise, return NULL.
874 * login_getstyle(lc, NULL, "ftp");
875 * login_getstyle(lc, "login", NULL);
876 * login_getstyle(lc, "skey", "network");
880 login_getstyle(login_cap_t *lc, const char *style, const char *auth)
883 const char **authtypes = NULL;
887 static const char *defauthtypes[] = { LOGIN_DEFSTYLE, NULL };
889 if (auth != NULL && *auth != '\0') {
890 if (snprintf(realauth, sizeof realauth, "auth-%s", auth) < (int)sizeof(realauth))
891 authtypes = login_getcaplist(lc, realauth, NULL);
894 if (authtypes == NULL)
895 authtypes = login_getcaplist(lc, "auth", NULL);
897 if (authtypes == NULL)
898 authtypes = defauthtypes;
901 * We have at least one authtype now; auths is a comma-separated
902 * (or space-separated) list of authentication types. We have to
903 * convert from this to an array of char*'s; authtypes then gets this.
906 if (style != NULL && *style != '\0') {
907 while (authtypes[i] != NULL && strcmp(style, authtypes[i]) != 0)
912 if (authtypes[i] != NULL && (auths = strdup(authtypes[i])) != NULL)
913 lc->lc_style = auths;
915 if (lc->lc_style != NULL)
916 lc->lc_style = strdup(lc->lc_style);