author | David Nugent <davidn@FreeBSD.org> | 1997-01-04 16:50:08 +0000 |
---|---|---|
committer | David Nugent <davidn@FreeBSD.org> | 1997-01-04 16:50:08 +0000 |
commit | 68bbf3adb0b5def46b5174261657b038543972e3 (patch) | |
tree | aa04c54fb028c62bb1d96580ed4783ff2af6df69 /lib/libutil/login_ok.c | |
parent | a87a87a21c5ccd50a0f8d5b316341b79ee022202 (diff) | |
Library functions relating to the login class capabilities database,
including manpages.
See also login_cap.h.
Notes
Notes:
svn path=/head/; revision=21288
Diffstat (limited to 'lib/libutil/login_ok.c')
-rw-r--r-- | lib/libutil/login_ok.c | 242 |
1 files changed, 242 insertions, 0 deletions
diff --git a/lib/libutil/login_ok.c b/lib/libutil/login_ok.c
new file mode 100644
index 000000000000..cf778dab43ec
--- /dev/null
+++ b/lib/libutil/login_ok.c
@@ -0,0 +1,242 @@
+/*-
+ * Copyright (c) 1996 by
+ * David Nugent <davidn@blaze.net.au>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, is permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice immediately at the beginning of the file, without modification,
+ * this list of conditions, and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. This work was done expressly for inclusion into FreeBSD. Other use
+ * is permitted provided this notation is included.
+ * 4. Absolutely no warranty of function or purpose is made by the authors.
+ * 5. Modifications may be freely made to this file providing the above
+ * conditions are met.
+ *
+ * Support allow/deny lists in login class capabilities
+ *
+ * $Id$
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <unistd.h>
+#include <ttyent.h>
+#include <fnmatch.h>
+
+#include <sys/types.h>
+#include <sys/time.h>
+#include <sys/resource.h>
+#include <sys/param.h>
+#include <login_cap.h>
+
+
+/* -- support functions -- */
+
+/* login_strinlist()
+ * This function is intentionally public - reused by TAS.
+ * Returns TRUE (non-zero) if a string matches a pattern
+ * in a given array of patterns. 'flags' is passed directly
+ * to fnmatch(3).
+ */
+
+int
+login_strinlist(char **list, char const *str, int flags)
+{
+ int rc = 0;
+
+ if (str != NULL && *str != '\0')
+ {
+ int i = 0;
+ while (rc == 0 && list[i] != NULL)
+ rc = fnmatch(list[i], str, flags) == 0;
+ }
+ return rc;
+}
+
+
+/* login_str2inlist()
+ * Locate either or two strings in a given list
+ */
+
+int
+login_str2inlist(char **ttlst, const char *str1, const char *str2, int flags)
+{
+ int rc = 0;
+
+ if (login_strinlist(ttlst, str1, flags))
+ rc = 1;
+ else if (login_strinlist(ttlst, str2, flags))
+ rc = 1;
+ return rc;
+}
+
+
+/* login_timelist()
+ * This function is intentinoally public - reused by TAS.
+ * Returns an allocated list of time periods given an array
+ * of time periods in ascii form.
+ */
+
+login_time_t *
+login_timelist(login_cap_t *lc, char const *cap, int *ltno, login_time_t **ltptr)
+{
+ int j = 0;
+ struct login_time * lt = NULL;
+ char **tl = login_getcaplist(lc, cap, NULL);
+
+ if (tl)
+ {
+ while (tl[j++] != NULL)
+ ;
+ if (*ltno >= j)
+ lt = *ltptr;
+ else if ((lt = realloc(*ltptr, j)) != NULL)
+ {
+ *ltno = j;
+ *ltptr = lt;
+ }
+ if (lt != NULL)
+ {
+ int i = 0;
+ --j;
+ while (i < j)
+ {
+ lt[i] = parse_lt(tl[i]);
+ ++i;
+ }
+ lt[i].lt_dow = LTM_NONE;
+ }
+ }
+ return lt;
+}
+
+
+/* login_ttyok()
+ * This function is a variation of auth_ttyok(), but it checks two
+ * arbitrary capability lists not necessarily related to access.
+ * This hook is provided for the accounted/exclude accounting lists.
+ */
+
+int
+login_ttyok(login_cap_t *lc, const char *tty, const char *allowcap, const char *denycap)
+{
+ int rc = 1;
+
+ if (lc != NULL && tty != NULL && *tty != '\0')
+ {
+ struct ttyent * te = getttynam(tty); /* Need group name */
+ char * grp = te ? te->ty_group : NULL;
+ char **ttl = login_getcaplist(lc, allowcap, NULL);
+
+ if (ttl != NULL && !login_str2inlist(ttl, tty, grp, 0))
+ rc = 0; /* tty or ttygroup not in allow list */
+ else
+ {
+ ttl = login_getcaplist(lc, denycap, NULL);
+ if (ttl != NULL && login_str2inlist(ttl, tty, grp, 0))
+ rc = 0; /* tty or ttygroup in deny list */
+ }
+ }
+ return rc;
+}
+
+
+/* auth_ttyok()
+ * Determine whether or not login on a tty is accessible for
+ * a login class
+ */
+
+int
+auth_ttyok(login_cap_t *lc, const char * tty)
+{
+ return login_ttyok(lc, tty, "ttys.allow", "ttys.deny");
+}
+
+
+/* login_hostok()
+ * This function is a variation of auth_hostok(), but it checks two
+ * arbitrary capability lists not necessarily related to access.
+ * This hook is provided for the accounted/exclude accounting lists.
+ */
+
+int
+login_hostok(login_cap_t *lc, const char *host, const char *ip, const char *allowcap, const char *denycap)
+{
+ int rc = 1; /* Default is ok */
+
+ if (lc != NULL && ((host != NULL && *host != '\0') || (ip != NULL && *ip != '\0')))
+ {
+ char **hl = login_getcaplist(lc, allowcap, NULL);
+
+ if (hl != NULL && !login_str2inlist(hl, host, ip, FNM_CASEFOLD))
+ rc = 0; /* host or IP not in allow list */
+ else
+ {
+ hl = login_getcaplist(lc, "host.deny", NULL);
+ if (hl != NULL && login_str2inlist(hl, host, ip, FNM_CASEFOLD))
+ rc = 0; /* host or IP in deny list */
+ }
+ }
+ return rc;
+}
+
+
+/* auth_hostok()
+ * Determine whether or not login from a host is ok
+ */
+
+int
+auth_hostok(login_cap_t *lc, const char *host, const char *ip)
+{
+ return login_hostok(lc, host, ip, "host.allow", "host.deny");
+}
+
+
+/* auth_timeok()
+ * Determine whether or not login is ok at a given time
+ */
+
+int
+auth_timeok(login_cap_t *lc, time_t t)
+{
+ int rc = 1; /* Default is ok */
+
+ if (lc != NULL && t != (time_t)0 && t != (time_t)-1)
+ {
+ struct tm * tptr = localtime(&t);
+
+ static int ltimesno = 0;
+ static struct login_time * ltimes = NULL;
+
+ if (tptr != NULL)
+ {
+ struct login_time *lt = login_timelist(lc, "times.allow", <imesno, <imes);
+
+ if (lt != NULL && in_ltms(lt, tptr, NULL) == -1)
+ rc = 0; /* not in allowed times list */
+ else
+ {
+ lt = login_timelist(lc, "times.deny", <imesno, <imes);
+
+ if (lt != NULL && in_ltms(lt, tptr, NULL) != -1)
+ rc = 0; /* in deny times list */
+ }
+ if (ltimes)
+ {
+ free(ltimes);
+ ltimes = NULL;
+ ltimesno = 0;
+ }
+ }
+ }
+ return rc;
+}
+ |
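Review bot: `realloc(*ltptr, j)` in login_timelist allocates j bytes, but the loop that follows stores j entries of `struct login_time` into the buffer (the last one being the `LTM_NONE` terminator), so any class with a times.allow or times.deny list writes past the end of the heap allocation; the size should be `realloc(*ltptr, j * sizeof *lt)`, which keeps `*ltno` a count of entries consistent with the `*ltno >= j` reuse check. login_strinlist never advances `i`, so `rc = fnmatch(list[i], str, flags) == 0;` re-tests the first pattern forever when it does not match; it should read `rc = fnmatch(list[i++], str, flags) == 0;`. login_hostok takes `denycap` but looks up the literal `"host.deny"`, so a caller passing another deny list gets the wrong one; the deny branch should be `hl = login_getcaplist(lc, denycap, NULL);` as login_ttyok does with its `denycap`. The `<imesno` and `<imes` arguments in auth_timeok look like `&ltimesno` and `&ltimes` mangled by the page rendering rather than the committed code, but that should be confirmed against the source.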