| 1 | /* Copyright (c) 1997-2016 Free Software Foundation, Inc. |
|---|---|
| 2 | This file is part of the GNU C Library. |
| 3 | Contributed by Thorsten Kukuk <kukuk@suse.de>, 1997. |
| 4 | |
| 5 | The GNU C Library is free software; you can redistribute it and/or |
| 6 | modify it under the terms of the GNU Lesser General Public |
| 7 | License as published by the Free Software Foundation; either |
| 8 | version 2.1 of the License, or (at your option) any later version. |
| 9 | |
| 10 | The GNU C Library is distributed in the hope that it will be useful, |
| 11 | but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
| 13 | Lesser General Public License for more details. |
| 14 | |
| 15 | You should have received a copy of the GNU Lesser General Public |
| 16 | License along with the GNU C Library; if not, see |
| 17 | <http://www.gnu.org/licenses/>. */ |
| 18 | |
| 19 | #include <nss.h> |
| 20 | #include <ctype.h> |
| 21 | #include <errno.h> |
| 22 | #include <stdio.h> |
| 23 | #include <string.h> |
| 24 | #include <libintl.h> |
| 25 | #include <syslog.h> |
| 26 | #include <rpc/rpc.h> |
| 27 | #include <rpcsvc/nis.h> |
| 28 | #include <rpc/key_prot.h> |
| 29 | extern int xdecrypt (char *, char *); |
| 30 | |
| 31 | #include <nss-nisplus.h> |
| 32 | |
| 33 | /* If we haven't found the entry, we give a SUCCESS and an empty key back. */ |
| 34 | enum nss_status |
| 35 | _nss_nisplus_getpublickey (const char *netname, char *pkey, int *errnop) |
| 36 | { |
| 37 | nis_result *res; |
| 38 | enum nss_status retval; |
| 39 | char buf[NIS_MAXNAMELEN + 2]; |
| 40 | size_t slen; |
| 41 | char *domain, *cptr; |
| 42 | int len; |
| 43 | |
| 44 | pkey[0] = 0; |
| 45 | |
| 46 | if (netname == NULL) |
| 47 | { |
| 48 | *errnop = EINVAL; |
| 49 | return NSS_STATUS_UNAVAIL; |
| 50 | } |
| 51 | |
| 52 | domain = strchr (netname, '@'); |
| 53 | if (!domain) |
| 54 | return NSS_STATUS_UNAVAIL; |
| 55 | domain++; |
| 56 | |
| 57 | slen = snprintf (buf, NIS_MAXNAMELEN, |
| 58 | "[auth_name=%s,auth_type=DES],cred.org_dir.%s", |
| 59 | netname, domain); |
| 60 | |
| 61 | if (slen >= NIS_MAXNAMELEN) |
| 62 | { |
| 63 | *errnop = EINVAL; |
| 64 | return NSS_STATUS_UNAVAIL; |
| 65 | } |
| 66 | |
| 67 | if (buf[slen - 1] != '.') |
| 68 | { |
| 69 | buf[slen++] = '.'; |
| 70 | buf[slen] = '\0'; |
| 71 | } |
| 72 | |
| 73 | res = nis_list (buf, USE_DGRAM+NO_AUTHINFO+FOLLOW_LINKS+FOLLOW_PATH, |
| 74 | NULL, NULL); |
| 75 | |
| 76 | if (res == NULL) |
| 77 | { |
| 78 | *errnop = ENOMEM; |
| 79 | return NSS_STATUS_TRYAGAIN; |
| 80 | } |
| 81 | retval = niserr2nss (res->status); |
| 82 | |
| 83 | if (retval != NSS_STATUS_SUCCESS) |
| 84 | { |
| 85 | if (retval == NSS_STATUS_TRYAGAIN) |
| 86 | *errnop = errno; |
| 87 | if (res->status == NIS_NOTFOUND) |
| 88 | retval = NSS_STATUS_SUCCESS; |
| 89 | nis_freeresult (res); |
| 90 | return retval; |
| 91 | } |
| 92 | |
| 93 | if (NIS_RES_NUMOBJ (res) > 1) |
| 94 | { |
| 95 | /* |
| 96 | * More than one principal with same uid? |
| 97 | * something wrong with cred table. Should be unique |
| 98 | * Warn user and continue. |
| 99 | */ |
| 100 | syslog (LOG_ERR, _("DES entry for netname %s not unique\n"), netname); |
| 101 | nis_freeresult (res); |
| 102 | return NSS_STATUS_SUCCESS; |
| 103 | } |
| 104 | |
| 105 | len = ENTRY_LEN (NIS_RES_OBJECT (res), 3); |
| 106 | memcpy (pkey, ENTRY_VAL (NIS_RES_OBJECT (res),3), len); |
| 107 | pkey[len] = 0; |
| 108 | cptr = strchr (pkey, ':'); |
| 109 | if (cptr) |
| 110 | cptr[0] = '\0'; |
| 111 | nis_freeresult (res); |
| 112 | |
| 113 | return NSS_STATUS_SUCCESS; |
| 114 | } |
| 115 | |
| 116 | |
| 117 | enum nss_status |
| 118 | _nss_nisplus_getsecretkey (const char *netname, char *skey, char *passwd, |
| 119 | int *errnop) |
| 120 | { |
| 121 | nis_result *res; |
| 122 | enum nss_status retval; |
| 123 | char buf[NIS_MAXNAMELEN + 2]; |
| 124 | size_t slen; |
| 125 | char *domain, *cptr; |
| 126 | int len; |
| 127 | |
| 128 | skey[0] = 0; |
| 129 | |
| 130 | if (netname == NULL) |
| 131 | { |
| 132 | *errnop = EINVAL; |
| 133 | return NSS_STATUS_UNAVAIL; |
| 134 | } |
| 135 | |
| 136 | domain = strchr (netname, '@'); |
| 137 | if (!domain) |
| 138 | return NSS_STATUS_UNAVAIL; |
| 139 | domain++; |
| 140 | |
| 141 | slen = snprintf (buf, NIS_MAXNAMELEN, |
| 142 | "[auth_name=%s,auth_type=DES],cred.org_dir.%s", |
| 143 | netname, domain); |
| 144 | |
| 145 | if (slen >= NIS_MAXNAMELEN) |
| 146 | { |
| 147 | *errnop = EINVAL; |
| 148 | return NSS_STATUS_UNAVAIL; |
| 149 | } |
| 150 | |
| 151 | if (buf[slen - 1] != '.') |
| 152 | { |
| 153 | buf[slen++] = '.'; |
| 154 | buf[slen] = '\0'; |
| 155 | } |
| 156 | |
| 157 | res = nis_list (buf, USE_DGRAM | NO_AUTHINFO | FOLLOW_LINKS | FOLLOW_PATH, |
| 158 | NULL, NULL); |
| 159 | |
| 160 | if (res == NULL) |
| 161 | { |
| 162 | *errnop = ENOMEM; |
| 163 | return NSS_STATUS_TRYAGAIN; |
| 164 | } |
| 165 | retval = niserr2nss (res->status); |
| 166 | |
| 167 | if (retval != NSS_STATUS_SUCCESS) |
| 168 | { |
| 169 | if (retval == NSS_STATUS_TRYAGAIN) |
| 170 | *errnop = errno; |
| 171 | nis_freeresult (res); |
| 172 | return retval; |
| 173 | } |
| 174 | |
| 175 | if (NIS_RES_NUMOBJ (res) > 1) |
| 176 | { |
| 177 | /* |
| 178 | * More than one principal with same uid? |
| 179 | * something wrong with cred table. Should be unique |
| 180 | * Warn user and continue. |
| 181 | */ |
| 182 | syslog (LOG_ERR, _("DES entry for netname %s not unique\n"), netname); |
| 183 | nis_freeresult (res); |
| 184 | return NSS_STATUS_SUCCESS; |
| 185 | } |
| 186 | |
| 187 | len = ENTRY_LEN (NIS_RES_OBJECT (res), 4); |
| 188 | memcpy (buf, ENTRY_VAL (NIS_RES_OBJECT (res), 4), len); |
| 189 | buf[len] = '\0'; |
| 190 | cptr = strchr (buf, ':'); |
| 191 | if (cptr) |
| 192 | cptr[0] = '\0'; |
| 193 | nis_freeresult (res); |
| 194 | |
| 195 | if (!xdecrypt (buf, passwd)) |
| 196 | return NSS_STATUS_SUCCESS; |
| 197 | |
| 198 | if (memcmp (buf, &(buf[HEXKEYBYTES]), KEYCHECKSUMSIZE) != 0) |
| 199 | return NSS_STATUS_SUCCESS; |
| 200 | |
| 201 | buf[HEXKEYBYTES] = 0; |
| 202 | strcpy (skey, buf); |
| 203 | |
| 204 | return NSS_STATUS_SUCCESS; |
| 205 | } |
| 206 | |
| 207 | |
| 208 | /* Parse information from the passed string. |
| 209 | The format of the string passed is gid,grp,grp, ... */ |
| 210 | static enum nss_status |
| 211 | parse_grp_str (const char *s, gid_t *gidp, int *gidlenp, gid_t *gidlist, |
| 212 | int *errnop) |
| 213 | { |
| 214 | char *ep; |
| 215 | int gidlen; |
| 216 | |
| 217 | if (!s || (!isdigit (*s))) |
| 218 | { |
| 219 | syslog (LOG_ERR, _("netname2user: missing group id list in `%s'"), s); |
| 220 | return NSS_STATUS_NOTFOUND; |
| 221 | } |
| 222 | |
| 223 | *gidp = strtoul (s, &ep, 10); |
| 224 | |
| 225 | gidlen = 0; |
| 226 | |
| 227 | /* After strtoul() ep should point to the marker ',', which means |
| 228 | here starts a new value. |
| 229 | |
| 230 | The Sun man pages show that GIDLIST should contain at least NGRPS |
| 231 | elements. Limiting the number written by this value is the best |
| 232 | we can do. */ |
| 233 | while (ep != NULL && *ep == ',' && gidlen < NGRPS) |
| 234 | { |
| 235 | ep++; |
| 236 | s = ep; |
| 237 | gidlist[gidlen++] = strtoul (s, &ep, 10); |
| 238 | } |
| 239 | *gidlenp = gidlen; |
| 240 | |
| 241 | return NSS_STATUS_SUCCESS; |
| 242 | } |
| 243 | |
| 244 | enum nss_status |
| 245 | _nss_nisplus_netname2user (char netname[MAXNETNAMELEN + 1], uid_t *uidp, |
| 246 | gid_t *gidp, int *gidlenp, gid_t *gidlist, int *errnop) |
| 247 | { |
| 248 | char *domain; |
| 249 | nis_result *res; |
| 250 | char sname[NIS_MAXNAMELEN + 2]; /* search criteria + table name */ |
| 251 | size_t slen; |
| 252 | char principal[NIS_MAXNAMELEN + 1]; |
| 253 | int len; |
| 254 | |
| 255 | /* 1. Get home domain of user. */ |
| 256 | domain = strchr (netname, '@'); |
| 257 | if (! domain) |
| 258 | return NSS_STATUS_UNAVAIL; |
| 259 | |
| 260 | ++domain; /* skip '@' */ |
| 261 | |
| 262 | /* 2. Get user's nisplus principal name. */ |
| 263 | slen = snprintf (sname, NIS_MAXNAMELEN, |
| 264 | "[auth_name=%s,auth_type=DES],cred.org_dir.%s", |
| 265 | netname, domain); |
| 266 | |
| 267 | if (slen >= NIS_MAXNAMELEN) |
| 268 | { |
| 269 | *errnop = EINVAL; |
| 270 | return NSS_STATUS_UNAVAIL; |
| 271 | } |
| 272 | |
| 273 | if (sname[slen - 1] != '.') |
| 274 | { |
| 275 | sname[slen++] = '.'; |
| 276 | sname[slen] = '\0'; |
| 277 | } |
| 278 | |
| 279 | /* must use authenticated call here */ |
| 280 | /* XXX but we cant, for now. XXX */ |
| 281 | res = nis_list (sname, USE_DGRAM+NO_AUTHINFO+FOLLOW_LINKS+FOLLOW_PATH, |
| 282 | NULL, NULL); |
| 283 | if (res == NULL) |
| 284 | { |
| 285 | *errnop = ENOMEM; |
| 286 | return NSS_STATUS_TRYAGAIN; |
| 287 | } |
| 288 | switch (res->status) |
| 289 | { |
| 290 | case NIS_SUCCESS: |
| 291 | case NIS_S_SUCCESS: |
| 292 | break; /* go and do something useful */ |
| 293 | case NIS_NOTFOUND: |
| 294 | case NIS_PARTIAL: |
| 295 | case NIS_NOSUCHNAME: |
| 296 | case NIS_NOSUCHTABLE: |
| 297 | nis_freeresult (res); |
| 298 | return NSS_STATUS_NOTFOUND; |
| 299 | case NIS_S_NOTFOUND: |
| 300 | case NIS_TRYAGAIN: |
| 301 | syslog (LOG_ERR, _("netname2user: (nis+ lookup): %s\n"), |
| 302 | nis_sperrno (res->status)); |
| 303 | nis_freeresult (res); |
| 304 | *errnop = errno; |
| 305 | return NSS_STATUS_TRYAGAIN; |
| 306 | default: |
| 307 | syslog (LOG_ERR, _("netname2user: (nis+ lookup): %s\n"), |
| 308 | nis_sperrno (res->status)); |
| 309 | nis_freeresult (res); |
| 310 | return NSS_STATUS_UNAVAIL; |
| 311 | } |
| 312 | |
| 313 | if (NIS_RES_NUMOBJ (res) > 1) |
| 314 | /* |
| 315 | * A netname belonging to more than one principal? |
| 316 | * Something wrong with cred table. should be unique. |
| 317 | * Warn user and continue. |
| 318 | */ |
| 319 | syslog (LOG_ALERT, |
| 320 | _("netname2user: DES entry for %s in directory %s not unique"), |
| 321 | netname, domain); |
| 322 | |
| 323 | len = ENTRY_LEN (NIS_RES_OBJECT (res), 0); |
| 324 | strncpy (principal, ENTRY_VAL (NIS_RES_OBJECT (res), 0), len); |
| 325 | principal[len] = '\0'; |
| 326 | nis_freeresult (res); |
| 327 | |
| 328 | if (principal[0] == '\0') |
| 329 | return NSS_STATUS_UNAVAIL; |
| 330 | |
| 331 | /* |
| 332 | * 3. Use principal name to look up uid/gid information in |
| 333 | * LOCAL entry in **local** cred table. |
| 334 | */ |
| 335 | domain = nis_local_directory (); |
| 336 | if (strlen (principal) + strlen (domain) + 45 > (size_t) NIS_MAXNAMELEN) |
| 337 | { |
| 338 | syslog (LOG_ERR, _("netname2user: principal name `%s' too long"), |
| 339 | principal); |
| 340 | return NSS_STATUS_UNAVAIL; |
| 341 | } |
| 342 | |
| 343 | slen = snprintf (sname, sizeof (sname), |
| 344 | "[cname=%s,auth_type=LOCAL],cred.org_dir.%s", |
| 345 | principal, domain); |
| 346 | |
| 347 | if (sname[slen - 1] != '.') |
| 348 | { |
| 349 | sname[slen++] = '.'; |
| 350 | sname[slen] = '\0'; |
| 351 | } |
| 352 | |
| 353 | /* must use authenticated call here */ |
| 354 | /* XXX but we cant, for now. XXX */ |
| 355 | res = nis_list (sname, USE_DGRAM+NO_AUTHINFO+FOLLOW_LINKS+FOLLOW_PATH, |
| 356 | NULL, NULL); |
| 357 | if (res == NULL) |
| 358 | { |
| 359 | *errnop = ENOMEM; |
| 360 | return NSS_STATUS_TRYAGAIN; |
| 361 | } |
| 362 | switch(res->status) |
| 363 | { |
| 364 | case NIS_NOTFOUND: |
| 365 | case NIS_PARTIAL: |
| 366 | case NIS_NOSUCHNAME: |
| 367 | case NIS_NOSUCHTABLE: |
| 368 | nis_freeresult (res); |
| 369 | return NSS_STATUS_NOTFOUND; |
| 370 | case NIS_S_NOTFOUND: |
| 371 | case NIS_TRYAGAIN: |
| 372 | syslog (LOG_ERR, _("netname2user: (nis+ lookup): %s\n"), |
| 373 | nis_sperrno (res->status)); |
| 374 | nis_freeresult (res); |
| 375 | *errnop = errno; |
| 376 | return NSS_STATUS_TRYAGAIN; |
| 377 | case NIS_SUCCESS: |
| 378 | case NIS_S_SUCCESS: |
| 379 | break; /* go and do something useful */ |
| 380 | default: |
| 381 | syslog (LOG_ERR, _("netname2user: (nis+ lookup): %s\n"), |
| 382 | nis_sperrno (res->status)); |
| 383 | nis_freeresult (res); |
| 384 | return NSS_STATUS_UNAVAIL; |
| 385 | } |
| 386 | |
| 387 | if (NIS_RES_NUMOBJ (res) > 1) |
| 388 | /* |
| 389 | * A principal can have more than one LOCAL entry? |
| 390 | * Something wrong with cred table. |
| 391 | * Warn user and continue. |
| 392 | */ |
| 393 | syslog (LOG_ALERT, |
| 394 | _("netname2user: LOCAL entry for %s in directory %s not unique"), |
| 395 | netname, domain); |
| 396 | /* Fetch the uid */ |
| 397 | *uidp = strtoul (ENTRY_VAL (NIS_RES_OBJECT (res), 2), NULL, 10); |
| 398 | |
| 399 | if (*uidp == 0) |
| 400 | { |
| 401 | syslog (LOG_ERR, _("netname2user: should not have uid 0")); |
| 402 | nis_freeresult (res); |
| 403 | return NSS_STATUS_NOTFOUND; |
| 404 | } |
| 405 | |
| 406 | parse_grp_str (ENTRY_VAL (NIS_RES_OBJECT (res), 3), |
| 407 | gidp, gidlenp, gidlist, errnop); |
| 408 | |
| 409 | nis_freeresult (res); |
| 410 | return NSS_STATUS_SUCCESS; |
| 411 | } |
| 412 |
Generated on 2018-Oct-27 from project glibc revision 2.23
Powered by 
Code Browser 2.1
Generator usage only permitted with license.