1 | /* Copyright (c) 1997-2017 Free Software Foundation, Inc. |
2 | This file is part of the GNU C Library. |
3 | Contributed by Thorsten Kukuk <kukuk@suse.de>, 1997. |
4 | |
5 | The GNU C Library is free software; you can redistribute it and/or |
6 | modify it under the terms of the GNU Lesser General Public |
7 | License as published by the Free Software Foundation; either |
8 | version 2.1 of the License, or (at your option) any later version. |
9 | |
10 | The GNU C Library is distributed in the hope that it will be useful, |
11 | but WITHOUT ANY WARRANTY; without even the implied warranty of |
12 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
13 | Lesser General Public License for more details. |
14 | |
15 | You should have received a copy of the GNU Lesser General Public |
16 | License along with the GNU C Library; if not, see |
17 | <http://www.gnu.org/licenses/>. */ |
18 | |
19 | #include <nss.h> |
20 | #include <ctype.h> |
21 | #include <errno.h> |
22 | #include <stdio.h> |
23 | #include <string.h> |
24 | #include <libintl.h> |
25 | #include <syslog.h> |
26 | #include <rpc/rpc.h> |
27 | #include <rpcsvc/nis.h> |
28 | #include <rpc/key_prot.h> |
29 | extern int xdecrypt (char *, char *); |
30 | |
31 | #include <nss-nisplus.h> |
32 | |
33 | /* If we haven't found the entry, we give a SUCCESS and an empty key back. */ |
34 | enum nss_status |
35 | _nss_nisplus_getpublickey (const char *netname, char *pkey, int *errnop) |
36 | { |
37 | nis_result *res; |
38 | enum nss_status retval; |
39 | char buf[NIS_MAXNAMELEN + 2]; |
40 | size_t slen; |
41 | char *domain, *cptr; |
42 | int len; |
43 | |
44 | pkey[0] = 0; |
45 | |
46 | if (netname == NULL) |
47 | { |
48 | *errnop = EINVAL; |
49 | return NSS_STATUS_UNAVAIL; |
50 | } |
51 | |
52 | domain = strchr (netname, '@'); |
53 | if (!domain) |
54 | return NSS_STATUS_UNAVAIL; |
55 | domain++; |
56 | |
57 | slen = snprintf (buf, NIS_MAXNAMELEN, |
58 | "[auth_name=%s,auth_type=DES],cred.org_dir.%s" , |
59 | netname, domain); |
60 | |
61 | if (slen >= NIS_MAXNAMELEN) |
62 | { |
63 | *errnop = EINVAL; |
64 | return NSS_STATUS_UNAVAIL; |
65 | } |
66 | |
67 | if (buf[slen - 1] != '.') |
68 | { |
69 | buf[slen++] = '.'; |
70 | buf[slen] = '\0'; |
71 | } |
72 | |
73 | res = nis_list (buf, USE_DGRAM+NO_AUTHINFO+FOLLOW_LINKS+FOLLOW_PATH, |
74 | NULL, NULL); |
75 | |
76 | if (res == NULL) |
77 | { |
78 | *errnop = ENOMEM; |
79 | return NSS_STATUS_TRYAGAIN; |
80 | } |
81 | retval = niserr2nss (res->status); |
82 | |
83 | if (retval != NSS_STATUS_SUCCESS) |
84 | { |
85 | if (retval == NSS_STATUS_TRYAGAIN) |
86 | *errnop = errno; |
87 | if (res->status == NIS_NOTFOUND) |
88 | retval = NSS_STATUS_SUCCESS; |
89 | nis_freeresult (res); |
90 | return retval; |
91 | } |
92 | |
93 | if (NIS_RES_NUMOBJ (res) > 1) |
94 | { |
95 | /* |
96 | * More than one principal with same uid? |
97 | * something wrong with cred table. Should be unique |
98 | * Warn user and continue. |
99 | */ |
100 | syslog (LOG_ERR, _("DES entry for netname %s not unique\n" ), netname); |
101 | nis_freeresult (res); |
102 | return NSS_STATUS_SUCCESS; |
103 | } |
104 | |
105 | len = ENTRY_LEN (NIS_RES_OBJECT (res), 3); |
106 | memcpy (pkey, ENTRY_VAL (NIS_RES_OBJECT (res),3), len); |
107 | pkey[len] = 0; |
108 | cptr = strchr (pkey, ':'); |
109 | if (cptr) |
110 | cptr[0] = '\0'; |
111 | nis_freeresult (res); |
112 | |
113 | return NSS_STATUS_SUCCESS; |
114 | } |
115 | |
116 | |
117 | enum nss_status |
118 | _nss_nisplus_getsecretkey (const char *netname, char *skey, char *passwd, |
119 | int *errnop) |
120 | { |
121 | nis_result *res; |
122 | enum nss_status retval; |
123 | char buf[NIS_MAXNAMELEN + 2]; |
124 | size_t slen; |
125 | char *domain, *cptr; |
126 | int len; |
127 | |
128 | skey[0] = 0; |
129 | |
130 | if (netname == NULL) |
131 | { |
132 | *errnop = EINVAL; |
133 | return NSS_STATUS_UNAVAIL; |
134 | } |
135 | |
136 | domain = strchr (netname, '@'); |
137 | if (!domain) |
138 | return NSS_STATUS_UNAVAIL; |
139 | domain++; |
140 | |
141 | slen = snprintf (buf, NIS_MAXNAMELEN, |
142 | "[auth_name=%s,auth_type=DES],cred.org_dir.%s" , |
143 | netname, domain); |
144 | |
145 | if (slen >= NIS_MAXNAMELEN) |
146 | { |
147 | *errnop = EINVAL; |
148 | return NSS_STATUS_UNAVAIL; |
149 | } |
150 | |
151 | if (buf[slen - 1] != '.') |
152 | { |
153 | buf[slen++] = '.'; |
154 | buf[slen] = '\0'; |
155 | } |
156 | |
157 | res = nis_list (buf, USE_DGRAM | NO_AUTHINFO | FOLLOW_LINKS | FOLLOW_PATH, |
158 | NULL, NULL); |
159 | |
160 | if (res == NULL) |
161 | { |
162 | *errnop = ENOMEM; |
163 | return NSS_STATUS_TRYAGAIN; |
164 | } |
165 | retval = niserr2nss (res->status); |
166 | |
167 | if (retval != NSS_STATUS_SUCCESS) |
168 | { |
169 | if (retval == NSS_STATUS_TRYAGAIN) |
170 | *errnop = errno; |
171 | nis_freeresult (res); |
172 | return retval; |
173 | } |
174 | |
175 | if (NIS_RES_NUMOBJ (res) > 1) |
176 | { |
177 | /* |
178 | * More than one principal with same uid? |
179 | * something wrong with cred table. Should be unique |
180 | * Warn user and continue. |
181 | */ |
182 | syslog (LOG_ERR, _("DES entry for netname %s not unique\n" ), netname); |
183 | nis_freeresult (res); |
184 | return NSS_STATUS_SUCCESS; |
185 | } |
186 | |
187 | len = ENTRY_LEN (NIS_RES_OBJECT (res), 4); |
188 | memcpy (buf, ENTRY_VAL (NIS_RES_OBJECT (res), 4), len); |
189 | buf[len] = '\0'; |
190 | cptr = strchr (buf, ':'); |
191 | if (cptr) |
192 | cptr[0] = '\0'; |
193 | nis_freeresult (res); |
194 | |
195 | if (!xdecrypt (buf, passwd)) |
196 | return NSS_STATUS_SUCCESS; |
197 | |
198 | if (memcmp (buf, &(buf[HEXKEYBYTES]), KEYCHECKSUMSIZE) != 0) |
199 | return NSS_STATUS_SUCCESS; |
200 | |
201 | buf[HEXKEYBYTES] = 0; |
202 | strcpy (skey, buf); |
203 | |
204 | return NSS_STATUS_SUCCESS; |
205 | } |
206 | |
207 | |
208 | /* Parse information from the passed string. |
209 | The format of the string passed is gid,grp,grp, ... */ |
210 | static enum nss_status |
211 | parse_grp_str (const char *s, gid_t *gidp, int *gidlenp, gid_t *gidlist, |
212 | int *errnop) |
213 | { |
214 | char *ep; |
215 | int gidlen; |
216 | |
217 | if (!s || (!isdigit (*s))) |
218 | { |
219 | syslog (LOG_ERR, _("netname2user: missing group id list in `%s'" ), s); |
220 | return NSS_STATUS_NOTFOUND; |
221 | } |
222 | |
223 | *gidp = strtoul (s, &ep, 10); |
224 | |
225 | gidlen = 0; |
226 | |
227 | /* After strtoul() ep should point to the marker ',', which means |
228 | here starts a new value. |
229 | |
230 | The Sun man pages show that GIDLIST should contain at least NGRPS |
231 | elements. Limiting the number written by this value is the best |
232 | we can do. */ |
233 | while (ep != NULL && *ep == ',' && gidlen < NGRPS) |
234 | { |
235 | ep++; |
236 | s = ep; |
237 | gidlist[gidlen++] = strtoul (s, &ep, 10); |
238 | } |
239 | *gidlenp = gidlen; |
240 | |
241 | return NSS_STATUS_SUCCESS; |
242 | } |
243 | |
244 | enum nss_status |
245 | _nss_nisplus_netname2user (char netname[MAXNETNAMELEN + 1], uid_t *uidp, |
246 | gid_t *gidp, int *gidlenp, gid_t *gidlist, int *errnop) |
247 | { |
248 | char *domain; |
249 | nis_result *res; |
250 | char sname[NIS_MAXNAMELEN + 2]; /* search criteria + table name */ |
251 | size_t slen; |
252 | char principal[NIS_MAXNAMELEN + 1]; |
253 | int len; |
254 | |
255 | /* 1. Get home domain of user. */ |
256 | domain = strchr (netname, '@'); |
257 | if (! domain) |
258 | return NSS_STATUS_UNAVAIL; |
259 | |
260 | ++domain; /* skip '@' */ |
261 | |
262 | /* 2. Get user's nisplus principal name. */ |
263 | slen = snprintf (sname, NIS_MAXNAMELEN, |
264 | "[auth_name=%s,auth_type=DES],cred.org_dir.%s" , |
265 | netname, domain); |
266 | |
267 | if (slen >= NIS_MAXNAMELEN) |
268 | { |
269 | *errnop = EINVAL; |
270 | return NSS_STATUS_UNAVAIL; |
271 | } |
272 | |
273 | if (sname[slen - 1] != '.') |
274 | { |
275 | sname[slen++] = '.'; |
276 | sname[slen] = '\0'; |
277 | } |
278 | |
279 | /* must use authenticated call here */ |
280 | /* XXX but we cant, for now. XXX */ |
281 | res = nis_list (sname, USE_DGRAM+NO_AUTHINFO+FOLLOW_LINKS+FOLLOW_PATH, |
282 | NULL, NULL); |
283 | if (res == NULL) |
284 | { |
285 | *errnop = ENOMEM; |
286 | return NSS_STATUS_TRYAGAIN; |
287 | } |
288 | switch (res->status) |
289 | { |
290 | case NIS_SUCCESS: |
291 | case NIS_S_SUCCESS: |
292 | break; /* go and do something useful */ |
293 | case NIS_NOTFOUND: |
294 | case NIS_PARTIAL: |
295 | case NIS_NOSUCHNAME: |
296 | case NIS_NOSUCHTABLE: |
297 | nis_freeresult (res); |
298 | return NSS_STATUS_NOTFOUND; |
299 | case NIS_S_NOTFOUND: |
300 | case NIS_TRYAGAIN: |
301 | syslog (LOG_ERR, _("netname2user: (nis+ lookup): %s\n" ), |
302 | nis_sperrno (res->status)); |
303 | nis_freeresult (res); |
304 | *errnop = errno; |
305 | return NSS_STATUS_TRYAGAIN; |
306 | default: |
307 | syslog (LOG_ERR, _("netname2user: (nis+ lookup): %s\n" ), |
308 | nis_sperrno (res->status)); |
309 | nis_freeresult (res); |
310 | return NSS_STATUS_UNAVAIL; |
311 | } |
312 | |
313 | if (NIS_RES_NUMOBJ (res) > 1) |
314 | /* |
315 | * A netname belonging to more than one principal? |
316 | * Something wrong with cred table. should be unique. |
317 | * Warn user and continue. |
318 | */ |
319 | syslog (LOG_ALERT, |
320 | _("netname2user: DES entry for %s in directory %s not unique" ), |
321 | netname, domain); |
322 | |
323 | len = ENTRY_LEN (NIS_RES_OBJECT (res), 0); |
324 | strncpy (principal, ENTRY_VAL (NIS_RES_OBJECT (res), 0), len); |
325 | principal[len] = '\0'; |
326 | nis_freeresult (res); |
327 | |
328 | if (principal[0] == '\0') |
329 | return NSS_STATUS_UNAVAIL; |
330 | |
331 | /* |
332 | * 3. Use principal name to look up uid/gid information in |
333 | * LOCAL entry in **local** cred table. |
334 | */ |
335 | domain = nis_local_directory (); |
336 | if (strlen (principal) + strlen (domain) + 45 > (size_t) NIS_MAXNAMELEN) |
337 | { |
338 | syslog (LOG_ERR, _("netname2user: principal name `%s' too long" ), |
339 | principal); |
340 | return NSS_STATUS_UNAVAIL; |
341 | } |
342 | |
343 | slen = snprintf (sname, sizeof (sname), |
344 | "[cname=%s,auth_type=LOCAL],cred.org_dir.%s" , |
345 | principal, domain); |
346 | |
347 | if (sname[slen - 1] != '.') |
348 | { |
349 | sname[slen++] = '.'; |
350 | sname[slen] = '\0'; |
351 | } |
352 | |
353 | /* must use authenticated call here */ |
354 | /* XXX but we cant, for now. XXX */ |
355 | res = nis_list (sname, USE_DGRAM+NO_AUTHINFO+FOLLOW_LINKS+FOLLOW_PATH, |
356 | NULL, NULL); |
357 | if (res == NULL) |
358 | { |
359 | *errnop = ENOMEM; |
360 | return NSS_STATUS_TRYAGAIN; |
361 | } |
362 | switch(res->status) |
363 | { |
364 | case NIS_NOTFOUND: |
365 | case NIS_PARTIAL: |
366 | case NIS_NOSUCHNAME: |
367 | case NIS_NOSUCHTABLE: |
368 | nis_freeresult (res); |
369 | return NSS_STATUS_NOTFOUND; |
370 | case NIS_S_NOTFOUND: |
371 | case NIS_TRYAGAIN: |
372 | syslog (LOG_ERR, _("netname2user: (nis+ lookup): %s\n" ), |
373 | nis_sperrno (res->status)); |
374 | nis_freeresult (res); |
375 | *errnop = errno; |
376 | return NSS_STATUS_TRYAGAIN; |
377 | case NIS_SUCCESS: |
378 | case NIS_S_SUCCESS: |
379 | break; /* go and do something useful */ |
380 | default: |
381 | syslog (LOG_ERR, _("netname2user: (nis+ lookup): %s\n" ), |
382 | nis_sperrno (res->status)); |
383 | nis_freeresult (res); |
384 | return NSS_STATUS_UNAVAIL; |
385 | } |
386 | |
387 | if (NIS_RES_NUMOBJ (res) > 1) |
388 | /* |
389 | * A principal can have more than one LOCAL entry? |
390 | * Something wrong with cred table. |
391 | * Warn user and continue. |
392 | */ |
393 | syslog (LOG_ALERT, |
394 | _("netname2user: LOCAL entry for %s in directory %s not unique" ), |
395 | netname, domain); |
396 | /* Fetch the uid */ |
397 | *uidp = strtoul (ENTRY_VAL (NIS_RES_OBJECT (res), 2), NULL, 10); |
398 | |
399 | if (*uidp == 0) |
400 | { |
401 | syslog (LOG_ERR, _("netname2user: should not have uid 0" )); |
402 | nis_freeresult (res); |
403 | return NSS_STATUS_NOTFOUND; |
404 | } |
405 | |
406 | parse_grp_str (ENTRY_VAL (NIS_RES_OBJECT (res), 3), |
407 | gidp, gidlenp, gidlist, errnop); |
408 | |
409 | nis_freeresult (res); |
410 | return NSS_STATUS_SUCCESS; |
411 | } |
412 | |