X-Git-Url: https://arthur.barton.de/cgi-bin/gitweb.cgi?a=blobdiff_plain;f=etc%2Fafpd%2Fauth.c;h=e3d76d18bb29f61fa3e532717db74e42ed9c027a;hb=7952e70aaf2ed18f2225f6f15d3ac2d2c68b4053;hp=9a406a0e61e817f0bc02483b03dc78d88f2c26be;hpb=d275295045da592697047cda4b94b7ce6d45f158;p=netatalk.git diff --git a/etc/afpd/auth.c b/etc/afpd/auth.c index 9a406a0e..e3d76d18 100644 --- a/etc/afpd/auth.c +++ b/etc/afpd/auth.c @@ -1,15 +1,19 @@ /* + * $Id: auth.c,v 1.16 2001-06-25 15:18:01 rufustfirefly Exp $ + * * Copyright (c) 1990,1993 Regents of The University of Michigan. * All Rights Reserved. See COPYRIGHT. */ #ifdef HAVE_CONFIG_H #include "config.h" -#endif +#endif /* HAVE_CONFIG_H */ #include #include +#ifdef HAVE_UNISTD_H #include +#endif /* HAVE_UNISTD_H */ #include #include #include @@ -23,12 +27,21 @@ #ifdef SHADOWPW #include -#endif +#endif /* SHADOWPW */ #include #include #include +#ifdef TRU64 +#include +#include +#include +#include + +extern void afp_get_cmdline( int *ac, char ***av ); +#endif /* TRU64 */ + #include "globals.h" #include "auth.h" #include "uam_auth.h" @@ -69,12 +82,6 @@ static struct uam_obj uam_changepw = {"", "", 0, {{NULL}}, &uam_changepw, static struct uam_obj *afp_uam = NULL; -/* Variables for CAP style printer authentication */ -#ifdef CAPDIR -extern int addr_net, addr_node, addr_uid; -extern char addr_name[32]; -#endif /* CAPDIR */ - void status_versions( data ) char *data; { 
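Review bot: The `extern void afp_get_cmdline( int *ac, char ***av );` added in the TRU64 block is a file-local prototype for a function defined in another translation unit; declaring it in a shared header (`globals.h` is included right below it) lets the compiler check the definition and the call site in login() against the same declaration. As written, a signature change in the defining file would go unnoticed here until runtime.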
@@ -136,18 +143,19 @@ static int send_reply(const AFPObj *obj, const int err) obj->reply(obj->handle, err); obj->exit(0); + + return AFP_OK; } static int login(AFPObj *obj, struct passwd *pwd, void (*logout)(void)) { -#ifdef CAPDIR - char nodename[256]; - FILE *fp; -#endif /* CAPDIR */ #ifdef ADMIN_GRP - struct group *grps; + int admin = 0; #endif ADMIN_GRP + /* UAM had syslog control; afpd needs to reassert itself */ + openlog( "afpd", LOG_NDELAY|LOG_PID, LOG_DAEMON); + if ( pwd->pw_uid == 0 ) { /* don't allow root login */ syslog( LOG_ERR, "login: root login denied!" ); return AFPERR_NOTAUTH; 
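Review bot: The context line `#endif ADMIN_GRP` directly below the new `int admin = 0;` still carries a bare identifier after `#endif`, which GCC reports as extra tokens, while the rest of this commit converts such labels to the `#endif /* ADMIN_GRP */` form; this one should follow. In send_reply, the added `return AFP_OK;` after `obj->exit(0)` deserves a comment such as `/* not reached if obj->exit() terminates the process; keeps the compiler quiet */`, since otherwise a reader may take AFP_OK for a real reply. login() continues past this hunk.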
@@ -156,57 +164,125 @@ static int login(AFPObj *obj, struct passwd *pwd, void (*logout)(void)) syslog( LOG_INFO, "login %s (uid %d, gid %d)", pwd->pw_name, pwd->pw_uid, pwd->pw_gid ); -#ifdef CAPDIR - if(addr_net && addr_node) { /* Do we have a valid Appletalk address? */ - addr_uid = pwd->pw_uid; - strncpy(addr_name, pwd->pw_name, 32); - sprintf(nodename, "%s/net%d.%dnode%d", CAPDIR, addr_net / 256, addr_net % 256, addr_node); - syslog (LOG_INFO, "registering %s (uid %d) on %u.%u as %s", - addr_name, addr_uid, addr_net, addr_node, nodename); - fp = fopen(nodename, "w"); - fprintf(fp, "%s\n", addr_name); - fclose(fp); - } -#endif /* CAPDIR */ + if (obj->proto == AFPPROTO_ASP) { + ASP asp = obj->handle; + int addr_net = ntohs( asp->asp_sat.sat_addr.s_net ); + int addr_node = asp->asp_sat.sat_addr.s_node; + + if (obj->options.authprintdir) { + if(addr_net && addr_node) { /* Do we have a valid Appletalk address? */ + char nodename[256]; + FILE *fp; + struct stat stat_buf; + + sprintf(nodename, "%s/net%d.%dnode%d", obj->options.authprintdir, + addr_net / 256, addr_net % 256, addr_node); + syslog (LOG_INFO, "registering %s (uid %d) on %u.%u as %s", + pwd->pw_name, pwd->pw_uid, addr_net, addr_node, nodename); + + if (stat(nodename, &stat_buf) == 0) { /* file exists */ + if (S_ISREG(stat_buf.st_mode)) { /* normal file */ + unlink(nodename); + fp = fopen(nodename, "w"); + fprintf(fp, "%s\n", pwd->pw_name); + fclose(fp); + chown( nodename, pwd->pw_uid, -1 ); + } else { /* somebody is messing with us */ + syslog( LOG_ERR, "print authfile %s is not a normal file, it will not be modified", nodename ); + } + } else { /* file 'nodename' does not exist */ + fp = fopen(nodename, "w"); + fprintf(fp, "%s\n", pwd->pw_name); + fclose(fp); + chown( nodename, pwd->pw_uid, -1 ); + } + } /* if (addr_net && addr_node ) */ + } /* if (options->authprintdir) */ + } /* if (obj->proto == AFPPROTO_ASP) */ if (initgroups( pwd->pw_name, pwd->pw_gid ) < 0) { #ifdef RUN_AS_USER syslog(LOG_INFO, 
"running with uid %d", geteuid()); -#else +#else /* RUN_AS_USER */ syslog(LOG_ERR, "login: %m"); return AFPERR_BADUAM; -#endif -#ifdef ADMIN_GRP - if ((grps = getgrnam(ADMIN_GRP)) != NULL) { - while (*(grps->gr_mem) != NULL) { - if (strcmp(pwd->pw_name, *grps->gr_mem) == 0) { - syslog(LOG_INFO, "User %s has admin privs, logging in as superuser.", - pwd->pw_name); - pwd->pw_gid = grps->gr_gid; - pwd->pw_uid = 0; - strcpy (pwd->pw_name, "root"); - break; - } - *(grps->gr_mem)++; - } - } -#endif ADMIN_GRP +#endif /* RUN_AS_USER */ } - - if (setegid( pwd->pw_gid ) < 0 || seteuid( pwd->pw_uid ) < 0) { - syslog( LOG_ERR, "login: %m" ); - return AFPERR_BADUAM; - } + + /* Basically if the user is in the admin group, we stay root */ if (( ngroups = getgroups( NGROUPS, groups )) < 0 ) { syslog( LOG_ERR, "login: getgroups: %m" ); return AFPERR_BADUAM; } +#ifdef ADMIN_GRP +#ifdef DEBUG + syslog(LOG_INFO, "obj->options.admingid == %d", obj->options.admingid); +#endif /* DEBUG */ + if (obj->options.admingid != 0) { + int i; + for (i = 0; i < ngroups; i++) { + if (groups[i] == obj->options.admingid) admin = 1; + } + } + if (admin) syslog( LOG_INFO, "admin login -- %s", pwd->pw_name ); + if (!admin) +#endif /* DEBUG */ +#ifdef TRU64 + { + struct DSI *dsi = obj->handle; + struct hostent *hp; + char *clientname; + int argc; + char **argv; + char hostname[256]; + + afp_get_cmdline( &argc, &argv ); + + hp = gethostbyaddr( (char *) &dsi->client.sin_addr, + sizeof( struct in_addr ), + dsi->client.sin_family ); + + if( hp ) + clientname = hp->h_name; + else + clientname = inet_ntoa( dsi->client.sin_addr ); + + sprintf( hostname, "%s@%s", pwd->pw_name, clientname ); + + if( sia_become_user( NULL, argc, argv, hostname, pwd->pw_name, + NULL, FALSE, NULL, NULL, + SIA_BEU_REALLOGIN ) != SIASUCCESS ) + return AFPERR_BADUAM; + + syslog( LOG_INFO, "session from %s (%s)", hostname, + inet_ntoa( dsi->client.sin_addr ) ); + + if (setegid( pwd->pw_gid ) < 0 || seteuid( pwd->pw_uid ) < 0) { + syslog( 
LOG_ERR, "login: %m" ); + return AFPERR_BADUAM; + } + } +#else /* TRU64 */ + if (setegid( pwd->pw_gid ) < 0 || seteuid( pwd->pw_uid ) < 0) { + syslog( LOG_ERR, "login: %m" ); + return AFPERR_BADUAM; + } +#endif /* TRU64 */ + + /* There's probably a better way to do this, but for now, we just + play root */ + +#ifdef ADMIN_GRP + if (admin) uuid = 0; + else +#endif /* ADMIN_GRP */ uuid = pwd->pw_uid; afp_switch = postauth_switch; obj->logout = logout; + return( AFP_OK ); } @@ -244,7 +320,7 @@ int afp_login(obj, ibuf, ibuflen, rbuf, rbuflen ) i = afp_uam->u.uam_login.login(obj, &pwd, ibuf, ibuflen, rbuf, rbuflen); if (i || !pwd) return send_reply(obj, i); - + return send_reply(obj, login(obj, pwd, afp_uam->u.uam_login.logout)); } @@ -279,6 +355,7 @@ int afp_logout(obj, ibuf, ibuflen, rbuf, rbuflen) { syslog(LOG_INFO, "logout %s", obj->username); obj->exit(0); + return AFP_OK; } @@ -443,12 +520,24 @@ int auth_load(const char *path, const char *list) while (p) { strncpy(name + len, p, sizeof(name) - len); + syslog(LOG_DEBUG, "uam : Loading (%s)", name); + /* if ((stat(name, &st) == 0) && (mod = uam_load(name, p))) { - uam_attach(&uam_modules, mod); - syslog(LOG_INFO, "uam: %s loaded", p); + */ + if (stat(name, &st) == 0) { + if ((mod = uam_load(name, p))) { + uam_attach(&uam_modules, mod); + syslog(LOG_INFO, "uam: %s loaded", p); + } else { + syslog(LOG_INFO, "uam: %s load failure",p); + } + } else { + syslog(LOG_INFO, "uam: uam not found (status=%d)", stat(name, &st)); } p = strtok(NULL, ","); } + + return 0; } /* get rid of all of the uams */
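Review bot: Both `sprintf` calls added in this hunk write into 256-byte stack buffers with no bound: `nodename` is built from `obj->options.authprintdir`, and in the TRU64 block `hostname` is built from `pwd->pw_name` plus the reverse-DNS name returned by `gethostbyaddr`, which is not under the server's control; make the latter `snprintf( hostname, sizeof hostname, "%s@%s", pwd->pw_name, clientname );` and treat a return value of `>= sizeof hostname` as `AFPERR_BADUAM`. The print-authfile code also does `stat`, `unlink` and then `fopen` by name while afpd is still running as root (`seteuid` happens further down), follows symlinks in the `stat`, and writes through `fp` without checking that `fopen` succeeded; the version below opens once with `O_CREAT|O_EXCL` (needs `<fcntl.h>` and `<errno.h>`), uses `fchown` on the descriptor, and logs every failure instead of dereferencing a NULL `FILE *`. The `#endif /* DEBUG */` after `if (!admin)` closes the `#ifdef ADMIN_GRP` block, not DEBUG, and should read `#endif /* ADMIN_GRP */`; leaving a bare `if (!admin)` to govern whichever statement the following `#ifdef TRU64` selects is fragile, and each branch would be clearer with its own `if (!admin) { ... }`. The TRU64 block casts `obj->handle` to `struct DSI *` without the `obj->proto` check that the ASP block a few lines earlier applies to its own handle. login() begins before this hunk.
```c
if(addr_net && addr_node) { /* Do we have a valid Appletalk address? */
    char nodename[256];
    struct stat stat_buf;
    int n, fd;
    FILE *fp;

    n = snprintf(nodename, sizeof nodename, "%s/net%d.%dnode%d",
                 obj->options.authprintdir,
                 addr_net / 256, addr_net % 256, addr_node);
    if (n < 0 || (size_t) n >= sizeof nodename) {
        syslog(LOG_ERR, "print authfile path under %s is too long, not registering",
               obj->options.authprintdir);
    } else if (lstat(nodename, &stat_buf) == 0 && !S_ISREG(stat_buf.st_mode)) {
        /* lstat, not stat: a symlink sitting here counts as "not a normal file" too */
        syslog(LOG_ERR, "print authfile %s is not a normal file, it will not be modified", nodename);
    } else if (unlink(nodename) < 0 && errno != ENOENT) {
        syslog(LOG_ERR, "print authfile %s: unlink: %m", nodename);
    } else if ((fd = open(nodename, O_WRONLY | O_CREAT | O_EXCL, 0644)) < 0) {
        /* O_EXCL: we are still root here; refuse to write into anything that
         * appeared between the unlink and this open */
        syslog(LOG_ERR, "print authfile %s: open: %m", nodename);
    } else if ((fp = fdopen(fd, "w")) == NULL) {
        syslog(LOG_ERR, "print authfile %s: fdopen: %m", nodename);
        close(fd);
    } else {
        syslog(LOG_INFO, "registering %s (uid %d) on %u.%u as %s",
               pwd->pw_name, pwd->pw_uid, addr_net, addr_node, nodename);
        fprintf(fp, "%s\n", pwd->pw_name);
        if (fchown(fd, pwd->pw_uid, -1) < 0)
            syslog(LOG_ERR, "print authfile %s: fchown: %m", nodename);
        if (fclose(fp) != 0)
            syslog(LOG_ERR, "print authfile %s: write: %m", nodename);
    }
} /* if (addr_net && addr_node ) */
```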
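Review bot: The new "not found" branch in auth_load calls `stat(name, &st)` a second time just to print its return value, which on this path is always -1 and says nothing about why; the reason is in errno, so `syslog(LOG_INFO, "uam: %s not found: %m", name);` (the file already uses `%m`) is both cheaper and informative. The old `if ((stat(name, &st) == 0) && (mod = uam_load(name, p)))` line is kept inside a `/* */` block instead of being deleted; commented-out code should go. The `strncpy(name + len, p, sizeof(name) - len)` on the context line above does not guarantee NUL-termination when the module name fills the buffer, and the new `syslog(LOG_DEBUG, "uam : Loading (%s)", name)` then reads `name` as a string; `snprintf(name + len, sizeof(name) - len, "%s", p)` would close that. auth_load() begins before this hunk.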