Fix typo in debug message in MakeAllCLTSServerListeners

Add $(GETPEER_DEFINES) to DEPEND_DEFINES for makedepend Add "localuser" and "localgroup" access types to server-interpreted authentication scheme.
author: Alan Coopersmith <Alan.Coopersmith@sun.com> 2004-07-17 01:13:31 +0000
committer: Alan Coopersmith <Alan.Coopersmith@sun.com> 2004-07-17 01:13:31 +0000
commit: c47a1bdd7463b6863018e2c4237acfd28b89f38f (patch)
tree: 4aa5594a031a2bb7025bedd276c2b96f1ad2cbeb /os
parent: 3e52373fc8179a59efc9e7ab22ce0cb5160d0409 (diff)
1 files changed, 175 insertions, 3 deletions
diff --git a/os/access.c b/os/access.c
index 2d41f33e9..fdee9802e 100644
--- a/os/access.c
+++ b/os/access.c
@@ -1,5 +1,5 @@
 /* $Xorg: access.c,v 1.5 2001/02/09 02:05:23 xorgcvs Exp $ */
-/* $XdotOrg: xc/programs/Xserver/os/access.c,v 1.3 2004/06/25 08:58:18 ago Exp $ */
+/* $XdotOrg: xc/programs/Xserver/os/access.c,v 1.4 2004/06/30 20:06:56 kem Exp $ */
 /***********************************************************
 
 Copyright 1987, 1998  The Open Group
@@ -90,6 +90,9 @@ SOFTWARE.
 
 #ifdef HAS_GETPEERUCRED
 # include <ucred.h>
+# ifdef sun
+#  include <zone.h>
+# endif
 #endif
 
 #if defined(DGUX)
@@ -227,6 +230,10 @@ static Bool NewHost(int /*family*/,
 		    int /*len*/,
 		    int /* addingLocalHosts */);
 
+int LocalClientCredAndGroups(ClientPtr client, int *pUid, int *pGid, 
+                             int **pSuppGids, int *nSuppGids);
+
+
 /* XFree86 bug #156: To keep track of which hosts were explicitly requested in
    /etc/X<display>.hosts, we've added a requested field to the HOST struct,
    and a LocalHostRequested variable.  These default to FALSE, but are set
@@ -1396,13 +1403,30 @@ Bool LocalClient(ClientPtr client)
 
 /*
  * Return the uid and gid of a connected local client
- * or the uid/gid for nobody those ids cannot be determinded
+ * or the uid/gid for nobody those ids cannot be determined
  * 
  * Used by XShm to test access rights to shared memory segments
  */
 int
 LocalClientCred(ClientPtr client, int *pUid, int *pGid)
 {
+    return LocalClientCredAndGroups(client, pUid, pGid, NULL, NULL);
+}
+
+/*
+ * Return the uid and all gids of a connected local client
+ * or the uid/gid for nobody those ids cannot be determined
+ * 
+ * If the caller passes non-NULL values for pSuppGids & nSuppGids,
+ * they are responsible for calling XFree(*pSuppGids) to release the
+ * memory allocated for the supplemental group ids list.
+ *
+ * Used by localuser & localgroup ServerInterpreted access control forms below
+ */
+int
+LocalClientCredAndGroups(ClientPtr client, int *pUid, int *pGid, 
+			 int **pSuppGids, int *nSuppGids)
+{
 #if defined(HAS_GETPEEREID) || defined(HAS_GETPEERUCRED) || defined(SO_PEERCRED)
     int fd;
     XtransConnInfo ci;
@@ -1428,6 +1452,12 @@ LocalClientCred(ClientPtr client, int *pUid, int *pGid)
 	return -1;
     }
 #endif
+
+    if (pSuppGids != NULL)
+	*pSuppGids = NULL;
+    if (nSuppGids != NULL)
+	*nSuppGids = 0;
+
     fd = _XSERVTransGetConnectionNumber(ci);
 #ifdef HAS_GETPEEREID
     if (getpeereid(fd, &uid, &gid) == -1) 
@@ -1440,10 +1470,31 @@ LocalClientCred(ClientPtr client, int *pUid, int *pGid)
 #elif defined(HAS_GETPEERUCRED)
     if (getpeerucred(fd, &peercred) < 0)
     	return -1;
+#ifdef sun /* Ensure process is in the same zone */
+    if (getzoneid() != ucred_getzoneid(peercred)) {
+	ucred_free(peercred);
+	return -1;
+    }
+#endif
     if (pUid != NULL)
 	*pUid = ucred_geteuid(peercred);
     if (pGid != NULL)
 	*pGid = ucred_getegid(peercred);
+    if (pSuppGids != NULL && nSuppGids != NULL) {
+	const gid_t *gids;
+	*nSuppGids = ucred_getgroups(peercred, &gids);
+	if (*nSuppGids > 0) {
+	    *pSuppGids = xalloc(sizeof(int) * (*nSuppGids));
+	    if (*pSuppGids == NULL) {
+		*nSuppGids = 0;
+	    } else {
+		int i;
+		for (i = 0 ; i < *nSuppGids; i++) {
+		    (*pSuppGids)[i] = (int) gids[i];
+		}
+	    }
+	}
+    }
     ucred_free(peercred);
     return 0;
 #elif defined(SO_PEERCRED)
@@ -1457,6 +1508,7 @@ LocalClientCred(ClientPtr client, int *pUid, int *pGid)
 #endif
 #else
     /* No system call available to get the credentials of the peer */
+#define NO_LOCAL_CLIENT_CRED
     return -1;
 #endif
 }
@@ -1762,7 +1814,6 @@ InvalidHost (
 			return 0;
 		}
 	    }
-	    return 1;
 	} else
 	    return 0;
     }
@@ -2225,6 +2276,121 @@ siIPv6CheckAddr(const char *addrString, int length, void *typePriv)
 }
 #endif /* IPv6 */
 
+#if !defined(NO_LOCAL_CLIENT_CRED)
+/***
+ * "localuser" & "localgroup" server interpreted types
+ *
+ * Allows local connections from a given local user or group
+ */
+
+#include <pwd.h>
+#include <grp.h>
+
+#define LOCAL_USER 1
+#define LOCAL_GROUP 2
+
+typedef struct {
+    int credType;
+} siLocalCredPrivRec, *siLocalCredPrivPtr;
+
+static siLocalCredPrivRec siLocalUserPriv = { LOCAL_USER };
+static siLocalCredPrivRec siLocalGroupPriv = { LOCAL_GROUP };
+
+static Bool
+siLocalCredGetId(const char *addr, int len, siLocalCredPrivPtr lcPriv, int *id)
+{
+    Bool parsedOK = FALSE;
+    char *addrbuf = xalloc(len + 1);
+
+    if (addrbuf == NULL) {
+	return FALSE;
+    }
+
+    memcpy(addrbuf, addr, len);
+    addrbuf[len] = '\0';
+
+    if (addr[0] == '#') { /* numeric id */
+	char *cp;
+	errno = 0;
+	*id = strtol(addrbuf + 1, &cp, 0);
+	if ((errno == 0) && (cp != (addrbuf+1))) {
+	    parsedOK = TRUE;
+	}
+    } else { /* non-numeric name */
+	if (lcPriv->credType == LOCAL_USER) {
+	    struct passwd *pw = getpwnam(addrbuf);
+
+	    if (pw != NULL) {
+		*id = (int) pw->pw_uid;
+		parsedOK = TRUE;
+	    }
+	} else { /* group */
+	    struct group *gr = getgrnam(addrbuf);
+
+	    if (gr != NULL) {
+		*id = (int) gr->gr_gid;
+		parsedOK = TRUE;
+	    }
+	}
+    }
+
+    xfree(addrbuf);
+    return parsedOK;
+}
+
+static Bool 
+siLocalCredAddrMatch(int family, pointer addr, int len,
+  const char *siAddr, int siAddrlen, ClientPtr client, void *typePriv)
+{
+    int connUid, connGid, *connSuppGids, connNumSuppGids, siAddrId;
+    siLocalCredPrivPtr lcPriv = (siLocalCredPrivPtr) typePriv;
+
+    if (LocalClientCredAndGroups(client, &connUid, &connGid,
+      &connSuppGids, &connNumSuppGids) == -1) {
+	return FALSE;
+    }
+
+    if (siLocalCredGetId(siAddr, siAddrlen, lcPriv, &siAddrId) == FALSE) {
+	return FALSE;
+    }
+
+    if (lcPriv->credType == LOCAL_USER) {
+	if (connUid == siAddrId) {
+	    return TRUE;
+	}
+    } else {
+	if (connGid == siAddrId) {
+	    return TRUE;
+	}
+	if (connSuppGids != NULL) {
+	    int i;
+
+	    for (i = 0 ; i < connNumSuppGids; i++) {
+		if (connSuppGids[i] == siAddrId) {
+		    xfree(connSuppGids);
+		    return TRUE;
+		}
+	    }
+	    xfree(connSuppGids);
+	}
+    }
+    return FALSE;
+}
+
+static int
+siLocalCredCheckAddr(const char *addrString, int length, void *typePriv)
+{
+    int len = length;
+    int id;
+
+    if (siLocalCredGetId(addrString, length, 
+	(siLocalCredPrivPtr)typePriv, &id) == FALSE) {
+	len = -1;
+    }
+    return len;
+}
+#endif /* localuser */
+
 static void
 siTypesInitialize(void)
 {
@@ -2232,4 +2398,10 @@ siTypesInitialize(void)
 #if defined(IPv6) && defined(AF_INET6)
     siTypeAdd("ipv6", siIPv6AddrMatch, siIPv6CheckAddr, NULL);
 #endif
+#if !defined(NO_LOCAL_CLIENT_CRED)
+    siTypeAdd("localuser", siLocalCredAddrMatch, siLocalCredCheckAddr, 
+      &siLocalUserPriv);
+    siTypeAdd("localgroup", siLocalCredAddrMatch, siLocalCredCheckAddr, 
+      &siLocalGroupPriv);
+#endif
 }
author	Alan Coopersmith <Alan.Coopersmith@sun.com>	2004-07-17 01:13:31 +0000
committer	Alan Coopersmith <Alan.Coopersmith@sun.com>	2004-07-17 01:13:31 +0000
commit	c47a1bdd7463b6863018e2c4237acfd28b89f38f (patch)
tree	4aa5594a031a2bb7025bedd276c2b96f1ad2cbeb /os
parent	3e52373fc8179a59efc9e7ab22ce0cb5160d0409 (diff)