17c478bd9Sstevel@tonic-gate /*
27c478bd9Sstevel@tonic-gate * CDDL HEADER START
37c478bd9Sstevel@tonic-gate *
47c478bd9Sstevel@tonic-gate * The contents of this file are subject to the terms of the
5*45916cd2Sjpk * Common Development and Distribution License (the "License").
6*45916cd2Sjpk * You may not use this file except in compliance with the License.
77c478bd9Sstevel@tonic-gate *
87c478bd9Sstevel@tonic-gate * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
97c478bd9Sstevel@tonic-gate * or http://www.opensolaris.org/os/licensing.
107c478bd9Sstevel@tonic-gate * See the License for the specific language governing permissions
117c478bd9Sstevel@tonic-gate * and limitations under the License.
127c478bd9Sstevel@tonic-gate *
137c478bd9Sstevel@tonic-gate * When distributing Covered Code, include this CDDL HEADER in each
147c478bd9Sstevel@tonic-gate * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
157c478bd9Sstevel@tonic-gate * If applicable, add the following below this CDDL HEADER, with the
167c478bd9Sstevel@tonic-gate * fields enclosed by brackets "[]" replaced with your own identifying
177c478bd9Sstevel@tonic-gate * information: Portions Copyright [yyyy] [name of copyright owner]
187c478bd9Sstevel@tonic-gate *
197c478bd9Sstevel@tonic-gate * CDDL HEADER END
207c478bd9Sstevel@tonic-gate */
217c478bd9Sstevel@tonic-gate /* Copyright (c) 1984, 1986, 1987, 1988, 1989 AT&T */
227c478bd9Sstevel@tonic-gate /* All Rights Reserved */
237c478bd9Sstevel@tonic-gate
24*45916cd2Sjpk /*
25*45916cd2Sjpk * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
26*45916cd2Sjpk * Use is subject to license terms.
27*45916cd2Sjpk */
28*45916cd2Sjpk
297c478bd9Sstevel@tonic-gate /* EMACS_MODES: !fill, lnumb, !overwrite, !nodelete, !picture */
307c478bd9Sstevel@tonic-gate
317c478bd9Sstevel@tonic-gate #include "string.h"
327c478bd9Sstevel@tonic-gate #include "unistd.h"
337c478bd9Sstevel@tonic-gate
347c478bd9Sstevel@tonic-gate #include "lp.h"
357c478bd9Sstevel@tonic-gate #include "access.h"
36*45916cd2Sjpk #include <pwd.h>
37*45916cd2Sjpk #include <auth_attr.h>
38*45916cd2Sjpk #include <auth_list.h>
39*45916cd2Sjpk #include <tsol/label.h>
407c478bd9Sstevel@tonic-gate
/*
 * is_user_admin() - report whether the calling user is an LP administrator.
 *
 * On a labeled system (is_system_labeled() returns non-zero) the decision
 * is delegated to tsol_check_admin_auth() for the real uid of the process.
 * Otherwise the caller counts as an administrator unless
 * Access(Lp_A, W_OK) returns -1.
 *
 * Returns the tsol_check_admin_auth() result on a labeled system; on an
 * unlabeled system 1 for an administrator and 0 otherwise.
 *
 * NOTE(review): the labeled path keys on getuid(), i.e. the real uid.
 * Access() presumably wraps access(2), which also tests the real uid;
 * confirm, since this check is only meaningful for a set-uid caller if
 * both paths judge the invoking user rather than the effective one.
 */
int
#if defined(__STDC__)
is_user_admin(void)
#else
is_user_admin()
#endif
{
	if (!is_system_labeled()) {
		/* Unlabeled system: admin means write access to Lp_A. */
		return ((Access(Lp_A, W_OK) != -1) ? 1 : 0);
	}

	/* Labeled system: require the print administration authorization. */
	return (tsol_check_admin_auth(getuid()));
}
647c478bd9Sstevel@tonic-gate
/*
 * is_user_allowed() - check a user name against a pair of allow/deny lists.
 *
 *	user	name to test
 *	allow	allow list, or a null pointer
 *	deny	deny list, or a null pointer
 *
 * Returns 1 without consulting either list when bangequ() matches user
 * against LOCAL_LPUSER or LOCAL_ROOTUSER; otherwise returns whatever
 * allowed() decides for the same arguments.
 *
 * NOTE(review): the two built-in names can never be refused through the
 * lists, so this check is only as strong as the source of `user'.
 * Confirm that callers pass an authenticated identity, not a
 * client-supplied string.
 */
int
#if defined(__STDC__)
is_user_allowed(char *user, char **allow, char **deny)
#else
is_user_allowed(user, allow, deny)
	char *user, **allow, **deny;
#endif
{
	int	builtin;

	/* Names matching the built-in accounts bypass the lists entirely. */
	builtin = bangequ(user, LOCAL_LPUSER) || bangequ(user, LOCAL_ROOTUSER);

	return (builtin ? 1 : allowed(user, allow, deny));
}
887c478bd9Sstevel@tonic-gate
/*
 * is_user_allowed_form() - check whether a user may use a form.
 *
 *	user	name to test
 *	form	form whose access lists are loaded
 *
 * Loads the allow/deny lists with loadaccess(Lp_A_Forms, form, "", ...)
 * and evaluates them with is_user_allowed().
 *
 * Returns -1 if loadaccess() reports failure, otherwise the
 * is_user_allowed() result.  Callers must compare against -1 explicitly:
 * used as a plain truth value, the error return reads as "allowed".
 *
 * NOTE(review): the lists handed back by loadaccess() are not released
 * here.  If loadaccess() allocates them, every call leaks both lists;
 * confirm who owns them.
 */
int
#if defined(__STDC__)
is_user_allowed_form(char *user, char *form)
#else
is_user_allowed_form(user, form)
	char *user, *form;
#endif
{
	char	**allow;
	char	**deny;
	int	rc;

	rc = loadaccess(Lp_A_Forms, form, "", &allow, &deny);
	if (rc == -1)
		return (-1);

	return (is_user_allowed(user, allow, deny));
}
1137c478bd9Sstevel@tonic-gate
/*
 * is_user_allowed_printer() - check whether a user may use a printer.
 *
 *	user	name to test
 *	printer	printer whose user access lists are loaded
 *
 * Loads the allow/deny lists with
 * loadaccess(Lp_A_Printers, printer, UACCESSPREFIX, ...) and evaluates
 * them with is_user_allowed().
 *
 * Returns -1 if loadaccess() reports failure, otherwise the
 * is_user_allowed() result.  Callers must compare against -1 explicitly:
 * used as a plain truth value, the error return reads as "allowed".
 *
 * NOTE(review): the lists handed back by loadaccess() are not released
 * here.  If loadaccess() allocates them, every call leaks both lists;
 * confirm who owns them.
 */
int
#if defined(__STDC__)
is_user_allowed_printer(char *user, char *printer)
#else
is_user_allowed_printer(user, printer)
	char *user, *printer;
#endif
{
	char	**allow;
	char	**deny;
	int	rc;

	rc = loadaccess(Lp_A_Printers, printer, UACCESSPREFIX, &allow, &deny);
	if (rc == -1)
		return (-1);

	return (is_user_allowed(user, allow, deny));
}
1387c478bd9Sstevel@tonic-gate
/*
 * is_form_allowed_printer() - check whether a form may be used on a printer.
 *
 *	form	form name to test
 *	printer	printer whose form access lists are loaded
 *
 * Loads the allow/deny lists with
 * loadaccess(Lp_A_Printers, printer, FACCESSPREFIX, ...) and evaluates
 * them with allowed().  Unlike the user checks, no name is exempt from
 * the lists here.
 *
 * Returns -1 if loadaccess() reports failure, otherwise the allowed()
 * result.  Callers must compare against -1 explicitly: used as a plain
 * truth value, the error return reads as "allowed".
 *
 * NOTE(review): the lists handed back by loadaccess() are not released
 * here.  If loadaccess() allocates them, every call leaks both lists;
 * confirm who owns them.
 */
int
#if defined(__STDC__)
is_form_allowed_printer(char *form, char *printer)
#else
is_form_allowed_printer(form, printer)
	char *form, *printer;
#endif
{
	char	**allow;
	char	**deny;
	int	rc;

	rc = loadaccess(Lp_A_Printers, printer, FACCESSPREFIX, &allow, &deny);
	if (rc == -1)
		return (-1);

	return (allowed(form, allow, deny));
}
1637c478bd9Sstevel@tonic-gate
/*
 * allowed() - decide access for an item from a pair of allow/deny lists.
 *
 *	item	name to look up
 *	allow	allow list, or a null pointer if there is none
 *	deny	deny list, or a null pointer if there is none
 *
 * Precedence, as implemented:
 *   - An allow list, when present, is authoritative: the item is allowed
 *     only if bang_searchlist() finds it there, and the deny list is not
 *     consulted at all.
 *   - With only a deny list, the item is allowed unless
 *     bang_searchlist() finds it there.
 *   - With neither list, access is refused (default deny).
 *
 * Returns 1 if the item is allowed, 0 if it is not.
 */
int
#if defined(__STDC__)
allowed(char *item, char **allow, char **deny)
#else
allowed(item, allow, deny)
	char *item, **allow, **deny;
#endif
{
	if (allow != NULL)
		return (bang_searchlist(item, allow) ? 1 : 0);

	if (deny != NULL)
		return (bang_searchlist(item, deny) ? 0 : 1);

	/* No lists at all: nothing grants access. */
	return (0);
}
198*45916cd2Sjpk
/*
 * tsol_check_admin_auth() - check whether the user identified by uid
 * holds the PRINT_ADMIN_AUTH authorization.
 *
 *	uid	user id to look up
 *
 * The uid is mapped to a login name with getpwuid() and that name is
 * passed to chkauthattr().  Returns the chkauthattr() result.
 *
 * NOTE(review): when the uid has no passwd entry (or the entry has no
 * name) the authorization is checked for the empty name instead of being
 * refused outright.  Confirm that chkauthattr() cannot grant
 * PRINT_ADMIN_AUTH to "" (for example through system-wide defaults);
 * otherwise this should fail closed and return 0.
 */
int
tsol_check_admin_auth(uid_t uid)
{
	struct passwd	*pw = getpwuid(uid);
	char		*login = "";

	/* Use the passwd name only when the lookup produced one. */
	if (pw != NULL && pw->pw_name != NULL)
		login = pw->pw_name;

	return (chkauthattr(PRINT_ADMIN_AUTH, login));
}