17c478bd9Sstevel@tonic-gate /* 27c478bd9Sstevel@tonic-gate * CDDL HEADER START 37c478bd9Sstevel@tonic-gate * 47c478bd9Sstevel@tonic-gate * The contents of this file are subject to the terms of the 5*45916cd2Sjpk * Common Development and Distribution License (the "License"). 6*45916cd2Sjpk * You may not use this file except in compliance with the License. 77c478bd9Sstevel@tonic-gate * 87c478bd9Sstevel@tonic-gate * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 97c478bd9Sstevel@tonic-gate * or http://www.opensolaris.org/os/licensing. 107c478bd9Sstevel@tonic-gate * See the License for the specific language governing permissions 117c478bd9Sstevel@tonic-gate * and limitations under the License. 127c478bd9Sstevel@tonic-gate * 137c478bd9Sstevel@tonic-gate * When distributing Covered Code, include this CDDL HEADER in each 147c478bd9Sstevel@tonic-gate * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 157c478bd9Sstevel@tonic-gate * If applicable, add the following below this CDDL HEADER, with the 167c478bd9Sstevel@tonic-gate * fields enclosed by brackets "[]" replaced with your own identifying 177c478bd9Sstevel@tonic-gate * information: Portions Copyright [yyyy] [name of copyright owner] 187c478bd9Sstevel@tonic-gate * 197c478bd9Sstevel@tonic-gate * CDDL HEADER END 207c478bd9Sstevel@tonic-gate */ 217c478bd9Sstevel@tonic-gate /* Copyright (c) 1984, 1986, 1987, 1988, 1989 AT&T */ 227c478bd9Sstevel@tonic-gate /* All Rights Reserved */ 237c478bd9Sstevel@tonic-gate 247c478bd9Sstevel@tonic-gate 25*45916cd2Sjpk #pragma ident "%Z%%M% %I% %E% SMI" 26*45916cd2Sjpk 27*45916cd2Sjpk /* 28*45916cd2Sjpk * Copyright 2006 Sun Microsystems, Inc. All rights reserved. 29*45916cd2Sjpk * Use is subject to license terms. 30*45916cd2Sjpk */ 31*45916cd2Sjpk 327c478bd9Sstevel@tonic-gate /* EMACS_MODES: !fill, lnumb, !overwrite, !nodelete, !picture */ 337c478bd9Sstevel@tonic-gate 347c478bd9Sstevel@tonic-gate #include "string.h" 357c478bd9Sstevel@tonic-gate #include "unistd.h" 367c478bd9Sstevel@tonic-gate 377c478bd9Sstevel@tonic-gate #include "lp.h" 387c478bd9Sstevel@tonic-gate #include "access.h" 39*45916cd2Sjpk #include <pwd.h> 40*45916cd2Sjpk #include <auth_attr.h> 41*45916cd2Sjpk #include <auth_list.h> 42*45916cd2Sjpk #include <tsol/label.h> 437c478bd9Sstevel@tonic-gate 447c478bd9Sstevel@tonic-gate /** 457c478bd9Sstevel@tonic-gate ** is_user_admin() - CHECK IF CURRENT USER IS AN ADMINISTRATOR 467c478bd9Sstevel@tonic-gate **/ 477c478bd9Sstevel@tonic-gate 487c478bd9Sstevel@tonic-gate int 497c478bd9Sstevel@tonic-gate #if defined(__STDC__) 507c478bd9Sstevel@tonic-gate is_user_admin ( 517c478bd9Sstevel@tonic-gate void 527c478bd9Sstevel@tonic-gate ) 537c478bd9Sstevel@tonic-gate #else 547c478bd9Sstevel@tonic-gate is_user_admin () 557c478bd9Sstevel@tonic-gate #endif 567c478bd9Sstevel@tonic-gate { 57*45916cd2Sjpk /* For a labeled system, tsol_check_admin_auth is called 58*45916cd2Sjpk * instead of using Access. 59*45916cd2Sjpk */ 60*45916cd2Sjpk if (is_system_labeled()) { 61*45916cd2Sjpk /* Check that user has print admin authorization */ 62*45916cd2Sjpk return (tsol_check_admin_auth(getuid())); 63*45916cd2Sjpk } else { 64*45916cd2Sjpk return (Access(Lp_A, W_OK) == -1? 0 : 1); 65*45916cd2Sjpk } 667c478bd9Sstevel@tonic-gate } 677c478bd9Sstevel@tonic-gate 687c478bd9Sstevel@tonic-gate /** 697c478bd9Sstevel@tonic-gate ** is_user_allowed() - CHECK USER ACCESS ACCORDING TO ALLOW/DENY LISTS 707c478bd9Sstevel@tonic-gate **/ 717c478bd9Sstevel@tonic-gate 727c478bd9Sstevel@tonic-gate int 737c478bd9Sstevel@tonic-gate #if defined(__STDC__) 747c478bd9Sstevel@tonic-gate is_user_allowed ( 757c478bd9Sstevel@tonic-gate char * user, 767c478bd9Sstevel@tonic-gate char ** allow, 777c478bd9Sstevel@tonic-gate char ** deny 787c478bd9Sstevel@tonic-gate ) 797c478bd9Sstevel@tonic-gate #else 807c478bd9Sstevel@tonic-gate is_user_allowed (user, allow, deny) 817c478bd9Sstevel@tonic-gate char *user, 827c478bd9Sstevel@tonic-gate **allow, 837c478bd9Sstevel@tonic-gate **deny; 847c478bd9Sstevel@tonic-gate #endif 857c478bd9Sstevel@tonic-gate { 867c478bd9Sstevel@tonic-gate if (bangequ(user, LOCAL_LPUSER) || bangequ(user, LOCAL_ROOTUSER)) 877c478bd9Sstevel@tonic-gate return (1); 887c478bd9Sstevel@tonic-gate 897c478bd9Sstevel@tonic-gate return (allowed(user, allow, deny)); 907c478bd9Sstevel@tonic-gate } 917c478bd9Sstevel@tonic-gate 927c478bd9Sstevel@tonic-gate /** 937c478bd9Sstevel@tonic-gate ** is_user_allowed_form() - CHECK USER ACCESS TO FORM 947c478bd9Sstevel@tonic-gate **/ 957c478bd9Sstevel@tonic-gate 967c478bd9Sstevel@tonic-gate int 977c478bd9Sstevel@tonic-gate #if defined(__STDC__) 987c478bd9Sstevel@tonic-gate is_user_allowed_form ( 997c478bd9Sstevel@tonic-gate char * user, 1007c478bd9Sstevel@tonic-gate char * form 1017c478bd9Sstevel@tonic-gate ) 1027c478bd9Sstevel@tonic-gate #else 1037c478bd9Sstevel@tonic-gate is_user_allowed_form (user, form) 1047c478bd9Sstevel@tonic-gate char *user, 1057c478bd9Sstevel@tonic-gate *form; 1067c478bd9Sstevel@tonic-gate #endif 1077c478bd9Sstevel@tonic-gate { 1087c478bd9Sstevel@tonic-gate char **allow, 1097c478bd9Sstevel@tonic-gate **deny; 1107c478bd9Sstevel@tonic-gate 1117c478bd9Sstevel@tonic-gate if (loadaccess(Lp_A_Forms, form, "", &allow, &deny) == -1) 1127c478bd9Sstevel@tonic-gate return (-1); 1137c478bd9Sstevel@tonic-gate 1147c478bd9Sstevel@tonic-gate return (is_user_allowed(user, allow, deny)); 1157c478bd9Sstevel@tonic-gate } 1167c478bd9Sstevel@tonic-gate 1177c478bd9Sstevel@tonic-gate /** 1187c478bd9Sstevel@tonic-gate ** is_user_allowed_printer() - CHECK USER ACCESS TO PRINTER 1197c478bd9Sstevel@tonic-gate **/ 1207c478bd9Sstevel@tonic-gate 1217c478bd9Sstevel@tonic-gate int 1227c478bd9Sstevel@tonic-gate #if defined(__STDC__) 1237c478bd9Sstevel@tonic-gate is_user_allowed_printer ( 1247c478bd9Sstevel@tonic-gate char * user, 1257c478bd9Sstevel@tonic-gate char * printer 1267c478bd9Sstevel@tonic-gate ) 1277c478bd9Sstevel@tonic-gate #else 1287c478bd9Sstevel@tonic-gate is_user_allowed_printer (user, printer) 1297c478bd9Sstevel@tonic-gate char *user, 1307c478bd9Sstevel@tonic-gate *printer; 1317c478bd9Sstevel@tonic-gate #endif 1327c478bd9Sstevel@tonic-gate { 1337c478bd9Sstevel@tonic-gate char **allow, 1347c478bd9Sstevel@tonic-gate **deny; 1357c478bd9Sstevel@tonic-gate 1367c478bd9Sstevel@tonic-gate if (loadaccess(Lp_A_Printers, printer, UACCESSPREFIX, &allow, &deny) == -1) 1377c478bd9Sstevel@tonic-gate return (-1); 1387c478bd9Sstevel@tonic-gate 1397c478bd9Sstevel@tonic-gate return (is_user_allowed(user, allow, deny)); 1407c478bd9Sstevel@tonic-gate } 1417c478bd9Sstevel@tonic-gate 1427c478bd9Sstevel@tonic-gate /** 1437c478bd9Sstevel@tonic-gate ** is_form_allowed_printer() - CHECK FORM USE ON PRINTER 1447c478bd9Sstevel@tonic-gate **/ 1457c478bd9Sstevel@tonic-gate 1467c478bd9Sstevel@tonic-gate int 1477c478bd9Sstevel@tonic-gate #if defined(__STDC__) 1487c478bd9Sstevel@tonic-gate is_form_allowed_printer ( 1497c478bd9Sstevel@tonic-gate char * form, 1507c478bd9Sstevel@tonic-gate char * printer 1517c478bd9Sstevel@tonic-gate ) 1527c478bd9Sstevel@tonic-gate #else 1537c478bd9Sstevel@tonic-gate is_form_allowed_printer (form, printer) 1547c478bd9Sstevel@tonic-gate char *form, 1557c478bd9Sstevel@tonic-gate *printer; 1567c478bd9Sstevel@tonic-gate #endif 1577c478bd9Sstevel@tonic-gate { 1587c478bd9Sstevel@tonic-gate char **allow, 1597c478bd9Sstevel@tonic-gate **deny; 1607c478bd9Sstevel@tonic-gate 1617c478bd9Sstevel@tonic-gate if (loadaccess(Lp_A_Printers, printer, FACCESSPREFIX, &allow, &deny) == -1) 1627c478bd9Sstevel@tonic-gate return (-1); 1637c478bd9Sstevel@tonic-gate 1647c478bd9Sstevel@tonic-gate return (allowed(form, allow, deny)); 1657c478bd9Sstevel@tonic-gate } 1667c478bd9Sstevel@tonic-gate 1677c478bd9Sstevel@tonic-gate /** 1687c478bd9Sstevel@tonic-gate ** allowed() - GENERAL ROUTINE TO CHECK ALLOW/DENY LISTS 1697c478bd9Sstevel@tonic-gate **/ 1707c478bd9Sstevel@tonic-gate 1717c478bd9Sstevel@tonic-gate int 1727c478bd9Sstevel@tonic-gate #if defined(__STDC__) 1737c478bd9Sstevel@tonic-gate allowed ( 1747c478bd9Sstevel@tonic-gate char * item, 1757c478bd9Sstevel@tonic-gate char ** allow, 1767c478bd9Sstevel@tonic-gate char ** deny 1777c478bd9Sstevel@tonic-gate ) 1787c478bd9Sstevel@tonic-gate #else 1797c478bd9Sstevel@tonic-gate allowed (item, allow, deny) 1807c478bd9Sstevel@tonic-gate char *item, 1817c478bd9Sstevel@tonic-gate **allow, 1827c478bd9Sstevel@tonic-gate **deny; 1837c478bd9Sstevel@tonic-gate #endif 1847c478bd9Sstevel@tonic-gate { 1857c478bd9Sstevel@tonic-gate if (allow) { 1867c478bd9Sstevel@tonic-gate if (bang_searchlist(item, allow)) 1877c478bd9Sstevel@tonic-gate return (1); 1887c478bd9Sstevel@tonic-gate else 1897c478bd9Sstevel@tonic-gate return (0); 1907c478bd9Sstevel@tonic-gate } 1917c478bd9Sstevel@tonic-gate 1927c478bd9Sstevel@tonic-gate if (deny) { 1937c478bd9Sstevel@tonic-gate if (bang_searchlist(item, deny)) 1947c478bd9Sstevel@tonic-gate return (0); 1957c478bd9Sstevel@tonic-gate else 1967c478bd9Sstevel@tonic-gate return (1); 1977c478bd9Sstevel@tonic-gate } 1987c478bd9Sstevel@tonic-gate 1997c478bd9Sstevel@tonic-gate return (0); 2007c478bd9Sstevel@tonic-gate } 201*45916cd2Sjpk 202*45916cd2Sjpk /* 203*45916cd2Sjpk * Check to see if the specified user has the administer the printing 204*45916cd2Sjpk * system authorization. 205*45916cd2Sjpk */ 206*45916cd2Sjpk int 207*45916cd2Sjpk tsol_check_admin_auth(uid_t uid) 208*45916cd2Sjpk { 209*45916cd2Sjpk struct passwd *p; 210*45916cd2Sjpk char *name; 211*45916cd2Sjpk 212*45916cd2Sjpk p = getpwuid(uid); 213*45916cd2Sjpk if (p != NULL && p->pw_name != NULL) 214*45916cd2Sjpk name = p->pw_name; 215*45916cd2Sjpk else 216*45916cd2Sjpk name = ""; 217*45916cd2Sjpk 218*45916cd2Sjpk return (chkauthattr(PRINT_ADMIN_AUTH, name)); 219*45916cd2Sjpk } 220