xref: /illumos-gate/usr/src/cmd/lp/lib/access/allowed.c (revision 45916cd2)
17c478bd9Sstevel@tonic-gate /*
27c478bd9Sstevel@tonic-gate  * CDDL HEADER START
37c478bd9Sstevel@tonic-gate  *
47c478bd9Sstevel@tonic-gate  * The contents of this file are subject to the terms of the
5*45916cd2Sjpk  * Common Development and Distribution License (the "License").
6*45916cd2Sjpk  * You may not use this file except in compliance with the License.
77c478bd9Sstevel@tonic-gate  *
87c478bd9Sstevel@tonic-gate  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
97c478bd9Sstevel@tonic-gate  * or http://www.opensolaris.org/os/licensing.
107c478bd9Sstevel@tonic-gate  * See the License for the specific language governing permissions
117c478bd9Sstevel@tonic-gate  * and limitations under the License.
127c478bd9Sstevel@tonic-gate  *
137c478bd9Sstevel@tonic-gate  * When distributing Covered Code, include this CDDL HEADER in each
147c478bd9Sstevel@tonic-gate  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
157c478bd9Sstevel@tonic-gate  * If applicable, add the following below this CDDL HEADER, with the
167c478bd9Sstevel@tonic-gate  * fields enclosed by brackets "[]" replaced with your own identifying
177c478bd9Sstevel@tonic-gate  * information: Portions Copyright [yyyy] [name of copyright owner]
187c478bd9Sstevel@tonic-gate  *
197c478bd9Sstevel@tonic-gate  * CDDL HEADER END
207c478bd9Sstevel@tonic-gate  */
217c478bd9Sstevel@tonic-gate /*	Copyright (c) 1984, 1986, 1987, 1988, 1989 AT&T	*/
227c478bd9Sstevel@tonic-gate /*	  All Rights Reserved  	*/
237c478bd9Sstevel@tonic-gate 
247c478bd9Sstevel@tonic-gate 
25*45916cd2Sjpk #pragma ident	"%Z%%M%	%I%	%E% SMI"
26*45916cd2Sjpk 
27*45916cd2Sjpk /*
28*45916cd2Sjpk  * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
29*45916cd2Sjpk  * Use is subject to license terms.
30*45916cd2Sjpk  */
31*45916cd2Sjpk 
327c478bd9Sstevel@tonic-gate /* EMACS_MODES: !fill, lnumb, !overwrite, !nodelete, !picture */
337c478bd9Sstevel@tonic-gate 
347c478bd9Sstevel@tonic-gate #include "string.h"
357c478bd9Sstevel@tonic-gate #include "unistd.h"
367c478bd9Sstevel@tonic-gate 
377c478bd9Sstevel@tonic-gate #include "lp.h"
387c478bd9Sstevel@tonic-gate #include "access.h"
39*45916cd2Sjpk #include <pwd.h>
40*45916cd2Sjpk #include <auth_attr.h>
41*45916cd2Sjpk #include <auth_list.h>
42*45916cd2Sjpk #include <tsol/label.h>
437c478bd9Sstevel@tonic-gate 
447c478bd9Sstevel@tonic-gate /**
457c478bd9Sstevel@tonic-gate  ** is_user_admin() - CHECK IF CURRENT USER IS AN ADMINISTRATOR
467c478bd9Sstevel@tonic-gate  **/
477c478bd9Sstevel@tonic-gate 
487c478bd9Sstevel@tonic-gate int
497c478bd9Sstevel@tonic-gate #if	defined(__STDC__)
is_user_admin(void)507c478bd9Sstevel@tonic-gate is_user_admin (
517c478bd9Sstevel@tonic-gate 	void
527c478bd9Sstevel@tonic-gate )
537c478bd9Sstevel@tonic-gate #else
547c478bd9Sstevel@tonic-gate is_user_admin ()
557c478bd9Sstevel@tonic-gate #endif
567c478bd9Sstevel@tonic-gate {
57*45916cd2Sjpk 	/* For a labeled system, tsol_check_admin_auth is called
58*45916cd2Sjpk 	 * instead of using Access.
59*45916cd2Sjpk 	 */
60*45916cd2Sjpk 	if (is_system_labeled()) {
61*45916cd2Sjpk 		/* Check that user has print admin authorization */
62*45916cd2Sjpk 		return (tsol_check_admin_auth(getuid()));
63*45916cd2Sjpk 	} else {
64*45916cd2Sjpk 		return (Access(Lp_A, W_OK) == -1? 0 : 1);
65*45916cd2Sjpk 	}
667c478bd9Sstevel@tonic-gate }
677c478bd9Sstevel@tonic-gate 
687c478bd9Sstevel@tonic-gate /**
697c478bd9Sstevel@tonic-gate  ** is_user_allowed() - CHECK USER ACCESS ACCORDING TO ALLOW/DENY LISTS
707c478bd9Sstevel@tonic-gate  **/
717c478bd9Sstevel@tonic-gate 
727c478bd9Sstevel@tonic-gate int
737c478bd9Sstevel@tonic-gate #if	defined(__STDC__)
is_user_allowed(char * user,char ** allow,char ** deny)747c478bd9Sstevel@tonic-gate is_user_allowed (
757c478bd9Sstevel@tonic-gate 	char *			user,
767c478bd9Sstevel@tonic-gate 	char **			allow,
777c478bd9Sstevel@tonic-gate 	char **			deny
787c478bd9Sstevel@tonic-gate )
797c478bd9Sstevel@tonic-gate #else
807c478bd9Sstevel@tonic-gate is_user_allowed (user, allow, deny)
817c478bd9Sstevel@tonic-gate 	char			*user,
827c478bd9Sstevel@tonic-gate 				**allow,
837c478bd9Sstevel@tonic-gate 				**deny;
847c478bd9Sstevel@tonic-gate #endif
857c478bd9Sstevel@tonic-gate {
867c478bd9Sstevel@tonic-gate 	if (bangequ(user, LOCAL_LPUSER) || bangequ(user, LOCAL_ROOTUSER))
877c478bd9Sstevel@tonic-gate 		return (1);
887c478bd9Sstevel@tonic-gate 
897c478bd9Sstevel@tonic-gate 	return (allowed(user, allow, deny));
907c478bd9Sstevel@tonic-gate }
917c478bd9Sstevel@tonic-gate 
927c478bd9Sstevel@tonic-gate /**
937c478bd9Sstevel@tonic-gate  ** is_user_allowed_form() - CHECK USER ACCESS TO FORM
947c478bd9Sstevel@tonic-gate  **/
957c478bd9Sstevel@tonic-gate 
967c478bd9Sstevel@tonic-gate int
977c478bd9Sstevel@tonic-gate #if	defined(__STDC__)
is_user_allowed_form(char * user,char * form)987c478bd9Sstevel@tonic-gate is_user_allowed_form (
997c478bd9Sstevel@tonic-gate 	char *			user,
1007c478bd9Sstevel@tonic-gate 	char *			form
1017c478bd9Sstevel@tonic-gate )
1027c478bd9Sstevel@tonic-gate #else
1037c478bd9Sstevel@tonic-gate is_user_allowed_form (user, form)
1047c478bd9Sstevel@tonic-gate 	char			*user,
1057c478bd9Sstevel@tonic-gate 				*form;
1067c478bd9Sstevel@tonic-gate #endif
1077c478bd9Sstevel@tonic-gate {
1087c478bd9Sstevel@tonic-gate 	char			**allow,
1097c478bd9Sstevel@tonic-gate 				**deny;
1107c478bd9Sstevel@tonic-gate 
1117c478bd9Sstevel@tonic-gate 	if (loadaccess(Lp_A_Forms, form, "", &allow, &deny) == -1)
1127c478bd9Sstevel@tonic-gate 		return (-1);
1137c478bd9Sstevel@tonic-gate 
1147c478bd9Sstevel@tonic-gate 	return (is_user_allowed(user, allow, deny));
1157c478bd9Sstevel@tonic-gate }
1167c478bd9Sstevel@tonic-gate 
1177c478bd9Sstevel@tonic-gate /**
1187c478bd9Sstevel@tonic-gate  ** is_user_allowed_printer() - CHECK USER ACCESS TO PRINTER
1197c478bd9Sstevel@tonic-gate  **/
1207c478bd9Sstevel@tonic-gate 
1217c478bd9Sstevel@tonic-gate int
1227c478bd9Sstevel@tonic-gate #if	defined(__STDC__)
is_user_allowed_printer(char * user,char * printer)1237c478bd9Sstevel@tonic-gate is_user_allowed_printer (
1247c478bd9Sstevel@tonic-gate 	char *			user,
1257c478bd9Sstevel@tonic-gate 	char *			printer
1267c478bd9Sstevel@tonic-gate )
1277c478bd9Sstevel@tonic-gate #else
1287c478bd9Sstevel@tonic-gate is_user_allowed_printer (user, printer)
1297c478bd9Sstevel@tonic-gate 	char			*user,
1307c478bd9Sstevel@tonic-gate 				*printer;
1317c478bd9Sstevel@tonic-gate #endif
1327c478bd9Sstevel@tonic-gate {
1337c478bd9Sstevel@tonic-gate 	char			**allow,
1347c478bd9Sstevel@tonic-gate 				**deny;
1357c478bd9Sstevel@tonic-gate 
1367c478bd9Sstevel@tonic-gate 	if (loadaccess(Lp_A_Printers, printer, UACCESSPREFIX, &allow, &deny) == -1)
1377c478bd9Sstevel@tonic-gate 		return (-1);
1387c478bd9Sstevel@tonic-gate 
1397c478bd9Sstevel@tonic-gate 	return (is_user_allowed(user, allow, deny));
1407c478bd9Sstevel@tonic-gate }
1417c478bd9Sstevel@tonic-gate 
1427c478bd9Sstevel@tonic-gate /**
1437c478bd9Sstevel@tonic-gate  ** is_form_allowed_printer() - CHECK FORM USE ON PRINTER
1447c478bd9Sstevel@tonic-gate  **/
1457c478bd9Sstevel@tonic-gate 
1467c478bd9Sstevel@tonic-gate int
1477c478bd9Sstevel@tonic-gate #if	defined(__STDC__)
is_form_allowed_printer(char * form,char * printer)1487c478bd9Sstevel@tonic-gate is_form_allowed_printer (
1497c478bd9Sstevel@tonic-gate 	char *			form,
1507c478bd9Sstevel@tonic-gate 	char *			printer
1517c478bd9Sstevel@tonic-gate )
1527c478bd9Sstevel@tonic-gate #else
1537c478bd9Sstevel@tonic-gate is_form_allowed_printer (form, printer)
1547c478bd9Sstevel@tonic-gate 	char			*form,
1557c478bd9Sstevel@tonic-gate 				*printer;
1567c478bd9Sstevel@tonic-gate #endif
1577c478bd9Sstevel@tonic-gate {
1587c478bd9Sstevel@tonic-gate 	char			**allow,
1597c478bd9Sstevel@tonic-gate 				**deny;
1607c478bd9Sstevel@tonic-gate 
1617c478bd9Sstevel@tonic-gate 	if (loadaccess(Lp_A_Printers, printer, FACCESSPREFIX, &allow, &deny) == -1)
1627c478bd9Sstevel@tonic-gate 		return (-1);
1637c478bd9Sstevel@tonic-gate 
1647c478bd9Sstevel@tonic-gate 	return (allowed(form, allow, deny));
1657c478bd9Sstevel@tonic-gate }
1667c478bd9Sstevel@tonic-gate 
1677c478bd9Sstevel@tonic-gate /**
1687c478bd9Sstevel@tonic-gate  ** allowed() - GENERAL ROUTINE TO CHECK ALLOW/DENY LISTS
1697c478bd9Sstevel@tonic-gate  **/
1707c478bd9Sstevel@tonic-gate 
1717c478bd9Sstevel@tonic-gate int
1727c478bd9Sstevel@tonic-gate #if	defined(__STDC__)
allowed(char * item,char ** allow,char ** deny)1737c478bd9Sstevel@tonic-gate allowed (
1747c478bd9Sstevel@tonic-gate 	char *			item,
1757c478bd9Sstevel@tonic-gate 	char **			allow,
1767c478bd9Sstevel@tonic-gate 	char **			deny
1777c478bd9Sstevel@tonic-gate )
1787c478bd9Sstevel@tonic-gate #else
1797c478bd9Sstevel@tonic-gate allowed (item, allow, deny)
1807c478bd9Sstevel@tonic-gate 	char			*item,
1817c478bd9Sstevel@tonic-gate 				**allow,
1827c478bd9Sstevel@tonic-gate 				**deny;
1837c478bd9Sstevel@tonic-gate #endif
1847c478bd9Sstevel@tonic-gate {
1857c478bd9Sstevel@tonic-gate 	if (allow) {
1867c478bd9Sstevel@tonic-gate 		if (bang_searchlist(item, allow))
1877c478bd9Sstevel@tonic-gate 			return (1);
1887c478bd9Sstevel@tonic-gate 		else
1897c478bd9Sstevel@tonic-gate 			return (0);
1907c478bd9Sstevel@tonic-gate 	}
1917c478bd9Sstevel@tonic-gate 
1927c478bd9Sstevel@tonic-gate 	if (deny) {
1937c478bd9Sstevel@tonic-gate 		if (bang_searchlist(item, deny))
1947c478bd9Sstevel@tonic-gate 			return (0);
1957c478bd9Sstevel@tonic-gate 		else
1967c478bd9Sstevel@tonic-gate 			return (1);
1977c478bd9Sstevel@tonic-gate 	}
1987c478bd9Sstevel@tonic-gate 
1997c478bd9Sstevel@tonic-gate 	return (0);
2007c478bd9Sstevel@tonic-gate }
201*45916cd2Sjpk 
202*45916cd2Sjpk /*
203*45916cd2Sjpk  * Check to see if the specified user has the administer the printing
204*45916cd2Sjpk  * system authorization.
205*45916cd2Sjpk  */
206*45916cd2Sjpk int
tsol_check_admin_auth(uid_t uid)207*45916cd2Sjpk tsol_check_admin_auth(uid_t uid)
208*45916cd2Sjpk {
209*45916cd2Sjpk 	struct passwd *p;
210*45916cd2Sjpk 	char *name;
211*45916cd2Sjpk 
212*45916cd2Sjpk 	p = getpwuid(uid);
213*45916cd2Sjpk 	if (p != NULL && p->pw_name != NULL)
214*45916cd2Sjpk 		name = p->pw_name;
215*45916cd2Sjpk 	else
216*45916cd2Sjpk 		name = "";
217*45916cd2Sjpk 
218*45916cd2Sjpk 	return (chkauthattr(PRINT_ADMIN_AUTH, name));
219*45916cd2Sjpk }
220