128b1e50eSSriharsha Basavapatna /*
228b1e50eSSriharsha Basavapatna * CDDL HEADER START
328b1e50eSSriharsha Basavapatna *
428b1e50eSSriharsha Basavapatna * The contents of this file are subject to the terms of the
528b1e50eSSriharsha Basavapatna * Common Development and Distribution License (the "License").
628b1e50eSSriharsha Basavapatna * You may not use this file except in compliance with the License.
728b1e50eSSriharsha Basavapatna *
828b1e50eSSriharsha Basavapatna * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
928b1e50eSSriharsha Basavapatna * or http://www.opensolaris.org/os/licensing.
1028b1e50eSSriharsha Basavapatna * See the License for the specific language governing permissions
1128b1e50eSSriharsha Basavapatna * and limitations under the License.
1228b1e50eSSriharsha Basavapatna *
1328b1e50eSSriharsha Basavapatna * When distributing Covered Code, include this CDDL HEADER in each
1428b1e50eSSriharsha Basavapatna * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
1528b1e50eSSriharsha Basavapatna * If applicable, add the following below this CDDL HEADER, with the
1628b1e50eSSriharsha Basavapatna * fields enclosed by brackets "[]" replaced with your own identifying
1728b1e50eSSriharsha Basavapatna * information: Portions Copyright [yyyy] [name of copyright owner]
1828b1e50eSSriharsha Basavapatna *
1928b1e50eSSriharsha Basavapatna * CDDL HEADER END
2028b1e50eSSriharsha Basavapatna */
2128b1e50eSSriharsha Basavapatna
2228b1e50eSSriharsha Basavapatna /*
2328b1e50eSSriharsha Basavapatna * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
2428b1e50eSSriharsha Basavapatna * Use is subject to license terms.
2528b1e50eSSriharsha Basavapatna */
2628b1e50eSSriharsha Basavapatna
2728b1e50eSSriharsha Basavapatna /*
2828b1e50eSSriharsha Basavapatna * Authorization checking:
2928b1e50eSSriharsha Basavapatna *
3028b1e50eSSriharsha Basavapatna * These functions check 'vntsd' authorization to access guest consoles.
3128b1e50eSSriharsha Basavapatna * The mechanism used is Solaris authorizations. The local client (telnet)
3228b1e50eSSriharsha Basavapatna * process requesting the connection to a console is verified to have the
3328b1e50eSSriharsha Basavapatna * required authorization.
3428b1e50eSSriharsha Basavapatna *
3528b1e50eSSriharsha Basavapatna * Authorizations available are to access the console of any/all guests or to
3628b1e50eSSriharsha Basavapatna * access the consoles of a specific console group. A client connecting to the
3728b1e50eSSriharsha Basavapatna * console through telnet must have the appropriate authorization from file
3828b1e50eSSriharsha Basavapatna * /etc/security/auth_attr.
3928b1e50eSSriharsha Basavapatna *
4028b1e50eSSriharsha Basavapatna * The all-consoles authorization is added during vntsd installation:
4128b1e50eSSriharsha Basavapatna * solaris.vntsd.consoles:::Access All LDoms Guest Consoles::
4228b1e50eSSriharsha Basavapatna *
4328b1e50eSSriharsha Basavapatna * Example of a specific console group authorization based on the name of the
4428b1e50eSSriharsha Basavapatna * console group (added manually by a user with 'vntsd.grant' authorization,
4528b1e50eSSriharsha Basavapatna * such as 'root'); the group name in this example is "ldg1" :
4628b1e50eSSriharsha Basavapatna * solaris.vntsd.console-ldg1:::Access Specific LDoms Guest Console::
4728b1e50eSSriharsha Basavapatna *
48*bbf21555SRichard Lowe * Specific users are authorized with usermod(8). To add an authorization
4928b1e50eSSriharsha Basavapatna * (to /etc/user_attr) type a command similar to this (when user NOT
5028b1e50eSSriharsha Basavapatna * logged in):
5128b1e50eSSriharsha Basavapatna *
5228b1e50eSSriharsha Basavapatna * To authorize a user 'user1' to access all guest consoles:
5328b1e50eSSriharsha Basavapatna * # usermod -A solaris.vntsd.consoles user1
5428b1e50eSSriharsha Basavapatna *
5528b1e50eSSriharsha Basavapatna */
5628b1e50eSSriharsha Basavapatna
5728b1e50eSSriharsha Basavapatna #include <sys/types.h> /* uid_t */
5828b1e50eSSriharsha Basavapatna #include <sys/param.h> /* MAXNAMELEN */
5928b1e50eSSriharsha Basavapatna #include <pwd.h> /* getpw*() */
6028b1e50eSSriharsha Basavapatna #include <auth_attr.h> /* chkauthattr() */
6128b1e50eSSriharsha Basavapatna #include <secdb.h> /* chkauthattr() */
6228b1e50eSSriharsha Basavapatna #include <ucred.h> /* getpeerucred() */
6328b1e50eSSriharsha Basavapatna #include <errno.h> /* errno */
6428b1e50eSSriharsha Basavapatna
6528b1e50eSSriharsha Basavapatna #define VNTSD_AUTH_ALLCONS "solaris.vntsd.consoles" /* all-consoles auth */
6628b1e50eSSriharsha Basavapatna #define VNTSD_AUTH_GRPCONS "solaris.vntsd.console-" /* cons-group auth */
6728b1e50eSSriharsha Basavapatna #define VNTSD_AUTH_PREFIXLEN 32 /* max len of prefix */
6828b1e50eSSriharsha Basavapatna
6928b1e50eSSriharsha Basavapatna /*
7028b1e50eSSriharsha Basavapatna * socket_peer_euid()
7128b1e50eSSriharsha Basavapatna *
7228b1e50eSSriharsha Basavapatna * Return the effective UID (EUID) of the socket peer.
7328b1e50eSSriharsha Basavapatna * If none, return -1.
7428b1e50eSSriharsha Basavapatna *
7528b1e50eSSriharsha Basavapatna * Parameters:
7628b1e50eSSriharsha Basavapatna * sock_fd The socket fd of a locally-connected socket (mapped to a pid)
7728b1e50eSSriharsha Basavapatna *
7828b1e50eSSriharsha Basavapatna * Returns:
7928b1e50eSSriharsha Basavapatna * EUID if OK
8028b1e50eSSriharsha Basavapatna * -1 on failure or unknown EUID (passed on from ucred_geteuid()).
8128b1e50eSSriharsha Basavapatna */
8228b1e50eSSriharsha Basavapatna static uid_t
socket_peer_euid(int sock_fd)8328b1e50eSSriharsha Basavapatna socket_peer_euid(int sock_fd)
8428b1e50eSSriharsha Basavapatna {
8528b1e50eSSriharsha Basavapatna int rc;
8628b1e50eSSriharsha Basavapatna uid_t peer_euid;
8728b1e50eSSriharsha Basavapatna ucred_t *ucredp = NULL;
8828b1e50eSSriharsha Basavapatna
8928b1e50eSSriharsha Basavapatna /* Get info on the peer on the other side of the socket */
9028b1e50eSSriharsha Basavapatna rc = getpeerucred(sock_fd, &ucredp);
9128b1e50eSSriharsha Basavapatna if (rc == -1) {
9228b1e50eSSriharsha Basavapatna /* If errno is EINVAL, it's probably a non-local socket peer */
9328b1e50eSSriharsha Basavapatna return ((uid_t)-1);
9428b1e50eSSriharsha Basavapatna }
9528b1e50eSSriharsha Basavapatna
9628b1e50eSSriharsha Basavapatna /* Extract effective UID (EUID) info for the socket peer process */
9728b1e50eSSriharsha Basavapatna peer_euid = ucred_geteuid(ucredp);
9828b1e50eSSriharsha Basavapatna ucred_free(ucredp);
9928b1e50eSSriharsha Basavapatna
10028b1e50eSSriharsha Basavapatna /* Return EUID */
10128b1e50eSSriharsha Basavapatna return (peer_euid);
10228b1e50eSSriharsha Basavapatna }
10328b1e50eSSriharsha Basavapatna
10428b1e50eSSriharsha Basavapatna /*
10528b1e50eSSriharsha Basavapatna * auth_check_username()
10628b1e50eSSriharsha Basavapatna *
10728b1e50eSSriharsha Basavapatna * Check vntsd console authorization, given a user account.
10828b1e50eSSriharsha Basavapatna *
10928b1e50eSSriharsha Basavapatna * Parameters:
11028b1e50eSSriharsha Basavapatna * username The name of a user account to check authorization
11128b1e50eSSriharsha Basavapatna * group_name The name of the console group to check authorization. The max
11228b1e50eSSriharsha Basavapatna * length of group name is MAXPATHLEN.
11328b1e50eSSriharsha Basavapatna *
11428b1e50eSSriharsha Basavapatna * Returns:
11528b1e50eSSriharsha Basavapatna * 0 if OK (authorized), 1 on authorization failure.
11628b1e50eSSriharsha Basavapatna */
11728b1e50eSSriharsha Basavapatna static int
auth_check_username(char * username,char * group_name)11828b1e50eSSriharsha Basavapatna auth_check_username(char *username, char *group_name)
11928b1e50eSSriharsha Basavapatna {
12028b1e50eSSriharsha Basavapatna int auth_granted = 0;
12128b1e50eSSriharsha Basavapatna char authname[VNTSD_AUTH_PREFIXLEN + MAXPATHLEN];
12228b1e50eSSriharsha Basavapatna size_t len = VNTSD_AUTH_PREFIXLEN + MAXPATHLEN;
12328b1e50eSSriharsha Basavapatna
12428b1e50eSSriharsha Basavapatna /* Sanity check: */
12528b1e50eSSriharsha Basavapatna if ((username == NULL) || (username[0] == '\0') ||
12628b1e50eSSriharsha Basavapatna (group_name == NULL) || (group_name[0] == '\0')) {
12728b1e50eSSriharsha Basavapatna return (1); /* error (bad parameter) */
12828b1e50eSSriharsha Basavapatna }
12928b1e50eSSriharsha Basavapatna
13028b1e50eSSriharsha Basavapatna (void) snprintf(authname, len, VNTSD_AUTH_GRPCONS"%s", group_name);
13128b1e50eSSriharsha Basavapatna
13228b1e50eSSriharsha Basavapatna /*
13328b1e50eSSriharsha Basavapatna * Do authorization checking.
13428b1e50eSSriharsha Basavapatna * First, check if the user is authorized access to all consoles. If it
13528b1e50eSSriharsha Basavapatna * fails, check authorization to the specific console group.
13628b1e50eSSriharsha Basavapatna */
13728b1e50eSSriharsha Basavapatna auth_granted = chkauthattr(VNTSD_AUTH_ALLCONS, username);
13828b1e50eSSriharsha Basavapatna if (auth_granted)
13928b1e50eSSriharsha Basavapatna return (0);
14028b1e50eSSriharsha Basavapatna
14128b1e50eSSriharsha Basavapatna auth_granted = chkauthattr(authname, username);
14228b1e50eSSriharsha Basavapatna if (auth_granted)
14328b1e50eSSriharsha Basavapatna return (0);
14428b1e50eSSriharsha Basavapatna
14528b1e50eSSriharsha Basavapatna return (1);
14628b1e50eSSriharsha Basavapatna }
14728b1e50eSSriharsha Basavapatna
14828b1e50eSSriharsha Basavapatna /*
14928b1e50eSSriharsha Basavapatna * auth_check_euid()
15028b1e50eSSriharsha Basavapatna *
15128b1e50eSSriharsha Basavapatna * Check vntsd console authorization, given a EUID.
15228b1e50eSSriharsha Basavapatna *
15328b1e50eSSriharsha Basavapatna * Parameters:
15428b1e50eSSriharsha Basavapatna * euid The effective UID of a user account to check authorization
15528b1e50eSSriharsha Basavapatna * group_name The name of the console group to check authorization
15628b1e50eSSriharsha Basavapatna *
15728b1e50eSSriharsha Basavapatna * Returns:
15828b1e50eSSriharsha Basavapatna * 0 if OK (authorized), 1 on authorization failure.
15928b1e50eSSriharsha Basavapatna */
16028b1e50eSSriharsha Basavapatna static int
auth_check_euid(uid_t euid,char * group_name)16128b1e50eSSriharsha Basavapatna auth_check_euid(uid_t euid, char *group_name)
16228b1e50eSSriharsha Basavapatna {
16328b1e50eSSriharsha Basavapatna struct passwd *passwdp = NULL;
16428b1e50eSSriharsha Basavapatna char *username = NULL;
16528b1e50eSSriharsha Basavapatna
16628b1e50eSSriharsha Basavapatna /* If EUID is -1, then it's unknown, so fail */
16728b1e50eSSriharsha Basavapatna if (euid == (uid_t)-1) {
16828b1e50eSSriharsha Basavapatna return (1);
16928b1e50eSSriharsha Basavapatna }
17028b1e50eSSriharsha Basavapatna
17128b1e50eSSriharsha Basavapatna /* Map EUID to user name */
17228b1e50eSSriharsha Basavapatna passwdp = getpwuid(euid);
17328b1e50eSSriharsha Basavapatna if (passwdp == NULL) { /* lookup failed */
17428b1e50eSSriharsha Basavapatna return (1);
17528b1e50eSSriharsha Basavapatna }
17628b1e50eSSriharsha Basavapatna username = passwdp->pw_name;
17728b1e50eSSriharsha Basavapatna
17828b1e50eSSriharsha Basavapatna /* Do authorization check: */
17928b1e50eSSriharsha Basavapatna return (auth_check_username(username, group_name));
18028b1e50eSSriharsha Basavapatna }
18128b1e50eSSriharsha Basavapatna
18228b1e50eSSriharsha Basavapatna /*
18328b1e50eSSriharsha Basavapatna * auth_check_fd()
18428b1e50eSSriharsha Basavapatna *
18528b1e50eSSriharsha Basavapatna * Check vntsd authorization, given a fd of a socket. The socket fd is mapped
18628b1e50eSSriharsha Basavapatna * to a pid (and should not be used for remote connections).
18728b1e50eSSriharsha Basavapatna *
18828b1e50eSSriharsha Basavapatna * Parameters:
18928b1e50eSSriharsha Basavapatna * sock_fd The socket fd of a locally-connected socket (mapped to a pid)
19028b1e50eSSriharsha Basavapatna * group_name The name of the console group to check authorization
19128b1e50eSSriharsha Basavapatna *
19228b1e50eSSriharsha Basavapatna * Returns:
19328b1e50eSSriharsha Basavapatna * B_TRUE if OK (authorized), B_FALSE on authorization failure.
19428b1e50eSSriharsha Basavapatna */
19528b1e50eSSriharsha Basavapatna boolean_t
auth_check_fd(int sock_fd,char * group_name)19628b1e50eSSriharsha Basavapatna auth_check_fd(int sock_fd, char *group_name)
19728b1e50eSSriharsha Basavapatna {
19828b1e50eSSriharsha Basavapatna uid_t peer_euid;
19928b1e50eSSriharsha Basavapatna int rv;
20028b1e50eSSriharsha Basavapatna
20128b1e50eSSriharsha Basavapatna peer_euid = socket_peer_euid(sock_fd);
20228b1e50eSSriharsha Basavapatna if (peer_euid == (uid_t)-1) { /* unknown EUID */
20328b1e50eSSriharsha Basavapatna return (B_FALSE);
20428b1e50eSSriharsha Basavapatna }
20528b1e50eSSriharsha Basavapatna
20628b1e50eSSriharsha Basavapatna /* Do authorization check: */
20728b1e50eSSriharsha Basavapatna rv = auth_check_euid(peer_euid, group_name);
20828b1e50eSSriharsha Basavapatna if (rv != 0) {
20928b1e50eSSriharsha Basavapatna return (B_FALSE);
21028b1e50eSSriharsha Basavapatna }
21128b1e50eSSriharsha Basavapatna return (B_TRUE);
21228b1e50eSSriharsha Basavapatna }
213