[54] | 1 | /* mod_authz_afsgroup |
---|
| 2 | * version 1.0, released 2006-01-04 |
---|
| 3 | * Anders Kaseorg <anders@kaseorg.com> |
---|
| 4 | * |
---|
| 5 | * This module does authorization based on AFS groups: |
---|
| 6 | * Require afsgroup system:administrators |
---|
| 7 | * |
---|
| 8 | * It currently works by parsing the output of `pts membership |
---|
| 9 | * <group>`. |
---|
| 10 | */ |
---|
| 11 | |
---|
| 12 | #include "apr_strings.h" |
---|
| 13 | |
---|
| 14 | #include "ap_config.h" |
---|
| 15 | #include "httpd.h" |
---|
| 16 | #include "http_config.h" |
---|
| 17 | #include "http_core.h" |
---|
| 18 | #include "http_log.h" |
---|
| 19 | #include "http_protocol.h" |
---|
| 20 | #include "http_request.h" |
---|
| 21 | |
---|
| 22 | #include <unistd.h> |
---|
| 23 | #include <stdio.h> |
---|
| 24 | |
---|
| 25 | typedef struct { |
---|
| 26 | int authoritative; |
---|
| 27 | } authz_afsgroup_config_rec; |
---|
| 28 | |
---|
| 29 | static void *create_authz_afsgroup_dir_config(apr_pool_t *p, char *d) |
---|
| 30 | { |
---|
| 31 | authz_afsgroup_config_rec *conf = apr_palloc(p, sizeof(*conf)); |
---|
| 32 | |
---|
| 33 | conf->authoritative = 1; |
---|
| 34 | return conf; |
---|
| 35 | } |
---|
| 36 | |
---|
| 37 | static const command_rec authz_afsgroup_cmds[] = |
---|
| 38 | { |
---|
| 39 | AP_INIT_FLAG("AuthzAFSGroupAuthoritative", ap_set_flag_slot, |
---|
| 40 | (void *)APR_OFFSETOF(authz_afsgroup_config_rec, authoritative), |
---|
| 41 | OR_AUTHCFG, |
---|
| 42 | "Set to 'Off' to allow access control to be passed along to " |
---|
| 43 | "lower modules if the 'require afsgroup' statement is not " |
---|
| 44 | "met. (default: On)."), |
---|
| 45 | {NULL} |
---|
| 46 | }; |
---|
| 47 | |
---|
| 48 | module AP_MODULE_DECLARE_DATA authz_afsgroup_module; |
---|
| 49 | |
---|
| 50 | static int check_afsgroup_access(request_rec *r) |
---|
| 51 | { |
---|
| 52 | authz_afsgroup_config_rec *conf = ap_get_module_config(r->per_dir_config, |
---|
| 53 | &authz_afsgroup_module); |
---|
| 54 | char *user = r->user; |
---|
| 55 | int m = r->method_number; |
---|
| 56 | int required_afsgroup = 0; |
---|
| 57 | register int x; |
---|
| 58 | const char *t, *w; |
---|
| 59 | const apr_array_header_t *reqs_arr = ap_requires(r); |
---|
| 60 | require_line *reqs; |
---|
| 61 | |
---|
| 62 | if (!reqs_arr) { |
---|
| 63 | return DECLINED; |
---|
| 64 | } |
---|
| 65 | reqs = (require_line *)reqs_arr->elts; |
---|
| 66 | |
---|
| 67 | for (x = 0; x < reqs_arr->nelts; x++) { |
---|
| 68 | |
---|
| 69 | if (!(reqs[x].method_mask & (AP_METHOD_BIT << m))) { |
---|
| 70 | continue; |
---|
| 71 | } |
---|
| 72 | |
---|
| 73 | t = reqs[x].requirement; |
---|
| 74 | w = ap_getword_white(r->pool, &t); |
---|
| 75 | if (!strcasecmp(w, "afsgroup")) { |
---|
| 76 | required_afsgroup = 1; |
---|
| 77 | while (t[0]) { |
---|
| 78 | int pfd[2]; |
---|
| 79 | pid_t cpid; |
---|
| 80 | FILE *fp; |
---|
| 81 | char *line = NULL; |
---|
| 82 | char buf[256]; |
---|
| 83 | size_t len = 0; |
---|
| 84 | ssize_t read; |
---|
| 85 | w = ap_getword_conf(r->pool, &t); |
---|
| 86 | if (pipe(pfd) == -1) { |
---|
| 87 | ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, |
---|
| 88 | "pipe() failed!"); |
---|
| 89 | return HTTP_INTERNAL_SERVER_ERROR; |
---|
| 90 | } |
---|
| 91 | cpid = fork(); |
---|
| 92 | if (cpid == -1) { |
---|
| 93 | ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, |
---|
| 94 | "fork() failed!"); |
---|
| 95 | return HTTP_INTERNAL_SERVER_ERROR; |
---|
| 96 | } |
---|
| 97 | if (cpid == 0) { |
---|
| 98 | close(pfd[0]); |
---|
| 99 | dup2(pfd[1], STDOUT_FILENO); |
---|
| 100 | execve("/usr/bin/pts", |
---|
| 101 | (char *const[]) { |
---|
| 102 | "pts", "membership", "-nameorid", w, NULL |
---|
| 103 | }, |
---|
| 104 | NULL); |
---|
| 105 | _exit(1); |
---|
| 106 | } |
---|
| 107 | close(pfd[1]); |
---|
| 108 | fp = fdopen(pfd[0], "r"); |
---|
| 109 | if (fp == NULL) { |
---|
| 110 | close(pfd[0]); |
---|
| 111 | ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, |
---|
| 112 | "fdopen() failed!"); |
---|
| 113 | return HTTP_INTERNAL_SERVER_ERROR; |
---|
| 114 | } |
---|
| 115 | if (snprintf(buf, sizeof(buf), " %s\n", user) >= sizeof(buf)) { |
---|
| 116 | ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, |
---|
| 117 | "access to %s failed, reason: username '%s' " |
---|
| 118 | "is too long!", |
---|
| 119 | r->uri, user); |
---|
| 120 | continue; |
---|
| 121 | } |
---|
| 122 | while ((read = getline(&line, &len, fp)) != -1) { |
---|
| 123 | if (strcmp(line, buf) == 0) { |
---|
| 124 | return OK; |
---|
| 125 | } |
---|
| 126 | } |
---|
| 127 | if (line) |
---|
| 128 | free(line); |
---|
| 129 | fclose(fp); |
---|
| 130 | } |
---|
| 131 | } |
---|
| 132 | } |
---|
| 133 | |
---|
| 134 | if (!required_afsgroup) { |
---|
| 135 | return DECLINED; |
---|
| 136 | } |
---|
| 137 | |
---|
| 138 | if (!conf->authoritative) { |
---|
| 139 | return DECLINED; |
---|
| 140 | } |
---|
| 141 | |
---|
| 142 | ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, |
---|
| 143 | "access to %s failed, reason: user '%s' does not meet " |
---|
| 144 | "'require'ments for afsgroup to be allowed access", |
---|
| 145 | r->uri, user); |
---|
| 146 | |
---|
| 147 | ap_note_auth_failure(r); |
---|
| 148 | return HTTP_FORBIDDEN; |
---|
| 149 | } |
---|
| 150 | |
---|
| 151 | static void register_hooks(apr_pool_t *p) |
---|
| 152 | { |
---|
| 153 | ap_hook_auth_checker(check_afsgroup_access, NULL, NULL, APR_HOOK_MIDDLE); |
---|
| 154 | } |
---|
| 155 | |
---|
| 156 | module AP_MODULE_DECLARE_DATA authz_afsgroup_module = |
---|
| 157 | { |
---|
| 158 | STANDARD20_MODULE_STUFF, |
---|
| 159 | create_authz_afsgroup_dir_config, /* dir config creater */ |
---|
| 160 | NULL, /* dir merger --- default is to override */ |
---|
| 161 | NULL, /* server config */ |
---|
| 162 | NULL, /* merge server config */ |
---|
| 163 | authz_afsgroup_cmds, /* command apr_table_t */ |
---|
| 164 | register_hooks /* register hooks */ |
---|
| 165 | }; |
---|