diff options
| author | Jakob Kaivo <jkk@ung.org> | 2021-02-01 12:05:48 -0500 |
|---|---|---|
| committer | Jakob Kaivo <jkk@ung.org> | 2021-02-01 12:05:48 -0500 |
| commit | 5fd418a22a0b9631328b7516a901f829016a3be2 (patch) | |
| tree | f9cf274b58bf417dfc1d6429c9895c616d0d6655 | |
| parent | 93854e37b25f7bb134291fc36956a3488e5cd201 (diff) | |
outline of check program
| -rw-r--r-- | check/Makefile | 32 | ||||
| -rw-r--r-- | check/check.c | 95 | ||||
| -rw-r--r-- | check/check.h | 13 | ||||
| -rw-r--r-- | check/parse.c | 44 |
4 files changed, 184 insertions, 0 deletions
diff --git a/check/Makefile b/check/Makefile new file mode 100644 index 0000000..67b3f91 --- /dev/null +++ b/check/Makefile @@ -0,0 +1,32 @@ +.POSIX: + +# This Makefile was generated by maje +# See https://gitlab.com/jkaivo/maje/ for more information +# Do not edit this Makefile by hand + +CC=c99 +LD=$(CC) +CFLAGS=-Wall -Wextra -Wpedantic -Werror -g +LDFLAGS= +LDLIBS= +SRCDIR=. +OBJDIR=. +BINDIR=$(OBJDIR) + +all: $(BINDIR)/check + +clean: + rm -f $(BINDIR)/check $(OBJDIR)/*.o + +$(BINDIR)/check: $(OBJDIR)/parse.o +$(OBJDIR)/parse.o: $(SRCDIR)/check.h +$(OBJDIR)/parse.o: $(SRCDIR)/parse.c + $(CC) $(CFLAGS) -o $@ -c $(SRCDIR)/parse.c + +$(BINDIR)/check: $(OBJDIR)/check.o +$(OBJDIR)/check.o: $(SRCDIR)/check.h +$(OBJDIR)/check.o: $(SRCDIR)/check.c + $(CC) $(CFLAGS) -o $@ -c $(SRCDIR)/check.c + +$(BINDIR)/check: + $(LD) $(LDFLAGS) -o $@ $(OBJDIR)/*.o $(LDLIBS) diff --git a/check/check.c b/check/check.c new file mode 100644 index 0000000..a776053 --- /dev/null +++ b/check/check.c @@ -0,0 +1,95 @@ +#define _POSIX_C_SOURCE 200809L +#include <errno.h> +#include <grp.h> +#include <locale.h> +#include <stdarg.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <pwd.h> +#include <unistd.h> + +#include "check.h" + +static char *progname = NULL; + +void fatal(int include_errno, char *fmt, ...) +{ + fprintf(stderr, "%s: ", progname); + va_list ap; + va_start(ap, fmt); + vfprintf(stderr, fmt, ap); + va_end(ap); + if (include_errno) { + fprintf(stderr, ": %s", strerror(errno)); + } + fputc('\n', stderr); + exit(EXIT_FAILURE); +} + +static int authorize(const char *user) +{ + (void)user; + return 1; +} + +static char *get_username(void) +{ + struct passwd *pwd = getpwuid(getuid()); + if (pwd == NULL) { + fatal(1, "unable to determine user name"); + } + printf("checking for user %s\n", pwd->pw_name); + return pwd->pw_name; +} + +static char *get_groupname(void) +{ + struct group *grp = getgrgid(getgid()); + if (grp == NULL) { + fatal(1, "unable to determine group name"); + } + printf("checking for group %s\n", grp->gr_name); + return grp->gr_name; +} + +static char *get_command(int argc, char *argv[]) +{ + if (argc < 2) { + fatal(1, "missing operands"); + } + + printf("checking command %s\n", argv[1]); + return argv[1]; +} + +int main(int argc, char *argv[]) +{ + setlocale(LC_ALL, ""); + progname = argv[0]; + + char *cmd = get_command(argc, argv); + char *user = get_username(); + char *group = get_groupname(); + + switch (get_permission(user, group, cmd)) { + case NEED_AUTH: + if (authorize(user) != 0) { + fatal(0, "bad authorization"); + } + /* FALLTHRU */ + case NO_AUTH: + puts("granted"); + return 0; + + case DENIED: + fatal(0, "explicitly denied"); + return 1; + + case UNKNOWN: + default: + fatal(0, "denied by default"); + } + + return 1; +} diff --git a/check/check.h b/check/check.h new file mode 100644 index 0000000..b4650af --- /dev/null +++ b/check/check.h @@ -0,0 +1,13 @@ +#ifndef PRIVEXEC_CHECK_H +#define PRIVEXEC_CHECK_H + +#ifndef CONFIG_PATH +#define CONFIG_PATH "/etc/privexec.conf" +#endif + +enum permission { UNKNOWN, NO_AUTH, NEED_AUTH, DENIED }; + +void fatal(int include_errno, char *fmt, ...); +enum permission get_permission(const char *user, const char *group, const char *cmd); + +#endif diff --git a/check/parse.c b/check/parse.c new file mode 100644 index 0000000..aded0b1 --- /dev/null +++ b/check/parse.c @@ -0,0 +1,44 @@ +#define _POSIX_C_SOURCE 200809L +#include <stdio.h> +#include <stdlib.h> +#include <string.h> + +#include "check.h" + +enum permission get_permission(const char *user, const char *group, const char *cmd) +{ + (void)user; (void)group; (void)cmd; + enum permission perm = UNKNOWN; + FILE *f = fopen(CONFIG_PATH, "r"); + if (f == NULL) { + fatal(1, CONFIG_PATH); + } + + ssize_t s = 0; + char *buf = NULL; + size_t len = 0; + while ((s = getline(&buf, &len, f)) > 0) { + if (*buf == '#') { + continue; + } + if (*buf == '\n') { + continue; + } + + char *space = strchr(buf, ' '); + if (!space) { + fatal(0, "invalid line in config: %s\n", buf); + } + } + if (s == -1 && ferror(f)) { + fatal(1, "reading configuration"); + } + + if (buf) { + free(buf); + } + if (f) { + fclose(f); + } + return perm; +} |