author | Jakob Kaivo <jkk@ung.org> | 2021-02-01 12:37:42 -0500 |
---|---|---|
committer | Jakob Kaivo <jkk@ung.org> | 2021-02-01 12:37:42 -0500 |
commit | 84f1e99b6001420251d5d77f4f32928e9ace067e (patch) | |
tree | 95b331af51578e6aee3ce1ddb86b6ecb34fe5398 /check | |
parent | 9ccd9576784d719eebc7cf8b5d9eda8544186b3a (diff) |
actually parse privexec.conf
Diffstat (limited to 'check')
-rw-r--r-- | check/parse.c | 57 |
1 files changed, 54 insertions, 3 deletions
diff --git a/check/parse.c b/check/parse.c
index aded0b1..33d1aa5 100644
--- a/check/parse.c
+++ b/check/parse.c
@@ -5,9 +5,42 @@
 #include "check.h"
-enum permission get_permission(const char *user, const char *group, const char *cmd)
+static enum permission eval(const char *keyword, const char *principal, const char *cmd, const char *user, const char *group, const char *command)
+{
+ int pmatch = 0;
+ if (!strcmp(user, principal)) {
+ pmatch = 1;
+ }
+ if (principal[0] == ':' && !strcmp(group, principal + 1)) {
+ pmatch = 1;
+ }
+
+ int cmatch = 0;
+ if (cmd == NULL || !strcmp(cmd, command)) {
+ cmatch = 1;
+ }
+
+ if (!strcmp(keyword, "authorize")) {
+ if (cmatch && pmatch) {
+ return AUTHORIZED;
+ }
+ } else if (!strcmp(keyword, "authenticate")) {
+ if (cmatch && pmatch) {
+ return AUTHENTICATE;
+ }
+ } else if (!strcmp(keyword, "deny")) {
+ if (cmatch && pmatch) {
+ return DENIED;
+ }
+ } else {
+ fatal(0, "invalid keyword: %s", keyword);
+ }
+
+ return UNKNOWN;
+}
+
+enum permission get_permission(const char *user, const char *group, const char *command)
 {
- (void)user; (void)group; (void)cmd;
 enum permission perm = UNKNOWN;
 FILE *f = fopen(CONFIG_PATH, "r");
 if (f == NULL) {
@@ -24,11 +57,29 @@ enum permission get_permission(const char *user, const char *group, const char *
 if (*buf == '\n') {
 continue;
 }
+ buf[s-1] = '\0';
 char *space = strchr(buf, ' ');
 if (!space) {
- fatal(0, "invalid line in config: %s\n", buf);
+ fatal(0, "invalid line in config: %s", buf);
 }
+
+ char *keyword = buf;
+ *space = '\0';
+
+ char *principal = space + 1;
+ char *cmd = NULL;
+ space = strchr(principal, ' ');
+ if (space) {
+ *space = '\0';
+ cmd = space + 1;
+ }
+
+ enum permission tmp = eval(keyword, principal, cmd, user, group, command);
+ /* only increase, so deny trumps authenticate, which trumps authorize */
+ if (tmp > perm) {
+ perm = tmp;
+ }
 }
 if (s == -1 && ferror(f)) {
 fatal(1, "reading configuration"); |
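Review bot: The new `eval` has no header comment, and its contract is easy to misread because it takes two command strings, `cmd` (the rule's command, where NULL means "any command") and `command` (the command being requested), plus a `principal` whose leading `:` switches it from a user name to a group name. A short comment above the function stating that `cmd == NULL` is a wildcard, that `:name` matches against `group`, and that an unrecognised keyword is fatal would save the next reader from tracing the call site in `get_permission`. Also worth noting in that comment is that group membership is decided by the single `group` string the caller passes in; if that is only the user's primary group, a `deny :wheel` rule will not apply to a user who holds wheel as a supplementary group, which the caller should confirm. The returned values are later compared with `>` in the parse loop, so the comment could also state that the function relies on the ordering of `enum permission` declared outside this hunk.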
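Review bot: `buf[s-1] = '\0';` assumes the line ends in a newline, but the final line of privexec.conf may not; in that case the last character of the rule is dropped instead of the newline, so `deny :wheel rm` on an unterminated last line is parsed as command `r` and silently stops matching, which fails open for a deny rule. Guard the strip: `if (s > 0 && buf[s - 1] == '\n') {` / `buf[s - 1] = '\0';` / `}` (s looks like a getline() length given the `s == -1 && ferror(f)` check, but its declaration is outside the hunk). A related edge is a trailing space after the principal, which leaves `cmd` as the empty string rather than NULL and so matches nothing; rejecting an empty `cmd` through `fatal` (fail closed) would be safer than letting such a line become inert. The body of `get_permission` continues past the end of this hunk.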