4  * The contents of this file are subject to the terms of the
   5  * Common Development and Distribution License (the "License").
   6  * You may not use this file except in compliance with the License.
   7  *
   8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
   9  * or http://www.opensolaris.org/os/licensing.
  10  * See the License for the specific language governing permissions
  11  * and limitations under the License.
  12  *
  13  * When distributing Covered Code, include this CDDL HEADER in each
  14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  15  * If applicable, add the following below this CDDL HEADER, with the
  16  * fields enclosed by brackets "[]" replaced with your own identifying
  17  * information: Portions Copyright [yyyy] [name of copyright owner]
  18  *
  19  * CDDL HEADER END
  20  */
  21 
  22 /*
  23  * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved.
  24  * Copyright 2017 OmniOS Community Edition (OmniOSce) Association.
  25  */
  26 
  27 #include <bsm/adt.h>
  28 #include <bsm/adt_event.h>
  29 #include <assert.h>
  30 #include <bsm/audit.h>
  31 #include <bsm/audit_record.h>
  32 #include <bsm/libbsm.h>
  33 #include <door.h>
  34 #include <errno.h>
  35 #include <generic.h>
  36 #include <md5.h>
  37 #include <sys/mkdev.h>
  38 #include <netdb.h>
  39 #include <nss_dbdefs.h>
  40 #include <pwd.h>
  41 #include <sys/stat.h>
  42 #include <time.h>
  43 #include <stdlib.h>
 
 
 174         return ((auditstate & states) ? B_TRUE : B_FALSE);
 175 }
 176 
 177 /*
 178  * Get user_specific/non-attributable audit mask. This may be called even when
 179  * auditing is off.
 180  */
 181 
 182 static int
 183 adt_get_mask_from_user(uid_t uid, au_mask_t *mask)
 184 {
 185         struct passwd   pwd;
 186         long            buff_sz;
 187         char            *pwd_buff;
 188 
 189 
 190         if (auditstate & AUC_DISABLED) {
 191                 /* c2audit excluded */
 192                 mask->am_success = 0;
 193                 mask->am_failure = 0;
 194         } else if (uid <= MAXUID) {
 195                 if ((buff_sz = sysconf(_SC_GETPW_R_SIZE_MAX)) == -1) {
 196                         adt_write_syslog("couldn't determine maximum size of "
 197                             "password buffer", errno);
 198                         return (-1);
 199                 }
 200                 if ((pwd_buff = calloc(1, (size_t)++buff_sz)) == NULL) {
 201                         return (-1);
 202                 }
 203                 if (getpwuid_r(uid, &pwd, pwd_buff, (int)buff_sz) == NULL) {
 204                         errno = EINVAL; /* user doesn't exist */
 205                         free(pwd_buff);
 206                         return (-1);
 207                 }
 208                 if (au_user_mask(pwd.pw_name, mask)) {
 209                         free(pwd_buff);
 210                         errno = EFAULT; /* undetermined failure */
 211                         return (-1);
 212                 }
 213                 free(pwd_buff);
 214         } else if (auditon(A_GETKMASK, (caddr_t)mask, sizeof (*mask)) == -1) {
 215                         return (-1);
 216         }
 217 
 218         return (0);
 219 }
 220 
 221 /*
 222  * adt_get_unique_id -- generate a hopefully unique 32 bit value
 223  *
 224  * there will be a follow up to replace this with the use of /dev/random
 225  *
 226  * An MD5 hash is taken on a buffer of
 227  *     hostname . audit id . unix time . pid . count
 228  *
 229  * "count = noise++;" is subject to a race condition but I don't
 230  * see a need to put a lock around it.
 231  */
 232 
 233 au_asid_t
 234 adt_get_unique_id(au_id_t uid)
 
 | 
 
 
   4  * The contents of this file are subject to the terms of the
   5  * Common Development and Distribution License (the "License").
   6  * You may not use this file except in compliance with the License.
   7  *
   8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
   9  * or http://www.opensolaris.org/os/licensing.
  10  * See the License for the specific language governing permissions
  11  * and limitations under the License.
  12  *
  13  * When distributing Covered Code, include this CDDL HEADER in each
  14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  15  * If applicable, add the following below this CDDL HEADER, with the
  16  * fields enclosed by brackets "[]" replaced with your own identifying
  17  * information: Portions Copyright [yyyy] [name of copyright owner]
  18  *
  19  * CDDL HEADER END
  20  */
  21 
  22 /*
  23  * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved.
  24  * Copyright 2014 Nexenta Systems, Inc.  All rights reserved.
  25  * Copyright 2017 OmniOS Community Edition (OmniOSce) Association.
  26  */
  27 
  28 #include <bsm/adt.h>
  29 #include <bsm/adt_event.h>
  30 #include <assert.h>
  31 #include <bsm/audit.h>
  32 #include <bsm/audit_record.h>
  33 #include <bsm/libbsm.h>
  34 #include <door.h>
  35 #include <errno.h>
  36 #include <generic.h>
  37 #include <md5.h>
  38 #include <sys/mkdev.h>
  39 #include <netdb.h>
  40 #include <nss_dbdefs.h>
  41 #include <pwd.h>
  42 #include <sys/stat.h>
  43 #include <time.h>
  44 #include <stdlib.h>
 
 
 175         return ((auditstate & states) ? B_TRUE : B_FALSE);
 176 }
 177 
 178 /*
 179  * Get user_specific/non-attributable audit mask. This may be called even when
 180  * auditing is off.
 181  */
 182 
 183 static int
 184 adt_get_mask_from_user(uid_t uid, au_mask_t *mask)
 185 {
 186         struct passwd   pwd;
 187         long            buff_sz;
 188         char            *pwd_buff;
 189 
 190 
 191         if (auditstate & AUC_DISABLED) {
 192                 /* c2audit excluded */
 193                 mask->am_success = 0;
 194                 mask->am_failure = 0;
 195                 return (0);
 196         }
 197 
 198         if (uid <= MAXUID) {
 199                 if ((buff_sz = sysconf(_SC_GETPW_R_SIZE_MAX)) == -1) {
 200                         adt_write_syslog("couldn't determine maximum size of "
 201                             "password buffer", errno);
 202                         return (-1);
 203                 }
 204                 if ((pwd_buff = calloc(1, (size_t)++buff_sz)) == NULL) {
 205                         return (-1);
 206                 }
 207                 /*
 208                  * Ephemeral id's and id's that exist in a name service we
 209                  * don't have configured (LDAP, NIS) can't be looked up,
 210                  * but either way it's not an error.
 211                  */
 212                 if (getpwuid_r(uid, &pwd, pwd_buff, (int)buff_sz) != NULL) {
 213                         if (au_user_mask(pwd.pw_name, mask)) {
 214                                 free(pwd_buff);
 215                                 errno = EFAULT; /* undetermined failure */
 216                                 return (-1);
 217                         }
 218                         free(pwd_buff);
 219                         return (0);
 220                 }
 221                 free(pwd_buff);
 222         }
 223 
 224         if (auditon(A_GETKMASK, (caddr_t)mask, sizeof (*mask)) == -1) {
 225                         return (-1);
 226         }
 227 
 228         return (0);
 229 }
 230 
 231 /*
 232  * adt_get_unique_id -- generate a hopefully unique 32 bit value
 233  *
 234  * there will be a follow up to replace this with the use of /dev/random
 235  *
 236  * An MD5 hash is taken on a buffer of
 237  *     hostname . audit id . unix time . pid . count
 238  *
 239  * "count = noise++;" is subject to a race condition but I don't
 240  * see a need to put a lock around it.
 241  */
 242 
 243 au_asid_t
 244 adt_get_unique_id(au_id_t uid)
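Review bot: In the new `uid <= MAXUID` branch of `adt_get_mask_from_user()`, every NULL return from `getpwuid_r()` now falls through to `auditon(A_GETKMASK, ...)`, so a lookup that failed for a transient reason (name service unreachable, buffer too small) is treated the same as an ephemeral or unknown id, and the caller gets the A_GETKMASK mask instead of the user's own `au_user_mask()` result with nothing logged. For an audit library that silently changes what is recorded for the session, so the fallback should at least be visible: set `errno = 0;` before the call and, just before the final `free(pwd_buff);`, add `if (errno != 0) adt_write_syslog("password lookup failed, using non-attributable mask", errno);`. Whether `getpwuid_r()` leaves `errno` untouched on a plain not-found on this platform should be confirmed before relying on that test. The function's header comment should also gain a sentence saying that an unresolvable uid yields the A_GETKMASK mask rather than an error, since callers previously saw `-1` with `EINVAL` there.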
 
 |