helpers/external_acl/unix_group/check_group.cc

   1 /*
   2  * $Id$
   3  *
   4  * This is a helper for the external ACL interface for Squid Cache
   5  * Copyright (C) 2002 Rodrigo Albani de Campos (rodrigo@geekbunker.org)
   6  *
   7  * It reads STDIN looking for a username that matches a specified group
   8  * Returns `OK' if the user belongs to the group or `ERR' otherwise, as
   9  * described on http://devel.squid-cache.org/external_acl/config.html
  10  * To compile this program, use:
  11  *
  12  * gcc -o check_group check_group.c
  13  *
  14  * Author: Rodrigo Albani de Campos
  15  * E-Mail: rodrigo@geekbunker.org
  16  *
  17  *  This program is free software; you can redistribute it and/or modify
  18  *  it under the terms of the GNU General Public License as published by
  19  *  the Free Software Foundation; either version 2 of the License, or
  20  *  (at your option) any later version.
  21  *
  22  *  This program is distributed in the hope that it will be useful,
  23  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
  24  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  25  *  GNU General Public License for more details.
  26  *
  27  *  You should have received a copy of the GNU General Public License
  28  *  along with this program; if not, write to the Free Software
  29  *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
  30  *
  31  * Change Log:
  32  * 2010-02-24 hno
  33  * Removed group number limitation and fixed related uninitialized
  34  * pointer reference (Bug #2813)
  35  *
  36  * Revision 1.7  2004/08/15 00:29:33  hno
  37  * helper protocol changed to URL-escaped strings in Squid-3.0
  38  *
  39  * Revision 1.6  2002/08/12 15:48:32  hno
  40  * imported strwordtok from Squid, added man page, some minor fixes
  41  *
  42  * Revision 1.5  2002/07/27 14:26:49  rcampos
  43  * allow groups to be sent on stdin
  44  *
  45  * Revision 1.4  2002/04/17 01:58:48  camposr
  46  * minor corrections in the getopt
  47  *
  48  * Revision 1.3  2002/04/17 01:43:17  camposr
  49  * ready for action
  50  *
  51  * Revision 1.2  2002/04/17 01:32:16  camposr
  52  * all main routines ready
  53  *
  54  * Revision 1.1  2002/04/16 05:02:32  camposr
  55  * Initial revision
  56  *
  57  */
  58 #include "squid.h"
  59 #include "helpers/defines.h"
  60 #include "rfc1738.h"
  61 #include "util.h"
  62
  63 #if HAVE_STDIO_H
  64 #include <stdio.h>
  65 #endif
  66 #if HAVE_STRING_H
  67 #include <string.h>
  68 #endif
  69 #if HAVE_GRP_H
  70 #include <grp.h>
  71 #endif
  72 #if HAVE_UNISTD_H
  73 #include <unistd.h>
  74 #endif
  75 #if HAVE_PWD_H
  76 #include <pwd.h>
  77 #endif
  78 #if HAVE_CTYPE_H
  79 #include <ctype.h>
  80 #endif
  81
  82 /*
  83  * Verify if user's primary group matches groupname
  84  * Returns 0 if user is not on the group
  85  * Returns 1 otherwise
  86  */
  87 static int
  88 validate_user_pw(char *username, char *groupname)
  89 {
  90     struct passwd *p;
  91     struct group *g;
  92
  93     if ((p = getpwnam(username)) == NULL) {
  94         /* Returns an error if user does not exist in the /etc/passwd */
  95         fprintf(stderr, "ERROR: User does not exist '%s'\n", username);
  96         return 0;
  97     } else {
  98         /* Verify if the this is the primary user group */
  99         if ((g = getgrgid(p->pw_gid)) != NULL) {
 100             if ((strcmp(groupname, g->gr_name)) == 0)
 101                 return 1;
 102         }
 103     }
 104
 105     return 0;
 106 }
 107
 108 static int
 109 validate_user_gr(char *username, char *groupname)
 110 {
 111     /*
 112      * Verify if the user belongs to groupname as listed in the
 113      * /etc/group file
 114      */
 115     struct group *g;
 116
 117     if ((g = getgrnam(groupname)) == NULL) {
 118         fprintf(stderr, "ERROR: Group does not exist '%s'\n", groupname);
 119         return 0;
 120     } else {
 121         while (*(g->gr_mem) != NULL) {
 122             if (strcmp(*((g->gr_mem)++), username) == 0) {
 123                 return 1;
 124             }
 125         }
 126     }
 127     return 0;
 128 }
 129
 130 static void
 131 usage(char *program)
 132 {
 133     fprintf(stderr, "Usage: %s -g group1 [-g group2 ...] [-p] [-s]\n\n",
 134             program);
 135     fprintf(stderr, "-g group\n");
 136     fprintf(stderr,
 137             "                   The group name or id that the user must belong in order to\n");
 138     fprintf(stderr,
 139             "                   be allowed to authenticate.\n");
 140     fprintf(stderr,
 141             "-p                 Verify primary user group as well\n");
 142     fprintf(stderr,
 143             "-s                 Strip NT domain from usernames\n");
 144 }
 145
 146 int
 147 main(int argc, char *argv[])
 148 {
 149     char *user, *suser, *p;
 150     char buf[HELPER_INPUT_BUFFER];
 151     char **grents = NULL;
 152     int check_pw = 0, ch, ngroups = 0, i, j = 0, strip_dm = 0;
 153
 154     /* make standard output line buffered */
 155     setvbuf(stdout, NULL, _IOLBF, 0);
 156
 157     /* get user options */
 158     while ((ch = getopt(argc, argv, "dspg:")) != -1) {
 159         switch (ch) {
 160         case 'd':
 161             debug_enabled = 1;
 162             break;
 163         case 's':
 164             strip_dm = 1;
 165             break;
 166         case 'p':
 167             check_pw = 1;
 168             break;
 169         case 'g':
 170             grents = (char**)realloc(grents, sizeof(*grents) * (ngroups+1));
 171             grents[ngroups] = optarg;
 172             ++ngroups;
 173             break;
 174         case '?':
 175             if (xisprint(optopt)) {
 176                 fprintf(stderr, "Unknown option '-%c'.\n", optopt);
 177             } else {
 178                 fprintf(stderr, "Unknown option character `\\x%x'.\n", optopt);
 179             }
 180
 181         default:
 182             usage(argv[0]);
 183             exit(1);
 184         }
 185     }
 186     if (optind < argc) {
 187         fprintf(stderr, "FATAL: Unknown option '%s'\n", argv[optind]);
 188         usage(argv[0]);
 189         exit(1);
 190     }
 191     while (fgets(buf, HELPER_INPUT_BUFFER, stdin)) {
 192         j = 0;
 193         if ((p = strchr(buf, '\n')) == NULL) {
 194             /* too large message received.. skip and deny */
 195             fprintf(stderr, "ERROR: %s: Too large: %s\n", argv[0], buf);
 196             while (fgets(buf, sizeof(buf), stdin)) {
 197                 fprintf(stderr, "ERROR: %s: Too large..: %s\n", argv[0], buf);
 198                 if (strchr(buf, '\n') != NULL)
 199                     break;
 200             }
 201             SEND_ERR("Username Input too large.");
 202             continue;
 203         }
 204         *p = '\0';
 205         if ((p = strtok(buf, " ")) == NULL) {
 206             SEND_ERR("No username given.");
 207             continue;
 208         } else {
 209             user = p;
 210             rfc1738_unescape(user);
 211             if (user && strip_dm) {
 212                 suser = strchr(user, '\\');
 213                 if (!suser) suser = strchr(user, '/');
 214                 if (suser && suser[1]) user = suser + 1;
 215             }
 216             /* check groups supplied by Squid */
 217             while ((p = strtok(NULL, " ")) != NULL) {
 218                 rfc1738_unescape(p);
 219                 if (check_pw == 1)
 220                     j += validate_user_pw(user, p);
 221                 j += validate_user_gr(user, p);
 222             }
 223         }
 224
 225         /* check groups supplied on the command line */
 226         for (i = 0; i < ngroups; ++i) {
 227             if (check_pw == 1) {
 228                 j += validate_user_pw(user, grents[i]);
 229             }
 230             j += validate_user_gr(user, grents[i]);
 231         }
 232
 233         if (j > 0) {
 234             SEND_OK("");
 235         } else {
 236             SEND_ERR("");
 237         }
 238     }
 239     return 0;
 240 }