git.ipfire.org Git - thirdparty/squid.git/blob - src/acl/external/unix_group/check_group.cc
2 * Copyright (C) 1996-2021 The Squid Software Foundation and contributors
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
10 * This is a helper for the external ACL interface for Squid Cache
11 * Copyright (C) 2002 Rodrigo Albani de Campos (rodrigo@geekbunker.org)
13 * It reads STDIN looking for a username that matches a specified group
14 * Returns `OK' if the user belongs to the group or `ERR' otherwise, as
15 * described on http://devel.squid-cache.org/external_acl/config.html
16 * To compile this program, use:
18 * gcc -o check_group check_group.c
20 * Author: Rodrigo Albani de Campos
21 * E-Mail: rodrigo@geekbunker.org
23 * This program is free software; you can redistribute it and/or modify
24 * it under the terms of the GNU General Public License as published by
25 * the Free Software Foundation; either version 2 of the License, or
26 * (at your option) any later version.
28 * This program is distributed in the hope that it will be useful,
29 * but WITHOUT ANY WARRANTY; without even the implied warranty of
30 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
31 * GNU General Public License for more details.
33 * You should have received a copy of the GNU General Public License
34 * along with this program; if not, write to the Free Software
35 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
39 * Removed group number limitation and fixed related uninitialized
40 * pointer reference (Bug #2813)
42 * Revision 1.7 2004/08/15 00:29:33 hno
43 * helper protocol changed to URL-escaped strings in Squid-3.0
45 * Revision 1.6 2002/08/12 15:48:32 hno
46 * imported strwordtok from Squid, added man page, some minor fixes
48 * Revision 1.5 2002/07/27 14:26:49 rcampos
49 * allow groups to be sent on stdin
51 * Revision 1.4 2002/04/17 01:58:48 camposr
52 * minor corrections in the getopt
54 * Revision 1.3 2002/04/17 01:43:17 camposr
57 * Revision 1.2 2002/04/17 01:32:16 camposr
58 * all main routines ready
60 * Revision 1.1 2002/04/16 05:02:32 camposr
65 #include "helper/protocol_defines.h"
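/*
 * Check whether groupname is the primary group of username.
 *
 * Returns 1 when the account's primary GID resolves to a group whose name
 * equals groupname. Returns 0 when either argument is NULL, the user cannot
 * be looked up, the GID does not resolve to a group, or the names differ.
 * Every failure is a non-match, so the lookup fails closed.
 *
 * NOTE(review): this listing was extracted with lines missing; the
 * return-on-match value of 1 is inferred from the callers that sum the
 * results (j += validate_user_pw(...)). Confirm against the upstream file.
 */
static int
validate_user_pw(char *username, char *groupname)
{
    struct passwd *pw_entry;
    struct group *primary;

    /* getpwnam() and strcmp() must not be handed a null pointer. */
    if (username == NULL || groupname == NULL) {
        return 0;
    }

    /*
     * getpwnam() goes through the system's account database, which may be
     * more than the local /etc/passwd file. A lookup error also returns
     * NULL and is reported the same way as an unknown user.
     */
    pw_entry = getpwnam(username);
    if (pw_entry == NULL) {
        /*
         * NOTE(review): username reaches this function after
         * rfc1738_unescape() in main(), so it can carry arbitrary bytes,
         * including newlines, into the log written to stderr. Consider
         * escaping non-printable characters before logging.
         */
        fprintf(stderr, "ERROR: User does not exist '%s'\n", username);
        return 0;
    }

    /* Resolve the account's primary GID to a group entry. */
    primary = getgrgid(pw_entry->pw_gid);
    if (primary == NULL) {
        return 0;
    }

    return strcmp(groupname, primary->gr_name) == 0 ? 1 : 0;
}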
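/*
 * Check whether username is listed as a member of groupname in the group
 * database.
 *
 * Returns 1 when username appears in the group's member list. Returns 0
 * when either argument is NULL, the group cannot be looked up, or the user
 * is not listed. Every failure is a non-match, so the lookup fails closed.
 *
 * Only the explicit member list (gr_mem) is consulted. A user who belongs
 * to the group solely through the primary GID is not found here; that case
 * is covered by validate_user_pw(), which main() calls alongside this
 * function.
 *
 * NOTE(review): the usage text says "group name or id", but the lookup is
 * getgrnam() only, so a numeric id matches only if a group carries that
 * literal name. Confirm the intended behaviour.
 * NOTE(review): this listing was extracted with lines missing; the return
 * values are inferred from the callers that sum the results. Confirm
 * against the upstream file.
 */
static int
validate_user_gr(char *username, char *groupname)
{
    struct group *grp_entry;
    char **member;

    /* getgrnam() and strcmp() must not be handed a null pointer. */
    if (username == NULL || groupname == NULL) {
        return 0;
    }

    grp_entry = getgrnam(groupname);
    if (grp_entry == NULL) {
        /*
         * NOTE(review): groupname may come from the helper request line,
         * so it can carry arbitrary bytes into the log written to stderr.
         * Consider escaping non-printable characters before logging.
         */
        fprintf(stderr, "ERROR: Group does not exist '%s'\n", groupname);
        return 0;
    }

    /*
     * Walk the NULL-terminated member list with a local cursor, so the
     * gr_mem pointer inside the library-owned struct group is not modified.
     */
    for (member = grp_entry->gr_mem; member != NULL && *member != NULL; ++member) {
        if (strcmp(*member, username) == 0) {
            return 1;
        }
    }

    return 0;
}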
132 fprintf(stderr
, "Usage: %s -g group1 [-g group2 ...] [-p] [-s]\n\n",
134 fprintf(stderr
, "-g group\n");
136 " The group name or id that the user must belong in order to\n");
138 " be allowed to authenticate.\n");
140 "-p Verify primary user group as well\n");
142 "-s Strip NT domain from usernames\n");
144 "-r Strip Kerberos realm from usernames\n");
148 main(int argc
, char *argv
[])
150 char *user
, *suser
, *p
;
151 char buf
[HELPER_INPUT_BUFFER
];
152 char **grents
= NULL
;
153 int check_pw
= 0, ch
, ngroups
= 0, i
, j
= 0, strip_dm
= 0, strip_rm
= 0;
155 /* make standard output line buffered */
156 setvbuf(stdout
, NULL
, _IOLBF
, 0);
158 /* get user options */
159 while ((ch
= getopt(argc
, argv
, "dsrpg:")) != -1) {
174 grents
= (char**)realloc(grents
, sizeof(*grents
) * (ngroups
+1));
175 grents
[ngroups
] = optarg
;
179 if (xisprint(optopt
)) {
180 fprintf(stderr
, "Unknown option '-%c'.\n", optopt
);
182 fprintf(stderr
, "Unknown option character `\\x%x'.\n", optopt
);
184 // fall through to display help texts.
192 fprintf(stderr
, "FATAL: Unknown option '%s'\n", argv
[optind
]);
196 while (fgets(buf
, HELPER_INPUT_BUFFER
, stdin
)) {
198 if ((p
= strchr(buf
, '\n')) == NULL
) {
199 /* too large message received.. skip and deny */
200 fprintf(stderr
, "ERROR: %s: Too large: %s\n", argv
[0], buf
);
201 while (fgets(buf
, sizeof(buf
), stdin
)) {
202 fprintf(stderr
, "ERROR: %s: Too large..: %s\n", argv
[0], buf
);
203 if (strchr(buf
, '\n') != NULL
)
206 SEND_BH(HLP_MSG("Username Input too large."));
210 if ((p
= strtok(buf
, " ")) == NULL
) {
211 SEND_BH(HLP_MSG("No username given."));
215 rfc1738_unescape(user
);
217 suser
= strchr(user
, '\\');
218 if (!suser
) suser
= strchr(user
, '/');
219 if (suser
&& suser
[1]) user
= suser
+ 1;
222 suser
= strchr(user
, '@');
223 if (suser
) *suser
= '\0';
225 /* check groups supplied by Squid */
226 while ((p
= strtok(NULL
, " ")) != NULL
) {
229 j
+= validate_user_pw(user
, p
);
230 j
+= validate_user_gr(user
, p
);
234 /* check groups supplied on the command line */
235 for (i
= 0; i
< ngroups
; ++i
) {
237 j
+= validate_user_pw(user
, grents
[i
]);
239 j
+= validate_user_gr(user
, grents
[i
]);