/* -*-c-*-
*
- * $Id: rule.c,v 1.1 1997/07/21 13:47:45 mdw Exp $
+ * $Id: rule.c,v 1.4 1997/09/17 10:27:17 mdw Exp $
*
* Managing rule sets
*
* (c) 1997 EBI
*/
-/*----- Licencing notice --------------------------------------------------*
+/*----- Licensing notice --------------------------------------------------*
*
* This file is part of `become'
*
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
- * along with `become'; if not, write to the Free Software
- * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ * along with `become'; if not, write to the Free Software Foundation,
+ * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/
/*----- Revision history --------------------------------------------------*
*
* $Log: rule.c,v $
- * Revision 1.1 1997/07/21 13:47:45 mdw
+ * Revision 1.4 1997/09/17 10:27:17 mdw
+ * Use rewritten class handler.
+ *
+ * Revision 1.3 1997/08/20 16:22:36 mdw
+ * Rename `rule_reinit' to `rule_end' for more sensible restart. Don't try
+ * to trace when tracing's turned off.
+ *
+ * Revision 1.2 1997/08/04 10:24:25 mdw
+ * Sources placed under CVS control.
+ *
+ * Revision 1.1 1997/07/21 13:47:45 mdw
* Initial revision
*
*/
#include <stdlib.h>
#include <string.h>
+/* --- Unix headers --- */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <netdb.h>
+#include <unistd.h>
+
/* --- Local headers --- */
#include "become.h"
#include "class.h"
#include "rule.h"
+#include "userdb.h"
#include "utils.h"
/*----- Type definitions --------------------------------------------------*/
typedef struct rule {
struct rule *next; /* Next rule in the list */
- classdef *host; /* Hosts this rule applies to */
- classdef *from; /* From users in this class */
- classdef *to; /* To users in this class */
- classdef *cmd; /* To run commands in this class */
+ class_node *host; /* Hosts this rule applies to */
+ class_node *from; /* From users in this class */
+ class_node *to; /* To users in this class */
+ class_node *cmd; /* To run commands in this class */
} rule;
/*----- Static variables --------------------------------------------------*/
rule__tail = (rule *)&rule__list;
}
-/* --- @rule_reinit@ --- *
+/* --- @rule_end@ --- *
*
* Arguments: ---
*
* Returns: ---
*
- * Use: Reinitialises the rule database.
+ * Use: Empties the rule database.
*/
-void rule_reinit(void)
+void rule_end(void)
{
rule *r = rule__list;
rule *rr;
while (r) {
rr = r->next;
+ class_dec(r->host);
+ class_dec(r->from);
+ class_dec(r->to);
+ class_dec(r->cmd);
free(r);
r = rr;
}
-
- rule_init();
}
/* --- @rule_add@ --- *
*
- * Arguments: @classdef *host@ = class of hosts this rule applies to
- * @classdef *from@ = class of users allowed to change
- * @classdef *to@ = class of users allowed to be changed to
- * @classdef *cmd@ = class of commands allowed
+ * Arguments: @class_node *host@ = class of hosts this rule applies to
+ * @class_node *from@ = class of users allowed to change
+ * @class_node *to@ = class of users allowed to be changed to
+ * @class_node *cmd@ = class of commands allowed
*
* Returns: ---
*
* Use: Registers another rule.
*/
-void rule_add(classdef *host, classdef *from, classdef *to, classdef *cmd)
+void rule_add(class_node *host, class_node *from, class_node *to, class_node *cmd)
{
rule *r = xmalloc(sizeof(*r));
int rule_check(request *r)
{
+ rule *rr;
+
+ /* --- Trace out the request we're checking --- */
+
+ IF_TRACING(TRACE_CHECK, {
+ struct passwd *pw_from = userdb_userById(r->from);
+ struct passwd *pw_to = userdb_userById(r->to);
+ struct hostent *h = gethostbyaddr((char *)&r->host, sizeof(r->host),
+ AF_INET);
+
+ trace(TRACE_CHECK, "check: request from %s (%li) to become %s (%li)",
+ pw_from ? pw_from->pw_name : "<unknown>", (long)r->from,
+ pw_to ? pw_to->pw_name : "<unknown>", (long)r->to);
+ trace(TRACE_CHECK, "check: ... at %s (%s) for `%s'",
+ h ? h->h_name : "<unknown>", inet_ntoa(r->host), r->cmd);
+ })
+
+ /* --- Search the rule list --- */
+
+ for (rr = rule__list; rr; rr = rr->next) {
+
+ /* --- Trace out the rule --- */
+
+ IF_TRACING(TRACE_RULE, {
+ trace(TRACE_RULE, "rule: check against rule...");
+ trace(TRACE_RULE, "rule: from"); class_dump(rr->from, 2);
+ trace(TRACE_RULE, "rule: to"); class_dump(rr->to, 2);
+ trace(TRACE_RULE, "rule: cmd"); class_dump(rr->cmd, 2);
+ trace(TRACE_RULE, "rule: host"); class_dump(rr->host, 2);
+ })
+
+ /* --- Check the rule --- */
+
+ if (class_matchUser(rr->from, r->from) &&
+ class_matchUser(rr->to, r->to) &&
+ class_matchCommand(rr->cmd, r->cmd) &&
+ class_matchHost(rr->host, r->host)) {
+ T( trace(TRACE_CHECK, "check: rule matched -- granting permission"); )
+ return (1);
+ }
+ }
+
+ /* --- Failed to match --- */
+
+ T( trace(TRACE_CHECK, "check: no rules matched -- permission denied"); )
+ return (0);
+}
+
+/* --- @rule_dump@ --- *
+ *
+ * Arguments: ---
+ *
+ * Returns: ---
+ *
+ * Use: Dumps a map of the current ruleset to the trace output.
+ */
+
+void rule_dump(void)
+{
+#ifdef TRACING
rule *rr = rule__list;
+ trace(TRACE_RULE, "rule: dumping rules");
while (rr) {
- if (class_userMatch(rr->from, r->from) &&
- class_userMatch(rr->to, r->to) &&
- class_commandMatch(rr->cmd, r->cmd) &&
- class_hostMatch(rr->host, r->host))
- return (1);
+ trace(TRACE_RULE, "rule: rule dump...");
+ trace(TRACE_RULE, "rule: from"); class_dump(rr->from, 2);
+ trace(TRACE_RULE, "rule: to"); class_dump(rr->to, 2);
+ trace(TRACE_RULE, "rule: cmd"); class_dump(rr->cmd, 2);
+ trace(TRACE_RULE, "rule: host"); class_dump(rr->host, 2);
rr = rr->next;
}
- return (0);
+ trace(TRACE_RULE, "rule: dump finished");
+#endif
}
/*----- That's all, folks -------------------------------------------------*/
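Review bot: rule_end frees every node but, now that the trailing rule_init() call is gone, leaves rule__list and rule__tail pointing at freed memory, so a rule_check or rule_add issued before the caller re-runs rule_init would walk or append to a freed node. Resetting the statics after the loop keeps the module in a safe empty state regardless of what the caller does next: `rule__list = NULL;` followed by `rule__tail = (rule *)&rule__list;` (the latter appears to be the same reset the visible tail of rule_init performs). The four class_dec calls added there also presume rule_add takes its own reference on each class_node it stores; rule_add's body is outside the hunk, so that pairing should be confirmed. Separately, the IF_TRACING block at the top of rule_check performs a blocking gethostbyaddr() reverse lookup inside the authorisation path and prints h_name, which is resolver-supplied rather than locally validated data; a comment such as `/* Trace-only: reverse lookup may block, and h_name is untrusted resolver output */` would make that visible to whoever enables TRACE_CHECK in production.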