|
1
|
<?php
|
|
2
|
/* $Id$ */
|
|
3
|
/*
|
|
4
|
Copyright (C) 2008 Shrew Soft Inc
|
|
5
|
All rights reserved.
|
|
6
|
|
|
7
|
Copyright (C) 2007, 2008 Scott Ullrich <sullrich@gmail.com>
|
|
8
|
All rights reserved.
|
|
9
|
|
|
10
|
Copyright (C) 2005-2006 Bill Marquette <bill.marquette@gmail.com>
|
|
11
|
All rights reserved.
|
|
12
|
|
|
13
|
Copyright (C) 2006 Paul Taylor <paultaylor@winn-dixie.com>.
|
|
14
|
All rights reserved.
|
|
15
|
|
|
16
|
Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
|
|
17
|
All rights reserved.
|
|
18
|
|
|
19
|
Redistribution and use in source and binary forms, with or without
|
|
20
|
modification, are permitted provided that the following conditions are met:
|
|
21
|
|
|
22
|
1. Redistributions of source code must retain the above copyright notice,
|
|
23
|
this list of conditions and the following disclaimer.
|
|
24
|
|
|
25
|
2. Redistributions in binary form must reproduce the above copyright
|
|
26
|
notice, this list of conditions and the following disclaimer in the
|
|
27
|
documentation and/or other materials provided with the distribution.
|
|
28
|
|
|
29
|
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
|
|
30
|
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
|
|
31
|
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
|
|
32
|
AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
|
|
33
|
OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
|
34
|
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
|
35
|
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
|
36
|
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
37
|
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
|
38
|
POSSIBILITY OF SUCH DAMAGE.
|
|
39
|
|
|
40
|
DISABLE_PHP_LINT_CHECKING
|
|
41
|
*/
|
|
42
|
|
|
43
|
/*
|
|
44
|
pfSense_MODULE: auth
|
|
45
|
*/
|
|
46
|
|
|
47
|
|
|
48
|
/*
|
|
49
|
* USER PRIVILEGE DEFINITIONS
|
|
50
|
*/
|
|
51
|
|
|
52
|
$priv_list['user-shell-access'] = array();
|
|
53
|
$priv_list['user-shell-access']['name'] = "User - Shell account access";
|
|
54
|
$priv_list['user-shell-access']['descr'] = "Indicates whether the user is able to login for ".
|
|
55
|
"example via SSH.";
|
|
56
|
|
|
57
|
$priv_list['user-copy-files'] = array();
|
|
58
|
$priv_list['user-copy-files']['name'] = "User - Copy files";
|
|
59
|
$priv_list['user-copy-files']['descr'] = "Indicates whether the user is allowed to copy files ".
|
|
60
|
"onto the {$g['product_name']} appliance via SCP/SFTP. ".
|
|
61
|
"If you are going to use this privilege, you must install ".
|
|
62
|
"scponly on the appliance (Hint: pkg_add -r scponly).";
|
|
63
|
|
|
64
|
sort_privs($priv_list);
|
|
65
|
|
|
66
|
function cmp_privkeys($a, $b) {
|
|
67
|
/* user privs at the top */
|
|
68
|
$auser = strncmp("user-", $a, 5);
|
|
69
|
$buser = strncmp("user-", $b, 5);
|
|
70
|
if($auser != $buser)
|
|
71
|
return $auser - buser;
|
|
72
|
|
|
73
|
/* name compare others */
|
|
74
|
return strcasecmp($a, $b);
|
|
75
|
}
|
|
76
|
|
|
77
|
function sort_privs(& $privs) {
|
|
78
|
|
|
79
|
uksort($privs, "cmp_privkeys");
|
|
80
|
}
|
|
81
|
|
|
82
|
function cmp_page_matches($page, & $matches, $fullwc = true) {
|
|
83
|
|
|
84
|
// $dbg_matches = implode(",", $matches);
|
|
85
|
// log_error("debug: checking page {$page} match with {$dbg_matches}");
|
|
86
|
|
|
87
|
if (!is_array($matches))
|
|
88
|
return false;
|
|
89
|
|
|
90
|
/* skip any leading fwdslash */
|
|
91
|
$test = strpos($page, "/");
|
|
92
|
if ($test !== false && $test == 0)
|
|
93
|
$page = substr($page, 1);
|
|
94
|
|
|
95
|
/* look for a match */
|
|
96
|
foreach ($matches as $match) {
|
|
97
|
|
|
98
|
/* possibly ignore full wildcard match */
|
|
99
|
if (!$fullwc && !strcmp($match ,"*"))
|
|
100
|
continue;
|
|
101
|
|
|
102
|
/* compare exact or wildcard match */
|
|
103
|
$wcpos = strpos($match, "*");
|
|
104
|
if ($wcpos === false)
|
|
105
|
$result = strcmp($page, $match);
|
|
106
|
else
|
|
107
|
$result = strncmp($page, $match, $wcpos);
|
|
108
|
|
|
109
|
if (!$result)
|
|
110
|
return true;
|
|
111
|
}
|
|
112
|
|
|
113
|
return false;
|
|
114
|
}
|
|
115
|
|
|
116
|
function map_page_privname($page) {
|
|
117
|
global $priv_list;
|
|
118
|
|
|
119
|
foreach ($priv_list as $pname => $pdata) {
|
|
120
|
if (strncmp($pname, "page-", 5))
|
|
121
|
continue;
|
|
122
|
$fullwc = false;
|
|
123
|
if (!strcasecmp($page,"any")||!strcmp($page,"*"))
|
|
124
|
$fullwc = true;
|
|
125
|
if (cmp_page_matches($page, $pdata['match'], $fullwc))
|
|
126
|
return $pname;
|
|
127
|
}
|
|
128
|
|
|
129
|
return false;
|
|
130
|
}
|
|
131
|
|
|
132
|
function get_user_privdesc(& $user) {
|
|
133
|
global $priv_list;
|
|
134
|
|
|
135
|
$privs = array();
|
|
136
|
|
|
137
|
$user_privs = $user['priv'];
|
|
138
|
if (!is_array($user_privs))
|
|
139
|
$user_privs = array();
|
|
140
|
|
|
141
|
$names = local_user_get_groups($user, true);
|
|
142
|
|
|
143
|
foreach ($names as $name) {
|
|
144
|
$group = getGroupEntry($name);
|
|
145
|
$group_privs = $group['priv'];
|
|
146
|
if (!is_array($group_privs))
|
|
147
|
continue;
|
|
148
|
foreach ($group_privs as $pname) {
|
|
149
|
if (in_array($pname,$user_privs))
|
|
150
|
continue;
|
|
151
|
if (!$priv_list[$pname])
|
|
152
|
continue;
|
|
153
|
$priv = $priv_list[$pname];
|
|
154
|
$priv['group'] = $group['name'];
|
|
155
|
$privs[] = $priv;
|
|
156
|
}
|
|
157
|
}
|
|
158
|
|
|
159
|
foreach ($user_privs as $pname)
|
|
160
|
if($priv_list[$pname])
|
|
161
|
$privs[] = $priv_list[$pname];
|
|
162
|
|
|
163
|
return $privs;
|
|
164
|
}
|
|
165
|
|
|
166
|
function isAllowedPage($page) {
|
|
167
|
global $_SESSION;
|
|
168
|
|
|
169
|
$username = $_SESSION['Username'];
|
|
170
|
if (!isset($username))
|
|
171
|
return false;
|
|
172
|
|
|
173
|
/* admin/root access check */
|
|
174
|
$user = getUserEntry($username);
|
|
175
|
if (isset($user))
|
|
176
|
if (isset($user['uid']))
|
|
177
|
if ($user['uid']==0)
|
|
178
|
return true;
|
|
179
|
|
|
180
|
/* user privelege access check */
|
|
181
|
if (cmp_page_matches($page, $_SESSION['page-match']))
|
|
182
|
return true;
|
|
183
|
|
|
184
|
return false;
|
|
185
|
}
|
|
186
|
|
|
187
|
function getPrivPages(& $entry, & $allowed_pages) {
|
|
188
|
global $priv_list;
|
|
189
|
|
|
190
|
if (!is_array($entry['priv']))
|
|
191
|
return;
|
|
192
|
|
|
193
|
foreach ($entry['priv'] as $pname) {
|
|
194
|
if (strncmp($pname, "page-", 5))
|
|
195
|
continue;
|
|
196
|
$priv = &$priv_list[$pname];
|
|
197
|
if (!is_array($priv))
|
|
198
|
continue;
|
|
199
|
$matches = &$priv['match'];
|
|
200
|
if (!is_array($matches))
|
|
201
|
continue;
|
|
202
|
foreach ($matches as $match)
|
|
203
|
$allowed_pages[] = $match;
|
|
204
|
}
|
|
205
|
}
|
|
206
|
|
|
207
|
function getAllowedPages($username) {
|
|
208
|
global $config, $_SESSION;
|
|
209
|
|
|
210
|
if (!function_exists("ldap_connect"))
|
|
211
|
return;
|
|
212
|
|
|
213
|
$allowed_pages = array();
|
|
214
|
$allowed_groups = array();
|
|
215
|
|
|
216
|
$ldapon = $_SESSION['ldapon'];
|
|
217
|
|
|
218
|
// search for a local user by name
|
|
219
|
$local_user = getUserEntry($username);
|
|
220
|
|
|
221
|
// obtain local groups if we have a local user
|
|
222
|
if ($local_user) {
|
|
223
|
$allowed_groups = local_user_get_groups($local_user);
|
|
224
|
getPrivPages($local_user, $allowed_pages);
|
|
225
|
}
|
|
226
|
|
|
227
|
// obtain ldap groups if we are in ldap mode
|
|
228
|
if ($config['system']['webgui']['backend'] == "ldap" && !$local_user)
|
|
229
|
$allowed_groups = ldap_get_groups($username);
|
|
230
|
|
|
231
|
// obtain ldapother groups if we are in ldap mode
|
|
232
|
if ($config['system']['webgui']['backend'] == "ldapother" && !$local_user)
|
|
233
|
$allowed_groups = ldap_get_groups($username);
|
|
234
|
|
|
235
|
// build a list of allowed pages
|
|
236
|
if (is_array($config['system']['group']) && is_array($allowed_groups))
|
|
237
|
foreach ($config['system']['group'] as $group)
|
|
238
|
if (in_array($group['name'], $allowed_groups))
|
|
239
|
getPrivPages($group, $allowed_pages);
|
|
240
|
|
|
241
|
// $dbg_pages = implode(",", $allowed_pages);
|
|
242
|
// $dbg_groups = implode(",", $allowed_groups);
|
|
243
|
// log_error("debug: user {$username} groups = {$dbg_groups}");
|
|
244
|
// log_error("debug: user {$username} pages = {$dbg_pages}");
|
|
245
|
|
|
246
|
$_SESSION['page-match'] = $allowed_pages;
|
|
247
|
|
|
248
|
return $allowed_pages;
|
|
249
|
}
|
|
250
|
|
|
251
|
?>
|