<?php
/* $Id$ */
/*
		Copyright (C) 2008 Shrew Soft Inc
		All rights reserved.

    
		Copyright (C) 2007, 2008 Scott Ullrich <sullrich@gmail.com>
		All rights reserved.

    
        Copyright (C) 2005-2006 Bill Marquette <bill.marquette@gmail.com>
        All rights reserved.

    
        Copyright (C) 2006 Paul Taylor <paultaylor@winn-dixie.com>.
        All rights reserved.

    
        Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
        All rights reserved.

    
        Redistribution and use in source and binary forms, with or without
        modification, are permitted provided that the following conditions are met:

    
        1. Redistributions of source code must retain the above copyright notice,
           this list of conditions and the following disclaimer.

    
        2. Redistributions in binary form must reproduce the above copyright
           notice, this list of conditions and the following disclaimer in the
           documentation and/or other materials provided with the distribution.
28

    
        THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
        INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
        AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
        AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
        OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
        SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
        INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
        CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
        ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
        POSSIBILITY OF SUCH DAMAGE.

    
		DISABLE_PHP_LINT_CHECKING
*/

    
require_once("priv.defs.inc");
require_once("auth.inc");

    
/*
 * USER PRIVILEGE DEFINITIONS
 */

    
/*
 * Non-page ("user-*") privileges. These do not carry a 'match' list and
 * therefore never grant web GUI pages; they only describe capabilities that
 * other parts of the system (SSH login, SCP/SFTP upload) look up by key.
 * Any entry with the same key already present in $priv_list (e.g. from
 * priv.defs.inc) is replaced wholesale.
 *
 * NOTE(review): $g['product_name'] is assumed to be in scope when this file
 * is included — it is not defined here.
 */
$priv_list['user-shell-access'] = array(
	'name'  => "User - Shell account access",
	'descr' => "Indicates whether the user is able to login for example via SSH.",
);

$priv_list['user-copy-files'] = array(
	'name'  => "User - Copy files",
	'descr' => "Indicates whether the user is allowed to copy files onto the {$g['product_name']} appliance via SCP/SFTP. If you are going to use this privilege, you must install scponly on the appliance (Hint: pkg_add -r scponly).",
);

/* keep user-* privileges first, then everything else by name */
sort_privs($priv_list);

    
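/*
 * uksort() comparator for the privilege table.
 *
 * Ordering: every "user-*" key sorts before every other key; keys of the
 * same class are ordered case-insensitively by name.
 *
 * Returns <0 when $a sorts first, >0 when $b sorts first, 0 when equal.
 *
 * Fixes: the original returned "$auser - buser" (a bare-word constant, a
 * fatal error on PHP 8) and compared the raw strncmp() distances, which is
 * not a consistent ordering for two non-user keys such as "page-x" and
 * "system-y".
 */
function cmp_privkeys($a, $b) {
	/* collapse each key to its class: 0 = user privilege, 1 = anything else */
	$aclass = (strncmp("user-", $a, 5) == 0) ? 0 : 1;
	$bclass = (strncmp("user-", $b, 5) == 0) ? 0 : 1;

	/* user privs at the top */
	if ($aclass != $bclass)
		return $aclass - $bclass;

	/* name compare within the same class */
	return strcasecmp($a, $b);
}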

    
/*
 * Sort the privilege table in place by key: "user-*" entries first, then
 * the rest by name. The ordering itself is defined by cmp_privkeys().
 *
 * @param array $privs  privilege table, modified in place
 */
function sort_privs(& $privs) {
	uksort($privs, 'cmp_privkeys');
}

    
/*
 * Test whether $page is covered by any entry of a privilege match list.
 *
 * Matching rules (security-relevant, read carefully):
 *   - a leading "/" on $page is ignored;
 *   - an entry without "*" must equal $page exactly (case-sensitive);
 *   - an entry containing "*" is a PREFIX match: only the characters before
 *     the first "*" are compared, everything after it is ignored, so
 *     "foo*bar" behaves exactly like "foo*";
 *   - the bare entry "*" matches every page; pass $fullwc = false to have
 *     such entries skipped.
 *
 * @param string $page     page name as seen by the caller
 * @param array  $matches  list of exact names / "prefix*" patterns
 * @param bool   $fullwc   whether a bare "*" entry is honoured
 * @return bool            true on the first matching entry, false otherwise
 *                         (also false when $matches is not an array)
 */
function cmp_page_matches($page, & $matches, $fullwc = true) {

	if (!is_array($matches))
		return false;

	/* a leading forward slash is not significant */
	if (strpos($page, "/") === 0)
		$page = substr($page, 1);

	foreach ($matches as $pattern) {

		/* the catch-all entry is only honoured when the caller allows it */
		if (!$fullwc && strcmp($pattern, "*") == 0)
			continue;

		$star = strpos($pattern, "*");
		if ($star === false) {
			/* no wildcard: exact comparison */
			$matched = (strcmp($page, $pattern) == 0);
		} else {
			/* wildcard: compare only the prefix before the first "*" */
			$matched = (strncmp($page, $pattern, $star) == 0);
		}

		if ($matched)
			return true;
	}

	return false;
}

    
/*
 * Find the first "page-*" privilege in $priv_list whose match list covers
 * $page. Privilege entries are visited in table order, so with overlapping
 * match lists the one sorted first wins.
 *
 * A privilege whose match list is the bare "*" wildcard is only considered
 * when $page itself is "any" (case-insensitive) or "*".
 *
 * @param string $page
 * @return string|false  privilege key, or false when nothing matches
 */
function map_page_privname($page) {
	global $priv_list;

	/* loop-invariant: whether catch-all ("*") match entries may satisfy $page */
	$allow_catch_all = (!strcasecmp($page, "any") || !strcmp($page, "*"));

	foreach ($priv_list as $pname => $pdata) {
		/* only page-* privileges carry a match list */
		if (strncmp($pname, "page-", 5) != 0)
			continue;
		if (cmp_page_matches($page, $pdata['match'], $allow_catch_all))
			return $pname;
	}

	return false;
}

    
/*
 * Collect the privilege descriptors that apply to a local user, for display.
 *
 * Group-inherited privileges come first, each copied from $priv_list and
 * tagged with 'group' => the granting group's name; the user's directly
 * assigned privileges follow, untagged. A privilege the user holds directly
 * is not repeated for any group that also grants it. Privilege keys unknown
 * to $priv_list are ignored.
 *
 * @param array $user  user entry with an optional 'priv' list
 * @return array       list of privilege descriptor arrays
 */
function get_user_privdesc(& $user) {
	global $priv_list;

	$result = array();

	$direct = is_array($user['priv']) ? $user['priv'] : array();

	/* privileges inherited through group membership */
	foreach (local_user_get_groups($user, true) as $gname) {
		$group = getGroupEntry($gname);
		if (!is_array($group['priv']))
			continue;
		foreach ($group['priv'] as $pname) {
			/* already held directly, or not a known privilege */
			if (in_array($pname, $direct) || empty($priv_list[$pname]))
				continue;
			$descr = $priv_list[$pname];
			$descr['group'] = $group['name'];
			$result[] = $descr;
		}
	}

	/* privileges assigned to the user directly */
	foreach ($direct as $pname) {
		if (!empty($priv_list[$pname]))
			$result[] = $priv_list[$pname];
	}

	return $result;
}

    
/*
 * Authorisation check for a web GUI page against the current session.
 *
 * Access is granted when either
 *   - the session's user has uid 0 (admin/root bypasses the page table), or
 *   - $page is covered by $_SESSION['page-match'], the list of allowed
 *     pages/patterns that getAllowedPages() stored at login.
 * Everything else, including a session without a Username, is denied.
 *
 * NOTE(review): the uid test keeps the original loose "== 0"; on PHP < 8 a
 * non-numeric uid string would also compare equal to 0. uid comes from the
 * user entry, not from the request, so this is a hardening point rather
 * than a reachable bypass as far as this file shows.
 *
 * @param string $page
 * @return bool
 */
function isAllowedPage($page) {
	global $_SESSION;

	/* no authenticated user in the session: deny */
	if (!isset($_SESSION['Username']))
		return false;
	$username = $_SESSION['Username'];

	/* admin/root short-circuit */
	$user = getUserEntry($username);
	if (isset($user) && isset($user['uid']) && $user['uid'] == 0)
		return true;

	/* otherwise the page must be in the session's allowed-page list */
	return cmp_page_matches($page, $_SESSION['page-match']);
}

    
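/*
 * Append the page match entries of every "page-*" privilege held by $entry
 * (a user or group entry) to $allowed_pages.
 *
 * Entries whose 'priv' is not an array contribute nothing. Privilege keys
 * that are not "page-*", are unknown to $priv_list, are not arrays, or lack
 * an array 'match' are skipped. Duplicates are not removed.
 *
 * Fix: the original took references ("&$priv_list[$pname]", "&$priv['match']")
 * to look entries up. Taking a reference to a missing key creates it, so an
 * unknown privilege name in a user/group entry silently inserted a null
 * entry into the global privilege table, and a privilege without a match
 * list gained a null 'match' key. Lookups are now read-only.
 *
 * @param array $entry          user or group entry with an optional 'priv' list
 * @param array $allowed_pages  list to append to, modified in place
 */
function getPrivPages(& $entry, & $allowed_pages) {
	global $priv_list;

	if (!is_array($entry['priv']))
		return;

	foreach ($entry['priv'] as $pname) {
		if (strncmp($pname, "page-", 5) != 0)
			continue;
		/* read, never reference: must not mutate the global table */
		if (!isset($priv_list[$pname]) || !is_array($priv_list[$pname]))
			continue;
		$priv = $priv_list[$pname];
		if (!isset($priv['match']) || !is_array($priv['match']))
			continue;
		foreach ($priv['match'] as $match)
			$allowed_pages[] = $match;
	}
}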

    
/*
 * Compute the list of pages/patterns $username may access and store it in
 * $_SESSION['page-match'] for isAllowedPage().
 *
 * Sources, in order:
 *   - a local user entry, if one exists: its own page-* privileges plus
 *     the names of its local groups (LDAP groups are NOT consulted then);
 *   - otherwise, when the web GUI backend is "ldap" or "ldapother", the
 *     group names returned by ldap_get_groups();
 *   - every configured local group whose name appears in that group list
 *     contributes its page-* privileges.
 *
 * The session value is always (re)written, even when the list is empty,
 * so a user with no privileges fails closed.
 *
 * NOTE(review): the ldap_connect() guard below returns early for every
 * backend when the LDAP extension is missing — local users then get no
 * page list, and a previous $_SESSION['page-match'] is left untouched.
 * Preserved as-is; confirm whether the guard was meant for the LDAP
 * branches only.
 *
 * @param string $username
 * @return array|null  the allowed-page list, or null on the early return
 */
function getAllowedPages($username) {
	global $config, $_SESSION;

	if (!function_exists("ldap_connect"))
		return;

	$pages = array();
	$groups = array();

	/* a local account is authoritative for its groups and privileges */
	$local_user = getUserEntry($username);
	if ($local_user) {
		$groups = local_user_get_groups($local_user);
		getPrivPages($local_user, $pages);
	} else {
		/* no local account: group membership comes from LDAP, if enabled */
		$backend = $config['system']['webgui']['backend'];
		if ($backend == "ldap" || $backend == "ldapother")
			$groups = ldap_get_groups($username);
	}

	/* map group names onto the locally configured groups' privileges */
	if (is_array($config['system']['group']) && is_array($groups)) {
		foreach ($config['system']['group'] as $group) {
			if (in_array($group['name'], $groups))
				getPrivPages($group, $pages);
		}
	}

	/* always written, so isAllowedPage() sees the current (possibly empty) list */
	$_SESSION['page-match'] = $pages;

	return $pages;
}

    
?>