<?php
/*
	priv.inc
	part of pfSense (https://www.pfsense.org)
	Copyright (C) 2005-2006 Bill Marquette <bill.marquette@gmail.com>
	Copyright (C) 2006 Paul Taylor <paultaylor@winn-dixie.com>.
	Copyright (C) 2008 Shrew Soft Inc
	Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
	Copyright (c) 2004-2016 Electric Sheep Fencing, LLC.
	All rights reserved.
	Redistribution and use in source and binary forms, with or without
	modification, are permitted provided that the following conditions are met:
	1. Redistributions of source code must retain the above copyright notice,
	   this list of conditions and the following disclaimer.
	2. Redistributions in binary form must reproduce the above copyright
	   notice, this list of conditions and the following disclaimer in
	   the documentation and/or other materials provided with the
	   distribution.
	3. All advertising materials mentioning features or use of this software
	   must display the following acknowledgment:
	   "This product includes software developed by the pfSense Project
	   for use in the pfSense® software distribution. (http://www.pfsense.org/).
	4. The names "pfSense" and "pfSense Project" must not be used to
	   endorse or promote products derived from this software without
	   prior written permission. For written permission, please contact
	   coreteam@pfsense.org.
	5. Products derived from this software may not be called "pfSense"
	   nor may "pfSense" appear in their names without prior written
	   permission of the Electric Sheep Fencing, LLC.
	6. Redistributions of any form whatsoever must retain the following
	   acknowledgment:
	"This product includes software developed by the pfSense Project
	for use in the pfSense software distribution (http://www.pfsense.org/).
	THIS SOFTWARE IS PROVIDED BY THE pfSense PROJECT ``AS IS'' AND ANY
	EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
	PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE pfSense PROJECT OR
	ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
	SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
	NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
	LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
	STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
	OF THE POSSIBILITY OF SUCH DAMAGE.
*/
require_once("priv.defs.inc");
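/*
 * Load and process custom privs.
 *
 * List the entries of $directory, excluding "." and "..", in the order
 * readdir() yields them (no sorting is applied). Returns an empty array when
 * $directory is not a directory or cannot be opened, so callers may iterate
 * the result without a null check. (The former code returned null in the
 * not-a-directory case and carried a dead is_array() test on its own array.)
 */
function get_priv_files($directory) {
	$dir_array = array();
	if (!is_dir($directory)) {
		return $dir_array;
	}
	$dh = opendir($directory);
	if ($dh === false) {
		return $dir_array;
	}
	while (($file = readdir($dh)) !== false) {
		/* the current- and parent-directory entries are never priv files */
		if ($file === "." || $file === "..") {
			continue;
		}
		$dir_array[] = $file;
	}
	closedir($dh);
	return $dir_array;
}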
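// Load and sort privs.
//
// Every regular file under the two directories below whose name contains
// ".inc" is included. Note that stristr() is a case-insensitive substring
// test, so "foo.inc.bak" or ".include" qualify as well, not only files with
// the ".inc" extension. Each included file is expected to add entries to
// $priv_list (TODO confirm: priv.defs.inc above appears to define it).
// NOTE(review): these files are executed via include_once, so the two
// directories must not be writable by anyone but the administrator — confirm
// the installed permissions.
$dir_array = get_priv_files("/etc/inc/priv");
// get_priv_files() may return null when the directory is missing; iterating
// null would only raise a warning, so guard it.
if (is_array($dir_array)) {
	foreach ($dir_array as $file) {
		if (!is_dir("/etc/inc/priv/{$file}") && stristr($file, ".inc")) {
			include_once("/etc/inc/priv/{$file}");
		}
	}
}
if (is_dir("/usr/local/pkg/priv")) {
	$dir_array = get_priv_files("/usr/local/pkg/priv");
	if (is_array($dir_array)) {
		foreach ($dir_array as $file) {
			if (!is_dir("/usr/local/pkg/priv/{$file}") && stristr($file, ".inc")) {
				include_once("/usr/local/pkg/priv/{$file}");
			}
		}
	}
}

// "user-" privileges first, then case-insensitive by name (see cmp_privkeys).
if (isset($priv_list) && is_array($priv_list)) {
	sort_privs($priv_list);
}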
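/*
 * Comparator for uksort() over $priv_list keys: every key starting with
 * "user-" sorts before every other key; within each of the two groups keys
 * are ordered case-insensitively by name.
 *
 * Returns a negative int when $a sorts first, a positive int when $b sorts
 * first, and 0 when the keys compare equal.
 */
function cmp_privkeys($a, $b) {
	/*
	 * user privs at the top
	 *
	 * The prefix test is reduced to a boolean before comparing. strncmp()'s
	 * raw result is a byte distance, and subtracting two non-zero results
	 * ordered non-user keys by how far their first byte is from 'u' instead
	 * of by name, while a key starting with a byte greater than 'u' (for
	 * example "v-...") even sorted ahead of the "user-" keys.
	 */
	$auser = (strncmp("user-", $a, 5) === 0);
	$buser = (strncmp("user-", $b, 5) === 0);
	if ($auser !== $buser) {
		return $auser ? -1 : 1;
	}

	/* name compare others */
	return strcasecmp($a, $b);
}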
/*
 * Order $privs in place by key using cmp_privkeys() ("user-" keys first,
 * then case-insensitive by name). $privs is rewritten through the reference;
 * nothing is returned.
 */
function sort_privs(& $privs) {
	$by_key = 'cmp_privkeys';
	uksort($privs, $by_key);
}
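/*
 * Test whether $page is covered by one of the page patterns in $matches.
 *
 * $page     page name as used in the priv definitions; one leading "/" is
 *           ignored.
 * $matches  array of patterns. Every character of a pattern is matched
 *           literally except "*", which stands for any run of characters
 *           (including none). Anything that is not an array yields false.
 * $fullwc   when false, the bare "*" pattern is skipped so that a
 *           "match everything" privilege does not count as covering $page.
 *
 * Returns true as soon as one pattern matches, false otherwise (a pattern
 * that PCRE rejects simply does not match).
 */
function cmp_page_matches($page, & $matches, $fullwc = true) {

	if (!is_array($matches)) {
		return false;
	}

	/* skip any leading fwdslash */
	if (strncmp($page, "/", 1) === 0) {
		$page = substr($page, 1);
	}

	/* look for a match */
	foreach ($matches as $match) {

		/* possibly ignore full wildcard match */
		if (!$fullwc && !strcmp($match, "*")) {
			continue;
		}

		/*
		 * compare exact or wildcard match
		 *
		 * Escape every PCRE metacharacter and the "@" delimiter so that only
		 * "*" is special, then expand the escaped "*" to ".*". The former
		 * code escaped only ".", "*" and "?", so "+", "(", "|", "@" and
		 * similar in a pattern were interpreted as regex syntax. The D
		 * modifier keeps "$" from also matching before a trailing newline
		 * in $page.
		 */
		$regex = str_replace('\*', '.*', preg_quote($match, '@'));
		if (preg_match("@^/{$regex}$@D", "/{$page}") === 1) {
			return true;
		}
	}

	return false;
}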
/*
 * Find the first "page-" privilege in the global $priv_list whose match
 * patterns cover $page. The bare "*" pattern only counts when $page itself
 * is "any" (case-insensitive) or "*". Returns the privilege name, or false
 * when no page privilege matches.
 */
function map_page_privname($page) {
	global $priv_list;

	/* a full-wildcard pattern only satisfies a request for "everything" */
	$fullwc = (strcasecmp($page, "any") === 0 || strcmp($page, "*") === 0);

	foreach ($priv_list as $pname => $pdata) {
		/* only page privileges carry match patterns */
		if (strncmp($pname, "page-", 5) !== 0) {
			continue;
		}
		if (cmp_page_matches($page, $pdata['match'], $fullwc)) {
			return $pname;
		}
	}

	return false;
}
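/*
 * Collect the privilege definitions that apply to $user.
 *
 * Privileges inherited through each of the user's groups come first, each
 * copied from $priv_list with an added 'group' => group name element; the
 * user's own privileges follow. A privilege the user holds directly is not
 * repeated from a group, and names unknown to $priv_list are skipped.
 *
 * Returns a list of privilege definition arrays, empty if none apply.
 */
function get_user_privdesc(& $user) {
	global $priv_list;

	$privs = array();

	$user_privs = (isset($user['priv']) && is_array($user['priv'])) ? $user['priv'] : array();

	$names = local_user_get_groups($user, true);

	foreach ($names as $name) {
		$group = getGroupEntry($name);
		/* a group without a priv array contributes nothing */
		if (!isset($group['priv']) || !is_array($group['priv'])) {
			continue;
		}
		foreach ($group['priv'] as $pname) {
			/* directly held privileges are listed once, in the user section below */
			if (in_array($pname, $user_privs, true)) {
				continue;
			}
			/* empty() avoids the undefined-index notice for unknown names */
			if (empty($priv_list[$pname])) {
				continue;
			}
			$priv = $priv_list[$pname];
			$priv['group'] = $group['name'];
			$privs[] = $priv;
		}
	}

	foreach ($user_privs as $pname) {
		if (!empty($priv_list[$pname])) {
			$privs[] = $priv_list[$pname];
		}
	}

	return $privs;
}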
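/*
 * Decide whether $username may access $page.
 *
 * The uid-0 (admin) account is always allowed. Everyone else is allowed only
 * when $page is covered by the page patterns that getAllowedPages() stored in
 * $_SESSION['page-match']. Returns false when $username is null.
 */
function isAllowed($username, $page) {

	if (!isset($username)) {
		return false;
	}

	/* admin/root access check */
	$user = getUserEntry($username);
	/*
	 * The uid is compared as a number only when it is numeric: a loose
	 * "== 0" alone also held for a non-numeric or empty uid string on
	 * PHP < 8, which would have granted full access.
	 */
	if (isset($user['uid']) && is_numeric($user['uid']) && $user['uid'] == 0) {
		return true;
	}

	/* user privilege access check */
	if (cmp_page_matches($page, $_SESSION['page-match'])) {
		return true;
	}

	return false;
}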
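/*
 * Decide whether the logged-in user ($_SESSION['Username']) may access $page.
 *
 * The uid-0 (admin) account is always allowed. Everyone else is allowed only
 * when $page is covered by the page patterns that getAllowedPages() stored in
 * $_SESSION['page-match']. Returns false when the session has no username.
 */
function isAllowedPage($page) {

	$username = isset($_SESSION['Username']) ? $_SESSION['Username'] : null;

	if (!isset($username)) {
		return false;
	}

	/* admin/root access check */
	$user = getUserEntry($username);
	/*
	 * The uid is compared as a number only when it is numeric: a loose
	 * "== 0" alone also held for a non-numeric or empty uid string on
	 * PHP < 8, which would have granted full access.
	 */
	if (isset($user['uid']) && is_numeric($user['uid']) && $user['uid'] == 0) {
		return true;
	}

	/* user privilege access check */
	return cmp_page_matches($page, $_SESSION['page-match']);
}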
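/*
 * Append to $allowed_pages the page match patterns of every "page-"
 * privilege named in $entry['priv'] (a user or group entry).
 *
 * Names that do not start with "page-", names unknown to $priv_list and
 * definitions without a match array are skipped. Nothing is returned;
 * $allowed_pages is extended through the reference.
 */
function getPrivPages(& $entry, & $allowed_pages) {
	global $priv_list;

	if (!isset($entry['priv']) || !is_array($entry['priv'])) {
		return;
	}

	foreach ($entry['priv'] as $pname) {
		if (strncmp($pname, "page-", 5)) {
			continue;
		}
		/*
		 * Read-only lookup. The former code took a reference to
		 * $priv_list[$pname], which created a null entry in the global
		 * $priv_list for every unknown privilege name as a side effect.
		 */
		if (!isset($priv_list[$pname]['match']) || !is_array($priv_list[$pname]['match'])) {
			continue;
		}
		foreach ($priv_list[$pname]['match'] as $match) {
			$allowed_pages[] = $match;
		}
	}
}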
/*
 * Compute the list of page match patterns $username may access and store it
 * in $_SESSION['page-match'], where isAllowed()/isAllowedPage() read it.
 *
 * Group membership comes from the configured auth server when its type is
 * "ldap" or "radius" ($attributes is handed to radius_get_groups() by
 * reference). When that yields no groups, the local user entry of the same
 * name supplies its own page privileges and its groups instead. Every
 * configured group found in the resulting group list then contributes its
 * page privileges via getPrivPages().
 *
 * Returns the list of patterns, or null without touching the session when
 * the ldap extension is not loaded.
 */
function getAllowedPages($username, &$attributes = array()) {
	global $config, $_SESSION;

	// Without the ldap extension nothing is computed and $_SESSION['page-match']
	// is left untouched.
	if (!function_exists("ldap_connect")) {
		return;
	}

	$allowed_pages = array();
	$allowed_groups = array();

	$authcfg = auth_get_authserver($config['system']['webgui']['authmode']);
	// obtain ldap groups if we are in ldap mode
	// NOTE(review): the @ operator hides any warning raised by the group
	// lookups, so a failed lookup is indistinguishable from "no groups" below.
	if ($authcfg['type'] == "ldap") {
		$allowed_groups = @ldap_get_groups($username, $authcfg);
	} elseif ($authcfg['type'] == "radius") {
		$allowed_groups = @radius_get_groups($attributes);
	}
	// No groups from the auth server (or neither ldap nor radius mode): fall
	// back to a local user of the same name, if one exists.
	if (!$allowed_groups) {
		// search for a local user by name
		$local_user = getUserEntry($username);

		// obtain local user pages and groups if we have a local user
		if ($local_user) {
			getPrivPages($local_user, $allowed_pages);
			$allowed_groups = local_user_get_groups($local_user);
		}
	}

	// build a list of allowed pages
	// Only groups that exist in the local configuration contribute; a group
	// name returned by the auth server but not configured here adds nothing.
	if (is_array($config['system']['group']) && is_array($allowed_groups)) {
		foreach ($config['system']['group'] as $group) {
			if (in_array($group['name'], $allowed_groups)) {
				getPrivPages($group, $allowed_pages);
			}
		}
	}

//	$dbg_pages = implode(",", $allowed_pages);
//	$dbg_groups = implode(",", $allowed_groups);
//	log_error("debug: user {$username} groups = {$dbg_groups}");
//	log_error("debug: user {$username} pages = {$dbg_pages}");

	// Cached per session; the page checks above never recompute it.
	$_SESSION['page-match'] = $allowed_pages;

	return $allowed_pages;
}
/*
 * Reorder a list of privilege names so that the two the post-login redirect
 * depends on ("page-dashboard-all", "page-system-login-logout") come first,
 * keeping their relative order from $privs, followed by all remaining names
 * in their original order. Names are compared as strings; the returned list
 * is re-indexed from 0.
 */
function sort_user_privs($privs) {
	// Privileges to place first, to redirect properly.
	$priority_privs = array("page-dashboard-all", "page-system-login-logout");

	$is_priority = function ($pname) use ($priority_privs) {
		return in_array((string) $pname, $priority_privs, true);
	};
	$first = array_filter($privs, $is_priority);
	$rest = array_filter($privs, function ($pname) use ($is_priority) {
		return !$is_priority($pname);
	});

	return array_merge($first, $rest);
}
?>