<?php
/*
 * priv.inc
 *
 * part of pfSense (https://www.pfsense.org)
 * Copyright (c) 2004-2016 Rubicon Communications, LLC (Netgate)
 * Copyright (c) 2005-2006 Bill Marquette <bill.marquette@gmail.com>
 * Copyright (c) 2006 Paul Taylor <paultaylor@winn-dixie.com>.
 * Copyright (c) 2008 Shrew Soft Inc
 * Copyright (c) 2003-2006 Manuel Kasper <mk@neon1.net>.
 * All rights reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
require_once("priv.defs.inc");
/* Load and process custom privs. */
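/**
 * List the entries of a privilege definition directory.
 *
 * Returns the names of every entry in $directory except "." and "..",
 * in the order readdir() yields them (filesystem order, not sorted).
 * Entries are not filtered by type or extension here; the caller decides
 * what it loads.
 *
 * @param string $directory Directory to scan.
 * @return array List of entry names; empty when $directory is not a
 *               directory or cannot be opened (previously null, which
 *               made the callers' foreach emit a warning).
 */
function get_priv_files($directory) {
	$dir_array = array();
	if (!is_dir($directory)) {
		return $dir_array;
	}
	$dh = opendir($directory);
	if ($dh === false) {
		return $dir_array;
	}
	while (($file = readdir($dh)) !== false) {
		/* skip the self/parent pseudo-entries */
		if ($file === "." || $file === "..") {
			continue;
		}
		$dir_array[] = $file;
	}
	closedir($dh);
	return $dir_array;
}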
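// Load and sort privs
//
// Every *.inc file found in the privilege directories is executed with
// include_once so that it can register entries in $priv_list. The base
// definitions come first, package-supplied ones second; a missing
// directory is simply skipped.
$priv_dirs = array("/etc/inc/priv", "/usr/local/pkg/priv");
foreach ($priv_dirs as $priv_dir) {
	$dir_array = get_priv_files($priv_dir);
	if (!is_array($dir_array)) {
		continue;
	}
	foreach ($dir_array as $file) {
		$path = "{$priv_dir}/{$file}";
		/* Only regular files whose name ends in ".inc" are loaded. A plain
		 * substring test (stristr) would also pick up leftovers such as
		 * "foo.inc.bak" or "foo.inc~", and everything loaded here runs as
		 * code. The match stays case-insensitive as before. */
		if (!is_dir($path) && preg_match('/\.inc$/i', $file)) {
			include_once($path);
		}
	}
}

if (is_array($priv_list)) {
	sort_privs($priv_list);
}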
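/**
 * Ordering callback for privilege names (see sort_privs()).
 *
 * Every "user-*" privilege sorts before all other privileges; within
 * each of those two groups names are compared case-insensitively.
 *
 * @param string $a
 * @param string $b
 * @return int Negative, zero or positive as $a sorts before, with or after $b.
 */
function cmp_privkeys($a, $b) {
	/* user privs at the top: rank 0 for "user-*", 1 for everything else.
	 * (Using the raw strncmp() result as the rank, as was done before,
	 * inverts the order for names that sort after "user-" alphabetically,
	 * because strncmp() is then negative rather than positive.) */
	$arank = (strncmp("user-", $a, 5) == 0) ? 0 : 1;
	$brank = (strncmp("user-", $b, 5) == 0) ? 0 : 1;
	if ($arank != $brank) {
		return $arank - $brank;
	}

	/* name compare others */
	return strcasecmp($a, $b);
}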
/**
 * Sort a privilege map in place by key, using cmp_privkeys() ordering
 * ("user-*" first, then case-insensitive name order).
 *
 * @param array $privs Privilege definitions keyed by name; reordered in place.
 * @return void
 */
function sort_privs(& $privs) {
	$by_key = function ($left, $right) {
		return cmp_privkeys($left, $right);
	};
	uksort($privs, $by_key);
}
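/**
 * Test whether $page is covered by one of the privilege match patterns.
 *
 * A pattern is a page name with shell-style wildcards: "*" matches any
 * run of characters; every other character, including "." and "?", is
 * taken literally. Matching is anchored at both ends, so a pattern must
 * cover the whole page name. A leading "/" on $page is ignored.
 *
 * @param string $page    Page name being accessed, e.g. "status_rrd.php".
 * @param array  $matches List of patterns; anything else yields false.
 *                        Taken by reference for compatibility with the
 *                        existing callers; it is not modified.
 * @param bool   $fullwc  When false, a bare "*" pattern is skipped so
 *                        that only an explicit pattern counts.
 * @return bool
 */
function cmp_page_matches($page, & $matches, $fullwc = true) {

	if (!is_array($matches)) {
		return false;
	}

	/* skip any leading fwdslash */
	if (strpos($page, "/") === 0) {
		$page = substr($page, 1);
	}

	/* look for a match */
	foreach ($matches as $match) {

		/* possibly ignore full wildcard match */
		if (!$fullwc && $match === "*") {
			continue;
		}

		/* Build the regex from the pattern. Everything the engine could
		 * interpret is quoted (not only ".", "*" and "?" as before, so a
		 * pattern containing "+", "(", "|" or the "@" delimiter can
		 * neither widen the match nor break the expression), then the
		 * quoted "*" is turned back into a wildcard. The "D" modifier
		 * keeps "$" at the true end of the subject instead of allowing
		 * it to match before a trailing newline. */
		$regex = str_replace("\\*", ".*", preg_quote($match, "@"));
		if (preg_match(sprintf('@^/%s$@D', $regex), "/" . $page)) {
			return true;
		}
	}

	return false;
}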
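/**
 * Find the "page-*" privilege whose match list covers $page.
 *
 * Privileges are scanned in $priv_list order, so with overlapping
 * patterns the first one listed wins. Only the special page names "any"
 * and "*" may be satisfied by a bare "*" pattern; any other page has to
 * be matched by an explicit pattern.
 *
 * @param string $page Page name to look up.
 * @return string|false Privilege name, or false when nothing matches.
 */
function map_page_privname($page) {
	global $priv_list;

	if (!is_array($priv_list)) {
		return false;
	}

	/* does not depend on the privilege being tested, so decide it once */
	$fullwc = (!strcasecmp($page, "any") || !strcmp($page, "*"));

	foreach ($priv_list as $pname => $pdata) {
		if (strncmp($pname, "page-", 5)) {
			continue;
		}
		/* an entry without a match list cannot match anything */
		if (!is_array($pdata) || !isset($pdata['match'])) {
			continue;
		}
		if (cmp_page_matches($page, $pdata['match'], $fullwc)) {
			return $pname;
		}
	}

	return false;
}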
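/**
 * Collect the privilege definitions that apply to a user.
 *
 * Group-inherited privileges come first, each copy annotated with the
 * granting group's name under 'group'; privileges assigned directly to
 * the user follow without that key. A privilege the user holds directly
 * is not repeated for the groups that also grant it. Names with no
 * (non-empty) entry in $priv_list are ignored.
 *
 * @param array $user User entry; reads $user['priv']. Taken by reference
 *                    for compatibility with callers, not modified here.
 * @return array List of privilege definition arrays.
 */
function get_user_privdesc(& $user) {
	global $priv_list;

	$privs = array();

	$user_privs = array();
	if (isset($user['priv']) && is_array($user['priv'])) {
		$user_privs = $user['priv'];
	}

	$names = local_user_get_groups($user, true);
	if (!is_array($names)) {
		$names = array();
	}

	foreach ($names as $name) {
		$group = getGroupEntry($name);
		if (!isset($group['priv']) || !is_array($group['priv'])) {
			continue;
		}
		foreach ($group['priv'] as $pname) {
			/* directly assigned privileges are listed once, below */
			if (in_array($pname, $user_privs, true)) {
				continue;
			}
			/* empty() also covers a name with no definition at all,
			 * without the undefined-index notice of a bare lookup */
			if (empty($priv_list[$pname])) {
				continue;
			}
			$priv = $priv_list[$pname];
			$priv['group'] = isset($group['name']) ? $group['name'] : null;
			$privs[] = $priv;
		}
	}

	foreach ($user_privs as $pname) {
		if (!empty($priv_list[$pname])) {
			$privs[] = $priv_list[$pname];
		}
	}

	return $privs;
}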
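/**
 * Check whether $username may access $page.
 *
 * uid 0 is accepted unconditionally; everybody else must have $page in
 * the page list computed at login and stored in $_SESSION['page-match']
 * (see getAllowedPages()). Note that the session list belongs to the
 * logged-in session, it is not recomputed for $username here.
 *
 * @param string|null $username Account name; null/unset yields false.
 * @param string      $page     Page name, e.g. "status_rrd.php".
 * @return bool
 */
function isAllowed($username, $page) {
	global $_SESSION;

	if (!isset($username)) {
		return false;
	}

	/* admin/root access check */
	$user = getUserEntry($username);
	/* NOTE(review): uid is compared loosely on purpose; it presumably
	 * arrives as a string from the stored config — confirm before
	 * switching to a strict comparison. */
	if (isset($user['uid']) && $user['uid'] == 0) {
		return true;
	}

	/* user privilege access check; a missing session list means
	 * "no pages" rather than an undefined-index notice */
	$allowed = isset($_SESSION['page-match']) ? $_SESSION['page-match'] : null;
	return cmp_page_matches($page, $allowed);
}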
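/**
 * Check whether the currently logged-in session may access $page.
 *
 * The account is read from $_SESSION['Username']; uid 0 is accepted
 * unconditionally, everybody else must have $page in the page list
 * stored in $_SESSION['page-match'] at login (see getAllowedPages()).
 *
 * @param string $page Page name, e.g. "status_rrd.php".
 * @return bool False when no user is logged in.
 */
function isAllowedPage($page) {
	global $_SESSION;

	/* no session user: deny without an undefined-index notice */
	$username = isset($_SESSION['Username']) ? $_SESSION['Username'] : null;
	if ($username === null) {
		return false;
	}

	/* admin/root access check */
	$user = getUserEntry($username);
	/* NOTE(review): uid is compared loosely on purpose; it presumably
	 * arrives as a string from the stored config — confirm before
	 * switching to a strict comparison. */
	if (isset($user['uid']) && $user['uid'] == 0) {
		return true;
	}

	/* user privilege access check; a missing session list means
	 * "no pages" rather than an undefined-index notice */
	$allowed = isset($_SESSION['page-match']) ? $_SESSION['page-match'] : null;
	return cmp_page_matches($page, $allowed);
}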
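/**
 * Append the page patterns granted by an entry's "page-*" privileges.
 *
 * @param array $entry         User or group entry; reads $entry['priv'].
 *                             Taken by reference for compatibility with
 *                             callers, not modified here.
 * @param array $allowed_pages Accumulator the patterns are appended to
 *                             (by reference). Duplicates are not removed.
 * @return void
 */
function getPrivPages(& $entry, & $allowed_pages) {
	global $priv_list;

	if (!isset($entry['priv']) || !is_array($entry['priv'])) {
		return;
	}

	foreach ($entry['priv'] as $pname) {
		if (strncmp($pname, "page-", 5)) {
			continue;
		}
		/* Read by value: the previous "$priv = &$priv_list[$pname]"
		 * silently created a null entry for every unknown privilege
		 * name in the global $priv_list. */
		if (!isset($priv_list[$pname]) || !is_array($priv_list[$pname])) {
			continue;
		}
		$priv = $priv_list[$pname];
		if (!isset($priv['match']) || !is_array($priv['match'])) {
			continue;
		}
		foreach ($priv['match'] as $match) {
			$allowed_pages[] = $match;
		}
	}
}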
/**
 * Compute the page patterns $username may access and cache them in
 * $_SESSION['page-match'], which isAllowed() and isAllowedPage() consult.
 *
 * Group membership is taken from the configured auth server (LDAP, or
 * RADIUS via the $attributes handed in by the caller). If that yields
 * nothing, the local user entry is consulted for its own "page-*"
 * privileges and its local group list. The pages of every entry in
 * $config['system']['group'] whose name is in the resulting group list
 * are then appended.
 *
 * @param string $username   Account name that just authenticated.
 * @param array  $attributes RADIUS reply attributes, by reference; only
 *                           used in radius mode.
 * @return array|null List of page patterns; null when the ldap extension
 *                    is absent (the session key is then left untouched).
 */
function getAllowedPages($username, &$attributes = array()) {
	global $config, $_SESSION;

	/* NOTE(review): without the ldap extension nothing is computed and
	 * $_SESSION['page-match'] is not set — presumably a guard for builds
	 * lacking the extension; confirm that callers handle the null. */
	if (!function_exists("ldap_connect")) {
		return;
	}

	$allowed_pages = array();
	$allowed_groups = array();

	$authcfg = auth_get_authserver($config['system']['webgui']['authmode']);
	// obtain ldap groups if we are in ldap mode
	// (errors are suppressed with "@": a failed lookup leaves
	// $allowed_groups empty and falls through to the local-user path)
	if ($authcfg['type'] == "ldap") {
		$allowed_groups = @ldap_get_groups($username, $authcfg);
	} elseif ($authcfg['type'] == "radius") {
		$allowed_groups = @radius_get_groups($attributes);
	}
	if (!$allowed_groups) {
		// search for a local user by name
		$local_user = getUserEntry($username);

		// obtain local user pages and groups if we have a local user
		if ($local_user) {
			getPrivPages($local_user, $allowed_pages);
			$allowed_groups = local_user_get_groups($local_user);
		}
	}

	// build a list of allowed pages
	// (group names from the auth server are matched against the local
	// group definitions with a loose, case-sensitive in_array)
	if (is_array($config['system']['group']) && is_array($allowed_groups)) {
		foreach ($config['system']['group'] as $group) {
			if (in_array($group['name'], $allowed_groups)) {
				getPrivPages($group, $allowed_pages);
			}
		}
	}

//	$dbg_pages = implode(",", $allowed_pages);
//	$dbg_groups = implode(",", $allowed_groups);
//	log_error("debug: user {$username} groups = {$dbg_groups}");
//	log_error("debug: user {$username} pages = {$dbg_pages}");

	$_SESSION['page-match'] = $allowed_pages;

	return $allowed_pages;
}
/**
 * Move the privileges needed for post-login redirection to the front.
 *
 * The relative order of the priority entries, and of all the others,
 * is preserved; string keys survive, numeric keys are renumbered.
 *
 * @param array $privs Privilege names.
 * @return array The same names, priority ones first.
 */
function sort_user_privs($privs) {
	// Privileges to place first, to redirect properly.
	$priority_privs = array("page-dashboard-all", "page-system-login-logout");

	/* string comparison, as array_intersect()/array_diff() would do */
	$is_priority = function ($priv) use ($priority_privs) {
		return in_array((string) $priv, $priority_privs, true);
	};
	$first = array_filter($privs, $is_priority);
	$rest = array_filter($privs, function ($priv) use ($is_priority) {
		return !$is_priority($priv);
	});

	return array_merge($first, $rest);
}
?>