2 * lib/krb5/os/kuserok.c
4 * Copyright 1990,1993 by the Massachusetts Institute of Technology.
7 * Export of this software from the United States of America may
8 * require a specific license from the United States Government.
9 * It is the responsibility of any person or organization contemplating
10 * export to obtain such a license before exporting.
12 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
13 * distribute this software and its documentation for any purpose and
14 * without fee is hereby granted, provided that the above copyright
15 * notice appear in all copies and that both that copyright notice and
16 * this permission notice appear in supporting documentation, and that
17 * the name of M.I.T. not be used in advertising or publicity pertaining
18 * to distribution of the software without specific, written prior
19 * permission. M.I.T. makes no representations about the suitability of
20 * this software for any purpose. It is provided "as is" without express
21 * or implied warranty.
28 #ifndef _MSDOS /* Not yet for Windows */
32 #if defined(_AIX) && defined(_IBMR2)
33 #include <sys/access.h>
34 /* xlc has a bug with "const" */
35 #define getpwnam(user) getpwnam((char *)user)
/*
 * Sizes the kuser buffer in krb5_kuserok; sizeof(kuser) is handed to
 * krb5_aname_to_localname as its output-buffer size, so the bound travels
 * with the buffer rather than being assumed. Raise it here if longer local
 * usernames must be mapped.
 */
38 #define MAX_USERNAME 10
41 * Given a Kerberos principal "principal", and a local username "luser",
42 * determine whether user is authorized to login according to the
43 * authorization file ("~luser/.k5login" by default). Returns TRUE
44 * if authorized, FALSE if not authorized.
46 * If there is no account for "luser" on the local machine, returns
47 * FALSE. If there is no authorization file, and the given Kerberos
48 * principal "principal" translates to the same name as "luser" (using
49 * krb5_aname_to_localname()), returns TRUE. Otherwise, if the authorization file
50 * can't be accessed, returns FALSE. Otherwise, the file is read for
51 * a matching principal name, instance, and realm. If one is found,
52 * returns TRUE, if none is found, returns FALSE.
54 * The file entries are in the format produced by krb5_unparse_name(),
/*
 * Decide whether "principal" may log in as the local account "luser".
 * Per the header comment above: TRUE when the account exists and either
 * (a) there is no ~luser/.k5login and the principal maps to luser via
 * krb5_aname_to_localname, or (b) a .k5login owned by luser or root holds a
 * line exactly equal to the unparsed principal; any failure along the way
 * yields FALSE. Only selected lines of the body appear in this listing.
 */
60 krb5_kuserok(context, principal, luser)
62 krb5_principal principal;
67 char pbuf[MAXPATHLEN];
68 krb5_boolean isok = FALSE;
/* Bounded by MAX_USERNAME; sizeof(kuser) is passed to the mapping call below. */
70 char kuser[MAX_USERNAME];
76 /* no account => no access */
77 if ((pwd = getpwnam(luser)) == NULL) {
/*
 * NOTE(review): neither strcpy nor strcat is bounded by sizeof(pbuf), so a
 * pw_dir longer than MAXPATHLEN - strlen("/.k5login") - 1 overruns pbuf.
 * A bounded build, snprintf(pbuf, sizeof(pbuf), "%s/.k5login", pwd->pw_dir)
 * followed by a truncation check that returns FALSE, is the usual fix.
 */
80 (void) strcpy(pbuf, pwd->pw_dir);
81 (void) strcat(pbuf, "/.k5login");
/*
 * Existence test only (F_OK). The ownership decision below is taken on the
 * descriptor returned by fopen() (fstat on fileno(fp)), not on this path
 * lookup.
 */
83 if (access(pbuf, F_OK)) { /* not accessible */
85 * if he's trying to log in as himself, and there is no .k5login file,
86 * let him. To find out, call
87 * krb5_aname_to_localname to convert the principal to a name
88 * which we can string compare.
/* Both parts are required: the mapping must succeed (return 0) and the mapped name must equal luser exactly. */
90 if (!(krb5_aname_to_localname(context, principal,
91 sizeof(kuser), kuser))
92 && (strcmp(kuser, luser) == 0)) {
/*
 * princname is allocated by krb5_unparse_name; confirm it is released on
 * every return path after this point (the release is not in this excerpt).
 */
96 if (krb5_unparse_name(context, principal, &princname))
97 return(FALSE); /* no hope of matching */
100 if ((fp = fopen(pbuf, "r")) == NULL) {
105 * For security reasons, the .k5login file must be owned either by
106 * the user himself, or by root. Otherwise, don't grant access.
/* fstat on the open stream, so the check applies to the file actually being read. */
108 if (fstat(fileno(fp), &sbuf)) {
/*
 * Owner must be the account (pw_uid) or uid 0. No permission-bit check
 * (e.g. group- or world-writable) is visible in this excerpt.
 */
113 if ((sbuf.st_uid != pwd->pw_uid) && sbuf.st_uid) {
119 /* check each line */
/* Loop ends at EOF or once isok becomes TRUE (presumably set in the match branch at line 127, not shown). */
120 while (!isok && (fgets(linebuf, BUFSIZ, fp) != NULL)) {
121 /* null-terminate the input string */
/* fgets() already terminates within BUFSIZ; this is a redundant safeguard. */
122 linebuf[BUFSIZ-1] = '\0';
124 /* nuke the newline if it exists */
/* Assignment in the condition is deliberate: newline locates the '\n' (presumably cleared on the elided next line). */
125 if (newline = strchr(linebuf, '\n'))
/*
 * Exact, case-sensitive comparison against the full unparsed name.
 * NOTE(review): a line of BUFSIZ-1 or more characters arrives here truncated
 * and without its '\n', yet is still compared. Skipping lines that had no
 * newline (newline == NULL and not at EOF) would avoid matching a partial
 * entry.
 */
127 if (!strcmp(linebuf, princname)) {
131 /* clean up the rest of the line if necessary */
/* Discard the remainder of an over-long line so the next fgets() starts on a fresh entry. */
133 while (((gobble = getc(fp)) != EOF) && gobble != '\n');
143 * If the given Kerberos principal "principal" translates to the same name as "luser"
144 * (using krb5_aname_to_localname()), returns TRUE.
/*
 * Alternate definition of krb5_kuserok (presumably the other branch of the
 * #ifndef _MSDOS at the top of the file — confirm). No .k5login file is
 * consulted: access is granted only when the principal's local name, as
 * mapped by krb5_aname_to_localname, equals luser exactly. Only selected
 * lines of the body appear in this listing.
 */
146 krb5_boolean INTERFACE
147 krb5_kuserok(context, principal, luser)
148 krb5_context context;
149 krb5_principal principal;
/* The mapping must succeed (return 0) before the name is compared. */
154 if (! krb5_aname_to_localname(context, principal, sizeof(kuser), kuser))
/* Exact, case-sensitive match; the value returned on mismatch is on the elided lines. */
157 if (strcmp(kuser, luser) == 0)