2 * Copyright (c) 2004-2007 Apple Computer, Inc. All rights reserved.
4 * @APPLE_LICENSE_HEADER_START@
6 * The contents of this file constitute Original Code as defined in and
7 * are subject to the Apple Public Source License Version 1.1 (the
8 * "License"). You may not use this file except in compliance with the
9 * License. Please obtain a copy of the License at
10 * http://www.apple.com/publicsource and read it before using this file.
12 * This Original Code and all software distributed under the License are
13 * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
14 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
15 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
16 * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the
17 * License for the specific language governing rights and limitations
20 * @APPLE_LICENSE_HEADER_END@
23 #include "membership.h"
24 #include "membershipPriv.h"
27 #include <sys/errno.h>
28 #include <servers/bootstrap.h>
29 #include <mach/mach.h>
31 #include <libkern/OSByteOrder.h>
33 static mach_port_t
GetServerPort()
36 static mach_port_t bsPort
= 0;
37 static mach_port_t fServerPort
= 0;
41 result
= task_get_bootstrap_port(mach_task_self(), &bsPort
);
42 result
= bootstrap_look_up(bsPort
, "com.apple.memberd", &fServerPort
);
48 int mbr_uid_to_uuid(uid_t id
, uuid_t uu
)
50 struct kauth_identity_extlookup request
;
51 security_token_t token
;
57 request
.el_flags
= KAUTH_EXTLOOKUP_VALID_UID
| KAUTH_EXTLOOKUP_WANT_UGUID
;
59 result
= _mbr_DoMembershipCall(GetServerPort(), &request
, &token
);
60 if (result
!= KERN_SUCCESS
) return EIO
;
61 if (token
.val
[0] != 0) return EAUTH
;
63 if ((request
.el_flags
& KAUTH_EXTLOOKUP_VALID_UGUID
) != 0)
64 memcpy(uu
, &request
.el_uguid
, sizeof(guid_t
));
71 int mbr_gid_to_uuid(gid_t id
, uuid_t uu
)
73 struct kauth_identity_extlookup request
;
74 security_token_t token
;
81 request
.el_flags
= KAUTH_EXTLOOKUP_VALID_GID
| KAUTH_EXTLOOKUP_WANT_GGUID
;
83 result
= _mbr_DoMembershipCall(GetServerPort(), &request
, &token
);
84 if (result
!= KERN_SUCCESS
) return EIO
;
85 if (token
.val
[0] != 0) return EAUTH
;
87 if ((request
.el_flags
& KAUTH_EXTLOOKUP_VALID_GGUID
) != 0)
88 memcpy(uu
, &request
.el_gguid
, sizeof(guid_t
));
95 int mbr_uuid_to_id(const uuid_t uu
, uid_t
*id
, int *id_type
)
97 struct kauth_identity_extlookup request
;
98 security_token_t token
;
105 request
.el_flags
= KAUTH_EXTLOOKUP_VALID_UGUID
| KAUTH_EXTLOOKUP_VALID_GGUID
| KAUTH_EXTLOOKUP_WANT_UID
| KAUTH_EXTLOOKUP_WANT_GID
;
106 memcpy(&request
.el_uguid
, uu
, sizeof(guid_t
));
107 memcpy(&request
.el_gguid
, uu
, sizeof(guid_t
));
108 result
= _mbr_DoMembershipCall(GetServerPort(), &request
, &token
);
109 if (result
!= KERN_SUCCESS
) return EIO
;
110 if (token
.val
[0] != 0) return EAUTH
;
112 if ((request
.el_flags
& KAUTH_EXTLOOKUP_VALID_UID
) != 0)
114 *id
= request
.el_uid
;
115 *id_type
= ID_TYPE_UID
;
117 else if ((request
.el_flags
& KAUTH_EXTLOOKUP_VALID_GID
) != 0)
119 *id
= request
.el_gid
;
120 *id_type
= ID_TYPE_GID
;
130 int mbr_sid_to_uuid(const nt_sid_t
*sid
, uuid_t uu
)
132 struct kauth_identity_extlookup request
;
133 security_token_t token
;
134 kern_return_t result
;
140 request
.el_flags
= KAUTH_EXTLOOKUP_VALID_GSID
| KAUTH_EXTLOOKUP_WANT_GGUID
;
141 memset(&request
.el_gsid
, 0, sizeof(ntsid_t
));
142 memcpy(&request
.el_gsid
, sid
, KAUTH_NTSID_SIZE(sid
));
143 result
= _mbr_DoMembershipCall(GetServerPort(), &request
, &token
);
144 if (result
!= KERN_SUCCESS
) return EIO
;
145 if (token
.val
[0] != 0) return EAUTH
;
147 if ((request
.el_flags
& KAUTH_EXTLOOKUP_VALID_GGUID
) != 0)
148 memcpy(uu
, &request
.el_gguid
, sizeof(guid_t
));
155 int mbr_uuid_to_sid(const uuid_t uu
, nt_sid_t
*sid
)
157 struct kauth_identity_extlookup request
;
158 security_token_t token
;
159 kern_return_t result
;
165 request
.el_flags
= KAUTH_EXTLOOKUP_VALID_GGUID
| KAUTH_EXTLOOKUP_WANT_GSID
;
166 memcpy(&request
.el_gguid
, uu
, sizeof(guid_t
));
167 result
= _mbr_DoMembershipCall(GetServerPort(), &request
, &token
);
168 if (result
!= KERN_SUCCESS
) return EIO
;
169 if (token
.val
[0] != 0) return EAUTH
;
171 if ((request
.el_flags
& KAUTH_EXTLOOKUP_VALID_GSID
) != 0)
172 memcpy(sid
, &request
.el_gsid
, sizeof(nt_sid_t
));
179 int mbr_check_membership(uuid_t user
, uuid_t group
, int *ismember
)
181 struct kauth_identity_extlookup request
;
182 security_token_t token
;
183 kern_return_t result
;
189 request
.el_flags
= KAUTH_EXTLOOKUP_VALID_UGUID
| KAUTH_EXTLOOKUP_VALID_GGUID
| KAUTH_EXTLOOKUP_WANT_MEMBERSHIP
;
190 memcpy(&request
.el_uguid
, user
, sizeof(guid_t
));
191 memcpy(&request
.el_gguid
, group
, sizeof(guid_t
));
192 result
= _mbr_DoMembershipCall(GetServerPort(), &request
, &token
);
193 if (result
!= KERN_SUCCESS
) return EIO
;
194 if (token
.val
[0] != 0) return EAUTH
;
196 if ((request
.el_flags
& KAUTH_EXTLOOKUP_VALID_MEMBERSHIP
) != 0)
197 *ismember
= ((request
.el_flags
& KAUTH_EXTLOOKUP_ISMEMBER
) != 0);
204 int mbr_check_membership_refresh(uuid_t user
, uuid_t group
, int *ismember
)
206 struct kauth_identity_extlookup request
;
207 security_token_t token
;
208 kern_return_t result
;
214 request
.el_flags
= KAUTH_EXTLOOKUP_VALID_UGUID
| KAUTH_EXTLOOKUP_VALID_GGUID
| KAUTH_EXTLOOKUP_WANT_MEMBERSHIP
| (1 << 15);
215 memcpy(&request
.el_uguid
, user
, sizeof(guid_t
));
216 memcpy(&request
.el_gguid
, group
, sizeof(guid_t
));
217 result
= _mbr_DoMembershipCall(GetServerPort(), &request
, &token
);
218 if (result
!= KERN_SUCCESS
) return EIO
;
219 if (token
.val
[0] != 0) return EAUTH
;
221 if ((request
.el_flags
& KAUTH_EXTLOOKUP_VALID_MEMBERSHIP
) != 0)
222 *ismember
= ((request
.el_flags
& KAUTH_EXTLOOKUP_ISMEMBER
) != 0);
229 int mbr_check_membership_by_id(uuid_t user
, gid_t group
, int *ismember
)
231 struct kauth_identity_extlookup request
;
232 security_token_t token
;
233 kern_return_t result
;
239 request
.el_flags
= KAUTH_EXTLOOKUP_VALID_UGUID
| KAUTH_EXTLOOKUP_VALID_GID
| KAUTH_EXTLOOKUP_WANT_MEMBERSHIP
;
240 memcpy(&request
.el_uguid
, user
, sizeof(guid_t
));
241 request
.el_gid
= group
;
242 result
= _mbr_DoMembershipCall(GetServerPort(), &request
, &token
);
243 if (result
!= KERN_SUCCESS
) return EIO
;
244 if (token
.val
[0] != 0) return EAUTH
;
246 if ((request
.el_flags
& KAUTH_EXTLOOKUP_VALID_MEMBERSHIP
) != 0)
247 *ismember
= ((request
.el_flags
& KAUTH_EXTLOOKUP_ISMEMBER
) != 0);
254 int mbr_reset_cache()
256 security_token_t token
;
257 kern_return_t result
;
262 result
= _mbr_ClearCache(GetServerPort(), &token
);
263 if (result
!= KERN_SUCCESS
) return EIO
;
264 if (token
.val
[0] != 0) return EAUTH
;
269 int mbr_user_name_to_uuid(const char *name
, uuid_t uu
)
271 security_token_t token
;
272 kern_return_t result
;
274 if (name
== NULL
) return EINVAL
;
275 if (strlen(name
) > 255) return EINVAL
;
280 result
= _mbr_MapName(GetServerPort(), 1, (char *)name
, (guid_t
*)uu
, &token
);
281 if (result
== KERN_FAILURE
) return ENOENT
;
282 else if (result
!= KERN_SUCCESS
) return EIO
;
284 if (token
.val
[0] != 0) return EAUTH
;
289 int mbr_group_name_to_uuid(const char *name
, uuid_t uu
)
291 security_token_t token
;
292 kern_return_t result
;
294 if (name
== NULL
) return EINVAL
;
295 if (strlen(name
) > 255) return EINVAL
;
300 result
= _mbr_MapName(GetServerPort(), 0, (char *)name
, (guid_t
*)uu
, &token
);
301 if (result
== KERN_FAILURE
) return ENOENT
;
302 else if (result
!= KERN_SUCCESS
) return EIO
;
304 if (token
.val
[0] != 0) return EAUTH
;
309 int mbr_check_service_membership(const uuid_t user
, const char *servicename
, int *ismember
)
311 char *prefix
= "com.apple.access_";
312 char *all_services
= "com.apple.access_all_services";
317 if (servicename
== NULL
) return EINVAL
;
318 if (strlen(servicename
) > (255 - strlen(prefix
))) return EINVAL
;
320 /* start by checking "all services" */
321 result
= mbr_group_name_to_uuid(all_services
, group_uu
);
323 if (result
== EAUTH
) return result
;
325 if (result
== ENOENT
)
327 /* all_services group didn't exist, check individual group */
328 memcpy(groupName
, prefix
, strlen(prefix
));
329 strcpy(groupName
+ strlen(prefix
), servicename
);
330 result
= mbr_group_name_to_uuid(groupName
, group_uu
);
335 result
= mbr_check_membership_refresh(user
, group_uu
, ismember
);
337 else if (result
== EAUTH
)
343 /* just force cache update with bogus membership check */
344 memset(group_uu
, 0, sizeof(group_uu
));
345 mbr_check_membership_refresh(user
, group_uu
, &dummy
);
351 static char *ConvertBytesToDecimal(char *buffer
, unsigned long long value
)
357 if (value
== 0) return &buffer
[23];
363 *temp
= '0' + (value
% 10);
370 int mbr_sid_to_string(const nt_sid_t
*sid
, char *string
)
372 char *current
= string
;
377 if (sid
->sid_authcount
> NTSID_MAX_AUTHORITIES
) return EINVAL
;
379 for (i
= 0; i
< 6; i
++)
380 temp
= (temp
<< 8) | sid
->sid_authority
[i
];
385 strcpy(current
, ConvertBytesToDecimal(tempBuffer
, sid
->sid_kind
));
386 current
= current
+ strlen(current
);
389 strcpy(current
, ConvertBytesToDecimal(tempBuffer
, temp
));
391 for (i
= 0; i
< sid
->sid_authcount
; i
++)
393 current
= current
+ strlen(current
);
396 strcpy(current
, ConvertBytesToDecimal(tempBuffer
, sid
->sid_authorities
[i
]));
402 int mbr_string_to_sid(const char *string
, nt_sid_t
*sid
)
404 char *current
= string
+2;
408 memset(sid
, 0, sizeof(nt_sid_t
));
409 if ((string
[0] != 'S') || (string
[1] != '-')) return EINVAL
;
411 sid
->sid_kind
= strtol(current
, ¤t
, 10);
412 if (*current
== '\0') return EINVAL
;
414 temp
= strtoll(current
, ¤t
, 10);
416 /* convert to BigEndian before copying */
417 temp
= OSSwapHostToBigInt64(temp
);
418 memcpy(sid
->sid_authority
, ((char*)&temp
)+2, 6);
419 while ((*current
!= '\0') && (count
< NTSID_MAX_AUTHORITIES
))
422 sid
->sid_authorities
[count
] = strtol(current
, ¤t
, 10);
426 if (*current
!= '\0') return EINVAL
;
428 sid
->sid_authcount
= count
;
433 static void ConvertBytesToHex(char **string
, char **data
, int numBytes
)
437 for (i
= 0; i
< numBytes
; i
++)
439 unsigned char hi
= ((**data
) >> 4) & 0xf;
440 unsigned char low
= (**data
) & 0xf;
444 **string
= 'A' + hi
- 10;
449 **string
= '0' + low
;
451 **string
= 'A' + low
- 10;
458 int mbr_uuid_to_string(const uuid_t uu
, char *string
)
460 char *guid
= (char *)uu
;
461 char *strPtr
= string
;
462 ConvertBytesToHex(&strPtr
, &guid
, 4);
463 *strPtr
= '-'; strPtr
++;
464 ConvertBytesToHex(&strPtr
, &guid
, 2);
465 *strPtr
= '-'; strPtr
++;
466 ConvertBytesToHex(&strPtr
, &guid
, 2);
467 *strPtr
= '-'; strPtr
++;
468 ConvertBytesToHex(&strPtr
, &guid
, 2);
469 *strPtr
= '-'; strPtr
++;
470 ConvertBytesToHex(&strPtr
, &guid
, 6);
476 int mbr_string_to_uuid(const char *string
, uuid_t uu
)
479 int isFirstNibble
= 1;
481 if (strlen(string
) > MBR_UU_STRING_SIZE
)
484 while (*string
!= '\0' && dataIndex
< 16)
488 if ((*string
>= '0') && (*string
<= '9'))
490 nibble
= *string
- '0';
492 else if ((*string
>= 'A') && (*string
<= 'F'))
494 nibble
= *string
- 'A' + 10;
496 else if ((*string
>= 'a') && (*string
<= 'f'))
498 nibble
= *string
- 'a' + 10;
502 if (*string
!= '-') return EINVAL
;
509 uu
[dataIndex
] = nibble
<< 4;
514 uu
[dataIndex
] |= nibble
;
522 if (dataIndex
!= 16) return EINVAL
;