2 * Copyright (c) 2004-2007 Apple Inc. All rights reserved.
4 * @APPLE_LICENSE_HEADER_START@
6 * The contents of this file constitute Original Code as defined in and
7 * are subject to the Apple Public Source License Version 1.1 (the
8 * "License"). You may not use this file except in compliance with the
9 * License. Please obtain a copy of the License at
10 * http://www.apple.com/publicsource and read it before using this file.
12 * This Original Code and all software distributed under the License are
13 * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
14 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
15 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
16 * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the
17 * License for the specific language governing rights and limitations
20 * @APPLE_LICENSE_HEADER_END@
23 #include "membership.h"
24 #include "membershipPriv.h"
25 #include "DSmemberdMIG.h"
26 #include "DSmemberdMIG_types.h"
27 #include <sys/errno.h>
28 #include <mach/mach.h>
29 #include <servers/bootstrap.h>
31 #include <libkern/OSByteOrder.h>
34 extern mach_port_t _ds_port
;
35 extern int _ds_running(void);
37 static const uint8_t _mbr_root_uuid
[] = {0xff, 0xff, 0xee, 0xee, 0xdd, 0xdd, 0xcc, 0xcc, 0xbb, 0xbb, 0xaa, 0xaa, 0x00, 0x00, 0x00, 0x00};
39 #define MAX_LOOKUP_ATTEMPTS 10
41 __private_extern__ uid_t
42 audit_token_uid(audit_token_t a
)
45 * This should really call audit_token_to_au32,
46 * but that's in libbsm, not in a Libsystem library.
48 return (uid_t
)a
.val
[1];
52 _mbr_MembershipCall(struct kauth_identity_extlookup
*req
)
58 if (_ds_running() == 0) return EIO
;
59 if (_ds_port
== MACH_PORT_NULL
) return EIO
;
61 memset(&token
, 0, sizeof(audit_token_t
));
63 status
= MIG_SERVER_DIED
;
64 for (i
= 0; (_ds_port
!= MACH_PORT_NULL
) && (status
== MIG_SERVER_DIED
) && (i
< MAX_LOOKUP_ATTEMPTS
); i
++)
66 status
= memberdDSmig_MembershipCall(_ds_port
, req
, &token
);
67 if (status
== MACH_SEND_INVALID_DEST
)
69 mach_port_mod_refs(mach_task_self(), _ds_port
, MACH_PORT_RIGHT_SEND
, -1);
70 _ds_port
= MACH_PORT_NULL
;
72 status
= MIG_SERVER_DIED
;
76 if (status
!= KERN_SUCCESS
) return EIO
;
77 if (audit_token_uid(token
) != 0) return EAUTH
;
83 _mbr_MapName(char *name
, int type
, guid_t
*uu
)
89 if (name
== NULL
) return EINVAL
;
90 if (strlen(name
) > 255) return EINVAL
;
92 if (_ds_running() == 0) return EIO
;
93 if (_ds_port
== MACH_PORT_NULL
) return EIO
;
95 memset(&token
, 0, sizeof(audit_token_t
));
97 status
= MIG_SERVER_DIED
;
98 for (i
= 0; (_ds_port
!= MACH_PORT_NULL
) && (status
== MIG_SERVER_DIED
) && (i
< MAX_LOOKUP_ATTEMPTS
); i
++)
100 status
= memberdDSmig_MapName(_ds_port
, type
, name
, uu
, &token
);
101 if (status
== KERN_FAILURE
) return ENOENT
;
103 if (status
== MACH_SEND_INVALID_DEST
)
105 mach_port_mod_refs(mach_task_self(), _ds_port
, MACH_PORT_RIGHT_SEND
, -1);
106 _ds_port
= MACH_PORT_NULL
;
108 status
= MIG_SERVER_DIED
;
112 if (status
!= KERN_SUCCESS
) return EIO
;
113 if (audit_token_uid(token
) != 0) return EAUTH
;
121 kern_return_t status
;
124 if (_ds_running() == 0) return EIO
;
125 if (_ds_port
== MACH_PORT_NULL
) return EIO
;
127 status
= MIG_SERVER_DIED
;
128 for (i
= 0; (_ds_port
!= MACH_PORT_NULL
) && (status
== MIG_SERVER_DIED
) && (i
< MAX_LOOKUP_ATTEMPTS
); i
++)
130 status
= memberdDSmig_ClearCache(_ds_port
);
131 if (status
== MACH_SEND_INVALID_DEST
)
133 mach_port_mod_refs(mach_task_self(), _ds_port
, MACH_PORT_RIGHT_SEND
, -1);
134 _ds_port
= MACH_PORT_NULL
;
136 status
= MIG_SERVER_DIED
;
140 if (status
!= KERN_SUCCESS
) return EIO
;
145 int mbr_uid_to_uuid(uid_t id
, uuid_t uu
)
147 struct kauth_identity_extlookup request
;
152 memcpy(uu
, _mbr_root_uuid
, sizeof(uuid_t
));
156 /* used as a byte order field */
157 request
.el_seqno
= 1;
158 request
.el_flags
= KAUTH_EXTLOOKUP_VALID_UID
| KAUTH_EXTLOOKUP_WANT_UGUID
;
161 status
= _mbr_MembershipCall(&request
);
162 if (status
!= 0) return status
;
163 if ((request
.el_flags
& KAUTH_EXTLOOKUP_VALID_UGUID
) == 0) return ENOENT
;
165 memcpy(uu
, &request
.el_uguid
, sizeof(guid_t
));
169 int mbr_gid_to_uuid(gid_t id
, uuid_t uu
)
171 struct kauth_identity_extlookup request
;
174 request
.el_seqno
= 1;
175 request
.el_flags
= KAUTH_EXTLOOKUP_VALID_GID
| KAUTH_EXTLOOKUP_WANT_GGUID
;
178 status
= _mbr_MembershipCall(&request
);
179 if (status
!= 0) return status
;
180 if ((request
.el_flags
& KAUTH_EXTLOOKUP_VALID_GGUID
) == 0) return ENOENT
;
182 memcpy(uu
, &request
.el_gguid
, sizeof(guid_t
));
186 int mbr_uuid_to_id(const uuid_t uu
, uid_t
*id
, int *id_type
)
188 struct kauth_identity_extlookup request
;
191 if (id
== NULL
) return EIO
;
192 if (id_type
== NULL
) return EIO
;
194 if (!memcmp(uu
, _mbr_root_uuid
, sizeof(uuid_t
)))
197 *id_type
= ID_TYPE_UID
;
201 request
.el_seqno
= 1;
202 request
.el_flags
= KAUTH_EXTLOOKUP_VALID_UGUID
| KAUTH_EXTLOOKUP_VALID_GGUID
| KAUTH_EXTLOOKUP_WANT_UID
| KAUTH_EXTLOOKUP_WANT_GID
;
203 memcpy(&request
.el_uguid
, uu
, sizeof(guid_t
));
204 memcpy(&request
.el_gguid
, uu
, sizeof(guid_t
));
206 status
= _mbr_MembershipCall(&request
);
207 if (status
!= 0) return status
;
209 if ((request
.el_flags
& KAUTH_EXTLOOKUP_VALID_UID
) != 0)
211 *id
= request
.el_uid
;
212 *id_type
= ID_TYPE_UID
;
214 else if ((request
.el_flags
& KAUTH_EXTLOOKUP_VALID_GID
) != 0)
216 *id
= request
.el_gid
;
217 *id_type
= ID_TYPE_GID
;
227 int mbr_sid_to_uuid(const nt_sid_t
*sid
, uuid_t uu
)
229 struct kauth_identity_extlookup request
;
232 request
.el_seqno
= 1;
233 request
.el_flags
= KAUTH_EXTLOOKUP_VALID_GSID
| KAUTH_EXTLOOKUP_WANT_GGUID
;
234 memset(&request
.el_gsid
, 0, sizeof(ntsid_t
));
235 memcpy(&request
.el_gsid
, sid
, KAUTH_NTSID_SIZE(sid
));
237 status
= _mbr_MembershipCall(&request
);
238 if (status
!= 0) return status
;
239 if ((request
.el_flags
& KAUTH_EXTLOOKUP_VALID_GGUID
) == 0) return ENOENT
;
241 memcpy(uu
, &request
.el_gguid
, sizeof(guid_t
));
245 int mbr_uuid_to_sid_type(const uuid_t uu
, nt_sid_t
*sid
, int *id_type
)
247 struct kauth_identity_extlookup request
;
250 request
.el_seqno
= 1;
251 request
.el_flags
= KAUTH_EXTLOOKUP_VALID_UGUID
| KAUTH_EXTLOOKUP_VALID_GGUID
| KAUTH_EXTLOOKUP_WANT_USID
| KAUTH_EXTLOOKUP_WANT_GSID
;
252 memcpy(&request
.el_uguid
, uu
, sizeof(guid_t
));
253 memcpy(&request
.el_gguid
, uu
, sizeof(guid_t
));
255 status
= _mbr_MembershipCall(&request
);
256 if (status
!= 0) return status
;
258 if ((request
.el_flags
& KAUTH_EXTLOOKUP_VALID_USID
) != 0)
260 *id_type
= SID_TYPE_USER
;
261 memcpy(sid
, &request
.el_usid
, sizeof(nt_sid_t
));
263 else if ((request
.el_flags
& KAUTH_EXTLOOKUP_VALID_GSID
) != 0)
265 *id_type
= SID_TYPE_GROUP
;
266 memcpy(sid
, &request
.el_gsid
, sizeof(nt_sid_t
));
276 int mbr_uuid_to_sid(const uuid_t uu
, nt_sid_t
*sid
)
282 status
= mbr_uuid_to_sid_type(uu
, sid
, &type
);
283 if (status
!= 0) return status
;
288 int mbr_check_membership(uuid_t user
, uuid_t group
, int *ismember
)
290 struct kauth_identity_extlookup request
;
293 request
.el_seqno
= 1;
294 request
.el_flags
= KAUTH_EXTLOOKUP_VALID_UGUID
| KAUTH_EXTLOOKUP_VALID_GGUID
| KAUTH_EXTLOOKUP_WANT_MEMBERSHIP
;
295 memcpy(&request
.el_uguid
, user
, sizeof(guid_t
));
296 memcpy(&request
.el_gguid
, group
, sizeof(guid_t
));
298 status
= _mbr_MembershipCall(&request
);
299 if (status
!= 0) return status
;
300 if ((request
.el_flags
& KAUTH_EXTLOOKUP_VALID_MEMBERSHIP
) == 0) return ENOENT
;
302 *ismember
= ((request
.el_flags
& KAUTH_EXTLOOKUP_ISMEMBER
) != 0);
306 int mbr_check_membership_refresh(const uuid_t user
, uuid_t group
, int *ismember
)
308 struct kauth_identity_extlookup request
;
311 request
.el_seqno
= 1;
312 request
.el_flags
= KAUTH_EXTLOOKUP_VALID_UGUID
| KAUTH_EXTLOOKUP_VALID_GGUID
| KAUTH_EXTLOOKUP_WANT_MEMBERSHIP
| (1<<15);
313 memcpy(&request
.el_uguid
, user
, sizeof(guid_t
));
314 memcpy(&request
.el_gguid
, group
, sizeof(guid_t
));
316 status
= _mbr_MembershipCall(&request
);
317 if (status
!= 0) return status
;
318 if ((request
.el_flags
& KAUTH_EXTLOOKUP_VALID_MEMBERSHIP
) == 0) return ENOENT
;
320 *ismember
= ((request
.el_flags
& KAUTH_EXTLOOKUP_ISMEMBER
) != 0);
324 int mbr_check_membership_by_id(uuid_t user
, gid_t group
, int *ismember
)
326 struct kauth_identity_extlookup request
;
329 request
.el_seqno
= 1;
330 request
.el_flags
= KAUTH_EXTLOOKUP_VALID_UGUID
| KAUTH_EXTLOOKUP_VALID_GID
| KAUTH_EXTLOOKUP_WANT_MEMBERSHIP
;
331 memcpy(&request
.el_uguid
, user
, sizeof(guid_t
));
332 request
.el_gid
= group
;
334 status
= _mbr_MembershipCall(&request
);
335 if (status
!= 0) return status
;
336 if ((request
.el_flags
& KAUTH_EXTLOOKUP_VALID_MEMBERSHIP
) == 0) return ENOENT
;
338 *ismember
= ((request
.el_flags
& KAUTH_EXTLOOKUP_ISMEMBER
) != 0);
342 int mbr_reset_cache()
344 return _mbr_ClearCache();
347 int mbr_user_name_to_uuid(const char *name
, uuid_t uu
)
349 return _mbr_MapName((char *)name
, 1, (guid_t
*)uu
);
352 int mbr_group_name_to_uuid(const char *name
, uuid_t uu
)
354 return _mbr_MapName((char *)name
, 0, (guid_t
*)uu
);
357 int mbr_check_service_membership(const uuid_t user
, const char *servicename
, int *ismember
)
359 char *prefix
= "com.apple.access_";
360 char *all_services
= "com.apple.access_all_services";
365 if (servicename
== NULL
) return EINVAL
;
366 if (strlen(servicename
) > 255 - strlen(prefix
)) return EINVAL
;
368 /* start by checking "all services" */
369 result
= mbr_group_name_to_uuid(all_services
, group_uu
);
371 if (result
== EAUTH
) return result
;
373 if (result
== ENOENT
)
375 /* all_services group didn't exist, check individual group */
376 memcpy(groupName
, prefix
, strlen(prefix
));
377 strcpy(groupName
+ strlen(prefix
), servicename
);
378 result
= mbr_group_name_to_uuid(groupName
, group_uu
);
383 result
= mbr_check_membership_refresh(user
, group_uu
, ismember
);
385 else if (result
== EAUTH
)
391 /* just force cache update with bogus membership check */
392 memset(group_uu
, 0, sizeof(group_uu
));
393 mbr_check_membership_refresh(user
, group_uu
, &dummy
);
399 static char *ConvertBytesToDecimal(char *buffer
, unsigned long long value
)
412 *temp
= '0' + (value
% 10);
419 int mbr_sid_to_string(const nt_sid_t
*sid
, char *string
)
421 char *current
= string
;
426 if (sid
->sid_authcount
> NTSID_MAX_AUTHORITIES
) return EINVAL
;
428 for (i
= 0; i
< 6; i
++)
429 temp
= (temp
<< 8) | sid
->sid_authority
[i
];
434 strcpy(current
, ConvertBytesToDecimal(tempBuffer
, sid
->sid_kind
));
435 current
= current
+ strlen(current
);
438 strcpy(current
, ConvertBytesToDecimal(tempBuffer
, temp
));
440 for(i
=0; i
< sid
->sid_authcount
; i
++)
442 current
= current
+ strlen(current
);
445 strcpy(current
, ConvertBytesToDecimal(tempBuffer
, sid
->sid_authorities
[i
]));
451 int mbr_string_to_sid(const char *string
, nt_sid_t
*sid
)
453 char *current
= (char *)string
+2;
457 if (string
== NULL
) return EINVAL
;
459 memset(sid
, 0, sizeof(nt_sid_t
));
460 if (string
[0] != 'S' || string
[1] != '-') return EINVAL
;
462 sid
->sid_kind
= strtol(current
, ¤t
, 10);
463 if (*current
== '\0') return EINVAL
;
465 temp
= strtoll(current
, ¤t
, 10);
467 /* convert to BigEndian before copying */
468 temp
= OSSwapHostToBigInt64(temp
);
469 memcpy(sid
->sid_authority
, ((char*)&temp
)+2, 6);
470 while (*current
!= '\0' && count
< NTSID_MAX_AUTHORITIES
)
473 sid
->sid_authorities
[count
] = strtol(current
, ¤t
, 10);
477 if (*current
!= '\0') return EINVAL
;
479 sid
->sid_authcount
= count
;
484 static void ConvertBytesToHex(char **string
, char **data
, int numBytes
)
488 for (i
=0; i
< numBytes
; i
++)
490 unsigned char hi
= ((**data
) >> 4) & 0xf;
491 unsigned char low
= (**data
) & 0xf;
495 **string
= 'A' + hi
- 10;
500 **string
= '0' + low
;
502 **string
= 'A' + low
- 10;
509 int mbr_uuid_to_string(const uuid_t uu
, char *string
)
511 char *guid
= (char*)uu
;
512 char *strPtr
= string
;
513 ConvertBytesToHex(&strPtr
, &guid
, 4);
514 *strPtr
= '-'; strPtr
++;
515 ConvertBytesToHex(&strPtr
, &guid
, 2);
516 *strPtr
= '-'; strPtr
++;
517 ConvertBytesToHex(&strPtr
, &guid
, 2);
518 *strPtr
= '-'; strPtr
++;
519 ConvertBytesToHex(&strPtr
, &guid
, 2);
520 *strPtr
= '-'; strPtr
++;
521 ConvertBytesToHex(&strPtr
, &guid
, 6);
527 int mbr_string_to_uuid(const char *string
, uuid_t uu
)
530 int isFirstNibble
= 1;
532 if (string
== NULL
) return EINVAL
;
533 if (strlen(string
) > MBR_UU_STRING_SIZE
) return EINVAL
;
535 while (*string
!= '\0' && dataIndex
< 16)
539 if (*string
>= '0' && *string
<= '9')
540 nibble
= *string
- '0';
541 else if (*string
>= 'A' && *string
<= 'F')
542 nibble
= *string
- 'A' + 10;
543 else if (*string
>= 'a' && *string
<= 'f')
544 nibble
= *string
- 'a' + 10;
555 uu
[dataIndex
] = nibble
<< 4;
560 uu
[dataIndex
] |= nibble
;
568 if (dataIndex
!= 16) return EINVAL
;