Update sesman files moved to libsesman
parent
75c9979b54
commit
b4f9d250e2
@ -18,7 +18,7 @@
|
||||
|
||||
/**
|
||||
*
|
||||
* @file access.c
|
||||
* @file sesman_access.c
|
||||
* @brief User access control code
|
||||
* @author Simone Fedele
|
||||
*
|
||||
@ -30,28 +30,27 @@
|
||||
|
||||
#include "arch.h"
|
||||
|
||||
#include "access.h"
|
||||
#include "config.h"
|
||||
#include "sesman_access.h"
|
||||
#include "sesman_config.h"
|
||||
#include "log.h"
|
||||
#include "sesman.h"
|
||||
#include "os_calls.h"
|
||||
#include "string_calls.h"
|
||||
|
||||
/******************************************************************************/
|
||||
int
|
||||
access_login_allowed(const char *user)
|
||||
access_login_allowed(const struct config_security *cfg_sec, const char *user)
|
||||
{
|
||||
int gid;
|
||||
int ok;
|
||||
|
||||
if ((0 == g_strncmp(user, "root", 5)) && (0 == g_cfg->sec.allow_root))
|
||||
if ((0 == g_strncmp(user, "root", 5)) && (0 == cfg_sec->allow_root))
|
||||
{
|
||||
LOG(LOG_LEVEL_WARNING,
|
||||
"ROOT login attempted, but root login is disabled");
|
||||
return 0;
|
||||
}
|
||||
|
||||
if ((0 == g_cfg->sec.ts_users_enable) && (0 == g_cfg->sec.ts_always_group_check))
|
||||
if ((0 == cfg_sec->ts_users_enable) && (0 == cfg_sec->ts_always_group_check))
|
||||
{
|
||||
LOG(LOG_LEVEL_INFO, "Terminal Server Users group is disabled, allowing authentication");
|
||||
return 1;
|
||||
@ -63,13 +62,13 @@ access_login_allowed(const char *user)
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (g_cfg->sec.ts_users == gid)
|
||||
if (cfg_sec->ts_users == gid)
|
||||
{
|
||||
LOG(LOG_LEVEL_DEBUG, "ts_users is user's primary group");
|
||||
return 1;
|
||||
}
|
||||
|
||||
if (0 != g_check_user_in_group(user, g_cfg->sec.ts_users, &ok))
|
||||
if (0 != g_check_user_in_group(user, cfg_sec->ts_users, &ok))
|
||||
{
|
||||
LOG(LOG_LEVEL_ERROR, "Cannot read group info! - login denied");
|
||||
return 0;
|
||||
@ -87,19 +86,20 @@ access_login_allowed(const char *user)
|
||||
|
||||
/******************************************************************************/
|
||||
int
|
||||
access_login_mng_allowed(const char *user)
|
||||
access_login_mng_allowed(const struct config_security *cfg_sec,
|
||||
const char *user)
|
||||
{
|
||||
int gid;
|
||||
int ok;
|
||||
|
||||
if ((0 == g_strncmp(user, "root", 5)) && (0 == g_cfg->sec.allow_root))
|
||||
if ((0 == g_strncmp(user, "root", 5)) && (0 == cfg_sec->allow_root))
|
||||
{
|
||||
LOG(LOG_LEVEL_WARNING,
|
||||
"[MNG] ROOT login attempted, but root login is disabled");
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (0 == g_cfg->sec.ts_admins_enable)
|
||||
if (0 == cfg_sec->ts_admins_enable)
|
||||
{
|
||||
LOG(LOG_LEVEL_INFO, "[MNG] Terminal Server Admin group is disabled, "
|
||||
"allowing authentication");
|
||||
@ -112,13 +112,13 @@ access_login_mng_allowed(const char *user)
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (g_cfg->sec.ts_admins == gid)
|
||||
if (cfg_sec->ts_admins == gid)
|
||||
{
|
||||
LOG(LOG_LEVEL_INFO, "[MNG] ts_users is user's primary group");
|
||||
return 1;
|
||||
}
|
||||
|
||||
if (0 != g_check_user_in_group(user, g_cfg->sec.ts_admins, &ok))
|
||||
if (0 != g_check_user_in_group(user, cfg_sec->ts_admins, &ok))
|
||||
{
|
||||
LOG(LOG_LEVEL_ERROR, "[MNG] Cannot read group info! - login denied");
|
||||
return 0;
|
||||
|
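Review bot: The root gate in both `access_login_allowed` and `access_login_mng_allowed` still keys on the account name, `0 == g_strncmp(user, "root", 5)`, so with `allow_root` set to 0 any other account that maps to uid 0 is not stopped here and falls through to the group logic. Since the signatures are being reworked anyway, consider testing the uid from the user lookup that fills `gid` instead of the string; that lookup is outside the visible hunks, so this is inferred. Separately, the context line `LOG(LOG_LEVEL_INFO, "[MNG] ts_users is user's primary group");` sits under the `cfg_sec->ts_admins == gid` comparison, so the log names the wrong group; `"[MNG] ts_admins is user's primary group"` would match the check. Both function bodies continue outside the hunks shown.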
@ -18,14 +18,16 @@
|
||||
|
||||
/**
|
||||
*
|
||||
* @file access.h
|
||||
* @file sesman_access.h
|
||||
* @brief User access control definitions
|
||||
* @author Simone Fedele
|
||||
*
|
||||
*/
|
||||
|
||||
#ifndef ACCESS_H
|
||||
#define ACCESS_H
|
||||
#ifndef SESMAN_ACCESS_H
|
||||
#define SESMAN_ACCESS_H
|
||||
|
||||
struct config_security;
|
||||
|
||||
/**
|
||||
*
|
||||
@ -35,7 +37,8 @@
|
||||
*
|
||||
*/
|
||||
int
|
||||
access_login_allowed(const char *user);
|
||||
access_login_allowed(const struct config_security *cfg_sec,
|
||||
const char *user);
|
||||
|
||||
/**
|
||||
*
|
||||
@ -45,6 +48,7 @@ access_login_allowed(const char *user);
|
||||
*
|
||||
*/
|
||||
int
|
||||
access_login_mng_allowed(const char *user);
|
||||
access_login_mng_allowed(const struct config_security *cfg_sec,
|
||||
const char *user);
|
||||
|
||||
#endif
|
||||
|
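Review bot: The Doxygen blocks above `access_login_allowed` and `access_login_mng_allowed` appear not to document the new first argument: the hunk line counts leave no room for an added comment line, and the comment bodies lie between the hunks. Add `@param cfg_sec Security section of the sesman configuration that the checks are evaluated against` to both blocks. The comment should also say that `cfg_sec` must not be NULL, since the implementation dereferences it in its first statement without a check. Callers now choose which configuration governs an access decision, so the header is the place to say which one is expected.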
@ -18,14 +18,14 @@
|
||||
|
||||
/**
|
||||
*
|
||||
* @file auth.h
|
||||
* @file sesman_auth.h
|
||||
* @brief User authentication definitions
|
||||
* @author Jay Sorg
|
||||
*
|
||||
*/
|
||||
|
||||
#ifndef AUTH_H
|
||||
#define AUTH_H
|
||||
#ifndef SESMAN_AUTH_H
|
||||
#define SESMAN_AUTH_H
|
||||
|
||||
/**
|
||||
* Opaque type used to represent an authentication handle
|
||||
|
@ -29,13 +29,15 @@
|
||||
#endif
|
||||
|
||||
#include "arch.h"
|
||||
#include "config.h"
|
||||
#include "sesman_config.h"
|
||||
#include "sesman_clip_restrict.h"
|
||||
|
||||
#include "list.h"
|
||||
#include "file.h"
|
||||
#include "log.h"
|
||||
#include "os_calls.h"
|
||||
#include "string_calls.h"
|
||||
#include "chansrv/chansrv_common.h"
|
||||
//#include "chansrv/chansrv_common.h"
|
||||
#include "scp.h"
|
||||
|
||||
static const struct bitmask_char policy_bits[] =
|
||||
@ -234,26 +236,6 @@ config_read_globals(int file, struct config_sesman *cf, struct list *param_n,
|
||||
return 0;
|
||||
}
|
||||
|
||||
/*
|
||||
Map clipboard strings into bitmask values.
|
||||
Duplicated definition exists in chansrv_config,
|
||||
because it avoids build failure for xrdp-sesman and xrdp-sesrun.
|
||||
It should be unified in the future.
|
||||
*/
|
||||
static const struct bitmask_string clip_restrict_map[] =
|
||||
{
|
||||
{ CLIP_RESTRICT_TEXT, "text"},
|
||||
{ CLIP_RESTRICT_FILE, "file"},
|
||||
{ CLIP_RESTRICT_IMAGE, "image"},
|
||||
{ CLIP_RESTRICT_ALL, "all"},
|
||||
{ CLIP_RESTRICT_NONE, "none"},
|
||||
/* Compatibility values */
|
||||
{ CLIP_RESTRICT_ALL, "true"},
|
||||
{ CLIP_RESTRICT_ALL, "yes"},
|
||||
{ CLIP_RESTRICT_NONE, "false"},
|
||||
BITMASK_STRING_END_OF_LIST
|
||||
};
|
||||
|
||||
/***************************************************************************//**
|
||||
*
|
||||
* @brief Reads sesman [Security] configuration section
|
||||
@ -326,9 +308,9 @@ config_read_security(int file, struct config_security *sc,
|
||||
{
|
||||
char unrecognised[256];
|
||||
sc->restrict_outbound_clipboard =
|
||||
g_str_to_bitmask((const char *)list_get_item(param_v, i),
|
||||
clip_restrict_map, ",",
|
||||
unrecognised, sizeof(unrecognised));
|
||||
sesman_clip_restrict_string_to_bitmask(
|
||||
(const char *)list_get_item(param_v, i),
|
||||
unrecognised, sizeof(unrecognised));
|
||||
if (unrecognised[0] != '\0')
|
||||
{
|
||||
LOG(LOG_LEVEL_WARNING,
|
||||
@ -340,9 +322,9 @@ config_read_security(int file, struct config_security *sc,
|
||||
{
|
||||
char unrecognised[256];
|
||||
sc->restrict_inbound_clipboard =
|
||||
g_str_to_bitmask((const char *)list_get_item(param_v, i),
|
||||
clip_restrict_map, ",",
|
||||
unrecognised, sizeof(unrecognised));
|
||||
sesman_clip_restrict_string_to_bitmask(
|
||||
(const char *)list_get_item(param_v, i),
|
||||
unrecognised, sizeof(unrecognised));
|
||||
if (unrecognised[0] != '\0')
|
||||
{
|
||||
LOG(LOG_LEVEL_WARNING,
|
||||
@ -589,6 +571,7 @@ config_dump(struct config_sesman *config)
|
||||
se = &(config->sess);
|
||||
sc = &(config->sec);
|
||||
char policy_s[64];
|
||||
char restrict_s[64];
|
||||
|
||||
/* Global sesman configuration */
|
||||
g_writeln("Filename: %s", config->sesman_ini);
|
||||
@ -614,39 +597,16 @@ config_dump(struct config_sesman *config)
|
||||
|
||||
/* Security configuration */
|
||||
g_writeln("Security configuration:");
|
||||
g_writeln(" AllowRootLogin: %d", sc->allow_root);
|
||||
g_writeln(" AllowRootLogin: esm %d", sc->allow_root);
|
||||
g_writeln(" MaxLoginRetry: %d", sc->login_retry);
|
||||
g_writeln(" AlwaysGroupCheck: %d", sc->ts_always_group_check);
|
||||
if (sc->restrict_outbound_clipboard == CLIP_RESTRICT_NONE)
|
||||
{
|
||||
g_writeln(" RestrictOutboundClipboard: %s", "none");
|
||||
}
|
||||
else if (sc->restrict_outbound_clipboard == CLIP_RESTRICT_ALL)
|
||||
{
|
||||
g_writeln(" RestrictOutboundClipboard: %s", "all");
|
||||
}
|
||||
else
|
||||
{
|
||||
char buf[256];
|
||||
g_bitmask_to_str(sc->restrict_outbound_clipboard,
|
||||
clip_restrict_map, ',', buf, sizeof(buf));
|
||||
g_writeln(" RestrictOutboundClipboard: %s", buf);
|
||||
}
|
||||
if (sc->restrict_inbound_clipboard == CLIP_RESTRICT_NONE)
|
||||
{
|
||||
g_writeln(" RestrictInboundClipboard: %s", "none");
|
||||
}
|
||||
else if (sc->restrict_inbound_clipboard == CLIP_RESTRICT_ALL)
|
||||
{
|
||||
g_writeln(" RestrictInboundClipboard: %s", "all");
|
||||
}
|
||||
else
|
||||
{
|
||||
char buf[256];
|
||||
g_bitmask_to_str(sc->restrict_inbound_clipboard,
|
||||
clip_restrict_map, ',', buf, sizeof(buf));
|
||||
g_writeln(" RestrictInboundClipboard: %s", buf);
|
||||
}
|
||||
sesman_clip_restrict_mask_to_string(sc->restrict_outbound_clipboard,
|
||||
restrict_s, sizeof(restrict_s));
|
||||
g_writeln(" RestrictOutboundClipboard: %s", restrict_s);
|
||||
sesman_clip_restrict_mask_to_string(sc->restrict_inbound_clipboard,
|
||||
restrict_s, sizeof(restrict_s));
|
||||
|
||||
g_writeln(" RestrictInboundClipboard: %s", restrict_s);
|
||||
|
||||
g_printf( " TSUsersGroup: ");
|
||||
if (sc->ts_users_enable)
|
||||
|
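Review bot: One of the two printed variants of the AllowRootLogin line in `config_dump` carries a stray `esm` token in its format string. If that is the new side, it looks like leftover debugging and changes the dump output that administrators or scripts read to confirm whether root login is enabled, so drop the token. The include list also keeps `//#include "chansrv/chansrv_common.h"` as a commented-out line; delete it outright, now that `sesman_clip_restrict.h` is included for the clipboard mapping. `config_dump` and `config_read_security` both extend beyond the hunks shown.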
@ -18,14 +18,14 @@
|
||||
|
||||
/**
|
||||
*
|
||||
* @file config.h
|
||||
* @file sesman_config.h
|
||||
* @brief User authentication definitions
|
||||
* @author Simone Fedele @< simo [at] esseemme [dot] org @>
|
||||
*
|
||||
*/
|
||||
|
||||
#ifndef CONFIG_H
|
||||
#define CONFIG_H
|
||||
#ifndef SESMAN_CONFIG_H
|
||||
#define SESMAN_CONFIG_H
|
||||
|
||||
#include "arch.h"
|
||||
#include "list.h"
|
||||
|
@ -29,7 +29,7 @@
|
||||
#endif
|
||||
|
||||
#include "arch.h"
|
||||
#include "auth.h"
|
||||
#include "sesman_auth.h"
|
||||
#include "log.h"
|
||||
#include "os_calls.h"
|
||||
#include "string_calls.h"
|
||||
|
@ -29,7 +29,7 @@
|
||||
#endif
|
||||
|
||||
#include "arch.h"
|
||||
#include "auth.h"
|
||||
#include "sesman_auth.h"
|
||||
|
||||
#define _XOPEN_SOURCE
|
||||
#include <stdio.h>
|
||||
|
@ -29,7 +29,7 @@
|
||||
#endif
|
||||
|
||||
#include "arch.h"
|
||||
#include "auth.h"
|
||||
#include "sesman_auth.h"
|
||||
#include "os_calls.h"
|
||||
#include "string_calls.h"
|
||||
#include "log.h"
|
||||
|
@ -32,7 +32,7 @@
|
||||
#include "os_calls.h"
|
||||
#include "log.h"
|
||||
#include "string_calls.h"
|
||||
#include "auth.h"
|
||||
#include "sesman_auth.h"
|
||||
|
||||
#include <stdio.h>
|
||||
#include <security/pam_appl.h>
|
||||
|
@ -32,7 +32,7 @@
|
||||
#include "os_calls.h"
|
||||
#include "log.h"
|
||||
#include "string_calls.h"
|
||||
#include "auth.h"
|
||||
#include "sesman_auth.h"
|
||||
|
||||
#include <security/pam_userpass.h>
|
||||
|
||||
|