Update sesman files moved to libsesman

This commit is contained in:
matt335672 2023-03-20 15:06:11 +00:00
parent 75c9979b54
commit b4f9d250e2
10 changed files with 53 additions and 89 deletions


@ -18,7 +18,7 @@
/**
*
* @file access.c
* @file sesman_access.c
* @brief User access control code
* @author Simone Fedele
*
@ -30,28 +30,27 @@
#include "arch.h"
#include "access.h"
#include "config.h"
#include "sesman_access.h"
#include "sesman_config.h"
#include "log.h"
#include "sesman.h"
#include "os_calls.h"
#include "string_calls.h"
/******************************************************************************/
int
access_login_allowed(const char *user)
access_login_allowed(const struct config_security *cfg_sec, const char *user)
{
int gid;
int ok;
if ((0 == g_strncmp(user, "root", 5)) && (0 == g_cfg->sec.allow_root))
if ((0 == g_strncmp(user, "root", 5)) && (0 == cfg_sec->allow_root))
{
LOG(LOG_LEVEL_WARNING,
"ROOT login attempted, but root login is disabled");
return 0;
}
if ((0 == g_cfg->sec.ts_users_enable) && (0 == g_cfg->sec.ts_always_group_check))
if ((0 == cfg_sec->ts_users_enable) && (0 == cfg_sec->ts_always_group_check))
{
LOG(LOG_LEVEL_INFO, "Terminal Server Users group is disabled, allowing authentication");
return 1;
@ -63,13 +62,13 @@ access_login_allowed(const char *user)
return 0;
}
if (g_cfg->sec.ts_users == gid)
if (cfg_sec->ts_users == gid)
{
LOG(LOG_LEVEL_DEBUG, "ts_users is user's primary group");
return 1;
}
if (0 != g_check_user_in_group(user, g_cfg->sec.ts_users, &ok))
if (0 != g_check_user_in_group(user, cfg_sec->ts_users, &ok))
{
LOG(LOG_LEVEL_ERROR, "Cannot read group info! - login denied");
return 0;
@ -87,19 +86,20 @@ access_login_allowed(const char *user)
/******************************************************************************/
int
access_login_mng_allowed(const char *user)
access_login_mng_allowed(const struct config_security *cfg_sec,
const char *user)
{
int gid;
int ok;
if ((0 == g_strncmp(user, "root", 5)) && (0 == g_cfg->sec.allow_root))
if ((0 == g_strncmp(user, "root", 5)) && (0 == cfg_sec->allow_root))
{
LOG(LOG_LEVEL_WARNING,
"[MNG] ROOT login attempted, but root login is disabled");
return 0;
}
if (0 == g_cfg->sec.ts_admins_enable)
if (0 == cfg_sec->ts_admins_enable)
{
LOG(LOG_LEVEL_INFO, "[MNG] Terminal Server Admin group is disabled, "
"allowing authentication");
@ -112,13 +112,13 @@ access_login_mng_allowed(const char *user)
return 0;
}
if (g_cfg->sec.ts_admins == gid)
if (cfg_sec->ts_admins == gid)
{
LOG(LOG_LEVEL_INFO, "[MNG] ts_users is user's primary group");
return 1;
}
if (0 != g_check_user_in_group(user, g_cfg->sec.ts_admins, &ok))
if (0 != g_check_user_in_group(user, cfg_sec->ts_admins, &ok))
{
LOG(LOG_LEVEL_ERROR, "[MNG] Cannot read group info! - login denied");
return 0;
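Review bot: The new `cfg_sec` parameter is dereferenced at `cfg_sec->allow_root` without any check, and the same pattern appears in access_login_mng_allowed further down; since both functions gate logins, a NULL configuration pointer should fail closed rather than crash the process. Either document the non-NULL precondition in the header or add a guard at the top of each function, `if (cfg_sec == NULL) { LOG(LOG_LEVEL_ERROR, "No security configuration - login denied"); return 0; }`. Both function bodies begin and end outside the visible hunks, so any other remaining reference to the old `g_cfg` global cannot be checked here.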


@ -18,14 +18,16 @@
/**
*
* @file access.h
* @file sesman_access.h
* @brief User access control definitions
* @author Simone Fedele
*
*/
#ifndef ACCESS_H
#define ACCESS_H
#ifndef SESMAN_ACCESS_H
#define SESMAN_ACCESS_H
struct config_security;
/**
*
@ -35,7 +37,8 @@
*
*/
int
access_login_allowed(const char *user);
access_login_allowed(const struct config_security *cfg_sec,
const char *user);
/**
*
@ -45,6 +48,7 @@ access_login_allowed(const char *user);
*
*/
int
access_login_mng_allowed(const char *user);
access_login_mng_allowed(const struct config_security *cfg_sec,
const char *user);
#endif
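Review bot: The new `cfg_sec` parameter of access_login_allowed and access_login_mng_allowed is not described in the part of either Doxygen block that falls inside the hunks; if the lines above (outside the hunk) do not already carry it, add `@param cfg_sec Security configuration the check is made against; must not be NULL` to both blocks, next to the existing description of `user`. The forward declaration `struct config_security;` is enough for the prototypes and keeps this header independent of sesman_config.h.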


@ -18,14 +18,14 @@
/**
*
* @file auth.h
* @file sesman_auth.h
* @brief User authentication definitions
* @author Jay Sorg
*
*/
#ifndef AUTH_H
#define AUTH_H
#ifndef SESMAN_AUTH_H
#define SESMAN_AUTH_H
/**
* Opaque type used to represent an authentication handle


@ -29,13 +29,15 @@
#endif
#include "arch.h"
#include "config.h"
#include "sesman_config.h"
#include "sesman_clip_restrict.h"
#include "list.h"
#include "file.h"
#include "log.h"
#include "os_calls.h"
#include "string_calls.h"
#include "chansrv/chansrv_common.h"
//#include "chansrv/chansrv_common.h"
#include "scp.h"
static const struct bitmask_char policy_bits[] =
@ -234,26 +236,6 @@ config_read_globals(int file, struct config_sesman *cf, struct list *param_n,
return 0;
}
/*
Map clipboard strings into bitmask values.
Duplicated definition exists in chansrv_config,
because it avoids build failure for xrdp-sesman and xrdp-sesrun.
It should be unified in the future.
*/
static const struct bitmask_string clip_restrict_map[] =
{
{ CLIP_RESTRICT_TEXT, "text"},
{ CLIP_RESTRICT_FILE, "file"},
{ CLIP_RESTRICT_IMAGE, "image"},
{ CLIP_RESTRICT_ALL, "all"},
{ CLIP_RESTRICT_NONE, "none"},
/* Compatibility values */
{ CLIP_RESTRICT_ALL, "true"},
{ CLIP_RESTRICT_ALL, "yes"},
{ CLIP_RESTRICT_NONE, "false"},
BITMASK_STRING_END_OF_LIST
};
/***************************************************************************//**
*
* @brief Reads sesman [Security] configuration section
@ -326,9 +308,9 @@ config_read_security(int file, struct config_security *sc,
{
char unrecognised[256];
sc->restrict_outbound_clipboard =
g_str_to_bitmask((const char *)list_get_item(param_v, i),
clip_restrict_map, ",",
unrecognised, sizeof(unrecognised));
sesman_clip_restrict_string_to_bitmask(
(const char *)list_get_item(param_v, i),
unrecognised, sizeof(unrecognised));
if (unrecognised[0] != '\0')
{
LOG(LOG_LEVEL_WARNING,
@ -340,9 +322,9 @@ config_read_security(int file, struct config_security *sc,
{
char unrecognised[256];
sc->restrict_inbound_clipboard =
g_str_to_bitmask((const char *)list_get_item(param_v, i),
clip_restrict_map, ",",
unrecognised, sizeof(unrecognised));
sesman_clip_restrict_string_to_bitmask(
(const char *)list_get_item(param_v, i),
unrecognised, sizeof(unrecognised));
if (unrecognised[0] != '\0')
{
LOG(LOG_LEVEL_WARNING,
@ -589,6 +571,7 @@ config_dump(struct config_sesman *config)
se = &(config->sess);
sc = &(config->sec);
char policy_s[64];
char restrict_s[64];
/* Global sesman configuration */
g_writeln("Filename: %s", config->sesman_ini);
@ -614,39 +597,16 @@ config_dump(struct config_sesman *config)
/* Security configuration */
g_writeln("Security configuration:");
g_writeln(" AllowRootLogin: %d", sc->allow_root);
g_writeln(" AllowRootLogin: esm %d", sc->allow_root);
g_writeln(" MaxLoginRetry: %d", sc->login_retry);
g_writeln(" AlwaysGroupCheck: %d", sc->ts_always_group_check);
if (sc->restrict_outbound_clipboard == CLIP_RESTRICT_NONE)
{
g_writeln(" RestrictOutboundClipboard: %s", "none");
}
else if (sc->restrict_outbound_clipboard == CLIP_RESTRICT_ALL)
{
g_writeln(" RestrictOutboundClipboard: %s", "all");
}
else
{
char buf[256];
g_bitmask_to_str(sc->restrict_outbound_clipboard,
clip_restrict_map, ',', buf, sizeof(buf));
g_writeln(" RestrictOutboundClipboard: %s", buf);
}
if (sc->restrict_inbound_clipboard == CLIP_RESTRICT_NONE)
{
g_writeln(" RestrictInboundClipboard: %s", "none");
}
else if (sc->restrict_inbound_clipboard == CLIP_RESTRICT_ALL)
{
g_writeln(" RestrictInboundClipboard: %s", "all");
}
else
{
char buf[256];
g_bitmask_to_str(sc->restrict_inbound_clipboard,
clip_restrict_map, ',', buf, sizeof(buf));
g_writeln(" RestrictInboundClipboard: %s", buf);
}
sesman_clip_restrict_mask_to_string(sc->restrict_outbound_clipboard,
restrict_s, sizeof(restrict_s));
g_writeln(" RestrictOutboundClipboard: %s", restrict_s);
sesman_clip_restrict_mask_to_string(sc->restrict_inbound_clipboard,
restrict_s, sizeof(restrict_s));
g_writeln(" RestrictInboundClipboard: %s", restrict_s);
g_printf( " TSUsersGroup: ");
if (sc->ts_users_enable)
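Review bot: The config_dump output line for AllowRootLogin now reads `" AllowRootLogin: esm %d"`; if that is the new side of the pair, the `esm ` fragment looks like an accidental insertion in a user-visible string and the line should be `g_writeln(" AllowRootLogin: %d", sc->allow_root);`. In the same file, the commented-out `//#include "chansrv/chansrv_common.h"` near the top should be deleted rather than left in place now that the clipboard mapping lives in sesman_clip_restrict. The shared `restrict_s[64]` buffer replaces two 256-byte buffers; sesman_clip_restrict_mask_to_string receives the size, so this is presumably bounded, but confirm it either fits every mask or truncates cleanly. config_dump starts before the hunk and continues after it.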


@ -18,14 +18,14 @@
/**
*
* @file config.h
* @file sesman_config.h
* @brief User authentication definitions
* @author Simone Fedele @< simo [at] esseemme [dot] org @>
*
*/
#ifndef CONFIG_H
#define CONFIG_H
#ifndef SESMAN_CONFIG_H
#define SESMAN_CONFIG_H
#include "arch.h"
#include "list.h"


@ -29,7 +29,7 @@
#endif
#include "arch.h"
#include "auth.h"
#include "sesman_auth.h"
#include "log.h"
#include "os_calls.h"
#include "string_calls.h"


@ -29,7 +29,7 @@
#endif
#include "arch.h"
#include "auth.h"
#include "sesman_auth.h"
#define _XOPEN_SOURCE
#include <stdio.h>


@ -29,7 +29,7 @@
#endif
#include "arch.h"
#include "auth.h"
#include "sesman_auth.h"
#include "os_calls.h"
#include "string_calls.h"
#include "log.h"


@ -32,7 +32,7 @@
#include "os_calls.h"
#include "log.h"
#include "string_calls.h"
#include "auth.h"
#include "sesman_auth.h"
#include <stdio.h>
#include <security/pam_appl.h>


@ -32,7 +32,7 @@
#include "os_calls.h"
#include "log.h"
#include "string_calls.h"
#include "auth.h"
#include "sesman_auth.h"
#include <security/pam_userpass.h>