3 * aklog auth plugin, Taken from rot13 with guidance from NullAuthPlugin
4 * Copyright (c) 2010 Your File System Inc. All rights reserved.
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR
16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
17 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
18 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
19 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
20 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31 #include <sys/kauth.h>
33 #include <Security/AuthorizationTags.h>
34 #include <Security/AuthorizationPlugin.h>
35 #include <DirectoryService/DirectoryService.h>
/* Per-plugin state. The member visible here is the callback table supplied by the host. */
37 typedef struct PluginRef
39 const AuthorizationCallbacks
*callbacks
;
/*
 * Per-mechanism state: a back-pointer to the owning plugin and the engine
 * handle used for host callbacks. Other functions in this file also use a
 * mechanismArg member; its declaration is not visible in this listing.
 */
42 typedef struct MechanismRef
44 const PluginRef
*plugin
;
45 AuthorizationEngineRef engine
;
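/*
 * Obtain AFS tokens by running /usr/bin/aklog, optionally for a single cell.
 *
 * The first draft used aklog source inline. In an rxgk
 * universe, that code should be encapsulated in a library
 * we call. In this version we simply fork aklog.
 * This function should be replaced with calls to a "libaklog"
 *
 * cell:    cell name to pass to aklog, or NULL / "" to run aklog with no
 *          argument.
 * returns: the value returned by system(), or errAuthorizationInternal when
 *          the cell name is refused or the command line cannot be built.
 *
 * system() hands the string to /bin/sh, so the cell name is restricted to
 * letters, digits, '.', '-' and '_' and may not start with '-'. That keeps
 * shell metacharacters and aklog option syntax out of the command line.
 * This is a tightening: names outside that set used to be passed through
 * and are now refused.
 * NOTE(review): spawning aklog with an explicit argv and a fixed environment
 * would remove the shell from this path entirely; that needs headers this
 * block cannot add.
 */
static OSStatus
do_aklog(char *cell)
{
    char *aklogCmd = NULL;
    const char *p;
    OSStatus status;

    /* No cell requested: let aklog pick its default. */
    if (cell == NULL || *cell == '\0')
        return system("/usr/bin/aklog");

    /* A leading '-' would be parsed by aklog as an option, not a cell. */
    if (*cell == '-')
        return errAuthorizationInternal;

    for (p = cell; *p != '\0'; p++) {
        if (!((*p >= 'a' && *p <= 'z') || (*p >= 'A' && *p <= 'Z') ||
              (*p >= '0' && *p <= '9') ||
              *p == '.' || *p == '-' || *p == '_'))
            return errAuthorizationInternal;
    }

    if (asprintf(&aklogCmd, "/usr/bin/aklog %s", cell) < 0)
        return errAuthorizationInternal;

    status = system(aklogCmd);
    /* asprintf() allocated the command string; release it on every path. */
    free(aklogCmd);
    return status;
}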
/*
 * Run aklog under the identity of the user being authorized.
 *
 * Reads two values from the authorization context through GetContextValue
 * (the second is kDS1AttrPrimaryGroupID), converts them to uid/gid with
 * atoi(), switches the calling thread to that identity with
 * pthread_setugid_np(), calls do_aklog(mechanism->mechanismArg), reverts the
 * thread identity, and reports kAuthorizationResultAllow through SetResult.
 * mechanismArg ends up on a command line that do_aklog passes to system().
 *
 * Return paths for errAuthorizationSuccess and errAuthorizationInternal both
 * exist; the conditions that select between them are not visible in this
 * listing.
 */
71 static OSStatus
invokeAklog(MechanismRef
*mechanism
)
73 AuthorizationContextFlags contextFlags
;
74 const AuthorizationValue
*value
;
79 /* a list of context values appears in the Null sample plugin */
80 status
= mechanism
->plugin
->callbacks
->GetContextValue(mechanism
->engine
,
85 /* This and the group are strings. I don't know why. */
/*
 * NOTE(review): atoi() cannot signal a parse failure; an empty or
 * non-numeric string yields 0, which as a uid is root. Confirm that
 * value->data is NUL-terminated and numeric before it is trusted (a strtol
 * parse with an end-pointer check would make that explicit). The same
 * applies to the gid conversion below.
 */
87 uid
= atoi(value
->data
);
91 status
= mechanism
->plugin
->callbacks
->GetContextValue(mechanism
->engine
,
92 kDS1AttrPrimaryGroupID
,
96 gid
= atoi(value
->data
);
/*
 * Switch this thread to the target uid/gid so that aklog runs as the user.
 * NOTE(review): the check on this status is not visible here; do_aklog
 * should not run if the switch failed, otherwise aklog would run with the
 * plugin host's own identity. Confirm.
 */
100 /* in a PAGless universe, this trick works */
101 status
= pthread_setugid_np(uid
, gid
);
103 status
= do_aklog(mechanism
->mechanismArg
);
/*
 * Drop the assumed identity again. The return value is discarded here.
 * NOTE(review): a failed revert would leave this thread with the user's
 * identity; consider checking it.
 */
104 pthread_setugid_np(KAUTH_UID_NONE
, KAUTH_GID_NONE
);
110 mechanism
->plugin
->callbacks
->SetResult(mechanism
->engine
,
111 kAuthorizationResultAllow
);
114 return errAuthorizationSuccess
;
117 return errAuthorizationInternal
;
/*
 * Plugin teardown hook. The visible text casts the opaque plugin reference
 * back to PluginRef; the rest of the body is not visible in this listing.
 */
120 static OSStatus
pluginDestroy(AuthorizationPluginRef inPlugin
)
122 /* seems to not be called. can't do cleanup? */
123 PluginRef
*plugin
= (PluginRef
*)inPlugin
;
/*
 * Allocate the per-mechanism state: a zeroed MechanismRef that records the
 * owning plugin and the engine handle, plus a strdup() copy of mechanismId
 * kept in mechanismArg. The new object is returned through *outMechanism.
 * invokeAklog later hands mechanismArg to do_aklog, which places it on the
 * aklog command line.
 */
128 static OSStatus
mechanismCreate(AuthorizationPluginRef inPlugin
,
129 AuthorizationEngineRef inEngine
,
130 AuthorizationMechanismId mechanismId
,
131 AuthorizationMechanismRef
*outMechanism
)
133 const PluginRef
*plugin
= (const PluginRef
*)inPlugin
;
/* NOTE(review): no NULL check on calloc() is visible before the first dereference; confirm one exists. */
135 MechanismRef
*mechanism
= calloc(1, sizeof(MechanismRef
));
137 mechanism
->plugin
= plugin
;
138 mechanism
->engine
= inEngine
;
140 * consider supporting a variant which backgrounds aklog and returns
141 * success where tokens are desired but not critical.
/*
 * NOTE(review): strdup() can return NULL, and no check is visible here.
 * mechanismId presumably comes from the host's mechanism configuration;
 * since it reaches a shell command line, validating it here is worthwhile.
 */
143 mechanism
->mechanismArg
= strdup(mechanismId
);
145 *outMechanism
= mechanism
;
/*
 * Host callback that runs the mechanism. Casts the opaque reference back to
 * MechanismRef and calls invokeAklog(); one return path yields
 * errAuthorizationInternal, the other returns the result of
 * SetResult(kAuthorizationResultAllow).
 *
 * NOTE(review): the test on status between the two returns is not visible
 * in this listing. Presumably a failed invokeAklog() yields
 * errAuthorizationInternal, which makes token acquisition mandatory for the
 * authorization to proceed; confirm that is intended.
 * invokeAklog() also calls SetResult(kAuthorizationResultAllow) itself, so
 * the call here looks redundant.
 */
151 static OSStatus
mechanismInvoke(AuthorizationMechanismRef inMechanism
)
153 MechanismRef
*mechanism
= (MechanismRef
*)inMechanism
;
156 status
= invokeAklog(mechanism
);
158 return errAuthorizationInternal
;
161 return mechanism
->plugin
->callbacks
->SetResult(mechanism
->engine
, kAuthorizationResultAllow
);
166 * Since an authorization result is provided within invoke, we don't have to
167 * cancel a long(er) term operation that might have been spawned.
168 * A timeout could be done here.
170 static OSStatus
mechanismDeactivate(AuthorizationMechanismRef inMechanism
)
/*
 * Release per-mechanism state. The visible text frees mechanismArg, the
 * strdup() copy made in mechanismCreate. Freeing the MechanismRef itself is
 * not visible in this listing; confirm it happens.
 */
176 static OSStatus
mechanismDestroy(AuthorizationMechanismRef inMechanism
)
178 MechanismRef
*mechanism
= (MechanismRef
*)inMechanism
;
179 free(mechanism
->mechanismArg
);
186 AuthorizationPluginInterface pluginInterface
=
188 kAuthorizationPluginInterfaceVersion
, /* UInt32 version; */
198 * Entry point for all plugins. Plugin and the host loading it exchange interfaces.
199 * Normally you'd allocate resources shared amongst all mechanisms here.
200 * When a plugin is created it may not necessarily be used, so be conservative
/*
 * Stores the host's callback table in a zeroed PluginRef, returns that
 * object through *outPlugin, and publishes the file-level pluginInterface
 * table through *outPluginInterface.
 */
202 OSStatus
AuthorizationPluginCreate(const AuthorizationCallbacks
*callbacks
,
203 AuthorizationPluginRef
*outPlugin
,
204 const AuthorizationPluginInterface
**outPluginInterface
)
/* NOTE(review): no NULL check on calloc() is visible before plugin->callbacks is written; confirm one exists. */
206 PluginRef
*plugin
= calloc(1, sizeof(PluginRef
));
208 plugin
->callbacks
= callbacks
;
209 *outPlugin
= (AuthorizationPluginRef
) plugin
;
210 *outPluginInterface
= &pluginInterface
;