Skip to content

Commit

Permalink
Update logging in sesman access control
Browse files Browse the repository at this point in the history 
Improve the built-in access checks for sesman/sesexec:-
- Group existence is checked for at login-time rather than program
  start time
- The name of the group is now included in the message

Also, check for UID == 0 when checking for root, rather than just
checking the name (which might be an alias)
  • Loading branch information
@matt335672
matt335672 committed Oct 5, 2023
1 parent 5837dea commit cf5c271
Show file tree
Hide file tree
Showing 3 changed files with 143 additions and 90 deletions.
164 changes: 120 additions & 44 deletions sesman/libsesman/sesman_access.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -28,82 +28,158 @@
#include <config_ac.h>
#endif

#include <stdio.h>

#include "arch.h"

#include "sesman_access.h"
#include "sesman_config.h"
#include "log.h"
#include "os_calls.h"
#include "string_calls.h"

/******************************************************************************/
int
access_login_allowed(const struct config_security *cfg_sec, const char *user)
/**
* Root user login check
*
* @param cfg_sec Sesman security config
* @param user user name
* @return 0 if user is root and root accesses are not allowed
*/
static int
root_login_check(const struct config_security *cfg_sec,
const char *user)
{
int rv = 0;
if (cfg_sec->allow_root)
{
rv = 1;
}
else
{
// Check the UID of the user isn't 0
int uid;
if (g_getuser_info_by_name(user, &uid, NULL, NULL, NULL, NULL) != 0)
{
LOG(LOG_LEVEL_ERROR, "Can't get UID for user %s", user);
}
else if (0 == uid)
{
LOG(LOG_LEVEL_ERROR,
"ROOT login attempted, but root login is disabled");
}
else
{
rv = 1;
}
}
return rv;
}

/******************************************************************************/
/**
* Common access control for group checks
* @param group Group name
* @param param Where group comes from (e.g. "TerminalServerUsers")
* @param always_check_group 0 if a missing group allows a login
* @param user Username
* @return != 0 if the access is allowed */

static int
access_login_allowed_common(const char *group, const char *param,
int always_check_group,
const char *user)
{
int rv = 0;
int gid;
int ok;

if ((0 == g_strncmp(user, "root", 5)) && (0 == cfg_sec->allow_root))
if (group == NULL || group[0] == '\0')
{
LOG(LOG_LEVEL_WARNING,
"ROOT login attempted, but root login is disabled");
return 0;
/* Group is not defined. Default access depends on whether
* we must have the group or not */
if (always_check_group)
{
LOG(LOG_LEVEL_ERROR,
"%s group is not defined. Access denied for %s",
param, user);
}
else
{
LOG(LOG_LEVEL_INFO,
"%s group is not defined. Access granted for %s",
param, user);
rv = 1;
}
}

if ((0 == cfg_sec->ts_users_enable) && (0 == cfg_sec->ts_always_group_check))
else if (g_getgroup_info(group, &gid) != 0)
{
LOG(LOG_LEVEL_INFO, "Terminal Server Users group is disabled, allowing authentication");
return 1;
/* Group is defined but doesn't exist. Default access depends
* on whether we must have the group or not */
if (always_check_group)
{
LOG(LOG_LEVEL_ERROR,
"%s group %s doesn't exist. Access denied for %s",
param, group, user);
}
else
{
LOG(LOG_LEVEL_INFO,
"%s group %s doesn't exist. Access granted for %s",
param, group, user);
rv = 1;
}
}

if (0 != g_check_user_in_group(user, cfg_sec->ts_users, &ok))
else if (0 != g_check_user_in_group(user, gid, &ok))
{
LOG(LOG_LEVEL_ERROR, "Cannot read group info! - login denied");
return 0;
LOG(LOG_LEVEL_ERROR, "Error checking %s group %s. "
"Access denied for %s", param, group, user);
}

if (ok)
else if (!ok)
{
return 1;
LOG(LOG_LEVEL_ERROR, "User %s is not in %s group %s. Access denied",
user, param, group);
}
else
{
LOG(LOG_LEVEL_INFO, "User %s is in %s group %s. Access granted",
user, param, group);
rv = 1;
}

LOG(LOG_LEVEL_INFO, "login denied for user %s", user);

return 0;
return rv;
}

/******************************************************************************/
int
access_login_mng_allowed(const struct config_security *cfg_sec,
const char *user)
access_login_allowed(const struct config_security *cfg_sec, const char *user)
{
int ok;
int rv = 0;

if ((0 == g_strncmp(user, "root", 5)) && (0 == cfg_sec->allow_root))
if (root_login_check(cfg_sec, user))
{
LOG(LOG_LEVEL_WARNING,
"[MNG] ROOT login attempted, but root login is disabled");
return 0;
rv = access_login_allowed_common(cfg_sec->ts_users,
"TerminalServerUsers",
cfg_sec->ts_always_group_check,
user);
}

if (0 == cfg_sec->ts_admins_enable)
{
LOG(LOG_LEVEL_INFO, "[MNG] Terminal Server Admin group is disabled, "
"allowing authentication");
return 1;
}
return rv;
}

if (0 != g_check_user_in_group(user, cfg_sec->ts_admins, &ok))
{
LOG(LOG_LEVEL_ERROR, "[MNG] Cannot read group info! - login denied");
return 0;
}
/******************************************************************************/
int
access_login_mng_allowed(const struct config_security *cfg_sec,
const char *user)
{
int rv = 0;

if (ok)
if (root_login_check(cfg_sec, user))
{
return 1;
rv = access_login_allowed_common(cfg_sec->ts_admins,
"TerminalServerAdmins",
1,
user);
}

LOG(LOG_LEVEL_INFO, "[MNG] login denied for user %s", user);

return 0;
return rv;
}
63 changes: 21 additions & 42 deletions sesman/libsesman/sesman_config.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -297,58 +297,55 @@ config_read_security(int file, struct config_security *sc,
struct list *param_v)
{
int i;
int gid;
char *buf;
const char *buf;
const char *value;

list_clear(param_v);
list_clear(param_n);

/* setting defaults */
sc->allow_root = 0;
sc->login_retry = 3;
sc->ts_users_enable = 0;
sc->ts_admins_enable = 0;
sc->restrict_outbound_clipboard = 0;
sc->restrict_inbound_clipboard = 0;
sc->allow_alternate_shell = 1;
sc->xorg_no_new_privileges = 1;
sc->ts_users = g_strdup("");
sc->ts_admins = g_strdup("");

file_read_section(file, SESMAN_CFG_SECURITY, param_n, param_v);

for (i = 0; i < param_n->count; i++)
{
buf = (char *)list_get_item(param_n, i);
buf = (const char *)list_get_item(param_n, i);
value = (const char *)list_get_item(param_v, i);

if (0 == g_strcasecmp(buf, SESMAN_CFG_SEC_ALLOW_ROOT))
{
sc->allow_root = g_text2bool((char *)list_get_item(param_v, i));
sc->allow_root = g_text2bool(value);
}

if (0 == g_strcasecmp(buf, SESMAN_CFG_SEC_LOGIN_RETRY))
{
sc->login_retry = g_atoi((char *)list_get_item(param_v, i));
sc->login_retry = g_atoi(value);
}

if (0 == g_strcasecmp(buf, SESMAN_CFG_SEC_USR_GROUP))
{
if (g_getgroup_info((char *)list_get_item(param_v, i), &gid) == 0)
{
sc->ts_users_enable = 1;
sc->ts_users = gid;
}
g_free(sc->ts_users);
sc->ts_users = NULL;
sc->ts_users = g_strdup(value);
}

if (0 == g_strcasecmp(buf, SESMAN_CFG_SEC_ADM_GROUP))
{
if (g_getgroup_info((char *)list_get_item(param_v, i), &gid) == 0)
{
sc->ts_admins_enable = 1;
sc->ts_admins = gid;
}
g_free(sc->ts_admins);
sc->ts_admins = NULL;
sc->ts_admins = g_strdup(value);
}
if (0 == g_strcasecmp(buf, SESMAN_CFG_SEC_ALWAYSGROUPCHECK))
{
sc->ts_always_group_check = g_text2bool((char *)list_get_item(param_v, i));
sc->ts_always_group_check = g_text2bool(value);
}

if (0 == g_strcasecmp(buf, SESMAN_CFG_SEC_RESTRICT_OUTBOUND_CLIPBOARD))
Expand Down Expand Up @@ -382,13 +379,13 @@ config_read_security(int file, struct config_security *sc,
if (0 == g_strcasecmp(buf, SESMAN_CFG_SEC_ALLOW_ALTERNATE_SHELL))
{
sc->allow_alternate_shell =
g_text2bool((char *)list_get_item(param_v, i));
g_text2bool(value);
}

if (0 == g_strcasecmp(buf, SESMAN_CFG_SEC_XORG_NO_NEW_PRIVILEGES))
{
sc->xorg_no_new_privileges =
g_text2bool((char *)list_get_item(param_v, i));
g_text2bool(value);
}
}

Expand Down Expand Up @@ -687,28 +684,8 @@ config_dump(struct config_sesman *config)
restrict_s, sizeof(restrict_s));

g_writeln(" RestrictInboundClipboard: %s", restrict_s);

g_printf( " TSUsersGroup: ");
if (sc->ts_users_enable)
{
g_printf("%d", sc->ts_users);
}
else
{
g_printf("(not defined)");
}
g_writeln("%s", "");

g_printf( " TSAdminsGroup: ");
if (sc->ts_admins_enable)
{
g_printf("%d", sc->ts_admins);
}
else
{
g_printf("(not defined)");
}
g_writeln("%s", "");
g_writeln(" TSUsersGroup: %s", sc->ts_users);
g_writeln(" TSAdminsGroup: %s", sc->ts_admins);


/* Xorg */
Expand Down Expand Up @@ -764,6 +741,8 @@ config_free(struct config_sesman *cs)
list_delete(cs->xorg_params);
list_delete(cs->env_names);
list_delete(cs->env_values);
g_free(cs->sec.ts_users);
g_free(cs->sec.ts_admins);
g_free(cs);
}
}
6 changes: 2 additions & 4 deletions sesman/libsesman/sesman_config.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -70,14 +70,12 @@ struct config_security
* @var ts_users
* @brief Terminal Server Users group
*/
int ts_users_enable;
int ts_users;
char *ts_users;
/**
* @var ts_admins
* @brief Terminal Server Administrators group
*/
int ts_admins_enable;
int ts_admins;
char *ts_admins;
/**
* @var ts_always_group_check
* @brief if the Groups are not found deny access
Expand Down

0 comments on commit cf5c271

Please sign in to comment.