diff options
| author | Dmitri Pal <dpal@redhat.com> | 2010-04-02 20:08:14 -0400 |
|---|---|---|
| committer | Stephen Gallagher <sgallagh@redhat.com> | 2010-04-14 12:15:54 -0400 |
| commit | bf7247298136660f512bd1a96f68be1487f425b6 (patch) | |
| tree | a5d6acc3bf8ce45d77fbddedfbaf7048335b02b9 /common/ini/ini_config.h | |
| parent | 693c44378b5a7b457b31f343730880dee8f271f3 (diff) | |
| download | sssd-bf7247298136660f512bd1a96f68be1487f425b6.tar.gz sssd-bf7247298136660f512bd1a96f68be1487f425b6.tar.xz sssd-bf7247298136660f512bd1a96f68be1487f425b6.zip | |
Acess control and config change checks
1) Fixed the issue that metadata was saved
as numbers. Was supposed to be saved as strings.
2) Added two functions. One is to check permissions
on the config file. Another to check if the file
has changed and thus the cinfiguration needs
to be reread.
3) Added unit test will sample code
and comments how to use the functions.
4) Added doxygen description in the comments.
5) Fixed couple typos and ommisions here and there.
[INI] Fixing crash detected on 64-bit system
This patch corrects original code to be
more on the safe side and check parameters
before using.
Instead of dereferencing metadata it is now
passed as reference to the next level.
It is not used there yet so no other new changes
needed so far.
[INI] Addressing review comments
[INI] Addressing comments.
Diffstat (limited to 'common/ini/ini_config.h')
| -rw-r--r-- | common/ini/ini_config.h | 114 |
1 files changed, 113 insertions, 1 deletions
diff --git a/common/ini/ini_config.h b/common/ini/ini_config.h index c0f82d0f1..a5fd4a932 100644 --- a/common/ini/ini_config.h +++ b/common/ini/ini_config.h @@ -264,6 +264,42 @@ */ /** + * @defgroup accesscheck Access control check flags + * + * @{ + */ + +/** + * @brief Validate access mode + * + * If this flag is specified the mode parameter + * will be matched against the permissions set on the file + * using the provided mask. + */ +#define INI_ACCESS_CHECK_MODE 0x00000001 + +/** + * @brief Validate uid + * + * Provided uid will be checked against uid + * of the file. + */ +#define INI_ACCESS_CHECK_UID 0x00000002 + +/** + * @brief Validate gid + * + * Provided gid will be checked against gid + * of the file. + */ +#define INI_ACCESS_CHECK_GID 0x00000004 + +/** + * @} + */ + + +/** * @} */ @@ -485,6 +521,7 @@ const char *parsing_error_str(int parsing_error); * * @return 0 - Success. * @return EINVAL - Invalid parameter. + * @return EMOMEM - No memory. * @return Any error returned by fopen(). * */ @@ -516,6 +553,7 @@ int config_from_file(const char *application, * detected during parsing. * * @return 0 - Success. + * @return EMOMEM - No memory. * @return EINVAL - Invalid parameter. * */ @@ -567,6 +605,7 @@ int config_from_fd(const char *application, * * @return 0 - Success. * @return EINVAL - Invalid parameter. + * @return EMOMEM - No memory. * @return Any error returned by fopen(). * * @@ -622,6 +661,7 @@ int config_from_file_with_metadata( * * @return 0 - Success. * @return EINVAL - Invalid parameter. + * @return EMOMEM - No memory. * */ int config_from_fd_with_metadata( @@ -660,6 +700,7 @@ int config_from_fd_with_metadata( * * @return 0 - Success. * @return EINVAL - Invalid parameter. + * @return EMOMEM - No memory. * @return Any error returned by fopen(). */ int config_for_app(const char *application, @@ -715,6 +756,7 @@ int config_for_app(const char *application, * * @return 0 - Success. * @return EINVAL - Invalid parameter. + * @return EMOMEM - No memory. * @return Any error returned by fopen(). */ int config_for_app_with_metadata( @@ -727,6 +769,76 @@ int config_for_app_with_metadata( uint32_t metaflags, struct collection_item **meta_default, struct collection_item **meta_appini); + + +/** + * + * @brief Function to check ownership and permissions + * + * The function allow caller to make decision + * if the configuration file is from a trusted source + * or not. + * + * The flags control how to perform check. + * See \ref accesscheck "Access control check flags" + * section for more information. + * + * @param[in] metadata Meta data object. + * Can't be NULL. + * @param[in] flags How and what to check. + * Must be nonzero. + * @param[in] uid UID to check. + * @param[in] gid GID to check. + * @param[in] mode Mode to check. + * Only permission bits + * are used. + * @param[in] mask Which mode bits to check. + * If 0 all permision bits + * are checked. + * + * @return 0 - Success. + * @return EINVAL - Invalid parameter. + * @return EACCESS - File properties do not match provided + * access parameters. + */ +int config_access_check(struct collection_item *metadata, + uint32_t flags, + uid_t uid, + gid_t gid, + mode_t mode, + mode_t mask); + + +/** + * @brief Function compares two meta data objects + * + * Function compares two meta data objects + * to determine whether the configuration + * has changed since last time the meta data + * was collected. + * The function checks three things about the + * file: + * - time stamp + * - device ID + * - i-node + * If any of those changes function will indicate + * that configuration changed. + * + * @param[in] metadata Recent meta data object. + * @param[in] saved_metadata Previously saved meta + * data object. + * @param[out] changed Will be set to a nonzero value + * if the configuration has changed. + * + * @return 0 - No internal error + * @return EINVAL - Invalid argument + * @return ENOENT - Expected value is missing + * @return ENOMEM - No memory + */ +int config_changed(struct collection_item *metadata, + struct collection_item *saved_metadata, + int *changed); + /** * @brief Function to free configuration object. * @@ -747,7 +859,7 @@ void free_ini_config_errors(struct collection_item *error_set); /** * @brief Function to free metadata. * - * @param[in] error_set Configuration meta data object. + * @param[in] metadata Configuration meta data object. * */ void free_ini_config_metadata(struct collection_item *metadata); |