module for SecureWare systems

lance@fox.com
Thu, 7 Jul 94 14:51:02 PDT

I took Guido's advice and instead of modifying posixmodule.c
and all the other modules I did to support the SecureWare environment
under SCO ODT (higher levels of security), I created a
secureware module.

I have completed (partially) a working version. There is one
modification to config.c.in that needs to me made and I will
include the diffs for that.

In the Setup file I have a line similar to:

secureware securewaremodule.o -lprot_s -lcrypt_d

You might have to change these if you are running on a different
system...

The secureware module supports the following functions:

setluid() - set the LUID or return secureware.error
getluid() - get the LUID for this process, returns intobject
bigcrypt() - this is needed to encrypt passwords longer than
8 chars, it returns a clipped password for the
system length to compare with results of getpwnam()
bigcryptmax() - same as bigcrypt() but does not clip.
getpwnam() - returns TCB entries for user name
getpwuid() - returns TCB entries for user id
getpwall() - returns TCB entries for ALL users on system

here is the diffs for config.c.in:

*** config.c.in~ Wed Mar 2 03:32:04 1994
--- config.c.in Thu Jul 7 12:46:40 1994
***************
*** 48,53 ****
--- 48,65 ----

static char *argv0;

+ /* These are made available for other modules that might need them.
+ This is rare, but I had to add it to support the secureware module */
+ static char **orig_argv;
+ static int orig_argc;
+ getargcargv(argc,argv)
+ int *argc;
+ char ***argv;
+ {
+ *argc = orig_argc;
+ *argv = orig_argv;
+ }
+
main(argc, argv)
int argc;
char **argv;
***************
*** 55,60 ****
--- 67,74 ----
#ifdef macintosh
wargs(&argc, &argv);
#endif
+ orig_argc = argc;
+ orig_argv = argv;
argv0 = argv[0];
realmain(argc, argv);
}

Here is the securewaremodule.c file...

/***********************************************************
Copyright 1991, 1992, 1993, 1994 by Stichting Mathematisch Centrum,
Amsterdam, The Netherlands.

All Rights Reserved

Permission to use, copy, modify, and distribute this software and its
documentation for any purpose and without fee is hereby granted,
provided that the above copyright notice appear in all copies and that
both that copyright notice and this permission notice appear in
supporting documentation, and that the names of Stichting Mathematisch
Centrum or CWI not be used in advertising or publicity pertaining to
distribution of the software without specific, written prior permission.

STICHTING MATHEMATISCH CENTRUM DISCLAIMS ALL WARRANTIES WITH REGARD TO
THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS, IN NO EVENT SHALL STICHTING MATHEMATISCH CENTRUM BE LIABLE
FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

******************************************************************/

/* secureware module */

#include "allobjects.h"
#include "modsupport.h"

#define SecureWare
#include <sys/types.h>
#include <sys/security.h>
#include <sys/audit.h>
#include <prot.h>

#ifdef M_UNIX
/* SCO does not supply one without -lx */
/* nap() is not normally defined in SCO ODT... so this
defines it WITHOUT having to link to -lx since that will
break other things */
long nap(secs)
long secs;
{
return syscall(0x0c28,secs);
}
#endif

static object *SecureWareError;
static object *
secureware_error()
{
return err_errno(SecureWareError);
}

static object *
secureware_getluid(self, args)
object *self;
object *args;
{
if (!getnoarg(args))
return NULL;
return newintobject((long)getluid());
}

static object *
secureware_setluid(self, args)
object *self;
object *args;
{
int uid;
if (!getargs(args, "i", &uid))
return NULL;
if (setluid(uid) < 0)
return secureware_error();
INCREF(None);
return None;
}

static object *
secureware_bigcrypt(self, args)
object *self;
object *args;
{
char *cleartext;
char *tmptext;
char *salt;
int len;
object *rtn;

if (!getargs(args,"(s#s);cleartext, salt", &cleartext, &len, &salt))
return NULL;
tmptext = malloc(len+1);
strncpy(tmptext,cleartext,len);
tmptext[len] = '\0';
rtn = newstringobject(bigcrypt(tmptext,salt));
free(tmptext);
return rtn;
}

static object *
secureware_bigcryptmax(self, args)
object *self;
object *args;
{
char *cleartext;
char *tmptext;
char *salt;
int len;
object *rtn;

if (!getargs(args,"(s#s);cleartext, salt", &cleartext, &len, &salt))
return NULL;
tmptext = malloc(len+1);
strncpy(tmptext,cleartext,len);
tmptext[len] = '\0';
rtn = newstringobject(bigcryptmax(tmptext,salt));
free(tmptext);
return rtn;
}

static struct auth_types {
int mask_val;
char *str_val;
} auth_table[] = {
(1<<AUTH_ROOT_TYPE), "root",
(1<<AUTH_OPER_TYPE), "system operator",
(1<<AUTH_SSO_TYPE), "security officer",
(1<<AUTH_ADMIN_TYPE), "system administrator",
(1<<AUTH_PSEUDO_TYPE), "pseudo-user",
(1<<AUTH_GENERAL_TYPE),"general user",
(1<<AUTH_RETIRED_TYPE),"retired",
0,NULL
};

static char *
get_auth_type(array)
mask_t array[];
{
struct auth_types *p = auth_table;

for (;p->mask_val != 0;p++) {
if (p->mask_val == array[0])
return p->str_val;
}
return "*INVALID AUTHORIZATION TYPE*";
}

static object *mkpwent(pr_pw)
struct pr_passwd *pr_pw;
{
return mkvalue("(sOsssO)",
(pr_pw->uflg.fg_name?
pr_pw->ufld.fd_name:
NULL),
(pr_pw->uflg.fg_uid?
newintobject((long)pr_pw->ufld.fd_uid):
None),
(pr_pw->uflg.fg_encrypt?
pr_pw->ufld.fd_encrypt:
NULL),
(pr_pw->uflg.fg_type?
get_auth_type(pr_pw->ufld.fd_type):
NULL),
(pr_pw->uflg.fg_owner?
pr_pw->ufld.fd_owner:
NULL),
(pr_pw->uflg.fg_nice?
newintobject((long)pr_pw->ufld.fd_nice):
None)
);
}

static object *secureware_getpwuid(self, args)
object *self, *args;
{
int uid;
struct pr_passwd *pr_pw;
if (!getintarg(args, &uid))
return NULL;
if ((pr_pw = getprpwuid(uid)) == NULL) {
err_setstr(KeyError, "getpwuid(): uid not found");
return NULL;
}
return mkpwent(pr_pw);
}

static object *secureware_getpwnam(self, args)
object *self, *args;
{
char *name;
struct pr_passwd *pr_pw;
if (!getstrarg(args, &name))
return NULL;
if ((pr_pw = getprpwnam(name)) == NULL) {
err_setstr(KeyError, "getpwnam(): name not found");
return NULL;
}
return mkpwent(pr_pw);
}

static object *secureware_getpwall(self, args)
object *self, *args;
{
object *d;
struct pr_passwd *pr_pw;
if (!getnoarg(args))
return NULL;
if ((d = newlistobject(0)) == NULL)
return NULL;
setprpwent();
while ((pr_pw = getprpwent()) != NULL) {
object *v = mkpwent(pr_pw);
if (v == NULL || addlistitem(d, v) != 0) {
XDECREF(v);
DECREF(d);
return NULL;
}
}
return d;
}

/* List of functions defined in the module */

static struct methodlist secureware_methods[] = {
{"getluid", secureware_getluid},
{"setluid", secureware_setluid},
{"bigcrypt", secureware_bigcrypt},
{"bigcryptmax", secureware_bigcryptmax},
{"getpwuid", secureware_getpwuid},
{"getpwnam", secureware_getpwnam},
{"getpwall", secureware_getpwall},
{NULL, NULL} /* sentinel */
};

/* Initialization function for the module (*must* be called initsecureware) */

void
initsecureware()
{
object *m, *d, *x;
int argc;
char **argv;
mode_t cmask = umask(0);
umask(cmask);

/* Create the module and add the functions */
m = initmodule("secureware", secureware_methods);

/* Add some symbolic constants to the module */
d = getmoduledict(m);
SecureWareError = newstringobject("secureware.error");
dictinsert(d, "error", SecureWareError);

/* Check for errors */
if (err_occurred())
fatal("can't initialize module secureware");

getargcargv(&argc,&argv);
set_auth_parameters(argc,argv);
umask(cmask); /* Set things back.. set_auth_parameters() sets to 077 */
}

--
Lance Ellinghouse                lance@fox.com