summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--libiohelp/Makefile6
-rw-r--r--libiohelp/iouser-restrict.c83
2 files changed, 86 insertions, 3 deletions
diff --git a/libiohelp/Makefile b/libiohelp/Makefile
index d2680665..54fb4343 100644
--- a/libiohelp/Makefile
+++ b/libiohelp/Makefile
@@ -1,5 +1,5 @@
#
-# Copyright (C) 1993, 94, 95, 96, 98 Free Software Foundation, Inc.
+# Copyright (C) 1993,94,95,96,98,2002 Free Software Foundation, Inc.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
@@ -20,8 +20,8 @@ makemode := library
SRCS = get_conch.c handle_io_get_conch.c handle_io_release_conch.c \
initialize_conch.c verify_user_conch.c iouser-create.c \
- iouser-dup.c iouser-reauth.c iouser-free.c shared.c \
- return-buffer.c
+ iouser-dup.c iouser-reauth.c iouser-free.c iouser-restrict.c \
+ shared.c return-buffer.c
OBJS = $(SRCS:.c=.o)
LCLHDRS = iohelp.h
HURDLIBS = threads
diff --git a/libiohelp/iouser-restrict.c b/libiohelp/iouser-restrict.c
new file mode 100644
index 00000000..853820ea
--- /dev/null
+++ b/libiohelp/iouser-restrict.c
@@ -0,0 +1,83 @@
+/* iohelp_restrict_iouser -- helper for io_restrict_auth implementations
+ Copyright (C) 2002 Free Software Foundation
+
+ This program is free software; you can redistribute it and/or
+ modify it under the terms of the GNU General Public License as
+ published by the Free Software Foundation; either version 2, or (at
+ your option) any later version.
+
+ This program is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */
+
+#include "iohelp.h"
+
+/* Tell if the array LIST (of size N) contains a member equal to QUERY. */
+static inline int
+listmember (const uid_t *list, int query, int n)
+{
+ int i;
+ for (i = 0; i < n; i++)
+ if (list[i] == query)
+ return 1;
+ return 0;
+}
+
+error_t
+iohelp_restrict_iouser (struct iouser **new_user,
+ const struct iouser *old_user,
+ const uid_t *uids, int nuids,
+ const gid_t *gids, int ngids)
+{
+ if (idvec_contains (old_user->uids, 0))
+ /* OLD_USER has root access, and so may use any ids. */
+ return iohelp_create_complex_iouser (new_user, uids, nuids, gids, ngids);
+ else
+ {
+ struct idvec *uvec, *gvec;
+ int i;
+ error_t err;
+
+ uvec = make_idvec ();
+ if (! uvec)
+ return ENOMEM;
+
+ gvec = make_idvec ();
+ if (! gvec)
+ {
+ idvec_free (uvec);
+ return ENOMEM;
+ }
+
+ /* Otherwise, use any of the requested ids that OLD_USER already has. */
+ for (i = 0; i < old_user->uids->num; i++)
+ if (listmember (uids, old_user->uids->ids[i], nuids))
+ {
+ err = idvec_add (uvec, old_user->uids->ids[i]);
+ if (err)
+ goto out;
+ }
+ for (i = 0; i < old_user->gids->num; i++)
+ if (listmember (gids, old_user->gids->ids[i], ngids))
+ {
+ err = idvec_add (gvec, old_user->gids->ids[i]);
+ if (err)
+ goto out;
+ }
+
+ err = iohelp_create_iouser (new_user, uvec, gvec);
+
+ if (err)
+ {
+ out:
+ idvec_free (uvec);
+ idvec_free (gvec);
+ }
+ return err;
+ }
+}