1 #, $in{'mode'} == 1 Functions for parsing the various RBAC configuration files
3 BEGIN { push(@INC, ".."); };
6 %access = &get_module_acl();
8 ####################### functions for users #######################
11 # Returns a list of user attribute objects
14 if (!scalar(@list_user_attrs_cache)) {
15 @list_user_attrs_cache = ( );
17 open(ATTR, $config{'user_attr'});
21 local @w = split(/:/, $_, -1);
23 local $attr = { 'user' => $w[0],
29 'index' => scalar(@list_user_attrs_cache) };
31 foreach $a (split(/;/, $w[4])) {
32 local ($an, $av) = split(/=/, $a, 2);
33 $attr->{'attr'}->{$an} = $av;
35 push(@list_user_attrs_cache, $attr);
41 return \@list_user_attrs_cache;
44 # create_user_attr(&attr)
45 # Add a new user attribute
49 &list_user_attrs(); # init cache
50 local $lref = &read_file_lines($config{'user_attr'});
51 $attr->{'line'} = scalar(@$lref);
52 push(@$lref, &user_attr_line($attr));
53 $attr->{'index'} = scalar(@list_user_attrs_cache);
54 push(@list_user_attrs_cache, $attr);
58 # modify_user_attr(&attr)
59 # Updates an existing user attribute in the config file
63 local $lref = &read_file_lines($config{'user_attr'});
64 $lref->[$attr->{'line'}] = &user_attr_line($attr);
68 # delete_user_attr(&attr)
69 # Removes one user attribute entry
73 local $lref = &read_file_lines($config{'user_attr'});
74 splice(@$lref, $attr->{'line'}, 1);
75 splice(@list_user_attrs_cache, $attr->{'index'}, 1);
77 foreach $c (@list_user_attrs_cache) {
78 $c->{'line'}-- if ($c->{'line'} > $attr->{'line'});
79 $c->{'index'}-- if ($c->{'index'} > $attr->{'index'});
84 # user_attr_line(&attr)
85 # Returns the text for a user attribute line
89 local $rv = $attr->{'user'}.":".$attr->{'qualifier'}.":".$attr->{'res1'}.":".
91 $rv .= join(";", map { $_."=".$attr->{'attr'}->{$_} }
92 keys %{$attr->{'attr'}});
96 # attr_input(name, value, [type], [acl-restrict])
97 # Returns HTML for selecting one or more user attrs
100 local ($name, $value, $type, $restrict) = @_;
101 local @values = split(/,+/, $value);
102 local $users = &list_user_attrs();
104 foreach $u (@$users) {
105 local $utype = $u->{'attr'}->{'type'} || "normal";
106 if ((!$type || $utype eq $type) &&
107 (!$restrict || &can_assign_role($u))) {
108 push(@sel, [ $u->{'user'} ]);
112 return &ui_select($name, \@values, \@sel, 5, 1, 1);
115 return $text{'attr_none'.$type};
120 # Returns a comma-separated list of values from an attrs field
123 return join(",", split(/\0/, $in{$_[0]}));
126 # all_recursive_roles(username)
127 # Returns all roles and sub-roles for some user
128 sub all_recursive_roles
130 local $users = &list_user_attrs();
131 local ($user) = grep { $_->{'user'} eq $_[0] } @$users;
133 foreach $r (split(/,/, $user->{'attr'}->{'roles'})) {
134 push(@rv, $r, &all_recursive_roles($r));
139 ####################### functions for profiles #######################
142 # Returns a list of all profiles
145 if (!scalar(@list_prof_attrs_cache)) {
146 @list_prof_attrs_cache = ( );
148 open(ATTR, $config{'prof_attr'});
152 local @w = split(/:/, $_, -1);
154 local $attr = { 'name' => $w[0],
160 'index' => scalar(@list_prof_attrs_cache) };
162 foreach $a (split(/;/, $w[4])) {
163 local ($an, $av) = split(/=/, $a, 2);
164 $attr->{'attr'}->{$an} = $av;
166 push(@list_prof_attrs_cache, $attr);
173 return \@list_prof_attrs_cache;
176 # create_prof_attr(&attr)
181 &list_prof_attrs(); # init cache
182 local $lref = &read_file_lines($config{'prof_attr'});
183 $attr->{'line'} = scalar(@$lref);
184 push(@$lref, &prof_attr_line($attr));
185 $attr->{'index'} = scalar(@list_prof_attrs_cache);
186 push(@list_prof_attrs_cache, $attr);
190 # modify_prof_attr(&attr)
191 # Updates an existing profile in the config file
195 local $lref = &read_file_lines($config{'prof_attr'});
196 $lref->[$attr->{'line'}] = &prof_attr_line($attr);
200 # delete_prof_attr(&attr)
201 # Removes one profile
205 local $lref = &read_file_lines($config{'prof_attr'});
206 splice(@$lref, $attr->{'line'}, 1);
207 splice(@list_prof_attrs_cache, $attr->{'index'}, 1);
209 foreach $c (@list_prof_attrs_cache) {
210 $c->{'line'}-- if ($c->{'line'} > $attr->{'line'});
211 $c->{'index'}-- if ($c->{'index'} > $attr->{'index'});
216 # prof_attr_line(&attr)
217 # Returns the text for a prof attribute line
221 local $rv = $attr->{'name'}.":".$attr->{'res1'}.":".$attr->{'res2'}.":".
223 $rv .= join(";", map { $_."=".$attr->{'attr'}->{$_} }
224 keys %{$attr->{'attr'}});
228 # profiles_input(name, comma-sep-value, acl-restrict)
229 # Returns HTML for a field for selecting multiple profiles
232 local ($name, $value, $restrict) = @_;
233 local @values = split(/,/, $value);
234 local $profs = &list_prof_attrs();
235 local @canprofs = $restrict ? grep { &can_assign_profile($_) } @$profs
238 return &ui_select($name, \@values,
239 [ map { [ $_->{'name'}, "$_->{'name'} ($_->{'desc'})" ] }
240 sort { $a->{'name'} cmp $b->{'name'} }
241 @canprofs ], 10, 1, 1);
244 return $text{'prof_none'};
248 # profiles_parse(name)
249 # Returns a comma-separated list of values from a profiles field
252 return join(",", split(/\0/, $in{$_[0]}));
255 # all_recursive_profs(username|profilename)
256 # Returns all profiles and sub-profiles for some user
257 sub all_recursive_profs
259 local $users = &list_user_attrs();
260 local ($user) = grep { $_->{'user'} eq $_[0] } @$users;
261 local $profs = &list_prof_attrs();
262 local ($prof) = grep { $_->{'name'} eq $_[0] } @$profs;
265 # Return all profiles from roles, direct profiles and sub-profiles
266 foreach $r (split(/,/, $user->{'attr'}->{'roles'})) {
267 push(@rv, &all_recursive_profs($r));
269 foreach $r (split(/,/, $user->{'attr'}->{'profiles'})) {
270 push(@rv, $r, &all_recursive_profs($r));
274 # Return all sub-profiles
275 foreach $r (split(/,/, $prof->{'attr'}->{'profs'})) {
276 push(@rv, &all_recursive_profs($r));
282 ####################### functions for authorizations #######################
285 # Returns a user of all authorizations
288 if (!scalar(@list_auth_attrs_cache)) {
289 @list_auth_attrs_cache = ( );
291 open(ATTR, $config{'auth_attr'});
295 local @w = split(/:/, $_, -1);
297 local $attr = { 'name' => $w[0],
304 'index' => scalar(@list_auth_attrs_cache) };
306 foreach $a (split(/;/, $w[5])) {
307 local ($an, $av) = split(/=/, $a, 2);
308 $attr->{'attr'}->{$an} = $av;
310 push(@list_auth_attrs_cache, $attr);
317 return \@list_auth_attrs_cache;
320 # create_auth_attr(&attr)
321 # Add a new authorization
325 &list_auth_attrs(); # init cache
326 local $lref = &read_file_lines($config{'auth_attr'});
327 $attr->{'line'} = scalar(@$lref);
328 push(@$lref, &auth_attr_line($attr));
329 $attr->{'index'} = scalar(@list_auth_attrs_cache);
330 push(@list_auth_attrs_cache, $attr);
334 # modify_auth_attr(&attr)
335 # Updates an existing authorization in the config file
339 local $lref = &read_file_lines($config{'auth_attr'});
340 $lref->[$attr->{'line'}] = &auth_attr_line($attr);
344 # delete_auth_attr(&attr)
345 # Removes one authorization
349 local $lref = &read_file_lines($config{'auth_attr'});
350 splice(@$lref, $attr->{'line'}, 1);
351 splice(@list_auth_attrs_cache, $attr->{'index'}, 1);
353 foreach $c (@list_auth_attrs_cache) {
354 $c->{'line'}-- if ($c->{'line'} > $attr->{'line'});
355 $c->{'index'}-- if ($c->{'index'} > $attr->{'index'});
360 # auth_attr_line(&attr)
361 # Returns the text for a auth attribute line
365 local $rv = $attr->{'name'}.":".$attr->{'res1'}.":".$attr->{'res2'}.":".
366 $attr->{'short'}.":".$attr->{'desc'}.":";
367 $rv .= join(";", map { $_."=".$attr->{'attr'}->{$_} }
368 keys %{$attr->{'attr'}});
372 # auths_input(name, value)
373 # Returns HTML for a text area for entering and choosing authorizations
376 local ($name, $value) = @_;
377 return "<table cellpadding=0 cellspacing=0><tr><td>".
378 &ui_textarea($name, join("\n", split(/,/, $value)), 3, 50).
379 "</td><td valign=top> ".
380 &auth_chooser($name).
381 "</td></tr></table>";
384 # auth_chooser(field)
385 # Returns HTML for a button that pops up an authorization chooser window
388 return "<input type=button onClick='ifield = form.$_[0]; chooser = window.open(\"auth_chooser.cgi\", \"chooser\", \"toolbar=no,menubar=no,scrollbars=yes,width=500,height=400\"); chooser.ifield = ifield; window.ifield = ifield' value=\"...\">\n";
392 # Returns a comma-separated list of auths
395 local @auths = split(/[\r\n]+/, $in{$_[0]});
397 foreach $a (@auths) {
398 $a =~ /^\S+$/ || &error(&text('user_eauth', $a));
400 return join(",", @auths);
403 ####################### functions for exec attributes #######################
406 # Returns a user of all execorizations
409 if (!scalar(@list_exec_attrs_cache)) {
410 @list_exec_attrs_cache = ( );
412 open(ATTR, $config{'exec_attr'});
416 local @w = split(/:/, $_, -1);
418 local $attr = { 'name' => $w[0],
425 'index' => scalar(@list_exec_attrs_cache) };
427 foreach $a (split(/;/, $w[6])) {
428 local ($an, $av) = split(/=/, $a, 2);
429 $attr->{'attr'}->{$an} = $av;
431 push(@list_exec_attrs_cache, $attr);
438 return \@list_exec_attrs_cache;
441 # create_exec_attr(&attr)
442 # Add a new execorization
446 &list_exec_attrs(); # init cache
447 local $lref = &read_file_lines($config{'exec_attr'});
448 $attr->{'line'} = scalar(@$lref);
449 push(@$lref, &exec_attr_line($attr));
450 $attr->{'index'} = scalar(@list_exec_attrs_cache);
451 push(@list_exec_attrs_cache, $attr);
455 # modify_exec_attr(&attr)
456 # Updates an existing execorization in the config file
460 local $lref = &read_file_lines($config{'exec_attr'});
461 $lref->[$attr->{'line'}] = &exec_attr_line($attr);
465 # delete_exec_attr(&attr)
466 # Removes one execorization
470 local $lref = &read_file_lines($config{'exec_attr'});
471 splice(@$lref, $attr->{'line'}, 1);
472 splice(@list_exec_attrs_cache, $attr->{'index'}, 1);
474 foreach $c (@list_exec_attrs_cache) {
475 $c->{'line'}-- if ($c->{'line'} > $attr->{'line'});
476 $c->{'index'}-- if ($c->{'index'} > $attr->{'index'});
481 # exec_attr_line(&attr)
482 # Returns the text for a exec attribute line
486 local $rv = $attr->{'name'}.":".$attr->{'policy'}.":".$attr->{'cmd'}.":".
487 $attr->{'res1'}.":".$attr->{'res2'}.":".$attr->{'id'}.":";
488 $rv .= join(";", map { $_."=".$attr->{'attr'}->{$_} }
489 keys %{$attr->{'attr'}});
493 ####################### policy.conf functions #######################
495 # get_policy_config()
496 # Returns a list of policy config file directives
497 sub get_policy_config
499 if (!scalar(@policy_conf_cache)) {
500 @policy_conf_cache = ( );
502 open(ATTR, $config{'policy_conf'});
506 if (/^\s*(#*)\s*([^= ]+)\s*=\s*(\S.*)$/) {
507 local $pol = { 'name' => $2,
511 'index' => scalar(@policy_conf_cache) };
512 push(@policy_conf_cache, $pol);
519 return \@policy_conf_cache;
522 # find_policy(name, &conf, [enabled])
525 local ($name, $conf, $ena) = @_;
526 local ($rv) = grep { lc($_->{'name'}) eq lc($name) &&
528 defined($ena) && $ena == $_->{'enabled'}) } @$conf;
532 # find_policy_value(name, &conf);
533 sub find_policy_value
535 local ($name, $conf) = @_;
536 local $rv = &find_policy($name, $conf, 1);
537 return $rv ? $rv->{'value'} : undef;
540 # save_policy(&conf, name, [value])
541 # Update or delete an entry in policy.conf
544 local ($conf, $name, $value) = @_;
545 local $old = &find_policy($name, $conf);
546 local $lref = &read_file_lines($config{'policy_conf'});
547 if (!$old && $value) {
549 push(@$lref, "$name=$value");
550 push(@$conf, { 'name' => $name,
552 'index' => scalar(@$conf),
553 'line' => scalar(@$lref) - 1 });
555 elsif ($old && $value) {
556 # Need to update (and perhaps comment in)
557 $old->{'value'} = $value;
558 $old->{'enabled'} = 1;
559 $lref->[$old->{'line'}] = "$name=$value";
561 elsif ($old && $old->{'enabled'} && !$value) {
562 # Need to comment out
563 $old->{'enabled'} = 0;
564 $lref->[$old->{'line'}] = "#$name=$old->{'value'}";
568 ####################### functions for projects #######################
571 # Returns a list of project objects
574 if (!scalar(@list_projects_cache)) {
575 @list_projects_cache = ( );
577 open(ATTR, $config{'project'});
581 local @w = split(/:/, $_, -1);
583 local $attr = { 'name' => $w[0],
590 'index' => scalar(@list_projects_cache) };
592 foreach $a (split(/;/, $w[5])) {
593 local ($an, $av) = split(/=/, $a, 2);
594 $attr->{'attr'}->{$an} = $av;
596 push(@list_projects_cache, $attr);
602 return \@list_projects_cache;
605 # create_project(&attr)
610 &list_projects(); # init cache
611 local $lref = &read_file_lines($config{'project'});
612 $attr->{'line'} = scalar(@$lref);
613 push(@$lref, &project_line($attr));
614 $attr->{'index'} = scalar(@list_projects_cache);
615 push(@list_projects_cache, $attr);
619 # modify_project(&attr)
620 # Updates an existing project in the config file
624 local $lref = &read_file_lines($config{'project'});
625 $lref->[$attr->{'line'}] = &project_line($attr);
629 # delete_project(&attr)
630 # Removes one project entry
634 local $lref = &read_file_lines($config{'project'});
635 splice(@$lref, $attr->{'line'}, 1);
636 splice(@list_projects_cache, $attr->{'index'}, 1);
638 foreach $c (@list_projects_cache) {
639 $c->{'line'}-- if ($c->{'line'} > $attr->{'line'});
640 $c->{'index'}-- if ($c->{'index'} > $attr->{'index'});
645 # project_line(&attr)
646 # Returns the text for a project file line
650 local $rv = $attr->{'name'}.":".$attr->{'id'}.":".$attr->{'desc'}.":".
651 $attr->{'users'}.":".$attr->{'groups'}.":";
652 $rv .= join(";", map { defined($attr->{'attr'}->{$_}) ?
653 $_."=".$attr->{'attr'}->{$_} : $_ }
654 keys %{$attr->{'attr'}});
658 # project_input(name, value)
659 # Returns HTML for selecting one project
662 local ($name, $value) = @_;
663 local $projects = &list_projects();
664 return &ui_select($name, $value,
665 [ map { [ $_->{'name'},
666 $_->{'name'}.($_->{'desc'} ? " ($_->{'desc'})"
667 : "") ] } @$projects ],
668 0, 0, $value ? 1 : 0);
671 # project_members_input(name, comma-separated-members)
672 # Returns HTML for selecting users or groups in a project. These may be all,
673 # none, all except or only some
674 sub project_members_input
676 local ($name, $users) = @_;
677 local @users = split(/,/, $users);
678 local %users = map { $_, 1 } @users;
679 local (@canusers, @cannotuser, $mode);
680 if ($users{'*'} && @users == 1) {
683 elsif (@users == 0 || $users{'!*'} && @users == 1) {
686 elsif ($users{'*'}) {
689 @cannotusers = map { /^\!(.*)/; $1 } grep { /^\!/ } @users[1..$#users];
691 elsif ($users{'!*'}) {
694 @canusers = grep { !/^\!/ } @users[1..$#users];
701 local $cb = $name =~ /user/ ? \&user_chooser_button : \&group_chooser_button;
702 return &ui_radio($name."_mode", $mode,
703 [ [ 0, $text{'projects_all'.$name} ],
704 [ 1, $text{'projects_none'.$name}."<br>" ],
705 [ 2, &text('projects_only'.$name,
706 &ui_textbox($name."_can", join(" ", @canusers), 40)." ".
707 &$cb($name."_can", 1))."<br>" ],
708 [ 3, &text('projects_except'.$name,
709 &ui_textbox($name."_cannot", join(" ", @cannotusers), 40)." ".
710 &$cb($name."_cannot", 1)) ]
714 # parse_project_members(name)
715 sub parse_project_members
718 if ($in{$name."_mode"} == 0) {
721 elsif ($in{$name."_mode"} == 1) {
724 elsif ($in{$name."_mode"} == 2) {
725 $in{$name."_can"} || &error($text{'project_e'.$name.'can'});
726 return join(",", split(/\s+/, $in{$name."_can"}));
728 elsif ($in{$name."_mode"} == 3) {
729 $in{$name."_cannot"} || &error($text{'project_e'.$name.'cannot'});
730 return join(",", "*", map { "!$_" } split(/\s+/, $in{$name."_cannot"}));
734 ####################### miscellaneous functions #######################
736 # nice_comma_list(comma-separated-value)
737 # Nicely formats and shortens a comma-separated string
740 local @l = split(/,/, $_[0]);
742 return join(" , ", @l[0..1], "...");
745 return join(" , ", @l);
749 # rbac_help_file(&object)
752 local $hf = $config{$_[0]->{'type'}.'_help_dir'}."/$_[0]->{'attr'}->{'help'}";
753 return -r $hf && !-d $hf ? $hf : undef;
756 # rbac_help_link(&object, desc)
759 local $hf = &rbac_help_file($_[0]);
760 local $rv = "<table cellpadding=0 cellspacing=0 width=100%><tr><td>$_[1]</td>";
763 $rv .= "<td align=right><a onClick='window.open(\"rbac_help.cgi?help=$hf\", \"help\", \"toolbar=no,menubar=no,scrollbars=yes,width=400,height=300,resizable=yes\"); return false' href=\"rbac_help.cgi?help=$hf\"><img src=images/help.gif border=0></a></td>";
765 $rv .= "</tr></table>";
769 # rbac_config_files()
770 # Returns a list of all config files managed by this module
771 sub rbac_config_files
773 return map { $config{$_} } ('user_attr', 'prof_attr', 'auth_attr',
774 'exec_attr', 'policy_conf', 'project');
777 # missing_rbac_config_file()
778 # Returns the path to any missing config file
779 sub missing_rbac_config_file
781 foreach $c (&rbac_config_files()) {
782 return $c if (!-r $c);
788 # Lock all config files used by RBAC
792 foreach $c (&rbac_config_files()) {
797 # unlock_rbac_files()
798 # Unlock all config files used by RBAC
799 sub unlock_rbac_files
802 foreach $c (&rbac_config_files()) {
807 # list_crypt_algorithms()
808 # Returns 1 list of all encryption algorithms, including the internal __unix__
809 sub list_crypt_algorithms
811 if (!scalar(@list_crypt_algorithms_cache)) {
812 push(@list_crypt_algorithms_cache, { 'name' => '__unix__' } );
814 open(CRYPT, $config{'crypt_conf'});
818 if (/^\s*(\S+)\s+(\S+)/) {
819 push(@list_crypt_algorithms_cache,
823 'index' => scalar(@list_crypt_algorithms_cache) });
829 return \@list_crypt_algorithms_cache;
832 # crypt_algorithms_input(name, value, multiple)
833 # Returns HTML for selecting one or many crypt algorithms
834 sub crypt_algorithms_input
836 local ($name, $value, $multiple) = @_;
837 local @values = split(/,/, $value);
838 local $crypts = &list_crypt_algorithms();
839 return &ui_select($name, \@values,
840 [ map { [ $_->{'name'}, $text{'crypt_'.$_->{'name'}} ] }
841 @$crypts ], $multiple ? scalar(@$crypts) : undef,
845 # can_edit_user(&user)
846 # Returns 1 if some user can be edited
850 return 0 if ($user->{'attr'}->{'type'} eq 'role' && !$access{'roles'});
851 return 0 if ($user->{'attr'}->{'type'} ne 'role' && !$access{'users'});
855 # can_assign_role(&role|rolename)
856 # Returns 1 if some role can be assigned
860 local $rolename = ref($role) ? $role->{'user'} : $role;
861 if ($access{'roleassign'} eq '*') {
866 if ($access{'roleassign'} eq 'x') {
867 # Work out Webmin user's roles
868 @canroles = &all_recursive_roles($remote_user);
871 @canroles = split(/,/, $access{'roleassign'});
873 return &indexof($rolename, @canroles) != -1;
877 # can_assign_profile(&profile|profilename)
878 # Returns 1 if some profile can be assigned
879 sub can_assign_profile
882 local $profname = ref($prof) ? $prof->{'name'} : $prof;
883 if ($access{'profassign'} eq '*') {
888 if ($access{'profassign'} eq 'x') {
889 # Work out Webmin user's profs
890 @canprofs = &all_recursive_profs($remote_user);
893 @canprofs = split(/,/, $access{'profassign'});
895 return &indexof($profname, @canprofs) != -1;
900 # Returns a list of possible resource control names
904 open(RCTL, "rctladm -l |");
906 if (/^(\S+)\s+(\S+)=(\S+)/) {
914 # list_rctl_signals()
915 # Returns a list of allowed signals for rctl actions
916 sub list_rctl_signals
918 return ( [ "SIGABRT", "Abort the process" ],
919 [ "SIGHUP", "Send a hangup signal" ],
920 [ "SIGTERM", "Terminate the process" ],
921 [ "SIGKILL", "Kill the process" ],
922 [ "SIGSTOP", "Stop the process" ],
923 [ "SIGXRES", "Resource control limit exceeded" ],
924 [ "SIGXFSZ", "File size limit exceeded" ],
925 [ "SIGXCPU", "CPU time limit exceeded" ] );
928 # list_resource_controls(type, id)
929 # Returns a list of resource controls for some project, zone or process
930 sub list_resource_controls
932 local ($type, $id) = @_;
933 &open_execute_command(PRCTL,
934 "prctl -i ".quotemeta($type)." ".quotemeta($id), 1);
938 next if (/^NAME/); # skip header
940 # Start of a new resource
943 elsif (/^\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)/ && $res) {
944 # A limit within a resource
945 push(@rv, { 'res' => $res,
948 'flag' => $3 eq "-" ? undef : $3,