

diff -Naurdp ../openssh/auth.c ./auth.c
--- ../openssh/auth.c	2005-09-28 16:11:01.000000000 -0700
+++ ./auth.c	2005-09-28 16:21:03.000000000 -0700
@@ -36,6 +37,10 @@ RCSID("$OpenBSD: auth.c,v 1.60 2005/06/1
 #include <libgen.h>
 #endif
 
+#ifdef __APPLE_SACL__
+#include <membershipPriv.h>
+#endif
+
 #include "xmalloc.h"
 #include "match.h"
 #include "groupaccess.h"
@@ -216,6 +221,46 @@ allowed_user(struct passwd * pw)
 		ga_free();
 	}
 
+ 	if( options.sacl_support )
+ 	{
+ #ifdef __APPLE_SACL__
+ 		/*
+ 	 	* Here we check with memberd if the Service ACLs allow this user to
+ 	 	* use the ssh service.
+ 	 	*/
+ 
+ 		debug("Checking with Service ACLs for ssh login restrictions");
+ 
+ 		uuid_t user_uuid;
+ 		int isMember = 0;
+ 		int mbrErr = 0;
+ 	
+ 		// get the uuid
+ 		if ( mbr_user_name_to_uuid(pw->pw_name, user_uuid) )
+ 		{
+ 			debug("call to mbr_user_name_to_uuid with <%s> failed to retrieve user_uuid", pw->pw_name);
+ 			return 0;
+ 		}	
+ 		debug("call to mbr_user_name_to_uuid with <%s> suceeded to retrieve user_uuid", pw->pw_name);
+ 	
+ 		// check the sacl
+ 		if((mbrErr = mbr_check_service_membership(user_uuid, "ssh", &isMember)))
+ 		{
+ 			debug("Called mbr_check_service_membership with isMember <%d> with status <%d>", isMember, mbrErr);
+ 			if(mbrErr == ENOENT)	// no ACL exists
+ 			{
+ 				return 1;	
+ 			} else {
+ 				return 0;
+ 			}
+ 		}
+ 		debug("Call to mbr_check_service_membership failed with status <%d>", mbrErr);
+ 		return isMember;
+ #endif /* __APPLE_SACL__ */
+ 	}
+
+
+
 #ifdef CUSTOM_SYS_AUTH_ALLOWED_USER
 	if (!sys_auth_allowed_user(pw, &loginmsg))
 		return 0;
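Review bot: The early `return 1;` on ENOENT and the final `return isMember;` leave allowed_user before the CUSTOM_SYS_AUTH_ALLOWED_USER check that follows the hunk, so a passing or absent SACL check skips the remaining deny-checks instead of adding to them. Only deny early and fall through otherwise: replace the ENOENT branch with `if (mbrErr != ENOENT) return 0;` (no ACL configured means "not restricted", nothing more) and replace `return isMember;` with `if (!isMember) return 0;`. The debug call after the membership check reads "failed with status" although it is only reached when mbrErr is 0; reword it to `debug("mbr_check_service_membership returned isMember <%d>", isMember);`. The `if( options.sacl_support )` sits outside the `#ifdef __APPLE_SACL__`, so on a build without that macro a configured SACLSupport silently does nothing, which is worth either guarding the whole `if` or reporting with a `debug("SACLSupport requested but not compiled in")` inside an `#else` branch. allowed_user begins and ends outside this hunk, so the fall-through path after the block is inferred from the CUSTOM_SYS_AUTH_ALLOWED_USER lines visible here.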
diff -Naurdp ../openssh/servconf.c ./servconf.c
--- ../openssh/servconf.c	2005-09-28 16:11:01.000000000 -0700
+++ ./servconf.c	2005-09-28 16:21:10.000000000 -0700
@@ -80,6 +80,7 @@ initialize_server_options(ServerOptions 
 	options->permit_empty_passwd = -1;
 	options->permit_user_env = -1;
 	options->use_login = -1;
+	options->sacl_support = -1;
 	options->compression = -1;
 	options->allow_tcp_forwarding = -1;
 	options->num_allow_users = 0;
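Review bot: `sacl_support` is initialised to the -1 sentinel here, but no hunk in this patch resolves it in fill_default_server_options, and the auth.c hunk tests it with a plain `if( options.sacl_support )`, so the unset value -1 is truthy and the SACL check runs whenever the option is absent from sshd_config. If the intended default is yes (which the commented `#SACLSupport yes` line in the sshd_config hunk suggests), make that explicit with `if (options->sacl_support == -1) options->sacl_support = 1;` in fill_default_server_options, mirroring how the neighbouring flags are defaulted; if the intended default is no, set 0 and the sshd_config comment should say so. initialize_server_options continues outside the hunk.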
@@ -275,6 +276,7 @@ typedef enum {
 	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
 	sGssAuthentication, sGssKeyEx, sGssCleanupCreds, sAcceptEnv,
 	sUsePrivilegeSeparation,
+	sSACLSupport,
 	sDeprecated, sUnsupported
 } ServerOpCodes;
 
@@ -377,6 +379,7 @@ static struct {
 	{ "authorizedkeysfile", sAuthorizedKeysFile },
 	{ "authorizedkeysfile2", sAuthorizedKeysFile2 },
 	{ "useprivilegeseparation", sUsePrivilegeSeparation},
+	{ "saclsupport", sSACLSupport },
 	{ "acceptenv", sAcceptEnv },
 	{ NULL, sBadOption }
 };
@@ -718,6 +721,10 @@ parse_flag:
 		charptr = &options->xauth_location;
 		goto parse_filename;
 
+	case sSACLSupport:
+		intptr = &options->sacl_support;
+		goto parse_flag;
+
 	case sStrictModes:
 		intptr = &options->strict_modes;
 		goto parse_flag;
diff -Naurdp ../openssh/servconf.h ./servconf.h
--- ../openssh/servconf.h	2005-09-28 16:11:01.000000000 -0700
+++ ./servconf.h	2005-09-28 16:20:38.000000000 -0700
@@ -135,6 +135,7 @@ typedef struct {
 	char   *authorized_keys_file;	/* File containing public keys */
 	char   *authorized_keys_file2;
 	int	use_pam;		/* Enable auth via PAM */
+	int	sacl_support;		/* Enable use of SACLs */
 }       ServerOptions;
 
 void	 initialize_server_options(ServerOptions *);
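Review bot: The field comment `/* Enable use of SACLs */` does not say what the check does or that the flag has no effect unless sshd is built with __APPLE_SACL__, which the auth.c hunk shows by wrapping the memberd calls in that macro. Suggest `int	sacl_support;		/* Consult Service ACLs via memberd before allowing login; only effective when built with __APPLE_SACL__ */`.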
diff -Naurdp ../openssh/sshd_config ./sshd_config
--- ../openssh/sshd_config	2005-09-28 16:11:01.000000000 -0700
+++ ./sshd_config	2005-09-28 16:20:38.000000000 -0700
@@ -56,6 +56,9 @@
 #PasswordAuthentication yes
 #PermitEmptyPasswords no
 
+# SACL options
+#SACLSupport yes
+
 # Change to no to disable s/key passwords
 #ChallengeResponseAuthentication yes