ref: e5de0d457a42bd4f6e90f3b95a735b51330cc1b2
dir: /sys/src/cmd/auth/asaudit.c/
#include <u.h>
#include <libc.h>
#include <bio.h>
#include <authsrv.h>
#include <ndb.h>
int havenvram;
Nvrsafe nvr;
char eve[128];
Ndb *db;
void
geteve(void)
{
int fd;
fd = open("#c/hostowner", OREAD);
if(fd < 0) sysfatal("open: %r");
memset(eve, 0, sizeof(eve));
if(read(fd, eve, sizeof(eve)-1) < 0) sysfatal("read: %r");
close(fd);
if(strcmp(getuser(), eve) != 0) print("hostowner is %#q, but running as %#q\n", eve, getuser());
}
void
ndb(void)
{
db = ndbopen(nil);
if(db == nil){
print("ndbopen: %r\n");
return;
}
}
void
nvram(void)
{
char *auth;
if(readnvram(&nvr, 0) < 0){
print("readnvram: %r\n");
return;
}
havenvram = 1;
print("found nvram key for user '%s@%s'\n", nvr.authid, nvr.authdom);
if(strcmp(eve, nvr.authid) != 0) print("nvram authid doesn't match hostowner %#q\n", eve);
if(db != nil){
auth = ndbgetvalue(db, nil, "authdom", nvr.authdom, "auth", nil);
if(auth == nil) print("authdom %#q not found in ndb\n", nvr.authdom);
else{
print("ndb says authdom %#q corresponds to auth server %#q\n", nvr.authdom, auth);
free(auth);
}
}
}
void
keyfs(void)
{
char *buf;
int fd;
char aes[AESKEYLEN];
if(!havenvram) return;
if(access("/adm/keys", AREAD) < 0){
print("no access to /adm/keys\n");
return;
}
print("starting keyfs\n");
rfork(RFNAMEG);
switch(fork()){
case -1:
sysfatal("fork: %r");
case 0:
if(execl("/bin/auth/keyfs", "auth/keyfs", "-r", nil) < 0)
sysfatal("execl: %r");
}
waitpid();
buf = smprint("/mnt/keys/%s/aeskey", nvr.authid);
fd = open(buf, OREAD);
if(fd < 0){
print("can't get key from keyfs: %r\n");
return;
}
werrstr("short read");
if(read(fd, aes, sizeof(aes)) < sizeof(aes)){
print("read: %r\n");
close(fd);
return;
}
if(memcmp(nvr.aesmachkey, aes, AESKEYLEN) != 0)
print("key in keyfs does not match nvram\n");
else
print("key in keyfs matches nvram\n");
close(fd);
}
void
main()
{
quotefmtinstall();
geteve();
ndb();
nvram();
keyfs();
}