This brings this structure one step closer to the struct auth_session_info.
A few SMB_ASSERT calls are added in some key places to ensure that
this pointer is initialised, to make tracing any bugs here easier in
future.
NOTE: Many of the users of this structure should be reviewed, as unix
and NT access checks are mixed in a way that should just be done using
the NT ACL. This patch has not changed this behaviour however.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
status = create_token_from_username(session_info,
session_info->unix_name,
session_info->guest,
- &session_info->utok.uid,
- &session_info->utok.gid,
+ &session_info->unix_token->uid,
+ &session_info->unix_token->gid,
&session_info->unix_name,
&session_info->security_token);
/* Convert the SIDs to gids. */
- session_info->utok.ngroups = 0;
- session_info->utok.groups = NULL;
+ session_info->unix_token->ngroups = 0;
+ session_info->unix_token->groups = NULL;
t = session_info->security_token;
continue;
}
if (!add_gid_to_array_unique(session_info, ids[i].id.gid,
- &session_info->utok.groups,
- &session_info->utok.ngroups)) {
+ &session_info->unix_token->groups,
+ &session_info->unix_token->ngroups)) {
return NT_STATUS_NO_MEMORY;
}
}
* the nt token.
*/
- uid_to_unix_users_sid(session_info->utok.uid, &tmp_sid);
+ uid_to_unix_users_sid(session_info->unix_token->uid, &tmp_sid);
add_sid_to_array_unique(session_info->security_token, &tmp_sid,
&session_info->security_token->sids,
&session_info->security_token->num_sids);
- for ( i=0; i<session_info->utok.ngroups; i++ ) {
- gid_to_unix_groups_sid(session_info->utok.groups[i], &tmp_sid);
+ for ( i=0; i<session_info->unix_token->ngroups; i++ ) {
+ gid_to_unix_groups_sid(session_info->unix_token->groups[i], &tmp_sid);
add_sid_to_array_unique(session_info->security_token, &tmp_sid,
&session_info->security_token->sids,
&session_info->security_token->num_sids);
security_token_debug(DBGC_AUTH, 10, session_info->security_token);
debug_unix_user_token(DBGC_AUTH, 10,
- session_info->utok.uid,
- session_info->utok.gid,
- session_info->utok.ngroups,
- session_info->utok.groups);
+ session_info->unix_token->uid,
+ session_info->unix_token->gid,
+ session_info->unix_token->ngroups,
+ session_info->unix_token->groups);
status = log_nt_token(session_info->security_token);
if (!NT_STATUS_IS_OK(status)) {
dst->guest = src->guest;
dst->system = src->system;
- dst->utok.uid = src->utok.uid;
- dst->utok.gid = src->utok.gid;
- dst->utok.ngroups = src->utok.ngroups;
- if (src->utok.ngroups != 0) {
+
+ /* This element must be provided to convert back to an auth_serversupplied_info */
+ SMB_ASSERT(src->unix_token);
+ dst->utok.uid = src->unix_token->uid;
+ dst->utok.gid = src->unix_token->gid;
+ dst->utok.ngroups = src->unix_token->ngroups;
+ if (src->unix_token->ngroups != 0) {
dst->utok.groups = (gid_t *)talloc_memdup(
- dst, src->utok.groups,
+ dst, src->unix_token->groups,
sizeof(gid_t)*dst->utok.ngroups);
} else {
dst->utok.groups = NULL;
dst->guest = src->guest;
dst->system = src->system;
- dst->utok.uid = src->utok.uid;
- dst->utok.gid = src->utok.gid;
- dst->utok.ngroups = src->utok.ngroups;
+
+ dst->unix_token = talloc(dst, struct security_unix_token);
+ if (!dst->unix_token) {
+ return NULL;
+ }
+
+ dst->unix_token->uid = src->utok.uid;
+ dst->unix_token->gid = src->utok.gid;
+ dst->unix_token->ngroups = src->utok.ngroups;
if (src->utok.ngroups != 0) {
- dst->utok.groups = (gid_t *)talloc_memdup(
- dst, src->utok.groups,
- sizeof(gid_t)*dst->utok.ngroups);
+ dst->unix_token->groups = (gid_t *)talloc_memdup(
+ dst->unix_token, src->utok.groups,
+ sizeof(gid_t)*dst->unix_token->ngroups);
} else {
- dst->utok.groups = NULL;
+ dst->unix_token->groups = NULL;
}
if (src->security_token) {
dst->guest = src->guest;
dst->system = src->system;
- dst->utok.uid = src->utok.uid;
- dst->utok.gid = src->utok.gid;
- dst->utok.ngroups = src->utok.ngroups;
- if (src->utok.ngroups != 0) {
- dst->utok.groups = (gid_t *)talloc_memdup(
- dst, src->utok.groups,
- sizeof(gid_t)*dst->utok.ngroups);
+
+ if (src->unix_token) {
+ dst->unix_token = talloc(dst, struct security_unix_token);
+ if (!dst->unix_token) {
+ return NULL;
+ }
+
+ dst->unix_token->uid = src->unix_token->uid;
+ dst->unix_token->gid = src->unix_token->gid;
+ dst->unix_token->ngroups = src->unix_token->ngroups;
+ if (src->unix_token->ngroups != 0) {
+ dst->unix_token->groups = (gid_t *)talloc_memdup(
+ dst->unix_token, src->unix_token->groups,
+ sizeof(gid_t)*dst->unix_token->ngroups);
+ } else {
+ dst->unix_token->groups = NULL;
+ }
} else {
- dst->utok.groups = NULL;
+ dst->unix_token = NULL;
}
if (src->security_token) {
talloc_set_destructor(result, auth3_session_info_dtor);
- /* Initialise the uid and gid values to something non-zero
- which may save us from giving away root access if there
- is a bug in allocating these fields. */
+ /* Initialise the unix_token to NULL which may save us from
+ giving away root access if there is a bug in allocating
+ these fields. */
- result->utok.uid = -1;
- result->utok.gid = -1;
+ result->unix_token = NULL;
return result;
}
bool guest;
bool system;
- struct security_unix_token utok;
+ struct security_unix_token *unix_token;
/* NT group information taken from the info3 structure */
afs_username = talloc_sub_advanced(ctx,
SNUM(conn), conn->session_info->unix_name,
- conn->connectpath, conn->session_info->utok.gid,
+ conn->connectpath, conn->session_info->unix_token->gid,
conn->session_info->sanitized_username,
pdb_get_domain(conn->session_info->sam_account),
afs_username);
char *standard_sub_conn(TALLOC_CTX *ctx, connection_struct *conn, const char *str)
{
+ /* Make clear that we require the optional unix_token in the source3 code */
+ SMB_ASSERT(conn->session_info->unix_token);
return talloc_sub_advanced(ctx,
lp_servicename(SNUM(conn)),
conn->session_info->unix_name,
conn->connectpath,
- conn->session_info->utok.gid,
+ conn->session_info->unix_token->gid,
get_smb_user_name(),
"",
str);
lp_servicename(SNUM(conn)),
conn->session_info->unix_name,
conn->connectpath,
- conn->session_info->utok.gid,
+ conn->session_info->unix_token->gid,
conn->session_info->sanitized_username,
conn->session_info->info3->base.domain.string,
targethost);
} else {
smb_fname->st.st_ex_mode = S_IRWXU;
}
- smb_fname->st.st_ex_uid = handle->conn->session_info->utok.uid;
- smb_fname->st.st_ex_gid = handle->conn->session_info->utok.gid;
+ smb_fname->st.st_ex_uid = handle->conn->session_info->unix_token->uid;
+ smb_fname->st.st_ex_gid = handle->conn->session_info->unix_token->gid;
}
return ret;
} else {
sbuf->st_ex_mode = S_IRWXU;
}
- sbuf->st_ex_uid = handle->conn->session_info->utok.uid;
- sbuf->st_ex_gid = handle->conn->session_info->utok.gid;
+ sbuf->st_ex_uid = handle->conn->session_info->unix_token->uid;
+ sbuf->st_ex_gid = handle->conn->session_info->unix_token->gid;
}
return ret;
}
lp_servicename(SNUM(conn)),
conn->session_info->unix_name,
conn->connectpath,
- conn->session_info->utok.gid,
+ conn->session_info->unix_token->gid,
conn->session_info->sanitized_username,
conn->session_info->info3->base.domain.string,
prefix);
repository = talloc_sub_advanced(NULL, lp_servicename(SNUM(conn)),
conn->session_info->unix_name,
conn->connectpath,
- conn->session_info->utok.gid,
+ conn->session_info->unix_token->gid,
conn->session_info->sanitized_username,
conn->session_info->info3->base.domain.string,
recycle_repository(handle));
/* Always allow root or SE_PRINT_OPERATROR to do anything */
- if (session_info->utok.uid == sec_initial_uid()
+ if (session_info->unix_token->uid == sec_initial_uid()
|| security_token_has_privilege(session_info->security_token, SEC_PRIV_PRINT_OPERATOR)) {
return True;
}
/* see if we need to try the printer admin list */
if (!NT_STATUS_IS_OK(status) &&
- (token_contains_name_in_list(uidtoname(session_info->utok.uid),
+ (token_contains_name_in_list(uidtoname(session_info->unix_token->uid),
session_info->info3->base.domain.string,
NULL, session_info->security_token,
lp_printer_admin(snum)))) {
sys_adminlog( LOG_ERR,
"Permission denied-- user not allowed to delete, \
pause, or resume print job. User name: %s. Printer name: %s.",
- uidtoname(server_info->utok.uid),
+ uidtoname(server_info->unix_token->uid),
lp_printername(snum) );
/* END_ADMIN_LOG */
sys_adminlog( LOG_ERR,
"Permission denied-- user not allowed to delete, \
pause, or resume print job. User name: %s. Printer name: %s.",
- uidtoname(server_info->utok.uid),
+ uidtoname(server_info->unix_token->uid),
lp_printername(snum) );
/* END_ADMIN_LOG */
sys_adminlog( LOG_ERR,
"Permission denied-- user not allowed to delete, \
pause, or resume print job. User name: %s. Printer name: %s.",
- uidtoname(server_info->utok.uid),
+ uidtoname(server_info->unix_token->uid),
lp_printername(snum) );
/* END_ADMIN_LOG */
return False;
fstrcpy(pjob.user, lp_printjob_username(snum));
standard_sub_advanced(sharename, server_info->sanitized_username,
- path, server_info->utok.gid,
+ path, server_info->unix_token->gid,
server_info->sanitized_username,
server_info->info3->base.domain.string,
pjob.user, sizeof(pjob.user)-1);
NTSTATUS status;
TALLOC_CTX *ctx = talloc_tos();
- if (p->session_info->utok.uid != sec_initial_uid()) {
+ if (p->session_info->unix_token->uid != sec_initial_uid()) {
DEBUG(10,("_dfs_add: uid != 0. Access denied.\n"));
return WERR_ACCESS_DENIED;
}
TALLOC_CTX *ctx = talloc_tos();
char *altpath = NULL;
- if (p->session_info->utok.uid != sec_initial_uid()) {
+ if (p->session_info->unix_token->uid != sec_initial_uid()) {
DEBUG(10,("_dfs_remove: uid != 0. Access denied.\n"));
return WERR_ACCESS_DENIED;
}
static bool is_priviledged_pipe(struct auth3_session_info *info) {
/* If the user is not root, or has the system token, fail */
- if ((info->utok.uid != sec_initial_uid()) &&
+ if ((info->unix_token->uid != sec_initial_uid()) &&
!security_token_is_system(info->security_token)) {
return false;
}
/* Work out max allowed. */
map_max_allowed_access(p->session_info->security_token,
- &p->session_info->utok,
+ p->session_info->unix_token,
&des_access);
/* map the generic bits to the lsa policy ones */
/* Work out max allowed. */
map_max_allowed_access(p->session_info->security_token,
- &p->session_info->utok,
+ p->session_info->unix_token,
&access_mask);
/* map the generic bits to the lsa account ones */
return NT_STATUS_ACCESS_DENIED;
}
- if (p->session_info->utok.uid != sec_initial_uid() &&
+ if (p->session_info->unix_token->uid != sec_initial_uid() &&
!nt_token_check_domain_rid(p->session_info->security_token, DOMAIN_RID_ADMINS)) {
return NT_STATUS_ACCESS_DENIED;
}
/* Work out max allowed. */
map_max_allowed_access(p->session_info->security_token,
- &p->session_info->utok,
+ p->session_info->unix_token,
&r->in.access_mask);
/* map the generic bits to the lsa policy ones */
/* Work out max allowed. */
map_max_allowed_access(p->session_info->security_token,
- &p->session_info->utok,
+ p->session_info->unix_token,
&r->in.access_mask);
/* map the generic bits to the lsa policy ones */
/* Work out max allowed. */
map_max_allowed_access(p->session_info->security_token,
- &p->session_info->utok,
+ p->session_info->unix_token,
&des_access);
/* map the generic bits to the lsa account ones */
/*check if access can be granted as requested by client. */
map_max_allowed_access(p->session_info->security_token,
- &p->session_info->utok,
+ p->session_info->unix_token,
&des_access);
make_samr_object_sd( p->mem_ctx, &psd, &sd_size, &dom_generic_mapping, NULL, 0 );
/* check if access can be granted as requested by client. */
map_max_allowed_access(p->session_info->security_token,
- &p->session_info->utok,
+ p->session_info->unix_token,
&des_access);
make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping, &sid, SAMR_USR_RIGHTS_WRITE_PW);
}
DEBUG(5, ("_samr_CreateUser2: %s can add this account : %s\n",
- uidtoname(p->session_info->utok.uid),
+ uidtoname(p->session_info->unix_token->uid),
can_add_account ? "True":"False" ));
if (!can_add_account) {
sid_compose(&sid, get_global_sam_sid(), *r->out.rid);
map_max_allowed_access(p->session_info->security_token,
- &p->session_info->utok,
+ p->session_info->unix_token,
&des_access);
make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &usr_generic_mapping,
user level access control on shares) --jerry */
map_max_allowed_access(p->session_info->security_token,
- &p->session_info->utok,
+ p->session_info->unix_token,
&des_access);
se_map_generic( &des_access, &sam_generic_mapping );
}
map_max_allowed_access(p->session_info->security_token,
- &p->session_info->utok,
+ p->session_info->unix_token,
&des_access);
make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0);
/*check if access can be granted as requested by client. */
map_max_allowed_access(p->session_info->security_token,
- &p->session_info->utok,
+ p->session_info->unix_token,
&des_access);
make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &ali_generic_mapping, NULL, 0);
/*check if access can be granted as requested by client. */
map_max_allowed_access(p->session_info->security_token,
- &p->session_info->utok,
+ p->session_info->unix_token,
&des_access);
make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &grp_generic_mapping, NULL, 0);
/* if the user is not root, doesn't have SE_PRINT_OPERATOR privilege,
and not a printer admin, then fail */
- if ((p->session_info->utok.uid != sec_initial_uid()) &&
+ if ((p->session_info->unix_token->uid != sec_initial_uid()) &&
!security_token_has_privilege(p->session_info->security_token, SEC_PRIV_PRINT_OPERATOR) &&
!nt_token_check_sid(&global_sid_Builtin_Print_Operators, p->session_info->security_token) &&
!token_contains_name_in_list(
- uidtoname(p->session_info->utok.uid),
+ uidtoname(p->session_info->unix_token->uid),
p->session_info->info3->base.domain.string,
NULL,
p->session_info->security_token,
return WERR_ACCESS_DENIED;
}
- if (!user_ok_token(uidtoname(p->session_info->utok.uid), NULL,
+ if (!user_ok_token(uidtoname(p->session_info->unix_token->uid), NULL,
p->session_info->security_token, snum) ||
!print_access_check(p->session_info,
p->msg_ctx,
/* if the user is not root, doesn't have SE_PRINT_OPERATOR privilege,
and not a printer admin, then fail */
- if ( (p->session_info->utok.uid != sec_initial_uid())
+ if ( (p->session_info->unix_token->uid != sec_initial_uid())
&& !security_token_has_privilege(p->session_info->security_token, SEC_PRIV_PRINT_OPERATOR)
&& !token_contains_name_in_list(
- uidtoname(p->session_info->utok.uid),
+ uidtoname(p->session_info->unix_token->uid),
p->session_info->info3->base.domain.string,
NULL,
p->session_info->security_token,
/* if the user is not root, doesn't have SE_PRINT_OPERATOR privilege,
and not a printer admin, then fail */
- if ( (p->session_info->utok.uid != sec_initial_uid())
+ if ( (p->session_info->unix_token->uid != sec_initial_uid())
&& !security_token_has_privilege(p->session_info->security_token, SEC_PRIV_PRINT_OPERATOR)
&& !token_contains_name_in_list(
- uidtoname(p->session_info->utok.uid),
+ uidtoname(p->session_info->unix_token->uid),
p->session_info->info3->base.domain.string,
NULL,
p->session_info->security_token, lp_printer_admin(-1)) )
/* if the user is not root, doesn't have SE_PRINT_OPERATOR privilege,
and not a printer admin, then fail */
- if ((p->session_info->utok.uid != sec_initial_uid()) &&
+ if ((p->session_info->unix_token->uid != sec_initial_uid()) &&
!security_token_has_privilege(p->session_info->security_token, SEC_PRIV_PRINT_OPERATOR) &&
- !token_contains_name_in_list(uidtoname(p->session_info->utok.uid),
+ !token_contains_name_in_list(uidtoname(p->session_info->unix_token->uid),
p->session_info->info3->base.domain.string,
NULL,
p->session_info->security_token,
return WERR_BADFID;
}
- if ((p->session_info->utok.uid != sec_initial_uid()) &&
+ if ((p->session_info->unix_token->uid != sec_initial_uid()) &&
!security_token_has_privilege(p->session_info->security_token, SEC_PRIV_PRINT_OPERATOR) &&
- !token_contains_name_in_list(uidtoname(p->session_info->utok.uid),
+ !token_contains_name_in_list(uidtoname(p->session_info->unix_token->uid),
p->session_info->info3->base.domain.string,
NULL,
p->session_info->security_token,
/* if the user is not root, doesn't have SE_PRINT_OPERATOR privilege,
and not a printer admin, then fail */
- if ((p->session_info->utok.uid != sec_initial_uid()) &&
+ if ((p->session_info->unix_token->uid != sec_initial_uid()) &&
!security_token_has_privilege(p->session_info->security_token, SEC_PRIV_PRINT_OPERATOR) &&
- !token_contains_name_in_list(uidtoname(p->session_info->utok.uid),
+ !token_contains_name_in_list(uidtoname(p->session_info->unix_token->uid),
p->session_info->info3->base.domain.string,
NULL,
p->session_info->security_token,
remark = talloc_sub_advanced(
p->mem_ctx, lp_servicename(snum),
get_current_username(), lp_pathname(snum),
- p->session_info->utok.uid, get_current_username(),
+ p->session_info->unix_token->uid, get_current_username(),
"", remark);
}
remark = talloc_sub_advanced(
p->mem_ctx, lp_servicename(snum),
get_current_username(), lp_pathname(snum),
- p->session_info->utok.uid, get_current_username(),
+ p->session_info->unix_token->uid, get_current_username(),
"", remark);
}
path = talloc_asprintf(p->mem_ctx,
remark = talloc_sub_advanced(
p->mem_ctx, lp_servicename(snum),
get_current_username(), lp_pathname(snum),
- p->session_info->utok.uid, get_current_username(),
+ p->session_info->unix_token->uid, get_current_username(),
"", remark);
}
remark = talloc_sub_advanced(
p->mem_ctx, lp_servicename(snum),
get_current_username(), lp_pathname(snum),
- p->session_info->utok.uid, get_current_username(),
+ p->session_info->unix_token->uid, get_current_username(),
"", remark);
}
path = talloc_asprintf(ctx, "C:%s", lp_pathname(snum));
remark = talloc_sub_advanced(
p->mem_ctx, lp_servicename(snum),
get_current_username(), lp_pathname(snum),
- p->session_info->utok.uid, get_current_username(),
+ p->session_info->unix_token->uid, get_current_username(),
"", remark);
}
/* fail out now if you are not root or not a domain admin */
- if ((p->session_info->utok.uid != sec_initial_uid()) &&
+ if ((p->session_info->unix_token->uid != sec_initial_uid()) &&
( ! nt_token_check_domain_rid(p->session_info->security_token,
DOMAIN_RID_ADMINS))) {
NTSTATUS ntstat;
- if (p->session_info->utok.uid != sec_initial_uid()) {
+ if (p->session_info->unix_token->uid != sec_initial_uid()) {
not_root = True;
become_root();
}
/* fail out now if you are not root and not a disk op */
- if ( p->session_info->utok.uid != sec_initial_uid() && !is_disk_op ) {
+ if ( p->session_info->unix_token->uid != sec_initial_uid() && !is_disk_op ) {
DEBUG(2,("_srvsvc_NetShareSetInfo: uid %u doesn't have the "
"SeDiskOperatorPrivilege privilege needed to modify "
"share %s\n",
- (unsigned int)p->session_info->utok.uid,
+ (unsigned int)p->session_info->unix_token->uid,
share_name ));
return WERR_ACCESS_DENIED;
}
is_disk_op = security_token_has_privilege(p->session_info->security_token, SEC_PRIV_DISK_OPERATOR);
- if (p->session_info->utok.uid != sec_initial_uid() && !is_disk_op )
+ if (p->session_info->unix_token->uid != sec_initial_uid() && !is_disk_op )
return WERR_ACCESS_DENIED;
if (!lp_add_share_cmd() || !*lp_add_share_cmd()) {
is_disk_op = security_token_has_privilege(p->session_info->security_token, SEC_PRIV_DISK_OPERATOR);
- if (p->session_info->utok.uid != sec_initial_uid() && !is_disk_op )
+ if (p->session_info->unix_token->uid != sec_initial_uid() && !is_disk_op )
return WERR_ACCESS_DENIED;
if (!lp_delete_share_cmd() || !*lp_delete_share_cmd()) {
is_disk_op = security_token_has_privilege(p->session_info->security_token, SEC_PRIV_DISK_OPERATOR);
- if (p->session_info->utok.uid != sec_initial_uid() && !is_disk_op) {
+ if (p->session_info->unix_token->uid != sec_initial_uid() && !is_disk_op) {
return WERR_ACCESS_DENIED;
}
return False;
}
+ /* Make clear that we require the optional unix_token in the source3 code */
+ SMB_ASSERT(conn->session_info->unix_token);
+
/* fill in the crec */
ZERO_STRUCT(crec);
crec.magic = 0x280267;
crec.pid = sconn_server_id(conn->sconn);
crec.cnum = conn->cnum;
- crec.uid = conn->session_info->utok.uid;
- crec.gid = conn->session_info->utok.gid;
+ crec.uid = conn->session_info->unix_token->uid;
+ crec.gid = conn->session_info->unix_token->gid;
strlcpy(crec.servicename, lp_servicename(SNUM(conn)),
sizeof(crec.servicename));
crec.start = time(NULL);
lp_servicename(SNUM(conn)),
conn->session_info->unix_name,
conn->connectpath,
- conn->session_info->utok.gid,
+ conn->session_info->unix_token->gid,
conn->session_info->sanitized_username,
conn->session_info->info3->base.domain.string,
buf);
lp_servicename(SNUM(conn)),
conn->session_info->unix_name,
conn->connectpath,
- conn->session_info->utok.gid,
+ conn->session_info->unix_token->gid,
conn->session_info->sanitized_username,
conn->session_info->info3->base.domain.string,
buf);
if(vuser != NULL) {
DEBUG(3,(" Username of UID %d is %s\n",
- (int)vuser->session_info->utok.uid,
+ (int)vuser->session_info->unix_token->uid,
vuser->session_info->unix_name));
}
static bool uid_in_use(const struct user_struct* user, uid_t uid)
{
while (user) {
- if (user->session_info && (user->session_info->utok.uid == uid)) {
+ if (user->session_info && (user->session_info->unix_token->uid == uid)) {
return true;
}
user = user->next;
while (user) {
if (user->session_info != NULL) {
int i;
- struct security_unix_token utok = user->session_info->utok;
- if (utok.gid == gid) {
+ struct security_unix_token *utok = user->session_info->unix_token;
+ if (utok->gid == gid) {
return true;
}
- for(i=0; i<utok.ngroups; i++) {
- if (utok.groups[i] == gid) {
+ for(i=0; i<utok->ngroups; i++) {
+ if (utok->groups[i] == gid) {
return true;
}
}
vuser->session_info->sanitized_username = talloc_strdup(
vuser->session_info, tmp);
+ /* Make clear that we require the optional unix_token in the source3 code */
+ SMB_ASSERT(vuser->session_info->unix_token);
+
DEBUG(10,("register_existing_vuid: (%u,%u) %s %s %s guest=%d\n",
- (unsigned int)vuser->session_info->utok.uid,
- (unsigned int)vuser->session_info->utok.gid,
+ (unsigned int)vuser->session_info->unix_token->uid,
+ (unsigned int)vuser->session_info->unix_token->gid,
vuser->session_info->unix_name,
vuser->session_info->sanitized_username,
vuser->session_info->info3->base.domain.string,
goto fail;
}
+ /* Make clear that we require the optional unix_token in the source3 code */
+ SMB_ASSERT(vuser->session_info->unix_token);
+
DEBUG(3,("register_existing_vuid: UNIX uid %d is UNIX user %s, "
- "and will be vuid %u\n", (int)vuser->session_info->utok.uid,
+ "and will be vuid %u\n", (int)vuser->session_info->unix_token->uid,
vuser->session_info->unix_name, vuser->vuid));
if (!session_claim(sconn, vuser)) {
}
/* The set is across all open files on this dev/inode pair. */
- if (!set_delete_on_close(fsp, True, &conn->session_info->utok)) {
+ if (!set_delete_on_close(fsp, True, conn->session_info->unix_token)) {
close_file(req, fsp, NORMAL_CLOSE);
return NT_STATUS_ACCESS_DENIED;
}
goto out;
}
- if (!set_delete_on_close(fsp, true, &conn->session_info->utok)) {
+ if (!set_delete_on_close(fsp, true, conn->session_info->unix_token)) {
close_file(req, fsp, ERROR_CLOSE);
reply_nterror(req, NT_STATUS_ACCESS_DENIED);
goto out;
status = find_forced_group(
conn->force_user, snum, conn->session_info->unix_name,
&conn->session_info->security_token->sids[1],
- &conn->session_info->utok.gid);
+ &conn->session_info->unix_token->gid);
if (!NT_STATUS_IS_OK(status)) {
return status;
* struct. We only use conn->session_info directly if
* "force_user" was set.
*/
- conn->force_group_gid = conn->session_info->utok.gid;
+ conn->force_group_gid = conn->session_info->unix_token->gid;
}
return NT_STATUS_OK;
lp_servicename(SNUM(conn)),
conn->session_info->unix_name,
conn->connectpath,
- conn->session_info->utok.gid,
+ conn->session_info->unix_token->gid,
conn->session_info->sanitized_username,
conn->session_info->info3->base.domain.string,
lp_pathname(snum));
lp_servicename(SNUM(conn)),
conn->session_info->unix_name,
conn->connectpath,
- conn->session_info->utok.gid,
+ conn->session_info->unix_token->gid,
conn->session_info->sanitized_username,
conn->session_info->info3->base.domain.string,
lp_rootpreexec(snum));
lp_servicename(SNUM(conn)),
conn->session_info->unix_name,
conn->connectpath,
- conn->session_info->utok.gid,
+ conn->session_info->unix_token->gid,
conn->session_info->sanitized_username,
conn->session_info->info3->base.domain.string,
lp_preexec(snum));
lp_servicename(SNUM(conn)),
conn->session_info->unix_name,
conn->connectpath,
- conn->session_info->utok.gid,
+ conn->session_info->unix_token->gid,
conn->session_info->sanitized_username,
conn->session_info->info3->base.domain.string,
lp_postexec(SNUM(conn)));
lp_servicename(SNUM(conn)),
conn->session_info->unix_name,
conn->connectpath,
- conn->session_info->utok.gid,
+ conn->session_info->unix_token->gid,
conn->session_info->sanitized_username,
conn->session_info->info3->base.domain.string,
lp_rootpostexec(SNUM(conn)));
return false;
}
+ /* Make clear that we require the optional unix_token in the source3 code */
+ SMB_ASSERT(vuser->session_info->unix_token);
+
fstrcpy(sessionid.username, vuser->session_info->unix_name);
fstrcpy(sessionid.hostname, sconn->remote_hostname);
sessionid.id_num = i; /* Only valid for utmp sessions */
sessionid.pid = pid;
- sessionid.uid = vuser->session_info->utok.uid;
- sessionid.gid = vuser->session_info->utok.gid;
+ sessionid.uid = vuser->session_info->unix_token->uid;
+ sessionid.gid = vuser->session_info->unix_token->gid;
fstrcpy(sessionid.remote_machine, get_remote_machine_name());
fstrcpy(sessionid.ip_addr_str, raddr);
sessionid.connect_start = time(NULL);
+ 4 /* num_sids */
+ 4 /* SID bytes */
+ 4 /* pad/reserved */
- + (conn->session_info->utok.ngroups * 8)
+ + (conn->session_info->unix_token->ngroups * 8)
/* groups list */
+ (conn->session_info->security_token->num_sids *
SID_MAX_SIZE)
SIVAL(pdata, 0, flags);
SIVAL(pdata, 4, SMB_WHOAMI_MASK);
SBIG_UINT(pdata, 8,
- (uint64_t)conn->session_info->utok.uid);
+ (uint64_t)conn->session_info->unix_token->uid);
SBIG_UINT(pdata, 16,
- (uint64_t)conn->session_info->utok.gid);
+ (uint64_t)conn->session_info->unix_token->gid);
if (data_len >= max_data_bytes) {
break;
}
- SIVAL(pdata, 24, conn->session_info->utok.ngroups);
+ SIVAL(pdata, 24, conn->session_info->unix_token->ngroups);
SIVAL(pdata, 28, conn->session_info->security_token->num_sids);
/* We walk the SID list twice, but this call is fairly
data_len = 40;
/* GID list */
- for (i = 0; i < conn->session_info->utok.ngroups; ++i) {
+ for (i = 0; i < conn->session_info->unix_token->ngroups; ++i) {
SBIG_UINT(pdata, data_len,
- (uint64_t)conn->session_info->utok.groups[i]);
+ (uint64_t)conn->session_info->unix_token->groups[i]);
data_len += 8;
}
/* The set is across all open files on this dev/inode pair. */
if (!set_delete_on_close(fsp, delete_on_close,
- &conn->session_info->utok)) {
+ conn->session_info->unix_token)) {
return NT_STATUS_ACCESS_DENIED;
}
return NT_STATUS_OK;
"Setting uid as %d\n",
conn->session_info->unix_name,
sec_initial_uid() ));
- conn->session_info->utok.uid = sec_initial_uid();
+ conn->session_info->unix_token->uid = sec_initial_uid();
}
return(True);
return false;
}
- uid = conn->session_info->utok.uid;
- gid = conn->session_info->utok.gid;
- num_groups = conn->session_info->utok.ngroups;
- group_list = conn->session_info->utok.groups;
+ uid = conn->session_info->unix_token->uid;
+ gid = conn->session_info->unix_token->gid;
+ num_groups = conn->session_info->unix_token->ngroups;
+ group_list = conn->session_info->unix_token->groups;
/*
* See if we should force group for this service. If so this overrides
*/
for (i = 0; i < num_groups; i++) {
if (group_list[i] == conn->force_group_gid) {
- conn->session_info->utok.gid =
+ conn->session_info->unix_token->gid =
conn->force_group_gid;
gid = conn->force_group_gid;
gid_to_sid(&conn->session_info->security_token
}
}
} else {
- conn->session_info->utok.gid = conn->force_group_gid;
+ conn->session_info->unix_token->gid = conn->force_group_gid;
gid = conn->force_group_gid;
gid_to_sid(&conn->session_info->security_token->sids[1],
gid);
*/
if((lp_security() == SEC_SHARE) && (current_user.conn == conn) &&
- (current_user.ut.uid == conn->session_info->utok.uid)) {
+ (current_user.ut.uid == conn->session_info->unix_token->uid)) {
DEBUG(4,("Skipping user change - already "
"user\n"));
return(True);
} else if ((current_user.conn == conn) &&
(vuser != NULL) && (current_user.vuid == vuid) &&
- (current_user.ut.uid == vuser->session_info->utok.uid)) {
+ (current_user.ut.uid == vuser->session_info->unix_token->uid)) {
DEBUG(4,("Skipping user change - already "
"user\n"));
return(True);
SMB_ASSERT(session_info != NULL);
if ((current_user.conn == conn) &&
- (current_user.ut.uid == session_info->utok.uid)) {
+ (current_user.ut.uid == session_info->unix_token->uid)) {
DEBUG(7, ("Skipping user change - already user\n"));
return true;
if (!push_sec_ctx())
return False;
- set_sec_ctx(session_info->utok.uid, session_info->utok.gid,
- session_info->utok.ngroups, session_info->utok.groups,
+ set_sec_ctx(session_info->unix_token->uid, session_info->unix_token->gid,
+ session_info->unix_token->ngroups, session_info->unix_token->groups,
session_info->security_token);
return True;
/****************************************************************************
Return the current user we are running effectively as on this connection.
- I'd like to make this return conn->session_info->utok.uid, but become_root()
+ I'd like to make this return conn->session_info->unix_token->uid, but become_root()
doesn't alter this value.
****************************************************************************/
/****************************************************************************
Return the current group we are running effectively as on this connection.
- I'd like to make this return conn->session_info->utok.gid, but become_root()
+ I'd like to make this return conn->session_info->unix_token->gid, but become_root()
doesn't alter this value.
****************************************************************************/
/****************************************************************************
Return the UNIX token we are running effectively as on this connection.
- I'd like to make this return &conn->session_info->utok, but become_root()
+ I'd like to make this return &conn->session_info->unix_token-> but become_root()
doesn't alter this value.
****************************************************************************/
git.samba.org / amitay / samba.git / commitdiff