2 Unix SMB/CIFS implementation.
4 Copyright (C) Andrew Tridgell 1992-1998
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 #include "system/passwd.h"
22 #include "smbd/smbd.h"
23 #include "smbd/globals.h"
24 #include "../librpc/gen_ndr/netlogon.h"
25 #include "libcli/security/security.h"
26 #include "passdb/lookup_sid.h"
28 #include "../auth/auth_util.h"
30 /* what user is current? */
31 extern struct current_user current_user;
33 /****************************************************************************
34 Become the guest user without changing the security context stack.
35 ****************************************************************************/
37 bool change_to_guest(void)
41 pass = Get_Pwnam_alloc(talloc_tos(), lp_guest_account());
47 /* MWW: From AIX FAQ patch to WU-ftpd: call initgroups before
49 initgroups(pass->pw_name, pass->pw_gid);
52 set_sec_ctx(pass->pw_uid, pass->pw_gid, 0, NULL, NULL);
54 current_user.conn = NULL;
55 current_user.vuid = UID_FIELD_INVALID;
56 current_user.need_chdir = false;
57 current_user.done_chdir = false;
64 /****************************************************************************
65 talloc free the conn->session_info if not used in the vuid cache.
66 ****************************************************************************/
68 static void free_conn_session_info_if_unused(connection_struct *conn)
72 for (i = 0; i < VUID_CACHE_SIZE; i++) {
73 struct vuid_cache_entry *ent;
74 ent = &conn->vuid_cache->array[i];
75 if (ent->vuid != UID_FIELD_INVALID &&
76 conn->session_info == ent->session_info) {
80 /* Not used, safe to free. */
81 TALLOC_FREE(conn->session_info);
84 /****************************************************************************
85 Setup the share access mask for a connection.
86 ****************************************************************************/
88 static uint32_t create_share_access_mask(int snum,
90 const struct security_token *token)
92 uint32_t share_access = 0;
94 share_access_check(token,
95 lp_const_servicename(snum),
96 MAXIMUM_ALLOWED_ACCESS,
101 ~(SEC_FILE_WRITE_DATA | SEC_FILE_APPEND_DATA |
102 SEC_FILE_WRITE_EA | SEC_FILE_WRITE_ATTRIBUTE |
103 SEC_DIR_DELETE_CHILD );
106 if (security_token_has_privilege(token, SEC_PRIV_SECURITY)) {
107 share_access |= SEC_FLAG_SYSTEM_SECURITY;
109 if (security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
110 share_access |= SEC_RIGHTS_PRIV_RESTORE;
112 if (security_token_has_privilege(token, SEC_PRIV_BACKUP)) {
113 share_access |= SEC_RIGHTS_PRIV_BACKUP;
115 if (security_token_has_privilege(token, SEC_PRIV_TAKE_OWNERSHIP)) {
116 share_access |= SEC_STD_WRITE_OWNER;
122 /*******************************************************************
123 Calculate access mask and if this user can access this share.
124 ********************************************************************/
126 NTSTATUS check_user_share_access(connection_struct *conn,
127 const struct auth_session_info *session_info,
128 uint32_t *p_share_access,
129 bool *p_readonly_share)
131 int snum = SNUM(conn);
132 uint32_t share_access = 0;
133 bool readonly_share = false;
135 if (!user_ok_token(session_info->unix_info->unix_name,
136 session_info->info->domain_name,
137 session_info->security_token, snum)) {
138 return NT_STATUS_ACCESS_DENIED;
141 readonly_share = is_share_read_only_for_token(
142 session_info->unix_info->unix_name,
143 session_info->info->domain_name,
144 session_info->security_token,
147 share_access = create_share_access_mask(snum,
149 session_info->security_token);
151 if ((share_access & (FILE_READ_DATA|FILE_WRITE_DATA)) == 0) {
152 /* No access, read or write. */
153 DBG_NOTICE("user %s connection to %s denied due to share "
154 "security descriptor.\n",
155 session_info->unix_info->unix_name,
156 lp_const_servicename(snum));
157 return NT_STATUS_ACCESS_DENIED;
160 if (!readonly_share &&
161 !(share_access & FILE_WRITE_DATA)) {
162 /* smb.conf allows r/w, but the security descriptor denies
163 * write. Fall back to looking at readonly. */
164 readonly_share = true;
165 DBG_INFO("falling back to read-only access-evaluation due to "
166 "security descriptor\n");
169 *p_share_access = share_access;
170 *p_readonly_share = readonly_share;
175 /*******************************************************************
176 Check if a username is OK.
178 This sets up conn->session_info with a copy related to this vuser that
179 later code can then mess with.
180 ********************************************************************/
182 static bool check_user_ok(connection_struct *conn,
184 const struct auth_session_info *session_info,
188 bool readonly_share = false;
189 bool admin_user = false;
190 struct vuid_cache_entry *ent = NULL;
191 uint32_t share_access = 0;
194 for (i=0; i<VUID_CACHE_SIZE; i++) {
195 ent = &conn->vuid_cache->array[i];
196 if (ent->vuid == vuid) {
197 if (vuid == UID_FIELD_INVALID) {
199 * Slow path, we don't care
200 * about the array traversal.
204 free_conn_session_info_if_unused(conn);
205 conn->session_info = ent->session_info;
206 conn->read_only = ent->read_only;
207 conn->share_access = ent->share_access;
208 conn->vuid = ent->vuid;
213 status = check_user_share_access(conn,
217 if (!NT_STATUS_IS_OK(status)) {
221 admin_user = token_contains_name_in_list(
222 session_info->unix_info->unix_name,
223 session_info->info->domain_name,
224 NULL, session_info->security_token, lp_admin_users(snum));
226 ent = &conn->vuid_cache->array[conn->vuid_cache->next_entry];
228 conn->vuid_cache->next_entry =
229 (conn->vuid_cache->next_entry + 1) % VUID_CACHE_SIZE;
231 TALLOC_FREE(ent->session_info);
234 * If force_user was set, all session_info's are based on the same
235 * username-based faked one.
238 ent->session_info = copy_session_info(
239 conn, conn->force_user ? conn->session_info : session_info);
241 if (ent->session_info == NULL) {
242 ent->vuid = UID_FIELD_INVALID;
247 DEBUG(2,("check_user_ok: user %s is an admin user. "
248 "Setting uid as %d\n",
249 ent->session_info->unix_info->unix_name,
250 sec_initial_uid() ));
251 ent->session_info->unix_token->uid = sec_initial_uid();
255 * It's actually OK to call check_user_ok() with
256 * vuid == UID_FIELD_INVALID as called from change_to_user_by_session().
257 * All this will do is throw away one entry in the cache.
261 ent->read_only = readonly_share;
262 ent->share_access = share_access;
263 free_conn_session_info_if_unused(conn);
264 conn->session_info = ent->session_info;
265 conn->vuid = ent->vuid;
266 if (vuid == UID_FIELD_INVALID) {
268 * Not strictly needed, just make it really
269 * clear this entry is actually an unused one.
271 ent->read_only = false;
272 ent->share_access = 0;
273 ent->session_info = NULL;
276 conn->read_only = readonly_share;
277 conn->share_access = share_access;
282 /****************************************************************************
283 Become the user of a connection number without changing the security context
284 stack, but modify the current_user entries.
285 ****************************************************************************/
287 static bool change_to_user_internal(connection_struct *conn,
288 const struct auth_session_info *session_info,
294 const char *force_group_name;
297 gid_t *group_list = NULL;
300 if ((current_user.conn == conn) &&
301 (current_user.vuid == vuid) &&
302 (current_user.need_chdir == conn->tcon_done) &&
303 (current_user.ut.uid == session_info->unix_token->uid))
305 DBG_INFO("Skipping user change - already user\n");
309 set_current_user_info(session_info->unix_info->sanitized_username,
310 session_info->unix_info->unix_name,
311 session_info->info->domain_name);
315 ok = check_user_ok(conn, vuid, session_info, snum);
317 DBG_WARNING("SMB user %s (unix user %s) "
318 "not permitted access to share %s.\n",
319 session_info->unix_info->sanitized_username,
320 session_info->unix_info->unix_name,
321 lp_const_servicename(snum));
325 uid = conn->session_info->unix_token->uid;
326 gid = conn->session_info->unix_token->gid;
327 num_groups = conn->session_info->unix_token->ngroups;
328 group_list = conn->session_info->unix_token->groups;
331 * See if we should force group for this service. If so this overrides
332 * any group set in the force user code.
334 force_group_name = lp_force_group(talloc_tos(), snum);
335 group_c = *force_group_name;
337 if ((group_c != '\0') && (conn->force_group_gid == (gid_t)-1)) {
339 * This can happen if "force group" is added to a
340 * share definition whilst an existing connection
341 * to that share exists. In that case, don't change
342 * the existing credentials for force group, only
343 * do so for new connections.
345 * BUG: https://bugzilla.samba.org/show_bug.cgi?id=13690
347 DBG_INFO("Not forcing group %s on existing connection to "
348 "share %s for SMB user %s (unix user %s)\n",
350 lp_const_servicename(snum),
351 session_info->unix_info->sanitized_username,
352 session_info->unix_info->unix_name);
355 if((group_c != '\0') && (conn->force_group_gid != (gid_t)-1)) {
357 * Only force group for connections where
358 * conn->force_group_gid has already been set
359 * to the correct value (i.e. the connection
360 * happened after the 'force group' definition
361 * was added to the share definition. Connections
362 * that were made before force group was added
363 * should stay with their existing credentials.
365 * BUG: https://bugzilla.samba.org/show_bug.cgi?id=13690
368 if (group_c == '+') {
372 * Only force group if the user is a member of the
373 * service group. Check the group memberships for this
374 * user (we already have this) to see if we should force
377 for (i = 0; i < num_groups; i++) {
378 if (group_list[i] == conn->force_group_gid) {
379 conn->session_info->unix_token->gid =
380 conn->force_group_gid;
381 gid = conn->force_group_gid;
382 gid_to_sid(&conn->session_info->security_token
388 conn->session_info->unix_token->gid = conn->force_group_gid;
389 gid = conn->force_group_gid;
390 gid_to_sid(&conn->session_info->security_token->sids[1],
395 /*Set current_user since we will immediately also call set_sec_ctx() */
396 current_user.ut.ngroups = num_groups;
397 current_user.ut.groups = group_list;
401 current_user.ut.ngroups,
402 current_user.ut.groups,
403 conn->session_info->security_token);
405 current_user.conn = conn;
406 current_user.vuid = vuid;
407 current_user.need_chdir = conn->tcon_done;
409 if (current_user.need_chdir) {
410 ok = chdir_current_service(conn);
412 DBG_ERR("chdir_current_service() failed!\n");
415 current_user.done_chdir = true;
418 if (CHECK_DEBUGLVL(DBGLVL_INFO)) {
419 struct smb_filename *cwdfname = vfs_GetWd(talloc_tos(), conn);
420 if (cwdfname == NULL) {
423 DBG_INFO("Impersonated user: uid=(%d,%d), gid=(%d,%d), cwd=[%s]\n",
428 cwdfname->base_name);
429 TALLOC_FREE(cwdfname);
435 bool change_to_user(connection_struct *conn, uint64_t vuid)
437 struct user_struct *vuser;
438 int snum = SNUM(conn);
441 DEBUG(2,("Connection not open\n"));
445 vuser = get_valid_user_struct(conn->sconn, vuid);
447 /* Invalid vuid sent */
448 DBG_WARNING("Invalid vuid %llu used on share %s.\n",
449 (unsigned long long)vuid,
450 lp_const_servicename(snum));
454 return change_to_user_internal(conn, vuser->session_info, vuid);
457 bool change_to_user_by_fsp(struct files_struct *fsp)
459 return change_to_user(fsp->conn, fsp->vuid);
462 static bool change_to_user_by_session(connection_struct *conn,
463 const struct auth_session_info *session_info)
465 SMB_ASSERT(conn != NULL);
466 SMB_ASSERT(session_info != NULL);
468 return change_to_user_internal(conn, session_info, UID_FIELD_INVALID);
471 /****************************************************************************
472 Go back to being root without changing the security context stack,
473 but modify the current_user entries.
474 ****************************************************************************/
476 bool smbd_change_to_root_user(void)
480 DEBUG(5,("change_to_root_user: now uid=(%d,%d) gid=(%d,%d)\n",
481 (int)getuid(),(int)geteuid(),(int)getgid(),(int)getegid()));
483 current_user.conn = NULL;
484 current_user.vuid = UID_FIELD_INVALID;
485 current_user.need_chdir = false;
486 current_user.done_chdir = false;
491 /****************************************************************************
492 Become the user of an authenticated connected named pipe.
493 When this is called we are currently running as the connection
494 user. Doesn't modify current_user.
495 ****************************************************************************/
497 bool smbd_become_authenticated_pipe_user(struct auth_session_info *session_info)
502 set_sec_ctx(session_info->unix_token->uid, session_info->unix_token->gid,
503 session_info->unix_token->ngroups, session_info->unix_token->groups,
504 session_info->security_token);
506 DEBUG(5, ("Impersonated user: uid=(%d,%d), gid=(%d,%d)\n",
515 /****************************************************************************
516 Unbecome the user of an authenticated connected named pipe.
517 When this is called we are running as the authenticated pipe
518 user and need to go back to being the connection user. Doesn't modify
520 ****************************************************************************/
522 bool smbd_unbecome_authenticated_pipe_user(void)
524 return pop_sec_ctx();
527 /****************************************************************************
528 Utility functions used by become_xxx/unbecome_xxx.
529 ****************************************************************************/
531 static void push_conn_ctx(void)
533 struct conn_ctx *ctx_p;
534 extern userdom_struct current_user_info;
536 /* Check we don't overflow our stack */
538 if (conn_ctx_stack_ndx == MAX_SEC_CTX_DEPTH) {
539 DEBUG(0, ("Connection context stack overflow!\n"));
540 smb_panic("Connection context stack overflow!\n");
543 /* Store previous user context */
544 ctx_p = &conn_ctx_stack[conn_ctx_stack_ndx];
546 ctx_p->conn = current_user.conn;
547 ctx_p->vuid = current_user.vuid;
548 ctx_p->need_chdir = current_user.need_chdir;
549 ctx_p->done_chdir = current_user.done_chdir;
550 ctx_p->user_info = current_user_info;
552 DEBUG(4, ("push_conn_ctx(%llu) : conn_ctx_stack_ndx = %d\n",
553 (unsigned long long)ctx_p->vuid, conn_ctx_stack_ndx));
555 conn_ctx_stack_ndx++;
558 static void pop_conn_ctx(void)
560 struct conn_ctx *ctx_p;
562 /* Check for stack underflow. */
564 if (conn_ctx_stack_ndx == 0) {
565 DEBUG(0, ("Connection context stack underflow!\n"));
566 smb_panic("Connection context stack underflow!\n");
569 conn_ctx_stack_ndx--;
570 ctx_p = &conn_ctx_stack[conn_ctx_stack_ndx];
572 set_current_user_info(ctx_p->user_info.smb_name,
573 ctx_p->user_info.unix_name,
574 ctx_p->user_info.domain);
577 * Check if the current context did a chdir_current_service()
578 * and restore the cwd_fname of the previous context
581 if (current_user.done_chdir && ctx_p->need_chdir) {
584 ret = vfs_ChDir(ctx_p->conn, ctx_p->conn->cwd_fsp->fsp_name);
586 DBG_ERR("vfs_ChDir() failed!\n");
587 smb_panic("vfs_ChDir() failed!\n");
591 current_user.conn = ctx_p->conn;
592 current_user.vuid = ctx_p->vuid;
593 current_user.need_chdir = ctx_p->need_chdir;
594 current_user.done_chdir = ctx_p->done_chdir;
596 *ctx_p = (struct conn_ctx) {
597 .vuid = UID_FIELD_INVALID,
601 /****************************************************************************
602 Temporarily become a root user. Must match with unbecome_root(). Saves and
603 restores the connection context.
604 ****************************************************************************/
606 void smbd_become_root(void)
609 * no good way to handle push_sec_ctx() failing without changing
610 * the prototype of become_root()
612 if (!push_sec_ctx()) {
613 smb_panic("become_root: push_sec_ctx failed");
619 /* Unbecome the root user */
621 void smbd_unbecome_root(void)
627 /****************************************************************************
628 Push the current security context then force a change via change_to_user().
629 Saves and restores the connection context.
630 ****************************************************************************/
632 bool become_user(connection_struct *conn, uint64_t vuid)
639 if (!change_to_user(conn, vuid)) {
648 bool become_user_by_fsp(struct files_struct *fsp)
650 return become_user(fsp->conn, fsp->vuid);
653 bool become_user_by_session(connection_struct *conn,
654 const struct auth_session_info *session_info)
661 if (!change_to_user_by_session(conn, session_info)) {
670 bool unbecome_user(void)
677 /****************************************************************************
678 Return the current user we are running effectively as on this connection.
679 I'd like to make this return conn->session_info->unix_token->uid, but become_root()
680 doesn't alter this value.
681 ****************************************************************************/
683 uid_t get_current_uid(connection_struct *conn)
685 return current_user.ut.uid;
688 /****************************************************************************
689 Return the current group we are running effectively as on this connection.
690 I'd like to make this return conn->session_info->unix_token->gid, but become_root()
691 doesn't alter this value.
692 ****************************************************************************/
694 gid_t get_current_gid(connection_struct *conn)
696 return current_user.ut.gid;
699 /****************************************************************************
700 Return the UNIX token we are running effectively as on this connection.
701 I'd like to make this return &conn->session_info->unix_token-> but become_root()
702 doesn't alter this value.
703 ****************************************************************************/
705 const struct security_unix_token *get_current_utok(connection_struct *conn)
707 return ¤t_user.ut;
710 /****************************************************************************
711 Return the Windows token we are running effectively as on this connection.
712 If this is currently a NULL token as we're inside become_root() - a temporary
713 UNIX security override, then we search up the stack for the previous active
715 ****************************************************************************/
717 const struct security_token *get_current_nttok(connection_struct *conn)
719 if (current_user.nt_user_token) {
720 return current_user.nt_user_token;
722 return sec_ctx_active_token();
725 uint64_t get_current_vuid(connection_struct *conn)
727 return current_user.vuid;
git.samba.org / samba.git / blob