source3/smbd/uid.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3    uid/user handling
   4    Copyright (C) Andrew Tridgell 1992-1998
   5
   6    This program is free software; you can redistribute it and/or modify
   7    it under the terms of the GNU General Public License as published by
   8    the Free Software Foundation; either version 3 of the License, or
   9    (at your option) any later version.
  10
  11    This program is distributed in the hope that it will be useful,
  12    but WITHOUT ANY WARRANTY; without even the implied warranty of
  13    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14    GNU General Public License for more details.
  15
  16    You should have received a copy of the GNU General Public License
  17    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  18 */
  19
  20 #include "includes.h"
  21 #include "smbd/globals.h"
  22
  23 /* what user is current? */
  24 extern struct current_user current_user;
  25
  26 /****************************************************************************
  27  Become the guest user without changing the security context stack.
  28 ****************************************************************************/
  29
  30 bool change_to_guest(void)
  31 {
  32         struct passwd *pass;
  33
  34         pass = getpwnam_alloc(talloc_autofree_context(), lp_guestaccount());
  35         if (!pass) {
  36                 return false;
  37         }
  38
  39 #ifdef AIX
  40         /* MWW: From AIX FAQ patch to WU-ftpd: call initgroups before
  41            setting IDs */
  42         initgroups(pass->pw_name, pass->pw_gid);
  43 #endif
  44
  45         set_sec_ctx(pass->pw_uid, pass->pw_gid, 0, NULL, NULL);
  46
  47         current_user.conn = NULL;
  48         current_user.vuid = UID_FIELD_INVALID;
  49
  50         TALLOC_FREE(pass);
  51
  52         return true;
  53 }
  54
  55 /****************************************************************************
  56  talloc free the conn->server_info if not used in the vuid cache.
  57 ****************************************************************************/
  58
  59 static void free_conn_server_info_if_unused(connection_struct *conn)
  60 {
  61         unsigned int i;
  62
  63         for (i = 0; i < VUID_CACHE_SIZE; i++) {
  64                 struct vuid_cache_entry *ent;
  65                 ent = &conn->vuid_cache.array[i];
  66                 if (ent->vuid != UID_FIELD_INVALID &&
  67                                 conn->server_info == ent->server_info) {
  68                         return;
  69                 }
  70         }
  71         /* Not used, safe to free. */
  72         TALLOC_FREE(conn->server_info);
  73 }
  74
  75 /*******************************************************************
  76  Check if a username is OK.
  77
  78  This sets up conn->server_info with a copy related to this vuser that
  79  later code can then mess with.
  80 ********************************************************************/
  81
  82 static bool check_user_ok(connection_struct *conn,
  83                         uint16_t vuid,
  84                         const struct auth_serversupplied_info *server_info,
  85                         int snum)
  86 {
  87         bool valid_vuid = (vuid != UID_FIELD_INVALID);
  88         unsigned int i;
  89         bool readonly_share;
  90         bool admin_user;
  91
  92         if (valid_vuid) {
  93                 struct vuid_cache_entry *ent;
  94
  95                 for (i=0; i<VUID_CACHE_SIZE; i++) {
  96                         ent = &conn->vuid_cache.array[i];
  97                         if (ent->vuid == vuid) {
  98                                 free_conn_server_info_if_unused(conn);
  99                                 conn->server_info = ent->server_info;
 100                                 conn->read_only = ent->read_only;
 101                                 conn->admin_user = ent->admin_user;
 102                                 return(True);
 103                         }
 104                 }
 105         }
 106
 107         if (!user_ok_token(server_info->unix_name,
 108                            pdb_get_domain(server_info->sam_account),
 109                            server_info->ptok, snum))
 110                 return(False);
 111
 112         readonly_share = is_share_read_only_for_token(
 113                 server_info->unix_name,
 114                 pdb_get_domain(server_info->sam_account),
 115                 server_info->ptok,
 116                 conn);
 117
 118         if (!readonly_share &&
 119             !share_access_check(server_info->ptok, lp_servicename(snum),
 120                                 FILE_WRITE_DATA)) {
 121                 /* smb.conf allows r/w, but the security descriptor denies
 122                  * write. Fall back to looking at readonly. */
 123                 readonly_share = True;
 124                 DEBUG(5,("falling back to read-only access-evaluation due to "
 125                          "security descriptor\n"));
 126         }
 127
 128         if (!share_access_check(server_info->ptok, lp_servicename(snum),
 129                                 readonly_share ?
 130                                 FILE_READ_DATA : FILE_WRITE_DATA)) {
 131                 return False;
 132         }
 133
 134         admin_user = token_contains_name_in_list(
 135                 server_info->unix_name,
 136                 pdb_get_domain(server_info->sam_account),
 137                 NULL, server_info->ptok, lp_admin_users(snum));
 138
 139         if (valid_vuid) {
 140                 struct vuid_cache_entry *ent =
 141                         &conn->vuid_cache.array[conn->vuid_cache.next_entry];
 142
 143                 conn->vuid_cache.next_entry =
 144                         (conn->vuid_cache.next_entry + 1) % VUID_CACHE_SIZE;
 145
 146                 TALLOC_FREE(ent->server_info);
 147
 148                 /*
 149                  * If force_user was set, all server_info's are based on the same
 150                  * username-based faked one.
 151                  */
 152
 153                 ent->server_info = copy_serverinfo(
 154                         conn, conn->force_user ? conn->server_info : server_info);
 155
 156                 if (ent->server_info == NULL) {
 157                         ent->vuid = UID_FIELD_INVALID;
 158                         return false;
 159                 }
 160
 161                 ent->vuid = vuid;
 162                 ent->read_only = readonly_share;
 163                 ent->admin_user = admin_user;
 164                 free_conn_server_info_if_unused(conn);
 165                 conn->server_info = ent->server_info;
 166         }
 167
 168         conn->read_only = readonly_share;
 169         conn->admin_user = admin_user;
 170         if (conn->admin_user) {
 171                 conn->server_info->utok.uid = sec_initial_uid();
 172         }
 173
 174         return(True);
 175 }
 176
 177 /****************************************************************************
 178  Clear a vuid out of the connection's vuid cache
 179  This is only called on SMBulogoff.
 180 ****************************************************************************/
 181
 182 void conn_clear_vuid_cache(connection_struct *conn, uint16_t vuid)
 183 {
 184         int i;
 185
 186         for (i=0; i<VUID_CACHE_SIZE; i++) {
 187                 struct vuid_cache_entry *ent;
 188
 189                 ent = &conn->vuid_cache.array[i];
 190
 191                 if (ent->vuid == vuid) {
 192                         ent->vuid = UID_FIELD_INVALID;
 193                         /*
 194                          * We need to keep conn->server_info around
 195                          * if it's equal to ent->server_info as a SMBulogoff
 196                          * is often followed by a SMBtdis (with an invalid
 197                          * vuid). The debug code (or regular code in
 198                          * vfs_full_audit) wants to refer to the
 199                          * conn->server_info pointer to print debug
 200                          * statements. Theoretically this is a bug,
 201                          * as once the vuid is gone the server_info
 202                          * on the conn struct isn't valid any more,
 203                          * but there's enough code that assumes
 204                          * conn->server_info is never null that
 205                          * it's easier to hold onto the old pointer
 206                          * until we get a new sessionsetupX.
 207                          * As everything is hung off the
 208                          * conn pointer as a talloc context we're not
 209                          * leaking memory here. See bug #6315. JRA.
 210                          */
 211                         if (conn->server_info == ent->server_info) {
 212                                 ent->server_info = NULL;
 213                         } else {
 214                                 TALLOC_FREE(ent->server_info);
 215                         }
 216                         ent->read_only = False;
 217                         ent->admin_user = False;
 218                 }
 219         }
 220 }
 221
 222 /****************************************************************************
 223  Become the user of a connection number without changing the security context
 224  stack, but modify the current_user entries.
 225 ****************************************************************************/
 226
 227 bool change_to_user(connection_struct *conn, uint16 vuid)
 228 {
 229         const struct auth_serversupplied_info *server_info = NULL;
 230         struct smbd_server_connection *sconn = smbd_server_conn;
 231         user_struct *vuser = get_valid_user_struct(sconn, vuid);
 232         int snum;
 233         gid_t gid;
 234         uid_t uid;
 235         char group_c;
 236         int num_groups = 0;
 237         gid_t *group_list = NULL;
 238
 239         if (!conn) {
 240                 DEBUG(2,("change_to_user: Connection not open\n"));
 241                 return(False);
 242         }
 243
 244         /*
 245          * We need a separate check in security=share mode due to vuid
 246          * always being UID_FIELD_INVALID. If we don't do this then
 247          * in share mode security we are *always* changing uid's between
 248          * SMB's - this hurts performance - Badly.
 249          */
 250
 251         if((lp_security() == SEC_SHARE) && (current_user.conn == conn) &&
 252            (current_user.ut.uid == conn->server_info->utok.uid)) {
 253                 DEBUG(4,("change_to_user: Skipping user change - already "
 254                          "user\n"));
 255                 return(True);
 256         } else if ((current_user.conn == conn) &&
 257                    (vuser != NULL) && (current_user.vuid == vuid) &&
 258                    (current_user.ut.uid == vuser->server_info->utok.uid)) {
 259                 DEBUG(4,("change_to_user: Skipping user change - already "
 260                          "user\n"));
 261                 return(True);
 262         }
 263
 264         snum = SNUM(conn);
 265
 266         server_info = vuser ? vuser->server_info : conn->server_info;
 267
 268         if (!server_info) {
 269                 /* Invalid vuid sent - even with security = share. */
 270                 DEBUG(2,("change_to_user: Invalid vuid %d used on "
 271                          "share %s.\n",vuid, lp_servicename(snum) ));
 272                 return false;
 273         }
 274
 275         if (!check_user_ok(conn, vuid, server_info, snum)) {
 276                 DEBUG(2,("change_to_user: SMB user %s (unix user %s, vuid %d) "
 277                          "not permitted access to share %s.\n",
 278                          server_info->sanitized_username,
 279                          server_info->unix_name, vuid,
 280                          lp_servicename(snum)));
 281                 return false;
 282         }
 283
 284         /* security = share sets force_user. */
 285         if (!conn->force_user && !vuser) {
 286                 DEBUG(2,("change_to_user: Invalid vuid used %d in accessing "
 287                         "share %s.\n",vuid, lp_servicename(snum) ));
 288                 return False;
 289         }
 290
 291         /*
 292          * conn->server_info is now correctly set up with a copy we can mess
 293          * with for force_group etc.
 294          */
 295
 296         uid = conn->server_info->utok.uid;
 297         gid = conn->server_info->utok.gid;
 298         num_groups = conn->server_info->utok.ngroups;
 299         group_list  = conn->server_info->utok.groups;
 300
 301         /*
 302          * See if we should force group for this service.
 303          * If so this overrides any group set in the force
 304          * user code.
 305          */
 306
 307         if((group_c = *lp_force_group(snum))) {
 308
 309                 SMB_ASSERT(conn->force_group_gid != (gid_t)-1);
 310
 311                 if(group_c == '+') {
 312
 313                         /*
 314                          * Only force group if the user is a member of
 315                          * the service group. Check the group memberships for
 316                          * this user (we already have this) to
 317                          * see if we should force the group.
 318                          */
 319
 320                         int i;
 321                         for (i = 0; i < num_groups; i++) {
 322                                 if (group_list[i]
 323                                     == conn->force_group_gid) {
 324                                         conn->server_info->utok.gid =
 325                                                 conn->force_group_gid;
 326                                         gid = conn->force_group_gid;
 327                                         gid_to_sid(&conn->server_info->ptok
 328                                                    ->user_sids[1], gid);
 329                                         break;
 330                                 }
 331                         }
 332                 } else {
 333                         conn->server_info->utok.gid = conn->force_group_gid;
 334                         gid = conn->force_group_gid;
 335                         gid_to_sid(&conn->server_info->ptok->user_sids[1],
 336                                    gid);
 337                 }
 338         }
 339
 340         /* Now set current_user since we will immediately also call
 341            set_sec_ctx() */
 342
 343         current_user.ut.ngroups = num_groups;
 344         current_user.ut.groups  = group_list;
 345
 346         set_sec_ctx(uid, gid, current_user.ut.ngroups, current_user.ut.groups,
 347                     conn->server_info->ptok);
 348
 349         current_user.conn = conn;
 350         current_user.vuid = vuid;
 351
 352         DEBUG(5,("change_to_user uid=(%d,%d) gid=(%d,%d)\n",
 353                  (int)getuid(),(int)geteuid(),(int)getgid(),(int)getegid()));
 354
 355         return(True);
 356 }
 357
 358 /****************************************************************************
 359  Go back to being root without changing the security context stack,
 360  but modify the current_user entries.
 361 ****************************************************************************/
 362
 363 bool change_to_root_user(void)
 364 {
 365         set_root_sec_ctx();
 366
 367         DEBUG(5,("change_to_root_user: now uid=(%d,%d) gid=(%d,%d)\n",
 368                 (int)getuid(),(int)geteuid(),(int)getgid(),(int)getegid()));
 369
 370         current_user.conn = NULL;
 371         current_user.vuid = UID_FIELD_INVALID;
 372
 373         return(True);
 374 }
 375
 376 /****************************************************************************
 377  Become the user of an authenticated connected named pipe.
 378  When this is called we are currently running as the connection
 379  user. Doesn't modify current_user.
 380 ****************************************************************************/
 381
 382 bool become_authenticated_pipe_user(pipes_struct *p)
 383 {
 384         if (!push_sec_ctx())
 385                 return False;
 386
 387         set_sec_ctx(p->server_info->utok.uid, p->server_info->utok.gid,
 388                     p->server_info->utok.ngroups, p->server_info->utok.groups,
 389                     p->server_info->ptok);
 390
 391         return True;
 392 }
 393
 394 /****************************************************************************
 395  Unbecome the user of an authenticated connected named pipe.
 396  When this is called we are running as the authenticated pipe
 397  user and need to go back to being the connection user. Doesn't modify
 398  current_user.
 399 ****************************************************************************/
 400
 401 bool unbecome_authenticated_pipe_user(void)
 402 {
 403         return pop_sec_ctx();
 404 }
 405
 406 /****************************************************************************
 407  Utility functions used by become_xxx/unbecome_xxx.
 408 ****************************************************************************/
 409
 410 static void push_conn_ctx(void)
 411 {
 412         struct conn_ctx *ctx_p;
 413
 414         /* Check we don't overflow our stack */
 415
 416         if (conn_ctx_stack_ndx == MAX_SEC_CTX_DEPTH) {
 417                 DEBUG(0, ("Connection context stack overflow!\n"));
 418                 smb_panic("Connection context stack overflow!\n");
 419         }
 420
 421         /* Store previous user context */
 422         ctx_p = &conn_ctx_stack[conn_ctx_stack_ndx];
 423
 424         ctx_p->conn = current_user.conn;
 425         ctx_p->vuid = current_user.vuid;
 426
 427         DEBUG(3, ("push_conn_ctx(%u) : conn_ctx_stack_ndx = %d\n",
 428                 (unsigned int)ctx_p->vuid, conn_ctx_stack_ndx ));
 429
 430         conn_ctx_stack_ndx++;
 431 }
 432
 433 static void pop_conn_ctx(void)
 434 {
 435         struct conn_ctx *ctx_p;
 436
 437         /* Check for stack underflow. */
 438
 439         if (conn_ctx_stack_ndx == 0) {
 440                 DEBUG(0, ("Connection context stack underflow!\n"));
 441                 smb_panic("Connection context stack underflow!\n");
 442         }
 443
 444         conn_ctx_stack_ndx--;
 445         ctx_p = &conn_ctx_stack[conn_ctx_stack_ndx];
 446
 447         current_user.conn = ctx_p->conn;
 448         current_user.vuid = ctx_p->vuid;
 449
 450         ctx_p->conn = NULL;
 451         ctx_p->vuid = UID_FIELD_INVALID;
 452 }
 453
 454 /****************************************************************************
 455  Temporarily become a root user.  Must match with unbecome_root(). Saves and
 456  restores the connection context.
 457 ****************************************************************************/
 458
 459 void become_root(void)
 460 {
 461          /*
 462           * no good way to handle push_sec_ctx() failing without changing
 463           * the prototype of become_root()
 464           */
 465         if (!push_sec_ctx()) {
 466                 smb_panic("become_root: push_sec_ctx failed");
 467         }
 468         push_conn_ctx();
 469         set_root_sec_ctx();
 470 }
 471
 472 /* Unbecome the root user */
 473
 474 void unbecome_root(void)
 475 {
 476         pop_sec_ctx();
 477         pop_conn_ctx();
 478 }
 479
 480 /****************************************************************************
 481  Push the current security context then force a change via change_to_user().
 482  Saves and restores the connection context.
 483 ****************************************************************************/
 484
 485 bool become_user(connection_struct *conn, uint16 vuid)
 486 {
 487         if (!push_sec_ctx())
 488                 return False;
 489
 490         push_conn_ctx();
 491
 492         if (!change_to_user(conn, vuid)) {
 493                 pop_sec_ctx();
 494                 pop_conn_ctx();
 495                 return False;
 496         }
 497
 498         return True;
 499 }
 500
 501 bool unbecome_user(void)
 502 {
 503         pop_sec_ctx();
 504         pop_conn_ctx();
 505         return True;
 506 }
 507
 508 /****************************************************************************
 509  Return the current user we are running effectively as on this connection.
 510  I'd like to make this return conn->server_info->utok.uid, but become_root()
 511  doesn't alter this value.
 512 ****************************************************************************/
 513
 514 uid_t get_current_uid(connection_struct *conn)
 515 {
 516         return current_user.ut.uid;
 517 }
 518
 519 /****************************************************************************
 520  Return the current group we are running effectively as on this connection.
 521  I'd like to make this return conn->server_info->utok.gid, but become_root()
 522  doesn't alter this value.
 523 ****************************************************************************/
 524
 525 gid_t get_current_gid(connection_struct *conn)
 526 {
 527         return current_user.ut.gid;
 528 }
 529
 530 /****************************************************************************
 531  Return the UNIX token we are running effectively as on this connection.
 532  I'd like to make this return &conn->server_info->utok, but become_root()
 533  doesn't alter this value.
 534 ****************************************************************************/
 535
 536 const UNIX_USER_TOKEN *get_current_utok(connection_struct *conn)
 537 {
 538         return &current_user.ut;
 539 }
 540
 541 const NT_USER_TOKEN *get_current_nttok(connection_struct *conn)
 542 {
 543         return current_user.nt_user_token;
 544 }
 545
 546 uint16_t get_current_vuid(connection_struct *conn)
 547 {
 548         return current_user.vuid;
 549 }