#include "includes.h"
#include "system/filesys.h"
+#include "../lib/tsocket/tsocket.h"
#include "smbd/smbd.h"
#include "smbd/globals.h"
#include "../librpc/gen_ndr/netlogon.h"
#include "printing/pcap.h"
#include "passdb/lookup_sid.h"
#include "auth.h"
+#include "lib/param/loadparm.h"
extern userdom_struct current_user_info;
return(True);
}
-static int load_registry_service(const char *servicename)
-{
- if (!lp_registry_shares()) {
- return -1;
- }
-
- if ((servicename == NULL) || (*servicename == '\0')) {
- return -1;
- }
-
- if (strequal(servicename, GLOBAL_NAME)) {
- return -2;
- }
-
- if (!process_registry_service(servicename)) {
- return -1;
- }
-
- return lp_servicenumber(servicename);
-}
-
-void load_registry_shares(void)
-{
- DEBUG(8, ("load_registry_shares()\n"));
- if (!lp_registry_shares()) {
- return;
- }
-
- process_registry_shares();
-
- return;
-}
-
-/****************************************************************************
- Add a home service. Returns the new service number or -1 if fail.
-****************************************************************************/
-
-int add_home_service(const char *service, const char *username, const char *homedir)
-{
- int iHomeService;
-
- if (!service || !homedir || homedir[0] == '\0')
- return -1;
-
- if ((iHomeService = lp_servicenumber(HOMES_NAME)) < 0) {
- if ((iHomeService = load_registry_service(HOMES_NAME)) < 0) {
- return -1;
- }
- }
-
- /*
- * If this is a winbindd provided username, remove
- * the domain component before adding the service.
- * Log a warning if the "path=" parameter does not
- * include any macros.
- */
-
- {
- const char *p = strchr(service,*lp_winbind_separator());
-
- /* We only want the 'user' part of the string */
- if (p) {
- service = p + 1;
- }
- }
-
- if (!lp_add_home(service, iHomeService, username, homedir)) {
- return -1;
- }
-
- return lp_servicenumber(service);
-
-}
-
-/**
- * Find a service entry.
- *
- * @param service is modified (to canonical form??)
- **/
-
-int find_service(TALLOC_CTX *ctx, const char *service_in, char **p_service_out)
-{
- int iService;
-
- if (!service_in) {
- return -1;
- }
-
- /* First make a copy. */
- *p_service_out = talloc_strdup(ctx, service_in);
- if (!*p_service_out) {
- return -1;
- }
-
- all_string_sub(*p_service_out,"\\","/",0);
-
- iService = lp_servicenumber(*p_service_out);
-
- /* now handle the special case of a home directory */
- if (iService < 0) {
- char *phome_dir = get_user_home_dir(ctx, *p_service_out);
-
- if(!phome_dir) {
- /*
- * Try mapping the servicename, it may
- * be a Windows to unix mapped user name.
- */
- if(map_username(ctx, *p_service_out, p_service_out)) {
- if (*p_service_out == NULL) {
- /* Out of memory. */
- return -1;
- }
- phome_dir = get_user_home_dir(
- ctx, *p_service_out);
- }
- }
-
- DEBUG(3,("checking for home directory %s gave %s\n",*p_service_out,
- phome_dir?phome_dir:"(NULL)"));
-
- iService = add_home_service(*p_service_out,*p_service_out /* 'username' */, phome_dir);
- }
-
- /* If we still don't have a service, attempt to add it as a printer. */
- if (iService < 0) {
- int iPrinterService;
-
- if ((iPrinterService = lp_servicenumber(PRINTERS_NAME)) < 0) {
- iPrinterService = load_registry_service(PRINTERS_NAME);
- }
- if (iPrinterService >= 0) {
- DEBUG(3,("checking whether %s is a valid printer name...\n",
- *p_service_out));
- if (pcap_printername_ok(*p_service_out)) {
- DEBUG(3,("%s is a valid printer name\n",
- *p_service_out));
- DEBUG(3,("adding %s as a printer service\n",
- *p_service_out));
- lp_add_printer(*p_service_out, iPrinterService);
- iService = lp_servicenumber(*p_service_out);
- if (iService < 0) {
- DEBUG(0,("failed to add %s as a printer service!\n",
- *p_service_out));
- }
- } else {
- DEBUG(3,("%s is not a valid printer name\n",
- *p_service_out));
- }
- }
- }
-
- /* Check for default vfs service? Unsure whether to implement this */
- if (iService < 0) {
- }
-
- if (iService < 0) {
- iService = load_registry_service(*p_service_out);
- }
-
- /* Is it a usershare service ? */
- if (iService < 0 && *lp_usershare_path()) {
- /* Ensure the name is canonicalized. */
- strlower_m(*p_service_out);
- iService = load_usershare_service(*p_service_out);
- }
-
- /* just possibly it's a default service? */
- if (iService < 0) {
- char *pdefservice = lp_defaultservice();
- if (pdefservice &&
- *pdefservice &&
- !strequal(pdefservice, *p_service_out)
- && !strstr_m(*p_service_out,"..")) {
- /*
- * We need to do a local copy here as lp_defaultservice()
- * returns one of the rotating lp_string buffers that
- * could get overwritten by the recursive find_service() call
- * below. Fix from Josef Hinteregger <joehtg@joehtg.co.at>.
- */
- char *defservice = talloc_strdup(ctx, pdefservice);
-
- if (!defservice) {
- goto fail;
- }
-
- /* Disallow anything except explicit share names. */
- if (strequal(defservice,HOMES_NAME) ||
- strequal(defservice, PRINTERS_NAME) ||
- strequal(defservice, "IPC$")) {
- TALLOC_FREE(defservice);
- goto fail;
- }
-
- iService = find_service(ctx, defservice, p_service_out);
- if (!*p_service_out) {
- TALLOC_FREE(defservice);
- iService = -1;
- goto fail;
- }
- if (iService >= 0) {
- all_string_sub(*p_service_out, "_","/",0);
- iService = lp_add_service(*p_service_out, iService);
- }
- TALLOC_FREE(defservice);
- }
- }
-
- if (iService >= 0) {
- if (!VALID_SNUM(iService)) {
- DEBUG(0,("Invalid snum %d for %s\n",iService,
- *p_service_out));
- iService = -1;
- }
- }
-
- fail:
-
- if (iService < 0) {
- DEBUG(3,("find_service() failed to find service %s\n",
- *p_service_out));
- }
-
- return (iService);
-}
-
-
/****************************************************************************
do some basic sainity checks on the share.
This function modifies dev, ecode.
****************************************************************************/
-static NTSTATUS share_sanity_checks(struct client_address *client_id, int snum,
+static NTSTATUS share_sanity_checks(const struct tsocket_address *remote_address,
+ const char *rhost,
+ int snum,
fstring dev)
{
- if (!lp_snum_ok(snum) ||
+ char *raddr;
+
+ raddr = tsocket_address_inet_addr_string(remote_address,
+ talloc_tos());
+ if (raddr == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (!lp_snum_ok(snum) ||
!allow_access(lp_hostsdeny(snum), lp_hostsallow(snum),
- client_id->name, client_id->addr)) {
+ rhost, raddr)) {
return NT_STATUS_ACCESS_DENIED;
}
}
/****************************************************************************
- Create an auth_serversupplied_info structure for a connection_struct
+ Create an auth3_session_info structure for a connection_struct
****************************************************************************/
static NTSTATUS create_connection_session_info(struct smbd_server_connection *sconn,
TALLOC_CTX *mem_ctx, int snum,
- struct auth_serversupplied_info *vuid_serverinfo,
+ struct auth3_session_info *vuid_serverinfo,
DATA_BLOB password,
- struct auth_serversupplied_info **presult)
+ struct auth3_session_info **presult)
{
if (lp_guest_only(snum)) {
- return make_server_info_guest(mem_ctx, presult);
+ return make_session_info_guest(mem_ctx, presult);
}
if (vuid_serverinfo != NULL) {
- struct auth_serversupplied_info *result;
+ struct auth3_session_info *result;
/*
* This is the normal security != share case where we have a
* valid vuid from the session setup. */
- if (vuid_serverinfo->guest) {
+ if (vuid_serverinfo->unix_info->guest) {
if (!lp_guest_ok(snum)) {
DEBUG(2, ("guest user (from session setup) "
"not permitted to access this share "
return NT_STATUS_ACCESS_DENIED;
}
} else {
- if (!user_ok_token(vuid_serverinfo->unix_name,
- vuid_serverinfo->info3->base.domain.string,
+ if (!user_ok_token(vuid_serverinfo->unix_info->unix_name,
+ vuid_serverinfo->info->domain_name,
vuid_serverinfo->security_token, snum)) {
DEBUG(2, ("user '%s' (from session setup) not "
"permitted to access this share "
"(%s)\n",
- vuid_serverinfo->unix_name,
+ vuid_serverinfo->unix_info->unix_name,
lp_servicename(snum)));
return NT_STATUS_ACCESS_DENIED;
}
}
- result = copy_serverinfo(mem_ctx, vuid_serverinfo);
+ result = copy_session_info(mem_ctx, vuid_serverinfo);
if (result == NULL) {
return NT_STATUS_NO_MEMORY;
}
return NT_STATUS_WRONG_PASSWORD;
}
- return make_serverinfo_from_username(mem_ctx, user, guest,
- presult);
+ return make_session_info_from_username(mem_ctx, user, guest,
+ presult);
}
DEBUG(0, ("invalid VUID (vuser) but not in security=share\n"));
*/
char *fuser;
- struct auth_serversupplied_info *forced_serverinfo;
+ struct auth3_session_info *forced_serverinfo;
fuser = talloc_string_sub(conn, lp_force_user(snum), "%S",
lp_const_servicename(snum));
return NT_STATUS_NO_MEMORY;
}
- status = make_serverinfo_from_username(
- conn, fuser, conn->session_info->guest,
+ status = make_session_info_from_username(
+ conn, fuser, conn->session_info->unix_info->guest,
&forced_serverinfo);
if (!NT_STATUS_IS_OK(status)) {
return status;
if (*lp_force_group(snum)) {
status = find_forced_group(
- conn->force_user, snum, conn->session_info->unix_name,
+ conn->force_user, snum, conn->session_info->unix_info->unix_name,
&conn->session_info->security_token->sids[1],
- &conn->session_info->utok.gid);
+ &conn->session_info->unix_token->gid);
if (!NT_STATUS_IS_OK(status)) {
return status;
* struct. We only use conn->session_info directly if
* "force_user" was set.
*/
- conn->force_group_gid = conn->session_info->utok.gid;
+ conn->force_group_gid = conn->session_info->unix_token->gid;
}
return NT_STATUS_OK;
fstrcpy(dev, pdev);
- *pstatus = share_sanity_checks(&sconn->client_id, snum, dev);
+ *pstatus = share_sanity_checks(sconn->remote_address,
+ sconn->remote_hostname,
+ snum,
+ dev);
if (NT_STATUS_IS_ERR(*pstatus)) {
goto err_root_exit;
}
conn->force_user = true;
}
- add_session_user(sconn, conn->session_info->unix_name);
+ add_session_user(sconn, conn->session_info->unix_info->unix_name);
conn->num_files_open = 0;
conn->lastused = conn->lastused_count = time(NULL);
{
char *s = talloc_sub_advanced(talloc_tos(),
lp_servicename(SNUM(conn)),
- conn->session_info->unix_name,
+ conn->session_info->unix_info->unix_name,
conn->connectpath,
- conn->session_info->utok.gid,
- conn->session_info->sanitized_username,
- conn->session_info->info3->base.domain.string,
+ conn->session_info->unix_token->gid,
+ conn->session_info->unix_info->sanitized_username,
+ conn->session_info->info->domain_name,
lp_pathname(snum));
if (!s) {
*pstatus = NT_STATUS_NO_MEMORY;
*
*/
- {
- bool can_write = False;
-
- can_write = share_access_check(conn->session_info->security_token,
- lp_servicename(snum),
- FILE_WRITE_DATA);
-
- if (!can_write) {
- if (!share_access_check(conn->session_info->security_token,
- lp_servicename(snum),
- FILE_READ_DATA)) {
- /* No access, read or write. */
- DEBUG(0,("make_connection: connection to %s "
- "denied due to security "
- "descriptor.\n",
- lp_servicename(snum)));
- *pstatus = NT_STATUS_ACCESS_DENIED;
- goto err_root_exit;
- } else {
- conn->read_only = True;
- }
+ share_access_check(conn->session_info->security_token,
+ lp_servicename(snum), MAXIMUM_ALLOWED_ACCESS,
+ &conn->share_access);
+
+ if ((conn->share_access & FILE_WRITE_DATA) == 0) {
+ if ((conn->share_access & FILE_READ_DATA) == 0) {
+ /* No access, read or write. */
+ DEBUG(0,("make_connection: connection to %s "
+ "denied due to security "
+ "descriptor.\n",
+ lp_servicename(snum)));
+ *pstatus = NT_STATUS_ACCESS_DENIED;
+ goto err_root_exit;
+ } else {
+ conn->read_only = True;
}
}
/* Initialise VFS function pointers */
filesystem operation that we do. */
if (SMB_VFS_CONNECT(conn, lp_servicename(snum),
- conn->session_info->unix_name) < 0) {
+ conn->session_info->unix_info->unix_name) < 0) {
DEBUG(0,("make_connection: VFS make connection failed!\n"));
*pstatus = NT_STATUS_UNSUCCESSFUL;
goto err_root_exit;
conn->notify_ctx = notify_init(conn,
sconn_server_id(sconn),
sconn->msg_ctx,
- smbd_event_context(),
+ server_event_context(),
conn);
}
if (*lp_rootpreexec(snum)) {
char *cmd = talloc_sub_advanced(talloc_tos(),
lp_servicename(SNUM(conn)),
- conn->session_info->unix_name,
+ conn->session_info->unix_info->unix_name,
conn->connectpath,
- conn->session_info->utok.gid,
- conn->session_info->sanitized_username,
- conn->session_info->info3->base.domain.string,
+ conn->session_info->unix_token->gid,
+ conn->session_info->unix_info->sanitized_username,
+ conn->session_info->info->domain_name,
lp_rootpreexec(snum));
DEBUG(5,("cmd=%s\n",cmd));
ret = smbrun(cmd,NULL);
if (*lp_preexec(snum)) {
char *cmd = talloc_sub_advanced(talloc_tos(),
lp_servicename(SNUM(conn)),
- conn->session_info->unix_name,
+ conn->session_info->unix_info->unix_name,
conn->connectpath,
- conn->session_info->utok.gid,
- conn->session_info->sanitized_username,
- conn->session_info->info3->base.domain.string,
+ conn->session_info->unix_token->gid,
+ conn->session_info->unix_info->sanitized_username,
+ conn->session_info->info->domain_name,
lp_preexec(snum));
ret = smbrun(cmd,NULL);
TALLOC_FREE(cmd);
if( DEBUGLVL( IS_IPC(conn) ? 3 : 1 ) ) {
dbgtext( "%s (%s) ", get_remote_machine_name(),
- conn->sconn->client_id.addr );
+ tsocket_address_string(conn->sconn->remote_address,
+ talloc_tos()) );
dbgtext( "%s", srv_is_signing_active(sconn) ? "signed " : "");
dbgtext( "connect to service %s ", lp_servicename(snum) );
dbgtext( "initially as user %s ",
- conn->session_info->unix_name );
+ conn->session_info->unix_info->unix_name );
dbgtext( "(uid=%d, gid=%d) ", (int)effuid, (int)effgid );
dbgtext( "(pid %d)\n", (int)sys_getpid() );
}
DEBUG(IS_IPC(conn)?3:1, ("%s (%s) closed connection to service %s\n",
get_remote_machine_name(),
- conn->sconn->client_id.addr,
+ tsocket_address_string(conn->sconn->remote_address,
+ talloc_tos()),
lp_servicename(SNUM(conn))));
/* Call VFS disconnect hook */
change_to_user(conn, vuid)) {
char *cmd = talloc_sub_advanced(talloc_tos(),
lp_servicename(SNUM(conn)),
- conn->session_info->unix_name,
+ conn->session_info->unix_info->unix_name,
conn->connectpath,
- conn->session_info->utok.gid,
- conn->session_info->sanitized_username,
- conn->session_info->info3->base.domain.string,
+ conn->session_info->unix_token->gid,
+ conn->session_info->unix_info->sanitized_username,
+ conn->session_info->info->domain_name,
lp_postexec(SNUM(conn)));
smbrun(cmd,NULL);
TALLOC_FREE(cmd);
if (*lp_rootpostexec(SNUM(conn))) {
char *cmd = talloc_sub_advanced(talloc_tos(),
lp_servicename(SNUM(conn)),
- conn->session_info->unix_name,
+ conn->session_info->unix_info->unix_name,
conn->connectpath,
- conn->session_info->utok.gid,
- conn->session_info->sanitized_username,
- conn->session_info->info3->base.domain.string,
+ conn->session_info->unix_token->gid,
+ conn->session_info->unix_info->sanitized_username,
+ conn->session_info->info->domain_name,
lp_rootpostexec(SNUM(conn)));
smbrun(cmd,NULL);
TALLOC_FREE(cmd);