Rever e80ceb1d7355c8c46a2ed90d5721cf367640f4e8 "Remove more uses of "extern struct...
authorJeremy Allison <jra@samba.org>
Mon, 15 Mar 2010 17:33:09 +0000 (10:33 -0700)
committerJeremy Allison <jra@samba.org>
Mon, 15 Mar 2010 21:48:54 +0000 (14:48 -0700)
As requested by Volker, split this into smaller commits.

Jeremy.

source3/include/proto.h
source3/locking/locking.c
source3/modules/nfs4_acls.c
source3/smbd/close.c
source3/smbd/dir.c
source3/smbd/file_access.c
source3/smbd/lanman.c
source3/smbd/open.c
source3/smbd/posix_acls.c
source3/smbd/uid.c

index 6e210de4582dd270d9546515974c5b53be25bd21..453f8e99df5aaf3d13227e44b2efe6eb1dcbd8f4 100644 (file)
@@ -6753,7 +6753,7 @@ uint32_t map_canon_ace_perms(int snum,
                                 enum security_ace_type *pacl_type,
                                 mode_t perms,
                                 bool directory_ace);
-NTSTATUS unpack_nt_owners(connection_struct *conn, uid_t *puser, gid_t *pgrp, uint32 security_info_sent, const SEC_DESC *psd);
+NTSTATUS unpack_nt_owners(int snum, uid_t *puser, gid_t *pgrp, uint32 security_info_sent, const SEC_DESC *psd);
 SMB_ACL_T free_empty_sys_acl(connection_struct *conn, SMB_ACL_T the_acl);
 NTSTATUS posix_fget_nt_acl(struct files_struct *fsp, uint32_t security_info,
                           SEC_DESC **ppdesc);
@@ -7117,11 +7117,6 @@ void become_root(void);
 void unbecome_root(void);
 bool become_user(connection_struct *conn, uint16 vuid);
 bool unbecome_user(void);
-uid_t get_current_uid(connection_struct *conn);
-gid_t get_current_gid(connection_struct *conn);
-const UNIX_USER_TOKEN *get_current_utok(connection_struct *conn);
-const NT_USER_TOKEN *get_current_nttok(connection_struct *conn);
-uint16_t get_current_vuid(connection_struct *conn);
 
 /* The following definitions come from smbd/utmp.c  */
 
index e9826ba5bdf9c4aa7d229d79837c302c7d11d529..6f1bc8cf8a26a21d241a78af3b74278fc38975d5 100644 (file)
@@ -1441,6 +1441,16 @@ bool set_delete_on_close(files_struct *fsp, bool delete_on_close, const UNIX_USE
                return False;
        }
 
+       if (fsp->conn->admin_user) {
+               tok_copy = copy_unix_token(lck, tok);
+               if (tok_copy == NULL) {
+                       TALLOC_FREE(lck);
+                       return false;
+               }
+               tok_copy->uid = (uid_t)0;
+               tok = tok_copy;
+       }
+
        set_delete_on_close_lck(lck, delete_on_close, tok);
 
        if (fsp->is_directory) {
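Review bot: The added block forces `tok_copy->uid` to 0 when `fsp->conn->admin_user` is set but does not say why, and it leaves the gid and supplementary groups of the copied token unchanged. Presumably the aim is for the stored delete token to match the identity an admin user runs as, so that the `unix_token_equal()` comparison in close.c succeeds. If so, a comment such as `/* admin users run as uid 0; record the same uid in the delete token */` would stop a later reader from treating this as a stray privilege change. The mixed `return false` here and `return False` a few lines above is also worth unifying. `tok_copy` is declared outside this hunk, and the function starts and ends outside it.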
index 80bd65f5b84bffcfd697740a348971820154bc0d..658f2b4e8de877ebb0120a587d4a4d2fa9cc8de7 100644 (file)
@@ -751,7 +751,7 @@ NTSTATUS smb_set_nt_acl_nfs4(files_struct *fsp,
 
        if (params.do_chown) {
                /* chown logic is a copy/paste from posix_acl.c:set_nt_acl */
-               NTSTATUS status = unpack_nt_owners(fsp->conn, &newUID, &newGID, security_info_sent, psd);
+               NTSTATUS status = unpack_nt_owners(SNUM(fsp->conn), &newUID, &newGID, security_info_sent, psd);
                if (!NT_STATUS_IS_OK(status)) {
                        DEBUG(8, ("unpack_nt_owners failed"));
                        return status;
index 1530b96797da0da6e6254739d18e61cf57398d91..ca1ac47fa02ce5de6d6f95a3386600121c30c73a 100644 (file)
@@ -21,6 +21,8 @@
 
 #include "includes.h"
 
+extern struct current_user current_user;
+
 /****************************************************************************
  Run a file if it is a magic script.
 ****************************************************************************/
@@ -330,12 +332,12 @@ static NTSTATUS close_remove_share_mode(files_struct *fsp,
                /* Initial delete on close was set and no one else
                 * wrote a real delete on close. */
 
-               if (get_current_vuid(conn) != fsp->vuid) {
+               if (current_user.vuid != fsp->vuid) {
                        become_user(conn, fsp->vuid);
                        became_user = True;
                }
                fsp->delete_on_close = true;
-               set_delete_on_close_lck(lck, True, get_current_utok(fsp->conn));
+               set_delete_on_close_lck(lck, True, &current_user.ut);
                if (became_user) {
                        unbecome_user();
                }
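Review bot: The result of `become_user(conn, fsp->vuid)` is ignored, yet the new line stores `&current_user.ut` as the delete token straight afterwards. proto.h declares `become_user()` as returning `bool`, so on failure the token recorded is whatever identity was current before the call, and `unbecome_user()` still runs. At minimum use `became_user = become_user(conn, fsp->vuid);` and skip `set_delete_on_close_lck()` when it fails. The hunk in close_directory has the same pattern. The enclosing function starts and ends outside this hunk.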
@@ -387,7 +389,7 @@ static NTSTATUS close_remove_share_mode(files_struct *fsp,
         */
        fsp->update_write_time_on_close = false;
 
-       if (!unix_token_equal(lck->delete_token, get_current_utok(conn))) {
+       if (!unix_token_equal(lck->delete_token, &current_user.ut)) {
                /* Become the user who requested the delete. */
 
                DEBUG(5,("close_remove_share_mode: file %s. "
@@ -953,12 +955,12 @@ static NTSTATUS close_directory(struct smb_request *req, files_struct *fsp,
                 * directories we don't care if anyone else
                 * wrote a real delete on close. */
 
-               if (get_current_vuid(fsp->conn) != fsp->vuid) {
+               if (current_user.vuid != fsp->vuid) {
                        become_user(fsp->conn, fsp->vuid);
                        became_user = True;
                }
                send_stat_cache_delete_message(fsp->fsp_name->base_name);
-               set_delete_on_close_lck(lck, True, get_current_utok(fsp->conn));
+               set_delete_on_close_lck(lck, True, &current_user.ut);
                fsp->delete_on_close = true;
                if (became_user) {
                        unbecome_user();
index 69ebc57473d6a88d759b72cb2ebb1d023530bb6b..b1e9734681eb5371df887b93460fd963ecdf04ac 100644 (file)
@@ -1129,11 +1129,9 @@ static bool user_can_read_file(connection_struct *conn,
        /*
         * If user is a member of the Admin group
         * we never hide files from them.
-        * Use (uid_t)0 here not sec_initial_uid()
-        * because of the RAW-SAMBA3HIDE test.
         */
 
-       if (get_current_uid(conn) == (uid_t)0) {
+       if (conn->admin_user) {
                return True;
        }
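Review bot: This bypass is now keyed on `conn->admin_user` alone, while the equivalent shortcuts in file_access.c and open.c in this same commit use `conn->server_info->utok.uid == 0 || conn->admin_user`. A session that really is uid 0 without being listed as an admin user is therefore treated differently by the hide checks than by the access checks. If that is intended, say so in the comment above the test; otherwise use the same condition in both places. The same applies to the hunks in user_can_write_file and file_is_special. The latter also drops the braces around `return False;`, which the surrounding code keeps.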
 
@@ -1153,11 +1151,9 @@ static bool user_can_write_file(connection_struct *conn,
        /*
         * If user is a member of the Admin group
         * we never hide files from them.
-        * Use (uid_t)0 here not sec_initial_uid()
-        * because of the RAW-SAMBA3HIDE test.
         */
 
-       if (get_current_uid(conn) == (uid_t)0) {
+       if (conn->admin_user) {
                return True;
        }
 
@@ -1182,13 +1178,10 @@ static bool file_is_special(connection_struct *conn,
        /*
         * If user is a member of the Admin group
         * we never hide files from them.
-        * Use (uid_t)0 here not sec_initial_uid()
-        * because of the RAW-SAMBA3HIDE test.
         */
 
-       if (get_current_uid(conn) == (uid_t)0) {
+       if (conn->admin_user)
                return False;
-       }
 
        SMB_ASSERT(VALID_STAT(smb_fname->st));
 
index 5c3089ede65a30116f70e640f50e226230bec34f..631efce677d8fb1028cd6673e9ae09cf5f967b3f 100644 (file)
@@ -35,7 +35,7 @@ bool can_access_file_acl(struct connection_struct *conn,
        struct security_descriptor *secdesc = NULL;
        bool ret;
 
-       if (get_current_uid(conn) == (uid_t)0) {
+       if (conn->server_info->utok.uid == 0 || conn->admin_user) {
                /* I'm sorry sir, I didn't know you were root... */
                return true;
        }
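Review bot: The root shortcut here reads `conn->server_info->utok.uid`, whereas posix_acls.c in this commit reads the global `current_user.ut.uid`, so authorization decisions now draw on two different sources of identity. The comment removed from uid.c notes that become_root() does not alter `conn->server_info->utok`, so a caller running under become_root() would not take this branch. A comment such as `/* connection token, not the effective one: become_root() does not change it */` would make that explicit. The same expression appears in can_delete_file_in_directory, can_access_file_data and smb1_file_se_access_check (open.c). A single static helper would keep those copies from drifting apart.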
@@ -111,7 +111,7 @@ bool can_delete_file_in_directory(connection_struct *conn,
                ret = false;
                goto out;
        }
-       if (get_current_uid(conn) == (uid_t)0) {
+       if (conn->server_info->utok.uid == 0 || conn->admin_user) {
                /* I'm sorry sir, I didn't know you were root... */
                ret = true;
                goto out;
@@ -195,7 +195,7 @@ bool can_access_file_data(connection_struct *conn,
        DEBUG(10,("can_access_file_data: requesting 0x%x on file %s\n",
                  (unsigned int)access_mask, smb_fname_str_dbg(smb_fname)));
 
-       if (get_current_uid(conn) == (uid_t)0) {
+       if (conn->server_info->utok.uid == 0 || conn->admin_user) {
                /* I'm sorry sir, I didn't know you were root... */
                return True;
        }
@@ -203,7 +203,7 @@ bool can_access_file_data(connection_struct *conn,
        SMB_ASSERT(VALID_STAT(smb_fname->st));
 
        /* Check primary owner access. */
-       if (get_current_uid(conn) == smb_fname->st.st_ex_uid) {
+       if (conn->server_info->utok.uid == smb_fname->st.st_ex_uid) {
                switch (access_mask) {
                        case FILE_READ_DATA:
                                return (smb_fname->st.st_ex_mode & S_IRUSR) ?
index 4c15f133aec0cab39fe34ffa384c98eacfa30398..dab26d0abe0dddfead31eee12befdd7b0e4d44f9 100644 (file)
@@ -3767,9 +3767,7 @@ static bool api_RNetUserGetInfo(connection_struct *conn, uint16 vuid,
                                vuser->server_info->sam_account);
                }
                /* modelled after NTAS 3.51 reply */
-               SSVAL(p,usri11_priv,
-                       (get_current_uid(conn) == (uid_t)0)?
-                       USER_PRIV_ADMIN:USER_PRIV_USER);
+               SSVAL(p,usri11_priv,conn->admin_user?USER_PRIV_ADMIN:USER_PRIV_USER);
                SIVAL(p,usri11_auth_flags,AF_OP_PRINT);         /* auth flags */
                SIVALS(p,usri11_password_age,-1);               /* password age */
                SIVAL(p,usri11_homedir,PTR_DIFF(p2,p)); /* home dir */
@@ -3822,8 +3820,7 @@ static bool api_RNetUserGetInfo(connection_struct *conn, uint16 vuid,
                memset(p+22,' ',16);    /* password */
                SIVALS(p,38,-1);                /* password age */
                SSVAL(p,42,
-                       (get_current_uid(conn) == (uid_t)0)?
-                       USER_PRIV_ADMIN:USER_PRIV_USER);
+               conn->admin_user?USER_PRIV_ADMIN:USER_PRIV_USER);
                SIVAL(p,44,PTR_DIFF(p2,*rdata)); /* home dir */
                strlcpy(p2, vuser ? pdb_get_homedir(
                                vuser->server_info->sam_account) : "",
@@ -3974,9 +3971,7 @@ static bool api_WWkstaUserLogon(connection_struct *conn,uint16 vuid,
                PACKI(&desc,"W",0);             /* code */
                PACKS(&desc,"B21",name);        /* eff. name */
                PACKS(&desc,"B","");            /* pad */
-               PACKI(&desc,"W",
-                       (get_current_uid(conn) == (uid_t)0)?
-                       USER_PRIV_ADMIN:USER_PRIV_USER);
+               PACKI(&desc,"W", conn->admin_user?USER_PRIV_ADMIN:USER_PRIV_USER);
                PACKI(&desc,"D",0);             /* auth flags XXX */
                PACKI(&desc,"W",0);             /* num logons */
                PACKI(&desc,"W",0);             /* bad pw count */
index 0834e6d3d3950c679c6f67b05cf76f16ecb0bbf9..e366c5fadfe95b2dfcc0e4272f885bbb4fca8982 100644 (file)
@@ -58,7 +58,7 @@ NTSTATUS smb1_file_se_access_check(struct connection_struct *conn,
 {
        *access_granted = 0;
 
-       if (get_current_uid(conn) == (uid_t)0) {
+       if (conn->server_info->utok.uid == 0 || conn->admin_user) {
                /* I'm sorry sir, I didn't know you were root... */
                *access_granted = access_desired;
                if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED) {
@@ -2176,7 +2176,7 @@ static NTSTATUS open_file_ntcreate(connection_struct *conn,
                new_file_created = True;
        }
 
-       set_share_mode(lck, fsp, get_current_uid(conn), 0,
+       set_share_mode(lck, fsp, conn->server_info->utok.uid, 0,
                       fsp->oplock_type);
 
        /* Handle strange delete on close create semantics. */
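Review bot: `set_share_mode()` is now passed `conn->server_info->utok.uid`, which for an admin user may no longer equal the effective uid. This commit removes the assignment of `sec_initial_uid()` to that field in check_user_ok and instead has change_to_user pick uid 0 for `conn->admin_user`. The locking.c hunk patches the delete token to uid 0 for this case, but nothing equivalent is done for the share-mode entry. If the recorded uid is meant to be the effective one, pass `conn->admin_user ? (uid_t)0 : conn->server_info->utok.uid`; if not, a comment saying which identity is wanted would help. The open_directory hunk is in the same position.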
@@ -2641,7 +2641,7 @@ static NTSTATUS open_directory(connection_struct *conn,
                return status;
        }
 
-       set_share_mode(lck, fsp, get_current_uid(conn), 0, NO_OPLOCK);
+       set_share_mode(lck, fsp, conn->server_info->utok.uid, 0, NO_OPLOCK);
 
        /* For directories the delete on close bit at open time seems
           always to be honored on close... See test 19 in Samba4 BASE-DELETE. */
index c00b7bd757d9d33cd6164a29f61434a9c989f8f4..2fb7b77c861fb78fca187f57e93242f9dad50183 100644 (file)
@@ -21,6 +21,7 @@
 
 #include "includes.h"
 
+extern struct current_user current_user;
 extern const struct generic_mapping file_generic_mapping;
 
 #undef  DBGC_CLASS
@@ -1167,9 +1168,7 @@ static mode_t map_nt_perms( uint32 *mask, int type)
  Unpack a SEC_DESC into a UNIX owner and group.
 ****************************************************************************/
 
-NTSTATUS unpack_nt_owners(struct connection_struct *conn,
-                       uid_t *puser, gid_t *pgrp,
-                       uint32 security_info_sent, const SEC_DESC *psd)
+NTSTATUS unpack_nt_owners(int snum, uid_t *puser, gid_t *pgrp, uint32 security_info_sent, const SEC_DESC *psd)
 {
        DOM_SID owner_sid;
        DOM_SID grp_sid;
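Review bot: The header comment does not mention that `unpack_nt_owners()` now depends on the file-scope `current_user`. With only `snum` in the signature, nothing tells the caller that the result can come from whoever is current at call time. Suggested addition to the header comment: `If the SID cannot be mapped and "force unknown acl user" is set for snum, falls back to the uid/gid in the global current_user.` The single-line prototype is also much longer than the wrapped form it replaces, so keeping the previous line breaks would match the rest of the file. The function body continues outside this hunk.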
@@ -1199,10 +1198,10 @@ NTSTATUS unpack_nt_owners(struct connection_struct *conn,
        if (security_info_sent & OWNER_SECURITY_INFORMATION) {
                sid_copy(&owner_sid, psd->owner_sid);
                if (!sid_to_uid(&owner_sid, puser)) {
-                       if (lp_force_unknown_acl_user(SNUM(conn))) {
+                       if (lp_force_unknown_acl_user(snum)) {
                                /* this allows take ownership to work
                                 * reasonably */
-                               *puser = get_current_uid(conn);
+                               *puser = current_user.ut.uid;
                        } else {
                                DEBUG(3,("unpack_nt_owners: unable to validate"
                                         " owner sid for %s\n",
@@ -1222,10 +1221,10 @@ NTSTATUS unpack_nt_owners(struct connection_struct *conn,
        if (security_info_sent & GROUP_SECURITY_INFORMATION) {
                sid_copy(&grp_sid, psd->group_sid);
                if (!sid_to_gid( &grp_sid, pgrp)) {
-                       if (lp_force_unknown_acl_user(SNUM(conn))) {
+                       if (lp_force_unknown_acl_user(snum)) {
                                /* this allows take group ownership to work
                                 * reasonably */
-                               *pgrp = get_current_gid(conn);
+                               *pgrp = current_user.ut.gid;
                        } else {
                                DEBUG(3,("unpack_nt_owners: unable to validate"
                                         " group sid.\n"));
@@ -1290,7 +1289,7 @@ static void apply_default_perms(const struct share_params *params,
  expensive and will need optimisation. A *lot* of optimisation :-). JRA.
 ****************************************************************************/
 
-static bool uid_entry_in_group(connection_struct *conn, canon_ace *uid_ace, canon_ace *group_ace )
+static bool uid_entry_in_group( canon_ace *uid_ace, canon_ace *group_ace )
 {
        const char *u_name = NULL;
 
@@ -1303,17 +1302,15 @@ static bool uid_entry_in_group(connection_struct *conn, canon_ace *uid_ace, cano
         * if it's the current user, we already have the unix token
         * and don't need to do the complex user_in_group_sid() call
         */
-       if (uid_ace->unix_ug.uid == get_current_uid(conn)) {
-               const UNIX_USER_TOKEN *curr_utok = NULL;
+       if (uid_ace->unix_ug.uid == current_user.ut.uid) {
                size_t i;
 
-               if (group_ace->unix_ug.gid == get_current_gid(conn)) {
+               if (group_ace->unix_ug.gid == current_user.ut.gid) {
                        return True;
                }
 
-               curr_utok = get_current_utok(conn);
-               for (i=0; i < curr_utok->ngroups; i++) {
-                       if (group_ace->unix_ug.gid == curr_utok->groups[i]) {
+               for (i=0; i < current_user.ut.ngroups; i++) {
+                       if (group_ace->unix_ug.gid == current_user.ut.groups[i]) {
                                return True;
                        }
                }
@@ -1344,7 +1341,7 @@ static bool uid_entry_in_group(connection_struct *conn, canon_ace *uid_ace, cano
  type.
 ****************************************************************************/
 
-static bool ensure_canon_entry_valid(connection_struct *conn, canon_ace **pp_ace,
+static bool ensure_canon_entry_valid(canon_ace **pp_ace,
                                     const struct share_params *params,
                                     const bool is_directory,
                                                        const DOM_SID *pfile_owner_sid,
@@ -1410,7 +1407,7 @@ static bool ensure_canon_entry_valid(connection_struct *conn, canon_ace **pp_ace
 
                        for (pace_iter = *pp_ace; pace_iter; pace_iter = pace_iter->next) {
                                if (pace_iter->type == SMB_ACL_GROUP_OBJ || pace_iter->type == SMB_ACL_GROUP) {
-                                       if (uid_entry_in_group(conn, pace, pace_iter)) {
+                                       if (uid_entry_in_group(pace, pace_iter)) {
                                                pace->perms |= pace_iter->perms;
                                                group_matched = True;
                                        }
@@ -2060,7 +2057,7 @@ static bool create_canon_ace_lists(files_struct *fsp,
  allow entries.
 ****************************************************************************/
 
-static void process_deny_list(connection_struct *conn, canon_ace **pp_ace_list )
+static void process_deny_list( canon_ace **pp_ace_list )
 {
        canon_ace *ace_list = *pp_ace_list;
        canon_ace *curr_ace = NULL;
@@ -2165,7 +2162,7 @@ static void process_deny_list(connection_struct *conn, canon_ace **pp_ace_list )
                        if (allow_ace_p->owner_type == UID_ACE)
                                continue;
 
-                       if (uid_entry_in_group(conn, curr_ace, allow_ace_p))
+                       if (uid_entry_in_group( curr_ace, allow_ace_p))
                                new_perms |= allow_ace_p->perms;
                }
 
@@ -2209,7 +2206,7 @@ static void process_deny_list(connection_struct *conn, canon_ace **pp_ace_list )
 
                        /* Mask off the deny group perms. */
 
-                       if (uid_entry_in_group(conn, allow_ace_p, curr_ace))
+                       if (uid_entry_in_group( allow_ace_p, curr_ace))
                                allow_ace_p->perms &= ~curr_ace->perms;
                }
 
@@ -2259,7 +2256,7 @@ static void process_deny_list(connection_struct *conn, canon_ace **pp_ace_list )
 
                        /* OR in the group perms. */
 
-                       if (uid_entry_in_group(conn,  curr_ace, allow_ace_p))
+                       if (uid_entry_in_group( curr_ace, allow_ace_p))
                                curr_ace->perms |= allow_ace_p->perms;
                }
        }
@@ -2371,10 +2368,10 @@ static bool unpack_canon_ace(files_struct *fsp,
         */
 
        print_canon_ace_list( "file ace - before deny", file_ace);
-       process_deny_list(fsp->conn, &file_ace);
+       process_deny_list( &file_ace);
 
        print_canon_ace_list( "dir ace - before deny", dir_ace);
-       process_deny_list(fsp->conn, &dir_ace);
+       process_deny_list( &dir_ace);
 
        /*
         * A well formed POSIX file or default ACL has at least 3 entries, a 
@@ -2393,7 +2390,7 @@ static bool unpack_canon_ace(files_struct *fsp,
 
        st.st_ex_mode = create_default_mode(fsp, False);
 
-       if (!ensure_canon_entry_valid(fsp->conn, &file_ace, fsp->conn->params,
+       if (!ensure_canon_entry_valid(&file_ace, fsp->conn->params,
                        fsp->is_directory, pfile_owner_sid, pfile_grp_sid, &st, True)) {
                free_canon_ace_list(file_ace);
                free_canon_ace_list(dir_ace);
@@ -2410,7 +2407,7 @@ static bool unpack_canon_ace(files_struct *fsp,
 
        st.st_ex_mode = create_default_mode(fsp, True);
 
-       if (dir_ace && !ensure_canon_entry_valid(fsp->conn, &dir_ace, fsp->conn->params,
+       if (dir_ace && !ensure_canon_entry_valid(&dir_ace, fsp->conn->params,
                        fsp->is_directory, pfile_owner_sid, pfile_grp_sid, &st, True)) {
                free_canon_ace_list(file_ace);
                free_canon_ace_list(dir_ace);
@@ -2595,7 +2592,7 @@ static canon_ace *canonicalise_acl(struct connection_struct *conn,
         * This next call will ensure we have at least a user/group/world set.
         */
 
-       if (!ensure_canon_entry_valid(conn, &l_head, conn->params,
+       if (!ensure_canon_entry_valid(&l_head, conn->params,
                                      S_ISDIR(psbuf->st_ex_mode), powner, pgroup,
                                      psbuf, False))
                goto fail;
@@ -2639,13 +2636,12 @@ static canon_ace *canonicalise_acl(struct connection_struct *conn,
  Check if the current user group list contains a given group.
 ****************************************************************************/
 
-static bool current_user_in_group(connection_struct *conn, gid_t gid)
+static bool current_user_in_group(gid_t gid)
 {
        int i;
-       const UNIX_USER_TOKEN *utok = get_current_utok(conn);
 
-       for (i = 0; i < utok->ngroups; i++) {
-               if (utok->groups[i] == gid) {
+       for (i = 0; i < current_user.ut.ngroups; i++) {
+               if (current_user.ut.groups[i] == gid) {
                        return True;
                }
        }
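Review bot: The loop index here is `int i`, while `uid_entry_in_group()` earlier in this file iterates over the same `current_user.ut.ngroups` with `size_t i`. The type of `ngroups` is not visible on this page, but if it is unsigned this comparison mixes signedness. Declaring `size_t i;` would make the two loops consistent. The function's tail is outside the hunk.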
@@ -2666,7 +2662,7 @@ static bool acl_group_override(connection_struct *conn,
 
        /* file primary group == user primary or supplementary group */
        if (lp_acl_group_control(SNUM(conn)) &&
-           current_user_in_group(conn, smb_fname->st.st_ex_gid)) {
+           current_user_in_group(smb_fname->st.st_ex_gid)) {
                return true;
        }
 
@@ -3544,13 +3540,13 @@ int try_chown(connection_struct *conn, struct smb_filename *smb_fname,
        /* Case (2) / (3) */
        if (lp_enable_privileges()) {
 
-               bool has_take_ownership_priv = user_has_privileges(get_current_nttok(conn),
+               bool has_take_ownership_priv = user_has_privileges(current_user.nt_user_token,
                                                              &se_take_ownership);
-               bool has_restore_priv = user_has_privileges(get_current_nttok(conn),
+               bool has_restore_priv = user_has_privileges(current_user.nt_user_token,
                                                       &se_restore);
 
                /* Case (2) */
-               if ( ( has_take_ownership_priv && ( uid == get_current_uid(conn) ) ) ||
+               if ( ( has_take_ownership_priv && ( uid == current_user.ut.uid ) ) ||
                /* Case (3) */
                     ( has_restore_priv ) ) {
 
@@ -3578,7 +3574,7 @@ int try_chown(connection_struct *conn, struct smb_filename *smb_fname,
           and also copes with the case where the SID in a take ownership ACL is
           a local SID on the users workstation
        */
-       if (uid != get_current_uid(conn)) {
+       if (uid != current_user.ut.uid) {
                errno = EPERM;
                return -1;
        }
@@ -3864,7 +3860,7 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32 security_info_sent, const SEC_DESC
         * Unpack the user/group/world id's.
         */
 
-       status = unpack_nt_owners( conn, &user, &grp, security_info_sent, psd);
+       status = unpack_nt_owners( SNUM(conn), &user, &grp, security_info_sent, psd);
        if (!NT_STATUS_IS_OK(status)) {
                return status;
        }
index 3bf5a7ee4918632fcca7efeaa8f67b8c90c2528c..706f8c9f6affcaead0e1432addc2bf379f79c75c 100644 (file)
@@ -167,9 +167,6 @@ static bool check_user_ok(connection_struct *conn,
 
        conn->read_only = readonly_share;
        conn->admin_user = admin_user;
-       if (conn->admin_user) {
-               conn->server_info->utok.uid = sec_initial_uid();
-       }
 
        return(True);
 }
@@ -281,22 +278,26 @@ bool change_to_user(connection_struct *conn, uint16 vuid)
                return false;
        }
 
-       /* security = share sets force_user. */
-       if (!conn->force_user && !vuser) {
-               DEBUG(2,("change_to_user: Invalid vuid used %d in accessing "
-                        "share %s.\n",vuid, lp_servicename(snum) ));
-               return False;
-       }
-
        /*
         * conn->server_info is now correctly set up with a copy we can mess
         * with for force_group etc.
         */
 
-       uid = conn->server_info->utok.uid;
-       gid = conn->server_info->utok.gid;
-       num_groups = conn->server_info->utok.ngroups;
-       group_list  = conn->server_info->utok.groups;
+       if (conn->force_user) /* security = share sets this too */ {
+               uid = conn->server_info->utok.uid;
+               gid = conn->server_info->utok.gid;
+               group_list = conn->server_info->utok.groups;
+               num_groups = conn->server_info->utok.ngroups;
+       } else if (vuser) {
+               uid = conn->admin_user ? 0 : vuser->server_info->utok.uid;
+               gid = conn->server_info->utok.gid;
+               num_groups = conn->server_info->utok.ngroups;
+               group_list  = conn->server_info->utok.groups;
+       } else {
+               DEBUG(2,("change_to_user: Invalid vuid used %d in accessing "
+                        "share %s.\n",vuid, lp_servicename(snum) ));
+               return False;
+       }
 
        /*
         * See if we should force group for this service.
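Review bot: In the `else if (vuser)` branch the uid is taken from `vuser->server_info` while the gid and group list come from `conn->server_info`, and nothing explains why the two sources are mixed. The context comment above says only that `conn->server_info` is a copy set up for force_group handling. A comment on that branch, for example `/* uid from the session; gid/groups from the per-connection copy, which force group may have modified */`, would help if that is the intent. The admin case uses a bare `0`, where the code removed from check_user_ok used `sec_initial_uid()`; write `(uid_t)0` and note that the difference is deliberate. The comment wedged between `)` and `{` on the `force_user` test reads more clearly on its own line. change_to_user starts and ends outside this hunk.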
@@ -504,46 +505,3 @@ bool unbecome_user(void)
        pop_conn_ctx();
        return True;
 }
-
-/****************************************************************************
- Return the current user we are running effectively as on this connection.
- I'd like to make this return conn->server_info->utok.uid, but become_root()
- doesn't alter this value.
-****************************************************************************/
-
-uid_t get_current_uid(connection_struct *conn)
-{
-       return current_user.ut.uid;
-}
-
-/****************************************************************************
- Return the current group we are running effectively as on this connection.
- I'd like to make this return conn->server_info->utok.gid, but become_root()
- doesn't alter this value.
-****************************************************************************/
-
-gid_t get_current_gid(connection_struct *conn)
-{
-       return current_user.ut.gid;
-}
-
-/****************************************************************************
- Return the UNIX token we are running effectively as on this connection.
- I'd like to make this return &conn->server_info->utok, but become_root()
- doesn't alter this value.
-****************************************************************************/
-
-const UNIX_USER_TOKEN *get_current_utok(connection_struct *conn)
-{
-       return &current_user.ut;
-}
-
-const NT_USER_TOKEN *get_current_nttok(connection_struct *conn)
-{
-       return current_user.nt_user_token;
-}
-
-uint16_t get_current_vuid(connection_struct *conn)
-{
-       return current_user.vuid;
-}