2 Unix SMB/CIFS implementation.
4 a pass-thru NTVFS module to setup a security context using unix
7 Copyright (C) Andrew Tridgell 2004
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "system/filesys.h"
25 #include "system/passwd.h"
26 #include "auth/auth.h"
27 #include "ntvfs/ntvfs.h"
28 #include "dsdb/samdb/samdb.h"
30 struct unixuid_private {
31 struct sidmap_context *sidmap;
32 struct unix_sec_ctx *last_sec_ctx;
33 struct security_token *last_token;
46 pull the current security context into a unix_sec_ctx
48 static struct unix_sec_ctx *save_unix_security(TALLOC_CTX *mem_ctx)
50 struct unix_sec_ctx *sec = talloc(mem_ctx, struct unix_sec_ctx);
56 sec->ngroups = getgroups(0, NULL);
57 if (sec->ngroups == -1) {
61 sec->groups = talloc_array(sec, gid_t, sec->ngroups);
62 if (sec->groups == NULL) {
67 if (getgroups(sec->ngroups, sec->groups) != sec->ngroups) {
76 set the current security context from a unix_sec_ctx
78 static NTSTATUS set_unix_security(struct unix_sec_ctx *sec)
82 if (setgroups(sec->ngroups, sec->groups) != 0) {
83 return NT_STATUS_ACCESS_DENIED;
85 if (setegid(sec->gid) != 0) {
86 return NT_STATUS_ACCESS_DENIED;
88 if (seteuid(sec->uid) != 0) {
89 return NT_STATUS_ACCESS_DENIED;
95 form a unix_sec_ctx from the current security_token
97 static NTSTATUS nt_token_to_unix_security(struct ntvfs_module_context *ntvfs,
98 struct ntvfs_request *req,
99 struct security_token *token,
100 struct unix_sec_ctx **sec)
102 struct unixuid_private *private = ntvfs->private_data;
105 *sec = talloc(req, struct unix_sec_ctx);
107 /* we can't do unix security without a user and group */
108 if (token->num_sids < 2) {
109 return NT_STATUS_ACCESS_DENIED;
112 status = sidmap_sid_to_unixuid(private->sidmap,
113 token->user_sid, &(*sec)->uid);
114 if (!NT_STATUS_IS_OK(status)) {
118 status = sidmap_sid_to_unixgid(private->sidmap,
119 token->group_sid, &(*sec)->gid);
120 if (!NT_STATUS_IS_OK(status)) {
124 (*sec)->ngroups = token->num_sids - 2;
125 (*sec)->groups = talloc_array(*sec, gid_t, (*sec)->ngroups);
126 if ((*sec)->groups == NULL) {
127 return NT_STATUS_NO_MEMORY;
130 for (i=0;i<(*sec)->ngroups;i++) {
131 status = sidmap_sid_to_unixgid(private->sidmap,
132 token->sids[i+2], &(*sec)->groups[i]);
133 if (!NT_STATUS_IS_OK(status)) {
142 setup our unix security context according to the session authentication info
144 static NTSTATUS unixuid_setup_security(struct ntvfs_module_context *ntvfs,
145 struct ntvfs_request *req, struct unix_sec_ctx **sec)
147 struct unixuid_private *private = ntvfs->private_data;
148 struct security_token *token;
149 struct unix_sec_ctx *newsec;
152 if (req->session_info == NULL) {
153 return NT_STATUS_ACCESS_DENIED;
156 token = req->session_info->security_token;
158 *sec = save_unix_security(ntvfs);
160 return NT_STATUS_NO_MEMORY;
163 if (token == private->last_token) {
164 newsec = private->last_sec_ctx;
166 status = nt_token_to_unix_security(ntvfs, req, token, &newsec);
167 if (!NT_STATUS_IS_OK(status)) {
171 if (private->last_sec_ctx) {
172 talloc_free(private->last_sec_ctx);
174 private->last_sec_ctx = newsec;
175 private->last_token = token;
176 talloc_steal(private, newsec);
179 status = set_unix_security(newsec);
180 if (!NT_STATUS_IS_OK(status)) {
189 this pass through macro operates on request contexts
191 #define PASS_THRU_REQ(ntvfs, req, op, args) do { \
193 struct unix_sec_ctx *sec; \
194 status = unixuid_setup_security(ntvfs, req, &sec); \
195 NT_STATUS_NOT_OK_RETURN(status); \
196 status = ntvfs_next_##op args; \
197 status2 = set_unix_security(sec); \
199 if (!NT_STATUS_IS_OK(status2)) smb_panic("Unable to reset security context"); \
205 connect to a share - used when a tree_connect operation comes in.
207 static NTSTATUS unixuid_connect(struct ntvfs_module_context *ntvfs,
208 struct ntvfs_request *req, const char *sharename)
210 struct unixuid_private *private;
213 private = talloc(ntvfs, struct unixuid_private);
215 return NT_STATUS_NO_MEMORY;
218 private->sidmap = sidmap_open(private);
219 if (private->sidmap == NULL) {
220 return NT_STATUS_INTERNAL_DB_CORRUPTION;
223 ntvfs->private_data = private;
224 private->last_sec_ctx = NULL;
225 private->last_token = NULL;
227 /* we don't use PASS_THRU_REQ here, as the connect operation runs with
228 root privileges. This allows the backends to setup any database
229 links they might need during the connect. */
230 status = ntvfs_next_connect(ntvfs, req, sharename);
236 disconnect from a share
238 static NTSTATUS unixuid_disconnect(struct ntvfs_module_context *ntvfs)
240 struct unixuid_private *private = ntvfs->private_data;
243 talloc_free(private);
244 ntvfs->private_data = NULL;
246 status = ntvfs_next_disconnect(ntvfs);
255 static NTSTATUS unixuid_unlink(struct ntvfs_module_context *ntvfs,
256 struct ntvfs_request *req,
257 union smb_unlink *unl)
261 PASS_THRU_REQ(ntvfs, req, unlink, (ntvfs, req, unl));
269 static NTSTATUS unixuid_ioctl(struct ntvfs_module_context *ntvfs,
270 struct ntvfs_request *req, union smb_ioctl *io)
274 PASS_THRU_REQ(ntvfs, req, ioctl, (ntvfs, req, io));
280 check if a directory exists
282 static NTSTATUS unixuid_chkpath(struct ntvfs_module_context *ntvfs,
283 struct ntvfs_request *req,
284 union smb_chkpath *cp)
288 PASS_THRU_REQ(ntvfs, req, chkpath, (ntvfs, req, cp));
294 return info on a pathname
296 static NTSTATUS unixuid_qpathinfo(struct ntvfs_module_context *ntvfs,
297 struct ntvfs_request *req, union smb_fileinfo *info)
301 PASS_THRU_REQ(ntvfs, req, qpathinfo, (ntvfs, req, info));
307 query info on a open file
309 static NTSTATUS unixuid_qfileinfo(struct ntvfs_module_context *ntvfs,
310 struct ntvfs_request *req, union smb_fileinfo *info)
314 PASS_THRU_REQ(ntvfs, req, qfileinfo, (ntvfs, req, info));
321 set info on a pathname
323 static NTSTATUS unixuid_setpathinfo(struct ntvfs_module_context *ntvfs,
324 struct ntvfs_request *req, union smb_setfileinfo *st)
328 PASS_THRU_REQ(ntvfs, req, setpathinfo, (ntvfs, req, st));
336 static NTSTATUS unixuid_open(struct ntvfs_module_context *ntvfs,
337 struct ntvfs_request *req, union smb_open *io)
341 PASS_THRU_REQ(ntvfs, req, open, (ntvfs, req, io));
349 static NTSTATUS unixuid_mkdir(struct ntvfs_module_context *ntvfs,
350 struct ntvfs_request *req, union smb_mkdir *md)
354 PASS_THRU_REQ(ntvfs, req, mkdir, (ntvfs, req, md));
362 static NTSTATUS unixuid_rmdir(struct ntvfs_module_context *ntvfs,
363 struct ntvfs_request *req, struct smb_rmdir *rd)
367 PASS_THRU_REQ(ntvfs, req, rmdir, (ntvfs, req, rd));
373 rename a set of files
375 static NTSTATUS unixuid_rename(struct ntvfs_module_context *ntvfs,
376 struct ntvfs_request *req, union smb_rename *ren)
380 PASS_THRU_REQ(ntvfs, req, rename, (ntvfs, req, ren));
388 static NTSTATUS unixuid_copy(struct ntvfs_module_context *ntvfs,
389 struct ntvfs_request *req, struct smb_copy *cp)
393 PASS_THRU_REQ(ntvfs, req, copy, (ntvfs, req, cp));
401 static NTSTATUS unixuid_read(struct ntvfs_module_context *ntvfs,
402 struct ntvfs_request *req, union smb_read *rd)
406 PASS_THRU_REQ(ntvfs, req, read, (ntvfs, req, rd));
414 static NTSTATUS unixuid_write(struct ntvfs_module_context *ntvfs,
415 struct ntvfs_request *req, union smb_write *wr)
419 PASS_THRU_REQ(ntvfs, req, write, (ntvfs, req, wr));
427 static NTSTATUS unixuid_seek(struct ntvfs_module_context *ntvfs,
428 struct ntvfs_request *req,
433 PASS_THRU_REQ(ntvfs, req, seek, (ntvfs, req, io));
441 static NTSTATUS unixuid_flush(struct ntvfs_module_context *ntvfs,
442 struct ntvfs_request *req,
447 PASS_THRU_REQ(ntvfs, req, flush, (ntvfs, req, io));
455 static NTSTATUS unixuid_close(struct ntvfs_module_context *ntvfs,
456 struct ntvfs_request *req, union smb_close *io)
460 PASS_THRU_REQ(ntvfs, req, close, (ntvfs, req, io));
468 static NTSTATUS unixuid_exit(struct ntvfs_module_context *ntvfs,
469 struct ntvfs_request *req)
473 PASS_THRU_REQ(ntvfs, req, exit, (ntvfs, req));
479 logoff - closing files
481 static NTSTATUS unixuid_logoff(struct ntvfs_module_context *ntvfs,
482 struct ntvfs_request *req)
484 struct unixuid_private *private = ntvfs->private_data;
487 PASS_THRU_REQ(ntvfs, req, logoff, (ntvfs, req));
489 private->last_token = NULL;
497 static NTSTATUS unixuid_async_setup(struct ntvfs_module_context *ntvfs,
498 struct ntvfs_request *req,
503 PASS_THRU_REQ(ntvfs, req, async_setup, (ntvfs, req, private));
509 cancel an async request
511 static NTSTATUS unixuid_cancel(struct ntvfs_module_context *ntvfs,
512 struct ntvfs_request *req)
516 PASS_THRU_REQ(ntvfs, req, cancel, (ntvfs, req));
524 static NTSTATUS unixuid_notify(struct ntvfs_module_context *ntvfs,
525 struct ntvfs_request *req, union smb_notify *info)
529 PASS_THRU_REQ(ntvfs, req, notify, (ntvfs, req, info));
537 static NTSTATUS unixuid_lock(struct ntvfs_module_context *ntvfs,
538 struct ntvfs_request *req, union smb_lock *lck)
542 PASS_THRU_REQ(ntvfs, req, lock, (ntvfs, req, lck));
548 set info on a open file
550 static NTSTATUS unixuid_setfileinfo(struct ntvfs_module_context *ntvfs,
551 struct ntvfs_request *req,
552 union smb_setfileinfo *info)
556 PASS_THRU_REQ(ntvfs, req, setfileinfo, (ntvfs, req, info));
563 return filesystem space info
565 static NTSTATUS unixuid_fsinfo(struct ntvfs_module_context *ntvfs,
566 struct ntvfs_request *req, union smb_fsinfo *fs)
570 PASS_THRU_REQ(ntvfs, req, fsinfo, (ntvfs, req, fs));
576 return print queue info
578 static NTSTATUS unixuid_lpq(struct ntvfs_module_context *ntvfs,
579 struct ntvfs_request *req, union smb_lpq *lpq)
583 PASS_THRU_REQ(ntvfs, req, lpq, (ntvfs, req, lpq));
589 list files in a directory matching a wildcard pattern
591 static NTSTATUS unixuid_search_first(struct ntvfs_module_context *ntvfs,
592 struct ntvfs_request *req, union smb_search_first *io,
593 void *search_private,
594 bool (*callback)(void *, const union smb_search_data *))
598 PASS_THRU_REQ(ntvfs, req, search_first, (ntvfs, req, io, search_private, callback));
603 /* continue a search */
604 static NTSTATUS unixuid_search_next(struct ntvfs_module_context *ntvfs,
605 struct ntvfs_request *req, union smb_search_next *io,
606 void *search_private,
607 bool (*callback)(void *, const union smb_search_data *))
611 PASS_THRU_REQ(ntvfs, req, search_next, (ntvfs, req, io, search_private, callback));
617 static NTSTATUS unixuid_search_close(struct ntvfs_module_context *ntvfs,
618 struct ntvfs_request *req, union smb_search_close *io)
622 PASS_THRU_REQ(ntvfs, req, search_close, (ntvfs, req, io));
627 /* SMBtrans - not used on file shares */
628 static NTSTATUS unixuid_trans(struct ntvfs_module_context *ntvfs,
629 struct ntvfs_request *req, struct smb_trans2 *trans2)
633 PASS_THRU_REQ(ntvfs, req, trans, (ntvfs, req, trans2));
639 initialise the unixuid backend, registering ourselves with the ntvfs subsystem
641 NTSTATUS ntvfs_unixuid_init(void)
644 struct ntvfs_ops ops;
645 NTVFS_CURRENT_CRITICAL_SIZES(vers);
649 /* fill in all the operations */
650 ops.connect = unixuid_connect;
651 ops.disconnect = unixuid_disconnect;
652 ops.unlink = unixuid_unlink;
653 ops.chkpath = unixuid_chkpath;
654 ops.qpathinfo = unixuid_qpathinfo;
655 ops.setpathinfo = unixuid_setpathinfo;
656 ops.open = unixuid_open;
657 ops.mkdir = unixuid_mkdir;
658 ops.rmdir = unixuid_rmdir;
659 ops.rename = unixuid_rename;
660 ops.copy = unixuid_copy;
661 ops.ioctl = unixuid_ioctl;
662 ops.read = unixuid_read;
663 ops.write = unixuid_write;
664 ops.seek = unixuid_seek;
665 ops.flush = unixuid_flush;
666 ops.close = unixuid_close;
667 ops.exit = unixuid_exit;
668 ops.lock = unixuid_lock;
669 ops.setfileinfo = unixuid_setfileinfo;
670 ops.qfileinfo = unixuid_qfileinfo;
671 ops.fsinfo = unixuid_fsinfo;
672 ops.lpq = unixuid_lpq;
673 ops.search_first = unixuid_search_first;
674 ops.search_next = unixuid_search_next;
675 ops.search_close = unixuid_search_close;
676 ops.trans = unixuid_trans;
677 ops.logoff = unixuid_logoff;
678 ops.async_setup = unixuid_async_setup;
679 ops.cancel = unixuid_cancel;
680 ops.notify = unixuid_notify;
682 ops.name = "unixuid";
684 /* we register under all 3 backend types, as we are not type specific */
685 ops.type = NTVFS_DISK;
686 ret = ntvfs_register(&ops, &vers);
687 if (!NT_STATUS_IS_OK(ret)) goto failed;
689 ops.type = NTVFS_PRINT;
690 ret = ntvfs_register(&ops, &vers);
691 if (!NT_STATUS_IS_OK(ret)) goto failed;
693 ops.type = NTVFS_IPC;
694 ret = ntvfs_register(&ops, &vers);
695 if (!NT_STATUS_IS_OK(ret)) goto failed;