2 Unix SMB/CIFS implementation.
4 Copyright (C) Andrew Tridgell 1992-1998
5 Copyright (C) Jeremy Allison 1997-2001.
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 2 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program; if not, write to the Free Software
19 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
24 /* internal functions */
25 static struct passwd *uname_string_combinations(char *s, struct passwd * (*fn) (const char *), int N);
26 static struct passwd *uname_string_combinations2(char *s, int offset, struct passwd * (*fn) (const char *), int N);
28 /*****************************************************************
29 Check if a user or group name is local (this is a *local* name for
30 *local* people, there's nothing for you here...).
31 *****************************************************************/
33 static BOOL name_is_local(const char *name)
35 return !(strchr_m(name, *lp_winbind_separator()));
38 /*****************************************************************
39 Splits passed user or group name to domain and user/group name parts
40 Returns True if name was splitted and False otherwise.
41 *****************************************************************/
43 BOOL split_domain_and_name(const char *name, char *domain, char* username)
45 char *p = strchr(name,*lp_winbind_separator());
48 /* Parse a string of the form DOMAIN/user into a domain and a user */
49 DEBUG(10,("split_domain_and_name: checking whether name |%s| local or not\n", name));
52 fstrcpy(username, p+1);
53 fstrcpy(domain, name);
54 domain[PTR_DIFF(p, name)] = 0;
55 } else if (lp_winbind_use_default_domain()) {
56 fstrcpy(username, name);
57 fstrcpy(domain, lp_workgroup());
62 DEBUG(10,("split_domain_and_name: all is fine, domain is |%s| and name is |%s|\n", domain, username));
66 /****************************************************************************
67 Get a users home directory.
68 ****************************************************************************/
70 char *get_user_home_dir(const char *user)
72 static struct passwd *pass;
74 /* Ensure the user exists. */
76 pass = Get_Pwnam(user);
80 /* Return home directory from struct passwd. */
85 /*******************************************************************
86 Map a username from a dos name to a unix name by looking in the username
87 map. Note that this modifies the name in place.
88 This is the main function that should be called *once* on
89 any incoming or new username - in order to canonicalize the name.
90 This is being done to de-couple the case conversions from the user mapping
91 function. Previously, the map_username was being called
92 every time Get_Pwnam was called.
93 Returns True if username was changed, false otherwise.
94 ********************************************************************/
96 BOOL map_username(char *user)
98 static BOOL initialised=False;
99 static fstring last_from,last_to;
101 char *mapfile = lp_username_map();
104 BOOL mapped_user = False;
113 *last_from = *last_to = 0;
117 if (strequal(user,last_to))
120 if (strequal(user,last_from)) {
121 DEBUG(3,("Mapped user %s to %s\n",user,last_to));
122 fstrcpy(user,last_to);
126 f = x_fopen(mapfile,O_RDONLY, 0);
128 DEBUG(0,("can't open username map %s. Error %s\n",mapfile, strerror(errno) ));
132 DEBUG(4,("Scanning username map %s\n",mapfile));
134 while((s=fgets_slash(buf,sizeof(buf),f))!=NULL) {
136 char *dosname = strchr_m(unixname,'=');
138 BOOL return_if_mapped = False;
145 while (isspace((int)*unixname))
148 if ('!' == *unixname) {
149 return_if_mapped = True;
151 while (*unixname && isspace((int)*unixname))
155 if (!*unixname || strchr_m("#;",*unixname))
159 int l = strlen(unixname);
160 while (l && isspace((int)unixname[l-1])) {
166 dosuserlist = str_list_make(dosname);
168 DEBUG(0,("Unable to build user list\n"));
172 if (strchr_m(dosname,'*') || user_in_list(user, dosuserlist)) {
173 DEBUG(3,("Mapped user %s to %s\n",user,unixname));
175 fstrcpy(last_from,user);
176 sscanf(unixname,"%s",user);
177 fstrcpy(last_to,user);
178 if(return_if_mapped) {
179 str_list_free (&dosuserlist);
185 str_list_free (&dosuserlist);
191 * Setup the last_from and last_to as an optimization so
192 * that we don't scan the file again for the same user.
194 fstrcpy(last_from,user);
195 fstrcpy(last_to,user);
200 /****************************************************************************
201 * A wrapper for sys_getpwnam(). The following variations are tried:
203 * - in all lower case if this differs from transmitted
204 * - in all upper case if this differs from transmitted
205 * - using lp_usernamelevel() for permutations.
206 ****************************************************************************/
208 static struct passwd *Get_Pwnam_ret = NULL;
210 static struct passwd *Get_Pwnam_internals(const char *user, char *user2)
212 struct passwd *ret = NULL;
214 if (!user2 || !(*user2))
217 if (!user || !(*user))
220 /* Try in all lower case first as this is the most
221 common case on UNIX systems */
223 DEBUG(5,("Trying _Get_Pwnam(), username as lowercase is %s\n",user2));
224 ret = getpwnam_alloc(user2);
228 /* Try as given, if username wasn't originally lowercase */
229 if(strcmp(user, user2) != 0) {
230 DEBUG(5,("Trying _Get_Pwnam(), username as given is %s\n", user));
231 ret = getpwnam_alloc(user);
236 /* Try as uppercase, if username wasn't originally uppercase */
238 if(strcmp(user, user2) != 0) {
239 DEBUG(5,("Trying _Get_Pwnam(), username as uppercase is %s\n", user2));
240 ret = getpwnam_alloc(user2);
245 /* Try all combinations up to usernamelevel */
247 DEBUG(5,("Checking combinations of %d uppercase letters in %s\n", lp_usernamelevel(), user2));
248 ret = uname_string_combinations(user2, getpwnam_alloc, lp_usernamelevel());
251 DEBUG(5,("Get_Pwnam_internals %s find user [%s]!\n",ret ? "did":"didn't", user));
253 /* This call used to just return the 'passwd' static buffer.
254 This could then have accidental reuse implications, so
255 we now malloc a copy, and free it in the next use.
257 This should cause the (ab)user to segfault if it
260 This is better than useing the wrong data in security
263 The real fix is to make the callers free the returned
268 passwd_free(&Get_Pwnam_ret);
276 /****************************************************************************
277 Get_Pwnam wrapper for modification.
278 NOTE: This can potentially modify 'user'!
279 ****************************************************************************/
281 struct passwd *Get_Pwnam_Modify(fstring user)
286 fstrcpy(user2, user);
288 ret = Get_Pwnam_internals(user, user2);
290 /* If caller wants the modified username, ensure they get it */
293 /* We can safely assume ret is NULL if none of the above succeed */
297 /****************************************************************************
298 Get_Pwnam wrapper without modification.
299 NOTE: This with NOT modify 'user'!
300 ****************************************************************************/
302 struct passwd *Get_Pwnam(const char *user)
307 fstrcpy(user2, user);
309 DEBUG(5,("Finding user %s\n", user));
311 ret = Get_Pwnam_internals(user, user2);
316 /****************************************************************************
317 Check if a user is in a netgroup user list.
318 ****************************************************************************/
320 static BOOL user_in_netgroup_list(const char *user, const char *ngname)
323 static char *mydomain = NULL;
324 if (mydomain == NULL)
325 yp_get_default_domain(&mydomain);
327 if(mydomain == NULL) {
328 DEBUG(5,("Unable to get default yp domain\n"));
332 DEBUG(5,("looking for user %s of domain %s in netgroup %s\n",
333 user, mydomain, ngname));
334 DEBUG(5,("innetgr is %s\n", innetgr(ngname, NULL, user, mydomain)
335 ? "TRUE" : "FALSE"));
337 if (innetgr(ngname, NULL, user, mydomain))
339 #endif /* HAVE_NETGROUP */
343 /****************************************************************************
344 Check if a user is in a winbind group.
345 ****************************************************************************/
347 static BOOL user_in_winbind_group_list(const char *user, const char *gname, BOOL *winbind_answered)
351 gid_t *groups = NULL;
355 *winbind_answered = False;
358 * Get the gid's that this user belongs to.
361 if ((num_groups = winbind_getgroups(user, 0, NULL)) == -1)
364 if (num_groups == 0) {
365 *winbind_answered = True;
369 if ((groups = (gid_t *)malloc(sizeof(gid_t) * num_groups )) == NULL) {
370 DEBUG(0,("user_in_winbind_group_list: malloc fail.\n"));
374 if ((num_groups = winbind_getgroups(user, num_groups, groups)) == -1) {
375 DEBUG(0,("user_in_winbind_group_list: second winbind_getgroups call \
376 failed with error %s\n", strerror(errno) ));
381 * Now we have the gid list for this user - convert the gname
382 * to a gid_t via either winbind or the local UNIX lookup and do the comparison.
385 if ((gid = nametogid(gname)) == (gid_t)-1) {
386 DEBUG(0,("user_in_winbind_group_list: winbind_lookup_name for group %s failed.\n",
391 for (i = 0; i < num_groups; i++) {
392 if (gid == groups[i]) {
398 *winbind_answered = True;
404 *winbind_answered = False;
409 /****************************************************************************
410 Check if a user is in a UNIX group.
411 ****************************************************************************/
413 static BOOL user_in_unix_group_list(const char *user,const char *gname)
415 struct passwd *pass = Get_Pwnam(user);
416 struct sys_userlist *user_list;
417 struct sys_userlist *member;
419 DEBUG(10,("user_in_unix_group_list: checking user %s in group %s\n", user, gname));
422 * We need to check the users primary group as this
423 * group is implicit and often not listed in the group database.
427 if (strequal(gname,gidtoname(pass->pw_gid))) {
428 DEBUG(10,("user_in_unix_group_list: group %s is primary group.\n", gname ));
433 user_list = get_users_in_group(gname);
434 if (user_list == NULL) {
435 DEBUG(10,("user_in_unix_group_list: no such group %s\n", gname ));
439 for (member = user_list; member; member = member->next) {
440 DEBUG(10,("user_in_unix_group_list: checking user %s against member %s\n",
441 user, member->unix_name ));
442 if (strequal(member->unix_name,user)) {
443 free_userlist(user_list);
448 free_userlist(user_list);
452 /****************************************************************************
453 Check if a user is in a group list. Ask winbind first, then use UNIX.
454 ****************************************************************************/
456 BOOL user_in_group_list(const char *user, const char *gname)
458 BOOL winbind_answered = False;
461 ret = user_in_winbind_group_list(user, gname, &winbind_answered);
462 if (!winbind_answered)
463 ret = user_in_unix_group_list(user, gname);
466 DEBUG(10,("user_in_group_list: user |%s| is in group |%s|\n", user, gname));
470 /****************************************************************************
471 Check if a user is in a user list - can check combinations of UNIX
473 ****************************************************************************/
475 BOOL user_in_list(const char *user,char **list)
480 DEBUG(10,("user_in_list: checking user %s in list\n", user));
484 DEBUG(10,("user_in_list: checking user |%s| against |%s|\n", user, *list));
487 * Check raw username.
489 if (strequal(user, *list))
493 * Now check to see if any combination
494 * of UNIX and netgroups has been specified.
499 * Old behaviour. Check netgroup list
500 * followed by UNIX list.
502 if(user_in_netgroup_list(user, *list +1))
504 if(user_in_group_list(user, *list +1))
506 } else if (**list == '+') {
508 if((*(*list +1)) == '&') {
510 * Search UNIX list followed by netgroup.
512 if(user_in_group_list(user, *list +2))
514 if(user_in_netgroup_list(user, *list +2))
520 * Just search UNIX list.
523 if(user_in_group_list(user, *list +1))
527 } else if (**list == '&') {
529 if(*(*list +1) == '+') {
531 * Search netgroup list followed by UNIX list.
533 if(user_in_netgroup_list(user, *list +2))
535 if(user_in_group_list(user, *list +2))
539 * Just search netgroup list.
541 if(user_in_netgroup_list(user, *list +1))
544 } else if (!name_is_local(*list)) {
546 * If user name did not match and token is not
547 * a unix group and the token has a winbind separator in the
548 * name then see if it is a Windows group.
552 enum SID_NAME_USE name_type;
553 BOOL winbind_answered = False;
555 fstring groupname, domain;
557 /* Parse a string of the form DOMAIN/user into a domain and a user */
559 char *p = strchr(*list,*lp_winbind_separator());
561 DEBUG(10,("user_in_list: checking if user |%s| is in winbind group |%s|\n", user, *list));
564 fstrcpy(groupname, p+1);
565 fstrcpy(domain, *list);
566 domain[PTR_DIFF(p, *list)] = 0;
568 /* Check to see if name is a Windows group */
569 if (winbind_lookup_name(domain, groupname, &g_sid, &name_type) && name_type == SID_NAME_DOM_GRP) {
571 /* Check if user name is in the Windows group */
572 ret = user_in_winbind_group_list(user, *list, &winbind_answered);
574 if (winbind_answered && ret == True) {
575 DEBUG(10,("user_in_list: user |%s| is in winbind group |%s|\n", user, *list));
587 /* The functions below have been taken from password.c and slightly modified */
588 /****************************************************************************
589 Apply a function to upper/lower case combinations
590 of a string and return true if one of them returns true.
591 Try all combinations with N uppercase letters.
592 offset is the first char to try and change (start with 0)
593 it assumes the string starts lowercased
594 ****************************************************************************/
596 static struct passwd *uname_string_combinations2(char *s,int offset,struct passwd *(*fn)(const char *),int N)
598 ssize_t len = (ssize_t)strlen(s);
602 if (N <= 0 || offset >= len)
605 for (i=offset;i<(len-(N-1));i++) {
607 if (!islower((int)c))
610 ret = uname_string_combinations2(s,i+1,fn,N-1);
618 /****************************************************************************
619 Apply a function to upper/lower case combinations
620 of a string and return true if one of them returns true.
621 Try all combinations with up to N uppercase letters.
622 offset is the first char to try and change (start with 0)
623 it assumes the string starts lowercased
624 ****************************************************************************/
626 static struct passwd * uname_string_combinations(char *s,struct passwd * (*fn)(const char *),int N)
632 ret = uname_string_combinations2(s,0,fn,n);
639 /****************************************************************************
640 These wrappers allow appliance mode to work. In appliance mode the username
641 takes the form DOMAIN/user.
642 ****************************************************************************/
644 struct passwd *smb_getpwnam(char *user, BOOL allow_change)
649 extern pstring global_myname;
652 pw = Get_Pwnam_Modify(user);
654 pw = Get_Pwnam(user);
660 * If it is a domain qualified name and it isn't in our password
661 * database but the domain portion matches our local machine name then
662 * lookup just the username portion locally.
665 sep = lp_winbind_separator();
666 p = strchr_m(user,*sep);
667 if (p && strncasecmp(global_myname, user, strlen(global_myname))==0) {
669 pw = Get_Pwnam_Modify(p+1);