2 Unix SMB/CIFS implementation.
3 service (connection) opening and closing
4 Copyright (C) Andrew Tridgell 1992-1998
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program; if not, write to the Free Software
18 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
23 extern struct timeval smb_last_time;
24 extern int case_default;
25 extern BOOL case_preserve;
26 extern BOOL short_case_preserve;
27 extern BOOL case_mangle;
28 extern BOOL case_sensitive;
29 extern BOOL use_mangled_map;
30 extern fstring remote_machine;
31 extern userdom_struct current_user_info;
32 extern fstring remote_machine;
35 /****************************************************************************
36 Load parameters specific to a connection/service.
37 ****************************************************************************/
39 BOOL set_current_service(connection_struct *conn,BOOL do_chdir)
41 extern char magic_char;
42 static connection_struct *last_conn;
50 conn->lastused = smb_last_time.tv_sec;
55 vfs_ChDir(conn,conn->connectpath) != 0 &&
56 vfs_ChDir(conn,conn->origpath) != 0) {
57 DEBUG(0,("chdir (%s) failed\n",
62 if (conn == last_conn)
67 case_default = lp_defaultcase(snum);
68 case_preserve = lp_preservecase(snum);
69 short_case_preserve = lp_shortpreservecase(snum);
70 case_mangle = lp_casemangle(snum);
71 case_sensitive = lp_casesensitive(snum);
72 magic_char = lp_magicchar(snum);
73 use_mangled_map = (*lp_mangled_map(snum) ? True:False);
77 /****************************************************************************
78 Add a home service. Returns the new service number or -1 if fail.
79 ****************************************************************************/
81 int add_home_service(const char *service, const char *homedir)
88 if (!service || !homedir)
91 if ((iHomeService = lp_servicenumber(HOMES_NAME)) < 0)
95 * If this is a winbindd provided username, remove
96 * the domain component before adding the service.
97 * Log a warning if the "path=" parameter does not
101 split_domain_and_name(service, domain, new_service);
102 lp_add_home(new_service, iHomeService, homedir);
103 iService = lp_servicenumber(new_service);
110 * Find a service entry. service is always in dos codepage.
112 * @param service is modified (to canonical form??)
114 int find_service(fstring service)
118 all_string_sub(service,"\\","/",0);
120 iService = lp_servicenumber(service);
122 /* now handle the special case of a home directory */
125 char *phome_dir = get_user_service_home_dir(service);
130 * Try mapping the servicename, it may
131 * be a Windows to unix mapped user name.
133 if(map_username(service))
134 phome_dir = get_user_service_home_dir(service);
137 DEBUG(3,("checking for home directory %s gave %s\n",service,
138 phome_dir?phome_dir:"(NULL)"));
140 iService = add_home_service(service,phome_dir);
143 /* If we still don't have a service, attempt to add it as a printer. */
148 if ((iPrinterService = lp_servicenumber(PRINTERS_NAME)) >= 0)
152 DEBUG(3,("checking whether %s is a valid printer name...\n", service));
154 if ((pszTemp != NULL) && pcap_printername_ok(service, pszTemp))
156 DEBUG(3,("%s is a valid printer name\n", service));
157 DEBUG(3,("adding %s as a printer service\n", service));
158 lp_add_printer(service, iPrinterService);
159 iService = lp_servicenumber(service);
161 DEBUG(0,("failed to add %s as a printer service!\n", service));
164 DEBUG(3,("%s is not a valid printer name\n", service));
168 /* Check for default vfs service? Unsure whether to implement this */
173 /* just possibly it's a default service? */
176 char *pdefservice = lp_defaultservice();
177 if (pdefservice && *pdefservice &&
178 !strequal(pdefservice,service) &&
179 !strstr(service,".."))
182 * We need to do a local copy here as lp_defaultservice()
183 * returns one of the rotating lp_string buffers that
184 * could get overwritten by the recursive find_service() call
185 * below. Fix from Josef Hinteregger <joehtg@joehtg.co.at>.
188 pstrcpy(defservice, pdefservice);
189 iService = find_service(defservice);
192 all_string_sub(service, "_","/",0);
193 iService = lp_add_service(service, iService);
199 if (!VALID_SNUM(iService))
201 DEBUG(0,("Invalid snum %d for %s\n",iService, service));
206 DEBUG(3,("find_service() failed to find service %s\n", service));
212 /****************************************************************************
213 do some basic sainity checks on the share.
214 This function modifies dev, ecode.
215 ****************************************************************************/
216 static NTSTATUS share_sanity_checks(int snum, const char* service, pstring dev)
219 if (!lp_snum_ok(snum) ||
220 !check_access(smbd_server_fd(),
221 lp_hostsallow(snum), lp_hostsdeny(snum))) {
222 return NT_STATUS_ACCESS_DENIED;
225 /* you can only connect to the IPC$ service as an ipc device */
226 if (strequal(service,"IPC$") || strequal(service,"ADMIN$"))
229 if (dev[0] == '?' || !dev[0]) {
230 if (lp_print_ok(snum)) {
231 pstrcpy(dev,"LPT1:");
237 /* if the request is as a printer and you can't print then refuse */
239 if (!lp_print_ok(snum) && (strncmp(dev,"LPT",3) == 0)) {
240 DEBUG(1,("Attempt to connect to non-printer as a printer\n"));
241 return NT_STATUS_BAD_DEVICE_TYPE;
244 /* Behave as a printer if we are supposed to */
245 if (lp_print_ok(snum) && (strcmp(dev, "A:") == 0)) {
246 pstrcpy(dev, "LPT1:");
253 /****************************************************************************
255 ****************************************************************************/
256 static void set_read_only(connection_struct *conn)
259 char *service = lp_servicename(conn->service);
260 conn->read_only = lp_readonly(conn->service);
262 if (!service) return;
264 lp_list_copy(&list, lp_readlist(conn->service));
266 if (!lp_list_substitute(list, "%S", service)) {
267 DEBUG(0, ("ERROR: read list substitution failed\n"));
269 if (user_in_list(conn->user, list))
270 conn->read_only = True;
274 lp_list_copy(&list, lp_writelist(conn->service));
276 if (!lp_list_substitute(list, "%S", service)) {
277 DEBUG(0, ("ERROR: write list substitution failed\n"));
279 if (user_in_list(conn->user, list))
280 conn->read_only = False;
286 /****************************************************************************
288 ****************************************************************************/
289 static void set_admin_user(connection_struct *conn)
291 /* admin user check */
293 /* JRA - original code denied admin user if the share was
294 marked read_only. Changed as I don't think this is needed,
295 but old code left in case there is a problem here.
297 if (user_in_list(conn->user,lp_admin_users(conn->service))
302 conn->admin_user = True;
303 DEBUG(0,("%s logged in as admin user (root privileges)\n",conn->user));
305 conn->admin_user = False;
308 #if 0 /* This done later, for now */
309 /* admin users always run as uid=0 */
310 if (conn->admin_user) {
316 /****************************************************************************
317 Make a connection to a service.
319 * @param service (May be modified to canonical form???)
320 ****************************************************************************/
322 connection_struct *make_connection(char *service, DATA_BLOB password,
323 char *dev, uint16 vuid, NTSTATUS *status)
326 struct passwd *pass = NULL;
329 connection_struct *conn;
335 /* This must ONLY BE CALLED AS ROOT. As it exits this function as root. */
336 if (!non_root_mode() && (euid = geteuid()) != 0) {
337 DEBUG(0,("make_connection: PANIC ERROR. Called as nonroot (%u)\n", (unsigned int)euid ));
338 smb_panic("make_connection: PANIC ERROR. Called as nonroot\n");
343 snum = find_service(service);
346 if (strequal(service,"IPC$") || strequal(service,"ADMIN$")) {
347 DEBUG(3,("refusing IPC connection\n"));
348 *status = NT_STATUS_ACCESS_DENIED;
352 DEBUG(0,("%s (%s) couldn't find service %s\n",
353 remote_machine, client_addr(), service));
354 *status = NT_STATUS_BAD_NETWORK_NAME;
358 if (strequal(service,HOMES_NAME)) {
359 if(lp_security() != SEC_SHARE) {
360 if (validated_username(vuid)) {
361 fstring unix_username;
362 fstrcpy(unix_username,validated_username(vuid));
363 return make_connection(unix_username,
364 password,dev,vuid,status);
367 /* Security = share. Try with current_user_info.smb_name
368 * as the username. */
369 if (* current_user_info.smb_name) {
370 fstring unix_username;
371 fstrcpy(unix_username,
372 current_user_info.smb_name);
373 map_username(unix_username);
374 return make_connection(unix_username,
375 password,dev,vuid,status);
380 if (NT_STATUS_IS_ERR(*status = share_sanity_checks(snum, service, dev))) {
384 /* add it as a possible user name if we
385 are in share mode security */
386 if (lp_security() == SEC_SHARE) {
387 add_session_user(service);
391 /* shall we let them in? */
392 if (!authorise_login(snum,user,password,&guest,&force,vuid)) {
393 DEBUG( 2, ( "Invalid username/password for %s [%s]\n", service, user ) );
394 *status = NT_STATUS_WRONG_PASSWORD;
398 add_session_user(user);
402 DEBUG(0,("Couldn't find free connection.\n"));
403 *status = NT_STATUS_INSUFFICIENT_RESOURCES;
407 /* find out some info about the user */
408 pass = smb_getpwnam(user,True);
411 DEBUG(0,( "Couldn't find account %s\n",user));
412 *status = NT_STATUS_NO_SUCH_USER;
417 conn->force_user = force;
419 conn->uid = pass->pw_uid;
420 conn->gid = pass->pw_gid;
421 safe_strcpy(conn->client_address, client_addr(),
422 sizeof(conn->client_address)-1);
423 conn->num_files_open = 0;
424 conn->lastused = time(NULL);
425 conn->service = snum;
427 conn->printer = (strncmp(dev,"LPT",3) == 0);
428 conn->ipc = ((strncmp(dev,"IPC",3) == 0) || strequal(dev,"ADMIN$"));
430 conn->veto_list = NULL;
431 conn->hide_list = NULL;
432 conn->veto_oplock_list = NULL;
433 string_set(&conn->dirpath,"");
434 string_set(&conn->user,user);
435 conn->nt_user_token = NULL;
439 set_admin_user(conn);
442 * If force user is true, then store the
443 * given userid and also the primary groupid
444 * of the user we're forcing.
447 if (*lp_force_user(snum)) {
448 struct passwd *pass2;
450 pstrcpy(fuser,lp_force_user(snum));
452 /* Allow %S to be used by force user. */
453 pstring_sub(fuser,"%S",service);
455 pass2 = (struct passwd *)Get_Pwnam_Modify(fuser);
457 conn->uid = pass2->pw_uid;
458 conn->gid = pass2->pw_gid;
459 string_set(&conn->user,fuser);
461 conn->force_user = True;
462 DEBUG(3,("Forced user %s\n",fuser));
464 DEBUG(1,("Couldn't find user %s\n",fuser));
468 /* admin users always run as uid=0 */
469 if (conn->admin_user) {
475 * If force group is true, then override
476 * any groupid stored for the connecting user.
479 if (*lp_force_group(snum)) {
483 BOOL user_must_be_member = False;
485 StrnCpy(tmp_gname,lp_force_group(snum),sizeof(pstring)-1);
487 if (tmp_gname[0] == '+') {
488 user_must_be_member = True;
489 StrnCpy(gname,&tmp_gname[1],sizeof(pstring)-2);
491 StrnCpy(gname,tmp_gname,sizeof(pstring)-1);
493 /* default service may be a group name */
494 pstring_sub(gname,"%S",service);
495 gid = nametogid(gname);
497 if (gid != (gid_t)-1) {
499 * If the user has been forced and the forced group starts
500 * with a '+', then we only set the group to be the forced
501 * group if the forced user is a member of that group.
502 * Otherwise, the meaning of the '+' would be ignored.
504 if (conn->force_user && user_must_be_member) {
505 if (user_in_group_list( user, gname )) {
507 DEBUG(3,("Forced group %s for member %s\n",gname,user));
511 DEBUG(3,("Forced group %s\n",gname));
514 DEBUG(1,("Couldn't find group %s\n",gname));
517 #endif /* HAVE_GETGRNAM */
521 pstrcpy(s,lp_pathname(snum));
522 standard_sub_conn(conn,s);
523 string_set(&conn->connectpath,s);
524 DEBUG(3,("Connect path is %s\n",s));
527 /* groups stuff added by ih */
531 /* Find all the groups this uid is in and
532 store them. Used by change_to_user() */
533 initialise_groups(conn->user, conn->uid, conn->gid);
534 get_current_groups(&conn->ngroups,&conn->groups);
536 conn->nt_user_token = create_nt_token(conn->uid, conn->gid,
537 conn->ngroups, conn->groups,
541 * New code to check if there's a share security descripter
542 * added from NT server manager. This is done after the
543 * smb.conf checks are done as we need a uid and token. JRA.
547 BOOL can_write = share_access_check(conn, snum, vuid, FILE_WRITE_DATA);
550 if (!share_access_check(conn, snum, vuid, FILE_READ_DATA)) {
551 /* No access, read or write. */
552 *status = NT_STATUS_ACCESS_DENIED;
553 DEBUG(0,( "make_connection: connection to %s denied due to security descriptor.\n",
558 conn->read_only = True;
562 /* Initialise VFS function pointers */
564 if (!smbd_vfs_init(conn)) {
565 DEBUG(0, ("vfs_init failed for service %s\n", lp_servicename(SNUM(conn))));
570 /* ROOT Activities: */
571 /* check number of connections */
572 if (!claim_connection(conn,
573 lp_servicename(SNUM(conn)),
574 lp_max_connections(SNUM(conn)),
576 DEBUG(1,("too many connections - rejected\n"));
577 *status = NT_STATUS_INSUFFICIENT_RESOURCES;
582 /* Preexecs are done here as they might make the dir we are to ChDir to below */
583 /* execute any "root preexec = " line */
584 if (*lp_rootpreexec(SNUM(conn))) {
587 pstrcpy(cmd,lp_rootpreexec(SNUM(conn)));
588 standard_sub_conn(conn,cmd);
589 DEBUG(5,("cmd=%s\n",cmd));
590 ret = smbrun(cmd,NULL);
591 if (ret != 0 && lp_rootpreexec_close(SNUM(conn))) {
592 DEBUG(1,("root preexec gave %d - failing connection\n", ret));
593 yield_connection(conn, lp_servicename(SNUM(conn)));
595 *status = NT_STATUS_UNSUCCESSFUL;
600 /* USER Activites: */
601 if (!change_to_user(conn, conn->vuid)) {
602 /* No point continuing if they fail the basic checks */
603 DEBUG(0,("Can't become connected user!\n"));
605 *status = NT_STATUS_LOGON_FAILURE;
609 /* Remember that a different vuid can connect later without these checks... */
611 /* Preexecs are done here as they might make the dir we are to ChDir to below */
612 /* execute any "preexec = " line */
613 if (*lp_preexec(SNUM(conn))) {
616 pstrcpy(cmd,lp_preexec(SNUM(conn)));
617 standard_sub_conn(conn,cmd);
618 ret = smbrun(cmd,NULL);
619 if (ret != 0 && lp_preexec_close(SNUM(conn))) {
620 DEBUG(1,("preexec gave %d - failing connection\n", ret));
621 change_to_root_user();
622 yield_connection(conn, lp_servicename(SNUM(conn)));
624 *status = NT_STATUS_UNSUCCESSFUL;
629 if (vfs_ChDir(conn,conn->connectpath) != 0) {
630 DEBUG(0,("%s (%s) Can't change directory to %s (%s)\n",
631 remote_machine, conn->client_address,
632 conn->connectpath,strerror(errno)));
633 change_to_root_user();
634 yield_connection(conn, lp_servicename(SNUM(conn)));
636 *status = NT_STATUS_BAD_NETWORK_NAME;
640 string_set(&conn->origpath,conn->connectpath);
642 #if SOFTLINK_OPTIMISATION
643 /* resolve any soft links early */
646 pstrcpy(s,conn->connectpath);
648 string_set(&conn->connectpath,s);
649 vfs_ChDir(conn,conn->connectpath);
654 * Print out the 'connected as' stuff here as we need
655 * to know the effective uid and gid we will be using
656 * (at least initially).
659 if( DEBUGLVL( IS_IPC(conn) ? 3 : 1 ) ) {
660 dbgtext( "%s (%s) ", remote_machine, conn->client_address );
661 dbgtext( "connect to service %s ", lp_servicename(SNUM(conn)) );
662 dbgtext( "initially as user %s ", user );
663 dbgtext( "(uid=%d, gid=%d) ", (int)geteuid(), (int)getegid() );
664 dbgtext( "(pid %d)\n", (int)sys_getpid() );
667 /* Add veto/hide lists */
668 if (!IS_IPC(conn) && !IS_PRINT(conn)) {
669 set_namearray( &conn->veto_list, lp_veto_files(SNUM(conn)));
670 set_namearray( &conn->hide_list, lp_hide_files(SNUM(conn)));
671 set_namearray( &conn->veto_oplock_list, lp_veto_oplocks(SNUM(conn)));
674 /* Invoke VFS make connection hook */
676 if (conn->vfs_ops.connect) {
677 if (conn->vfs_ops.connect(conn, service, user) < 0) {
678 DEBUG(0,("make_connection: VFS make connection failed!\n"));
679 *status = NT_STATUS_UNSUCCESSFUL;
680 change_to_root_user();
686 /* we've finished with the user stuff - go back to root */
687 change_to_root_user();
693 /****************************************************************************
695 ****************************************************************************/
696 void close_cnum(connection_struct *conn, uint16 vuid)
698 DirCacheFlush(SNUM(conn));
700 change_to_root_user();
702 DEBUG(IS_IPC(conn)?3:1, ("%s (%s) closed connection to service %s\n",
703 remote_machine,conn->client_address,
704 lp_servicename(SNUM(conn))));
706 if (conn->vfs_ops.disconnect != NULL) {
708 /* Call VFS disconnect hook */
710 conn->vfs_ops.disconnect(conn);
714 yield_connection(conn, lp_servicename(SNUM(conn)));
716 file_close_conn(conn);
717 dptr_closecnum(conn);
719 /* execute any "postexec = " line */
720 if (*lp_postexec(SNUM(conn)) &&
721 change_to_user(conn, vuid)) {
723 pstrcpy(cmd,lp_postexec(SNUM(conn)));
724 standard_sub_conn(conn,cmd);
726 change_to_root_user();
729 change_to_root_user();
730 /* execute any "root postexec = " line */
731 if (*lp_rootpostexec(SNUM(conn))) {
733 pstrcpy(cmd,lp_rootpostexec(SNUM(conn)));
734 standard_sub_conn(conn,cmd);