/* what user is current? */
extern struct current_user current_user;
+/****************************************************************************
+ Iterator functions for getting all gid's from current_user.
+****************************************************************************/
+
+gid_t get_current_user_gid_first(int *piterator)
+{
+ *piterator = 0;
+ return current_user.ut.gid;
+}
+
+gid_t get_current_user_gid_next(int *piterator)
+{
+ gid_t ret;
+
+ if (!current_user.ut.groups || *piterator >= current_user.ut.ngroups) {
+ return (gid_t)-1;
+ }
+
+ ret = current_user.ut.groups[*piterator];
+ (*piterator) += 1;
+ return ret;
+}
+
/****************************************************************************
Become the guest user without changing the security context stack.
****************************************************************************/
if (!pass) {
/* Don't need to free() this as its stored in a static */
- pass = getpwnam_alloc(lp_guestaccount());
+ pass = getpwnam_alloc(NULL, lp_guestaccount());
if (!pass)
return(False);
}
current_user.conn = NULL;
current_user.vuid = UID_FIELD_INVALID;
+
+ TALLOC_FREE(pass);
+ pass = NULL;
return True;
}
static BOOL check_user_ok(connection_struct *conn, user_struct *vuser,int snum)
{
- int i;
- for (i=0;i<conn->uid_cache.entries;i++)
- if (conn->uid_cache.list[i] == vuser->uid)
+ unsigned int i;
+ struct vuid_cache_entry *ent = NULL;
+ BOOL readonly_share;
+ NT_USER_TOKEN *token;
+
+ for (i=0;i<conn->vuid_cache.entries && i< VUID_CACHE_SIZE;i++) {
+ if (conn->vuid_cache.array[i].vuid == vuser->vuid) {
+ ent = &conn->vuid_cache.array[i];
+ conn->read_only = ent->read_only;
+ conn->admin_user = ent->admin_user;
return(True);
+ }
+ }
- if (!user_ok(vuser->user.unix_name,snum))
+ if (!user_ok_token(vuser->user.unix_name, vuser->nt_user_token, snum))
return(False);
- i = conn->uid_cache.entries % UID_CACHE_SIZE;
- conn->uid_cache.list[i] = vuser->uid;
+ readonly_share = is_share_read_only_for_token(vuser->user.unix_name,
+ vuser->nt_user_token,
+ SNUM(conn));
+
+ token = conn->nt_user_token ?
+ conn->nt_user_token : vuser->nt_user_token;
+
+ if (!readonly_share &&
+ !share_access_check(token, lp_servicename(snum),
+ FILE_WRITE_DATA)) {
+ /* smb.conf allows r/w, but the security descriptor denies
+ * write. Fall back to looking at readonly. */
+ readonly_share = True;
+ DEBUG(5,("falling back to read-only access-evaluation due to "
+ "security descriptor\n"));
+ }
+
+ if (!share_access_check(token, lp_servicename(snum),
+ readonly_share ?
+ FILE_READ_DATA : FILE_WRITE_DATA)) {
+ return False;
+ }
+
+ i = conn->vuid_cache.entries % VUID_CACHE_SIZE;
+ if (conn->vuid_cache.entries < VUID_CACHE_SIZE)
+ conn->vuid_cache.entries++;
+
+ ent = &conn->vuid_cache.array[i];
+ ent->vuid = vuser->vuid;
+ ent->read_only = readonly_share;
+
+ ent->admin_user = token_contains_name_in_list(
+ vuser->user.unix_name, NULL, vuser->nt_user_token,
+ lp_admin_users(SNUM(conn)));
- if (conn->uid_cache.entries < UID_CACHE_SIZE)
- conn->uid_cache.entries++;
+ conn->read_only = ent->read_only;
+ conn->admin_user = ent->admin_user;
return(True);
}
/****************************************************************************
Become the user of a connection number without changing the security context
- stack, but modify the currnet_user entries.
+ stack, but modify the current_user entries.
****************************************************************************/
BOOL change_to_user(connection_struct *conn, uint16 vuid)
*/
if((lp_security() == SEC_SHARE) && (current_user.conn == conn) &&
- (current_user.uid == conn->uid)) {
- DEBUG(4,("change_to_user: Skipping user change - already user\n"));
+ (current_user.ut.uid == conn->uid)) {
+ DEBUG(4,("change_to_user: Skipping user change - already "
+ "user\n"));
return(True);
} else if ((current_user.conn == conn) &&
(vuser != 0) && (current_user.vuid == vuid) &&
- (current_user.uid == vuser->uid)) {
- DEBUG(4,("change_to_user: Skipping user change - already user\n"));
+ (current_user.ut.uid == vuser->uid)) {
+ DEBUG(4,("change_to_user: Skipping user change - already "
+ "user\n"));
return(True);
}
snum = SNUM(conn);
- if((vuser != NULL) && !check_user_ok(conn, vuser, snum))
+ if ((vuser) && !check_user_ok(conn, vuser, snum)) {
+ DEBUG(2,("change_to_user: SMB user %s (unix user %s, vuid %d) "
+ "not permitted access to share %s.\n",
+ vuser->user.smb_name, vuser->user.unix_name, vuid,
+ lp_servicename(snum)));
return False;
+ }
- if (conn->force_user ||
- conn->admin_user ||
- (lp_security() == SEC_SHARE)) {
+ if (conn->force_user) /* security = share sets this too */ {
uid = conn->uid;
gid = conn->gid;
- current_user.groups = conn->groups;
- current_user.ngroups = conn->ngroups;
+ current_user.ut.groups = conn->groups;
+ current_user.ut.ngroups = conn->ngroups;
token = conn->nt_user_token;
- } else {
- if (!vuser) {
- DEBUG(2,("change_to_user: Invalid vuid used %d\n",vuid));
- return(False);
- }
- uid = vuser->uid;
+ } else if (vuser) {
+ uid = conn->admin_user ? 0 : vuser->uid;
gid = vuser->gid;
- current_user.ngroups = vuser->n_groups;
- current_user.groups = vuser->groups;
+ current_user.ut.ngroups = vuser->n_groups;
+ current_user.ut.groups = vuser->groups;
token = vuser->nt_user_token;
+ } else {
+ DEBUG(2,("change_to_user: Invalid vuid used %d in accessing "
+ "share %s.\n",vuid, lp_servicename(snum) ));
+ return False;
}
/*
*/
if((group_c = *lp_force_group(snum))) {
- BOOL is_guest = False;
+
+ token = dup_nt_token(NULL, token);
+ if (token == NULL) {
+ DEBUG(0, ("dup_nt_token failed\n"));
+ return False;
+ }
+ must_free_token = True;
if(group_c == '+') {
*/
int i;
- for (i = 0; i < current_user.ngroups; i++) {
- if (current_user.groups[i] == conn->gid) {
+ for (i = 0; i < current_user.ut.ngroups; i++) {
+ if (current_user.ut.groups[i] == conn->gid) {
gid = conn->gid;
+ gid_to_sid(&token->user_sids[1], gid);
break;
}
}
} else {
gid = conn->gid;
+ gid_to_sid(&token->user_sids[1], gid);
}
-
- /*
- * We've changed the group list in the token - we must
- * re-create it.
- */
-
- if (vuser && vuser->guest)
- is_guest = True;
-
- token = create_nt_token(uid, gid, current_user.ngroups, current_user.groups, is_guest, NULL);
- must_free_token = True;
}
- set_sec_ctx(uid, gid, current_user.ngroups, current_user.groups, token);
+ set_sec_ctx(uid, gid, current_user.ut.ngroups, current_user.ut.groups,
+ token);
/*
* Free the new token (as set_sec_ctx copies it).
*/
if (must_free_token)
- delete_nt_token(&token);
+ TALLOC_FREE(token);
current_user.conn = conn;
current_user.vuid = vuid;
if (!push_sec_ctx())
return False;
- set_sec_ctx(p->pipe_user.uid, p->pipe_user.gid,
- p->pipe_user.ngroups, p->pipe_user.groups, p->pipe_user.nt_user_token);
+ set_sec_ctx(p->pipe_user.ut.uid, p->pipe_user.ut.gid,
+ p->pipe_user.ut.ngroups, p->pipe_user.ut.groups,
+ p->pipe_user.nt_user_token);
return True;
}
ctx_p->vuid = UID_FIELD_INVALID;
}
-void init_conn_ctx(void)
-{
- int i;
-
- /* Initialise connection context stack */
- for (i = 0; i < MAX_SEC_CTX_DEPTH; i++) {
- conn_ctx_stack[i].conn = NULL;
- conn_ctx_stack[i].vuid = UID_FIELD_INVALID;
- }
-}
-
/****************************************************************************
Temporarily become a root user. Must match with unbecome_root(). Saves and
restores the connection context.
pop_conn_ctx();
return True;
}
-
-/*****************************************************************
- Convert the suplimentary SIDs returned in a netlogon into UNIX
- group gid_t's. Add to the total group array.
-*****************************************************************/
-
-void add_supplementary_nt_login_groups(int *n_groups, gid_t **pp_groups, NT_USER_TOKEN **pptok)
-{
- int total_groups;
- int current_n_groups = *n_groups;
- gid_t *final_groups = NULL;
- size_t i;
- NT_USER_TOKEN *ptok = *pptok;
- NT_USER_TOKEN *new_tok = NULL;
-
- if (!ptok || (ptok->num_sids == 0))
- return;
-
- new_tok = dup_nt_token(ptok);
- if (!new_tok) {
- DEBUG(0,("add_supplementary_nt_login_groups: Failed to malloc new token\n"));
- return;
- }
- /* Leave the allocated space but empty the number of SIDs. */
- new_tok->num_sids = 0;
-
- total_groups = current_n_groups + ptok->num_sids;
-
- final_groups = (gid_t *)malloc(total_groups * sizeof(gid_t));
- if (!final_groups) {
- DEBUG(0,("add_supplementary_nt_login_groups: Failed to malloc new groups.\n"));
- delete_nt_token(&new_tok);
- return;
- }
-
- memcpy(final_groups, *pp_groups, current_n_groups * sizeof(gid_t));
- for (i = 0; i < ptok->num_sids; i++) {
- enum SID_NAME_USE sid_type;
- gid_t new_grp;
-
- if (sid_to_gid(&ptok->user_sids[i], &new_grp, &sid_type)) {
- /*
- * Don't add the gid_t if it is already in the current group
- * list. Some UNIXen don't like the same group more than once.
- */
- int j;
-
- for (j = 0; j < current_n_groups; j++)
- if (final_groups[j] == new_grp)
- break;
-
- if ( j == current_n_groups) {
- /* Group not already present. */
- final_groups[current_n_groups++] = new_grp;
- }
- } else {
- /* SID didn't map. Copy to the new token to be saved. */
- sid_copy(&new_tok->user_sids[new_tok->num_sids++], &ptok->user_sids[i]);
- }
- }
-
- SAFE_FREE(*pp_groups);
- *pp_groups = final_groups;
- *n_groups = current_n_groups;
-
- /* Replace the old token with the truncated one. */
- delete_nt_token(&ptok);
- *pptok = new_tok;
-}
-
-/*****************************************************************
- *THE CANONICAL* convert name to SID function.
- Tries local lookup first - for local domains - then uses winbind.
-*****************************************************************/
-
-BOOL lookup_name(const char *domain, const char *name, DOM_SID *psid, enum SID_NAME_USE *name_type)
-{
- extern pstring global_myname;
- extern fstring global_myworkgroup;
- fstring sid;
- BOOL local_lookup = False;
-
- *name_type = SID_NAME_UNKNOWN;
-
- /* If we are looking up a domain user, make sure it is
- for the local machine only */
-
- if (strequal(global_myname, domain)) {
- local_lookup = True;
- } else if (lp_server_role() == ROLE_DOMAIN_PDC ||
- lp_server_role() == ROLE_DOMAIN_PDC) {
- if (strequal(domain, global_myworkgroup)) {
- local_lookup = True;
- }
- }
-
- if (local_lookup) {
- if (local_lookup_name(name, psid, name_type)) {
- DEBUG(10,
- ("lookup_name: (local) [%s]\\[%s] -> SID %s (type %s: %u)\n",
- domain, name, sid_to_string(sid,psid),
- sid_type_lookup(*name_type), (unsigned int)*name_type));
- return True;
- }
- } else {
- /* Remote */
- if (winbind_lookup_name(domain, name, psid, name_type)) {
-
- DEBUG(10,("lookup_name (winbindd): [%s]\\[%s] -> SID %s (type %u)\n",
- domain, name, sid_to_string(sid, psid),
- (unsigned int)*name_type));
- return True;
- }
- }
-
- DEBUG(10, ("lookup_name: %s lookup for [%s]\\[%s] failed\n",
- local_lookup ? "local" : "winbind", domain, name));
-
- return False;
-}
-
-/*****************************************************************
- *THE CANONICAL* convert SID to name function.
- Tries local lookup first - for local sids, then tries winbind.
-*****************************************************************/
-
-BOOL lookup_sid(DOM_SID *sid, fstring dom_name, fstring name, enum SID_NAME_USE *name_type)
-{
- if (!name_type)
- return False;
-
- *name_type = SID_NAME_UNKNOWN;
-
- /* Check if this is our own sid. This should perhaps be done by
- winbind? For the moment handle it here. */
-
- if (sid->num_auths == 5) {
- DOM_SID tmp_sid;
- uint32 rid;
-
- sid_copy(&tmp_sid, sid);
- sid_split_rid(&tmp_sid, &rid);
-
- if (sid_equal(get_global_sam_sid(), &tmp_sid)) {
-
- return map_domain_sid_to_name(&tmp_sid, dom_name) &&
- local_lookup_sid(sid, name, name_type);
- }
- }
-
- if (!winbind_lookup_sid(sid, dom_name, name, name_type)) {
- fstring sid_str;
- DOM_SID tmp_sid;
- uint32 rid;
-
- DEBUG(10,("lookup_sid: winbind lookup for SID %s failed - trying local.\n", sid_to_string(sid_str, sid) ));
-
- sid_copy(&tmp_sid, sid);
- sid_split_rid(&tmp_sid, &rid);
- return map_domain_sid_to_name(&tmp_sid, dom_name) &&
- lookup_known_rid(&tmp_sid, rid, name, name_type);
- }
- return True;
-}
-
-/*****************************************************************
- *THE CANONICAL* convert uid_t to SID function.
- Tries winbind first - then uses local lookup.
- Returns SID pointer.
-*****************************************************************/
-
-DOM_SID *uid_to_sid(DOM_SID *psid, uid_t uid)
-{
- uid_t low, high;
- fstring sid;
-
- if (lp_winbind_uid(&low, &high) && uid >= low && uid <= high) {
- if (winbind_uid_to_sid(psid, uid)) {
-
- DEBUG(10,("uid_to_sid: winbindd %u -> %s\n",
- (unsigned int)uid, sid_to_string(sid, psid)));
-
- return psid;
- }
- }
-
- /* Make sure we report failure, (when psid == NULL) */
- become_root();
- psid = local_uid_to_sid(psid, uid);
- unbecome_root();
-
- DEBUG(10,("uid_to_sid: local %u -> %s\n", (unsigned int)uid, sid_to_string(sid, psid)));
-
- return psid;
-}
-
-/*****************************************************************
- *THE CANONICAL* convert gid_t to SID function.
- Tries winbind first - then uses local lookup.
- Returns SID pointer.
-*****************************************************************/
-
-DOM_SID *gid_to_sid(DOM_SID *psid, gid_t gid)
-{
- gid_t low, high;
- fstring sid;
-
- if (lp_winbind_gid(&low, &high) && gid >= low && gid <= high) {
- if (winbind_gid_to_sid(psid, gid)) {
-
- DEBUG(10,("gid_to_sid: winbindd %u -> %s\n",
- (unsigned int)gid, sid_to_string(sid, psid)));
-
- return psid;
- }
- }
-
- /* Make sure we report failure, (when psid == NULL) */
- psid = local_gid_to_sid(psid, gid);
-
- DEBUG(10,("gid_to_sid: local %u -> %s\n", (unsigned int)gid, sid_to_string(sid, psid)));
-
- return psid;
-}
-
-/*****************************************************************
- *THE CANONICAL* convert SID to uid function.
- Tries winbind first - then uses local lookup.
- Returns True if this name is a user sid and the conversion
- was done correctly, False if not. sidtype is set by this function.
-*****************************************************************/
-
-BOOL sid_to_uid(const DOM_SID *psid, uid_t *puid, enum SID_NAME_USE *sidtype)
-{
- fstring sid_str;
-
- /* if we know its local then don't try winbindd */
- if (sid_compare_domain(get_global_sam_sid(), psid) == 0) {
- BOOL result;
- become_root();
- result = local_sid_to_uid(puid, psid, sidtype);
- unbecome_root();
- return result;
- }
-
-/* (tridge) I commented out the slab of code below in order to support foreign SIDs
- Do we really need to validate the type of SID we have in this case?
-*/
-#if 0
- fstring dom_name, name;
- enum SID_NAME_USE name_type;
-
- *sidtype = SID_NAME_UNKNOWN;
- /*
- * First we must look up the name and decide if this is a user sid.
- */
-
- if ( (!winbind_lookup_sid(psid, dom_name, name, &name_type)) || (name_type != SID_NAME_USER) ) {
- BOOL result;
- DEBUG(10,("sid_to_uid: winbind lookup for sid %s failed - trying local.\n",
- sid_to_string(sid_str, psid) ));
-
- become_root();
- result = local_sid_to_uid(puid, psid, sidtype);
- unbecome_root();
- return result;
- }
-
- /*
- * Ensure this is a user sid.
- */
-
- if (name_type != SID_NAME_USER) {
- DEBUG(10,("sid_to_uid: winbind lookup succeeded but SID is not a uid (%u)\n",
- (unsigned int)name_type ));
- return False;
- }
-#endif
- *sidtype = SID_NAME_USER;
-
- /*
- * Get the uid for this SID.
- */
-
- if (!winbind_sid_to_uid(puid, psid)) {
- BOOL result;
- DEBUG(10,("sid_to_uid: winbind lookup for sid %s failed.\n",
- sid_to_string(sid_str, psid) ));
- become_root();
- result = local_sid_to_uid(puid, psid, sidtype);
- unbecome_root();
- return result;
- }
-
- DEBUG(10,("sid_to_uid: winbindd %s -> %u\n",
- sid_to_string(sid_str, psid),
- (unsigned int)*puid ));
-
- return True;
-}
-
-/*****************************************************************
- *THE CANONICAL* convert SID to gid function.
- Tries winbind first - then uses local lookup.
- Returns True if this name is a user sid and the conversion
- was done correctly, False if not.
-*****************************************************************/
-
-BOOL sid_to_gid(const DOM_SID *psid, gid_t *pgid, enum SID_NAME_USE *sidtype)
-{
- fstring dom_name, name, sid_str;
- enum SID_NAME_USE name_type;
-
- *sidtype = SID_NAME_UNKNOWN;
-
- /*
- * First we must look up the name and decide if this is a group sid.
- */
-
- /* if we know its local then don't try winbindd */
- if (sid_compare_domain(get_global_sam_sid(), psid) == 0) {
- BOOL result;
- become_root();
- result = local_sid_to_gid(pgid, psid, sidtype);
- unbecome_root();
- return result;
- }
-
- if (!winbind_lookup_sid(psid, dom_name, name, &name_type)) {
- DEBUG(10,("sid_to_gid: winbind lookup for sid %s failed.\n",
- sid_to_string(sid_str, psid) ));
- /* this was probably a foreign sid - assume its a group rid
- and continue */
- name_type = SID_NAME_DOM_GRP;
- }
-
- /*
- * Ensure this is a group sid.
- */
-
- if ((name_type != SID_NAME_DOM_GRP) && (name_type != SID_NAME_ALIAS) && (name_type != SID_NAME_WKN_GRP)) {
- DEBUG(10,("sid_to_gid: winbind lookup succeeded but SID is not a known group (%u)\n",
- (unsigned int)name_type ));
-
- return False;
- }
-
- *sidtype = name_type;
-
- /*
- * Get the gid for this SID.
- */
-
- if (!winbind_sid_to_gid(pgid, psid)) {
- DEBUG(10,("sid_to_gid: winbind lookup for sid %s failed.\n",
- sid_to_string(sid_str, psid) ));
- return False;
- }
-
- DEBUG(10,("sid_to_gid: winbindd %s -> %u\n",
- sid_to_string(sid_str, psid),
- (unsigned int)*pgid ));
-
- return True;
-}
-