2 Unix SMB/CIFS implementation.
4 a pass-thru NTVFS module to setup a security context using unix
7 Copyright (C) Andrew Tridgell 2004
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 2 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program; if not, write to the Free Software
21 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
26 struct unixuid_private {
28 struct unix_sec_ctx *last_sec_ctx;
29 struct nt_user_token *last_token;
34 map a sid to a unix uid
36 static NTSTATUS sid_to_unixuid(struct ntvfs_module_context *ntvfs,
37 struct smbsrv_request *req, struct dom_sid *sid, uid_t *uid)
39 struct unixuid_private *private = ntvfs->private_data;
40 const char *attrs[] = { "sAMAccountName", "unixID", "unixName", "sAMAccountType", NULL };
44 struct ldb_message **res;
49 sidstr = dom_sid_string(ctx, sid);
51 ret = samdb_search(private->samctx, ctx, NULL, &res, attrs, "objectSid=%s", sidstr);
53 DEBUG(0,("sid_to_unixuid: unable to find sam record for sid %s\n", sidstr));
55 return NT_STATUS_ACCESS_DENIED;
58 /* make sure its a user, not a group */
59 atype = samdb_result_uint(res[0], "sAMAccountType", 0);
60 if (atype && atype != ATYPE_NORMAL_ACCOUNT) {
61 DEBUG(0,("sid_to_unixuid: sid %s is not ATYPE_NORMAL_ACCOUNT\n", sidstr));
63 return NT_STATUS_ACCESS_DENIED;
66 /* first try to get the uid directly */
67 s = samdb_result_string(res[0], "unixID", NULL);
69 *uid = strtoul(s, NULL, 0);
74 /* next try via the UnixName attribute */
75 s = samdb_result_string(res[0], "unixName", NULL);
77 struct passwd *pwd = getpwnam(s);
79 DEBUG(0,("unixName %s for sid %s does not exist as a local user\n", s, sidstr));
81 return NT_STATUS_ACCESS_DENIED;
88 /* finally try via the sAMAccountName attribute */
89 s = samdb_result_string(res[0], "sAMAccountName", NULL);
91 struct passwd *pwd = getpwnam(s);
93 DEBUG(0,("sAMAccountName '%s' for sid %s does not exist as a local user\n", s, sidstr));
95 return NT_STATUS_ACCESS_DENIED;
102 DEBUG(0,("sid_to_unixuid: no unixID, unixName or sAMAccountName for sid %s\n", sidstr));
105 return NT_STATUS_ACCESS_DENIED;
110 map a sid to a unix gid
112 static NTSTATUS sid_to_unixgid(struct ntvfs_module_context *ntvfs,
113 struct smbsrv_request *req, struct dom_sid *sid, gid_t *gid)
115 struct unixuid_private *private = ntvfs->private_data;
116 const char *attrs[] = { "sAMAccountName", "unixID", "unixName", "sAMAccountType", NULL };
120 struct ldb_message **res;
124 ctx = talloc(req, 0);
125 sidstr = dom_sid_string(ctx, sid);
127 ret = samdb_search(private->samctx, ctx, NULL, &res, attrs, "objectSid=%s", sidstr);
129 DEBUG(0,("sid_to_unixgid: unable to find sam record for sid %s\n", sidstr));
131 return NT_STATUS_ACCESS_DENIED;
134 /* make sure its not a user */
135 atype = samdb_result_uint(res[0], "sAMAccountType", 0);
136 if (atype && atype == ATYPE_NORMAL_ACCOUNT) {
137 DEBUG(0,("sid_to_unixgid: sid %s is a ATYPE_NORMAL_ACCOUNT\n", sidstr));
139 return NT_STATUS_ACCESS_DENIED;
142 /* first try to get the gid directly */
143 s = samdb_result_string(res[0], "unixID", NULL);
145 *gid = strtoul(s, NULL, 0);
150 /* next try via the UnixName attribute */
151 s = samdb_result_string(res[0], "unixName", NULL);
153 struct group *grp = getgrnam(s);
155 DEBUG(0,("unixName '%s' for sid %s does not exist as a local group\n", s, sidstr));
157 return NT_STATUS_ACCESS_DENIED;
164 /* finally try via the sAMAccountName attribute */
165 s = samdb_result_string(res[0], "sAMAccountName", NULL);
167 struct group *grp = getgrnam(s);
169 DEBUG(0,("sAMAccountName '%s' for sid %s does not exist as a local group\n", s, sidstr));
171 return NT_STATUS_ACCESS_DENIED;
178 DEBUG(0,("sid_to_unixgid: no unixID, unixName or sAMAccountName for sid %s\n", sidstr));
181 return NT_STATUS_ACCESS_DENIED;
184 struct unix_sec_ctx {
192 pull the current security context into a unix_sec_ctx
194 static struct unix_sec_ctx *save_unix_security(TALLOC_CTX *mem_ctx)
196 struct unix_sec_ctx *sec = talloc_p(mem_ctx, struct unix_sec_ctx);
200 sec->uid = geteuid();
201 sec->gid = getegid();
202 sec->ngroups = getgroups(0, NULL);
203 if (sec->ngroups == -1) {
207 sec->groups = talloc_array_p(sec, gid_t, sec->ngroups);
208 if (sec->groups == NULL) {
213 if (getgroups(sec->ngroups, sec->groups) != sec->ngroups) {
222 set the current security context from a unix_sec_ctx
224 static NTSTATUS set_unix_security(struct unix_sec_ctx *sec)
228 if (setgroups(sec->ngroups, sec->groups) != 0) {
229 return NT_STATUS_ACCESS_DENIED;
231 if (setegid(sec->gid) != 0) {
232 return NT_STATUS_ACCESS_DENIED;
234 if (seteuid(sec->uid) != 0) {
235 return NT_STATUS_ACCESS_DENIED;
241 form a unix_sec_ctx from the current nt_user_token
243 static NTSTATUS nt_token_to_unix_security(struct ntvfs_module_context *ntvfs,
244 struct smbsrv_request *req,
245 struct nt_user_token *token,
246 struct unix_sec_ctx **sec)
250 *sec = talloc_p(req, struct unix_sec_ctx);
252 /* we can't do unix security without a user and group */
253 if (token->num_sids < 2) {
254 return NT_STATUS_ACCESS_DENIED;
257 status = sid_to_unixuid(ntvfs, req, token->user_sids[0], &(*sec)->uid);
258 if (!NT_STATUS_IS_OK(status)) {
262 status = sid_to_unixgid(ntvfs, req, token->user_sids[1], &(*sec)->gid);
263 if (!NT_STATUS_IS_OK(status)) {
267 (*sec)->ngroups = token->num_sids - 2;
268 (*sec)->groups = talloc_array_p(*sec, gid_t, (*sec)->ngroups);
269 if ((*sec)->groups == NULL) {
270 return NT_STATUS_NO_MEMORY;
273 for (i=0;i<(*sec)->ngroups;i++) {
274 status = sid_to_unixgid(ntvfs, req, token->user_sids[i+2], &(*sec)->groups[i]);
275 if (!NT_STATUS_IS_OK(status)) {
284 setup our unix security context according to the session authentication info
286 static NTSTATUS unixuid_setup_security(struct ntvfs_module_context *ntvfs,
287 struct smbsrv_request *req, struct unix_sec_ctx **sec)
289 struct unixuid_private *private = ntvfs->private_data;
290 struct nt_user_token *token = req->session->session_info->nt_user_token;
291 void *ctx = talloc(req, 0);
292 struct unix_sec_ctx *newsec;
295 *sec = save_unix_security(req);
297 return NT_STATUS_NO_MEMORY;
300 if (req->session->session_info->nt_user_token == private->last_token) {
301 newsec = private->last_sec_ctx;
303 status = nt_token_to_unix_security(ntvfs, req, token, &newsec);
304 if (!NT_STATUS_IS_OK(status)) {
308 if (private->last_sec_ctx) {
309 talloc_free(private->last_sec_ctx);
311 private->last_sec_ctx = newsec;
312 private->last_token = req->session->session_info->nt_user_token;
313 talloc_steal(private, newsec);
316 status = set_unix_security(newsec);
317 if (!NT_STATUS_IS_OK(status)) {
328 this pass through macro operates on request contexts
330 #define PASS_THRU_REQ(ntvfs, req, op, args) do { \
332 struct unix_sec_ctx *sec; \
333 status = unixuid_setup_security(ntvfs, req, &sec); \
334 if (NT_STATUS_IS_OK(status)) status = ntvfs_next_##op args; \
335 status2 = set_unix_security(sec); \
336 if (!NT_STATUS_IS_OK(status2)) smb_panic("Unable to reset security context"); \
342 connect to a share - used when a tree_connect operation comes in.
344 static NTSTATUS unixuid_connect(struct ntvfs_module_context *ntvfs,
345 struct smbsrv_request *req, const char *sharename)
347 struct unixuid_private *private;
350 private = talloc_p(req->tcon, struct unixuid_private);
352 return NT_STATUS_NO_MEMORY;
355 private->samctx = samdb_connect(private);
356 if (private->samctx == NULL) {
357 return NT_STATUS_INTERNAL_DB_CORRUPTION;
360 ntvfs->private_data = private;
361 private->last_sec_ctx = NULL;
362 private->last_token = NULL;
364 PASS_THRU_REQ(ntvfs, req, connect, (ntvfs, req, sharename));
370 disconnect from a share
372 static NTSTATUS unixuid_disconnect(struct ntvfs_module_context *ntvfs,
373 struct smbsrv_tcon *tcon)
375 struct unixuid_private *private = ntvfs->private_data;
378 talloc_free(private);
380 status = ntvfs_next_disconnect(ntvfs, tcon);
389 static NTSTATUS unixuid_unlink(struct ntvfs_module_context *ntvfs,
390 struct smbsrv_request *req, struct smb_unlink *unl)
394 PASS_THRU_REQ(ntvfs, req, unlink, (ntvfs, req, unl));
402 static NTSTATUS unixuid_ioctl(struct ntvfs_module_context *ntvfs,
403 struct smbsrv_request *req, union smb_ioctl *io)
407 PASS_THRU_REQ(ntvfs, req, ioctl, (ntvfs, req, io));
413 check if a directory exists
415 static NTSTATUS unixuid_chkpath(struct ntvfs_module_context *ntvfs,
416 struct smbsrv_request *req, struct smb_chkpath *cp)
420 PASS_THRU_REQ(ntvfs, req, chkpath, (ntvfs, req, cp));
426 return info on a pathname
428 static NTSTATUS unixuid_qpathinfo(struct ntvfs_module_context *ntvfs,
429 struct smbsrv_request *req, union smb_fileinfo *info)
433 PASS_THRU_REQ(ntvfs, req, qpathinfo, (ntvfs, req, info));
439 query info on a open file
441 static NTSTATUS unixuid_qfileinfo(struct ntvfs_module_context *ntvfs,
442 struct smbsrv_request *req, union smb_fileinfo *info)
446 PASS_THRU_REQ(ntvfs, req, qfileinfo, (ntvfs, req, info));
453 set info on a pathname
455 static NTSTATUS unixuid_setpathinfo(struct ntvfs_module_context *ntvfs,
456 struct smbsrv_request *req, union smb_setfileinfo *st)
460 PASS_THRU_REQ(ntvfs, req, setpathinfo, (ntvfs, req, st));
468 static NTSTATUS unixuid_open(struct ntvfs_module_context *ntvfs,
469 struct smbsrv_request *req, union smb_open *io)
473 PASS_THRU_REQ(ntvfs, req, open, (ntvfs, req, io));
481 static NTSTATUS unixuid_mkdir(struct ntvfs_module_context *ntvfs,
482 struct smbsrv_request *req, union smb_mkdir *md)
486 PASS_THRU_REQ(ntvfs, req, mkdir, (ntvfs, req, md));
494 static NTSTATUS unixuid_rmdir(struct ntvfs_module_context *ntvfs,
495 struct smbsrv_request *req, struct smb_rmdir *rd)
499 PASS_THRU_REQ(ntvfs, req, rmdir, (ntvfs, req, rd));
505 rename a set of files
507 static NTSTATUS unixuid_rename(struct ntvfs_module_context *ntvfs,
508 struct smbsrv_request *req, union smb_rename *ren)
512 PASS_THRU_REQ(ntvfs, req, rename, (ntvfs, req, ren));
520 static NTSTATUS unixuid_copy(struct ntvfs_module_context *ntvfs,
521 struct smbsrv_request *req, struct smb_copy *cp)
525 PASS_THRU_REQ(ntvfs, req, copy, (ntvfs, req, cp));
533 static NTSTATUS unixuid_read(struct ntvfs_module_context *ntvfs,
534 struct smbsrv_request *req, union smb_read *rd)
538 PASS_THRU_REQ(ntvfs, req, read, (ntvfs, req, rd));
546 static NTSTATUS unixuid_write(struct ntvfs_module_context *ntvfs,
547 struct smbsrv_request *req, union smb_write *wr)
551 PASS_THRU_REQ(ntvfs, req, write, (ntvfs, req, wr));
559 static NTSTATUS unixuid_seek(struct ntvfs_module_context *ntvfs,
560 struct smbsrv_request *req, struct smb_seek *io)
564 PASS_THRU_REQ(ntvfs, req, seek, (ntvfs, req, io));
572 static NTSTATUS unixuid_flush(struct ntvfs_module_context *ntvfs,
573 struct smbsrv_request *req, struct smb_flush *io)
577 PASS_THRU_REQ(ntvfs, req, flush, (ntvfs, req, io));
585 static NTSTATUS unixuid_close(struct ntvfs_module_context *ntvfs,
586 struct smbsrv_request *req, union smb_close *io)
590 PASS_THRU_REQ(ntvfs, req, close, (ntvfs, req, io));
598 static NTSTATUS unixuid_exit(struct ntvfs_module_context *ntvfs,
599 struct smbsrv_request *req)
603 PASS_THRU_REQ(ntvfs, req, exit, (ntvfs, req));
609 logoff - closing files
611 static NTSTATUS unixuid_logoff(struct ntvfs_module_context *ntvfs,
612 struct smbsrv_request *req)
614 struct unixuid_private *private = ntvfs->private_data;
617 PASS_THRU_REQ(ntvfs, req, logoff, (ntvfs, req));
619 private->last_token = NULL;
627 static NTSTATUS unixuid_lock(struct ntvfs_module_context *ntvfs,
628 struct smbsrv_request *req, union smb_lock *lck)
632 PASS_THRU_REQ(ntvfs, req, lock, (ntvfs, req, lck));
638 set info on a open file
640 static NTSTATUS unixuid_setfileinfo(struct ntvfs_module_context *ntvfs,
641 struct smbsrv_request *req,
642 union smb_setfileinfo *info)
646 PASS_THRU_REQ(ntvfs, req, setfileinfo, (ntvfs, req, info));
653 return filesystem space info
655 static NTSTATUS unixuid_fsinfo(struct ntvfs_module_context *ntvfs,
656 struct smbsrv_request *req, union smb_fsinfo *fs)
660 PASS_THRU_REQ(ntvfs, req, fsinfo, (ntvfs, req, fs));
666 return print queue info
668 static NTSTATUS unixuid_lpq(struct ntvfs_module_context *ntvfs,
669 struct smbsrv_request *req, union smb_lpq *lpq)
673 PASS_THRU_REQ(ntvfs, req, lpq, (ntvfs, req, lpq));
679 list files in a directory matching a wildcard pattern
681 static NTSTATUS unixuid_search_first(struct ntvfs_module_context *ntvfs,
682 struct smbsrv_request *req, union smb_search_first *io,
683 void *search_private,
684 BOOL (*callback)(void *, union smb_search_data *))
688 PASS_THRU_REQ(ntvfs, req, search_first, (ntvfs, req, io, search_private, callback));
693 /* continue a search */
694 static NTSTATUS unixuid_search_next(struct ntvfs_module_context *ntvfs,
695 struct smbsrv_request *req, union smb_search_next *io,
696 void *search_private,
697 BOOL (*callback)(void *, union smb_search_data *))
701 PASS_THRU_REQ(ntvfs, req, search_next, (ntvfs, req, io, search_private, callback));
707 static NTSTATUS unixuid_search_close(struct ntvfs_module_context *ntvfs,
708 struct smbsrv_request *req, union smb_search_close *io)
712 PASS_THRU_REQ(ntvfs, req, search_close, (ntvfs, req, io));
717 /* SMBtrans - not used on file shares */
718 static NTSTATUS unixuid_trans(struct ntvfs_module_context *ntvfs,
719 struct smbsrv_request *req, struct smb_trans2 *trans2)
723 PASS_THRU_REQ(ntvfs, req, trans, (ntvfs, req, trans2));
729 initialise the unixuid backend, registering ourselves with the ntvfs subsystem
731 NTSTATUS ntvfs_unixuid_init(void)
734 struct ntvfs_ops ops;
738 /* fill in all the operations */
739 ops.connect = unixuid_connect;
740 ops.disconnect = unixuid_disconnect;
741 ops.unlink = unixuid_unlink;
742 ops.chkpath = unixuid_chkpath;
743 ops.qpathinfo = unixuid_qpathinfo;
744 ops.setpathinfo = unixuid_setpathinfo;
745 ops.open = unixuid_open;
746 ops.mkdir = unixuid_mkdir;
747 ops.rmdir = unixuid_rmdir;
748 ops.rename = unixuid_rename;
749 ops.copy = unixuid_copy;
750 ops.ioctl = unixuid_ioctl;
751 ops.read = unixuid_read;
752 ops.write = unixuid_write;
753 ops.seek = unixuid_seek;
754 ops.flush = unixuid_flush;
755 ops.close = unixuid_close;
756 ops.exit = unixuid_exit;
757 ops.lock = unixuid_lock;
758 ops.setfileinfo = unixuid_setfileinfo;
759 ops.qfileinfo = unixuid_qfileinfo;
760 ops.fsinfo = unixuid_fsinfo;
761 ops.lpq = unixuid_lpq;
762 ops.search_first = unixuid_search_first;
763 ops.search_next = unixuid_search_next;
764 ops.search_close = unixuid_search_close;
765 ops.trans = unixuid_trans;
766 ops.logoff = unixuid_logoff;
768 ops.name = "unixuid";
770 /* we register under all 3 backend types, as we are not type specific */
771 ops.type = NTVFS_DISK;
772 ret = register_backend("ntvfs", &ops);
773 if (!NT_STATUS_IS_OK(ret)) goto failed;
775 ops.type = NTVFS_PRINT;
776 ret = register_backend("ntvfs", &ops);
777 if (!NT_STATUS_IS_OK(ret)) goto failed;
779 ops.type = NTVFS_IPC;
780 ret = register_backend("ntvfs", &ops);
781 if (!NT_STATUS_IS_OK(ret)) goto failed;