2 Unix SMB/CIFS implementation.
3 service (connection) opening and closing
4 Copyright (C) Andrew Tridgell 1992-1998
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 #include "smbd/globals.h"
23 extern userdom_struct current_user_info;
25 static bool canonicalize_connect_path(connection_struct *conn)
27 #ifdef REALPATH_TAKES_NULL
29 char *resolved_name = SMB_VFS_REALPATH(conn,conn->connectpath,NULL);
33 ret = set_conn_connectpath(conn,resolved_name);
34 SAFE_FREE(resolved_name);
37 char resolved_name_buf[PATH_MAX+1];
38 char *resolved_name = SMB_VFS_REALPATH(conn,conn->connectpath,resolved_name_buf);
42 return set_conn_connectpath(conn,resolved_name);
43 #endif /* REALPATH_TAKES_NULL */
46 /****************************************************************************
47 Ensure when setting connectpath it is a canonicalized (no ./ // or ../)
48 absolute path stating in / and not ending in /.
49 Observent people will notice a similarity between this and check_path_syntax :-).
50 ****************************************************************************/
52 bool set_conn_connectpath(connection_struct *conn, const char *connectpath)
56 const char *s = connectpath;
57 bool start_of_name_component = true;
59 destname = SMB_STRDUP(connectpath);
65 *d++ = '/'; /* Always start with root. */
69 /* Eat multiple '/' */
73 if ((d > destname + 1) && (*s != '\0')) {
76 start_of_name_component = True;
80 if (start_of_name_component) {
81 if ((s[0] == '.') && (s[1] == '.') && (s[2] == '/' || s[2] == '\0')) {
82 /* Uh oh - "/../" or "/..\0" ! */
84 /* Go past the ../ or .. */
88 s += 2; /* Go past the .. */
91 /* If we just added a '/' - delete it */
92 if ((d > destname) && (*(d-1) == '/')) {
97 /* Are we at the start ? Can't go back further if so. */
99 *d++ = '/'; /* Can't delete root */
102 /* Go back one level... */
103 /* Decrement d first as d points to the *next* char to write into. */
104 for (d--; d > destname; d--) {
109 /* We're still at the start of a name component, just the previous one. */
111 } else if ((s[0] == '.') && ((s[1] == '\0') || s[1] == '/')) {
112 /* Component of pathname can't be "." only - skip the '.' . */
126 /* Get the size of the next MB character. */
127 next_codepoint(s,&siz);
148 start_of_name_component = false;
152 /* And must not end in '/' */
153 if (d > destname + 1 && (*(d-1) == '/')) {
157 DEBUG(10,("set_conn_connectpath: service %s, connectpath = %s\n",
158 lp_servicename(SNUM(conn)), destname ));
160 string_set(&conn->connectpath, destname);
165 /****************************************************************************
166 Load parameters specific to a connection/service.
167 ****************************************************************************/
169 bool set_current_service(connection_struct *conn, uint16 flags, bool do_chdir)
178 conn->lastused_count++;
183 vfs_ChDir(conn,conn->connectpath) != 0 &&
184 vfs_ChDir(conn,conn->origpath) != 0) {
185 DEBUG(0,("chdir (%s) failed\n",
190 if ((conn == last_conn) && (last_flags == flags)) {
197 /* Obey the client case sensitivity requests - only for clients that support it. */
198 switch (lp_casesensitive(snum)) {
201 /* We need this uglyness due to DOS/Win9x clients that lie about case insensitivity. */
202 enum remote_arch_types ra_type = get_remote_arch();
203 if ((ra_type != RA_SAMBA) && (ra_type != RA_CIFSFS)) {
204 /* Client can't support per-packet case sensitive pathnames. */
205 conn->case_sensitive = False;
207 conn->case_sensitive = !(flags & FLAG_CASELESS_PATHNAMES);
212 conn->case_sensitive = True;
215 conn->case_sensitive = False;
221 static int load_registry_service(const char *servicename)
223 if (!lp_registry_shares()) {
227 if ((servicename == NULL) || (*servicename == '\0')) {
231 if (strequal(servicename, GLOBAL_NAME)) {
235 if (!process_registry_service(servicename)) {
239 return lp_servicenumber(servicename);
242 void load_registry_shares(void)
244 DEBUG(8, ("load_registry_shares()\n"));
245 if (!lp_registry_shares()) {
249 process_registry_shares();
254 /****************************************************************************
255 Add a home service. Returns the new service number or -1 if fail.
256 ****************************************************************************/
258 int add_home_service(const char *service, const char *username, const char *homedir)
262 if (!service || !homedir)
265 if ((iHomeService = lp_servicenumber(HOMES_NAME)) < 0) {
266 if ((iHomeService = load_registry_service(HOMES_NAME)) < 0) {
272 * If this is a winbindd provided username, remove
273 * the domain component before adding the service.
274 * Log a warning if the "path=" parameter does not
275 * include any macros.
279 const char *p = strchr(service,*lp_winbind_separator());
281 /* We only want the 'user' part of the string */
287 if (!lp_add_home(service, iHomeService, username, homedir)) {
291 return lp_servicenumber(service);
296 * Find a service entry.
298 * @param service is modified (to canonical form??)
301 int find_service(fstring service)
305 all_string_sub(service,"\\","/",0);
307 iService = lp_servicenumber(service);
309 /* now handle the special case of a home directory */
311 char *phome_dir = get_user_home_dir(talloc_tos(), service);
315 * Try mapping the servicename, it may
316 * be a Windows to unix mapped user name.
318 if(map_username(service))
319 phome_dir = get_user_home_dir(
320 talloc_tos(), service);
323 DEBUG(3,("checking for home directory %s gave %s\n",service,
324 phome_dir?phome_dir:"(NULL)"));
326 iService = add_home_service(service,service /* 'username' */, phome_dir);
329 /* If we still don't have a service, attempt to add it as a printer. */
333 if ((iPrinterService = lp_servicenumber(PRINTERS_NAME)) < 0) {
334 iPrinterService = load_registry_service(PRINTERS_NAME);
336 if (iPrinterService) {
337 DEBUG(3,("checking whether %s is a valid printer name...\n", service));
338 if (pcap_printername_ok(service)) {
339 DEBUG(3,("%s is a valid printer name\n", service));
340 DEBUG(3,("adding %s as a printer service\n", service));
341 lp_add_printer(service, iPrinterService);
342 iService = lp_servicenumber(service);
344 DEBUG(0,("failed to add %s as a printer service!\n", service));
347 DEBUG(3,("%s is not a valid printer name\n", service));
352 /* Check for default vfs service? Unsure whether to implement this */
357 iService = load_registry_service(service);
360 /* Is it a usershare service ? */
361 if (iService < 0 && *lp_usershare_path()) {
362 /* Ensure the name is canonicalized. */
364 iService = load_usershare_service(service);
367 /* just possibly it's a default service? */
369 char *pdefservice = lp_defaultservice();
370 if (pdefservice && *pdefservice && !strequal(pdefservice,service) && !strstr_m(service,"..")) {
372 * We need to do a local copy here as lp_defaultservice()
373 * returns one of the rotating lp_string buffers that
374 * could get overwritten by the recursive find_service() call
375 * below. Fix from Josef Hinteregger <joehtg@joehtg.co.at>.
377 char *defservice = SMB_STRDUP(pdefservice);
383 /* Disallow anything except explicit share names. */
384 if (strequal(defservice,HOMES_NAME) ||
385 strequal(defservice, PRINTERS_NAME) ||
386 strequal(defservice, "IPC$")) {
387 SAFE_FREE(defservice);
391 iService = find_service(defservice);
393 all_string_sub(service, "_","/",0);
394 iService = lp_add_service(service, iService);
396 SAFE_FREE(defservice);
401 if (!VALID_SNUM(iService)) {
402 DEBUG(0,("Invalid snum %d for %s\n",iService, service));
410 DEBUG(3,("find_service() failed to find service %s\n", service));
416 /****************************************************************************
417 do some basic sainity checks on the share.
418 This function modifies dev, ecode.
419 ****************************************************************************/
421 static NTSTATUS share_sanity_checks(int snum, fstring dev)
424 if (!lp_snum_ok(snum) ||
425 !check_access(smbd_server_fd(),
426 lp_hostsallow(snum), lp_hostsdeny(snum))) {
427 return NT_STATUS_ACCESS_DENIED;
430 if (dev[0] == '?' || !dev[0]) {
431 if (lp_print_ok(snum)) {
432 fstrcpy(dev,"LPT1:");
433 } else if (strequal(lp_fstype(snum), "IPC")) {
442 if (lp_print_ok(snum)) {
443 if (!strequal(dev, "LPT1:")) {
444 return NT_STATUS_BAD_DEVICE_TYPE;
446 } else if (strequal(lp_fstype(snum), "IPC")) {
447 if (!strequal(dev, "IPC")) {
448 return NT_STATUS_BAD_DEVICE_TYPE;
450 } else if (!strequal(dev, "A:")) {
451 return NT_STATUS_BAD_DEVICE_TYPE;
454 /* Behave as a printer if we are supposed to */
455 if (lp_print_ok(snum) && (strcmp(dev, "A:") == 0)) {
456 fstrcpy(dev, "LPT1:");
463 * Go through lookup_name etc to find the force'd group.
465 * Create a new token from src_token, replacing the primary group sid with the
469 static NTSTATUS find_forced_group(bool force_user,
470 int snum, const char *username,
474 NTSTATUS result = NT_STATUS_NO_SUCH_GROUP;
475 TALLOC_CTX *frame = talloc_stackframe();
477 enum lsa_SidType type;
479 bool user_must_be_member = False;
482 groupname = talloc_strdup(talloc_tos(), lp_force_group(snum));
483 if (groupname == NULL) {
484 DEBUG(1, ("talloc_strdup failed\n"));
485 result = NT_STATUS_NO_MEMORY;
489 if (groupname[0] == '+') {
490 user_must_be_member = True;
494 groupname = talloc_string_sub(talloc_tos(), groupname,
495 "%S", lp_servicename(snum));
496 if (groupname == NULL) {
497 DEBUG(1, ("talloc_string_sub failed\n"));
498 result = NT_STATUS_NO_MEMORY;
502 if (!lookup_name_smbconf(talloc_tos(), groupname,
503 LOOKUP_NAME_ALL|LOOKUP_NAME_GROUP,
504 NULL, NULL, &group_sid, &type)) {
505 DEBUG(10, ("lookup_name_smbconf(%s) failed\n",
510 if ((type != SID_NAME_DOM_GRP) && (type != SID_NAME_ALIAS) &&
511 (type != SID_NAME_WKN_GRP)) {
512 DEBUG(10, ("%s is a %s, not a group\n", groupname,
513 sid_type_lookup(type)));
517 if (!sid_to_gid(&group_sid, &gid)) {
518 DEBUG(10, ("sid_to_gid(%s) for %s failed\n",
519 sid_string_dbg(&group_sid), groupname));
524 * If the user has been forced and the forced group starts with a '+',
525 * then we only set the group to be the forced group if the forced
526 * user is a member of that group. Otherwise, the meaning of the '+'
530 if (force_user && user_must_be_member) {
531 if (user_in_group_sid(username, &group_sid)) {
532 sid_copy(pgroup_sid, &group_sid);
534 DEBUG(3,("Forced group %s for member %s\n",
535 groupname, username));
537 DEBUG(0,("find_forced_group: forced user %s is not a member "
538 "of forced group %s. Disallowing access.\n",
539 username, groupname ));
540 result = NT_STATUS_MEMBER_NOT_IN_GROUP;
544 sid_copy(pgroup_sid, &group_sid);
546 DEBUG(3,("Forced group %s\n", groupname));
549 result = NT_STATUS_OK;
555 /****************************************************************************
556 Create an auth_serversupplied_info structure for a connection_struct
557 ****************************************************************************/
559 static NTSTATUS create_connection_server_info(TALLOC_CTX *mem_ctx, int snum,
560 struct auth_serversupplied_info *vuid_serverinfo,
562 struct auth_serversupplied_info **presult)
564 if (lp_guest_only(snum)) {
565 return make_server_info_guest(mem_ctx, presult);
568 if (vuid_serverinfo != NULL) {
570 struct auth_serversupplied_info *result;
573 * This is the normal security != share case where we have a
574 * valid vuid from the session setup. */
576 if (vuid_serverinfo->guest) {
577 if (!lp_guest_ok(snum)) {
578 DEBUG(2, ("guest user (from session setup) "
579 "not permitted to access this share "
580 "(%s)\n", lp_servicename(snum)));
581 return NT_STATUS_ACCESS_DENIED;
584 if (!user_ok_token(vuid_serverinfo->unix_name,
585 pdb_get_domain(vuid_serverinfo->sam_account),
586 vuid_serverinfo->ptok, snum)) {
587 DEBUG(2, ("user '%s' (from session setup) not "
588 "permitted to access this share "
590 vuid_serverinfo->unix_name,
591 lp_servicename(snum)));
592 return NT_STATUS_ACCESS_DENIED;
596 result = copy_serverinfo(mem_ctx, vuid_serverinfo);
597 if (result == NULL) {
598 return NT_STATUS_NO_MEMORY;
605 if (lp_security() == SEC_SHARE) {
610 /* add the sharename as a possible user name if we
611 are in share mode security */
613 add_session_user(lp_servicename(snum));
615 /* shall we let them in? */
617 if (!authorise_login(snum,user,password,&guest)) {
618 DEBUG( 2, ( "Invalid username/password for [%s]\n",
619 lp_servicename(snum)) );
620 return NT_STATUS_WRONG_PASSWORD;
623 return make_serverinfo_from_username(mem_ctx, user, guest,
627 DEBUG(0, ("invalid VUID (vuser) but not in security=share\n"));
628 return NT_STATUS_ACCESS_DENIED;
632 /****************************************************************************
633 Make a connection, given the snum to connect to, and the vuser of the
634 connecting user if appropriate.
635 ****************************************************************************/
637 static connection_struct *make_connection_snum(int snum, user_struct *vuser,
642 connection_struct *conn;
646 char addr[INET6_ADDRSTRLEN];
647 bool on_err_call_dis_hook = false;
651 SET_STAT_INVALID(st);
653 if (NT_STATUS_IS_ERR(*pstatus = share_sanity_checks(snum, dev))) {
659 DEBUG(0,("Couldn't find free connection.\n"));
660 *pstatus = NT_STATUS_INSUFFICIENT_RESOURCES;
664 conn->params->service = snum;
666 status = create_connection_server_info(
667 conn, snum, vuser ? vuser->server_info : NULL, password,
670 if (!NT_STATUS_IS_OK(status)) {
671 DEBUG(1, ("create_connection_server_info failed: %s\n",
678 if ((lp_guest_only(snum)) || (lp_security() == SEC_SHARE)) {
679 conn->force_user = true;
682 add_session_user(conn->server_info->unix_name);
684 safe_strcpy(conn->client_address,
685 client_addr(get_client_fd(),addr,sizeof(addr)),
686 sizeof(conn->client_address)-1);
687 conn->num_files_open = 0;
688 conn->lastused = conn->lastused_count = time(NULL);
690 conn->printer = (strncmp(dev,"LPT",3) == 0);
691 conn->ipc = ( (strncmp(dev,"IPC",3) == 0) ||
692 ( lp_enable_asu_support() && strequal(dev,"ADMIN$")) );
695 /* Case options for the share. */
696 if (lp_casesensitive(snum) == Auto) {
697 /* We will be setting this per packet. Set to be case
698 * insensitive for now. */
699 conn->case_sensitive = False;
701 conn->case_sensitive = (bool)lp_casesensitive(snum);
704 conn->case_preserve = lp_preservecase(snum);
705 conn->short_case_preserve = lp_shortpreservecase(snum);
707 conn->encrypt_level = lp_smb_encrypt(snum);
709 conn->veto_list = NULL;
710 conn->hide_list = NULL;
711 conn->veto_oplock_list = NULL;
712 conn->aio_write_behind_list = NULL;
713 string_set(&conn->dirpath,"");
715 conn->read_only = lp_readonly(SNUM(conn));
716 conn->admin_user = False;
718 if (*lp_force_user(snum)) {
721 * Replace conn->server_info with a completely faked up one
722 * from the username we are forced into :-)
726 struct auth_serversupplied_info *forced_serverinfo;
728 fuser = talloc_string_sub(conn, lp_force_user(snum), "%S",
729 lp_servicename(snum));
732 *pstatus = NT_STATUS_NO_MEMORY;
736 status = make_serverinfo_from_username(
737 conn, fuser, conn->server_info->guest,
739 if (!NT_STATUS_IS_OK(status)) {
745 TALLOC_FREE(conn->server_info);
746 conn->server_info = forced_serverinfo;
748 conn->force_user = True;
749 DEBUG(3,("Forced user %s\n", fuser));
753 * If force group is true, then override
754 * any groupid stored for the connecting user.
757 if (*lp_force_group(snum)) {
759 status = find_forced_group(
760 conn->force_user, snum, conn->server_info->unix_name,
761 &conn->server_info->ptok->user_sids[1],
762 &conn->server_info->utok.gid);
764 if (!NT_STATUS_IS_OK(status)) {
771 * We need to cache this gid, to use within
772 * change_to_user() separately from the conn->server_info
773 * struct. We only use conn->server_info directly if
774 * "force_user" was set.
776 conn->force_group_gid = conn->server_info->utok.gid;
779 conn->vuid = (vuser != NULL) ? vuser->vuid : UID_FIELD_INVALID;
782 char *s = talloc_sub_advanced(talloc_tos(),
783 lp_servicename(SNUM(conn)),
784 conn->server_info->unix_name,
786 conn->server_info->utok.gid,
787 conn->server_info->sanitized_username,
788 pdb_get_domain(conn->server_info->sam_account),
792 *pstatus = NT_STATUS_NO_MEMORY;
796 if (!set_conn_connectpath(conn,s)) {
799 *pstatus = NT_STATUS_NO_MEMORY;
802 DEBUG(3,("Connect path is '%s' for service [%s]\n",s,
803 lp_servicename(snum)));
808 * New code to check if there's a share security descripter
809 * added from NT server manager. This is done after the
810 * smb.conf checks are done as we need a uid and token. JRA.
815 bool can_write = False;
817 can_write = share_access_check(conn->server_info->ptok,
818 lp_servicename(snum),
822 if (!share_access_check(conn->server_info->ptok,
823 lp_servicename(snum),
825 /* No access, read or write. */
826 DEBUG(0,("make_connection: connection to %s "
827 "denied due to security "
829 lp_servicename(snum)));
831 *pstatus = NT_STATUS_ACCESS_DENIED;
834 conn->read_only = True;
838 /* Initialise VFS function pointers */
840 if (!smbd_vfs_init(conn)) {
841 DEBUG(0, ("vfs_init failed for service %s\n",
842 lp_servicename(snum)));
844 *pstatus = NT_STATUS_BAD_NETWORK_NAME;
849 * If widelinks are disallowed we need to canonicalise the connect
850 * path here to ensure we don't have any symlinks in the
851 * connectpath. We will be checking all paths on this connection are
852 * below this directory. We must do this after the VFS init as we
853 * depend on the realpath() pointer in the vfs table. JRA.
855 if (!lp_widelinks(snum)) {
856 if (!canonicalize_connect_path(conn)) {
857 DEBUG(0, ("canonicalize_connect_path failed "
858 "for service %s, path %s\n",
859 lp_servicename(snum),
862 *pstatus = NT_STATUS_BAD_NETWORK_NAME;
867 if ((!conn->printer) && (!conn->ipc)) {
868 conn->notify_ctx = notify_init(conn, server_id_self(),
869 smbd_messaging_context(),
870 smbd_event_context(),
874 /* ROOT Activities: */
876 * Enforce the max connections parameter.
879 if ((lp_max_connections(snum) > 0)
880 && (count_current_connections(lp_servicename(SNUM(conn)), True) >=
881 lp_max_connections(snum))) {
883 DEBUG(1, ("Max connections (%d) exceeded for %s\n",
884 lp_max_connections(snum), lp_servicename(snum)));
886 *pstatus = NT_STATUS_INSUFFICIENT_RESOURCES;
891 * Get us an entry in the connections db
893 if (!claim_connection(conn, lp_servicename(snum), 0)) {
894 DEBUG(1, ("Could not store connections entry\n"));
896 *pstatus = NT_STATUS_INTERNAL_DB_ERROR;
900 /* Preexecs are done here as they might make the dir we are to ChDir
902 /* execute any "root preexec = " line */
903 if (*lp_rootpreexec(snum)) {
904 char *cmd = talloc_sub_advanced(talloc_tos(),
905 lp_servicename(SNUM(conn)),
906 conn->server_info->unix_name,
908 conn->server_info->utok.gid,
909 conn->server_info->sanitized_username,
910 pdb_get_domain(conn->server_info->sam_account),
911 lp_rootpreexec(snum));
912 DEBUG(5,("cmd=%s\n",cmd));
913 ret = smbrun(cmd,NULL);
915 if (ret != 0 && lp_rootpreexec_close(snum)) {
916 DEBUG(1,("root preexec gave %d - failing "
917 "connection\n", ret));
918 yield_connection(conn, lp_servicename(snum));
920 *pstatus = NT_STATUS_ACCESS_DENIED;
925 /* USER Activites: */
926 if (!change_to_user(conn, conn->vuid)) {
927 /* No point continuing if they fail the basic checks */
928 DEBUG(0,("Can't become connected user!\n"));
929 yield_connection(conn, lp_servicename(snum));
931 *pstatus = NT_STATUS_LOGON_FAILURE;
935 /* Remember that a different vuid can connect later without these
938 /* Preexecs are done here as they might make the dir we are to ChDir
941 /* execute any "preexec = " line */
942 if (*lp_preexec(snum)) {
943 char *cmd = talloc_sub_advanced(talloc_tos(),
944 lp_servicename(SNUM(conn)),
945 conn->server_info->unix_name,
947 conn->server_info->utok.gid,
948 conn->server_info->sanitized_username,
949 pdb_get_domain(conn->server_info->sam_account),
951 ret = smbrun(cmd,NULL);
953 if (ret != 0 && lp_preexec_close(snum)) {
954 DEBUG(1,("preexec gave %d - failing connection\n",
956 *pstatus = NT_STATUS_ACCESS_DENIED;
961 #ifdef WITH_FAKE_KASERVER
962 if (lp_afs_share(snum)) {
967 /* Add veto/hide lists */
968 if (!IS_IPC(conn) && !IS_PRINT(conn)) {
969 set_namearray( &conn->veto_list, lp_veto_files(snum));
970 set_namearray( &conn->hide_list, lp_hide_files(snum));
971 set_namearray( &conn->veto_oplock_list, lp_veto_oplocks(snum));
972 set_namearray( &conn->aio_write_behind_list,
973 lp_aio_write_behind(snum));
976 /* Invoke VFS make connection hook - do this before the VFS_STAT call
977 to allow any filesystems needing user credentials to initialize
980 if (SMB_VFS_CONNECT(conn, lp_servicename(snum),
981 conn->server_info->unix_name) < 0) {
982 DEBUG(0,("make_connection: VFS make connection failed!\n"));
983 *pstatus = NT_STATUS_UNSUCCESSFUL;
987 /* Any error exit after here needs to call the disconnect hook. */
988 on_err_call_dis_hook = true;
990 /* win2000 does not check the permissions on the directory
991 during the tree connect, instead relying on permission
992 check during individual operations. To match this behaviour
993 I have disabled this chdir check (tridge) */
994 /* the alternative is just to check the directory exists */
995 if ((ret = SMB_VFS_STAT(conn, conn->connectpath, &st)) != 0 ||
996 !S_ISDIR(st.st_ex_mode)) {
997 if (ret == 0 && !S_ISDIR(st.st_ex_mode)) {
998 DEBUG(0,("'%s' is not a directory, when connecting to "
999 "[%s]\n", conn->connectpath,
1000 lp_servicename(snum)));
1002 DEBUG(0,("'%s' does not exist or permission denied "
1003 "when connecting to [%s] Error was %s\n",
1004 conn->connectpath, lp_servicename(snum),
1007 *pstatus = NT_STATUS_BAD_NETWORK_NAME;
1011 string_set(&conn->origpath,conn->connectpath);
1013 #if SOFTLINK_OPTIMISATION
1014 /* resolve any soft links early if possible */
1015 if (vfs_ChDir(conn,conn->connectpath) == 0) {
1016 TALLOC_CTX *ctx = talloc_tos();
1017 char *s = vfs_GetWd(ctx,s);
1019 *status = map_nt_error_from_unix(errno);
1022 if (!set_conn_connectpath(conn,s)) {
1023 *status = NT_STATUS_NO_MEMORY;
1026 vfs_ChDir(conn,conn->connectpath);
1030 /* Figure out the characteristics of the underlying filesystem. This
1031 * assumes that all the filesystem mounted withing a share path have
1032 * the same characteristics, which is likely but not guaranteed.
1035 conn->fs_capabilities = SMB_VFS_FS_CAPABILITIES(conn);
1038 * Print out the 'connected as' stuff here as we need
1039 * to know the effective uid and gid we will be using
1040 * (at least initially).
1043 if( DEBUGLVL( IS_IPC(conn) ? 3 : 1 ) ) {
1044 dbgtext( "%s (%s) ", get_remote_machine_name(),
1045 conn->client_address );
1046 dbgtext( "%s", srv_is_signing_active(smbd_server_conn) ? "signed " : "");
1047 dbgtext( "connect to service %s ", lp_servicename(snum) );
1048 dbgtext( "initially as user %s ",
1049 conn->server_info->unix_name );
1050 dbgtext( "(uid=%d, gid=%d) ", (int)geteuid(), (int)getegid() );
1051 dbgtext( "(pid %d)\n", (int)sys_getpid() );
1054 /* we've finished with the user stuff - go back to root */
1055 change_to_root_user();
1060 change_to_root_user();
1061 if (on_err_call_dis_hook) {
1062 /* Call VFS disconnect hook */
1063 SMB_VFS_DISCONNECT(conn);
1065 yield_connection(conn, lp_servicename(snum));
1070 /****************************************************************************
1071 Make a connection to a service.
1074 ****************************************************************************/
1076 connection_struct *make_connection(const char *service_in, DATA_BLOB password,
1077 const char *pdev, uint16 vuid,
1081 user_struct *vuser = NULL;
1085 char addr[INET6_ADDRSTRLEN];
1089 /* This must ONLY BE CALLED AS ROOT. As it exits this function as
1091 if (!non_root_mode() && (euid = geteuid()) != 0) {
1092 DEBUG(0,("make_connection: PANIC ERROR. Called as nonroot "
1093 "(%u)\n", (unsigned int)euid ));
1094 smb_panic("make_connection: PANIC ERROR. Called as nonroot\n");
1097 if (conn_num_open() > 2047) {
1098 *status = NT_STATUS_INSUFF_SERVER_RESOURCES;
1102 if(lp_security() != SEC_SHARE) {
1103 vuser = get_valid_user_struct(vuid);
1105 DEBUG(1,("make_connection: refusing to connect with "
1106 "no session setup\n"));
1107 *status = NT_STATUS_ACCESS_DENIED;
1112 /* Logic to try and connect to the correct [homes] share, preferably
1113 without too many getpwnam() lookups. This is particulary nasty for
1114 winbind usernames, where the share name isn't the same as unix
1117 The snum of the homes share is stored on the vuser at session setup
1121 if (strequal(service_in,HOMES_NAME)) {
1122 if(lp_security() != SEC_SHARE) {
1123 DATA_BLOB no_pw = data_blob_null;
1124 if (vuser->homes_snum == -1) {
1125 DEBUG(2, ("[homes] share not available for "
1126 "this user because it was not found "
1127 "or created at session setup "
1129 *status = NT_STATUS_BAD_NETWORK_NAME;
1132 DEBUG(5, ("making a connection to [homes] service "
1133 "created at session setup time\n"));
1134 return make_connection_snum(vuser->homes_snum,
1138 /* Security = share. Try with
1139 * current_user_info.smb_name as the username. */
1140 if (*current_user_info.smb_name) {
1141 fstring unix_username;
1142 fstrcpy(unix_username,
1143 current_user_info.smb_name);
1144 map_username(unix_username);
1145 snum = find_service(unix_username);
1148 DEBUG(5, ("making a connection to 'homes' "
1149 "service %s based on "
1150 "security=share\n", service_in));
1151 return make_connection_snum(snum, NULL,
1156 } else if ((lp_security() != SEC_SHARE) && (vuser->homes_snum != -1)
1157 && strequal(service_in,
1158 lp_servicename(vuser->homes_snum))) {
1159 DATA_BLOB no_pw = data_blob_null;
1160 DEBUG(5, ("making a connection to 'homes' service [%s] "
1161 "created at session setup time\n", service_in));
1162 return make_connection_snum(vuser->homes_snum,
1167 fstrcpy(service, service_in);
1169 strlower_m(service);
1171 snum = find_service(service);
1174 if (strequal(service,"IPC$") ||
1175 (lp_enable_asu_support() && strequal(service,"ADMIN$"))) {
1176 DEBUG(3,("refusing IPC connection to %s\n", service));
1177 *status = NT_STATUS_ACCESS_DENIED;
1181 DEBUG(0,("%s (%s) couldn't find service %s\n",
1182 get_remote_machine_name(),
1183 client_addr(get_client_fd(),addr,sizeof(addr)),
1185 *status = NT_STATUS_BAD_NETWORK_NAME;
1189 /* Handle non-Dfs clients attempting connections to msdfs proxy */
1190 if (lp_host_msdfs() && (*lp_msdfs_proxy(snum) != '\0')) {
1191 DEBUG(3, ("refusing connection to dfs proxy share '%s' "
1192 "(pointing to %s)\n",
1193 service, lp_msdfs_proxy(snum)));
1194 *status = NT_STATUS_BAD_NETWORK_NAME;
1198 DEBUG(5, ("making a connection to 'normal' service %s\n", service));
1200 return make_connection_snum(snum, vuser,
1205 /****************************************************************************
1207 ****************************************************************************/
1209 void close_cnum(connection_struct *conn, uint16 vuid)
1211 file_close_conn(conn);
1213 if (!IS_IPC(conn)) {
1214 dptr_closecnum(conn);
1217 change_to_root_user();
1219 DEBUG(IS_IPC(conn)?3:1, ("%s (%s) closed connection to service %s\n",
1220 get_remote_machine_name(),
1221 conn->client_address,
1222 lp_servicename(SNUM(conn))));
1224 /* Call VFS disconnect hook */
1225 SMB_VFS_DISCONNECT(conn);
1227 yield_connection(conn, lp_servicename(SNUM(conn)));
1229 /* make sure we leave the directory available for unmount */
1230 vfs_ChDir(conn, "/");
1232 /* execute any "postexec = " line */
1233 if (*lp_postexec(SNUM(conn)) &&
1234 change_to_user(conn, vuid)) {
1235 char *cmd = talloc_sub_advanced(talloc_tos(),
1236 lp_servicename(SNUM(conn)),
1237 conn->server_info->unix_name,
1239 conn->server_info->utok.gid,
1240 conn->server_info->sanitized_username,
1241 pdb_get_domain(conn->server_info->sam_account),
1242 lp_postexec(SNUM(conn)));
1245 change_to_root_user();
1248 change_to_root_user();
1249 /* execute any "root postexec = " line */
1250 if (*lp_rootpostexec(SNUM(conn))) {
1251 char *cmd = talloc_sub_advanced(talloc_tos(),
1252 lp_servicename(SNUM(conn)),
1253 conn->server_info->unix_name,
1255 conn->server_info->utok.gid,
1256 conn->server_info->sanitized_username,
1257 pdb_get_domain(conn->server_info->sam_account),
1258 lp_rootpostexec(SNUM(conn)));
git.samba.org / samba.git / blob