char *pszTemp;
DEBUG(3,("checking whether %s is a valid printer name...\n", service));
- pszTemp = PRINTCAP;
+ pszTemp = lp_printcapname();
if ((pszTemp != NULL) && pcap_printername_ok(service, pszTemp))
{
DEBUG(3,("%s is a valid printer name\n", service));
do some basic sainity checks on the share.
This function modifies dev, ecode.
****************************************************************************/
-static NTSTATUS share_sanity_checks(int snum, pstring dev)
+static NTSTATUS share_sanity_checks(int snum, fstring dev)
{
if (!lp_snum_ok(snum) ||
return NT_STATUS_ACCESS_DENIED;
}
- /* you can only connect to the IPC$ service as an ipc device */
- if (strequal(lp_fstype(snum), "IPC"))
- pstrcpy(dev,"IPC");
-
if (dev[0] == '?' || !dev[0]) {
if (lp_print_ok(snum)) {
- pstrcpy(dev,"LPT1:");
+ fstrcpy(dev,"LPT1:");
+ } else if (strequal(lp_fstype(snum), "IPC")) {
+ fstrcpy(dev, "IPC");
} else {
- pstrcpy(dev,"A:");
+ fstrcpy(dev,"A:");
}
}
- /* if the request is as a printer and you can't print then refuse */
strupper(dev);
- if (!lp_print_ok(snum) && (strncmp(dev,"LPT",3) == 0)) {
- DEBUG(1,("Attempt to connect to non-printer as a printer\n"));
+
+ if (lp_print_ok(snum)) {
+ if (!strequal(dev, "LPT1:")) {
+ return NT_STATUS_BAD_DEVICE_TYPE;
+ }
+ } else if (strequal(lp_fstype(snum), "IPC")) {
+ if (!strequal(dev, "IPC")) {
+ return NT_STATUS_BAD_DEVICE_TYPE;
+ }
+ } else if (!strequal(dev, "A:")) {
return NT_STATUS_BAD_DEVICE_TYPE;
}
/* Behave as a printer if we are supposed to */
if (lp_print_ok(snum) && (strcmp(dev, "A:") == 0)) {
- pstrcpy(dev, "LPT1:");
+ fstrcpy(dev, "LPT1:");
}
return NT_STATUS_OK;
/****************************************************************************
readonly share?
****************************************************************************/
-static void set_read_only(connection_struct *conn)
+static void set_read_only(connection_struct *conn, gid_t *groups, size_t n_groups)
{
char **list;
char *service = lp_servicename(conn->service);
if (!str_list_substitute(list, "%S", service)) {
DEBUG(0, ("ERROR: read list substitution failed\n"));
}
- if (user_in_list(conn->user, list))
+ if (user_in_list(conn->user, (const char **)list, groups, n_groups))
conn->read_only = True;
str_list_free(&list);
}
if (!str_list_substitute(list, "%S", service)) {
DEBUG(0, ("ERROR: write list substitution failed\n"));
}
- if (user_in_list(conn->user, list))
+ if (user_in_list(conn->user, (const char **)list, groups, n_groups))
conn->read_only = False;
str_list_free(&list);
}
/****************************************************************************
admin user check
****************************************************************************/
-static void set_admin_user(connection_struct *conn)
+static void set_admin_user(connection_struct *conn, gid_t *groups, size_t n_groups)
{
/* admin user check */
marked read_only. Changed as I don't think this is needed,
but old code left in case there is a problem here.
*/
- if (user_in_list(conn->user,lp_admin_users(conn->service))
+ if (user_in_list(conn->user,lp_admin_users(conn->service), groups, n_groups)
#if 0
&& !conn->read_only
#endif
static connection_struct *make_connection_snum(int snum, user_struct *vuser,
DATA_BLOB password,
- char *dev, NTSTATUS *status)
+ const char *pdev, NTSTATUS *status)
{
struct passwd *pass = NULL;
BOOL guest = False;
connection_struct *conn;
struct stat st;
fstring user;
+ fstring dev;
+
*user = 0;
+ fstrcpy(dev, pdev);
if (NT_STATUS_IS_ERR(*status = share_sanity_checks(snum, dev))) {
return NULL;
} else if (vuser) {
if (vuser->guest) {
if (!lp_guest_ok(snum)) {
- DEBUG(2, ("guest user (from session setup) not permitted to access this share (%s)", lp_servicename(snum)));
+ DEBUG(2, ("guest user (from session setup) not permitted to access this share (%s)\n", lp_servicename(snum)));
conn_free(conn);
*status = NT_STATUS_ACCESS_DENIED;
return NULL;
}
} else {
- if (!user_ok(vuser->user.unix_name, snum)) {
- DEBUG(2, ("user '%s' (from session setup) not permitted to access this share (%s)", vuser->user.unix_name, lp_servicename(snum)));
+ if (!user_ok(vuser->user.unix_name, snum, vuser->groups, vuser->n_groups)) {
+ DEBUG(2, ("user '%s' (from session setup) not permitted to access this share (%s)\n", vuser->user.unix_name, lp_servicename(snum)));
conn_free(conn);
*status = NT_STATUS_ACCESS_DENIED;
return NULL;
string_set(&conn->user,user);
conn->nt_user_token = NULL;
- set_read_only(conn);
+ set_read_only(conn, vuser ? vuser->groups : NULL, vuser ? vuser->n_groups : 0);
- set_admin_user(conn);
+ set_admin_user(conn, vuser ? vuser->groups : NULL, vuser ? vuser->n_groups : 0);
/*
* If force user is true, then store the
pstring tmp_gname;
BOOL user_must_be_member = False;
- StrnCpy(tmp_gname,lp_force_group(snum),sizeof(pstring)-1);
+ pstrcpy(tmp_gname,lp_force_group(snum));
if (tmp_gname[0] == '+') {
user_must_be_member = True;
- StrnCpy(gname,&tmp_gname[1],sizeof(pstring)-2);
+ /* even now, tmp_gname is null terminated */
+ pstrcpy(gname,&tmp_gname[1]);
} else {
- StrnCpy(gname,tmp_gname,sizeof(pstring)-1);
+ pstrcpy(gname,tmp_gname);
}
/* default service may be a group name */
pstring_sub(gname,"%S",lp_servicename(snum));
* Otherwise, the meaning of the '+' would be ignored.
*/
if (conn->force_user && user_must_be_member) {
- if (user_in_group_list( user, gname )) {
+ if (user_in_group_list( user, gname, NULL, 0)) {
conn->gid = gid;
DEBUG(3,("Forced group %s for member %s\n",gname,user));
}
if (!smbd_vfs_init(conn)) {
DEBUG(0, ("vfs_init failed for service %s\n", lp_servicename(SNUM(conn))));
conn_free(conn);
- *status = NT_STATUS_UNSUCCESSFUL;
+ *status = NT_STATUS_BAD_NETWORK_NAME;
return NULL;
}
if (!claim_connection(conn,
lp_servicename(SNUM(conn)),
lp_max_connections(SNUM(conn)),
- False)) {
+ False,0)) {
DEBUG(1,("too many connections - rejected\n"));
conn_free(conn);
*status = NT_STATUS_INSUFFICIENT_RESOURCES;
DEBUG(1,("root preexec gave %d - failing connection\n", ret));
yield_connection(conn, lp_servicename(SNUM(conn)));
conn_free(conn);
- *status = NT_STATUS_UNSUCCESSFUL;
+ *status = NT_STATUS_ACCESS_DENIED;
return NULL;
}
}
*status = NT_STATUS_LOGON_FAILURE;
return NULL;
}
-
+
/* Remember that a different vuid can connect later without these checks... */
/* Preexecs are done here as they might make the dir we are to ChDir to below */
change_to_root_user();
yield_connection(conn, lp_servicename(SNUM(conn)));
conn_free(conn);
- *status = NT_STATUS_UNSUCCESSFUL;
+ *status = NT_STATUS_ACCESS_DENIED;
return NULL;
}
}
**************************************************************************************/
connection_struct *make_connection_with_chdir(const char *service_in, DATA_BLOB password,
- char *dev, uint16 vuid, NTSTATUS *status)
+ const char *dev, uint16 vuid, NTSTATUS *status)
{
connection_struct *conn = NULL;
****************************************************************************/
connection_struct *make_connection(const char *service_in, DATA_BLOB password,
- char *dev, uint16 vuid, NTSTATUS *status)
+ const char *pdev, uint16 vuid, NTSTATUS *status)
{
uid_t euid;
user_struct *vuser = NULL;
- pstring service;
+ fstring service;
+ fstring dev;
int snum = -1;
+ fstrcpy(dev, pdev);
+
/* This must ONLY BE CALLED AS ROOT. As it exits this function as root. */
if (!non_root_mode() && (euid = geteuid()) != 0) {
DEBUG(0,("make_connection: PANIC ERROR. Called as nonroot (%u)\n", (unsigned int)euid ));
if(lp_security() != SEC_SHARE) {
DATA_BLOB no_pw = data_blob(NULL, 0);
if (vuser->homes_snum == -1) {
- DEBUG(2, ("[homes] share not available for this user becouse it was not found or created at session setup time\n"));
+ DEBUG(2, ("[homes] share not available for this user because it was not found or created at session setup time\n"));
*status = NT_STATUS_BAD_NETWORK_NAME;
return NULL;
}
dev, status);
}
- pstrcpy(service, service_in);
+ fstrcpy(service, service_in);
strlower(service);
return NULL;
}
+ /* Handle non-Dfs clients attempting connections to msdfs proxy */
+ if (lp_host_msdfs() && (*lp_msdfs_proxy(snum) != '\0')) {
+ DEBUG(3, ("refusing connection to dfs proxy '%s'\n", service));
+ *status = NT_STATUS_BAD_NETWORK_NAME;
+ return NULL;
+ }
+
DEBUG(5, ("making a connection to 'normal' service %s\n", service));
return make_connection_snum(snum, vuser,
git.samba.org / tprouty / samba.git / blobdiff