*local* people, there's nothing for you here...).
*****************************************************************/
-BOOL name_is_local(const char *name)
+static BOOL name_is_local(const char *name)
{
return !(strchr_m(name, *lp_winbind_separator()));
}
} else if (lp_winbind_use_default_domain()) {
fstrcpy(username, name);
fstrcpy(domain, lp_workgroup());
- } else
+ } else {
return False;
-
+ }
+
DEBUG(10,("split_domain_and_name: all is fine, domain is |%s| and name is |%s|\n", domain, username));
return True;
}
return(pass->pw_dir);
}
-/****************************************************************************
- Get a users service home directory.
-****************************************************************************/
-
-char *get_user_service_home_dir(const char *user)
-{
- static struct passwd *pass;
- int snum;
-
- /* Ensure the user exists. */
-
- pass = Get_Pwnam(user);
-
- if (!pass)
- return(NULL);
-
- /* If a path is specified in [homes] then use it instead of the
- user's home directory from struct passwd. */
-
- if ((snum = lp_servicenumber(HOMES_NAME)) != -1) {
- static pstring home_dir;
-
- pstrcpy(home_dir, lp_pathname(snum));
- standard_sub_home(snum, user, home_dir);
-
- if (home_dir[0])
- return home_dir;
- }
-
- /* Return home directory from struct passwd. */
-
- return(pass->pw_dir);
-}
-
/*******************************************************************
Map a username from a dos name to a unix name by looking in the username
map. Note that this modifies the name in place.
}
}
- dosuserlist = lp_list_make(dosname);
+ dosuserlist = str_list_make(dosname, NULL);
if (!dosuserlist) {
DEBUG(0,("Unable to build user list\n"));
return False;
}
- if (strchr_m(dosname,'*') || user_in_list(user, dosuserlist)) {
+ if (strchr_m(dosname,'*') || user_in_list(user, (const char **)dosuserlist, NULL, 0)) {
DEBUG(3,("Mapped user %s to %s\n",user,unixname));
mapped_user = True;
fstrcpy(last_from,user);
sscanf(unixname,"%s",user);
fstrcpy(last_to,user);
if(return_if_mapped) {
- lp_list_free (&dosuserlist);
+ str_list_free (&dosuserlist);
x_fclose(f);
return True;
}
}
- lp_list_free (&dosuserlist);
+ str_list_free (&dosuserlist);
}
x_fclose(f);
* - using lp_usernamelevel() for permutations.
****************************************************************************/
-struct passwd *Get_Pwnam_internals(const char *user, char *user2)
+static struct passwd *Get_Pwnam_ret = NULL;
+
+static struct passwd *Get_Pwnam_internals(const char *user, char *user2)
{
struct passwd *ret = NULL;
/* Try in all lower case first as this is the most
common case on UNIX systems */
- strlower(user2);
+ strlower_m(user2);
DEBUG(5,("Trying _Get_Pwnam(), username as lowercase is %s\n",user2));
- ret = sys_getpwnam(user2);
+ ret = getpwnam_alloc(user2);
if(ret)
goto done;
/* Try as given, if username wasn't originally lowercase */
- if(strcmp(user,user2) != 0) {
- DEBUG(5,("Trying _Get_Pwnam(), username as given is %s\n",user));
- ret = sys_getpwnam(user);
+ if(strcmp(user, user2) != 0) {
+ DEBUG(5,("Trying _Get_Pwnam(), username as given is %s\n", user));
+ ret = getpwnam_alloc(user);
if(ret)
goto done;
}
/* Try as uppercase, if username wasn't originally uppercase */
- strupper(user2);
- if(strcmp(user,user2) != 0) {
- DEBUG(5,("Trying _Get_Pwnam(), username as uppercase is %s\n",user2));
- ret = sys_getpwnam(user2);
+ strupper_m(user2);
+ if(strcmp(user, user2) != 0) {
+ DEBUG(5,("Trying _Get_Pwnam(), username as uppercase is %s\n", user2));
+ ret = getpwnam_alloc(user2);
if(ret)
goto done;
}
/* Try all combinations up to usernamelevel */
- strlower(user2);
- DEBUG(5,("Checking combinations of %d uppercase letters in %s\n",lp_usernamelevel(),user2));
- ret = uname_string_combinations(user2, sys_getpwnam, lp_usernamelevel());
+ strlower_m(user2);
+ DEBUG(5,("Checking combinations of %d uppercase letters in %s\n", lp_usernamelevel(), user2));
+ ret = uname_string_combinations(user2, getpwnam_alloc, lp_usernamelevel());
done:
- DEBUG(5,("Get_Pwnam %s find a valid username!\n",ret ? "did":"didn't"));
- return ret;
-}
+ DEBUG(5,("Get_Pwnam_internals %s find user [%s]!\n",ret ? "did":"didn't", user));
-/****************************************************************************
- Get_Pwnam wrapper for modification.
- NOTE: This can potentially modify 'user'!
-****************************************************************************/
+ /* This call used to just return the 'passwd' static buffer.
+ This could then have accidental reuse implications, so
+ we now malloc a copy, and free it in the next use.
-struct passwd *Get_Pwnam_Modify(char *user)
-{
- fstring user2;
- struct passwd *ret;
+ This should cause the (ab)user to segfault if it
+ uses an old struct.
+
+ This is better than useing the wrong data in security
+ critical operations.
- fstrcpy(user2, user);
+ The real fix is to make the callers free the returned
+ malloc'ed data.
+ */
- ret = Get_Pwnam_internals(user, user2);
+ if (Get_Pwnam_ret) {
+ passwd_free(&Get_Pwnam_ret);
+ }
- /* If caller wants the modified username, ensure they get it */
- fstrcpy(user,user2);
+ Get_Pwnam_ret = ret;
- /* We can safely assume ret is NULL if none of the above succeed */
- return(ret);
+ return ret;
}
/****************************************************************************
fstring user2;
struct passwd *ret;
+ if ( *user == '\0' ) {
+ DEBUG(10,("Get_Pwnam: empty username!\n"));
+ return NULL;
+ }
+
fstrcpy(user2, user);
+ DEBUG(5,("Finding user %s\n", user));
+
ret = Get_Pwnam_internals(user, user2);
- /* We can safely assume ret is NULL if none of the above succeed */
- return(ret);
+ return ret;
}
/****************************************************************************
- Check if a user is in a netgroup user list.
+ Check if a user is in a netgroup user list. If at first we don't succeed,
+ try lower case.
****************************************************************************/
static BOOL user_in_netgroup_list(const char *user, const char *ngname)
{
#ifdef HAVE_NETGROUP
static char *mydomain = NULL;
+ fstring lowercase_user;
+
if (mydomain == NULL)
yp_get_default_domain(&mydomain);
DEBUG(5,("looking for user %s of domain %s in netgroup %s\n",
user, mydomain, ngname));
- DEBUG(5,("innetgr is %s\n", innetgr(ngname, NULL, user, mydomain)
- ? "TRUE" : "FALSE"));
- if (innetgr(ngname, NULL, user, mydomain))
+ if (innetgr(ngname, NULL, user, mydomain)) {
+ DEBUG(5,("user_in_netgroup_list: Found\n"));
return (True);
+ } else {
+
+ /*
+ * Ok, innetgr is case sensitive. Try once more with lowercase
+ * just in case. Attempt to fix #703. JRA.
+ */
+
+ fstrcpy(lowercase_user, user);
+ strlower_m(lowercase_user);
+
+ DEBUG(5,("looking for user %s of domain %s in netgroup %s\n",
+ lowercase_user, mydomain, ngname));
+
+ if (innetgr(ngname, NULL, lowercase_user, mydomain)) {
+ DEBUG(5,("user_in_netgroup_list: Found\n"));
+ return (True);
+ }
+ }
#endif /* HAVE_NETGROUP */
return False;
}
static BOOL user_in_winbind_group_list(const char *user, const char *gname, BOOL *winbind_answered)
{
- int num_groups;
int i;
- gid_t *groups = NULL;
- gid_t gid;
+ gid_t gid, gid_low, gid_high;
BOOL ret = False;
+ static gid_t *groups = NULL;
+ static int num_groups = 0;
+ static fstring last_user = "";
*winbind_answered = False;
- /*
- * Get the gid's that this user belongs to.
- */
+ if ((gid = nametogid(gname)) == (gid_t)-1) {
+ DEBUG(0,("user_in_winbind_group_list: nametogid for group %s failed.\n",
+ gname ));
+ goto err;
+ }
+
+ if (!lp_idmap_gid(&gid_low, &gid_high)) {
+ DEBUG(4, ("winbind gid range not configured, therefore %s cannot be a winbind group\n", gname));
+ goto err;
+ }
+
+ if (gid < gid_low || gid > gid_high) {
+ DEBUG(4, ("group %s is not a winbind group\n", gname));
+ goto err;
+ }
- if ((num_groups = winbind_getgroups(user, 0, NULL)) == -1)
- return False;
+ /* try to user the last user we looked up */
+ /* otherwise fall back to lookups */
+
+ if ( !strequal( last_user, user ) || !groups )
+ {
+ /* clear any cached information */
+
+ SAFE_FREE(groups);
+ fstrcpy( last_user, "" );
+
+ /*
+ * Get the gid's that this user belongs to.
+ */
- if (num_groups == 0) {
- *winbind_answered = True;
- return False;
- }
+ if ((num_groups = winbind_getgroups(user, &groups)) == -1)
+ return False;
+
+ if ( num_groups == -1 )
+ return False;
- if ((groups = (gid_t *)malloc(sizeof(gid_t) * num_groups )) == NULL) {
- DEBUG(0,("user_in_winbind_group_list: malloc fail.\n"));
- goto err;
- }
+ if ( num_groups == 0 ) {
+ *winbind_answered = True;
+ return False;
+ }
+
+ /* save the last username */
+
+ fstrcpy( last_user, user );
+
+ }
+ else
+ DEBUG(10,("user_in_winbind_group_list: using cached user groups for [%s]\n", user));
- if ((num_groups = winbind_getgroups(user, num_groups, groups)) == -1) {
- DEBUG(0,("user_in_winbind_group_list: second winbind_getgroups call \
-failed with error %s\n", strerror(errno) ));
- goto err;
+ if ( DEBUGLEVEL >= 10 ) {
+ DEBUG(10,("user_in_winbind_group_list: using groups -- "));
+ for ( i=0; i<num_groups; i++ )
+ DEBUGADD(10,("%lu ", (unsigned long)groups[i]));
+ DEBUGADD(10,("\n"));
}
/*
* to a gid_t via either winbind or the local UNIX lookup and do the comparison.
*/
- if ((gid = nametogid(gname)) == (gid_t)-1) {
- DEBUG(0,("user_in_winbind_group_list: winbind_lookup_name for group %s failed.\n",
- gname ));
- goto err;
- }
-
for (i = 0; i < num_groups; i++) {
if (gid == groups[i]) {
ret = True;
Check if a user is in a UNIX group.
****************************************************************************/
-static BOOL user_in_unix_group_list(const char *user,const char *gname)
+BOOL user_in_unix_group_list(const char *user,const char *gname)
{
struct passwd *pass = Get_Pwnam(user);
struct sys_userlist *user_list;
Check if a user is in a group list. Ask winbind first, then use UNIX.
****************************************************************************/
-BOOL user_in_group_list(const char *user, const char *gname)
+BOOL user_in_group_list(const char *user, const char *gname, gid_t *groups, size_t n_groups)
{
BOOL winbind_answered = False;
BOOL ret;
+ gid_t gid;
+ unsigned i;
+
+ gid = nametogid(gname);
+ if (gid == (gid_t)-1)
+ return False;
+
+ if (groups && n_groups > 0) {
+ for (i=0; i < n_groups; i++) {
+ if (groups[i] == gid) {
+ return True;
+ }
+ }
+ return False;
+ }
+
+ /* fallback if we don't yet have the group list */
ret = user_in_winbind_group_list(user, gname, &winbind_answered);
if (!winbind_answered)
and netgroup lists.
****************************************************************************/
-BOOL user_in_list(const char *user,char **list)
+BOOL user_in_list(const char *user,const char **list, gid_t *groups, size_t n_groups)
{
if (!list || !*list)
return False;
while (*list) {
- DEBUG(10,("user_in_list: checking user |%s| in group |%s|\n", user, *list));
+ DEBUG(10,("user_in_list: checking user |%s| against |%s|\n", user, *list));
/*
* Check raw username.
*/
if(user_in_netgroup_list(user, *list +1))
return True;
- if(user_in_group_list(user, *list +1))
+ if(user_in_group_list(user, *list +1, groups, n_groups))
return True;
} else if (**list == '+') {
/*
* Search UNIX list followed by netgroup.
*/
- if(user_in_group_list(user, *list +2))
+ if(user_in_group_list(user, *list +2, groups, n_groups))
return True;
if(user_in_netgroup_list(user, *list +2))
return True;
* Just search UNIX list.
*/
- if(user_in_group_list(user, *list +1))
+ if(user_in_group_list(user, *list +1, groups, n_groups))
return True;
}
*/
if(user_in_netgroup_list(user, *list +2))
return True;
- if(user_in_group_list(user, *list +2))
+ if(user_in_group_list(user, *list +2, groups, n_groups))
return True;
} else {
/*
fstrcpy(domain, *list);
domain[PTR_DIFF(p, *list)] = 0;
- /* Check to see if name is a Windows group */
- if (winbind_lookup_name(domain, groupname, &g_sid, &name_type) && name_type == SID_NAME_DOM_GRP) {
+ /* Check to see if name is a Windows group; Win2k native mode DCs
+ will return domain local groups; while NT4 or mixed mode 2k DCs
+ will not */
+
+ if ( winbind_lookup_name(domain, groupname, &g_sid, &name_type)
+ && ( name_type==SID_NAME_DOM_GRP ||
+ (strequal(lp_workgroup(), domain) && name_type==SID_NAME_ALIAS) ) )
+ {
- /* Check if user name is in the Windows group */
+ /* Check if user name is in the Windows group */
ret = user_in_winbind_group_list(user, *list, &winbind_answered);
if (winbind_answered && ret == True) {
return(NULL);
}
-/****************************************************************************
- These wrappers allow appliance mode to work. In appliance mode the username
- takes the form DOMAIN/user.
-****************************************************************************/
-
-struct passwd *smb_getpwnam(char *user, BOOL allow_change)
-{
- struct passwd *pw;
- char *p;
- char *sep;
- extern pstring global_myname;
-
- if (allow_change)
- pw = Get_Pwnam_Modify(user);
- else
- pw = Get_Pwnam(user);
-
- if (pw)
- return pw;
-
- /*
- * If it is a domain qualified name and it isn't in our password
- * database but the domain portion matches our local machine name then
- * lookup just the username portion locally.
- */
-
- sep = lp_winbind_separator();
- p = strchr_m(user,*sep);
- if (p && strncasecmp(global_myname, user, strlen(global_myname))==0) {
- if (allow_change)
- pw = Get_Pwnam_Modify(p+1);
- else
- pw = Get_Pwnam(p+1);
- }
- return NULL;
-}