/*
- Unix SMB/Netbios implementation.
- Version 1.9.
+ Unix SMB/CIFS implementation.
Username handling
Copyright (C) Andrew Tridgell 1992-1998
+ Copyright (C) Jeremy Allison 1997-2001.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
*/
#include "includes.h"
-extern int DEBUGLEVEL;
/* internal functions */
-static struct passwd *uname_string_combinations(char *s, struct passwd * (*fn) (char *), int N);
-static struct passwd *uname_string_combinations2(char *s, int offset, struct passwd * (*fn) (char *), int N);
+static struct passwd *uname_string_combinations(char *s, struct passwd * (*fn) (const char *), int N);
+static struct passwd *uname_string_combinations2(char *s, int offset, struct passwd * (*fn) (const char *), int N);
-/****************************************************************************
- Since getpwnam() makes samba really slow with the NT-domain code
- (reading /etc/passwd again and again and again), here is an implementation
- of very simple passwd cache
-****************************************************************************/
-#define PASSWD_HASH_SIZE 1009
-/* The hashtable is rebuild every 15 seconds */
-#define PASSWD_HASH_AGE 15
-struct passwd_hash_entry {
- int entry;
- int next;
-};
-
-struct passwd_hash_table_s {
- struct passwd *passwds;
- int passwds_size;
- int *names;
- int *uids;
- struct passwd_hash_entry *entries;
- int entries_size;
- struct timeval build_time;
-} passwd_hash_table = {
- NULL,0,NULL,NULL,NULL,0,{0,0}
-};
-
-static int name_hash_function(const char *name)
-{
- /* I guess that there must be better hash functions. This one was the
- * first to come into mind :) */
- unsigned int value=0;
- while (*name) {
- value=(value<<8)|(unsigned char)(*name);
- if (value>1048576) value=value%PASSWD_HASH_SIZE;
- name++;
- }
- value=value%PASSWD_HASH_SIZE;
- return value;
-}
-
-static int uid_hash_function(uid_t uid)
-{
- return uid%PASSWD_HASH_SIZE;
-}
+/*****************************************************************
+ Check if a user or group name is local (this is a *local* name for
+ *local* people, there's nothing for you here...).
+*****************************************************************/
-
-static BOOL build_passwd_hash_table(void)
+static BOOL name_is_local(const char *name)
{
- struct passwd_hash_table_s *pht=&passwd_hash_table; /* Convenience */
- int num_passwds=0;
- int num_entries=0;
- struct passwd *pass;
- int i;
- int name_i,uid_i;
-
- DEBUG(3,("Building passwd hash table\n"));
- /* Free the allocated strings in old hash table */
- for (i=0;i<pht->passwds_size;i++) {
- free(pht->passwds[i].pw_name);
- free(pht->passwds[i].pw_passwd);
- free(pht->passwds[i].pw_gecos);
- free(pht->passwds[i].pw_dir);
- free(pht->passwds[i].pw_shell);
- }
-
- /* Initialize hash table if first table build */
- if (pht->passwds_size==0) {
- DEBUG(3,("Building passwd hash table for the first time\n"));
- pht->passwds=malloc(sizeof(struct passwd)*64); /* A reasonable default */
- pht->passwds_size=64;
- }
- if (pht->names==NULL) {
- pht->names=malloc(sizeof(struct passwd_hash_entry *)*PASSWD_HASH_SIZE);
- }
- if (pht->uids==NULL) {
- pht->uids=malloc(sizeof(struct passwd_hash_entry *)*PASSWD_HASH_SIZE);
- }
- if (pht->entries==NULL) {
- pht->entries=malloc(sizeof(struct passwd_hash_entry)*128);
- pht->entries_size=128;
- }
- if (pht->passwds==NULL || pht->names==NULL ||
- pht->uids==NULL || pht->entries==NULL) {
- goto fail;
- }
-
- /* Clear out the hash table */
- for(i=0;i<PASSWD_HASH_SIZE;i++) pht->uids[i]=-1;
- for(i=0;i<PASSWD_HASH_SIZE;i++) pht->names[i]=-1;
-
- /* Now do the build */
- setpwent();
-
- while((pass=getpwent())) {
-
- /* Check that we have enough space */
- if (num_passwds==pht->passwds_size) {
- struct passwd *new_passwds=NULL;
- pht->passwds_size+=pht->passwds_size/2;
- new_passwds=realloc(pht->passwds,
- sizeof(struct passwd)*pht->passwds_size);
- if (new_passwds==NULL) goto fail;
- pht->passwds=new_passwds;
- }
- if (num_entries+1>=pht->entries_size) {
- pht->entries_size+=pht->entries_size/2;
- pht->entries=realloc(pht->entries,
- sizeof(struct passwd_hash_entry)*pht->entries_size);
- if (pht->entries==NULL) goto fail;
- }
-
- /* Copy the passwd struct */
- memset(&pht->passwds[num_passwds],0,sizeof(struct passwd));
- pht->passwds[num_passwds].pw_uid=pass->pw_uid;
- pht->passwds[num_passwds].pw_gid=pass->pw_gid;
- if (
- (pht->passwds[num_passwds].pw_name=strdup(pass->pw_name))==NULL ||
- (pht->passwds[num_passwds].pw_passwd=strdup(pass->pw_passwd))==NULL ||
- (pht->passwds[num_passwds].pw_gecos=strdup(pass->pw_gecos))==NULL ||
- (pht->passwds[num_passwds].pw_dir=strdup(pass->pw_dir))==NULL ||
- (pht->passwds[num_passwds].pw_shell=strdup(pass->pw_shell))==NULL ) {
- num_passwds++;
- goto fail;
- }
-
- /* Add to the hash table */
- /* Add the name */
- pht->entries[num_entries].entry=num_passwds;
- name_i=name_hash_function(pass->pw_name);
- pht->entries[num_entries].next=pht->names[name_i];
- pht->names[name_i]=num_entries;
- num_entries++;
- /* Add the uid */
- pht->entries[num_entries].entry=num_passwds;
- uid_i=uid_hash_function(pass->pw_uid);
- pht->entries[num_entries].next=pht->uids[uid_i];
- pht->uids[uid_i]=num_entries;
- num_entries++;
-
- /* This entry has been done */
- num_passwds++;
- }
- endpwent();
-
- if (pht->passwds_size>num_passwds) {
- struct passwd *passwds;
- passwds=realloc(pht->passwds,sizeof(pht->passwds[0])*num_passwds);
- if (passwds==NULL) goto fail;
- pht->passwds=passwds;
- pht->passwds_size=num_passwds;
- }
- if (pht->entries_size>num_entries) {
- struct passwd_hash_entry *entries;
- entries=realloc(pht->entries,sizeof(pht->entries[0])*num_entries);
- if (entries==NULL) goto fail;
- pht->entries=entries;
- pht->entries_size=num_entries;
- }
-
- /* Mark the creation time */
- GetTimeOfDay(&pht->build_time);
- /* Everything went smoothly. */
- return True;
-
- fail:
- DEBUG(0,("Failed to create passwd hash table: %s",strerror(errno)));
- /* OK: now the untested part. Normally this should never happen:
- * Only running out of memory could cause this and even then
- * we have enough trouble already. */
- while (num_passwds>0) {
- num_passwds--;
- free(pht->passwds[num_passwds].pw_name);
- free(pht->passwds[num_passwds].pw_passwd);
- free(pht->passwds[num_passwds].pw_gecos);
- free(pht->passwds[num_passwds].pw_dir);
- free(pht->passwds[num_passwds].pw_shell);
- }
- free(pht->entries);
- free(pht->uids);
- free(pht->names);
- free(pht->passwds);
- pht->passwds_size=0;
- pht->entries_size=0;
- /* Also mark fail time, so that retry will happen after PASSWD_HASH_AGE */
- GetTimeOfDay(&pht->build_time);
- return False;
+ return !(strchr_m(name, *lp_winbind_separator()));
}
-static BOOL have_passwd_hash(void)
-{
- struct passwd_hash_table_s *pht=&passwd_hash_table;
- struct timeval tv;
- GetTimeOfDay(&tv);
- /* I'm ignoring microseconds. If you think they matter, go ahead
- * and implement them */
- if (tv.tv_sec - pht->build_time.tv_sec > PASSWD_HASH_AGE) {
- return build_passwd_hash_table();
- }
- return pht->passwds_size>0;
-}
+/*****************************************************************
+ Splits passed user or group name to domain and user/group name parts
+ Returns True if name was splitted and False otherwise.
+*****************************************************************/
-struct passwd *hashed_getpwnam(const char *name)
+BOOL split_domain_and_name(const char *name, char *domain, char* username)
{
-#ifndef USE_HASHED_GETPWNAM
- return getpwnam(name);
-#else
- struct passwd_hash_table_s *pht=&passwd_hash_table;
-
- DEBUG(5,("getpwnam(%s)\n", name));
-
- if (have_passwd_hash()) {
- int name_i=name_hash_function(name);
- int hash_index=pht->names[name_i];
- while(hash_index!=-1) {
- struct passwd *pass=&pht->passwds[pht->entries[hash_index].entry];
- if (strcmp(name,pass->pw_name)==0) {
- DEBUG(5,("Found: %s:%s:%d:%d:%s:%s:%s\n",
- pass->pw_name,
- pass->pw_passwd,
- pass->pw_uid,
- pass->pw_gid,
- pass->pw_gecos,
- pass->pw_dir,
- pass->pw_shell));
- return pass;
- }
- hash_index=pht->entries[hash_index].next;
- }
-
- /* Not found */
- DEBUG(5,("%s not found\n",name));
- return NULL;
- }
- /* Fall back to real getpwnam() */
- return getpwnam(name);
-#endif
-}
+ char *p = strchr(name,*lp_winbind_separator());
+
+
+ /* Parse a string of the form DOMAIN/user into a domain and a user */
+ DEBUG(10,("split_domain_and_name: checking whether name |%s| local or not\n", name));
+
+ if (p) {
+ fstrcpy(username, p+1);
+ fstrcpy(domain, name);
+ domain[PTR_DIFF(p, name)] = 0;
+ } else if (lp_winbind_use_default_domain()) {
+ fstrcpy(username, name);
+ fstrcpy(domain, lp_workgroup());
+ } else {
+ return False;
+ }
-/*******************************************************************
-turn a uid into a user name
-********************************************************************/
-char *uidtoname(uid_t uid)
-{
- static char name[40];
- struct passwd_hash_table_s *pht=&passwd_hash_table;
- struct passwd *pass=NULL;
-
- DEBUG(5,("uidtoname(%d)\n",uid));
- if (have_passwd_hash()) {
- int hash_index=pht->uids[uid_hash_function(uid)];
- while(hash_index!=-1) {
- pass=&pht->passwds[pht->entries[hash_index].entry];
- if (pass->pw_uid==uid) {
- DEBUG(5,("Found: %s:%s:%d:%d:%s:%s:%s\n",
- pass->pw_name,
- pass->pw_passwd,
- pass->pw_uid,
- pass->pw_gid,
- pass->pw_gecos,
- pass->pw_dir,
- pass->pw_shell));
- return pass->pw_name;
- }
- hash_index=pht->entries[hash_index].next;
- }
- DEBUG(5,("Hash miss"));
- pass=NULL;
- } else {
- /* No hash table, fall back to getpwuid */
- pass = getpwuid(uid);
- }
- if (pass) return(pass->pw_name);
- slprintf(name, sizeof(name) - 1, "%d",(int)uid);
- return(name);
+ DEBUG(10,("split_domain_and_name: all is fine, domain is |%s| and name is |%s|\n", domain, username));
+ return True;
}
/****************************************************************************
-get a users home directory.
+ Get a users home directory.
****************************************************************************/
-char *get_home_dir(char *user)
+
+char *get_user_home_dir(const char *user)
{
- const struct passwd *pass;
- static pstring home_dir;
+ static struct passwd *pass;
- pass = Get_Pwnam(user, False);
+ /* Ensure the user exists. */
- if (pass == NULL || pass->pw_dir == NULL) return(NULL);
+ pass = Get_Pwnam(user);
- pstrcpy(home_dir, pass->pw_dir);
- DEBUG(10,("get_home_dir: returning %s for user %s\n", home_dir, user));
- return home_dir;
-}
+ if (!pass)
+ return(NULL);
+ /* Return home directory from struct passwd. */
+ return(pass->pw_dir);
+}
/*******************************************************************
-map a username from a dos name to a unix name by looking in the username
-map. Note that this modifies the name in place.
-This is the main function that should be called *once* on
-any incoming or new username - in order to canonicalize the name.
-This is being done to de-couple the case conversions from the user mapping
-function. Previously, the map_username was being called
-every time Get_Pwnam was called.
-Returns True if username was changed, false otherwise.
+ Map a username from a dos name to a unix name by looking in the username
+ map. Note that this modifies the name in place.
+ This is the main function that should be called *once* on
+ any incoming or new username - in order to canonicalize the name.
+ This is being done to de-couple the case conversions from the user mapping
+ function. Previously, the map_username was being called
+ every time Get_Pwnam was called.
+ Returns True if username was changed, false otherwise.
********************************************************************/
+
BOOL map_username(char *user)
{
- static BOOL initialised=False;
- static fstring last_from,last_to;
- FILE *f;
- char *mapfile = lp_username_map();
- char *s;
- pstring buf;
- BOOL mapped_user = False;
-
- if (!*user)
- return False;
-
- if (!*mapfile)
- return False;
-
- if (!initialised) {
- *last_from = *last_to = 0;
- initialised = True;
- }
-
- if (strequal(user,last_to))
- return False;
-
- if (strequal(user,last_from)) {
- DEBUG(3,("Mapped user %s to %s\n",user,last_to));
- fstrcpy(user,last_to);
- return True;
- }
-
- f = sys_fopen(mapfile,"r");
- if (!f) {
- DEBUG(0,("can't open username map %s\n",mapfile));
- return False;
- }
-
- DEBUG(4,("Scanning username map %s\n",mapfile));
-
- while((s=fgets_slash(buf,sizeof(buf),f))!=NULL) {
- char *unixname = s;
- char *dosname = strchr(unixname,'=');
- BOOL return_if_mapped = False;
-
- if (!dosname)
- continue;
-
- *dosname++ = 0;
-
- while (isspace(*unixname))
- unixname++;
- if ('!' == *unixname) {
- return_if_mapped = True;
- unixname++;
- while (*unixname && isspace(*unixname))
- unixname++;
- }
-
- if (!*unixname || strchr("#;",*unixname))
- continue;
-
- {
- int l = strlen(unixname);
- while (l && isspace(unixname[l-1])) {
- unixname[l-1] = 0;
- l--;
- }
- }
-
- if (strchr(dosname,'*') || user_in_list(user,dosname)) {
- DEBUG(3,("Mapped user %s to %s\n",user,unixname));
- mapped_user = True;
- fstrcpy(last_from,user);
- sscanf(unixname,"%s",user);
- fstrcpy(last_to,user);
- if(return_if_mapped) {
- fclose(f);
- return True;
- }
- }
- }
-
- fclose(f);
-
- /*
- * Setup the last_from and last_to as an optimization so
- * that we don't scan the file again for the same user.
- */
- fstrcpy(last_from,user);
- fstrcpy(last_to,user);
-
- return mapped_user;
-}
+ static BOOL initialised=False;
+ static fstring last_from,last_to;
+ XFILE *f;
+ char *mapfile = lp_username_map();
+ char *s;
+ pstring buf;
+ BOOL mapped_user = False;
+
+ if (!*user)
+ return False;
+
+ if (!*mapfile)
+ return False;
+
+ if (!initialised) {
+ *last_from = *last_to = 0;
+ initialised = True;
+ }
-/****************************************************************************
-Get_Pwnam wrapper
-****************************************************************************/
-static struct passwd *_Get_Pwnam(char *s)
-{
- struct passwd *ret;
-
- ret = hashed_getpwnam(s);
- if (ret)
- {
-
- /* Deal with password information stored in shadows. Due to the
- dynamic allocation of password cache stuff, the original password
- needs to be freed and the new password mallocated to avoid
- crashing the cache destructor code. */
-
-#ifdef HAVE_GETSPNAM
- {
- struct spwd *spass;
-
- /* many shadow systems require you to be root to get
- the password, in most cases this should already be
- the case when this function is called, except
- perhaps for IPC password changing requests */
-
- spass = getspnam(ret->pw_name);
- if (spass && spass->sp_pwdp) {
- free(ret->pw_passwd);
- ret->pw_passwd = strdup(spass->sp_pwdp);
- }
+ if (strequal(user,last_to))
+ return False;
+
+ if (strequal(user,last_from)) {
+ DEBUG(3,("Mapped user %s to %s\n",user,last_to));
+ fstrcpy(user,last_to);
+ return True;
}
-#elif defined(IA_UINFO)
- {
- /* Need to get password with SVR4.2's ia_ functions
- instead of get{sp,pw}ent functions. Required by
- UnixWare 2.x, tested on version
- 2.1. (tangent@cyberport.com) */
- /* Not sure how large the new password string should
- be so I'm using a pstring instead. If anyone has
- access to a UnixWare system perhaps they could
- optimise this. (tpot@samba.org) */
- uinfo_t uinfo;
- if (ia_openinfo(ret->pw_name, &uinfo) != -1) {
- free(ret->pw_passwd);
- ret->pw_passwd = malloc(FSTRING_LEN);
- ia_get_logpwd(uinfo, &(ret->pw_passwd));
- }
+
+ f = x_fopen(mapfile,O_RDONLY, 0);
+ if (!f) {
+ DEBUG(0,("can't open username map %s. Error %s\n",mapfile, strerror(errno) ));
+ return False;
}
-#endif
-
-#ifdef HAVE_GETPRPWNAM
- {
- struct pr_passwd *pr_pw = getprpwnam(ret->pw_name);
- if (pr_pw && pr_pw->ufld.fd_encrypt) {
- free(ret->pw_passwd);
- ret->pw_passwd = strdup(pr_pw->ufld.fd_encrypt);
+
+ DEBUG(4,("Scanning username map %s\n",mapfile));
+
+ while((s=fgets_slash(buf,sizeof(buf),f))!=NULL) {
+ char *unixname = s;
+ char *dosname = strchr_m(unixname,'=');
+ char **dosuserlist;
+ BOOL return_if_mapped = False;
+
+ if (!dosname)
+ continue;
+
+ *dosname++ = 0;
+
+ while (isspace((int)*unixname))
+ unixname++;
+
+ if ('!' == *unixname) {
+ return_if_mapped = True;
+ unixname++;
+ while (*unixname && isspace((int)*unixname))
+ unixname++;
}
- }
-#endif
-
-#ifdef OSF1_ENH_SEC
- {
- struct pr_passwd *mypasswd;
- DEBUG(5,("Checking password for user %s in OSF1_ENH_SEC\n",
- user));
- mypasswd = getprpwnam (user);
- if (mypasswd) {
- free(ret->pw_name);
- free(ret->pw_passwd);
- ret->pw_name = strdup(mypasswd->ufld.fd_name);
- ret->pw_passwd = strdup(mypasswd->ufld.fd_encrypt);
- } else {
- DEBUG(5,("No entry for user %s in protected database !\n",
- user));
- return(False);
+
+ if (!*unixname || strchr_m("#;",*unixname))
+ continue;
+
+ {
+ int l = strlen(unixname);
+ while (l && isspace((int)unixname[l-1])) {
+ unixname[l-1] = 0;
+ l--;
+ }
}
- }
-#endif
-
-#ifdef ULTRIX_AUTH
- {
- AUTHORIZATION *ap = getauthuid(ret->pw_uid);
- if (ap) {
- free(ret->pw_passwd);
- ret->pw_passwd = strdup(ap->a_password);
- endauthent();
+
+ dosuserlist = str_list_make(dosname, NULL);
+ if (!dosuserlist) {
+ DEBUG(0,("Unable to build user list\n"));
+ return False;
}
+
+ if (strchr_m(dosname,'*') || user_in_list(user, (const char **)dosuserlist, NULL, 0)) {
+ DEBUG(3,("Mapped user %s to %s\n",user,unixname));
+ mapped_user = True;
+ fstrcpy(last_from,user);
+ sscanf(unixname,"%s",user);
+ fstrcpy(last_to,user);
+ if(return_if_mapped) {
+ str_list_free (&dosuserlist);
+ x_fclose(f);
+ return True;
+ }
+ }
+
+ str_list_free (&dosuserlist);
}
-#endif
-
-#ifdef HAVE_GETPWANAM
- struct passwd_adjunct *pwret;
- pwret = getpwanam(s);
- if (pwret)
- {
- free(ret->pw_passwd);
- ret->pw_passwd = pwret->pwa_passwd;
- }
-#endif
- }
+ x_fclose(f);
- return(ret);
-}
+ /*
+ * Setup the last_from and last_to as an optimization so
+ * that we don't scan the file again for the same user.
+ */
+ fstrcpy(last_from,user);
+ fstrcpy(last_to,user);
+ return mapped_user;
+}
/****************************************************************************
-a wrapper for getpwnam() that tries with all lower and all upper case
-if the initial name fails. Also tried with first letter capitalised
-Note that this can change user! Function returns const to emphasise
-the fact that most of the members of the struct passwd * returned are
-dynamically allocated.
+ * A wrapper for sys_getpwnam(). The following variations are tried:
+ * - as transmitted
+ * - in all lower case if this differs from transmitted
+ * - in all upper case if this differs from transmitted
+ * - using lp_usernamelevel() for permutations.
****************************************************************************/
-const struct passwd *Get_Pwnam(char *user,BOOL allow_change)
+
+static struct passwd *Get_Pwnam_ret = NULL;
+
+static struct passwd *Get_Pwnam_internals(const char *user, char *user2)
{
- fstring user2;
- int last_char;
- int usernamelevel = lp_usernamelevel();
+ struct passwd *ret = NULL;
+
+ if (!user2 || !(*user2))
+ return(NULL);
+
+ if (!user || !(*user))
+ return(NULL);
+
+ /* Try in all lower case first as this is the most
+ common case on UNIX systems */
+ strlower_m(user2);
+ DEBUG(5,("Trying _Get_Pwnam(), username as lowercase is %s\n",user2));
+ ret = getpwnam_alloc(user2);
+ if(ret)
+ goto done;
+
+ /* Try as given, if username wasn't originally lowercase */
+ if(strcmp(user, user2) != 0) {
+ DEBUG(5,("Trying _Get_Pwnam(), username as given is %s\n", user));
+ ret = getpwnam_alloc(user);
+ if(ret)
+ goto done;
+ }
- struct passwd *ret;
+ /* Try as uppercase, if username wasn't originally uppercase */
+ strupper_m(user2);
+ if(strcmp(user, user2) != 0) {
+ DEBUG(5,("Trying _Get_Pwnam(), username as uppercase is %s\n", user2));
+ ret = getpwnam_alloc(user2);
+ if(ret)
+ goto done;
+ }
- if (!user || !(*user))
- return(NULL);
+ /* Try all combinations up to usernamelevel */
+ strlower_m(user2);
+ DEBUG(5,("Checking combinations of %d uppercase letters in %s\n", lp_usernamelevel(), user2));
+ ret = uname_string_combinations(user2, getpwnam_alloc, lp_usernamelevel());
- StrnCpy(user2,user,sizeof(user2)-1);
+done:
+ DEBUG(5,("Get_Pwnam_internals %s find user [%s]!\n",ret ? "did":"didn't", user));
- if (!allow_change) {
- user = &user2[0];
- }
+ /* This call used to just return the 'passwd' static buffer.
+ This could then have accidental reuse implications, so
+ we now malloc a copy, and free it in the next use.
- ret = _Get_Pwnam(user);
- if (ret) return(ret);
+ This should cause the (ab)user to segfault if it
+ uses an old struct.
+
+ This is better than useing the wrong data in security
+ critical operations.
- strlower(user);
- ret = _Get_Pwnam(user);
- if (ret) return(ret);
+ The real fix is to make the callers free the returned
+ malloc'ed data.
+ */
- strupper(user);
- ret = _Get_Pwnam(user);
- if (ret) return(ret);
+ if (Get_Pwnam_ret) {
+ passwd_free(&Get_Pwnam_ret);
+ }
+
+ Get_Pwnam_ret = ret;
- /* try with first letter capitalised */
- if (strlen(user) > 1)
- strlower(user+1);
- ret = _Get_Pwnam(user);
- if (ret) return(ret);
+ return ret;
+}
- /* try with last letter capitalised */
- strlower(user);
- last_char = strlen(user)-1;
- user[last_char] = toupper(user[last_char]);
- ret = _Get_Pwnam(user);
- if (ret) return(ret);
+/****************************************************************************
+ Get_Pwnam wrapper without modification.
+ NOTE: This with NOT modify 'user'!
+****************************************************************************/
- /* try all combinations up to usernamelevel */
- strlower(user);
- ret = uname_string_combinations(user, _Get_Pwnam, usernamelevel);
- if (ret) return(ret);
+struct passwd *Get_Pwnam(const char *user)
+{
+ fstring user2;
+ struct passwd *ret;
+
+ if ( *user == '\0' ) {
+ DEBUG(10,("Get_Pwnam: empty username!\n"));
+ return NULL;
+ }
- if (allow_change)
- fstrcpy(user,user2);
+ fstrcpy(user2, user);
- return(NULL);
+ DEBUG(5,("Finding user %s\n", user));
+
+ ret = Get_Pwnam_internals(user, user2);
+
+ return ret;
}
/****************************************************************************
-check if a user is in a netgroup user list
+ Check if a user is in a netgroup user list. If at first we don't succeed,
+ try lower case.
****************************************************************************/
-static BOOL user_in_netgroup_list(char *user,char *ngname)
+
+static BOOL user_in_netgroup_list(const char *user, const char *ngname)
{
#ifdef HAVE_NETGROUP
- static char *mydomain = NULL;
- if (mydomain == NULL)
- yp_get_default_domain(&mydomain);
-
- if(mydomain == NULL)
- {
- DEBUG(5,("Unable to get default yp domain\n"));
- }
- else
- {
- DEBUG(5,("looking for user %s of domain %s in netgroup %s\n",
- user, mydomain, ngname));
- DEBUG(5,("innetgr is %s\n",
- innetgr(ngname, NULL, user, mydomain)
- ? "TRUE" : "FALSE"));
-
- if (innetgr(ngname, NULL, user, mydomain))
- return (True);
- }
+ static char *mydomain = NULL;
+ fstring lowercase_user;
+
+ if (mydomain == NULL)
+ yp_get_default_domain(&mydomain);
+
+ if(mydomain == NULL) {
+ DEBUG(5,("Unable to get default yp domain\n"));
+ return False;
+ }
+
+ DEBUG(5,("looking for user %s of domain %s in netgroup %s\n",
+ user, mydomain, ngname));
+
+ if (innetgr(ngname, NULL, user, mydomain)) {
+ DEBUG(5,("user_in_netgroup_list: Found\n"));
+ return (True);
+ } else {
+
+ /*
+ * Ok, innetgr is case sensitive. Try once more with lowercase
+ * just in case. Attempt to fix #703. JRA.
+ */
+
+ fstrcpy(lowercase_user, user);
+ strlower_m(lowercase_user);
+
+ DEBUG(5,("looking for user %s of domain %s in netgroup %s\n",
+ lowercase_user, mydomain, ngname));
+
+ if (innetgr(ngname, NULL, lowercase_user, mydomain)) {
+ DEBUG(5,("user_in_netgroup_list: Found\n"));
+ return (True);
+ }
+ }
#endif /* HAVE_NETGROUP */
- return False;
+ return False;
}
/****************************************************************************
-check if a user is in a UNIX user list
+ Check if a user is in a winbind group.
****************************************************************************/
-static BOOL user_in_group_list(char *user,char *gname)
+
+static BOOL user_in_winbind_group_list(const char *user, const char *gname, BOOL *winbind_answered)
{
-#ifdef HAVE_GETGRNAM
- struct group *gptr;
- char **member;
- const struct passwd *pass = Get_Pwnam(user,False);
-
- if (pass)
- {
- gptr = getgrgid(pass->pw_gid);
- if (gptr && strequal(gptr->gr_name,gname))
- return(True);
- }
-
- gptr = (struct group *)getgrnam(gname);
-
- if (gptr)
- {
- member = gptr->gr_mem;
- while (member && *member)
- {
- if (strequal(*member,user))
- return(True);
- member++;
- }
- }
-#endif /* HAVE_GETGRNAM */
- return False;
-}
+ int i;
+ gid_t gid, gid_low, gid_high;
+ BOOL ret = False;
+ static gid_t *groups = NULL;
+ static int num_groups = 0;
+ static fstring last_user = "";
+
+ *winbind_answered = False;
+
+ if ((gid = nametogid(gname)) == (gid_t)-1) {
+ DEBUG(0,("user_in_winbind_group_list: nametogid for group %s failed.\n",
+ gname ));
+ goto err;
+ }
+
+ if (!lp_idmap_gid(&gid_low, &gid_high)) {
+ DEBUG(4, ("winbind gid range not configured, therefore %s cannot be a winbind group\n", gname));
+ goto err;
+ }
+ if (gid < gid_low || gid > gid_high) {
+ DEBUG(4, ("group %s is not a winbind group\n", gname));
+ goto err;
+ }
+
+ /* try to user the last user we looked up */
+ /* otherwise fall back to lookups */
+
+ if ( !strequal( last_user, user ) || !groups )
+ {
+ /* clear any cached information */
+
+ SAFE_FREE(groups);
+ fstrcpy( last_user, "" );
+
+ /*
+ * Get the gid's that this user belongs to.
+ */
+
+ if ((num_groups = winbind_getgroups(user, &groups)) == -1)
+ return False;
+
+ if ( num_groups == -1 )
+ return False;
+
+ if ( num_groups == 0 ) {
+ *winbind_answered = True;
+ return False;
+ }
+
+ /* save the last username */
+
+ fstrcpy( last_user, user );
+
+ }
+ else
+ DEBUG(10,("user_in_winbind_group_list: using cached user groups for [%s]\n", user));
+
+ if ( DEBUGLEVEL >= 10 ) {
+ DEBUG(10,("user_in_winbind_group_list: using groups -- "));
+ for ( i=0; i<num_groups; i++ )
+ DEBUGADD(10,("%lu ", (unsigned long)groups[i]));
+ DEBUGADD(10,("\n"));
+ }
+
+ /*
+ * Now we have the gid list for this user - convert the gname
+ * to a gid_t via either winbind or the local UNIX lookup and do the comparison.
+ */
+
+ for (i = 0; i < num_groups; i++) {
+ if (gid == groups[i]) {
+ ret = True;
+ break;
+ }
+ }
+
+ *winbind_answered = True;
+ SAFE_FREE(groups);
+ return ret;
+
+ err:
+
+ *winbind_answered = False;
+ SAFE_FREE(groups);
+ return False;
+}
+
/****************************************************************************
-check if a user is in a user list - can check combinations of UNIX
-and netgroup lists.
+ Check if a user is in a UNIX group.
****************************************************************************/
-BOOL user_in_list(char *user,char *list)
+
+BOOL user_in_unix_group_list(const char *user,const char *gname)
{
- pstring tok;
- char *p=list;
-
- while (next_token(&p,tok,LIST_SEP, sizeof(tok)))
- {
- /*
- * Check raw username.
- */
- if (strequal(user,tok))
- return(True);
-
- /*
- * Now check to see if any combination
- * of UNIX and netgroups has been specified.
- */
-
- if(*tok == '@')
- {
- /*
- * Old behaviour. Check netgroup list
- * followed by UNIX list.
- */
- if(user_in_netgroup_list(user,&tok[1]))
- return True;
- if(user_in_group_list(user,&tok[1]))
- return True;
- }
- else if (*tok == '+')
- {
- if(tok[1] == '&')
- {
- /*
- * Search UNIX list followed by netgroup.
- */
- if(user_in_group_list(user,&tok[2]))
- return True;
- if(user_in_netgroup_list(user,&tok[2]))
- return True;
- }
- else
- {
- /*
- * Just search UNIX list.
- */
- if(user_in_group_list(user,&tok[1]))
- return True;
- }
- }
- else if (*tok == '&')
- {
- if(tok[1] == '&')
- {
- /*
- * Search netgroup list followed by UNIX list.
- */
- if(user_in_netgroup_list(user,&tok[2]))
- return True;
- if(user_in_group_list(user,&tok[2]))
- return True;
- }
- else
- {
- /*
- * Just search netgroup list.
- */
- if(user_in_netgroup_list(user,&tok[1]))
- return True;
- }
- }
- }
- return(False);
-}
+ struct passwd *pass = Get_Pwnam(user);
+ struct sys_userlist *user_list;
+ struct sys_userlist *member;
+
+ DEBUG(10,("user_in_unix_group_list: checking user %s in group %s\n", user, gname));
+
+ /*
+ * We need to check the users primary group as this
+ * group is implicit and often not listed in the group database.
+ */
+
+ if (pass) {
+ if (strequal(gname,gidtoname(pass->pw_gid))) {
+ DEBUG(10,("user_in_unix_group_list: group %s is primary group.\n", gname ));
+ return True;
+ }
+ }
+
+ user_list = get_users_in_group(gname);
+ if (user_list == NULL) {
+ DEBUG(10,("user_in_unix_group_list: no such group %s\n", gname ));
+ return False;
+ }
+
+ for (member = user_list; member; member = member->next) {
+ DEBUG(10,("user_in_unix_group_list: checking user %s against member %s\n",
+ user, member->unix_name ));
+ if (strequal(member->unix_name,user)) {
+ free_userlist(user_list);
+ return(True);
+ }
+ }
+
+ free_userlist(user_list);
+ return False;
+}
-/* The functions below have been taken from password.c and slightly modified */
/****************************************************************************
-apply a function to upper/lower case combinations
-of a string and return true if one of them returns true.
-try all combinations with N uppercase letters.
-offset is the first char to try and change (start with 0)
-it assumes the string starts lowercased
+ Check if a user is in a group list. Ask winbind first, then use UNIX.
****************************************************************************/
-static struct passwd *uname_string_combinations2(char *s,int offset,struct passwd *(*fn)(char *),int N)
+
+BOOL user_in_group_list(const char *user, const char *gname, gid_t *groups, size_t n_groups)
{
- int len = strlen(s);
- int i;
- struct passwd *ret;
+ BOOL winbind_answered = False;
+ BOOL ret;
+ gid_t gid;
+ unsigned i;
+
+ gid = nametogid(gname);
+ if (gid == (gid_t)-1)
+ return False;
+
+ if (groups && n_groups > 0) {
+ for (i=0; i < n_groups; i++) {
+ if (groups[i] == gid) {
+ return True;
+ }
+ }
+ return False;
+ }
+
+ /* fallback if we don't yet have the group list */
-#ifdef PASSWORD_LENGTH
- len = MIN(len,PASSWORD_LENGTH);
-#endif
+ ret = user_in_winbind_group_list(user, gname, &winbind_answered);
+ if (!winbind_answered)
+ ret = user_in_unix_group_list(user, gname);
- if (N <= 0 || offset >= len)
- return(fn(s));
+ if (ret)
+ DEBUG(10,("user_in_group_list: user |%s| is in group |%s|\n", user, gname));
+ return ret;
+}
+
+/****************************************************************************
+ Check if a user is in a user list - can check combinations of UNIX
+ and netgroup lists.
+****************************************************************************/
+BOOL user_in_list(const char *user,const char **list, gid_t *groups, size_t n_groups)
+{
+ if (!list || !*list)
+ return False;
+
+ DEBUG(10,("user_in_list: checking user %s in list\n", user));
+
+ while (*list) {
+
+ DEBUG(10,("user_in_list: checking user |%s| against |%s|\n", user, *list));
+
+ /*
+ * Check raw username.
+ */
+ if (strequal(user, *list))
+ return(True);
+
+ /*
+ * Now check to see if any combination
+ * of UNIX and netgroups has been specified.
+ */
+
+ if(**list == '@') {
+ /*
+ * Old behaviour. Check netgroup list
+ * followed by UNIX list.
+ */
+ if(user_in_netgroup_list(user, *list +1))
+ return True;
+ if(user_in_group_list(user, *list +1, groups, n_groups))
+ return True;
+ } else if (**list == '+') {
+
+ if((*(*list +1)) == '&') {
+ /*
+ * Search UNIX list followed by netgroup.
+ */
+ if(user_in_group_list(user, *list +2, groups, n_groups))
+ return True;
+ if(user_in_netgroup_list(user, *list +2))
+ return True;
+
+ } else {
+
+ /*
+ * Just search UNIX list.
+ */
+
+ if(user_in_group_list(user, *list +1, groups, n_groups))
+ return True;
+ }
+
+ } else if (**list == '&') {
+
+ if(*(*list +1) == '+') {
+ /*
+ * Search netgroup list followed by UNIX list.
+ */
+ if(user_in_netgroup_list(user, *list +2))
+ return True;
+ if(user_in_group_list(user, *list +2, groups, n_groups))
+ return True;
+ } else {
+ /*
+ * Just search netgroup list.
+ */
+ if(user_in_netgroup_list(user, *list +1))
+ return True;
+ }
+ } else if (!name_is_local(*list)) {
+ /*
+ * If user name did not match and token is not
+ * a unix group and the token has a winbind separator in the
+ * name then see if it is a Windows group.
+ */
+
+ DOM_SID g_sid;
+ enum SID_NAME_USE name_type;
+ BOOL winbind_answered = False;
+ BOOL ret;
+ fstring groupname, domain;
+
+ /* Parse a string of the form DOMAIN/user into a domain and a user */
+
+ char *p = strchr(*list,*lp_winbind_separator());
+
+ DEBUG(10,("user_in_list: checking if user |%s| is in winbind group |%s|\n", user, *list));
+
+ if (p) {
+ fstrcpy(groupname, p+1);
+ fstrcpy(domain, *list);
+ domain[PTR_DIFF(p, *list)] = 0;
+
+ /* Check to see if name is a Windows group; Win2k native mode DCs
+ will return domain local groups; while NT4 or mixed mode 2k DCs
+ will not */
+
+ if ( winbind_lookup_name(domain, groupname, &g_sid, &name_type)
+ && ( name_type==SID_NAME_DOM_GRP ||
+ (strequal(lp_workgroup(), domain) && name_type==SID_NAME_ALIAS) ) )
+ {
+
+ /* Check if user name is in the Windows group */
+ ret = user_in_winbind_group_list(user, *list, &winbind_answered);
+
+ if (winbind_answered && ret == True) {
+ DEBUG(10,("user_in_list: user |%s| is in winbind group |%s|\n", user, *list));
+ return ret;
+ }
+ }
+ }
+ }
+
+ list++;
+ }
+ return(False);
+}
- for (i=offset;i<(len-(N-1));i++)
+/* The functions below have been taken from password.c and slightly modified */
+/****************************************************************************
+ Apply a function to upper/lower case combinations
+ of a string and return true if one of them returns true.
+ Try all combinations with N uppercase letters.
+ offset is the first char to try and change (start with 0)
+ it assumes the string starts lowercased
+****************************************************************************/
- {
- char c = s[i];
- if (!islower(c)) continue;
- s[i] = toupper(c);
- ret = uname_string_combinations2(s,i+1,fn,N-1);
- if(ret) return(ret);
- s[i] = c;
- }
- return(NULL);
+static struct passwd *uname_string_combinations2(char *s,int offset,struct passwd *(*fn)(const char *),int N)
+{
+ ssize_t len = (ssize_t)strlen(s);
+ int i;
+ struct passwd *ret;
+
+ if (N <= 0 || offset >= len)
+ return(fn(s));
+
+ for (i=offset;i<(len-(N-1));i++) {
+ char c = s[i];
+ if (!islower((int)c))
+ continue;
+ s[i] = toupper(c);
+ ret = uname_string_combinations2(s,i+1,fn,N-1);
+ if(ret)
+ return(ret);
+ s[i] = c;
+ }
+ return(NULL);
}
/****************************************************************************
-apply a function to upper/lower case combinations
-of a string and return true if one of them returns true.
-try all combinations with up to N uppercase letters.
-offset is the first char to try and change (start with 0)
-it assumes the string starts lowercased
+ Apply a function to upper/lower case combinations
+ of a string and return true if one of them returns true.
+ Try all combinations with up to N uppercase letters.
+ offset is the first char to try and change (start with 0)
+ it assumes the string starts lowercased
****************************************************************************/
-static struct passwd * uname_string_combinations(char *s,struct passwd * (*fn)(char *),int N)
+
+static struct passwd * uname_string_combinations(char *s,struct passwd * (*fn)(const char *),int N)
{
- int n;
- struct passwd *ret;
-
- for (n=1;n<=N;n++)
- {
- ret = uname_string_combinations2(s,0,fn,n);
- if(ret) return(ret);
- }
- return(NULL);
+ int n;
+ struct passwd *ret;
+
+ for (n=1;n<=N;n++) {
+ ret = uname_string_combinations2(s,0,fn,n);
+ if(ret)
+ return(ret);
+ }
+ return(NULL);
}
+