4 Unix SMB/Netbios implementation.
7 Copyright (C) Andrew Tridgell 1992-1998
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 2 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program; if not, write to the Free Software
21 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
26 extern int DEBUGLEVEL;
28 /* what user is current? */
29 extern struct current_user current_user;
31 /****************************************************************************
32 Become the guest user.
33 ****************************************************************************/
35 BOOL become_guest(void)
37 static struct passwd *pass=NULL;
40 pass = Get_Pwnam(lp_guestaccount(-1),True);
45 /* MWW: From AIX FAQ patch to WU-ftpd: call initgroups before
47 initgroups(pass->pw_name, (gid_t)pass->pw_gid);
50 set_sec_ctx(pass->pw_uid, pass->pw_gid, 0, NULL, NULL);
52 current_user.conn = NULL;
53 current_user.vuid = UID_FIELD_INVALID;
58 /*******************************************************************
59 Check if a username is OK.
60 ********************************************************************/
62 static BOOL check_user_ok(connection_struct *conn, user_struct *vuser,int snum)
65 for (i=0;i<conn->uid_cache.entries;i++)
66 if (conn->uid_cache.list[i] == vuser->uid)
69 if (!user_ok(vuser->user.unix_name,snum))
72 i = conn->uid_cache.entries % UID_CACHE_SIZE;
73 conn->uid_cache.list[i] = vuser->uid;
75 if (conn->uid_cache.entries < UID_CACHE_SIZE)
76 conn->uid_cache.entries++;
81 /****************************************************************************
82 Become the user of a connection number.
83 ****************************************************************************/
85 BOOL become_user(connection_struct *conn, uint16 vuid)
87 user_struct *vuser = get_valid_user_struct(vuid);
92 BOOL must_free_token = False;
93 NT_USER_TOKEN *token = NULL;
96 DEBUG(2,("Connection not open\n"));
101 * We need a separate check in security=share mode due to vuid
102 * always being UID_FIELD_INVALID. If we don't do this then
103 * in share mode security we are *always* changing uid's between
104 * SMB's - this hurts performance - Badly.
107 if((lp_security() == SEC_SHARE) && (current_user.conn == conn) &&
108 (current_user.uid == conn->uid)) {
109 DEBUG(4,("Skipping become_user - already user\n"));
111 } else if ((current_user.conn == conn) &&
112 (vuser != 0) && (current_user.vuid == vuid) &&
113 (current_user.uid == vuser->uid)) {
114 DEBUG(4,("Skipping become_user - already user\n"));
120 if((vuser != NULL) && !check_user_ok(conn, vuser, snum))
123 if (conn->force_user ||
125 lp_security() == SEC_SHARE ||
126 !(vuser) || (vuser->guest)) {
129 current_user.groups = conn->groups;
130 current_user.ngroups = conn->ngroups;
131 token = conn->nt_user_token;
134 DEBUG(2,("Invalid vuid used %d\n",vuid));
139 current_user.ngroups = vuser->n_groups;
140 current_user.groups = vuser->groups;
141 token = vuser->nt_user_token;
145 * See if we should force group for this service.
146 * If so this overrides any group set in the force
150 if((group_c = *lp_force_group(snum))) {
151 BOOL is_guest = False;
156 * Only force group if the user is a member of
157 * the service group. Check the group memberships for
158 * this user (we already have this) to
159 * see if we should force the group.
163 for (i = 0; i < current_user.ngroups; i++) {
164 if (current_user.groups[i] == conn->gid) {
174 * We've changed the group list in the token - we must
178 if (vuser && vuser->guest)
181 token = create_nt_token(uid, gid, current_user.ngroups, current_user.groups, is_guest);
182 must_free_token = True;
185 set_sec_ctx(uid, gid, current_user.ngroups, current_user.groups, token);
188 * Free the new token (as set_sec_ctx copies it).
192 delete_nt_token(&token);
194 current_user.conn = conn;
195 current_user.vuid = vuid;
197 DEBUG(5,("become_user uid=(%d,%d) gid=(%d,%d)\n",
198 (int)getuid(),(int)geteuid(),(int)getgid(),(int)getegid()));
203 /****************************************************************************
204 Unbecome the user of a connection number.
205 ****************************************************************************/
207 BOOL unbecome_user(void )
211 DEBUG(5,("unbecome_user now uid=(%d,%d) gid=(%d,%d)\n",
212 (int)getuid(),(int)geteuid(),(int)getgid(),(int)getegid()));
214 current_user.conn = NULL;
215 current_user.vuid = UID_FIELD_INVALID;
220 /****************************************************************************
221 Become the user of an authenticated connected named pipe.
222 When this is called we are currently running as the connection
224 ****************************************************************************/
226 BOOL become_authenticated_pipe_user(pipes_struct *p)
228 BOOL res = push_sec_ctx();
234 set_sec_ctx(p->pipe_user.uid, p->pipe_user.gid,
235 p->pipe_user.ngroups, p->pipe_user.groups, p->pipe_user.nt_user_token);
240 /****************************************************************************
241 Unbecome the user of an authenticated connected named pipe.
242 When this is called we are running as the authenticated pipe
243 user and need to go back to being the connection user.
244 ****************************************************************************/
246 BOOL unbecome_authenticated_pipe_user(pipes_struct *p)
248 return pop_sec_ctx();
251 /* Temporarily become a root user. Must match with unbecome_root(). */
253 void become_root(void)
259 /* Unbecome the root user */
261 void unbecome_root(void)
266 /*****************************************************************
267 *THE CANONICAL* convert name to SID function.
268 Tries winbind first - then uses local lookup.
269 *****************************************************************/
271 BOOL lookup_name(char *name, DOM_SID *psid, enum SID_NAME_USE *name_type)
273 extern pstring global_myname;
275 char *sep = lp_winbind_separator();
277 if (!winbind_lookup_name(name, psid, name_type)) {
280 DEBUG(10, ("lookup_name: winbind lookup for %s failed - trying local\n", name));
282 /* If we are looking up a domain user, make sure it is
283 for the local machine only */
285 if (strchr(name, sep[0]) || strchr(name, '\\')) {
286 fstring domain, username;
288 split_domain_name(name, domain, username);
290 if (strcasecmp(global_myname, domain) != 0) {
291 DEBUG(5, ("domain %s is not local\n", domain));
295 ret = local_lookup_name(domain, username, psid,
299 ret = local_lookup_name(global_myname, name, psid,
305 ("lookup_name: (local) %s -> SID %s (type %u)\n",
306 name, sid_to_string(sid,psid),
307 (unsigned int)*name_type ));
309 DEBUG(10,("lookup name: (local) %s failed.\n", name));
315 DEBUG(10,("lookup_name (winbindd): %s -> SID %s (type %u)\n",
316 name, sid_to_string(sid, psid),
317 (unsigned int)*name_type));
321 /*****************************************************************
322 *THE CANONICAL* convert SID to name function.
323 Tries winbind first - then uses local lookup.
324 *****************************************************************/
326 BOOL lookup_sid(DOM_SID *sid, fstring dom_name, fstring name, enum SID_NAME_USE *name_type)
331 /* Check if this is our own sid. This should perhaps be done by
332 winbind? For the moment handle it here. */
334 if (sid->num_auths == 5) {
338 sid_copy(&tmp_sid, sid);
339 sid_split_rid(&tmp_sid, &rid);
341 if (sid_equal(&global_sam_sid, &tmp_sid)) {
343 return map_domain_sid_to_name(&tmp_sid, dom_name) &&
344 local_lookup_rid(rid, name, name_type);
348 if (!winbind_lookup_sid(sid, dom_name, name, name_type)) {
353 DEBUG(10,("lookup_sid: winbind lookup for SID %s failed - trying local.\n", sid_to_string(sid_str, sid) ));
355 sid_copy(&tmp_sid, sid);
356 sid_split_rid(&tmp_sid, &rid);
357 return map_domain_sid_to_name(&tmp_sid, dom_name) &&
358 lookup_known_rid(&tmp_sid, rid, name, name_type);
363 /*****************************************************************
364 *THE CANONICAL* convert uid_t to SID function.
365 Tries winbind first - then uses local lookup.
367 *****************************************************************/
369 DOM_SID *uid_to_sid(DOM_SID *psid, uid_t uid)
373 if (!winbind_uid_to_sid(psid, uid)) {
374 DEBUG(10,("uid_to_sid: winbind lookup for uid %u failed - trying local.\n", (unsigned int)uid ));
376 return local_uid_to_sid(psid, uid);
379 DEBUG(10,("uid_to_sid: winbindd %u -> %s\n",
380 (unsigned int)uid, sid_to_string(sid, psid) ));
385 /*****************************************************************
386 *THE CANONICAL* convert gid_t to SID function.
387 Tries winbind first - then uses local lookup.
389 *****************************************************************/
391 DOM_SID *gid_to_sid(DOM_SID *psid, gid_t gid)
395 if (!winbind_gid_to_sid(psid, gid)) {
396 DEBUG(10,("gid_to_sid: winbind lookup for gid %u failed - trying local.\n", (unsigned int)gid ));
398 return local_gid_to_sid(psid, gid);
401 DEBUG(10,("gid_to_sid: winbindd %u -> %s\n",
402 (unsigned int)gid, sid_to_string(sid,psid) ));
407 /*****************************************************************
408 *THE CANONICAL* convert SID to uid function.
409 Tries winbind first - then uses local lookup.
410 Returns True if this name is a user sid and the conversion
411 was done correctly, False if not.
412 *****************************************************************/
414 BOOL sid_to_uid(DOM_SID *psid, uid_t *puid, enum SID_NAME_USE *sidtype)
416 fstring dom_name, name, sid_str;
417 enum SID_NAME_USE name_type;
419 *sidtype = SID_NAME_UNKNOWN;
422 * First we must look up the name and decide if this is a user sid.
425 if (!winbind_lookup_sid(psid, dom_name, name, &name_type)) {
426 DEBUG(10,("sid_to_uid: winbind lookup for sid %s failed - trying local.\n",
427 sid_to_string(sid_str, psid) ));
429 return local_sid_to_uid(puid, psid, sidtype);
433 * Ensure this is a user sid.
436 if (name_type != SID_NAME_USER) {
437 DEBUG(10,("sid_to_uid: winbind lookup succeeded but SID is not a uid (%u)\n",
438 (unsigned int)name_type ));
442 *sidtype = SID_NAME_USER;
445 * Get the uid for this SID.
448 if (!winbind_sid_to_uid(puid, psid)) {
449 DEBUG(10,("sid_to_uid: winbind lookup for sid %s failed.\n",
450 sid_to_string(sid_str, psid) ));
454 DEBUG(10,("sid_to_uid: winbindd %s -> %u\n",
455 sid_to_string(sid_str, psid),
456 (unsigned int)*puid ));
461 /*****************************************************************
462 *THE CANONICAL* convert SID to gid function.
463 Tries winbind first - then uses local lookup.
464 Returns True if this name is a user sid and the conversion
465 was done correctly, False if not.
466 *****************************************************************/
468 BOOL sid_to_gid(DOM_SID *psid, gid_t *pgid, enum SID_NAME_USE *sidtype)
470 fstring dom_name, name, sid_str;
471 enum SID_NAME_USE name_type;
473 *sidtype = SID_NAME_UNKNOWN;
476 * First we must look up the name and decide if this is a group sid.
479 if (!winbind_lookup_sid(psid, dom_name, name, &name_type)) {
480 DEBUG(10,("sid_to_gid: winbind lookup for sid %s failed - trying local.\n",
481 sid_to_string(sid_str, psid) ));
483 return local_sid_to_gid(pgid, psid, sidtype);
487 * Ensure this is a group sid.
490 if ((name_type != SID_NAME_DOM_GRP) && (name_type != SID_NAME_ALIAS) && (name_type != SID_NAME_WKN_GRP)) {
491 DEBUG(10,("sid_to_gid: winbind lookup succeeded but SID is not a known group (%u)\n",
492 (unsigned int)name_type ));
494 return local_sid_to_gid(pgid, psid, sidtype);
497 *sidtype = name_type;
500 * Get the gid for this SID.
503 if (!winbind_sid_to_gid(pgid, psid)) {
504 DEBUG(10,("sid_to_gid: winbind lookup for sid %s failed.\n",
505 sid_to_string(sid_str, psid) ));
509 DEBUG(10,("gid_to_uid: winbindd %s -> %u\n",
510 sid_to_string(sid_str, psid),
511 (unsigned int)*pgid ));