2 Unix SMB/CIFS implementation.
3 service (connection) opening and closing
4 Copyright (C) Andrew Tridgell 1992-1998
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program; if not, write to the Free Software
18 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
23 extern userdom_struct current_user_info;
25 static BOOL canonicalize_path(connection_struct *conn, pstring path)
27 #ifdef REALPATH_TAKES_NULL
28 char *resolved_name = SMB_VFS_REALPATH(conn,path,NULL);
32 pstrcpy(path, resolved_name);
33 SAFE_FREE(resolved_name);
37 char resolved_name_buf[PATH_MAX+1];
39 pstring resolved_name_buf;
41 char *resolved_name = SMB_VFS_REALPATH(conn,path,resolved_name_buf);
45 pstrcpy(path, resolved_name);
47 #endif /* REALPATH_TAKES_NULL */
50 /****************************************************************************
51 Ensure when setting connectpath it is a canonicalized (no ./ // or ../)
52 absolute path stating in / and not ending in /.
53 Observent people will notice a similarity between this and check_path_syntax :-).
54 ****************************************************************************/
56 void set_conn_connectpath(connection_struct *conn, const pstring connectpath)
60 const char *s = connectpath;
61 BOOL start_of_name_component = True;
63 *d++ = '/'; /* Always start with root. */
67 /* Eat multiple '/' */
71 if ((d > destname + 1) && (*s != '\0')) {
74 start_of_name_component = True;
78 if (start_of_name_component) {
79 if ((s[0] == '.') && (s[1] == '.') && (s[2] == '/' || s[2] == '\0')) {
80 /* Uh oh - "/../" or "/..\0" ! */
82 /* Go past the ../ or .. */
86 s += 2; /* Go past the .. */
89 /* If we just added a '/' - delete it */
90 if ((d > destname) && (*(d-1) == '/')) {
95 /* Are we at the start ? Can't go back further if so. */
97 *d++ = '/'; /* Can't delete root */
100 /* Go back one level... */
101 /* Decrement d first as d points to the *next* char to write into. */
102 for (d--; d > destname; d--) {
107 /* We're still at the start of a name component, just the previous one. */
109 } else if ((s[0] == '.') && ((s[1] == '\0') || s[1] == '/')) {
110 /* Component of pathname can't be "." only - skip the '.' . */
124 /* Get the size of the next MB character. */
125 next_codepoint(s,&siz);
146 start_of_name_component = False;
150 /* And must not end in '/' */
151 if (d > destname + 1 && (*(d-1) == '/')) {
155 DEBUG(10,("set_conn_connectpath: service %s, connectpath = %s\n",
156 lp_servicename(SNUM(conn)), destname ));
158 string_set(&conn->connectpath, destname);
161 /****************************************************************************
162 Load parameters specific to a connection/service.
163 ****************************************************************************/
165 BOOL set_current_service(connection_struct *conn, uint16 flags, BOOL do_chdir)
167 static connection_struct *last_conn;
168 static uint16 last_flags;
176 conn->lastused_count++;
181 vfs_ChDir(conn,conn->connectpath) != 0 &&
182 vfs_ChDir(conn,conn->origpath) != 0) {
183 DEBUG(0,("chdir (%s) failed\n",
188 if ((conn == last_conn) && (last_flags == flags)) {
195 /* Obey the client case sensitivity requests - only for clients that support it. */
196 switch (lp_casesensitive(snum)) {
199 /* We need this uglyness due to DOS/Win9x clients that lie about case insensitivity. */
200 enum remote_arch_types ra_type = get_remote_arch();
201 if ((ra_type != RA_SAMBA) && (ra_type != RA_CIFSFS)) {
202 /* Client can't support per-packet case sensitive pathnames. */
203 conn->case_sensitive = False;
205 conn->case_sensitive = !(flags & FLAG_CASELESS_PATHNAMES);
210 conn->case_sensitive = True;
213 conn->case_sensitive = False;
219 /****************************************************************************
220 Add a home service. Returns the new service number or -1 if fail.
221 ****************************************************************************/
223 int add_home_service(const char *service, const char *username, const char *homedir)
227 if (!service || !homedir)
230 if ((iHomeService = lp_servicenumber(HOMES_NAME)) < 0)
234 * If this is a winbindd provided username, remove
235 * the domain component before adding the service.
236 * Log a warning if the "path=" parameter does not
237 * include any macros.
241 const char *p = strchr(service,*lp_winbind_separator());
243 /* We only want the 'user' part of the string */
249 if (!lp_add_home(service, iHomeService, username, homedir)) {
253 return lp_servicenumber(service);
257 static int load_registry_service(const char *servicename)
259 struct registry_key *key;
265 struct registry_value *value;
269 if (!lp_registry_shares()) {
273 if (asprintf(&path, "%s\\%s", KEY_SMBCONF, servicename) == -1) {
277 err = reg_open_path(NULL, path, REG_KEY_READ, get_root_nt_token(),
281 if (!W_ERROR_IS_OK(err)) {
285 res = lp_add_service(servicename, -1);
291 W_ERROR_IS_OK(reg_enumvalue(key, key, i, &value_name, &value));
293 switch (value->type) {
296 if (asprintf(&tmp, "%d", value->v.dword) == -1) {
299 lp_do_parameter(res, value_name, tmp);
304 lp_do_parameter(res, value_name, value->v.sz.str);
308 /* Ignore all the rest */
312 TALLOC_FREE(value_name);
322 void load_registry_shares(void)
324 struct registry_key *key;
329 if (!lp_registry_shares()) {
333 err = reg_open_path(NULL, KEY_SMBCONF, REG_KEY_READ,
334 get_root_nt_token(), &key);
335 if (!(W_ERROR_IS_OK(err))) {
339 for (i=0; W_ERROR_IS_OK(reg_enumkey(key, key, i, &name, NULL)); i++) {
340 load_registry_service(name);
349 * Find a service entry.
351 * @param service is modified (to canonical form??)
354 int find_service(fstring service)
358 all_string_sub(service,"\\","/",0);
360 iService = lp_servicenumber(service);
362 /* now handle the special case of a home directory */
364 char *phome_dir = get_user_home_dir(service);
368 * Try mapping the servicename, it may
369 * be a Windows to unix mapped user name.
371 if(map_username(service))
372 phome_dir = get_user_home_dir(service);
375 DEBUG(3,("checking for home directory %s gave %s\n",service,
376 phome_dir?phome_dir:"(NULL)"));
378 iService = add_home_service(service,service /* 'username' */, phome_dir);
381 /* If we still don't have a service, attempt to add it as a printer. */
385 if ((iPrinterService = lp_servicenumber(PRINTERS_NAME)) >= 0) {
386 DEBUG(3,("checking whether %s is a valid printer name...\n", service));
387 if (pcap_printername_ok(service)) {
388 DEBUG(3,("%s is a valid printer name\n", service));
389 DEBUG(3,("adding %s as a printer service\n", service));
390 lp_add_printer(service, iPrinterService);
391 iService = lp_servicenumber(service);
393 DEBUG(0,("failed to add %s as a printer service!\n", service));
396 DEBUG(3,("%s is not a valid printer name\n", service));
401 /* Check for default vfs service? Unsure whether to implement this */
405 /* just possibly it's a default service? */
407 char *pdefservice = lp_defaultservice();
408 if (pdefservice && *pdefservice && !strequal(pdefservice,service) && !strstr_m(service,"..")) {
410 * We need to do a local copy here as lp_defaultservice()
411 * returns one of the rotating lp_string buffers that
412 * could get overwritten by the recursive find_service() call
413 * below. Fix from Josef Hinteregger <joehtg@joehtg.co.at>.
416 pstrcpy(defservice, pdefservice);
417 iService = find_service(defservice);
419 all_string_sub(service, "_","/",0);
420 iService = lp_add_service(service, iService);
426 iService = load_registry_service(service);
429 /* Is it a usershare service ? */
430 if (iService < 0 && *lp_usershare_path()) {
431 /* Ensure the name is canonicalized. */
433 iService = load_usershare_service(service);
437 if (!VALID_SNUM(iService)) {
438 DEBUG(0,("Invalid snum %d for %s\n",iService, service));
444 DEBUG(3,("find_service() failed to find service %s\n", service));
450 /****************************************************************************
451 do some basic sainity checks on the share.
452 This function modifies dev, ecode.
453 ****************************************************************************/
455 static NTSTATUS share_sanity_checks(int snum, fstring dev)
458 if (!lp_snum_ok(snum) ||
459 !check_access(smbd_server_fd(),
460 lp_hostsallow(snum), lp_hostsdeny(snum))) {
461 return NT_STATUS_ACCESS_DENIED;
464 if (dev[0] == '?' || !dev[0]) {
465 if (lp_print_ok(snum)) {
466 fstrcpy(dev,"LPT1:");
467 } else if (strequal(lp_fstype(snum), "IPC")) {
476 if (lp_print_ok(snum)) {
477 if (!strequal(dev, "LPT1:")) {
478 return NT_STATUS_BAD_DEVICE_TYPE;
480 } else if (strequal(lp_fstype(snum), "IPC")) {
481 if (!strequal(dev, "IPC")) {
482 return NT_STATUS_BAD_DEVICE_TYPE;
484 } else if (!strequal(dev, "A:")) {
485 return NT_STATUS_BAD_DEVICE_TYPE;
488 /* Behave as a printer if we are supposed to */
489 if (lp_print_ok(snum) && (strcmp(dev, "A:") == 0)) {
490 fstrcpy(dev, "LPT1:");
496 static NTSTATUS find_forced_user(connection_struct *conn, BOOL vuser_is_guest, fstring username)
498 int snum = conn->params->service;
499 char *fuser, *found_username;
502 if (!(fuser = talloc_string_sub(conn->mem_ctx, lp_force_user(snum), "%S",
503 lp_servicename(snum)))) {
504 return NT_STATUS_NO_MEMORY;
507 result = create_token_from_username(conn->mem_ctx, fuser, vuser_is_guest,
508 &conn->uid, &conn->gid, &found_username,
509 &conn->nt_user_token);
510 if (!NT_STATUS_IS_OK(result)) {
514 fstrcpy(username, found_username);
517 TALLOC_FREE(found_username);
522 * Go through lookup_name etc to find the force'd group.
524 * Create a new token from src_token, replacing the primary group sid with the
528 static NTSTATUS find_forced_group(BOOL force_user,
529 int snum, const char *username,
533 NTSTATUS result = NT_STATUS_NO_SUCH_GROUP;
536 enum lsa_SidType type;
538 BOOL user_must_be_member = False;
541 ZERO_STRUCTP(pgroup_sid);
544 mem_ctx = talloc_new(NULL);
545 if (mem_ctx == NULL) {
546 DEBUG(0, ("talloc_new failed\n"));
547 return NT_STATUS_NO_MEMORY;
550 groupname = talloc_strdup(mem_ctx, lp_force_group(snum));
551 if (groupname == NULL) {
552 DEBUG(1, ("talloc_strdup failed\n"));
553 result = NT_STATUS_NO_MEMORY;
557 if (groupname[0] == '+') {
558 user_must_be_member = True;
562 groupname = talloc_string_sub(mem_ctx, groupname,
563 "%S", lp_servicename(snum));
565 if (!lookup_name_smbconf(mem_ctx, groupname,
566 LOOKUP_NAME_ALL|LOOKUP_NAME_GROUP,
567 NULL, NULL, &group_sid, &type)) {
568 DEBUG(10, ("lookup_name_smbconf(%s) failed\n",
573 if ((type != SID_NAME_DOM_GRP) && (type != SID_NAME_ALIAS) &&
574 (type != SID_NAME_WKN_GRP)) {
575 DEBUG(10, ("%s is a %s, not a group\n", groupname,
576 sid_type_lookup(type)));
580 if (!sid_to_gid(&group_sid, &gid)) {
581 DEBUG(10, ("sid_to_gid(%s) for %s failed\n",
582 sid_string_static(&group_sid), groupname));
587 * If the user has been forced and the forced group starts with a '+',
588 * then we only set the group to be the forced group if the forced
589 * user is a member of that group. Otherwise, the meaning of the '+'
593 if (force_user && user_must_be_member) {
594 if (user_in_group_sid(username, &group_sid)) {
595 sid_copy(pgroup_sid, &group_sid);
597 DEBUG(3,("Forced group %s for member %s\n",
598 groupname, username));
600 DEBUG(0,("find_forced_group: forced user %s is not a member "
601 "of forced group %s. Disallowing access.\n",
602 username, groupname ));
603 result = NT_STATUS_MEMBER_NOT_IN_GROUP;
607 sid_copy(pgroup_sid, &group_sid);
609 DEBUG(3,("Forced group %s\n", groupname));
612 result = NT_STATUS_OK;
614 TALLOC_FREE(mem_ctx);
618 /****************************************************************************
619 Make a connection, given the snum to connect to, and the vuser of the
620 connecting user if appropriate.
621 ****************************************************************************/
623 static connection_struct *make_connection_snum(int snum, user_struct *vuser,
628 struct passwd *pass = NULL;
630 connection_struct *conn;
638 SET_STAT_INVALID(st);
640 if (NT_STATUS_IS_ERR(*status = share_sanity_checks(snum, dev))) {
646 DEBUG(0,("Couldn't find free connection.\n"));
647 *status = NT_STATUS_INSUFFICIENT_RESOURCES;
651 conn->params->service = snum;
652 conn->nt_user_token = NULL;
654 if (lp_guest_only(snum)) {
655 const char *guestname = lp_guestaccount();
657 char *found_username = NULL;
660 pass = getpwnam_alloc(NULL, guestname);
662 DEBUG(0,("make_connection_snum: Invalid guest "
663 "account %s??\n",guestname));
665 *status = NT_STATUS_NO_SUCH_USER;
668 status2 = create_token_from_username(conn->mem_ctx, pass->pw_name, True,
669 &conn->uid, &conn->gid,
671 &conn->nt_user_token);
672 if (!NT_STATUS_IS_OK(status2)) {
678 fstrcpy(user, found_username);
679 string_set(&conn->user,user);
680 conn->force_user = True;
681 TALLOC_FREE(found_username);
683 DEBUG(3,("Guest only user %s\n",user));
686 if (!lp_guest_ok(snum)) {
687 DEBUG(2, ("guest user (from session setup) "
688 "not permitted to access this share "
689 "(%s)\n", lp_servicename(snum)));
691 *status = NT_STATUS_ACCESS_DENIED;
695 if (!user_ok_token(vuser->user.unix_name,
696 vuser->nt_user_token, snum)) {
697 DEBUG(2, ("user '%s' (from session setup) not "
698 "permitted to access this share "
699 "(%s)\n", vuser->user.unix_name,
700 lp_servicename(snum)));
702 *status = NT_STATUS_ACCESS_DENIED;
706 conn->vuid = vuser->vuid;
707 conn->uid = vuser->uid;
708 conn->gid = vuser->gid;
709 string_set(&conn->user,vuser->user.unix_name);
710 fstrcpy(user,vuser->user.unix_name);
711 guest = vuser->guest;
712 } else if (lp_security() == SEC_SHARE) {
714 char *found_username = NULL;
716 /* add it as a possible user name if we
717 are in share mode security */
718 add_session_user(lp_servicename(snum));
719 /* shall we let them in? */
720 if (!authorise_login(snum,user,password,&guest)) {
721 DEBUG( 2, ( "Invalid username/password for [%s]\n",
722 lp_servicename(snum)) );
724 *status = NT_STATUS_WRONG_PASSWORD;
727 pass = Get_Pwnam(user);
728 status2 = create_token_from_username(conn->mem_ctx, pass->pw_name, True,
729 &conn->uid, &conn->gid,
731 &conn->nt_user_token);
732 if (!NT_STATUS_IS_OK(status2)) {
737 fstrcpy(user, found_username);
738 string_set(&conn->user,user);
739 TALLOC_FREE(found_username);
740 conn->force_user = True;
742 DEBUG(0, ("invalid VUID (vuser) but not in security=share\n"));
744 *status = NT_STATUS_ACCESS_DENIED;
748 add_session_user(user);
750 safe_strcpy(conn->client_address, client_addr(),
751 sizeof(conn->client_address)-1);
752 conn->num_files_open = 0;
753 conn->lastused = conn->lastused_count = time(NULL);
755 conn->printer = (strncmp(dev,"LPT",3) == 0);
756 conn->ipc = ( (strncmp(dev,"IPC",3) == 0) ||
757 ( lp_enable_asu_support() && strequal(dev,"ADMIN$")) );
760 /* Case options for the share. */
761 if (lp_casesensitive(snum) == Auto) {
762 /* We will be setting this per packet. Set to be case
763 * insensitive for now. */
764 conn->case_sensitive = False;
766 conn->case_sensitive = (BOOL)lp_casesensitive(snum);
769 conn->case_preserve = lp_preservecase(snum);
770 conn->short_case_preserve = lp_shortpreservecase(snum);
772 conn->veto_list = NULL;
773 conn->hide_list = NULL;
774 conn->veto_oplock_list = NULL;
775 conn->aio_write_behind_list = NULL;
776 string_set(&conn->dirpath,"");
777 string_set(&conn->user,user);
779 conn->read_only = lp_readonly(SNUM(conn));
780 conn->admin_user = False;
783 * If force user is true, then store the given userid and the gid of
784 * the user we're forcing.
785 * For auxiliary groups see below.
788 if (*lp_force_user(snum)) {
791 status2 = find_forced_user(conn,
792 (vuser != NULL) && vuser->guest,
794 if (!NT_STATUS_IS_OK(status2)) {
799 string_set(&conn->user,user);
800 conn->force_user = True;
801 DEBUG(3,("Forced user %s\n",user));
805 * If force group is true, then override
806 * any groupid stored for the connecting user.
809 if (*lp_force_group(snum)) {
813 status2 = find_forced_group(conn->force_user,
815 &group_sid, &conn->gid);
816 if (!NT_STATUS_IS_OK(status2)) {
822 if ((conn->nt_user_token == NULL) && (vuser != NULL)) {
824 /* Not force user and not security=share, but force
825 * group. vuser has a token to copy */
827 conn->nt_user_token = dup_nt_token(
828 NULL, vuser->nt_user_token);
829 if (conn->nt_user_token == NULL) {
830 DEBUG(0, ("dup_nt_token failed\n"));
832 *status = NT_STATUS_NO_MEMORY;
837 /* If conn->nt_user_token is still NULL, we have
838 * security=share. This means ignore the SID, as we had no
839 * vuser to copy from */
841 if (conn->nt_user_token != NULL) {
842 /* Overwrite the primary group sid */
843 sid_copy(&conn->nt_user_token->user_sids[1],
847 conn->force_group = True;
850 if (conn->nt_user_token != NULL) {
853 /* We have a share-specific token from force [user|group].
854 * This means we have to create the list of unix groups from
855 * the list of sids. */
860 for (i=0; i<conn->nt_user_token->num_sids; i++) {
862 DOM_SID *sid = &conn->nt_user_token->user_sids[i];
864 if (!sid_to_gid(sid, &gid)) {
865 DEBUG(10, ("Could not convert SID %s to gid, "
867 sid_string_static(sid)));
870 if (!add_gid_to_array_unique(conn->mem_ctx, gid, &conn->groups,
872 DEBUG(0, ("add_gid_to_array_unique failed\n"));
874 *status = NT_STATUS_NO_MEMORY;
882 pstrcpy(s,lp_pathname(snum));
883 standard_sub_advanced(lp_servicename(SNUM(conn)), conn->user,
884 conn->connectpath, conn->gid,
885 get_current_username(),
886 current_user_info.domain,
888 set_conn_connectpath(conn,s);
889 DEBUG(3,("Connect path is '%s' for service [%s]\n",s,
890 lp_servicename(snum)));
894 * New code to check if there's a share security descripter
895 * added from NT server manager. This is done after the
896 * smb.conf checks are done as we need a uid and token. JRA.
901 NT_USER_TOKEN *token = conn->nt_user_token ?
902 conn->nt_user_token : vuser->nt_user_token;
904 BOOL can_write = share_access_check(token,
905 lp_servicename(snum),
909 if (!share_access_check(token,
910 lp_servicename(snum),
912 /* No access, read or write. */
913 DEBUG(0,("make_connection: connection to %s "
914 "denied due to security "
916 lp_servicename(snum)));
918 *status = NT_STATUS_ACCESS_DENIED;
921 conn->read_only = True;
925 /* Initialise VFS function pointers */
927 if (!smbd_vfs_init(conn)) {
928 DEBUG(0, ("vfs_init failed for service %s\n",
929 lp_servicename(snum)));
931 *status = NT_STATUS_BAD_NETWORK_NAME;
936 * If widelinks are disallowed we need to canonicalise the connect
937 * path here to ensure we don't have any symlinks in the
938 * connectpath. We will be checking all paths on this connection are
939 * below this directory. We must do this after the VFS init as we
940 * depend on the realpath() pointer in the vfs table. JRA.
942 if (!lp_widelinks(snum)) {
944 pstrcpy(s,conn->connectpath);
945 canonicalize_path(conn, s);
946 set_conn_connectpath(conn,s);
949 if ((!conn->printer) && (!conn->ipc)) {
950 conn->notify_ctx = notify_init(conn->mem_ctx, server_id_self(),
951 smbd_messaging_context(),
952 smbd_event_context(),
956 /* ROOT Activities: */
957 /* check number of connections */
958 if (!claim_connection(conn,
959 lp_servicename(snum),
960 lp_max_connections(snum),
962 DEBUG(1,("too many connections - rejected\n"));
964 *status = NT_STATUS_INSUFFICIENT_RESOURCES;
968 /* Preexecs are done here as they might make the dir we are to ChDir
970 /* execute any "root preexec = " line */
971 if (*lp_rootpreexec(snum)) {
973 pstrcpy(cmd,lp_rootpreexec(snum));
974 standard_sub_advanced(lp_servicename(SNUM(conn)), conn->user,
975 conn->connectpath, conn->gid,
976 get_current_username(),
977 current_user_info.domain,
979 DEBUG(5,("cmd=%s\n",cmd));
980 ret = smbrun(cmd,NULL);
981 if (ret != 0 && lp_rootpreexec_close(snum)) {
982 DEBUG(1,("root preexec gave %d - failing "
983 "connection\n", ret));
984 yield_connection(conn, lp_servicename(snum));
986 *status = NT_STATUS_ACCESS_DENIED;
991 /* USER Activites: */
992 if (!change_to_user(conn, conn->vuid)) {
993 /* No point continuing if they fail the basic checks */
994 DEBUG(0,("Can't become connected user!\n"));
995 yield_connection(conn, lp_servicename(snum));
997 *status = NT_STATUS_LOGON_FAILURE;
1001 /* Remember that a different vuid can connect later without these
1004 /* Preexecs are done here as they might make the dir we are to ChDir
1007 /* execute any "preexec = " line */
1008 if (*lp_preexec(snum)) {
1010 pstrcpy(cmd,lp_preexec(snum));
1011 standard_sub_advanced(lp_servicename(SNUM(conn)), conn->user,
1012 conn->connectpath, conn->gid,
1013 get_current_username(),
1014 current_user_info.domain,
1016 ret = smbrun(cmd,NULL);
1017 if (ret != 0 && lp_preexec_close(snum)) {
1018 DEBUG(1,("preexec gave %d - failing connection\n",
1020 change_to_root_user();
1021 yield_connection(conn, lp_servicename(snum));
1023 *status = NT_STATUS_ACCESS_DENIED;
1028 #ifdef WITH_FAKE_KASERVER
1029 if (lp_afs_share(snum)) {
1034 /* Add veto/hide lists */
1035 if (!IS_IPC(conn) && !IS_PRINT(conn)) {
1036 set_namearray( &conn->veto_list, lp_veto_files(snum));
1037 set_namearray( &conn->hide_list, lp_hide_files(snum));
1038 set_namearray( &conn->veto_oplock_list, lp_veto_oplocks(snum));
1041 /* Invoke VFS make connection hook - do this before the VFS_STAT call
1042 to allow any filesystems needing user credentials to initialize
1045 if (SMB_VFS_CONNECT(conn, lp_servicename(snum), user) < 0) {
1046 DEBUG(0,("make_connection: VFS make connection failed!\n"));
1047 change_to_root_user();
1048 yield_connection(conn, lp_servicename(snum));
1050 *status = NT_STATUS_UNSUCCESSFUL;
1054 /* win2000 does not check the permissions on the directory
1055 during the tree connect, instead relying on permission
1056 check during individual operations. To match this behaviour
1057 I have disabled this chdir check (tridge) */
1058 /* the alternative is just to check the directory exists */
1059 if ((ret = SMB_VFS_STAT(conn, conn->connectpath, &st)) != 0 ||
1060 !S_ISDIR(st.st_mode)) {
1061 if (ret == 0 && !S_ISDIR(st.st_mode)) {
1062 DEBUG(0,("'%s' is not a directory, when connecting to "
1063 "[%s]\n", conn->connectpath,
1064 lp_servicename(snum)));
1066 DEBUG(0,("'%s' does not exist or permission denied "
1067 "when connecting to [%s] Error was %s\n",
1068 conn->connectpath, lp_servicename(snum),
1071 change_to_root_user();
1072 /* Call VFS disconnect hook */
1073 SMB_VFS_DISCONNECT(conn);
1074 yield_connection(conn, lp_servicename(snum));
1076 *status = NT_STATUS_BAD_NETWORK_NAME;
1080 string_set(&conn->origpath,conn->connectpath);
1082 #if SOFTLINK_OPTIMISATION
1083 /* resolve any soft links early if possible */
1084 if (vfs_ChDir(conn,conn->connectpath) == 0) {
1086 pstrcpy(s,conn->connectpath);
1088 set_conn_connectpath(conn,s);
1089 vfs_ChDir(conn,conn->connectpath);
1094 * Print out the 'connected as' stuff here as we need
1095 * to know the effective uid and gid we will be using
1096 * (at least initially).
1099 if( DEBUGLVL( IS_IPC(conn) ? 3 : 1 ) ) {
1100 dbgtext( "%s (%s) ", get_remote_machine_name(),
1101 conn->client_address );
1102 dbgtext( "%s", srv_is_signing_active() ? "signed " : "");
1103 dbgtext( "connect to service %s ", lp_servicename(snum) );
1104 dbgtext( "initially as user %s ", user );
1105 dbgtext( "(uid=%d, gid=%d) ", (int)geteuid(), (int)getegid() );
1106 dbgtext( "(pid %d)\n", (int)sys_getpid() );
1109 /* we've finished with the user stuff - go back to root */
1110 change_to_root_user();
1114 /***************************************************************************************
1115 Simple wrapper function for make_connection() to include a call to
1117 **************************************************************************************/
1119 connection_struct *make_connection_with_chdir(const char *service_in,
1121 const char *dev, uint16 vuid,
1124 connection_struct *conn = NULL;
1126 conn = make_connection(service_in, password, dev, vuid, status);
1129 * make_connection() does not change the directory for us any more
1130 * so we have to do it as a separate step --jerry
1133 if ( conn && vfs_ChDir(conn,conn->connectpath) != 0 ) {
1134 DEBUG(0,("move_driver_to_download_area: Can't change "
1135 "directory to %s for [print$] (%s)\n",
1136 conn->connectpath,strerror(errno)));
1137 yield_connection(conn, lp_servicename(SNUM(conn)));
1139 *status = NT_STATUS_UNSUCCESSFUL;
1146 /****************************************************************************
1147 Make a connection to a service.
1150 ****************************************************************************/
1152 connection_struct *make_connection(const char *service_in, DATA_BLOB password,
1153 const char *pdev, uint16 vuid,
1157 user_struct *vuser = NULL;
1164 /* This must ONLY BE CALLED AS ROOT. As it exits this function as
1166 if (!non_root_mode() && (euid = geteuid()) != 0) {
1167 DEBUG(0,("make_connection: PANIC ERROR. Called as nonroot "
1168 "(%u)\n", (unsigned int)euid ));
1169 smb_panic("make_connection: PANIC ERROR. Called as nonroot\n");
1172 if (conn_num_open() > 2047) {
1173 *status = NT_STATUS_INSUFF_SERVER_RESOURCES;
1177 if(lp_security() != SEC_SHARE) {
1178 vuser = get_valid_user_struct(vuid);
1180 DEBUG(1,("make_connection: refusing to connect with "
1181 "no session setup\n"));
1182 *status = NT_STATUS_ACCESS_DENIED;
1187 /* Logic to try and connect to the correct [homes] share, preferably
1188 without too many getpwnam() lookups. This is particulary nasty for
1189 winbind usernames, where the share name isn't the same as unix
1192 The snum of the homes share is stored on the vuser at session setup
1196 if (strequal(service_in,HOMES_NAME)) {
1197 if(lp_security() != SEC_SHARE) {
1198 DATA_BLOB no_pw = data_blob(NULL, 0);
1199 if (vuser->homes_snum == -1) {
1200 DEBUG(2, ("[homes] share not available for "
1201 "this user because it was not found "
1202 "or created at session setup "
1204 *status = NT_STATUS_BAD_NETWORK_NAME;
1207 DEBUG(5, ("making a connection to [homes] service "
1208 "created at session setup time\n"));
1209 return make_connection_snum(vuser->homes_snum,
1213 /* Security = share. Try with
1214 * current_user_info.smb_name as the username. */
1215 if (*current_user_info.smb_name) {
1216 fstring unix_username;
1217 fstrcpy(unix_username,
1218 current_user_info.smb_name);
1219 map_username(unix_username);
1220 snum = find_service(unix_username);
1223 DEBUG(5, ("making a connection to 'homes' "
1224 "service %s based on "
1225 "security=share\n", service_in));
1226 return make_connection_snum(snum, NULL,
1231 } else if ((lp_security() != SEC_SHARE) && (vuser->homes_snum != -1)
1232 && strequal(service_in,
1233 lp_servicename(vuser->homes_snum))) {
1234 DATA_BLOB no_pw = data_blob(NULL, 0);
1235 DEBUG(5, ("making a connection to 'homes' service [%s] "
1236 "created at session setup time\n", service_in));
1237 return make_connection_snum(vuser->homes_snum,
1242 fstrcpy(service, service_in);
1244 strlower_m(service);
1246 snum = find_service(service);
1249 if (strequal(service,"IPC$") ||
1250 (lp_enable_asu_support() && strequal(service,"ADMIN$"))) {
1251 DEBUG(3,("refusing IPC connection to %s\n", service));
1252 *status = NT_STATUS_ACCESS_DENIED;
1256 DEBUG(0,("%s (%s) couldn't find service %s\n",
1257 get_remote_machine_name(), client_addr(), service));
1258 *status = NT_STATUS_BAD_NETWORK_NAME;
1262 /* Handle non-Dfs clients attempting connections to msdfs proxy */
1263 if (lp_host_msdfs() && (*lp_msdfs_proxy(snum) != '\0')) {
1264 DEBUG(3, ("refusing connection to dfs proxy share '%s' "
1265 "(pointing to %s)\n",
1266 service, lp_msdfs_proxy(snum)));
1267 *status = NT_STATUS_BAD_NETWORK_NAME;
1271 DEBUG(5, ("making a connection to 'normal' service %s\n", service));
1273 return make_connection_snum(snum, vuser,
1278 /****************************************************************************
1280 ****************************************************************************/
1282 void close_cnum(connection_struct *conn, uint16 vuid)
1285 pipe_close_conn(conn);
1287 file_close_conn(conn);
1288 dptr_closecnum(conn);
1291 change_to_root_user();
1293 DEBUG(IS_IPC(conn)?3:1, ("%s (%s) closed connection to service %s\n",
1294 get_remote_machine_name(),
1295 conn->client_address,
1296 lp_servicename(SNUM(conn))));
1298 /* Call VFS disconnect hook */
1299 SMB_VFS_DISCONNECT(conn);
1301 yield_connection(conn, lp_servicename(SNUM(conn)));
1303 /* make sure we leave the directory available for unmount */
1304 vfs_ChDir(conn, "/");
1306 /* execute any "postexec = " line */
1307 if (*lp_postexec(SNUM(conn)) &&
1308 change_to_user(conn, vuid)) {
1310 pstrcpy(cmd,lp_postexec(SNUM(conn)));
1311 standard_sub_advanced(lp_servicename(SNUM(conn)), conn->user,
1312 conn->connectpath, conn->gid,
1313 get_current_username(),
1314 current_user_info.domain,
1317 change_to_root_user();
1320 change_to_root_user();
1321 /* execute any "root postexec = " line */
1322 if (*lp_rootpostexec(SNUM(conn))) {
1324 pstrcpy(cmd,lp_rootpostexec(SNUM(conn)));
1325 standard_sub_advanced(lp_servicename(SNUM(conn)), conn->user,
1326 conn->connectpath, conn->gid,
1327 get_current_username(),
1328 current_user_info.domain,
git.samba.org / ira / wip.git / blob