2 Unix SMB/CIFS implementation.
3 service (connection) opening and closing
4 Copyright (C) Andrew Tridgell 1992-1998
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 #include "smbd/globals.h"
23 extern userdom_struct current_user_info;
25 static bool canonicalize_connect_path(connection_struct *conn)
27 #ifdef REALPATH_TAKES_NULL
29 char *resolved_name = SMB_VFS_REALPATH(conn,conn->connectpath,NULL);
33 ret = set_conn_connectpath(conn,resolved_name);
34 SAFE_FREE(resolved_name);
37 char resolved_name_buf[PATH_MAX+1];
38 char *resolved_name = SMB_VFS_REALPATH(conn,conn->connectpath,resolved_name_buf);
42 return set_conn_connectpath(conn,resolved_name);
43 #endif /* REALPATH_TAKES_NULL */
46 /****************************************************************************
47 Ensure when setting connectpath it is a canonicalized (no ./ // or ../)
48 absolute path stating in / and not ending in /.
49 Observent people will notice a similarity between this and check_path_syntax :-).
50 ****************************************************************************/
52 bool set_conn_connectpath(connection_struct *conn, const char *connectpath)
56 const char *s = connectpath;
57 bool start_of_name_component = true;
59 destname = SMB_STRDUP(connectpath);
65 *d++ = '/'; /* Always start with root. */
69 /* Eat multiple '/' */
73 if ((d > destname + 1) && (*s != '\0')) {
76 start_of_name_component = True;
80 if (start_of_name_component) {
81 if ((s[0] == '.') && (s[1] == '.') && (s[2] == '/' || s[2] == '\0')) {
82 /* Uh oh - "/../" or "/..\0" ! */
84 /* Go past the ../ or .. */
88 s += 2; /* Go past the .. */
91 /* If we just added a '/' - delete it */
92 if ((d > destname) && (*(d-1) == '/')) {
97 /* Are we at the start ? Can't go back further if so. */
99 *d++ = '/'; /* Can't delete root */
102 /* Go back one level... */
103 /* Decrement d first as d points to the *next* char to write into. */
104 for (d--; d > destname; d--) {
109 /* We're still at the start of a name component, just the previous one. */
111 } else if ((s[0] == '.') && ((s[1] == '\0') || s[1] == '/')) {
112 /* Component of pathname can't be "." only - skip the '.' . */
126 /* Get the size of the next MB character. */
127 next_codepoint(s,&siz);
148 start_of_name_component = false;
152 /* And must not end in '/' */
153 if (d > destname + 1 && (*(d-1) == '/')) {
157 DEBUG(10,("set_conn_connectpath: service %s, connectpath = %s\n",
158 lp_servicename(SNUM(conn)), destname ));
160 string_set(&conn->connectpath, destname);
165 /****************************************************************************
166 Load parameters specific to a connection/service.
167 ****************************************************************************/
169 bool set_current_service(connection_struct *conn, uint16 flags, bool do_chdir)
178 conn->lastused_count++;
183 vfs_ChDir(conn,conn->connectpath) != 0 &&
184 vfs_ChDir(conn,conn->origpath) != 0) {
185 DEBUG(((errno!=EACCES)?0:3),("chdir (%s) failed, reason: %s\n",
186 conn->connectpath, strerror(errno)));
190 if ((conn == last_conn) && (last_flags == flags)) {
197 /* Obey the client case sensitivity requests - only for clients that support it. */
198 switch (lp_casesensitive(snum)) {
201 /* We need this uglyness due to DOS/Win9x clients that lie about case insensitivity. */
202 enum remote_arch_types ra_type = get_remote_arch();
203 if ((ra_type != RA_SAMBA) && (ra_type != RA_CIFSFS)) {
204 /* Client can't support per-packet case sensitive pathnames. */
205 conn->case_sensitive = False;
207 conn->case_sensitive = !(flags & FLAG_CASELESS_PATHNAMES);
212 conn->case_sensitive = True;
215 conn->case_sensitive = False;
221 static int load_registry_service(const char *servicename)
223 if (!lp_registry_shares()) {
227 if ((servicename == NULL) || (*servicename == '\0')) {
231 if (strequal(servicename, GLOBAL_NAME)) {
235 if (!process_registry_service(servicename)) {
239 return lp_servicenumber(servicename);
242 void load_registry_shares(void)
244 DEBUG(8, ("load_registry_shares()\n"));
245 if (!lp_registry_shares()) {
249 process_registry_shares();
254 /****************************************************************************
255 Add a home service. Returns the new service number or -1 if fail.
256 ****************************************************************************/
258 int add_home_service(const char *service, const char *username, const char *homedir)
262 if (!service || !homedir)
265 if ((iHomeService = lp_servicenumber(HOMES_NAME)) < 0) {
266 if ((iHomeService = load_registry_service(HOMES_NAME)) < 0) {
272 * If this is a winbindd provided username, remove
273 * the domain component before adding the service.
274 * Log a warning if the "path=" parameter does not
275 * include any macros.
279 const char *p = strchr(service,*lp_winbind_separator());
281 /* We only want the 'user' part of the string */
287 if (!lp_add_home(service, iHomeService, username, homedir)) {
291 return lp_servicenumber(service);
296 * Find a service entry.
298 * @param service is modified (to canonical form??)
301 int find_service(fstring service)
304 struct smbd_server_connection *sconn = smbd_server_conn;
306 all_string_sub(service,"\\","/",0);
308 iService = lp_servicenumber(service);
310 /* now handle the special case of a home directory */
312 char *phome_dir = get_user_home_dir(talloc_tos(), service);
316 * Try mapping the servicename, it may
317 * be a Windows to unix mapped user name.
319 if(map_username(sconn, service))
320 phome_dir = get_user_home_dir(
321 talloc_tos(), service);
324 DEBUG(3,("checking for home directory %s gave %s\n",service,
325 phome_dir?phome_dir:"(NULL)"));
327 iService = add_home_service(service,service /* 'username' */, phome_dir);
330 /* If we still don't have a service, attempt to add it as a printer. */
334 if ((iPrinterService = lp_servicenumber(PRINTERS_NAME)) < 0) {
335 iPrinterService = load_registry_service(PRINTERS_NAME);
337 if (iPrinterService) {
338 DEBUG(3,("checking whether %s is a valid printer name...\n", service));
339 if (pcap_printername_ok(service)) {
340 DEBUG(3,("%s is a valid printer name\n", service));
341 DEBUG(3,("adding %s as a printer service\n", service));
342 lp_add_printer(service, iPrinterService);
343 iService = lp_servicenumber(service);
345 DEBUG(0,("failed to add %s as a printer service!\n", service));
348 DEBUG(3,("%s is not a valid printer name\n", service));
353 /* Check for default vfs service? Unsure whether to implement this */
358 iService = load_registry_service(service);
361 /* Is it a usershare service ? */
362 if (iService < 0 && *lp_usershare_path()) {
363 /* Ensure the name is canonicalized. */
365 iService = load_usershare_service(service);
368 /* just possibly it's a default service? */
370 char *pdefservice = lp_defaultservice();
371 if (pdefservice && *pdefservice && !strequal(pdefservice,service) && !strstr_m(service,"..")) {
373 * We need to do a local copy here as lp_defaultservice()
374 * returns one of the rotating lp_string buffers that
375 * could get overwritten by the recursive find_service() call
376 * below. Fix from Josef Hinteregger <joehtg@joehtg.co.at>.
378 char *defservice = SMB_STRDUP(pdefservice);
384 /* Disallow anything except explicit share names. */
385 if (strequal(defservice,HOMES_NAME) ||
386 strequal(defservice, PRINTERS_NAME) ||
387 strequal(defservice, "IPC$")) {
388 SAFE_FREE(defservice);
392 iService = find_service(defservice);
394 all_string_sub(service, "_","/",0);
395 iService = lp_add_service(service, iService);
397 SAFE_FREE(defservice);
402 if (!VALID_SNUM(iService)) {
403 DEBUG(0,("Invalid snum %d for %s\n",iService, service));
411 DEBUG(3,("find_service() failed to find service %s\n", service));
417 /****************************************************************************
418 do some basic sainity checks on the share.
419 This function modifies dev, ecode.
420 ****************************************************************************/
422 static NTSTATUS share_sanity_checks(int snum, fstring dev)
425 if (!lp_snum_ok(snum) ||
426 !check_access(smbd_server_fd(),
427 lp_hostsallow(snum), lp_hostsdeny(snum))) {
428 return NT_STATUS_ACCESS_DENIED;
431 if (dev[0] == '?' || !dev[0]) {
432 if (lp_print_ok(snum)) {
433 fstrcpy(dev,"LPT1:");
434 } else if (strequal(lp_fstype(snum), "IPC")) {
443 if (lp_print_ok(snum)) {
444 if (!strequal(dev, "LPT1:")) {
445 return NT_STATUS_BAD_DEVICE_TYPE;
447 } else if (strequal(lp_fstype(snum), "IPC")) {
448 if (!strequal(dev, "IPC")) {
449 return NT_STATUS_BAD_DEVICE_TYPE;
451 } else if (!strequal(dev, "A:")) {
452 return NT_STATUS_BAD_DEVICE_TYPE;
455 /* Behave as a printer if we are supposed to */
456 if (lp_print_ok(snum) && (strcmp(dev, "A:") == 0)) {
457 fstrcpy(dev, "LPT1:");
464 * Go through lookup_name etc to find the force'd group.
466 * Create a new token from src_token, replacing the primary group sid with the
470 static NTSTATUS find_forced_group(bool force_user,
471 int snum, const char *username,
475 NTSTATUS result = NT_STATUS_NO_SUCH_GROUP;
476 TALLOC_CTX *frame = talloc_stackframe();
478 enum lsa_SidType type;
480 bool user_must_be_member = False;
483 groupname = talloc_strdup(talloc_tos(), lp_force_group(snum));
484 if (groupname == NULL) {
485 DEBUG(1, ("talloc_strdup failed\n"));
486 result = NT_STATUS_NO_MEMORY;
490 if (groupname[0] == '+') {
491 user_must_be_member = True;
495 groupname = talloc_string_sub(talloc_tos(), groupname,
496 "%S", lp_servicename(snum));
497 if (groupname == NULL) {
498 DEBUG(1, ("talloc_string_sub failed\n"));
499 result = NT_STATUS_NO_MEMORY;
503 if (!lookup_name_smbconf(talloc_tos(), groupname,
504 LOOKUP_NAME_ALL|LOOKUP_NAME_GROUP,
505 NULL, NULL, &group_sid, &type)) {
506 DEBUG(10, ("lookup_name_smbconf(%s) failed\n",
511 if ((type != SID_NAME_DOM_GRP) && (type != SID_NAME_ALIAS) &&
512 (type != SID_NAME_WKN_GRP)) {
513 DEBUG(10, ("%s is a %s, not a group\n", groupname,
514 sid_type_lookup(type)));
518 if (!sid_to_gid(&group_sid, &gid)) {
519 DEBUG(10, ("sid_to_gid(%s) for %s failed\n",
520 sid_string_dbg(&group_sid), groupname));
525 * If the user has been forced and the forced group starts with a '+',
526 * then we only set the group to be the forced group if the forced
527 * user is a member of that group. Otherwise, the meaning of the '+'
531 if (force_user && user_must_be_member) {
532 if (user_in_group_sid(username, &group_sid)) {
533 sid_copy(pgroup_sid, &group_sid);
535 DEBUG(3,("Forced group %s for member %s\n",
536 groupname, username));
538 DEBUG(0,("find_forced_group: forced user %s is not a member "
539 "of forced group %s. Disallowing access.\n",
540 username, groupname ));
541 result = NT_STATUS_MEMBER_NOT_IN_GROUP;
545 sid_copy(pgroup_sid, &group_sid);
547 DEBUG(3,("Forced group %s\n", groupname));
550 result = NT_STATUS_OK;
556 /****************************************************************************
557 Create an auth_serversupplied_info structure for a connection_struct
558 ****************************************************************************/
560 static NTSTATUS create_connection_server_info(struct smbd_server_connection *sconn,
561 TALLOC_CTX *mem_ctx, int snum,
562 struct auth_serversupplied_info *vuid_serverinfo,
564 struct auth_serversupplied_info **presult)
566 if (lp_guest_only(snum)) {
567 return make_server_info_guest(mem_ctx, presult);
570 if (vuid_serverinfo != NULL) {
572 struct auth_serversupplied_info *result;
575 * This is the normal security != share case where we have a
576 * valid vuid from the session setup. */
578 if (vuid_serverinfo->guest) {
579 if (!lp_guest_ok(snum)) {
580 DEBUG(2, ("guest user (from session setup) "
581 "not permitted to access this share "
582 "(%s)\n", lp_servicename(snum)));
583 return NT_STATUS_ACCESS_DENIED;
586 if (!user_ok_token(vuid_serverinfo->unix_name,
587 pdb_get_domain(vuid_serverinfo->sam_account),
588 vuid_serverinfo->ptok, snum)) {
589 DEBUG(2, ("user '%s' (from session setup) not "
590 "permitted to access this share "
592 vuid_serverinfo->unix_name,
593 lp_servicename(snum)));
594 return NT_STATUS_ACCESS_DENIED;
598 result = copy_serverinfo(mem_ctx, vuid_serverinfo);
599 if (result == NULL) {
600 return NT_STATUS_NO_MEMORY;
607 if (lp_security() == SEC_SHARE) {
612 /* add the sharename as a possible user name if we
613 are in share mode security */
615 add_session_user(sconn, lp_servicename(snum));
617 /* shall we let them in? */
619 if (!authorise_login(sconn, snum,user,password,&guest)) {
620 DEBUG( 2, ( "Invalid username/password for [%s]\n",
621 lp_servicename(snum)) );
622 return NT_STATUS_WRONG_PASSWORD;
625 return make_serverinfo_from_username(mem_ctx, user, guest,
629 DEBUG(0, ("invalid VUID (vuser) but not in security=share\n"));
630 return NT_STATUS_ACCESS_DENIED;
634 /****************************************************************************
635 Make a connection, given the snum to connect to, and the vuser of the
636 connecting user if appropriate.
637 ****************************************************************************/
639 connection_struct *make_connection_snum(struct smbd_server_connection *sconn,
640 int snum, user_struct *vuser,
645 connection_struct *conn;
646 struct smb_filename *smb_fname_cpath = NULL;
649 char addr[INET6_ADDRSTRLEN];
650 bool on_err_call_dis_hook = false;
655 if (NT_STATUS_IS_ERR(*pstatus = share_sanity_checks(snum, dev))) {
659 conn = conn_new(sconn);
661 DEBUG(0,("Couldn't find free connection.\n"));
662 *pstatus = NT_STATUS_INSUFFICIENT_RESOURCES;
666 conn->params->service = snum;
668 status = create_connection_server_info(sconn,
669 conn, snum, vuser ? vuser->server_info : NULL, password,
672 if (!NT_STATUS_IS_OK(status)) {
673 DEBUG(1, ("create_connection_server_info failed: %s\n",
680 if ((lp_guest_only(snum)) || (lp_security() == SEC_SHARE)) {
681 conn->force_user = true;
684 add_session_user(sconn, conn->server_info->unix_name);
686 safe_strcpy(conn->client_address,
687 client_addr(get_client_fd(),addr,sizeof(addr)),
688 sizeof(conn->client_address)-1);
689 conn->num_files_open = 0;
690 conn->lastused = conn->lastused_count = time(NULL);
692 conn->printer = (strncmp(dev,"LPT",3) == 0);
693 conn->ipc = ( (strncmp(dev,"IPC",3) == 0) ||
694 ( lp_enable_asu_support() && strequal(dev,"ADMIN$")) );
696 /* Case options for the share. */
697 if (lp_casesensitive(snum) == Auto) {
698 /* We will be setting this per packet. Set to be case
699 * insensitive for now. */
700 conn->case_sensitive = False;
702 conn->case_sensitive = (bool)lp_casesensitive(snum);
705 conn->case_preserve = lp_preservecase(snum);
706 conn->short_case_preserve = lp_shortpreservecase(snum);
708 conn->encrypt_level = lp_smb_encrypt(snum);
710 conn->veto_list = NULL;
711 conn->hide_list = NULL;
712 conn->veto_oplock_list = NULL;
713 conn->aio_write_behind_list = NULL;
715 conn->read_only = lp_readonly(SNUM(conn));
716 conn->admin_user = False;
718 if (*lp_force_user(snum)) {
721 * Replace conn->server_info with a completely faked up one
722 * from the username we are forced into :-)
726 struct auth_serversupplied_info *forced_serverinfo;
728 fuser = talloc_string_sub(conn, lp_force_user(snum), "%S",
729 lp_servicename(snum));
732 *pstatus = NT_STATUS_NO_MEMORY;
736 status = make_serverinfo_from_username(
737 conn, fuser, conn->server_info->guest,
739 if (!NT_STATUS_IS_OK(status)) {
745 TALLOC_FREE(conn->server_info);
746 conn->server_info = forced_serverinfo;
748 conn->force_user = True;
749 DEBUG(3,("Forced user %s\n", fuser));
753 * If force group is true, then override
754 * any groupid stored for the connecting user.
757 if (*lp_force_group(snum)) {
759 status = find_forced_group(
760 conn->force_user, snum, conn->server_info->unix_name,
761 &conn->server_info->ptok->user_sids[1],
762 &conn->server_info->utok.gid);
764 if (!NT_STATUS_IS_OK(status)) {
771 * We need to cache this gid, to use within
772 * change_to_user() separately from the conn->server_info
773 * struct. We only use conn->server_info directly if
774 * "force_user" was set.
776 conn->force_group_gid = conn->server_info->utok.gid;
779 conn->vuid = (vuser != NULL) ? vuser->vuid : UID_FIELD_INVALID;
782 char *s = talloc_sub_advanced(talloc_tos(),
783 lp_servicename(SNUM(conn)),
784 conn->server_info->unix_name,
786 conn->server_info->utok.gid,
787 conn->server_info->sanitized_username,
788 pdb_get_domain(conn->server_info->sam_account),
792 *pstatus = NT_STATUS_NO_MEMORY;
796 if (!set_conn_connectpath(conn,s)) {
799 *pstatus = NT_STATUS_NO_MEMORY;
802 DEBUG(3,("Connect path is '%s' for service [%s]\n",s,
803 lp_servicename(snum)));
808 * New code to check if there's a share security descripter
809 * added from NT server manager. This is done after the
810 * smb.conf checks are done as we need a uid and token. JRA.
815 bool can_write = False;
817 can_write = share_access_check(conn->server_info->ptok,
818 lp_servicename(snum),
822 if (!share_access_check(conn->server_info->ptok,
823 lp_servicename(snum),
825 /* No access, read or write. */
826 DEBUG(0,("make_connection: connection to %s "
827 "denied due to security "
829 lp_servicename(snum)));
831 *pstatus = NT_STATUS_ACCESS_DENIED;
834 conn->read_only = True;
838 /* Initialise VFS function pointers */
840 if (!smbd_vfs_init(conn)) {
841 DEBUG(0, ("vfs_init failed for service %s\n",
842 lp_servicename(snum)));
844 *pstatus = NT_STATUS_BAD_NETWORK_NAME;
849 * If widelinks are disallowed we need to canonicalise the connect
850 * path here to ensure we don't have any symlinks in the
851 * connectpath. We will be checking all paths on this connection are
852 * below this directory. We must do this after the VFS init as we
853 * depend on the realpath() pointer in the vfs table. JRA.
855 if (!lp_widelinks(snum)) {
856 if (!canonicalize_connect_path(conn)) {
857 DEBUG(0, ("canonicalize_connect_path failed "
858 "for service %s, path %s\n",
859 lp_servicename(snum),
862 *pstatus = NT_STATUS_BAD_NETWORK_NAME;
867 if ((!conn->printer) && (!conn->ipc)) {
868 conn->notify_ctx = notify_init(conn, server_id_self(),
869 smbd_messaging_context(),
870 smbd_event_context(),
874 /* ROOT Activities: */
876 * Enforce the max connections parameter.
879 if ((lp_max_connections(snum) > 0)
880 && (count_current_connections(lp_servicename(SNUM(conn)), True) >=
881 lp_max_connections(snum))) {
883 DEBUG(1, ("Max connections (%d) exceeded for %s\n",
884 lp_max_connections(snum), lp_servicename(snum)));
886 *pstatus = NT_STATUS_INSUFFICIENT_RESOURCES;
891 * Get us an entry in the connections db
893 if (!claim_connection(conn, lp_servicename(snum), 0)) {
894 DEBUG(1, ("Could not store connections entry\n"));
896 *pstatus = NT_STATUS_INTERNAL_DB_ERROR;
900 /* Preexecs are done here as they might make the dir we are to ChDir
902 /* execute any "root preexec = " line */
903 if (*lp_rootpreexec(snum)) {
904 char *cmd = talloc_sub_advanced(talloc_tos(),
905 lp_servicename(SNUM(conn)),
906 conn->server_info->unix_name,
908 conn->server_info->utok.gid,
909 conn->server_info->sanitized_username,
910 pdb_get_domain(conn->server_info->sam_account),
911 lp_rootpreexec(snum));
912 DEBUG(5,("cmd=%s\n",cmd));
913 ret = smbrun(cmd,NULL);
915 if (ret != 0 && lp_rootpreexec_close(snum)) {
916 DEBUG(1,("root preexec gave %d - failing "
917 "connection\n", ret));
918 yield_connection(conn, lp_servicename(snum));
920 *pstatus = NT_STATUS_ACCESS_DENIED;
925 /* USER Activites: */
926 if (!change_to_user(conn, conn->vuid)) {
927 /* No point continuing if they fail the basic checks */
928 DEBUG(0,("Can't become connected user!\n"));
929 yield_connection(conn, lp_servicename(snum));
931 *pstatus = NT_STATUS_LOGON_FAILURE;
935 /* Remember that a different vuid can connect later without these
938 /* Preexecs are done here as they might make the dir we are to ChDir
941 /* execute any "preexec = " line */
942 if (*lp_preexec(snum)) {
943 char *cmd = talloc_sub_advanced(talloc_tos(),
944 lp_servicename(SNUM(conn)),
945 conn->server_info->unix_name,
947 conn->server_info->utok.gid,
948 conn->server_info->sanitized_username,
949 pdb_get_domain(conn->server_info->sam_account),
951 ret = smbrun(cmd,NULL);
953 if (ret != 0 && lp_preexec_close(snum)) {
954 DEBUG(1,("preexec gave %d - failing connection\n",
956 *pstatus = NT_STATUS_ACCESS_DENIED;
961 #ifdef WITH_FAKE_KASERVER
962 if (lp_afs_share(snum)) {
967 /* Add veto/hide lists */
968 if (!IS_IPC(conn) && !IS_PRINT(conn)) {
969 set_namearray( &conn->veto_list, lp_veto_files(snum));
970 set_namearray( &conn->hide_list, lp_hide_files(snum));
971 set_namearray( &conn->veto_oplock_list, lp_veto_oplocks(snum));
972 set_namearray( &conn->aio_write_behind_list,
973 lp_aio_write_behind(snum));
976 /* Invoke VFS make connection hook - do this before the VFS_STAT call
977 to allow any filesystems needing user credentials to initialize
980 if (SMB_VFS_CONNECT(conn, lp_servicename(snum),
981 conn->server_info->unix_name) < 0) {
982 DEBUG(0,("make_connection: VFS make connection failed!\n"));
983 *pstatus = NT_STATUS_UNSUCCESSFUL;
987 /* Any error exit after here needs to call the disconnect hook. */
988 on_err_call_dis_hook = true;
990 status = create_synthetic_smb_fname(talloc_tos(), conn->connectpath,
991 NULL, NULL, &smb_fname_cpath);
992 if (!NT_STATUS_IS_OK(status)) {
997 /* win2000 does not check the permissions on the directory
998 during the tree connect, instead relying on permission
999 check during individual operations. To match this behaviour
1000 I have disabled this chdir check (tridge) */
1001 /* the alternative is just to check the directory exists */
1002 if ((ret = SMB_VFS_STAT(conn, smb_fname_cpath)) != 0 ||
1003 !S_ISDIR(smb_fname_cpath->st.st_ex_mode)) {
1004 if (ret == 0 && !S_ISDIR(smb_fname_cpath->st.st_ex_mode)) {
1005 DEBUG(0,("'%s' is not a directory, when connecting to "
1006 "[%s]\n", conn->connectpath,
1007 lp_servicename(snum)));
1009 DEBUG(0,("'%s' does not exist or permission denied "
1010 "when connecting to [%s] Error was %s\n",
1011 conn->connectpath, lp_servicename(snum),
1014 *pstatus = NT_STATUS_BAD_NETWORK_NAME;
1018 if (smb_fname_cpath->st.st_ex_mtime.tv_nsec ||
1019 smb_fname_cpath->st.st_ex_atime.tv_nsec ||
1020 smb_fname_cpath->st.st_ex_ctime.tv_nsec) {
1021 /* If any of the normal UNIX directory timestamps
1022 * have a non-zero tv_nsec component assume
1023 * we can fully store hires timestamps. We need
1024 * to make a runtime/share level distinction
1025 * as on Linux ext3 doesn't have hires timestamps, but
1026 * ext4 does, so a compile time test won't work. JRA.
1028 DEBUG(10,("make_connection_snum: hires timestamps "
1029 "available on share %s, directory %s\n",
1030 lp_servicename(snum),
1031 conn->connectpath ));
1032 conn->hires_timestamps_avail = true;
1035 string_set(&conn->origpath,conn->connectpath);
1037 #if SOFTLINK_OPTIMISATION
1038 /* resolve any soft links early if possible */
1039 if (vfs_ChDir(conn,conn->connectpath) == 0) {
1040 TALLOC_CTX *ctx = talloc_tos();
1041 char *s = vfs_GetWd(ctx,s);
1043 *status = map_nt_error_from_unix(errno);
1046 if (!set_conn_connectpath(conn,s)) {
1047 *status = NT_STATUS_NO_MEMORY;
1050 vfs_ChDir(conn,conn->connectpath);
1054 /* Figure out the characteristics of the underlying filesystem. This
1055 * assumes that all the filesystem mounted withing a share path have
1056 * the same characteristics, which is likely but not guaranteed.
1059 conn->fs_capabilities = SMB_VFS_FS_CAPABILITIES(conn);
1062 * Print out the 'connected as' stuff here as we need
1063 * to know the effective uid and gid we will be using
1064 * (at least initially).
1067 if( DEBUGLVL( IS_IPC(conn) ? 3 : 1 ) ) {
1068 dbgtext( "%s (%s) ", get_remote_machine_name(),
1069 conn->client_address );
1070 dbgtext( "%s", srv_is_signing_active(smbd_server_conn) ? "signed " : "");
1071 dbgtext( "connect to service %s ", lp_servicename(snum) );
1072 dbgtext( "initially as user %s ",
1073 conn->server_info->unix_name );
1074 dbgtext( "(uid=%d, gid=%d) ", (int)geteuid(), (int)getegid() );
1075 dbgtext( "(pid %d)\n", (int)sys_getpid() );
1078 /* we've finished with the user stuff - go back to root */
1079 change_to_root_user();
1083 TALLOC_FREE(smb_fname_cpath);
1084 change_to_root_user();
1085 if (on_err_call_dis_hook) {
1086 /* Call VFS disconnect hook */
1087 SMB_VFS_DISCONNECT(conn);
1089 yield_connection(conn, lp_servicename(snum));
1094 /****************************************************************************
1095 Make a connection to a service.
1098 ****************************************************************************/
1100 connection_struct *make_connection(struct smbd_server_connection *sconn,
1101 const char *service_in, DATA_BLOB password,
1102 const char *pdev, uint16 vuid,
1106 user_struct *vuser = NULL;
1110 char addr[INET6_ADDRSTRLEN];
1114 /* This must ONLY BE CALLED AS ROOT. As it exits this function as
1116 if (!non_root_mode() && (euid = geteuid()) != 0) {
1117 DEBUG(0,("make_connection: PANIC ERROR. Called as nonroot "
1118 "(%u)\n", (unsigned int)euid ));
1119 smb_panic("make_connection: PANIC ERROR. Called as nonroot\n");
1122 if (conn_num_open(sconn) > 2047) {
1123 *status = NT_STATUS_INSUFF_SERVER_RESOURCES;
1127 if(lp_security() != SEC_SHARE) {
1128 vuser = get_valid_user_struct(sconn, vuid);
1130 DEBUG(1,("make_connection: refusing to connect with "
1131 "no session setup\n"));
1132 *status = NT_STATUS_ACCESS_DENIED;
1137 /* Logic to try and connect to the correct [homes] share, preferably
1138 without too many getpwnam() lookups. This is particulary nasty for
1139 winbind usernames, where the share name isn't the same as unix
1142 The snum of the homes share is stored on the vuser at session setup
1146 if (strequal(service_in,HOMES_NAME)) {
1147 if(lp_security() != SEC_SHARE) {
1148 DATA_BLOB no_pw = data_blob_null;
1149 if (vuser->homes_snum == -1) {
1150 DEBUG(2, ("[homes] share not available for "
1151 "this user because it was not found "
1152 "or created at session setup "
1154 *status = NT_STATUS_BAD_NETWORK_NAME;
1157 DEBUG(5, ("making a connection to [homes] service "
1158 "created at session setup time\n"));
1159 return make_connection_snum(sconn,
1164 /* Security = share. Try with
1165 * current_user_info.smb_name as the username. */
1166 if (*current_user_info.smb_name) {
1167 fstring unix_username;
1168 fstrcpy(unix_username,
1169 current_user_info.smb_name);
1170 map_username(sconn, unix_username);
1171 snum = find_service(unix_username);
1174 DEBUG(5, ("making a connection to 'homes' "
1175 "service %s based on "
1176 "security=share\n", service_in));
1177 return make_connection_snum(sconn,
1183 } else if ((lp_security() != SEC_SHARE) && (vuser->homes_snum != -1)
1184 && strequal(service_in,
1185 lp_servicename(vuser->homes_snum))) {
1186 DATA_BLOB no_pw = data_blob_null;
1187 DEBUG(5, ("making a connection to 'homes' service [%s] "
1188 "created at session setup time\n", service_in));
1189 return make_connection_snum(sconn,
1195 fstrcpy(service, service_in);
1197 strlower_m(service);
1199 snum = find_service(service);
1202 if (strequal(service,"IPC$") ||
1203 (lp_enable_asu_support() && strequal(service,"ADMIN$"))) {
1204 DEBUG(3,("refusing IPC connection to %s\n", service));
1205 *status = NT_STATUS_ACCESS_DENIED;
1209 DEBUG(0,("%s (%s) couldn't find service %s\n",
1210 get_remote_machine_name(),
1211 client_addr(get_client_fd(),addr,sizeof(addr)),
1213 *status = NT_STATUS_BAD_NETWORK_NAME;
1217 /* Handle non-Dfs clients attempting connections to msdfs proxy */
1218 if (lp_host_msdfs() && (*lp_msdfs_proxy(snum) != '\0')) {
1219 DEBUG(3, ("refusing connection to dfs proxy share '%s' "
1220 "(pointing to %s)\n",
1221 service, lp_msdfs_proxy(snum)));
1222 *status = NT_STATUS_BAD_NETWORK_NAME;
1226 DEBUG(5, ("making a connection to 'normal' service %s\n", service));
1228 return make_connection_snum(sconn, snum, vuser,
1233 /****************************************************************************
1235 ****************************************************************************/
1237 void close_cnum(connection_struct *conn, uint16 vuid)
1239 file_close_conn(conn);
1241 if (!IS_IPC(conn)) {
1242 dptr_closecnum(conn);
1245 change_to_root_user();
1247 DEBUG(IS_IPC(conn)?3:1, ("%s (%s) closed connection to service %s\n",
1248 get_remote_machine_name(),
1249 conn->client_address,
1250 lp_servicename(SNUM(conn))));
1252 /* Call VFS disconnect hook */
1253 SMB_VFS_DISCONNECT(conn);
1255 yield_connection(conn, lp_servicename(SNUM(conn)));
1257 /* make sure we leave the directory available for unmount */
1258 vfs_ChDir(conn, "/");
1260 /* execute any "postexec = " line */
1261 if (*lp_postexec(SNUM(conn)) &&
1262 change_to_user(conn, vuid)) {
1263 char *cmd = talloc_sub_advanced(talloc_tos(),
1264 lp_servicename(SNUM(conn)),
1265 conn->server_info->unix_name,
1267 conn->server_info->utok.gid,
1268 conn->server_info->sanitized_username,
1269 pdb_get_domain(conn->server_info->sam_account),
1270 lp_postexec(SNUM(conn)));
1273 change_to_root_user();
1276 change_to_root_user();
1277 /* execute any "root postexec = " line */
1278 if (*lp_rootpostexec(SNUM(conn))) {
1279 char *cmd = talloc_sub_advanced(talloc_tos(),
1280 lp_servicename(SNUM(conn)),
1281 conn->server_info->unix_name,
1283 conn->server_info->utok.gid,
1284 conn->server_info->sanitized_username,
1285 pdb_get_domain(conn->server_info->sam_account),
1286 lp_rootpostexec(SNUM(conn)));
git.samba.org / ira / wip.git / blob