source3/smbd/uid.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3    uid/user handling
   4    Copyright (C) Andrew Tridgell 1992-1998
   5
   6    This program is free software; you can redistribute it and/or modify
   7    it under the terms of the GNU General Public License as published by
   8    the Free Software Foundation; either version 3 of the License, or
   9    (at your option) any later version.
  10
  11    This program is distributed in the hope that it will be useful,
  12    but WITHOUT ANY WARRANTY; without even the implied warranty of
  13    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14    GNU General Public License for more details.
  15
  16    You should have received a copy of the GNU General Public License
  17    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  18 */
  19
  20 #include "includes.h"
  21 #include "smbd/globals.h"
  22
  23 /* what user is current? */
  24 extern struct current_user current_user;
  25
  26 /****************************************************************************
  27  Become the guest user without changing the security context stack.
  28 ****************************************************************************/
  29
  30 bool change_to_guest(void)
  31 {
  32         struct passwd *pass;
  33
  34         pass = getpwnam_alloc(talloc_autofree_context(), lp_guestaccount());
  35         if (!pass) {
  36                 return false;
  37         }
  38
  39 #ifdef AIX
  40         /* MWW: From AIX FAQ patch to WU-ftpd: call initgroups before
  41            setting IDs */
  42         initgroups(pass->pw_name, pass->pw_gid);
  43 #endif
  44
  45         set_sec_ctx(pass->pw_uid, pass->pw_gid, 0, NULL, NULL);
  46
  47         current_user.conn = NULL;
  48         current_user.vuid = UID_FIELD_INVALID;
  49
  50         TALLOC_FREE(pass);
  51
  52         return true;
  53 }
  54
  55 /****************************************************************************
  56  talloc free the conn->server_info if not used in the vuid cache.
  57 ****************************************************************************/
  58
  59 static void free_conn_server_info_if_unused(connection_struct *conn)
  60 {
  61         unsigned int i;
  62
  63         for (i = 0; i < VUID_CACHE_SIZE; i++) {
  64                 struct vuid_cache_entry *ent;
  65                 ent = &conn->vuid_cache.array[i];
  66                 if (ent->vuid != UID_FIELD_INVALID &&
  67                                 conn->server_info == ent->server_info) {
  68                         return;
  69                 }
  70         }
  71         /* Not used, safe to free. */
  72         TALLOC_FREE(conn->server_info);
  73 }
  74
  75 /*******************************************************************
  76  Check if a username is OK.
  77
  78  This sets up conn->server_info with a copy related to this vuser that
  79  later code can then mess with.
  80 ********************************************************************/
  81
  82 static bool check_user_ok(connection_struct *conn,
  83                         uint16_t vuid,
  84                         const struct auth_serversupplied_info *server_info,
  85                         int snum)
  86 {
  87         bool valid_vuid = (vuid != UID_FIELD_INVALID);
  88         unsigned int i;
  89         bool readonly_share;
  90         bool admin_user;
  91
  92         if (valid_vuid) {
  93                 struct vuid_cache_entry *ent;
  94
  95                 for (i=0; i<VUID_CACHE_SIZE; i++) {
  96                         ent = &conn->vuid_cache.array[i];
  97                         if (ent->vuid == vuid) {
  98                                 free_conn_server_info_if_unused(conn);
  99                                 conn->server_info = ent->server_info;
 100                                 conn->read_only = ent->read_only;
 101                                 return(True);
 102                         }
 103                 }
 104         }
 105
 106         if (!user_ok_token(server_info->unix_name,
 107                            pdb_get_domain(server_info->sam_account),
 108                            server_info->ptok, snum))
 109                 return(False);
 110
 111         readonly_share = is_share_read_only_for_token(
 112                 server_info->unix_name,
 113                 pdb_get_domain(server_info->sam_account),
 114                 server_info->ptok,
 115                 conn);
 116
 117         if (!readonly_share &&
 118             !share_access_check(server_info->ptok, lp_servicename(snum),
 119                                 FILE_WRITE_DATA)) {
 120                 /* smb.conf allows r/w, but the security descriptor denies
 121                  * write. Fall back to looking at readonly. */
 122                 readonly_share = True;
 123                 DEBUG(5,("falling back to read-only access-evaluation due to "
 124                          "security descriptor\n"));
 125         }
 126
 127         if (!share_access_check(server_info->ptok, lp_servicename(snum),
 128                                 readonly_share ?
 129                                 FILE_READ_DATA : FILE_WRITE_DATA)) {
 130                 return False;
 131         }
 132
 133         admin_user = token_contains_name_in_list(
 134                 server_info->unix_name,
 135                 pdb_get_domain(server_info->sam_account),
 136                 NULL, server_info->ptok, lp_admin_users(snum));
 137
 138         if (valid_vuid) {
 139                 struct vuid_cache_entry *ent =
 140                         &conn->vuid_cache.array[conn->vuid_cache.next_entry];
 141
 142                 conn->vuid_cache.next_entry =
 143                         (conn->vuid_cache.next_entry + 1) % VUID_CACHE_SIZE;
 144
 145                 TALLOC_FREE(ent->server_info);
 146
 147                 /*
 148                  * If force_user was set, all server_info's are based on the same
 149                  * username-based faked one.
 150                  */
 151
 152                 ent->server_info = copy_serverinfo(
 153                         conn, conn->force_user ? conn->server_info : server_info);
 154
 155                 if (ent->server_info == NULL) {
 156                         ent->vuid = UID_FIELD_INVALID;
 157                         return false;
 158                 }
 159
 160                 ent->vuid = vuid;
 161                 ent->read_only = readonly_share;
 162                 free_conn_server_info_if_unused(conn);
 163                 conn->server_info = ent->server_info;
 164         }
 165
 166         conn->read_only = readonly_share;
 167         if (admin_user) {
 168                 DEBUG(2,("check_user_ok: user %s is an admin user. "
 169                         "Setting uid as %d\n",
 170                         conn->server_info->unix_name,
 171                         sec_initial_uid() ));
 172                 conn->server_info->utok.uid = sec_initial_uid();
 173         }
 174
 175         return(True);
 176 }
 177
 178 /****************************************************************************
 179  Clear a vuid out of the connection's vuid cache
 180  This is only called on SMBulogoff.
 181 ****************************************************************************/
 182
 183 void conn_clear_vuid_cache(connection_struct *conn, uint16_t vuid)
 184 {
 185         int i;
 186
 187         for (i=0; i<VUID_CACHE_SIZE; i++) {
 188                 struct vuid_cache_entry *ent;
 189
 190                 ent = &conn->vuid_cache.array[i];
 191
 192                 if (ent->vuid == vuid) {
 193                         ent->vuid = UID_FIELD_INVALID;
 194                         /*
 195                          * We need to keep conn->server_info around
 196                          * if it's equal to ent->server_info as a SMBulogoff
 197                          * is often followed by a SMBtdis (with an invalid
 198                          * vuid). The debug code (or regular code in
 199                          * vfs_full_audit) wants to refer to the
 200                          * conn->server_info pointer to print debug
 201                          * statements. Theoretically this is a bug,
 202                          * as once the vuid is gone the server_info
 203                          * on the conn struct isn't valid any more,
 204                          * but there's enough code that assumes
 205                          * conn->server_info is never null that
 206                          * it's easier to hold onto the old pointer
 207                          * until we get a new sessionsetupX.
 208                          * As everything is hung off the
 209                          * conn pointer as a talloc context we're not
 210                          * leaking memory here. See bug #6315. JRA.
 211                          */
 212                         if (conn->server_info == ent->server_info) {
 213                                 ent->server_info = NULL;
 214                         } else {
 215                                 TALLOC_FREE(ent->server_info);
 216                         }
 217                         ent->read_only = False;
 218                 }
 219         }
 220 }
 221
 222 /****************************************************************************
 223  Become the user of a connection number without changing the security context
 224  stack, but modify the current_user entries.
 225 ****************************************************************************/
 226
 227 bool change_to_user(connection_struct *conn, uint16 vuid)
 228 {
 229         const struct auth_serversupplied_info *server_info = NULL;
 230         struct smbd_server_connection *sconn = smbd_server_conn;
 231         user_struct *vuser = get_valid_user_struct(sconn, vuid);
 232         int snum;
 233         gid_t gid;
 234         uid_t uid;
 235         char group_c;
 236         int num_groups = 0;
 237         gid_t *group_list = NULL;
 238
 239         if (!conn) {
 240                 DEBUG(2,("change_to_user: Connection not open\n"));
 241                 return(False);
 242         }
 243
 244         /*
 245          * We need a separate check in security=share mode due to vuid
 246          * always being UID_FIELD_INVALID. If we don't do this then
 247          * in share mode security we are *always* changing uid's between
 248          * SMB's - this hurts performance - Badly.
 249          */
 250
 251         if((lp_security() == SEC_SHARE) && (current_user.conn == conn) &&
 252            (current_user.ut.uid == conn->server_info->utok.uid)) {
 253                 DEBUG(4,("change_to_user: Skipping user change - already "
 254                          "user\n"));
 255                 return(True);
 256         } else if ((current_user.conn == conn) &&
 257                    (vuser != NULL) && (current_user.vuid == vuid) &&
 258                    (current_user.ut.uid == vuser->server_info->utok.uid)) {
 259                 DEBUG(4,("change_to_user: Skipping user change - already "
 260                          "user\n"));
 261                 return(True);
 262         }
 263
 264         snum = SNUM(conn);
 265
 266         server_info = vuser ? vuser->server_info : conn->server_info;
 267
 268         if (!server_info) {
 269                 /* Invalid vuid sent - even with security = share. */
 270                 DEBUG(2,("change_to_user: Invalid vuid %d used on "
 271                          "share %s.\n",vuid, lp_servicename(snum) ));
 272                 return false;
 273         }
 274
 275         if (!check_user_ok(conn, vuid, server_info, snum)) {
 276                 DEBUG(2,("change_to_user: SMB user %s (unix user %s, vuid %d) "
 277                          "not permitted access to share %s.\n",
 278                          server_info->sanitized_username,
 279                          server_info->unix_name, vuid,
 280                          lp_servicename(snum)));
 281                 return false;
 282         }
 283
 284         /* security = share sets force_user. */
 285         if (!conn->force_user && !vuser) {
 286                 DEBUG(2,("change_to_user: Invalid vuid used %d in accessing "
 287                         "share %s.\n",vuid, lp_servicename(snum) ));
 288                 return False;
 289         }
 290
 291         /*
 292          * conn->server_info is now correctly set up with a copy we can mess
 293          * with for force_group etc.
 294          */
 295
 296         uid = conn->server_info->utok.uid;
 297         gid = conn->server_info->utok.gid;
 298         num_groups = conn->server_info->utok.ngroups;
 299         group_list  = conn->server_info->utok.groups;
 300
 301         /*
 302          * See if we should force group for this service.
 303          * If so this overrides any group set in the force
 304          * user code.
 305          */
 306
 307         if((group_c = *lp_force_group(snum))) {
 308
 309                 SMB_ASSERT(conn->force_group_gid != (gid_t)-1);
 310
 311                 if(group_c == '+') {
 312
 313                         /*
 314                          * Only force group if the user is a member of
 315                          * the service group. Check the group memberships for
 316                          * this user (we already have this) to
 317                          * see if we should force the group.
 318                          */
 319
 320                         int i;
 321                         for (i = 0; i < num_groups; i++) {
 322                                 if (group_list[i]
 323                                     == conn->force_group_gid) {
 324                                         conn->server_info->utok.gid =
 325                                                 conn->force_group_gid;
 326                                         gid = conn->force_group_gid;
 327                                         gid_to_sid(&conn->server_info->ptok
 328                                                    ->user_sids[1], gid);
 329                                         break;
 330                                 }
 331                         }
 332                 } else {
 333                         conn->server_info->utok.gid = conn->force_group_gid;
 334                         gid = conn->force_group_gid;
 335                         gid_to_sid(&conn->server_info->ptok->user_sids[1],
 336                                    gid);
 337                 }
 338         }
 339
 340         /* Now set current_user since we will immediately also call
 341            set_sec_ctx() */
 342
 343         current_user.ut.ngroups = num_groups;
 344         current_user.ut.groups  = group_list;
 345
 346         set_sec_ctx(uid, gid, current_user.ut.ngroups, current_user.ut.groups,
 347                     conn->server_info->ptok);
 348
 349         current_user.conn = conn;
 350         current_user.vuid = vuid;
 351
 352         DEBUG(5,("change_to_user uid=(%d,%d) gid=(%d,%d)\n",
 353                  (int)getuid(),(int)geteuid(),(int)getgid(),(int)getegid()));
 354
 355         return(True);
 356 }
 357
 358 /****************************************************************************
 359  Go back to being root without changing the security context stack,
 360  but modify the current_user entries.
 361 ****************************************************************************/
 362
 363 bool change_to_root_user(void)
 364 {
 365         set_root_sec_ctx();
 366
 367         DEBUG(5,("change_to_root_user: now uid=(%d,%d) gid=(%d,%d)\n",
 368                 (int)getuid(),(int)geteuid(),(int)getgid(),(int)getegid()));
 369
 370         current_user.conn = NULL;
 371         current_user.vuid = UID_FIELD_INVALID;
 372
 373         return(True);
 374 }
 375
 376 /****************************************************************************
 377  Become the user of an authenticated connected named pipe.
 378  When this is called we are currently running as the connection
 379  user. Doesn't modify current_user.
 380 ****************************************************************************/
 381
 382 bool become_authenticated_pipe_user(pipes_struct *p)
 383 {
 384         if (!push_sec_ctx())
 385                 return False;
 386
 387         set_sec_ctx(p->server_info->utok.uid, p->server_info->utok.gid,
 388                     p->server_info->utok.ngroups, p->server_info->utok.groups,
 389                     p->server_info->ptok);
 390
 391         return True;
 392 }
 393
 394 /****************************************************************************
 395  Unbecome the user of an authenticated connected named pipe.
 396  When this is called we are running as the authenticated pipe
 397  user and need to go back to being the connection user. Doesn't modify
 398  current_user.
 399 ****************************************************************************/
 400
 401 bool unbecome_authenticated_pipe_user(void)
 402 {
 403         return pop_sec_ctx();
 404 }
 405
 406 /****************************************************************************
 407  Utility functions used by become_xxx/unbecome_xxx.
 408 ****************************************************************************/
 409
 410 static void push_conn_ctx(void)
 411 {
 412         struct conn_ctx *ctx_p;
 413
 414         /* Check we don't overflow our stack */
 415
 416         if (conn_ctx_stack_ndx == MAX_SEC_CTX_DEPTH) {
 417                 DEBUG(0, ("Connection context stack overflow!\n"));
 418                 smb_panic("Connection context stack overflow!\n");
 419         }
 420
 421         /* Store previous user context */
 422         ctx_p = &conn_ctx_stack[conn_ctx_stack_ndx];
 423
 424         ctx_p->conn = current_user.conn;
 425         ctx_p->vuid = current_user.vuid;
 426
 427         DEBUG(3, ("push_conn_ctx(%u) : conn_ctx_stack_ndx = %d\n",
 428                 (unsigned int)ctx_p->vuid, conn_ctx_stack_ndx ));
 429
 430         conn_ctx_stack_ndx++;
 431 }
 432
 433 static void pop_conn_ctx(void)
 434 {
 435         struct conn_ctx *ctx_p;
 436
 437         /* Check for stack underflow. */
 438
 439         if (conn_ctx_stack_ndx == 0) {
 440                 DEBUG(0, ("Connection context stack underflow!\n"));
 441                 smb_panic("Connection context stack underflow!\n");
 442         }
 443
 444         conn_ctx_stack_ndx--;
 445         ctx_p = &conn_ctx_stack[conn_ctx_stack_ndx];
 446
 447         current_user.conn = ctx_p->conn;
 448         current_user.vuid = ctx_p->vuid;
 449
 450         ctx_p->conn = NULL;
 451         ctx_p->vuid = UID_FIELD_INVALID;
 452 }
 453
 454 /****************************************************************************
 455  Temporarily become a root user.  Must match with unbecome_root(). Saves and
 456  restores the connection context.
 457 ****************************************************************************/
 458
 459 void become_root(void)
 460 {
 461          /*
 462           * no good way to handle push_sec_ctx() failing without changing
 463           * the prototype of become_root()
 464           */
 465         if (!push_sec_ctx()) {
 466                 smb_panic("become_root: push_sec_ctx failed");
 467         }
 468         push_conn_ctx();
 469         set_root_sec_ctx();
 470 }
 471
 472 /* Unbecome the root user */
 473
 474 void unbecome_root(void)
 475 {
 476         pop_sec_ctx();
 477         pop_conn_ctx();
 478 }
 479
 480 /****************************************************************************
 481  Push the current security context then force a change via change_to_user().
 482  Saves and restores the connection context.
 483 ****************************************************************************/
 484
 485 bool become_user(connection_struct *conn, uint16 vuid)
 486 {
 487         if (!push_sec_ctx())
 488                 return False;
 489
 490         push_conn_ctx();
 491
 492         if (!change_to_user(conn, vuid)) {
 493                 pop_sec_ctx();
 494                 pop_conn_ctx();
 495                 return False;
 496         }
 497
 498         return True;
 499 }
 500
 501 bool unbecome_user(void)
 502 {
 503         pop_sec_ctx();
 504         pop_conn_ctx();
 505         return True;
 506 }
 507
 508 /****************************************************************************
 509  Return the current user we are running effectively as on this connection.
 510  I'd like to make this return conn->server_info->utok.uid, but become_root()
 511  doesn't alter this value.
 512 ****************************************************************************/
 513
 514 uid_t get_current_uid(connection_struct *conn)
 515 {
 516         return current_user.ut.uid;
 517 }
 518
 519 /****************************************************************************
 520  Return the current group we are running effectively as on this connection.
 521  I'd like to make this return conn->server_info->utok.gid, but become_root()
 522  doesn't alter this value.
 523 ****************************************************************************/
 524
 525 gid_t get_current_gid(connection_struct *conn)
 526 {
 527         return current_user.ut.gid;
 528 }
 529
 530 /****************************************************************************
 531  Return the UNIX token we are running effectively as on this connection.
 532  I'd like to make this return &conn->server_info->utok, but become_root()
 533  doesn't alter this value.
 534 ****************************************************************************/
 535
 536 const UNIX_USER_TOKEN *get_current_utok(connection_struct *conn)
 537 {
 538         return &current_user.ut;
 539 }
 540
 541 const NT_USER_TOKEN *get_current_nttok(connection_struct *conn)
 542 {
 543         return current_user.nt_user_token;
 544 }
 545
 546 uint16_t get_current_vuid(connection_struct *conn)
 547 {
 548         return current_user.vuid;
 549 }