extern BOOL case_mangle;
extern BOOL case_sensitive;
extern BOOL use_mangled_map;
-extern fstring remote_machine;
extern userdom_struct current_user_info;
-extern fstring remote_machine;
/****************************************************************************
}
}
- lp_add_home(service, iHomeService, username, homedir);
+ if (!lp_add_home(service, iHomeService, username, homedir)) {
+ return -1;
+ }
return lp_servicenumber(service);
char *pszTemp;
DEBUG(3,("checking whether %s is a valid printer name...\n", service));
- pszTemp = PRINTCAP;
+ pszTemp = lp_printcapname();
if ((pszTemp != NULL) && pcap_printername_ok(service, pszTemp))
{
DEBUG(3,("%s is a valid printer name\n", service));
do some basic sainity checks on the share.
This function modifies dev, ecode.
****************************************************************************/
-static NTSTATUS share_sanity_checks(int snum, pstring dev)
+static NTSTATUS share_sanity_checks(int snum, fstring dev)
{
if (!lp_snum_ok(snum) ||
return NT_STATUS_ACCESS_DENIED;
}
- /* you can only connect to the IPC$ service as an ipc device */
- if (strequal(lp_fstype(snum), "IPC"))
- pstrcpy(dev,"IPC");
-
if (dev[0] == '?' || !dev[0]) {
if (lp_print_ok(snum)) {
- pstrcpy(dev,"LPT1:");
+ fstrcpy(dev,"LPT1:");
+ } else if (strequal(lp_fstype(snum), "IPC")) {
+ fstrcpy(dev, "IPC");
} else {
- pstrcpy(dev,"A:");
+ fstrcpy(dev,"A:");
}
}
- /* if the request is as a printer and you can't print then refuse */
- strupper(dev);
- if (!lp_print_ok(snum) && (strncmp(dev,"LPT",3) == 0)) {
- DEBUG(1,("Attempt to connect to non-printer as a printer\n"));
+ strupper_m(dev);
+
+ if (lp_print_ok(snum)) {
+ if (!strequal(dev, "LPT1:")) {
+ return NT_STATUS_BAD_DEVICE_TYPE;
+ }
+ } else if (strequal(lp_fstype(snum), "IPC")) {
+ if (!strequal(dev, "IPC")) {
+ return NT_STATUS_BAD_DEVICE_TYPE;
+ }
+ } else if (!strequal(dev, "A:")) {
return NT_STATUS_BAD_DEVICE_TYPE;
}
/* Behave as a printer if we are supposed to */
if (lp_print_ok(snum) && (strcmp(dev, "A:") == 0)) {
- pstrcpy(dev, "LPT1:");
+ fstrcpy(dev, "LPT1:");
}
return NT_STATUS_OK;
/****************************************************************************
readonly share?
****************************************************************************/
-static void set_read_only(connection_struct *conn)
+static void set_read_only(connection_struct *conn, gid_t *groups, size_t n_groups)
{
char **list;
char *service = lp_servicename(conn->service);
str_list_copy(&list, lp_readlist(conn->service));
if (list) {
- if (!str_list_substitute(list, "%S", service)) {
+ if ( !str_list_sub_basic(list, current_user_info.smb_name) ) {
DEBUG(0, ("ERROR: read list substitution failed\n"));
}
- if (user_in_list(conn->user, list))
+ if (user_in_list(conn->user, (const char **)list, groups, n_groups))
conn->read_only = True;
str_list_free(&list);
}
str_list_copy(&list, lp_writelist(conn->service));
if (list) {
- if (!str_list_substitute(list, "%S", service)) {
+ if ( !str_list_sub_basic(list, current_user_info.smb_name) ) {
DEBUG(0, ("ERROR: write list substitution failed\n"));
}
- if (user_in_list(conn->user, list))
+ if (user_in_list(conn->user, (const char **)list, groups, n_groups))
conn->read_only = False;
str_list_free(&list);
}
/****************************************************************************
admin user check
****************************************************************************/
-static void set_admin_user(connection_struct *conn)
+static void set_admin_user(connection_struct *conn, gid_t *groups, size_t n_groups)
{
/* admin user check */
marked read_only. Changed as I don't think this is needed,
but old code left in case there is a problem here.
*/
- if (user_in_list(conn->user,lp_admin_users(conn->service))
+ if (user_in_list(conn->user,lp_admin_users(conn->service), groups, n_groups)
#if 0
&& !conn->read_only
#endif
) {
conn->admin_user = True;
+ conn->force_user = True; /* Admin users are effectivly 'forced' */
DEBUG(0,("%s logged in as admin user (root privileges)\n",conn->user));
} else {
conn->admin_user = False;
static connection_struct *make_connection_snum(int snum, user_struct *vuser,
DATA_BLOB password,
- char *dev, NTSTATUS *status)
+ const char *pdev, NTSTATUS *status)
{
struct passwd *pass = NULL;
BOOL guest = False;
- BOOL force = False;
connection_struct *conn;
struct stat st;
fstring user;
+ fstring dev;
+
*user = 0;
+ fstrcpy(dev, pdev);
if (NT_STATUS_IS_ERR(*status = share_sanity_checks(snum, dev))) {
return NULL;
}
if (lp_guest_only(snum)) {
- char *guestname = lp_guestaccount();
+ const char *guestname = lp_guestaccount();
guest = True;
- force = True;
pass = getpwnam_alloc(guestname);
if (!pass) {
- DEBUG(0,("authorise_login: Invalid guest account %s??\n",guestname));
- *status = NT_STATUS_NO_SUCH_USER;
+ DEBUG(0,("make_connection_snum: Invalid guest account %s??\n",guestname));
conn_free(conn);
+ *status = NT_STATUS_NO_SUCH_USER;
return NULL;
}
fstrcpy(user,pass->pw_name);
conn->force_user = True;
+ conn->uid = pass->pw_uid;
+ conn->gid = pass->pw_gid;
string_set(&conn->user,pass->pw_name);
+ passwd_free(&pass);
DEBUG(3,("Guest only user %s\n",user));
} else if (vuser) {
if (vuser->guest) {
if (!lp_guest_ok(snum)) {
- DEBUG(2, ("guest user (from session setup) not permitted to access this share (%s)", lp_servicename(snum)));
- *status = NT_STATUS_ACCESS_DENIED;
+ DEBUG(2, ("guest user (from session setup) not permitted to access this share (%s)\n", lp_servicename(snum)));
conn_free(conn);
+ *status = NT_STATUS_ACCESS_DENIED;
return NULL;
}
} else {
- if (!user_ok(vuser->user.unix_name, snum)) {
- DEBUG(2, ("user '%s' (from session setup) not permitted to access this share (%s)", vuser->user.unix_name, lp_servicename(snum)));
- *status = NT_STATUS_ACCESS_DENIED;
+ if (!user_ok(vuser->user.unix_name, snum, vuser->groups, vuser->n_groups)) {
+ DEBUG(2, ("user '%s' (from session setup) not permitted to access this share (%s)\n", vuser->user.unix_name, lp_servicename(snum)));
conn_free(conn);
+ *status = NT_STATUS_ACCESS_DENIED;
return NULL;
}
}
are in share mode security */
add_session_user(lp_servicename(snum));
/* shall we let them in? */
- if (!authorise_login(snum,user,password,&guest,&force)) {
- DEBUG( 2, ( "Invalid username/password for %s [%s]\n",
- lp_servicename(snum), user ) );
+ if (!authorise_login(snum,user,password,&guest)) {
+ DEBUG( 2, ( "Invalid username/password for [%s]\n",
+ lp_servicename(snum)) );
+ conn_free(conn);
*status = NT_STATUS_WRONG_PASSWORD;
return NULL;
}
pass = Get_Pwnam(user);
- conn->force_user = force;
+ conn->force_user = True;
conn->uid = pass->pw_uid;
conn->gid = pass->pw_gid;
string_set(&conn->user, pass->pw_name);
string_set(&conn->user,user);
conn->nt_user_token = NULL;
- set_read_only(conn);
+ set_read_only(conn, vuser ? vuser->groups : NULL, vuser ? vuser->n_groups : 0);
- set_admin_user(conn);
+ set_admin_user(conn, vuser ? vuser->groups : NULL, vuser ? vuser->n_groups : 0);
/*
* If force user is true, then store the
- * given userid and also the primary groupid
+ * given userid and also the groups
* of the user we're forcing.
*/
conn->force_user = True;
DEBUG(3,("Forced user %s\n",user));
} else {
- conn_free(conn);
DEBUG(1,("Couldn't find user %s\n",fuser));
+ conn_free(conn);
*status = NT_STATUS_NO_SUCH_USER;
return NULL;
}
pstring tmp_gname;
BOOL user_must_be_member = False;
- StrnCpy(tmp_gname,lp_force_group(snum),sizeof(pstring)-1);
+ pstrcpy(tmp_gname,lp_force_group(snum));
if (tmp_gname[0] == '+') {
user_must_be_member = True;
- StrnCpy(gname,&tmp_gname[1],sizeof(pstring)-2);
+ /* even now, tmp_gname is null terminated */
+ pstrcpy(gname,&tmp_gname[1]);
} else {
- StrnCpy(gname,tmp_gname,sizeof(pstring)-1);
+ pstrcpy(gname,tmp_gname);
}
/* default service may be a group name */
pstring_sub(gname,"%S",lp_servicename(snum));
gid = nametogid(gname);
if (gid != (gid_t)-1) {
+
/*
* If the user has been forced and the forced group starts
* with a '+', then we only set the group to be the forced
* Otherwise, the meaning of the '+' would be ignored.
*/
if (conn->force_user && user_must_be_member) {
- if (user_in_group_list( user, gname )) {
+ if (user_in_group_list( user, gname, NULL, 0)) {
conn->gid = gid;
DEBUG(3,("Forced group %s for member %s\n",gname,user));
}
conn->gid = gid;
DEBUG(3,("Forced group %s\n",gname));
}
+ conn->force_group = True;
} else {
+ DEBUG(1,("Couldn't find group %s\n",gname));
conn_free(conn);
*status = NT_STATUS_NO_SUCH_GROUP;
- DEBUG(1,("Couldn't find group %s\n",gname));
+ return NULL;
}
}
#endif /* HAVE_GETGRNAM */
{
pstring s;
pstrcpy(s,lp_pathname(snum));
- standard_sub_conn(conn,s);
+ standard_sub_conn(conn,s,sizeof(s));
string_set(&conn->connectpath,s);
- DEBUG(3,("Connect path is %s\n",s));
+ DEBUG(3,("Connect path is '%s' for service [%s]\n",s, lp_servicename(snum)));
}
- /* groups stuff added by ih */
- conn->ngroups = 0;
- conn->groups = NULL;
-
- /* Find all the groups this uid is in and
- store them. Used by change_to_user() */
- initialise_groups(conn->user, conn->uid, conn->gid);
- get_current_groups(&conn->ngroups,&conn->groups);
+ if (conn->force_user || conn->force_group) {
+
+ /* groups stuff added by ih */
+ conn->ngroups = 0;
+ conn->groups = NULL;
- conn->nt_user_token = create_nt_token(conn->uid, conn->gid,
- conn->ngroups, conn->groups,
- guest, NULL);
+ /* Find all the groups this uid is in and
+ store them. Used by change_to_user() */
+ initialise_groups(conn->user, conn->uid, conn->gid);
+ get_current_groups(conn->gid, &conn->ngroups,&conn->groups);
+
+ conn->nt_user_token = create_nt_token(conn->uid, conn->gid,
+ conn->ngroups, conn->groups,
+ guest);
+ }
/*
* New code to check if there's a share security descripter
* added from NT server manager. This is done after the
* smb.conf checks are done as we need a uid and token. JRA.
+ *
*/
{
if (!can_write) {
if (!share_access_check(conn, snum, vuser, FILE_READ_DATA)) {
/* No access, read or write. */
- *status = NT_STATUS_ACCESS_DENIED;
DEBUG(0,( "make_connection: connection to %s denied due to security descriptor.\n",
lp_servicename(snum)));
conn_free(conn);
+ *status = NT_STATUS_ACCESS_DENIED;
return NULL;
} else {
conn->read_only = True;
if (!smbd_vfs_init(conn)) {
DEBUG(0, ("vfs_init failed for service %s\n", lp_servicename(SNUM(conn))));
conn_free(conn);
+ *status = NT_STATUS_BAD_NETWORK_NAME;
return NULL;
}
if (!claim_connection(conn,
lp_servicename(SNUM(conn)),
lp_max_connections(SNUM(conn)),
- False)) {
+ False,0)) {
DEBUG(1,("too many connections - rejected\n"));
- *status = NT_STATUS_INSUFFICIENT_RESOURCES;
conn_free(conn);
+ *status = NT_STATUS_INSUFFICIENT_RESOURCES;
return NULL;
}
int ret;
pstring cmd;
pstrcpy(cmd,lp_rootpreexec(SNUM(conn)));
- standard_sub_conn(conn,cmd);
+ standard_sub_conn(conn,cmd,sizeof(cmd));
DEBUG(5,("cmd=%s\n",cmd));
ret = smbrun(cmd,NULL);
if (ret != 0 && lp_rootpreexec_close(SNUM(conn))) {
DEBUG(1,("root preexec gave %d - failing connection\n", ret));
yield_connection(conn, lp_servicename(SNUM(conn)));
conn_free(conn);
- *status = NT_STATUS_UNSUCCESSFUL;
+ *status = NT_STATUS_ACCESS_DENIED;
return NULL;
}
}
*status = NT_STATUS_LOGON_FAILURE;
return NULL;
}
-
+
/* Remember that a different vuid can connect later without these checks... */
/* Preexecs are done here as they might make the dir we are to ChDir to below */
int ret;
pstring cmd;
pstrcpy(cmd,lp_preexec(SNUM(conn)));
- standard_sub_conn(conn,cmd);
+ standard_sub_conn(conn,cmd,sizeof(cmd));
ret = smbrun(cmd,NULL);
if (ret != 0 && lp_preexec_close(SNUM(conn))) {
DEBUG(1,("preexec gave %d - failing connection\n", ret));
change_to_root_user();
yield_connection(conn, lp_servicename(SNUM(conn)));
conn_free(conn);
- *status = NT_STATUS_UNSUCCESSFUL;
+ *status = NT_STATUS_ACCESS_DENIED;
return NULL;
}
}
+
+#ifdef WITH_FAKE_KASERVER
+ if (lp_afs_share(SNUM(conn))) {
+ afs_login(conn);
+ }
+#endif
#if CHECK_PATH_ON_TCONX
/* win2000 does not check the permissions on the directory
I have disabled this chdir check (tridge) */
if (vfs_ChDir(conn,conn->connectpath) != 0) {
DEBUG(0,("%s (%s) Can't change directory to %s (%s)\n",
- remote_machine, conn->client_address,
+ get_remote_machine_name(), conn->client_address,
conn->connectpath,strerror(errno)));
change_to_root_user();
yield_connection(conn, lp_servicename(SNUM(conn)));
#else
/* the alternative is just to check the directory exists */
if (stat(conn->connectpath, &st) != 0 || !S_ISDIR(st.st_mode)) {
- DEBUG(0,("%s is not a directory\n", conn->connectpath));
+ DEBUG(0,("'%s' does not exist or is not a directory, when connecting to [%s]\n", conn->connectpath, lp_servicename(SNUM(conn))));
change_to_root_user();
yield_connection(conn, lp_servicename(SNUM(conn)));
conn_free(conn);
*/
if( DEBUGLVL( IS_IPC(conn) ? 3 : 1 ) ) {
- dbgtext( "%s (%s) ", remote_machine, conn->client_address );
+ dbgtext( "%s (%s) ", get_remote_machine_name(), conn->client_address );
+ dbgtext( "%s", srv_is_signing_active() ? "signed " : "");
dbgtext( "connect to service %s ", lp_servicename(SNUM(conn)) );
dbgtext( "initially as user %s ", user );
dbgtext( "(uid=%d, gid=%d) ", (int)geteuid(), (int)getegid() );
/* Invoke VFS make connection hook */
- if (conn->vfs_ops.connect) {
- if (conn->vfs_ops.connect(conn, lp_servicename(snum), user) < 0) {
- DEBUG(0,("make_connection: VFS make connection failed!\n"));
- *status = NT_STATUS_UNSUCCESSFUL;
- change_to_root_user();
- conn_free(conn);
- return NULL;
- }
+ if (SMB_VFS_CONNECT(conn, lp_servicename(snum), user) < 0) {
+ DEBUG(0,("make_connection: VFS make connection failed!\n"));
+ change_to_root_user();
+ conn_free(conn);
+ *status = NT_STATUS_UNSUCCESSFUL;
+ return NULL;
}
/* we've finished with the user stuff - go back to root */
return(conn);
}
+/***************************************************************************************
+ Simple wrapper function for make_connection() to include a call to
+ vfs_chdir()
+ **************************************************************************************/
+
+connection_struct *make_connection_with_chdir(const char *service_in, DATA_BLOB password,
+ const char *dev, uint16 vuid, NTSTATUS *status)
+{
+ connection_struct *conn = NULL;
+
+ conn = make_connection(service_in, password, dev, vuid, status);
+
+ /*
+ * make_connection() does not change the directory for us any more
+ * so we have to do it as a separate step --jerry
+ */
+
+ if ( conn && vfs_ChDir(conn,conn->connectpath) != 0 ) {
+ DEBUG(0,("move_driver_to_download_area: Can't change directory to %s for [print$] (%s)\n",
+ conn->connectpath,strerror(errno)));
+ yield_connection(conn, lp_servicename(SNUM(conn)));
+ conn_free(conn);
+ *status = NT_STATUS_UNSUCCESSFUL;
+ return NULL;
+ }
+
+ return conn;
+}
+
/****************************************************************************
Make a connection to a service.
*
****************************************************************************/
connection_struct *make_connection(const char *service_in, DATA_BLOB password,
- char *dev, uint16 vuid, NTSTATUS *status)
+ const char *pdev, uint16 vuid, NTSTATUS *status)
{
uid_t euid;
user_struct *vuser = NULL;
- pstring service;
+ fstring service;
+ fstring dev;
int snum = -1;
+ fstrcpy(dev, pdev);
+
/* This must ONLY BE CALLED AS ROOT. As it exits this function as root. */
if (!non_root_mode() && (euid = geteuid()) != 0) {
DEBUG(0,("make_connection: PANIC ERROR. Called as nonroot (%u)\n", (unsigned int)euid ));
vuser = get_valid_user_struct(vuid);
if (!vuser) {
DEBUG(1,("make_connection: refusing to connect with no session setup\n"));
+ *status = NT_STATUS_ACCESS_DENIED;
return NULL;
}
}
if (strequal(service_in,HOMES_NAME)) {
if(lp_security() != SEC_SHARE) {
DATA_BLOB no_pw = data_blob(NULL, 0);
- if (vuser->homes_snum != -1) {
- DEBUG(5, ("making a connection to [homes] service created at session setup time\n"));
- return make_connection_snum(vuser->homes_snum,
- vuser, no_pw,
- dev, status);
+ if (vuser->homes_snum == -1) {
+ DEBUG(2, ("[homes] share not available for this user because it was not found or created at session setup time\n"));
+ *status = NT_STATUS_BAD_NETWORK_NAME;
+ return NULL;
}
+ DEBUG(5, ("making a connection to [homes] service created at session setup time\n"));
+ return make_connection_snum(vuser->homes_snum,
+ vuser, no_pw,
+ dev, status);
} else {
/* Security = share. Try with current_user_info.smb_name
* as the username. */
}
}
} else if ((lp_security() != SEC_SHARE) && (vuser->homes_snum != -1)
- && strequal(service, lp_servicename(vuser->homes_snum))) {
+ && strequal(service_in, lp_servicename(vuser->homes_snum))) {
DATA_BLOB no_pw = data_blob(NULL, 0);
- DEBUG(5, ("making a connection to 'homes' service [%s] created at session setup time\n", service));
+ DEBUG(5, ("making a connection to 'homes' service [%s] created at session setup time\n", service_in));
return make_connection_snum(vuser->homes_snum,
vuser, no_pw,
dev, status);
}
- pstrcpy(service, service_in);
+ fstrcpy(service, service_in);
- strlower(service);
+ strlower_m(service);
snum = find_service(service);
}
DEBUG(0,("%s (%s) couldn't find service %s\n",
- remote_machine, client_addr(), service));
+ get_remote_machine_name(), client_addr(), service));
+ *status = NT_STATUS_BAD_NETWORK_NAME;
+ return NULL;
+ }
+
+ /* Handle non-Dfs clients attempting connections to msdfs proxy */
+ if (lp_host_msdfs() && (*lp_msdfs_proxy(snum) != '\0')) {
+ DEBUG(3, ("refusing connection to dfs proxy '%s'\n", service));
*status = NT_STATUS_BAD_NETWORK_NAME;
return NULL;
}
change_to_root_user();
DEBUG(IS_IPC(conn)?3:1, ("%s (%s) closed connection to service %s\n",
- remote_machine,conn->client_address,
+ get_remote_machine_name(),conn->client_address,
lp_servicename(SNUM(conn))));
- if (conn->vfs_ops.disconnect != NULL) {
-
- /* Call VFS disconnect hook */
-
- conn->vfs_ops.disconnect(conn);
-
- }
+ /* Call VFS disconnect hook */
+ SMB_VFS_DISCONNECT(conn);
yield_connection(conn, lp_servicename(SNUM(conn)));
change_to_user(conn, vuid)) {
pstring cmd;
pstrcpy(cmd,lp_postexec(SNUM(conn)));
- standard_sub_conn(conn,cmd);
+ standard_sub_conn(conn,cmd,sizeof(cmd));
smbrun(cmd,NULL);
change_to_root_user();
}
if (*lp_rootpostexec(SNUM(conn))) {
pstring cmd;
pstrcpy(cmd,lp_rootpostexec(SNUM(conn)));
- standard_sub_conn(conn,cmd);
+ standard_sub_conn(conn,cmd,sizeof(cmd));
smbrun(cmd,NULL);
}
git.samba.org / ira / wip.git / blobdiff