#include "includes.h"
-extern int DEBUGLEVEL;
-
extern struct timeval smb_last_time;
extern int case_default;
extern BOOL case_preserve;
/****************************************************************************
-load parameters specific to a connection/service
+ Load parameters specific to a connection/service.
****************************************************************************/
-BOOL become_service(connection_struct *conn,BOOL do_chdir)
+
+BOOL set_current_service(connection_struct *conn,BOOL do_chdir)
{
extern char magic_char;
static connection_struct *last_conn;
Add a home service. Returns the new service number or -1 if fail.
****************************************************************************/
-int add_home_service(char *service, char *homedir)
+int add_home_service(const char *service, const char *homedir)
{
int iHomeService;
int iService;
#endif
}
-
/****************************************************************************
- make a connection to a service
+ Make a connection to a service.
****************************************************************************/
-connection_struct *make_connection(char *service,char *password,
- int pwlen, char *dev,uint16 vuid, NTSTATUS *status)
+
+connection_struct *make_connection(char *service, DATA_BLOB password,
+ char *dev,uint16 vuid, NTSTATUS *status)
{
int snum;
struct passwd *pass = NULL;
BOOL guest = False;
BOOL force = False;
connection_struct *conn;
+ uid_t euid;
fstring user;
+ ZERO_STRUCT(user);
+
+ /* This must ONLY BE CALLED AS ROOT. As it exits this function as root. */
+ if (!non_root_mode() && (euid = geteuid()) != 0) {
+ DEBUG(0,("make_connection: PANIC ERROR. Called as nonroot (%u)\n", (unsigned int)euid ));
+ smb_panic("make_connection: PANIC ERROR. Called as nonroot\n");
+ }
strlower(service);
snum = find_service(service);
+
if (snum < 0) {
if (strequal(service,"IPC$") || strequal(service,"ADMIN$")) {
DEBUG(3,("refusing IPC connection\n"));
DEBUG(0,("%s (%s) couldn't find service %s\n",
remote_machine, client_addr(), service));
- *status = NT_STATUS_BAD_NETWORK_PATH;
+ *status = NT_STATUS_BAD_NETWORK_NAME;
return NULL;
}
if (validated_username(vuid)) {
fstring unix_username;
fstrcpy(unix_username,validated_username(vuid));
- return(make_connection(unix_username,password,pwlen,dev,vuid,status));
+ return(make_connection(unix_username,password,dev,vuid,status));
}
} else {
/* Security = share. Try with current_user_info.smb_name
fstring unix_username;
fstrcpy(unix_username,current_user_info.smb_name);
map_username(unix_username);
- return(make_connection(unix_username,password,pwlen,dev,vuid,status));
+ return(make_connection(unix_username,password,dev,vuid,status));
}
}
}
/* shall we let them in? */
- if (!authorise_login(snum,user,password,pwlen,&guest,&force,vuid)) {
+ if (!authorise_login(snum,user,password,&guest,&force,vuid)) {
DEBUG( 2, ( "Invalid username/password for %s [%s]\n", service, user ) );
*status = NT_STATUS_WRONG_PASSWORD;
return NULL;
}
+
+ add_session_user(user);
conn = conn_new();
if (!conn) {
conn->nt_user_token = NULL;
set_read_only(conn);
-
+
set_admin_user(conn);
/*
/* Allow %S to be used by force user. */
pstring_sub(fuser,"%S",service);
- pass2 = (struct passwd *)Get_Pwnam(fuser,True);
+ pass2 = (struct passwd *)Get_Pwnam_Modify(fuser);
if (pass2) {
conn->uid = pass2->pw_uid;
conn->gid = pass2->pw_gid;
conn->groups = NULL;
/* Find all the groups this uid is in and
- store them. Used by become_user() */
+ store them. Used by change_to_user() */
initialise_groups(conn->user, conn->uid, conn->gid);
get_current_groups(&conn->ngroups,&conn->groups);
conn->nt_user_token = create_nt_token(conn->uid, conn->gid,
conn->ngroups, conn->groups,
- guest);
+ guest, NULL);
/*
* New code to check if there's a share security descripter
}
/* Initialise VFS function pointers */
- if (!vfs_init(conn)) {
+ if (!smbd_vfs_init(conn)) {
DEBUG(0, ("vfs_init failed for service %s\n", lp_servicename(SNUM(conn))));
conn_free(conn);
return NULL;
}
+/* ROOT Activities: */
/* check number of connections */
if (!claim_connection(conn,
lp_servicename(SNUM(conn)),
conn_free(conn);
return NULL;
}
-
+
+ /* Preexecs are done here as they might make the dir we are to ChDir to below */
/* execute any "root preexec = " line */
if (*lp_rootpreexec(SNUM(conn))) {
int ret;
DEBUG(5,("cmd=%s\n",cmd));
ret = smbrun(cmd,NULL);
if (ret != 0 && lp_rootpreexec_close(SNUM(conn))) {
- DEBUG(1,("preexec gave %d - failing connection\n", ret));
+ DEBUG(1,("root preexec gave %d - failing connection\n", ret));
yield_connection(conn,
lp_servicename(SNUM(conn)),
lp_max_connections(SNUM(conn)));
return NULL;
}
}
-
- if (!become_user(conn, conn->vuid)) {
+
+/* USER Activites: */
+ if (!change_to_user(conn, conn->vuid)) {
+ /* No point continuing if they fail the basic checks */
DEBUG(0,("Can't become connected user!\n"));
- yield_connection(conn,
- lp_servicename(SNUM(conn)),
- lp_max_connections(SNUM(conn)));
conn_free(conn);
- *status = NT_STATUS_WRONG_PASSWORD;
+ *status = NT_STATUS_LOGON_FAILURE;
return NULL;
}
-
+
+ /* Remember that a different vuid can connect later without these checks... */
+
+ /* Preexecs are done here as they might make the dir we are to ChDir to below */
+ /* execute any "preexec = " line */
+ if (*lp_preexec(SNUM(conn))) {
+ int ret;
+ pstring cmd;
+ pstrcpy(cmd,lp_preexec(SNUM(conn)));
+ standard_sub_conn(conn,cmd);
+ ret = smbrun(cmd,NULL);
+ if (ret != 0 && lp_preexec_close(SNUM(conn))) {
+ DEBUG(1,("preexec gave %d - failing connection\n", ret));
+ change_to_root_user();
+ yield_connection(conn, lp_servicename(SNUM(conn)), lp_max_connections(SNUM(conn)));
+ conn_free(conn);
+ *status = NT_STATUS_UNSUCCESSFUL;
+ return NULL;
+ }
+ }
+
if (vfs_ChDir(conn,conn->connectpath) != 0) {
DEBUG(0,("%s (%s) Can't change directory to %s (%s)\n",
remote_machine, conn->client_address,
conn->connectpath,strerror(errno)));
- unbecome_user();
+ change_to_root_user();
yield_connection(conn,
lp_servicename(SNUM(conn)),
lp_max_connections(SNUM(conn)));
}
#endif
- add_session_user(user);
-
- /* execute any "preexec = " line */
- if (*lp_preexec(SNUM(conn))) {
- int ret;
- pstring cmd;
- pstrcpy(cmd,lp_preexec(SNUM(conn)));
- standard_sub_conn(conn,cmd);
- ret = smbrun(cmd,NULL);
- if (ret != 0 && lp_preexec_close(SNUM(conn))) {
- DEBUG(1,("preexec gave %d - failing connection\n", ret));
- yield_connection(conn, lp_servicename(SNUM(conn)), lp_max_connections(SNUM(conn)));
- conn_free(conn);
- *status = NT_STATUS_UNSUCCESSFUL;
- return NULL;
- }
- }
-
/*
* Print out the 'connected as' stuff here as we need
- * to know the effective uid and gid we will be using.
+ * to know the effective uid and gid we will be using
+ * (at least initially).
*/
if( DEBUGLVL( IS_IPC(conn) ? 3 : 1 ) ) {
dbgtext( "%s (%s) ", remote_machine, conn->client_address );
dbgtext( "connect to service %s ", lp_servicename(SNUM(conn)) );
- dbgtext( "as user %s ", user );
+ dbgtext( "initially as user %s ", user );
dbgtext( "(uid=%d, gid=%d) ", (int)geteuid(), (int)getegid() );
dbgtext( "(pid %d)\n", (int)sys_getpid() );
}
- /* we've finished with the sensitive stuff */
- unbecome_user();
-
/* Add veto/hide lists */
if (!IS_IPC(conn) && !IS_PRINT(conn)) {
set_namearray( &conn->veto_list, lp_veto_files(SNUM(conn)));
/* Invoke VFS make connection hook */
if (conn->vfs_ops.connect) {
- if (conn->vfs_ops.connect(conn, service, user) < 0)
+ if (conn->vfs_ops.connect(conn, service, user) < 0) {
+ DEBUG(0,("make_connection: VFS make connection failed!\n"));
+ *status = NT_STATUS_UNSUCCESSFUL;
+ change_to_root_user();
+ conn_free(conn);
return NULL;
+ }
}
+
+ /* we've finished with the user stuff - go back to root */
+ change_to_root_user();
return(conn);
}
{
DirCacheFlush(SNUM(conn));
- unbecome_user();
+ change_to_root_user();
DEBUG(IS_IPC(conn)?3:1, ("%s (%s) closed connection to service %s\n",
remote_machine,conn->client_address,
/* execute any "postexec = " line */
if (*lp_postexec(SNUM(conn)) &&
- become_user(conn, vuid)) {
+ change_to_user(conn, vuid)) {
pstring cmd;
pstrcpy(cmd,lp_postexec(SNUM(conn)));
standard_sub_conn(conn,cmd);
smbrun(cmd,NULL);
- unbecome_user();
+ change_to_root_user();
}
- unbecome_user();
+ change_to_root_user();
/* execute any "root postexec = " line */
if (*lp_rootpostexec(SNUM(conn))) {
pstring cmd;
}
conn_free(conn);
}
-
-
git.samba.org / ira / wip.git / blobdiff