Add a more explaining comment
[kai/samba-autobuild/.git] / source3 / smbd / share_access.c
index 468f61560b927c10fdea0181816b7c2de572ade7..f5f79c86e571177d358cf3d02f06b2aacc7b72b4 100644 (file)
@@ -5,7 +5,7 @@
    
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
-   the Free Software Foundation; either version 2 of the License, or
+   the Free Software Foundation; either version 3 of the License, or
    (at your option) any later version.
    
    This program is distributed in the hope that it will be useful,
@@ -14,8 +14,7 @@
    GNU General Public License for more details.
    
    You should have received a copy of the GNU General Public License
-   along with this program; if not, write to the Free Software
-   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
 #include "includes.h"
@@ -28,7 +27,7 @@
  * + and & may be combined
  */
 
-static BOOL do_group_checks(const char **name, const char **pattern)
+static bool do_group_checks(const char **name, const char **pattern)
 {
        if ((*name)[0] == '@') {
                *pattern = "&+";
@@ -63,18 +62,19 @@ static BOOL do_group_checks(const char **name, const char **pattern)
        return False;
 }
 
-static BOOL token_contains_name(TALLOC_CTX *mem_ctx,
+static bool token_contains_name(TALLOC_CTX *mem_ctx,
                                const char *username,
+                               const char *domain,
                                const char *sharename,
                                const struct nt_user_token *token,
                                const char *name)
 {
        const char *prefix;
        DOM_SID sid;
-       enum SID_NAME_USE type;
+       enum lsa_SidType type;
 
        if (username != NULL) {
-               name = talloc_sub_basic(mem_ctx, username, name);
+               name = talloc_sub_basic(mem_ctx, username, domain, name);
        }
        if (sharename != NULL) {
                name = talloc_string_sub(mem_ctx, name, "%S", sharename);
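Review bot: The new `domain` argument is forwarded to talloc_sub_basic inside the `if (username != NULL)` branch with no check of its own, and nothing in this hunk shows whether talloc_sub_basic accepts a NULL domain. Since user_ok_token's 'only user' path already calls this chain with a NULL username, callers may reasonably wonder whether domain can be NULL too; a one-line note on the parameter would settle it, e.g. `/* domain: passed unchecked to talloc_sub_basic -- document whether NULL is permitted */`. token_contains_name's body continues outside this hunk.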
@@ -83,7 +83,7 @@ static BOOL token_contains_name(TALLOC_CTX *mem_ctx,
        if (name == NULL) {
                /* This is too security sensitive, better panic than return a
                 * result that might be interpreted in a wrong way. */
-               smb_panic("substitutions failed\n");
+               smb_panic("substitutions failed");
        }
        
        /* check to see is we already have a SID */
@@ -94,7 +94,7 @@ static BOOL token_contains_name(TALLOC_CTX *mem_ctx,
        }
 
        if (!do_group_checks(&name, &prefix)) {
-               if (!lookup_name(mem_ctx, name, LOOKUP_NAME_ALL,
+               if (!lookup_name_smbconf(mem_ctx, name, LOOKUP_NAME_ALL,
                                 NULL, NULL, &sid, &type)) {
                        DEBUG(5, ("lookup_name %s failed\n", name));
                        return False;
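Review bot: The failure message on the DEBUG line after the changed call still reads `lookup_name %s failed`, although the call is now lookup_name_smbconf; the same stale text is in the next hunk after the second lookup_name_smbconf call. Since this is the only trace of why an access-list name did not resolve, the message should name the function that actually ran, `DEBUG(5, ("lookup_name_smbconf %s failed\n", name));`, in both places. The enclosing function continues outside this hunk.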
@@ -109,7 +109,7 @@ static BOOL token_contains_name(TALLOC_CTX *mem_ctx,
 
        for (/* initialized above */ ; *prefix != '\0'; prefix++) {
                if (*prefix == '+') {
-                       if (!lookup_name(mem_ctx, name,
+                       if (!lookup_name_smbconf(mem_ctx, name,
                                         LOOKUP_NAME_ALL|LOOKUP_NAME_GROUP,
                                         NULL, NULL, &sid, &type)) {
                                DEBUG(5, ("lookup_name %s failed\n", name));
@@ -133,7 +133,7 @@ static BOOL token_contains_name(TALLOC_CTX *mem_ctx,
                        }
                        continue;
                }
-               smb_panic("got invalid prefix from do_groups_check\n");
+               smb_panic("got invalid prefix from do_groups_check");
        }
        return False;
 }
@@ -149,7 +149,8 @@ static BOOL token_contains_name(TALLOC_CTX *mem_ctx,
  * The other use is the netgroup check when using @group or &group.
  */
 
-BOOL token_contains_name_in_list(const char *username,
+bool token_contains_name_in_list(const char *username,
+                                const char *domain,
                                 const char *sharename,
                                 const struct nt_user_token *token,
                                 const char **list)
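Review bot: The header comment whose tail is visible just above the signature does not mention the new `domain` parameter, so a reader of the public token_contains_name_in_list prototype cannot tell what it is used for or whether it may be NULL; the same gap applies to the changed signatures of user_ok_token and is_share_read_only_for_token further down. The visible hunks only show it being threaded through to talloc_sub_basic for name substitution, so a sentence along the lines of `* domain is passed through to the %-substitution of the list entries` in each header comment is what can be stated here. The function's body continues outside this hunk.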
@@ -161,11 +162,12 @@ BOOL token_contains_name_in_list(const char *username,
        }
 
        if ( (mem_ctx = talloc_new(NULL)) == NULL ) {
-               smb_panic("talloc_new failed\n");
+               smb_panic("talloc_new failed");
        }
 
        while (*list != NULL) {
-               if (token_contains_name(mem_ctx, username, sharename,token, *list)) {
+               if (token_contains_name(mem_ctx, username, domain, sharename,
+                                       token, *list)) {
                        TALLOC_FREE(mem_ctx);
                        return True;
                }
@@ -189,10 +191,12 @@ BOOL token_contains_name_in_list(const char *username,
  * The other use is the netgroup check when using @group or &group.
  */
 
-BOOL user_ok_token(const char *username, struct nt_user_token *token, int snum)
+bool user_ok_token(const char *username, const char *domain,
+                  struct nt_user_token *token, int snum)
 {
        if (lp_invalid_users(snum) != NULL) {
-               if (token_contains_name_in_list(username, lp_servicename(snum),
+               if (token_contains_name_in_list(username, domain,
+                                               lp_servicename(snum),
                                                token,
                                                lp_invalid_users(snum))) {
                        DEBUG(10, ("User %s in 'invalid users'\n", username));
@@ -201,7 +205,7 @@ BOOL user_ok_token(const char *username, struct nt_user_token *token, int snum)
        }
 
        if (lp_valid_users(snum) != NULL) {
-               if (!token_contains_name_in_list(username,
+               if (!token_contains_name_in_list(username, domain,
                                                 lp_servicename(snum), token,
                                                 lp_valid_users(snum))) {
                        DEBUG(10, ("User %s not in 'valid users'\n",
@@ -214,7 +218,12 @@ BOOL user_ok_token(const char *username, struct nt_user_token *token, int snum)
                const char *list[2];
                list[0] = lp_username(snum);
                list[1] = NULL;
-               if (!token_contains_name_in_list(NULL, lp_servicename(snum),
+               if ((list[0] == NULL) || (*list[0] == '\0')) {
+                       DEBUG(0, ("'only user = yes' and no 'username ='\n"));
+                       return False;
+               }
+               if (!token_contains_name_in_list(NULL, domain,
+                                                lp_servicename(snum),
                                                 token, list)) {
                        DEBUG(10, ("%s != 'username'\n", username));
                        return False;
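Review bot: The new fail-closed check for an empty 'username =' logs at level 0 without saying which share is misconfigured, so an administrator with several shares gets no pointer to the offending one; `DEBUG(0, ("'only user = yes' and no 'username =' for share %s\n", lp_servicename(snum)));` would make the message actionable. Returning False here is the right choice for an access decision, and the check correctly covers both a NULL and an empty string. The enclosing conditional block starts outside this hunk.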
@@ -241,13 +250,14 @@ BOOL user_ok_token(const char *username, struct nt_user_token *token, int snum)
  * The other use is the netgroup check when using @group or &group.
  */
 
-BOOL is_share_read_only_for_token(const char *username,
+bool is_share_read_only_for_token(const char *username,
+                                 const char *domain,
                                  struct nt_user_token *token, int snum)
 {
-       BOOL result = lp_readonly(snum);
+       bool result = lp_readonly(snum);
 
        if (lp_readlist(snum) != NULL) {
-               if (token_contains_name_in_list(username,
+               if (token_contains_name_in_list(username, domain,
                                                lp_servicename(snum), token,
                                                lp_readlist(snum))) {
                        result = True;
@@ -255,7 +265,7 @@ BOOL is_share_read_only_for_token(const char *username,
        }
 
        if (lp_writelist(snum) != NULL) {
-               if (token_contains_name_in_list(username,
+               if (token_contains_name_in_list(username, domain,
                                                lp_servicename(snum), token,
                                                lp_writelist(snum))) {
                        result = False;