2 Unix SMB/CIFS implementation.
3 Check access based on valid users, read list and friends
4 Copyright (C) Volker Lendecke 2005
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program; if not, write to the Free Software
18 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
24 * No prefix means direct username
25 * @name means netgroup first, then unix group
26 * &name means netgroup
27 * +name means unix group
28 * + and & may be combined
31 static BOOL do_group_checks(const char **name, const char **pattern)
33 if ((*name)[0] == '@') {
39 if (((*name)[0] == '+') && ((*name)[1] == '&')) {
45 if ((*name)[0] == '+') {
51 if (((*name)[0] == '&') && ((*name)[1] == '+')) {
57 if ((*name)[0] == '&') {
66 static BOOL token_contains_name(TALLOC_CTX *mem_ctx,
68 const char *sharename,
69 const struct nt_user_token *token,
74 enum SID_NAME_USE type;
76 if (username != NULL) {
77 name = talloc_sub_basic(mem_ctx, username, name);
79 if (sharename != NULL) {
80 name = talloc_string_sub(mem_ctx, name, "%S", sharename);
84 /* This is too security sensitive, better panic than return a
85 * result that might be interpreted in a wrong way. */
86 smb_panic("substitutions failed\n");
89 if (!do_group_checks(&name, &prefix)) {
90 if (!lookup_name(mem_ctx, name, LOOKUP_NAME_ALL,
91 NULL, NULL, &sid, &type)) {
92 DEBUG(5, ("lookup_name %s failed\n", name));
95 if (type != SID_NAME_USER) {
96 DEBUG(5, ("%s is a %s, expected a user\n",
97 name, sid_type_lookup(type)));
100 return nt_token_check_sid(&sid, token);
103 for (/* initialized above */ ; *prefix != '\0'; prefix++) {
104 if (*prefix == '+') {
105 if (!lookup_name(mem_ctx, name,
106 LOOKUP_NAME_ALL|LOOKUP_NAME_GROUP,
107 NULL, NULL, &sid, &type)) {
108 DEBUG(5, ("lookup_name %s failed\n", name));
111 if ((type != SID_NAME_DOM_GRP) &&
112 (type != SID_NAME_ALIAS) &&
113 (type != SID_NAME_WKN_GRP)) {
114 DEBUG(5, ("%s is a %s, expected a group\n",
115 name, sid_type_lookup(type)));
118 if (nt_token_check_sid(&sid, token)) {
123 if (*prefix == '&') {
124 if (user_in_netgroup(username, name)) {
129 smb_panic("got invalid prefix from do_groups_check\n");
135 * Check whether a user is contained in the list provided.
137 * Please note that the user name and share names passed in here mainly for
138 * the substitution routines that expand the parameter values, the decision
139 * whether a user is in the list is done after a lookup_name on the expanded
140 * parameter value, solely based on comparing the SIDs in token.
142 * The other use is the netgroup check when using @group or &group.
145 BOOL token_contains_name_in_list(const char *username,
146 const char *sharename,
147 const struct nt_user_token *token,
156 mem_ctx = talloc_new(NULL);
157 if (mem_ctx == NULL) {
158 smb_panic("talloc_new failed\n");
161 while (*list != NULL) {
162 if (token_contains_name(mem_ctx, username, sharename,
164 TALLOC_FREE(mem_ctx);
170 TALLOC_FREE(mem_ctx);
175 * Check whether the user described by "token" has access to share snum.
177 * This looks at "invalid users", "valid users" and "only user/username"
179 * Please note that the user name and share names passed in here mainly for
180 * the substitution routines that expand the parameter values, the decision
181 * whether a user is in the list is done after a lookup_name on the expanded
182 * parameter value, solely based on comparing the SIDs in token.
184 * The other use is the netgroup check when using @group or &group.
187 BOOL user_ok_token(const char *username, struct nt_user_token *token, int snum)
189 if (lp_invalid_users(snum) != NULL) {
190 if (token_contains_name_in_list(username, lp_servicename(snum),
192 lp_invalid_users(snum))) {
193 DEBUG(10, ("User %s in 'invalid users'\n", username));
198 if (lp_valid_users(snum) != NULL) {
199 if (!token_contains_name_in_list(username,
200 lp_servicename(snum), token,
201 lp_valid_users(snum))) {
202 DEBUG(10, ("User %s no in 'valid users'\n", username));
207 if (lp_onlyuser(snum)) {
209 list[0] = lp_username(snum);
211 if (!token_contains_name_in_list(NULL, lp_servicename(snum),
213 DEBUG(10, ("%s != 'username'\n", username));
218 DEBUG(10, ("user_ok_token: share %s is ok for unix user %s\n",
219 lp_servicename(snum), username));
225 * Check whether the user described by "token" is restricted to read-only
226 * access on share snum.
228 * This looks at "invalid users", "valid users" and "only user/username"
230 * Please note that the user name and share names passed in here mainly for
231 * the substitution routines that expand the parameter values, the decision
232 * whether a user is in the list is done after a lookup_name on the expanded
233 * parameter value, solely based on comparing the SIDs in token.
235 * The other use is the netgroup check when using @group or &group.
238 BOOL is_share_read_only_for_token(const char *username,
239 struct nt_user_token *token, int snum)
241 BOOL result = lp_readonly(snum);
243 if (lp_readlist(snum) != NULL) {
244 if (token_contains_name_in_list(username,
245 lp_servicename(snum), token,
246 lp_readlist(snum))) {
251 if (lp_writelist(snum) != NULL) {
252 if (token_contains_name_in_list(username,
253 lp_servicename(snum), token,
254 lp_writelist(snum))) {
259 DEBUG(10,("is_share_read_only_for_user: share %s is %s for unix user "
260 "%s\n", lp_servicename(snum),
261 result ? "read-only" : "read-write", username));