Add check_user_share_access() which factors out the share security and read_only...
[kai/samba.git] / source3 / smbd / uid.c
1 /* 
2    Unix SMB/CIFS implementation.
3    uid/user handling
4    Copyright (C) Andrew Tridgell 1992-1998
5
6    This program is free software; you can redistribute it and/or modify
7    it under the terms of the GNU General Public License as published by
8    the Free Software Foundation; either version 3 of the License, or
9    (at your option) any later version.
10
11    This program is distributed in the hope that it will be useful,
12    but WITHOUT ANY WARRANTY; without even the implied warranty of
13    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14    GNU General Public License for more details.
15
16    You should have received a copy of the GNU General Public License
17    along with this program.  If not, see <http://www.gnu.org/licenses/>.
18 */
19
20 #include "includes.h"
21 #include "system/passwd.h"
22 #include "smbd/smbd.h"
23 #include "smbd/globals.h"
24 #include "../librpc/gen_ndr/netlogon.h"
25 #include "libcli/security/security.h"
26 #include "passdb/lookup_sid.h"
27 #include "auth.h"
28
29 /* what user is current? */
30 extern struct current_user current_user;
31
32 /****************************************************************************
33  Become the guest user without changing the security context stack.
34 ****************************************************************************/
35
36 bool change_to_guest(void)
37 {
38         struct passwd *pass;
39
40         pass = Get_Pwnam_alloc(talloc_tos(), lp_guestaccount());
41         if (!pass) {
42                 return false;
43         }
44
45 #ifdef AIX
46         /* MWW: From AIX FAQ patch to WU-ftpd: call initgroups before 
47            setting IDs */
48         initgroups(pass->pw_name, pass->pw_gid);
49 #endif
50
51         set_sec_ctx(pass->pw_uid, pass->pw_gid, 0, NULL, NULL);
52
53         current_user.conn = NULL;
54         current_user.vuid = UID_FIELD_INVALID;
55
56         TALLOC_FREE(pass);
57
58         return true;
59 }
60
61 /****************************************************************************
62  talloc free the conn->session_info if not used in the vuid cache.
63 ****************************************************************************/
64
65 static void free_conn_session_info_if_unused(connection_struct *conn)
66 {
67         unsigned int i;
68
69         for (i = 0; i < VUID_CACHE_SIZE; i++) {
70                 struct vuid_cache_entry *ent;
71                 ent = &conn->vuid_cache->array[i];
72                 if (ent->vuid != UID_FIELD_INVALID &&
73                                 conn->session_info == ent->session_info) {
74                         return;
75                 }
76         }
77         /* Not used, safe to free. */
78         TALLOC_FREE(conn->session_info);
79 }
80
81 /*******************************************************************
82  Calculate access mask and if this user can access this share.
83 ********************************************************************/
84
85 NTSTATUS check_user_share_access(connection_struct *conn,
86                                 const struct auth_session_info *session_info,
87                                 uint32_t *p_share_access,
88                                 bool *p_readonly_share)
89 {
90         int snum = SNUM(conn);
91         uint32_t share_access = 0;
92         bool readonly_share = false;
93
94         if (!user_ok_token(session_info->unix_info->unix_name,
95                            session_info->info->domain_name,
96                            session_info->security_token, snum)) {
97                 return NT_STATUS_ACCESS_DENIED;
98         }
99
100         readonly_share = is_share_read_only_for_token(
101                 session_info->unix_info->unix_name,
102                 session_info->info->domain_name,
103                 session_info->security_token,
104                 conn);
105
106         share_access = create_share_access_mask(snum,
107                                         readonly_share,
108                                         session_info->security_token);
109
110         if ((share_access & FILE_WRITE_DATA) == 0) {
111                 if ((share_access & FILE_READ_DATA) == 0) {
112                         /* No access, read or write. */
113                         DEBUG(0,("user %s connection to %s "
114                                 "denied due to share security "
115                                 "descriptor.\n",
116                                 session_info->unix_info->unix_name,
117                                 lp_servicename(talloc_tos(), snum)));
118                         return NT_STATUS_ACCESS_DENIED;
119                 }
120         }
121
122         if (!readonly_share &&
123             !(share_access & FILE_WRITE_DATA)) {
124                 /* smb.conf allows r/w, but the security descriptor denies
125                  * write. Fall back to looking at readonly. */
126                 readonly_share = True;
127                 DEBUG(5,("falling back to read-only access-evaluation due to "
128                          "security descriptor\n"));
129         }
130
131         *p_share_access = share_access;
132         *p_readonly_share = readonly_share;
133
134         return NT_STATUS_OK;
135 }
136
137 /*******************************************************************
138  Check if a username is OK.
139
140  This sets up conn->session_info with a copy related to this vuser that
141  later code can then mess with.
142 ********************************************************************/
143
144 static bool check_user_ok(connection_struct *conn,
145                         uint64_t vuid,
146                         const struct auth_session_info *session_info,
147                         int snum)
148 {
149         unsigned int i;
150         bool readonly_share;
151         bool admin_user;
152         struct vuid_cache_entry *ent = NULL;
153         uint32_t share_access = 0;
154
155         for (i=0; i<VUID_CACHE_SIZE; i++) {
156                 ent = &conn->vuid_cache->array[i];
157                 if (ent->vuid == vuid) {
158                         free_conn_session_info_if_unused(conn);
159                         conn->session_info = ent->session_info;
160                         conn->read_only = ent->read_only;
161                         conn->share_access = ent->share_access;
162                         return(True);
163                 }
164         }
165
166         if (!user_ok_token(session_info->unix_info->unix_name,
167                            session_info->info->domain_name,
168                            session_info->security_token, snum))
169                 return(False);
170
171         readonly_share = is_share_read_only_for_token(
172                 session_info->unix_info->unix_name,
173                 session_info->info->domain_name,
174                 session_info->security_token,
175                 conn);
176
177         share_access = create_share_access_mask(snum,
178                                                 readonly_share,
179                                                 session_info->security_token);
180
181         if ((share_access & FILE_WRITE_DATA) == 0) {
182                 if ((share_access & FILE_READ_DATA) == 0) {
183                         /* No access, read or write. */
184                         DEBUG(0,("user %s connection to %s "
185                                 "denied due to share security "
186                                 "descriptor.\n",
187                                 session_info->unix_info->unix_name,
188                                 lp_servicename(talloc_tos(), snum)));
189                         return false;
190                 }
191         }
192
193         if (!readonly_share &&
194             !(share_access & FILE_WRITE_DATA)) {
195                 /* smb.conf allows r/w, but the security descriptor denies
196                  * write. Fall back to looking at readonly. */
197                 readonly_share = True;
198                 DEBUG(5,("falling back to read-only access-evaluation due to "
199                          "security descriptor\n"));
200         }
201
202         admin_user = token_contains_name_in_list(
203                 session_info->unix_info->unix_name,
204                 session_info->info->domain_name,
205                 NULL, session_info->security_token, lp_admin_users(snum));
206
207         ent = &conn->vuid_cache->array[conn->vuid_cache->next_entry];
208
209         conn->vuid_cache->next_entry =
210                 (conn->vuid_cache->next_entry + 1) % VUID_CACHE_SIZE;
211
212         TALLOC_FREE(ent->session_info);
213
214         /*
215          * If force_user was set, all session_info's are based on the same
216          * username-based faked one.
217          */
218
219         ent->session_info = copy_session_info(
220                 conn, conn->force_user ? conn->session_info : session_info);
221
222         if (ent->session_info == NULL) {
223                 ent->vuid = UID_FIELD_INVALID;
224                 return false;
225         }
226
227         ent->vuid = vuid;
228         ent->read_only = readonly_share;
229         ent->share_access = share_access;
230         free_conn_session_info_if_unused(conn);
231         conn->session_info = ent->session_info;
232
233         conn->read_only = readonly_share;
234         conn->share_access = share_access;
235
236         if (admin_user) {
237                 DEBUG(2,("check_user_ok: user %s is an admin user. "
238                         "Setting uid as %d\n",
239                         conn->session_info->unix_info->unix_name,
240                         sec_initial_uid() ));
241                 conn->session_info->unix_token->uid = sec_initial_uid();
242         }
243
244         return(True);
245 }
246
247 /****************************************************************************
248  Become the user of a connection number without changing the security context
249  stack, but modify the current_user entries.
250 ****************************************************************************/
251
252 static bool change_to_user_internal(connection_struct *conn,
253                                     const struct auth_session_info *session_info,
254                                     uint64_t vuid)
255 {
256         int snum;
257         gid_t gid;
258         uid_t uid;
259         char group_c;
260         int num_groups = 0;
261         gid_t *group_list = NULL;
262         bool ok;
263
264         snum = SNUM(conn);
265
266         ok = check_user_ok(conn, vuid, session_info, snum);
267         if (!ok) {
268                 DEBUG(2,("SMB user %s (unix user %s) "
269                          "not permitted access to share %s.\n",
270                          session_info->unix_info->sanitized_username,
271                          session_info->unix_info->unix_name,
272                          lp_servicename(talloc_tos(), snum)));
273                 return false;
274         }
275
276         uid = conn->session_info->unix_token->uid;
277         gid = conn->session_info->unix_token->gid;
278         num_groups = conn->session_info->unix_token->ngroups;
279         group_list  = conn->session_info->unix_token->groups;
280
281         /*
282          * See if we should force group for this service. If so this overrides
283          * any group set in the force user code.
284          */
285         if((group_c = *lp_force_group(talloc_tos(), snum))) {
286
287                 SMB_ASSERT(conn->force_group_gid != (gid_t)-1);
288
289                 if (group_c == '+') {
290                         int i;
291
292                         /*
293                          * Only force group if the user is a member of the
294                          * service group. Check the group memberships for this
295                          * user (we already have this) to see if we should force
296                          * the group.
297                          */
298                         for (i = 0; i < num_groups; i++) {
299                                 if (group_list[i] == conn->force_group_gid) {
300                                         conn->session_info->unix_token->gid =
301                                                 conn->force_group_gid;
302                                         gid = conn->force_group_gid;
303                                         gid_to_sid(&conn->session_info->security_token
304                                                    ->sids[1], gid);
305                                         break;
306                                 }
307                         }
308                 } else {
309                         conn->session_info->unix_token->gid = conn->force_group_gid;
310                         gid = conn->force_group_gid;
311                         gid_to_sid(&conn->session_info->security_token->sids[1],
312                                    gid);
313                 }
314         }
315
316         /*Set current_user since we will immediately also call set_sec_ctx() */
317         current_user.ut.ngroups = num_groups;
318         current_user.ut.groups  = group_list;
319
320         set_sec_ctx(uid,
321                     gid,
322                     current_user.ut.ngroups,
323                     current_user.ut.groups,
324                     conn->session_info->security_token);
325
326         current_user.conn = conn;
327         current_user.vuid = vuid;
328
329         DEBUG(5, ("Impersonated user: uid=(%d,%d), gid=(%d,%d)\n",
330                  (int)getuid(),
331                  (int)geteuid(),
332                  (int)getgid(),
333                  (int)getegid()));
334
335         return true;
336 }
337
338 bool change_to_user(connection_struct *conn, uint64_t vuid)
339 {
340         struct user_struct *vuser;
341         int snum = SNUM(conn);
342
343         if (!conn) {
344                 DEBUG(2,("Connection not open\n"));
345                 return(False);
346         }
347
348         vuser = get_valid_user_struct(conn->sconn, vuid);
349
350         if ((current_user.conn == conn) &&
351                    (vuser != NULL) && (current_user.vuid == vuid) &&
352                    (current_user.ut.uid == vuser->session_info->unix_token->uid)) {
353                 DEBUG(4,("Skipping user change - already "
354                          "user\n"));
355                 return(True);
356         }
357
358         if (vuser == NULL) {
359                 /* Invalid vuid sent */
360                 DEBUG(2,("Invalid vuid %llu used on share %s.\n",
361                          (unsigned long long)vuid, lp_servicename(talloc_tos(),
362                                                                   snum)));
363                 return false;
364         }
365
366         return change_to_user_internal(conn, vuser->session_info, vuid);
367 }
368
369 static bool change_to_user_by_session(connection_struct *conn,
370                                       const struct auth_session_info *session_info)
371 {
372         SMB_ASSERT(conn != NULL);
373         SMB_ASSERT(session_info != NULL);
374
375         if ((current_user.conn == conn) &&
376             (current_user.ut.uid == session_info->unix_token->uid)) {
377                 DEBUG(7, ("Skipping user change - already user\n"));
378
379                 return true;
380         }
381
382         return change_to_user_internal(conn, session_info, UID_FIELD_INVALID);
383 }
384
385 /****************************************************************************
386  Go back to being root without changing the security context stack,
387  but modify the current_user entries.
388 ****************************************************************************/
389
390 bool smbd_change_to_root_user(void)
391 {
392         set_root_sec_ctx();
393
394         DEBUG(5,("change_to_root_user: now uid=(%d,%d) gid=(%d,%d)\n",
395                 (int)getuid(),(int)geteuid(),(int)getgid(),(int)getegid()));
396
397         current_user.conn = NULL;
398         current_user.vuid = UID_FIELD_INVALID;
399
400         return(True);
401 }
402
403 /****************************************************************************
404  Become the user of an authenticated connected named pipe.
405  When this is called we are currently running as the connection
406  user. Doesn't modify current_user.
407 ****************************************************************************/
408
409 bool become_authenticated_pipe_user(struct auth_session_info *session_info)
410 {
411         if (!push_sec_ctx())
412                 return False;
413
414         set_sec_ctx(session_info->unix_token->uid, session_info->unix_token->gid,
415                     session_info->unix_token->ngroups, session_info->unix_token->groups,
416                     session_info->security_token);
417
418         return True;
419 }
420
421 /****************************************************************************
422  Unbecome the user of an authenticated connected named pipe.
423  When this is called we are running as the authenticated pipe
424  user and need to go back to being the connection user. Doesn't modify
425  current_user.
426 ****************************************************************************/
427
428 bool unbecome_authenticated_pipe_user(void)
429 {
430         return pop_sec_ctx();
431 }
432
433 /****************************************************************************
434  Utility functions used by become_xxx/unbecome_xxx.
435 ****************************************************************************/
436
437 static void push_conn_ctx(void)
438 {
439         struct conn_ctx *ctx_p;
440
441         /* Check we don't overflow our stack */
442
443         if (conn_ctx_stack_ndx == MAX_SEC_CTX_DEPTH) {
444                 DEBUG(0, ("Connection context stack overflow!\n"));
445                 smb_panic("Connection context stack overflow!\n");
446         }
447
448         /* Store previous user context */
449         ctx_p = &conn_ctx_stack[conn_ctx_stack_ndx];
450
451         ctx_p->conn = current_user.conn;
452         ctx_p->vuid = current_user.vuid;
453
454         DEBUG(4, ("push_conn_ctx(%llu) : conn_ctx_stack_ndx = %d\n",
455                 (unsigned long long)ctx_p->vuid, conn_ctx_stack_ndx));
456
457         conn_ctx_stack_ndx++;
458 }
459
460 static void pop_conn_ctx(void)
461 {
462         struct conn_ctx *ctx_p;
463
464         /* Check for stack underflow. */
465
466         if (conn_ctx_stack_ndx == 0) {
467                 DEBUG(0, ("Connection context stack underflow!\n"));
468                 smb_panic("Connection context stack underflow!\n");
469         }
470
471         conn_ctx_stack_ndx--;
472         ctx_p = &conn_ctx_stack[conn_ctx_stack_ndx];
473
474         current_user.conn = ctx_p->conn;
475         current_user.vuid = ctx_p->vuid;
476
477         ctx_p->conn = NULL;
478         ctx_p->vuid = UID_FIELD_INVALID;
479 }
480
481 /****************************************************************************
482  Temporarily become a root user.  Must match with unbecome_root(). Saves and
483  restores the connection context.
484 ****************************************************************************/
485
486 void smbd_become_root(void)
487 {
488          /*
489           * no good way to handle push_sec_ctx() failing without changing
490           * the prototype of become_root()
491           */
492         if (!push_sec_ctx()) {
493                 smb_panic("become_root: push_sec_ctx failed");
494         }
495         push_conn_ctx();
496         set_root_sec_ctx();
497 }
498
499 /* Unbecome the root user */
500
501 void smbd_unbecome_root(void)
502 {
503         pop_sec_ctx();
504         pop_conn_ctx();
505 }
506
507 /****************************************************************************
508  Push the current security context then force a change via change_to_user().
509  Saves and restores the connection context.
510 ****************************************************************************/
511
512 bool become_user(connection_struct *conn, uint64_t vuid)
513 {
514         if (!push_sec_ctx())
515                 return False;
516
517         push_conn_ctx();
518
519         if (!change_to_user(conn, vuid)) {
520                 pop_sec_ctx();
521                 pop_conn_ctx();
522                 return False;
523         }
524
525         return True;
526 }
527
528 bool become_user_by_session(connection_struct *conn,
529                             const struct auth_session_info *session_info)
530 {
531         if (!push_sec_ctx())
532                 return false;
533
534         push_conn_ctx();
535
536         if (!change_to_user_by_session(conn, session_info)) {
537                 pop_sec_ctx();
538                 pop_conn_ctx();
539                 return false;
540         }
541
542         return true;
543 }
544
545 bool unbecome_user(void)
546 {
547         pop_sec_ctx();
548         pop_conn_ctx();
549         return True;
550 }
551
552 /****************************************************************************
553  Return the current user we are running effectively as on this connection.
554  I'd like to make this return conn->session_info->unix_token->uid, but become_root()
555  doesn't alter this value.
556 ****************************************************************************/
557
558 uid_t get_current_uid(connection_struct *conn)
559 {
560         return current_user.ut.uid;
561 }
562
563 /****************************************************************************
564  Return the current group we are running effectively as on this connection.
565  I'd like to make this return conn->session_info->unix_token->gid, but become_root()
566  doesn't alter this value.
567 ****************************************************************************/
568
569 gid_t get_current_gid(connection_struct *conn)
570 {
571         return current_user.ut.gid;
572 }
573
574 /****************************************************************************
575  Return the UNIX token we are running effectively as on this connection.
576  I'd like to make this return &conn->session_info->unix_token-> but become_root()
577  doesn't alter this value.
578 ****************************************************************************/
579
580 const struct security_unix_token *get_current_utok(connection_struct *conn)
581 {
582         return &current_user.ut;
583 }
584
585 /****************************************************************************
586  Return the Windows token we are running effectively as on this connection.
587  If this is currently a NULL token as we're inside become_root() - a temporary
588  UNIX security override, then we search up the stack for the previous active
589  token.
590 ****************************************************************************/
591
592 const struct security_token *get_current_nttok(connection_struct *conn)
593 {
594         if (current_user.nt_user_token) {
595                 return current_user.nt_user_token;
596         }
597         return sec_ctx_active_token();
598 }
599
600 uint64_t get_current_vuid(connection_struct *conn)
601 {
602         return current_user.vuid;
603 }