-/*
+/*
Unix SMB/CIFS implementation.
Check access based on valid users, read list and friends
Copyright (C) Volker Lendecke 2005
-
+
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
-
+
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
-
+
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "includes.h"
+#include "smbd/smbd.h"
#include "smbd/globals.h"
+#include "../libcli/security/security.h"
+#include "passdb/lookup_sid.h"
+#include "auth.h"
/*
* No prefix means direct username
const char *username,
const char *domain,
const char *sharename,
- const struct nt_user_token *token,
+ const struct security_token *token,
const char *name)
{
const char *prefix;
struct dom_sid sid;
enum lsa_SidType type;
- struct smbd_server_connection *sconn = smbd_server_conn;
if (username != NULL) {
name = talloc_sub_basic(mem_ctx, username, domain, name);
* result that might be interpreted in a wrong way. */
smb_panic("substitutions failed");
}
-
+
/* check to see is we already have a SID */
if ( string_to_sid( &sid, name ) ) {
}
if (*prefix == '&') {
if (username) {
- if (user_in_netgroup(username, name)) {
+ if (user_in_netgroup(mem_ctx, username, name)) {
return True;
}
}
bool token_contains_name_in_list(const char *username,
const char *domain,
const char *sharename,
- const struct nt_user_token *token,
+ const struct security_token *token,
const char **list)
{
- TALLOC_CTX *mem_ctx;
-
if (list == NULL) {
return False;
}
-
- if ( (mem_ctx = talloc_new(NULL)) == NULL ) {
- smb_panic("talloc_new failed");
- }
-
while (*list != NULL) {
- if (token_contains_name(mem_ctx, username, domain, sharename,
- token, *list)) {
- TALLOC_FREE(mem_ctx);
- return True;
+ TALLOC_CTX *frame = talloc_stackframe();
+ bool ret;
+
+ ret = token_contains_name(frame, username, domain, sharename,
+ token, *list);
+ TALLOC_FREE(frame);
+ if (ret) {
+ return true;
}
list += 1;
}
-
- TALLOC_FREE(mem_ctx);
return False;
}
*/
bool user_ok_token(const char *username, const char *domain,
- const struct nt_user_token *token, int snum)
+ const struct security_token *token, int snum)
{
if (lp_invalid_users(snum) != NULL) {
if (token_contains_name_in_list(username, domain,
- lp_servicename(snum),
+ lp_servicename(talloc_tos(), snum),
token,
lp_invalid_users(snum))) {
DEBUG(10, ("User %s in 'invalid users'\n", username));
if (lp_valid_users(snum) != NULL) {
if (!token_contains_name_in_list(username, domain,
- lp_servicename(snum), token,
+ lp_servicename(talloc_tos(), snum),
+ token,
lp_valid_users(snum))) {
DEBUG(10, ("User %s not in 'valid users'\n",
username));
if (lp_onlyuser(snum)) {
const char *list[2];
- list[0] = lp_username(snum);
+ list[0] = lp_username(talloc_tos(), snum);
list[1] = NULL;
if ((list[0] == NULL) || (*list[0] == '\0')) {
DEBUG(0, ("'only user = yes' and no 'username ='\n"));
return False;
}
if (!token_contains_name_in_list(NULL, domain,
- lp_servicename(snum),
+ lp_servicename(talloc_tos(), snum),
token, list)) {
DEBUG(10, ("%s != 'username'\n", username));
return False;
}
DEBUG(10, ("user_ok_token: share %s is ok for unix user %s\n",
- lp_servicename(snum), username));
+ lp_servicename(talloc_tos(), snum), username));
return True;
}
bool is_share_read_only_for_token(const char *username,
const char *domain,
- const struct nt_user_token *token,
+ const struct security_token *token,
connection_struct *conn)
{
int snum = SNUM(conn);
if (lp_readlist(snum) != NULL) {
if (token_contains_name_in_list(username, domain,
- lp_servicename(snum), token,
+ lp_servicename(talloc_tos(), snum),
+ token,
lp_readlist(snum))) {
result = True;
}
if (lp_writelist(snum) != NULL) {
if (token_contains_name_in_list(username, domain,
- lp_servicename(snum), token,
+ lp_servicename(talloc_tos(), snum),
+ token,
lp_writelist(snum))) {
result = False;
}
}
DEBUG(10,("is_share_read_only_for_user: share %s is %s for unix user "
- "%s\n", lp_servicename(snum),
+ "%s\n", lp_servicename(talloc_tos(), snum),
result ? "read-only" : "read-write", username));
return result;