source3/smbd/uid.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3    uid/user handling
   4    Copyright (C) Andrew Tridgell 1992-1998
   5
   6    This program is free software; you can redistribute it and/or modify
   7    it under the terms of the GNU General Public License as published by
   8    the Free Software Foundation; either version 3 of the License, or
   9    (at your option) any later version.
  10
  11    This program is distributed in the hope that it will be useful,
  12    but WITHOUT ANY WARRANTY; without even the implied warranty of
  13    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14    GNU General Public License for more details.
  15
  16    You should have received a copy of the GNU General Public License
  17    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  18 */
  19
  20 #include "includes.h"
  21 #include "smbd/globals.h"
  22 #include "../librpc/gen_ndr/netlogon.h"
  23 #include "libcli/security/security.h"
  24
  25 /* what user is current? */
  26 extern struct current_user current_user;
  27
  28 /****************************************************************************
  29  Become the guest user without changing the security context stack.
  30 ****************************************************************************/
  31
  32 bool change_to_guest(void)
  33 {
  34         struct passwd *pass;
  35
  36         pass = Get_Pwnam_alloc(talloc_tos(), lp_guestaccount());
  37         if (!pass) {
  38                 return false;
  39         }
  40
  41 #ifdef AIX
  42         /* MWW: From AIX FAQ patch to WU-ftpd: call initgroups before
  43            setting IDs */
  44         initgroups(pass->pw_name, pass->pw_gid);
  45 #endif
  46
  47         set_sec_ctx(pass->pw_uid, pass->pw_gid, 0, NULL, NULL);
  48
  49         current_user.conn = NULL;
  50         current_user.vuid = UID_FIELD_INVALID;
  51
  52         TALLOC_FREE(pass);
  53
  54         return true;
  55 }
  56
  57 /****************************************************************************
  58  talloc free the conn->server_info if not used in the vuid cache.
  59 ****************************************************************************/
  60
  61 static void free_conn_server_info_if_unused(connection_struct *conn)
  62 {
  63         unsigned int i;
  64
  65         for (i = 0; i < VUID_CACHE_SIZE; i++) {
  66                 struct vuid_cache_entry *ent;
  67                 ent = &conn->vuid_cache.array[i];
  68                 if (ent->vuid != UID_FIELD_INVALID &&
  69                                 conn->server_info == ent->server_info) {
  70                         return;
  71                 }
  72         }
  73         /* Not used, safe to free. */
  74         TALLOC_FREE(conn->server_info);
  75 }
  76
  77 /*******************************************************************
  78  Check if a username is OK.
  79
  80  This sets up conn->server_info with a copy related to this vuser that
  81  later code can then mess with.
  82 ********************************************************************/
  83
  84 static bool check_user_ok(connection_struct *conn,
  85                         uint16_t vuid,
  86                         const struct auth_serversupplied_info *server_info,
  87                         int snum)
  88 {
  89         bool valid_vuid = (vuid != UID_FIELD_INVALID);
  90         unsigned int i;
  91         bool readonly_share;
  92         bool admin_user;
  93
  94         if (valid_vuid) {
  95                 struct vuid_cache_entry *ent;
  96
  97                 for (i=0; i<VUID_CACHE_SIZE; i++) {
  98                         ent = &conn->vuid_cache.array[i];
  99                         if (ent->vuid == vuid) {
 100                                 free_conn_server_info_if_unused(conn);
 101                                 conn->server_info = ent->server_info;
 102                                 conn->read_only = ent->read_only;
 103                                 return(True);
 104                         }
 105                 }
 106         }
 107
 108         if (!user_ok_token(server_info->unix_name,
 109                            server_info->info3->base.domain.string,
 110                            server_info->security_token, snum))
 111                 return(False);
 112
 113         readonly_share = is_share_read_only_for_token(
 114                 server_info->unix_name,
 115                 server_info->info3->base.domain.string,
 116                 server_info->security_token,
 117                 conn);
 118
 119         if (!readonly_share &&
 120             !share_access_check(server_info->security_token, lp_servicename(snum),
 121                                 FILE_WRITE_DATA)) {
 122                 /* smb.conf allows r/w, but the security descriptor denies
 123                  * write. Fall back to looking at readonly. */
 124                 readonly_share = True;
 125                 DEBUG(5,("falling back to read-only access-evaluation due to "
 126                          "security descriptor\n"));
 127         }
 128
 129         if (!share_access_check(server_info->security_token, lp_servicename(snum),
 130                                 readonly_share ?
 131                                 FILE_READ_DATA : FILE_WRITE_DATA)) {
 132                 return False;
 133         }
 134
 135         admin_user = token_contains_name_in_list(
 136                 server_info->unix_name,
 137                 server_info->info3->base.domain.string,
 138                 NULL, server_info->security_token, lp_admin_users(snum));
 139
 140         if (valid_vuid) {
 141                 struct vuid_cache_entry *ent =
 142                         &conn->vuid_cache.array[conn->vuid_cache.next_entry];
 143
 144                 conn->vuid_cache.next_entry =
 145                         (conn->vuid_cache.next_entry + 1) % VUID_CACHE_SIZE;
 146
 147                 TALLOC_FREE(ent->server_info);
 148
 149                 /*
 150                  * If force_user was set, all server_info's are based on the same
 151                  * username-based faked one.
 152                  */
 153
 154                 ent->server_info = copy_serverinfo(
 155                         conn, conn->force_user ? conn->server_info : server_info);
 156
 157                 if (ent->server_info == NULL) {
 158                         ent->vuid = UID_FIELD_INVALID;
 159                         return false;
 160                 }
 161
 162                 ent->vuid = vuid;
 163                 ent->read_only = readonly_share;
 164                 free_conn_server_info_if_unused(conn);
 165                 conn->server_info = ent->server_info;
 166         }
 167
 168         conn->read_only = readonly_share;
 169         if (admin_user) {
 170                 DEBUG(2,("check_user_ok: user %s is an admin user. "
 171                         "Setting uid as %d\n",
 172                         conn->server_info->unix_name,
 173                         sec_initial_uid() ));
 174                 conn->server_info->utok.uid = sec_initial_uid();
 175         }
 176
 177         return(True);
 178 }
 179
 180 /****************************************************************************
 181  Clear a vuid out of the connection's vuid cache
 182  This is only called on SMBulogoff.
 183 ****************************************************************************/
 184
 185 void conn_clear_vuid_cache(connection_struct *conn, uint16_t vuid)
 186 {
 187         int i;
 188
 189         for (i=0; i<VUID_CACHE_SIZE; i++) {
 190                 struct vuid_cache_entry *ent;
 191
 192                 ent = &conn->vuid_cache.array[i];
 193
 194                 if (ent->vuid == vuid) {
 195                         ent->vuid = UID_FIELD_INVALID;
 196                         /*
 197                          * We need to keep conn->server_info around
 198                          * if it's equal to ent->server_info as a SMBulogoff
 199                          * is often followed by a SMBtdis (with an invalid
 200                          * vuid). The debug code (or regular code in
 201                          * vfs_full_audit) wants to refer to the
 202                          * conn->server_info pointer to print debug
 203                          * statements. Theoretically this is a bug,
 204                          * as once the vuid is gone the server_info
 205                          * on the conn struct isn't valid any more,
 206                          * but there's enough code that assumes
 207                          * conn->server_info is never null that
 208                          * it's easier to hold onto the old pointer
 209                          * until we get a new sessionsetupX.
 210                          * As everything is hung off the
 211                          * conn pointer as a talloc context we're not
 212                          * leaking memory here. See bug #6315. JRA.
 213                          */
 214                         if (conn->server_info == ent->server_info) {
 215                                 ent->server_info = NULL;
 216                         } else {
 217                                 TALLOC_FREE(ent->server_info);
 218                         }
 219                         ent->read_only = False;
 220                 }
 221         }
 222 }
 223
 224 /****************************************************************************
 225  Become the user of a connection number without changing the security context
 226  stack, but modify the current_user entries.
 227 ****************************************************************************/
 228
 229 bool change_to_user(connection_struct *conn, uint16 vuid)
 230 {
 231         const struct auth_serversupplied_info *server_info = NULL;
 232         user_struct *vuser;
 233         int snum;
 234         gid_t gid;
 235         uid_t uid;
 236         char group_c;
 237         int num_groups = 0;
 238         gid_t *group_list = NULL;
 239
 240         if (!conn) {
 241                 DEBUG(2,("change_to_user: Connection not open\n"));
 242                 return(False);
 243         }
 244
 245         vuser = get_valid_user_struct(conn->sconn, vuid);
 246
 247         /*
 248          * We need a separate check in security=share mode due to vuid
 249          * always being UID_FIELD_INVALID. If we don't do this then
 250          * in share mode security we are *always* changing uid's between
 251          * SMB's - this hurts performance - Badly.
 252          */
 253
 254         if((lp_security() == SEC_SHARE) && (current_user.conn == conn) &&
 255            (current_user.ut.uid == conn->server_info->utok.uid)) {
 256                 DEBUG(4,("change_to_user: Skipping user change - already "
 257                          "user\n"));
 258                 return(True);
 259         } else if ((current_user.conn == conn) &&
 260                    (vuser != NULL) && (current_user.vuid == vuid) &&
 261                    (current_user.ut.uid == vuser->server_info->utok.uid)) {
 262                 DEBUG(4,("change_to_user: Skipping user change - already "
 263                          "user\n"));
 264                 return(True);
 265         }
 266
 267         snum = SNUM(conn);
 268
 269         server_info = vuser ? vuser->server_info : conn->server_info;
 270
 271         if (!server_info) {
 272                 /* Invalid vuid sent - even with security = share. */
 273                 DEBUG(2,("change_to_user: Invalid vuid %d used on "
 274                          "share %s.\n",vuid, lp_servicename(snum) ));
 275                 return false;
 276         }
 277
 278         if (!check_user_ok(conn, vuid, server_info, snum)) {
 279                 DEBUG(2,("change_to_user: SMB user %s (unix user %s, vuid %d) "
 280                          "not permitted access to share %s.\n",
 281                          server_info->sanitized_username,
 282                          server_info->unix_name, vuid,
 283                          lp_servicename(snum)));
 284                 return false;
 285         }
 286
 287         /* security = share sets force_user. */
 288         if (!conn->force_user && !vuser) {
 289                 DEBUG(2,("change_to_user: Invalid vuid used %d in accessing "
 290                         "share %s.\n",vuid, lp_servicename(snum) ));
 291                 return False;
 292         }
 293
 294         /*
 295          * conn->server_info is now correctly set up with a copy we can mess
 296          * with for force_group etc.
 297          */
 298
 299         uid = conn->server_info->utok.uid;
 300         gid = conn->server_info->utok.gid;
 301         num_groups = conn->server_info->utok.ngroups;
 302         group_list  = conn->server_info->utok.groups;
 303
 304         /*
 305          * See if we should force group for this service.
 306          * If so this overrides any group set in the force
 307          * user code.
 308          */
 309
 310         if((group_c = *lp_force_group(snum))) {
 311
 312                 SMB_ASSERT(conn->force_group_gid != (gid_t)-1);
 313
 314                 if(group_c == '+') {
 315
 316                         /*
 317                          * Only force group if the user is a member of
 318                          * the service group. Check the group memberships for
 319                          * this user (we already have this) to
 320                          * see if we should force the group.
 321                          */
 322
 323                         int i;
 324                         for (i = 0; i < num_groups; i++) {
 325                                 if (group_list[i]
 326                                     == conn->force_group_gid) {
 327                                         conn->server_info->utok.gid =
 328                                                 conn->force_group_gid;
 329                                         gid = conn->force_group_gid;
 330                                         gid_to_sid(&conn->server_info->security_token
 331                                                    ->sids[1], gid);
 332                                         break;
 333                                 }
 334                         }
 335                 } else {
 336                         conn->server_info->utok.gid = conn->force_group_gid;
 337                         gid = conn->force_group_gid;
 338                         gid_to_sid(&conn->server_info->security_token->sids[1],
 339                                    gid);
 340                 }
 341         }
 342
 343         /* Now set current_user since we will immediately also call
 344            set_sec_ctx() */
 345
 346         current_user.ut.ngroups = num_groups;
 347         current_user.ut.groups  = group_list;
 348
 349         set_sec_ctx(uid, gid, current_user.ut.ngroups, current_user.ut.groups,
 350                     conn->server_info->security_token);
 351
 352         current_user.conn = conn;
 353         current_user.vuid = vuid;
 354
 355         DEBUG(5,("change_to_user uid=(%d,%d) gid=(%d,%d)\n",
 356                  (int)getuid(),(int)geteuid(),(int)getgid(),(int)getegid()));
 357
 358         return(True);
 359 }
 360
 361 /****************************************************************************
 362  Go back to being root without changing the security context stack,
 363  but modify the current_user entries.
 364 ****************************************************************************/
 365
 366 bool change_to_root_user(void)
 367 {
 368         set_root_sec_ctx();
 369
 370         DEBUG(5,("change_to_root_user: now uid=(%d,%d) gid=(%d,%d)\n",
 371                 (int)getuid(),(int)geteuid(),(int)getgid(),(int)getegid()));
 372
 373         current_user.conn = NULL;
 374         current_user.vuid = UID_FIELD_INVALID;
 375
 376         return(True);
 377 }
 378
 379 /****************************************************************************
 380  Become the user of an authenticated connected named pipe.
 381  When this is called we are currently running as the connection
 382  user. Doesn't modify current_user.
 383 ****************************************************************************/
 384
 385 bool become_authenticated_pipe_user(struct pipes_struct *p)
 386 {
 387         if (!push_sec_ctx())
 388                 return False;
 389
 390         set_sec_ctx(p->server_info->utok.uid, p->server_info->utok.gid,
 391                     p->server_info->utok.ngroups, p->server_info->utok.groups,
 392                     p->server_info->security_token);
 393
 394         return True;
 395 }
 396
 397 /****************************************************************************
 398  Unbecome the user of an authenticated connected named pipe.
 399  When this is called we are running as the authenticated pipe
 400  user and need to go back to being the connection user. Doesn't modify
 401  current_user.
 402 ****************************************************************************/
 403
 404 bool unbecome_authenticated_pipe_user(void)
 405 {
 406         return pop_sec_ctx();
 407 }
 408
 409 /****************************************************************************
 410  Utility functions used by become_xxx/unbecome_xxx.
 411 ****************************************************************************/
 412
 413 static void push_conn_ctx(void)
 414 {
 415         struct conn_ctx *ctx_p;
 416
 417         /* Check we don't overflow our stack */
 418
 419         if (conn_ctx_stack_ndx == MAX_SEC_CTX_DEPTH) {
 420                 DEBUG(0, ("Connection context stack overflow!\n"));
 421                 smb_panic("Connection context stack overflow!\n");
 422         }
 423
 424         /* Store previous user context */
 425         ctx_p = &conn_ctx_stack[conn_ctx_stack_ndx];
 426
 427         ctx_p->conn = current_user.conn;
 428         ctx_p->vuid = current_user.vuid;
 429
 430         DEBUG(3, ("push_conn_ctx(%u) : conn_ctx_stack_ndx = %d\n",
 431                 (unsigned int)ctx_p->vuid, conn_ctx_stack_ndx ));
 432
 433         conn_ctx_stack_ndx++;
 434 }
 435
 436 static void pop_conn_ctx(void)
 437 {
 438         struct conn_ctx *ctx_p;
 439
 440         /* Check for stack underflow. */
 441
 442         if (conn_ctx_stack_ndx == 0) {
 443                 DEBUG(0, ("Connection context stack underflow!\n"));
 444                 smb_panic("Connection context stack underflow!\n");
 445         }
 446
 447         conn_ctx_stack_ndx--;
 448         ctx_p = &conn_ctx_stack[conn_ctx_stack_ndx];
 449
 450         current_user.conn = ctx_p->conn;
 451         current_user.vuid = ctx_p->vuid;
 452
 453         ctx_p->conn = NULL;
 454         ctx_p->vuid = UID_FIELD_INVALID;
 455 }
 456
 457 /****************************************************************************
 458  Temporarily become a root user.  Must match with unbecome_root(). Saves and
 459  restores the connection context.
 460 ****************************************************************************/
 461
 462 void become_root(void)
 463 {
 464          /*
 465           * no good way to handle push_sec_ctx() failing without changing
 466           * the prototype of become_root()
 467           */
 468         if (!push_sec_ctx()) {
 469                 smb_panic("become_root: push_sec_ctx failed");
 470         }
 471         push_conn_ctx();
 472         set_root_sec_ctx();
 473 }
 474
 475 /* Unbecome the root user */
 476
 477 void unbecome_root(void)
 478 {
 479         pop_sec_ctx();
 480         pop_conn_ctx();
 481 }
 482
 483 /****************************************************************************
 484  Push the current security context then force a change via change_to_user().
 485  Saves and restores the connection context.
 486 ****************************************************************************/
 487
 488 bool become_user(connection_struct *conn, uint16 vuid)
 489 {
 490         if (!push_sec_ctx())
 491                 return False;
 492
 493         push_conn_ctx();
 494
 495         if (!change_to_user(conn, vuid)) {
 496                 pop_sec_ctx();
 497                 pop_conn_ctx();
 498                 return False;
 499         }
 500
 501         return True;
 502 }
 503
 504 bool unbecome_user(void)
 505 {
 506         pop_sec_ctx();
 507         pop_conn_ctx();
 508         return True;
 509 }
 510
 511 /****************************************************************************
 512  Return the current user we are running effectively as on this connection.
 513  I'd like to make this return conn->server_info->utok.uid, but become_root()
 514  doesn't alter this value.
 515 ****************************************************************************/
 516
 517 uid_t get_current_uid(connection_struct *conn)
 518 {
 519         return current_user.ut.uid;
 520 }
 521
 522 /****************************************************************************
 523  Return the current group we are running effectively as on this connection.
 524  I'd like to make this return conn->server_info->utok.gid, but become_root()
 525  doesn't alter this value.
 526 ****************************************************************************/
 527
 528 gid_t get_current_gid(connection_struct *conn)
 529 {
 530         return current_user.ut.gid;
 531 }
 532
 533 /****************************************************************************
 534  Return the UNIX token we are running effectively as on this connection.
 535  I'd like to make this return &conn->server_info->utok, but become_root()
 536  doesn't alter this value.
 537 ****************************************************************************/
 538
 539 const UNIX_USER_TOKEN *get_current_utok(connection_struct *conn)
 540 {
 541         return &current_user.ut;
 542 }
 543
 544 const struct security_token *get_current_nttok(connection_struct *conn)
 545 {
 546         return current_user.nt_user_token;
 547 }
 548
 549 uint16_t get_current_vuid(connection_struct *conn)
 550 {
 551         return current_user.vuid;
 552 }