source3/smbd/uid.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3    uid/user handling
   4    Copyright (C) Andrew Tridgell 1992-1998
   5
   6    This program is free software; you can redistribute it and/or modify
   7    it under the terms of the GNU General Public License as published by
   8    the Free Software Foundation; either version 3 of the License, or
   9    (at your option) any later version.
  10
  11    This program is distributed in the hope that it will be useful,
  12    but WITHOUT ANY WARRANTY; without even the implied warranty of
  13    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14    GNU General Public License for more details.
  15
  16    You should have received a copy of the GNU General Public License
  17    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  18 */
  19
  20 #include "includes.h"
  21 #include "smbd/globals.h"
  22
  23 /* what user is current? */
  24 extern struct current_user current_user;
  25
  26 /****************************************************************************
  27  Become the guest user without changing the security context stack.
  28 ****************************************************************************/
  29
  30 bool change_to_guest(void)
  31 {
  32         struct passwd *pass;
  33
  34         pass = getpwnam_alloc(talloc_autofree_context(), lp_guestaccount());
  35         if (!pass) {
  36                 return false;
  37         }
  38
  39 #ifdef AIX
  40         /* MWW: From AIX FAQ patch to WU-ftpd: call initgroups before
  41            setting IDs */
  42         initgroups(pass->pw_name, pass->pw_gid);
  43 #endif
  44
  45         set_sec_ctx(pass->pw_uid, pass->pw_gid, 0, NULL, NULL);
  46
  47         current_user.conn = NULL;
  48         current_user.vuid = UID_FIELD_INVALID;
  49
  50         TALLOC_FREE(pass);
  51
  52         return true;
  53 }
  54
  55 /*******************************************************************
  56  Check if a username is OK.
  57
  58  This sets up conn->server_info with a copy related to this vuser that
  59  later code can then mess with.
  60 ********************************************************************/
  61
  62 static bool check_user_ok(connection_struct *conn,
  63                         uint16_t vuid,
  64                         const struct auth_serversupplied_info *server_info,
  65                         int snum)
  66 {
  67         bool valid_vuid = (vuid != UID_FIELD_INVALID);
  68         unsigned int i;
  69         bool readonly_share;
  70         bool admin_user;
  71
  72         if (valid_vuid) {
  73                 struct vuid_cache_entry *ent;
  74
  75                 for (i=0; i<VUID_CACHE_SIZE; i++) {
  76                         ent = &conn->vuid_cache.array[i];
  77                         if (ent->vuid == vuid) {
  78                                 conn->server_info = ent->server_info;
  79                                 conn->read_only = ent->read_only;
  80                                 conn->admin_user = ent->admin_user;
  81                                 return(True);
  82                         }
  83                 }
  84         }
  85
  86         if (!user_ok_token(server_info->unix_name,
  87                            pdb_get_domain(server_info->sam_account),
  88                            server_info->ptok, snum))
  89                 return(False);
  90
  91         readonly_share = is_share_read_only_for_token(
  92                 server_info->unix_name,
  93                 pdb_get_domain(server_info->sam_account),
  94                 server_info->ptok,
  95                 conn);
  96
  97         if (!readonly_share &&
  98             !share_access_check(server_info->ptok, lp_servicename(snum),
  99                                 FILE_WRITE_DATA)) {
 100                 /* smb.conf allows r/w, but the security descriptor denies
 101                  * write. Fall back to looking at readonly. */
 102                 readonly_share = True;
 103                 DEBUG(5,("falling back to read-only access-evaluation due to "
 104                          "security descriptor\n"));
 105         }
 106
 107         if (!share_access_check(server_info->ptok, lp_servicename(snum),
 108                                 readonly_share ?
 109                                 FILE_READ_DATA : FILE_WRITE_DATA)) {
 110                 return False;
 111         }
 112
 113         admin_user = token_contains_name_in_list(
 114                 server_info->unix_name,
 115                 pdb_get_domain(server_info->sam_account),
 116                 NULL, server_info->ptok, lp_admin_users(snum));
 117
 118         if (valid_vuid) {
 119                 struct vuid_cache_entry *ent =
 120                         &conn->vuid_cache.array[conn->vuid_cache.next_entry];
 121
 122                 conn->vuid_cache.next_entry =
 123                         (conn->vuid_cache.next_entry + 1) % VUID_CACHE_SIZE;
 124
 125                 TALLOC_FREE(ent->server_info);
 126
 127                 /*
 128                  * If force_user was set, all server_info's are based on the same
 129                  * username-based faked one.
 130                  */
 131
 132                 ent->server_info = copy_serverinfo(
 133                         conn, conn->force_user ? conn->server_info : server_info);
 134
 135                 if (ent->server_info == NULL) {
 136                         ent->vuid = UID_FIELD_INVALID;
 137                         return false;
 138                 }
 139
 140                 ent->vuid = vuid;
 141                 ent->read_only = readonly_share;
 142                 ent->admin_user = admin_user;
 143                 conn->server_info = ent->server_info;
 144         }
 145
 146         conn->read_only = readonly_share;
 147         conn->admin_user = admin_user;
 148
 149         return(True);
 150 }
 151
 152 /****************************************************************************
 153  Clear a vuid out of the connection's vuid cache
 154 ****************************************************************************/
 155
 156 void conn_clear_vuid_cache(connection_struct *conn, uint16_t vuid)
 157 {
 158         int i;
 159
 160         for (i=0; i<VUID_CACHE_SIZE; i++) {
 161                 struct vuid_cache_entry *ent;
 162
 163                 ent = &conn->vuid_cache.array[i];
 164
 165                 if (ent->vuid == vuid) {
 166                         ent->vuid = UID_FIELD_INVALID;
 167                         TALLOC_FREE(ent->server_info);
 168                         ent->read_only = False;
 169                         ent->admin_user = False;
 170                 }
 171         }
 172 }
 173
 174 /****************************************************************************
 175  Become the user of a connection number without changing the security context
 176  stack, but modify the current_user entries.
 177 ****************************************************************************/
 178
 179 bool change_to_user(connection_struct *conn, uint16 vuid)
 180 {
 181         const struct auth_serversupplied_info *server_info = NULL;
 182         user_struct *vuser = get_valid_user_struct(vuid);
 183         int snum;
 184         gid_t gid;
 185         uid_t uid;
 186         char group_c;
 187         int num_groups = 0;
 188         gid_t *group_list = NULL;
 189
 190         if (!conn) {
 191                 DEBUG(2,("change_to_user: Connection not open\n"));
 192                 return(False);
 193         }
 194
 195         /*
 196          * We need a separate check in security=share mode due to vuid
 197          * always being UID_FIELD_INVALID. If we don't do this then
 198          * in share mode security we are *always* changing uid's between
 199          * SMB's - this hurts performance - Badly.
 200          */
 201
 202         if((lp_security() == SEC_SHARE) && (current_user.conn == conn) &&
 203            (current_user.ut.uid == conn->server_info->utok.uid)) {
 204                 DEBUG(4,("change_to_user: Skipping user change - already "
 205                          "user\n"));
 206                 return(True);
 207         } else if ((current_user.conn == conn) &&
 208                    (vuser != NULL) && (current_user.vuid == vuid) &&
 209                    (current_user.ut.uid == vuser->server_info->utok.uid)) {
 210                 DEBUG(4,("change_to_user: Skipping user change - already "
 211                          "user\n"));
 212                 return(True);
 213         }
 214
 215         snum = SNUM(conn);
 216
 217         server_info = vuser ? vuser->server_info : conn->server_info;
 218
 219         if (!check_user_ok(conn, vuid, server_info, snum)) {
 220                 DEBUG(2,("change_to_user: SMB user %s (unix user %s, vuid %d) "
 221                          "not permitted access to share %s.\n",
 222                          server_info->sanitized_username,
 223                          server_info->unix_name, vuid,
 224                          lp_servicename(snum)));
 225                 return false;
 226         }
 227
 228         /*
 229          * conn->server_info is now correctly set up with a copy we can mess
 230          * with for force_group etc.
 231          */
 232
 233         if (conn->force_user) /* security = share sets this too */ {
 234                 uid = conn->server_info->utok.uid;
 235                 gid = conn->server_info->utok.gid;
 236                 group_list = conn->server_info->utok.groups;
 237                 num_groups = conn->server_info->utok.ngroups;
 238         } else if (vuser) {
 239                 uid = conn->admin_user ? 0 : vuser->server_info->utok.uid;
 240                 gid = conn->server_info->utok.gid;
 241                 num_groups = conn->server_info->utok.ngroups;
 242                 group_list  = conn->server_info->utok.groups;
 243         } else {
 244                 DEBUG(2,("change_to_user: Invalid vuid used %d in accessing "
 245                          "share %s.\n",vuid, lp_servicename(snum) ));
 246                 return False;
 247         }
 248
 249         /*
 250          * See if we should force group for this service.
 251          * If so this overrides any group set in the force
 252          * user code.
 253          */
 254
 255         if((group_c = *lp_force_group(snum))) {
 256
 257                 if(group_c == '+') {
 258
 259                         /*
 260                          * Only force group if the user is a member of
 261                          * the service group. Check the group memberships for
 262                          * this user (we already have this) to
 263                          * see if we should force the group.
 264                          */
 265
 266                         int i;
 267                         for (i = 0; i < num_groups; i++) {
 268                                 if (group_list[i]
 269                                     == conn->server_info->utok.gid) {
 270                                         gid = conn->server_info->utok.gid;
 271                                         gid_to_sid(&conn->server_info->ptok
 272                                                    ->user_sids[1], gid);
 273                                         break;
 274                                 }
 275                         }
 276                 } else {
 277                         gid = conn->server_info->utok.gid;
 278                         gid_to_sid(&conn->server_info->ptok->user_sids[1],
 279                                    gid);
 280                 }
 281         }
 282
 283         /* Now set current_user since we will immediately also call
 284            set_sec_ctx() */
 285
 286         current_user.ut.ngroups = num_groups;
 287         current_user.ut.groups  = group_list;
 288
 289         set_sec_ctx(uid, gid, current_user.ut.ngroups, current_user.ut.groups,
 290                     conn->server_info->ptok);
 291
 292         current_user.conn = conn;
 293         current_user.vuid = vuid;
 294
 295         DEBUG(5,("change_to_user uid=(%d,%d) gid=(%d,%d)\n",
 296                  (int)getuid(),(int)geteuid(),(int)getgid(),(int)getegid()));
 297
 298         return(True);
 299 }
 300
 301 /****************************************************************************
 302  Go back to being root without changing the security context stack,
 303  but modify the current_user entries.
 304 ****************************************************************************/
 305
 306 bool change_to_root_user(void)
 307 {
 308         set_root_sec_ctx();
 309
 310         DEBUG(5,("change_to_root_user: now uid=(%d,%d) gid=(%d,%d)\n",
 311                 (int)getuid(),(int)geteuid(),(int)getgid(),(int)getegid()));
 312
 313         current_user.conn = NULL;
 314         current_user.vuid = UID_FIELD_INVALID;
 315
 316         return(True);
 317 }
 318
 319 /****************************************************************************
 320  Become the user of an authenticated connected named pipe.
 321  When this is called we are currently running as the connection
 322  user. Doesn't modify current_user.
 323 ****************************************************************************/
 324
 325 bool become_authenticated_pipe_user(pipes_struct *p)
 326 {
 327         if (!push_sec_ctx())
 328                 return False;
 329
 330         set_sec_ctx(p->server_info->utok.uid, p->server_info->utok.gid,
 331                     p->server_info->utok.ngroups, p->server_info->utok.groups,
 332                     p->server_info->ptok);
 333
 334         return True;
 335 }
 336
 337 /****************************************************************************
 338  Unbecome the user of an authenticated connected named pipe.
 339  When this is called we are running as the authenticated pipe
 340  user and need to go back to being the connection user. Doesn't modify
 341  current_user.
 342 ****************************************************************************/
 343
 344 bool unbecome_authenticated_pipe_user(void)
 345 {
 346         return pop_sec_ctx();
 347 }
 348
 349 /****************************************************************************
 350  Utility functions used by become_xxx/unbecome_xxx.
 351 ****************************************************************************/
 352
 353 static void push_conn_ctx(void)
 354 {
 355         struct conn_ctx *ctx_p;
 356
 357         /* Check we don't overflow our stack */
 358
 359         if (conn_ctx_stack_ndx == MAX_SEC_CTX_DEPTH) {
 360                 DEBUG(0, ("Connection context stack overflow!\n"));
 361                 smb_panic("Connection context stack overflow!\n");
 362         }
 363
 364         /* Store previous user context */
 365         ctx_p = &conn_ctx_stack[conn_ctx_stack_ndx];
 366
 367         ctx_p->conn = current_user.conn;
 368         ctx_p->vuid = current_user.vuid;
 369
 370         DEBUG(3, ("push_conn_ctx(%u) : conn_ctx_stack_ndx = %d\n",
 371                 (unsigned int)ctx_p->vuid, conn_ctx_stack_ndx ));
 372
 373         conn_ctx_stack_ndx++;
 374 }
 375
 376 static void pop_conn_ctx(void)
 377 {
 378         struct conn_ctx *ctx_p;
 379
 380         /* Check for stack underflow. */
 381
 382         if (conn_ctx_stack_ndx == 0) {
 383                 DEBUG(0, ("Connection context stack underflow!\n"));
 384                 smb_panic("Connection context stack underflow!\n");
 385         }
 386
 387         conn_ctx_stack_ndx--;
 388         ctx_p = &conn_ctx_stack[conn_ctx_stack_ndx];
 389
 390         current_user.conn = ctx_p->conn;
 391         current_user.vuid = ctx_p->vuid;
 392
 393         ctx_p->conn = NULL;
 394         ctx_p->vuid = UID_FIELD_INVALID;
 395 }
 396
 397 /****************************************************************************
 398  Temporarily become a root user.  Must match with unbecome_root(). Saves and
 399  restores the connection context.
 400 ****************************************************************************/
 401
 402 void become_root(void)
 403 {
 404          /*
 405           * no good way to handle push_sec_ctx() failing without changing
 406           * the prototype of become_root()
 407           */
 408         if (!push_sec_ctx()) {
 409                 smb_panic("become_root: push_sec_ctx failed");
 410         }
 411         push_conn_ctx();
 412         set_root_sec_ctx();
 413 }
 414
 415 /* Unbecome the root user */
 416
 417 void unbecome_root(void)
 418 {
 419         pop_sec_ctx();
 420         pop_conn_ctx();
 421 }
 422
 423 /****************************************************************************
 424  Push the current security context then force a change via change_to_user().
 425  Saves and restores the connection context.
 426 ****************************************************************************/
 427
 428 bool become_user(connection_struct *conn, uint16 vuid)
 429 {
 430         if (!push_sec_ctx())
 431                 return False;
 432
 433         push_conn_ctx();
 434
 435         if (!change_to_user(conn, vuid)) {
 436                 pop_sec_ctx();
 437                 pop_conn_ctx();
 438                 return False;
 439         }
 440
 441         return True;
 442 }
 443
 444 bool unbecome_user(void)
 445 {
 446         pop_sec_ctx();
 447         pop_conn_ctx();
 448         return True;
 449 }