source3/smbd/uid.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3    uid/user handling
   4    Copyright (C) Andrew Tridgell 1992-1998
   5
   6    This program is free software; you can redistribute it and/or modify
   7    it under the terms of the GNU General Public License as published by
   8    the Free Software Foundation; either version 3 of the License, or
   9    (at your option) any later version.
  10
  11    This program is distributed in the hope that it will be useful,
  12    but WITHOUT ANY WARRANTY; without even the implied warranty of
  13    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14    GNU General Public License for more details.
  15
  16    You should have received a copy of the GNU General Public License
  17    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  18 */
  19
  20 #include "includes.h"
  21 #include "smbd/globals.h"
  22
  23 /* what user is current? */
  24 extern struct current_user current_user;
  25
  26 /****************************************************************************
  27  Become the guest user without changing the security context stack.
  28 ****************************************************************************/
  29
  30 bool change_to_guest(void)
  31 {
  32         struct passwd *pass;
  33
  34         pass = getpwnam_alloc(talloc_autofree_context(), lp_guestaccount());
  35         if (!pass) {
  36                 return false;
  37         }
  38
  39 #ifdef AIX
  40         /* MWW: From AIX FAQ patch to WU-ftpd: call initgroups before
  41            setting IDs */
  42         initgroups(pass->pw_name, pass->pw_gid);
  43 #endif
  44
  45         set_sec_ctx(pass->pw_uid, pass->pw_gid, 0, NULL, NULL);
  46
  47         current_user.conn = NULL;
  48         current_user.vuid = UID_FIELD_INVALID;
  49
  50         TALLOC_FREE(pass);
  51
  52         return true;
  53 }
  54
  55 /****************************************************************************
  56  talloc free the conn->server_info if not used in the vuid cache.
  57 ****************************************************************************/
  58
  59 static void free_conn_server_info_if_unused(connection_struct *conn)
  60 {
  61         unsigned int i;
  62
  63         for (i = 0; i < VUID_CACHE_SIZE; i++) {
  64                 struct vuid_cache_entry *ent;
  65                 ent = &conn->vuid_cache.array[i];
  66                 if (ent->vuid != UID_FIELD_INVALID &&
  67                                 conn->server_info == ent->server_info) {
  68                         return;
  69                 }
  70         }
  71         /* Not used, safe to free. */
  72         TALLOC_FREE(conn->server_info);
  73 }
  74
  75 /*******************************************************************
  76  Check if a username is OK.
  77
  78  This sets up conn->server_info with a copy related to this vuser that
  79  later code can then mess with.
  80 ********************************************************************/
  81
  82 static bool check_user_ok(connection_struct *conn,
  83                         uint16_t vuid,
  84                         const struct auth_serversupplied_info *server_info,
  85                         int snum)
  86 {
  87         bool valid_vuid = (vuid != UID_FIELD_INVALID);
  88         unsigned int i;
  89         bool readonly_share;
  90         bool admin_user;
  91
  92         if (valid_vuid) {
  93                 struct vuid_cache_entry *ent;
  94
  95                 for (i=0; i<VUID_CACHE_SIZE; i++) {
  96                         ent = &conn->vuid_cache.array[i];
  97                         if (ent->vuid == vuid) {
  98                                 free_conn_server_info_if_unused(conn);
  99                                 conn->server_info = ent->server_info;
 100                                 conn->read_only = ent->read_only;
 101                                 conn->admin_user = ent->admin_user;
 102                                 return(True);
 103                         }
 104                 }
 105         }
 106
 107         if (!user_ok_token(server_info->unix_name,
 108                            pdb_get_domain(server_info->sam_account),
 109                            server_info->ptok, snum))
 110                 return(False);
 111
 112         readonly_share = is_share_read_only_for_token(
 113                 server_info->unix_name,
 114                 pdb_get_domain(server_info->sam_account),
 115                 server_info->ptok,
 116                 conn);
 117
 118         if (!readonly_share &&
 119             !share_access_check(server_info->ptok, lp_servicename(snum),
 120                                 FILE_WRITE_DATA)) {
 121                 /* smb.conf allows r/w, but the security descriptor denies
 122                  * write. Fall back to looking at readonly. */
 123                 readonly_share = True;
 124                 DEBUG(5,("falling back to read-only access-evaluation due to "
 125                          "security descriptor\n"));
 126         }
 127
 128         if (!share_access_check(server_info->ptok, lp_servicename(snum),
 129                                 readonly_share ?
 130                                 FILE_READ_DATA : FILE_WRITE_DATA)) {
 131                 return False;
 132         }
 133
 134         admin_user = token_contains_name_in_list(
 135                 server_info->unix_name,
 136                 pdb_get_domain(server_info->sam_account),
 137                 NULL, server_info->ptok, lp_admin_users(snum));
 138
 139         if (valid_vuid) {
 140                 struct vuid_cache_entry *ent =
 141                         &conn->vuid_cache.array[conn->vuid_cache.next_entry];
 142
 143                 conn->vuid_cache.next_entry =
 144                         (conn->vuid_cache.next_entry + 1) % VUID_CACHE_SIZE;
 145
 146                 TALLOC_FREE(ent->server_info);
 147
 148                 /*
 149                  * If force_user was set, all server_info's are based on the same
 150                  * username-based faked one.
 151                  */
 152
 153                 ent->server_info = copy_serverinfo(
 154                         conn, conn->force_user ? conn->server_info : server_info);
 155
 156                 if (ent->server_info == NULL) {
 157                         ent->vuid = UID_FIELD_INVALID;
 158                         return false;
 159                 }
 160
 161                 ent->vuid = vuid;
 162                 ent->read_only = readonly_share;
 163                 ent->admin_user = admin_user;
 164                 free_conn_server_info_if_unused(conn);
 165                 conn->server_info = ent->server_info;
 166         }
 167
 168         conn->read_only = readonly_share;
 169         conn->admin_user = admin_user;
 170
 171         return(True);
 172 }
 173
 174 /****************************************************************************
 175  Clear a vuid out of the connection's vuid cache
 176  This is only called on SMBulogoff.
 177 ****************************************************************************/
 178
 179 void conn_clear_vuid_cache(connection_struct *conn, uint16_t vuid)
 180 {
 181         int i;
 182
 183         for (i=0; i<VUID_CACHE_SIZE; i++) {
 184                 struct vuid_cache_entry *ent;
 185
 186                 ent = &conn->vuid_cache.array[i];
 187
 188                 if (ent->vuid == vuid) {
 189                         ent->vuid = UID_FIELD_INVALID;
 190                         /*
 191                          * We need to keep conn->server_info around
 192                          * if it's equal to ent->server_info as a SMBulogoff
 193                          * is often followed by a SMBtdis (with an invalid
 194                          * vuid). The debug code (or regular code in
 195                          * vfs_full_audit) wants to refer to the
 196                          * conn->server_info pointer to print debug
 197                          * statements. Theoretically this is a bug,
 198                          * as once the vuid is gone the server_info
 199                          * on the conn struct isn't valid any more,
 200                          * but there's enough code that assumes
 201                          * conn->server_info is never null that
 202                          * it's easier to hold onto the old pointer
 203                          * until we get a new sessionsetupX.
 204                          * As everything is hung off the
 205                          * conn pointer as a talloc context we're not
 206                          * leaking memory here. See bug #6315. JRA.
 207                          */
 208                         if (conn->server_info == ent->server_info) {
 209                                 ent->server_info = NULL;
 210                         } else {
 211                                 TALLOC_FREE(ent->server_info);
 212                         }
 213                         ent->read_only = False;
 214                         ent->admin_user = False;
 215                 }
 216         }
 217 }
 218
 219 /****************************************************************************
 220  Become the user of a connection number without changing the security context
 221  stack, but modify the current_user entries.
 222 ****************************************************************************/
 223
 224 bool change_to_user(connection_struct *conn, uint16 vuid)
 225 {
 226         const struct auth_serversupplied_info *server_info = NULL;
 227         user_struct *vuser = get_valid_user_struct(vuid);
 228         int snum;
 229         gid_t gid;
 230         uid_t uid;
 231         char group_c;
 232         int num_groups = 0;
 233         gid_t *group_list = NULL;
 234
 235         if (!conn) {
 236                 DEBUG(2,("change_to_user: Connection not open\n"));
 237                 return(False);
 238         }
 239
 240         /*
 241          * We need a separate check in security=share mode due to vuid
 242          * always being UID_FIELD_INVALID. If we don't do this then
 243          * in share mode security we are *always* changing uid's between
 244          * SMB's - this hurts performance - Badly.
 245          */
 246
 247         if((lp_security() == SEC_SHARE) && (current_user.conn == conn) &&
 248            (current_user.ut.uid == conn->server_info->utok.uid)) {
 249                 DEBUG(4,("change_to_user: Skipping user change - already "
 250                          "user\n"));
 251                 return(True);
 252         } else if ((current_user.conn == conn) &&
 253                    (vuser != NULL) && (current_user.vuid == vuid) &&
 254                    (current_user.ut.uid == vuser->server_info->utok.uid)) {
 255                 DEBUG(4,("change_to_user: Skipping user change - already "
 256                          "user\n"));
 257                 return(True);
 258         }
 259
 260         snum = SNUM(conn);
 261
 262         server_info = vuser ? vuser->server_info : conn->server_info;
 263
 264         if (!server_info) {
 265                 /* Invalid vuid sent - even with security = share. */
 266                 DEBUG(2,("change_to_user: Invalid vuid %d used on "
 267                          "share %s.\n",vuid, lp_servicename(snum) ));
 268                 return false;
 269         }
 270
 271         if (!check_user_ok(conn, vuid, server_info, snum)) {
 272                 DEBUG(2,("change_to_user: SMB user %s (unix user %s, vuid %d) "
 273                          "not permitted access to share %s.\n",
 274                          server_info->sanitized_username,
 275                          server_info->unix_name, vuid,
 276                          lp_servicename(snum)));
 277                 return false;
 278         }
 279
 280         /*
 281          * conn->server_info is now correctly set up with a copy we can mess
 282          * with for force_group etc.
 283          */
 284
 285         if (conn->force_user) /* security = share sets this too */ {
 286                 uid = conn->server_info->utok.uid;
 287                 gid = conn->server_info->utok.gid;
 288                 group_list = conn->server_info->utok.groups;
 289                 num_groups = conn->server_info->utok.ngroups;
 290         } else if (vuser) {
 291                 uid = conn->admin_user ? 0 : vuser->server_info->utok.uid;
 292                 gid = conn->server_info->utok.gid;
 293                 num_groups = conn->server_info->utok.ngroups;
 294                 group_list  = conn->server_info->utok.groups;
 295         } else {
 296                 DEBUG(2,("change_to_user: Invalid vuid used %d in accessing "
 297                          "share %s.\n",vuid, lp_servicename(snum) ));
 298                 return False;
 299         }
 300
 301         /*
 302          * See if we should force group for this service.
 303          * If so this overrides any group set in the force
 304          * user code.
 305          */
 306
 307         if((group_c = *lp_force_group(snum))) {
 308
 309                 SMB_ASSERT(conn->force_group_gid != (gid_t)-1);
 310
 311                 if(group_c == '+') {
 312
 313                         /*
 314                          * Only force group if the user is a member of
 315                          * the service group. Check the group memberships for
 316                          * this user (we already have this) to
 317                          * see if we should force the group.
 318                          */
 319
 320                         int i;
 321                         for (i = 0; i < num_groups; i++) {
 322                                 if (group_list[i]
 323                                     == conn->force_group_gid) {
 324                                         conn->server_info->utok.gid =
 325                                                 conn->force_group_gid;
 326                                         gid = conn->force_group_gid;
 327                                         gid_to_sid(&conn->server_info->ptok
 328                                                    ->user_sids[1], gid);
 329                                         break;
 330                                 }
 331                         }
 332                 } else {
 333                         conn->server_info->utok.gid = conn->force_group_gid;
 334                         gid = conn->force_group_gid;
 335                         gid_to_sid(&conn->server_info->ptok->user_sids[1],
 336                                    gid);
 337                 }
 338         }
 339
 340         /* Now set current_user since we will immediately also call
 341            set_sec_ctx() */
 342
 343         current_user.ut.ngroups = num_groups;
 344         current_user.ut.groups  = group_list;
 345
 346         set_sec_ctx(uid, gid, current_user.ut.ngroups, current_user.ut.groups,
 347                     conn->server_info->ptok);
 348
 349         current_user.conn = conn;
 350         current_user.vuid = vuid;
 351
 352         DEBUG(5,("change_to_user uid=(%d,%d) gid=(%d,%d)\n",
 353                  (int)getuid(),(int)geteuid(),(int)getgid(),(int)getegid()));
 354
 355         return(True);
 356 }
 357
 358 /****************************************************************************
 359  Go back to being root without changing the security context stack,
 360  but modify the current_user entries.
 361 ****************************************************************************/
 362
 363 bool change_to_root_user(void)
 364 {
 365         set_root_sec_ctx();
 366
 367         DEBUG(5,("change_to_root_user: now uid=(%d,%d) gid=(%d,%d)\n",
 368                 (int)getuid(),(int)geteuid(),(int)getgid(),(int)getegid()));
 369
 370         current_user.conn = NULL;
 371         current_user.vuid = UID_FIELD_INVALID;
 372
 373         return(True);
 374 }
 375
 376 /****************************************************************************
 377  Become the user of an authenticated connected named pipe.
 378  When this is called we are currently running as the connection
 379  user. Doesn't modify current_user.
 380 ****************************************************************************/
 381
 382 bool become_authenticated_pipe_user(pipes_struct *p)
 383 {
 384         if (!push_sec_ctx())
 385                 return False;
 386
 387         set_sec_ctx(p->server_info->utok.uid, p->server_info->utok.gid,
 388                     p->server_info->utok.ngroups, p->server_info->utok.groups,
 389                     p->server_info->ptok);
 390
 391         return True;
 392 }
 393
 394 /****************************************************************************
 395  Unbecome the user of an authenticated connected named pipe.
 396  When this is called we are running as the authenticated pipe
 397  user and need to go back to being the connection user. Doesn't modify
 398  current_user.
 399 ****************************************************************************/
 400
 401 bool unbecome_authenticated_pipe_user(void)
 402 {
 403         return pop_sec_ctx();
 404 }
 405
 406 /****************************************************************************
 407  Utility functions used by become_xxx/unbecome_xxx.
 408 ****************************************************************************/
 409
 410 static void push_conn_ctx(void)
 411 {
 412         struct conn_ctx *ctx_p;
 413
 414         /* Check we don't overflow our stack */
 415
 416         if (conn_ctx_stack_ndx == MAX_SEC_CTX_DEPTH) {
 417                 DEBUG(0, ("Connection context stack overflow!\n"));
 418                 smb_panic("Connection context stack overflow!\n");
 419         }
 420
 421         /* Store previous user context */
 422         ctx_p = &conn_ctx_stack[conn_ctx_stack_ndx];
 423
 424         ctx_p->conn = current_user.conn;
 425         ctx_p->vuid = current_user.vuid;
 426
 427         DEBUG(3, ("push_conn_ctx(%u) : conn_ctx_stack_ndx = %d\n",
 428                 (unsigned int)ctx_p->vuid, conn_ctx_stack_ndx ));
 429
 430         conn_ctx_stack_ndx++;
 431 }
 432
 433 static void pop_conn_ctx(void)
 434 {
 435         struct conn_ctx *ctx_p;
 436
 437         /* Check for stack underflow. */
 438
 439         if (conn_ctx_stack_ndx == 0) {
 440                 DEBUG(0, ("Connection context stack underflow!\n"));
 441                 smb_panic("Connection context stack underflow!\n");
 442         }
 443
 444         conn_ctx_stack_ndx--;
 445         ctx_p = &conn_ctx_stack[conn_ctx_stack_ndx];
 446
 447         current_user.conn = ctx_p->conn;
 448         current_user.vuid = ctx_p->vuid;
 449
 450         ctx_p->conn = NULL;
 451         ctx_p->vuid = UID_FIELD_INVALID;
 452 }
 453
 454 /****************************************************************************
 455  Temporarily become a root user.  Must match with unbecome_root(). Saves and
 456  restores the connection context.
 457 ****************************************************************************/
 458
 459 void become_root(void)
 460 {
 461          /*
 462           * no good way to handle push_sec_ctx() failing without changing
 463           * the prototype of become_root()
 464           */
 465         if (!push_sec_ctx()) {
 466                 smb_panic("become_root: push_sec_ctx failed");
 467         }
 468         push_conn_ctx();
 469         set_root_sec_ctx();
 470 }
 471
 472 /* Unbecome the root user */
 473
 474 void unbecome_root(void)
 475 {
 476         pop_sec_ctx();
 477         pop_conn_ctx();
 478 }
 479
 480 /****************************************************************************
 481  Push the current security context then force a change via change_to_user().
 482  Saves and restores the connection context.
 483 ****************************************************************************/
 484
 485 bool become_user(connection_struct *conn, uint16 vuid)
 486 {
 487         if (!push_sec_ctx())
 488                 return False;
 489
 490         push_conn_ctx();
 491
 492         if (!change_to_user(conn, vuid)) {
 493                 pop_sec_ctx();
 494                 pop_conn_ctx();
 495                 return False;
 496         }
 497
 498         return True;
 499 }
 500
 501 bool unbecome_user(void)
 502 {
 503         pop_sec_ctx();
 504         pop_conn_ctx();
 505         return True;
 506 }