2 Unix SMB/CIFS implementation.
3 service (connection) opening and closing
4 Copyright (C) Andrew Tridgell 1992-1998
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program; if not, write to the Free Software
18 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
23 extern struct timeval smb_last_time;
24 extern userdom_struct current_user_info;
27 /****************************************************************************
28 Load parameters specific to a connection/service.
29 ****************************************************************************/
31 BOOL set_current_service(connection_struct *conn,BOOL do_chdir)
33 extern char magic_char;
34 static connection_struct *last_conn;
42 conn->lastused = smb_last_time.tv_sec;
47 vfs_ChDir(conn,conn->connectpath) != 0 &&
48 vfs_ChDir(conn,conn->origpath) != 0) {
49 DEBUG(0,("chdir (%s) failed\n",
54 if (conn == last_conn)
59 magic_char = lp_magicchar(snum);
63 /****************************************************************************
64 Add a home service. Returns the new service number or -1 if fail.
65 ****************************************************************************/
67 int add_home_service(const char *service, const char *username, const char *homedir)
71 if (!service || !homedir)
74 if ((iHomeService = lp_servicenumber(HOMES_NAME)) < 0)
78 * If this is a winbindd provided username, remove
79 * the domain component before adding the service.
80 * Log a warning if the "path=" parameter does not
85 const char *p = strchr(service,*lp_winbind_separator());
87 /* We only want the 'user' part of the string */
93 if (!lp_add_home(service, iHomeService, username, homedir)) {
97 return lp_servicenumber(service);
103 * Find a service entry.
105 * @param service is modified (to canonical form??)
108 int find_service(fstring service)
112 all_string_sub(service,"\\","/",0);
114 iService = lp_servicenumber(service);
116 /* now handle the special case of a home directory */
118 char *phome_dir = get_user_home_dir(service);
122 * Try mapping the servicename, it may
123 * be a Windows to unix mapped user name.
125 if(map_username(service))
126 phome_dir = get_user_home_dir(service);
129 DEBUG(3,("checking for home directory %s gave %s\n",service,
130 phome_dir?phome_dir:"(NULL)"));
132 iService = add_home_service(service,service /* 'username' */, phome_dir);
135 /* If we still don't have a service, attempt to add it as a printer. */
139 if ((iPrinterService = lp_servicenumber(PRINTERS_NAME)) >= 0) {
142 DEBUG(3,("checking whether %s is a valid printer name...\n", service));
143 pszTemp = lp_printcapname();
144 if ((pszTemp != NULL) && pcap_printername_ok(service, pszTemp)) {
145 DEBUG(3,("%s is a valid printer name\n", service));
146 DEBUG(3,("adding %s as a printer service\n", service));
147 lp_add_printer(service, iPrinterService);
148 iService = lp_servicenumber(service);
150 DEBUG(0,("failed to add %s as a printer service!\n", service));
153 DEBUG(3,("%s is not a valid printer name\n", service));
158 /* Check for default vfs service? Unsure whether to implement this */
162 /* just possibly it's a default service? */
164 char *pdefservice = lp_defaultservice();
165 if (pdefservice && *pdefservice && !strequal(pdefservice,service) && !strstr_m(service,"..")) {
167 * We need to do a local copy here as lp_defaultservice()
168 * returns one of the rotating lp_string buffers that
169 * could get overwritten by the recursive find_service() call
170 * below. Fix from Josef Hinteregger <joehtg@joehtg.co.at>.
173 pstrcpy(defservice, pdefservice);
174 iService = find_service(defservice);
176 all_string_sub(service, "_","/",0);
177 iService = lp_add_service(service, iService);
183 if (!VALID_SNUM(iService)) {
184 DEBUG(0,("Invalid snum %d for %s\n",iService, service));
190 DEBUG(3,("find_service() failed to find service %s\n", service));
196 /****************************************************************************
197 do some basic sainity checks on the share.
198 This function modifies dev, ecode.
199 ****************************************************************************/
201 static NTSTATUS share_sanity_checks(int snum, fstring dev)
204 if (!lp_snum_ok(snum) ||
205 !check_access(smbd_server_fd(),
206 lp_hostsallow(snum), lp_hostsdeny(snum))) {
207 return NT_STATUS_ACCESS_DENIED;
210 if (dev[0] == '?' || !dev[0]) {
211 if (lp_print_ok(snum)) {
212 fstrcpy(dev,"LPT1:");
213 } else if (strequal(lp_fstype(snum), "IPC")) {
222 if (lp_print_ok(snum)) {
223 if (!strequal(dev, "LPT1:")) {
224 return NT_STATUS_BAD_DEVICE_TYPE;
226 } else if (strequal(lp_fstype(snum), "IPC")) {
227 if (!strequal(dev, "IPC")) {
228 return NT_STATUS_BAD_DEVICE_TYPE;
230 } else if (!strequal(dev, "A:")) {
231 return NT_STATUS_BAD_DEVICE_TYPE;
234 /* Behave as a printer if we are supposed to */
235 if (lp_print_ok(snum) && (strcmp(dev, "A:") == 0)) {
236 fstrcpy(dev, "LPT1:");
242 /****************************************************************************
243 Make a connection, given the snum to connect to, and the vuser of the
244 connecting user if appropriate.
245 ****************************************************************************/
247 static connection_struct *make_connection_snum(int snum, user_struct *vuser,
249 const char *pdev, NTSTATUS *status)
251 struct passwd *pass = NULL;
253 connection_struct *conn;
261 if (NT_STATUS_IS_ERR(*status = share_sanity_checks(snum, dev))) {
267 DEBUG(0,("Couldn't find free connection.\n"));
268 *status = NT_STATUS_INSUFFICIENT_RESOURCES;
272 if (lp_guest_only(snum)) {
273 const char *guestname = lp_guestaccount();
275 pass = getpwnam_alloc(guestname);
277 DEBUG(0,("make_connection_snum: Invalid guest account %s??\n",guestname));
279 *status = NT_STATUS_NO_SUCH_USER;
282 fstrcpy(user,pass->pw_name);
283 conn->force_user = True;
284 conn->uid = pass->pw_uid;
285 conn->gid = pass->pw_gid;
286 string_set(&conn->user,pass->pw_name);
288 DEBUG(3,("Guest only user %s\n",user));
291 if (!lp_guest_ok(snum)) {
292 DEBUG(2, ("guest user (from session setup) not permitted to access this share (%s)\n", lp_servicename(snum)));
294 *status = NT_STATUS_ACCESS_DENIED;
298 if (!user_ok(vuser->user.unix_name, snum, vuser->groups, vuser->n_groups)) {
299 DEBUG(2, ("user '%s' (from session setup) not permitted to access this share (%s)\n", vuser->user.unix_name, lp_servicename(snum)));
301 *status = NT_STATUS_ACCESS_DENIED;
305 conn->vuid = vuser->vuid;
306 conn->uid = vuser->uid;
307 conn->gid = vuser->gid;
308 string_set(&conn->user,vuser->user.unix_name);
309 fstrcpy(user,vuser->user.unix_name);
310 guest = vuser->guest;
311 } else if (lp_security() == SEC_SHARE) {
312 /* add it as a possible user name if we
313 are in share mode security */
314 add_session_user(lp_servicename(snum));
315 /* shall we let them in? */
316 if (!authorise_login(snum,user,password,&guest)) {
317 DEBUG( 2, ( "Invalid username/password for [%s]\n",
318 lp_servicename(snum)) );
320 *status = NT_STATUS_WRONG_PASSWORD;
323 pass = Get_Pwnam(user);
324 conn->force_user = True;
325 conn->uid = pass->pw_uid;
326 conn->gid = pass->pw_gid;
327 string_set(&conn->user, pass->pw_name);
328 fstrcpy(user, pass->pw_name);
331 DEBUG(0, ("invalid VUID (vuser) but not in security=share\n"));
333 *status = NT_STATUS_ACCESS_DENIED;
337 add_session_user(user);
339 safe_strcpy(conn->client_address, client_addr(),
340 sizeof(conn->client_address)-1);
341 conn->num_files_open = 0;
342 conn->lastused = time(NULL);
343 conn->service = snum;
345 conn->printer = (strncmp(dev,"LPT",3) == 0);
346 conn->ipc = ((strncmp(dev,"IPC",3) == 0) || strequal(dev,"ADMIN$"));
349 /* Case options for the share. */
350 conn->case_sensitive = lp_casesensitive(snum);
351 conn->case_preserve = lp_preservecase(snum);
352 conn->short_case_preserve = lp_shortpreservecase(snum);
354 conn->veto_list = NULL;
355 conn->hide_list = NULL;
356 conn->veto_oplock_list = NULL;
357 string_set(&conn->dirpath,"");
358 string_set(&conn->user,user);
359 conn->nt_user_token = NULL;
361 conn->read_only = lp_readonly(conn->service);
362 conn->admin_user = False;
365 * If force user is true, then store the
366 * given userid and also the groups
367 * of the user we're forcing.
370 if (*lp_force_user(snum)) {
371 struct passwd *pass2;
373 pstrcpy(fuser,lp_force_user(snum));
375 /* Allow %S to be used by force user. */
376 pstring_sub(fuser,"%S",lp_servicename(snum));
378 pass2 = (struct passwd *)Get_Pwnam(fuser);
380 conn->uid = pass2->pw_uid;
381 conn->gid = pass2->pw_gid;
382 string_set(&conn->user,pass2->pw_name);
383 fstrcpy(user,pass2->pw_name);
384 conn->force_user = True;
385 DEBUG(3,("Forced user %s\n",user));
387 DEBUG(1,("Couldn't find user %s\n",fuser));
389 *status = NT_STATUS_NO_SUCH_USER;
396 * If force group is true, then override
397 * any groupid stored for the connecting user.
400 if (*lp_force_group(snum)) {
404 BOOL user_must_be_member = False;
406 pstrcpy(tmp_gname,lp_force_group(snum));
408 if (tmp_gname[0] == '+') {
409 user_must_be_member = True;
410 /* even now, tmp_gname is null terminated */
411 pstrcpy(gname,&tmp_gname[1]);
413 pstrcpy(gname,tmp_gname);
415 /* default service may be a group name */
416 pstring_sub(gname,"%S",lp_servicename(snum));
417 gid = nametogid(gname);
419 if (gid != (gid_t)-1) {
422 * If the user has been forced and the forced group starts
423 * with a '+', then we only set the group to be the forced
424 * group if the forced user is a member of that group.
425 * Otherwise, the meaning of the '+' would be ignored.
427 if (conn->force_user && user_must_be_member) {
428 if (user_in_group_list( user, gname, NULL, 0)) {
430 DEBUG(3,("Forced group %s for member %s\n",gname,user));
434 DEBUG(3,("Forced group %s\n",gname));
436 conn->force_group = True;
438 DEBUG(1,("Couldn't find group %s\n",gname));
440 *status = NT_STATUS_NO_SUCH_GROUP;
444 #endif /* HAVE_GETGRNAM */
448 pstrcpy(s,lp_pathname(snum));
449 standard_sub_conn(conn,s,sizeof(s));
450 string_set(&conn->connectpath,s);
451 DEBUG(3,("Connect path is '%s' for service [%s]\n",s, lp_servicename(snum)));
454 if (conn->force_user || conn->force_group) {
456 /* groups stuff added by ih */
460 /* Find all the groups this uid is in and
461 store them. Used by change_to_user() */
462 initialise_groups(conn->user, conn->uid, conn->gid);
463 get_current_groups(conn->gid, &conn->ngroups,&conn->groups);
465 conn->nt_user_token = create_nt_token(conn->uid, conn->gid,
466 conn->ngroups, conn->groups,
471 * New code to check if there's a share security descripter
472 * added from NT server manager. This is done after the
473 * smb.conf checks are done as we need a uid and token. JRA.
478 BOOL can_write = share_access_check(conn, snum, vuser, FILE_WRITE_DATA);
481 if (!share_access_check(conn, snum, vuser, FILE_READ_DATA)) {
482 /* No access, read or write. */
483 DEBUG(0,( "make_connection: connection to %s denied due to security descriptor.\n",
484 lp_servicename(snum)));
486 *status = NT_STATUS_ACCESS_DENIED;
489 conn->read_only = True;
493 /* Initialise VFS function pointers */
495 if (!smbd_vfs_init(conn)) {
496 DEBUG(0, ("vfs_init failed for service %s\n", lp_servicename(SNUM(conn))));
498 *status = NT_STATUS_BAD_NETWORK_NAME;
503 * If widelinks are disallowed we need to canonicalise the
504 * connect path here to ensure we don't have any symlinks in
505 * the connectpath. We will be checking all paths on this
506 * connection are below this directory. We must do this after
507 * the VFS init as we depend on the realpath() pointer in the vfs table. JRA.
509 if (!lp_widelinks(snum)) {
511 pstrcpy(s,conn->connectpath);
512 canonicalize_path(conn, s);
513 string_set(&conn->connectpath,s);
516 /* ROOT Activities: */
517 /* check number of connections */
518 if (!claim_connection(conn,
519 lp_servicename(SNUM(conn)),
520 lp_max_connections(SNUM(conn)),
522 DEBUG(1,("too many connections - rejected\n"));
524 *status = NT_STATUS_INSUFFICIENT_RESOURCES;
528 /* Preexecs are done here as they might make the dir we are to ChDir to below */
529 /* execute any "root preexec = " line */
530 if (*lp_rootpreexec(SNUM(conn))) {
533 pstrcpy(cmd,lp_rootpreexec(SNUM(conn)));
534 standard_sub_conn(conn,cmd,sizeof(cmd));
535 DEBUG(5,("cmd=%s\n",cmd));
536 ret = smbrun(cmd,NULL);
537 if (ret != 0 && lp_rootpreexec_close(SNUM(conn))) {
538 DEBUG(1,("root preexec gave %d - failing connection\n", ret));
539 yield_connection(conn, lp_servicename(SNUM(conn)));
541 *status = NT_STATUS_ACCESS_DENIED;
546 /* USER Activites: */
547 if (!change_to_user(conn, conn->vuid)) {
548 /* No point continuing if they fail the basic checks */
549 DEBUG(0,("Can't become connected user!\n"));
551 *status = NT_STATUS_LOGON_FAILURE;
555 /* Remember that a different vuid can connect later without these checks... */
557 /* Preexecs are done here as they might make the dir we are to ChDir to below */
558 /* execute any "preexec = " line */
559 if (*lp_preexec(SNUM(conn))) {
562 pstrcpy(cmd,lp_preexec(SNUM(conn)));
563 standard_sub_conn(conn,cmd,sizeof(cmd));
564 ret = smbrun(cmd,NULL);
565 if (ret != 0 && lp_preexec_close(SNUM(conn))) {
566 DEBUG(1,("preexec gave %d - failing connection\n", ret));
567 change_to_root_user();
568 yield_connection(conn, lp_servicename(SNUM(conn)));
570 *status = NT_STATUS_ACCESS_DENIED;
575 #ifdef WITH_FAKE_KASERVER
576 if (lp_afs_share(SNUM(conn))) {
581 #if CHECK_PATH_ON_TCONX
582 /* win2000 does not check the permissions on the directory
583 during the tree connect, instead relying on permission
584 check during individual operations. To match this behaviour
585 I have disabled this chdir check (tridge) */
586 if (vfs_ChDir(conn,conn->connectpath) != 0) {
587 DEBUG(0,("%s (%s) Can't change directory to %s (%s)\n",
588 get_remote_machine_name(), conn->client_address,
589 conn->connectpath,strerror(errno)));
590 change_to_root_user();
591 yield_connection(conn, lp_servicename(SNUM(conn)));
593 *status = NT_STATUS_BAD_NETWORK_NAME;
597 /* the alternative is just to check the directory exists */
598 if (stat(conn->connectpath, &st) != 0 || !S_ISDIR(st.st_mode)) {
599 DEBUG(0,("'%s' does not exist or is not a directory, when connecting to [%s]\n", conn->connectpath, lp_servicename(SNUM(conn))));
600 change_to_root_user();
601 yield_connection(conn, lp_servicename(SNUM(conn)));
603 *status = NT_STATUS_BAD_NETWORK_NAME;
608 string_set(&conn->origpath,conn->connectpath);
610 #if SOFTLINK_OPTIMISATION
611 /* resolve any soft links early if possible */
612 if (vfs_ChDir(conn,conn->connectpath) == 0) {
614 pstrcpy(s,conn->connectpath);
616 string_set(&conn->connectpath,s);
617 vfs_ChDir(conn,conn->connectpath);
622 * Print out the 'connected as' stuff here as we need
623 * to know the effective uid and gid we will be using
624 * (at least initially).
627 if( DEBUGLVL( IS_IPC(conn) ? 3 : 1 ) ) {
628 dbgtext( "%s (%s) ", get_remote_machine_name(), conn->client_address );
629 dbgtext( "%s", srv_is_signing_active() ? "signed " : "");
630 dbgtext( "connect to service %s ", lp_servicename(SNUM(conn)) );
631 dbgtext( "initially as user %s ", user );
632 dbgtext( "(uid=%d, gid=%d) ", (int)geteuid(), (int)getegid() );
633 dbgtext( "(pid %d)\n", (int)sys_getpid() );
636 /* Add veto/hide lists */
637 if (!IS_IPC(conn) && !IS_PRINT(conn)) {
638 set_namearray( &conn->veto_list, lp_veto_files(SNUM(conn)));
639 set_namearray( &conn->hide_list, lp_hide_files(SNUM(conn)));
640 set_namearray( &conn->veto_oplock_list, lp_veto_oplocks(SNUM(conn)));
643 /* Invoke VFS make connection hook */
645 if (SMB_VFS_CONNECT(conn, lp_servicename(snum), user) < 0) {
646 DEBUG(0,("make_connection: VFS make connection failed!\n"));
647 change_to_root_user();
649 *status = NT_STATUS_UNSUCCESSFUL;
653 /* we've finished with the user stuff - go back to root */
654 change_to_root_user();
659 /***************************************************************************************
660 Simple wrapper function for make_connection() to include a call to
662 **************************************************************************************/
664 connection_struct *make_connection_with_chdir(const char *service_in, DATA_BLOB password,
665 const char *dev, uint16 vuid, NTSTATUS *status)
667 connection_struct *conn = NULL;
669 conn = make_connection(service_in, password, dev, vuid, status);
672 * make_connection() does not change the directory for us any more
673 * so we have to do it as a separate step --jerry
676 if ( conn && vfs_ChDir(conn,conn->connectpath) != 0 ) {
677 DEBUG(0,("move_driver_to_download_area: Can't change directory to %s for [print$] (%s)\n",
678 conn->connectpath,strerror(errno)));
679 yield_connection(conn, lp_servicename(SNUM(conn)));
681 *status = NT_STATUS_UNSUCCESSFUL;
688 /****************************************************************************
689 Make a connection to a service.
692 ****************************************************************************/
694 connection_struct *make_connection(const char *service_in, DATA_BLOB password,
695 const char *pdev, uint16 vuid, NTSTATUS *status)
698 user_struct *vuser = NULL;
705 /* This must ONLY BE CALLED AS ROOT. As it exits this function as root. */
706 if (!non_root_mode() && (euid = geteuid()) != 0) {
707 DEBUG(0,("make_connection: PANIC ERROR. Called as nonroot (%u)\n", (unsigned int)euid ));
708 smb_panic("make_connection: PANIC ERROR. Called as nonroot\n");
711 if(lp_security() != SEC_SHARE) {
712 vuser = get_valid_user_struct(vuid);
714 DEBUG(1,("make_connection: refusing to connect with no session setup\n"));
715 *status = NT_STATUS_ACCESS_DENIED;
720 /* Logic to try and connect to the correct [homes] share, preferably without too many
721 getpwnam() lookups. This is particulary nasty for winbind usernames, where the
722 share name isn't the same as unix username.
724 The snum of the homes share is stored on the vuser at session setup time.
727 if (strequal(service_in,HOMES_NAME)) {
728 if(lp_security() != SEC_SHARE) {
729 DATA_BLOB no_pw = data_blob(NULL, 0);
730 if (vuser->homes_snum == -1) {
731 DEBUG(2, ("[homes] share not available for this user because it was not found or created at session setup time\n"));
732 *status = NT_STATUS_BAD_NETWORK_NAME;
735 DEBUG(5, ("making a connection to [homes] service created at session setup time\n"));
736 return make_connection_snum(vuser->homes_snum,
740 /* Security = share. Try with current_user_info.smb_name
741 * as the username. */
742 if (*current_user_info.smb_name) {
743 fstring unix_username;
744 fstrcpy(unix_username,
745 current_user_info.smb_name);
746 map_username(unix_username);
747 snum = find_service(unix_username);
750 DEBUG(5, ("making a connection to 'homes' service %s based on security=share\n", service_in));
751 return make_connection_snum(snum, NULL,
756 } else if ((lp_security() != SEC_SHARE) && (vuser->homes_snum != -1)
757 && strequal(service_in, lp_servicename(vuser->homes_snum))) {
758 DATA_BLOB no_pw = data_blob(NULL, 0);
759 DEBUG(5, ("making a connection to 'homes' service [%s] created at session setup time\n", service_in));
760 return make_connection_snum(vuser->homes_snum,
765 fstrcpy(service, service_in);
769 snum = find_service(service);
772 if (strequal(service,"IPC$") || strequal(service,"ADMIN$")) {
773 DEBUG(3,("refusing IPC connection to %s\n", service));
774 *status = NT_STATUS_ACCESS_DENIED;
778 DEBUG(0,("%s (%s) couldn't find service %s\n",
779 get_remote_machine_name(), client_addr(), service));
780 *status = NT_STATUS_BAD_NETWORK_NAME;
784 /* Handle non-Dfs clients attempting connections to msdfs proxy */
785 if (lp_host_msdfs() && (*lp_msdfs_proxy(snum) != '\0')) {
786 DEBUG(3, ("refusing connection to dfs proxy '%s'\n", service));
787 *status = NT_STATUS_BAD_NETWORK_NAME;
791 DEBUG(5, ("making a connection to 'normal' service %s\n", service));
793 return make_connection_snum(snum, vuser,
798 /****************************************************************************
800 ****************************************************************************/
801 void close_cnum(connection_struct *conn, uint16 vuid)
803 DirCacheFlush(SNUM(conn));
805 file_close_conn(conn);
806 dptr_closecnum(conn);
808 change_to_root_user();
810 DEBUG(IS_IPC(conn)?3:1, ("%s (%s) closed connection to service %s\n",
811 get_remote_machine_name(),conn->client_address,
812 lp_servicename(SNUM(conn))));
814 /* Call VFS disconnect hook */
815 SMB_VFS_DISCONNECT(conn);
817 yield_connection(conn, lp_servicename(SNUM(conn)));
819 /* make sure we leave the directory available for unmount */
820 vfs_ChDir(conn, "/");
822 /* execute any "postexec = " line */
823 if (*lp_postexec(SNUM(conn)) &&
824 change_to_user(conn, vuid)) {
826 pstrcpy(cmd,lp_postexec(SNUM(conn)));
827 standard_sub_conn(conn,cmd,sizeof(cmd));
829 change_to_root_user();
832 change_to_root_user();
833 /* execute any "root postexec = " line */
834 if (*lp_rootpostexec(SNUM(conn))) {
836 pstrcpy(cmd,lp_rootpostexec(SNUM(conn)));
837 standard_sub_conn(conn,cmd,sizeof(cmd));
844 /****************************************************************************
845 Remove stale printers
846 ****************************************************************************/
848 void remove_stale_printers( void )
850 int snum, iNumServices, printersServiceNum;
853 iNumServices = lp_numservices();
854 printersServiceNum = lp_servicenumber( PRINTERS_NAME);
855 for( snum = 0; snum < iNumServices; snum++) {
856 /* Never remove PRINTERS_NAME */
857 if ( snum == printersServiceNum)
859 pname = lp_printername( snum);
860 /* Is snum a print service and still in the printing subsystem? */
861 if ( lp_print_ok( snum) && !pcap_printername_ok( pname, NULL)) {
862 DEBUG( 3, ( "Removing printer: %s\n", pname));
863 lp_killservice( snum);
git.samba.org / sfrench / samba-autobuild / .git / blob