#include "libcli/wbclient/wbclient.h"
#define TEVENT_DEPRECATED
#include <tevent.h>
+#include "../lib/util/setid.h"
+
+NTSTATUS ntvfs_unixuid_init(TALLOC_CTX *);
struct unixuid_private {
- struct wbc_context *wbc_ctx;
- struct unix_sec_ctx *last_sec_ctx;
+ struct security_unix_token *last_sec_ctx;
struct security_token *last_token;
};
-
-struct unix_sec_ctx {
- uid_t uid;
- gid_t gid;
- uint_t ngroups;
- gid_t *groups;
-};
-
/*
- pull the current security context into a unix_sec_ctx
+ pull the current security context into a security_unix_token
*/
-static struct unix_sec_ctx *save_unix_security(TALLOC_CTX *mem_ctx)
+static struct security_unix_token *save_unix_security(TALLOC_CTX *mem_ctx)
{
- struct unix_sec_ctx *sec = talloc(mem_ctx, struct unix_sec_ctx);
+ struct security_unix_token *sec = talloc(mem_ctx, struct security_unix_token);
if (sec == NULL) {
return NULL;
}
}
/*
- set the current security context from a unix_sec_ctx
+ set the current security context from a security_unix_token
*/
-static NTSTATUS set_unix_security(struct unix_sec_ctx *sec)
+static NTSTATUS set_unix_security(struct security_unix_token *sec)
{
- seteuid(0);
+ samba_seteuid(0);
- if (setgroups(sec->ngroups, sec->groups) != 0) {
+ if (samba_setgroups(sec->ngroups, sec->groups) != 0) {
+ DBG_ERR("*** samba_setgroups failed\n");
return NT_STATUS_ACCESS_DENIED;
}
- if (setegid(sec->gid) != 0) {
+ if (samba_setegid(sec->gid) != 0) {
+ DBG_ERR("*** samba_setegid(%u) failed\n", sec->gid);
return NT_STATUS_ACCESS_DENIED;
}
- if (seteuid(sec->uid) != 0) {
+ if (samba_seteuid(sec->uid) != 0) {
+ DBG_ERR("*** samba_seteuid(%u) failed\n", sec->uid);
return NT_STATUS_ACCESS_DENIED;
}
return NT_STATUS_OK;
void *stack_ptr,
const char *location)
{
- struct unix_sec_ctx *sec_ctx;
+ struct security_unix_token *sec_ctx;
if (unixuid_nesting_level == 0) {
/* we don't need to do anything unless we are nested
DEBUG(0,("%s: Failed to save security context\n", location));
return -1;
}
- *(struct unix_sec_ctx **)stack_ptr = sec_ctx;
- if (seteuid(0) != 0 || setegid(0) != 0) {
+ *(struct security_unix_token **)stack_ptr = sec_ctx;
+ if (samba_seteuid(0) != 0 || samba_setegid(0) != 0) {
DEBUG(0,("%s: Failed to change to root\n", location));
return -1;
}
/* called when we come out of a nesting level */
NTSTATUS status;
- sec_ctx = *(struct unix_sec_ctx **)stack_ptr;
+ sec_ctx = *(struct security_unix_token **)stack_ptr;
if (sec_ctx == NULL) {
/* this happens the first time this function
is called, as we install the hook while
return 0;
}
- sec_ctx = talloc_get_type_abort(sec_ctx, struct unix_sec_ctx);
+ sec_ctx = talloc_get_type_abort(sec_ctx, struct security_unix_token);
status = set_unix_security(sec_ctx);
talloc_free(sec_ctx);
if (!NT_STATUS_IS_OK(status)) {
/*
- form a unix_sec_ctx from the current security_token
+ form a security_unix_token from the current security_token
*/
static NTSTATUS nt_token_to_unix_security(struct ntvfs_module_context *ntvfs,
struct ntvfs_request *req,
struct security_token *token,
- struct unix_sec_ctx **sec)
+ struct security_unix_token **sec)
{
- struct unixuid_private *priv = ntvfs->private_data;
- int i;
- NTSTATUS status;
- struct id_mapping *ids;
- struct composite_context *ctx;
- *sec = talloc(req, struct unix_sec_ctx);
-
- /* we can't do unix security without a user and group */
- if (token->num_sids < 2) {
- return NT_STATUS_ACCESS_DENIED;
- }
-
- ids = talloc_array(req, struct id_mapping, token->num_sids);
- NT_STATUS_HAVE_NO_MEMORY(ids);
-
- ids[0].unixid = NULL;
- ids[0].sid = token->user_sid;
- ids[0].status = NT_STATUS_NONE_MAPPED;
-
- ids[1].unixid = NULL;
- ids[1].sid = token->group_sid;
- ids[1].status = NT_STATUS_NONE_MAPPED;
-
- (*sec)->ngroups = token->num_sids - 2;
- (*sec)->groups = talloc_array(*sec, gid_t, (*sec)->ngroups);
- NT_STATUS_HAVE_NO_MEMORY((*sec)->groups);
-
- for (i=0;i<(*sec)->ngroups;i++) {
- ids[i+2].unixid = NULL;
- ids[i+2].sid = token->sids[i+2];
- ids[i+2].status = NT_STATUS_NONE_MAPPED;
- }
-
- ctx = wbc_sids_to_xids_send(priv->wbc_ctx, ids, token->num_sids, ids);
- NT_STATUS_HAVE_NO_MEMORY(ctx);
-
- status = wbc_sids_to_xids_recv(ctx, &ids);
- NT_STATUS_NOT_OK_RETURN(status);
-
- if (ids[0].unixid->type == ID_TYPE_BOTH ||
- ids[0].unixid->type == ID_TYPE_UID) {
- (*sec)->uid = ids[0].unixid->id;
- } else {
- return NT_STATUS_INVALID_SID;
- }
-
- if (ids[1].unixid->type == ID_TYPE_BOTH ||
- ids[1].unixid->type == ID_TYPE_GID) {
- (*sec)->gid = ids[1].unixid->id;
- } else {
- return NT_STATUS_INVALID_SID;
- }
-
- for (i=0;i<(*sec)->ngroups;i++) {
- if (ids[i+2].unixid->type == ID_TYPE_BOTH ||
- ids[i+2].unixid->type == ID_TYPE_GID) {
- (*sec)->groups[i] = ids[i+2].unixid->id;
- } else {
- return NT_STATUS_INVALID_SID;
- }
- }
-
- return NT_STATUS_OK;
+ return security_token_to_unix_token(req,
+ ntvfs->ctx->event_ctx,
+ token, sec);
}
/*
setup our unix security context according to the session authentication info
*/
static NTSTATUS unixuid_setup_security(struct ntvfs_module_context *ntvfs,
- struct ntvfs_request *req, struct unix_sec_ctx **sec)
+ struct ntvfs_request *req, struct security_unix_token **sec)
{
struct unixuid_private *priv = ntvfs->private_data;
struct security_token *token;
- struct unix_sec_ctx *newsec;
+ struct security_unix_token *newsec;
NTSTATUS status;
- if (req->session_info == NULL) {
+ /* If we are asked to set up, but have not had a successful
+ * session setup or tree connect, then these may not be filled
+ * in. ACCESS_DENIED is the right error code here */
+ if (req->session_info == NULL || priv == NULL) {
return NT_STATUS_ACCESS_DENIED;
}
*/
#define PASS_THRU_REQ(ntvfs, req, op, args) do { \
NTSTATUS status2; \
- struct unix_sec_ctx *sec; \
+ struct security_unix_token *sec; \
status = unixuid_setup_security(ntvfs, req, &sec); \
NT_STATUS_NOT_OK_RETURN(status); \
unixuid_nesting_level++; \
return NT_STATUS_NO_MEMORY;
}
- priv->wbc_ctx = wbc_init(priv, ntvfs->ctx->msg_ctx,
- ntvfs->ctx->event_ctx);
- if (priv->wbc_ctx == NULL) {
- talloc_free(priv);
- return NT_STATUS_INTERNAL_ERROR;
- }
-
priv->last_sec_ctx = NULL;
priv->last_token = NULL;
ntvfs->private_data = priv;
/*
initialise the unixuid backend, registering ourselves with the ntvfs subsystem
*/
-NTSTATUS ntvfs_unixuid_init(void)
+NTSTATUS ntvfs_unixuid_init(TALLOC_CTX *ctx)
{
NTSTATUS ret;
struct ntvfs_ops ops;
ZERO_STRUCT(ops);
/* fill in all the operations */
- ops.connect = unixuid_connect;
- ops.disconnect = unixuid_disconnect;
- ops.unlink = unixuid_unlink;
- ops.chkpath = unixuid_chkpath;
- ops.qpathinfo = unixuid_qpathinfo;
- ops.setpathinfo = unixuid_setpathinfo;
- ops.open = unixuid_open;
- ops.mkdir = unixuid_mkdir;
- ops.rmdir = unixuid_rmdir;
- ops.rename = unixuid_rename;
- ops.copy = unixuid_copy;
- ops.ioctl = unixuid_ioctl;
- ops.read = unixuid_read;
- ops.write = unixuid_write;
- ops.seek = unixuid_seek;
- ops.flush = unixuid_flush;
- ops.close = unixuid_close;
- ops.exit = unixuid_exit;
- ops.lock = unixuid_lock;
- ops.setfileinfo = unixuid_setfileinfo;
- ops.qfileinfo = unixuid_qfileinfo;
- ops.fsinfo = unixuid_fsinfo;
- ops.lpq = unixuid_lpq;
- ops.search_first = unixuid_search_first;
- ops.search_next = unixuid_search_next;
- ops.search_close = unixuid_search_close;
- ops.trans = unixuid_trans;
- ops.logoff = unixuid_logoff;
- ops.async_setup = unixuid_async_setup;
- ops.cancel = unixuid_cancel;
- ops.notify = unixuid_notify;
+ ops.connect_fn = unixuid_connect;
+ ops.disconnect_fn = unixuid_disconnect;
+ ops.unlink_fn = unixuid_unlink;
+ ops.chkpath_fn = unixuid_chkpath;
+ ops.qpathinfo_fn = unixuid_qpathinfo;
+ ops.setpathinfo_fn = unixuid_setpathinfo;
+ ops.open_fn = unixuid_open;
+ ops.mkdir_fn = unixuid_mkdir;
+ ops.rmdir_fn = unixuid_rmdir;
+ ops.rename_fn = unixuid_rename;
+ ops.copy_fn = unixuid_copy;
+ ops.ioctl_fn = unixuid_ioctl;
+ ops.read_fn = unixuid_read;
+ ops.write_fn = unixuid_write;
+ ops.seek_fn = unixuid_seek;
+ ops.flush_fn = unixuid_flush;
+ ops.close_fn = unixuid_close;
+ ops.exit_fn = unixuid_exit;
+ ops.lock_fn = unixuid_lock;
+ ops.setfileinfo_fn = unixuid_setfileinfo;
+ ops.qfileinfo_fn = unixuid_qfileinfo;
+ ops.fsinfo_fn = unixuid_fsinfo;
+ ops.lpq_fn = unixuid_lpq;
+ ops.search_first_fn = unixuid_search_first;
+ ops.search_next_fn = unixuid_search_next;
+ ops.search_close_fn = unixuid_search_close;
+ ops.trans_fn = unixuid_trans;
+ ops.logoff_fn = unixuid_logoff;
+ ops.async_setup_fn = unixuid_async_setup;
+ ops.cancel_fn = unixuid_cancel;
+ ops.notify_fn = unixuid_notify;
ops.name = "unixuid";