2 Unix SMB/CIFS implementation.
3 Check access based on valid users, read list and friends
4 Copyright (C) Volker Lendecke 2005
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 #include "smbd/smbd.h"
22 #include "smbd/globals.h"
23 #include "../libcli/security/security.h"
24 #include "passdb/lookup_sid.h"
28 * No prefix means direct username
29 * @name means netgroup first, then unix group
30 * &name means netgroup
31 * +name means unix group
32 * + and & may be combined
35 static bool do_group_checks(const char **name, const char **pattern)
37 if ((*name)[0] == '@') {
43 if (((*name)[0] == '+') && ((*name)[1] == '&')) {
49 if ((*name)[0] == '+') {
55 if (((*name)[0] == '&') && ((*name)[1] == '+')) {
61 if ((*name)[0] == '&') {
70 static bool token_contains_name(TALLOC_CTX *mem_ctx,
73 const char *sharename,
74 const struct security_token *token,
79 enum lsa_SidType type;
81 if (username != NULL) {
82 name = talloc_sub_basic(mem_ctx, username, domain, name);
84 if (sharename != NULL) {
85 name = talloc_string_sub(mem_ctx, name, "%S", sharename);
89 /* This is too security sensitive, better panic than return a
90 * result that might be interpreted in a wrong way. */
91 smb_panic("substitutions failed");
94 if ( string_to_sid( &sid, name ) ) {
95 DEBUG(5,("token_contains_name: Checking for SID [%s] in token\n", name));
96 return nt_token_check_sid( &sid, token );
99 if (!do_group_checks(&name, &prefix)) {
100 if (!lookup_name_smbconf(mem_ctx, name, LOOKUP_NAME_ALL,
101 NULL, NULL, &sid, &type)) {
102 DEBUG(5, ("lookup_name %s failed\n", name));
105 if (type != SID_NAME_USER) {
106 DEBUG(5, ("%s is a %s, expected a user\n",
107 name, sid_type_lookup(type)));
110 return nt_token_check_sid(&sid, token);
113 for (/* initialized above */ ; *prefix != '\0'; prefix++) {
114 if (*prefix == '+') {
115 if (!lookup_name_smbconf(mem_ctx, name,
116 LOOKUP_NAME_ALL|LOOKUP_NAME_GROUP,
117 NULL, NULL, &sid, &type)) {
118 DEBUG(5, ("lookup_name %s failed\n", name));
121 if ((type != SID_NAME_DOM_GRP) &&
122 (type != SID_NAME_ALIAS) &&
123 (type != SID_NAME_WKN_GRP)) {
124 DEBUG(5, ("%s is a %s, expected a group\n",
125 name, sid_type_lookup(type)));
128 if (nt_token_check_sid(&sid, token)) {
133 if (*prefix == '&') {
135 if (user_in_netgroup(mem_ctx, username, name)) {
141 smb_panic("got invalid prefix from do_groups_check");
147 * Check whether a user is contained in the list provided.
149 * Please note that the user name and share names passed in here mainly for
150 * the substitution routines that expand the parameter values, the decision
151 * whether a user is in the list is done after a lookup_name on the expanded
152 * parameter value, solely based on comparing the SIDs in token.
154 * The other use is the netgroup check when using @group or &group.
157 bool token_contains_name_in_list(const char *username,
159 const char *sharename,
160 const struct security_token *token,
166 while (*list != NULL) {
167 TALLOC_CTX *frame = talloc_stackframe();
170 ret = token_contains_name(frame, username, domain, sharename,
182 * Check whether the user described by "token" has access to share snum.
184 * This looks at "invalid users" and "valid users".
186 * Please note that the user name and share names passed in here mainly for
187 * the substitution routines that expand the parameter values, the decision
188 * whether a user is in the list is done after a lookup_name on the expanded
189 * parameter value, solely based on comparing the SIDs in token.
191 * The other use is the netgroup check when using @group or &group.
194 bool user_ok_token(const char *username, const char *domain,
195 const struct security_token *token, int snum)
197 if (lp_invalid_users(snum) != NULL) {
198 if (token_contains_name_in_list(username, domain,
199 lp_servicename(talloc_tos(), snum),
201 lp_invalid_users(snum))) {
202 DEBUG(10, ("User %s in 'invalid users'\n", username));
207 if (lp_valid_users(snum) != NULL) {
208 if (!token_contains_name_in_list(username, domain,
209 lp_servicename(talloc_tos(), snum),
211 lp_valid_users(snum))) {
212 DEBUG(10, ("User %s not in 'valid users'\n",
218 DEBUG(10, ("user_ok_token: share %s is ok for unix user %s\n",
219 lp_servicename(talloc_tos(), snum), username));
225 * Check whether the user described by "token" is restricted to read-only
226 * access on share snum.
228 * This looks at "read list", "write list" and "read only".
230 * Please note that the user name and share names passed in here mainly for
231 * the substitution routines that expand the parameter values, the decision
232 * whether a user is in the list is done after a lookup_name on the expanded
233 * parameter value, solely based on comparing the SIDs in token.
235 * The other use is the netgroup check when using @group or &group.
238 bool is_share_read_only_for_token(const char *username,
240 const struct security_token *token,
241 connection_struct *conn)
243 int snum = SNUM(conn);
244 bool result = conn->read_only;
246 if (lp_read_list(snum) != NULL) {
247 if (token_contains_name_in_list(username, domain,
248 lp_servicename(talloc_tos(), snum),
250 lp_read_list(snum))) {
255 if (lp_write_list(snum) != NULL) {
256 if (token_contains_name_in_list(username, domain,
257 lp_servicename(talloc_tos(), snum),
259 lp_write_list(snum))) {
264 DEBUG(10,("is_share_read_only_for_user: share %s is %s for unix user "
265 "%s\n", lp_servicename(talloc_tos(), snum),
266 result ? "read-only" : "read-write", username));
git.samba.org / vlendec / samba-autobuild / .git / blob