search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
nfs4acls: Use talloc_realloc()
[Samba.git] / source3 / smbd / uid.c
blob6eb53920abf107946060a329796c251b57a04ab4
1 /*
2 Unix SMB/CIFS implementation.
3 uid/user handling
4 Copyright (C) Andrew Tridgell 1992-1998
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
18 */
19
20 #include "includes.h"
21 #include "system/passwd.h"
22 #include "smbd/smbd.h"
23 #include "smbd/globals.h"
24 #include "../librpc/gen_ndr/netlogon.h"
25 #include "libcli/security/security.h"
26 #include "passdb/lookup_sid.h"
27 #include "auth.h"
28
29 /* what user is current? */
30 extern struct current_user current_user;
31
32 /****************************************************************************
33 Become the guest user without changing the security context stack.
34 ****************************************************************************/
35
36 bool change_to_guest(void)
37 {
38 struct passwd *pass;
39
40 pass = Get_Pwnam_alloc(talloc_tos(), lp_guest_account());
41 if (!pass) {
42 return false;
43 }
44
45 #ifdef AIX
46 /* MWW: From AIX FAQ patch to WU-ftpd: call initgroups before
47 setting IDs */
48 initgroups(pass->pw_name, pass->pw_gid);
49 #endif
50
51 set_sec_ctx(pass->pw_uid, pass->pw_gid, 0, NULL, NULL);
52
53 current_user.conn = NULL;
54 current_user.vuid = UID_FIELD_INVALID;
55
56 TALLOC_FREE(pass);
57
58 return true;
59 }
60
61 /****************************************************************************
62 talloc free the conn->session_info if not used in the vuid cache.
63 ****************************************************************************/
64
65 static void free_conn_session_info_if_unused(connection_struct *conn)
66 {
67 unsigned int i;
68
69 for (i = 0; i < VUID_CACHE_SIZE; i++) {
70 struct vuid_cache_entry *ent;
71 ent = &conn->vuid_cache->array[i];
72 if (ent->vuid != UID_FIELD_INVALID &&
73 conn->session_info == ent->session_info) {
74 return;
75 }
76 }
77 /* Not used, safe to free. */
78 TALLOC_FREE(conn->session_info);
79 }
80
81 /****************************************************************************
82 Setup the share access mask for a connection.
83 ****************************************************************************/
84
85 static uint32_t create_share_access_mask(int snum,
86 bool readonly_share,
87 const struct security_token *token)
88 {
89 uint32_t share_access = 0;
90
91 share_access_check(token,
92 lp_servicename(talloc_tos(), snum),
93 MAXIMUM_ALLOWED_ACCESS,
94 &share_access);
95
96 if (readonly_share) {
97 share_access &=
98 ~(SEC_FILE_WRITE_DATA | SEC_FILE_APPEND_DATA |
99 SEC_FILE_WRITE_EA | SEC_FILE_WRITE_ATTRIBUTE |
100 SEC_DIR_DELETE_CHILD );
101 }
102
103 if (security_token_has_privilege(token, SEC_PRIV_SECURITY)) {
104 share_access |= SEC_FLAG_SYSTEM_SECURITY;
105 }
106 if (security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
107 share_access |= SEC_RIGHTS_PRIV_RESTORE;
108 }
109 if (security_token_has_privilege(token, SEC_PRIV_BACKUP)) {
110 share_access |= SEC_RIGHTS_PRIV_BACKUP;
111 }
112 if (security_token_has_privilege(token, SEC_PRIV_TAKE_OWNERSHIP)) {
113 share_access |= SEC_STD_WRITE_OWNER;
114 }
115
116 return share_access;
117 }
118
119 /*******************************************************************
120 Calculate access mask and if this user can access this share.
121 ********************************************************************/
122
123 NTSTATUS check_user_share_access(connection_struct *conn,
124 const struct auth_session_info *session_info,
125 uint32_t *p_share_access,
126 bool *p_readonly_share)
127 {
128 int snum = SNUM(conn);
129 uint32_t share_access = 0;
130 bool readonly_share = false;
131
132 if (!user_ok_token(session_info->unix_info->unix_name,
133 session_info->info->domain_name,
134 session_info->security_token, snum)) {
135 return NT_STATUS_ACCESS_DENIED;
136 }
137
138 readonly_share = is_share_read_only_for_token(
139 session_info->unix_info->unix_name,
140 session_info->info->domain_name,
141 session_info->security_token,
142 conn);
143
144 share_access = create_share_access_mask(snum,
145 readonly_share,
146 session_info->security_token);
147
148 if ((share_access & (FILE_READ_DATA|FILE_WRITE_DATA)) == 0) {
149 /* No access, read or write. */
150 DEBUG(3,("user %s connection to %s denied due to share "
151 "security descriptor.\n",
152 session_info->unix_info->unix_name,
153 lp_servicename(talloc_tos(), snum)));
154 return NT_STATUS_ACCESS_DENIED;
155 }
156
157 if (!readonly_share &&
158 !(share_access & FILE_WRITE_DATA)) {
159 /* smb.conf allows r/w, but the security descriptor denies
160 * write. Fall back to looking at readonly. */
161 readonly_share = True;
162 DEBUG(5,("falling back to read-only access-evaluation due to "
163 "security descriptor\n"));
164 }
165
166 *p_share_access = share_access;
167 *p_readonly_share = readonly_share;
168
169 return NT_STATUS_OK;
170 }
171
172 /*******************************************************************
173 Check if a username is OK.
174
175 This sets up conn->session_info with a copy related to this vuser that
176 later code can then mess with.
177 ********************************************************************/
178
179 static bool check_user_ok(connection_struct *conn,
180 uint64_t vuid,
181 const struct auth_session_info *session_info,
182 int snum)
183 {
184 unsigned int i;
185 bool readonly_share = false;
186 bool admin_user = false;
187 struct vuid_cache_entry *ent = NULL;
188 uint32_t share_access = 0;
189 NTSTATUS status;
190
191 for (i=0; i<VUID_CACHE_SIZE; i++) {
192 ent = &conn->vuid_cache->array[i];
193 if (ent->vuid == vuid) {
194 if (vuid == UID_FIELD_INVALID) {
195 /*
196 * Slow path, we don't care
197 * about the array traversal.
198 */
199 continue;
200 }
201 free_conn_session_info_if_unused(conn);
202 conn->session_info = ent->session_info;
203 conn->read_only = ent->read_only;
204 conn->share_access = ent->share_access;
205 return(True);
206 }
207 }
208
209 status = check_user_share_access(conn,
210 session_info,
211 &share_access,
212 &readonly_share);
213 if (!NT_STATUS_IS_OK(status)) {
214 return false;
215 }
216
217 admin_user = token_contains_name_in_list(
218 session_info->unix_info->unix_name,
219 session_info->info->domain_name,
220 NULL, session_info->security_token, lp_admin_users(snum));
221
222 ent = &conn->vuid_cache->array[conn->vuid_cache->next_entry];
223
224 conn->vuid_cache->next_entry =
225 (conn->vuid_cache->next_entry + 1) % VUID_CACHE_SIZE;
226
227 TALLOC_FREE(ent->session_info);
228
229 /*
230 * If force_user was set, all session_info's are based on the same
231 * username-based faked one.
232 */
233
234 ent->session_info = copy_session_info(
235 conn, conn->force_user ? conn->session_info : session_info);
236
237 if (ent->session_info == NULL) {
238 ent->vuid = UID_FIELD_INVALID;
239 return false;
240 }
241
242 /*
243 * It's actually OK to call check_user_ok() with
244 * vuid == UID_FIELD_INVALID as called from change_to_user_by_session().
245 * All this will do is throw away one entry in the cache.
246 */
247
248 ent->vuid = vuid;
249 ent->read_only = readonly_share;
250 ent->share_access = share_access;
251 free_conn_session_info_if_unused(conn);
252 conn->session_info = ent->session_info;
253 if (vuid == UID_FIELD_INVALID) {
254 /*
255 * Not strictly needed, just make it really
256 * clear this entry is actually an unused one.
257 */
258 ent->read_only = false;
259 ent->share_access = 0;
260 ent->session_info = NULL;
261 }
262
263 conn->read_only = readonly_share;
264 conn->share_access = share_access;
265
266 if (admin_user) {
267 DEBUG(2,("check_user_ok: user %s is an admin user. "
268 "Setting uid as %d\n",
269 conn->session_info->unix_info->unix_name,
270 sec_initial_uid() ));
271 conn->session_info->unix_token->uid = sec_initial_uid();
272 }
273
274 return(True);
275 }
276
277 /****************************************************************************
278 Become the user of a connection number without changing the security context
279 stack, but modify the current_user entries.
280 ****************************************************************************/
281
282 static bool change_to_user_internal(connection_struct *conn,
283 const struct auth_session_info *session_info,
284 uint64_t vuid)
285 {
286 int snum;
287 gid_t gid;
288 uid_t uid;
289 char group_c;
290 int num_groups = 0;
291 gid_t *group_list = NULL;
292 bool ok;
293
294 snum = SNUM(conn);
295
296 ok = check_user_ok(conn, vuid, session_info, snum);
297 if (!ok) {
298 DEBUG(2,("SMB user %s (unix user %s) "
299 "not permitted access to share %s.\n",
300 session_info->unix_info->sanitized_username,
301 session_info->unix_info->unix_name,
302 lp_servicename(talloc_tos(), snum)));
303 return false;
304 }
305
306 uid = conn->session_info->unix_token->uid;
307 gid = conn->session_info->unix_token->gid;
308 num_groups = conn->session_info->unix_token->ngroups;
309 group_list = conn->session_info->unix_token->groups;
310
311 /*
312 * See if we should force group for this service. If so this overrides
313 * any group set in the force user code.
314 */
315 if((group_c = *lp_force_group(talloc_tos(), snum))) {
316
317 SMB_ASSERT(conn->force_group_gid != (gid_t)-1);
318
319 if (group_c == '+') {
320 int i;
321
322 /*
323 * Only force group if the user is a member of the
324 * service group. Check the group memberships for this
325 * user (we already have this) to see if we should force
326 * the group.
327 */
328 for (i = 0; i < num_groups; i++) {
329 if (group_list[i] == conn->force_group_gid) {
330 conn->session_info->unix_token->gid =
331 conn->force_group_gid;
332 gid = conn->force_group_gid;
333 gid_to_sid(&conn->session_info->security_token
334 ->sids[1], gid);
335 break;
336 }
337 }
338 } else {
339 conn->session_info->unix_token->gid = conn->force_group_gid;
340 gid = conn->force_group_gid;
341 gid_to_sid(&conn->session_info->security_token->sids[1],
342 gid);
343 }
344 }
345
346 /*Set current_user since we will immediately also call set_sec_ctx() */
347 current_user.ut.ngroups = num_groups;
348 current_user.ut.groups = group_list;
349
350 set_sec_ctx(uid,
351 gid,
352 current_user.ut.ngroups,
353 current_user.ut.groups,
354 conn->session_info->security_token);
355
356 current_user.conn = conn;
357 current_user.vuid = vuid;
358
359 DEBUG(5, ("Impersonated user: uid=(%d,%d), gid=(%d,%d)\n",
360 (int)getuid(),
361 (int)geteuid(),
362 (int)getgid(),
363 (int)getegid()));
364
365 return true;
366 }
367
368 bool change_to_user(connection_struct *conn, uint64_t vuid)
369 {
370 struct user_struct *vuser;
371 int snum = SNUM(conn);
372
373 if (!conn) {
374 DEBUG(2,("Connection not open\n"));
375 return(False);
376 }
377
378 vuser = get_valid_user_struct(conn->sconn, vuid);
379
380 if ((current_user.conn == conn) &&
381 (vuser != NULL) && (current_user.vuid == vuid) &&
382 (current_user.ut.uid == vuser->session_info->unix_token->uid)) {
383 DEBUG(4,("Skipping user change - already "
384 "user\n"));
385 return(True);
386 }
387
388 if (vuser == NULL) {
389 /* Invalid vuid sent */
390 DEBUG(2,("Invalid vuid %llu used on share %s.\n",
391 (unsigned long long)vuid, lp_servicename(talloc_tos(),
392 snum)));
393 return false;
394 }
395
396 return change_to_user_internal(conn, vuser->session_info, vuid);
397 }
398
399 static bool change_to_user_by_session(connection_struct *conn,
400 const struct auth_session_info *session_info)
401 {
402 SMB_ASSERT(conn != NULL);
403 SMB_ASSERT(session_info != NULL);
404
405 if ((current_user.conn == conn) &&
406 (current_user.ut.uid == session_info->unix_token->uid)) {
407 DEBUG(7, ("Skipping user change - already user\n"));
408
409 return true;
410 }
411
412 return change_to_user_internal(conn, session_info, UID_FIELD_INVALID);
413 }
414
415 /****************************************************************************
416 Go back to being root without changing the security context stack,
417 but modify the current_user entries.
418 ****************************************************************************/
419
420 bool smbd_change_to_root_user(void)
421 {
422 set_root_sec_ctx();
423
424 DEBUG(5,("change_to_root_user: now uid=(%d,%d) gid=(%d,%d)\n",
425 (int)getuid(),(int)geteuid(),(int)getgid(),(int)getegid()));
426
427 current_user.conn = NULL;
428 current_user.vuid = UID_FIELD_INVALID;
429
430 return(True);
431 }
432
433 /****************************************************************************
434 Become the user of an authenticated connected named pipe.
435 When this is called we are currently running as the connection
436 user. Doesn't modify current_user.
437 ****************************************************************************/
438
439 bool smbd_become_authenticated_pipe_user(struct auth_session_info *session_info)
440 {
441 if (!push_sec_ctx())
442 return False;
443
444 set_sec_ctx(session_info->unix_token->uid, session_info->unix_token->gid,
445 session_info->unix_token->ngroups, session_info->unix_token->groups,
446 session_info->security_token);
447
448 DEBUG(5, ("Impersonated user: uid=(%d,%d), gid=(%d,%d)\n",
449 (int)getuid(),
450 (int)geteuid(),
451 (int)getgid(),
452 (int)getegid()));
453
454 return True;
455 }
456
457 /****************************************************************************
458 Unbecome the user of an authenticated connected named pipe.
459 When this is called we are running as the authenticated pipe
460 user and need to go back to being the connection user. Doesn't modify
461 current_user.
462 ****************************************************************************/
463
464 bool smbd_unbecome_authenticated_pipe_user(void)
465 {
466 return pop_sec_ctx();
467 }
468
469 /****************************************************************************
470 Utility functions used by become_xxx/unbecome_xxx.
471 ****************************************************************************/
472
473 static void push_conn_ctx(void)
474 {
475 struct conn_ctx *ctx_p;
476
477 /* Check we don't overflow our stack */
478
479 if (conn_ctx_stack_ndx == MAX_SEC_CTX_DEPTH) {
480 DEBUG(0, ("Connection context stack overflow!\n"));
481 smb_panic("Connection context stack overflow!\n");
482 }
483
484 /* Store previous user context */
485 ctx_p = &conn_ctx_stack[conn_ctx_stack_ndx];
486
487 ctx_p->conn = current_user.conn;
488 ctx_p->vuid = current_user.vuid;
489
490 DEBUG(4, ("push_conn_ctx(%llu) : conn_ctx_stack_ndx = %d\n",
491 (unsigned long long)ctx_p->vuid, conn_ctx_stack_ndx));
492
493 conn_ctx_stack_ndx++;
494 }
495
496 static void pop_conn_ctx(void)
497 {
498 struct conn_ctx *ctx_p;
499
500 /* Check for stack underflow. */
501
502 if (conn_ctx_stack_ndx == 0) {
503 DEBUG(0, ("Connection context stack underflow!\n"));
504 smb_panic("Connection context stack underflow!\n");
505 }
506
507 conn_ctx_stack_ndx--;
508 ctx_p = &conn_ctx_stack[conn_ctx_stack_ndx];
509
510 current_user.conn = ctx_p->conn;
511 current_user.vuid = ctx_p->vuid;
512
513 ctx_p->conn = NULL;
514 ctx_p->vuid = UID_FIELD_INVALID;
515 }
516
517 /****************************************************************************
518 Temporarily become a root user. Must match with unbecome_root(). Saves and
519 restores the connection context.
520 ****************************************************************************/
521
522 void smbd_become_root(void)
523 {
524 /*
525 * no good way to handle push_sec_ctx() failing without changing
526 * the prototype of become_root()
527 */
528 if (!push_sec_ctx()) {
529 smb_panic("become_root: push_sec_ctx failed");
530 }
531 push_conn_ctx();
532 set_root_sec_ctx();
533 }
534
535 /* Unbecome the root user */
536
537 void smbd_unbecome_root(void)
538 {
539 pop_sec_ctx();
540 pop_conn_ctx();
541 }
542
543 /****************************************************************************
544 Push the current security context then force a change via change_to_user().
545 Saves and restores the connection context.
546 ****************************************************************************/
547
548 bool become_user(connection_struct *conn, uint64_t vuid)
549 {
550 if (!push_sec_ctx())
551 return False;
552
553 push_conn_ctx();
554
555 if (!change_to_user(conn, vuid)) {
556 pop_sec_ctx();
557 pop_conn_ctx();
558 return False;
559 }
560
561 return True;
562 }
563
564 bool become_user_by_session(connection_struct *conn,
565 const struct auth_session_info *session_info)
566 {
567 if (!push_sec_ctx())
568 return false;
569
570 push_conn_ctx();
571
572 if (!change_to_user_by_session(conn, session_info)) {
573 pop_sec_ctx();
574 pop_conn_ctx();
575 return false;
576 }
577
578 return true;
579 }
580
581 bool unbecome_user(void)
582 {
583 pop_sec_ctx();
584 pop_conn_ctx();
585 return True;
586 }
587
588 /****************************************************************************
589 Return the current user we are running effectively as on this connection.
590 I'd like to make this return conn->session_info->unix_token->uid, but become_root()
591 doesn't alter this value.
592 ****************************************************************************/
593
594 uid_t get_current_uid(connection_struct *conn)
595 {
596 return current_user.ut.uid;
597 }
598
599 /****************************************************************************
600 Return the current group we are running effectively as on this connection.
601 I'd like to make this return conn->session_info->unix_token->gid, but become_root()
602 doesn't alter this value.
603 ****************************************************************************/
604
605 gid_t get_current_gid(connection_struct *conn)
606 {
607 return current_user.ut.gid;
608 }
609
610 /****************************************************************************
611 Return the UNIX token we are running effectively as on this connection.
612 I'd like to make this return &conn->session_info->unix_token-> but become_root()
613 doesn't alter this value.
614 ****************************************************************************/
615
616 const struct security_unix_token *get_current_utok(connection_struct *conn)
617 {
618 return &current_user.ut;
619 }
620
621 /****************************************************************************
622 Return the Windows token we are running effectively as on this connection.
623 If this is currently a NULL token as we're inside become_root() - a temporary
624 UNIX security override, then we search up the stack for the previous active
625 token.
626 ****************************************************************************/
627
628 const struct security_token *get_current_nttok(connection_struct *conn)
629 {
630 if (current_user.nt_user_token) {
631 return current_user.nt_user_token;
632 }
633 return sec_ctx_active_token();
634 }
635
636 uint64_t get_current_vuid(connection_struct *conn)
637 {
638 return current_user.vuid;
639 }
Samba GIT mirror