search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
r13316: Let the carnage begin....
[Samba.git] / source / auth / auth_rhosts.c
blobe310fa80fd5de1f452f04f519b0b624592fe828d
1 /*
2 Unix SMB/CIFS implementation.
3 Main SMB reply routines
4 Copyright (C) Andrew Tridgell 1992-1998
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2 of the License, or
9 (at your option) any later version.
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with this program; if not, write to the Free Software
18 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
19 */
20
21 #include "includes.h"
22
23 #undef DBGC_CLASS
24 #define DBGC_CLASS DBGC_AUTH
25
26 /****************************************************************************
27 Create a SAM_ACCOUNT - either by looking in the pdb, or by faking it up from
28 unix info.
29 ****************************************************************************/
30
31 static NTSTATUS auth_get_sam_account(const char *user, SAM_ACCOUNT **account)
32 {
33 BOOL pdb_ret;
34 NTSTATUS nt_status;
35 if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam(account))) {
36 return nt_status;
37 }
38
39 become_root();
40 pdb_ret = pdb_getsampwnam(*account, user);
41 unbecome_root();
42
43 if (!pdb_ret) {
44
45 struct passwd *pass = Get_Pwnam(user);
46 if (!pass)
47 return NT_STATUS_NO_SUCH_USER;
48
49 if (!NT_STATUS_IS_OK(nt_status = pdb_fill_sam_pw(*account, pass))) {
50 return nt_status;
51 }
52 }
53 return NT_STATUS_OK;
54 }
55
56 /****************************************************************************
57 Read the a hosts.equiv or .rhosts file and check if it
58 allows this user from this machine.
59 ****************************************************************************/
60
61 static BOOL check_user_equiv(const char *user, const char *remote, const char *equiv_file)
62 {
63 int plus_allowed = 1;
64 char *file_host;
65 char *file_user;
66 char **lines = file_lines_load(equiv_file, NULL,0);
67 int i;
68
69 DEBUG(5, ("check_user_equiv %s %s %s\n", user, remote, equiv_file));
70 if (! lines) {
71 return False;
72 }
73 for (i=0; lines[i]; i++) {
74 char *buf = lines[i];
75 trim_char(buf,' ',' ');
76
77 if (buf[0] != '#' && buf[0] != '\n') {
78 BOOL is_group = False;
79 int plus = 1;
80 char *bp = buf;
81
82 if (strcmp(buf, "NO_PLUS\n") == 0) {
83 DEBUG(6, ("check_user_equiv NO_PLUS\n"));
84 plus_allowed = 0;
85 } else {
86 if (buf[0] == '+') {
87 bp++;
88 if (*bp == '\n' && plus_allowed) {
89 /* a bare plus means everbody allowed */
90 DEBUG(6, ("check_user_equiv everybody allowed\n"));
91 file_lines_free(lines);
92 return True;
93 }
94 } else if (buf[0] == '-') {
95 bp++;
96 plus = 0;
97 }
98 if (*bp == '@') {
99 is_group = True;
100 bp++;
101 }
102 file_host = strtok(bp, " \t\n");
103 file_user = strtok(NULL, " \t\n");
104 DEBUG(7, ("check_user_equiv %s %s\n", file_host ? file_host : "(null)",
105 file_user ? file_user : "(null)" ));
106
107 if (file_host && *file_host) {
108 BOOL host_ok = False;
109
110 #if defined(HAVE_NETGROUP) && defined(HAVE_YP_GET_DEFAULT_DOMAIN)
111 if (is_group) {
112 static char *mydomain = NULL;
113 if (!mydomain) {
114 yp_get_default_domain(&mydomain);
115 }
116 if (mydomain && innetgr(file_host,remote,user,mydomain)) {
117 host_ok = True;
118 }
119 }
120 #else
121 if (is_group) {
122 DEBUG(1,("Netgroups not configured\n"));
123 continue;
124 }
125 #endif
126
127 /* is it this host */
128 /* the fact that remote has come from a call of gethostbyaddr
129 * means that it may have the fully qualified domain name
130 * so we could look up the file version to get it into
131 * a canonical form, but I would rather just type it
132 * in full in the equiv file
133 */
134
135 if (!host_ok && !is_group && strequal(remote, file_host)) {
136 host_ok = True;
137 }
138
139 if (!host_ok) {
140 continue;
141 }
142
143 /* is it this user */
144 if (file_user == 0 || strequal(user, file_user)) {
145 DEBUG(5, ("check_user_equiv matched %s%s %s\n",
146 (plus ? "+" : "-"), file_host,
147 (file_user ? file_user : "")));
148 file_lines_free(lines);
149 return (plus ? True : False);
150 }
151 }
152 }
153 }
154 }
155
156 file_lines_free(lines);
157 return False;
158 }
159
160 /****************************************************************************
161 check for a possible hosts equiv or rhosts entry for the user
162 ****************************************************************************/
163
164 static BOOL check_hosts_equiv(SAM_ACCOUNT *account)
165 {
166 uid_t uid;
167 char *fname = NULL;
168
169 fname = lp_hosts_equiv();
170 if (!sid_to_uid(pdb_get_user_sid(account), &uid))
171 return False;
172
173 /* note: don't allow hosts.equiv on root */
174 if (fname && *fname && uid != 0) {
175 if (check_user_equiv(pdb_get_username(account),client_name(),fname))
176 return True;
177 }
178
179 return False;
180 }
181
182
183 /****************************************************************************
184 Check for a valid .rhosts/hosts.equiv entry for this user
185 ****************************************************************************/
186
187 static NTSTATUS check_hostsequiv_security(const struct auth_context *auth_context,
188 void *my_private_data,
189 TALLOC_CTX *mem_ctx,
190 const auth_usersupplied_info *user_info,
191 auth_serversupplied_info **server_info)
192 {
193 NTSTATUS nt_status;
194 SAM_ACCOUNT *account = NULL;
195 if (!NT_STATUS_IS_OK(nt_status =
196 auth_get_sam_account(user_info->internal_username,
197 &account))) {
198 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER))
199 nt_status = NT_STATUS_NOT_IMPLEMENTED;
200 return nt_status;
201 }
202
203 if (check_hosts_equiv(account)) {
204 nt_status = make_server_info_sam(server_info, account);
205 if (!NT_STATUS_IS_OK(nt_status)) {
206 pdb_free_sam(&account);
207 }
208 } else {
209 pdb_free_sam(&account);
210 nt_status = NT_STATUS_NOT_IMPLEMENTED;
211 }
212
213 return nt_status;
214 }
215
216 /* module initialisation */
217 static NTSTATUS auth_init_hostsequiv(struct auth_context *auth_context, const char* param, auth_methods **auth_method)
218 {
219 if (!make_auth_methods(auth_context, auth_method)) {
220 return NT_STATUS_NO_MEMORY;
221 }
222
223 (*auth_method)->auth = check_hostsequiv_security;
224 (*auth_method)->name = "hostsequiv";
225 return NT_STATUS_OK;
226 }
227
228
229 /****************************************************************************
230 Check for a valid .rhosts/hosts.equiv entry for this user
231 ****************************************************************************/
232
233 static NTSTATUS check_rhosts_security(const struct auth_context *auth_context,
234 void *my_private_data,
235 TALLOC_CTX *mem_ctx,
236 const auth_usersupplied_info *user_info,
237 auth_serversupplied_info **server_info)
238 {
239 NTSTATUS nt_status;
240 SAM_ACCOUNT *account = NULL;
241 pstring rhostsfile;
242 const char *home;
243
244 if (!NT_STATUS_IS_OK(nt_status =
245 auth_get_sam_account(user_info->internal_username,
246 &account))) {
247 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER))
248 nt_status = NT_STATUS_NOT_IMPLEMENTED;
249 return nt_status;
250 }
251
252 home = pdb_get_unix_homedir(account);
253
254 if (home) {
255 slprintf(rhostsfile, sizeof(rhostsfile)-1, "%s/.rhosts", home);
256 become_root();
257 if (check_user_equiv(pdb_get_username(account),client_name(),rhostsfile)) {
258 nt_status = make_server_info_sam(server_info, account);
259 if (!NT_STATUS_IS_OK(nt_status)) {
260 pdb_free_sam(&account);
261 }
262 } else {
263 pdb_free_sam(&account);
264 }
265 unbecome_root();
266 } else {
267 pdb_free_sam(&account);
268 nt_status = NT_STATUS_NOT_IMPLEMENTED;
269 }
270
271 return nt_status;
272 }
273
274 /* module initialisation */
275 static NTSTATUS auth_init_rhosts(struct auth_context *auth_context, const char *param, auth_methods **auth_method)
276 {
277 if (!make_auth_methods(auth_context, auth_method)) {
278 return NT_STATUS_NO_MEMORY;
279 }
280
281 (*auth_method)->auth = check_rhosts_security;
282 (*auth_method)->name = "rhosts";
283 return NT_STATUS_OK;
284 }
285
286 NTSTATUS auth_rhosts_init(void)
287 {
288 smb_register_auth(AUTH_INTERFACE_VERSION, "rhosts", auth_init_rhosts);
289 smb_register_auth(AUTH_INTERFACE_VERSION, "hostsequiv", auth_init_hostsequiv);
290 return NT_STATUS_OK;
291 }
Samba GIT mirror