2 Unix SMB/CIFS implementation.
3 service (connection) opening and closing
4 Copyright (C) Andrew Tridgell 1992-1998
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 extern userdom_struct current_user_info
;
24 static bool canonicalize_connect_path(connection_struct
*conn
)
26 #ifdef REALPATH_TAKES_NULL
28 char *resolved_name
= SMB_VFS_REALPATH(conn
,conn
->connectpath
,NULL
);
32 ret
= set_conn_connectpath(conn
,resolved_name
);
33 SAFE_FREE(resolved_name
);
36 char resolved_name_buf
[PATH_MAX
+1];
37 char *resolved_name
= SMB_VFS_REALPATH(conn
,conn
->connectpath
,resolved_name_buf
);
41 return set_conn_connectpath(conn
,resolved_name
);
42 #endif /* REALPATH_TAKES_NULL */
45 /****************************************************************************
46 Ensure when setting connectpath it is a canonicalized (no ./ // or ../)
47 absolute path stating in / and not ending in /.
48 Observent people will notice a similarity between this and check_path_syntax :-).
49 ****************************************************************************/
51 bool set_conn_connectpath(connection_struct
*conn
, const char *connectpath
)
55 const char *s
= connectpath
;
56 bool start_of_name_component
= true;
58 if (connectpath
== NULL
|| connectpath
[0] == '\0') {
62 destname
= SMB_STRDUP(connectpath
);
68 *d
++ = '/'; /* Always start with root. */
72 /* Eat multiple '/' */
76 if ((d
> destname
+ 1) && (*s
!= '\0')) {
79 start_of_name_component
= True
;
83 if (start_of_name_component
) {
84 if ((s
[0] == '.') && (s
[1] == '.') && (s
[2] == '/' || s
[2] == '\0')) {
85 /* Uh oh - "/../" or "/..\0" ! */
87 /* Go past the ../ or .. */
91 s
+= 2; /* Go past the .. */
94 /* If we just added a '/' - delete it */
95 if ((d
> destname
) && (*(d
-1) == '/')) {
100 /* Are we at the start ? Can't go back further if so. */
102 *d
++ = '/'; /* Can't delete root */
105 /* Go back one level... */
106 /* Decrement d first as d points to the *next* char to write into. */
107 for (d
--; d
> destname
; d
--) {
112 /* We're still at the start of a name component, just the previous one. */
114 } else if ((s
[0] == '.') && ((s
[1] == '\0') || s
[1] == '/')) {
115 /* Component of pathname can't be "." only - skip the '.' . */
129 /* Get the size of the next MB character. */
130 next_codepoint(s
,&siz
);
151 start_of_name_component
= false;
155 /* And must not end in '/' */
156 if (d
> destname
+ 1 && (*(d
-1) == '/')) {
160 DEBUG(10,("set_conn_connectpath: service %s, connectpath = %s\n",
161 lp_servicename(SNUM(conn
)), destname
));
163 string_set(&conn
->connectpath
, destname
);
168 /****************************************************************************
169 Load parameters specific to a connection/service.
170 ****************************************************************************/
172 bool set_current_service(connection_struct
*conn
, uint16 flags
, bool do_chdir
)
174 static connection_struct
*last_conn
;
175 static uint16 last_flags
;
183 conn
->lastused_count
++;
188 vfs_ChDir(conn
,conn
->connectpath
) != 0 &&
189 vfs_ChDir(conn
,conn
->origpath
) != 0) {
190 DEBUG(0,("chdir (%s) failed\n",
195 if ((conn
== last_conn
) && (last_flags
== flags
)) {
202 /* Obey the client case sensitivity requests - only for clients that support it. */
203 switch (lp_casesensitive(snum
)) {
206 /* We need this uglyness due to DOS/Win9x clients that lie about case insensitivity. */
207 enum remote_arch_types ra_type
= get_remote_arch();
208 if ((ra_type
!= RA_SAMBA
) && (ra_type
!= RA_CIFSFS
)) {
209 /* Client can't support per-packet case sensitive pathnames. */
210 conn
->case_sensitive
= False
;
212 conn
->case_sensitive
= !(flags
& FLAG_CASELESS_PATHNAMES
);
217 conn
->case_sensitive
= True
;
220 conn
->case_sensitive
= False
;
226 static int load_registry_service(const char *servicename
)
228 struct registry_key
*key
;
234 struct registry_value
*value
;
238 if (!lp_registry_shares()) {
242 if ((servicename
== NULL
) || (*servicename
== '\0')) {
246 if (strequal(servicename
, GLOBAL_NAME
)) {
250 if (asprintf(&path
, "%s\\%s", KEY_SMBCONF
, servicename
) == -1) {
254 err
= reg_open_path(NULL
, path
, REG_KEY_READ
, get_root_nt_token(),
258 if (!W_ERROR_IS_OK(err
)) {
262 res
= lp_add_service(servicename
, -1);
268 W_ERROR_IS_OK(reg_enumvalue(key
, key
, i
, &value_name
, &value
));
270 switch (value
->type
) {
273 if (asprintf(&tmp
, "%d", value
->v
.dword
) == -1) {
276 lp_do_parameter(res
, value_name
, tmp
);
281 lp_do_parameter(res
, value_name
, value
->v
.sz
.str
);
285 /* Ignore all the rest */
289 TALLOC_FREE(value_name
);
293 if (!service_ok(res
)) {
303 void load_registry_shares(void)
305 struct registry_key
*key
;
310 DEBUG(8, ("load_registry_shares()\n"));
311 if (!lp_registry_shares()) {
315 err
= reg_open_path(NULL
, KEY_SMBCONF
, REG_KEY_READ
,
316 get_root_nt_token(), &key
);
317 if (!(W_ERROR_IS_OK(err
))) {
321 for (i
=0; W_ERROR_IS_OK(reg_enumkey(key
, key
, i
, &name
, NULL
)); i
++) {
322 load_registry_service(name
);
330 /****************************************************************************
331 Add a home service. Returns the new service number or -1 if fail.
332 ****************************************************************************/
334 int add_home_service(const char *service
, const char *username
, const char *homedir
)
338 if (!service
|| !homedir
|| homedir
[0] == '\0')
341 if ((iHomeService
= lp_servicenumber(HOMES_NAME
)) < 0) {
342 if ((iHomeService
= load_registry_service(HOMES_NAME
)) < 0) {
348 * If this is a winbindd provided username, remove
349 * the domain component before adding the service.
350 * Log a warning if the "path=" parameter does not
351 * include any macros.
355 const char *p
= strchr(service
,*lp_winbind_separator());
357 /* We only want the 'user' part of the string */
363 if (!lp_add_home(service
, iHomeService
, username
, homedir
)) {
367 return lp_servicenumber(service
);
372 * Find a service entry.
374 * @param service is modified (to canonical form??)
377 int find_service(fstring service
)
381 all_string_sub(service
,"\\","/",0);
383 iService
= lp_servicenumber(service
);
385 /* now handle the special case of a home directory */
387 char *phome_dir
= get_user_home_dir(talloc_tos(), service
);
391 * Try mapping the servicename, it may
392 * be a Windows to unix mapped user name.
394 if(map_username(service
))
395 phome_dir
= get_user_home_dir(
396 talloc_tos(), service
);
399 DEBUG(3,("checking for home directory %s gave %s\n",service
,
400 phome_dir
?phome_dir
:"(NULL)"));
402 iService
= add_home_service(service
,service
/* 'username' */, phome_dir
);
405 /* If we still don't have a service, attempt to add it as a printer. */
409 if ((iPrinterService
= lp_servicenumber(PRINTERS_NAME
)) < 0) {
410 iPrinterService
= load_registry_service(PRINTERS_NAME
);
412 if (iPrinterService
) {
413 DEBUG(3,("checking whether %s is a valid printer name...\n", service
));
414 if (pcap_printername_ok(service
)) {
415 DEBUG(3,("%s is a valid printer name\n", service
));
416 DEBUG(3,("adding %s as a printer service\n", service
));
417 lp_add_printer(service
, iPrinterService
);
418 iService
= lp_servicenumber(service
);
420 DEBUG(0,("failed to add %s as a printer service!\n", service
));
423 DEBUG(3,("%s is not a valid printer name\n", service
));
428 /* Check for default vfs service? Unsure whether to implement this */
433 iService
= load_registry_service(service
);
436 /* Is it a usershare service ? */
437 if (iService
< 0 && *lp_usershare_path()) {
438 /* Ensure the name is canonicalized. */
440 iService
= load_usershare_service(service
);
443 /* just possibly it's a default service? */
445 char *pdefservice
= lp_defaultservice();
446 if (pdefservice
&& *pdefservice
&& !strequal(pdefservice
,service
) && !strstr_m(service
,"..")) {
448 * We need to do a local copy here as lp_defaultservice()
449 * returns one of the rotating lp_string buffers that
450 * could get overwritten by the recursive find_service() call
451 * below. Fix from Josef Hinteregger <joehtg@joehtg.co.at>.
453 char *defservice
= SMB_STRDUP(pdefservice
);
459 /* Disallow anything except explicit share names. */
460 if (strequal(defservice
,HOMES_NAME
) ||
461 strequal(defservice
, PRINTERS_NAME
) ||
462 strequal(defservice
, "IPC$")) {
463 SAFE_FREE(defservice
);
467 iService
= find_service(defservice
);
469 all_string_sub(service
, "_","/",0);
470 iService
= lp_add_service(service
, iService
);
472 SAFE_FREE(defservice
);
477 if (!VALID_SNUM(iService
)) {
478 DEBUG(0,("Invalid snum %d for %s\n",iService
, service
));
486 DEBUG(3,("find_service() failed to find service %s\n", service
));
492 /****************************************************************************
493 do some basic sainity checks on the share.
494 This function modifies dev, ecode.
495 ****************************************************************************/
497 static NTSTATUS
share_sanity_checks(int snum
, fstring dev
)
500 if (!lp_snum_ok(snum
) ||
501 !check_access(smbd_server_fd(),
502 lp_hostsallow(snum
), lp_hostsdeny(snum
))) {
503 return NT_STATUS_ACCESS_DENIED
;
506 if (dev
[0] == '?' || !dev
[0]) {
507 if (lp_print_ok(snum
)) {
508 fstrcpy(dev
,"LPT1:");
509 } else if (strequal(lp_fstype(snum
), "IPC")) {
518 if (lp_print_ok(snum
)) {
519 if (!strequal(dev
, "LPT1:")) {
520 return NT_STATUS_BAD_DEVICE_TYPE
;
522 } else if (strequal(lp_fstype(snum
), "IPC")) {
523 if (!strequal(dev
, "IPC")) {
524 return NT_STATUS_BAD_DEVICE_TYPE
;
526 } else if (!strequal(dev
, "A:")) {
527 return NT_STATUS_BAD_DEVICE_TYPE
;
530 /* Behave as a printer if we are supposed to */
531 if (lp_print_ok(snum
) && (strcmp(dev
, "A:") == 0)) {
532 fstrcpy(dev
, "LPT1:");
539 * Go through lookup_name etc to find the force'd group.
541 * Create a new token from src_token, replacing the primary group sid with the
545 static NTSTATUS
find_forced_group(bool force_user
,
546 int snum
, const char *username
,
550 NTSTATUS result
= NT_STATUS_NO_SUCH_GROUP
;
551 TALLOC_CTX
*frame
= talloc_stackframe();
553 enum lsa_SidType type
;
555 bool user_must_be_member
= False
;
558 groupname
= talloc_strdup(talloc_tos(), lp_force_group(snum
));
559 if (groupname
== NULL
) {
560 DEBUG(1, ("talloc_strdup failed\n"));
561 result
= NT_STATUS_NO_MEMORY
;
565 if (groupname
[0] == '+') {
566 user_must_be_member
= True
;
570 groupname
= talloc_string_sub(talloc_tos(), groupname
,
571 "%S", lp_servicename(snum
));
572 if (groupname
== NULL
) {
573 DEBUG(1, ("talloc_string_sub failed\n"));
574 result
= NT_STATUS_NO_MEMORY
;
578 if (!lookup_name_smbconf(talloc_tos(), groupname
,
579 LOOKUP_NAME_ALL
|LOOKUP_NAME_GROUP
,
580 NULL
, NULL
, &group_sid
, &type
)) {
581 DEBUG(10, ("lookup_name_smbconf(%s) failed\n",
586 if ((type
!= SID_NAME_DOM_GRP
) && (type
!= SID_NAME_ALIAS
) &&
587 (type
!= SID_NAME_WKN_GRP
)) {
588 DEBUG(10, ("%s is a %s, not a group\n", groupname
,
589 sid_type_lookup(type
)));
593 if (!sid_to_gid(&group_sid
, &gid
)) {
594 DEBUG(10, ("sid_to_gid(%s) for %s failed\n",
595 sid_string_dbg(&group_sid
), groupname
));
600 * If the user has been forced and the forced group starts with a '+',
601 * then we only set the group to be the forced group if the forced
602 * user is a member of that group. Otherwise, the meaning of the '+'
606 if (force_user
&& user_must_be_member
) {
607 if (user_in_group_sid(username
, &group_sid
)) {
608 sid_copy(pgroup_sid
, &group_sid
);
610 DEBUG(3,("Forced group %s for member %s\n",
611 groupname
, username
));
613 DEBUG(0,("find_forced_group: forced user %s is not a member "
614 "of forced group %s. Disallowing access.\n",
615 username
, groupname
));
616 result
= NT_STATUS_MEMBER_NOT_IN_GROUP
;
620 sid_copy(pgroup_sid
, &group_sid
);
622 DEBUG(3,("Forced group %s\n", groupname
));
625 result
= NT_STATUS_OK
;
631 /****************************************************************************
632 Create an auth_serversupplied_info structure for a connection_struct
633 ****************************************************************************/
635 static NTSTATUS
create_connection_server_info(TALLOC_CTX
*mem_ctx
, int snum
,
636 struct auth_serversupplied_info
*vuid_serverinfo
,
638 struct auth_serversupplied_info
**presult
)
640 if (lp_guest_only(snum
)) {
641 return make_server_info_guest(mem_ctx
, presult
);
644 if (vuid_serverinfo
!= NULL
) {
646 struct auth_serversupplied_info
*result
;
649 * This is the normal security != share case where we have a
650 * valid vuid from the session setup. */
652 if (vuid_serverinfo
->guest
) {
653 if (!lp_guest_ok(snum
)) {
654 DEBUG(2, ("guest user (from session setup) "
655 "not permitted to access this share "
656 "(%s)\n", lp_servicename(snum
)));
657 return NT_STATUS_ACCESS_DENIED
;
660 if (!user_ok_token(vuid_serverinfo
->unix_name
,
661 pdb_get_domain(vuid_serverinfo
->sam_account
),
662 vuid_serverinfo
->ptok
, snum
)) {
663 DEBUG(2, ("user '%s' (from session setup) not "
664 "permitted to access this share "
666 vuid_serverinfo
->unix_name
,
667 lp_servicename(snum
)));
668 return NT_STATUS_ACCESS_DENIED
;
672 result
= copy_serverinfo(mem_ctx
, vuid_serverinfo
);
673 if (result
== NULL
) {
674 return NT_STATUS_NO_MEMORY
;
681 if (lp_security() == SEC_SHARE
) {
686 /* add the sharename as a possible user name if we
687 are in share mode security */
689 add_session_user(lp_servicename(snum
));
691 /* shall we let them in? */
693 if (!authorise_login(snum
,user
,password
,&guest
)) {
694 DEBUG( 2, ( "Invalid username/password for [%s]\n",
695 lp_servicename(snum
)) );
696 return NT_STATUS_WRONG_PASSWORD
;
699 return make_serverinfo_from_username(mem_ctx
, user
, guest
,
703 DEBUG(0, ("invalid VUID (vuser) but not in security=share\n"));
704 return NT_STATUS_ACCESS_DENIED
;
708 /****************************************************************************
709 Make a connection, given the snum to connect to, and the vuser of the
710 connecting user if appropriate.
711 ****************************************************************************/
713 static connection_struct
*make_connection_snum(int snum
, user_struct
*vuser
,
718 connection_struct
*conn
;
722 char addr
[INET6_ADDRSTRLEN
];
723 bool on_err_call_dis_hook
= false;
727 SET_STAT_INVALID(st
);
729 if (NT_STATUS_IS_ERR(*pstatus
= share_sanity_checks(snum
, dev
))) {
735 DEBUG(0,("Couldn't find free connection.\n"));
736 *pstatus
= NT_STATUS_INSUFFICIENT_RESOURCES
;
740 conn
->params
->service
= snum
;
742 status
= create_connection_server_info(
743 conn
, snum
, vuser
? vuser
->server_info
: NULL
, password
,
746 if (!NT_STATUS_IS_OK(status
)) {
747 DEBUG(1, ("create_connection_server_info failed: %s\n",
754 if ((lp_guest_only(snum
)) || (lp_security() == SEC_SHARE
)) {
755 conn
->force_user
= true;
758 add_session_user(conn
->server_info
->unix_name
);
760 safe_strcpy(conn
->client_address
,
761 client_addr(get_client_fd(),addr
,sizeof(addr
)),
762 sizeof(conn
->client_address
)-1);
763 conn
->num_files_open
= 0;
764 conn
->lastused
= conn
->lastused_count
= time(NULL
);
766 conn
->printer
= (strncmp(dev
,"LPT",3) == 0);
767 conn
->ipc
= ( (strncmp(dev
,"IPC",3) == 0) ||
768 ( lp_enable_asu_support() && strequal(dev
,"ADMIN$")) );
771 /* Case options for the share. */
772 if (lp_casesensitive(snum
) == Auto
) {
773 /* We will be setting this per packet. Set to be case
774 * insensitive for now. */
775 conn
->case_sensitive
= False
;
777 conn
->case_sensitive
= (bool)lp_casesensitive(snum
);
780 conn
->case_preserve
= lp_preservecase(snum
);
781 conn
->short_case_preserve
= lp_shortpreservecase(snum
);
783 conn
->encrypt_level
= lp_smb_encrypt(snum
);
785 conn
->veto_list
= NULL
;
786 conn
->hide_list
= NULL
;
787 conn
->veto_oplock_list
= NULL
;
788 conn
->aio_write_behind_list
= NULL
;
789 string_set(&conn
->dirpath
,"");
791 conn
->read_only
= lp_readonly(SNUM(conn
));
792 conn
->admin_user
= False
;
794 if (*lp_force_user(snum
)) {
797 * Replace conn->server_info with a completely faked up one
798 * from the username we are forced into :-)
802 struct auth_serversupplied_info
*forced_serverinfo
;
804 fuser
= talloc_string_sub(conn
, lp_force_user(snum
), "%S",
805 lp_servicename(snum
));
808 *pstatus
= NT_STATUS_NO_MEMORY
;
812 status
= make_serverinfo_from_username(
813 conn
, fuser
, conn
->server_info
->guest
,
815 if (!NT_STATUS_IS_OK(status
)) {
821 TALLOC_FREE(conn
->server_info
);
822 conn
->server_info
= forced_serverinfo
;
824 conn
->force_user
= True
;
825 DEBUG(3,("Forced user %s\n", fuser
));
829 * If force group is true, then override
830 * any groupid stored for the connecting user.
833 if (*lp_force_group(snum
)) {
835 status
= find_forced_group(
836 conn
->force_user
, snum
, conn
->server_info
->unix_name
,
837 &conn
->server_info
->ptok
->user_sids
[1],
838 &conn
->server_info
->utok
.gid
);
840 if (!NT_STATUS_IS_OK(status
)) {
847 * We need to cache this gid, to use within
848 * change_to_user() separately from the conn->server_info
849 * struct. We only use conn->server_info directly if
850 * "force_user" was set.
852 conn
->force_group_gid
= conn
->server_info
->utok
.gid
;
855 conn
->vuid
= (vuser
!= NULL
) ? vuser
->vuid
: UID_FIELD_INVALID
;
858 char *s
= talloc_sub_advanced(talloc_tos(),
859 lp_servicename(SNUM(conn
)),
860 conn
->server_info
->unix_name
,
862 conn
->server_info
->utok
.gid
,
863 conn
->server_info
->sanitized_username
,
864 pdb_get_domain(conn
->server_info
->sam_account
),
868 *pstatus
= NT_STATUS_NO_MEMORY
;
872 if (!set_conn_connectpath(conn
,s
)) {
875 *pstatus
= NT_STATUS_NO_MEMORY
;
878 DEBUG(3,("Connect path is '%s' for service [%s]\n",s
,
879 lp_servicename(snum
)));
884 * New code to check if there's a share security descripter
885 * added from NT server manager. This is done after the
886 * smb.conf checks are done as we need a uid and token. JRA.
891 bool can_write
= False
;
893 can_write
= share_access_check(conn
->server_info
->ptok
,
894 lp_servicename(snum
),
898 if (!share_access_check(conn
->server_info
->ptok
,
899 lp_servicename(snum
),
901 /* No access, read or write. */
902 DEBUG(0,("make_connection: connection to %s "
903 "denied due to security "
905 lp_servicename(snum
)));
907 *pstatus
= NT_STATUS_ACCESS_DENIED
;
910 conn
->read_only
= True
;
914 /* Initialise VFS function pointers */
916 if (!smbd_vfs_init(conn
)) {
917 DEBUG(0, ("vfs_init failed for service %s\n",
918 lp_servicename(snum
)));
920 *pstatus
= NT_STATUS_BAD_NETWORK_NAME
;
925 * If widelinks are disallowed we need to canonicalise the connect
926 * path here to ensure we don't have any symlinks in the
927 * connectpath. We will be checking all paths on this connection are
928 * below this directory. We must do this after the VFS init as we
929 * depend on the realpath() pointer in the vfs table. JRA.
931 if (!lp_widelinks(snum
)) {
932 if (!canonicalize_connect_path(conn
)) {
933 DEBUG(0, ("canonicalize_connect_path failed "
934 "for service %s, path %s\n",
935 lp_servicename(snum
),
938 *pstatus
= NT_STATUS_BAD_NETWORK_NAME
;
943 if ((!conn
->printer
) && (!conn
->ipc
)) {
944 conn
->notify_ctx
= notify_init(conn
, server_id_self(),
945 smbd_messaging_context(),
946 smbd_event_context(),
950 /* ROOT Activities: */
952 * Enforce the max connections parameter.
955 if ((lp_max_connections(snum
) > 0)
956 && (count_current_connections(lp_servicename(SNUM(conn
)), True
) >=
957 lp_max_connections(snum
))) {
959 DEBUG(1, ("Max connections (%d) exceeded for %s\n",
960 lp_max_connections(snum
), lp_servicename(snum
)));
962 *pstatus
= NT_STATUS_INSUFFICIENT_RESOURCES
;
967 * Get us an entry in the connections db
969 if (!claim_connection(conn
, lp_servicename(snum
), 0)) {
970 DEBUG(1, ("Could not store connections entry\n"));
972 *pstatus
= NT_STATUS_INTERNAL_DB_ERROR
;
976 /* Preexecs are done here as they might make the dir we are to ChDir
978 /* execute any "root preexec = " line */
979 if (*lp_rootpreexec(snum
)) {
980 char *cmd
= talloc_sub_advanced(talloc_tos(),
981 lp_servicename(SNUM(conn
)),
982 conn
->server_info
->unix_name
,
984 conn
->server_info
->utok
.gid
,
985 conn
->server_info
->sanitized_username
,
986 pdb_get_domain(conn
->server_info
->sam_account
),
987 lp_rootpreexec(snum
));
988 DEBUG(5,("cmd=%s\n",cmd
));
989 ret
= smbrun(cmd
,NULL
);
991 if (ret
!= 0 && lp_rootpreexec_close(snum
)) {
992 DEBUG(1,("root preexec gave %d - failing "
993 "connection\n", ret
));
994 yield_connection(conn
, lp_servicename(snum
));
996 *pstatus
= NT_STATUS_ACCESS_DENIED
;
1001 /* USER Activites: */
1002 if (!change_to_user(conn
, conn
->vuid
)) {
1003 /* No point continuing if they fail the basic checks */
1004 DEBUG(0,("Can't become connected user!\n"));
1005 yield_connection(conn
, lp_servicename(snum
));
1007 *pstatus
= NT_STATUS_LOGON_FAILURE
;
1011 /* Remember that a different vuid can connect later without these
1014 /* Preexecs are done here as they might make the dir we are to ChDir
1017 /* execute any "preexec = " line */
1018 if (*lp_preexec(snum
)) {
1019 char *cmd
= talloc_sub_advanced(talloc_tos(),
1020 lp_servicename(SNUM(conn
)),
1021 conn
->server_info
->unix_name
,
1023 conn
->server_info
->utok
.gid
,
1024 conn
->server_info
->sanitized_username
,
1025 pdb_get_domain(conn
->server_info
->sam_account
),
1027 ret
= smbrun(cmd
,NULL
);
1029 if (ret
!= 0 && lp_preexec_close(snum
)) {
1030 DEBUG(1,("preexec gave %d - failing connection\n",
1032 *pstatus
= NT_STATUS_ACCESS_DENIED
;
1037 #ifdef WITH_FAKE_KASERVER
1038 if (lp_afs_share(snum
)) {
1043 /* Add veto/hide lists */
1044 if (!IS_IPC(conn
) && !IS_PRINT(conn
)) {
1045 set_namearray( &conn
->veto_list
, lp_veto_files(snum
));
1046 set_namearray( &conn
->hide_list
, lp_hide_files(snum
));
1047 set_namearray( &conn
->veto_oplock_list
, lp_veto_oplocks(snum
));
1048 set_namearray( &conn
->aio_write_behind_list
,
1049 lp_aio_write_behind(snum
));
1052 /* Invoke VFS make connection hook - do this before the VFS_STAT call
1053 to allow any filesystems needing user credentials to initialize
1056 if (SMB_VFS_CONNECT(conn
, lp_servicename(snum
),
1057 conn
->server_info
->unix_name
) < 0) {
1058 DEBUG(0,("make_connection: VFS make connection failed!\n"));
1059 *pstatus
= NT_STATUS_UNSUCCESSFUL
;
1063 /* Any error exit after here needs to call the disconnect hook. */
1064 on_err_call_dis_hook
= true;
1066 /* win2000 does not check the permissions on the directory
1067 during the tree connect, instead relying on permission
1068 check during individual operations. To match this behaviour
1069 I have disabled this chdir check (tridge) */
1070 /* the alternative is just to check the directory exists */
1071 if ((ret
= SMB_VFS_STAT(conn
, conn
->connectpath
, &st
)) != 0 ||
1072 !S_ISDIR(st
.st_mode
)) {
1073 if (ret
== 0 && !S_ISDIR(st
.st_mode
)) {
1074 DEBUG(0,("'%s' is not a directory, when connecting to "
1075 "[%s]\n", conn
->connectpath
,
1076 lp_servicename(snum
)));
1078 DEBUG(0,("'%s' does not exist or permission denied "
1079 "when connecting to [%s] Error was %s\n",
1080 conn
->connectpath
, lp_servicename(snum
),
1083 *pstatus
= NT_STATUS_BAD_NETWORK_NAME
;
1087 string_set(&conn
->origpath
,conn
->connectpath
);
1089 #if SOFTLINK_OPTIMISATION
1090 /* resolve any soft links early if possible */
1091 if (vfs_ChDir(conn
,conn
->connectpath
) == 0) {
1092 TALLOC_CTX
*ctx
= talloc_tos();
1093 char *s
= vfs_GetWd(ctx
,s
);
1095 *status
= map_nt_error_from_unix(errno
);
1098 if (!set_conn_connectpath(conn
,s
)) {
1099 *status
= NT_STATUS_NO_MEMORY
;
1102 vfs_ChDir(conn
,conn
->connectpath
);
1106 /* Figure out the characteristics of the underlying filesystem. This
1107 * assumes that all the filesystem mounted withing a share path have
1108 * the same characteristics, which is likely but not guaranteed.
1111 conn
->fs_capabilities
= SMB_VFS_FS_CAPABILITIES(conn
);
1114 * Print out the 'connected as' stuff here as we need
1115 * to know the effective uid and gid we will be using
1116 * (at least initially).
1119 if( DEBUGLVL( IS_IPC(conn
) ? 3 : 1 ) ) {
1120 dbgtext( "%s (%s) ", get_remote_machine_name(),
1121 conn
->client_address
);
1122 dbgtext( "%s", srv_is_signing_active() ? "signed " : "");
1123 dbgtext( "connect to service %s ", lp_servicename(snum
) );
1124 dbgtext( "initially as user %s ",
1125 conn
->server_info
->unix_name
);
1126 dbgtext( "(uid=%d, gid=%d) ", (int)geteuid(), (int)getegid() );
1127 dbgtext( "(pid %d)\n", (int)sys_getpid() );
1130 /* we've finished with the user stuff - go back to root */
1131 change_to_root_user();
1136 change_to_root_user();
1137 if (on_err_call_dis_hook
) {
1138 /* Call VFS disconnect hook */
1139 SMB_VFS_DISCONNECT(conn
);
1141 yield_connection(conn
, lp_servicename(snum
));
1146 /***************************************************************************************
1147 Simple wrapper function for make_connection() to include a call to
1149 **************************************************************************************/
1151 connection_struct
*make_connection_with_chdir(const char *service_in
,
1153 const char *dev
, uint16 vuid
,
1156 connection_struct
*conn
= NULL
;
1158 conn
= make_connection(service_in
, password
, dev
, vuid
, status
);
1161 * make_connection() does not change the directory for us any more
1162 * so we have to do it as a separate step --jerry
1165 if ( conn
&& vfs_ChDir(conn
,conn
->connectpath
) != 0 ) {
1166 DEBUG(0,("make_connection_with_chdir: Can't change "
1167 "directory to %s for [print$] (%s)\n",
1168 conn
->connectpath
,strerror(errno
)));
1169 yield_connection(conn
, lp_servicename(SNUM(conn
)));
1171 *status
= NT_STATUS_UNSUCCESSFUL
;
1178 /****************************************************************************
1179 Make a connection to a service.
1182 ****************************************************************************/
1184 connection_struct
*make_connection(const char *service_in
, DATA_BLOB password
,
1185 const char *pdev
, uint16 vuid
,
1189 user_struct
*vuser
= NULL
;
1193 char addr
[INET6_ADDRSTRLEN
];
1197 /* This must ONLY BE CALLED AS ROOT. As it exits this function as
1199 if (!non_root_mode() && (euid
= geteuid()) != 0) {
1200 DEBUG(0,("make_connection: PANIC ERROR. Called as nonroot "
1201 "(%u)\n", (unsigned int)euid
));
1202 smb_panic("make_connection: PANIC ERROR. Called as nonroot\n");
1205 if (conn_num_open() > 2047) {
1206 *status
= NT_STATUS_INSUFF_SERVER_RESOURCES
;
1210 if(lp_security() != SEC_SHARE
) {
1211 vuser
= get_valid_user_struct(vuid
);
1213 DEBUG(1,("make_connection: refusing to connect with "
1214 "no session setup\n"));
1215 *status
= NT_STATUS_ACCESS_DENIED
;
1220 /* Logic to try and connect to the correct [homes] share, preferably
1221 without too many getpwnam() lookups. This is particulary nasty for
1222 winbind usernames, where the share name isn't the same as unix
1225 The snum of the homes share is stored on the vuser at session setup
1229 if (strequal(service_in
,HOMES_NAME
)) {
1230 if(lp_security() != SEC_SHARE
) {
1231 DATA_BLOB no_pw
= data_blob_null
;
1232 if (vuser
->homes_snum
== -1) {
1233 DEBUG(2, ("[homes] share not available for "
1234 "this user because it was not found "
1235 "or created at session setup "
1237 *status
= NT_STATUS_BAD_NETWORK_NAME
;
1240 DEBUG(5, ("making a connection to [homes] service "
1241 "created at session setup time\n"));
1242 return make_connection_snum(vuser
->homes_snum
,
1246 /* Security = share. Try with
1247 * current_user_info.smb_name as the username. */
1248 if (*current_user_info
.smb_name
) {
1249 fstring unix_username
;
1250 fstrcpy(unix_username
,
1251 current_user_info
.smb_name
);
1252 map_username(unix_username
);
1253 snum
= find_service(unix_username
);
1256 DEBUG(5, ("making a connection to 'homes' "
1257 "service %s based on "
1258 "security=share\n", service_in
));
1259 return make_connection_snum(snum
, NULL
,
1264 } else if ((lp_security() != SEC_SHARE
) && (vuser
->homes_snum
!= -1)
1265 && strequal(service_in
,
1266 lp_servicename(vuser
->homes_snum
))) {
1267 DATA_BLOB no_pw
= data_blob_null
;
1268 DEBUG(5, ("making a connection to 'homes' service [%s] "
1269 "created at session setup time\n", service_in
));
1270 return make_connection_snum(vuser
->homes_snum
,
1275 fstrcpy(service
, service_in
);
1277 strlower_m(service
);
1279 snum
= find_service(service
);
1282 if (strequal(service
,"IPC$") ||
1283 (lp_enable_asu_support() && strequal(service
,"ADMIN$"))) {
1284 DEBUG(3,("refusing IPC connection to %s\n", service
));
1285 *status
= NT_STATUS_ACCESS_DENIED
;
1289 DEBUG(0,("%s (%s) couldn't find service %s\n",
1290 get_remote_machine_name(),
1291 client_addr(get_client_fd(),addr
,sizeof(addr
)),
1293 *status
= NT_STATUS_BAD_NETWORK_NAME
;
1297 /* Handle non-Dfs clients attempting connections to msdfs proxy */
1298 if (lp_host_msdfs() && (*lp_msdfs_proxy(snum
) != '\0')) {
1299 DEBUG(3, ("refusing connection to dfs proxy share '%s' "
1300 "(pointing to %s)\n",
1301 service
, lp_msdfs_proxy(snum
)));
1302 *status
= NT_STATUS_BAD_NETWORK_NAME
;
1306 DEBUG(5, ("making a connection to 'normal' service %s\n", service
));
1308 return make_connection_snum(snum
, vuser
,
1313 /****************************************************************************
1315 ****************************************************************************/
1317 void close_cnum(connection_struct
*conn
, uint16 vuid
)
1320 pipe_close_conn(conn
);
1322 file_close_conn(conn
);
1323 dptr_closecnum(conn
);
1326 change_to_root_user();
1328 DEBUG(IS_IPC(conn
)?3:1, ("%s (%s) closed connection to service %s\n",
1329 get_remote_machine_name(),
1330 conn
->client_address
,
1331 lp_servicename(SNUM(conn
))));
1333 /* Call VFS disconnect hook */
1334 SMB_VFS_DISCONNECT(conn
);
1336 yield_connection(conn
, lp_servicename(SNUM(conn
)));
1338 /* make sure we leave the directory available for unmount */
1339 vfs_ChDir(conn
, "/");
1341 /* execute any "postexec = " line */
1342 if (*lp_postexec(SNUM(conn
)) &&
1343 change_to_user(conn
, vuid
)) {
1344 char *cmd
= talloc_sub_advanced(talloc_tos(),
1345 lp_servicename(SNUM(conn
)),
1346 conn
->server_info
->unix_name
,
1348 conn
->server_info
->utok
.gid
,
1349 conn
->server_info
->sanitized_username
,
1350 pdb_get_domain(conn
->server_info
->sam_account
),
1351 lp_postexec(SNUM(conn
)));
1354 change_to_root_user();
1357 change_to_root_user();
1358 /* execute any "root postexec = " line */
1359 if (*lp_rootpostexec(SNUM(conn
))) {
1360 char *cmd
= talloc_sub_advanced(talloc_tos(),
1361 lp_servicename(SNUM(conn
)),
1362 conn
->server_info
->unix_name
,
1364 conn
->server_info
->utok
.gid
,
1365 conn
->server_info
->sanitized_username
,
1366 pdb_get_domain(conn
->server_info
->sam_account
),
1367 lp_rootpostexec(SNUM(conn
)));