search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
r15166: finial packaging changes (hopefully)
[Samba.git] / source / auth / auth_rhosts.c
blob23e276bc84e1f852eb09b1059f4c24a31f131235
1 /*
2 Unix SMB/CIFS implementation.
3 Main SMB reply routines
4 Copyright (C) Andrew Tridgell 1992-1998
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2 of the License, or
9 (at your option) any later version.
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with this program; if not, write to the Free Software
18 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
19 */
20
21 #include "includes.h"
22
23 #undef DBGC_CLASS
24 #define DBGC_CLASS DBGC_AUTH
25
26 /****************************************************************************
27 Create a struct samu - either by looking in the pdb, or by faking it up from
28 unix info.
29 ****************************************************************************/
30
31 static NTSTATUS auth_get_sam_account(const char *user, struct samu **account)
32 {
33 BOOL pdb_ret;
34 NTSTATUS nt_status = NT_STATUS_NO_SUCH_USER;
35
36 if ( !(*account = samu_new( NULL )) ) {
37 return NT_STATUS_NO_MEMORY;
38 }
39
40 become_root();
41 pdb_ret = pdb_getsampwnam(*account, user);
42 unbecome_root();
43
44 if (!pdb_ret)
45 {
46 struct passwd *pass;
47
48 if ( !(pass = Get_Pwnam( user )) ) {
49 return NT_STATUS_NO_SUCH_USER;
50 }
51
52 nt_status = samu_set_unix( *account, pass );
53 }
54
55 return nt_status;
56 }
57
58 /****************************************************************************
59 Read the a hosts.equiv or .rhosts file and check if it
60 allows this user from this machine.
61 ****************************************************************************/
62
63 static BOOL check_user_equiv(const char *user, const char *remote, const char *equiv_file)
64 {
65 int plus_allowed = 1;
66 char *file_host;
67 char *file_user;
68 char **lines = file_lines_load(equiv_file, NULL,0);
69 int i;
70
71 DEBUG(5, ("check_user_equiv %s %s %s\n", user, remote, equiv_file));
72 if (! lines) {
73 return False;
74 }
75 for (i=0; lines[i]; i++) {
76 char *buf = lines[i];
77 trim_char(buf,' ',' ');
78
79 if (buf[0] != '#' && buf[0] != '\n') {
80 BOOL is_group = False;
81 int plus = 1;
82 char *bp = buf;
83
84 if (strcmp(buf, "NO_PLUS\n") == 0) {
85 DEBUG(6, ("check_user_equiv NO_PLUS\n"));
86 plus_allowed = 0;
87 } else {
88 if (buf[0] == '+') {
89 bp++;
90 if (*bp == '\n' && plus_allowed) {
91 /* a bare plus means everbody allowed */
92 DEBUG(6, ("check_user_equiv everybody allowed\n"));
93 file_lines_free(lines);
94 return True;
95 }
96 } else if (buf[0] == '-') {
97 bp++;
98 plus = 0;
99 }
100 if (*bp == '@') {
101 is_group = True;
102 bp++;
103 }
104 file_host = strtok(bp, " \t\n");
105 file_user = strtok(NULL, " \t\n");
106 DEBUG(7, ("check_user_equiv %s %s\n", file_host ? file_host : "(null)",
107 file_user ? file_user : "(null)" ));
108
109 if (file_host && *file_host) {
110 BOOL host_ok = False;
111
112 #if defined(HAVE_NETGROUP) && defined(HAVE_YP_GET_DEFAULT_DOMAIN)
113 if (is_group) {
114 static char *mydomain = NULL;
115 if (!mydomain) {
116 yp_get_default_domain(&mydomain);
117 }
118 if (mydomain && innetgr(file_host,remote,user,mydomain)) {
119 host_ok = True;
120 }
121 }
122 #else
123 if (is_group) {
124 DEBUG(1,("Netgroups not configured\n"));
125 continue;
126 }
127 #endif
128
129 /* is it this host */
130 /* the fact that remote has come from a call of gethostbyaddr
131 * means that it may have the fully qualified domain name
132 * so we could look up the file version to get it into
133 * a canonical form, but I would rather just type it
134 * in full in the equiv file
135 */
136
137 if (!host_ok && !is_group && strequal(remote, file_host)) {
138 host_ok = True;
139 }
140
141 if (!host_ok) {
142 continue;
143 }
144
145 /* is it this user */
146 if (file_user == 0 || strequal(user, file_user)) {
147 DEBUG(5, ("check_user_equiv matched %s%s %s\n",
148 (plus ? "+" : "-"), file_host,
149 (file_user ? file_user : "")));
150 file_lines_free(lines);
151 return (plus ? True : False);
152 }
153 }
154 }
155 }
156 }
157
158 file_lines_free(lines);
159 return False;
160 }
161
162 /****************************************************************************
163 check for a possible hosts equiv or rhosts entry for the user
164 ****************************************************************************/
165
166 static BOOL check_hosts_equiv(struct samu *account)
167 {
168 uid_t uid;
169 char *fname = NULL;
170
171 fname = lp_hosts_equiv();
172 if (!sid_to_uid(pdb_get_user_sid(account), &uid))
173 return False;
174
175 /* note: don't allow hosts.equiv on root */
176 if (fname && *fname && uid != 0) {
177 if (check_user_equiv(pdb_get_username(account),client_name(),fname))
178 return True;
179 }
180
181 return False;
182 }
183
184
185 /****************************************************************************
186 Check for a valid .rhosts/hosts.equiv entry for this user
187 ****************************************************************************/
188
189 static NTSTATUS check_hostsequiv_security(const struct auth_context *auth_context,
190 void *my_private_data,
191 TALLOC_CTX *mem_ctx,
192 const auth_usersupplied_info *user_info,
193 auth_serversupplied_info **server_info)
194 {
195 NTSTATUS nt_status;
196 struct samu *account = NULL;
197 if (!NT_STATUS_IS_OK(nt_status =
198 auth_get_sam_account(user_info->internal_username,
199 &account))) {
200 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER))
201 nt_status = NT_STATUS_NOT_IMPLEMENTED;
202 return nt_status;
203 }
204
205 if (check_hosts_equiv(account)) {
206 nt_status = make_server_info_sam(server_info, account);
207 if (!NT_STATUS_IS_OK(nt_status)) {
208 TALLOC_FREE(account);
209 }
210 } else {
211 TALLOC_FREE(account);
212 nt_status = NT_STATUS_NOT_IMPLEMENTED;
213 }
214
215 return nt_status;
216 }
217
218 /* module initialisation */
219 static NTSTATUS auth_init_hostsequiv(struct auth_context *auth_context, const char* param, auth_methods **auth_method)
220 {
221 if (!make_auth_methods(auth_context, auth_method)) {
222 return NT_STATUS_NO_MEMORY;
223 }
224
225 (*auth_method)->auth = check_hostsequiv_security;
226 (*auth_method)->name = "hostsequiv";
227 return NT_STATUS_OK;
228 }
229
230
231 /****************************************************************************
232 Check for a valid .rhosts/hosts.equiv entry for this user
233 ****************************************************************************/
234
235 static NTSTATUS check_rhosts_security(const struct auth_context *auth_context,
236 void *my_private_data,
237 TALLOC_CTX *mem_ctx,
238 const auth_usersupplied_info *user_info,
239 auth_serversupplied_info **server_info)
240 {
241 NTSTATUS nt_status;
242 struct samu *account = NULL;
243 pstring rhostsfile;
244 const char *home;
245
246 if (!NT_STATUS_IS_OK(nt_status =
247 auth_get_sam_account(user_info->internal_username,
248 &account))) {
249 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER))
250 nt_status = NT_STATUS_NOT_IMPLEMENTED;
251 return nt_status;
252 }
253
254 home = pdb_get_unix_homedir(account);
255
256 if (home) {
257 slprintf(rhostsfile, sizeof(rhostsfile)-1, "%s/.rhosts", home);
258 become_root();
259 if (check_user_equiv(pdb_get_username(account),client_name(),rhostsfile)) {
260 nt_status = make_server_info_sam(server_info, account);
261 if (!NT_STATUS_IS_OK(nt_status)) {
262 TALLOC_FREE(account);
263 }
264 } else {
265 TALLOC_FREE(account);
266 }
267 unbecome_root();
268 } else {
269 TALLOC_FREE(account);
270 nt_status = NT_STATUS_NOT_IMPLEMENTED;
271 }
272
273 return nt_status;
274 }
275
276 /* module initialisation */
277 static NTSTATUS auth_init_rhosts(struct auth_context *auth_context, const char *param, auth_methods **auth_method)
278 {
279 if (!make_auth_methods(auth_context, auth_method)) {
280 return NT_STATUS_NO_MEMORY;
281 }
282
283 (*auth_method)->auth = check_rhosts_security;
284 (*auth_method)->name = "rhosts";
285 return NT_STATUS_OK;
286 }
287
288 NTSTATUS auth_rhosts_init(void)
289 {
290 smb_register_auth(AUTH_INTERFACE_VERSION, "rhosts", auth_init_rhosts);
291 smb_register_auth(AUTH_INTERFACE_VERSION, "hostsequiv", auth_init_hostsequiv);
292 return NT_STATUS_OK;
293 }
Samba GIT mirror