search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
build-docs: Use 'git clean' instead of 'git-clean'.
[Samba.git] / source / smbd / uid.c
blobc238f40cfdb97b3ab49000448e8279aaf897e181
1 /*
2 Unix SMB/CIFS implementation.
3 uid/user handling
4 Copyright (C) Andrew Tridgell 1992-1998
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
18 */
19
20 #include "includes.h"
21
22 /* what user is current? */
23 extern struct current_user current_user;
24
25 /****************************************************************************
26 Become the guest user without changing the security context stack.
27 ****************************************************************************/
28
29 bool change_to_guest(void)
30 {
31 static struct passwd *pass=NULL;
32
33 if (!pass) {
34 /* Don't need to free() this as its stored in a static */
35 pass = getpwnam_alloc(talloc_autofree_context(), lp_guestaccount());
36 if (!pass)
37 return(False);
38 }
39
40 #ifdef AIX
41 /* MWW: From AIX FAQ patch to WU-ftpd: call initgroups before
42 setting IDs */
43 initgroups(pass->pw_name, pass->pw_gid);
44 #endif
45
46 set_sec_ctx(pass->pw_uid, pass->pw_gid, 0, NULL, NULL);
47
48 current_user.conn = NULL;
49 current_user.vuid = UID_FIELD_INVALID;
50
51 TALLOC_FREE(pass);
52 pass = NULL;
53
54 return True;
55 }
56
57 /*******************************************************************
58 Check if a username is OK.
59
60 This sets up conn->server_info with a copy related to this vuser that
61 later code can then mess with.
62 ********************************************************************/
63
64 static bool check_user_ok(connection_struct *conn, uint16_t vuid,
65 struct auth_serversupplied_info *server_info,
66 int snum)
67 {
68 unsigned int i;
69 struct vuid_cache_entry *ent = NULL;
70 bool readonly_share;
71 bool admin_user;
72
73 for (i=0; i<VUID_CACHE_SIZE; i++) {
74 ent = &conn->vuid_cache.array[i];
75 if (ent->vuid == vuid) {
76 conn->server_info = ent->server_info;
77 conn->read_only = ent->read_only;
78 conn->admin_user = ent->admin_user;
79 return(True);
80 }
81 }
82
83 if (!user_ok_token(server_info->unix_name,
84 pdb_get_domain(server_info->sam_account),
85 server_info->ptok, snum))
86 return(False);
87
88 readonly_share = is_share_read_only_for_token(
89 server_info->unix_name,
90 pdb_get_domain(server_info->sam_account),
91 server_info->ptok,
92 conn);
93
94 if (!readonly_share &&
95 !share_access_check(server_info->ptok, lp_servicename(snum),
96 FILE_WRITE_DATA)) {
97 /* smb.conf allows r/w, but the security descriptor denies
98 * write. Fall back to looking at readonly. */
99 readonly_share = True;
100 DEBUG(5,("falling back to read-only access-evaluation due to "
101 "security descriptor\n"));
102 }
103
104 if (!share_access_check(server_info->ptok, lp_servicename(snum),
105 readonly_share ?
106 FILE_READ_DATA : FILE_WRITE_DATA)) {
107 return False;
108 }
109
110 admin_user = token_contains_name_in_list(
111 server_info->unix_name,
112 pdb_get_domain(server_info->sam_account),
113 NULL, server_info->ptok, lp_admin_users(snum));
114
115 ent = &conn->vuid_cache.array[conn->vuid_cache.next_entry];
116
117 conn->vuid_cache.next_entry =
118 (conn->vuid_cache.next_entry + 1) % VUID_CACHE_SIZE;
119
120 TALLOC_FREE(ent->server_info);
121
122 /*
123 * If force_user was set, all server_info's are based on the same
124 * username-based faked one.
125 */
126
127 ent->server_info = copy_serverinfo(
128 conn, conn->force_user ? conn->server_info : server_info);
129
130 if (ent->server_info == NULL) {
131 ent->vuid = UID_FIELD_INVALID;
132 return false;
133 }
134
135 ent->vuid = vuid;
136 ent->read_only = readonly_share;
137 ent->admin_user = admin_user;
138
139 conn->read_only = ent->read_only;
140 conn->admin_user = ent->admin_user;
141 conn->server_info = ent->server_info;
142
143 return(True);
144 }
145
146 /****************************************************************************
147 Clear a vuid out of the connection's vuid cache
148 ****************************************************************************/
149
150 void conn_clear_vuid_cache(connection_struct *conn, uint16_t vuid)
151 {
152 int i;
153
154 for (i=0; i<VUID_CACHE_SIZE; i++) {
155 struct vuid_cache_entry *ent;
156
157 ent = &conn->vuid_cache.array[i];
158
159 if (ent->vuid == vuid) {
160 ent->vuid = UID_FIELD_INVALID;
161 TALLOC_FREE(ent->server_info);
162 ent->read_only = False;
163 ent->admin_user = False;
164 }
165 }
166 }
167
168 /****************************************************************************
169 Become the user of a connection number without changing the security context
170 stack, but modify the current_user entries.
171 ****************************************************************************/
172
173 bool change_to_user(connection_struct *conn, uint16 vuid)
174 {
175 user_struct *vuser = get_valid_user_struct(vuid);
176 int snum;
177 gid_t gid;
178 uid_t uid;
179 char group_c;
180 int num_groups = 0;
181 gid_t *group_list = NULL;
182
183 if (!conn) {
184 DEBUG(2,("change_to_user: Connection not open\n"));
185 return(False);
186 }
187
188 /*
189 * We need a separate check in security=share mode due to vuid
190 * always being UID_FIELD_INVALID. If we don't do this then
191 * in share mode security we are *always* changing uid's between
192 * SMB's - this hurts performance - Badly.
193 */
194
195 if((lp_security() == SEC_SHARE) && (current_user.conn == conn) &&
196 (current_user.ut.uid == conn->server_info->utok.uid)) {
197 DEBUG(4,("change_to_user: Skipping user change - already "
198 "user\n"));
199 return(True);
200 } else if ((current_user.conn == conn) &&
201 (vuser != NULL) && (current_user.vuid == vuid) &&
202 (current_user.ut.uid == vuser->server_info->utok.uid)) {
203 DEBUG(4,("change_to_user: Skipping user change - already "
204 "user\n"));
205 return(True);
206 }
207
208 snum = SNUM(conn);
209
210 if ((vuser) && !check_user_ok(conn, vuid, vuser->server_info, snum)) {
211 DEBUG(2,("change_to_user: SMB user %s (unix user %s, vuid %d) "
212 "not permitted access to share %s.\n",
213 vuser->server_info->sanitized_username,
214 vuser->server_info->unix_name, vuid,
215 lp_servicename(snum)));
216 return False;
217 }
218
219 /*
220 * conn->server_info is now correctly set up with a copy we can mess
221 * with for force_group etc.
222 */
223
224 if (conn->force_user) /* security = share sets this too */ {
225 uid = conn->server_info->utok.uid;
226 gid = conn->server_info->utok.gid;
227 group_list = conn->server_info->utok.groups;
228 num_groups = conn->server_info->utok.ngroups;
229 } else if (vuser) {
230 uid = conn->admin_user ? 0 : vuser->server_info->utok.uid;
231 gid = conn->server_info->utok.gid;
232 num_groups = conn->server_info->utok.ngroups;
233 group_list = conn->server_info->utok.groups;
234 } else {
235 DEBUG(2,("change_to_user: Invalid vuid used %d in accessing "
236 "share %s.\n",vuid, lp_servicename(snum) ));
237 return False;
238 }
239
240 /*
241 * See if we should force group for this service.
242 * If so this overrides any group set in the force
243 * user code.
244 */
245
246 if((group_c = *lp_force_group(snum))) {
247
248 if(group_c == '+') {
249
250 /*
251 * Only force group if the user is a member of
252 * the service group. Check the group memberships for
253 * this user (we already have this) to
254 * see if we should force the group.
255 */
256
257 int i;
258 for (i = 0; i < num_groups; i++) {
259 if (group_list[i]
260 == conn->server_info->utok.gid) {
261 gid = conn->server_info->utok.gid;
262 gid_to_sid(&conn->server_info->ptok
263 ->user_sids[1], gid);
264 break;
265 }
266 }
267 } else {
268 gid = conn->server_info->utok.gid;
269 gid_to_sid(&conn->server_info->ptok->user_sids[1],
270 gid);
271 }
272 }
273
274 /* Now set current_user since we will immediately also call
275 set_sec_ctx() */
276
277 current_user.ut.ngroups = num_groups;
278 current_user.ut.groups = group_list;
279
280 set_sec_ctx(uid, gid, current_user.ut.ngroups, current_user.ut.groups,
281 conn->server_info->ptok);
282
283 current_user.conn = conn;
284 current_user.vuid = vuid;
285
286 DEBUG(5,("change_to_user uid=(%d,%d) gid=(%d,%d)\n",
287 (int)getuid(),(int)geteuid(),(int)getgid(),(int)getegid()));
288
289 return(True);
290 }
291
292 /****************************************************************************
293 Go back to being root without changing the security context stack,
294 but modify the current_user entries.
295 ****************************************************************************/
296
297 bool change_to_root_user(void)
298 {
299 set_root_sec_ctx();
300
301 DEBUG(5,("change_to_root_user: now uid=(%d,%d) gid=(%d,%d)\n",
302 (int)getuid(),(int)geteuid(),(int)getgid(),(int)getegid()));
303
304 current_user.conn = NULL;
305 current_user.vuid = UID_FIELD_INVALID;
306
307 return(True);
308 }
309
310 /****************************************************************************
311 Become the user of an authenticated connected named pipe.
312 When this is called we are currently running as the connection
313 user. Doesn't modify current_user.
314 ****************************************************************************/
315
316 bool become_authenticated_pipe_user(pipes_struct *p)
317 {
318 if (!push_sec_ctx())
319 return False;
320
321 set_sec_ctx(p->pipe_user.ut.uid, p->pipe_user.ut.gid,
322 p->pipe_user.ut.ngroups, p->pipe_user.ut.groups,
323 p->pipe_user.nt_user_token);
324
325 return True;
326 }
327
328 /****************************************************************************
329 Unbecome the user of an authenticated connected named pipe.
330 When this is called we are running as the authenticated pipe
331 user and need to go back to being the connection user. Doesn't modify
332 current_user.
333 ****************************************************************************/
334
335 bool unbecome_authenticated_pipe_user(void)
336 {
337 return pop_sec_ctx();
338 }
339
340 /****************************************************************************
341 Utility functions used by become_xxx/unbecome_xxx.
342 ****************************************************************************/
343
344 struct conn_ctx {
345 connection_struct *conn;
346 uint16 vuid;
347 };
348
349 /* A stack of current_user connection contexts. */
350
351 static struct conn_ctx conn_ctx_stack[MAX_SEC_CTX_DEPTH];
352 static int conn_ctx_stack_ndx;
353
354 static void push_conn_ctx(void)
355 {
356 struct conn_ctx *ctx_p;
357
358 /* Check we don't overflow our stack */
359
360 if (conn_ctx_stack_ndx == MAX_SEC_CTX_DEPTH) {
361 DEBUG(0, ("Connection context stack overflow!\n"));
362 smb_panic("Connection context stack overflow!\n");
363 }
364
365 /* Store previous user context */
366 ctx_p = &conn_ctx_stack[conn_ctx_stack_ndx];
367
368 ctx_p->conn = current_user.conn;
369 ctx_p->vuid = current_user.vuid;
370
371 DEBUG(3, ("push_conn_ctx(%u) : conn_ctx_stack_ndx = %d\n",
372 (unsigned int)ctx_p->vuid, conn_ctx_stack_ndx ));
373
374 conn_ctx_stack_ndx++;
375 }
376
377 static void pop_conn_ctx(void)
378 {
379 struct conn_ctx *ctx_p;
380
381 /* Check for stack underflow. */
382
383 if (conn_ctx_stack_ndx == 0) {
384 DEBUG(0, ("Connection context stack underflow!\n"));
385 smb_panic("Connection context stack underflow!\n");
386 }
387
388 conn_ctx_stack_ndx--;
389 ctx_p = &conn_ctx_stack[conn_ctx_stack_ndx];
390
391 current_user.conn = ctx_p->conn;
392 current_user.vuid = ctx_p->vuid;
393
394 ctx_p->conn = NULL;
395 ctx_p->vuid = UID_FIELD_INVALID;
396 }
397
398 /****************************************************************************
399 Temporarily become a root user. Must match with unbecome_root(). Saves and
400 restores the connection context.
401 ****************************************************************************/
402
403 void become_root(void)
404 {
405 /*
406 * no good way to handle push_sec_ctx() failing without changing
407 * the prototype of become_root()
408 */
409 if (!push_sec_ctx()) {
410 smb_panic("become_root: push_sec_ctx failed");
411 }
412 push_conn_ctx();
413 set_root_sec_ctx();
414 }
415
416 /* Unbecome the root user */
417
418 void unbecome_root(void)
419 {
420 pop_sec_ctx();
421 pop_conn_ctx();
422 }
423
424 /****************************************************************************
425 Push the current security context then force a change via change_to_user().
426 Saves and restores the connection context.
427 ****************************************************************************/
428
429 bool become_user(connection_struct *conn, uint16 vuid)
430 {
431 if (!push_sec_ctx())
432 return False;
433
434 push_conn_ctx();
435
436 if (!change_to_user(conn, vuid)) {
437 pop_sec_ctx();
438 pop_conn_ctx();
439 return False;
440 }
441
442 return True;
443 }
444
445 bool unbecome_user(void)
446 {
447 pop_sec_ctx();
448 pop_conn_ctx();
449 return True;
450 }
Samba GIT mirror