s4-smbtorture: remove another incarnation of test_ClosePrinter.
[Samba.git] / source3 / smbd / share_access.c
blob6f3bfd020aa2e0c099853ffa929ee7aae8c5b016
1 /*
2 Unix SMB/CIFS implementation.
3 Check access based on valid users, read list and friends
4 Copyright (C) Volker Lendecke 2005
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 #include "includes.h"
21 #include "smbd/globals.h"
24 * No prefix means direct username
25 * @name means netgroup first, then unix group
26 * &name means netgroup
27 * +name means unix group
28 * + and & may be combined
31 static bool do_group_checks(const char **name, const char **pattern)
33 if ((*name)[0] == '@') {
34 *pattern = "&+";
35 *name += 1;
36 return True;
39 if (((*name)[0] == '+') && ((*name)[1] == '&')) {
40 *pattern = "+&";
41 *name += 2;
42 return True;
45 if ((*name)[0] == '+') {
46 *pattern = "+";
47 *name += 1;
48 return True;
51 if (((*name)[0] == '&') && ((*name)[1] == '+')) {
52 *pattern = "&+";
53 *name += 2;
54 return True;
57 if ((*name)[0] == '&') {
58 *pattern = "&";
59 *name += 1;
60 return True;
63 return False;
66 static bool token_contains_name(TALLOC_CTX *mem_ctx,
67 const char *username,
68 const char *domain,
69 const char *sharename,
70 const struct nt_user_token *token,
71 const char *name)
73 const char *prefix;
74 struct dom_sid sid;
75 enum lsa_SidType type;
77 if (username != NULL) {
78 name = talloc_sub_basic(mem_ctx, username, domain, name);
80 if (sharename != NULL) {
81 name = talloc_string_sub(mem_ctx, name, "%S", sharename);
84 if (name == NULL) {
85 /* This is too security sensitive, better panic than return a
86 * result that might be interpreted in a wrong way. */
87 smb_panic("substitutions failed");
90 /* check to see is we already have a SID */
92 if ( string_to_sid( &sid, name ) ) {
93 DEBUG(5,("token_contains_name: Checking for SID [%s] in token\n", name));
94 return nt_token_check_sid( &sid, token );
97 if (!do_group_checks(&name, &prefix)) {
98 if (!lookup_name_smbconf(mem_ctx, name, LOOKUP_NAME_ALL,
99 NULL, NULL, &sid, &type)) {
100 DEBUG(5, ("lookup_name %s failed\n", name));
101 return False;
103 if (type != SID_NAME_USER) {
104 DEBUG(5, ("%s is a %s, expected a user\n",
105 name, sid_type_lookup(type)));
106 return False;
108 return nt_token_check_sid(&sid, token);
111 for (/* initialized above */ ; *prefix != '\0'; prefix++) {
112 if (*prefix == '+') {
113 if (!lookup_name_smbconf(mem_ctx, name,
114 LOOKUP_NAME_ALL|LOOKUP_NAME_GROUP,
115 NULL, NULL, &sid, &type)) {
116 DEBUG(5, ("lookup_name %s failed\n", name));
117 return False;
119 if ((type != SID_NAME_DOM_GRP) &&
120 (type != SID_NAME_ALIAS) &&
121 (type != SID_NAME_WKN_GRP)) {
122 DEBUG(5, ("%s is a %s, expected a group\n",
123 name, sid_type_lookup(type)));
124 return False;
126 if (nt_token_check_sid(&sid, token)) {
127 return True;
129 continue;
131 if (*prefix == '&') {
132 if (username) {
133 if (user_in_netgroup(username, name)) {
134 return True;
137 continue;
139 smb_panic("got invalid prefix from do_groups_check");
141 return False;
145 * Check whether a user is contained in the list provided.
147 * Please note that the user name and share names passed in here mainly for
148 * the substitution routines that expand the parameter values, the decision
149 * whether a user is in the list is done after a lookup_name on the expanded
150 * parameter value, solely based on comparing the SIDs in token.
152 * The other use is the netgroup check when using @group or &group.
155 bool token_contains_name_in_list(const char *username,
156 const char *domain,
157 const char *sharename,
158 const struct nt_user_token *token,
159 const char **list)
161 TALLOC_CTX *mem_ctx;
163 if (list == NULL) {
164 return False;
167 if ( (mem_ctx = talloc_new(NULL)) == NULL ) {
168 smb_panic("talloc_new failed");
171 while (*list != NULL) {
172 if (token_contains_name(mem_ctx, username, domain, sharename,
173 token, *list)) {
174 TALLOC_FREE(mem_ctx);
175 return True;
177 list += 1;
180 TALLOC_FREE(mem_ctx);
181 return False;
185 * Check whether the user described by "token" has access to share snum.
187 * This looks at "invalid users", "valid users" and "only user/username"
189 * Please note that the user name and share names passed in here mainly for
190 * the substitution routines that expand the parameter values, the decision
191 * whether a user is in the list is done after a lookup_name on the expanded
192 * parameter value, solely based on comparing the SIDs in token.
194 * The other use is the netgroup check when using @group or &group.
197 bool user_ok_token(const char *username, const char *domain,
198 const struct nt_user_token *token, int snum)
200 if (lp_invalid_users(snum) != NULL) {
201 if (token_contains_name_in_list(username, domain,
202 lp_servicename(snum),
203 token,
204 lp_invalid_users(snum))) {
205 DEBUG(10, ("User %s in 'invalid users'\n", username));
206 return False;
210 if (lp_valid_users(snum) != NULL) {
211 if (!token_contains_name_in_list(username, domain,
212 lp_servicename(snum), token,
213 lp_valid_users(snum))) {
214 DEBUG(10, ("User %s not in 'valid users'\n",
215 username));
216 return False;
220 if (lp_onlyuser(snum)) {
221 const char *list[2];
222 list[0] = lp_username(snum);
223 list[1] = NULL;
224 if ((list[0] == NULL) || (*list[0] == '\0')) {
225 DEBUG(0, ("'only user = yes' and no 'username ='\n"));
226 return False;
228 if (!token_contains_name_in_list(NULL, domain,
229 lp_servicename(snum),
230 token, list)) {
231 DEBUG(10, ("%s != 'username'\n", username));
232 return False;
236 DEBUG(10, ("user_ok_token: share %s is ok for unix user %s\n",
237 lp_servicename(snum), username));
239 return True;
243 * Check whether the user described by "token" is restricted to read-only
244 * access on share snum.
246 * This looks at "invalid users", "valid users" and "only user/username"
248 * Please note that the user name and share names passed in here mainly for
249 * the substitution routines that expand the parameter values, the decision
250 * whether a user is in the list is done after a lookup_name on the expanded
251 * parameter value, solely based on comparing the SIDs in token.
253 * The other use is the netgroup check when using @group or &group.
256 bool is_share_read_only_for_token(const char *username,
257 const char *domain,
258 const struct nt_user_token *token,
259 connection_struct *conn)
261 int snum = SNUM(conn);
262 bool result = conn->read_only;
264 if (lp_readlist(snum) != NULL) {
265 if (token_contains_name_in_list(username, domain,
266 lp_servicename(snum), token,
267 lp_readlist(snum))) {
268 result = True;
272 if (lp_writelist(snum) != NULL) {
273 if (token_contains_name_in_list(username, domain,
274 lp_servicename(snum), token,
275 lp_writelist(snum))) {
276 result = False;
280 DEBUG(10,("is_share_read_only_for_user: share %s is %s for unix user "
281 "%s\n", lp_servicename(snum),
282 result ? "read-only" : "read-write", username));
284 return result;