search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3/lanman: Workaround for KB932762.
[Samba.git] / source / smbd / share_access.c
blobef898b87e16cf82a0e3492350a3d8b10077c0a90
1 /*
2 Unix SMB/CIFS implementation.
3 Check access based on valid users, read list and friends
4 Copyright (C) Volker Lendecke 2005
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
18 */
19
20 #include "includes.h"
21
22 /*
23 * No prefix means direct username
24 * @name means netgroup first, then unix group
25 * &name means netgroup
26 * +name means unix group
27 * + and & may be combined
28 */
29
30 extern userdom_struct current_user_info;
31
32 static bool do_group_checks(const char **name, const char **pattern)
33 {
34 if ((*name)[0] == '@') {
35 *pattern = "&+";
36 *name += 1;
37 return True;
38 }
39
40 if (((*name)[0] == '+') && ((*name)[1] == '&')) {
41 *pattern = "+&";
42 *name += 2;
43 return True;
44 }
45
46 if ((*name)[0] == '+') {
47 *pattern = "+";
48 *name += 1;
49 return True;
50 }
51
52 if (((*name)[0] == '&') && ((*name)[1] == '+')) {
53 *pattern = "&+";
54 *name += 2;
55 return True;
56 }
57
58 if ((*name)[0] == '&') {
59 *pattern = "&";
60 *name += 1;
61 return True;
62 }
63
64 return False;
65 }
66
67 static bool token_contains_name(TALLOC_CTX *mem_ctx,
68 const char *username,
69 const char *sharename,
70 const struct nt_user_token *token,
71 const char *name)
72 {
73 const char *prefix;
74 DOM_SID sid;
75 enum lsa_SidType type;
76
77 if (username != NULL) {
78 name = talloc_sub_basic(mem_ctx, username,
79 current_user_info.domain, name);
80 }
81 if (sharename != NULL) {
82 name = talloc_string_sub(mem_ctx, name, "%S", sharename);
83 }
84
85 if (name == NULL) {
86 /* This is too security sensitive, better panic than return a
87 * result that might be interpreted in a wrong way. */
88 smb_panic("substitutions failed");
89 }
90
91 /* check to see is we already have a SID */
92
93 if ( string_to_sid( &sid, name ) ) {
94 DEBUG(5,("token_contains_name: Checking for SID [%s] in token\n", name));
95 return nt_token_check_sid( &sid, token );
96 }
97
98 if (!do_group_checks(&name, &prefix)) {
99 if (!lookup_name_smbconf(mem_ctx, name, LOOKUP_NAME_ALL,
100 NULL, NULL, &sid, &type)) {
101 DEBUG(5, ("lookup_name %s failed\n", name));
102 return False;
103 }
104 if (type != SID_NAME_USER) {
105 DEBUG(5, ("%s is a %s, expected a user\n",
106 name, sid_type_lookup(type)));
107 return False;
108 }
109 return nt_token_check_sid(&sid, token);
110 }
111
112 for (/* initialized above */ ; *prefix != '\0'; prefix++) {
113 if (*prefix == '+') {
114 if (!lookup_name_smbconf(mem_ctx, name,
115 LOOKUP_NAME_ALL|LOOKUP_NAME_GROUP,
116 NULL, NULL, &sid, &type)) {
117 DEBUG(5, ("lookup_name %s failed\n", name));
118 return False;
119 }
120 if ((type != SID_NAME_DOM_GRP) &&
121 (type != SID_NAME_ALIAS) &&
122 (type != SID_NAME_WKN_GRP)) {
123 DEBUG(5, ("%s is a %s, expected a group\n",
124 name, sid_type_lookup(type)));
125 return False;
126 }
127 if (nt_token_check_sid(&sid, token)) {
128 return True;
129 }
130 continue;
131 }
132 if (*prefix == '&') {
133 if (user_in_netgroup(username, name)) {
134 return True;
135 }
136 continue;
137 }
138 smb_panic("got invalid prefix from do_groups_check");
139 }
140 return False;
141 }
142
143 /*
144 * Check whether a user is contained in the list provided.
145 *
146 * Please note that the user name and share names passed in here mainly for
147 * the substitution routines that expand the parameter values, the decision
148 * whether a user is in the list is done after a lookup_name on the expanded
149 * parameter value, solely based on comparing the SIDs in token.
150 *
151 * The other use is the netgroup check when using @group or &group.
152 */
153
154 bool token_contains_name_in_list(const char *username,
155 const char *sharename,
156 const struct nt_user_token *token,
157 const char **list)
158 {
159 TALLOC_CTX *mem_ctx;
160
161 if (list == NULL) {
162 return False;
163 }
164
165 if ( (mem_ctx = talloc_new(NULL)) == NULL ) {
166 smb_panic("talloc_new failed");
167 }
168
169 while (*list != NULL) {
170 if (token_contains_name(mem_ctx, username, sharename,token, *list)) {
171 TALLOC_FREE(mem_ctx);
172 return True;
173 }
174 list += 1;
175 }
176
177 TALLOC_FREE(mem_ctx);
178 return False;
179 }
180
181 /*
182 * Check whether the user described by "token" has access to share snum.
183 *
184 * This looks at "invalid users", "valid users" and "only user/username"
185 *
186 * Please note that the user name and share names passed in here mainly for
187 * the substitution routines that expand the parameter values, the decision
188 * whether a user is in the list is done after a lookup_name on the expanded
189 * parameter value, solely based on comparing the SIDs in token.
190 *
191 * The other use is the netgroup check when using @group or &group.
192 */
193
194 bool user_ok_token(const char *username, const struct nt_user_token *token, int snum)
195 {
196 if (lp_invalid_users(snum) != NULL) {
197 if (token_contains_name_in_list(username, lp_servicename(snum),
198 token,
199 lp_invalid_users(snum))) {
200 DEBUG(10, ("User %s in 'invalid users'\n", username));
201 return False;
202 }
203 }
204
205 if (lp_valid_users(snum) != NULL) {
206 if (!token_contains_name_in_list(username,
207 lp_servicename(snum), token,
208 lp_valid_users(snum))) {
209 DEBUG(10, ("User %s not in 'valid users'\n",
210 username));
211 return False;
212 }
213 }
214
215 if (lp_onlyuser(snum)) {
216 const char *list[2];
217 list[0] = lp_username(snum);
218 list[1] = NULL;
219 if ((list[0] == NULL) || (*list[0] == '\0')) {
220 DEBUG(0, ("'only user = yes' and no 'username ='\n"));
221 return False;
222 }
223 if (!token_contains_name_in_list(NULL, lp_servicename(snum),
224 token, list)) {
225 DEBUG(10, ("%s != 'username'\n", username));
226 return False;
227 }
228 }
229
230 DEBUG(10, ("user_ok_token: share %s is ok for unix user %s\n",
231 lp_servicename(snum), username));
232
233 return True;
234 }
235
236 /*
237 * Check whether the user described by "token" is restricted to read-only
238 * access on share snum.
239 *
240 * This looks at "invalid users", "valid users" and "only user/username"
241 *
242 * Please note that the user name and share names passed in here mainly for
243 * the substitution routines that expand the parameter values, the decision
244 * whether a user is in the list is done after a lookup_name on the expanded
245 * parameter value, solely based on comparing the SIDs in token.
246 *
247 * The other use is the netgroup check when using @group or &group.
248 */
249
250 bool is_share_read_only_for_token(const char *username,
251 const struct nt_user_token *token,
252 connection_struct *conn)
253 {
254 int snum = SNUM(conn);
255 bool result = conn->read_only;
256
257 if (lp_readlist(snum) != NULL) {
258 if (token_contains_name_in_list(username,
259 lp_servicename(snum), token,
260 lp_readlist(snum))) {
261 result = True;
262 }
263 }
264
265 if (lp_writelist(snum) != NULL) {
266 if (token_contains_name_in_list(username,
267 lp_servicename(snum), token,
268 lp_writelist(snum))) {
269 result = False;
270 }
271 }
272
273 DEBUG(10,("is_share_read_only_for_user: share %s is %s for unix user "
274 "%s\n", lp_servicename(snum),
275 result ? "read-only" : "read-write", username));
276
277 return result;
278 }
Samba GIT mirror