2 Unix SMB/CIFS implementation.
3 Check access based on valid users, read list and friends
4 Copyright (C) Volker Lendecke 2005
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 #include "smbd/smbd.h"
22 #include "smbd/globals.h"
23 #include "../libcli/security/security.h"
24 #include "passdb/lookup_sid.h"
26 #include "source3/lib/substitute.h"
29 * We dropped NIS support in 2021, but need to keep configs working.
31 * TODO FIXME: Remove me in future
34 static bool do_group_checks(const char **name
, const char **pattern
)
36 if ((*name
)[0] == '@') {
42 if (((*name
)[0] == '+') && ((*name
)[1] == '&')) {
48 if ((*name
)[0] == '+') {
54 if (((*name
)[0] == '&') && ((*name
)[1] == '+')) {
60 if ((*name
)[0] == '&') {
69 static bool token_contains_name(TALLOC_CTX
*mem_ctx
,
72 const char *sharename
,
73 const struct security_token
*token
,
78 enum lsa_SidType type
;
80 if (username
!= NULL
) {
81 size_t domain_len
= domain
!= NULL
? strlen(domain
) : 0;
83 /* Check if username starts with domain name */
85 const char *sep
= lp_winbind_separator();
86 int cmp
= strncasecmp_m(username
, domain
, domain_len
);
87 if (cmp
== 0 && sep
[0] == username
[domain_len
]) {
88 /* Move after the winbind separator */
94 name
= talloc_sub_basic(mem_ctx
,
95 username
+ domain_len
,
99 if (sharename
!= NULL
) {
100 name
= talloc_string_sub(mem_ctx
, name
, "%S", sharename
);
104 /* This is too security sensitive, better panic than return a
105 * result that might be interpreted in a wrong way. */
106 smb_panic("substitutions failed");
109 if ( string_to_sid( &sid
, name
) ) {
110 DEBUG(5,("token_contains_name: Checking for SID [%s] in token\n", name
));
111 return nt_token_check_sid( &sid
, token
);
114 if (!do_group_checks(&name
, &prefix
)) {
115 if (!lookup_name_smbconf(mem_ctx
, name
, LOOKUP_NAME_ALL
,
116 NULL
, NULL
, &sid
, &type
)) {
117 DEBUG(5, ("lookup_name %s failed\n", name
));
120 if (type
!= SID_NAME_USER
) {
121 DEBUG(5, ("%s is a %s, expected a user\n",
122 name
, sid_type_lookup(type
)));
125 return nt_token_check_sid(&sid
, token
);
128 for (/* initialized above */ ; *prefix
!= '\0'; prefix
++) {
129 if (*prefix
== '+') {
130 if (!lookup_name_smbconf(mem_ctx
, name
,
131 LOOKUP_NAME_ALL
|LOOKUP_NAME_GROUP
,
132 NULL
, NULL
, &sid
, &type
)) {
133 DEBUG(5, ("lookup_name %s failed\n", name
));
136 if ((type
!= SID_NAME_DOM_GRP
) &&
137 (type
!= SID_NAME_ALIAS
) &&
138 (type
!= SID_NAME_WKN_GRP
)) {
139 DEBUG(5, ("%s is a %s, expected a group\n",
140 name
, sid_type_lookup(type
)));
143 if (nt_token_check_sid(&sid
, token
)) {
148 if (*prefix
== '&') {
151 smb_panic("got invalid prefix from do_groups_check");
157 * Check whether a user is contained in the list provided.
159 * Please note that the user name and share names passed in here mainly for
160 * the substitution routines that expand the parameter values, the decision
161 * whether a user is in the list is done after a lookup_name on the expanded
162 * parameter value, solely based on comparing the SIDs in token.
164 * The other use is the netgroup check when using @group or &group.
167 bool token_contains_name_in_list(const char *username
,
169 const char *sharename
,
170 const struct security_token
*token
,
176 while (*list
!= NULL
) {
177 TALLOC_CTX
*frame
= talloc_stackframe();
180 ret
= token_contains_name(frame
, username
, domain
, sharename
,
192 * Check whether the user described by "token" has access to share snum.
194 * This looks at "invalid users" and "valid users".
196 * Please note that the user name and share names passed in here mainly for
197 * the substitution routines that expand the parameter values, the decision
198 * whether a user is in the list is done after a lookup_name on the expanded
199 * parameter value, solely based on comparing the SIDs in token.
201 * The other use is the netgroup check when using @group or &group.
204 bool user_ok_token(const char *username
, const char *domain
,
205 const struct security_token
*token
, int snum
)
207 const struct loadparm_substitution
*lp_sub
=
208 loadparm_s3_global_substitution();
210 if (lp_invalid_users(snum
) != NULL
) {
211 if (token_contains_name_in_list(username
, domain
,
212 lp_servicename(talloc_tos(), lp_sub
, snum
),
214 lp_invalid_users(snum
))) {
215 DEBUG(10, ("User %s in 'invalid users'\n", username
));
220 if (lp_valid_users(snum
) != NULL
) {
221 if (!token_contains_name_in_list(username
, domain
,
222 lp_servicename(talloc_tos(), lp_sub
, snum
),
224 lp_valid_users(snum
))) {
225 DEBUG(10, ("User %s not in 'valid users'\n",
231 DEBUG(10, ("user_ok_token: share %s is ok for unix user %s\n",
232 lp_servicename(talloc_tos(), lp_sub
, snum
), username
));
238 * Check whether the user described by "token" is restricted to read-only
239 * access on share snum.
241 * This looks at "read list", "write list" and "read only".
243 * Please note that the user name and share names passed in here mainly for
244 * the substitution routines that expand the parameter values, the decision
245 * whether a user is in the list is done after a lookup_name on the expanded
246 * parameter value, solely based on comparing the SIDs in token.
248 * The other use is the netgroup check when using @group or &group.
251 bool is_share_read_only_for_token(const char *username
,
253 const struct security_token
*token
,
254 connection_struct
*conn
)
256 const struct loadparm_substitution
*lp_sub
=
257 loadparm_s3_global_substitution();
258 int snum
= SNUM(conn
);
259 bool result
= conn
->read_only
;
261 if (lp_read_list(snum
) != NULL
) {
262 if (token_contains_name_in_list(username
, domain
,
263 lp_servicename(talloc_tos(), lp_sub
, snum
),
265 lp_read_list(snum
))) {
270 if (lp_write_list(snum
) != NULL
) {
271 if (token_contains_name_in_list(username
, domain
,
272 lp_servicename(talloc_tos(), lp_sub
, snum
),
274 lp_write_list(snum
))) {
279 DEBUG(10,("is_share_read_only_for_user: share %s is %s for unix user "
280 "%s\n", lp_servicename(talloc_tos(), lp_sub
, snum
),
281 result
? "read-only" : "read-write", username
));