search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
tests/krb5: Add more encryption type constants
[Samba.git] / source3 / smbd / share_access.c
blobc44c4bd8c69489cdb8d904b79ef25441aeadcde6
1 /*
2 Unix SMB/CIFS implementation.
3 Check access based on valid users, read list and friends
4 Copyright (C) Volker Lendecke 2005
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
18 */
19
20 #include "includes.h"
21 #include "smbd/smbd.h"
22 #include "smbd/globals.h"
23 #include "../libcli/security/security.h"
24 #include "passdb/lookup_sid.h"
25 #include "auth.h"
26 #include "source3/lib/substitute.h"
27
28 /*
29 * We dropped NIS support in 2021, but need to keep configs working.
30 *
31 * TODO FIXME: Remove me in future
32 */
33
34 static bool do_group_checks(const char **name, const char **pattern)
35 {
36 if ((*name)[0] == '@') {
37 *pattern = "+";
38 *name += 1;
39 return True;
40 }
41
42 if (((*name)[0] == '+') && ((*name)[1] == '&')) {
43 *pattern = "+";
44 *name += 2;
45 return True;
46 }
47
48 if ((*name)[0] == '+') {
49 *pattern = "+";
50 *name += 1;
51 return True;
52 }
53
54 if (((*name)[0] == '&') && ((*name)[1] == '+')) {
55 *pattern = "+";
56 *name += 2;
57 return True;
58 }
59
60 if ((*name)[0] == '&') {
61 *pattern = "+";
62 *name += 1;
63 return True;
64 }
65
66 return False;
67 }
68
69 static bool token_contains_name(TALLOC_CTX *mem_ctx,
70 const char *username,
71 const char *domain,
72 const char *sharename,
73 const struct security_token *token,
74 const char *name)
75 {
76 const char *prefix;
77 struct dom_sid sid;
78 enum lsa_SidType type;
79
80 if (username != NULL) {
81 size_t domain_len = domain != NULL ? strlen(domain) : 0;
82
83 /* Check if username starts with domain name */
84 if (domain_len > 0) {
85 const char *sep = lp_winbind_separator();
86 int cmp = strncasecmp_m(username, domain, domain_len);
87 if (cmp == 0 && sep[0] == username[domain_len]) {
88 /* Move after the winbind separator */
89 domain_len += 1;
90 } else {
91 domain_len = 0;
92 }
93 }
94 name = talloc_sub_basic(mem_ctx,
95 username + domain_len,
96 domain,
97 name);
98 }
99 if (sharename != NULL) {
100 name = talloc_string_sub(mem_ctx, name, "%S", sharename);
101 }
102
103 if (name == NULL) {
104 /* This is too security sensitive, better panic than return a
105 * result that might be interpreted in a wrong way. */
106 smb_panic("substitutions failed");
107 }
108
109 if ( string_to_sid( &sid, name ) ) {
110 DEBUG(5,("token_contains_name: Checking for SID [%s] in token\n", name));
111 return nt_token_check_sid( &sid, token );
112 }
113
114 if (!do_group_checks(&name, &prefix)) {
115 if (!lookup_name_smbconf(mem_ctx, name, LOOKUP_NAME_ALL,
116 NULL, NULL, &sid, &type)) {
117 DEBUG(5, ("lookup_name %s failed\n", name));
118 return False;
119 }
120 if (type != SID_NAME_USER) {
121 DEBUG(5, ("%s is a %s, expected a user\n",
122 name, sid_type_lookup(type)));
123 return False;
124 }
125 return nt_token_check_sid(&sid, token);
126 }
127
128 for (/* initialized above */ ; *prefix != '\0'; prefix++) {
129 if (*prefix == '+') {
130 if (!lookup_name_smbconf(mem_ctx, name,
131 LOOKUP_NAME_ALL|LOOKUP_NAME_GROUP,
132 NULL, NULL, &sid, &type)) {
133 DEBUG(5, ("lookup_name %s failed\n", name));
134 return False;
135 }
136 if ((type != SID_NAME_DOM_GRP) &&
137 (type != SID_NAME_ALIAS) &&
138 (type != SID_NAME_WKN_GRP)) {
139 DEBUG(5, ("%s is a %s, expected a group\n",
140 name, sid_type_lookup(type)));
141 return False;
142 }
143 if (nt_token_check_sid(&sid, token)) {
144 return True;
145 }
146 continue;
147 }
148 if (*prefix == '&') {
149 continue;
150 }
151 smb_panic("got invalid prefix from do_groups_check");
152 }
153 return False;
154 }
155
156 /*
157 * Check whether a user is contained in the list provided.
158 *
159 * Please note that the user name and share names passed in here mainly for
160 * the substitution routines that expand the parameter values, the decision
161 * whether a user is in the list is done after a lookup_name on the expanded
162 * parameter value, solely based on comparing the SIDs in token.
163 *
164 * The other use is the netgroup check when using @group or &group.
165 */
166
167 bool token_contains_name_in_list(const char *username,
168 const char *domain,
169 const char *sharename,
170 const struct security_token *token,
171 const char **list)
172 {
173 if (list == NULL) {
174 return False;
175 }
176 while (*list != NULL) {
177 TALLOC_CTX *frame = talloc_stackframe();
178 bool ret;
179
180 ret = token_contains_name(frame, username, domain, sharename,
181 token, *list);
182 TALLOC_FREE(frame);
183 if (ret) {
184 return true;
185 }
186 list += 1;
187 }
188 return False;
189 }
190
191 /*
192 * Check whether the user described by "token" has access to share snum.
193 *
194 * This looks at "invalid users" and "valid users".
195 *
196 * Please note that the user name and share names passed in here mainly for
197 * the substitution routines that expand the parameter values, the decision
198 * whether a user is in the list is done after a lookup_name on the expanded
199 * parameter value, solely based on comparing the SIDs in token.
200 *
201 * The other use is the netgroup check when using @group or &group.
202 */
203
204 bool user_ok_token(const char *username, const char *domain,
205 const struct security_token *token, int snum)
206 {
207 const struct loadparm_substitution *lp_sub =
208 loadparm_s3_global_substitution();
209
210 if (lp_invalid_users(snum) != NULL) {
211 if (token_contains_name_in_list(username, domain,
212 lp_servicename(talloc_tos(), lp_sub, snum),
213 token,
214 lp_invalid_users(snum))) {
215 DEBUG(10, ("User %s in 'invalid users'\n", username));
216 return False;
217 }
218 }
219
220 if (lp_valid_users(snum) != NULL) {
221 if (!token_contains_name_in_list(username, domain,
222 lp_servicename(talloc_tos(), lp_sub, snum),
223 token,
224 lp_valid_users(snum))) {
225 DEBUG(10, ("User %s not in 'valid users'\n",
226 username));
227 return False;
228 }
229 }
230
231 DEBUG(10, ("user_ok_token: share %s is ok for unix user %s\n",
232 lp_servicename(talloc_tos(), lp_sub, snum), username));
233
234 return True;
235 }
236
237 /*
238 * Check whether the user described by "token" is restricted to read-only
239 * access on share snum.
240 *
241 * This looks at "read list", "write list" and "read only".
242 *
243 * Please note that the user name and share names passed in here mainly for
244 * the substitution routines that expand the parameter values, the decision
245 * whether a user is in the list is done after a lookup_name on the expanded
246 * parameter value, solely based on comparing the SIDs in token.
247 *
248 * The other use is the netgroup check when using @group or &group.
249 */
250
251 bool is_share_read_only_for_token(const char *username,
252 const char *domain,
253 const struct security_token *token,
254 connection_struct *conn)
255 {
256 const struct loadparm_substitution *lp_sub =
257 loadparm_s3_global_substitution();
258 int snum = SNUM(conn);
259 bool result = conn->read_only;
260
261 if (lp_read_list(snum) != NULL) {
262 if (token_contains_name_in_list(username, domain,
263 lp_servicename(talloc_tos(), lp_sub, snum),
264 token,
265 lp_read_list(snum))) {
266 result = True;
267 }
268 }
269
270 if (lp_write_list(snum) != NULL) {
271 if (token_contains_name_in_list(username, domain,
272 lp_servicename(talloc_tos(), lp_sub, snum),
273 token,
274 lp_write_list(snum))) {
275 result = False;
276 }
277 }
278
279 DEBUG(10,("is_share_read_only_for_user: share %s is %s for unix user "
280 "%s\n", lp_servicename(talloc_tos(), lp_sub, snum),
281 result ? "read-only" : "read-write", username));
282
283 return result;
284 }
Samba GIT mirror