search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Fix bug 9811 - Old DOS SMB CTEMP request uses a non-VFS function to access the filesy...
[Samba.git] / source3 / smbd / uid.c
blob7a48cb2945cc3c852c4466b8f75f044d5b0d1c2b
1 /*
2 Unix SMB/CIFS implementation.
3 uid/user handling
4 Copyright (C) Andrew Tridgell 1992-1998
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
18 */
19
20 #include "includes.h"
21 #include "system/passwd.h"
22 #include "smbd/smbd.h"
23 #include "smbd/globals.h"
24 #include "../librpc/gen_ndr/netlogon.h"
25 #include "libcli/security/security.h"
26 #include "passdb/lookup_sid.h"
27 #include "auth.h"
28
29 /* what user is current? */
30 extern struct current_user current_user;
31
32 /****************************************************************************
33 Become the guest user without changing the security context stack.
34 ****************************************************************************/
35
36 bool change_to_guest(void)
37 {
38 struct passwd *pass;
39
40 pass = Get_Pwnam_alloc(talloc_tos(), lp_guestaccount());
41 if (!pass) {
42 return false;
43 }
44
45 #ifdef AIX
46 /* MWW: From AIX FAQ patch to WU-ftpd: call initgroups before
47 setting IDs */
48 initgroups(pass->pw_name, pass->pw_gid);
49 #endif
50
51 set_sec_ctx(pass->pw_uid, pass->pw_gid, 0, NULL, NULL);
52
53 current_user.conn = NULL;
54 current_user.vuid = UID_FIELD_INVALID;
55
56 TALLOC_FREE(pass);
57
58 return true;
59 }
60
61 /****************************************************************************
62 talloc free the conn->session_info if not used in the vuid cache.
63 ****************************************************************************/
64
65 static void free_conn_session_info_if_unused(connection_struct *conn)
66 {
67 unsigned int i;
68
69 for (i = 0; i < VUID_CACHE_SIZE; i++) {
70 struct vuid_cache_entry *ent;
71 ent = &conn->vuid_cache.array[i];
72 if (ent->vuid != UID_FIELD_INVALID &&
73 conn->session_info == ent->session_info) {
74 return;
75 }
76 }
77 /* Not used, safe to free. */
78 TALLOC_FREE(conn->session_info);
79 }
80
81 /*******************************************************************
82 Check if a username is OK.
83
84 This sets up conn->session_info with a copy related to this vuser that
85 later code can then mess with.
86 ********************************************************************/
87
88 static bool check_user_ok(connection_struct *conn,
89 uint16_t vuid,
90 const struct auth_serversupplied_info *session_info,
91 int snum)
92 {
93 bool valid_vuid = (vuid != UID_FIELD_INVALID);
94 unsigned int i;
95 bool readonly_share;
96 bool admin_user;
97
98 if (valid_vuid) {
99 struct vuid_cache_entry *ent;
100
101 for (i=0; i<VUID_CACHE_SIZE; i++) {
102 ent = &conn->vuid_cache.array[i];
103 if (ent->vuid == vuid) {
104 free_conn_session_info_if_unused(conn);
105 conn->session_info = ent->session_info;
106 conn->read_only = ent->read_only;
107 return(True);
108 }
109 }
110 }
111
112 if (!user_ok_token(session_info->unix_name,
113 session_info->info3->base.domain.string,
114 session_info->security_token, snum))
115 return(False);
116
117 readonly_share = is_share_read_only_for_token(
118 session_info->unix_name,
119 session_info->info3->base.domain.string,
120 session_info->security_token,
121 conn);
122
123 if (!readonly_share &&
124 !share_access_check(session_info->security_token,
125 lp_servicename(snum), FILE_WRITE_DATA,
126 NULL)) {
127 /* smb.conf allows r/w, but the security descriptor denies
128 * write. Fall back to looking at readonly. */
129 readonly_share = True;
130 DEBUG(5,("falling back to read-only access-evaluation due to "
131 "security descriptor\n"));
132 }
133
134 if (!share_access_check(session_info->security_token,
135 lp_servicename(snum),
136 readonly_share ?
137 FILE_READ_DATA : FILE_WRITE_DATA,
138 NULL)) {
139 return False;
140 }
141
142 admin_user = token_contains_name_in_list(
143 session_info->unix_name,
144 session_info->info3->base.domain.string,
145 NULL, session_info->security_token, lp_admin_users(snum));
146
147 if (valid_vuid) {
148 struct vuid_cache_entry *ent =
149 &conn->vuid_cache.array[conn->vuid_cache.next_entry];
150
151 conn->vuid_cache.next_entry =
152 (conn->vuid_cache.next_entry + 1) % VUID_CACHE_SIZE;
153
154 TALLOC_FREE(ent->session_info);
155
156 /*
157 * If force_user was set, all session_info's are based on the same
158 * username-based faked one.
159 */
160
161 ent->session_info = copy_serverinfo(
162 conn, conn->force_user ? conn->session_info : session_info);
163
164 if (ent->session_info == NULL) {
165 ent->vuid = UID_FIELD_INVALID;
166 return false;
167 }
168
169 ent->vuid = vuid;
170 ent->read_only = readonly_share;
171 free_conn_session_info_if_unused(conn);
172 conn->session_info = ent->session_info;
173 }
174
175 conn->read_only = readonly_share;
176 if (admin_user) {
177 DEBUG(2,("check_user_ok: user %s is an admin user. "
178 "Setting uid as %d\n",
179 conn->session_info->unix_name,
180 sec_initial_uid() ));
181 conn->session_info->utok.uid = sec_initial_uid();
182 }
183
184 return(True);
185 }
186
187 /****************************************************************************
188 Clear a vuid out of the connection's vuid cache
189 This is only called on SMBulogoff.
190 ****************************************************************************/
191
192 void conn_clear_vuid_cache(connection_struct *conn, uint16_t vuid)
193 {
194 int i;
195
196 for (i=0; i<VUID_CACHE_SIZE; i++) {
197 struct vuid_cache_entry *ent;
198
199 ent = &conn->vuid_cache.array[i];
200
201 if (ent->vuid == vuid) {
202 ent->vuid = UID_FIELD_INVALID;
203 /*
204 * We need to keep conn->session_info around
205 * if it's equal to ent->session_info as a SMBulogoff
206 * is often followed by a SMBtdis (with an invalid
207 * vuid). The debug code (or regular code in
208 * vfs_full_audit) wants to refer to the
209 * conn->session_info pointer to print debug
210 * statements. Theoretically this is a bug,
211 * as once the vuid is gone the session_info
212 * on the conn struct isn't valid any more,
213 * but there's enough code that assumes
214 * conn->session_info is never null that
215 * it's easier to hold onto the old pointer
216 * until we get a new sessionsetupX.
217 * As everything is hung off the
218 * conn pointer as a talloc context we're not
219 * leaking memory here. See bug #6315. JRA.
220 */
221 if (conn->session_info == ent->session_info) {
222 ent->session_info = NULL;
223 } else {
224 TALLOC_FREE(ent->session_info);
225 }
226 ent->read_only = False;
227 }
228 }
229 }
230
231 /****************************************************************************
232 Become the user of a connection number without changing the security context
233 stack, but modify the current_user entries.
234 ****************************************************************************/
235
236 static bool change_to_user_internal(connection_struct *conn,
237 const struct auth_serversupplied_info *session_info,
238 uint16_t vuid)
239 {
240 int snum;
241 gid_t gid;
242 uid_t uid;
243 char group_c;
244 int num_groups = 0;
245 gid_t *group_list = NULL;
246 bool ok;
247
248 snum = SNUM(conn);
249
250 ok = check_user_ok(conn, vuid, session_info, snum);
251 if (!ok) {
252 DEBUG(2,("SMB user %s (unix user %s) "
253 "not permitted access to share %s.\n",
254 session_info->sanitized_username,
255 session_info->unix_name,
256 lp_servicename(snum)));
257 return false;
258 }
259
260 uid = conn->session_info->utok.uid;
261 gid = conn->session_info->utok.gid;
262 num_groups = conn->session_info->utok.ngroups;
263 group_list = conn->session_info->utok.groups;
264
265 /*
266 * See if we should force group for this service. If so this overrides
267 * any group set in the force user code.
268 */
269 if((group_c = *lp_force_group(snum))) {
270
271 SMB_ASSERT(conn->force_group_gid != (gid_t)-1);
272
273 if (group_c == '+') {
274 int i;
275
276 /*
277 * Only force group if the user is a member of the
278 * service group. Check the group memberships for this
279 * user (we already have this) to see if we should force
280 * the group.
281 */
282 for (i = 0; i < num_groups; i++) {
283 if (group_list[i] == conn->force_group_gid) {
284 conn->session_info->utok.gid =
285 conn->force_group_gid;
286 gid = conn->force_group_gid;
287 gid_to_sid(&conn->session_info->security_token
288 ->sids[1], gid);
289 break;
290 }
291 }
292 } else {
293 conn->session_info->utok.gid = conn->force_group_gid;
294 gid = conn->force_group_gid;
295 gid_to_sid(&conn->session_info->security_token->sids[1],
296 gid);
297 }
298 }
299
300 /*Set current_user since we will immediately also call set_sec_ctx() */
301 current_user.ut.ngroups = num_groups;
302 current_user.ut.groups = group_list;
303
304 set_sec_ctx(uid,
305 gid,
306 current_user.ut.ngroups,
307 current_user.ut.groups,
308 conn->session_info->security_token);
309
310 current_user.conn = conn;
311 current_user.vuid = vuid;
312
313 DEBUG(5, ("Impersonated user: uid=(%d,%d), gid=(%d,%d)\n",
314 (int)getuid(),
315 (int)geteuid(),
316 (int)getgid(),
317 (int)getegid()));
318
319 return true;
320 }
321
322 bool change_to_user(connection_struct *conn, uint16_t vuid)
323 {
324 const struct auth_serversupplied_info *session_info = NULL;
325 user_struct *vuser;
326 int snum = SNUM(conn);
327
328 if (!conn) {
329 DEBUG(2,("Connection not open\n"));
330 return(False);
331 }
332
333 vuser = get_valid_user_struct(conn->sconn, vuid);
334
335 /*
336 * We need a separate check in security=share mode due to vuid
337 * always being UID_FIELD_INVALID. If we don't do this then
338 * in share mode security we are *always* changing uid's between
339 * SMB's - this hurts performance - Badly.
340 */
341
342 if((lp_security() == SEC_SHARE) && (current_user.conn == conn) &&
343 (current_user.ut.uid == conn->session_info->utok.uid)) {
344 DEBUG(4,("Skipping user change - already "
345 "user\n"));
346 return(True);
347 } else if ((current_user.conn == conn) &&
348 (vuser != NULL) && (current_user.vuid == vuid) &&
349 (current_user.ut.uid == vuser->session_info->utok.uid)) {
350 DEBUG(4,("Skipping user change - already "
351 "user\n"));
352 return(True);
353 }
354
355 session_info = vuser ? vuser->session_info : conn->session_info;
356
357 if (session_info == NULL) {
358 /* Invalid vuid sent - even with security = share. */
359 DEBUG(2,("Invalid vuid %d used on "
360 "share %s.\n", vuid, lp_servicename(snum) ));
361 return false;
362 }
363
364 /* security = share sets force_user. */
365 if (!conn->force_user && vuser == NULL) {
366 DEBUG(2,("Invalid vuid used %d in accessing "
367 "share %s.\n", vuid, lp_servicename(snum) ));
368 return False;
369 }
370
371 return change_to_user_internal(conn, session_info, vuid);
372 }
373
374 bool change_to_user_by_session(connection_struct *conn,
375 const struct auth_serversupplied_info *session_info)
376 {
377 SMB_ASSERT(conn != NULL);
378 SMB_ASSERT(session_info != NULL);
379
380 if ((current_user.conn == conn) &&
381 (current_user.ut.uid == session_info->utok.uid)) {
382 DEBUG(7, ("Skipping user change - already user\n"));
383
384 return true;
385 }
386
387 return change_to_user_internal(conn, session_info, UID_FIELD_INVALID);
388 }
389
390 /****************************************************************************
391 Go back to being root without changing the security context stack,
392 but modify the current_user entries.
393 ****************************************************************************/
394
395 bool change_to_root_user(void)
396 {
397 set_root_sec_ctx();
398
399 DEBUG(5,("change_to_root_user: now uid=(%d,%d) gid=(%d,%d)\n",
400 (int)getuid(),(int)geteuid(),(int)getgid(),(int)getegid()));
401
402 current_user.conn = NULL;
403 current_user.vuid = UID_FIELD_INVALID;
404
405 return(True);
406 }
407
408 /****************************************************************************
409 Become the user of an authenticated connected named pipe.
410 When this is called we are currently running as the connection
411 user. Doesn't modify current_user.
412 ****************************************************************************/
413
414 bool become_authenticated_pipe_user(struct auth_serversupplied_info *session_info)
415 {
416 if (!push_sec_ctx())
417 return False;
418
419 set_sec_ctx(session_info->utok.uid, session_info->utok.gid,
420 session_info->utok.ngroups, session_info->utok.groups,
421 session_info->security_token);
422
423 return True;
424 }
425
426 /****************************************************************************
427 Unbecome the user of an authenticated connected named pipe.
428 When this is called we are running as the authenticated pipe
429 user and need to go back to being the connection user. Doesn't modify
430 current_user.
431 ****************************************************************************/
432
433 bool unbecome_authenticated_pipe_user(void)
434 {
435 return pop_sec_ctx();
436 }
437
438 /****************************************************************************
439 Utility functions used by become_xxx/unbecome_xxx.
440 ****************************************************************************/
441
442 static void push_conn_ctx(void)
443 {
444 struct conn_ctx *ctx_p;
445
446 /* Check we don't overflow our stack */
447
448 if (conn_ctx_stack_ndx == MAX_SEC_CTX_DEPTH) {
449 DEBUG(0, ("Connection context stack overflow!\n"));
450 smb_panic("Connection context stack overflow!\n");
451 }
452
453 /* Store previous user context */
454 ctx_p = &conn_ctx_stack[conn_ctx_stack_ndx];
455
456 ctx_p->conn = current_user.conn;
457 ctx_p->vuid = current_user.vuid;
458
459 DEBUG(4, ("push_conn_ctx(%u) : conn_ctx_stack_ndx = %d\n",
460 (unsigned int)ctx_p->vuid, conn_ctx_stack_ndx ));
461
462 conn_ctx_stack_ndx++;
463 }
464
465 static void pop_conn_ctx(void)
466 {
467 struct conn_ctx *ctx_p;
468
469 /* Check for stack underflow. */
470
471 if (conn_ctx_stack_ndx == 0) {
472 DEBUG(0, ("Connection context stack underflow!\n"));
473 smb_panic("Connection context stack underflow!\n");
474 }
475
476 conn_ctx_stack_ndx--;
477 ctx_p = &conn_ctx_stack[conn_ctx_stack_ndx];
478
479 current_user.conn = ctx_p->conn;
480 current_user.vuid = ctx_p->vuid;
481
482 ctx_p->conn = NULL;
483 ctx_p->vuid = UID_FIELD_INVALID;
484 }
485
486 /****************************************************************************
487 Temporarily become a root user. Must match with unbecome_root(). Saves and
488 restores the connection context.
489 ****************************************************************************/
490
491 void become_root(void)
492 {
493 /*
494 * no good way to handle push_sec_ctx() failing without changing
495 * the prototype of become_root()
496 */
497 if (!push_sec_ctx()) {
498 smb_panic("become_root: push_sec_ctx failed");
499 }
500 push_conn_ctx();
501 set_root_sec_ctx();
502 }
503
504 /* Unbecome the root user */
505
506 void unbecome_root(void)
507 {
508 pop_sec_ctx();
509 pop_conn_ctx();
510 }
511
512 /****************************************************************************
513 Push the current security context then force a change via change_to_user().
514 Saves and restores the connection context.
515 ****************************************************************************/
516
517 bool become_user(connection_struct *conn, uint16 vuid)
518 {
519 if (!push_sec_ctx())
520 return False;
521
522 push_conn_ctx();
523
524 if (!change_to_user(conn, vuid)) {
525 pop_sec_ctx();
526 pop_conn_ctx();
527 return False;
528 }
529
530 return True;
531 }
532
533 bool become_user_by_session(connection_struct *conn,
534 const struct auth_serversupplied_info *session_info)
535 {
536 if (!push_sec_ctx())
537 return false;
538
539 push_conn_ctx();
540
541 if (!change_to_user_by_session(conn, session_info)) {
542 pop_sec_ctx();
543 pop_conn_ctx();
544 return false;
545 }
546
547 return true;
548 }
549
550 bool unbecome_user(void)
551 {
552 pop_sec_ctx();
553 pop_conn_ctx();
554 return True;
555 }
556
557 /****************************************************************************
558 Return the current user we are running effectively as on this connection.
559 I'd like to make this return conn->session_info->utok.uid, but become_root()
560 doesn't alter this value.
561 ****************************************************************************/
562
563 uid_t get_current_uid(connection_struct *conn)
564 {
565 return current_user.ut.uid;
566 }
567
568 /****************************************************************************
569 Return the current group we are running effectively as on this connection.
570 I'd like to make this return conn->session_info->utok.gid, but become_root()
571 doesn't alter this value.
572 ****************************************************************************/
573
574 gid_t get_current_gid(connection_struct *conn)
575 {
576 return current_user.ut.gid;
577 }
578
579 /****************************************************************************
580 Return the UNIX token we are running effectively as on this connection.
581 I'd like to make this return &conn->session_info->utok, but become_root()
582 doesn't alter this value.
583 ****************************************************************************/
584
585 const struct security_unix_token *get_current_utok(connection_struct *conn)
586 {
587 return &current_user.ut;
588 }
589
590 const struct security_token *get_current_nttok(connection_struct *conn)
591 {
592 return current_user.nt_user_token;
593 }
594
595 uint16_t get_current_vuid(connection_struct *conn)
596 {
597 return current_user.vuid;
598 }
Samba GIT mirror