search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
smbd: Return "blocker_pid" from do_lock()
[Samba.git] / source3 / smbd / uid.c
bloba4bcb747d37e61b1856a10f4e173cea6c2847762
1 /*
2 Unix SMB/CIFS implementation.
3 uid/user handling
4 Copyright (C) Andrew Tridgell 1992-1998
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
18 */
19
20 #include "includes.h"
21 #include "system/passwd.h"
22 #include "smbd/smbd.h"
23 #include "smbd/globals.h"
24 #include "../librpc/gen_ndr/netlogon.h"
25 #include "libcli/security/security.h"
26 #include "passdb/lookup_sid.h"
27 #include "auth.h"
28 #include "../auth/auth_util.h"
29
30 /* what user is current? */
31 extern struct current_user current_user;
32
33 /****************************************************************************
34 Become the guest user without changing the security context stack.
35 ****************************************************************************/
36
37 bool change_to_guest(void)
38 {
39 struct passwd *pass;
40
41 pass = Get_Pwnam_alloc(talloc_tos(), lp_guest_account());
42 if (!pass) {
43 return false;
44 }
45
46 #ifdef AIX
47 /* MWW: From AIX FAQ patch to WU-ftpd: call initgroups before
48 setting IDs */
49 initgroups(pass->pw_name, pass->pw_gid);
50 #endif
51
52 set_sec_ctx(pass->pw_uid, pass->pw_gid, 0, NULL, NULL);
53
54 current_user.conn = NULL;
55 current_user.vuid = UID_FIELD_INVALID;
56 current_user.need_chdir = false;
57 current_user.done_chdir = false;
58
59 TALLOC_FREE(pass);
60
61 return true;
62 }
63
64 /****************************************************************************
65 talloc free the conn->session_info if not used in the vuid cache.
66 ****************************************************************************/
67
68 static void free_conn_session_info_if_unused(connection_struct *conn)
69 {
70 unsigned int i;
71
72 for (i = 0; i < VUID_CACHE_SIZE; i++) {
73 struct vuid_cache_entry *ent;
74 ent = &conn->vuid_cache->array[i];
75 if (ent->vuid != UID_FIELD_INVALID &&
76 conn->session_info == ent->session_info) {
77 return;
78 }
79 }
80 /* Not used, safe to free. */
81 TALLOC_FREE(conn->session_info);
82 }
83
84 /****************************************************************************
85 Setup the share access mask for a connection.
86 ****************************************************************************/
87
88 static uint32_t create_share_access_mask(int snum,
89 bool readonly_share,
90 const struct security_token *token)
91 {
92 uint32_t share_access = 0;
93
94 share_access_check(token,
95 lp_const_servicename(snum),
96 MAXIMUM_ALLOWED_ACCESS,
97 &share_access);
98
99 if (readonly_share) {
100 share_access &=
101 ~(SEC_FILE_WRITE_DATA | SEC_FILE_APPEND_DATA |
102 SEC_FILE_WRITE_EA | SEC_FILE_WRITE_ATTRIBUTE |
103 SEC_DIR_DELETE_CHILD );
104 }
105
106 if (security_token_has_privilege(token, SEC_PRIV_SECURITY)) {
107 share_access |= SEC_FLAG_SYSTEM_SECURITY;
108 }
109 if (security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
110 share_access |= SEC_RIGHTS_PRIV_RESTORE;
111 }
112 if (security_token_has_privilege(token, SEC_PRIV_BACKUP)) {
113 share_access |= SEC_RIGHTS_PRIV_BACKUP;
114 }
115 if (security_token_has_privilege(token, SEC_PRIV_TAKE_OWNERSHIP)) {
116 share_access |= SEC_STD_WRITE_OWNER;
117 }
118
119 return share_access;
120 }
121
122 /*******************************************************************
123 Calculate access mask and if this user can access this share.
124 ********************************************************************/
125
126 NTSTATUS check_user_share_access(connection_struct *conn,
127 const struct auth_session_info *session_info,
128 uint32_t *p_share_access,
129 bool *p_readonly_share)
130 {
131 int snum = SNUM(conn);
132 uint32_t share_access = 0;
133 bool readonly_share = false;
134
135 if (!user_ok_token(session_info->unix_info->unix_name,
136 session_info->info->domain_name,
137 session_info->security_token, snum)) {
138 return NT_STATUS_ACCESS_DENIED;
139 }
140
141 readonly_share = is_share_read_only_for_token(
142 session_info->unix_info->unix_name,
143 session_info->info->domain_name,
144 session_info->security_token,
145 conn);
146
147 share_access = create_share_access_mask(snum,
148 readonly_share,
149 session_info->security_token);
150
151 if ((share_access & (FILE_READ_DATA|FILE_WRITE_DATA)) == 0) {
152 /* No access, read or write. */
153 DBG_NOTICE("user %s connection to %s denied due to share "
154 "security descriptor.\n",
155 session_info->unix_info->unix_name,
156 lp_const_servicename(snum));
157 return NT_STATUS_ACCESS_DENIED;
158 }
159
160 if (!readonly_share &&
161 !(share_access & FILE_WRITE_DATA)) {
162 /* smb.conf allows r/w, but the security descriptor denies
163 * write. Fall back to looking at readonly. */
164 readonly_share = true;
165 DBG_INFO("falling back to read-only access-evaluation due to "
166 "security descriptor\n");
167 }
168
169 *p_share_access = share_access;
170 *p_readonly_share = readonly_share;
171
172 return NT_STATUS_OK;
173 }
174
175 /*******************************************************************
176 Check if a username is OK.
177
178 This sets up conn->session_info with a copy related to this vuser that
179 later code can then mess with.
180 ********************************************************************/
181
182 static bool check_user_ok(connection_struct *conn,
183 uint64_t vuid,
184 const struct auth_session_info *session_info,
185 int snum)
186 {
187 unsigned int i;
188 bool readonly_share = false;
189 bool admin_user = false;
190 struct vuid_cache_entry *ent = NULL;
191 uint32_t share_access = 0;
192 NTSTATUS status;
193
194 for (i=0; i<VUID_CACHE_SIZE; i++) {
195 ent = &conn->vuid_cache->array[i];
196 if (ent->vuid == vuid) {
197 if (vuid == UID_FIELD_INVALID) {
198 /*
199 * Slow path, we don't care
200 * about the array traversal.
201 */
202 continue;
203 }
204 free_conn_session_info_if_unused(conn);
205 conn->session_info = ent->session_info;
206 conn->read_only = ent->read_only;
207 conn->share_access = ent->share_access;
208 conn->vuid = ent->vuid;
209 return(True);
210 }
211 }
212
213 status = check_user_share_access(conn,
214 session_info,
215 &share_access,
216 &readonly_share);
217 if (!NT_STATUS_IS_OK(status)) {
218 return false;
219 }
220
221 admin_user = token_contains_name_in_list(
222 session_info->unix_info->unix_name,
223 session_info->info->domain_name,
224 NULL, session_info->security_token, lp_admin_users(snum));
225
226 ent = &conn->vuid_cache->array[conn->vuid_cache->next_entry];
227
228 conn->vuid_cache->next_entry =
229 (conn->vuid_cache->next_entry + 1) % VUID_CACHE_SIZE;
230
231 TALLOC_FREE(ent->session_info);
232
233 /*
234 * If force_user was set, all session_info's are based on the same
235 * username-based faked one.
236 */
237
238 ent->session_info = copy_session_info(
239 conn, conn->force_user ? conn->session_info : session_info);
240
241 if (ent->session_info == NULL) {
242 ent->vuid = UID_FIELD_INVALID;
243 return false;
244 }
245
246 if (admin_user) {
247 DEBUG(2,("check_user_ok: user %s is an admin user. "
248 "Setting uid as %d\n",
249 ent->session_info->unix_info->unix_name,
250 sec_initial_uid() ));
251 ent->session_info->unix_token->uid = sec_initial_uid();
252 }
253
254 /*
255 * It's actually OK to call check_user_ok() with
256 * vuid == UID_FIELD_INVALID as called from change_to_user_by_session().
257 * All this will do is throw away one entry in the cache.
258 */
259
260 ent->vuid = vuid;
261 ent->read_only = readonly_share;
262 ent->share_access = share_access;
263 free_conn_session_info_if_unused(conn);
264 conn->session_info = ent->session_info;
265 conn->vuid = ent->vuid;
266 if (vuid == UID_FIELD_INVALID) {
267 /*
268 * Not strictly needed, just make it really
269 * clear this entry is actually an unused one.
270 */
271 ent->read_only = false;
272 ent->share_access = 0;
273 ent->session_info = NULL;
274 }
275
276 conn->read_only = readonly_share;
277 conn->share_access = share_access;
278
279 return(True);
280 }
281
282 /****************************************************************************
283 Become the user of a connection number without changing the security context
284 stack, but modify the current_user entries.
285 ****************************************************************************/
286
287 static bool change_to_user_internal(connection_struct *conn,
288 const struct auth_session_info *session_info,
289 uint64_t vuid)
290 {
291 int snum;
292 gid_t gid;
293 uid_t uid;
294 const char *force_group_name;
295 char group_c;
296 int num_groups = 0;
297 gid_t *group_list = NULL;
298 bool ok;
299
300 if ((current_user.conn == conn) &&
301 (current_user.vuid == vuid) &&
302 (current_user.need_chdir == conn->tcon_done) &&
303 (current_user.ut.uid == session_info->unix_token->uid))
304 {
305 DBG_INFO("Skipping user change - already user\n");
306 return true;
307 }
308
309 set_current_user_info(session_info->unix_info->sanitized_username,
310 session_info->unix_info->unix_name,
311 session_info->info->domain_name);
312
313 snum = SNUM(conn);
314
315 ok = check_user_ok(conn, vuid, session_info, snum);
316 if (!ok) {
317 DBG_WARNING("SMB user %s (unix user %s) "
318 "not permitted access to share %s.\n",
319 session_info->unix_info->sanitized_username,
320 session_info->unix_info->unix_name,
321 lp_const_servicename(snum));
322 return false;
323 }
324
325 uid = conn->session_info->unix_token->uid;
326 gid = conn->session_info->unix_token->gid;
327 num_groups = conn->session_info->unix_token->ngroups;
328 group_list = conn->session_info->unix_token->groups;
329
330 /*
331 * See if we should force group for this service. If so this overrides
332 * any group set in the force user code.
333 */
334 force_group_name = lp_force_group(talloc_tos(), snum);
335 group_c = *force_group_name;
336
337 if ((group_c != '\0') && (conn->force_group_gid == (gid_t)-1)) {
338 /*
339 * This can happen if "force group" is added to a
340 * share definition whilst an existing connection
341 * to that share exists. In that case, don't change
342 * the existing credentials for force group, only
343 * do so for new connections.
344 *
345 * BUG: https://bugzilla.samba.org/show_bug.cgi?id=13690
346 */
347 DBG_INFO("Not forcing group %s on existing connection to "
348 "share %s for SMB user %s (unix user %s)\n",
349 force_group_name,
350 lp_const_servicename(snum),
351 session_info->unix_info->sanitized_username,
352 session_info->unix_info->unix_name);
353 }
354
355 if((group_c != '\0') && (conn->force_group_gid != (gid_t)-1)) {
356 /*
357 * Only force group for connections where
358 * conn->force_group_gid has already been set
359 * to the correct value (i.e. the connection
360 * happened after the 'force group' definition
361 * was added to the share definition. Connections
362 * that were made before force group was added
363 * should stay with their existing credentials.
364 *
365 * BUG: https://bugzilla.samba.org/show_bug.cgi?id=13690
366 */
367
368 if (group_c == '+') {
369 int i;
370
371 /*
372 * Only force group if the user is a member of the
373 * service group. Check the group memberships for this
374 * user (we already have this) to see if we should force
375 * the group.
376 */
377 for (i = 0; i < num_groups; i++) {
378 if (group_list[i] == conn->force_group_gid) {
379 conn->session_info->unix_token->gid =
380 conn->force_group_gid;
381 gid = conn->force_group_gid;
382 gid_to_sid(&conn->session_info->security_token
383 ->sids[1], gid);
384 break;
385 }
386 }
387 } else {
388 conn->session_info->unix_token->gid = conn->force_group_gid;
389 gid = conn->force_group_gid;
390 gid_to_sid(&conn->session_info->security_token->sids[1],
391 gid);
392 }
393 }
394
395 /*Set current_user since we will immediately also call set_sec_ctx() */
396 current_user.ut.ngroups = num_groups;
397 current_user.ut.groups = group_list;
398
399 set_sec_ctx(uid,
400 gid,
401 current_user.ut.ngroups,
402 current_user.ut.groups,
403 conn->session_info->security_token);
404
405 current_user.conn = conn;
406 current_user.vuid = vuid;
407 current_user.need_chdir = conn->tcon_done;
408
409 if (current_user.need_chdir) {
410 ok = chdir_current_service(conn);
411 if (!ok) {
412 DBG_ERR("chdir_current_service() failed!\n");
413 return false;
414 }
415 current_user.done_chdir = true;
416 }
417
418 if (CHECK_DEBUGLVL(DBGLVL_INFO)) {
419 struct smb_filename *cwdfname = vfs_GetWd(talloc_tos(), conn);
420 if (cwdfname == NULL) {
421 return false;
422 }
423 DBG_INFO("Impersonated user: uid=(%d,%d), gid=(%d,%d), cwd=[%s]\n",
424 (int)getuid(),
425 (int)geteuid(),
426 (int)getgid(),
427 (int)getegid(),
428 cwdfname->base_name);
429 TALLOC_FREE(cwdfname);
430 }
431
432 return true;
433 }
434
435 bool change_to_user(connection_struct *conn, uint64_t vuid)
436 {
437 struct user_struct *vuser;
438 int snum = SNUM(conn);
439
440 if (!conn) {
441 DEBUG(2,("Connection not open\n"));
442 return(False);
443 }
444
445 vuser = get_valid_user_struct(conn->sconn, vuid);
446 if (vuser == NULL) {
447 /* Invalid vuid sent */
448 DBG_WARNING("Invalid vuid %llu used on share %s.\n",
449 (unsigned long long)vuid,
450 lp_const_servicename(snum));
451 return false;
452 }
453
454 return change_to_user_internal(conn, vuser->session_info, vuid);
455 }
456
457 bool change_to_user_by_fsp(struct files_struct *fsp)
458 {
459 return change_to_user(fsp->conn, fsp->vuid);
460 }
461
462 static bool change_to_user_by_session(connection_struct *conn,
463 const struct auth_session_info *session_info)
464 {
465 SMB_ASSERT(conn != NULL);
466 SMB_ASSERT(session_info != NULL);
467
468 return change_to_user_internal(conn, session_info, UID_FIELD_INVALID);
469 }
470
471 /****************************************************************************
472 Go back to being root without changing the security context stack,
473 but modify the current_user entries.
474 ****************************************************************************/
475
476 bool smbd_change_to_root_user(void)
477 {
478 set_root_sec_ctx();
479
480 DEBUG(5,("change_to_root_user: now uid=(%d,%d) gid=(%d,%d)\n",
481 (int)getuid(),(int)geteuid(),(int)getgid(),(int)getegid()));
482
483 current_user.conn = NULL;
484 current_user.vuid = UID_FIELD_INVALID;
485 current_user.need_chdir = false;
486 current_user.done_chdir = false;
487
488 return(True);
489 }
490
491 /****************************************************************************
492 Become the user of an authenticated connected named pipe.
493 When this is called we are currently running as the connection
494 user. Doesn't modify current_user.
495 ****************************************************************************/
496
497 bool smbd_become_authenticated_pipe_user(struct auth_session_info *session_info)
498 {
499 if (!push_sec_ctx())
500 return False;
501
502 set_sec_ctx(session_info->unix_token->uid, session_info->unix_token->gid,
503 session_info->unix_token->ngroups, session_info->unix_token->groups,
504 session_info->security_token);
505
506 DEBUG(5, ("Impersonated user: uid=(%d,%d), gid=(%d,%d)\n",
507 (int)getuid(),
508 (int)geteuid(),
509 (int)getgid(),
510 (int)getegid()));
511
512 return True;
513 }
514
515 /****************************************************************************
516 Unbecome the user of an authenticated connected named pipe.
517 When this is called we are running as the authenticated pipe
518 user and need to go back to being the connection user. Doesn't modify
519 current_user.
520 ****************************************************************************/
521
522 bool smbd_unbecome_authenticated_pipe_user(void)
523 {
524 return pop_sec_ctx();
525 }
526
527 /****************************************************************************
528 Utility functions used by become_xxx/unbecome_xxx.
529 ****************************************************************************/
530
531 static void push_conn_ctx(void)
532 {
533 struct conn_ctx *ctx_p;
534 extern userdom_struct current_user_info;
535
536 /* Check we don't overflow our stack */
537
538 if (conn_ctx_stack_ndx == MAX_SEC_CTX_DEPTH) {
539 DEBUG(0, ("Connection context stack overflow!\n"));
540 smb_panic("Connection context stack overflow!\n");
541 }
542
543 /* Store previous user context */
544 ctx_p = &conn_ctx_stack[conn_ctx_stack_ndx];
545
546 ctx_p->conn = current_user.conn;
547 ctx_p->vuid = current_user.vuid;
548 ctx_p->need_chdir = current_user.need_chdir;
549 ctx_p->done_chdir = current_user.done_chdir;
550 ctx_p->user_info = current_user_info;
551
552 DEBUG(4, ("push_conn_ctx(%llu) : conn_ctx_stack_ndx = %d\n",
553 (unsigned long long)ctx_p->vuid, conn_ctx_stack_ndx));
554
555 conn_ctx_stack_ndx++;
556 }
557
558 static void pop_conn_ctx(void)
559 {
560 struct conn_ctx *ctx_p;
561
562 /* Check for stack underflow. */
563
564 if (conn_ctx_stack_ndx == 0) {
565 DEBUG(0, ("Connection context stack underflow!\n"));
566 smb_panic("Connection context stack underflow!\n");
567 }
568
569 conn_ctx_stack_ndx--;
570 ctx_p = &conn_ctx_stack[conn_ctx_stack_ndx];
571
572 set_current_user_info(ctx_p->user_info.smb_name,
573 ctx_p->user_info.unix_name,
574 ctx_p->user_info.domain);
575
576 /*
577 * Check if the current context did a chdir_current_service()
578 * and restore the cwd_fname of the previous context
579 * if needed.
580 */
581 if (current_user.done_chdir && ctx_p->need_chdir) {
582 int ret;
583
584 ret = vfs_ChDir(ctx_p->conn, ctx_p->conn->cwd_fname);
585 if (ret != 0) {
586 DBG_ERR("vfs_ChDir() failed!\n");
587 smb_panic("vfs_ChDir() failed!\n");
588 }
589 }
590
591 current_user.conn = ctx_p->conn;
592 current_user.vuid = ctx_p->vuid;
593 current_user.need_chdir = ctx_p->need_chdir;
594 current_user.done_chdir = ctx_p->done_chdir;
595
596 *ctx_p = (struct conn_ctx) {
597 .vuid = UID_FIELD_INVALID,
598 };
599 }
600
601 /****************************************************************************
602 Temporarily become a root user. Must match with unbecome_root(). Saves and
603 restores the connection context.
604 ****************************************************************************/
605
606 void smbd_become_root(void)
607 {
608 /*
609 * no good way to handle push_sec_ctx() failing without changing
610 * the prototype of become_root()
611 */
612 if (!push_sec_ctx()) {
613 smb_panic("become_root: push_sec_ctx failed");
614 }
615 push_conn_ctx();
616 set_root_sec_ctx();
617 }
618
619 /* Unbecome the root user */
620
621 void smbd_unbecome_root(void)
622 {
623 pop_sec_ctx();
624 pop_conn_ctx();
625 }
626
627 /****************************************************************************
628 Push the current security context then force a change via change_to_user().
629 Saves and restores the connection context.
630 ****************************************************************************/
631
632 bool become_user(connection_struct *conn, uint64_t vuid)
633 {
634 if (!push_sec_ctx())
635 return False;
636
637 push_conn_ctx();
638
639 if (!change_to_user(conn, vuid)) {
640 pop_sec_ctx();
641 pop_conn_ctx();
642 return False;
643 }
644
645 return True;
646 }
647
648 bool become_user_by_fsp(struct files_struct *fsp)
649 {
650 return become_user(fsp->conn, fsp->vuid);
651 }
652
653 bool become_user_by_session(connection_struct *conn,
654 const struct auth_session_info *session_info)
655 {
656 if (!push_sec_ctx())
657 return false;
658
659 push_conn_ctx();
660
661 if (!change_to_user_by_session(conn, session_info)) {
662 pop_sec_ctx();
663 pop_conn_ctx();
664 return false;
665 }
666
667 return true;
668 }
669
670 bool unbecome_user(void)
671 {
672 pop_sec_ctx();
673 pop_conn_ctx();
674 return True;
675 }
676
677 /****************************************************************************
678 Return the current user we are running effectively as on this connection.
679 I'd like to make this return conn->session_info->unix_token->uid, but become_root()
680 doesn't alter this value.
681 ****************************************************************************/
682
683 uid_t get_current_uid(connection_struct *conn)
684 {
685 return current_user.ut.uid;
686 }
687
688 /****************************************************************************
689 Return the current group we are running effectively as on this connection.
690 I'd like to make this return conn->session_info->unix_token->gid, but become_root()
691 doesn't alter this value.
692 ****************************************************************************/
693
694 gid_t get_current_gid(connection_struct *conn)
695 {
696 return current_user.ut.gid;
697 }
698
699 /****************************************************************************
700 Return the UNIX token we are running effectively as on this connection.
701 I'd like to make this return &conn->session_info->unix_token-> but become_root()
702 doesn't alter this value.
703 ****************************************************************************/
704
705 const struct security_unix_token *get_current_utok(connection_struct *conn)
706 {
707 return &current_user.ut;
708 }
709
710 /****************************************************************************
711 Return the Windows token we are running effectively as on this connection.
712 If this is currently a NULL token as we're inside become_root() - a temporary
713 UNIX security override, then we search up the stack for the previous active
714 token.
715 ****************************************************************************/
716
717 const struct security_token *get_current_nttok(connection_struct *conn)
718 {
719 if (current_user.nt_user_token) {
720 return current_user.nt_user_token;
721 }
722 return sec_ctx_active_token();
723 }
724
725 uint64_t get_current_vuid(connection_struct *conn)
726 {
727 return current_user.vuid;
728 }
Samba GIT mirror