search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Remove a bunch of direct inbuf references by adding "buf" to smb_request
[Samba.git] / source3 / smbd / uid.c
blob8998f6a371bd0adb9e549ef825ea0c216904b7c5
1 /*
2 Unix SMB/CIFS implementation.
3 uid/user handling
4 Copyright (C) Andrew Tridgell 1992-1998
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
18 */
19
20 #include "includes.h"
21
22 /* what user is current? */
23 extern struct current_user current_user;
24
25 /****************************************************************************
26 Become the guest user without changing the security context stack.
27 ****************************************************************************/
28
29 bool change_to_guest(void)
30 {
31 static struct passwd *pass=NULL;
32
33 if (!pass) {
34 /* Don't need to free() this as its stored in a static */
35 pass = getpwnam_alloc(NULL, lp_guestaccount());
36 if (!pass)
37 return(False);
38 }
39
40 #ifdef AIX
41 /* MWW: From AIX FAQ patch to WU-ftpd: call initgroups before
42 setting IDs */
43 initgroups(pass->pw_name, pass->pw_gid);
44 #endif
45
46 set_sec_ctx(pass->pw_uid, pass->pw_gid, 0, NULL, NULL);
47
48 current_user.conn = NULL;
49 current_user.vuid = UID_FIELD_INVALID;
50
51 TALLOC_FREE(pass);
52 pass = NULL;
53
54 return True;
55 }
56
57 /*******************************************************************
58 Check if a username is OK.
59
60 This sets up conn->server_info with a copy related to this vuser that
61 later code can then mess with.
62 ********************************************************************/
63
64 static bool check_user_ok(connection_struct *conn, uint16_t vuid,
65 struct auth_serversupplied_info *server_info,
66 int snum)
67 {
68 unsigned int i;
69 struct vuid_cache_entry *ent = NULL;
70 bool readonly_share;
71 bool admin_user;
72
73 for (i=0; i<VUID_CACHE_SIZE; i++) {
74 ent = &conn->vuid_cache.array[i];
75 if (ent->vuid == vuid) {
76 conn->server_info = ent->server_info;
77 conn->read_only = ent->read_only;
78 conn->admin_user = ent->admin_user;
79 return(True);
80 }
81 }
82
83 if (!user_ok_token(server_info->unix_name,
84 pdb_get_domain(server_info->sam_account),
85 server_info->ptok, snum))
86 return(False);
87
88 readonly_share = is_share_read_only_for_token(
89 server_info->unix_name,
90 pdb_get_domain(server_info->sam_account),
91 server_info->ptok, snum);
92
93 if (!readonly_share &&
94 !share_access_check(server_info->ptok, lp_servicename(snum),
95 FILE_WRITE_DATA)) {
96 /* smb.conf allows r/w, but the security descriptor denies
97 * write. Fall back to looking at readonly. */
98 readonly_share = True;
99 DEBUG(5,("falling back to read-only access-evaluation due to "
100 "security descriptor\n"));
101 }
102
103 if (!share_access_check(server_info->ptok, lp_servicename(snum),
104 readonly_share ?
105 FILE_READ_DATA : FILE_WRITE_DATA)) {
106 return False;
107 }
108
109 admin_user = token_contains_name_in_list(
110 server_info->unix_name,
111 pdb_get_domain(server_info->sam_account),
112 NULL, server_info->ptok, lp_admin_users(snum));
113
114 ent = &conn->vuid_cache.array[conn->vuid_cache.next_entry];
115
116 conn->vuid_cache.next_entry =
117 (conn->vuid_cache.next_entry + 1) % VUID_CACHE_SIZE;
118
119 TALLOC_FREE(ent->server_info);
120
121 /*
122 * If force_user was set, all server_info's are based on the same
123 * username-based faked one.
124 */
125
126 ent->server_info = copy_serverinfo(
127 conn, conn->force_user ? conn->server_info : server_info);
128
129 if (ent->server_info == NULL) {
130 ent->vuid = UID_FIELD_INVALID;
131 return false;
132 }
133
134 ent->vuid = vuid;
135 ent->read_only = readonly_share;
136 ent->admin_user = admin_user;
137
138 conn->read_only = ent->read_only;
139 conn->admin_user = ent->admin_user;
140 conn->server_info = ent->server_info;
141
142 return(True);
143 }
144
145 /****************************************************************************
146 Clear a vuid out of the connection's vuid cache
147 ****************************************************************************/
148
149 void conn_clear_vuid_cache(connection_struct *conn, uint16_t vuid)
150 {
151 int i;
152
153 for (i=0; i<VUID_CACHE_SIZE; i++) {
154 struct vuid_cache_entry *ent;
155
156 ent = &conn->vuid_cache.array[i];
157
158 if (ent->vuid == vuid) {
159 ent->vuid = UID_FIELD_INVALID;
160 TALLOC_FREE(ent->server_info);
161 ent->read_only = False;
162 ent->admin_user = False;
163 }
164 }
165 }
166
167 /****************************************************************************
168 Become the user of a connection number without changing the security context
169 stack, but modify the current_user entries.
170 ****************************************************************************/
171
172 bool change_to_user(connection_struct *conn, uint16 vuid)
173 {
174 user_struct *vuser = get_valid_user_struct(vuid);
175 int snum;
176 gid_t gid;
177 uid_t uid;
178 char group_c;
179 int num_groups = 0;
180 gid_t *group_list = NULL;
181
182 if (!conn) {
183 DEBUG(2,("change_to_user: Connection not open\n"));
184 return(False);
185 }
186
187 /*
188 * We need a separate check in security=share mode due to vuid
189 * always being UID_FIELD_INVALID. If we don't do this then
190 * in share mode security we are *always* changing uid's between
191 * SMB's - this hurts performance - Badly.
192 */
193
194 if((lp_security() == SEC_SHARE) && (current_user.conn == conn) &&
195 (current_user.ut.uid == conn->server_info->utok.uid)) {
196 DEBUG(4,("change_to_user: Skipping user change - already "
197 "user\n"));
198 return(True);
199 } else if ((current_user.conn == conn) &&
200 (vuser != NULL) && (current_user.vuid == vuid) &&
201 (current_user.ut.uid == vuser->server_info->utok.uid)) {
202 DEBUG(4,("change_to_user: Skipping user change - already "
203 "user\n"));
204 return(True);
205 }
206
207 snum = SNUM(conn);
208
209 if ((vuser) && !check_user_ok(conn, vuid, vuser->server_info, snum)) {
210 DEBUG(2,("change_to_user: SMB user %s (unix user %s, vuid %d) "
211 "not permitted access to share %s.\n",
212 vuser->server_info->sanitized_username,
213 vuser->server_info->unix_name, vuid,
214 lp_servicename(snum)));
215 return False;
216 }
217
218 /*
219 * conn->server_info is now correctly set up with a copy we can mess
220 * with for force_group etc.
221 */
222
223 if (conn->force_user) /* security = share sets this too */ {
224 uid = conn->server_info->utok.uid;
225 gid = conn->server_info->utok.gid;
226 group_list = conn->server_info->utok.groups;
227 num_groups = conn->server_info->utok.ngroups;
228 } else if (vuser) {
229 uid = conn->admin_user ? 0 : vuser->server_info->utok.uid;
230 gid = conn->server_info->utok.gid;
231 num_groups = conn->server_info->utok.ngroups;
232 group_list = conn->server_info->utok.groups;
233 } else {
234 DEBUG(2,("change_to_user: Invalid vuid used %d in accessing "
235 "share %s.\n",vuid, lp_servicename(snum) ));
236 return False;
237 }
238
239 /*
240 * See if we should force group for this service.
241 * If so this overrides any group set in the force
242 * user code.
243 */
244
245 if((group_c = *lp_force_group(snum))) {
246
247 if(group_c == '+') {
248
249 /*
250 * Only force group if the user is a member of
251 * the service group. Check the group memberships for
252 * this user (we already have this) to
253 * see if we should force the group.
254 */
255
256 int i;
257 for (i = 0; i < num_groups; i++) {
258 if (group_list[i]
259 == conn->server_info->utok.gid) {
260 gid = conn->server_info->utok.gid;
261 gid_to_sid(&conn->server_info->ptok
262 ->user_sids[1], gid);
263 break;
264 }
265 }
266 } else {
267 gid = conn->server_info->utok.gid;
268 gid_to_sid(&conn->server_info->ptok->user_sids[1],
269 gid);
270 }
271 }
272
273 /* Now set current_user since we will immediately also call
274 set_sec_ctx() */
275
276 current_user.ut.ngroups = num_groups;
277 current_user.ut.groups = group_list;
278
279 set_sec_ctx(uid, gid, current_user.ut.ngroups, current_user.ut.groups,
280 conn->server_info->ptok);
281
282 current_user.conn = conn;
283 current_user.vuid = vuid;
284
285 DEBUG(5,("change_to_user uid=(%d,%d) gid=(%d,%d)\n",
286 (int)getuid(),(int)geteuid(),(int)getgid(),(int)getegid()));
287
288 return(True);
289 }
290
291 /****************************************************************************
292 Go back to being root without changing the security context stack,
293 but modify the current_user entries.
294 ****************************************************************************/
295
296 bool change_to_root_user(void)
297 {
298 set_root_sec_ctx();
299
300 DEBUG(5,("change_to_root_user: now uid=(%d,%d) gid=(%d,%d)\n",
301 (int)getuid(),(int)geteuid(),(int)getgid(),(int)getegid()));
302
303 current_user.conn = NULL;
304 current_user.vuid = UID_FIELD_INVALID;
305
306 return(True);
307 }
308
309 /****************************************************************************
310 Become the user of an authenticated connected named pipe.
311 When this is called we are currently running as the connection
312 user. Doesn't modify current_user.
313 ****************************************************************************/
314
315 bool become_authenticated_pipe_user(pipes_struct *p)
316 {
317 if (!push_sec_ctx())
318 return False;
319
320 set_sec_ctx(p->pipe_user.ut.uid, p->pipe_user.ut.gid,
321 p->pipe_user.ut.ngroups, p->pipe_user.ut.groups,
322 p->pipe_user.nt_user_token);
323
324 return True;
325 }
326
327 /****************************************************************************
328 Unbecome the user of an authenticated connected named pipe.
329 When this is called we are running as the authenticated pipe
330 user and need to go back to being the connection user. Doesn't modify
331 current_user.
332 ****************************************************************************/
333
334 bool unbecome_authenticated_pipe_user(void)
335 {
336 return pop_sec_ctx();
337 }
338
339 /****************************************************************************
340 Utility functions used by become_xxx/unbecome_xxx.
341 ****************************************************************************/
342
343 struct conn_ctx {
344 connection_struct *conn;
345 uint16 vuid;
346 };
347
348 /* A stack of current_user connection contexts. */
349
350 static struct conn_ctx conn_ctx_stack[MAX_SEC_CTX_DEPTH];
351 static int conn_ctx_stack_ndx;
352
353 static void push_conn_ctx(void)
354 {
355 struct conn_ctx *ctx_p;
356
357 /* Check we don't overflow our stack */
358
359 if (conn_ctx_stack_ndx == MAX_SEC_CTX_DEPTH) {
360 DEBUG(0, ("Connection context stack overflow!\n"));
361 smb_panic("Connection context stack overflow!\n");
362 }
363
364 /* Store previous user context */
365 ctx_p = &conn_ctx_stack[conn_ctx_stack_ndx];
366
367 ctx_p->conn = current_user.conn;
368 ctx_p->vuid = current_user.vuid;
369
370 DEBUG(3, ("push_conn_ctx(%u) : conn_ctx_stack_ndx = %d\n",
371 (unsigned int)ctx_p->vuid, conn_ctx_stack_ndx ));
372
373 conn_ctx_stack_ndx++;
374 }
375
376 static void pop_conn_ctx(void)
377 {
378 struct conn_ctx *ctx_p;
379
380 /* Check for stack underflow. */
381
382 if (conn_ctx_stack_ndx == 0) {
383 DEBUG(0, ("Connection context stack underflow!\n"));
384 smb_panic("Connection context stack underflow!\n");
385 }
386
387 conn_ctx_stack_ndx--;
388 ctx_p = &conn_ctx_stack[conn_ctx_stack_ndx];
389
390 current_user.conn = ctx_p->conn;
391 current_user.vuid = ctx_p->vuid;
392
393 ctx_p->conn = NULL;
394 ctx_p->vuid = UID_FIELD_INVALID;
395 }
396
397 /****************************************************************************
398 Temporarily become a root user. Must match with unbecome_root(). Saves and
399 restores the connection context.
400 ****************************************************************************/
401
402 void become_root(void)
403 {
404 /*
405 * no good way to handle push_sec_ctx() failing without changing
406 * the prototype of become_root()
407 */
408 if (!push_sec_ctx()) {
409 smb_panic("become_root: push_sec_ctx failed");
410 }
411 push_conn_ctx();
412 set_root_sec_ctx();
413 }
414
415 /* Unbecome the root user */
416
417 void unbecome_root(void)
418 {
419 pop_sec_ctx();
420 pop_conn_ctx();
421 }
422
423 /****************************************************************************
424 Push the current security context then force a change via change_to_user().
425 Saves and restores the connection context.
426 ****************************************************************************/
427
428 bool become_user(connection_struct *conn, uint16 vuid)
429 {
430 if (!push_sec_ctx())
431 return False;
432
433 push_conn_ctx();
434
435 if (!change_to_user(conn, vuid)) {
436 pop_sec_ctx();
437 pop_conn_ctx();
438 return False;
439 }
440
441 return True;
442 }
443
444 bool unbecome_user(void)
445 {
446 pop_sec_ctx();
447 pop_conn_ctx();
448 return True;
449 }
Samba GIT mirror