search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3-passdb: use passdb headers where needed.
[Samba.git] / source3 / smbd / share_access.c
blob0c368aae795d8d0ddfe041c1b709e45f516aa7bd
1 /*
2 Unix SMB/CIFS implementation.
3 Check access based on valid users, read list and friends
4 Copyright (C) Volker Lendecke 2005
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
18 */
19
20 #include "includes.h"
21 #include "smbd/globals.h"
22 #include "../libcli/security/security.h"
23 #include "passdb/lookup_sid.h"
24
25 /*
26 * No prefix means direct username
27 * @name means netgroup first, then unix group
28 * &name means netgroup
29 * +name means unix group
30 * + and & may be combined
31 */
32
33 static bool do_group_checks(const char **name, const char **pattern)
34 {
35 if ((*name)[0] == '@') {
36 *pattern = "&+";
37 *name += 1;
38 return True;
39 }
40
41 if (((*name)[0] == '+') && ((*name)[1] == '&')) {
42 *pattern = "+&";
43 *name += 2;
44 return True;
45 }
46
47 if ((*name)[0] == '+') {
48 *pattern = "+";
49 *name += 1;
50 return True;
51 }
52
53 if (((*name)[0] == '&') && ((*name)[1] == '+')) {
54 *pattern = "&+";
55 *name += 2;
56 return True;
57 }
58
59 if ((*name)[0] == '&') {
60 *pattern = "&";
61 *name += 1;
62 return True;
63 }
64
65 return False;
66 }
67
68 static bool token_contains_name(TALLOC_CTX *mem_ctx,
69 const char *username,
70 const char *domain,
71 const char *sharename,
72 const struct security_token *token,
73 const char *name)
74 {
75 const char *prefix;
76 struct dom_sid sid;
77 enum lsa_SidType type;
78
79 if (username != NULL) {
80 name = talloc_sub_basic(mem_ctx, username, domain, name);
81 }
82 if (sharename != NULL) {
83 name = talloc_string_sub(mem_ctx, name, "%S", sharename);
84 }
85
86 if (name == NULL) {
87 /* This is too security sensitive, better panic than return a
88 * result that might be interpreted in a wrong way. */
89 smb_panic("substitutions failed");
90 }
91
92 /* check to see is we already have a SID */
93
94 if ( string_to_sid( &sid, name ) ) {
95 DEBUG(5,("token_contains_name: Checking for SID [%s] in token\n", name));
96 return nt_token_check_sid( &sid, token );
97 }
98
99 if (!do_group_checks(&name, &prefix)) {
100 if (!lookup_name_smbconf(mem_ctx, name, LOOKUP_NAME_ALL,
101 NULL, NULL, &sid, &type)) {
102 DEBUG(5, ("lookup_name %s failed\n", name));
103 return False;
104 }
105 if (type != SID_NAME_USER) {
106 DEBUG(5, ("%s is a %s, expected a user\n",
107 name, sid_type_lookup(type)));
108 return False;
109 }
110 return nt_token_check_sid(&sid, token);
111 }
112
113 for (/* initialized above */ ; *prefix != '\0'; prefix++) {
114 if (*prefix == '+') {
115 if (!lookup_name_smbconf(mem_ctx, name,
116 LOOKUP_NAME_ALL|LOOKUP_NAME_GROUP,
117 NULL, NULL, &sid, &type)) {
118 DEBUG(5, ("lookup_name %s failed\n", name));
119 return False;
120 }
121 if ((type != SID_NAME_DOM_GRP) &&
122 (type != SID_NAME_ALIAS) &&
123 (type != SID_NAME_WKN_GRP)) {
124 DEBUG(5, ("%s is a %s, expected a group\n",
125 name, sid_type_lookup(type)));
126 return False;
127 }
128 if (nt_token_check_sid(&sid, token)) {
129 return True;
130 }
131 continue;
132 }
133 if (*prefix == '&') {
134 if (username) {
135 if (user_in_netgroup(mem_ctx, username, name)) {
136 return True;
137 }
138 }
139 continue;
140 }
141 smb_panic("got invalid prefix from do_groups_check");
142 }
143 return False;
144 }
145
146 /*
147 * Check whether a user is contained in the list provided.
148 *
149 * Please note that the user name and share names passed in here mainly for
150 * the substitution routines that expand the parameter values, the decision
151 * whether a user is in the list is done after a lookup_name on the expanded
152 * parameter value, solely based on comparing the SIDs in token.
153 *
154 * The other use is the netgroup check when using @group or &group.
155 */
156
157 bool token_contains_name_in_list(const char *username,
158 const char *domain,
159 const char *sharename,
160 const struct security_token *token,
161 const char **list)
162 {
163 TALLOC_CTX *mem_ctx;
164
165 if (list == NULL) {
166 return False;
167 }
168
169 if ( (mem_ctx = talloc_new(NULL)) == NULL ) {
170 smb_panic("talloc_new failed");
171 }
172
173 while (*list != NULL) {
174 if (token_contains_name(mem_ctx, username, domain, sharename,
175 token, *list)) {
176 TALLOC_FREE(mem_ctx);
177 return True;
178 }
179 list += 1;
180 }
181
182 TALLOC_FREE(mem_ctx);
183 return False;
184 }
185
186 /*
187 * Check whether the user described by "token" has access to share snum.
188 *
189 * This looks at "invalid users", "valid users" and "only user/username"
190 *
191 * Please note that the user name and share names passed in here mainly for
192 * the substitution routines that expand the parameter values, the decision
193 * whether a user is in the list is done after a lookup_name on the expanded
194 * parameter value, solely based on comparing the SIDs in token.
195 *
196 * The other use is the netgroup check when using @group or &group.
197 */
198
199 bool user_ok_token(const char *username, const char *domain,
200 const struct security_token *token, int snum)
201 {
202 if (lp_invalid_users(snum) != NULL) {
203 if (token_contains_name_in_list(username, domain,
204 lp_servicename(snum),
205 token,
206 lp_invalid_users(snum))) {
207 DEBUG(10, ("User %s in 'invalid users'\n", username));
208 return False;
209 }
210 }
211
212 if (lp_valid_users(snum) != NULL) {
213 if (!token_contains_name_in_list(username, domain,
214 lp_servicename(snum), token,
215 lp_valid_users(snum))) {
216 DEBUG(10, ("User %s not in 'valid users'\n",
217 username));
218 return False;
219 }
220 }
221
222 if (lp_onlyuser(snum)) {
223 const char *list[2];
224 list[0] = lp_username(snum);
225 list[1] = NULL;
226 if ((list[0] == NULL) || (*list[0] == '\0')) {
227 DEBUG(0, ("'only user = yes' and no 'username ='\n"));
228 return False;
229 }
230 if (!token_contains_name_in_list(NULL, domain,
231 lp_servicename(snum),
232 token, list)) {
233 DEBUG(10, ("%s != 'username'\n", username));
234 return False;
235 }
236 }
237
238 DEBUG(10, ("user_ok_token: share %s is ok for unix user %s\n",
239 lp_servicename(snum), username));
240
241 return True;
242 }
243
244 /*
245 * Check whether the user described by "token" is restricted to read-only
246 * access on share snum.
247 *
248 * This looks at "invalid users", "valid users" and "only user/username"
249 *
250 * Please note that the user name and share names passed in here mainly for
251 * the substitution routines that expand the parameter values, the decision
252 * whether a user is in the list is done after a lookup_name on the expanded
253 * parameter value, solely based on comparing the SIDs in token.
254 *
255 * The other use is the netgroup check when using @group or &group.
256 */
257
258 bool is_share_read_only_for_token(const char *username,
259 const char *domain,
260 const struct security_token *token,
261 connection_struct *conn)
262 {
263 int snum = SNUM(conn);
264 bool result = conn->read_only;
265
266 if (lp_readlist(snum) != NULL) {
267 if (token_contains_name_in_list(username, domain,
268 lp_servicename(snum), token,
269 lp_readlist(snum))) {
270 result = True;
271 }
272 }
273
274 if (lp_writelist(snum) != NULL) {
275 if (token_contains_name_in_list(username, domain,
276 lp_servicename(snum), token,
277 lp_writelist(snum))) {
278 result = False;
279 }
280 }
281
282 DEBUG(10,("is_share_read_only_for_user: share %s is %s for unix user "
283 "%s\n", lp_servicename(snum),
284 result ? "read-only" : "read-write", username));
285
286 return result;
287 }
Samba GIT mirror