search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
nsswitch: Fix getting data out of pam_get_data()
[Samba.git] / source3 / smbd / share_access.c
blob45928144693f757875227333c65583ce10a16e7f
1 /*
2 Unix SMB/CIFS implementation.
3 Check access based on valid users, read list and friends
4 Copyright (C) Volker Lendecke 2005
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
18 */
19
20 #include "includes.h"
21 #include "smbd/smbd.h"
22 #include "smbd/globals.h"
23 #include "../libcli/security/security.h"
24 #include "passdb/lookup_sid.h"
25 #include "auth.h"
26 #include "source3/lib/substitute.h"
27
28 /*
29 * No prefix means direct username
30 * @name means netgroup first, then unix group
31 * &name means netgroup
32 * +name means unix group
33 * + and & may be combined
34 */
35
36 static bool do_group_checks(const char **name, const char **pattern)
37 {
38 if ((*name)[0] == '@') {
39 *pattern = "&+";
40 *name += 1;
41 return True;
42 }
43
44 if (((*name)[0] == '+') && ((*name)[1] == '&')) {
45 *pattern = "+&";
46 *name += 2;
47 return True;
48 }
49
50 if ((*name)[0] == '+') {
51 *pattern = "+";
52 *name += 1;
53 return True;
54 }
55
56 if (((*name)[0] == '&') && ((*name)[1] == '+')) {
57 *pattern = "&+";
58 *name += 2;
59 return True;
60 }
61
62 if ((*name)[0] == '&') {
63 *pattern = "&";
64 *name += 1;
65 return True;
66 }
67
68 return False;
69 }
70
71 static bool token_contains_name(TALLOC_CTX *mem_ctx,
72 const char *username,
73 const char *domain,
74 const char *sharename,
75 const struct security_token *token,
76 const char *name)
77 {
78 const char *prefix;
79 struct dom_sid sid;
80 enum lsa_SidType type;
81
82 if (username != NULL) {
83 size_t domain_len = domain != NULL ? strlen(domain) : 0;
84
85 /* Check if username starts with domain name */
86 if (domain_len > 0) {
87 const char *sep = lp_winbind_separator();
88 int cmp = strncasecmp_m(username, domain, domain_len);
89 if (cmp == 0 && sep[0] == username[domain_len]) {
90 /* Move after the winbind separator */
91 domain_len += 1;
92 } else {
93 domain_len = 0;
94 }
95 }
96 name = talloc_sub_basic(mem_ctx,
97 username + domain_len,
98 domain,
99 name);
100 }
101 if (sharename != NULL) {
102 name = talloc_string_sub(mem_ctx, name, "%S", sharename);
103 }
104
105 if (name == NULL) {
106 /* This is too security sensitive, better panic than return a
107 * result that might be interpreted in a wrong way. */
108 smb_panic("substitutions failed");
109 }
110
111 if ( string_to_sid( &sid, name ) ) {
112 DEBUG(5,("token_contains_name: Checking for SID [%s] in token\n", name));
113 return nt_token_check_sid( &sid, token );
114 }
115
116 if (!do_group_checks(&name, &prefix)) {
117 if (!lookup_name_smbconf(mem_ctx, name, LOOKUP_NAME_ALL,
118 NULL, NULL, &sid, &type)) {
119 DEBUG(5, ("lookup_name %s failed\n", name));
120 return False;
121 }
122 if (type != SID_NAME_USER) {
123 DEBUG(5, ("%s is a %s, expected a user\n",
124 name, sid_type_lookup(type)));
125 return False;
126 }
127 return nt_token_check_sid(&sid, token);
128 }
129
130 for (/* initialized above */ ; *prefix != '\0'; prefix++) {
131 if (*prefix == '+') {
132 if (!lookup_name_smbconf(mem_ctx, name,
133 LOOKUP_NAME_ALL|LOOKUP_NAME_GROUP,
134 NULL, NULL, &sid, &type)) {
135 DEBUG(5, ("lookup_name %s failed\n", name));
136 return False;
137 }
138 if ((type != SID_NAME_DOM_GRP) &&
139 (type != SID_NAME_ALIAS) &&
140 (type != SID_NAME_WKN_GRP)) {
141 DEBUG(5, ("%s is a %s, expected a group\n",
142 name, sid_type_lookup(type)));
143 return False;
144 }
145 if (nt_token_check_sid(&sid, token)) {
146 return True;
147 }
148 continue;
149 }
150 if (*prefix == '&') {
151 if (username) {
152 if (user_in_netgroup(mem_ctx, username, name)) {
153 return True;
154 }
155 }
156 continue;
157 }
158 smb_panic("got invalid prefix from do_groups_check");
159 }
160 return False;
161 }
162
163 /*
164 * Check whether a user is contained in the list provided.
165 *
166 * Please note that the user name and share names passed in here mainly for
167 * the substitution routines that expand the parameter values, the decision
168 * whether a user is in the list is done after a lookup_name on the expanded
169 * parameter value, solely based on comparing the SIDs in token.
170 *
171 * The other use is the netgroup check when using @group or &group.
172 */
173
174 bool token_contains_name_in_list(const char *username,
175 const char *domain,
176 const char *sharename,
177 const struct security_token *token,
178 const char **list)
179 {
180 if (list == NULL) {
181 return False;
182 }
183 while (*list != NULL) {
184 TALLOC_CTX *frame = talloc_stackframe();
185 bool ret;
186
187 ret = token_contains_name(frame, username, domain, sharename,
188 token, *list);
189 TALLOC_FREE(frame);
190 if (ret) {
191 return true;
192 }
193 list += 1;
194 }
195 return False;
196 }
197
198 /*
199 * Check whether the user described by "token" has access to share snum.
200 *
201 * This looks at "invalid users" and "valid users".
202 *
203 * Please note that the user name and share names passed in here mainly for
204 * the substitution routines that expand the parameter values, the decision
205 * whether a user is in the list is done after a lookup_name on the expanded
206 * parameter value, solely based on comparing the SIDs in token.
207 *
208 * The other use is the netgroup check when using @group or &group.
209 */
210
211 bool user_ok_token(const char *username, const char *domain,
212 const struct security_token *token, int snum)
213 {
214 const struct loadparm_substitution *lp_sub =
215 loadparm_s3_global_substitution();
216
217 if (lp_invalid_users(snum) != NULL) {
218 if (token_contains_name_in_list(username, domain,
219 lp_servicename(talloc_tos(), lp_sub, snum),
220 token,
221 lp_invalid_users(snum))) {
222 DEBUG(10, ("User %s in 'invalid users'\n", username));
223 return False;
224 }
225 }
226
227 if (lp_valid_users(snum) != NULL) {
228 if (!token_contains_name_in_list(username, domain,
229 lp_servicename(talloc_tos(), lp_sub, snum),
230 token,
231 lp_valid_users(snum))) {
232 DEBUG(10, ("User %s not in 'valid users'\n",
233 username));
234 return False;
235 }
236 }
237
238 DEBUG(10, ("user_ok_token: share %s is ok for unix user %s\n",
239 lp_servicename(talloc_tos(), lp_sub, snum), username));
240
241 return True;
242 }
243
244 /*
245 * Check whether the user described by "token" is restricted to read-only
246 * access on share snum.
247 *
248 * This looks at "read list", "write list" and "read only".
249 *
250 * Please note that the user name and share names passed in here mainly for
251 * the substitution routines that expand the parameter values, the decision
252 * whether a user is in the list is done after a lookup_name on the expanded
253 * parameter value, solely based on comparing the SIDs in token.
254 *
255 * The other use is the netgroup check when using @group or &group.
256 */
257
258 bool is_share_read_only_for_token(const char *username,
259 const char *domain,
260 const struct security_token *token,
261 connection_struct *conn)
262 {
263 const struct loadparm_substitution *lp_sub =
264 loadparm_s3_global_substitution();
265 int snum = SNUM(conn);
266 bool result = conn->read_only;
267
268 if (lp_read_list(snum) != NULL) {
269 if (token_contains_name_in_list(username, domain,
270 lp_servicename(talloc_tos(), lp_sub, snum),
271 token,
272 lp_read_list(snum))) {
273 result = True;
274 }
275 }
276
277 if (lp_write_list(snum) != NULL) {
278 if (token_contains_name_in_list(username, domain,
279 lp_servicename(talloc_tos(), lp_sub, snum),
280 token,
281 lp_write_list(snum))) {
282 result = False;
283 }
284 }
285
286 DEBUG(10,("is_share_read_only_for_user: share %s is %s for unix user "
287 "%s\n", lp_servicename(talloc_tos(), lp_sub, snum),
288 result ? "read-only" : "read-write", username));
289
290 return result;
291 }
Samba GIT mirror