2 Unix SMB/CIFS implementation.
3 Check access based on valid users, read list and friends
4 Copyright (C) Volker Lendecke 2005
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 #include "smbd/smbd.h"
22 #include "smbd/globals.h"
23 #include "../libcli/security/security.h"
24 #include "passdb/lookup_sid.h"
28 * No prefix means direct username
29 * @name means netgroup first, then unix group
30 * &name means netgroup
31 * +name means unix group
32 * + and & may be combined
35 static bool do_group_checks(const char **name
, const char **pattern
)
37 if ((*name
)[0] == '@') {
43 if (((*name
)[0] == '+') && ((*name
)[1] == '&')) {
49 if ((*name
)[0] == '+') {
55 if (((*name
)[0] == '&') && ((*name
)[1] == '+')) {
61 if ((*name
)[0] == '&') {
70 static bool token_contains_name(TALLOC_CTX
*mem_ctx
,
73 const char *sharename
,
74 const struct security_token
*token
,
79 enum lsa_SidType type
;
81 if (username
!= NULL
) {
82 name
= talloc_sub_basic(mem_ctx
, username
, domain
, name
);
84 if (sharename
!= NULL
) {
85 name
= talloc_string_sub(mem_ctx
, name
, "%S", sharename
);
89 /* This is too security sensitive, better panic than return a
90 * result that might be interpreted in a wrong way. */
91 smb_panic("substitutions failed");
94 /* check to see is we already have a SID */
96 if ( string_to_sid( &sid
, name
) ) {
97 DEBUG(5,("token_contains_name: Checking for SID [%s] in token\n", name
));
98 return nt_token_check_sid( &sid
, token
);
101 if (!do_group_checks(&name
, &prefix
)) {
102 if (!lookup_name_smbconf(mem_ctx
, name
, LOOKUP_NAME_ALL
,
103 NULL
, NULL
, &sid
, &type
)) {
104 DEBUG(5, ("lookup_name %s failed\n", name
));
107 if (type
!= SID_NAME_USER
) {
108 DEBUG(5, ("%s is a %s, expected a user\n",
109 name
, sid_type_lookup(type
)));
112 return nt_token_check_sid(&sid
, token
);
115 for (/* initialized above */ ; *prefix
!= '\0'; prefix
++) {
116 if (*prefix
== '+') {
117 if (!lookup_name_smbconf(mem_ctx
, name
,
118 LOOKUP_NAME_ALL
|LOOKUP_NAME_GROUP
,
119 NULL
, NULL
, &sid
, &type
)) {
120 DEBUG(5, ("lookup_name %s failed\n", name
));
123 if ((type
!= SID_NAME_DOM_GRP
) &&
124 (type
!= SID_NAME_ALIAS
) &&
125 (type
!= SID_NAME_WKN_GRP
)) {
126 DEBUG(5, ("%s is a %s, expected a group\n",
127 name
, sid_type_lookup(type
)));
130 if (nt_token_check_sid(&sid
, token
)) {
135 if (*prefix
== '&') {
137 if (user_in_netgroup(mem_ctx
, username
, name
)) {
143 smb_panic("got invalid prefix from do_groups_check");
149 * Check whether a user is contained in the list provided.
151 * Please note that the user name and share names passed in here mainly for
152 * the substitution routines that expand the parameter values, the decision
153 * whether a user is in the list is done after a lookup_name on the expanded
154 * parameter value, solely based on comparing the SIDs in token.
156 * The other use is the netgroup check when using @group or &group.
159 bool token_contains_name_in_list(const char *username
,
161 const char *sharename
,
162 const struct security_token
*token
,
171 if ( (mem_ctx
= talloc_new(NULL
)) == NULL
) {
172 smb_panic("talloc_new failed");
175 while (*list
!= NULL
) {
176 if (token_contains_name(mem_ctx
, username
, domain
, sharename
,
178 TALLOC_FREE(mem_ctx
);
184 TALLOC_FREE(mem_ctx
);
189 * Check whether the user described by "token" has access to share snum.
191 * This looks at "invalid users", "valid users" and "only user/username"
193 * Please note that the user name and share names passed in here mainly for
194 * the substitution routines that expand the parameter values, the decision
195 * whether a user is in the list is done after a lookup_name on the expanded
196 * parameter value, solely based on comparing the SIDs in token.
198 * The other use is the netgroup check when using @group or &group.
201 bool user_ok_token(const char *username
, const char *domain
,
202 const struct security_token
*token
, int snum
)
204 if (lp_invalid_users(snum
) != NULL
) {
205 if (token_contains_name_in_list(username
, domain
,
206 lp_servicename(talloc_tos(), snum
),
208 lp_invalid_users(snum
))) {
209 DEBUG(10, ("User %s in 'invalid users'\n", username
));
214 if (lp_valid_users(snum
) != NULL
) {
215 if (!token_contains_name_in_list(username
, domain
,
216 lp_servicename(talloc_tos(), snum
),
218 lp_valid_users(snum
))) {
219 DEBUG(10, ("User %s not in 'valid users'\n",
225 if (lp_onlyuser(snum
)) {
227 list
[0] = lp_username(talloc_tos(), snum
);
229 if ((list
[0] == NULL
) || (*list
[0] == '\0')) {
230 DEBUG(0, ("'only user = yes' and no 'username ='\n"));
233 if (!token_contains_name_in_list(NULL
, domain
,
234 lp_servicename(talloc_tos(), snum
),
236 DEBUG(10, ("%s != 'username'\n", username
));
241 DEBUG(10, ("user_ok_token: share %s is ok for unix user %s\n",
242 lp_servicename(talloc_tos(), snum
), username
));
248 * Check whether the user described by "token" is restricted to read-only
249 * access on share snum.
251 * This looks at "invalid users", "valid users" and "only user/username"
253 * Please note that the user name and share names passed in here mainly for
254 * the substitution routines that expand the parameter values, the decision
255 * whether a user is in the list is done after a lookup_name on the expanded
256 * parameter value, solely based on comparing the SIDs in token.
258 * The other use is the netgroup check when using @group or &group.
261 bool is_share_read_only_for_token(const char *username
,
263 const struct security_token
*token
,
264 connection_struct
*conn
)
266 int snum
= SNUM(conn
);
267 bool result
= conn
->read_only
;
269 if (lp_readlist(snum
) != NULL
) {
270 if (token_contains_name_in_list(username
, domain
,
271 lp_servicename(talloc_tos(), snum
),
273 lp_readlist(snum
))) {
278 if (lp_writelist(snum
) != NULL
) {
279 if (token_contains_name_in_list(username
, domain
,
280 lp_servicename(talloc_tos(), snum
),
282 lp_writelist(snum
))) {
287 DEBUG(10,("is_share_read_only_for_user: share %s is %s for unix user "
288 "%s\n", lp_servicename(talloc_tos(), snum
),
289 result
? "read-only" : "read-write", username
));