search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge tag 'samba-4.0.13' into v4-0-test
[Samba.git] / source3 / smbd / uid.c
blob852ae392abb052fb6f489c7ec770122b6728221b
1 /*
2 Unix SMB/CIFS implementation.
3 uid/user handling
4 Copyright (C) Andrew Tridgell 1992-1998
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
18 */
19
20 #include "includes.h"
21 #include "system/passwd.h"
22 #include "smbd/smbd.h"
23 #include "smbd/globals.h"
24 #include "../librpc/gen_ndr/netlogon.h"
25 #include "libcli/security/security.h"
26 #include "passdb/lookup_sid.h"
27 #include "auth.h"
28
29 /* what user is current? */
30 extern struct current_user current_user;
31
32 /****************************************************************************
33 Become the guest user without changing the security context stack.
34 ****************************************************************************/
35
36 bool change_to_guest(void)
37 {
38 struct passwd *pass;
39
40 pass = Get_Pwnam_alloc(talloc_tos(), lp_guestaccount());
41 if (!pass) {
42 return false;
43 }
44
45 #ifdef AIX
46 /* MWW: From AIX FAQ patch to WU-ftpd: call initgroups before
47 setting IDs */
48 initgroups(pass->pw_name, pass->pw_gid);
49 #endif
50
51 set_sec_ctx(pass->pw_uid, pass->pw_gid, 0, NULL, NULL);
52
53 current_user.conn = NULL;
54 current_user.vuid = UID_FIELD_INVALID;
55
56 TALLOC_FREE(pass);
57
58 return true;
59 }
60
61 /****************************************************************************
62 talloc free the conn->session_info if not used in the vuid cache.
63 ****************************************************************************/
64
65 static void free_conn_session_info_if_unused(connection_struct *conn)
66 {
67 unsigned int i;
68
69 for (i = 0; i < VUID_CACHE_SIZE; i++) {
70 struct vuid_cache_entry *ent;
71 ent = &conn->vuid_cache.array[i];
72 if (ent->vuid != UID_FIELD_INVALID &&
73 conn->session_info == ent->session_info) {
74 return;
75 }
76 }
77 /* Not used, safe to free. */
78 TALLOC_FREE(conn->session_info);
79 }
80
81 /****************************************************************************
82 Setup the share access mask for a connection.
83 ****************************************************************************/
84
85 static uint32_t create_share_access_mask(int snum,
86 bool readonly_share,
87 const struct security_token *token)
88 {
89 uint32_t share_access = 0;
90
91 share_access_check(token,
92 lp_servicename(talloc_tos(), snum),
93 MAXIMUM_ALLOWED_ACCESS,
94 &share_access);
95
96 if (readonly_share) {
97 share_access &=
98 ~(SEC_FILE_WRITE_DATA | SEC_FILE_APPEND_DATA |
99 SEC_FILE_WRITE_EA | SEC_FILE_WRITE_ATTRIBUTE |
100 SEC_DIR_DELETE_CHILD );
101 }
102
103 if (security_token_has_privilege(token, SEC_PRIV_SECURITY)) {
104 share_access |= SEC_FLAG_SYSTEM_SECURITY;
105 }
106 if (security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
107 share_access |= (SEC_RIGHTS_PRIV_RESTORE);
108 }
109 if (security_token_has_privilege(token, SEC_PRIV_BACKUP)) {
110 share_access |= (SEC_RIGHTS_PRIV_BACKUP);
111 }
112 if (security_token_has_privilege(token, SEC_PRIV_TAKE_OWNERSHIP)) {
113 share_access |= (SEC_STD_WRITE_OWNER);
114 }
115
116 return share_access;
117 }
118
119 /*******************************************************************
120 Calculate access mask and if this user can access this share.
121 ********************************************************************/
122
123 NTSTATUS check_user_share_access(connection_struct *conn,
124 const struct auth_session_info *session_info,
125 uint32_t *p_share_access,
126 bool *p_readonly_share)
127 {
128 int snum = SNUM(conn);
129 uint32_t share_access = 0;
130 bool readonly_share = false;
131
132 if (!user_ok_token(session_info->unix_info->unix_name,
133 session_info->info->domain_name,
134 session_info->security_token, snum))
135 return NT_STATUS_ACCESS_DENIED;
136
137 readonly_share = is_share_read_only_for_token(
138 session_info->unix_info->unix_name,
139 session_info->info->domain_name,
140 session_info->security_token,
141 conn);
142
143 share_access = create_share_access_mask(snum,
144 readonly_share,
145 session_info->security_token);
146
147 if ((share_access & FILE_WRITE_DATA) == 0) {
148 if ((share_access & FILE_READ_DATA) == 0) {
149 /* No access, read or write. */
150 DEBUG(0,("user %s connection to %s "
151 "denied due to share security "
152 "descriptor.\n",
153 session_info->unix_info->unix_name,
154 lp_servicename(talloc_tos(), snum)));
155 return NT_STATUS_ACCESS_DENIED;
156 }
157 }
158
159 if (!readonly_share &&
160 !(share_access & FILE_WRITE_DATA)) {
161 /* smb.conf allows r/w, but the security descriptor denies
162 * write. Fall back to looking at readonly. */
163 readonly_share = True;
164 DEBUG(5,("falling back to read-only access-evaluation due to "
165 "security descriptor\n"));
166 }
167
168 *p_share_access = share_access;
169 *p_readonly_share = readonly_share;
170
171 return NT_STATUS_OK;
172 }
173
174 /*******************************************************************
175 Check if a username is OK.
176
177 This sets up conn->session_info with a copy related to this vuser that
178 later code can then mess with.
179 ********************************************************************/
180
181 static bool check_user_ok(connection_struct *conn,
182 uint64_t vuid,
183 const struct auth_session_info *session_info,
184 int snum)
185 {
186 unsigned int i;
187 bool readonly_share = false;
188 bool admin_user = false;
189 struct vuid_cache_entry *ent = NULL;
190 uint32_t share_access = 0;
191 unsigned int share_array_index;
192 NTSTATUS status;
193
194 for (i=0; i<VUID_CACHE_SIZE; i++) {
195 ent = &conn->vuid_cache.array[i];
196 if (ent->vuid == vuid) {
197 if (vuid == UID_FIELD_INVALID) {
198 /*
199 * Slow path, we don't care
200 * about the array traversal.
201 */
202 continue;
203 }
204 free_conn_session_info_if_unused(conn);
205 conn->session_info = ent->session_info;
206 conn->read_only = ent->read_only;
207 conn->share_access = get_connection_share_access_list_entry(
208 conn,
209 i);
210 return(True);
211 }
212 }
213
214 status = check_user_share_access(conn,
215 session_info,
216 &share_access,
217 &readonly_share);
218 if (!NT_STATUS_IS_OK(status)) {
219 return false;
220 }
221
222
223 admin_user = token_contains_name_in_list(
224 session_info->unix_info->unix_name,
225 session_info->info->domain_name,
226 NULL, session_info->security_token, lp_admin_users(snum));
227
228 share_array_index = conn->vuid_cache.next_entry;
229 ent = &conn->vuid_cache.array[conn->vuid_cache.next_entry];
230
231 conn->vuid_cache.next_entry =
232 (conn->vuid_cache.next_entry + 1) % VUID_CACHE_SIZE;
233
234 TALLOC_FREE(ent->session_info);
235
236 /*
237 * If force_user was set, all session_info's are based on the same
238 * username-based faked one.
239 */
240
241 ent->session_info = copy_session_info(
242 conn, conn->force_user ? conn->session_info : session_info);
243
244 if (ent->session_info == NULL) {
245 ent->vuid = UID_FIELD_INVALID;
246 return false;
247 }
248
249 /*
250 * It's actually OK to call check_user_ok() with
251 * vuid == UID_FIELD_INVALID as called from change_to_user_by_session().
252 * All this will do is throw away one entry in the cache.
253 */
254 ent->vuid = vuid;
255 ent->read_only = readonly_share;
256 set_connection_share_access_list_entry(conn,
257 share_array_index,
258 share_access);
259 free_conn_session_info_if_unused(conn);
260 conn->session_info = ent->session_info;
261 if (vuid == UID_FIELD_INVALID) {
262 /*
263 * Not strictly needed, just make it really
264 * clear this entry is actually an unused one.
265 */
266 ent->read_only = false;
267 set_connection_share_access_list_entry(conn,
268 share_array_index,
269 0);
270 ent->session_info = NULL;
271 }
272
273 conn->read_only = readonly_share;
274 conn->share_access = share_access;
275
276 if (admin_user) {
277 DEBUG(2,("check_user_ok: user %s is an admin user. "
278 "Setting uid as %d\n",
279 conn->session_info->unix_info->unix_name,
280 sec_initial_uid() ));
281 conn->session_info->unix_token->uid = sec_initial_uid();
282 }
283
284 return(True);
285 }
286
287 /****************************************************************************
288 Become the user of a connection number without changing the security context
289 stack, but modify the current_user entries.
290 ****************************************************************************/
291
292 static bool change_to_user_internal(connection_struct *conn,
293 const struct auth_session_info *session_info,
294 uint64_t vuid)
295 {
296 int snum;
297 gid_t gid;
298 uid_t uid;
299 char group_c;
300 int num_groups = 0;
301 gid_t *group_list = NULL;
302 bool ok;
303
304 snum = SNUM(conn);
305
306 ok = check_user_ok(conn, vuid, session_info, snum);
307 if (!ok) {
308 DEBUG(2,("SMB user %s (unix user %s) "
309 "not permitted access to share %s.\n",
310 session_info->unix_info->sanitized_username,
311 session_info->unix_info->unix_name,
312 lp_servicename(talloc_tos(), snum)));
313 return false;
314 }
315
316 uid = conn->session_info->unix_token->uid;
317 gid = conn->session_info->unix_token->gid;
318 num_groups = conn->session_info->unix_token->ngroups;
319 group_list = conn->session_info->unix_token->groups;
320
321 /*
322 * See if we should force group for this service. If so this overrides
323 * any group set in the force user code.
324 */
325 if((group_c = *lp_force_group(talloc_tos(), snum))) {
326
327 SMB_ASSERT(conn->force_group_gid != (gid_t)-1);
328
329 if (group_c == '+') {
330 int i;
331
332 /*
333 * Only force group if the user is a member of the
334 * service group. Check the group memberships for this
335 * user (we already have this) to see if we should force
336 * the group.
337 */
338 for (i = 0; i < num_groups; i++) {
339 if (group_list[i] == conn->force_group_gid) {
340 conn->session_info->unix_token->gid =
341 conn->force_group_gid;
342 gid = conn->force_group_gid;
343 gid_to_sid(&conn->session_info->security_token
344 ->sids[1], gid);
345 break;
346 }
347 }
348 } else {
349 conn->session_info->unix_token->gid = conn->force_group_gid;
350 gid = conn->force_group_gid;
351 gid_to_sid(&conn->session_info->security_token->sids[1],
352 gid);
353 }
354 }
355
356 /*Set current_user since we will immediately also call set_sec_ctx() */
357 current_user.ut.ngroups = num_groups;
358 current_user.ut.groups = group_list;
359
360 set_sec_ctx(uid,
361 gid,
362 current_user.ut.ngroups,
363 current_user.ut.groups,
364 conn->session_info->security_token);
365
366 current_user.conn = conn;
367 current_user.vuid = vuid;
368
369 DEBUG(5, ("Impersonated user: uid=(%d,%d), gid=(%d,%d)\n",
370 (int)getuid(),
371 (int)geteuid(),
372 (int)getgid(),
373 (int)getegid()));
374
375 return true;
376 }
377
378 bool change_to_user(connection_struct *conn, uint64_t vuid)
379 {
380 struct user_struct *vuser;
381 int snum = SNUM(conn);
382
383 if (!conn) {
384 DEBUG(2,("Connection not open\n"));
385 return(False);
386 }
387
388 vuser = get_valid_user_struct(conn->sconn, vuid);
389
390 if ((current_user.conn == conn) &&
391 (vuser != NULL) && (current_user.vuid == vuid) &&
392 (current_user.ut.uid == vuser->session_info->unix_token->uid)) {
393 DEBUG(4,("Skipping user change - already "
394 "user\n"));
395 return(True);
396 }
397
398 if (vuser == NULL) {
399 /* Invalid vuid sent */
400 DEBUG(2,("Invalid vuid %llu used on share %s.\n",
401 (unsigned long long)vuid, lp_servicename(talloc_tos(),
402 snum)));
403 return false;
404 }
405
406 return change_to_user_internal(conn, vuser->session_info, vuid);
407 }
408
409 static bool change_to_user_by_session(connection_struct *conn,
410 const struct auth_session_info *session_info)
411 {
412 SMB_ASSERT(conn != NULL);
413 SMB_ASSERT(session_info != NULL);
414
415 if ((current_user.conn == conn) &&
416 (current_user.ut.uid == session_info->unix_token->uid)) {
417 DEBUG(7, ("Skipping user change - already user\n"));
418
419 return true;
420 }
421
422 return change_to_user_internal(conn, session_info, UID_FIELD_INVALID);
423 }
424
425 /****************************************************************************
426 Go back to being root without changing the security context stack,
427 but modify the current_user entries.
428 ****************************************************************************/
429
430 bool smbd_change_to_root_user(void)
431 {
432 set_root_sec_ctx();
433
434 DEBUG(5,("change_to_root_user: now uid=(%d,%d) gid=(%d,%d)\n",
435 (int)getuid(),(int)geteuid(),(int)getgid(),(int)getegid()));
436
437 current_user.conn = NULL;
438 current_user.vuid = UID_FIELD_INVALID;
439
440 return(True);
441 }
442
443 /****************************************************************************
444 Become the user of an authenticated connected named pipe.
445 When this is called we are currently running as the connection
446 user. Doesn't modify current_user.
447 ****************************************************************************/
448
449 bool become_authenticated_pipe_user(struct auth_session_info *session_info)
450 {
451 if (!push_sec_ctx())
452 return False;
453
454 set_sec_ctx(session_info->unix_token->uid, session_info->unix_token->gid,
455 session_info->unix_token->ngroups, session_info->unix_token->groups,
456 session_info->security_token);
457
458 return True;
459 }
460
461 /****************************************************************************
462 Unbecome the user of an authenticated connected named pipe.
463 When this is called we are running as the authenticated pipe
464 user and need to go back to being the connection user. Doesn't modify
465 current_user.
466 ****************************************************************************/
467
468 bool unbecome_authenticated_pipe_user(void)
469 {
470 return pop_sec_ctx();
471 }
472
473 /****************************************************************************
474 Utility functions used by become_xxx/unbecome_xxx.
475 ****************************************************************************/
476
477 static void push_conn_ctx(void)
478 {
479 struct conn_ctx *ctx_p;
480
481 /* Check we don't overflow our stack */
482
483 if (conn_ctx_stack_ndx == MAX_SEC_CTX_DEPTH) {
484 DEBUG(0, ("Connection context stack overflow!\n"));
485 smb_panic("Connection context stack overflow!\n");
486 }
487
488 /* Store previous user context */
489 ctx_p = &conn_ctx_stack[conn_ctx_stack_ndx];
490
491 ctx_p->conn = current_user.conn;
492 ctx_p->vuid = current_user.vuid;
493
494 DEBUG(4, ("push_conn_ctx(%llu) : conn_ctx_stack_ndx = %d\n",
495 (unsigned long long)ctx_p->vuid, conn_ctx_stack_ndx));
496
497 conn_ctx_stack_ndx++;
498 }
499
500 static void pop_conn_ctx(void)
501 {
502 struct conn_ctx *ctx_p;
503
504 /* Check for stack underflow. */
505
506 if (conn_ctx_stack_ndx == 0) {
507 DEBUG(0, ("Connection context stack underflow!\n"));
508 smb_panic("Connection context stack underflow!\n");
509 }
510
511 conn_ctx_stack_ndx--;
512 ctx_p = &conn_ctx_stack[conn_ctx_stack_ndx];
513
514 current_user.conn = ctx_p->conn;
515 current_user.vuid = ctx_p->vuid;
516
517 ctx_p->conn = NULL;
518 ctx_p->vuid = UID_FIELD_INVALID;
519 }
520
521 /****************************************************************************
522 Temporarily become a root user. Must match with unbecome_root(). Saves and
523 restores the connection context.
524 ****************************************************************************/
525
526 void smbd_become_root(void)
527 {
528 /*
529 * no good way to handle push_sec_ctx() failing without changing
530 * the prototype of become_root()
531 */
532 if (!push_sec_ctx()) {
533 smb_panic("become_root: push_sec_ctx failed");
534 }
535 push_conn_ctx();
536 set_root_sec_ctx();
537 }
538
539 /* Unbecome the root user */
540
541 void smbd_unbecome_root(void)
542 {
543 pop_sec_ctx();
544 pop_conn_ctx();
545 }
546
547 /****************************************************************************
548 Push the current security context then force a change via change_to_user().
549 Saves and restores the connection context.
550 ****************************************************************************/
551
552 bool become_user(connection_struct *conn, uint64_t vuid)
553 {
554 if (!push_sec_ctx())
555 return False;
556
557 push_conn_ctx();
558
559 if (!change_to_user(conn, vuid)) {
560 pop_sec_ctx();
561 pop_conn_ctx();
562 return False;
563 }
564
565 return True;
566 }
567
568 bool become_user_by_session(connection_struct *conn,
569 const struct auth_session_info *session_info)
570 {
571 if (!push_sec_ctx())
572 return false;
573
574 push_conn_ctx();
575
576 if (!change_to_user_by_session(conn, session_info)) {
577 pop_sec_ctx();
578 pop_conn_ctx();
579 return false;
580 }
581
582 return true;
583 }
584
585 bool unbecome_user(void)
586 {
587 pop_sec_ctx();
588 pop_conn_ctx();
589 return True;
590 }
591
592 /****************************************************************************
593 Return the current user we are running effectively as on this connection.
594 I'd like to make this return conn->session_info->unix_token->uid, but become_root()
595 doesn't alter this value.
596 ****************************************************************************/
597
598 uid_t get_current_uid(connection_struct *conn)
599 {
600 return current_user.ut.uid;
601 }
602
603 /****************************************************************************
604 Return the current group we are running effectively as on this connection.
605 I'd like to make this return conn->session_info->unix_token->gid, but become_root()
606 doesn't alter this value.
607 ****************************************************************************/
608
609 gid_t get_current_gid(connection_struct *conn)
610 {
611 return current_user.ut.gid;
612 }
613
614 /****************************************************************************
615 Return the UNIX token we are running effectively as on this connection.
616 I'd like to make this return &conn->session_info->unix_token-> but become_root()
617 doesn't alter this value.
618 ****************************************************************************/
619
620 const struct security_unix_token *get_current_utok(connection_struct *conn)
621 {
622 return &current_user.ut;
623 }
624
625 /****************************************************************************
626 Return the Windows token we are running effectively as on this connection.
627 If this is currently a NULL token as we're inside become_root() - a temporary
628 UNIX security override, then we search up the stack for the previous active
629 token.
630 ****************************************************************************/
631
632 const struct security_token *get_current_nttok(connection_struct *conn)
633 {
634 if (current_user.nt_user_token) {
635 return current_user.nt_user_token;
636 }
637 return sec_ctx_active_token();
638 }
639
640 uint64_t get_current_vuid(connection_struct *conn)
641 {
642 return current_user.vuid;
643 }
Samba GIT mirror