search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
tests/krb5: Clarify checksum type assertion message
[Samba.git] / source3 / smbd / share_access.c
blob57754a0f7663b9e19195af5509177b68d060a932
1 /*
2 Unix SMB/CIFS implementation.
3 Check access based on valid users, read list and friends
4 Copyright (C) Volker Lendecke 2005
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
18 */
19
20 #include "includes.h"
21 #include "smbd/smbd.h"
22 #include "smbd/globals.h"
23 #include "../libcli/security/security.h"
24 #include "passdb/lookup_sid.h"
25 #include "auth.h"
26
27 /*
28 * No prefix means direct username
29 * @name means netgroup first, then unix group
30 * &name means netgroup
31 * +name means unix group
32 * + and & may be combined
33 */
34
35 static bool do_group_checks(const char **name, const char **pattern)
36 {
37 if ((*name)[0] == '@') {
38 *pattern = "&+";
39 *name += 1;
40 return True;
41 }
42
43 if (((*name)[0] == '+') && ((*name)[1] == '&')) {
44 *pattern = "+&";
45 *name += 2;
46 return True;
47 }
48
49 if ((*name)[0] == '+') {
50 *pattern = "+";
51 *name += 1;
52 return True;
53 }
54
55 if (((*name)[0] == '&') && ((*name)[1] == '+')) {
56 *pattern = "&+";
57 *name += 2;
58 return True;
59 }
60
61 if ((*name)[0] == '&') {
62 *pattern = "&";
63 *name += 1;
64 return True;
65 }
66
67 return False;
68 }
69
70 static bool token_contains_name(TALLOC_CTX *mem_ctx,
71 const char *username,
72 const char *domain,
73 const char *sharename,
74 const struct security_token *token,
75 const char *name)
76 {
77 const char *prefix;
78 struct dom_sid sid;
79 enum lsa_SidType type;
80
81 if (username != NULL) {
82 size_t domain_len = strlen(domain);
83
84 /* Check if username starts with domain name */
85 if (domain_len > 0) {
86 const char *sep = lp_winbind_separator();
87 int cmp = strncasecmp_m(username, domain, domain_len);
88 if (cmp == 0 && sep[0] == username[domain_len]) {
89 /* Move after the winbind separator */
90 domain_len += 1;
91 } else {
92 domain_len = 0;
93 }
94 }
95 name = talloc_sub_basic(mem_ctx,
96 username + domain_len,
97 domain,
98 name);
99 }
100 if (sharename != NULL) {
101 name = talloc_string_sub(mem_ctx, name, "%S", sharename);
102 }
103
104 if (name == NULL) {
105 /* This is too security sensitive, better panic than return a
106 * result that might be interpreted in a wrong way. */
107 smb_panic("substitutions failed");
108 }
109
110 if ( string_to_sid( &sid, name ) ) {
111 DEBUG(5,("token_contains_name: Checking for SID [%s] in token\n", name));
112 return nt_token_check_sid( &sid, token );
113 }
114
115 if (!do_group_checks(&name, &prefix)) {
116 if (!lookup_name_smbconf(mem_ctx, name, LOOKUP_NAME_ALL,
117 NULL, NULL, &sid, &type)) {
118 DEBUG(5, ("lookup_name %s failed\n", name));
119 return False;
120 }
121 if (type != SID_NAME_USER) {
122 DEBUG(5, ("%s is a %s, expected a user\n",
123 name, sid_type_lookup(type)));
124 return False;
125 }
126 return nt_token_check_sid(&sid, token);
127 }
128
129 for (/* initialized above */ ; *prefix != '\0'; prefix++) {
130 if (*prefix == '+') {
131 if (!lookup_name_smbconf(mem_ctx, name,
132 LOOKUP_NAME_ALL|LOOKUP_NAME_GROUP,
133 NULL, NULL, &sid, &type)) {
134 DEBUG(5, ("lookup_name %s failed\n", name));
135 return False;
136 }
137 if ((type != SID_NAME_DOM_GRP) &&
138 (type != SID_NAME_ALIAS) &&
139 (type != SID_NAME_WKN_GRP)) {
140 DEBUG(5, ("%s is a %s, expected a group\n",
141 name, sid_type_lookup(type)));
142 return False;
143 }
144 if (nt_token_check_sid(&sid, token)) {
145 return True;
146 }
147 continue;
148 }
149 if (*prefix == '&') {
150 if (username) {
151 if (user_in_netgroup(mem_ctx, username, name)) {
152 return True;
153 }
154 }
155 continue;
156 }
157 smb_panic("got invalid prefix from do_groups_check");
158 }
159 return False;
160 }
161
162 /*
163 * Check whether a user is contained in the list provided.
164 *
165 * Please note that the user name and share names passed in here mainly for
166 * the substitution routines that expand the parameter values, the decision
167 * whether a user is in the list is done after a lookup_name on the expanded
168 * parameter value, solely based on comparing the SIDs in token.
169 *
170 * The other use is the netgroup check when using @group or &group.
171 */
172
173 bool token_contains_name_in_list(const char *username,
174 const char *domain,
175 const char *sharename,
176 const struct security_token *token,
177 const char **list)
178 {
179 if (list == NULL) {
180 return False;
181 }
182 while (*list != NULL) {
183 TALLOC_CTX *frame = talloc_stackframe();
184 bool ret;
185
186 ret = token_contains_name(frame, username, domain, sharename,
187 token, *list);
188 TALLOC_FREE(frame);
189 if (ret) {
190 return true;
191 }
192 list += 1;
193 }
194 return False;
195 }
196
197 /*
198 * Check whether the user described by "token" has access to share snum.
199 *
200 * This looks at "invalid users" and "valid users".
201 *
202 * Please note that the user name and share names passed in here mainly for
203 * the substitution routines that expand the parameter values, the decision
204 * whether a user is in the list is done after a lookup_name on the expanded
205 * parameter value, solely based on comparing the SIDs in token.
206 *
207 * The other use is the netgroup check when using @group or &group.
208 */
209
210 bool user_ok_token(const char *username, const char *domain,
211 const struct security_token *token, int snum)
212 {
213 const struct loadparm_substitution *lp_sub =
214 loadparm_s3_global_substitution();
215
216 if (lp_invalid_users(snum) != NULL) {
217 if (token_contains_name_in_list(username, domain,
218 lp_servicename(talloc_tos(), lp_sub, snum),
219 token,
220 lp_invalid_users(snum))) {
221 DEBUG(10, ("User %s in 'invalid users'\n", username));
222 return False;
223 }
224 }
225
226 if (lp_valid_users(snum) != NULL) {
227 if (!token_contains_name_in_list(username, domain,
228 lp_servicename(talloc_tos(), lp_sub, snum),
229 token,
230 lp_valid_users(snum))) {
231 DEBUG(10, ("User %s not in 'valid users'\n",
232 username));
233 return False;
234 }
235 }
236
237 DEBUG(10, ("user_ok_token: share %s is ok for unix user %s\n",
238 lp_servicename(talloc_tos(), lp_sub, snum), username));
239
240 return True;
241 }
242
243 /*
244 * Check whether the user described by "token" is restricted to read-only
245 * access on share snum.
246 *
247 * This looks at "read list", "write list" and "read only".
248 *
249 * Please note that the user name and share names passed in here mainly for
250 * the substitution routines that expand the parameter values, the decision
251 * whether a user is in the list is done after a lookup_name on the expanded
252 * parameter value, solely based on comparing the SIDs in token.
253 *
254 * The other use is the netgroup check when using @group or &group.
255 */
256
257 bool is_share_read_only_for_token(const char *username,
258 const char *domain,
259 const struct security_token *token,
260 connection_struct *conn)
261 {
262 const struct loadparm_substitution *lp_sub =
263 loadparm_s3_global_substitution();
264 int snum = SNUM(conn);
265 bool result = conn->read_only;
266
267 if (lp_read_list(snum) != NULL) {
268 if (token_contains_name_in_list(username, domain,
269 lp_servicename(talloc_tos(), lp_sub, snum),
270 token,
271 lp_read_list(snum))) {
272 result = True;
273 }
274 }
275
276 if (lp_write_list(snum) != NULL) {
277 if (token_contains_name_in_list(username, domain,
278 lp_servicename(talloc_tos(), lp_sub, snum),
279 token,
280 lp_write_list(snum))) {
281 result = False;
282 }
283 }
284
285 DEBUG(10,("is_share_read_only_for_user: share %s is %s for unix user "
286 "%s\n", lp_servicename(talloc_tos(), lp_sub, snum),
287 result ? "read-only" : "read-write", username));
288
289 return result;
290 }
Samba GIT mirror