search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
r14736: - the ntvfs subsystem should not know about smb_server.h
[Samba/aatanasov.git] / source / ntvfs / unixuid / vfs_unixuid.c
blob9d8b058b7acd0bb94416a2d486e328b1289496ed
1 /*
2 Unix SMB/CIFS implementation.
3
4 a pass-thru NTVFS module to setup a security context using unix
5 uid/gid
6
7 Copyright (C) Andrew Tridgell 2004
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 2 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program; if not, write to the Free Software
21 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
22 */
23
24 #include "includes.h"
25 #include "system/filesys.h"
26 #include "system/passwd.h"
27 #include "auth/auth.h"
28 #include "ntvfs/ntvfs.h"
29
30 struct unixuid_private {
31 struct sidmap_context *sidmap;
32 struct unix_sec_ctx *last_sec_ctx;
33 struct security_token *last_token;
34 };
35
36
37
38 struct unix_sec_ctx {
39 uid_t uid;
40 gid_t gid;
41 uint_t ngroups;
42 gid_t *groups;
43 };
44
45 /*
46 pull the current security context into a unix_sec_ctx
47 */
48 static struct unix_sec_ctx *save_unix_security(TALLOC_CTX *mem_ctx)
49 {
50 struct unix_sec_ctx *sec = talloc(mem_ctx, struct unix_sec_ctx);
51 if (sec == NULL) {
52 return NULL;
53 }
54 sec->uid = geteuid();
55 sec->gid = getegid();
56 sec->ngroups = getgroups(0, NULL);
57 if (sec->ngroups == -1) {
58 talloc_free(sec);
59 return NULL;
60 }
61 sec->groups = talloc_array(sec, gid_t, sec->ngroups);
62 if (sec->groups == NULL) {
63 talloc_free(sec);
64 return NULL;
65 }
66
67 if (getgroups(sec->ngroups, sec->groups) != sec->ngroups) {
68 talloc_free(sec);
69 return NULL;
70 }
71
72 return sec;
73 }
74
75 /*
76 set the current security context from a unix_sec_ctx
77 */
78 static NTSTATUS set_unix_security(struct unix_sec_ctx *sec)
79 {
80 seteuid(0);
81
82 if (setgroups(sec->ngroups, sec->groups) != 0) {
83 return NT_STATUS_ACCESS_DENIED;
84 }
85 if (setegid(sec->gid) != 0) {
86 return NT_STATUS_ACCESS_DENIED;
87 }
88 if (seteuid(sec->uid) != 0) {
89 return NT_STATUS_ACCESS_DENIED;
90 }
91 return NT_STATUS_OK;
92 }
93
94 /*
95 form a unix_sec_ctx from the current security_token
96 */
97 static NTSTATUS nt_token_to_unix_security(struct ntvfs_module_context *ntvfs,
98 struct ntvfs_request *req,
99 struct security_token *token,
100 struct unix_sec_ctx **sec)
101 {
102 struct unixuid_private *private = ntvfs->private_data;
103 int i;
104 NTSTATUS status;
105 *sec = talloc(req, struct unix_sec_ctx);
106
107 /* we can't do unix security without a user and group */
108 if (token->num_sids < 2) {
109 return NT_STATUS_ACCESS_DENIED;
110 }
111
112 status = sidmap_sid_to_unixuid(private->sidmap,
113 token->user_sid, &(*sec)->uid);
114 if (!NT_STATUS_IS_OK(status)) {
115 return status;
116 }
117
118 status = sidmap_sid_to_unixgid(private->sidmap,
119 token->group_sid, &(*sec)->gid);
120 if (!NT_STATUS_IS_OK(status)) {
121 return status;
122 }
123
124 (*sec)->ngroups = token->num_sids - 2;
125 (*sec)->groups = talloc_array(*sec, gid_t, (*sec)->ngroups);
126 if ((*sec)->groups == NULL) {
127 return NT_STATUS_NO_MEMORY;
128 }
129
130 for (i=0;i<(*sec)->ngroups;i++) {
131 status = sidmap_sid_to_unixgid(private->sidmap,
132 token->sids[i+2], &(*sec)->groups[i]);
133 if (!NT_STATUS_IS_OK(status)) {
134 return status;
135 }
136 }
137
138 return NT_STATUS_OK;
139 }
140
141 /*
142 setup our unix security context according to the session authentication info
143 */
144 static NTSTATUS unixuid_setup_security(struct ntvfs_module_context *ntvfs,
145 struct ntvfs_request *req, struct unix_sec_ctx **sec)
146 {
147 struct unixuid_private *private = ntvfs->private_data;
148 struct security_token *token;
149 struct unix_sec_ctx *newsec;
150 NTSTATUS status;
151
152 if (req->session_info == NULL) {
153 return NT_STATUS_ACCESS_DENIED;
154 }
155
156 token = req->session_info->security_token;
157
158 *sec = save_unix_security(req);
159 if (*sec == NULL) {
160 return NT_STATUS_NO_MEMORY;
161 }
162
163 if (token == private->last_token) {
164 newsec = private->last_sec_ctx;
165 } else {
166 status = nt_token_to_unix_security(ntvfs, req, token, &newsec);
167 if (!NT_STATUS_IS_OK(status)) {
168 return status;
169 }
170 if (private->last_sec_ctx) {
171 talloc_free(private->last_sec_ctx);
172 }
173 private->last_sec_ctx = newsec;
174 private->last_token = token;
175 talloc_steal(private, newsec);
176 }
177
178 status = set_unix_security(newsec);
179 if (!NT_STATUS_IS_OK(status)) {
180 return status;
181 }
182
183 return NT_STATUS_OK;
184 }
185
186 /*
187 this pass through macro operates on request contexts
188 */
189 #define PASS_THRU_REQ(ntvfs, req, op, args) do { \
190 NTSTATUS status2; \
191 struct unix_sec_ctx *sec; \
192 status = unixuid_setup_security(ntvfs, req, &sec); \
193 if (NT_STATUS_IS_OK(status)) status = ntvfs_next_##op args; \
194 status2 = set_unix_security(sec); \
195 if (!NT_STATUS_IS_OK(status2)) smb_panic("Unable to reset security context"); \
196 } while (0)
197
198
199
200 /*
201 connect to a share - used when a tree_connect operation comes in.
202 */
203 static NTSTATUS unixuid_connect(struct ntvfs_module_context *ntvfs,
204 struct ntvfs_request *req, const char *sharename)
205 {
206 struct unixuid_private *private;
207 NTSTATUS status;
208
209 private = talloc(ntvfs, struct unixuid_private);
210 if (!private) {
211 return NT_STATUS_NO_MEMORY;
212 }
213
214 private->sidmap = sidmap_open(private);
215 if (private->sidmap == NULL) {
216 return NT_STATUS_INTERNAL_DB_CORRUPTION;
217 }
218
219 ntvfs->private_data = private;
220 private->last_sec_ctx = NULL;
221 private->last_token = NULL;
222
223 /* we don't use PASS_THRU_REQ here, as the connect operation runs with
224 root privileges. This allows the backends to setup any database
225 links they might need during the connect. */
226 status = ntvfs_next_connect(ntvfs, req, sharename);
227
228 return status;
229 }
230
231 /*
232 disconnect from a share
233 */
234 static NTSTATUS unixuid_disconnect(struct ntvfs_module_context *ntvfs)
235 {
236 struct unixuid_private *private = ntvfs->private_data;
237 NTSTATUS status;
238
239 talloc_free(private);
240 ntvfs->private_data = NULL;
241
242 status = ntvfs_next_disconnect(ntvfs);
243
244 return status;
245 }
246
247
248 /*
249 delete a file
250 */
251 static NTSTATUS unixuid_unlink(struct ntvfs_module_context *ntvfs,
252 struct ntvfs_request *req,
253 union smb_unlink *unl)
254 {
255 NTSTATUS status;
256
257 PASS_THRU_REQ(ntvfs, req, unlink, (ntvfs, req, unl));
258
259 return status;
260 }
261
262 /*
263 ioctl interface
264 */
265 static NTSTATUS unixuid_ioctl(struct ntvfs_module_context *ntvfs,
266 struct ntvfs_request *req, union smb_ioctl *io)
267 {
268 NTSTATUS status;
269
270 PASS_THRU_REQ(ntvfs, req, ioctl, (ntvfs, req, io));
271
272 return status;
273 }
274
275 /*
276 check if a directory exists
277 */
278 static NTSTATUS unixuid_chkpath(struct ntvfs_module_context *ntvfs,
279 struct ntvfs_request *req,
280 union smb_chkpath *cp)
281 {
282 NTSTATUS status;
283
284 PASS_THRU_REQ(ntvfs, req, chkpath, (ntvfs, req, cp));
285
286 return status;
287 }
288
289 /*
290 return info on a pathname
291 */
292 static NTSTATUS unixuid_qpathinfo(struct ntvfs_module_context *ntvfs,
293 struct ntvfs_request *req, union smb_fileinfo *info)
294 {
295 NTSTATUS status;
296
297 PASS_THRU_REQ(ntvfs, req, qpathinfo, (ntvfs, req, info));
298
299 return status;
300 }
301
302 /*
303 query info on a open file
304 */
305 static NTSTATUS unixuid_qfileinfo(struct ntvfs_module_context *ntvfs,
306 struct ntvfs_request *req, union smb_fileinfo *info)
307 {
308 NTSTATUS status;
309
310 PASS_THRU_REQ(ntvfs, req, qfileinfo, (ntvfs, req, info));
311
312 return status;
313 }
314
315
316 /*
317 set info on a pathname
318 */
319 static NTSTATUS unixuid_setpathinfo(struct ntvfs_module_context *ntvfs,
320 struct ntvfs_request *req, union smb_setfileinfo *st)
321 {
322 NTSTATUS status;
323
324 PASS_THRU_REQ(ntvfs, req, setpathinfo, (ntvfs, req, st));
325
326 return status;
327 }
328
329 /*
330 open a file
331 */
332 static NTSTATUS unixuid_open(struct ntvfs_module_context *ntvfs,
333 struct ntvfs_request *req, union smb_open *io)
334 {
335 NTSTATUS status;
336
337 PASS_THRU_REQ(ntvfs, req, open, (ntvfs, req, io));
338
339 return status;
340 }
341
342 /*
343 create a directory
344 */
345 static NTSTATUS unixuid_mkdir(struct ntvfs_module_context *ntvfs,
346 struct ntvfs_request *req, union smb_mkdir *md)
347 {
348 NTSTATUS status;
349
350 PASS_THRU_REQ(ntvfs, req, mkdir, (ntvfs, req, md));
351
352 return status;
353 }
354
355 /*
356 remove a directory
357 */
358 static NTSTATUS unixuid_rmdir(struct ntvfs_module_context *ntvfs,
359 struct ntvfs_request *req, struct smb_rmdir *rd)
360 {
361 NTSTATUS status;
362
363 PASS_THRU_REQ(ntvfs, req, rmdir, (ntvfs, req, rd));
364
365 return status;
366 }
367
368 /*
369 rename a set of files
370 */
371 static NTSTATUS unixuid_rename(struct ntvfs_module_context *ntvfs,
372 struct ntvfs_request *req, union smb_rename *ren)
373 {
374 NTSTATUS status;
375
376 PASS_THRU_REQ(ntvfs, req, rename, (ntvfs, req, ren));
377
378 return status;
379 }
380
381 /*
382 copy a set of files
383 */
384 static NTSTATUS unixuid_copy(struct ntvfs_module_context *ntvfs,
385 struct ntvfs_request *req, struct smb_copy *cp)
386 {
387 NTSTATUS status;
388
389 PASS_THRU_REQ(ntvfs, req, copy, (ntvfs, req, cp));
390
391 return status;
392 }
393
394 /*
395 read from a file
396 */
397 static NTSTATUS unixuid_read(struct ntvfs_module_context *ntvfs,
398 struct ntvfs_request *req, union smb_read *rd)
399 {
400 NTSTATUS status;
401
402 PASS_THRU_REQ(ntvfs, req, read, (ntvfs, req, rd));
403
404 return status;
405 }
406
407 /*
408 write to a file
409 */
410 static NTSTATUS unixuid_write(struct ntvfs_module_context *ntvfs,
411 struct ntvfs_request *req, union smb_write *wr)
412 {
413 NTSTATUS status;
414
415 PASS_THRU_REQ(ntvfs, req, write, (ntvfs, req, wr));
416
417 return status;
418 }
419
420 /*
421 seek in a file
422 */
423 static NTSTATUS unixuid_seek(struct ntvfs_module_context *ntvfs,
424 struct ntvfs_request *req,
425 union smb_seek *io)
426 {
427 NTSTATUS status;
428
429 PASS_THRU_REQ(ntvfs, req, seek, (ntvfs, req, io));
430
431 return status;
432 }
433
434 /*
435 flush a file
436 */
437 static NTSTATUS unixuid_flush(struct ntvfs_module_context *ntvfs,
438 struct ntvfs_request *req,
439 union smb_flush *io)
440 {
441 NTSTATUS status;
442
443 PASS_THRU_REQ(ntvfs, req, flush, (ntvfs, req, io));
444
445 return status;
446 }
447
448 /*
449 close a file
450 */
451 static NTSTATUS unixuid_close(struct ntvfs_module_context *ntvfs,
452 struct ntvfs_request *req, union smb_close *io)
453 {
454 NTSTATUS status;
455
456 PASS_THRU_REQ(ntvfs, req, close, (ntvfs, req, io));
457
458 return status;
459 }
460
461 /*
462 exit - closing files
463 */
464 static NTSTATUS unixuid_exit(struct ntvfs_module_context *ntvfs,
465 struct ntvfs_request *req)
466 {
467 NTSTATUS status;
468
469 PASS_THRU_REQ(ntvfs, req, exit, (ntvfs, req));
470
471 return status;
472 }
473
474 /*
475 logoff - closing files
476 */
477 static NTSTATUS unixuid_logoff(struct ntvfs_module_context *ntvfs,
478 struct ntvfs_request *req)
479 {
480 struct unixuid_private *private = ntvfs->private_data;
481 NTSTATUS status;
482
483 PASS_THRU_REQ(ntvfs, req, logoff, (ntvfs, req));
484
485 private->last_token = NULL;
486
487 return status;
488 }
489
490 /*
491 async setup
492 */
493 static NTSTATUS unixuid_async_setup(struct ntvfs_module_context *ntvfs,
494 struct ntvfs_request *req,
495 void *private)
496 {
497 NTSTATUS status;
498
499 PASS_THRU_REQ(ntvfs, req, async_setup, (ntvfs, req, private));
500
501 return status;
502 }
503
504 /*
505 cancel an async request
506 */
507 static NTSTATUS unixuid_cancel(struct ntvfs_module_context *ntvfs,
508 struct ntvfs_request *req)
509 {
510 NTSTATUS status;
511
512 PASS_THRU_REQ(ntvfs, req, cancel, (ntvfs, req));
513
514 return status;
515 }
516
517 /*
518 change notify
519 */
520 static NTSTATUS unixuid_notify(struct ntvfs_module_context *ntvfs,
521 struct ntvfs_request *req, struct smb_notify *info)
522 {
523 NTSTATUS status;
524
525 PASS_THRU_REQ(ntvfs, req, notify, (ntvfs, req, info));
526
527 return status;
528 }
529
530 /*
531 lock a byte range
532 */
533 static NTSTATUS unixuid_lock(struct ntvfs_module_context *ntvfs,
534 struct ntvfs_request *req, union smb_lock *lck)
535 {
536 NTSTATUS status;
537
538 PASS_THRU_REQ(ntvfs, req, lock, (ntvfs, req, lck));
539
540 return status;
541 }
542
543 /*
544 set info on a open file
545 */
546 static NTSTATUS unixuid_setfileinfo(struct ntvfs_module_context *ntvfs,
547 struct ntvfs_request *req,
548 union smb_setfileinfo *info)
549 {
550 NTSTATUS status;
551
552 PASS_THRU_REQ(ntvfs, req, setfileinfo, (ntvfs, req, info));
553
554 return status;
555 }
556
557
558 /*
559 return filesystem space info
560 */
561 static NTSTATUS unixuid_fsinfo(struct ntvfs_module_context *ntvfs,
562 struct ntvfs_request *req, union smb_fsinfo *fs)
563 {
564 NTSTATUS status;
565
566 PASS_THRU_REQ(ntvfs, req, fsinfo, (ntvfs, req, fs));
567
568 return status;
569 }
570
571 /*
572 return print queue info
573 */
574 static NTSTATUS unixuid_lpq(struct ntvfs_module_context *ntvfs,
575 struct ntvfs_request *req, union smb_lpq *lpq)
576 {
577 NTSTATUS status;
578
579 PASS_THRU_REQ(ntvfs, req, lpq, (ntvfs, req, lpq));
580
581 return status;
582 }
583
584 /*
585 list files in a directory matching a wildcard pattern
586 */
587 static NTSTATUS unixuid_search_first(struct ntvfs_module_context *ntvfs,
588 struct ntvfs_request *req, union smb_search_first *io,
589 void *search_private,
590 BOOL (*callback)(void *, union smb_search_data *))
591 {
592 NTSTATUS status;
593
594 PASS_THRU_REQ(ntvfs, req, search_first, (ntvfs, req, io, search_private, callback));
595
596 return status;
597 }
598
599 /* continue a search */
600 static NTSTATUS unixuid_search_next(struct ntvfs_module_context *ntvfs,
601 struct ntvfs_request *req, union smb_search_next *io,
602 void *search_private,
603 BOOL (*callback)(void *, union smb_search_data *))
604 {
605 NTSTATUS status;
606
607 PASS_THRU_REQ(ntvfs, req, search_next, (ntvfs, req, io, search_private, callback));
608
609 return status;
610 }
611
612 /* close a search */
613 static NTSTATUS unixuid_search_close(struct ntvfs_module_context *ntvfs,
614 struct ntvfs_request *req, union smb_search_close *io)
615 {
616 NTSTATUS status;
617
618 PASS_THRU_REQ(ntvfs, req, search_close, (ntvfs, req, io));
619
620 return status;
621 }
622
623 /* SMBtrans - not used on file shares */
624 static NTSTATUS unixuid_trans(struct ntvfs_module_context *ntvfs,
625 struct ntvfs_request *req, struct smb_trans2 *trans2)
626 {
627 NTSTATUS status;
628
629 PASS_THRU_REQ(ntvfs, req, trans, (ntvfs, req, trans2));
630
631 return status;
632 }
633
634 /*
635 initialise the unixuid backend, registering ourselves with the ntvfs subsystem
636 */
637 NTSTATUS ntvfs_unixuid_init(void)
638 {
639 NTSTATUS ret;
640 struct ntvfs_ops ops;
641
642 ZERO_STRUCT(ops);
643
644 /* fill in all the operations */
645 ops.connect = unixuid_connect;
646 ops.disconnect = unixuid_disconnect;
647 ops.unlink = unixuid_unlink;
648 ops.chkpath = unixuid_chkpath;
649 ops.qpathinfo = unixuid_qpathinfo;
650 ops.setpathinfo = unixuid_setpathinfo;
651 ops.open = unixuid_open;
652 ops.mkdir = unixuid_mkdir;
653 ops.rmdir = unixuid_rmdir;
654 ops.rename = unixuid_rename;
655 ops.copy = unixuid_copy;
656 ops.ioctl = unixuid_ioctl;
657 ops.read = unixuid_read;
658 ops.write = unixuid_write;
659 ops.seek = unixuid_seek;
660 ops.flush = unixuid_flush;
661 ops.close = unixuid_close;
662 ops.exit = unixuid_exit;
663 ops.lock = unixuid_lock;
664 ops.setfileinfo = unixuid_setfileinfo;
665 ops.qfileinfo = unixuid_qfileinfo;
666 ops.fsinfo = unixuid_fsinfo;
667 ops.lpq = unixuid_lpq;
668 ops.search_first = unixuid_search_first;
669 ops.search_next = unixuid_search_next;
670 ops.search_close = unixuid_search_close;
671 ops.trans = unixuid_trans;
672 ops.logoff = unixuid_logoff;
673 ops.async_setup = unixuid_async_setup;
674 ops.cancel = unixuid_cancel;
675 ops.notify = unixuid_notify;
676
677 ops.name = "unixuid";
678
679 /* we register under all 3 backend types, as we are not type specific */
680 ops.type = NTVFS_DISK;
681 ret = ntvfs_register(&ops);
682 if (!NT_STATUS_IS_OK(ret)) goto failed;
683
684 ops.type = NTVFS_PRINT;
685 ret = ntvfs_register(&ops);
686 if (!NT_STATUS_IS_OK(ret)) goto failed;
687
688 ops.type = NTVFS_IPC;
689 ret = ntvfs_register(&ops);
690 if (!NT_STATUS_IS_OK(ret)) goto failed;
691
692 failed:
693 return ret;
694 }
aatanasov's samba4 branch