search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Patch from Andrew Bartlett <abartlet@samba.org> for security=server core
[Samba/bb.git] / source3 / auth / auth_rhosts.c
blobb295df9328f2be655242bdb4695fec72f3e9dede
1 /*
2 Unix SMB/CIFS implementation.
3 Main SMB reply routines
4 Copyright (C) Andrew Tridgell 1992-1998
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2 of the License, or
9 (at your option) any later version.
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with this program; if not, write to the Free Software
18 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
19 */
20
21 #include "includes.h"
22
23 #undef DBGC_CLASS
24 #define DBGC_CLASS DBGC_AUTH
25
26 /****************************************************************************
27 Read the a hosts.equiv or .rhosts file and check if it
28 allows this user from this machine.
29 ****************************************************************************/
30
31 static BOOL check_user_equiv(const char *user, const char *remote, const char *equiv_file)
32 {
33 int plus_allowed = 1;
34 char *file_host;
35 char *file_user;
36 char **lines = file_lines_load(equiv_file, NULL);
37 int i;
38
39 DEBUG(5, ("check_user_equiv %s %s %s\n", user, remote, equiv_file));
40 if (! lines) return False;
41 for (i=0; lines[i]; i++) {
42 char *buf = lines[i];
43 trim_char(buf,' ',' ');
44
45 if (buf[0] != '#' && buf[0] != '\n')
46 {
47 BOOL is_group = False;
48 int plus = 1;
49 char *bp = buf;
50 if (strcmp(buf, "NO_PLUS\n") == 0)
51 {
52 DEBUG(6, ("check_user_equiv NO_PLUS\n"));
53 plus_allowed = 0;
54 }
55 else {
56 if (buf[0] == '+')
57 {
58 bp++;
59 if (*bp == '\n' && plus_allowed)
60 {
61 /* a bare plus means everbody allowed */
62 DEBUG(6, ("check_user_equiv everybody allowed\n"));
63 file_lines_free(lines);
64 return True;
65 }
66 }
67 else if (buf[0] == '-')
68 {
69 bp++;
70 plus = 0;
71 }
72 if (*bp == '@')
73 {
74 is_group = True;
75 bp++;
76 }
77 file_host = strtok(bp, " \t\n");
78 file_user = strtok(NULL, " \t\n");
79 DEBUG(7, ("check_user_equiv %s %s\n", file_host ? file_host : "(null)",
80 file_user ? file_user : "(null)" ));
81 if (file_host && *file_host)
82 {
83 BOOL host_ok = False;
84
85 #if defined(HAVE_NETGROUP) && defined(HAVE_YP_GET_DEFAULT_DOMAIN)
86 if (is_group)
87 {
88 static char *mydomain = NULL;
89 if (!mydomain)
90 yp_get_default_domain(&mydomain);
91 if (mydomain && innetgr(file_host,remote,user,mydomain))
92 host_ok = True;
93 }
94 #else
95 if (is_group)
96 {
97 DEBUG(1,("Netgroups not configured\n"));
98 continue;
99 }
100 #endif
101
102 /* is it this host */
103 /* the fact that remote has come from a call of gethostbyaddr
104 * means that it may have the fully qualified domain name
105 * so we could look up the file version to get it into
106 * a canonical form, but I would rather just type it
107 * in full in the equiv file
108 */
109 if (!host_ok && !is_group && strequal(remote, file_host))
110 host_ok = True;
111
112 if (!host_ok)
113 continue;
114
115 /* is it this user */
116 if (file_user == 0 || strequal(user, file_user))
117 {
118 DEBUG(5, ("check_user_equiv matched %s%s %s\n",
119 (plus ? "+" : "-"), file_host,
120 (file_user ? file_user : "")));
121 file_lines_free(lines);
122 return (plus ? True : False);
123 }
124 }
125 }
126 }
127 }
128 file_lines_free(lines);
129 return False;
130 }
131
132 /****************************************************************************
133 check for a possible hosts equiv or rhosts entry for the user
134 ****************************************************************************/
135
136 static BOOL check_hosts_equiv(SAM_ACCOUNT *account)
137 {
138 uid_t uid;
139 char *fname = NULL;
140
141 fname = lp_hosts_equiv();
142 if (!NT_STATUS_IS_OK(sid_to_uid(pdb_get_user_sid(account), &uid)))
143 return False;
144
145 /* note: don't allow hosts.equiv on root */
146 if (fname && *fname && uid != 0) {
147 if (check_user_equiv(pdb_get_username(account),client_name(),fname))
148 return True;
149 }
150
151 return False;
152 }
153
154
155 /****************************************************************************
156 Check for a valid .rhosts/hosts.equiv entry for this user
157 ****************************************************************************/
158
159 static NTSTATUS check_hostsequiv_security(const struct auth_context *auth_context,
160 void *my_private_data,
161 TALLOC_CTX *mem_ctx,
162 const auth_usersupplied_info *user_info,
163 auth_serversupplied_info **server_info)
164 {
165 NTSTATUS nt_status;
166 SAM_ACCOUNT *account = NULL;
167 if (!NT_STATUS_IS_OK(nt_status =
168 auth_get_sam_account(user_info->internal_username.str,
169 &account))) {
170 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER))
171 nt_status = NT_STATUS_NOT_IMPLEMENTED;
172 return nt_status;
173 }
174
175 if (check_hosts_equiv(account)) {
176 nt_status = make_server_info_sam(server_info, account);
177 } else {
178 pdb_free_sam(&account);
179 nt_status = NT_STATUS_NOT_IMPLEMENTED;
180 }
181
182 return nt_status;
183 }
184
185 /* module initialisation */
186 static NTSTATUS auth_init_hostsequiv(struct auth_context *auth_context, const char* param, auth_methods **auth_method)
187 {
188 if (!make_auth_methods(auth_context, auth_method)) {
189 return NT_STATUS_NO_MEMORY;
190 }
191
192 (*auth_method)->auth = check_hostsequiv_security;
193 (*auth_method)->name = "hostsequiv";
194 return NT_STATUS_OK;
195 }
196
197
198 /****************************************************************************
199 Check for a valid .rhosts/hosts.equiv entry for this user
200 ****************************************************************************/
201
202 static NTSTATUS check_rhosts_security(const struct auth_context *auth_context,
203 void *my_private_data,
204 TALLOC_CTX *mem_ctx,
205 const auth_usersupplied_info *user_info,
206 auth_serversupplied_info **server_info)
207 {
208 NTSTATUS nt_status;
209 SAM_ACCOUNT *account = NULL;
210 pstring rhostsfile;
211 const char *home;
212
213 if (!NT_STATUS_IS_OK(nt_status =
214 auth_get_sam_account(user_info->internal_username.str,
215 &account))) {
216 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER))
217 nt_status = NT_STATUS_NOT_IMPLEMENTED;
218 return nt_status;
219 }
220
221 home = pdb_get_unix_homedir(account);
222
223 if (home) {
224 slprintf(rhostsfile, sizeof(rhostsfile)-1, "%s/.rhosts", home);
225 become_root();
226 if (check_user_equiv(pdb_get_username(account),client_name(),rhostsfile)) {
227 nt_status = make_server_info_sam(server_info, account);
228 } else {
229 pdb_free_sam(&account);
230 }
231 unbecome_root();
232 } else {
233 pdb_free_sam(&account);
234 nt_status = NT_STATUS_NOT_IMPLEMENTED;
235 }
236
237 return nt_status;
238 }
239
240 /* module initialisation */
241 static NTSTATUS auth_init_rhosts(struct auth_context *auth_context, const char *param, auth_methods **auth_method)
242 {
243 if (!make_auth_methods(auth_context, auth_method)) {
244 return NT_STATUS_NO_MEMORY;
245 }
246
247 (*auth_method)->auth = check_rhosts_security;
248 (*auth_method)->name = "rhosts";
249 return NT_STATUS_OK;
250 }
251
252 NTSTATUS auth_rhosts_init(void)
253 {
254 smb_register_auth(AUTH_INTERFACE_VERSION, "rhosts", auth_init_rhosts);
255 smb_register_auth(AUTH_INTERFACE_VERSION, "hostsequiv", auth_init_hostsequiv);
256 return NT_STATUS_OK;
257 }