search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3: Make smbd aware of permission change of usershare. Since usershare are relatively...
[Samba/bb.git] / source3 / smbd / uid.c
blob8e5a386a2dcb19f5222c5437363ae33d60ae012f
1 /*
2 Unix SMB/CIFS implementation.
3 uid/user handling
4 Copyright (C) Andrew Tridgell 1992-1998
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
18 */
19
20 #include "includes.h"
21 #include "smbd/globals.h"
22
23 /* what user is current? */
24 extern struct current_user current_user;
25
26 /****************************************************************************
27 Become the guest user without changing the security context stack.
28 ****************************************************************************/
29
30 bool change_to_guest(void)
31 {
32 struct passwd *pass;
33
34 pass = getpwnam_alloc(talloc_autofree_context(), lp_guestaccount());
35 if (!pass) {
36 return false;
37 }
38
39 #ifdef AIX
40 /* MWW: From AIX FAQ patch to WU-ftpd: call initgroups before
41 setting IDs */
42 initgroups(pass->pw_name, pass->pw_gid);
43 #endif
44
45 set_sec_ctx(pass->pw_uid, pass->pw_gid, 0, NULL, NULL);
46
47 current_user.conn = NULL;
48 current_user.vuid = UID_FIELD_INVALID;
49
50 TALLOC_FREE(pass);
51
52 return true;
53 }
54
55 /****************************************************************************
56 talloc free the conn->server_info if not used in the vuid cache.
57 ****************************************************************************/
58
59 static void free_conn_server_info_if_unused(connection_struct *conn)
60 {
61 unsigned int i;
62
63 for (i = 0; i < VUID_CACHE_SIZE; i++) {
64 struct vuid_cache_entry *ent;
65 ent = &conn->vuid_cache.array[i];
66 if (ent->vuid != UID_FIELD_INVALID &&
67 conn->server_info == ent->server_info) {
68 return;
69 }
70 }
71 /* Not used, safe to free. */
72 TALLOC_FREE(conn->server_info);
73 }
74
75 /*******************************************************************
76 Check if a username is OK.
77
78 This sets up conn->server_info with a copy related to this vuser that
79 later code can then mess with.
80 ********************************************************************/
81
82 static bool check_user_ok(connection_struct *conn,
83 uint16_t vuid,
84 const struct auth_serversupplied_info *server_info,
85 int snum, bool recheck, NTSTATUS *pstatus)
86 {
87 bool valid_vuid = (vuid != UID_FIELD_INVALID);
88 unsigned int i;
89 bool readonly_share;
90 bool admin_user;
91 struct vuid_cache_entry *ent0;
92
93 if (pstatus) {
94 *pstatus = NT_STATUS_OK;
95 }
96
97 if (valid_vuid) {
98 struct vuid_cache_entry *ent;
99
100 for (i=0; i<VUID_CACHE_SIZE; i++) {
101 ent = &conn->vuid_cache.array[i];
102 if (ent->vuid == vuid) {
103 free_conn_server_info_if_unused(conn);
104 ent0 = ent;
105 if (!recheck) {
106 conn->server_info = ent->server_info;
107 conn->read_only = ent->read_only;
108 conn->admin_user = ent->admin_user;
109 return(True);
110 } else {
111 break;
112 }
113 }
114 }
115 }
116
117 if (!user_ok_token(server_info->unix_name,
118 pdb_get_domain(server_info->sam_account),
119 server_info->ptok, snum)) {
120 if (pstatus) {
121 *pstatus = NT_STATUS_ACCESS_DENIED;
122 }
123 return(False);
124 }
125
126 readonly_share = is_share_read_only_for_token(
127 server_info->unix_name,
128 pdb_get_domain(server_info->sam_account),
129 server_info->ptok,
130 conn);
131
132 if (!readonly_share &&
133 !share_access_check(server_info->ptok, lp_servicename(snum),
134 FILE_WRITE_DATA)) {
135 /* smb.conf allows r/w, but the security descriptor denies
136 * write. Fall back to looking at readonly. */
137 readonly_share = True;
138 DEBUG(5,("falling back to read-only access-evaluation due to "
139 "security descriptor\n"));
140 }
141
142 if (!share_access_check(server_info->ptok, lp_servicename(snum),
143 readonly_share ?
144 FILE_READ_DATA : FILE_WRITE_DATA)) {
145 if (pstatus) {
146 *pstatus = NT_STATUS_ACCESS_DENIED;
147 }
148 return False;
149 }
150
151 admin_user = token_contains_name_in_list(
152 server_info->unix_name,
153 pdb_get_domain(server_info->sam_account),
154 NULL, server_info->ptok, lp_admin_users(snum));
155
156 if (valid_vuid) {
157 struct vuid_cache_entry *ent = NULL;
158
159 if (!recheck || i == VUID_CACHE_SIZE) {
160 /* find a new entry and fill it. */
161 ent = &conn->vuid_cache.array[conn->vuid_cache.next_entry];
162
163 conn->vuid_cache.next_entry =
164 (conn->vuid_cache.next_entry + 1) % VUID_CACHE_SIZE;
165
166 TALLOC_FREE(ent->server_info);
167 } else if (recheck && (i < VUID_CACHE_SIZE) && (ent0->vuid == vuid)) {
168 /* she perform forced recheck, replace the old one. */
169 ent = ent0;
170 } else {
171 /* must not happen */
172 DEBUG(0, ("check_user_ok: recheck %s\n", recheck ? "true" : "false"));
173 DEBUG(0, ("check_user_ok: vuid cache %d -- %d\n", i, VUID_CACHE_SIZE));
174 DEBUG(0, ("check_user_ok: vuid %d -- %d\n", ent0->vuid, vuid));
175 smb_panic("should not happen");
176 }
177
178 /*
179 * If force_user was set, all server_info's are based on the same
180 * username-based faked one.
181 */
182
183 ent->server_info = copy_serverinfo(
184 conn, conn->force_user ? conn->server_info : server_info);
185
186 if (ent->server_info == NULL) {
187 ent->vuid = UID_FIELD_INVALID;
188 if (pstatus) {
189 *pstatus = NT_STATUS_NO_MEMORY;
190 }
191 return false;
192 }
193
194 ent->vuid = vuid;
195 ent->read_only = readonly_share;
196 ent->admin_user = admin_user;
197 free_conn_server_info_if_unused(conn);
198 conn->server_info = ent->server_info;
199 }
200
201 conn->read_only = readonly_share;
202 conn->admin_user = admin_user;
203
204 return(True);
205 }
206
207 /****************************************************************************
208 Clear a vuid out of the connection's vuid cache
209 This is only called on SMBulogoff.
210 ****************************************************************************/
211
212 void conn_clear_vuid_cache(connection_struct *conn, uint16_t vuid)
213 {
214 int i;
215
216 for (i=0; i<VUID_CACHE_SIZE; i++) {
217 struct vuid_cache_entry *ent;
218
219 ent = &conn->vuid_cache.array[i];
220
221 if (ent->vuid == vuid) {
222 ent->vuid = UID_FIELD_INVALID;
223 /*
224 * We need to keep conn->server_info around
225 * if it's equal to ent->server_info as a SMBulogoff
226 * is often followed by a SMBtdis (with an invalid
227 * vuid). The debug code (or regular code in
228 * vfs_full_audit) wants to refer to the
229 * conn->server_info pointer to print debug
230 * statements. Theoretically this is a bug,
231 * as once the vuid is gone the server_info
232 * on the conn struct isn't valid any more,
233 * but there's enough code that assumes
234 * conn->server_info is never null that
235 * it's easier to hold onto the old pointer
236 * until we get a new sessionsetupX.
237 * As everything is hung off the
238 * conn pointer as a talloc context we're not
239 * leaking memory here. See bug #6315. JRA.
240 */
241 if (conn->server_info == ent->server_info) {
242 ent->server_info = NULL;
243 } else {
244 TALLOC_FREE(ent->server_info);
245 }
246 ent->read_only = False;
247 ent->admin_user = False;
248 }
249 }
250 }
251
252 /****************************************************************************
253 Become the user of a connection number without changing the security context
254 stack, but modify the current_user entries.
255 ****************************************************************************/
256
257 bool change_to_user_force_recheck(connection_struct *conn, uint16 vuid,
258 bool recheck, NTSTATUS *pstatus)
259 {
260 const struct auth_serversupplied_info *server_info = NULL;
261 struct smbd_server_connection *sconn = smbd_server_conn;
262 user_struct *vuser = get_valid_user_struct(sconn, vuid);
263 int snum;
264 gid_t gid;
265 uid_t uid;
266 char group_c;
267 int num_groups = 0;
268 gid_t *group_list = NULL;
269
270 if (!conn) {
271 DEBUG(2,("change_to_user: Connection not open\n"));
272 if (pstatus) {
273 *pstatus = NT_STATUS_INVALID_HANDLE;
274 }
275 return(False);
276 }
277
278 /*
279 * We need a separate check in security=share mode due to vuid
280 * always being UID_FIELD_INVALID. If we don't do this then
281 * in share mode security we are *always* changing uid's between
282 * SMB's - this hurts performance - Badly.
283 */
284
285 if (!recheck) {
286 if((lp_security() == SEC_SHARE) && (current_user.conn == conn) &&
287 (current_user.ut.uid == conn->server_info->utok.uid)) {
288 DEBUG(4,("change_to_user: Skipping user change - already "
289 "user\n"));
290 return(True);
291 } else if ((current_user.conn == conn) &&
292 (vuser != NULL) && (current_user.vuid == vuid) &&
293 (current_user.ut.uid == vuser->server_info->utok.uid)) {
294 DEBUG(4,("change_to_user: Skipping user change - already "
295 "user\n"));
296 return(True);
297 }
298 }
299
300 snum = SNUM(conn);
301
302 server_info = vuser ? vuser->server_info : conn->server_info;
303
304 if (!server_info) {
305 /* Invalid vuid sent - even with security = share. */
306 DEBUG(2,("change_to_user: Invalid vuid %d used on "
307 "share %s.\n",vuid, lp_servicename(snum) ));
308 if (pstatus) {
309 *pstatus = NT_STATUS_ACCESS_VIOLATION;
310 }
311 return false;
312 }
313
314 if (!check_user_ok(conn, vuid, server_info, snum, recheck, pstatus)) {
315 DEBUG(2,("change_to_user: SMB user %s (unix user %s, vuid %d) "
316 "not permitted access to share %s.\n",
317 server_info->sanitized_username,
318 server_info->unix_name, vuid,
319 lp_servicename(snum)));
320 return false;
321 }
322
323 /*
324 * conn->server_info is now correctly set up with a copy we can mess
325 * with for force_group etc.
326 */
327
328 if (conn->force_user) /* security = share sets this too */ {
329 uid = conn->server_info->utok.uid;
330 gid = conn->server_info->utok.gid;
331 group_list = conn->server_info->utok.groups;
332 num_groups = conn->server_info->utok.ngroups;
333 } else if (vuser) {
334 uid = conn->admin_user ? 0 : vuser->server_info->utok.uid;
335 gid = conn->server_info->utok.gid;
336 num_groups = conn->server_info->utok.ngroups;
337 group_list = conn->server_info->utok.groups;
338 } else {
339 DEBUG(2,("change_to_user: Invalid vuid used %d in accessing "
340 "share %s.\n",vuid, lp_servicename(snum) ));
341 if (pstatus) {
342 *pstatus = NT_STATUS_DOS(ERRSRV, ERRbaduid);
343 }
344 return False;
345 }
346
347 /*
348 * See if we should force group for this service.
349 * If so this overrides any group set in the force
350 * user code.
351 */
352
353 if((group_c = *lp_force_group(snum))) {
354
355 SMB_ASSERT(conn->force_group_gid != (gid_t)-1);
356
357 if(group_c == '+') {
358
359 /*
360 * Only force group if the user is a member of
361 * the service group. Check the group memberships for
362 * this user (we already have this) to
363 * see if we should force the group.
364 */
365
366 int i;
367 for (i = 0; i < num_groups; i++) {
368 if (group_list[i]
369 == conn->force_group_gid) {
370 conn->server_info->utok.gid =
371 conn->force_group_gid;
372 gid = conn->force_group_gid;
373 gid_to_sid(&conn->server_info->ptok
374 ->user_sids[1], gid);
375 break;
376 }
377 }
378 } else {
379 conn->server_info->utok.gid = conn->force_group_gid;
380 gid = conn->force_group_gid;
381 gid_to_sid(&conn->server_info->ptok->user_sids[1],
382 gid);
383 }
384 }
385
386 /* Now set current_user since we will immediately also call
387 set_sec_ctx() */
388
389 current_user.ut.ngroups = num_groups;
390 current_user.ut.groups = group_list;
391
392 set_sec_ctx(uid, gid, current_user.ut.ngroups, current_user.ut.groups,
393 conn->server_info->ptok);
394
395 current_user.conn = conn;
396 current_user.vuid = vuid;
397
398 DEBUG(5,("change_to_user uid=(%d,%d) gid=(%d,%d)\n",
399 (int)getuid(),(int)geteuid(),(int)getgid(),(int)getegid()));
400
401 if (pstatus) {
402 *pstatus = NT_STATUS_OK;
403 }
404 return(True);
405 }
406
407 /****************************************************************************
408 Go back to being root without changing the security context stack,
409 but modify the current_user entries.
410 ****************************************************************************/
411
412 bool change_to_root_user(void)
413 {
414 set_root_sec_ctx();
415
416 DEBUG(5,("change_to_root_user: now uid=(%d,%d) gid=(%d,%d)\n",
417 (int)getuid(),(int)geteuid(),(int)getgid(),(int)getegid()));
418
419 current_user.conn = NULL;
420 current_user.vuid = UID_FIELD_INVALID;
421
422 return(True);
423 }
424
425 /****************************************************************************
426 Become the user of an authenticated connected named pipe.
427 When this is called we are currently running as the connection
428 user. Doesn't modify current_user.
429 ****************************************************************************/
430
431 bool become_authenticated_pipe_user(pipes_struct *p)
432 {
433 if (!push_sec_ctx())
434 return False;
435
436 set_sec_ctx(p->server_info->utok.uid, p->server_info->utok.gid,
437 p->server_info->utok.ngroups, p->server_info->utok.groups,
438 p->server_info->ptok);
439
440 return True;
441 }
442
443 /****************************************************************************
444 Unbecome the user of an authenticated connected named pipe.
445 When this is called we are running as the authenticated pipe
446 user and need to go back to being the connection user. Doesn't modify
447 current_user.
448 ****************************************************************************/
449
450 bool unbecome_authenticated_pipe_user(void)
451 {
452 return pop_sec_ctx();
453 }
454
455 /****************************************************************************
456 Utility functions used by become_xxx/unbecome_xxx.
457 ****************************************************************************/
458
459 static void push_conn_ctx(void)
460 {
461 struct conn_ctx *ctx_p;
462
463 /* Check we don't overflow our stack */
464
465 if (conn_ctx_stack_ndx == MAX_SEC_CTX_DEPTH) {
466 DEBUG(0, ("Connection context stack overflow!\n"));
467 smb_panic("Connection context stack overflow!\n");
468 }
469
470 /* Store previous user context */
471 ctx_p = &conn_ctx_stack[conn_ctx_stack_ndx];
472
473 ctx_p->conn = current_user.conn;
474 ctx_p->vuid = current_user.vuid;
475
476 DEBUG(3, ("push_conn_ctx(%u) : conn_ctx_stack_ndx = %d\n",
477 (unsigned int)ctx_p->vuid, conn_ctx_stack_ndx ));
478
479 conn_ctx_stack_ndx++;
480 }
481
482 static void pop_conn_ctx(void)
483 {
484 struct conn_ctx *ctx_p;
485
486 /* Check for stack underflow. */
487
488 if (conn_ctx_stack_ndx == 0) {
489 DEBUG(0, ("Connection context stack underflow!\n"));
490 smb_panic("Connection context stack underflow!\n");
491 }
492
493 conn_ctx_stack_ndx--;
494 ctx_p = &conn_ctx_stack[conn_ctx_stack_ndx];
495
496 current_user.conn = ctx_p->conn;
497 current_user.vuid = ctx_p->vuid;
498
499 ctx_p->conn = NULL;
500 ctx_p->vuid = UID_FIELD_INVALID;
501 }
502
503 /****************************************************************************
504 Temporarily become a root user. Must match with unbecome_root(). Saves and
505 restores the connection context.
506 ****************************************************************************/
507
508 void become_root(void)
509 {
510 /*
511 * no good way to handle push_sec_ctx() failing without changing
512 * the prototype of become_root()
513 */
514 if (!push_sec_ctx()) {
515 smb_panic("become_root: push_sec_ctx failed");
516 }
517 push_conn_ctx();
518 set_root_sec_ctx();
519 }
520
521 /* Unbecome the root user */
522
523 void unbecome_root(void)
524 {
525 pop_sec_ctx();
526 pop_conn_ctx();
527 }
528
529 /****************************************************************************
530 Push the current security context then force a change via change_to_user().
531 Saves and restores the connection context.
532 ****************************************************************************/
533
534 bool become_user(connection_struct *conn, uint16 vuid)
535 {
536 if (!push_sec_ctx())
537 return False;
538
539 push_conn_ctx();
540
541 if (!change_to_user(conn, vuid)) {
542 pop_sec_ctx();
543 pop_conn_ctx();
544 return False;
545 }
546
547 return True;
548 }
549
550 bool unbecome_user(void)
551 {
552 pop_sec_ctx();
553 pop_conn_ctx();
554 return True;
555 }