search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
BUG 417: fix %UuGg variables expansion in include lines setging the current_user_info...
[Samba/bb.git] / source / lib / username.c
blobac5530b5c71dd7b2c04cc93be56f377cd5a05e71
1 /*
2 Unix SMB/CIFS implementation.
3 Username handling
4 Copyright (C) Andrew Tridgell 1992-1998
5 Copyright (C) Jeremy Allison 1997-2001.
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 2 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with this program; if not, write to the Free Software
19 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
20 */
21
22 #include "includes.h"
23
24 /* internal functions */
25 static struct passwd *uname_string_combinations(char *s, struct passwd * (*fn) (const char *), int N);
26 static struct passwd *uname_string_combinations2(char *s, int offset, struct passwd * (*fn) (const char *), int N);
27
28 /*****************************************************************
29 Check if a user or group name is local (this is a *local* name for
30 *local* people, there's nothing for you here...).
31 *****************************************************************/
32
33 static BOOL name_is_local(const char *name)
34 {
35 return !(strchr_m(name, *lp_winbind_separator()));
36 }
37
38 /*****************************************************************
39 Splits passed user or group name to domain and user/group name parts
40 Returns True if name was splitted and False otherwise.
41 *****************************************************************/
42
43 BOOL split_domain_and_name(const char *name, char *domain, char* username)
44 {
45 char *p = strchr(name,*lp_winbind_separator());
46
47
48 /* Parse a string of the form DOMAIN/user into a domain and a user */
49 DEBUG(10,("split_domain_and_name: checking whether name |%s| local or not\n", name));
50
51 if (p) {
52 fstrcpy(username, p+1);
53 fstrcpy(domain, name);
54 domain[PTR_DIFF(p, name)] = 0;
55 } else if (lp_winbind_use_default_domain()) {
56 fstrcpy(username, name);
57 fstrcpy(domain, lp_workgroup());
58 } else {
59 return False;
60 }
61
62 DEBUG(10,("split_domain_and_name: all is fine, domain is |%s| and name is |%s|\n", domain, username));
63 return True;
64 }
65
66 /****************************************************************************
67 Get a users home directory.
68 ****************************************************************************/
69
70 char *get_user_home_dir(const char *user)
71 {
72 static struct passwd *pass;
73
74 /* Ensure the user exists. */
75
76 pass = Get_Pwnam(user);
77
78 if (!pass)
79 return(NULL);
80 /* Return home directory from struct passwd. */
81
82 return(pass->pw_dir);
83 }
84
85 /*******************************************************************
86 Map a username from a dos name to a unix name by looking in the username
87 map. Note that this modifies the name in place.
88 This is the main function that should be called *once* on
89 any incoming or new username - in order to canonicalize the name.
90 This is being done to de-couple the case conversions from the user mapping
91 function. Previously, the map_username was being called
92 every time Get_Pwnam was called.
93 Returns True if username was changed, false otherwise.
94 ********************************************************************/
95
96 BOOL map_username(char *user)
97 {
98 static BOOL initialised=False;
99 static fstring last_from,last_to;
100 XFILE *f;
101 char *mapfile = lp_username_map();
102 char *s;
103 pstring buf;
104 BOOL mapped_user = False;
105
106 if (!*user)
107 return False;
108
109 if (!*mapfile)
110 return False;
111
112 if (!initialised) {
113 *last_from = *last_to = 0;
114 initialised = True;
115 }
116
117 if (strequal(user,last_to))
118 return False;
119
120 if (strequal(user,last_from)) {
121 DEBUG(3,("Mapped user %s to %s\n",user,last_to));
122 fstrcpy(user,last_to);
123 return True;
124 }
125
126 f = x_fopen(mapfile,O_RDONLY, 0);
127 if (!f) {
128 DEBUG(0,("can't open username map %s. Error %s\n",mapfile, strerror(errno) ));
129 return False;
130 }
131
132 DEBUG(4,("Scanning username map %s\n",mapfile));
133
134 while((s=fgets_slash(buf,sizeof(buf),f))!=NULL) {
135 char *unixname = s;
136 char *dosname = strchr_m(unixname,'=');
137 char **dosuserlist;
138 BOOL return_if_mapped = False;
139
140 if (!dosname)
141 continue;
142
143 *dosname++ = 0;
144
145 while (isspace((int)*unixname))
146 unixname++;
147
148 if ('!' == *unixname) {
149 return_if_mapped = True;
150 unixname++;
151 while (*unixname && isspace((int)*unixname))
152 unixname++;
153 }
154
155 if (!*unixname || strchr_m("#;",*unixname))
156 continue;
157
158 {
159 int l = strlen(unixname);
160 while (l && isspace((int)unixname[l-1])) {
161 unixname[l-1] = 0;
162 l--;
163 }
164 }
165
166 dosuserlist = str_list_make(dosname, NULL);
167 if (!dosuserlist) {
168 DEBUG(0,("Unable to build user list\n"));
169 return False;
170 }
171
172 if (strchr_m(dosname,'*') || user_in_list(user, (const char **)dosuserlist, NULL, 0)) {
173 DEBUG(3,("Mapped user %s to %s\n",user,unixname));
174 mapped_user = True;
175 fstrcpy(last_from,user);
176 sscanf(unixname,"%s",user);
177 fstrcpy(last_to,user);
178 if(return_if_mapped) {
179 str_list_free (&dosuserlist);
180 x_fclose(f);
181 return True;
182 }
183 }
184
185 str_list_free (&dosuserlist);
186 }
187
188 x_fclose(f);
189
190 /*
191 * Setup the last_from and last_to as an optimization so
192 * that we don't scan the file again for the same user.
193 */
194 fstrcpy(last_from,user);
195 fstrcpy(last_to,user);
196
197 return mapped_user;
198 }
199
200 /****************************************************************************
201 * A wrapper for sys_getpwnam(). The following variations are tried:
202 * - as transmitted
203 * - in all lower case if this differs from transmitted
204 * - in all upper case if this differs from transmitted
205 * - using lp_usernamelevel() for permutations.
206 ****************************************************************************/
207
208 static struct passwd *Get_Pwnam_ret = NULL;
209
210 static struct passwd *Get_Pwnam_internals(const char *user, char *user2)
211 {
212 struct passwd *ret = NULL;
213
214 if (!user2 || !(*user2))
215 return(NULL);
216
217 if (!user || !(*user))
218 return(NULL);
219
220 /* Try in all lower case first as this is the most
221 common case on UNIX systems */
222 strlower_m(user2);
223 DEBUG(5,("Trying _Get_Pwnam(), username as lowercase is %s\n",user2));
224 ret = getpwnam_alloc(user2);
225 if(ret)
226 goto done;
227
228 /* Try as given, if username wasn't originally lowercase */
229 if(strcmp(user, user2) != 0) {
230 DEBUG(5,("Trying _Get_Pwnam(), username as given is %s\n", user));
231 ret = getpwnam_alloc(user);
232 if(ret)
233 goto done;
234 }
235
236 /* Try as uppercase, if username wasn't originally uppercase */
237 strupper_m(user2);
238 if(strcmp(user, user2) != 0) {
239 DEBUG(5,("Trying _Get_Pwnam(), username as uppercase is %s\n", user2));
240 ret = getpwnam_alloc(user2);
241 if(ret)
242 goto done;
243 }
244
245 /* Try all combinations up to usernamelevel */
246 strlower_m(user2);
247 DEBUG(5,("Checking combinations of %d uppercase letters in %s\n", lp_usernamelevel(), user2));
248 ret = uname_string_combinations(user2, getpwnam_alloc, lp_usernamelevel());
249
250 done:
251 DEBUG(5,("Get_Pwnam_internals %s find user [%s]!\n",ret ? "did":"didn't", user));
252
253 /* This call used to just return the 'passwd' static buffer.
254 This could then have accidental reuse implications, so
255 we now malloc a copy, and free it in the next use.
256
257 This should cause the (ab)user to segfault if it
258 uses an old struct.
259
260 This is better than useing the wrong data in security
261 critical operations.
262
263 The real fix is to make the callers free the returned
264 malloc'ed data.
265 */
266
267 if (Get_Pwnam_ret) {
268 passwd_free(&Get_Pwnam_ret);
269 }
270
271 Get_Pwnam_ret = ret;
272
273 return ret;
274 }
275
276 /****************************************************************************
277 Get_Pwnam wrapper without modification.
278 NOTE: This with NOT modify 'user'!
279 ****************************************************************************/
280
281 struct passwd *Get_Pwnam(const char *user)
282 {
283 fstring user2;
284 struct passwd *ret;
285
286 if ( *user == '\0' ) {
287 DEBUG(10,("Get_Pwnam: empty username!\n"));
288 return NULL;
289 }
290
291 fstrcpy(user2, user);
292
293 DEBUG(5,("Finding user %s\n", user));
294
295 ret = Get_Pwnam_internals(user, user2);
296
297 return ret;
298 }
299
300 /****************************************************************************
301 Check if a user is in a netgroup user list. If at first we don't succeed,
302 try lower case.
303 ****************************************************************************/
304
305 static BOOL user_in_netgroup_list(const char *user, const char *ngname)
306 {
307 #ifdef HAVE_NETGROUP
308 static char *mydomain = NULL;
309 fstring lowercase_user, lowercase_ngname;
310
311 if (mydomain == NULL)
312 yp_get_default_domain(&mydomain);
313
314 if(mydomain == NULL) {
315 DEBUG(5,("Unable to get default yp domain\n"));
316 return False;
317 }
318
319 DEBUG(5,("looking for user %s of domain %s in netgroup %s\n",
320 user, mydomain, ngname));
321 DEBUG(5,("innetgr is %s\n", innetgr(ngname, NULL, user, mydomain)
322 ? "TRUE" : "FALSE"));
323
324 if (innetgr(ngname, NULL, user, mydomain))
325 return (True);
326
327 /*
328 * Ok, innetgr is case sensitive. Try once more with lowercase
329 * just in case. Attempt to fix #703. JRA.
330 */
331
332 fstrcpy(lowercase_user, user);
333 strlower_m(lowercase_user);
334 fstrcpy(lowercase_ngname, ngname);
335 strlower_m(lowercase_ngname);
336
337 if (innetgr(lowercase_ngname, NULL, lowercase_user, mydomain))
338 return (True);
339
340 #endif /* HAVE_NETGROUP */
341 return False;
342 }
343
344 /****************************************************************************
345 Check if a user is in a winbind group.
346 ****************************************************************************/
347
348 static BOOL user_in_winbind_group_list(const char *user, const char *gname, BOOL *winbind_answered)
349 {
350 int i;
351 gid_t gid, gid_low, gid_high;
352 BOOL ret = False;
353 static gid_t *groups = NULL;
354 static int num_groups = 0;
355 static fstring last_user = "";
356
357 *winbind_answered = False;
358
359 if ((gid = nametogid(gname)) == (gid_t)-1) {
360 DEBUG(0,("user_in_winbind_group_list: nametogid for group %s failed.\n",
361 gname ));
362 goto err;
363 }
364
365 if (!lp_idmap_gid(&gid_low, &gid_high)) {
366 DEBUG(4, ("winbind gid range not configured, therefore %s cannot be a winbind group\n", gname));
367 goto err;
368 }
369
370 if (gid < gid_low || gid > gid_high) {
371 DEBUG(4, ("group %s is not a winbind group\n", gname));
372 goto err;
373 }
374
375 /* try to user the last user we looked up */
376 /* otherwise fall back to lookups */
377
378 if ( !strequal( last_user, user ) || !groups )
379 {
380 /* clear any cached information */
381
382 SAFE_FREE(groups);
383 fstrcpy( last_user, "" );
384
385 /*
386 * Get the gid's that this user belongs to.
387 */
388
389 if ((num_groups = winbind_getgroups(user, &groups)) == -1)
390 return False;
391
392 if ( num_groups == -1 )
393 return False;
394
395 if ( num_groups == 0 ) {
396 *winbind_answered = True;
397 return False;
398 }
399
400 /* save the last username */
401
402 fstrcpy( last_user, user );
403
404 }
405 else
406 DEBUG(10,("user_in_winbind_group_list: using cached user groups for [%s]\n", user));
407
408 if ( DEBUGLEVEL >= 10 ) {
409 DEBUG(10,("user_in_winbind_group_list: using groups -- "));
410 for ( i=0; i<num_groups; i++ )
411 DEBUGADD(10,("%lu ", (unsigned long)groups[i]));
412 DEBUGADD(10,("\n"));
413 }
414
415 /*
416 * Now we have the gid list for this user - convert the gname
417 * to a gid_t via either winbind or the local UNIX lookup and do the comparison.
418 */
419
420 for (i = 0; i < num_groups; i++) {
421 if (gid == groups[i]) {
422 ret = True;
423 break;
424 }
425 }
426
427 *winbind_answered = True;
428 SAFE_FREE(groups);
429 return ret;
430
431 err:
432
433 *winbind_answered = False;
434 SAFE_FREE(groups);
435 return False;
436 }
437
438 /****************************************************************************
439 Check if a user is in a UNIX group.
440 ****************************************************************************/
441
442 BOOL user_in_unix_group_list(const char *user,const char *gname)
443 {
444 struct passwd *pass = Get_Pwnam(user);
445 struct sys_userlist *user_list;
446 struct sys_userlist *member;
447
448 DEBUG(10,("user_in_unix_group_list: checking user %s in group %s\n", user, gname));
449
450 /*
451 * We need to check the users primary group as this
452 * group is implicit and often not listed in the group database.
453 */
454
455 if (pass) {
456 if (strequal(gname,gidtoname(pass->pw_gid))) {
457 DEBUG(10,("user_in_unix_group_list: group %s is primary group.\n", gname ));
458 return True;
459 }
460 }
461
462 user_list = get_users_in_group(gname);
463 if (user_list == NULL) {
464 DEBUG(10,("user_in_unix_group_list: no such group %s\n", gname ));
465 return False;
466 }
467
468 for (member = user_list; member; member = member->next) {
469 DEBUG(10,("user_in_unix_group_list: checking user %s against member %s\n",
470 user, member->unix_name ));
471 if (strequal(member->unix_name,user)) {
472 free_userlist(user_list);
473 return(True);
474 }
475 }
476
477 free_userlist(user_list);
478 return False;
479 }
480
481 /****************************************************************************
482 Check if a user is in a group list. Ask winbind first, then use UNIX.
483 ****************************************************************************/
484
485 BOOL user_in_group_list(const char *user, const char *gname, gid_t *groups, size_t n_groups)
486 {
487 BOOL winbind_answered = False;
488 BOOL ret;
489 gid_t gid;
490 unsigned i;
491
492 gid = nametogid(gname);
493 if (gid == (gid_t)-1)
494 return False;
495
496 if (groups && n_groups > 0) {
497 for (i=0; i < n_groups; i++) {
498 if (groups[i] == gid) {
499 return True;
500 }
501 }
502 return False;
503 }
504
505 /* fallback if we don't yet have the group list */
506
507 ret = user_in_winbind_group_list(user, gname, &winbind_answered);
508 if (!winbind_answered)
509 ret = user_in_unix_group_list(user, gname);
510
511 if (ret)
512 DEBUG(10,("user_in_group_list: user |%s| is in group |%s|\n", user, gname));
513 return ret;
514 }
515
516 /****************************************************************************
517 Check if a user is in a user list - can check combinations of UNIX
518 and netgroup lists.
519 ****************************************************************************/
520
521 BOOL user_in_list(const char *user,const char **list, gid_t *groups, size_t n_groups)
522 {
523 if (!list || !*list)
524 return False;
525
526 DEBUG(10,("user_in_list: checking user %s in list\n", user));
527
528 while (*list) {
529
530 DEBUG(10,("user_in_list: checking user |%s| against |%s|\n", user, *list));
531
532 /*
533 * Check raw username.
534 */
535 if (strequal(user, *list))
536 return(True);
537
538 /*
539 * Now check to see if any combination
540 * of UNIX and netgroups has been specified.
541 */
542
543 if(**list == '@') {
544 /*
545 * Old behaviour. Check netgroup list
546 * followed by UNIX list.
547 */
548 if(user_in_netgroup_list(user, *list +1))
549 return True;
550 if(user_in_group_list(user, *list +1, groups, n_groups))
551 return True;
552 } else if (**list == '+') {
553
554 if((*(*list +1)) == '&') {
555 /*
556 * Search UNIX list followed by netgroup.
557 */
558 if(user_in_group_list(user, *list +2, groups, n_groups))
559 return True;
560 if(user_in_netgroup_list(user, *list +2))
561 return True;
562
563 } else {
564
565 /*
566 * Just search UNIX list.
567 */
568
569 if(user_in_group_list(user, *list +1, groups, n_groups))
570 return True;
571 }
572
573 } else if (**list == '&') {
574
575 if(*(*list +1) == '+') {
576 /*
577 * Search netgroup list followed by UNIX list.
578 */
579 if(user_in_netgroup_list(user, *list +2))
580 return True;
581 if(user_in_group_list(user, *list +2, groups, n_groups))
582 return True;
583 } else {
584 /*
585 * Just search netgroup list.
586 */
587 if(user_in_netgroup_list(user, *list +1))
588 return True;
589 }
590 } else if (!name_is_local(*list)) {
591 /*
592 * If user name did not match and token is not
593 * a unix group and the token has a winbind separator in the
594 * name then see if it is a Windows group.
595 */
596
597 DOM_SID g_sid;
598 enum SID_NAME_USE name_type;
599 BOOL winbind_answered = False;
600 BOOL ret;
601 fstring groupname, domain;
602
603 /* Parse a string of the form DOMAIN/user into a domain and a user */
604
605 char *p = strchr(*list,*lp_winbind_separator());
606
607 DEBUG(10,("user_in_list: checking if user |%s| is in winbind group |%s|\n", user, *list));
608
609 if (p) {
610 fstrcpy(groupname, p+1);
611 fstrcpy(domain, *list);
612 domain[PTR_DIFF(p, *list)] = 0;
613
614 /* Check to see if name is a Windows group; Win2k native mode DCs
615 will return domain local groups; while NT4 or mixed mode 2k DCs
616 will not */
617
618 if ( winbind_lookup_name(domain, groupname, &g_sid, &name_type)
619 && ( name_type==SID_NAME_DOM_GRP ||
620 (strequal(lp_workgroup(), domain) && name_type==SID_NAME_ALIAS) ) )
621 {
622
623 /* Check if user name is in the Windows group */
624 ret = user_in_winbind_group_list(user, *list, &winbind_answered);
625
626 if (winbind_answered && ret == True) {
627 DEBUG(10,("user_in_list: user |%s| is in winbind group |%s|\n", user, *list));
628 return ret;
629 }
630 }
631 }
632 }
633
634 list++;
635 }
636 return(False);
637 }
638
639 /* The functions below have been taken from password.c and slightly modified */
640 /****************************************************************************
641 Apply a function to upper/lower case combinations
642 of a string and return true if one of them returns true.
643 Try all combinations with N uppercase letters.
644 offset is the first char to try and change (start with 0)
645 it assumes the string starts lowercased
646 ****************************************************************************/
647
648 static struct passwd *uname_string_combinations2(char *s,int offset,struct passwd *(*fn)(const char *),int N)
649 {
650 ssize_t len = (ssize_t)strlen(s);
651 int i;
652 struct passwd *ret;
653
654 if (N <= 0 || offset >= len)
655 return(fn(s));
656
657 for (i=offset;i<(len-(N-1));i++) {
658 char c = s[i];
659 if (!islower((int)c))
660 continue;
661 s[i] = toupper(c);
662 ret = uname_string_combinations2(s,i+1,fn,N-1);
663 if(ret)
664 return(ret);
665 s[i] = c;
666 }
667 return(NULL);
668 }
669
670 /****************************************************************************
671 Apply a function to upper/lower case combinations
672 of a string and return true if one of them returns true.
673 Try all combinations with up to N uppercase letters.
674 offset is the first char to try and change (start with 0)
675 it assumes the string starts lowercased
676 ****************************************************************************/
677
678 static struct passwd * uname_string_combinations(char *s,struct passwd * (*fn)(const char *),int N)
679 {
680 int n;
681 struct passwd *ret;
682
683 for (n=1;n<=N;n++) {
684 ret = uname_string_combinations2(s,0,fn,n);
685 if(ret)
686 return(ret);
687 }
688 return(NULL);
689 }
690