search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
format-subunit: Hide reason if it is None.
[Samba/eduardoll.git] / source3 / smbd / uid.c
blob5e61098ecba0740be97143cc1259ca0b04b16c8d
1 /*
2 Unix SMB/CIFS implementation.
3 uid/user handling
4 Copyright (C) Andrew Tridgell 1992-1998
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
18 */
19
20 #include "includes.h"
21 #include "smbd/globals.h"
22
23 /* what user is current? */
24 extern struct current_user current_user;
25
26 /****************************************************************************
27 Become the guest user without changing the security context stack.
28 ****************************************************************************/
29
30 bool change_to_guest(void)
31 {
32 struct passwd *pass;
33
34 pass = getpwnam_alloc(talloc_autofree_context(), lp_guestaccount());
35 if (!pass) {
36 return false;
37 }
38
39 #ifdef AIX
40 /* MWW: From AIX FAQ patch to WU-ftpd: call initgroups before
41 setting IDs */
42 initgroups(pass->pw_name, pass->pw_gid);
43 #endif
44
45 set_sec_ctx(pass->pw_uid, pass->pw_gid, 0, NULL, NULL);
46
47 current_user.conn = NULL;
48 current_user.vuid = UID_FIELD_INVALID;
49
50 TALLOC_FREE(pass);
51
52 return true;
53 }
54
55 /****************************************************************************
56 talloc free the conn->server_info if not used in the vuid cache.
57 ****************************************************************************/
58
59 static void free_conn_server_info_if_unused(connection_struct *conn)
60 {
61 unsigned int i;
62
63 for (i = 0; i < VUID_CACHE_SIZE; i++) {
64 struct vuid_cache_entry *ent;
65 ent = &conn->vuid_cache.array[i];
66 if (ent->vuid != UID_FIELD_INVALID &&
67 conn->server_info == ent->server_info) {
68 return;
69 }
70 }
71 /* Not used, safe to free. */
72 TALLOC_FREE(conn->server_info);
73 }
74
75 /*******************************************************************
76 Check if a username is OK.
77
78 This sets up conn->server_info with a copy related to this vuser that
79 later code can then mess with.
80 ********************************************************************/
81
82 static bool check_user_ok(connection_struct *conn,
83 uint16_t vuid,
84 const struct auth_serversupplied_info *server_info,
85 int snum)
86 {
87 bool valid_vuid = (vuid != UID_FIELD_INVALID);
88 unsigned int i;
89 bool readonly_share;
90 bool admin_user;
91
92 if (valid_vuid) {
93 struct vuid_cache_entry *ent;
94
95 for (i=0; i<VUID_CACHE_SIZE; i++) {
96 ent = &conn->vuid_cache.array[i];
97 if (ent->vuid == vuid) {
98 free_conn_server_info_if_unused(conn);
99 conn->server_info = ent->server_info;
100 conn->read_only = ent->read_only;
101 return(True);
102 }
103 }
104 }
105
106 if (!user_ok_token(server_info->unix_name,
107 pdb_get_domain(server_info->sam_account),
108 server_info->ptok, snum))
109 return(False);
110
111 readonly_share = is_share_read_only_for_token(
112 server_info->unix_name,
113 pdb_get_domain(server_info->sam_account),
114 server_info->ptok,
115 conn);
116
117 if (!readonly_share &&
118 !share_access_check(server_info->ptok, lp_servicename(snum),
119 FILE_WRITE_DATA)) {
120 /* smb.conf allows r/w, but the security descriptor denies
121 * write. Fall back to looking at readonly. */
122 readonly_share = True;
123 DEBUG(5,("falling back to read-only access-evaluation due to "
124 "security descriptor\n"));
125 }
126
127 if (!share_access_check(server_info->ptok, lp_servicename(snum),
128 readonly_share ?
129 FILE_READ_DATA : FILE_WRITE_DATA)) {
130 return False;
131 }
132
133 admin_user = token_contains_name_in_list(
134 server_info->unix_name,
135 pdb_get_domain(server_info->sam_account),
136 NULL, server_info->ptok, lp_admin_users(snum));
137
138 if (valid_vuid) {
139 struct vuid_cache_entry *ent =
140 &conn->vuid_cache.array[conn->vuid_cache.next_entry];
141
142 conn->vuid_cache.next_entry =
143 (conn->vuid_cache.next_entry + 1) % VUID_CACHE_SIZE;
144
145 TALLOC_FREE(ent->server_info);
146
147 /*
148 * If force_user was set, all server_info's are based on the same
149 * username-based faked one.
150 */
151
152 ent->server_info = copy_serverinfo(
153 conn, conn->force_user ? conn->server_info : server_info);
154
155 if (ent->server_info == NULL) {
156 ent->vuid = UID_FIELD_INVALID;
157 return false;
158 }
159
160 ent->vuid = vuid;
161 ent->read_only = readonly_share;
162 free_conn_server_info_if_unused(conn);
163 conn->server_info = ent->server_info;
164 }
165
166 conn->read_only = readonly_share;
167 if (admin_user) {
168 DEBUG(2,("check_user_ok: user %s is an admin user. "
169 "Setting uid as %d\n",
170 conn->server_info->unix_name,
171 sec_initial_uid() ));
172 conn->server_info->utok.uid = sec_initial_uid();
173 }
174
175 return(True);
176 }
177
178 /****************************************************************************
179 Clear a vuid out of the connection's vuid cache
180 This is only called on SMBulogoff.
181 ****************************************************************************/
182
183 void conn_clear_vuid_cache(connection_struct *conn, uint16_t vuid)
184 {
185 int i;
186
187 for (i=0; i<VUID_CACHE_SIZE; i++) {
188 struct vuid_cache_entry *ent;
189
190 ent = &conn->vuid_cache.array[i];
191
192 if (ent->vuid == vuid) {
193 ent->vuid = UID_FIELD_INVALID;
194 /*
195 * We need to keep conn->server_info around
196 * if it's equal to ent->server_info as a SMBulogoff
197 * is often followed by a SMBtdis (with an invalid
198 * vuid). The debug code (or regular code in
199 * vfs_full_audit) wants to refer to the
200 * conn->server_info pointer to print debug
201 * statements. Theoretically this is a bug,
202 * as once the vuid is gone the server_info
203 * on the conn struct isn't valid any more,
204 * but there's enough code that assumes
205 * conn->server_info is never null that
206 * it's easier to hold onto the old pointer
207 * until we get a new sessionsetupX.
208 * As everything is hung off the
209 * conn pointer as a talloc context we're not
210 * leaking memory here. See bug #6315. JRA.
211 */
212 if (conn->server_info == ent->server_info) {
213 ent->server_info = NULL;
214 } else {
215 TALLOC_FREE(ent->server_info);
216 }
217 ent->read_only = False;
218 }
219 }
220 }
221
222 /****************************************************************************
223 Become the user of a connection number without changing the security context
224 stack, but modify the current_user entries.
225 ****************************************************************************/
226
227 bool change_to_user(connection_struct *conn, uint16 vuid)
228 {
229 const struct auth_serversupplied_info *server_info = NULL;
230 struct smbd_server_connection *sconn = smbd_server_conn;
231 user_struct *vuser = get_valid_user_struct(sconn, vuid);
232 int snum;
233 gid_t gid;
234 uid_t uid;
235 char group_c;
236 int num_groups = 0;
237 gid_t *group_list = NULL;
238
239 if (!conn) {
240 DEBUG(2,("change_to_user: Connection not open\n"));
241 return(False);
242 }
243
244 /*
245 * We need a separate check in security=share mode due to vuid
246 * always being UID_FIELD_INVALID. If we don't do this then
247 * in share mode security we are *always* changing uid's between
248 * SMB's - this hurts performance - Badly.
249 */
250
251 if((lp_security() == SEC_SHARE) && (current_user.conn == conn) &&
252 (current_user.ut.uid == conn->server_info->utok.uid)) {
253 DEBUG(4,("change_to_user: Skipping user change - already "
254 "user\n"));
255 return(True);
256 } else if ((current_user.conn == conn) &&
257 (vuser != NULL) && (current_user.vuid == vuid) &&
258 (current_user.ut.uid == vuser->server_info->utok.uid)) {
259 DEBUG(4,("change_to_user: Skipping user change - already "
260 "user\n"));
261 return(True);
262 }
263
264 snum = SNUM(conn);
265
266 server_info = vuser ? vuser->server_info : conn->server_info;
267
268 if (!server_info) {
269 /* Invalid vuid sent - even with security = share. */
270 DEBUG(2,("change_to_user: Invalid vuid %d used on "
271 "share %s.\n",vuid, lp_servicename(snum) ));
272 return false;
273 }
274
275 if (!check_user_ok(conn, vuid, server_info, snum)) {
276 DEBUG(2,("change_to_user: SMB user %s (unix user %s, vuid %d) "
277 "not permitted access to share %s.\n",
278 server_info->sanitized_username,
279 server_info->unix_name, vuid,
280 lp_servicename(snum)));
281 return false;
282 }
283
284 /* security = share sets force_user. */
285 if (!conn->force_user && !vuser) {
286 DEBUG(2,("change_to_user: Invalid vuid used %d in accessing "
287 "share %s.\n",vuid, lp_servicename(snum) ));
288 return False;
289 }
290
291 /*
292 * conn->server_info is now correctly set up with a copy we can mess
293 * with for force_group etc.
294 */
295
296 uid = conn->server_info->utok.uid;
297 gid = conn->server_info->utok.gid;
298 num_groups = conn->server_info->utok.ngroups;
299 group_list = conn->server_info->utok.groups;
300
301 /*
302 * See if we should force group for this service.
303 * If so this overrides any group set in the force
304 * user code.
305 */
306
307 if((group_c = *lp_force_group(snum))) {
308
309 SMB_ASSERT(conn->force_group_gid != (gid_t)-1);
310
311 if(group_c == '+') {
312
313 /*
314 * Only force group if the user is a member of
315 * the service group. Check the group memberships for
316 * this user (we already have this) to
317 * see if we should force the group.
318 */
319
320 int i;
321 for (i = 0; i < num_groups; i++) {
322 if (group_list[i]
323 == conn->force_group_gid) {
324 conn->server_info->utok.gid =
325 conn->force_group_gid;
326 gid = conn->force_group_gid;
327 gid_to_sid(&conn->server_info->ptok
328 ->user_sids[1], gid);
329 break;
330 }
331 }
332 } else {
333 conn->server_info->utok.gid = conn->force_group_gid;
334 gid = conn->force_group_gid;
335 gid_to_sid(&conn->server_info->ptok->user_sids[1],
336 gid);
337 }
338 }
339
340 /* Now set current_user since we will immediately also call
341 set_sec_ctx() */
342
343 current_user.ut.ngroups = num_groups;
344 current_user.ut.groups = group_list;
345
346 set_sec_ctx(uid, gid, current_user.ut.ngroups, current_user.ut.groups,
347 conn->server_info->ptok);
348
349 current_user.conn = conn;
350 current_user.vuid = vuid;
351
352 DEBUG(5,("change_to_user uid=(%d,%d) gid=(%d,%d)\n",
353 (int)getuid(),(int)geteuid(),(int)getgid(),(int)getegid()));
354
355 return(True);
356 }
357
358 /****************************************************************************
359 Go back to being root without changing the security context stack,
360 but modify the current_user entries.
361 ****************************************************************************/
362
363 bool change_to_root_user(void)
364 {
365 set_root_sec_ctx();
366
367 DEBUG(5,("change_to_root_user: now uid=(%d,%d) gid=(%d,%d)\n",
368 (int)getuid(),(int)geteuid(),(int)getgid(),(int)getegid()));
369
370 current_user.conn = NULL;
371 current_user.vuid = UID_FIELD_INVALID;
372
373 return(True);
374 }
375
376 /****************************************************************************
377 Become the user of an authenticated connected named pipe.
378 When this is called we are currently running as the connection
379 user. Doesn't modify current_user.
380 ****************************************************************************/
381
382 bool become_authenticated_pipe_user(pipes_struct *p)
383 {
384 if (!push_sec_ctx())
385 return False;
386
387 set_sec_ctx(p->server_info->utok.uid, p->server_info->utok.gid,
388 p->server_info->utok.ngroups, p->server_info->utok.groups,
389 p->server_info->ptok);
390
391 return True;
392 }
393
394 /****************************************************************************
395 Unbecome the user of an authenticated connected named pipe.
396 When this is called we are running as the authenticated pipe
397 user and need to go back to being the connection user. Doesn't modify
398 current_user.
399 ****************************************************************************/
400
401 bool unbecome_authenticated_pipe_user(void)
402 {
403 return pop_sec_ctx();
404 }
405
406 /****************************************************************************
407 Utility functions used by become_xxx/unbecome_xxx.
408 ****************************************************************************/
409
410 static void push_conn_ctx(void)
411 {
412 struct conn_ctx *ctx_p;
413
414 /* Check we don't overflow our stack */
415
416 if (conn_ctx_stack_ndx == MAX_SEC_CTX_DEPTH) {
417 DEBUG(0, ("Connection context stack overflow!\n"));
418 smb_panic("Connection context stack overflow!\n");
419 }
420
421 /* Store previous user context */
422 ctx_p = &conn_ctx_stack[conn_ctx_stack_ndx];
423
424 ctx_p->conn = current_user.conn;
425 ctx_p->vuid = current_user.vuid;
426
427 DEBUG(3, ("push_conn_ctx(%u) : conn_ctx_stack_ndx = %d\n",
428 (unsigned int)ctx_p->vuid, conn_ctx_stack_ndx ));
429
430 conn_ctx_stack_ndx++;
431 }
432
433 static void pop_conn_ctx(void)
434 {
435 struct conn_ctx *ctx_p;
436
437 /* Check for stack underflow. */
438
439 if (conn_ctx_stack_ndx == 0) {
440 DEBUG(0, ("Connection context stack underflow!\n"));
441 smb_panic("Connection context stack underflow!\n");
442 }
443
444 conn_ctx_stack_ndx--;
445 ctx_p = &conn_ctx_stack[conn_ctx_stack_ndx];
446
447 current_user.conn = ctx_p->conn;
448 current_user.vuid = ctx_p->vuid;
449
450 ctx_p->conn = NULL;
451 ctx_p->vuid = UID_FIELD_INVALID;
452 }
453
454 /****************************************************************************
455 Temporarily become a root user. Must match with unbecome_root(). Saves and
456 restores the connection context.
457 ****************************************************************************/
458
459 void become_root(void)
460 {
461 /*
462 * no good way to handle push_sec_ctx() failing without changing
463 * the prototype of become_root()
464 */
465 if (!push_sec_ctx()) {
466 smb_panic("become_root: push_sec_ctx failed");
467 }
468 push_conn_ctx();
469 set_root_sec_ctx();
470 }
471
472 /* Unbecome the root user */
473
474 void unbecome_root(void)
475 {
476 pop_sec_ctx();
477 pop_conn_ctx();
478 }
479
480 /****************************************************************************
481 Push the current security context then force a change via change_to_user().
482 Saves and restores the connection context.
483 ****************************************************************************/
484
485 bool become_user(connection_struct *conn, uint16 vuid)
486 {
487 if (!push_sec_ctx())
488 return False;
489
490 push_conn_ctx();
491
492 if (!change_to_user(conn, vuid)) {
493 pop_sec_ctx();
494 pop_conn_ctx();
495 return False;
496 }
497
498 return True;
499 }
500
501 bool unbecome_user(void)
502 {
503 pop_sec_ctx();
504 pop_conn_ctx();
505 return True;
506 }
507
508 /****************************************************************************
509 Return the current user we are running effectively as on this connection.
510 I'd like to make this return conn->server_info->utok.uid, but become_root()
511 doesn't alter this value.
512 ****************************************************************************/
513
514 uid_t get_current_uid(connection_struct *conn)
515 {
516 return current_user.ut.uid;
517 }
518
519 /****************************************************************************
520 Return the current group we are running effectively as on this connection.
521 I'd like to make this return conn->server_info->utok.gid, but become_root()
522 doesn't alter this value.
523 ****************************************************************************/
524
525 gid_t get_current_gid(connection_struct *conn)
526 {
527 return current_user.ut.gid;
528 }
529
530 /****************************************************************************
531 Return the UNIX token we are running effectively as on this connection.
532 I'd like to make this return &conn->server_info->utok, but become_root()
533 doesn't alter this value.
534 ****************************************************************************/
535
536 const UNIX_USER_TOKEN *get_current_utok(connection_struct *conn)
537 {
538 return &current_user.ut;
539 }
540
541 const NT_USER_TOKEN *get_current_nttok(connection_struct *conn)
542 {
543 return current_user.nt_user_token;
544 }
545
546 uint16_t get_current_vuid(connection_struct *conn)
547 {
548 return current_user.vuid;
549 }
Eduardo's samba4 branches