source3/smbd/uid.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3    uid/user handling
   4    Copyright (C) Andrew Tridgell 1992-1998
   5
   6    This program is free software; you can redistribute it and/or modify
   7    it under the terms of the GNU General Public License as published by
   8    the Free Software Foundation; either version 3 of the License, or
   9    (at your option) any later version.
  10
  11    This program is distributed in the hope that it will be useful,
  12    but WITHOUT ANY WARRANTY; without even the implied warranty of
  13    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14    GNU General Public License for more details.
  15
  16    You should have received a copy of the GNU General Public License
  17    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  18 */
  19
  20 #include "includes.h"
  21
  22 /* what user is current? */
  23 extern struct current_user current_user;
  24
  25 /****************************************************************************
  26  Iterator functions for getting all gid's from current_user.
  27 ****************************************************************************/
  28
  29 gid_t get_current_user_gid_first(int *piterator)
  30 {
  31         *piterator = 0;
  32         return current_user.ut.gid;
  33 }
  34
  35 gid_t get_current_user_gid_next(int *piterator)
  36 {
  37         gid_t ret;
  38
  39         if (!current_user.ut.groups || *piterator >= current_user.ut.ngroups) {
  40                 return (gid_t)-1;
  41         }
  42
  43         ret = current_user.ut.groups[*piterator];
  44         (*piterator) += 1;
  45         return ret;
  46 }
  47
  48 /****************************************************************************
  49  Become the guest user without changing the security context stack.
  50 ****************************************************************************/
  51
  52 bool change_to_guest(void)
  53 {
  54         static struct passwd *pass=NULL;
  55
  56         if (!pass) {
  57                 /* Don't need to free() this as its stored in a static */
  58                 pass = getpwnam_alloc(NULL, lp_guestaccount());
  59                 if (!pass)
  60                         return(False);
  61         }
  62
  63 #ifdef AIX
  64         /* MWW: From AIX FAQ patch to WU-ftpd: call initgroups before
  65            setting IDs */
  66         initgroups(pass->pw_name, pass->pw_gid);
  67 #endif
  68
  69         set_sec_ctx(pass->pw_uid, pass->pw_gid, 0, NULL, NULL);
  70
  71         current_user.conn = NULL;
  72         current_user.vuid = UID_FIELD_INVALID;
  73
  74         TALLOC_FREE(pass);
  75         pass = NULL;
  76
  77         return True;
  78 }
  79
  80 /*******************************************************************
  81  Check if a username is OK.
  82 ********************************************************************/
  83
  84 static bool check_user_ok(connection_struct *conn, user_struct *vuser,int snum)
  85 {
  86         unsigned int i;
  87         struct vuid_cache_entry *ent = NULL;
  88         bool readonly_share;
  89         NT_USER_TOKEN *token;
  90
  91         for (i=0;i<conn->vuid_cache.entries && i< VUID_CACHE_SIZE;i++) {
  92                 if (conn->vuid_cache.array[i].vuid == vuser->vuid) {
  93                         ent = &conn->vuid_cache.array[i];
  94                         conn->read_only = ent->read_only;
  95                         conn->admin_user = ent->admin_user;
  96                         return(True);
  97                 }
  98         }
  99
 100         if (!user_ok_token(vuser->user.unix_name, vuser->server_info->ptok,
 101                            snum))
 102                 return(False);
 103
 104         readonly_share = is_share_read_only_for_token(
 105                 vuser->user.unix_name, vuser->server_info->ptok, SNUM(conn));
 106
 107         token = conn->nt_user_token ?
 108                 conn->nt_user_token : vuser->server_info->ptok;
 109
 110         if (!readonly_share &&
 111             !share_access_check(token, lp_servicename(snum),
 112                                 FILE_WRITE_DATA)) {
 113                 /* smb.conf allows r/w, but the security descriptor denies
 114                  * write. Fall back to looking at readonly. */
 115                 readonly_share = True;
 116                 DEBUG(5,("falling back to read-only access-evaluation due to "
 117                          "security descriptor\n"));
 118         }
 119
 120         if (!share_access_check(token, lp_servicename(snum),
 121                                 readonly_share ?
 122                                 FILE_READ_DATA : FILE_WRITE_DATA)) {
 123                 return False;
 124         }
 125
 126         i = conn->vuid_cache.entries % VUID_CACHE_SIZE;
 127         if (conn->vuid_cache.entries < VUID_CACHE_SIZE)
 128                 conn->vuid_cache.entries++;
 129
 130         ent = &conn->vuid_cache.array[i];
 131         ent->vuid = vuser->vuid;
 132         ent->read_only = readonly_share;
 133
 134         ent->admin_user = token_contains_name_in_list(
 135                 vuser->user.unix_name, NULL, vuser->server_info->ptok,
 136                 lp_admin_users(SNUM(conn)));
 137
 138         conn->read_only = ent->read_only;
 139         conn->admin_user = ent->admin_user;
 140
 141         return(True);
 142 }
 143
 144 /****************************************************************************
 145  Become the user of a connection number without changing the security context
 146  stack, but modify the current_user entries.
 147 ****************************************************************************/
 148
 149 bool change_to_user(connection_struct *conn, uint16 vuid)
 150 {
 151         user_struct *vuser = get_valid_user_struct(vuid);
 152         int snum;
 153         gid_t gid;
 154         uid_t uid;
 155         char group_c;
 156         bool must_free_token = False;
 157         NT_USER_TOKEN *token = NULL;
 158         int num_groups = 0;
 159         gid_t *group_list = NULL;
 160
 161         if (!conn) {
 162                 DEBUG(2,("change_to_user: Connection not open\n"));
 163                 return(False);
 164         }
 165
 166         /*
 167          * We need a separate check in security=share mode due to vuid
 168          * always being UID_FIELD_INVALID. If we don't do this then
 169          * in share mode security we are *always* changing uid's between
 170          * SMB's - this hurts performance - Badly.
 171          */
 172
 173         if((lp_security() == SEC_SHARE) && (current_user.conn == conn) &&
 174            (current_user.ut.uid == conn->uid)) {
 175                 DEBUG(4,("change_to_user: Skipping user change - already "
 176                          "user\n"));
 177                 return(True);
 178         } else if ((current_user.conn == conn) &&
 179                    (vuser != 0) && (current_user.vuid == vuid) &&
 180                    (current_user.ut.uid == vuser->uid)) {
 181                 DEBUG(4,("change_to_user: Skipping user change - already "
 182                          "user\n"));
 183                 return(True);
 184         }
 185
 186         snum = SNUM(conn);
 187
 188         if ((vuser) && !check_user_ok(conn, vuser, snum)) {
 189                 DEBUG(2,("change_to_user: SMB user %s (unix user %s, vuid %d) "
 190                          "not permitted access to share %s.\n",
 191                          vuser->user.smb_name, vuser->user.unix_name, vuid,
 192                          lp_servicename(snum)));
 193                 return False;
 194         }
 195
 196         if (conn->force_user) /* security = share sets this too */ {
 197                 uid = conn->uid;
 198                 gid = conn->gid;
 199                 group_list = conn->groups;
 200                 num_groups = conn->ngroups;
 201                 token = conn->nt_user_token;
 202         } else if (vuser) {
 203                 uid = conn->admin_user ? 0 : vuser->uid;
 204                 gid = vuser->gid;
 205                 num_groups = vuser->n_groups;
 206                 group_list  = vuser->groups;
 207                 token = vuser->server_info->ptok;
 208         } else {
 209                 DEBUG(2,("change_to_user: Invalid vuid used %d in accessing "
 210                          "share %s.\n",vuid, lp_servicename(snum) ));
 211                 return False;
 212         }
 213
 214         /*
 215          * See if we should force group for this service.
 216          * If so this overrides any group set in the force
 217          * user code.
 218          */
 219
 220         if((group_c = *lp_force_group(snum))) {
 221
 222                 token = dup_nt_token(NULL, token);
 223                 if (token == NULL) {
 224                         DEBUG(0, ("dup_nt_token failed\n"));
 225                         return False;
 226                 }
 227                 must_free_token = True;
 228
 229                 if(group_c == '+') {
 230
 231                         /*
 232                          * Only force group if the user is a member of
 233                          * the service group. Check the group memberships for
 234                          * this user (we already have this) to
 235                          * see if we should force the group.
 236                          */
 237
 238                         int i;
 239                         for (i = 0; i < num_groups; i++) {
 240                                 if (group_list[i] == conn->gid) {
 241                                         gid = conn->gid;
 242                                         gid_to_sid(&token->user_sids[1], gid);
 243                                         break;
 244                                 }
 245                         }
 246                 } else {
 247                         gid = conn->gid;
 248                         gid_to_sid(&token->user_sids[1], gid);
 249                 }
 250         }
 251
 252         /* Now set current_user since we will immediately also call
 253            set_sec_ctx() */
 254
 255         current_user.ut.ngroups = num_groups;
 256         current_user.ut.groups  = group_list;
 257
 258         set_sec_ctx(uid, gid, current_user.ut.ngroups, current_user.ut.groups,
 259                     token);
 260
 261         /*
 262          * Free the new token (as set_sec_ctx copies it).
 263          */
 264
 265         if (must_free_token)
 266                 TALLOC_FREE(token);
 267
 268         current_user.conn = conn;
 269         current_user.vuid = vuid;
 270
 271         DEBUG(5,("change_to_user uid=(%d,%d) gid=(%d,%d)\n",
 272                  (int)getuid(),(int)geteuid(),(int)getgid(),(int)getegid()));
 273
 274         return(True);
 275 }
 276
 277 /****************************************************************************
 278  Go back to being root without changing the security context stack,
 279  but modify the current_user entries.
 280 ****************************************************************************/
 281
 282 bool change_to_root_user(void)
 283 {
 284         set_root_sec_ctx();
 285
 286         DEBUG(5,("change_to_root_user: now uid=(%d,%d) gid=(%d,%d)\n",
 287                 (int)getuid(),(int)geteuid(),(int)getgid(),(int)getegid()));
 288
 289         current_user.conn = NULL;
 290         current_user.vuid = UID_FIELD_INVALID;
 291
 292         return(True);
 293 }
 294
 295 /****************************************************************************
 296  Become the user of an authenticated connected named pipe.
 297  When this is called we are currently running as the connection
 298  user. Doesn't modify current_user.
 299 ****************************************************************************/
 300
 301 bool become_authenticated_pipe_user(pipes_struct *p)
 302 {
 303         if (!push_sec_ctx())
 304                 return False;
 305
 306         set_sec_ctx(p->pipe_user.ut.uid, p->pipe_user.ut.gid,
 307                     p->pipe_user.ut.ngroups, p->pipe_user.ut.groups,
 308                     p->pipe_user.nt_user_token);
 309
 310         return True;
 311 }
 312
 313 /****************************************************************************
 314  Unbecome the user of an authenticated connected named pipe.
 315  When this is called we are running as the authenticated pipe
 316  user and need to go back to being the connection user. Doesn't modify
 317  current_user.
 318 ****************************************************************************/
 319
 320 bool unbecome_authenticated_pipe_user(void)
 321 {
 322         return pop_sec_ctx();
 323 }
 324
 325 /****************************************************************************
 326  Utility functions used by become_xxx/unbecome_xxx.
 327 ****************************************************************************/
 328
 329 struct conn_ctx {
 330         connection_struct *conn;
 331         uint16 vuid;
 332 };
 333
 334 /* A stack of current_user connection contexts. */
 335
 336 static struct conn_ctx conn_ctx_stack[MAX_SEC_CTX_DEPTH];
 337 static int conn_ctx_stack_ndx;
 338
 339 static void push_conn_ctx(void)
 340 {
 341         struct conn_ctx *ctx_p;
 342
 343         /* Check we don't overflow our stack */
 344
 345         if (conn_ctx_stack_ndx == MAX_SEC_CTX_DEPTH) {
 346                 DEBUG(0, ("Connection context stack overflow!\n"));
 347                 smb_panic("Connection context stack overflow!\n");
 348         }
 349
 350         /* Store previous user context */
 351         ctx_p = &conn_ctx_stack[conn_ctx_stack_ndx];
 352
 353         ctx_p->conn = current_user.conn;
 354         ctx_p->vuid = current_user.vuid;
 355
 356         DEBUG(3, ("push_conn_ctx(%u) : conn_ctx_stack_ndx = %d\n",
 357                 (unsigned int)ctx_p->vuid, conn_ctx_stack_ndx ));
 358
 359         conn_ctx_stack_ndx++;
 360 }
 361
 362 static void pop_conn_ctx(void)
 363 {
 364         struct conn_ctx *ctx_p;
 365
 366         /* Check for stack underflow. */
 367
 368         if (conn_ctx_stack_ndx == 0) {
 369                 DEBUG(0, ("Connection context stack underflow!\n"));
 370                 smb_panic("Connection context stack underflow!\n");
 371         }
 372
 373         conn_ctx_stack_ndx--;
 374         ctx_p = &conn_ctx_stack[conn_ctx_stack_ndx];
 375
 376         current_user.conn = ctx_p->conn;
 377         current_user.vuid = ctx_p->vuid;
 378
 379         ctx_p->conn = NULL;
 380         ctx_p->vuid = UID_FIELD_INVALID;
 381 }
 382
 383 /****************************************************************************
 384  Temporarily become a root user.  Must match with unbecome_root(). Saves and
 385  restores the connection context.
 386 ****************************************************************************/
 387
 388 void become_root(void)
 389 {
 390          /*
 391           * no good way to handle push_sec_ctx() failing without changing
 392           * the prototype of become_root()
 393           */
 394         if (!push_sec_ctx()) {
 395                 smb_panic("become_root: push_sec_ctx failed");
 396         }
 397         push_conn_ctx();
 398         set_root_sec_ctx();
 399 }
 400
 401 /* Unbecome the root user */
 402
 403 void unbecome_root(void)
 404 {
 405         pop_sec_ctx();
 406         pop_conn_ctx();
 407 }
 408
 409 /****************************************************************************
 410  Push the current security context then force a change via change_to_user().
 411  Saves and restores the connection context.
 412 ****************************************************************************/
 413
 414 bool become_user(connection_struct *conn, uint16 vuid)
 415 {
 416         if (!push_sec_ctx())
 417                 return False;
 418
 419         push_conn_ctx();
 420
 421         if (!change_to_user(conn, vuid)) {
 422                 pop_sec_ctx();
 423                 pop_conn_ctx();
 424                 return False;
 425         }
 426
 427         return True;
 428 }
 429
 430 bool unbecome_user(void)
 431 {
 432         pop_sec_ctx();
 433         pop_conn_ctx();
 434         return True;
 435 }