search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
If we have blacklisted mmap() try to avoid using it accidentally by
[Samba/gebeck_regimport.git] / source / lib / username.c
blob6321d4702127b402cd1d8af5c5bfdf6c50e689a6
1 /*
2 Unix SMB/CIFS implementation.
3 Username handling
4 Copyright (C) Andrew Tridgell 1992-1998
5 Copyright (C) Jeremy Allison 1997-2001.
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 2 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with this program; if not, write to the Free Software
19 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
20 */
21
22 #include "includes.h"
23
24 /* internal functions */
25 static struct passwd *uname_string_combinations(char *s, struct passwd * (*fn) (const char *), int N);
26 static struct passwd *uname_string_combinations2(char *s, int offset, struct passwd * (*fn) (const char *), int N);
27
28 /*****************************************************************
29 Check if a user or group name is local (this is a *local* name for
30 *local* people, there's nothing for you here...).
31 *****************************************************************/
32
33 static BOOL name_is_local(const char *name)
34 {
35 return !(strchr_m(name, *lp_winbind_separator()));
36 }
37
38 /*****************************************************************
39 Splits passed user or group name to domain and user/group name parts
40 Returns True if name was splitted and False otherwise.
41 *****************************************************************/
42
43 BOOL split_domain_and_name(const char *name, char *domain, char* username)
44 {
45 char *p = strchr(name,*lp_winbind_separator());
46
47
48 /* Parse a string of the form DOMAIN/user into a domain and a user */
49 DEBUG(10,("split_domain_and_name: checking whether name |%s| local or not\n", name));
50
51 if (p) {
52 fstrcpy(username, p+1);
53 fstrcpy(domain, name);
54 domain[PTR_DIFF(p, name)] = 0;
55 } else if (lp_winbind_use_default_domain()) {
56 fstrcpy(username, name);
57 fstrcpy(domain, lp_workgroup());
58 } else {
59 return False;
60 }
61
62 DEBUG(10,("split_domain_and_name: all is fine, domain is |%s| and name is |%s|\n", domain, username));
63 return True;
64 }
65
66 /****************************************************************************
67 Get a users home directory.
68 ****************************************************************************/
69
70 char *get_user_home_dir(const char *user)
71 {
72 static struct passwd *pass;
73
74 /* Ensure the user exists. */
75
76 pass = Get_Pwnam(user);
77
78 if (!pass)
79 return(NULL);
80 /* Return home directory from struct passwd. */
81
82 return(pass->pw_dir);
83 }
84
85 /*******************************************************************
86 Map a username from a dos name to a unix name by looking in the username
87 map. Note that this modifies the name in place.
88 This is the main function that should be called *once* on
89 any incoming or new username - in order to canonicalize the name.
90 This is being done to de-couple the case conversions from the user mapping
91 function. Previously, the map_username was being called
92 every time Get_Pwnam was called.
93 Returns True if username was changed, false otherwise.
94 ********************************************************************/
95
96 BOOL map_username(char *user)
97 {
98 static BOOL initialised=False;
99 static fstring last_from,last_to;
100 XFILE *f;
101 char *mapfile = lp_username_map();
102 char *s;
103 pstring buf;
104 BOOL mapped_user = False;
105
106 if (!*user)
107 return False;
108
109 if (!*mapfile)
110 return False;
111
112 if (!initialised) {
113 *last_from = *last_to = 0;
114 initialised = True;
115 }
116
117 if (strequal(user,last_to))
118 return False;
119
120 if (strequal(user,last_from)) {
121 DEBUG(3,("Mapped user %s to %s\n",user,last_to));
122 fstrcpy(user,last_to);
123 return True;
124 }
125
126 f = x_fopen(mapfile,O_RDONLY, 0);
127 if (!f) {
128 DEBUG(0,("can't open username map %s. Error %s\n",mapfile, strerror(errno) ));
129 return False;
130 }
131
132 DEBUG(4,("Scanning username map %s\n",mapfile));
133
134 while((s=fgets_slash(buf,sizeof(buf),f))!=NULL) {
135 char *unixname = s;
136 char *dosname = strchr_m(unixname,'=');
137 char **dosuserlist;
138 BOOL return_if_mapped = False;
139
140 if (!dosname)
141 continue;
142
143 *dosname++ = 0;
144
145 while (isspace((int)*unixname))
146 unixname++;
147
148 if ('!' == *unixname) {
149 return_if_mapped = True;
150 unixname++;
151 while (*unixname && isspace((int)*unixname))
152 unixname++;
153 }
154
155 if (!*unixname || strchr_m("#;",*unixname))
156 continue;
157
158 {
159 int l = strlen(unixname);
160 while (l && isspace((int)unixname[l-1])) {
161 unixname[l-1] = 0;
162 l--;
163 }
164 }
165
166 dosuserlist = str_list_make(dosname, NULL);
167 if (!dosuserlist) {
168 DEBUG(0,("Unable to build user list\n"));
169 return False;
170 }
171
172 if (strchr_m(dosname,'*') || user_in_list(user, (const char **)dosuserlist, NULL, 0)) {
173 DEBUG(3,("Mapped user %s to %s\n",user,unixname));
174 mapped_user = True;
175 fstrcpy(last_from,user);
176 sscanf(unixname,"%s",user);
177 fstrcpy(last_to,user);
178 if(return_if_mapped) {
179 str_list_free (&dosuserlist);
180 x_fclose(f);
181 return True;
182 }
183 }
184
185 str_list_free (&dosuserlist);
186 }
187
188 x_fclose(f);
189
190 /*
191 * Setup the last_from and last_to as an optimization so
192 * that we don't scan the file again for the same user.
193 */
194 fstrcpy(last_from,user);
195 fstrcpy(last_to,user);
196
197 return mapped_user;
198 }
199
200 /****************************************************************************
201 * A wrapper for sys_getpwnam(). The following variations are tried:
202 * - as transmitted
203 * - in all lower case if this differs from transmitted
204 * - in all upper case if this differs from transmitted
205 * - using lp_usernamelevel() for permutations.
206 ****************************************************************************/
207
208 static struct passwd *Get_Pwnam_ret = NULL;
209
210 static struct passwd *Get_Pwnam_internals(const char *user, char *user2)
211 {
212 struct passwd *ret = NULL;
213
214 if (!user2 || !(*user2))
215 return(NULL);
216
217 if (!user || !(*user))
218 return(NULL);
219
220 /* Try in all lower case first as this is the most
221 common case on UNIX systems */
222 strlower_m(user2);
223 DEBUG(5,("Trying _Get_Pwnam(), username as lowercase is %s\n",user2));
224 ret = getpwnam_alloc(user2);
225 if(ret)
226 goto done;
227
228 /* Try as given, if username wasn't originally lowercase */
229 if(strcmp(user, user2) != 0) {
230 DEBUG(5,("Trying _Get_Pwnam(), username as given is %s\n", user));
231 ret = getpwnam_alloc(user);
232 if(ret)
233 goto done;
234 }
235
236 /* Try as uppercase, if username wasn't originally uppercase */
237 strupper_m(user2);
238 if(strcmp(user, user2) != 0) {
239 DEBUG(5,("Trying _Get_Pwnam(), username as uppercase is %s\n", user2));
240 ret = getpwnam_alloc(user2);
241 if(ret)
242 goto done;
243 }
244
245 /* Try all combinations up to usernamelevel */
246 strlower_m(user2);
247 DEBUG(5,("Checking combinations of %d uppercase letters in %s\n", lp_usernamelevel(), user2));
248 ret = uname_string_combinations(user2, getpwnam_alloc, lp_usernamelevel());
249
250 done:
251 DEBUG(5,("Get_Pwnam_internals %s find user [%s]!\n",ret ? "did":"didn't", user));
252
253 /* This call used to just return the 'passwd' static buffer.
254 This could then have accidental reuse implications, so
255 we now malloc a copy, and free it in the next use.
256
257 This should cause the (ab)user to segfault if it
258 uses an old struct.
259
260 This is better than useing the wrong data in security
261 critical operations.
262
263 The real fix is to make the callers free the returned
264 malloc'ed data.
265 */
266
267 if (Get_Pwnam_ret) {
268 passwd_free(&Get_Pwnam_ret);
269 }
270
271 Get_Pwnam_ret = ret;
272
273 return ret;
274 }
275
276 /****************************************************************************
277 Get_Pwnam wrapper without modification.
278 NOTE: This with NOT modify 'user'!
279 ****************************************************************************/
280
281 struct passwd *Get_Pwnam(const char *user)
282 {
283 fstring user2;
284 struct passwd *ret;
285
286 fstrcpy(user2, user);
287
288 DEBUG(5,("Finding user %s\n", user));
289
290 ret = Get_Pwnam_internals(user, user2);
291
292 return ret;
293 }
294
295 /****************************************************************************
296 Check if a user is in a netgroup user list.
297 ****************************************************************************/
298
299 static BOOL user_in_netgroup_list(const char *user, const char *ngname)
300 {
301 #ifdef HAVE_NETGROUP
302 static char *mydomain = NULL;
303 if (mydomain == NULL)
304 yp_get_default_domain(&mydomain);
305
306 if(mydomain == NULL) {
307 DEBUG(5,("Unable to get default yp domain\n"));
308 return False;
309 }
310
311 DEBUG(5,("looking for user %s of domain %s in netgroup %s\n",
312 user, mydomain, ngname));
313 DEBUG(5,("innetgr is %s\n", innetgr(ngname, NULL, user, mydomain)
314 ? "TRUE" : "FALSE"));
315
316 if (innetgr(ngname, NULL, user, mydomain))
317 return (True);
318 #endif /* HAVE_NETGROUP */
319 return False;
320 }
321
322 /****************************************************************************
323 Check if a user is in a winbind group.
324 ****************************************************************************/
325
326 static BOOL user_in_winbind_group_list(const char *user, const char *gname, BOOL *winbind_answered)
327 {
328 int i;
329 gid_t gid, gid_low, gid_high;
330 BOOL ret = False;
331 static gid_t *groups = NULL;
332 static int num_groups = 0;
333 static fstring last_user = "";
334
335 *winbind_answered = False;
336
337 if ((gid = nametogid(gname)) == (gid_t)-1) {
338 DEBUG(0,("user_in_winbind_group_list: nametogid for group %s failed.\n",
339 gname ));
340 goto err;
341 }
342
343 if (!lp_idmap_gid(&gid_low, &gid_high)) {
344 DEBUG(4, ("winbind gid range not configured, therefore %s cannot be a winbind group\n", gname));
345 goto err;
346 }
347
348 if (gid < gid_low || gid > gid_high) {
349 DEBUG(4, ("group %s is not a winbind group\n", gname));
350 goto err;
351 }
352
353 /* try to user the last user we looked up */
354 /* otherwise fall back to lookups */
355
356 if ( !strequal( last_user, user ) || !groups )
357 {
358 /* clear any cached information */
359
360 SAFE_FREE(groups);
361 fstrcpy( last_user, "" );
362
363 /*
364 * Get the gid's that this user belongs to.
365 */
366
367 if ((num_groups = winbind_getgroups(user, &groups)) == -1)
368 return False;
369
370 if ( num_groups == -1 )
371 return False;
372
373 if ( num_groups == 0 ) {
374 *winbind_answered = True;
375 return False;
376 }
377
378 /* save the last username */
379
380 fstrcpy( last_user, user );
381
382 }
383 else
384 DEBUG(10,("user_in_winbind_group_list: using cached user groups for [%s]\n", user));
385
386 if ( DEBUGLEVEL >= 10 ) {
387 DEBUG(10,("user_in_winbind_group_list: using groups -- "));
388 for ( i=0; i<num_groups; i++ )
389 DEBUGADD(10,("%lu ", (unsigned long)groups[i]));
390 DEBUGADD(10,("\n"));
391 }
392
393 /*
394 * Now we have the gid list for this user - convert the gname
395 * to a gid_t via either winbind or the local UNIX lookup and do the comparison.
396 */
397
398 for (i = 0; i < num_groups; i++) {
399 if (gid == groups[i]) {
400 ret = True;
401 break;
402 }
403 }
404
405 *winbind_answered = True;
406 SAFE_FREE(groups);
407 return ret;
408
409 err:
410
411 *winbind_answered = False;
412 SAFE_FREE(groups);
413 return False;
414 }
415
416 /****************************************************************************
417 Check if a user is in a UNIX group.
418 ****************************************************************************/
419
420 BOOL user_in_unix_group_list(const char *user,const char *gname)
421 {
422 struct passwd *pass = Get_Pwnam(user);
423 struct sys_userlist *user_list;
424 struct sys_userlist *member;
425
426 DEBUG(10,("user_in_unix_group_list: checking user %s in group %s\n", user, gname));
427
428 /*
429 * We need to check the users primary group as this
430 * group is implicit and often not listed in the group database.
431 */
432
433 if (pass) {
434 if (strequal(gname,gidtoname(pass->pw_gid))) {
435 DEBUG(10,("user_in_unix_group_list: group %s is primary group.\n", gname ));
436 return True;
437 }
438 }
439
440 user_list = get_users_in_group(gname);
441 if (user_list == NULL) {
442 DEBUG(10,("user_in_unix_group_list: no such group %s\n", gname ));
443 return False;
444 }
445
446 for (member = user_list; member; member = member->next) {
447 DEBUG(10,("user_in_unix_group_list: checking user %s against member %s\n",
448 user, member->unix_name ));
449 if (strequal(member->unix_name,user)) {
450 free_userlist(user_list);
451 return(True);
452 }
453 }
454
455 free_userlist(user_list);
456 return False;
457 }
458
459 /****************************************************************************
460 Check if a user is in a group list. Ask winbind first, then use UNIX.
461 ****************************************************************************/
462
463 BOOL user_in_group_list(const char *user, const char *gname, gid_t *groups, size_t n_groups)
464 {
465 BOOL winbind_answered = False;
466 BOOL ret;
467 gid_t gid;
468 unsigned i;
469
470 gid = nametogid(gname);
471 if (gid == (gid_t)-1)
472 return False;
473
474 if (groups && n_groups > 0) {
475 for (i=0; i < n_groups; i++) {
476 if (groups[i] == gid) {
477 return True;
478 }
479 }
480 return False;
481 }
482
483 /* fallback if we don't yet have the group list */
484
485 ret = user_in_winbind_group_list(user, gname, &winbind_answered);
486 if (!winbind_answered)
487 ret = user_in_unix_group_list(user, gname);
488
489 if (ret)
490 DEBUG(10,("user_in_group_list: user |%s| is in group |%s|\n", user, gname));
491 return ret;
492 }
493
494 /****************************************************************************
495 Check if a user is in a user list - can check combinations of UNIX
496 and netgroup lists.
497 ****************************************************************************/
498
499 BOOL user_in_list(const char *user,const char **list, gid_t *groups, size_t n_groups)
500 {
501 if (!list || !*list)
502 return False;
503
504 DEBUG(10,("user_in_list: checking user %s in list\n", user));
505
506 while (*list) {
507
508 DEBUG(10,("user_in_list: checking user |%s| against |%s|\n", user, *list));
509
510 /*
511 * Check raw username.
512 */
513 if (strequal(user, *list))
514 return(True);
515
516 /*
517 * Now check to see if any combination
518 * of UNIX and netgroups has been specified.
519 */
520
521 if(**list == '@') {
522 /*
523 * Old behaviour. Check netgroup list
524 * followed by UNIX list.
525 */
526 if(user_in_netgroup_list(user, *list +1))
527 return True;
528 if(user_in_group_list(user, *list +1, groups, n_groups))
529 return True;
530 } else if (**list == '+') {
531
532 if((*(*list +1)) == '&') {
533 /*
534 * Search UNIX list followed by netgroup.
535 */
536 if(user_in_group_list(user, *list +2, groups, n_groups))
537 return True;
538 if(user_in_netgroup_list(user, *list +2))
539 return True;
540
541 } else {
542
543 /*
544 * Just search UNIX list.
545 */
546
547 if(user_in_group_list(user, *list +1, groups, n_groups))
548 return True;
549 }
550
551 } else if (**list == '&') {
552
553 if(*(*list +1) == '+') {
554 /*
555 * Search netgroup list followed by UNIX list.
556 */
557 if(user_in_netgroup_list(user, *list +2))
558 return True;
559 if(user_in_group_list(user, *list +2, groups, n_groups))
560 return True;
561 } else {
562 /*
563 * Just search netgroup list.
564 */
565 if(user_in_netgroup_list(user, *list +1))
566 return True;
567 }
568 } else if (!name_is_local(*list)) {
569 /*
570 * If user name did not match and token is not
571 * a unix group and the token has a winbind separator in the
572 * name then see if it is a Windows group.
573 */
574
575 DOM_SID g_sid;
576 enum SID_NAME_USE name_type;
577 BOOL winbind_answered = False;
578 BOOL ret;
579 fstring groupname, domain;
580
581 /* Parse a string of the form DOMAIN/user into a domain and a user */
582
583 char *p = strchr(*list,*lp_winbind_separator());
584
585 DEBUG(10,("user_in_list: checking if user |%s| is in winbind group |%s|\n", user, *list));
586
587 if (p) {
588 fstrcpy(groupname, p+1);
589 fstrcpy(domain, *list);
590 domain[PTR_DIFF(p, *list)] = 0;
591
592 /* Check to see if name is a Windows group; Win2k native mode DCs
593 will return domain local groups; while NT4 or mixed mode 2k DCs
594 will not */
595
596 if ( winbind_lookup_name(domain, groupname, &g_sid, &name_type)
597 && ( name_type==SID_NAME_DOM_GRP ||
598 (strequal(lp_workgroup(), domain) && name_type==SID_NAME_ALIAS) ) )
599 {
600
601 /* Check if user name is in the Windows group */
602 ret = user_in_winbind_group_list(user, *list, &winbind_answered);
603
604 if (winbind_answered && ret == True) {
605 DEBUG(10,("user_in_list: user |%s| is in winbind group |%s|\n", user, *list));
606 return ret;
607 }
608 }
609 }
610 }
611
612 list++;
613 }
614 return(False);
615 }
616
617 /* The functions below have been taken from password.c and slightly modified */
618 /****************************************************************************
619 Apply a function to upper/lower case combinations
620 of a string and return true if one of them returns true.
621 Try all combinations with N uppercase letters.
622 offset is the first char to try and change (start with 0)
623 it assumes the string starts lowercased
624 ****************************************************************************/
625
626 static struct passwd *uname_string_combinations2(char *s,int offset,struct passwd *(*fn)(const char *),int N)
627 {
628 ssize_t len = (ssize_t)strlen(s);
629 int i;
630 struct passwd *ret;
631
632 if (N <= 0 || offset >= len)
633 return(fn(s));
634
635 for (i=offset;i<(len-(N-1));i++) {
636 char c = s[i];
637 if (!islower((int)c))
638 continue;
639 s[i] = toupper(c);
640 ret = uname_string_combinations2(s,i+1,fn,N-1);
641 if(ret)
642 return(ret);
643 s[i] = c;
644 }
645 return(NULL);
646 }
647
648 /****************************************************************************
649 Apply a function to upper/lower case combinations
650 of a string and return true if one of them returns true.
651 Try all combinations with up to N uppercase letters.
652 offset is the first char to try and change (start with 0)
653 it assumes the string starts lowercased
654 ****************************************************************************/
655
656 static struct passwd * uname_string_combinations(char *s,struct passwd * (*fn)(const char *),int N)
657 {
658 int n;
659 struct passwd *ret;
660
661 for (n=1;n<=N;n++) {
662 ret = uname_string_combinations2(s,0,fn,n);
663 if(ret)
664 return(ret);
665 }
666 return(NULL);
667 }
668
reg import