2 Unix SMB/CIFS implementation.
3 Check access based on valid users, read list and friends
4 Copyright (C) Volker Lendecke 2005
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program; if not, write to the Free Software
18 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
24 * No prefix means direct username
25 * @name means netgroup first, then unix group
26 * &name means netgroup
27 * +name means unix group
28 * + and & may be combined
31 static BOOL
do_group_checks(const char **name
, const char **pattern
)
33 if ((*name
)[0] == '@') {
39 if (((*name
)[0] == '+') && ((*name
)[1] == '&')) {
45 if ((*name
)[0] == '+') {
51 if (((*name
)[0] == '&') && ((*name
)[1] == '+')) {
57 if ((*name
)[0] == '&') {
66 static BOOL
token_contains_name(TALLOC_CTX
*mem_ctx
,
68 const char *sharename
,
69 const struct nt_user_token
*token
,
74 enum SID_NAME_USE type
;
76 if (username
!= NULL
) {
77 name
= talloc_sub_basic(mem_ctx
, username
, name
);
79 if (sharename
!= NULL
) {
80 name
= talloc_string_sub(mem_ctx
, name
, "%S", sharename
);
84 /* This is too security sensitive, better panic than return a
85 * result that might be interpreted in a wrong way. */
86 smb_panic("substitutions failed\n");
89 /* check to see is we already have a SID */
91 if ( string_to_sid( &sid
, name
) ) {
92 DEBUG(5,("token_contains_name: Checking for SID [%s] in token\n", name
));
93 return nt_token_check_sid( &sid
, token
);
96 if (!do_group_checks(&name
, &prefix
)) {
97 if (!lookup_name(mem_ctx
, name
, LOOKUP_NAME_ALL
,
98 NULL
, NULL
, &sid
, &type
)) {
99 DEBUG(5, ("lookup_name %s failed\n", name
));
102 if (type
!= SID_NAME_USER
) {
103 DEBUG(5, ("%s is a %s, expected a user\n",
104 name
, sid_type_lookup(type
)));
107 return nt_token_check_sid(&sid
, token
);
110 for (/* initialized above */ ; *prefix
!= '\0'; prefix
++) {
111 if (*prefix
== '+') {
112 if (!lookup_name(mem_ctx
, name
,
113 LOOKUP_NAME_ALL
|LOOKUP_NAME_GROUP
,
114 NULL
, NULL
, &sid
, &type
)) {
115 DEBUG(5, ("lookup_name %s failed\n", name
));
118 if ((type
!= SID_NAME_DOM_GRP
) &&
119 (type
!= SID_NAME_ALIAS
) &&
120 (type
!= SID_NAME_WKN_GRP
)) {
121 DEBUG(5, ("%s is a %s, expected a group\n",
122 name
, sid_type_lookup(type
)));
125 if (nt_token_check_sid(&sid
, token
)) {
130 if (*prefix
== '&') {
131 if (user_in_netgroup(username
, name
)) {
136 smb_panic("got invalid prefix from do_groups_check\n");
142 * Check whether a user is contained in the list provided.
144 * Please note that the user name and share names passed in here mainly for
145 * the substitution routines that expand the parameter values, the decision
146 * whether a user is in the list is done after a lookup_name on the expanded
147 * parameter value, solely based on comparing the SIDs in token.
149 * The other use is the netgroup check when using @group or &group.
152 BOOL
token_contains_name_in_list(const char *username
,
153 const char *sharename
,
154 const struct nt_user_token
*token
,
163 if ( (mem_ctx
= talloc_new(NULL
)) == NULL
) {
164 smb_panic("talloc_new failed\n");
167 while (*list
!= NULL
) {
168 if (token_contains_name(mem_ctx
, username
, sharename
,token
, *list
)) {
169 TALLOC_FREE(mem_ctx
);
175 TALLOC_FREE(mem_ctx
);
180 * Check whether the user described by "token" has access to share snum.
182 * This looks at "invalid users", "valid users" and "only user/username"
184 * Please note that the user name and share names passed in here mainly for
185 * the substitution routines that expand the parameter values, the decision
186 * whether a user is in the list is done after a lookup_name on the expanded
187 * parameter value, solely based on comparing the SIDs in token.
189 * The other use is the netgroup check when using @group or &group.
192 BOOL
user_ok_token(const char *username
, struct nt_user_token
*token
, int snum
)
194 if (lp_invalid_users(snum
) != NULL
) {
195 if (token_contains_name_in_list(username
, lp_servicename(snum
),
197 lp_invalid_users(snum
))) {
198 DEBUG(10, ("User %s in 'invalid users'\n", username
));
203 if (lp_valid_users(snum
) != NULL
) {
204 if (!token_contains_name_in_list(username
,
205 lp_servicename(snum
), token
,
206 lp_valid_users(snum
))) {
207 DEBUG(10, ("User %s no in 'valid users'\n", username
));
212 if (lp_onlyuser(snum
)) {
214 list
[0] = lp_username(snum
);
216 if (!token_contains_name_in_list(NULL
, lp_servicename(snum
),
218 DEBUG(10, ("%s != 'username'\n", username
));
223 DEBUG(10, ("user_ok_token: share %s is ok for unix user %s\n",
224 lp_servicename(snum
), username
));
230 * Check whether the user described by "token" is restricted to read-only
231 * access on share snum.
233 * This looks at "invalid users", "valid users" and "only user/username"
235 * Please note that the user name and share names passed in here mainly for
236 * the substitution routines that expand the parameter values, the decision
237 * whether a user is in the list is done after a lookup_name on the expanded
238 * parameter value, solely based on comparing the SIDs in token.
240 * The other use is the netgroup check when using @group or &group.
243 BOOL
is_share_read_only_for_token(const char *username
,
244 struct nt_user_token
*token
, int snum
)
246 BOOL result
= lp_readonly(snum
);
248 if (lp_readlist(snum
) != NULL
) {
249 if (token_contains_name_in_list(username
,
250 lp_servicename(snum
), token
,
251 lp_readlist(snum
))) {
256 if (lp_writelist(snum
) != NULL
) {
257 if (token_contains_name_in_list(username
,
258 lp_servicename(snum
), token
,
259 lp_writelist(snum
))) {
264 DEBUG(10,("is_share_read_only_for_user: share %s is %s for unix user "
265 "%s\n", lp_servicename(snum
),
266 result
? "read-only" : "read-write", username
));