waf: support --without-ad-dc for Heimdal (embedded and system) as well
[Samba/vl.git] / source3 / smbd / uid.c
blob27d7d1a413b8bd5f5bde8bc862a7cc2582e78af1
1 /*
2 Unix SMB/CIFS implementation.
3 uid/user handling
4 Copyright (C) Andrew Tridgell 1992-1998
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 #include "includes.h"
21 #include "system/passwd.h"
22 #include "smbd/smbd.h"
23 #include "smbd/globals.h"
24 #include "../librpc/gen_ndr/netlogon.h"
25 #include "libcli/security/security.h"
26 #include "passdb/lookup_sid.h"
27 #include "auth.h"
29 /* what user is current? */
30 extern struct current_user current_user;
32 /****************************************************************************
33 Become the guest user without changing the security context stack.
34 ****************************************************************************/
36 bool change_to_guest(void)
38 struct passwd *pass;
40 pass = Get_Pwnam_alloc(talloc_tos(), lp_guestaccount());
41 if (!pass) {
42 return false;
45 #ifdef AIX
46 /* MWW: From AIX FAQ patch to WU-ftpd: call initgroups before
47 setting IDs */
48 initgroups(pass->pw_name, pass->pw_gid);
49 #endif
51 set_sec_ctx(pass->pw_uid, pass->pw_gid, 0, NULL, NULL);
53 current_user.conn = NULL;
54 current_user.vuid = UID_FIELD_INVALID;
56 TALLOC_FREE(pass);
58 return true;
61 /****************************************************************************
62 talloc free the conn->session_info if not used in the vuid cache.
63 ****************************************************************************/
65 static void free_conn_session_info_if_unused(connection_struct *conn)
67 unsigned int i;
69 for (i = 0; i < VUID_CACHE_SIZE; i++) {
70 struct vuid_cache_entry *ent;
71 ent = &conn->vuid_cache.array[i];
72 if (ent->vuid != UID_FIELD_INVALID &&
73 conn->session_info == ent->session_info) {
74 return;
77 /* Not used, safe to free. */
78 TALLOC_FREE(conn->session_info);
81 /*******************************************************************
82 Check if a username is OK.
84 This sets up conn->session_info with a copy related to this vuser that
85 later code can then mess with.
86 ********************************************************************/
88 static bool check_user_ok(connection_struct *conn,
89 uint64_t vuid,
90 const struct auth_session_info *session_info,
91 int snum)
93 bool valid_vuid = (vuid != UID_FIELD_INVALID);
94 unsigned int i;
95 bool readonly_share;
96 bool admin_user;
98 if (valid_vuid) {
99 struct vuid_cache_entry *ent;
101 for (i=0; i<VUID_CACHE_SIZE; i++) {
102 ent = &conn->vuid_cache.array[i];
103 if (ent->vuid == vuid) {
104 free_conn_session_info_if_unused(conn);
105 conn->session_info = ent->session_info;
106 conn->read_only = ent->read_only;
107 return(True);
112 if (!user_ok_token(session_info->unix_info->unix_name,
113 session_info->info->domain_name,
114 session_info->security_token, snum))
115 return(False);
117 readonly_share = is_share_read_only_for_token(
118 session_info->unix_info->unix_name,
119 session_info->info->domain_name,
120 session_info->security_token,
121 conn);
123 if (!readonly_share &&
124 !share_access_check(session_info->security_token,
125 lp_servicename(snum), FILE_WRITE_DATA,
126 NULL)) {
127 /* smb.conf allows r/w, but the security descriptor denies
128 * write. Fall back to looking at readonly. */
129 readonly_share = True;
130 DEBUG(5,("falling back to read-only access-evaluation due to "
131 "security descriptor\n"));
134 if (!share_access_check(session_info->security_token,
135 lp_servicename(snum),
136 readonly_share ?
137 FILE_READ_DATA : FILE_WRITE_DATA,
138 NULL)) {
139 return False;
142 admin_user = token_contains_name_in_list(
143 session_info->unix_info->unix_name,
144 session_info->info->domain_name,
145 NULL, session_info->security_token, lp_admin_users(snum));
147 if (valid_vuid) {
148 struct vuid_cache_entry *ent =
149 &conn->vuid_cache.array[conn->vuid_cache.next_entry];
151 conn->vuid_cache.next_entry =
152 (conn->vuid_cache.next_entry + 1) % VUID_CACHE_SIZE;
154 TALLOC_FREE(ent->session_info);
157 * If force_user was set, all session_info's are based on the same
158 * username-based faked one.
161 ent->session_info = copy_session_info(
162 conn, conn->force_user ? conn->session_info : session_info);
164 if (ent->session_info == NULL) {
165 ent->vuid = UID_FIELD_INVALID;
166 return false;
169 ent->vuid = vuid;
170 ent->read_only = readonly_share;
171 free_conn_session_info_if_unused(conn);
172 conn->session_info = ent->session_info;
175 conn->read_only = readonly_share;
176 if (admin_user) {
177 DEBUG(2,("check_user_ok: user %s is an admin user. "
178 "Setting uid as %d\n",
179 conn->session_info->unix_info->unix_name,
180 sec_initial_uid() ));
181 conn->session_info->unix_token->uid = sec_initial_uid();
184 return(True);
187 /****************************************************************************
188 Become the user of a connection number without changing the security context
189 stack, but modify the current_user entries.
190 ****************************************************************************/
192 static bool change_to_user_internal(connection_struct *conn,
193 const struct auth_session_info *session_info,
194 uint64_t vuid)
196 int snum;
197 gid_t gid;
198 uid_t uid;
199 char group_c;
200 int num_groups = 0;
201 gid_t *group_list = NULL;
202 bool ok;
204 snum = SNUM(conn);
206 ok = check_user_ok(conn, vuid, session_info, snum);
207 if (!ok) {
208 DEBUG(2,("SMB user %s (unix user %s) "
209 "not permitted access to share %s.\n",
210 session_info->unix_info->sanitized_username,
211 session_info->unix_info->unix_name,
212 lp_servicename(snum)));
213 return false;
216 uid = conn->session_info->unix_token->uid;
217 gid = conn->session_info->unix_token->gid;
218 num_groups = conn->session_info->unix_token->ngroups;
219 group_list = conn->session_info->unix_token->groups;
222 * See if we should force group for this service. If so this overrides
223 * any group set in the force user code.
225 if((group_c = *lp_force_group(snum))) {
227 SMB_ASSERT(conn->force_group_gid != (gid_t)-1);
229 if (group_c == '+') {
230 int i;
233 * Only force group if the user is a member of the
234 * service group. Check the group memberships for this
235 * user (we already have this) to see if we should force
236 * the group.
238 for (i = 0; i < num_groups; i++) {
239 if (group_list[i] == conn->force_group_gid) {
240 conn->session_info->unix_token->gid =
241 conn->force_group_gid;
242 gid = conn->force_group_gid;
243 gid_to_sid(&conn->session_info->security_token
244 ->sids[1], gid);
245 break;
248 } else {
249 conn->session_info->unix_token->gid = conn->force_group_gid;
250 gid = conn->force_group_gid;
251 gid_to_sid(&conn->session_info->security_token->sids[1],
252 gid);
256 /*Set current_user since we will immediately also call set_sec_ctx() */
257 current_user.ut.ngroups = num_groups;
258 current_user.ut.groups = group_list;
260 set_sec_ctx(uid,
261 gid,
262 current_user.ut.ngroups,
263 current_user.ut.groups,
264 conn->session_info->security_token);
266 current_user.conn = conn;
267 current_user.vuid = vuid;
269 DEBUG(5, ("Impersonated user: uid=(%d,%d), gid=(%d,%d)\n",
270 (int)getuid(),
271 (int)geteuid(),
272 (int)getgid(),
273 (int)getegid()));
275 return true;
278 bool change_to_user(connection_struct *conn, uint64_t vuid)
280 const struct auth_session_info *session_info = NULL;
281 struct user_struct *vuser;
282 int snum = SNUM(conn);
284 if (!conn) {
285 DEBUG(2,("Connection not open\n"));
286 return(False);
289 vuser = get_valid_user_struct(conn->sconn, vuid);
291 if ((current_user.conn == conn) &&
292 (vuser != NULL) && (current_user.vuid == vuid) &&
293 (current_user.ut.uid == vuser->session_info->unix_token->uid)) {
294 DEBUG(4,("Skipping user change - already "
295 "user\n"));
296 return(True);
299 if (vuser == NULL) {
300 /* Invalid vuid sent */
301 DEBUG(2,("Invalid vuid %llu used on share %s.\n",
302 (unsigned long long)vuid, lp_servicename(snum)));
303 return false;
306 session_info = vuser->session_info;
308 if (!conn->force_user && vuser == NULL) {
309 DEBUG(2,("Invalid vuid used %llu in accessing share %s.\n",
310 (unsigned long long)vuid, lp_servicename(snum)));
311 return False;
314 return change_to_user_internal(conn, session_info, vuid);
317 static bool change_to_user_by_session(connection_struct *conn,
318 const struct auth_session_info *session_info)
320 SMB_ASSERT(conn != NULL);
321 SMB_ASSERT(session_info != NULL);
323 if ((current_user.conn == conn) &&
324 (current_user.ut.uid == session_info->unix_token->uid)) {
325 DEBUG(7, ("Skipping user change - already user\n"));
327 return true;
330 return change_to_user_internal(conn, session_info, UID_FIELD_INVALID);
333 /****************************************************************************
334 Go back to being root without changing the security context stack,
335 but modify the current_user entries.
336 ****************************************************************************/
338 bool smbd_change_to_root_user(void)
340 set_root_sec_ctx();
342 DEBUG(5,("change_to_root_user: now uid=(%d,%d) gid=(%d,%d)\n",
343 (int)getuid(),(int)geteuid(),(int)getgid(),(int)getegid()));
345 current_user.conn = NULL;
346 current_user.vuid = UID_FIELD_INVALID;
348 return(True);
351 /****************************************************************************
352 Become the user of an authenticated connected named pipe.
353 When this is called we are currently running as the connection
354 user. Doesn't modify current_user.
355 ****************************************************************************/
357 bool become_authenticated_pipe_user(struct auth_session_info *session_info)
359 if (!push_sec_ctx())
360 return False;
362 set_sec_ctx(session_info->unix_token->uid, session_info->unix_token->gid,
363 session_info->unix_token->ngroups, session_info->unix_token->groups,
364 session_info->security_token);
366 return True;
369 /****************************************************************************
370 Unbecome the user of an authenticated connected named pipe.
371 When this is called we are running as the authenticated pipe
372 user and need to go back to being the connection user. Doesn't modify
373 current_user.
374 ****************************************************************************/
376 bool unbecome_authenticated_pipe_user(void)
378 return pop_sec_ctx();
381 /****************************************************************************
382 Utility functions used by become_xxx/unbecome_xxx.
383 ****************************************************************************/
385 static void push_conn_ctx(void)
387 struct conn_ctx *ctx_p;
389 /* Check we don't overflow our stack */
391 if (conn_ctx_stack_ndx == MAX_SEC_CTX_DEPTH) {
392 DEBUG(0, ("Connection context stack overflow!\n"));
393 smb_panic("Connection context stack overflow!\n");
396 /* Store previous user context */
397 ctx_p = &conn_ctx_stack[conn_ctx_stack_ndx];
399 ctx_p->conn = current_user.conn;
400 ctx_p->vuid = current_user.vuid;
402 DEBUG(4, ("push_conn_ctx(%llu) : conn_ctx_stack_ndx = %d\n",
403 (unsigned long long)ctx_p->vuid, conn_ctx_stack_ndx));
405 conn_ctx_stack_ndx++;
408 static void pop_conn_ctx(void)
410 struct conn_ctx *ctx_p;
412 /* Check for stack underflow. */
414 if (conn_ctx_stack_ndx == 0) {
415 DEBUG(0, ("Connection context stack underflow!\n"));
416 smb_panic("Connection context stack underflow!\n");
419 conn_ctx_stack_ndx--;
420 ctx_p = &conn_ctx_stack[conn_ctx_stack_ndx];
422 current_user.conn = ctx_p->conn;
423 current_user.vuid = ctx_p->vuid;
425 ctx_p->conn = NULL;
426 ctx_p->vuid = UID_FIELD_INVALID;
429 /****************************************************************************
430 Temporarily become a root user. Must match with unbecome_root(). Saves and
431 restores the connection context.
432 ****************************************************************************/
434 void smbd_become_root(void)
437 * no good way to handle push_sec_ctx() failing without changing
438 * the prototype of become_root()
440 if (!push_sec_ctx()) {
441 smb_panic("become_root: push_sec_ctx failed");
443 push_conn_ctx();
444 set_root_sec_ctx();
447 /* Unbecome the root user */
449 void smbd_unbecome_root(void)
451 pop_sec_ctx();
452 pop_conn_ctx();
455 /****************************************************************************
456 Push the current security context then force a change via change_to_user().
457 Saves and restores the connection context.
458 ****************************************************************************/
460 bool become_user(connection_struct *conn, uint64_t vuid)
462 if (!push_sec_ctx())
463 return False;
465 push_conn_ctx();
467 if (!change_to_user(conn, vuid)) {
468 pop_sec_ctx();
469 pop_conn_ctx();
470 return False;
473 return True;
476 bool become_user_by_session(connection_struct *conn,
477 const struct auth_session_info *session_info)
479 if (!push_sec_ctx())
480 return false;
482 push_conn_ctx();
484 if (!change_to_user_by_session(conn, session_info)) {
485 pop_sec_ctx();
486 pop_conn_ctx();
487 return false;
490 return true;
493 bool unbecome_user(void)
495 pop_sec_ctx();
496 pop_conn_ctx();
497 return True;
500 /****************************************************************************
501 Return the current user we are running effectively as on this connection.
502 I'd like to make this return conn->session_info->unix_token->uid, but become_root()
503 doesn't alter this value.
504 ****************************************************************************/
506 uid_t get_current_uid(connection_struct *conn)
508 return current_user.ut.uid;
511 /****************************************************************************
512 Return the current group we are running effectively as on this connection.
513 I'd like to make this return conn->session_info->unix_token->gid, but become_root()
514 doesn't alter this value.
515 ****************************************************************************/
517 gid_t get_current_gid(connection_struct *conn)
519 return current_user.ut.gid;
522 /****************************************************************************
523 Return the UNIX token we are running effectively as on this connection.
524 I'd like to make this return &conn->session_info->unix_token-> but become_root()
525 doesn't alter this value.
526 ****************************************************************************/
528 const struct security_unix_token *get_current_utok(connection_struct *conn)
530 return &current_user.ut;
533 const struct security_token *get_current_nttok(connection_struct *conn)
535 return current_user.nt_user_token;
538 uint64_t get_current_vuid(connection_struct *conn)
540 return current_user.vuid;