2 Unix SMB/CIFS implementation.
4 Copyright (C) Andrew Tridgell 1992-1998
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 #include "system/passwd.h"
22 #include "smbd/smbd.h"
23 #include "smbd/globals.h"
24 #include "source3/smbd/smbXsrv_session.h"
25 #include "../librpc/gen_ndr/netlogon.h"
26 #include "libcli/security/security.h"
27 #include "passdb/lookup_sid.h"
29 #include "../auth/auth_util.h"
30 #include "source3/lib/substitute.h"
32 /* what user is current? */
33 extern struct current_user current_user
;
35 /****************************************************************************
36 Become the guest user without changing the security context stack.
37 ****************************************************************************/
39 bool change_to_guest(void)
43 pass
= Get_Pwnam_alloc(talloc_tos(), lp_guest_account());
49 /* MWW: From AIX FAQ patch to WU-ftpd: call initgroups before
51 initgroups(pass
->pw_name
, pass
->pw_gid
);
54 set_sec_ctx(pass
->pw_uid
, pass
->pw_gid
, 0, NULL
, NULL
);
56 current_user
.conn
= NULL
;
57 current_user
.vuid
= UID_FIELD_INVALID
;
64 /****************************************************************************
65 talloc free the conn->session_info if not used in the vuid cache.
66 ****************************************************************************/
68 static void free_conn_session_info_if_unused(connection_struct
*conn
)
72 for (i
= 0; i
< VUID_CACHE_SIZE
; i
++) {
73 struct vuid_cache_entry
*ent
;
74 ent
= &conn
->vuid_cache
->array
[i
];
75 if (ent
->vuid
!= UID_FIELD_INVALID
&&
76 conn
->session_info
== ent
->session_info
) {
80 /* Not used, safe to free. */
81 TALLOC_FREE(conn
->session_info
);
84 /****************************************************************************
85 Setup the share access mask for a connection.
86 ****************************************************************************/
88 static uint32_t create_share_access_mask(int snum
,
90 const struct security_token
*token
)
92 uint32_t share_access
= 0;
94 share_access_check(token
,
95 lp_const_servicename(snum
),
96 MAXIMUM_ALLOWED_ACCESS
,
101 ~(SEC_FILE_WRITE_DATA
| SEC_FILE_APPEND_DATA
|
102 SEC_FILE_WRITE_EA
| SEC_FILE_WRITE_ATTRIBUTE
|
103 SEC_DIR_DELETE_CHILD
);
106 if (security_token_has_privilege(token
, SEC_PRIV_SECURITY
)) {
107 share_access
|= SEC_FLAG_SYSTEM_SECURITY
;
109 if (security_token_has_privilege(token
, SEC_PRIV_RESTORE
)) {
110 share_access
|= SEC_RIGHTS_PRIV_RESTORE
;
112 if (security_token_has_privilege(token
, SEC_PRIV_BACKUP
)) {
113 share_access
|= SEC_RIGHTS_PRIV_BACKUP
;
115 if (security_token_has_privilege(token
, SEC_PRIV_TAKE_OWNERSHIP
)) {
116 share_access
|= SEC_STD_WRITE_OWNER
;
122 /*******************************************************************
123 Calculate access mask and if this user can access this share.
124 ********************************************************************/
126 NTSTATUS
check_user_share_access(connection_struct
*conn
,
127 const struct auth_session_info
*session_info
,
128 uint32_t *p_share_access
,
129 bool *p_readonly_share
)
131 int snum
= SNUM(conn
);
132 uint32_t share_access
= 0;
133 bool readonly_share
= false;
135 if (!user_ok_token(session_info
->unix_info
->unix_name
,
136 session_info
->info
->domain_name
,
137 session_info
->security_token
, snum
)) {
138 return NT_STATUS_ACCESS_DENIED
;
141 readonly_share
= is_share_read_only_for_token(
142 session_info
->unix_info
->unix_name
,
143 session_info
->info
->domain_name
,
144 session_info
->security_token
,
147 share_access
= create_share_access_mask(snum
,
149 session_info
->security_token
);
151 if ((share_access
& (FILE_READ_DATA
|FILE_WRITE_DATA
)) == 0) {
152 /* No access, read or write. */
153 DBG_NOTICE("user %s connection to %s denied due to share "
154 "security descriptor.\n",
155 session_info
->unix_info
->unix_name
,
156 lp_const_servicename(snum
));
157 return NT_STATUS_ACCESS_DENIED
;
160 if (!readonly_share
&&
161 !(share_access
& FILE_WRITE_DATA
)) {
162 /* smb.conf allows r/w, but the security descriptor denies
163 * write. Fall back to looking at readonly. */
164 readonly_share
= true;
165 DBG_INFO("falling back to read-only access-evaluation due to "
166 "security descriptor\n");
169 *p_share_access
= share_access
;
170 *p_readonly_share
= readonly_share
;
175 /*******************************************************************
176 Check if a username is OK.
178 This sets up conn->session_info with a copy related to this vuser that
179 later code can then mess with.
180 ********************************************************************/
182 static bool check_user_ok(connection_struct
*conn
,
184 const struct auth_session_info
*session_info
,
188 bool readonly_share
= false;
189 bool admin_user
= false;
190 struct vuid_cache_entry
*ent
= NULL
;
191 uint32_t share_access
= 0;
194 for (i
=0; i
<VUID_CACHE_SIZE
; i
++) {
195 ent
= &conn
->vuid_cache
->array
[i
];
196 if (ent
->vuid
== vuid
) {
197 if (vuid
== UID_FIELD_INVALID
) {
199 * Slow path, we don't care
200 * about the array traversal.
204 free_conn_session_info_if_unused(conn
);
205 conn
->session_info
= ent
->session_info
;
206 conn
->read_only
= ent
->read_only
;
207 conn
->share_access
= ent
->share_access
;
208 conn
->vuid
= ent
->vuid
;
213 status
= check_user_share_access(conn
,
217 if (!NT_STATUS_IS_OK(status
)) {
221 admin_user
= token_contains_name_in_list(
222 session_info
->unix_info
->unix_name
,
223 session_info
->info
->domain_name
,
224 NULL
, session_info
->security_token
, lp_admin_users(snum
));
226 ent
= &conn
->vuid_cache
->array
[conn
->vuid_cache
->next_entry
];
228 conn
->vuid_cache
->next_entry
=
229 (conn
->vuid_cache
->next_entry
+ 1) % VUID_CACHE_SIZE
;
231 TALLOC_FREE(ent
->session_info
);
234 * If force_user was set, all session_info's are based on the same
235 * username-based faked one.
238 ent
->session_info
= copy_session_info(
239 conn
, conn
->force_user
? conn
->session_info
: session_info
);
241 if (ent
->session_info
== NULL
) {
242 ent
->vuid
= UID_FIELD_INVALID
;
247 DEBUG(2,("check_user_ok: user %s is an admin user. "
248 "Setting uid as %d\n",
249 ent
->session_info
->unix_info
->unix_name
,
250 sec_initial_uid() ));
251 ent
->session_info
->unix_token
->uid
= sec_initial_uid();
255 * It's actually OK to call check_user_ok() with
256 * vuid == UID_FIELD_INVALID as called from become_user_by_session().
257 * All this will do is throw away one entry in the cache.
261 ent
->read_only
= readonly_share
;
262 ent
->share_access
= share_access
;
263 free_conn_session_info_if_unused(conn
);
264 conn
->session_info
= ent
->session_info
;
265 conn
->vuid
= ent
->vuid
;
266 if (vuid
== UID_FIELD_INVALID
) {
268 * Not strictly needed, just make it really
269 * clear this entry is actually an unused one.
271 ent
->read_only
= false;
272 ent
->share_access
= 0;
273 ent
->session_info
= NULL
;
276 conn
->read_only
= readonly_share
;
277 conn
->share_access
= share_access
;
282 static void print_impersonation_info(connection_struct
*conn
)
284 struct smb_filename
*cwdfname
= NULL
;
286 if (!CHECK_DEBUGLVL(DBGLVL_INFO
)) {
290 cwdfname
= vfs_GetWd(talloc_tos(), conn
);
291 if (cwdfname
== NULL
) {
295 DBG_INFO("Impersonated user: uid=(%d,%d), gid=(%d,%d), cwd=[%s]\n",
300 cwdfname
->base_name
);
301 TALLOC_FREE(cwdfname
);
304 /****************************************************************************
305 Become the user of a connection number without changing the security context
306 stack, but modify the current_user entries.
307 ****************************************************************************/
309 static bool change_to_user_impersonate(connection_struct
*conn
,
310 const struct auth_session_info
*session_info
,
313 const struct loadparm_substitution
*lp_sub
=
314 loadparm_s3_global_substitution();
318 const char *force_group_name
;
321 gid_t
*group_list
= NULL
;
324 if ((current_user
.conn
== conn
) &&
325 (current_user
.vuid
== vuid
) &&
326 (current_user
.ut
.uid
== session_info
->unix_token
->uid
))
328 DBG_INFO("Skipping user change - already user\n");
332 set_current_user_info(session_info
->unix_info
->sanitized_username
,
333 session_info
->unix_info
->unix_name
,
334 session_info
->info
->domain_name
);
338 ok
= check_user_ok(conn
, vuid
, session_info
, snum
);
340 DBG_WARNING("SMB user %s (unix user %s) "
341 "not permitted access to share %s.\n",
342 session_info
->unix_info
->sanitized_username
,
343 session_info
->unix_info
->unix_name
,
344 lp_const_servicename(snum
));
348 uid
= conn
->session_info
->unix_token
->uid
;
349 gid
= conn
->session_info
->unix_token
->gid
;
350 num_groups
= conn
->session_info
->unix_token
->ngroups
;
351 group_list
= conn
->session_info
->unix_token
->groups
;
354 * See if we should force group for this service. If so this overrides
355 * any group set in the force user code.
357 force_group_name
= lp_force_group(talloc_tos(), lp_sub
, snum
);
358 group_c
= *force_group_name
;
360 if ((group_c
!= '\0') && (conn
->force_group_gid
== (gid_t
)-1)) {
362 * This can happen if "force group" is added to a
363 * share definition whilst an existing connection
364 * to that share exists. In that case, don't change
365 * the existing credentials for force group, only
366 * do so for new connections.
368 * BUG: https://bugzilla.samba.org/show_bug.cgi?id=13690
370 DBG_INFO("Not forcing group %s on existing connection to "
371 "share %s for SMB user %s (unix user %s)\n",
373 lp_const_servicename(snum
),
374 session_info
->unix_info
->sanitized_username
,
375 session_info
->unix_info
->unix_name
);
378 if((group_c
!= '\0') && (conn
->force_group_gid
!= (gid_t
)-1)) {
380 * Only force group for connections where
381 * conn->force_group_gid has already been set
382 * to the correct value (i.e. the connection
383 * happened after the 'force group' definition
384 * was added to the share definition. Connections
385 * that were made before force group was added
386 * should stay with their existing credentials.
388 * BUG: https://bugzilla.samba.org/show_bug.cgi?id=13690
391 if (group_c
== '+') {
395 * Only force group if the user is a member of the
396 * service group. Check the group memberships for this
397 * user (we already have this) to see if we should force
400 for (i
= 0; i
< num_groups
; i
++) {
401 if (group_list
[i
] == conn
->force_group_gid
) {
402 conn
->session_info
->unix_token
->gid
=
403 conn
->force_group_gid
;
404 gid
= conn
->force_group_gid
;
405 gid_to_sid(&conn
->session_info
->security_token
411 conn
->session_info
->unix_token
->gid
= conn
->force_group_gid
;
412 gid
= conn
->force_group_gid
;
413 gid_to_sid(&conn
->session_info
->security_token
->sids
[1],
422 conn
->session_info
->security_token
);
424 current_user
.conn
= conn
;
425 current_user
.vuid
= vuid
;
430 * Impersonate user and change directory to service
432 * change_to_user_and_service() is used to impersonate the user associated with
433 * the given vuid and to change the working directory of the process to the
434 * service base directory.
436 bool change_to_user_and_service(connection_struct
*conn
, uint64_t vuid
)
438 int snum
= SNUM(conn
);
439 struct auth_session_info
*si
= NULL
;
444 DBG_WARNING("Connection not open\n");
448 status
= smbXsrv_session_info_lookup(conn
->sconn
->client
,
451 if (!NT_STATUS_IS_OK(status
)) {
452 DBG_WARNING("Invalid vuid %llu used on share %s.\n",
453 (unsigned long long)vuid
,
454 lp_const_servicename(snum
));
458 ok
= change_to_user_impersonate(conn
, si
, vuid
);
463 if (conn
->tcon_done
) {
464 ok
= chdir_current_service(conn
);
470 print_impersonation_info(conn
);
475 * Impersonate user and change directory to service
477 * change_to_user_and_service_by_fsp() is used to impersonate the user
478 * associated with the given vuid and to change the working directory of the
479 * process to the service base directory.
481 bool change_to_user_and_service_by_fsp(struct files_struct
*fsp
)
483 return change_to_user_and_service(fsp
->conn
, fsp
->vuid
);
486 /****************************************************************************
487 Go back to being root without changing the security context stack,
488 but modify the current_user entries.
489 ****************************************************************************/
491 bool smbd_change_to_root_user(void)
495 DEBUG(5,("change_to_root_user: now uid=(%d,%d) gid=(%d,%d)\n",
496 (int)getuid(),(int)geteuid(),(int)getgid(),(int)getegid()));
498 current_user
.conn
= NULL
;
499 current_user
.vuid
= UID_FIELD_INVALID
;
504 /****************************************************************************
505 Become the user of an authenticated connected named pipe.
506 When this is called we are currently running as the connection
507 user. Doesn't modify current_user.
508 ****************************************************************************/
510 bool smbd_become_authenticated_pipe_user(struct auth_session_info
*session_info
)
515 set_current_user_info(session_info
->unix_info
->sanitized_username
,
516 session_info
->unix_info
->unix_name
,
517 session_info
->info
->domain_name
);
519 set_sec_ctx(session_info
->unix_token
->uid
, session_info
->unix_token
->gid
,
520 session_info
->unix_token
->ngroups
, session_info
->unix_token
->groups
,
521 session_info
->security_token
);
523 DEBUG(5, ("Impersonated user: uid=(%d,%d), gid=(%d,%d)\n",
532 /****************************************************************************
533 Unbecome the user of an authenticated connected named pipe.
534 When this is called we are running as the authenticated pipe
535 user and need to go back to being the connection user. Doesn't modify
537 ****************************************************************************/
539 bool smbd_unbecome_authenticated_pipe_user(void)
541 return pop_sec_ctx();
544 /****************************************************************************
545 Utility functions used by become_xxx/unbecome_xxx.
546 ****************************************************************************/
548 static void push_conn_ctx(void)
550 struct conn_ctx
*ctx_p
;
551 extern userdom_struct current_user_info
;
553 /* Check we don't overflow our stack */
555 if (conn_ctx_stack_ndx
== MAX_SEC_CTX_DEPTH
) {
556 DEBUG(0, ("Connection context stack overflow!\n"));
557 smb_panic("Connection context stack overflow!\n");
560 /* Store previous user context */
561 ctx_p
= &conn_ctx_stack
[conn_ctx_stack_ndx
];
563 ctx_p
->conn
= current_user
.conn
;
564 ctx_p
->vuid
= current_user
.vuid
;
565 ctx_p
->user_info
= current_user_info
;
567 DEBUG(4, ("push_conn_ctx(%llu) : conn_ctx_stack_ndx = %d\n",
568 (unsigned long long)ctx_p
->vuid
, conn_ctx_stack_ndx
));
570 conn_ctx_stack_ndx
++;
573 static void pop_conn_ctx(void)
575 struct conn_ctx
*ctx_p
;
577 /* Check for stack underflow. */
579 if (conn_ctx_stack_ndx
== 0) {
580 DEBUG(0, ("Connection context stack underflow!\n"));
581 smb_panic("Connection context stack underflow!\n");
584 conn_ctx_stack_ndx
--;
585 ctx_p
= &conn_ctx_stack
[conn_ctx_stack_ndx
];
587 set_current_user_info(ctx_p
->user_info
.smb_name
,
588 ctx_p
->user_info
.unix_name
,
589 ctx_p
->user_info
.domain
);
591 current_user
.conn
= ctx_p
->conn
;
592 current_user
.vuid
= ctx_p
->vuid
;
594 *ctx_p
= (struct conn_ctx
) {
595 .vuid
= UID_FIELD_INVALID
,
599 /****************************************************************************
600 Temporarily become a root user. Must match with unbecome_root(). Saves and
601 restores the connection context.
602 ****************************************************************************/
604 void smbd_become_root(void)
607 * no good way to handle push_sec_ctx() failing without changing
608 * the prototype of become_root()
610 if (!push_sec_ctx()) {
611 smb_panic("become_root: push_sec_ctx failed");
617 /* Unbecome the root user */
619 void smbd_unbecome_root(void)
625 /****************************************************************************
626 Push the current security context then force a change via change_to_user().
627 Saves and restores the connection context.
628 ****************************************************************************/
630 bool become_user_without_service(connection_struct
*conn
, uint64_t vuid
)
632 struct auth_session_info
*session_info
= NULL
;
633 int snum
= SNUM(conn
);
638 DBG_WARNING("Connection not open\n");
642 status
= smbXsrv_session_info_lookup(conn
->sconn
->client
,
645 if (!NT_STATUS_IS_OK(status
)) {
646 /* Invalid vuid sent */
647 DBG_WARNING("Invalid vuid %llu used on share %s.\n",
648 (unsigned long long)vuid
,
649 lp_const_servicename(snum
));
660 ok
= change_to_user_impersonate(conn
, session_info
, vuid
);
670 bool become_user_without_service_by_fsp(struct files_struct
*fsp
)
672 return become_user_without_service(fsp
->conn
, fsp
->vuid
);
675 bool become_user_without_service_by_session(connection_struct
*conn
,
676 const struct auth_session_info
*session_info
)
680 SMB_ASSERT(conn
!= NULL
);
681 SMB_ASSERT(session_info
!= NULL
);
690 ok
= change_to_user_impersonate(conn
, session_info
, UID_FIELD_INVALID
);
700 bool unbecome_user_without_service(void)
707 /****************************************************************************
708 Return the current user we are running effectively as on this connection.
709 I'd like to make this return conn->session_info->unix_token->uid, but become_root()
710 doesn't alter this value.
711 ****************************************************************************/
713 uid_t
get_current_uid(connection_struct
*conn
)
715 return current_user
.ut
.uid
;
718 /****************************************************************************
719 Return the current group we are running effectively as on this connection.
720 I'd like to make this return conn->session_info->unix_token->gid, but become_root()
721 doesn't alter this value.
722 ****************************************************************************/
724 gid_t
get_current_gid(connection_struct
*conn
)
726 return current_user
.ut
.gid
;
729 /****************************************************************************
730 Return the UNIX token we are running effectively as on this connection.
731 I'd like to make this return &conn->session_info->unix_token-> but become_root()
732 doesn't alter this value.
733 ****************************************************************************/
735 const struct security_unix_token
*get_current_utok(connection_struct
*conn
)
737 return ¤t_user
.ut
;
740 /****************************************************************************
741 Return the Windows token we are running effectively as on this connection.
742 If this is currently a NULL token as we're inside become_root() - a temporary
743 UNIX security override, then we search up the stack for the previous active
745 ****************************************************************************/
747 const struct security_token
*get_current_nttok(connection_struct
*conn
)
749 if (current_user
.nt_user_token
) {
750 return current_user
.nt_user_token
;
752 return sec_ctx_active_token();