Context Navigation

source: branches/samba-3.3.x/source/smbd/uid.c@ 310

Visit:

Last change on this file since 310 was 274, checked in by Herwig Bauernfeind, 16 years ago
Update 3.3 branch to 3.3.5
File size: 14.6 KB

Line
1	/*
2	Unix SMB/CIFS implementation.
3	uid/user handling
4	Copyright (C) Andrew Tridgell 1992-1998
5
6	This program is free software; you can redistribute it and/or modify
7	it under the terms of the GNU General Public License as published by
8	the Free Software Foundation; either version 3 of the License, or
9	(at your option) any later version.
10
11	This program is distributed in the hope that it will be useful,
12	but WITHOUT ANY WARRANTY; without even the implied warranty of
13	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14	GNU General Public License for more details.
15
16	You should have received a copy of the GNU General Public License
17	along with this program. If not, see <http://www.gnu.org/licenses/>.
18	*/
19
20	#include "includes.h"
21
22	/* what user is current? */
23	extern struct current_user current_user;
24
25	/****************************************************************************
26	Become the guest user without changing the security context stack.
27	****************************************************************************/
28
29	bool change_to_guest(void)
30	{
31	static struct passwd *pass=NULL;
32
33	if (!pass) {
34	/* Don't need to free() this as its stored in a static */
35	pass = getpwnam_alloc(talloc_autofree_context(), lp_guestaccount());
36	if (!pass)
37	return(False);
38	}
39
40	#ifdef AIX
41	/* MWW: From AIX FAQ patch to WU-ftpd: call initgroups before
42	setting IDs */
43	initgroups(pass->pw_name, pass->pw_gid);
44	#endif
45
46	set_sec_ctx(pass->pw_uid, pass->pw_gid, 0, NULL, NULL);
47
48	current_user.conn = NULL;
49	current_user.vuid = UID_FIELD_INVALID;
50
51	TALLOC_FREE(pass);
52	pass = NULL;
53
54	return True;
55	}
56
57	/****************************************************************************
58	talloc free the conn->server_info if not used in the vuid cache.
59	****************************************************************************/
60
61	static void free_conn_server_info_if_unused(connection_struct *conn)
62	{
63	unsigned int i;
64
65	for (i = 0; i < VUID_CACHE_SIZE; i++) {
66	struct vuid_cache_entry *ent;
67	ent = &conn->vuid_cache.array[i];
68	if (ent->vuid != UID_FIELD_INVALID &&
69	conn->server_info == ent->server_info) {
70	return;
71	}
72	}
73	/* Not used, safe to free. */
74	TALLOC_FREE(conn->server_info);
75	}
76
77	/*******************************************************************
78	Check if a username is OK.
79
80	This sets up conn->server_info with a copy related to this vuser that
81	later code can then mess with.
82	********************************************************************/
83
84	static bool check_user_ok(connection_struct *conn,
85	uint16_t vuid,
86	const struct auth_serversupplied_info *server_info,
87	int snum)
88	{
89	bool valid_vuid = (vuid != UID_FIELD_INVALID);
90	unsigned int i;
91	bool readonly_share;
92	bool admin_user;
93
94	if (valid_vuid) {
95	struct vuid_cache_entry *ent;
96
97	for (i=0; i<VUID_CACHE_SIZE; i++) {
98	ent = &conn->vuid_cache.array[i];
99	if (ent->vuid == vuid) {
100	free_conn_server_info_if_unused(conn);
101	conn->server_info = ent->server_info;
102	conn->read_only = ent->read_only;
103	conn->admin_user = ent->admin_user;
104	return(True);
105	}
106	}
107	}
108
109	if (!user_ok_token(server_info->unix_name,
110	pdb_get_domain(server_info->sam_account),
111	server_info->ptok, snum))
112	return(False);
113
114	readonly_share = is_share_read_only_for_token(
115	server_info->unix_name,
116	pdb_get_domain(server_info->sam_account),
117	server_info->ptok,
118	conn);
119
120	if (!readonly_share &&
121	!share_access_check(server_info->ptok, lp_servicename(snum),
122	FILE_WRITE_DATA)) {
123	/* smb.conf allows r/w, but the security descriptor denies
124	* write. Fall back to looking at readonly. */
125	readonly_share = True;
126	DEBUG(5,("falling back to read-only access-evaluation due to "
127	"security descriptor\n"));
128	}
129
130	if (!share_access_check(server_info->ptok, lp_servicename(snum),
131	readonly_share ?
132	FILE_READ_DATA : FILE_WRITE_DATA)) {
133	return False;
134	}
135
136	admin_user = token_contains_name_in_list(
137	server_info->unix_name,
138	pdb_get_domain(server_info->sam_account),
139	NULL, server_info->ptok, lp_admin_users(snum));
140
141	if (valid_vuid) {
142	struct vuid_cache_entry *ent =
143	&conn->vuid_cache.array[conn->vuid_cache.next_entry];
144
145	conn->vuid_cache.next_entry =
146	(conn->vuid_cache.next_entry + 1) % VUID_CACHE_SIZE;
147
148	TALLOC_FREE(ent->server_info);
149
150	/*
151	* If force_user was set, all server_info's are based on the same
152	* username-based faked one.
153	*/
154
155	ent->server_info = copy_serverinfo(
156	conn, conn->force_user ? conn->server_info : server_info);
157
158	if (ent->server_info == NULL) {
159	ent->vuid = UID_FIELD_INVALID;
160	return false;
161	}
162
163	ent->vuid = vuid;
164	ent->read_only = readonly_share;
165	ent->admin_user = admin_user;
166	free_conn_server_info_if_unused(conn);
167	conn->server_info = ent->server_info;
168	}
169
170	conn->read_only = readonly_share;
171	conn->admin_user = admin_user;
172
173	return(True);
174	}
175
176	/****************************************************************************
177	Clear a vuid out of the connection's vuid cache
178	This is only called on SMBulogoff.
179	****************************************************************************/
180
181	void conn_clear_vuid_cache(connection_struct *conn, uint16_t vuid)
182	{
183	int i;
184
185	for (i=0; i<VUID_CACHE_SIZE; i++) {
186	struct vuid_cache_entry *ent;
187
188	ent = &conn->vuid_cache.array[i];
189
190	if (ent->vuid == vuid) {
191	ent->vuid = UID_FIELD_INVALID;
192	/*
193	* We need to keep conn->server_info around
194	* if it's equal to ent->server_info as a SMBulogoff
195	* is often followed by a SMBtdis (with an invalid
196	* vuid). The debug code (or regular code in
197	* vfs_full_audit) wants to refer to the
198	* conn->server_info pointer to print debug
199	* statements. Theoretically this is a bug,
200	* as once the vuid is gone the server_info
201	* on the conn struct isn't valid any more,
202	* but there's enough code that assumes
203	* conn->server_info is never null that
204	* it's easier to hold onto the old pointer
205	* until we get a new sessionsetupX.
206	* As everything is hung off the
207	* conn pointer as a talloc context we're not
208	* leaking memory here. See bug #6315. JRA.
209	*/
210	if (conn->server_info == ent->server_info) {
211	ent->server_info = NULL;
212	} else {
213	TALLOC_FREE(ent->server_info);
214	}
215	ent->read_only = False;
216	ent->admin_user = False;
217	}
218	}
219	}
220
221	/****************************************************************************
222	Become the user of a connection number without changing the security context
223	stack, but modify the current_user entries.
224	****************************************************************************/
225
226	bool change_to_user(connection_struct *conn, uint16 vuid)
227	{
228	const struct auth_serversupplied_info *server_info = NULL;
229	user_struct *vuser = get_valid_user_struct(vuid);
230	int snum;
231	gid_t gid;
232	uid_t uid;
233	char group_c;
234	int num_groups = 0;
235	gid_t *group_list = NULL;
236
237	if (!conn) {
238	DEBUG(2,("change_to_user: Connection not open\n"));
239	return(False);
240	}
241
242	/*
243	* We need a separate check in security=share mode due to vuid
244	* always being UID_FIELD_INVALID. If we don't do this then
245	* in share mode security we are always changing uid's between
246	* SMB's - this hurts performance - Badly.
247	*/
248
249	if((lp_security() == SEC_SHARE) && (current_user.conn == conn) &&
250	(current_user.ut.uid == conn->server_info->utok.uid)) {
251	DEBUG(4,("change_to_user: Skipping user change - already "
252	"user\n"));
253	return(True);
254	} else if ((current_user.conn == conn) &&
255	(vuser != NULL) && (current_user.vuid == vuid) &&
256	(current_user.ut.uid == vuser->server_info->utok.uid)) {
257	DEBUG(4,("change_to_user: Skipping user change - already "
258	"user\n"));
259	return(True);
260	}
261
262	snum = SNUM(conn);
263
264	server_info = vuser ? vuser->server_info : conn->server_info;
265
266	if (!server_info) {
267	/* Invalid vuid sent - even with security = share. */
268	DEBUG(2,("change_to_user: Invalid vuid %d used on "
269	"share %s.\n",vuid, lp_servicename(snum) ));
270	return false;
271	}
272
273	if (!check_user_ok(conn, vuid, server_info, snum)) {
274	DEBUG(2,("change_to_user: SMB user %s (unix user %s, vuid %d) "
275	"not permitted access to share %s.\n",
276	server_info->sanitized_username,
277	server_info->unix_name, vuid,
278	lp_servicename(snum)));
279	return false;
280	}
281
282	/*
283	* conn->server_info is now correctly set up with a copy we can mess
284	* with for force_group etc.
285	*/
286
287	if (conn->force_user) /* security = share sets this too */ {
288	uid = conn->server_info->utok.uid;
289	gid = conn->server_info->utok.gid;
290	group_list = conn->server_info->utok.groups;
291	num_groups = conn->server_info->utok.ngroups;
292	} else if (vuser) {
293	uid = conn->admin_user ? 0 : vuser->server_info->utok.uid;
294	gid = conn->server_info->utok.gid;
295	num_groups = conn->server_info->utok.ngroups;
296	group_list = conn->server_info->utok.groups;
297	} else {
298	DEBUG(2,("change_to_user: Invalid vuid used %d in accessing "
299	"share %s.\n",vuid, lp_servicename(snum) ));
300	return False;
301	}
302
303	/*
304	* See if we should force group for this service.
305	* If so this overrides any group set in the force
306	* user code.
307	*/
308
309	if((group_c = *lp_force_group(snum))) {
310
311	SMB_ASSERT(conn->force_group_gid != (gid_t)-1);
312
313	if(group_c == '+') {
314
315	/*
316	* Only force group if the user is a member of
317	* the service group. Check the group memberships for
318	* this user (we already have this) to
319	* see if we should force the group.
320	*/
321
322	int i;
323	for (i = 0; i < num_groups; i++) {
324	if (group_list[i]
325	== conn->force_group_gid) {
326	conn->server_info->utok.gid =
327	conn->force_group_gid;
328	gid = conn->force_group_gid;
329	gid_to_sid(&conn->server_info->ptok
330	->user_sids[1], gid);
331	break;
332	}
333	}
334	} else {
335	conn->server_info->utok.gid = conn->force_group_gid;
336	gid = conn->force_group_gid;
337	gid_to_sid(&conn->server_info->ptok->user_sids[1],
338	gid);
339	}
340	}
341
342	/* Now set current_user since we will immediately also call
343	set_sec_ctx() */
344
345	current_user.ut.ngroups = num_groups;
346	current_user.ut.groups = group_list;
347
348	set_sec_ctx(uid, gid, current_user.ut.ngroups, current_user.ut.groups,
349	conn->server_info->ptok);
350
351	current_user.conn = conn;
352	current_user.vuid = vuid;
353
354	DEBUG(5,("change_to_user uid=(%d,%d) gid=(%d,%d)\n",
355	(int)getuid(),(int)geteuid(),(int)getgid(),(int)getegid()));
356
357	return(True);
358	}
359
360	/****************************************************************************
361	Go back to being root without changing the security context stack,
362	but modify the current_user entries.
363	****************************************************************************/
364
365	bool change_to_root_user(void)
366	{
367	set_root_sec_ctx();
368
369	DEBUG(5,("change_to_root_user: now uid=(%d,%d) gid=(%d,%d)\n",
370	(int)getuid(),(int)geteuid(),(int)getgid(),(int)getegid()));
371
372	current_user.conn = NULL;
373	current_user.vuid = UID_FIELD_INVALID;
374
375	return(True);
376	}
377
378	/****************************************************************************
379	Become the user of an authenticated connected named pipe.
380	When this is called we are currently running as the connection
381	user. Doesn't modify current_user.
382	****************************************************************************/
383
384	bool become_authenticated_pipe_user(pipes_struct *p)
385	{
386	if (!push_sec_ctx())
387	return False;
388
389	set_sec_ctx(p->pipe_user.ut.uid, p->pipe_user.ut.gid,
390	p->pipe_user.ut.ngroups, p->pipe_user.ut.groups,
391	p->pipe_user.nt_user_token);
392
393	return True;
394	}
395
396	/****************************************************************************
397	Unbecome the user of an authenticated connected named pipe.
398	When this is called we are running as the authenticated pipe
399	user and need to go back to being the connection user. Doesn't modify
400	current_user.
401	****************************************************************************/
402
403	bool unbecome_authenticated_pipe_user(void)
404	{
405	return pop_sec_ctx();
406	}
407
408	/****************************************************************************
409	Utility functions used by become_xxx/unbecome_xxx.
410	****************************************************************************/
411
412	struct conn_ctx {
413	connection_struct *conn;
414	uint16 vuid;
415	};
416
417	/* A stack of current_user connection contexts. */
418
419	static struct conn_ctx conn_ctx_stack[MAX_SEC_CTX_DEPTH];
420	static int conn_ctx_stack_ndx;
421
422	static void push_conn_ctx(void)
423	{
424	struct conn_ctx *ctx_p;
425
426	/* Check we don't overflow our stack */
427
428	if (conn_ctx_stack_ndx == MAX_SEC_CTX_DEPTH) {
429	DEBUG(0, ("Connection context stack overflow!\n"));
430	smb_panic("Connection context stack overflow!\n");
431	}
432
433	/* Store previous user context */
434	ctx_p = &conn_ctx_stack[conn_ctx_stack_ndx];
435
436	ctx_p->conn = current_user.conn;
437	ctx_p->vuid = current_user.vuid;
438
439	DEBUG(3, ("push_conn_ctx(%u) : conn_ctx_stack_ndx = %d\n",
440	(unsigned int)ctx_p->vuid, conn_ctx_stack_ndx ));
441
442	conn_ctx_stack_ndx++;
443	}
444
445	static void pop_conn_ctx(void)
446	{
447	struct conn_ctx *ctx_p;
448
449	/* Check for stack underflow. */
450
451	if (conn_ctx_stack_ndx == 0) {
452	DEBUG(0, ("Connection context stack underflow!\n"));
453	smb_panic("Connection context stack underflow!\n");
454	}
455
456	conn_ctx_stack_ndx--;
457	ctx_p = &conn_ctx_stack[conn_ctx_stack_ndx];
458
459	current_user.conn = ctx_p->conn;
460	current_user.vuid = ctx_p->vuid;
461
462	ctx_p->conn = NULL;
463	ctx_p->vuid = UID_FIELD_INVALID;
464	}
465
466	/****************************************************************************
467	Temporarily become a root user. Must match with unbecome_root(). Saves and
468	restores the connection context.
469	****************************************************************************/
470
471	void become_root(void)
472	{
473	/*
474	* no good way to handle push_sec_ctx() failing without changing
475	* the prototype of become_root()
476	*/
477	if (!push_sec_ctx()) {
478	smb_panic("become_root: push_sec_ctx failed");
479	}
480	push_conn_ctx();
481	set_root_sec_ctx();
482	}
483
484	/* Unbecome the root user */
485
486	void unbecome_root(void)
487	{
488	pop_sec_ctx();
489	pop_conn_ctx();
490	}
491
492	/****************************************************************************
493	Push the current security context then force a change via change_to_user().
494	Saves and restores the connection context.
495	****************************************************************************/
496
497	bool become_user(connection_struct *conn, uint16 vuid)
498	{
499	if (!push_sec_ctx())
500	return False;
501
502	push_conn_ctx();
503
504	if (!change_to_user(conn, vuid)) {
505	pop_sec_ctx();
506	pop_conn_ctx();
507	return False;
508	}
509
510	return True;
511	}
512
513	bool unbecome_user(void)
514	{
515	pop_sec_ctx();
516	pop_conn_ctx();
517	return True;
518	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: