Context Navigation

source: trunk/server/source3/smbd/uid.c@ 696

Visit:

Last change on this file since 696 was 596, checked in by Herwig Bauernfeind, 14 years ago
Samba 3.5: Update trunk to 3.5.8
File size: 14.4 KB

Line
1	/*
2	Unix SMB/CIFS implementation.
3	uid/user handling
4	Copyright (C) Andrew Tridgell 1992-1998
5
6	This program is free software; you can redistribute it and/or modify
7	it under the terms of the GNU General Public License as published by
8	the Free Software Foundation; either version 3 of the License, or
9	(at your option) any later version.
10
11	This program is distributed in the hope that it will be useful,
12	but WITHOUT ANY WARRANTY; without even the implied warranty of
13	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14	GNU General Public License for more details.
15
16	You should have received a copy of the GNU General Public License
17	along with this program. If not, see <http://www.gnu.org/licenses/>.
18	*/
19
20	#include "includes.h"
21	#include "smbd/globals.h"
22
23	/* what user is current? */
24	extern struct current_user current_user;
25
26	/****************************************************************************
27	Become the guest user without changing the security context stack.
28	****************************************************************************/
29
30	bool change_to_guest(void)
31	{
32	struct passwd *pass;
33
34	pass = Get_Pwnam_alloc(talloc_autofree_context(), lp_guestaccount());
35	if (!pass) {
36	return false;
37	}
38
39	#ifdef AIX
40	/* MWW: From AIX FAQ patch to WU-ftpd: call initgroups before
41	setting IDs */
42	initgroups(pass->pw_name, pass->pw_gid);
43	#endif
44
45	set_sec_ctx(pass->pw_uid, pass->pw_gid, 0, NULL, NULL);
46
47	current_user.conn = NULL;
48	current_user.vuid = UID_FIELD_INVALID;
49
50	TALLOC_FREE(pass);
51
52	return true;
53	}
54
55	/****************************************************************************
56	talloc free the conn->server_info if not used in the vuid cache.
57	****************************************************************************/
58
59	static void free_conn_server_info_if_unused(connection_struct *conn)
60	{
61	unsigned int i;
62
63	for (i = 0; i < VUID_CACHE_SIZE; i++) {
64	struct vuid_cache_entry *ent;
65	ent = &conn->vuid_cache.array[i];
66	if (ent->vuid != UID_FIELD_INVALID &&
67	conn->server_info == ent->server_info) {
68	return;
69	}
70	}
71	/* Not used, safe to free. */
72	TALLOC_FREE(conn->server_info);
73	}
74
75	/*******************************************************************
76	Check if a username is OK.
77
78	This sets up conn->server_info with a copy related to this vuser that
79	later code can then mess with.
80	********************************************************************/
81
82	static bool check_user_ok(connection_struct *conn,
83	uint16_t vuid,
84	const struct auth_serversupplied_info *server_info,
85	int snum)
86	{
87	bool valid_vuid = (vuid != UID_FIELD_INVALID);
88	unsigned int i;
89	bool readonly_share;
90	bool admin_user;
91
92	if (valid_vuid) {
93	struct vuid_cache_entry *ent;
94
95	for (i=0; i<VUID_CACHE_SIZE; i++) {
96	ent = &conn->vuid_cache.array[i];
97	if (ent->vuid == vuid) {
98	free_conn_server_info_if_unused(conn);
99	conn->server_info = ent->server_info;
100	conn->read_only = ent->read_only;
101	conn->admin_user = ent->admin_user;
102	return(True);
103	}
104	}
105	}
106
107	if (!user_ok_token(server_info->unix_name,
108	pdb_get_domain(server_info->sam_account),
109	server_info->ptok, snum))
110	return(False);
111
112	readonly_share = is_share_read_only_for_token(
113	server_info->unix_name,
114	pdb_get_domain(server_info->sam_account),
115	server_info->ptok,
116	conn);
117
118	if (!readonly_share &&
119	!share_access_check(server_info->ptok, lp_servicename(snum),
120	FILE_WRITE_DATA)) {
121	/* smb.conf allows r/w, but the security descriptor denies
122	* write. Fall back to looking at readonly. */
123	readonly_share = True;
124	DEBUG(5,("falling back to read-only access-evaluation due to "
125	"security descriptor\n"));
126	}
127
128	if (!share_access_check(server_info->ptok, lp_servicename(snum),
129	readonly_share ?
130	FILE_READ_DATA : FILE_WRITE_DATA)) {
131	return False;
132	}
133
134	admin_user = token_contains_name_in_list(
135	server_info->unix_name,
136	pdb_get_domain(server_info->sam_account),
137	NULL, server_info->ptok, lp_admin_users(snum));
138
139	if (valid_vuid) {
140	struct vuid_cache_entry *ent =
141	&conn->vuid_cache.array[conn->vuid_cache.next_entry];
142
143	conn->vuid_cache.next_entry =
144	(conn->vuid_cache.next_entry + 1) % VUID_CACHE_SIZE;
145
146	TALLOC_FREE(ent->server_info);
147
148	/*
149	* If force_user was set, all server_info's are based on the same
150	* username-based faked one.
151	*/
152
153	ent->server_info = copy_serverinfo(
154	conn, conn->force_user ? conn->server_info : server_info);
155
156	if (ent->server_info == NULL) {
157	ent->vuid = UID_FIELD_INVALID;
158	return false;
159	}
160
161	ent->vuid = vuid;
162	ent->read_only = readonly_share;
163	ent->admin_user = admin_user;
164	free_conn_server_info_if_unused(conn);
165	conn->server_info = ent->server_info;
166	}
167
168	conn->read_only = readonly_share;
169	conn->admin_user = admin_user;
170
171	return(True);
172	}
173
174	/****************************************************************************
175	Clear a vuid out of the connection's vuid cache
176	This is only called on SMBulogoff.
177	****************************************************************************/
178
179	void conn_clear_vuid_cache(connection_struct *conn, uint16_t vuid)
180	{
181	int i;
182
183	for (i=0; i<VUID_CACHE_SIZE; i++) {
184	struct vuid_cache_entry *ent;
185
186	ent = &conn->vuid_cache.array[i];
187
188	if (ent->vuid == vuid) {
189	ent->vuid = UID_FIELD_INVALID;
190	/*
191	* We need to keep conn->server_info around
192	* if it's equal to ent->server_info as a SMBulogoff
193	* is often followed by a SMBtdis (with an invalid
194	* vuid). The debug code (or regular code in
195	* vfs_full_audit) wants to refer to the
196	* conn->server_info pointer to print debug
197	* statements. Theoretically this is a bug,
198	* as once the vuid is gone the server_info
199	* on the conn struct isn't valid any more,
200	* but there's enough code that assumes
201	* conn->server_info is never null that
202	* it's easier to hold onto the old pointer
203	* until we get a new sessionsetupX.
204	* As everything is hung off the
205	* conn pointer as a talloc context we're not
206	* leaking memory here. See bug #6315. JRA.
207	*/
208	if (conn->server_info == ent->server_info) {
209	ent->server_info = NULL;
210	} else {
211	TALLOC_FREE(ent->server_info);
212	}
213	ent->read_only = False;
214	ent->admin_user = False;
215	}
216	}
217	}
218
219	/****************************************************************************
220	Become the user of a connection number without changing the security context
221	stack, but modify the current_user entries.
222	****************************************************************************/
223
224	bool change_to_user(connection_struct *conn, uint16 vuid)
225	{
226	const struct auth_serversupplied_info *server_info = NULL;
227	struct smbd_server_connection *sconn = smbd_server_conn;
228	user_struct *vuser = get_valid_user_struct(sconn, vuid);
229	int snum;
230	gid_t gid;
231	uid_t uid;
232	char group_c;
233	int num_groups = 0;
234	gid_t *group_list = NULL;
235
236	if (!conn) {
237	DEBUG(2,("change_to_user: Connection not open\n"));
238	return(False);
239	}
240
241	/*
242	* We need a separate check in security=share mode due to vuid
243	* always being UID_FIELD_INVALID. If we don't do this then
244	* in share mode security we are always changing uid's between
245	* SMB's - this hurts performance - Badly.
246	*/
247
248	if((lp_security() == SEC_SHARE) && (current_user.conn == conn) &&
249	(current_user.ut.uid == conn->server_info->utok.uid)) {
250	DEBUG(4,("change_to_user: Skipping user change - already "
251	"user\n"));
252	return(True);
253	} else if ((current_user.conn == conn) &&
254	(vuser != NULL) && (current_user.vuid == vuid) &&
255	(current_user.ut.uid == vuser->server_info->utok.uid)) {
256	DEBUG(4,("change_to_user: Skipping user change - already "
257	"user\n"));
258	return(True);
259	}
260
261	snum = SNUM(conn);
262
263	server_info = vuser ? vuser->server_info : conn->server_info;
264
265	if (!server_info) {
266	/* Invalid vuid sent - even with security = share. */
267	DEBUG(2,("change_to_user: Invalid vuid %d used on "
268	"share %s.\n",vuid, lp_servicename(snum) ));
269	return false;
270	}
271
272	if (!check_user_ok(conn, vuid, server_info, snum)) {
273	DEBUG(2,("change_to_user: SMB user %s (unix user %s, vuid %d) "
274	"not permitted access to share %s.\n",
275	server_info->sanitized_username,
276	server_info->unix_name, vuid,
277	lp_servicename(snum)));
278	return false;
279	}
280
281	/*
282	* conn->server_info is now correctly set up with a copy we can mess
283	* with for force_group etc.
284	*/
285
286	if (conn->force_user) /* security = share sets this too */ {
287	uid = conn->server_info->utok.uid;
288	gid = conn->server_info->utok.gid;
289	group_list = conn->server_info->utok.groups;
290	num_groups = conn->server_info->utok.ngroups;
291	} else if (vuser) {
292	uid = conn->admin_user ? 0 : vuser->server_info->utok.uid;
293	gid = conn->server_info->utok.gid;
294	num_groups = conn->server_info->utok.ngroups;
295	group_list = conn->server_info->utok.groups;
296	} else {
297	DEBUG(2,("change_to_user: Invalid vuid used %d in accessing "
298	"share %s.\n",vuid, lp_servicename(snum) ));
299	return False;
300	}
301
302	/*
303	* See if we should force group for this service.
304	* If so this overrides any group set in the force
305	* user code.
306	*/
307
308	if((group_c = *lp_force_group(snum))) {
309
310	SMB_ASSERT(conn->force_group_gid != (gid_t)-1);
311
312	if(group_c == '+') {
313
314	/*
315	* Only force group if the user is a member of
316	* the service group. Check the group memberships for
317	* this user (we already have this) to
318	* see if we should force the group.
319	*/
320
321	int i;
322	for (i = 0; i < num_groups; i++) {
323	if (group_list[i]
324	== conn->force_group_gid) {
325	conn->server_info->utok.gid =
326	conn->force_group_gid;
327	gid = conn->force_group_gid;
328	gid_to_sid(&conn->server_info->ptok
329	->user_sids[1], gid);
330	break;
331	}
332	}
333	} else {
334	conn->server_info->utok.gid = conn->force_group_gid;
335	gid = conn->force_group_gid;
336	gid_to_sid(&conn->server_info->ptok->user_sids[1],
337	gid);
338	}
339	}
340
341	/* Now set current_user since we will immediately also call
342	set_sec_ctx() */
343
344	current_user.ut.ngroups = num_groups;
345	current_user.ut.groups = group_list;
346
347	set_sec_ctx(uid, gid, current_user.ut.ngroups, current_user.ut.groups,
348	conn->server_info->ptok);
349
350	current_user.conn = conn;
351	current_user.vuid = vuid;
352
353	DEBUG(5,("change_to_user uid=(%d,%d) gid=(%d,%d)\n",
354	(int)getuid(),(int)geteuid(),(int)getgid(),(int)getegid()));
355
356	return(True);
357	}
358
359	/****************************************************************************
360	Go back to being root without changing the security context stack,
361	but modify the current_user entries.
362	****************************************************************************/
363
364	bool change_to_root_user(void)
365	{
366	set_root_sec_ctx();
367
368	DEBUG(5,("change_to_root_user: now uid=(%d,%d) gid=(%d,%d)\n",
369	(int)getuid(),(int)geteuid(),(int)getgid(),(int)getegid()));
370
371	current_user.conn = NULL;
372	current_user.vuid = UID_FIELD_INVALID;
373
374	return(True);
375	}
376
377	/****************************************************************************
378	Become the user of an authenticated connected named pipe.
379	When this is called we are currently running as the connection
380	user. Doesn't modify current_user.
381	****************************************************************************/
382
383	bool become_authenticated_pipe_user(pipes_struct *p)
384	{
385	if (!push_sec_ctx())
386	return False;
387
388	set_sec_ctx(p->server_info->utok.uid, p->server_info->utok.gid,
389	p->server_info->utok.ngroups, p->server_info->utok.groups,
390	p->server_info->ptok);
391
392	return True;
393	}
394
395	/****************************************************************************
396	Unbecome the user of an authenticated connected named pipe.
397	When this is called we are running as the authenticated pipe
398	user and need to go back to being the connection user. Doesn't modify
399	current_user.
400	****************************************************************************/
401
402	bool unbecome_authenticated_pipe_user(void)
403	{
404	return pop_sec_ctx();
405	}
406
407	/****************************************************************************
408	Utility functions used by become_xxx/unbecome_xxx.
409	****************************************************************************/
410
411	static void push_conn_ctx(void)
412	{
413	struct conn_ctx *ctx_p;
414
415	/* Check we don't overflow our stack */
416
417	if (conn_ctx_stack_ndx == MAX_SEC_CTX_DEPTH) {
418	DEBUG(0, ("Connection context stack overflow!\n"));
419	smb_panic("Connection context stack overflow!\n");
420	}
421
422	/* Store previous user context */
423	ctx_p = &conn_ctx_stack[conn_ctx_stack_ndx];
424
425	ctx_p->conn = current_user.conn;
426	ctx_p->vuid = current_user.vuid;
427
428	DEBUG(3, ("push_conn_ctx(%u) : conn_ctx_stack_ndx = %d\n",
429	(unsigned int)ctx_p->vuid, conn_ctx_stack_ndx ));
430
431	conn_ctx_stack_ndx++;
432	}
433
434	static void pop_conn_ctx(void)
435	{
436	struct conn_ctx *ctx_p;
437
438	/* Check for stack underflow. */
439
440	if (conn_ctx_stack_ndx == 0) {
441	DEBUG(0, ("Connection context stack underflow!\n"));
442	smb_panic("Connection context stack underflow!\n");
443	}
444
445	conn_ctx_stack_ndx--;
446	ctx_p = &conn_ctx_stack[conn_ctx_stack_ndx];
447
448	current_user.conn = ctx_p->conn;
449	current_user.vuid = ctx_p->vuid;
450
451	ctx_p->conn = NULL;
452	ctx_p->vuid = UID_FIELD_INVALID;
453	}
454
455	/****************************************************************************
456	Temporarily become a root user. Must match with unbecome_root(). Saves and
457	restores the connection context.
458	****************************************************************************/
459
460	void become_root(void)
461	{
462	/*
463	* no good way to handle push_sec_ctx() failing without changing
464	* the prototype of become_root()
465	*/
466	if (!push_sec_ctx()) {
467	smb_panic("become_root: push_sec_ctx failed");
468	}
469	push_conn_ctx();
470	set_root_sec_ctx();
471	}
472
473	/* Unbecome the root user */
474
475	void unbecome_root(void)
476	{
477	pop_sec_ctx();
478	pop_conn_ctx();
479	}
480
481	/****************************************************************************
482	Push the current security context then force a change via change_to_user().
483	Saves and restores the connection context.
484	****************************************************************************/
485
486	bool become_user(connection_struct *conn, uint16 vuid)
487	{
488	if (!push_sec_ctx())
489	return False;
490
491	push_conn_ctx();
492
493	if (!change_to_user(conn, vuid)) {
494	pop_sec_ctx();
495	pop_conn_ctx();
496	return False;
497	}
498
499	return True;
500	}
501
502	bool unbecome_user(void)
503	{
504	pop_sec_ctx();
505	pop_conn_ctx();
506	return True;
507	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: