source: vendor/3.6.9/source3/smbd/share_access.c

Last change on this file was 740, checked in by Silvan Scherrer, 13 years ago

Samba Server: update vendor to 3.6.0
File size: 7.7 KB
Line 
1/*
2 Unix SMB/CIFS implementation.
3 Check access based on valid users, read list and friends
4 Copyright (C) Volker Lendecke 2005
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
18*/
19
20#include "includes.h"
21#include "smbd/smbd.h"
22#include "smbd/globals.h"
23#include "../libcli/security/security.h"
24#include "passdb/lookup_sid.h"
25#include "auth.h"
26
27/*
28 * No prefix means direct username
29 * @name means netgroup first, then unix group
30 * &name means netgroup
31 * +name means unix group
32 * + and & may be combined
33 */
34
35static bool do_group_checks(const char **name, const char **pattern)
36{
37 if ((*name)[0] == '@') {
38 *pattern = "&+";
39 *name += 1;
40 return True;
41 }
42
43 if (((*name)[0] == '+') && ((*name)[1] == '&')) {
44 *pattern = "+&";
45 *name += 2;
46 return True;
47 }
48
49 if ((*name)[0] == '+') {
50 *pattern = "+";
51 *name += 1;
52 return True;
53 }
54
55 if (((*name)[0] == '&') && ((*name)[1] == '+')) {
56 *pattern = "&+";
57 *name += 2;
58 return True;
59 }
60
61 if ((*name)[0] == '&') {
62 *pattern = "&";
63 *name += 1;
64 return True;
65 }
66
67 return False;
68}
69
70static bool token_contains_name(TALLOC_CTX *mem_ctx,
71 const char *username,
72 const char *domain,
73 const char *sharename,
74 const struct security_token *token,
75 const char *name)
76{
77 const char *prefix;
78 struct dom_sid sid;
79 enum lsa_SidType type;
80
81 if (username != NULL) {
82 name = talloc_sub_basic(mem_ctx, username, domain, name);
83 }
84 if (sharename != NULL) {
85 name = talloc_string_sub(mem_ctx, name, "%S", sharename);
86 }
87
88 if (name == NULL) {
89 /* This is too security sensitive, better panic than return a
90 * result that might be interpreted in a wrong way. */
91 smb_panic("substitutions failed");
92 }
93
94 /* check to see is we already have a SID */
95
96 if ( string_to_sid( &sid, name ) ) {
97 DEBUG(5,("token_contains_name: Checking for SID [%s] in token\n", name));
98 return nt_token_check_sid( &sid, token );
99 }
100
101 if (!do_group_checks(&name, &prefix)) {
102 if (!lookup_name_smbconf(mem_ctx, name, LOOKUP_NAME_ALL,
103 NULL, NULL, &sid, &type)) {
104 DEBUG(5, ("lookup_name %s failed\n", name));
105 return False;
106 }
107 if (type != SID_NAME_USER) {
108 DEBUG(5, ("%s is a %s, expected a user\n",
109 name, sid_type_lookup(type)));
110 return False;
111 }
112 return nt_token_check_sid(&sid, token);
113 }
114
115 for (/* initialized above */ ; *prefix != '\0'; prefix++) {
116 if (*prefix == '+') {
117 if (!lookup_name_smbconf(mem_ctx, name,
118 LOOKUP_NAME_ALL|LOOKUP_NAME_GROUP,
119 NULL, NULL, &sid, &type)) {
120 DEBUG(5, ("lookup_name %s failed\n", name));
121 return False;
122 }
123 if ((type != SID_NAME_DOM_GRP) &&
124 (type != SID_NAME_ALIAS) &&
125 (type != SID_NAME_WKN_GRP)) {
126 DEBUG(5, ("%s is a %s, expected a group\n",
127 name, sid_type_lookup(type)));
128 return False;
129 }
130 if (nt_token_check_sid(&sid, token)) {
131 return True;
132 }
133 continue;
134 }
135 if (*prefix == '&') {
136 if (username) {
137 if (user_in_netgroup(mem_ctx, username, name)) {
138 return True;
139 }
140 }
141 continue;
142 }
143 smb_panic("got invalid prefix from do_groups_check");
144 }
145 return False;
146}
147
148/*
149 * Check whether a user is contained in the list provided.
150 *
151 * Please note that the user name and share names passed in here mainly for
152 * the substitution routines that expand the parameter values, the decision
153 * whether a user is in the list is done after a lookup_name on the expanded
154 * parameter value, solely based on comparing the SIDs in token.
155 *
156 * The other use is the netgroup check when using @group or &group.
157 */
158
159bool token_contains_name_in_list(const char *username,
160 const char *domain,
161 const char *sharename,
162 const struct security_token *token,
163 const char **list)
164{
165 TALLOC_CTX *mem_ctx;
166
167 if (list == NULL) {
168 return False;
169 }
170
171 if ( (mem_ctx = talloc_new(NULL)) == NULL ) {
172 smb_panic("talloc_new failed");
173 }
174
175 while (*list != NULL) {
176 if (token_contains_name(mem_ctx, username, domain, sharename,
177 token, *list)) {
178 TALLOC_FREE(mem_ctx);
179 return True;
180 }
181 list += 1;
182 }
183
184 TALLOC_FREE(mem_ctx);
185 return False;
186}
187
188/*
189 * Check whether the user described by "token" has access to share snum.
190 *
191 * This looks at "invalid users", "valid users" and "only user/username"
192 *
193 * Please note that the user name and share names passed in here mainly for
194 * the substitution routines that expand the parameter values, the decision
195 * whether a user is in the list is done after a lookup_name on the expanded
196 * parameter value, solely based on comparing the SIDs in token.
197 *
198 * The other use is the netgroup check when using @group or &group.
199 */
200
201bool user_ok_token(const char *username, const char *domain,
202 const struct security_token *token, int snum)
203{
204 if (lp_invalid_users(snum) != NULL) {
205 if (token_contains_name_in_list(username, domain,
206 lp_servicename(snum),
207 token,
208 lp_invalid_users(snum))) {
209 DEBUG(10, ("User %s in 'invalid users'\n", username));
210 return False;
211 }
212 }
213
214 if (lp_valid_users(snum) != NULL) {
215 if (!token_contains_name_in_list(username, domain,
216 lp_servicename(snum), token,
217 lp_valid_users(snum))) {
218 DEBUG(10, ("User %s not in 'valid users'\n",
219 username));
220 return False;
221 }
222 }
223
224 if (lp_onlyuser(snum)) {
225 const char *list[2];
226 list[0] = lp_username(snum);
227 list[1] = NULL;
228 if ((list[0] == NULL) || (*list[0] == '\0')) {
229 DEBUG(0, ("'only user = yes' and no 'username ='\n"));
230 return False;
231 }
232 if (!token_contains_name_in_list(NULL, domain,
233 lp_servicename(snum),
234 token, list)) {
235 DEBUG(10, ("%s != 'username'\n", username));
236 return False;
237 }
238 }
239
240 DEBUG(10, ("user_ok_token: share %s is ok for unix user %s\n",
241 lp_servicename(snum), username));
242
243 return True;
244}
245
246/*
247 * Check whether the user described by "token" is restricted to read-only
248 * access on share snum.
249 *
250 * This looks at "invalid users", "valid users" and "only user/username"
251 *
252 * Please note that the user name and share names passed in here mainly for
253 * the substitution routines that expand the parameter values, the decision
254 * whether a user is in the list is done after a lookup_name on the expanded
255 * parameter value, solely based on comparing the SIDs in token.
256 *
257 * The other use is the netgroup check when using @group or &group.
258 */
259
260bool is_share_read_only_for_token(const char *username,
261 const char *domain,
262 const struct security_token *token,
263 connection_struct *conn)
264{
265 int snum = SNUM(conn);
266 bool result = conn->read_only;
267
268 if (lp_readlist(snum) != NULL) {
269 if (token_contains_name_in_list(username, domain,
270 lp_servicename(snum), token,
271 lp_readlist(snum))) {
272 result = True;
273 }
274 }
275
276 if (lp_writelist(snum) != NULL) {
277 if (token_contains_name_in_list(username, domain,
278 lp_servicename(snum), token,
279 lp_writelist(snum))) {
280 result = False;
281 }
282 }
283
284 DEBUG(10,("is_share_read_only_for_user: share %s is %s for unix user "
285 "%s\n", lp_servicename(snum),
286 result ? "read-only" : "read-write", username));
287
288 return result;
289}
Note: See TracBrowser for help on using the repository browser.