1/* 2 Unix SMB/CIFS implementation. 3 uid/user handling 4 Copyright (C) Andrew Tridgell 1992-1998 5 6 This program is free software; you can redistribute it and/or modify 7 it under the terms of the GNU General Public License as published by 8 the Free Software Foundation; either version 2 of the License, or 9 (at your option) any later version. 10 11 This program is distributed in the hope that it will be useful, 12 but WITHOUT ANY WARRANTY; without even the implied warranty of 13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 GNU General Public License for more details. 15 16 You should have received a copy of the GNU General Public License 17 along with this program; if not, write to the Free Software 18 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. 19*/ 20 21#include "includes.h" 22 23/* what user is current? */ 24extern struct current_user current_user; 25 26/**************************************************************************** 27 Become the guest user without changing the security context stack. 28****************************************************************************/ 29 30BOOL change_to_guest(void) 31{ 32 static struct passwd *pass=NULL; 33 34 if (!pass) { 35 /* Don't need to free() this as its stored in a static */ 36 pass = getpwnam_alloc(lp_guestaccount()); 37 if (!pass) 38 return(False); 39 } 40 41#ifdef AIX 42 /* MWW: From AIX FAQ patch to WU-ftpd: call initgroups before 43 setting IDs */ 44 initgroups(pass->pw_name, pass->pw_gid); 45#endif 46 47 set_sec_ctx(pass->pw_uid, pass->pw_gid, 0, NULL, NULL); 48 49 current_user.conn = NULL; 50 current_user.vuid = UID_FIELD_INVALID; 51 52 passwd_free(&pass); 53 54 return True; 55} 56 57/**************************************************************************** 58 Readonly share for this user ? 59****************************************************************************/ 60 61static BOOL is_share_read_only_for_user(connection_struct *conn, user_struct *vuser) 62{ 63 char **list; 64 const char *service = lp_servicename(conn->service); 65 BOOL read_only_ret = lp_readonly(conn->service); 66 67 if (!service) 68 return read_only_ret; 69 70 str_list_copy(&list, lp_readlist(conn->service)); 71 if (list) { 72 if (!str_list_sub_basic(list, vuser->user.smb_name) ) { 73 DEBUG(0, ("is_share_read_only_for_user: ERROR: read list substitution failed\n")); 74 } 75 if (!str_list_substitute(list, "%S", service)) { 76 DEBUG(0, ("is_share_read_only_for_user: ERROR: read list service substitution failed\n")); 77 } 78 if (user_in_list(vuser->user.unix_name, (const char **)list, vuser->groups, vuser->n_groups)) { 79 read_only_ret = True; 80 } 81 str_list_free(&list); 82 } 83 84 str_list_copy(&list, lp_writelist(conn->service)); 85 if (list) { 86 if (!str_list_sub_basic(list, vuser->user.smb_name) ) { 87 DEBUG(0, ("is_share_read_only_for_user: ERROR: write list substitution failed\n")); 88 } 89 if (!str_list_substitute(list, "%S", service)) { 90 DEBUG(0, ("is_share_read_only_for_user: ERROR: write list service substitution failed\n")); 91 } 92 if (user_in_list(vuser->user.unix_name, (const char **)list, vuser->groups, vuser->n_groups)) { 93 read_only_ret = False; 94 } 95 str_list_free(&list); 96 } 97 98 DEBUG(10,("is_share_read_only_for_user: share %s is %s for unix user %s\n", 99 service, read_only_ret ? "read-only" : "read-write", vuser->user.unix_name )); 100 101 return read_only_ret; 102} 103 104/******************************************************************* 105 Check if a username is OK. 106********************************************************************/ 107 108static BOOL check_user_ok(connection_struct *conn, user_struct *vuser,int snum) 109{ 110 unsigned int i; 111 struct vuid_cache_entry *ent = NULL; 112 BOOL readonly_share; 113 114 for (i=0;i<conn->vuid_cache.entries && i< VUID_CACHE_SIZE;i++) { 115 if (conn->vuid_cache.array[i].vuid == vuser->vuid) { 116 ent = &conn->vuid_cache.array[i]; 117 conn->read_only = ent->read_only; 118 conn->admin_user = ent->admin_user; 119 return(True); 120 } 121 } 122 123 if (!user_ok(vuser->user.unix_name,snum, vuser->groups, vuser->n_groups)) 124 return(False); 125 126 readonly_share = is_share_read_only_for_user(conn, vuser); 127 128 if (!readonly_share && 129 !share_access_check(conn, snum, vuser, FILE_WRITE_DATA)) { 130 /* smb.conf allows r/w, but the security descriptor denies 131 * write. Fall back to looking at readonly. */ 132 readonly_share = True; 133 DEBUG(5,("falling back to read-only access-evaluation due to security descriptor\n")); 134 } 135 136 if (!share_access_check(conn, snum, vuser, readonly_share ? FILE_READ_DATA : FILE_WRITE_DATA)) { 137 return False; 138 } 139 140 i = conn->vuid_cache.entries % VUID_CACHE_SIZE; 141 if (conn->vuid_cache.entries < VUID_CACHE_SIZE) 142 conn->vuid_cache.entries++; 143 144 ent = &conn->vuid_cache.array[i]; 145 ent->vuid = vuser->vuid; 146 ent->read_only = readonly_share; 147 148 if (user_in_list(vuser->user.unix_name ,lp_admin_users(conn->service), vuser->groups, vuser->n_groups)) { 149 ent->admin_user = True; 150 } else { 151 ent->admin_user = False; 152 } 153 154 conn->read_only = ent->read_only; 155 conn->admin_user = ent->admin_user; 156 157 return(True); 158} 159 160/**************************************************************************** 161 Become the user of a connection number without changing the security context 162 stack, but modify the currnet_user entries. 163****************************************************************************/ 164 165BOOL change_to_user(connection_struct *conn, uint16 vuid) 166{ 167 user_struct *vuser = get_valid_user_struct(vuid); 168 int snum; 169 gid_t gid; 170 uid_t uid; 171 char group_c; 172 BOOL must_free_token = False; 173 NT_USER_TOKEN *token = NULL; 174 175 if (!conn) { 176 DEBUG(2,("change_to_user: Connection not open\n")); 177 return(False); 178 } 179 180 /* 181 * We need a separate check in security=share mode due to vuid 182 * always being UID_FIELD_INVALID. If we don't do this then 183 * in share mode security we are *always* changing uid's between 184 * SMB's - this hurts performance - Badly. 185 */ 186 187 if((lp_security() == SEC_SHARE) && (current_user.conn == conn) && 188 (current_user.uid == conn->uid)) { 189 DEBUG(4,("change_to_user: Skipping user change - already user\n")); 190 return(True); 191 } else if ((current_user.conn == conn) && 192 (vuser != 0) && (current_user.vuid == vuid) && 193 (current_user.uid == vuser->uid)) { 194 DEBUG(4,("change_to_user: Skipping user change - already user\n")); 195 return(True); 196 } 197 198 snum = SNUM(conn); 199 200 if ((vuser) && !check_user_ok(conn, vuser, snum)) { 201 DEBUG(2,("change_to_user: SMB user %s (unix user %s, vuid %d) not permitted access to share %s.\n", 202 vuser->user.smb_name, vuser->user.unix_name, vuid, lp_servicename(snum))); 203 return False; 204 } 205 206 if (conn->force_user) /* security = share sets this too */ { 207 uid = conn->uid; 208 gid = conn->gid; 209 current_user.groups = conn->groups; 210 current_user.ngroups = conn->ngroups; 211 token = conn->nt_user_token; 212 } else if (vuser) { 213 uid = conn->admin_user ? 0 : vuser->uid; 214 gid = vuser->gid; 215 current_user.ngroups = vuser->n_groups; 216 current_user.groups = vuser->groups; 217 token = vuser->nt_user_token; 218 } else { 219 DEBUG(2,("change_to_user: Invalid vuid used %d in accessing share %s.\n",vuid, lp_servicename(snum) )); 220 return False; 221 } 222 223 /* 224 * See if we should force group for this service. 225 * If so this overrides any group set in the force 226 * user code. 227 */ 228 229 if((group_c = *lp_force_group(snum))) { 230 BOOL is_guest = False; 231 232 if(group_c == '+') { 233 234 /* 235 * Only force group if the user is a member of 236 * the service group. Check the group memberships for 237 * this user (we already have this) to 238 * see if we should force the group. 239 */ 240 241 int i; 242 for (i = 0; i < current_user.ngroups; i++) { 243 if (current_user.groups[i] == conn->gid) { 244 gid = conn->gid; 245 break; 246 } 247 } 248 } else { 249 gid = conn->gid; 250 } 251 252 /* 253 * We've changed the group list in the token - we must 254 * re-create it. 255 */ 256 257 if (vuser && vuser->guest) 258 is_guest = True; 259 260 token = create_nt_token(uid, gid, current_user.ngroups, current_user.groups, is_guest); 261 if (!token) { 262 DEBUG(1, ("change_to_user: create_nt_token failed!\n")); 263 return False; 264 } 265 must_free_token = True; 266 } 267 268 set_sec_ctx(uid, gid, current_user.ngroups, current_user.groups, token); 269 270 /* 271 * Free the new token (as set_sec_ctx copies it). 272 */ 273 274 if (must_free_token) 275 delete_nt_token(&token); 276 277 current_user.conn = conn; 278 current_user.vuid = vuid; 279 280 DEBUG(5,("change_to_user uid=(%d,%d) gid=(%d,%d)\n", 281 (int)getuid(),(int)geteuid(),(int)getgid(),(int)getegid())); 282 283 return(True); 284} 285 286/**************************************************************************** 287 Go back to being root without changing the security context stack, 288 but modify the current_user entries. 289****************************************************************************/ 290 291BOOL change_to_root_user(void) 292{ 293 set_root_sec_ctx(); 294 295 DEBUG(5,("change_to_root_user: now uid=(%d,%d) gid=(%d,%d)\n", 296 (int)getuid(),(int)geteuid(),(int)getgid(),(int)getegid())); 297 298 current_user.conn = NULL; 299 current_user.vuid = UID_FIELD_INVALID; 300 301 return(True); 302} 303 304/**************************************************************************** 305 Become the user of an authenticated connected named pipe. 306 When this is called we are currently running as the connection 307 user. Doesn't modify current_user. 308****************************************************************************/ 309 310BOOL become_authenticated_pipe_user(pipes_struct *p) 311{ 312 if (!push_sec_ctx()) 313 return False; 314 315 set_sec_ctx(p->pipe_user.uid, p->pipe_user.gid, 316 p->pipe_user.ngroups, p->pipe_user.groups, p->pipe_user.nt_user_token); 317 318 return True; 319} 320 321/**************************************************************************** 322 Unbecome the user of an authenticated connected named pipe. 323 When this is called we are running as the authenticated pipe 324 user and need to go back to being the connection user. Doesn't modify 325 current_user. 326****************************************************************************/ 327 328BOOL unbecome_authenticated_pipe_user(void) 329{ 330 return pop_sec_ctx(); 331} 332 333/**************************************************************************** 334 Utility functions used by become_xxx/unbecome_xxx. 335****************************************************************************/ 336 337struct conn_ctx { 338 connection_struct *conn; 339 uint16 vuid; 340}; 341 342/* A stack of current_user connection contexts. */ 343 344static struct conn_ctx conn_ctx_stack[MAX_SEC_CTX_DEPTH]; 345static int conn_ctx_stack_ndx; 346 347static void push_conn_ctx(void) 348{ 349 struct conn_ctx *ctx_p; 350 351 /* Check we don't overflow our stack */ 352 353 if (conn_ctx_stack_ndx == MAX_SEC_CTX_DEPTH) { 354 DEBUG(0, ("Connection context stack overflow!\n")); 355 smb_panic("Connection context stack overflow!\n"); 356 } 357 358 /* Store previous user context */ 359 ctx_p = &conn_ctx_stack[conn_ctx_stack_ndx]; 360 361 ctx_p->conn = current_user.conn; 362 ctx_p->vuid = current_user.vuid; 363 364 DEBUG(3, ("push_conn_ctx(%u) : conn_ctx_stack_ndx = %d\n", 365 (unsigned int)ctx_p->vuid, conn_ctx_stack_ndx )); 366 367 conn_ctx_stack_ndx++; 368} 369 370static void pop_conn_ctx(void) 371{ 372 struct conn_ctx *ctx_p; 373 374 /* Check for stack underflow. */ 375 376 if (conn_ctx_stack_ndx == 0) { 377 DEBUG(0, ("Connection context stack underflow!\n")); 378 smb_panic("Connection context stack underflow!\n"); 379 } 380 381 conn_ctx_stack_ndx--; 382 ctx_p = &conn_ctx_stack[conn_ctx_stack_ndx]; 383 384 current_user.conn = ctx_p->conn; 385 current_user.vuid = ctx_p->vuid; 386 387 ctx_p->conn = NULL; 388 ctx_p->vuid = UID_FIELD_INVALID; 389} 390 391/**************************************************************************** 392 Temporarily become a root user. Must match with unbecome_root(). Saves and 393 restores the connection context. 394****************************************************************************/ 395 396void become_root(void) 397{ 398 push_sec_ctx(); 399 push_conn_ctx(); 400 set_root_sec_ctx(); 401} 402 403/* Unbecome the root user */ 404 405void unbecome_root(void) 406{ 407 pop_sec_ctx(); 408 pop_conn_ctx(); 409} 410 411/**************************************************************************** 412 Push the current security context then force a change via change_to_user(). 413 Saves and restores the connection context. 414****************************************************************************/ 415 416BOOL become_user(connection_struct *conn, uint16 vuid) 417{ 418 if (!push_sec_ctx()) 419 return False; 420 421 push_conn_ctx(); 422 423 if (!change_to_user(conn, vuid)) { 424 pop_sec_ctx(); 425 pop_conn_ctx(); 426 return False; 427 } 428 429 return True; 430} 431 432BOOL unbecome_user(void) 433{ 434 pop_sec_ctx(); 435 pop_conn_ctx(); 436 return True; 437} 438 439