From: Gerald Carter Date: Fri, 12 May 2006 21:00:52 +0000 (+0000) Subject: r15549: removing rhosts and 'hosts equiv' authentication features X-Git-Tag: samba-misc-tags/initial-v3-0-unstable~3032 X-Git-Url: http://git.samba.org/?a=commitdiff_plain;h=d19dad88155f985f113c667b6bdad5a1b25eca18;p=samba.git r15549: removing rhosts and 'hosts equiv' authentication features --- diff --git a/source/Makefile.in b/source/Makefile.in index 2d0ac9ab7a9..32243b47597 100644 --- a/source/Makefile.in +++ b/source/Makefile.in @@ -383,7 +383,6 @@ DCUTIL_OBJ = libsmb/namequery_dc.o libsmb/trustdom_cache.o libsmb/trusts_util.o AUTH_BUILTIN_OBJ = auth/auth_builtin.o AUTH_DOMAIN_OBJ = auth/auth_domain.o AUTH_SAM_OBJ = auth/auth_sam.o -AUTH_RHOSTS_OBJ = auth/auth_rhosts.o AUTH_SERVER_OBJ = auth/auth_server.o AUTH_UNIX_OBJ = auth/auth_unix.o AUTH_WINBIND_OBJ = auth/auth_winbind.o @@ -1216,10 +1215,6 @@ bin/pam_winbind.@SHLIBEXT@: $(PAM_WINBIND_PICOBJ) bin/.dummy @$(SHLD) $(LDSHFLAGS) -o $@ $(PAM_WINBIND_PICOBJ) \ @SONAMEFLAG@`basename $@` -lpam @INIPARSERLIBS@ -bin/rhosts.@SHLIBEXT@: $(AUTH_RHOSTS_OBJ:.o=.@PICSUFFIX@) - @echo "Building plugin $@" - @$(SHLD) $(LDSHFLAGS) -o $@ $(AUTH_RHOSTS_OBJ:.o=.@PICSUFFIX@) @SONAMEFLAG@`basename $@` - bin/builtin.@SHLIBEXT@: $(AUTH_BUILTIN_OBJ:.o=.@PICSUFFIX@) @echo "Building plugin $@" @$(SHLD) $(LDSHFLAGS) -o $@ $(AUTH_BUILTIN_OBJ:.o=.@PICSUFFIX@) @SONAMEFLAG@`basename $@` diff --git a/source/auth/auth_rhosts.c b/source/auth/auth_rhosts.c deleted file mode 100644 index 23e276bc84e..00000000000 --- a/source/auth/auth_rhosts.c +++ /dev/null @@ -1,293 +0,0 @@ -/* - Unix SMB/CIFS implementation. - Main SMB reply routines - Copyright (C) Andrew Tridgell 1992-1998 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -*/ - -#include "includes.h" - -#undef DBGC_CLASS -#define DBGC_CLASS DBGC_AUTH - -/**************************************************************************** - Create a struct samu - either by looking in the pdb, or by faking it up from - unix info. -****************************************************************************/ - -static NTSTATUS auth_get_sam_account(const char *user, struct samu **account) -{ - BOOL pdb_ret; - NTSTATUS nt_status = NT_STATUS_NO_SUCH_USER; - - if ( !(*account = samu_new( NULL )) ) { - return NT_STATUS_NO_MEMORY; - } - - become_root(); - pdb_ret = pdb_getsampwnam(*account, user); - unbecome_root(); - - if (!pdb_ret) - { - struct passwd *pass; - - if ( !(pass = Get_Pwnam( user )) ) { - return NT_STATUS_NO_SUCH_USER; - } - - nt_status = samu_set_unix( *account, pass ); - } - - return nt_status; -} - -/**************************************************************************** - Read the a hosts.equiv or .rhosts file and check if it - allows this user from this machine. -****************************************************************************/ - -static BOOL check_user_equiv(const char *user, const char *remote, const char *equiv_file) -{ - int plus_allowed = 1; - char *file_host; - char *file_user; - char **lines = file_lines_load(equiv_file, NULL,0); - int i; - - DEBUG(5, ("check_user_equiv %s %s %s\n", user, remote, equiv_file)); - if (! lines) { - return False; - } - for (i=0; lines[i]; i++) { - char *buf = lines[i]; - trim_char(buf,' ',' '); - - if (buf[0] != '#' && buf[0] != '\n') { - BOOL is_group = False; - int plus = 1; - char *bp = buf; - - if (strcmp(buf, "NO_PLUS\n") == 0) { - DEBUG(6, ("check_user_equiv NO_PLUS\n")); - plus_allowed = 0; - } else { - if (buf[0] == '+') { - bp++; - if (*bp == '\n' && plus_allowed) { - /* a bare plus means everbody allowed */ - DEBUG(6, ("check_user_equiv everybody allowed\n")); - file_lines_free(lines); - return True; - } - } else if (buf[0] == '-') { - bp++; - plus = 0; - } - if (*bp == '@') { - is_group = True; - bp++; - } - file_host = strtok(bp, " \t\n"); - file_user = strtok(NULL, " \t\n"); - DEBUG(7, ("check_user_equiv %s %s\n", file_host ? file_host : "(null)", - file_user ? file_user : "(null)" )); - - if (file_host && *file_host) { - BOOL host_ok = False; - -#if defined(HAVE_NETGROUP) && defined(HAVE_YP_GET_DEFAULT_DOMAIN) - if (is_group) { - static char *mydomain = NULL; - if (!mydomain) { - yp_get_default_domain(&mydomain); - } - if (mydomain && innetgr(file_host,remote,user,mydomain)) { - host_ok = True; - } - } -#else - if (is_group) { - DEBUG(1,("Netgroups not configured\n")); - continue; - } -#endif - - /* is it this host */ - /* the fact that remote has come from a call of gethostbyaddr - * means that it may have the fully qualified domain name - * so we could look up the file version to get it into - * a canonical form, but I would rather just type it - * in full in the equiv file - */ - - if (!host_ok && !is_group && strequal(remote, file_host)) { - host_ok = True; - } - - if (!host_ok) { - continue; - } - - /* is it this user */ - if (file_user == 0 || strequal(user, file_user)) { - DEBUG(5, ("check_user_equiv matched %s%s %s\n", - (plus ? "+" : "-"), file_host, - (file_user ? file_user : ""))); - file_lines_free(lines); - return (plus ? True : False); - } - } - } - } - } - - file_lines_free(lines); - return False; -} - -/**************************************************************************** -check for a possible hosts equiv or rhosts entry for the user -****************************************************************************/ - -static BOOL check_hosts_equiv(struct samu *account) -{ - uid_t uid; - char *fname = NULL; - - fname = lp_hosts_equiv(); - if (!sid_to_uid(pdb_get_user_sid(account), &uid)) - return False; - - /* note: don't allow hosts.equiv on root */ - if (fname && *fname && uid != 0) { - if (check_user_equiv(pdb_get_username(account),client_name(),fname)) - return True; - } - - return False; -} - - -/**************************************************************************** - Check for a valid .rhosts/hosts.equiv entry for this user -****************************************************************************/ - -static NTSTATUS check_hostsequiv_security(const struct auth_context *auth_context, - void *my_private_data, - TALLOC_CTX *mem_ctx, - const auth_usersupplied_info *user_info, - auth_serversupplied_info **server_info) -{ - NTSTATUS nt_status; - struct samu *account = NULL; - if (!NT_STATUS_IS_OK(nt_status = - auth_get_sam_account(user_info->internal_username, - &account))) { - if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) - nt_status = NT_STATUS_NOT_IMPLEMENTED; - return nt_status; - } - - if (check_hosts_equiv(account)) { - nt_status = make_server_info_sam(server_info, account); - if (!NT_STATUS_IS_OK(nt_status)) { - TALLOC_FREE(account); - } - } else { - TALLOC_FREE(account); - nt_status = NT_STATUS_NOT_IMPLEMENTED; - } - - return nt_status; -} - -/* module initialisation */ -static NTSTATUS auth_init_hostsequiv(struct auth_context *auth_context, const char* param, auth_methods **auth_method) -{ - if (!make_auth_methods(auth_context, auth_method)) { - return NT_STATUS_NO_MEMORY; - } - - (*auth_method)->auth = check_hostsequiv_security; - (*auth_method)->name = "hostsequiv"; - return NT_STATUS_OK; -} - - -/**************************************************************************** - Check for a valid .rhosts/hosts.equiv entry for this user -****************************************************************************/ - -static NTSTATUS check_rhosts_security(const struct auth_context *auth_context, - void *my_private_data, - TALLOC_CTX *mem_ctx, - const auth_usersupplied_info *user_info, - auth_serversupplied_info **server_info) -{ - NTSTATUS nt_status; - struct samu *account = NULL; - pstring rhostsfile; - const char *home; - - if (!NT_STATUS_IS_OK(nt_status = - auth_get_sam_account(user_info->internal_username, - &account))) { - if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) - nt_status = NT_STATUS_NOT_IMPLEMENTED; - return nt_status; - } - - home = pdb_get_unix_homedir(account); - - if (home) { - slprintf(rhostsfile, sizeof(rhostsfile)-1, "%s/.rhosts", home); - become_root(); - if (check_user_equiv(pdb_get_username(account),client_name(),rhostsfile)) { - nt_status = make_server_info_sam(server_info, account); - if (!NT_STATUS_IS_OK(nt_status)) { - TALLOC_FREE(account); - } - } else { - TALLOC_FREE(account); - } - unbecome_root(); - } else { - TALLOC_FREE(account); - nt_status = NT_STATUS_NOT_IMPLEMENTED; - } - - return nt_status; -} - -/* module initialisation */ -static NTSTATUS auth_init_rhosts(struct auth_context *auth_context, const char *param, auth_methods **auth_method) -{ - if (!make_auth_methods(auth_context, auth_method)) { - return NT_STATUS_NO_MEMORY; - } - - (*auth_method)->auth = check_rhosts_security; - (*auth_method)->name = "rhosts"; - return NT_STATUS_OK; -} - -NTSTATUS auth_rhosts_init(void) -{ - smb_register_auth(AUTH_INTERFACE_VERSION, "rhosts", auth_init_rhosts); - smb_register_auth(AUTH_INTERFACE_VERSION, "hostsequiv", auth_init_hostsequiv); - return NT_STATUS_OK; -} diff --git a/source/configure.in b/source/configure.in index 21545a34af9..079202ac3b0 100644 --- a/source/configure.in +++ b/source/configure.in @@ -545,7 +545,7 @@ DYNEXP= dnl Add modules that have to be built by default here dnl These have to be built static: -default_static_modules="pdb_smbpasswd pdb_tdbsam rpc_lsa rpc_samr rpc_reg rpc_lsa_ds rpc_wks rpc_svcctl rpc_ntsvcs rpc_net rpc_netdfs rpc_srv rpc_spoolss rpc_eventlog auth_rhosts auth_sam auth_unix auth_winbind auth_server auth_domain auth_builtin" +default_static_modules="pdb_smbpasswd pdb_tdbsam rpc_lsa rpc_samr rpc_reg rpc_lsa_ds rpc_wks rpc_svcctl rpc_ntsvcs rpc_net rpc_netdfs rpc_srv rpc_spoolss rpc_eventlog auth_sam auth_unix auth_winbind auth_server auth_domain auth_builtin" dnl These are preferably build shared, and static if dlopen() is not available default_shared_modules="vfs_recycle vfs_audit vfs_extd_audit vfs_full_audit vfs_netatalk vfs_fake_perms vfs_default_quota vfs_readonly vfs_cap vfs_expand_msdfs vfs_shadow_copy charset_CP850 charset_CP437 auth_script" @@ -5522,7 +5522,6 @@ SMB_MODULE(charset_CP437, modules/CP437.o, "bin/CP437.$SHLIBEXT", CHARSET) SMB_MODULE(charset_macosxfs, modules/charset_macosxfs.o,"bin/macosxfs.$SHLIBEXT", CHARSET) SMB_SUBSYSTEM(CHARSET,lib/iconv.o) -SMB_MODULE(auth_rhosts, \$(AUTH_RHOSTS_OBJ), "bin/rhosts.$SHLIBEXT", AUTH) SMB_MODULE(auth_sam, \$(AUTH_SAM_OBJ), "bin/sam.$SHLIBEXT", AUTH) SMB_MODULE(auth_unix, \$(AUTH_UNIX_OBJ), "bin/unix.$SHLIBEXT", AUTH) SMB_MODULE(auth_winbind, \$(AUTH_WINBIND_OBJ), "bin/winbind.$SHLIBEXT", AUTH) diff --git a/source/param/loadparm.c b/source/param/loadparm.c index 38e1bd6dd0a..c4ef9ef3ea5 100644 --- a/source/param/loadparm.c +++ b/source/param/loadparm.c @@ -114,7 +114,6 @@ typedef struct { char *szGetQuota; char *szSetQuota; char *szMsgCommand; - char *szHostsEquiv; char *szServerString; char *szAutoServices; char *szPasswdProgram; @@ -852,7 +851,6 @@ static struct parm_struct parm_table[] = { {"client schannel", P_ENUM, P_GLOBAL, &Globals.clientSchannel, NULL, enum_bool_auto, FLAG_BASIC | FLAG_ADVANCED}, {"server schannel", P_ENUM, P_GLOBAL, &Globals.serverSchannel, NULL, enum_bool_auto, FLAG_BASIC | FLAG_ADVANCED}, {"allow trusted domains", P_BOOL, P_GLOBAL, &Globals.bAllowTrustedDomains, NULL, NULL, FLAG_ADVANCED}, - {"hosts equiv", P_STRING, P_GLOBAL, &Globals.szHostsEquiv, NULL, NULL, FLAG_ADVANCED}, {"map to guest", P_ENUM, P_GLOBAL, &Globals.map_to_guest, NULL, enum_map_to_guest, FLAG_ADVANCED}, {"null passwords", P_BOOL, P_GLOBAL, &Globals.bNullPasswords, NULL, NULL, FLAG_ADVANCED}, {"obey pam restrictions", P_BOOL, P_GLOBAL, &Globals.bObeyPamRestrictions, NULL, NULL, FLAG_ADVANCED}, @@ -1773,7 +1771,6 @@ FN_GLOBAL_STRING(lp_defaultservice, &Globals.szDefaultService) FN_GLOBAL_STRING(lp_msg_command, &Globals.szMsgCommand) FN_GLOBAL_STRING(lp_get_quota_command, &Globals.szGetQuota) FN_GLOBAL_STRING(lp_set_quota_command, &Globals.szSetQuota) -FN_GLOBAL_STRING(lp_hosts_equiv, &Globals.szHostsEquiv) FN_GLOBAL_STRING(lp_auto_services, &Globals.szAutoServices) FN_GLOBAL_STRING(lp_passwd_program, &Globals.szPasswdProgram) FN_GLOBAL_STRING(lp_passwd_chat, &Globals.szPasswdChat) diff --git a/source/utils/testparm.c b/source/utils/testparm.c index 8b9ff4710e0..fe2d26afca7 100644 --- a/source/utils/testparm.c +++ b/source/utils/testparm.c @@ -95,15 +95,6 @@ to a valid password server.\n", sec_setting ); } - /* - * Check 'hosts equiv' and 'use rhosts' compatibility with 'hostname lookup' value. - */ - - if(*lp_hosts_equiv() && !lp_hostname_lookups()) { - fprintf(stderr, "ERROR: The setting 'hosts equiv = %s' requires that 'hostname lookups = yes'.\n", lp_hosts_equiv()); - ret = 1; - } - /* * Password chat sanity checks. */