source3/smbd/uid.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3    uid/user handling
   4    Copyright (C) Andrew Tridgell 1992-1998
   5
   6    This program is free software; you can redistribute it and/or modify
   7    it under the terms of the GNU General Public License as published by
   8    the Free Software Foundation; either version 3 of the License, or
   9    (at your option) any later version.
  10
  11    This program is distributed in the hope that it will be useful,
  12    but WITHOUT ANY WARRANTY; without even the implied warranty of
  13    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14    GNU General Public License for more details.
  15
  16    You should have received a copy of the GNU General Public License
  17    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  18 */
  19
  20 #include "includes.h"
  21 #include "smbd/globals.h"
  22
  23 /* what user is current? */
  24 extern struct current_user current_user;
  25
  26 /****************************************************************************
  27  Become the guest user without changing the security context stack.
  28 ****************************************************************************/
  29
  30 bool change_to_guest(void)
  31 {
  32         struct passwd *pass;
  33
  34         pass = getpwnam_alloc(talloc_autofree_context(), lp_guestaccount());
  35         if (!pass) {
  36                 return false;
  37         }
  38
  39 #ifdef AIX
  40         /* MWW: From AIX FAQ patch to WU-ftpd: call initgroups before
  41            setting IDs */
  42         initgroups(pass->pw_name, pass->pw_gid);
  43 #endif
  44
  45         set_sec_ctx(pass->pw_uid, pass->pw_gid, 0, NULL, NULL);
  46
  47         current_user.conn = NULL;
  48         current_user.vuid = UID_FIELD_INVALID;
  49
  50         TALLOC_FREE(pass);
  51
  52         return true;
  53 }
  54
  55 /*******************************************************************
  56  Check if a username is OK.
  57
  58  This sets up conn->server_info with a copy related to this vuser that
  59  later code can then mess with.
  60 ********************************************************************/
  61
  62 static bool check_user_ok(connection_struct *conn,
  63                         uint16_t vuid,
  64                         const struct auth_serversupplied_info *server_info,
  65                         int snum)
  66 {
  67         bool valid_vuid = (vuid != UID_FIELD_INVALID);
  68         unsigned int i;
  69         bool readonly_share;
  70         bool admin_user;
  71
  72         if (valid_vuid) {
  73                 struct vuid_cache_entry *ent;
  74
  75                 for (i=0; i<VUID_CACHE_SIZE; i++) {
  76                         ent = &conn->vuid_cache.array[i];
  77                         if (ent->vuid == vuid) {
  78                                 conn->server_info = ent->server_info;
  79                                 conn->read_only = ent->read_only;
  80                                 conn->admin_user = ent->admin_user;
  81                                 return(True);
  82                         }
  83                 }
  84         }
  85
  86         if (!user_ok_token(server_info->unix_name,
  87                            pdb_get_domain(server_info->sam_account),
  88                            server_info->ptok, snum))
  89                 return(False);
  90
  91         readonly_share = is_share_read_only_for_token(
  92                 server_info->unix_name,
  93                 pdb_get_domain(server_info->sam_account),
  94                 server_info->ptok,
  95                 conn);
  96
  97         if (!readonly_share &&
  98             !share_access_check(server_info->ptok, lp_servicename(snum),
  99                                 FILE_WRITE_DATA)) {
 100                 /* smb.conf allows r/w, but the security descriptor denies
 101                  * write. Fall back to looking at readonly. */
 102                 readonly_share = True;
 103                 DEBUG(5,("falling back to read-only access-evaluation due to "
 104                          "security descriptor\n"));
 105         }
 106
 107         if (!share_access_check(server_info->ptok, lp_servicename(snum),
 108                                 readonly_share ?
 109                                 FILE_READ_DATA : FILE_WRITE_DATA)) {
 110                 return False;
 111         }
 112
 113         admin_user = token_contains_name_in_list(
 114                 server_info->unix_name,
 115                 pdb_get_domain(server_info->sam_account),
 116                 NULL, server_info->ptok, lp_admin_users(snum));
 117
 118         if (valid_vuid) {
 119                 struct vuid_cache_entry *ent =
 120                         &conn->vuid_cache.array[conn->vuid_cache.next_entry];
 121
 122                 conn->vuid_cache.next_entry =
 123                         (conn->vuid_cache.next_entry + 1) % VUID_CACHE_SIZE;
 124
 125                 TALLOC_FREE(ent->server_info);
 126
 127                 /*
 128                  * If force_user was set, all server_info's are based on the same
 129                  * username-based faked one.
 130                  */
 131
 132                 ent->server_info = copy_serverinfo(
 133                         conn, conn->force_user ? conn->server_info : server_info);
 134
 135                 if (ent->server_info == NULL) {
 136                         ent->vuid = UID_FIELD_INVALID;
 137                         return false;
 138                 }
 139
 140                 ent->vuid = vuid;
 141                 ent->read_only = readonly_share;
 142                 ent->admin_user = admin_user;
 143                 conn->server_info = ent->server_info;
 144         }
 145
 146         conn->read_only = readonly_share;
 147         conn->admin_user = admin_user;
 148
 149         return(True);
 150 }
 151
 152 /****************************************************************************
 153  Clear a vuid out of the connection's vuid cache
 154 ****************************************************************************/
 155
 156 void conn_clear_vuid_cache(connection_struct *conn, uint16_t vuid)
 157 {
 158         int i;
 159
 160         for (i=0; i<VUID_CACHE_SIZE; i++) {
 161                 struct vuid_cache_entry *ent;
 162
 163                 ent = &conn->vuid_cache.array[i];
 164
 165                 if (ent->vuid == vuid) {
 166                         ent->vuid = UID_FIELD_INVALID;
 167                         TALLOC_FREE(ent->server_info);
 168                         ent->read_only = False;
 169                         ent->admin_user = False;
 170                 }
 171         }
 172 }
 173
 174 /****************************************************************************
 175  Become the user of a connection number without changing the security context
 176  stack, but modify the current_user entries.
 177 ****************************************************************************/
 178
 179 bool change_to_user(connection_struct *conn, uint16 vuid)
 180 {
 181         const struct auth_serversupplied_info *server_info = NULL;
 182         user_struct *vuser = get_valid_user_struct(vuid);
 183         int snum;
 184         gid_t gid;
 185         uid_t uid;
 186         char group_c;
 187         int num_groups = 0;
 188         gid_t *group_list = NULL;
 189
 190         if (!conn) {
 191                 DEBUG(2,("change_to_user: Connection not open\n"));
 192                 return(False);
 193         }
 194
 195         /*
 196          * We need a separate check in security=share mode due to vuid
 197          * always being UID_FIELD_INVALID. If we don't do this then
 198          * in share mode security we are *always* changing uid's between
 199          * SMB's - this hurts performance - Badly.
 200          */
 201
 202         if((lp_security() == SEC_SHARE) && (current_user.conn == conn) &&
 203            (current_user.ut.uid == conn->server_info->utok.uid)) {
 204                 DEBUG(4,("change_to_user: Skipping user change - already "
 205                          "user\n"));
 206                 return(True);
 207         } else if ((current_user.conn == conn) &&
 208                    (vuser != NULL) && (current_user.vuid == vuid) &&
 209                    (current_user.ut.uid == vuser->server_info->utok.uid)) {
 210                 DEBUG(4,("change_to_user: Skipping user change - already "
 211                          "user\n"));
 212                 return(True);
 213         }
 214
 215         snum = SNUM(conn);
 216
 217         server_info = vuser ? vuser->server_info : conn->server_info;
 218
 219         if (!check_user_ok(conn, vuid, server_info, snum)) {
 220                 DEBUG(2,("change_to_user: SMB user %s (unix user %s, vuid %d) "
 221                          "not permitted access to share %s.\n",
 222                          server_info->sanitized_username,
 223                          server_info->unix_name, vuid,
 224                          lp_servicename(snum)));
 225                 return false;
 226         }
 227
 228         /*
 229          * conn->server_info is now correctly set up with a copy we can mess
 230          * with for force_group etc.
 231          */
 232
 233         if (conn->force_user) /* security = share sets this too */ {
 234                 uid = conn->server_info->utok.uid;
 235                 gid = conn->server_info->utok.gid;
 236                 group_list = conn->server_info->utok.groups;
 237                 num_groups = conn->server_info->utok.ngroups;
 238         } else if (vuser) {
 239                 uid = conn->admin_user ? 0 : vuser->server_info->utok.uid;
 240                 gid = conn->server_info->utok.gid;
 241                 num_groups = conn->server_info->utok.ngroups;
 242                 group_list  = conn->server_info->utok.groups;
 243         } else {
 244                 DEBUG(2,("change_to_user: Invalid vuid used %d in accessing "
 245                          "share %s.\n",vuid, lp_servicename(snum) ));
 246                 return False;
 247         }
 248
 249         /*
 250          * See if we should force group for this service.
 251          * If so this overrides any group set in the force
 252          * user code.
 253          */
 254
 255         if((group_c = *lp_force_group(snum))) {
 256
 257                 SMB_ASSERT(conn->force_group_gid != (gid_t)-1);
 258
 259                 if(group_c == '+') {
 260
 261                         /*
 262                          * Only force group if the user is a member of
 263                          * the service group. Check the group memberships for
 264                          * this user (we already have this) to
 265                          * see if we should force the group.
 266                          */
 267
 268                         int i;
 269                         for (i = 0; i < num_groups; i++) {
 270                                 if (group_list[i]
 271                                     == conn->force_group_gid) {
 272                                         conn->server_info->utok.gid =
 273                                                 conn->force_group_gid;
 274                                         gid = conn->force_group_gid;
 275                                         gid_to_sid(&conn->server_info->ptok
 276                                                    ->user_sids[1], gid);
 277                                         break;
 278                                 }
 279                         }
 280                 } else {
 281                         conn->server_info->utok.gid = conn->force_group_gid;
 282                         gid = conn->force_group_gid;
 283                         gid_to_sid(&conn->server_info->ptok->user_sids[1],
 284                                    gid);
 285                 }
 286         }
 287
 288         /* Now set current_user since we will immediately also call
 289            set_sec_ctx() */
 290
 291         current_user.ut.ngroups = num_groups;
 292         current_user.ut.groups  = group_list;
 293
 294         set_sec_ctx(uid, gid, current_user.ut.ngroups, current_user.ut.groups,
 295                     conn->server_info->ptok);
 296
 297         current_user.conn = conn;
 298         current_user.vuid = vuid;
 299
 300         DEBUG(5,("change_to_user uid=(%d,%d) gid=(%d,%d)\n",
 301                  (int)getuid(),(int)geteuid(),(int)getgid(),(int)getegid()));
 302
 303         return(True);
 304 }
 305
 306 /****************************************************************************
 307  Go back to being root without changing the security context stack,
 308  but modify the current_user entries.
 309 ****************************************************************************/
 310
 311 bool change_to_root_user(void)
 312 {
 313         set_root_sec_ctx();
 314
 315         DEBUG(5,("change_to_root_user: now uid=(%d,%d) gid=(%d,%d)\n",
 316                 (int)getuid(),(int)geteuid(),(int)getgid(),(int)getegid()));
 317
 318         current_user.conn = NULL;
 319         current_user.vuid = UID_FIELD_INVALID;
 320
 321         return(True);
 322 }
 323
 324 /****************************************************************************
 325  Become the user of an authenticated connected named pipe.
 326  When this is called we are currently running as the connection
 327  user. Doesn't modify current_user.
 328 ****************************************************************************/
 329
 330 bool become_authenticated_pipe_user(pipes_struct *p)
 331 {
 332         if (!push_sec_ctx())
 333                 return False;
 334
 335         set_sec_ctx(p->server_info->utok.uid, p->server_info->utok.gid,
 336                     p->server_info->utok.ngroups, p->server_info->utok.groups,
 337                     p->server_info->ptok);
 338
 339         return True;
 340 }
 341
 342 /****************************************************************************
 343  Unbecome the user of an authenticated connected named pipe.
 344  When this is called we are running as the authenticated pipe
 345  user and need to go back to being the connection user. Doesn't modify
 346  current_user.
 347 ****************************************************************************/
 348
 349 bool unbecome_authenticated_pipe_user(void)
 350 {
 351         return pop_sec_ctx();
 352 }
 353
 354 /****************************************************************************
 355  Utility functions used by become_xxx/unbecome_xxx.
 356 ****************************************************************************/
 357
 358 static void push_conn_ctx(void)
 359 {
 360         struct conn_ctx *ctx_p;
 361
 362         /* Check we don't overflow our stack */
 363
 364         if (conn_ctx_stack_ndx == MAX_SEC_CTX_DEPTH) {
 365                 DEBUG(0, ("Connection context stack overflow!\n"));
 366                 smb_panic("Connection context stack overflow!\n");
 367         }
 368
 369         /* Store previous user context */
 370         ctx_p = &conn_ctx_stack[conn_ctx_stack_ndx];
 371
 372         ctx_p->conn = current_user.conn;
 373         ctx_p->vuid = current_user.vuid;
 374
 375         DEBUG(3, ("push_conn_ctx(%u) : conn_ctx_stack_ndx = %d\n",
 376                 (unsigned int)ctx_p->vuid, conn_ctx_stack_ndx ));
 377
 378         conn_ctx_stack_ndx++;
 379 }
 380
 381 static void pop_conn_ctx(void)
 382 {
 383         struct conn_ctx *ctx_p;
 384
 385         /* Check for stack underflow. */
 386
 387         if (conn_ctx_stack_ndx == 0) {
 388                 DEBUG(0, ("Connection context stack underflow!\n"));
 389                 smb_panic("Connection context stack underflow!\n");
 390         }
 391
 392         conn_ctx_stack_ndx--;
 393         ctx_p = &conn_ctx_stack[conn_ctx_stack_ndx];
 394
 395         current_user.conn = ctx_p->conn;
 396         current_user.vuid = ctx_p->vuid;
 397
 398         ctx_p->conn = NULL;
 399         ctx_p->vuid = UID_FIELD_INVALID;
 400 }
 401
 402 /****************************************************************************
 403  Temporarily become a root user.  Must match with unbecome_root(). Saves and
 404  restores the connection context.
 405 ****************************************************************************/
 406
 407 void become_root(void)
 408 {
 409          /*
 410           * no good way to handle push_sec_ctx() failing without changing
 411           * the prototype of become_root()
 412           */
 413         if (!push_sec_ctx()) {
 414                 smb_panic("become_root: push_sec_ctx failed");
 415         }
 416         push_conn_ctx();
 417         set_root_sec_ctx();
 418 }
 419
 420 /* Unbecome the root user */
 421
 422 void unbecome_root(void)
 423 {
 424         pop_sec_ctx();
 425         pop_conn_ctx();
 426 }
 427
 428 /****************************************************************************
 429  Push the current security context then force a change via change_to_user().
 430  Saves and restores the connection context.
 431 ****************************************************************************/
 432
 433 bool become_user(connection_struct *conn, uint16 vuid)
 434 {
 435         if (!push_sec_ctx())
 436                 return False;
 437
 438         push_conn_ctx();
 439
 440         if (!change_to_user(conn, vuid)) {
 441                 pop_sec_ctx();
 442                 pop_conn_ctx();
 443                 return False;
 444         }
 445
 446         return True;
 447 }
 448
 449 bool unbecome_user(void)
 450 {
 451         pop_sec_ctx();
 452         pop_conn_ctx();
 453         return True;
 454 }