2
Unix SMB/CIFS implementation.
3
Check access based on valid users, read list and friends
4
Copyright (C) Volker Lendecke 2005
6
This program is free software; you can redistribute it and/or modify
7
it under the terms of the GNU General Public License as published by
8
the Free Software Foundation; either version 3 of the License, or
9
(at your option) any later version.
11
This program is distributed in the hope that it will be useful,
12
but WITHOUT ANY WARRANTY; without even the implied warranty of
13
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14
GNU General Public License for more details.
16
You should have received a copy of the GNU General Public License
17
along with this program. If not, see <http://www.gnu.org/licenses/>.
23
* No prefix means direct username
24
* @name means netgroup first, then unix group
25
* &name means netgroup
26
* +name means unix group
27
* + and & may be combined
30
static bool do_group_checks(const char **name, const char **pattern)
32
if ((*name)[0] == '@') {
38
if (((*name)[0] == '+') && ((*name)[1] == '&')) {
44
if ((*name)[0] == '+') {
50
if (((*name)[0] == '&') && ((*name)[1] == '+')) {
56
if ((*name)[0] == '&') {
65
static bool token_contains_name(TALLOC_CTX *mem_ctx,
68
const char *sharename,
69
const struct nt_user_token *token,
74
enum lsa_SidType type;
76
if (username != NULL) {
77
name = talloc_sub_basic(mem_ctx, username, domain, name);
79
if (sharename != NULL) {
80
name = talloc_string_sub(mem_ctx, name, "%S", sharename);
84
/* This is too security sensitive, better panic than return a
85
* result that might be interpreted in a wrong way. */
86
smb_panic("substitutions failed");
89
/* check to see is we already have a SID */
91
if ( string_to_sid( &sid, name ) ) {
92
DEBUG(5,("token_contains_name: Checking for SID [%s] in token\n", name));
93
return nt_token_check_sid( &sid, token );
96
if (!do_group_checks(&name, &prefix)) {
97
if (!lookup_name_smbconf(mem_ctx, name, LOOKUP_NAME_ALL,
98
NULL, NULL, &sid, &type)) {
99
DEBUG(5, ("lookup_name %s failed\n", name));
102
if (type != SID_NAME_USER) {
103
DEBUG(5, ("%s is a %s, expected a user\n",
104
name, sid_type_lookup(type)));
107
return nt_token_check_sid(&sid, token);
110
for (/* initialized above */ ; *prefix != '\0'; prefix++) {
111
if (*prefix == '+') {
112
if (!lookup_name_smbconf(mem_ctx, name,
113
LOOKUP_NAME_ALL|LOOKUP_NAME_GROUP,
114
NULL, NULL, &sid, &type)) {
115
DEBUG(5, ("lookup_name %s failed\n", name));
118
if ((type != SID_NAME_DOM_GRP) &&
119
(type != SID_NAME_ALIAS) &&
120
(type != SID_NAME_WKN_GRP)) {
121
DEBUG(5, ("%s is a %s, expected a group\n",
122
name, sid_type_lookup(type)));
125
if (nt_token_check_sid(&sid, token)) {
130
if (*prefix == '&') {
131
if (user_in_netgroup(username, name)) {
136
smb_panic("got invalid prefix from do_groups_check");
142
* Check whether a user is contained in the list provided.
144
* Please note that the user name and share names passed in here mainly for
145
* the substitution routines that expand the parameter values, the decision
146
* whether a user is in the list is done after a lookup_name on the expanded
147
* parameter value, solely based on comparing the SIDs in token.
149
* The other use is the netgroup check when using @group or &group.
152
bool token_contains_name_in_list(const char *username,
154
const char *sharename,
155
const struct nt_user_token *token,
164
if ( (mem_ctx = talloc_new(NULL)) == NULL ) {
165
smb_panic("talloc_new failed");
168
while (*list != NULL) {
169
if (token_contains_name(mem_ctx, username, domain, sharename,
171
TALLOC_FREE(mem_ctx);
177
TALLOC_FREE(mem_ctx);
182
* Check whether the user described by "token" has access to share snum.
184
* This looks at "invalid users", "valid users" and "only user/username"
186
* Please note that the user name and share names passed in here mainly for
187
* the substitution routines that expand the parameter values, the decision
188
* whether a user is in the list is done after a lookup_name on the expanded
189
* parameter value, solely based on comparing the SIDs in token.
191
* The other use is the netgroup check when using @group or &group.
194
bool user_ok_token(const char *username, const char *domain,
195
const struct nt_user_token *token, int snum)
197
if (lp_invalid_users(snum) != NULL) {
198
if (token_contains_name_in_list(username, domain,
199
lp_servicename(snum),
201
lp_invalid_users(snum))) {
202
DEBUG(10, ("User %s in 'invalid users'\n", username));
207
if (lp_valid_users(snum) != NULL) {
208
if (!token_contains_name_in_list(username, domain,
209
lp_servicename(snum), token,
210
lp_valid_users(snum))) {
211
DEBUG(10, ("User %s not in 'valid users'\n",
217
if (lp_onlyuser(snum)) {
219
list[0] = lp_username(snum);
221
if ((list[0] == NULL) || (*list[0] == '\0')) {
222
DEBUG(0, ("'only user = yes' and no 'username ='\n"));
225
if (!token_contains_name_in_list(NULL, domain,
226
lp_servicename(snum),
228
DEBUG(10, ("%s != 'username'\n", username));
233
DEBUG(10, ("user_ok_token: share %s is ok for unix user %s\n",
234
lp_servicename(snum), username));
240
* Check whether the user described by "token" is restricted to read-only
241
* access on share snum.
243
* This looks at "invalid users", "valid users" and "only user/username"
245
* Please note that the user name and share names passed in here mainly for
246
* the substitution routines that expand the parameter values, the decision
247
* whether a user is in the list is done after a lookup_name on the expanded
248
* parameter value, solely based on comparing the SIDs in token.
250
* The other use is the netgroup check when using @group or &group.
253
bool is_share_read_only_for_token(const char *username,
255
const struct nt_user_token *token,
256
connection_struct *conn)
258
int snum = SNUM(conn);
259
bool result = conn->read_only;
261
if (lp_readlist(snum) != NULL) {
262
if (token_contains_name_in_list(username, domain,
263
lp_servicename(snum), token,
264
lp_readlist(snum))) {
269
if (lp_writelist(snum) != NULL) {
270
if (token_contains_name_in_list(username, domain,
271
lp_servicename(snum), token,
272
lp_writelist(snum))) {
277
DEBUG(10,("is_share_read_only_for_user: share %s is %s for unix user "
278
"%s\n", lp_servicename(snum),
279
result ? "read-only" : "read-write", username));