path: root/source3/smbd/uid.c
authorAndrew Bartlett <abartlet@samba.org>2002-08-20 01:54:28 +0000
committerAndrew Bartlett <abartlet@samba.org>2002-08-20 01:54:28 +0000
commit8674440d81f703cb59979426c92ed54de8e5f2ed (patch)
tree033da6bfa721b02c1a087ee478d3593997f30e2a /source3/smbd/uid.c
parent03615599919f94c5ed56e9824343b02f4f3e0b71 (diff)
Based originally on work by Kai, this patch moves our NT_TOKEN generation into
our authentication code - removing some of the duplication from the current code. This also gets us *much* closer to supporting a real SAM backend, because the SAM can give us the right info then. This also changes our service.c code, so that we do a VUID (rather than uid) cache on the connection struct, and do full NT ACL/NT_TOKEN checks (or cached equivalent) on every packet, for the same r or rw mode the whole share was open for. Andrew Bartlett (This used to be commit d8122cee059fc7098bfa7e42e638a9958b3ac902)
Diffstat (limited to 'source3/smbd/uid.c')
-rw-r--r--source3/smbd/uid.c38
1 files changed, 20 insertions, 18 deletions
diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c
index c0bacf8f91..6f91065ceb 100644
--- a/source3/smbd/uid.c
+++ b/source3/smbd/uid.c
@@ -59,18 +59,26 @@ BOOL change_to_guest(void)
static BOOL check_user_ok(connection_struct *conn, user_struct *vuser,int snum)
{
int i;
- for (i=0;i<conn->uid_cache.entries;i++)
- if (conn->uid_cache.list[i] == vuser->uid)
+ for (i=0;i<conn->vuid_cache.entries && i< VUID_CACHE_SIZE;i++)
+ if (conn->vuid_cache.list[i] == vuser->vuid)
return(True);
+ if ((conn->force_user || conn->force_group)
+ && (conn->vuid != vuser->vuid)) {
+ return False;
+ }
+
if (!user_ok(vuser->user.unix_name,snum))
return(False);
- i = conn->uid_cache.entries % UID_CACHE_SIZE;
- conn->uid_cache.list[i] = vuser->uid;
+ if (!share_access_check(conn, snum, vuser, conn->read_only ? FILE_READ_DATA : FILE_WRITE_DATA)) {
+ return False;
+ }
+
+ i = conn->vuid_cache.entries % VUID_CACHE_SIZE;
+ conn->vuid_cache.list[i] = vuser->vuid;
- if (conn->uid_cache.entries < UID_CACHE_SIZE)
- conn->uid_cache.entries++;
+ conn->vuid_cache.entries++;
return(True);
}
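Review bot: A hit in the vuid cache lookup at the top of check_user_ok() returns True before user_ok() and share_access_check() run, so the grant lives as long as the connection; vuid is a uint16 (see the change_to_user signature below) and is presumably recycled after a session logoff, so unless the cache is purged when a vuid is invalidated (not visible in this hunk), a later session assigned the same vuid would inherit the cached grant. Document that contract at the top of the function, e.g. `/* A cached vuid has already passed user_ok() and share_access_check() for this conn; whoever frees a vuid must remove it from every conn->vuid_cache. */`. The unconditional `conn->vuid_cache.entries++` is what makes the ring rotate once it passes VUID_CACHE_SIZE (the old capped increment pinned the write slot at 0), but if entries is a signed int it can eventually wrap, making `entries % VUID_CACHE_SIZE` negative and the store into list[] out of bounds; a bounded form such as `if (++conn->vuid_cache.entries >= 2 * VUID_CACHE_SIZE) conn->vuid_cache.entries -= VUID_CACHE_SIZE;` keeps the rotation and removes that edge. Placing the force_user/force_group vuid test after the cache lookup is fine only because a mismatching vuid can never have been cached; a one-line comment saying so would save the next reader the derivation.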
@@ -115,27 +123,21 @@ BOOL change_to_user(connection_struct *conn, uint16 vuid)
snum = SNUM(conn);
- if((vuser != NULL) && !check_user_ok(conn, vuser, snum))
- return False;
-
- if (conn->force_user ||
- conn->admin_user ||
- (lp_security() == SEC_SHARE)) {
+ if (conn->force_user) /* security = share sets this too */ {
uid = conn->uid;
gid = conn->gid;
current_user.groups = conn->groups;
current_user.ngroups = conn->ngroups;
token = conn->nt_user_token;
- } else {
- if (!vuser) {
- DEBUG(2,("change_to_user: Invalid vuid used %d\n",vuid));
- return(False);
- }
+ } else if ((vuser) && check_user_ok(conn, vuser, snum)) {
uid = vuser->uid;
gid = vuser->gid;
current_user.ngroups = vuser->n_groups;
current_user.groups = vuser->groups;
token = vuser->nt_user_token;
+ } else {
+ DEBUG(2,("change_to_user: Invalid vuid used %d or vuid not permitted access to share.\n",vuid));
+ return False;
}
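Review bot: With conn->force_user set, the new first branch never reaches check_user_ok(), so user_ok() and share_access_check() are not run for the vuid on a forced-user share, whereas the removed lines ran that check ahead of the branch for every non-NULL vuser. The inline comment accounts only for the dropped `lp_security() == SEC_SHARE` case; the dropped `conn->admin_user` condition is not explained, and admin users now fall through to the per-vuid path with vuser->uid rather than conn->uid. Either run the check before the branch for the force_user case too, or state the reliance explicitly, e.g. `/* force user: share access was validated at tree connect; no per-vuid recheck here */`. As a point of style, put that comment on its own line above the if rather than between the condition and the opening brace. change_to_user() begins before this hunk and continues after it.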
/*
@@ -175,7 +177,7 @@ BOOL change_to_user(connection_struct *conn, uint16 vuid)
if (vuser && vuser->guest)
is_guest = True;
- token = create_nt_token(uid, gid, current_user.ngroups, current_user.groups, is_guest, NULL);
+ token = create_nt_token(uid, gid, current_user.ngroups, current_user.groups, is_guest);
must_free_token = True;
}