diff options
| author | Andrew Bartlett <abartlet@samba.org> | 2011-07-15 14:59:14 +1000 |
|---|---|---|
| committer | Andrew Bartlett <abartlet@samba.org> | 2011-07-20 09:17:10 +1000 |
| commit | 6d741e918f145c6ec62c22358aabc8162db108fd (patch) | |
| tree | 4d562524b2ff71892911331d707e23045984b0d3 /source3/smbd | |
| parent | f16d8f4eb86ecc4741c25e5ed87b2ea4c6717a31 (diff) | |
| download | samba-6d741e918f145c6ec62c22358aabc8162db108fd.tar.gz samba-6d741e918f145c6ec62c22358aabc8162db108fd.tar.bz2 samba-6d741e918f145c6ec62c22358aabc8162db108fd.zip | |
s3-auth Use *unix_token rather than utok in struct auth3_session_info
This brings this structure one step closer to the struct auth_session_info.
A few SMB_ASSERT calls are added in some key places to ensure that
this pointer is initialised, to make tracing any bugs here easier in
future.
NOTE: Many of the users of this structure should be reviewed, as unix
and NT access checks are mixed in a way that should just be done using
the NT ACL. This patch has not changed this behaviour however.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
Diffstat (limited to 'source3/smbd')
| -rw-r--r-- | source3/smbd/connection.c | 7 | ||||
| -rw-r--r-- | source3/smbd/lanman.c | 6 | ||||
| -rw-r--r-- | source3/smbd/msg_idmap.c | 10 | ||||
| -rw-r--r-- | source3/smbd/password.c | 12 | ||||
| -rw-r--r-- | source3/smbd/reply.c | 4 | ||||
| -rw-r--r-- | source3/smbd/service.c | 14 | ||||
| -rw-r--r-- | source3/smbd/session.c | 7 | ||||
| -rw-r--r-- | source3/smbd/trans2.c | 14 | ||||
| -rw-r--r-- | source3/smbd/uid.c | 30 |
9 files changed, 58 insertions, 46 deletions
diff --git a/source3/smbd/connection.c b/source3/smbd/connection.c index 048604c5c9..7e49664162 100644 --- a/source3/smbd/connection.c +++ b/source3/smbd/connection.c @@ -149,13 +149,16 @@ bool claim_connection(connection_struct *conn, const char *name) return False; } + /* Make clear that we require the optional unix_token in the source3 code */ + SMB_ASSERT(conn->session_info->unix_token); + /* fill in the crec */ ZERO_STRUCT(crec); crec.magic = 0x280267; crec.pid = sconn_server_id(conn->sconn); crec.cnum = conn->cnum; - crec.uid = conn->session_info->utok.uid; - crec.gid = conn->session_info->utok.gid; + crec.uid = conn->session_info->unix_token->uid; + crec.gid = conn->session_info->unix_token->gid; strlcpy(crec.servicename, lp_servicename(SNUM(conn)), sizeof(crec.servicename)); crec.start = time(NULL); diff --git a/source3/smbd/lanman.c b/source3/smbd/lanman.c index 63fdd03f44..f84540fbec 100644 --- a/source3/smbd/lanman.c +++ b/source3/smbd/lanman.c @@ -119,7 +119,7 @@ static int CopyExpanded(connection_struct *conn, lp_servicename(SNUM(conn)), conn->session_info->unix_name, conn->connectpath, - conn->session_info->utok.gid, + conn->session_info->unix_token->gid, conn->session_info->sanitized_username, conn->session_info->info3->base.domain.string, buf); @@ -170,7 +170,7 @@ static int StrlenExpanded(connection_struct *conn, int snum, char *s) lp_servicename(SNUM(conn)), conn->session_info->unix_name, conn->connectpath, - conn->session_info->utok.gid, + conn->session_info->unix_token->gid, conn->session_info->sanitized_username, conn->session_info->info3->base.domain.string, buf); @@ -4635,7 +4635,7 @@ static bool api_WWkstaUserLogon(struct smbd_server_connection *sconn, if(vuser != NULL) { DEBUG(3,(" Username of UID %d is %s\n", - (int)vuser->session_info->utok.uid, + (int)vuser->session_info->unix_token->uid, vuser->session_info->unix_name)); } diff --git a/source3/smbd/msg_idmap.c b/source3/smbd/msg_idmap.c index 2a00f1bbb9..b534ac3846 100644 --- a/source3/smbd/msg_idmap.c +++ b/source3/smbd/msg_idmap.c @@ -73,7 +73,7 @@ static bool parse_id(const char* str, struct id* id) static bool uid_in_use(const struct user_struct* user, uid_t uid) { while (user) { - if (user->session_info && (user->session_info->utok.uid == uid)) { + if (user->session_info && (user->session_info->unix_token->uid == uid)) { return true; } user = user->next; @@ -86,12 +86,12 @@ static bool gid_in_use(const struct user_struct* user, gid_t gid) while (user) { if (user->session_info != NULL) { int i; - struct security_unix_token utok = user->session_info->utok; - if (utok.gid == gid) { + struct security_unix_token *utok = user->session_info->unix_token; + if (utok->gid == gid) { return true; } - for(i=0; i<utok.ngroups; i++) { - if (utok.groups[i] == gid) { + for(i=0; i<utok->ngroups; i++) { + if (utok->groups[i] == gid) { return true; } } diff --git a/source3/smbd/password.c b/source3/smbd/password.c index f32989da54..fb88fd3319 100644 --- a/source3/smbd/password.c +++ b/source3/smbd/password.c @@ -284,9 +284,12 @@ int register_existing_vuid(struct smbd_server_connection *sconn, vuser->session_info->sanitized_username = talloc_strdup( vuser->session_info, tmp); + /* Make clear that we require the optional unix_token in the source3 code */ + SMB_ASSERT(vuser->session_info->unix_token); + DEBUG(10,("register_existing_vuid: (%u,%u) %s %s %s guest=%d\n", - (unsigned int)vuser->session_info->utok.uid, - (unsigned int)vuser->session_info->utok.gid, + (unsigned int)vuser->session_info->unix_token->uid, + (unsigned int)vuser->session_info->unix_token->gid, vuser->session_info->unix_name, vuser->session_info->sanitized_username, vuser->session_info->info3->base.domain.string, @@ -302,8 +305,11 @@ int register_existing_vuid(struct smbd_server_connection *sconn, goto fail; } + /* Make clear that we require the optional unix_token in the source3 code */ + SMB_ASSERT(vuser->session_info->unix_token); + DEBUG(3,("register_existing_vuid: UNIX uid %d is UNIX user %s, " - "and will be vuid %u\n", (int)vuser->session_info->utok.uid, + "and will be vuid %u\n", (int)vuser->session_info->unix_token->uid, vuser->session_info->unix_name, vuser->vuid)); if (!session_claim(sconn, vuser)) { diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c index 25e1aafa0e..e740fb4c57 100644 --- a/source3/smbd/reply.c +++ b/source3/smbd/reply.c @@ -2563,7 +2563,7 @@ static NTSTATUS do_unlink(connection_struct *conn, } /* The set is across all open files on this dev/inode pair. */ - if (!set_delete_on_close(fsp, True, &conn->session_info->utok)) { + if (!set_delete_on_close(fsp, True, conn->session_info->unix_token)) { close_file(req, fsp, NORMAL_CLOSE); return NT_STATUS_ACCESS_DENIED; } @@ -5677,7 +5677,7 @@ void reply_rmdir(struct smb_request *req) goto out; } - if (!set_delete_on_close(fsp, true, &conn->session_info->utok)) { + if (!set_delete_on_close(fsp, true, conn->session_info->unix_token)) { close_file(req, fsp, ERROR_CLOSE); reply_nterror(req, NT_STATUS_ACCESS_DENIED); goto out; diff --git a/source3/smbd/service.c b/source3/smbd/service.c index c772b8a069..0c86ec09f9 100644 --- a/source3/smbd/service.c +++ b/source3/smbd/service.c @@ -498,7 +498,7 @@ NTSTATUS set_conn_force_user_group(connection_struct *conn, int snum) status = find_forced_group( conn->force_user, snum, conn->session_info->unix_name, &conn->session_info->security_token->sids[1], - &conn->session_info->utok.gid); + &conn->session_info->unix_token->gid); if (!NT_STATUS_IS_OK(status)) { return status; @@ -510,7 +510,7 @@ NTSTATUS set_conn_force_user_group(connection_struct *conn, int snum) * struct. We only use conn->session_info directly if * "force_user" was set. */ - conn->force_group_gid = conn->session_info->utok.gid; + conn->force_group_gid = conn->session_info->unix_token->gid; } return NT_STATUS_OK; @@ -615,7 +615,7 @@ connection_struct *make_connection_snum(struct smbd_server_connection *sconn, lp_servicename(SNUM(conn)), conn->session_info->unix_name, conn->connectpath, - conn->session_info->utok.gid, + conn->session_info->unix_token->gid, conn->session_info->sanitized_username, conn->session_info->info3->base.domain.string, lp_pathname(snum)); @@ -737,7 +737,7 @@ connection_struct *make_connection_snum(struct smbd_server_connection *sconn, lp_servicename(SNUM(conn)), conn->session_info->unix_name, conn->connectpath, - conn->session_info->utok.gid, + conn->session_info->unix_token->gid, conn->session_info->sanitized_username, conn->session_info->info3->base.domain.string, lp_rootpreexec(snum)); @@ -775,7 +775,7 @@ connection_struct *make_connection_snum(struct smbd_server_connection *sconn, lp_servicename(SNUM(conn)), conn->session_info->unix_name, conn->connectpath, - conn->session_info->utok.gid, + conn->session_info->unix_token->gid, conn->session_info->sanitized_username, conn->session_info->info3->base.domain.string, lp_preexec(snum)); @@ -1095,7 +1095,7 @@ void close_cnum(connection_struct *conn, uint16 vuid) lp_servicename(SNUM(conn)), conn->session_info->unix_name, conn->connectpath, - conn->session_info->utok.gid, + conn->session_info->unix_token->gid, conn->session_info->sanitized_username, conn->session_info->info3->base.domain.string, lp_postexec(SNUM(conn))); @@ -1111,7 +1111,7 @@ void close_cnum(connection_struct *conn, uint16 vuid) lp_servicename(SNUM(conn)), conn->session_info->unix_name, conn->connectpath, - conn->session_info->utok.gid, + conn->session_info->unix_token->gid, conn->session_info->sanitized_username, conn->session_info->info3->base.domain.string, lp_rootpostexec(SNUM(conn))); diff --git a/source3/smbd/session.c b/source3/smbd/session.c index 379a66ce8f..184ce1b3a5 100644 --- a/source3/smbd/session.c +++ b/source3/smbd/session.c @@ -136,12 +136,15 @@ bool session_claim(struct smbd_server_connection *sconn, user_struct *vuser) return false; } + /* Make clear that we require the optional unix_token in the source3 code */ + SMB_ASSERT(vuser->session_info->unix_token); + fstrcpy(sessionid.username, vuser->session_info->unix_name); fstrcpy(sessionid.hostname, sconn->remote_hostname); sessionid.id_num = i; /* Only valid for utmp sessions */ sessionid.pid = pid; - sessionid.uid = vuser->session_info->utok.uid; - sessionid.gid = vuser->session_info->utok.gid; + sessionid.uid = vuser->session_info->unix_token->uid; + sessionid.gid = vuser->session_info->unix_token->gid; fstrcpy(sessionid.remote_machine, get_remote_machine_name()); fstrcpy(sessionid.ip_addr_str, raddr); sessionid.connect_start = time(NULL); diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c index b853722eae..bfde938635 100644 --- a/source3/smbd/trans2.c +++ b/source3/smbd/trans2.c @@ -3386,7 +3386,7 @@ cBytesSector=%u, cUnitTotal=%u, cUnitAvail=%d\n", (unsigned int)bsize, (unsigned + 4 /* num_sids */ + 4 /* SID bytes */ + 4 /* pad/reserved */ - + (conn->session_info->utok.ngroups * 8) + + (conn->session_info->unix_token->ngroups * 8) /* groups list */ + (conn->session_info->security_token->num_sids * SID_MAX_SIZE) @@ -3395,9 +3395,9 @@ cBytesSector=%u, cUnitTotal=%u, cUnitAvail=%d\n", (unsigned int)bsize, (unsigned SIVAL(pdata, 0, flags); SIVAL(pdata, 4, SMB_WHOAMI_MASK); SBIG_UINT(pdata, 8, - (uint64_t)conn->session_info->utok.uid); + (uint64_t)conn->session_info->unix_token->uid); SBIG_UINT(pdata, 16, - (uint64_t)conn->session_info->utok.gid); + (uint64_t)conn->session_info->unix_token->gid); if (data_len >= max_data_bytes) { @@ -3412,7 +3412,7 @@ cBytesSector=%u, cUnitTotal=%u, cUnitAvail=%d\n", (unsigned int)bsize, (unsigned break; } - SIVAL(pdata, 24, conn->session_info->utok.ngroups); + SIVAL(pdata, 24, conn->session_info->unix_token->ngroups); SIVAL(pdata, 28, conn->session_info->security_token->num_sids); /* We walk the SID list twice, but this call is fairly @@ -3434,9 +3434,9 @@ cBytesSector=%u, cUnitTotal=%u, cUnitAvail=%d\n", (unsigned int)bsize, (unsigned data_len = 40; /* GID list */ - for (i = 0; i < conn->session_info->utok.ngroups; ++i) { + for (i = 0; i < conn->session_info->unix_token->ngroups; ++i) { SBIG_UINT(pdata, data_len, - (uint64_t)conn->session_info->utok.groups[i]); + (uint64_t)conn->session_info->unix_token->groups[i]); data_len += 8; } @@ -5817,7 +5817,7 @@ static NTSTATUS smb_set_file_disposition_info(connection_struct *conn, /* The set is across all open files on this dev/inode pair. */ if (!set_delete_on_close(fsp, delete_on_close, - &conn->session_info->utok)) { + conn->session_info->unix_token)) { return NT_STATUS_ACCESS_DENIED; } return NT_STATUS_OK; diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c index 5d703e3a18..b6ea7674b1 100644 --- a/source3/smbd/uid.c +++ b/source3/smbd/uid.c @@ -178,7 +178,7 @@ static bool check_user_ok(connection_struct *conn, "Setting uid as %d\n", conn->session_info->unix_name, sec_initial_uid() )); - conn->session_info->utok.uid = sec_initial_uid(); + conn->session_info->unix_token->uid = sec_initial_uid(); } return(True); @@ -213,10 +213,10 @@ static bool change_to_user_internal(connection_struct *conn, return false; } - uid = conn->session_info->utok.uid; - gid = conn->session_info->utok.gid; - num_groups = conn->session_info->utok.ngroups; - group_list = conn->session_info->utok.groups; + uid = conn->session_info->unix_token->uid; + gid = conn->session_info->unix_token->gid; + num_groups = conn->session_info->unix_token->ngroups; + group_list = conn->session_info->unix_token->groups; /* * See if we should force group for this service. If so this overrides @@ -237,7 +237,7 @@ static bool change_to_user_internal(connection_struct *conn, */ for (i = 0; i < num_groups; i++) { if (group_list[i] == conn->force_group_gid) { - conn->session_info->utok.gid = + conn->session_info->unix_token->gid = conn->force_group_gid; gid = conn->force_group_gid; gid_to_sid(&conn->session_info->security_token @@ -246,7 +246,7 @@ static bool change_to_user_internal(connection_struct *conn, } } } else { - conn->session_info->utok.gid = conn->force_group_gid; + conn->session_info->unix_token->gid = conn->force_group_gid; gid = conn->force_group_gid; gid_to_sid(&conn->session_info->security_token->sids[1], gid); @@ -296,13 +296,13 @@ bool change_to_user(connection_struct *conn, uint16_t vuid) */ if((lp_security() == SEC_SHARE) && (current_user.conn == conn) && - (current_user.ut.uid == conn->session_info->utok.uid)) { + (current_user.ut.uid == conn->session_info->unix_token->uid)) { DEBUG(4,("Skipping user change - already " "user\n")); return(True); } else if ((current_user.conn == conn) && (vuser != NULL) && (current_user.vuid == vuid) && - (current_user.ut.uid == vuser->session_info->utok.uid)) { + (current_user.ut.uid == vuser->session_info->unix_token->uid)) { DEBUG(4,("Skipping user change - already " "user\n")); return(True); @@ -334,7 +334,7 @@ bool change_to_user_by_session(connection_struct *conn, SMB_ASSERT(session_info != NULL); if ((current_user.conn == conn) && - (current_user.ut.uid == session_info->utok.uid)) { + (current_user.ut.uid == session_info->unix_token->uid)) { DEBUG(7, ("Skipping user change - already user\n")); return true; @@ -372,8 +372,8 @@ bool become_authenticated_pipe_user(struct auth3_session_info *session_info) if (!push_sec_ctx()) return False; - set_sec_ctx(session_info->utok.uid, session_info->utok.gid, - session_info->utok.ngroups, session_info->utok.groups, + set_sec_ctx(session_info->unix_token->uid, session_info->unix_token->gid, + session_info->unix_token->ngroups, session_info->unix_token->groups, session_info->security_token); return True; @@ -512,7 +512,7 @@ bool unbecome_user(void) /**************************************************************************** Return the current user we are running effectively as on this connection. - I'd like to make this return conn->session_info->utok.uid, but become_root() + I'd like to make this return conn->session_info->unix_token->uid, but become_root() doesn't alter this value. ****************************************************************************/ @@ -523,7 +523,7 @@ uid_t get_current_uid(connection_struct *conn) /**************************************************************************** Return the current group we are running effectively as on this connection. - I'd like to make this return conn->session_info->utok.gid, but become_root() + I'd like to make this return conn->session_info->unix_token->gid, but become_root() doesn't alter this value. ****************************************************************************/ @@ -534,7 +534,7 @@ gid_t get_current_gid(connection_struct *conn) /**************************************************************************** Return the UNIX token we are running effectively as on this connection. - I'd like to make this return &conn->session_info->utok, but become_root() + I'd like to make this return &conn->session_info->unix_token-> but become_root() doesn't alter this value. ****************************************************************************/ |