-rw-r--r-- | librpc/idl/auth.idl | 1 | ||||
-rw-r--r-- | source3/Makefile.in | 2 | ||||
-rw-r--r-- | source3/auth/auth_util.c | 5 | ||||
-rw-r--r-- | source3/rpc_server/lsa/srv_lsa_nt.c | 2 | ||||
-rw-r--r-- | source3/rpc_server/rpc_handles.c | 3 | ||||
-rw-r--r-- | source3/smbd/lanman.c | 2 | ||||
-rw-r--r-- | source3/smbd/password.c | 9 | ||||
-rw-r--r-- | source3/smbd/service.c | 10 | ||||
-rw-r--r-- | source3/smbd/session.c | 3 | ||||
-rw-r--r-- | source3/smbd/sesssetup.c | 7 | ||||
-rw-r--r-- | source3/smbd/smb2_sesssetup.c | 9 |
11 files changed, 31 insertions, 22 deletions
diff --git a/librpc/idl/auth.idl b/librpc/idl/auth.idl index f1f888c0dd..3b4853b657 100644 --- a/librpc/idl/auth.idl +++ b/librpc/idl/auth.idl @@ -65,7 +65,6 @@ interface auth /* These match exactly the values from the * auth_serversupplied_info, but should be changed to * checks involving just the SIDs */ - boolean8 guest; boolean8 system; [unique,charset(UTF8),string] char *unix_name; diff --git a/source3/Makefile.in b/source3/Makefile.in index 0a72cf579a..51b0a7cb67 100644 --- a/source3/Makefile.in +++ b/source3/Makefile.in @@ -466,7 +466,7 @@ LIB_OBJ = $(LIBSAMBAUTIL_OBJ) $(UTIL_OBJ) $(CRYPTO_OBJ) $(LIBTSOCKET_OBJ) \ lib/ldap_escape.o @CHARSET_STATIC@ \ ../libcli/security/secdesc.o ../libcli/security/access_check.o \ ../libcli/security/secace.o ../libcli/security/object_tree.o \ - ../libcli/security/sddl.o \ + ../libcli/security/sddl.o ../libcli/security/session.o \ ../libcli/security/secacl.o @PTHREADPOOL_OBJ@ \ lib/fncall.o \ libads/krb5_errs.o lib/system_smbd.o lib/audit.o $(LIBNDR_OBJ) \ diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index d5ca1a206b..b0deb2c8ab 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -504,7 +504,6 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx, return NT_STATUS_NO_MEMORY; } - session_info->unix_info->guest = server_info->guest; session_info->unix_info->system = server_info->system; if (session_key) { @@ -993,8 +992,8 @@ static struct auth_serversupplied_info *copy_session_info_serverinfo_guest(TALLO /* This element must be provided to convert back to an auth_serversupplied_info */ SMB_ASSERT(src->unix_info); - dst->guest = src->unix_info->guest; - dst->system = src->unix_info->system; + dst->guest = true; + dst->system = false; /* This element must be provided to convert back to an * auth_serversupplied_info. This needs to be from hte diff --git a/source3/rpc_server/lsa/srv_lsa_nt.c b/source3/rpc_server/lsa/srv_lsa_nt.c index 8aea353679..5877c7b295 100644 
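Review bot: In copy_session_info_serverinfo_guest the new `dst->guest = true; dst->system = false;` no longer reflects `src`, so the result is only correct when `src` really is the guest session, and nothing in the visible lines enforces that. The function name suggests this is the intended contract, but its callers and the rest of its body are outside the hunk. I would state the precondition next to the assignment, e.g. `/* src must be the guest session_info: guest/system are fixed here, not copied */`. An `SMB_ASSERT` on the session's user level would be stronger, if the security header is usable in this file, which this diff does not show.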
--- a/source3/rpc_server/lsa/srv_lsa_nt.c +++ b/source3/rpc_server/lsa/srv_lsa_nt.c @@ -2400,7 +2400,7 @@ NTSTATUS _lsa_GetUserName(struct pipes_struct *p, return NT_STATUS_INVALID_PARAMETER; } - if (p->session_info->unix_info->guest) { + if (security_session_user_level(p->session_info, NULL) < SECURITY_USER) { /* * I'm 99% sure this is not the right place to do this, * global_sid_Anonymous should probably be put into the token diff --git a/source3/rpc_server/rpc_handles.c b/source3/rpc_server/rpc_handles.c index f3a97b37a2..3500a228d5 100644 --- a/source3/rpc_server/rpc_handles.c +++ b/source3/rpc_server/rpc_handles.c @@ -25,6 +25,7 @@ #include "auth.h" #include "ntdomain.h" #include "rpc_server/rpc_ncacn_np.h" +#include "../libcli/security/security.h" #undef DBGC_CLASS #define DBGC_CLASS DBGC_RPC_SRV @@ -346,7 +347,7 @@ bool pipe_access_check(struct pipes_struct *p) return True; } - if (p->session_info->unix_info->guest) { + if (security_session_user_level(p->session_info, NULL) < SECURITY_USER) { return False; } } diff --git a/source3/smbd/lanman.c b/source3/smbd/lanman.c index 4f905cf9b1..292ebf4385 100644 --- a/source3/smbd/lanman.c +++ b/source3/smbd/lanman.c @@ -5857,7 +5857,7 @@ void api_reply(connection_struct *conn, uint16 vuid, if (api_commands[i].auth_user && lp_restrict_anonymous()) { user_struct *user = get_valid_user_struct(req->sconn, vuid); - if (!user || user->session_info->unix_info->guest) { + if (!user || security_session_user_level(user->session_info, NULL) < SECURITY_USER) { reply_nterror(req, NT_STATUS_ACCESS_DENIED); return; } diff --git a/source3/smbd/password.c b/source3/smbd/password.c index d529dc1a63..e23818f2d1 100644 --- a/source3/smbd/password.c +++ b/source3/smbd/password.c @@ -24,6 +24,7 @@ #include "smbd/globals.h" #include "../librpc/gen_ndr/netlogon.h" #include "auth.h" +#include "../libcli/security/security.h" /* Fix up prototypes for OSX 10.4, where they're missing */ #ifndef HAVE_SETNETGRENT_PROTOTYPE 
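Review bot: The guest test in _lsa_GetUserName is now recomputed from the session by `security_session_user_level()` instead of being read from a flag fixed at authentication time, and the helper's body is not part of this diff, so it cannot be confirmed here that it classifies every session as the removed `unix_info->guest` did. The same substitution is made in pipe_access_check, api_reply, register_existing_vuid, create_connection_session_info, set_conn_force_user_group, session_claim, the three SMB1 session-setup replies and both SMB2 session-setup paths, several of which are access decisions. A test covering guest, anonymous, system and ordinary user sessions on the old and new predicate would settle it. Since the expression `security_session_user_level(x, NULL) < SECURITY_USER` is repeated verbatim (and inverted once as `>= SECURITY_USER` in smb2_sesssetup.c), one named predicate wrapping it would keep the definition of "guest" in a single auditable place.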
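Review bot: The refusal in pipe_access_check now rests on a level comparison rather than a named flag, and the line carries no comment saying which sessions it is meant to reject. I would add `/* refuse sessions below SECURITY_USER (anonymous or guest) */` above the `if`, and note that the second argument is `NULL` because no domain SID is needed for this comparison. The function body starts and ends outside the hunk, so the condition guarding this block is not visible here.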
@@ -269,6 +270,7 @@ int register_existing_vuid(struct smbd_server_connection *sconn, { fstring tmp; user_struct *vuser; + bool guest = security_session_user_level(session_info, NULL) < SECURITY_USER; vuser = get_partial_auth_user_struct(sconn, vuid); if (!vuser) { @@ -294,7 +296,7 @@ int register_existing_vuid(struct smbd_server_connection *sconn, vuser->session_info->unix_info->unix_name, vuser->session_info->unix_info->sanitized_username, vuser->session_info->info->domain_name, - vuser->session_info->unix_info->guest )); + guest)); DEBUG(3, ("register_existing_vuid: User name: %s\t" "Real name: %s\n", vuser->session_info->unix_info->unix_name, @@ -328,13 +330,14 @@ int register_existing_vuid(struct smbd_server_connection *sconn, vuser->homes_snum = -1; - if (!vuser->session_info->unix_info->guest) { + + if (!guest) { vuser->homes_snum = register_homes_share( vuser->session_info->unix_info->unix_name); } if (srv_is_signing_negotiated(sconn) && - !vuser->session_info->unix_info->guest) { + !guest) { /* Try and turn on server signing on the first non-guest * sessionsetup. */ srv_set_signing(sconn, diff --git a/source3/smbd/service.c b/source3/smbd/service.c index 71681aeca2..f1d2ca040d 100644 --- a/source3/smbd/service.c +++ b/source3/smbd/service.c @@ -394,8 +394,8 @@ static NTSTATUS create_connection_session_info(struct smbd_server_connection *sc * This is the normal security != share case where we have a * valid vuid from the session setup. */ - if (vuid_serverinfo->unix_info->guest) { - if (!lp_guest_ok(snum)) { + if (security_session_user_level(vuid_serverinfo, NULL) < SECURITY_USER) { + if (!lp_guest_ok(snum)) { DEBUG(2, ("guest user (from session setup) " "not permitted to access this share " "(%s)\n", lp_servicename(snum))); 
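Review bot: In register_existing_vuid the new `guest` is computed from the `session_info` parameter in its declaration, before `get_partial_auth_user_struct()` runs, yet it replaces three reads of `vuser->session_info->unix_info->guest` further down (the DEBUG output, the `register_homes_share()` guard and the signing guard). The statement that ties `vuser->session_info` to the parameter lies outside these hunks, so it is not visible that both refer to the same session. If they do, a comment such as `/* evaluated on the caller's session_info before it is attached to vuser */` would make that reviewable; if they can differ, the guards should use `vuser->session_info` at the point of use. The third hunk also adds a stray empty line before `if (!guest) {`.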
@@ -467,6 +467,7 @@ NTSTATUS set_conn_force_user_group(connection_struct *conn, int snum) char *fuser; struct auth_session_info *forced_serverinfo; + bool guest; fuser = talloc_string_sub(conn, lp_force_user(snum), "%S", lp_const_servicename(snum)); @@ -474,8 +475,11 @@ NTSTATUS set_conn_force_user_group(connection_struct *conn, int snum) return NT_STATUS_NO_MEMORY; } + guest = security_session_user_level(conn->session_info, NULL) < SECURITY_USER; + status = make_session_info_from_username( - conn, fuser, conn->session_info->unix_info->guest, + conn, fuser, + guest, &forced_serverinfo); if (!NT_STATUS_IS_OK(status)) { return status; diff --git a/source3/smbd/session.c b/source3/smbd/session.c index 9b8d11cc65..10f7defb81 100644 --- a/source3/smbd/session.c +++ b/source3/smbd/session.c @@ -33,6 +33,7 @@ #include "session.h" #include "auth.h" #include "../lib/tsocket/tsocket.h" +#include "../libcli/security/security.h" /******************************************************************** called when a session is created @@ -53,7 +54,7 @@ bool session_claim(struct smbd_server_connection *sconn, user_struct *vuser) /* don't register sessions for the guest user - its just too expensive to go through pam session code for browsing etc */ - if (vuser->session_info->unix_info->guest) { + if (security_session_user_level(vuser->session_info, NULL) < SECURITY_USER) { return True; } diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c index b6a3243b85..2df8b435e5 100644 --- a/source3/smbd/sesssetup.c +++ b/source3/smbd/sesssetup.c @@ -35,6 +35,7 @@ #include "auth.h" #include "messages.h" #include "smbprofile.h" +#include "../libcli/security/security.h" /* For split krb5 SPNEGO blobs. */ struct pending_auth_data { @@ -441,7 +442,7 @@ static void reply_spnego_kerberos(struct smb_request *req, SSVAL(req->outbuf, smb_vwv3, 0); - if (session_info->unix_info->guest) { + if (security_session_user_level(session_info, NULL) < SECURITY_USER) { SSVAL(req->outbuf,smb_vwv2,1); } 
@@ -535,7 +536,7 @@ static void reply_spnego_ntlmssp(struct smb_request *req, SSVAL(req->outbuf, smb_vwv3, 0); - if (session_info->unix_info->guest) { + if (security_session_user_level(session_info, NULL) < SECURITY_USER) { SSVAL(req->outbuf,smb_vwv2,1); } } @@ -1702,7 +1703,7 @@ void reply_sesssetup_and_X(struct smb_request *req) /* perhaps grab OS version here?? */ } - if (session_info->unix_info->guest) { + if (security_session_user_level(session_info, NULL) < SECURITY_USER) { SSVAL(req->outbuf,smb_vwv2,1); } diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c index 9475ffb363..7a83953256 100644 --- a/source3/smbd/smb2_sesssetup.c +++ b/source3/smbd/smb2_sesssetup.c @@ -31,6 +31,7 @@ #include "../lib/util/asn1.h" #include "auth.h" #include "../lib/tsocket/tsocket.h" +#include "../libcli/security/security.h" static NTSTATUS smbd_smb2_session_setup(struct smbd_smb2_request *smb2req, uint64_t in_session_id, @@ -253,7 +254,7 @@ static NTSTATUS smbd_smb2_session_setup_krb5(struct smbd_smb2_session *session, session->do_signing = true; } - if (session->session_info->unix_info->guest) { + if (security_session_user_level(session->session_info, NULL) < SECURITY_USER) { /* we map anonymous to guest internally */ *out_session_flags |= SMB2_SESSION_FLAG_IS_GUEST; *out_session_flags |= SMB2_SESSION_FLAG_IS_NULL; @@ -280,7 +281,7 @@ static NTSTATUS smbd_smb2_session_setup_krb5(struct smbd_smb2_session *session, session->session_info->unix_info->sanitized_username = talloc_strdup(session->session_info, tmp); - if (!session->session_info->unix_info->guest) { + if (security_session_user_level(session->session_info, NULL) >= SECURITY_USER) { session->compat_vuser->homes_snum = register_homes_share(session->session_info->unix_info->unix_name); } 
@@ -460,7 +461,7 @@ static NTSTATUS smbd_smb2_common_ntlmssp_auth_return(struct smbd_smb2_session *s session->do_signing = true; } - if (session->session_info->unix_info->guest) { + if (security_session_user_level(session->session_info, NULL) < SECURITY_USER) { /* we map anonymous to guest internally */ *out_session_flags |= SMB2_SESSION_FLAG_IS_GUEST; *out_session_flags |= SMB2_SESSION_FLAG_IS_NULL; @@ -491,7 +492,7 @@ static NTSTATUS smbd_smb2_common_ntlmssp_auth_return(struct smbd_smb2_session *s session->session_info->unix_info->sanitized_username = talloc_strdup( session->session_info, tmp); - if (!session->compat_vuser->session_info->unix_info->guest) { + if (security_session_user_level(session->session_info, NULL) >= SECURITY_USER) { session->compat_vuser->homes_snum = register_homes_share(session->session_info->unix_info->unix_name); } |
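Review bot: In smbd_smb2_common_ntlmssp_auth_return the homes-share guard used to read `session->compat_vuser->session_info` and now reads `session->session_info`, so the object being checked changed along with the predicate. That brings it in line with the krb5 path earlier in this file, but the assignment relating the two pointers is outside the hunk. If they can ever differ, `register_homes_share()` would be gated on a different session than before. I would either keep `session->compat_vuser->session_info` as the argument, or add a comment stating that the two are the same object at this point, provided that is the case.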