Diffstat (limited to 'source3')
-rw-r--r-- | source3/include/proto.h | 5 | ||||
-rw-r--r-- | source3/printing/nt_printing.c | 2 | ||||
-rw-r--r-- | source3/rpc_server/srv_spoolss_nt.c | 16 | ||||
-rw-r--r-- | source3/smbd/service.c | 1 | ||||
-rw-r--r-- | source3/smbd/share_access.c | 26 | ||||
-rw-r--r-- | source3/smbd/uid.c | 9 |
6 files changed, 38 insertions, 21 deletions
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 719eacb42e..afce9ae63b 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -10237,11 +10237,14 @@ void reply_sesssetup_and_X(struct smb_request *req);
 /* The following definitions come from smbd/share_access.c */
 bool token_contains_name_in_list(const char *username,
+				 const char *domain,
 				 const char *sharename,
 				 const struct nt_user_token *token,
 				 const char **list);
-bool user_ok_token(const char *username, struct nt_user_token *token, int snum);
+bool user_ok_token(const char *username, const char *domain,
+		   struct nt_user_token *token, int snum);
 bool is_share_read_only_for_token(const char *username,
+				  const char *domain,
 				  struct nt_user_token *token, int snum);
 /* The following definitions come from smbd/srvstr.c */
diff --git a/source3/printing/nt_printing.c b/source3/printing/nt_printing.c
index 3a7f1174bd..c13ab5a180 100644
--- a/source3/printing/nt_printing.c
+++ b/source3/printing/nt_printing.c
@@ -5835,7 +5835,7 @@ bool print_access_check(struct current_user *user, int snum, int access_type)
 	/* see if we need to try the printer admin list */
 	if ((access_granted == 0) &&
-	    (token_contains_name_in_list(uidtoname(user->ut.uid), NULL,
+	    (token_contains_name_in_list(uidtoname(user->ut.uid), NULL, NULL,
 					 user->nt_user_token, lp_printer_admin(snum)))) {
 		talloc_destroy(mem_ctx);
diff --git a/source3/rpc_server/srv_spoolss_nt.c b/source3/rpc_server/srv_spoolss_nt.c
index 0e98a39426..06b3d4a07a 100644
--- a/source3/rpc_server/srv_spoolss_nt.c
+++ b/source3/rpc_server/srv_spoolss_nt.c
@@ -1649,7 +1649,8 @@ WERROR _spoolss_open_printer_ex( pipes_struct *p, SPOOL_Q_OPEN_PRINTER_EX *q_u,
 	    !user_has_privileges(p->pipe_user.nt_user_token, &se_printop ) &&
 	    !token_contains_name_in_list(
-		    uidtoname(p->pipe_user.ut.uid), NULL,
+		    uidtoname(p->pipe_user.ut.uid),
+		    NULL, NULL,
 		    p->pipe_user.nt_user_token,
 		    lp_printer_admin(snum))) {
 		close_printer_handle(p, handle);
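Review bot: `token_contains_name_in_list()` is now called with `NULL` for the new `domain` argument in the printer-admin check of `print_access_check()`, and likewise in srv_spoolss_nt.c at 1649, 2008 and 2103 (and `user_ok_token()` at 1703), whereas the value that `talloc_sub_basic()` previously received in share_access.c was `current_user_info.domain`. Whether `talloc_sub_basic()` tolerates a NULL domain cannot be seen from this diff; if it does not, a `printer admin` (or `valid users`) list entry containing `%D` would now dereference NULL on the RPC path, and if it substitutes an empty string, such an entry silently stops matching — either way this is an authorization-list check whose behaviour changed for these callers. Suggest either guaranteeing a non-NULL domain at these call sites (whatever value `talloc_sub_basic()` expects when no session domain is available) or stating the contract at the call, e.g. `/* no session domain for the pipe user: %D is not substituted in printer admin entries */`. print_access_check() continues outside the hunk.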
@@ -1703,7 +1704,7 @@ WERROR _spoolss_open_printer_ex( pipes_struct *p, SPOOL_Q_OPEN_PRINTER_EX *q_u,
 		return WERR_ACCESS_DENIED;
 	}
-	if (!user_ok_token(uidtoname(p->pipe_user.ut.uid),
+	if (!user_ok_token(uidtoname(p->pipe_user.ut.uid), NULL,
 			   p->pipe_user.nt_user_token, snum) ||
 	    !print_access_check(&p->pipe_user, snum,
 				printer_default->access_required)) {
@@ -2008,8 +2009,10 @@ WERROR _spoolss_deleteprinterdriver(pipes_struct *p, SPOOL_Q_DELETEPRINTERDRIVER
 	if ( (p->pipe_user.ut.uid != 0)
 		&& !user_has_privileges(p->pipe_user.nt_user_token, &se_printop )
-		&& !token_contains_name_in_list( uidtoname(p->pipe_user.ut.uid),
-			NULL, p->pipe_user.nt_user_token, lp_printer_admin(-1)) )
+		&& !token_contains_name_in_list(
+			uidtoname(p->pipe_user.ut.uid), NULL,
+			NULL, p->pipe_user.nt_user_token,
+			lp_printer_admin(-1)) )
 	{
 		return WERR_ACCESS_DENIED;
 	}
@@ -2103,8 +2106,9 @@ WERROR _spoolss_deleteprinterdriverex(pipes_struct *p, SPOOL_Q_DELETEPRINTERDRIV
 	if ( (p->pipe_user.ut.uid != 0)
 		&& !user_has_privileges(p->pipe_user.nt_user_token, &se_printop )
-		&& !token_contains_name_in_list( uidtoname(p->pipe_user.ut.uid),
-			NULL, p->pipe_user.nt_user_token, lp_printer_admin(-1)) )
+		&& !token_contains_name_in_list(
+			uidtoname(p->pipe_user.ut.uid), NULL, NULL,
+			p->pipe_user.nt_user_token, lp_printer_admin(-1)) )
 	{
 		return WERR_ACCESS_DENIED;
 	}
diff --git a/source3/smbd/service.c b/source3/smbd/service.c
index c90d4d16bc..4092928de1 100644
--- a/source3/smbd/service.c
+++ b/source3/smbd/service.c
@@ -646,6 +646,7 @@ static NTSTATUS create_connection_server_info(TALLOC_CTX *mem_ctx, int snum,
 		}
 	} else {
 		if (!user_ok_token(vuid_serverinfo->unix_name,
+				   pdb_get_domain(vuid_serverinfo->sam_account),
 				   vuid_serverinfo->ptok, snum)) {
 			DEBUG(2, ("user '%s' (from session setup) not "
 				  "permitted to access this share "
diff --git a/source3/smbd/share_access.c b/source3/smbd/share_access.c
index 512126254a..f5f79c86e5 100644
--- a/source3/smbd/share_access.c
+++ b/source3/smbd/share_access.c
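Review bot: `pdb_get_domain(vuid_serverinfo->sam_account)` is evaluated unconditionally in the new argument of the service.c hunk at 646, and the same expression is added three more times in uid.c at 78 and 127; whether `sam_account` is guaranteed non-NULL for every server_info that reaches this branch (guest or anonymous sessions, for instance) is not visible here. If it can be NULL and `pdb_get_domain()` dereferences its argument, the share-access check would crash rather than deny. Suggest a comment such as `/* sam_account is always populated for a session-setup user */` once the code constructing server_info confirms it, or a small helper that returns a defined value for a missing account so all four call sites share one guard. create_connection_server_info() continues outside the hunk.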
@@ -27,8 +27,6 @@
  * + and & may be combined
  */
-extern userdom_struct current_user_info;
-
 static bool do_group_checks(const char **name, const char **pattern)
 {
 	if ((*name)[0] == '@') {
@@ -66,6 +64,7 @@ static bool do_group_checks(const char **name, const char **pattern)
 static bool token_contains_name(TALLOC_CTX *mem_ctx,
 				const char *username,
+				const char *domain,
 				const char *sharename,
 				const struct nt_user_token *token,
 				const char *name)
@@ -75,8 +74,7 @@ static bool token_contains_name(TALLOC_CTX *mem_ctx,
 	enum lsa_SidType type;
 	if (username != NULL) {
-		name = talloc_sub_basic(mem_ctx, username,
-					current_user_info.domain, name);
+		name = talloc_sub_basic(mem_ctx, username, domain, name);
 	}
 	if (sharename != NULL) {
 		name = talloc_string_sub(mem_ctx, name, "%S", sharename);
@@ -152,6 +150,7 @@ static bool token_contains_name(TALLOC_CTX *mem_ctx,
  */
 bool token_contains_name_in_list(const char *username,
+				 const char *domain,
 				 const char *sharename,
 				 const struct nt_user_token *token,
 				 const char **list)
@@ -167,7 +166,8 @@ bool token_contains_name_in_list(const char *username,
 	}
 	while (*list != NULL) {
-		if (token_contains_name(mem_ctx, username, sharename,token, *list)) {
+		if (token_contains_name(mem_ctx, username, domain, sharename,
+					token, *list)) {
 			TALLOC_FREE(mem_ctx);
 			return True;
 		}
@@ -191,10 +191,12 @@ bool token_contains_name_in_list(const char *username,
  * The other use is the netgroup check when using @group or &group.
  */
-bool user_ok_token(const char *username, struct nt_user_token *token, int snum)
+bool user_ok_token(const char *username, const char *domain,
+		   struct nt_user_token *token, int snum)
 {
 	if (lp_invalid_users(snum) != NULL) {
-		if (token_contains_name_in_list(username, domain,
+		if (token_contains_name_in_list(username, domain,
+						lp_servicename(snum),
 						token, lp_invalid_users(snum))) {
 			DEBUG(10, ("User %s in 'invalid users'\n", username));
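Review bot: The block comment that closes on the first line of the hunk at 152, and the one closing above `user_ok_token()` in the hunk at 191, describe the old parameter lists, so the new `domain` argument is undocumented at both public entry points; a caller cannot tell from the declaration whether NULL is accepted or what `%D` expands to when it is. Suggest adding to each comment a line along the lines of `domain: the user's domain, used for %D substitution in list entries when username is non-NULL` together with the NULL rule, phrased to match what `talloc_sub_basic()` actually does with a NULL domain, which cannot be confirmed from this diff. The declarations in proto.h would carry the same note if they are hand-maintained rather than generated. Both functions continue outside their hunks.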
@@ -203,7 +205,7 @@ bool user_ok_token(const char *username, struct nt_user_token *token, int snum)
 	}
 	if (lp_valid_users(snum) != NULL) {
-		if (!token_contains_name_in_list(username,
+		if (!token_contains_name_in_list(username, domain,
 						 lp_servicename(snum), token,
 						 lp_valid_users(snum))) {
 			DEBUG(10, ("User %s not in 'valid users'\n",
@@ -220,7 +222,8 @@ bool user_ok_token(const char *username, struct nt_user_token *token, int snum)
 			DEBUG(0, ("'only user = yes' and no 'username ='\n"));
 			return False;
 		}
-		if (!token_contains_name_in_list(NULL, lp_servicename(snum),
+		if (!token_contains_name_in_list(NULL, domain,
+						 lp_servicename(snum),
 						 token, list)) {
 			DEBUG(10, ("%s != 'username'\n", username));
 			return False;
@@ -248,12 +251,13 @@ bool user_ok_token(const char *username, struct nt_user_token *token, int snum)
  */
 bool is_share_read_only_for_token(const char *username,
+				  const char *domain,
 				  struct nt_user_token *token, int snum)
 {
 	bool result = lp_readonly(snum);
 	if (lp_readlist(snum) != NULL) {
-		if (token_contains_name_in_list(username,
+		if (token_contains_name_in_list(username, domain,
 						lp_servicename(snum), token,
 						lp_readlist(snum))) {
 			result = True;
@@ -261,7 +265,7 @@ bool is_share_read_only_for_token(const char *username,
 	}
 	if (lp_writelist(snum) != NULL) {
-		if (token_contains_name_in_list(username,
+		if (token_contains_name_in_list(username, domain,
 						lp_servicename(snum), token,
 						lp_writelist(snum))) {
 			result = False;
diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c
index 310ad4d23a..b0f8cb224b 100644
--- a/source3/smbd/uid.c
+++ b/source3/smbd/uid.c
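Review bot: In the `only user` branch of the hunk at 220, `domain` is passed alongside a NULL `username`, but `token_contains_name()` (hunk at 75) only calls `talloc_sub_basic()` when `username != NULL`, so the domain has no effect on this call. Passing NULL for both, or a short comment such as `/* domain is ignored here: no %U/%D substitution without a username */`, would make that explicit to the next reader. user_ok_token() continues outside the hunk.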
@@ -78,12 +78,15 @@ static bool check_user_ok(connection_struct *conn, user_struct *vuser,int snum)
 	}
 	if (!user_ok_token(vuser->server_info->unix_name,
+			   pdb_get_domain(vuser->server_info->sam_account),
 			   vuser->server_info->ptok, snum))
 		return(False);
 	readonly_share = is_share_read_only_for_token(
-		vuser->server_info->unix_name, vuser->server_info->ptok,
+		vuser->server_info->unix_name,
+		pdb_get_domain(vuser->server_info->sam_account),
+		vuser->server_info->ptok,
 		SNUM(conn));
 	if (!readonly_share &&
@@ -127,7 +130,9 @@ static bool check_user_ok(connection_struct *conn, user_struct *vuser,int snum)
 	ent->read_only = readonly_share;
 	ent->admin_user = token_contains_name_in_list(
-		vuser->server_info->unix_name, NULL, vuser->server_info->ptok,
+		vuser->server_info->unix_name,
+		pdb_get_domain(vuser->server_info->sam_account),
+		NULL, vuser->server_info->ptok,
 		lp_admin_users(SNUM(conn)));
 	conn->read_only = ent->read_only;
|
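Review bot: The two calls in the hunk at 78 take the share index from different sources — `user_ok_token()` is passed `snum` while `is_share_read_only_for_token()` on the following lines is passed `SNUM(conn)` — an asymmetry that predates this change but is now spelled out on adjacent, freshly edited lines. If these are always the same share, using `snum` in both calls (or a comment saying why they may differ) removes the question; if they can differ, the read-only decision is made for a share other than the one just authorized. The `pdb_get_domain(vuser->server_info->sam_account)` expression is also repeated three times across the hunks at 78 and 127; a single `const char *domain = pdb_get_domain(vuser->server_info->sam_account);` near the top of `check_user_ok()` would keep one evaluation and one place to guard it. check_user_ok() continues outside the hunk.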