From 8674440d81f703cb59979426c92ed54de8e5f2ed Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 20 Aug 2002 01:54:28 +0000 Subject: Based orginally by work by Kai, this patch moves our NT_TOKEN generation into our authenticaion code - removing some of the duplication from the current code. This also gets us *much* closer to supporting a real SAM backend, becouse the SAM can give us the right info then. This also changes our service.c code, so that we do a VUID (rather than uid) cache on the connection struct, and do full NT ACL/NT_TOKEN checks (or cached equivilant) on every packet, for the same r or rw mode the whole share was open for. Andrew Bartlett (This used to be commit d8122cee059fc7098bfa7e42e638a9958b3ac902) --- source3/auth/auth_builtin.c | 9 +- source3/auth/auth_sam.c | 6 +- source3/auth/auth_server.c | 4 +- source3/auth/auth_util.c | 494 ++++++++++++++++++++++++++++++------- source3/auth/auth_winbind.c | 2 +- source3/include/local.h | 2 +- source3/include/smb.h | 7 +- source3/rpc_server/srv_pipe.c | 35 +-- source3/rpc_server/srv_srvsvc_nt.c | 6 +- source3/smbd/conn.c | 24 +- source3/smbd/password.c | 156 +++--------- source3/smbd/service.c | 35 +-- source3/smbd/sesssetup.c | 4 +- source3/smbd/uid.c | 38 +-- 14 files changed, 536 insertions(+), 286 deletions(-) diff --git a/source3/auth/auth_builtin.c b/source3/auth/auth_builtin.c index 5ce7075ab9..bba1ad98bd 100644 --- a/source3/auth/auth_builtin.c +++ b/source3/auth/auth_builtin.c @@ -41,13 +41,8 @@ static NTSTATUS check_guest_security(const struct auth_context *auth_context, NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; if (!(user_info->internal_username.str - && *user_info->internal_username.str)) { - if (make_server_info_guest(server_info)) { - nt_status = NT_STATUS_OK; - } else { - nt_status = NT_STATUS_NO_SUCH_USER; - } - } + && *user_info->internal_username.str)) + nt_status = make_server_info_guest(server_info); return nt_status; } diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index 155370546a..50f1e5dac9 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -403,9 +403,9 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, return nt_status; } - if (!make_server_info_sam(server_info, sampass)) { - DEBUG(0,("failed to malloc memory for server_info\n")); - return NT_STATUS_NO_MEMORY; + if (!NT_STATUS_IS_OK(nt_status = make_server_info_sam(server_info, sampass))) { + DEBUG(0,("failed to malloc memory for server_info ret: %s\n", nt_errstr(nt_status))); + return nt_status; } lm_hash = pdb_get_lanman_passwd((*server_info)->sam_account); diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index f227c9125c..0ed905e79c 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -375,9 +375,7 @@ use this machine as the password server.\n")); if NT_STATUS_IS_OK(nt_status) { struct passwd *pass = Get_Pwnam(user_info->internal_username.str); if (pass) { - if (!make_server_info_pw(server_info, pass)) { - nt_status = NT_STATUS_NO_MEMORY; - } + nt_status = make_server_info_pw(server_info, pass); } else { nt_status = NT_STATUS_NO_SUCH_USER; } diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index f914d91871..51b8005634 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -26,6 +26,11 @@ #define DBGC_CLASS DBGC_AUTH extern pstring global_myname; +extern DOM_SID global_sid_World; +extern DOM_SID global_sid_Network; +extern DOM_SID global_sid_Builtin_Guests; +extern DOM_SID global_sid_Authenticated_Users; + /**************************************************************************** Create a UNIX user on demand. @@ -455,37 +460,298 @@ BOOL make_user_info_guest(auth_usersupplied_info **user_info) auth_flags, True); } +/**************************************************************************** + prints a NT_USER_TOKEN to debug output. +****************************************************************************/ + +void debug_nt_user_token(int dbg_class, int dbg_lev, NT_USER_TOKEN *token) +{ + fstring sid_str; + int i; + + DEBUGC(dbg_class, dbg_lev, ("NT user token of user %s\n", + sid_to_string(sid_str, &token->user_sids[0]) )); + DEBUGADDC(dbg_class, dbg_lev, ("contains %i SIDs\n", token->num_sids)); + for (i = 0; i < token->num_sids; i++) + DEBUGADDC(dbg_class, dbg_lev, ("SID[%3i]: %s\n", i, + sid_to_string(sid_str, &token->user_sids[i]))); +} + +/**************************************************************************** + Create the SID list for this user. +****************************************************************************/ + +static NTSTATUS create_nt_user_token(const DOM_SID *user_sid, const DOM_SID *group_sid, + int n_groupSIDs, DOM_SID *groupSIDs, + BOOL is_guest, NT_USER_TOKEN **token) +{ + NTSTATUS nt_status = NT_STATUS_OK; + NT_USER_TOKEN *ptoken; + int i; + int sid_ndx; + + if ((ptoken = malloc( sizeof(NT_USER_TOKEN) ) ) == NULL) { + DEBUG(0, ("create_nt_token: Out of memory allocating token\n")); + nt_status = NT_STATUS_NO_MEMORY; + return nt_status; + } + + ZERO_STRUCTP(ptoken); + + ptoken->num_sids = n_groupSIDs + 5; + + if ((ptoken->user_sids = (DOM_SID *)malloc( sizeof(DOM_SID) * ptoken->num_sids )) == NULL) { + DEBUG(0, ("create_nt_token: Out of memory allocating SIDs\n")); + nt_status = NT_STATUS_NO_MEMORY; + return nt_status; + } + + memset((char*)ptoken->user_sids,0,sizeof(DOM_SID) * ptoken->num_sids); + + /* + * Note - user SID *MUST* be first in token ! + * se_access_check depends on this. + * + * Primary group SID is second in token. Convention. + */ + + sid_copy(&ptoken->user_sids[PRIMARY_USER_SID_INDEX], user_sid); + if (group_sid) + sid_copy(&ptoken->user_sids[PRIMARY_GROUP_SID_INDEX], group_sid); + + /* + * Finally add the "standard" SIDs. + * The only difference between guest and "anonymous" (which we + * don't really support) is the addition of Authenticated_Users. + */ + + sid_copy(&ptoken->user_sids[2], &global_sid_World); + sid_copy(&ptoken->user_sids[3], &global_sid_Network); + + if (is_guest) + sid_copy(&ptoken->user_sids[4], &global_sid_Builtin_Guests); + else + sid_copy(&ptoken->user_sids[4], &global_sid_Authenticated_Users); + + sid_ndx = 5; /* next available spot */ + + for (i = 0; i < n_groupSIDs; i++) { + int check_sid_idx; + for (check_sid_idx = 1; check_sid_idx < ptoken->num_sids; check_sid_idx++) { + if (sid_equal(&ptoken->user_sids[check_sid_idx], + &groupSIDs[i])) { + break; + } + } + + if (check_sid_idx >= ptoken->num_sids) /* Not found already */ { + sid_copy(&ptoken->user_sids[sid_ndx++], &groupSIDs[i]); + } else { + ptoken->num_sids--; + } + } + + debug_nt_user_token(DBGC_AUTH, 10, ptoken); + + *token = ptoken; + + return nt_status; +} + +/**************************************************************************** + Create the SID list for this user. +****************************************************************************/ + +NT_USER_TOKEN *create_nt_token(uid_t uid, gid_t gid, int ngroups, gid_t *groups, BOOL is_guest) +{ + DOM_SID user_sid; + DOM_SID group_sid; + DOM_SID *group_sids; + NT_USER_TOKEN *token; + int i; + + if (!uid_to_sid(&user_sid, uid)) { + return NULL; + } + if (!gid_to_sid(&group_sid, gid)) { + return NULL; + } + + group_sids = malloc(sizeof(DOM_SID) * ngroups); + if (!group_sids) { + DEBUG(0, ("create_nt_token: malloc() failed for DOM_SID list!\n")); + return NULL; + } + + for (i = 0; i < ngroups; i++) { + if (!gid_to_sid(&(group_sids)[i], (groups)[i])) { + DEBUG(1, ("create_nt_token: failed to convert gid %ld to a sid!\n", (long int)groups[i])); + SAFE_FREE(group_sids); + return NULL; + } + } + + if (!NT_STATUS_IS_OK(create_nt_user_token(&user_sid, &group_sid, + ngroups, group_sids, is_guest, &token))) { + SAFE_FREE(group_sids); + return NULL; + } + + SAFE_FREE(group_sids); + + return token; +} + +/****************************************************************************** + * this function returns the groups (SIDs) of the local SAM the user is in. + * If this samba server is a DC of the domain the user belongs to, it returns + * both domain groups and local / builtin groups. If the user is in a trusted + * domain, or samba is a member server of a domain, then this function returns + * local and builtin groups the user is a member of. + * + * currently this is a hack, as there is no sam implementation that is capable + * of groups. + ******************************************************************************/ + +static NTSTATUS get_user_groups_from_local_sam(const DOM_SID *user_sid, + int *n_groups, DOM_SID **groups, gid_t **unix_groups) +{ + uid_t uid; + enum SID_NAME_USE snu; + fstring str; + int n_unix_groups; + int i; + struct passwd *usr; + + *n_groups = 0; + *groups = NULL; + + if (!sid_to_uid(user_sid, &uid, &snu)) { + DEBUG(2, ("get_user_groups_from_local_sam: Failed to convert user SID %s to a uid!\n", sid_to_string(str, user_sid))); + return NT_STATUS_NO_SUCH_USER; + } + + usr = getpwuid_alloc(uid); + + n_unix_groups = groups_max(); + if ((*unix_groups = malloc( sizeof(gid_t) * groups_max() ) ) == NULL) { + DEBUG(0, ("get_user_groups_from_local_sam: Out of memory allocating unix group list\n")); + passwd_free(&usr); + return NT_STATUS_NO_MEMORY; + } + + if (sys_getgrouplist(usr->pw_name, usr->pw_gid, *unix_groups, &n_unix_groups) == -1) { + *unix_groups = realloc(unix_groups, sizeof(gid_t) * n_unix_groups); + if (sys_getgrouplist(usr->pw_name, usr->pw_gid, *unix_groups, &n_unix_groups) == -1) { + DEBUG(0, ("get_user_groups_from_local_sam: failed to get the unix group list\n")); + SAFE_FREE(unix_groups); + passwd_free(&usr); + return NT_STATUS_NO_SUCH_USER; /* what should this return value be? */ + } + } + + passwd_free(&usr); + + DEBUG(5,("get_user_groups_from_local_sam: user is in the unix following groups\n")); + for (i = 0; i < n_unix_groups; i++) + DEBUGADD(5,("supplementary group gid:%ld\n",(long int)(*unix_groups)[i])); + + *groups = malloc(sizeof(DOM_SID) * n_unix_groups); + if (!*groups) { + DEBUG(0, ("get_user_group_from_local_sam: malloc() failed for DOM_SID list!\n")); + SAFE_FREE(unix_groups); + return NT_STATUS_NO_MEMORY; + } + + *n_groups = n_unix_groups; + + for (i = 0; i < *n_groups; i++) { + if (!gid_to_sid(&(*groups)[i], (*unix_groups)[i])) { + DEBUG(1, ("get_user_groups_from_local_sam: failed to convert gid %ld to a sid!\n", (long int)unix_groups[i+1])); + SAFE_FREE(groups); + SAFE_FREE(unix_groups); + return NT_STATUS_NO_SUCH_USER; + } + } + + return NT_STATUS_OK; +} + /*************************************************************************** Make a user_info struct ***************************************************************************/ -static BOOL make_server_info(auth_serversupplied_info **server_info) +static NTSTATUS make_server_info(auth_serversupplied_info **server_info, SAM_ACCOUNT *sampass) { *server_info = malloc(sizeof(**server_info)); if (!*server_info) { DEBUG(0,("make_server_info: malloc failed!\n")); - return False; + return NT_STATUS_NO_MEMORY; } ZERO_STRUCTP(*server_info); - return True; + + (*server_info)->sam_fill_level = SAM_FILL_ALL; + (*server_info)->sam_account = sampass; + + return NT_STATUS_OK; } /*************************************************************************** Make (and fill) a user_info struct from a SAM_ACCOUNT ***************************************************************************/ -BOOL make_server_info_sam(auth_serversupplied_info **server_info, SAM_ACCOUNT *sampass) +NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, + SAM_ACCOUNT *sampass) { - if (!make_server_info(server_info)) { - return False; + NTSTATUS nt_status = NT_STATUS_OK; + const DOM_SID *user_sid = pdb_get_user_sid(sampass); + const DOM_SID *group_sid = pdb_get_group_sid(sampass); + int n_groupSIDs = 0; + DOM_SID *groupSIDs = NULL; + gid_t *unix_groups = NULL; + NT_USER_TOKEN *token; + BOOL is_guest; + uint32 rid; + + if (!NT_STATUS_IS_OK(nt_status = make_server_info(server_info, sampass))) { + return nt_status; } + + if (!NT_STATUS_IS_OK(nt_status + = get_user_groups_from_local_sam(pdb_get_user_sid(sampass), + &n_groupSIDs, &groupSIDs, &unix_groups))) + { + DEBUG(4,("get_user_groups_from_local_sam failed\n")); + free_server_info(server_info); + return nt_status; + } + + is_guest = (sid_peek_rid(user_sid, &rid) && rid == DOMAIN_USER_RID_GUEST); - (*server_info)->sam_fill_level = SAM_FILL_ALL; - (*server_info)->sam_account = sampass; + if (!NT_STATUS_IS_OK(nt_status = create_nt_user_token(user_sid, group_sid, + n_groupSIDs, groupSIDs, is_guest, + &token))) + { + DEBUG(4,("create_nt_user_token failed\n")); + SAFE_FREE(groupSIDs); + SAFE_FREE(unix_groups); + free_server_info(server_info); + return nt_status; + } + + SAFE_FREE(groupSIDs); + + (*server_info)->n_groups = n_groupSIDs; + (*server_info)->groups = unix_groups; + + (*server_info)->ptok = token; + + debug_nt_user_token(DBGC_AUTH, 5, token); DEBUG(5,("make_server_info_sam: made server info for user %s\n", pdb_get_username((*server_info)->sam_account))); - return True; + + return nt_status; } /*************************************************************************** @@ -493,75 +759,42 @@ BOOL make_server_info_sam(auth_serversupplied_info **server_info, SAM_ACCOUNT *s to a SAM_ACCOUNT ***************************************************************************/ -BOOL make_server_info_pw(auth_serversupplied_info **server_info, const struct passwd *pwd) +NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info, const struct passwd *pwd) { + NTSTATUS nt_status; SAM_ACCOUNT *sampass = NULL; - if (!NT_STATUS_IS_OK(pdb_init_sam_pw(&sampass, pwd))) { - return False; + if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam_pw(&sampass, pwd))) { + return nt_status; } return make_server_info_sam(server_info, sampass); } /*************************************************************************** - Free a user_info struct + Make (and fill) a user_info struct for a guest login. ***************************************************************************/ -void free_user_info(auth_usersupplied_info **user_info) +NTSTATUS make_server_info_guest(auth_serversupplied_info **server_info) { - DEBUG(5,("attempting to free (and zero) a user_info structure\n")); - if (*user_info != NULL) { - if ((*user_info)->smb_name.str) { - DEBUG(10,("structure was created for %s\n", (*user_info)->smb_name.str)); - } - SAFE_FREE((*user_info)->smb_name.str); - SAFE_FREE((*user_info)->internal_username.str); - SAFE_FREE((*user_info)->client_domain.str); - SAFE_FREE((*user_info)->domain.str); - SAFE_FREE((*user_info)->wksta_name.str); - data_blob_free(&(*user_info)->lm_resp); - data_blob_free(&(*user_info)->nt_resp); - SAFE_FREE((*user_info)->interactive_password); - data_blob_clear_free(&(*user_info)->plaintext_password); - ZERO_STRUCT(**user_info); + NTSTATUS nt_status; + SAM_ACCOUNT *sampass = NULL; + DOM_SID guest_sid; + + if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam(&sampass))) { + return nt_status; } - SAFE_FREE(*user_info); -} -/*************************************************************************** - Clear out a server_info struct that has been allocated -***************************************************************************/ + sid_copy(&guest_sid, get_global_sam_sid()); + sid_append_rid(&guest_sid, DOMAIN_USER_RID_GUEST); -void free_server_info(auth_serversupplied_info **server_info) -{ - if (*server_info != NULL) { - pdb_free_sam(&(*server_info)->sam_account); - - /* call pam_end here, unless we know we are keeping it */ - delete_nt_token( &(*server_info)->ptok ); - ZERO_STRUCT(**server_info); + if (!pdb_getsampwsid(sampass, &guest_sid)) { + return NT_STATUS_NO_SUCH_USER; } - SAFE_FREE(*server_info); -} -/*************************************************************************** - Make a server_info struct for a guest user -***************************************************************************/ + nt_status = make_server_info_sam(server_info, sampass); -BOOL make_server_info_guest(auth_serversupplied_info **server_info) -{ - struct passwd *pass = getpwnam_alloc(lp_guestaccount()); - - if (pass) { - if (!make_server_info_pw(server_info, pass)) { - passwd_free(&pass); - return False; - } - (*server_info)->guest = True; - passwd_free(&pass); - return True; - } - DEBUG(0,("make_server_info_guest: getpwnam_alloc() failed on guest account!\n")); - return False; + (*server_info)->guest = True; + + return nt_status; } /*************************************************************************** @@ -589,6 +822,15 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, uid_t uid; gid_t gid; + int n_lgroupSIDs; + DOM_SID *lgroupSIDs = NULL; + + gid_t *unix_groups = NULL; + NT_USER_TOKEN *token; + + DOM_SID *all_group_SIDs; + int i; + /* Here is where we should check the list of trusted domains, and verify that the SID @@ -698,49 +940,115 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, return NT_STATUS_NO_MEMORY; } - if (!make_server_info_sam(server_info, sam_account)) { - DEBUG(0, ("make_server_info_info3: make_server_info_sam failed!\n")); + if (!NT_STATUS_IS_OK(nt_status = make_server_info(server_info, sam_account))) { + DEBUG(4, ("make_server_info failed!\n")); pdb_free_sam(&sam_account); - return NT_STATUS_NO_MEMORY; + return nt_status; } /* Store the user group information in the server_info returned to the caller. */ - if (info3->num_groups2 != 0) { - int i; - NT_USER_TOKEN *ptok; - auth_serversupplied_info *pserver_info = *server_info; - - if ((pserver_info->ptok = malloc( sizeof(NT_USER_TOKEN) ) ) == NULL) { - DEBUG(0, ("domain_client_validate: out of memory allocating rid group membership\n")); - nt_status = NT_STATUS_NO_MEMORY; - free_server_info(server_info); - return nt_status; - } - - ptok = pserver_info->ptok; - ptok->num_sids = (size_t)info3->num_groups2; - - if ((ptok->user_sids = (DOM_SID *)malloc( sizeof(DOM_SID) * ptok->num_sids )) == NULL) { - DEBUG(0, ("domain_client_validate: Out of memory allocating group SIDS\n")); - nt_status = NT_STATUS_NO_MEMORY; - free_server_info(server_info); + if (!NT_STATUS_IS_OK(nt_status + = get_user_groups_from_local_sam(&user_sid, + &n_lgroupSIDs, + &lgroupSIDs, + &unix_groups))) + { + DEBUG(4,("get_user_groups_from_local_sam failed\n")); + return nt_status; + } + + (*server_info)->groups = unix_groups; + (*server_info)->n_groups = n_lgroupSIDs; + + /* Create a 'combined' list of all SIDs we might want in the SD */ + all_group_SIDs = malloc(sizeof(DOM_SID) * (n_lgroupSIDs+info3->num_groups2)); + if (!all_group_SIDs) { + DEBUG(0, ("create_nt_token_info3: malloc() failed for DOM_SID list!\n")); + SAFE_FREE(lgroupSIDs); + return NT_STATUS_NO_MEMORY; + } + + /* Copy the 'local' sids */ + memcpy(all_group_SIDs, lgroupSIDs, sizeof(DOM_SID) * n_lgroupSIDs); + SAFE_FREE(lgroupSIDs); + + /* and create (by appending rids) the 'domain' sids */ + for (i = 0; i < info3->num_groups2; i++) { + sid_copy(&all_group_SIDs[i+n_lgroupSIDs+1], &(info3->dom_sid.sid)); + if (!sid_append_rid(&all_group_SIDs[i+n_lgroupSIDs+1], info3->gids[i].g_rid)) { + nt_status = NT_STATUS_INVALID_PARAMETER; + DEBUG(3,("create_nt_token_info3: could not append additional group rid 0x%x\n", + info3->gids[i].g_rid)); + SAFE_FREE(lgroupSIDs); return nt_status; } - - for (i = 0; i < ptok->num_sids; i++) { - sid_copy(&ptok->user_sids[i], &(info3->dom_sid.sid)); - if (!sid_append_rid(&ptok->user_sids[i], info3->gids[i].g_rid)) { - nt_status = NT_STATUS_INVALID_PARAMETER; - free_server_info(server_info); - return nt_status; - } - } } + + /* Where are the 'global' sids... */ + + /* can the user be guest? if yes, where is it stored? */ + if (!NT_STATUS_IS_OK(nt_status = create_nt_user_token(&user_sid, &group_sid, + n_lgroupSIDs+info3->num_groups2, all_group_SIDs, + False, &token))) { + DEBUG(4,("create_nt_user_token failed\n")); + SAFE_FREE(all_group_SIDs); + return nt_status; + } + + (*server_info)->ptok = token; + + SAFE_FREE(all_group_SIDs); + + debug_nt_user_token(DBGC_AUTH, 5, token); + return NT_STATUS_OK; } +/*************************************************************************** + Free a user_info struct +***************************************************************************/ + +void free_user_info(auth_usersupplied_info **user_info) +{ + DEBUG(5,("attempting to free (and zero) a user_info structure\n")); + if (*user_info != NULL) { + if ((*user_info)->smb_name.str) { + DEBUG(10,("structure was created for %s\n", (*user_info)->smb_name.str)); + } + SAFE_FREE((*user_info)->smb_name.str); + SAFE_FREE((*user_info)->internal_username.str); + SAFE_FREE((*user_info)->client_domain.str); + SAFE_FREE((*user_info)->domain.str); + SAFE_FREE((*user_info)->wksta_name.str); + data_blob_free(&(*user_info)->lm_resp); + data_blob_free(&(*user_info)->nt_resp); + SAFE_FREE((*user_info)->interactive_password); + data_blob_clear_free(&(*user_info)->plaintext_password); + ZERO_STRUCT(**user_info); + } + SAFE_FREE(*user_info); +} + +/*************************************************************************** + Clear out a server_info struct that has been allocated +***************************************************************************/ + +void free_server_info(auth_serversupplied_info **server_info) +{ + DEBUG(5,("attempting to free (and zero) a server_info structure\n")); + if (*server_info != NULL) { + pdb_free_sam(&(*server_info)->sam_account); + + /* call pam_end here, unless we know we are keeping it */ + delete_nt_token( &(*server_info)->ptok ); + SAFE_FREE((*server_info)->groups); + ZERO_STRUCT(**server_info); + } + SAFE_FREE(*server_info); +} + /*************************************************************************** Make an auth_methods struct ***************************************************************************/ diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c index 5bdccd39f3..10788721fd 100644 --- a/source3/auth/auth_winbind.c +++ b/source3/auth/auth_winbind.c @@ -4,7 +4,7 @@ Winbind authentication mechnism Copyright (C) Tim Potter 2000 - Copyright (C) Andrew Bartlett 2001 + Copyright (C) Andrew Bartlett 2001 - 2002 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by diff --git a/source3/include/local.h b/source3/include/local.h index 46349cfa6d..15231e92ee 100644 --- a/source3/include/local.h +++ b/source3/include/local.h @@ -117,7 +117,7 @@ #endif /* the size of the uid cache used to reduce valid user checks */ -#define UID_CACHE_SIZE 4 +#define VUID_CACHE_SIZE 32 /* the following control timings of various actions. Don't change them unless you know what you are doing. These are all in seconds */ diff --git a/source3/include/smb.h b/source3/include/smb.h index 263dd67c54..1ff0f1c328 100644 --- a/source3/include/smb.h +++ b/source3/include/smb.h @@ -430,9 +430,9 @@ typedef struct time_t status_time; } dir_status_struct; -struct uid_cache { +struct vuid_cache { int entries; - uid_t list[UID_CACHE_SIZE]; + uint16 list[VUID_CACHE_SIZE]; }; typedef struct @@ -461,7 +461,8 @@ typedef struct connection_struct unsigned cnum; /* an index passed over the wire */ int service; BOOL force_user; - struct uid_cache uid_cache; + BOOL force_group; + struct vuid_cache vuid_cache; void *dirptr; BOOL printer; BOOL ipc; diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c index b7be415abc..62e10c9965 100644 --- a/source3/rpc_server/srv_pipe.c +++ b/source3/rpc_server/srv_pipe.c @@ -427,27 +427,30 @@ failed authentication on named pipe %s.\n", domain, user_name, wks, p->name )); memcpy(p->session_key, server_info->session_key, sizeof(p->session_key)); - uid = pdb_get_uid(server_info->sam_account); - gid = pdb_get_gid(server_info->sam_account); - - p->pipe_user.uid = uid; - p->pipe_user.gid = gid; - - /* Set up pipe user group membership. */ - initialise_groups(p->pipe_user_name, p->pipe_user.uid, p->pipe_user.gid); - get_current_groups(p->pipe_user.gid, &p->pipe_user.ngroups, &p->pipe_user.groups); + p->pipe_user.uid = pdb_get_uid(server_info->sam_account); + p->pipe_user.gid = pdb_get_gid(server_info->sam_account); + + p->pipe_user.ngroups = server_info->n_groups; + if (p->pipe_user.ngroups) { + if (!(p->pipe_user.groups = memdup(server_info->groups, sizeof(gid_t) * p->pipe_user.ngroups))) { + DEBUG(0,("failed to memdup group list to p->pipe_user.groups\n")); + free_server_info(&server_info); + return False; + } + } if (server_info->ptok) - add_supplementary_nt_login_groups(&p->pipe_user.ngroups, &p->pipe_user.groups, &server_info->ptok); - - /* Create an NT_USER_TOKEN struct for this user. */ - p->pipe_user.nt_user_token = create_nt_token(p->pipe_user.uid,p->pipe_user.gid, - p->pipe_user.ngroups, p->pipe_user.groups, - server_info->guest, server_info->ptok); + p->pipe_user.nt_user_token = dup_nt_token(server_info->ptok); + else { + DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n")); + p->pipe_user.nt_user_token = NULL; + free_server_info(&server_info); + return False; + } p->ntlmssp_auth_validated = True; - pdb_free_sam(&server_info->sam_account); + free_server_info(&server_info); return True; } diff --git a/source3/rpc_server/srv_srvsvc_nt.c b/source3/rpc_server/srv_srvsvc_nt.c index 5c1038949b..69945b50b8 100644 --- a/source3/rpc_server/srv_srvsvc_nt.c +++ b/source3/rpc_server/srv_srvsvc_nt.c @@ -338,10 +338,10 @@ BOOL share_access_check(connection_struct *conn, int snum, user_struct *vuser, u if (!psd) goto out; - if (vuser) - token = vuser->nt_user_token; - else + if (conn->nt_user_token) token = conn->nt_user_token; + else + token = vuser->nt_user_token; ret = se_access_check(psd, token, desired_access, &granted, &status); diff --git a/source3/smbd/conn.c b/source3/smbd/conn.c index d70e50f899..22407348e8 100644 --- a/source3/smbd/conn.c +++ b/source3/smbd/conn.c @@ -131,7 +131,7 @@ void conn_close_all(void) connection_struct *conn, *next; for (conn=Connections;conn;conn=next) { next=conn->next; - close_cnum(conn, (uint16)-1); + close_cnum(conn, conn->vuid); } } @@ -157,6 +157,27 @@ BOOL conn_idle_all(time_t t, int deadtime) return allidle; } +/**************************************************************************** +clear a vuid out of the validity cache, and as the 'owner' of a connection. +****************************************************************************/ +void conn_clear_vuid_cache(uint16 vuid) +{ + connection_struct *conn; + int i; + + for (conn=Connections;conn;conn=conn->next) { + if (conn->vuid == vuid) { + conn->vuid = UID_FIELD_INVALID; + } + + for (i=0;ivuid_cache.entries && i< VUID_CACHE_SIZE;i++) { + if (conn->vuid_cache.list[i] == vuid) { + conn->vuid_cache.list[i] = UID_FIELD_INVALID; + } + } + } +} + /**************************************************************************** Free a conn structure. ****************************************************************************/ @@ -191,7 +212,6 @@ void conn_free(connection_struct *conn) conn->ngroups = 0; } - delete_nt_token(&conn->nt_user_token); free_namearray(conn->veto_list); free_namearray(conn->hide_list); free_namearray(conn->veto_oplock_list); diff --git a/source3/smbd/password.c b/source3/smbd/password.c index cfac7cf695..f3a09e8c64 100644 --- a/source3/smbd/password.c +++ b/source3/smbd/password.c @@ -69,6 +69,10 @@ void invalidate_vuid(uint16 vuid) DLIST_REMOVE(validated_users, vuser); + /* clear the vuid from the 'cache' on each connection, and + from the vuid 'owner' of connections */ + conn_clear_vuid_cache(vuid); + SAFE_FREE(vuser->groups); delete_nt_token(&vuser->nt_user_token); SAFE_FREE(vuser); @@ -89,95 +93,6 @@ void invalidate_all_vuids(void) } } -/**************************************************************************** - Create the SID list for this user. -****************************************************************************/ - -NT_USER_TOKEN *create_nt_token(uid_t uid, gid_t gid, int ngroups, gid_t *groups, BOOL is_guest, NT_USER_TOKEN *sup_tok) -{ - extern DOM_SID global_sid_World; - extern DOM_SID global_sid_Network; - extern DOM_SID global_sid_Builtin_Guests; - extern DOM_SID global_sid_Authenticated_Users; - NT_USER_TOKEN *token; - DOM_SID *psids; - int i, psid_ndx = 0; - size_t num_sids = 0; - fstring sid_str; - - if ((token = (NT_USER_TOKEN *)malloc( sizeof(NT_USER_TOKEN) ) ) == NULL) - return NULL; - - ZERO_STRUCTP(token); - - /* We always have uid/gid plus World and Network and Authenticated Users or Guest SIDs. */ - num_sids = 5 + ngroups; - - if (sup_tok && sup_tok->num_sids) - num_sids += sup_tok->num_sids; - - if ((token->user_sids = (DOM_SID *)malloc( num_sids*sizeof(DOM_SID))) == NULL) { - SAFE_FREE(token); - return NULL; - } - - psids = token->user_sids; - - /* - * Note - user SID *MUST* be first in token ! - * se_access_check depends on this. - */ - - uid_to_sid( &psids[PRIMARY_USER_SID_INDEX], uid); - psid_ndx++; - - /* - * Primary group SID is second in token. Convention. - */ - - gid_to_sid( &psids[PRIMARY_GROUP_SID_INDEX], gid); - psid_ndx++; - - /* Now add the group SIDs. */ - - for (i = 0; i < ngroups; i++) { - if (groups[i] != gid) { - gid_to_sid( &psids[psid_ndx++], groups[i]); - } - } - - if (sup_tok) { - /* Now add the additional SIDs from the supplimentary token. */ - for (i = 0; i < sup_tok->num_sids; i++) - sid_copy( &psids[psid_ndx++], &sup_tok->user_sids[i] ); - } - - /* - * Finally add the "standard" SIDs. - * The only difference between guest and "anonymous" (which we - * don't really support) is the addition of Authenticated_Users. - */ - - sid_copy( &psids[psid_ndx++], &global_sid_World); - sid_copy( &psids[psid_ndx++], &global_sid_Network); - - if (is_guest) - sid_copy( &psids[psid_ndx++], &global_sid_Builtin_Guests); - else - sid_copy( &psids[psid_ndx++], &global_sid_Authenticated_Users); - - token->num_sids = psid_ndx; - - /* Dump list of sids in token */ - - for (i = 0; i < token->num_sids; i++) { - DEBUG(5, ("user token sid %s\n", - sid_to_string(sid_str, &token->user_sids[i]))); - } - - return token; -} - /**************************************************************************** register a uid/name pair as being valid and that a valid password has been given. vuid is biased by an offset. This allows us to @@ -187,8 +102,6 @@ tell random client vuid's (normally zero) from valid vuids. int register_vuid(auth_serversupplied_info *server_info, const char *smb_name) { user_struct *vuser = NULL; - uid_t uid; - gid_t gid; /* Ensure no vuid gets registered in share level security. */ if(lp_security() == SEC_SHARE) @@ -205,15 +118,6 @@ int register_vuid(auth_serversupplied_info *server_info, const char *smb_name) ZERO_STRUCTP(vuser); - if (!IS_SAM_UNIX_USER(server_info->sam_account)) { - DEBUG(0,("Attempted session setup with invalid user. No uid/gid in SAM_ACCOUNT (flags:%x)\n", pdb_get_init_flag(server_info->sam_account))); - free(vuser); - return UID_FIELD_INVALID; - } - - uid = pdb_get_uid(server_info->sam_account); - gid = pdb_get_gid(server_info->sam_account); - /* Allocate a free vuid. Yes this is a linear search... :-) */ while( get_valid_user_struct(next_vuid) != NULL ) { next_vuid++; @@ -225,18 +129,38 @@ int register_vuid(auth_serversupplied_info *server_info, const char *smb_name) DEBUG(10,("register_vuid: allocated vuid = %u\n", (unsigned int)next_vuid )); vuser->vuid = next_vuid; - vuser->uid = uid; - vuser->gid = gid; + + /* the next functions should be done by a SID mapping system (SMS) as + * the new real sam db won't have reference to unix uids or gids + */ + if (!IS_SAM_UNIX_USER(server_info->sam_account)) { + DEBUG(0,("Attempted session setup with invalid user. No uid/gid in SAM_ACCOUNT (flags:%x)\n", pdb_get_init_flag(server_info->sam_account))); + free(vuser); + return UID_FIELD_INVALID; + } + + vuser->uid = pdb_get_uid(server_info->sam_account); + vuser->gid = pdb_get_gid(server_info->sam_account); + + vuser->n_groups = server_info->n_groups; + if (vuser->n_groups) { + if (!(vuser->groups = memdup(server_info->groups, sizeof(gid_t) * vuser->n_groups))) { + DEBUG(0,("register_vuid: failed to memdup vuser->groups\n")); + free(vuser); + return UID_FIELD_INVALID; + } + } + vuser->guest = server_info->guest; - fstrcpy(vuser->user.unix_name, pdb_get_username(server_info->sam_account)); - fstrcpy(vuser->user.smb_name, smb_name); + fstrcpy(vuser->user.unix_name, pdb_get_username(server_info->sam_account)); + fstrcpy(vuser->user.smb_name, smb_name); fstrcpy(vuser->user.domain, pdb_get_domain(server_info->sam_account)); fstrcpy(vuser->user.full_name, pdb_get_fullname(server_info->sam_account)); { /* Keep the homedir handy */ const char *homedir = pdb_get_homedir(server_info->sam_account); - const char *unix_homedir = pdb_get_unix_homedir(server_info->sam_account); + const char *unix_homedir = pdb_get_unix_homedir(server_info->sam_account); /* should be optained by SMS */ const char *logon_script = pdb_get_logon_script(server_info->sam_account); if (homedir) { vuser->homedir = smb_xstrdup(homedir); @@ -260,19 +184,13 @@ int register_vuid(auth_serversupplied_info *server_info, const char *smb_name) DEBUG(3, ("User name: %s\tReal name: %s\n",vuser->user.unix_name,vuser->user.full_name)); - vuser->n_groups = 0; - vuser->groups = NULL; - - /* Find all the groups this uid is in and store them. - Used by change_to_user() */ - initialise_groups(vuser->user.unix_name, vuser->uid, vuser->gid); - get_current_groups(vuser->gid, &vuser->n_groups, &vuser->groups); - - if (server_info->ptok) - add_supplementary_nt_login_groups(&vuser->n_groups, &vuser->groups, &server_info->ptok); - - /* Create an NT_USER_TOKEN struct for this user. */ - vuser->nt_user_token = create_nt_token(vuser->uid, vuser->gid, vuser->n_groups, vuser->groups, vuser->guest, server_info->ptok); + if (server_info->ptok) { + vuser->nt_user_token = dup_nt_token(server_info->ptok); + } else { + DEBUG(1, ("server_info does not contain a user_token - cannot continue\n")); + free(vuser); + return UID_FIELD_INVALID; + } DEBUG(3,("UNIX uid %d is UNIX user %s, and will be vuid %u\n",(int)vuser->uid,vuser->user.unix_name, vuser->vuid)); @@ -451,7 +369,7 @@ static char *validate_group(char *group, DATA_BLOB password,int snum) Note this is *NOT* used when logging on using sessionsetup_and_X. ****************************************************************************/ -BOOL authorise_login(int snum,char *user, DATA_BLOB password, +BOOL authorise_login(int snum, fstring user, DATA_BLOB password, BOOL *guest) { BOOL ok = False; diff --git a/source3/smbd/service.c b/source3/smbd/service.c index 6f83a2d3b7..7c38cf5793 100644 --- a/source3/smbd/service.c +++ b/source3/smbd/service.c @@ -305,6 +305,7 @@ static void set_admin_user(connection_struct *conn) #endif ) { conn->admin_user = True; + conn->force_user = True; /* Admin users are effectivly 'forced' */ DEBUG(0,("%s logged in as admin user (root privileges)\n",conn->user)); } else { conn->admin_user = False; @@ -329,7 +330,6 @@ static connection_struct *make_connection_snum(int snum, user_struct *vuser, { struct passwd *pass = NULL; BOOL guest = False; - BOOL force = False; connection_struct *conn; struct stat st; fstring user; @@ -349,7 +349,6 @@ static connection_struct *make_connection_snum(int snum, user_struct *vuser, if (lp_guest_only(snum)) { const char *guestname = lp_guestaccount(); guest = True; - force = True; pass = getpwnam_alloc(guestname); if (!pass) { DEBUG(0,("authorise_login: Invalid guest account %s??\n",guestname)); @@ -397,7 +396,7 @@ static connection_struct *make_connection_snum(int snum, user_struct *vuser, return NULL; } pass = Get_Pwnam(user); - conn->force_user = force; + conn->force_user = True; conn->uid = pass->pw_uid; conn->gid = pass->pw_gid; string_set(&conn->user, pass->pw_name); @@ -434,7 +433,7 @@ static connection_struct *make_connection_snum(int snum, user_struct *vuser, /* * If force user is true, then store the - * given userid and also the primary groupid + * given userid and also the groups * of the user we're forcing. */ @@ -492,6 +491,7 @@ static connection_struct *make_connection_snum(int snum, user_struct *vuser, gid = nametogid(gname); if (gid != (gid_t)-1) { + /* * If the user has been forced and the forced group starts * with a '+', then we only set the group to be the forced @@ -507,6 +507,7 @@ static connection_struct *make_connection_snum(int snum, user_struct *vuser, conn->gid = gid; DEBUG(3,("Forced group %s\n",gname)); } + conn->force_group = True; } else { DEBUG(1,("Couldn't find group %s\n",gname)); conn_free(conn); @@ -524,23 +525,27 @@ static connection_struct *make_connection_snum(int snum, user_struct *vuser, DEBUG(3,("Connect path is '%s' for service [%s]\n",s, lp_servicename(snum))); } - /* groups stuff added by ih */ - conn->ngroups = 0; - conn->groups = NULL; - - /* Find all the groups this uid is in and - store them. Used by change_to_user() */ - initialise_groups(conn->user, conn->uid, conn->gid); - get_current_groups(conn->gid, &conn->ngroups,&conn->groups); + if (conn->force_user || conn->force_group) { + + /* groups stuff added by ih */ + conn->ngroups = 0; + conn->groups = NULL; + + /* Find all the groups this uid is in and + store them. Used by change_to_user() */ + initialise_groups(conn->user, conn->uid, conn->gid); + get_current_groups(conn->gid, &conn->ngroups,&conn->groups); - conn->nt_user_token = create_nt_token(conn->uid, conn->gid, - conn->ngroups, conn->groups, - guest, NULL); + conn->nt_user_token = create_nt_token(conn->uid, conn->gid, + conn->ngroups, conn->groups, + guest); + } /* * New code to check if there's a share security descripter * added from NT server manager. This is done after the * smb.conf checks are done as we need a uid and token. JRA. + * */ { diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c index 77f93812dd..a49982dcfe 100644 --- a/source3/smbd/sesssetup.c +++ b/source3/smbd/sesssetup.c @@ -177,9 +177,9 @@ static int reply_spnego_kerberos(connection_struct *conn, return ERROR_NT(NT_STATUS_NO_SUCH_USER); } - if (!make_server_info_pw(&server_info,pw)) { + if (!NT_STATUS_IS_OK(ret = make_server_info_pw(&server_info,pw))) { DEBUG(1,("make_server_info_from_pw failed!\n")); - return ERROR_NT(NT_STATUS_NO_MEMORY); + return ERROR_NT(ret); } sess_vuid = register_vuid(server_info, user); diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c index c0bacf8f91..6f91065ceb 100644 --- a/source3/smbd/uid.c +++ b/source3/smbd/uid.c @@ -59,18 +59,26 @@ BOOL change_to_guest(void) static BOOL check_user_ok(connection_struct *conn, user_struct *vuser,int snum) { int i; - for (i=0;iuid_cache.entries;i++) - if (conn->uid_cache.list[i] == vuser->uid) + for (i=0;ivuid_cache.entries && i< VUID_CACHE_SIZE;i++) + if (conn->vuid_cache.list[i] == vuser->vuid) return(True); + if ((conn->force_user || conn->force_group) + && (conn->vuid != vuser->vuid)) { + return False; + } + if (!user_ok(vuser->user.unix_name,snum)) return(False); - i = conn->uid_cache.entries % UID_CACHE_SIZE; - conn->uid_cache.list[i] = vuser->uid; + if (!share_access_check(conn, snum, vuser, conn->read_only ? FILE_READ_DATA : FILE_WRITE_DATA)) { + return False; + } + + i = conn->vuid_cache.entries % VUID_CACHE_SIZE; + conn->vuid_cache.list[i] = vuser->vuid; - if (conn->uid_cache.entries < UID_CACHE_SIZE) - conn->uid_cache.entries++; + conn->vuid_cache.entries++; return(True); } @@ -115,27 +123,21 @@ BOOL change_to_user(connection_struct *conn, uint16 vuid) snum = SNUM(conn); - if((vuser != NULL) && !check_user_ok(conn, vuser, snum)) - return False; - - if (conn->force_user || - conn->admin_user || - (lp_security() == SEC_SHARE)) { + if (conn->force_user) /* security = share sets this too */ { uid = conn->uid; gid = conn->gid; current_user.groups = conn->groups; current_user.ngroups = conn->ngroups; token = conn->nt_user_token; - } else { - if (!vuser) { - DEBUG(2,("change_to_user: Invalid vuid used %d\n",vuid)); - return(False); - } + } else if ((vuser) && check_user_ok(conn, vuser, snum)) { uid = vuser->uid; gid = vuser->gid; current_user.ngroups = vuser->n_groups; current_user.groups = vuser->groups; token = vuser->nt_user_token; + } else { + DEBUG(2,("change_to_user: Invalid vuid used %d or vuid not permitted access to share.\n",vuid)); + return False; } /* @@ -175,7 +177,7 @@ BOOL change_to_user(connection_struct *conn, uint16 vuid) if (vuser && vuser->guest) is_guest = True; - token = create_nt_token(uid, gid, current_user.ngroups, current_user.groups, is_guest, NULL); + token = create_nt_token(uid, gid, current_user.ngroups, current_user.groups, is_guest); must_free_token = True; } -- cgit