From e72ecdc862804339912325fe848401e8ec57cde7 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 24 Feb 2003 02:35:54 +0000 Subject: Merge of server-side authentication changes to 3.0: - user_ok() and user_in_group() now take a list of groups, instead of looking for the user in the members of all groups. - The 'server_info' returned from the authentication is now kept around - in future we won't copy the sesion key, username etc, we will just referece them directly. - rhosts upgraded to use the SAM if possible, otherwise fake up based on getpwnam(). - auth_util code to deal with groups upgraded to deal with non-winbind domain members again. Andrew Bartlett (This used to be commit 74b5436c75114170ce7c780c19226103d0df9060) --- source3/auth/auth_ntlmssp.c | 2 +- source3/auth/auth_rhosts.c | 68 +++++++++++++++++++--------------- source3/auth/auth_util.c | 73 ++++++++++++++++++++++++------------- source3/include/smb.h | 2 + source3/lib/username.c | 57 +++++++++++++++++++++-------- source3/rpc_server/srv_netlog_nt.c | 2 +- source3/rpc_server/srv_samr_nt.c | 20 +++++----- source3/rpc_server/srv_spoolss_nt.c | 6 +-- source3/smbd/password.c | 59 ++++++++++++++++++++---------- source3/smbd/posix_acls.c | 2 +- source3/smbd/service.c | 22 +++++------ source3/smbd/sesssetup.c | 60 +++++++++++++----------------- source3/smbd/uid.c | 4 +- 13 files changed, 224 insertions(+), 153 deletions(-) diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c index 43542b2474..d32d248296 100644 --- a/source3/auth/auth_ntlmssp.c +++ b/source3/auth/auth_ntlmssp.c @@ -131,7 +131,7 @@ NTSTATUS auth_ntlmssp_end(AUTH_NTLMSSP_STATE **auth_ntlmssp_state) } NTSTATUS auth_ntlmssp_update(AUTH_NTLMSSP_STATE *auth_ntlmssp_state, - DATA_BLOB request, DATA_BLOB *reply) + const DATA_BLOB request, DATA_BLOB *reply) { return ntlmssp_server_update(auth_ntlmssp_state->ntlmssp_state, request, reply); } diff --git a/source3/auth/auth_rhosts.c b/source3/auth/auth_rhosts.c index 4ed0e6bbc4..5451f7d930 100644 --- a/source3/auth/auth_rhosts.c +++ b/source3/auth/auth_rhosts.c @@ -129,23 +129,19 @@ static BOOL check_user_equiv(const char *user, const char *remote, const char *e return False; } - /**************************************************************************** check for a possible hosts equiv or rhosts entry for the user ****************************************************************************/ -static BOOL check_hosts_equiv(struct passwd *pass) +static BOOL check_hosts_equiv(SAM_ACCOUNT *account) { char *fname = NULL; - if (!pass) - return(False); - fname = lp_hosts_equiv(); /* note: don't allow hosts.equiv on root */ - if (fname && *fname && (pass->pw_uid != 0)) { - if (check_user_equiv(pass->pw_name,client_name(),fname)) + if (IS_SAM_UNIX_USER(account) && fname && *fname && (pdb_get_uid(account) != 0)) { + if (check_user_equiv(pdb_get_username(account),client_name(),fname)) return(True); } @@ -164,15 +160,18 @@ static NTSTATUS check_hostsequiv_security(const struct auth_context *auth_contex auth_serversupplied_info **server_info) { NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; - struct passwd *pass = Get_Pwnam(user_info->internal_username.str); - - if (pass) { - if (check_hosts_equiv(pass)) { - nt_status = NT_STATUS_OK; - make_server_info_pw(server_info, pass); - } + SAM_ACCOUNT *account = NULL; + if (!NT_STATUS_IS_OK(nt_status = + auth_get_sam_account(user_info->internal_username.str, + &account))) { + return nt_status; + } + + if (check_hosts_equiv(account)) { + nt_status = make_server_info_sam(server_info, account); } else { - nt_status = NT_STATUS_NO_SUCH_USER; + pdb_free_sam(&account); + nt_status = NT_STATUS_LOGON_FAILURE; } return nt_status; @@ -186,6 +185,7 @@ NTSTATUS auth_init_hostsequiv(struct auth_context *auth_context, const char* par } (*auth_method)->auth = check_hostsequiv_security; + (*auth_method)->name = "hostsequiv"; return NT_STATUS_OK; } @@ -201,24 +201,33 @@ static NTSTATUS check_rhosts_security(const struct auth_context *auth_context, auth_serversupplied_info **server_info) { NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; - struct passwd *pass = Get_Pwnam(user_info->internal_username.str); + SAM_ACCOUNT *account = NULL; pstring rhostsfile; + const char *home; - if (pass) { - char *home = pass->pw_dir; - if (home) { - slprintf(rhostsfile, sizeof(rhostsfile)-1, "%s/.rhosts", home); - become_root(); - if (check_user_equiv(pass->pw_name,client_name(),rhostsfile)) { - nt_status = NT_STATUS_OK; - make_server_info_pw(server_info, pass); - } - unbecome_root(); - } - } else { - nt_status = NT_STATUS_NO_SUCH_USER; + if (!NT_STATUS_IS_OK(nt_status = + auth_get_sam_account(user_info->internal_username.str, + &account))) { + return nt_status; } + home = pdb_get_unix_homedir(account); + + if (home) { + slprintf(rhostsfile, sizeof(rhostsfile)-1, "%s/.rhosts", home); + become_root(); + if (check_user_equiv(pdb_get_username(account),client_name(),rhostsfile)) { + nt_status = make_server_info_sam(server_info, account); + } else { + pdb_free_sam(&account); + nt_status = NT_STATUS_LOGON_FAILURE; + } + unbecome_root(); + } else { + pdb_free_sam(&account); + nt_status = NT_STATUS_LOGON_FAILURE; + } + return nt_status; } @@ -230,5 +239,6 @@ NTSTATUS auth_init_rhosts(struct auth_context *auth_context, const char *param, } (*auth_method)->auth = check_rhosts_security; + (*auth_method)->name = "rhosts"; return NT_STATUS_OK; } diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index bbe0c7cf43..7d85153bd0 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -77,6 +77,36 @@ void smb_user_control(const auth_usersupplied_info *user_info, auth_serversuppli } } +/**************************************************************************** + Create a SAM_ACCOUNT - either by looking in the pdb, or by faking it up from + unix info. +****************************************************************************/ + +NTSTATUS auth_get_sam_account(const char *user, SAM_ACCOUNT **account) +{ + BOOL pdb_ret; + NTSTATUS nt_status; + if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam(account))) { + return nt_status; + } + + become_root(); + pdb_ret = pdb_getsampwnam(*account, user); + unbecome_root(); + + if (!pdb_ret) { + + struct passwd *pass = Get_Pwnam(user); + if (!pass) + return NT_STATUS_NO_SUCH_USER; + + if (!NT_STATUS_IS_OK(nt_status = pdb_fill_sam_pw(*account, pass))) { + return nt_status; + } + } + return NT_STATUS_OK; +} + /**************************************************************************** Create an auth_usersupplied_data structure ****************************************************************************/ @@ -641,34 +671,25 @@ NT_USER_TOKEN *create_nt_token(uid_t uid, gid_t gid, int ngroups, gid_t *groups, * of groups. ******************************************************************************/ -static NTSTATUS get_user_groups_from_local_sam(const DOM_SID *user_sid, +static NTSTATUS get_user_groups_from_local_sam(SAM_ACCOUNT *sampass, int *n_groups, DOM_SID **groups, gid_t **unix_groups) { uid_t uid; - enum SID_NAME_USE snu; - fstring str; + gid_t gid; int n_unix_groups; int i; struct passwd *usr; - + *n_groups = 0; *groups = NULL; - - if (!sid_to_uid(user_sid, &uid, &snu)) { - DEBUG(2, ("get_user_groups_from_local_sam: Failed to convert user SID %s to a uid!\n", - sid_to_string(str, user_sid))); - /* This might be a non-unix account */ - return NT_STATUS_OK; - } - /* - * This is _essential_ to prevent occasional segfaults when - * winbind can't find uid -> username mapping - */ - if (!(usr = getpwuid_alloc(uid))) { - DEBUG(0, ("Couldn't find passdb structure for UID = %d ! Aborting.\n", uid)); + if (!IS_SAM_UNIX_USER(sampass)) { + DEBUG(1, ("user %s does not have a unix identity!\n", pdb_get_username(sampass))); return NT_STATUS_NO_SUCH_USER; - }; + } + + uid = pdb_get_uid(sampass); + gid = pdb_get_gid(sampass); n_unix_groups = groups_max(); if ((*unix_groups = malloc( sizeof(gid_t) * n_unix_groups ) ) == NULL) { @@ -677,7 +698,7 @@ static NTSTATUS get_user_groups_from_local_sam(const DOM_SID *user_sid, return NT_STATUS_NO_MEMORY; } - if (sys_getgrouplist(usr->pw_name, usr->pw_gid, *unix_groups, &n_unix_groups) == -1) { + if (sys_getgrouplist(pdb_get_username(sampass), gid, *unix_groups, &n_unix_groups) == -1) { gid_t *groups_tmp; groups_tmp = Realloc(*unix_groups, sizeof(gid_t) * n_unix_groups); if (!groups_tmp) { @@ -687,7 +708,7 @@ static NTSTATUS get_user_groups_from_local_sam(const DOM_SID *user_sid, } *unix_groups = groups_tmp; - if (sys_getgrouplist(usr->pw_name, usr->pw_gid, *unix_groups, &n_unix_groups) == -1) { + if (sys_getgrouplist(pdb_get_username(sampass), gid, *unix_groups, &n_unix_groups) == -1) { DEBUG(0, ("get_user_groups_from_local_sam: failed to get the unix group list\n")); SAFE_FREE(*unix_groups); passwd_free(&usr); @@ -695,9 +716,7 @@ static NTSTATUS get_user_groups_from_local_sam(const DOM_SID *user_sid, } } - debug_unix_user_token(DBGC_CLASS, 5, usr->pw_uid, usr->pw_gid, n_unix_groups, *unix_groups); - - passwd_free(&usr); + debug_unix_user_token(DBGC_CLASS, 5, uid, gid, n_unix_groups, *unix_groups); if (n_unix_groups > 0) { *groups = malloc(sizeof(DOM_SID) * n_unix_groups); @@ -763,7 +782,7 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, } if (!NT_STATUS_IS_OK(nt_status - = get_user_groups_from_local_sam(pdb_get_user_sid(sampass), + = get_user_groups_from_local_sam(sampass, &n_groupSIDs, &groupSIDs, &unix_groups))) { DEBUG(4,("get_user_groups_from_local_sam failed\n")); @@ -838,7 +857,9 @@ NTSTATUS make_server_info_guest(auth_serversupplied_info **server_info) nt_status = make_server_info_sam(server_info, sampass); - (*server_info)->guest = True; + if (NT_STATUS_IS_OK(nt_status)) { + (*server_info)->guest = True; + } return nt_status; } @@ -996,7 +1017,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, returned to the caller. */ if (!NT_STATUS_IS_OK(nt_status - = get_user_groups_from_local_sam(&user_sid, + = get_user_groups_from_local_sam(sam_account, &n_lgroupSIDs, &lgroupSIDs, &unix_groups))) diff --git a/source3/include/smb.h b/source3/include/smb.h index 279b79eace..f96a19954a 100644 --- a/source3/include/smb.h +++ b/source3/include/smb.h @@ -1642,6 +1642,8 @@ typedef struct user_struct TDB key string */ int homes_snum; + struct auth_serversupplied_info *server_info; + } user_struct; diff --git a/source3/lib/username.c b/source3/lib/username.c index b1c9ca0f08..b8f33494ee 100644 --- a/source3/lib/username.c +++ b/source3/lib/username.c @@ -169,7 +169,7 @@ BOOL map_username(char *user) return False; } - if (strchr_m(dosname,'*') || user_in_list(user, (const char **)dosuserlist)) { + if (strchr_m(dosname,'*') || user_in_list(user, (const char **)dosuserlist, NULL, 0)) { DEBUG(3,("Mapped user %s to %s\n",user,unixname)); mapped_user = True; fstrcpy(last_from,user); @@ -328,11 +328,27 @@ static BOOL user_in_winbind_group_list(const char *user, const char *gname, BOOL int num_groups; int i; gid_t *groups = NULL; - gid_t gid; + gid_t gid, gid_low, gid_high; BOOL ret = False; *winbind_answered = False; + if ((gid = nametogid(gname)) == (gid_t)-1) { + DEBUG(0,("user_in_winbind_group_list: nametogid for group %s failed.\n", + gname )); + goto err; + } + + if (!lp_winbind_gid(&gid_low, &gid_high)) { + DEBUG(4, ("winbind gid range not configured, therefore %s cannot be a winbind group\n", gname)); + goto err; + } + + if (gid < gid_low || gid > gid_high) { + DEBUG(4, ("group %s is not a winbind group\n", gname)); + goto err; + } + /* * Get the gid's that this user belongs to. */ @@ -361,12 +377,6 @@ failed with error %s\n", strerror(errno) )); * to a gid_t via either winbind or the local UNIX lookup and do the comparison. */ - if ((gid = nametogid(gname)) == (gid_t)-1) { - DEBUG(0,("user_in_winbind_group_list: winbind_lookup_name for group %s failed.\n", - gname )); - goto err; - } - for (i = 0; i < num_groups; i++) { if (gid == groups[i]) { ret = True; @@ -389,7 +399,7 @@ failed with error %s\n", strerror(errno) )); Check if a user is in a UNIX group. ****************************************************************************/ -static BOOL user_in_unix_group_list(const char *user,const char *gname) +BOOL user_in_unix_group_list(const char *user,const char *gname) { struct passwd *pass = Get_Pwnam(user); struct sys_userlist *user_list; @@ -432,10 +442,27 @@ static BOOL user_in_unix_group_list(const char *user,const char *gname) Check if a user is in a group list. Ask winbind first, then use UNIX. ****************************************************************************/ -BOOL user_in_group_list(const char *user, const char *gname) +BOOL user_in_group_list(const char *user, const char *gname, gid_t *groups, size_t n_groups) { BOOL winbind_answered = False; BOOL ret; + gid_t gid; + unsigned i; + + gid = nametogid(gname); + if (gid == (gid_t)-1) + return False; + + if (groups && n_groups > 0) { + for (i=0; i < n_groups; i++) { + if (groups[i] == gid) { + return True; + } + } + return False; + } + + /* fallback if we don't yet have the group list */ ret = user_in_winbind_group_list(user, gname, &winbind_answered); if (!winbind_answered) @@ -451,7 +478,7 @@ BOOL user_in_group_list(const char *user, const char *gname) and netgroup lists. ****************************************************************************/ -BOOL user_in_list(const char *user,const char **list) +BOOL user_in_list(const char *user,const char **list, gid_t *groups, size_t n_groups) { if (!list || !*list) return False; @@ -480,7 +507,7 @@ BOOL user_in_list(const char *user,const char **list) */ if(user_in_netgroup_list(user, *list +1)) return True; - if(user_in_group_list(user, *list +1)) + if(user_in_group_list(user, *list +1, groups, n_groups)) return True; } else if (**list == '+') { @@ -488,7 +515,7 @@ BOOL user_in_list(const char *user,const char **list) /* * Search UNIX list followed by netgroup. */ - if(user_in_group_list(user, *list +2)) + if(user_in_group_list(user, *list +2, groups, n_groups)) return True; if(user_in_netgroup_list(user, *list +2)) return True; @@ -499,7 +526,7 @@ BOOL user_in_list(const char *user,const char **list) * Just search UNIX list. */ - if(user_in_group_list(user, *list +1)) + if(user_in_group_list(user, *list +1, groups, n_groups)) return True; } @@ -511,7 +538,7 @@ BOOL user_in_list(const char *user,const char **list) */ if(user_in_netgroup_list(user, *list +2)) return True; - if(user_in_group_list(user, *list +2)) + if(user_in_group_list(user, *list +2, groups, n_groups)) return True; } else { /* diff --git a/source3/rpc_server/srv_netlog_nt.c b/source3/rpc_server/srv_netlog_nt.c index 8070cdd984..6182da53d9 100644 --- a/source3/rpc_server/srv_netlog_nt.c +++ b/source3/rpc_server/srv_netlog_nt.c @@ -668,7 +668,7 @@ NTSTATUS _net_sam_logon(pipes_struct *p, NET_Q_SAM_LOGON *q_u, NET_R_SAM_LOGON * fstring group_sid_string; uchar user_sess_key[16]; uchar netlogon_sess_key[16]; - + sampw = server_info->sam_account; /* set up pointer indicating user/password failed to be found */ diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 2896fd79e4..d766e9c19e 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -3427,7 +3427,7 @@ NTSTATUS _samr_add_aliasmem(pipes_struct *p, SAMR_Q_ADD_ALIASMEM *q_u, SAMR_R_AD fstrcpy(grp_name, grp->gr_name); /* if the user is already in the group */ - if(user_in_group_list(pwd->pw_name, grp_name)) { + if(user_in_unix_group_list(pwd->pw_name, grp_name)) { passwd_free(&pwd); return NT_STATUS_MEMBER_IN_ALIAS; } @@ -3439,7 +3439,7 @@ NTSTATUS _samr_add_aliasmem(pipes_struct *p, SAMR_Q_ADD_ALIASMEM *q_u, SAMR_R_AD smb_add_user_group(grp_name, pwd->pw_name); /* check if the user has been added then ... */ - if(!user_in_group_list(pwd->pw_name, grp_name)) { + if(!user_in_unix_group_list(pwd->pw_name, grp_name)) { passwd_free(&pwd); return NT_STATUS_MEMBER_NOT_IN_ALIAS; /* don't know what to reply else */ } @@ -3485,7 +3485,7 @@ NTSTATUS _samr_del_aliasmem(pipes_struct *p, SAMR_Q_DEL_ALIASMEM *q_u, SAMR_R_DE if ((grp=getgrgid(map.gid)) == NULL) return NT_STATUS_NO_SUCH_ALIAS; - /* we need to copy the name otherwise it's overloaded in user_in_group_list */ + /* we need to copy the name otherwise it's overloaded in user_in_unix_group_list */ fstrcpy(grp_name, grp->gr_name); /* check if the user exists before trying to remove it from the group */ @@ -3497,7 +3497,7 @@ NTSTATUS _samr_del_aliasmem(pipes_struct *p, SAMR_Q_DEL_ALIASMEM *q_u, SAMR_R_DE } /* if the user is not in the group */ - if(!user_in_group_list(pdb_get_username(sam_pass), grp_name)) { + if(!user_in_unix_group_list(pdb_get_username(sam_pass), grp_name)) { pdb_free_sam(&sam_pass); return NT_STATUS_MEMBER_IN_ALIAS; } @@ -3505,7 +3505,7 @@ NTSTATUS _samr_del_aliasmem(pipes_struct *p, SAMR_Q_DEL_ALIASMEM *q_u, SAMR_R_DE smb_delete_user_group(grp_name, pdb_get_username(sam_pass)); /* check if the user has been removed then ... */ - if(user_in_group_list(pdb_get_username(sam_pass), grp_name)) { + if(user_in_unix_group_list(pdb_get_username(sam_pass), grp_name)) { pdb_free_sam(&sam_pass); return NT_STATUS_MEMBER_NOT_IN_ALIAS; /* don't know what to reply else */ } @@ -3583,11 +3583,11 @@ NTSTATUS _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_AD return NT_STATUS_NO_SUCH_GROUP; } - /* we need to copy the name otherwise it's overloaded in user_in_group_list */ + /* we need to copy the name otherwise it's overloaded in user_in_unix_group_list */ fstrcpy(grp_name, grp->gr_name); /* if the user is already in the group */ - if(user_in_group_list(pwd->pw_name, grp_name)) { + if(user_in_unix_group_list(pwd->pw_name, grp_name)) { passwd_free(&pwd); return NT_STATUS_MEMBER_IN_GROUP; } @@ -3601,7 +3601,7 @@ NTSTATUS _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_AD smb_add_user_group(grp_name, pwd->pw_name); /* check if the user has been added then ... */ - if(!user_in_group_list(pwd->pw_name, grp_name)) { + if(!user_in_unix_group_list(pwd->pw_name, grp_name)) { passwd_free(&pwd); return NT_STATUS_MEMBER_NOT_IN_GROUP; /* don't know what to reply else */ } @@ -3662,7 +3662,7 @@ NTSTATUS _samr_del_groupmem(pipes_struct *p, SAMR_Q_DEL_GROUPMEM *q_u, SAMR_R_DE } /* if the user is not in the group */ - if (!user_in_group_list(pdb_get_username(sam_pass), grp_name)) { + if (!user_in_unix_group_list(pdb_get_username(sam_pass), grp_name)) { pdb_free_sam(&sam_pass); return NT_STATUS_MEMBER_NOT_IN_GROUP; } @@ -3670,7 +3670,7 @@ NTSTATUS _samr_del_groupmem(pipes_struct *p, SAMR_Q_DEL_GROUPMEM *q_u, SAMR_R_DE smb_delete_user_group(grp_name, pdb_get_username(sam_pass)); /* check if the user has been removed then ... */ - if (user_in_group_list(pdb_get_username(sam_pass), grp_name)) { + if (user_in_unix_group_list(pdb_get_username(sam_pass), grp_name)) { pdb_free_sam(&sam_pass); return NT_STATUS_ACCESS_DENIED; /* don't know what to reply else */ } diff --git a/source3/rpc_server/srv_spoolss_nt.c b/source3/rpc_server/srv_spoolss_nt.c index 3605c1a24d..93566c2bb7 100644 --- a/source3/rpc_server/srv_spoolss_nt.c +++ b/source3/rpc_server/srv_spoolss_nt.c @@ -1606,7 +1606,7 @@ Can't find printer handle we created for printer %s\n", name )); /* if the user is not root and not a printer admin, then fail */ if ( user.uid != 0 - && !user_in_list(uidtoname(user.uid), lp_printer_admin(snum)) ) + && !user_in_list(uidtoname(user.uid), lp_printer_admin(snum), user.groups, user.ngroups) ) { close_printer_handle(p, handle); return WERR_ACCESS_DENIED; @@ -1653,7 +1653,7 @@ Can't find printer handle we created for printer %s\n", name )); /* check smb.conf parameters and the the sec_desc */ - if (!user_ok(uidtoname(user.uid), snum) || !print_access_check(&user, snum, printer_default->access_required)) { + if (!user_ok(uidtoname(user.uid), snum, user.groups, user.ngroups) || !print_access_check(&user, snum, printer_default->access_required)) { DEBUG(3, ("access DENIED for printer open\n")); close_printer_handle(p, handle); return WERR_ACCESS_DENIED; @@ -8992,7 +8992,7 @@ WERROR _spoolss_enumprinterdataex(pipes_struct *p, SPOOL_Q_ENUMPRINTERDATAEX *q_ done: if ( printer ) - free_a_printer(&printer, 2); + free_a_printer(&printer, 2); return result; } diff --git a/source3/smbd/password.c b/source3/smbd/password.c index 4ce99e96bb..784c1525c8 100644 --- a/source3/smbd/password.c +++ b/source3/smbd/password.c @@ -62,11 +62,15 @@ void invalidate_vuid(uint16 vuid) if (vuser == NULL) return; - + SAFE_FREE(vuser->homedir); - + SAFE_FREE(vuser->unix_homedir); + SAFE_FREE(vuser->logon_script); + session_yield(vuser); + free_server_info(&vuser->server_info); + DLIST_REMOVE(validated_users, vuser); /* clear the vuid from the 'cache' on each connection, and @@ -93,11 +97,15 @@ void invalidate_all_vuids(void) } } -/**************************************************************************** -register a uid/name pair as being valid and that a valid password -has been given. vuid is biased by an offset. This allows us to -tell random client vuid's (normally zero) from valid vuids. -****************************************************************************/ +/** + * register that a valid login has been performed, establish 'session'. + * @param server_info The token returned from the authentication process. + * (now 'owned' by register_vuid) + * + * @return Newly allocated vuid, biased by an offset. (This allows us to + * tell random client vuid's (normally zero) from valid vuids.) + * + */ int register_vuid(auth_serversupplied_info *server_info, const char *smb_name) { @@ -136,6 +144,7 @@ int register_vuid(auth_serversupplied_info *server_info, const char *smb_name) if (!IS_SAM_UNIX_USER(server_info->sam_account)) { DEBUG(0,("Attempted session setup with invalid user. No uid/gid in SAM_ACCOUNT\n")); free(vuser); + free_server_info(&server_info); return UID_FIELD_INVALID; } @@ -147,20 +156,24 @@ int register_vuid(auth_serversupplied_info *server_info, const char *smb_name) if (!(vuser->groups = memdup(server_info->groups, sizeof(gid_t) * vuser->n_groups))) { DEBUG(0,("register_vuid: failed to memdup vuser->groups\n")); free(vuser); + free_server_info(&server_info); return UID_FIELD_INVALID; } } vuser->guest = server_info->guest; fstrcpy(vuser->user.unix_name, pdb_get_username(server_info->sam_account)); - fstrcpy(vuser->user.smb_name, smb_name); + + /* This is a potentially untrusted username */ + alpha_strcpy(vuser->user.smb_name, smb_name, ". _-$", sizeof(vuser->user.smb_name)); + fstrcpy(vuser->user.domain, pdb_get_domain(server_info->sam_account)); fstrcpy(vuser->user.full_name, pdb_get_fullname(server_info->sam_account)); { /* Keep the homedir handy */ const char *homedir = pdb_get_homedir(server_info->sam_account); - const char *unix_homedir = pdb_get_unix_homedir(server_info->sam_account); /* should be optained by SMS */ + const char *unix_homedir = pdb_get_unix_homedir(server_info->sam_account); const char *logon_script = pdb_get_logon_script(server_info->sam_account); if (homedir) { vuser->homedir = smb_xstrdup(homedir); @@ -188,10 +201,18 @@ int register_vuid(auth_serversupplied_info *server_info, const char *smb_name) vuser->nt_user_token = dup_nt_token(server_info->ptok); } else { DEBUG(1, ("server_info does not contain a user_token - cannot continue\n")); - free(vuser); + free_server_info(&server_info); + SAFE_FREE(vuser->homedir); + SAFE_FREE(vuser->unix_homedir); + SAFE_FREE(vuser->logon_script); + + SAFE_FREE(vuser); return UID_FIELD_INVALID; } + /* use this to keep tabs on all our info from the authentication */ + vuser->server_info = server_info; + DEBUG(3,("UNIX uid %d is UNIX user %s, and will be vuid %u\n",(int)vuser->uid,vuser->user.unix_name, vuser->vuid)); next_vuid++; @@ -246,7 +267,7 @@ void add_session_user(const char *user) /**************************************************************************** check if a username is valid ****************************************************************************/ -BOOL user_ok(const char *user,int snum) +BOOL user_ok(const char *user,int snum, gid_t *groups, size_t n_groups) { char **valid, **invalid; BOOL ret; @@ -257,7 +278,7 @@ BOOL user_ok(const char *user,int snum) if (lp_invalid_users(snum)) { str_list_copy(&invalid, lp_invalid_users(snum)); if (invalid && str_list_substitute(invalid, "%S", lp_servicename(snum))) { - ret = !user_in_list(user, (const char **)invalid); + ret = !user_in_list(user, (const char **)invalid, groups, n_groups); } } if (invalid) @@ -266,7 +287,7 @@ BOOL user_ok(const char *user,int snum) if (ret && lp_valid_users(snum)) { str_list_copy(&valid, lp_valid_users(snum)); if (valid && str_list_substitute(valid, "%S", lp_servicename(snum))) { - ret = user_in_list(user, (const char **)valid); + ret = user_in_list(user, (const char **)valid, groups, n_groups); } } if (valid) @@ -275,7 +296,7 @@ BOOL user_ok(const char *user,int snum) if (ret && lp_onlyuser(snum)) { char **user_list = str_list_make (lp_username(snum), NULL); if (user_list && str_list_substitute(user_list, "%S", lp_servicename(snum))) { - ret = user_in_list(user, (const char **)user_list); + ret = user_in_list(user, (const char **)user_list, groups, n_groups); } if (user_list) str_list_free (&user_list); } @@ -294,7 +315,7 @@ static char *validate_group(char *group, DATA_BLOB password,int snum) setnetgrent(group); while (getnetgrent(&host, &user, &domain)) { if (user) { - if (user_ok(user, snum) && + if (user_ok(user, snum, NULL, 0) && password_ok(user,password)) { endnetgrent(); return(user); @@ -349,7 +370,7 @@ static char *validate_group(char *group, DATA_BLOB password,int snum) while (*member) { static fstring name; fstrcpy(name,member); - if (user_ok(name,snum) && + if (user_ok(name,snum, NULL, 0) && password_ok(name,password)) { endgrent(); return(&name[0]); @@ -408,7 +429,7 @@ BOOL authorise_login(int snum, fstring user, DATA_BLOB password, auser = strtok(NULL,LIST_SEP)) { fstring user2; fstrcpy(user2,auser); - if (!user_ok(user2,snum)) + if (!user_ok(user2,snum, NULL, 0)) continue; if (password_ok(user2,password)) { @@ -443,7 +464,7 @@ and given password ok (%s)\n", user)); } else { fstring user2; fstrcpy(user2,auser); - if (user_ok(user2,snum) && password_ok(user2,password)) { + if (user_ok(user2,snum, NULL, 0) && password_ok(user2,password)) { ok = True; fstrcpy(user,user2); DEBUG(3,("authorise_login: ACCEPTED: user list username \ @@ -468,7 +489,7 @@ and given password ok (%s)\n", user)); *guest = True; } - if (ok && !user_ok(user,snum)) { + if (ok && !user_ok(user, snum, NULL, 0)) { DEBUG(0,("authorise_login: rejected invalid user %s\n",user)); ok = False; } diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c index ee8a4430e1..93a57925f1 100644 --- a/source3/smbd/posix_acls.c +++ b/source3/smbd/posix_acls.c @@ -573,7 +573,7 @@ static BOOL uid_entry_in_group( canon_ace *uid_ace, canon_ace *group_ace ) * not uids/gids. */ - return user_in_group_list(u_name, g_name ); + return user_in_group_list(u_name, g_name, NULL, 0); } /**************************************************************************** diff --git a/source3/smbd/service.c b/source3/smbd/service.c index 2a41a6db1c..1c7e4017b0 100644 --- a/source3/smbd/service.c +++ b/source3/smbd/service.c @@ -258,7 +258,7 @@ static NTSTATUS share_sanity_checks(int snum, pstring dev) /**************************************************************************** readonly share? ****************************************************************************/ -static void set_read_only(connection_struct *conn) +static void set_read_only(connection_struct *conn, gid_t *groups, size_t n_groups) { char **list; char *service = lp_servicename(conn->service); @@ -271,7 +271,7 @@ static void set_read_only(connection_struct *conn) if (!str_list_substitute(list, "%S", service)) { DEBUG(0, ("ERROR: read list substitution failed\n")); } - if (user_in_list(conn->user, (const char **)list)) + if (user_in_list(conn->user, (const char **)list, groups, n_groups)) conn->read_only = True; str_list_free(&list); } @@ -281,7 +281,7 @@ static void set_read_only(connection_struct *conn) if (!str_list_substitute(list, "%S", service)) { DEBUG(0, ("ERROR: write list substitution failed\n")); } - if (user_in_list(conn->user, (const char **)list)) + if (user_in_list(conn->user, (const char **)list, groups, n_groups)) conn->read_only = False; str_list_free(&list); } @@ -291,7 +291,7 @@ static void set_read_only(connection_struct *conn) /**************************************************************************** admin user check ****************************************************************************/ -static void set_admin_user(connection_struct *conn) +static void set_admin_user(connection_struct *conn, gid_t *groups, size_t n_groups) { /* admin user check */ @@ -299,7 +299,7 @@ static void set_admin_user(connection_struct *conn) marked read_only. Changed as I don't think this is needed, but old code left in case there is a problem here. */ - if (user_in_list(conn->user,lp_admin_users(conn->service)) + if (user_in_list(conn->user,lp_admin_users(conn->service), groups, n_groups) #if 0 && !conn->read_only #endif @@ -364,14 +364,14 @@ static connection_struct *make_connection_snum(int snum, user_struct *vuser, } else if (vuser) { if (vuser->guest) { if (!lp_guest_ok(snum)) { - DEBUG(2, ("guest user (from session setup) not permitted to access this share (%s)", lp_servicename(snum))); + DEBUG(2, ("guest user (from session setup) not permitted to access this share (%s)\n", lp_servicename(snum))); conn_free(conn); *status = NT_STATUS_ACCESS_DENIED; return NULL; } } else { - if (!user_ok(vuser->user.unix_name, snum)) { - DEBUG(2, ("user '%s' (from session setup) not permitted to access this share (%s)", vuser->user.unix_name, lp_servicename(snum))); + if (!user_ok(vuser->user.unix_name, snum, vuser->groups, vuser->n_groups)) { + DEBUG(2, ("user '%s' (from session setup) not permitted to access this share (%s)\n", vuser->user.unix_name, lp_servicename(snum))); conn_free(conn); *status = NT_STATUS_ACCESS_DENIED; return NULL; @@ -427,9 +427,9 @@ static connection_struct *make_connection_snum(int snum, user_struct *vuser, string_set(&conn->user,user); conn->nt_user_token = NULL; - set_read_only(conn); + set_read_only(conn, vuser ? vuser->groups : NULL, vuser ? vuser->n_groups : 0); - set_admin_user(conn); + set_admin_user(conn, vuser ? vuser->groups : NULL, vuser ? vuser->n_groups : 0); /* * If force user is true, then store the @@ -499,7 +499,7 @@ static connection_struct *make_connection_snum(int snum, user_struct *vuser, * Otherwise, the meaning of the '+' would be ignored. */ if (conn->force_user && user_must_be_member) { - if (user_in_group_list( user, gname )) { + if (user_in_group_list( user, gname, NULL, 0)) { conn->gid = gid; DEBUG(3,("Forced group %s for member %s\n",gname,user)); } diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c index bb7d17be56..eafe805aba 100644 --- a/source3/smbd/sesssetup.c +++ b/source3/smbd/sesssetup.c @@ -148,6 +148,7 @@ static int reply_spnego_kerberos(connection_struct *conn, DATA_BLOB auth_data; auth_serversupplied_info *server_info = NULL; ADS_STRUCT *ads; + BOOL foreign = False; if (!spnego_parse_krb5_wrap(*secblob, &ticket)) { return ERROR_NT(NT_STATUS_LOGON_FAILURE); @@ -168,6 +169,8 @@ static int reply_spnego_kerberos(connection_struct *conn, return ERROR_NT(NT_STATUS_LOGON_FAILURE); } + data_blob_free(&auth_data); + DEBUG(3,("Ticket name is [%s]\n", client)); p = strchr_m(client, '@'); @@ -183,12 +186,20 @@ static int reply_spnego_kerberos(connection_struct *conn, if (!lp_allow_trusted_domains()) { return ERROR_NT(NT_STATUS_LOGON_FAILURE); } - /* this gives a fully qualified user name (ie. with full realm). - that leads to very long usernames, but what else can we do? */ - asprintf(&user, "%s%s%s", p+1, lp_winbind_separator(), client); - } else { - user = strdup(client); + foreign = True; + } + + /* this gives a fully qualified user name (ie. with full realm). + that leads to very long usernames, but what else can we do? */ + asprintf(&user, "%s%s%s", p+1, lp_winbind_separator(), client); + + pw = Get_Pwnam(user); + if (!pw && !foreign) { + pw = Get_Pwnam(client); + SAFE_FREE(user); + user = smb_xstrdup(client); } + ads_destroy(&ads); /* setup the string used by %U */ @@ -196,19 +207,6 @@ static int reply_spnego_kerberos(connection_struct *conn, reload_services(True); - /* the password is good - let them in */ - pw = Get_Pwnam(user); - if (!pw && !strstr(user, lp_winbind_separator())) { - char *user2; - /* try it with a winbind domain prefix */ - asprintf(&user2, "%s%s%s", lp_workgroup(), lp_winbind_separator(), user); - pw = Get_Pwnam(user2); - if (pw) { - free(user); - user = user2; - } - } - if (!pw) { DEBUG(1,("Username %s is invalid on this system\n",user)); return ERROR_NT(NT_STATUS_NO_SUCH_USER); @@ -219,10 +217,10 @@ static int reply_spnego_kerberos(connection_struct *conn, return ERROR_NT(ret); } + /* register_vuid keeps the server info */ sess_vuid = register_vuid(server_info, user); free(user); - free_server_info(&server_info); if (sess_vuid == -1) { return ERROR_NT(NT_STATUS_LOGON_FAILURE); @@ -263,8 +261,10 @@ static BOOL reply_spnego_ntlmssp(connection_struct *conn, char *outbuf, if (NT_STATUS_IS_OK(nt_status)) { int sess_vuid; - sess_vuid = register_vuid(server_info, (*auth_ntlmssp_state)->ntlmssp_state->user /* check this for weird */); - + /* register_vuid keeps the server info */ + sess_vuid = register_vuid(server_info, (*auth_ntlmssp_state)->ntlmssp_state->user); + (*auth_ntlmssp_state)->server_info = NULL; + if (sess_vuid == -1) { nt_status = NT_STATUS_LOGON_FAILURE; } else { @@ -272,7 +272,7 @@ static BOOL reply_spnego_ntlmssp(connection_struct *conn, char *outbuf, set_message(outbuf,4,0,True); SSVAL(outbuf, smb_vwv3, 0); - if ((*auth_ntlmssp_state)->server_info && (*auth_ntlmssp_state)->server_info->guest) { + if (server_info->guest) { SSVAL(outbuf,smb_vwv2,1); } @@ -285,7 +285,7 @@ static BOOL reply_spnego_ntlmssp(connection_struct *conn, char *outbuf, data_blob_free(&response); if (!ret || !NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { - auth_ntlmssp_end(&global_ntlmssp_state); + auth_ntlmssp_end(auth_ntlmssp_state); } return ret; @@ -463,7 +463,6 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf, extern BOOL global_encrypted_passwords_negotiated; extern BOOL global_spnego_negotiated; extern int Protocol; - extern userdom_struct current_user_info; extern int max_send; auth_usersupplied_info *user_info = NULL; @@ -584,13 +583,6 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf, domain,native_os,native_lanman)); } - /* don't allow for weird usernames or domains */ - alpha_strcpy(user, user, ". _-$", sizeof(user)); - alpha_strcpy(domain, domain, ". _-@", sizeof(domain)); - if (strstr(user, "..") || strstr(domain,"..")) { - return ERROR_NT(NT_STATUS_LOGON_FAILURE); - } - DEBUG(3,("sesssetupX:name=[%s]\\[%s]@[%s]\n", domain, user, get_remote_machine_name())); if (*user) { @@ -609,7 +601,7 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf, fstrcpy(sub_user, lp_guestaccount()); } - fstrcpy(current_user_info.smb_name,sub_user); + sub_set_smb_name(sub_user); reload_services(True); @@ -692,15 +684,13 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf, /* register the name and uid as being validated, so further connections to a uid can get through without a password, on the same VC */ + /* register_vuid keeps the server info */ sess_vuid = register_vuid(server_info, sub_user); - - free_server_info(&server_info); if (sess_vuid == -1) { return ERROR_NT(NT_STATUS_LOGON_FAILURE); } - SSVAL(outbuf,smb_uid,sess_vuid); SSVAL(inbuf,smb_uid,sess_vuid); diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c index 7c0d3805e7..6ac3528b1a 100644 --- a/source3/smbd/uid.c +++ b/source3/smbd/uid.c @@ -60,7 +60,7 @@ BOOL change_to_guest(void) static BOOL check_user_ok(connection_struct *conn, user_struct *vuser,int snum) { - int i; + unsigned i; for (i=0;ivuid_cache.entries && i< VUID_CACHE_SIZE;i++) if (conn->vuid_cache.list[i] == vuser->vuid) return(True); @@ -70,7 +70,7 @@ static BOOL check_user_ok(connection_struct *conn, user_struct *vuser,int snum) return False; } - if (!user_ok(vuser->user.unix_name,snum)) + if (!user_ok(vuser->user.unix_name,snum, vuser->groups, vuser->n_groups)) return(False); if (!share_access_check(conn, snum, vuser, conn->read_only ? FILE_READ_DATA : FILE_WRITE_DATA)) { -- cgit