From f048209484b10ed397c55864ca9ee29789f4e372 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Mon, 3 Jul 2000 06:52:31 +0000 Subject: Some more sec_ctx changes. Modified some fields in the pipe_struct structure so authenticated pipe users can have their unix groups set when become_authenticated_pipe_user() is called. (This used to be commit 55c9bf124dc661df43bfe582ef14b1297aeaf0fa) --- source3/include/ntdomain.h | 28 ++++++++++++++-------------- source3/include/smb.h | 9 +++++---- source3/rpc_server/srv_pipe.c | 38 ++++++++++++++++++++------------------ source3/rpc_server/srv_pipe_hnd.c | 10 ++++++++-- source3/smbd/uid.c | 3 ++- 5 files changed, 49 insertions(+), 39 deletions(-) diff --git a/source3/include/ntdomain.h b/source3/include/ntdomain.h index 424a99c700..7b652cad05 100644 --- a/source3/include/ntdomain.h +++ b/source3/include/ntdomain.h @@ -164,22 +164,22 @@ typedef struct pipes_struct /* * Unix user name and credentials. */ - fstring unix_user_name; - uid_t uid; - gid_t gid; - /* - * Set to true when an RPC bind has been done on this pipe. - */ - - BOOL pipe_bound; - - /* - * Set to true when we should return fault PDU's for everything. - */ - - BOOL fault_state; + fstring pipe_user_name; + user_struct pipe_user; + /* + * Set to true when an RPC bind has been done on this pipe. + */ + + BOOL pipe_bound; + + /* + * Set to true when we should return fault PDU's for everything. + */ + + BOOL fault_state; + /* * Struct to deal with multiple pdu inputs. */ diff --git a/source3/include/smb.h b/source3/include/smb.h index cb53e7b59e..fdd987457b 100644 --- a/source3/include/smb.h +++ b/source3/include/smb.h @@ -1687,10 +1687,6 @@ struct ncacn_np #include "rpc_creds.h" #include "rpc_secdes.h" #include "nt_printing.h" -#include "ntdomain.h" - -#include "client.h" -#include "rpcclient.h" typedef struct { @@ -1717,6 +1713,11 @@ typedef struct struct dcinfo dc; } user_struct; +#include "ntdomain.h" + +#include "client.h" +#include "rpcclient.h" + /* * Size of new password account encoding string. DO NOT CHANGE. */ diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c index a5d69efd7e..f6746367bb 100644 --- a/source3/rpc_server/srv_pipe.c +++ b/source3/rpc_server/srv_pipe.c @@ -260,7 +260,7 @@ static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlm uchar lm_owf[24]; uchar nt_owf[24]; fstring user_name; - fstring unix_user_name; + fstring pipe_user_name; fstring domain; fstring wks; BOOL guest_user = False; @@ -272,7 +272,7 @@ static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlm DEBUG(5,("api_pipe_ntlmssp_verify: checking user details\n")); memset(p->user_name, '\0', sizeof(p->user_name)); - memset(p->unix_user_name, '\0', sizeof(p->unix_user_name)); + memset(p->pipe_user_name, '\0', sizeof(p->pipe_user_name)); memset(p->domain, '\0', sizeof(p->domain)); memset(p->wks, '\0', sizeof(p->wks)); @@ -317,8 +317,8 @@ static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlm { guest_user = True; - fstrcpy(unix_user_name, lp_guestaccount(-1)); - DEBUG(100,("Null user in NTLMSSP verification. Using guest = %s\n", unix_user_name)); + fstrcpy(pipe_user_name, lp_guestaccount(-1)); + DEBUG(100,("Null user in NTLMSSP verification. Using guest = %s\n", pipe_user_name)); smb_passwd_ptr = null_smb_passwd; @@ -329,8 +329,8 @@ static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlm * function. */ - fstrcpy(unix_user_name, user_name); - (void)map_username(unix_user_name); + fstrcpy(pipe_user_name, user_name); + (void)map_username(pipe_user_name); /* * Do the length checking only if user is not NULL. @@ -353,8 +353,8 @@ static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlm * Find the user in the unix password db. */ - if(!(pass = Get_Pwnam(unix_user_name,True))) { - DEBUG(1,("Couldn't find user '%s' in UNIX password database.\n",unix_user_name)); + if(!(pass = Get_Pwnam(pipe_user_name,True))) { + DEBUG(1,("Couldn't find user '%s' in UNIX password database.\n",pipe_user_name)); return(False); } @@ -362,17 +362,17 @@ static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlm become_root(); - if(!(p->ntlmssp_auth_validated = pass_check_smb(unix_user_name, domain, + if(!(p->ntlmssp_auth_validated = pass_check_smb(pipe_user_name, domain, (uchar*)p->challenge, lm_owf, nt_owf, NULL))) { DEBUG(1,("api_pipe_ntlmssp_verify: User %s\\%s from machine %s \ -failed authentication on named pipe %s.\n", domain, unix_user_name, wks, p->name )); +failed authentication on named pipe %s.\n", domain, pipe_user_name, wks, p->name )); unbecome_root(); return False; } - if(!(smb_pass = getsmbpwnam(unix_user_name))) { + if(!(smb_pass = getsmbpwnam(pipe_user_name))) { DEBUG(1,("api_pipe_ntlmssp_verify: Cannot find user %s in smb passwd database.\n", - unix_user_name)); + pipe_user_name)); unbecome_root(); return False; } @@ -381,18 +381,18 @@ failed authentication on named pipe %s.\n", domain, unix_user_name, wks, p->name if (smb_pass == NULL) { DEBUG(1,("api_pipe_ntlmssp_verify: Couldn't find user '%s' in smb_passwd file.\n", - unix_user_name)); + pipe_user_name)); return(False); } /* Quit if the account was disabled. */ if((smb_pass->acct_ctrl & ACB_DISABLED) || !smb_pass->smb_passwd) { - DEBUG(1,("Account for user '%s' was disabled.\n", unix_user_name)); + DEBUG(1,("Account for user '%s' was disabled.\n", pipe_user_name)); return(False); } if(!smb_pass->smb_nt_passwd) { - DEBUG(1,("Account for user '%s' has no NT password hash.\n", unix_user_name)); + DEBUG(1,("Account for user '%s' has no NT password hash.\n", pipe_user_name)); return(False); } @@ -439,7 +439,7 @@ failed authentication on named pipe %s.\n", domain, unix_user_name, wks, p->name } fstrcpy(p->user_name, user_name); - fstrcpy(p->unix_user_name, unix_user_name); + fstrcpy(p->pipe_user_name, pipe_user_name); fstrcpy(p->domain, domain); fstrcpy(p->wks, wks); @@ -447,8 +447,10 @@ failed authentication on named pipe %s.\n", domain, unix_user_name, wks, p->name * Store the UNIX credential data (uid/gid pair) in the pipe structure. */ - p->uid = pass->pw_uid; - p->gid = pass->pw_gid; + p->pipe_user.uid = pass->pw_uid; + p->pipe_user.gid = pass->pw_gid; + + /* XXX also set up pipe user group membership */ p->ntlmssp_auth_validated = True; return True; diff --git a/source3/rpc_server/srv_pipe_hnd.c b/source3/rpc_server/srv_pipe_hnd.c index b11c76b75d..faba41b925 100644 --- a/source3/rpc_server/srv_pipe_hnd.c +++ b/source3/rpc_server/srv_pipe_hnd.c @@ -106,6 +106,8 @@ static BOOL pipe_init_outgoing_data(output_data *o_data) Attempt to find a remote process to communicate RPC's with. ****************************************************************************/ +#if 0 + static void attempt_remote_rpc_connect(pipes_struct *p) { struct user_creds usr; @@ -152,6 +154,8 @@ static void attempt_remote_rpc_connect(pipes_struct *p) DEBUG(10,("attempt_remote_rpc_connect: msrpc redirect failed - using local implementation.\n")); } +#endif + /**************************************************************************** Find first available pipe slot. ****************************************************************************/ @@ -248,8 +252,10 @@ pipes_struct *open_rpc_pipe_p(char *pipe_name, */ prs_init(&p->out_data.rdata, 0, 4, MARSHALL); - p->uid = (uid_t)-1; - p->gid = (gid_t)-1; + ZERO_STRUCT(p->pipe_user); + + p->pipe_user.uid = (uid_t)-1; + p->pipe_user.gid = (gid_t)-1; fstrcpy(p->name, pipe_name); diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c index e66abd1e98..2078bb5a7d 100644 --- a/source3/smbd/uid.c +++ b/source3/smbd/uid.c @@ -203,7 +203,8 @@ BOOL become_authenticated_pipe_user(pipes_struct *p) return False; } - set_sec_ctx(p->uid, p->gid, 0, NULL); /* fix group stuff */ + set_sec_ctx(p->pipe_user.uid, p->pipe_user.gid, + p->pipe_user.n_groups, p->pipe_user.groups); return True; } -- cgit