From 0af1500fc0bafe61019f1b2ab1d9e1d369221240 Mon Sep 17 00:00:00 2001
From: Gerald Carter <jerry@samba.org>
Date: Fri, 3 Feb 2006 22:19:41 +0000
Subject: r13316: Let the carnage begin.... Sync with trunk as off r13315 (This
 used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)

---
 source3/auth/auth_rhosts.c | 190 +++++++++++++++++++++++----------------------
 1 file changed, 97 insertions(+), 93 deletions(-)

(limited to 'source3/auth/auth_rhosts.c')

diff --git a/source3/auth/auth_rhosts.c b/source3/auth/auth_rhosts.c
index b561e3d42b..e310fa80fd 100644
--- a/source3/auth/auth_rhosts.c
+++ b/source3/auth/auth_rhosts.c
@@ -60,103 +60,101 @@ static NTSTATUS auth_get_sam_account(const char *user, SAM_ACCOUNT **account)
 
 static BOOL check_user_equiv(const char *user, const char *remote, const char *equiv_file)
 {
-  int plus_allowed = 1;
-  char *file_host;
-  char *file_user;
-  char **lines = file_lines_load(equiv_file, NULL);
-  int i;
-
-  DEBUG(5, ("check_user_equiv %s %s %s\n", user, remote, equiv_file));
-  if (! lines) return False;
-  for (i=0; lines[i]; i++) {
-    char *buf = lines[i];
-    trim_char(buf,' ',' ');
-
-    if (buf[0] != '#' && buf[0] != '\n') 
-    {
-      BOOL is_group = False;
-      int plus = 1;
-      char *bp = buf;
-      if (strcmp(buf, "NO_PLUS\n") == 0)
-      {
-	DEBUG(6, ("check_user_equiv NO_PLUS\n"));
-	plus_allowed = 0;
-      }
-      else {
-	if (buf[0] == '+') 
-	{
-	  bp++;
-	  if (*bp == '\n' && plus_allowed) 
-	  {
-	    /* a bare plus means everbody allowed */
-	    DEBUG(6, ("check_user_equiv everybody allowed\n"));
-	    file_lines_free(lines);
-	    return True;
-	  }
-	}
-	else if (buf[0] == '-')
-	{
-	  bp++;
-	  plus = 0;
-	}
-	if (*bp == '@') 
-	{
-	  is_group = True;
-	  bp++;
+	int plus_allowed = 1;
+	char *file_host;
+	char *file_user;
+	char **lines = file_lines_load(equiv_file, NULL,0);
+	int i;
+
+	DEBUG(5, ("check_user_equiv %s %s %s\n", user, remote, equiv_file));
+	if (! lines) {
+		return False;
 	}
-	file_host = strtok(bp, " \t\n");
-	file_user = strtok(NULL, " \t\n");
-	DEBUG(7, ("check_user_equiv %s %s\n", file_host ? file_host : "(null)", 
-                 file_user ? file_user : "(null)" ));
-	if (file_host && *file_host) 
-	{
-	  BOOL host_ok = False;
+	for (i=0; lines[i]; i++) {
+		char *buf = lines[i];
+		trim_char(buf,' ',' ');
+
+		if (buf[0] != '#' && buf[0] != '\n') {
+			BOOL is_group = False;
+			int plus = 1;
+			char *bp = buf;
+
+			if (strcmp(buf, "NO_PLUS\n") == 0) {
+				DEBUG(6, ("check_user_equiv NO_PLUS\n"));
+				plus_allowed = 0;
+			} else {
+				if (buf[0] == '+') {
+					bp++;
+					if (*bp == '\n' && plus_allowed) {
+						/* a bare plus means everbody allowed */
+						DEBUG(6, ("check_user_equiv everybody allowed\n"));
+						file_lines_free(lines);
+						return True;
+					}
+				} else if (buf[0] == '-') {
+					bp++;
+					plus = 0;
+				}
+				if (*bp == '@') {
+					is_group = True;
+					bp++;
+				}
+				file_host = strtok(bp, " \t\n");
+				file_user = strtok(NULL, " \t\n");
+				DEBUG(7, ("check_user_equiv %s %s\n", file_host ? file_host : "(null)", 
+					file_user ? file_user : "(null)" ));
+
+				if (file_host && *file_host) {
+					BOOL host_ok = False;
 
 #if defined(HAVE_NETGROUP) && defined(HAVE_YP_GET_DEFAULT_DOMAIN)
-	  if (is_group)
-	    {
-	      static char *mydomain = NULL;
-	      if (!mydomain)
-		yp_get_default_domain(&mydomain);
-	      if (mydomain && innetgr(file_host,remote,user,mydomain))
-		host_ok = True;
-	    }
+					if (is_group) {
+						static char *mydomain = NULL;
+						if (!mydomain) {
+							yp_get_default_domain(&mydomain);
+						}
+						if (mydomain && innetgr(file_host,remote,user,mydomain)) {
+							host_ok = True;
+						}
+					}
 #else
-	  if (is_group)
-	    {
-	      DEBUG(1,("Netgroups not configured\n"));
-	      continue;
-	    }
+					if (is_group) {
+						DEBUG(1,("Netgroups not configured\n"));
+						continue;
+					}
 #endif
 
-	  /* is it this host */
-	  /* the fact that remote has come from a call of gethostbyaddr
-	   * means that it may have the fully qualified domain name
-	   * so we could look up the file version to get it into
-	   * a canonical form, but I would rather just type it
-	   * in full in the equiv file
-	   */
-	  if (!host_ok && !is_group && strequal(remote, file_host))
-	    host_ok = True;
-
-	  if (!host_ok)
-	    continue;
-
-	  /* is it this user */
-	  if (file_user == 0 || strequal(user, file_user)) 
-	    {
-	      DEBUG(5, ("check_user_equiv matched %s%s %s\n",
-			(plus ? "+" : "-"), file_host,
-			(file_user ? file_user : "")));
-	      file_lines_free(lines);
-	      return (plus ? True : False);
-	    }
+					/* is it this host */
+					/* the fact that remote has come from a call of gethostbyaddr
+					 * means that it may have the fully qualified domain name
+					 * so we could look up the file version to get it into
+					 * a canonical form, but I would rather just type it
+					 * in full in the equiv file
+					 */
+
+					if (!host_ok && !is_group && strequal(remote, file_host)) {
+						host_ok = True;
+					}
+
+					if (!host_ok) {
+						continue;
+					}
+
+					/* is it this user */
+					if (file_user == 0 || strequal(user, file_user)) {
+						DEBUG(5, ("check_user_equiv matched %s%s %s\n",
+							(plus ? "+" : "-"), file_host,
+							(file_user ? file_user : "")));
+						file_lines_free(lines);
+						return (plus ? True : False);
+					}
+				}
+			}
+		}
 	}
-      }
-    }
-  }
-  file_lines_free(lines);
-  return False;
+
+	file_lines_free(lines);
+	return False;
 }
 
 /****************************************************************************
@@ -169,7 +167,7 @@ static BOOL check_hosts_equiv(SAM_ACCOUNT *account)
 	char *fname = NULL;
 
 	fname = lp_hosts_equiv();
-	if (!NT_STATUS_IS_OK(sid_to_uid(pdb_get_user_sid(account), &uid)))
+	if (!sid_to_uid(pdb_get_user_sid(account), &uid))
 		return False;
 
 	/* note: don't allow hosts.equiv on root */
@@ -195,7 +193,7 @@ static NTSTATUS check_hostsequiv_security(const struct auth_context *auth_contex
 	NTSTATUS nt_status;
 	SAM_ACCOUNT *account = NULL;
 	if (!NT_STATUS_IS_OK(nt_status = 
-			     auth_get_sam_account(user_info->internal_username.str, 
+			     auth_get_sam_account(user_info->internal_username,
 						  &account))) {
 		if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) 
 			nt_status = NT_STATUS_NOT_IMPLEMENTED;
@@ -204,6 +202,9 @@ static NTSTATUS check_hostsequiv_security(const struct auth_context *auth_contex
 
 	if (check_hosts_equiv(account)) {
 		nt_status = make_server_info_sam(server_info, account);
+		if (!NT_STATUS_IS_OK(nt_status)) {
+			pdb_free_sam(&account);
+		}
 	} else {
 		pdb_free_sam(&account);
 		nt_status = NT_STATUS_NOT_IMPLEMENTED;
@@ -241,7 +242,7 @@ static NTSTATUS check_rhosts_security(const struct auth_context *auth_context,
 	const char *home;
 	
 	if (!NT_STATUS_IS_OK(nt_status = 
-			     auth_get_sam_account(user_info->internal_username.str, 
+			     auth_get_sam_account(user_info->internal_username,
 						  &account))) {
 		if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) 
 			nt_status = NT_STATUS_NOT_IMPLEMENTED;
@@ -255,6 +256,9 @@ static NTSTATUS check_rhosts_security(const struct auth_context *auth_context,
 		become_root();
 		if (check_user_equiv(pdb_get_username(account),client_name(),rhostsfile)) {
 			nt_status = make_server_info_sam(server_info, account);
+			if (!NT_STATUS_IS_OK(nt_status)) {
+				pdb_free_sam(&account);
+			}
 		} else {
 			pdb_free_sam(&account);
 		}
-- 
cgit