00021 #include "includes.h"
00031 extern userdom_struct current_user_info;
00032
/*
 * Strip a group/netgroup prefix from *name and report which lookups to run.
 *
 * Recognised prefixes and the lookup pattern they select. The caller walks
 * the pattern one character at a time: '+' means an NT/Unix group lookup,
 * '&' means a netgroup lookup.
 *
 *   "@"   -> "&+"   (netgroup first, then group)
 *   "+&"  -> "+&"
 *   "+"   -> "+"
 *   "&+"  -> "&+"
 *   "&"   -> "&"
 *
 * On a match *name is advanced past the prefix, *pattern is set to a static
 * string and True is returned. Without a recognised prefix both outputs are
 * left untouched and False is returned. At most the first two characters of
 * *name are examined; the second one is only read when the first is '+' or
 * '&', so a one-character string is safe.
 */
static BOOL do_group_checks(const char **name, const char **pattern)
{
	const char *s = *name;

	switch (s[0]) {
	case '@':
		*pattern = "&+";
		*name = s + 1;
		return True;

	case '+':
		if (s[1] == '&') {
			*pattern = "+&";
			*name = s + 2;
		} else {
			*pattern = "+";
			*name = s + 1;
		}
		return True;

	case '&':
		if (s[1] == '+') {
			*pattern = "&+";
			*name = s + 2;
		} else {
			*pattern = "&";
			*name = s + 1;
		}
		return True;

	default:
		return False;
	}
}
00067
/*
 * Test whether one entry of an access list ("valid users", "read list",
 * ...) matches the given NT token.
 *
 * mem_ctx    talloc context owning the substituted copies of name.
 * username   Unix user name; passed to talloc_sub_basic together with
 *            current_user_info.domain for the user/domain substitutions and
 *            to user_in_netgroup for '&' entries. May be NULL, in which
 *            case the user/domain substitution step is skipped.
 * sharename  substituted for "%S" when non-NULL.
 * token      the NT token (SID list) to check against.
 * name       the raw list entry, possibly carrying a group prefix.
 *
 * Matching order, first hit wins:
 *  1. substitutions (user/domain, then %S) on talloc'd copies;
 *  2. an entry that parses as a SID string is checked directly against the
 *     token;
 *  3. an entry without a prefix must resolve to a *user* SID that is in the
 *     token -- a bare group name never matches;
 *  4. a prefixed entry runs the lookups do_group_checks selects: '+' resolves
 *     the name as a domain group / alias / well-known group and tests the
 *     token for that SID, '&' tests netgroup membership of username.
 *
 * In step 4 a failed '+' lookup, or a result that is not a group, returns
 * False at once; with a "+&" prefix the netgroup half is therefore not tried
 * when the group lookup fails. NOTE(review): username may be NULL here (the
 * 'only user' path in user_ok_token passes NULL) and is then handed straight
 * to user_in_netgroup for '&' entries -- confirm that helper tolerates NULL.
 *
 * Panics if a substitution yields NULL or if do_group_checks returns a
 * pattern character other than '+' or '&'.
 */
static BOOL token_contains_name(TALLOC_CTX *mem_ctx,
				const char *username,
				const char *sharename,
				const struct nt_user_token *token,
				const char *name)
{
	const char *pattern;
	const char *p;
	DOM_SID sid;
	enum lsa_SidType type;

	/* Step 1: user/domain substitution first, then the share name. */
	if (username != NULL) {
		name = talloc_sub_basic(mem_ctx, username,
					current_user_info.domain, name);
	}
	if (sharename != NULL) {
		name = talloc_string_sub(mem_ctx, name, "%S", sharename);
	}
	if (name == NULL) {
		smb_panic("substitutions failed\n");
	}

	/* Step 2: a literal SID string needs no name lookup. */
	if (string_to_sid(&sid, name)) {
		DEBUG(5,("token_contains_name: Checking for SID [%s] in token\n", name));
		return nt_token_check_sid(&sid, token);
	}

	/* Step 3: unprefixed entry -- must be a user SID held by the token. */
	if (!do_group_checks(&name, &pattern)) {
		if (!lookup_name_smbconf(mem_ctx, name, LOOKUP_NAME_ALL,
					 NULL, NULL, &sid, &type)) {
			DEBUG(5, ("lookup_name %s failed\n", name));
			return False;
		}
		if (type != SID_NAME_USER) {
			DEBUG(5, ("%s is a %s, expected a user\n",
				  name, sid_type_lookup(type)));
			return False;
		}
		return nt_token_check_sid(&sid, token);
	}

	/* Step 4: prefixed entry -- run each lookup in pattern order. */
	for (p = pattern; *p != '\0'; p++) {
		switch (*p) {
		case '+':
			if (!lookup_name_smbconf(mem_ctx, name,
						 LOOKUP_NAME_ALL|LOOKUP_NAME_GROUP,
						 NULL, NULL, &sid, &type)) {
				DEBUG(5, ("lookup_name %s failed\n", name));
				return False;
			}
			if ((type != SID_NAME_DOM_GRP) &&
			    (type != SID_NAME_ALIAS) &&
			    (type != SID_NAME_WKN_GRP)) {
				DEBUG(5, ("%s is a %s, expected a group\n",
					  name, sid_type_lookup(type)));
				return False;
			}
			if (nt_token_check_sid(&sid, token)) {
				return True;
			}
			break;

		case '&':
			if (user_in_netgroup(username, name)) {
				return True;
			}
			break;

		default:
			smb_panic("got invalid prefix from do_groups_check\n");
		}
	}

	return False;
}
/*
 * Return True if any entry of the NULL-terminated list matches the token;
 * see token_contains_name for the per-entry rules.
 *
 * A NULL list matches nothing. A fresh talloc context is created to hold
 * the substituted copies each entry produces and is released on every
 * return path; if it cannot be created the server panics instead of
 * continuing without performing the access check.
 */
BOOL token_contains_name_in_list(const char *username,
				 const char *sharename,
				 const struct nt_user_token *token,
				 const char **list)
{
	TALLOC_CTX *tmp_ctx;
	const char **entry;
	BOOL found = False;

	if (list == NULL) {
		return False;
	}

	tmp_ctx = talloc_new(NULL);
	if (tmp_ctx == NULL) {
		smb_panic("talloc_new failed\n");
	}

	for (entry = list; *entry != NULL; entry++) {
		if (token_contains_name(tmp_ctx, username, sharename,
					token, *entry)) {
			found = True;
			break;
		}
	}

	TALLOC_FREE(tmp_ctx);
	return found;
}
/*
 * Decide whether the user described by token may connect to share snum.
 *
 * Three checks run in order and any of them can deny:
 *  1. "invalid users": a match denies. It is tested first, so a user listed
 *     in both "invalid users" and "valid users" is refused.
 *  2. "valid users": when the list is present the token must match one of
 *     its entries.
 *  3. "only user = yes": the token must match the share's "username ="
 *     value. That entry is matched with a NULL user name, so the
 *     user/domain substitutions in token_contains_name are skipped for it
 *     (the %S substitution still applies). A missing or empty "username ="
 *     is logged at level 0 and denies.
 *
 * NOTE(review): step 2 treats any non-NULL list as "restrict access". If
 * lp_valid_users() could return an empty but non-NULL list for an unset
 * parameter, every user would be denied -- confirm it yields NULL then.
 *
 * Returns True only if no check rejected the user.
 */
BOOL user_ok_token(const char *username, struct nt_user_token *token, int snum)
{
	const char **invalid_users = lp_invalid_users(snum);
	const char **valid_users;

	/* Deny list takes precedence over everything below. */
	if (invalid_users != NULL &&
	    token_contains_name_in_list(username, lp_servicename(snum),
					token, invalid_users)) {
		DEBUG(10, ("User %s in 'invalid users'\n", username));
		return False;
	}

	valid_users = lp_valid_users(snum);
	if (valid_users != NULL &&
	    !token_contains_name_in_list(username, lp_servicename(snum),
					 token, valid_users)) {
		DEBUG(10, ("User %s not in 'valid users'\n",
			   username));
		return False;
	}

	if (lp_onlyuser(snum)) {
		const char *only[2];

		only[0] = lp_username(snum);
		only[1] = NULL;
		if (only[0] == NULL || *only[0] == '\0') {
			DEBUG(0, ("'only user = yes' and no 'username ='\n"));
			return False;
		}
		/* NULL user name: no user/domain substitution on the entry. */
		if (!token_contains_name_in_list(NULL, lp_servicename(snum),
						 token, only)) {
			DEBUG(10, ("%s != 'username'\n", username));
			return False;
		}
	}

	DEBUG(10, ("user_ok_token: share %s is ok for unix user %s\n",
		   lp_servicename(snum), username));

	return True;
}
/*
 * Work out whether share snum is read-only for this token.
 *
 * The result starts from the share's "read only" setting. A "read list"
 * match then forces read-only, and a "write list" match forces read-write.
 * The write list is evaluated last, so it wins for a user who matches both
 * lists. The level-10 debug line names the function
 * is_share_read_only_for_user rather than is_share_read_only_for_token.
 *
 * Returns True for read-only, False for read-write.
 */
BOOL is_share_read_only_for_token(const char *username,
				  struct nt_user_token *token, int snum)
{
	BOOL read_only = lp_readonly(snum);
	const char **read_list = lp_readlist(snum);
	const char **write_list;

	if (read_list != NULL &&
	    token_contains_name_in_list(username, lp_servicename(snum),
					token, read_list)) {
		read_only = True;
	}

	/* Evaluated after the read list on purpose: write access wins. */
	write_list = lp_writelist(snum);
	if (write_list != NULL &&
	    token_contains_name_in_list(username, lp_servicename(snum),
					token, write_list)) {
		read_only = False;
	}

	DEBUG(10,("is_share_read_only_for_user: share %s is %s for unix user "
		  "%s\n", lp_servicename(snum),
		  read_only ? "read-only" : "read-write", username));

	return read_only;
}