smbd/share_access.c

説明を見る。
00001 /* 
00002    Unix SMB/CIFS implementation.
00003    Check access based on valid users, read list and friends
00004    Copyright (C) Volker Lendecke 2005
00005    
00006    This program is free software; you can redistribute it and/or modify
00007    it under the terms of the GNU General Public License as published by
00008    the Free Software Foundation; either version 2 of the License, or
00009    (at your option) any later version.
00010    
00011    This program is distributed in the hope that it will be useful,
00012    but WITHOUT ANY WARRANTY; without even the implied warranty of
00013    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
00014    GNU General Public License for more details.
00015    
00016    You should have received a copy of the GNU General Public License
00017    along with this program; if not, write to the Free Software
00018    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
00019 */
00020 
00021 #include "includes.h"
00022 
00023 /*
00024  * No prefix means direct username
00025  * @name means netgroup first, then unix group
00026  * &name means netgroup
00027  * +name means unix group
00028  * + and & may be combined
00029  */
00030 
00031 extern userdom_struct current_user_info;
00032 
00033 static BOOL do_group_checks(const char **name, const char **pattern)
00034 {
00035         if ((*name)[0] == '@') {
00036                 *pattern = "&+";
00037                 *name += 1;
00038                 return True;
00039         }
00040 
00041         if (((*name)[0] == '+') && ((*name)[1] == '&')) {
00042                 *pattern = "+&";
00043                 *name += 2;
00044                 return True;
00045         }
00046 
00047         if ((*name)[0] == '+') {
00048                 *pattern = "+";
00049                 *name += 1;
00050                 return True;
00051         }
00052 
00053         if (((*name)[0] == '&') && ((*name)[1] == '+')) {
00054                 *pattern = "&+";
00055                 *name += 2;
00056                 return True;
00057         }
00058 
00059         if ((*name)[0] == '&') {
00060                 *pattern = "&";
00061                 *name += 1;
00062                 return True;
00063         }
00064 
00065         return False;
00066 }
00067 
00068 static BOOL token_contains_name(TALLOC_CTX *mem_ctx,
00069                                 const char *username,
00070                                 const char *sharename,
00071                                 const struct nt_user_token *token,
00072                                 const char *name)
00073 {
00074         const char *prefix;
00075         DOM_SID sid;
00076         enum lsa_SidType type;
00077 
00078         if (username != NULL) {
00079                 name = talloc_sub_basic(mem_ctx, username,
00080                                         current_user_info.domain, name);
00081         }
00082         if (sharename != NULL) {
00083                 name = talloc_string_sub(mem_ctx, name, "%S", sharename);
00084         }
00085 
00086         if (name == NULL) {
00087                 /* This is too security sensitive, better panic than return a
00088                  * result that might be interpreted in a wrong way. */
00089                 smb_panic("substitutions failed\n");
00090         }
00091         
00092         /* check to see is we already have a SID */
00093 
00094         if ( string_to_sid( &sid, name ) ) {
00095                 DEBUG(5,("token_contains_name: Checking for SID [%s] in token\n", name));
00096                 return nt_token_check_sid( &sid, token );
00097         }
00098 
00099         if (!do_group_checks(&name, &prefix)) {
00100                 if (!lookup_name_smbconf(mem_ctx, name, LOOKUP_NAME_ALL,
00101                                  NULL, NULL, &sid, &type)) {
00102                         DEBUG(5, ("lookup_name %s failed\n", name));
00103                         return False;
00104                 }
00105                 if (type != SID_NAME_USER) {
00106                         DEBUG(5, ("%s is a %s, expected a user\n",
00107                                   name, sid_type_lookup(type)));
00108                         return False;
00109                 }
00110                 return nt_token_check_sid(&sid, token);
00111         }
00112 
00113         for (/* initialized above */ ; *prefix != '\0'; prefix++) {
00114                 if (*prefix == '+') {
00115                         if (!lookup_name_smbconf(mem_ctx, name,
00116                                          LOOKUP_NAME_ALL|LOOKUP_NAME_GROUP,
00117                                          NULL, NULL, &sid, &type)) {
00118                                 DEBUG(5, ("lookup_name %s failed\n", name));
00119                                 return False;
00120                         }
00121                         if ((type != SID_NAME_DOM_GRP) &&
00122                             (type != SID_NAME_ALIAS) &&
00123                             (type != SID_NAME_WKN_GRP)) {
00124                                 DEBUG(5, ("%s is a %s, expected a group\n",
00125                                           name, sid_type_lookup(type)));
00126                                 return False;
00127                         }
00128                         if (nt_token_check_sid(&sid, token)) {
00129                                 return True;
00130                         }
00131                         continue;
00132                 }
00133                 if (*prefix == '&') {
00134                         if (user_in_netgroup(username, name)) {
00135                                 return True;
00136                         }
00137                         continue;
00138                 }
00139                 smb_panic("got invalid prefix from do_groups_check\n");
00140         }
00141         return False;
00142 }
00143 
00144 /*
00145  * Check whether a user is contained in the list provided.
00146  *
00147  * Please note that the user name and share names passed in here mainly for
00148  * the substitution routines that expand the parameter values, the decision
00149  * whether a user is in the list is done after a lookup_name on the expanded
00150  * parameter value, solely based on comparing the SIDs in token.
00151  *
00152  * The other use is the netgroup check when using @group or &group.
00153  */
00154 
00155 BOOL token_contains_name_in_list(const char *username,
00156                                  const char *sharename,
00157                                  const struct nt_user_token *token,
00158                                  const char **list)
00159 {
00160         TALLOC_CTX *mem_ctx;
00161 
00162         if (list == NULL) {
00163                 return False;
00164         }
00165 
00166         if ( (mem_ctx = talloc_new(NULL)) == NULL ) {
00167                 smb_panic("talloc_new failed\n");
00168         }
00169 
00170         while (*list != NULL) {
00171                 if (token_contains_name(mem_ctx, username, sharename,token, *list)) {
00172                         TALLOC_FREE(mem_ctx);
00173                         return True;
00174                 }
00175                 list += 1;
00176         }
00177 
00178         TALLOC_FREE(mem_ctx);
00179         return False;
00180 }
00181 
00182 /*
00183  * Check whether the user described by "token" has access to share snum.
00184  *
00185  * This looks at "invalid users", "valid users" and "only user/username"
00186  *
00187  * Please note that the user name and share names passed in here mainly for
00188  * the substitution routines that expand the parameter values, the decision
00189  * whether a user is in the list is done after a lookup_name on the expanded
00190  * parameter value, solely based on comparing the SIDs in token.
00191  *
00192  * The other use is the netgroup check when using @group or &group.
00193  */
00194 
00195 BOOL user_ok_token(const char *username, struct nt_user_token *token, int snum)
00196 {
00197         if (lp_invalid_users(snum) != NULL) {
00198                 if (token_contains_name_in_list(username, lp_servicename(snum),
00199                                                 token,
00200                                                 lp_invalid_users(snum))) {
00201                         DEBUG(10, ("User %s in 'invalid users'\n", username));
00202                         return False;
00203                 }
00204         }
00205 
00206         if (lp_valid_users(snum) != NULL) {
00207                 if (!token_contains_name_in_list(username,
00208                                                  lp_servicename(snum), token,
00209                                                  lp_valid_users(snum))) {
00210                         DEBUG(10, ("User %s not in 'valid users'\n",
00211                                    username));
00212                         return False;
00213                 }
00214         }
00215 
00216         if (lp_onlyuser(snum)) {
00217                 const char *list[2];
00218                 list[0] = lp_username(snum);
00219                 list[1] = NULL;
00220                 if ((list[0] == NULL) || (*list[0] == '\0')) {
00221                         DEBUG(0, ("'only user = yes' and no 'username ='\n"));
00222                         return False;
00223                 }
00224                 if (!token_contains_name_in_list(NULL, lp_servicename(snum),
00225                                                  token, list)) {
00226                         DEBUG(10, ("%s != 'username'\n", username));
00227                         return False;
00228                 }
00229         }
00230 
00231         DEBUG(10, ("user_ok_token: share %s is ok for unix user %s\n",
00232                    lp_servicename(snum), username));
00233 
00234         return True;
00235 }
00236 
00237 /*
00238  * Check whether the user described by "token" is restricted to read-only
00239  * access on share snum.
00240  *
00241  * This looks at "invalid users", "valid users" and "only user/username"
00242  *
00243  * Please note that the user name and share names passed in here mainly for
00244  * the substitution routines that expand the parameter values, the decision
00245  * whether a user is in the list is done after a lookup_name on the expanded
00246  * parameter value, solely based on comparing the SIDs in token.
00247  *
00248  * The other use is the netgroup check when using @group or &group.
00249  */
00250 
00251 BOOL is_share_read_only_for_token(const char *username,
00252                                   struct nt_user_token *token, int snum)
00253 {
00254         BOOL result = lp_readonly(snum);
00255 
00256         if (lp_readlist(snum) != NULL) {
00257                 if (token_contains_name_in_list(username,
00258                                                 lp_servicename(snum), token,
00259                                                 lp_readlist(snum))) {
00260                         result = True;
00261                 }
00262         }
00263 
00264         if (lp_writelist(snum) != NULL) {
00265                 if (token_contains_name_in_list(username,
00266                                                 lp_servicename(snum), token,
00267                                                 lp_writelist(snum))) {
00268                         result = False;
00269                 }
00270         }
00271 
00272         DEBUG(10,("is_share_read_only_for_user: share %s is %s for unix user "
00273                   "%s\n", lp_servicename(snum),
00274                   result ? "read-only" : "read-write", username));
00275 
00276         return result;
00277 }

Sambaに対してSat Aug 29 21:23:26 2009に生成されました。  doxygen 1.4.7