関数 | |
static BOOL | do_group_checks (const char **name, const char **pattern) |
static BOOL | token_contains_name (TALLOC_CTX *mem_ctx, const char *username, const char *sharename, const struct nt_user_token *token, const char *name) |
BOOL | token_contains_name_in_list (const char *username, const char *sharename, const struct nt_user_token *token, const char **list) |
BOOL | user_ok_token (const char *username, struct nt_user_token *token, int snum) |
BOOL | is_share_read_only_for_token (const char *username, struct nt_user_token *token, int snum) |
変数 | |
userdom_struct | current_user_info |
/*
 * do_group_checks: consume a group/netgroup prefix from *name and tell the
 * caller which lookups to run for the remaining name.
 *
 * Recognised prefixes, longest form first: "@", "+&", "+", "&+", "&".
 * On a match *name is advanced past the prefix and *pattern is set to a
 * string of lookup kinds to try in order: '+' is a group lookup, '&' is a
 * netgroup lookup. A leading "@" is shorthand for "&+".
 *
 * Returns True when a prefix was consumed; False when *name carries no
 * prefix, in which case *name and *pattern are left untouched.
 *
 * Defined in share_access.c (line 33 on this page).
 */
static BOOL do_group_checks(const char **name, const char **pattern)
{
	const char *s = *name;

	switch (s[0]) {
	case '@':
		*pattern = "&+";
		*name = s + 1;
		return True;

	case '+':
		if (s[1] == '&') {
			*pattern = "+&";
			*name = s + 2;
		} else {
			*pattern = "+";
			*name = s + 1;
		}
		return True;

	case '&':
		if (s[1] == '+') {
			*pattern = "&+";
			*name = s + 2;
		} else {
			*pattern = "&";
			*name = s + 1;
		}
		return True;

	default:
		return False;
	}
}
/*
 * token_contains_name: does one access-list entry match this token?
 *
 * mem_ctx   talloc context for the substituted copies of name.
 * username  unix user name used for substitutions and netgroup checks;
 *           may be NULL, in which case talloc_sub_basic() is skipped.
 * sharename share name substituted for "%S" in name; may be NULL.
 * token     the NT token whose SIDs are checked.
 * name      one entry from a smb.conf list such as 'valid users'. It may
 *           be a literal SID, a user name, or a name carrying one of the
 *           group prefixes understood by do_group_checks().
 *
 * Returns True only when the entry positively matches the token (or the
 * netgroup); every lookup failure returns False, i.e. the decision fails
 * closed. Panics if the substitutions fail or do_group_checks() hands
 * back an unknown prefix character.
 *
 * Defined in share_access.c (line 68 on this page).
 * Referenced by token_contains_name_in_list().
 */
static BOOL token_contains_name(TALLOC_CTX *mem_ctx,
				const char *username,
				const char *sharename,
				const struct nt_user_token *token,
				const char *name)
{
	const char *prefix;
	DOM_SID sid;
	enum lsa_SidType type;

	/* Per-user substitutions (presumably the %U/%D family handled by
	 * talloc_sub_basic — see that function) only when a user is known. */
	if (username != NULL) {
		name = talloc_sub_basic(mem_ctx, username,
					current_user_info.domain, name);
	}
	/* "%S" always expands to the share being accessed. */
	if (sharename != NULL) {
		name = talloc_string_sub(mem_ctx, name, "%S", sharename);
	}

	if (name == NULL) {
		/* This is too security sensitive, better panic than return a
		 * result that might be interpreted in a wrong way. */
		smb_panic("substitutions failed\n");
	}

	/* check to see is we already have a SID */

	if ( string_to_sid( &sid, name ) ) {
		DEBUG(5,("token_contains_name: Checking for SID [%s] in token\n", name));
		return nt_token_check_sid( &sid, token );
	}

	/* No prefix: the entry must resolve to a *user*. A name that
	 * resolves to a group is rejected here rather than matched, so a
	 * group cannot be smuggled into a user-only list without a prefix. */
	if (!do_group_checks(&name, &prefix)) {
		if (!lookup_name_smbconf(mem_ctx, name, LOOKUP_NAME_ALL,
				 NULL, NULL, &sid, &type)) {
			DEBUG(5, ("lookup_name %s failed\n", name));
			return False;
		}
		if (type != SID_NAME_USER) {
			DEBUG(5, ("%s is a %s, expected a user\n",
				  name, sid_type_lookup(type)));
			return False;
		}
		return nt_token_check_sid(&sid, token);
	}

	/* Prefixed entry: name now points past the prefix and prefix holds
	 * the lookup order ('+' group, '&' netgroup). The first positive
	 * match wins; a failed or wrong-typed group lookup returns False
	 * immediately, even if a '&' lookup is still pending. */
	for (/* initialized above */ ; *prefix != '\0'; prefix++) {
		if (*prefix == '+') {
			if (!lookup_name_smbconf(mem_ctx, name,
					 LOOKUP_NAME_ALL|LOOKUP_NAME_GROUP,
					 NULL, NULL, &sid, &type)) {
				DEBUG(5, ("lookup_name %s failed\n", name));
				return False;
			}
			/* Only genuine group-like SID types are accepted. */
			if ((type != SID_NAME_DOM_GRP) &&
			    (type != SID_NAME_ALIAS) &&
			    (type != SID_NAME_WKN_GRP)) {
				DEBUG(5, ("%s is a %s, expected a group\n",
					  name, sid_type_lookup(type)));
				return False;
			}
			if (nt_token_check_sid(&sid, token)) {
				return True;
			}
			continue;
		}
		if (*prefix == '&') {
			/* NOTE(review): username may be NULL on this path
			 * (user_ok_token's 'only user' branch passes NULL);
			 * confirm user_in_netgroup() tolerates that. */
			if (user_in_netgroup(username, name)) {
				return True;
			}
			continue;
		}
		smb_panic("got invalid prefix from do_groups_check\n");
	}
	return False;
}
/*
 * token_contains_name_in_list: does any entry of a smb.conf user list
 * match this token?
 *
 * username  unix user name handed to token_contains_name(); may be NULL.
 * sharename share name for "%S" substitution; may be NULL.
 * token     the NT token being tested.
 * list      NULL-terminated array of list entries, or NULL for "no list".
 *
 * Returns True on the first matching entry, False when the list is NULL
 * or exhausted without a match. A temporary talloc context is created for
 * the substitutions and released before returning on every path; the
 * function panics if that context cannot be allocated.
 *
 * Defined in share_access.c (line 155 on this page).
 * Referenced by _spoolss_deleteprinterdriver(),
 * _spoolss_deleteprinterdriverex(), _spoolss_open_printer_ex(),
 * is_share_read_only_for_token(), print_access_check() and
 * user_ok_token().
 */
BOOL token_contains_name_in_list(const char *username,
				 const char *sharename,
				 const struct nt_user_token *token,
				 const char **list)
{
	TALLOC_CTX *mem_ctx;
	const char **entry;
	BOOL found = False;

	if (list == NULL) {
		return False;
	}

	mem_ctx = talloc_new(NULL);
	if (mem_ctx == NULL) {
		smb_panic("talloc_new failed\n");
	}

	/* Stop at the first hit; entries after it are never examined. */
	for (entry = list; *entry != NULL; entry++) {
		if (token_contains_name(mem_ctx, username, sharename,
					token, *entry)) {
			found = True;
			break;
		}
	}

	TALLOC_FREE(mem_ctx);
	return found;
}
/*
 * user_ok_token: may this user connect to share snum at all?
 *
 * Checks, in order, and denies on the first failure:
 *   1. 'invalid users'  — a match denies access;
 *   2. 'valid users'    — if set, a non-match denies access;
 *   3. 'only user = yes' — the token must match 'username =', which must
 *      be configured and non-empty.
 *
 * username  unix user name (used for substitutions and in log messages).
 * token     the NT token of the connecting user.
 * snum      service number of the share.
 *
 * Returns True when every configured check passes.
 *
 * Defined in share_access.c (line 195 on this page).
 * Referenced by _spoolss_open_printer_ex() and make_connection_snum().
 */
BOOL user_ok_token(const char *username, struct nt_user_token *token, int snum)
{
	/* Deny list is evaluated first and overrides everything below. */
	if ((lp_invalid_users(snum) != NULL) &&
	    token_contains_name_in_list(username, lp_servicename(snum),
					token, lp_invalid_users(snum))) {
		DEBUG(10, ("User %s in 'invalid users'\n", username));
		return False;
	}

	/* Allow list: when configured, membership is mandatory. */
	if ((lp_valid_users(snum) != NULL) &&
	    !token_contains_name_in_list(username,
					 lp_servicename(snum), token,
					 lp_valid_users(snum))) {
		DEBUG(10, ("User %s not in 'valid users'\n",
			   username));
		return False;
	}

	if (lp_onlyuser(snum)) {
		const char *only[2] = { lp_username(snum), NULL };

		/* Misconfiguration: 'only user' without a 'username ='
		 * would otherwise match nothing silently, so log loudly. */
		if ((only[0] == NULL) || (only[0][0] == '\0')) {
			DEBUG(0, ("'only user = yes' and no 'username ='\n"));
			return False;
		}
		/* username is passed as NULL on purpose: token_contains_name()
		 * then skips the talloc_sub_basic() step, so the configured
		 * 'username =' value is matched without per-user substitution. */
		if (!token_contains_name_in_list(NULL, lp_servicename(snum),
						 token, only)) {
			DEBUG(10, ("%s != 'username'\n", username));
			return False;
		}
	}

	DEBUG(10, ("user_ok_token: share %s is ok for unix user %s\n",
		   lp_servicename(snum), username));

	return True;
}
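/*
 * is_share_read_only_for_token: decide whether share snum is read-only
 * for the user described by username/token.
 *
 * Evaluation order, each later step overriding the earlier ones:
 *   1. start from the share's 'read only' setting;
 *   2. a match in 'read list' forces read-only;
 *   3. a match in 'write list' forces read-write.
 * A user named in both lists therefore ends up with write access.
 *
 * username  unix user name (used for substitutions and in the log line).
 * token     the NT token of the connecting user.
 * snum      service number of the share.
 *
 * Returns True for read-only, False for read-write.
 *
 * Defined in share_access.c (line 251 on this page).
 */
BOOL is_share_read_only_for_token(const char *username,
				  struct nt_user_token *token,
				  int snum)
{
	BOOL result = lp_readonly(snum);

	if ((lp_readlist(snum) != NULL) &&
	    token_contains_name_in_list(username, lp_servicename(snum),
					token, lp_readlist(snum))) {
		result = True;
	}

	/* 'write list' is checked last so that it wins over 'read list'. */
	if ((lp_writelist(snum) != NULL) &&
	    token_contains_name_in_list(username, lp_servicename(snum),
					token, lp_writelist(snum))) {
		result = False;
	}

	/* Log under this function's own name: the previous message said
	 * "is_share_read_only_for_user", which sent anyone tracing access
	 * decisions in level-10 debug output to a function that does not
	 * exist on this page. */
	DEBUG(10, ("is_share_read_only_for_token: share %s is %s for unix user "
		   "%s\n", lp_servicename(snum),
		   result ? "read-only" : "read-write", username));

	return result;
}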
substitute.c の 29 行で定義されています。