2012-10-19 21:48:20 +02:00
/*
2006-02-03 22:19:41 +00:00
Unix SMB / CIFS implementation .
Check access based on valid users , read list and friends
Copyright ( C ) Volker Lendecke 2005
2012-10-19 21:48:20 +02:00
2006-02-03 22:19:41 +00:00
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
2007-07-09 19:25:36 +00:00
the Free Software Foundation ; either version 3 of the License , or
2006-02-03 22:19:41 +00:00
( at your option ) any later version .
2012-10-19 21:48:20 +02:00
2006-02-03 22:19:41 +00:00
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
2012-10-19 21:48:20 +02:00
2006-02-03 22:19:41 +00:00
You should have received a copy of the GNU General Public License
2007-07-10 00:52:41 +00:00
along with this program . If not , see < http : //www.gnu.org/licenses/>.
2006-02-03 22:19:41 +00:00
*/
# include "includes.h"
2011-03-22 16:57:01 +01:00
# include "smbd/smbd.h"
2009-05-26 16:38:45 +02:00
# include "smbd/globals.h"
2010-10-12 15:27:50 +11:00
# include "../libcli/security/security.h"
2011-03-22 16:50:02 +01:00
# include "passdb/lookup_sid.h"
2011-03-24 13:46:20 +01:00
# include "auth.h"
2021-11-10 20:18:07 +01:00
# include "source3/lib/substitute.h"
2006-02-03 22:19:41 +00:00
/*
2022-06-03 15:07:18 +02:00
* No prefix means direct username
* @ name means netgroup first , then unix group
* & name means netgroup
* + name means unix group
* + and & may be combined
2006-02-03 22:19:41 +00:00
*/
2007-10-18 17:40:25 -07:00
static bool do_group_checks ( const char * * name , const char * * pattern )
2006-02-03 22:19:41 +00:00
{
if ( ( * name ) [ 0 ] = = ' @ ' ) {
2022-06-03 15:07:18 +02:00
* pattern = " &+ " ;
2006-02-03 22:19:41 +00:00
* name + = 1 ;
return True ;
}
if ( ( ( * name ) [ 0 ] = = ' + ' ) & & ( ( * name ) [ 1 ] = = ' & ' ) ) {
2022-06-03 15:07:18 +02:00
* pattern = " +& " ;
2006-02-03 22:19:41 +00:00
* name + = 2 ;
return True ;
}
if ( ( * name ) [ 0 ] = = ' + ' ) {
* pattern = " + " ;
* name + = 1 ;
return True ;
}
if ( ( ( * name ) [ 0 ] = = ' & ' ) & & ( ( * name ) [ 1 ] = = ' + ' ) ) {
2022-06-03 15:07:18 +02:00
* pattern = " &+ " ;
2006-02-03 22:19:41 +00:00
* name + = 2 ;
return True ;
}
if ( ( * name ) [ 0 ] = = ' & ' ) {
2022-06-03 15:07:18 +02:00
* pattern = " & " ;
2006-02-03 22:19:41 +00:00
* name + = 1 ;
return True ;
}
return False ;
}
2007-10-18 17:40:25 -07:00
static bool token_contains_name ( TALLOC_CTX * mem_ctx ,
2006-02-03 22:19:41 +00:00
const char * username ,
2008-05-11 01:03:45 +02:00
const char * domain ,
2006-02-03 22:19:41 +00:00
const char * sharename ,
2010-08-26 20:04:11 +10:00
const struct security_token * token ,
2006-02-03 22:19:41 +00:00
const char * name )
{
const char * prefix ;
2010-05-21 11:25:01 +10:00
struct dom_sid sid ;
2006-09-08 14:28:06 +00:00
enum lsa_SidType type ;
2006-02-03 22:19:41 +00:00
if ( username ! = NULL ) {
2020-11-11 13:42:06 +01:00
size_t domain_len = domain ! = NULL ? strlen ( domain ) : 0 ;
2020-08-17 14:12:48 +02:00
/* Check if username starts with domain name */
if ( domain_len > 0 ) {
const char * sep = lp_winbind_separator ( ) ;
int cmp = strncasecmp_m ( username , domain , domain_len ) ;
if ( cmp = = 0 & & sep [ 0 ] = = username [ domain_len ] ) {
/* Move after the winbind separator */
domain_len + = 1 ;
} else {
domain_len = 0 ;
}
}
name = talloc_sub_basic ( mem_ctx ,
username + domain_len ,
domain ,
name ) ;
2006-02-03 22:19:41 +00:00
}
if ( sharename ! = NULL ) {
name = talloc_string_sub ( mem_ctx , name , " %S " , sharename ) ;
}
if ( name = = NULL ) {
/* This is too security sensitive, better panic than return a
* result that might be interpreted in a wrong way . */
2007-06-15 21:58:49 +00:00
smb_panic ( " substitutions failed " ) ;
2006-02-03 22:19:41 +00:00
}
2012-10-19 21:48:20 +02:00
2006-03-09 15:51:55 +00:00
if ( string_to_sid ( & sid , name ) ) {
DEBUG ( 5 , ( " token_contains_name: Checking for SID [%s] in token \n " , name ) ) ;
return nt_token_check_sid ( & sid , token ) ;
}
2006-02-03 22:19:41 +00:00
if ( ! do_group_checks ( & name , & prefix ) ) {
2006-08-04 21:07:32 +00:00
if ( ! lookup_name_smbconf ( mem_ctx , name , LOOKUP_NAME_ALL ,
2006-02-03 22:19:41 +00:00
NULL , NULL , & sid , & type ) ) {
DEBUG ( 5 , ( " lookup_name %s failed \n " , name ) ) ;
return False ;
}
if ( type ! = SID_NAME_USER ) {
DEBUG ( 5 , ( " %s is a %s, expected a user \n " ,
name , sid_type_lookup ( type ) ) ) ;
return False ;
}
return nt_token_check_sid ( & sid , token ) ;
}
for ( /* initialized above */ ; * prefix ! = ' \0 ' ; prefix + + ) {
if ( * prefix = = ' + ' ) {
2006-08-04 21:07:32 +00:00
if ( ! lookup_name_smbconf ( mem_ctx , name ,
2006-02-03 22:19:41 +00:00
LOOKUP_NAME_ALL | LOOKUP_NAME_GROUP ,
NULL , NULL , & sid , & type ) ) {
DEBUG ( 5 , ( " lookup_name %s failed \n " , name ) ) ;
return False ;
}
if ( ( type ! = SID_NAME_DOM_GRP ) & &
( type ! = SID_NAME_ALIAS ) & &
( type ! = SID_NAME_WKN_GRP ) ) {
DEBUG ( 5 , ( " %s is a %s, expected a group \n " ,
name , sid_type_lookup ( type ) ) ) ;
return False ;
}
if ( nt_token_check_sid ( & sid , token ) ) {
return True ;
}
continue ;
}
if ( * prefix = = ' & ' ) {
2022-06-03 15:07:18 +02:00
if ( username ) {
if ( user_in_netgroup ( mem_ctx , username , name ) ) {
return True ;
}
}
2006-02-03 22:19:41 +00:00
continue ;
}
2007-06-15 21:58:49 +00:00
smb_panic ( " got invalid prefix from do_groups_check " ) ;
2006-02-03 22:19:41 +00:00
}
return False ;
}
/*
* Check whether a user is contained in the list provided .
*
* Please note that the user name and share names passed in here mainly for
* the substitution routines that expand the parameter values , the decision
* whether a user is in the list is done after a lookup_name on the expanded
* parameter value , solely based on comparing the SIDs in token .
*
* The other use is the netgroup check when using @ group or & group .
*/
2007-10-18 17:40:25 -07:00
bool token_contains_name_in_list ( const char * username ,
2008-05-11 01:03:45 +02:00
const char * domain ,
2006-02-03 22:19:41 +00:00
const char * sharename ,
2010-08-26 20:04:11 +10:00
const struct security_token * token ,
2006-02-03 22:19:41 +00:00
const char * * list )
{
if ( list = = NULL ) {
return False ;
}
while ( * list ! = NULL ) {
2012-10-20 07:20:39 +02:00
TALLOC_CTX * frame = talloc_stackframe ( ) ;
bool ret ;
ret = token_contains_name ( frame , username , domain , sharename ,
token , * list ) ;
TALLOC_FREE ( frame ) ;
if ( ret ) {
return true ;
2006-02-03 22:19:41 +00:00
}
list + = 1 ;
}
return False ;
}
/*
* Check whether the user described by " token " has access to share snum .
*
2016-04-06 08:50:27 +03:00
* This looks at " invalid users " and " valid users " .
2006-02-03 22:19:41 +00:00
*
* Please note that the user name and share names passed in here mainly for
* the substitution routines that expand the parameter values , the decision
* whether a user is in the list is done after a lookup_name on the expanded
* parameter value , solely based on comparing the SIDs in token .
*
* The other use is the netgroup check when using @ group or & group .
*/
2008-05-11 01:03:45 +02:00
bool user_ok_token ( const char * username , const char * domain ,
2010-08-26 20:04:11 +10:00
const struct security_token * token , int snum )
2006-02-03 22:19:41 +00:00
{
2019-11-07 11:01:05 +01:00
const struct loadparm_substitution * lp_sub =
loadparm_s3_global_substitution ( ) ;
2006-02-03 22:19:41 +00:00
if ( lp_invalid_users ( snum ) ! = NULL ) {
2008-05-11 01:03:45 +02:00
if ( token_contains_name_in_list ( username , domain ,
2019-11-07 11:01:05 +01:00
lp_servicename ( talloc_tos ( ) , lp_sub , snum ) ,
2006-02-03 22:19:41 +00:00
token ,
lp_invalid_users ( snum ) ) ) {
DEBUG ( 10 , ( " User %s in 'invalid users' \n " , username ) ) ;
return False ;
}
}
if ( lp_valid_users ( snum ) ! = NULL ) {
2008-05-11 01:03:45 +02:00
if ( ! token_contains_name_in_list ( username , domain ,
2019-11-07 11:01:05 +01:00
lp_servicename ( talloc_tos ( ) , lp_sub , snum ) ,
2012-07-18 15:07:23 +09:30
token ,
2006-02-03 22:19:41 +00:00
lp_valid_users ( snum ) ) ) {
2006-04-30 14:14:46 +00:00
DEBUG ( 10 , ( " User %s not in 'valid users' \n " ,
username ) ) ;
2006-02-03 22:19:41 +00:00
return False ;
}
}
DEBUG ( 10 , ( " user_ok_token: share %s is ok for unix user %s \n " ,
2019-11-07 11:01:05 +01:00
lp_servicename ( talloc_tos ( ) , lp_sub , snum ) , username ) ) ;
2006-02-03 22:19:41 +00:00
return True ;
}
/*
* Check whether the user described by " token " is restricted to read - only
* access on share snum .
*
2016-04-06 08:50:27 +03:00
* This looks at " read list " , " write list " and " read only " .
2006-02-03 22:19:41 +00:00
*
* Please note that the user name and share names passed in here mainly for
* the substitution routines that expand the parameter values , the decision
* whether a user is in the list is done after a lookup_name on the expanded
* parameter value , solely based on comparing the SIDs in token .
*
* The other use is the netgroup check when using @ group or & group .
*/
2007-10-18 17:40:25 -07:00
bool is_share_read_only_for_token ( const char * username ,
2008-05-11 01:03:45 +02:00
const char * domain ,
2010-08-26 20:04:11 +10:00
const struct security_token * token ,
2008-11-17 14:13:20 -08:00
connection_struct * conn )
2006-02-03 22:19:41 +00:00
{
2019-11-07 11:01:05 +01:00
const struct loadparm_substitution * lp_sub =
loadparm_s3_global_substitution ( ) ;
2008-11-17 14:13:20 -08:00
int snum = SNUM ( conn ) ;
bool result = conn - > read_only ;
2006-02-03 22:19:41 +00:00
2014-02-04 15:09:10 +13:00
if ( lp_read_list ( snum ) ! = NULL ) {
2008-05-11 01:03:45 +02:00
if ( token_contains_name_in_list ( username , domain ,
2019-11-07 11:01:05 +01:00
lp_servicename ( talloc_tos ( ) , lp_sub , snum ) ,
2012-07-18 15:07:23 +09:30
token ,
2014-02-04 15:09:10 +13:00
lp_read_list ( snum ) ) ) {
2006-02-03 22:19:41 +00:00
result = True ;
}
}
2014-02-04 15:09:11 +13:00
if ( lp_write_list ( snum ) ! = NULL ) {
2008-05-11 01:03:45 +02:00
if ( token_contains_name_in_list ( username , domain ,
2019-11-07 11:01:05 +01:00
lp_servicename ( talloc_tos ( ) , lp_sub , snum ) ,
2012-07-18 15:07:23 +09:30
token ,
2014-02-04 15:09:11 +13:00
lp_write_list ( snum ) ) ) {
2006-02-03 22:19:41 +00:00
result = False ;
}
}
DEBUG ( 10 , ( " is_share_read_only_for_user: share %s is %s for unix user "
2019-11-07 11:01:05 +01:00
" %s \n " , lp_servicename ( talloc_tos ( ) , lp_sub , snum ) ,
2006-02-03 22:19:41 +00:00
result ? " read-only " : " read-write " , username ) ) ;
return result ;
}