mirror of
https://github.com/samba-team/samba.git
synced 2024-12-23 17:34:34 +03:00
s3-auth Remove seperate guest boolean
Instead, we base our guest calculations on the presence or absense of the authenticated users group in the token, ensuring that we have only one canonical source of this important piece of authorization data Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
This commit is contained in:
parent
9d09b66f41
commit
6622821063
@ -65,7 +65,6 @@ interface auth
|
|||||||
/* These match exactly the values from the
|
/* These match exactly the values from the
|
||||||
* auth_serversupplied_info, but should be changed to
|
* auth_serversupplied_info, but should be changed to
|
||||||
* checks involving just the SIDs */
|
* checks involving just the SIDs */
|
||||||
boolean8 guest;
|
|
||||||
boolean8 system;
|
boolean8 system;
|
||||||
|
|
||||||
[unique,charset(UTF8),string] char *unix_name;
|
[unique,charset(UTF8),string] char *unix_name;
|
||||||
|
@ -466,7 +466,7 @@ LIB_OBJ = $(LIBSAMBAUTIL_OBJ) $(UTIL_OBJ) $(CRYPTO_OBJ) $(LIBTSOCKET_OBJ) \
|
|||||||
lib/ldap_escape.o @CHARSET_STATIC@ \
|
lib/ldap_escape.o @CHARSET_STATIC@ \
|
||||||
../libcli/security/secdesc.o ../libcli/security/access_check.o \
|
../libcli/security/secdesc.o ../libcli/security/access_check.o \
|
||||||
../libcli/security/secace.o ../libcli/security/object_tree.o \
|
../libcli/security/secace.o ../libcli/security/object_tree.o \
|
||||||
../libcli/security/sddl.o \
|
../libcli/security/sddl.o ../libcli/security/session.o \
|
||||||
../libcli/security/secacl.o @PTHREADPOOL_OBJ@ \
|
../libcli/security/secacl.o @PTHREADPOOL_OBJ@ \
|
||||||
lib/fncall.o \
|
lib/fncall.o \
|
||||||
libads/krb5_errs.o lib/system_smbd.o lib/audit.o $(LIBNDR_OBJ) \
|
libads/krb5_errs.o lib/system_smbd.o lib/audit.o $(LIBNDR_OBJ) \
|
||||||
|
@ -504,7 +504,6 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
|
|||||||
return NT_STATUS_NO_MEMORY;
|
return NT_STATUS_NO_MEMORY;
|
||||||
}
|
}
|
||||||
|
|
||||||
session_info->unix_info->guest = server_info->guest;
|
|
||||||
session_info->unix_info->system = server_info->system;
|
session_info->unix_info->system = server_info->system;
|
||||||
|
|
||||||
if (session_key) {
|
if (session_key) {
|
||||||
@ -993,8 +992,8 @@ static struct auth_serversupplied_info *copy_session_info_serverinfo_guest(TALLO
|
|||||||
/* This element must be provided to convert back to an auth_serversupplied_info */
|
/* This element must be provided to convert back to an auth_serversupplied_info */
|
||||||
SMB_ASSERT(src->unix_info);
|
SMB_ASSERT(src->unix_info);
|
||||||
|
|
||||||
dst->guest = src->unix_info->guest;
|
dst->guest = true;
|
||||||
dst->system = src->unix_info->system;
|
dst->system = false;
|
||||||
|
|
||||||
/* This element must be provided to convert back to an
|
/* This element must be provided to convert back to an
|
||||||
* auth_serversupplied_info. This needs to be from hte
|
* auth_serversupplied_info. This needs to be from hte
|
||||||
|
@ -2400,7 +2400,7 @@ NTSTATUS _lsa_GetUserName(struct pipes_struct *p,
|
|||||||
return NT_STATUS_INVALID_PARAMETER;
|
return NT_STATUS_INVALID_PARAMETER;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (p->session_info->unix_info->guest) {
|
if (security_session_user_level(p->session_info, NULL) < SECURITY_USER) {
|
||||||
/*
|
/*
|
||||||
* I'm 99% sure this is not the right place to do this,
|
* I'm 99% sure this is not the right place to do this,
|
||||||
* global_sid_Anonymous should probably be put into the token
|
* global_sid_Anonymous should probably be put into the token
|
||||||
|
@ -25,6 +25,7 @@
|
|||||||
#include "auth.h"
|
#include "auth.h"
|
||||||
#include "ntdomain.h"
|
#include "ntdomain.h"
|
||||||
#include "rpc_server/rpc_ncacn_np.h"
|
#include "rpc_server/rpc_ncacn_np.h"
|
||||||
|
#include "../libcli/security/security.h"
|
||||||
|
|
||||||
#undef DBGC_CLASS
|
#undef DBGC_CLASS
|
||||||
#define DBGC_CLASS DBGC_RPC_SRV
|
#define DBGC_CLASS DBGC_RPC_SRV
|
||||||
@ -346,7 +347,7 @@ bool pipe_access_check(struct pipes_struct *p)
|
|||||||
return True;
|
return True;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (p->session_info->unix_info->guest) {
|
if (security_session_user_level(p->session_info, NULL) < SECURITY_USER) {
|
||||||
return False;
|
return False;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -5857,7 +5857,7 @@ void api_reply(connection_struct *conn, uint16 vuid,
|
|||||||
if (api_commands[i].auth_user && lp_restrict_anonymous()) {
|
if (api_commands[i].auth_user && lp_restrict_anonymous()) {
|
||||||
user_struct *user = get_valid_user_struct(req->sconn, vuid);
|
user_struct *user = get_valid_user_struct(req->sconn, vuid);
|
||||||
|
|
||||||
if (!user || user->session_info->unix_info->guest) {
|
if (!user || security_session_user_level(user->session_info, NULL) < SECURITY_USER) {
|
||||||
reply_nterror(req, NT_STATUS_ACCESS_DENIED);
|
reply_nterror(req, NT_STATUS_ACCESS_DENIED);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
@ -24,6 +24,7 @@
|
|||||||
#include "smbd/globals.h"
|
#include "smbd/globals.h"
|
||||||
#include "../librpc/gen_ndr/netlogon.h"
|
#include "../librpc/gen_ndr/netlogon.h"
|
||||||
#include "auth.h"
|
#include "auth.h"
|
||||||
|
#include "../libcli/security/security.h"
|
||||||
|
|
||||||
/* Fix up prototypes for OSX 10.4, where they're missing */
|
/* Fix up prototypes for OSX 10.4, where they're missing */
|
||||||
#ifndef HAVE_SETNETGRENT_PROTOTYPE
|
#ifndef HAVE_SETNETGRENT_PROTOTYPE
|
||||||
@ -269,6 +270,7 @@ int register_existing_vuid(struct smbd_server_connection *sconn,
|
|||||||
{
|
{
|
||||||
fstring tmp;
|
fstring tmp;
|
||||||
user_struct *vuser;
|
user_struct *vuser;
|
||||||
|
bool guest = security_session_user_level(session_info, NULL) < SECURITY_USER;
|
||||||
|
|
||||||
vuser = get_partial_auth_user_struct(sconn, vuid);
|
vuser = get_partial_auth_user_struct(sconn, vuid);
|
||||||
if (!vuser) {
|
if (!vuser) {
|
||||||
@ -294,7 +296,7 @@ int register_existing_vuid(struct smbd_server_connection *sconn,
|
|||||||
vuser->session_info->unix_info->unix_name,
|
vuser->session_info->unix_info->unix_name,
|
||||||
vuser->session_info->unix_info->sanitized_username,
|
vuser->session_info->unix_info->sanitized_username,
|
||||||
vuser->session_info->info->domain_name,
|
vuser->session_info->info->domain_name,
|
||||||
vuser->session_info->unix_info->guest ));
|
guest));
|
||||||
|
|
||||||
DEBUG(3, ("register_existing_vuid: User name: %s\t"
|
DEBUG(3, ("register_existing_vuid: User name: %s\t"
|
||||||
"Real name: %s\n", vuser->session_info->unix_info->unix_name,
|
"Real name: %s\n", vuser->session_info->unix_info->unix_name,
|
||||||
@ -328,13 +330,14 @@ int register_existing_vuid(struct smbd_server_connection *sconn,
|
|||||||
|
|
||||||
vuser->homes_snum = -1;
|
vuser->homes_snum = -1;
|
||||||
|
|
||||||
if (!vuser->session_info->unix_info->guest) {
|
|
||||||
|
if (!guest) {
|
||||||
vuser->homes_snum = register_homes_share(
|
vuser->homes_snum = register_homes_share(
|
||||||
vuser->session_info->unix_info->unix_name);
|
vuser->session_info->unix_info->unix_name);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (srv_is_signing_negotiated(sconn) &&
|
if (srv_is_signing_negotiated(sconn) &&
|
||||||
!vuser->session_info->unix_info->guest) {
|
!guest) {
|
||||||
/* Try and turn on server signing on the first non-guest
|
/* Try and turn on server signing on the first non-guest
|
||||||
* sessionsetup. */
|
* sessionsetup. */
|
||||||
srv_set_signing(sconn,
|
srv_set_signing(sconn,
|
||||||
|
@ -394,8 +394,8 @@ static NTSTATUS create_connection_session_info(struct smbd_server_connection *sc
|
|||||||
* This is the normal security != share case where we have a
|
* This is the normal security != share case where we have a
|
||||||
* valid vuid from the session setup. */
|
* valid vuid from the session setup. */
|
||||||
|
|
||||||
if (vuid_serverinfo->unix_info->guest) {
|
if (security_session_user_level(vuid_serverinfo, NULL) < SECURITY_USER) {
|
||||||
if (!lp_guest_ok(snum)) {
|
if (!lp_guest_ok(snum)) {
|
||||||
DEBUG(2, ("guest user (from session setup) "
|
DEBUG(2, ("guest user (from session setup) "
|
||||||
"not permitted to access this share "
|
"not permitted to access this share "
|
||||||
"(%s)\n", lp_servicename(snum)));
|
"(%s)\n", lp_servicename(snum)));
|
||||||
@ -467,6 +467,7 @@ NTSTATUS set_conn_force_user_group(connection_struct *conn, int snum)
|
|||||||
|
|
||||||
char *fuser;
|
char *fuser;
|
||||||
struct auth_session_info *forced_serverinfo;
|
struct auth_session_info *forced_serverinfo;
|
||||||
|
bool guest;
|
||||||
|
|
||||||
fuser = talloc_string_sub(conn, lp_force_user(snum), "%S",
|
fuser = talloc_string_sub(conn, lp_force_user(snum), "%S",
|
||||||
lp_const_servicename(snum));
|
lp_const_servicename(snum));
|
||||||
@ -474,8 +475,11 @@ NTSTATUS set_conn_force_user_group(connection_struct *conn, int snum)
|
|||||||
return NT_STATUS_NO_MEMORY;
|
return NT_STATUS_NO_MEMORY;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
guest = security_session_user_level(conn->session_info, NULL) < SECURITY_USER;
|
||||||
|
|
||||||
status = make_session_info_from_username(
|
status = make_session_info_from_username(
|
||||||
conn, fuser, conn->session_info->unix_info->guest,
|
conn, fuser,
|
||||||
|
guest,
|
||||||
&forced_serverinfo);
|
&forced_serverinfo);
|
||||||
if (!NT_STATUS_IS_OK(status)) {
|
if (!NT_STATUS_IS_OK(status)) {
|
||||||
return status;
|
return status;
|
||||||
|
@ -33,6 +33,7 @@
|
|||||||
#include "session.h"
|
#include "session.h"
|
||||||
#include "auth.h"
|
#include "auth.h"
|
||||||
#include "../lib/tsocket/tsocket.h"
|
#include "../lib/tsocket/tsocket.h"
|
||||||
|
#include "../libcli/security/security.h"
|
||||||
|
|
||||||
/********************************************************************
|
/********************************************************************
|
||||||
called when a session is created
|
called when a session is created
|
||||||
@ -53,7 +54,7 @@ bool session_claim(struct smbd_server_connection *sconn, user_struct *vuser)
|
|||||||
|
|
||||||
/* don't register sessions for the guest user - its just too
|
/* don't register sessions for the guest user - its just too
|
||||||
expensive to go through pam session code for browsing etc */
|
expensive to go through pam session code for browsing etc */
|
||||||
if (vuser->session_info->unix_info->guest) {
|
if (security_session_user_level(vuser->session_info, NULL) < SECURITY_USER) {
|
||||||
return True;
|
return True;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -35,6 +35,7 @@
|
|||||||
#include "auth.h"
|
#include "auth.h"
|
||||||
#include "messages.h"
|
#include "messages.h"
|
||||||
#include "smbprofile.h"
|
#include "smbprofile.h"
|
||||||
|
#include "../libcli/security/security.h"
|
||||||
|
|
||||||
/* For split krb5 SPNEGO blobs. */
|
/* For split krb5 SPNEGO blobs. */
|
||||||
struct pending_auth_data {
|
struct pending_auth_data {
|
||||||
@ -441,7 +442,7 @@ static void reply_spnego_kerberos(struct smb_request *req,
|
|||||||
|
|
||||||
SSVAL(req->outbuf, smb_vwv3, 0);
|
SSVAL(req->outbuf, smb_vwv3, 0);
|
||||||
|
|
||||||
if (session_info->unix_info->guest) {
|
if (security_session_user_level(session_info, NULL) < SECURITY_USER) {
|
||||||
SSVAL(req->outbuf,smb_vwv2,1);
|
SSVAL(req->outbuf,smb_vwv2,1);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -535,7 +536,7 @@ static void reply_spnego_ntlmssp(struct smb_request *req,
|
|||||||
|
|
||||||
SSVAL(req->outbuf, smb_vwv3, 0);
|
SSVAL(req->outbuf, smb_vwv3, 0);
|
||||||
|
|
||||||
if (session_info->unix_info->guest) {
|
if (security_session_user_level(session_info, NULL) < SECURITY_USER) {
|
||||||
SSVAL(req->outbuf,smb_vwv2,1);
|
SSVAL(req->outbuf,smb_vwv2,1);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -1702,7 +1703,7 @@ void reply_sesssetup_and_X(struct smb_request *req)
|
|||||||
/* perhaps grab OS version here?? */
|
/* perhaps grab OS version here?? */
|
||||||
}
|
}
|
||||||
|
|
||||||
if (session_info->unix_info->guest) {
|
if (security_session_user_level(session_info, NULL) < SECURITY_USER) {
|
||||||
SSVAL(req->outbuf,smb_vwv2,1);
|
SSVAL(req->outbuf,smb_vwv2,1);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -31,6 +31,7 @@
|
|||||||
#include "../lib/util/asn1.h"
|
#include "../lib/util/asn1.h"
|
||||||
#include "auth.h"
|
#include "auth.h"
|
||||||
#include "../lib/tsocket/tsocket.h"
|
#include "../lib/tsocket/tsocket.h"
|
||||||
|
#include "../libcli/security/security.h"
|
||||||
|
|
||||||
static NTSTATUS smbd_smb2_session_setup(struct smbd_smb2_request *smb2req,
|
static NTSTATUS smbd_smb2_session_setup(struct smbd_smb2_request *smb2req,
|
||||||
uint64_t in_session_id,
|
uint64_t in_session_id,
|
||||||
@ -253,7 +254,7 @@ static NTSTATUS smbd_smb2_session_setup_krb5(struct smbd_smb2_session *session,
|
|||||||
session->do_signing = true;
|
session->do_signing = true;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (session->session_info->unix_info->guest) {
|
if (security_session_user_level(session->session_info, NULL) < SECURITY_USER) {
|
||||||
/* we map anonymous to guest internally */
|
/* we map anonymous to guest internally */
|
||||||
*out_session_flags |= SMB2_SESSION_FLAG_IS_GUEST;
|
*out_session_flags |= SMB2_SESSION_FLAG_IS_GUEST;
|
||||||
*out_session_flags |= SMB2_SESSION_FLAG_IS_NULL;
|
*out_session_flags |= SMB2_SESSION_FLAG_IS_NULL;
|
||||||
@ -280,7 +281,7 @@ static NTSTATUS smbd_smb2_session_setup_krb5(struct smbd_smb2_session *session,
|
|||||||
session->session_info->unix_info->sanitized_username =
|
session->session_info->unix_info->sanitized_username =
|
||||||
talloc_strdup(session->session_info, tmp);
|
talloc_strdup(session->session_info, tmp);
|
||||||
|
|
||||||
if (!session->session_info->unix_info->guest) {
|
if (security_session_user_level(session->session_info, NULL) >= SECURITY_USER) {
|
||||||
session->compat_vuser->homes_snum =
|
session->compat_vuser->homes_snum =
|
||||||
register_homes_share(session->session_info->unix_info->unix_name);
|
register_homes_share(session->session_info->unix_info->unix_name);
|
||||||
}
|
}
|
||||||
@ -460,7 +461,7 @@ static NTSTATUS smbd_smb2_common_ntlmssp_auth_return(struct smbd_smb2_session *s
|
|||||||
session->do_signing = true;
|
session->do_signing = true;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (session->session_info->unix_info->guest) {
|
if (security_session_user_level(session->session_info, NULL) < SECURITY_USER) {
|
||||||
/* we map anonymous to guest internally */
|
/* we map anonymous to guest internally */
|
||||||
*out_session_flags |= SMB2_SESSION_FLAG_IS_GUEST;
|
*out_session_flags |= SMB2_SESSION_FLAG_IS_GUEST;
|
||||||
*out_session_flags |= SMB2_SESSION_FLAG_IS_NULL;
|
*out_session_flags |= SMB2_SESSION_FLAG_IS_NULL;
|
||||||
@ -491,7 +492,7 @@ static NTSTATUS smbd_smb2_common_ntlmssp_auth_return(struct smbd_smb2_session *s
|
|||||||
session->session_info->unix_info->sanitized_username = talloc_strdup(
|
session->session_info->unix_info->sanitized_username = talloc_strdup(
|
||||||
session->session_info, tmp);
|
session->session_info, tmp);
|
||||||
|
|
||||||
if (!session->compat_vuser->session_info->unix_info->guest) {
|
if (security_session_user_level(session->session_info, NULL) >= SECURITY_USER) {
|
||||||
session->compat_vuser->homes_snum =
|
session->compat_vuser->homes_snum =
|
||||||
register_homes_share(session->session_info->unix_info->unix_name);
|
register_homes_share(session->session_info->unix_info->unix_name);
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user