1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00

s3-auth Remove seperate guest boolean

Instead, we base our guest calculations on the presence or absense of the
authenticated users group in the token, ensuring that we have only
one canonical source of this important piece of authorization data

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
This commit is contained in:
Andrew Bartlett 2011-07-19 11:57:05 +10:00
parent 9d09b66f41
commit 6622821063
11 changed files with 31 additions and 22 deletions

View File

@ -65,7 +65,6 @@ interface auth
/* These match exactly the values from the /* These match exactly the values from the
* auth_serversupplied_info, but should be changed to * auth_serversupplied_info, but should be changed to
* checks involving just the SIDs */ * checks involving just the SIDs */
boolean8 guest;
boolean8 system; boolean8 system;
[unique,charset(UTF8),string] char *unix_name; [unique,charset(UTF8),string] char *unix_name;

View File

@ -466,7 +466,7 @@ LIB_OBJ = $(LIBSAMBAUTIL_OBJ) $(UTIL_OBJ) $(CRYPTO_OBJ) $(LIBTSOCKET_OBJ) \
lib/ldap_escape.o @CHARSET_STATIC@ \ lib/ldap_escape.o @CHARSET_STATIC@ \
../libcli/security/secdesc.o ../libcli/security/access_check.o \ ../libcli/security/secdesc.o ../libcli/security/access_check.o \
../libcli/security/secace.o ../libcli/security/object_tree.o \ ../libcli/security/secace.o ../libcli/security/object_tree.o \
../libcli/security/sddl.o \ ../libcli/security/sddl.o ../libcli/security/session.o \
../libcli/security/secacl.o @PTHREADPOOL_OBJ@ \ ../libcli/security/secacl.o @PTHREADPOOL_OBJ@ \
lib/fncall.o \ lib/fncall.o \
libads/krb5_errs.o lib/system_smbd.o lib/audit.o $(LIBNDR_OBJ) \ libads/krb5_errs.o lib/system_smbd.o lib/audit.o $(LIBNDR_OBJ) \

View File

@ -504,7 +504,6 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
return NT_STATUS_NO_MEMORY; return NT_STATUS_NO_MEMORY;
} }
session_info->unix_info->guest = server_info->guest;
session_info->unix_info->system = server_info->system; session_info->unix_info->system = server_info->system;
if (session_key) { if (session_key) {
@ -993,8 +992,8 @@ static struct auth_serversupplied_info *copy_session_info_serverinfo_guest(TALLO
/* This element must be provided to convert back to an auth_serversupplied_info */ /* This element must be provided to convert back to an auth_serversupplied_info */
SMB_ASSERT(src->unix_info); SMB_ASSERT(src->unix_info);
dst->guest = src->unix_info->guest; dst->guest = true;
dst->system = src->unix_info->system; dst->system = false;
/* This element must be provided to convert back to an /* This element must be provided to convert back to an
* auth_serversupplied_info. This needs to be from hte * auth_serversupplied_info. This needs to be from hte

View File

@ -2400,7 +2400,7 @@ NTSTATUS _lsa_GetUserName(struct pipes_struct *p,
return NT_STATUS_INVALID_PARAMETER; return NT_STATUS_INVALID_PARAMETER;
} }
if (p->session_info->unix_info->guest) { if (security_session_user_level(p->session_info, NULL) < SECURITY_USER) {
/* /*
* I'm 99% sure this is not the right place to do this, * I'm 99% sure this is not the right place to do this,
* global_sid_Anonymous should probably be put into the token * global_sid_Anonymous should probably be put into the token

View File

@ -25,6 +25,7 @@
#include "auth.h" #include "auth.h"
#include "ntdomain.h" #include "ntdomain.h"
#include "rpc_server/rpc_ncacn_np.h" #include "rpc_server/rpc_ncacn_np.h"
#include "../libcli/security/security.h"
#undef DBGC_CLASS #undef DBGC_CLASS
#define DBGC_CLASS DBGC_RPC_SRV #define DBGC_CLASS DBGC_RPC_SRV
@ -346,7 +347,7 @@ bool pipe_access_check(struct pipes_struct *p)
return True; return True;
} }
if (p->session_info->unix_info->guest) { if (security_session_user_level(p->session_info, NULL) < SECURITY_USER) {
return False; return False;
} }
} }

View File

@ -5857,7 +5857,7 @@ void api_reply(connection_struct *conn, uint16 vuid,
if (api_commands[i].auth_user && lp_restrict_anonymous()) { if (api_commands[i].auth_user && lp_restrict_anonymous()) {
user_struct *user = get_valid_user_struct(req->sconn, vuid); user_struct *user = get_valid_user_struct(req->sconn, vuid);
if (!user || user->session_info->unix_info->guest) { if (!user || security_session_user_level(user->session_info, NULL) < SECURITY_USER) {
reply_nterror(req, NT_STATUS_ACCESS_DENIED); reply_nterror(req, NT_STATUS_ACCESS_DENIED);
return; return;
} }

View File

@ -24,6 +24,7 @@
#include "smbd/globals.h" #include "smbd/globals.h"
#include "../librpc/gen_ndr/netlogon.h" #include "../librpc/gen_ndr/netlogon.h"
#include "auth.h" #include "auth.h"
#include "../libcli/security/security.h"
/* Fix up prototypes for OSX 10.4, where they're missing */ /* Fix up prototypes for OSX 10.4, where they're missing */
#ifndef HAVE_SETNETGRENT_PROTOTYPE #ifndef HAVE_SETNETGRENT_PROTOTYPE
@ -269,6 +270,7 @@ int register_existing_vuid(struct smbd_server_connection *sconn,
{ {
fstring tmp; fstring tmp;
user_struct *vuser; user_struct *vuser;
bool guest = security_session_user_level(session_info, NULL) < SECURITY_USER;
vuser = get_partial_auth_user_struct(sconn, vuid); vuser = get_partial_auth_user_struct(sconn, vuid);
if (!vuser) { if (!vuser) {
@ -294,7 +296,7 @@ int register_existing_vuid(struct smbd_server_connection *sconn,
vuser->session_info->unix_info->unix_name, vuser->session_info->unix_info->unix_name,
vuser->session_info->unix_info->sanitized_username, vuser->session_info->unix_info->sanitized_username,
vuser->session_info->info->domain_name, vuser->session_info->info->domain_name,
vuser->session_info->unix_info->guest )); guest));
DEBUG(3, ("register_existing_vuid: User name: %s\t" DEBUG(3, ("register_existing_vuid: User name: %s\t"
"Real name: %s\n", vuser->session_info->unix_info->unix_name, "Real name: %s\n", vuser->session_info->unix_info->unix_name,
@ -328,13 +330,14 @@ int register_existing_vuid(struct smbd_server_connection *sconn,
vuser->homes_snum = -1; vuser->homes_snum = -1;
if (!vuser->session_info->unix_info->guest) {
if (!guest) {
vuser->homes_snum = register_homes_share( vuser->homes_snum = register_homes_share(
vuser->session_info->unix_info->unix_name); vuser->session_info->unix_info->unix_name);
} }
if (srv_is_signing_negotiated(sconn) && if (srv_is_signing_negotiated(sconn) &&
!vuser->session_info->unix_info->guest) { !guest) {
/* Try and turn on server signing on the first non-guest /* Try and turn on server signing on the first non-guest
* sessionsetup. */ * sessionsetup. */
srv_set_signing(sconn, srv_set_signing(sconn,

View File

@ -394,8 +394,8 @@ static NTSTATUS create_connection_session_info(struct smbd_server_connection *sc
* This is the normal security != share case where we have a * This is the normal security != share case where we have a
* valid vuid from the session setup. */ * valid vuid from the session setup. */
if (vuid_serverinfo->unix_info->guest) { if (security_session_user_level(vuid_serverinfo, NULL) < SECURITY_USER) {
if (!lp_guest_ok(snum)) { if (!lp_guest_ok(snum)) {
DEBUG(2, ("guest user (from session setup) " DEBUG(2, ("guest user (from session setup) "
"not permitted to access this share " "not permitted to access this share "
"(%s)\n", lp_servicename(snum))); "(%s)\n", lp_servicename(snum)));
@ -467,6 +467,7 @@ NTSTATUS set_conn_force_user_group(connection_struct *conn, int snum)
char *fuser; char *fuser;
struct auth_session_info *forced_serverinfo; struct auth_session_info *forced_serverinfo;
bool guest;
fuser = talloc_string_sub(conn, lp_force_user(snum), "%S", fuser = talloc_string_sub(conn, lp_force_user(snum), "%S",
lp_const_servicename(snum)); lp_const_servicename(snum));
@ -474,8 +475,11 @@ NTSTATUS set_conn_force_user_group(connection_struct *conn, int snum)
return NT_STATUS_NO_MEMORY; return NT_STATUS_NO_MEMORY;
} }
guest = security_session_user_level(conn->session_info, NULL) < SECURITY_USER;
status = make_session_info_from_username( status = make_session_info_from_username(
conn, fuser, conn->session_info->unix_info->guest, conn, fuser,
guest,
&forced_serverinfo); &forced_serverinfo);
if (!NT_STATUS_IS_OK(status)) { if (!NT_STATUS_IS_OK(status)) {
return status; return status;

View File

@ -33,6 +33,7 @@
#include "session.h" #include "session.h"
#include "auth.h" #include "auth.h"
#include "../lib/tsocket/tsocket.h" #include "../lib/tsocket/tsocket.h"
#include "../libcli/security/security.h"
/******************************************************************** /********************************************************************
called when a session is created called when a session is created
@ -53,7 +54,7 @@ bool session_claim(struct smbd_server_connection *sconn, user_struct *vuser)
/* don't register sessions for the guest user - its just too /* don't register sessions for the guest user - its just too
expensive to go through pam session code for browsing etc */ expensive to go through pam session code for browsing etc */
if (vuser->session_info->unix_info->guest) { if (security_session_user_level(vuser->session_info, NULL) < SECURITY_USER) {
return True; return True;
} }

View File

@ -35,6 +35,7 @@
#include "auth.h" #include "auth.h"
#include "messages.h" #include "messages.h"
#include "smbprofile.h" #include "smbprofile.h"
#include "../libcli/security/security.h"
/* For split krb5 SPNEGO blobs. */ /* For split krb5 SPNEGO blobs. */
struct pending_auth_data { struct pending_auth_data {
@ -441,7 +442,7 @@ static void reply_spnego_kerberos(struct smb_request *req,
SSVAL(req->outbuf, smb_vwv3, 0); SSVAL(req->outbuf, smb_vwv3, 0);
if (session_info->unix_info->guest) { if (security_session_user_level(session_info, NULL) < SECURITY_USER) {
SSVAL(req->outbuf,smb_vwv2,1); SSVAL(req->outbuf,smb_vwv2,1);
} }
@ -535,7 +536,7 @@ static void reply_spnego_ntlmssp(struct smb_request *req,
SSVAL(req->outbuf, smb_vwv3, 0); SSVAL(req->outbuf, smb_vwv3, 0);
if (session_info->unix_info->guest) { if (security_session_user_level(session_info, NULL) < SECURITY_USER) {
SSVAL(req->outbuf,smb_vwv2,1); SSVAL(req->outbuf,smb_vwv2,1);
} }
} }
@ -1702,7 +1703,7 @@ void reply_sesssetup_and_X(struct smb_request *req)
/* perhaps grab OS version here?? */ /* perhaps grab OS version here?? */
} }
if (session_info->unix_info->guest) { if (security_session_user_level(session_info, NULL) < SECURITY_USER) {
SSVAL(req->outbuf,smb_vwv2,1); SSVAL(req->outbuf,smb_vwv2,1);
} }

View File

@ -31,6 +31,7 @@
#include "../lib/util/asn1.h" #include "../lib/util/asn1.h"
#include "auth.h" #include "auth.h"
#include "../lib/tsocket/tsocket.h" #include "../lib/tsocket/tsocket.h"
#include "../libcli/security/security.h"
static NTSTATUS smbd_smb2_session_setup(struct smbd_smb2_request *smb2req, static NTSTATUS smbd_smb2_session_setup(struct smbd_smb2_request *smb2req,
uint64_t in_session_id, uint64_t in_session_id,
@ -253,7 +254,7 @@ static NTSTATUS smbd_smb2_session_setup_krb5(struct smbd_smb2_session *session,
session->do_signing = true; session->do_signing = true;
} }
if (session->session_info->unix_info->guest) { if (security_session_user_level(session->session_info, NULL) < SECURITY_USER) {
/* we map anonymous to guest internally */ /* we map anonymous to guest internally */
*out_session_flags |= SMB2_SESSION_FLAG_IS_GUEST; *out_session_flags |= SMB2_SESSION_FLAG_IS_GUEST;
*out_session_flags |= SMB2_SESSION_FLAG_IS_NULL; *out_session_flags |= SMB2_SESSION_FLAG_IS_NULL;
@ -280,7 +281,7 @@ static NTSTATUS smbd_smb2_session_setup_krb5(struct smbd_smb2_session *session,
session->session_info->unix_info->sanitized_username = session->session_info->unix_info->sanitized_username =
talloc_strdup(session->session_info, tmp); talloc_strdup(session->session_info, tmp);
if (!session->session_info->unix_info->guest) { if (security_session_user_level(session->session_info, NULL) >= SECURITY_USER) {
session->compat_vuser->homes_snum = session->compat_vuser->homes_snum =
register_homes_share(session->session_info->unix_info->unix_name); register_homes_share(session->session_info->unix_info->unix_name);
} }
@ -460,7 +461,7 @@ static NTSTATUS smbd_smb2_common_ntlmssp_auth_return(struct smbd_smb2_session *s
session->do_signing = true; session->do_signing = true;
} }
if (session->session_info->unix_info->guest) { if (security_session_user_level(session->session_info, NULL) < SECURITY_USER) {
/* we map anonymous to guest internally */ /* we map anonymous to guest internally */
*out_session_flags |= SMB2_SESSION_FLAG_IS_GUEST; *out_session_flags |= SMB2_SESSION_FLAG_IS_GUEST;
*out_session_flags |= SMB2_SESSION_FLAG_IS_NULL; *out_session_flags |= SMB2_SESSION_FLAG_IS_NULL;
@ -491,7 +492,7 @@ static NTSTATUS smbd_smb2_common_ntlmssp_auth_return(struct smbd_smb2_session *s
session->session_info->unix_info->sanitized_username = talloc_strdup( session->session_info->unix_info->sanitized_username = talloc_strdup(
session->session_info, tmp); session->session_info, tmp);
if (!session->compat_vuser->session_info->unix_info->guest) { if (security_session_user_level(session->session_info, NULL) >= SECURITY_USER) {
session->compat_vuser->homes_snum = session->compat_vuser->homes_snum =
register_homes_share(session->session_info->unix_info->unix_name); register_homes_share(session->session_info->unix_info->unix_name);
} }