mirror of
https://github.com/samba-team/samba.git
synced 2024-12-23 17:34:34 +03:00
Replace nt_user_token with server_info in connection_struct
(This used to be commit a3738aef59
)
This commit is contained in:
parent
0c2bf9521e
commit
776caa081b
@ -527,6 +527,7 @@ typedef struct files_struct {
|
||||
|
||||
struct vuid_cache_entry {
|
||||
uint16 vuid;
|
||||
struct auth_serversupplied_info *server_info;
|
||||
bool read_only;
|
||||
bool admin_user;
|
||||
};
|
||||
@ -637,7 +638,6 @@ typedef struct connection_struct {
|
||||
/* This groups info is valid for the user that *opened* the connection */
|
||||
size_t ngroups;
|
||||
gid_t *groups;
|
||||
NT_USER_TOKEN *nt_user_token;
|
||||
|
||||
time_t lastused;
|
||||
time_t lastused_count;
|
||||
|
@ -244,6 +244,7 @@ void conn_clear_vuid_cache(uint16 vuid)
|
||||
|
||||
if (ent->vuid == vuid) {
|
||||
ent->vuid = UID_FIELD_INVALID;
|
||||
TALLOC_FREE(ent->server_info);
|
||||
ent->read_only = False;
|
||||
ent->admin_user = False;
|
||||
}
|
||||
|
@ -725,7 +725,6 @@ static connection_struct *make_connection_snum(int snum, user_struct *vuser,
|
||||
}
|
||||
|
||||
conn->params->service = snum;
|
||||
conn->nt_user_token = NULL;
|
||||
|
||||
status = create_connection_server_info(
|
||||
conn, snum, vuser ? vuser->server_info : NULL, password,
|
||||
@ -871,32 +870,13 @@ static connection_struct *make_connection_snum(int snum, user_struct *vuser,
|
||||
|
||||
{
|
||||
bool can_write = False;
|
||||
NT_USER_TOKEN *token = conn->nt_user_token ?
|
||||
conn->nt_user_token :
|
||||
(vuser ? vuser->server_info->ptok : NULL);
|
||||
|
||||
/*
|
||||
* I don't believe this can happen. But the
|
||||
* logic above is convoluted enough to confuse
|
||||
* automated checkers, so be sure. JRA.
|
||||
*/
|
||||
|
||||
if (token == NULL) {
|
||||
DEBUG(0,("make_connection: connection to %s "
|
||||
"denied due to missing "
|
||||
"NT token.\n",
|
||||
lp_servicename(snum)));
|
||||
conn_free(conn);
|
||||
*pstatus = NT_STATUS_ACCESS_DENIED;
|
||||
return NULL;
|
||||
}
|
||||
|
||||
can_write = share_access_check(token,
|
||||
lp_servicename(snum),
|
||||
FILE_WRITE_DATA);
|
||||
can_write = share_access_check(conn->server_info->ptok,
|
||||
lp_servicename(snum),
|
||||
FILE_WRITE_DATA);
|
||||
|
||||
if (!can_write) {
|
||||
if (!share_access_check(token,
|
||||
if (!share_access_check(conn->server_info->ptok,
|
||||
lp_servicename(snum),
|
||||
FILE_READ_DATA)) {
|
||||
/* No access, read or write. */
|
||||
|
@ -56,6 +56,9 @@ bool change_to_guest(void)
|
||||
|
||||
/*******************************************************************
|
||||
Check if a username is OK.
|
||||
|
||||
This sets up conn->server_info with a copy related to this vuser that
|
||||
later code can then mess with.
|
||||
********************************************************************/
|
||||
|
||||
static bool check_user_ok(connection_struct *conn, user_struct *vuser,int snum)
|
||||
@ -63,11 +66,11 @@ static bool check_user_ok(connection_struct *conn, user_struct *vuser,int snum)
|
||||
unsigned int i;
|
||||
struct vuid_cache_entry *ent = NULL;
|
||||
bool readonly_share;
|
||||
NT_USER_TOKEN *token;
|
||||
|
||||
for (i=0; i<VUID_CACHE_SIZE; i++) {
|
||||
ent = &conn->vuid_cache.array[i];
|
||||
if (ent->vuid == vuser->vuid) {
|
||||
conn->server_info = ent->server_info;
|
||||
conn->read_only = ent->read_only;
|
||||
conn->admin_user = ent->admin_user;
|
||||
return(True);
|
||||
@ -83,11 +86,8 @@ static bool check_user_ok(connection_struct *conn, user_struct *vuser,int snum)
|
||||
vuser->server_info->unix_name, vuser->server_info->ptok,
|
||||
SNUM(conn));
|
||||
|
||||
token = conn->nt_user_token ?
|
||||
conn->nt_user_token : vuser->server_info->ptok;
|
||||
|
||||
if (!readonly_share &&
|
||||
!share_access_check(token, lp_servicename(snum),
|
||||
!share_access_check(vuser->server_info->ptok, lp_servicename(snum),
|
||||
FILE_WRITE_DATA)) {
|
||||
/* smb.conf allows r/w, but the security descriptor denies
|
||||
* write. Fall back to looking at readonly. */
|
||||
@ -96,7 +96,7 @@ static bool check_user_ok(connection_struct *conn, user_struct *vuser,int snum)
|
||||
"security descriptor\n"));
|
||||
}
|
||||
|
||||
if (!share_access_check(token, lp_servicename(snum),
|
||||
if (!share_access_check(vuser->server_info->ptok, lp_servicename(snum),
|
||||
readonly_share ?
|
||||
FILE_READ_DATA : FILE_WRITE_DATA)) {
|
||||
return False;
|
||||
@ -107,6 +107,14 @@ static bool check_user_ok(connection_struct *conn, user_struct *vuser,int snum)
|
||||
conn->vuid_cache.next_entry =
|
||||
(conn->vuid_cache.next_entry + 1) % VUID_CACHE_SIZE;
|
||||
|
||||
TALLOC_FREE(ent->server_info);
|
||||
|
||||
ent->server_info = copy_serverinfo(conn, vuser->server_info);
|
||||
if (ent->server_info == NULL) {
|
||||
ent->vuid = UID_FIELD_INVALID;
|
||||
return false;
|
||||
}
|
||||
|
||||
ent->vuid = vuser->vuid;
|
||||
ent->read_only = readonly_share;
|
||||
|
||||
@ -116,6 +124,7 @@ static bool check_user_ok(connection_struct *conn, user_struct *vuser,int snum)
|
||||
|
||||
conn->read_only = ent->read_only;
|
||||
conn->admin_user = ent->admin_user;
|
||||
conn->server_info = ent->server_info;
|
||||
|
||||
return(True);
|
||||
}
|
||||
@ -132,8 +141,6 @@ bool change_to_user(connection_struct *conn, uint16 vuid)
|
||||
gid_t gid;
|
||||
uid_t uid;
|
||||
char group_c;
|
||||
bool must_free_token = False;
|
||||
NT_USER_TOKEN *token = NULL;
|
||||
int num_groups = 0;
|
||||
gid_t *group_list = NULL;
|
||||
|
||||
@ -173,18 +180,21 @@ bool change_to_user(connection_struct *conn, uint16 vuid)
|
||||
return False;
|
||||
}
|
||||
|
||||
/*
|
||||
* conn->server_info is now correctly set up with a copy we can mess
|
||||
* with for force_group etc.
|
||||
*/
|
||||
|
||||
if (conn->force_user) /* security = share sets this too */ {
|
||||
uid = conn->uid;
|
||||
gid = conn->gid;
|
||||
group_list = conn->groups;
|
||||
num_groups = conn->ngroups;
|
||||
token = conn->nt_user_token;
|
||||
} else if (vuser) {
|
||||
uid = conn->admin_user ? 0 : vuser->server_info->uid;
|
||||
gid = vuser->server_info->gid;
|
||||
num_groups = vuser->server_info->n_groups;
|
||||
group_list = vuser->server_info->groups;
|
||||
token = vuser->server_info->ptok;
|
||||
gid = conn->server_info->gid;
|
||||
num_groups = conn->server_info->n_groups;
|
||||
group_list = conn->server_info->groups;
|
||||
} else {
|
||||
DEBUG(2,("change_to_user: Invalid vuid used %d in accessing "
|
||||
"share %s.\n",vuid, lp_servicename(snum) ));
|
||||
@ -199,13 +209,6 @@ bool change_to_user(connection_struct *conn, uint16 vuid)
|
||||
|
||||
if((group_c = *lp_force_group(snum))) {
|
||||
|
||||
token = dup_nt_token(talloc_tos(), token);
|
||||
if (token == NULL) {
|
||||
DEBUG(0, ("dup_nt_token failed\n"));
|
||||
return False;
|
||||
}
|
||||
must_free_token = True;
|
||||
|
||||
if(group_c == '+') {
|
||||
|
||||
/*
|
||||
@ -219,13 +222,15 @@ bool change_to_user(connection_struct *conn, uint16 vuid)
|
||||
for (i = 0; i < num_groups; i++) {
|
||||
if (group_list[i] == conn->gid) {
|
||||
gid = conn->gid;
|
||||
gid_to_sid(&token->user_sids[1], gid);
|
||||
gid_to_sid(&conn->server_info->ptok
|
||||
->user_sids[1], gid);
|
||||
break;
|
||||
}
|
||||
}
|
||||
} else {
|
||||
gid = conn->gid;
|
||||
gid_to_sid(&token->user_sids[1], gid);
|
||||
gid_to_sid(&conn->server_info->ptok->user_sids[1],
|
||||
gid);
|
||||
}
|
||||
}
|
||||
|
||||
@ -236,14 +241,7 @@ bool change_to_user(connection_struct *conn, uint16 vuid)
|
||||
current_user.ut.groups = group_list;
|
||||
|
||||
set_sec_ctx(uid, gid, current_user.ut.ngroups, current_user.ut.groups,
|
||||
token);
|
||||
|
||||
/*
|
||||
* Free the new token (as set_sec_ctx copies it).
|
||||
*/
|
||||
|
||||
if (must_free_token)
|
||||
TALLOC_FREE(token);
|
||||
conn->server_info->ptok);
|
||||
|
||||
current_user.conn = conn;
|
||||
current_user.vuid = vuid;
|
||||
|
Loading…
Reference in New Issue
Block a user