search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
ctdb-server: Remove duplicate logic
[samba4-gss.git] / source4 / ntvfs / unixuid / vfs_unixuid.c
bloba7729d2b16c3e232fd99182ce54b5cdbafd250cf
1 /*
2 Unix SMB/CIFS implementation.
3
4 A pass-through NTVFS module to setup a security context using unix
5 uid/gid
6
7 Copyright (C) Andrew Tridgell 2004
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24 #include "system/filesys.h"
25 #include "system/passwd.h"
26 #include "auth/auth.h"
27 #include "ntvfs/ntvfs.h"
28 #include "libcli/wbclient/wbclient.h"
29 #define TEVENT_DEPRECATED
30 #include <tevent.h>
31 #include "../lib/util/setid.h"
32
33 NTSTATUS ntvfs_unixuid_init(TALLOC_CTX *);
34
35 struct unixuid_private {
36 struct security_unix_token *last_sec_ctx;
37 struct security_token *last_token;
38 };
39
40
41 /*
42 pull the current security context into a security_unix_token
43 */
44 static struct security_unix_token *save_unix_security(TALLOC_CTX *mem_ctx)
45 {
46 struct security_unix_token *sec = talloc(mem_ctx, struct security_unix_token);
47 if (sec == NULL) {
48 return NULL;
49 }
50 sec->uid = geteuid();
51 sec->gid = getegid();
52 sec->ngroups = getgroups(0, NULL);
53 if (sec->ngroups == -1) {
54 talloc_free(sec);
55 return NULL;
56 }
57 sec->groups = talloc_array(sec, gid_t, sec->ngroups);
58 if (sec->groups == NULL) {
59 talloc_free(sec);
60 return NULL;
61 }
62
63 if (getgroups(sec->ngroups, sec->groups) != sec->ngroups) {
64 talloc_free(sec);
65 return NULL;
66 }
67
68 return sec;
69 }
70
71 /*
72 set the current security context from a security_unix_token
73 */
74 static NTSTATUS set_unix_security(struct security_unix_token *sec)
75 {
76 samba_seteuid(0);
77
78 if (samba_setgroups(sec->ngroups, sec->groups) != 0) {
79 DBG_ERR("*** samba_setgroups failed\n");
80 return NT_STATUS_ACCESS_DENIED;
81 }
82 if (samba_setegid(sec->gid) != 0) {
83 DBG_ERR("*** samba_setegid(%u) failed\n", sec->gid);
84 return NT_STATUS_ACCESS_DENIED;
85 }
86 if (samba_seteuid(sec->uid) != 0) {
87 DBG_ERR("*** samba_seteuid(%u) failed\n", sec->uid);
88 return NT_STATUS_ACCESS_DENIED;
89 }
90 return NT_STATUS_OK;
91 }
92
93 static int unixuid_nesting_level;
94
95 /*
96 called at the start and end of a tevent nesting loop. Needs to save/restore
97 unix security context
98 */
99 static int unixuid_event_nesting_hook(struct tevent_context *ev,
100 void *private_data,
101 uint32_t level,
102 bool begin,
103 void *stack_ptr,
104 const char *location)
105 {
106 struct security_unix_token *sec_ctx;
107
108 if (unixuid_nesting_level == 0) {
109 /* we don't need to do anything unless we are nested
110 inside of a call in this module */
111 return 0;
112 }
113
114 if (begin) {
115 sec_ctx = save_unix_security(ev);
116 if (sec_ctx == NULL) {
117 DEBUG(0,("%s: Failed to save security context\n", location));
118 return -1;
119 }
120 *(struct security_unix_token **)stack_ptr = sec_ctx;
121 if (samba_seteuid(0) != 0 || samba_setegid(0) != 0) {
122 DEBUG(0,("%s: Failed to change to root\n", location));
123 return -1;
124 }
125 } else {
126 /* called when we come out of a nesting level */
127 NTSTATUS status;
128
129 sec_ctx = *(struct security_unix_token **)stack_ptr;
130 if (sec_ctx == NULL) {
131 /* this happens the first time this function
132 is called, as we install the hook while
133 inside an event in unixuid_connect() */
134 return 0;
135 }
136
137 sec_ctx = talloc_get_type_abort(sec_ctx, struct security_unix_token);
138 status = set_unix_security(sec_ctx);
139 talloc_free(sec_ctx);
140 if (!NT_STATUS_IS_OK(status)) {
141 DEBUG(0,("%s: Failed to revert security context (%s)\n",
142 location, nt_errstr(status)));
143 return -1;
144 }
145 }
146
147 return 0;
148 }
149
150
151 /*
152 form a security_unix_token from the current security_token
153 */
154 static NTSTATUS nt_token_to_unix_security(struct ntvfs_module_context *ntvfs,
155 struct ntvfs_request *req,
156 struct security_token *token,
157 struct security_unix_token **sec)
158 {
159 return security_token_to_unix_token(req, token, sec);
160 }
161
162 /*
163 setup our unix security context according to the session authentication info
164 */
165 static NTSTATUS unixuid_setup_security(struct ntvfs_module_context *ntvfs,
166 struct ntvfs_request *req, struct security_unix_token **sec)
167 {
168 struct unixuid_private *priv = ntvfs->private_data;
169 struct security_token *token;
170 struct security_unix_token *newsec;
171 NTSTATUS status;
172
173 /* If we are asked to set up, but have not had a successful
174 * session setup or tree connect, then these may not be filled
175 * in. ACCESS_DENIED is the right error code here */
176 if (req->session_info == NULL || priv == NULL) {
177 return NT_STATUS_ACCESS_DENIED;
178 }
179
180 token = req->session_info->security_token;
181
182 *sec = save_unix_security(ntvfs);
183 if (*sec == NULL) {
184 return NT_STATUS_NO_MEMORY;
185 }
186
187 if (token == priv->last_token) {
188 newsec = priv->last_sec_ctx;
189 } else {
190 status = nt_token_to_unix_security(ntvfs, req, token, &newsec);
191 if (!NT_STATUS_IS_OK(status)) {
192 talloc_free(*sec);
193 return status;
194 }
195 if (priv->last_sec_ctx) {
196 talloc_free(priv->last_sec_ctx);
197 }
198 priv->last_sec_ctx = newsec;
199 priv->last_token = token;
200 talloc_steal(priv, newsec);
201 }
202
203 status = set_unix_security(newsec);
204 if (!NT_STATUS_IS_OK(status)) {
205 talloc_free(*sec);
206 return status;
207 }
208
209 return NT_STATUS_OK;
210 }
211
212 /*
213 this pass through macro operates on request contexts
214 */
215 #define PASS_THRU_REQ(ntvfs, req, op, args) do { \
216 NTSTATUS status2; \
217 struct security_unix_token *sec; \
218 status = unixuid_setup_security(ntvfs, req, &sec); \
219 NT_STATUS_NOT_OK_RETURN(status); \
220 unixuid_nesting_level++; \
221 status = ntvfs_next_##op args; \
222 unixuid_nesting_level--; \
223 status2 = set_unix_security(sec); \
224 talloc_free(sec); \
225 if (!NT_STATUS_IS_OK(status2)) smb_panic("Unable to reset security context"); \
226 } while (0)
227
228
229
230 /*
231 connect to a share - used when a tree_connect operation comes in.
232 */
233 static NTSTATUS unixuid_connect(struct ntvfs_module_context *ntvfs,
234 struct ntvfs_request *req, union smb_tcon *tcon)
235 {
236 struct unixuid_private *priv;
237 NTSTATUS status;
238
239 priv = talloc(ntvfs, struct unixuid_private);
240 if (!priv) {
241 return NT_STATUS_NO_MEMORY;
242 }
243
244 priv->last_sec_ctx = NULL;
245 priv->last_token = NULL;
246 ntvfs->private_data = priv;
247
248 tevent_loop_set_nesting_hook(ntvfs->ctx->event_ctx,
249 unixuid_event_nesting_hook,
250 &unixuid_nesting_level);
251
252 /* we don't use PASS_THRU_REQ here, as the connect operation runs with
253 root privileges. This allows the backends to setup any database
254 links they might need during the connect. */
255 status = ntvfs_next_connect(ntvfs, req, tcon);
256
257 return status;
258 }
259
260 /*
261 disconnect from a share
262 */
263 static NTSTATUS unixuid_disconnect(struct ntvfs_module_context *ntvfs)
264 {
265 struct unixuid_private *priv = ntvfs->private_data;
266 NTSTATUS status;
267
268 talloc_free(priv);
269 ntvfs->private_data = NULL;
270
271 status = ntvfs_next_disconnect(ntvfs);
272
273 return status;
274 }
275
276
277 /*
278 delete a file
279 */
280 static NTSTATUS unixuid_unlink(struct ntvfs_module_context *ntvfs,
281 struct ntvfs_request *req,
282 union smb_unlink *unl)
283 {
284 NTSTATUS status;
285
286 PASS_THRU_REQ(ntvfs, req, unlink, (ntvfs, req, unl));
287
288 return status;
289 }
290
291 /*
292 ioctl interface
293 */
294 static NTSTATUS unixuid_ioctl(struct ntvfs_module_context *ntvfs,
295 struct ntvfs_request *req, union smb_ioctl *io)
296 {
297 NTSTATUS status;
298
299 PASS_THRU_REQ(ntvfs, req, ioctl, (ntvfs, req, io));
300
301 return status;
302 }
303
304 /*
305 check if a directory exists
306 */
307 static NTSTATUS unixuid_chkpath(struct ntvfs_module_context *ntvfs,
308 struct ntvfs_request *req,
309 union smb_chkpath *cp)
310 {
311 NTSTATUS status;
312
313 PASS_THRU_REQ(ntvfs, req, chkpath, (ntvfs, req, cp));
314
315 return status;
316 }
317
318 /*
319 return info on a pathname
320 */
321 static NTSTATUS unixuid_qpathinfo(struct ntvfs_module_context *ntvfs,
322 struct ntvfs_request *req, union smb_fileinfo *info)
323 {
324 NTSTATUS status;
325
326 PASS_THRU_REQ(ntvfs, req, qpathinfo, (ntvfs, req, info));
327
328 return status;
329 }
330
331 /*
332 query info on a open file
333 */
334 static NTSTATUS unixuid_qfileinfo(struct ntvfs_module_context *ntvfs,
335 struct ntvfs_request *req, union smb_fileinfo *info)
336 {
337 NTSTATUS status;
338
339 PASS_THRU_REQ(ntvfs, req, qfileinfo, (ntvfs, req, info));
340
341 return status;
342 }
343
344
345 /*
346 set info on a pathname
347 */
348 static NTSTATUS unixuid_setpathinfo(struct ntvfs_module_context *ntvfs,
349 struct ntvfs_request *req, union smb_setfileinfo *st)
350 {
351 NTSTATUS status;
352
353 PASS_THRU_REQ(ntvfs, req, setpathinfo, (ntvfs, req, st));
354
355 return status;
356 }
357
358 /*
359 open a file
360 */
361 static NTSTATUS unixuid_open(struct ntvfs_module_context *ntvfs,
362 struct ntvfs_request *req, union smb_open *io)
363 {
364 NTSTATUS status;
365
366 PASS_THRU_REQ(ntvfs, req, open, (ntvfs, req, io));
367
368 return status;
369 }
370
371 /*
372 create a directory
373 */
374 static NTSTATUS unixuid_mkdir(struct ntvfs_module_context *ntvfs,
375 struct ntvfs_request *req, union smb_mkdir *md)
376 {
377 NTSTATUS status;
378
379 PASS_THRU_REQ(ntvfs, req, mkdir, (ntvfs, req, md));
380
381 return status;
382 }
383
384 /*
385 remove a directory
386 */
387 static NTSTATUS unixuid_rmdir(struct ntvfs_module_context *ntvfs,
388 struct ntvfs_request *req, struct smb_rmdir *rd)
389 {
390 NTSTATUS status;
391
392 PASS_THRU_REQ(ntvfs, req, rmdir, (ntvfs, req, rd));
393
394 return status;
395 }
396
397 /*
398 rename a set of files
399 */
400 static NTSTATUS unixuid_rename(struct ntvfs_module_context *ntvfs,
401 struct ntvfs_request *req, union smb_rename *ren)
402 {
403 NTSTATUS status;
404
405 PASS_THRU_REQ(ntvfs, req, rename, (ntvfs, req, ren));
406
407 return status;
408 }
409
410 /*
411 copy a set of files
412 */
413 static NTSTATUS unixuid_copy(struct ntvfs_module_context *ntvfs,
414 struct ntvfs_request *req, struct smb_copy *cp)
415 {
416 NTSTATUS status;
417
418 PASS_THRU_REQ(ntvfs, req, copy, (ntvfs, req, cp));
419
420 return status;
421 }
422
423 /*
424 read from a file
425 */
426 static NTSTATUS unixuid_read(struct ntvfs_module_context *ntvfs,
427 struct ntvfs_request *req, union smb_read *rd)
428 {
429 NTSTATUS status;
430
431 PASS_THRU_REQ(ntvfs, req, read, (ntvfs, req, rd));
432
433 return status;
434 }
435
436 /*
437 write to a file
438 */
439 static NTSTATUS unixuid_write(struct ntvfs_module_context *ntvfs,
440 struct ntvfs_request *req, union smb_write *wr)
441 {
442 NTSTATUS status;
443
444 PASS_THRU_REQ(ntvfs, req, write, (ntvfs, req, wr));
445
446 return status;
447 }
448
449 /*
450 seek in a file
451 */
452 static NTSTATUS unixuid_seek(struct ntvfs_module_context *ntvfs,
453 struct ntvfs_request *req,
454 union smb_seek *io)
455 {
456 NTSTATUS status;
457
458 PASS_THRU_REQ(ntvfs, req, seek, (ntvfs, req, io));
459
460 return status;
461 }
462
463 /*
464 flush a file
465 */
466 static NTSTATUS unixuid_flush(struct ntvfs_module_context *ntvfs,
467 struct ntvfs_request *req,
468 union smb_flush *io)
469 {
470 NTSTATUS status;
471
472 PASS_THRU_REQ(ntvfs, req, flush, (ntvfs, req, io));
473
474 return status;
475 }
476
477 /*
478 close a file
479 */
480 static NTSTATUS unixuid_close(struct ntvfs_module_context *ntvfs,
481 struct ntvfs_request *req, union smb_close *io)
482 {
483 NTSTATUS status;
484
485 PASS_THRU_REQ(ntvfs, req, close, (ntvfs, req, io));
486
487 return status;
488 }
489
490 /*
491 exit - closing files
492 */
493 static NTSTATUS unixuid_exit(struct ntvfs_module_context *ntvfs,
494 struct ntvfs_request *req)
495 {
496 NTSTATUS status;
497
498 PASS_THRU_REQ(ntvfs, req, exit, (ntvfs, req));
499
500 return status;
501 }
502
503 /*
504 logoff - closing files
505 */
506 static NTSTATUS unixuid_logoff(struct ntvfs_module_context *ntvfs,
507 struct ntvfs_request *req)
508 {
509 struct unixuid_private *priv = ntvfs->private_data;
510 NTSTATUS status;
511
512 PASS_THRU_REQ(ntvfs, req, logoff, (ntvfs, req));
513
514 priv->last_token = NULL;
515
516 return status;
517 }
518
519 /*
520 async setup
521 */
522 static NTSTATUS unixuid_async_setup(struct ntvfs_module_context *ntvfs,
523 struct ntvfs_request *req,
524 void *private_data)
525 {
526 NTSTATUS status;
527
528 PASS_THRU_REQ(ntvfs, req, async_setup, (ntvfs, req, private_data));
529
530 return status;
531 }
532
533 /*
534 cancel an async request
535 */
536 static NTSTATUS unixuid_cancel(struct ntvfs_module_context *ntvfs,
537 struct ntvfs_request *req)
538 {
539 NTSTATUS status;
540
541 PASS_THRU_REQ(ntvfs, req, cancel, (ntvfs, req));
542
543 return status;
544 }
545
546 /*
547 change notify
548 */
549 static NTSTATUS unixuid_notify(struct ntvfs_module_context *ntvfs,
550 struct ntvfs_request *req, union smb_notify *info)
551 {
552 NTSTATUS status;
553
554 PASS_THRU_REQ(ntvfs, req, notify, (ntvfs, req, info));
555
556 return status;
557 }
558
559 /*
560 lock a byte range
561 */
562 static NTSTATUS unixuid_lock(struct ntvfs_module_context *ntvfs,
563 struct ntvfs_request *req, union smb_lock *lck)
564 {
565 NTSTATUS status;
566
567 PASS_THRU_REQ(ntvfs, req, lock, (ntvfs, req, lck));
568
569 return status;
570 }
571
572 /*
573 set info on a open file
574 */
575 static NTSTATUS unixuid_setfileinfo(struct ntvfs_module_context *ntvfs,
576 struct ntvfs_request *req,
577 union smb_setfileinfo *info)
578 {
579 NTSTATUS status;
580
581 PASS_THRU_REQ(ntvfs, req, setfileinfo, (ntvfs, req, info));
582
583 return status;
584 }
585
586
587 /*
588 return filesystem space info
589 */
590 static NTSTATUS unixuid_fsinfo(struct ntvfs_module_context *ntvfs,
591 struct ntvfs_request *req, union smb_fsinfo *fs)
592 {
593 NTSTATUS status;
594
595 PASS_THRU_REQ(ntvfs, req, fsinfo, (ntvfs, req, fs));
596
597 return status;
598 }
599
600 /*
601 return print queue info
602 */
603 static NTSTATUS unixuid_lpq(struct ntvfs_module_context *ntvfs,
604 struct ntvfs_request *req, union smb_lpq *lpq)
605 {
606 NTSTATUS status;
607
608 PASS_THRU_REQ(ntvfs, req, lpq, (ntvfs, req, lpq));
609
610 return status;
611 }
612
613 /*
614 list files in a directory matching a wildcard pattern
615 */
616 static NTSTATUS unixuid_search_first(struct ntvfs_module_context *ntvfs,
617 struct ntvfs_request *req, union smb_search_first *io,
618 void *search_private,
619 bool (*callback)(void *, const union smb_search_data *))
620 {
621 NTSTATUS status;
622
623 PASS_THRU_REQ(ntvfs, req, search_first, (ntvfs, req, io, search_private, callback));
624
625 return status;
626 }
627
628 /* continue a search */
629 static NTSTATUS unixuid_search_next(struct ntvfs_module_context *ntvfs,
630 struct ntvfs_request *req, union smb_search_next *io,
631 void *search_private,
632 bool (*callback)(void *, const union smb_search_data *))
633 {
634 NTSTATUS status;
635
636 PASS_THRU_REQ(ntvfs, req, search_next, (ntvfs, req, io, search_private, callback));
637
638 return status;
639 }
640
641 /* close a search */
642 static NTSTATUS unixuid_search_close(struct ntvfs_module_context *ntvfs,
643 struct ntvfs_request *req, union smb_search_close *io)
644 {
645 NTSTATUS status;
646
647 PASS_THRU_REQ(ntvfs, req, search_close, (ntvfs, req, io));
648
649 return status;
650 }
651
652 /* SMBtrans - not used on file shares */
653 static NTSTATUS unixuid_trans(struct ntvfs_module_context *ntvfs,
654 struct ntvfs_request *req, struct smb_trans2 *trans2)
655 {
656 NTSTATUS status;
657
658 PASS_THRU_REQ(ntvfs, req, trans, (ntvfs, req, trans2));
659
660 return status;
661 }
662
663 /*
664 initialise the unixuid backend, registering ourselves with the ntvfs subsystem
665 */
666 NTSTATUS ntvfs_unixuid_init(TALLOC_CTX *ctx)
667 {
668 NTSTATUS ret;
669 struct ntvfs_ops ops;
670 NTVFS_CURRENT_CRITICAL_SIZES(vers);
671
672 ZERO_STRUCT(ops);
673
674 /* fill in all the operations */
675 ops.connect_fn = unixuid_connect;
676 ops.disconnect_fn = unixuid_disconnect;
677 ops.unlink_fn = unixuid_unlink;
678 ops.chkpath_fn = unixuid_chkpath;
679 ops.qpathinfo_fn = unixuid_qpathinfo;
680 ops.setpathinfo_fn = unixuid_setpathinfo;
681 ops.open_fn = unixuid_open;
682 ops.mkdir_fn = unixuid_mkdir;
683 ops.rmdir_fn = unixuid_rmdir;
684 ops.rename_fn = unixuid_rename;
685 ops.copy_fn = unixuid_copy;
686 ops.ioctl_fn = unixuid_ioctl;
687 ops.read_fn = unixuid_read;
688 ops.write_fn = unixuid_write;
689 ops.seek_fn = unixuid_seek;
690 ops.flush_fn = unixuid_flush;
691 ops.close_fn = unixuid_close;
692 ops.exit_fn = unixuid_exit;
693 ops.lock_fn = unixuid_lock;
694 ops.setfileinfo_fn = unixuid_setfileinfo;
695 ops.qfileinfo_fn = unixuid_qfileinfo;
696 ops.fsinfo_fn = unixuid_fsinfo;
697 ops.lpq_fn = unixuid_lpq;
698 ops.search_first_fn = unixuid_search_first;
699 ops.search_next_fn = unixuid_search_next;
700 ops.search_close_fn = unixuid_search_close;
701 ops.trans_fn = unixuid_trans;
702 ops.logoff_fn = unixuid_logoff;
703 ops.async_setup_fn = unixuid_async_setup;
704 ops.cancel_fn = unixuid_cancel;
705 ops.notify_fn = unixuid_notify;
706
707 ops.name = "unixuid";
708
709 /* we register under all 3 backend types, as we are not type specific */
710 ops.type = NTVFS_DISK;
711 ret = ntvfs_register(&ops, &vers);
712 if (!NT_STATUS_IS_OK(ret)) goto failed;
713
714 ops.type = NTVFS_PRINT;
715 ret = ntvfs_register(&ops, &vers);
716 if (!NT_STATUS_IS_OK(ret)) goto failed;
717
718 ops.type = NTVFS_IPC;
719 ret = ntvfs_register(&ops, &vers);
720 if (!NT_STATUS_IS_OK(ret)) goto failed;
721
722 failed:
723 return ret;
724 }
GSS-enabled samba4