1 /*
2 Unix SMB/CIFS implementation.
3 Check access based on valid users, read list and friends
4 Copyright (C) Volker Lendecke 2005
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 #include "includes.h"
21 #include "smbd/smbd.h"
22 #include "smbd/globals.h"
23 #include "../libcli/security/security.h"
/*
 * Check whether the security token matches any entry in the list provided.
 *
 * Please note that the user name and share name passed in here are mainly
 * for the substitution routines that expand the parameter values; the
 * decision whether a user is in the list is made after a lookup_name on
 * the expanded parameter value, solely by comparing the SIDs in token.
 *
 * The other use is the netgroup check when using @group or &group.
 *
 * Returns false only if an entry could not be evaluated; callers should not
 * rely on *match in that case and should treat the failure as a denial.
 * On success, *match is true if some entry matched and false otherwise.
 * A NULL list is an empty list: success with no match.
 */
bool token_contains_name_in_list(const char *username,
				 const char *domain,
				 const char *sharename,
				 const struct security_token *token,
				 const char **list,
				 bool *match)
{
	const char **entry;

	*match = false;

	/* Unset parameter: nothing to compare against. */
	if (list == NULL) {
		return true;
	}

	for (entry = list; *entry != NULL; entry++) {
		TALLOC_CTX *frame = talloc_stackframe();
		bool ok;

		/* One short-lived frame per entry keeps lookup garbage bounded. */
		ok = token_contains_name(frame, username, domain, sharename,
					 token, *entry, match);
		TALLOC_FREE(frame);

		/* Lookup failure: report it upwards instead of guessing. */
		if (!ok) {
			return false;
		}

		/* First match wins; no need to evaluate the rest. */
		if (*match) {
			return true;
		}
	}

	return true;
}
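/*
 * Check whether the user described by "token" has access to share snum.
 *
 * This looks at "invalid users" and "valid users": a match in
 * "invalid users" denies access outright, and when "valid users" is set
 * the token must match one of its entries. A failure to evaluate either
 * list is treated as a denial (fail closed).
 *
 * Please note that the user name and share name passed in here are mainly
 * for the substitution routines that expand the parameter values; the
 * decision whether a user is in the list is made after a lookup_name on
 * the expanded parameter value, solely by comparing the SIDs in token.
 *
 * The other use is the netgroup check when using @group or &group.
 *
 * Returns true if access to the share is permitted, false otherwise.
 */
bool user_ok_token(const char *username, const char *domain,
		   const struct security_token *token, int snum)
{
	const struct loadparm_substitution *lp_sub =
		loadparm_s3_global_substitution();
	const char **invalid_users = lp_invalid_users(snum);
	const char **valid_users = lp_valid_users(snum);
	/* Expanded once; it is only needed for parameter substitution. */
	const char *sharename = lp_servicename(talloc_tos(), lp_sub, snum);
	bool match = false;
	bool ok;

	if (invalid_users != NULL) {
		ok = token_contains_name_in_list(username, domain, sharename,
						 token, invalid_users, &match);
		if (!ok) {
			/* Could not evaluate the list: deny rather than guess. */
			return false;
		}
		if (match) {
			DEBUG(10, ("User %s in 'invalid users'\n", username));
			return false;
		}
	}

	if (valid_users != NULL) {
		ok = token_contains_name_in_list(username, domain, sharename,
						 token, valid_users, &match);
		if (!ok) {
			return false;
		}
		if (!match) {
			DEBUG(10, ("User %s not in 'valid users'\n",
				   username));
			return false;
		}
	}

	DEBUG(10, ("user_ok_token: share %s is ok for unix user %s\n",
		   sharename, username));

	return true;
}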
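/*
 * Check whether the user described by "token" is restricted to read-only
 * access on share snum.
 *
 * This looks at "read list", "write list" and "read only". The share's
 * "read only" setting (conn->read_only) is the baseline; a match in
 * "read list" forces read-only, and a match in "write list" forces
 * read-write. "write list" is evaluated last, so a token matching both
 * lists ends up read-write.
 *
 * Please note that the user name and share name passed in here are mainly
 * for the substitution routines that expand the parameter values; the
 * decision whether a user is in the list is made after a lookup_name on
 * the expanded parameter value, solely by comparing the SIDs in token.
 *
 * The other use is the netgroup check when using @group or &group.
 *
 * On success returns true and stores the outcome in *_read_only. Returns
 * false, leaving *_read_only untouched, if a list could not be evaluated;
 * callers should treat that as a failure, not as read-write access.
 */
bool is_share_read_only_for_token(const char *username,
				  const char *domain,
				  const struct security_token *token,
				  connection_struct *conn,
				  bool *_read_only)
{
	const struct loadparm_substitution *lp_sub =
		loadparm_s3_global_substitution();
	int snum = SNUM(conn);
	const char **read_list = lp_read_list(snum);
	const char **write_list = lp_write_list(snum);
	/* Expanded once; it is only needed for parameter substitution. */
	const char *sharename = lp_servicename(talloc_tos(), lp_sub, snum);
	bool read_only = conn->read_only;
	bool match = false;
	bool ok;

	if (read_list != NULL) {
		ok = token_contains_name_in_list(username, domain, sharename,
						 token, read_list, &match);
		if (!ok) {
			return false;
		}
		if (match) {
			read_only = true;
		}
	}

	if (write_list != NULL) {
		ok = token_contains_name_in_list(username, domain, sharename,
						 token, write_list, &match);
		if (!ok) {
			return false;
		}
		if (match) {
			/* "write list" overrides both "read list" and "read only". */
			read_only = false;
		}
	}

	/* Log under the real function name so the trace matches the code. */
	DEBUG(10, ("is_share_read_only_for_token: share %s is %s for unix user "
		   "%s\n", sharename,
		   read_only ? "read-only" : "read-write", username));

	*_read_only = read_only;
	return true;
}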