summaryrefslogtreecommitdiffstats
path: root/source3/smbd/uid.c
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2002-08-20 01:54:28 +0000
committerAndrew Bartlett <abartlet@samba.org>2002-08-20 01:54:28 +0000
commit8674440d81f703cb59979426c92ed54de8e5f2ed (patch)
tree033da6bfa721b02c1a087ee478d3593997f30e2a /source3/smbd/uid.c
parent03615599919f94c5ed56e9824343b02f4f3e0b71 (diff)
downloadsamba-8674440d81f703cb59979426c92ed54de8e5f2ed.tar.gz
samba-8674440d81f703cb59979426c92ed54de8e5f2ed.tar.xz
samba-8674440d81f703cb59979426c92ed54de8e5f2ed.zip
Based orginally by work by Kai, this patch moves our NT_TOKEN generation into
our authenticaion code - removing some of the duplication from the current code. This also gets us *much* closer to supporting a real SAM backend, becouse the SAM can give us the right info then. This also changes our service.c code, so that we do a VUID (rather than uid) cache on the connection struct, and do full NT ACL/NT_TOKEN checks (or cached equivilant) on every packet, for the same r or rw mode the whole share was open for. Andrew Bartlett (This used to be commit d8122cee059fc7098bfa7e42e638a9958b3ac902)
Diffstat (limited to 'source3/smbd/uid.c')
-rw-r--r--source3/smbd/uid.c38
1 files changed, 20 insertions, 18 deletions
diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c
index c0bacf8f910..6f91065cebc 100644
--- a/source3/smbd/uid.c
+++ b/source3/smbd/uid.c
@@ -59,18 +59,26 @@ BOOL change_to_guest(void)
static BOOL check_user_ok(connection_struct *conn, user_struct *vuser,int snum)
{
int i;
- for (i=0;i<conn->uid_cache.entries;i++)
- if (conn->uid_cache.list[i] == vuser->uid)
+ for (i=0;i<conn->vuid_cache.entries && i< VUID_CACHE_SIZE;i++)
+ if (conn->vuid_cache.list[i] == vuser->vuid)
return(True);
+ if ((conn->force_user || conn->force_group)
+ && (conn->vuid != vuser->vuid)) {
+ return False;
+ }
+
if (!user_ok(vuser->user.unix_name,snum))
return(False);
- i = conn->uid_cache.entries % UID_CACHE_SIZE;
- conn->uid_cache.list[i] = vuser->uid;
+ if (!share_access_check(conn, snum, vuser, conn->read_only ? FILE_READ_DATA : FILE_WRITE_DATA)) {
+ return False;
+ }
+
+ i = conn->vuid_cache.entries % VUID_CACHE_SIZE;
+ conn->vuid_cache.list[i] = vuser->vuid;
- if (conn->uid_cache.entries < UID_CACHE_SIZE)
- conn->uid_cache.entries++;
+ conn->vuid_cache.entries++;
return(True);
}
@@ -115,27 +123,21 @@ BOOL change_to_user(connection_struct *conn, uint16 vuid)
snum = SNUM(conn);
- if((vuser != NULL) && !check_user_ok(conn, vuser, snum))
- return False;
-
- if (conn->force_user ||
- conn->admin_user ||
- (lp_security() == SEC_SHARE)) {
+ if (conn->force_user) /* security = share sets this too */ {
uid = conn->uid;
gid = conn->gid;
current_user.groups = conn->groups;
current_user.ngroups = conn->ngroups;
token = conn->nt_user_token;
- } else {
- if (!vuser) {
- DEBUG(2,("change_to_user: Invalid vuid used %d\n",vuid));
- return(False);
- }
+ } else if ((vuser) && check_user_ok(conn, vuser, snum)) {
uid = vuser->uid;
gid = vuser->gid;
current_user.ngroups = vuser->n_groups;
current_user.groups = vuser->groups;
token = vuser->nt_user_token;
+ } else {
+ DEBUG(2,("change_to_user: Invalid vuid used %d or vuid not permitted access to share.\n",vuid));
+ return False;
}
/*
@@ -175,7 +177,7 @@ BOOL change_to_user(connection_struct *conn, uint16 vuid)
if (vuser && vuser->guest)
is_guest = True;
- token = create_nt_token(uid, gid, current_user.ngroups, current_user.groups, is_guest, NULL);
+ token = create_nt_token(uid, gid, current_user.ngroups, current_user.groups, is_guest);
must_free_token = True;
}