svn commit: samba r13122 - in trunk/source: param utils

jra at samba.org jra at samba.org
Tue Jan 24 22:02:35 GMT 2006 

Author: jra
Date: 2006-01-24 22:02:33 +0000 (Tue, 24 Jan 2006)
New Revision: 13122

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=13122

Log:
Added "usershare owner only" parameter, on by default
to allow only usershares owned by the creating user
(root ignores this). Fix error message in net usershare
to explain what might be wrong if the directory doesn't
exist or access denied.
Jeremy.

Modified:
   trunk/source/param/loadparm.c
   trunk/source/utils/net_usershare.c


Changeset:
Modified: trunk/source/param/loadparm.c
===================================================================
--- trunk/source/param/loadparm.c	2006-01-24 21:26:55 UTC (rev 13121)
+++ trunk/source/param/loadparm.c	2006-01-24 22:02:33 UTC (rev 13122)
@@ -307,6 +307,7 @@
 	BOOL bDeferSharingViolations;
 	BOOL bEnablePrivileges;
 	BOOL bASUSupport;
+	BOOL bUsershareOwnerOnly;
 	int restrict_anonymous;
 	int name_cache_timeout;
 	int client_signing;
@@ -1226,10 +1227,11 @@
 	{"root postexec", P_STRING, P_LOCAL, &sDefault.szRootPostExec, NULL, NULL, FLAG_ADVANCED | FLAG_SHARE | FLAG_PRINT}, 
 	{"available", P_BOOL, P_LOCAL, &sDefault.bAvailable, NULL, NULL, FLAG_BASIC | FLAG_ADVANCED | FLAG_SHARE | FLAG_PRINT}, 
 	{"usershare max shares", P_INTEGER, P_GLOBAL, &Globals.iUsershareMaxShares, NULL, NULL, FLAG_ADVANCED},
+	{"usershare owner only", P_BOOL, P_GLOBAL, &Globals.bUsershareOwnerOnly, NULL, NULL, FLAG_ADVANCED}, 
 	{"usershare path", P_STRING, P_GLOBAL, &Globals.szUsersharePath, NULL, NULL, FLAG_ADVANCED},
-	{"usershare template share", P_STRING, P_GLOBAL, &Globals.szUsershareTemplateShare, NULL, NULL, FLAG_ADVANCED},
 	{"usershare prefix allow list", P_LIST, P_GLOBAL, &Globals.szUsersharePrefixAllowList, NULL, NULL, FLAG_ADVANCED}, 
 	{"usershare prefix deny list", P_LIST, P_GLOBAL, &Globals.szUsersharePrefixDenyList, NULL, NULL, FLAG_ADVANCED}, 
+	{"usershare template share", P_STRING, P_GLOBAL, &Globals.szUsershareTemplateShare, NULL, NULL, FLAG_ADVANCED},
 	{"volume", P_STRING, P_LOCAL, &sDefault.volume, NULL, NULL, FLAG_ADVANCED | FLAG_SHARE }, 
 	{"fstype", P_STRING, P_LOCAL, &sDefault.fstype, NULL, NULL, FLAG_ADVANCED | FLAG_SHARE}, 
 	{"set directory", P_BOOLREV, P_LOCAL, &sDefault.bNo_set_dir, NULL, NULL, FLAG_ADVANCED | FLAG_SHARE}, 
@@ -1655,6 +1657,8 @@
 	string_set(&Globals.szUsersharePath, s);
 	string_set(&Globals.szUsershareTemplateShare, "");
 	Globals.iUsershareMaxShares = 0;
+	/* By default disallow sharing of directories not owned by the sharer. */
+	Globals.bUsershareOwnerOnly = True;
 }
 
 static TALLOC_CTX *lp_talloc;
@@ -1859,6 +1863,7 @@
 
 FN_GLOBAL_LIST(lp_eventlog_list, &Globals.szEventLogs)
 
+FN_GLOBAL_BOOL(lp_usershare_owner_only, &Globals.bUsershareOwnerOnly)
 FN_GLOBAL_BOOL(lp_disable_netbios, &Globals.bDisableNetbios)
 FN_GLOBAL_BOOL(lp_reset_on_zero_vc, &Globals.bResetOnZeroVC)
 FN_GLOBAL_BOOL(lp_ms_add_printer_wizard, &Globals.bMsAddPrinterWizard)
@@ -4394,33 +4399,25 @@
 		return USERSHARE_POSIX_ERR;
 	}
 
+	sys_closedir(dp);
+
 	if (!S_ISDIR(sbuf.st_mode)) {
 		DEBUG(2,("parse_usershare_file: share %s path %s is not a directory.\n",
 			servicename, sharepath ));
-		sys_closedir(dp);
 		return USERSHARE_PATH_NOT_DIRECTORY;
 	}
 
-#if 0
-	/* Owner can always share. */
-	if (sbuf.st_uid == psbuf->st_uid) {
-		sys_closedir(dp);
-		return True;
+	/* Check if sharing is restricted to owner-only. */
+	/* psbuf is the stat of the usershare definition file,
+	   sbuf is the stat of the target directory to be shared. */
+
+	if (lp_usershare_owner_only()) {
+		/* root can share anything. */
+		if ((psbuf->st_uid != 0) && (sbuf.st_uid != psbuf->st_uid)) {
+			return USERSHARE_PATH_NOT_ALLOWED;
+		}
 	}
 
-	/* We could check if the user requesting the share is in the
-	   owning group of the directory. */
-
-	username = uidtoname(psbuf->st_uid);
-	owning_group_name = gidtoname(sbuf.st_gid);
-
-	getgroups_user();
-
-	user_in_group(u_name, g_name);
-#endif
-
-	sys_closedir(dp);
-
 	return USERSHARE_OK;
 }
 

Modified: trunk/source/utils/net_usershare.c
===================================================================
--- trunk/source/utils/net_usershare.c	2006-01-24 21:26:55 UTC (rev 13121)
+++ trunk/source/utils/net_usershare.c	2006-01-24 22:02:33 UTC (rev 13122)
@@ -469,6 +469,7 @@
 	int tmpfd;
 	const char *pacl;
 	size_t to_write;
+	uid_t myeuid = geteuid();
 
 	us_comment = "";
 	arg_acl = "S-1-1-0:R";
@@ -542,6 +543,17 @@
 		return -1;
 	}
 
+	/* If we're not root, check if we're restricted to sharing out directories
+	   that we own only. */
+
+	if ((myeuid != 0) && lp_usershare_owner_only() && (myeuid != sbuf.st_uid)) {
+		d_fprintf(stderr, "net usershare add: cannot share path %s as "
+			"we are restricted to only sharing directories we own.\n",
+			us_path );
+		SAFE_FREE(sharename);
+		return -1;
+	}
+
 	/* No validation needed on comment. Now go through and validate the
 	   acl string. Convert names to SID's as needed. Then run it through
 	   parse_usershare_acl to ensure it's valid. */
@@ -799,8 +811,16 @@
 
 	dp = sys_opendir(lp_usershare_path());
 	if (!dp) {
+		int err = errno;
 		d_fprintf(stderr, "net usershare: cannot open usershare directory %s. Error %s\n",
-			lp_usershare_path(), strerror(errno) );
+			lp_usershare_path(), strerror(err) );
+		if (err == EACCES) {
+			d_fprintf(stderr, "You do not have permission to create a usershare. Ask your "
+				"administrator to grant you permissions to create a share.\n");
+		} else if (err == ENOENT) {
+			d_fprintf(stderr, "Please ask your system administrator to "
+				"enable user sharing.\n");
+		}
 		return -1;
 	}
 	sys_closedir(dp);

More information about the samba-cvs mailing list