[SCM] Samba Shared Repository - branch v3-2-test updated -
release-3-2-0pre2-3230-gd2b7d9d
Jeremy Allison
jra at samba.org
Thu Dec 4 18:24:02 GMT 2008
The branch, v3-2-test has been updated
via d2b7d9d29feab263bf736a88e5819203cbc8a165 (commit)
from addbddf90a4935f7fda8ed4acbf5a4574d7fc92b (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-2-test
- Log -----------------------------------------------------------------
commit d2b7d9d29feab263bf736a88e5819203cbc8a165
Author: Jeremy Allison <jra at samba.org>
Date: Thu Dec 4 10:23:06 2008 -0800
Fix bug #1254 - write list not working under share-level security
Jeremy.
-----------------------------------------------------------------------
Summary of changes:
source/smbd/share_access.c | 4 +-
source/smbd/uid.c | 52 +++++++++++++++++++++++++++++++++++++++++++-
2 files changed, 53 insertions(+), 3 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source/smbd/share_access.c b/source/smbd/share_access.c
index e89934c..ef898b8 100644
--- a/source/smbd/share_access.c
+++ b/source/smbd/share_access.c
@@ -191,7 +191,7 @@ bool token_contains_name_in_list(const char *username,
* The other use is the netgroup check when using @group or &group.
*/
-bool user_ok_token(const char *username, struct nt_user_token *token, int snum)
+bool user_ok_token(const char *username, const struct nt_user_token *token, int snum)
{
if (lp_invalid_users(snum) != NULL) {
if (token_contains_name_in_list(username, lp_servicename(snum),
@@ -248,7 +248,7 @@ bool user_ok_token(const char *username, struct nt_user_token *token, int snum)
*/
bool is_share_read_only_for_token(const char *username,
- struct nt_user_token *token,
+ const struct nt_user_token *token,
connection_struct *conn)
{
int snum = SNUM(conn);
diff --git a/source/smbd/uid.c b/source/smbd/uid.c
index 631a37f..5278069 100644
--- a/source/smbd/uid.c
+++ b/source/smbd/uid.c
@@ -141,6 +141,48 @@ static bool check_user_ok(connection_struct *conn, user_struct *vuser,int snum)
return(True);
}
+/*******************************************************************
+ Check if a username is OK in share level security.
+********************************************************************/
+
+static bool check_user_ok_sharelevel_security(connection_struct *conn,
+ const char *unix_name,
+ int snum)
+{
+ NT_USER_TOKEN *token = conn->nt_user_token;
+
+ if (!user_ok_token(unix_name, token, snum)) {
+ return false;
+ }
+
+ conn->read_only = is_share_read_only_for_token(unix_name,
+ token,
+ conn);
+
+ if (!conn->read_only &&
+ !share_access_check(token, lp_servicename(snum),
+ FILE_WRITE_DATA)) {
+ /* smb.conf allows r/w, but the security descriptor denies
+ * write. Fall back to looking at readonly. */
+ conn->read_only = true;
+ DEBUG(5,("falling back to read-only access-evaluation due to "
+ "security descriptor\n"));
+ }
+
+ if (!share_access_check(token, lp_servicename(snum),
+ conn->read_only ?
+ FILE_READ_DATA : FILE_WRITE_DATA)) {
+ return false;
+ }
+
+ conn->admin_user = token_contains_name_in_list(
+ unix_name, NULL, token,
+ lp_admin_users(SNUM(conn)));
+
+ return true;
+}
+
+
/****************************************************************************
Become the user of a connection number without changing the security context
stack, but modify the current_user entries.
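Review bot: The banner comment above check_user_ok_sharelevel_security describes it as a check only, but the function also writes conn->read_only and conn->admin_user, and conn->read_only has already been updated by the time the second share_access_check can still return false; the comment should state that, e.g. `On success sets conn->read_only and conn->admin_user; conn->read_only may already have been changed when false is returned.` Whether any caller reads those fields after a denial is not visible in this hunk. Separately, the admin_user assignment calls `lp_admin_users(SNUM(conn))` although the share number is already passed in as snum; `lp_admin_users(snum)` keeps it consistent with the lp_servicename(snum) calls a few lines above.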
@@ -148,6 +190,7 @@ static bool check_user_ok(connection_struct *conn, user_struct *vuser,int snum)
bool change_to_user(connection_struct *conn, uint16 vuid)
{
+ enum security_types sec = (enum security_types)lp_security();
user_struct *vuser = get_valid_user_struct(vuid);
int snum;
gid_t gid;
@@ -170,7 +213,7 @@ bool change_to_user(connection_struct *conn, uint16 vuid)
* SMB's - this hurts performance - Badly.
*/
- if((lp_security() == SEC_SHARE) && (current_user.conn == conn) &&
+ if((sec == SEC_SHARE) && (current_user.conn == conn) &&
(current_user.ut.uid == conn->uid)) {
DEBUG(4,("change_to_user: Skipping user change - already "
"user\n"));
@@ -191,6 +234,13 @@ bool change_to_user(connection_struct *conn, uint16 vuid)
vuser->user.smb_name, vuser->user.unix_name, vuid,
lp_servicename(snum)));
return False;
+ } else if ((sec == SEC_SHARE) && !check_user_ok_sharelevel_security(conn,
+ conn->user, snum)) {
+ DEBUG(2,("change_to_user: unix user %s "
+ "not permitted access to share %s.\n",
+ conn->user,
+ lp_servicename(snum)));
+ return false;
}
if (conn->force_user) /* security = share sets this too */ {
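Review bot: The new else-if branch ends with `return false;` while the sibling branch directly above it (the `return False;` kept as context) uses the True/False spelling the rest of change_to_user uses; one spelling should be used for the whole chain, e.g. `return False;`. The branch is presumably also entered when the preceding check passed, so with sec == SEC_SHARE and a valid vuser both check_user_ok and the new share-level check run, the second one against conn->user rather than the vuser's unix name; if that is intended, a short comment on the else-if saying so would help the next reader. change_to_user starts and ends outside this hunk.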