[SCM] Samba Shared Repository - branch v3-3-test updated - release-3-2-0pre2-2845-g1025f68

Volker Lendecke vlendec at samba.org
Sat Jun 14 18:26:02 GMT 2008


The branch, v3-3-test has been updated
       via  1025f687910ce40283c7344ed67ebd5bf31217b7 (commit)
       via  68944ea1ea7a0a63b08cbfc703f5ee29d2627696 (commit)
       via  45662b5e8b3c7bc39cb33c5d7deb7e9a91f30a8b (commit)
       via  b14e59bfdbfb62494002e22d0665c4d420484245 (commit)
       via  5c916549f002d5e4e06f24d396a2bdca73d384c7 (commit)
      from  a42d7e1146e7469062ead2c8f22f549a48154e03 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-3-test


- Log -----------------------------------------------------------------
commit 1025f687910ce40283c7344ed67ebd5bf31217b7
Author: Volker Lendecke <vl at samba.org>
Date:   Sat Jun 14 16:59:07 2008 +0200

    Move connection-specific vuid cache clear to uid.c

commit 68944ea1ea7a0a63b08cbfc703f5ee29d2627696
Author: Volker Lendecke <vl at samba.org>
Date:   Sat Jun 14 16:55:02 2008 +0200

    Slight refactoring for check_user_ok: It only needs vuid and server_info

commit 45662b5e8b3c7bc39cb33c5d7deb7e9a91f30a8b
Author: Volker Lendecke <vl at samba.org>
Date:   Sat Jun 14 16:46:25 2008 +0200

    Group the access checks together in check_user_ok()

commit b14e59bfdbfb62494002e22d0665c4d420484245
Author: Volker Lendecke <vl at samba.org>
Date:   Sat Jun 14 16:43:03 2008 +0200

    Consistently use snum in check_user_ok
    
    Most already used it, these two still used SNUM(conn), where the only caller of
    this routine (change_to_user) had set snum = SNUM(conn).

commit 5c916549f002d5e4e06f24d396a2bdca73d384c7
Author: Volker Lendecke <vl at samba.org>
Date:   Sat Jun 14 16:35:22 2008 +0200

    Compare the pointer "vuser" to NULL, not 0

-----------------------------------------------------------------------

Summary of changes:
 source/smbd/conn.c     |   17 +----------
 source/smbd/password.c |    2 +-
 source/smbd/uid.c      |   68 +++++++++++++++++++++++++++++++----------------
 3 files changed, 48 insertions(+), 39 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source/smbd/conn.c b/source/smbd/conn.c
index 5c75ed7..1a67ac9 100644
--- a/source/smbd/conn.c
+++ b/source/smbd/conn.c
@@ -225,28 +225,15 @@ bool conn_idle_all(time_t t)
  Clear a vuid out of the validity cache, and as the 'owner' of a connection.
 ****************************************************************************/
 
-void conn_clear_vuid_cache(uint16 vuid)
+void conn_clear_vuid_caches(uint16_t vuid)
 {
 	connection_struct *conn;
-	unsigned int i;
 
 	for (conn=Connections;conn;conn=conn->next) {
 		if (conn->vuid == vuid) {
 			conn->vuid = UID_FIELD_INVALID;
 		}
-
-		for (i=0; i<VUID_CACHE_SIZE; i++) {
-			struct vuid_cache_entry *ent;
-
-			ent = &conn->vuid_cache.array[i];
-
-			if (ent->vuid == vuid) {
-				ent->vuid = UID_FIELD_INVALID;
-				TALLOC_FREE(ent->server_info);
-				ent->read_only = False;
-				ent->admin_user = False;
-			}
-		}
+		conn_clear_vuid_cache(conn, vuid);
 	}
 }
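Review bot: After this rename the two helpers differ only by a trailing `s`: `conn_clear_vuid_caches(vuid)` walks every connection, while `conn_clear_vuid_cache(conn, vuid)` handles one, which is easy to misread at a call site. The banner comment above the function still says "the validity cache" in the singular; stating the scope would help, e.g. `Clear a vuid out of the vuid cache of every connection, and as the 'owner' of any connection.` The new signature also takes `uint16_t`, while `invalidate_vuid` and `change_to_user`, touched by the same push, still take `uint16`. Using one spelling for vuids would keep the interface consistent.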
 
diff --git a/source/smbd/password.c b/source/smbd/password.c
index 673a1a0..ebc7235 100644
--- a/source/smbd/password.c
+++ b/source/smbd/password.c
@@ -127,7 +127,7 @@ void invalidate_vuid(uint16 vuid)
 
 	/* clear the vuid from the 'cache' on each connection, and
 	   from the vuid 'owner' of connections */
-	conn_clear_vuid_cache(vuid);
+	conn_clear_vuid_caches(vuid);
 
 	TALLOC_FREE(vuser);
 	num_validated_vuids--;
diff --git a/source/smbd/uid.c b/source/smbd/uid.c
index b0f8cb2..2bc5595 100644
--- a/source/smbd/uid.c
+++ b/source/smbd/uid.c
@@ -61,15 +61,18 @@ bool change_to_guest(void)
  later code can then mess with.
 ********************************************************************/
 
-static bool check_user_ok(connection_struct *conn, user_struct *vuser,int snum)
+static bool check_user_ok(connection_struct *conn, uint16_t vuid,
+			  struct auth_serversupplied_info *server_info,
+			  int snum)
 {
 	unsigned int i;
 	struct vuid_cache_entry *ent = NULL;
 	bool readonly_share;
+	bool admin_user;
 
 	for (i=0; i<VUID_CACHE_SIZE; i++) {
 		ent = &conn->vuid_cache.array[i];
-		if (ent->vuid == vuser->vuid) {
+		if (ent->vuid == vuid) {
 			conn->server_info = ent->server_info;
 			conn->read_only = ent->read_only;
 			conn->admin_user = ent->admin_user;
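Review bot: With `vuid` and `server_info` now passed separately, nothing in check_user_ok ties the two together, yet the access decision (`read_only`, `admin_user`) and a server_info copy are cached under `vuid` and replayed by the cache-hit loop in this hunk. The caller shown in the last hunk passes `vuser->server_info` together with `vuid`, so behaviour is unchanged today, but a future caller that pairs them wrongly would cache one session's rights under another session's key. The header comment should record the contract, for example `vuid is used only as the cache key; server_info must be the non-NULL session that vuid refers to, because the access decision is cached per vuid.` The function body continues outside this hunk.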
@@ -77,20 +80,18 @@ static bool check_user_ok(connection_struct *conn, user_struct *vuser,int snum)
 		}
 	}
 
-	if (!user_ok_token(vuser->server_info->unix_name,
-			   pdb_get_domain(vuser->server_info->sam_account),
-			   vuser->server_info->ptok,
-			   snum))
+	if (!user_ok_token(server_info->unix_name,
+			   pdb_get_domain(server_info->sam_account),
+			   server_info->ptok, snum))
 		return(False);
 
 	readonly_share = is_share_read_only_for_token(
-		vuser->server_info->unix_name,
-		pdb_get_domain(vuser->server_info->sam_account),
-		vuser->server_info->ptok,
-		SNUM(conn));
+		server_info->unix_name,
+		pdb_get_domain(server_info->sam_account),
+		server_info->ptok, snum);
 
 	if (!readonly_share &&
-	    !share_access_check(vuser->server_info->ptok, lp_servicename(snum),
+	    !share_access_check(server_info->ptok, lp_servicename(snum),
 				FILE_WRITE_DATA)) {
 		/* smb.conf allows r/w, but the security descriptor denies
 		 * write. Fall back to looking at readonly. */
@@ -99,12 +100,17 @@ static bool check_user_ok(connection_struct *conn, user_struct *vuser,int snum)
 			 "security descriptor\n"));
 	}
 
-	if (!share_access_check(vuser->server_info->ptok, lp_servicename(snum),
+	if (!share_access_check(server_info->ptok, lp_servicename(snum),
 				readonly_share ?
 				FILE_READ_DATA : FILE_WRITE_DATA)) {
 		return False;
 	}
 
+	admin_user = token_contains_name_in_list(
+		server_info->unix_name,
+		pdb_get_domain(server_info->sam_account),
+		NULL, server_info->ptok, lp_admin_users(snum));
+
 	ent = &conn->vuid_cache.array[conn->vuid_cache.next_entry];
 
 	conn->vuid_cache.next_entry =
@@ -118,22 +124,16 @@ static bool check_user_ok(connection_struct *conn, user_struct *vuser,int snum)
 	 */
 
 	ent->server_info = copy_serverinfo(
-		conn,
-		conn->force_user ? conn->server_info : vuser->server_info);
+		conn, conn->force_user ? conn->server_info : server_info);
 
 	if (ent->server_info == NULL) {
 		ent->vuid = UID_FIELD_INVALID;
 		return false;
 	}
 
-	ent->vuid = vuser->vuid;
+	ent->vuid = vuid;
 	ent->read_only = readonly_share;
-
-	ent->admin_user = token_contains_name_in_list(
-		vuser->server_info->unix_name,
-		pdb_get_domain(vuser->server_info->sam_account),
-		NULL, vuser->server_info->ptok,
-		lp_admin_users(SNUM(conn)));
+	ent->admin_user = admin_user;
 
 	conn->read_only = ent->read_only;
 	conn->admin_user = ent->admin_user;
@@ -143,6 +143,28 @@ static bool check_user_ok(connection_struct *conn, user_struct *vuser,int snum)
 }
 
 /****************************************************************************
+ Clear a vuid out of the connection's vuid cache
+****************************************************************************/
+
+void conn_clear_vuid_cache(connection_struct *conn, uint16_t vuid)
+{
+	int i;
+
+	for (i=0; i<VUID_CACHE_SIZE; i++) {
+		struct vuid_cache_entry *ent;
+
+		ent = &conn->vuid_cache.array[i];
+
+		if (ent->vuid == vuid) {
+			ent->vuid = UID_FIELD_INVALID;
+			TALLOC_FREE(ent->server_info);
+			ent->read_only = False;
+			ent->admin_user = False;
+		}
+	}
+}
+
+/****************************************************************************
  Become the user of a connection number without changing the security context
  stack, but modify the current_user entries.
 ****************************************************************************/
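Review bot: `TALLOC_FREE(ent->server_info)` in the new conn_clear_vuid_cache releases an object that `conn->server_info` may still point to, because the cache-hit path in check_user_ok assigns `conn->server_info = ent->server_info` without copying. Nothing in this function resets or re-points `conn->server_info`, so a later read of it before the next successful change_to_user would touch freed memory; whether such a read exists is outside the visible hunks. A guard before the free such as `if (conn->server_info == ent->server_info) { conn->server_info = NULL; }` (provided readers of `conn->server_info` tolerate NULL), or a comment explaining why the alias cannot be live at this point, would close the gap. Separately, the loop counter is declared `int i`, where the loop it replaces in conn.c and the one in check_user_ok use `unsigned int i`.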
@@ -175,7 +197,7 @@ bool change_to_user(connection_struct *conn, uint16 vuid)
 			 "user\n"));
 		return(True);
 	} else if ((current_user.conn == conn) && 
-		   (vuser != 0) && (current_user.vuid == vuid) && 
+		   (vuser != NULL) && (current_user.vuid == vuid) &&
 		   (current_user.ut.uid == vuser->server_info->uid)) {
 		DEBUG(4,("change_to_user: Skipping user change - already "
 			 "user\n"));
@@ -184,7 +206,7 @@ bool change_to_user(connection_struct *conn, uint16 vuid)
 
 	snum = SNUM(conn);
 
-	if ((vuser) && !check_user_ok(conn, vuser, snum)) {
+	if ((vuser) && !check_user_ok(conn, vuid, vuser->server_info, snum)) {
 		DEBUG(2,("change_to_user: SMB user %s (unix user %s, vuid %d) "
 			 "not permitted access to share %s.\n",
 			 vuser->server_info->sanitized_username,


-- 
Samba Shared Repository

