[SCM] Samba Shared Repository - branch master updated

Volker Lendecke vlendec at samba.org
Sun Aug 22 06:29:08 MDT 2010


The branch, master has been updated
       via  de95124... s3: Move check_access to cgi.c, its only user
       via  70c5bed... s3: Replace calls to check_access by allow_access
      from  bc69a9d... Avoid use of Samba DTD, which requires net access.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit de951249356a3705fc2a3c51575134415ac0ea05
Author: Volker Lendecke <vl at samba.org>
Date:   Wed Aug 18 16:50:26 2010 +0200

    s3: Move check_access to cgi.c, its only user

commit 70c5bed4b2ca4660e8a06cee6d4e813744cc7be8
Author: Volker Lendecke <vl at samba.org>
Date:   Wed Aug 18 16:48:20 2010 +0200

    s3: Replace calls to check_access by allow_access
    
    We already have both the name and address of the client stored now

-----------------------------------------------------------------------

Summary of changes:
 source3/include/proto.h             |    1 -
 source3/lib/access.c                |   85 ++---------------------------------
 source3/rpc_server/srv_spoolss_nt.c |    4 +-
 source3/smbd/process.c              |   10 +++--
 source3/smbd/service.c              |    9 ++--
 source3/web/cgi.c                   |   81 +++++++++++++++++++++++++++++++++
 6 files changed, 98 insertions(+), 92 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/include/proto.h b/source3/include/proto.h
index a389966..50309a9 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -351,7 +351,6 @@ bool allow_access(const char **deny_list,
 		const char **allow_list,
 		const char *cname,
 		const char *caddr);
-bool check_access(int sock, const char **allow_list, const char **deny_list);
 
 /* The following definitions come from passdb/account_pol.c  */
 
diff --git a/source3/lib/access.c b/source3/lib/access.c
index 9808218..1293dc0 100644
--- a/source3/lib/access.c
+++ b/source3/lib/access.c
@@ -328,88 +328,11 @@ bool allow_access(const char **deny_list,
 
 	ret = allow_access_internal(deny_list, allow_list, nc_cname, nc_caddr);
 
+	DEBUG(ret ? 3 : 0,
+	      ("%s connection from %s (%s)\n",
+	       ret ? "Allowed" : "Denied", nc_cname, nc_caddr));
+
 	SAFE_FREE(nc_cname);
 	SAFE_FREE(nc_caddr);
 	return ret;
 }
-
-/* return true if the char* contains ip addrs only.  Used to avoid
-name lookup calls */
-
-static bool only_ipaddrs_in_list(const char **list)
-{
-	bool only_ip = true;
-
-	if (!list) {
-		return true;
-	}
-
-	for (; *list ; list++) {
-		/* factor out the special strings */
-		if (strequal(*list, "ALL") || strequal(*list, "FAIL") ||
-		    strequal(*list, "EXCEPT")) {
-			continue;
-		}
-
-		if (!is_ipaddress(*list)) {
-			/*
-			 * If we failed, make sure that it was not because
-			 * the token was a network/netmask pair. Only
-			 * network/netmask pairs have a '/' in them.
-			 */
-			if ((strchr_m(*list, '/')) == NULL) {
-				only_ip = false;
-				DEBUG(3,("only_ipaddrs_in_list: list has "
-					"non-ip address (%s)\n",
-					*list));
-				break;
-			}
-		}
-	}
-
-	return only_ip;
-}
-
-/* return true if access should be allowed to a service for a socket */
-bool check_access(int sock, const char **allow_list, const char **deny_list)
-{
-	bool ret = false;
-	bool only_ip = false;
-	char addr[INET6_ADDRSTRLEN];
-
-	if ((!deny_list || *deny_list==0) && (!allow_list || *allow_list==0)) {
-		return true;
-	}
-
-	/* Bypass name resolution calls if the lists
-	 * only contain IP addrs */
-	if (only_ipaddrs_in_list(allow_list) &&
-	    only_ipaddrs_in_list(deny_list)) {
-		only_ip = true;
-		DEBUG (3, ("check_access: no hostnames "
-			   "in host allow/deny list.\n"));
-		ret = allow_access(deny_list,
-				   allow_list,
-				   "",
-				   get_peer_addr(sock,addr,sizeof(addr)));
-	} else {
-		DEBUG (3, ("check_access: hostnames in "
-			   "host allow/deny list.\n"));
-		ret = allow_access(deny_list,
-				   allow_list,
-				   get_peer_name(sock,true),
-				   get_peer_addr(sock,addr,sizeof(addr)));
-	}
-
-	if (ret) {
-		DEBUG(2,("Allowed connection from %s (%s)\n",
-			 only_ip ? "" : get_peer_name(sock,true),
-			 get_peer_addr(sock,addr,sizeof(addr))));
-	} else {
-		DEBUG(0,("Denied connection from %s (%s)\n",
-			 only_ip ? "" : get_peer_name(sock,true),
-			 get_peer_addr(sock,addr,sizeof(addr))));
-	}
-
-	return(ret);
-}
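Review bot: The added DEBUG in allow_access logs an accepted connection at level 3, while the check_access it replaces (removed further down in this hunk) logged "Allowed connection" at level 2, so sites that audit accepted connections at log level 2 will stop seeing those entries after this change; the copy of check_access that moves to cgi.c keeps level 2, so the two paths now disagree. If the lower level is not intended, `DEBUG(ret ? 2 : 0,` preserves the previous behaviour. The message also passes nc_cname and nc_caddr through %s; how they are built is above the hunk, so if either can be NULL at this point a guard such as `nc_cname ? nc_cname : ""` is needed. allow_access begins outside the hunk.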
diff --git a/source3/rpc_server/srv_spoolss_nt.c b/source3/rpc_server/srv_spoolss_nt.c
index 46e47f5..287c720 100644
--- a/source3/rpc_server/srv_spoolss_nt.c
+++ b/source3/rpc_server/srv_spoolss_nt.c
@@ -1642,8 +1642,8 @@ WERROR _spoolss_OpenPrinterEx(struct pipes_struct *p,
 
 		/* check smb.conf parameters and the the sec_desc */
 
-		if ( !check_access(smbd_server_fd(), lp_hostsallow(snum),
-				   lp_hostsdeny(snum)) ) {
+		if (!allow_access(lp_hostsdeny(snum), lp_hostsallow(snum),
+				  p->client_id->name, p->client_id->addr)) {
 			DEBUG(3, ("access DENIED (hosts allow/deny) for printer open\n"));
 			ZERO_STRUCTP(r->out.handle);
 			return WERR_ACCESS_DENIED;
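Review bot: The hosts allow/deny decision now matches against the client name stored in p->client_id rather than a reverse lookup performed at check time (the removed check_access only called get_peer_name(sock, true) when the lists contained hostnames), so hostname entries in the lists are evaluated against whatever name was recorded when the connection was set up; if that name can be an unresolved placeholder, a hostname rule that used to match may now fall through to the default outcome. A comment above the call would make the dependency explicit, e.g. `/* hostname rules match the name resolved at connection setup (client_id->name) */`. The same applies to the two process.c hunks (switch_message and smbd_process) and to share_sanity_checks in service.c. _spoolss_OpenPrinterEx begins and ends outside the hunk.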
diff --git a/source3/smbd/process.c b/source3/smbd/process.c
index d6acc82..126b6b7 100644
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -1554,8 +1554,9 @@ static connection_struct *switch_message(uint8 type, struct smb_request *req, in
 	/* does this protocol need to be run as guest? */
 	if ((flags & AS_GUEST)
 	    && (!change_to_guest() ||
-		!check_access(sconn->sock, lp_hostsallow(-1),
-			      lp_hostsdeny(-1)))) {
+		!allow_access(lp_hostsdeny(-1), lp_hostsallow(-1),
+			      sconn->client_id.name,
+			      sconn->client_id.addr))) {
 		reply_nterror(req, NT_STATUS_ACCESS_DENIED);
 		return conn;
 	}
@@ -2982,8 +2983,9 @@ void smbd_process(struct smbd_server_connection *sconn)
 	 * the hosts allow list.
 	 */
 
-	if (!check_access(sconn->sock, lp_hostsallow(-1),
-			  lp_hostsdeny(-1))) {
+	if (!allow_access(lp_hostsdeny(-1), lp_hostsallow(-1),
+			  sconn->client_id.name,
+			  sconn->client_id.addr)) {
 		/*
 		 * send a negative session response "not listening on calling
 		 * name"
diff --git a/source3/smbd/service.c b/source3/smbd/service.c
index ef74b39..d395572 100644
--- a/source3/smbd/service.c
+++ b/source3/smbd/service.c
@@ -424,11 +424,12 @@ int find_service(fstring service)
  This function modifies dev, ecode.
 ****************************************************************************/
 
-static NTSTATUS share_sanity_checks(int server_sock, int snum, fstring dev)
+static NTSTATUS share_sanity_checks(struct client_address *client_id, int snum,
+				    fstring dev)
 {
 	if (!lp_snum_ok(snum) || 
-	    !check_access(server_sock,
-			  lp_hostsallow(snum), lp_hostsdeny(snum))) {    
+	    !allow_access(lp_hostsdeny(snum), lp_hostsallow(snum),
+			  client_id->name, client_id->addr)) {
 		return NT_STATUS_ACCESS_DENIED;
 	}
 
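Review bot: The header comment above share_sanity_checks, whose tail is visible as "This function modifies dev, ecode.", does not describe the new client_id parameter, and ecode is not a parameter of the function at all, so the signature change is a good moment to correct it. A line such as ` client_id: name/address of the connecting client, checked against the share's hosts allow/deny lists` would document what the new argument is used for. The comment block starts outside the hunk.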
@@ -658,7 +659,7 @@ connection_struct *make_connection_snum(struct smbd_server_connection *sconn,
 
 	fstrcpy(dev, pdev);
 
-	*pstatus = share_sanity_checks(sconn->sock, snum, dev);
+	*pstatus = share_sanity_checks(&sconn->client_id, snum, dev);
 	if (NT_STATUS_IS_ERR(*pstatus)) {
 		goto err_root_exit;
 	}
diff --git a/source3/web/cgi.c b/source3/web/cgi.c
index 3d7b32c..9c9a365 100644
--- a/source3/web/cgi.c
+++ b/source3/web/cgi.c
@@ -506,6 +506,87 @@ static void cgi_download(char *file)
 
 
 
+/* return true if the char* contains ip addrs only.  Used to avoid
+name lookup calls */
+
+static bool only_ipaddrs_in_list(const char **list)
+{
+	bool only_ip = true;
+
+	if (!list) {
+		return true;
+	}
+
+	for (; *list ; list++) {
+		/* factor out the special strings */
+		if (strequal(*list, "ALL") || strequal(*list, "FAIL") ||
+		    strequal(*list, "EXCEPT")) {
+			continue;
+		}
+
+		if (!is_ipaddress(*list)) {
+			/*
+			 * If we failed, make sure that it was not because
+			 * the token was a network/netmask pair. Only
+			 * network/netmask pairs have a '/' in them.
+			 */
+			if ((strchr_m(*list, '/')) == NULL) {
+				only_ip = false;
+				DEBUG(3,("only_ipaddrs_in_list: list has "
+					"non-ip address (%s)\n",
+					*list));
+				break;
+			}
+		}
+	}
+
+	return only_ip;
+}
+
+/* return true if access should be allowed to a service for a socket */
+static bool check_access(int sock, const char **allow_list,
+			 const char **deny_list)
+{
+	bool ret = false;
+	bool only_ip = false;
+	char addr[INET6_ADDRSTRLEN];
+
+	if ((!deny_list || *deny_list==0) && (!allow_list || *allow_list==0)) {
+		return true;
+	}
+
+	/* Bypass name resolution calls if the lists
+	 * only contain IP addrs */
+	if (only_ipaddrs_in_list(allow_list) &&
+	    only_ipaddrs_in_list(deny_list)) {
+		only_ip = true;
+		DEBUG (3, ("check_access: no hostnames "
+			   "in host allow/deny list.\n"));
+		ret = allow_access(deny_list,
+				   allow_list,
+				   "",
+				   get_peer_addr(sock,addr,sizeof(addr)));
+	} else {
+		DEBUG (3, ("check_access: hostnames in "
+			   "host allow/deny list.\n"));
+		ret = allow_access(deny_list,
+				   allow_list,
+				   get_peer_name(sock,true),
+				   get_peer_addr(sock,addr,sizeof(addr)));
+	}
+
+	if (ret) {
+		DEBUG(2,("Allowed connection from %s (%s)\n",
+			 only_ip ? "" : get_peer_name(sock,true),
+			 get_peer_addr(sock,addr,sizeof(addr))));
+	} else {
+		DEBUG(0,("Denied connection from %s (%s)\n",
+			 only_ip ? "" : get_peer_name(sock,true),
+			 get_peer_addr(sock,addr,sizeof(addr))));
+	}
+
+	return(ret);
+}
 
 /**
  * @brief Setup the CGI framework.
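Review bot: check_access logs the outcome itself in the trailing `if (ret) ... else ...` block, but the allow_access it calls now emits the same "Allowed/Denied connection from %s (%s)" line (see the access.c hunk), so every SWAT access decision is logged twice and a denial twice at level 0. Removing that block and ending the function with `return ret;` avoids the duplicate; the only thing lost is the level-2 (rather than level-3) entry for accepted connections. It also removes the second get_peer_name(sock, true) call per request, which is presumably another name lookup, and the repeated get_peer_addr formatting of the same address.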

