static bool check_user_ok(connection_struct *conn,
uint16_t vuid,
const struct auth_serversupplied_info *session_info,
int snum)
{
bool valid_vuid = (vuid != UID_FIELD_INVALID);
unsigned int i;
bool readonly_share;
bool admin_user;
if (valid_vuid) {
struct vuid_cache_entry *ent;
for (i=0; i<VUID_CACHE_SIZE; i++) {
ent = &conn->vuid_cache.array[i];
if (ent->vuid == vuid) {
free_conn_session_info_if_unused(conn);
conn->session_info = ent->session_info;
conn->read_only = ent->read_only;
return(True);
}
}
}
if (!user_ok_token(session_info->unix_name,
session_info->info3->base.domain.string,
session_info->security_token, snum))
return(False);
readonly_share = is_share_read_only_for_token(
session_info->unix_name,
session_info->info3->base.domain.string,
session_info->security_token,
conn);
if (!readonly_share &&
!share_access_check(session_info->security_token,
lp_servicename(snum), FILE_WRITE_DATA,
NULL)) {
/* smb.conf allows r/w, but the security descriptor denies
* write. Fall back to looking at readonly. */
readonly_share = True;
DEBUG(5,("falling back to read-only access-evaluation due to "
"security descriptor\n"));
}
if (!share_access_check(session_info->security_token,
lp_servicename(snum),
readonly_share ?
FILE_READ_DATA : FILE_WRITE_DATA,
NULL)) {
return False;
}
admin_user = token_contains_name_in_list(
session_info->unix_name,
session_info->info3->base.domain.string,
NULL, session_info->security_token, lp_admin_users(snum));
if (valid_vuid) {
struct vuid_cache_entry *ent =
&conn->vuid_cache.array[conn->vuid_cache.next_entry];
conn->vuid_cache.next_entry =
(conn->vuid_cache.next_entry + 1) % VUID_CACHE_SIZE;
TALLOC_FREE(ent->session_info);
/*
* If force_user was set, all session_info's are based on the same
* username-based faked one.
*/
ent->session_info = copy_serverinfo(
conn, conn->force_user ? conn->session_info : session_info);
if (ent->session_info == NULL) {
ent->vuid = UID_FIELD_INVALID;
return false;
}
ent->vuid = vuid;
ent->read_only = readonly_share;
free_conn_session_info_if_unused(conn);
conn->session_info = ent->session_info;
}
conn->read_only = readonly_share;
if (admin_user) {
DEBUG(2,("check_user_ok: user %s is an admin user. "
"Setting uid as %d\n",
conn->session_info->unix_name,
sec_initial_uid() ));
conn->session_info->utok.uid = sec_initial_uid();
}
return(True);
}
static bool check_user_ok(connection_struct *conn,
uint64_t vuid,
const struct auth_session_info *session_info,
int snum)
{
unsigned int i;
bool readonly_share = false;
bool admin_user = false;
struct vuid_cache_entry *ent = NULL;
uint32_t share_access = 0;
NTSTATUS status;
for (i=0; i<VUID_CACHE_SIZE; i++) {
ent = &conn->vuid_cache->array[i];
if (ent->vuid == vuid) {
if (vuid == UID_FIELD_INVALID) {
/*
* Slow path, we don't care
* about the array traversal.
*/
continue;
}
free_conn_session_info_if_unused(conn);
conn->session_info = ent->session_info;
conn->read_only = ent->read_only;
conn->share_access = ent->share_access;
return(True);
}
}
status = check_user_share_access(conn,
session_info,
&share_access,
&readonly_share);
if (!NT_STATUS_IS_OK(status)) {
return false;
}
admin_user = token_contains_name_in_list(
session_info->unix_info->unix_name,
session_info->info->domain_name,
NULL, session_info->security_token, lp_admin_users(snum));
ent = &conn->vuid_cache->array[conn->vuid_cache->next_entry];
conn->vuid_cache->next_entry =
(conn->vuid_cache->next_entry + 1) % VUID_CACHE_SIZE;
TALLOC_FREE(ent->session_info);
/*
* If force_user was set, all session_info's are based on the same
* username-based faked one.
*/
ent->session_info = copy_session_info(
conn, conn->force_user ? conn->session_info : session_info);
if (ent->session_info == NULL) {
ent->vuid = UID_FIELD_INVALID;
return false;
}
/*
* It's actually OK to call check_user_ok() with
* vuid == UID_FIELD_INVALID as called from change_to_user_by_session().
* All this will do is throw away one entry in the cache.
*/
ent->vuid = vuid;
ent->read_only = readonly_share;
ent->share_access = share_access;
free_conn_session_info_if_unused(conn);
conn->session_info = ent->session_info;
if (vuid == UID_FIELD_INVALID) {
/*
* Not strictly needed, just make it really
* clear this entry is actually an unused one.
*/
ent->read_only = false;
ent->share_access = 0;
ent->session_info = NULL;
}
conn->read_only = readonly_share;
conn->share_access = share_access;
if (admin_user) {
DEBUG(2,("check_user_ok: user %s is an admin user. "
"Setting uid as %d\n",
conn->session_info->unix_info->unix_name,
sec_initial_uid() ));
conn->session_info->unix_token->uid = sec_initial_uid();
}
return(True);
}
