BOOL authorise_login(int snum, fstring user, DATA_BLOB password, BOOL *guest) { BOOL ok = False; #ifdef DEBUG_PASSWORD DEBUG(100,("authorise_login: checking authorisation on user=%s pass=%s\n", user,password.data)); #endif *guest = False; /* there are several possibilities: 1) login as the given user with given password 2) login as a previously registered username with the given password 3) login as a session list username with the given password 4) login as a previously validated user/password pair 5) login as the "user ="******"user ="******""); if (!user_list) return(False); for (auser=strtok(user_list,LIST_SEP); !ok && auser; auser = strtok(NULL,LIST_SEP)) { fstring user2; fstrcpy(user2,auser); if (!user_ok(user2,snum, NULL, 0)) continue; if (password_ok(user2,password)) { ok = True; fstrcpy(user,user2); DEBUG(3,("authorise_login: ACCEPTED: session list username (%s) \ and given password ok\n", user)); } } SAFE_FREE(user_list); }
/****************************************************************************
 Decide whether vuser may use share snum over this connection and set
 conn->read_only / conn->admin_user to match.

 The verdict is memoised per vuid in conn->vuid_cache: a hit restores the
 cached flags without repeating the user and share-access checks.

 NOTE(review): nothing in this function ever invalidates a cached entry;
 it assumes the cache is cleared elsewhere when a vuid is logged off or
 reused — confirm against the vuid teardown path.

 Returns True when the user is permitted, False otherwise.
****************************************************************************/
static BOOL check_user_ok(connection_struct *conn, user_struct *vuser,int snum)
{
	struct vuid_cache_entry *slot;
	unsigned int idx, limit;
	BOOL read_only;

	/* Fast path: a verdict already recorded for this vuid. */
	limit = conn->vuid_cache.entries;
	if (limit > VUID_CACHE_SIZE) {
		limit = VUID_CACHE_SIZE;
	}
	for (idx = 0; idx < limit; idx++) {
		slot = &conn->vuid_cache.array[idx];
		if (slot->vuid != vuser->vuid) {
			continue;
		}
		conn->read_only = slot->read_only;
		conn->admin_user = slot->admin_user;
		return True;
	}

	/* Per-share user check (name plus supplementary groups). */
	if (!user_ok(vuser->user.unix_name, snum,
		     vuser->groups, vuser->n_groups)) {
		return False;
	}

	/* Start from the smb.conf read-only verdict; if smb.conf allows
	 * writes but the share's security descriptor denies FILE_WRITE_DATA,
	 * fall back to treating the share as read-only for this user. */
	read_only = is_share_read_only_for_user(conn, vuser);
	if (!read_only &&
	    !share_access_check(conn, snum, vuser, FILE_WRITE_DATA)) {
		read_only = True;
	}

	/* The descriptor must still grant the access level we settled on
	 * (read for a read-only share, write otherwise), else deny. */
	if (!share_access_check(conn, snum, vuser,
				read_only ? FILE_READ_DATA : FILE_WRITE_DATA)) {
		return False;
	}

	/* Record the verdict. NOTE(review): once the cache is full, entries
	 * stops at VUID_CACHE_SIZE, so entries % VUID_CACHE_SIZE is always 0
	 * and every later insert overwrites slot 0 — preserved as-is here. */
	idx = conn->vuid_cache.entries % VUID_CACHE_SIZE;
	if (conn->vuid_cache.entries < VUID_CACHE_SIZE) {
		conn->vuid_cache.entries++;
	}
	slot = &conn->vuid_cache.array[idx];
	slot->vuid = vuser->vuid;
	slot->read_only = read_only;
	slot->admin_user = user_in_list(vuser->user.unix_name,
					lp_admin_users(conn->service),
					vuser->groups, vuser->n_groups)
				? True : False;

	conn->read_only = slot->read_only;
	conn->admin_user = slot->admin_user;
	return True;
}
/****************************************************************************
 Decide whether vuser may use share snum over this connection.

 The result is memoised by UNIX uid in conn->uid_cache, so any later
 vuser that maps to an already-cached uid is accepted without re-running
 user_ok(). NOTE(review): the cache is never invalidated here; it assumes
 some other path clears it — confirm.

 Returns True when the user is permitted, False otherwise.
****************************************************************************/
static BOOL check_user_ok(connection_struct *conn, user_struct *vuser,int snum)
{
	int slot;

	/* Already vetted on this connection? */
	for (slot = 0; slot < conn->uid_cache.entries; slot++) {
		if (conn->uid_cache.list[slot] == vuser->uid) {
			return True;
		}
	}

	if (!user_ok(vuser->user.unix_name, snum)) {
		return False;
	}

	/* Remember this uid. NOTE(review): once entries reaches
	 * UID_CACHE_SIZE it stops growing, so the slot index is always 0
	 * and later inserts keep overwriting slot 0 — preserved as-is. */
	slot = conn->uid_cache.entries % UID_CACHE_SIZE;
	conn->uid_cache.list[slot] = vuser->uid;
	if (conn->uid_cache.entries < UID_CACHE_SIZE) {
		conn->uid_cache.entries++;
	}
	return True;
}
/**************************************************************************** check for authority to login to a service with a given username/password ****************************************************************************/ BOOL authorise_login(int snum,char *user,char *password, int pwlen, BOOL *guest,BOOL *force,uint16 vuid) { BOOL ok = False; *guest = False; #if DEBUG_PASSWORD DEBUG(100,("checking authorisation on user=%s pass=%s\n",user,password)); #endif /* there are several possibilities: 1) login as the given user with given password 2) login as a previously registered username with the given password 3) login as a session list username with the given password 4) login as a previously validated user/password pair 5) login as the "user ="******"user ="******"ACCEPTED: given username password ok\n")); } /* check for a previously registered guest username */ if (!ok && (vuser != 0) && vuser->guest) { if (user_ok(vuser->name,snum) && password_ok(vuser->name, password, pwlen, NULL)) { pstrcpy(user, vuser->name); vuser->guest = False; DEBUG(3,("ACCEPTED: given password with registered user %s\n", user)); ok = True; } } /* now check the list of session users */ if (!ok) { char *auser; char *user_list = strdup(session_users); if (!user_list) return(False); for (auser=strtok(user_list,LIST_SEP); !ok && auser; auser = strtok(NULL,LIST_SEP)) { fstring user2; fstrcpy(user2,auser); if (!user_ok(user2,snum)) continue; if (password_ok(user2,password, pwlen, NULL)) { ok = True; pstrcpy(user,user2); DEBUG(3,("ACCEPTED: session list username and given password ok\n")); } } free(user_list); } /* check for a previously validated username/password pair */ if (!ok && (!lp_revalidate(snum) || lp_security() > SEC_SHARE) && (vuser != 0) && !vuser->guest && user_ok(vuser->name,snum)) { pstrcpy(user,vuser->name); *guest = False; DEBUG(3,("ACCEPTED: validated uid ok as non-guest\n")); ok = True; } /* check for a rhosts entry */ if (!ok && user_ok(user,snum) && 
check_hosts_equiv(user)) { ok = True; DEBUG(3,("ACCEPTED: hosts equiv or rhosts entry\n")); } /* check the user= fields and the given password */ if (!ok && lp_username(snum)) { char *auser; pstring user_list; StrnCpy(user_list,lp_username(snum),sizeof(pstring)); string_sub(user_list,"%S",lp_servicename(snum)); for (auser=strtok(user_list,LIST_SEP); auser && !ok; auser = strtok(NULL,LIST_SEP)) { if (*auser == '@') { auser = validate_group(auser+1,password,pwlen,snum); if (auser) { ok = True; pstrcpy(user,auser); DEBUG(3,("ACCEPTED: group username and given password ok\n")); } } else { fstring user2; fstrcpy(user2,auser); if (user_ok(user2,snum) && password_ok(user2,password,pwlen,NULL)) { ok = True; pstrcpy(user,user2); DEBUG(3,("ACCEPTED: user list username and given password ok\n")); } } } } } /* not guest only */ /* check for a normal guest connection */ if (!ok && GUEST_OK(snum)) { fstring guestname; StrnCpy(guestname,lp_guestaccount(snum),sizeof(guestname)-1); if (Get_Pwnam(guestname,True)) { pstrcpy(user,guestname); ok = True; DEBUG(3,("ACCEPTED: guest account and guest ok\n")); } else DEBUG(0,("Invalid guest account %s??\n",guestname)); *guest = True; *force = True; } if (ok && !user_ok(user,snum)) { DEBUG(0,("rejected invalid user %s\n",user)); ok = False; } return(ok); }
BOOL authorise_login(int snum, fstring user, DATA_BLOB password, BOOL *guest) { BOOL ok = False; #ifdef DEBUG_PASSWORD DEBUG(100,("authorise_login: checking authorisation on " "user=%s pass=%s\n", user,password.data)); #endif *guest = False; /* there are several possibilities: 1) login as the given user with given password 2) login as a previously registered username with the given password 3) login as a session list username with the given password 4) login as a previously validated user/password pair 5) login as the "user ="******"user ="******""); if (!user_list) return(False); for (auser=strtok(user_list,LIST_SEP); !ok && auser; auser = strtok(NULL,LIST_SEP)) { fstring user2; fstrcpy(user2,auser); if (!user_ok(user2,snum)) continue; if (password_ok(user2,password)) { ok = True; fstrcpy(user,user2); DEBUG(3,("authorise_login: ACCEPTED: session " "list username (%s) and given " "password ok\n", user)); } } SAFE_FREE(user_list); } /* check the user= fields and the given password */ if (!ok && lp_username(snum)) { char *auser; pstring user_list; pstrcpy(user_list,lp_username(snum)); pstring_sub(user_list,"%S",lp_servicename(snum)); for (auser=strtok(user_list,LIST_SEP); auser && !ok; auser = strtok(NULL,LIST_SEP)) { if (*auser == '@') { auser = validate_group(auser+1,password,snum); if (auser) { ok = True; fstrcpy(user,auser); DEBUG(3,("authorise_login: ACCEPTED: " "group username and given " "password ok (%s)\n", user)); } } else { fstring user2; fstrcpy(user2,auser); if (user_ok(user2,snum) && password_ok(user2,password)) { ok = True; fstrcpy(user,user2); DEBUG(3,("authorise_login: ACCEPTED: " "user list username and " "given password ok (%s)\n", user)); } } } } /* check for a normal guest connection */ if (!ok && GUEST_OK(snum)) { fstring guestname; fstrcpy(guestname,lp_guestaccount()); if (Get_Pwnam(guestname)) { fstrcpy(user,guestname); ok = True; DEBUG(3,("authorise_login: ACCEPTED: guest account " "and guest ok (%s)\n", user)); } else { 
DEBUG(0,("authorise_login: Invalid guest account " "%s??\n",guestname)); } *guest = True; } if (ok && !user_ok(user, snum)) { DEBUG(0,("authorise_login: rejected invalid user %s\n",user)); ok = False; } return(ok); }
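/****************************************************************************
 Validate a "@group" entry from a share's user list: look for a member of
 the named netgroup (if built with HAVE_NETGROUP) or UNIX group (if built
 with HAVE_GETGRENT) whose account passes user_ok() for share snum and
 whose password matches the client-supplied blob.

 Returns the matching username in a static buffer (valid until the next
 call; callers copy it immediately), or NULL when no member validates.

 Fixes over the previous version:
  - the packed member list advanced its write cursor by the running total
    (member += copied_len) instead of by the current name's length, so
    names were written at ever-growing offsets with uninitialised stack
    between them and, with enough members, past the end of member_list;
  - the list was only NUL-terminated when a name failed to fit, so the
    walk could read uninitialised bytes after the last copied name.
****************************************************************************/
static char *validate_group(char *group, DATA_BLOB password,int snum)
{
	/* Shared result buffer: the caller never receives a pointer into
	 * libc's netgroup/group state, which endnetgrent()/endgrent() or a
	 * recursive lookup may reuse. */
	static fstring name;

#ifdef HAVE_NETGROUP
	{
		char *host, *user, *domain;

		setnetgrent(group);
		while (getnetgrent(&host, &user, &domain)) {
			if (!user) {
				continue;
			}
			if (user_ok(user, snum) && password_ok(user,password)) {
				/* Copy before endnetgrent(): the triple is
				 * owned by libc and not guaranteed to outlive it. */
				fstrcpy(name, user);
				endnetgrent();
				return name;
			}
		}
		endnetgrent();
	}
#endif

#ifdef HAVE_GETGRENT
	{
		struct group *gptr;
		pstring member_list;
		char *member;
		size_t copied_len = 0;
		int i;

		setgrent();
		while ((gptr = getgrent())) {
			if (strequal(gptr->gr_name,group)) {
				break;
			}
		}
		if (!gptr) {
			endgrent();
			return NULL;
		}

		/*
		 * As user_ok can recurse doing a getgrent(), we must copy the
		 * member list into a pstring on the stack before use: a packed
		 * sequence of NUL-terminated names ended by an empty string.
		 * Bug pointed out by [email protected].
		 */
		member_list[0] = '\0';
		member = member_list;
		for (i = 0; gptr->gr_mem && gptr->gr_mem[i]; i++) {
			size_t member_len = strlen(gptr->gr_mem[i]) + 1;

			/* Strict '<' leaves one byte for the list terminator. */
			if (copied_len + member_len >= sizeof(pstring)) {
				/* Name does not fit: skip it, keep scanning. */
				continue;
			}
			DEBUG(10,("validate_group: = gr_mem = "
				  "%s\n", gptr->gr_mem[i]));
			/* safe_strcpy's bound excludes the NUL it appends. */
			safe_strcpy(member, gptr->gr_mem[i],
				    sizeof(pstring) - copied_len - 1);
			copied_len += member_len;
			/* Advance by this name only, not the running total. */
			member += member_len;
		}
		/* Always terminate the list explicitly. */
		*member = '\0';
		endgrent();

		for (member = member_list; *member;
		     member += strlen(member) + 1) {
			/* Truncate to fstring, as the previous version did. */
			fstrcpy(name, member);
			if (user_ok(name,snum) && password_ok(name,password)) {
				return name;
			}
			DEBUG(10,("validate_group = member = %s\n", member));
		}
	}
#endif
	return(NULL);
}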
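/****************************************************************************
 Validate a "@group" entry from a share's user list: look for a member of
 the named netgroup (if built with HAVE_NETGROUP) or UNIX group (if built
 with HAVE_GETGRENT) whose account passes user_ok() for share snum and
 whose password matches the client-supplied blob.

 Returns the matching username duplicated on talloc_tos() (the caller does
 not free it), or NULL when no member validates or allocation fails.

 Fix over the previous version: the heap member list was sized with one
 spare byte but that byte was never written, so after the last copied name
 the walk compared an uninitialised byte (and could strlen() off the end
 of the buffer). The list is now terminated explicitly.
****************************************************************************/
static char *validate_group(char *group, DATA_BLOB password,int snum)
{
#ifdef HAVE_NETGROUP
	{
		char *host, *user, *domain;

		setnetgrent(group);
		while (getnetgrent(&host, &user, &domain)) {
			if (!user) {
				continue;
			}
			if (user_ok(user, snum) && password_ok(user,password)) {
				/* Duplicate before endnetgrent(): the triple is
				 * owned by libc and not guaranteed to outlive it.
				 * Same talloc_tos() lifetime as the group path. */
				char *name = talloc_strdup(talloc_tos(), user);
				endnetgrent();
				return name;
			}
		}
		endnetgrent();
	}
#endif

#ifdef HAVE_GETGRENT
	{
		struct group *gptr;
		char *member_list = NULL;
		char *member;
		size_t list_len = 0;
		int i;

		setgrent();
		while ((gptr = getgrent())) {
			if (strequal(gptr->gr_name,group)) {
				break;
			}
		}
		if (!gptr) {
			endgrent();
			return NULL;
		}

		/*
		 * As user_ok can recurse doing a getgrent(), we must copy the
		 * member list onto the heap before use: a packed sequence of
		 * NUL-terminated names ended by an empty string.
		 * Bug pointed out by [email protected].
		 */
		for (i = 0; gptr->gr_mem && gptr->gr_mem[i]; i++) {
			list_len += strlen(gptr->gr_mem[i]) + 1;
		}
		list_len++;	/* room for the terminating empty string */

		member_list = (char *)SMB_MALLOC(list_len);
		if (!member_list) {
			endgrent();
			return NULL;
		}

		member = member_list;
		for (i = 0; gptr->gr_mem && gptr->gr_mem[i]; i++) {
			size_t member_len = strlen(gptr->gr_mem[i]) + 1;
			size_t room = list_len - (size_t)(member - member_list);

			DEBUG(10,("validate_group: = gr_mem = "
				  "%s\n", gptr->gr_mem[i]));
			/* safe_strcpy's bound excludes the NUL it appends;
			 * room >= member_len + 1 by construction. */
			safe_strcpy(member, gptr->gr_mem[i], room - 1);
			member += member_len;
		}
		/* SMB_MALLOC does not zero the buffer: terminate explicitly. */
		*member = '\0';
		endgrent();

		for (member = member_list; *member;
		     member += strlen(member) + 1) {
			if (user_ok(member,snum) && password_ok(member,password)) {
				char *name = talloc_strdup(talloc_tos(), member);
				SAFE_FREE(member_list);
				return name;
			}
			DEBUG(10,("validate_group = member = %s\n", member));
		}
		SAFE_FREE(member_list);
	}
#endif
	return(NULL);
}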
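/****************************************************************************
 Validate a group username entry. Return the username or NULL.

 Tries, in order: members of the netgroup (if built with NETGROUP), members
 of the UNIX group (if HAVE_GETGRNAM), and — if GROUP_CHECK_PWENT — any
 passwd entry with a non-empty password field whose primary gid is the
 group's. The first candidate that passes user_ok() for share snum and
 password_ok() with the supplied password/pwlen wins.

 Returns the matching username in a static buffer (valid until the next
 call; callers copy it immediately), or NULL.

 Fix over the previous version: the gr_mem array of the static struct
 returned by getgrnam() was walked while calling user_ok()/password_ok(),
 which can themselves consult the group database and overwrite that
 struct (the same recursion bug later documented for getgrent()). The
 member names and gid are now snapshotted before any callback runs.
****************************************************************************/
static char *validate_group(char *group,char *password,int pwlen,int snum)
{
	/* Shared result buffer: the caller never receives a pointer into
	 * libc's netgroup/group/passwd state. */
	static fstring name;

#ifdef NETGROUP
	{
		char *host, *user, *domain;

		setnetgrent(group);
		while (getnetgrent(&host, &user, &domain)) {
			if (!user) {
				continue;
			}
			if (user_ok(user, snum) &&
			    password_ok(user,password,pwlen,NULL)) {
				/* Copy before endnetgrent(): the triple is
				 * owned by libc and not guaranteed to outlive it. */
				fstrcpy(name, user);
				endnetgrent();
				return name;
			}
		}
		endnetgrent();
	}
#endif

#if HAVE_GETGRNAM
	{
		struct group *gptr = getgrnam(group);

		if (gptr) {
			/* Packed NUL-separated member names, ended by an
			 * empty string; built before any callback can clobber
			 * *gptr. Names that do not fit are skipped. */
			pstring member_list;
			char *member;
			char **mp;
			size_t used = 0;
			gid_t gid = gptr->gr_gid;

			for (mp = gptr->gr_mem; mp && *mp; mp++) {
				size_t len = strlen(*mp) + 1;

				/* Strict '<' keeps a byte for the terminator. */
				if (used + len >= sizeof(member_list)) {
					continue;
				}
				memcpy(member_list + used, *mp, len);
				used += len;
			}
			member_list[used] = '\0';

			for (member = member_list; *member;
			     member += strlen(member) + 1) {
				/* Truncate to fstring, as before. */
				fstrcpy(name, member);
				if (user_ok(name,snum) &&
				    password_ok(name,password,pwlen,NULL)) {
					return name;
				}
			}

#ifdef GROUP_CHECK_PWENT
			{
				struct passwd *pwd;

				setpwent();
				while ((pwd = getpwent()) != NULL) {
					/* Only entries that carry a password
					 * field and share the group's gid. */
					if (*(pwd->pw_passwd) &&
					    pwd->pw_gid == gid) {
						if (password_ok(NULL, password,
								pwlen, pwd)) {
							fstrcpy(name, pwd->pw_name);
							endpwent();
							return name;
						}
					}
				}
				endpwent();
			}
#endif /* GROUP_CHECK_PWENT */
		}
	}
#endif
	return(NULL);
}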