void get_status_mod()
{
uint8_t iModNum, i;
tl_api_status_mod_t stModStatus;
if(sizeof(iModNum) == tl_mgmt_get(get_client_fd(), (uint8_t*)(&iModNum), sizeof(iModNum) ))
{
tl_log_info("\t%d modules in the system:", iModNum);
for(i=0; i<iModNum; i++)
if(sizeof(stModStatus) ==
tl_mgmt_get(get_client_fd(), (uint8_t*)(&stModStatus), sizeof(stModStatus) ))
print_status_mod(&stModStatus);
}
}
void get_status()
{
tl_api_status_t stStatus;
if(sizeof(stStatus) == tl_mgmt_get(get_client_fd(), (uint8_t*)(&stStatus), sizeof(stStatus)))
{
tl_log_info("\tSystem name: %s", stStatus.szCrossName);
tl_log_info("\t%d devices: %d OK, %d Failed",
stStatus.iDeviceNumber, stStatus.iDeviceOk, stStatus.iDeviceError);
tl_log_info("\tCritical errors %d, warnings %d", stStatus.iCritError ,stStatus.iWarning );
tl_log_info("\tWatchdog interval %d msec", stStatus.iWdInterval);
tl_log_info("\tDead Count %d", stStatus.iDeadCount);
tl_log_info("\tCommunication port: %s", stStatus.szComPort);
tl_log_info("\tCommunication timeout %d msec", stStatus.iCommTimeout);
tl_log_info("\tLoaded program: %s",
(0==stStatus.szProgLoaded[0]?"None":stStatus.szProgLoaded));
if(0 != stStatus.szProgLoaded[0])
tl_log_info("\tProgram is in state %s, executed %d times",
tl_programstate2string(stStatus.iProgState), stStatus.iProgLoop);
tl_log_info("\tDebug flags: 0x%X", stStatus.iDebugFlags);
tl_log_info("\tLog destination: %s",
(TL_LOG2NULL==stStatus.iLogDest?"none":
(TL_LOG2CONSOLE==stStatus.iLogDest?"console":
(TL_LOG2SYSLOG==stStatus.iLogDest?"syslog":"uknown"))));
tl_log_info("\tLine conflicts %d", stStatus.iLineErrors);
tl_log_info("\tSystem Uptime: %ds", stStatus.stUpTime.tv_sec);
}
}
void get_status_prog()
{
uint8_t iProgNum, i, j;
tl_api_status_prog_t stProgram;
tl_api_status_instr_t stInstruction;
if(sizeof(iProgNum) == tl_mgmt_get(get_client_fd(), (uint8_t*)(&iProgNum), sizeof(iProgNum) ))
{
tl_log_info("\t%d programs are loaded:", iProgNum);
for(i=0; i<iProgNum; i++)
{
if(sizeof(stProgram) ==
tl_mgmt_get(get_client_fd(), (uint8_t*)(&stProgram), sizeof(stProgram) ))
{
print_status_program(&stProgram);
tl_log_info(" INIT stage:");
for(j=0; j<stProgram.iInstrCount; j++)
{
if(sizeof(stInstruction) ==
tl_mgmt_get(get_client_fd(), (uint8_t*)(&stInstruction), sizeof(stInstruction) ))
{
if(j == stProgram.iLoopStep)
tl_log_info(" LOOP stage:");
if(j == stProgram.iExitStep)
tl_log_info(" EXIT stage:");
switch(stInstruction.stInstruction.iType)
{
case TL_INSTR_DELAY:
tl_log_info("\t %d. Delay %d ms",
j+1, stInstruction.stInstruction.u.iDelay);
break;
case TL_INSTR_CMD:
print_cmd_instruction(j+1, &stInstruction);
break;
default:
tl_log_info("\t %d. Unkown %d",
j+1, stInstruction.stInstruction.iType);
break;
}
}
}
}
}
}
}
static int do_cmus_save(for_each_ti_cb for_each_ti, const char *filename, save_tracks_cb save_tracks)
{
int fd, rc;
if (strcmp(filename, "-") == 0) {
if (get_client_fd() == -1) {
error_msg("saving to stdout works only remotely");
return 0;
}
fd = dup(get_client_fd());
} else
fd = open(filename, O_CREAT | O_WRONLY | O_TRUNC, 0666);
if (fd == -1)
return -1;
rc = for_each_ti(save_tracks, &fd);
close(fd);
return rc;
}
void process_status(char *szArgument, char *szValue)
{
uint8_t *pArg = NULL;
uint32_t iArgLen = 0;
uint8_t iCommand;
if(0 == strncmp(szArgument, "help", strlen("help")))
{
print_help_status();
fflush(stdout);
return;
}else if(0 == strncmp(szArgument, "system", strlen("help")))
{
iCommand = TL_API_GET_STATUS;
}else if(0 == strncmp(szArgument, "module", strlen("modules")))
{
iCommand = TL_API_GET_STATUS_MOD;
if(szValue)
{
pArg = (uint8_t*)szValue;
iArgLen = strlen(szValue) + 1;
}
}else if(0 == strncmp(szArgument, "program", strlen("program")))
{
iCommand = TL_API_GET_STATUS_PROG;
}else
{
tl_log_info("Uknown status arguments %s,%s, Usage:", szArgument, szValue);
print_help_status();
fflush(stdout);
return;
}
if(OK == tl_mgmt_send(get_client_fd(), iCommand, pArg, iArgLen))
{
switch(iCommand)
{
case TL_API_GET_STATUS:
get_status();
return;
case TL_API_GET_STATUS_MOD:
get_status_mod();
return;
case TL_API_GET_STATUS_PROG:
get_status_prog();
return;
default:
break;
}
}
}
void hf_msg(t_env *env, char *str, int fd)
{
char *usr;
int fdr;
str = str + 5;
usr = get_first_word(str);
str = str + ft_strlen(usr) + 1;
fdr = get_client_fd(usr, env->users_list);
if (fdr == -1)
add_to_queue(env, "There is no such user", fd);
else
{
add_to_queue(env, str, fdr);
}
free(usr);
}
void process_program(char *szArgument, char *szValue)
{
tl_api_program_t stProgram;
if(0 == strncmp(szArgument, "help", strlen("help")))
{
print_help_program();
fflush(stdout);
return;
}else if(0 == strncmp(szArgument, "replace", strlen("replace")))
{
stProgram.iType = TL_PROGRAM_REPLACE;
strncpy(stProgram.szProgName, szValue, 128); stProgram.szProgName[127]=0;
}else
{
tl_log_info("Uknown status arguments %s,%s, Usage:", szArgument, szValue);
print_help_status();
fflush(stdout);
return;
}
tl_mgmt_send(get_client_fd(), TL_API_SET_PROGRAM, (uint8_t*)&stProgram, sizeof(stProgram) );
}
connection_struct *make_connection_snum(struct smbd_server_connection *sconn,
int snum, user_struct *vuser,
DATA_BLOB password,
const char *pdev,
NTSTATUS *pstatus)
{
connection_struct *conn;
struct smb_filename *smb_fname_cpath = NULL;
fstring dev;
int ret;
char addr[INET6_ADDRSTRLEN];
bool on_err_call_dis_hook = false;
NTSTATUS status;
fstrcpy(dev, pdev);
if (NT_STATUS_IS_ERR(*pstatus = share_sanity_checks(snum, dev))) {
return NULL;
}
conn = conn_new(sconn);
if (!conn) {
DEBUG(0,("Couldn't find free connection.\n"));
*pstatus = NT_STATUS_INSUFFICIENT_RESOURCES;
return NULL;
}
conn->params->service = snum;
status = create_connection_server_info(sconn,
conn, snum, vuser ? vuser->server_info : NULL, password,
&conn->server_info);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("create_connection_server_info failed: %s\n",
nt_errstr(status)));
*pstatus = status;
conn_free(conn);
return NULL;
}
if ((lp_guest_only(snum)) || (lp_security() == SEC_SHARE)) {
conn->force_user = true;
}
add_session_user(sconn, conn->server_info->unix_name);
safe_strcpy(conn->client_address,
client_addr(get_client_fd(),addr,sizeof(addr)),
sizeof(conn->client_address)-1);
conn->num_files_open = 0;
conn->lastused = conn->lastused_count = time(NULL);
conn->used = True;
conn->printer = (strncmp(dev,"LPT",3) == 0);
conn->ipc = ( (strncmp(dev,"IPC",3) == 0) ||
( lp_enable_asu_support() && strequal(dev,"ADMIN$")) );
/* Case options for the share. */
if (lp_casesensitive(snum) == Auto) {
/* We will be setting this per packet. Set to be case
* insensitive for now. */
conn->case_sensitive = False;
} else {
conn->case_sensitive = (bool)lp_casesensitive(snum);
}
conn->case_preserve = lp_preservecase(snum);
conn->short_case_preserve = lp_shortpreservecase(snum);
conn->encrypt_level = lp_smb_encrypt(snum);
conn->veto_list = NULL;
conn->hide_list = NULL;
conn->veto_oplock_list = NULL;
conn->aio_write_behind_list = NULL;
conn->read_only = lp_readonly(SNUM(conn));
conn->admin_user = False;
if (*lp_force_user(snum)) {
/*
* Replace conn->server_info with a completely faked up one
* from the username we are forced into :-)
*/
char *fuser;
struct auth_serversupplied_info *forced_serverinfo;
fuser = talloc_string_sub(conn, lp_force_user(snum), "%S",
lp_servicename(snum));
if (fuser == NULL) {
conn_free(conn);
*pstatus = NT_STATUS_NO_MEMORY;
return NULL;
}
status = make_serverinfo_from_username(
conn, fuser, conn->server_info->guest,
&forced_serverinfo);
if (!NT_STATUS_IS_OK(status)) {
conn_free(conn);
*pstatus = status;
return NULL;
}
TALLOC_FREE(conn->server_info);
conn->server_info = forced_serverinfo;
conn->force_user = True;
DEBUG(3,("Forced user %s\n", fuser));
}
/*
* If force group is true, then override
* any groupid stored for the connecting user.
*/
if (*lp_force_group(snum)) {
status = find_forced_group(
conn->force_user, snum, conn->server_info->unix_name,
&conn->server_info->ptok->user_sids[1],
&conn->server_info->utok.gid);
if (!NT_STATUS_IS_OK(status)) {
conn_free(conn);
*pstatus = status;
return NULL;
}
/*
* We need to cache this gid, to use within
* change_to_user() separately from the conn->server_info
* struct. We only use conn->server_info directly if
* "force_user" was set.
*/
conn->force_group_gid = conn->server_info->utok.gid;
}
conn->vuid = (vuser != NULL) ? vuser->vuid : UID_FIELD_INVALID;
{
char *s = talloc_sub_advanced(talloc_tos(),
lp_servicename(SNUM(conn)),
conn->server_info->unix_name,
conn->connectpath,
conn->server_info->utok.gid,
conn->server_info->sanitized_username,
pdb_get_domain(conn->server_info->sam_account),
lp_pathname(snum));
if (!s) {
conn_free(conn);
*pstatus = NT_STATUS_NO_MEMORY;
return NULL;
}
if (!set_conn_connectpath(conn,s)) {
TALLOC_FREE(s);
conn_free(conn);
*pstatus = NT_STATUS_NO_MEMORY;
return NULL;
}
DEBUG(3,("Connect path is '%s' for service [%s]\n",s,
lp_servicename(snum)));
TALLOC_FREE(s);
}
/*
* New code to check if there's a share security descripter
* added from NT server manager. This is done after the
* smb.conf checks are done as we need a uid and token. JRA.
*
*/
{
bool can_write = False;
can_write = share_access_check(conn->server_info->ptok,
lp_servicename(snum),
FILE_WRITE_DATA);
if (!can_write) {
if (!share_access_check(conn->server_info->ptok,
lp_servicename(snum),
FILE_READ_DATA)) {
/* No access, read or write. */
DEBUG(0,("make_connection: connection to %s "
"denied due to security "
"descriptor.\n",
lp_servicename(snum)));
conn_free(conn);
*pstatus = NT_STATUS_ACCESS_DENIED;
return NULL;
} else {
conn->read_only = True;
}
}
}
/* Initialise VFS function pointers */
if (!smbd_vfs_init(conn)) {
DEBUG(0, ("vfs_init failed for service %s\n",
lp_servicename(snum)));
conn_free(conn);
*pstatus = NT_STATUS_BAD_NETWORK_NAME;
return NULL;
}
/*
* If widelinks are disallowed we need to canonicalise the connect
* path here to ensure we don't have any symlinks in the
* connectpath. We will be checking all paths on this connection are
* below this directory. We must do this after the VFS init as we
* depend on the realpath() pointer in the vfs table. JRA.
*/
if (!lp_widelinks(snum)) {
if (!canonicalize_connect_path(conn)) {
DEBUG(0, ("canonicalize_connect_path failed "
"for service %s, path %s\n",
lp_servicename(snum),
conn->connectpath));
conn_free(conn);
*pstatus = NT_STATUS_BAD_NETWORK_NAME;
return NULL;
}
}
if ((!conn->printer) && (!conn->ipc)) {
conn->notify_ctx = notify_init(conn, server_id_self(),
smbd_messaging_context(),
smbd_event_context(),
conn);
}
/* ROOT Activities: */
/*
* Enforce the max connections parameter.
*/
if ((lp_max_connections(snum) > 0)
&& (count_current_connections(lp_servicename(SNUM(conn)), True) >=
lp_max_connections(snum))) {
DEBUG(1, ("Max connections (%d) exceeded for %s\n",
lp_max_connections(snum), lp_servicename(snum)));
conn_free(conn);
*pstatus = NT_STATUS_INSUFFICIENT_RESOURCES;
return NULL;
}
/*
* Get us an entry in the connections db
*/
if (!claim_connection(conn, lp_servicename(snum), 0)) {
DEBUG(1, ("Could not store connections entry\n"));
conn_free(conn);
*pstatus = NT_STATUS_INTERNAL_DB_ERROR;
return NULL;
}
/* Preexecs are done here as they might make the dir we are to ChDir
* to below */
/* execute any "root preexec = " line */
if (*lp_rootpreexec(snum)) {
char *cmd = talloc_sub_advanced(talloc_tos(),
lp_servicename(SNUM(conn)),
conn->server_info->unix_name,
conn->connectpath,
conn->server_info->utok.gid,
conn->server_info->sanitized_username,
pdb_get_domain(conn->server_info->sam_account),
lp_rootpreexec(snum));
DEBUG(5,("cmd=%s\n",cmd));
ret = smbrun(cmd,NULL);
TALLOC_FREE(cmd);
if (ret != 0 && lp_rootpreexec_close(snum)) {
DEBUG(1,("root preexec gave %d - failing "
"connection\n", ret));
yield_connection(conn, lp_servicename(snum));
conn_free(conn);
*pstatus = NT_STATUS_ACCESS_DENIED;
return NULL;
}
}
/* USER Activites: */
if (!change_to_user(conn, conn->vuid)) {
/* No point continuing if they fail the basic checks */
DEBUG(0,("Can't become connected user!\n"));
yield_connection(conn, lp_servicename(snum));
conn_free(conn);
*pstatus = NT_STATUS_LOGON_FAILURE;
return NULL;
}
/* Remember that a different vuid can connect later without these
* checks... */
/* Preexecs are done here as they might make the dir we are to ChDir
* to below */
/* execute any "preexec = " line */
if (*lp_preexec(snum)) {
char *cmd = talloc_sub_advanced(talloc_tos(),
lp_servicename(SNUM(conn)),
conn->server_info->unix_name,
conn->connectpath,
conn->server_info->utok.gid,
conn->server_info->sanitized_username,
pdb_get_domain(conn->server_info->sam_account),
lp_preexec(snum));
ret = smbrun(cmd,NULL);
TALLOC_FREE(cmd);
if (ret != 0 && lp_preexec_close(snum)) {
DEBUG(1,("preexec gave %d - failing connection\n",
ret));
*pstatus = NT_STATUS_ACCESS_DENIED;
goto err_root_exit;
}
}
#ifdef WITH_FAKE_KASERVER
if (lp_afs_share(snum)) {
afs_login(conn);
}
#endif
/* Add veto/hide lists */
if (!IS_IPC(conn) && !IS_PRINT(conn)) {
set_namearray( &conn->veto_list, lp_veto_files(snum));
set_namearray( &conn->hide_list, lp_hide_files(snum));
set_namearray( &conn->veto_oplock_list, lp_veto_oplocks(snum));
set_namearray( &conn->aio_write_behind_list,
lp_aio_write_behind(snum));
}
/* Invoke VFS make connection hook - do this before the VFS_STAT call
to allow any filesystems needing user credentials to initialize
themselves. */
if (SMB_VFS_CONNECT(conn, lp_servicename(snum),
conn->server_info->unix_name) < 0) {
DEBUG(0,("make_connection: VFS make connection failed!\n"));
*pstatus = NT_STATUS_UNSUCCESSFUL;
goto err_root_exit;
}
/* Any error exit after here needs to call the disconnect hook. */
on_err_call_dis_hook = true;
status = create_synthetic_smb_fname(talloc_tos(), conn->connectpath,
NULL, NULL, &smb_fname_cpath);
if (!NT_STATUS_IS_OK(status)) {
*pstatus = status;
goto err_root_exit;
}
/* win2000 does not check the permissions on the directory
during the tree connect, instead relying on permission
check during individual operations. To match this behaviour
I have disabled this chdir check (tridge) */
/* the alternative is just to check the directory exists */
if ((ret = SMB_VFS_STAT(conn, smb_fname_cpath)) != 0 ||
!S_ISDIR(smb_fname_cpath->st.st_ex_mode)) {
if (ret == 0 && !S_ISDIR(smb_fname_cpath->st.st_ex_mode)) {
DEBUG(0,("'%s' is not a directory, when connecting to "
"[%s]\n", conn->connectpath,
lp_servicename(snum)));
} else {
DEBUG(0,("'%s' does not exist or permission denied "
"when connecting to [%s] Error was %s\n",
conn->connectpath, lp_servicename(snum),
strerror(errno) ));
}
*pstatus = NT_STATUS_BAD_NETWORK_NAME;
goto err_root_exit;
}
string_set(&conn->origpath,conn->connectpath);
#if SOFTLINK_OPTIMISATION
/* resolve any soft links early if possible */
if (vfs_ChDir(conn,conn->connectpath) == 0) {
TALLOC_CTX *ctx = talloc_tos();
char *s = vfs_GetWd(ctx,s);
if (!s) {
*status = map_nt_error_from_unix(errno);
goto err_root_exit;
}
if (!set_conn_connectpath(conn,s)) {
*status = NT_STATUS_NO_MEMORY;
goto err_root_exit;
}
vfs_ChDir(conn,conn->connectpath);
}
#endif
if (lp_unix_extensions() && lp_widelinks(snum)) {
DEBUG(0,("Share '%s' has wide links and unix extensions enabled. "
"These parameters are incompatible. "
"Disabling wide links for this share.\n",
lp_servicename(snum) ));
lp_do_parameter(snum, "wide links", "False");
}
/* Figure out the characteristics of the underlying filesystem. This
* assumes that all the filesystem mounted withing a share path have
* the same characteristics, which is likely but not guaranteed.
*/
conn->fs_capabilities = SMB_VFS_FS_CAPABILITIES(conn, &conn->ts_res);
/*
* Print out the 'connected as' stuff here as we need
* to know the effective uid and gid we will be using
* (at least initially).
*/
if( DEBUGLVL( IS_IPC(conn) ? 3 : 1 ) ) {
dbgtext( "%s (%s) ", get_remote_machine_name(),
conn->client_address );
dbgtext( "%s", srv_is_signing_active(smbd_server_conn) ? "signed " : "");
dbgtext( "connect to service %s ", lp_servicename(snum) );
dbgtext( "initially as user %s ",
conn->server_info->unix_name );
dbgtext( "(uid=%d, gid=%d) ", (int)geteuid(), (int)getegid() );
dbgtext( "(pid %d)\n", (int)sys_getpid() );
}
/* we've finished with the user stuff - go back to root */
change_to_root_user();
return(conn);
err_root_exit:
TALLOC_FREE(smb_fname_cpath);
change_to_root_user();
if (on_err_call_dis_hook) {
/* Call VFS disconnect hook */
SMB_VFS_DISCONNECT(conn);
}
yield_connection(conn, lp_servicename(snum));
conn_free(conn);
return NULL;
}
connection_struct *make_connection(struct smbd_server_connection *sconn,
const char *service_in, DATA_BLOB password,
const char *pdev, uint16 vuid,
NTSTATUS *status)
{
uid_t euid;
user_struct *vuser = NULL;
fstring service;
fstring dev;
int snum = -1;
char addr[INET6_ADDRSTRLEN];
fstrcpy(dev, pdev);
/* This must ONLY BE CALLED AS ROOT. As it exits this function as
* root. */
if (!non_root_mode() && (euid = geteuid()) != 0) {
DEBUG(0,("make_connection: PANIC ERROR. Called as nonroot "
"(%u)\n", (unsigned int)euid ));
smb_panic("make_connection: PANIC ERROR. Called as nonroot\n");
}
if (conn_num_open(sconn) > 2047) {
*status = NT_STATUS_INSUFF_SERVER_RESOURCES;
return NULL;
}
if(lp_security() != SEC_SHARE) {
vuser = get_valid_user_struct(sconn, vuid);
if (!vuser) {
DEBUG(1,("make_connection: refusing to connect with "
"no session setup\n"));
*status = NT_STATUS_ACCESS_DENIED;
return NULL;
}
}
/* Logic to try and connect to the correct [homes] share, preferably
without too many getpwnam() lookups. This is particulary nasty for
winbind usernames, where the share name isn't the same as unix
username.
The snum of the homes share is stored on the vuser at session setup
time.
*/
if (strequal(service_in,HOMES_NAME)) {
if(lp_security() != SEC_SHARE) {
DATA_BLOB no_pw = data_blob_null;
if (vuser->homes_snum == -1) {
DEBUG(2, ("[homes] share not available for "
"this user because it was not found "
"or created at session setup "
"time\n"));
*status = NT_STATUS_BAD_NETWORK_NAME;
return NULL;
}
DEBUG(5, ("making a connection to [homes] service "
"created at session setup time\n"));
return make_connection_snum(sconn,
vuser->homes_snum,
vuser, no_pw,
dev, status);
} else {
/* Security = share. Try with
* current_user_info.smb_name as the username. */
if (*current_user_info.smb_name) {
fstring unix_username;
fstrcpy(unix_username,
current_user_info.smb_name);
map_username(sconn, unix_username);
snum = find_service(unix_username);
}
if (snum != -1) {
DEBUG(5, ("making a connection to 'homes' "
"service %s based on "
"security=share\n", service_in));
return make_connection_snum(sconn,
snum, NULL,
password,
dev, status);
}
}
} else if ((lp_security() != SEC_SHARE) && (vuser->homes_snum != -1)
&& strequal(service_in,
lp_servicename(vuser->homes_snum))) {
DATA_BLOB no_pw = data_blob_null;
DEBUG(5, ("making a connection to 'homes' service [%s] "
"created at session setup time\n", service_in));
return make_connection_snum(sconn,
vuser->homes_snum,
vuser, no_pw,
dev, status);
}
fstrcpy(service, service_in);
strlower_m(service);
snum = find_service(service);
if (snum < 0) {
if (strequal(service,"IPC$") ||
(lp_enable_asu_support() && strequal(service,"ADMIN$"))) {
DEBUG(3,("refusing IPC connection to %s\n", service));
*status = NT_STATUS_ACCESS_DENIED;
return NULL;
}
DEBUG(3,("%s (%s) couldn't find service %s\n",
get_remote_machine_name(),
client_addr(get_client_fd(),addr,sizeof(addr)),
service));
*status = NT_STATUS_BAD_NETWORK_NAME;
return NULL;
}
/* Handle non-Dfs clients attempting connections to msdfs proxy */
if (lp_host_msdfs() && (*lp_msdfs_proxy(snum) != '\0')) {
DEBUG(3, ("refusing connection to dfs proxy share '%s' "
"(pointing to %s)\n",
service, lp_msdfs_proxy(snum)));
*status = NT_STATUS_BAD_NETWORK_NAME;
return NULL;
}
DEBUG(5, ("making a connection to 'normal' service %s\n", service));
return make_connection_snum(sconn, snum, vuser,
password,
dev, status);
}
static connection_struct *make_connection_snum(int snum, user_struct *vuser,
DATA_BLOB password,
const char *pdev,
NTSTATUS *status)
{
struct passwd *pass = NULL;
bool guest = False;
connection_struct *conn;
SMB_STRUCT_STAT st;
fstring user;
fstring dev;
int ret;
char addr[INET6_ADDRSTRLEN];
bool on_err_call_dis_hook = false;
*user = 0;
fstrcpy(dev, pdev);
SET_STAT_INVALID(st);
if (NT_STATUS_IS_ERR(*status = share_sanity_checks(snum, dev))) {
return NULL;
}
conn = conn_new();
if (!conn) {
DEBUG(0,("Couldn't find free connection.\n"));
*status = NT_STATUS_INSUFFICIENT_RESOURCES;
return NULL;
}
conn->params->service = snum;
conn->nt_user_token = NULL;
if (lp_guest_only(snum)) {
const char *guestname = lp_guestaccount();
NTSTATUS status2;
char *found_username = NULL;
guest = True;
pass = getpwnam_alloc(talloc_tos(), guestname);
if (!pass) {
DEBUG(0,("make_connection_snum: Invalid guest "
"account %s??\n",guestname));
conn_free(conn);
*status = NT_STATUS_NO_SUCH_USER;
return NULL;
}
status2 = create_token_from_username(conn->mem_ctx, pass->pw_name, True,
&conn->uid, &conn->gid,
&found_username,
&conn->nt_user_token);
if (!NT_STATUS_IS_OK(status2)) {
TALLOC_FREE(pass);
conn_free(conn);
*status = status2;
return NULL;
}
fstrcpy(user, found_username);
string_set(&conn->user,user);
conn->force_user = True;
TALLOC_FREE(found_username);
TALLOC_FREE(pass);
DEBUG(3,("Guest only user %s\n",user));
} else if (vuser) {
if (vuser->guest) {
if (!lp_guest_ok(snum)) {
DEBUG(2, ("guest user (from session setup) "
"not permitted to access this share "
"(%s)\n", lp_servicename(snum)));
conn_free(conn);
*status = NT_STATUS_ACCESS_DENIED;
return NULL;
}
} else {
if (!user_ok_token(vuser->user.unix_name,
vuser->nt_user_token, snum)) {
DEBUG(2, ("user '%s' (from session setup) not "
"permitted to access this share "
"(%s)\n", vuser->user.unix_name,
lp_servicename(snum)));
conn_free(conn);
*status = NT_STATUS_ACCESS_DENIED;
return NULL;
}
}
conn->vuid = vuser->vuid;
conn->uid = vuser->uid;
conn->gid = vuser->gid;
string_set(&conn->user,vuser->user.unix_name);
fstrcpy(user,vuser->user.unix_name);
guest = vuser->guest;
} else if (lp_security() == SEC_SHARE) {
NTSTATUS status2;
char *found_username = NULL;
/* add it as a possible user name if we
are in share mode security */
add_session_user(lp_servicename(snum));
/* shall we let them in? */
if (!authorise_login(snum,user,password,&guest)) {
DEBUG( 2, ( "Invalid username/password for [%s]\n",
lp_servicename(snum)) );
conn_free(conn);
*status = NT_STATUS_WRONG_PASSWORD;
return NULL;
}
pass = Get_Pwnam_alloc(talloc_tos(), user);
status2 = create_token_from_username(conn->mem_ctx, pass->pw_name, True,
&conn->uid, &conn->gid,
&found_username,
&conn->nt_user_token);
TALLOC_FREE(pass);
if (!NT_STATUS_IS_OK(status2)) {
conn_free(conn);
*status = status2;
return NULL;
}
fstrcpy(user, found_username);
string_set(&conn->user,user);
TALLOC_FREE(found_username);
conn->force_user = True;
} else {
DEBUG(0, ("invalid VUID (vuser) but not in security=share\n"));
conn_free(conn);
*status = NT_STATUS_ACCESS_DENIED;
return NULL;
}
add_session_user(user);
safe_strcpy(conn->client_address,
client_addr(get_client_fd(),addr,sizeof(addr)),
sizeof(conn->client_address)-1);
conn->num_files_open = 0;
conn->lastused = conn->lastused_count = time(NULL);
conn->used = True;
conn->printer = (strncmp(dev,"LPT",3) == 0);
conn->ipc = ( (strncmp(dev,"IPC",3) == 0) ||
( lp_enable_asu_support() && strequal(dev,"ADMIN$")) );
conn->dirptr = NULL;
/* Case options for the share. */
if (lp_casesensitive(snum) == Auto) {
/* We will be setting this per packet. Set to be case
* insensitive for now. */
conn->case_sensitive = False;
} else {
conn->case_sensitive = (bool)lp_casesensitive(snum);
}
conn->case_preserve = lp_preservecase(snum);
conn->short_case_preserve = lp_shortpreservecase(snum);
conn->encrypt_level = lp_smb_encrypt(snum);
conn->veto_list = NULL;
conn->hide_list = NULL;
conn->veto_oplock_list = NULL;
conn->aio_write_behind_list = NULL;
string_set(&conn->dirpath,"");
string_set(&conn->user,user);
conn->read_only = lp_readonly(SNUM(conn));
conn->admin_user = False;
/*
* If force user is true, then store the given userid and the gid of
* the user we're forcing.
* For auxiliary groups see below.
*/
if (*lp_force_user(snum)) {
NTSTATUS status2;
status2 = find_forced_user(conn,
(vuser != NULL) && vuser->guest,
user);
if (!NT_STATUS_IS_OK(status2)) {
conn_free(conn);
*status = status2;
return NULL;
}
string_set(&conn->user,user);
conn->force_user = True;
DEBUG(3,("Forced user %s\n",user));
}
/*
* If force group is true, then override
* any groupid stored for the connecting user.
*/
if (*lp_force_group(snum)) {
NTSTATUS status2;
DOM_SID group_sid;
status2 = find_forced_group(conn->force_user,
snum, user,
&group_sid, &conn->gid);
if (!NT_STATUS_IS_OK(status2)) {
conn_free(conn);
*status = status2;
return NULL;
}
if ((conn->nt_user_token == NULL) && (vuser != NULL)) {
/* Not force user and not security=share, but force
* group. vuser has a token to copy */
conn->nt_user_token = dup_nt_token(
NULL, vuser->nt_user_token);
if (conn->nt_user_token == NULL) {
DEBUG(0, ("dup_nt_token failed\n"));
conn_free(conn);
*status = NT_STATUS_NO_MEMORY;
return NULL;
}
}
/* If conn->nt_user_token is still NULL, we have
* security=share. This means ignore the SID, as we had no
* vuser to copy from */
if (conn->nt_user_token != NULL) {
/* Overwrite the primary group sid */
sid_copy(&conn->nt_user_token->user_sids[1],
&group_sid);
}
conn->force_group = True;
}
if (conn->nt_user_token != NULL) {
size_t i;
/* We have a share-specific token from force [user|group].
* This means we have to create the list of unix groups from
* the list of sids. */
conn->ngroups = 0;
conn->groups = NULL;
for (i=0; i<conn->nt_user_token->num_sids; i++) {
gid_t gid;
DOM_SID *sid = &conn->nt_user_token->user_sids[i];
if (!sid_to_gid(sid, &gid)) {
DEBUG(10, ("Could not convert SID %s to gid, "
"ignoring it\n",
sid_string_dbg(sid)));
continue;
}
if (!add_gid_to_array_unique(conn->mem_ctx, gid, &conn->groups,
&conn->ngroups)) {
DEBUG(0, ("add_gid_to_array_unique failed\n"));
conn_free(conn);
*status = NT_STATUS_NO_MEMORY;
return NULL;
}
}
}
{
char *s = talloc_sub_advanced(talloc_tos(),
lp_servicename(SNUM(conn)), conn->user,
conn->connectpath, conn->gid,
get_current_username(),
current_user_info.domain,
lp_pathname(snum));
if (!s) {
conn_free(conn);
*status = NT_STATUS_NO_MEMORY;
return NULL;
}
if (!set_conn_connectpath(conn,s)) {
TALLOC_FREE(s);
conn_free(conn);
*status = NT_STATUS_NO_MEMORY;
return NULL;
}
DEBUG(3,("Connect path is '%s' for service [%s]\n",s,
lp_servicename(snum)));
TALLOC_FREE(s);
}
/*
* New code to check if there's a share security descripter
* added from NT server manager. This is done after the
* smb.conf checks are done as we need a uid and token. JRA.
*
*/
{
bool can_write = False;
NT_USER_TOKEN *token = conn->nt_user_token ?
conn->nt_user_token :
(vuser ? vuser->nt_user_token : NULL);
/*
* I don't believe this can happen. But the
* logic above is convoluted enough to confuse
* automated checkers, so be sure. JRA.
*/
if (token == NULL) {
DEBUG(0,("make_connection: connection to %s "
"denied due to missing "
"NT token.\n",
lp_servicename(snum)));
conn_free(conn);
*status = NT_STATUS_ACCESS_DENIED;
return NULL;
}
can_write = share_access_check(token,
lp_servicename(snum),
FILE_WRITE_DATA);
if (!can_write) {
if (!share_access_check(token,
lp_servicename(snum),
FILE_READ_DATA)) {
/* No access, read or write. */
DEBUG(0,("make_connection: connection to %s "
"denied due to security "
"descriptor.\n",
lp_servicename(snum)));
conn_free(conn);
*status = NT_STATUS_ACCESS_DENIED;
return NULL;
} else {
conn->read_only = True;
}
}
}
/* Initialise VFS function pointers */
if (!smbd_vfs_init(conn)) {
DEBUG(0, ("vfs_init failed for service %s\n",
lp_servicename(snum)));
conn_free(conn);
*status = NT_STATUS_BAD_NETWORK_NAME;
return NULL;
}
/*
* If widelinks are disallowed we need to canonicalise the connect
* path here to ensure we don't have any symlinks in the
* connectpath. We will be checking all paths on this connection are
* below this directory. We must do this after the VFS init as we
* depend on the realpath() pointer in the vfs table. JRA.
*/
if (!lp_widelinks(snum)) {
if (!canonicalize_connect_path(conn)) {
DEBUG(0, ("canonicalize_connect_path failed "
"for service %s, path %s\n",
lp_servicename(snum),
conn->connectpath));
conn_free(conn);
*status = NT_STATUS_BAD_NETWORK_NAME;
return NULL;
}
}
if ((!conn->printer) && (!conn->ipc)) {
conn->notify_ctx = notify_init(conn->mem_ctx, server_id_self(),
smbd_messaging_context(),
smbd_event_context(),
conn);
}
/* ROOT Activities: */
/*
* Enforce the max connections parameter.
*/
if ((lp_max_connections(snum) > 0)
&& (count_current_connections(lp_servicename(SNUM(conn)), True) >=
lp_max_connections(snum))) {
DEBUG(1, ("Max connections (%d) exceeded for %s\n",
lp_max_connections(snum), lp_servicename(snum)));
conn_free(conn);
*status = NT_STATUS_INSUFFICIENT_RESOURCES;
return NULL;
}
/*
* Get us an entry in the connections db
*/
if (!claim_connection(conn, lp_servicename(snum), 0)) {
DEBUG(1, ("Could not store connections entry\n"));
conn_free(conn);
*status = NT_STATUS_INTERNAL_DB_ERROR;
return NULL;
}
/* Preexecs are done here as they might make the dir we are to ChDir
* to below */
/* execute any "root preexec = " line */
if (*lp_rootpreexec(snum)) {
char *cmd = talloc_sub_advanced(talloc_tos(),
lp_servicename(SNUM(conn)), conn->user,
conn->connectpath, conn->gid,
get_current_username(),
current_user_info.domain,
lp_rootpreexec(snum));
DEBUG(5,("cmd=%s\n",cmd));
ret = smbrun(cmd,NULL);
TALLOC_FREE(cmd);
if (ret != 0 && lp_rootpreexec_close(snum)) {
DEBUG(1,("root preexec gave %d - failing "
"connection\n", ret));
yield_connection(conn, lp_servicename(snum));
conn_free(conn);
*status = NT_STATUS_ACCESS_DENIED;
return NULL;
}
}
/* USER Activites: */
if (!change_to_user(conn, conn->vuid)) {
/* No point continuing if they fail the basic checks */
DEBUG(0,("Can't become connected user!\n"));
yield_connection(conn, lp_servicename(snum));
conn_free(conn);
*status = NT_STATUS_LOGON_FAILURE;
return NULL;
}
/* Remember that a different vuid can connect later without these
* checks... */
/* Preexecs are done here as they might make the dir we are to ChDir
* to below */
/* execute any "preexec = " line */
if (*lp_preexec(snum)) {
char *cmd = talloc_sub_advanced(talloc_tos(),
lp_servicename(SNUM(conn)), conn->user,
conn->connectpath, conn->gid,
get_current_username(),
current_user_info.domain,
lp_preexec(snum));
ret = smbrun(cmd,NULL);
TALLOC_FREE(cmd);
if (ret != 0 && lp_preexec_close(snum)) {
DEBUG(1,("preexec gave %d - failing connection\n",
ret));
*status = NT_STATUS_ACCESS_DENIED;
goto err_root_exit;
}
}
#ifdef WITH_FAKE_KASERVER
if (lp_afs_share(snum)) {
afs_login(conn);
}
#endif
/* Add veto/hide lists */
if (!IS_IPC(conn) && !IS_PRINT(conn)) {
set_namearray( &conn->veto_list, lp_veto_files(snum));
set_namearray( &conn->hide_list, lp_hide_files(snum));
set_namearray( &conn->veto_oplock_list, lp_veto_oplocks(snum));
set_namearray( &conn->aio_write_behind_list,
lp_aio_write_behind(snum));
}
/* Invoke VFS make connection hook - do this before the VFS_STAT call
to allow any filesystems needing user credentials to initialize
themselves. */
if (SMB_VFS_CONNECT(conn, lp_servicename(snum), user) < 0) {
DEBUG(0,("make_connection: VFS make connection failed!\n"));
*status = NT_STATUS_UNSUCCESSFUL;
goto err_root_exit;
}
/* Any error exit after here needs to call the disconnect hook. */
on_err_call_dis_hook = true;
/* win2000 does not check the permissions on the directory
during the tree connect, instead relying on permission
check during individual operations. To match this behaviour
I have disabled this chdir check (tridge) */
/* the alternative is just to check the directory exists */
if ((ret = SMB_VFS_STAT(conn, conn->connectpath, &st)) != 0 ||
!S_ISDIR(st.st_mode)) {
if (ret == 0 && !S_ISDIR(st.st_mode)) {
DEBUG(0,("'%s' is not a directory, when connecting to "
"[%s]\n", conn->connectpath,
lp_servicename(snum)));
} else {
DEBUG(0,("'%s' does not exist or permission denied "
"when connecting to [%s] Error was %s\n",
conn->connectpath, lp_servicename(snum),
strerror(errno) ));
}
*status = NT_STATUS_BAD_NETWORK_NAME;
goto err_root_exit;
}
string_set(&conn->origpath,conn->connectpath);
#if SOFTLINK_OPTIMISATION
/* resolve any soft links early if possible */
if (vfs_ChDir(conn,conn->connectpath) == 0) {
TALLOC_CTX *ctx = talloc_tos();
char *s = vfs_GetWd(ctx,s);
if (!s) {
*status = map_nt_error_from_unix(errno);
goto err_root_exit;
}
if (!set_conn_connectpath(conn,s)) {
*status = NT_STATUS_NO_MEMORY;
goto err_root_exit;
}
vfs_ChDir(conn,conn->connectpath);
}
#endif
/* Figure out the characteristics of the underlying filesystem. This
* assumes that all the filesystem mounted withing a share path have
* the same characteristics, which is likely but not guaranteed.
*/
conn->fs_capabilities = SMB_VFS_FS_CAPABILITIES(conn);
/*
* Print out the 'connected as' stuff here as we need
* to know the effective uid and gid we will be using
* (at least initially).
*/
if( DEBUGLVL( IS_IPC(conn) ? 3 : 1 ) ) {
dbgtext( "%s (%s) ", get_remote_machine_name(),
conn->client_address );
dbgtext( "%s", srv_is_signing_active() ? "signed " : "");
dbgtext( "connect to service %s ", lp_servicename(snum) );
dbgtext( "initially as user %s ", user );
dbgtext( "(uid=%d, gid=%d) ", (int)geteuid(), (int)getegid() );
dbgtext( "(pid %d)\n", (int)sys_getpid() );
}
/* we've finished with the user stuff - go back to root */
change_to_root_user();
return(conn);
err_root_exit:
change_to_root_user();
if (on_err_call_dis_hook) {
/* Call VFS disconnect hook */
SMB_VFS_DISCONNECT(conn);
}
yield_connection(conn, lp_servicename(snum));
conn_free(conn);
return NULL;
}
