/*
 * Access-control helper: report whether `user` is matched by any entry of the
 * NULL-terminated string array `list`.
 *
 * Each entry is first compared with the user name as-is (prefix characters
 * included) using strequal(). If that fails, a leading marker selects which
 * group databases are consulted, and in which order:
 *
 *   @name   netgroup, then UNIX group
 *   +name   UNIX group only
 *   +&name  UNIX group, then netgroup
 *   &name   netgroup only
 *   &+name  netgroup, then UNIX group
 *
 * Returns True on the first match, False when the list is NULL, empty, or
 * exhausted without a match.
 *
 * NOTE(review): the matching rules of strequal(), user_in_group() and
 * user_in_netgroup() (case sensitivity, handling of an empty group name such
 * as a bare "@" entry) are not visible here - confirm before relying on this
 * function for a deny list.
 */
BOOL user_in_list(const char *user,const char **list)
{
	const char **cursor;

	if (list == NULL || *list == NULL) {
		return False;
	}

	DEBUG(10,("user_in_list: checking user %s in list\n", user));

	for (cursor = list; *cursor != NULL; cursor++) {
		const char *entry = *cursor;

		DEBUG(10,("user_in_list: checking user |%s| against |%s|\n", user, entry));

		/* A literal match on the whole entry wins before any prefix handling. */
		if (strequal(user, entry)) {
			return True;
		}

		switch (entry[0]) {
		case '@':
			/* Legacy form: netgroup first, UNIX group second. */
			if (user_in_netgroup(user, entry + 1) ||
			    user_in_group(user, entry + 1)) {
				return True;
			}
			break;

		case '+':
			if (entry[1] == '&') {
				/* "+&": UNIX group first, netgroup second. */
				if (user_in_group(user, entry + 2) ||
				    user_in_netgroup(user, entry + 2)) {
					return True;
				}
			} else if (user_in_group(user, entry + 1)) {
				/* "+": UNIX group only. */
				return True;
			}
			break;

		case '&':
			if (entry[1] == '+') {
				/* "&+": netgroup first, UNIX group second. */
				if (user_in_netgroup(user, entry + 2) ||
				    user_in_group(user, entry + 2)) {
					return True;
				}
			} else if (user_in_netgroup(user, entry + 1)) {
				/* "&": netgroup only. */
				return True;
			}
			break;

		default:
			/* Plain name that did not match: nothing more to try. */
			break;
		}
	}

	return False;
}
/*
 * Access-control helper: decide whether a single configured list entry `name`
 * matches the security token `token`.
 *
 * Steps, in order:
 *   1. Expand substitutions in `name`: talloc_sub_basic() when `username` is
 *      given, then "%S" -> `sharename` when `sharename` is given. A NULL
 *      result triggers smb_panic() rather than returning an answer that
 *      could be misread.
 *   2. If the expanded name parses as a SID, the answer is whether that SID
 *      is in the token.
 *   3. If do_group_checks() reports no group prefix, the name must resolve
 *      to a user (SID_NAME_USER) whose SID is then checked against the token.
 *   4. Otherwise each prefix character is handled in turn: '+' resolves the
 *      name as a group/alias/well-known group and checks its SID against the
 *      token; '&' checks netgroup membership of `username` (skipped when
 *      `username` is NULL). Any other character triggers smb_panic().
 *
 * Returns True on a match. Lookup failures and type mismatches return False,
 * i.e. the check fails closed.
 *
 * NOTE(review): do_group_checks() is not visible here; it presumably strips
 * the leading markers from `name` and hands back the prefix characters to
 * walk - confirm.
 * NOTE(review): in the '+' case a failed lookup or a non-group type returns
 * False immediately, so a following '&' prefix is never evaluated. Confirm
 * this is the intended semantics for combined prefixes.
 * NOTE(review): when the first substitution returns NULL and `sharename` is
 * set, talloc_string_sub() is called with that NULL before the NULL check -
 * presumably it tolerates this; confirm.
 */
static bool token_contains_name(TALLOC_CTX *mem_ctx,
				const char *username,
				const char *domain,
				const char *sharename,
				const struct nt_user_token *token,
				const char *name)
{
	struct smbd_server_connection *conn = smbd_server_conn;
	const char *pfx;
	DOM_SID entry_sid;
	enum lsa_SidType sid_type;

	if (username != NULL) {
		name = talloc_sub_basic(mem_ctx, username, domain, name);
	}
	if (sharename != NULL) {
		name = talloc_string_sub(mem_ctx, name, "%S", sharename);
	}

	if (name == NULL) {
		/* Too security sensitive to guess: panic instead of returning
		 * a result that might be interpreted the wrong way. */
		smb_panic("substitutions failed");
	}

	/* The entry may already be a SID in string form. */
	if (string_to_sid(&entry_sid, name)) {
		DEBUG(5,("token_contains_name: Checking for SID [%s] in token\n", name));
		return nt_token_check_sid(&entry_sid, token);
	}

	if (!do_group_checks(&name, &pfx)) {
		/* No group prefix: the entry has to name a user. */
		if (!lookup_name_smbconf(mem_ctx, name, LOOKUP_NAME_ALL,
					 NULL, NULL, &entry_sid, &sid_type)) {
			DEBUG(5, ("lookup_name %s failed\n", name));
			return False;
		}
		if (sid_type != SID_NAME_USER) {
			DEBUG(5, ("%s is a %s, expected a user\n", name, sid_type_lookup(sid_type)));
			return False;
		}
		return nt_token_check_sid(&entry_sid, token);
	}

	/* pfx was set by do_group_checks(); walk its characters in order. */
	while (*pfx != '\0') {
		switch (*pfx) {
		case '+':
			if (!lookup_name_smbconf(mem_ctx, name,
						 LOOKUP_NAME_ALL|LOOKUP_NAME_GROUP,
						 NULL, NULL, &entry_sid, &sid_type)) {
				DEBUG(5, ("lookup_name %s failed\n", name));
				return False;
			}
			/* Only group-like SID types are acceptable here. */
			if (!(sid_type == SID_NAME_DOM_GRP ||
			      sid_type == SID_NAME_ALIAS ||
			      sid_type == SID_NAME_WKN_GRP)) {
				DEBUG(5, ("%s is a %s, expected a group\n", name, sid_type_lookup(sid_type)));
				return False;
			}
			if (nt_token_check_sid(&entry_sid, token)) {
				return True;
			}
			break;

		case '&':
			/* Netgroup membership is keyed on the user name, so it
			 * can only be tested when one was supplied. */
			if (username && user_in_netgroup(conn, username, name)) {
				return True;
			}
			break;

		default:
			smb_panic("got invalid prefix from do_groups_check");
			break;
		}
		pfx++;
	}

	return False;
}