author | Jeremy Allison <jra@samba.org> | 2016-11-10 20:33:17 -0800 |
---|---|---|
committer | Andreas Schneider <asn@cryptomilk.org> | 2016-11-16 16:35:12 +0100 |
commit | d333c56700c17ff819aa784879081d847f00903c (patch) | |
tree | 22d8855861cc4e40fea6d248b30f37136df8da1c | |
parent | 584daf551348815342442f5b3a0d3b8f9484c5bd (diff) | |
source4: Change to use lib/util/access functions.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12419
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Nov 16 16:35:12 CET 2016 on sn-devel-144
-rw-r--r-- | source4/dsdb/common/util.c | 3 | ||||
-rw-r--r-- | source4/lib/socket/access.c | 237 | ||||
-rw-r--r-- | source4/lib/socket/socket.h | 3 | ||||
-rw-r--r-- | source4/lib/socket/wscript_build | 2 |
4 files changed, 5 insertions, 240 deletions
diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c
index d1396e4fd5c..8f74b45a84e 100644
--- a/source4/dsdb/common/util.c
+++ b/source4/dsdb/common/util.c
@@ -46,6 +46,7 @@ #include "librpc/gen_ndr/irpc.h" #include "libds/common/flag_mapping.h" #include "../lib/util/util_runcmd.h" +#include "lib/util/access.h" /* search the sam for the specified attributes in a specific domain, filter on
@@ -1869,7 +1870,7 @@ const char *samdb_client_site_name(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, allow_list[0] = l_subnet_name; - if (socket_allow_access(mem_ctx, NULL, allow_list, "", ip_address)) { + if (allow_access_nolog(NULL, allow_list, "", ip_address)) { sites_dn = ldb_msg_find_attr_as_dn(ldb, mem_ctx, res->msgs[i], "siteObject");
diff --git a/source4/lib/socket/access.c b/source4/lib/socket/access.c
index adc8105ca9d..c019fd64d26 100644
--- a/source4/lib/socket/access.c
+++ b/source4/lib/socket/access.c
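Review bot: The new call `allow_access_nolog(NULL, allow_list, "", ip_address)` still uses a host-access check as a subnet-membership test, and the removed source4 implementation special-cased loopback ("if it is loopback then always allow unless specifically denied"), so a 127.0.0.1 client matched whichever subnet object the loop happened to visit first; if lib/util/access.c keeps that rule (not visible here) the same quirk carries over into site lookup. The removed masked_match() was also IPv4-only (uint32_t net/mask via interpret_addr), so whether the shared helper parses IPv6 subnet objects decides whether this hunk changes site resolution for IPv6 clients and is worth confirming against that file. A comment at the call site would make both dependencies explicit, e.g. `/* subnet match via the hosts-allow matcher: only the address is tested (cname is ""); loopback handling follows lib/util/access.c */`. samdb_client_site_name() starts and ends outside this hunk.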
@@ -33,241 +33,8 @@ #include "includes.h" #include "system/network.h" #include "lib/socket/socket.h" -#include "system/locale.h" #include "lib/util/util_net.h" - -#define FAIL (-1) -#define ALLONES ((uint32_t)0xFFFFFFFF) - -/* masked_match - match address against netnumber/netmask */ -static bool masked_match(TALLOC_CTX *mem_ctx, const char *tok, const char *slash, const char *s) -{ - uint32_t net; - uint32_t mask; - uint32_t addr; - char *tok_cpy; - - if ((addr = interpret_addr(s)) == INADDR_NONE) - return false; - - tok_cpy = talloc_strdup(mem_ctx, tok); - tok_cpy[PTR_DIFF(slash,tok)] = '\0'; - net = interpret_addr(tok_cpy); - talloc_free(tok_cpy); - - if (strlen(slash + 1) > 2) { - mask = interpret_addr(slash + 1); - } else { - mask = (uint32_t)((ALLONES >> atoi(slash + 1)) ^ ALLONES); - /* convert to network byte order */ - mask = htonl(mask); - } - - if (net == INADDR_NONE || mask == INADDR_NONE) { - DEBUG(0,("access: bad net/mask access control: %s\n", tok)); - return false; - } - - return (addr & mask) == (net & mask); -} - -/* string_match - match string against token */ -static bool string_match(TALLOC_CTX *mem_ctx, const char *tok,const char *s, char *invalid_char) -{ - size_t tok_len; - size_t str_len; - const char *cut; - - *invalid_char = '\0'; - - /* Return true if a token has the magic value "ALL". Return - * FAIL if the token is "FAIL". If the token starts with a "." - * (domain name), return true if it matches the last fields of - * the string. If the token has the magic value "LOCAL", - * return true if the string does not contain a "." - * character. If the token ends on a "." (network number), - * return true if it matches the first fields of the - * string. If the token begins with a "@" (netgroup name), - * return true if the string is a (host) member of the - * netgroup. Return true if the token fully matches the - * string. If the token is a netnumber/netmask pair, return - * true if the address is a member of the specified subnet. 
- */ - - if (tok[0] == '.') { /* domain: match last fields */ - if ((str_len = strlen(s)) > (tok_len = strlen(tok)) - && strcasecmp(tok, s + str_len - tok_len)==0) { - return true; - } - } else if (tok[0] == '@') { /* netgroup: look it up */ - DEBUG(0,("access: netgroup support is not available\n")); - return false; - } else if (strcmp(tok, "ALL")==0) { /* all: match any */ - return true; - } else if (strcmp(tok, "FAIL")==0) { /* fail: match any */ - return FAIL; - } else if (strcmp(tok, "LOCAL")==0) { /* local: no dots */ - if (strchr(s, '.') == 0 && strcasecmp(s, "unknown") != 0) { - return true; - } - } else if (strcasecmp(tok, s)==0) { /* match host name or address */ - return true; - } else if (tok[(tok_len = strlen(tok)) - 1] == '.') { /* network */ - if (strncmp(tok, s, tok_len) == 0) - return true; - } else if ((cut = strchr(tok, '/')) != 0) { /* netnumber/netmask */ - if (isdigit((int)s[0]) && masked_match(mem_ctx, tok, cut, s)) - return true; - } else if (strchr(tok, '*') != 0) { - *invalid_char = '*'; - } else if (strchr(tok, '?') != 0) { - *invalid_char = '?'; - } - return false; -} - -struct client_addr { - const char *cname; - const char *caddr; -}; - -/* client_match - match host name and address against token */ -static bool client_match(TALLOC_CTX *mem_ctx, const char *tok, struct client_addr *client) -{ - bool match; - char invalid_char = '\0'; - - /* - * Try to match the address first. If that fails, try to match the host - * name if available. 
- */ - - if ((match = string_match(mem_ctx, tok, client->caddr, &invalid_char)) == 0) { - if(invalid_char) - DEBUG(0,("client_match: address match failing due to invalid character '%c' found in \ -token '%s' in an allow/deny hosts line.\n", invalid_char, tok )); - - if (client->cname[0] != 0) - match = string_match(mem_ctx, tok, client->cname, &invalid_char); - - if(invalid_char) - DEBUG(0,("client_match: address match failing due to invalid character '%c' found in \ -token '%s' in an allow/deny hosts line.\n", invalid_char, tok )); - } - - return (match); -} - -/* list_match - match an item against a list of tokens with exceptions */ -static bool list_match(TALLOC_CTX *mem_ctx, const char **list, struct client_addr *client) -{ - bool match = false; - - if (!list) - return false; - - /* - * Process tokens one at a time. We have exhausted all possible matches - * when we reach an "EXCEPT" token or the end of the list. If we do find - * a match, look for an "EXCEPT" list and recurse to determine whether - * the match is affected by any exceptions. - */ - - for (; *list ; list++) { - if (strcmp(*list, "EXCEPT")==0) /* EXCEPT: give up */ - break; - if ((match = client_match(mem_ctx, *list, client))) /* true or FAIL */ - break; - } - - /* Process exceptions to true or FAIL matches. */ - if (match != false) { - while (*list && strcmp(*list, "EXCEPT")!=0) - list++; - - for (; *list; list++) { - if (client_match(mem_ctx, *list, client)) /* Exception Found */ - return false; - } - } - - return match; -} - -/* return true if access should be allowed */ -static bool allow_access_internal(TALLOC_CTX *mem_ctx, - const char **deny_list,const char **allow_list, - const char *cname, const char *caddr) -{ - struct client_addr client; - - client.cname = cname; - client.caddr = caddr; - - /* if it is loopback then always allow unless specifically denied */ - if (strcmp(caddr, "127.0.0.1") == 0) { - /* - * If 127.0.0.1 matches both allow and deny then allow. 
- * Patch from Steve Langasek vorlon@netexpress.net. - */ - if (deny_list && - list_match(mem_ctx, deny_list, &client) && - (!allow_list || - !list_match(mem_ctx, allow_list, &client))) { - return false; - } - return true; - } - - /* if theres no deny list and no allow list then allow access */ - if ((!deny_list || *deny_list == 0) && - (!allow_list || *allow_list == 0)) { - return true; - } - - /* if there is an allow list but no deny list then allow only hosts - on the allow list */ - if (!deny_list || *deny_list == 0) - return list_match(mem_ctx, allow_list, &client); - - /* if theres a deny list but no allow list then allow - all hosts not on the deny list */ - if (!allow_list || *allow_list == 0) - return !list_match(mem_ctx, deny_list, &client); - - /* if there are both types of list then allow all hosts on the - allow list */ - if (list_match(mem_ctx, allow_list, &client)) - return true; - - /* if there are both types of list and it's not on the allow then - allow it if its not on the deny */ - if (list_match(mem_ctx, deny_list, &client)) - return false; - - return true; -} - -/* return true if access should be allowed */ -bool socket_allow_access(TALLOC_CTX *mem_ctx, - const char **deny_list, const char **allow_list, - const char *cname, const char *caddr) -{ - bool ret; - char *nc_cname = talloc_strdup(mem_ctx, cname); - char *nc_caddr = talloc_strdup(mem_ctx, caddr); - - if (!nc_cname || !nc_caddr) { - return false; - } - - ret = allow_access_internal(mem_ctx, deny_list, allow_list, nc_cname, nc_caddr); - - talloc_free(nc_cname); - talloc_free(nc_caddr); - - return ret; -} +#include "lib/util/access.h" /* return true if the char* contains ip addrs only. Used to avoid gethostbyaddr() calls */ 
@@ -346,7 +113,7 @@ bool socket_check_access(struct socket_context *sock, return false; } - ret = socket_allow_access(mem_ctx, deny_list, allow_list, name, addr->addr); + ret = allow_access(deny_list, allow_list, name, addr->addr); if (ret) { DEBUG(2,("socket_check_access: Allowed connection to '%s' from %s (%s)\n",
diff --git a/source4/lib/socket/socket.h b/source4/lib/socket/socket.h
index 403a723edbf..50a20d90911 100644
--- a/source4/lib/socket/socket.h
+++ b/source4/lib/socket/socket.h
@@ -183,9 +183,6 @@ _PUBLIC_ void socket_address_set_port(struct socket_address *a, struct socket_address *socket_address_copy(TALLOC_CTX *mem_ctx, const struct socket_address *oaddr); const struct socket_ops *socket_getops_byname(const char *name, enum socket_type type); -bool socket_allow_access(TALLOC_CTX *mem_ctx, - const char **deny_list, const char **allow_list, - const char *cname, const char *caddr); bool socket_check_access(struct socket_context *sock, const char *service_name, const char **allow_list, const char **deny_list);
diff --git a/source4/lib/socket/wscript_build b/source4/lib/socket/wscript_build
index 1cb89c610db..e2438247d2e 100644
--- a/source4/lib/socket/wscript_build
+++ b/source4/lib/socket/wscript_build
@@ -24,6 +24,6 @@ bld.SAMBA_MODULE('socket_unix', bld.SAMBA_SUBSYSTEM('samba_socket', source='socket.c access.c connect_multi.c connect.c', public_deps='talloc LIBTSOCKET', - deps='cli_composite LIBCLI_RESOLVE socket_ip socket_unix' + deps='cli_composite LIBCLI_RESOLVE socket_ip socket_unix access' )
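Review bot: `ret = allow_access(deny_list, allow_list, name, addr->addr);` picks the logging variant here while util.c in the same commit switched to `allow_access_nolog()`, and socket_check_access() already reports the outcome itself with the DEBUG(2,...) that follows, so if the shared helper logs its own allow/deny decision (the existence of a _nolog variant suggests it does) every denied connection is reported twice, possibly at different debug levels. If that duplication is intended it deserves a one-line comment; otherwise `ret = allow_access_nolog(deny_list, allow_list, name, addr->addr);` keeps the caller's single log line. The removed socket_allow_access() also returned false when talloc_strdup() of cname or caddr failed (which includes a NULL `name`), a guard the new helper may or may not provide; socket_check_access() starts before this hunk, so whether `name` can be NULL here is not visible.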