The branch, master has been updated
       via  de95124... s3: Move check_access to cgi.c, its only user
       via  70c5bed... s3: Replace calls to check_access by allow_access
      from  bc69a9d... Avoid use of Samba DTD, which requires net access.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit de951249356a3705fc2a3c51575134415ac0ea05
Author: Volker Lendecke <[email protected]>
Date:   Wed Aug 18 16:50:26 2010 +0200

    s3: Move check_access to cgi.c, its only user

commit 70c5bed4b2ca4660e8a06cee6d4e813744cc7be8
Author: Volker Lendecke <[email protected]>
Date:   Wed Aug 18 16:48:20 2010 +0200

    s3: Replace calls to check_access by allow_access
    
    We already have both the name and address of the client stored now

-----------------------------------------------------------------------

Summary of changes:
 source3/include/proto.h             |    1 -
 source3/lib/access.c                |   85 ++---------------------------------
 source3/rpc_server/srv_spoolss_nt.c |    4 +-
 source3/smbd/process.c              |   10 +++--
 source3/smbd/service.c              |    9 ++--
 source3/web/cgi.c                   |   81 +++++++++++++++++++++++++++++++++
 6 files changed, 98 insertions(+), 92 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/include/proto.h b/source3/include/proto.h
index a389966..50309a9 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -351,7 +351,6 @@ bool allow_access(const char **deny_list,
                const char **allow_list,
                const char *cname,
                const char *caddr);
-bool check_access(int sock, const char **allow_list, const char **deny_list);
 
 /* The following definitions come from passdb/account_pol.c  */
 
diff --git a/source3/lib/access.c b/source3/lib/access.c
index 9808218..1293dc0 100644
--- a/source3/lib/access.c
+++ b/source3/lib/access.c
@@ -328,88 +328,11 @@ bool allow_access(const char **deny_list,
 
        ret = allow_access_internal(deny_list, allow_list, nc_cname, nc_caddr);
 
+       DEBUG(ret ? 3 : 0,
+             ("%s connection from %s (%s)\n",
+              ret ? "Allowed" : "Denied", nc_cname, nc_caddr));
+
        SAFE_FREE(nc_cname);
        SAFE_FREE(nc_caddr);
        return ret;
 }
-
-/* return true if the char* contains ip addrs only.  Used to avoid
-name lookup calls */
-
-static bool only_ipaddrs_in_list(const char **list)
-{
-       bool only_ip = true;
-
-       if (!list) {
-               return true;
-       }
-
-       for (; *list ; list++) {
-               /* factor out the special strings */
-               if (strequal(*list, "ALL") || strequal(*list, "FAIL") ||
-                   strequal(*list, "EXCEPT")) {
-                       continue;
-               }
-
-               if (!is_ipaddress(*list)) {
-                       /*
-                        * If we failed, make sure that it was not because
-                        * the token was a network/netmask pair. Only
-                        * network/netmask pairs have a '/' in them.
-                        */
-                       if ((strchr_m(*list, '/')) == NULL) {
-                               only_ip = false;
-                               DEBUG(3,("only_ipaddrs_in_list: list has "
-                                       "non-ip address (%s)\n",
-                                       *list));
-                               break;
-                       }
-               }
-       }
-
-       return only_ip;
-}
-
-/* return true if access should be allowed to a service for a socket */
-bool check_access(int sock, const char **allow_list, const char **deny_list)
-{
-       bool ret = false;
-       bool only_ip = false;
-       char addr[INET6_ADDRSTRLEN];
-
-       if ((!deny_list || *deny_list==0) && (!allow_list || *allow_list==0)) {
-               return true;
-       }
-
-       /* Bypass name resolution calls if the lists
-        * only contain IP addrs */
-       if (only_ipaddrs_in_list(allow_list) &&
-           only_ipaddrs_in_list(deny_list)) {
-               only_ip = true;
-               DEBUG (3, ("check_access: no hostnames "
-                          "in host allow/deny list.\n"));
-               ret = allow_access(deny_list,
-                                  allow_list,
-                                  "",
-                                  get_peer_addr(sock,addr,sizeof(addr)));
-       } else {
-               DEBUG (3, ("check_access: hostnames in "
-                          "host allow/deny list.\n"));
-               ret = allow_access(deny_list,
-                                  allow_list,
-                                  get_peer_name(sock,true),
-                                  get_peer_addr(sock,addr,sizeof(addr)));
-       }
-
-       if (ret) {
-               DEBUG(2,("Allowed connection from %s (%s)\n",
-                        only_ip ? "" : get_peer_name(sock,true),
-                        get_peer_addr(sock,addr,sizeof(addr))));
-       } else {
-               DEBUG(0,("Denied connection from %s (%s)\n",
-                        only_ip ? "" : get_peer_name(sock,true),
-                        get_peer_addr(sock,addr,sizeof(addr))));
-       }
-
-       return(ret);
-}
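Review bot: The new DEBUG at the top of the hunk logs an accepted connection at level 3, whereas the removed check_access logged it at level 2 (`DEBUG(2,("Allowed connection from %s (%s)\n"`), so an installation that kept log level 2 precisely to audit accepted connections silently loses those records after this change; `DEBUG(ret ? 2 : 0,` would preserve the previous visibility while keeping denials at level 0. The hunk also drops the only_ipaddrs_in_list shortcut that skipped name resolution when both lists held only addresses, and whether allow_access still avoids depending on a resolved name in that case is decided in allow_access_internal, which is not visible here and should be checked. allow_access begins before the hunk.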
diff --git a/source3/rpc_server/srv_spoolss_nt.c 
b/source3/rpc_server/srv_spoolss_nt.c
index 46e47f5..287c720 100644
--- a/source3/rpc_server/srv_spoolss_nt.c
+++ b/source3/rpc_server/srv_spoolss_nt.c
@@ -1642,8 +1642,8 @@ WERROR _spoolss_OpenPrinterEx(struct pipes_struct *p,
 
                /* check smb.conf parameters and the the sec_desc */
 
-               if ( !check_access(smbd_server_fd(), lp_hostsallow(snum),
-                                  lp_hostsdeny(snum)) ) {
+               if (!allow_access(lp_hostsdeny(snum), lp_hostsallow(snum),
+                                 p->client_id->name, p->client_id->addr)) {
                        DEBUG(3, ("access DENIED (hosts allow/deny) for printer 
open\n"));
                        ZERO_STRUCTP(r->out.handle);
                        return WERR_ACCESS_DENIED;
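Review bot: The hosts allow/deny decision is now made on `p->client_id->name` and `p->client_id->addr`, and the hunk does not show where `p->client_id` is populated, so it should be confirmed that it is non-NULL and filled for every pipe that can reach _spoolss_OpenPrinterEx, since a NULL `client_id` would now crash where the old socket-based check could not. The same question applies to `sconn->client_id` in the two smbd/process.c hunks and to the `client_id` parameter introduced in smbd/service.c. If `name` is a stored reverse lookup, hostname entries in hosts allow/deny now match against that stored value on every call, so it should have been obtained with whatever verification `get_peer_name(sock, true)` applied; a comment on `struct client_address` stating when `name` is valid and how it was resolved would make that contract visible to these callers. _spoolss_OpenPrinterEx continues outside the hunk.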
diff --git a/source3/smbd/process.c b/source3/smbd/process.c
index d6acc82..126b6b7 100644
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -1554,8 +1554,9 @@ static connection_struct *switch_message(uint8 type, 
struct smb_request *req, in
        /* does this protocol need to be run as guest? */
        if ((flags & AS_GUEST)
            && (!change_to_guest() ||
-               !check_access(sconn->sock, lp_hostsallow(-1),
-                             lp_hostsdeny(-1)))) {
+               !allow_access(lp_hostsdeny(-1), lp_hostsallow(-1),
+                             sconn->client_id.name,
+                             sconn->client_id.addr))) {
                reply_nterror(req, NT_STATUS_ACCESS_DENIED);
                return conn;
        }
@@ -2982,8 +2983,9 @@ void smbd_process(struct smbd_server_connection *sconn)
         * the hosts allow list.
         */
 
-       if (!check_access(sconn->sock, lp_hostsallow(-1),
-                         lp_hostsdeny(-1))) {
+       if (!allow_access(lp_hostsdeny(-1), lp_hostsallow(-1),
+                         sconn->client_id.name,
+                         sconn->client_id.addr)) {
                /*
                 * send a negative session response "not listening on calling
                 * name"
diff --git a/source3/smbd/service.c b/source3/smbd/service.c
index ef74b39..d395572 100644
--- a/source3/smbd/service.c
+++ b/source3/smbd/service.c
@@ -424,11 +424,12 @@ int find_service(fstring service)
  This function modifies dev, ecode.
 ****************************************************************************/
 
-static NTSTATUS share_sanity_checks(int server_sock, int snum, fstring dev)
+static NTSTATUS share_sanity_checks(struct client_address *client_id, int snum,
+                                   fstring dev)
 {
        if (!lp_snum_ok(snum) || 
-           !check_access(server_sock,
-                         lp_hostsallow(snum), lp_hostsdeny(snum))) {    
+           !allow_access(lp_hostsdeny(snum), lp_hostsallow(snum),
+                         client_id->name, client_id->addr)) {
                return NT_STATUS_ACCESS_DENIED;
        }
 
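Review bot: The new `client_id` parameter of share_sanity_checks is only read (`client_id->name`, `client_id->addr`), so it should be declared `const struct client_address *client_id`, which also tells the caller in make_connection_snum that the struct it passes by address is not modified. The comment block above the signature still ends with "This function modifies dev, ecode." and describes the old parameter set; it should be extended to say that `client_id` supplies the client name and address matched against the share's hosts allow/deny lists. share_sanity_checks continues past the end of the hunk.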
@@ -658,7 +659,7 @@ connection_struct *make_connection_snum(struct 
smbd_server_connection *sconn,
 
        fstrcpy(dev, pdev);
 
-       *pstatus = share_sanity_checks(sconn->sock, snum, dev);
+       *pstatus = share_sanity_checks(&sconn->client_id, snum, dev);
        if (NT_STATUS_IS_ERR(*pstatus)) {
                goto err_root_exit;
        }
diff --git a/source3/web/cgi.c b/source3/web/cgi.c
index 3d7b32c..9c9a365 100644
--- a/source3/web/cgi.c
+++ b/source3/web/cgi.c
@@ -506,6 +506,87 @@ static void cgi_download(char *file)
 
 
 
+/* return true if the char* contains ip addrs only.  Used to avoid
+name lookup calls */
+
+static bool only_ipaddrs_in_list(const char **list)
+{
+       bool only_ip = true;
+
+       if (!list) {
+               return true;
+       }
+
+       for (; *list ; list++) {
+               /* factor out the special strings */
+               if (strequal(*list, "ALL") || strequal(*list, "FAIL") ||
+                   strequal(*list, "EXCEPT")) {
+                       continue;
+               }
+
+               if (!is_ipaddress(*list)) {
+                       /*
+                        * If we failed, make sure that it was not because
+                        * the token was a network/netmask pair. Only
+                        * network/netmask pairs have a '/' in them.
+                        */
+                       if ((strchr_m(*list, '/')) == NULL) {
+                               only_ip = false;
+                               DEBUG(3,("only_ipaddrs_in_list: list has "
+                                       "non-ip address (%s)\n",
+                                       *list));
+                               break;
+                       }
+               }
+       }
+
+       return only_ip;
+}
+
+/* return true if access should be allowed to a service for a socket */
+static bool check_access(int sock, const char **allow_list,
+                        const char **deny_list)
+{
+       bool ret = false;
+       bool only_ip = false;
+       char addr[INET6_ADDRSTRLEN];
+
+       if ((!deny_list || *deny_list==0) && (!allow_list || *allow_list==0)) {
+               return true;
+       }
+
+       /* Bypass name resolution calls if the lists
+        * only contain IP addrs */
+       if (only_ipaddrs_in_list(allow_list) &&
+           only_ipaddrs_in_list(deny_list)) {
+               only_ip = true;
+               DEBUG (3, ("check_access: no hostnames "
+                          "in host allow/deny list.\n"));
+               ret = allow_access(deny_list,
+                                  allow_list,
+                                  "",
+                                  get_peer_addr(sock,addr,sizeof(addr)));
+       } else {
+               DEBUG (3, ("check_access: hostnames in "
+                          "host allow/deny list.\n"));
+               ret = allow_access(deny_list,
+                                  allow_list,
+                                  get_peer_name(sock,true),
+                                  get_peer_addr(sock,addr,sizeof(addr)));
+       }
+
+       if (ret) {
+               DEBUG(2,("Allowed connection from %s (%s)\n",
+                        only_ip ? "" : get_peer_name(sock,true),
+                        get_peer_addr(sock,addr,sizeof(addr))));
+       } else {
+               DEBUG(0,("Denied connection from %s (%s)\n",
+                        only_ip ? "" : get_peer_name(sock,true),
+                        get_peer_addr(sock,addr,sizeof(addr))));
+       }
+
+       return(ret);
+}
 
 /**
  * @brief Setup the CGI framework.
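Review bot: In the moved check_access, `get_peer_name(sock, true)` is called once for the allow_access decision and again in the DEBUG line, and `get_peer_addr` up to three times, so the name and address written to the log are not guaranteed to be the ones the decision was made on, and the comment "Bypass name resolution calls" indicates each name call can repeat a lookup. Resolving them once before the branch — `const char *peer = get_peer_addr(sock, addr, sizeof(addr));` and `const char *name = only_ip ? "" : get_peer_name(sock, true);` — and passing those two locals to both allow_access and the DEBUG calls keeps the audit line consistent with the decision and removes the duplicated lookups. The copy is byte-for-byte the code removed from lib/access.c, so that refactor would have applied there too; while touching it, `DEBUG (3, (` spacing and `return(ret);` differ from the style of the surrounding cgi.c code.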


-- 
Samba Shared Repository
