samba-force-group.patch

   1 diff --git a/source/include/smb.h b/source/include/smb.h
   2 index a98d151..56d9461 100644
   3 --- a/source/include/smb.h
   4 +++ b/source/include/smb.h
   5 @@ -597,6 +597,12 @@ typedef struct connection_struct {
   6          */
   7         struct auth_serversupplied_info *server_info;
   8
   9 +       /*
  10 +        * If the "force group" parameter is set, this is the primary gid that
  11 +        * may be used in the users token, depending on the vuid using this tid.
  12 +        */
  13 +       gid_t force_group_gid;
  14 +
  15         char client_address[INET6_ADDRSTRLEN]; /* String version of client IP address. */
  16
  17         uint16 vuid; /* vuid of user who *opened* this connection, or UID_FIELD_INVALID */
  18 diff --git a/source/smbd/conn.c b/source/smbd/conn.c
  19 index 7f34d2b..a6eafcf 100644
  20 --- a/source/smbd/conn.c
  21 +++ b/source/smbd/conn.c
  22 @@ -145,6 +145,7 @@ find_again:
  23                 return NULL;
  24         }
  25         conn->cnum = i;
  26 +       conn->force_group_gid = (gid_t)-1;
  27
  28         bitmap_set(bmap, i);
  29
  30 diff --git a/source/smbd/service.c b/source/smbd/service.c
  31 index c39584a..5e75fce 100644
  32 --- a/source/smbd/service.c
  33 +++ b/source/smbd/service.c
  34 @@ -834,6 +834,14 @@ static connection_struct *make_connection_snum(int snum, user_struct *vuser,
  35                         *pstatus = status;
  36                         return NULL;
  37                 }
  38 +
  39 +               /*
  40 +                * We need to cache this gid, to use within
  41 +                * change_to_user() separately from the conn->server_info
  42 +                * struct. We only use conn->server_info directly if
  43 +                * "force_user" was set.
  44 +                */
  45 +               conn->force_group_gid = conn->server_info->utok.gid;
  46         }
  47
  48         conn->vuid = (vuser != NULL) ? vuser->vuid : UID_FIELD_INVALID;
  49 diff --git a/source/smbd/uid.c b/source/smbd/uid.c
  50 index 119a155..02f8cc9 100644
  51 --- a/source/smbd/uid.c
  52 +++ b/source/smbd/uid.c
  53 @@ -256,6 +256,8 @@ bool change_to_user(connection_struct *conn, uint16 vuid)
  54
  55         if((group_c = *lp_force_group(snum))) {
  56
  57 +               SMB_ASSERT(conn->force_group_gid != (gid_t)-1);
  58 +
  59                 if(group_c == '+') {
  60
  61                         /*
  62 @@ -268,15 +270,18 @@ bool change_to_user(connection_struct *conn, uint16 vuid)
  63                         int i;
  64                         for (i = 0; i < num_groups; i++) {
  65                                 if (group_list[i]
  66 -                                   == conn->server_info->utok.gid) {
  67 -                                       gid = conn->server_info->utok.gid;
  68 +                                   == conn->force_group_gid) {
  69 +                                       conn->server_info->utok.gid =
  70 +                                               conn->force_group_gid;
  71 +                                       gid = conn->force_group_gid;
  72                                         gid_to_sid(&conn->server_info->ptok
  73                                                    ->user_sids[1], gid);
  74                                         break;
  75                                 }
  76                         }
  77                 } else {
  78 -                       gid = conn->server_info->utok.gid;
  79 +                       conn->server_info->utok.gid = conn->force_group_gid;
  80 +                       gid = conn->force_group_gid;
  81                         gid_to_sid(&conn->server_info->ptok->user_sids[1],
  82                                    gid);
  83                 }