From: Andrew Bartlett Date: Fri, 20 Aug 2010 02:15:15 +0000 (+1000) Subject: s4:security Change struct security_token->sids from struct dom_sid * to struct dom_sid X-Git-Url: http://git.samba.org/samba.git/?p=kai%2Fsamba.git;a=commitdiff_plain;h=6cf29b3e4f3880882eb7df45dbcfaf7bd2b8d9f4 s4:security Change struct security_token->sids from struct dom_sid * to struct dom_sid This makes the structure much more like NT_USER_TOKEN in the source3/ code. (The remaining changes are that privilages still need to be merged) Andrew Bartlett --- diff --git a/librpc/idl/security.idl b/librpc/idl/security.idl index 5594542155a..b8b35d2c2bf 100644 --- a/librpc/idl/security.idl +++ b/librpc/idl/security.idl @@ -470,7 +470,7 @@ interface security typedef [public] struct { uint32 num_sids; - [size_is(num_sids)] dom_sid *sids[*]; + [size_is(num_sids)] dom_sid sids[*]; udlong privilege_mask; } security_token; diff --git a/source4/auth/system_session.c b/source4/auth/system_session.c index 4712702e467..bec22c16005 100644 --- a/source4/auth/system_session.c +++ b/source4/auth/system_session.c @@ -48,11 +48,11 @@ static NTSTATUS create_token(TALLOC_CTX *mem_ctx, ptoken = security_token_initialise(mem_ctx); NT_STATUS_HAVE_NO_MEMORY(ptoken); - ptoken->sids = talloc_array(ptoken, struct dom_sid *, n_groupSIDs + 5); + ptoken->sids = talloc_array(ptoken, struct dom_sid, n_groupSIDs + 5); NT_STATUS_HAVE_NO_MEMORY(ptoken->sids); - ptoken->sids[PRIMARY_USER_SID_INDEX] = talloc_reference(ptoken, user_sid); - ptoken->sids[PRIMARY_GROUP_SID_INDEX] = talloc_reference(ptoken, group_sid); + ptoken->sids[PRIMARY_USER_SID_INDEX] = *user_sid; + ptoken->sids[PRIMARY_GROUP_SID_INDEX] = *group_sid; ptoken->privilege_mask = 0; /* @@ -60,15 +60,19 @@ static NTSTATUS create_token(TALLOC_CTX *mem_ctx, * The only difference between guest and "anonymous" * is the addition of Authenticated_Users. */ - ptoken->sids[2] = dom_sid_parse_talloc(ptoken->sids, SID_WORLD); - NT_STATUS_HAVE_NO_MEMORY(ptoken->sids[2]); - ptoken->sids[3] = dom_sid_parse_talloc(ptoken->sids, SID_NT_NETWORK); - NT_STATUS_HAVE_NO_MEMORY(ptoken->sids[3]); + + if (!dom_sid_parse(SID_WORLD, &ptoken->sids[2])) { + return NT_STATUS_INTERNAL_ERROR; + } + if (!dom_sid_parse(SID_NT_NETWORK, &ptoken->sids[3])) { + return NT_STATUS_INTERNAL_ERROR; + } ptoken->num_sids = 4; if (is_authenticated) { - ptoken->sids[4] = dom_sid_parse_talloc(ptoken->sids, SID_NT_AUTHENTICATED_USERS); - NT_STATUS_HAVE_NO_MEMORY(ptoken->sids[4]); + if (!dom_sid_parse(SID_NT_AUTHENTICATED_USERS, &ptoken->sids[4])) { + return NT_STATUS_INTERNAL_ERROR; + } ptoken->num_sids++; } @@ -77,13 +81,13 @@ static NTSTATUS create_token(TALLOC_CTX *mem_ctx, for (check_sid_idx = 1; check_sid_idx < ptoken->num_sids; check_sid_idx++) { - if (dom_sid_equal(ptoken->sids[check_sid_idx], groupSIDs[i])) { + if (dom_sid_equal(&ptoken->sids[check_sid_idx], groupSIDs[i])) { break; } } if (check_sid_idx == ptoken->num_sids) { - ptoken->sids[ptoken->num_sids++] = talloc_reference(ptoken->sids, groupSIDs[i]); + ptoken->sids[ptoken->num_sids++] = *groupSIDs[i]; } } diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c index 55d252b1005..826884f8118 100644 --- a/source4/dsdb/samdb/ldb_modules/acl.c +++ b/source4/dsdb/samdb/ldb_modules/acl.c @@ -710,7 +710,7 @@ static int acl_check_self_membership(TALLOC_CTX *mem_ctx, } /* if we are adding/deleting ourselves, check for self membership */ ret = dsdb_find_dn_by_sid(ldb, mem_ctx, - acl_user_token(module)->sids[PRIMARY_USER_SID_INDEX], + &acl_user_token(module)->sids[PRIMARY_USER_SID_INDEX], &user_dn); if (ret != LDB_SUCCESS) { return ret; diff --git a/source4/dsdb/samdb/ldb_modules/operational.c b/source4/dsdb/samdb/ldb_modules/operational.c index c1da400b8d0..56fb272e2a5 100644 --- a/source4/dsdb/samdb/ldb_modules/operational.c +++ b/source4/dsdb/samdb/ldb_modules/operational.c @@ -181,7 +181,7 @@ static int construct_token_groups(struct ldb_module *module, for (i = 1; i < session_info->security_token->num_sids; i++) { ret = samdb_msg_add_dom_sid(ldb, msg, msg, "tokenGroups", - session_info->security_token->sids[i]); + &session_info->security_token->sids[i]); if (ret != LDB_SUCCESS) { talloc_free(tmp_ctx); return ret; diff --git a/source4/dsdb/samdb/ldb_modules/rootdse.c b/source4/dsdb/samdb/ldb_modules/rootdse.c index 3e5a94673f7..0949b83b433 100644 --- a/source4/dsdb/samdb/ldb_modules/rootdse.c +++ b/source4/dsdb/samdb/ldb_modules/rootdse.c @@ -392,7 +392,7 @@ static int rootdse_add_dynamic(struct ldb_module *module, struct ldb_message *ms for (i = 0; i < session_info->security_token->num_sids; i++) { if (samdb_msg_add_dom_sid(ldb, msg, msg, "tokenGroups", - session_info->security_token->sids[i]) != 0) { + &session_info->security_token->sids[i]) != 0) { goto failed; } } diff --git a/source4/dsdb/samdb/samdb.c b/source4/dsdb/samdb/samdb.c index 0a2d5c3c7cb..ddcd0d2d125 100644 --- a/source4/dsdb/samdb/samdb.c +++ b/source4/dsdb/samdb/samdb.c @@ -159,17 +159,17 @@ NTSTATUS security_token_create(TALLOC_CTX *mem_ctx, ptoken->privilege_mask = 0; - ptoken->sids = talloc_array(ptoken, struct dom_sid *, n_groupSIDs + 6 /* over-allocate */); + ptoken->sids = talloc_array(ptoken, struct dom_sid, n_groupSIDs + 6 /* over-allocate */); NT_STATUS_HAVE_NO_MEMORY(ptoken->sids); ptoken->num_sids = 1; - ptoken->sids = talloc_realloc(ptoken, ptoken->sids, struct dom_sid *, ptoken->num_sids + 1); + ptoken->sids = talloc_realloc(ptoken, ptoken->sids, struct dom_sid, ptoken->num_sids + 1); NT_STATUS_HAVE_NO_MEMORY(ptoken->sids); - ptoken->sids[PRIMARY_USER_SID_INDEX] = talloc_reference(ptoken, user_sid); + ptoken->sids[PRIMARY_USER_SID_INDEX] = *user_sid; if (!dom_sid_equal(user_sid, group_sid)) { - ptoken->sids[PRIMARY_GROUP_SID_INDEX] = talloc_reference(ptoken, group_sid); + ptoken->sids[PRIMARY_GROUP_SID_INDEX] = *group_sid; ptoken->num_sids++; } @@ -180,38 +180,37 @@ NTSTATUS security_token_create(TALLOC_CTX *mem_ctx, */ if (session_info_flags & AUTH_SESSION_INFO_DEFAULT_GROUPS) { - ptoken->sids = talloc_realloc(ptoken, ptoken->sids, struct dom_sid *, ptoken->num_sids + 1); + ptoken->sids = talloc_realloc(ptoken, ptoken->sids, struct dom_sid, ptoken->num_sids + 2); NT_STATUS_HAVE_NO_MEMORY(ptoken->sids); - ptoken->sids[ptoken->num_sids] = dom_sid_parse_talloc(ptoken->sids, SID_WORLD); - NT_STATUS_HAVE_NO_MEMORY(ptoken->sids[ptoken->num_sids]); + if (!dom_sid_parse(SID_WORLD, &ptoken->sids[ptoken->num_sids])) { + return NT_STATUS_INTERNAL_ERROR; + } ptoken->num_sids++; - ptoken->sids = talloc_realloc(ptoken, ptoken->sids, struct dom_sid *, ptoken->num_sids + 1); - NT_STATUS_HAVE_NO_MEMORY(ptoken->sids); - - ptoken->sids[ptoken->num_sids] = dom_sid_parse_talloc(ptoken->sids, SID_NT_NETWORK); - NT_STATUS_HAVE_NO_MEMORY(ptoken->sids[ptoken->num_sids]); + if (!dom_sid_parse(SID_NT_NETWORK, &ptoken->sids[ptoken->num_sids])) { + return NT_STATUS_INTERNAL_ERROR; + } ptoken->num_sids++; - - } if (session_info_flags & AUTH_SESSION_INFO_AUTHENTICATED) { - ptoken->sids = talloc_realloc(ptoken, ptoken->sids, struct dom_sid *, ptoken->num_sids + 1); + ptoken->sids = talloc_realloc(ptoken, ptoken->sids, struct dom_sid, ptoken->num_sids + 1); NT_STATUS_HAVE_NO_MEMORY(ptoken->sids); - ptoken->sids[ptoken->num_sids] = dom_sid_parse_talloc(ptoken->sids, SID_NT_AUTHENTICATED_USERS); - NT_STATUS_HAVE_NO_MEMORY(ptoken->sids[ptoken->num_sids]); + if (!dom_sid_parse(SID_NT_AUTHENTICATED_USERS, &ptoken->sids[ptoken->num_sids])) { + return NT_STATUS_INTERNAL_ERROR; + } ptoken->num_sids++; } if (session_info_flags & AUTH_SESSION_INFO_ENTERPRISE_DC) { - ptoken->sids = talloc_realloc(ptoken, ptoken->sids, struct dom_sid *, ptoken->num_sids + 1); + ptoken->sids = talloc_realloc(ptoken, ptoken->sids, struct dom_sid, ptoken->num_sids + 1); NT_STATUS_HAVE_NO_MEMORY(ptoken->sids); - ptoken->sids[ptoken->num_sids] = dom_sid_parse_talloc(ptoken->sids, SID_NT_ENTERPRISE_DCS); - NT_STATUS_HAVE_NO_MEMORY(ptoken->sids[ptoken->num_sids]); + if (!dom_sid_parse(SID_NT_ENTERPRISE_DCS, &ptoken->sids[ptoken->num_sids])) { + return NT_STATUS_INTERNAL_ERROR; + } ptoken->num_sids++; } @@ -220,19 +219,17 @@ NTSTATUS security_token_create(TALLOC_CTX *mem_ctx, for (check_sid_idx = 1; check_sid_idx < ptoken->num_sids; check_sid_idx++) { - if (dom_sid_equal(ptoken->sids[check_sid_idx], groupSIDs[i])) { + if (dom_sid_equal(&ptoken->sids[check_sid_idx], groupSIDs[i])) { break; } } if (check_sid_idx == ptoken->num_sids) { - ptoken->sids = talloc_realloc(ptoken, ptoken->sids, struct dom_sid *, ptoken->num_sids + 1); + ptoken->sids = talloc_realloc(ptoken, ptoken->sids, struct dom_sid, ptoken->num_sids + 1); NT_STATUS_HAVE_NO_MEMORY(ptoken->sids); - ptoken->sids[ptoken->num_sids] = talloc_reference(ptoken->sids, groupSIDs[i]); - NT_STATUS_HAVE_NO_MEMORY(ptoken->sids[ptoken->num_sids]); + ptoken->sids[ptoken->num_sids] = *groupSIDs[i]; ptoken->num_sids++; - } } diff --git a/source4/dsdb/samdb/samdb_privilege.c b/source4/dsdb/samdb/samdb_privilege.c index 38e5a338312..fd74133e2fd 100644 --- a/source4/dsdb/samdb/samdb_privilege.c +++ b/source4/dsdb/samdb/samdb_privilege.c @@ -119,7 +119,7 @@ NTSTATUS samdb_privilege_setup(struct tevent_context *ev_ctx, for (i=0;inum_sids;i++) { status = samdb_privilege_setup_sid(pdb, mem_ctx, - token, token->sids[i]); + token, &token->sids[i]); if (!NT_STATUS_IS_OK(status)) { talloc_free(mem_ctx); return status; diff --git a/source4/kdc/kpasswdd.c b/source4/kdc/kpasswdd.c index 36ddb65bb09..7148428e46e 100644 --- a/source4/kdc/kpasswdd.c +++ b/source4/kdc/kpasswdd.c @@ -224,11 +224,11 @@ static bool kpasswdd_change_password(struct kdc_server *kdc, DEBUG(3, ("Changing password of %s\\%s (%s)\n", session_info->server_info->domain_name, session_info->server_info->account_name, - dom_sid_string(mem_ctx, session_info->security_token->sids[PRIMARY_USER_SID_INDEX]))); + dom_sid_string(mem_ctx, &session_info->security_token->sids[PRIMARY_USER_SID_INDEX]))); /* Performs the password change */ status = samdb_set_password_sid(samdb, mem_ctx, - session_info->security_token->sids[PRIMARY_USER_SID_INDEX], + &session_info->security_token->sids[PRIMARY_USER_SID_INDEX], password, NULL, NULL, oldLmHash, oldNtHash, /* this is a user password change */ &reject_reason, @@ -382,7 +382,7 @@ static bool kpasswd_process_request(struct kdc_server *kdc, DEBUG(3, ("%s\\%s (%s) is changing password of %s\n", session_info->server_info->domain_name, session_info->server_info->account_name, - dom_sid_string(mem_ctx, session_info->security_token->sids[PRIMARY_USER_SID_INDEX]), + dom_sid_string(mem_ctx, &session_info->security_token->sids[PRIMARY_USER_SID_INDEX]), set_password_on_princ)); ret = ldb_transaction_start(samdb); if (ret != LDB_SUCCESS) { diff --git a/source4/lib/policy/gp_ldap.c b/source4/lib/policy/gp_ldap.c index e566ca4e0fd..87fde9dbd78 100644 --- a/source4/lib/policy/gp_ldap.c +++ b/source4/lib/policy/gp_ldap.c @@ -443,7 +443,7 @@ NTSTATUS gp_list_gpos(struct gp_context *gp_ctx, struct security_token *token, c mem_ctx = talloc_new(gp_ctx); NT_STATUS_HAVE_NO_MEMORY(mem_ctx); - sid = dom_sid_string(mem_ctx, token->sids[PRIMARY_USER_SID_INDEX]); + sid = dom_sid_string(mem_ctx, &token->sids[PRIMARY_USER_SID_INDEX]); /* Find the user DN and objectclass via the sid from the security token */ rv = ldb_search(gp_ctx->ldb_ctx, diff --git a/source4/libcli/security/create_descriptor.c b/source4/libcli/security/create_descriptor.c index cb52d6502e2..ad6a599969d 100644 --- a/source4/libcli/security/create_descriptor.c +++ b/source4/libcli/security/create_descriptor.c @@ -367,7 +367,7 @@ struct security_descriptor *create_security_descriptor(TALLOC_CTX *mem_ctx, if ((inherit_flags & SEC_OWNER_FROM_PARENT) && parent_sd) { new_owner = parent_sd->owner_sid; } else if (!default_owner) { - new_owner = token->sids[PRIMARY_USER_SID_INDEX]; + new_owner = &token->sids[PRIMARY_USER_SID_INDEX]; } else { new_owner = default_owner; new_sd->type |= SEC_DESC_OWNER_DEFAULTED; @@ -379,11 +379,11 @@ struct security_descriptor *create_security_descriptor(TALLOC_CTX *mem_ctx, if (!creator_sd || !creator_sd->group_sid){ if ((inherit_flags & SEC_GROUP_FROM_PARENT) && parent_sd) { new_group = parent_sd->group_sid; - } else if (!default_group && token->sids[PRIMARY_GROUP_SID_INDEX]) { - new_group = token->sids[PRIMARY_GROUP_SID_INDEX]; + } else if (!default_group && token->num_sids > PRIMARY_GROUP_SID_INDEX) { + new_group = &token->sids[PRIMARY_GROUP_SID_INDEX]; } else if (!default_group) { /* This will happen only for anonymous, which has no other groups */ - new_group = token->sids[PRIMARY_USER_SID_INDEX]; + new_group = &token->sids[PRIMARY_USER_SID_INDEX]; } else { new_group = default_group; new_sd->type |= SEC_DESC_GROUP_DEFAULTED; diff --git a/source4/libcli/security/security_token.c b/source4/libcli/security/security_token.c index f9be977a26b..e5ea5985650 100644 --- a/source4/libcli/security/security_token.c +++ b/source4/libcli/security/security_token.c @@ -65,7 +65,7 @@ void security_token_debug(int dbg_lev, const struct security_token *token) (unsigned long)token->num_sids)); for (i = 0; i < token->num_sids; i++) { DEBUGADD(dbg_lev, (" SID[%3lu]: %s\n", (unsigned long)i, - dom_sid_string(mem_ctx, token->sids[i]))); + dom_sid_string(mem_ctx, &token->sids[i]))); } security_token_debug_privileges(dbg_lev, token); @@ -77,7 +77,7 @@ void security_token_debug(int dbg_lev, const struct security_token *token) bool security_token_is_sid(const struct security_token *token, const struct dom_sid *sid) { - if (token->sids && dom_sid_equal(token->sids[PRIMARY_USER_SID_INDEX], sid)) { + if (token->sids && dom_sid_equal(&token->sids[PRIMARY_USER_SID_INDEX], sid)) { return true; } return false; @@ -109,7 +109,7 @@ bool security_token_has_sid(const struct security_token *token, const struct dom { int i; for (i = 0; i < token->num_sids; i++) { - if (dom_sid_equal(token->sids[i], sid)) { + if (dom_sid_equal(&token->sids[i], sid)) { return true; } } diff --git a/source4/ntvfs/unixuid/vfs_unixuid.c b/source4/ntvfs/unixuid/vfs_unixuid.c index d36ae157453..c37b46e627c 100644 --- a/source4/ntvfs/unixuid/vfs_unixuid.c +++ b/source4/ntvfs/unixuid/vfs_unixuid.c @@ -190,7 +190,7 @@ static NTSTATUS nt_token_to_unix_security(struct ntvfs_module_context *ntvfs, for (i=0;inum_sids;i++) { ZERO_STRUCT(ids[i].xid); - ids[i].sid = token->sids[i]; + ids[i].sid = &token->sids[i]; ids[i].status = ID_UNKNOWN; } diff --git a/source4/rpc_server/drsuapi/getncchanges.c b/source4/rpc_server/drsuapi/getncchanges.c index 8648d5dafad..7a1ccd90a4c 100644 --- a/source4/rpc_server/drsuapi/getncchanges.c +++ b/source4/rpc_server/drsuapi/getncchanges.c @@ -1019,7 +1019,7 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_ return werr; } - user_sid = dce_call->conn->auth_state.session_info->security_token->sids[PRIMARY_USER_SID_INDEX]; + user_sid = &dce_call->conn->auth_state.session_info->security_token->sids[PRIMARY_USER_SID_INDEX]; /* for non-administrator replications, check that they have diff --git a/source4/rpc_server/drsuapi/updaterefs.c b/source4/rpc_server/drsuapi/updaterefs.c index 08d49baf2b8..e911838637b 100644 --- a/source4/rpc_server/drsuapi/updaterefs.c +++ b/source4/rpc_server/drsuapi/updaterefs.c @@ -215,11 +215,11 @@ WERROR dcesrv_drsuapi_DsReplicaUpdateRefs(struct dcesrv_call_state *dce_call, TA /* check that they are using an DSA objectGUID that they own */ ret = dsdb_validate_dsa_guid(b_state->sam_ctx, &req->dest_dsa_guid, - dce_call->conn->auth_state.session_info->security_token->sids[PRIMARY_USER_SID_INDEX]); + &dce_call->conn->auth_state.session_info->security_token->sids[PRIMARY_USER_SID_INDEX]); if (ret != LDB_SUCCESS) { DEBUG(0,(__location__ ": Refusing DsReplicaUpdateRefs for sid %s with GUID %s\n", dom_sid_string(mem_ctx, - dce_call->conn->auth_state.session_info->security_token->sids[PRIMARY_USER_SID_INDEX]), + &dce_call->conn->auth_state.session_info->security_token->sids[PRIMARY_USER_SID_INDEX]), GUID_string(mem_ctx, &req->dest_dsa_guid))); return WERR_DS_DRA_ACCESS_DENIED; } diff --git a/source4/rpc_server/handles.c b/source4/rpc_server/handles.c index 495d42ab4a8..e70510c8759 100644 --- a/source4/rpc_server/handles.c +++ b/source4/rpc_server/handles.c @@ -44,7 +44,7 @@ _PUBLIC_ struct dcesrv_handle *dcesrv_handle_new(struct dcesrv_connection_contex struct dcesrv_handle *h; struct dom_sid *sid; - sid = context->conn->auth_state.session_info->security_token->sids[PRIMARY_USER_SID_INDEX]; + sid = &context->conn->auth_state.session_info->security_token->sids[PRIMARY_USER_SID_INDEX]; h = talloc(context->assoc_group, struct dcesrv_handle); if (!h) { @@ -80,7 +80,7 @@ _PUBLIC_ struct dcesrv_handle *dcesrv_handle_fetch( struct dcesrv_handle *h; struct dom_sid *sid; - sid = context->conn->auth_state.session_info->security_token->sids[PRIMARY_USER_SID_INDEX]; + sid = &context->conn->auth_state.session_info->security_token->sids[PRIMARY_USER_SID_INDEX]; if (policy_handle_empty(p)) { /* TODO: we should probably return a NULL handle here */ diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c index 371419fa700..9c9ad4590bb 100644 --- a/source4/rpc_server/lsa/dcesrv_lsa.c +++ b/source4/rpc_server/lsa/dcesrv_lsa.c @@ -338,7 +338,7 @@ static NTSTATUS dcesrv_lsa_QuerySecurity(struct dcesrv_call_state *dce_call, TAL DCESRV_PULL_HANDLE(h, r->in.handle, DCESRV_HANDLE_ANY); - sid = dce_call->conn->auth_state.session_info->security_token->sids[PRIMARY_USER_SID_INDEX]; + sid = &dce_call->conn->auth_state.session_info->security_token->sids[PRIMARY_USER_SID_INDEX]; if (h->wire_handle.handle_type == LSA_HANDLE_POLICY) { status = dcesrv_build_lsa_sd(mem_ctx, &sd, sid, 0); diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index 7d4349ff525..0d3e2cfb0dc 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -617,7 +617,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, for (i=0; isecurity_token->num_sids; i++) { struct security_token *token = session_info->security_token; const char *sidstr = dom_sid_string(session_info, - token->sids[i]); + &token->sids[i]); grouplist = talloc_asprintf_append_buffer(grouplist, "%s,", sidstr); }