source3/auth/token_util.c

   1 /*
   2  *  Unix SMB/CIFS implementation.
   3  *  Authentication utility functions
   4  *  Copyright (C) Andrew Tridgell 1992-1998
   5  *  Copyright (C) Andrew Bartlett 2001
   6  *  Copyright (C) Jeremy Allison 2000-2001
   7  *  Copyright (C) Rafal Szczesniak 2002
   8  *  Copyright (C) Volker Lendecke 2006
   9  *  Copyright (C) Michael Adam 2007
  10  *
  11  *  This program is free software; you can redistribute it and/or modify
  12  *  it under the terms of the GNU General Public License as published by
  13  *  the Free Software Foundation; either version 3 of the License, or
  14  *  (at your option) any later version.
  15  *
  16  *  This program is distributed in the hope that it will be useful,
  17  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
  18  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  19  *  GNU General Public License for more details.
  20  *
  21  *  You should have received a copy of the GNU General Public License
  22  *  along with this program; if not, see <http://www.gnu.org/licenses/>.
  23  */
  24
  25 /* functions moved from auth/auth_util.c to minimize linker deps */
  26
  27 #include "includes.h"
  28
  29 /****************************************************************************
  30  Check for a SID in an NT_USER_TOKEN
  31 ****************************************************************************/
  32
  33 bool nt_token_check_sid ( const DOM_SID *sid, const NT_USER_TOKEN *token )
  34 {
  35         int i;
  36
  37         if ( !sid || !token )
  38                 return False;
  39
  40         for ( i=0; i<token->num_sids; i++ ) {
  41                 if ( sid_equal( sid, &token->user_sids[i] ) )
  42                         return True;
  43         }
  44
  45         return False;
  46 }
  47
  48 bool nt_token_check_domain_rid( NT_USER_TOKEN *token, uint32 rid )
  49 {
  50         DOM_SID domain_sid;
  51
  52         /* if we are a domain member, the get the domain SID, else for
  53            a DC or standalone server, use our own SID */
  54
  55         if ( lp_server_role() == ROLE_DOMAIN_MEMBER ) {
  56                 if ( !secrets_fetch_domain_sid( lp_workgroup(),
  57                                                 &domain_sid ) ) {
  58                         DEBUG(1,("nt_token_check_domain_rid: Cannot lookup "
  59                                  "SID for domain [%s]\n", lp_workgroup()));
  60                         return False;
  61                 }
  62         }
  63         else
  64                 sid_copy( &domain_sid, get_global_sam_sid() );
  65
  66         sid_append_rid( &domain_sid, rid );
  67
  68         return nt_token_check_sid( &domain_sid, token );\
  69 }
  70
  71 /******************************************************************************
  72  Create a token for the root user to be used internally by smbd.
  73  This is similar to running under the context of the LOCAL_SYSTEM account
  74  in Windows.  This is a read-only token.  Do not modify it or free() it.
  75  Create a copy if your need to change it.
  76 ******************************************************************************/
  77
  78 NT_USER_TOKEN *get_root_nt_token( void )
  79 {
  80         struct nt_user_token *token = NULL;
  81         DOM_SID u_sid, g_sid;
  82         struct passwd *pw;
  83         void *cache_data;
  84
  85         cache_data = memcache_lookup_talloc(
  86                 NULL, SINGLETON_CACHE_TALLOC,
  87                 data_blob_string_const("root_nt_token"));
  88
  89         if (cache_data != NULL) {
  90                 return talloc_get_type_abort(
  91                         cache_data, struct nt_user_token);
  92         }
  93
  94         if ( !(pw = sys_getpwnam( "root" )) ) {
  95                 DEBUG(0,("get_root_nt_token: getpwnam(\"root\") failed!\n"));
  96                 return NULL;
  97         }
  98
  99         /* get the user and primary group SIDs; although the
 100            BUILTIN\Administrators SId is really the one that matters here */
 101
 102         uid_to_sid(&u_sid, pw->pw_uid);
 103         gid_to_sid(&g_sid, pw->pw_gid);
 104
 105         token = create_local_nt_token(NULL, &u_sid, False,
 106                                       1, &global_sid_Builtin_Administrators);
 107
 108         token->privileges = se_disk_operators;
 109
 110         memcache_add_talloc(
 111                 NULL, SINGLETON_CACHE_TALLOC,
 112                 data_blob_string_const("root_nt_token"), token);
 113
 114         return token;
 115 }
 116
 117
 118 /*
 119  * Add alias SIDs from memberships within the partially created token SID list
 120  */
 121
 122 NTSTATUS add_aliases(const DOM_SID *domain_sid,
 123                      struct nt_user_token *token)
 124 {
 125         uint32 *aliases;
 126         size_t i, num_aliases;
 127         NTSTATUS status;
 128         TALLOC_CTX *tmp_ctx;
 129
 130         if (!(tmp_ctx = talloc_init("add_aliases"))) {
 131                 return NT_STATUS_NO_MEMORY;
 132         }
 133
 134         aliases = NULL;
 135         num_aliases = 0;
 136
 137         status = pdb_enum_alias_memberships(tmp_ctx, domain_sid,
 138                                             token->user_sids,
 139                                             token->num_sids,
 140                                             &aliases, &num_aliases);
 141
 142         if (!NT_STATUS_IS_OK(status)) {
 143                 DEBUG(10, ("pdb_enum_alias_memberships failed: %s\n",
 144                            nt_errstr(status)));
 145                 goto done;
 146         }
 147
 148         for (i=0; i<num_aliases; i++) {
 149                 DOM_SID alias_sid;
 150                 sid_compose(&alias_sid, domain_sid, aliases[i]);
 151                 status = add_sid_to_array_unique(token, &alias_sid,
 152                                                  &token->user_sids,
 153                                                  &token->num_sids);
 154                 if (!NT_STATUS_IS_OK(status)) {
 155                         DEBUG(0, ("add_sid_to_array failed\n"));
 156                         goto done;
 157                 }
 158         }
 159
 160 done:
 161         TALLOC_FREE(tmp_ctx);
 162         return NT_STATUS_OK;
 163 }
 164
 165 /*******************************************************************
 166 *******************************************************************/
 167
 168 static NTSTATUS add_builtin_administrators(struct nt_user_token *token,
 169                                            const DOM_SID *dom_sid)
 170 {
 171         DOM_SID domadm;
 172         NTSTATUS status;
 173
 174         /* nothing to do if we aren't in a domain */
 175
 176         if ( !(IS_DC || lp_server_role()==ROLE_DOMAIN_MEMBER) ) {
 177                 return NT_STATUS_OK;
 178         }
 179
 180         /* Find the Domain Admins SID */
 181
 182         if ( IS_DC ) {
 183                 sid_copy( &domadm, get_global_sam_sid() );
 184         } else {
 185                 sid_copy(&domadm, dom_sid);
 186         }
 187         sid_append_rid( &domadm, DOMAIN_GROUP_RID_ADMINS );
 188
 189         /* Add Administrators if the user beloongs to Domain Admins */
 190
 191         if ( nt_token_check_sid( &domadm, token ) ) {
 192                 status = add_sid_to_array(token,
 193                                           &global_sid_Builtin_Administrators,
 194                                           &token->user_sids, &token->num_sids);
 195         if (!NT_STATUS_IS_OK(status)) {
 196                         return status;
 197                 }
 198         }
 199
 200         return NT_STATUS_OK;
 201 }
 202
 203 /**
 204  * Create the requested BUILTIN if it doesn't already exist.  This requires
 205  * winbindd to be running.
 206  *
 207  * @param[in] rid BUILTIN rid to create
 208  * @return Normal NTSTATUS return.
 209  */
 210 static NTSTATUS create_builtin(uint32 rid)
 211 {
 212         NTSTATUS status = NT_STATUS_OK;
 213         DOM_SID sid;
 214         gid_t gid;
 215
 216         if (!sid_compose(&sid, &global_sid_Builtin, rid)) {
 217                 return NT_STATUS_NO_SUCH_ALIAS;
 218         }
 219
 220         if (!sid_to_gid(&sid, &gid)) {
 221                 if (!lp_winbind_nested_groups() || !winbind_ping()) {
 222                         return NT_STATUS_PROTOCOL_UNREACHABLE;
 223                 }
 224                 status = pdb_create_builtin_alias(rid);
 225         }
 226         return status;
 227 }
 228
 229 /**
 230  * Add sid as a member of builtin_sid.
 231  *
 232  * @param[in] builtin_sid       An existing builtin group.
 233  * @param[in] dom_sid           sid to add as a member of builtin_sid.
 234  * @return Normal NTSTATUS return
 235  */
 236 static NTSTATUS add_sid_to_builtin(const DOM_SID *builtin_sid,
 237                                    const DOM_SID *dom_sid)
 238 {
 239         NTSTATUS status = NT_STATUS_OK;
 240
 241         if (!dom_sid || !builtin_sid) {
 242                 return NT_STATUS_INVALID_PARAMETER;
 243         }
 244
 245         status = pdb_add_aliasmem(builtin_sid, dom_sid);
 246
 247         if (NT_STATUS_EQUAL(status, NT_STATUS_MEMBER_IN_ALIAS)) {
 248                 DEBUG(5, ("add_sid_to_builtin %s is already a member of %s\n",
 249                           sid_string_dbg(dom_sid),
 250                           sid_string_dbg(builtin_sid)));
 251                 return NT_STATUS_OK;
 252         }
 253
 254         if (!NT_STATUS_IS_OK(status)) {
 255                 DEBUG(4, ("add_sid_to_builtin %s could not be added to %s: "
 256                           "%s\n", sid_string_dbg(dom_sid),
 257                           sid_string_dbg(builtin_sid), nt_errstr(status)));
 258         }
 259         return status;
 260 }
 261
 262 /*******************************************************************
 263 *******************************************************************/
 264
 265 NTSTATUS create_builtin_users(const DOM_SID *dom_sid)
 266 {
 267         NTSTATUS status;
 268         DOM_SID dom_users;
 269
 270         status = create_builtin(BUILTIN_ALIAS_RID_USERS);
 271         if ( !NT_STATUS_IS_OK(status) ) {
 272                 DEBUG(5,("create_builtin_users: Failed to create Users\n"));
 273                 return status;
 274         }
 275
 276         /* add domain users */
 277         if ((IS_DC || (lp_server_role() == ROLE_DOMAIN_MEMBER))
 278                 && sid_compose(&dom_users, dom_sid, DOMAIN_GROUP_RID_USERS))
 279         {
 280                 status = add_sid_to_builtin(&global_sid_Builtin_Users,
 281                                             &dom_users);
 282         }
 283
 284         return status;
 285 }
 286
 287 /*******************************************************************
 288 *******************************************************************/
 289
 290 NTSTATUS create_builtin_administrators(const DOM_SID *dom_sid)
 291 {
 292         NTSTATUS status;
 293         DOM_SID dom_admins, root_sid;
 294         enum lsa_SidType type;
 295         TALLOC_CTX *ctx;
 296         bool ret;
 297
 298         status = create_builtin(BUILTIN_ALIAS_RID_ADMINS);
 299         if ( !NT_STATUS_IS_OK(status) ) {
 300                 DEBUG(5,("create_builtin_administrators: Failed to create Administrators\n"));
 301                 return status;
 302         }
 303
 304         /* add domain admins */
 305         if ((IS_DC || (lp_server_role() == ROLE_DOMAIN_MEMBER))
 306                 && sid_compose(&dom_admins, dom_sid, DOMAIN_GROUP_RID_ADMINS))
 307         {
 308                 status = add_sid_to_builtin(&global_sid_Builtin_Administrators,
 309                                             &dom_admins);
 310                 if (!NT_STATUS_IS_OK(status)) {
 311                         return status;
 312                 }
 313         }
 314
 315         /* add root */
 316         if ( (ctx = talloc_init("create_builtin_administrators")) == NULL ) {
 317                 return NT_STATUS_NO_MEMORY;
 318         }
 319         ret = lookup_domain_name(ctx, get_global_sam_name(), "root",
 320                                  LOOKUP_NAME_DOMAIN,
 321                                  NULL, NULL, &root_sid, &type);
 322         TALLOC_FREE( ctx );
 323
 324         if ( ret ) {
 325                 status = add_sid_to_builtin(&global_sid_Builtin_Administrators,
 326                                             &root_sid);
 327         }
 328
 329         return status;
 330 }
 331
 332
 333 /*******************************************************************
 334  Create a NT token for the user, expanding local aliases
 335 *******************************************************************/
 336
 337 struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx,
 338                                             const DOM_SID *user_sid,
 339                                             bool is_guest,
 340                                             int num_groupsids,
 341                                             const DOM_SID *groupsids)
 342 {
 343         struct nt_user_token *result = NULL;
 344         int i;
 345         NTSTATUS status;
 346         gid_t gid;
 347         DOM_SID dom_sid;
 348
 349         DEBUG(10, ("Create local NT token for %s\n",
 350                    sid_string_dbg(user_sid)));
 351
 352         if (!(result = TALLOC_ZERO_P(mem_ctx, struct nt_user_token))) {
 353                 DEBUG(0, ("talloc failed\n"));
 354                 return NULL;
 355         }
 356
 357         /* Add the user and primary group sid */
 358
 359         status = add_sid_to_array(result, user_sid,
 360                                   &result->user_sids, &result->num_sids);
 361         if (!NT_STATUS_IS_OK(status)) {
 362                 return NULL;
 363         }
 364
 365         /* For guest, num_groupsids may be zero. */
 366         if (num_groupsids) {
 367                 status = add_sid_to_array(result, &groupsids[0],
 368                                           &result->user_sids,
 369                                           &result->num_sids);
 370                 if (!NT_STATUS_IS_OK(status)) {
 371                         return NULL;
 372                 }
 373         }
 374
 375         /* Add in BUILTIN sids */
 376
 377         status = add_sid_to_array(result, &global_sid_World,
 378                                   &result->user_sids, &result->num_sids);
 379         if (!NT_STATUS_IS_OK(status)) {
 380                 return NULL;
 381         }
 382         status = add_sid_to_array(result, &global_sid_Network,
 383                                   &result->user_sids, &result->num_sids);
 384         if (!NT_STATUS_IS_OK(status)) {
 385                 return NULL;
 386         }
 387
 388         if (is_guest) {
 389                 status = add_sid_to_array(result, &global_sid_Builtin_Guests,
 390                                           &result->user_sids,
 391                                           &result->num_sids);
 392                 if (!NT_STATUS_IS_OK(status)) {
 393                         return NULL;
 394                 }
 395         } else {
 396                 status = add_sid_to_array(result,
 397                                           &global_sid_Authenticated_Users,
 398                                           &result->user_sids,
 399                                           &result->num_sids);
 400                 if (!NT_STATUS_IS_OK(status)) {
 401                         return NULL;
 402                 }
 403         }
 404
 405         /* Now the SIDs we got from authentication. These are the ones from
 406          * the info3 struct or from the pdb_enum_group_memberships, depending
 407          * on who authenticated the user.
 408          * Note that we start the for loop at "1" here, we already added the
 409          * first group sid as primary above. */
 410
 411         for (i=1; i<num_groupsids; i++) {
 412                 status = add_sid_to_array_unique(result, &groupsids[i],
 413                                                  &result->user_sids,
 414                                                  &result->num_sids);
 415                 if (!NT_STATUS_IS_OK(status)) {
 416                         return NULL;
 417                 }
 418         }
 419
 420         /* Deal with the BUILTIN\Administrators group.  If the SID can
 421            be resolved then assume that the add_aliasmem( S-1-5-32 )
 422            handled it. */
 423
 424         if (!sid_to_gid(&global_sid_Builtin_Administrators, &gid)) {
 425
 426                 become_root();
 427                 if (!secrets_fetch_domain_sid(lp_workgroup(), &dom_sid)) {
 428                         status = NT_STATUS_OK;
 429                         DEBUG(3, ("Failed to fetch domain sid for %s\n",
 430                                   lp_workgroup()));
 431                 } else {
 432                         status = create_builtin_administrators(&dom_sid);
 433                 }
 434                 unbecome_root();
 435
 436                 if (NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE)) {
 437                         /* Add BUILTIN\Administrators directly to token. */
 438                         status = add_builtin_administrators(result, &dom_sid);
 439                         if ( !NT_STATUS_IS_OK(status) ) {
 440                                 DEBUG(3, ("Failed to check for local "
 441                                           "Administrators membership (%s)\n",
 442                                           nt_errstr(status)));
 443                         }
 444                 } else if (!NT_STATUS_IS_OK(status)) {
 445                         DEBUG(2, ("WARNING: Failed to create "
 446                                   "BUILTIN\\Administrators group!  Can "
 447                                   "Winbind allocate gids?\n"));
 448                 }
 449         }
 450
 451         /* Deal with the BUILTIN\Users group.  If the SID can
 452            be resolved then assume that the add_aliasmem( S-1-5-32 )
 453            handled it. */
 454
 455         if (!sid_to_gid(&global_sid_Builtin_Users, &gid)) {
 456
 457                 become_root();
 458                 if (!secrets_fetch_domain_sid(lp_workgroup(), &dom_sid)) {
 459                         status = NT_STATUS_OK;
 460                         DEBUG(3, ("Failed to fetch domain sid for %s\n",
 461                                   lp_workgroup()));
 462                 } else {
 463                         status = create_builtin_users(&dom_sid);
 464                 }
 465                 unbecome_root();
 466
 467                 if (!NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE) &&
 468                     !NT_STATUS_IS_OK(status))
 469                 {
 470                         DEBUG(2, ("WARNING: Failed to create BUILTIN\\Users group! "
 471                                   "Can Winbind allocate gids?\n"));
 472                 }
 473         }
 474
 475         /* Deal with local groups */
 476
 477         if (lp_winbind_nested_groups()) {
 478
 479                 become_root();
 480
 481                 /* Now add the aliases. First the one from our local SAM */
 482
 483                 status = add_aliases(get_global_sam_sid(), result);
 484
 485                 if (!NT_STATUS_IS_OK(status)) {
 486                         unbecome_root();
 487                         TALLOC_FREE(result);
 488                         return NULL;
 489                 }
 490
 491                 /* Finally the builtin ones */
 492
 493                 status = add_aliases(&global_sid_Builtin, result);
 494
 495                 if (!NT_STATUS_IS_OK(status)) {
 496                         unbecome_root();
 497                         TALLOC_FREE(result);
 498                         return NULL;
 499                 }
 500
 501                 unbecome_root();
 502         }
 503
 504
 505         get_privileges_for_sids(&result->privileges, result->user_sids,
 506                                 result->num_sids);
 507         return result;
 508 }
 509
 510 /****************************************************************************
 511  prints a NT_USER_TOKEN to debug output.
 512 ****************************************************************************/
 513
 514 void debug_nt_user_token(int dbg_class, int dbg_lev, NT_USER_TOKEN *token)
 515 {
 516         size_t     i;
 517
 518         if (!token) {
 519                 DEBUGC(dbg_class, dbg_lev, ("NT user token: (NULL)\n"));
 520                 return;
 521         }
 522
 523         DEBUGC(dbg_class, dbg_lev,
 524                ("NT user token of user %s\n",
 525                 sid_string_dbg(&token->user_sids[0]) ));
 526         DEBUGADDC(dbg_class, dbg_lev,
 527                   ("contains %lu SIDs\n", (unsigned long)token->num_sids));
 528         for (i = 0; i < token->num_sids; i++)
 529                 DEBUGADDC(dbg_class, dbg_lev,
 530                           ("SID[%3lu]: %s\n", (unsigned long)i,
 531                            sid_string_dbg(&token->user_sids[i])));
 532
 533         dump_se_priv( dbg_class, dbg_lev, &token->privileges );
 534 }
 535
 536 /****************************************************************************
 537  prints a UNIX 'token' to debug output.
 538 ****************************************************************************/
 539
 540 void debug_unix_user_token(int dbg_class, int dbg_lev, uid_t uid, gid_t gid,
 541                            int n_groups, gid_t *groups)
 542 {
 543         int     i;
 544         DEBUGC(dbg_class, dbg_lev,
 545                ("UNIX token of user %ld\n", (long int)uid));
 546
 547         DEBUGADDC(dbg_class, dbg_lev,
 548                   ("Primary group is %ld and contains %i supplementary "
 549                    "groups\n", (long int)gid, n_groups));
 550         for (i = 0; i < n_groups; i++)
 551                 DEBUGADDC(dbg_class, dbg_lev, ("Group[%3i]: %ld\n", i,
 552                         (long int)groups[i]));
 553 }
 554
 555 /* END */