This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
+ the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "includes.h"
/*
- * Some useful sids
+ * Some useful sids, more well known sids can be found at
+ * http://support.microsoft.com/kb/243330/EN-US/
*/
{ 1, 1, {0,0,0,0,0,0}, {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
const DOM_SID global_sid_Authenticated_Users = /* All authenticated rids */
{ 1, 1, {0,0,0,0,0,5}, {11,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
+#if 0
+/* for documentation */
+const DOM_SID global_sid_Restriced = /* Restriced Code */
+{ 1, 1, {0,0,0,0,0,5}, {12,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
+#endif
const DOM_SID global_sid_Network = /* Network rids */
{ 1, 1, {0,0,0,0,0,5}, {2,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
{ 1, 2, {0,0,0,0,0,5}, {32,551,0,0,0,0,0,0,0,0,0,0,0,0,0}};
const DOM_SID global_sid_Builtin_Replicator = /* Builtin replicator */
{ 1, 2, {0,0,0,0,0,5}, {32,552,0,0,0,0,0,0,0,0,0,0,0,0,0}};
+const DOM_SID global_sid_Builtin_PreWin2kAccess = /* Builtin pre win2k access */
+{ 1, 2, {0,0,0,0,0,5}, {32,554,0,0,0,0,0,0,0,0,0,0,0,0,0}};
+const DOM_SID global_sid_Unix_Users = /* Unmapped Unix users */
+{ 1, 1, {0,0,0,0,0,22}, {1,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
+const DOM_SID global_sid_Unix_Groups = /* Unmapped Unix groups */
+{ 1, 1, {0,0,0,0,0,22}, {2,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
+
+/* Unused, left here for documentary purposes */
+#if 0
#define SECURITY_NULL_SID_AUTHORITY 0
#define SECURITY_WORLD_SID_AUTHORITY 1
#define SECURITY_LOCAL_SID_AUTHORITY 2
#define SECURITY_CREATOR_SID_AUTHORITY 3
#define SECURITY_NT_AUTHORITY 5
+#endif
/*
* An NT compatible anonymous token.
****************************************************************************/
static const struct {
- enum SID_NAME_USE sid_type;
+ enum lsa_SidType sid_type;
const char *string;
} sid_name_type[] = {
{SID_NAME_USER, "User"},
{SID_NAME_UNKNOWN, "UNKNOWN"},
{SID_NAME_COMPUTER, "Computer"},
- {(enum SID_NAME_USE)0, NULL}
+ {(enum lsa_SidType)0, NULL}
};
const char *sid_type_lookup(uint32 sid_type)
return global_myname();
}
-/**************************************************************************
- Splits a name of format \DOMAIN\name or name into its two components.
- Sets the DOMAIN name to global_myname() if it has not been specified.
-***************************************************************************/
+/*****************************************************************
+ Convert a SID to an ascii string.
+*****************************************************************/
-void split_domain_name(const char *fullname, char *domain, char *name)
+char *sid_to_fstring(fstring sidstr_out, const DOM_SID *sid)
{
- pstring full_name;
- const char *sep;
- char *p;
-
- sep = lp_winbind_separator();
-
- *domain = *name = '\0';
-
- if (fullname[0] == sep[0] || fullname[0] == '\\')
- fullname++;
-
- pstrcpy(full_name, fullname);
- p = strchr_m(full_name+1, '\\');
- if (!p) p = strchr_m(full_name+1, sep[0]);
-
- if (p != NULL) {
- *p = 0;
- fstrcpy(domain, full_name);
- fstrcpy(name, p+1);
- } else {
- fstrcpy(domain, get_global_sam_name());
- fstrcpy(name, full_name);
- }
-
- DEBUG(10,("split_domain_name:name '%s' split into domain :'%s' and user :'%s'\n",
- fullname, domain, name));
+ char *str = sid_string_talloc(talloc_tos(), sid);
+ fstrcpy(sidstr_out, str);
+ TALLOC_FREE(str);
+ return sidstr_out;
}
-/****************************************************************************
- Test if a SID is wellknown and resolvable.
-****************************************************************************/
-
-BOOL resolvable_wellknown_sid(DOM_SID *sid)
-{
- uint32 ia = (sid->id_auth[5]) +
- (sid->id_auth[4] << 8 ) +
- (sid->id_auth[3] << 16) +
- (sid->id_auth[2] << 24);
+/*****************************************************************
+ Essentially a renamed dom_sid_string from librpc/ndr with a
+ panic if it didn't work
- if (sid->sid_rev_num != SEC_DESC_REVISION || sid->num_auths < 1)
- return False;
+ This introduces a dependency on librpc/ndr/sid.o which can easily
+ be turned around if necessary
+*****************************************************************/
- return (ia == SECURITY_WORLD_SID_AUTHORITY ||
- ia == SECURITY_CREATOR_SID_AUTHORITY);
+char *sid_string_talloc(TALLOC_CTX *mem_ctx, const DOM_SID *sid)
+{
+ char *result = dom_sid_string(mem_ctx, sid);
+ SMB_ASSERT(result != NULL);
+ return result;
}
/*****************************************************************
- Convert a SID to an ascii string.
+ Useful function for debug lines.
*****************************************************************/
-char *sid_to_string(fstring sidstr_out, const DOM_SID *sid)
+char *sid_string_dbg(const DOM_SID *sid)
{
- char subauth[16];
- int i;
- uint32 ia;
-
- if (!sid) {
- fstrcpy(sidstr_out, "(NULL SID)");
- return sidstr_out;
- }
-
- /*
- * BIG NOTE: this function only does SIDS where the identauth is not >= 2^32
- * in a range of 2^48.
- */
- ia = (sid->id_auth[5]) +
- (sid->id_auth[4] << 8 ) +
- (sid->id_auth[3] << 16) +
- (sid->id_auth[2] << 24);
-
- slprintf(sidstr_out, sizeof(fstring) - 1, "S-%u-%lu", (unsigned int)sid->sid_rev_num, (unsigned long)ia);
-
- for (i = 0; i < sid->num_auths; i++) {
- slprintf(subauth, sizeof(subauth)-1, "-%lu", (unsigned long)sid->sub_auths[i]);
- fstrcat(sidstr_out, subauth);
- }
-
- return sidstr_out;
+ return sid_string_talloc(debug_ctx(), sid);
}
/*****************************************************************
- Useful function for debug lines.
-*****************************************************************/
+ Use with care!
+*****************************************************************/
-const char *sid_string_static(const DOM_SID *sid)
+char *sid_string_tos(const DOM_SID *sid)
{
- static fstring sid_str;
- sid_to_string(sid_str, sid);
- return sid_str;
+ return sid_string_talloc(talloc_tos(), sid);
}
/*****************************************************************
Convert a string to a SID. Returns True on success, False on fail.
*****************************************************************/
-BOOL string_to_sid(DOM_SID *sidout, const char *sidstr)
+bool string_to_sid(DOM_SID *sidout, const char *sidstr)
{
const char *p;
char *q;
uint32 conv;
if ((sidstr[0] != 'S' && sidstr[0] != 's') || sidstr[1] != '-') {
- DEBUG(0,("string_to_sid: Sid %s does not start with 'S-'.\n", sidstr));
+ DEBUG(3,("string_to_sid: Sid %s does not start with 'S-'.\n", sidstr));
return False;
}
p = sidstr + 2;
conv = (uint32) strtoul(p, &q, 10);
if (!q || (*q != '-')) {
- DEBUG(0,("string_to_sid: Sid %s is not in a valid format.\n", sidstr));
+ DEBUG(3,("string_to_sid: Sid %s is not in a valid format.\n", sidstr));
return False;
}
sidout->sid_rev_num = (uint8) conv;
Add a rid to the end of a sid
*****************************************************************/
-BOOL sid_append_rid(DOM_SID *sid, uint32 rid)
+bool sid_append_rid(DOM_SID *sid, uint32 rid)
{
if (sid->num_auths < MAXSUBAUTHS) {
sid->sub_auths[sid->num_auths++] = rid;
return False;
}
-BOOL sid_compose(DOM_SID *dst, const DOM_SID *domain_sid, uint32 rid)
+bool sid_compose(DOM_SID *dst, const DOM_SID *domain_sid, uint32 rid)
{
sid_copy(dst, domain_sid);
return sid_append_rid(dst, rid);
Removes the last rid from the end of a sid
*****************************************************************/
-BOOL sid_split_rid(DOM_SID *sid, uint32 *rid)
+bool sid_split_rid(DOM_SID *sid, uint32 *rid)
{
if (sid->num_auths > 0) {
sid->num_auths--;
Return the last rid from the end of a sid
*****************************************************************/
-BOOL sid_peek_rid(const DOM_SID *sid, uint32 *rid)
+bool sid_peek_rid(const DOM_SID *sid, uint32 *rid)
{
if (!sid || !rid)
return False;
and check the sid against the exp_dom_sid
*****************************************************************/
-BOOL sid_peek_check_rid(const DOM_SID *exp_dom_sid, const DOM_SID *sid, uint32 *rid)
+bool sid_peek_check_rid(const DOM_SID *exp_dom_sid, const DOM_SID *sid, uint32 *rid)
{
if (!exp_dom_sid || !sid || !rid)
return False;
Write a sid out into on-the-wire format.
*****************************************************************/
-BOOL sid_linearize(char *outbuf, size_t len, const DOM_SID *sid)
+bool sid_linearize(char *outbuf, size_t len, const DOM_SID *sid)
{
size_t i;
- if (len < sid_size(sid))
+ if (len < ndr_size_dom_sid(sid, 0))
return False;
SCVAL(outbuf,0,sid->sid_rev_num);
Parse a on-the-wire SID to a DOM_SID.
*****************************************************************/
-BOOL sid_parse(const char *inbuf, size_t len, DOM_SID *sid)
+bool sid_parse(const char *inbuf, size_t len, DOM_SID *sid)
{
int i;
if (len < 8)
Compare two sids.
*****************************************************************/
-BOOL sid_equal(const DOM_SID *sid1, const DOM_SID *sid2)
+bool sid_equal(const DOM_SID *sid1, const DOM_SID *sid2)
{
return sid_compare(sid1, sid2) == 0;
}
-/*****************************************************************
- Check if the SID is the builtin SID (S-1-5-32).
-*****************************************************************/
-
-BOOL sid_check_is_builtin(const DOM_SID *sid)
-{
- return sid_equal(sid, &global_sid_Builtin);
-}
-
-/*****************************************************************
- Check if the SID is one of the builtin SIDs (S-1-5-32-a).
-*****************************************************************/
-
-BOOL sid_check_is_in_builtin(const DOM_SID *sid)
-{
- DOM_SID dom_sid;
- uint32 rid;
-
- sid_copy(&dom_sid, sid);
- sid_split_rid(&dom_sid, &rid);
-
- return sid_equal(&dom_sid, &global_sid_Builtin);
-}
-
-/*****************************************************************
- Calculates size of a sid.
-*****************************************************************/
-
-size_t sid_size(const DOM_SID *sid)
-{
- if (sid == NULL)
- return 0;
-
- return sid->num_auths * sizeof(uint32) + 8;
-}
-
/*****************************************************************
Returns true if SID is internal (and non-mappable).
*****************************************************************/
-BOOL non_mappable_sid(DOM_SID *sid)
+bool non_mappable_sid(DOM_SID *sid)
{
DOM_SID dom;
uint32 rid;
char *sid_binstring(const DOM_SID *sid)
{
char *buf, *s;
- int len = sid_size(sid);
- buf = SMB_MALLOC(len);
+ int len = ndr_size_dom_sid(sid, 0);
+ buf = (char *)SMB_MALLOC(len);
+ if (!buf)
+ return NULL;
+ sid_linearize(buf, len, sid);
+ s = binary_string_rfc2254(buf, len);
+ free(buf);
+ return s;
+}
+
+/*****************************************************************
+ Return the binary string representation of a DOM_SID.
+ Caller must free.
+*****************************************************************/
+
+char *sid_binstring_hex(const DOM_SID *sid)
+{
+ char *buf, *s;
+ int len = ndr_size_dom_sid(sid, 0);
+ buf = (char *)SMB_MALLOC(len);
if (!buf)
return NULL;
sid_linearize(buf, len, sid);
Add SID to an array SIDs
********************************************************************/
-void add_sid_to_array(TALLOC_CTX *mem_ctx, const DOM_SID *sid,
+bool add_sid_to_array(TALLOC_CTX *mem_ctx, const DOM_SID *sid,
DOM_SID **sids, size_t *num)
{
- if (mem_ctx != NULL)
- *sids = TALLOC_REALLOC_ARRAY(mem_ctx, *sids, DOM_SID,
+ *sids = TALLOC_REALLOC_ARRAY(mem_ctx, *sids, DOM_SID,
(*num)+1);
- else
- *sids = SMB_REALLOC_ARRAY(*sids, DOM_SID, (*num)+1);
-
- if (*sids == NULL)
- return;
+ if (*sids == NULL) {
+ *num = 0;
+ return False;
+ }
sid_copy(&((*sids)[*num]), sid);
*num += 1;
- return;
+ return True;
}
Add SID to an array SIDs ensuring that it is not already there
********************************************************************/
-void add_sid_to_array_unique(TALLOC_CTX *mem_ctx, const DOM_SID *sid,
+bool add_sid_to_array_unique(TALLOC_CTX *mem_ctx, const DOM_SID *sid,
DOM_SID **sids, size_t *num_sids)
{
size_t i;
for (i=0; i<(*num_sids); i++) {
if (sid_compare(sid, &(*sids)[i]) == 0)
- return;
+ return True;
}
- add_sid_to_array(mem_ctx, sid, sids, num_sids);
+ return add_sid_to_array(mem_ctx, sid, sids, num_sids);
}
/********************************************************************
return;
}
+
+bool add_rid_to_array_unique(TALLOC_CTX *mem_ctx,
+ uint32 rid, uint32 **pp_rids, size_t *p_num)
+{
+ size_t i;
+
+ for (i=0; i<*p_num; i++) {
+ if ((*pp_rids)[i] == rid)
+ return True;
+ }
+
+ *pp_rids = TALLOC_REALLOC_ARRAY(mem_ctx, *pp_rids, uint32, *p_num+1);
+
+ if (*pp_rids == NULL) {
+ *p_num = 0;
+ return False;
+ }
+
+ (*pp_rids)[*p_num] = rid;
+ *p_num += 1;
+ return True;
+}
+
+bool is_null_sid(const DOM_SID *sid)
+{
+ static const DOM_SID null_sid = {0};
+ return sid_equal(sid, &null_sid);
+}
+
+NTSTATUS sid_array_from_info3(TALLOC_CTX *mem_ctx,
+ const NET_USER_INFO_3 *info3,
+ DOM_SID **user_sids,
+ size_t *num_user_sids,
+ bool include_user_group_rid)
+{
+ DOM_SID sid;
+ DOM_SID *sid_array = NULL;
+ size_t num_sids = 0;
+ int i;
+
+ if (include_user_group_rid) {
+
+ if (!sid_compose(&sid, &(info3->dom_sid.sid),
+ info3->user_rid)
+ || !add_sid_to_array(mem_ctx, &sid,
+ &sid_array, &num_sids)) {
+ DEBUG(3,("could not add user SID from rid 0x%x\n",
+ info3->user_rid));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if (!sid_compose(&sid, &(info3->dom_sid.sid),
+ info3->group_rid)
+ || !add_sid_to_array(mem_ctx, &sid,
+ &sid_array, &num_sids)) {
+ DEBUG(3,("could not append additional group rid 0x%x\n",
+ info3->group_rid));
+
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ }
+
+ for (i = 0; i < info3->num_groups2; i++) {
+ if (!sid_compose(&sid, &(info3->dom_sid.sid),
+ info3->gids[i].g_rid)
+ || !add_sid_to_array(mem_ctx, &sid,
+ &sid_array, &num_sids)) {
+ DEBUG(3,("could not append additional group rid 0x%x\n",
+ info3->gids[i].g_rid));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ }
+
+ /* Copy 'other' sids. We need to do sid filtering here to
+ prevent possible elevation of privileges. See:
+
+ http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp
+ */
+
+ for (i = 0; i < info3->num_other_sids; i++) {
+ if (!add_sid_to_array(mem_ctx, &info3->other_sids[i].sid,
+ &sid_array, &num_sids)) {
+ DEBUG(3, ("could not add SID to array: %s\n",
+ sid_string_dbg(&info3->other_sids[i].sid)));
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+
+ *user_sids = sid_array;
+ *num_user_sids = num_sids;
+
+ return NT_STATUS_OK;
+}
git.samba.org / jra / samba / .git / blobdiff