source3/sam/gums_helper.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3    GUMS backends helper functions
   4    Copyright (C) Simo Sorce 2002
   5
   6    This program is free software; you can redistribute it and/or modify
   7    it under the terms of the GNU General Public License as published by
   8    the Free Software Foundation; either version 2 of the License, or
   9    (at your option) any later version.
  10
  11    This program is distributed in the hope that it will be useful,
  12    but WITHOUT ANY WARRANTY; without even the implied warranty of
  13    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14    GNU General Public License for more details.
  15
  16    You should have received a copy of the GNU General Public License
  17    along with this program; if not, write to the Free Software
  18    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  19 */
  20
  21 #include "includes.h"
  22
  23 extern DOM_SID global_sid_World;
  24 extern DOM_SID global_sid_Builtin;
  25 extern DOM_SID global_sid_Builtin_Administrators;
  26 extern DOM_SID global_sid_Builtin_Power_Users;
  27 extern DOM_SID global_sid_Builtin_Account_Operators;
  28 extern DOM_SID global_sid_Builtin_Server_Operators;
  29 extern DOM_SID global_sid_Builtin_Print_Operators;
  30 extern DOM_SID global_sid_Builtin_Backup_Operators;
  31 extern DOM_SID global_sid_Builtin_Replicator;
  32 extern DOM_SID global_sid_Builtin_Users;
  33 extern DOM_SID global_sid_Builtin_Guests;
  34
  35
  36 /* defines */
  37
  38 #define ALLOC_CHECK(str, ptr, err, label) do { if ((ptr) == NULL) { DEBUG(0, ("%s: out of memory!\n", str)); err = NT_STATUS_NO_MEMORY; goto label; } } while(0)
  39 #define NTSTATUS_CHECK(err, label, str1, str2) do { if (NT_STATUS_IS_ERR(err)) { DEBUG(0, ("%s: %s\n", str1, str2)); } } while(0)
  40
  41 /****************************************************************************
  42  Check if a user is a mapped group.
  43
  44    This function will check if the group SID is mapped onto a
  45    system managed gid or onto a winbind manged sid.
  46    In the first case it will be threated like a mapped group
  47    and the backend should take the member list with a getgrgid
  48    and ignore any user that have been possibly set into the group
  49    object.
  50
  51    In the second case, the group is a fully SAM managed group
  52    served back to the system through winbind. In this case the
  53    members of a Local group are "unrolled" to cope with the fact
  54    that unix cannot contain groups inside groups.
  55    The backend MUST never call any getgr* / getpw* function or
  56    loops with winbind may happen.
  57  ****************************************************************************/
  58
  59 #if 0
  60 NTSTATUS is_mapped_group(BOOL *mapped, const DOM_SID *sid)
  61 {
  62         NTSTATUS result;
  63         gid_t id;
  64
  65         /* look if mapping exist, do not make idmap alloc an uid if SID is not found */
  66         result = idmap_get_gid_from_sid(&id, sid, False);
  67         if (NT_STATUS_IS_OK(result)) {
  68                 *mapped = gid_is_in_winbind_range(id);
  69         } else {
  70                 *mapped = False;
  71         }
  72
  73         return result;
  74 }
  75 #endif
  76
  77 #define ALIAS_DEFAULT_SACL_SA_RIGHTS    0x01050013
  78 #define ALIAS_DEFAULT_DACL_SA_RIGHTS \
  79                 (READ_CONTROL_ACCESS            | \
  80                 SA_RIGHT_ALIAS_LOOKUP_INFO      | \
  81                 SA_RIGHT_ALIAS_GET_MEMBERS)     /* 0x0002000c */
  82
  83 #define ALIAS_DEFAULT_SACL_SEC_ACE_FLAG (SEC_ACE_FLAG_FAILED_ACCESS | SEC_ACE_FLAG_SUCCESSFUL_ACCESS) /* 0xc0 */
  84
  85
  86 NTSTATUS create_builtin_alias_default_sec_desc(SEC_DESC **sec_desc, TALLOC_CTX *ctx)
  87 {
  88         DOM_SID *world = &global_sid_World;
  89         DOM_SID *admins = &global_sid_Builtin_Administrators;
  90         SEC_ACCESS sa;
  91         SEC_ACE sacl_ace;
  92         SEC_ACE dacl_aces[2];
  93         SEC_ACL *sacl = NULL;
  94         SEC_ACL *dacl = NULL;
  95         size_t psize;
  96
  97         init_sec_access(&sa, ALIAS_DEFAULT_SACL_SA_RIGHTS);
  98         init_sec_ace(&sacl_ace, world, SEC_ACE_TYPE_SYSTEM_AUDIT, sa, ALIAS_DEFAULT_SACL_SEC_ACE_FLAG);
  99
 100         sacl = make_sec_acl(ctx, NT4_ACL_REVISION, 1, &sacl_ace);
 101         if (!sacl) {
 102                 DEBUG(0, ("build_init_sec_desc: Failed to make SEC_ACL.\n"));
 103                 return NT_STATUS_NO_MEMORY;
 104         }
 105
 106         init_sec_access(&sa, ALIAS_DEFAULT_DACL_SA_RIGHTS);
 107         init_sec_ace(&(dacl_aces[0]), world, SEC_ACE_TYPE_ACCESS_ALLOWED, sa, 0);
 108         init_sec_access(&sa, SA_RIGHT_ALIAS_ALL_ACCESS);
 109         init_sec_ace(&(dacl_aces[1]), admins, SEC_ACE_TYPE_ACCESS_ALLOWED, sa, 0);
 110
 111         dacl = make_sec_acl(ctx, NT4_ACL_REVISION, 2, dacl_aces);
 112         if (!sacl) {
 113                 DEBUG(0, ("build_init_sec_desc: Failed to make SEC_ACL.\n"));
 114                 return NT_STATUS_NO_MEMORY;
 115         }
 116
 117         *sec_desc = make_sec_desc(ctx, SEC_DESC_REVISION, SEC_DESC_SELF_RELATIVE, admins, admins, sacl, dacl, &psize);
 118         if (!(*sec_desc)) {
 119                 DEBUG(0,("get_share_security: Failed to make SEC_DESC.\n"));
 120                 return NT_STATUS_NO_MEMORY;
 121         }
 122
 123         return NT_STATUS_OK;
 124 }
 125
 126 NTSTATUS sec_desc_add_ace_to_dacl(SEC_DESC *sec_desc, TALLOC_CTX *ctx, DOM_SID *sid, uint32 mask)
 127 {
 128         NTSTATUS result;
 129         SEC_ACE *new_aces;
 130         unsigned num_aces;
 131         int i;
 132
 133         num_aces = sec_desc->dacl->num_aces + 1;
 134         result = sec_ace_add_sid(ctx, &new_aces, sec_desc->dacl->ace, &num_aces, sid, mask);
 135         if (NT_STATUS_IS_OK(result)) {
 136                 sec_desc->dacl->ace = new_aces;
 137                 sec_desc->dacl->num_aces = num_aces;
 138                 sec_desc->dacl->size = SEC_ACL_HEADER_SIZE;
 139                 for (i = 0; i < num_aces; i++) {
 140                         sec_desc->dacl->size += sec_desc->dacl->ace[i].size;
 141                 }
 142         }
 143         return result;
 144 }
 145
 146 NTSTATUS gums_make_domain(DOM_SID *sid, const char *name, const char *description)
 147 {
 148         NTSTATUS ret;
 149         GUMS_OBJECT *go;
 150         GUMS_FUNCTIONS *fns;
 151
 152         if (!NT_STATUS_IS_OK(ret = get_gums_fns(&fns)))
 153                 return ret;
 154
 155         if (!NT_STATUS_IS_OK(ret = gums_create_object(&go, GUMS_OBJ_DOMAIN)))
 156                 return ret;
 157
 158         ret = gums_set_object_sid(go, sid);
 159         NTSTATUS_CHECK(ret, done, "gums_make_alias", "unable to set sid!");
 160
 161         ret = gums_set_object_name(go, name);
 162         NTSTATUS_CHECK(ret, done, "gums_make_alias", "unable to set name!");
 163
 164         if (description) {
 165                 ret = gums_set_object_description(go, description);
 166                 NTSTATUS_CHECK(ret, done, "gums_make_alias", "unable to set description!");
 167         }
 168
 169         /* make security descriptor * /
 170         ret = create_builtin_alias_default_sec_desc(&((*go).sec_desc), (*go).mem_ctx);
 171         NTSTATUS_CHECK(ret, error, "gums_init_backend", "create_builtin_alias_default_sec_desc");
 172         */
 173
 174         ret = fns->set_object(go);
 175
 176         gums_destroy_object(&go);
 177         return ret;
 178 }
 179
 180 NTSTATUS gums_make_alias(DOM_SID *sid, const char *name, const char *description)
 181 {
 182         NTSTATUS ret;
 183         GUMS_OBJECT *go;
 184         GUMS_FUNCTIONS *fns;
 185
 186         if (!NT_STATUS_IS_OK(ret = get_gums_fns(&fns)))
 187                 return ret;
 188
 189         if (!NT_STATUS_IS_OK(ret = gums_create_object(&go, GUMS_OBJ_ALIAS)))
 190                 return ret;
 191
 192         ret = gums_set_object_sid(go, sid);
 193         NTSTATUS_CHECK(ret, done, "gums_make_alias", "unable to set sid!");
 194
 195         ret = gums_set_object_name(go, name);
 196         NTSTATUS_CHECK(ret, done, "gums_make_alias", "unable to set name!");
 197
 198         if (description) {
 199                 ret = gums_set_object_description(go, description);
 200                 NTSTATUS_CHECK(ret, done, "gums_make_alias", "unable to set description!");
 201         }
 202
 203         /* make security descriptor * /
 204         ret = create_builtin_alias_default_sec_desc(&((*go).sec_desc), (*go).mem_ctx);
 205         NTSTATUS_CHECK(ret, error, "gums_init_backend", "create_builtin_alias_default_sec_desc");
 206         */
 207
 208         ret = fns->set_object(go);
 209
 210         gums_destroy_object(&go);
 211         return ret;
 212 }
 213
 214 NTSTATUS gums_init_domain(DOM_SID *sid, const char *name)
 215 {
 216         NTSTATUS ret;
 217
 218         /* Add the weelknown Builtin Domain */
 219         if (!NT_STATUS_IS_OK(ret = gums_make_domain(
 220                                         sid,
 221                                         name,
 222                                         NULL
 223                                         ))) {
 224                 return ret;
 225         }
 226
 227         /* Add default users and groups */
 228         /* Administrator
 229            Guest
 230            Domain Administrators
 231            Domain Users
 232            Domain Guests
 233         */
 234
 235         return ret;
 236 }
 237
 238 NTSTATUS gums_init_builtin_domain(void)
 239 {
 240         NTSTATUS ret;
 241
 242         generate_wellknown_sids();
 243
 244         /* Add the weelknown Builtin Domain */
 245         if (!NT_STATUS_IS_OK(ret = gums_make_domain(
 246                                         &global_sid_Builtin,
 247                                         "BUILTIN",
 248                                         "Builtin Domain"
 249                                         ))) {
 250                 return ret;
 251         }
 252
 253         /* Add the well known Builtin Local Groups */
 254
 255         /* Administrators */
 256         if (!NT_STATUS_IS_OK(ret = gums_make_alias(
 257                                         &global_sid_Builtin_Administrators,
 258                                         "Administrators",
 259                                         "Members can fully administer the computer/domain"
 260                                         ))) {
 261                 return ret;
 262         }
 263         /* Administrator privilege set */
 264         /* From BDC join trace:
 265                 SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege,
 266                 SeSystemtimePrivilege, SeShutdownPrivilege,
 267                 SeRemoteShutdownPrivilege, SeTakeOwnershipPrivilege,
 268                 SeDebugPrivilege, SeSystemEnvironmentPrivilege,
 269                 SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege,
 270                 SeIncreaseBasePriorityPrivilege, SeLocalDriverPrivilege,
 271                 SeCreatePagefilePrivilege, SeIncreaseQuotaPrivilege
 272          */
 273
 274         /* Power Users */
 275         /* Domain Controllers Does NOT have Power Users (?) */
 276         if (!NT_STATUS_IS_OK(ret = gums_make_alias(
 277                                         &global_sid_Builtin_Power_Users,
 278                                         "Power Users",
 279                                         "Power Users"
 280                                         ))) {
 281                 return ret;
 282         }
 283
 284         /* Power Users privilege set */
 285         /* (?) */
 286
 287         /* Account Operators */
 288         if (!NT_STATUS_IS_OK(ret = gums_make_alias(
 289                                         &global_sid_Builtin_Account_Operators,
 290                                         "Account Operators",
 291                                         "Members can administer domain user and group accounts"
 292                                         ))) {
 293                 return ret;
 294         }
 295
 296         /* make privilege set */
 297         /* From BDC join trace:
 298                 SeShutdownPrivilege
 299          */
 300
 301         /* Server Operators */
 302         if (!NT_STATUS_IS_OK(ret = gums_make_alias(
 303                                         &global_sid_Builtin_Server_Operators,
 304                                         "Server Operators",
 305                                         "Members can administer domain servers"
 306                                         ))) {
 307                 return ret;
 308         }
 309
 310         /* make privilege set */
 311         /* From BDC join trace:
 312                 SeBackupPrivilege, SeRestorePrivilege, SeSystemtimePrivilege,
 313                 SeShutdownPrivilege, SeRemoteShutdownPrivilege
 314          */
 315
 316         /* Print Operators */
 317         if (!NT_STATUS_IS_OK(ret = gums_make_alias(
 318                                         &global_sid_Builtin_Print_Operators,
 319                                         "Print Operators",
 320                                         "Members can administer domain printers"
 321                                         ))) {
 322                 return ret;
 323         }
 324
 325         /* make privilege set */
 326         /* From BDC join trace:
 327                 SeShutdownPrivilege
 328          */
 329
 330         /* Backup Operators */
 331         if (!NT_STATUS_IS_OK(ret = gums_make_alias(
 332                                         &global_sid_Builtin_Backup_Operators,
 333                                         "Backup Operators",
 334                                          "Members can bypass file security to backup files"
 335                                         ))) {
 336                 return ret;
 337         }
 338
 339         /* make privilege set */
 340         /* From BDC join trace:
 341                 SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege
 342          */
 343
 344         /* Replicator */
 345         if (!NT_STATUS_IS_OK(ret = gums_make_alias(
 346                                         &global_sid_Builtin_Replicator,
 347                                         "Replicator",
 348                                         "Supports file replication in a domain"
 349                                         ))) {
 350                 return ret;
 351         }
 352
 353         /* make privilege set */
 354         /* From BDC join trace:
 355                 SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege
 356          */
 357
 358         /* Users */
 359         if (!NT_STATUS_IS_OK(ret = gums_make_alias(
 360                                         &global_sid_Builtin_Users,
 361                                         "Users",
 362                                         "Ordinary users"
 363                                         ))) {
 364                 return ret;
 365         }
 366
 367         /* Users specific ACEs * /
 368         sec_desc_add_ace_to_dacl(go->sec_desc, go->mem_ctx, &global_sid_Builtin_Account_Operators, ALIAS_DEFAULT_DACL_SA_RIGHTS);
 369         sec_desc_add_ace_to_dacl(go->sec_desc, go->mem_ctx, &global_sid_Builtin_Power_Users, ALIAS_DEFAULT_DACL_SA_RIGHTS);
 370         */
 371
 372         /* Guests */
 373         if (!NT_STATUS_IS_OK(ret = gums_make_alias(
 374                                         &global_sid_Builtin_Guests,
 375                                         "Guests",
 376                                         "Users granted guest access to the computer/domain"
 377                                         ))) {
 378                 return ret;
 379         }
 380
 381         return ret;
 382 }
 383