source3/lib/util_sid.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3    Samba utility functions
   4    Copyright (C) Andrew Tridgell                1992-1998
   5    Copyright (C) Luke Kenneth Caseson Leighton  1998-1999
   6    Copyright (C) Jeremy Allison                 1999
   7    Copyright (C) Stefan (metze) Metzmacher      2002
   8    Copyright (C) Simo Sorce                     2002
   9    Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2005
  10
  11    This program is free software; you can redistribute it and/or modify
  12    it under the terms of the GNU General Public License as published by
  13    the Free Software Foundation; either version 3 of the License, or
  14    (at your option) any later version.
  15
  16    This program is distributed in the hope that it will be useful,
  17    but WITHOUT ANY WARRANTY; without even the implied warranty of
  18    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  19    GNU General Public License for more details.
  20
  21    You should have received a copy of the GNU General Public License
  22    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  23 */
  24
  25 #include "includes.h"
  26
  27 /*
  28  * Some useful sids
  29  */
  30
  31
  32 const DOM_SID global_sid_World_Domain =               /* Everyone domain */
  33 { 1, 0, {0,0,0,0,0,1}, {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
  34 const DOM_SID global_sid_World =                      /* Everyone */
  35 { 1, 1, {0,0,0,0,0,1}, {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
  36 const DOM_SID global_sid_Creator_Owner_Domain =       /* Creator Owner domain */
  37 { 1, 0, {0,0,0,0,0,3}, {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
  38 const DOM_SID global_sid_NT_Authority =                 /* NT Authority */
  39 { 1, 0, {0,0,0,0,0,5}, {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
  40 const DOM_SID global_sid_System =                       /* System */
  41 { 1, 1, {0,0,0,0,0,5}, {18,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
  42 const DOM_SID global_sid_NULL =                         /* NULL sid */
  43 { 1, 1, {0,0,0,0,0,0}, {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
  44 const DOM_SID global_sid_Authenticated_Users =  /* All authenticated rids */
  45 { 1, 1, {0,0,0,0,0,5}, {11,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
  46 const DOM_SID global_sid_Network =                      /* Network rids */
  47 { 1, 1, {0,0,0,0,0,5}, {2,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
  48
  49 const DOM_SID global_sid_Creator_Owner =                /* Creator Owner */
  50 { 1, 1, {0,0,0,0,0,3}, {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
  51 const DOM_SID global_sid_Creator_Group =                /* Creator Group */
  52 { 1, 1, {0,0,0,0,0,3}, {1,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
  53 const DOM_SID global_sid_Anonymous =                    /* Anonymous login */
  54 { 1, 1, {0,0,0,0,0,5}, {7,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
  55
  56 const DOM_SID global_sid_Builtin =                      /* Local well-known domain */
  57 { 1, 1, {0,0,0,0,0,5}, {32,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
  58 const DOM_SID global_sid_Builtin_Administrators =       /* Builtin administrators */
  59 { 1, 2, {0,0,0,0,0,5}, {32,544,0,0,0,0,0,0,0,0,0,0,0,0,0}};
  60 const DOM_SID global_sid_Builtin_Users =                /* Builtin users */
  61 { 1, 2, {0,0,0,0,0,5}, {32,545,0,0,0,0,0,0,0,0,0,0,0,0,0}};
  62 const DOM_SID global_sid_Builtin_Guests =               /* Builtin guest users */
  63 { 1, 2, {0,0,0,0,0,5}, {32,546,0,0,0,0,0,0,0,0,0,0,0,0,0}};
  64 const DOM_SID global_sid_Builtin_Power_Users =  /* Builtin power users */
  65 { 1, 2, {0,0,0,0,0,5}, {32,547,0,0,0,0,0,0,0,0,0,0,0,0,0}};
  66 const DOM_SID global_sid_Builtin_Account_Operators =    /* Builtin account operators */
  67 { 1, 2, {0,0,0,0,0,5}, {32,548,0,0,0,0,0,0,0,0,0,0,0,0,0}};
  68 const DOM_SID global_sid_Builtin_Server_Operators =     /* Builtin server operators */
  69 { 1, 2, {0,0,0,0,0,5}, {32,549,0,0,0,0,0,0,0,0,0,0,0,0,0}};
  70 const DOM_SID global_sid_Builtin_Print_Operators =      /* Builtin print operators */
  71 { 1, 2, {0,0,0,0,0,5}, {32,550,0,0,0,0,0,0,0,0,0,0,0,0,0}};
  72 const DOM_SID global_sid_Builtin_Backup_Operators =     /* Builtin backup operators */
  73 { 1, 2, {0,0,0,0,0,5}, {32,551,0,0,0,0,0,0,0,0,0,0,0,0,0}};
  74 const DOM_SID global_sid_Builtin_Replicator =           /* Builtin replicator */
  75 { 1, 2, {0,0,0,0,0,5}, {32,552,0,0,0,0,0,0,0,0,0,0,0,0,0}};
  76 const DOM_SID global_sid_Builtin_PreWin2kAccess =       /* Builtin pre win2k access */
  77 { 1, 2, {0,0,0,0,0,5}, {32,554,0,0,0,0,0,0,0,0,0,0,0,0,0}};
  78
  79 const DOM_SID global_sid_Unix_Users =                   /* Unmapped Unix users */
  80 { 1, 1, {0,0,0,0,0,22}, {1,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
  81 const DOM_SID global_sid_Unix_Groups =                  /* Unmapped Unix groups */
  82 { 1, 1, {0,0,0,0,0,22}, {2,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
  83
  84 /* Unused, left here for documentary purposes */
  85 #if 0
  86 #define SECURITY_NULL_SID_AUTHORITY    0
  87 #define SECURITY_WORLD_SID_AUTHORITY   1
  88 #define SECURITY_LOCAL_SID_AUTHORITY   2
  89 #define SECURITY_CREATOR_SID_AUTHORITY 3
  90 #define SECURITY_NT_AUTHORITY          5
  91 #endif
  92
  93 /*
  94  * An NT compatible anonymous token.
  95  */
  96
  97 static DOM_SID anon_sid_array[3] =
  98 { { 1, 1, {0,0,0,0,0,1}, {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}},
  99   { 1, 1, {0,0,0,0,0,5}, {2,0,0,0,0,0,0,0,0,0,0,0,0,0,0}},
 100   { 1, 1, {0,0,0,0,0,5}, {7,0,0,0,0,0,0,0,0,0,0,0,0,0,0}} };
 101 NT_USER_TOKEN anonymous_token = { 3, anon_sid_array, SE_NONE };
 102
 103 static DOM_SID system_sid_array[1] =
 104 { { 1, 1, {0,0,0,0,0,5}, {18,0,0,0,0,0,0,0,0,0,0,0,0,0,0}} };
 105 NT_USER_TOKEN system_token = { 1, system_sid_array, SE_ALL_PRIVS };
 106
 107 /****************************************************************************
 108  Lookup string names for SID types.
 109 ****************************************************************************/
 110
 111 static const struct {
 112         enum lsa_SidType sid_type;
 113         const char *string;
 114 } sid_name_type[] = {
 115         {SID_NAME_USER, "User"},
 116         {SID_NAME_DOM_GRP, "Domain Group"},
 117         {SID_NAME_DOMAIN, "Domain"},
 118         {SID_NAME_ALIAS, "Local Group"},
 119         {SID_NAME_WKN_GRP, "Well-known Group"},
 120         {SID_NAME_DELETED, "Deleted Account"},
 121         {SID_NAME_INVALID, "Invalid Account"},
 122         {SID_NAME_UNKNOWN, "UNKNOWN"},
 123         {SID_NAME_COMPUTER, "Computer"},
 124
 125         {(enum lsa_SidType)0, NULL}
 126 };
 127
 128 const char *sid_type_lookup(uint32 sid_type)
 129 {
 130         int i = 0;
 131
 132         /* Look through list */
 133         while(sid_name_type[i].sid_type != 0) {
 134                 if (sid_name_type[i].sid_type == sid_type)
 135                         return sid_name_type[i].string;
 136                 i++;
 137         }
 138
 139         /* Default return */
 140         return "SID *TYPE* is INVALID";
 141 }
 142
 143 /**************************************************************************
 144  Create the SYSTEM token.
 145 ***************************************************************************/
 146
 147 NT_USER_TOKEN *get_system_token(void)
 148 {
 149         return &system_token;
 150 }
 151
 152 /******************************************************************
 153  get the default domain/netbios name to be used when dealing
 154  with our passdb list of accounts
 155 ******************************************************************/
 156
 157 const char *get_global_sam_name(void)
 158 {
 159         if ((lp_server_role() == ROLE_DOMAIN_PDC) || (lp_server_role() == ROLE_DOMAIN_BDC)) {
 160                 return lp_workgroup();
 161         }
 162         return global_myname();
 163 }
 164
 165 /*****************************************************************
 166  Convert a SID to an ascii string.
 167 *****************************************************************/
 168
 169 char *sid_to_string(fstring sidstr_out, const DOM_SID *sid)
 170 {
 171         char subauth[16];
 172         int i;
 173         uint32 ia;
 174
 175         if (!sid) {
 176                 fstrcpy(sidstr_out, "(NULL SID)");
 177                 return sidstr_out;
 178         }
 179
 180         /*
 181          * BIG NOTE: this function only does SIDS where the identauth is not >= 2^32
 182          * in a range of 2^48.
 183          */
 184         ia = (sid->id_auth[5]) +
 185                 (sid->id_auth[4] << 8 ) +
 186                 (sid->id_auth[3] << 16) +
 187                 (sid->id_auth[2] << 24);
 188
 189         slprintf(sidstr_out, sizeof(fstring) - 1, "S-%u-%lu", (unsigned int)sid->sid_rev_num, (unsigned long)ia);
 190
 191         for (i = 0; i < sid->num_auths; i++) {
 192                 slprintf(subauth, sizeof(subauth)-1, "-%lu", (unsigned long)sid->sub_auths[i]);
 193                 fstrcat(sidstr_out, subauth);
 194         }
 195
 196         return sidstr_out;
 197 }
 198
 199 /*****************************************************************
 200  Useful function for debug lines.
 201 *****************************************************************/
 202
 203 const char *sid_string_static(const DOM_SID *sid)
 204 {
 205         static fstring sid_str;
 206         sid_to_string(sid_str, sid);
 207         return sid_str;
 208 }
 209
 210 char *sid_string_tos(const DOM_SID *sid)
 211 {
 212         fstring sid_str;
 213         sid_to_string(sid_str, sid);
 214         return talloc_strdup(talloc_tos(), sid_str);
 215 }
 216
 217 /*****************************************************************
 218  Convert a string to a SID. Returns True on success, False on fail.
 219 *****************************************************************/
 220
 221 BOOL string_to_sid(DOM_SID *sidout, const char *sidstr)
 222 {
 223         const char *p;
 224         char *q;
 225         /* BIG NOTE: this function only does SIDS where the identauth is not >= 2^32 */
 226         uint32 conv;
 227
 228         if ((sidstr[0] != 'S' && sidstr[0] != 's') || sidstr[1] != '-') {
 229                 DEBUG(3,("string_to_sid: Sid %s does not start with 'S-'.\n", sidstr));
 230                 return False;
 231         }
 232
 233         ZERO_STRUCTP(sidout);
 234
 235         /* Get the revision number. */
 236         p = sidstr + 2;
 237         conv = (uint32) strtoul(p, &q, 10);
 238         if (!q || (*q != '-')) {
 239                 DEBUG(3,("string_to_sid: Sid %s is not in a valid format.\n", sidstr));
 240                 return False;
 241         }
 242         sidout->sid_rev_num = (uint8) conv;
 243         q++;
 244
 245         /* get identauth */
 246         conv = (uint32) strtoul(q, &q, 10);
 247         if (!q || (*q != '-')) {
 248                 DEBUG(0,("string_to_sid: Sid %s is not in a valid format.\n", sidstr));
 249                 return False;
 250         }
 251         /* identauth in decimal should be <  2^32 */
 252         /* NOTE - the conv value is in big-endian format. */
 253         sidout->id_auth[0] = 0;
 254         sidout->id_auth[1] = 0;
 255         sidout->id_auth[2] = (conv & 0xff000000) >> 24;
 256         sidout->id_auth[3] = (conv & 0x00ff0000) >> 16;
 257         sidout->id_auth[4] = (conv & 0x0000ff00) >> 8;
 258         sidout->id_auth[5] = (conv & 0x000000ff);
 259
 260         q++;
 261         sidout->num_auths = 0;
 262
 263         for(conv = (uint32) strtoul(q, &q, 10);
 264             q && (*q =='-' || *q =='\0') && (sidout->num_auths < MAXSUBAUTHS);
 265             conv = (uint32) strtoul(q, &q, 10)) {
 266                 sid_append_rid(sidout, conv);
 267                 if (*q == '\0')
 268                         break;
 269                 q++;
 270         }
 271
 272         return True;
 273 }
 274
 275 DOM_SID *string_sid_talloc(TALLOC_CTX *mem_ctx, const char *sidstr)
 276 {
 277         DOM_SID *result = TALLOC_P(mem_ctx, DOM_SID);
 278
 279         if (result == NULL)
 280                 return NULL;
 281
 282         if (!string_to_sid(result, sidstr))
 283                 return NULL;
 284
 285         return result;
 286 }
 287
 288 /*****************************************************************
 289  Add a rid to the end of a sid
 290 *****************************************************************/
 291
 292 BOOL sid_append_rid(DOM_SID *sid, uint32 rid)
 293 {
 294         if (sid->num_auths < MAXSUBAUTHS) {
 295                 sid->sub_auths[sid->num_auths++] = rid;
 296                 return True;
 297         }
 298         return False;
 299 }
 300
 301 BOOL sid_compose(DOM_SID *dst, const DOM_SID *domain_sid, uint32 rid)
 302 {
 303         sid_copy(dst, domain_sid);
 304         return sid_append_rid(dst, rid);
 305 }
 306
 307 /*****************************************************************
 308  Removes the last rid from the end of a sid
 309 *****************************************************************/
 310
 311 BOOL sid_split_rid(DOM_SID *sid, uint32 *rid)
 312 {
 313         if (sid->num_auths > 0) {
 314                 sid->num_auths--;
 315                 *rid = sid->sub_auths[sid->num_auths];
 316                 return True;
 317         }
 318         return False;
 319 }
 320
 321 /*****************************************************************
 322  Return the last rid from the end of a sid
 323 *****************************************************************/
 324
 325 BOOL sid_peek_rid(const DOM_SID *sid, uint32 *rid)
 326 {
 327         if (!sid || !rid)
 328                 return False;
 329
 330         if (sid->num_auths > 0) {
 331                 *rid = sid->sub_auths[sid->num_auths - 1];
 332                 return True;
 333         }
 334         return False;
 335 }
 336
 337 /*****************************************************************
 338  Return the last rid from the end of a sid
 339  and check the sid against the exp_dom_sid
 340 *****************************************************************/
 341
 342 BOOL sid_peek_check_rid(const DOM_SID *exp_dom_sid, const DOM_SID *sid, uint32 *rid)
 343 {
 344         if (!exp_dom_sid || !sid || !rid)
 345                 return False;
 346
 347         if (sid->num_auths != (exp_dom_sid->num_auths+1)) {
 348                 return False;
 349         }
 350
 351         if (sid_compare_domain(exp_dom_sid, sid)!=0){
 352                 *rid=(-1);
 353                 return False;
 354         }
 355
 356         return sid_peek_rid(sid, rid);
 357 }
 358
 359 /*****************************************************************
 360  Copies a sid
 361 *****************************************************************/
 362
 363 void sid_copy(DOM_SID *dst, const DOM_SID *src)
 364 {
 365         int i;
 366
 367         ZERO_STRUCTP(dst);
 368
 369         dst->sid_rev_num = src->sid_rev_num;
 370         dst->num_auths = src->num_auths;
 371
 372         memcpy(&dst->id_auth[0], &src->id_auth[0], sizeof(src->id_auth));
 373
 374         for (i = 0; i < src->num_auths; i++)
 375                 dst->sub_auths[i] = src->sub_auths[i];
 376 }
 377
 378 /*****************************************************************
 379  Write a sid out into on-the-wire format.
 380 *****************************************************************/
 381
 382 BOOL sid_linearize(char *outbuf, size_t len, const DOM_SID *sid)
 383 {
 384         size_t i;
 385
 386         if (len < sid_size(sid))
 387                 return False;
 388
 389         SCVAL(outbuf,0,sid->sid_rev_num);
 390         SCVAL(outbuf,1,sid->num_auths);
 391         memcpy(&outbuf[2], sid->id_auth, 6);
 392         for(i = 0; i < sid->num_auths; i++)
 393                 SIVAL(outbuf, 8 + (i*4), sid->sub_auths[i]);
 394
 395         return True;
 396 }
 397
 398 /*****************************************************************
 399  Parse a on-the-wire SID to a DOM_SID.
 400 *****************************************************************/
 401
 402 BOOL sid_parse(const char *inbuf, size_t len, DOM_SID *sid)
 403 {
 404         int i;
 405         if (len < 8)
 406                 return False;
 407
 408         ZERO_STRUCTP(sid);
 409
 410         sid->sid_rev_num = CVAL(inbuf, 0);
 411         sid->num_auths = CVAL(inbuf, 1);
 412         memcpy(sid->id_auth, inbuf+2, 6);
 413         if (len < 8 + sid->num_auths*4)
 414                 return False;
 415         for (i=0;i<sid->num_auths;i++)
 416                 sid->sub_auths[i] = IVAL(inbuf, 8+i*4);
 417         return True;
 418 }
 419
 420 /*****************************************************************
 421  Compare the auth portion of two sids.
 422 *****************************************************************/
 423
 424 static int sid_compare_auth(const DOM_SID *sid1, const DOM_SID *sid2)
 425 {
 426         int i;
 427
 428         if (sid1 == sid2)
 429                 return 0;
 430         if (!sid1)
 431                 return -1;
 432         if (!sid2)
 433                 return 1;
 434
 435         if (sid1->sid_rev_num != sid2->sid_rev_num)
 436                 return sid1->sid_rev_num - sid2->sid_rev_num;
 437
 438         for (i = 0; i < 6; i++)
 439                 if (sid1->id_auth[i] != sid2->id_auth[i])
 440                         return sid1->id_auth[i] - sid2->id_auth[i];
 441
 442         return 0;
 443 }
 444
 445 /*****************************************************************
 446  Compare two sids.
 447 *****************************************************************/
 448
 449 int sid_compare(const DOM_SID *sid1, const DOM_SID *sid2)
 450 {
 451         int i;
 452
 453         if (sid1 == sid2)
 454                 return 0;
 455         if (!sid1)
 456                 return -1;
 457         if (!sid2)
 458                 return 1;
 459
 460         /* Compare most likely different rids, first: i.e start at end */
 461         if (sid1->num_auths != sid2->num_auths)
 462                 return sid1->num_auths - sid2->num_auths;
 463
 464         for (i = sid1->num_auths-1; i >= 0; --i)
 465                 if (sid1->sub_auths[i] != sid2->sub_auths[i])
 466                         return sid1->sub_auths[i] - sid2->sub_auths[i];
 467
 468         return sid_compare_auth(sid1, sid2);
 469 }
 470
 471 /*****************************************************************
 472  See if 2 SIDs are in the same domain
 473  this just compares the leading sub-auths
 474 *****************************************************************/
 475
 476 int sid_compare_domain(const DOM_SID *sid1, const DOM_SID *sid2)
 477 {
 478         int n, i;
 479
 480         n = MIN(sid1->num_auths, sid2->num_auths);
 481
 482         for (i = n-1; i >= 0; --i)
 483                 if (sid1->sub_auths[i] != sid2->sub_auths[i])
 484                         return sid1->sub_auths[i] - sid2->sub_auths[i];
 485
 486         return sid_compare_auth(sid1, sid2);
 487 }
 488
 489 /*****************************************************************
 490  Compare two sids.
 491 *****************************************************************/
 492
 493 BOOL sid_equal(const DOM_SID *sid1, const DOM_SID *sid2)
 494 {
 495         return sid_compare(sid1, sid2) == 0;
 496 }
 497
 498 /*****************************************************************
 499  Calculates size of a sid.
 500 *****************************************************************/
 501
 502 size_t sid_size(const DOM_SID *sid)
 503 {
 504         if (sid == NULL)
 505                 return 0;
 506
 507         return sid->num_auths * sizeof(uint32) + 8;
 508 }
 509
 510 /*****************************************************************
 511  Returns true if SID is internal (and non-mappable).
 512 *****************************************************************/
 513
 514 BOOL non_mappable_sid(DOM_SID *sid)
 515 {
 516         DOM_SID dom;
 517         uint32 rid;
 518
 519         sid_copy(&dom, sid);
 520         sid_split_rid(&dom, &rid);
 521
 522         if (sid_equal(&dom, &global_sid_Builtin))
 523                 return True;
 524
 525         if (sid_equal(&dom, &global_sid_NT_Authority))
 526                 return True;
 527
 528         return False;
 529 }
 530
 531 /*****************************************************************
 532  Return the binary string representation of a DOM_SID.
 533  Caller must free.
 534 *****************************************************************/
 535
 536 char *sid_binstring(const DOM_SID *sid)
 537 {
 538         char *buf, *s;
 539         int len = sid_size(sid);
 540         buf = (char *)SMB_MALLOC(len);
 541         if (!buf)
 542                 return NULL;
 543         sid_linearize(buf, len, sid);
 544         s = binary_string_rfc2254(buf, len);
 545         free(buf);
 546         return s;
 547 }
 548
 549 /*****************************************************************
 550  Return the binary string representation of a DOM_SID.
 551  Caller must free.
 552 *****************************************************************/
 553
 554 char *sid_binstring_hex(const DOM_SID *sid)
 555 {
 556         char *buf, *s;
 557         int len = sid_size(sid);
 558         buf = (char *)SMB_MALLOC(len);
 559         if (!buf)
 560                 return NULL;
 561         sid_linearize(buf, len, sid);
 562         s = binary_string(buf, len);
 563         free(buf);
 564         return s;
 565 }
 566
 567 /*******************************************************************
 568  Tallocs a duplicate SID.
 569 ********************************************************************/
 570
 571 DOM_SID *sid_dup_talloc(TALLOC_CTX *ctx, const DOM_SID *src)
 572 {
 573         DOM_SID *dst;
 574
 575         if(!src)
 576                 return NULL;
 577
 578         if((dst = TALLOC_ZERO_P(ctx, DOM_SID)) != NULL) {
 579                 sid_copy( dst, src);
 580         }
 581
 582         return dst;
 583 }
 584
 585 /********************************************************************
 586  Add SID to an array SIDs
 587 ********************************************************************/
 588
 589 BOOL add_sid_to_array(TALLOC_CTX *mem_ctx, const DOM_SID *sid,
 590                       DOM_SID **sids, size_t *num)
 591 {
 592         *sids = TALLOC_REALLOC_ARRAY(mem_ctx, *sids, DOM_SID,
 593                                              (*num)+1);
 594         if (*sids == NULL) {
 595                 *num = 0;
 596                 return False;
 597         }
 598
 599         sid_copy(&((*sids)[*num]), sid);
 600         *num += 1;
 601
 602         return True;
 603 }
 604
 605
 606 /********************************************************************
 607  Add SID to an array SIDs ensuring that it is not already there
 608 ********************************************************************/
 609
 610 BOOL add_sid_to_array_unique(TALLOC_CTX *mem_ctx, const DOM_SID *sid,
 611                              DOM_SID **sids, size_t *num_sids)
 612 {
 613         size_t i;
 614
 615         for (i=0; i<(*num_sids); i++) {
 616                 if (sid_compare(sid, &(*sids)[i]) == 0)
 617                         return True;
 618         }
 619
 620         return add_sid_to_array(mem_ctx, sid, sids, num_sids);
 621 }
 622
 623 /********************************************************************
 624  Remove SID from an array
 625 ********************************************************************/
 626
 627 void del_sid_from_array(const DOM_SID *sid, DOM_SID **sids, size_t *num)
 628 {
 629         DOM_SID *sid_list = *sids;
 630         size_t i;
 631
 632         for ( i=0; i<*num; i++ ) {
 633
 634                 /* if we find the SID, then decrement the count
 635                    and break out of the loop */
 636
 637                 if ( sid_equal(sid, &sid_list[i]) ) {
 638                         *num -= 1;
 639                         break;
 640                 }
 641         }
 642
 643         /* This loop will copy the remainder of the array
 644            if i < num of sids ni the array */
 645
 646         for ( ; i<*num; i++ )
 647                 sid_copy( &sid_list[i], &sid_list[i+1] );
 648
 649         return;
 650 }
 651
 652 BOOL add_rid_to_array_unique(TALLOC_CTX *mem_ctx,
 653                                     uint32 rid, uint32 **pp_rids, size_t *p_num)
 654 {
 655         size_t i;
 656
 657         for (i=0; i<*p_num; i++) {
 658                 if ((*pp_rids)[i] == rid)
 659                         return True;
 660         }
 661
 662         *pp_rids = TALLOC_REALLOC_ARRAY(mem_ctx, *pp_rids, uint32, *p_num+1);
 663
 664         if (*pp_rids == NULL) {
 665                 *p_num = 0;
 666                 return False;
 667         }
 668
 669         (*pp_rids)[*p_num] = rid;
 670         *p_num += 1;
 671         return True;
 672 }
 673
 674 BOOL is_null_sid(const DOM_SID *sid)
 675 {
 676         static const DOM_SID null_sid = {0};
 677         return sid_equal(sid, &null_sid);
 678 }
 679
 680 NTSTATUS sid_array_from_info3(TALLOC_CTX *mem_ctx,
 681                               const NET_USER_INFO_3 *info3,
 682                               DOM_SID **user_sids,
 683                               size_t *num_user_sids,
 684                               BOOL include_user_group_rid)
 685 {
 686         DOM_SID sid;
 687         DOM_SID *sid_array = NULL;
 688         size_t num_sids = 0;
 689         int i;
 690
 691         if (include_user_group_rid) {
 692
 693                 if (!sid_compose(&sid, &(info3->dom_sid.sid),
 694                                  info3->user_rid)
 695                     || !add_sid_to_array(mem_ctx, &sid,
 696                                          &sid_array, &num_sids)) {
 697                         DEBUG(3,("could not add user SID from rid 0x%x\n",
 698                                  info3->user_rid));
 699                         return NT_STATUS_INVALID_PARAMETER;
 700                 }
 701
 702                 if (!sid_compose(&sid, &(info3->dom_sid.sid),
 703                                  info3->group_rid)
 704                     || !add_sid_to_array(mem_ctx, &sid,
 705                                          &sid_array, &num_sids)) {
 706                         DEBUG(3,("could not append additional group rid 0x%x\n",
 707                                  info3->group_rid));
 708
 709                         return NT_STATUS_INVALID_PARAMETER;
 710                 }
 711         }
 712
 713         for (i = 0; i < info3->num_groups2; i++) {
 714                 if (!sid_compose(&sid, &(info3->dom_sid.sid),
 715                                  info3->gids[i].g_rid)
 716                     || !add_sid_to_array(mem_ctx, &sid,
 717                                          &sid_array, &num_sids)) {
 718                         DEBUG(3,("could not append additional group rid 0x%x\n",
 719                                  info3->gids[i].g_rid));
 720                         return NT_STATUS_INVALID_PARAMETER;
 721                 }
 722         }
 723
 724         /* Copy 'other' sids.  We need to do sid filtering here to
 725            prevent possible elevation of privileges.  See:
 726
 727            http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp
 728          */
 729
 730         for (i = 0; i < info3->num_other_sids; i++) {
 731                 if (!add_sid_to_array(mem_ctx, &info3->other_sids[i].sid,
 732                                       &sid_array, &num_sids)) {
 733                         DEBUG(3, ("could not add SID to array: %s\n",
 734                                   sid_string_static(&info3->other_sids[i].sid)));
 735                         return NT_STATUS_NO_MEMORY;
 736                 }
 737         }
 738
 739         *user_sids = sid_array;
 740         *num_user_sids = num_sids;
 741
 742         return NT_STATUS_OK;
 743 }