1998-11-05 19:51:34 +03:00
/*
2002-01-30 09:08:46 +03:00
Unix SMB / CIFS implementation .
1998-11-05 19:51:34 +03:00
Samba utility functions
2002-07-15 14:35:28 +04:00
Copyright ( C ) Andrew Tridgell 1992 - 1998
Copyright ( C ) Luke Kenneth Caseson Leighton 1998 - 1999
Copyright ( C ) Jeremy Allison 1999
Copyright ( C ) Stefan ( metze ) Metzmacher 2002
2002-10-18 23:46:32 +04:00
Copyright ( C ) Simo Sorce 2002
2005-10-20 19:09:41 +04:00
Copyright ( C ) Jim McDonough < jmcd @ us . ibm . com > 2005
2010-01-23 15:33:10 +03:00
1998-11-05 19:51:34 +03:00
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
2007-07-09 23:25:36 +04:00
the Free Software Foundation ; either version 3 of the License , or
1998-11-05 19:51:34 +03:00
( at your option ) any later version .
2010-01-23 15:33:10 +03:00
1998-11-05 19:51:34 +03:00
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
2010-01-23 15:33:10 +03:00
1998-11-05 19:51:34 +03:00
You should have received a copy of the GNU General Public License
2007-07-10 04:52:41 +04:00
along with this program . If not , see < http : //www.gnu.org/licenses/>.
1998-11-05 19:51:34 +03:00
*/
# include "includes.h"
2010-05-28 04:19:32 +04:00
# include "../librpc/gen_ndr/ndr_security.h"
2010-08-05 17:14:04 +04:00
# include "../librpc/gen_ndr/netlogon.h"
2010-06-03 02:09:26 +04:00
# include "../libcli/security/dom_sid.h"
1998-11-05 19:51:34 +03:00
1999-12-13 16:27:58 +03:00
/*
2007-10-08 17:31:08 +04:00
* Some useful sids , more well known sids can be found at
* http : //support.microsoft.com/kb/243330/EN-US/
1999-12-13 16:27:58 +03:00
*/
2005-04-09 15:46:40 +04:00
2010-05-21 05:25:01 +04:00
const struct dom_sid global_sid_World_Domain = /* Everyone domain */
2005-04-09 15:46:40 +04:00
{ 1 , 0 , { 0 , 0 , 0 , 0 , 0 , 1 } , { 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 } } ;
2010-05-21 05:25:01 +04:00
const struct dom_sid global_sid_World = /* Everyone */
2005-04-09 15:46:40 +04:00
{ 1 , 1 , { 0 , 0 , 0 , 0 , 0 , 1 } , { 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 } } ;
2010-05-21 05:25:01 +04:00
const struct dom_sid global_sid_Creator_Owner_Domain = /* Creator Owner domain */
2005-04-09 15:46:40 +04:00
{ 1 , 0 , { 0 , 0 , 0 , 0 , 0 , 3 } , { 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 } } ;
2010-05-21 05:25:01 +04:00
const struct dom_sid global_sid_NT_Authority = /* NT Authority */
2005-04-09 15:46:40 +04:00
{ 1 , 0 , { 0 , 0 , 0 , 0 , 0 , 5 } , { 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 } } ;
2010-05-21 05:25:01 +04:00
const struct dom_sid global_sid_System = /* System */
2005-04-09 15:46:40 +04:00
{ 1 , 1 , { 0 , 0 , 0 , 0 , 0 , 5 } , { 18 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 } } ;
2010-05-21 05:25:01 +04:00
const struct dom_sid global_sid_NULL = /* NULL sid */
2005-04-09 15:46:40 +04:00
{ 1 , 1 , { 0 , 0 , 0 , 0 , 0 , 0 } , { 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 } } ;
2010-05-21 05:25:01 +04:00
const struct dom_sid global_sid_Authenticated_Users = /* All authenticated rids */
2005-04-09 15:46:40 +04:00
{ 1 , 1 , { 0 , 0 , 0 , 0 , 0 , 5 } , { 11 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 } } ;
2007-10-08 17:31:08 +04:00
#if 0
/* for documentation */
2010-05-21 05:25:01 +04:00
const struct dom_sid global_sid_Restriced = /* Restriced Code */
2007-10-08 17:31:08 +04:00
{ 1 , 1 , { 0 , 0 , 0 , 0 , 0 , 5 } , { 12 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 } } ;
# endif
2010-05-21 05:25:01 +04:00
const struct dom_sid global_sid_Network = /* Network rids */
2005-04-09 15:46:40 +04:00
{ 1 , 1 , { 0 , 0 , 0 , 0 , 0 , 5 } , { 2 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 } } ;
2010-05-21 05:25:01 +04:00
const struct dom_sid global_sid_Creator_Owner = /* Creator Owner */
2005-04-09 15:46:40 +04:00
{ 1 , 1 , { 0 , 0 , 0 , 0 , 0 , 3 } , { 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 } } ;
2010-05-21 05:25:01 +04:00
const struct dom_sid global_sid_Creator_Group = /* Creator Group */
2005-04-09 15:46:40 +04:00
{ 1 , 1 , { 0 , 0 , 0 , 0 , 0 , 3 } , { 1 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 } } ;
2010-05-21 05:25:01 +04:00
const struct dom_sid global_sid_Anonymous = /* Anonymous login */
2005-04-09 15:46:40 +04:00
{ 1 , 1 , { 0 , 0 , 0 , 0 , 0 , 5 } , { 7 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 } } ;
2010-05-21 05:25:01 +04:00
const struct dom_sid global_sid_Builtin = /* Local well-known domain */
2005-04-09 15:46:40 +04:00
{ 1 , 1 , { 0 , 0 , 0 , 0 , 0 , 5 } , { 32 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 } } ;
2010-05-21 05:25:01 +04:00
const struct dom_sid global_sid_Builtin_Administrators = /* Builtin administrators */
2005-04-09 15:46:40 +04:00
{ 1 , 2 , { 0 , 0 , 0 , 0 , 0 , 5 } , { 32 , 544 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 } } ;
2010-05-21 05:25:01 +04:00
const struct dom_sid global_sid_Builtin_Users = /* Builtin users */
2005-04-09 15:46:40 +04:00
{ 1 , 2 , { 0 , 0 , 0 , 0 , 0 , 5 } , { 32 , 545 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 } } ;
2010-05-21 05:25:01 +04:00
const struct dom_sid global_sid_Builtin_Guests = /* Builtin guest users */
2005-04-09 15:46:40 +04:00
{ 1 , 2 , { 0 , 0 , 0 , 0 , 0 , 5 } , { 32 , 546 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 } } ;
2010-05-21 05:25:01 +04:00
const struct dom_sid global_sid_Builtin_Power_Users = /* Builtin power users */
2005-04-09 15:46:40 +04:00
{ 1 , 2 , { 0 , 0 , 0 , 0 , 0 , 5 } , { 32 , 547 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 } } ;
2010-05-21 05:25:01 +04:00
const struct dom_sid global_sid_Builtin_Account_Operators = /* Builtin account operators */
2005-04-09 15:46:40 +04:00
{ 1 , 2 , { 0 , 0 , 0 , 0 , 0 , 5 } , { 32 , 548 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 } } ;
2010-05-21 05:25:01 +04:00
const struct dom_sid global_sid_Builtin_Server_Operators = /* Builtin server operators */
2005-04-09 15:46:40 +04:00
{ 1 , 2 , { 0 , 0 , 0 , 0 , 0 , 5 } , { 32 , 549 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 } } ;
2010-05-21 05:25:01 +04:00
const struct dom_sid global_sid_Builtin_Print_Operators = /* Builtin print operators */
2005-04-09 15:46:40 +04:00
{ 1 , 2 , { 0 , 0 , 0 , 0 , 0 , 5 } , { 32 , 550 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 } } ;
2010-05-21 05:25:01 +04:00
const struct dom_sid global_sid_Builtin_Backup_Operators = /* Builtin backup operators */
2005-04-09 15:46:40 +04:00
{ 1 , 2 , { 0 , 0 , 0 , 0 , 0 , 5 } , { 32 , 551 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 } } ;
2010-05-21 05:25:01 +04:00
const struct dom_sid global_sid_Builtin_Replicator = /* Builtin replicator */
2005-04-09 15:46:40 +04:00
{ 1 , 2 , { 0 , 0 , 0 , 0 , 0 , 5 } , { 32 , 552 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 } } ;
2010-05-21 05:25:01 +04:00
const struct dom_sid global_sid_Builtin_PreWin2kAccess = /* Builtin pre win2k access */
2006-04-26 00:14:46 +04:00
{ 1 , 2 , { 0 , 0 , 0 , 0 , 0 , 5 } , { 32 , 554 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 } } ;
2002-10-18 23:46:32 +04:00
2010-05-21 05:25:01 +04:00
const struct dom_sid global_sid_Unix_Users = /* Unmapped Unix users */
2006-02-04 01:19:41 +03:00
{ 1 , 1 , { 0 , 0 , 0 , 0 , 0 , 22 } , { 1 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 } } ;
2010-05-21 05:25:01 +04:00
const struct dom_sid global_sid_Unix_Groups = /* Unmapped Unix groups */
2006-02-04 01:19:41 +03:00
{ 1 , 1 , { 0 , 0 , 0 , 0 , 0 , 22 } , { 2 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 } } ;
2005-12-03 21:34:13 +03:00
/* Unused, left here for documentary purposes */
#if 0
2002-10-18 23:46:32 +04:00
# define SECURITY_NULL_SID_AUTHORITY 0
# define SECURITY_WORLD_SID_AUTHORITY 1
# define SECURITY_LOCAL_SID_AUTHORITY 2
# define SECURITY_CREATOR_SID_AUTHORITY 3
# define SECURITY_NT_AUTHORITY 5
2005-12-03 21:34:13 +03:00
# endif
2002-09-25 19:19:00 +04:00
2010-05-21 05:25:01 +04:00
static struct dom_sid system_sid_array [ 1 ] =
2005-04-09 15:46:40 +04:00
{ { 1 , 1 , { 0 , 0 , 0 , 0 , 0 , 5 } , { 18 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 , 0 } } } ;
2010-09-04 02:37:21 +04:00
static const struct security_token system_token = {
. num_sids = ARRAY_SIZE ( system_sid_array ) ,
. sids = system_sid_array ,
. privilege_mask = SE_ALL_PRIVS
} ;
2002-10-01 22:26:00 +04:00
2002-07-15 14:35:28 +04:00
/****************************************************************************
Lookup string names for SID types .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2003-01-03 11:28:12 +03:00
static const struct {
2006-09-08 18:28:06 +04:00
enum lsa_SidType sid_type ;
2003-01-03 11:28:12 +03:00
const char * string ;
2002-07-15 14:35:28 +04:00
} sid_name_type [ ] = {
2002-10-18 23:46:32 +04:00
{ SID_NAME_USER , " User " } ,
{ SID_NAME_DOM_GRP , " Domain Group " } ,
{ SID_NAME_DOMAIN , " Domain " } ,
{ SID_NAME_ALIAS , " Local Group " } ,
{ SID_NAME_WKN_GRP , " Well-known Group " } ,
{ SID_NAME_DELETED , " Deleted Account " } ,
{ SID_NAME_INVALID , " Invalid Account " } ,
2002-07-15 14:35:28 +04:00
{ SID_NAME_UNKNOWN , " UNKNOWN " } ,
2003-04-14 06:26:41 +04:00
{ SID_NAME_COMPUTER , " Computer " } ,
2002-07-15 14:35:28 +04:00
2006-09-08 18:28:06 +04:00
{ ( enum lsa_SidType ) 0 , NULL }
2002-07-15 14:35:28 +04:00
} ;
const char * sid_type_lookup ( uint32 sid_type )
2001-05-03 06:50:11 +04:00
{
int i = 0 ;
2002-07-15 14:35:28 +04:00
/* Look through list */
while ( sid_name_type [ i ] . sid_type ! = 0 ) {
if ( sid_name_type [ i ] . sid_type = = sid_type )
return sid_name_type [ i ] . string ;
2001-05-03 06:50:11 +04:00
i + + ;
}
2002-07-15 14:35:28 +04:00
/* Default return */
return " SID *TYPE* is INVALID " ;
2001-05-03 06:50:11 +04:00
}
2002-10-23 05:22:32 +04:00
/**************************************************************************
Create the SYSTEM token .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2010-09-04 02:37:21 +04:00
const struct security_token * get_system_token ( void )
2002-10-01 22:26:00 +04:00
{
return & system_token ;
1999-12-13 16:27:58 +03:00
}
1998-11-05 19:51:34 +03:00
/*****************************************************************
Convert a SID to an ascii string .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2010-05-21 05:25:01 +04:00
char * sid_to_fstring ( fstring sidstr_out , const struct dom_sid * sid )
1998-11-05 19:51:34 +03:00
{
2007-12-16 00:33:52 +03:00
char * str = sid_string_talloc ( talloc_tos ( ) , sid ) ;
fstrcpy ( sidstr_out , str ) ;
TALLOC_FREE ( str ) ;
2002-10-18 23:46:32 +04:00
return sidstr_out ;
1998-11-05 19:51:34 +03:00
}
2007-12-16 00:33:52 +03:00
/*****************************************************************
2010-06-17 23:28:54 +04:00
Essentially a renamed dom_sid_string from
. . / libcli / security / dom_sid . c with a panic if it didn ' t work .
2007-12-16 00:33:52 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2010-05-21 05:25:01 +04:00
char * sid_string_talloc ( TALLOC_CTX * mem_ctx , const struct dom_sid * sid )
2007-09-09 00:30:51 +04:00
{
2007-12-16 00:33:52 +03:00
char * result = dom_sid_string ( mem_ctx , sid ) ;
2007-12-15 21:00:42 +03:00
SMB_ASSERT ( result ! = NULL ) ;
return result ;
}
2007-12-16 00:08:09 +03:00
/*****************************************************************
Useful function for debug lines .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2010-05-21 05:25:01 +04:00
char * sid_string_dbg ( const struct dom_sid * sid )
2007-12-15 23:06:20 +03:00
{
2009-11-03 12:59:18 +03:00
return sid_string_talloc ( talloc_tos ( ) , sid ) ;
2007-12-15 23:06:20 +03:00
}
2007-12-16 00:08:09 +03:00
/*****************************************************************
Use with care !
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2010-05-21 05:25:01 +04:00
char * sid_string_tos ( const struct dom_sid * sid )
2007-12-15 21:00:42 +03:00
{
return sid_string_talloc ( talloc_tos ( ) , sid ) ;
2007-09-09 00:30:51 +04:00
}
1998-11-05 19:51:34 +03:00
/*****************************************************************
Convert a string to a SID . Returns True on success , False on fail .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2010-01-23 15:33:10 +03:00
2010-05-21 05:25:01 +04:00
bool string_to_sid ( struct dom_sid * sidout , const char * sidstr )
1998-11-05 19:51:34 +03:00
{
2010-01-25 14:41:48 +03:00
const char * p ;
char * q ;
/* BIG NOTE: this function only does SIDS where the identauth is not >= 2^32 */
uint32 conv ;
if ( ( sidstr [ 0 ] ! = ' S ' & & sidstr [ 0 ] ! = ' s ' ) | | sidstr [ 1 ] ! = ' - ' ) {
2010-02-20 23:32:07 +03:00
goto format_error ;
2002-10-23 05:22:32 +04:00
}
2010-01-25 14:41:48 +03:00
ZERO_STRUCTP ( sidout ) ;
/* Get the revision number. */
p = sidstr + 2 ;
2010-02-20 23:32:07 +03:00
if ( ! isdigit ( * p ) ) {
goto format_error ;
}
2010-01-25 14:41:48 +03:00
conv = ( uint32 ) strtoul ( p , & q , 10 ) ;
if ( ! q | | ( * q ! = ' - ' ) ) {
2010-02-20 23:32:07 +03:00
goto format_error ;
2010-01-25 14:41:48 +03:00
}
sidout - > sid_rev_num = ( uint8 ) conv ;
q + + ;
2010-02-20 23:32:07 +03:00
if ( ! isdigit ( * q ) ) {
goto format_error ;
}
2010-01-25 14:41:48 +03:00
/* get identauth */
conv = ( uint32 ) strtoul ( q , & q , 10 ) ;
if ( ! q | | ( * q ! = ' - ' ) ) {
2010-02-20 23:32:07 +03:00
goto format_error ;
2010-01-25 14:41:48 +03:00
}
/* identauth in decimal should be < 2^32 */
/* NOTE - the conv value is in big-endian format. */
sidout - > id_auth [ 0 ] = 0 ;
sidout - > id_auth [ 1 ] = 0 ;
sidout - > id_auth [ 2 ] = ( conv & 0xff000000 ) > > 24 ;
sidout - > id_auth [ 3 ] = ( conv & 0x00ff0000 ) > > 16 ;
sidout - > id_auth [ 4 ] = ( conv & 0x0000ff00 ) > > 8 ;
sidout - > id_auth [ 5 ] = ( conv & 0x000000ff ) ;
q + + ;
sidout - > num_auths = 0 ;
2010-02-20 23:32:07 +03:00
while ( true ) {
char * end ;
if ( ! isdigit ( * q ) ) {
goto format_error ;
}
conv = strtoul ( q , & end , 10 ) ;
if ( end = = q ) {
goto format_error ;
}
if ( ! sid_append_rid ( sidout , conv ) ) {
DEBUG ( 3 , ( " Too many sid auths in %s \n " , sidstr ) ) ;
return false ;
}
q = end ;
if ( * q = = ' \0 ' ) {
2010-01-25 14:41:48 +03:00
break ;
2010-02-20 23:32:07 +03:00
}
if ( * q ! = ' - ' ) {
goto format_error ;
}
q + = 1 ;
2010-01-25 14:41:48 +03:00
}
2010-02-20 23:32:07 +03:00
return true ;
2010-01-25 14:41:48 +03:00
2010-02-20 23:32:07 +03:00
format_error :
DEBUG ( 3 , ( " string_to_sid: SID %s is not in a valid format \n " , sidstr ) ) ;
return false ;
1998-11-05 19:51:34 +03:00
}
/*****************************************************************
1999-12-13 16:27:58 +03:00
Add a rid to the end of a sid
1998-11-05 19:51:34 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
1999-12-13 16:27:58 +03:00
2010-05-21 05:25:01 +04:00
bool sid_append_rid ( struct dom_sid * sid , uint32 rid )
1998-11-05 19:51:34 +03:00
{
1999-12-13 16:27:58 +03:00
if ( sid - > num_auths < MAXSUBAUTHS ) {
1998-11-05 19:51:34 +03:00
sid - > sub_auths [ sid - > num_auths + + ] = rid ;
return True ;
}
return False ;
}
2010-05-21 05:25:01 +04:00
bool sid_compose ( struct dom_sid * dst , const struct dom_sid * domain_sid , uint32 rid )
2005-06-09 02:10:34 +04:00
{
sid_copy ( dst , domain_sid ) ;
return sid_append_rid ( dst , rid ) ;
}
1998-11-05 19:51:34 +03:00
/*****************************************************************
1999-12-13 16:27:58 +03:00
Removes the last rid from the end of a sid
1998-11-05 19:51:34 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
1999-12-13 16:27:58 +03:00
2010-05-21 05:25:01 +04:00
bool sid_split_rid ( struct dom_sid * sid , uint32 * rid )
1998-11-05 19:51:34 +03:00
{
1999-12-13 16:27:58 +03:00
if ( sid - > num_auths > 0 ) {
1998-11-05 19:51:34 +03:00
sid - > num_auths - - ;
1999-12-13 16:27:58 +03:00
* rid = sid - > sub_auths [ sid - > num_auths ] ;
1998-11-05 19:51:34 +03:00
return True ;
}
return False ;
}
2001-05-10 04:48:06 +04:00
/*****************************************************************
Return the last rid from the end of a sid
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2010-05-21 05:25:01 +04:00
bool sid_peek_rid ( const struct dom_sid * sid , uint32 * rid )
2001-05-10 04:48:06 +04:00
{
2002-07-15 14:35:28 +04:00
if ( ! sid | | ! rid )
return False ;
2010-01-23 15:33:10 +03:00
2001-05-10 04:48:06 +04:00
if ( sid - > num_auths > 0 ) {
* rid = sid - > sub_auths [ sid - > num_auths - 1 ] ;
return True ;
}
return False ;
}
2002-07-15 14:35:28 +04:00
/*****************************************************************
Return the last rid from the end of a sid
and check the sid against the exp_dom_sid
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2010-05-21 05:25:01 +04:00
bool sid_peek_check_rid ( const struct dom_sid * exp_dom_sid , const struct dom_sid * sid , uint32 * rid )
2002-07-15 14:35:28 +04:00
{
if ( ! exp_dom_sid | | ! sid | | ! rid )
return False ;
2010-01-23 15:33:10 +03:00
2003-05-09 13:33:51 +04:00
if ( sid - > num_auths ! = ( exp_dom_sid - > num_auths + 1 ) ) {
return False ;
}
2002-07-15 14:35:28 +04:00
if ( sid_compare_domain ( exp_dom_sid , sid ) ! = 0 ) {
* rid = ( - 1 ) ;
return False ;
}
2010-01-23 15:33:10 +03:00
2002-07-15 14:35:28 +04:00
return sid_peek_rid ( sid , rid ) ;
}
1998-11-05 19:51:34 +03:00
/*****************************************************************
1999-12-13 16:27:58 +03:00
Copies a sid
1998-11-05 19:51:34 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2010-05-21 05:25:01 +04:00
void sid_copy ( struct dom_sid * dst , const struct dom_sid * src )
1998-11-29 23:03:33 +03:00
{
int i ;
2002-07-15 14:35:28 +04:00
ZERO_STRUCTP ( dst ) ;
2000-06-24 04:15:08 +04:00
1999-12-13 16:27:58 +03:00
dst - > sid_rev_num = src - > sid_rev_num ;
dst - > num_auths = src - > num_auths ;
1998-11-29 23:03:33 +03:00
1999-12-13 16:27:58 +03:00
memcpy ( & dst - > id_auth [ 0 ] , & src - > id_auth [ 0 ] , sizeof ( src - > id_auth ) ) ;
1998-11-29 23:03:33 +03:00
1999-12-13 16:27:58 +03:00
for ( i = 0 ; i < src - > num_auths ; i + + )
dst - > sub_auths [ i ] = src - > sub_auths [ i ] ;
1998-11-29 23:03:33 +03:00
}
1999-12-13 16:27:58 +03:00
/*****************************************************************
Write a sid out into on - the - wire format .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2002-10-23 05:22:32 +04:00
2010-05-21 05:25:01 +04:00
bool sid_linearize ( char * outbuf , size_t len , const struct dom_sid * sid )
1999-11-20 22:43:37 +03:00
{
1999-12-13 16:27:58 +03:00
size_t i ;
1999-11-20 22:43:37 +03:00
2010-05-10 02:42:06 +04:00
if ( len < ndr_size_dom_sid ( sid , 0 ) )
1999-11-20 22:43:37 +03:00
return False ;
1999-12-13 16:27:58 +03:00
SCVAL ( outbuf , 0 , sid - > sid_rev_num ) ;
SCVAL ( outbuf , 1 , sid - > num_auths ) ;
memcpy ( & outbuf [ 2 ] , sid - > id_auth , 6 ) ;
for ( i = 0 ; i < sid - > num_auths ; i + + )
SIVAL ( outbuf , 8 + ( i * 4 ) , sid - > sub_auths [ i ] ) ;
1999-11-20 22:43:37 +03:00
return True ;
1999-12-13 16:27:58 +03:00
}
1999-11-20 22:43:37 +03:00
2001-12-03 09:04:18 +03:00
/*****************************************************************
2010-05-21 05:25:01 +04:00
Parse a on - the - wire SID to a struct dom_sid .
2001-12-03 09:04:18 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2002-10-23 05:22:32 +04:00
2010-05-21 05:25:01 +04:00
bool sid_parse ( const char * inbuf , size_t len , struct dom_sid * sid )
2001-12-03 09:04:18 +03:00
{
int i ;
2002-10-23 05:22:32 +04:00
if ( len < 8 )
return False ;
2002-08-17 21:00:51 +04:00
ZERO_STRUCTP ( sid ) ;
2001-12-03 09:04:18 +03:00
sid - > sid_rev_num = CVAL ( inbuf , 0 ) ;
sid - > num_auths = CVAL ( inbuf , 1 ) ;
memcpy ( sid - > id_auth , inbuf + 2 , 6 ) ;
2002-10-23 05:22:32 +04:00
if ( len < 8 + sid - > num_auths * 4 )
return False ;
for ( i = 0 ; i < sid - > num_auths ; i + + )
2001-12-03 09:04:18 +03:00
sid - > sub_auths [ i ] = IVAL ( inbuf , 8 + i * 4 ) ;
return True ;
}
1999-12-13 16:27:58 +03:00
/*****************************************************************
2001-12-19 11:37:03 +03:00
Compare the auth portion of two sids .
1999-12-13 16:27:58 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2002-10-23 05:22:32 +04:00
2010-05-21 05:25:01 +04:00
static int sid_compare_auth ( const struct dom_sid * sid1 , const struct dom_sid * sid2 )
1999-11-20 22:43:37 +03:00
{
1999-12-13 16:27:58 +03:00
int i ;
1999-11-20 22:43:37 +03:00
2002-10-23 05:22:32 +04:00
if ( sid1 = = sid2 )
return 0 ;
if ( ! sid1 )
return - 1 ;
if ( ! sid2 )
return 1 ;
2000-07-26 00:26:50 +04:00
1999-12-13 16:27:58 +03:00
if ( sid1 - > sid_rev_num ! = sid2 - > sid_rev_num )
2001-02-23 10:20:11 +03:00
return sid1 - > sid_rev_num - sid2 - > sid_rev_num ;
1999-11-20 22:43:37 +03:00
1999-12-13 16:27:58 +03:00
for ( i = 0 ; i < 6 ; i + + )
if ( sid1 - > id_auth [ i ] ! = sid2 - > id_auth [ i ] )
2001-02-23 10:20:11 +03:00
return sid1 - > id_auth [ i ] - sid2 - > id_auth [ i ] ;
1999-11-20 22:43:37 +03:00
2001-02-23 10:20:11 +03:00
return 0 ;
}
/*****************************************************************
Compare two sids .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2002-10-23 05:22:32 +04:00
2010-05-21 05:25:01 +04:00
int sid_compare ( const struct dom_sid * sid1 , const struct dom_sid * sid2 )
2001-12-03 14:11:14 +03:00
{
int i ;
2001-02-23 10:20:11 +03:00
2002-10-23 05:22:32 +04:00
if ( sid1 = = sid2 )
return 0 ;
if ( ! sid1 )
return - 1 ;
if ( ! sid2 )
return 1 ;
2001-12-03 14:11:14 +03:00
2002-10-23 05:22:32 +04:00
/* Compare most likely different rids, first: i.e start at end */
2001-12-03 14:11:14 +03:00
if ( sid1 - > num_auths ! = sid2 - > num_auths )
return sid1 - > num_auths - sid2 - > num_auths ;
for ( i = sid1 - > num_auths - 1 ; i > = 0 ; - - i )
if ( sid1 - > sub_auths [ i ] ! = sid2 - > sub_auths [ i ] )
return sid1 - > sub_auths [ i ] - sid2 - > sub_auths [ i ] ;
2001-12-19 11:37:03 +03:00
return sid_compare_auth ( sid1 , sid2 ) ;
2001-12-03 14:11:14 +03:00
}
2001-12-19 11:37:03 +03:00
/*****************************************************************
2002-10-23 05:22:32 +04:00
See if 2 SIDs are in the same domain
this just compares the leading sub - auths
2001-12-19 11:37:03 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2002-10-23 05:22:32 +04:00
2010-05-21 05:25:01 +04:00
int sid_compare_domain ( const struct dom_sid * sid1 , const struct dom_sid * sid2 )
2001-12-19 11:37:03 +03:00
{
int n , i ;
n = MIN ( sid1 - > num_auths , sid2 - > num_auths ) ;
for ( i = n - 1 ; i > = 0 ; - - i )
if ( sid1 - > sub_auths [ i ] ! = sid2 - > sub_auths [ i ] )
return sid1 - > sub_auths [ i ] - sid2 - > sub_auths [ i ] ;
return sid_compare_auth ( sid1 , sid2 ) ;
}
2001-12-03 14:11:14 +03:00
/*****************************************************************
Compare two sids .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2002-10-23 05:22:32 +04:00
2010-05-21 05:25:01 +04:00
bool sid_equal ( const struct dom_sid * sid1 , const struct dom_sid * sid2 )
2001-02-23 10:20:11 +03:00
{
return sid_compare ( sid1 , sid2 ) = = 0 ;
1999-12-13 16:27:58 +03:00
}
1999-11-20 22:43:37 +03:00
2001-09-22 10:45:24 +04:00
/*****************************************************************
Returns true if SID is internal ( and non - mappable ) .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2010-05-21 05:25:01 +04:00
bool non_mappable_sid ( struct dom_sid * sid )
2001-09-22 10:45:24 +04:00
{
2010-05-21 05:25:01 +04:00
struct dom_sid dom ;
2001-09-22 10:45:24 +04:00
uint32 rid ;
sid_copy ( & dom , sid ) ;
sid_split_rid ( & dom , & rid ) ;
if ( sid_equal ( & dom , & global_sid_Builtin ) )
return True ;
if ( sid_equal ( & dom , & global_sid_NT_Authority ) )
return True ;
return False ;
}
2001-12-10 03:39:01 +03:00
2002-10-23 05:22:32 +04:00
/*****************************************************************
2010-05-21 05:25:01 +04:00
Return the binary string representation of a struct dom_sid .
2002-10-23 05:22:32 +04:00
Caller must free .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2010-05-21 05:25:01 +04:00
char * sid_binstring ( TALLOC_CTX * mem_ctx , const struct dom_sid * sid )
2006-04-28 18:44:43 +04:00
{
2009-05-28 13:18:22 +04:00
uint8_t * buf ;
char * s ;
2010-05-10 02:42:06 +04:00
int len = ndr_size_dom_sid ( sid , 0 ) ;
2009-05-28 13:18:22 +04:00
buf = talloc_array ( mem_ctx , uint8_t , len ) ;
if ( ! buf ) {
2006-04-28 18:44:43 +04:00
return NULL ;
2009-05-28 13:18:22 +04:00
}
sid_linearize ( ( char * ) buf , len , sid ) ;
s = binary_string_rfc2254 ( mem_ctx , buf , len ) ;
TALLOC_FREE ( buf ) ;
2006-04-28 18:44:43 +04:00
return s ;
}
/*****************************************************************
2010-05-21 05:25:01 +04:00
Return the binary string representation of a struct dom_sid .
2006-04-28 18:44:43 +04:00
Caller must free .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2010-05-21 05:25:01 +04:00
char * sid_binstring_hex ( const struct dom_sid * sid )
2001-12-10 03:39:01 +03:00
{
char * buf , * s ;
2010-05-10 02:42:06 +04:00
int len = ndr_size_dom_sid ( sid , 0 ) ;
2006-07-30 20:36:56 +04:00
buf = ( char * ) SMB_MALLOC ( len ) ;
2002-10-23 05:22:32 +04:00
if ( ! buf )
return NULL ;
2001-12-10 03:39:01 +03:00
sid_linearize ( buf , len , sid ) ;
s = binary_string ( buf , len ) ;
free ( buf ) ;
return s ;
}
2003-04-23 15:54:56 +04:00
/*******************************************************************
Tallocs a duplicate SID .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2009-12-30 13:30:13 +03:00
struct dom_sid * sid_dup_talloc ( TALLOC_CTX * ctx , const struct dom_sid * src )
2003-04-23 15:54:56 +04:00
{
2009-12-30 13:30:13 +03:00
struct dom_sid * dst ;
if ( src = = NULL ) {
2003-04-23 15:54:56 +04:00
return NULL ;
}
2009-12-30 13:30:13 +03:00
dst = talloc_zero ( ctx , struct dom_sid ) ;
if ( dst = = NULL ) {
return NULL ;
}
sid_copy ( dst , src ) ;
2003-04-23 15:54:56 +04:00
return dst ;
}
2005-01-13 21:20:37 +03:00
/********************************************************************
Add SID to an array SIDs
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2010-05-21 05:25:01 +04:00
NTSTATUS add_sid_to_array ( TALLOC_CTX * mem_ctx , const struct dom_sid * sid ,
2010-08-26 14:54:13 +04:00
struct dom_sid * * sids , uint32_t * num )
2005-01-13 21:20:37 +03:00
{
2010-05-21 05:25:01 +04:00
* sids = TALLOC_REALLOC_ARRAY ( mem_ctx , * sids , struct dom_sid ,
2005-03-27 20:33:04 +04:00
( * num ) + 1 ) ;
r13915: Fixed a very interesting class of realloc() bugs found by Coverity.
realloc can return NULL in one of two cases - (1) the realloc failed,
(2) realloc succeeded but the new size requested was zero, in which
case this is identical to a free() call.
The error paths dealing with these two cases should be different,
but mostly weren't. Secondly the standard idiom for dealing with
realloc when you know the new size is non-zero is the following :
tmp = realloc(p, size);
if (!tmp) {
SAFE_FREE(p);
return error;
} else {
p = tmp;
}
However, there were *many* *many* places in Samba where we were
using the old (broken) idiom of :
p = realloc(p, size)
if (!p) {
return error;
}
which will leak the memory pointed to by p on realloc fail.
This commit (hopefully) fixes all these cases by moving to
a standard idiom of :
p = SMB_REALLOC(p, size)
if (!p) {
return error;
}
Where if the realloc returns null due to the realloc failing
or size == 0 we *guarentee* that the storage pointed to by p
has been freed. This allows me to remove a lot of code that
was dealing with the standard (more verbose) method that required
a tmp pointer. This is almost always what you want. When a
realloc fails you never usually want the old memory, you
want to free it and get into your error processing asap.
For the 11 remaining cases where we really do need to keep the
old pointer I have invented the new macro SMB_REALLOC_KEEP_OLD_ON_ERROR,
which can be used as follows :
tmp = SMB_REALLOC_KEEP_OLD_ON_ERROR(p, size);
if (!tmp) {
SAFE_FREE(p);
return error;
} else {
p = tmp;
}
SMB_REALLOC_KEEP_OLD_ON_ERROR guarentees never to free the
pointer p, even on size == 0 or realloc fail. All this is
done by a hidden extra argument to Realloc(), BOOL free_old_on_error
which is set appropriately by the SMB_REALLOC and SMB_REALLOC_KEEP_OLD_ON_ERROR
macros (and their array counterparts).
It remains to be seen what this will do to our Coverity bug count :-).
Jeremy.
(This used to be commit 1d710d06a214f3f1740e80e0bffd6aab44aac2b0)
2006-03-07 09:31:04 +03:00
if ( * sids = = NULL ) {
2006-12-09 05:58:18 +03:00
* num = 0 ;
2008-01-09 02:11:31 +03:00
return NT_STATUS_NO_MEMORY ;
r13915: Fixed a very interesting class of realloc() bugs found by Coverity.
realloc can return NULL in one of two cases - (1) the realloc failed,
(2) realloc succeeded but the new size requested was zero, in which
case this is identical to a free() call.
The error paths dealing with these two cases should be different,
but mostly weren't. Secondly the standard idiom for dealing with
realloc when you know the new size is non-zero is the following :
tmp = realloc(p, size);
if (!tmp) {
SAFE_FREE(p);
return error;
} else {
p = tmp;
}
However, there were *many* *many* places in Samba where we were
using the old (broken) idiom of :
p = realloc(p, size)
if (!p) {
return error;
}
which will leak the memory pointed to by p on realloc fail.
This commit (hopefully) fixes all these cases by moving to
a standard idiom of :
p = SMB_REALLOC(p, size)
if (!p) {
return error;
}
Where if the realloc returns null due to the realloc failing
or size == 0 we *guarentee* that the storage pointed to by p
has been freed. This allows me to remove a lot of code that
was dealing with the standard (more verbose) method that required
a tmp pointer. This is almost always what you want. When a
realloc fails you never usually want the old memory, you
want to free it and get into your error processing asap.
For the 11 remaining cases where we really do need to keep the
old pointer I have invented the new macro SMB_REALLOC_KEEP_OLD_ON_ERROR,
which can be used as follows :
tmp = SMB_REALLOC_KEEP_OLD_ON_ERROR(p, size);
if (!tmp) {
SAFE_FREE(p);
return error;
} else {
p = tmp;
}
SMB_REALLOC_KEEP_OLD_ON_ERROR guarentees never to free the
pointer p, even on size == 0 or realloc fail. All this is
done by a hidden extra argument to Realloc(), BOOL free_old_on_error
which is set appropriately by the SMB_REALLOC and SMB_REALLOC_KEEP_OLD_ON_ERROR
macros (and their array counterparts).
It remains to be seen what this will do to our Coverity bug count :-).
Jeremy.
(This used to be commit 1d710d06a214f3f1740e80e0bffd6aab44aac2b0)
2006-03-07 09:31:04 +03:00
}
2005-01-13 21:20:37 +03:00
sid_copy ( & ( ( * sids ) [ * num ] ) , sid ) ;
* num + = 1 ;
2008-01-09 02:11:31 +03:00
return NT_STATUS_OK ;
2005-01-13 21:20:37 +03:00
}
/********************************************************************
Add SID to an array SIDs ensuring that it is not already there
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2010-05-21 05:25:01 +04:00
NTSTATUS add_sid_to_array_unique ( TALLOC_CTX * mem_ctx , const struct dom_sid * sid ,
2010-08-26 14:54:13 +04:00
struct dom_sid * * sids , uint32_t * num_sids )
2005-01-13 21:20:37 +03:00
{
2005-10-18 07:24:00 +04:00
size_t i ;
2005-01-13 21:20:37 +03:00
for ( i = 0 ; i < ( * num_sids ) ; i + + ) {
if ( sid_compare ( sid , & ( * sids ) [ i ] ) = = 0 )
2008-01-09 02:11:31 +03:00
return NT_STATUS_OK ;
2005-01-13 21:20:37 +03:00
}
2006-12-09 05:58:18 +03:00
return add_sid_to_array ( mem_ctx , sid , sids , num_sids ) ;
2005-01-13 21:20:37 +03:00
}
/********************************************************************
Remove SID from an array
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2010-05-21 05:25:01 +04:00
void del_sid_from_array ( const struct dom_sid * sid , struct dom_sid * * sids , size_t * num )
2005-01-13 21:20:37 +03:00
{
2010-05-21 05:25:01 +04:00
struct dom_sid * sid_list = * sids ;
2005-10-18 07:24:00 +04:00
size_t i ;
2005-01-13 21:20:37 +03:00
for ( i = 0 ; i < * num ; i + + ) {
/* if we find the SID, then decrement the count
and break out of the loop */
if ( sid_equal ( sid , & sid_list [ i ] ) ) {
* num - = 1 ;
break ;
}
}
/* This loop will copy the remainder of the array
if i < num of sids ni the array */
for ( ; i < * num ; i + + )
sid_copy ( & sid_list [ i ] , & sid_list [ i + 1 ] ) ;
2010-01-23 15:33:10 +03:00
2005-01-13 21:20:37 +03:00
return ;
}
2006-01-19 03:03:07 +03:00
2007-10-19 04:40:25 +04:00
bool add_rid_to_array_unique ( TALLOC_CTX * mem_ctx ,
2006-06-19 20:25:19 +04:00
uint32 rid , uint32 * * pp_rids , size_t * p_num )
{
size_t i ;
for ( i = 0 ; i < * p_num ; i + + ) {
if ( ( * pp_rids ) [ i ] = = rid )
2006-12-09 05:58:18 +03:00
return True ;
2006-06-19 20:25:19 +04:00
}
2010-01-23 15:33:10 +03:00
2006-06-19 20:25:19 +04:00
* pp_rids = TALLOC_REALLOC_ARRAY ( mem_ctx , * pp_rids , uint32 , * p_num + 1 ) ;
2006-12-09 05:58:18 +03:00
if ( * pp_rids = = NULL ) {
* p_num = 0 ;
return False ;
}
2006-06-19 20:25:19 +04:00
( * pp_rids ) [ * p_num ] = rid ;
* p_num + = 1 ;
2006-12-09 05:58:18 +03:00
return True ;
2006-06-19 20:25:19 +04:00
}
2010-05-21 05:25:01 +04:00
bool is_null_sid ( const struct dom_sid * sid )
2006-01-19 03:03:07 +03:00
{
2010-05-21 05:25:01 +04:00
static const struct dom_sid null_sid = { 0 } ;
2006-01-19 03:03:07 +03:00
return sid_equal ( sid , & null_sid ) ;
}
2007-07-17 15:47:17 +04:00
2010-08-26 16:08:22 +04:00
bool is_sid_in_token ( const struct security_token * token , const struct dom_sid * sid )
2008-10-22 05:05:48 +04:00
{
int i ;
for ( i = 0 ; i < token - > num_sids ; i + + ) {
2010-08-31 03:32:52 +04:00
if ( sid_compare ( sid , & token - > sids [ i ] ) = = 0 )
2008-10-22 05:05:48 +04:00
return true ;
}
return false ;
}
2007-07-17 15:47:17 +04:00
NTSTATUS sid_array_from_info3 ( TALLOC_CTX * mem_ctx ,
2008-02-16 20:51:01 +03:00
const struct netr_SamInfo3 * info3 ,
2010-05-21 05:25:01 +04:00
struct dom_sid * * user_sids ,
2010-08-26 14:54:13 +04:00
uint32_t * num_user_sids ,
2008-04-04 04:53:40 +04:00
bool include_user_group_rid ,
bool skip_ressource_groups )
2007-07-17 15:47:17 +04:00
{
2008-01-09 02:11:31 +03:00
NTSTATUS status ;
2010-05-21 05:25:01 +04:00
struct dom_sid sid ;
struct dom_sid * sid_array = NULL ;
2010-08-26 14:54:13 +04:00
uint32_t num_sids = 0 ;
2007-07-17 15:47:17 +04:00
int i ;
if ( include_user_group_rid ) {
2008-08-16 02:28:23 +04:00
if ( ! sid_compose ( & sid , info3 - > base . domain_sid , info3 - > base . rid ) ) {
2008-01-09 02:11:31 +03:00
DEBUG ( 3 , ( " could not compose user SID from rid 0x%x \n " ,
2008-02-16 20:51:01 +03:00
info3 - > base . rid ) ) ;
2007-07-17 15:47:17 +04:00
return NT_STATUS_INVALID_PARAMETER ;
}
2008-01-09 02:11:31 +03:00
status = add_sid_to_array ( mem_ctx , & sid , & sid_array , & num_sids ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
DEBUG ( 3 , ( " could not append user SID from rid 0x%x \n " ,
2008-02-16 20:51:01 +03:00
info3 - > base . rid ) ) ;
2008-01-09 02:11:31 +03:00
return status ;
}
2008-08-16 02:28:23 +04:00
}
2007-07-17 15:47:17 +04:00
2008-08-16 02:28:23 +04:00
if ( ! sid_compose ( & sid , info3 - > base . domain_sid , info3 - > base . primary_gid ) ) {
DEBUG ( 3 , ( " could not compose group SID from rid 0x%x \n " ,
info3 - > base . primary_gid ) ) ;
return NT_STATUS_INVALID_PARAMETER ;
}
status = add_sid_to_array ( mem_ctx , & sid , & sid_array , & num_sids ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
DEBUG ( 3 , ( " could not append group SID from rid 0x%x \n " ,
info3 - > base . rid ) ) ;
return status ;
2007-07-17 15:47:17 +04:00
}
2008-02-16 20:51:01 +03:00
for ( i = 0 ; i < info3 - > base . groups . count ; i + + ) {
2008-08-16 02:28:23 +04:00
/* Don't add the primary group sid twice. */
if ( info3 - > base . primary_gid = = info3 - > base . groups . rids [ i ] . rid ) {
continue ;
}
2008-02-16 20:51:01 +03:00
if ( ! sid_compose ( & sid , info3 - > base . domain_sid ,
2008-08-16 02:28:23 +04:00
info3 - > base . groups . rids [ i ] . rid ) ) {
2008-01-09 02:11:31 +03:00
DEBUG ( 3 , ( " could not compose SID from additional group "
2008-02-16 20:51:01 +03:00
" rid 0x%x \n " , info3 - > base . groups . rids [ i ] . rid ) ) ;
2007-07-17 15:47:17 +04:00
return NT_STATUS_INVALID_PARAMETER ;
}
2008-01-09 02:11:31 +03:00
status = add_sid_to_array ( mem_ctx , & sid , & sid_array , & num_sids ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
DEBUG ( 3 , ( " could not append SID from additional group "
2008-02-16 20:51:01 +03:00
" rid 0x%x \n " , info3 - > base . groups . rids [ i ] . rid ) ) ;
2008-01-09 02:11:31 +03:00
return status ;
}
2007-07-17 15:47:17 +04:00
}
/* Copy 'other' sids. We need to do sid filtering here to
prevent possible elevation of privileges . See :
http : //www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp
*/
2008-02-16 20:51:01 +03:00
for ( i = 0 ; i < info3 - > sidcount ; i + + ) {
2008-04-04 04:53:40 +04:00
if ( skip_ressource_groups & &
( info3 - > sids [ i ] . attributes & SE_GROUP_RESOURCE ) ) {
continue ;
}
2008-02-16 20:51:01 +03:00
status = add_sid_to_array ( mem_ctx , info3 - > sids [ i ] . sid ,
2008-01-09 02:11:31 +03:00
& sid_array , & num_sids ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
2007-07-17 15:47:17 +04:00
DEBUG ( 3 , ( " could not add SID to array: %s \n " ,
2008-02-16 20:51:01 +03:00
sid_string_dbg ( info3 - > sids [ i ] . sid ) ) ) ;
2008-01-09 02:11:31 +03:00
return status ;
2007-07-17 15:47:17 +04:00
}
}
* user_sids = sid_array ;
* num_user_sids = num_sids ;
return NT_STATUS_OK ;
}
