2010-09-17 06:59:24 +04:00
/*
2004-05-28 17:23:30 +04:00
Unix SMB / CIFS implementation .
2009-07-15 15:25:04 +04:00
security descriptor utility functions
2004-05-28 17:23:30 +04:00
Copyright ( C ) Andrew Tridgell 2004
2010-09-17 06:59:24 +04:00
Copyright ( C ) Andrew Bartlett 2010
2005-01-09 15:55:25 +03:00
Copyright ( C ) Stefan Metzmacher 2005
2010-09-17 06:59:24 +04:00
2004-05-28 17:23:30 +04:00
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
2007-07-10 06:07:03 +04:00
the Free Software Foundation ; either version 3 of the License , or
2004-05-28 17:23:30 +04:00
( at your option ) any later version .
2010-09-17 06:59:24 +04:00
2004-05-28 17:23:30 +04:00
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
2010-09-17 06:59:24 +04:00
2004-05-28 17:23:30 +04:00
You should have received a copy of the GNU General Public License
2007-07-10 06:07:03 +04:00
along with this program . If not , see < http : //www.gnu.org/licenses/>.
2004-05-28 17:23:30 +04:00
*/
2023-03-03 20:41:33 +03:00
# include "replace.h"
2023-09-14 13:09:50 +03:00
# include <talloc.h>
# include "lib/util/talloc_stack.h"
2023-03-03 20:41:33 +03:00
# include "lib/util/debug.h"
2023-04-18 12:31:16 +03:00
# include "lib/util/fault.h"
2010-09-17 06:59:24 +04:00
# include "libcli/security/security_token.h"
# include "libcli/security/dom_sid.h"
# include "libcli/security/privileges.h"
2023-09-15 08:31:44 +03:00
# include "librpc/gen_ndr/ndr_security.h"
2023-08-30 13:39:00 +03:00
# include "lib/util/talloc_stack.h"
2004-05-28 17:23:30 +04:00
/*
2004-12-11 08:41:19 +03:00
return a blank security token
2004-05-28 17:23:30 +04:00
*/
2023-09-14 13:09:50 +03:00
struct security_token * security_token_initialise ( TALLOC_CTX * mem_ctx ,
enum claims_evaluation_control evaluate_claims )
2004-05-28 17:23:30 +04:00
{
2020-08-24 23:31:01 +03:00
struct security_token * st = talloc_zero (
mem_ctx , struct security_token ) ;
2023-09-14 13:09:50 +03:00
st - > evaluate_claims = evaluate_claims ;
2004-11-17 17:35:29 +03:00
return st ;
}
2004-12-30 23:34:20 +03:00
2023-09-15 08:31:44 +03:00
/****************************************************************************
Duplicate a SID token .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2023-09-15 01:08:01 +03:00
struct security_token * security_token_duplicate ( TALLOC_CTX * mem_ctx , const struct security_token * src )
2023-09-15 08:31:44 +03:00
{
TALLOC_CTX * frame = NULL ;
struct security_token * dst = NULL ;
DATA_BLOB blob ;
enum ndr_err_code ndr_err ;
if ( src = = NULL ) {
return NULL ;
}
frame = talloc_stackframe ( ) ;
ndr_err = ndr_push_struct_blob (
& blob ,
frame ,
src ,
( ndr_push_flags_fn_t ) ndr_push_security_token ) ;
if ( ! NDR_ERR_CODE_IS_SUCCESS ( ndr_err ) ) {
DBG_ERR ( " Failed to duplicate security_token ndr_push_security_token failed: %s \n " ,
ndr_errstr ( ndr_err ) ) ;
TALLOC_FREE ( frame ) ;
return NULL ;
}
dst = talloc_zero ( mem_ctx , struct security_token ) ;
if ( dst = = NULL ) {
DBG_ERR ( " talloc failed \n " ) ;
TALLOC_FREE ( frame ) ;
return NULL ;
}
ndr_err = ndr_pull_struct_blob (
& blob ,
dst ,
dst ,
( ndr_pull_flags_fn_t ) ndr_pull_security_token ) ;
if ( ! NDR_ERR_CODE_IS_SUCCESS ( ndr_err ) ) {
DBG_ERR ( " Failed to duplicate security_token ndr_pull_security_token "
" failed: %s \n " ,
ndr_errstr ( ndr_err ) ) ;
TALLOC_FREE ( dst ) ;
TALLOC_FREE ( frame ) ;
return NULL ;
}
TALLOC_FREE ( frame ) ;
return dst ;
}
2004-12-30 23:34:20 +03:00
/****************************************************************************
prints a struct security_token to debug output .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2010-09-17 09:23:19 +04:00
void security_token_debug ( int dbg_class , int dbg_lev , const struct security_token * token )
2004-12-30 23:34:20 +03:00
{
2023-08-30 13:46:18 +03:00
TALLOC_CTX * frame = talloc_stackframe ( ) ;
char * sids = NULL ;
2023-08-30 13:39:00 +03:00
char * privs = NULL ;
2010-09-09 22:31:38 +04:00
uint32_t i ;
2004-12-30 23:34:20 +03:00
if ( ! token ) {
2010-09-17 09:23:19 +04:00
DEBUGC ( dbg_class , dbg_lev , ( " Security token: (NULL) \n " ) ) ;
2023-08-30 13:46:18 +03:00
TALLOC_FREE ( frame ) ;
2004-12-30 23:34:20 +03:00
return ;
}
2023-08-30 13:46:18 +03:00
sids = talloc_asprintf ( frame ,
" Security token SIDs (% " PRIu32 " ): \n " ,
token - > num_sids ) ;
2004-12-30 23:34:20 +03:00
for ( i = 0 ; i < token - > num_sids ; i + + ) {
2018-11-24 15:16:56 +03:00
struct dom_sid_buf sidbuf ;
2023-08-30 13:46:18 +03:00
talloc_asprintf_addbuf (
& sids ,
" SID[%3 " PRIu32 " ]: %s \n " ,
i ,
dom_sid_str_buf ( & token - > sids [ i ] , & sidbuf ) ) ;
2004-12-30 23:34:20 +03:00
}
2023-08-30 13:46:18 +03:00
privs = security_token_debug_privileges ( frame , token ) ;
DEBUGC ( dbg_class ,
dbg_lev ,
( " %s%s " , sids ? sids : " (NULL) " , privs ? privs : " (NULL) " ) ) ;
TALLOC_FREE ( frame ) ;
2004-12-30 23:34:20 +03:00
}
2005-10-07 15:31:45 +04:00
/* These really should be cheaper... */
2007-10-07 02:28:14 +04:00
bool security_token_is_sid ( const struct security_token * token , const struct dom_sid * sid )
2005-10-07 15:31:45 +04:00
{
2023-04-18 12:30:26 +03:00
bool ret ;
2020-01-21 13:56:18 +03:00
if ( token - > sids = = NULL ) {
return false ;
}
2023-04-18 12:30:26 +03:00
ret = dom_sid_equal ( & token - > sids [ PRIMARY_USER_SID_INDEX ] , sid ) ;
return ret ;
2005-10-07 15:31:45 +04:00
}
2010-09-17 06:59:24 +04:00
bool security_token_is_system ( const struct security_token * token )
2006-01-07 00:20:09 +03:00
{
2010-09-21 01:14:38 +04:00
return security_token_is_sid ( token , & global_sid_System ) ;
2006-01-07 00:20:09 +03:00
}
2010-09-17 06:59:24 +04:00
bool security_token_is_anonymous ( const struct security_token * token )
2006-03-31 15:05:33 +04:00
{
2010-09-21 01:14:38 +04:00
return security_token_is_sid ( token , & global_sid_Anonymous ) ;
2006-03-31 15:05:33 +04:00
}
2007-10-07 02:28:14 +04:00
bool security_token_has_sid ( const struct security_token * token , const struct dom_sid * sid )
2006-01-07 00:20:09 +03:00
{
2010-09-09 22:31:38 +04:00
uint32_t i ;
2006-01-07 00:20:09 +03:00
for ( i = 0 ; i < token - > num_sids ; i + + ) {
2010-08-20 06:15:15 +04:00
if ( dom_sid_equal ( & token - > sids [ i ] , sid ) ) {
2007-10-07 02:28:14 +04:00
return true ;
2006-01-07 00:20:09 +03:00
}
}
2007-10-07 02:28:14 +04:00
return false ;
2006-01-07 00:20:09 +03:00
}
2023-04-18 12:31:16 +03:00
size_t security_token_count_flag_sids ( const struct security_token * token ,
const struct dom_sid * prefix_sid ,
size_t num_flags ,
const struct dom_sid * * _flag_sid )
{
const size_t num_auths_expected = prefix_sid - > num_auths + num_flags ;
const struct dom_sid * found = NULL ;
size_t num = 0 ;
uint32_t i ;
SMB_ASSERT ( num_auths_expected < = ARRAY_SIZE ( prefix_sid - > sub_auths ) ) ;
for ( i = 0 ; i < token - > num_sids ; i + + ) {
const struct dom_sid * sid = & token - > sids [ i ] ;
int cmp ;
2023-08-01 06:48:21 +03:00
if ( sid - > num_auths ! = num_auths_expected ) {
2023-04-18 12:31:16 +03:00
continue ;
}
cmp = dom_sid_compare_domain ( sid , prefix_sid ) ;
if ( cmp ! = 0 ) {
continue ;
}
num + = 1 ;
found = sid ;
}
if ( ( num = = 1 ) & & ( _flag_sid ! = NULL ) ) {
* _flag_sid = found ;
}
return num ;
}
2016-04-20 17:29:42 +03:00
bool security_token_has_builtin_guests ( const struct security_token * token )
{
return security_token_has_sid ( token , & global_sid_Builtin_Guests ) ;
}
2007-10-07 02:28:14 +04:00
bool security_token_has_builtin_administrators ( const struct security_token * token )
2006-03-31 15:05:33 +04:00
{
2010-09-21 01:14:38 +04:00
return security_token_has_sid ( token , & global_sid_Builtin_Administrators ) ;
2006-03-31 15:05:33 +04:00
}
2007-10-07 02:28:14 +04:00
bool security_token_has_nt_authenticated_users ( const struct security_token * token )
2006-03-31 15:05:33 +04:00
{
2010-09-21 01:14:38 +04:00
return security_token_has_sid ( token , & global_sid_Authenticated_Users ) ;
2006-03-31 15:05:33 +04:00
}
2008-03-20 04:12:10 +03:00
2009-09-16 06:25:45 +04:00
bool security_token_has_enterprise_dcs ( const struct security_token * token )
{
2010-09-21 01:14:38 +04:00
return security_token_has_sid ( token , & global_sid_Enterprise_DCs ) ;
2009-09-16 06:25:45 +04:00
}