sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-02-03 13:47:25 +03:00
Code
samba-mirror/libcli/security/security_token.c

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

229 lines
5.8 KiB
C
Raw Normal View History

libcli/security Move most of security_token.c to common code. The source4-specific session_info functions have been left in session.c Andrew Bartlett
2010-09-17 12:59:24 +10:00
/*
r937: - added a simple QuerySecurity implementation in samr server - moved some sec desc defines into misc.idl - fixed pw_len field in UserInfo26 - made some pipes available on TCP - added netr_DsrEnumerateDomainTrusts() to netlogon - added templates for remaining netlogon IDL calls (from ethereal) - added a unistr_noterm vs unistr error detector in ndr basic decoder - added torture test for netr_DsrEnumerateDomainTrusts() (This used to be commit ae5a5113fb83640dcb9ae4642c1b9eaf28487956)
2004-05-28 13:23:30 +00:00
Unix SMB/CIFS implementation.
Fix typo
2009-07-15 13:25:04 +02:00
security descriptor utility functions
r937: - added a simple QuerySecurity implementation in samr server - moved some sec desc defines into misc.idl - fixed pw_len field in UserInfo26 - made some pipes available on TCP - added netr_DsrEnumerateDomainTrusts() to netlogon - added templates for remaining netlogon IDL calls (from ethereal) - added a unistr_noterm vs unistr error detector in ndr basic decoder - added torture test for netr_DsrEnumerateDomainTrusts() (This used to be commit ae5a5113fb83640dcb9ae4642c1b9eaf28487956)
2004-05-28 13:23:30 +00:00
Copyright (C) Andrew Tridgell 2004
libcli/security Move most of security_token.c to common code. The source4-specific session_info functions have been left in session.c Andrew Bartlett
2010-09-17 12:59:24 +10:00
Copyright (C) Andrew Bartlett 2010
r4620: - add interface functions to the auth subsystem so that callers doesn't need to use function pointers anymore - make the module init much easier - a lot of cleanups don't try to read the diff in auth/ better read the new files it passes test_echo.sh and test_rpc.sh abartlet: please fix spelling fixes metze (This used to be commit 3c0d16b8236451f2cfd38fc3db8ae2906106d847)
2005-01-09 12:55:25 +00:00
Copyright (C) Stefan Metzmacher 2005
libcli/security Move most of security_token.c to common code. The source4-specific session_info functions have been left in session.c Andrew Bartlett
2010-09-17 12:59:24 +10:00
r937: - added a simple QuerySecurity implementation in samr server - moved some sec desc defines into misc.idl - fixed pw_len field in UserInfo26 - made some pipes available on TCP - added netr_DsrEnumerateDomainTrusts() to netlogon - added templates for remaining netlogon IDL calls (from ethereal) - added a unistr_noterm vs unistr error detector in ndr basic decoder - added torture test for netr_DsrEnumerateDomainTrusts() (This used to be commit ae5a5113fb83640dcb9ae4642c1b9eaf28487956)
2004-05-28 13:23:30 +00:00
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
r23792: convert Samba4 to GPLv3 There are still a few tidyups of old FSF addresses to come (in both s3 and s4). More commits soon. (This used to be commit fcf38a38ac691abd0fa51b89dc951a08e89fdafa)
2007-07-10 02:07:03 +00:00
the Free Software Foundation; either version 3 of the License, or
r937: - added a simple QuerySecurity implementation in samr server - moved some sec desc defines into misc.idl - fixed pw_len field in UserInfo26 - made some pipes available on TCP - added netr_DsrEnumerateDomainTrusts() to netlogon - added templates for remaining netlogon IDL calls (from ethereal) - added a unistr_noterm vs unistr error detector in ndr basic decoder - added torture test for netr_DsrEnumerateDomainTrusts() (This used to be commit ae5a5113fb83640dcb9ae4642c1b9eaf28487956)
2004-05-28 13:23:30 +00:00
(at your option) any later version.
libcli/security Move most of security_token.c to common code. The source4-specific session_info functions have been left in session.c Andrew Bartlett
2010-09-17 12:59:24 +10:00
r937: - added a simple QuerySecurity implementation in samr server - moved some sec desc defines into misc.idl - fixed pw_len field in UserInfo26 - made some pipes available on TCP - added netr_DsrEnumerateDomainTrusts() to netlogon - added templates for remaining netlogon IDL calls (from ethereal) - added a unistr_noterm vs unistr error detector in ndr basic decoder - added torture test for netr_DsrEnumerateDomainTrusts() (This used to be commit ae5a5113fb83640dcb9ae4642c1b9eaf28487956)
2004-05-28 13:23:30 +00:00
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
libcli/security Move most of security_token.c to common code. The source4-specific session_info functions have been left in session.c Andrew Bartlett
2010-09-17 12:59:24 +10:00
r937: - added a simple QuerySecurity implementation in samr server - moved some sec desc defines into misc.idl - fixed pw_len field in UserInfo26 - made some pipes available on TCP - added netr_DsrEnumerateDomainTrusts() to netlogon - added templates for remaining netlogon IDL calls (from ethereal) - added a unistr_noterm vs unistr error detector in ndr basic decoder - added torture test for netr_DsrEnumerateDomainTrusts() (This used to be commit ae5a5113fb83640dcb9ae4642c1b9eaf28487956)
2004-05-28 13:23:30 +00:00
You should have received a copy of the GNU General Public License
r23792: convert Samba4 to GPLv3 There are still a few tidyups of old FSF addresses to come (in both s3 and s4). More commits soon. (This used to be commit fcf38a38ac691abd0fa51b89dc951a08e89fdafa)
2007-07-10 02:07:03 +00:00
along with this program. If not, see <http://www.gnu.org/licenses/>.
r937: - added a simple QuerySecurity implementation in samr server - moved some sec desc defines into misc.idl - fixed pw_len field in UserInfo26 - made some pipes available on TCP - added netr_DsrEnumerateDomainTrusts() to netlogon - added templates for remaining netlogon IDL calls (from ethereal) - added a unistr_noterm vs unistr error detector in ndr basic decoder - added torture test for netr_DsrEnumerateDomainTrusts() (This used to be commit ae5a5113fb83640dcb9ae4642c1b9eaf28487956)
2004-05-28 13:23:30 +00:00
*/
libcli/security: Avoid includes.h Don't rebuild libcli/security when not necessary Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2023-03-03 18:41:33 +01:00
#include "replace.h"
libcli/security: Pass in claims evaluation state when building any security token Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-09-14 22:09:50 +12:00
#include <talloc.h>
#include "lib/util/talloc_stack.h"
libcli/security: Avoid includes.h Don't rebuild libcli/security when not necessary Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2023-03-03 18:41:33 +01:00
#include "lib/util/debug.h"
libcli: Add security_token_count_flag_sids() To be used in a few places when checking special-case Samba SIDs. Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361 Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-04-18 11:31:16 +02:00
#include "lib/util/fault.h"
libcli/security Move most of security_token.c to common code. The source4-specific session_info functions have been left in session.c Andrew Bartlett
2010-09-17 12:59:24 +10:00
#include "libcli/security/security_token.h"
#include "libcli/security/dom_sid.h"
#include "libcli/security/privileges.h"
libcli/security: Move dup_nt_token() to libcli/security Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-09-15 17:31:44 +12:00
#include "librpc/gen_ndr/ndr_security.h"
libcli: Convert security_token_debug_privileges() to talloc_asprintf Reduces the number of DEBUGADD calls which leads to messed debug logs between processes. Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2023-08-30 12:39:00 +02:00
#include "lib/util/talloc_stack.h"
r937: - added a simple QuerySecurity implementation in samr server - moved some sec desc defines into misc.idl - fixed pw_len field in UserInfo26 - made some pipes available on TCP - added netr_DsrEnumerateDomainTrusts() to netlogon - added templates for remaining netlogon IDL calls (from ethereal) - added a unistr_noterm vs unistr error detector in ndr basic decoder - added torture test for netr_DsrEnumerateDomainTrusts() (This used to be commit ae5a5113fb83640dcb9ae4642c1b9eaf28487956)
2004-05-28 13:23:30 +00:00
/*
r4147: converted from NT_USER_TOKEN to struct security_token this is mostly just a tidyup, but also adds the privilege_mask, which I will be using shortly in ACL checking. note that I had to move the definition of struct security_token out of security.idl as pidl doesn't yet handle arrays of pointers, and the usual workaround (to use a intermediate structure) would make things too cumbersome for this structure, especially given we never encode it to NDR. (This used to be commit 7b446af09b8050746bfc2c50e9d56aa94397cc1a)
2004-12-11 05:41:19 +00:00
return a blank security token
r937: - added a simple QuerySecurity implementation in samr server - moved some sec desc defines into misc.idl - fixed pw_len field in UserInfo26 - made some pipes available on TCP - added netr_DsrEnumerateDomainTrusts() to netlogon - added templates for remaining netlogon IDL calls (from ethereal) - added a unistr_noterm vs unistr error detector in ndr basic decoder - added torture test for netr_DsrEnumerateDomainTrusts() (This used to be commit ae5a5113fb83640dcb9ae4642c1b9eaf28487956)
2004-05-28 13:23:30 +00:00
*/
libcli/security: Pass in claims evaluation state when building any security token Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-09-14 22:09:50 +12:00
struct security_token *security_token_initialise(TALLOC_CTX *mem_ctx,
enum claims_evaluation_control evaluate_claims)
r937: - added a simple QuerySecurity implementation in samr server - moved some sec desc defines into misc.idl - fixed pw_len field in UserInfo26 - made some pipes available on TCP - added netr_DsrEnumerateDomainTrusts() to netlogon - added templates for remaining netlogon IDL calls (from ethereal) - added a unistr_noterm vs unistr error detector in ndr basic decoder - added torture test for netr_DsrEnumerateDomainTrusts() (This used to be commit ae5a5113fb83640dcb9ae4642c1b9eaf28487956)
2004-05-28 13:23:30 +00:00
{
libcli: Don't leave a pointer uninitialized Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2020-08-24 22:31:01 +02:00
struct security_token *st = talloc_zero(
mem_ctx, struct security_token);
libcli/security: Pass in claims evaluation state when building any security token Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-09-14 22:09:50 +12:00
st->evaluate_claims = evaluate_claims;
r3810: create a LIB_SECURITY subsystem - move dom_sid, security_descriptor, security_* funtions to one place and rename some of them metze (This used to be commit b620bdd672cfdf0e009492e648b0709e6b6d8596)
2004-11-17 14:35:29 +00:00
return st;
}
r4419: move security_token stuff to the libcli/security/ and debug privileges metze (This used to be commit c981808ed4cfa63c7ba7c4f9190b6b14f74bab40)
2004-12-30 20:34:20 +00:00
libcli/security: Move dup_nt_token() to libcli/security Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-09-15 17:31:44 +12:00
/****************************************************************************
Duplicate a SID token.
****************************************************************************/
libcli/security: Rename dup_nt_token() -> security_token_duplicate() Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-09-15 10:08:01 +12:00
struct security_token *security_token_duplicate(TALLOC_CTX *mem_ctx, const struct security_token *src)
libcli/security: Move dup_nt_token() to libcli/security Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-09-15 17:31:44 +12:00
{
TALLOC_CTX *frame = NULL;
struct security_token *dst = NULL;
DATA_BLOB blob;
enum ndr_err_code ndr_err;
if (src == NULL) {
return NULL;
}
frame = talloc_stackframe();
ndr_err = ndr_push_struct_blob(
&blob,
frame,
src,
(ndr_push_flags_fn_t)ndr_push_security_token);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
DBG_ERR("Failed to duplicate security_token ndr_push_security_token failed: %s\n",
ndr_errstr(ndr_err));
TALLOC_FREE(frame);
return NULL;
}
dst = talloc_zero(mem_ctx, struct security_token);
if (dst == NULL) {
DBG_ERR("talloc failed\n");
TALLOC_FREE(frame);
return NULL;
}
ndr_err = ndr_pull_struct_blob(
&blob,
dst,
dst,
(ndr_pull_flags_fn_t)ndr_pull_security_token);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
DBG_ERR("Failed to duplicate security_token ndr_pull_security_token "
"failed: %s\n",
ndr_errstr(ndr_err));
TALLOC_FREE(dst);
TALLOC_FREE(frame);
return NULL;
}
TALLOC_FREE(frame);
return dst;
}
r4419: move security_token stuff to the libcli/security/ and debug privileges metze (This used to be commit c981808ed4cfa63c7ba7c4f9190b6b14f74bab40)
2004-12-30 20:34:20 +00:00
/****************************************************************************
prints a struct security_token to debug output.
****************************************************************************/
libcli/security Add debug class to security_token_debug() et al This will allow it to replace functions in source3 that use debug classes. Andrew Bartlett
2010-09-17 15:23:19 +10:00
void security_token_debug(int dbg_class, int dbg_lev, const struct security_token *token)
r4419: move security_token stuff to the libcli/security/ and debug privileges metze (This used to be commit c981808ed4cfa63c7ba7c4f9190b6b14f74bab40)
2004-12-30 20:34:20 +00:00
{
libcli: Make security_token_debug() use just one DEBUG statement This avoids messing up the debug logs when multiple processes are writing into the same file. Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2023-08-30 12:46:18 +02:00
TALLOC_CTX *frame = talloc_stackframe();
char *sids = NULL;
libcli: Convert security_token_debug_privileges() to talloc_asprintf Reduces the number of DEBUGADD calls which leads to messed debug logs between processes. Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2023-08-30 12:39:00 +02:00
char *privs = NULL;
s4:libcli/security/*.c - fix some wrong typed counters According to "librpc/gen_ndr/security.h" they need to be "uint32_t".
2010-09-09 20:31:38 +02:00
uint32_t i;
r4419: move security_token stuff to the libcli/security/ and debug privileges metze (This used to be commit c981808ed4cfa63c7ba7c4f9190b6b14f74bab40)
2004-12-30 20:34:20 +00:00
if (!token) {
libcli/security Add debug class to security_token_debug() et al This will allow it to replace functions in source3 that use debug classes. Andrew Bartlett
2010-09-17 15:23:19 +10:00
DEBUGC(dbg_class, dbg_lev, ("Security token: (NULL)\n"));
libcli: Make security_token_debug() use just one DEBUG statement This avoids messing up the debug logs when multiple processes are writing into the same file. Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2023-08-30 12:46:18 +02:00
TALLOC_FREE(frame);
r4419: move security_token stuff to the libcli/security/ and debug privileges metze (This used to be commit c981808ed4cfa63c7ba7c4f9190b6b14f74bab40)
2004-12-30 20:34:20 +00:00
return;
}
libcli: Make security_token_debug() use just one DEBUG statement This avoids messing up the debug logs when multiple processes are writing into the same file. Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2023-08-30 12:46:18 +02:00
sids = talloc_asprintf(frame,
"Security token SIDs (%" PRIu32 "):\n",
token->num_sids);
r4419: move security_token stuff to the libcli/security/ and debug privileges metze (This used to be commit c981808ed4cfa63c7ba7c4f9190b6b14f74bab40)
2004-12-30 20:34:20 +00:00
for (i = 0; i < token->num_sids; i++) {
libcli: Use dom_sid_str_buf Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2018-11-24 13:16:56 +01:00
struct dom_sid_buf sidbuf;
libcli: Make security_token_debug() use just one DEBUG statement This avoids messing up the debug logs when multiple processes are writing into the same file. Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2023-08-30 12:46:18 +02:00
talloc_asprintf_addbuf(
&sids,
" SID[%3" PRIu32 "]: %s\n",
i,
dom_sid_str_buf(&token->sids[i], &sidbuf));
r4419: move security_token stuff to the libcli/security/ and debug privileges metze (This used to be commit c981808ed4cfa63c7ba7c4f9190b6b14f74bab40)
2004-12-30 20:34:20 +00:00
}
libcli: Make security_token_debug() use just one DEBUG statement This avoids messing up the debug logs when multiple processes are writing into the same file. Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2023-08-30 12:46:18 +02:00
privs = security_token_debug_privileges(frame, token);
DEBUGC(dbg_class,
dbg_lev,
("%s%s", sids ? sids : "(NULL)", privs ? privs : "(NULL)"));
TALLOC_FREE(frame);
r4419: move security_token stuff to the libcli/security/ and debug privileges metze (This used to be commit c981808ed4cfa63c7ba7c4f9190b6b14f74bab40)
2004-12-30 20:34:20 +00:00
}
r10810: This adds the hooks required to communicate the current user from the authenticated session down into LDB. This associates a session info structure with the open LDB, allowing a future ldb_ntacl module to allow/deny operations on that basis. Along the way, I cleaned up a few things, and added new helper functions to assist. In particular the LSA pipe uses simpler queries for some of the setup. In ldap_server, I have removed the 'ldasrv:hacked' module, which hasn't been worked on (other than making it continue to compile) since January, and I think the features of this module are being put into ldb anyway. I have also changed the partitions in ldap_server to be initialised after the connection, with the private pointer used to associate the ldb with the incoming session. Andrew Bartlett (This used to be commit fd7203789a2c0929eecea8125b57b833a67fed71)
2005-10-07 11:31:45 +00:00
/* These really should be cheaper... */
r25554: Convert last instances of BOOL, True and False to the standard types. (This used to be commit 566aa14139510788548a874e9213d91317f83ca9)
2007-10-06 22:28:14 +00:00
bool security_token_is_sid(const struct security_token *token, const struct dom_sid *sid)
r10810: This adds the hooks required to communicate the current user from the authenticated session down into LDB. This associates a session info structure with the open LDB, allowing a future ldb_ntacl module to allow/deny operations on that basis. Along the way, I cleaned up a few things, and added new helper functions to assist. In particular the LSA pipe uses simpler queries for some of the setup. In ldap_server, I have removed the 'ldasrv:hacked' module, which hasn't been worked on (other than making it continue to compile) since January, and I think the features of this module are being put into ldb anyway. I have also changed the partitions in ldap_server to be initialised after the connection, with the private pointer used to associate the ldb with the incoming session. Andrew Bartlett (This used to be commit fd7203789a2c0929eecea8125b57b833a67fed71)
2005-10-07 11:31:45 +00:00
{
libcli: Simplify security_token_is_sid() Avoid an explicit if-statement. Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2023-04-18 11:30:26 +02:00
bool ret;
libcli: simplify an if condition Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2020-01-21 11:56:18 +01:00
if (token->sids == NULL) {
return false;
}
libcli: Simplify security_token_is_sid() Avoid an explicit if-statement. Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2023-04-18 11:30:26 +02:00
ret = dom_sid_equal(&token->sids[PRIMARY_USER_SID_INDEX], sid);
return ret;
r10810: This adds the hooks required to communicate the current user from the authenticated session down into LDB. This associates a session info structure with the open LDB, allowing a future ldb_ntacl module to allow/deny operations on that basis. Along the way, I cleaned up a few things, and added new helper functions to assist. In particular the LSA pipe uses simpler queries for some of the setup. In ldap_server, I have removed the 'ldasrv:hacked' module, which hasn't been worked on (other than making it continue to compile) since January, and I think the features of this module are being put into ldb anyway. I have also changed the partitions in ldap_server to be initialised after the connection, with the private pointer used to associate the ldb with the incoming session. Andrew Bartlett (This used to be commit fd7203789a2c0929eecea8125b57b833a67fed71)
2005-10-07 11:31:45 +00:00
}
libcli/security Move most of security_token.c to common code. The source4-specific session_info functions have been left in session.c Andrew Bartlett
2010-09-17 12:59:24 +10:00
bool security_token_is_system(const struct security_token *token)
r12747: Add a couple more token tests, used by the kludge ACL module. Andrew Bartlett (This used to be commit 10eadf48124d61f2eb586fb277a66aa4b9e6cad3)
2006-01-06 21:20:09 +00:00
{
libcli/security Use static SIDs rather than parsing from strings This should make the security_token_is_*() calls a little faster. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-21 07:14:38 +10:00
return security_token_is_sid(token, &global_sid_System);
r12747: Add a couple more token tests, used by the kludge ACL module. Andrew Bartlett (This used to be commit 10eadf48124d61f2eb586fb277a66aa4b9e6cad3)
2006-01-06 21:20:09 +00:00
}
libcli/security Move most of security_token.c to common code. The source4-specific session_info functions have been left in session.c Andrew Bartlett
2010-09-17 12:59:24 +10:00
bool security_token_is_anonymous(const struct security_token *token)
r14840: - rename some functions - stack specific functions on top of generic ones metze (This used to be commit e391f3c98aae600c5f64d5975dd55567a09c3100)
2006-03-31 11:05:33 +00:00
{
libcli/security Use static SIDs rather than parsing from strings This should make the security_token_is_*() calls a little faster. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-21 07:14:38 +10:00
return security_token_is_sid(token, &global_sid_Anonymous);
r14840: - rename some functions - stack specific functions on top of generic ones metze (This used to be commit e391f3c98aae600c5f64d5975dd55567a09c3100)
2006-03-31 11:05:33 +00:00
}
r25554: Convert last instances of BOOL, True and False to the standard types. (This used to be commit 566aa14139510788548a874e9213d91317f83ca9)
2007-10-06 22:28:14 +00:00
bool security_token_has_sid(const struct security_token *token, const struct dom_sid *sid)
r12747: Add a couple more token tests, used by the kludge ACL module. Andrew Bartlett (This used to be commit 10eadf48124d61f2eb586fb277a66aa4b9e6cad3)
2006-01-06 21:20:09 +00:00
{
s4:libcli/security/*.c - fix some wrong typed counters According to "librpc/gen_ndr/security.h" they need to be "uint32_t".
2010-09-09 20:31:38 +02:00
uint32_t i;
r12747: Add a couple more token tests, used by the kludge ACL module. Andrew Bartlett (This used to be commit 10eadf48124d61f2eb586fb277a66aa4b9e6cad3)
2006-01-06 21:20:09 +00:00
for (i = 0; i < token->num_sids; i++) {
s4:security Change struct security_token->sids from struct dom_sid * to struct dom_sid This makes the structure much more like NT_USER_TOKEN in the source3/ code. (The remaining changes are that privilages still need to be merged) Andrew Bartlett
2010-08-20 12:15:15 +10:00
if (dom_sid_equal(&token->sids[i], sid)) {
r25554: Convert last instances of BOOL, True and False to the standard types. (This used to be commit 566aa14139510788548a874e9213d91317f83ca9)
2007-10-06 22:28:14 +00:00
return true;
r12747: Add a couple more token tests, used by the kludge ACL module. Andrew Bartlett (This used to be commit 10eadf48124d61f2eb586fb277a66aa4b9e6cad3)
2006-01-06 21:20:09 +00:00
}
}
r25554: Convert last instances of BOOL, True and False to the standard types. (This used to be commit 566aa14139510788548a874e9213d91317f83ca9)
2007-10-06 22:28:14 +00:00
return false;
r12747: Add a couple more token tests, used by the kludge ACL module. Andrew Bartlett (This used to be commit 10eadf48124d61f2eb586fb277a66aa4b9e6cad3)
2006-01-06 21:20:09 +00:00
}
libcli: Add security_token_count_flag_sids() To be used in a few places when checking special-case Samba SIDs. Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361 Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-04-18 11:31:16 +02:00
size_t security_token_count_flag_sids(const struct security_token *token,
const struct dom_sid *prefix_sid,
size_t num_flags,
const struct dom_sid **_flag_sid)
{
const size_t num_auths_expected = prefix_sid->num_auths + num_flags;
const struct dom_sid *found = NULL;
size_t num = 0;
uint32_t i;
SMB_ASSERT(num_auths_expected <= ARRAY_SIZE(prefix_sid->sub_auths));
for (i = 0; i < token->num_sids; i++) {
const struct dom_sid *sid = &token->sids[i];
int cmp;
libcli/security: Remove unnecessary cast Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-01 15:48:21 +12:00
if (sid->num_auths != num_auths_expected) {
libcli: Add security_token_count_flag_sids() To be used in a few places when checking special-case Samba SIDs. Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361 Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-04-18 11:31:16 +02:00
continue;
}
cmp = dom_sid_compare_domain(sid, prefix_sid);
if (cmp != 0) {
continue;
}
num += 1;
found = sid;
}
if ((num == 1) && (_flag_sid != NULL)) {
*_flag_sid = found;
}
return num;
}
libcli/security: implement SECURITY_GUEST SECURITY_GUEST is not exactly the same as SECURITY_ANONYMOUS. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-20 16:29:42 +02:00
bool security_token_has_builtin_guests(const struct security_token *token)
{
return security_token_has_sid(token, &global_sid_Builtin_Guests);
}
r25554: Convert last instances of BOOL, True and False to the standard types. (This used to be commit 566aa14139510788548a874e9213d91317f83ca9)
2007-10-06 22:28:14 +00:00
bool security_token_has_builtin_administrators(const struct security_token *token)
r14840: - rename some functions - stack specific functions on top of generic ones metze (This used to be commit e391f3c98aae600c5f64d5975dd55567a09c3100)
2006-03-31 11:05:33 +00:00
{
libcli/security Use static SIDs rather than parsing from strings This should make the security_token_is_*() calls a little faster. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-21 07:14:38 +10:00
return security_token_has_sid(token, &global_sid_Builtin_Administrators);
r14840: - rename some functions - stack specific functions on top of generic ones metze (This used to be commit e391f3c98aae600c5f64d5975dd55567a09c3100)
2006-03-31 11:05:33 +00:00
}
r25554: Convert last instances of BOOL, True and False to the standard types. (This used to be commit 566aa14139510788548a874e9213d91317f83ca9)
2007-10-06 22:28:14 +00:00
bool security_token_has_nt_authenticated_users(const struct security_token *token)
r14840: - rename some functions - stack specific functions on top of generic ones metze (This used to be commit e391f3c98aae600c5f64d5975dd55567a09c3100)
2006-03-31 11:05:33 +00:00
{
libcli/security Use static SIDs rather than parsing from strings This should make the security_token_is_*() calls a little faster. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-21 07:14:38 +10:00
return security_token_has_sid(token, &global_sid_Authenticated_Users);
r14840: - rename some functions - stack specific functions on top of generic ones metze (This used to be commit e391f3c98aae600c5f64d5975dd55567a09c3100)
2006-03-31 11:05:33 +00:00
}
More kludge ACLs! Rather than killing off the nasty 'kludge ACLs' stuff, this patch extends it, to ensure that LSA secrets and the registry are also protected. Andrew Bartlett (This used to be commit 2f2b110fb870132099bad1d4c16ed8962affb3ce)
2008-03-20 12:12:10 +11:00
s4-security: added a new security level SECURITY_DOMAIN_CONTROLLER This will be used as a simple way to lock down DRS replication to administrators and domain controllers
2009-09-15 19:25:45 -07:00
bool security_token_has_enterprise_dcs(const struct security_token *token)
{
libcli/security Use static SIDs rather than parsing from strings This should make the security_token_is_*() calls a little faster. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-21 07:14:38 +10:00
return security_token_has_sid(token, &global_sid_Enterprise_DCs);
s4-security: added a new security level SECURITY_DOMAIN_CONTROLLER This will be used as a simple way to lock down DRS replication to administrators and domain controllers
2009-09-15 19:25:45 -07:00
}
Copy Permalink