/*
Unix SMB / CIFS implementation .
Privileges handling functions
Copyright ( C ) Jean François Micouleau 1998 - 2001
Copyright ( C ) Simo Sorce 2002 - 2003
Copyright ( C ) Gerald ( Jerry ) Carter 2005
Copyright ( C ) Michael Adam 2007
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation ; either version 3 of the License , or
( at your option ) any later version .
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
You should have received a copy of the GNU General Public License
along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/
# include "includes.h"
# include "lib/privileges.h"
# include "dbwrap/dbwrap.h"
# include "libcli/security/privileges_private.h"
# include "../libcli/security/security.h"
# include "passdb.h"
# include "lib/util/string_wrappers.h"
/* Every privilege record in the account policy db is keyed "PRIV_<SID string>"
 * (see get_privileges / set_privileges / priv_traverse_fn below). */
#define PRIVPREFIX "PRIV_"
/* A growable array of SIDs; filled through add_sid_to_array() in
 * priv_traverse_fn(). */
typedef struct {
	uint32_t count;
	struct dom_sid *list;
} SID_LIST;

/*
 * Traversal state for priv_traverse_fn().
 *
 * mem_ctx   - talloc context the collected SIDs are allocated on.
 *             privilege_enumerate_accounts() leaves it NULL and hands the
 *             result to its caller to free.
 * privilege - privilege mask to filter on; 0 means "every SID that has
 *             a privilege record".
 * sids      - the SIDs collected so far.
 */
typedef struct {
	TALLOC_CTX *mem_ctx;
	uint64_t privilege;
	SID_LIST sids;
} PRIV_SID_LIST;
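/*
 * Interpret an old style SE_PRIV structure and return it as a 64 bit
 * privilege mask.
 *
 * Only the first 32 bit word of the legacy record is meaningful.  It was
 * written in the byte order of the machine that created it, so the record
 * itself does not say how to decode it.  The old code never used a mask
 * above 0x800, so at most the two low-order bytes are non-zero: if those
 * land in bytes 0-1 the writer was little endian, if in bytes 2-3 it was
 * big endian.  The special "all privileges" value 0xFFFFFFFF looks the
 * same in either order.
 *
 * @param dptr  Pointer to at least 4 bytes of record data.  Nothing
 *              guarantees this buffer is 4-byte aligned.
 * @return      The decoded mask (SE_ALL_PRIVS for the all-ones record).
 */
static uint64_t map_old_SE_PRIV(const unsigned char *dptr)
{
	/*
	 * Look at the four bytes directly instead of through a uint32_t
	 * pointer: the record buffer is a plain byte array, and reading it
	 * through a casted uint32_t* is a strict-aliasing violation and a
	 * misaligned access on strict-alignment targets.  All-ones is byte
	 * order independent, so no decoding is needed for this case.
	 */
	if (dptr[0] == 0xFF && dptr[1] == 0xFF &&
	    dptr[2] == 0xFF && dptr[3] == 0xFF) {
		/* they set all privileges */
		return SE_ALL_PRIVS;
	}

	if (dptr[0] != 0 || dptr[1] != 0) {
		/* low-order bytes first: it was little endian */
		return IVAL(dptr, 0);
	}

	/* it was either zero or big endian */
	return RIVAL(dptr, 0);
}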
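/***************************************************************************
 Fetch the privilege mask stored for a SID.

 Two on-disk formats are accepted: the current 8 byte little-endian mask
 written by set_privileges(), and the legacy 16 byte SE_PRIV record, which
 is decoded by map_old_SE_PRIV().

 @param sid   SID to look up.
 @param mask  Receives the mask on success; left untouched on failure.
 @return      false when privileges are disabled in smb.conf, the account
              policy db is unavailable, no record exists for the SID, or
              the record has an unrecognised size.  true otherwise.
***************************************************************************/
static bool get_privileges(const struct dom_sid *sid, uint64_t *mask)
{
	struct db_context *db = get_account_pol_db();
	struct dom_sid_buf tmp;
	fstring keystr;
	TDB_DATA data;
	NTSTATUS status;
	bool ok = false;

	/* Fail if the admin has not enabled privileges */
	if (!lp_enable_privileges()) {
		return false;
	}

	if (db == NULL) {
		return false;
	}

	/* PRIV_<SID> (NULL terminated) as the key */
	fstr_sprintf(keystr, "%s%s", PRIVPREFIX, dom_sid_str_buf(sid, &tmp));

	status = dbwrap_fetch_bystring(db, talloc_tos(), keystr, &data);
	if (!NT_STATUS_IS_OK(status)) {
		DEBUG(4, ("get_privileges: No privileges assigned to SID "
			  "[%s]\n", tmp.buf));
		return false;
	}

	if (data.dsize == 4 * 4) {
		/* it's an old style SE_PRIV structure. */
		*mask = map_old_SE_PRIV(data.dptr);
		ok = true;
	} else if (data.dsize == sizeof(uint64_t)) {
		/* current format: 64 bit mask stored little endian */
		*mask = BVAL(data.dptr, 0);
		ok = true;
	} else {
		/* anything else is treated as "no privileges" rather than
		 * guessed at; the record is left in place for an admin to
		 * inspect */
		DEBUG(3, ("get_privileges: Invalid privileges record assigned to SID "
			  "[%s]\n", tmp.buf));
	}

	/* the fetched value lives on talloc_tos(); release it on every
	 * path, not only the successful ones */
	TALLOC_FREE(data.dptr);

	return ok;
}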
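/***************************************************************************
 Store the privilege mask (set) for a given SID.

 The mask is written as an 8 byte little-endian value under the key
 PRIV_<SID>, replacing whatever record (including a legacy 16 byte one)
 was there before.

 @param sid   SID to store for; an empty SID (no sub-authorities) is refused.
 @param mask  The complete new mask; callers compute it via get_privileges().
 @return      false when privileges are disabled, the db is unavailable,
              the SID is empty, or the store itself fails.
***************************************************************************/
static bool set_privileges(const struct dom_sid *sid, uint64_t mask)
{
	struct db_context *db = get_account_pol_db();
	uint8_t privbuf[8];
	struct dom_sid_buf tmp;
	fstring keystr;
	TDB_DATA data = { .dptr = privbuf, .dsize = sizeof(privbuf), };
	NTSTATUS status;

	if (!lp_enable_privileges()) {
		return false;
	}

	if (db == NULL) {
		return false;
	}

	/* never create a record keyed on an empty SID */
	if (sid == NULL || sid->num_auths == 0) {
		DEBUG(0, ("set_privileges: Refusing to store empty SID!\n"));
		return false;
	}

	/* PRIV_<SID> (NULL terminated) as the key */
	fstr_sprintf(keystr, "%s%s", PRIVPREFIX, dom_sid_str_buf(sid, &tmp));

	/* This writes the 64 bit bitmask out in little endian format */
	SBVAL(privbuf, 0, mask);

	status = dbwrap_store_bystring(db, keystr, data, TDB_REPLACE);
	if (!NT_STATUS_IS_OK(status)) {
		/* a silent failure here leaves a grant or revocation
		 * unapplied, so make it visible in the logs */
		DBG_WARNING("Failed to store privileges for SID [%s]: %s\n",
			    tmp.buf, nt_errstr(status));
		return false;
	}

	return true;
}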
/*********************************************************************
 Union the privilege masks of every SID in the list into *privileges.

 This is what turns a token's SID list into its effective privileges, so a
 privilege granted to any group SID in the list is granted to the token.
 SIDs without a (readable) record contribute nothing.

 @param privileges  Receives the combined mask; 0 when nothing was found.
 @param slist       Array of SIDs.
 @param scount      Number of entries; a negative count is an empty list.
 @return            true when at least one SID had a privilege record.
*********************************************************************/
bool get_privileges_for_sids(uint64_t *privileges, struct dom_sid *slist, int scount)
{
	bool any_found = false;
	int idx;

	*privileges = 0;

	for (idx = 0; idx < scount; idx++) {
		const struct dom_sid *cur = &slist[idx];
		struct dom_sid_buf sidbuf;
		uint64_t cur_mask = 0;

		/* only SIDs with an actual record add to the union */
		if (!get_privileges(cur, &cur_mask)) {
			continue;
		}

		DBG_INFO("sid = %s\nPrivilege set: 0x%" PRIx64 "\n",
			 dom_sid_str_buf(cur, &sidbuf),
			 cur_mask);

		*privileges |= cur_mask;
		any_found = true;
	}

	return any_found;
}
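/*********************************************************************
 Return the privileges of a SID as a freshly allocated PRIVILEGE_SET.

 @param mem_ctx     talloc context the set is allocated on.
 @param privileges  Receives the new set; only written on success, so on
                    failure the caller is never handed a partially built
                    set.
 @param sid         SID to look up.
 @return            NT_STATUS_OBJECT_NAME_NOT_FOUND when the SID has no
                    readable privilege record (this includes privileges
                    being disabled), NT_STATUS_NO_MEMORY when allocation
                    or the mask-to-set conversion fails, NT_STATUS_OK
                    otherwise.
*********************************************************************/
NTSTATUS get_privileges_for_sid_as_set(TALLOC_CTX *mem_ctx, PRIVILEGE_SET **privileges, struct dom_sid *sid)
{
	uint64_t mask = 0;
	PRIVILEGE_SET *set = NULL;

	if (!get_privileges(sid, &mask)) {
		return NT_STATUS_OBJECT_NAME_NOT_FOUND;
	}

	set = talloc_zero(mem_ctx, PRIVILEGE_SET);
	if (set == NULL) {
		return NT_STATUS_NO_MEMORY;
	}

	if (!se_priv_to_privilege_set(set, mask)) {
		/* release the half-built set (and whatever the conversion
		 * may have allocated underneath it) instead of leaving it
		 * on mem_ctx and in the caller's out parameter */
		TALLOC_FREE(set);
		return NT_STATUS_NO_MEMORY;
	}

	*privileges = set;
	return NT_STATUS_OK;
}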
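/*********************************************************************
 Traversal callback for privilege_enumerate_accounts / privilege_enum_sids.

 state points to a PRIV_SID_LIST.  Every PRIV_<SID> record whose mask
 shares at least one bit with state->privilege (or every PRIV_ record at
 all, when state->privilege is 0) has its SID appended to state->sids,
 allocated on state->mem_ctx.

 Always returns 0 so the traversal continues.  Records that cannot be
 parsed are skipped.  An allocation failure in add_sid_to_array() is not
 propagated: that SID is dropped and the caller still sees NT_STATUS_OK
 with a shorter list.
*********************************************************************/
static int priv_traverse_fn(struct db_record *rec, void *state)
{
	PRIV_SID_LIST *priv = (PRIV_SID_LIST *)state;
	const size_t prefixlen = strlen(PRIVPREFIX);
	struct dom_sid sid;
	fstring sid_string;
	TDB_DATA key = dbwrap_record_get_key(rec);

	/*
	 * The account policy db holds other kinds of record as well.  Only
	 * treat the key as a C string once it is known to be long enough to
	 * carry the prefix and to end in a NUL (the keys written by this
	 * file are, via dbwrap_store_bystring).  Anything else is skipped
	 * rather than read past with strncmp/fstrcpy.
	 */
	if (key.dptr == NULL || key.dsize <= prefixlen ||
	    key.dptr[key.dsize - 1] != '\0') {
		return 0;
	}

	/* check we have a PRIV_+SID entry */
	if (strncmp((const char *)key.dptr, PRIVPREFIX, prefixlen) != 0) {
		return 0;
	}

	fstrcpy(sid_string, (const char *)key.dptr + prefixlen);

	/* check to see if we are looking for a particular privilege */
	if (priv->privilege != 0) {
		TDB_DATA value = dbwrap_record_get_value(rec);
		uint64_t mask;

		if (value.dsize == 4 * 4) {
			/* legacy SE_PRIV record */
			mask = map_old_SE_PRIV(value.dptr);
		} else if (value.dsize == sizeof(uint64_t)) {
			mask = BVAL(value.dptr, 0);
		} else {
			DBG_NOTICE("Invalid privileges record assigned to SID "
				   "[%s]\n", sid_string);
			return 0;
		}

		/* if the SID does not have the specified privilege
		   then just return */
		if ((mask & priv->privilege) == 0) {
			return 0;
		}
	}

	/* this is a last ditch safety check to prevent returning
	   an invalid SID (i've somehow run into this on development branches) */
	if (strcmp("S-0-0", sid_string) == 0) {
		return 0;
	}

	if (!string_to_sid(&sid, sid_string)) {
		DBG_WARNING("Could not convert SID [%s]\n", sid_string);
		return 0;
	}

	/* NOTE(review): failure is deliberately not propagated here; see
	 * the header comment.  Returning non-zero would stop the traversal
	 * but the callers would still report success. */
	if (!NT_STATUS_IS_OK(add_sid_to_array(priv->mem_ctx, &sid,
					      &priv->sids.list,
					      &priv->sids.count))) {
		return 0;
	}

	return 0;
}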
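/*********************************************************************
 Retrieve the list of all privileged SIDs (for _lsa_enumerate_accounts()).

 The traversal state's mem_ctx is left NULL, so the returned array is a
 top-level talloc allocation: the caller owns it and must free it.

 @param sids      Receives the array (only written on success).
 @param num_sids  Receives the number of entries.
 @return          NT_STATUS_ACCESS_DENIED when the account policy db is
                  unavailable, the traversal's status when it fails,
                  NT_STATUS_OK otherwise.
*********************************************************************/
NTSTATUS privilege_enumerate_accounts(struct dom_sid **sids, int *num_sids)
{
	struct db_context *db = get_account_pol_db();
	PRIV_SID_LIST collected = { .mem_ctx = NULL, .privilege = 0 };
	NTSTATUS status;

	if (db == NULL) {
		return NT_STATUS_ACCESS_DENIED;
	}

	status = dbwrap_traverse_read(db, priv_traverse_fn, &collected, NULL);
	if (!NT_STATUS_IS_OK(status)) {
		/* the SIDs gathered before the failure sit on a NULL talloc
		 * context and nobody else holds a pointer to them */
		TALLOC_FREE(collected.sids.list);
		return status;
	}

	/* give the memory away; caller will free */
	*sids = collected.sids.list;
	*num_sids = collected.sids.count;

	return NT_STATUS_OK;
}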
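/*********************************************************************
 Retrieve the list of SIDs granted a particular privilege.

 @param privilege  The privilege to look for; converted to a mask via
                   sec_privilege_mask() and matched by priv_traverse_fn().
 @param mem_ctx    talloc context the returned array is allocated on.
 @param sids       Receives the array (only written on success).
 @param num_sids   Receives the number of entries.
 @return           NT_STATUS_ACCESS_DENIED when the account policy db is
                   unavailable, the traversal's status when it fails,
                   NT_STATUS_OK otherwise.
*********************************************************************/
NTSTATUS privilege_enum_sids(enum sec_privilege privilege, TALLOC_CTX *mem_ctx,
			     struct dom_sid **sids, int *num_sids)
{
	struct db_context *db = get_account_pol_db();
	PRIV_SID_LIST collected = {
		.mem_ctx = mem_ctx,
		.privilege = sec_privilege_mask(privilege),
	};
	NTSTATUS status;

	if (db == NULL) {
		return NT_STATUS_ACCESS_DENIED;
	}

	status = dbwrap_traverse_read(db, priv_traverse_fn, &collected, NULL);
	if (!NT_STATUS_IS_OK(status)) {
		/* don't leave a partial result lingering on the caller's
		 * context when we report failure */
		TALLOC_FREE(collected.sids.list);
		return status;
	}

	/* give the memory away; caller will free */
	*sids = collected.sids.list;
	*num_sids = collected.sids.count;

	return NT_STATUS_OK;
}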
/***************************************************************************
 Add the privileges in priv_mask to those already recorded for a SID.

 The existing record is read first so that grants accumulate; a SID with
 no readable record (or with privileges disabled, in which case
 set_privileges() will refuse anyway) starts from an empty mask.  A mask of
 0 therefore simply (re)creates the record, which is how
 privilege_create_account() uses this.

 @return  Whatever set_privileges() returns for the merged mask.
***************************************************************************/
static bool grant_privilege_bitmap(const struct dom_sid *sid, const uint64_t priv_mask)
{
	uint64_t current = 0;
	uint64_t updated;
	struct dom_sid_buf sidbuf;

	if (!get_privileges(sid, &current)) {
		current = 0;
	}

	updated = current | priv_mask;

	DBG_DEBUG("%s\n"
		  "original privilege mask: 0x%" PRIx64 "\n"
		  "new privilege mask: 0x%" PRIx64 "\n",
		  dom_sid_str_buf(sid, &sidbuf),
		  current,
		  updated);

	return set_privileges(sid, updated);
}
/*********************************************************************
 Grant a single privilege, identified by its name, to a SID.

 @param sid   SID to grant to.
 @param name  Privilege name as understood by se_priv_from_name().
 @return      false when the name is unknown, otherwise the result of
              storing the updated mask.
*********************************************************************/
bool grant_privilege_by_name(const struct dom_sid *sid, const char *name)
{
	uint64_t named_mask;
	bool known = se_priv_from_name(name, &named_mask);

	if (!known) {
		DEBUG(3, ("grant_privilege_by_name: "
			  "No Such Privilege Found (%s)\n", name));
		return false;
	}

	return grant_privilege_bitmap(sid, named_mask);
}
/***************************************************************************
 Grant a privilege set (list of LUID values) to a SID.

 @param sid  SID to grant to.
 @param set  LSA privilege set; converted to a mask by
             privilege_set_to_se_priv().
 @return     false when the set cannot be converted, otherwise the result
             of storing the updated mask.
***************************************************************************/
bool grant_privilege_set(const struct dom_sid *sid, struct lsa_PrivilegeSet *set)
{
	uint64_t set_mask;

	if (privilege_set_to_se_priv(&set_mask, set)) {
		return grant_privilege_bitmap(sid, set_mask);
	}

	return false;
}
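/***************************************************************************
 Remove the privileges in priv_mask from those recorded for a SID.

 If the SID has no readable record there is nothing to revoke and true is
 returned.  Note this also covers privileges being disabled in smb.conf and
 a record of unrecognised size: in both cases get_privileges() will not
 grant anything from that record either, so from the enforcement side the
 privilege is already absent.

 @return  true when there was nothing to revoke, otherwise whatever
          set_privileges() returns for the reduced mask.
***************************************************************************/
static bool revoke_privilege_bitmap(const struct dom_sid *sid, const uint64_t priv_mask)
{
	uint64_t old_mask = 0;
	uint64_t new_mask;
	struct dom_sid_buf buf;

	/* if the user has no privileges, then we can't revoke any */
	if (!get_privileges(sid, &old_mask)) {
		return true;
	}

	new_mask = old_mask & ~priv_mask;

	/* same shape as the log line in grant_privilege_bitmap() */
	DBG_DEBUG("%s\n"
		  "original privilege mask: 0x%" PRIx64 "\n"
		  "new privilege mask: 0x%" PRIx64 "\n",
		  dom_sid_str_buf(sid, &buf),
		  old_mask,
		  new_mask);

	return set_privileges(sid, new_mask);
}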
/***************************************************************************
 Remove a privilege set (list of LUID values) from a SID.

 @param sid  SID to revoke from.
 @param set  LSA privilege set; converted to a mask by
             privilege_set_to_se_priv().
 @return     false when the set cannot be converted, otherwise the result
             of revoke_privilege_bitmap().
***************************************************************************/
bool revoke_privilege_set(const struct dom_sid *sid, struct lsa_PrivilegeSet *set)
{
	uint64_t set_mask;

	if (privilege_set_to_se_priv(&set_mask, set)) {
		return revoke_privilege_bitmap(sid, set_mask);
	}

	return false;
}
/*********************************************************************
 Revoke every privilege a SID holds.

 The record is not deleted, only reduced to an empty mask (use
 privilege_delete_account() to drop it entirely).
*********************************************************************/
bool revoke_all_privileges(const struct dom_sid *sid)
{
	const uint64_t everything = SE_ALL_PRIVS;

	return revoke_privilege_bitmap(sid, everything);
}
/*********************************************************************
 Revoke a single privilege, identified by its name, from a SID.

 @param sid   SID to revoke from.
 @param name  Privilege name as understood by se_priv_from_name().
 @return      false when the name is unknown, otherwise the result of
              revoke_privilege_bitmap().
*********************************************************************/
bool revoke_privilege_by_name(const struct dom_sid *sid, const char *name)
{
	uint64_t named_mask;
	bool known = se_priv_from_name(name, &named_mask);

	if (!known) {
		DEBUG(3, ("revoke_privilege_by_name: "
			  "No Such Privilege Found (%s)\n", name));
		return false;
	}

	return revoke_privilege_bitmap(sid, named_mask);
}
/***************************************************************************
 Create a privilege record for a SID.

 Implemented as a grant of the empty mask: an existing record is preserved
 unchanged, a missing one is created with no privileges.

 @return  NT_STATUS_OK on success, NT_STATUS_UNSUCCESSFUL when the record
          could not be stored (including privileges being disabled).
***************************************************************************/
NTSTATUS privilege_create_account(const struct dom_sid *sid)
{
	bool stored = grant_privilege_bitmap(sid, 0);

	if (!stored) {
		return NT_STATUS_UNSUCCESSFUL;
	}

	return NT_STATUS_OK;
}
/***************************************************************************
 Delete a privileged account, i.e. remove the PRIV_<SID> record.

 @return  NT_STATUS_OK without touching the db when privileges are disabled
          (set_privileges() never stores anything in that mode, so there
          is nothing to remove), NT_STATUS_INVALID_HANDLE when the db is
          unavailable, NT_STATUS_INVALID_SID for a NULL or empty SID, and
          otherwise whatever status dbwrap_delete_bystring() reports.
***************************************************************************/
NTSTATUS privilege_delete_account(const struct dom_sid *sid)
{
	struct db_context *db = get_account_pol_db();
	struct dom_sid_buf sidbuf;
	fstring key;

	if (!lp_enable_privileges()) {
		return NT_STATUS_OK;
	}

	if (db == NULL) {
		return NT_STATUS_INVALID_HANDLE;
	}

	if (sid == NULL || sid->num_auths == 0) {
		return NT_STATUS_INVALID_SID;
	}

	/* PRIV_<SID> (NULL terminated) as the key */
	fstr_sprintf(key, "%s%s", PRIVPREFIX, dom_sid_str_buf(sid, &sidbuf));

	return dbwrap_delete_bystring(db, key);
}
/*******************************************************************
 Does this SID have a readable privilege record?

 True means a record exists (even one with an empty mask); false also
 covers privileges being disabled in smb.conf and a malformed record.
*******************************************************************/
bool is_privileged_sid(const struct dom_sid *sid)
{
	uint64_t unused_mask;
	bool has_record = get_privileges(sid, &unused_mask);

	return has_record;
}
/*******************************************************************
 Grant every privilege to a SID.

 The mask is taken from se_priv_put_all_privileges() and merged with
 whatever the SID already holds.
*******************************************************************/
bool grant_all_privileges(const struct dom_sid *sid)
{
	uint64_t everything;

	se_priv_put_all_privileges(&everything);

	return grant_privilege_bitmap(sid, everything);
}