/*
   Unix SMB/CIFS implementation.
   Samba utility functions
   Copyright (C) Andrew Tridgell 1992-1998
   Copyright (C) Luke Kenneth Caseson Leighton 1998-1999
   Copyright (C) Jeremy Allison 1999
   Copyright (C) Stefan (metze) Metzmacher 2002
   Copyright (C) Simo Sorce 2002
   Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2005

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 3 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/
# include "includes.h"
# include "../librpc/gen_ndr/ndr_security.h"
# include "../librpc/gen_ndr/netlogon.h"
# include "../libcli/security/security.h"
# include "lib/util/string_wrappers.h"
# include "source3/lib/util_specialsids.h"
/*****************************************************************
 Convert a SID to an ascii string.

 sidstr_out: caller-provided fstring that receives the text form.
 sid:        SID to render.
 Returns sidstr_out so the call can be used inline as an expression.
*****************************************************************/

char *sid_to_fstring(fstring sidstr_out, const struct dom_sid *sid)
{
	struct dom_sid_buf tmp;
	const char *text;

	/* Render into a stack buffer first, then copy into the
	 * caller's fixed-size fstring. */
	text = dom_sid_str_buf(sid, &tmp);
	fstrcpy(sidstr_out, text);

	return sidstr_out;
}
/*****************************************************************
 Write a sid out into on-the-wire format.

 outbuf: destination buffer supplied by the caller.
 len:    size of outbuf in bytes; the push never grows past it.
 sid:    SID to marshal.
 Returns true when the NDR push succeeded (the SID fitted in outbuf),
 false otherwise.
*****************************************************************/

bool sid_linearize(uint8_t *outbuf, size_t len, const struct dom_sid *sid)
{
	struct ndr_push push;
	enum ndr_err_code rc;

	/* fixed_buf_size makes the push fail rather than reallocate when
	 * the encoding would exceed the caller's buffer. */
	push = (struct ndr_push) {
		.data = outbuf,
		.alloc_size = len,
		.fixed_buf_size = true,
	};

	rc = ndr_push_dom_sid(&push, NDR_SCALARS|NDR_BUFFERS, sid);

	return NDR_ERR_CODE_IS_SUCCESS(rc);
}
/*****************************************************************
 Returns true if SID is internal (and non-mappable).

 A SID is considered non-mappable when, after dropping its RID, the
 remaining domain part is either BUILTIN or NT AUTHORITY.
 sid is only read; a private copy is modified.
*****************************************************************/

bool non_mappable_sid(struct dom_sid *sid)
{
	struct dom_sid domain;

	/* Work on a copy: sid_split_rid() with a NULL rid pointer strips
	 * the trailing RID in place, leaving the domain SID. */
	sid_copy(&domain, sid);
	sid_split_rid(&domain, NULL);

	return dom_sid_equal(&domain, &global_sid_Builtin) ||
	       dom_sid_equal(&domain, &global_sid_NT_Authority);
}
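/*****************************************************************
 Return the binary string representation of a struct dom_sid.
 Caller must free.

 mem_ctx: talloc context that owns the returned string.
 sid:     SID to encode.
 Returns the hex encoding of the SID's on-the-wire bytes, or NULL when
 the SID cannot be sized or linearized, or when hex_encode_talloc()
 fails.
*****************************************************************/

char *sid_binstring_hex_talloc(TALLOC_CTX *mem_ctx, const struct dom_sid *sid)
{
	size_t len = ndr_size_dom_sid(sid, 0);

	if (len == 0) {
		/* Nothing to encode; also avoids a zero-length VLA, which
		 * is undefined behaviour. */
		return NULL;
	}

	{
		uint8_t buf[len];

		/* Previously the result of sid_linearize() was ignored, so a
		 * failed push would hex-encode uninitialised stack bytes and
		 * hand them to the caller. Fail instead. */
		if (!sid_linearize(buf, len, sid)) {
			return NULL;
		}

		return hex_encode_talloc(mem_ctx, buf, len);
	}
}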
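/**
 * Expand a netr_SamInfo3 into the flat list of SIDs it grants.
 *
 * The array is talloc'ed on @mem_ctx and is built in this order: the
 * user's own SID (only when @include_user_group_rid is set), the primary
 * group SID, one SID per entry of base.groups (skipping an entry equal to
 * the primary group so it is not added twice), then the "other" SIDs from
 * info3->sids.  SIDs under the asserted-identity authority are dropped
 * from the last group; this is the SID filtering step that prevents a
 * remote domain from injecting privileged SIDs.
 *
 * @param mem_ctx		talloc context owning the returned array
 * @param info3			logon information to expand
 * @param user_sids		receives the array; written only on success
 * @param num_user_sids		receives the element count; written only on success
 * @param include_user_group_rid	also emit the user's own SID
 *
 * @return NT_STATUS_OK on success; NT_STATUS_INVALID_PARAMETER when a RID
 *	   cannot be composed onto base.domain_sid; otherwise the status from
 *	   add_sid_to_array().  On any failure the partially built array is
 *	   freed and the out parameters are left untouched.
 */
NTSTATUS sid_array_from_info3(TALLOC_CTX *mem_ctx,
			      const struct netr_SamInfo3 *info3,
			      struct dom_sid **user_sids,
			      uint32_t *num_user_sids,
			      bool include_user_group_rid)
{
	NTSTATUS status;
	struct dom_sid sid;
	struct dom_sid *sid_array = NULL;
	uint32_t num_sids = 0;
	uint32_t i;

	if (include_user_group_rid) {
		if (!sid_compose(&sid, info3->base.domain_sid, info3->base.rid)) {
			DEBUG(3, ("could not compose user SID from rid 0x%x\n",
				  info3->base.rid));
			status = NT_STATUS_INVALID_PARAMETER;
			goto fail;
		}
		status = add_sid_to_array(mem_ctx, &sid, &sid_array, &num_sids);
		if (!NT_STATUS_IS_OK(status)) {
			DEBUG(3, ("could not append user SID from rid 0x%x\n",
				  info3->base.rid));
			goto fail;
		}
	}

	if (!sid_compose(&sid, info3->base.domain_sid, info3->base.primary_gid)) {
		DEBUG(3, ("could not compose group SID from rid 0x%x\n",
			  info3->base.primary_gid));
		status = NT_STATUS_INVALID_PARAMETER;
		goto fail;
	}
	status = add_sid_to_array(mem_ctx, &sid, &sid_array, &num_sids);
	if (!NT_STATUS_IS_OK(status)) {
		/* Report the RID that actually failed (the primary group),
		 * not the user RID. */
		DEBUG(3, ("could not append group SID from rid 0x%x\n",
			  info3->base.primary_gid));
		goto fail;
	}

	for (i = 0; i < info3->base.groups.count; i++) {
		/* Don't add the primary group sid twice. */
		if (info3->base.groups.rids[i].rid == info3->base.primary_gid) {
			continue;
		}
		if (!sid_compose(&sid, info3->base.domain_sid,
				 info3->base.groups.rids[i].rid)) {
			DEBUG(3, ("could not compose SID from additional group "
				  "rid 0x%x\n", info3->base.groups.rids[i].rid));
			status = NT_STATUS_INVALID_PARAMETER;
			goto fail;
		}
		status = add_sid_to_array(mem_ctx, &sid, &sid_array, &num_sids);
		if (!NT_STATUS_IS_OK(status)) {
			DEBUG(3, ("could not append SID from additional group "
				  "rid 0x%x\n", info3->base.groups.rids[i].rid));
			goto fail;
		}
	}

	/* Copy 'other' sids. We need to do sid filtering here to
	   prevent possible elevation of privileges.  See:

	   http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp
	*/

	for (i = 0; i < info3->sidcount; i++) {
		/* Asserted-identity SIDs describe how the caller authenticated
		 * and must not be carried into the user's group list. */
		if (sid_check_is_in_asserted_identity(info3->sids[i].sid)) {
			continue;
		}

		status = add_sid_to_array(mem_ctx, info3->sids[i].sid,
					  &sid_array, &num_sids);
		if (!NT_STATUS_IS_OK(status)) {
			struct dom_sid_buf buf;
			DEBUG(3, ("could not add SID to array: %s\n",
				  dom_sid_str_buf(info3->sids[i].sid, &buf)));
			goto fail;
		}
	}

	*user_sids = sid_array;
	*num_user_sids = num_sids;

	return NT_STATUS_OK;

fail:
	/* Do not leave a half-built array hanging off mem_ctx; the out
	 * parameters are deliberately not written on error. */
	TALLOC_FREE(sid_array);
	return status;
}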
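/**
 * Read the Samba NPA flags carried in a security token.
 *
 * The flags are transported as the single RID appended to
 * global_sid_Samba_NPA_Flags.
 *
 * @param token		token to inspect
 * @param _flags	receives the RID; untouched when false is returned
 *
 * @return true when exactly one NPA-flags SID is present and its RID
 *	   could be read, false otherwise.
 */
bool security_token_find_npa_flags(const struct security_token *token,
				   uint32_t *_flags)
{
	const struct dom_sid *flags_sid = NULL;
	size_t count;

	count = security_token_count_flag_sids(token,
					       &global_sid_Samba_NPA_Flags,
					       1,
					       &flags_sid);

	/* Zero or several flag SIDs is ambiguous; refuse rather than pick one. */
	if (count != 1) {
		return false;
	}

	/* Propagate a failed peek instead of reporting success while
	 * leaving *_flags unset. */
	return sid_peek_rid(flags_sid, _flags);
}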
/**
 * Remove the Samba NPA flags SID from a security token.
 *
 * Exactly one SID under global_sid_Samba_NPA_Flags must be present;
 * anything else trips SMB_ASSERT, so callers are expected to have
 * established its presence beforehand.
 *
 * @param token		token to modify in place
 */
void security_token_del_npa_flags(struct security_token *token)
{
	const struct dom_sid *flags_sid = NULL;
	size_t count = security_token_count_flag_sids(token,
						      &global_sid_Samba_NPA_Flags,
						      1,
						      &flags_sid);

	SMB_ASSERT(count == 1);

	del_sid_from_array(flags_sid, &token->sids, &token->num_sids);
}