1998-11-05 19:51:34 +03:00
/*
2002-01-30 09:08:46 +03:00
Unix SMB / CIFS implementation .
1998-11-05 19:51:34 +03:00
Samba utility functions
2002-07-15 14:35:28 +04:00
Copyright ( C ) Andrew Tridgell 1992 - 1998
Copyright ( C ) Luke Kenneth Caseson Leighton 1998 - 1999
Copyright ( C ) Jeremy Allison 1999
Copyright ( C ) Stefan ( metze ) Metzmacher 2002
2002-10-18 23:46:32 +04:00
Copyright ( C ) Simo Sorce 2002
2005-10-20 19:09:41 +04:00
Copyright ( C ) Jim McDonough < jmcd @ us . ibm . com > 2005
2010-01-23 15:33:10 +03:00
1998-11-05 19:51:34 +03:00
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
2007-07-09 23:25:36 +04:00
the Free Software Foundation ; either version 3 of the License , or
1998-11-05 19:51:34 +03:00
( at your option ) any later version .
2010-01-23 15:33:10 +03:00
1998-11-05 19:51:34 +03:00
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
2010-01-23 15:33:10 +03:00
1998-11-05 19:51:34 +03:00
You should have received a copy of the GNU General Public License
2007-07-10 04:52:41 +04:00
along with this program . If not , see < http : //www.gnu.org/licenses/>.
1998-11-05 19:51:34 +03:00
*/
# include "includes.h"
2010-05-28 04:19:32 +04:00
# include "../librpc/gen_ndr/ndr_security.h"
2010-08-05 17:14:04 +04:00
# include "../librpc/gen_ndr/netlogon.h"
2010-09-18 06:55:31 +04:00
# include "../libcli/security/security.h"
1998-11-05 19:51:34 +03:00
1999-12-13 16:27:58 +03:00
1998-11-05 19:51:34 +03:00
/*****************************************************************
Convert a SID to an ascii string .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2010-05-21 05:25:01 +04:00
char * sid_to_fstring ( fstring sidstr_out , const struct dom_sid * sid )
1998-11-05 19:51:34 +03:00
{
2007-12-16 00:33:52 +03:00
char * str = sid_string_talloc ( talloc_tos ( ) , sid ) ;
fstrcpy ( sidstr_out , str ) ;
TALLOC_FREE ( str ) ;
2002-10-18 23:46:32 +04:00
return sidstr_out ;
1998-11-05 19:51:34 +03:00
}
2007-12-16 00:33:52 +03:00
/*****************************************************************
2010-06-17 23:28:54 +04:00
Essentially a renamed dom_sid_string from
. . / libcli / security / dom_sid . c with a panic if it didn ' t work .
2007-12-16 00:33:52 +03:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2010-05-21 05:25:01 +04:00
char * sid_string_talloc ( TALLOC_CTX * mem_ctx , const struct dom_sid * sid )
2007-09-09 00:30:51 +04:00
{
2007-12-16 00:33:52 +03:00
char * result = dom_sid_string ( mem_ctx , sid ) ;
2007-12-15 21:00:42 +03:00
SMB_ASSERT ( result ! = NULL ) ;
return result ;
}
2007-12-16 00:08:09 +03:00
/*****************************************************************
Useful function for debug lines .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2010-05-21 05:25:01 +04:00
char * sid_string_dbg ( const struct dom_sid * sid )
2007-12-15 23:06:20 +03:00
{
2009-11-03 12:59:18 +03:00
return sid_string_talloc ( talloc_tos ( ) , sid ) ;
2007-12-15 23:06:20 +03:00
}
2007-12-16 00:08:09 +03:00
/*****************************************************************
Use with care !
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2010-05-21 05:25:01 +04:00
char * sid_string_tos ( const struct dom_sid * sid )
2007-12-15 21:00:42 +03:00
{
return sid_string_talloc ( talloc_tos ( ) , sid ) ;
2007-09-09 00:30:51 +04:00
}
1999-12-13 16:27:58 +03:00
/*****************************************************************
Write a sid out into on - the - wire format .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2002-10-23 05:22:32 +04:00
2010-05-21 05:25:01 +04:00
bool sid_linearize ( char * outbuf , size_t len , const struct dom_sid * sid )
1999-11-20 22:43:37 +03:00
{
1999-12-13 16:27:58 +03:00
size_t i ;
1999-11-20 22:43:37 +03:00
2010-05-10 02:42:06 +04:00
if ( len < ndr_size_dom_sid ( sid , 0 ) )
1999-11-20 22:43:37 +03:00
return False ;
1999-12-13 16:27:58 +03:00
SCVAL ( outbuf , 0 , sid - > sid_rev_num ) ;
SCVAL ( outbuf , 1 , sid - > num_auths ) ;
memcpy ( & outbuf [ 2 ] , sid - > id_auth , 6 ) ;
for ( i = 0 ; i < sid - > num_auths ; i + + )
SIVAL ( outbuf , 8 + ( i * 4 ) , sid - > sub_auths [ i ] ) ;
1999-11-20 22:43:37 +03:00
return True ;
1999-12-13 16:27:58 +03:00
}
1999-11-20 22:43:37 +03:00
2001-09-22 10:45:24 +04:00
/*****************************************************************
Returns true if SID is internal ( and non - mappable ) .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2010-05-21 05:25:01 +04:00
bool non_mappable_sid ( struct dom_sid * sid )
2001-09-22 10:45:24 +04:00
{
2010-05-21 05:25:01 +04:00
struct dom_sid dom ;
2001-09-22 10:45:24 +04:00
uint32 rid ;
sid_copy ( & dom , sid ) ;
sid_split_rid ( & dom , & rid ) ;
2010-08-26 17:48:50 +04:00
if ( dom_sid_equal ( & dom , & global_sid_Builtin ) )
2001-09-22 10:45:24 +04:00
return True ;
2010-08-26 17:48:50 +04:00
if ( dom_sid_equal ( & dom , & global_sid_NT_Authority ) )
2001-09-22 10:45:24 +04:00
return True ;
return False ;
}
2001-12-10 03:39:01 +03:00
2002-10-23 05:22:32 +04:00
/*****************************************************************
2010-05-21 05:25:01 +04:00
Return the binary string representation of a struct dom_sid .
2002-10-23 05:22:32 +04:00
Caller must free .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2010-05-21 05:25:01 +04:00
char * sid_binstring_hex ( const struct dom_sid * sid )
2001-12-10 03:39:01 +03:00
{
char * buf , * s ;
2010-05-10 02:42:06 +04:00
int len = ndr_size_dom_sid ( sid , 0 ) ;
2006-07-30 20:36:56 +04:00
buf = ( char * ) SMB_MALLOC ( len ) ;
2002-10-23 05:22:32 +04:00
if ( ! buf )
return NULL ;
2001-12-10 03:39:01 +03:00
sid_linearize ( buf , len , sid ) ;
s = binary_string ( buf , len ) ;
free ( buf ) ;
return s ;
}
2007-07-17 15:47:17 +04:00
NTSTATUS sid_array_from_info3 ( TALLOC_CTX * mem_ctx ,
2008-02-16 20:51:01 +03:00
const struct netr_SamInfo3 * info3 ,
2010-05-21 05:25:01 +04:00
struct dom_sid * * user_sids ,
2010-08-26 14:54:13 +04:00
uint32_t * num_user_sids ,
2008-04-04 04:53:40 +04:00
bool include_user_group_rid ,
bool skip_ressource_groups )
2007-07-17 15:47:17 +04:00
{
2008-01-09 02:11:31 +03:00
NTSTATUS status ;
2010-05-21 05:25:01 +04:00
struct dom_sid sid ;
struct dom_sid * sid_array = NULL ;
2010-08-26 14:54:13 +04:00
uint32_t num_sids = 0 ;
2007-07-17 15:47:17 +04:00
int i ;
if ( include_user_group_rid ) {
2008-08-16 02:28:23 +04:00
if ( ! sid_compose ( & sid , info3 - > base . domain_sid , info3 - > base . rid ) ) {
2008-01-09 02:11:31 +03:00
DEBUG ( 3 , ( " could not compose user SID from rid 0x%x \n " ,
2008-02-16 20:51:01 +03:00
info3 - > base . rid ) ) ;
2007-07-17 15:47:17 +04:00
return NT_STATUS_INVALID_PARAMETER ;
}
2008-01-09 02:11:31 +03:00
status = add_sid_to_array ( mem_ctx , & sid , & sid_array , & num_sids ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
DEBUG ( 3 , ( " could not append user SID from rid 0x%x \n " ,
2008-02-16 20:51:01 +03:00
info3 - > base . rid ) ) ;
2008-01-09 02:11:31 +03:00
return status ;
}
2008-08-16 02:28:23 +04:00
}
2007-07-17 15:47:17 +04:00
2008-08-16 02:28:23 +04:00
if ( ! sid_compose ( & sid , info3 - > base . domain_sid , info3 - > base . primary_gid ) ) {
DEBUG ( 3 , ( " could not compose group SID from rid 0x%x \n " ,
info3 - > base . primary_gid ) ) ;
return NT_STATUS_INVALID_PARAMETER ;
}
status = add_sid_to_array ( mem_ctx , & sid , & sid_array , & num_sids ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
DEBUG ( 3 , ( " could not append group SID from rid 0x%x \n " ,
info3 - > base . rid ) ) ;
return status ;
2007-07-17 15:47:17 +04:00
}
2008-02-16 20:51:01 +03:00
for ( i = 0 ; i < info3 - > base . groups . count ; i + + ) {
2008-08-16 02:28:23 +04:00
/* Don't add the primary group sid twice. */
if ( info3 - > base . primary_gid = = info3 - > base . groups . rids [ i ] . rid ) {
continue ;
}
2008-02-16 20:51:01 +03:00
if ( ! sid_compose ( & sid , info3 - > base . domain_sid ,
2008-08-16 02:28:23 +04:00
info3 - > base . groups . rids [ i ] . rid ) ) {
2008-01-09 02:11:31 +03:00
DEBUG ( 3 , ( " could not compose SID from additional group "
2008-02-16 20:51:01 +03:00
" rid 0x%x \n " , info3 - > base . groups . rids [ i ] . rid ) ) ;
2007-07-17 15:47:17 +04:00
return NT_STATUS_INVALID_PARAMETER ;
}
2008-01-09 02:11:31 +03:00
status = add_sid_to_array ( mem_ctx , & sid , & sid_array , & num_sids ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
DEBUG ( 3 , ( " could not append SID from additional group "
2008-02-16 20:51:01 +03:00
" rid 0x%x \n " , info3 - > base . groups . rids [ i ] . rid ) ) ;
2008-01-09 02:11:31 +03:00
return status ;
}
2007-07-17 15:47:17 +04:00
}
/* Copy 'other' sids. We need to do sid filtering here to
prevent possible elevation of privileges . See :
http : //www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp
*/
2008-02-16 20:51:01 +03:00
for ( i = 0 ; i < info3 - > sidcount ; i + + ) {
2008-04-04 04:53:40 +04:00
if ( skip_ressource_groups & &
( info3 - > sids [ i ] . attributes & SE_GROUP_RESOURCE ) ) {
continue ;
}
2008-02-16 20:51:01 +03:00
status = add_sid_to_array ( mem_ctx , info3 - > sids [ i ] . sid ,
2008-01-09 02:11:31 +03:00
& sid_array , & num_sids ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
2007-07-17 15:47:17 +04:00
DEBUG ( 3 , ( " could not add SID to array: %s \n " ,
2008-02-16 20:51:01 +03:00
sid_string_dbg ( info3 - > sids [ i ] . sid ) ) ) ;
2008-01-09 02:11:31 +03:00
return status ;
2007-07-17 15:47:17 +04:00
}
}
* user_sids = sid_array ;
* num_user_sids = num_sids ;
return NT_STATUS_OK ;
}