sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2024-12-25 23:21:54 +03:00
Code
f56496b114
samba-mirror/source3/lib/util_nttoken.c

134 lines
3.7 KiB
C
Raw Normal View History

r23485: This checkin consists mostly of refactorings in preparation of the activation of global registry options in loadparm.c, mainly to extract functionality from net_conf.c to be made availabel elsewhere and to minimize linker dependencies. In detail: * move functions registry_push/pull_value from lib/util_reg.c to new file lib/util_reg_api.c * create a fake user token consisting of builtin administrators sid and se_disk_operators privilege by hand instead of using get_root_nt_token() to minimize linker deps for bin/net. + new function registry_create_admin_token() in new lib/util_reg_smbconf.c + move dup_nt_token from auth/token_util.c to new file lib/util_nttoken.c + adapt net_conf.c and Makefile.in accordingly. * split lib/profiles.c into two parts: new file lib/profiles_basic.c takes all the low level mask manipulation and format conversion functions (se_priv, privset, luid). the privs array is completely hidden from profiles.c by adding some access-functions. some mask-functions are not static anymore. Generally, SID- and LUID-related stuff that has more dependencies is kept in lib/profiles.c * Move initialization of regdb from net_conf.c into a function registry_init_regdb() in lib/util_reg_smbconf.c. Michael (This used to be commit efd3e2bfb756ac5c4df7984791c67e7ae20a582e)
2007-06-14 15:29:35 +04:00
/*
* Unix SMB/CIFS implementation.
* Authentication utility functions
* Copyright (C) Andrew Tridgell 1992-1998
* Copyright (C) Andrew Bartlett 2001
* Copyright (C) Jeremy Allison 2000-2001
* Copyright (C) Rafal Szczesniak 2002
* Copyright (C) Volker Lendecke 2006
* Copyright (C) Michael Adam 2007
Add gp_get_machine_token(). Guenther (This used to be commit 2f1bc7ddad97b9137ae4cce696bf4e08f9b7ca20)
2008-02-29 20:23:53 +03:00
* Copyright (C) Guenther Deschner 2007
r23485: This checkin consists mostly of refactorings in preparation of the activation of global registry options in loadparm.c, mainly to extract functionality from net_conf.c to be made availabel elsewhere and to minimize linker dependencies. In detail: * move functions registry_push/pull_value from lib/util_reg.c to new file lib/util_reg_api.c * create a fake user token consisting of builtin administrators sid and se_disk_operators privilege by hand instead of using get_root_nt_token() to minimize linker deps for bin/net. + new function registry_create_admin_token() in new lib/util_reg_smbconf.c + move dup_nt_token from auth/token_util.c to new file lib/util_nttoken.c + adapt net_conf.c and Makefile.in accordingly. * split lib/profiles.c into two parts: new file lib/profiles_basic.c takes all the low level mask manipulation and format conversion functions (se_priv, privset, luid). the privs array is completely hidden from profiles.c by adding some access-functions. some mask-functions are not static anymore. Generally, SID- and LUID-related stuff that has more dependencies is kept in lib/profiles.c * Move initialization of regdb from net_conf.c into a function registry_init_regdb() in lib/util_reg_smbconf.c. Michael (This used to be commit efd3e2bfb756ac5c4df7984791c67e7ae20a582e)
2007-06-14 15:29:35 +04:00
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
r23779: Change from v2 or later to v3 or later. Jeremy. (This used to be commit 407e6e695b8366369b7c76af1ff76869b45347b3)
2007-07-09 23:25:36 +04:00
* the Free Software Foundation; either version 3 of the License, or
r23485: This checkin consists mostly of refactorings in preparation of the activation of global registry options in loadparm.c, mainly to extract functionality from net_conf.c to be made availabel elsewhere and to minimize linker dependencies. In detail: * move functions registry_push/pull_value from lib/util_reg.c to new file lib/util_reg_api.c * create a fake user token consisting of builtin administrators sid and se_disk_operators privilege by hand instead of using get_root_nt_token() to minimize linker deps for bin/net. + new function registry_create_admin_token() in new lib/util_reg_smbconf.c + move dup_nt_token from auth/token_util.c to new file lib/util_nttoken.c + adapt net_conf.c and Makefile.in accordingly. * split lib/profiles.c into two parts: new file lib/profiles_basic.c takes all the low level mask manipulation and format conversion functions (se_priv, privset, luid). the privs array is completely hidden from profiles.c by adding some access-functions. some mask-functions are not static anymore. Generally, SID- and LUID-related stuff that has more dependencies is kept in lib/profiles.c * Move initialization of regdb from net_conf.c into a function registry_init_regdb() in lib/util_reg_smbconf.c. Michael (This used to be commit efd3e2bfb756ac5c4df7984791c67e7ae20a582e)
2007-06-14 15:29:35 +04:00
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
r23801: The FSF has moved around a lot. This fixes their Mass Ave address. (This used to be commit 87c91e4362c51819032bfbebbb273c52e203b227)
2007-07-10 09:23:25 +04:00
* along with this program; if not, see <http://www.gnu.org/licenses/>.
r23485: This checkin consists mostly of refactorings in preparation of the activation of global registry options in loadparm.c, mainly to extract functionality from net_conf.c to be made availabel elsewhere and to minimize linker dependencies. In detail: * move functions registry_push/pull_value from lib/util_reg.c to new file lib/util_reg_api.c * create a fake user token consisting of builtin administrators sid and se_disk_operators privilege by hand instead of using get_root_nt_token() to minimize linker deps for bin/net. + new function registry_create_admin_token() in new lib/util_reg_smbconf.c + move dup_nt_token from auth/token_util.c to new file lib/util_nttoken.c + adapt net_conf.c and Makefile.in accordingly. * split lib/profiles.c into two parts: new file lib/profiles_basic.c takes all the low level mask manipulation and format conversion functions (se_priv, privset, luid). the privs array is completely hidden from profiles.c by adding some access-functions. some mask-functions are not static anymore. Generally, SID- and LUID-related stuff that has more dependencies is kept in lib/profiles.c * Move initialization of regdb from net_conf.c into a function registry_init_regdb() in lib/util_reg_smbconf.c. Michael (This used to be commit efd3e2bfb756ac5c4df7984791c67e7ae20a582e)
2007-06-14 15:29:35 +04:00
*/
/* function(s) moved from auth/auth_util.c to minimize linker deps */
#include "includes.h"
libcli/security Provide a common, top level libcli/security/security.h This will reduce the noise from merges of the rest of the libcli/security code, without this commit changing what code is actually used. This includes (along with other security headers) dom_sid.h and security_token.h Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Tue Oct 12 05:54:10 UTC 2010 on sn-devel-104
2010-10-12 08:27:50 +04:00
#include "../libcli/security/security.h"
r23485: This checkin consists mostly of refactorings in preparation of the activation of global registry options in loadparm.c, mainly to extract functionality from net_conf.c to be made availabel elsewhere and to minimize linker dependencies. In detail: * move functions registry_push/pull_value from lib/util_reg.c to new file lib/util_reg_api.c * create a fake user token consisting of builtin administrators sid and se_disk_operators privilege by hand instead of using get_root_nt_token() to minimize linker deps for bin/net. + new function registry_create_admin_token() in new lib/util_reg_smbconf.c + move dup_nt_token from auth/token_util.c to new file lib/util_nttoken.c + adapt net_conf.c and Makefile.in accordingly. * split lib/profiles.c into two parts: new file lib/profiles_basic.c takes all the low level mask manipulation and format conversion functions (se_priv, privset, luid). the privs array is completely hidden from profiles.c by adding some access-functions. some mask-functions are not static anymore. Generally, SID- and LUID-related stuff that has more dependencies is kept in lib/profiles.c * Move initialization of regdb from net_conf.c into a function registry_init_regdb() in lib/util_reg_smbconf.c. Michael (This used to be commit efd3e2bfb756ac5c4df7984791c67e7ae20a582e)
2007-06-14 15:29:35 +04:00
/****************************************************************************
Duplicate a SID token.
****************************************************************************/
s3:auth Remove NT_USER_TOKEN The all UPPER case typedef is no longer the preferred Samba style and this makes it easier to see that this is the IDL-derivied structure Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-08-26 16:08:22 +04:00
struct security_token *dup_nt_token(TALLOC_CTX *mem_ctx, const struct security_token *ptoken)
r23485: This checkin consists mostly of refactorings in preparation of the activation of global registry options in loadparm.c, mainly to extract functionality from net_conf.c to be made availabel elsewhere and to minimize linker dependencies. In detail: * move functions registry_push/pull_value from lib/util_reg.c to new file lib/util_reg_api.c * create a fake user token consisting of builtin administrators sid and se_disk_operators privilege by hand instead of using get_root_nt_token() to minimize linker deps for bin/net. + new function registry_create_admin_token() in new lib/util_reg_smbconf.c + move dup_nt_token from auth/token_util.c to new file lib/util_nttoken.c + adapt net_conf.c and Makefile.in accordingly. * split lib/profiles.c into two parts: new file lib/profiles_basic.c takes all the low level mask manipulation and format conversion functions (se_priv, privset, luid). the privs array is completely hidden from profiles.c by adding some access-functions. some mask-functions are not static anymore. Generally, SID- and LUID-related stuff that has more dependencies is kept in lib/profiles.c * Move initialization of regdb from net_conf.c into a function registry_init_regdb() in lib/util_reg_smbconf.c. Michael (This used to be commit efd3e2bfb756ac5c4df7984791c67e7ae20a582e)
2007-06-14 15:29:35 +04:00
{
s3:auth Remove NT_USER_TOKEN The all UPPER case typedef is no longer the preferred Samba style and this makes it easier to see that this is the IDL-derivied structure Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-08-26 16:08:22 +04:00
struct security_token *token;
r23485: This checkin consists mostly of refactorings in preparation of the activation of global registry options in loadparm.c, mainly to extract functionality from net_conf.c to be made availabel elsewhere and to minimize linker dependencies. In detail: * move functions registry_push/pull_value from lib/util_reg.c to new file lib/util_reg_api.c * create a fake user token consisting of builtin administrators sid and se_disk_operators privilege by hand instead of using get_root_nt_token() to minimize linker deps for bin/net. + new function registry_create_admin_token() in new lib/util_reg_smbconf.c + move dup_nt_token from auth/token_util.c to new file lib/util_nttoken.c + adapt net_conf.c and Makefile.in accordingly. * split lib/profiles.c into two parts: new file lib/profiles_basic.c takes all the low level mask manipulation and format conversion functions (se_priv, privset, luid). the privs array is completely hidden from profiles.c by adding some access-functions. some mask-functions are not static anymore. Generally, SID- and LUID-related stuff that has more dependencies is kept in lib/profiles.c * Move initialization of regdb from net_conf.c into a function registry_init_regdb() in lib/util_reg_smbconf.c. Michael (This used to be commit efd3e2bfb756ac5c4df7984791c67e7ae20a582e)
2007-06-14 15:29:35 +04:00
if (!ptoken)
return NULL;
s3-talloc Change TALLOC_ZERO_P() to talloc_zero() Using the standard macro makes it easier to move code into common, as TALLOC_ZERO_P isn't standard talloc.
2011-06-07 05:44:43 +04:00
token = talloc_zero(mem_ctx, struct security_token);
r23485: This checkin consists mostly of refactorings in preparation of the activation of global registry options in loadparm.c, mainly to extract functionality from net_conf.c to be made availabel elsewhere and to minimize linker dependencies. In detail: * move functions registry_push/pull_value from lib/util_reg.c to new file lib/util_reg_api.c * create a fake user token consisting of builtin administrators sid and se_disk_operators privilege by hand instead of using get_root_nt_token() to minimize linker deps for bin/net. + new function registry_create_admin_token() in new lib/util_reg_smbconf.c + move dup_nt_token from auth/token_util.c to new file lib/util_nttoken.c + adapt net_conf.c and Makefile.in accordingly. * split lib/profiles.c into two parts: new file lib/profiles_basic.c takes all the low level mask manipulation and format conversion functions (se_priv, privset, luid). the privs array is completely hidden from profiles.c by adding some access-functions. some mask-functions are not static anymore. Generally, SID- and LUID-related stuff that has more dependencies is kept in lib/profiles.c * Move initialization of regdb from net_conf.c into a function registry_init_regdb() in lib/util_reg_smbconf.c. Michael (This used to be commit efd3e2bfb756ac5c4df7984791c67e7ae20a582e)
2007-06-14 15:29:35 +04:00
if (token == NULL) {
DEBUG(0, ("talloc failed\n"));
return NULL;
}
s3-auth Rename NT_USER_TOKEN user_sids -> sids This is closer to the struct security_token from security.idl
2010-08-31 03:32:52 +04:00
if (ptoken->sids && ptoken->num_sids) {
token->sids = (struct dom_sid *)talloc_memdup(
token, ptoken->sids, sizeof(struct dom_sid) * ptoken->num_sids );
r23485: This checkin consists mostly of refactorings in preparation of the activation of global registry options in loadparm.c, mainly to extract functionality from net_conf.c to be made availabel elsewhere and to minimize linker dependencies. In detail: * move functions registry_push/pull_value from lib/util_reg.c to new file lib/util_reg_api.c * create a fake user token consisting of builtin administrators sid and se_disk_operators privilege by hand instead of using get_root_nt_token() to minimize linker deps for bin/net. + new function registry_create_admin_token() in new lib/util_reg_smbconf.c + move dup_nt_token from auth/token_util.c to new file lib/util_nttoken.c + adapt net_conf.c and Makefile.in accordingly. * split lib/profiles.c into two parts: new file lib/profiles_basic.c takes all the low level mask manipulation and format conversion functions (se_priv, privset, luid). the privs array is completely hidden from profiles.c by adding some access-functions. some mask-functions are not static anymore. Generally, SID- and LUID-related stuff that has more dependencies is kept in lib/profiles.c * Move initialization of regdb from net_conf.c into a function registry_init_regdb() in lib/util_reg_smbconf.c. Michael (This used to be commit efd3e2bfb756ac5c4df7984791c67e7ae20a582e)
2007-06-14 15:29:35 +04:00
s3-auth Rename NT_USER_TOKEN user_sids -> sids This is closer to the struct security_token from security.idl
2010-08-31 03:32:52 +04:00
if (token->sids == NULL) {
r23485: This checkin consists mostly of refactorings in preparation of the activation of global registry options in loadparm.c, mainly to extract functionality from net_conf.c to be made availabel elsewhere and to minimize linker dependencies. In detail: * move functions registry_push/pull_value from lib/util_reg.c to new file lib/util_reg_api.c * create a fake user token consisting of builtin administrators sid and se_disk_operators privilege by hand instead of using get_root_nt_token() to minimize linker deps for bin/net. + new function registry_create_admin_token() in new lib/util_reg_smbconf.c + move dup_nt_token from auth/token_util.c to new file lib/util_nttoken.c + adapt net_conf.c and Makefile.in accordingly. * split lib/profiles.c into two parts: new file lib/profiles_basic.c takes all the low level mask manipulation and format conversion functions (se_priv, privset, luid). the privs array is completely hidden from profiles.c by adding some access-functions. some mask-functions are not static anymore. Generally, SID- and LUID-related stuff that has more dependencies is kept in lib/profiles.c * Move initialization of regdb from net_conf.c into a function registry_init_regdb() in lib/util_reg_smbconf.c. Michael (This used to be commit efd3e2bfb756ac5c4df7984791c67e7ae20a582e)
2007-06-14 15:29:35 +04:00
DEBUG(0, ("talloc_memdup failed\n"));
TALLOC_FREE(token);
return NULL;
}
token->num_sids = ptoken->num_sids;
}
s3-privs Directly manipulate the privileges bitmap. There is no longer any reason to go via the se_ functions to manipulate this bitmap. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-08-30 07:14:40 +04:00
token->privilege_mask = ptoken->privilege_mask;
s3-util_nttoken.c Also copy the rights_mask when copying a security_token These are unused in source3/ code at the moment, but it would be unfortunate if that were to change, and this function not be updated. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-17 10:23:53 +04:00
token->rights_mask = ptoken->rights_mask;
r23485: This checkin consists mostly of refactorings in preparation of the activation of global registry options in loadparm.c, mainly to extract functionality from net_conf.c to be made availabel elsewhere and to minimize linker dependencies. In detail: * move functions registry_push/pull_value from lib/util_reg.c to new file lib/util_reg_api.c * create a fake user token consisting of builtin administrators sid and se_disk_operators privilege by hand instead of using get_root_nt_token() to minimize linker deps for bin/net. + new function registry_create_admin_token() in new lib/util_reg_smbconf.c + move dup_nt_token from auth/token_util.c to new file lib/util_nttoken.c + adapt net_conf.c and Makefile.in accordingly. * split lib/profiles.c into two parts: new file lib/profiles_basic.c takes all the low level mask manipulation and format conversion functions (se_priv, privset, luid). the privs array is completely hidden from profiles.c by adding some access-functions. some mask-functions are not static anymore. Generally, SID- and LUID-related stuff that has more dependencies is kept in lib/profiles.c * Move initialization of regdb from net_conf.c into a function registry_init_regdb() in lib/util_reg_smbconf.c. Michael (This used to be commit efd3e2bfb756ac5c4df7984791c67e7ae20a582e)
2007-06-14 15:29:35 +04:00
return token;
}
Add gp_get_machine_token(). Guenther (This used to be commit 2f1bc7ddad97b9137ae4cce696bf4e08f9b7ca20)
2008-02-29 20:23:53 +03:00
/****************************************************************************
merge NT tokens
****************************************************************************/
NTSTATUS merge_nt_token(TALLOC_CTX *mem_ctx,
s3-auth Change struct nt_user_token -> struct security_token This common structure is defined in security.idl Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-08-26 14:04:11 +04:00
const struct security_token *token_1,
const struct security_token *token_2,
struct security_token **token_out)
Add gp_get_machine_token(). Guenther (This used to be commit 2f1bc7ddad97b9137ae4cce696bf4e08f9b7ca20)
2008-02-29 20:23:53 +03:00
{
s3-auth Change struct nt_user_token -> struct security_token This common structure is defined in security.idl Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-08-26 14:04:11 +04:00
struct security_token *token = NULL;
Add gp_get_machine_token(). Guenther (This used to be commit 2f1bc7ddad97b9137ae4cce696bf4e08f9b7ca20)
2008-02-29 20:23:53 +03:00
NTSTATUS status;
int i;
if (!token_1 || !token_2 || !token_out) {
return NT_STATUS_INVALID_PARAMETER;
}
s3-talloc Change TALLOC_ZERO_P() to talloc_zero() Using the standard macro makes it easier to move code into common, as TALLOC_ZERO_P isn't standard talloc.
2011-06-07 05:44:43 +04:00
token = talloc_zero(mem_ctx, struct security_token);
Add gp_get_machine_token(). Guenther (This used to be commit 2f1bc7ddad97b9137ae4cce696bf4e08f9b7ca20)
2008-02-29 20:23:53 +03:00
NT_STATUS_HAVE_NO_MEMORY(token);
for (i=0; i < token_1->num_sids; i++) {
status = add_sid_to_array_unique(mem_ctx,
s3-auth Rename NT_USER_TOKEN user_sids -> sids This is closer to the struct security_token from security.idl
2010-08-31 03:32:52 +04:00
&token_1->sids[i],
&token->sids,
Add gp_get_machine_token(). Guenther (This used to be commit 2f1bc7ddad97b9137ae4cce696bf4e08f9b7ca20)
2008-02-29 20:23:53 +03:00
&token->num_sids);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(token);
return status;
}
}
for (i=0; i < token_2->num_sids; i++) {
status = add_sid_to_array_unique(mem_ctx,
s3-auth Rename NT_USER_TOKEN user_sids -> sids This is closer to the struct security_token from security.idl
2010-08-31 03:32:52 +04:00
&token_2->sids[i],
&token->sids,
Add gp_get_machine_token(). Guenther (This used to be commit 2f1bc7ddad97b9137ae4cce696bf4e08f9b7ca20)
2008-02-29 20:23:53 +03:00
&token->num_sids);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(token);
return status;
}
}
s3-privs Directly manipulate the privileges bitmap. There is no longer any reason to go via the se_ functions to manipulate this bitmap. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-08-30 07:14:40 +04:00
token->privilege_mask |= token_1->privilege_mask;
token->privilege_mask |= token_2->privilege_mask;
Add gp_get_machine_token(). Guenther (This used to be commit 2f1bc7ddad97b9137ae4cce696bf4e08f9b7ca20)
2008-02-29 20:23:53 +03:00
s3-util_nttoken.c Also copy the rights_mask when copying a security_token These are unused in source3/ code at the moment, but it would be unfortunate if that were to change, and this function not be updated. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-17 10:23:53 +04:00
token->rights_mask |= token_1->rights_mask;
token->rights_mask |= token_2->rights_mask;
Add gp_get_machine_token(). Guenther (This used to be commit 2f1bc7ddad97b9137ae4cce696bf4e08f9b7ca20)
2008-02-29 20:23:53 +03:00
*token_out = token;
return NT_STATUS_OK;
}
Move secace.c to top-level.
2009-03-01 19:59:30 +03:00
/*******************************************************************
s3-secdesc: remove "typedef struct security_ace SEC_ACE". Guenther
2010-05-18 05:25:38 +04:00
Check if this struct security_ace has a SID in common with the token.
Move secace.c to top-level.
2009-03-01 19:59:30 +03:00
********************************************************************/
s3:auth Remove NT_USER_TOKEN The all UPPER case typedef is no longer the preferred Samba style and this makes it easier to see that this is the IDL-derivied structure Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-08-26 16:08:22 +04:00
bool token_sid_in_ace(const struct security_token *token, const struct security_ace *ace)
Move secace.c to top-level.
2009-03-01 19:59:30 +03:00
{
size_t i;
for (i = 0; i < token->num_sids; i++) {
s3-util_sid: use shared dom_sid_compare_auth and dom_sid_equal_X functions. Guenther
2010-08-26 17:48:50 +04:00
if (dom_sid_equal(&ace->trustee, &token->sids[i]))
Move secace.c to top-level.
2009-03-01 19:59:30 +03:00
return true;
}
return false;
}
Copy Permalink