2024-12-27 03:21:53 +03:00 · 0001-01-01 00:00:00 +00:00 · 0001-01-01 00:00:00 +00:00 · 597c461009
commit 597c461009
parent 5a2f1edb58
2 changed files with 137 additions and 63 deletions
--- a/source/lib/util_sid.c
+++ b/source/lib/util_sid.c
@ -5,6 +5,7 @@
   Copyright (C) Luke Kenneth Caseson Leighton 	1998-1999
   Copyright (C) Jeremy Allison  		1999
   Copyright (C) Stefan (metze) Metzmacher 	2002
+   Copyright (C) Simo Sorce 			2002
      
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@ -37,16 +38,28 @@ DOM_SID global_sid_NT_Authority;    		/* NT Authority */
 DOM_SID global_sid_System;    		/* System */
 DOM_SID global_sid_NULL;            		/* NULL sid */
 DOM_SID global_sid_Authenticated_Users;		/* All authenticated rids */
-DOM_SID global_sid_Network;					/* Network rids */
+DOM_SID global_sid_Network;			/* Network rids */

-static DOM_SID global_sid_Creator_Owner;    		/* Creator Owner */
-static DOM_SID global_sid_Creator_Group;              /* Creator Group */
-static DOM_SID global_sid_Anonymous;				/* Anonymous login */
+static DOM_SID global_sid_Creator_Owner;	/* Creator Owner */
+static DOM_SID global_sid_Creator_Group;	/* Creator Group */
+static DOM_SID global_sid_Anonymous;		/* Anonymous login */

-DOM_SID global_sid_Builtin; 				/* Local well-known domain */
-DOM_SID global_sid_Builtin_Administrators;
-DOM_SID global_sid_Builtin_Users;
-DOM_SID global_sid_Builtin_Guests;			/* Builtin guest users */
+DOM_SID global_sid_Builtin; 			/* Local well-known domain */
+DOM_SID global_sid_Builtin_Administrators;	/* Builtin administrators */
+DOM_SID global_sid_Builtin_Users;		/* Builtin users */
+DOM_SID global_sid_Builtin_Guests;		/* Builtin guest users */
+DOM_SID global_sid_Builtin_Power_Users;		/* Builtin power users */
+DOM_SID global_sid_Builtin_Account_Operators;	/* Builtin account operators */
+DOM_SID global_sid_Builtin_Server_Operators;	/* Builtin server operators */
+DOM_SID global_sid_Builtin_Print_Operators;	/* Builtin print operators */
+DOM_SID global_sid_Builtin_Backup_Operators;	/* Builtin backup operators */
+DOM_SID global_sid_Builtin_Replicator;		/* Builtin replicator */
+
+#define SECURITY_NULL_SID_AUTHORITY    0
+#define SECURITY_WORLD_SID_AUTHORITY   1
+#define SECURITY_LOCAL_SID_AUTHORITY   2
+#define SECURITY_CREATOR_SID_AUTHORITY 3
+#define SECURITY_NT_AUTHORITY          5

 /*
 * An NT compatible anonymous token.
@ -55,14 +68,14 @@ DOM_SID global_sid_Builtin_Guests;			/* Builtin guest users */
 static DOM_SID anon_sid_array[3];

 NT_USER_TOKEN anonymous_token = {
-    3,
-    anon_sid_array
+	3,
+	anon_sid_array
 };

 static DOM_SID system_sid_array[4];
 NT_USER_TOKEN system_token = {
-    1,
-    system_sid_array
+	1,
+	system_sid_array
 };

 /****************************************************************************
@ -73,13 +86,13 @@ const static struct {
 	enum SID_NAME_USE sid_type;
 	char *string;
 } sid_name_type[] = {
-	{SID_NAME_USER, "user"},
-	{SID_NAME_DOM_GRP, "domain group"},
-	{SID_NAME_DOMAIN, "domain"},
-	{SID_NAME_ALIAS, "local group"},
-	{SID_NAME_WKN_GRP, "well-known group"},
-	{SID_NAME_DELETED, "deleted account"},
-	{SID_NAME_INVALID, "invalid account"},
+	{SID_NAME_USER, "User"},
+	{SID_NAME_DOM_GRP, "Domain Group"},
+	{SID_NAME_DOMAIN, "Domain"},
+	{SID_NAME_ALIAS, "Local Group"},
+	{SID_NAME_WKN_GRP, "Well-known Group"},
+	{SID_NAME_DELETED, "Deleted Account"},
+	{SID_NAME_INVALID, "Invalid Account"},
 	{SID_NAME_UNKNOWN, "UNKNOWN"},

 	{SID_NAME_USE_NONE, NULL}
@ -98,10 +111,8 @@ const char *sid_type_lookup(uint32 sid_type)

 	/* Default return */
 	return "SID *TYPE* is INVALID";
-	
 }

-
 /****************************************************************************
 Creates some useful well known sids
 ****************************************************************************/
@ -109,24 +120,40 @@ const char *sid_type_lookup(uint32 sid_type)
 void generate_wellknown_sids(void)
 {
 	static BOOL initialised = False;
+
 	if (initialised) 
 		return;

+	/* SECURITY_NULL_SID_AUTHORITY */
+	string_to_sid(&global_sid_NULL, "S-1-0-0");
+
+	/* SECURITY_WORLD_SID_AUTHORITY */
+	string_to_sid(&global_sid_World_Domain, "S-1-1");
+	string_to_sid(&global_sid_World, "S-1-1-0");
+
+	/* SECURITY_CREATOR_SID_AUTHORITY */
+	string_to_sid(&global_sid_Creator_Owner_Domain, "S-1-3");
+	string_to_sid(&global_sid_Creator_Owner, "S-1-3-0");
+	string_to_sid(&global_sid_Creator_Group, "S-1-3-1");
+
+	/* SECURITY_NT_AUTHORITY */
+	string_to_sid(&global_sid_NT_Authority, "S-1-5");
+	string_to_sid(&global_sid_Network, "S-1-5-2");
+	string_to_sid(&global_sid_Anonymous, "S-1-5-7");
+	string_to_sid(&global_sid_Authenticated_Users, "S-1-5-11");
+	string_to_sid(&global_sid_System, "S-1-5-18");
+
+	/* SECURITY_BUILTIN_DOMAIN_RID */
 	string_to_sid(&global_sid_Builtin, "S-1-5-32");
 	string_to_sid(&global_sid_Builtin_Administrators, "S-1-5-32-544");
 	string_to_sid(&global_sid_Builtin_Users, "S-1-5-32-545");
 	string_to_sid(&global_sid_Builtin_Guests, "S-1-5-32-546");
-	string_to_sid(&global_sid_World_Domain, "S-1-1");
-	string_to_sid(&global_sid_World, "S-1-1-0");
-	string_to_sid(&global_sid_Creator_Owner_Domain, "S-1-3");
-	string_to_sid(&global_sid_Creator_Owner, "S-1-3-0");
-	string_to_sid(&global_sid_Creator_Group, "S-1-3-1");
-	string_to_sid(&global_sid_NT_Authority, "S-1-5");
-	string_to_sid(&global_sid_System, "S-1-5-18");
-	string_to_sid(&global_sid_NULL, "S-1-0-0");
-	string_to_sid(&global_sid_Authenticated_Users, "S-1-5-11");
-	string_to_sid(&global_sid_Network, "S-1-5-2");
-	string_to_sid(&global_sid_Anonymous, "S-1-5-7");
+	string_to_sid(&global_sid_Builtin_Power_Users, "S-1-5-32-547");
+	string_to_sid(&global_sid_Builtin_Account_Operators, "S-1-5-32-548");
+	string_to_sid(&global_sid_Builtin_Server_Operators, "S-1-5-32-549");
+	string_to_sid(&global_sid_Builtin_Print_Operators, "S-1-5-32-550");
+	string_to_sid(&global_sid_Builtin_Backup_Operators, "S-1-5-32-551");
+	string_to_sid(&global_sid_Builtin_Replicator, "S-1-5-32-552");

 	/* Create the anon token. */
 	sid_copy( &anonymous_token.user_sids[0], &global_sid_World);
@ -179,40 +206,59 @@ void split_domain_name(const char *fullname, char *domain, char *name)
 			fullname, domain, name));
 }

+/****************************************************************************
+ Test if a SID is wellknown and resolvable.
+****************************************************************************/
+
+BOOL resolvable_wellknown_sid(DOM_SID *sid)
+{
+	uint32 ia = (sid->id_auth[5]) +
+			(sid->id_auth[4] << 8 ) +
+			(sid->id_auth[3] << 16) +
+			(sid->id_auth[2] << 24);
+
+	if (sid->sid_rev_num != SEC_DESC_REVISION || sid->num_auths < 1)
+		return False;
+
+	return (ia == SECURITY_WORLD_SID_AUTHORITY ||
+		ia == SECURITY_CREATOR_SID_AUTHORITY);
+}
+
 /*****************************************************************
 Convert a SID to an ascii string.
 *****************************************************************/

 char *sid_to_string(fstring sidstr_out, const DOM_SID *sid)
 {
-  char subauth[16];
-  int i;
-  uint32 ia;
+	char subauth[16];
+	int i;
+	uint32 ia;
  
-  if (!sid) {
-	  fstrcpy(sidstr_out, "(NULL SID)");
-	  return sidstr_out;
-  }
+	if (!sid) {
+		fstrcpy(sidstr_out, "(NULL SID)");
+		return sidstr_out;
+	}

-  /* BIG NOTE: this function only does SIDS where the identauth is not >= 2^32 */
-  ia = (sid->id_auth[5]) +
-	  (sid->id_auth[4] << 8 ) +
-	  (sid->id_auth[3] << 16) +
-	  (sid->id_auth[2] << 24);
+	/* BIG NOTE: this function only does SIDS where the identauth is not >= 2^32 */
+	ia = (sid->id_auth[5]) +
+		(sid->id_auth[4] << 8 ) +
+		(sid->id_auth[3] << 16) +
+		(sid->id_auth[2] << 24);

-  slprintf(sidstr_out, sizeof(fstring) - 1, "S-%u-%lu", (unsigned int)sid->sid_rev_num, (unsigned long)ia);
+	slprintf(sidstr_out, sizeof(fstring) - 1, "S-%u-%lu", (unsigned int)sid->sid_rev_num, (unsigned long)ia);

-  for (i = 0; i < sid->num_auths; i++) {
-    slprintf(subauth, sizeof(subauth)-1, "-%lu", (unsigned long)sid->sub_auths[i]);
-    fstrcat(sidstr_out, subauth);
-  }
+	for (i = 0; i < sid->num_auths; i++) {
+		slprintf(subauth, sizeof(subauth)-1, "-%lu", (unsigned long)sid->sub_auths[i]);
+		fstrcat(sidstr_out, subauth);
+	}

-  return sidstr_out;
+	return sidstr_out;
 }

-/*
-  useful function for debug lines
-*/
+/*****************************************************************
+ Useful function for debug lines.
+*****************************************************************/  
+
 const char *sid_string_static(const DOM_SID *sid)
 {
 	static fstring sid_str;
--- a/source/passdb/util_sam_sid.c
+++ b/source/passdb/util_sam_sid.c
@ -54,7 +54,8 @@ static known_sid_users everyone_users[] = {
 	{0, (enum SID_NAME_USE)0, NULL}};

 static known_sid_users creator_owner_users[] = {
-	{ 0, SID_NAME_ALIAS, "Creator Owner" },
+	{ 0, SID_NAME_WKN_GRP, "Creator Owner" },
+	{ 1, SID_NAME_WKN_GRP, "Creator Group" },
 	{0, (enum SID_NAME_USE)0, NULL}};

 static known_sid_users nt_authority_users[] = {
@ -80,11 +81,10 @@ static known_sid_users builtin_groups[] = {
 	{ BUILTIN_ALIAS_RID_BACKUP_OPS, SID_NAME_ALIAS, "Backup Operators" },
 	{  0, (enum SID_NAME_USE)0, NULL}};

-
-
 /**************************************************************************
- quick init function
- *************************************************************************/
+ Quick init function.
+*************************************************************************/
+
 static void init_sid_name_map (void)
 {
 	int i = 0;
@ -105,8 +105,7 @@ static void init_sid_name_map (void)
 		sid_name_map[i].name = global_myname;
 		sid_name_map[i].known_users = NULL;
 		i++;
-	}
-	else {
+	} else {
 		sid_name_map[i].sid = get_global_sam_sid();
 		sid_name_map[i].name = global_myname;
 		sid_name_map[i].known_users = NULL;
@ -133,8 +132,7 @@ static void init_sid_name_map (void)
 	sid_name_map[i].known_users = &nt_authority_users[0];
 	i++;
 		
-
-	/* end of array */
+	/* End of array. */
 	sid_name_map[i].sid = NULL;
 	sid_name_map[i].name = NULL;
 	sid_name_map[i].known_users = NULL;
@ -142,7 +140,6 @@ static void init_sid_name_map (void)
 	sid_name_map_initialized = True;
 		
 	return;
-
 }

 /**************************************************************************
@ -257,6 +254,7 @@ BOOL map_domain_name_to_sid(DOM_SID *sid, char *nt_domain)
 /*****************************************************************
 Check if the SID is our domain SID (S-1-5-21-x-y-z).
 *****************************************************************/  
+
 BOOL sid_check_is_domain(const DOM_SID *sid)
 {
 	return sid_equal(sid, get_global_sam_sid());
@ -265,6 +263,7 @@ BOOL sid_check_is_domain(const DOM_SID *sid)
 /*****************************************************************
 Check if the SID is our domain SID (S-1-5-21-x-y-z).
 *****************************************************************/  
+
 BOOL sid_check_is_in_our_domain(const DOM_SID *sid)
 {
 	DOM_SID dom_sid;
@ -276,3 +275,32 @@ BOOL sid_check_is_in_our_domain(const DOM_SID *sid)
 	return sid_equal(&dom_sid, get_global_sam_sid());
 }

+/**************************************************************************
+ Try and map a name to one of the well known SIDs.
+***************************************************************************/
+
+BOOL map_name_to_wellknown_sid(DOM_SID *sid, enum SID_NAME_USE *use, const char *name)
+{
+	int i, j;
+
+	if (!sid_name_map_initialized)
+		init_sid_name_map();
+
+	for (i=0; sid_name_map[i].sid != NULL; i++) {
+		known_sid_users *users = sid_name_map[i].known_users;
+
+		if (users == NULL)
+			continue;
+
+		for (j=0; users[j].known_user_name != NULL; j++) {
+			if (strequal(users[j].known_user_name, name) == 0) {
+				sid_copy(sid, sid_name_map[i].sid);
+				sid_append_rid(sid, users[j].rid);
+				*use = users[j].sid_name_use;
+				return True;
+			}
+		}
+	}
+
+	return False;
+}