From 597c4610090d711fd30c1ffacc97212cf399a264 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 18 Oct 2002 19:46:32 +0000 Subject: [PATCH] Start to merge the new ACL mapping code from Andreas Gruenbacher . Jeremy. --- source/lib/util_sid.c | 152 +++++++++++++++++++++++------------ source/passdb/util_sam_sid.c | 48 ++++++++--- 2 files changed, 137 insertions(+), 63 deletions(-) diff --git a/source/lib/util_sid.c b/source/lib/util_sid.c index 1439471f64b..f01479f1cc9 100644 --- a/source/lib/util_sid.c +++ b/source/lib/util_sid.c @@ -5,6 +5,7 @@ Copyright (C) Luke Kenneth Caseson Leighton 1998-1999 Copyright (C) Jeremy Allison 1999 Copyright (C) Stefan (metze) Metzmacher 2002 + Copyright (C) Simo Sorce 2002 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by 
@@ -37,16 +38,28 @@ DOM_SID global_sid_NT_Authority; /* NT Authority */
 DOM_SID global_sid_System; /* System */
 DOM_SID global_sid_NULL; /* NULL sid */
 DOM_SID global_sid_Authenticated_Users; /* All authenticated rids */
-DOM_SID global_sid_Network; /* Network rids */
+DOM_SID global_sid_Network; /* Network rids */
-static DOM_SID global_sid_Creator_Owner; /* Creator Owner */
-static DOM_SID global_sid_Creator_Group; /* Creator Group */
-static DOM_SID global_sid_Anonymous; /* Anonymous login */
+static DOM_SID global_sid_Creator_Owner; /* Creator Owner */
+static DOM_SID global_sid_Creator_Group; /* Creator Group */
+static DOM_SID global_sid_Anonymous; /* Anonymous login */
-DOM_SID global_sid_Builtin; /* Local well-known domain */
-DOM_SID global_sid_Builtin_Administrators;
-DOM_SID global_sid_Builtin_Users;
-DOM_SID global_sid_Builtin_Guests; /* Builtin guest users */
+DOM_SID global_sid_Builtin; /* Local well-known domain */
+DOM_SID global_sid_Builtin_Administrators; /* Builtin administrators */
+DOM_SID global_sid_Builtin_Users; /* Builtin users */
+DOM_SID global_sid_Builtin_Guests; /* Builtin guest users */
+DOM_SID global_sid_Builtin_Power_Users; /* Builtin power users */
+DOM_SID global_sid_Builtin_Account_Operators; /* Builtin account operators */
+DOM_SID global_sid_Builtin_Server_Operators; /* Builtin server operators */
+DOM_SID global_sid_Builtin_Print_Operators; /* Builtin print operators */
+DOM_SID global_sid_Builtin_Backup_Operators; /* Builtin backup operators */
+DOM_SID global_sid_Builtin_Replicator; /* Builtin replicator */
+
+#define SECURITY_NULL_SID_AUTHORITY 0
+#define SECURITY_WORLD_SID_AUTHORITY 1
+#define SECURITY_LOCAL_SID_AUTHORITY 2
+#define SECURITY_CREATOR_SID_AUTHORITY 3
+#define SECURITY_NT_AUTHORITY 5
 /*
 * An NT compatible anonymous token.
@@ -55,14 +68,14 @@ DOM_SID global_sid_Builtin_Guests; /* Builtin guest users */
 static DOM_SID anon_sid_array[3];
 NT_USER_TOKEN anonymous_token = {
- 3,
- anon_sid_array
+ 3,
+ anon_sid_array
 };
 static DOM_SID system_sid_array[4];
 NT_USER_TOKEN system_token = {
- 1,
- system_sid_array
+ 1,
+ system_sid_array
 };
 /****************************************************************************
@@ -73,13 +86,13 @@ const static struct {
 enum SID_NAME_USE sid_type;
 char *string;
 } sid_name_type[] = {
- {SID_NAME_USER, "user"},
- {SID_NAME_DOM_GRP, "domain group"},
- {SID_NAME_DOMAIN, "domain"},
- {SID_NAME_ALIAS, "local group"},
- {SID_NAME_WKN_GRP, "well-known group"},
- {SID_NAME_DELETED, "deleted account"},
- {SID_NAME_INVALID, "invalid account"},
+ {SID_NAME_USER, "User"},
+ {SID_NAME_DOM_GRP, "Domain Group"},
+ {SID_NAME_DOMAIN, "Domain"},
+ {SID_NAME_ALIAS, "Local Group"},
+ {SID_NAME_WKN_GRP, "Well-known Group"},
+ {SID_NAME_DELETED, "Deleted Account"},
+ {SID_NAME_INVALID, "Invalid Account"},
 {SID_NAME_UNKNOWN, "UNKNOWN"},
 {SID_NAME_USE_NONE, NULL}
@@ -98,10 +111,8 @@ const char *sid_type_lookup(uint32 sid_type)
 /* Default return */
 return "SID *TYPE* is INVALID";
-
 }
-
 /****************************************************************************
 Creates some useful well known sids
 ****************************************************************************/
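Review bot: The re-capitalised strings in the sid_name_type table ("User", "Domain Group", "Local Group", "Well-known Group", …) are what sid_type_lookup() hands back to callers, so anything that prints or parses that output against the old lower-case spellings stops matching after this commit, while the fall-through `return "SID *TYPE* is INVALID";` in the following hunk keeps its old style. If the intent is to match the names Windows tools display, a one-line comment above the table saying so would record that, and the commit message should mention the output change for scripts that scrape it. The initializer's closing lines and the body of sid_type_lookup() lie outside the visible hunks.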
@@ -109,24 +120,40 @@ const char *sid_type_lookup(uint32 sid_type)
 void generate_wellknown_sids(void)
 {
 static BOOL initialised = False;
+
 if (initialised) return;
+ /* SECURITY_NULL_SID_AUTHORITY */
+ string_to_sid(&global_sid_NULL, "S-1-0-0");
+
+ /* SECURITY_WORLD_SID_AUTHORITY */
+ string_to_sid(&global_sid_World_Domain, "S-1-1");
+ string_to_sid(&global_sid_World, "S-1-1-0");
+
+ /* SECURITY_CREATOR_SID_AUTHORITY */
+ string_to_sid(&global_sid_Creator_Owner_Domain, "S-1-3");
+ string_to_sid(&global_sid_Creator_Owner, "S-1-3-0");
+ string_to_sid(&global_sid_Creator_Group, "S-1-3-1");
+
+ /* SECURITY_NT_AUTHORITY */
+ string_to_sid(&global_sid_NT_Authority, "S-1-5");
+ string_to_sid(&global_sid_Network, "S-1-5-2");
+ string_to_sid(&global_sid_Anonymous, "S-1-5-7");
+ string_to_sid(&global_sid_Authenticated_Users, "S-1-5-11");
+ string_to_sid(&global_sid_System, "S-1-5-18");
+
+ /* SECURITY_BUILTIN_DOMAIN_RID */
 string_to_sid(&global_sid_Builtin, "S-1-5-32");
 string_to_sid(&global_sid_Builtin_Administrators, "S-1-5-32-544");
 string_to_sid(&global_sid_Builtin_Users, "S-1-5-32-545");
 string_to_sid(&global_sid_Builtin_Guests, "S-1-5-32-546");
- string_to_sid(&global_sid_World_Domain, "S-1-1");
- string_to_sid(&global_sid_World, "S-1-1-0");
- string_to_sid(&global_sid_Creator_Owner_Domain, "S-1-3");
- string_to_sid(&global_sid_Creator_Owner, "S-1-3-0");
- string_to_sid(&global_sid_Creator_Group, "S-1-3-1");
- string_to_sid(&global_sid_NT_Authority, "S-1-5");
- string_to_sid(&global_sid_System, "S-1-5-18");
- string_to_sid(&global_sid_NULL, "S-1-0-0");
- string_to_sid(&global_sid_Authenticated_Users, "S-1-5-11");
- string_to_sid(&global_sid_Network, "S-1-5-2");
- string_to_sid(&global_sid_Anonymous, "S-1-5-7");
+ string_to_sid(&global_sid_Builtin_Power_Users, "S-1-5-32-547");
+ string_to_sid(&global_sid_Builtin_Account_Operators, "S-1-5-32-548");
+ string_to_sid(&global_sid_Builtin_Server_Operators, "S-1-5-32-549");
+ string_to_sid(&global_sid_Builtin_Print_Operators, "S-1-5-32-550");
+ string_to_sid(&global_sid_Builtin_Backup_Operators, "S-1-5-32-551");
+ string_to_sid(&global_sid_Builtin_Replicator, "S-1-5-32-552");
 /* Create the anon token. */
 sid_copy( &anonymous_token.user_sids[0], &global_sid_World);
@@ -179,40 +206,59 @@ void split_domain_name(const char *fullname, char *domain, char *name)
 fullname, domain, name));
 }
+/****************************************************************************
+ Test if a SID is wellknown and resolvable.
+****************************************************************************/
+
+BOOL resolvable_wellknown_sid(DOM_SID *sid)
+{
+ uint32 ia = (sid->id_auth[5]) +
+ (sid->id_auth[4] << 8 ) +
+ (sid->id_auth[3] << 16) +
+ (sid->id_auth[2] << 24);
+
+ if (sid->sid_rev_num != SEC_DESC_REVISION || sid->num_auths < 1)
+ return False;
+
+ return (ia == SECURITY_WORLD_SID_AUTHORITY ||
+ ia == SECURITY_CREATOR_SID_AUTHORITY);
+}
+
 /*****************************************************************
 Convert a SID to an ascii string.
 *****************************************************************/
 char *sid_to_string(fstring sidstr_out, const DOM_SID *sid)
 {
- char subauth[16];
- int i;
- uint32 ia;
+ char subauth[16];
+ int i;
+ uint32 ia;
- if (!sid) {
- fstrcpy(sidstr_out, "(NULL SID)");
- return sidstr_out;
- }
+ if (!sid) {
+ fstrcpy(sidstr_out, "(NULL SID)");
+ return sidstr_out;
+ }
- /* BIG NOTE: this function only does SIDS where the identauth is not >= 2^32 */
- ia = (sid->id_auth[5]) +
- (sid->id_auth[4] << 8 ) +
- (sid->id_auth[3] << 16) +
- (sid->id_auth[2] << 24);
+ /* BIG NOTE: this function only does SIDS where the identauth is not >= 2^32 */
+ ia = (sid->id_auth[5]) +
+ (sid->id_auth[4] << 8 ) +
+ (sid->id_auth[3] << 16) +
+ (sid->id_auth[2] << 24);
- slprintf(sidstr_out, sizeof(fstring) - 1, "S-%u-%lu", (unsigned int)sid->sid_rev_num, (unsigned long)ia);
+ slprintf(sidstr_out, sizeof(fstring) - 1, "S-%u-%lu", (unsigned int)sid->sid_rev_num, (unsigned long)ia);
- for (i = 0; i < sid->num_auths; i++) {
- slprintf(subauth, sizeof(subauth)-1, "-%lu", (unsigned long)sid->sub_auths[i]);
- fstrcat(sidstr_out, subauth);
- }
+ for (i = 0; i < sid->num_auths; i++) {
+ slprintf(subauth, sizeof(subauth)-1, "-%lu", (unsigned long)sid->sub_auths[i]);
+ fstrcat(sidstr_out, subauth);
+ }
- return sidstr_out;
+ return sidstr_out;
 }
-/*
- useful function for debug lines
-*/
+/*****************************************************************
+ Useful function for debug lines.
+*****************************************************************/
+
 const char *sid_string_static(const DOM_SID *sid)
 {
 static fstring sid_str;
diff --git a/source/passdb/util_sam_sid.c b/source/passdb/util_sam_sid.c
index 6ec1e48ab3a..60998003f6e 100644
--- a/source/passdb/util_sam_sid.c
+++ b/source/passdb/util_sam_sid.c
@@ -54,7 +54,8 @@ static known_sid_users everyone_users[] = {
 {0, (enum SID_NAME_USE)0, NULL}};
 static known_sid_users creator_owner_users[] = {
- { 0, SID_NAME_ALIAS, "Creator Owner" },
+ { 0, SID_NAME_WKN_GRP, "Creator Owner" },
+ { 1, SID_NAME_WKN_GRP, "Creator Group" },
 {0, (enum SID_NAME_USE)0, NULL}};
 static known_sid_users nt_authority_users[] = {
@@ -80,11 +81,10 @@ static known_sid_users builtin_groups[] = {
 { BUILTIN_ALIAS_RID_BACKUP_OPS, SID_NAME_ALIAS, "Backup Operators" },
 { 0, (enum SID_NAME_USE)0, NULL}};
-
-
 /**************************************************************************
- quick init function
- *************************************************************************/
+ Quick init function.
+*************************************************************************/
+
 static void init_sid_name_map (void)
 {
 int i = 0;
@@ -105,8 +105,7 @@ static void init_sid_name_map (void)
 sid_name_map[i].name = global_myname;
 sid_name_map[i].known_users = NULL;
 i++;
- }
- else {
+ } else {
 sid_name_map[i].sid = get_global_sam_sid();
 sid_name_map[i].name = global_myname;
 sid_name_map[i].known_users = NULL;
@@ -133,8 +132,7 @@ static void init_sid_name_map (void)
 sid_name_map[i].known_users = &nt_authority_users[0];
 i++;
-
- /* end of array */
+ /* End of array. */
 sid_name_map[i].sid = NULL;
 sid_name_map[i].name = NULL;
 sid_name_map[i].known_users = NULL;
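Review bot: resolvable_wellknown_sid() builds `ia` from id_auth[2..5] only and then compares it with SECURITY_WORLD_SID_AUTHORITY and SECURITY_CREATOR_SID_AUTHORITY, so a SID whose 48-bit identifier authority has a non-zero byte in id_auth[0] or id_auth[1] but the same low four bytes is reported as a resolvable World or Creator SID when it is neither; sid_to_string() tolerates that with its "BIG NOTE" because it only prints, but a predicate that decides resolvability needs the full test, so extend the rejecting condition to `|| sid->id_auth[0] != 0 || sid->id_auth[1] != 0`. The function also reads `sid->id_auth` before any NULL check, unlike sid_to_string() directly below, which guards on `!sid` first. The revision check compares against SEC_DESC_REVISION, which by its name is the security-descriptor revision rather than a SID revision; if the two are equal by design that deserves a comment, otherwise a SID-specific constant would be safer. Taking `const DOM_SID *sid` would also match the surrounding signatures in this file.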
@@ -142,7 +140,6 @@ static void init_sid_name_map (void)
 sid_name_map_initialized = True;
 return;
-
 }
 /**************************************************************************
@@ -257,6 +254,7 @@ BOOL map_domain_name_to_sid(DOM_SID *sid, char *nt_domain)
 /*****************************************************************
 Check if the SID is our domain SID (S-1-5-21-x-y-z).
 *****************************************************************/
+
 BOOL sid_check_is_domain(const DOM_SID *sid)
 {
 return sid_equal(sid, get_global_sam_sid());
@@ -265,6 +263,7 @@ BOOL sid_check_is_domain(const DOM_SID *sid)
 /*****************************************************************
 Check if the SID is our domain SID (S-1-5-21-x-y-z).
 *****************************************************************/
+
 BOOL sid_check_is_in_our_domain(const DOM_SID *sid)
 {
 DOM_SID dom_sid;
@@ -276,3 +275,32 @@ BOOL sid_check_is_in_our_domain(const DOM_SID *sid)
 return sid_equal(&dom_sid, get_global_sam_sid());
 }
+/**************************************************************************
+ Try and map a name to one of the well known SIDs.
+***************************************************************************/
+
+BOOL map_name_to_wellknown_sid(DOM_SID *sid, enum SID_NAME_USE *use, const char *name)
+ {
+ int i, j;
+
+ if (!sid_name_map_initialized)
+ init_sid_name_map();
+
+ for (i=0; sid_name_map[i].sid != NULL; i++) {
+ known_sid_users *users = sid_name_map[i].known_users;
+
+ if (users == NULL)
+ continue;
+
+ for (j=0; users[j].known_user_name != NULL; j++) {
+ if (strequal(users[j].known_user_name, name) == 0) {
+ sid_copy(sid, sid_name_map[i].sid);
+ sid_append_rid(sid, users[j].rid);
+ *use = users[j].sid_name_use;
+ return True;
+ }
+ }
+ }
+
+ return False;
+}
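Review bot: The match test in map_name_to_wellknown_sid is `if (strequal(users[j].known_user_name, name) == 0)`; if strequal() follows the convention used elsewhere in Samba of returning True (non-zero) when the strings are equal, this condition is inverted and the function hands back the SID of the first well-known entry whose name does not match, so almost any name resolves to the first populated sid_name_map entry with whatever SID_NAME_USE it carries — a name-to-SID confusion that can end up in an ACL. Please confirm strequal's return convention and change the test to `if (strequal(users[j].known_user_name, name)) {`. A NULL `name` is also passed straight to strequal; a `if (!name) return False;` guard at the top is cheap. Since strequal is presumably case-insensitive, a one-line comment on the function stating that names are matched without regard to case would save the next reader a lookup. The duplicated "Check if the SID is our domain SID (S-1-5-21-x-y-z)." header above sid_check_is_in_our_domain() describes sid_check_is_domain(), not this function, though that text predates this commit.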