Line data Source code
1 : /*
2 : Unix SMB/CIFS implementation.
3 :
4 : security descriptor utility functions
5 :
6 : Copyright (C) Andrew Tridgell 2004
7 : Copyright (C) Andrew Bartlett 2010
8 : Copyright (C) Stefan Metzmacher 2005
9 :
10 : This program is free software; you can redistribute it and/or modify
11 : it under the terms of the GNU General Public License as published by
12 : the Free Software Foundation; either version 3 of the License, or
13 : (at your option) any later version.
14 :
15 : This program is distributed in the hope that it will be useful,
16 : but WITHOUT ANY WARRANTY; without even the implied warranty of
17 : MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 : GNU General Public License for more details.
19 :
20 : You should have received a copy of the GNU General Public License
21 : along with this program. If not, see <http://www.gnu.org/licenses/>.
22 : */
23 :
24 : #include "replace.h"
25 : #include <talloc.h>
26 : #include "lib/util/talloc_stack.h"
27 : #include "lib/util/debug.h"
28 : #include "lib/util/fault.h"
29 : #include "libcli/security/security_token.h"
30 : #include "libcli/security/dom_sid.h"
31 : #include "libcli/security/privileges.h"
32 : #include "librpc/gen_ndr/ndr_security.h"
33 : #include "lib/util/talloc_stack.h"
34 :
35 : /*
36 : return a blank security token
37 : */
38 122382 : struct security_token *security_token_initialise(TALLOC_CTX *mem_ctx,
39 : enum claims_evaluation_control evaluate_claims)
40 : {
41 122382 : struct security_token *st = talloc_zero(
42 : mem_ctx, struct security_token);
43 122382 : st->evaluate_claims = evaluate_claims;
44 :
45 122382 : return st;
46 : }
47 :
48 : /****************************************************************************
49 : Duplicate a SID token.
50 : ****************************************************************************/
51 :
52 8626573 : struct security_token *security_token_duplicate(TALLOC_CTX *mem_ctx, const struct security_token *src)
53 : {
54 8626573 : TALLOC_CTX *frame = NULL;
55 8626573 : struct security_token *dst = NULL;
56 9776 : DATA_BLOB blob;
57 9776 : enum ndr_err_code ndr_err;
58 :
59 8626573 : if (src == NULL) {
60 1417046 : return NULL;
61 : }
62 :
63 7206222 : frame = talloc_stackframe();
64 :
65 7206222 : ndr_err = ndr_push_struct_blob(
66 : &blob,
67 : frame,
68 : src,
69 : (ndr_push_flags_fn_t)ndr_push_security_token);
70 7206222 : if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
71 0 : DBG_ERR("Failed to duplicate security_token ndr_push_security_token failed: %s\n",
72 : ndr_errstr(ndr_err));
73 0 : TALLOC_FREE(frame);
74 0 : return NULL;
75 : }
76 :
77 7206222 : dst = talloc_zero(mem_ctx, struct security_token);
78 7206222 : if (dst == NULL) {
79 0 : DBG_ERR("talloc failed\n");
80 0 : TALLOC_FREE(frame);
81 0 : return NULL;
82 : }
83 :
84 7206222 : ndr_err = ndr_pull_struct_blob(
85 : &blob,
86 : dst,
87 : dst,
88 : (ndr_pull_flags_fn_t)ndr_pull_security_token);
89 :
90 7206222 : if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
91 0 : DBG_ERR("Failed to duplicate security_token ndr_pull_security_token "
92 : "failed: %s\n",
93 : ndr_errstr(ndr_err));
94 0 : TALLOC_FREE(dst);
95 0 : TALLOC_FREE(frame);
96 0 : return NULL;
97 : }
98 :
99 7206222 : TALLOC_FREE(frame);
100 7199751 : return dst;
101 : }
102 :
103 : /****************************************************************************
104 : prints a struct security_token to debug output.
105 : ****************************************************************************/
106 5552805 : void security_token_debug(int dbg_class, int dbg_lev, const struct security_token *token)
107 : {
108 5552805 : TALLOC_CTX *frame = talloc_stackframe();
109 5552805 : char *sids = NULL;
110 5552805 : char *privs = NULL;
111 22180 : uint32_t i;
112 :
113 5552805 : if (!token) {
114 4702669 : DEBUGC(dbg_class, dbg_lev, ("Security token: (NULL)\n"));
115 4702669 : TALLOC_FREE(frame);
116 4702669 : return;
117 : }
118 :
119 1700272 : sids = talloc_asprintf(frame,
120 : "Security token SIDs (%" PRIu32 "):\n",
121 850136 : token->num_sids);
122 5885532 : for (i = 0; i < token->num_sids; i++) {
123 48201 : struct dom_sid_buf sidbuf;
124 5035396 : talloc_asprintf_addbuf(
125 : &sids,
126 : " SID[%3" PRIu32 "]: %s\n",
127 : i,
128 5035396 : dom_sid_str_buf(&token->sids[i], &sidbuf));
129 : }
130 :
131 850136 : privs = security_token_debug_privileges(frame, token);
132 :
133 850136 : DEBUGC(dbg_class,
134 : dbg_lev,
135 : ("%s%s", sids ? sids : "(NULL)", privs ? privs : "(NULL)"));
136 :
137 850136 : TALLOC_FREE(frame);
138 : }
139 :
140 : /* These really should be cheaper... */
141 :
142 114684938 : bool security_token_is_sid(const struct security_token *token, const struct dom_sid *sid)
143 : {
144 7114562 : bool ret;
145 :
146 114684938 : if (token->sids == NULL) {
147 0 : return false;
148 : }
149 114684935 : ret = dom_sid_equal(&token->sids[PRIMARY_USER_SID_INDEX], sid);
150 114684935 : return ret;
151 : }
152 :
153 84731363 : bool security_token_is_system(const struct security_token *token)
154 : {
155 84731363 : return security_token_is_sid(token, &global_sid_System);
156 : }
157 :
158 29943104 : bool security_token_is_anonymous(const struct security_token *token)
159 : {
160 29943104 : return security_token_is_sid(token, &global_sid_Anonymous);
161 : }
162 :
163 121361950 : bool security_token_has_sid(const struct security_token *token, const struct dom_sid *sid)
164 : {
165 7343682 : uint32_t i;
166 1206214166 : for (i = 0; i < token->num_sids; i++) {
167 1157963093 : if (dom_sid_equal(&token->sids[i], sid)) {
168 68156283 : return true;
169 : }
170 : }
171 45861985 : return false;
172 : }
173 :
174 174395 : size_t security_token_count_flag_sids(const struct security_token *token,
175 : const struct dom_sid *prefix_sid,
176 : size_t num_flags,
177 : const struct dom_sid **_flag_sid)
178 : {
179 174395 : const size_t num_auths_expected = prefix_sid->num_auths + num_flags;
180 174395 : const struct dom_sid *found = NULL;
181 174395 : size_t num = 0;
182 692 : uint32_t i;
183 :
184 174395 : SMB_ASSERT(num_auths_expected <= ARRAY_SIZE(prefix_sid->sub_auths));
185 :
186 1015836 : for (i = 0; i < token->num_sids; i++) {
187 841441 : const struct dom_sid *sid = &token->sids[i];
188 8630 : int cmp;
189 :
190 841441 : if (sid->num_auths != num_auths_expected) {
191 443703 : continue;
192 : }
193 :
194 397738 : cmp = dom_sid_compare_domain(sid, prefix_sid);
195 397738 : if (cmp != 0) {
196 273736 : continue;
197 : }
198 :
199 124002 : num += 1;
200 124002 : found = sid;
201 : }
202 :
203 174395 : if ((num == 1) && (_flag_sid != NULL)) {
204 124002 : *_flag_sid = found;
205 : }
206 :
207 174395 : return num;
208 : }
209 :
210 27715042 : bool security_token_has_builtin_guests(const struct security_token *token)
211 : {
212 27715042 : return security_token_has_sid(token, &global_sid_Builtin_Guests);
213 : }
214 :
215 27905713 : bool security_token_has_builtin_administrators(const struct security_token *token)
216 : {
217 27905713 : return security_token_has_sid(token, &global_sid_Builtin_Administrators);
218 : }
219 :
220 27715145 : bool security_token_has_nt_authenticated_users(const struct security_token *token)
221 : {
222 27715145 : return security_token_has_sid(token, &global_sid_Authenticated_Users);
223 : }
224 :
225 653435 : bool security_token_has_enterprise_dcs(const struct security_token *token)
226 : {
227 653435 : return security_token_has_sid(token, &global_sid_Enterprise_DCs);
228 : }
|
