Line data Source code
1 : /*
2 : Unix SMB/CIFS implementation.
3 :
4 : security descriptor utility functions
5 :
6 : Copyright (C) Andrew Tridgell 2004
7 : Copyright (C) Andrew Bartlett 2010
8 : Copyright (C) Stefan Metzmacher 2005
9 :
10 : This program is free software; you can redistribute it and/or modify
11 : it under the terms of the GNU General Public License as published by
12 : the Free Software Foundation; either version 3 of the License, or
13 : (at your option) any later version.
14 :
15 : This program is distributed in the hope that it will be useful,
16 : but WITHOUT ANY WARRANTY; without even the implied warranty of
17 : MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 : GNU General Public License for more details.
19 :
20 : You should have received a copy of the GNU General Public License
21 : along with this program. If not, see <http://www.gnu.org/licenses/>.
22 : */
23 :
24 : #include "replace.h"
25 : #include <talloc.h>
26 : #include "lib/util/talloc_stack.h"
27 : #include "lib/util/debug.h"
28 : #include "lib/util/fault.h"
29 : #include "libcli/security/security_token.h"
30 : #include "libcli/security/dom_sid.h"
31 : #include "libcli/security/privileges.h"
32 : #include "librpc/gen_ndr/ndr_security.h"
33 : #include "lib/util/talloc_stack.h"
34 :
35 : /*
36 : return a blank security token
37 : */
38 121900 : struct security_token *security_token_initialise(TALLOC_CTX *mem_ctx,
39 : enum claims_evaluation_control evaluate_claims)
40 : {
41 121900 : struct security_token *st = talloc_zero(
42 : mem_ctx, struct security_token);
43 121900 : st->evaluate_claims = evaluate_claims;
44 :
45 121900 : return st;
46 : }
47 :
48 : /****************************************************************************
49 : Duplicate a SID token.
50 : ****************************************************************************/
51 :
52 8463279 : struct security_token *security_token_duplicate(TALLOC_CTX *mem_ctx, const struct security_token *src)
53 : {
54 8463279 : TALLOC_CTX *frame = NULL;
55 8463279 : struct security_token *dst = NULL;
56 9738 : DATA_BLOB blob;
57 9738 : enum ndr_err_code ndr_err;
58 :
59 8463279 : if (src == NULL) {
60 1414992 : return NULL;
61 : }
62 :
63 7044982 : frame = talloc_stackframe();
64 :
65 7044982 : ndr_err = ndr_push_struct_blob(
66 : &blob,
67 : frame,
68 : src,
69 : (ndr_push_flags_fn_t)ndr_push_security_token);
70 7044982 : if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
71 0 : DBG_ERR("Failed to duplicate security_token ndr_push_security_token failed: %s\n",
72 : ndr_errstr(ndr_err));
73 0 : TALLOC_FREE(frame);
74 0 : return NULL;
75 : }
76 :
77 7044982 : dst = talloc_zero(mem_ctx, struct security_token);
78 7044982 : if (dst == NULL) {
79 0 : DBG_ERR("talloc failed\n");
80 0 : TALLOC_FREE(frame);
81 0 : return NULL;
82 : }
83 :
84 7044982 : ndr_err = ndr_pull_struct_blob(
85 : &blob,
86 : dst,
87 : dst,
88 : (ndr_pull_flags_fn_t)ndr_pull_security_token);
89 :
90 7044982 : if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
91 0 : DBG_ERR("Failed to duplicate security_token ndr_pull_security_token "
92 : "failed: %s\n",
93 : ndr_errstr(ndr_err));
94 0 : TALLOC_FREE(dst);
95 0 : TALLOC_FREE(frame);
96 0 : return NULL;
97 : }
98 :
99 7044982 : TALLOC_FREE(frame);
100 7038549 : return dst;
101 : }
102 :
103 : /****************************************************************************
104 : prints a struct security_token to debug output.
105 : ****************************************************************************/
106 5412226 : void security_token_debug(int dbg_class, int dbg_lev, const struct security_token *token)
107 : {
108 5412226 : TALLOC_CTX *frame = talloc_stackframe();
109 5412226 : char *sids = NULL;
110 5412226 : char *privs = NULL;
111 22142 : uint32_t i;
112 :
113 5412226 : if (!token) {
114 4562245 : DEBUGC(dbg_class, dbg_lev, ("Security token: (NULL)\n"));
115 4562245 : TALLOC_FREE(frame);
116 4562245 : return;
117 : }
118 :
119 1699962 : sids = talloc_asprintf(frame,
120 : "Security token SIDs (%" PRIu32 "):\n",
121 849981 : token->num_sids);
122 6167584 : for (i = 0; i < token->num_sids; i++) {
123 48201 : struct dom_sid_buf sidbuf;
124 5317603 : talloc_asprintf_addbuf(
125 : &sids,
126 : " SID[%3" PRIu32 "]: %s\n",
127 : i,
128 5317603 : dom_sid_str_buf(&token->sids[i], &sidbuf));
129 : }
130 :
131 849981 : privs = security_token_debug_privileges(frame, token);
132 :
133 849981 : DEBUGC(dbg_class,
134 : dbg_lev,
135 : ("%s%s", sids ? sids : "(NULL)", privs ? privs : "(NULL)"));
136 :
137 849981 : TALLOC_FREE(frame);
138 : }
139 :
140 : /* These really should be cheaper... */
141 :
142 114904837 : bool security_token_is_sid(const struct security_token *token, const struct dom_sid *sid)
143 : {
144 7096558 : bool ret;
145 :
146 114904837 : if (token->sids == NULL) {
147 0 : return false;
148 : }
149 114904834 : ret = dom_sid_equal(&token->sids[PRIMARY_USER_SID_INDEX], sid);
150 114904834 : return ret;
151 : }
152 :
153 84974684 : bool security_token_is_system(const struct security_token *token)
154 : {
155 84974684 : return security_token_is_sid(token, &global_sid_System);
156 : }
157 :
158 29919682 : bool security_token_is_anonymous(const struct security_token *token)
159 : {
160 29919682 : return security_token_is_sid(token, &global_sid_Anonymous);
161 : }
162 :
163 121038314 : bool security_token_has_sid(const struct security_token *token, const struct dom_sid *sid)
164 : {
165 7324016 : uint32_t i;
166 1204914225 : for (i = 0; i < token->num_sids; i++) {
167 1156672577 : if (dom_sid_equal(&token->sids[i], sid)) {
168 67855180 : return true;
169 : }
170 : }
171 45859118 : return false;
172 : }
173 :
174 174387 : size_t security_token_count_flag_sids(const struct security_token *token,
175 : const struct dom_sid *prefix_sid,
176 : size_t num_flags,
177 : const struct dom_sid **_flag_sid)
178 : {
179 174387 : const size_t num_auths_expected = prefix_sid->num_auths + num_flags;
180 174387 : const struct dom_sid *found = NULL;
181 174387 : size_t num = 0;
182 692 : uint32_t i;
183 :
184 174387 : SMB_ASSERT(num_auths_expected <= ARRAY_SIZE(prefix_sid->sub_auths));
185 :
186 1036744 : for (i = 0; i < token->num_sids; i++) {
187 862357 : const struct dom_sid *sid = &token->sids[i];
188 8630 : int cmp;
189 :
190 862357 : if (sid->num_auths != num_auths_expected) {
191 443757 : continue;
192 : }
193 :
194 418600 : cmp = dom_sid_compare_domain(sid, prefix_sid);
195 418600 : if (cmp != 0) {
196 294602 : continue;
197 : }
198 :
199 123998 : num += 1;
200 123998 : found = sid;
201 : }
202 :
203 174387 : if ((num == 1) && (_flag_sid != NULL)) {
204 123998 : *_flag_sid = found;
205 : }
206 :
207 174387 : return num;
208 : }
209 :
210 27695319 : bool security_token_has_builtin_guests(const struct security_token *token)
211 : {
212 27695319 : return security_token_has_sid(token, &global_sid_Builtin_Guests);
213 : }
214 :
215 27885908 : bool security_token_has_builtin_administrators(const struct security_token *token)
216 : {
217 27885908 : return security_token_has_sid(token, &global_sid_Builtin_Administrators);
218 : }
219 :
220 27695422 : bool security_token_has_nt_authenticated_users(const struct security_token *token)
221 : {
222 27695422 : return security_token_has_sid(token, &global_sid_Authenticated_Users);
223 : }
224 :
225 653023 : bool security_token_has_enterprise_dcs(const struct security_token *token)
226 : {
227 653023 : return security_token_has_sid(token, &global_sid_Enterprise_DCs);
228 : }
|