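/*
   Unix SMB/CIFS implementation.

   manipulate privilege records in samdb

   Copyright (C) Andrew Tridgell 2004

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 3 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/

#include "includes.h"
#include "libcli/ldap/ldap_ndr.h"
#include "dsdb/samdb/samdb.h"
#include "auth/auth.h"
#include "libcli/security/security.h"
#include "../lib/util/util_ldb.h"
#include "param/param.h"
#include "ldb_wrap.h"

/*
 * Connect to the local privilege database ("privilege.ldb").
 *
 * The connection is opened with a NULL event context, NULL session info
 * and NULL credentials, and with no flags, i.e. presumably a direct local
 * open rather than one scoped to a particular client -- confirm against
 * ldb_wrap_connect.  The returned context is allocated on mem_ctx and is
 * NULL when the database cannot be opened.
 */
struct ldb_context *privilege_connect(TALLOC_CTX *mem_ctx,
				      struct loadparm_context *lp_ctx)
{
	return ldb_wrap_connect(mem_ctx, NULL, lp_ctx, "privilege.ldb",
				NULL, NULL, 0);
}

/*
 * Add the privilege and right bits recorded for one SID to a
 * security_token.
 *
 * Looks up the privilege.ldb record whose objectSid matches sid and, for
 * every value of its "privilege" attribute, sets the matching privilege
 * bit (sec_privilege_id) on token or, when the name is not a privilege,
 * the matching account-right bit (sec_right_bit).  Names that are neither
 * are logged at level 1 and skipped.
 *
 * Returns NT_STATUS_OK both when the SID has a record and when it has
 * none: a SID without a record simply contributes no bits.  A search that
 * does not return exactly one record (ret != 1, which also covers an
 * ldb error) is handled the same way, so a database failure grants
 * nothing for that SID rather than failing the whole token.  Only a
 * failed allocation is reported as an error.
 *
 * All allocations are made on mem_ctx, which the caller owns and frees.
 */
static NTSTATUS samdb_privilege_setup_sid(struct ldb_context *pdb, TALLOC_CTX *mem_ctx,
					  struct security_token *token,
					  const struct dom_sid *sid)
{
	const char * const attrs[] = { "privilege", NULL };
	struct ldb_message **res = NULL;
	struct ldb_message_element *el;
	unsigned int i;
	int ret;
	char *sidstr;

	/* The SID is encoded into filter-safe form before it is
	 * interpolated into the search filter, so no caller-supplied text
	 * is passed to the LDAP filter parser verbatim. */
	sidstr = ldap_encode_ndr_dom_sid(mem_ctx, sid);
	NT_STATUS_HAVE_NO_MEMORY(sidstr);

	ret = gendb_search(pdb, mem_ctx, NULL, &res, attrs, "objectSid=%s", sidstr);
	talloc_free(sidstr);
	if (ret != 1) {
		/* not an error to not match; a search error or an
		 * ambiguous match is treated the same way: no bits are
		 * added for this SID */
		return NT_STATUS_OK;
	}

	el = ldb_msg_find_element(res[0], "privilege");
	if (el == NULL) {
		return NT_STATUS_OK;
	}

	for (i = 0; i < el->num_values; i++) {
		const char *priv_str = (const char *)el->values[i].data;
		enum sec_privilege privilege = sec_privilege_id(priv_str);

		if (privilege != SEC_PRIV_INVALID) {
			security_token_set_privilege(token, privilege);
			continue;
		}

		/* not a privilege name: try it as an account right, and
		 * only touch the token when the name actually maps to one */
		uint32_t right_bit = sec_right_bit(priv_str);
		if (right_bit == 0) {
			DEBUG(1,("Unknown privilege '%s' in samdb\n",
				 priv_str));
			continue;
		}
		security_token_set_right_bit(token, right_bit);
	}

	return NT_STATUS_OK;
}

/*
 * Set up the privilege mask for this security token based on our
 * local SAM.
 *
 * Before the database is opened three cases are decided without a
 * lookup: a token with no SIDs or an anonymous token gets an empty
 * privilege mask, and the system token gets every bit set (~0).
 *
 * Otherwise privilege_mask is cleared and rebuilt by walking every SID in
 * the token and adding the bits recorded for it in privilege.ldb.
 * NOTE(review): only privilege_mask is reset here; right bits added via
 * security_token_set_right_bit accumulate onto whatever the token
 * already held, so presumably callers pass a freshly created token --
 * confirm against the callers.
 *
 * Returns NT_STATUS_NO_MEMORY if the temporary context cannot be
 * allocated, NT_STATUS_INTERNAL_DB_CORRUPTION if privilege.ldb cannot
 * be opened, or the error from a per-SID lookup.
 */
NTSTATUS samdb_privilege_setup(struct loadparm_context *lp_ctx, struct security_token *token)
{
	struct ldb_context *pdb;
	TALLOC_CTX *mem_ctx;
	unsigned int i;
	NTSTATUS status;

	/* Shortcuts to prevent recursion and avoid lookups */
	if (token->sids == NULL) {
		token->privilege_mask = 0;
		return NT_STATUS_OK;
	}

	if (security_token_is_system(token)) {
		token->privilege_mask = ~0;
		return NT_STATUS_OK;
	}

	if (security_token_is_anonymous(token)) {
		token->privilege_mask = 0;
		return NT_STATUS_OK;
	}

	/* Everything allocated during the lookup hangs off this context,
	 * so a single talloc_free releases the connection and all search
	 * results on every exit path below. */
	mem_ctx = talloc_new(token);
	NT_STATUS_HAVE_NO_MEMORY(mem_ctx);

	pdb = privilege_connect(mem_ctx, lp_ctx);
	if (pdb == NULL) {
		talloc_free(mem_ctx);
		return NT_STATUS_INTERNAL_DB_CORRUPTION;
	}

	token->privilege_mask = 0;

	for (i = 0; i < token->num_sids; i++) {
		status = samdb_privilege_setup_sid(pdb, mem_ctx,
						   token, &token->sids[i]);
		if (!NT_STATUS_IS_OK(status)) {
			talloc_free(mem_ctx);
			return status;
		}
	}

	talloc_free(mem_ctx);

	return NT_STATUS_OK;
}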