       1             : /* 
       2             :    Unix SMB/CIFS implementation.
       3             : 
       4             :    manipulate privilege records in samdb
       5             : 
       6             :    Copyright (C) Andrew Tridgell 2004
       7             :    
       8             :    This program is free software; you can redistribute it and/or modify
       9             :    it under the terms of the GNU General Public License as published by
      10             :    the Free Software Foundation; either version 3 of the License, or
      11             :    (at your option) any later version.
      12             :    
      13             :    This program is distributed in the hope that it will be useful,
      14             :    but WITHOUT ANY WARRANTY; without even the implied warranty of
      15             :    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
      16             :    GNU General Public License for more details.
      17             :    
      18             :    You should have received a copy of the GNU General Public License
      19             :    along with this program.  If not, see <http://www.gnu.org/licenses/>.
      20             : */
      21             : 
      22             : #include "includes.h"
      23             : #include "libcli/ldap/ldap_ndr.h"
      24             : #include "dsdb/samdb/samdb.h"
      25             : #include "auth/auth.h"
      26             : #include "libcli/security/security.h"
      27             : #include "../lib/util/util_ldb.h"
      28             : #include "param/param.h"
      29             : #include "ldb_wrap.h"
      30             : 
/*
  connect to the privilege database

  Opens "privilege.ldb" through ldb_wrap_connect() using the supplied
  talloc parent and loadparm context. No URL, session info,
  credentials or flags are passed. The result is whatever
  ldb_wrap_connect() returns, NULL on failure; callers in this file
  release it by freeing mem_ctx rather than freeing it directly.
*/
struct ldb_context *privilege_connect(TALLOC_CTX *mem_ctx, 
				      struct loadparm_context *lp_ctx)
{
	const char *db_name = "privilege.ldb";
	struct ldb_context *pdb = NULL;

	pdb = ldb_wrap_connect(mem_ctx, NULL, lp_ctx, db_name,
			       NULL, NULL, 0);

	return pdb;
}
      38             : 
/*
  apply a single "privilege" attribute value from privilege.ldb to a
  security token

  A value recognised by sec_privilege_id() sets that privilege on the
  token. Any other value is treated as an account right: the bit from
  sec_right_bit() is set on the token (even when it is 0, i.e. the
  string is unknown to both tables), and the unknown case is reported
  at debug level 1 and otherwise ignored. Unknown strings therefore
  never fail the lookup.
*/
static void samdb_privilege_apply_value(struct security_token *token,
					const char *priv_str)
{
	enum sec_privilege privilege = sec_privilege_id(priv_str);
	uint32_t right_bit = 0;

	if (privilege != SEC_PRIV_INVALID) {
		security_token_set_privilege(token, privilege);
		return;
	}

	/* not a privilege name: fall back to the account-right table */
	right_bit = sec_right_bit(priv_str);
	security_token_set_right_bit(token, right_bit);
	if (right_bit == 0) {
		DEBUG(1,("Unknown privilege '%s' in samdb\n",
			 priv_str));
	}
}

/*
  add privilege bits for one sid to a security_token

  Looks up the privilege.ldb record whose objectSid equals sid and
  feeds every value of its "privilege" attribute into token. A sid
  without a record, or whose record has no "privilege" attribute, is
  not an error: the token is left untouched and NT_STATUS_OK is
  returned.

  Note that any gendb_search() result other than exactly one record —
  a negative (error) return as well as several matches — takes the
  same silent "no match" path; callers cannot tell those apart from a
  sid that simply has no privileges.

  The encoded sid string and the search results are allocated with
  mem_ctx as their talloc context; the string is freed here, the
  results are left for the caller to release with mem_ctx.

  Returns NT_STATUS_NO_MEMORY only if encoding the sid fails.
*/
static NTSTATUS samdb_privilege_setup_sid(struct ldb_context *pdb, TALLOC_CTX *mem_ctx,
					  struct security_token *token,
					  const struct dom_sid *sid)
{
	const char * const attrs[] = { "privilege", NULL };
	struct ldb_message **msgs = NULL;
	struct ldb_message_element *priv_el = NULL;
	char *sid_str = NULL;
	unsigned int idx;
	int count;

	sid_str = ldap_encode_ndr_dom_sid(mem_ctx, sid);
	NT_STATUS_HAVE_NO_MEMORY(sid_str);

	count = gendb_search(pdb, mem_ctx, NULL, &msgs, attrs,
			     "objectSid=%s", sid_str);
	talloc_free(sid_str);

	/* not an error to not match */
	if (count != 1) {
		return NT_STATUS_OK;
	}

	priv_el = ldb_msg_find_element(msgs[0], "privilege");
	if (priv_el == NULL) {
		return NT_STATUS_OK;
	}

	for (idx = 0; idx < priv_el->num_values; idx++) {
		const char *priv_str = (const char *)priv_el->values[idx].data;

		samdb_privilege_apply_value(token, priv_str);
	}

	return NT_STATUS_OK;
}
      85             : 
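/*
  setup the privilege mask for this security token based on our
  local SAM

  Resets token->privilege_mask and then, for every SID in
  token->sids (the user's own SID and group SIDs alike), accumulates
  via samdb_privilege_setup_sid() whatever privilege.ldb grants to
  that SID. The resulting mask is therefore the combination over all
  of the token's SIDs — a privilege granted to any group the token
  carries ends up on the token.

  Three shortcuts skip the database entirely:
    - a token with no SID array gets an empty mask;
    - the system token gets every privilege (~0);
    - the anonymous token gets an empty mask.

  Returns NT_STATUS_OK on success, NT_STATUS_NO_MEMORY if the
  temporary talloc context cannot be created,
  NT_STATUS_INTERNAL_DB_CORRUPTION if privilege.ldb cannot be opened,
  or the error from samdb_privilege_setup_sid() (in which case
  privilege_mask may already be partially filled in).

  NOTE(review): only privilege_mask is reset here. Whatever
  security_token_set_right_bit() updates on the token (called from
  samdb_privilege_setup_sid()) is not cleared, so a reused token could
  keep stale rights — confirm callers always pass a freshly built
  token.
*/
NTSTATUS samdb_privilege_setup(struct loadparm_context *lp_ctx, struct security_token *token)
{
	struct ldb_context *pdb;
	TALLOC_CTX *mem_ctx;
	unsigned int i;
	NTSTATUS status;

	/* Shortcuts to prevent recursion and avoid lookups */
	if (token->sids == NULL) {
		token->privilege_mask = 0;
		return NT_STATUS_OK;
	}

	if (security_token_is_system(token)) {
		token->privilege_mask = ~0;
		return NT_STATUS_OK;
	}

	if (security_token_is_anonymous(token)) {
		token->privilege_mask = 0;
		return NT_STATUS_OK;
	}

	/*
	  Everything below — the ldb connection and every search
	  result — is allocated under this context and released with
	  it. Previously the allocation was not checked; a NULL context
	  would have made privilege_connect() and the searches allocate
	  with no parent, leaking them.
	*/
	mem_ctx = talloc_new(token);
	NT_STATUS_HAVE_NO_MEMORY(mem_ctx);

	pdb = privilege_connect(mem_ctx, lp_ctx);
	if (pdb == NULL) {
		talloc_free(mem_ctx);
		return NT_STATUS_INTERNAL_DB_CORRUPTION;
	}

	token->privilege_mask = 0;

	for (i = 0; i < token->num_sids; i++) {
		status = samdb_privilege_setup_sid(pdb, mem_ctx,
						   token, &token->sids[i]);
		if (!NT_STATUS_IS_OK(status)) {
			talloc_free(mem_ctx);
			return status;
		}
	}

	talloc_free(mem_ctx);

	return NT_STATUS_OK;
}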
