diff options
author | Jeremy Allison <jra@samba.org> | 2002-10-18 19:46:28 +0000 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2002-10-18 19:46:28 +0000 |
commit | e13dd2f3025a557bbd71765a684005562591843d (patch) | |
tree | 7f36802b8b2baffd502f56f89b686417857a45b8 /source3 | |
parent | 0fc3596a95dc54c27cbb3edf6ebb264e646299af (diff) | |
download | samba-e13dd2f3025a557bbd71765a684005562591843d.tar.gz samba-e13dd2f3025a557bbd71765a684005562591843d.tar.bz2 samba-e13dd2f3025a557bbd71765a684005562591843d.zip |
Start to merge the new ACL mapping code from Andreas Gruenbacher <agruen@suse.de>.
Jeremy.
(This used to be commit f6103f866a5e698ab55fdab1444a14e3d8da16bb)
Diffstat (limited to 'source3')
-rw-r--r-- | source3/lib/util_sid.c | 106 | ||||
-rw-r--r-- | source3/passdb/util_sam_sid.c | 48 |
2 files changed, 106 insertions, 48 deletions
diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index c5b4a143ea..f01479f1cc 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -55,6 +55,11 @@ DOM_SID global_sid_Builtin_Print_Operators; /* Builtin print operators */ DOM_SID global_sid_Builtin_Backup_Operators; /* Builtin backup operators */ DOM_SID global_sid_Builtin_Replicator; /* Builtin replicator */ +#define SECURITY_NULL_SID_AUTHORITY 0 +#define SECURITY_WORLD_SID_AUTHORITY 1 +#define SECURITY_LOCAL_SID_AUTHORITY 2 +#define SECURITY_CREATOR_SID_AUTHORITY 3 +#define SECURITY_NT_AUTHORITY 5 /* * An NT compatible anonymous token. @@ -63,14 +68,14 @@ DOM_SID global_sid_Builtin_Replicator; /* Builtin replicator */ static DOM_SID anon_sid_array[3]; NT_USER_TOKEN anonymous_token = { - 3, - anon_sid_array + 3, + anon_sid_array }; static DOM_SID system_sid_array[4]; NT_USER_TOKEN system_token = { - 1, - system_sid_array + 1, + system_sid_array }; /**************************************************************************** @@ -81,13 +86,13 @@ const static struct { enum SID_NAME_USE sid_type; char *string; } sid_name_type[] = { - {SID_NAME_USER, "user"}, - {SID_NAME_DOM_GRP, "domain group"}, - {SID_NAME_DOMAIN, "domain"}, - {SID_NAME_ALIAS, "local group"}, - {SID_NAME_WKN_GRP, "well-known group"}, - {SID_NAME_DELETED, "deleted account"}, - {SID_NAME_INVALID, "invalid account"}, + {SID_NAME_USER, "User"}, + {SID_NAME_DOM_GRP, "Domain Group"}, + {SID_NAME_DOMAIN, "Domain"}, + {SID_NAME_ALIAS, "Local Group"}, + {SID_NAME_WKN_GRP, "Well-known Group"}, + {SID_NAME_DELETED, "Deleted Account"}, + {SID_NAME_INVALID, "Invalid Account"}, {SID_NAME_UNKNOWN, "UNKNOWN"}, {SID_NAME_USE_NONE, NULL} @@ -106,10 +111,8 @@ const char *sid_type_lookup(uint32 sid_type) /* Default return */ return "SID *TYPE* is INVALID"; - } - /**************************************************************************** Creates some useful well known sids ****************************************************************************/ @@ -117,22 +120,30 @@ const char *sid_type_lookup(uint32 sid_type) void generate_wellknown_sids(void) { static BOOL initialised = False; + if (initialised) return; + /* SECURITY_NULL_SID_AUTHORITY */ + string_to_sid(&global_sid_NULL, "S-1-0-0"); + + /* SECURITY_WORLD_SID_AUTHORITY */ string_to_sid(&global_sid_World_Domain, "S-1-1"); string_to_sid(&global_sid_World, "S-1-1-0"); + + /* SECURITY_CREATOR_SID_AUTHORITY */ string_to_sid(&global_sid_Creator_Owner_Domain, "S-1-3"); string_to_sid(&global_sid_Creator_Owner, "S-1-3-0"); string_to_sid(&global_sid_Creator_Group, "S-1-3-1"); + + /* SECURITY_NT_AUTHORITY */ string_to_sid(&global_sid_NT_Authority, "S-1-5"); - string_to_sid(&global_sid_System, "S-1-5-18"); - string_to_sid(&global_sid_NULL, "S-1-0-0"); - string_to_sid(&global_sid_Authenticated_Users, "S-1-5-11"); string_to_sid(&global_sid_Network, "S-1-5-2"); string_to_sid(&global_sid_Anonymous, "S-1-5-7"); + string_to_sid(&global_sid_Authenticated_Users, "S-1-5-11"); + string_to_sid(&global_sid_System, "S-1-5-18"); - /* create well known builtin SIDs */ + /* SECURITY_BUILTIN_DOMAIN_RID */ string_to_sid(&global_sid_Builtin, "S-1-5-32"); string_to_sid(&global_sid_Builtin_Administrators, "S-1-5-32-544"); string_to_sid(&global_sid_Builtin_Users, "S-1-5-32-545"); @@ -195,40 +206,59 @@ void split_domain_name(const char *fullname, char *domain, char *name) fullname, domain, name)); } +/**************************************************************************** + Test if a SID is wellknown and resolvable. +****************************************************************************/ + +BOOL resolvable_wellknown_sid(DOM_SID *sid) +{ + uint32 ia = (sid->id_auth[5]) + + (sid->id_auth[4] << 8 ) + + (sid->id_auth[3] << 16) + + (sid->id_auth[2] << 24); + + if (sid->sid_rev_num != SEC_DESC_REVISION || sid->num_auths < 1) + return False; + + return (ia == SECURITY_WORLD_SID_AUTHORITY || + ia == SECURITY_CREATOR_SID_AUTHORITY); +} + /***************************************************************** Convert a SID to an ascii string. *****************************************************************/ char *sid_to_string(fstring sidstr_out, const DOM_SID *sid) { - char subauth[16]; - int i; - uint32 ia; + char subauth[16]; + int i; + uint32 ia; - if (!sid) { - fstrcpy(sidstr_out, "(NULL SID)"); - return sidstr_out; - } + if (!sid) { + fstrcpy(sidstr_out, "(NULL SID)"); + return sidstr_out; + } - /* BIG NOTE: this function only does SIDS where the identauth is not >= 2^32 */ - ia = (sid->id_auth[5]) + - (sid->id_auth[4] << 8 ) + - (sid->id_auth[3] << 16) + - (sid->id_auth[2] << 24); + /* BIG NOTE: this function only does SIDS where the identauth is not >= 2^32 */ + ia = (sid->id_auth[5]) + + (sid->id_auth[4] << 8 ) + + (sid->id_auth[3] << 16) + + (sid->id_auth[2] << 24); - slprintf(sidstr_out, sizeof(fstring) - 1, "S-%u-%lu", (unsigned int)sid->sid_rev_num, (unsigned long)ia); + slprintf(sidstr_out, sizeof(fstring) - 1, "S-%u-%lu", (unsigned int)sid->sid_rev_num, (unsigned long)ia); - for (i = 0; i < sid->num_auths; i++) { - slprintf(subauth, sizeof(subauth)-1, "-%lu", (unsigned long)sid->sub_auths[i]); - fstrcat(sidstr_out, subauth); - } + for (i = 0; i < sid->num_auths; i++) { + slprintf(subauth, sizeof(subauth)-1, "-%lu", (unsigned long)sid->sub_auths[i]); + fstrcat(sidstr_out, subauth); + } - return sidstr_out; + return sidstr_out; } -/* - useful function for debug lines -*/ +/***************************************************************** + Useful function for debug lines. +*****************************************************************/ + const char *sid_string_static(const DOM_SID *sid) { static fstring sid_str; diff --git a/source3/passdb/util_sam_sid.c b/source3/passdb/util_sam_sid.c index 6ec1e48ab3..60998003f6 100644 --- a/source3/passdb/util_sam_sid.c +++ b/source3/passdb/util_sam_sid.c @@ -54,7 +54,8 @@ static known_sid_users everyone_users[] = { {0, (enum SID_NAME_USE)0, NULL}}; static known_sid_users creator_owner_users[] = { - { 0, SID_NAME_ALIAS, "Creator Owner" }, + { 0, SID_NAME_WKN_GRP, "Creator Owner" }, + { 1, SID_NAME_WKN_GRP, "Creator Group" }, {0, (enum SID_NAME_USE)0, NULL}}; static known_sid_users nt_authority_users[] = { @@ -80,11 +81,10 @@ static known_sid_users builtin_groups[] = { { BUILTIN_ALIAS_RID_BACKUP_OPS, SID_NAME_ALIAS, "Backup Operators" }, { 0, (enum SID_NAME_USE)0, NULL}}; - - /************************************************************************** - quick init function - *************************************************************************/ + Quick init function. +*************************************************************************/ + static void init_sid_name_map (void) { int i = 0; @@ -105,8 +105,7 @@ static void init_sid_name_map (void) sid_name_map[i].name = global_myname; sid_name_map[i].known_users = NULL; i++; - } - else { + } else { sid_name_map[i].sid = get_global_sam_sid(); sid_name_map[i].name = global_myname; sid_name_map[i].known_users = NULL; @@ -133,8 +132,7 @@ static void init_sid_name_map (void) sid_name_map[i].known_users = &nt_authority_users[0]; i++; - - /* end of array */ + /* End of array. */ sid_name_map[i].sid = NULL; sid_name_map[i].name = NULL; sid_name_map[i].known_users = NULL; @@ -142,7 +140,6 @@ static void init_sid_name_map (void) sid_name_map_initialized = True; return; - } /************************************************************************** @@ -257,6 +254,7 @@ BOOL map_domain_name_to_sid(DOM_SID *sid, char *nt_domain) /***************************************************************** Check if the SID is our domain SID (S-1-5-21-x-y-z). *****************************************************************/ + BOOL sid_check_is_domain(const DOM_SID *sid) { return sid_equal(sid, get_global_sam_sid()); @@ -265,6 +263,7 @@ BOOL sid_check_is_domain(const DOM_SID *sid) /***************************************************************** Check if the SID is our domain SID (S-1-5-21-x-y-z). *****************************************************************/ + BOOL sid_check_is_in_our_domain(const DOM_SID *sid) { DOM_SID dom_sid; @@ -276,3 +275,32 @@ BOOL sid_check_is_in_our_domain(const DOM_SID *sid) return sid_equal(&dom_sid, get_global_sam_sid()); } +/************************************************************************** + Try and map a name to one of the well known SIDs. +***************************************************************************/ + +BOOL map_name_to_wellknown_sid(DOM_SID *sid, enum SID_NAME_USE *use, const char *name) +{ + int i, j; + + if (!sid_name_map_initialized) + init_sid_name_map(); + + for (i=0; sid_name_map[i].sid != NULL; i++) { + known_sid_users *users = sid_name_map[i].known_users; + + if (users == NULL) + continue; + + for (j=0; users[j].known_user_name != NULL; j++) { + if (strequal(users[j].known_user_name, name) == 0) { + sid_copy(sid, sid_name_map[i].sid); + sid_append_rid(sid, users[j].rid); + *use = users[j].sid_name_use; + return True; + } + } + } + + return False; +} |