authorJeremy Allison <jra@samba.org>2002-10-18 19:46:32 +0000
committerJeremy Allison <jra@samba.org>2002-10-18 19:46:32 +0000
commite9cc37b0bb26a67e80868cf53d2db08361d182dd (patch)
treec9a74737b3d2efd766a706482424df3ed6eeea7f /source3
parent67b3799bf4a1eb55b0c0ded50aeb460a5722a76b (diff)
Start to merge the new ACL mapping code from Andreas Gruenbacher <agruen@suse.de>.
Jeremy. (This used to be commit 597c4610090d711fd30c1ffacc97212cf399a264)
Diffstat (limited to 'source3')
-rw-r--r--source3/lib/util_sid.c148
-rw-r--r--source3/passdb/util_sam_sid.c48
2 files changed, 135 insertions, 61 deletions
diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c
index 1439471f64..f01479f1cc 100644
--- a/source3/lib/util_sid.c
+++ b/source3/lib/util_sid.c
@@ -5,6 +5,7 @@
Copyright (C) Luke Kenneth Caseson Leighton 1998-1999
Copyright (C) Jeremy Allison 1999
Copyright (C) Stefan (metze) Metzmacher 2002
+ Copyright (C) Simo Sorce 2002
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -37,16 +38,28 @@ DOM_SID global_sid_NT_Authority; /* NT Authority */
DOM_SID global_sid_System; /* System */
DOM_SID global_sid_NULL; /* NULL sid */
DOM_SID global_sid_Authenticated_Users; /* All authenticated rids */
-DOM_SID global_sid_Network; /* Network rids */
-
-static DOM_SID global_sid_Creator_Owner; /* Creator Owner */
-static DOM_SID global_sid_Creator_Group; /* Creator Group */
-static DOM_SID global_sid_Anonymous; /* Anonymous login */
-
-DOM_SID global_sid_Builtin; /* Local well-known domain */
-DOM_SID global_sid_Builtin_Administrators;
-DOM_SID global_sid_Builtin_Users;
-DOM_SID global_sid_Builtin_Guests; /* Builtin guest users */
+DOM_SID global_sid_Network; /* Network rids */
+
+static DOM_SID global_sid_Creator_Owner; /* Creator Owner */
+static DOM_SID global_sid_Creator_Group; /* Creator Group */
+static DOM_SID global_sid_Anonymous; /* Anonymous login */
+
+DOM_SID global_sid_Builtin; /* Local well-known domain */
+DOM_SID global_sid_Builtin_Administrators; /* Builtin administrators */
+DOM_SID global_sid_Builtin_Users; /* Builtin users */
+DOM_SID global_sid_Builtin_Guests; /* Builtin guest users */
+DOM_SID global_sid_Builtin_Power_Users; /* Builtin power users */
+DOM_SID global_sid_Builtin_Account_Operators; /* Builtin account operators */
+DOM_SID global_sid_Builtin_Server_Operators; /* Builtin server operators */
+DOM_SID global_sid_Builtin_Print_Operators; /* Builtin print operators */
+DOM_SID global_sid_Builtin_Backup_Operators; /* Builtin backup operators */
+DOM_SID global_sid_Builtin_Replicator; /* Builtin replicator */
+
+#define SECURITY_NULL_SID_AUTHORITY 0
+#define SECURITY_WORLD_SID_AUTHORITY 1
+#define SECURITY_LOCAL_SID_AUTHORITY 2
+#define SECURITY_CREATOR_SID_AUTHORITY 3
+#define SECURITY_NT_AUTHORITY 5
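Review bot: The six new global_sid_Builtin_* definitions are given external linkage while global_sid_Creator_Owner, global_sid_Creator_Group and global_sid_Anonymous stay static, and the diffstat shows no header change in this commit; if the ACL mapping code is meant to reach them they need matching declarations such as `extern DOM_SID global_sid_Builtin_Power_Users;` in a header, otherwise they should be `static` like their neighbours to keep them out of the global namespace. The SECURITY_*_AUTHORITY macros are likewise placed in this .c file, so any other code that decodes id_auth would have to duplicate them; a shared header seems the better home. Note also that SECURITY_LOCAL_SID_AUTHORITY is defined but nothing visible in this commit uses it.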
/*
* An NT compatible anonymous token.
@@ -55,14 +68,14 @@ DOM_SID global_sid_Builtin_Guests; /* Builtin guest users */
static DOM_SID anon_sid_array[3];
NT_USER_TOKEN anonymous_token = {
- 3,
- anon_sid_array
+ 3,
+ anon_sid_array
};
static DOM_SID system_sid_array[4];
NT_USER_TOKEN system_token = {
- 1,
- system_sid_array
+ 1,
+ system_sid_array
};
/****************************************************************************
@@ -73,13 +86,13 @@ const static struct {
enum SID_NAME_USE sid_type;
char *string;
} sid_name_type[] = {
- {SID_NAME_USER, "user"},
- {SID_NAME_DOM_GRP, "domain group"},
- {SID_NAME_DOMAIN, "domain"},
- {SID_NAME_ALIAS, "local group"},
- {SID_NAME_WKN_GRP, "well-known group"},
- {SID_NAME_DELETED, "deleted account"},
- {SID_NAME_INVALID, "invalid account"},
+ {SID_NAME_USER, "User"},
+ {SID_NAME_DOM_GRP, "Domain Group"},
+ {SID_NAME_DOMAIN, "Domain"},
+ {SID_NAME_ALIAS, "Local Group"},
+ {SID_NAME_WKN_GRP, "Well-known Group"},
+ {SID_NAME_DELETED, "Deleted Account"},
+ {SID_NAME_INVALID, "Invalid Account"},
{SID_NAME_UNKNOWN, "UNKNOWN"},
{SID_NAME_USE_NONE, NULL}
@@ -98,10 +111,8 @@ const char *sid_type_lookup(uint32 sid_type)
/* Default return */
return "SID *TYPE* is INVALID";
-
}
-
/****************************************************************************
Creates some useful well known sids
****************************************************************************/
@@ -109,24 +120,40 @@ const char *sid_type_lookup(uint32 sid_type)
void generate_wellknown_sids(void)
{
static BOOL initialised = False;
+
if (initialised)
return;
- string_to_sid(&global_sid_Builtin, "S-1-5-32");
- string_to_sid(&global_sid_Builtin_Administrators, "S-1-5-32-544");
- string_to_sid(&global_sid_Builtin_Users, "S-1-5-32-545");
- string_to_sid(&global_sid_Builtin_Guests, "S-1-5-32-546");
+ /* SECURITY_NULL_SID_AUTHORITY */
+ string_to_sid(&global_sid_NULL, "S-1-0-0");
+
+ /* SECURITY_WORLD_SID_AUTHORITY */
string_to_sid(&global_sid_World_Domain, "S-1-1");
string_to_sid(&global_sid_World, "S-1-1-0");
+
+ /* SECURITY_CREATOR_SID_AUTHORITY */
string_to_sid(&global_sid_Creator_Owner_Domain, "S-1-3");
string_to_sid(&global_sid_Creator_Owner, "S-1-3-0");
string_to_sid(&global_sid_Creator_Group, "S-1-3-1");
+
+ /* SECURITY_NT_AUTHORITY */
string_to_sid(&global_sid_NT_Authority, "S-1-5");
- string_to_sid(&global_sid_System, "S-1-5-18");
- string_to_sid(&global_sid_NULL, "S-1-0-0");
- string_to_sid(&global_sid_Authenticated_Users, "S-1-5-11");
string_to_sid(&global_sid_Network, "S-1-5-2");
string_to_sid(&global_sid_Anonymous, "S-1-5-7");
+ string_to_sid(&global_sid_Authenticated_Users, "S-1-5-11");
+ string_to_sid(&global_sid_System, "S-1-5-18");
+
+ /* SECURITY_BUILTIN_DOMAIN_RID */
+ string_to_sid(&global_sid_Builtin, "S-1-5-32");
+ string_to_sid(&global_sid_Builtin_Administrators, "S-1-5-32-544");
+ string_to_sid(&global_sid_Builtin_Users, "S-1-5-32-545");
+ string_to_sid(&global_sid_Builtin_Guests, "S-1-5-32-546");
+ string_to_sid(&global_sid_Builtin_Power_Users, "S-1-5-32-547");
+ string_to_sid(&global_sid_Builtin_Account_Operators, "S-1-5-32-548");
+ string_to_sid(&global_sid_Builtin_Server_Operators, "S-1-5-32-549");
+ string_to_sid(&global_sid_Builtin_Print_Operators, "S-1-5-32-550");
+ string_to_sid(&global_sid_Builtin_Backup_Operators, "S-1-5-32-551");
+ string_to_sid(&global_sid_Builtin_Replicator, "S-1-5-32-552");
/* Create the anon token. */
sid_copy( &anonymous_token.user_sids[0], &global_sid_World);
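Review bot: Every string_to_sid call in generate_wellknown_sids discards its result, so a mistyped literal would leave that global SID unset and every later sid_equal against it silently false rather than failing loudly. Since the inputs are compile-time constants, checking the return (its type is outside this hunk) and reporting at init time, e.g. `if (!string_to_sid(&global_sid_Builtin, "S-1-5-32")) DEBUG(0, ("generate_wellknown_sids: bad literal\n"));`, would make such a mistake visible at startup. The SECURITY_*_AUTHORITY macros added earlier in this commit appear here only in comments; the literals still spell the authority by hand. The function's tail, including where `initialised` is set, lies outside the hunk.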
@@ -179,40 +206,59 @@ void split_domain_name(const char *fullname, char *domain, char *name)
fullname, domain, name));
}
+/****************************************************************************
+ Test if a SID is wellknown and resolvable.
+****************************************************************************/
+
+BOOL resolvable_wellknown_sid(DOM_SID *sid)
+{
+ uint32 ia = (sid->id_auth[5]) +
+ (sid->id_auth[4] << 8 ) +
+ (sid->id_auth[3] << 16) +
+ (sid->id_auth[2] << 24);
+
+ if (sid->sid_rev_num != SEC_DESC_REVISION || sid->num_auths < 1)
+ return False;
+
+ return (ia == SECURITY_WORLD_SID_AUTHORITY ||
+ ia == SECURITY_CREATOR_SID_AUTHORITY);
+}
+
/*****************************************************************
Convert a SID to an ascii string.
*****************************************************************/
char *sid_to_string(fstring sidstr_out, const DOM_SID *sid)
{
- char subauth[16];
- int i;
- uint32 ia;
+ char subauth[16];
+ int i;
+ uint32 ia;
- if (!sid) {
- fstrcpy(sidstr_out, "(NULL SID)");
- return sidstr_out;
- }
+ if (!sid) {
+ fstrcpy(sidstr_out, "(NULL SID)");
+ return sidstr_out;
+ }
- /* BIG NOTE: this function only does SIDS where the identauth is not >= 2^32 */
- ia = (sid->id_auth[5]) +
- (sid->id_auth[4] << 8 ) +
- (sid->id_auth[3] << 16) +
- (sid->id_auth[2] << 24);
+ /* BIG NOTE: this function only does SIDS where the identauth is not >= 2^32 */
+ ia = (sid->id_auth[5]) +
+ (sid->id_auth[4] << 8 ) +
+ (sid->id_auth[3] << 16) +
+ (sid->id_auth[2] << 24);
- slprintf(sidstr_out, sizeof(fstring) - 1, "S-%u-%lu", (unsigned int)sid->sid_rev_num, (unsigned long)ia);
+ slprintf(sidstr_out, sizeof(fstring) - 1, "S-%u-%lu", (unsigned int)sid->sid_rev_num, (unsigned long)ia);
- for (i = 0; i < sid->num_auths; i++) {
- slprintf(subauth, sizeof(subauth)-1, "-%lu", (unsigned long)sid->sub_auths[i]);
- fstrcat(sidstr_out, subauth);
- }
+ for (i = 0; i < sid->num_auths; i++) {
+ slprintf(subauth, sizeof(subauth)-1, "-%lu", (unsigned long)sid->sub_auths[i]);
+ fstrcat(sidstr_out, subauth);
+ }
- return sidstr_out;
+ return sidstr_out;
}
-/*
- useful function for debug lines
-*/
+/*****************************************************************
+ Useful function for debug lines.
+*****************************************************************/
+
const char *sid_string_static(const DOM_SID *sid)
{
static fstring sid_str;
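Review bot: resolvable_wellknown_sid folds only id_auth[2..5] into `ia`, so a SID whose id_auth[0] or id_auth[1] is non-zero (an identifier authority of 2^32 or more) is classified by its low 32 bits and can be reported as WORLD or CREATOR authority; sid_to_string carries the "BIG NOTE" about that limitation, but this new predicate makes a resolution decision on it. The guard should reject such SIDs explicitly: `if (sid->sid_rev_num != SEC_DESC_REVISION || sid->num_auths < 1 ||` / `    sid->id_auth[0] != 0 || sid->id_auth[1] != 0)` / `	return False;`. Two smaller points: `(sid->id_auth[2] << 24)` shifts a promoted int and, if id_auth is an 8-bit type as the indexing suggests, overflows for values of 0x80 and above, so cast to uint32 before shifting; and the parameter could be `const DOM_SID *sid` like sid_to_string's, since it is only read. SEC_DESC_REVISION names a security-descriptor revision; if a SID revision constant exists it would read more accurately here.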
diff --git a/source3/passdb/util_sam_sid.c b/source3/passdb/util_sam_sid.c
index 6ec1e48ab3..60998003f6 100644
--- a/source3/passdb/util_sam_sid.c
+++ b/source3/passdb/util_sam_sid.c
@@ -54,7 +54,8 @@ static known_sid_users everyone_users[] = {
{0, (enum SID_NAME_USE)0, NULL}};
static known_sid_users creator_owner_users[] = {
- { 0, SID_NAME_ALIAS, "Creator Owner" },
+ { 0, SID_NAME_WKN_GRP, "Creator Owner" },
+ { 1, SID_NAME_WKN_GRP, "Creator Group" },
{0, (enum SID_NAME_USE)0, NULL}};
static known_sid_users nt_authority_users[] = {
@@ -80,11 +81,10 @@ static known_sid_users builtin_groups[] = {
{ BUILTIN_ALIAS_RID_BACKUP_OPS, SID_NAME_ALIAS, "Backup Operators" },
{ 0, (enum SID_NAME_USE)0, NULL}};
-
-
/**************************************************************************
- quick init function
- *************************************************************************/
+ Quick init function.
+*************************************************************************/
+
static void init_sid_name_map (void)
{
int i = 0;
@@ -105,8 +105,7 @@ static void init_sid_name_map (void)
sid_name_map[i].name = global_myname;
sid_name_map[i].known_users = NULL;
i++;
- }
- else {
+ } else {
sid_name_map[i].sid = get_global_sam_sid();
sid_name_map[i].name = global_myname;
sid_name_map[i].known_users = NULL;
@@ -133,8 +132,7 @@ static void init_sid_name_map (void)
sid_name_map[i].known_users = &nt_authority_users[0];
i++;
-
- /* end of array */
+ /* End of array. */
sid_name_map[i].sid = NULL;
sid_name_map[i].name = NULL;
sid_name_map[i].known_users = NULL;
@@ -142,7 +140,6 @@ static void init_sid_name_map (void)
sid_name_map_initialized = True;
return;
-
}
/**************************************************************************
@@ -257,6 +254,7 @@ BOOL map_domain_name_to_sid(DOM_SID *sid, char *nt_domain)
/*****************************************************************
Check if the SID is our domain SID (S-1-5-21-x-y-z).
*****************************************************************/
+
BOOL sid_check_is_domain(const DOM_SID *sid)
{
return sid_equal(sid, get_global_sam_sid());
@@ -265,6 +263,7 @@ BOOL sid_check_is_domain(const DOM_SID *sid)
/*****************************************************************
Check if the SID is our domain SID (S-1-5-21-x-y-z).
*****************************************************************/
+
BOOL sid_check_is_in_our_domain(const DOM_SID *sid)
{
DOM_SID dom_sid;
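Review bot: The comment block this hunk extends describes sid_check_is_in_our_domain with the same text as sid_check_is_domain above it, "Check if the SID is our domain SID (S-1-5-21-x-y-z)", which is misleading for a function whose body (continuing past the hunk) copies the SID into dom_sid before comparing it against get_global_sam_sid(). Since the blank line is being added anyway, the comment should say what this variant does, e.g. `Check if the SID belongs to our domain (S-1-5-21-x-y-z-rid): compares its domain part against the SAM SID.`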
@@ -276,3 +275,32 @@ BOOL sid_check_is_in_our_domain(const DOM_SID *sid)
return sid_equal(&dom_sid, get_global_sam_sid());
}
+/**************************************************************************
+ Try and map a name to one of the well known SIDs.
+***************************************************************************/
+
+BOOL map_name_to_wellknown_sid(DOM_SID *sid, enum SID_NAME_USE *use, const char *name)
+{
+ int i, j;
+
+ if (!sid_name_map_initialized)
+ init_sid_name_map();
+
+ for (i=0; sid_name_map[i].sid != NULL; i++) {
+ known_sid_users *users = sid_name_map[i].known_users;
+
+ if (users == NULL)
+ continue;
+
+ for (j=0; users[j].known_user_name != NULL; j++) {
+ if (strequal(users[j].known_user_name, name) == 0) {
+ sid_copy(sid, sid_name_map[i].sid);
+ sid_append_rid(sid, users[j].rid);
+ *use = users[j].sid_name_use;
+ return True;
+ }
+ }
+ }
+
+ return False;
+}
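Review bot: The match test `if (strequal(users[j].known_user_name, name) == 0)` looks inverted: if strequal follows the convention used elsewhere in Samba of returning True on a case-insensitive match, this branch fires on the first known name that does NOT equal `name`, so any name would be mapped to the first well-known entry with its rid appended. It should read `if (strequal(users[j].known_user_name, name)) {`. For a function that hands out well-known SIDs by name, a false positive here is an authorization bug rather than a lookup miss, so a check that a clearly unknown name returns False is worth adding alongside the fix. `name` is also passed straight through without a NULL check, which matters only if strequal does not tolerate NULL.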