author | Andrew Bartlett <abartlet@samba.org> | 2011-01-20 23:39:37 +1100 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2011-01-20 23:44:05 +0100 |
commit | fbe6d155bf177c610ee549cc534650b0f0700e8a (patch) | |
tree | 58d82c2cadfc460ad8cf6a7e9b3ec6c162234ec7 /source4/dsdb | |
parent | cce5231b4d4ee9d4918004586bda9d499596d3d4 (diff) | |
download | samba-fbe6d155bf177c610ee549cc534650b0f0700e8a.tar.gz samba-fbe6d155bf177c610ee549cc534650b0f0700e8a.tar.bz2 samba-fbe6d155bf177c610ee549cc534650b0f0700e8a.zip |
s4-auth Remove special case for account_sid from auth_serversupplied_info
This makes everything reference a server_info->sids list, which is now
a struct dom_sid *, not a struct dom_sid **. This is in keeping with
the other sid lists in the security_token etc.
In the process, I also tidy up the talloc tree (move more structures
under their logical parents) and check for some possible overflows in
situations with a pathological number of sids.
Andrew Bartlett
Diffstat (limited to 'source4/dsdb')
-rw-r--r-- | source4/dsdb/common/util_groups.c | 13 | ||||
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/operational.c | 4 | ||||
-rw-r--r-- | source4/dsdb/samdb/samdb.c | 53 |
3 files changed, 29 insertions, 41 deletions
diff --git a/source4/dsdb/common/util_groups.c b/source4/dsdb/common/util_groups.c
index d41305577c..b5aecbafe9 100644
--- a/source4/dsdb/common/util_groups.c
+++ b/source4/dsdb/common/util_groups.c
@@ -27,14 +27,14 @@
 #include "dsdb/common/util.h"
 
 /* This function tests if a SID structure "sids" contains the SID "sid" */
-static bool sids_contains_sid(const struct dom_sid **sids,
+static bool sids_contains_sid(const struct dom_sid *sids,
 			      const unsigned int num_sids,
 			      const struct dom_sid *sid)
 {
 	unsigned int i;
 
 	for (i = 0; i < num_sids; i++) {
-		if (dom_sid_equal(sids[i], sid))
+		if (dom_sid_equal(&sids[i], sid))
 			return true;
 	}
 	return false;
@@ -56,7 +56,7 @@ static bool sids_contains_sid(const struct dom_sid **sids,
  */
 NTSTATUS dsdb_expand_nested_groups(struct ldb_context *sam_ctx,
 		struct ldb_val *dn_val, const bool only_childs, const char *filter,
-		TALLOC_CTX *res_sids_ctx, struct dom_sid ***res_sids,
+		TALLOC_CTX *res_sids_ctx, struct dom_sid **res_sids,
 		unsigned int *num_res_sids)
 {
 	const char * const attrs[] = { "memberOf", NULL };
@@ -114,7 +114,7 @@ NTSTATUS dsdb_expand_nested_groups(struct ldb_context *sam_ctx,
 					DSDB_SEARCH_SHOW_EXTENDED_DN);
 	} else {
 		/* This is an O(n^2) linear search */
-		already_there = sids_contains_sid((const struct dom_sid**) *res_sids,
+		already_there = sids_contains_sid(*res_sids,
 						  *num_res_sids, &sid);
 		if (already_there) {
 			talloc_free(tmp_ctx);
@@ -148,10 +148,9 @@ NTSTATUS dsdb_expand_nested_groups(struct ldb_context *sam_ctx,
 		/* We only apply this test once we know the SID matches the filter */
 		if (!only_childs) {
 			*res_sids = talloc_realloc(res_sids_ctx, *res_sids,
-						   struct dom_sid *, *num_res_sids + 1);
+						   struct dom_sid, *num_res_sids + 1);
 			NT_STATUS_HAVE_NO_MEMORY_AND_FREE(*res_sids, tmp_ctx);
-			(*res_sids)[*num_res_sids] = dom_sid_dup(*res_sids, &sid);
-			NT_STATUS_HAVE_NO_MEMORY_AND_FREE((*res_sids)[*num_res_sids], tmp_ctx);
+			(*res_sids)[*num_res_sids] = sid;
 			++(*num_res_sids);
 		}
 
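Review bot: In the last hunk, `*res_sids = talloc_realloc(...)` overwrites the caller's array pointer before the result is checked, so on allocation failure the caller is handed `*res_sids == NULL` together with an unchanged, non-zero `*num_res_sids`, and anything that trusts the count without checking the NTSTATUS dereferences NULL. Realloc into a local first: `struct dom_sid *grown = talloc_realloc(res_sids_ctx, *res_sids, struct dom_sid, *num_res_sids + 1);` `NT_STATUS_HAVE_NO_MEMORY_AND_FREE(grown, tmp_ctx);` `*res_sids = grown;`. The commit message says overflow checks were added for pathological SID counts, but none appears in this file; `*num_res_sids + 1` is plain unsigned arithmetic, so if that check was meant to live here it is missing. dsdb_expand_nested_groups starts and ends outside the hunk.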
diff --git a/source4/dsdb/samdb/ldb_modules/operational.c b/source4/dsdb/samdb/ldb_modules/operational.c
index ae61089198..1df56e8fe0 100644
--- a/source4/dsdb/samdb/ldb_modules/operational.c
+++ b/source4/dsdb/samdb/ldb_modules/operational.c
@@ -149,7 +149,7 @@ static int construct_token_groups(struct ldb_module *module,
 	const char *account_sid_string;
 	const char *account_sid_dn;
 	DATA_BLOB account_sid_blob;
-	struct dom_sid **groupSIDs = NULL;
+	struct dom_sid *groupSIDs = NULL;
 	unsigned int num_groupSIDs = 0;
 	struct dom_sid *domain_sid;
 
@@ -254,7 +254,7 @@ static int construct_token_groups(struct ldb_module *module,
 	}
 
 	for (i=0; i < num_groupSIDs; i++) {
-		ret = samdb_msg_add_dom_sid(ldb, msg, msg, "tokenGroups", groupSIDs[i]);
+		ret = samdb_msg_add_dom_sid(ldb, msg, msg, "tokenGroups", &groupSIDs[i]);
 		if (ret) {
 			talloc_free(tmp_ctx);
 			return ret;
diff --git a/source4/dsdb/samdb/samdb.c b/source4/dsdb/samdb/samdb.c
index 11913fbbce..53be12cd52 100644
--- a/source4/dsdb/samdb/samdb.c
+++ b/source4/dsdb/samdb/samdb.c
@@ -144,10 +144,8 @@ struct ldb_context *samdb_connect(TALLOC_CTX *mem_ctx,
 ****************************************************************************/
 
 NTSTATUS security_token_create(TALLOC_CTX *mem_ctx,
 			       struct loadparm_context *lp_ctx,
-			       struct dom_sid *user_sid,
-			       struct dom_sid *group_sid,
-			       unsigned int n_groupSIDs,
-			       struct dom_sid **groupSIDs,
+			       unsigned int num_sids,
+			       struct dom_sid *sids,
 			       uint32_t session_info_flags,
 			       struct security_token **token)
 {
@@ -158,22 +156,32 @@ NTSTATUS security_token_create(TALLOC_CTX *mem_ctx,
 	ptoken = security_token_initialise(mem_ctx);
 	NT_STATUS_HAVE_NO_MEMORY(ptoken);
 
-	ptoken->sids = talloc_array(ptoken, struct dom_sid, n_groupSIDs + 6 /* over-allocate */);
+	ptoken->sids = talloc_array(ptoken, struct dom_sid, num_sids + 6 /* over-allocate */);
 	NT_STATUS_HAVE_NO_MEMORY(ptoken->sids);
-	ptoken->num_sids = 1;
+	ptoken->num_sids = 0;
 
-	ptoken->sids = talloc_realloc(ptoken, ptoken->sids, struct dom_sid, ptoken->num_sids + 1);
-	NT_STATUS_HAVE_NO_MEMORY(ptoken->sids);
+	for (i = 0; i < num_sids; i++) {
+		size_t check_sid_idx;
+		for (check_sid_idx = 0;
+		     check_sid_idx < ptoken->num_sids;
+		     check_sid_idx++) {
+			if (dom_sid_equal(&ptoken->sids[check_sid_idx], &sids[i])) {
+				break;
+			}
+		}
 
-	ptoken->sids[PRIMARY_USER_SID_INDEX] = *user_sid;
-	if (!dom_sid_equal(user_sid, group_sid)) {
-		ptoken->sids[PRIMARY_GROUP_SID_INDEX] = *group_sid;
-		ptoken->num_sids++;
+		if (check_sid_idx == ptoken->num_sids) {
+			ptoken->sids = talloc_realloc(ptoken, ptoken->sids, struct dom_sid, ptoken->num_sids + 1);
+			NT_STATUS_HAVE_NO_MEMORY(ptoken->sids);
+
+			ptoken->sids[ptoken->num_sids] = sids[i];
+			ptoken->num_sids++;
+		}
 	}
 
 	/*
-	 * Finally add the "standard" SIDs.
+	 * Finally add the "standard" sids.
 	 * The only difference between guest and "anonymous"
 	 * is the addition of Authenticated_Users.
 	 */
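Review bot: The `+ 6 /* over-allocate */` in the talloc_array call is dead as soon as the new loop runs: the first unique SID hits `talloc_realloc(ptoken, ptoken->sids, struct dom_sid, ptoken->num_sids + 1)`, which shrinks the array to one element, and every later unique SID reallocs again, so the spare slots never exist. Either drop the over-allocation or make the loop honour it by tracking a capacity and only calling talloc_realloc when `ptoken->num_sids` reaches it. The more important question is the "standard" SID section that follows this hunk and is outside view: if it appends to `ptoken->sids` relying on those six spare slots, that is a write past the reallocated length and it needs its own realloc or the capacity check — worth confirming before merge. The dedup scan now also starts at index 0 instead of 1, so the account SID keeps the index 0 the old PRIMARY_USER_SID_INDEX code assumed only if the caller passes it first; a comment such as `/* sids[0] is expected to be the account SID and stays at index 0 */` would make that ordering contract explicit. security_token_create continues past the hunk.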
@@ -203,25 +211,6 @@ NTSTATUS security_token_create(TALLOC_CTX *mem_ctx,
 		ptoken->num_sids++;
 	}
 
-	for (i = 0; i < n_groupSIDs; i++) {
-		size_t check_sid_idx;
-		for (check_sid_idx = 1;
-		     check_sid_idx < ptoken->num_sids;
-		     check_sid_idx++) {
-			if (dom_sid_equal(&ptoken->sids[check_sid_idx], groupSIDs[i])) {
-				break;
-			}
-		}
-
-		if (check_sid_idx == ptoken->num_sids) {
-			ptoken->sids = talloc_realloc(ptoken, ptoken->sids, struct dom_sid, ptoken->num_sids + 1);
-			NT_STATUS_HAVE_NO_MEMORY(ptoken->sids);
-
-			ptoken->sids[ptoken->num_sids] = *groupSIDs[i];
-			ptoken->num_sids++;
-		}
-	}
-
 	/* The caller may have requested simple privilages, for example if there isn't a local DB */
 	if (session_info_flags & AUTH_SESSION_INFO_SIMPLE_PRIVILEGES) {
 		/* Shortcuts to prevent recursion and avoid lookups */