Diffstat (limited to 'source3/lib')
-rw-r--r--source3/lib/util_seaccess.c33
-rw-r--r--source3/lib/util_sid.c53
2 files changed, 45 insertions, 41 deletions
diff --git a/source3/lib/util_seaccess.c b/source3/lib/util_seaccess.c
index 9aa2be4d2d..87d0f3bb68 100644
--- a/source3/lib/util_seaccess.c
+++ b/source3/lib/util_seaccess.c
@@ -26,36 +26,8 @@
extern int DEBUGLEVEL;
-/* Everyone = S-1-1-0 */
-
-static DOM_SID everyone_sid = {
- 1, /* sid_rev_num */
- 1, /* num_auths */
- { 0, 0, 0, 0, 0, 1}, /* id_auth[6] */
- { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0} /* sub_auth[15] */
-};
-
-/*
- * Guest token used when there is no NT_USER_TOKEN available.
- */
-
-/* Guest = S-1-5-32-546 */
-
-static DOM_SID guest_sid = {
- 1, /* sid_rev_num */
- 2, /* num_auths */
- { 0, 0, 0, 0, 0, 5}, /* id_auth[6] */
- { 32, 546, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0} /* sub_auth[15] */
-};
-
-static NT_USER_TOKEN guest_token = {
- 1,
- &guest_sid
-};
-
/**********************************************************************************
Check if this ACE has a SID in common with the token.
- The SID "Everyone" always matches.
**********************************************************************************/
static BOOL token_sid_in_ace( NT_USER_TOKEN *token, SEC_ACE *ace)
@@ -63,8 +35,6 @@ static BOOL token_sid_in_ace( NT_USER_TOKEN *token, SEC_ACE *ace)
size_t i;
for (i = 0; i < token->num_sids; i++) {
- if (sid_equal(&ace->sid, &everyone_sid))
- return True;
if (sid_equal(&ace->sid, &token->user_sids[i]))
return True;
}
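Review bot: With the unconditional `sid_equal(&ace->sid, &everyone_sid)` short-circuit removed, an ACE for S-1-1-0 now matches only when the token itself carries that SID, so the loop silently depends on every token builder adding Everyone. The anonymous token built in util_sid.c does include global_sid_World, but user->nt_user_token is constructed elsewhere and nothing in this diff shows it gaining S-1-1-0; for any token that lacks it, Everyone allow ACEs stop granting and Everyone deny ACEs stop denying, which is the more dangerous direction. I would state the assumption above the loop, `/* No implicit Everyone match: every token must carry S-1-1-0 itself. */`, and confirm against the user-token builder. token_sid_in_ace's tail lies outside the hunk.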
@@ -200,10 +170,11 @@ static BOOL get_max_access( SEC_ACL *acl, NT_USER_TOKEN *token, uint32 *granted,
BOOL se_access_check(SEC_DESC *sd, struct current_user *user,
uint32 acc_desired, uint32 *acc_granted, uint32 *status)
{
+ extern NT_USER_TOKEN anonymous_token;
size_t i;
SEC_ACL *acl;
fstring sid_str;
- NT_USER_TOKEN *token = user->nt_user_token ? user->nt_user_token : &guest_token;
+ NT_USER_TOKEN *token = user->nt_user_token ? user->nt_user_token : &anonymous_token;
uint32 tmp_acc_desired = acc_desired;
if (!status || !acc_granted)
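Review bot: The function-scope `extern NT_USER_TOKEN anonymous_token;` bypasses whatever header declares the other global_sid_* symbols, so a later change to the token's type or linkage in util_sid.c would not be caught at this use site; it belongs next to those declarations. The fallback on the changed line is also order-sensitive: anonymous_token's SID array is only filled in by generate_wellknown_sids(), so a call reaching here before that runs checks access against an empty-looking token. A one-line comment on the assignment would capture both, e.g. `/* No NT token (null session): use the NT-style anonymous token, valid only after generate_wellknown_sids(). */`. se_access_check continues past the hunk.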
diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c
index 80254318c4..94144bbbd1 100644
--- a/source3/lib/util_sid.c
+++ b/source3/lib/util_sid.c
@@ -33,14 +33,17 @@ extern fstring global_myworkgroup;
* Some useful sids
*/
-DOM_SID global_sid_Builtin; /* local well-known domain */
-DOM_SID global_sid_World_Domain; /* everyone */
-DOM_SID global_sid_World; /* everyone */
-DOM_SID global_sid_Creator_Owner_Domain; /* Creator Owner */
-DOM_SID global_sid_Creator_Owner; /* Creator Owner */
-DOM_SID global_sid_NT_Authority; /* NT Authority */
-DOM_SID global_sid_NULL; /* NULL sid */
-DOM_SID global_sid_Builtin_Guests;
+DOM_SID global_sid_Builtin; /* Local well-known domain */
+DOM_SID global_sid_World_Domain; /* Everyone domain */
+DOM_SID global_sid_World; /* Everyone */
+DOM_SID global_sid_Creator_Owner_Domain; /* Creator Owner domain */
+DOM_SID global_sid_Creator_Owner; /* Creator Owner */
+DOM_SID global_sid_NT_Authority; /* NT Authority */
+DOM_SID global_sid_NULL; /* NULL sid */
+DOM_SID global_sid_Builtin_Guests; /* Builtin guest users */
+DOM_SID global_sid_Authenticated_Users; /* All authenticated rids */
+DOM_SID global_sid_Network; /* Network rids */
+DOM_SID global_sid_Anonymous; /* Anonymous login */
const DOM_SID *global_sid_everyone = &global_sid_World;
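Review bot: The comments on the three new globals describe them as "rids" ("All authenticated rids", "Network rids"), but each holds a complete well-known group SID, not a RID, which will mislead anyone reading sid_name_map later. Matching the style of the surrounding entries, I would write `/* Authenticated Users, S-1-5-11 */`, `/* Network logon, S-1-5-2 */` and `/* Anonymous logon, S-1-5-7 */` so the value assigned in generate_wellknown_sids is visible at the declaration. These are non-static, so they presumably also need extern declarations wherever global_sid_World and friends are exported.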
@@ -51,12 +54,15 @@ typedef struct _known_sid_users {
} known_sid_users;
/* static known_sid_users no_users[] = {{0, 0, NULL}}; */
+
static known_sid_users everyone_users[] = {
{ 0, SID_NAME_WKN_GRP, "Everyone" },
{0, (enum SID_NAME_USE)0, NULL}};
+
static known_sid_users creator_owner_users[] = {
{ 0, SID_NAME_ALIAS, "Creator Owner" },
{0, (enum SID_NAME_USE)0, NULL}};
+
static known_sid_users nt_authority_users[] = {
{ 1, SID_NAME_ALIAS, "Dialup" },
{ 2, SID_NAME_ALIAS, "Network"},
@@ -70,6 +76,10 @@ static known_sid_users nt_authority_users[] = {
{ 18, SID_NAME_ALIAS, "SYSTEM"},
{ 0, (enum SID_NAME_USE)0, NULL}};
+static known_sid_users builtin_users[] = {
+ { DOMAIN_USER_RID_ADMIN, SID_NAME_USER, "Administrator" },
+ { 0, (enum SID_NAME_USE)0, NULL}};
+
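Review bot: builtin_users maps DOMAIN_USER_RID_ADMIN to "Administrator" as SID_NAME_USER, but RID 500 is the account RID relative to a machine or domain SAM SID, whereas the BUILTIN authority S-1-5-32 (which the table's name suggests it is attached to, and which the map entry added later in this diff uses) holds aliases such as Administrators/544. If that attachment is intended, name lookups for S-1-5-32-500 would resolve to an account no NT system actually issues, and the reverse mapping "Administrator" could collide with the real SAM account. Please confirm which domain SID this table is meant for, and record it on the table, e.g. `/* RID 500 is relative to the SAM domain SID, not to BUILTIN (S-1-5-32). */`.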
static struct sid_name_map_info
{
DOM_SID *sid;
@@ -81,12 +91,24 @@ sid_name_map[] =
{ &global_sam_sid, global_myname, NULL},
{ &global_sam_sid, global_myworkgroup, NULL},
{ &global_sid_Builtin, "BUILTIN", NULL},
+ { &global_sid_Builtin, "", &builtin_users[0]},
{ &global_sid_World_Domain, "", &everyone_users[0] },
{ &global_sid_Creator_Owner_Domain, "", &creator_owner_users[0] },
{ &global_sid_NT_Authority, "NT Authority", &nt_authority_users[0] },
{ NULL, NULL, NULL}
};
+/*
+ * An NT compatible anonymous token.
+ */
+
+static DOM_SID anon_sid_array[3];
+
+NT_USER_TOKEN anonymous_token = {
+ 3,
+ anon_sid_array
+};
+
/****************************************************************************
Creates some useful well known sids
****************************************************************************/
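Review bot: anonymous_token is defined with num_sids 3 over anon_sid_array, which stays zero-filled until generate_wellknown_sids() copies the real SIDs in, so any access check that uses the token before that call compares ACEs against three all-zero SIDs rather than Everyone/Network/Anonymous. The definition should say so, e.g. `/* Populated by generate_wellknown_sids(); unusable before then. */`, and the array could be made visibly the same size as num_sids with a named constant rather than a bare 3 in two places. Separately, sid_name_map now carries &global_sid_Builtin twice, once as "BUILTIN" with no user table and once as "" with builtin_users; whichever entry a lookup walks first wins, which is worth a comment or a merge into a single entry.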
@@ -101,6 +123,14 @@ void generate_wellknown_sids(void)
string_to_sid(&global_sid_Creator_Owner, "S-1-3-0");
string_to_sid(&global_sid_NT_Authority, "S-1-5");
string_to_sid(&global_sid_NULL, "S-1-0-0");
+ string_to_sid(&global_sid_Authenticated_Users, "S-1-5-11");
+ string_to_sid(&global_sid_Network, "S-1-5-2");
+ string_to_sid(&global_sid_Anonymous, "S-1-5-7");
+
+ /* Create the anon token. */
+ sid_copy( &anonymous_token.user_sids[0], &global_sid_World);
+ sid_copy( &anonymous_token.user_sids[1], &global_sid_Network);
+ sid_copy( &anonymous_token.user_sids[2], &global_sid_Anonymous);
}
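Review bot: The three sid_copy calls define the identity every unauthenticated request is checked under, yet nothing says why these three SIDs or that their order is irrelevant; a comment such as `/* Anonymous token = Everyone + Network + Anonymous Logon, the set NT gives a null-session caller. */` above the first copy would do. The preceding string_to_sid calls, like the existing ones, have their results ignored; if the parser can fail (its return type is not visible here), a bad literal would leave global_sid_Anonymous or global_sid_Network unset and be copied into the token unnoticed, so checking those three returns is cheap insurance. generate_wellknown_sids begins outside the hunk.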
/**************************************************************************
@@ -210,15 +240,18 @@ BOOL map_domain_name_to_sid(DOM_SID *sid, char *nt_domain)
void split_domain_name(const char *fullname, char *domain, char *name)
{
pstring full_name;
- char *p;
+ char *p, *sep;
+
+ sep = lp_winbind_separator();
*domain = *name = '\0';
- if (fullname[0] == '\\')
+ if (fullname[0] == sep[0] || fullname[0] == '\\')
fullname++;
pstrcpy(full_name, fullname);
p = strchr(full_name+1, '\\');
+ if (!p) p = strchr(full_name+1, sep[0]);
if (p != NULL) {
*p = 0;