diff options
Diffstat (limited to 'source4/lib')
-rw-r--r-- | source4/lib/username.c | 46 | ||||
-rw-r--r-- | source4/lib/util_getent.c | 22 | ||||
-rw-r--r-- | source4/lib/util_sid.c | 400 |
3 files changed, 81 insertions, 387 deletions
diff --git a/source4/lib/username.c b/source4/lib/username.c index 2d6cd651c5..3af9dbd027 100644 --- a/source4/lib/username.c +++ b/source4/lib/username.c @@ -26,16 +26,6 @@ static struct passwd *uname_string_combinations(char *s, struct passwd * (*fn) ( static struct passwd *uname_string_combinations2(char *s, int offset, struct passwd * (*fn) (const char *), int N); /***************************************************************** - Check if a user or group name is local (this is a *local* name for - *local* people, there's nothing for you here...). -*****************************************************************/ - -static BOOL name_is_local(const char *name) -{ - return !(strchr_m(name, *lp_winbind_separator())); -} - -/***************************************************************** Splits passed user or group name to domain and user/group name parts Returns True if name was splitted and False otherwise. *****************************************************************/ @@ -398,42 +388,6 @@ BOOL user_in_list(const char *user,const char **list, gid_t *groups, size_t n_gr if(user_in_group_list(user, *list +2, groups, n_groups)) return True; } - } else if (!name_is_local(*list)) { - /* - * If user name did not match and token is not - * a unix group and the token has a winbind separator in the - * name then see if it is a Windows group. - */ - - DOM_SID g_sid; - enum SID_NAME_USE name_type; - BOOL winbind_answered = False; - BOOL ret; - fstring groupname, domain; - - /* Parse a string of the form DOMAIN/user into a domain and a user */ - - char *p = strchr(*list,*lp_winbind_separator()); - - DEBUG(10,("user_in_list: checking if user |%s| is in winbind group |%s|\n", user, *list)); - - if (p) { - fstrcpy(groupname, p+1); - fstrcpy(domain, *list); - domain[PTR_DIFF(p, *list)] = 0; - - /* Check to see if name is a Windows group */ - if (winbind_lookup_name(domain, groupname, &g_sid, &name_type) && name_type == SID_NAME_DOM_GRP) { - - /* Check if user name is in the Windows group */ - ret = user_in_winbind_group_list(user, *list, &winbind_answered); - - if (winbind_answered && ret == True) { - DEBUG(10,("user_in_list: user |%s| is in winbind group |%s|\n", user, *list)); - return ret; - } - } - } } list++; diff --git a/source4/lib/util_getent.c b/source4/lib/util_getent.c index 32641dbf83..599e4bb917 100644 --- a/source4/lib/util_getent.c +++ b/source4/lib/util_getent.c @@ -249,29 +249,7 @@ struct sys_userlist *get_users_in_group(const char *gname) { struct sys_userlist *list_head = NULL; struct group *gptr; - fstring domain; - fstring groupname; - DOM_SID sid; - enum SID_NAME_USE name_type; - /* No point using winbind if we can't split it in the - first place */ - if (split_domain_and_name(gname, domain, groupname)) { - - /* - * If we're doing this via winbindd, don't do the - * entire group list enumeration as we know this is - * pointless (and slow). - */ - - if (winbind_lookup_name(domain, groupname, &sid, &name_type) - && name_type == SID_NAME_DOM_GRP) { - if ((gptr = (struct group *)getgrnam(gname)) == NULL) - return NULL; - return add_members_to_userlist(list_head, gptr); - } - } - #if !defined(BROKEN_GETGRNAM) if ((gptr = (struct group *)getgrnam(gname)) == NULL) return NULL; diff --git a/source4/lib/util_sid.c b/source4/lib/util_sid.c index 44bb4cebb1..505555fe7e 100644 --- a/source4/lib/util_sid.c +++ b/source4/lib/util_sid.c @@ -28,29 +28,29 @@ * Some useful sids */ -DOM_SID global_sid_World_Domain; /* Everyone domain */ -DOM_SID global_sid_World; /* Everyone */ -DOM_SID global_sid_Creator_Owner_Domain; /* Creator Owner domain */ -DOM_SID global_sid_NT_Authority; /* NT Authority */ -DOM_SID global_sid_System; /* System */ -DOM_SID global_sid_NULL; /* NULL sid */ -DOM_SID global_sid_Authenticated_Users; /* All authenticated rids */ -DOM_SID global_sid_Network; /* Network rids */ - -DOM_SID global_sid_Creator_Owner; /* Creator Owner */ -DOM_SID global_sid_Creator_Group; /* Creator Group */ -DOM_SID global_sid_Anonymous; /* Anonymous login */ - -DOM_SID global_sid_Builtin; /* Local well-known domain */ -DOM_SID global_sid_Builtin_Administrators; /* Builtin administrators */ -DOM_SID global_sid_Builtin_Users; /* Builtin users */ -DOM_SID global_sid_Builtin_Guests; /* Builtin guest users */ -DOM_SID global_sid_Builtin_Power_Users; /* Builtin power users */ -DOM_SID global_sid_Builtin_Account_Operators; /* Builtin account operators */ -DOM_SID global_sid_Builtin_Server_Operators; /* Builtin server operators */ -DOM_SID global_sid_Builtin_Print_Operators; /* Builtin print operators */ -DOM_SID global_sid_Builtin_Backup_Operators; /* Builtin backup operators */ -DOM_SID global_sid_Builtin_Replicator; /* Builtin replicator */ +struct dom_sid *global_sid_World_Domain; /* Everyone domain */ +struct dom_sid *global_sid_World; /* Everyone */ +struct dom_sid *global_sid_Creator_Owner_Domain; /* Creator Owner domain */ +struct dom_sid *global_sid_NT_Authority; /* NT Authority */ +struct dom_sid *global_sid_System; /* System */ +struct dom_sid *global_sid_NULL; /* NULL sid */ +struct dom_sid *global_sid_Authenticated_Users; /* All authenticated rids */ +struct dom_sid *global_sid_Network; /* Network rids */ + +struct dom_sid *global_sid_Creator_Owner; /* Creator Owner */ +struct dom_sid *global_sid_Creator_Group; /* Creator Group */ +struct dom_sid *global_sid_Anonymous; /* Anonymous login */ + +struct dom_sid *global_sid_Builtin; /* Local well-known domain */ +struct dom_sid *global_sid_Builtin_Administrators; /* Builtin administrators */ +struct dom_sid *global_sid_Builtin_Users; /* Builtin users */ +struct dom_sid *global_sid_Builtin_Guests; /* Builtin guest users */ +struct dom_sid *global_sid_Builtin_Power_Users; /* Builtin power users */ +struct dom_sid *global_sid_Builtin_Account_Operators; /* Builtin account operators */ +struct dom_sid *global_sid_Builtin_Server_Operators; /* Builtin server operators */ +struct dom_sid *global_sid_Builtin_Print_Operators; /* Builtin print operators */ +struct dom_sid *global_sid_Builtin_Backup_Operators; /* Builtin backup operators */ +struct dom_sid *global_sid_Builtin_Replicator; /* Builtin replicator */ #define SECURITY_NULL_SID_AUTHORITY 0 #define SECURITY_WORLD_SID_AUTHORITY 1 @@ -58,23 +58,6 @@ DOM_SID global_sid_Builtin_Replicator; /* Builtin replicator */ #define SECURITY_CREATOR_SID_AUTHORITY 3 #define SECURITY_NT_AUTHORITY 5 -/* - * An NT compatible anonymous token. - */ - -static DOM_SID anon_sid_array[3]; - -NT_USER_TOKEN anonymous_token = { - 3, - anon_sid_array -}; - -static DOM_SID system_sid_array[4]; -NT_USER_TOKEN system_token = { - 1, - system_sid_array -}; - /**************************************************************************** Lookup string names for SID types. ****************************************************************************/ @@ -117,60 +100,47 @@ const char *sid_type_lookup(uint32 sid_type) void generate_wellknown_sids(void) { static BOOL initialised = False; + static TALLOC_CTX *mem_ctx; if (initialised) return; + mem_ctx = talloc_init("Well known groups, global static context"); + if (!mem_ctx) + return; + /* SECURITY_NULL_SID_AUTHORITY */ - string_to_sid(&global_sid_NULL, "S-1-0-0"); + global_sid_NULL = dom_sid_parse_talloc(mem_ctx, "S-1-0-0"); /* SECURITY_WORLD_SID_AUTHORITY */ - string_to_sid(&global_sid_World_Domain, "S-1-1"); - string_to_sid(&global_sid_World, "S-1-1-0"); + global_sid_World_Domain = dom_sid_parse_talloc(mem_ctx, "S-1-1"); + global_sid_World = dom_sid_parse_talloc(mem_ctx, "S-1-1-0"); /* SECURITY_CREATOR_SID_AUTHORITY */ - string_to_sid(&global_sid_Creator_Owner_Domain, "S-1-3"); - string_to_sid(&global_sid_Creator_Owner, "S-1-3-0"); - string_to_sid(&global_sid_Creator_Group, "S-1-3-1"); + global_sid_Creator_Owner_Domain = dom_sid_parse_talloc(mem_ctx, "S-1-3"); + global_sid_Creator_Owner = dom_sid_parse_talloc(mem_ctx, "S-1-3-0"); + global_sid_Creator_Group = dom_sid_parse_talloc(mem_ctx, "S-1-3-1"); /* SECURITY_NT_AUTHORITY */ - string_to_sid(&global_sid_NT_Authority, "S-1-5"); - string_to_sid(&global_sid_Network, "S-1-5-2"); - string_to_sid(&global_sid_Anonymous, "S-1-5-7"); - string_to_sid(&global_sid_Authenticated_Users, "S-1-5-11"); - string_to_sid(&global_sid_System, "S-1-5-18"); + global_sid_NT_Authority = dom_sid_parse_talloc(mem_ctx, "S-1-5"); + global_sid_Network = dom_sid_parse_talloc(mem_ctx, "S-1-5-2"); + global_sid_Anonymous = dom_sid_parse_talloc(mem_ctx, "S-1-5-7"); + global_sid_Authenticated_Users = dom_sid_parse_talloc(mem_ctx, "S-1-5-11"); + global_sid_System = dom_sid_parse_talloc(mem_ctx, "S-1-5-18"); /* SECURITY_BUILTIN_DOMAIN_RID */ - string_to_sid(&global_sid_Builtin, "S-1-5-32"); - string_to_sid(&global_sid_Builtin_Administrators, "S-1-5-32-544"); - string_to_sid(&global_sid_Builtin_Users, "S-1-5-32-545"); - string_to_sid(&global_sid_Builtin_Guests, "S-1-5-32-546"); - string_to_sid(&global_sid_Builtin_Power_Users, "S-1-5-32-547"); - string_to_sid(&global_sid_Builtin_Account_Operators, "S-1-5-32-548"); - string_to_sid(&global_sid_Builtin_Server_Operators, "S-1-5-32-549"); - string_to_sid(&global_sid_Builtin_Print_Operators, "S-1-5-32-550"); - string_to_sid(&global_sid_Builtin_Backup_Operators, "S-1-5-32-551"); - string_to_sid(&global_sid_Builtin_Replicator, "S-1-5-32-552"); - - /* Create the anon token. */ - sid_copy( &anonymous_token.user_sids[0], &global_sid_World); - sid_copy( &anonymous_token.user_sids[1], &global_sid_Network); - sid_copy( &anonymous_token.user_sids[2], &global_sid_Anonymous); - - /* Create the system token. */ - sid_copy( &system_token.user_sids[0], &global_sid_System); - - initialised = True; -} + global_sid_Builtin = dom_sid_parse_talloc(mem_ctx, "S-1-5-32"); + global_sid_Builtin_Administrators = dom_sid_parse_talloc(mem_ctx, "S-1-5-32-544"); + global_sid_Builtin_Users = dom_sid_parse_talloc(mem_ctx, "S-1-5-32-545"); + global_sid_Builtin_Guests = dom_sid_parse_talloc(mem_ctx, "S-1-5-32-546"); + global_sid_Builtin_Power_Users = dom_sid_parse_talloc(mem_ctx, "S-1-5-32-547"); + global_sid_Builtin_Account_Operators = dom_sid_parse_talloc(mem_ctx, "S-1-5-32-548"); + global_sid_Builtin_Server_Operators = dom_sid_parse_talloc(mem_ctx, "S-1-5-32-549"); + global_sid_Builtin_Print_Operators = dom_sid_parse_talloc(mem_ctx, "S-1-5-32-550"); + global_sid_Builtin_Backup_Operators = dom_sid_parse_talloc(mem_ctx, "S-1-5-32-551"); + global_sid_Builtin_Replicator = dom_sid_parse_talloc(mem_ctx, "S-1-5-32-552"); -/************************************************************************** - Create the SYSTEM token. -***************************************************************************/ - -NT_USER_TOKEN *get_system_token(void) -{ - generate_wellknown_sids(); /* The token is initialised here */ - return &system_token; + initialised = True; } /************************************************************************** @@ -208,153 +178,31 @@ void split_domain_name(const char *fullname, char *domain, char *name) fullname, domain, name)); } -/**************************************************************************** - Test if a SID is wellknown and resolvable. -****************************************************************************/ - -BOOL resolvable_wellknown_sid(DOM_SID *sid) -{ - uint32 ia = (sid->id_auth[5]) + - (sid->id_auth[4] << 8 ) + - (sid->id_auth[3] << 16) + - (sid->id_auth[2] << 24); - - if (sid->sid_rev_num != SEC_DESC_REVISION || sid->num_auths < 1) - return False; - - return (ia == SECURITY_WORLD_SID_AUTHORITY || - ia == SECURITY_CREATOR_SID_AUTHORITY); -} - /***************************************************************** Convert a SID to an ascii string. *****************************************************************/ -char *sid_to_string(fstring sidstr_out, const DOM_SID *sid) +char *sid_to_string(fstring sidstr_out, const struct dom_sid *sid) { - char subauth[16]; - int i; - uint32 ia; - - if (!sid) { - fstrcpy(sidstr_out, "(NULL SID)"); - return sidstr_out; - } - - /* - * BIG NOTE: this function only does SIDS where the identauth is not >= 2^32 - * in a range of 2^48. - */ - ia = (sid->id_auth[5]) + - (sid->id_auth[4] << 8 ) + - (sid->id_auth[3] << 16) + - (sid->id_auth[2] << 24); - - slprintf(sidstr_out, sizeof(fstring) - 1, "S-%u-%lu", (unsigned int)sid->sid_rev_num, (unsigned long)ia); - - for (i = 0; i < sid->num_auths; i++) { - slprintf(subauth, sizeof(subauth)-1, "-%lu", (unsigned long)sid->sub_auths[i]); - fstrcat(sidstr_out, subauth); + char *tmp_string; + TALLOC_CTX *mem_ctx; + if (!(mem_ctx = talloc_init("sid_to_string temp context"))) { + return NULL; } + tmp_string = dom_sid_string(mem_ctx, sid); + if (!tmp_string) + return NULL; + + fstrcpy(sidstr_out, tmp_string); return sidstr_out; } /***************************************************************** - Useful function for debug lines. -*****************************************************************/ - -const char *sid_string_talloc(TALLOC_CTX *mem_ctx, const DOM_SID *sid) -{ - fstring tempSid; - sid_to_string(tempSid, sid); - return talloc_strdup(mem_ctx, tempSid); -} - -/***************************************************************** - Convert a string to a SID. Returns True on success, False on fail. -*****************************************************************/ - -BOOL string_to_sid(DOM_SID *sidout, const char *sidstr) -{ - pstring tok; - char *q; - const char *p; - /* BIG NOTE: this function only does SIDS where the identauth is not >= 2^32 */ - uint32 ia; - - if (StrnCaseCmp( sidstr, "S-", 2)) { - DEBUG(0,("string_to_sid: Sid %s does not start with 'S-'.\n", sidstr)); - return False; - } - - memset((char *)sidout, '\0', sizeof(DOM_SID)); - - p = q = strdup(sidstr + 2); - if (p == NULL) { - DEBUG(0, ("string_to_sid: out of memory!\n")); - return False; - } - - if (!next_token(&p, tok, "-", sizeof(tok))) { - DEBUG(0,("string_to_sid: Sid %s is not in a valid format.\n", sidstr)); - SAFE_FREE(q); - return False; - } - - /* Get the revision number. */ - sidout->sid_rev_num = (uint8)strtoul(tok, NULL, 10); - - if (!next_token(&p, tok, "-", sizeof(tok))) { - DEBUG(0,("string_to_sid: Sid %s is not in a valid format.\n", sidstr)); - SAFE_FREE(q); - return False; - } - - /* identauth in decimal should be < 2^32 */ - ia = (uint32)strtoul(tok, NULL, 10); - - /* NOTE - the ia value is in big-endian format. */ - sidout->id_auth[0] = 0; - sidout->id_auth[1] = 0; - sidout->id_auth[2] = (ia & 0xff000000) >> 24; - sidout->id_auth[3] = (ia & 0x00ff0000) >> 16; - sidout->id_auth[4] = (ia & 0x0000ff00) >> 8; - sidout->id_auth[5] = (ia & 0x000000ff); - - sidout->num_auths = 0; - - while(next_token(&p, tok, "-", sizeof(tok)) && - sidout->num_auths < MAXSUBAUTHS) { - /* - * NOTE - the subauths are in native machine-endian format. They - * are converted to little-endian when linearized onto the wire. - */ - sid_append_rid(sidout, (uint32)strtoul(tok, NULL, 10)); - } - - SAFE_FREE(q); - return True; -} - -/***************************************************************** - Add a rid to the end of a sid -*****************************************************************/ - -BOOL sid_append_rid(DOM_SID *sid, uint32 rid) -{ - if (sid->num_auths < MAXSUBAUTHS) { - sid->sub_auths[sid->num_auths++] = rid; - return True; - } - return False; -} - -/***************************************************************** Removes the last rid from the end of a sid *****************************************************************/ -BOOL sid_split_rid(DOM_SID *sid, uint32 *rid) +BOOL sid_split_rid(struct dom_sid *sid, uint32 *rid) { if (sid->num_auths > 0) { sid->num_auths--; @@ -368,7 +216,7 @@ BOOL sid_split_rid(DOM_SID *sid, uint32 *rid) Return the last rid from the end of a sid *****************************************************************/ -BOOL sid_peek_rid(const DOM_SID *sid, uint32 *rid) +BOOL sid_peek_rid(const struct dom_sid *sid, uint32 *rid) { if (!sid || !rid) return False; @@ -385,7 +233,7 @@ BOOL sid_peek_rid(const DOM_SID *sid, uint32 *rid) and check the sid against the exp_dom_sid *****************************************************************/ -BOOL sid_peek_check_rid(const DOM_SID *exp_dom_sid, const DOM_SID *sid, uint32 *rid) +BOOL sid_peek_check_rid(const struct dom_sid *exp_dom_sid, const struct dom_sid *sid, uint32 *rid) { if (!exp_dom_sid || !sid || !rid) return False; @@ -400,71 +248,10 @@ BOOL sid_peek_check_rid(const DOM_SID *exp_dom_sid, const DOM_SID *sid, uint32 * } /***************************************************************** - Copies a sid -*****************************************************************/ - -void sid_copy(DOM_SID *dst, const DOM_SID *src) -{ - int i; - - ZERO_STRUCTP(dst); - - dst->sid_rev_num = src->sid_rev_num; - dst->num_auths = src->num_auths; - - memcpy(&dst->id_auth[0], &src->id_auth[0], sizeof(src->id_auth)); - - for (i = 0; i < src->num_auths; i++) - dst->sub_auths[i] = src->sub_auths[i]; -} - -/***************************************************************** - Write a sid out into on-the-wire format. -*****************************************************************/ - -BOOL sid_linearize(char *outbuf, size_t len, const DOM_SID *sid) -{ - size_t i; - - if (len < sid_size(sid)) - return False; - - SCVAL(outbuf,0,sid->sid_rev_num); - SCVAL(outbuf,1,sid->num_auths); - memcpy(&outbuf[2], sid->id_auth, 6); - for(i = 0; i < sid->num_auths; i++) - SIVAL(outbuf, 8 + (i*4), sid->sub_auths[i]); - - return True; -} - -/***************************************************************** - Parse a on-the-wire SID to a DOM_SID. -*****************************************************************/ - -BOOL sid_parse(const char *inbuf, size_t len, DOM_SID *sid) -{ - int i; - if (len < 8) - return False; - - ZERO_STRUCTP(sid); - - sid->sid_rev_num = CVAL(inbuf, 0); - sid->num_auths = CVAL(inbuf, 1); - memcpy(sid->id_auth, inbuf+2, 6); - if (len < 8 + sid->num_auths*4) - return False; - for (i=0;i<sid->num_auths;i++) - sid->sub_auths[i] = IVAL(inbuf, 8+i*4); - return True; -} - -/***************************************************************** Compare the auth portion of two sids. *****************************************************************/ -static int sid_compare_auth(const DOM_SID *sid1, const DOM_SID *sid2) +static int sid_compare_auth(const struct dom_sid *sid1, const struct dom_sid *sid2) { int i; @@ -489,7 +276,7 @@ static int sid_compare_auth(const DOM_SID *sid1, const DOM_SID *sid2) Compare two sids. *****************************************************************/ -int sid_compare(const DOM_SID *sid1, const DOM_SID *sid2) +int sid_compare(const struct dom_sid *sid1, const struct dom_sid *sid2) { int i; @@ -516,7 +303,7 @@ int sid_compare(const DOM_SID *sid1, const DOM_SID *sid2) this just compares the leading sub-auths *****************************************************************/ -int sid_compare_domain(const DOM_SID *sid1, const DOM_SID *sid2) +int sid_compare_domain(const struct dom_sid *sid1, const struct dom_sid *sid2) { int n, i; @@ -533,40 +320,36 @@ int sid_compare_domain(const DOM_SID *sid1, const DOM_SID *sid2) Compare two sids. *****************************************************************/ -BOOL sid_equal(const DOM_SID *sid1, const DOM_SID *sid2) +BOOL sid_equal(const struct dom_sid *sid1, const struct dom_sid *sid2) { return sid_compare(sid1, sid2) == 0; } - /***************************************************************** - Check if the SID is the builtin SID (S-1-5-32). + Write a sid out into on-the-wire format. *****************************************************************/ -BOOL sid_check_is_builtin(const DOM_SID *sid) +BOOL sid_linearize(char *outbuf, size_t len, const struct dom_sid *sid) { - return sid_equal(sid, &global_sid_Builtin); -} + size_t i; -/***************************************************************** - Check if the SID is one of the builtin SIDs (S-1-5-32-a). -*****************************************************************/ + if (len < sid_size(sid)) + return False; -BOOL sid_check_is_in_builtin(const DOM_SID *sid) -{ - DOM_SID dom_sid; - uint32 rid; + SCVAL(outbuf,0,sid->sid_rev_num); + SCVAL(outbuf,1,sid->num_auths); + memcpy(&outbuf[2], sid->id_auth, 6); + for(i = 0; i < sid->num_auths; i++) + SIVAL(outbuf, 8 + (i*4), sid->sub_auths[i]); - sid_copy(&dom_sid, sid); - sid_split_rid(&dom_sid, &rid); - - return sid_equal(&dom_sid, &global_sid_Builtin); + return True; } + /***************************************************************** Calculates size of a sid. *****************************************************************/ -size_t sid_size(const DOM_SID *sid) +size_t sid_size(const struct dom_sid *sid) { if (sid == NULL) return 0; @@ -575,32 +358,11 @@ size_t sid_size(const DOM_SID *sid) } /***************************************************************** - Returns true if SID is internal (and non-mappable). -*****************************************************************/ - -BOOL non_mappable_sid(DOM_SID *sid) -{ - DOM_SID dom; - uint32 rid; - - sid_copy(&dom, sid); - sid_split_rid(&dom, &rid); - - if (sid_equal(&dom, &global_sid_Builtin)) - return True; - - if (sid_equal(&dom, &global_sid_NT_Authority)) - return True; - - return False; -} - -/***************************************************************** Return the binary string representation of a DOM_SID. Caller must free. *****************************************************************/ -char *sid_binstring(const DOM_SID *sid) +char *sid_binstring(const struct dom_sid *sid) { char *buf, *s; int len = sid_size(sid); |