diff options
Diffstat (limited to 'source4')
-rw-r--r-- | source4/include/secrets.h | 22 | ||||
-rw-r--r-- | source4/lib/genparser.c | 775 | ||||
-rw-r--r-- | source4/lib/genparser_samba.c | 200 | ||||
-rw-r--r-- | source4/lib/tdb/tdbutil.c | 62 | ||||
-rw-r--r-- | source4/lib/util_seaccess.c | 490 | ||||
-rw-r--r-- | source4/lib/util_sid.c | 2 | ||||
-rw-r--r-- | source4/passdb/secrets.c | 369 |
7 files changed, 2 insertions, 1918 deletions
diff --git a/source4/include/secrets.h b/source4/include/secrets.h index 183b29d7a8..ae881c7cb9 100644 --- a/source4/include/secrets.h +++ b/source4/include/secrets.h @@ -54,26 +54,4 @@ struct machine_acct_pass { time_t mod_time; }; -/* - * storage structure for trusted domain - */ -struct trusted_dom_pass { - size_t uni_name_len; - smb_ucs2_t uni_name[32]; /* unicode domain name */ - size_t pass_len; - fstring pass; /* trust relationship's password */ - time_t mod_time; - DOM_SID domain_sid; /* remote domain's sid */ -}; - -/* - * trusted domain entry/entries returned by secrets_get_trusted_domains - * (used in _lsa_enum_trust_dom call) - */ -typedef struct trustdom { - smb_ucs2_t *name; - DOM_SID sid; -} TRUSTDOM; - - #endif /* _SECRETS_H */ diff --git a/source4/lib/genparser.c b/source4/lib/genparser.c deleted file mode 100644 index 0f5d26620b..0000000000 --- a/source4/lib/genparser.c +++ /dev/null @@ -1,775 +0,0 @@ -/* - Copyright (C) Andrew Tridgell <genstruct@tridgell.net> 2002 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -*/ - -/* - automatic marshalling/unmarshalling system for C structures -*/ - -#include "includes.h" - -/* encode a buffer of bytes into a escaped string */ -static char *encode_bytes(TALLOC_CTX *mem_ctx, const char *ptr, unsigned len) -{ - const char *hexdig = "0123456789abcdef"; - char *ret, *p; - unsigned i; - ret = talloc(mem_ctx, len*3 + 1); /* worst case size */ - if (!ret) return NULL; - for (p=ret,i=0;i<len;i++) { - if (isalnum(ptr[i]) || isspace(ptr[i]) || - (ispunct(ptr[i]) && !strchr("\\{}", ptr[i]))) { - *p++ = ptr[i]; - } else { - unsigned char c = *(const unsigned char *)(ptr+i); - if (c == 0 && all_zero(ptr+i, len-i)) break; - p[0] = '\\'; - p[1] = hexdig[c>>4]; - p[2] = hexdig[c&0xF]; - p += 3; - } - } - - *p = 0; - - return ret; -} - -/* decode an escaped string from encode_bytes() into a buffer */ -static char *decode_bytes(TALLOC_CTX *mem_ctx, const char *s, unsigned *len) -{ - char *ret, *p; - unsigned i; - int slen = strlen(s) + 1; - - ret = talloc(mem_ctx, slen); /* worst case length */ - if (!ret) - return NULL; - memset(ret, 0, slen); - - if (*s == '{') s++; - - for (p=ret,i=0;s[i];i++) { - if (s[i] == '}') { - break; - } else if (s[i] == '\\') { - unsigned v; - if (sscanf(&s[i+1], "%02x", &v) != 1 || v > 255) { - return NULL; - } - *(unsigned char *)p = v; - p++; - i += 2; - } else { - *p++ = s[i]; - } - } - *p = 0; - - (*len) = (unsigned)(p - ret); - - return ret; -} - -/* the add*() functions deal with adding things to a struct - parse_string */ - -/* allocate more space if needed */ -static int addgen_alloc(TALLOC_CTX *mem_ctx, struct parse_string *p, int n) -{ - if (p->length + n <= p->allocated) return 0; - p->allocated = p->length + n + 200; - p->s = talloc_realloc(mem_ctx, p->s, p->allocated); - if (!p->s) { - errno = ENOMEM; - return -1; - } - return 0; -} - -/* add a character to the buffer */ -static int addchar(TALLOC_CTX *mem_ctx, struct parse_string *p, char c) -{ - if (addgen_alloc(mem_ctx, p, 2) != 0) { - return -1; - } - p->s[p->length++] = c; - p->s[p->length] = 0; - return 0; -} - -/* add a string to the buffer */ -int addstr(TALLOC_CTX *mem_ctx, struct parse_string *p, const char *s) -{ - int len = strlen(s); - if (addgen_alloc(mem_ctx, p, len+1) != 0) { - return -1; - } - memcpy(p->s + p->length, s, len+1); - p->length += len; - return 0; -} - -/* add a string to the buffer with a tab prefix */ -static int addtabbed(TALLOC_CTX *mem_ctx, struct parse_string *p, const char *s, unsigned indent) -{ - int len = strlen(s); - if (addgen_alloc(mem_ctx, p, indent+len+1) != 0) { - return -1; - } - while (indent--) { - p->s[p->length++] = '\t'; - } - memcpy(p->s + p->length, s, len+1); - p->length += len; - return 0; -} - -/* note! this can only be used for results up to 60 chars wide! */ -int addshort(TALLOC_CTX *mem_ctx, struct parse_string *p, const char *fmt, ...) -{ - char buf[60]; - int n; - va_list ap; - va_start(ap, fmt); - n = vsnprintf(buf, sizeof(buf), fmt, ap); - va_end(ap); - if (addgen_alloc(mem_ctx, p, n + 1) != 0) { - return -1; - } - if (n != 0) { - memcpy(p->s + p->length, buf, n); - } - p->length += n; - p->s[p->length] = 0; - return 0; -} - -/* - this is here to make it easier for people to write dump functions - for their own types - */ -int gen_addgen(TALLOC_CTX *mem_ctx, struct parse_string *p, const char *fmt, ...) -{ - char *buf = NULL; - int n; - va_list ap; - va_start(ap, fmt); - n = vasprintf(&buf, fmt, ap); - va_end(ap); - if (addgen_alloc(mem_ctx, p, n + 1) != 0) { - if (buf) free(buf); - return -1; - } - if (n != 0) { - memcpy(p->s + p->length, buf, n); - } - p->length += n; - p->s[p->length] = 0; - if (buf) free(buf); - return 0; -} - -/* dump a enumerated type */ -int gen_dump_enum(TALLOC_CTX *mem_ctx, - const struct enum_struct *einfo, - struct parse_string *p, - const char *ptr, - unsigned indent) -{ - unsigned v = *(const unsigned *)ptr; - int i; - for (i=0;einfo[i].name;i++) { - if (v == einfo[i].value) { - addstr(mem_ctx, p, einfo[i].name); - return 0; - } - } - /* hmm, maybe we should just fail? */ - return gen_dump_unsigned(mem_ctx, p, ptr, indent); -} - -/* dump a single non-array element, hanlding struct and enum */ -static int gen_dump_one(TALLOC_CTX *mem_ctx, - struct parse_string *p, - const struct parse_struct *pinfo, - const char *ptr, - unsigned indent) -{ - if (pinfo->dump_fn == gen_dump_char && pinfo->ptr_count == 1) { - char *s = encode_bytes(mem_ctx, ptr, strlen(ptr)); - if (addchar(mem_ctx, p,'{') || - addstr(mem_ctx, p, s) || - addstr(mem_ctx, p, "}")) { - return -1; - } - return 0; - } - - return pinfo->dump_fn(mem_ctx, p, ptr, indent); -} - -/* handle dumping of an array of arbitrary type */ -static int gen_dump_array(TALLOC_CTX *mem_ctx, - struct parse_string *p, - const struct parse_struct *pinfo, - const char *ptr, - int array_len, - int indent) -{ - int i, count=0; - - /* special handling of fixed length strings */ - if (array_len != 0 && - pinfo->ptr_count == 0 && - pinfo->dump_fn == gen_dump_char) { - char *s = encode_bytes(mem_ctx, ptr, array_len); - if (!s) return -1; - if (addtabbed(mem_ctx, p, pinfo->name, indent) || - addstr(mem_ctx, p, " = {") || - addstr(mem_ctx, p, s) || - addstr(mem_ctx, p, "}\n")) { - return -1; - } - free(s); - return 0; - } - - for (i=0;i<array_len;i++) { - const char *p2 = ptr; - unsigned size = pinfo->size; - - /* generic pointer dereference */ - if (pinfo->ptr_count) { - p2 = *(const char **)ptr; - size = sizeof(void *); - } - - if ((count || pinfo->ptr_count) && - !(pinfo->flags & FLAG_ALWAYS) && - all_zero(ptr, size)) { - ptr += size; - continue; - } - if (count == 0) { - if (addtabbed(mem_ctx, p, pinfo->name, indent) || - addshort(mem_ctx, p, " = %u:", i)) { - return -1; - } - } else { - if (addshort(mem_ctx, p, ", %u:", i) != 0) { - return -1; - } - } - if (gen_dump_one(mem_ctx, p, pinfo, p2, indent) != 0) { - return -1; - } - ptr += size; - count++; - } - if (count) { - return addstr(mem_ctx, p, "\n"); - } - return 0; -} - -/* find a variable by name in a loaded structure and return its value - as an integer. Used to support dynamic arrays */ -static int find_var(const struct parse_struct *pinfo, - const char *data, - const char *var) -{ - int i; - const char *ptr; - - /* this allows for constant lengths */ - if (isdigit(*var)) { - return atoi(var); - } - - for (i=0;pinfo[i].name;i++) { - if (strcmp(pinfo[i].name, var) == 0) break; - } - if (!pinfo[i].name) return -1; - - ptr = data + pinfo[i].offset; - - switch (pinfo[i].size) { - case sizeof(int): - return *(const int *)ptr; - case sizeof(char): - return *(const char *)ptr; - } - - return -1; -} - - -int gen_dump_struct(TALLOC_CTX *mem_ctx, - const struct parse_struct *pinfo, - struct parse_string *p, - const char *ptr, - unsigned indent) -{ - char *s = gen_dump(mem_ctx, pinfo, ptr, indent+1); - if (!s) return -1; - if (addstr(mem_ctx, p, "{\n") || - addstr(mem_ctx, p, s) || - addtabbed(mem_ctx, p, "}", indent)) { - return -1; - } - return 0; -} - -static int gen_dump_string(TALLOC_CTX *mem_ctx, - struct parse_string *p, - const struct parse_struct *pinfo, - const char *data, - unsigned indent) -{ - const char *ptr = *(const char **)data; - char *s = encode_bytes(mem_ctx, ptr, strlen(ptr)); - if (addtabbed(mem_ctx, p, pinfo->name, indent) || - addstr(mem_ctx, p, " = ") || - addchar(mem_ctx, p, '{') || - addstr(mem_ctx, p, s) || - addstr(mem_ctx, p, "}\n")) { - return -1; - } - return 0; -} - -/* - find the length of a nullterm array -*/ -static int len_nullterm(const char *ptr, int size, int array_len) -{ - int len; - - if (size == 1) { - len = strnlen(ptr, array_len); - } else { - for (len=0; len < array_len; len++) { - if (all_zero(ptr+len*size, size)) break; - } - } - - if (len == 0) len = 1; - - return len; -} - - -/* the generic dump routine. Scans the parse information for this structure - and processes it recursively */ -char *gen_dump(TALLOC_CTX *mem_ctx, - const struct parse_struct *pinfo, - const char *data, - unsigned indent) -{ - struct parse_string p; - int i; - - p.length = 0; - p.allocated = 0; - p.s = NULL; - - if (addstr(mem_ctx, &p, "") != 0) { - return NULL; - } - - for (i=0;pinfo[i].name;i++) { - const char *ptr = data + pinfo[i].offset; - unsigned size = pinfo[i].size; - - if (pinfo[i].ptr_count) { - size = sizeof(void *); - } - - /* special handling for array types */ - if (pinfo[i].array_len) { - unsigned len = pinfo[i].array_len; - if (pinfo[i].flags & FLAG_NULLTERM) { - len = len_nullterm(ptr, size, len); - } - if (gen_dump_array(mem_ctx, &p, &pinfo[i], ptr, - len, indent)) { - goto failed; - } - continue; - } - - /* and dynamically sized arrays */ - if (pinfo[i].dynamic_len) { - int len = find_var(pinfo, data, pinfo[i].dynamic_len); - struct parse_struct p2 = pinfo[i]; - if (len < 0) { - goto failed; - } - if (len > 0) { - if (pinfo[i].flags & FLAG_NULLTERM) { - len = len_nullterm(*(const char **)ptr, - pinfo[i].size, len); - } - p2.ptr_count--; - p2.dynamic_len = NULL; - if (gen_dump_array(mem_ctx, &p, &p2, - *(const char **)ptr, - len, indent) != 0) { - goto failed; - } - } - continue; - } - - /* don't dump zero elements */ - if (!(pinfo[i].flags & FLAG_ALWAYS) && all_zero(ptr, size)) continue; - - /* assume char* is a null terminated string */ - if (pinfo[i].size == 1 && pinfo[i].ptr_count == 1 && - pinfo[i].dump_fn == gen_dump_char) { - if (gen_dump_string(mem_ctx, &p, &pinfo[i], ptr, indent) != 0) { - goto failed; - } - continue; - } - - /* generic pointer dereference */ - if (pinfo[i].ptr_count) { - ptr = *(const char **)ptr; - } - - if (addtabbed(mem_ctx, &p, pinfo[i].name, indent) || - addstr(mem_ctx, &p, " = ") || - gen_dump_one(mem_ctx, &p, &pinfo[i], ptr, indent) || - addstr(mem_ctx, &p, "\n")) { - goto failed; - } - } - return p.s; - -failed: - return NULL; -} - -/* search for a character in a string, skipping over sections within - matching braces */ -static char *match_braces(char *s, char c) -{ - int depth = 0; - while (*s) { - switch (*s) { - case '}': - depth--; - break; - case '{': - depth++; - break; - } - if (depth == 0 && *s == c) { - return s; - } - s++; - } - return s; -} - -/* parse routine for enumerated types */ -int gen_parse_enum(TALLOC_CTX *mem_ctx, - const struct enum_struct *einfo, - char *ptr, - const char *str) -{ - unsigned v; - int i; - - if (isdigit(*str)) { - if (sscanf(str, "%u", &v) != 1) { - errno = EINVAL; - return -1; - } - *(unsigned *)ptr = v; - return 0; - } - - for (i=0;einfo[i].name;i++) { - if (strcmp(einfo[i].name, str) == 0) { - *(unsigned *)ptr = einfo[i].value; - return 0; - } - } - - /* unknown enum value?? */ - return -1; -} - - -/* parse all base types */ -static int gen_parse_base(TALLOC_CTX *mem_ctx, - const struct parse_struct *pinfo, - char *ptr, - const char *str) -{ - if (pinfo->parse_fn == gen_parse_char && pinfo->ptr_count==1) { - unsigned len; - char *s = decode_bytes(mem_ctx, str, &len); - if (!s) return -1; - *(char **)ptr = s; - return 0; - } - - if (pinfo->ptr_count) { - unsigned size = pinfo->ptr_count>1?sizeof(void *):pinfo->size; - struct parse_struct p2 = *pinfo; - *(void **)ptr = talloc(mem_ctx, size); - if (! *(void **)ptr) { - return -1; - } - memset(*(void **)ptr, 0, size); - ptr = *(char **)ptr; - p2.ptr_count--; - return gen_parse_base(mem_ctx, &p2, ptr, str); - } - - return pinfo->parse_fn(mem_ctx, ptr, str); -} - -/* parse a generic array */ -static int gen_parse_array(TALLOC_CTX *mem_ctx, - const struct parse_struct *pinfo, - char *ptr, - const char *str, - int array_len) -{ - char *p, *p2; - unsigned size = pinfo->size; - - /* special handling of fixed length strings */ - if (array_len != 0 && - pinfo->ptr_count == 0 && - pinfo->dump_fn == gen_dump_char) { - unsigned len = 0; - char *s = decode_bytes(mem_ctx, str, &len); - if (!s || (len > array_len)) return -1; - memset(ptr, 0, array_len); - memcpy(ptr, s, len); - return 0; - } - - if (pinfo->ptr_count) { - size = sizeof(void *); - } - - while (*str) { - unsigned idx; - int done; - - idx = atoi(str); - p = strchr(str,':'); - if (!p) break; - p++; - p2 = match_braces(p, ','); - done = (*p2 != ','); - *p2 = 0; - - if (*p == '{') { - p++; - p[strlen(p)-1] = 0; - } - - if (gen_parse_base(mem_ctx, pinfo, ptr + idx*size, p) != 0) { - return -1; - } - - if (done) break; - str = p2+1; - } - - return 0; -} - -/* parse one element, hanlding dynamic and static arrays */ -static int gen_parse_one(TALLOC_CTX *mem_ctx, - const struct parse_struct *pinfo, - const char *name, - char *data, - const char *str) -{ - int i; - for (i=0;pinfo[i].name;i++) { - if (strcmp(pinfo[i].name, name) == 0) { - break; - } - } - if (pinfo[i].name == NULL) { - return 0; - } - - if (pinfo[i].array_len) { - return gen_parse_array(mem_ctx, &pinfo[i], - data+pinfo[i].offset, - str, pinfo[i].array_len); - } - - if (pinfo[i].dynamic_len) { - int len = find_var(pinfo, data, pinfo[i].dynamic_len); - if (len < 0) { - errno = EINVAL; - return -1; - } - if (len > 0) { - struct parse_struct p2 = pinfo[i]; - char *ptr; - unsigned size = pinfo[i].ptr_count>1?sizeof(void*):pinfo[i].size; - ptr = talloc(mem_ctx, len*size); - if (!ptr) { - errno = ENOMEM; - return -1; - } - memset(ptr, 0, len*size); - *((char **)(data + pinfo[i].offset)) = ptr; - p2.ptr_count--; - p2.dynamic_len = NULL; - return gen_parse_array(mem_ctx, &p2, ptr, str, len); - } - return 0; - } - - return gen_parse_base(mem_ctx, &pinfo[i], data + pinfo[i].offset, str); -} - -int gen_parse_struct(TALLOC_CTX * mem_ctx, const struct parse_struct *pinfo, char *ptr, const char *str) -{ - return gen_parse(mem_ctx, pinfo, ptr, str); -} - -/* the main parse routine */ -int gen_parse(TALLOC_CTX *mem_ctx, const struct parse_struct *pinfo, char *data, const char *s) -{ - char *str, *s0; - - s0 = strdup(s); - str = s0; - - while (*str) { - char *p; - char *name; - char *value; - - /* skip leading whitespace */ - while (isspace(*str)) str++; - - p = strchr(str, '='); - if (!p) break; - value = p+1; - while (p > str && isspace(*(p-1))) { - p--; - } - - *p = 0; - name = str; - - while (isspace(*value)) value++; - - if (*value == '{') { - str = match_braces(value, '}'); - value++; - } else { - str = match_braces(value, '\n'); - } - - *str++ = 0; - - if (gen_parse_one(mem_ctx, pinfo, name, data, value) != 0) { - free(s0); - return -1; - } - } - - free(s0); - return 0; -} - - - -/* for convenience supply some standard dumpers and parsers here */ - -int gen_parse_char(TALLOC_CTX *mem_ctx, char *ptr, const char *str) -{ - *(unsigned char *)ptr = atoi(str); - return 0; -} - -int gen_parse_int(TALLOC_CTX *mem_ctx, char *ptr, const char *str) -{ - *(int *)ptr = atoi(str); - return 0; -} - -int gen_parse_unsigned(TALLOC_CTX *mem_ctx, char *ptr, const char *str) -{ - *(unsigned *)ptr = strtoul(str, NULL, 10); - return 0; -} - -int gen_parse_time_t(TALLOC_CTX *mem_ctx, char *ptr, const char *str) -{ - *(time_t *)ptr = strtoul(str, NULL, 10); - return 0; -} - -int gen_parse_double(TALLOC_CTX *mem_ctx, char *ptr, const char *str) -{ - *(double *)ptr = atof(str); - return 0; -} - -int gen_parse_float(TALLOC_CTX *mem_ctx, char *ptr, const char *str) -{ - *(float *)ptr = atof(str); - return 0; -} - -int gen_dump_char(TALLOC_CTX *mem_ctx, struct parse_string *p, const char *ptr, unsigned indent) -{ - return addshort(mem_ctx, p, "%u", *(unsigned char *)(ptr)); -} - -int gen_dump_int(TALLOC_CTX *mem_ctx, struct parse_string *p, const char *ptr, unsigned indent) -{ - return addshort(mem_ctx, p, "%d", *(int *)(ptr)); -} - -int gen_dump_unsigned(TALLOC_CTX *mem_ctx, struct parse_string *p, const char *ptr, unsigned indent) -{ - return addshort(mem_ctx, p, "%u", *(unsigned *)(ptr)); -} - -int gen_dump_time_t(TALLOC_CTX *mem_ctx, struct parse_string *p, const char *ptr, unsigned indent) -{ - return addshort(mem_ctx, p, "%u", *(time_t *)(ptr)); -} - -int gen_dump_double(TALLOC_CTX *mem_ctx, struct parse_string *p, const char *ptr, unsigned indent) -{ - return addshort(mem_ctx, p, "%lg", *(double *)(ptr)); -} - -int gen_dump_float(TALLOC_CTX *mem_ctx, struct parse_string *p, const char *ptr, unsigned indent) -{ - return addshort(mem_ctx, p, "%g", *(float *)(ptr)); -} diff --git a/source4/lib/genparser_samba.c b/source4/lib/genparser_samba.c deleted file mode 100644 index bece587747..0000000000 --- a/source4/lib/genparser_samba.c +++ /dev/null @@ -1,200 +0,0 @@ -/* - Copyright (C) Andrew Tridgell <genstruct@tridgell.net> 2002 - Copyright (C) Simo Sorce <idra@samba.org> 2002 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -*/ - -#include "includes.h" -#include "genparser_samba.h" - -/* PARSE functions */ - -int gen_parse_uint8(TALLOC_CTX *mem_ctx, char *ptr, const char *str) -{ - *(uint8 *)ptr = atoi(str); - return 0; -} - -int gen_parse_uint16(TALLOC_CTX *mem_ctx, char *ptr, const char *str) -{ - *(uint16 *)ptr = atoi(str); - return 0; -} - -int gen_parse_uint32(TALLOC_CTX *mem_ctx, char *ptr, const char *str) -{ - *(uint32 *)ptr = strtoul(str, NULL, 10); - return 0; -} - -int gen_parse_NTTIME(TALLOC_CTX *mem_ctx, char *ptr, const char *str) -{ - if(sscanf(str, "%u,%u", &(((NTTIME *)(ptr))->high), &(((NTTIME *)(ptr))->low)) != 2) { - errno = EINVAL; - return -1; - } - return 0; -} - -int gen_parse_DOM_SID(TALLOC_CTX *mem_ctx, char *ptr, const char *str) -{ - if(!string_to_sid((DOM_SID *)ptr, str)) return -1; - return 0; -} - -int gen_parse_SEC_ACCESS(TALLOC_CTX *mem_ctx, char *ptr, const char *str) -{ - ((SEC_ACCESS *)ptr)->mask = strtoul(str, NULL, 10); - return 0; -} - -int gen_parse_GUID(TALLOC_CTX *mem_ctx, char *ptr, const char *str) -{ - int info[GUID_SIZE]; - int i; - char *sc; - char *p; - char *m; - - m = strdup(str); - if (!m) return -1; - sc = m; - - memset(info, 0, sizeof(info)); - for (i = 0; i < GUID_SIZE; i++) { - p = strchr(sc, ','); - if (p != NULL) p = '\0'; - info[i] = atoi(sc); - if (p != NULL) sc = p + 1; - } - free(m); - - for (i = 0; i < GUID_SIZE; i++) { - ((GUID *)ptr)->info[i] = info[i]; - } - - return 0; -} - -int gen_parse_SEC_ACE(TALLOC_CTX *mem_ctx, char *ptr, const char *str) -{ - return gen_parse_struct(mem_ctx, pinfo_security_ace_info, ptr, str); -} - -int gen_parse_SEC_ACL(TALLOC_CTX *mem_ctx, char *ptr, const char *str) -{ - return gen_parse_struct(mem_ctx, pinfo_security_acl_info, ptr, str); -} - -int gen_parse_SEC_DESC(TALLOC_CTX *mem_ctx, char *ptr, const char *str) -{ - return gen_parse_struct(mem_ctx, pinfo_security_descriptor_info, ptr, str); -} - -int gen_parse_LUID_ATTR(TALLOC_CTX *mem_ctx, char *ptr, const char *str) -{ - return gen_parse_struct(mem_ctx, pinfo_luid_attr_info, ptr, str); -} - -int gen_parse_LUID(TALLOC_CTX *mem_ctx, char *ptr, const char *str) -{ - if(sscanf(str, "%u,%u", &(((LUID *)(ptr))->high), &(((LUID *)(ptr))->low)) != 2) { - errno = EINVAL; - return -1; - } - return 0; -} - - - -/* DUMP functions */ - -int gen_dump_uint8(TALLOC_CTX *mem_ctx, struct parse_string *p, const char *ptr, unsigned indent) -{ - return addshort(mem_ctx, p, "%u", *(uint8 *)(ptr)); -} - -int gen_dump_uint16(TALLOC_CTX *mem_ctx, struct parse_string *p, const char *ptr, unsigned indent) -{ - return addshort(mem_ctx, p, "%u", *(uint16 *)(ptr)); -} - -int gen_dump_uint32(TALLOC_CTX *mem_ctx, struct parse_string *p, const char *ptr, unsigned indent) -{ - return addshort(mem_ctx, p, "%u", *(uint32 *)(ptr)); -} - -int gen_dump_NTTIME(TALLOC_CTX *mem_ctx, struct parse_string *p, const char *ptr, unsigned indent) -{ - uint32 low, high; - - high = ((NTTIME *)(ptr))->high; - low = ((NTTIME *)(ptr))->low; - return addshort(mem_ctx, p, "%u,%u", high, low); -} - -int gen_dump_DOM_SID(TALLOC_CTX *mem_ctx, struct parse_string *p, const char *ptr, unsigned indent) -{ - fstring sidstr; - - sid_to_string(sidstr, (DOM_SID *)ptr); - return addstr(mem_ctx, p, sidstr); -} - -int gen_dump_SEC_ACCESS(TALLOC_CTX *mem_ctx, struct parse_string *p, const char *ptr, unsigned indent) -{ - return addshort(mem_ctx, p, "%u", ((SEC_ACCESS *)ptr)->mask); -} - -int gen_dump_GUID(TALLOC_CTX *mem_ctx, struct parse_string *p, const char *ptr, unsigned indent) -{ - int i, r; - - for (i = 0; i < (GUID_SIZE - 1); i++) { - if (!(r = addshort(mem_ctx, p, "%d,", ((GUID *)ptr)->info[i]))) return r; - } - return addshort(mem_ctx, p, "%d", ((GUID *)ptr)->info[i]); -} - -int gen_dump_SEC_ACE(TALLOC_CTX *mem_ctx, struct parse_string *p, const char *ptr, unsigned indent) -{ - return gen_dump_struct(mem_ctx, pinfo_security_ace_info, p, ptr, indent); -} - -int gen_dump_SEC_ACL(TALLOC_CTX *mem_ctx, struct parse_string *p, const char *ptr, unsigned indent) -{ - return gen_dump_struct(mem_ctx, pinfo_security_acl_info, p, ptr, indent); -} - -int gen_dump_SEC_DESC(TALLOC_CTX *mem_ctx, struct parse_string *p, const char *ptr, unsigned indent) -{ - return gen_dump_struct(mem_ctx, pinfo_security_descriptor_info, p, ptr, indent); -} - -int gen_dump_LUID_ATTR(TALLOC_CTX *mem_ctx, struct parse_string *p, const char *ptr, unsigned indent) -{ - return gen_dump_struct(mem_ctx, pinfo_luid_attr_info, p, ptr, indent); -} - -int gen_dump_LUID(TALLOC_CTX *mem_ctx, struct parse_string *p, const char *ptr, unsigned indent) -{ - uint32 low, high; - - high = ((LUID *)(ptr))->high; - low = ((LUID *)(ptr))->low; - return addshort(mem_ctx, p, "%u,%u", high, low); -} - diff --git a/source4/lib/tdb/tdbutil.c b/source4/lib/tdb/tdbutil.c index f0fa048bb6..62841ddfc2 100644 --- a/source4/lib/tdb/tdbutil.c +++ b/source4/lib/tdb/tdbutil.c @@ -621,68 +621,6 @@ int tdb_unpack(TDB_CONTEXT *tdb, char *buf, int bufsize, const char *fmt, ...) return -1; } - -/** - * Pack SID passed by pointer - * - * @param pack_buf pointer to buffer which is to be filled with packed data - * @param bufsize size of packing buffer - * @param sid pointer to sid to be packed - * - * @return length of the packed representation of the whole structure - **/ -size_t tdb_sid_pack(TDB_CONTEXT *tdb, char* pack_buf, int bufsize, DOM_SID* sid) -{ - int idx; - size_t len = 0; - - if (!sid || !pack_buf) return -1; - - len += tdb_pack(tdb, pack_buf + len, bufsize - len, "bb", sid->sid_rev_num, - sid->num_auths); - - for (idx = 0; idx < 6; idx++) { - len += tdb_pack(tdb, pack_buf + len, bufsize - len, "b", sid->id_auth[idx]); - } - - for (idx = 0; idx < MAXSUBAUTHS; idx++) { - len += tdb_pack(tdb, pack_buf + len, bufsize - len, "d", sid->sub_auths[idx]); - } - - return len; -} - - -/** - * Unpack SID into a pointer - * - * @param pack_buf pointer to buffer with packed representation - * @param bufsize size of the buffer - * @param sid pointer to sid structure to be filled with unpacked data - * - * @return size of structure unpacked from buffer - **/ -size_t tdb_sid_unpack(TDB_CONTEXT *tdb, char* pack_buf, int bufsize, DOM_SID* sid) -{ - int idx, len = 0; - - if (!sid || !pack_buf) return -1; - - len += tdb_unpack(tdb, pack_buf + len, bufsize - len, "bb", - &sid->sid_rev_num, &sid->num_auths); - - for (idx = 0; idx < 6; idx++) { - len += tdb_unpack(tdb, pack_buf + len, bufsize - len, "b", &sid->id_auth[idx]); - } - - for (idx = 0; idx < MAXSUBAUTHS; idx++) { - len += tdb_unpack(tdb, pack_buf + len, bufsize - len, "d", &sid->sub_auths[idx]); - } - - return len; -} - - /**************************************************************************** Print out debug messages. ****************************************************************************/ diff --git a/source4/lib/util_seaccess.c b/source4/lib/util_seaccess.c deleted file mode 100644 index 9d56a0d850..0000000000 --- a/source4/lib/util_seaccess.c +++ /dev/null @@ -1,490 +0,0 @@ -/* - Unix SMB/CIFS implementation. - Copyright (C) Luke Kenneth Casson Leighton 1996-2000. - Copyright (C) Tim Potter 2000. - Copyright (C) Re-written by Jeremy Allison 2000. - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -*/ - -#error SAMBA4 clean up -#error this file should be (re)moved -#error and all unused stuff should go - -#include "includes.h" - -extern DOM_SID global_sid_Builtin; - -/********************************************************************************** - Check if this ACE has a SID in common with the token. -**********************************************************************************/ - -static BOOL token_sid_in_ace(const NT_USER_TOKEN *token, const SEC_ACE *ace) -{ - size_t i; - - for (i = 0; i < token->num_sids; i++) { - if (sid_equal(&ace->trustee, &token->user_sids[i])) - return True; - } - - return False; -} - -/********************************************************************************* - Check an ACE against a SID. We return the remaining needed permission - bits not yet granted. Zero means permission allowed (no more needed bits). -**********************************************************************************/ - -static uint32 check_ace(SEC_ACE *ace, const NT_USER_TOKEN *token, uint32 acc_desired, - NTSTATUS *status) -{ - uint32 mask = ace->info.mask; - - /* - * Inherit only is ignored. - */ - - if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) { - return acc_desired; - } - - /* - * If this ACE has no SID in common with the token, - * ignore it as it cannot be used to make an access - * determination. - */ - - if (!token_sid_in_ace( token, ace)) - return acc_desired; - - switch (ace->type) { - case SEC_ACE_TYPE_ACCESS_ALLOWED: - /* - * This is explicitly allowed. - * Remove the bits from the remaining - * access required. Return the remaining - * bits needed. - */ - acc_desired &= ~mask; - break; - case SEC_ACE_TYPE_ACCESS_DENIED: - /* - * This is explicitly denied. - * If any bits match terminate here, - * we are denied. - */ - if (acc_desired & mask) { - *status = NT_STATUS_ACCESS_DENIED; - return 0xFFFFFFFF; - } - break; - case SEC_ACE_TYPE_SYSTEM_ALARM: - case SEC_ACE_TYPE_SYSTEM_AUDIT: - *status = NT_STATUS_NOT_IMPLEMENTED; - return 0xFFFFFFFF; - default: - *status = NT_STATUS_INVALID_PARAMETER; - return 0xFFFFFFFF; - } - - return acc_desired; -} - -/********************************************************************************* - Maximum access was requested. Calculate the max possible. Fail if it doesn't - include other bits requested. -**********************************************************************************/ - -static BOOL get_max_access( SEC_ACL *the_acl, const NT_USER_TOKEN *token, uint32 *granted, - uint32 desired, - NTSTATUS *status) -{ - uint32 acc_denied = 0; - uint32 acc_granted = 0; - size_t i; - - for ( i = 0 ; i < the_acl->num_aces; i++) { - SEC_ACE *ace = &the_acl->ace[i]; - uint32 mask = ace->info.mask; - - if (!token_sid_in_ace( token, ace)) - continue; - - switch (ace->type) { - case SEC_ACE_TYPE_ACCESS_ALLOWED: - acc_granted |= (mask & ~acc_denied); - break; - case SEC_ACE_TYPE_ACCESS_DENIED: - acc_denied |= (mask & ~acc_granted); - break; - case SEC_ACE_TYPE_SYSTEM_ALARM: - case SEC_ACE_TYPE_SYSTEM_AUDIT: - *status = NT_STATUS_NOT_IMPLEMENTED; - *granted = 0; - return False; - default: - *status = NT_STATUS_INVALID_PARAMETER; - *granted = 0; - return False; - } - } - - /* - * If we were granted no access, or we desired bits that we - * didn't get, then deny. - */ - - if ((acc_granted == 0) || ((acc_granted & desired) != desired)) { - *status = NT_STATUS_ACCESS_DENIED; - *granted = 0; - return False; - } - - /* - * Return the access we did get. - */ - - *granted = acc_granted; - *status = NT_STATUS_OK; - return True; -} - -/* Map generic access rights to object specific rights. This technique is - used to give meaning to assigning read, write, execute and all access to - objects. Each type of object has its own mapping of generic to object - specific access rights. */ - -void se_map_generic(uint32 *access_mask, struct generic_mapping *mapping) -{ - uint32 old_mask = *access_mask; - - if (*access_mask & GENERIC_READ_ACCESS) { - *access_mask &= ~GENERIC_READ_ACCESS; - *access_mask |= mapping->generic_read; - } - - if (*access_mask & GENERIC_WRITE_ACCESS) { - *access_mask &= ~GENERIC_WRITE_ACCESS; - *access_mask |= mapping->generic_write; - } - - if (*access_mask & GENERIC_EXECUTE_ACCESS) { - *access_mask &= ~GENERIC_EXECUTE_ACCESS; - *access_mask |= mapping->generic_execute; - } - - if (*access_mask & GENERIC_ALL_ACCESS) { - *access_mask &= ~GENERIC_ALL_ACCESS; - *access_mask |= mapping->generic_all; - } - - if (old_mask != *access_mask) { - DEBUG(10, ("se_map_generic(): mapped mask 0x%08x to 0x%08x\n", - old_mask, *access_mask)); - } -} - -/* Map standard access rights to object specific rights. This technique is - used to give meaning to assigning read, write, execute and all access to - objects. Each type of object has its own mapping of standard to object - specific access rights. */ - -void se_map_standard(uint32 *access_mask, struct standard_mapping *mapping) -{ - uint32 old_mask = *access_mask; - - if (*access_mask & READ_CONTROL_ACCESS) { - *access_mask &= ~READ_CONTROL_ACCESS; - *access_mask |= mapping->std_read; - } - - if (*access_mask & (DELETE_ACCESS|WRITE_DAC_ACCESS|WRITE_OWNER_ACCESS|SYNCHRONIZE_ACCESS)) { - *access_mask &= ~(DELETE_ACCESS|WRITE_DAC_ACCESS|WRITE_OWNER_ACCESS|SYNCHRONIZE_ACCESS); - *access_mask |= mapping->std_all; - } - - if (old_mask != *access_mask) { - DEBUG(10, ("se_map_standard(): mapped mask 0x%08x to 0x%08x\n", - old_mask, *access_mask)); - } -} - -/***************************************************************************** - Check access rights of a user against a security descriptor. Look at - each ACE in the security descriptor until an access denied ACE denies - any of the desired rights to the user or any of the users groups, or one - or more ACEs explicitly grant all requested access rights. See - "Access-Checking" document in MSDN. -*****************************************************************************/ - -BOOL se_access_check(const SEC_DESC *sd, const NT_USER_TOKEN *token, - uint32 acc_desired, uint32 *acc_granted, - NTSTATUS *status) -{ - extern NT_USER_TOKEN anonymous_token; - size_t i; - SEC_ACL *the_acl; - fstring sid_str; - uint32 tmp_acc_desired = acc_desired; - - if (!status || !acc_granted) - return False; - - if (!token) - token = &anonymous_token; - - *status = NT_STATUS_OK; - *acc_granted = 0; - - DEBUG(10,("se_access_check: requested access 0x%08x, for NT token with %u entries and first sid %s.\n", - (unsigned int)acc_desired, (unsigned int)token->num_sids, - sid_to_string(sid_str, &token->user_sids[0]))); - - /* - * No security descriptor or security descriptor with no DACL - * present allows all access. - */ - - /* ACL must have something in it */ - - if (!sd || (sd && (!(sd->type & SEC_DESC_DACL_PRESENT) || sd->dacl == NULL))) { - *status = NT_STATUS_OK; - *acc_granted = acc_desired; - DEBUG(5, ("se_access_check: no sd or blank DACL, access allowed\n")); - return True; - } - - /* The user sid is the first in the token */ - if (DEBUGLVL(3)) { - DEBUG(3, ("se_access_check: user sid is %s\n", sid_to_string(sid_str, &token->user_sids[PRIMARY_USER_SID_INDEX]) )); - - for (i = 1; i < token->num_sids; i++) { - DEBUGADD(3, ("se_access_check: also %s\n", - sid_to_string(sid_str, &token->user_sids[i]))); - } - } - - /* Is the token the owner of the SID ? */ - - if (sd->owner_sid) { - for (i = 0; i < token->num_sids; i++) { - if (sid_equal(&token->user_sids[i], sd->owner_sid)) { - /* - * The owner always has SEC_RIGHTS_WRITE_DAC & READ_CONTROL. - */ - if (tmp_acc_desired & WRITE_DAC_ACCESS) - tmp_acc_desired &= ~WRITE_DAC_ACCESS; - if (tmp_acc_desired & READ_CONTROL_ACCESS) - tmp_acc_desired &= ~READ_CONTROL_ACCESS; - } - } - } - - the_acl = sd->dacl; - - if (tmp_acc_desired & MAXIMUM_ALLOWED_ACCESS) { - tmp_acc_desired &= ~MAXIMUM_ALLOWED_ACCESS; - return get_max_access( the_acl, token, acc_granted, tmp_acc_desired, - status); - } - - for ( i = 0 ; i < the_acl->num_aces && tmp_acc_desired != 0; i++) { - SEC_ACE *ace = &the_acl->ace[i]; - - DEBUGADD(10,("se_access_check: ACE %u: type %d, flags = 0x%02x, SID = %s mask = %x, current desired = %x\n", - (unsigned int)i, ace->type, ace->flags, - sid_to_string(sid_str, &ace->trustee), - (unsigned int) ace->info.mask, - (unsigned int)tmp_acc_desired )); - - tmp_acc_desired = check_ace( ace, token, tmp_acc_desired, status); - if (NT_STATUS_V(*status)) { - *acc_granted = 0; - DEBUG(5,("se_access_check: ACE %u denied with status %s.\n", (unsigned int)i, nt_errstr(*status))); - return False; - } - } - - /* - * If there are no more desired permissions left then - * access was allowed. - */ - - if (tmp_acc_desired == 0) { - *acc_granted = acc_desired; - *status = NT_STATUS_OK; - DEBUG(5,("se_access_check: access (%x) granted.\n", (unsigned int)acc_desired )); - return True; - } - - *acc_granted = 0; - *status = NT_STATUS_ACCESS_DENIED; - DEBUG(5,("se_access_check: access (%x) denied.\n", (unsigned int)acc_desired )); - return False; -} - -/* Create a child security descriptor using another security descriptor as - the parent container. This child object can either be a container or - non-container object. */ - -SEC_DESC_BUF *se_create_child_secdesc(TALLOC_CTX *ctx, SEC_DESC *parent_ctr, - BOOL child_container) -{ - SEC_DESC_BUF *sdb; - SEC_DESC *sd; - SEC_ACL *new_dacl, *the_acl; - SEC_ACE *new_ace_list = NULL; - unsigned int new_ace_list_ndx = 0, i; - size_t size; - - /* Currently we only process the dacl when creating the child. The - sacl should also be processed but this is left out as sacls are - not implemented in Samba at the moment.*/ - - the_acl = parent_ctr->dacl; - - if (!(new_ace_list = talloc(ctx, sizeof(SEC_ACE) * the_acl->num_aces))) - return NULL; - - for (i = 0; the_acl && i < the_acl->num_aces; i++) { - SEC_ACE *ace = &the_acl->ace[i]; - SEC_ACE *new_ace = &new_ace_list[new_ace_list_ndx]; - uint8 new_flags = 0; - BOOL inherit = False; - fstring sid_str; - - /* The OBJECT_INHERIT_ACE flag causes the ACE to be - inherited by non-container children objects. Container - children objects will inherit it as an INHERIT_ONLY - ACE. */ - - if (ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT) { - - if (!child_container) { - new_flags |= SEC_ACE_FLAG_OBJECT_INHERIT; - } else { - new_flags |= SEC_ACE_FLAG_INHERIT_ONLY; - } - - inherit = True; - } - - /* The CONAINER_INHERIT_ACE flag means all child container - objects will inherit and use the ACE. */ - - if (ace->flags & SEC_ACE_FLAG_CONTAINER_INHERIT) { - if (!child_container) { - inherit = False; - } else { - new_flags |= SEC_ACE_FLAG_CONTAINER_INHERIT; - } - } - - /* The INHERIT_ONLY_ACE is not used by the se_access_check() - function for the parent container, but is inherited by - all child objects as a normal ACE. */ - - if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) { - /* Move along, nothing to see here */ - } - - /* The SEC_ACE_FLAG_NO_PROPAGATE_INHERIT flag means the ACE - is inherited by child objects but not grandchildren - objects. We clear the object inherit and container - inherit flags in the inherited ACE. */ - - if (ace->flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT) { - new_flags &= ~(SEC_ACE_FLAG_OBJECT_INHERIT | - SEC_ACE_FLAG_CONTAINER_INHERIT); - } - - /* Add ACE to ACE list */ - - if (!inherit) - continue; - - init_sec_access(&new_ace->info, ace->info.mask); - init_sec_ace(new_ace, &ace->trustee, ace->type, - new_ace->info, new_flags); - - sid_to_string(sid_str, &ace->trustee); - - DEBUG(5, ("se_create_child_secdesc(): %s:%d/0x%02x/0x%08x " - " inherited as %s:%d/0x%02x/0x%08x\n", sid_str, - ace->type, ace->flags, ace->info.mask, - sid_str, new_ace->type, new_ace->flags, - new_ace->info.mask)); - - new_ace_list_ndx++; - } - - /* Create child security descriptor to return */ - - new_dacl = make_sec_acl(ctx, ACL_REVISION, new_ace_list_ndx, new_ace_list); - - /* Use the existing user and group sids. I don't think this is - correct. Perhaps the user and group should be passed in as - parameters by the caller? */ - - sd = make_sec_desc(ctx, SEC_DESC_REVISION, - parent_ctr->owner_sid, - parent_ctr->grp_sid, - parent_ctr->sacl, - new_dacl, &size); - - sdb = make_sec_desc_buf(ctx, size, sd); - - return sdb; -} - -/******************************************************************* - samr_make_sam_obj_sd - ********************************************************************/ - -NTSTATUS samr_make_sam_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd_size) -{ - extern DOM_SID global_sid_World; - DOM_SID adm_sid; - DOM_SID act_sid; - - SEC_ACE ace[3]; - SEC_ACCESS mask; - - SEC_ACL *psa = NULL; - - sid_copy(&adm_sid, &global_sid_Builtin); - sid_append_rid(&adm_sid, BUILTIN_ALIAS_RID_ADMINS); - - sid_copy(&act_sid, &global_sid_Builtin); - sid_append_rid(&act_sid, BUILTIN_ALIAS_RID_ACCOUNT_OPS); - - /*basic access for every one*/ - init_sec_access(&mask, GENERIC_RIGHTS_SAM_EXECUTE | GENERIC_RIGHTS_SAM_READ); - init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); - - /*full access for builtin aliases Administrators and Account Operators*/ - init_sec_access(&mask, GENERIC_RIGHTS_SAM_ALL_ACCESS); - init_sec_ace(&ace[1], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); - init_sec_ace(&ace[2], &act_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); - - if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, 3, ace)) == NULL) - return NT_STATUS_NO_MEMORY; - - if ((*psd = make_sec_desc(ctx, SEC_DESC_REVISION, NULL, NULL, NULL, psa, sd_size)) == NULL) - return NT_STATUS_NO_MEMORY; - - return NT_STATUS_OK; -} diff --git a/source4/lib/util_sid.c b/source4/lib/util_sid.c index 5ce72a6f51..56f5abd611 100644 --- a/source4/lib/util_sid.c +++ b/source4/lib/util_sid.c @@ -289,7 +289,7 @@ size_t sid_size(const struct dom_sid *sid) } /***************************************************************** - Return the binary string representation of a DOM_SID. + Return the binary string representation of a struct dom_sid. Caller must free. *****************************************************************/ diff --git a/source4/passdb/secrets.c b/source4/passdb/secrets.c index c400caaaa4..8d66572acd 100644 --- a/source4/passdb/secrets.c +++ b/source4/passdb/secrets.c @@ -52,7 +52,7 @@ BOOL secrets_init(void) /* read a entry from the secrets database - the caller must free the result if size is non-null then the size of the entry is put in there */ -void *secrets_fetch(const char *key, size_t *size) +static void *secrets_fetch(const char *key, size_t *size) { TDB_DATA kbuf, dbuf; secrets_init(); @@ -67,338 +67,6 @@ void *secrets_fetch(const char *key, size_t *size) return dbuf.dptr; } -/* store a secrets entry - */ -BOOL secrets_store(const char *key, const void *data, size_t size) -{ - TDB_DATA kbuf, dbuf; - int ret; - - secrets_init(); - if (!tdb) - return False; - kbuf.dptr = strdup(key); - kbuf.dsize = strlen(key); - dbuf.dptr = memdup(data, size); - dbuf.dsize = size; - - ret = tdb_store(tdb, kbuf, dbuf, TDB_REPLACE); - - free(kbuf.dptr); - free(dbuf.dptr); - - return ret == 0; -} - - -/* delete a secets database entry - */ -BOOL secrets_delete(const char *key) -{ - TDB_DATA kbuf; - int ret; - - secrets_init(); - if (!tdb) - return False; - kbuf.dptr = strdup(key); - kbuf.dsize = strlen(key); - ret = tdb_delete(tdb, kbuf); - free(kbuf.dptr); - return ret == 0; -} - -BOOL secrets_store_domain_sid(const char *domain, const DOM_SID *sid) -{ - fstring key; - - slprintf(key, sizeof(key)-1, "%s/%s", SECRETS_DOMAIN_SID, domain); - strupper(key); - return secrets_store(key, sid, sizeof(DOM_SID)); -} - -BOOL secrets_fetch_domain_sid(const char *domain, DOM_SID *sid) -{ - DOM_SID *dyn_sid; - fstring key; - size_t size; - - slprintf(key, sizeof(key)-1, "%s/%s", SECRETS_DOMAIN_SID, domain); - strupper(key); - dyn_sid = (DOM_SID *)secrets_fetch(key, &size); - - if (dyn_sid == NULL) - return False; - - if (size != sizeof(DOM_SID)) - { - SAFE_FREE(dyn_sid); - return False; - } - - *sid = *dyn_sid; - SAFE_FREE(dyn_sid); - return True; -} - -BOOL secrets_store_domain_guid(const char *domain, struct GUID *guid) -{ - const char *s; - fstring key; - TALLOC_CTX *mem_ctx; - BOOL ret; - - mem_ctx = talloc_init("secrets_store_domain_guid"); - if (!mem_ctx) { - return False; - } - - s = GUID_string(mem_ctx, guid); - if (!s) { - talloc_destroy(mem_ctx); - return False; - } - - - slprintf(key, sizeof(key)-1, "%s/%s", SECRETS_DOMAIN_GUID, domain); - strupper(key); - ret = secrets_store(key, s, strlen(s)+1); - - talloc_destroy(mem_ctx); - return ret; -} - -BOOL secrets_fetch_domain_guid(const char *domain, struct GUID *guid) -{ - char *dyn_guid; - fstring key; - size_t size; - struct GUID new_guid; - NTSTATUS status; - - slprintf(key, sizeof(key)-1, "%s/%s", SECRETS_DOMAIN_GUID, domain); - strupper(key); - dyn_guid = secrets_fetch(key, &size); - - DEBUG(6,("key is %s, size is %d\n", key, (int)size)); - - if ((NULL == dyn_guid) && (ROLE_DOMAIN_PDC == lp_server_role())) { - uuid_generate_random(&new_guid); - if (!secrets_store_domain_guid(domain, &new_guid)) - return False; - dyn_guid = secrets_fetch(key, &size); - if (dyn_guid == NULL) - return False; - } - - status = GUID_from_string(dyn_guid, guid); - SAFE_FREE(dyn_guid); - - if (!NT_STATUS_IS_OK(status)) { - return False; - } - - return True; -} - -/** - * Form a key for fetching the machine trust account password - * - * @param domain domain name - * - * @return stored password's key - **/ -const char *trust_keystr(const char *domain) -{ - static fstring keystr; - - slprintf(keystr,sizeof(keystr)-1,"%s/%s", - SECRETS_MACHINE_ACCT_PASS, domain); - strupper(keystr); - - return keystr; -} - -/** - * Form a key for fetching a trusted domain password - * - * @param domain trusted domain name - * - * @return stored password's key - **/ -char *trustdom_keystr(const char *domain) -{ - static char* keystr; - - asprintf(&keystr, "%s/%s", SECRETS_DOMTRUST_ACCT_PASS, domain); - strupper(keystr); - - return keystr; -} - -/************************************************************************ - Lock the trust password entry. -************************************************************************/ - -BOOL secrets_lock_trust_account_password(const char *domain, BOOL dolock) -{ - if (!tdb) - return False; - - if (dolock) - return (tdb_lock_bystring(tdb, trust_keystr(domain),0) == 0); - else - tdb_unlock_bystring(tdb, trust_keystr(domain)); - return True; -} - -/************************************************************************ - Routine to get the trust account password for a domain. - The user of this function must have locked the trust password file using - the above call. -************************************************************************/ - -BOOL secrets_fetch_trust_account_password(const char *domain, uint8 ret_pwd[16], - time_t *pass_last_set_time) -{ - struct machine_acct_pass *pass; - char *plaintext; - size_t size; - - plaintext = secrets_fetch_machine_password(); - if (plaintext) { - /* we have an ADS password - use that */ - DEBUG(4,("Using ADS machine password\n")); - E_md4hash(plaintext, ret_pwd); - SAFE_FREE(plaintext); - pass_last_set_time = 0; - return True; - } - - if (!(pass = secrets_fetch(trust_keystr(domain), &size))) { - DEBUG(5, ("secrets_fetch failed!\n")); - return False; - } - - if (size != sizeof(*pass)) { - DEBUG(0, ("secrets were of incorrect size!\n")); - return False; - } - - if (pass_last_set_time) *pass_last_set_time = pass->mod_time; - memcpy(ret_pwd, pass->hash, 16); - SAFE_FREE(pass); - return True; -} - -/************************************************************************ - Routine to get account password to trusted domain -************************************************************************/ - -BOOL secrets_fetch_trusted_domain_password(const char *domain, char** pwd, - DOM_SID *sid, time_t *pass_last_set_time) -{ - struct trusted_dom_pass *pass; - size_t size; - - /* fetching trusted domain password structure */ - if (!(pass = secrets_fetch(trustdom_keystr(domain), &size))) { - DEBUG(5, ("secrets_fetch failed!\n")); - return False; - } - - if (size != sizeof(*pass)) { - DEBUG(0, ("secrets were of incorrect size!\n")); - return False; - } - - /* the trust's password */ - if (pwd) { - *pwd = strdup(pass->pass); - if (!*pwd) { - return False; - } - } - - /* last change time */ - if (pass_last_set_time) *pass_last_set_time = pass->mod_time; - - /* domain sid */ - memcpy(&sid, &(pass->domain_sid), sizeof(sid)); - - SAFE_FREE(pass); - - return True; -} - -/************************************************************************ - Routine to set the trust account password for a domain. -************************************************************************/ - -BOOL secrets_store_trust_account_password(const char *domain, uint8 new_pwd[16]) -{ - struct machine_acct_pass pass; - - pass.mod_time = time(NULL); - memcpy(pass.hash, new_pwd, 16); - - return secrets_store(trust_keystr(domain), (void *)&pass, sizeof(pass)); -} - -/** - * Routine to set the password for trusted domain - * - * @param domain remote domain name - * @param pwd plain text password of trust relationship - * @param sid remote domain sid - * - * @return true if succeeded - **/ - -BOOL secrets_store_trusted_domain_password(const char* domain, smb_ucs2_t *uni_dom_name, - size_t uni_name_len, const char* pwd, - DOM_SID sid) -{ - struct trusted_dom_pass pass; - ZERO_STRUCT(pass); - - /* unicode domain name and its length */ - if (!uni_dom_name) - return False; - - strncpy_w(pass.uni_name, uni_dom_name, sizeof(pass.uni_name) - 1); - pass.uni_name_len = uni_name_len; - - /* last change time */ - pass.mod_time = time(NULL); - - /* password of the trust */ - pass.pass_len = strlen(pwd); - fstrcpy(pass.pass, pwd); - - /* domain sid */ - memcpy(&(pass.domain_sid), &sid, sizeof(sid)); - - return secrets_store(trustdom_keystr(domain), (void *)&pass, sizeof(pass)); -} - -/************************************************************************ - Routine to set the plaintext machine account password for a realm -the password is assumed to be a null terminated ascii string -************************************************************************/ - -BOOL secrets_store_machine_password(const char *pass) -{ - char *key; - BOOL ret; - asprintf(&key, "%s/%s", SECRETS_MACHINE_PASSWORD, lp_workgroup()); - strupper(key); - ret = secrets_store(key, pass, strlen(pass)+1); - free(key); - return ret; -} - - /************************************************************************ Routine to fetch the plaintext machine account password for a realm the password is assumed to be a null terminated ascii string @@ -416,41 +84,6 @@ char *secrets_fetch_machine_password(void) -/************************************************************************ - Routine to delete the machine trust account password file for a domain. -************************************************************************/ - -BOOL trust_password_delete(const char *domain) -{ - return secrets_delete(trust_keystr(domain)); -} - -/************************************************************************ - Routine to delete the password for trusted domain -************************************************************************/ - -BOOL trusted_domain_password_delete(const char *domain) -{ - return secrets_delete(trustdom_keystr(domain)); -} - - -BOOL secrets_store_ldap_pw(const char* dn, char* pw) -{ - char *key = NULL; - BOOL ret; - - if (asprintf(&key, "%s/%s", SECRETS_LDAP_BIND_PW, dn) < 0) { - DEBUG(0, ("secrets_store_ldap_pw: asprintf failed!\n")); - return False; - } - - ret = secrets_store(key, pw, strlen(pw)+1); - - SAFE_FREE(key); - return ret; -} - /******************************************************************************* Lock the secrets tdb based on a string - this is used as a primitive form of mutex between smbd instances. |