From 276364e2a4cee00f4521845347a0b0a371f6b0e6 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Tue, 12 Dec 2000 02:36:14 +0000
Subject: Removed the special casing of SIDs in se_access_check. This is now done (correctly) when the NT_USER_TOKEN is *created*. Jeremy. (This used to be commit 27d72ed1cf8ece2bede812341279ba5a7262ace4)
---
 source3/lib/util_seaccess.c | 33 ++--------------------------
 source3/lib/util_sid.c | 53 ++++++++++++++++++++++++++++++++++++---------
 2 files changed, 45 insertions(+), 41 deletions(-)
(limited to 'source3/lib')
diff --git a/source3/lib/util_seaccess.c b/source3/lib/util_seaccess.c
index 9aa2be4d2d..87d0f3bb68 100644
--- a/source3/lib/util_seaccess.c
+++ b/source3/lib/util_seaccess.c
@@ -26,36 +26,8 @@ extern int DEBUGLEVEL;
-/* Everyone = S-1-1-0 */
-
-static DOM_SID everyone_sid = {
- 1, /* sid_rev_num */
- 1, /* num_auths */
- { 0, 0, 0, 0, 0, 1}, /* id_auth[6] */
- { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0} /* sub_auth[15] */
-};
-
-/*
- * Guest token used when there is no NT_USER_TOKEN available.
- */
-
-/* Guest = S-1-5-32-546 */
-
-static DOM_SID guest_sid = {
- 1, /* sid_rev_num */
- 2, /* num_auths */
- { 0, 0, 0, 0, 0, 5}, /* id_auth[6] */
- { 32, 546, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0} /* sub_auth[15] */
-};
-
-static NT_USER_TOKEN guest_token = {
- 1,
- &guest_sid
-};
-
 /**********************************************************************************
 Check if this ACE has a SID in common with the token.
- The SID "Everyone" always matches.
 **********************************************************************************/
 static BOOL token_sid_in_ace( NT_USER_TOKEN *token, SEC_ACE *ace)
@@ -63,8 +35,6 @@ static BOOL token_sid_in_ace( NT_USER_TOKEN *token, SEC_ACE *ace)
 size_t i;
 for (i = 0; i < token->num_sids; i++) {
- if (sid_equal(&ace->sid, &everyone_sid))
- return True;
 if (sid_equal(&ace->sid, &token->user_sids[i]))
 return True;
 }
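Review bot: After the `everyone_sid` comparison is removed from the loop in `token_sid_in_ace`, an ACE for S-1-1-0 is honoured only when the token itself carries that SID, so every path that builds an NT_USER_TOKEN must add World explicitly; the commit message says token creation now does this, but nothing in this file records the dependency. Put the contract in the function's header comment, e.g. `Callers must supply a token that already contains S-1-1-0 (Everyone); it is no longer matched implicitly here.` A token with `num_sids == 0` now matches no ACE at all, which is a safe default but worth stating in the same comment. The enclosing function's opening brace and final return lie outside the hunk.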
@@ -200,10 +170,11 @@ static BOOL get_max_access( SEC_ACL *acl, NT_USER_TOKEN *token, uint32 *granted,
 BOOL se_access_check(SEC_DESC *sd, struct current_user *user, uint32 acc_desired, uint32 *acc_granted, uint32 *status)
 {
+ extern NT_USER_TOKEN anonymous_token;
 size_t i;
 SEC_ACL *acl;
 fstring sid_str;
- NT_USER_TOKEN *token = user->nt_user_token ? user->nt_user_token : &guest_token;
+ NT_USER_TOKEN *token = user->nt_user_token ? user->nt_user_token : &anonymous_token;
 uint32 tmp_acc_desired = acc_desired;
 if (!status || !acc_granted)
diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c
index 80254318c4..94144bbbd1 100644
--- a/source3/lib/util_sid.c
+++ b/source3/lib/util_sid.c
@@ -33,14 +33,17 @@ extern fstring global_myworkgroup;
 * Some useful sids
 */
-DOM_SID global_sid_Builtin; /* local well-known domain */
-DOM_SID global_sid_World_Domain; /* everyone */
-DOM_SID global_sid_World; /* everyone */
-DOM_SID global_sid_Creator_Owner_Domain; /* Creator Owner */
-DOM_SID global_sid_Creator_Owner; /* Creator Owner */
-DOM_SID global_sid_NT_Authority; /* NT Authority */
-DOM_SID global_sid_NULL; /* NULL sid */
-DOM_SID global_sid_Builtin_Guests;
+DOM_SID global_sid_Builtin; /* Local well-known domain */
+DOM_SID global_sid_World_Domain; /* Everyone domain */
+DOM_SID global_sid_World; /* Everyone */
+DOM_SID global_sid_Creator_Owner_Domain; /* Creator Owner domain */
+DOM_SID global_sid_Creator_Owner; /* Creator Owner */
+DOM_SID global_sid_NT_Authority; /* NT Authority */
+DOM_SID global_sid_NULL; /* NULL sid */
+DOM_SID global_sid_Builtin_Guests; /* Builtin guest users */
+DOM_SID global_sid_Authenticated_Users; /* All authenticated rids */
+DOM_SID global_sid_Network; /* Network rids */
+DOM_SID global_sid_Anonymous; /* Anonymous login */
 const DOM_SID *global_sid_everyone = &global_sid_World;
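Review bot: The fallback `&anonymous_token` in `se_access_check` is only meaningful once `generate_wellknown_sids()` has filled `anon_sid_array`; until then the three SIDs are zeroed static storage and a caller without a token matches no ACE, which is a deny but an undocumented one. State the ordering on the fallback line, e.g. `/* anonymous_token is filled in by generate_wellknown_sids(); a caller with no token is checked as Everyone/Network/Anonymous Logon. */`. The block-scope `extern NT_USER_TOKEN anonymous_token;` also sidesteps any header declaration, so the definition in util_sid.c and this use are never checked against each other; a declaration in the shared header would be the usual place. Note the behavioural shift: a token-less caller previously carried only BUILTIN\Guests (S-1-5-32-546) plus the implicit Everyone match, and now carries World, Network and Anonymous instead, so ACEs written for Guests no longer apply to it. se_access_check continues outside the hunk.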
@@ -51,12 +54,15 @@ typedef struct _known_sid_users {
 } known_sid_users;
 /* static known_sid_users no_users[] = {{0, 0, NULL}}; */
+
 static known_sid_users everyone_users[] = {
 { 0, SID_NAME_WKN_GRP, "Everyone" },
 {0, (enum SID_NAME_USE)0, NULL}};
+
 static known_sid_users creator_owner_users[] = {
 { 0, SID_NAME_ALIAS, "Creator Owner" },
 {0, (enum SID_NAME_USE)0, NULL}};
+
 static known_sid_users nt_authority_users[] = {
 { 1, SID_NAME_ALIAS, "Dialup" },
 { 2, SID_NAME_ALIAS, "Network"},
@@ -70,6 +76,10 @@ static known_sid_users nt_authority_users[] = {
 { 18, SID_NAME_ALIAS, "SYSTEM"},
 { 0, (enum SID_NAME_USE)0, NULL}};
+static known_sid_users builtin_users[] = {
+ { DOMAIN_USER_RID_ADMIN, SID_NAME_USER, "Administrator" },
+ { 0, (enum SID_NAME_USE)0, NULL}};
+
 static struct sid_name_map_info
 {
 DOM_SID *sid;
@@ -81,12 +91,24 @@ sid_name_map[] =
 { &global_sam_sid, global_myname, NULL},
 { &global_sam_sid, global_myworkgroup, NULL},
 { &global_sid_Builtin, "BUILTIN", NULL},
+ { &global_sid_Builtin, "", &builtin_users[0]},
 { &global_sid_World_Domain, "", &everyone_users[0] },
 { &global_sid_Creator_Owner_Domain, "", &creator_owner_users[0] },
 { &global_sid_NT_Authority, "NT Authority", &nt_authority_users[0] },
 { NULL, NULL, NULL}
 };
+/*
+ * An NT compatible anonymous token.
+ */
+
+static DOM_SID anon_sid_array[3];
+
+NT_USER_TOKEN anonymous_token = {
+ 3,
+ anon_sid_array
+};
+
 /****************************************************************************
 Creates some useful well known sids
 ****************************************************************************/
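Review bot: `builtin_users` places `DOMAIN_USER_RID_ADMIN` with type `SID_NAME_USER` under `global_sid_Builtin`; if that SID is the usual S-1-5-32, this names S-1-5-32-500 "Administrator", but RID 500 is a SAM-domain user RID while the BUILTIN domain's administrators are the alias RID 544 ("Administrators", `SID_NAME_ALIAS`). Whichever was meant, the entry should say so, e.g. `/* RID 500 is a domain user RID; BUILTIN's well-known members are aliases such as 544 Administrators. */`, or the row should hang off the `global_sam_sid` entries instead. The new `{ &global_sid_Builtin, "", &builtin_users[0]}` row in the `sid_name_map` hunk below also gives `global_sid_Builtin` two entries, one named "BUILTIN" and one named ""; which of them a SID-to-name lookup returns depends on code not in this diff, so that is worth confirming.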
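Review bot: `anonymous_token` hard-codes `3` independently of `anon_sid_array[3]` and of the three fixed-index `sid_copy` calls in the `generate_wellknown_sids` hunk; if one of the three is changed without the others a SID is silently left zeroed or the copy writes past the array. Derive the count from the array, `NT_USER_TOKEN anonymous_token = { sizeof(anon_sid_array) / sizeof(anon_sid_array[0]), anon_sid_array };`, so at least the count and the storage cannot drift apart. The comment block above the definition should also say what the token holds and when it becomes valid, e.g. `/* An NT compatible anonymous token: Everyone, Network, Anonymous Logon. The SIDs are zero until generate_wellknown_sids() runs. */`. Because the token is a writable global consulted by every access check, any later code that modifies `anon_sid_array` changes the rights of every anonymous caller, which the same comment could warn against.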
@@ -101,6 +123,14 @@ void generate_wellknown_sids(void)
 string_to_sid(&global_sid_Creator_Owner, "S-1-3-0");
 string_to_sid(&global_sid_NT_Authority, "S-1-5");
 string_to_sid(&global_sid_NULL, "S-1-0-0");
+ string_to_sid(&global_sid_Authenticated_Users, "S-1-5-11");
+ string_to_sid(&global_sid_Network, "S-1-5-2");
+ string_to_sid(&global_sid_Anonymous, "S-1-5-7");
+
+ /* Create the anon token. */
+ sid_copy( &anonymous_token.user_sids[0], &global_sid_World);
+ sid_copy( &anonymous_token.user_sids[1], &global_sid_Network);
+ sid_copy( &anonymous_token.user_sids[2], &global_sid_Anonymous);
 }
 /**************************************************************************
@@ -210,15 +240,18 @@ BOOL map_domain_name_to_sid(DOM_SID *sid, char *nt_domain)
 void split_domain_name(const char *fullname, char *domain, char *name)
 {
 pstring full_name;
- char *p;
+ char *p, *sep;
+
+ sep = lp_winbind_separator();
 *domain = *name = '\0';
- if (fullname[0] == '\\')
+ if (fullname[0] == sep[0] || fullname[0] == '\\')
 fullname++;
 pstrcpy(full_name, fullname);
 p = strchr(full_name+1, '\\');
+ if (!p) p = strchr(full_name+1, sep[0]);
 if (p != NULL) {
 *p = 0;
-- cgit
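Review bot: In `split_domain_name`, `fullname[0] == sep[0]` is also true when `fullname` is empty and `lp_winbind_separator()` returns an empty string, so `fullname++` steps past the terminator and `pstrcpy` then reads beyond the caller's string; if that function can return NULL, `sep[0]` dereferences it. Validate the separator once and keep the empty-string case out of the increment: `if (!sep || !sep[0]) sep = "\\";` followed by `if (fullname[0] && (fullname[0] == sep[0] || fullname[0] == '\\'))`. The second `strchr` on `sep[0]` likewise matches the terminator when `sep` is empty, which the same guard prevents. With both separators accepted, a name containing both is split at the backslash regardless of position, which is presumably intended but deserves a one-line comment. The rest of split_domain_name lies outside the hunk.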