libcli/security/security_token.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    security descriptor utility functions
   5
   6    Copyright (C) Andrew Tridgell                2004
   7    Copyright (C) Andrew Bartlett                2010
   8    Copyright (C) Stefan Metzmacher              2005
   9
  10    This program is free software; you can redistribute it and/or modify
  11    it under the terms of the GNU General Public License as published by
  12    the Free Software Foundation; either version 3 of the License, or
  13    (at your option) any later version.
  14
  15    This program is distributed in the hope that it will be useful,
  16    but WITHOUT ANY WARRANTY; without even the implied warranty of
  17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18    GNU General Public License for more details.
  19
  20    You should have received a copy of the GNU General Public License
  21    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  22 */
  23
  24 #include "replace.h"
  25 #include <talloc.h>
  26 #include "lib/util/talloc_stack.h"
  27 #include "lib/util/debug.h"
  28 #include "lib/util/fault.h"
  29 #include "libcli/security/security_token.h"
  30 #include "libcli/security/dom_sid.h"
  31 #include "libcli/security/privileges.h"
  32 #include "librpc/gen_ndr/ndr_security.h"
  33 #include "lib/util/talloc_stack.h"
  34
  35 /*
  36   return a blank security token
  37 */
  38 struct security_token *security_token_initialise(TALLOC_CTX *mem_ctx,
  39                                                  enum claims_evaluation_control evaluate_claims)
  40 {
  41         struct security_token *st = talloc_zero(
  42                 mem_ctx, struct security_token);
  43         st->evaluate_claims = evaluate_claims;
  44
  45         return st;
  46 }
  47
  48 /****************************************************************************
  49  Duplicate a SID token.
  50 ****************************************************************************/
  51
  52 struct security_token *security_token_duplicate(TALLOC_CTX *mem_ctx, const struct security_token *src)
  53 {
  54         TALLOC_CTX *frame = NULL;
  55         struct security_token *dst = NULL;
  56         DATA_BLOB blob;
  57         enum ndr_err_code ndr_err;
  58
  59         if (src == NULL) {
  60                 return NULL;
  61         }
  62
  63         frame = talloc_stackframe();
  64
  65         ndr_err = ndr_push_struct_blob(
  66                 &blob,
  67                 frame,
  68                 src,
  69                 (ndr_push_flags_fn_t)ndr_push_security_token);
  70         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
  71                 DBG_ERR("Failed to duplicate security_token ndr_push_security_token failed: %s\n",
  72                         ndr_errstr(ndr_err));
  73                 TALLOC_FREE(frame);
  74                 return NULL;
  75         }
  76
  77         dst = talloc_zero(mem_ctx, struct security_token);
  78         if (dst == NULL) {
  79                 DBG_ERR("talloc failed\n");
  80                 TALLOC_FREE(frame);
  81                 return NULL;
  82         }
  83
  84         ndr_err = ndr_pull_struct_blob(
  85                 &blob,
  86                 dst,
  87                 dst,
  88                 (ndr_pull_flags_fn_t)ndr_pull_security_token);
  89
  90         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
  91                 DBG_ERR("Failed to duplicate security_token ndr_pull_security_token "
  92                         "failed: %s\n",
  93                         ndr_errstr(ndr_err));
  94                 TALLOC_FREE(dst);
  95                 TALLOC_FREE(frame);
  96                 return NULL;
  97         }
  98
  99         TALLOC_FREE(frame);
 100         return dst;
 101 }
 102
 103 /****************************************************************************
 104  prints a struct security_token to debug output.
 105 ****************************************************************************/
 106 void security_token_debug(int dbg_class, int dbg_lev, const struct security_token *token)
 107 {
 108         TALLOC_CTX *frame = talloc_stackframe();
 109         char *sids = NULL;
 110         char *privs = NULL;
 111         uint32_t i;
 112
 113         if (!token) {
 114                 DEBUGC(dbg_class, dbg_lev, ("Security token: (NULL)\n"));
 115                 TALLOC_FREE(frame);
 116                 return;
 117         }
 118
 119         sids = talloc_asprintf(frame,
 120                                "Security token SIDs (%" PRIu32 "):\n",
 121                                token->num_sids);
 122         for (i = 0; i < token->num_sids; i++) {
 123                 struct dom_sid_buf sidbuf;
 124                 talloc_asprintf_addbuf(
 125                         &sids,
 126                         "  SID[%3" PRIu32 "]: %s\n",
 127                         i,
 128                         dom_sid_str_buf(&token->sids[i], &sidbuf));
 129         }
 130
 131         privs = security_token_debug_privileges(frame, token);
 132
 133         DEBUGC(dbg_class,
 134                dbg_lev,
 135                ("%s%s", sids ? sids : "(NULL)", privs ? privs : "(NULL)"));
 136
 137         TALLOC_FREE(frame);
 138 }
 139
 140 /* These really should be cheaper... */
 141
 142 bool security_token_is_sid(const struct security_token *token, const struct dom_sid *sid)
 143 {
 144         bool ret;
 145
 146         if (token->sids == NULL) {
 147                 return false;
 148         }
 149         ret = dom_sid_equal(&token->sids[PRIMARY_USER_SID_INDEX], sid);
 150         return ret;
 151 }
 152
 153 bool security_token_is_system(const struct security_token *token)
 154 {
 155         return security_token_is_sid(token, &global_sid_System);
 156 }
 157
 158 bool security_token_is_anonymous(const struct security_token *token)
 159 {
 160         return security_token_is_sid(token, &global_sid_Anonymous);
 161 }
 162
 163 bool security_token_has_sid(const struct security_token *token, const struct dom_sid *sid)
 164 {
 165         uint32_t i;
 166         for (i = 0; i < token->num_sids; i++) {
 167                 if (dom_sid_equal(&token->sids[i], sid)) {
 168                         return true;
 169                 }
 170         }
 171         return false;
 172 }
 173
 174 size_t security_token_count_flag_sids(const struct security_token *token,
 175                                       const struct dom_sid *prefix_sid,
 176                                       size_t num_flags,
 177                                       const struct dom_sid **_flag_sid)
 178 {
 179         const size_t num_auths_expected = prefix_sid->num_auths + num_flags;
 180         const struct dom_sid *found = NULL;
 181         size_t num = 0;
 182         uint32_t i;
 183
 184         SMB_ASSERT(num_auths_expected <= ARRAY_SIZE(prefix_sid->sub_auths));
 185
 186         for (i = 0; i < token->num_sids; i++) {
 187                 const struct dom_sid *sid = &token->sids[i];
 188                 int cmp;
 189
 190                 if (sid->num_auths != num_auths_expected) {
 191                         continue;
 192                 }
 193
 194                 cmp = dom_sid_compare_domain(sid, prefix_sid);
 195                 if (cmp != 0) {
 196                         continue;
 197                 }
 198
 199                 num += 1;
 200                 found = sid;
 201         }
 202
 203         if ((num == 1) && (_flag_sid != NULL)) {
 204                 *_flag_sid = found;
 205         }
 206
 207         return num;
 208 }
 209
 210 bool security_token_has_builtin_guests(const struct security_token *token)
 211 {
 212         return security_token_has_sid(token, &global_sid_Builtin_Guests);
 213 }
 214
 215 bool security_token_has_builtin_administrators(const struct security_token *token)
 216 {
 217         return security_token_has_sid(token, &global_sid_Builtin_Administrators);
 218 }
 219
 220 bool security_token_has_nt_authenticated_users(const struct security_token *token)
 221 {
 222         return security_token_has_sid(token, &global_sid_Authenticated_Users);
 223 }
 224
 225 bool security_token_has_enterprise_dcs(const struct security_token *token)
 226 {
 227         return security_token_has_sid(token, &global_sid_Enterprise_DCs);
 228 }