2 Unix SMB/CIFS implementation.
3 Samba utility functions
5 Copyright (C) Stefan (metze) Metzmacher 2002-2004
6 Copyright (C) Andrew Tridgell 1992-2004
7 Copyright (C) Jeremy Allison 1999
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "lib/util/data_blob.h"
25 #include "system/locale.h"
26 #include "lib/util/debug.h"
27 #include "lib/util/util.h"
28 #include "librpc/gen_ndr/security.h"
30 #include "lib/util/smb_strtox.h"
32 /*****************************************************************
33 Compare the auth portion of two sids.
34 *****************************************************************/
36 int dom_sid_compare_auth(const struct dom_sid
*sid1
,
37 const struct dom_sid
*sid2
)
48 if (sid1
->sid_rev_num
!= sid2
->sid_rev_num
)
49 return sid1
->sid_rev_num
- sid2
->sid_rev_num
;
51 for (i
= 0; i
< 6; i
++)
52 if (sid1
->id_auth
[i
] != sid2
->id_auth
[i
])
53 return sid1
->id_auth
[i
] - sid2
->id_auth
[i
];
58 /*****************************************************************
60 *****************************************************************/
62 int dom_sid_compare(const struct dom_sid
*sid1
, const struct dom_sid
*sid2
)
73 /* Compare most likely different rids, first: i.e start at end */
74 if (sid1
->num_auths
!= sid2
->num_auths
)
75 return sid1
->num_auths
- sid2
->num_auths
;
77 for (i
= sid1
->num_auths
-1; i
>= 0; --i
)
78 if (sid1
->sub_auths
[i
] != sid2
->sub_auths
[i
])
79 return sid1
->sub_auths
[i
] - sid2
->sub_auths
[i
];
81 return dom_sid_compare_auth(sid1
, sid2
);
84 /*****************************************************************
86 *****************************************************************/
88 bool dom_sid_equal(const struct dom_sid
*sid1
, const struct dom_sid
*sid2
)
90 return dom_sid_compare(sid1
, sid2
) == 0;
93 /*****************************************************************
94 Add a rid to the end of a sid
95 *****************************************************************/
97 bool sid_append_rid(struct dom_sid
*sid
, uint32_t rid
)
99 if (sid
->num_auths
< ARRAY_SIZE(sid
->sub_auths
)) {
100 sid
->sub_auths
[sid
->num_auths
++] = rid
;
107 See if 2 SIDs are in the same domain
108 this just compares the leading sub-auths
110 int dom_sid_compare_domain(const struct dom_sid
*sid1
,
111 const struct dom_sid
*sid2
)
115 n
= MIN(sid1
->num_auths
, sid2
->num_auths
);
117 for (i
= n
-1; i
>= 0; --i
)
118 if (sid1
->sub_auths
[i
] != sid2
->sub_auths
[i
])
119 return sid1
->sub_auths
[i
] - sid2
->sub_auths
[i
];
121 return dom_sid_compare_auth(sid1
, sid2
);
124 /*****************************************************************
125 Convert a string to a SID. Returns True on success, False on fail.
126 Return the first character not parsed in endp.
127 *****************************************************************/
128 #define AUTHORITY_MASK (~(0xffffffffffffULL))
130 bool dom_sid_parse_endp(const char *sidstr
,struct dom_sid
*sidout
,
139 ZERO_STRUCTP(sidout
);
141 if ((sidstr
[0] != 'S' && sidstr
[0] != 's') || sidstr
[1] != '-') {
145 /* Get the revision number. */
148 if (!isdigit((unsigned char)*p
)) {
152 conv
= smb_strtoul(p
, &q
, 10, &error
, SMB_STR_STANDARD
);
153 if (error
!= 0 || (*q
!= '-') || conv
> UINT8_MAX
|| q
- p
> 4) {
156 sidout
->sid_rev_num
= (uint8_t) conv
;
159 if (!isdigit((unsigned char)*q
)) {
162 while (q
[0] == '0' && isdigit((unsigned char)q
[1])) {
164 * strtoull will think this is octal, which is not how SIDs
165 * work! So let's walk along until there are no leading zeros
166 * (or a single zero).
172 conv
= smb_strtoull(q
, &end
, 0, &error
, SMB_STR_STANDARD
);
173 if (conv
& AUTHORITY_MASK
|| error
!= 0) {
176 if (conv
>= (1ULL << 48) || end
- q
> 15) {
178 * This identauth looks like a big number, but resolves to a
179 * small number after rounding.
184 /* NOTE - the conv value is in big-endian format. */
185 sidout
->id_auth
[0] = (conv
& 0xff0000000000ULL
) >> 40;
186 sidout
->id_auth
[1] = (conv
& 0x00ff00000000ULL
) >> 32;
187 sidout
->id_auth
[2] = (conv
& 0x0000ff000000ULL
) >> 24;
188 sidout
->id_auth
[3] = (conv
& 0x000000ff0000ULL
) >> 16;
189 sidout
->id_auth
[4] = (conv
& 0x00000000ff00ULL
) >> 8;
190 sidout
->id_auth
[5] = (conv
& 0x0000000000ffULL
);
192 sidout
->num_auths
= 0;
195 /* Just id_auth, no subauths */
202 if (!isdigit((unsigned char)*q
)) {
205 while (q
[0] == '0' && isdigit((unsigned char)q
[1])) {
207 * strtoull will think this is octal, which is not how
208 * SIDs work! So let's walk along until there are no
209 * leading zeros (or a single zero).
213 conv
= smb_strtoull(q
, &end
, 0, &error
, SMB_STR_STANDARD
);
214 if (conv
> UINT32_MAX
|| error
!= 0 || end
- q
> 12) {
216 * This sub-auth is greater than 4294967295,
217 * and hence invalid. Windows will treat it as
218 * 4294967295, while we prefer to refuse (old
219 * versions of Samba will wrap, arriving at
220 * another number altogether).
222 DBG_NOTICE("bad sub-auth in %s\n", sidstr
);
226 if (!sid_append_rid(sidout
, conv
)) {
227 DEBUG(3, ("Too many sid auths in %s\n", sidstr
));
244 DEBUG(3, ("string_to_sid: SID %s is not in a valid format\n", sidstr
));
248 bool string_to_sid(struct dom_sid
*sidout
, const char *sidstr
)
250 return dom_sid_parse(sidstr
, sidout
);
253 bool dom_sid_parse(const char *sidstr
, struct dom_sid
*ret
)
255 return dom_sid_parse_endp(sidstr
, ret
, NULL
);
259 convert a string to a dom_sid, returning a talloc'd dom_sid
261 struct dom_sid
*dom_sid_parse_talloc(TALLOC_CTX
*mem_ctx
, const char *sidstr
)
264 ret
= talloc(mem_ctx
, struct dom_sid
);
268 if (!dom_sid_parse(sidstr
, ret
)) {
277 convert a string to a dom_sid, returning a talloc'd dom_sid
279 struct dom_sid
*dom_sid_parse_length(TALLOC_CTX
*mem_ctx
, const DATA_BLOB
*sid
)
281 char p
[sid
->length
+1];
282 memcpy(p
, sid
->data
, sid
->length
);
283 p
[sid
->length
] = '\0';
284 return dom_sid_parse_talloc(mem_ctx
, p
);
288 copy a dom_sid structure
290 struct dom_sid
*dom_sid_dup(TALLOC_CTX
*mem_ctx
, const struct dom_sid
*dom_sid
)
298 ret
= talloc(mem_ctx
, struct dom_sid
);
302 sid_copy(ret
, dom_sid
);
308 add a rid to a domain dom_sid to make a full dom_sid. This function
309 returns a new sid in the supplied memory context
311 struct dom_sid
*dom_sid_add_rid(TALLOC_CTX
*mem_ctx
,
312 const struct dom_sid
*domain_sid
,
317 sid
= dom_sid_dup(mem_ctx
, domain_sid
);
318 if (!sid
) return NULL
;
320 if (!sid_append_rid(sid
, rid
)) {
329 Split up a SID into its domain and RID part
331 NTSTATUS
dom_sid_split_rid(TALLOC_CTX
*mem_ctx
, const struct dom_sid
*sid
,
332 struct dom_sid
**domain
, uint32_t *rid
)
334 if (sid
->num_auths
== 0) {
335 return NT_STATUS_INVALID_PARAMETER
;
339 if (!(*domain
= dom_sid_dup(mem_ctx
, sid
))) {
340 return NT_STATUS_NO_MEMORY
;
343 (*domain
)->num_auths
-= 1;
347 *rid
= sid
->sub_auths
[sid
->num_auths
- 1];
354 return true if the 2nd sid is in the domain given by the first sid
356 bool dom_sid_in_domain(const struct dom_sid
*domain_sid
,
357 const struct dom_sid
*sid
)
361 if (!domain_sid
|| !sid
) {
365 if (sid
->num_auths
< 2) {
369 if (domain_sid
->num_auths
!= (sid
->num_auths
- 1)) {
373 for (i
= domain_sid
->num_auths
-1; i
>= 0; --i
) {
374 if (domain_sid
->sub_auths
[i
] != sid
->sub_auths
[i
]) {
379 return dom_sid_compare_auth(domain_sid
, sid
) == 0;
382 bool dom_sid_has_account_domain(const struct dom_sid
*sid
)
388 if (sid
->sid_rev_num
!= 1) {
391 if (sid
->num_auths
!= 5) {
394 if (sid
->id_auth
[5] != 5) {
397 if (sid
->id_auth
[4] != 0) {
400 if (sid
->id_auth
[3] != 0) {
403 if (sid
->id_auth
[2] != 0) {
406 if (sid
->id_auth
[1] != 0) {
409 if (sid
->id_auth
[0] != 0) {
412 if (sid
->sub_auths
[0] != 21) {
419 bool dom_sid_is_valid_account_domain(const struct dom_sid
*sid
)
422 * We expect S-1-5-21-9-8-7, but we don't
423 * allow S-1-5-21-0-0-0 as this is used
424 * for claims and compound identities.
426 * With this structure:
429 * uint8_t sid_rev_num;
430 * int8_t num_auths; [range(0,15)]
431 * uint8_t id_auth[6];
432 * uint32_t sub_auths[15];
435 * S-1-5-21-9-8-7 looks like this:
436 * {1, 4, {0,0,0,0,0,5}, {21,9,8,7,0,0,0,0,0,0,0,0,0,0,0}};
442 if (sid
->sid_rev_num
!= 1) {
445 if (sid
->num_auths
!= 4) {
448 if (sid
->id_auth
[5] != 5) {
451 if (sid
->id_auth
[4] != 0) {
454 if (sid
->id_auth
[3] != 0) {
457 if (sid
->id_auth
[2] != 0) {
460 if (sid
->id_auth
[1] != 0) {
463 if (sid
->id_auth
[0] != 0) {
466 if (sid
->sub_auths
[0] != 21) {
469 if (sid
->sub_auths
[1] == 0) {
472 if (sid
->sub_auths
[2] == 0) {
475 if (sid
->sub_auths
[3] == 0) {
483 Convert a dom_sid to a string, printing into a buffer. Return the
484 string length. If it overflows, return the string length that would
485 result (buflen needs to be +1 for the terminating 0).
487 static int dom_sid_string_buf(const struct dom_sid
*sid
, char *buf
, int buflen
)
493 return strlcpy(buf
, "(NULL SID)", buflen
);
496 ia
= ((uint64_t)sid
->id_auth
[5]) +
497 ((uint64_t)sid
->id_auth
[4] << 8 ) +
498 ((uint64_t)sid
->id_auth
[3] << 16) +
499 ((uint64_t)sid
->id_auth
[2] << 24) +
500 ((uint64_t)sid
->id_auth
[1] << 32) +
501 ((uint64_t)sid
->id_auth
[0] << 40);
503 ret
= snprintf(buf
, buflen
, "S-%"PRIu8
"-", sid
->sid_rev_num
);
509 if (ia
>= UINT32_MAX
) {
510 ret
= snprintf(buf
+ofs
, MAX(buflen
-ofs
, 0), "0x%"PRIx64
, ia
);
512 ret
= snprintf(buf
+ofs
, MAX(buflen
-ofs
, 0), "%"PRIu64
, ia
);
519 for (i
= 0; i
< sid
->num_auths
; i
++) {
534 convert a dom_sid to a string
536 char *dom_sid_string(TALLOC_CTX
*mem_ctx
, const struct dom_sid
*sid
)
538 char buf
[DOM_SID_STR_BUFLEN
];
542 len
= dom_sid_string_buf(sid
, buf
, sizeof(buf
));
544 if ((len
< 0) || (len
+1 > sizeof(buf
))) {
545 return talloc_strdup(mem_ctx
, "(SID ERR)");
549 * Avoid calling strlen (via talloc_strdup), we already have
552 result
= (char *)talloc_memdup(mem_ctx
, buf
, len
+1);
553 if (result
== NULL
) {
558 * beautify the talloc_report output
560 talloc_set_name_const(result
, result
);
564 char *dom_sid_str_buf(const struct dom_sid
*sid
, struct dom_sid_buf
*dst
)
567 ret
= dom_sid_string_buf(sid
, dst
->buf
, sizeof(dst
->buf
));
568 if ((ret
< 0) || (ret
>= sizeof(dst
->buf
))) {
569 strlcpy(dst
->buf
, "(INVALID SID)", sizeof(dst
->buf
));