2 Unix SMB/CIFS implementation.
3 Samba utility functions
5 Copyright (C) Stefan (metze) Metzmacher 2002-2004
6 Copyright (C) Andrew Tridgell 1992-2004
7 Copyright (C) Jeremy Allison 1999
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "lib/util/data_blob.h"
25 #include "system/locale.h"
26 #include "lib/util/debug.h"
27 #include "lib/util/util.h"
28 #include "librpc/gen_ndr/security.h"
30 #include "lib/util/smb_strtox.h"
32 /*****************************************************************
33 Compare the auth portion of two sids.
34 *****************************************************************/
36 int dom_sid_compare_auth(const struct dom_sid
*sid1
,
37 const struct dom_sid
*sid2
)
48 if (sid1
->sid_rev_num
!= sid2
->sid_rev_num
)
49 return sid1
->sid_rev_num
- sid2
->sid_rev_num
;
51 for (i
= 0; i
< 6; i
++)
52 if (sid1
->id_auth
[i
] != sid2
->id_auth
[i
])
53 return sid1
->id_auth
[i
] - sid2
->id_auth
[i
];
58 /*****************************************************************
60 *****************************************************************/
62 int dom_sid_compare(const struct dom_sid
*sid1
, const struct dom_sid
*sid2
)
73 /* Compare most likely different rids, first: i.e start at end */
74 if (sid1
->num_auths
!= sid2
->num_auths
)
75 return sid1
->num_auths
- sid2
->num_auths
;
77 for (i
= sid1
->num_auths
-1; i
>= 0; --i
) {
78 if (sid1
->sub_auths
[i
] < sid2
->sub_auths
[i
]) {
81 if (sid1
->sub_auths
[i
] > sid2
->sub_auths
[i
]) {
86 return dom_sid_compare_auth(sid1
, sid2
);
89 /*****************************************************************
91 *****************************************************************/
93 bool dom_sid_equal(const struct dom_sid
*sid1
, const struct dom_sid
*sid2
)
95 return dom_sid_compare(sid1
, sid2
) == 0;
98 /*****************************************************************
99 Add a rid to the end of a sid
100 *****************************************************************/
102 bool sid_append_rid(struct dom_sid
*sid
, uint32_t rid
)
104 if (sid
->num_auths
< ARRAY_SIZE(sid
->sub_auths
)) {
105 sid
->sub_auths
[sid
->num_auths
++] = rid
;
112 See if 2 SIDs are in the same domain
113 this just compares the leading sub-auths
115 int dom_sid_compare_domain(const struct dom_sid
*sid1
,
116 const struct dom_sid
*sid2
)
120 n
= MIN(sid1
->num_auths
, sid2
->num_auths
);
122 for (i
= n
-1; i
>= 0; --i
) {
123 if (sid1
->sub_auths
[i
] < sid2
->sub_auths
[i
]) {
126 if (sid1
->sub_auths
[i
] > sid2
->sub_auths
[i
]) {
131 return dom_sid_compare_auth(sid1
, sid2
);
134 /*****************************************************************
135 Convert a string to a SID. Returns True on success, False on fail.
136 Return the first character not parsed in endp.
137 *****************************************************************/
138 #define AUTHORITY_MASK (~(0xffffffffffffULL))
140 bool dom_sid_parse_endp(const char *sidstr
,struct dom_sid
*sidout
,
149 *sidout
= (struct dom_sid
) {};
151 if ((sidstr
[0] != 'S' && sidstr
[0] != 's') || sidstr
[1] != '-') {
155 /* Get the revision number. */
158 if (!isdigit((unsigned char)*p
)) {
162 conv
= smb_strtoul(p
, &q
, 10, &error
, SMB_STR_STANDARD
);
163 if (error
!= 0 || (*q
!= '-') || conv
> UINT8_MAX
|| q
- p
> 4) {
166 sidout
->sid_rev_num
= (uint8_t) conv
;
169 if (!isdigit((unsigned char)*q
)) {
172 while (q
[0] == '0' && isdigit((unsigned char)q
[1])) {
174 * strtoull will think this is octal, which is not how SIDs
175 * work! So let's walk along until there are no leading zeros
176 * (or a single zero).
182 conv
= smb_strtoull(q
, &end
, 0, &error
, SMB_STR_STANDARD
);
183 if (conv
& AUTHORITY_MASK
|| error
!= 0) {
186 if (conv
>= (1ULL << 48) || end
- q
> 15) {
188 * This identauth looks like a big number, but resolves to a
189 * small number after rounding.
194 /* NOTE - the conv value is in big-endian format. */
195 sidout
->id_auth
[0] = (conv
& 0xff0000000000ULL
) >> 40;
196 sidout
->id_auth
[1] = (conv
& 0x00ff00000000ULL
) >> 32;
197 sidout
->id_auth
[2] = (conv
& 0x0000ff000000ULL
) >> 24;
198 sidout
->id_auth
[3] = (conv
& 0x000000ff0000ULL
) >> 16;
199 sidout
->id_auth
[4] = (conv
& 0x00000000ff00ULL
) >> 8;
200 sidout
->id_auth
[5] = (conv
& 0x0000000000ffULL
);
202 sidout
->num_auths
= 0;
205 /* Just id_auth, no subauths */
212 if (!isdigit((unsigned char)*q
)) {
215 while (q
[0] == '0' && isdigit((unsigned char)q
[1])) {
217 * strtoull will think this is octal, which is not how
218 * SIDs work! So let's walk along until there are no
219 * leading zeros (or a single zero).
223 conv
= smb_strtoull(q
, &end
, 0, &error
, SMB_STR_STANDARD
);
224 if (conv
> UINT32_MAX
|| error
!= 0 || end
- q
> 12) {
226 * This sub-auth is greater than 4294967295,
227 * and hence invalid. Windows will treat it as
228 * 4294967295, while we prefer to refuse (old
229 * versions of Samba will wrap, arriving at
230 * another number altogether).
232 DBG_NOTICE("bad sub-auth in %s\n", sidstr
);
236 if (!sid_append_rid(sidout
, conv
)) {
237 DEBUG(3, ("Too many sid auths in %s\n", sidstr
));
254 DEBUG(3, ("string_to_sid: SID %s is not in a valid format\n", sidstr
));
258 bool string_to_sid(struct dom_sid
*sidout
, const char *sidstr
)
260 return dom_sid_parse(sidstr
, sidout
);
263 bool dom_sid_parse(const char *sidstr
, struct dom_sid
*ret
)
265 return dom_sid_parse_endp(sidstr
, ret
, NULL
);
269 convert a string to a dom_sid, returning a talloc'd dom_sid
271 struct dom_sid
*dom_sid_parse_talloc(TALLOC_CTX
*mem_ctx
, const char *sidstr
)
274 ret
= talloc(mem_ctx
, struct dom_sid
);
278 if (!dom_sid_parse(sidstr
, ret
)) {
287 convert a string to a dom_sid, returning a talloc'd dom_sid
289 struct dom_sid
*dom_sid_parse_length(TALLOC_CTX
*mem_ctx
, const DATA_BLOB
*sid
)
291 char p
[sid
->length
+1];
292 memcpy(p
, sid
->data
, sid
->length
);
293 p
[sid
->length
] = '\0';
294 return dom_sid_parse_talloc(mem_ctx
, p
);
298 copy a dom_sid structure
300 struct dom_sid
*dom_sid_dup(TALLOC_CTX
*mem_ctx
, const struct dom_sid
*dom_sid
)
308 ret
= talloc(mem_ctx
, struct dom_sid
);
312 sid_copy(ret
, dom_sid
);
318 add a rid to a domain dom_sid to make a full dom_sid. This function
319 returns a new sid in the supplied memory context
321 struct dom_sid
*dom_sid_add_rid(TALLOC_CTX
*mem_ctx
,
322 const struct dom_sid
*domain_sid
,
327 sid
= dom_sid_dup(mem_ctx
, domain_sid
);
328 if (!sid
) return NULL
;
330 if (!sid_append_rid(sid
, rid
)) {
339 Split up a SID into its domain and RID part
341 NTSTATUS
dom_sid_split_rid(TALLOC_CTX
*mem_ctx
, const struct dom_sid
*sid
,
342 struct dom_sid
**domain
, uint32_t *rid
)
344 if (sid
->num_auths
== 0) {
345 return NT_STATUS_INVALID_PARAMETER
;
349 if (!(*domain
= dom_sid_dup(mem_ctx
, sid
))) {
350 return NT_STATUS_NO_MEMORY
;
353 (*domain
)->num_auths
-= 1;
357 *rid
= sid
->sub_auths
[sid
->num_auths
- 1];
364 return true if the 2nd sid is in the domain given by the first sid
366 bool dom_sid_in_domain(const struct dom_sid
*domain_sid
,
367 const struct dom_sid
*sid
)
371 if (!domain_sid
|| !sid
) {
375 if (sid
->num_auths
< 2) {
379 if (domain_sid
->num_auths
!= (sid
->num_auths
- 1)) {
383 for (i
= domain_sid
->num_auths
-1; i
>= 0; --i
) {
384 if (domain_sid
->sub_auths
[i
] != sid
->sub_auths
[i
]) {
389 return dom_sid_compare_auth(domain_sid
, sid
) == 0;
392 bool dom_sid_has_account_domain(const struct dom_sid
*sid
)
398 if (sid
->sid_rev_num
!= 1) {
401 if (sid
->num_auths
!= 5) {
404 if (sid
->id_auth
[5] != 5) {
407 if (sid
->id_auth
[4] != 0) {
410 if (sid
->id_auth
[3] != 0) {
413 if (sid
->id_auth
[2] != 0) {
416 if (sid
->id_auth
[1] != 0) {
419 if (sid
->id_auth
[0] != 0) {
422 if (sid
->sub_auths
[0] != 21) {
429 bool dom_sid_is_valid_account_domain(const struct dom_sid
*sid
)
432 * We expect S-1-5-21-9-8-7, but we don't
433 * allow S-1-5-21-0-0-0 as this is used
434 * for claims and compound identities.
436 * With this structure:
439 * uint8_t sid_rev_num;
440 * int8_t num_auths; [range(0,15)]
441 * uint8_t id_auth[6];
442 * uint32_t sub_auths[15];
445 * S-1-5-21-9-8-7 looks like this:
446 * {1, 4, {0,0,0,0,0,5}, {21,9,8,7,0,0,0,0,0,0,0,0,0,0,0}};
452 if (sid
->sid_rev_num
!= 1) {
455 if (sid
->num_auths
!= 4) {
458 if (sid
->id_auth
[5] != 5) {
461 if (sid
->id_auth
[4] != 0) {
464 if (sid
->id_auth
[3] != 0) {
467 if (sid
->id_auth
[2] != 0) {
470 if (sid
->id_auth
[1] != 0) {
473 if (sid
->id_auth
[0] != 0) {
476 if (sid
->sub_auths
[0] != 21) {
479 if (sid
->sub_auths
[1] == 0) {
482 if (sid
->sub_auths
[2] == 0) {
485 if (sid
->sub_auths
[3] == 0) {
493 Convert a dom_sid to a string, printing into a buffer. Return the
494 string length. If it overflows, return the string length that would
495 result (buflen needs to be +1 for the terminating 0).
497 static int dom_sid_string_buf(const struct dom_sid
*sid
, char *buf
, int buflen
)
503 return strlcpy(buf
, "(NULL SID)", buflen
);
506 ia
= ((uint64_t)sid
->id_auth
[5]) +
507 ((uint64_t)sid
->id_auth
[4] << 8 ) +
508 ((uint64_t)sid
->id_auth
[3] << 16) +
509 ((uint64_t)sid
->id_auth
[2] << 24) +
510 ((uint64_t)sid
->id_auth
[1] << 32) +
511 ((uint64_t)sid
->id_auth
[0] << 40);
513 ret
= snprintf(buf
, buflen
, "S-%"PRIu8
"-", sid
->sid_rev_num
);
519 if (ia
>= UINT32_MAX
) {
520 ret
= snprintf(buf
+ofs
, MAX(buflen
-ofs
, 0), "0x%"PRIx64
, ia
);
522 ret
= snprintf(buf
+ofs
, MAX(buflen
-ofs
, 0), "%"PRIu64
, ia
);
529 for (i
= 0; i
< sid
->num_auths
; i
++) {
544 convert a dom_sid to a string
546 char *dom_sid_string(TALLOC_CTX
*mem_ctx
, const struct dom_sid
*sid
)
548 char buf
[DOM_SID_STR_BUFLEN
];
552 len
= dom_sid_string_buf(sid
, buf
, sizeof(buf
));
554 if ((len
< 0) || (len
+1 > sizeof(buf
))) {
555 return talloc_strdup(mem_ctx
, "(SID ERR)");
559 * Avoid calling strlen (via talloc_strdup), we already have
562 result
= (char *)talloc_memdup(mem_ctx
, buf
, len
+1);
563 if (result
== NULL
) {
568 * beautify the talloc_report output
570 talloc_set_name_const(result
, result
);
574 char *dom_sid_str_buf(const struct dom_sid
*sid
, struct dom_sid_buf
*dst
)
577 ret
= dom_sid_string_buf(sid
, dst
->buf
, sizeof(dst
->buf
));
578 if ((ret
< 0) || (ret
>= sizeof(dst
->buf
))) {
579 strlcpy(dst
->buf
, "(INVALID SID)", sizeof(dst
->buf
));