libcli/security/security_token.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    security descriptor utility functions
   5
   6    Copyright (C) Andrew Tridgell                2004
   7    Copyright (C) Andrew Bartlett                2010
   8    Copyright (C) Stefan Metzmacher              2005
   9
  10    This program is free software; you can redistribute it and/or modify
  11    it under the terms of the GNU General Public License as published by
  12    the Free Software Foundation; either version 3 of the License, or
  13    (at your option) any later version.
  14
  15    This program is distributed in the hope that it will be useful,
  16    but WITHOUT ANY WARRANTY; without even the implied warranty of
  17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18    GNU General Public License for more details.
  19
  20    You should have received a copy of the GNU General Public License
  21    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  22 */
  23
  24 #include "replace.h"
  25 #include <talloc.h>
  26 #include "lib/util/talloc_stack.h"
  27 #include "lib/util/debug.h"
  28 #include "lib/util/fault.h"
  29 #include "libcli/security/security_token.h"
  30 #include "libcli/security/dom_sid.h"
  31 #include "libcli/security/privileges.h"
  32 #include "librpc/gen_ndr/ndr_security.h"
  33
  34 /*
  35   return a blank security token
  36 */
  37 struct security_token *security_token_initialise(TALLOC_CTX *mem_ctx,
  38                                                  enum claims_evaluation_control evaluate_claims)
  39 {
  40         struct security_token *st = talloc_zero(
  41                 mem_ctx, struct security_token);
  42         st->evaluate_claims = evaluate_claims;
  43
  44         return st;
  45 }
  46
  47 /****************************************************************************
  48  Duplicate a SID token.
  49 ****************************************************************************/
  50
  51 struct security_token *security_token_duplicate(TALLOC_CTX *mem_ctx, const struct security_token *src)
  52 {
  53         TALLOC_CTX *frame = NULL;
  54         struct security_token *dst = NULL;
  55         DATA_BLOB blob;
  56         enum ndr_err_code ndr_err;
  57
  58         if (src == NULL) {
  59                 return NULL;
  60         }
  61
  62         frame = talloc_stackframe();
  63
  64         ndr_err = ndr_push_struct_blob(
  65                 &blob,
  66                 frame,
  67                 src,
  68                 (ndr_push_flags_fn_t)ndr_push_security_token);
  69         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
  70                 DBG_ERR("Failed to duplicate security_token ndr_push_security_token failed: %s\n",
  71                         ndr_errstr(ndr_err));
  72                 TALLOC_FREE(frame);
  73                 return NULL;
  74         }
  75
  76         dst = talloc_zero(mem_ctx, struct security_token);
  77         if (dst == NULL) {
  78                 DBG_ERR("talloc failed\n");
  79                 TALLOC_FREE(frame);
  80                 return NULL;
  81         }
  82
  83         ndr_err = ndr_pull_struct_blob(
  84                 &blob,
  85                 dst,
  86                 dst,
  87                 (ndr_pull_flags_fn_t)ndr_pull_security_token);
  88
  89         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
  90                 DBG_ERR("Failed to duplicate security_token ndr_pull_security_token "
  91                         "failed: %s\n",
  92                         ndr_errstr(ndr_err));
  93                 TALLOC_FREE(dst);
  94                 TALLOC_FREE(frame);
  95                 return NULL;
  96         }
  97
  98         TALLOC_FREE(frame);
  99         return dst;
 100 }
 101
 102 /****************************************************************************
 103  prints a struct security_token to debug output.
 104 ****************************************************************************/
 105 void security_token_debug(int dbg_class, int dbg_lev, const struct security_token *token)
 106 {
 107         uint32_t i;
 108
 109         if (!token) {
 110                 DEBUGC(dbg_class, dbg_lev, ("Security token: (NULL)\n"));
 111                 return;
 112         }
 113
 114         DEBUGC(dbg_class, dbg_lev, ("Security token SIDs (%"PRIu32"):\n",
 115                                        token->num_sids));
 116         for (i = 0; i < token->num_sids; i++) {
 117                 struct dom_sid_buf sidbuf;
 118                 DEBUGADDC(dbg_class,
 119                           dbg_lev,
 120                           ("  SID[%3"PRIu32"]: %s\n", i,
 121                            dom_sid_str_buf(&token->sids[i], &sidbuf)));
 122         }
 123
 124         security_token_debug_privileges(dbg_class, dbg_lev, token);
 125 }
 126
 127 /* These really should be cheaper... */
 128
 129 bool security_token_is_sid(const struct security_token *token, const struct dom_sid *sid)
 130 {
 131         bool ret;
 132
 133         if (token->sids == NULL) {
 134                 return false;
 135         }
 136         ret = dom_sid_equal(&token->sids[PRIMARY_USER_SID_INDEX], sid);
 137         return ret;
 138 }
 139
 140 bool security_token_is_system(const struct security_token *token)
 141 {
 142         return security_token_is_sid(token, &global_sid_System);
 143 }
 144
 145 bool security_token_is_anonymous(const struct security_token *token)
 146 {
 147         return security_token_is_sid(token, &global_sid_Anonymous);
 148 }
 149
 150 bool security_token_has_sid(const struct security_token *token, const struct dom_sid *sid)
 151 {
 152         uint32_t i;
 153         for (i = 0; i < token->num_sids; i++) {
 154                 if (dom_sid_equal(&token->sids[i], sid)) {
 155                         return true;
 156                 }
 157         }
 158         return false;
 159 }
 160
 161 size_t security_token_count_flag_sids(const struct security_token *token,
 162                                       const struct dom_sid *prefix_sid,
 163                                       size_t num_flags,
 164                                       const struct dom_sid **_flag_sid)
 165 {
 166         const size_t num_auths_expected = prefix_sid->num_auths + num_flags;
 167         const struct dom_sid *found = NULL;
 168         size_t num = 0;
 169         uint32_t i;
 170
 171         SMB_ASSERT(num_auths_expected <= ARRAY_SIZE(prefix_sid->sub_auths));
 172
 173         for (i = 0; i < token->num_sids; i++) {
 174                 const struct dom_sid *sid = &token->sids[i];
 175                 int cmp;
 176
 177                 if (sid->num_auths != num_auths_expected) {
 178                         continue;
 179                 }
 180
 181                 cmp = dom_sid_compare_domain(sid, prefix_sid);
 182                 if (cmp != 0) {
 183                         continue;
 184                 }
 185
 186                 num += 1;
 187                 found = sid;
 188         }
 189
 190         if ((num == 1) && (_flag_sid != NULL)) {
 191                 *_flag_sid = found;
 192         }
 193
 194         return num;
 195 }
 196
 197 bool security_token_has_builtin_guests(const struct security_token *token)
 198 {
 199         return security_token_has_sid(token, &global_sid_Builtin_Guests);
 200 }
 201
 202 bool security_token_has_builtin_administrators(const struct security_token *token)
 203 {
 204         return security_token_has_sid(token, &global_sid_Builtin_Administrators);
 205 }
 206
 207 bool security_token_has_nt_authenticated_users(const struct security_token *token)
 208 {
 209         return security_token_has_sid(token, &global_sid_Authenticated_Users);
 210 }
 211
 212 bool security_token_has_enterprise_dcs(const struct security_token *token)
 213 {
 214         return security_token_has_sid(token, &global_sid_Enterprise_DCs);
 215 }