search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
r23784: use the GPLv3 boilerplate as recommended by the FSF and the license text
[Samba/bb.git] / source / lib / privileges.c
blob2f063073544118f9567299f4299d5a70d5fe6127
1 /*
2 Unix SMB/CIFS implementation.
3 Privileges handling functions
4 Copyright (C) Jean François Micouleau 1998-2001
5 Copyright (C) Simo Sorce 2002-2003
6 Copyright (C) Gerald (Jerry) Carter 2005
7 Copyright (C) Michael Adam 2007
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 */
22
23
24 #include "includes.h"
25
26 #define PRIVPREFIX "PRIV_"
27
28 typedef struct {
29 size_t count;
30 DOM_SID *list;
31 } SID_LIST;
32
33 typedef struct {
34 SE_PRIV privilege;
35 SID_LIST sids;
36 } PRIV_SID_LIST;
37
38
39 static BOOL get_privileges( const DOM_SID *sid, SE_PRIV *mask )
40 {
41 TDB_CONTEXT *tdb = get_account_pol_tdb();
42 fstring keystr;
43 TDB_DATA data;
44
45 /* Fail if the admin has not enable privileges */
46
47 if ( !lp_enable_privileges() ) {
48 return False;
49 }
50
51 if ( !tdb )
52 return False;
53
54 /* PRIV_<SID> (NULL terminated) as the key */
55
56 fstr_sprintf( keystr, "%s%s", PRIVPREFIX, sid_string_static(sid) );
57
58 data = tdb_fetch_bystring( tdb, keystr );
59
60 if ( !data.dptr ) {
61 DEBUG(3,("get_privileges: No privileges assigned to SID [%s]\n",
62 sid_string_static(sid)));
63 return False;
64 }
65
66 SMB_ASSERT( data.dsize == sizeof( SE_PRIV ) );
67
68 se_priv_copy( mask, (SE_PRIV*)data.dptr );
69 SAFE_FREE(data.dptr);
70
71 return True;
72 }
73
74 /***************************************************************************
75 Store the privilege mask (set) for a given SID
76 ****************************************************************************/
77
78 static BOOL set_privileges( const DOM_SID *sid, SE_PRIV *mask )
79 {
80 TDB_CONTEXT *tdb = get_account_pol_tdb();
81 fstring keystr;
82 TDB_DATA data;
83
84 if ( !lp_enable_privileges() )
85 return False;
86
87 if ( !tdb )
88 return False;
89
90 if ( !sid || (sid->num_auths == 0) ) {
91 DEBUG(0,("set_privileges: Refusing to store empty SID!\n"));
92 return False;
93 }
94
95 /* PRIV_<SID> (NULL terminated) as the key */
96
97 fstr_sprintf( keystr, "%s%s", PRIVPREFIX, sid_string_static(sid) );
98
99 /* no packing. static size structure, just write it out */
100
101 data.dptr = (uint8 *)mask;
102 data.dsize = sizeof(SE_PRIV);
103
104 return ( tdb_store_bystring(tdb, keystr, data, TDB_REPLACE) != -1 );
105 }
106
107 /*********************************************************************
108 get a list of all privleges for all sids the in list
109 *********************************************************************/
110
111 BOOL get_privileges_for_sids(SE_PRIV *privileges, DOM_SID *slist, int scount)
112 {
113 SE_PRIV mask;
114 int i;
115 BOOL found = False;
116
117 se_priv_copy( privileges, &se_priv_none );
118
119 for ( i=0; i<scount; i++ ) {
120 /* don't add unless we actually have a privilege assigned */
121
122 if ( !get_privileges( &slist[i], &mask ) )
123 continue;
124
125 DEBUG(5,("get_privileges_for_sids: sid = %s\nPrivilege set:\n",
126 sid_string_static(&slist[i])));
127 dump_se_priv( DBGC_ALL, 5, &mask );
128
129 se_priv_add( privileges, &mask );
130 found = True;
131 }
132
133 return found;
134 }
135
136
137 /*********************************************************************
138 travseral functions for privilege_enumerate_accounts
139 *********************************************************************/
140
141 static int priv_traverse_fn(TDB_CONTEXT *t, TDB_DATA key, TDB_DATA data, void *state)
142 {
143 PRIV_SID_LIST *priv = (PRIV_SID_LIST *)state;
144 int prefixlen = strlen(PRIVPREFIX);
145 DOM_SID sid;
146 fstring sid_string;
147
148 /* easy check first */
149
150 if ( data.dsize != sizeof(SE_PRIV) )
151 return 0;
152
153 /* check we have a PRIV_+SID entry */
154
155 if ( strncmp((const char *)key.dptr, PRIVPREFIX, prefixlen) != 0)
156 return 0;
157
158 /* check to see if we are looking for a particular privilege */
159
160 if ( !se_priv_equal(&priv->privilege, &se_priv_none) ) {
161 SE_PRIV mask;
162
163 se_priv_copy( &mask, (SE_PRIV*)data.dptr );
164
165 /* if the SID does not have the specified privilege
166 then just return */
167
168 if ( !is_privilege_assigned( &mask, &priv->privilege) )
169 return 0;
170 }
171
172 fstrcpy( sid_string, (const char *)&key.dptr[strlen(PRIVPREFIX)] );
173
174 /* this is a last ditch safety check to preventing returning
175 and invalid SID (i've somehow run into this on development branches) */
176
177 if ( strcmp( "S-0-0", sid_string ) == 0 )
178 return 0;
179
180 if ( !string_to_sid(&sid, sid_string) ) {
181 DEBUG(0,("travsersal_fn_enum__acct: Could not convert SID [%s]\n",
182 sid_string));
183 return 0;
184 }
185
186 if (!add_sid_to_array( NULL, &sid, &priv->sids.list, &priv->sids.count )) {
187 return 0;
188 }
189
190 return 0;
191 }
192
193 /*********************************************************************
194 Retreive list of privileged SIDs (for _lsa_enumerate_accounts()
195 *********************************************************************/
196
197 NTSTATUS privilege_enumerate_accounts(DOM_SID **sids, int *num_sids)
198 {
199 TDB_CONTEXT *tdb = get_account_pol_tdb();
200 PRIV_SID_LIST priv;
201
202 if (!tdb) {
203 return NT_STATUS_ACCESS_DENIED;
204 }
205
206 ZERO_STRUCT(priv);
207
208 se_priv_copy( &priv.privilege, &se_priv_none );
209
210 tdb_traverse( tdb, priv_traverse_fn, &priv);
211
212 /* give the memory away; caller will free */
213
214 *sids = priv.sids.list;
215 *num_sids = priv.sids.count;
216
217 return NT_STATUS_OK;
218 }
219
220 /***************************************************************************
221 Add privilege to sid
222 ****************************************************************************/
223
224 BOOL grant_privilege(const DOM_SID *sid, const SE_PRIV *priv_mask)
225 {
226 SE_PRIV old_mask, new_mask;
227
228 ZERO_STRUCT( old_mask );
229 ZERO_STRUCT( new_mask );
230
231 if ( get_privileges( sid, &old_mask ) )
232 se_priv_copy( &new_mask, &old_mask );
233 else
234 se_priv_copy( &new_mask, &se_priv_none );
235
236 se_priv_add( &new_mask, priv_mask );
237
238 DEBUG(10,("grant_privilege: %s\n", sid_string_static(sid)));
239
240 DEBUGADD( 10, ("original privilege mask:\n"));
241 dump_se_priv( DBGC_ALL, 10, &old_mask );
242
243 DEBUGADD( 10, ("new privilege mask:\n"));
244 dump_se_priv( DBGC_ALL, 10, &new_mask );
245
246 return set_privileges( sid, &new_mask );
247 }
248
249 /*********************************************************************
250 Add a privilege based on its name
251 *********************************************************************/
252
253 BOOL grant_privilege_by_name(DOM_SID *sid, const char *name)
254 {
255 SE_PRIV mask;
256
257 if (! se_priv_from_name(name, &mask)) {
258 DEBUG(3, ("grant_privilege_by_name: "
259 "No Such Privilege Found (%s)\n", name));
260 return False;
261 }
262
263 return grant_privilege( sid, &mask );
264 }
265
266 /***************************************************************************
267 Remove privilege from sid
268 ****************************************************************************/
269
270 BOOL revoke_privilege(const DOM_SID *sid, const SE_PRIV *priv_mask)
271 {
272 SE_PRIV mask;
273
274 /* if the user has no privileges, then we can't revoke any */
275
276 if ( !get_privileges( sid, &mask ) )
277 return True;
278
279 DEBUG(10,("revoke_privilege: %s\n", sid_string_static(sid)));
280
281 DEBUGADD( 10, ("original privilege mask:\n"));
282 dump_se_priv( DBGC_ALL, 10, &mask );
283
284 se_priv_remove( &mask, priv_mask );
285
286 DEBUGADD( 10, ("new privilege mask:\n"));
287 dump_se_priv( DBGC_ALL, 10, &mask );
288
289 return set_privileges( sid, &mask );
290 }
291
292 /*********************************************************************
293 Revoke all privileges
294 *********************************************************************/
295
296 BOOL revoke_all_privileges( DOM_SID *sid )
297 {
298 return revoke_privilege( sid, &se_priv_all );
299 }
300
301 /*********************************************************************
302 Add a privilege based on its name
303 *********************************************************************/
304
305 BOOL revoke_privilege_by_name(DOM_SID *sid, const char *name)
306 {
307 SE_PRIV mask;
308
309 if (! se_priv_from_name(name, &mask)) {
310 DEBUG(3, ("revoke_privilege_by_name: "
311 "No Such Privilege Found (%s)\n", name));
312 return False;
313 }
314
315 return revoke_privilege(sid, &mask);
316
317 }
318
319 /***************************************************************************
320 Retrieve the SIDs assigned to a given privilege
321 ****************************************************************************/
322
323 NTSTATUS privilege_create_account(const DOM_SID *sid )
324 {
325 return ( grant_privilege(sid, &se_priv_none) ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL);
326 }
327
328 /****************************************************************************
329 initialise a privilege list and set the talloc context
330 ****************************************************************************/
331
332 NTSTATUS privilege_set_init(PRIVILEGE_SET *priv_set)
333 {
334 TALLOC_CTX *mem_ctx;
335
336 ZERO_STRUCTP( priv_set );
337
338 mem_ctx = talloc_init("privilege set");
339 if ( !mem_ctx ) {
340 DEBUG(0,("privilege_set_init: failed to initialize talloc ctx!\n"));
341 return NT_STATUS_NO_MEMORY;
342 }
343
344 priv_set->mem_ctx = mem_ctx;
345
346 return NT_STATUS_OK;
347 }
348
349 /****************************************************************************
350 initialise a privilege list and with someone else's talloc context
351 ****************************************************************************/
352
353 NTSTATUS privilege_set_init_by_ctx(TALLOC_CTX *mem_ctx, PRIVILEGE_SET *priv_set)
354 {
355 ZERO_STRUCTP( priv_set );
356
357 priv_set->mem_ctx = mem_ctx;
358 priv_set->ext_ctx = True;
359
360 return NT_STATUS_OK;
361 }
362
363 /****************************************************************************
364 Free all memory used by a PRIVILEGE_SET
365 ****************************************************************************/
366
367 void privilege_set_free(PRIVILEGE_SET *priv_set)
368 {
369 if ( !priv_set )
370 return;
371
372 if ( !( priv_set->ext_ctx ) )
373 talloc_destroy( priv_set->mem_ctx );
374
375 ZERO_STRUCTP( priv_set );
376 }
377
378 /****************************************************************************
379 duplicate alloc luid_attr
380 ****************************************************************************/
381
382 NTSTATUS dup_luid_attr(TALLOC_CTX *mem_ctx, LUID_ATTR **new_la, LUID_ATTR *old_la, int count)
383 {
384 int i;
385
386 if ( !old_la )
387 return NT_STATUS_OK;
388
389 if (count) {
390 *new_la = TALLOC_ARRAY(mem_ctx, LUID_ATTR, count);
391 if ( !*new_la ) {
392 DEBUG(0,("dup_luid_attr: failed to alloc new LUID_ATTR array [%d]\n", count));
393 return NT_STATUS_NO_MEMORY;
394 }
395 } else {
396 *new_la = NULL;
397 }
398
399 for (i=0; i<count; i++) {
400 (*new_la)[i].luid.high = old_la[i].luid.high;
401 (*new_la)[i].luid.low = old_la[i].luid.low;
402 (*new_la)[i].attr = old_la[i].attr;
403 }
404
405 return NT_STATUS_OK;
406 }
407
408 /*******************************************************************
409 *******************************************************************/
410
411 BOOL is_privileged_sid( const DOM_SID *sid )
412 {
413 SE_PRIV mask;
414
415 return get_privileges( sid, &mask );
416 }
417
418 /*******************************************************************
419 *******************************************************************/
420
421 BOOL grant_all_privileges( const DOM_SID *sid )
422 {
423 SE_PRIV mask;
424
425 if (!se_priv_put_all_privileges(&mask)) {
426 return False;
427 }
428
429 return grant_privilege( sid, &mask );
430 }