source4/libcli/security/security_token.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    security descriptror utility functions
   5
   6    Copyright (C) Andrew Tridgell                2004
   7    Copyright (C) Stefan Metzmacher              2005
   8
   9    This program is free software; you can redistribute it and/or modify
  10    it under the terms of the GNU General Public License as published by
  11    the Free Software Foundation; either version 3 of the License, or
  12    (at your option) any later version.
  13
  14    This program is distributed in the hope that it will be useful,
  15    but WITHOUT ANY WARRANTY; without even the implied warranty of
  16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17    GNU General Public License for more details.
  18
  19    You should have received a copy of the GNU General Public License
  20    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  21 */
  22
  23 #include "includes.h"
  24 #include "libcli/security/security.h"
  25 #include "auth/session.h"
  26
  27 /*
  28   return a blank security token
  29 */
  30 struct security_token *security_token_initialise(TALLOC_CTX *mem_ctx)
  31 {
  32         struct security_token *st;
  33
  34         st = talloc(mem_ctx, struct security_token);
  35         if (!st) {
  36                 return NULL;
  37         }
  38
  39         st->user_sid = NULL;
  40         st->group_sid = NULL;
  41         st->num_sids = 0;
  42         st->sids = NULL;
  43         st->privilege_mask = 0;
  44
  45         return st;
  46 }
  47
  48 /****************************************************************************
  49  prints a struct security_token to debug output.
  50 ****************************************************************************/
  51 void security_token_debug(int dbg_lev, const struct security_token *token)
  52 {
  53         TALLOC_CTX *mem_ctx;
  54         int i;
  55
  56         if (!token) {
  57                 DEBUG(dbg_lev, ("Security token: (NULL)\n"));
  58                 return;
  59         }
  60
  61         mem_ctx = talloc_init("security_token_debug()");
  62         if (!mem_ctx) {
  63                 return;
  64         }
  65
  66         DEBUG(dbg_lev, ("Security token of user %s\n",
  67                                     dom_sid_string(mem_ctx, token->user_sid) ));
  68         DEBUGADD(dbg_lev, (" SIDs (%lu):\n",
  69                                        (unsigned long)token->num_sids));
  70         for (i = 0; i < token->num_sids; i++) {
  71                 DEBUGADD(dbg_lev, ("  SID[%3lu]: %s\n", (unsigned long)i,
  72                            dom_sid_string(mem_ctx, token->sids[i])));
  73         }
  74
  75         security_token_debug_privileges(dbg_lev, token);
  76
  77         talloc_free(mem_ctx);
  78 }
  79
  80 /* These really should be cheaper... */
  81
  82 bool security_token_is_sid(const struct security_token *token, const struct dom_sid *sid)
  83 {
  84         if (dom_sid_equal(token->user_sid, sid)) {
  85                 return true;
  86         }
  87         return false;
  88 }
  89
  90 bool security_token_is_sid_string(const struct security_token *token, const char *sid_string)
  91 {
  92         bool ret;
  93         struct dom_sid *sid = dom_sid_parse_talloc(NULL, sid_string);
  94         if (!sid) return false;
  95
  96         ret = security_token_is_sid(token, sid);
  97
  98         talloc_free(sid);
  99         return ret;
 100 }
 101
 102 bool security_token_is_system(const struct security_token *token)
 103 {
 104         return security_token_is_sid_string(token, SID_NT_SYSTEM);
 105 }
 106
 107 bool security_token_is_anonymous(const struct security_token *token)
 108 {
 109         return security_token_is_sid_string(token, SID_NT_ANONYMOUS);
 110 }
 111
 112 bool security_token_has_sid(const struct security_token *token, const struct dom_sid *sid)
 113 {
 114         int i;
 115         for (i = 0; i < token->num_sids; i++) {
 116                 if (dom_sid_equal(token->sids[i], sid)) {
 117                         return true;
 118                 }
 119         }
 120         return false;
 121 }
 122
 123 bool security_token_has_sid_string(const struct security_token *token, const char *sid_string)
 124 {
 125         bool ret;
 126         struct dom_sid *sid = dom_sid_parse_talloc(NULL, sid_string);
 127         if (!sid) return false;
 128
 129         ret = security_token_has_sid(token, sid);
 130
 131         talloc_free(sid);
 132         return ret;
 133 }
 134
 135 bool security_token_has_builtin_administrators(const struct security_token *token)
 136 {
 137         return security_token_has_sid_string(token, SID_BUILTIN_ADMINISTRATORS);
 138 }
 139
 140 bool security_token_has_nt_authenticated_users(const struct security_token *token)
 141 {
 142         return security_token_has_sid_string(token, SID_NT_AUTHENTICATED_USERS);
 143 }
 144
 145 enum security_user_level security_session_user_level(struct auth_session_info *session_info)
 146 {
 147         if (!session_info) {
 148                 return SECURITY_ANONYMOUS;
 149         }
 150
 151         if (security_token_is_system(session_info->security_token)) {
 152                 return SECURITY_SYSTEM;
 153         }
 154
 155         if (security_token_is_anonymous(session_info->security_token)) {
 156                 return SECURITY_ANONYMOUS;
 157         }
 158
 159         if (security_token_has_builtin_administrators(session_info->security_token)) {
 160                 return SECURITY_ADMINISTRATOR;
 161         }
 162
 163         if (security_token_has_nt_authenticated_users(session_info->security_token)) {
 164                 return SECURITY_USER;
 165         }
 166
 167         return SECURITY_ANONYMOUS;
 168 }
 169