2 Unix SMB/CIFS implementation.
3 Samba utility functions
5 Copyright (C) Stefan (metze) Metzmacher 2002-2004
6 Copyright (C) Andrew Tridgell 1992-2004
7 Copyright (C) Jeremy Allison 1999
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "librpc/gen_ndr/security.h"
27 /*****************************************************************
28 Compare the auth portion of two sids.
29 *****************************************************************/
31 int dom_sid_compare_auth(const struct dom_sid
*sid1
,
32 const struct dom_sid
*sid2
)
43 if (sid1
->sid_rev_num
!= sid2
->sid_rev_num
)
44 return sid1
->sid_rev_num
- sid2
->sid_rev_num
;
46 for (i
= 0; i
< 6; i
++)
47 if (sid1
->id_auth
[i
] != sid2
->id_auth
[i
])
48 return sid1
->id_auth
[i
] - sid2
->id_auth
[i
];
53 /*****************************************************************
55 *****************************************************************/
57 int dom_sid_compare(const struct dom_sid
*sid1
, const struct dom_sid
*sid2
)
68 /* Compare most likely different rids, first: i.e start at end */
69 if (sid1
->num_auths
!= sid2
->num_auths
)
70 return sid1
->num_auths
- sid2
->num_auths
;
72 for (i
= sid1
->num_auths
-1; i
>= 0; --i
)
73 if (sid1
->sub_auths
[i
] != sid2
->sub_auths
[i
])
74 return sid1
->sub_auths
[i
] - sid2
->sub_auths
[i
];
76 return dom_sid_compare_auth(sid1
, sid2
);
79 /*****************************************************************
81 *****************************************************************/
83 bool dom_sid_equal(const struct dom_sid
*sid1
, const struct dom_sid
*sid2
)
85 return dom_sid_compare(sid1
, sid2
) == 0;
88 /*****************************************************************
89 Add a rid to the end of a sid
90 *****************************************************************/
92 bool sid_append_rid(struct dom_sid
*sid
, uint32_t rid
)
94 if (sid
->num_auths
< ARRAY_SIZE(sid
->sub_auths
)) {
95 sid
->sub_auths
[sid
->num_auths
++] = rid
;
102 See if 2 SIDs are in the same domain
103 this just compares the leading sub-auths
105 int dom_sid_compare_domain(const struct dom_sid
*sid1
,
106 const struct dom_sid
*sid2
)
110 n
= MIN(sid1
->num_auths
, sid2
->num_auths
);
112 for (i
= n
-1; i
>= 0; --i
)
113 if (sid1
->sub_auths
[i
] != sid2
->sub_auths
[i
])
114 return sid1
->sub_auths
[i
] - sid2
->sub_auths
[i
];
116 return dom_sid_compare_auth(sid1
, sid2
);
119 /*****************************************************************
120 Convert a string to a SID. Returns True on success, False on fail.
121 *****************************************************************/
123 bool string_to_sid(struct dom_sid
*sidout
, const char *sidstr
)
127 /* BIG NOTE: this function only does SIDS where the identauth is not >= 2^32 */
130 ZERO_STRUCTP(sidout
);
132 if ((sidstr
[0] != 'S' && sidstr
[0] != 's') || sidstr
[1] != '-') {
136 /* Get the revision number. */
143 conv
= (uint32_t) strtoul(p
, &q
, 10);
144 if (!q
|| (*q
!= '-')) {
147 sidout
->sid_rev_num
= (uint8_t) conv
;
155 conv
= (uint32_t) strtoul(q
, &q
, 10);
160 /* identauth in decimal should be < 2^32 */
161 /* NOTE - the conv value is in big-endian format. */
162 sidout
->id_auth
[0] = 0;
163 sidout
->id_auth
[1] = 0;
164 sidout
->id_auth
[2] = (conv
& 0xff000000) >> 24;
165 sidout
->id_auth
[3] = (conv
& 0x00ff0000) >> 16;
166 sidout
->id_auth
[4] = (conv
& 0x0000ff00) >> 8;
167 sidout
->id_auth
[5] = (conv
& 0x000000ff);
169 sidout
->num_auths
= 0;
171 /* Just id_auth, no subauths */
184 conv
= strtoul(q
, &end
, 10);
189 if (!sid_append_rid(sidout
, conv
)) {
190 DEBUG(3, ("Too many sid auths in %s\n", sidstr
));
203 DEBUG(3, ("string_to_sid: SID %s is not in a valid format\n", sidstr
));
207 bool dom_sid_parse(const char *sidstr
, struct dom_sid
*ret
)
209 return string_to_sid(ret
, sidstr
);
213 convert a string to a dom_sid, returning a talloc'd dom_sid
215 struct dom_sid
*dom_sid_parse_talloc(TALLOC_CTX
*mem_ctx
, const char *sidstr
)
218 ret
= talloc(mem_ctx
, struct dom_sid
);
222 if (!dom_sid_parse(sidstr
, ret
)) {
231 convert a string to a dom_sid, returning a talloc'd dom_sid
233 struct dom_sid
*dom_sid_parse_length(TALLOC_CTX
*mem_ctx
, const DATA_BLOB
*sid
)
236 char *p
= talloc_strndup(mem_ctx
, (char *)sid
->data
, sid
->length
);
240 ret
= dom_sid_parse_talloc(mem_ctx
, p
);
246 copy a dom_sid structure
248 struct dom_sid
*dom_sid_dup(TALLOC_CTX
*mem_ctx
, const struct dom_sid
*dom_sid
)
257 ret
= talloc(mem_ctx
, struct dom_sid
);
262 ret
->sid_rev_num
= dom_sid
->sid_rev_num
;
263 ret
->id_auth
[0] = dom_sid
->id_auth
[0];
264 ret
->id_auth
[1] = dom_sid
->id_auth
[1];
265 ret
->id_auth
[2] = dom_sid
->id_auth
[2];
266 ret
->id_auth
[3] = dom_sid
->id_auth
[3];
267 ret
->id_auth
[4] = dom_sid
->id_auth
[4];
268 ret
->id_auth
[5] = dom_sid
->id_auth
[5];
269 ret
->num_auths
= dom_sid
->num_auths
;
271 for (i
=0;i
<dom_sid
->num_auths
;i
++) {
272 ret
->sub_auths
[i
] = dom_sid
->sub_auths
[i
];
279 add a rid to a domain dom_sid to make a full dom_sid. This function
280 returns a new sid in the supplied memory context
282 struct dom_sid
*dom_sid_add_rid(TALLOC_CTX
*mem_ctx
,
283 const struct dom_sid
*domain_sid
,
288 sid
= dom_sid_dup(mem_ctx
, domain_sid
);
289 if (!sid
) return NULL
;
291 if (!sid_append_rid(sid
, rid
)) {
300 Split up a SID into its domain and RID part
302 NTSTATUS
dom_sid_split_rid(TALLOC_CTX
*mem_ctx
, const struct dom_sid
*sid
,
303 struct dom_sid
**domain
, uint32_t *rid
)
305 if (sid
->num_auths
== 0) {
306 return NT_STATUS_INVALID_PARAMETER
;
310 if (!(*domain
= dom_sid_dup(mem_ctx
, sid
))) {
311 return NT_STATUS_NO_MEMORY
;
314 (*domain
)->num_auths
-= 1;
318 *rid
= sid
->sub_auths
[sid
->num_auths
- 1];
325 return true if the 2nd sid is in the domain given by the first sid
327 bool dom_sid_in_domain(const struct dom_sid
*domain_sid
,
328 const struct dom_sid
*sid
)
332 if (!domain_sid
|| !sid
) {
336 if (domain_sid
->num_auths
> sid
->num_auths
) {
340 for (i
= domain_sid
->num_auths
-1; i
>= 0; --i
) {
341 if (domain_sid
->sub_auths
[i
] != sid
->sub_auths
[i
]) {
346 return dom_sid_compare_auth(domain_sid
, sid
) == 0;
350 convert a dom_sid to a string
352 char *dom_sid_string(TALLOC_CTX
*mem_ctx
, const struct dom_sid
*sid
)
359 return talloc_strdup(mem_ctx
, "(NULL SID)");
362 maxlen
= sid
->num_auths
* 11 + 25;
363 ret
= talloc_array(mem_ctx
, char, maxlen
);
364 if (!ret
) return talloc_strdup(mem_ctx
, "(SID ERR)");
366 ia
= (sid
->id_auth
[5]) +
367 (sid
->id_auth
[4] << 8 ) +
368 (sid
->id_auth
[3] << 16) +
369 (sid
->id_auth
[2] << 24);
371 ofs
= snprintf(ret
, maxlen
, "S-%u-%lu",
372 (unsigned int)sid
->sid_rev_num
, (unsigned long)ia
);
374 for (i
= 0; i
< sid
->num_auths
; i
++) {
375 ofs
+= snprintf(ret
+ ofs
, maxlen
- ofs
, "-%lu",
376 (unsigned long)sid
->sub_auths
[i
]);