2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1997,
5 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
6 * Copyright (C) Jeremy Allison 2001.
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 3 of the License, or
11 * (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, see <http://www.gnu.org/licenses/>.
23 #include "../librpc/gen_ndr/ndr_lsa.h"
24 #include "../librpc/gen_ndr/ndr_samr.h"
27 #include "rpc_server/rpc_ncacn_np.h"
30 #define DBGC_CLASS DBGC_RPC_SRV
33 * Handle database - stored per pipe.
36 struct dcesrv_handle
{
37 struct dcesrv_handle
*prev
, *next
;
38 struct policy_handle wire_handle
;
39 uint32_t access_granted
;
44 struct dcesrv_handle
*handles
; /* List of pipe handles. */
45 size_t count
; /* Current number of handles. */
46 size_t pipe_ref_count
; /* Number of pipe handles referring
50 /* This is the max handles across all instances of a pipe name. */
52 #define MAX_OPEN_POLS 2048
55 /****************************************************************************
56 Hack as handles need to be persisant over lsa pipe closes so long as a samr
58 ****************************************************************************/
60 static bool is_samr_lsa_pipe(const struct ndr_syntax_id
*syntax
)
62 return (ndr_syntax_id_equal(syntax
, &ndr_table_samr
.syntax_id
)
63 || ndr_syntax_id_equal(syntax
, &ndr_table_lsarpc
.syntax_id
));
66 size_t num_pipe_handles(struct pipes_struct
*p
)
68 if (p
->pipe_handles
== NULL
) {
71 return p
->pipe_handles
->count
;
74 /****************************************************************************
75 Initialise a policy handle list on a pipe. Handle list is shared between all
76 pipes of the same name.
77 ****************************************************************************/
79 bool init_pipe_handles(struct pipes_struct
*p
, const struct ndr_syntax_id
*syntax
)
81 struct pipes_struct
*plist
;
82 struct handle_list
*hl
;
84 for (plist
= get_first_internal_pipe();
86 plist
= get_next_internal_pipe(plist
)) {
87 struct pipe_rpc_fns
*p_ctx
;
90 for (p_ctx
= plist
->contexts
;
92 p_ctx
= p_ctx
->next
) {
93 if (ndr_syntax_id_equal(syntax
, &p_ctx
->syntax
)) {
97 if (is_samr_lsa_pipe(&p_ctx
->syntax
)
98 && is_samr_lsa_pipe(syntax
)) {
100 * samr and lsa share a handle space (same process
114 hl
= plist
->pipe_handles
;
120 * First open, we have to create the handle list
122 hl
= talloc_zero(NULL
, struct handle_list
);
127 DEBUG(10,("init_pipe_handle_list: created handle list for "
129 get_pipe_name_from_syntax(talloc_tos(), syntax
)));
133 * One more pipe is using this list.
136 hl
->pipe_ref_count
++;
139 * Point this pipe at this list.
142 p
->pipe_handles
= hl
;
144 DEBUG(10,("init_pipe_handle_list: pipe_handles ref count = %lu for "
145 "pipe %s\n", (unsigned long)p
->pipe_handles
->pipe_ref_count
,
146 get_pipe_name_from_syntax(talloc_tos(), syntax
)));
151 /****************************************************************************
152 find first available policy slot. creates a policy handle for you.
154 If "data_ptr" is given, this must be a talloc'ed object, create_policy_hnd
155 talloc_moves this into the handle. If the policy_hnd is closed,
156 data_ptr is TALLOC_FREE()'ed
157 ****************************************************************************/
159 static struct dcesrv_handle
*create_rpc_handle_internal(struct pipes_struct
*p
,
160 struct policy_handle
*hnd
, void *data_ptr
)
162 struct dcesrv_handle
*rpc_hnd
;
163 static uint32 pol_hnd_low
= 0;
164 static uint32 pol_hnd_high
= 0;
165 time_t t
= time(NULL
);
167 if (p
->pipe_handles
->count
> MAX_OPEN_POLS
) {
168 DEBUG(0,("create_policy_hnd: ERROR: too many handles (%d) on this pipe.\n",
169 (int)p
->pipe_handles
->count
));
173 rpc_hnd
= talloc_zero(p
->pipe_handles
, struct dcesrv_handle
);
175 DEBUG(0,("create_policy_hnd: ERROR: out of memory!\n"));
179 if (data_ptr
!= NULL
) {
180 rpc_hnd
->data
= talloc_move(rpc_hnd
, &data_ptr
);
184 if (pol_hnd_low
== 0) {
188 /* first bit must be null */
189 SIVAL(&rpc_hnd
->wire_handle
.handle_type
, 0 , 0);
191 /* second bit is incrementing */
192 SIVAL(&rpc_hnd
->wire_handle
.uuid
.time_low
, 0 , pol_hnd_low
);
193 SSVAL(&rpc_hnd
->wire_handle
.uuid
.time_mid
, 0 , pol_hnd_high
);
194 SSVAL(&rpc_hnd
->wire_handle
.uuid
.time_hi_and_version
, 0, (pol_hnd_high
>> 16));
196 /* split the current time into two 16 bit values */
198 /* something random */
199 SSVAL(rpc_hnd
->wire_handle
.uuid
.clock_seq
, 0, (t
>> 16));
200 /* something random */
201 SSVAL(rpc_hnd
->wire_handle
.uuid
.node
, 0, t
);
202 /* something more random */
203 SIVAL(rpc_hnd
->wire_handle
.uuid
.node
, 2, sys_getpid());
205 DLIST_ADD(p
->pipe_handles
->handles
, rpc_hnd
);
206 p
->pipe_handles
->count
++;
208 *hnd
= rpc_hnd
->wire_handle
;
210 DEBUG(4, ("Opened policy hnd[%d] ", (int)p
->pipe_handles
->count
));
211 dump_data(4, (uint8_t *)hnd
, sizeof(*hnd
));
216 bool create_policy_hnd(struct pipes_struct
*p
, struct policy_handle
*hnd
,
219 struct dcesrv_handle
*rpc_hnd
;
221 rpc_hnd
= create_rpc_handle_internal(p
, hnd
, data_ptr
);
222 if (rpc_hnd
== NULL
) {
228 /****************************************************************************
229 find policy by handle - internal version.
230 ****************************************************************************/
232 static struct dcesrv_handle
*find_policy_by_hnd_internal(struct pipes_struct
*p
,
233 const struct policy_handle
*hnd
, void **data_p
)
235 struct dcesrv_handle
*h
;
243 for (h
= p
->pipe_handles
->handles
; h
!= NULL
; h
= h
->next
) {
244 if (memcmp(&h
->wire_handle
, hnd
, sizeof(*hnd
)) == 0) {
245 DEBUG(4,("Found policy hnd[%u] ", count
));
246 dump_data(4, (const uint8
*)hnd
, sizeof(*hnd
));
255 DEBUG(4,("Policy not found: "));
256 dump_data(4, (const uint8_t *)hnd
, sizeof(*hnd
));
258 p
->bad_handle_fault_state
= true;
263 /****************************************************************************
264 find policy by handle
265 ****************************************************************************/
267 bool find_policy_by_hnd(struct pipes_struct
*p
, const struct policy_handle
*hnd
,
270 struct dcesrv_handle
*rpc_hnd
;
272 rpc_hnd
= find_policy_by_hnd_internal(p
, hnd
, data_p
);
273 if (rpc_hnd
== NULL
) {
279 /****************************************************************************
281 ****************************************************************************/
283 bool close_policy_hnd(struct pipes_struct
*p
, struct policy_handle
*hnd
)
285 struct dcesrv_handle
*rpc_hnd
;
287 rpc_hnd
= find_policy_by_hnd_internal(p
, hnd
, NULL
);
289 if (rpc_hnd
== NULL
) {
290 DEBUG(3, ("Error closing policy (policy not found)\n"));
294 DEBUG(3,("Closed policy\n"));
296 p
->pipe_handles
->count
--;
298 DLIST_REMOVE(p
->pipe_handles
->handles
, rpc_hnd
);
299 TALLOC_FREE(rpc_hnd
);
304 /****************************************************************************
305 Close a pipe - free the handle set if it was the last pipe reference.
306 ****************************************************************************/
308 void close_policy_by_pipe(struct pipes_struct
*p
)
310 p
->pipe_handles
->pipe_ref_count
--;
312 if (p
->pipe_handles
->pipe_ref_count
== 0) {
314 * Last pipe open on this list - free the list.
316 TALLOC_FREE(p
->pipe_handles
);
318 DEBUG(10,("close_policy_by_pipe: deleted handle list for "
320 get_pipe_name_from_syntax(talloc_tos(), &p
->syntax
)));
324 /*******************************************************************
325 Shall we allow access to this rpc? Currently this function
326 implements the 'restrict anonymous' setting by denying access to
327 anonymous users if the restrict anonymous level is > 0. Further work
328 will be checking a security descriptor to determine whether a user
329 token has enough access to access the pipe.
330 ********************************************************************/
332 bool pipe_access_check(struct pipes_struct
*p
)
334 /* Don't let anonymous users access this RPC if restrict
337 if (lp_restrict_anonymous() > 0) {
339 /* schannel, so we must be ok */
341 (p
->auth
.auth_type
== DCERPC_AUTH_TYPE_SCHANNEL
)) {
345 if (p
->session_info
->guest
) {
353 void *_policy_handle_create(struct pipes_struct
*p
, struct policy_handle
*hnd
,
354 uint32_t access_granted
, size_t data_size
,
355 const char *type
, NTSTATUS
*pstatus
)
357 struct dcesrv_handle
*rpc_hnd
;
360 if (p
->pipe_handles
->count
> MAX_OPEN_POLS
) {
361 DEBUG(0, ("policy_handle_create: ERROR: too many handles (%d) "
362 "on pipe %s.\n", (int)p
->pipe_handles
->count
,
363 get_pipe_name_from_syntax(talloc_tos(), &p
->syntax
)));
364 *pstatus
= NT_STATUS_INSUFFICIENT_RESOURCES
;
368 data
= talloc_size(talloc_tos(), data_size
);
370 *pstatus
= NT_STATUS_NO_MEMORY
;
373 talloc_set_name_const(data
, type
);
375 rpc_hnd
= create_rpc_handle_internal(p
, hnd
, data
);
376 if (rpc_hnd
== NULL
) {
378 *pstatus
= NT_STATUS_NO_MEMORY
;
381 rpc_hnd
->access_granted
= access_granted
;
382 *pstatus
= NT_STATUS_OK
;
386 void *_policy_handle_find(struct pipes_struct
*p
,
387 const struct policy_handle
*hnd
,
388 uint32_t access_required
,
389 uint32_t *paccess_granted
,
390 const char *name
, const char *location
,
393 struct dcesrv_handle
*rpc_hnd
;
396 rpc_hnd
= find_policy_by_hnd_internal(p
, hnd
, &data
);
397 if (rpc_hnd
== NULL
) {
398 *pstatus
= NT_STATUS_INVALID_HANDLE
;
401 if (strcmp(name
, talloc_get_name(data
)) != 0) {
402 DEBUG(10, ("expected %s, got %s\n", name
,
403 talloc_get_name(data
)));
404 *pstatus
= NT_STATUS_INVALID_HANDLE
;
407 if ((access_required
& rpc_hnd
->access_granted
) != access_required
) {
408 if (geteuid() == sec_initial_uid()) {
409 DEBUG(4, ("%s: ACCESS should be DENIED (granted: "
410 "%#010x; required: %#010x)\n", location
,
411 rpc_hnd
->access_granted
, access_required
));
412 DEBUGADD(4,("but overwritten by euid == 0\n"));
415 DEBUG(2,("%s: ACCESS DENIED (granted: %#010x; required: "
416 "%#010x)\n", location
, rpc_hnd
->access_granted
,
418 *pstatus
= NT_STATUS_ACCESS_DENIED
;
423 DEBUG(10, ("found handle of type %s\n", talloc_get_name(data
)));
424 if (paccess_granted
!= NULL
) {
425 *paccess_granted
= rpc_hnd
->access_granted
;
427 *pstatus
= NT_STATUS_OK
;