search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
ctdb-scripts: Improve update and listing code
[samba4-gss.git] / libcli / security / dom_sid.c
blob04ac6e4cf539eeb492d599c3968b4b7a0e7048a7
1 /*
2 Unix SMB/CIFS implementation.
3 Samba utility functions
4
5 Copyright (C) Stefan (metze) Metzmacher 2002-2004
6 Copyright (C) Andrew Tridgell 1992-2004
7 Copyright (C) Jeremy Allison 1999
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "replace.h"
24 #include "lib/util/data_blob.h"
25 #include "system/locale.h"
26 #include "lib/util/debug.h"
27 #include "lib/util/util.h"
28 #include "librpc/gen_ndr/security.h"
29 #include "dom_sid.h"
30 #include "lib/util/smb_strtox.h"
31 #include "lib/util/tsort.h"
32
33 /*****************************************************************
34 Compare the auth portion of two sids.
35 *****************************************************************/
36
37 int dom_sid_compare_auth(const struct dom_sid *sid1,
38 const struct dom_sid *sid2)
39 {
40 int i;
41
42 if (sid1 == sid2) {
43 return 0;
44 }
45
46 if (sid1 == NULL) {
47 return -1;
48 }
49
50 if (sid2 == NULL) {
51 return 1;
52 }
53
54 if (sid1->sid_rev_num != sid2->sid_rev_num) {
55 return NUMERIC_CMP(sid1->sid_rev_num, sid2->sid_rev_num);
56 }
57
58 for (i = 0; i < 6; i++) {
59 if (sid1->id_auth[i] != sid2->id_auth[i]) {
60 return NUMERIC_CMP(sid1->id_auth[i], sid2->id_auth[i]);
61 }
62 }
63
64 return 0;
65 }
66
67 /*****************************************************************
68 Compare two sids.
69 *****************************************************************/
70
71 int dom_sid_compare(const struct dom_sid *sid1, const struct dom_sid *sid2)
72 {
73 int i;
74
75 if (sid1 == sid2) {
76 return 0;
77 }
78
79 if (sid1 == NULL) {
80 return -1;
81 }
82
83 if (sid2 == NULL) {
84 return 1;
85 }
86
87 /* Compare most likely different rids, first: i.e start at end */
88 if (sid1->num_auths != sid2->num_auths) {
89 return NUMERIC_CMP(sid1->num_auths, sid2->num_auths);
90 }
91 for (i = sid1->num_auths-1; i >= 0; --i) {
92 if (sid1->sub_auths[i] < sid2->sub_auths[i]) {
93 return -1;
94 }
95 if (sid1->sub_auths[i] > sid2->sub_auths[i]) {
96 return 1;
97 }
98 }
99
100 return dom_sid_compare_auth(sid1, sid2);
101 }
102
103 /*****************************************************************
104 Compare two sids.
105 *****************************************************************/
106
107 bool dom_sid_equal(const struct dom_sid *sid1, const struct dom_sid *sid2)
108 {
109 return dom_sid_compare(sid1, sid2) == 0;
110 }
111
112 /*****************************************************************
113 Add a rid to the end of a sid
114 *****************************************************************/
115
116 bool sid_append_rid(struct dom_sid *sid, uint32_t rid)
117 {
118 if (sid->num_auths < ARRAY_SIZE(sid->sub_auths)) {
119 sid->sub_auths[sid->num_auths++] = rid;
120 return true;
121 }
122 return false;
123 }
124
125 /*
126 See if 2 SIDs are in the same domain
127 this just compares the leading sub-auths
128 */
129 int dom_sid_compare_domain(const struct dom_sid *sid1,
130 const struct dom_sid *sid2)
131 {
132 int n, i;
133
134 n = MIN(sid1->num_auths, sid2->num_auths);
135
136 for (i = n-1; i >= 0; --i) {
137 if (sid1->sub_auths[i] < sid2->sub_auths[i]) {
138 return -1;
139 }
140 if (sid1->sub_auths[i] > sid2->sub_auths[i]) {
141 return 1;
142 }
143 }
144
145 return dom_sid_compare_auth(sid1, sid2);
146 }
147
148 /*****************************************************************
149 Convert a string to a SID. Returns True on success, False on fail.
150 Return the first character not parsed in endp.
151 *****************************************************************/
152 #define AUTHORITY_MASK (~(0xffffffffffffULL))
153
154 bool dom_sid_parse_endp(const char *sidstr,struct dom_sid *sidout,
155 const char **endp)
156 {
157 const char *p;
158 char *q = NULL;
159 char *end = NULL;
160 uint64_t conv;
161 int error = 0;
162
163 *sidout = (struct dom_sid) {};
164
165 if ((sidstr[0] != 'S' && sidstr[0] != 's') || sidstr[1] != '-') {
166 goto format_error;
167 }
168
169 /* Get the revision number. */
170 p = sidstr + 2;
171
172 if (!isdigit((unsigned char)*p)) {
173 goto format_error;
174 }
175
176 conv = smb_strtoul(p, &q, 10, &error, SMB_STR_STANDARD);
177 if (error != 0 || (*q != '-') || conv > UINT8_MAX || q - p > 4) {
178 goto format_error;
179 }
180 sidout->sid_rev_num = (uint8_t) conv;
181 q++;
182
183 if (!isdigit((unsigned char)*q)) {
184 goto format_error;
185 }
186 while (q[0] == '0' && isdigit((unsigned char)q[1])) {
187 /*
188 * strtoull will think this is octal, which is not how SIDs
189 * work! So let's walk along until there are no leading zeros
190 * (or a single zero).
191 */
192 q++;
193 }
194
195 /* get identauth */
196 conv = smb_strtoull(q, &end, 0, &error, SMB_STR_STANDARD);
197 if (conv & AUTHORITY_MASK || error != 0) {
198 goto format_error;
199 }
200 if (conv >= (1ULL << 48) || end - q > 15) {
201 /*
202 * This identauth looks like a big number, but resolves to a
203 * small number after rounding.
204 */
205 goto format_error;
206 }
207
208 /* NOTE - the conv value is in big-endian format. */
209 sidout->id_auth[0] = (conv & 0xff0000000000ULL) >> 40;
210 sidout->id_auth[1] = (conv & 0x00ff00000000ULL) >> 32;
211 sidout->id_auth[2] = (conv & 0x0000ff000000ULL) >> 24;
212 sidout->id_auth[3] = (conv & 0x000000ff0000ULL) >> 16;
213 sidout->id_auth[4] = (conv & 0x00000000ff00ULL) >> 8;
214 sidout->id_auth[5] = (conv & 0x0000000000ffULL);
215
216 sidout->num_auths = 0;
217 q = end;
218 if (*q != '-') {
219 /* Just id_auth, no subauths */
220 goto done;
221 }
222
223 q++;
224
225 while (true) {
226 if (!isdigit((unsigned char)*q)) {
227 goto format_error;
228 }
229 while (q[0] == '0' && isdigit((unsigned char)q[1])) {
230 /*
231 * strtoull will think this is octal, which is not how
232 * SIDs work! So let's walk along until there are no
233 * leading zeros (or a single zero).
234 */
235 q++;
236 }
237 conv = smb_strtoull(q, &end, 0, &error, SMB_STR_STANDARD);
238 if (conv > UINT32_MAX || error != 0 || end - q > 12) {
239 /*
240 * This sub-auth is greater than 4294967295,
241 * and hence invalid. Windows will treat it as
242 * 4294967295, while we prefer to refuse (old
243 * versions of Samba will wrap, arriving at
244 * another number altogether).
245 */
246 DBG_NOTICE("bad sub-auth in %s\n", sidstr);
247 goto format_error;
248 }
249
250 if (!sid_append_rid(sidout, conv)) {
251 DEBUG(3, ("Too many sid auths in %s\n", sidstr));
252 return false;
253 }
254
255 q = end;
256 if (*q != '-') {
257 break;
258 }
259 q += 1;
260 }
261 done:
262 if (endp != NULL) {
263 *endp = q;
264 }
265 return true;
266
267 format_error:
268 DEBUG(3, ("string_to_sid: SID %s is not in a valid format\n", sidstr));
269 return false;
270 }
271
272 bool string_to_sid(struct dom_sid *sidout, const char *sidstr)
273 {
274 return dom_sid_parse(sidstr, sidout);
275 }
276
277 bool dom_sid_parse(const char *sidstr, struct dom_sid *ret)
278 {
279 return dom_sid_parse_endp(sidstr, ret, NULL);
280 }
281
282 /*
283 convert a string to a dom_sid, returning a talloc'd dom_sid
284 */
285 struct dom_sid *dom_sid_parse_talloc(TALLOC_CTX *mem_ctx, const char *sidstr)
286 {
287 struct dom_sid *ret;
288 ret = talloc(mem_ctx, struct dom_sid);
289 if (!ret) {
290 return NULL;
291 }
292 if (!dom_sid_parse(sidstr, ret)) {
293 talloc_free(ret);
294 return NULL;
295 }
296
297 return ret;
298 }
299
300 /*
301 convert a string to a dom_sid, returning a talloc'd dom_sid
302 */
303 struct dom_sid *dom_sid_parse_length(TALLOC_CTX *mem_ctx, const DATA_BLOB *sid)
304 {
305 char p[sid->length+1];
306 memcpy(p, sid->data, sid->length);
307 p[sid->length] = '\0';
308 return dom_sid_parse_talloc(mem_ctx, p);
309 }
310
311 /*
312 copy a dom_sid structure
313 */
314 struct dom_sid *dom_sid_dup(TALLOC_CTX *mem_ctx, const struct dom_sid *dom_sid)
315 {
316 struct dom_sid *ret;
317
318 if (!dom_sid) {
319 return NULL;
320 }
321
322 ret = talloc(mem_ctx, struct dom_sid);
323 if (!ret) {
324 return NULL;
325 }
326 sid_copy(ret, dom_sid);
327
328 return ret;
329 }
330
331 /*
332 add a rid to a domain dom_sid to make a full dom_sid. This function
333 returns a new sid in the supplied memory context
334 */
335 struct dom_sid *dom_sid_add_rid(TALLOC_CTX *mem_ctx,
336 const struct dom_sid *domain_sid,
337 uint32_t rid)
338 {
339 struct dom_sid *sid;
340
341 sid = dom_sid_dup(mem_ctx, domain_sid);
342 if (!sid) return NULL;
343
344 if (!sid_append_rid(sid, rid)) {
345 talloc_free(sid);
346 return NULL;
347 }
348
349 return sid;
350 }
351
352 /*
353 Split up a SID into its domain and RID part
354 */
355 NTSTATUS dom_sid_split_rid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid,
356 struct dom_sid **domain, uint32_t *rid)
357 {
358 if (sid->num_auths == 0) {
359 return NT_STATUS_INVALID_PARAMETER;
360 }
361
362 if (domain) {
363 if (!(*domain = dom_sid_dup(mem_ctx, sid))) {
364 return NT_STATUS_NO_MEMORY;
365 }
366
367 (*domain)->num_auths -= 1;
368 }
369
370 if (rid) {
371 *rid = sid->sub_auths[sid->num_auths - 1];
372 }
373
374 return NT_STATUS_OK;
375 }
376
377 /*
378 return true if the 2nd sid is in the domain given by the first sid
379 */
380 bool dom_sid_in_domain(const struct dom_sid *domain_sid,
381 const struct dom_sid *sid)
382 {
383 int i;
384
385 if (!domain_sid || !sid) {
386 return false;
387 }
388
389 if (sid->num_auths < 2) {
390 return false;
391 }
392
393 if (domain_sid->num_auths != (sid->num_auths - 1)) {
394 return false;
395 }
396
397 for (i = domain_sid->num_auths-1; i >= 0; --i) {
398 if (domain_sid->sub_auths[i] != sid->sub_auths[i]) {
399 return false;
400 }
401 }
402
403 return dom_sid_compare_auth(domain_sid, sid) == 0;
404 }
405
406 bool dom_sid_has_account_domain(const struct dom_sid *sid)
407 {
408 if (sid == NULL) {
409 return false;
410 }
411
412 if (sid->sid_rev_num != 1) {
413 return false;
414 }
415 if (sid->num_auths != 5) {
416 return false;
417 }
418 if (sid->id_auth[5] != 5) {
419 return false;
420 }
421 if (sid->id_auth[4] != 0) {
422 return false;
423 }
424 if (sid->id_auth[3] != 0) {
425 return false;
426 }
427 if (sid->id_auth[2] != 0) {
428 return false;
429 }
430 if (sid->id_auth[1] != 0) {
431 return false;
432 }
433 if (sid->id_auth[0] != 0) {
434 return false;
435 }
436 if (sid->sub_auths[0] != 21) {
437 return false;
438 }
439
440 return true;
441 }
442
443 bool dom_sid_is_valid_account_domain(const struct dom_sid *sid)
444 {
445 /*
446 * We expect S-1-5-21-9-8-7, but we don't
447 * allow S-1-5-21-0-0-0 as this is used
448 * for claims and compound identities.
449 *
450 * With this structure:
451 *
452 * struct dom_sid {
453 * uint8_t sid_rev_num;
454 * int8_t num_auths; [range(0,15)]
455 * uint8_t id_auth[6];
456 * uint32_t sub_auths[15];
457 * }
458 *
459 * S-1-5-21-9-8-7 looks like this:
460 * {1, 4, {0,0,0,0,0,5}, {21,9,8,7,0,0,0,0,0,0,0,0,0,0,0}};
461 */
462 if (sid == NULL) {
463 return false;
464 }
465
466 if (sid->sid_rev_num != 1) {
467 return false;
468 }
469 if (sid->num_auths != 4) {
470 return false;
471 }
472 if (sid->id_auth[5] != 5) {
473 return false;
474 }
475 if (sid->id_auth[4] != 0) {
476 return false;
477 }
478 if (sid->id_auth[3] != 0) {
479 return false;
480 }
481 if (sid->id_auth[2] != 0) {
482 return false;
483 }
484 if (sid->id_auth[1] != 0) {
485 return false;
486 }
487 if (sid->id_auth[0] != 0) {
488 return false;
489 }
490 if (sid->sub_auths[0] != 21) {
491 return false;
492 }
493 if (sid->sub_auths[1] == 0) {
494 return false;
495 }
496 if (sid->sub_auths[2] == 0) {
497 return false;
498 }
499 if (sid->sub_auths[3] == 0) {
500 return false;
501 }
502
503 return true;
504 }
505
506 /*
507 Convert a dom_sid to a string, printing into a buffer. Return the
508 string length. If it overflows, return the string length that would
509 result (buflen needs to be +1 for the terminating 0).
510 */
511 static int dom_sid_string_buf(const struct dom_sid *sid, char *buf, int buflen)
512 {
513 int i, ofs, ret;
514 uint64_t ia;
515
516 if (!sid) {
517 return strlcpy(buf, "(NULL SID)", buflen);
518 }
519
520 ia = ((uint64_t)sid->id_auth[5]) +
521 ((uint64_t)sid->id_auth[4] << 8 ) +
522 ((uint64_t)sid->id_auth[3] << 16) +
523 ((uint64_t)sid->id_auth[2] << 24) +
524 ((uint64_t)sid->id_auth[1] << 32) +
525 ((uint64_t)sid->id_auth[0] << 40);
526
527 ret = snprintf(buf, buflen, "S-%"PRIu8"-", sid->sid_rev_num);
528 if (ret < 0) {
529 return ret;
530 }
531 ofs = ret;
532
533 if (ia >= UINT32_MAX) {
534 ret = snprintf(buf+ofs, MAX(buflen-ofs, 0), "0x%"PRIx64, ia);
535 } else {
536 ret = snprintf(buf+ofs, MAX(buflen-ofs, 0), "%"PRIu64, ia);
537 }
538 if (ret < 0) {
539 return ret;
540 }
541 ofs += ret;
542
543 for (i = 0; i < sid->num_auths; i++) {
544 ret = snprintf(
545 buf+ofs,
546 MAX(buflen-ofs, 0),
547 "-%"PRIu32,
548 sid->sub_auths[i]);
549 if (ret < 0) {
550 return ret;
551 }
552 ofs += ret;
553 }
554 return ofs;
555 }
556
557 /*
558 convert a dom_sid to a string
559 */
560 char *dom_sid_string(TALLOC_CTX *mem_ctx, const struct dom_sid *sid)
561 {
562 char buf[DOM_SID_STR_BUFLEN];
563 char *result;
564 int len;
565
566 len = dom_sid_string_buf(sid, buf, sizeof(buf));
567
568 if ((len < 0) || (len+1 > sizeof(buf))) {
569 return talloc_strdup(mem_ctx, "(SID ERR)");
570 }
571
572 /*
573 * Avoid calling strlen (via talloc_strdup), we already have
574 * the length
575 */
576 result = (char *)talloc_memdup(mem_ctx, buf, len+1);
577 if (result == NULL) {
578 return NULL;
579 }
580
581 /*
582 * beautify the talloc_report output
583 */
584 talloc_set_name_const(result, result);
585 return result;
586 }
587
588 char *dom_sid_str_buf(const struct dom_sid *sid, struct dom_sid_buf *dst)
589 {
590 int ret;
591 ret = dom_sid_string_buf(sid, dst->buf, sizeof(dst->buf));
592 if ((ret < 0) || (ret >= sizeof(dst->buf))) {
593 strlcpy(dst->buf, "(INVALID SID)", sizeof(dst->buf));
594 }
595 return dst->buf;
596 }
GSS-enabled samba4