usr/src/uts/common/smbsrv/smb_sid.h

   1 /*
   2  * CDDL HEADER START
   3  *
   4  * The contents of this file are subject to the terms of the
   5  * Common Development and Distribution License (the "License").
   6  * You may not use this file except in compliance with the License.
   7  *
   8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
   9  * or http://www.opensolaris.org/os/licensing.
  10  * See the License for the specific language governing permissions
  11  * and limitations under the License.
  12  *
  13  * When distributing Covered Code, include this CDDL HEADER in each
  14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  15  * If applicable, add the following below this CDDL HEADER, with the
  16  * fields enclosed by brackets "[]" replaced with your own identifying
  17  * information: Portions Copyright [yyyy] [name of copyright owner]
  18  *
  19  * CDDL HEADER END
  20  */
  21 /*
  22  * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
  23  * Copyright 2014 Nexenta Systems, Inc.  All rights reserved.
  24  */
  25
  26 #ifndef _SMB_SID_H
  27 #define _SMB_SID_H
  28
  29 /*
  30  * Security Identifier (SID) interface definition.
  31  */
  32 #include <smbsrv/wintypes.h>
  33
  34 #ifdef __cplusplus
  35 extern "C" {
  36 #endif
  37
  38 /*
  39  * Predefined global user RIDs.
  40  */
  41 #define DOMAIN_USER_RID_ADMIN           (0x000001F4L)   /* 500 */
  42 #define DOMAIN_USER_RID_GUEST           (0x000001F5L)   /* 501 */
  43 #define DOMAIN_USER_RID_KRBTGT          (0x000001F6L)   /* 502 */
  44
  45 /*
  46  * Predefined global group RIDs.
  47  */
  48 #define DOMAIN_GROUP_RID_ADMINS         (0x00000200L)   /* 512 */
  49 #define DOMAIN_GROUP_RID_USERS          (0x00000201L)   /* 513 */
  50 #define DOMAIN_GROUP_RID_GUESTS         (0x00000202L)   /* 514 */
  51 #define DOMAIN_GROUP_RID_COMPUTERS      (0x00000203L)   /* 515 */
  52 #define DOMAIN_GROUP_RID_CONTROLLERS    (0x00000204L)   /* 516 */
  53 #define DOMAIN_GROUP_RID_CERT_ADMINS    (0x00000205L)   /* 517 */
  54 #define DOMAIN_GROUP_RID_SCHEMA_ADMINS  (0x00000206L)   /* 518 */
  55 #define DOMAIN_GROUP_RID_EP_ADMINS      (0x00000207L)   /* 519 */
  56 #define DOMAIN_GROUP_RID_GP_CREATOR     (0x00000208L)   /* 520 */
  57
  58
  59 /*
  60  * Predefined local alias RIDs.
  61  */
  62 #define DOMAIN_ALIAS_RID_ADMINS         (0x00000220L)   /* 544 */
  63 #define DOMAIN_ALIAS_RID_USERS          (0x00000221L)
  64 #define DOMAIN_ALIAS_RID_GUESTS         (0x00000222L)
  65 #define DOMAIN_ALIAS_RID_POWER_USERS    (0x00000223L)
  66 #define DOMAIN_ALIAS_RID_ACCOUNT_OPS    (0x00000224L)
  67 #define DOMAIN_ALIAS_RID_SYSTEM_OPS     (0x00000225L)
  68 #define DOMAIN_ALIAS_RID_PRINT_OPS      (0x00000226L)
  69 #define DOMAIN_ALIAS_RID_BACKUP_OPS     (0x00000227L)
  70 #define DOMAIN_ALIAS_RID_REPLICATOR     (0x00000228L)
  71
  72
  73 /*
  74  * Universal and NT well-known SIDs
  75  */
  76 #define NT_NULL_AUTH_SIDSTR                     "S-1-0"
  77 #define NT_NULL_SIDSTR                          "S-1-0-0"
  78 #define NT_WORLD_AUTH_SIDSTR                    "S-1-1"
  79 #define NT_WORLD_SIDSTR                         "S-1-1-0"
  80 #define NT_LOCAL_AUTH_SIDSTR                    "S-1-2"
  81 #define NT_LOCAL_SIDSTR                         "S-1-2-0"
  82 #define NT_CREATOR_AUTH_SIDSTR                  "S-1-3"
  83 #define NT_CREATOR_OWNER_ID_SIDSTR              "S-1-3-0"
  84 #define NT_CREATOR_GROUP_ID_SIDSTR              "S-1-3-1"
  85 #define NT_CREATOR_OWNER_SERVER_ID_SIDSTR       "S-1-3-2"
  86 #define NT_CREATOR_GROUP_SERVER_ID_SIDSTR       "S-1-3-3"
  87 #define NT_OWNER_RIGHTS_SIDSTR                  "S-1-3-4"
  88 #define NT_GROUP_RIGHTS_SIDSTR                  "S-1-3-5"
  89 #define NT_NON_UNIQUE_IDS_SIDSTR                "S-1-4"
  90 #define NT_AUTHORITY_SIDSTR                     "S-1-5"
  91 #define NT_DIALUP_SIDSTR                        "S-1-5-1"
  92 #define NT_NETWORK_SIDSTR                       "S-1-5-2"
  93 #define NT_BATCH_SIDSTR                         "S-1-5-3"
  94 #define NT_INTERACTIVE_SIDSTR                   "S-1-5-4"
  95 #define NT_LOGON_SESSION_SIDSTR                 "S-1-5-5"
  96 #define NT_SERVICE_SIDSTR                       "S-1-5-6"
  97 #define NT_ANONYMOUS_LOGON_SIDSTR               "S-1-5-7"
  98 #define NT_PROXY_SIDSTR                         "S-1-5-8"
  99 #define NT_SERVER_LOGON_SIDSTR                  "S-1-5-9"
 100 #define NT_SELF_SIDSTR                          "S-1-5-10"
 101 #define NT_AUTHENTICATED_USER_SIDSTR            "S-1-5-11"
 102 #define NT_RESTRICTED_CODE_SIDSTR               "S-1-5-12"
 103 #define NT_TERMINAL_SERVER_SIDSTR               "S-1-5-13"
 104 #define NT_LOCAL_SYSTEM_SIDSTR                  "S-1-5-18"
 105 #define NT_NON_UNIQUE_SIDSTR                    "S-1-5-21"
 106 #define NT_BUILTIN_DOMAIN_SIDSTR                "S-1-5-32"
 107 #define NT_BUILTIN_CURRENT_OWNER_SIDSTR         "S-1-5-32-766"
 108 #define NT_BUILTIN_CURRENT_GROUP_SIDSTR         "S-1-5-32-767"
 109
 110
 111 /*
 112  * SID type indicators (SID_NAME_USE).
 113  */
 114 #define SidTypeNull                     0
 115 #define SidTypeUser                     1
 116 #define SidTypeGroup                    2
 117 #define SidTypeDomain                   3
 118 #define SidTypeAlias                    4
 119 #define SidTypeWellKnownGroup           5
 120 #define SidTypeDeletedAccount           6
 121 #define SidTypeInvalid                  7
 122 #define SidTypeUnknown                  8
 123 #define SidTypeComputer                 9
 124 #define SidTypeLabel                    10
 125
 126
 127 /*
 128  * Identifier authorities for various domains.
 129  */
 130 #define NT_SID_NULL_AUTH                0
 131 #define NT_SID_WORLD_AUTH               1
 132 #define NT_SID_LOCAL_AUTH               2
 133 #define NT_SID_CREATOR_AUTH             3
 134 #define NT_SID_NON_UNIQUE_AUTH          4
 135 #define NT_SID_NT_AUTH                  5
 136
 137
 138 #define NT_SECURITY_NULL_AUTH           {0, 0, 0, 0, 0, 0}
 139 #define NT_SECURITY_WORLD_AUTH          {0, 0, 0, 0, 0, 1}
 140 #define NT_SECURITY_LOCAL_AUTH          {0, 0, 0, 0, 0, 2}
 141 #define NT_SECURITY_CREATOR_AUTH        {0, 0, 0, 0, 0, 3}
 142 #define NT_SECURITY_NON_UNIQUE_AUTH     {0, 0, 0, 0, 0, 4}
 143 #define NT_SECURITY_NT_AUTH             {0, 0, 0, 0, 0, 5}
 144 #define NT_SECURITY_UNIX_AUTH           {0, 0, 0, 0, 0, 99}
 145
 146
 147 #define SECURITY_NULL_RID                       (0x00000000L)
 148 #define SECURITY_WORLD_RID                      (0x00000000L)
 149 #define SECURITY_LOCAL_RID                      (0X00000000L)
 150
 151 #define SECURITY_CREATOR_OWNER_RID              (0x00000000L)
 152 #define SECURITY_CREATOR_GROUP_RID              (0x00000001L)
 153 #define SECURITY_CREATOR_OWNER_SERVER_RID       (0x00000002L)
 154 #define SECURITY_CREATOR_GROUP_SERVER_RID       (0x00000003L)
 155 #define SECURITY_OWNER_RIGHTS_RID               (0x00000004L)
 156 #define SECURITY_GROUP_RIGHTS_RID               (0x00000005L)
 157 #define SECURITY_CURRENT_OWNER_RID              (0x000002FEL)
 158 #define SECURITY_CURRENT_GROUP_RID              (0x000002FFL)
 159
 160 #define SECURITY_DIALUP_RID                     (0x00000001L)
 161 #define SECURITY_NETWORK_RID                    (0x00000002L)
 162 #define SECURITY_BATCH_RID                      (0x00000003L)
 163 #define SECURITY_INTERACTIVE_RID                (0x00000004L)
 164 #define SECURITY_LOGON_IDS_RID                  (0x00000005L)
 165 #define SECURITY_LOGON_IDS_RID_COUNT            (3L)
 166 #define SECURITY_SERVICE_RID                    (0x00000006L)
 167 #define SECURITY_ANONYMOUS_LOGON_RID            (0x00000007L)
 168 #define SECURITY_PROXY_RID                      (0x00000008L)
 169 #define SECURITY_ENTERPRISE_CONTROLLERS_RID     (0x00000009L)
 170 #define SECURITY_SERVER_LOGON_RID       SECURITY_ENTERPRISE_CONTROLLERS_RID
 171 #define SECURITY_PRINCIPAL_SELF_RID             (0x0000000AL)
 172 #define SECURITY_AUTHENTICATED_USER_RID         (0x0000000BL)
 173 #define SECURITY_RESTRICTED_CODE_RID            (0x0000000CL)
 174
 175 #define SECURITY_LOCAL_SYSTEM_RID               (0x00000012L)
 176 #define SECURITY_NT_NON_UNIQUE                  (0x00000015L)
 177 #define SECURITY_BUILTIN_DOMAIN_RID             (0x00000020L)
 178
 179
 180 #define NT_SID_NON_UNIQUE_SUBAUTH 21
 181
 182
 183 /*
 184  * Common definition for a SID.
 185  */
 186 #define NT_SID_REVISION         1
 187 #define NT_SID_AUTH_MAX         6
 188 #define NT_SID_SUBAUTH_MAX      15
 189
 190
 191 /*
 192  * Security Identifier (SID)
 193  *
 194  * The security identifier (SID) uniquely identifies a user, group or
 195  * a domain. It consists of a revision number, the identifier authority,
 196  * and a list of sub-authorities. The revision number is currently 1.
 197  * The identifier authority identifies which system issued the SID. The
 198  * sub-authorities of a domain SID uniquely identify a domain. A user
 199  * or group SID consists of a domain SID with the user or group id
 200  * appended. The user or group id (also known as a relative id (RID)
 201  * uniquely identifies a user within a domain. A user or group SID
 202  * uniquely identifies a user or group across all domains. The SidType
 203  * values identify the various types of SID.
 204  *
 205  *      1   1   1   1   1   1
 206  *      5   4   3   2   1   0   9   8   7   6   5   4   3   2   1   0
 207  *   +---------------------------------------------------------------+
 208  *   |      SubAuthorityCount        |Reserved1 (SBZ)|   Revision    |
 209  *   +---------------------------------------------------------------+
 210  *   |                   IdentifierAuthority[0]                      |
 211  *   +---------------------------------------------------------------+
 212  *   |                   IdentifierAuthority[1]                      |
 213  *   +---------------------------------------------------------------+
 214  *   |                   IdentifierAuthority[2]                      |
 215  *   +---------------------------------------------------------------+
 216  *   |                                                               |
 217  *   +- -  -  -  -  -  -  -  SubAuthority[]  -  -  -  -  -  -  -  - -+
 218  *   |                                                               |
 219  *   +---------------------------------------------------------------+
 220  *
 221  */
 222 /*
 223  * Note: NT defines the Identifier Authority as a separate
 224  * structure (SID_IDENTIFIER_AUTHORITY) containing a literal
 225  * definition of a 6 byte vector but the effect is the same
 226  * as defining it as a member value.
 227  * See also: smb_sid_xdr()
 228  */
 229 typedef struct smb_sid {
 230         uint8_t sid_revision;
 231         uint8_t sid_subauthcnt;
 232         uint8_t sid_authority[NT_SID_AUTH_MAX];
 233         uint32_t sid_subauth[ANY_SIZE_ARRAY];
 234 } smb_sid_t;
 235
 236 #define SMB_MAX_SID_SIZE        ((2 * sizeof (uint8_t)) + \
 237         (NT_SID_AUTH_MAX * sizeof (uint8_t)) + \
 238         (NT_SID_SUBAUTH_MAX * sizeof (uint32_t)))
 239
 240 /*
 241  * Estimated number of sid_subauth is SECURITY_LOGON_IDS_RID_COUNT
 242  * plus the DOMAIN_RID and the RID.
 243  */
 244 #define SMB_EST_SID_SIZE        ((2 * sizeof (uint8_t)) + \
 245         (NT_SID_AUTH_MAX * sizeof (uint8_t)) + \
 246         ((2 + SECURITY_LOGON_IDS_RID_COUNT) * sizeof (uint32_t)))
 247
 248 /*
 249  * Only group attributes are defined. No user attributes defined.
 250  */
 251 #define SE_GROUP_MANDATORY              0x00000001
 252 #define SE_GROUP_ENABLED_BY_DEFAULT     0x00000002
 253 #define SE_GROUP_ENABLED                0x00000004
 254 #define SE_GROUP_OWNER                  0x00000008
 255 #define SE_GROUP_USE_FOR_DENY_ONLY      0x00000010
 256 #define SE_GROUP_LOGON_ID               0xC0000000
 257
 258 /*
 259  * smb_id_t consists of both the Windows security identifier
 260  * and its corresponding POSIX/ephemeral ID.
 261  * See also: smb_id_xdr()
 262  */
 263 typedef struct smb_id {
 264         uint32_t        i_attrs;
 265         smb_sid_t       *i_sid;
 266         uid_t           i_id;
 267 } smb_id_t;
 268
 269 /*
 270  * Array of smb_id_t
 271  * See also: smb_ids_xdr()
 272  */
 273 typedef struct smb_ids {
 274         uint32_t        i_cnt;
 275         smb_id_t        *i_ids;
 276 } smb_ids_t;
 277
 278 /*
 279  * The maximum size of a SID in string format
 280  */
 281 #define SMB_SID_STRSZ           256
 282
 283 boolean_t smb_sid_isvalid(smb_sid_t *);
 284 int smb_sid_len(smb_sid_t *);
 285 smb_sid_t *smb_sid_dup(smb_sid_t *);
 286 smb_sid_t *smb_sid_splice(smb_sid_t *, uint32_t);
 287 int smb_sid_getrid(smb_sid_t *, uint32_t *);
 288 smb_sid_t *smb_sid_split(smb_sid_t *, uint32_t *);
 289 boolean_t smb_sid_cmp(smb_sid_t *, smb_sid_t *);
 290 boolean_t smb_sid_islocal(smb_sid_t *);
 291 boolean_t smb_sid_indomain(smb_sid_t *, smb_sid_t *);
 292 void smb_sid_free(smb_sid_t *);
 293 int smb_sid_splitstr(char *, uint32_t *);
 294 void smb_sid_tostr(const smb_sid_t *, char *);
 295 smb_sid_t *smb_sid_fromstr(const char *);
 296 char *smb_sid_type2str(uint16_t);
 297
 298 void smb_ids_free(smb_ids_t *);
 299
 300 #ifdef __cplusplus
 301 }
 302 #endif
 303
 304
 305 #endif /* _SMB_SID_H */