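/* 
   Unix SMB/CIFS implementation.

   manipulate privilege records in samdb

   Copyright (C) Andrew Tridgell 2004
   
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 3 of the License, or
   (at your option) any later version.
   
   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.
   
   You should have received a copy of the GNU General Public License
   along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/

#include "includes.h"
#include "libcli/ldap/ldap_ndr.h"
#include "dsdb/samdb/samdb.h"
#include "auth/auth.h"
#include "libcli/security/security.h"
#include "../lib/util/util_ldb.h"
#include "param/param.h"

/*
  add privilege bits for one sid to a security_token

  samctx:  open samdb connection used for the lookup
  mem_ctx: talloc context owning the search result and the temporary
           encoded SID; the caller frees it
  token:   token whose privilege_mask receives the bits
  sid:     SID whose "privilege" attribute is read

  Returns NT_STATUS_NO_MEMORY if the SID cannot be encoded.  Returns
  NT_STATUS_OK when the SID has no record, has no "privilege"
  attribute, or when the search itself fails (ret < 0): in all of
  those cases no privilege is granted, so the outcome is fail-closed
  but a backend error is not reported to the caller.
*/
static NTSTATUS samdb_privilege_setup_sid(void *samctx, TALLOC_CTX *mem_ctx,
					  struct security_token *token,
					  const struct dom_sid *sid)
{
	const char * const attrs[] = { "privilege", NULL };
	struct ldb_message **res = NULL;
	struct ldb_message_element *el;
	unsigned int i;
	int ret;
	char *sidstr;

	/* the SID is substituted into the search filter via
	 * ldap_encode_ndr_dom_sid(), i.e. as an encoded binary value
	 * rather than as raw text — confirm in ldap_ndr.h that the
	 * encoding escapes filter metacharacters */
	sidstr = ldap_encode_ndr_dom_sid(mem_ctx, sid);
	NT_STATUS_HAVE_NO_MEMORY(sidstr);

	ret = gendb_search(samctx, mem_ctx, NULL, &res, attrs, "objectSid=%s", sidstr);
	talloc_free(sidstr);
	if (ret != 1) {
		/* not an error to not match: no record, more than one
		 * record, or a failed search all leave the token
		 * without privileges from this SID */
		return NT_STATUS_OK;
	}

	el = ldb_msg_find_element(res[0], "privilege");
	if (el == NULL) {
		return NT_STATUS_OK;
	}

	for (i = 0; i < el->num_values; i++) {
		const char *priv_str = (const char *)el->values[i].data;
		enum sec_privilege privilege = sec_privilege_id(priv_str);
		if (privilege == -1) {
			/* unknown names are logged and skipped, never
			 * mapped onto some other privilege */
			DEBUG(1,("Unknown privilege '%s' in samdb\n",
				 priv_str));
			continue;
		}
		security_token_set_privilege(token, privilege);
	}

	return NT_STATUS_OK;
}

/*
  setup the privilege mask for this security token based on our
  local SAM

  ev_ctx, lp_ctx: used to open the samdb connection
  token:          token whose privilege_mask is recomputed from the
                  "privilege" attribute of each entry in token->sids

  Returns NT_STATUS_NO_MEMORY if the temporary talloc context cannot
  be created, NT_STATUS_INTERNAL_DB_CORRUPTION if the samdb cannot be
  opened, otherwise the first failing status of the per-SID lookups.
  On any failure token->privilege_mask is left at 0, so a stale or
  half-built mask is never handed back to the caller.
*/
NTSTATUS samdb_privilege_setup(struct tevent_context *ev_ctx,
			       struct loadparm_context *lp_ctx, struct security_token *token)
{
	void *samctx;
	TALLOC_CTX *mem_ctx;
	unsigned int i;
	NTSTATUS status;

	/* Shortcuts to prevent recursion and avoid lookups */
	if (token->user_sid == NULL) {
		token->privilege_mask = 0;
		return NT_STATUS_OK;
	}

	if (security_token_is_system(token)) {
		/* the system token holds every privilege bit */
		token->privilege_mask = ~0;
		return NT_STATUS_OK;
	}

	if (security_token_is_anonymous(token)) {
		token->privilege_mask = 0;
		return NT_STATUS_OK;
	}

	/* start from an empty mask before anything can fail, so every
	 * early exit below leaves the token with no privileges */
	token->privilege_mask = 0;

	mem_ctx = talloc_new(token);
	NT_STATUS_HAVE_NO_MEMORY(mem_ctx);

	samctx = samdb_connect(mem_ctx, ev_ctx, lp_ctx, system_session(mem_ctx, lp_ctx));
	if (samctx == NULL) {
		talloc_free(mem_ctx);
		return NT_STATUS_INTERNAL_DB_CORRUPTION;
	}

	for (i = 0; i < token->num_sids; i++) {
		status = samdb_privilege_setup_sid(samctx, mem_ctx,
						   token, token->sids[i]);
		if (!NT_STATUS_IS_OK(status)) {
			/* fail closed: discard the bits collected so far */
			token->privilege_mask = 0;
			talloc_free(mem_ctx);
			return status;
		}
	}

	talloc_free(mem_ctx);

	return NT_STATUS_OK;
}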