1/* 2 Unix SMB/CIFS implementation. 3 4 security descriptor utility functions 5 6 Copyright (C) Andrew Tridgell 2004 7 Copyright (C) Stefan Metzmacher 2005 8 9 This program is free software; you can redistribute it and/or modify 10 it under the terms of the GNU General Public License as published by 11 the Free Software Foundation; either version 3 of the License, or 12 (at your option) any later version. 13 14 This program is distributed in the hope that it will be useful, 15 but WITHOUT ANY WARRANTY; without even the implied warranty of 16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 GNU General Public License for more details. 18 19 You should have received a copy of the GNU General Public License 20 along with this program. If not, see <http://www.gnu.org/licenses/>. 21*/ 22 23#include "includes.h" 24#include "libcli/security/security.h" 25#include "auth/session.h" 26 27/* 28 return a blank security token 29*/ 30struct security_token *security_token_initialise(TALLOC_CTX *mem_ctx) 31{ 32 struct security_token *st; 33 34 st = talloc(mem_ctx, struct security_token); 35 if (!st) { 36 return NULL; 37 } 38 39 st->user_sid = NULL; 40 st->group_sid = NULL; 41 st->num_sids = 0; 42 st->sids = NULL; 43 st->privilege_mask = 0; 44 45 return st; 46} 47 48/**************************************************************************** 49 prints a struct security_token to debug output. 50****************************************************************************/ 51void security_token_debug(int dbg_lev, const struct security_token *token) 52{ 53 TALLOC_CTX *mem_ctx; 54 int i; 55 56 if (!token) { 57 DEBUG(dbg_lev, ("Security token: (NULL)\n")); 58 return; 59 } 60 61 mem_ctx = talloc_init("security_token_debug()"); 62 if (!mem_ctx) { 63 return; 64 } 65 66 DEBUG(dbg_lev, ("Security token of user %s\n", 67 dom_sid_string(mem_ctx, token->user_sid) )); 68 DEBUGADD(dbg_lev, (" SIDs (%lu):\n", 69 (unsigned long)token->num_sids)); 70 for (i = 0; i < token->num_sids; i++) { 71 DEBUGADD(dbg_lev, (" SID[%3lu]: %s\n", (unsigned long)i, 72 dom_sid_string(mem_ctx, token->sids[i]))); 73 } 74 75 security_token_debug_privileges(dbg_lev, token); 76 77 talloc_free(mem_ctx); 78} 79 80/* These really should be cheaper... */ 81 82bool security_token_is_sid(const struct security_token *token, const struct dom_sid *sid) 83{ 84 if (dom_sid_equal(token->user_sid, sid)) { 85 return true; 86 } 87 return false; 88} 89 90bool security_token_is_sid_string(const struct security_token *token, const char *sid_string) 91{ 92 bool ret; 93 struct dom_sid *sid = dom_sid_parse_talloc(NULL, sid_string); 94 if (!sid) return false; 95 96 ret = security_token_is_sid(token, sid); 97 98 talloc_free(sid); 99 return ret; 100} 101 102bool security_token_is_system(const struct security_token *token) 103{ 104 return security_token_is_sid_string(token, SID_NT_SYSTEM); 105} 106 107bool security_token_is_anonymous(const struct security_token *token) 108{ 109 return security_token_is_sid_string(token, SID_NT_ANONYMOUS); 110} 111 112bool security_token_has_sid(const struct security_token *token, const struct dom_sid *sid) 113{ 114 int i; 115 for (i = 0; i < token->num_sids; i++) { 116 if (dom_sid_equal(token->sids[i], sid)) { 117 return true; 118 } 119 } 120 return false; 121} 122 123bool security_token_has_sid_string(const struct security_token *token, const char *sid_string) 124{ 125 bool ret; 126 struct dom_sid *sid = dom_sid_parse_talloc(NULL, sid_string); 127 if (!sid) return false; 128 129 ret = security_token_has_sid(token, sid); 130 131 talloc_free(sid); 132 return ret; 133} 134 135bool security_token_has_builtin_administrators(const struct security_token *token) 136{ 137 return security_token_has_sid_string(token, SID_BUILTIN_ADMINISTRATORS); 138} 139 140bool security_token_has_nt_authenticated_users(const struct security_token *token) 141{ 142 return security_token_has_sid_string(token, SID_NT_AUTHENTICATED_USERS); 143} 144 145bool security_token_has_enterprise_dcs(const struct security_token *token) 146{ 147 return security_token_has_sid_string(token, SID_NT_ENTERPRISE_DCS); 148} 149 150enum security_user_level security_session_user_level(struct auth_session_info *session_info) 151{ 152 if (!session_info) { 153 return SECURITY_ANONYMOUS; 154 } 155 156 if (security_token_is_system(session_info->security_token)) { 157 return SECURITY_SYSTEM; 158 } 159 160 if (security_token_is_anonymous(session_info->security_token)) { 161 return SECURITY_ANONYMOUS; 162 } 163 164 if (security_token_has_builtin_administrators(session_info->security_token)) { 165 return SECURITY_ADMINISTRATOR; 166 } 167 168 if (security_token_has_enterprise_dcs(session_info->security_token)) { 169 return SECURITY_DOMAIN_CONTROLLER; 170 } 171 172 if (security_token_has_nt_authenticated_users(session_info->security_token)) { 173 return SECURITY_USER; 174 } 175 176 return SECURITY_ANONYMOUS; 177} 178 179