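/*
   Unix SMB/CIFS implementation.

   manipulate privilege records in samdb

   Copyright (C) Andrew Tridgell 2004

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 3 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/

#include "includes.h"
#include "libcli/ldap/ldap_ndr.h"
#include "dsdb/samdb/samdb.h"
#include "auth/auth.h"
#include "libcli/security/security.h"
#include "../lib/util/util_ldb.h"
#include "param/param.h"
#include "ldb_wrap.h"

/*
  connect to the privilege database

  The ldb_context is allocated under mem_ctx and is released when the
  caller frees mem_ctx.  Returns NULL if the database cannot be opened.
*/
struct ldb_context *privilege_connect(TALLOC_CTX *mem_ctx,
				      struct loadparm_context *lp_ctx)
{
	return ldb_wrap_connect(mem_ctx, NULL, lp_ctx, "privilege.ldb",
				NULL, NULL, 0);
}

/*
  add privilege bits for one sid to a security_token

  Looks up the record whose objectSid matches 'sid' in the privilege
  database and ORs every "privilege" value it carries into 'token'.
  Temporary allocations (the encoded SID, the search result) hang off
  mem_ctx, which the caller owns.

  A SID with no record is not an error: the token is left untouched and
  NT_STATUS_OK is returned.  Only an allocation failure is reported.
*/
static NTSTATUS samdb_privilege_setup_sid(struct ldb_context *pdb, TALLOC_CTX *mem_ctx,
					  struct security_token *token,
					  const struct dom_sid *sid)
{
	const char * const attrs[] = { "privilege", NULL };
	struct ldb_message **res = NULL;
	struct ldb_message_element *el;
	unsigned int i;
	int ret;
	char *sidstr;

	/* The NDR-encoded, filter-escaped form of the SID is what gets
	 * interpolated into the search filter below, so no raw SID text
	 * ever reaches the filter. */
	sidstr = ldap_encode_ndr_dom_sid(mem_ctx, sid);
	NT_STATUS_HAVE_NO_MEMORY(sidstr);

	ret = gendb_search(pdb, mem_ctx, NULL, &res, attrs, "objectSid=%s", sidstr);
	talloc_free(sidstr);
	if (ret != 1) {
		/* not an error to not match.  Note that a search failure
		 * (negative return) or an unexpected multiple match takes
		 * this branch too, so nothing is granted in that case. */
		return NT_STATUS_OK;
	}

	el = ldb_msg_find_element(res[0], "privilege");
	if (el == NULL) {
		return NT_STATUS_OK;
	}

	for (i=0;i<el->num_values;i++) {
		const char *priv_str = (const char *)el->values[i].data;
		enum sec_privilege privilege = sec_privilege_id(priv_str);
		if (privilege == SEC_PRIV_INVALID) {
			/* not a privilege name; try it as a user right.
			 * sec_right_bit() yields 0 for an unknown name,
			 * in which case the set call is presumably a
			 * no-op and we only log. */
			uint32_t right_bit = sec_right_bit(priv_str);
			security_token_set_right_bit(token, right_bit);
			if (right_bit == 0) {
				DEBUG(1,("Unknown privilege '%s' in samdb\n",
					 priv_str));
			}
			continue;
		}
		security_token_set_privilege(token, privilege);
	}

	return NT_STATUS_OK;
}

/*
  setup the privilege mask for this security token based on our
  local SAM

  token->privilege_mask is reset to 0 and then rebuilt from the
  privilege database records of every SID in the token.  The system
  token gets all privileges without a lookup; an anonymous token, or
  one carrying no SIDs, gets none.

  Returns NT_STATUS_OK on success, NT_STATUS_NO_MEMORY if the scratch
  context cannot be allocated, NT_STATUS_INTERNAL_DB_CORRUPTION if the
  privilege database cannot be opened, or the status of a failed
  per-SID lookup.  On any failure the mask may be partially populated.
*/
NTSTATUS samdb_privilege_setup(struct loadparm_context *lp_ctx, struct security_token *token)
{
	struct ldb_context *pdb;
	TALLOC_CTX *mem_ctx;
	unsigned int i;
	NTSTATUS status;

	/* Shortcuts to prevent recursion and avoid lookups */
	if (token->sids == NULL) {
		token->privilege_mask = 0;
		return NT_STATUS_OK;
	}

	if (security_token_is_system(token)) {
		token->privilege_mask = ~0;
		return NT_STATUS_OK;
	}

	if (security_token_is_anonymous(token)) {
		token->privilege_mask = 0;
		return NT_STATUS_OK;
	}

	/* all scratch state for the lookups lives under this context so a
	 * single talloc_free() on every exit path releases it, including
	 * the ldb connection opened by privilege_connect() */
	mem_ctx = talloc_new(token);
	if (mem_ctx == NULL) {
		return NT_STATUS_NO_MEMORY;
	}

	pdb = privilege_connect(mem_ctx, lp_ctx);
	if (pdb == NULL) {
		talloc_free(mem_ctx);
		return NT_STATUS_INTERNAL_DB_CORRUPTION;
	}

	token->privilege_mask = 0;

	for (i=0;i<token->num_sids;i++) {
		status = samdb_privilege_setup_sid(pdb, mem_ctx,
						   token, &token->sids[i]);
		if (!NT_STATUS_IS_OK(status)) {
			talloc_free(mem_ctx);
			return status;
		}
	}

	talloc_free(mem_ctx);

	return NT_STATUS_OK;
}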