static struct dom_sid *get_default_ag(TALLOC_CTX *mem_ctx, struct ldb_dn *dn, struct security_token *token, struct ldb_context *ldb) { TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); const struct dom_sid *domain_sid = samdb_domain_sid(ldb); struct dom_sid *da_sid = dom_sid_add_rid(tmp_ctx, domain_sid, DOMAIN_RID_ADMINS); struct dom_sid *ea_sid = dom_sid_add_rid(tmp_ctx, domain_sid, DOMAIN_RID_ENTERPRISE_ADMINS); struct dom_sid *sa_sid = dom_sid_add_rid(tmp_ctx, domain_sid, DOMAIN_RID_SCHEMA_ADMINS); struct dom_sid *dag_sid; struct ldb_dn *nc_root; int ret; ret = dsdb_find_nc_root(ldb, tmp_ctx, dn, &nc_root); if (ret != LDB_SUCCESS) { talloc_free(tmp_ctx); return NULL; } if (ldb_dn_compare(nc_root, ldb_get_schema_basedn(ldb)) == 0) { if (security_token_has_sid(token, sa_sid)) { dag_sid = dom_sid_dup(mem_ctx, sa_sid); } else if (security_token_has_sid(token, ea_sid)) { dag_sid = dom_sid_dup(mem_ctx, ea_sid); } else if (security_token_has_sid(token, da_sid)) { dag_sid = dom_sid_dup(mem_ctx, da_sid); } else if (security_token_is_system(token)) { dag_sid = dom_sid_dup(mem_ctx, sa_sid); } else { dag_sid = NULL; } } else if (ldb_dn_compare(nc_root, ldb_get_config_basedn(ldb)) == 0) { if (security_token_has_sid(token, ea_sid)) { dag_sid = dom_sid_dup(mem_ctx, ea_sid); } else if (security_token_has_sid(token, da_sid)) { dag_sid = dom_sid_dup(mem_ctx, da_sid); } else if (security_token_is_system(token)) { dag_sid = dom_sid_dup(mem_ctx, ea_sid); } else { dag_sid = NULL; } } else if (ldb_dn_compare(nc_root, ldb_get_default_basedn(ldb)) == 0) { if (security_token_has_sid(token, da_sid)) { dag_sid = dom_sid_dup(mem_ctx, da_sid); } else if (security_token_has_sid(token, ea_sid)) { dag_sid = dom_sid_dup(mem_ctx, ea_sid); } else if (security_token_is_system(token)) { dag_sid = dom_sid_dup(mem_ctx, da_sid); } else { dag_sid = NULL; } } else { dag_sid = NULL; } talloc_free(tmp_ctx); return dag_sid; }
enum security_user_level security_session_user_level(struct auth_session_info *session_info) { if (!session_info) { return SECURITY_ANONYMOUS; } if (security_token_is_system(session_info->security_token)) { return SECURITY_SYSTEM; } if (security_token_is_anonymous(session_info->security_token)) { return SECURITY_ANONYMOUS; } if (security_token_has_builtin_administrators(session_info->security_token)) { return SECURITY_ADMINISTRATOR; } if (security_token_has_enterprise_dcs(session_info->security_token)) { return SECURITY_DOMAIN_CONTROLLER; } if (security_token_has_nt_authenticated_users(session_info->security_token)) { return SECURITY_USER; } return SECURITY_ANONYMOUS; }
/* Fill in the auth_user_info_unix and auth_unix_token elements in a struct session_info */ NTSTATUS auth_session_info_fill_unix( struct wbc_context *wbc_ctx, struct loadparm_context *lp_ctx, struct auth_session_info *session_info) { char *su; size_t len; NTSTATUS status = security_token_to_unix_token(session_info, wbc_ctx, session_info->security_token, &session_info->unix_token); if (!NT_STATUS_IS_OK(status)) { return status; } session_info->unix_info = talloc_zero(session_info, struct auth_user_info_unix); NT_STATUS_HAVE_NO_MEMORY(session_info->unix_info); session_info->unix_info->system = security_token_is_system(session_info->security_token); session_info->unix_info->unix_name = talloc_asprintf(session_info->unix_info, "%s%s%s", session_info->info->domain_name, lpcfg_winbind_separator(lp_ctx), session_info->info->account_name); NT_STATUS_HAVE_NO_MEMORY(session_info->unix_info->unix_name); len = strlen(session_info->info->account_name) + 1; session_info->unix_info->sanitized_username = su = talloc_array(session_info->unix_info, char, len); NT_STATUS_HAVE_NO_MEMORY(su); alpha_strcpy(su, session_info->info->account_name, ". _-$", len); return NT_STATUS_OK; }
static enum user_is what_is_user(struct ldb_module *module) { struct auth_session_info *session_info = ldb_get_opaque(module->ldb, "sessionInfo"); if (!session_info) { return ANONYMOUS; } if (security_token_is_system(session_info->security_token)) { return SYSTEM; } if (security_token_is_anonymous(session_info->security_token)) { return ANONYMOUS; } if (security_token_has_builtin_administrators(session_info->security_token)) { return ADMINISTRATOR; } if (security_token_has_nt_authenticated_users(session_info->security_token)) { return USER; } return ANONYMOUS; }
static bool is_priviledged_pipe(struct auth_session_info *info) { /* If the user is not root, or has the system token, fail */ if ((info->unix_token->uid != sec_initial_uid()) && !security_token_is_system(info->security_token)) { return false; } return true; }
/* setup the privilege mask for this security token based on our local SAM */ NTSTATUS samdb_privilege_setup(struct tevent_context *ev_ctx, struct loadparm_context *lp_ctx, struct security_token *token) { void *samctx; TALLOC_CTX *mem_ctx; int i; NTSTATUS status; /* Shortcuts to prevent recursion and avoid lookups */ if (token->user_sid == NULL) { token->privilege_mask = 0; return NT_STATUS_OK; } if (security_token_is_system(token)) { token->privilege_mask = ~0; return NT_STATUS_OK; } if (security_token_is_anonymous(token)) { token->privilege_mask = 0; return NT_STATUS_OK; } mem_ctx = talloc_new(token); samctx = samdb_connect(mem_ctx, ev_ctx, lp_ctx, system_session(mem_ctx, lp_ctx)); if (samctx == NULL) { talloc_free(mem_ctx); return NT_STATUS_INTERNAL_DB_CORRUPTION; } token->privilege_mask = 0; for (i=0;i<token->num_sids;i++) { status = samdb_privilege_setup_sid(samctx, mem_ctx, token, token->sids[i]); if (!NT_STATUS_IS_OK(status)) { talloc_free(mem_ctx); return status; } } talloc_free(mem_ctx); return NT_STATUS_OK; }
enum security_user_level security_session_user_level(struct auth_session_info *session_info, const struct dom_sid *domain_sid) { if (!session_info) { return SECURITY_ANONYMOUS; } if (security_token_is_system(session_info->security_token)) { return SECURITY_SYSTEM; } if (security_token_is_anonymous(session_info->security_token)) { return SECURITY_ANONYMOUS; } if (security_token_has_builtin_administrators(session_info->security_token)) { return SECURITY_ADMINISTRATOR; } if (domain_sid) { struct dom_sid *rodc_dcs; rodc_dcs = dom_sid_add_rid(session_info, domain_sid, DOMAIN_RID_READONLY_DCS); if (security_token_has_sid(session_info->security_token, rodc_dcs)) { talloc_free(rodc_dcs); return SECURITY_RO_DOMAIN_CONTROLLER; } talloc_free(rodc_dcs); } if (security_token_has_enterprise_dcs(session_info->security_token)) { return SECURITY_DOMAIN_CONTROLLER; } if (security_token_has_nt_authenticated_users(session_info->security_token)) { return SECURITY_USER; } return SECURITY_ANONYMOUS; }
NTSTATUS access_check_object( struct security_descriptor *psd, struct security_token *token, enum sec_privilege needed_priv_1, enum sec_privilege needed_priv_2, uint32 rights_mask, uint32 des_access, uint32 *acc_granted, const char *debug ) { NTSTATUS status = NT_STATUS_ACCESS_DENIED; uint32 saved_mask = 0; bool priv_granted = false; bool is_system = false; bool is_root = false; /* Check if we are are the system token */ if (security_token_is_system(token) && security_token_system_privilege(token)) { is_system = true; } /* Check if we are root */ if (root_mode()) { is_root = true; } /* Check if we are root */ /* check privileges; certain SAM access bits should be overridden by privileges (mostly having to do with creating/modifying/deleting users and groups) */ if ((needed_priv_1 != SEC_PRIV_INVALID && security_token_has_privilege(token, needed_priv_1)) || (needed_priv_2 != SEC_PRIV_INVALID && security_token_has_privilege(token, needed_priv_2))) { priv_granted = true; saved_mask = (des_access & rights_mask); des_access &= ~saved_mask; DEBUG(4,("access_check_object: user rights access mask [0x%x]\n", rights_mask)); } /* check the security descriptor first */ status = se_access_check(psd, token, des_access, acc_granted); if (NT_STATUS_IS_OK(status)) { goto done; } if (is_system || is_root) { DEBUG(4,("%s: ACCESS should be DENIED (requested: %#010x)\n", debug, des_access)); DEBUGADD(4,("but overritten by %s\n", is_root ? "euid == initial uid" : "system token")); priv_granted = true; *acc_granted = des_access; status = NT_STATUS_OK; goto done; } done: if (priv_granted) { /* add in any bits saved during the privilege check (only matters if status is ok) */ *acc_granted |= rights_mask; } DEBUG(4,("%s: access %s (requested: 0x%08x, granted: 0x%08x)\n", debug, NT_STATUS_IS_OK(status) ? "GRANTED" : "DENIED", des_access, *acc_granted)); return status; }