static ephemeral_zsd_t *
get_ephemeral_zsd(zone_t *zone)
{
ephemeral_zsd_t *eph_zsd;
eph_zsd = zone_getspecific(ephemeral_zone_key, zone);
if (eph_zsd != NULL) {
return (eph_zsd);
}
mutex_enter(&ephemeral_zone_mutex);
eph_zsd = zone_getspecific(ephemeral_zone_key, zone);
if (eph_zsd == NULL) {
eph_zsd = kmem_zalloc(sizeof (ephemeral_zsd_t), KM_SLEEP);
eph_zsd->min_uid = MAXUID;
eph_zsd->last_uid = IDMAP_WK__MAX_UID;
eph_zsd->min_gid = MAXUID;
eph_zsd->last_gid = IDMAP_WK__MAX_GID;
mutex_init(&eph_zsd->eph_lock, NULL, MUTEX_DEFAULT, NULL);
/*
* nobody is used to map SID containing CRs.
*/
eph_zsd->eph_nobody = crdup(zone->zone_kcred);
(void) crsetugid(eph_zsd->eph_nobody, UID_NOBODY, GID_NOBODY);
CR_FLAGS(eph_zsd->eph_nobody) = 0;
eph_zsd->eph_nobody->cr_zone = zone;
(void) zone_setspecific(ephemeral_zone_key, zone, eph_zsd);
}
mutex_exit(&ephemeral_zone_mutex);
return (eph_zsd);
}
/*
* Allocate a Solaris cred and initialize it based on the access token.
*
* If the user can be mapped to a non-ephemeral ID, the cred gid is set
* to the Solaris user's primary group.
*
* If the mapped UID is ephemeral, or the primary group could not be
* obtained, the cred gid is set to whatever Solaris group is mapped
* to the token's primary group.
*/
cred_t *
smb_cred_create(smb_token_t *token)
{
ksid_t ksid;
ksidlist_t *ksidlist = NULL;
smb_posix_grps_t *posix_grps;
cred_t *cr;
gid_t gid;
ASSERT(token);
ASSERT(token->tkn_posix_grps);
posix_grps = token->tkn_posix_grps;
cr = crget();
ASSERT(cr != NULL);
if (!IDMAP_ID_IS_EPHEMERAL(token->tkn_user.i_id) &&
(posix_grps->pg_ngrps != 0)) {
gid = posix_grps->pg_grps[0];
} else {
gid = token->tkn_primary_grp.i_id;
}
if (crsetugid(cr, token->tkn_user.i_id, gid) != 0) {
crfree(cr);
return (NULL);
}
if (crsetgroups(cr, posix_grps->pg_ngrps, posix_grps->pg_grps) != 0) {
crfree(cr);
return (NULL);
}
smb_cred_set_sid(&token->tkn_user, &ksid);
crsetsid(cr, &ksid, KSID_USER);
smb_cred_set_sid(&token->tkn_primary_grp, &ksid);
crsetsid(cr, &ksid, KSID_GROUP);
smb_cred_set_sid(&token->tkn_owner, &ksid);
crsetsid(cr, &ksid, KSID_OWNER);
ksidlist = smb_cred_set_sidlist(&token->tkn_win_grps);
crsetsidlist(cr, ksidlist);
/*
* In the AD world, "take ownership privilege" is very much
* like having Unix "root" privileges. It's normally given
* to members of the "Administrators" group, which normally
* includes the the local Administrator (like root) and when
* joined to a domain, "Domain Admins".
*/
if (smb_token_query_privilege(token, SE_TAKE_OWNERSHIP_LUID)) {
(void) crsetpriv(cr,
PRIV_FILE_CHOWN,
PRIV_FILE_DAC_READ,
PRIV_FILE_DAC_SEARCH,
PRIV_FILE_DAC_WRITE,
PRIV_FILE_OWNER,
NULL);
}
return (cr);
}
