source3/auth/token_util.c

   1 /*
   2  *  Unix SMB/CIFS implementation.
   3  *  Authentication utility functions
   4  *  Copyright (C) Andrew Tridgell 1992-1998
   5  *  Copyright (C) Andrew Bartlett 2001
   6  *  Copyright (C) Jeremy Allison 2000-2001
   7  *  Copyright (C) Rafal Szczesniak 2002
   8  *  Copyright (C) Volker Lendecke 2006
   9  *  Copyright (C) Michael Adam 2007
  10  *
  11  *  This program is free software; you can redistribute it and/or modify
  12  *  it under the terms of the GNU General Public License as published by
  13  *  the Free Software Foundation; either version 3 of the License, or
  14  *  (at your option) any later version.
  15  *
  16  *  This program is distributed in the hope that it will be useful,
  17  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
  18  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  19  *  GNU General Public License for more details.
  20  *
  21  *  You should have received a copy of the GNU General Public License
  22  *  along with this program; if not, see <http://www.gnu.org/licenses/>.
  23  */
  24
  25 /* functions moved from auth/auth_util.c to minimize linker deps */
  26
  27 #include "includes.h"
  28
  29 /****************************************************************************
  30  Check for a SID in an NT_USER_TOKEN
  31 ****************************************************************************/
  32
  33 bool nt_token_check_sid ( const DOM_SID *sid, const NT_USER_TOKEN *token )
  34 {
  35         int i;
  36
  37         if ( !sid || !token )
  38                 return False;
  39
  40         for ( i=0; i<token->num_sids; i++ ) {
  41                 if ( sid_equal( sid, &token->user_sids[i] ) )
  42                         return True;
  43         }
  44
  45         return False;
  46 }
  47
  48 bool nt_token_check_domain_rid( NT_USER_TOKEN *token, uint32 rid )
  49 {
  50         DOM_SID domain_sid;
  51
  52         /* if we are a domain member, the get the domain SID, else for
  53            a DC or standalone server, use our own SID */
  54
  55         if ( lp_server_role() == ROLE_DOMAIN_MEMBER ) {
  56                 if ( !secrets_fetch_domain_sid( lp_workgroup(),
  57                                                 &domain_sid ) ) {
  58                         DEBUG(1,("nt_token_check_domain_rid: Cannot lookup "
  59                                  "SID for domain [%s]\n", lp_workgroup()));
  60                         return False;
  61                 }
  62         }
  63         else
  64                 sid_copy( &domain_sid, get_global_sam_sid() );
  65
  66         sid_append_rid( &domain_sid, rid );
  67
  68         return nt_token_check_sid( &domain_sid, token );\
  69 }
  70
  71 /******************************************************************************
  72  Create a token for the root user to be used internally by smbd.
  73  This is similar to running under the context of the LOCAL_SYSTEM account
  74  in Windows.  This is a read-only token.  Do not modify it or free() it.
  75  Create a copy if your need to change it.
  76 ******************************************************************************/
  77
  78 NT_USER_TOKEN *get_root_nt_token( void )
  79 {
  80         struct nt_user_token *token = NULL;
  81         DOM_SID u_sid, g_sid;
  82         struct passwd *pw;
  83         void *cache_data;
  84
  85         cache_data = memcache_lookup_talloc(
  86                 NULL, SINGLETON_CACHE_TALLOC,
  87                 data_blob_string_const("root_nt_token"));
  88
  89         if (cache_data != NULL) {
  90                 return talloc_get_type_abort(
  91                         cache_data, struct nt_user_token);
  92         }
  93
  94         if ( !(pw = sys_getpwnam( "root" )) ) {
  95                 DEBUG(0,("get_root_nt_token: getpwnam(\"root\") failed!\n"));
  96                 return NULL;
  97         }
  98
  99         /* get the user and primary group SIDs; although the
 100            BUILTIN\Administrators SId is really the one that matters here */
 101
 102         uid_to_sid(&u_sid, pw->pw_uid);
 103         gid_to_sid(&g_sid, pw->pw_gid);
 104
 105         token = create_local_nt_token(NULL, &u_sid, False,
 106                                       1, &global_sid_Builtin_Administrators);
 107
 108         token->privileges = se_disk_operators;
 109
 110         memcache_add_talloc(
 111                 NULL, SINGLETON_CACHE_TALLOC,
 112                 data_blob_string_const("root_nt_token"), token);
 113
 114         return token;
 115 }
 116
 117
 118 /*
 119  * Add alias SIDs from memberships within the partially created token SID list
 120  */
 121
 122 NTSTATUS add_aliases(const DOM_SID *domain_sid,
 123                      struct nt_user_token *token)
 124 {
 125         uint32 *aliases;
 126         size_t i, num_aliases;
 127         NTSTATUS status;
 128         TALLOC_CTX *tmp_ctx;
 129
 130         if (!(tmp_ctx = talloc_init("add_aliases"))) {
 131                 return NT_STATUS_NO_MEMORY;
 132         }
 133
 134         aliases = NULL;
 135         num_aliases = 0;
 136
 137         status = pdb_enum_alias_memberships(tmp_ctx, domain_sid,
 138                                             token->user_sids,
 139                                             token->num_sids,
 140                                             &aliases, &num_aliases);
 141
 142         if (!NT_STATUS_IS_OK(status)) {
 143                 DEBUG(10, ("pdb_enum_alias_memberships failed: %s\n",
 144                            nt_errstr(status)));
 145                 goto done;
 146         }
 147
 148         for (i=0; i<num_aliases; i++) {
 149                 DOM_SID alias_sid;
 150                 sid_compose(&alias_sid, domain_sid, aliases[i]);
 151                 status = add_sid_to_array_unique(token, &alias_sid,
 152                                                  &token->user_sids,
 153                                                  &token->num_sids);
 154                 if (!NT_STATUS_IS_OK(status)) {
 155                         DEBUG(0, ("add_sid_to_array failed\n"));
 156                         goto done;
 157                 }
 158         }
 159
 160 done:
 161         TALLOC_FREE(tmp_ctx);
 162         return NT_STATUS_OK;
 163 }
 164
 165 /*******************************************************************
 166 *******************************************************************/
 167
 168 static NTSTATUS add_builtin_administrators( struct nt_user_token *token )
 169 {
 170         DOM_SID domadm;
 171         NTSTATUS status;
 172
 173         /* nothing to do if we aren't in a domain */
 174
 175         if ( !(IS_DC || lp_server_role()==ROLE_DOMAIN_MEMBER) ) {
 176                 return NT_STATUS_OK;
 177         }
 178
 179         /* Find the Domain Admins SID */
 180
 181         if ( IS_DC ) {
 182                 sid_copy( &domadm, get_global_sam_sid() );
 183         } else {
 184                 if ( !secrets_fetch_domain_sid( lp_workgroup(), &domadm ) )
 185                         return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
 186         }
 187         sid_append_rid( &domadm, DOMAIN_GROUP_RID_ADMINS );
 188
 189         /* Add Administrators if the user beloongs to Domain Admins */
 190
 191         if ( nt_token_check_sid( &domadm, token ) ) {
 192                 status = add_sid_to_array(token,
 193                                           &global_sid_Builtin_Administrators,
 194                                           &token->user_sids, &token->num_sids);
 195         if (!NT_STATUS_IS_OK(status)) {
 196                         return status;
 197                 }
 198         }
 199
 200         return NT_STATUS_OK;
 201 }
 202
 203 /**
 204  * Create the requested BUILTIN if it doesn't already exist.  This requires
 205  * winbindd to be running.
 206  *
 207  * @param[in] rid BUILTIN rid to create
 208  * @return Normal NTSTATUS return.
 209  */
 210 static NTSTATUS create_builtin(uint32 rid)
 211 {
 212         NTSTATUS status = NT_STATUS_OK;
 213         DOM_SID sid;
 214         gid_t gid;
 215
 216         if (!sid_compose(&sid, &global_sid_Builtin, rid)) {
 217                 return NT_STATUS_NO_SUCH_ALIAS;
 218         }
 219
 220         if (!sid_to_gid(&sid, &gid)) {
 221                 if (!lp_winbind_nested_groups() || !winbind_ping()) {
 222                         return NT_STATUS_PROTOCOL_UNREACHABLE;
 223                 }
 224                 status = pdb_create_builtin_alias(rid);
 225         }
 226         return status;
 227 }
 228
 229 /**
 230  * Add sid as a member of builtin_sid.
 231  *
 232  * @param[in] builtin_sid       An existing builtin group.
 233  * @param[in] dom_sid           sid to add as a member of builtin_sid.
 234  * @return Normal NTSTATUS return
 235  */
 236 static NTSTATUS add_sid_to_builtin(const DOM_SID *builtin_sid,
 237                                    const DOM_SID *dom_sid)
 238 {
 239         NTSTATUS status = NT_STATUS_OK;
 240
 241         if (!dom_sid || !builtin_sid) {
 242                 return NT_STATUS_INVALID_PARAMETER;
 243         }
 244
 245         status = pdb_add_aliasmem(builtin_sid, dom_sid);
 246
 247         if (NT_STATUS_EQUAL(status, NT_STATUS_MEMBER_IN_ALIAS)) {
 248                 DEBUG(5, ("add_sid_to_builtin %s is already a member of %s\n",
 249                           sid_string_dbg(dom_sid),
 250                           sid_string_dbg(builtin_sid)));
 251                 return NT_STATUS_OK;
 252         }
 253
 254         if (!NT_STATUS_IS_OK(status)) {
 255                 DEBUG(3, ("add_sid_to_builtin %s could not be added to %s: "
 256                           "%s\n", sid_string_dbg(dom_sid),
 257                           sid_string_dbg(builtin_sid), nt_errstr(status)));
 258         }
 259         return status;
 260 }
 261
 262 /*******************************************************************
 263 *******************************************************************/
 264
 265 static NTSTATUS create_builtin_users( void )
 266 {
 267         NTSTATUS status;
 268         DOM_SID dom_users;
 269
 270         status = pdb_create_builtin_alias( BUILTIN_ALIAS_RID_USERS );
 271         if ( !NT_STATUS_IS_OK(status) ) {
 272                 DEBUG(5,("create_builtin_users: Failed to create Users\n"));
 273                 return status;
 274         }
 275
 276         /* add domain users */
 277         if ((IS_DC || (lp_server_role() == ROLE_DOMAIN_MEMBER))
 278                 && secrets_fetch_domain_sid(lp_workgroup(), &dom_users))
 279         {
 280                 sid_append_rid(&dom_users, DOMAIN_GROUP_RID_USERS );
 281                 status = pdb_add_aliasmem( &global_sid_Builtin_Users, &dom_users);
 282                 if ( !NT_STATUS_IS_OK(status) ) {
 283                         DEBUG(4,("create_builtin_administrators: Failed to add Domain Users to"
 284                                 " Users\n"));
 285                         return status;
 286                 }
 287         }
 288
 289         return NT_STATUS_OK;
 290 }
 291
 292 /*******************************************************************
 293 *******************************************************************/
 294
 295 static NTSTATUS create_builtin_administrators( void )
 296 {
 297         NTSTATUS status;
 298         DOM_SID dom_admins, root_sid;
 299         fstring root_name;
 300         enum lsa_SidType type;
 301         TALLOC_CTX *ctx;
 302         bool ret;
 303
 304         status = pdb_create_builtin_alias( BUILTIN_ALIAS_RID_ADMINS );
 305         if ( !NT_STATUS_IS_OK(status) ) {
 306                 DEBUG(5,("create_builtin_administrators: Failed to create Administrators\n"));
 307                 return status;
 308         }
 309
 310         /* add domain admins */
 311         if ((IS_DC || (lp_server_role() == ROLE_DOMAIN_MEMBER))
 312                 && secrets_fetch_domain_sid(lp_workgroup(), &dom_admins))
 313         {
 314                 sid_append_rid(&dom_admins, DOMAIN_GROUP_RID_ADMINS);
 315                 status = pdb_add_aliasmem( &global_sid_Builtin_Administrators, &dom_admins );
 316                 if ( !NT_STATUS_IS_OK(status) ) {
 317                         DEBUG(4,("create_builtin_administrators: Failed to add Domain Admins"
 318                                 " Administrators\n"));
 319                         return status;
 320                 }
 321         }
 322
 323         /* add root */
 324         if ( (ctx = talloc_init("create_builtin_administrators")) == NULL ) {
 325                 return NT_STATUS_NO_MEMORY;
 326         }
 327         fstr_sprintf( root_name, "%s\\root", get_global_sam_name() );
 328         ret = lookup_name(ctx, root_name, LOOKUP_NAME_DOMAIN, NULL, NULL,
 329                           &root_sid, &type);
 330         TALLOC_FREE( ctx );
 331
 332         if ( ret ) {
 333                 status = pdb_add_aliasmem( &global_sid_Builtin_Administrators, &root_sid );
 334                 if ( !NT_STATUS_IS_OK(status) ) {
 335                         DEBUG(4,("create_builtin_administrators: Failed to add root"
 336                                 " Administrators\n"));
 337                         return status;
 338                 }
 339         }
 340
 341         return NT_STATUS_OK;
 342 }
 343
 344
 345 /*******************************************************************
 346  Create a NT token for the user, expanding local aliases
 347 *******************************************************************/
 348
 349 struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx,
 350                                             const DOM_SID *user_sid,
 351                                             bool is_guest,
 352                                             int num_groupsids,
 353                                             const DOM_SID *groupsids)
 354 {
 355         struct nt_user_token *result = NULL;
 356         int i;
 357         NTSTATUS status;
 358         gid_t gid;
 359
 360         DEBUG(10, ("Create local NT token for %s\n",
 361                    sid_string_dbg(user_sid)));
 362
 363         if (!(result = TALLOC_ZERO_P(mem_ctx, struct nt_user_token))) {
 364                 DEBUG(0, ("talloc failed\n"));
 365                 return NULL;
 366         }
 367
 368         /* Add the user and primary group sid */
 369
 370         status = add_sid_to_array(result, user_sid,
 371                                   &result->user_sids, &result->num_sids);
 372         if (!NT_STATUS_IS_OK(status)) {
 373                 return NULL;
 374         }
 375
 376         /* For guest, num_groupsids may be zero. */
 377         if (num_groupsids) {
 378                 status = add_sid_to_array(result, &groupsids[0],
 379                                           &result->user_sids,
 380                                           &result->num_sids);
 381                 if (!NT_STATUS_IS_OK(status)) {
 382                         return NULL;
 383                 }
 384         }
 385
 386         /* Add in BUILTIN sids */
 387
 388         status = add_sid_to_array(result, &global_sid_World,
 389                                   &result->user_sids, &result->num_sids);
 390         if (!NT_STATUS_IS_OK(status)) {
 391                 return NULL;
 392         }
 393         status = add_sid_to_array(result, &global_sid_Network,
 394                                   &result->user_sids, &result->num_sids);
 395         if (!NT_STATUS_IS_OK(status)) {
 396                 return NULL;
 397         }
 398
 399         if (is_guest) {
 400                 status = add_sid_to_array(result, &global_sid_Builtin_Guests,
 401                                           &result->user_sids,
 402                                           &result->num_sids);
 403                 if (!NT_STATUS_IS_OK(status)) {
 404                         return NULL;
 405                 }
 406         } else {
 407                 status = add_sid_to_array(result,
 408                                           &global_sid_Authenticated_Users,
 409                                           &result->user_sids,
 410                                           &result->num_sids);
 411                 if (!NT_STATUS_IS_OK(status)) {
 412                         return NULL;
 413                 }
 414         }
 415
 416         /* Now the SIDs we got from authentication. These are the ones from
 417          * the info3 struct or from the pdb_enum_group_memberships, depending
 418          * on who authenticated the user.
 419          * Note that we start the for loop at "1" here, we already added the
 420          * first group sid as primary above. */
 421
 422         for (i=1; i<num_groupsids; i++) {
 423                 status = add_sid_to_array_unique(result, &groupsids[i],
 424                                                  &result->user_sids,
 425                                                  &result->num_sids);
 426                 if (!NT_STATUS_IS_OK(status)) {
 427                         return NULL;
 428                 }
 429         }
 430
 431         /* Deal with the BUILTIN\Administrators group.  If the SID can
 432            be resolved then assume that the add_aliasmem( S-1-5-32 )
 433            handled it. */
 434
 435         if ( !sid_to_gid( &global_sid_Builtin_Administrators, &gid ) ) {
 436                 /* We can only create a mapping if winbind is running
 437                    and the nested group functionality has been enabled */
 438
 439                 if ( lp_winbind_nested_groups() && winbind_ping() ) {
 440                         become_root();
 441                         status = create_builtin_administrators( );
 442                         if ( !NT_STATUS_IS_OK(status) ) {
 443                                 DEBUG(2,("WARNING: Failed to create BUILTIN\\Administrators "
 444                                          "group!  Can Winbind allocate gids?\n"));
 445                                 /* don't fail, just log the message */
 446                         }
 447                         unbecome_root();
 448                 }
 449                 else {
 450                         status = add_builtin_administrators( result );
 451                         if ( !NT_STATUS_IS_OK(status) ) {
 452                                 /* just log a complaint but do not fail */
 453                                 DEBUG(3,("create_local_nt_token: failed to check for local Administrators"
 454                                         " membership (%s)\n", nt_errstr(status)));
 455                         }
 456                 }
 457         }
 458
 459         /* Deal with the BUILTIN\Users group.  If the SID can
 460            be resolved then assume that the add_aliasmem( S-1-5-32 )
 461            handled it. */
 462
 463         if ( !sid_to_gid( &global_sid_Builtin_Users, &gid ) ) {
 464                 /* We can only create a mapping if winbind is running
 465                    and the nested group functionality has been enabled */
 466
 467                 if ( lp_winbind_nested_groups() && winbind_ping() ) {
 468                         become_root();
 469                         status = create_builtin_users( );
 470                         if ( !NT_STATUS_IS_OK(status) ) {
 471                                 DEBUG(2,("WARNING: Failed to create BUILTIN\\Users group! "
 472                                          "Can Winbind allocate gids?\n"));
 473                                 /* don't fail, just log the message */
 474                         }
 475                         unbecome_root();
 476                 }
 477         }
 478
 479         /* Deal with local groups */
 480
 481         if (lp_winbind_nested_groups()) {
 482
 483                 become_root();
 484
 485                 /* Now add the aliases. First the one from our local SAM */
 486
 487                 status = add_aliases(get_global_sam_sid(), result);
 488
 489                 if (!NT_STATUS_IS_OK(status)) {
 490                         unbecome_root();
 491                         TALLOC_FREE(result);
 492                         return NULL;
 493                 }
 494
 495                 /* Finally the builtin ones */
 496
 497                 status = add_aliases(&global_sid_Builtin, result);
 498
 499                 if (!NT_STATUS_IS_OK(status)) {
 500                         unbecome_root();
 501                         TALLOC_FREE(result);
 502                         return NULL;
 503                 }
 504
 505                 unbecome_root();
 506         }
 507
 508
 509         get_privileges_for_sids(&result->privileges, result->user_sids,
 510                                 result->num_sids);
 511         return result;
 512 }
 513
 514 /****************************************************************************
 515  prints a NT_USER_TOKEN to debug output.
 516 ****************************************************************************/
 517
 518 void debug_nt_user_token(int dbg_class, int dbg_lev, NT_USER_TOKEN *token)
 519 {
 520         size_t     i;
 521
 522         if (!token) {
 523                 DEBUGC(dbg_class, dbg_lev, ("NT user token: (NULL)\n"));
 524                 return;
 525         }
 526
 527         DEBUGC(dbg_class, dbg_lev,
 528                ("NT user token of user %s\n",
 529                 sid_string_dbg(&token->user_sids[0]) ));
 530         DEBUGADDC(dbg_class, dbg_lev,
 531                   ("contains %lu SIDs\n", (unsigned long)token->num_sids));
 532         for (i = 0; i < token->num_sids; i++)
 533                 DEBUGADDC(dbg_class, dbg_lev,
 534                           ("SID[%3lu]: %s\n", (unsigned long)i,
 535                            sid_string_dbg(&token->user_sids[i])));
 536
 537         dump_se_priv( dbg_class, dbg_lev, &token->privileges );
 538 }
 539
 540 /****************************************************************************
 541  prints a UNIX 'token' to debug output.
 542 ****************************************************************************/
 543
 544 void debug_unix_user_token(int dbg_class, int dbg_lev, uid_t uid, gid_t gid,
 545                            int n_groups, gid_t *groups)
 546 {
 547         int     i;
 548         DEBUGC(dbg_class, dbg_lev,
 549                ("UNIX token of user %ld\n", (long int)uid));
 550
 551         DEBUGADDC(dbg_class, dbg_lev,
 552                   ("Primary group is %ld and contains %i supplementary "
 553                    "groups\n", (long int)gid, n_groups));
 554         for (i = 0; i < n_groups; i++)
 555                 DEBUGADDC(dbg_class, dbg_lev, ("Group[%3i]: %ld\n", i,
 556                         (long int)groups[i]));
 557 }
 558
 559 /* END */