diff options
| author | Andrew Bartlett <abartlet@samba.org> | 2010-08-14 13:30:51 +1000 |
|---|---|---|
| committer | Andrew Bartlett <abartlet@samba.org> | 2010-08-18 09:50:38 +1000 |
| commit | 7c6ca95bec5141707d4f19e802062731d6789cc5 (patch) | |
| tree | d6ee504cf0f98ff62b5bac6b19a869f8378c3757 | |
| parent | 60086dcf9a58525d400b39e9464847d73cbce6d2 (diff) | |
| download | samba-7c6ca95bec5141707d4f19e802062731d6789cc5.tar.gz | |
s4:security Remove use of user_sid and group_sid from struct security_token
This makes the structure more like Samba3's NT_USER_TOKEN
| -rw-r--r-- | librpc/idl/security.idl | 2 | ||||
| -rw-r--r-- | source4/auth/system_session.c | 15 | ||||
| -rw-r--r-- | source4/dsdb/samdb/ldb_modules/acl.c | 4 | ||||
| -rw-r--r-- | source4/dsdb/samdb/samdb.c | 6 | ||||
| -rw-r--r-- | source4/dsdb/samdb/samdb_privilege.c | 2 | ||||
| -rw-r--r-- | source4/kdc/kpasswdd.c | 6 | ||||
| -rw-r--r-- | source4/lib/policy/gp_ldap.c | 2 | ||||
| -rw-r--r-- | source4/libcli/security/create_descriptor.c | 7 | ||||
| -rw-r--r-- | source4/libcli/security/security_token.c | 8 | ||||
| -rw-r--r-- | source4/rpc_server/drsuapi/getncchanges.c | 2 | ||||
| -rw-r--r-- | source4/rpc_server/drsuapi/updaterefs.c | 4 | ||||
| -rw-r--r-- | source4/rpc_server/handles.c | 6 | ||||
| -rw-r--r-- | source4/rpc_server/lsa/dcesrv_lsa.c | 2 |
13 files changed, 29 insertions, 37 deletions
diff --git a/librpc/idl/security.idl b/librpc/idl/security.idl index 369579cb7cf..68ed485a82a 100644 --- a/librpc/idl/security.idl +++ b/librpc/idl/security.idl @@ -467,8 +467,6 @@ interface security } sec_desc_buf; typedef [public] struct { - dom_sid *user_sid; - dom_sid *group_sid; uint32 num_sids; [size_is(num_sids)] dom_sid *sids[*]; udlong privilege_mask; diff --git a/source4/auth/system_session.c b/source4/auth/system_session.c index 386f066de49..08ddb68f5da 100644 --- a/source4/auth/system_session.c +++ b/source4/auth/system_session.c @@ -51,13 +51,10 @@ static NTSTATUS create_token(TALLOC_CTX *mem_ctx, ptoken->sids = talloc_array(ptoken, struct dom_sid *, n_groupSIDs + 5); NT_STATUS_HAVE_NO_MEMORY(ptoken->sids); - ptoken->user_sid = talloc_reference(ptoken, user_sid); - ptoken->group_sid = talloc_reference(ptoken, group_sid); + ptoken->sids[PRIMARY_USER_SID_INDEX] = talloc_reference(ptoken, user_sid); + ptoken->sids[PRIMARY_GROUP_SID_INDEX] = talloc_reference(ptoken, group_sid); ptoken->privilege_mask = 0; - ptoken->sids[0] = ptoken->user_sid; - ptoken->sids[1] = ptoken->group_sid; - /* * Finally add the "standard" SIDs. * The only difference between guest and "anonymous" @@ -93,7 +90,7 @@ static NTSTATUS create_token(TALLOC_CTX *mem_ctx, *token = ptoken; /* Shortcuts to prevent recursion and avoid lookups */ - if (ptoken->user_sid == NULL) { + if (ptoken->sids == NULL) { ptoken->privilege_mask = 0; return NT_STATUS_OK; } @@ -337,12 +334,10 @@ static NTSTATUS create_admin_token(TALLOC_CTX *mem_ctx, ptoken->sids = talloc_array(ptoken, struct dom_sid *, n_groupSIDs + 3); NT_STATUS_HAVE_NO_MEMORY(ptoken->sids); - ptoken->user_sid = talloc_reference(ptoken, user_sid); - ptoken->group_sid = talloc_reference(ptoken, group_sid); ptoken->privilege_mask = 0; + ptoken->sids[PRIMARY_USER_SID_INDEX] = talloc_reference(ptoken, user_sid); + ptoken->sids[PRIMARY_GROUP_SID_INDEX] = talloc_reference(ptoken, group_sid); - ptoken->sids[0] = ptoken->user_sid; - ptoken->sids[1] = ptoken->group_sid; ptoken->sids[2] = dom_sid_parse_talloc(ptoken->sids, SID_NT_AUTHENTICATED_USERS); NT_STATUS_HAVE_NO_MEMORY(ptoken->sids[2]); ptoken->num_sids = 3; diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c index 9965e5374b2..55d252b1005 100644 --- a/source4/dsdb/samdb/ldb_modules/acl.c +++ b/source4/dsdb/samdb/ldb_modules/acl.c @@ -709,7 +709,9 @@ static int acl_check_self_membership(TALLOC_CTX *mem_ctx, return LDB_SUCCESS; } /* if we are adding/deleting ourselves, check for self membership */ - ret = dsdb_find_dn_by_sid(ldb, mem_ctx, acl_user_token(module)->user_sid, &user_dn); + ret = dsdb_find_dn_by_sid(ldb, mem_ctx, + acl_user_token(module)->sids[PRIMARY_USER_SID_INDEX], + &user_dn); if (ret != LDB_SUCCESS) { return ret; } diff --git a/source4/dsdb/samdb/samdb.c b/source4/dsdb/samdb/samdb.c index 2b4e9a1438e..2d64cc1b85b 100644 --- a/source4/dsdb/samdb/samdb.c +++ b/source4/dsdb/samdb/samdb.c @@ -157,8 +157,6 @@ NTSTATUS security_token_create(TALLOC_CTX *mem_ctx, ptoken = security_token_initialise(mem_ctx); NT_STATUS_HAVE_NO_MEMORY(ptoken); - ptoken->user_sid = talloc_reference(ptoken, user_sid); - ptoken->group_sid = talloc_reference(ptoken, group_sid); ptoken->privilege_mask = 0; ptoken->sids = talloc_array(ptoken, struct dom_sid *, n_groupSIDs + 6 /* over-allocate */); @@ -169,8 +167,8 @@ NTSTATUS security_token_create(TALLOC_CTX *mem_ctx, ptoken->sids = talloc_realloc(ptoken, ptoken->sids, struct dom_sid *, ptoken->num_sids + 1); NT_STATUS_HAVE_NO_MEMORY(ptoken->sids); - ptoken->sids[0] = ptoken->user_sid; - ptoken->sids[1] = ptoken->group_sid; + ptoken->sids[PRIMARY_USER_SID_INDEX] = talloc_reference(ptoken, user_sid); + ptoken->sids[PRIMARY_GROUP_SID_INDEX] = talloc_reference(ptoken, group_sid); ptoken->num_sids++; /* diff --git a/source4/dsdb/samdb/samdb_privilege.c b/source4/dsdb/samdb/samdb_privilege.c index f05b7e2a186..38e5a338312 100644 --- a/source4/dsdb/samdb/samdb_privilege.c +++ b/source4/dsdb/samdb/samdb_privilege.c @@ -93,7 +93,7 @@ NTSTATUS samdb_privilege_setup(struct tevent_context *ev_ctx, NTSTATUS status; /* Shortcuts to prevent recursion and avoid lookups */ - if (token->user_sid == NULL) { + if (token->sids == NULL) { token->privilege_mask = 0; return NT_STATUS_OK; } diff --git a/source4/kdc/kpasswdd.c b/source4/kdc/kpasswdd.c index e08a5149b96..36ddb65bb09 100644 --- a/source4/kdc/kpasswdd.c +++ b/source4/kdc/kpasswdd.c @@ -224,11 +224,11 @@ static bool kpasswdd_change_password(struct kdc_server *kdc, DEBUG(3, ("Changing password of %s\\%s (%s)\n", session_info->server_info->domain_name, session_info->server_info->account_name, - dom_sid_string(mem_ctx, session_info->security_token->user_sid))); + dom_sid_string(mem_ctx, session_info->security_token->sids[PRIMARY_USER_SID_INDEX]))); /* Performs the password change */ status = samdb_set_password_sid(samdb, mem_ctx, - session_info->security_token->user_sid, + session_info->security_token->sids[PRIMARY_USER_SID_INDEX], password, NULL, NULL, oldLmHash, oldNtHash, /* this is a user password change */ &reject_reason, @@ -382,7 +382,7 @@ static bool kpasswd_process_request(struct kdc_server *kdc, DEBUG(3, ("%s\\%s (%s) is changing password of %s\n", session_info->server_info->domain_name, session_info->server_info->account_name, - dom_sid_string(mem_ctx, session_info->security_token->user_sid), + dom_sid_string(mem_ctx, session_info->security_token->sids[PRIMARY_USER_SID_INDEX]), set_password_on_princ)); ret = ldb_transaction_start(samdb); if (ret != LDB_SUCCESS) { diff --git a/source4/lib/policy/gp_ldap.c b/source4/lib/policy/gp_ldap.c index 9a66f4f6ac4..e566ca4e0fd 100644 --- a/source4/lib/policy/gp_ldap.c +++ b/source4/lib/policy/gp_ldap.c @@ -443,7 +443,7 @@ NTSTATUS gp_list_gpos(struct gp_context *gp_ctx, struct security_token *token, c mem_ctx = talloc_new(gp_ctx); NT_STATUS_HAVE_NO_MEMORY(mem_ctx); - sid = dom_sid_string(mem_ctx, token->user_sid); + sid = dom_sid_string(mem_ctx, token->sids[PRIMARY_USER_SID_INDEX]); /* Find the user DN and objectclass via the sid from the security token */ rv = ldb_search(gp_ctx->ldb_ctx, diff --git a/source4/libcli/security/create_descriptor.c b/source4/libcli/security/create_descriptor.c index d64de2fe226..cb52d6502e2 100644 --- a/source4/libcli/security/create_descriptor.c +++ b/source4/libcli/security/create_descriptor.c @@ -367,7 +367,7 @@ struct security_descriptor *create_security_descriptor(TALLOC_CTX *mem_ctx, if ((inherit_flags & SEC_OWNER_FROM_PARENT) && parent_sd) { new_owner = parent_sd->owner_sid; } else if (!default_owner) { - new_owner = token->user_sid; + new_owner = token->sids[PRIMARY_USER_SID_INDEX]; } else { new_owner = default_owner; new_sd->type |= SEC_DESC_OWNER_DEFAULTED; @@ -379,8 +379,11 @@ struct security_descriptor *create_security_descriptor(TALLOC_CTX *mem_ctx, if (!creator_sd || !creator_sd->group_sid){ if ((inherit_flags & SEC_GROUP_FROM_PARENT) && parent_sd) { new_group = parent_sd->group_sid; + } else if (!default_group && token->sids[PRIMARY_GROUP_SID_INDEX]) { + new_group = token->sids[PRIMARY_GROUP_SID_INDEX]; } else if (!default_group) { - new_group = token->group_sid; + /* This will happen only for anonymous, which has no other groups */ + new_group = token->sids[PRIMARY_USER_SID_INDEX]; } else { new_group = default_group; new_sd->type |= SEC_DESC_GROUP_DEFAULTED; diff --git a/source4/libcli/security/security_token.c b/source4/libcli/security/security_token.c index 7cfb566b91b..f9be977a26b 100644 --- a/source4/libcli/security/security_token.c +++ b/source4/libcli/security/security_token.c @@ -36,8 +36,6 @@ struct security_token *security_token_initialise(TALLOC_CTX *mem_ctx) return NULL; } - st->user_sid = NULL; - st->group_sid = NULL; st->num_sids = 0; st->sids = NULL; st->privilege_mask = 0; @@ -63,9 +61,7 @@ void security_token_debug(int dbg_lev, const struct security_token *token) return; } - DEBUG(dbg_lev, ("Security token of user %s\n", - dom_sid_string(mem_ctx, token->user_sid) )); - DEBUGADD(dbg_lev, (" SIDs (%lu):\n", + DEBUG(dbg_lev, ("Security token SIDs (%lu):\n", (unsigned long)token->num_sids)); for (i = 0; i < token->num_sids; i++) { DEBUGADD(dbg_lev, (" SID[%3lu]: %s\n", (unsigned long)i, @@ -81,7 +77,7 @@ void security_token_debug(int dbg_lev, const struct security_token *token) bool security_token_is_sid(const struct security_token *token, const struct dom_sid *sid) { - if (dom_sid_equal(token->user_sid, sid)) { + if (token->sids && dom_sid_equal(token->sids[PRIMARY_USER_SID_INDEX], sid)) { return true; } return false; diff --git a/source4/rpc_server/drsuapi/getncchanges.c b/source4/rpc_server/drsuapi/getncchanges.c index ba47b9b0402..0beb99d758a 100644 --- a/source4/rpc_server/drsuapi/getncchanges.c +++ b/source4/rpc_server/drsuapi/getncchanges.c @@ -774,7 +774,7 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_ (req8->replica_flags & DRSUAPI_DRS_WRIT_REP)) { DEBUG(3,(__location__ ": Removing WRIT_REP flag for replication by RODC %s\n", dom_sid_string(mem_ctx, - dce_call->conn->auth_state.session_info->security_token->user_sid))); + dce_call->conn->auth_state.session_info->security_token->sids[PRIMARY_USER_SID_INDEX]))); req8->replica_flags &= ~DRSUAPI_DRS_WRIT_REP; } diff --git a/source4/rpc_server/drsuapi/updaterefs.c b/source4/rpc_server/drsuapi/updaterefs.c index daf057d6d63..08d49baf2b8 100644 --- a/source4/rpc_server/drsuapi/updaterefs.c +++ b/source4/rpc_server/drsuapi/updaterefs.c @@ -215,11 +215,11 @@ WERROR dcesrv_drsuapi_DsReplicaUpdateRefs(struct dcesrv_call_state *dce_call, TA /* check that they are using an DSA objectGUID that they own */ ret = dsdb_validate_dsa_guid(b_state->sam_ctx, &req->dest_dsa_guid, - dce_call->conn->auth_state.session_info->security_token->user_sid); + dce_call->conn->auth_state.session_info->security_token->sids[PRIMARY_USER_SID_INDEX]); if (ret != LDB_SUCCESS) { DEBUG(0,(__location__ ": Refusing DsReplicaUpdateRefs for sid %s with GUID %s\n", dom_sid_string(mem_ctx, - dce_call->conn->auth_state.session_info->security_token->user_sid), + dce_call->conn->auth_state.session_info->security_token->sids[PRIMARY_USER_SID_INDEX]), GUID_string(mem_ctx, &req->dest_dsa_guid))); return WERR_DS_DRA_ACCESS_DENIED; } diff --git a/source4/rpc_server/handles.c b/source4/rpc_server/handles.c index 085703b3d4f..495d42ab4a8 100644 --- a/source4/rpc_server/handles.c +++ b/source4/rpc_server/handles.c @@ -22,7 +22,7 @@ #include "includes.h" #include "../lib/util/dlinklist.h" #include "rpc_server/dcerpc_server.h" -#include "libcli/security/dom_sid.h" +#include "libcli/security/security.h" #include "auth/session.h" /* @@ -44,7 +44,7 @@ _PUBLIC_ struct dcesrv_handle *dcesrv_handle_new(struct dcesrv_connection_contex struct dcesrv_handle *h; struct dom_sid *sid; - sid = context->conn->auth_state.session_info->security_token->user_sid; + sid = context->conn->auth_state.session_info->security_token->sids[PRIMARY_USER_SID_INDEX]; h = talloc(context->assoc_group, struct dcesrv_handle); if (!h) { @@ -80,7 +80,7 @@ _PUBLIC_ struct dcesrv_handle *dcesrv_handle_fetch( struct dcesrv_handle *h; struct dom_sid *sid; - sid = context->conn->auth_state.session_info->security_token->user_sid; + sid = context->conn->auth_state.session_info->security_token->sids[PRIMARY_USER_SID_INDEX]; if (policy_handle_empty(p)) { /* TODO: we should probably return a NULL handle here */ diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c index 0a347e07dd8..371419fa700 100644 --- a/source4/rpc_server/lsa/dcesrv_lsa.c +++ b/source4/rpc_server/lsa/dcesrv_lsa.c @@ -338,7 +338,7 @@ static NTSTATUS dcesrv_lsa_QuerySecurity(struct dcesrv_call_state *dce_call, TAL DCESRV_PULL_HANDLE(h, r->in.handle, DCESRV_HANDLE_ANY); - sid = dce_call->conn->auth_state.session_info->security_token->user_sid; + sid = dce_call->conn->auth_state.session_info->security_token->sids[PRIMARY_USER_SID_INDEX]; if (h->wire_handle.handle_type == LSA_HANDLE_POLICY) { status = dcesrv_build_lsa_sd(mem_ctx, &sd, sid, 0); |