diff options
author | Joseph Sutton <josephsutton@catalyst.net.nz> | 2022-12-16 12:08:41 +1300 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2023-02-08 00:03:39 +0000 |
commit | e20067c52d642123b7ed929c1e35a2c0d144b13c (patch) | |
tree | 7b0c97ed0ada07c40e068194fa9fb51217ffd241 | |
parent | 5147f011d9b2b37dd46939d4b50d71d50a6776c1 (diff) | |
download | samba-e20067c52d642123b7ed929c1e35a2c0d144b13c.tar.gz |
auth: Make more liberal use of SID index constants
Arrays of SIDs are handled not fully consistently throughout the
codebase. Sometimes SIDs in the first and second positions represent a
user and a primary group respectively; other times they don't mean
anything in particular. Using these index constants in situations of the
former sort can help to clarify our intent.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-rw-r--r-- | auth/auth_log.c | 4 | ||||
-rw-r--r-- | auth/auth_sam_reply.c | 4 | ||||
-rw-r--r-- | auth/wbc_auth_util.c | 8 | ||||
-rw-r--r-- | lib/afs/afs_funcs.c | 2 | ||||
-rw-r--r-- | libcli/security/security_token.h | 2 | ||||
-rw-r--r-- | libgpo/gpo_reg.c | 10 | ||||
-rw-r--r-- | librpc/rpc/dcesrv_handles.c | 8 | ||||
-rw-r--r-- | source4/auth/ntlm/auth.c | 2 | ||||
-rw-r--r-- | source4/auth/unix_token.c | 26 | ||||
-rw-r--r-- | source4/dsdb/common/rodc_helper.c | 4 | ||||
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/audit_util.c | 4 | ||||
-rw-r--r-- | source4/kdc/pac-glue.c | 6 | ||||
-rw-r--r-- | source4/torture/auth/pac.c | 24 |
13 files changed, 53 insertions, 51 deletions
diff --git a/auth/auth_log.c b/auth/auth_log.c index dc1cea12390..787a9ec6b42 100644 --- a/auth/auth_log.c +++ b/auth/auth_log.c @@ -407,7 +407,7 @@ static void log_successful_authz_event_json( goto failure; } rc = json_add_sid( - &authorization, "sid", &session_info->security_token->sids[0]); + &authorization, "sid", &session_info->security_token->sids[PRIMARY_USER_SID_INDEX]); if (rc != 0) { goto failure; } @@ -758,7 +758,7 @@ static void log_successful_authz_event_human_readable( auth_type, log_escape(frame, session_info->info->domain_name), log_escape(frame, session_info->info->account_name), - dom_sid_str_buf(&session_info->security_token->sids[0], + dom_sid_str_buf(&session_info->security_token->sids[PRIMARY_USER_SID_INDEX], &sid_buf), ts, remote_str, diff --git a/auth/auth_sam_reply.c b/auth/auth_sam_reply.c index 72edf0eed15..93a8c6e9bb0 100644 --- a/auth/auth_sam_reply.c +++ b/auth/auth_sam_reply.c @@ -371,7 +371,7 @@ NTSTATUS auth_convert_user_info_dc_saminfo6(TALLOC_CTX *mem_ctx, } /* We don't put the user and group SIDs in there */ - for (i=2; i<user_info_dc->num_sids; i++) { + for (i=REMAINING_SIDS_INDEX; i<user_info_dc->num_sids; i++) { struct auth_SidAttr *group_sid = &user_info_dc->sids[i]; bool belongs_in_base = is_base_sid(group_sid, sam6->base.domain_sid); if (belongs_in_base) { @@ -668,7 +668,7 @@ NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx, return NT_STATUS_INVALID_PARAMETER; } - user_info_dc->num_sids = 2; + user_info_dc->num_sids = PRIMARY_SIDS_COUNT; user_info_dc->sids = talloc_array(user_info_dc, struct auth_SidAttr, user_info_dc->num_sids + base->groups.count); NT_STATUS_HAVE_NO_MEMORY(user_info_dc->sids); diff --git a/auth/wbc_auth_util.c b/auth/wbc_auth_util.c index 311052c9108..83b22adc9d2 100644 --- a/auth/wbc_auth_util.c +++ b/auth/wbc_auth_util.c @@ -116,8 +116,8 @@ struct netr_SamInfo6 *wbcAuthUserInfo_to_netr_SamInfo6(TALLOC_CTX *mem_ctx, NTSTATUS status; bool ok; - memcpy(&user_sid, &info->sids[0].sid, sizeof(user_sid)); - memcpy(&group_sid, &info->sids[1].sid, sizeof(group_sid)); + memcpy(&user_sid, &info->sids[PRIMARY_USER_SID_INDEX].sid, sizeof(user_sid)); + memcpy(&group_sid, &info->sids[PRIMARY_GROUP_SID_INDEX].sid, sizeof(group_sid)); info6 = talloc_zero(mem_ctx, struct netr_SamInfo6); if (!info6) return NULL; @@ -196,7 +196,7 @@ struct netr_SamInfo6 *wbcAuthUserInfo_to_netr_SamInfo6(TALLOC_CTX *mem_ctx, status = wbcsids_to_samr_RidWithAttributeArray(info6, &info6->base.groups, &domain_sid, - &info->sids[1], + &info->sids[PRIMARY_GROUP_SID_INDEX], info->num_sids - 1); if (!NT_STATUS_IS_OK(status)) { TALLOC_FREE(info6); @@ -204,7 +204,7 @@ struct netr_SamInfo6 *wbcAuthUserInfo_to_netr_SamInfo6(TALLOC_CTX *mem_ctx, } status = wbcsids_to_netr_SidAttrArray(&domain_sid, - &info->sids[1], + &info->sids[PRIMARY_GROUP_SID_INDEX], info->num_sids - 1, info6, &info6->sids, diff --git a/lib/afs/afs_funcs.c b/lib/afs/afs_funcs.c index c7b263c7e73..4360f54827a 100644 --- a/lib/afs/afs_funcs.c +++ b/lib/afs/afs_funcs.c @@ -252,7 +252,7 @@ bool afs_login(connection_struct *conn) return false; } - user_sid = &conn->session_info->security_token->sids[0]; + user_sid = &conn->session_info->security_token->sids[PRIMARY_USER_SID_INDEX]; afs_username = talloc_string_sub(talloc_tos(), afs_username, "%s", diff --git a/libcli/security/security_token.h b/libcli/security/security_token.h index 15773df617f..8e256074b0e 100644 --- a/libcli/security/security_token.h +++ b/libcli/security/security_token.h @@ -28,6 +28,8 @@ #define PRIMARY_USER_SID_INDEX 0 #define PRIMARY_GROUP_SID_INDEX 1 +#define PRIMARY_SIDS_COUNT 2 +#define REMAINING_SIDS_INDEX 2 /* return a blank security token diff --git a/libgpo/gpo_reg.c b/libgpo/gpo_reg.c index a160c3dd03d..f52173ea189 100644 --- a/libgpo/gpo_reg.c +++ b/libgpo/gpo_reg.c @@ -330,7 +330,7 @@ static WERROR gp_reg_del_groupmembership(TALLOC_CTX *mem_ctx, { const char *path = NULL; - path = gp_reg_groupmembership_path(mem_ctx, &token->sids[0], + path = gp_reg_groupmembership_path(mem_ctx, &token->sids[PRIMARY_USER_SID_INDEX], flags); W_ERROR_HAVE_NO_MEMORY(path); @@ -353,7 +353,7 @@ static WERROR gp_reg_store_groupmembership(TALLOC_CTX *mem_ctx, const char *path = NULL; int count = 0; - path = gp_reg_groupmembership_path(mem_ctx, &token->sids[0], + path = gp_reg_groupmembership_path(mem_ctx, &token->sids[PRIMARY_USER_SID_INDEX], flags); W_ERROR_HAVE_NO_MEMORY(path); @@ -487,7 +487,7 @@ WERROR gp_reg_state_store(TALLOC_CTX *mem_ctx, W_ERROR_NOT_OK_RETURN(werr); werr = gp_secure_key(mem_ctx, flags, reg_ctx->curr_key, - &token->sids[0]); + &token->sids[PRIMARY_USER_SID_INDEX]); if (!W_ERROR_IS_OK(werr)) { DEBUG(0,("failed to secure key: %s\n", win_errstr(werr))); goto done; @@ -499,7 +499,7 @@ WERROR gp_reg_state_store(TALLOC_CTX *mem_ctx, goto done; } - subkeyname = gp_req_state_path(mem_ctx, &token->sids[0], flags); + subkeyname = gp_req_state_path(mem_ctx, &token->sids[PRIMARY_USER_SID_INDEX], flags); if (!subkeyname) { werr = WERR_NOT_ENOUGH_MEMORY; goto done; @@ -998,7 +998,7 @@ WERROR reg_apply_registry_entry(TALLOC_CTX *mem_ctx, case GP_REG_ACTION_SEC_KEY_SET: werr = gp_secure_key(mem_ctx, flags, key, - &token->sids[0]); + &token->sids[PRIMARY_USER_SID_INDEX]); if (!W_ERROR_IS_OK(werr)) { DEBUG(0,("reg_apply_registry_entry: " "gp_secure_key failed: %s\n", diff --git a/librpc/rpc/dcesrv_handles.c b/librpc/rpc/dcesrv_handles.c index da1f00f5b67..b8719d8c804 100644 --- a/librpc/rpc/dcesrv_handles.c +++ b/librpc/rpc/dcesrv_handles.c @@ -277,7 +277,7 @@ NTSTATUS _dcesrv_iface_state_store_assoc(struct dcesrv_call_state *call, struct auth_session_info *session_info = dcesrv_call_session_info(call); const struct dom_sid *owner = - &session_info->security_token->sids[0]; + &session_info->security_token->sids[PRIMARY_USER_SID_INDEX]; NTSTATUS status; status = dcesrv_iface_state_store(call->conn->assoc_group, @@ -302,7 +302,7 @@ void *_dcesrv_iface_state_find_assoc(struct dcesrv_call_state *call, uint64_t ma struct auth_session_info *session_info = dcesrv_call_session_info(call); const struct dom_sid *owner = - &session_info->security_token->sids[0]; + &session_info->security_token->sids[PRIMARY_USER_SID_INDEX]; void *ptr = NULL; ptr = dcesrv_iface_state_find(call->conn->assoc_group, @@ -328,7 +328,7 @@ NTSTATUS _dcesrv_iface_state_store_conn(struct dcesrv_call_state *call, struct auth_session_info *session_info = dcesrv_call_session_info(call); const struct dom_sid *owner = - &session_info->security_token->sids[0]; + &session_info->security_token->sids[PRIMARY_USER_SID_INDEX]; NTSTATUS status; status = dcesrv_iface_state_store(call->conn->assoc_group, @@ -353,7 +353,7 @@ void *_dcesrv_iface_state_find_conn(struct dcesrv_call_state *call, uint64_t mag struct auth_session_info *session_info = dcesrv_call_session_info(call); const struct dom_sid *owner = - &session_info->security_token->sids[0]; + &session_info->security_token->sids[PRIMARY_USER_SID_INDEX]; void *ptr = NULL; ptr = dcesrv_iface_state_find(call->conn->assoc_group, diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c index 1983bf182a2..abc9716ba74 100644 --- a/source4/auth/ntlm/auth.c +++ b/source4/auth/ntlm/auth.c @@ -421,7 +421,7 @@ _PUBLIC_ NTSTATUS auth_check_password_recv(struct tevent_req *req, state->user_info, status, state->user_info_dc->info->domain_name, state->user_info_dc->info->account_name, - &state->user_info_dc->sids[0].sid); + &state->user_info_dc->sids[PRIMARY_USER_SID_INDEX].sid); *user_info_dc = talloc_move(mem_ctx, &state->user_info_dc); diff --git a/source4/auth/unix_token.c b/source4/auth/unix_token.c index b3396b852df..97b8292a2dd 100644 --- a/source4/auth/unix_token.c +++ b/source4/auth/unix_token.c @@ -55,7 +55,7 @@ NTSTATUS security_token_to_unix_token(TALLOC_CTX *mem_ctx, } /* we can't do unix security without a user and group */ - if (token->num_sids < 2) { + if (token->num_sids < PRIMARY_SIDS_COUNT) { return NT_STATUS_ACCESS_DENIED; } @@ -76,7 +76,7 @@ NTSTATUS security_token_to_unix_token(TALLOC_CTX *mem_ctx, NT_STATUS_NOT_OK_RETURN(status); g = token->num_sids; - if (ids[0].xid.type != ID_TYPE_BOTH) { + if (ids[PRIMARY_USER_SID_INDEX].xid.type != ID_TYPE_BOTH) { g--; } (*sec)->ngroups = g; @@ -84,36 +84,36 @@ NTSTATUS security_token_to_unix_token(TALLOC_CTX *mem_ctx, NT_STATUS_HAVE_NO_MEMORY((*sec)->groups); g=0; - if (ids[0].xid.type == ID_TYPE_BOTH) { + if (ids[PRIMARY_USER_SID_INDEX].xid.type == ID_TYPE_BOTH) { (*sec)->uid = ids[0].xid.id; (*sec)->groups[g] = ids[0].xid.id; g++; - } else if (ids[0].xid.type == ID_TYPE_UID) { + } else if (ids[PRIMARY_USER_SID_INDEX].xid.type == ID_TYPE_UID) { (*sec)->uid = ids[0].xid.id; } else { struct dom_sid_buf buf; DEBUG(0, ("Unable to convert first SID (%s) in user token to a UID. Conversion was returned as type %d, full token:\n", - dom_sid_str_buf(ids[0].sid, &buf), - (int)ids[0].xid.type)); + dom_sid_str_buf(ids[PRIMARY_USER_SID_INDEX].sid, &buf), + (int)ids[PRIMARY_USER_SID_INDEX].xid.type)); security_token_debug(DBGC_AUTH, 0, token); return NT_STATUS_INVALID_SID; } - if (ids[1].xid.type == ID_TYPE_BOTH || - ids[1].xid.type == ID_TYPE_GID) { - (*sec)->gid = ids[1].xid.id; - (*sec)->groups[g] = ids[1].xid.id; + if (ids[PRIMARY_GROUP_SID_INDEX].xid.type == ID_TYPE_BOTH || + ids[PRIMARY_GROUP_SID_INDEX].xid.type == ID_TYPE_GID) { + (*sec)->gid = ids[PRIMARY_GROUP_SID_INDEX].xid.id; + (*sec)->groups[g] = ids[PRIMARY_GROUP_SID_INDEX].xid.id; g++; } else { struct dom_sid_buf buf; DEBUG(0, ("Unable to convert second SID (%s) in user token to a GID. Conversion was returned as type %d, full token:\n", - dom_sid_str_buf(ids[1].sid, &buf), - (int)ids[1].xid.type)); + dom_sid_str_buf(ids[PRIMARY_GROUP_SID_INDEX].sid, &buf), + (int)ids[PRIMARY_GROUP_SID_INDEX].xid.type)); security_token_debug(DBGC_AUTH, 0, token); return NT_STATUS_INVALID_SID; } - for (s=2; s < token->num_sids; s++) { + for (s=REMAINING_SIDS_INDEX; s < token->num_sids; s++) { if (ids[s].xid.type == ID_TYPE_BOTH || ids[s].xid.type == ID_TYPE_GID) { (*sec)->groups[g] = ids[s].xid.id; diff --git a/source4/dsdb/common/rodc_helper.c b/source4/dsdb/common/rodc_helper.c index d1fd2dbfb80..b4982aee9ed 100644 --- a/source4/dsdb/common/rodc_helper.c +++ b/source4/dsdb/common/rodc_helper.c @@ -71,7 +71,7 @@ static WERROR samdb_result_sid_array_ndr(struct ldb_context *sam_ctx, el->num_values + 1); W_ERROR_HAVE_NO_MEMORY(*sids); - (*sids)[0] = *primary_sid; + (*sids)[PRIMARY_USER_SID_INDEX] = *primary_sid; for (i = 0; i<el->num_values; i++) { enum ndr_err_code ndr_err; @@ -204,7 +204,7 @@ WERROR samdb_confirm_rodc_allowed_to_repl_to_sid_list(struct ldb_context *sam_ct } /* The RODC can replicate and print tickets for itself. */ - if (dom_sid_equal(&token_sids[0], rodc_machine_account_sid)) { + if (dom_sid_equal(&token_sids[PRIMARY_USER_SID_INDEX], rodc_machine_account_sid)) { TALLOC_FREE(frame); return WERR_OK; } diff --git a/source4/dsdb/samdb/ldb_modules/audit_util.c b/source4/dsdb/samdb/ldb_modules/audit_util.c index f25102585f8..53c5fe75fdc 100644 --- a/source4/dsdb/samdb/ldb_modules/audit_util.c +++ b/source4/dsdb/samdb/ldb_modules/audit_util.c @@ -149,7 +149,7 @@ const struct dom_sid *dsdb_audit_get_actual_sid(struct ldb_context *ldb) if (user_token == NULL) { return NULL; } - return &user_token->sids[0]; + return &user_token->sids[PRIMARY_USER_SID_INDEX]; } /* * @brief get the ldb error string. @@ -196,7 +196,7 @@ const struct dom_sid *dsdb_audit_get_user_sid(const struct ldb_module *module) if (user_token == NULL) { return NULL; } - return &user_token->sids[0]; + return &user_token->sids[PRIMARY_USER_SID_INDEX]; } diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c index d9c76ba3b1f..437ff83a8c9 100644 --- a/source4/kdc/pac-glue.c +++ b/source4/kdc/pac-glue.c @@ -132,7 +132,7 @@ NTSTATUS samba_get_logon_info_pac_blob(TALLOC_CTX *mem_ctx, ZERO_STRUCT(pac_requester_sid); - pac_requester_sid.requester_sid.sid = info->sids[0].sid; + pac_requester_sid.requester_sid.sid = info->sids[PRIMARY_USER_SID_INDEX].sid; ndr_err = ndr_push_union_blob(requester_sid_blob, mem_ctx, &pac_requester_sid, @@ -179,7 +179,7 @@ NTSTATUS samba_get_upn_info_pac_blob(TALLOC_CTX *mem_ctx, = info->info->account_name; pac_upn.upn_dns_info.ex.sam_name_and_sid.objectsid - = &info->sids[0].sid; + = &info->sids[PRIMARY_USER_SID_INDEX].sid; ndr_err = ndr_push_union_blob(upn_data, mem_ctx, &pac_upn, PAC_TYPE_UPN_DNS_INFO, @@ -1326,7 +1326,7 @@ krb5_error_code samba_kdc_validate_pac_blob( goto out; } - pac_sid = pac_user_info->sids[0].sid; + pac_sid = pac_user_info->sids[PRIMARY_USER_SID_INDEX].sid; } else if (code != 0) { goto out; } diff --git a/source4/torture/auth/pac.c b/source4/torture/auth/pac.c index 50ac17ad07b..518caa0d251 100644 --- a/source4/torture/auth/pac.c +++ b/source4/torture/auth/pac.c @@ -170,8 +170,8 @@ static bool torture_pac_self_check(struct torture_context *tctx) &user_info_dc_out, NULL, NULL); /* The user's SID is the first element in the list */ - if (!dom_sid_equal(&user_info_dc->sids[0].sid, - &user_info_dc_out->sids[0].sid)) { + if (!dom_sid_equal(&user_info_dc->sids[PRIMARY_USER_SID_INDEX].sid, + &user_info_dc_out->sids[PRIMARY_USER_SID_INDEX].sid)) { krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &krbtgt_keyblock); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, @@ -182,8 +182,8 @@ static bool torture_pac_self_check(struct torture_context *tctx) torture_fail(tctx, talloc_asprintf(tctx, "(self test) PAC Decode resulted in *different* domain SID: %s != %s", - dom_sid_string(mem_ctx, &user_info_dc->sids[0].sid), - dom_sid_string(mem_ctx, &user_info_dc_out->sids[0].sid))); + dom_sid_string(mem_ctx, &user_info_dc->sids[PRIMARY_USER_SID_INDEX].sid), + dom_sid_string(mem_ctx, &user_info_dc_out->sids[PRIMARY_USER_SID_INDEX].sid))); } talloc_free(user_info_dc_out); @@ -232,13 +232,13 @@ static bool torture_pac_self_check(struct torture_context *tctx) nt_errstr(nt_status))); } - if (!dom_sid_equal(&user_info_dc->sids[0].sid, - &user_info_dc_out->sids[0].sid)) { + if (!dom_sid_equal(&user_info_dc->sids[PRIMARY_USER_SID_INDEX].sid, + &user_info_dc_out->sids[PRIMARY_USER_SID_INDEX].sid)) { torture_fail(tctx, talloc_asprintf(tctx, "(self test) PAC Decode resulted in *different* domain SID: %s != %s", - dom_sid_string(mem_ctx, &user_info_dc->sids[0].sid), - dom_sid_string(mem_ctx, &user_info_dc_out->sids[0].sid))); + dom_sid_string(mem_ctx, &user_info_dc->sids[PRIMARY_USER_SID_INDEX].sid), + dom_sid_string(mem_ctx, &user_info_dc_out->sids[PRIMARY_USER_SID_INDEX].sid))); } return true; } @@ -447,7 +447,7 @@ static bool torture_pac_saved_check(struct torture_context *tctx) if (!pac_file && !dom_sid_equal(dom_sid_parse_talloc(mem_ctx, "S-1-5-21-3048156945-3961193616-3706469200-1005"), - &user_info_dc_out->sids[0].sid)) { + &user_info_dc_out->sids[PRIMARY_USER_SID_INDEX].sid)) { krb5_free_keyblock_contents(smb_krb5_context->krb5_context, krbtgt_keyblock_p); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, @@ -458,7 +458,7 @@ static bool torture_pac_saved_check(struct torture_context *tctx) talloc_asprintf(tctx, "(saved test) Heimdal PAC Decode resulted in *different* domain SID: %s != %s", "S-1-5-21-3048156945-3961193616-3706469200-1005", - dom_sid_string(mem_ctx, &user_info_dc_out->sids[0].sid))); + dom_sid_string(mem_ctx, &user_info_dc_out->sids[PRIMARY_USER_SID_INDEX].sid))); } talloc_free(user_info_dc_out); @@ -506,7 +506,7 @@ static bool torture_pac_saved_check(struct torture_context *tctx) if (!pac_file && !dom_sid_equal(dom_sid_parse_talloc(mem_ctx, "S-1-5-21-3048156945-3961193616-3706469200-1005"), - &user_info_dc_out->sids[0].sid)) { + &user_info_dc_out->sids[PRIMARY_USER_SID_INDEX].sid)) { krb5_free_keyblock_contents(smb_krb5_context->krb5_context, krbtgt_keyblock_p); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, @@ -517,7 +517,7 @@ static bool torture_pac_saved_check(struct torture_context *tctx) talloc_asprintf(tctx, "(saved test) PAC Decode resulted in *different* domain SID: %s != %s", "S-1-5-21-3048156945-3961193616-3706469200-1005", - dom_sid_string(mem_ctx, &user_info_dc_out->sids[0].sid))); + dom_sid_string(mem_ctx, &user_info_dc_out->sids[PRIMARY_USER_SID_INDEX].sid))); } if (krbtgt_bytes == NULL) { |