authorStefan Metzmacher <metze@samba.org>2018-01-25 09:50:17 +0100
committerAndreas Schneider <asn@cryptomilk.org>2018-03-19 20:30:52 +0100
commit8a1c930e1b2452050f4d49a8c54164aa4afdb15f (patch)
tree1deede2ae27f48fdab143971eb4c73c921c38547 /libcli
parent1f1e221a8ffbecd3f80073c05d8f194d2dad9b24 (diff)
downloadsamba-8a1c930e1b2452050f4d49a8c54164aa4afdb15f.tar.gz
libcli/security: add dom_sid_is_valid_account_domain()
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
Diffstat (limited to 'libcli')
-rw-r--r--libcli/security/dom_sid.c63
-rw-r--r--libcli/security/dom_sid.h1
2 files changed, 64 insertions, 0 deletions
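--- a/libcli/security/dom_sid.c
+++ b/libcli/security/dom_sid.c
@@ -358,6 +358,69 @@ bool dom_sid_in_domain(const struct dom_sid *domain_sid,
 return dom_sid_compare_auth(domain_sid, sid) == 0;
 }
+bool dom_sid_is_valid_account_domain(const struct dom_sid *sid)
+{
+ /*
+ * We expect S-1-5-21-9-8-7, but we don't
+ * allow S-1-5-21-0-0-0 as this is used
+ * for claims and compound identities.
+ *
+ * With this structure:
+ *
+ * struct dom_sid {
+ * uint8_t sid_rev_num;
+ * int8_t num_auths; [range(0,15)]
+ * uint8_t id_auth[6];
+ * uint32_t sub_auths[15];
+ * }
+ *
+ * S-1-5-21-9-8-7 looks like this:
+ * {1, 4, {0,0,0,0,0,5}, {21,9,8,7,0,0,0,0,0,0,0,0,0,0,0}};
+ */
+ if (sid == NULL) {
+ return false;
+ }
+
+ if (sid->sid_rev_num != 1) {
+ return false;
+ }
+ if (sid->num_auths != 4) {
+ return false;
+ }
+ if (sid->id_auth[5] != 5) {
+ return false;
+ }
+ if (sid->id_auth[4] != 0) {
+ return false;
+ }
+ if (sid->id_auth[3] != 0) {
+ return false;
+ }
+ if (sid->id_auth[2] != 0) {
+ return false;
+ }
+ if (sid->id_auth[1] != 0) {
+ return false;
+ }
+ if (sid->id_auth[0] != 0) {
+ return false;
+ }
+ if (sid->sub_auths[0] != 21) {
+ return false;
+ }
+ if (sid->sub_auths[1] == 0) {
+ return false;
+ }
+ if (sid->sub_auths[2] == 0) {
+ return false;
+ }
+ if (sid->sub_auths[3] == 0) {
+ return false;
+ }
+
+ return true;
+}
+
 /*
 Convert a dom_sid to a string, printing into a buffer. Return the
 string length. If it overflows, return the string length that would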
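Review bot: The leading comment says only S-1-5-21-0-0-0 is disallowed, but the three `== 0` tests on `sub_auths[1]`, `sub_auths[2]` and `sub_auths[3]` reject any SID in which a single sub-authority happens to be zero (S-1-5-21-0-8-7, for instance), which is a stricter rule than the comment documents and could refuse a genuine, randomly generated domain SID. If the stricter rule is intended, the comment should state it, e.g. `* Any zero in the three domain sub-authorities is rejected, not only S-1-5-21-0-0-0.`; if it is not, the three tests should become one check that all three are zero, `if (sid->sub_auths[1] == 0 && sid->sub_auths[2] == 0 && sid->sub_auths[3] == 0) { return false; }`. As a point of style, the six `id_auth[i]` comparisons could be a single `memcmp` against a `static const uint8_t nt_authority[6] = {0,0,0,0,0,5};`, which makes the "NT Authority" identifier-authority check read as one fact rather than six. The rendered page appears to have dropped one blank context line, so the `@@` counts do not match the lines shown here.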
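--- a/libcli/security/dom_sid.h
+++ b/libcli/security/dom_sid.h
@@ -96,6 +96,7 @@ NTSTATUS dom_sid_split_rid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid,
 struct dom_sid **domain, uint32_t *rid);
 bool dom_sid_in_domain(const struct dom_sid *domain_sid,
 const struct dom_sid *sid);
+bool dom_sid_is_valid_account_domain(const struct dom_sid *sid);
 #define DOM_SID_STR_BUFLEN (15*11+25)
 int dom_sid_string_buf(const struct dom_sid *sid, char *buf, int buflen);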