LCOV - code coverage report
Current view: top level - source3/lib - privileges.c (source / functions) Hit Total Coverage
Test: coverage report for abartlet/fix-coverage dd10fb34 Lines: 126 164 76.8 %
Date: 2021-09-23 10:06:22 Functions: 17 19 89.5 %

          Line data    Source code
       1             : /*
       2             :    Unix SMB/CIFS implementation.
       3             :    Privileges handling functions
       4             :    Copyright (C) Jean Fran├žois Micouleau       1998-2001
       5             :    Copyright (C) Simo Sorce                     2002-2003
       6             :    Copyright (C) Gerald (Jerry) Carter          2005
       7             :    Copyright (C) Michael Adam                   2007
       8             : 
       9             :    This program is free software; you can redistribute it and/or modify
      10             :    it under the terms of the GNU General Public License as published by
      11             :    the Free Software Foundation; either version 3 of the License, or
      12             :    (at your option) any later version.
      13             : 
      14             :    This program is distributed in the hope that it will be useful,
      15             :    but WITHOUT ANY WARRANTY; without even the implied warranty of
      16             :    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
      17             :    GNU General Public License for more details.
      18             : 
      19             :    You should have received a copy of the GNU General Public License
      20             :    along with this program.  If not, see <http://www.gnu.org/licenses/>.
      21             : */
      22             : 
      23             : 
      24             : #include "includes.h"
      25             : #include "lib/privileges.h"
      26             : #include "dbwrap/dbwrap.h"
      27             : #include "libcli/security/privileges_private.h"
      28             : #include "../libcli/security/security.h"
      29             : #include "passdb.h"
      30             : #include "lib/util/string_wrappers.h"
      31             : 
      32             : #define PRIVPREFIX              "PRIV_"
      33             : 
      34             : typedef struct {
      35             :         uint32_t count;
      36             :         struct dom_sid *list;
      37             : } SID_LIST;
      38             : 
      39             : typedef struct {
      40             :         TALLOC_CTX *mem_ctx;
      41             :         uint64_t privilege;
      42             :         SID_LIST sids;
      43             : } PRIV_SID_LIST;
      44             : 
      45             : /*
      46             :   interpret an old style SE_PRIV structure
      47             :  */
      48           0 : static uint64_t map_old_SE_PRIV(unsigned char *dptr)
      49             : {
      50           0 :         uint32_t *old_masks = (uint32_t *)dptr;
      51             :         /*
      52             :          * the old privileges code only ever used up to 0x800, except
      53             :          * for a special case of 'SE_ALL_PRIVS' which was 0xFFFFFFFF
      54             :          */
      55           0 :         if (old_masks[0] == 0xFFFFFFFF) {
      56             :                 /* they set all privileges */
      57           0 :                 return SE_ALL_PRIVS;
      58             :         }
      59             : 
      60             :         /* the old code used the machine byte order, but we don't know
      61             :          * the byte order of the machine that wrote it. However we can
      62             :          * tell what byte order it was by taking advantage of the fact
      63             :          * that it only ever use up to 0x800
      64             :          */
      65           0 :         if (dptr[0] || dptr[1]) {
      66             :                 /* it was little endian */
      67           0 :                 return IVAL(dptr, 0);
      68             :         }
      69             : 
      70             :         /* it was either zero or big-endian */
      71           0 :         return RIVAL(dptr, 0);
      72             : }
      73             : 
      74             : 
      75      156955 : static bool get_privileges( const struct dom_sid *sid, uint64_t *mask )
      76             : {
      77      156955 :         struct db_context *db = get_account_pol_db();
      78             :         struct dom_sid_buf tmp;
      79             :         fstring keystr;
      80             :         TDB_DATA data;
      81             :         NTSTATUS status;
      82             : 
      83             :         /* Fail if the admin has not enable privileges */
      84             : 
      85      156955 :         if ( !lp_enable_privileges() ) {
      86           0 :                 return False;
      87             :         }
      88             : 
      89      156955 :         if ( db == NULL )
      90           0 :                 return False;
      91             : 
      92             :         /* PRIV_<SID> (NULL terminated) as the key */
      93             : 
      94      156955 :         fstr_sprintf(keystr, "%s%s", PRIVPREFIX, dom_sid_str_buf(sid, &tmp));
      95             : 
      96      156955 :         status = dbwrap_fetch_bystring(db, talloc_tos(), keystr, &data);
      97             : 
      98      156955 :         if (!NT_STATUS_IS_OK(status)) {
      99      129981 :                 DEBUG(4, ("get_privileges: No privileges assigned to SID "
     100             :                           "[%s]\n", tmp.buf));
     101      129933 :                 return False;
     102             :         }
     103             : 
     104       26974 :         if (data.dsize == 4*4) {
     105             :                 /* it's an old style SE_PRIV structure. */
     106           0 :                 *mask = map_old_SE_PRIV(data.dptr);
     107             :         } else {
     108       26974 :                 if (data.dsize != sizeof( uint64_t ) ) {
     109           0 :                         DEBUG(3, ("get_privileges: Invalid privileges record assigned to SID "
     110             :                                   "[%s]\n", tmp.buf));
     111           0 :                         return False;
     112             :                 }
     113             : 
     114       26974 :                 *mask = BVAL(data.dptr, 0);
     115             :         }
     116             : 
     117       26974 :         TALLOC_FREE(data.dptr);
     118             : 
     119       26970 :         return True;
     120             : }
     121             : 
     122             : /***************************************************************************
     123             :  Store the privilege mask (set) for a given SID
     124             : ****************************************************************************/
     125             : 
     126         806 : static bool set_privileges( const struct dom_sid *sid, uint64_t mask )
     127             : {
     128         806 :         struct db_context *db = get_account_pol_db();
     129             :         uint8_t privbuf[8];
     130             :         struct dom_sid_buf tmp;
     131             :         fstring keystr;
     132             :         TDB_DATA data;
     133             : 
     134         806 :         if ( !lp_enable_privileges() )
     135           0 :                 return False;
     136             : 
     137         806 :         if ( db == NULL )
     138           0 :                 return False;
     139             : 
     140         806 :         if ( !sid || (sid->num_auths == 0) ) {
     141           0 :                 DEBUG(0,("set_privileges: Refusing to store empty SID!\n"));
     142           0 :                 return False;
     143             :         }
     144             : 
     145             :         /* PRIV_<SID> (NULL terminated) as the key */
     146             : 
     147         806 :         fstr_sprintf(keystr, "%s%s", PRIVPREFIX, dom_sid_str_buf(sid, &tmp));
     148             : 
     149             :         /* This writes the 64 bit bitmask out in little endian format */
     150         806 :         SBVAL(privbuf,0,mask);
     151             : 
     152         806 :         data.dptr  = privbuf;
     153         806 :         data.dsize = sizeof(privbuf);
     154             : 
     155         806 :         return NT_STATUS_IS_OK(dbwrap_store_bystring(db, keystr, data,
     156             :                                                      TDB_REPLACE));
     157             : }
     158             : 
     159             : /*********************************************************************
     160             :  get a list of all privileges for all sids in the list
     161             : *********************************************************************/
     162             : 
     163       19075 : bool get_privileges_for_sids(uint64_t *privileges, struct dom_sid *slist, int scount)
     164             : {
     165             :         uint64_t mask;
     166             :         int i;
     167       19075 :         bool found = False;
     168             : 
     169       19075 :         *privileges = 0;
     170             : 
     171      175116 :         for ( i=0; i<scount; i++ ) {
     172             :                 struct dom_sid_buf buf;
     173             : 
     174             :                 /* don't add unless we actually have a privilege assigned */
     175             : 
     176      156041 :                 if ( !get_privileges( &slist[i], &mask ) )
     177      129163 :                         continue;
     178             : 
     179       26878 :                 DEBUG(5,("get_privileges_for_sids: sid = %s\nPrivilege "
     180             :                          "set: 0x%llx\n",
     181             :                          dom_sid_str_buf(&slist[i], &buf),
     182             :                          (unsigned long long)mask));
     183             : 
     184       26878 :                 *privileges |= mask;
     185       26878 :                 found = True;
     186             :         }
     187             : 
     188       19075 :         return found;
     189             : }
     190             : 
     191         106 : NTSTATUS get_privileges_for_sid_as_set(TALLOC_CTX *mem_ctx, PRIVILEGE_SET **privileges, struct dom_sid *sid)
     192             : {
     193             :         uint64_t mask;
     194         106 :         if (!get_privileges(sid, &mask)) {
     195          66 :                 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
     196             :         }
     197             : 
     198          40 :         *privileges = talloc_zero(mem_ctx, PRIVILEGE_SET);
     199          40 :         if (!*privileges) {
     200           0 :                 return NT_STATUS_NO_MEMORY;
     201             :         }
     202             : 
     203          40 :         if (!se_priv_to_privilege_set(*privileges, mask)) {
     204           0 :                 return NT_STATUS_NO_MEMORY;
     205             :         }
     206          40 :         return NT_STATUS_OK;
     207             : }
     208             : 
     209             : /*********************************************************************
     210             :  traversal functions for privilege_enumerate_accounts
     211             : *********************************************************************/
     212             : 
     213         427 : static int priv_traverse_fn(struct db_record *rec, void *state)
     214             : {
     215         427 :         PRIV_SID_LIST *priv = (PRIV_SID_LIST *)state;
     216         427 :         int  prefixlen = strlen(PRIVPREFIX);
     217             :         struct dom_sid sid;
     218             :         fstring sid_string;
     219             :         TDB_DATA key;
     220             : 
     221         427 :         key = dbwrap_record_get_key(rec);
     222             : 
     223             :         /* check we have a PRIV_+SID entry */
     224             : 
     225         427 :         if (strncmp((char *)key.dptr, PRIVPREFIX, prefixlen) != 0)
     226         275 :                 return 0;
     227             : 
     228             :         /* check to see if we are looking for a particular privilege */
     229             : 
     230         152 :         fstrcpy( sid_string, (char *)&(key.dptr[strlen(PRIVPREFIX)]) );
     231             : 
     232         152 :         if (priv->privilege != 0) {
     233             :                 uint64_t mask;
     234             :                 TDB_DATA value;
     235             : 
     236         108 :                 value = dbwrap_record_get_value(rec);
     237             : 
     238         108 :                 if (value.dsize == 4*4) {
     239           0 :                         mask = map_old_SE_PRIV(value.dptr);
     240             :                 } else {
     241         108 :                         if (value.dsize != sizeof( uint64_t ) ) {
     242           0 :                                 DEBUG(3, ("get_privileges: Invalid privileges record assigned to SID "
     243             :                                           "[%s]\n", sid_string));
     244          90 :                                 return 0;
     245             :                         }
     246         108 :                         mask = BVAL(value.dptr, 0);
     247             :                 }
     248             : 
     249             :                 /* if the SID does not have the specified privilege
     250             :                    then just return */
     251             : 
     252         108 :                 if ((mask & priv->privilege) == 0) {
     253          90 :                         return 0;
     254             :                 }
     255             :         }
     256             : 
     257             :         /* this is a last ditch safety check to preventing returning
     258             :            and invalid SID (i've somehow run into this on development branches) */
     259             : 
     260          62 :         if ( strcmp( "S-0-0", sid_string ) == 0 )
     261           0 :                 return 0;
     262             : 
     263          62 :         if ( !string_to_sid(&sid, sid_string) ) {
     264           0 :                 DEBUG(0,("travsersal_fn_enum__acct: Could not convert SID [%s]\n",
     265             :                         sid_string));
     266           0 :                 return 0;
     267             :         }
     268             : 
     269          62 :         if (!NT_STATUS_IS_OK(add_sid_to_array(priv->mem_ctx, &sid,
     270             :                                               &priv->sids.list,
     271             :                                               &priv->sids.count)))
     272             :         {
     273           0 :                 return 0;
     274             :         }
     275             : 
     276          62 :         return 0;
     277             : }
     278             : 
     279             : /*********************************************************************
     280             :  Retrieve list of privileged SIDs (for _lsa_enumerate_accounts()
     281             : *********************************************************************/
     282             : 
     283           7 : NTSTATUS privilege_enumerate_accounts(struct dom_sid **sids, int *num_sids)
     284             : {
     285           7 :         struct db_context *db = get_account_pol_db();
     286             :         PRIV_SID_LIST priv;
     287             :         NTSTATUS status;
     288             : 
     289           7 :         if (db == NULL) {
     290           0 :                 return NT_STATUS_ACCESS_DENIED;
     291             :         }
     292             : 
     293           7 :         ZERO_STRUCT(priv);
     294             : 
     295           7 :         status = dbwrap_traverse_read(db, priv_traverse_fn, &priv, NULL);
     296           7 :         if (!NT_STATUS_IS_OK(status)) {
     297           0 :                 return status;
     298             :         }
     299             : 
     300             :         /* give the memory away; caller will free */
     301             : 
     302           7 :         *sids      = priv.sids.list;
     303           7 :         *num_sids  = priv.sids.count;
     304             : 
     305           7 :         return NT_STATUS_OK;
     306             : }
     307             : 
     308             : /*********************************************************************
     309             :  Retrieve list of SIDs granted a particular privilege
     310             : *********************************************************************/
     311             : 
     312          18 : NTSTATUS privilege_enum_sids(enum sec_privilege privilege, TALLOC_CTX *mem_ctx,
     313             :                              struct dom_sid **sids, int *num_sids)
     314             : {
     315          18 :         struct db_context *db = get_account_pol_db();
     316             :         PRIV_SID_LIST priv;
     317             :         NTSTATUS status;
     318             : 
     319          18 :         if (db == NULL) {
     320           0 :                 return NT_STATUS_ACCESS_DENIED;
     321             :         }
     322             : 
     323          18 :         ZERO_STRUCT(priv);
     324             : 
     325          18 :         priv.privilege = sec_privilege_mask(privilege);
     326          18 :         priv.mem_ctx = mem_ctx;
     327             : 
     328          18 :         status = dbwrap_traverse_read(db, priv_traverse_fn, &priv, NULL);
     329          18 :         if (!NT_STATUS_IS_OK(status)) {
     330           0 :                 return status;
     331             :         }
     332             : 
     333             :         /* give the memory away; caller will free */
     334             : 
     335          18 :         *sids      = priv.sids.list;
     336          18 :         *num_sids  = priv.sids.count;
     337             : 
     338          18 :         return NT_STATUS_OK;
     339             : }
     340             : 
     341             : /***************************************************************************
     342             :  Add privilege to sid
     343             : ****************************************************************************/
     344             : 
     345         766 : static bool grant_privilege_bitmap(const struct dom_sid *sid, const uint64_t priv_mask)
     346             : {
     347             :         uint64_t old_mask, new_mask;
     348             :         struct dom_sid_buf buf;
     349             : 
     350         766 :         ZERO_STRUCT( old_mask );
     351         766 :         ZERO_STRUCT( new_mask );
     352             : 
     353         766 :         if ( get_privileges( sid, &old_mask ) )
     354          16 :                 new_mask = old_mask;
     355             :         else
     356         750 :                 new_mask = 0;
     357             : 
     358         766 :         new_mask |= priv_mask;
     359             : 
     360         766 :         DEBUG(10,("grant_privilege: %s\n", dom_sid_str_buf(sid, &buf)));
     361             : 
     362         766 :         DEBUGADD( 10, ("original privilege mask: 0x%llx\n", (unsigned long long)new_mask));
     363             : 
     364         766 :         DEBUGADD( 10, ("new privilege mask:      0x%llx\n", (unsigned long long)new_mask));
     365             : 
     366         766 :         return set_privileges( sid, new_mask );
     367             : }
     368             : 
     369             : /*********************************************************************
     370             :  Add a privilege based on its name
     371             : *********************************************************************/
     372             : 
     373          49 : bool grant_privilege_by_name(const struct dom_sid *sid, const char *name)
     374             : {
     375             :         uint64_t mask;
     376             : 
     377          49 :         if (! se_priv_from_name(name, &mask)) {
     378           1 :                 DEBUG(3, ("grant_privilege_by_name: "
     379             :                           "No Such Privilege Found (%s)\n", name));
     380           1 :                 return False;
     381             :         }
     382             : 
     383          48 :         return grant_privilege_bitmap( sid, mask );
     384             : }
     385             : 
     386             : /***************************************************************************
     387             :  Grant a privilege set (list of LUID values) from a sid
     388             : ****************************************************************************/
     389             : 
     390           2 : bool grant_privilege_set(const struct dom_sid *sid, struct lsa_PrivilegeSet *set)
     391             : {
     392             :         uint64_t privilege_mask;
     393           2 :         if (!privilege_set_to_se_priv(&privilege_mask, set)) {
     394           0 :                 return false;
     395             :         }
     396           2 :         return grant_privilege_bitmap(sid, privilege_mask);
     397             : }
     398             : 
     399             : /***************************************************************************
     400             :  Remove privilege from sid
     401             : ****************************************************************************/
     402             : 
     403          40 : static bool revoke_privilege_bitmap(const struct dom_sid *sid, const uint64_t priv_mask)
     404             : {
     405             :         uint64_t mask;
     406             :         struct dom_sid_buf buf;
     407             : 
     408             :         /* if the user has no privileges, then we can't revoke any */
     409             : 
     410          40 :         if ( !get_privileges( sid, &mask ) )
     411           0 :                 return True;
     412             : 
     413          40 :         DEBUG(10,("revoke_privilege: %s\n", dom_sid_str_buf(sid, &buf)));
     414             : 
     415          40 :         DEBUGADD( 10, ("original privilege mask: 0x%llx\n", (unsigned long long)mask));
     416             : 
     417          40 :         mask &= ~priv_mask;
     418             : 
     419          40 :         DEBUGADD( 10, ("new privilege mask:      0x%llx\n", (unsigned long long)mask));
     420             : 
     421          40 :         return set_privileges( sid, mask );
     422             : }
     423             : 
     424             : /***************************************************************************
     425             :  Remove a privilege set (list of LUID values) from a sid
     426             : ****************************************************************************/
     427             : 
     428           2 : bool revoke_privilege_set(const struct dom_sid *sid, struct lsa_PrivilegeSet *set)
     429             : {
     430             :         uint64_t privilege_mask;
     431           2 :         if (!privilege_set_to_se_priv(&privilege_mask, set)) {
     432           0 :                 return false;
     433             :         }
     434           2 :         return revoke_privilege_bitmap(sid, privilege_mask);
     435             : }
     436             : 
     437             : /*********************************************************************
     438             :  Revoke all privileges
     439             : *********************************************************************/
     440             : 
     441           0 : bool revoke_all_privileges( const struct dom_sid *sid )
     442             : {
     443           0 :         return revoke_privilege_bitmap( sid, SE_ALL_PRIVS);
     444             : }
     445             : 
     446             : /*********************************************************************
     447             :  Add a privilege based on its name
     448             : *********************************************************************/
     449             : 
     450          38 : bool revoke_privilege_by_name(const struct dom_sid *sid, const char *name)
     451             : {
     452             :         uint64_t mask;
     453             : 
     454          38 :         if (! se_priv_from_name(name, &mask)) {
     455           0 :                 DEBUG(3, ("revoke_privilege_by_name: "
     456             :                           "No Such Privilege Found (%s)\n", name));
     457           0 :                 return False;
     458             :         }
     459             : 
     460          38 :         return revoke_privilege_bitmap(sid, mask);
     461             : 
     462             : }
     463             : 
     464             : /***************************************************************************
     465             :  Retrieve the SIDs assigned to a given privilege
     466             : ****************************************************************************/
     467             : 
     468         597 : NTSTATUS privilege_create_account(const struct dom_sid *sid )
     469             : {
     470         597 :         return ( grant_privilege_bitmap(sid, 0) ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL);
     471             : }
     472             : 
     473             : /***************************************************************************
     474             :  Delete a privileged account
     475             : ****************************************************************************/
     476             : 
     477           3 : NTSTATUS privilege_delete_account(const struct dom_sid *sid)
     478             : {
     479           3 :         struct db_context *db = get_account_pol_db();
     480             :         struct dom_sid_buf tmp;
     481             :         fstring keystr;
     482             : 
     483           3 :         if (!lp_enable_privileges()) {
     484           0 :                 return NT_STATUS_OK;
     485             :         }
     486             : 
     487           3 :         if (!db) {
     488           0 :                 return NT_STATUS_INVALID_HANDLE;
     489             :         }
     490             : 
     491           3 :         if (!sid || (sid->num_auths == 0)) {
     492           0 :                 return NT_STATUS_INVALID_SID;
     493             :         }
     494             : 
     495             :         /* PRIV_<SID> (NULL terminated) as the key */
     496             : 
     497           3 :         fstr_sprintf(keystr, "%s%s", PRIVPREFIX, dom_sid_str_buf(sid, &tmp));
     498             : 
     499           3 :         return dbwrap_delete_bystring(db, keystr);
     500             : }
     501             : 
     502             : /*******************************************************************
     503             : *******************************************************************/
     504             : 
     505           2 : bool is_privileged_sid( const struct dom_sid *sid )
     506             : {
     507             :         uint64_t mask;
     508             : 
     509           2 :         return get_privileges( sid, &mask );
     510             : }
     511             : 
     512             : /*******************************************************************
     513             : *******************************************************************/
     514             : 
     515         119 : bool grant_all_privileges( const struct dom_sid *sid )
     516             : {
     517             :         uint64_t mask;
     518             : 
     519         119 :         se_priv_put_all_privileges(&mask);
     520             : 
     521         119 :         return grant_privilege_bitmap( sid, mask );
     522             : }

Generated by: LCOV version 1.13