path: root/libcli/security/util_sid.c
Age | Commit message | Author | Files | Lines
2025-02-14 | libcli/security: simplify logic in add_sid_to_array_attrs() | Stefan Metzmacher | 1 | -2/+8
    (struct auth_SidAttr) {} makes sure we don't leave uninitialized memory in case struct auth_SidAttr will change (which will happen in the next commits).
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
2025-02-14 | libcli/security: add some more global_sid_ values required for SID filtering | Stefan Metzmacher | 1 | -0/+30
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
2025-01-29 | libcli/security: let dom_sid_lookup_predefined_sid() behave like Windows 2008R2 | Stefan Metzmacher | 1 | -4/+1
    Windows 2008R2 (172.31.9.133) returns the following:
        #> rpcclient 172.31.9.133 -Uadministrator%A1b2C3d4 -c 'lookupsids S-1-22-1 S-1-22-1-0;lookupsids S-1-22;lookupsids S-1-3-0 S-1-3-99;lookupsids S-1-3'
        S-1-22-1 *unknown*\*unknown* (8)
        S-1-22-1-0 *unknown*\*unknown* (8)
        result was NT_STATUS_INVALID_SID
        S-1-3-0 \CREATOR OWNER (5)
        S-1-3-99 *unknown*\*unknown* (8)
        result was NT_STATUS_INVALID_SID
    While the current Samba (172.31.9.163) returns the following:
        #> rpcclient 172.31.9.163 -Uadministrator%A1b2C3d4 -c 'lookupsids S-1-22-1 S-1-22-1-0;lookupsids S-1-22;lookupsids S-1-3-0 S-1-3-99;lookupsids S-1-3'
        result was NT_STATUS_INVALID_SID
        result was NT_STATUS_INVALID_SID
        S-1-3-0 \CREATOR OWNER (5)
        S-1-3-99 *unknown*\*unknown* (8)
        S-1-3 *unknown*\*unknown* (8)
    With this change also return the same as Windows 2008R2:
        #> rpcclient 172.31.9.163 -Uadministrator%A1b2C3d4 -c 'lookupsids S-1-22-1 S-1-22-1-0;lookupsids S-1-22;lookupsids S-1-3-0 S-1-3-99;lookupsids S-1-3'
        S-1-22-1 *unknown*\*unknown* (8)
        S-1-22-1-0 *unknown*\*unknown* (8)
        result was NT_STATUS_INVALID_SID
        S-1-3-0 \CREATOR OWNER (5)
        S-1-3-99 *unknown*\*unknown* (8)
        result was NT_STATUS_INVALID_SID
    This is a minimal fix in order to avoid crashes in the Windows Explorer.
    The real fix needs more work and additional tests, as the behavior seems to be different in newer Windows releases.
    The following patch will let us behave like Windows 2022/2025...
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14213
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-12-17 | lib: Fix Coverity ID 1636566 Untrusted loop bound | Volker Lendecke | 1 | -3/+4
    Sanitize num_auths to [0,15] in sid_copy()
    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
2024-02-28 | libcli/security: Add SID_FRESH_PUBLIC_KEY_IDENTITY | Andrew Bartlett | 1 | -0/+4
    This allows an ACL level check (rather than only an all-or-nothing KDC configuration) that PKINIT freshness was used during the AS-REQ.
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2023-11-01 | libcli/security: Add sid_attrs_contains_sid() | Joseph Sutton | 1 | -0/+22
    Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 | libcli/security: Make use of sids_contains_sid() | Joseph Sutton | 1 | -5/+4
    Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 | libcli/security: Add sids_contains_sid() | Joseph Sutton | 1 | -0/+22
    Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 | libcli/security: Make use of sids_contains_sid_attrs() | Joseph Sutton | 1 | -9/+3
    Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 | libcli/security: Rename sids_contains_sid() to sids_contains_sid_attrs() | Joseph Sutton | 1 | -4/+4
    Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 | s4:dsdb: Make sids_contains_sid() usable by other Samba modules | Joseph Sutton | 1 | -0/+30
    Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 | libcli/security: Correct function documentation | Joseph Sutton | 1 | -1/+1
    Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 | libcli/security: Remove unnecessary return statement | Joseph Sutton | 1 | -2/+0
    Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-25 | libcli/security: Fix code spelling | Joseph Sutton | 1 | -1/+1
    Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-27 | libcli:security: Add Compounded Authentication and Claims Valid SID constants | Joseph Sutton | 1 | -0/+6
    Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-27 | libcli:security: Correct Asserted Identity SID definitions | Joseph Sutton | 1 | -2/+2
    These definitions were the wrong way round.
    Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-27 | libcli:security: Add SELF SID constant | Joseph Sutton | 1 | -0/+3
    Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-14 | lib: Move few bytes of R/W data to R/O text | Volker Lendecke | 1 | -24/+34
    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
2023-08-08 | libcli/security: Remove unused function sid_compare_domain() | Joseph Sutton | 1 | -18/+0
    Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 | libcli/security: Call dom_sid_compare_domain() instead of sid_compare_domain() | Joseph Sutton | 1 | -1/+1
    The two functions are identical in behaviour.
    Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-16 | rpc: Add global_sid_Samba_NPA_Flags SID | Volker Lendecke | 1 | -0/+7
    This will be used as a flexible way to pass per-RPC-connection flags over ncalrpc to the RPC server without having to modify named_pipe_auth_req_info6 every time something new needs to be passed.
    It's modeled after global_sid_Samba_SMB3.
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361
    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-04-27 | libcli:security: Fix code spelling | Andreas Schneider | 1 | -1/+1
    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Volker Lendecke <vl@samba.org>
2023-03-09 | libcli/security: Avoid includes.h | Volker Lendecke | 1 | -1/+2
    Don't rebuild libcli/security when not necessary
    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
2023-02-08 | libcli/security: Add auth_SidAttr utility functions | Joseph Sutton | 1 | -0/+68
    These functions are modelled on add_sid_to_array() and add_sid_to_array_unique(). They differ in that they operate not on an array of dom_sid, but of auth_SidAttr, and take an additional 'attrs' parameter of type uint32_t.
    Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-10-21 | libcli/security: Make null_sid static const, not just const | Joseph Sutton | 1 | -1/+1
    Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2022-10-21 | libcli/security: Fix function header comments in SID handling | Joseph Sutton | 1 | -2/+2
    Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-10-08 | smbd: Make SID_SAMBA_SMB3 a static SID | Volker Lendecke | 1 | -0/+4
    No need to parse it
    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
2020-08-28 | lib/util: remove extra safe_string.h file | Matthew DeVore | 1 | -0/+3
    lib/util/safe_string.h is similar to source3/include/safe_string.h, but the former has fewer checks. It is missing bcopy, strcasecmp, and strncasecmp.
    Add the missing elements to lib/util/safe_string.h and remove the other safe_string.h which is in the source3-specific path. To accommodate existing uses of str(n?)casecmp, add #undef lines to source files where they are used.
    Signed-off-by: Matthew DeVore <matvore@google.com>
    Reviewed-by: David Mulder <dmulder@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
    Autobuild-User(master): Jeremy Allison <jra@samba.org>
    Autobuild-Date(master): Fri Aug 28 02:18:40 UTC 2020 on sn-devel-184
2019-03-12 | lib: Remove "struct sid_parse_ret" again | Volker Lendecke | 1 | -4/+3
    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-03-12 | lib: Make sid_parse return the parsed length | Volker Lendecke | 1 | -3/+4
    Use a temporary struct as a return value to make the compiler catch all callers. If we just changed bool->ssize_t, this would just generate a warning. struct sid_parse_ret will go away in the next commit
    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-12-05 | libcli/security: add dom_sid_lookup_is_predefined_domain() | Ralph Boehme | 1 | -0/+33
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12164
    Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
    Signed-off-by: Ralph Boehme <slow@samba.org>
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: David Mulder <dmulder@suse.com>
    Reviewed-by: Andreas Schneider <asn@samba.org>
2018-03-16 | libcli/security: fix some SID values in comments | Stefan Metzmacher | 1 | -3/+3
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Ralph Boehme <slow@samba.org>
    Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
    Autobuild-Date(master): Fri Mar 16 19:47:15 CET 2018 on sn-devel-144
2018-02-21 | libcli/security: add dom_sid_lookup_predefined_{sid,name}() | Stefan Metzmacher | 1 | -0/+499
    This basically implements [MS-LSAT] 3.1.1.1.1 Predefined Translation Database and Corresponding View.
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Ralph Boehme <slow@samba.org>
2017-11-13 | lib: Save a few bytes of .text | Volker Lendecke | 1 | -1/+1
    Looks surprising, but this does save bytes if you look at the object with "size".
    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
2017-11-13 | libcli: Fix a signed/unsigned hickup | Volker Lendecke | 1 | -1/+1
    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
2017-03-23 | libcli/security: add SID_NAME_LABEL to sid_type_lookup() | Stefan Metzmacher | 1 | -1/+2
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
2017-01-23 | libcli: Add an overflow check | Volker Lendecke | 1 | -0/+4
    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
2017-01-23 | libcli: Do not overwrite pointer on realloc failure | Volker Lendecke | 1 | -3/+5
    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
2016-09-29 | lib: Annotate well known SID names | Steve French | 1 | -1/+35
    Add Samba specific well known SIDs for Unix UID and GID owner.
    Signed-off-by: Steve French <smfrench@gmail.com>
    Reviewed-by: Guenther Deschner <gd@samba.org>
2016-01-15 | security: Add Asserted Identity sids (S-1-18) | Günther Deschner | 1 | -0/+8
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=11677
    definitions taken from [MS-DTYP]: Windows Data Types, 2.4.2.4 Well-Known SID Structures.
    Guenther
    Signed-off-by: Günther Deschner <gd@samba.org>
    Reviewed-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
2015-08-26 | lib: Remove unused sid_blob_parse | Volker Lendecke | 1 | -14/+6
    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
2015-08-26 | lib: Make sid_parse take a uint8_t | Volker Lendecke | 1 | -1/+1
    sid_parse takes a binary blob, uint8_t reflects this a bit better than char * does
    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
2015-08-20 | lib: Use dom_sid_equal where appropriate | Volker Lendecke | 1 | -1/+2
    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Ira Cooper <ira@samba.org>
2014-12-04 | libcli/security: add NFS SID mappings | Ralph Boehme | 1 | -0/+17
    Signed-off-by: Ralph Boehme <slow@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
2014-05-27 | libcli: Avoid an explicit memset call | Volker Lendecke | 1 | -4/+4
    On x86 with -O3, this saves surprising 160 bytes .text
    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: David Disseldorp <ddiss@samba.org>
2012-03-14 | Fix bug #8795 - Samba does not handle the Owner Rights permissions at all | Richard Sharpe | 1 | -0/+2
    Signed-off-by: Jeremy Allison <jra@samba.org>
    Autobuild-User: Jeremy Allison <jra@samba.org>
    Autobuild-Date: Wed Mar 14 02:26:34 CET 2012 on sn-devel-104
2011-11-24 | security: add local authority well-known SIDs | Christian Ambach | 1 | -0/+2
    add the S-1-2 well-known SID family
    Autobuild-User: Christian Ambach <ambi@samba.org>
    Autobuild-Date: Thu Nov 24 19:01:08 CET 2011 on sn-devel-104
2011-08-17 | Adapt del_sid_from_array to Samba coding style | Volker Lendecke | 1 | -1/+2
    Autobuild-User: Volker Lendecke <vlendec@samba.org>
    Autobuild-Date: Wed Aug 17 16:46:24 CEST 2011 on sn-devel-104
2011-08-17 | Fix a typo | Volker Lendecke | 1 | -1/+1
2011-08-17 | Remove unused "sid_equal" | Volker Lendecke | 1 | -9/+0