      1 /*
      2  * CDDL HEADER START
      3  *
      4  * The contents of this file are subject to the terms of the
      5  * Common Development and Distribution License (the "License").
      6  * You may not use this file except in compliance with the License.
      7  *
      8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
      9  * or http://www.opensolaris.org/os/licensing.
     10  * See the License for the specific language governing permissions
     11  * and limitations under the License.
     12  *
     13  * When distributing Covered Code, include this CDDL HEADER in each
     14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
     15  * If applicable, add the following below this CDDL HEADER, with the
     16  * fields enclosed by brackets "[]" replaced with your own identifying
     17  * information: Portions Copyright [yyyy] [name of copyright owner]
     18  *
     19  * CDDL HEADER END
     20  */
     21 /*
     22  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
     23  * Use is subject to license terms.
     24  */
     25 
     26 #ifndef _SMB_TOKEN_H
     27 #define	_SMB_TOKEN_H
     28 
     29 #pragma ident	"%Z%%M%	%I%	%E% SMI"
     30 
     31 #include <smbsrv/netrauth.h>
     32 #include <smbsrv/smb_privilege.h>
     33 #include <smbsrv/smb_sid.h>
     34 
     35 #ifdef __cplusplus
     36 extern "C" {
     37 #endif
     38 
/*
 * User Session Key
 *
 * This is part of the MAC key which is required for signing SMB messages.
 *
 * NOTE(review): this is key material. Code that copies, serializes or
 * logs a token (see smb_token_mkselfrel() and smb_token_log() declared
 * below) should treat it as a secret. Whether the free paths clear it
 * before releasing the memory is not visible in this header -- confirm.
 */
typedef struct smb_session_key {
	uint8_t data[16];	/* 16 bytes of raw key data */
} smb_session_key_t;
     47 
     48 /*
     49  * Access Token
     50  *
     51  * An access token identifies a user, the user's privileges and the
     52  * list of groups of which the user is a member. This information is
     53  * used when access is requested to an object by comparing this
     54  * information with the DACL in the object's security descriptor.
     55  *
     56  * Only group attributes are defined. No user attributes defined.
     57  */
     58 
/*
 * Group attribute bits.
 * NOTE(review): presumably these are the values carried in
 * smb_sid_attrs_t.attrs -- confirm against the callers.
 */
#define	SE_GROUP_MANDATORY		0x00000001
#define	SE_GROUP_ENABLED_BY_DEFAULT	0x00000002
#define	SE_GROUP_ENABLED		0x00000004
#define	SE_GROUP_OWNER			0x00000008
/*
 * NOTE(review): going by the name, a group carrying this bit should only
 * ever be matched against deny entries; confirm that the access-check
 * code never lets such a group grant access.
 */
#define	SE_GROUP_USE_FOR_DENY_ONLY	0x00000010
/*
 * This value has two bits set (0xC0000000), so test it with
 * (attrs & SE_GROUP_LOGON_ID) == SE_GROUP_LOGON_ID; a plain non-zero
 * test also matches a word with only one of the two bits set.
 */
#define	SE_GROUP_LOGON_ID		0xC0000000
     65 
/* A SID together with a 32-bit attribute word. */
typedef struct smb_sid_attrs {
	uint32_t attrs;		/* presumably SE_GROUP_* bits -- confirm */
	smb_sid_t *sid;		/* the SID; ownership is not stated here */
} smb_sid_attrs_t;
     70 
/*
 * smb_id_t consists of both the Windows security identifier
 * and its corresponding POSIX/ephemeral ID.
 */
typedef struct smb_id {
	smb_sid_attrs_t i_sidattr;	/* Windows SID and its attributes */
	/*
	 * POSIX/ephemeral ID. The type is uid_t, but smb_win_grps_t stores
	 * its group entries as smb_id_t too, so for a group this field
	 * holds a gid.
	 */
	uid_t i_id;
} smb_id_t;
     79 
/*
 * Windows groups (each group SID is associated with a POSIX/ephemeral
 * gid).
 *
 * wg_groups is declared with ANY_SIZE_ARRAY elements; the structure is
 * presumably allocated with room for wg_count entries -- confirm.
 *
 * NOTE(review): wg_count is 16 bits wide while smb_posix_grps_t uses a
 * 32-bit count. Code that fills or decodes this structure should check
 * the count against the space actually allocated or received before
 * indexing wg_groups; that code is not visible in this header.
 */
typedef struct smb_win_grps {
	uint16_t wg_count;	/* presumably the number of wg_groups entries */
	smb_id_t wg_groups[ANY_SIZE_ARRAY];
} smb_win_grps_t;
     88 
/*
 * Access Token Flags
 *
 * SMB_ATF_GUEST	Token belongs to guest user
 * SMB_ATF_ANON		Token belongs to anonymous user
 * 			and it's only good for IPC Connection.
 * SMB_ATF_POWERUSER	Token belongs to a Power User member
 * SMB_ATF_BACKUPOP	Token belongs to a Backup Operator member
 * SMB_ATF_ADMIN	Token belongs to a Domain Admins member
 *
 * Each flag is a distinct single bit, so several can be set at once.
 * NOTE(review): presumably stored in smb_token_t.tkn_flags -- confirm.
 */
#define	SMB_ATF_GUEST		0x00000001
#define	SMB_ATF_ANON		0x00000002
#define	SMB_ATF_POWERUSER	0x00000004
#define	SMB_ATF_BACKUPOP	0x00000008
#define	SMB_ATF_ADMIN		0x00000010
    104 
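/*
 * Size in bytes of an smb_posix_grps_t that holds n group IDs.
 *
 * The "- 1" accounts for the pg_grps element already counted in
 * sizeof (smb_posix_grps_t); this presumes ANY_SIZE_ARRAY is 1 -- confirm.
 * The argument is parenthesized so that an expression argument (a sum,
 * a conditional) expands with the intended precedence. It is evaluated
 * exactly once.
 *
 * The macro does no checking: n == 0 gives a wrong size, and a very
 * large n can overflow the multiplication. Callers must ensure n >= 1
 * and bound n (for example against the number of groups actually
 * received) before using the result as an allocation or copy length.
 */
#define	SMB_POSIX_GRPS_SIZE(n) \
	(sizeof (smb_posix_grps_t) + ((n) - 1) * sizeof (gid_t))
/*
 * It consists of the primary and supplementary POSIX groups.
 */
typedef struct smb_posix_grps {
	uint32_t pg_ngrps;	/* presumably the number of pg_grps entries */
	gid_t pg_grps[ANY_SIZE_ARRAY];
} smb_posix_grps_t;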
    114 
/*
 * Token Structure.
 *
 * This structure contains information of a user. There should be one
 * unique token per user per session per client. The information
 * provided will either give or deny access to shares, files or folders.
 *
 * NOTE(review): every variable-size part is reached through a pointer.
 * Which members may be NULL, and who owns the memory, is not stated in
 * this header -- confirm against the functions that build a token
 * (smb_logon(), smb_token_mkabsolute()) and those that release it
 * (smb_token_destroy(), smb_token_free()).
 */
typedef struct smb_token {
	smb_id_t *tkn_user;		/* user SID and POSIX/ephemeral ID */
	smb_id_t *tkn_owner;		/* owner SID and POSIX/ephemeral ID */
	smb_id_t *tkn_primary_grp;	/* primary group SID and ID */
	smb_win_grps_t *tkn_win_grps;	/* Windows groups, counted array */
	smb_privset_t *tkn_privileges;	/* see smb_token_query_privilege() */
	char *tkn_account_name;
	char *tkn_domain_name;
	uint32_t tkn_flags;		/* presumably SMB_ATF_* bits -- confirm */
	uint32_t tkn_audit_sid;		/* meaning not documented here */
	smb_session_key_t *tkn_session_key;	/* signing key material */
	smb_posix_grps_t *tkn_posix_grps;	/* primary + supplementary gids */
} smb_token_t;
    135 
/*
 * This is the max buffer length for holding certain fields of
 * any access token: domain, account, workstation, and IP with the
 * format as shown below:
 * [domain name]\[user account] [workstation] (IP)
 *
 * This is not meant to be the maximum buffer length for holding
 * the entire context of a token.
 *
 * NOTE(review): the trailing "+ 8" presumably covers the separator
 * characters in the format above and the terminating NUL -- confirm.
 * The account, domain and workstation strings originate from the
 * client, so a buffer of this size should still be filled with a
 * length-bounded formatter rather than relied on to be large enough.
 */
#define	NTTOKEN_BASIC_INFO_MAXLEN (SMB_PI_MAX_DOMAIN + SMB_PI_MAX_USERNAME \
					+ SMB_PI_MAX_HOST + INET_ADDRSTRLEN + 8)
    147 
    148 /*
    149  * Information returned by an RPC call is allocated on an internal heap
    150  * which is deallocated before returning from the interface call. The
    151  * smb_userinfo structure provides a useful common mechanism to get the
    152  * information back to the caller. It's like a compact access token but
    153  * only parts of it are filled in by each RPC so the content is call
    154  * specific.
    155  */
typedef struct smb_rid_attrs {
	uint32_t rid;		/* relative ID; the SID it is relative to */
				/* is not stated here -- confirm */
	uint32_t attributes;	/* presumably SE_GROUP_* bits -- confirm */
} smb_rid_attrs_t;
    160 
/* NOTE(review): presumably the bits of smb_userinfo_t.flags -- confirm. */
#define	SMB_UINFO_FLAG_ANON	0x01
#define	SMB_UINFO_FLAG_LADMIN	0x02	/* Local admin */
#define	SMB_UINFO_FLAG_DADMIN	0x04	/* Domain admin */
/*
 * Mask of both admin bits: (flags & SMB_UINFO_FLAG_ADMIN) != 0 is true
 * for a local admin as well as a domain admin. Test the single bit when
 * the two must be told apart.
 */
#define	SMB_UINFO_FLAG_ADMIN	(SMB_UINFO_FLAG_LADMIN | SMB_UINFO_FLAG_DADMIN)
    165 
/*
 * This structure is mainly used where there's some
 * kind of user related interaction with a domain
 * controller via different RPC calls.
 *
 * NOTE(review): the contents come from a domain controller and only
 * some members are filled in by any one call, so consumers should not
 * assume a pointer is non-NULL or that a count matches its array
 * without checking -- confirm against the RPC code that fills it.
 */
typedef struct smb_userinfo {
	uint16_t sid_name_use;
	uint32_t rid;
	uint32_t primary_group_rid;
	char *name;
	char *domain_name;
	smb_sid_t *domain_sid;
	uint32_t n_groups;		/* presumably the length of groups */
	smb_rid_attrs_t *groups;
	uint32_t n_other_grps;		/* presumably the length of other_grps */
	smb_sid_attrs_t *other_grps;
	smb_session_key_t *session_key;	/* signing key material */

	smb_sid_t *user_sid;
	smb_sid_t *pgrp_sid;
	uint32_t flags;			/* presumably SMB_UINFO_FLAG_* bits */
} smb_userinfo_t;
    188 
/*
 * XDR routines
 *
 * NOTE(review): these are declared with empty parameter lists, so the
 * compiler does not check the arguments at any call site. They encode
 * and decode the token types above; giving them full prototypes would
 * let the compiler catch a mismatched argument, but that needs the XDR
 * types, which this header does not include -- left unchanged here.
 */
extern bool_t xdr_smb_session_key_t();
extern bool_t xdr_netr_client_t();
extern bool_t xdr_smb_sid_t();
extern bool_t xdr_smb_sid_attrs_t();
extern bool_t xdr_smb_id_t();
extern bool_t xdr_smb_win_grps_t();
extern bool_t xdr_smb_posix_grps_t();
extern bool_t xdr_smb_token_t();
    198 
    199 
/*
 * The two halves below mirror each other: outside the kernel a token is
 * turned into a byte buffer (smb_token_mkselfrel) and a netr_client_t is
 * rebuilt from one (netr_client_mkabsolute); inside the kernel it is the
 * other way round.
 *
 * NOTE(review): the *_mkabsolute() functions take a (buf, len) pair that
 * crosses the user/kernel boundary. Presumably they decode it with the
 * XDR routines above; the decoder should reject a buffer whose embedded
 * counts (wg_count, pg_ngrps) or string lengths do not fit in len.
 * The implementations are not visible in this header -- confirm.
 */
#ifndef _KERNEL
/* Builds a token for the client described by clnt. */
smb_token_t *smb_logon(netr_client_t *clnt);
void smb_token_destroy(smb_token_t *token);
/* Returns a byte buffer for obj and stores its length through len. */
uint8_t *smb_token_mkselfrel(smb_token_t *obj, uint32_t *len);
netr_client_t *netr_client_mkabsolute(uint8_t *buf, uint32_t len);
void netr_client_xfree(netr_client_t *);
/*
 * NOTE(review): a token carries a session key; confirm that logging a
 * token never writes the key itself.
 */
void smb_token_log(smb_token_t *token);
#else /* _KERNEL */
smb_token_t *smb_token_mkabsolute(uint8_t *buf, uint32_t len);
void smb_token_free(smb_token_t *token);
/* Returns a byte buffer for obj and stores its length through len. */
uint8_t *netr_client_mkselfrel(netr_client_t *obj, uint32_t *len);
#endif /* _KERNEL */

/*
 * Available in both builds. Presumably reports whether the token holds
 * the privilege identified by priv_id; the meaning of the int result is
 * not stated here -- confirm before using it in an access decision.
 */
int smb_token_query_privilege(smb_token_t *token, int priv_id);
    214 
    215 #ifdef __cplusplus
    216 }
    217 #endif
    218 
    219 
    220 #endif /* _SMB_TOKEN_H */
    221