smb_sid.h revision 148c5f43199ca0b43fc8e3b643aab11cd66ea327
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* or http://www.opensolaris.org/os/licensing.
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
*/
#ifndef _SMB_SID_H
#define _SMB_SID_H
/*
* Security Identifier (SID) interface definition.
*/
#include <smbsrv/wintypes.h>
#ifdef __cplusplus
extern "C" {
#endif
/*
* Predefined global user RIDs.
*/
#define DOMAIN_USER_RID_ADMIN (0x000001F4L) /* 500 */
#define DOMAIN_USER_RID_GUEST (0x000001F5L) /* 501 */
#define DOMAIN_USER_RID_KRBTGT (0x000001F6L) /* 502 */
/*
* Predefined global group RIDs.
*/
#define DOMAIN_GROUP_RID_ADMINS (0x00000200L) /* 512 */
#define DOMAIN_GROUP_RID_USERS (0x00000201L) /* 513 */
#define DOMAIN_GROUP_RID_GUESTS (0x00000202L) /* 514 */
#define DOMAIN_GROUP_RID_COMPUTERS (0x00000203L) /* 515 */
#define DOMAIN_GROUP_RID_CONTROLLERS (0x00000204L) /* 516 */
#define DOMAIN_GROUP_RID_CERT_ADMINS (0x00000205L) /* 517 */
#define DOMAIN_GROUP_RID_SCHEMA_ADMINS (0x00000206L) /* 518 */
#define DOMAIN_GROUP_RID_EP_ADMINS (0x00000207L) /* 519 */
#define DOMAIN_GROUP_RID_GP_CREATOR (0x00000208L) /* 520 */
/*
* Predefined local alias RIDs.
*/
#define DOMAIN_ALIAS_RID_ADMINS (0x00000220L) /* 544 */
#define DOMAIN_ALIAS_RID_USERS (0x00000221L)
#define DOMAIN_ALIAS_RID_GUESTS (0x00000222L)
#define DOMAIN_ALIAS_RID_POWER_USERS (0x00000223L)
#define DOMAIN_ALIAS_RID_ACCOUNT_OPS (0x00000224L)
#define DOMAIN_ALIAS_RID_SYSTEM_OPS (0x00000225L)
#define DOMAIN_ALIAS_RID_PRINT_OPS (0x00000226L)
#define DOMAIN_ALIAS_RID_BACKUP_OPS (0x00000227L)
#define DOMAIN_ALIAS_RID_REPLICATOR (0x00000228L)
/*
* Universal and NT well-known SIDs
*/
#define NT_NULL_AUTH_SIDSTR "S-1-0"
#define NT_NULL_SIDSTR "S-1-0-0"
#define NT_WORLD_AUTH_SIDSTR "S-1-1"
#define NT_WORLD_SIDSTR "S-1-1-0"
#define NT_LOCAL_AUTH_SIDSTR "S-1-2"
#define NT_LOCAL_SIDSTR "S-1-2-0"
#define NT_CREATOR_AUTH_SIDSTR "S-1-3"
#define NT_CREATOR_OWNER_ID_SIDSTR "S-1-3-0"
#define NT_CREATOR_GROUP_ID_SIDSTR "S-1-3-1"
#define NT_CREATOR_OWNER_SERVER_ID_SIDSTR "S-1-3-2"
#define NT_CREATOR_GROUP_SERVER_ID_SIDSTR "S-1-3-3"
#define NT_OWNER_RIGHTS_SIDSTR "S-1-3-4"
#define NT_GROUP_RIGHTS_SIDSTR "S-1-3-5"
#define NT_NON_UNIQUE_IDS_SIDSTR "S-1-4"
#define NT_AUTHORITY_SIDSTR "S-1-5"
#define NT_DIALUP_SIDSTR "S-1-5-1"
#define NT_NETWORK_SIDSTR "S-1-5-2"
#define NT_BATCH_SIDSTR "S-1-5-3"
#define NT_INTERACTIVE_SIDSTR "S-1-5-4"
#define NT_LOGON_SESSION_SIDSTR "S-1-5-5"
#define NT_SERVICE_SIDSTR "S-1-5-6"
#define NT_ANONYMOUS_LOGON_SIDSTR "S-1-5-7"
#define NT_PROXY_SIDSTR "S-1-5-8"
#define NT_SERVER_LOGON_SIDSTR "S-1-5-9"
#define NT_SELF_SIDSTR "S-1-5-10"
#define NT_AUTHENTICATED_USER_SIDSTR "S-1-5-11"
#define NT_RESTRICTED_CODE_SIDSTR "S-1-5-12"
#define NT_TERMINAL_SERVER_SIDSTR "S-1-5-13"
#define NT_LOCAL_SYSTEM_SIDSTR "S-1-5-18"
#define NT_NON_UNIQUE_SIDSTR "S-1-5-21"
#define NT_BUILTIN_DOMAIN_SIDSTR "S-1-5-32"
#define NT_BUILTIN_CURRENT_OWNER_SIDSTR "S-1-5-32-766"
#define NT_BUILTIN_CURRENT_GROUP_SIDSTR "S-1-5-32-767"
/*
* SID type indicators (SID_NAME_USE).
*/
#define SidTypeNull 0
#define SidTypeUser 1
#define SidTypeGroup 2
#define SidTypeDomain 3
#define SidTypeAlias 4
#define SidTypeWellKnownGroup 5
#define SidTypeDeletedAccount 6
#define SidTypeInvalid 7
#define SidTypeUnknown 8
#define SidTypeComputer 9
#define SidTypeLabel 10
/*
* Identifier authorities for various domains.
*/
#define NT_SID_NULL_AUTH 0
#define NT_SID_WORLD_AUTH 1
#define NT_SID_LOCAL_AUTH 2
#define NT_SID_CREATOR_AUTH 3
#define NT_SID_NON_UNIQUE_AUTH 4
#define NT_SID_NT_AUTH 5
#define NT_SECURITY_NULL_AUTH {0, 0, 0, 0, 0, 0}
#define NT_SECURITY_WORLD_AUTH {0, 0, 0, 0, 0, 1}
#define NT_SECURITY_LOCAL_AUTH {0, 0, 0, 0, 0, 2}
#define NT_SECURITY_CREATOR_AUTH {0, 0, 0, 0, 0, 3}
#define NT_SECURITY_NON_UNIQUE_AUTH {0, 0, 0, 0, 0, 4}
#define NT_SECURITY_NT_AUTH {0, 0, 0, 0, 0, 5}
#define NT_SECURITY_UNIX_AUTH {0, 0, 0, 0, 0, 99}
#define SECURITY_NULL_RID (0x00000000L)
#define SECURITY_WORLD_RID (0x00000000L)
#define SECURITY_LOCAL_RID (0X00000000L)
#define SECURITY_CREATOR_OWNER_RID (0x00000000L)
#define SECURITY_CREATOR_GROUP_RID (0x00000001L)
#define SECURITY_CREATOR_OWNER_SERVER_RID (0x00000002L)
#define SECURITY_CREATOR_GROUP_SERVER_RID (0x00000003L)
#define SECURITY_OWNER_RIGHTS_RID (0x00000004L)
#define SECURITY_GROUP_RIGHTS_RID (0x00000005L)
#define SECURITY_CURRENT_OWNER_RID (0x000002FEL)
#define SECURITY_CURRENT_GROUP_RID (0x000002FFL)
#define SECURITY_DIALUP_RID (0x00000001L)
#define SECURITY_NETWORK_RID (0x00000002L)
#define SECURITY_BATCH_RID (0x00000003L)
#define SECURITY_INTERACTIVE_RID (0x00000004L)
#define SECURITY_LOGON_IDS_RID (0x00000005L)
#define SECURITY_LOGON_IDS_RID_COUNT (3L)
#define SECURITY_SERVICE_RID (0x00000006L)
#define SECURITY_ANONYMOUS_LOGON_RID (0x00000007L)
#define SECURITY_PROXY_RID (0x00000008L)
#define SECURITY_ENTERPRISE_CONTROLLERS_RID (0x00000009L)
#define SECURITY_SERVER_LOGON_RID SECURITY_ENTERPRISE_CONTROLLERS_RID
#define SECURITY_PRINCIPAL_SELF_RID (0x0000000AL)
#define SECURITY_AUTHENTICATED_USER_RID (0x0000000BL)
#define SECURITY_RESTRICTED_CODE_RID (0x0000000CL)
#define SECURITY_LOCAL_SYSTEM_RID (0x00000012L)
#define SECURITY_NT_NON_UNIQUE (0x00000015L)
#define SECURITY_BUILTIN_DOMAIN_RID (0x00000020L)
#define NT_SID_NON_UNIQUE_SUBAUTH 21
/*
* Common definition for a SID.
*/
#define NT_SID_REVISION 1
#define NT_SID_AUTH_MAX 6
#define NT_SID_SUBAUTH_MAX 15
/*
* Security Identifier (SID)
*
* The security identifier (SID) uniquely identifies a user, group or
* a domain. It consists of a revision number, the identifier authority,
* and a list of sub-authorities. The revision number is currently 1.
* The identifier authority identifies which system issued the SID. The
* sub-authorities of a domain SID uniquely identify a domain. A user
* or group SID consists of a domain SID with the user or group id
* appended. The user or group id (also known as a relative id (RID)
* uniquely identifies a user within a domain. A user or group SID
* uniquely identifies a user or group across all domains. The SidType
* values identify the various types of SID.
*
* 1 1 1 1 1 1
* 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0
* +---------------------------------------------------------------+
* | SubAuthorityCount |Reserved1 (SBZ)| Revision |
* +---------------------------------------------------------------+
* | IdentifierAuthority[0] |
* +---------------------------------------------------------------+
* | IdentifierAuthority[1] |
* +---------------------------------------------------------------+
* | IdentifierAuthority[2] |
* +---------------------------------------------------------------+
* | |
* +- - - - - - - - SubAuthority[] - - - - - - - - -+
* | |
* +---------------------------------------------------------------+
*
*/
/*
* Note: NT defines the Identifier Authority as a separate
* structure (SID_IDENTIFIER_AUTHORITY) containing a literal
* definition of a 6 byte vector but the effect is the same
* as defining it as a member value.
*/
typedef struct smb_sid {
uint8_t sid_revision;
uint8_t sid_subauthcnt;
uint8_t sid_authority[NT_SID_AUTH_MAX];
uint32_t sid_subauth[ANY_SIZE_ARRAY];
} smb_sid_t;
#define SMB_MAX_SID_SIZE ((2 * sizeof (uint8_t)) + \
(NT_SID_AUTH_MAX * sizeof (uint8_t)) + \
(NT_SID_SUBAUTH_MAX * sizeof (uint32_t)))
/*
* Estimated number of sid_subauth is SECURITY_LOGON_IDS_RID_COUNT
* plus the DOMAIN_RID and the RID.
*/
#define SMB_EST_SID_SIZE ((2 * sizeof (uint8_t)) + \
(NT_SID_AUTH_MAX * sizeof (uint8_t)) + \
((2 + SECURITY_LOGON_IDS_RID_COUNT) * sizeof (uint32_t)))
/*
* Only group attributes are defined. No user attributes defined.
*/
#define SE_GROUP_MANDATORY 0x00000001
#define SE_GROUP_ENABLED_BY_DEFAULT 0x00000002
#define SE_GROUP_ENABLED 0x00000004
#define SE_GROUP_OWNER 0x00000008
#define SE_GROUP_USE_FOR_DENY_ONLY 0x00000010
#define SE_GROUP_LOGON_ID 0xC0000000
/*
* smb_id_t consists of both the Windows security identifier
* and its corresponding POSIX/ephemeral ID.
*/
typedef struct smb_id {
uint32_t i_attrs;
smb_sid_t *i_sid;
uid_t i_id;
} smb_id_t;
typedef struct smb_ids {
uint32_t i_cnt;
smb_id_t *i_ids;
} smb_ids_t;
/*
* The maximum size of a SID in string format
*/
#define SMB_SID_STRSZ 256
boolean_t smb_sid_isvalid(smb_sid_t *);
int smb_sid_len(smb_sid_t *);
smb_sid_t *smb_sid_dup(smb_sid_t *);
smb_sid_t *smb_sid_splice(smb_sid_t *, uint32_t);
int smb_sid_getrid(smb_sid_t *, uint32_t *);
smb_sid_t *smb_sid_split(smb_sid_t *, uint32_t *);
boolean_t smb_sid_cmp(smb_sid_t *, smb_sid_t *);
boolean_t smb_sid_islocal(smb_sid_t *);
boolean_t smb_sid_indomain(smb_sid_t *, smb_sid_t *);
void smb_sid_free(smb_sid_t *);
int smb_sid_splitstr(char *, uint32_t *);
void smb_sid_tostr(const smb_sid_t *, char *);
smb_sid_t *smb_sid_fromstr(const char *);
char *smb_sid_type2str(uint16_t);
void smb_ids_free(smb_ids_t *);
#ifdef __cplusplus
}
#endif
#endif /* _SMB_SID_H */