xref: /illumos-gate/usr/src/uts/common/smbsrv/smb_token.h (revision ed5289f91b9bf164dccd6c75398362be77a4478d)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #ifndef _SMB_TOKEN_H
27 #define	_SMB_TOKEN_H
28 
29 #pragma ident	"%Z%%M%	%I%	%E% SMI"
30 
31 #include <smbsrv/netrauth.h>
32 #include <smbsrv/smb_privilege.h>
33 #include <smbsrv/smb_sid.h>
34 
35 #ifdef __cplusplus
36 extern "C" {
37 #endif
38 
39 /*
40  * User Session Key
41  *
42  * This is part of the MAC key which is required for signing SMB messages.
43  */
typedef struct smb_session_key {
	/*
	 * Raw key bytes; the length is fixed at 16. Per the comment above
	 * this is part of the SMB signing MAC key, i.e. secret material.
	 * NOTE(review): confirm that code copying or freeing this structure
	 * zeroes it afterwards and never writes it to logs.
	 */
	uint8_t data[16];
} smb_session_key_t;
47 
48 /*
49  * Access Token
50  *
51  * An access token identifies a user, the user's privileges and the
52  * list of groups of which the user is a member. This information is
53  * used when access is requested to an object by comparing this
54  * information with the DACL in the object's security descriptor.
55  *
56  * Only group attributes are defined. No user attributes defined.
57  */
58 
/*
 * Group attribute bits, presumably the values held in
 * smb_sid_attrs_t.attrs (TODO confirm). Names and values match the
 * Windows SE_GROUP_* attribute flags.
 *
 * NOTE(review): SE_GROUP_LOGON_ID sets two bits, so test it with
 * (attrs & SE_GROUP_LOGON_ID) == SE_GROUP_LOGON_ID rather than a plain
 * non-zero check. A SID marked SE_GROUP_USE_FOR_DENY_ONLY must never be
 * allowed to satisfy an allow ACE in an access check.
 */
#define	SE_GROUP_MANDATORY		0x00000001	/* cannot be disabled */
#define	SE_GROUP_ENABLED_BY_DEFAULT	0x00000002	/* enabled by default */
#define	SE_GROUP_ENABLED		0x00000004	/* used in access checks */
#define	SE_GROUP_OWNER			0x00000008	/* may be an object owner */
#define	SE_GROUP_USE_FOR_DENY_ONLY	0x00000010	/* matches deny ACEs only */
#define	SE_GROUP_LOGON_ID		0xC0000000	/* logon SID */
65 
/* A SID paired with its attribute bits. */
typedef struct smb_sid_attrs {
	uint32_t attrs;		/* presumably SE_GROUP_* bits -- TODO confirm */
	smb_sid_t *sid;		/* the SID; ownership is not shown in this header */
} smb_sid_attrs_t;
70 
71 /*
72  * smb_id_t consists of both the Windows security identifier
73  * and its corresponding POSIX/ephemeral ID.
74  */
typedef struct smb_id {
	smb_sid_attrs_t i_sidattr;	/* Windows SID and its attributes */
	/*
	 * Mapped POSIX/ephemeral ID. Declared as uid_t, but smb_win_grps_t
	 * reuses smb_id_t for groups, so this field evidently carries gids
	 * as well.
	 */
	uid_t i_id;
} smb_id_t;
79 
80 /*
81  * Windows groups (each group SID is associated with a POSIX/ephemeral
82  * gid).
83  */
typedef struct smb_win_grps {
	uint16_t wg_count;	/* presumably the number of wg_groups entries */
	/*
	 * Variable-length trailing array, declared with ANY_SIZE_ARRAY
	 * (defined elsewhere).
	 * NOTE(review): code that rebuilds this structure from a serialized
	 * buffer should check wg_count against the space actually present
	 * before indexing wg_groups.
	 */
	smb_id_t wg_groups[ANY_SIZE_ARRAY];
} smb_win_grps_t;
88 
/*
 * Access Token Flags
 *
 * SMB_ATF_GUEST	Token belongs to guest user
 * SMB_ATF_ANON		Token belongs to anonymous user
 * 			and it's only good for IPC Connection.
 * SMB_ATF_POWERUSER	Token belongs to a Power User member
 * SMB_ATF_BACKUPOP	Token belongs to a Backup Operators member
 *			(NOTE(review): this line used to repeat the
 *			Power User text; confirm against the code that
 *			sets the flag)
 * SMB_ATF_ADMIN	Token belongs to a Domain Admins member
 *
 * Each flag is a distinct bit, so the values can be OR-ed together.
 * They are presumably carried in smb_token_t.tkn_flags -- TODO confirm.
 * NOTE(review): privilege decisions should test the specific bit
 * (e.g. flags & SMB_ATF_ADMIN), never "flags != 0", because
 * SMB_ATF_GUEST and SMB_ATF_ANON mark low-trust tokens.
 */
#define	SMB_ATF_GUEST		0x00000001
#define	SMB_ATF_ANON		0x00000002
#define	SMB_ATF_POWERUSER	0x00000004
#define	SMB_ATF_BACKUPOP	0x00000008
#define	SMB_ATF_ADMIN		0x00000010
104 
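/*
 * Size in bytes of an smb_posix_grps_t that holds n group IDs.
 *
 * The "- 1" accounts for the one pg_grps element already counted by
 * sizeof (smb_posix_grps_t) (this assumes ANY_SIZE_ARRAY is 1 -- TODO
 * confirm). The argument is parenthesized so that an expression such as
 * a conditional or a shift is evaluated as a whole before the
 * subtraction.
 *
 * n must be at least 1. With n == 0 the subtraction wraps (unsigned n)
 * or goes negative (signed n) and the result is not a usable allocation
 * size. The macro performs no overflow check, so callers must bound n
 * before using the result to allocate or copy, in particular when n
 * comes from a serialized token.
 */
#define	SMB_POSIX_GRPS_SIZE(n) \
	(sizeof (smb_posix_grps_t) + ((n) - 1) * sizeof (gid_t))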
107 /*
108  * It consists of the primary and supplementary POSIX groups.
109  */
typedef struct smb_posix_grps {
	uint32_t pg_ngrps;	/* presumably the number of pg_grps entries */
	/*
	 * Variable-length trailing array; SMB_POSIX_GRPS_SIZE(n) gives the
	 * allocation size for n entries.
	 * NOTE(review): when this is rebuilt from a serialized buffer,
	 * pg_ngrps should be checked against the buffer length before use.
	 */
	gid_t pg_grps[ANY_SIZE_ARRAY];
} smb_posix_grps_t;
114 
115 /*
116  * Token Structure.
117  *
118  * This structure contains information of a user. There should be one
119  * unique token per user per session per client. The information
120  * provided will either give or deny access to shares, files or folders.
121  */
/*
 * Most members are pointers to separately described objects.
 * NOTE(review): this header does not show which of them may be NULL;
 * code consuming a token rebuilt by smb_token_mkabsolute() should check
 * each pointer before dereferencing it.
 */
typedef struct smb_token {
	smb_id_t *tkn_user;		/* presumably the user's SID and uid */
	smb_id_t *tkn_owner;		/* presumably the default owner ID */
	smb_id_t *tkn_primary_grp;	/* presumably the primary group ID */
	smb_win_grps_t *tkn_win_grps;	/* Windows group SIDs with mapped gids */
	smb_privset_t *tkn_privileges;	/* privilege set (smb_privilege.h) */
	char *tkn_account_name;
	char *tkn_domain_name;
	uint32_t tkn_flags;		/* presumably SMB_ATF_* bits -- confirm */
	uint32_t tkn_audit_sid;		/* meaning not shown in this header */
	smb_session_key_t *tkn_session_key;	/* secret signing key material */
	smb_posix_grps_t *tkn_posix_grps;	/* primary + supplementary gids */
} smb_token_t;
135 
136 /*
137  * This is the max buffer length for holding certain fields of
138  * any access token: domain, account, workstation, and IP with the
139  * format as shown below:
140  * [domain name]\[user account] [workstation] (IP)
141  *
142  * This is not meant to be the maximum buffer length for holding
143  * the entire context of a token.
144  */
/*
 * NOTE(review): the trailing 8 presumably covers the separator
 * characters of the format above plus the terminating NUL -- confirm.
 * INET_ADDRSTRLEN is sized for an IPv4 dotted-quad string only; an IPv6
 * address string needs INET6_ADDRSTRLEN. Code formatting into a buffer
 * of this size should use a bounded call and check for truncation.
 */
#define	NTTOKEN_BASIC_INFO_MAXLEN (SMB_PI_MAX_DOMAIN + SMB_PI_MAX_USERNAME \
					+ SMB_PI_MAX_HOST + INET_ADDRSTRLEN + 8)
147 
148 /*
149  * Information returned by an RPC call is allocated on an internal heap
150  * which is deallocated before returning from the interface call. The
151  * smb_userinfo structure provides a useful common mechanism to get the
152  * information back to the caller. It's like a compact access token but
153  * only parts of it are filled in by each RPC so the content is call
154  * specific.
155  */
/* A relative ID (RID) paired with attribute bits. */
typedef struct smb_rid_attrs {
	uint32_t rid;		/* relative identifier */
	uint32_t attributes;	/* presumably SE_GROUP_* bits -- TODO confirm */
} smb_rid_attrs_t;
160 
/*
 * Bit flags, presumably for smb_userinfo_t.flags (TODO confirm).
 * SMB_UINFO_FLAG_ADMIN is a two-bit mask: (flags & SMB_UINFO_FLAG_ADMIN)
 * is non-zero for either a local or a domain admin. Code that must tell
 * the two apart has to test the individual bit.
 */
#define	SMB_UINFO_FLAG_ANON	0x01
#define	SMB_UINFO_FLAG_LADMIN	0x02	/* Local admin */
#define	SMB_UINFO_FLAG_DADMIN	0x04	/* Domain admin */
#define	SMB_UINFO_FLAG_ADMIN	(SMB_UINFO_FLAG_LADMIN | SMB_UINFO_FLAG_DADMIN)
165 
166 /*
167  * This structure is mainly used where there's some
168  * kind of user related interaction with a domain
169  * controller via different RPC calls.
170  */
/*
 * As the comment further up says, each RPC fills in only part of this
 * structure, so a consumer must not assume that any given pointer
 * member is non-NULL or that a count is non-zero.
 */
typedef struct smb_userinfo {
	uint16_t sid_name_use;		/* presumably the SID type -- confirm */
	uint32_t rid;			/* user's relative ID */
	uint32_t primary_group_rid;
	char *name;
	char *domain_name;
	smb_sid_t *domain_sid;
	uint32_t n_groups;		/* presumably the length of groups[] */
	smb_rid_attrs_t *groups;
	uint32_t n_other_grps;		/* presumably the length of other_grps[] */
	smb_sid_attrs_t *other_grps;
	smb_session_key_t *session_key;	/* secret signing key material */

	smb_sid_t *user_sid;
	smb_sid_t *pgrp_sid;
	uint32_t flags;			/* presumably SMB_UINFO_FLAG_* bits */
} smb_userinfo_t;
188 
189 /* XDR routines */
/*
 * NOTE(review): these are declared with empty parameter lists. In C
 * before C23 that declares a function taking unspecified arguments, so
 * the compiler does not check the arguments at call sites. Full
 * prototypes would let it catch a wrong pointer type passed to a
 * routine that decodes data crossing the user/kernel boundary; the
 * actual signatures are not visible here and need to be confirmed
 * against the definitions.
 */
extern bool_t xdr_smb_session_key_t();
extern bool_t xdr_netr_client_t();
extern bool_t xdr_smb_sid_t();
extern bool_t xdr_smb_sid_attrs_t();
extern bool_t xdr_smb_id_t();
extern bool_t xdr_smb_win_grps_t();
extern bool_t xdr_smb_posix_grps_t();
extern bool_t xdr_smb_token_t();
198 
199 
/*
 * The two halves mirror each other: userland code gets the calls that
 * build and flatten a token (smb_logon, smb_token_mkselfrel) and that
 * unflatten a netr_client_t, while kernel code gets the reverse set.
 * Presumably "mkselfrel" serializes an object into a flat buffer whose
 * length is returned through *len, and "mkabsolute" rebuilds the object
 * from such a buffer -- TODO confirm against the implementations.
 *
 * NOTE(review): the mkabsolute routines take a raw buffer and length
 * produced on the other side of the user/kernel boundary. They should
 * treat every count and offset in it as unvalidated and return NULL on
 * malformed input; callers must check for NULL.
 */
#ifndef _KERNEL
smb_token_t *smb_logon(netr_client_t *clnt);
void smb_token_destroy(smb_token_t *token);
uint8_t *smb_token_mkselfrel(smb_token_t *obj, uint32_t *len);
netr_client_t *netr_client_mkabsolute(uint8_t *buf, uint32_t len);
void netr_client_xfree(netr_client_t *);
void smb_token_log(smb_token_t *token);
#else /* _KERNEL */
smb_token_t *smb_token_mkabsolute(uint8_t *buf, uint32_t len);
void smb_token_free(smb_token_t *token);
uint8_t *netr_client_mkselfrel(netr_client_t *obj, uint32_t *len);
#endif /* _KERNEL */
212 
/*
 * Available to both kernel and userland builds. Presumably reports
 * whether the token holds the privilege identified by priv_id; the
 * meaning of the int return value is not shown in this header -- TODO
 * confirm before relying on it in an access decision.
 */
int smb_token_query_privilege(smb_token_t *token, int priv_id);
214 
215 #ifdef __cplusplus
216 }
217 #endif
218 
219 
220 #endif /* _SMB_TOKEN_H */
221