1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2010 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #ifndef _SMB_SID_H 27 #define _SMB_SID_H 28 29 /* 30 * Security Identifier (SID) interface definition. 31 */ 32 #include <smbsrv/wintypes.h> 33 34 #ifdef __cplusplus 35 extern "C" { 36 #endif 37 38 /* 39 * Predefined global user RIDs. 40 */ 41 #define DOMAIN_USER_RID_ADMIN (0x000001F4L) /* 500 */ 42 #define DOMAIN_USER_RID_GUEST (0x000001F5L) /* 501 */ 43 #define DOMAIN_USER_RID_KRBTGT (0x000001F6L) /* 502 */ 44 45 /* 46 * Predefined global group RIDs. 47 */ 48 #define DOMAIN_GROUP_RID_ADMINS (0x00000200L) /* 512 */ 49 #define DOMAIN_GROUP_RID_USERS (0x00000201L) /* 513 */ 50 #define DOMAIN_GROUP_RID_GUESTS (0x00000202L) /* 514 */ 51 #define DOMAIN_GROUP_RID_COMPUTERS (0x00000203L) /* 515 */ 52 #define DOMAIN_GROUP_RID_CONTROLLERS (0x00000204L) /* 516 */ 53 #define DOMAIN_GROUP_RID_CERT_ADMINS (0x00000205L) /* 517 */ 54 #define DOMAIN_GROUP_RID_SCHEMA_ADMINS (0x00000206L) /* 518 */ 55 #define DOMAIN_GROUP_RID_EP_ADMINS (0x00000207L) /* 519 */ 56 #define DOMAIN_GROUP_RID_GP_CREATOR (0x00000208L) /* 520 */ 57 58 59 /* 60 * Predefined local alias RIDs. 61 */ 62 #define DOMAIN_ALIAS_RID_ADMINS (0x00000220L) /* 544 */ 63 #define DOMAIN_ALIAS_RID_USERS (0x00000221L) 64 #define DOMAIN_ALIAS_RID_GUESTS (0x00000222L) 65 #define DOMAIN_ALIAS_RID_POWER_USERS (0x00000223L) 66 #define DOMAIN_ALIAS_RID_ACCOUNT_OPS (0x00000224L) 67 #define DOMAIN_ALIAS_RID_SYSTEM_OPS (0x00000225L) 68 #define DOMAIN_ALIAS_RID_PRINT_OPS (0x00000226L) 69 #define DOMAIN_ALIAS_RID_BACKUP_OPS (0x00000227L) 70 #define DOMAIN_ALIAS_RID_REPLICATOR (0x00000228L) 71 72 73 /* 74 * Universal and NT well-known SIDs 75 */ 76 #define NT_NULL_AUTH_SIDSTR "S-1-0" 77 #define NT_NULL_SIDSTR "S-1-0-0" 78 #define NT_WORLD_AUTH_SIDSTR "S-1-1" 79 #define NT_WORLD_SIDSTR "S-1-1-0" 80 #define NT_LOCAL_AUTH_SIDSTR "S-1-2" 81 #define NT_LOCAL_SIDSTR "S-1-2-0" 82 #define NT_CREATOR_AUTH_SIDSTR "S-1-3" 83 #define NT_CREATOR_OWNER_ID_SIDSTR "S-1-3-0" 84 #define NT_CREATOR_GROUP_ID_SIDSTR "S-1-3-1" 85 #define NT_CREATOR_OWNER_SERVER_ID_SIDSTR "S-1-3-2" 86 #define NT_CREATOR_GROUP_SERVER_ID_SIDSTR "S-1-3-3" 87 #define NT_OWNER_RIGHTS_SIDSTR "S-1-3-4" 88 #define NT_GROUP_RIGHTS_SIDSTR "S-1-3-5" 89 #define NT_NON_UNIQUE_IDS_SIDSTR "S-1-4" 90 #define NT_AUTHORITY_SIDSTR "S-1-5" 91 #define NT_DIALUP_SIDSTR "S-1-5-1" 92 #define NT_NETWORK_SIDSTR "S-1-5-2" 93 #define NT_BATCH_SIDSTR "S-1-5-3" 94 #define NT_INTERACTIVE_SIDSTR "S-1-5-4" 95 #define NT_LOGON_SESSION_SIDSTR "S-1-5-5" 96 #define NT_SERVICE_SIDSTR "S-1-5-6" 97 #define NT_ANONYMOUS_LOGON_SIDSTR "S-1-5-7" 98 #define NT_PROXY_SIDSTR "S-1-5-8" 99 #define NT_SERVER_LOGON_SIDSTR "S-1-5-9" 100 #define NT_SELF_SIDSTR "S-1-5-10" 101 #define NT_AUTHENTICATED_USER_SIDSTR "S-1-5-11" 102 #define NT_RESTRICTED_CODE_SIDSTR "S-1-5-12" 103 #define NT_TERMINAL_SERVER_SIDSTR "S-1-5-13" 104 #define NT_LOCAL_SYSTEM_SIDSTR "S-1-5-18" 105 #define NT_NON_UNIQUE_SIDSTR "S-1-5-21" 106 #define NT_BUILTIN_DOMAIN_SIDSTR "S-1-5-32" 107 #define NT_BUILTIN_CURRENT_OWNER_SIDSTR "S-1-5-32-766" 108 #define NT_BUILTIN_CURRENT_GROUP_SIDSTR "S-1-5-32-767" 109 110 111 /* 112 * SID type indicators (SID_NAME_USE). 113 */ 114 #define SidTypeNull 0 115 #define SidTypeUser 1 116 #define SidTypeGroup 2 117 #define SidTypeDomain 3 118 #define SidTypeAlias 4 119 #define SidTypeWellKnownGroup 5 120 #define SidTypeDeletedAccount 6 121 #define SidTypeInvalid 7 122 #define SidTypeUnknown 8 123 #define SidTypeComputer 9 124 #define SidTypeLabel 10 125 126 127 /* 128 * Identifier authorities for various domains. 129 */ 130 #define NT_SID_NULL_AUTH 0 131 #define NT_SID_WORLD_AUTH 1 132 #define NT_SID_LOCAL_AUTH 2 133 #define NT_SID_CREATOR_AUTH 3 134 #define NT_SID_NON_UNIQUE_AUTH 4 135 #define NT_SID_NT_AUTH 5 136 137 138 #define NT_SECURITY_NULL_AUTH {0, 0, 0, 0, 0, 0} 139 #define NT_SECURITY_WORLD_AUTH {0, 0, 0, 0, 0, 1} 140 #define NT_SECURITY_LOCAL_AUTH {0, 0, 0, 0, 0, 2} 141 #define NT_SECURITY_CREATOR_AUTH {0, 0, 0, 0, 0, 3} 142 #define NT_SECURITY_NON_UNIQUE_AUTH {0, 0, 0, 0, 0, 4} 143 #define NT_SECURITY_NT_AUTH {0, 0, 0, 0, 0, 5} 144 #define NT_SECURITY_UNIX_AUTH {0, 0, 0, 0, 0, 99} 145 146 147 #define SECURITY_NULL_RID (0x00000000L) 148 #define SECURITY_WORLD_RID (0x00000000L) 149 #define SECURITY_LOCAL_RID (0X00000000L) 150 151 #define SECURITY_CREATOR_OWNER_RID (0x00000000L) 152 #define SECURITY_CREATOR_GROUP_RID (0x00000001L) 153 #define SECURITY_CREATOR_OWNER_SERVER_RID (0x00000002L) 154 #define SECURITY_CREATOR_GROUP_SERVER_RID (0x00000003L) 155 #define SECURITY_OWNER_RIGHTS_RID (0x00000004L) 156 #define SECURITY_GROUP_RIGHTS_RID (0x00000005L) 157 #define SECURITY_CURRENT_OWNER_RID (0x000002FEL) 158 #define SECURITY_CURRENT_GROUP_RID (0x000002FFL) 159 160 #define SECURITY_DIALUP_RID (0x00000001L) 161 #define SECURITY_NETWORK_RID (0x00000002L) 162 #define SECURITY_BATCH_RID (0x00000003L) 163 #define SECURITY_INTERACTIVE_RID (0x00000004L) 164 #define SECURITY_LOGON_IDS_RID (0x00000005L) 165 #define SECURITY_LOGON_IDS_RID_COUNT (3L) 166 #define SECURITY_SERVICE_RID (0x00000006L) 167 #define SECURITY_ANONYMOUS_LOGON_RID (0x00000007L) 168 #define SECURITY_PROXY_RID (0x00000008L) 169 #define SECURITY_ENTERPRISE_CONTROLLERS_RID (0x00000009L) 170 #define SECURITY_SERVER_LOGON_RID SECURITY_ENTERPRISE_CONTROLLERS_RID 171 #define SECURITY_PRINCIPAL_SELF_RID (0x0000000AL) 172 #define SECURITY_AUTHENTICATED_USER_RID (0x0000000BL) 173 #define SECURITY_RESTRICTED_CODE_RID (0x0000000CL) 174 175 #define SECURITY_LOCAL_SYSTEM_RID (0x00000012L) 176 #define SECURITY_NT_NON_UNIQUE (0x00000015L) 177 #define SECURITY_BUILTIN_DOMAIN_RID (0x00000020L) 178 179 180 #define NT_SID_NON_UNIQUE_SUBAUTH 21 181 182 183 /* 184 * Common definition for a SID. 185 */ 186 #define NT_SID_REVISION 1 187 #define NT_SID_AUTH_MAX 6 188 #define NT_SID_SUBAUTH_MAX 15 189 190 191 /* 192 * Security Identifier (SID) 193 * 194 * The security identifier (SID) uniquely identifies a user, group or 195 * a domain. It consists of a revision number, the identifier authority, 196 * and a list of sub-authorities. The revision number is currently 1. 197 * The identifier authority identifies which system issued the SID. The 198 * sub-authorities of a domain SID uniquely identify a domain. A user 199 * or group SID consists of a domain SID with the user or group id 200 * appended. The user or group id (also known as a relative id (RID) 201 * uniquely identifies a user within a domain. A user or group SID 202 * uniquely identifies a user or group across all domains. The SidType 203 * values identify the various types of SID. 204 * 205 * 1 1 1 1 1 1 206 * 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 207 * +---------------------------------------------------------------+ 208 * | SubAuthorityCount |Reserved1 (SBZ)| Revision | 209 * +---------------------------------------------------------------+ 210 * | IdentifierAuthority[0] | 211 * +---------------------------------------------------------------+ 212 * | IdentifierAuthority[1] | 213 * +---------------------------------------------------------------+ 214 * | IdentifierAuthority[2] | 215 * +---------------------------------------------------------------+ 216 * | | 217 * +- - - - - - - - SubAuthority[] - - - - - - - - -+ 218 * | | 219 * +---------------------------------------------------------------+ 220 * 221 */ 222 /* 223 * Note: NT defines the Identifier Authority as a separate 224 * structure (SID_IDENTIFIER_AUTHORITY) containing a literal 225 * definition of a 6 byte vector but the effect is the same 226 * as defining it as a member value. 227 */ 228 typedef struct smb_sid { 229 uint8_t sid_revision; 230 uint8_t sid_subauthcnt; 231 uint8_t sid_authority[NT_SID_AUTH_MAX]; 232 uint32_t sid_subauth[ANY_SIZE_ARRAY]; 233 } smb_sid_t; 234 235 #define SMB_MAX_SID_SIZE ((2 * sizeof (uint8_t)) + \ 236 (NT_SID_AUTH_MAX * sizeof (uint8_t)) + \ 237 (NT_SID_SUBAUTH_MAX * sizeof (uint32_t))) 238 239 /* 240 * Estimated number of sid_subauth is SECURITY_LOGON_IDS_RID_COUNT 241 * plus the DOMAIN_RID and the RID. 242 */ 243 #define SMB_EST_SID_SIZE ((2 * sizeof (uint8_t)) + \ 244 (NT_SID_AUTH_MAX * sizeof (uint8_t)) + \ 245 ((2 + SECURITY_LOGON_IDS_RID_COUNT) * sizeof (uint32_t))) 246 247 /* 248 * Only group attributes are defined. No user attributes defined. 249 */ 250 #define SE_GROUP_MANDATORY 0x00000001 251 #define SE_GROUP_ENABLED_BY_DEFAULT 0x00000002 252 #define SE_GROUP_ENABLED 0x00000004 253 #define SE_GROUP_OWNER 0x00000008 254 #define SE_GROUP_USE_FOR_DENY_ONLY 0x00000010 255 #define SE_GROUP_LOGON_ID 0xC0000000 256 257 /* 258 * smb_id_t consists of both the Windows security identifier 259 * and its corresponding POSIX/ephemeral ID. 260 */ 261 typedef struct smb_id { 262 uint32_t i_attrs; 263 smb_sid_t *i_sid; 264 uid_t i_id; 265 } smb_id_t; 266 267 typedef struct smb_ids { 268 uint32_t i_cnt; 269 smb_id_t *i_ids; 270 } smb_ids_t; 271 272 /* 273 * The maximum size of a SID in string format 274 */ 275 #define SMB_SID_STRSZ 256 276 277 boolean_t smb_sid_isvalid(smb_sid_t *); 278 int smb_sid_len(smb_sid_t *); 279 smb_sid_t *smb_sid_dup(smb_sid_t *); 280 smb_sid_t *smb_sid_splice(smb_sid_t *, uint32_t); 281 int smb_sid_getrid(smb_sid_t *, uint32_t *); 282 smb_sid_t *smb_sid_split(smb_sid_t *, uint32_t *); 283 boolean_t smb_sid_cmp(smb_sid_t *, smb_sid_t *); 284 boolean_t smb_sid_islocal(smb_sid_t *); 285 boolean_t smb_sid_indomain(smb_sid_t *, smb_sid_t *); 286 void smb_sid_free(smb_sid_t *); 287 int smb_sid_splitstr(char *, uint32_t *); 288 void smb_sid_tostr(smb_sid_t *, char *); 289 smb_sid_t *smb_sid_fromstr(char *); 290 char *smb_sid_type2str(uint16_t); 291 292 void smb_ids_free(smb_ids_t *); 293 294 #ifdef __cplusplus 295 } 296 #endif 297 298 299 #endif /* _SMB_SID_H */ 300