xref: /titanic_41/usr/src/uts/common/smbsrv/smb_token.h (revision 0868d822e4819c94055f84b183d3e104ba603066)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #ifndef _SMB_TOKEN_H
27 #define	_SMB_TOKEN_H
28 
29 #include <smbsrv/netrauth.h>
30 #include <smbsrv/smb_privilege.h>
31 #include <smbsrv/smb_sid.h>
32 
33 #ifdef __cplusplus
34 extern "C" {
35 #endif
36 
37 /*
38  * User Session Key
39  *
40  * This is part of the MAC key which is required for signing SMB messages.
41  */
42 typedef struct smb_session_key {
43 	uint8_t data[16];
44 } smb_session_key_t;
45 
46 /*
47  * Access Token
48  *
49  * An access token identifies a user, the user's privileges and the
50  * list of groups of which the user is a member. This information is
51  * used when access is requested to an object by comparing this
52  * information with the DACL in the object's security descriptor.
53  *
54  * Only group attributes are defined. No user attributes defined.
55  */
56 
57 #define	SE_GROUP_MANDATORY		0x00000001
58 #define	SE_GROUP_ENABLED_BY_DEFAULT	0x00000002
59 #define	SE_GROUP_ENABLED		0x00000004
60 #define	SE_GROUP_OWNER			0x00000008
61 #define	SE_GROUP_USE_FOR_DENY_ONLY	0x00000010
62 #define	SE_GROUP_LOGON_ID		0xC0000000
63 
64 typedef struct smb_sid_attrs {
65 	uint32_t attrs;
66 	smb_sid_t *sid;
67 } smb_sid_attrs_t;
68 
69 /*
70  * smb_id_t consists of both the Windows security identifier
71  * and its corresponding POSIX/ephemeral ID.
72  */
73 typedef struct smb_id {
74 	smb_sid_attrs_t i_sidattr;
75 	uid_t i_id;
76 } smb_id_t;
77 
78 /*
79  * Windows groups (each group SID is associated with a POSIX/ephemeral
80  * gid.
81  */
82 typedef struct smb_win_grps {
83 	uint16_t wg_count;
84 	smb_id_t wg_groups[ANY_SIZE_ARRAY];
85 } smb_win_grps_t;
86 
87 /*
88  * Access Token Flags
89  *
90  * SMB_ATF_GUEST	Token belongs to guest user
91  * SMB_ATF_ANON		Token belongs to anonymous user
92  * 			and it's only good for IPC Connection.
93  * SMB_ATF_POWERUSER	Token belongs to a Power User member
94  * SMB_ATF_BACKUPOP	Token belongs to a Power User member
95  * SMB_ATF_ADMIN	Token belongs to a Domain Admins member
96  */
97 #define	SMB_ATF_GUEST		0x00000001
98 #define	SMB_ATF_ANON		0x00000002
99 #define	SMB_ATF_POWERUSER	0x00000004
100 #define	SMB_ATF_BACKUPOP	0x00000008
101 #define	SMB_ATF_ADMIN		0x00000010
102 
103 #define	SMB_POSIX_GRPS_SIZE(n) \
104 	(sizeof (smb_posix_grps_t) + (n - 1) * sizeof (gid_t))
105 /*
106  * It consists of the primary and supplementary POSIX groups.
107  */
108 typedef struct smb_posix_grps {
109 	uint32_t pg_ngrps;
110 	gid_t pg_grps[ANY_SIZE_ARRAY];
111 } smb_posix_grps_t;
112 
113 /*
114  * Token Structure.
115  *
116  * This structure contains information of a user. There should be one
117  * unique token per user per session per client. The information
118  * provided will either give or deny access to shares, files or folders.
119  */
120 typedef struct smb_token {
121 	smb_id_t *tkn_user;
122 	smb_id_t *tkn_owner;
123 	smb_id_t *tkn_primary_grp;
124 	smb_win_grps_t *tkn_win_grps;
125 	smb_privset_t *tkn_privileges;
126 	char *tkn_account_name;
127 	char *tkn_domain_name;
128 	uint32_t tkn_flags;
129 	uint32_t tkn_audit_sid;
130 	smb_session_key_t *tkn_session_key;
131 	smb_posix_grps_t *tkn_posix_grps;
132 } smb_token_t;
133 
134 /*
135  * Information returned by an RPC call is allocated on an internal heap
136  * which is deallocated before returning from the interface call. The
137  * smb_userinfo structure provides a useful common mechanism to get the
138  * information back to the caller. It's like a compact access token but
139  * only parts of it are filled in by each RPC so the content is call
140  * specific.
141  */
142 typedef struct smb_rid_attrs {
143 	uint32_t rid;
144 	uint32_t attributes;
145 } smb_rid_attrs_t;
146 
147 #define	SMB_UINFO_FLAG_ANON	0x01
148 #define	SMB_UINFO_FLAG_LADMIN	0x02	/* Local admin */
149 #define	SMB_UINFO_FLAG_DADMIN	0x04	/* Domain admin */
150 #define	SMB_UINFO_FLAG_ADMIN	(SMB_UINFO_FLAG_LADMIN | SMB_UINFO_FLAG_DADMIN)
151 
152 /*
153  * This structure is mainly used where there's some
154  * kind of user related interaction with a domain
155  * controller via different RPC calls.
156  */
157 typedef struct smb_userinfo {
158 	uint16_t sid_name_use;
159 	uint32_t rid;
160 	uint32_t primary_group_rid;
161 	char *name;
162 	char *domain_name;
163 	smb_sid_t *domain_sid;
164 	uint32_t n_groups;
165 	smb_rid_attrs_t *groups;
166 	uint32_t n_other_grps;
167 	smb_sid_attrs_t *other_grps;
168 	smb_session_key_t *session_key;
169 
170 	smb_sid_t *user_sid;
171 	smb_sid_t *pgrp_sid;
172 	uint32_t flags;
173 } smb_userinfo_t;
174 
175 /* XDR routines */
176 extern bool_t xdr_smb_session_key_t();
177 extern bool_t xdr_netr_client_t();
178 extern bool_t xdr_smb_sid_t();
179 extern bool_t xdr_smb_sid_attrs_t();
180 extern bool_t xdr_smb_id_t();
181 extern bool_t xdr_smb_win_grps_t();
182 extern bool_t xdr_smb_posix_grps_t();
183 extern bool_t xdr_smb_token_t();
184 
185 
186 #ifndef _KERNEL
187 smb_token_t *smb_logon(netr_client_t *clnt);
188 void smb_token_destroy(smb_token_t *token);
189 uint8_t *smb_token_mkselfrel(smb_token_t *obj, uint32_t *len);
190 netr_client_t *netr_client_mkabsolute(uint8_t *buf, uint32_t len);
191 void netr_client_xfree(netr_client_t *);
192 void smb_token_log(smb_token_t *token);
193 #else /* _KERNEL */
194 smb_token_t *smb_token_mkabsolute(uint8_t *buf, uint32_t len);
195 void smb_token_free(smb_token_t *token);
196 uint8_t *netr_client_mkselfrel(netr_client_t *obj, uint32_t *len);
197 #endif /* _KERNEL */
198 
199 int smb_token_query_privilege(smb_token_t *token, int priv_id);
200 
201 #ifdef __cplusplus
202 }
203 #endif
204 
205 
206 #endif /* _SMB_TOKEN_H */
207