xref: /titanic_50/usr/src/uts/common/smbsrv/smb_token.h (revision 3fbbb872ea33adea240e8fd8c692f6d3131cc69b)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #ifndef _SMB_TOKEN_H
27 #define	_SMB_TOKEN_H
28 
29 #pragma ident	"%Z%%M%	%I%	%E% SMI"
30 
31 #include <smbsrv/netrauth.h>
32 #include <smbsrv/smb_privilege.h>
33 
34 #ifdef __cplusplus
35 extern "C" {
36 #endif
37 
38 /*
39  * User Session Key
40  *
41  * This is part of the MAC key which is required for signing SMB messages.
42  */
43 typedef struct smb_session_key {
44 	uint8_t data[16];
45 } smb_session_key_t;
46 
47 /*
48  * Access Token
49  *
50  * An access token identifies a user, the user's privileges and the
51  * list of groups of which the user is a member. This information is
52  * used when access is requested to an object by comparing this
53  * information with the DACL in the object's security descriptor.
54  *
55  * Only group attributes are defined. No user attributes defined.
56  */
57 
58 #define	SE_GROUP_MANDATORY		0x00000001
59 #define	SE_GROUP_ENABLED_BY_DEFAULT	0x00000002
60 #define	SE_GROUP_ENABLED		0x00000004
61 #define	SE_GROUP_OWNER			0x00000008
62 #define	SE_GROUP_USE_FOR_DENY_ONLY	0x00000010
63 #define	SE_GROUP_LOGON_ID		0xC0000000
64 
65 typedef struct smb_sid_attrs {
66 	uint32_t attrs;
67 	nt_sid_t *sid;
68 } smb_sid_attrs_t;
69 
70 /*
71  * smb_id_t consists of both the Windows security identifier
72  * and its corresponding POSIX/ephemeral ID.
73  */
74 typedef struct smb_id {
75 	smb_sid_attrs_t i_sidattr;
76 	uid_t i_id;
77 } smb_id_t;
78 
79 /*
80  * Windows groups (each group SID is associated with a POSIX/ephemeral
81  * gid.
82  */
83 typedef struct smb_win_grps {
84 	uint16_t wg_count;
85 	smb_id_t wg_groups[ANY_SIZE_ARRAY];
86 } smb_win_grps_t;
87 
88 /*
89  * Access Token Flags
90  *
91  * SMB_ATF_GUEST	Token belongs to guest user
92  * SMB_ATF_ANON		Token belongs to anonymous user
93  * 			and it's only good for IPC Connection.
94  * SMB_ATF_POWERUSER	Token belongs to a Power User member
95  * SMB_ATF_BACKUPOP	Token belongs to a Power User member
96  * SMB_ATF_ADMIN	Token belongs to a Domain Admins member
97  */
98 #define	SMB_ATF_GUEST		0x00000001
99 #define	SMB_ATF_ANON		0x00000002
100 #define	SMB_ATF_POWERUSER	0x00000004
101 #define	SMB_ATF_BACKUPOP	0x00000008
102 #define	SMB_ATF_ADMIN		0x00000010
103 
104 #define	SMB_POSIX_GRPS_SIZE(n) \
105 	(sizeof (smb_posix_grps_t) + (n - 1) * sizeof (gid_t))
106 /*
107  * It consists of the primary and supplementary POSIX groups.
108  */
109 typedef struct smb_posix_grps {
110 	uint32_t pg_ngrps;
111 	gid_t pg_grps[ANY_SIZE_ARRAY];
112 } smb_posix_grps_t;
113 
114 /*
115  * Token Structure.
116  *
117  * This structure contains information of a user. There should be one
118  * unique token per user per session per client. The information
119  * provided will either give or deny access to shares, files or folders.
120  */
121 typedef struct smb_token {
122 	smb_id_t *tkn_user;
123 	smb_id_t *tkn_owner;
124 	smb_id_t *tkn_primary_grp;
125 	smb_win_grps_t *tkn_win_grps;
126 	smb_privset_t *tkn_privileges;
127 	char *tkn_account_name;
128 	char *tkn_domain_name;
129 	uint32_t tkn_flags;
130 	uint32_t tkn_audit_sid;
131 	smb_session_key_t *tkn_session_key;
132 	smb_posix_grps_t *tkn_posix_grps;
133 } smb_token_t;
134 
135 /*
136  * This is the max buffer length for holding certain fields of
137  * any access token: domain, account, workstation, and IP with the
138  * format as show below:
139  * [domain name]\[user account] [workstation] (IP)
140  *
141  * This is not meant to be the maximum buffer length for holding
142  * the entire context of a token.
143  */
144 #define	NTTOKEN_BASIC_INFO_MAXLEN (SMB_PI_MAX_DOMAIN + SMB_PI_MAX_USERNAME \
145 					+ SMB_PI_MAX_HOST + INET_ADDRSTRLEN + 8)
146 
147 /*
148  * Information returned by an RPC call is allocated on an internal heap
149  * which is deallocated before returning from the interface call. The
150  * smb_userinfo structure provides a useful common mechanism to get the
151  * information back to the caller. It's like a compact access token but
152  * only parts of it are filled in by each RPC so the content is call
153  * specific.
154  */
155 typedef struct smb_rid_attrs {
156 	uint32_t rid;
157 	uint32_t attributes;
158 } smb_rid_attrs_t;
159 
160 #define	SMB_UINFO_FLAG_ANON	0x01
161 #define	SMB_UINFO_FLAG_LADMIN	0x02	/* Local admin */
162 #define	SMB_UINFO_FLAG_DADMIN	0x04	/* Domain admin */
163 #define	SMB_UINFO_FLAG_ADMIN	(SMB_UINFO_FLAG_LADMIN | SMB_UINFO_FLAG_DADMIN)
164 
165 /*
166  * This structure is mainly used where there's some
167  * kind of user related interaction with a domain
168  * controller via different RPC calls.
169  */
170 typedef struct smb_userinfo {
171 	uint16_t sid_name_use;
172 	uint32_t rid;
173 	uint32_t primary_group_rid;
174 	char *name;
175 	char *domain_name;
176 	nt_sid_t *domain_sid;
177 	uint32_t n_groups;
178 	smb_rid_attrs_t *groups;
179 	uint32_t n_other_grps;
180 	smb_sid_attrs_t *other_grps;
181 	smb_session_key_t *session_key;
182 
183 	nt_sid_t *user_sid;
184 	nt_sid_t *pgrp_sid;
185 	uint32_t flags;
186 } smb_userinfo_t;
187 
188 /* XDR routines */
189 extern bool_t xdr_smb_session_key_t();
190 extern bool_t xdr_netr_client_t();
191 extern bool_t xdr_nt_sid_t();
192 extern bool_t xdr_smb_sid_attrs_t();
193 extern bool_t xdr_smb_id_t();
194 extern bool_t xdr_smb_win_grps_t();
195 extern bool_t xdr_smb_posix_grps_t();
196 extern bool_t xdr_smb_token_t();
197 
198 
199 #ifndef _KERNEL
200 smb_token_t *smb_logon(netr_client_t *clnt);
201 void smb_token_destroy(smb_token_t *token);
202 uint8_t *smb_token_mkselfrel(smb_token_t *obj, uint32_t *len);
203 netr_client_t *netr_client_mkabsolute(uint8_t *buf, uint32_t len);
204 #else /* _KERNEL */
205 smb_token_t *smb_token_mkabsolute(uint8_t *buf, uint32_t len);
206 void smb_token_free(smb_token_t *token);
207 uint8_t *netr_client_mkselfrel(netr_client_t *obj, uint32_t *len);
208 #endif /* _KERNEL */
209 
210 int smb_token_query_privilege(smb_token_t *token, int priv_id);
211 /*
212  * Diagnostic routines:
213  * smb_token_print: write the contents of a token to the log.
214  * smb_token_log: log message is prefixed with token basic info.
215  */
216 void smb_token_print(smb_token_t *token);
217 void smb_token_log(int level, smb_dr_user_ctx_t *user_ctx, char *fmt, ...);
218 
219 #ifdef __cplusplus
220 }
221 #endif
222 
223 
224 #endif /* _SMB_TOKEN_H */
225