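/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
 * Copyright 2014 Nexenta Systems, Inc. All rights reserved.
 */

#ifndef _SMB_SID_H
#define	_SMB_SID_H

/*
 * Security Identifier (SID) interface definition.
 *
 * This header collects the well-known RIDs and SID strings, the
 * identifier-authority constants, the in-memory layout of a SID
 * (smb_sid_t), token group attributes, and the smb_sid_*() API.
 * Every numeric constant below is written with a lowercase 0x prefix
 * so the table can be grepped consistently.
 */
#include <smbsrv/wintypes.h>

#ifdef __cplusplus
extern "C" {
#endif

/*
 * Predefined global user RIDs.
 */
#define	DOMAIN_USER_RID_ADMIN		(0x000001F4L)	/* 500 */
#define	DOMAIN_USER_RID_GUEST		(0x000001F5L)	/* 501 */
#define	DOMAIN_USER_RID_KRBTGT		(0x000001F6L)	/* 502 */

/*
 * Predefined global group RIDs.
 */
#define	DOMAIN_GROUP_RID_ADMINS		(0x00000200L)	/* 512 */
#define	DOMAIN_GROUP_RID_USERS		(0x00000201L)	/* 513 */
#define	DOMAIN_GROUP_RID_GUESTS		(0x00000202L)	/* 514 */
#define	DOMAIN_GROUP_RID_COMPUTERS	(0x00000203L)	/* 515 */
#define	DOMAIN_GROUP_RID_CONTROLLERS	(0x00000204L)	/* 516 */
#define	DOMAIN_GROUP_RID_CERT_ADMINS	(0x00000205L)	/* 517 */
#define	DOMAIN_GROUP_RID_SCHEMA_ADMINS	(0x00000206L)	/* 518 */
#define	DOMAIN_GROUP_RID_EP_ADMINS	(0x00000207L)	/* 519 */
#define	DOMAIN_GROUP_RID_GP_CREATOR	(0x00000208L)	/* 520 */


/*
 * Predefined local alias RIDs (members of the BUILTIN domain,
 * NT_BUILTIN_DOMAIN_SIDSTR).
 */
#define	DOMAIN_ALIAS_RID_ADMINS		(0x00000220L)	/* 544 */
#define	DOMAIN_ALIAS_RID_USERS		(0x00000221L)	/* 545 */
#define	DOMAIN_ALIAS_RID_GUESTS		(0x00000222L)	/* 546 */
#define	DOMAIN_ALIAS_RID_POWER_USERS	(0x00000223L)	/* 547 */
#define	DOMAIN_ALIAS_RID_ACCOUNT_OPS	(0x00000224L)	/* 548 */
#define	DOMAIN_ALIAS_RID_SYSTEM_OPS	(0x00000225L)	/* 549 */
#define	DOMAIN_ALIAS_RID_PRINT_OPS	(0x00000226L)	/* 550 */
#define	DOMAIN_ALIAS_RID_BACKUP_OPS	(0x00000227L)	/* 551 */
#define	DOMAIN_ALIAS_RID_REPLICATOR	(0x00000228L)	/* 552 */


/*
 * Universal and NT well-known SIDs, in string form ("S-1-<auth>-...").
 * The *_AUTH_SIDSTR entries name an identifier authority alone; the
 * others are complete SIDs.
 */
#define	NT_NULL_AUTH_SIDSTR		"S-1-0"
#define	NT_NULL_SIDSTR			"S-1-0-0"
#define	NT_WORLD_AUTH_SIDSTR		"S-1-1"
#define	NT_WORLD_SIDSTR			"S-1-1-0"
#define	NT_LOCAL_AUTH_SIDSTR		"S-1-2"
#define	NT_LOCAL_SIDSTR			"S-1-2-0"
#define	NT_CREATOR_AUTH_SIDSTR		"S-1-3"
#define	NT_CREATOR_OWNER_ID_SIDSTR	"S-1-3-0"
#define	NT_CREATOR_GROUP_ID_SIDSTR	"S-1-3-1"
#define	NT_CREATOR_OWNER_SERVER_ID_SIDSTR "S-1-3-2"
#define	NT_CREATOR_GROUP_SERVER_ID_SIDSTR "S-1-3-3"
#define	NT_OWNER_RIGHTS_SIDSTR		"S-1-3-4"
#define	NT_GROUP_RIGHTS_SIDSTR		"S-1-3-5"
#define	NT_NON_UNIQUE_IDS_SIDSTR	"S-1-4"
#define	NT_AUTHORITY_SIDSTR		"S-1-5"
#define	NT_DIALUP_SIDSTR		"S-1-5-1"
#define	NT_NETWORK_SIDSTR		"S-1-5-2"
#define	NT_BATCH_SIDSTR			"S-1-5-3"
#define	NT_INTERACTIVE_SIDSTR		"S-1-5-4"
#define	NT_LOGON_SESSION_SIDSTR		"S-1-5-5"
#define	NT_SERVICE_SIDSTR		"S-1-5-6"
#define	NT_ANONYMOUS_LOGON_SIDSTR	"S-1-5-7"
#define	NT_PROXY_SIDSTR			"S-1-5-8"
#define	NT_SERVER_LOGON_SIDSTR		"S-1-5-9"
#define	NT_SELF_SIDSTR			"S-1-5-10"
#define	NT_AUTHENTICATED_USER_SIDSTR	"S-1-5-11"
#define	NT_RESTRICTED_CODE_SIDSTR	"S-1-5-12"
#define	NT_TERMINAL_SERVER_SIDSTR	"S-1-5-13"
#define	NT_LOCAL_SYSTEM_SIDSTR		"S-1-5-18"
#define	NT_NON_UNIQUE_SIDSTR		"S-1-5-21"
#define	NT_BUILTIN_DOMAIN_SIDSTR	"S-1-5-32"
#define	NT_BUILTIN_CURRENT_OWNER_SIDSTR	"S-1-5-32-766"
#define	NT_BUILTIN_CURRENT_GROUP_SIDSTR	"S-1-5-32-767"


/*
 * SID type indicators (SID_NAME_USE).
 * smb_sid_type2str() maps one of these to a printable name.
 */
#define	SidTypeNull			0
#define	SidTypeUser			1
#define	SidTypeGroup			2
#define	SidTypeDomain			3
#define	SidTypeAlias			4
#define	SidTypeWellKnownGroup		5
#define	SidTypeDeletedAccount		6
#define	SidTypeInvalid			7
#define	SidTypeUnknown			8
#define	SidTypeComputer			9
#define	SidTypeLabel			10


/*
 * Identifier authorities for various domains.
 * These are the numeric values of the "<auth>" component of the
 * *_AUTH_SIDSTR strings above (S-1-0 .. S-1-5).
 */
#define	NT_SID_NULL_AUTH		0
#define	NT_SID_WORLD_AUTH		1
#define	NT_SID_LOCAL_AUTH		2
#define	NT_SID_CREATOR_AUTH		3
#define	NT_SID_NON_UNIQUE_AUTH		4
#define	NT_SID_NT_AUTH			5


/*
 * Initializers for the 6-byte sid_authority vector of smb_sid_t
 * (big-endian; the authority number sits in the last byte).
 * NT_SECURITY_UNIX_AUTH (99) is not an NT-defined authority;
 * presumably it marks SIDs minted locally for POSIX ids -- confirm
 * against the id-mapping code before relying on that.
 */
#define	NT_SECURITY_NULL_AUTH		{0, 0, 0, 0, 0, 0}
#define	NT_SECURITY_WORLD_AUTH		{0, 0, 0, 0, 0, 1}
#define	NT_SECURITY_LOCAL_AUTH		{0, 0, 0, 0, 0, 2}
#define	NT_SECURITY_CREATOR_AUTH	{0, 0, 0, 0, 0, 3}
#define	NT_SECURITY_NON_UNIQUE_AUTH	{0, 0, 0, 0, 0, 4}
#define	NT_SECURITY_NT_AUTH		{0, 0, 0, 0, 0, 5}
#define	NT_SECURITY_UNIX_AUTH		{0, 0, 0, 0, 0, 99}


/*
 * Relative ids (RIDs) that follow the authority in the well-known
 * SIDs above; grouped by the authority they belong to.
 */
#define	SECURITY_NULL_RID			(0x00000000L)
#define	SECURITY_WORLD_RID			(0x00000000L)
#define	SECURITY_LOCAL_RID			(0x00000000L)

/* S-1-3-x (creator authority) */
#define	SECURITY_CREATOR_OWNER_RID		(0x00000000L)
#define	SECURITY_CREATOR_GROUP_RID		(0x00000001L)
#define	SECURITY_CREATOR_OWNER_SERVER_RID	(0x00000002L)
#define	SECURITY_CREATOR_GROUP_SERVER_RID	(0x00000003L)
#define	SECURITY_OWNER_RIGHTS_RID		(0x00000004L)
#define	SECURITY_GROUP_RIGHTS_RID		(0x00000005L)
#define	SECURITY_CURRENT_OWNER_RID		(0x000002FEL)	/* 766 */
#define	SECURITY_CURRENT_GROUP_RID		(0x000002FFL)	/* 767 */

/* S-1-5-x (NT authority) */
#define	SECURITY_DIALUP_RID			(0x00000001L)
#define	SECURITY_NETWORK_RID			(0x00000002L)
#define	SECURITY_BATCH_RID			(0x00000003L)
#define	SECURITY_INTERACTIVE_RID		(0x00000004L)
#define	SECURITY_LOGON_IDS_RID			(0x00000005L)
#define	SECURITY_LOGON_IDS_RID_COUNT		(3L)
#define	SECURITY_SERVICE_RID			(0x00000006L)
#define	SECURITY_ANONYMOUS_LOGON_RID		(0x00000007L)
#define	SECURITY_PROXY_RID			(0x00000008L)
#define	SECURITY_ENTERPRISE_CONTROLLERS_RID	(0x00000009L)
#define	SECURITY_SERVER_LOGON_RID	SECURITY_ENTERPRISE_CONTROLLERS_RID
#define	SECURITY_PRINCIPAL_SELF_RID		(0x0000000AL)
#define	SECURITY_AUTHENTICATED_USER_RID		(0x0000000BL)
#define	SECURITY_RESTRICTED_CODE_RID		(0x0000000CL)

#define	SECURITY_LOCAL_SYSTEM_RID		(0x00000012L)	/* 18 */
#define	SECURITY_NT_NON_UNIQUE			(0x00000015L)	/* 21 */
#define	SECURITY_BUILTIN_DOMAIN_RID		(0x00000020L)	/* 32 */


/* First sub-authority of an S-1-5-21-... domain SID. */
#define	NT_SID_NON_UNIQUE_SUBAUTH	21


/*
 * Common definition for a SID.
 *
 * NT_SID_SUBAUTH_MAX bounds sid_subauthcnt for a well-formed SID and
 * sizes SMB_MAX_SID_SIZE below; a larger count coming off the wire is
 * not a valid SID.
 */
#define	NT_SID_REVISION		1
#define	NT_SID_AUTH_MAX		6
#define	NT_SID_SUBAUTH_MAX	15


/*
 * Security Identifier (SID)
 *
 * The security identifier (SID) uniquely identifies a user, group or
 * a domain. It consists of a revision number, the identifier authority,
 * and a list of sub-authorities. The revision number is currently 1.
 * The identifier authority identifies which system issued the SID. The
 * sub-authorities of a domain SID uniquely identify a domain. A user
 * or group SID consists of a domain SID with the user or group id
 * appended. The user or group id (also known as a relative id (RID)
 * uniquely identifies a user within a domain. A user or group SID
 * uniquely identifies a user or group across all domains. The SidType
 * values identify the various types of SID.
 *
 *   1   1   1   1   1   1
 *   5   4   3   2   1   0   9   8   7   6   5   4   3   2   1   0
 * +---------------------------------------------------------------+
 * |      SubAuthorityCount        |Reserved1 (SBZ)|   Revision    |
 * +---------------------------------------------------------------+
 * |                   IdentifierAuthority[0]                      |
 * +---------------------------------------------------------------+
 * |                   IdentifierAuthority[1]                      |
 * +---------------------------------------------------------------+
 * |                   IdentifierAuthority[2]                      |
 * +---------------------------------------------------------------+
 * |                                                               |
 * +- - - - - - - - SubAuthority[] - - - - - - - - - - - - - - - -+
 * |                                                               |
 * +---------------------------------------------------------------+
 *
 */
/*
 * Note: NT defines the Identifier Authority as a separate
 * structure (SID_IDENTIFIER_AUTHORITY) containing a literal
 * definition of a 6 byte vector but the effect is the same
 * as defining it as a member value.
 *
 * sid_subauthcnt is the number of valid entries in sid_subauth[].
 * sid_subauth[] is declared with ANY_SIZE_ARRAY (from wintypes.h),
 * so sizeof (smb_sid_t) need not equal the size of a particular SID;
 * smb_sid_len() presumably reports the real size.  A SID parsed from
 * untrusted input must have sid_revision and sid_subauthcnt checked
 * against NT_SID_REVISION / NT_SID_SUBAUTH_MAX before sid_subauth[]
 * is indexed -- presumably what smb_sid_isvalid() is for; confirm.
 * See also: smb_sid_xdr()
 */
typedef struct smb_sid {
	uint8_t sid_revision;			/* NT_SID_REVISION */
	uint8_t sid_subauthcnt;			/* valid sid_subauth entries */
	uint8_t sid_authority[NT_SID_AUTH_MAX];	/* NT_SECURITY_*_AUTH */
	uint32_t sid_subauth[ANY_SIZE_ARRAY];	/* sid_subauthcnt entries */
} smb_sid_t;

/*
 * Size in bytes of the largest SID this header admits: the two
 * leading bytes, the authority vector and NT_SID_SUBAUTH_MAX
 * sub-authorities.
 */
#define	SMB_MAX_SID_SIZE	((2 * sizeof (uint8_t)) + \
	(NT_SID_AUTH_MAX * sizeof (uint8_t)) + \
	(NT_SID_SUBAUTH_MAX * sizeof (uint32_t)))

/*
 * Estimated number of sid_subauth is SECURITY_LOGON_IDS_RID_COUNT
 * plus the DOMAIN_RID and the RID.
 */
#define	SMB_EST_SID_SIZE	((2 * sizeof (uint8_t)) + \
	(NT_SID_AUTH_MAX * sizeof (uint8_t)) + \
	((2 + SECURITY_LOGON_IDS_RID_COUNT) * sizeof (uint32_t)))

/*
 * Only group attributes are defined. No user attributes defined.
 * These are bit flags (SE_GROUP_* as in the Windows token group
 * attributes); SE_GROUP_LOGON_ID occupies the top two bits.
 */
#define	SE_GROUP_MANDATORY		0x00000001
#define	SE_GROUP_ENABLED_BY_DEFAULT	0x00000002
#define	SE_GROUP_ENABLED		0x00000004
#define	SE_GROUP_OWNER			0x00000008
#define	SE_GROUP_USE_FOR_DENY_ONLY	0x00000010
#define	SE_GROUP_LOGON_ID		0xC0000000

/*
 * smb_id_t consists of both the Windows security identifier
 * and its corresponding POSIX/ephemeral ID.
 * i_attrs presumably holds SE_GROUP_* bits when the id is a group.
 * See also: smb_id_xdr()
 */
typedef struct smb_id {
	uint32_t	i_attrs;	/* group attributes, SE_GROUP_* */
	smb_sid_t	*i_sid;		/* Windows SID */
	uid_t		i_id;		/* POSIX/ephemeral id */
} smb_id_t;

/*
 * Array of smb_id_t
 * See also: smb_ids_xdr()
 */
typedef struct smb_ids {
	uint32_t	i_cnt;		/* entries in i_ids */
	smb_id_t	*i_ids;		/* released by smb_ids_free() */
} smb_ids_t;

/*
 * The maximum size of a SID in string format.
 * smb_sid_tostr() takes no buffer length, so callers are expected
 * to hand it a buffer of at least this many bytes -- confirm against
 * the implementation before sizing a smaller one.
 */
#define	SMB_SID_STRSZ		256

/*
 * SID inspection.  smb_sid_isvalid() is the only checker declared
 * here; run it on any SID obtained from the wire before the other
 * routines see it.  smb_sid_cmp() is a boolean equality test.
 */
boolean_t smb_sid_isvalid(smb_sid_t *);
int smb_sid_len(smb_sid_t *);
boolean_t smb_sid_cmp(smb_sid_t *, smb_sid_t *);
boolean_t smb_sid_islocal(smb_sid_t *);
boolean_t smb_sid_indomain(smb_sid_t *, smb_sid_t *);
int smb_sid_getrid(smb_sid_t *, uint32_t *);

/*
 * SID construction.  The routines returning smb_sid_t * presumably
 * allocate; the caller owns the result and releases it with
 * smb_sid_free().  smb_sid_splice() appends a RID to a domain SID;
 * smb_sid_split() returns the domain part and yields the RID.
 */
smb_sid_t *smb_sid_dup(smb_sid_t *);
smb_sid_t *smb_sid_splice(smb_sid_t *, uint32_t);
smb_sid_t *smb_sid_split(smb_sid_t *, uint32_t *);
void smb_sid_free(smb_sid_t *);

/*
 * String conversions.  smb_sid_splitstr() takes a non-const string,
 * so it presumably modifies its argument in place to separate the RID.
 * smb_sid_fromstr() returns NULL-or-allocated (free with smb_sid_free)
 * -- confirm the failure convention against the implementation.
 */
int smb_sid_splitstr(char *, uint32_t *);
void smb_sid_tostr(const smb_sid_t *, char *);
smb_sid_t *smb_sid_fromstr(const char *);
char *smb_sid_type2str(uint16_t);

void smb_ids_free(smb_ids_t *);

#ifdef __cplusplus
}
#endif


#endif /* _SMB_SID_H */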