Author: gd Date: 2007-07-17 11:47:17 +0000 (Tue, 17 Jul 2007) New Revision: 23928
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=23928 Log: Merge all "copy-info3-groups-to-sid-array" blocks to a sid_array_from_info3() function. Guenther Modified: branches/SAMBA_3_2/source/auth/auth_util.c branches/SAMBA_3_2/source/lib/util_sid.c branches/SAMBA_3_2/source/nsswitch/winbindd_pam.c branches/SAMBA_3_2_0/source/auth/auth_util.c branches/SAMBA_3_2_0/source/lib/util_sid.c branches/SAMBA_3_2_0/source/nsswitch/winbindd_pam.c Changeset: Modified: branches/SAMBA_3_2/source/auth/auth_util.c =================================================================== --- branches/SAMBA_3_2/source/auth/auth_util.c 2007-07-17 11:22:43 UTC (rev 23927) +++ branches/SAMBA_3_2/source/auth/auth_util.c 2007-07-17 11:47:17 UTC (rev 23928) @@ -1405,8 +1405,6 @@ uid_t uid; gid_t gid; - size_t i; - auth_serversupplied_info *result; /* @@ -1584,37 +1582,13 @@ result->num_sids = 0; result->sids = NULL; - /* and create (by appending rids) the 'domain' sids */ - - for (i = 0; i < info3->num_groups2; i++) { - DOM_SID sid; - if (!sid_compose(&sid, &info3->dom_sid.sid, - info3->gids[i].g_rid)) { - DEBUG(3,("could not append additional group rid " - "0x%x\n", info3->gids[i].g_rid)); - TALLOC_FREE(result); - return NT_STATUS_INVALID_PARAMETER; - } - if (!add_sid_to_array(result, &sid, &result->sids, - &result->num_sids)) { - TALLOC_FREE(result); - return NT_STATUS_NO_MEMORY; - } - } - - /* Copy 'other' sids. We need to do sid filtering here to - prevent possible elevation of privileges. See: - - http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp - */ - - for (i = 0; i < info3->num_other_sids; i++) { - if (!add_sid_to_array(result, &info3->other_sids[i].sid, + nt_status = sid_array_from_info3(result, info3, &result->sids, - &result->num_sids)) { - TALLOC_FREE(result); - return NT_STATUS_NO_MEMORY; - } + &result->num_sids, + False); + if (!NT_STATUS_IS_OK(nt_status)) { + TALLOC_FREE(result); + return nt_status; } result->login_server = unistr2_tdup(result, Modified: branches/SAMBA_3_2/source/lib/util_sid.c =================================================================== --- branches/SAMBA_3_2/source/lib/util_sid.c 2007-07-17 11:22:43 UTC (rev 23927) +++ branches/SAMBA_3_2/source/lib/util_sid.c 2007-07-17 11:47:17 UTC (rev 23928) @@ -669,3 +669,68 @@ static const DOM_SID null_sid = {0}; return sid_equal(sid, &null_sid); } + +NTSTATUS sid_array_from_info3(TALLOC_CTX *mem_ctx, + const NET_USER_INFO_3 *info3, + DOM_SID **user_sids, + size_t *num_user_sids, + BOOL include_user_group_rid) +{ + DOM_SID sid; + DOM_SID *sid_array = NULL; + size_t num_sids = 0; + int i; + + if (include_user_group_rid) { + + if (!sid_compose(&sid, &(info3->dom_sid.sid), + info3->user_rid) + || !add_sid_to_array(mem_ctx, &sid, + &sid_array, &num_sids)) { + DEBUG(3,("could not add user SID from rid 0x%x\n", + info3->user_rid)); + return NT_STATUS_INVALID_PARAMETER; + } + + if (!sid_compose(&sid, &(info3->dom_sid.sid), + info3->group_rid) + || !add_sid_to_array(mem_ctx, &sid, + &sid_array, &num_sids)) { + DEBUG(3,("could not append additional group rid 0x%x\n", + info3->group_rid)); + + return NT_STATUS_INVALID_PARAMETER; + } + } + + for (i = 0; i < info3->num_groups2; i++) { + if (!sid_compose(&sid, &(info3->dom_sid.sid), + info3->gids[i].g_rid) + || !add_sid_to_array(mem_ctx, &sid, + &sid_array, &num_sids)) { + DEBUG(3,("could not append additional group rid 0x%x\n", + info3->gids[i].g_rid)); + return NT_STATUS_INVALID_PARAMETER; + } + } + + /* Copy 'other' sids. We need to do sid filtering here to + prevent possible elevation of privileges. See: + + http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp + */ + + for (i = 0; i < info3->num_other_sids; i++) { + if (!add_sid_to_array(mem_ctx, &info3->other_sids[i].sid, + &sid_array, &num_sids)) { + DEBUG(3, ("could not add SID to array: %s\n", + sid_string_static(&info3->other_sids[i].sid))); + return NT_STATUS_NO_MEMORY; + } + } + + *user_sids = sid_array; + *num_user_sids = num_sids; + + return NT_STATUS_OK; +} Modified: branches/SAMBA_3_2/source/nsswitch/winbindd_pam.c =================================================================== --- branches/SAMBA_3_2/source/nsswitch/winbindd_pam.c 2007-07-17 11:22:43 UTC (rev 23927) +++ branches/SAMBA_3_2/source/nsswitch/winbindd_pam.c 2007-07-17 11:47:17 UTC (rev 23928) @@ -165,51 +165,14 @@ } } - if (!sid_compose(&sid, &(info3->dom_sid.sid), - info3->user_rid) - || !add_sid_to_array(mem_ctx, &sid, - &token->user_sids, &token->num_sids)) { - DEBUG(3,("could not add user SID from rid 0x%x\n", - info3->user_rid)); - return NT_STATUS_INVALID_PARAMETER; + status = sid_array_from_info3(mem_ctx, info3, + &token->user_sids, + &token->num_sids, + True); + if (!NT_STATUS_IS_OK(status)) { + return status; } - if (!sid_compose(&sid, &(info3->dom_sid.sid), - info3->group_rid) - || !add_sid_to_array(mem_ctx, &sid, - &token->user_sids, &token->num_sids)) { - DEBUG(3,("could not append additional group rid 0x%x\n", - info3->group_rid)); - - return NT_STATUS_INVALID_PARAMETER; - } - - for (i = 0; i < info3->num_groups2; i++) { - if (!sid_compose(&sid, &(info3->dom_sid.sid), - info3->gids[i].g_rid) - || !add_sid_to_array(mem_ctx, &sid, - &token->user_sids, &token->num_sids)) { - DEBUG(3,("could not append additional group rid 0x%x\n", - info3->gids[i].g_rid)); - return NT_STATUS_INVALID_PARAMETER; - } - } - - /* Copy 'other' sids. We need to do sid filtering here to - prevent possible elevation of privileges. See: - - http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp - */ - - for (i = 0; i < info3->num_other_sids; i++) { - if (!add_sid_to_array(mem_ctx, &info3->other_sids[i].sid, - &token->user_sids, &token->num_sids)) { - DEBUG(3, ("could not add SID to array: %s\n", - sid_string_static(&info3->other_sids[i].sid))); - return NT_STATUS_NO_MEMORY; - } - } - if (!NT_STATUS_IS_OK(status = add_aliases(get_global_sam_sid(), token)) || !NT_STATUS_IS_OK(status = add_aliases(&global_sid_Builtin, Modified: branches/SAMBA_3_2_0/source/auth/auth_util.c =================================================================== --- branches/SAMBA_3_2_0/source/auth/auth_util.c 2007-07-17 11:22:43 UTC (rev 23927) +++ branches/SAMBA_3_2_0/source/auth/auth_util.c 2007-07-17 11:47:17 UTC (rev 23928) @@ -1405,8 +1405,6 @@ uid_t uid; gid_t gid; - size_t i; - auth_serversupplied_info *result; /* @@ -1584,37 +1582,13 @@ result->num_sids = 0; result->sids = NULL; - /* and create (by appending rids) the 'domain' sids */ - - for (i = 0; i < info3->num_groups2; i++) { - DOM_SID sid; - if (!sid_compose(&sid, &info3->dom_sid.sid, - info3->gids[i].g_rid)) { - DEBUG(3,("could not append additional group rid " - "0x%x\n", info3->gids[i].g_rid)); - TALLOC_FREE(result); - return NT_STATUS_INVALID_PARAMETER; - } - if (!add_sid_to_array(result, &sid, &result->sids, - &result->num_sids)) { - TALLOC_FREE(result); - return NT_STATUS_NO_MEMORY; - } - } - - /* Copy 'other' sids. We need to do sid filtering here to - prevent possible elevation of privileges. See: - - http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp - */ - - for (i = 0; i < info3->num_other_sids; i++) { - if (!add_sid_to_array(result, &info3->other_sids[i].sid, + nt_status = sid_array_from_info3(result, info3, &result->sids, - &result->num_sids)) { - TALLOC_FREE(result); - return NT_STATUS_NO_MEMORY; - } + &result->num_sids, + False); + if (!NT_STATUS_IS_OK(nt_status)) { + TALLOC_FREE(result); + return nt_status; } result->login_server = unistr2_tdup(result, Modified: branches/SAMBA_3_2_0/source/lib/util_sid.c =================================================================== --- branches/SAMBA_3_2_0/source/lib/util_sid.c 2007-07-17 11:22:43 UTC (rev 23927) +++ branches/SAMBA_3_2_0/source/lib/util_sid.c 2007-07-17 11:47:17 UTC (rev 23928) @@ -669,3 +669,68 @@ static const DOM_SID null_sid = {0}; return sid_equal(sid, &null_sid); } + +NTSTATUS sid_array_from_info3(TALLOC_CTX *mem_ctx, + const NET_USER_INFO_3 *info3, + DOM_SID **user_sids, + size_t *num_user_sids, + BOOL include_user_group_rid) +{ + DOM_SID sid; + DOM_SID *sid_array = NULL; + size_t num_sids = 0; + int i; + + if (include_user_group_rid) { + + if (!sid_compose(&sid, &(info3->dom_sid.sid), + info3->user_rid) + || !add_sid_to_array(mem_ctx, &sid, + &sid_array, &num_sids)) { + DEBUG(3,("could not add user SID from rid 0x%x\n", + info3->user_rid)); + return NT_STATUS_INVALID_PARAMETER; + } + + if (!sid_compose(&sid, &(info3->dom_sid.sid), + info3->group_rid) + || !add_sid_to_array(mem_ctx, &sid, + &sid_array, &num_sids)) { + DEBUG(3,("could not append additional group rid 0x%x\n", + info3->group_rid)); + + return NT_STATUS_INVALID_PARAMETER; + } + } + + for (i = 0; i < info3->num_groups2; i++) { + if (!sid_compose(&sid, &(info3->dom_sid.sid), + info3->gids[i].g_rid) + || !add_sid_to_array(mem_ctx, &sid, + &sid_array, &num_sids)) { + DEBUG(3,("could not append additional group rid 0x%x\n", + info3->gids[i].g_rid)); + return NT_STATUS_INVALID_PARAMETER; + } + } + + /* Copy 'other' sids. We need to do sid filtering here to + prevent possible elevation of privileges. See: + + http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp + */ + + for (i = 0; i < info3->num_other_sids; i++) { + if (!add_sid_to_array(mem_ctx, &info3->other_sids[i].sid, + &sid_array, &num_sids)) { + DEBUG(3, ("could not add SID to array: %s\n", + sid_string_static(&info3->other_sids[i].sid))); + return NT_STATUS_NO_MEMORY; + } + } + + *user_sids = sid_array; + *num_user_sids = num_sids; + + return NT_STATUS_OK; +} Modified: branches/SAMBA_3_2_0/source/nsswitch/winbindd_pam.c =================================================================== --- branches/SAMBA_3_2_0/source/nsswitch/winbindd_pam.c 2007-07-17 11:22:43 UTC (rev 23927) +++ branches/SAMBA_3_2_0/source/nsswitch/winbindd_pam.c 2007-07-17 11:47:17 UTC (rev 23928) @@ -165,51 +165,14 @@ } } - if (!sid_compose(&sid, &(info3->dom_sid.sid), - info3->user_rid) - || !add_sid_to_array(mem_ctx, &sid, - &token->user_sids, &token->num_sids)) { - DEBUG(3,("could not add user SID from rid 0x%x\n", - info3->user_rid)); - return NT_STATUS_INVALID_PARAMETER; + status = sid_array_from_info3(mem_ctx, info3, + &token->user_sids, + &token->num_sids, + True); + if (!NT_STATUS_IS_OK(status)) { + return status; } - if (!sid_compose(&sid, &(info3->dom_sid.sid), - info3->group_rid) - || !add_sid_to_array(mem_ctx, &sid, - &token->user_sids, &token->num_sids)) { - DEBUG(3,("could not append additional group rid 0x%x\n", - info3->group_rid)); - - return NT_STATUS_INVALID_PARAMETER; - } - - for (i = 0; i < info3->num_groups2; i++) { - if (!sid_compose(&sid, &(info3->dom_sid.sid), - info3->gids[i].g_rid) - || !add_sid_to_array(mem_ctx, &sid, - &token->user_sids, &token->num_sids)) { - DEBUG(3,("could not append additional group rid 0x%x\n", - info3->gids[i].g_rid)); - return NT_STATUS_INVALID_PARAMETER; - } - } - - /* Copy 'other' sids. We need to do sid filtering here to - prevent possible elevation of privileges. See: - - http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp - */ - - for (i = 0; i < info3->num_other_sids; i++) { - if (!add_sid_to_array(mem_ctx, &info3->other_sids[i].sid, - &token->user_sids, &token->num_sids)) { - DEBUG(3, ("could not add SID to array: %s\n", - sid_string_static(&info3->other_sids[i].sid))); - return NT_STATUS_NO_MEMORY; - } - } - if (!NT_STATUS_IS_OK(status = add_aliases(get_global_sam_sid(), token)) || !NT_STATUS_IS_OK(status = add_aliases(&global_sid_Builtin,
