author | Andrew Tridgell <tridge@samba.org> | 2005-12-09 23:43:02 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:47:16 -0500 |
commit | d811ea17bb3a487b8bdcd2f9aa8dc4ba5cb2ab01 (patch) | |
tree | 128dae49d8b57ee988e72b4b1217798484672344 | |
parent | 7b090b06bf494bcc9bbd080ec2f8761659d8cc6b (diff) | |
download | samba-d811ea17bb3a487b8bdcd2f9aa8dc4ba5cb2ab01.tar.gz samba-d811ea17bb3a487b8bdcd2f9aa8dc4ba5cb2ab01.tar.bz2 samba-d811ea17bb3a487b8bdcd2f9aa8dc4ba5cb2ab01.zip |
r12158: added ldif handlers for the ntSecurityDescriptor attribute, so when
displaying security descriptors in ldbsearch or ldbedit you can see
the SDDL version.
This also allows us to specify security descriptors in our
setup/*.ldif files in SDDL format, which is much more convenient than
the NDR binary format!
(This used to be commit 8185731c1846412c1b3366824cdb3d05b2d50b73)
-rw-r--r-- | source4/lib/ldb/samba/ldif_handlers.c | 67 | ||||
-rw-r--r-- | source4/libcli/security/sddl.c | 16 | ||||
-rw-r--r-- | source4/torture/local/sddl.c | 7 |
3 files changed, 82 insertions, 8 deletions
diff --git a/source4/lib/ldb/samba/ldif_handlers.c b/source4/lib/ldb/samba/ldif_handlers.c
index dab3552b01..6d2e4349cf 100644
--- a/source4/lib/ldb/samba/ldif_handlers.c
+++ b/source4/lib/ldb/samba/ldif_handlers.c
@@ -214,6 +214,65 @@ static int ldb_canonicalise_objectGUID(struct ldb_context *ldb, void *mem_ctx, return ldb_handler_copy(ldb, mem_ctx, in, out); } + +/* + convert a ldif (SDDL) formatted ntSecurityDescriptor to a NDR formatted blob +*/ +static int ldif_read_ntSecurityDescriptor(struct ldb_context *ldb, void *mem_ctx, + const struct ldb_val *in, struct ldb_val *out) +{ + struct security_descriptor *sd; + NTSTATUS status; + const struct dom_sid *domain_sid = samdb_domain_sid(ldb); + if (domain_sid == NULL) { + return ldb_handler_copy(ldb, mem_ctx, in, out); + } + sd = sddl_decode(mem_ctx, (const char *)in->data, domain_sid); + if (sd == NULL) { + return -1; + } + status = ndr_push_struct_blob(out, mem_ctx, sd, + (ndr_push_flags_fn_t)ndr_push_security_descriptor); + talloc_free(sd); + if (!NT_STATUS_IS_OK(status)) { + return -1; + } + return 0; +} + +/* + convert a NDR formatted blob to a ldif formatted ntSecurityDescriptor (SDDL format) +*/ +static int ldif_write_ntSecurityDescriptor(struct ldb_context *ldb, void *mem_ctx, + const struct ldb_val *in, struct ldb_val *out) +{ + struct security_descriptor *sd; + NTSTATUS status; + const struct dom_sid *domain_sid = samdb_domain_sid(ldb); + + if (domain_sid == NULL) { + return ldb_handler_copy(ldb, mem_ctx, in, out); + } + + sd = talloc(mem_ctx, struct security_descriptor); + if (sd == NULL) { + return -1; + } + status = ndr_pull_struct_blob(in, sd, sd, + (ndr_pull_flags_fn_t)ndr_pull_security_descriptor); + if (!NT_STATUS_IS_OK(status)) { + talloc_free(sd); + return -1; + } + out->data = (uint8_t *)sddl_encode(mem_ctx, sd, domain_sid); + talloc_free(sd); + if (out->data == NULL) { + return -1; + } + out->length = strlen((const char *)out->data); + return 0; +} + static const struct ldb_attrib_handler samba_handlers[] = { { .attr = "objectSid", 
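Review bot: `ldif_read_ntSecurityDescriptor` passes `in->data` to `sddl_decode` as a NUL-terminated string and never looks at `in->length`, so a value that is not terminated is parsed past its end; copying it first with `const char *sddl = talloc_strndup(mem_ctx, (const char *)in->data, in->length);` (and returning -1 when that is NULL) keeps the parse bounded by the value. In the same function the `domain_sid == NULL` branch falls back to `ldb_handler_copy`, which stores the SDDL text verbatim where callers presumably expect an NDR blob, and any value that is already NDR-encoded (the form `ldif_write_ntSecurityDescriptor` itself emits in its fallback) is rejected with -1 because decoding it as SDDL fails; either returning -1 in the no-domain case or a comment such as `/* no domain SID yet: value is stored as given, not converted */` would make the intended behaviour explicit. Both new functions are complete within this hunk.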
@@ -232,6 +291,14 @@ static const struct ldb_attrib_handler samba_handlers[] = { .comparison_fn = ldb_comparison_objectSid }, { + .attr = "ntSecurityDescriptor", + .flags = 0, + .ldif_read_fn = ldif_read_ntSecurityDescriptor, + .ldif_write_fn = ldif_write_ntSecurityDescriptor, + .canonicalise_fn = ldb_handler_copy, + .comparison_fn = ldb_comparison_binary + }, + { .attr = "objectGUID", .flags = 0, .ldif_read_fn = ldif_read_objectGUID, diff --git a/source4/libcli/security/sddl.c b/source4/libcli/security/sddl.c index 643cb7a82c..7d7fe856cd 100644 --- a/source4/libcli/security/sddl.c +++ b/source4/libcli/security/sddl.c @@ -92,7 +92,7 @@ static const struct { It can either be a special 2 letter code, or in S-* format */ static struct dom_sid *sddl_decode_sid(TALLOC_CTX *mem_ctx, const char **sddlp, - struct dom_sid *domain_sid) + const struct dom_sid *domain_sid) { const char *sddl = (*sddlp); int i; @@ -172,7 +172,7 @@ static const struct flag_map ace_access_mask[] = { note that this routine modifies the string */ static BOOL sddl_decode_ace(TALLOC_CTX *mem_ctx, struct security_ace *ace, char *str, - struct dom_sid *domain_sid) + const struct dom_sid *domain_sid) { const char *tok[6]; const char *s; @@ -259,7 +259,7 @@ static const struct flag_map acl_flags[] = { */ static struct security_acl *sddl_decode_acl(struct security_descriptor *sd, const char **sddlp, uint32_t *flags, - struct dom_sid *domain_sid) + const struct dom_sid *domain_sid) { const char *sddl = *sddlp; struct security_acl *acl; @@ -316,7 +316,7 @@ static struct security_acl *sddl_decode_acl(struct security_descriptor *sd, decode a security descriptor in SDDL format */ struct security_descriptor *sddl_decode(TALLOC_CTX *mem_ctx, const char *sddl, - struct dom_sid *domain_sid) + const struct dom_sid *domain_sid) { struct security_descriptor *sd; sd = talloc_zero(mem_ctx, struct security_descriptor); 
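Review bot: The new `samba_handlers` entry pairs `.canonicalise_fn = ldb_handler_copy` with `.comparison_fn = ldb_comparison_binary`, so two descriptors are equal only when their NDR encodings are byte-identical; the `#if 0` comment this commit adds in source4/torture/local/sddl.c notes that flags have no canonical order, so semantically equivalent descriptors can fail this comparison. A comment on the entry, e.g. `/* compared byte-wise on the NDR form: ACE and flag order are significant */`, would record that limitation for whoever later relies on equality matching. The `sddl.c` hunks sharing this line only add `const` qualifiers and need no change.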
@@ -408,7 +408,7 @@ failed: encode a sid in SDDL format */ static char *sddl_encode_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid, - struct dom_sid *domain_sid) + const struct dom_sid *domain_sid) { int i; char *sidstr; @@ -446,7 +446,7 @@ static char *sddl_encode_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid, encode an ACE in SDDL format */ static char *sddl_encode_ace(TALLOC_CTX *mem_ctx, const struct security_ace *ace, - struct dom_sid *domain_sid) + const struct dom_sid *domain_sid) { char *sddl; TALLOC_CTX *tmp_ctx; @@ -497,7 +497,7 @@ failed: encode an ACL in SDDL format */ static char *sddl_encode_acl(TALLOC_CTX *mem_ctx, const struct security_acl *acl, - uint32_t flags, struct dom_sid *domain_sid) + uint32_t flags, const struct dom_sid *domain_sid) { char *sddl; int i; @@ -527,7 +527,7 @@ failed: encode a security descriptor to SDDL format */ char *sddl_encode(TALLOC_CTX *mem_ctx, const struct security_descriptor *sd, - struct dom_sid *domain_sid) + const struct dom_sid *domain_sid) { char *sddl; TALLOC_CTX *tmp_ctx; diff --git a/source4/torture/local/sddl.c b/source4/torture/local/sddl.c index 8d5874d878..01f4d839d9 100644 --- a/source4/torture/local/sddl.c +++ b/source4/torture/local/sddl.c @@ -57,6 +57,13 @@ static BOOL test_sddl(TALLOC_CTX *mem_ctx, const char *sddl) return False; } +#if 0 + /* flags don't have a canonical order ... */ + if (strcmp(sddl, sddl2) != 0) { + printf("Failed sddl equality test\norig: %s\n new: %s\n", sddl, sddl2); + } +#endif + if (DEBUGLVL(2)) { NDR_PRINT_DEBUG(security_descriptor, sd); } |
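Review bot: The `#if 0` block added to `test_sddl` in source4/torture/local/sddl.c commits dead code together with its `printf` diagnostic, and the attached comment already explains why the string comparison cannot work as written; either drop the block or replace it with a structural check that decodes `sddl2` again and compares the two decoded descriptors, which is insensitive to the flag ordering the comment describes. If it is kept as a reminder, a one-line `/* TODO: compare decoded descriptors, not strings */` carries the same information without disabled code. `test_sddl` starts before this hunk and continues past it.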