summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorStefan Metzmacher <metze@samba.org>2004-11-17 14:35:29 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:05:56 -0500
commit856ee665374071c89f5ecf540dcc3d68ccf2ff16 (patch)
tree34c2193631b6f965d85724f05c67e57a8508d997
parent04a47a26ce3cdc9de5a98ede499be6e693896824 (diff)
downloadsamba-856ee665374071c89f5ecf540dcc3d68ccf2ff16.tar.gz
samba-856ee665374071c89f5ecf540dcc3d68ccf2ff16.tar.bz2
samba-856ee665374071c89f5ecf540dcc3d68ccf2ff16.zip
r3810: create a LIB_SECURITY subsystem
- move dom_sid, security_descriptor, security_* funtions to one place and rename some of them metze (This used to be commit b620bdd672cfdf0e009492e648b0709e6b6d8596)
-rw-r--r--source4/auth/auth_util.c3
-rw-r--r--source4/build/smb_build/main.pm3
-rw-r--r--source4/include/structs.h4
-rw-r--r--source4/lib/basic.mk4
-rw-r--r--source4/lib/util_sid.c85
-rw-r--r--source4/libcli/config.mk3
-rw-r--r--source4/libcli/raw/rawacl.c1
-rw-r--r--source4/libcli/security/config.mk18
-rw-r--r--source4/libcli/security/dom_sid.c (renamed from source4/libcli/util/dom_sid.c)76
-rw-r--r--source4/libcli/security/security_descriptor.c102
-rw-r--r--source4/libcli/security/security_token.c (renamed from source4/lib/util_secdesc.c)37
-rw-r--r--source4/librpc/config.mk1
-rw-r--r--source4/librpc/idl/krb5pac.idl3
-rw-r--r--source4/librpc/idl/lsa.idl3
-rw-r--r--source4/librpc/idl/misc.idl95
-rw-r--r--source4/librpc/idl/samr.idl2
-rw-r--r--source4/librpc/idl/security.idl123
-rw-r--r--source4/librpc/idl/spoolss.idl3
-rw-r--r--source4/librpc/idl/srvsvc.idl3
-rw-r--r--source4/librpc/ndr/ndr_sec.c16
-rw-r--r--source4/rpc_server/dcerpc_server.c2
-rw-r--r--source4/rpc_server/samr/samdb.c2
-rw-r--r--source4/smb_server/nttrans.c1
-rw-r--r--source4/torture/rpc/samsync.c2
24 files changed, 358 insertions, 234 deletions
diff --git a/source4/auth/auth_util.c b/source4/auth/auth_util.c
index 9418b613eb..e929e59cc7 100644
--- a/source4/auth/auth_util.c
+++ b/source4/auth/auth_util.c
@@ -24,6 +24,7 @@
#include "includes.h"
#include "librpc/gen_ndr/ndr_samr.h"
#include "librpc/gen_ndr/ndr_netlogon.h"
+#include "librpc/gen_ndr/ndr_security.h"
#include "auth/auth.h"
#undef DBGC_CLASS
@@ -401,7 +402,7 @@ NTSTATUS create_nt_user_token(TALLOC_CTX *mem_ctx,
for (i = 0; i < n_groupSIDs; i++) {
size_t check_sid_idx;
for (check_sid_idx = 1; check_sid_idx < ptoken->num_sids; check_sid_idx++) {
- if (sid_equal(ptoken->user_sids[check_sid_idx],
+ if (dom_sid_equal(ptoken->user_sids[check_sid_idx],
groupSIDs[i])) {
break;
}
diff --git a/source4/build/smb_build/main.pm b/source4/build/smb_build/main.pm
index 3991e395f5..12f132239b 100644
--- a/source4/build/smb_build/main.pm
+++ b/source4/build/smb_build/main.pm
@@ -51,7 +51,8 @@ sub smb_build_main($)
"librpc/config.mk",
"client/config.mk",
"libcli/libsmb.mk",
- "libcli/config.mk"
+ "libcli/config.mk",
+ "libcli/security/config.mk"
);
$| = 1;
diff --git a/source4/include/structs.h b/source4/include/structs.h
index 9e64361dbf..61749111d9 100644
--- a/source4/include/structs.h
+++ b/source4/include/structs.h
@@ -120,3 +120,7 @@ struct test_join_ads_dc;
struct netr_LMSessionKey;
struct ldb_message;
+
+struct security_token;
+struct security_acl;
+struct security_ace;
diff --git a/source4/lib/basic.mk b/source4/lib/basic.mk
index 7360eddf94..1f790a8ca2 100644
--- a/source4/lib/basic.mk
+++ b/source4/lib/basic.mk
@@ -51,8 +51,6 @@ ADD_OBJ_FILES = \
lib/wins_srv.o \
lib/util_str.o \
lib/util_strlist.o \
- lib/util_sid.o \
- lib/util_secdesc.o \
lib/util_uuid.o \
lib/util_unistr.o \
lib/util_file.o \
@@ -74,6 +72,6 @@ ADD_OBJ_FILES = \
lib/db_wrap.o \
lib/gencache.o
REQUIRED_SUBSYSTEMS = \
- LIBLDB CHARSET LIBREPLACE LIBNETIF LIBCRYPTO EXT_LIB_DL
+ LIBLDB CHARSET LIBREPLACE LIBNETIF LIBCRYPTO LIB_SECURITY EXT_LIB_DL
# End SUBSYSTEM LIBBASIC
##############################
diff --git a/source4/lib/util_sid.c b/source4/lib/util_sid.c
deleted file mode 100644
index cb2ec3eb75..0000000000
--- a/source4/lib/util_sid.c
+++ /dev/null
@@ -1,85 +0,0 @@
-/*
- Unix SMB/CIFS implementation.
- Samba utility functions
- Copyright (C) Andrew Tridgell 1992-1998
- Copyright (C) Luke Kenneth Caseson Leighton 1998-1999
- Copyright (C) Jeremy Allison 1999
- Copyright (C) Stefan (metze) Metzmacher 2002
- Copyright (C) Simo Sorce 2002
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-*/
-
-#include "includes.h"
-
-/*****************************************************************
- Compare the auth portion of two sids.
-*****************************************************************/
-
-static int sid_compare_auth(const struct dom_sid *sid1, const struct dom_sid *sid2)
-{
- int i;
-
- if (sid1 == sid2)
- return 0;
- if (!sid1)
- return -1;
- if (!sid2)
- return 1;
-
- if (sid1->sid_rev_num != sid2->sid_rev_num)
- return sid1->sid_rev_num - sid2->sid_rev_num;
-
- for (i = 0; i < 6; i++)
- if (sid1->id_auth[i] != sid2->id_auth[i])
- return sid1->id_auth[i] - sid2->id_auth[i];
-
- return 0;
-}
-
-/*****************************************************************
- Compare two sids.
-*****************************************************************/
-
-static int sid_compare(const struct dom_sid *sid1, const struct dom_sid *sid2)
-{
- int i;
-
- if (sid1 == sid2)
- return 0;
- if (!sid1)
- return -1;
- if (!sid2)
- return 1;
-
- /* Compare most likely different rids, first: i.e start at end */
- if (sid1->num_auths != sid2->num_auths)
- return sid1->num_auths - sid2->num_auths;
-
- for (i = sid1->num_auths-1; i >= 0; --i)
- if (sid1->sub_auths[i] != sid2->sub_auths[i])
- return sid1->sub_auths[i] - sid2->sub_auths[i];
-
- return sid_compare_auth(sid1, sid2);
-}
-
-/*****************************************************************
- Compare two sids.
-*****************************************************************/
-
-BOOL sid_equal(const struct dom_sid *sid1, const struct dom_sid *sid2)
-{
- return sid_compare(sid1, sid2) == 0;
-}
diff --git a/source4/libcli/config.mk b/source4/libcli/config.mk
index c931d061fb..e48e5b5066 100644
--- a/source4/libcli/config.mk
+++ b/source4/libcli/config.mk
@@ -6,8 +6,7 @@ ADD_OBJ_FILES = libcli/util/asn1.o \
libcli/util/clierror.o \
libcli/util/nterr.o \
libcli/util/smbdes.o \
- libcli/util/smbencrypt.o \
- libcli/util/dom_sid.o
+ libcli/util/smbencrypt.o
[SUBSYSTEM::LIBCLI_NMB]
ADD_OBJ_FILES = libcli/unexpected.o \
diff --git a/source4/libcli/raw/rawacl.c b/source4/libcli/raw/rawacl.c
index 35c7ce2049..642d0ba72b 100644
--- a/source4/libcli/raw/rawacl.c
+++ b/source4/libcli/raw/rawacl.c
@@ -19,6 +19,7 @@
*/
#include "includes.h"
+#include "librpc/gen_ndr/ndr_security.h"
#include "libcli/raw/libcliraw.h"
/****************************************************************************
diff --git a/source4/libcli/security/config.mk b/source4/libcli/security/config.mk
new file mode 100644
index 0000000000..908a993ce6
--- /dev/null
+++ b/source4/libcli/security/config.mk
@@ -0,0 +1,18 @@
+#################################
+# Start SUBSYSTEM LIB_SECURITY_NDR
+[SUBSYSTEM::LIB_SECURITY_NDR]
+ADD_OBJ_FILES = librpc/gen_ndr/ndr_security.o
+NOPROTO = YES
+# End SUBSYSTEM LIB_SECURITY_NDR
+#################################
+
+#################################
+# Start SUBSYSTEM LIB_SECURITY
+[SUBSYSTEM::LIB_SECURITY]
+ADD_OBJ_FILES = libcli/security/security_token.o \
+ libcli/security/security_descriptor.o \
+ libcli/security/dom_sid.o \
+ librpc/ndr/ndr_sec.o
+REQUIRED_SUBSYSTEMS = LIB_SECURITY_NDR
+# End SUBSYSTEM LIB_SECURITY
+#################################
diff --git a/source4/libcli/util/dom_sid.c b/source4/libcli/security/dom_sid.c
index 1faf3debab..701fa88017 100644
--- a/source4/libcli/util/dom_sid.c
+++ b/source4/libcli/security/dom_sid.c
@@ -1,10 +1,12 @@
/*
Unix SMB/CIFS implementation.
-
- routines to manipulate a "struct dom_sid"
-
- Copyright (C) Andrew Tridgell 2004
-
+ Samba utility functions
+ Copyright (C) Andrew Tridgell 1992-2004
+ Copyright (C) Luke Kenneth Caseson Leighton 1998-1999
+ Copyright (C) Jeremy Allison 1999
+ Copyright (C) Stefan (metze) Metzmacher 2002-2004
+ Copyright (C) Simo Sorce 2002
+
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
@@ -21,6 +23,67 @@
*/
#include "includes.h"
+#include "librpc/gen_ndr/ndr_security.h"
+
+/*****************************************************************
+ Compare the auth portion of two sids.
+*****************************************************************/
+
+static int dom_sid_compare_auth(const struct dom_sid *sid1, const struct dom_sid *sid2)
+{
+ int i;
+
+ if (sid1 == sid2)
+ return 0;
+ if (!sid1)
+ return -1;
+ if (!sid2)
+ return 1;
+
+ if (sid1->sid_rev_num != sid2->sid_rev_num)
+ return sid1->sid_rev_num - sid2->sid_rev_num;
+
+ for (i = 0; i < 6; i++)
+ if (sid1->id_auth[i] != sid2->id_auth[i])
+ return sid1->id_auth[i] - sid2->id_auth[i];
+
+ return 0;
+}
+
+/*****************************************************************
+ Compare two sids.
+*****************************************************************/
+
+static int dom_sid_compare(const struct dom_sid *sid1, const struct dom_sid *sid2)
+{
+ int i;
+
+ if (sid1 == sid2)
+ return 0;
+ if (!sid1)
+ return -1;
+ if (!sid2)
+ return 1;
+
+ /* Compare most likely different rids, first: i.e start at end */
+ if (sid1->num_auths != sid2->num_auths)
+ return sid1->num_auths - sid2->num_auths;
+
+ for (i = sid1->num_auths-1; i >= 0; --i)
+ if (sid1->sub_auths[i] != sid2->sub_auths[i])
+ return sid1->sub_auths[i] - sid2->sub_auths[i];
+
+ return dom_sid_compare_auth(sid1, sid2);
+}
+
+/*****************************************************************
+ Compare two sids.
+*****************************************************************/
+
+BOOL dom_sid_equal(const struct dom_sid *sid1, const struct dom_sid *sid2)
+{
+ return dom_sid_compare(sid1, sid2) == 0;
+}
/*
convert a dom_sid to a string
@@ -124,7 +187,7 @@ struct dom_sid *dom_sid_parse_talloc(TALLOC_CTX *mem_ctx, const char *sidstr)
/*
convert a string to a dom_sid, returning a talloc'd dom_sid
*/
-struct dom_sid *dom_sid_dup(TALLOC_CTX *mem_ctx, struct dom_sid *dom_sid)
+struct dom_sid *dom_sid_dup(TALLOC_CTX *mem_ctx, const struct dom_sid *dom_sid)
{
struct dom_sid *ret;
int i;
@@ -177,4 +240,3 @@ struct dom_sid *dom_sid_add_rid(TALLOC_CTX *mem_ctx,
sid->num_auths++;
return sid;
}
-
diff --git a/source4/libcli/security/security_descriptor.c b/source4/libcli/security/security_descriptor.c
new file mode 100644
index 0000000000..255836066a
--- /dev/null
+++ b/source4/libcli/security/security_descriptor.c
@@ -0,0 +1,102 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ security descriptror utility functions
+
+ Copyright (C) Andrew Tridgell 2004
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "includes.h"
+#include "librpc/gen_ndr/ndr_security.h"
+
+/*
+ return a blank security descriptor (no owners, dacl or sacl)
+*/
+struct security_descriptor *security_descriptor_initialise(TALLOC_CTX *mem_ctx)
+{
+ struct security_descriptor *sd;
+
+ sd = talloc_p(mem_ctx, struct security_descriptor);
+ if (!sd) {
+ return NULL;
+ }
+
+ sd->revision = SD_REVISION;
+ /* we mark as self relative, even though it isn't while it remains
+ a pointer in memory because this simplifies the ndr code later.
+ All SDs that we store/emit are in fact SELF_RELATIVE
+ */
+ sd->type = SEC_DESC_SELF_RELATIVE;
+
+ sd->owner_sid = NULL;
+ sd->group_sid = NULL;
+ sd->sacl = NULL;
+ sd->dacl = NULL;
+
+ return sd;
+}
+
+/*
+ talloc and copy a security descriptor
+ */
+struct security_descriptor *security_descriptor_copy(TALLOC_CTX *mem_ctx,
+ const struct security_descriptor *osd)
+{
+ struct security_descriptor *nsd;
+
+ /* FIXME */
+ DEBUG(1, ("security_descriptor_copy(): sorry unimplemented yet\n"));
+ nsd = NULL;
+
+ return nsd;
+}
+
+NTSTATUS security_check_dacl(struct security_token *st, struct security_descriptor *sd, uint32 access_mask)
+{
+ size_t i,y;
+ NTSTATUS status = NT_STATUS_ACCESS_DENIED;
+
+ DEBUG(1, ("security_check_dacl(): sorry untested yet\n"));
+ return status;
+
+ if (!sd->dacl) {
+ return NT_STATUS_INVALID_ACL;
+ }
+
+ for (i=0; i < st->num_sids; i++) {
+ for (y=0; y < sd->dacl->num_aces; y++) {
+ if (dom_sid_equal(&st->sids[i], &sd->dacl->aces[y].trustee)) {
+ switch (sd->dacl->aces[y].type) {
+ case SEC_ACE_TYPE_ACCESS_ALLOWED:
+ if (access_mask & sd->dacl->aces[y].access_mask) {
+ status = NT_STATUS_OK;
+ }
+ break;
+ case SEC_ACE_TYPE_ACCESS_DENIED:
+ if (access_mask & sd->dacl->aces[y].access_mask) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+ break;
+ default:
+ return NT_STATUS_INVALID_ACL;
+ }
+ }
+ }
+ }
+
+ return status;
+}
diff --git a/source4/lib/util_secdesc.c b/source4/libcli/security/security_token.c
index 92887b21d9..9e26f5a385 100644
--- a/source4/lib/util_secdesc.c
+++ b/source4/libcli/security/security_token.c
@@ -21,31 +21,36 @@
*/
#include "includes.h"
+#include "librpc/gen_ndr/ndr_security.h"
/*
return a blank security descriptor (no owners, dacl or sacl)
*/
-struct security_descriptor *sd_initialise(TALLOC_CTX *mem_ctx)
+struct security_token *security_token_initialise(TALLOC_CTX *mem_ctx)
{
- struct security_descriptor *sd;
+ struct security_token *st;
- sd = talloc_p(mem_ctx, struct security_descriptor);
- if (!sd) {
+ st = talloc_p(mem_ctx, struct security_token);
+ if (!st) {
return NULL;
}
- sd->revision = SD_REVISION;
- /* we mark as self relative, even though it isn't while it remains
- a pointer in memory because this simplifies the ndr code later.
- All SDs that we store/emit are in fact SELF_RELATIVE
- */
- sd->type = SEC_DESC_SELF_RELATIVE;
+ st->flags = 0;
- sd->owner_sid = NULL;
- sd->group_sid = NULL;
- sd->sacl = NULL;
- sd->dacl = NULL;
+ st->user_sid = NULL;
+ st->group_sid = NULL;
+ st->logon_sid = NULL;
- return sd;
-}
+ st->num_sids = 0;
+ st->sids = NULL;
+
+ st->num_restricted_sids = 0;
+ st->restricted_sids = NULL;
+
+ st->num_privileges = 0;
+ st->privileges = NULL;
+ st->dacl = NULL;
+
+ return st;
+}
diff --git a/source4/librpc/config.mk b/source4/librpc/config.mk
index 2588590275..d527eabb2a 100644
--- a/source4/librpc/config.mk
+++ b/source4/librpc/config.mk
@@ -5,7 +5,6 @@ INIT_OBJ_FILES = \
librpc/ndr/ndr.o
ADD_OBJ_FILES = \
librpc/ndr/ndr_basic.o \
- librpc/ndr/ndr_sec.o \
librpc/ndr/ndr_spoolss_buf.o \
librpc/ndr/ndr_dcom.o
# End SUBSYSTEM LIBNDR_RAW
diff --git a/source4/librpc/idl/krb5pac.idl b/source4/librpc/idl/krb5pac.idl
index d3a28df27b..6efd8526b2 100644
--- a/source4/librpc/idl/krb5pac.idl
+++ b/source4/librpc/idl/krb5pac.idl
@@ -7,7 +7,8 @@
[
uuid("46746756-7567-7567-5677-756756756756"),
version(0.0),
- pointer_default(unique)
+ pointer_default(unique),
+ depends(security)
]
interface krb5pac
{
diff --git a/source4/librpc/idl/lsa.idl b/source4/librpc/idl/lsa.idl
index 05da1bec8b..d3d3ad3da6 100644
--- a/source4/librpc/idl/lsa.idl
+++ b/source4/librpc/idl/lsa.idl
@@ -8,7 +8,8 @@
version(0.0),
endpoint("ncacn_np:[\\pipe\\lsarpc]","ncacn_np:[\\pipe\\lsass]", "ncacn_ip_tcp:"),
pointer_default(unique),
- helpstring("Local Server Authentication(?)")
+ helpstring("Local Server Authentication(?)"),
+ depends(security)
] interface lsarpc
{
/******************/
diff --git a/source4/librpc/idl/misc.idl b/source4/librpc/idl/misc.idl
index dd31f0f54a..61adf04630 100644
--- a/source4/librpc/idl/misc.idl
+++ b/source4/librpc/idl/misc.idl
@@ -6,37 +6,6 @@
interface misc
{
- /* a NULL sid */
- const string SID_NULL = "S-1-0-0";
-
- /* the world domain */
- const string SID_WORLD_DOMAIN = "S-1-1";
- const string SID_WORLD = "S-1-1-0";
-
- /* SECURITY_CREATOR_SID_AUTHORITY */
- const string SID_CREATOR_OWNER_DOMAIN = "S-1-3";
- const string SID_CREATOR_OWNER = "S-1-3-0";
- const string SID_CREATOR_GROUP = "S-1-3-1";
-
- /* SECURITY_NT_AUTHORITY */
- const string SID_NT_AUTHORITY = "S-1-5";
- const string SID_NETWORK = "S-1-5-2";
- const string SID_ANONYMOUS = "S-1-5-7";
- const string SID_AUTHENTICATED_USERS = "S-1-5-11";
- const string SID_SYSTEM = "S-1-5-18";
-
- /* SECURITY_BUILTIN_DOMAIN_RID */
- const string SID_BUILTIN = "S-1-5-32";
- const string SID_BUILTIN_ADMINISTRATORS = "S-1-5-32-544";
- const string SID_BUILTIN_USERS = "S-1-5-32-545";
- const string SID_BUILTIN_GUESTS = "S-1-5-32-546";
- const string SID_BUILTIN_POWER_USERS = "S-1-5-32-547";
- const string SID_BUILTIN_ACCOUNT_OPERATORS = "S-1-5-32-548";
- const string SID_BUILTIN_SERVER_OPERATORS = "S-1-5-32-549";
- const string SID_BUILTIN_PRINT_OPERATORS = "S-1-5-32-550";
- const string SID_BUILTIN_BACKUP_OPERATORS = "S-1-5-32-551";
- const string SID_BUILTIN_REPLICATOR = "S-1-5-32-552";
-
/* server roles */
typedef enum {
ROLE_STANDALONE = 0,
@@ -54,70 +23,6 @@ interface misc
uint8 node[6];
} GUID;
- /* a domain SID. Note that unlike Samba3 this contains a pointer,
- so you can't copy them using assignment */
- typedef [public,noprint] struct {
- uint8 sid_rev_num; /**< SID revision number */
- uint8 num_auths; /**< Number of sub-authorities */
- uint8 id_auth[6]; /**< Identifier Authority */
- uint32 sub_auths[num_auths];
- } dom_sid;
-
- typedef [public] struct {
- uint8 type; /* xxxx_xxxx_ACE_TYPE - e.g allowed / denied etc */
- uint8 flags; /* xxxx_INHERIT_xxxx - e.g OBJECT_INHERIT_ACE */
- [value(ndr_size_security_ace(r))] uint16 size;
- uint32 access_mask;
-
-#if 0
- /* the 'obj' part is present when type is XXXX_TYPE_XXXX_OBJECT */
- struct {
- uint32 flags;
- GUID object_guid;
- GUID inherit_guid;
- } *obj;
-#endif
-
- dom_sid trustee;
- } security_ace;
-
- typedef [public] struct {
- uint16 revision;
- [value(ndr_size_security_acl(r))] uint16 size;
- uint32 num_aces;
- security_ace aces[num_aces];
- } security_acl;
-
- /* default revision for new ACLs */
- const int SD_REVISION = 1;
-
- /* security_descriptor->type bits */
- const int SEC_DESC_OWNER_DEFAULTED = 0x0001;
- const int SEC_DESC_GROUP_DEFAULTED = 0x0002;
- const int SEC_DESC_DACL_PRESENT = 0x0004;
- const int SEC_DESC_DACL_DEFAULTED = 0x0008;
- const int SEC_DESC_SACL_PRESENT = 0x0010;
- const int SEC_DESC_SACL_DEFAULTED = 0x0020;
- const int SEC_DESC_DACL_TRUSTED = 0x0040;
- const int SEC_DESC_SERVER_SECURITY = 0x0080;
- const int SEC_DESC_DACL_AUTO_INHERIT_REQ = 0x0100;
- const int SEC_DESC_SACL_AUTO_INHERIT_REQ = 0x0200;
- const int SEC_DESC_DACL_AUTO_INHERITED = 0x0400;
- const int SEC_DESC_SACL_AUTO_INHERITED = 0x0800;
- const int SEC_DESC_DACL_PROTECTED = 0x1000;
- const int SEC_DESC_SACL_PROTECTED = 0x2000;
- const int SEC_DESC_RM_CONTROL_VALID = 0x4000;
- const int SEC_DESC_SELF_RELATIVE = 0x8000;
-
- typedef [public,flag(NDR_LITTLE_ENDIAN)] struct {
- uint8 revision;
- uint16 type; /* SEC_DESC_xxxx flags */
- [relative] dom_sid *owner_sid;
- [relative] dom_sid *group_sid;
- [relative] security_acl *sacl; /* system ACL */
- [relative] security_acl *dacl; /* user (discretionary) ACL */
- } security_descriptor;
-
typedef [public] struct {
uint32 handle_type;
GUID uuid;
diff --git a/source4/librpc/idl/samr.idl b/source4/librpc/idl/samr.idl
index a7bbe07b6a..358218c2a0 100644
--- a/source4/librpc/idl/samr.idl
+++ b/source4/librpc/idl/samr.idl
@@ -12,7 +12,7 @@
version(1.0),
endpoint("ncacn_np:[\\pipe\\samr]","ncacn_ip_tcp:", "ncalrpc:"),
pointer_default(unique),
- depends(lsa)
+ depends(lsa,security)
] interface samr
{
/* account control (acct_flags) bits */
diff --git a/source4/librpc/idl/security.idl b/source4/librpc/idl/security.idl
new file mode 100644
index 0000000000..ba75c0f54b
--- /dev/null
+++ b/source4/librpc/idl/security.idl
@@ -0,0 +1,123 @@
+#include "idl_types.h"
+
+/*
+ security IDL structures
+*/
+
+interface security
+{
+ /* a NULL sid */
+ const string SID_NULL = "S-1-0-0";
+
+ /* the world domain */
+ const string SID_WORLD_DOMAIN = "S-1-1";
+ const string SID_WORLD = "S-1-1-0";
+
+ /* SECURITY_CREATOR_SID_AUTHORITY */
+ const string SID_CREATOR_OWNER_DOMAIN = "S-1-3";
+ const string SID_CREATOR_OWNER = "S-1-3-0";
+ const string SID_CREATOR_GROUP = "S-1-3-1";
+
+ /* SECURITY_NT_AUTHORITY */
+ const string SID_NT_AUTHORITY = "S-1-5";
+ const string SID_NETWORK = "S-1-5-2";
+ const string SID_ANONYMOUS = "S-1-5-7";
+ const string SID_AUTHENTICATED_USERS = "S-1-5-11";
+ const string SID_SYSTEM = "S-1-5-18";
+
+ /* SECURITY_BUILTIN_DOMAIN_RID */
+ const string SID_BUILTIN = "S-1-5-32";
+ const string SID_BUILTIN_ADMINISTRATORS = "S-1-5-32-544";
+ const string SID_BUILTIN_USERS = "S-1-5-32-545";
+ const string SID_BUILTIN_GUESTS = "S-1-5-32-546";
+ const string SID_BUILTIN_POWER_USERS = "S-1-5-32-547";
+ const string SID_BUILTIN_ACCOUNT_OPERATORS = "S-1-5-32-548";
+ const string SID_BUILTIN_SERVER_OPERATORS = "S-1-5-32-549";
+ const string SID_BUILTIN_PRINT_OPERATORS = "S-1-5-32-550";
+ const string SID_BUILTIN_BACKUP_OPERATORS = "S-1-5-32-551";
+ const string SID_BUILTIN_REPLICATOR = "S-1-5-32-552";
+
+ /* a domain SID. Note that unlike Samba3 this contains a pointer,
+ so you can't copy them using assignment */
+ typedef [public,noprint] struct {
+ uint8 sid_rev_num; /**< SID revision number */
+ uint8 num_auths; /**< Number of sub-authorities */
+ uint8 id_auth[6]; /**< Identifier Authority */
+ uint32 sub_auths[num_auths];
+ } dom_sid;
+
+ typedef [public] struct {
+ uint8 type; /* xxxx_xxxx_ACE_TYPE - e.g allowed / denied etc */
+ uint8 flags; /* xxxx_INHERIT_xxxx - e.g OBJECT_INHERIT_ACE */
+ [value(ndr_size_security_ace(r))] uint16 size;
+ uint32 access_mask;
+
+#if 0
+ /* the 'obj' part is present when type is XXXX_TYPE_XXXX_OBJECT */
+ struct {
+ uint32 flags;
+ GUID object_guid;
+ GUID inherit_guid;
+ } *obj;
+#endif
+
+ dom_sid trustee;
+ } security_ace;
+
+ typedef [public] struct {
+ uint16 revision;
+ [value(ndr_size_security_acl(r))] uint16 size;
+ uint32 num_aces;
+ security_ace aces[num_aces];
+ } security_acl;
+
+ /* default revision for new ACLs */
+ const int SD_REVISION = 1;
+
+ /* security_descriptor->type bits */
+ const int SEC_DESC_OWNER_DEFAULTED = 0x0001;
+ const int SEC_DESC_GROUP_DEFAULTED = 0x0002;
+ const int SEC_DESC_DACL_PRESENT = 0x0004;
+ const int SEC_DESC_DACL_DEFAULTED = 0x0008;
+ const int SEC_DESC_SACL_PRESENT = 0x0010;
+ const int SEC_DESC_SACL_DEFAULTED = 0x0020;
+ const int SEC_DESC_DACL_TRUSTED = 0x0040;
+ const int SEC_DESC_SERVER_SECURITY = 0x0080;
+ const int SEC_DESC_DACL_AUTO_INHERIT_REQ = 0x0100;
+ const int SEC_DESC_SACL_AUTO_INHERIT_REQ = 0x0200;
+ const int SEC_DESC_DACL_AUTO_INHERITED = 0x0400;
+ const int SEC_DESC_SACL_AUTO_INHERITED = 0x0800;
+ const int SEC_DESC_DACL_PROTECTED = 0x1000;
+ const int SEC_DESC_SACL_PROTECTED = 0x2000;
+ const int SEC_DESC_RM_CONTROL_VALID = 0x4000;
+ const int SEC_DESC_SELF_RELATIVE = 0x8000;
+
+ typedef [public,flag(NDR_LITTLE_ENDIAN)] struct {
+ uint8 revision;
+ uint16 type; /* SEC_DESC_xxxx flags */
+ [relative] dom_sid *owner_sid;
+ [relative] dom_sid *group_sid;
+ [relative] security_acl *sacl; /* system ACL */
+ [relative] security_acl *dacl; /* user (discretionary) ACL */
+ } security_descriptor;
+
+ typedef [public,printonly] struct {
+ /* TODO */
+ uint32 flags;
+ } security_privilege;
+
+ typedef [public,printonly] struct {
+ uint32 flags;
+ dom_sid *user_sid;
+ dom_sid *group_sid;
+ dom_sid *logon_sid;
+ uint32 num_sids;
+ dom_sid sids[num_sids];
+ uint32 num_restricted_sids;
+ dom_sid restricted_sids[num_restricted_sids];
+ uint32 num_privileges;
+ security_privilege privileges[num_privileges];
+ security_acl *dacl;
+ } security_token;
+
+}
diff --git a/source4/librpc/idl/spoolss.idl b/source4/librpc/idl/spoolss.idl
index 91a7632422..41b992c5a2 100644
--- a/source4/librpc/idl/spoolss.idl
+++ b/source4/librpc/idl/spoolss.idl
@@ -8,7 +8,8 @@
version(1.0),
endpoint("ncacn_np:[\\pipe\\spoolss]"),
pointer_default(unique),
- helpstring("Spooler SubSystem")
+ helpstring("Spooler SubSystem"),
+ depends(security)
] interface spoolss
{
typedef struct {
diff --git a/source4/librpc/idl/srvsvc.idl b/source4/librpc/idl/srvsvc.idl
index 02e3dd6578..ee5b369534 100644
--- a/source4/librpc/idl/srvsvc.idl
+++ b/source4/librpc/idl/srvsvc.idl
@@ -7,7 +7,8 @@
[ uuid("4b324fc8-1670-01d3-1278-5a47bf6ee188"),
version(3.0),
pointer_default(unique),
- helpstring("Server Service")
+ helpstring("Server Service"),
+ depends(security)
] interface srvsvc
{
/**************************/
diff --git a/source4/librpc/ndr/ndr_sec.c b/source4/librpc/ndr/ndr_sec.c
index c91c2762c2..798d3a7cf1 100644
--- a/source4/librpc/ndr/ndr_sec.c
+++ b/source4/librpc/ndr/ndr_sec.c
@@ -23,6 +23,7 @@
#include "includes.h"
+#include "librpc/gen_ndr/ndr_security.h"
/*
parse a dom_sid2 - this is a dom_sid but with an extra copy of the num_auths field
@@ -112,18 +113,3 @@ size_t ndr_size_security_descriptor(struct security_descriptor *sd)
ret += ndr_size_security_acl(sd->sacl);
return ret;
}
-
-/*
- talloc and copy a security descriptor
- */
-struct security_descriptor *copy_security_descriptor(TALLOC_CTX *mem_ctx,
- const struct security_descriptor *osd)
-{
- struct security_descriptor *nsd;
-
- /* FIXME */
- DEBUG(1, ("copy_security_descriptor: sorry unimplemented yet\n"));
- nsd = NULL;
-
- return nsd;
-}
diff --git a/source4/rpc_server/dcerpc_server.c b/source4/rpc_server/dcerpc_server.c
index 11e385153e..de8ac73304 100644
--- a/source4/rpc_server/dcerpc_server.c
+++ b/source4/rpc_server/dcerpc_server.c
@@ -198,7 +198,7 @@ NTSTATUS dcesrv_interface_register(struct dcesrv_context *dce_ctx,
* we try to set it
*/
if (ep->sd == NULL) {
- ep->sd = copy_security_descriptor(dce_ctx, sd);
+ ep->sd = security_descriptor_copy(dce_ctx, sd);
}
/* if now there's no security descriptor given on the endpoint
diff --git a/source4/rpc_server/samr/samdb.c b/source4/rpc_server/samr/samdb.c
index 488c48cd50..7501d94ae6 100644
--- a/source4/rpc_server/samr/samdb.c
+++ b/source4/rpc_server/samr/samdb.c
@@ -888,7 +888,7 @@ struct security_descriptor *samdb_default_security_descriptor(TALLOC_CTX *mem_ct
{
struct security_descriptor *sd;
- sd = sd_initialise(mem_ctx);
+ sd = security_descriptor_initialise(mem_ctx);
return sd;
}
diff --git a/source4/smb_server/nttrans.c b/source4/smb_server/nttrans.c
index b623578514..49c41181a8 100644
--- a/source4/smb_server/nttrans.c
+++ b/source4/smb_server/nttrans.c
@@ -24,6 +24,7 @@
#include "includes.h"
#include "smb_server/smb_server.h"
+#include "librpc/gen_ndr/ndr_security.h"
diff --git a/source4/torture/rpc/samsync.c b/source4/torture/rpc/samsync.c
index 4efb5044dd..7f9cf321dc 100644
--- a/source4/torture/rpc/samsync.c
+++ b/source4/torture/rpc/samsync.c
@@ -301,7 +301,7 @@ static BOOL samsync_handle_policy(TALLOC_CTX *mem_ctx, struct samsync_state *sam
}
}
- if (!sid_equal(samsync_state->sid[SAM_DATABASE_DOMAIN], policy->sid)) {
+ if (!dom_sid_equal(samsync_state->sid[SAM_DATABASE_DOMAIN], policy->sid)) {
printf("Domain SID from POLICY (%s) does not match domain sid from SAMR (%s)\n",
dom_sid_string(mem_ctx, policy->sid), dom_sid_string(mem_ctx, samsync_state->sid[SAM_DATABASE_DOMAIN]));
return False;