summaryrefslogtreecommitdiff
path: root/source3/lib
diff options
context:
space:
mode:
authorJelmer Vernooij <jelmer@samba.org>2009-03-01 22:25:57 +0100
committerJelmer Vernooij <jelmer@samba.org>2009-03-01 22:25:57 +0100
commit9551ab8f7b0e69349dc0c1ffb70a6f67163b242c (patch)
tree075bfaec7798dc54db47398ab6ebfe68c85b1573 /source3/lib
parent7ab8f373c84c328b197f923287163e83371e7ccb (diff)
parent8568b4fa9ff8f6f1a24547ec2ed5e2942b213d9e (diff)
downloadsamba-9551ab8f7b0e69349dc0c1ffb70a6f67163b242c.tar.gz
samba-9551ab8f7b0e69349dc0c1ffb70a6f67163b242c.tar.bz2
samba-9551ab8f7b0e69349dc0c1ffb70a6f67163b242c.zip
Merge branch 'master' of git://git.samba.org/samba into convenience
Diffstat (limited to 'source3/lib')
-rw-r--r--source3/lib/secace.c293
-rw-r--r--source3/lib/secacl.c118
-rw-r--r--source3/lib/util_nttoken.c16
3 files changed, 16 insertions, 411 deletions
diff --git a/source3/lib/secace.c b/source3/lib/secace.c
deleted file mode 100644
index 878fac252b..0000000000
--- a/source3/lib/secace.c
+++ /dev/null
@@ -1,293 +0,0 @@
-/*
- * Unix SMB/Netbios implementation.
- * SEC_ACE handling functions
- * Copyright (C) Andrew Tridgell 1992-1998,
- * Copyright (C) Jeremy R. Allison 1995-2003.
- * Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
- * Copyright (C) Paul Ashton 1997-1998.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 3 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, see <http://www.gnu.org/licenses/>.
- */
-
-#include "includes.h"
-
-/*******************************************************************
- Check if ACE has OBJECT type.
-********************************************************************/
-
-bool sec_ace_object(uint8 type)
-{
- if (type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT ||
- type == SEC_ACE_TYPE_ACCESS_DENIED_OBJECT ||
- type == SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT ||
- type == SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT) {
- return True;
- }
- return False;
-}
-
-/*******************************************************************
- copy a SEC_ACE structure.
-********************************************************************/
-void sec_ace_copy(SEC_ACE *ace_dest, SEC_ACE *ace_src)
-{
- ace_dest->type = ace_src->type;
- ace_dest->flags = ace_src->flags;
- ace_dest->size = ace_src->size;
- ace_dest->access_mask = ace_src->access_mask;
- ace_dest->object = ace_src->object;
- sid_copy(&ace_dest->trustee, &ace_src->trustee);
-}
-
-/*******************************************************************
- Sets up a SEC_ACE structure.
-********************************************************************/
-
-void init_sec_ace(SEC_ACE *t, const DOM_SID *sid, enum security_ace_type type,
- uint32_t mask, uint8 flag)
-{
- t->type = type;
- t->flags = flag;
- t->size = ndr_size_dom_sid(sid, NULL, 0) + 8;
- t->access_mask = mask;
-
- ZERO_STRUCTP(&t->trustee);
- sid_copy(&t->trustee, sid);
-}
-
-/*******************************************************************
- adds new SID with its permissions to ACE list
-********************************************************************/
-
-NTSTATUS sec_ace_add_sid(TALLOC_CTX *ctx, SEC_ACE **pp_new, SEC_ACE *old, unsigned *num, DOM_SID *sid, uint32 mask)
-{
- unsigned int i = 0;
-
- if (!ctx || !pp_new || !old || !sid || !num) return NT_STATUS_INVALID_PARAMETER;
-
- *num += 1;
-
- if((pp_new[0] = TALLOC_ZERO_ARRAY(ctx, SEC_ACE, *num )) == 0)
- return NT_STATUS_NO_MEMORY;
-
- for (i = 0; i < *num - 1; i ++)
- sec_ace_copy(&(*pp_new)[i], &old[i]);
-
- (*pp_new)[i].type = SEC_ACE_TYPE_ACCESS_ALLOWED;
- (*pp_new)[i].flags = 0;
- (*pp_new)[i].size = SEC_ACE_HEADER_SIZE + ndr_size_dom_sid(sid, NULL, 0);
- (*pp_new)[i].access_mask = mask;
- sid_copy(&(*pp_new)[i].trustee, sid);
- return NT_STATUS_OK;
-}
-
-/*******************************************************************
- modify SID's permissions at ACL
-********************************************************************/
-
-NTSTATUS sec_ace_mod_sid(SEC_ACE *ace, size_t num, DOM_SID *sid, uint32 mask)
-{
- unsigned int i = 0;
-
- if (!ace || !sid) return NT_STATUS_INVALID_PARAMETER;
-
- for (i = 0; i < num; i ++) {
- if (sid_compare(&ace[i].trustee, sid) == 0) {
- ace[i].access_mask = mask;
- return NT_STATUS_OK;
- }
- }
- return NT_STATUS_NOT_FOUND;
-}
-
-/*******************************************************************
- delete SID from ACL
-********************************************************************/
-
-NTSTATUS sec_ace_del_sid(TALLOC_CTX *ctx, SEC_ACE **pp_new, SEC_ACE *old, uint32 *num, DOM_SID *sid)
-{
- unsigned int i = 0;
- unsigned int n_del = 0;
-
- if (!ctx || !pp_new || !old || !sid || !num) return NT_STATUS_INVALID_PARAMETER;
-
- if (*num) {
- if((pp_new[0] = TALLOC_ZERO_ARRAY(ctx, SEC_ACE, *num )) == 0)
- return NT_STATUS_NO_MEMORY;
- } else {
- pp_new[0] = NULL;
- }
-
- for (i = 0; i < *num; i ++) {
- if (sid_compare(&old[i].trustee, sid) != 0)
- sec_ace_copy(&(*pp_new)[i], &old[i]);
- else
- n_del ++;
- }
- if (n_del == 0)
- return NT_STATUS_NOT_FOUND;
- else {
- *num -= n_del;
- return NT_STATUS_OK;
- }
-}
-
-/*******************************************************************
- Compares two SEC_ACE structures
-********************************************************************/
-
-bool sec_ace_equal(SEC_ACE *s1, SEC_ACE *s2)
-{
- /* Trivial case */
-
- if (!s1 && !s2) {
- return True;
- }
-
- if (!s1 || !s2) {
- return False;
- }
-
- /* Check top level stuff */
-
- if (s1->type != s2->type || s1->flags != s2->flags ||
- s1->access_mask != s2->access_mask) {
- return False;
- }
-
- /* Check SID */
-
- if (!sid_equal(&s1->trustee, &s2->trustee)) {
- return False;
- }
-
- return True;
-}
-
-int nt_ace_inherit_comp( SEC_ACE *a1, SEC_ACE *a2)
-{
- int a1_inh = a1->flags & SEC_ACE_FLAG_INHERITED_ACE;
- int a2_inh = a2->flags & SEC_ACE_FLAG_INHERITED_ACE;
-
- if (a1_inh == a2_inh)
- return 0;
-
- if (!a1_inh && a2_inh)
- return -1;
- return 1;
-}
-
-/*******************************************************************
- Comparison function to apply the order explained below in a group.
-*******************************************************************/
-
-int nt_ace_canon_comp( SEC_ACE *a1, SEC_ACE *a2)
-{
- if ((a1->type == SEC_ACE_TYPE_ACCESS_DENIED) &&
- (a2->type != SEC_ACE_TYPE_ACCESS_DENIED))
- return -1;
-
- if ((a2->type == SEC_ACE_TYPE_ACCESS_DENIED) &&
- (a1->type != SEC_ACE_TYPE_ACCESS_DENIED))
- return 1;
-
- /* Both access denied or access allowed. */
-
- /* 1. ACEs that apply to the object itself */
-
- if (!(a1->flags & SEC_ACE_FLAG_INHERIT_ONLY) &&
- (a2->flags & SEC_ACE_FLAG_INHERIT_ONLY))
- return -1;
- else if (!(a2->flags & SEC_ACE_FLAG_INHERIT_ONLY) &&
- (a1->flags & SEC_ACE_FLAG_INHERIT_ONLY))
- return 1;
-
- /* 2. ACEs that apply to a subobject of the object, such as
- * a property set or property. */
-
- if (a1->flags & (SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT) &&
- !(a2->flags & (SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT)))
- return -1;
- else if (a2->flags & (SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT) &&
- !(a1->flags & (SEC_ACE_FLAG_CONTAINER_INHERIT|SEC_ACE_FLAG_OBJECT_INHERIT)))
- return 1;
-
- return 0;
-}
-
-/*******************************************************************
- Functions to convert a SEC_DESC ACE DACL list into canonical order.
- JRA.
-
---- from http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/order_of_aces_in_a_dacl.asp
-
-The following describes the preferred order:
-
- To ensure that noninherited ACEs have precedence over inherited ACEs,
- place all noninherited ACEs in a group before any inherited ACEs.
- This ordering ensures, for example, that a noninherited access-denied ACE
- is enforced regardless of any inherited ACE that allows access.
-
- Within the groups of noninherited ACEs and inherited ACEs, order ACEs according to ACE type, as the following shows:
- 1. Access-denied ACEs that apply to the object itself
- 2. Access-denied ACEs that apply to a subobject of the object, such as a property set or property
- 3. Access-allowed ACEs that apply to the object itself
- 4. Access-allowed ACEs that apply to a subobject of the object"
-
-********************************************************************/
-
-void dacl_sort_into_canonical_order(SEC_ACE *srclist, unsigned int num_aces)
-{
- unsigned int i;
-
- if (!srclist || num_aces == 0)
- return;
-
- /* Sort so that non-inherited ACE's come first. */
- qsort( srclist, num_aces, sizeof(srclist[0]), QSORT_CAST nt_ace_inherit_comp);
-
- /* Find the boundary between non-inherited ACEs. */
- for (i = 0; i < num_aces; i++ ) {
- SEC_ACE *curr_ace = &srclist[i];
-
- if (curr_ace->flags & SEC_ACE_FLAG_INHERITED_ACE)
- break;
- }
-
- /* i now points at entry number of the first inherited ACE. */
-
- /* Sort the non-inherited ACEs. */
- if (i)
- qsort( srclist, i, sizeof(srclist[0]), QSORT_CAST nt_ace_canon_comp);
-
- /* Now sort the inherited ACEs. */
- if (num_aces - i)
- qsort( &srclist[i], num_aces - i, sizeof(srclist[0]), QSORT_CAST nt_ace_canon_comp);
-}
-
-/*******************************************************************
- Check if this ACE has a SID in common with the token.
-********************************************************************/
-
-bool token_sid_in_ace(const NT_USER_TOKEN *token, const SEC_ACE *ace)
-{
- size_t i;
-
- for (i = 0; i < token->num_sids; i++) {
- if (sid_equal(&ace->trustee, &token->user_sids[i]))
- return True;
- }
-
- return False;
-}
diff --git a/source3/lib/secacl.c b/source3/lib/secacl.c
deleted file mode 100644
index 5e82242e1b..0000000000
--- a/source3/lib/secacl.c
+++ /dev/null
@@ -1,118 +0,0 @@
-/*
- * Unix SMB/Netbios implementation.
- * SEC_ACL handling routines
- * Copyright (C) Andrew Tridgell 1992-1998,
- * Copyright (C) Jeremy R. Allison 1995-2003.
- * Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
- * Copyright (C) Paul Ashton 1997-1998.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 3 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, see <http://www.gnu.org/licenses/>.
- */
-
-#include "includes.h"
-
-/*******************************************************************
- Create a SEC_ACL structure.
-********************************************************************/
-
-SEC_ACL *make_sec_acl(TALLOC_CTX *ctx, enum security_acl_revision revision,
- int num_aces, SEC_ACE *ace_list)
-{
- SEC_ACL *dst;
- int i;
-
- if((dst = TALLOC_ZERO_P(ctx,SEC_ACL)) == NULL)
- return NULL;
-
- dst->revision = revision;
- dst->num_aces = num_aces;
- dst->size = SEC_ACL_HEADER_SIZE;
-
- /* Now we need to return a non-NULL address for the ace list even
- if the number of aces required is zero. This is because there
- is a distinct difference between a NULL ace and an ace with zero
- entries in it. This is achieved by checking that num_aces is a
- positive number. */
-
- if ((num_aces) &&
- ((dst->aces = TALLOC_ARRAY(ctx, SEC_ACE, num_aces))
- == NULL)) {
- return NULL;
- }
-
- for (i = 0; i < num_aces; i++) {
- dst->aces[i] = ace_list[i]; /* Structure copy. */
- dst->size += ace_list[i].size;
- }
-
- return dst;
-}
-
-/*******************************************************************
- Duplicate a SEC_ACL structure.
-********************************************************************/
-
-SEC_ACL *dup_sec_acl(TALLOC_CTX *ctx, SEC_ACL *src)
-{
- if(src == NULL)
- return NULL;
-
- return make_sec_acl(ctx, src->revision, src->num_aces, src->aces);
-}
-
-/*******************************************************************
- Compares two SEC_ACL structures
-********************************************************************/
-
-bool sec_acl_equal(SEC_ACL *s1, SEC_ACL *s2)
-{
- unsigned int i, j;
-
- /* Trivial cases */
-
- if (!s1 && !s2) return True;
- if (!s1 || !s2) return False;
-
- /* Check top level stuff */
-
- if (s1->revision != s2->revision) {
- DEBUG(10, ("sec_acl_equal(): revision differs (%d != %d)\n",
- s1->revision, s2->revision));
- return False;
- }
-
- if (s1->num_aces != s2->num_aces) {
- DEBUG(10, ("sec_acl_equal(): num_aces differs (%d != %d)\n",
- s1->revision, s2->revision));
- return False;
- }
-
- /* The ACEs could be in any order so check each ACE in s1 against
- each ACE in s2. */
-
- for (i = 0; i < s1->num_aces; i++) {
- bool found = False;
-
- for (j = 0; j < s2->num_aces; j++) {
- if (sec_ace_equal(&s1->aces[i], &s2->aces[j])) {
- found = True;
- break;
- }
- }
-
- if (!found) return False;
- }
-
- return True;
-}
diff --git a/source3/lib/util_nttoken.c b/source3/lib/util_nttoken.c
index 774ef498b7..76e7402422 100644
--- a/source3/lib/util_nttoken.c
+++ b/source3/lib/util_nttoken.c
@@ -115,3 +115,19 @@ NTSTATUS merge_nt_token(TALLOC_CTX *mem_ctx,
return NT_STATUS_OK;
}
+
+/*******************************************************************
+ Check if this ACE has a SID in common with the token.
+********************************************************************/
+
+bool token_sid_in_ace(const NT_USER_TOKEN *token, const struct security_ace *ace)
+{
+ size_t i;
+
+ for (i = 0; i < token->num_sids; i++) {
+ if (sid_equal(&ace->trustee, &token->user_sids[i]))
+ return true;
+ }
+
+ return false;
+}