authorSimo Sorce <idra@samba.org>2003-10-06 01:38:46 +0000
committerSimo Sorce <idra@samba.org>2003-10-06 01:38:46 +0000
commitb1f610ebb1ba1e6ae0f0e9fbbc703f6a4af68b67 (patch)
tree3a116be18471c30bdf79e89876cfb0529fd35162 /source3/lib
parent487130a6df828c21916ccddc6d3aa66169cd8bb2 (diff)
split some security related functions in their own files.
(no need to include all of smbd files to use some basic sec functions) also minor compile fixes. Couldn't compile to test these due to some kerberos problems with 3.0, but on HEAD they're working well, so I suppose it's ok to commit. (This used to be commit c78f2d0bd15ecd2ba643bb141cc35a3405787aa1)
Diffstat (limited to 'source3/lib')
-rw-r--r--source3/lib/talloc.c21
-rw-r--r--source3/lib/util_seaccess.c129
-rw-r--r--source3/lib/util_sid.c2
3 files changed, 1 insertions, 151 deletions
diff --git a/source3/lib/talloc.c b/source3/lib/talloc.c
index b6c8b2efdf..485dc28f31 100644
--- a/source3/lib/talloc.c
+++ b/source3/lib/talloc.c
@@ -54,27 +54,6 @@
#include "includes.h"
-struct talloc_chunk {
- struct talloc_chunk *next;
- size_t size;
- void *ptr;
-};
-
-
-struct talloc_ctx {
- struct talloc_chunk *list;
- size_t total_alloc_size;
-
- /** The name recorded for this pool, if any. Should describe
- * the purpose for which it was allocated. The string is
- * allocated within the pool. **/
- char *name;
-
- /** Pointer to the next allocate talloc pool, so that we can
- * summarize all talloc memory usage. **/
- struct talloc_ctx *next_ctx;
-};
-
/**
* Start of linked list of all talloc pools.
diff --git a/source3/lib/util_seaccess.c b/source3/lib/util_seaccess.c
index 2482d582d2..cb0f46e2f9 100644
--- a/source3/lib/util_seaccess.c
+++ b/source3/lib/util_seaccess.c
@@ -23,22 +23,6 @@
extern DOM_SID global_sid_Builtin;
-/**********************************************************************************
- Check if this ACE has a SID in common with the token.
-**********************************************************************************/
-
-static BOOL token_sid_in_ace(const NT_USER_TOKEN *token, const SEC_ACE *ace)
-{
- size_t i;
-
- for (i = 0; i < token->num_sids; i++) {
- if (sid_equal(&ace->trustee, &token->user_sids[i]))
- return True;
- }
-
- return False;
-}
-
/*********************************************************************************
Check an ACE against a SID. We return the remaining needed permission
bits not yet granted. Zero means permission allowed (no more needed bits).
@@ -332,119 +316,6 @@ BOOL se_access_check(const SEC_DESC *sd, const NT_USER_TOKEN *token,
return False;
}
-/* Create a child security descriptor using another security descriptor as
- the parent container. This child object can either be a container or
- non-container object. */
-
-SEC_DESC_BUF *se_create_child_secdesc(TALLOC_CTX *ctx, SEC_DESC *parent_ctr,
- BOOL child_container)
-{
- SEC_DESC_BUF *sdb;
- SEC_DESC *sd;
- SEC_ACL *new_dacl, *the_acl;
- SEC_ACE *new_ace_list = NULL;
- unsigned int new_ace_list_ndx = 0, i;
- size_t size;
-
- /* Currently we only process the dacl when creating the child. The
- sacl should also be processed but this is left out as sacls are
- not implemented in Samba at the moment.*/
-
- the_acl = parent_ctr->dacl;
-
- if (!(new_ace_list = talloc(ctx, sizeof(SEC_ACE) * the_acl->num_aces)))
- return NULL;
-
- for (i = 0; the_acl && i < the_acl->num_aces; i++) {
- SEC_ACE *ace = &the_acl->ace[i];
- SEC_ACE *new_ace = &new_ace_list[new_ace_list_ndx];
- uint8 new_flags = 0;
- BOOL inherit = False;
- fstring sid_str;
-
- /* The OBJECT_INHERIT_ACE flag causes the ACE to be
- inherited by non-container children objects. Container
- children objects will inherit it as an INHERIT_ONLY
- ACE. */
-
- if (ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT) {
-
- if (!child_container) {
- new_flags |= SEC_ACE_FLAG_OBJECT_INHERIT;
- } else {
- new_flags |= SEC_ACE_FLAG_INHERIT_ONLY;
- }
-
- inherit = True;
- }
-
- /* The CONAINER_INHERIT_ACE flag means all child container
- objects will inherit and use the ACE. */
-
- if (ace->flags & SEC_ACE_FLAG_CONTAINER_INHERIT) {
- if (!child_container) {
- inherit = False;
- } else {
- new_flags |= SEC_ACE_FLAG_CONTAINER_INHERIT;
- }
- }
-
- /* The INHERIT_ONLY_ACE is not used by the se_access_check()
- function for the parent container, but is inherited by
- all child objects as a normal ACE. */
-
- if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
- /* Move along, nothing to see here */
- }
-
- /* The SEC_ACE_FLAG_NO_PROPAGATE_INHERIT flag means the ACE
- is inherited by child objects but not grandchildren
- objects. We clear the object inherit and container
- inherit flags in the inherited ACE. */
-
- if (ace->flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT) {
- new_flags &= ~(SEC_ACE_FLAG_OBJECT_INHERIT |
- SEC_ACE_FLAG_CONTAINER_INHERIT);
- }
-
- /* Add ACE to ACE list */
-
- if (!inherit)
- continue;
-
- init_sec_access(&new_ace->info, ace->info.mask);
- init_sec_ace(new_ace, &ace->trustee, ace->type,
- new_ace->info, new_flags);
-
- sid_to_string(sid_str, &ace->trustee);
-
- DEBUG(5, ("se_create_child_secdesc(): %s:%d/0x%02x/0x%08x "
- " inherited as %s:%d/0x%02x/0x%08x\n", sid_str,
- ace->type, ace->flags, ace->info.mask,
- sid_str, new_ace->type, new_ace->flags,
- new_ace->info.mask));
-
- new_ace_list_ndx++;
- }
-
- /* Create child security descriptor to return */
-
- new_dacl = make_sec_acl(ctx, ACL_REVISION, new_ace_list_ndx, new_ace_list);
-
- /* Use the existing user and group sids. I don't think this is
- correct. Perhaps the user and group should be passed in as
- parameters by the caller? */
-
- sd = make_sec_desc(ctx, SEC_DESC_REVISION, SEC_DESC_SELF_RELATIVE,
- parent_ctr->owner_sid,
- parent_ctr->grp_sid,
- parent_ctr->sacl,
- new_dacl, &size);
-
- sdb = make_sec_desc_buf(ctx, size, sd);
-
- return sdb;
-}
/*******************************************************************
samr_make_sam_obj_sd
diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c
index fbb393770d..50bbb4c72c 100644
--- a/source3/lib/util_sid.c
+++ b/source3/lib/util_sid.c
@@ -638,7 +638,7 @@ void print_guid(GUID *guid)
Tallocs a duplicate SID.
********************************************************************/
-DOM_SID *sid_dup_talloc(TALLOC_CTX *ctx, DOM_SID *src)
+DOM_SID *sid_dup_talloc(TALLOC_CTX *ctx, const DOM_SID *src)
{
DOM_SID *dst;
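Review bot: The new `const DOM_SID *src` parameter on `sid_dup_talloc` changes the function's type at its definition, but no matching declaration change is visible in this path-limited diff, and the commit message says the 3.0 tree could not be compiled. The prototype (hand-written or generated) should be confirmed to carry the same `const`, otherwise the conflicting declaration only surfaces at the next build. The header comment could also state the contract, for example `Tallocs a duplicate SID on ctx; src is not modified.`, with the NULL-src and allocation-failure results added once checked against the body, which continues outside the hunk.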