summaryrefslogtreecommitdiff
path: root/source3/lib
diff options
context:
space:
mode:
authorJelmer Vernooij <jelmer@samba.org>2006-09-20 22:23:12 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 12:00:54 -0500
commit4db7642caa99c1b054322a8971c4b673556487ce (patch)
tree4ca6f040d613bc8127f43cd30a2bc12d3192471b /source3/lib
parent3ef4b8cf2f4a52c08b71fa8cac1ce4e8409c160b (diff)
downloadsamba-4db7642caa99c1b054322a8971c4b673556487ce.tar.gz
samba-4db7642caa99c1b054322a8971c4b673556487ce.tar.bz2
samba-4db7642caa99c1b054322a8971c4b673556487ce.zip
r18745: Use the Samba4 data structures for security descriptors and security descriptor
buffers. Make security access masks simply a uint32 rather than a structure with a uint32 in it. (This used to be commit b41c52b9db5fc4a553b20a7a5a051a4afced9366)
Diffstat (limited to 'source3/lib')
-rw-r--r--source3/lib/display_sec.c10
-rw-r--r--source3/lib/secace.c16
-rw-r--r--source3/lib/secacl.c8
-rw-r--r--source3/lib/secdesc.c81
-rw-r--r--source3/lib/util_seaccess.c10
5 files changed, 58 insertions, 67 deletions
diff --git a/source3/lib/display_sec.c b/source3/lib/display_sec.c
index 49a86c261c..2b3542922c 100644
--- a/source3/lib/display_sec.c
+++ b/source3/lib/display_sec.c
@@ -63,7 +63,7 @@ char *get_sec_mask_str(uint32 type)
****************************************************************************/
void display_sec_access(SEC_ACCESS *info)
{
- printf("\t\tPermissions: 0x%x: %s\n", info->mask, get_sec_mask_str(info->mask));
+ printf("\t\tPermissions: 0x%x: %s\n", *info, get_sec_mask_str(*info));
}
/****************************************************************************
@@ -92,7 +92,7 @@ void display_sec_ace(SEC_ACE *ace)
break;
}
printf(" (%d) flags: %d\n", ace->type, ace->flags);
- display_sec_access(&ace->info);
+ display_sec_access(&ace->access_mask);
sid_to_string(sid_str, &ace->trustee);
printf("\t\tSID: %s\n\n", sid_str);
}
@@ -110,7 +110,7 @@ void display_sec_acl(SEC_ACL *sec_acl)
if (sec_acl->size != 0 && sec_acl->num_aces != 0)
for (i = 0; i < sec_acl->num_aces; i++)
- display_sec_ace(&sec_acl->ace[i]);
+ display_sec_ace(&sec_acl->aces[i]);
}
@@ -179,8 +179,8 @@ void display_sec_desc(SEC_DESC *sec)
printf("\tOwner SID:\t%s\n", sid_str);
}
- if (sec->grp_sid) {
- sid_to_string(sid_str, sec->grp_sid);
+ if (sec->group_sid) {
+ sid_to_string(sid_str, sec->group_sid);
printf("\tParent SID:\t%s\n", sid_str);
}
}
diff --git a/source3/lib/secace.c b/source3/lib/secace.c
index eb2fdd5c2b..d60722c57e 100644
--- a/source3/lib/secace.c
+++ b/source3/lib/secace.c
@@ -46,10 +46,8 @@ void sec_ace_copy(SEC_ACE *ace_dest, SEC_ACE *ace_src)
ace_dest->type = ace_src->type;
ace_dest->flags = ace_src->flags;
ace_dest->size = ace_src->size;
- ace_dest->info.mask = ace_src->info.mask;
- ace_dest->obj_flags = ace_src->obj_flags;
- memcpy(&ace_dest->obj_guid, &ace_src->obj_guid, sizeof(struct GUID));
- memcpy(&ace_dest->inh_guid, &ace_src->inh_guid, sizeof(struct GUID));
+ ace_dest->access_mask = ace_src->access_mask;
+ ace_dest->object = ace_src->object;
sid_copy(&ace_dest->trustee, &ace_src->trustee);
}
@@ -57,12 +55,12 @@ void sec_ace_copy(SEC_ACE *ace_dest, SEC_ACE *ace_src)
Sets up a SEC_ACE structure.
********************************************************************/
-void init_sec_ace(SEC_ACE *t, const DOM_SID *sid, uint8 type, SEC_ACCESS mask, uint8 flag)
+void init_sec_ace(SEC_ACE *t, const DOM_SID *sid, uint8 type, uint32 mask, uint8 flag)
{
t->type = type;
t->flags = flag;
t->size = sid_size(sid) + 8;
- t->info = mask;
+ t->access_mask = mask;
ZERO_STRUCTP(&t->trustee);
sid_copy(&t->trustee, sid);
@@ -89,7 +87,7 @@ NTSTATUS sec_ace_add_sid(TALLOC_CTX *ctx, SEC_ACE **pp_new, SEC_ACE *old, unsign
(*pp_new)[i].type = 0;
(*pp_new)[i].flags = 0;
(*pp_new)[i].size = SEC_ACE_HEADER_SIZE + sid_size(sid);
- (*pp_new)[i].info.mask = mask;
+ (*pp_new)[i].access_mask = mask;
sid_copy(&(*pp_new)[i].trustee, sid);
return NT_STATUS_OK;
}
@@ -106,7 +104,7 @@ NTSTATUS sec_ace_mod_sid(SEC_ACE *ace, size_t num, DOM_SID *sid, uint32 mask)
for (i = 0; i < num; i ++) {
if (sid_compare(&ace[i].trustee, sid) == 0) {
- ace[i].info.mask = mask;
+ ace[i].access_mask = mask;
return NT_STATUS_OK;
}
}
@@ -160,7 +158,7 @@ BOOL sec_ace_equal(SEC_ACE *s1, SEC_ACE *s2)
/* Check top level stuff */
if (s1->type != s2->type || s1->flags != s2->flags ||
- s1->info.mask != s2->info.mask) {
+ s1->access_mask != s2->access_mask) {
return False;
}
diff --git a/source3/lib/secacl.c b/source3/lib/secacl.c
index e213e0d9a0..4e2178c195 100644
--- a/source3/lib/secacl.c
+++ b/source3/lib/secacl.c
@@ -46,13 +46,13 @@ SEC_ACL *make_sec_acl(TALLOC_CTX *ctx, uint16 revision, int num_aces, SEC_ACE *a
positive number. */
if ((num_aces) &&
- ((dst->ace = TALLOC_ARRAY(ctx, SEC_ACE, num_aces))
+ ((dst->aces = TALLOC_ARRAY(ctx, SEC_ACE, num_aces))
== NULL)) {
return NULL;
}
for (i = 0; i < num_aces; i++) {
- dst->ace[i] = ace_list[i]; /* Structure copy. */
+ dst->aces[i] = ace_list[i]; /* Structure copy. */
dst->size += ace_list[i].size;
}
@@ -68,7 +68,7 @@ SEC_ACL *dup_sec_acl(TALLOC_CTX *ctx, SEC_ACL *src)
if(src == NULL)
return NULL;
- return make_sec_acl(ctx, src->revision, src->num_aces, src->ace);
+ return make_sec_acl(ctx, src->revision, src->num_aces, src->aces);
}
/*******************************************************************
@@ -105,7 +105,7 @@ BOOL sec_acl_equal(SEC_ACL *s1, SEC_ACL *s2)
BOOL found = False;
for (j = 0; j < s2->num_aces; j++) {
- if (sec_ace_equal(&s1->ace[i], &s2->ace[j])) {
+ if (sec_ace_equal(&s1->aces[i], &s2->aces[j])) {
found = True;
break;
}
diff --git a/source3/lib/secdesc.c b/source3/lib/secdesc.c
index f8873277cf..2f592769b3 100644
--- a/source3/lib/secdesc.c
+++ b/source3/lib/secdesc.c
@@ -49,8 +49,8 @@ size_t sec_desc_size(SEC_DESC *psd)
if (psd->owner_sid != NULL)
offset += sid_size(psd->owner_sid);
- if (psd->grp_sid != NULL)
- offset += sid_size(psd->grp_sid);
+ if (psd->group_sid != NULL)
+ offset += sid_size(psd->group_sid);
if (psd->sacl != NULL)
offset += psd->sacl->size;
@@ -104,11 +104,11 @@ BOOL sec_desc_equal(SEC_DESC *s1, SEC_DESC *s2)
return False;
}
- if (!sid_equal(s1->grp_sid, s2->grp_sid)) {
+ if (!sid_equal(s1->group_sid, s2->group_sid)) {
fstring str1, str2;
- sid_to_string(str1, s1->grp_sid);
- sid_to_string(str2, s2->grp_sid);
+ sid_to_string(str1, s1->group_sid);
+ sid_to_string(str2, s2->group_sid);
DEBUG(10, ("sec_desc_equal(): group differs (%s != %s)\n",
str1, str2));
@@ -154,13 +154,13 @@ SEC_DESC_BUF *sec_desc_merge(TALLOC_CTX *ctx, SEC_DESC_BUF *new_sdb, SEC_DESC_BU
/* Copy over owner and group sids. There seems to be no flag for
this so just check the pointer values. */
- owner_sid = new_sdb->sec->owner_sid ? new_sdb->sec->owner_sid :
- old_sdb->sec->owner_sid;
+ owner_sid = new_sdb->sd->owner_sid ? new_sdb->sd->owner_sid :
+ old_sdb->sd->owner_sid;
- group_sid = new_sdb->sec->grp_sid ? new_sdb->sec->grp_sid :
- old_sdb->sec->grp_sid;
+ group_sid = new_sdb->sd->group_sid ? new_sdb->sd->group_sid :
+ old_sdb->sd->group_sid;
- secdesc_type = new_sdb->sec->type;
+ secdesc_type = new_sdb->sd->type;
/* Ignore changes to the system ACL. This has the effect of making
changes through the security tab audit button not sticking.
@@ -172,14 +172,14 @@ SEC_DESC_BUF *sec_desc_merge(TALLOC_CTX *ctx, SEC_DESC_BUF *new_sdb, SEC_DESC_BU
/* Copy across discretionary ACL */
if (secdesc_type & SEC_DESC_DACL_PRESENT) {
- dacl = new_sdb->sec->dacl;
+ dacl = new_sdb->sd->dacl;
} else {
- dacl = old_sdb->sec->dacl;
+ dacl = old_sdb->sd->dacl;
}
/* Create new security descriptor from bits */
- psd = make_sec_desc(ctx, new_sdb->sec->revision, secdesc_type,
+ psd = make_sec_desc(ctx, new_sdb->sd->revision, secdesc_type,
owner_sid, group_sid, sacl, dacl, &secdesc_size);
return_sdb = make_sec_desc_buf(ctx, secdesc_size, psd);
@@ -211,15 +211,15 @@ SEC_DESC *make_sec_desc(TALLOC_CTX *ctx, uint16 revision, uint16 type,
if (dacl)
dst->type |= SEC_DESC_DACL_PRESENT;
- dst->off_owner_sid = 0;
- dst->off_grp_sid = 0;
- dst->off_sacl = 0;
- dst->off_dacl = 0;
+ dst->owner_sid = NULL;
+ dst->group_sid = NULL;
+ dst->sacl = NULL;
+ dst->dacl = NULL;
if(owner_sid && ((dst->owner_sid = sid_dup_talloc(ctx,owner_sid)) == NULL))
goto error_exit;
- if(grp_sid && ((dst->grp_sid = sid_dup_talloc(ctx,grp_sid)) == NULL))
+ if(grp_sid && ((dst->group_sid = sid_dup_talloc(ctx,grp_sid)) == NULL))
goto error_exit;
if(sacl && ((dst->sacl = dup_sec_acl(ctx, sacl)) == NULL))
@@ -235,22 +235,18 @@ SEC_DESC *make_sec_desc(TALLOC_CTX *ctx, uint16 revision, uint16 type,
*/
if (dst->sacl != NULL) {
- dst->off_sacl = offset;
offset += dst->sacl->size;
}
if (dst->dacl != NULL) {
- dst->off_dacl = offset;
offset += dst->dacl->size;
}
if (dst->owner_sid != NULL) {
- dst->off_owner_sid = offset;
offset += sid_size(dst->owner_sid);
}
- if (dst->grp_sid != NULL) {
- dst->off_grp_sid = offset;
- offset += sid_size(dst->grp_sid);
+ if (dst->group_sid != NULL) {
+ offset += sid_size(dst->group_sid);
}
*sd_size = (size_t)offset;
@@ -274,7 +270,7 @@ SEC_DESC *dup_sec_desc(TALLOC_CTX *ctx, const SEC_DESC *src)
return NULL;
return make_sec_desc( ctx, src->revision, src->type,
- src->owner_sid, src->grp_sid, src->sacl,
+ src->owner_sid, src->group_sid, src->sacl,
src->dacl, &dummy);
}
@@ -301,15 +297,12 @@ SEC_DESC_BUF *make_sec_desc_buf(TALLOC_CTX *ctx, size_t len, SEC_DESC *sec_desc)
return NULL;
/* max buffer size (allocated size) */
- dst->max_len = (uint32)len;
- dst->len = (uint32)len;
+ dst->sd_size = (uint32)len;
- if(sec_desc && ((dst->sec = dup_sec_desc(ctx, sec_desc)) == NULL)) {
+ if(sec_desc && ((dst->sd = dup_sec_desc(ctx, sec_desc)) == NULL)) {
return NULL;
}
- dst->ptr = 0x1;
-
return dst;
}
@@ -322,7 +315,7 @@ SEC_DESC_BUF *dup_sec_desc_buf(TALLOC_CTX *ctx, SEC_DESC_BUF *src)
if(src == NULL)
return NULL;
- return make_sec_desc_buf( ctx, src->len, src->sec);
+ return make_sec_desc_buf( ctx, src->sd_size, src->sd);
}
/*******************************************************************
@@ -341,7 +334,7 @@ NTSTATUS sec_desc_add_sid(TALLOC_CTX *ctx, SEC_DESC **psd, DOM_SID *sid, uint32
*sd_size = 0;
- status = sec_ace_add_sid(ctx, &ace, psd[0]->dacl->ace, &psd[0]->dacl->num_aces, sid, mask);
+ status = sec_ace_add_sid(ctx, &ace, psd[0]->dacl->aces, &psd[0]->dacl->num_aces, sid, mask);
if (!NT_STATUS_IS_OK(status))
return status;
@@ -350,7 +343,7 @@ NTSTATUS sec_desc_add_sid(TALLOC_CTX *ctx, SEC_DESC **psd, DOM_SID *sid, uint32
return NT_STATUS_UNSUCCESSFUL;
if (!(sd = make_sec_desc(ctx, psd[0]->revision, psd[0]->type, psd[0]->owner_sid,
- psd[0]->grp_sid, psd[0]->sacl, dacl, sd_size)))
+ psd[0]->group_sid, psd[0]->sacl, dacl, sd_size)))
return NT_STATUS_UNSUCCESSFUL;
*psd = sd;
@@ -369,7 +362,7 @@ NTSTATUS sec_desc_mod_sid(SEC_DESC *sd, DOM_SID *sid, uint32 mask)
if (!sd || !sid)
return NT_STATUS_INVALID_PARAMETER;
- status = sec_ace_mod_sid(sd->dacl->ace, sd->dacl->num_aces, sid, mask);
+ status = sec_ace_mod_sid(sd->dacl->aces, sd->dacl->num_aces, sid, mask);
if (!NT_STATUS_IS_OK(status))
return status;
@@ -393,7 +386,7 @@ NTSTATUS sec_desc_del_sid(TALLOC_CTX *ctx, SEC_DESC **psd, DOM_SID *sid, size_t
*sd_size = 0;
- status = sec_ace_del_sid(ctx, &ace, psd[0]->dacl->ace, &psd[0]->dacl->num_aces, sid);
+ status = sec_ace_del_sid(ctx, &ace, psd[0]->dacl->aces, &psd[0]->dacl->num_aces, sid);
if (!NT_STATUS_IS_OK(status))
return status;
@@ -402,7 +395,7 @@ NTSTATUS sec_desc_del_sid(TALLOC_CTX *ctx, SEC_DESC **psd, DOM_SID *sid, size_t
return NT_STATUS_UNSUCCESSFUL;
if (!(sd = make_sec_desc(ctx, psd[0]->revision, psd[0]->type, psd[0]->owner_sid,
- psd[0]->grp_sid, psd[0]->sacl, dacl, sd_size)))
+ psd[0]->group_sid, psd[0]->sacl, dacl, sd_size)))
return NT_STATUS_UNSUCCESSFUL;
*psd = sd;
@@ -434,7 +427,7 @@ SEC_DESC_BUF *se_create_child_secdesc(TALLOC_CTX *ctx, SEC_DESC *parent_ctr,
return NULL;
for (i = 0; i < the_acl->num_aces; i++) {
- SEC_ACE *ace = &the_acl->ace[i];
+ SEC_ACE *ace = &the_acl->aces[i];
SEC_ACE *new_ace = &new_ace_list[new_ace_list_ndx];
uint8 new_flags = 0;
BOOL inherit = False;
@@ -490,17 +483,17 @@ SEC_DESC_BUF *se_create_child_secdesc(TALLOC_CTX *ctx, SEC_DESC *parent_ctr,
if (!inherit)
continue;
- init_sec_access(&new_ace->info, ace->info.mask);
+ init_sec_access(&new_ace->access_mask, ace->access_mask);
init_sec_ace(new_ace, &ace->trustee, ace->type,
- new_ace->info, new_flags);
+ new_ace->access_mask, new_flags);
sid_to_string(sid_str, &ace->trustee);
DEBUG(5, ("se_create_child_secdesc(): %s:%d/0x%02x/0x%08x "
" inherited as %s:%d/0x%02x/0x%08x\n", sid_str,
- ace->type, ace->flags, ace->info.mask,
+ ace->type, ace->flags, ace->access_mask,
sid_str, new_ace->type, new_ace->flags,
- new_ace->info.mask));
+ new_ace->access_mask));
new_ace_list_ndx++;
}
@@ -515,7 +508,7 @@ SEC_DESC_BUF *se_create_child_secdesc(TALLOC_CTX *ctx, SEC_DESC *parent_ctr,
sd = make_sec_desc(ctx, SEC_DESC_REVISION, SEC_DESC_SELF_RELATIVE,
parent_ctr->owner_sid,
- parent_ctr->grp_sid,
+ parent_ctr->group_sid,
parent_ctr->sacl,
new_dacl, &size);
@@ -528,9 +521,9 @@ SEC_DESC_BUF *se_create_child_secdesc(TALLOC_CTX *ctx, SEC_DESC *parent_ctr,
Sets up a SEC_ACCESS structure.
********************************************************************/
-void init_sec_access(SEC_ACCESS *t, uint32 mask)
+void init_sec_access(uint32 *t, uint32 mask)
{
- t->mask = mask;
+ *t = mask;
}
diff --git a/source3/lib/util_seaccess.c b/source3/lib/util_seaccess.c
index 73fc45c844..7d14ed896f 100644
--- a/source3/lib/util_seaccess.c
+++ b/source3/lib/util_seaccess.c
@@ -31,7 +31,7 @@ extern NT_USER_TOKEN anonymous_token;
static uint32 check_ace(SEC_ACE *ace, const NT_USER_TOKEN *token, uint32 acc_desired,
NTSTATUS *status)
{
- uint32 mask = ace->info.mask;
+ uint32 mask = ace->access_mask;
/*
* Inherit only is ignored.
@@ -97,8 +97,8 @@ static BOOL get_max_access( SEC_ACL *the_acl, const NT_USER_TOKEN *token, uint32
size_t i;
for ( i = 0 ; i < the_acl->num_aces; i++) {
- SEC_ACE *ace = &the_acl->ace[i];
- uint32 mask = ace->info.mask;
+ SEC_ACE *ace = &the_acl->aces[i];
+ uint32 mask = ace->access_mask;
if (!token_sid_in_ace( token, ace))
continue;
@@ -281,12 +281,12 @@ BOOL se_access_check(const SEC_DESC *sd, const NT_USER_TOKEN *token,
}
for ( i = 0 ; i < the_acl->num_aces && tmp_acc_desired != 0; i++) {
- SEC_ACE *ace = &the_acl->ace[i];
+ SEC_ACE *ace = &the_acl->aces[i];
DEBUGADD(10,("se_access_check: ACE %u: type %d, flags = 0x%02x, SID = %s mask = %x, current desired = %x\n",
(unsigned int)i, ace->type, ace->flags,
sid_to_string(sid_str, &ace->trustee),
- (unsigned int) ace->info.mask,
+ (unsigned int) ace->access_mask,
(unsigned int)tmp_acc_desired ));
tmp_acc_desired = check_ace( ace, token, tmp_acc_desired, status);