diff options
| author | Jelmer Vernooij <jelmer@samba.org> | 2006-09-20 22:23:12 +0000 |
|---|---|---|
| committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 12:00:54 -0500 |
| commit | 4db7642caa99c1b054322a8971c4b673556487ce (patch) | |
| tree | 4ca6f040d613bc8127f43cd30a2bc12d3192471b /source3/lib | |
| parent | 3ef4b8cf2f4a52c08b71fa8cac1ce4e8409c160b (diff) | |
| download | samba-4db7642caa99c1b054322a8971c4b673556487ce.tar.gz samba-4db7642caa99c1b054322a8971c4b673556487ce.tar.bz2 samba-4db7642caa99c1b054322a8971c4b673556487ce.zip | |
r18745: Use the Samba4 data structures for security descriptors and security descriptor
buffers.
Make security access masks simply a uint32 rather than a structure
with a uint32 in it.
(This used to be commit b41c52b9db5fc4a553b20a7a5a051a4afced9366)
Diffstat (limited to 'source3/lib')
| -rw-r--r-- | source3/lib/display_sec.c | 10 | ||||
| -rw-r--r-- | source3/lib/secace.c | 16 | ||||
| -rw-r--r-- | source3/lib/secacl.c | 8 | ||||
| -rw-r--r-- | source3/lib/secdesc.c | 81 | ||||
| -rw-r--r-- | source3/lib/util_seaccess.c | 10 |
5 files changed, 58 insertions, 67 deletions
diff --git a/source3/lib/display_sec.c b/source3/lib/display_sec.c index 49a86c261c..2b3542922c 100644 --- a/source3/lib/display_sec.c +++ b/source3/lib/display_sec.c @@ -63,7 +63,7 @@ char *get_sec_mask_str(uint32 type) ****************************************************************************/ void display_sec_access(SEC_ACCESS *info) { - printf("\t\tPermissions: 0x%x: %s\n", info->mask, get_sec_mask_str(info->mask)); + printf("\t\tPermissions: 0x%x: %s\n", *info, get_sec_mask_str(*info)); } /**************************************************************************** @@ -92,7 +92,7 @@ void display_sec_ace(SEC_ACE *ace) break; } printf(" (%d) flags: %d\n", ace->type, ace->flags); - display_sec_access(&ace->info); + display_sec_access(&ace->access_mask); sid_to_string(sid_str, &ace->trustee); printf("\t\tSID: %s\n\n", sid_str); } @@ -110,7 +110,7 @@ void display_sec_acl(SEC_ACL *sec_acl) if (sec_acl->size != 0 && sec_acl->num_aces != 0) for (i = 0; i < sec_acl->num_aces; i++) - display_sec_ace(&sec_acl->ace[i]); + display_sec_ace(&sec_acl->aces[i]); } @@ -179,8 +179,8 @@ void display_sec_desc(SEC_DESC *sec) printf("\tOwner SID:\t%s\n", sid_str); } - if (sec->grp_sid) { - sid_to_string(sid_str, sec->grp_sid); + if (sec->group_sid) { + sid_to_string(sid_str, sec->group_sid); printf("\tParent SID:\t%s\n", sid_str); } } diff --git a/source3/lib/secace.c b/source3/lib/secace.c index eb2fdd5c2b..d60722c57e 100644 --- a/source3/lib/secace.c +++ b/source3/lib/secace.c @@ -46,10 +46,8 @@ void sec_ace_copy(SEC_ACE *ace_dest, SEC_ACE *ace_src) ace_dest->type = ace_src->type; ace_dest->flags = ace_src->flags; ace_dest->size = ace_src->size; - ace_dest->info.mask = ace_src->info.mask; - ace_dest->obj_flags = ace_src->obj_flags; - memcpy(&ace_dest->obj_guid, &ace_src->obj_guid, sizeof(struct GUID)); - memcpy(&ace_dest->inh_guid, &ace_src->inh_guid, sizeof(struct GUID)); + ace_dest->access_mask = ace_src->access_mask; + ace_dest->object = ace_src->object; sid_copy(&ace_dest->trustee, &ace_src->trustee); } @@ -57,12 +55,12 @@ void sec_ace_copy(SEC_ACE *ace_dest, SEC_ACE *ace_src) Sets up a SEC_ACE structure. ********************************************************************/ -void init_sec_ace(SEC_ACE *t, const DOM_SID *sid, uint8 type, SEC_ACCESS mask, uint8 flag) +void init_sec_ace(SEC_ACE *t, const DOM_SID *sid, uint8 type, uint32 mask, uint8 flag) { t->type = type; t->flags = flag; t->size = sid_size(sid) + 8; - t->info = mask; + t->access_mask = mask; ZERO_STRUCTP(&t->trustee); sid_copy(&t->trustee, sid); @@ -89,7 +87,7 @@ NTSTATUS sec_ace_add_sid(TALLOC_CTX *ctx, SEC_ACE **pp_new, SEC_ACE *old, unsign (*pp_new)[i].type = 0; (*pp_new)[i].flags = 0; (*pp_new)[i].size = SEC_ACE_HEADER_SIZE + sid_size(sid); - (*pp_new)[i].info.mask = mask; + (*pp_new)[i].access_mask = mask; sid_copy(&(*pp_new)[i].trustee, sid); return NT_STATUS_OK; } @@ -106,7 +104,7 @@ NTSTATUS sec_ace_mod_sid(SEC_ACE *ace, size_t num, DOM_SID *sid, uint32 mask) for (i = 0; i < num; i ++) { if (sid_compare(&ace[i].trustee, sid) == 0) { - ace[i].info.mask = mask; + ace[i].access_mask = mask; return NT_STATUS_OK; } } @@ -160,7 +158,7 @@ BOOL sec_ace_equal(SEC_ACE *s1, SEC_ACE *s2) /* Check top level stuff */ if (s1->type != s2->type || s1->flags != s2->flags || - s1->info.mask != s2->info.mask) { + s1->access_mask != s2->access_mask) { return False; } diff --git a/source3/lib/secacl.c b/source3/lib/secacl.c index e213e0d9a0..4e2178c195 100644 --- a/source3/lib/secacl.c +++ b/source3/lib/secacl.c @@ -46,13 +46,13 @@ SEC_ACL *make_sec_acl(TALLOC_CTX *ctx, uint16 revision, int num_aces, SEC_ACE *a positive number. */ if ((num_aces) && - ((dst->ace = TALLOC_ARRAY(ctx, SEC_ACE, num_aces)) + ((dst->aces = TALLOC_ARRAY(ctx, SEC_ACE, num_aces)) == NULL)) { return NULL; } for (i = 0; i < num_aces; i++) { - dst->ace[i] = ace_list[i]; /* Structure copy. */ + dst->aces[i] = ace_list[i]; /* Structure copy. */ dst->size += ace_list[i].size; } @@ -68,7 +68,7 @@ SEC_ACL *dup_sec_acl(TALLOC_CTX *ctx, SEC_ACL *src) if(src == NULL) return NULL; - return make_sec_acl(ctx, src->revision, src->num_aces, src->ace); + return make_sec_acl(ctx, src->revision, src->num_aces, src->aces); } /******************************************************************* @@ -105,7 +105,7 @@ BOOL sec_acl_equal(SEC_ACL *s1, SEC_ACL *s2) BOOL found = False; for (j = 0; j < s2->num_aces; j++) { - if (sec_ace_equal(&s1->ace[i], &s2->ace[j])) { + if (sec_ace_equal(&s1->aces[i], &s2->aces[j])) { found = True; break; } diff --git a/source3/lib/secdesc.c b/source3/lib/secdesc.c index f8873277cf..2f592769b3 100644 --- a/source3/lib/secdesc.c +++ b/source3/lib/secdesc.c @@ -49,8 +49,8 @@ size_t sec_desc_size(SEC_DESC *psd) if (psd->owner_sid != NULL) offset += sid_size(psd->owner_sid); - if (psd->grp_sid != NULL) - offset += sid_size(psd->grp_sid); + if (psd->group_sid != NULL) + offset += sid_size(psd->group_sid); if (psd->sacl != NULL) offset += psd->sacl->size; @@ -104,11 +104,11 @@ BOOL sec_desc_equal(SEC_DESC *s1, SEC_DESC *s2) return False; } - if (!sid_equal(s1->grp_sid, s2->grp_sid)) { + if (!sid_equal(s1->group_sid, s2->group_sid)) { fstring str1, str2; - sid_to_string(str1, s1->grp_sid); - sid_to_string(str2, s2->grp_sid); + sid_to_string(str1, s1->group_sid); + sid_to_string(str2, s2->group_sid); DEBUG(10, ("sec_desc_equal(): group differs (%s != %s)\n", str1, str2)); @@ -154,13 +154,13 @@ SEC_DESC_BUF *sec_desc_merge(TALLOC_CTX *ctx, SEC_DESC_BUF *new_sdb, SEC_DESC_BU /* Copy over owner and group sids. There seems to be no flag for this so just check the pointer values. */ - owner_sid = new_sdb->sec->owner_sid ? new_sdb->sec->owner_sid : - old_sdb->sec->owner_sid; + owner_sid = new_sdb->sd->owner_sid ? new_sdb->sd->owner_sid : + old_sdb->sd->owner_sid; - group_sid = new_sdb->sec->grp_sid ? new_sdb->sec->grp_sid : - old_sdb->sec->grp_sid; + group_sid = new_sdb->sd->group_sid ? new_sdb->sd->group_sid : + old_sdb->sd->group_sid; - secdesc_type = new_sdb->sec->type; + secdesc_type = new_sdb->sd->type; /* Ignore changes to the system ACL. This has the effect of making changes through the security tab audit button not sticking. @@ -172,14 +172,14 @@ SEC_DESC_BUF *sec_desc_merge(TALLOC_CTX *ctx, SEC_DESC_BUF *new_sdb, SEC_DESC_BU /* Copy across discretionary ACL */ if (secdesc_type & SEC_DESC_DACL_PRESENT) { - dacl = new_sdb->sec->dacl; + dacl = new_sdb->sd->dacl; } else { - dacl = old_sdb->sec->dacl; + dacl = old_sdb->sd->dacl; } /* Create new security descriptor from bits */ - psd = make_sec_desc(ctx, new_sdb->sec->revision, secdesc_type, + psd = make_sec_desc(ctx, new_sdb->sd->revision, secdesc_type, owner_sid, group_sid, sacl, dacl, &secdesc_size); return_sdb = make_sec_desc_buf(ctx, secdesc_size, psd); @@ -211,15 +211,15 @@ SEC_DESC *make_sec_desc(TALLOC_CTX *ctx, uint16 revision, uint16 type, if (dacl) dst->type |= SEC_DESC_DACL_PRESENT; - dst->off_owner_sid = 0; - dst->off_grp_sid = 0; - dst->off_sacl = 0; - dst->off_dacl = 0; + dst->owner_sid = NULL; + dst->group_sid = NULL; + dst->sacl = NULL; + dst->dacl = NULL; if(owner_sid && ((dst->owner_sid = sid_dup_talloc(ctx,owner_sid)) == NULL)) goto error_exit; - if(grp_sid && ((dst->grp_sid = sid_dup_talloc(ctx,grp_sid)) == NULL)) + if(grp_sid && ((dst->group_sid = sid_dup_talloc(ctx,grp_sid)) == NULL)) goto error_exit; if(sacl && ((dst->sacl = dup_sec_acl(ctx, sacl)) == NULL)) @@ -235,22 +235,18 @@ SEC_DESC *make_sec_desc(TALLOC_CTX *ctx, uint16 revision, uint16 type, */ if (dst->sacl != NULL) { - dst->off_sacl = offset; offset += dst->sacl->size; } if (dst->dacl != NULL) { - dst->off_dacl = offset; offset += dst->dacl->size; } if (dst->owner_sid != NULL) { - dst->off_owner_sid = offset; offset += sid_size(dst->owner_sid); } - if (dst->grp_sid != NULL) { - dst->off_grp_sid = offset; - offset += sid_size(dst->grp_sid); + if (dst->group_sid != NULL) { + offset += sid_size(dst->group_sid); } *sd_size = (size_t)offset; @@ -274,7 +270,7 @@ SEC_DESC *dup_sec_desc(TALLOC_CTX *ctx, const SEC_DESC *src) return NULL; return make_sec_desc( ctx, src->revision, src->type, - src->owner_sid, src->grp_sid, src->sacl, + src->owner_sid, src->group_sid, src->sacl, src->dacl, &dummy); } @@ -301,15 +297,12 @@ SEC_DESC_BUF *make_sec_desc_buf(TALLOC_CTX *ctx, size_t len, SEC_DESC *sec_desc) return NULL; /* max buffer size (allocated size) */ - dst->max_len = (uint32)len; - dst->len = (uint32)len; + dst->sd_size = (uint32)len; - if(sec_desc && ((dst->sec = dup_sec_desc(ctx, sec_desc)) == NULL)) { + if(sec_desc && ((dst->sd = dup_sec_desc(ctx, sec_desc)) == NULL)) { return NULL; } - dst->ptr = 0x1; - return dst; } @@ -322,7 +315,7 @@ SEC_DESC_BUF *dup_sec_desc_buf(TALLOC_CTX *ctx, SEC_DESC_BUF *src) if(src == NULL) return NULL; - return make_sec_desc_buf( ctx, src->len, src->sec); + return make_sec_desc_buf( ctx, src->sd_size, src->sd); } /******************************************************************* @@ -341,7 +334,7 @@ NTSTATUS sec_desc_add_sid(TALLOC_CTX *ctx, SEC_DESC **psd, DOM_SID *sid, uint32 *sd_size = 0; - status = sec_ace_add_sid(ctx, &ace, psd[0]->dacl->ace, &psd[0]->dacl->num_aces, sid, mask); + status = sec_ace_add_sid(ctx, &ace, psd[0]->dacl->aces, &psd[0]->dacl->num_aces, sid, mask); if (!NT_STATUS_IS_OK(status)) return status; @@ -350,7 +343,7 @@ NTSTATUS sec_desc_add_sid(TALLOC_CTX *ctx, SEC_DESC **psd, DOM_SID *sid, uint32 return NT_STATUS_UNSUCCESSFUL; if (!(sd = make_sec_desc(ctx, psd[0]->revision, psd[0]->type, psd[0]->owner_sid, - psd[0]->grp_sid, psd[0]->sacl, dacl, sd_size))) + psd[0]->group_sid, psd[0]->sacl, dacl, sd_size))) return NT_STATUS_UNSUCCESSFUL; *psd = sd; @@ -369,7 +362,7 @@ NTSTATUS sec_desc_mod_sid(SEC_DESC *sd, DOM_SID *sid, uint32 mask) if (!sd || !sid) return NT_STATUS_INVALID_PARAMETER; - status = sec_ace_mod_sid(sd->dacl->ace, sd->dacl->num_aces, sid, mask); + status = sec_ace_mod_sid(sd->dacl->aces, sd->dacl->num_aces, sid, mask); if (!NT_STATUS_IS_OK(status)) return status; @@ -393,7 +386,7 @@ NTSTATUS sec_desc_del_sid(TALLOC_CTX *ctx, SEC_DESC **psd, DOM_SID *sid, size_t *sd_size = 0; - status = sec_ace_del_sid(ctx, &ace, psd[0]->dacl->ace, &psd[0]->dacl->num_aces, sid); + status = sec_ace_del_sid(ctx, &ace, psd[0]->dacl->aces, &psd[0]->dacl->num_aces, sid); if (!NT_STATUS_IS_OK(status)) return status; @@ -402,7 +395,7 @@ NTSTATUS sec_desc_del_sid(TALLOC_CTX *ctx, SEC_DESC **psd, DOM_SID *sid, size_t return NT_STATUS_UNSUCCESSFUL; if (!(sd = make_sec_desc(ctx, psd[0]->revision, psd[0]->type, psd[0]->owner_sid, - psd[0]->grp_sid, psd[0]->sacl, dacl, sd_size))) + psd[0]->group_sid, psd[0]->sacl, dacl, sd_size))) return NT_STATUS_UNSUCCESSFUL; *psd = sd; @@ -434,7 +427,7 @@ SEC_DESC_BUF *se_create_child_secdesc(TALLOC_CTX *ctx, SEC_DESC *parent_ctr, return NULL; for (i = 0; i < the_acl->num_aces; i++) { - SEC_ACE *ace = &the_acl->ace[i]; + SEC_ACE *ace = &the_acl->aces[i]; SEC_ACE *new_ace = &new_ace_list[new_ace_list_ndx]; uint8 new_flags = 0; BOOL inherit = False; @@ -490,17 +483,17 @@ SEC_DESC_BUF *se_create_child_secdesc(TALLOC_CTX *ctx, SEC_DESC *parent_ctr, if (!inherit) continue; - init_sec_access(&new_ace->info, ace->info.mask); + init_sec_access(&new_ace->access_mask, ace->access_mask); init_sec_ace(new_ace, &ace->trustee, ace->type, - new_ace->info, new_flags); + new_ace->access_mask, new_flags); sid_to_string(sid_str, &ace->trustee); DEBUG(5, ("se_create_child_secdesc(): %s:%d/0x%02x/0x%08x " " inherited as %s:%d/0x%02x/0x%08x\n", sid_str, - ace->type, ace->flags, ace->info.mask, + ace->type, ace->flags, ace->access_mask, sid_str, new_ace->type, new_ace->flags, - new_ace->info.mask)); + new_ace->access_mask)); new_ace_list_ndx++; } @@ -515,7 +508,7 @@ SEC_DESC_BUF *se_create_child_secdesc(TALLOC_CTX *ctx, SEC_DESC *parent_ctr, sd = make_sec_desc(ctx, SEC_DESC_REVISION, SEC_DESC_SELF_RELATIVE, parent_ctr->owner_sid, - parent_ctr->grp_sid, + parent_ctr->group_sid, parent_ctr->sacl, new_dacl, &size); @@ -528,9 +521,9 @@ SEC_DESC_BUF *se_create_child_secdesc(TALLOC_CTX *ctx, SEC_DESC *parent_ctr, Sets up a SEC_ACCESS structure. ********************************************************************/ -void init_sec_access(SEC_ACCESS *t, uint32 mask) +void init_sec_access(uint32 *t, uint32 mask) { - t->mask = mask; + *t = mask; } diff --git a/source3/lib/util_seaccess.c b/source3/lib/util_seaccess.c index 73fc45c844..7d14ed896f 100644 --- a/source3/lib/util_seaccess.c +++ b/source3/lib/util_seaccess.c @@ -31,7 +31,7 @@ extern NT_USER_TOKEN anonymous_token; static uint32 check_ace(SEC_ACE *ace, const NT_USER_TOKEN *token, uint32 acc_desired, NTSTATUS *status) { - uint32 mask = ace->info.mask; + uint32 mask = ace->access_mask; /* * Inherit only is ignored. @@ -97,8 +97,8 @@ static BOOL get_max_access( SEC_ACL *the_acl, const NT_USER_TOKEN *token, uint32 size_t i; for ( i = 0 ; i < the_acl->num_aces; i++) { - SEC_ACE *ace = &the_acl->ace[i]; - uint32 mask = ace->info.mask; + SEC_ACE *ace = &the_acl->aces[i]; + uint32 mask = ace->access_mask; if (!token_sid_in_ace( token, ace)) continue; @@ -281,12 +281,12 @@ BOOL se_access_check(const SEC_DESC *sd, const NT_USER_TOKEN *token, } for ( i = 0 ; i < the_acl->num_aces && tmp_acc_desired != 0; i++) { - SEC_ACE *ace = &the_acl->ace[i]; + SEC_ACE *ace = &the_acl->aces[i]; DEBUGADD(10,("se_access_check: ACE %u: type %d, flags = 0x%02x, SID = %s mask = %x, current desired = %x\n", (unsigned int)i, ace->type, ace->flags, sid_to_string(sid_str, &ace->trustee), - (unsigned int) ace->info.mask, + (unsigned int) ace->access_mask, (unsigned int)tmp_acc_desired )); tmp_acc_desired = check_ace( ace, token, tmp_acc_desired, status); |