summaryrefslogtreecommitdiff
path: root/source4/libcli/security
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2010-09-18 12:55:31 +1000
committerAndrew Tridgell <tridge@samba.org>2010-10-14 02:35:05 +0000
commita879a4610dac03b814ad40800f408416d250c6be (patch)
tree3b1bb4216ace458281db4bc3355f0fb3ccf42e89 /source4/libcli/security
parent8b22eefd252e5d8d787ce3368d54b23d75b00310 (diff)
downloadsamba-a879a4610dac03b814ad40800f408416d250c6be.tar.gz
samba-a879a4610dac03b814ad40800f408416d250c6be.tar.bz2
samba-a879a4610dac03b814ad40800f408416d250c6be.zip
libcli/auth Merge source4/libcli/security and util_sid.c into the common code
This should ensure we only have one copy of these core functions in the tree. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
Diffstat (limited to 'source4/libcli/security')
-rw-r--r--source4/libcli/security/access_check.c316
-rw-r--r--source4/libcli/security/create_descriptor.c410
-rw-r--r--source4/libcli/security/object_tree.c121
-rw-r--r--source4/libcli/security/wscript_build8
4 files changed, 1 insertions, 854 deletions
diff --git a/source4/libcli/security/access_check.c b/source4/libcli/security/access_check.c
deleted file mode 100644
index 5ae318be43..0000000000
--- a/source4/libcli/security/access_check.c
+++ /dev/null
@@ -1,316 +0,0 @@
-/*
- Unix SMB/CIFS implementation.
-
- security access checking routines
-
- Copyright (C) Andrew Tridgell 2004
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 3 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program. If not, see <http://www.gnu.org/licenses/>.
-*/
-
-#include "includes.h"
-#include "libcli/security/security.h"
-
-/*
- perform a SEC_FLAG_MAXIMUM_ALLOWED access check
-*/
-static uint32_t access_check_max_allowed(const struct security_descriptor *sd,
- const struct security_token *token)
-{
- uint32_t denied = 0, granted = 0;
- uint32_t i;
-
- if (security_token_has_sid(token, sd->owner_sid)) {
- granted |= SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL | SEC_STD_DELETE;
- } else if (security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
- granted |= SEC_STD_DELETE;
- }
-
- if (sd->dacl == NULL) {
- return granted & ~denied;
- }
-
- for (i = 0;i<sd->dacl->num_aces; i++) {
- struct security_ace *ace = &sd->dacl->aces[i];
-
- if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
- continue;
- }
-
- if (!security_token_has_sid(token, &ace->trustee)) {
- continue;
- }
-
- switch (ace->type) {
- case SEC_ACE_TYPE_ACCESS_ALLOWED:
- granted |= ace->access_mask;
- break;
- case SEC_ACE_TYPE_ACCESS_DENIED:
- case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
- denied |= ace->access_mask;
- break;
- default: /* Other ACE types not handled/supported */
- break;
- }
- }
-
- return granted & ~denied;
-}
-
-static const struct GUID *get_ace_object_type(struct security_ace *ace)
-{
- struct GUID *type;
-
- if (ace->object.object.flags & SEC_ACE_OBJECT_TYPE_PRESENT)
- type = &ace->object.object.type.type;
- else if (ace->object.object.flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT)
- type = &ace->object.object.inherited_type.inherited_type; /* This doesn't look right. Is something wrong with the IDL? */
- else
- type = NULL;
-
- return type;
-
-}
-
-/*
- The main entry point for access checking. If returning ACCESS_DENIED
- this function returns the denied bits in the uint32_t pointed
- to by the access_granted pointer.
-*/
-NTSTATUS se_access_check(const struct security_descriptor *sd,
- const struct security_token *token,
- uint32_t access_desired,
- uint32_t *access_granted)
-{
- uint32_t i;
- uint32_t bits_remaining;
-
- *access_granted = access_desired;
- bits_remaining = access_desired;
-
- /* handle the maximum allowed flag */
- if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED) {
- uint32_t orig_access_desired = access_desired;
-
- access_desired |= access_check_max_allowed(sd, token);
- access_desired &= ~SEC_FLAG_MAXIMUM_ALLOWED;
- *access_granted = access_desired;
- bits_remaining = access_desired & ~SEC_STD_DELETE;
-
- DEBUG(10,("se_access_check: MAX desired = 0x%x, granted = 0x%x, remaining = 0x%x\n",
- orig_access_desired,
- *access_granted,
- bits_remaining));
- }
-
- if (access_desired & SEC_FLAG_SYSTEM_SECURITY) {
- if (security_token_has_privilege(token, SEC_PRIV_SECURITY)) {
- bits_remaining &= ~SEC_FLAG_SYSTEM_SECURITY;
- } else {
- return NT_STATUS_PRIVILEGE_NOT_HELD;
- }
- }
-
- /* a NULL dacl allows access */
- if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl == NULL) {
- *access_granted = access_desired;
- return NT_STATUS_OK;
- }
-
- /* the owner always gets SEC_STD_WRITE_DAC, SEC_STD_READ_CONTROL and SEC_STD_DELETE */
- if ((bits_remaining & (SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL|SEC_STD_DELETE)) &&
- security_token_has_sid(token, sd->owner_sid)) {
- bits_remaining &= ~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL|SEC_STD_DELETE);
- }
- if ((bits_remaining & SEC_STD_DELETE) &&
- (security_token_has_privilege(token, SEC_PRIV_RESTORE))) {
- bits_remaining &= ~SEC_STD_DELETE;
- }
- if ((bits_remaining & SEC_RIGHTS_PRIV_RESTORE) &&
- security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
- bits_remaining &= ~(SEC_RIGHTS_PRIV_RESTORE);
- }
- if ((bits_remaining & SEC_RIGHTS_PRIV_BACKUP) &&
- security_token_has_privilege(token, SEC_PRIV_BACKUP)) {
- bits_remaining &= ~(SEC_RIGHTS_PRIV_BACKUP);
- }
-
- if (sd->dacl == NULL) {
- goto done;
- }
-
- /* check each ace in turn. */
- for (i=0; bits_remaining && i < sd->dacl->num_aces; i++) {
- struct security_ace *ace = &sd->dacl->aces[i];
-
- if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
- continue;
- }
-
- if (!security_token_has_sid(token, &ace->trustee)) {
- continue;
- }
-
- switch (ace->type) {
- case SEC_ACE_TYPE_ACCESS_ALLOWED:
- bits_remaining &= ~ace->access_mask;
- break;
- case SEC_ACE_TYPE_ACCESS_DENIED:
- case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
- if (bits_remaining & ace->access_mask) {
- return NT_STATUS_ACCESS_DENIED;
- }
- break;
- default: /* Other ACE types not handled/supported */
- break;
- }
- }
-
-done:
- if (bits_remaining != 0) {
- *access_granted = bits_remaining;
- return NT_STATUS_ACCESS_DENIED;
- }
-
- return NT_STATUS_OK;
-}
-
-/* modified access check for the purposes of DS security
- * Lots of code duplication, it will ve united in just one
- * function eventually */
-
-NTSTATUS sec_access_check_ds(const struct security_descriptor *sd,
- const struct security_token *token,
- uint32_t access_desired,
- uint32_t *access_granted,
- struct object_tree *tree,
- struct dom_sid *replace_sid)
-{
- uint32_t i;
- uint32_t bits_remaining;
- struct object_tree *node;
- const struct GUID *type;
- struct dom_sid *ps_sid = dom_sid_parse_talloc(NULL, SID_NT_SELF);
-
- *access_granted = access_desired;
- bits_remaining = access_desired;
-
- /* handle the maximum allowed flag */
- if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED) {
- access_desired |= access_check_max_allowed(sd, token);
- access_desired &= ~SEC_FLAG_MAXIMUM_ALLOWED;
- *access_granted = access_desired;
- bits_remaining = access_desired & ~SEC_STD_DELETE;
- }
-
- if (access_desired & SEC_FLAG_SYSTEM_SECURITY) {
- if (security_token_has_privilege(token, SEC_PRIV_SECURITY)) {
- bits_remaining &= ~SEC_FLAG_SYSTEM_SECURITY;
- } else {
- return NT_STATUS_PRIVILEGE_NOT_HELD;
- }
- }
-
- /* a NULL dacl allows access */
- if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl == NULL) {
- *access_granted = access_desired;
- return NT_STATUS_OK;
- }
-
- /* the owner always gets SEC_STD_WRITE_DAC, SEC_STD_READ_CONTROL and SEC_STD_DELETE */
- if ((bits_remaining & (SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL|SEC_STD_DELETE)) &&
- security_token_has_sid(token, sd->owner_sid)) {
- bits_remaining &= ~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL|SEC_STD_DELETE);
- }
- if ((bits_remaining & SEC_STD_DELETE) &&
- security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
- bits_remaining &= ~SEC_STD_DELETE;
- }
-
- if (sd->dacl == NULL) {
- goto done;
- }
-
- /* check each ace in turn. */
- for (i=0; bits_remaining && i < sd->dacl->num_aces; i++) {
- struct dom_sid *trustee;
- struct security_ace *ace = &sd->dacl->aces[i];
-
- if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
- continue;
- }
- if (dom_sid_equal(&ace->trustee, ps_sid) && replace_sid) {
- trustee = replace_sid;
- }
- else
- {
- trustee = &ace->trustee;
- }
- if (!security_token_has_sid(token, trustee)) {
- continue;
- }
-
- switch (ace->type) {
- case SEC_ACE_TYPE_ACCESS_ALLOWED:
- if (tree)
- object_tree_modify_access(tree, ace->access_mask);
-
- bits_remaining &= ~ace->access_mask;
- break;
- case SEC_ACE_TYPE_ACCESS_DENIED:
- if (bits_remaining & ace->access_mask) {
- return NT_STATUS_ACCESS_DENIED;
- }
- break;
- case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
- case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
- /* check only in case we have provided a tree,
- * the ACE has an object type and that type
- * is in the tree */
- type = get_ace_object_type(ace);
-
- if (!tree)
- continue;
-
- if (!type)
- node = tree;
- else
- if (!(node = get_object_tree_by_GUID(tree, type)))
- continue;
-
- if (ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT) {
- object_tree_modify_access(node, ace->access_mask);
- if (node->remaining_access == 0) {
- return NT_STATUS_OK;
- }
- }
- else {
- if (node->remaining_access & ace->access_mask){
- return NT_STATUS_ACCESS_DENIED;
- }
- }
- break;
- default: /* Other ACE types not handled/supported */
- break;
- }
- }
-
-done:
- if (bits_remaining != 0) {
- return NT_STATUS_ACCESS_DENIED;
- }
-
- return NT_STATUS_OK;
-}
-
diff --git a/source4/libcli/security/create_descriptor.c b/source4/libcli/security/create_descriptor.c
deleted file mode 100644
index bc3f42e1f2..0000000000
--- a/source4/libcli/security/create_descriptor.c
+++ /dev/null
@@ -1,410 +0,0 @@
-/*
- Copyright (C) Nadezhda Ivanova 2009
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 3 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program. If not, see <http://www.gnu.org/licenses/>.
-*/
-
-/*
- * Name: create_descriptor
- *
- * Component: routines for calculating and creating security descriptors
- * as described in MS-DTYP 2.5.2.2
- *
- * Description:
- *
- *
- * Author: Nadezhda Ivanova
- */
-#include "includes.h"
-#include "libcli/security/security.h"
-#include "librpc/gen_ndr/ndr_security.h"
-
-/* Todos:
- * build the security token dacl as follows:
- * SYSTEM: GA, OWNER: GA, LOGIN_SID:GW|GE
- * Need session id information for the login SID. Probably
- * the best place for this is during token creation
- *
- * Implement SD Invariants
- * ACE sorting rules
- * LDAP_SERVER_SD_FLAGS_OID control
- * ADTS 7.1.3.3 needs to be clarified
- */
-
-/* the mapping function for generic rights for DS.(GA,GR,GW,GX)
- * The mapping function is passed as an argument to the
- * descriptor calculating routine and depends on the security
- * manager that calls the calculating routine.
- * TODO: need similar mappings for the file system and
- * registry security managers in order to make this code
- * generic for all security managers
- */
-
-uint32_t map_generic_rights_ds(uint32_t access_mask)
-{
- if (access_mask & SEC_GENERIC_ALL) {
- access_mask |= SEC_ADS_GENERIC_ALL;
- access_mask = ~SEC_GENERIC_ALL;
- }
-
- if (access_mask & SEC_GENERIC_EXECUTE) {
- access_mask |= SEC_ADS_GENERIC_EXECUTE;
- access_mask = ~SEC_GENERIC_EXECUTE;
- }
-
- if (access_mask & SEC_GENERIC_WRITE) {
- access_mask |= SEC_ADS_GENERIC_WRITE;
- access_mask &= ~SEC_GENERIC_WRITE;
- }
-
- if (access_mask & SEC_GENERIC_READ) {
- access_mask |= SEC_ADS_GENERIC_READ;
- access_mask &= ~SEC_GENERIC_READ;
- }
-
- return access_mask;
-}
-
-/* Not sure what this has to be,
-* and it does not seem to have any influence */
-static bool object_in_list(struct GUID *object_list, struct GUID *object)
-{
- return true;
-}
-
-static struct security_acl *calculate_inherited_from_parent(TALLOC_CTX *mem_ctx,
- struct security_acl *acl,
- bool is_container,
- struct dom_sid *owner,
- struct dom_sid *group,
- struct GUID *object_list)
-{
- uint32_t i;
- TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
- struct security_acl *tmp_acl = talloc_zero(mem_ctx, struct security_acl);
- struct dom_sid *co, *cg;
- if (!tmp_acl) {
- return NULL;
- }
-
- if (!acl) {
- return NULL;
- }
- co = dom_sid_parse_talloc(tmp_ctx, SID_CREATOR_OWNER);
- cg = dom_sid_parse_talloc(tmp_ctx, SID_CREATOR_GROUP);
-
- for (i=0; i < acl->num_aces; i++) {
- struct security_ace *ace = &acl->aces[i];
- if ((ace->flags & SEC_ACE_FLAG_CONTAINER_INHERIT) ||
- (ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT)) {
- tmp_acl->aces = talloc_realloc(tmp_acl, tmp_acl->aces, struct security_ace,
- tmp_acl->num_aces+1);
- if (tmp_acl->aces == NULL) {
- talloc_free(tmp_ctx);
- return NULL;
- }
-
- tmp_acl->aces[tmp_acl->num_aces] = *ace;
- tmp_acl->aces[tmp_acl->num_aces].flags |= SEC_ACE_FLAG_INHERITED_ACE;
-
- if (is_container && (ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT))
- tmp_acl->aces[tmp_acl->num_aces].flags |= SEC_ACE_FLAG_INHERIT_ONLY;
-
- if (ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT ||
- ace->type == SEC_ACE_TYPE_ACCESS_DENIED_OBJECT) {
- if (!object_in_list(object_list, &ace->object.object.type.type)) {
- tmp_acl->aces[tmp_acl->num_aces].flags |= SEC_ACE_FLAG_INHERIT_ONLY;
- }
-
- }
- tmp_acl->aces[tmp_acl->num_aces].access_mask =
- map_generic_rights_ds(ace->access_mask);
- tmp_acl->num_aces++;
- if (is_container) {
- if (!(ace->flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT) &&
- ((dom_sid_equal(&ace->trustee, co) || dom_sid_equal(&ace->trustee, cg)))) {
- tmp_acl->aces = talloc_realloc(tmp_acl, tmp_acl->aces, struct security_ace,
- tmp_acl->num_aces+1);
- if (tmp_acl->aces == NULL) {
- talloc_free(tmp_ctx);
- return NULL;
- }
- tmp_acl->aces[tmp_acl->num_aces] = *ace;
- tmp_acl->aces[tmp_acl->num_aces].flags &= ~SEC_ACE_FLAG_INHERIT_ONLY;
- tmp_acl->aces[tmp_acl->num_aces].flags |= SEC_ACE_FLAG_INHERITED_ACE;
- if (dom_sid_equal(&tmp_acl->aces[tmp_acl->num_aces].trustee, co)) {
- tmp_acl->aces[tmp_acl->num_aces].trustee = *owner;
- }
- if (dom_sid_equal(&tmp_acl->aces[tmp_acl->num_aces].trustee, cg)) {
- tmp_acl->aces[tmp_acl->num_aces].trustee = *group;
- }
- tmp_acl->aces[tmp_acl->num_aces].flags &= ~SEC_ACE_FLAG_CONTAINER_INHERIT;
- tmp_acl->aces[tmp_acl->num_aces].access_mask =
- map_generic_rights_ds(ace->access_mask);
- tmp_acl->num_aces++;
- }
- }
- }
- }
- if (tmp_acl->num_aces == 0) {
- return NULL;
- }
- if (acl) {
- tmp_acl->revision = acl->revision;
- }
- return tmp_acl;
-}
-
-static struct security_acl *process_user_acl(TALLOC_CTX *mem_ctx,
- struct security_acl *acl,
- bool is_container,
- struct dom_sid *owner,
- struct dom_sid *group,
- struct GUID *object_list)
-{
- uint32_t i;
- TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
- struct security_acl *tmp_acl = talloc_zero(tmp_ctx, struct security_acl);
- struct security_acl *new_acl;
- struct dom_sid *co, *cg;
-
- if (!acl)
- return NULL;
-
- if (!tmp_acl)
- return NULL;
-
- tmp_acl->revision = acl->revision;
- DEBUG(6,(__location__ ": acl revision %u\n", acl->revision));
-
- co = dom_sid_parse_talloc(tmp_ctx, SID_CREATOR_OWNER);
- cg = dom_sid_parse_talloc(tmp_ctx, SID_CREATOR_GROUP);
-
- for (i=0; i < acl->num_aces; i++){
- struct security_ace *ace = &acl->aces[i];
- if (ace->flags & SEC_ACE_FLAG_INHERITED_ACE)
- continue;
- if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY &&
- !(ace->flags & SEC_ACE_FLAG_CONTAINER_INHERIT ||
- ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT))
- continue;
-
- tmp_acl->aces = talloc_realloc(tmp_acl, tmp_acl->aces, struct security_ace,
- tmp_acl->num_aces+1);
- tmp_acl->aces[tmp_acl->num_aces] = *ace;
- if (dom_sid_equal(&(tmp_acl->aces[tmp_acl->num_aces].trustee), co)) {
- tmp_acl->aces[tmp_acl->num_aces].trustee = *owner;
- tmp_acl->aces[tmp_acl->num_aces].flags &= ~SEC_ACE_FLAG_CONTAINER_INHERIT;
- }
- if (dom_sid_equal(&(tmp_acl->aces[tmp_acl->num_aces].trustee), cg)) {
- tmp_acl->aces[tmp_acl->num_aces].trustee = *group;
- tmp_acl->aces[tmp_acl->num_aces].flags &= ~SEC_ACE_FLAG_CONTAINER_INHERIT;
- }
- tmp_acl->aces[tmp_acl->num_aces].access_mask =
- map_generic_rights_ds(tmp_acl->aces[tmp_acl->num_aces].access_mask);
- tmp_acl->num_aces++;
-
- if (!dom_sid_equal(&ace->trustee, co) && !dom_sid_equal(&ace->trustee, cg))
- continue;
-
- tmp_acl->aces = talloc_realloc(tmp_acl, tmp_acl->aces, struct security_ace,
- tmp_acl->num_aces+1);
- tmp_acl->aces[tmp_acl->num_aces] = *ace;
- tmp_acl->aces[tmp_acl->num_aces].flags |= SEC_ACE_FLAG_INHERIT_ONLY;
- tmp_acl->num_aces++;
- }
- new_acl = security_acl_dup(mem_ctx,tmp_acl);
-
- if (new_acl)
- new_acl->revision = acl->revision;
-
- talloc_free(tmp_ctx);
- return new_acl;
-}
-
-static void cr_descr_log_descriptor(struct security_descriptor *sd,
- const char *message,
- int level)
-{
- if (sd) {
- DEBUG(level,("%s: %s\n", message,
- ndr_print_struct_string(0,(ndr_print_fn_t)ndr_print_security_descriptor,
- "", sd)));
- }
- else {
- DEBUG(level,("%s: NULL\n", message));
- }
-}
-
-static void cr_descr_log_acl(struct security_acl *acl,
- const char *message,
- int level)
-{
- if (acl) {
- DEBUG(level,("%s: %s\n", message,
- ndr_print_struct_string(0,(ndr_print_fn_t)ndr_print_security_acl,
- "", acl)));
- }
- else {
- DEBUG(level,("%s: NULL\n", message));
- }
-}
-
-static bool compute_acl(struct security_descriptor *parent_sd,
- struct security_descriptor *creator_sd,
- bool is_container,
- uint32_t inherit_flags,
- struct GUID *object_list,
- uint32_t (*generic_map)(uint32_t access_mask),
- struct security_token *token,
- struct security_descriptor *new_sd) /* INOUT argument */
-{
- struct security_acl *user_dacl, *user_sacl, *inherited_dacl, *inherited_sacl;
- int level = 10;
-
- if (!parent_sd || !(inherit_flags & SEC_DACL_AUTO_INHERIT)) {
- inherited_dacl = NULL;
- } else if (creator_sd && (creator_sd->type & SEC_DESC_DACL_PROTECTED)) {
- inherited_dacl = NULL;
- } else {
- inherited_dacl = calculate_inherited_from_parent(new_sd,
- parent_sd->dacl,
- is_container,
- new_sd->owner_sid,
- new_sd->group_sid,
- object_list);
- }
-
-
- if (!parent_sd || !(inherit_flags & SEC_SACL_AUTO_INHERIT)) {
- inherited_sacl = NULL;
- } else if (creator_sd && (creator_sd->type & SEC_DESC_SACL_PROTECTED)) {
- inherited_sacl = NULL;
- } else {
- inherited_sacl = calculate_inherited_from_parent(new_sd,
- parent_sd->sacl,
- is_container,
- new_sd->owner_sid,
- new_sd->group_sid,
- object_list);
- }
-
- if (!creator_sd || (inherit_flags & SEC_DEFAULT_DESCRIPTOR)) {
- user_dacl = NULL;
- user_sacl = NULL;
- } else {
- user_dacl = process_user_acl(new_sd,
- creator_sd->dacl,
- is_container,
- new_sd->owner_sid,
- new_sd->group_sid,
- object_list);
- user_sacl = process_user_acl(new_sd,
- creator_sd->sacl,
- is_container,
- new_sd->owner_sid,
- new_sd->group_sid,
- object_list);
- }
- cr_descr_log_descriptor(parent_sd, __location__"parent_sd", level);
- cr_descr_log_descriptor(creator_sd,__location__ "creator_sd", level);
-
- new_sd->dacl = security_acl_concatenate(new_sd, user_dacl, inherited_dacl);
- if (new_sd->dacl) {
- new_sd->type |= SEC_DESC_DACL_PRESENT;
- }
- if (inherited_dacl) {
- new_sd->type |= SEC_DESC_DACL_AUTO_INHERITED;
- }
-
- new_sd->sacl = security_acl_concatenate(new_sd, user_sacl, inherited_sacl);
- if (new_sd->sacl) {
- new_sd->type |= SEC_DESC_SACL_PRESENT;
- }
- if (inherited_sacl) {
- new_sd->type |= SEC_DESC_SACL_AUTO_INHERITED;
- }
- /* This is a hack to handle the fact that
- * apprantly any AI flag provided by the user is preserved */
- if (creator_sd)
- new_sd->type |= creator_sd->type;
- cr_descr_log_descriptor(new_sd, __location__"final sd", level);
- return true;
-}
-
-struct security_descriptor *create_security_descriptor(TALLOC_CTX *mem_ctx,
- struct security_descriptor *parent_sd,
- struct security_descriptor *creator_sd,
- bool is_container,
- struct GUID *object_list,
- uint32_t inherit_flags,
- struct security_token *token,
- struct dom_sid *default_owner, /* valid only for DS, NULL for the other RSs */
- struct dom_sid *default_group, /* valid only for DS, NULL for the other RSs */
- uint32_t (*generic_map)(uint32_t access_mask))
-{
- struct security_descriptor *new_sd;
- struct dom_sid *new_owner = NULL;
- struct dom_sid *new_group = NULL;
-
- new_sd = security_descriptor_initialise(mem_ctx);
- if (!new_sd) {
- return NULL;
- }
-
- if (!creator_sd || !creator_sd->owner_sid) {
- if ((inherit_flags & SEC_OWNER_FROM_PARENT) && parent_sd) {
- new_owner = parent_sd->owner_sid;
- } else if (!default_owner) {
- new_owner = &token->sids[PRIMARY_USER_SID_INDEX];
- } else {
- new_owner = default_owner;
- new_sd->type |= SEC_DESC_OWNER_DEFAULTED;
- }
- } else {
- new_owner = creator_sd->owner_sid;
- }
-
- if (!creator_sd || !creator_sd->group_sid){
- if ((inherit_flags & SEC_GROUP_FROM_PARENT) && parent_sd) {
- new_group = parent_sd->group_sid;
- } else if (!default_group && token->num_sids > PRIMARY_GROUP_SID_INDEX) {
- new_group = &token->sids[PRIMARY_GROUP_SID_INDEX];
- } else if (!default_group) {
- /* This will happen only for anonymous, which has no other groups */
- new_group = &token->sids[PRIMARY_USER_SID_INDEX];
- } else {
- new_group = default_group;
- new_sd->type |= SEC_DESC_GROUP_DEFAULTED;
- }
- } else {
- new_group = creator_sd->group_sid;
- }
-
- new_sd->owner_sid = talloc_memdup(new_sd, new_owner, sizeof(struct dom_sid));
- new_sd->group_sid = talloc_memdup(new_sd, new_group, sizeof(struct dom_sid));
- if (!new_sd->owner_sid || !new_sd->group_sid){
- talloc_free(new_sd);
- return NULL;
- }
-
- if (!compute_acl(parent_sd, creator_sd,
- is_container, inherit_flags, object_list,
- generic_map,token,new_sd)){
- talloc_free(new_sd);
- return NULL;
- }
-
- return new_sd;
-}
diff --git a/source4/libcli/security/object_tree.c b/source4/libcli/security/object_tree.c
deleted file mode 100644
index 7c7d644543..0000000000
--- a/source4/libcli/security/object_tree.c
+++ /dev/null
@@ -1,121 +0,0 @@
-/*
- Unix SMB/CIFS implementation.
-
- security access checking routines
-
- Copyright (C) Nadezhda Ivanova 2009
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 3 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program. If not, see <http://www.gnu.org/licenses/>.
-*/
-
-/*
- * Description: Contains data handler functions for
- * the object tree that must be constructed to perform access checks.
- * The object tree is an unbalanced tree of depth 3, indexed by
- * object type guid. Perhaps a different data structure
- * should be concidered later to improve performance
- *
- * Author: Nadezhda Ivanova
- */
-#include "includes.h"
-#include "libcli/security/security.h"
-#include "librpc/ndr/libndr.h"
-
-/* Adds a new node to the object tree. If attributeSecurityGUID is not zero and
- * has already been added to the tree, the new node is added as a child of that node
- * In all other cases as a child of the root
- */
-
-bool insert_in_object_tree(TALLOC_CTX *mem_ctx,
- const struct GUID *guid,
- uint32_t init_access,
- struct object_tree **root,
- struct object_tree **new_node)
-{
- if (!guid || GUID_all_zero(guid)){
- return true;
- }
-
- if (!*root){
- *root = talloc_zero(mem_ctx, struct object_tree);
- if (!*root) {
- return false;
- }
- (*root)->guid = *guid;
- *new_node = *root;
- return true;
- }
-
- if (!(*root)->children) {
- (*root)->children = talloc_array(mem_ctx, struct object_tree, 1);
- (*root)->children[0].guid = *guid;
- (*root)->children[0].num_of_children = 0;
- (*root)->children[0].children = NULL;
- (*root)->num_of_children++;
- (*root)->children[0].remaining_access = init_access;
- *new_node = &((*root)->children[0]);
- return true;
- }
- else {
- int i;
- for (i = 0; i < (*root)->num_of_children; i++) {
- if (GUID_equal(&((*root)->children[i].guid), guid)) {
- *new_node = &((*root)->children[i]);
- return true;
- }
- }
- (*root)->children = talloc_realloc(mem_ctx, (*root)->children, struct object_tree,
- (*root)->num_of_children +1);
- (*root)->children[(*root)->num_of_children].guid = *guid;
- (*root)->children[(*root)->num_of_children].remaining_access = init_access;
- *new_node = &((*root)->children[(*root)->num_of_children]);
- (*root)->num_of_children++;
- return true;
- }
- return true;
-}
-
-/* search by GUID */
-struct object_tree *get_object_tree_by_GUID(struct object_tree *root,
- const struct GUID *guid)
-{
- struct object_tree *result = NULL;
- int i;
-
- if (!root || GUID_equal(&root->guid, guid)) {
- result = root;
- return result;
- }
- else if (root->num_of_children > 0) {
- for (i = 0; i < root->num_of_children; i++) {
- if ((result = get_object_tree_by_GUID(&root->children[i], guid)))
- break;
- }
- }
- return result;
-}
-
-/* Change the granted access per each ACE */
-
-void object_tree_modify_access(struct object_tree *root,
- uint32_t access)
-{
- root->remaining_access &= ~access;
- if (root->num_of_children > 0) {
- int i;
- for (i = 0; i < root->num_of_children; i++) {
- object_tree_modify_access(&root->children[i], access);
- }
- }
-}
diff --git a/source4/libcli/security/wscript_build b/source4/libcli/security/wscript_build
index 02d79428d0..f06899e9d4 100644
--- a/source4/libcli/security/wscript_build
+++ b/source4/libcli/security/wscript_build
@@ -3,12 +3,6 @@
bld.SAMBA_SUBSYSTEM('LIBSECURITY_SESSION',
source='session.c',
autoproto='session_proto.h',
- public_deps='LIBSECURITY_COMMON'
- )
-
-bld.SAMBA_SUBSYSTEM('LIBSECURITY',
- source='access_check.c create_descriptor.c object_tree.c',
- autoproto='proto.h',
- public_deps='LIBNDR LIBSECURITY_COMMON'
+ public_deps='LIBSECURITY'
)