summaryrefslogtreecommitdiff
path: root/source4/libcli/security
diff options
context:
space:
mode:
authorAndrew Tridgell <tridge@samba.org>2004-11-18 01:02:27 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:05:57 -0500
commitbbf009b46f75f292a625b853b9331b5d5e0da7c2 (patch)
tree679baa8ec6a1fb4724870983e294573188f5c3c6 /source4/libcli/security
parentcae123912c15ad7d7ecd44a6d468f368aaeab95c (diff)
downloadsamba-bbf009b46f75f292a625b853b9331b5d5e0da7c2.tar.gz
samba-bbf009b46f75f292a625b853b9331b5d5e0da7c2.tar.bz2
samba-bbf009b46f75f292a625b853b9331b5d5e0da7c2.zip
r3829: added a RAW-ACLS test suite that tests query/set of ACLs on a file
(This used to be commit 2ff9816ae0ae41e0e63e4276a70d292888346dc7)
Diffstat (limited to 'source4/libcli/security')
-rw-r--r--source4/libcli/security/dom_sid.c4
-rw-r--r--source4/libcli/security/security_descriptor.c128
2 files changed, 128 insertions, 4 deletions
diff --git a/source4/libcli/security/dom_sid.c b/source4/libcli/security/dom_sid.c
index 254b8dbfab..001618bb07 100644
--- a/source4/libcli/security/dom_sid.c
+++ b/source4/libcli/security/dom_sid.c
@@ -184,7 +184,7 @@ struct dom_sid *dom_sid_parse_talloc(TALLOC_CTX *mem_ctx, const char *sidstr)
}
/*
- convert a string to a dom_sid, returning a talloc'd dom_sid
+ copy a dom_sid structure
*/
struct dom_sid *dom_sid_dup(TALLOC_CTX *mem_ctx, const struct dom_sid *dom_sid)
{
@@ -195,7 +195,7 @@ struct dom_sid *dom_sid_dup(TALLOC_CTX *mem_ctx, const struct dom_sid *dom_sid)
return NULL;
}
- ret->sub_auths = talloc_array_p(mem_ctx, uint32_t, dom_sid->num_auths);
+ ret->sub_auths = talloc_array_p(ret, uint32_t, dom_sid->num_auths);
if (!ret->sub_auths) {
return NULL;
}
diff --git a/source4/libcli/security/security_descriptor.c b/source4/libcli/security/security_descriptor.c
index 255836066a..671174a824 100644
--- a/source4/libcli/security/security_descriptor.c
+++ b/source4/libcli/security/security_descriptor.c
@@ -54,7 +54,7 @@ struct security_descriptor *security_descriptor_initialise(TALLOC_CTX *mem_ctx)
talloc and copy a security descriptor
*/
struct security_descriptor *security_descriptor_copy(TALLOC_CTX *mem_ctx,
- const struct security_descriptor *osd)
+ const struct security_descriptor *osd)
{
struct security_descriptor *nsd;
@@ -65,7 +65,9 @@ struct security_descriptor *security_descriptor_copy(TALLOC_CTX *mem_ctx,
return nsd;
}
-NTSTATUS security_check_dacl(struct security_token *st, struct security_descriptor *sd, uint32 access_mask)
+NTSTATUS security_check_dacl(struct security_token *st,
+ struct security_descriptor *sd,
+ uint32 access_mask)
{
size_t i,y;
NTSTATUS status = NT_STATUS_ACCESS_DENIED;
@@ -100,3 +102,125 @@ NTSTATUS security_check_dacl(struct security_token *st, struct security_descript
return status;
}
+
+
+/*
+ add an ACE to the DACL of a security_descriptor
+*/
+NTSTATUS security_descriptor_dacl_add(struct security_descriptor *sd,
+ struct security_ace *ace)
+{
+ if (sd->dacl == NULL) {
+ sd->dacl = talloc_p(sd, struct security_acl);
+ if (sd->dacl == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ sd->dacl->revision = SD_REVISION;
+ sd->dacl->size = 0;
+ sd->dacl->num_aces = 0;
+ sd->dacl->aces = NULL;
+ }
+
+ sd->dacl->aces = talloc_realloc_p(sd->dacl, sd->dacl->aces,
+ struct security_ace, sd->dacl->num_aces+1);
+ if (sd->dacl->aces == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ sd->dacl->aces[sd->dacl->num_aces] = *ace;
+ sd->dacl->aces[sd->dacl->num_aces].trustee.sub_auths =
+ talloc_memdup(sd->dacl->aces,
+ sd->dacl->aces[sd->dacl->num_aces].trustee.sub_auths,
+ sizeof(uint32_t) *
+ sd->dacl->aces[sd->dacl->num_aces].trustee.num_auths);
+ if (sd->dacl->aces[sd->dacl->num_aces].trustee.sub_auths == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ sd->dacl->num_aces++;
+
+ return NT_STATUS_OK;
+}
+
+
+/*
+ delete the ACE corresponding to the given trustee in the DACL of a security_descriptor
+*/
+NTSTATUS security_descriptor_dacl_del(struct security_descriptor *sd,
+ struct dom_sid *trustee)
+{
+ int i;
+
+ if (sd->dacl == NULL) {
+ return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+ }
+
+ for (i=0;i<sd->dacl->num_aces;i++) {
+ if (dom_sid_equal(trustee, &sd->dacl->aces[i].trustee)) {
+ memmove(&sd->dacl->aces[i], &sd->dacl->aces[i+1],
+ sizeof(sd->dacl->aces[i]) * (sd->dacl->num_aces - (i+1)));
+ sd->dacl->num_aces--;
+ if (sd->dacl->num_aces == 0) {
+ sd->dacl->aces = NULL;
+ }
+ return NT_STATUS_OK;
+ }
+ }
+ return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+}
+
+
+/*
+ compare two security ace structures
+*/
+BOOL security_ace_equal(const struct security_ace *ace1,
+ const struct security_ace *ace2)
+{
+ if (ace1 == ace2) return True;
+ if (!ace1 || !ace2) return False;
+ if (ace1->type != ace2->type) return False;
+ if (ace1->flags != ace2->flags) return False;
+ if (ace1->access_mask != ace2->access_mask) return False;
+ if (!dom_sid_equal(&ace1->trustee, &ace2->trustee)) return False;
+
+ return True;
+}
+
+
+/*
+ compare two security acl structures
+*/
+BOOL security_acl_equal(const struct security_acl *acl1,
+ const struct security_acl *acl2)
+{
+ int i;
+
+ if (acl1 == acl2) return True;
+ if (!acl1 || !acl2) return False;
+ if (acl1->revision != acl2->revision) return False;
+ if (acl1->num_aces != acl2->num_aces) return False;
+
+ for (i=0;i<acl1->num_aces;i++) {
+ if (!security_ace_equal(&acl1->aces[i], &acl2->aces[i])) return False;
+ }
+ return True;
+}
+
+/*
+ compare two security descriptors.
+*/
+BOOL security_descriptor_equal(const struct security_descriptor *sd1,
+ const struct security_descriptor *sd2)
+{
+ if (sd1 == sd2) return True;
+ if (!sd1 || !sd2) return False;
+ if (sd1->revision != sd2->revision) return False;
+ if (sd1->type != sd2->type) return False;
+
+ if (!dom_sid_equal(sd1->owner_sid, sd2->owner_sid)) return False;
+ if (!dom_sid_equal(sd1->group_sid, sd2->group_sid)) return False;
+ if (!security_acl_equal(sd1->sacl, sd2->sacl)) return False;
+ if (!security_acl_equal(sd1->dacl, sd2->dacl)) return False;
+
+ return True;
+}