diff options
author | Andrew Bartlett <abartlet@samba.org> | 2010-09-18 12:55:31 +1000 |
---|---|---|
committer | Andrew Tridgell <tridge@samba.org> | 2010-10-14 02:35:05 +0000 |
commit | a879a4610dac03b814ad40800f408416d250c6be (patch) | |
tree | 3b1bb4216ace458281db4bc3355f0fb3ccf42e89 /source4/libcli | |
parent | 8b22eefd252e5d8d787ce3368d54b23d75b00310 (diff) | |
download | samba-a879a4610dac03b814ad40800f408416d250c6be.tar.gz samba-a879a4610dac03b814ad40800f408416d250c6be.tar.bz2 samba-a879a4610dac03b814ad40800f408416d250c6be.zip |
libcli/auth Merge source4/libcli/security and util_sid.c into the common code
This should ensure we only have one copy of these core functions
in the tree.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
Diffstat (limited to 'source4/libcli')
-rw-r--r-- | source4/libcli/raw/smb.h | 13 | ||||
-rw-r--r-- | source4/libcli/security/access_check.c | 316 | ||||
-rw-r--r-- | source4/libcli/security/create_descriptor.c | 410 | ||||
-rw-r--r-- | source4/libcli/security/object_tree.c | 121 | ||||
-rw-r--r-- | source4/libcli/security/wscript_build | 8 |
5 files changed, 1 insertions, 867 deletions
diff --git a/source4/libcli/raw/smb.h b/source4/libcli/raw/smb.h index 7291821fae..d93ad0d005 100644 --- a/source4/libcli/raw/smb.h +++ b/source4/libcli/raw/smb.h @@ -366,19 +366,6 @@ #define DESIRED_ACCESS_PIPE 0x2019f -/* Mapping of generic access rights for files to specific rights. */ -#define FILE_GENERIC_ALL (STANDARD_RIGHTS_REQUIRED_ACCESS| NT_ACCESS_SYNCHRONIZE_ACCESS|FILE_ALL_ACCESS) - -#define FILE_GENERIC_READ (STANDARD_RIGHTS_READ_ACCESS|FILE_READ_DATA|FILE_READ_ATTRIBUTES|\ - FILE_READ_EA|NT_ACCESS_SYNCHRONIZE_ACCESS) - -#define FILE_GENERIC_WRITE (STANDARD_RIGHTS_WRITE_ACCESS|FILE_WRITE_DATA|FILE_WRITE_ATTRIBUTES|\ - FILE_WRITE_EA|FILE_APPEND_DATA|NT_ACCESS_SYNCHRONIZE_ACCESS) - -#define FILE_GENERIC_EXECUTE (STANDARD_RIGHTS_EXECUTE_ACCESS|FILE_READ_ATTRIBUTES|\ - FILE_EXECUTE|NT_ACCESS_SYNCHRONIZE_ACCESS) - - /* FileAttributes (search attributes) field */ #define FILE_ATTRIBUTE_READONLY 0x0001 #define FILE_ATTRIBUTE_HIDDEN 0x0002 diff --git a/source4/libcli/security/access_check.c b/source4/libcli/security/access_check.c deleted file mode 100644 index 5ae318be43..0000000000 --- a/source4/libcli/security/access_check.c +++ /dev/null @@ -1,316 +0,0 @@ -/* - Unix SMB/CIFS implementation. - - security access checking routines - - Copyright (C) Andrew Tridgell 2004 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see <http://www.gnu.org/licenses/>. -*/ - -#include "includes.h" -#include "libcli/security/security.h" - -/* - perform a SEC_FLAG_MAXIMUM_ALLOWED access check -*/ -static uint32_t access_check_max_allowed(const struct security_descriptor *sd, - const struct security_token *token) -{ - uint32_t denied = 0, granted = 0; - uint32_t i; - - if (security_token_has_sid(token, sd->owner_sid)) { - granted |= SEC_STD_WRITE_DAC | SEC_STD_READ_CONTROL | SEC_STD_DELETE; - } else if (security_token_has_privilege(token, SEC_PRIV_RESTORE)) { - granted |= SEC_STD_DELETE; - } - - if (sd->dacl == NULL) { - return granted & ~denied; - } - - for (i = 0;i<sd->dacl->num_aces; i++) { - struct security_ace *ace = &sd->dacl->aces[i]; - - if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) { - continue; - } - - if (!security_token_has_sid(token, &ace->trustee)) { - continue; - } - - switch (ace->type) { - case SEC_ACE_TYPE_ACCESS_ALLOWED: - granted |= ace->access_mask; - break; - case SEC_ACE_TYPE_ACCESS_DENIED: - case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT: - denied |= ace->access_mask; - break; - default: /* Other ACE types not handled/supported */ - break; - } - } - - return granted & ~denied; -} - -static const struct GUID *get_ace_object_type(struct security_ace *ace) -{ - struct GUID *type; - - if (ace->object.object.flags & SEC_ACE_OBJECT_TYPE_PRESENT) - type = &ace->object.object.type.type; - else if (ace->object.object.flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT) - type = &ace->object.object.inherited_type.inherited_type; /* This doesn't look right. Is something wrong with the IDL? */ - else - type = NULL; - - return type; - -} - -/* - The main entry point for access checking. If returning ACCESS_DENIED - this function returns the denied bits in the uint32_t pointed - to by the access_granted pointer. -*/ -NTSTATUS se_access_check(const struct security_descriptor *sd, - const struct security_token *token, - uint32_t access_desired, - uint32_t *access_granted) -{ - uint32_t i; - uint32_t bits_remaining; - - *access_granted = access_desired; - bits_remaining = access_desired; - - /* handle the maximum allowed flag */ - if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED) { - uint32_t orig_access_desired = access_desired; - - access_desired |= access_check_max_allowed(sd, token); - access_desired &= ~SEC_FLAG_MAXIMUM_ALLOWED; - *access_granted = access_desired; - bits_remaining = access_desired & ~SEC_STD_DELETE; - - DEBUG(10,("se_access_check: MAX desired = 0x%x, granted = 0x%x, remaining = 0x%x\n", - orig_access_desired, - *access_granted, - bits_remaining)); - } - - if (access_desired & SEC_FLAG_SYSTEM_SECURITY) { - if (security_token_has_privilege(token, SEC_PRIV_SECURITY)) { - bits_remaining &= ~SEC_FLAG_SYSTEM_SECURITY; - } else { - return NT_STATUS_PRIVILEGE_NOT_HELD; - } - } - - /* a NULL dacl allows access */ - if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl == NULL) { - *access_granted = access_desired; - return NT_STATUS_OK; - } - - /* the owner always gets SEC_STD_WRITE_DAC, SEC_STD_READ_CONTROL and SEC_STD_DELETE */ - if ((bits_remaining & (SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL|SEC_STD_DELETE)) && - security_token_has_sid(token, sd->owner_sid)) { - bits_remaining &= ~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL|SEC_STD_DELETE); - } - if ((bits_remaining & SEC_STD_DELETE) && - (security_token_has_privilege(token, SEC_PRIV_RESTORE))) { - bits_remaining &= ~SEC_STD_DELETE; - } - if ((bits_remaining & SEC_RIGHTS_PRIV_RESTORE) && - security_token_has_privilege(token, SEC_PRIV_RESTORE)) { - bits_remaining &= ~(SEC_RIGHTS_PRIV_RESTORE); - } - if ((bits_remaining & SEC_RIGHTS_PRIV_BACKUP) && - security_token_has_privilege(token, SEC_PRIV_BACKUP)) { - bits_remaining &= ~(SEC_RIGHTS_PRIV_BACKUP); - } - - if (sd->dacl == NULL) { - goto done; - } - - /* check each ace in turn. */ - for (i=0; bits_remaining && i < sd->dacl->num_aces; i++) { - struct security_ace *ace = &sd->dacl->aces[i]; - - if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) { - continue; - } - - if (!security_token_has_sid(token, &ace->trustee)) { - continue; - } - - switch (ace->type) { - case SEC_ACE_TYPE_ACCESS_ALLOWED: - bits_remaining &= ~ace->access_mask; - break; - case SEC_ACE_TYPE_ACCESS_DENIED: - case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT: - if (bits_remaining & ace->access_mask) { - return NT_STATUS_ACCESS_DENIED; - } - break; - default: /* Other ACE types not handled/supported */ - break; - } - } - -done: - if (bits_remaining != 0) { - *access_granted = bits_remaining; - return NT_STATUS_ACCESS_DENIED; - } - - return NT_STATUS_OK; -} - -/* modified access check for the purposes of DS security - * Lots of code duplication, it will ve united in just one - * function eventually */ - -NTSTATUS sec_access_check_ds(const struct security_descriptor *sd, - const struct security_token *token, - uint32_t access_desired, - uint32_t *access_granted, - struct object_tree *tree, - struct dom_sid *replace_sid) -{ - uint32_t i; - uint32_t bits_remaining; - struct object_tree *node; - const struct GUID *type; - struct dom_sid *ps_sid = dom_sid_parse_talloc(NULL, SID_NT_SELF); - - *access_granted = access_desired; - bits_remaining = access_desired; - - /* handle the maximum allowed flag */ - if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED) { - access_desired |= access_check_max_allowed(sd, token); - access_desired &= ~SEC_FLAG_MAXIMUM_ALLOWED; - *access_granted = access_desired; - bits_remaining = access_desired & ~SEC_STD_DELETE; - } - - if (access_desired & SEC_FLAG_SYSTEM_SECURITY) { - if (security_token_has_privilege(token, SEC_PRIV_SECURITY)) { - bits_remaining &= ~SEC_FLAG_SYSTEM_SECURITY; - } else { - return NT_STATUS_PRIVILEGE_NOT_HELD; - } - } - - /* a NULL dacl allows access */ - if ((sd->type & SEC_DESC_DACL_PRESENT) && sd->dacl == NULL) { - *access_granted = access_desired; - return NT_STATUS_OK; - } - - /* the owner always gets SEC_STD_WRITE_DAC, SEC_STD_READ_CONTROL and SEC_STD_DELETE */ - if ((bits_remaining & (SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL|SEC_STD_DELETE)) && - security_token_has_sid(token, sd->owner_sid)) { - bits_remaining &= ~(SEC_STD_WRITE_DAC|SEC_STD_READ_CONTROL|SEC_STD_DELETE); - } - if ((bits_remaining & SEC_STD_DELETE) && - security_token_has_privilege(token, SEC_PRIV_RESTORE)) { - bits_remaining &= ~SEC_STD_DELETE; - } - - if (sd->dacl == NULL) { - goto done; - } - - /* check each ace in turn. */ - for (i=0; bits_remaining && i < sd->dacl->num_aces; i++) { - struct dom_sid *trustee; - struct security_ace *ace = &sd->dacl->aces[i]; - - if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) { - continue; - } - if (dom_sid_equal(&ace->trustee, ps_sid) && replace_sid) { - trustee = replace_sid; - } - else - { - trustee = &ace->trustee; - } - if (!security_token_has_sid(token, trustee)) { - continue; - } - - switch (ace->type) { - case SEC_ACE_TYPE_ACCESS_ALLOWED: - if (tree) - object_tree_modify_access(tree, ace->access_mask); - - bits_remaining &= ~ace->access_mask; - break; - case SEC_ACE_TYPE_ACCESS_DENIED: - if (bits_remaining & ace->access_mask) { - return NT_STATUS_ACCESS_DENIED; - } - break; - case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT: - case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT: - /* check only in case we have provided a tree, - * the ACE has an object type and that type - * is in the tree */ - type = get_ace_object_type(ace); - - if (!tree) - continue; - - if (!type) - node = tree; - else - if (!(node = get_object_tree_by_GUID(tree, type))) - continue; - - if (ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT) { - object_tree_modify_access(node, ace->access_mask); - if (node->remaining_access == 0) { - return NT_STATUS_OK; - } - } - else { - if (node->remaining_access & ace->access_mask){ - return NT_STATUS_ACCESS_DENIED; - } - } - break; - default: /* Other ACE types not handled/supported */ - break; - } - } - -done: - if (bits_remaining != 0) { - return NT_STATUS_ACCESS_DENIED; - } - - return NT_STATUS_OK; -} - diff --git a/source4/libcli/security/create_descriptor.c b/source4/libcli/security/create_descriptor.c deleted file mode 100644 index bc3f42e1f2..0000000000 --- a/source4/libcli/security/create_descriptor.c +++ /dev/null @@ -1,410 +0,0 @@ -/* - Copyright (C) Nadezhda Ivanova 2009 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see <http://www.gnu.org/licenses/>. -*/ - -/* - * Name: create_descriptor - * - * Component: routines for calculating and creating security descriptors - * as described in MS-DTYP 2.5.2.2 - * - * Description: - * - * - * Author: Nadezhda Ivanova - */ -#include "includes.h" -#include "libcli/security/security.h" -#include "librpc/gen_ndr/ndr_security.h" - -/* Todos: - * build the security token dacl as follows: - * SYSTEM: GA, OWNER: GA, LOGIN_SID:GW|GE - * Need session id information for the login SID. Probably - * the best place for this is during token creation - * - * Implement SD Invariants - * ACE sorting rules - * LDAP_SERVER_SD_FLAGS_OID control - * ADTS 7.1.3.3 needs to be clarified - */ - -/* the mapping function for generic rights for DS.(GA,GR,GW,GX) - * The mapping function is passed as an argument to the - * descriptor calculating routine and depends on the security - * manager that calls the calculating routine. - * TODO: need similar mappings for the file system and - * registry security managers in order to make this code - * generic for all security managers - */ - -uint32_t map_generic_rights_ds(uint32_t access_mask) -{ - if (access_mask & SEC_GENERIC_ALL) { - access_mask |= SEC_ADS_GENERIC_ALL; - access_mask = ~SEC_GENERIC_ALL; - } - - if (access_mask & SEC_GENERIC_EXECUTE) { - access_mask |= SEC_ADS_GENERIC_EXECUTE; - access_mask = ~SEC_GENERIC_EXECUTE; - } - - if (access_mask & SEC_GENERIC_WRITE) { - access_mask |= SEC_ADS_GENERIC_WRITE; - access_mask &= ~SEC_GENERIC_WRITE; - } - - if (access_mask & SEC_GENERIC_READ) { - access_mask |= SEC_ADS_GENERIC_READ; - access_mask &= ~SEC_GENERIC_READ; - } - - return access_mask; -} - -/* Not sure what this has to be, -* and it does not seem to have any influence */ -static bool object_in_list(struct GUID *object_list, struct GUID *object) -{ - return true; -} - -static struct security_acl *calculate_inherited_from_parent(TALLOC_CTX *mem_ctx, - struct security_acl *acl, - bool is_container, - struct dom_sid *owner, - struct dom_sid *group, - struct GUID *object_list) -{ - uint32_t i; - TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); - struct security_acl *tmp_acl = talloc_zero(mem_ctx, struct security_acl); - struct dom_sid *co, *cg; - if (!tmp_acl) { - return NULL; - } - - if (!acl) { - return NULL; - } - co = dom_sid_parse_talloc(tmp_ctx, SID_CREATOR_OWNER); - cg = dom_sid_parse_talloc(tmp_ctx, SID_CREATOR_GROUP); - - for (i=0; i < acl->num_aces; i++) { - struct security_ace *ace = &acl->aces[i]; - if ((ace->flags & SEC_ACE_FLAG_CONTAINER_INHERIT) || - (ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT)) { - tmp_acl->aces = talloc_realloc(tmp_acl, tmp_acl->aces, struct security_ace, - tmp_acl->num_aces+1); - if (tmp_acl->aces == NULL) { - talloc_free(tmp_ctx); - return NULL; - } - - tmp_acl->aces[tmp_acl->num_aces] = *ace; - tmp_acl->aces[tmp_acl->num_aces].flags |= SEC_ACE_FLAG_INHERITED_ACE; - - if (is_container && (ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT)) - tmp_acl->aces[tmp_acl->num_aces].flags |= SEC_ACE_FLAG_INHERIT_ONLY; - - if (ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT || - ace->type == SEC_ACE_TYPE_ACCESS_DENIED_OBJECT) { - if (!object_in_list(object_list, &ace->object.object.type.type)) { - tmp_acl->aces[tmp_acl->num_aces].flags |= SEC_ACE_FLAG_INHERIT_ONLY; - } - - } - tmp_acl->aces[tmp_acl->num_aces].access_mask = - map_generic_rights_ds(ace->access_mask); - tmp_acl->num_aces++; - if (is_container) { - if (!(ace->flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT) && - ((dom_sid_equal(&ace->trustee, co) || dom_sid_equal(&ace->trustee, cg)))) { - tmp_acl->aces = talloc_realloc(tmp_acl, tmp_acl->aces, struct security_ace, - tmp_acl->num_aces+1); - if (tmp_acl->aces == NULL) { - talloc_free(tmp_ctx); - return NULL; - } - tmp_acl->aces[tmp_acl->num_aces] = *ace; - tmp_acl->aces[tmp_acl->num_aces].flags &= ~SEC_ACE_FLAG_INHERIT_ONLY; - tmp_acl->aces[tmp_acl->num_aces].flags |= SEC_ACE_FLAG_INHERITED_ACE; - if (dom_sid_equal(&tmp_acl->aces[tmp_acl->num_aces].trustee, co)) { - tmp_acl->aces[tmp_acl->num_aces].trustee = *owner; - } - if (dom_sid_equal(&tmp_acl->aces[tmp_acl->num_aces].trustee, cg)) { - tmp_acl->aces[tmp_acl->num_aces].trustee = *group; - } - tmp_acl->aces[tmp_acl->num_aces].flags &= ~SEC_ACE_FLAG_CONTAINER_INHERIT; - tmp_acl->aces[tmp_acl->num_aces].access_mask = - map_generic_rights_ds(ace->access_mask); - tmp_acl->num_aces++; - } - } - } - } - if (tmp_acl->num_aces == 0) { - return NULL; - } - if (acl) { - tmp_acl->revision = acl->revision; - } - return tmp_acl; -} - -static struct security_acl *process_user_acl(TALLOC_CTX *mem_ctx, - struct security_acl *acl, - bool is_container, - struct dom_sid *owner, - struct dom_sid *group, - struct GUID *object_list) -{ - uint32_t i; - TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); - struct security_acl *tmp_acl = talloc_zero(tmp_ctx, struct security_acl); - struct security_acl *new_acl; - struct dom_sid *co, *cg; - - if (!acl) - return NULL; - - if (!tmp_acl) - return NULL; - - tmp_acl->revision = acl->revision; - DEBUG(6,(__location__ ": acl revision %u\n", acl->revision)); - - co = dom_sid_parse_talloc(tmp_ctx, SID_CREATOR_OWNER); - cg = dom_sid_parse_talloc(tmp_ctx, SID_CREATOR_GROUP); - - for (i=0; i < acl->num_aces; i++){ - struct security_ace *ace = &acl->aces[i]; - if (ace->flags & SEC_ACE_FLAG_INHERITED_ACE) - continue; - if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY && - !(ace->flags & SEC_ACE_FLAG_CONTAINER_INHERIT || - ace->flags & SEC_ACE_FLAG_OBJECT_INHERIT)) - continue; - - tmp_acl->aces = talloc_realloc(tmp_acl, tmp_acl->aces, struct security_ace, - tmp_acl->num_aces+1); - tmp_acl->aces[tmp_acl->num_aces] = *ace; - if (dom_sid_equal(&(tmp_acl->aces[tmp_acl->num_aces].trustee), co)) { - tmp_acl->aces[tmp_acl->num_aces].trustee = *owner; - tmp_acl->aces[tmp_acl->num_aces].flags &= ~SEC_ACE_FLAG_CONTAINER_INHERIT; - } - if (dom_sid_equal(&(tmp_acl->aces[tmp_acl->num_aces].trustee), cg)) { - tmp_acl->aces[tmp_acl->num_aces].trustee = *group; - tmp_acl->aces[tmp_acl->num_aces].flags &= ~SEC_ACE_FLAG_CONTAINER_INHERIT; - } - tmp_acl->aces[tmp_acl->num_aces].access_mask = - map_generic_rights_ds(tmp_acl->aces[tmp_acl->num_aces].access_mask); - tmp_acl->num_aces++; - - if (!dom_sid_equal(&ace->trustee, co) && !dom_sid_equal(&ace->trustee, cg)) - continue; - - tmp_acl->aces = talloc_realloc(tmp_acl, tmp_acl->aces, struct security_ace, - tmp_acl->num_aces+1); - tmp_acl->aces[tmp_acl->num_aces] = *ace; - tmp_acl->aces[tmp_acl->num_aces].flags |= SEC_ACE_FLAG_INHERIT_ONLY; - tmp_acl->num_aces++; - } - new_acl = security_acl_dup(mem_ctx,tmp_acl); - - if (new_acl) - new_acl->revision = acl->revision; - - talloc_free(tmp_ctx); - return new_acl; -} - -static void cr_descr_log_descriptor(struct security_descriptor *sd, - const char *message, - int level) -{ - if (sd) { - DEBUG(level,("%s: %s\n", message, - ndr_print_struct_string(0,(ndr_print_fn_t)ndr_print_security_descriptor, - "", sd))); - } - else { - DEBUG(level,("%s: NULL\n", message)); - } -} - -static void cr_descr_log_acl(struct security_acl *acl, - const char *message, - int level) -{ - if (acl) { - DEBUG(level,("%s: %s\n", message, - ndr_print_struct_string(0,(ndr_print_fn_t)ndr_print_security_acl, - "", acl))); - } - else { - DEBUG(level,("%s: NULL\n", message)); - } -} - -static bool compute_acl(struct security_descriptor *parent_sd, - struct security_descriptor *creator_sd, - bool is_container, - uint32_t inherit_flags, - struct GUID *object_list, - uint32_t (*generic_map)(uint32_t access_mask), - struct security_token *token, - struct security_descriptor *new_sd) /* INOUT argument */ -{ - struct security_acl *user_dacl, *user_sacl, *inherited_dacl, *inherited_sacl; - int level = 10; - - if (!parent_sd || !(inherit_flags & SEC_DACL_AUTO_INHERIT)) { - inherited_dacl = NULL; - } else if (creator_sd && (creator_sd->type & SEC_DESC_DACL_PROTECTED)) { - inherited_dacl = NULL; - } else { - inherited_dacl = calculate_inherited_from_parent(new_sd, - parent_sd->dacl, - is_container, - new_sd->owner_sid, - new_sd->group_sid, - object_list); - } - - - if (!parent_sd || !(inherit_flags & SEC_SACL_AUTO_INHERIT)) { - inherited_sacl = NULL; - } else if (creator_sd && (creator_sd->type & SEC_DESC_SACL_PROTECTED)) { - inherited_sacl = NULL; - } else { - inherited_sacl = calculate_inherited_from_parent(new_sd, - parent_sd->sacl, - is_container, - new_sd->owner_sid, - new_sd->group_sid, - object_list); - } - - if (!creator_sd || (inherit_flags & SEC_DEFAULT_DESCRIPTOR)) { - user_dacl = NULL; - user_sacl = NULL; - } else { - user_dacl = process_user_acl(new_sd, - creator_sd->dacl, - is_container, - new_sd->owner_sid, - new_sd->group_sid, - object_list); - user_sacl = process_user_acl(new_sd, - creator_sd->sacl, - is_container, - new_sd->owner_sid, - new_sd->group_sid, - object_list); - } - cr_descr_log_descriptor(parent_sd, __location__"parent_sd", level); - cr_descr_log_descriptor(creator_sd,__location__ "creator_sd", level); - - new_sd->dacl = security_acl_concatenate(new_sd, user_dacl, inherited_dacl); - if (new_sd->dacl) { - new_sd->type |= SEC_DESC_DACL_PRESENT; - } - if (inherited_dacl) { - new_sd->type |= SEC_DESC_DACL_AUTO_INHERITED; - } - - new_sd->sacl = security_acl_concatenate(new_sd, user_sacl, inherited_sacl); - if (new_sd->sacl) { - new_sd->type |= SEC_DESC_SACL_PRESENT; - } - if (inherited_sacl) { - new_sd->type |= SEC_DESC_SACL_AUTO_INHERITED; - } - /* This is a hack to handle the fact that - * apprantly any AI flag provided by the user is preserved */ - if (creator_sd) - new_sd->type |= creator_sd->type; - cr_descr_log_descriptor(new_sd, __location__"final sd", level); - return true; -} - -struct security_descriptor *create_security_descriptor(TALLOC_CTX *mem_ctx, - struct security_descriptor *parent_sd, - struct security_descriptor *creator_sd, - bool is_container, - struct GUID *object_list, - uint32_t inherit_flags, - struct security_token *token, - struct dom_sid *default_owner, /* valid only for DS, NULL for the other RSs */ - struct dom_sid *default_group, /* valid only for DS, NULL for the other RSs */ - uint32_t (*generic_map)(uint32_t access_mask)) -{ - struct security_descriptor *new_sd; - struct dom_sid *new_owner = NULL; - struct dom_sid *new_group = NULL; - - new_sd = security_descriptor_initialise(mem_ctx); - if (!new_sd) { - return NULL; - } - - if (!creator_sd || !creator_sd->owner_sid) { - if ((inherit_flags & SEC_OWNER_FROM_PARENT) && parent_sd) { - new_owner = parent_sd->owner_sid; - } else if (!default_owner) { - new_owner = &token->sids[PRIMARY_USER_SID_INDEX]; - } else { - new_owner = default_owner; - new_sd->type |= SEC_DESC_OWNER_DEFAULTED; - } - } else { - new_owner = creator_sd->owner_sid; - } - - if (!creator_sd || !creator_sd->group_sid){ - if ((inherit_flags & SEC_GROUP_FROM_PARENT) && parent_sd) { - new_group = parent_sd->group_sid; - } else if (!default_group && token->num_sids > PRIMARY_GROUP_SID_INDEX) { - new_group = &token->sids[PRIMARY_GROUP_SID_INDEX]; - } else if (!default_group) { - /* This will happen only for anonymous, which has no other groups */ - new_group = &token->sids[PRIMARY_USER_SID_INDEX]; - } else { - new_group = default_group; - new_sd->type |= SEC_DESC_GROUP_DEFAULTED; - } - } else { - new_group = creator_sd->group_sid; - } - - new_sd->owner_sid = talloc_memdup(new_sd, new_owner, sizeof(struct dom_sid)); - new_sd->group_sid = talloc_memdup(new_sd, new_group, sizeof(struct dom_sid)); - if (!new_sd->owner_sid || !new_sd->group_sid){ - talloc_free(new_sd); - return NULL; - } - - if (!compute_acl(parent_sd, creator_sd, - is_container, inherit_flags, object_list, - generic_map,token,new_sd)){ - talloc_free(new_sd); - return NULL; - } - - return new_sd; -} diff --git a/source4/libcli/security/object_tree.c b/source4/libcli/security/object_tree.c deleted file mode 100644 index 7c7d644543..0000000000 --- a/source4/libcli/security/object_tree.c +++ /dev/null @@ -1,121 +0,0 @@ -/* - Unix SMB/CIFS implementation. - - security access checking routines - - Copyright (C) Nadezhda Ivanova 2009 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see <http://www.gnu.org/licenses/>. -*/ - -/* - * Description: Contains data handler functions for - * the object tree that must be constructed to perform access checks. - * The object tree is an unbalanced tree of depth 3, indexed by - * object type guid. Perhaps a different data structure - * should be concidered later to improve performance - * - * Author: Nadezhda Ivanova - */ -#include "includes.h" -#include "libcli/security/security.h" -#include "librpc/ndr/libndr.h" - -/* Adds a new node to the object tree. If attributeSecurityGUID is not zero and - * has already been added to the tree, the new node is added as a child of that node - * In all other cases as a child of the root - */ - -bool insert_in_object_tree(TALLOC_CTX *mem_ctx, - const struct GUID *guid, - uint32_t init_access, - struct object_tree **root, - struct object_tree **new_node) -{ - if (!guid || GUID_all_zero(guid)){ - return true; - } - - if (!*root){ - *root = talloc_zero(mem_ctx, struct object_tree); - if (!*root) { - return false; - } - (*root)->guid = *guid; - *new_node = *root; - return true; - } - - if (!(*root)->children) { - (*root)->children = talloc_array(mem_ctx, struct object_tree, 1); - (*root)->children[0].guid = *guid; - (*root)->children[0].num_of_children = 0; - (*root)->children[0].children = NULL; - (*root)->num_of_children++; - (*root)->children[0].remaining_access = init_access; - *new_node = &((*root)->children[0]); - return true; - } - else { - int i; - for (i = 0; i < (*root)->num_of_children; i++) { - if (GUID_equal(&((*root)->children[i].guid), guid)) { - *new_node = &((*root)->children[i]); - return true; - } - } - (*root)->children = talloc_realloc(mem_ctx, (*root)->children, struct object_tree, - (*root)->num_of_children +1); - (*root)->children[(*root)->num_of_children].guid = *guid; - (*root)->children[(*root)->num_of_children].remaining_access = init_access; - *new_node = &((*root)->children[(*root)->num_of_children]); - (*root)->num_of_children++; - return true; - } - return true; -} - -/* search by GUID */ -struct object_tree *get_object_tree_by_GUID(struct object_tree *root, - const struct GUID *guid) -{ - struct object_tree *result = NULL; - int i; - - if (!root || GUID_equal(&root->guid, guid)) { - result = root; - return result; - } - else if (root->num_of_children > 0) { - for (i = 0; i < root->num_of_children; i++) { - if ((result = get_object_tree_by_GUID(&root->children[i], guid))) - break; - } - } - return result; -} - -/* Change the granted access per each ACE */ - -void object_tree_modify_access(struct object_tree *root, - uint32_t access) -{ - root->remaining_access &= ~access; - if (root->num_of_children > 0) { - int i; - for (i = 0; i < root->num_of_children; i++) { - object_tree_modify_access(&root->children[i], access); - } - } -} diff --git a/source4/libcli/security/wscript_build b/source4/libcli/security/wscript_build index 02d79428d0..f06899e9d4 100644 --- a/source4/libcli/security/wscript_build +++ b/source4/libcli/security/wscript_build @@ -3,12 +3,6 @@ bld.SAMBA_SUBSYSTEM('LIBSECURITY_SESSION', source='session.c', autoproto='session_proto.h', - public_deps='LIBSECURITY_COMMON' - ) - -bld.SAMBA_SUBSYSTEM('LIBSECURITY', - source='access_check.c create_descriptor.c object_tree.c', - autoproto='proto.h', - public_deps='LIBNDR LIBSECURITY_COMMON' + public_deps='LIBSECURITY' ) |