diff options
-rw-r--r-- | source4/libcli/security/sddl.c | 45 |
1 files changed, 42 insertions, 3 deletions
diff --git a/source4/libcli/security/sddl.c b/source4/libcli/security/sddl.c index 7ae7d83839..a1b8346969 100644 --- a/source4/libcli/security/sddl.c +++ b/source4/libcli/security/sddl.c @@ -146,7 +146,6 @@ static const struct flag_map ace_flags[] = { }; static const struct flag_map ace_access_mask[] = { - { "RC", SEC_STD_READ_CONTROL }, { "RP", SEC_ADS_READ_PROP }, { "WP", SEC_ADS_WRITE_PROP }, { "CR", SEC_ADS_CONTROL_ACCESS }, @@ -154,6 +153,7 @@ static const struct flag_map ace_access_mask[] = { { "DC", SEC_ADS_DELETE_CHILD }, { "LC", SEC_ADS_LIST }, { "LO", SEC_ADS_LIST_OBJECT }, + { "RC", SEC_STD_READ_CONTROL }, { "WO", SEC_STD_WRITE_OWNER }, { "WD", SEC_STD_WRITE_DAC }, { "SD", SEC_STD_DELETE }, @@ -408,6 +408,33 @@ failed: static char *sddl_encode_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid, struct dom_sid *domain_sid) { + int i; + char *sidstr; + + sidstr = dom_sid_string(mem_ctx, sid); + if (sidstr == NULL) return NULL; + + /* seen if its a well known sid */ + for (i=0;sid_codes[i].sid;i++) { + if (strcmp(sidstr, sid_codes[i].sid) == 0) { + talloc_free(sidstr); + return talloc_strdup(mem_ctx, sid_codes[i].code); + } + } + + /* or a well known rid in our domain */ + if (dom_sid_in_domain(domain_sid, sid)) { + uint32_t rid = sid->sub_auths[sid->num_auths-1]; + for (;i<ARRAY_SIZE(sid_codes);i++) { + if (rid == sid_codes[i].rid) { + talloc_free(sidstr); + return talloc_strdup(mem_ctx, sid_codes[i].code); + } + } + } + + talloc_free(sidstr); + /* TODO: encode well known sids as two letter codes */ return dom_sid_string(mem_ctx, sid); } @@ -435,11 +462,23 @@ static char *sddl_encode_ace(TALLOC_CTX *mem_ctx, const struct security_ace *ace s_mask = sddl_flags_to_string(tmp_ctx, ace_access_mask, ace->access_mask, True); if (s_mask == NULL) goto failed; - s_object = GUID_string(tmp_ctx, &ace->object.object.type.type); + if (ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT || + ace->type == SEC_ACE_TYPE_ACCESS_DENIED_OBJECT || + ace->type == SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT || + ace->type == SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT) { + if (!GUID_all_zero(&ace->object.object.type.type)) { + s_object = GUID_string(tmp_ctx, &ace->object.object.type.type); + if (s_object == NULL) goto failed; + } - s_iobject = GUID_string(tmp_ctx, &ace->object.object.inherited_type.inherited_type); + if (!GUID_all_zero(&ace->object.object.inherited_type.inherited_type)) { + s_iobject = GUID_string(tmp_ctx, &ace->object.object.inherited_type.inherited_type); + if (s_iobject == NULL) goto failed; + } + } s_trustee = sddl_encode_sid(tmp_ctx, &ace->trustee, domain_sid); + if (s_trustee == NULL) goto failed; sddl = talloc_asprintf(mem_ctx, "%s;%s;%s;%s;%s;%s", s_type, s_flags, s_mask, s_object, s_iobject, s_trustee); |