-rw-r--r-- | source4/include/rpc_secdes.h | 23 | ||||
-rw-r--r-- | source4/libcli/raw/rawacl.c | 15 | ||||
-rw-r--r-- | source4/libcli/security/dom_sid.c | 4 | ||||
-rw-r--r-- | source4/libcli/security/security_descriptor.c | 128 | ||||
-rw-r--r-- | source4/librpc/idl/security.idl | 23 | ||||
-rw-r--r-- | source4/torture/config.mk | 1 | ||||
-rw-r--r-- | source4/torture/raw/acls.c | 162 | ||||
-rw-r--r-- | source4/torture/torture.c | 1 |
8 files changed, 326 insertions, 31 deletions
diff --git a/source4/include/rpc_secdes.h b/source4/include/rpc_secdes.h index f1797435b8..9cf899a59a 100644 --- a/source4/include/rpc_secdes.h +++ b/source4/include/rpc_secdes.h @@ -52,29 +52,6 @@ typedef struct security_descriptor SEC_DESC; #define SEC_RIGHTS_RESET_PASSWD SEC_RIGHTS_EXTENDED #define SEC_RIGHTS_FULL_CTRL 0xf01ff -#define SEC_ACE_OBJECT_PRESENT 0x00000001 /* thanks for Jim McDonough <jmcd@us.ibm.com> */ -#define SEC_ACE_OBJECT_INHERITED_PRESENT 0x00000002 - -#define SEC_ACE_FLAG_OBJECT_INHERIT 0x1 -#define SEC_ACE_FLAG_CONTAINER_INHERIT 0x2 -#define SEC_ACE_FLAG_NO_PROPAGATE_INHERIT 0x4 -#define SEC_ACE_FLAG_INHERIT_ONLY 0x8 -#define SEC_ACE_FLAG_INHERITED_ACE 0x10 /* New for Windows 2000 */ -#define SEC_ACE_FLAG_VALID_INHERIT 0xf -#define SEC_ACE_FLAG_SUCCESSFUL_ACCESS 0x40 -#define SEC_ACE_FLAG_FAILED_ACCESS 0x80 - -#define SEC_ACE_TYPE_ACCESS_ALLOWED 0x0 -#define SEC_ACE_TYPE_ACCESS_DENIED 0x1 -#define SEC_ACE_TYPE_SYSTEM_AUDIT 0x2 -#define SEC_ACE_TYPE_SYSTEM_ALARM 0x3 -#define SEC_ACE_TYPE_ALLOWED_COMPOUND 0x4 -#define SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT 0x5 -#define SEC_ACE_TYPE_ACCESS_DENIED_OBJECT 0x6 -#define SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT 0x7 -#define SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT 0x8 - - /* Don't know what this means. */ /* security information */ diff --git a/source4/libcli/raw/rawacl.c b/source4/libcli/raw/rawacl.c index 642d0ba72b..2e05002491 100644 --- a/source4/libcli/raw/rawacl.c +++ b/source4/libcli/raw/rawacl.c @@ -1,7 +1,8 @@ /* Unix SMB/CIFS implementation. ACL get/set operations - Copyright (C) Andrew Tridgell 2003 + + Copyright (C) Andrew Tridgell 2003-2004 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by 
@@ -107,7 +108,7 @@ NTSTATUS smb_raw_query_secdesc(struct smbcli_tree *tree, set file ACL (async send) ****************************************************************************/ struct smbcli_request *smb_raw_set_secdesc_send(struct smbcli_tree *tree, - struct smb_set_secdesc *set) + struct smb_set_secdesc *set) { struct smb_nttrans nt; uint8_t params[8]; @@ -145,3 +146,13 @@ struct smbcli_request *smb_raw_set_secdesc_send(struct smbcli_tree *tree, ndr_push_free(ndr); return req; } + +/**************************************************************************** +set file ACL (sync interface) +****************************************************************************/ +NTSTATUS smb_raw_set_secdesc(struct smbcli_tree *tree, + struct smb_set_secdesc *set) +{ + struct smbcli_request *req = smb_raw_set_secdesc_send(tree, set); + return smbcli_request_simple_recv(req); +} diff --git a/source4/libcli/security/dom_sid.c b/source4/libcli/security/dom_sid.c index 254b8dbfab..001618bb07 100644 --- a/source4/libcli/security/dom_sid.c +++ b/source4/libcli/security/dom_sid.c @@ -184,7 +184,7 @@ struct dom_sid *dom_sid_parse_talloc(TALLOC_CTX *mem_ctx, const char *sidstr) } /* - convert a string to a dom_sid, returning a talloc'd dom_sid + copy a dom_sid structure */ struct dom_sid *dom_sid_dup(TALLOC_CTX *mem_ctx, const struct dom_sid *dom_sid) { @@ -195,7 +195,7 @@ struct dom_sid *dom_sid_dup(TALLOC_CTX *mem_ctx, const struct dom_sid *dom_sid) return NULL; } - ret->sub_auths = talloc_array_p(mem_ctx, uint32_t, dom_sid->num_auths); + ret->sub_auths = talloc_array_p(ret, uint32_t, dom_sid->num_auths); if (!ret->sub_auths) { return NULL; } diff --git a/source4/libcli/security/security_descriptor.c b/source4/libcli/security/security_descriptor.c index 255836066a..671174a824 100644 --- a/source4/libcli/security/security_descriptor.c +++ b/source4/libcli/security/security_descriptor.c 
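Review bot: The new smb_raw_set_secdesc() passes the result of smb_raw_set_secdesc_send() directly to smbcli_request_simple_recv() with no NULL check, and the send function's failure paths lie above this hunk. If the send side can return NULL (for instance when marshalling the descriptor fails), the wrapper is only correct as long as smbcli_request_simple_recv() accepts a NULL request and maps it to an error status; that is not visible here and should be confirmed. I would record that dependency in the header comment, e.g. `a NULL request from the send side is reported as an error by smbcli_request_simple_recv()`, so a later change to the recv helper cannot turn a failed ACL update into a crash.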
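Review bot: The failure path right after the changed allocation in dom_sid_dup() still returns NULL without releasing `ret`, so a failed sub_auths allocation leaves a half-built dom_sid attached to mem_ctx until that context is destroyed. Parenting sub_auths on `ret` makes the cleanup a single call: add `talloc_free(ret);` before `return NULL;`. The element count is taken unchecked from `dom_sid->num_auths`; if this function can be reached with a SID decoded from the wire, it is worth confirming that the decoder bounds num_auths first. The function starts above the hunk, so the allocation of `ret` itself is not visible.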
@@ -54,7 +54,7 @@ struct security_descriptor *security_descriptor_initialise(TALLOC_CTX *mem_ctx) talloc and copy a security descriptor */ struct security_descriptor *security_descriptor_copy(TALLOC_CTX *mem_ctx, - const struct security_descriptor *osd) + const struct security_descriptor *osd) { struct security_descriptor *nsd; @@ -65,7 +65,9 @@ struct security_descriptor *security_descriptor_copy(TALLOC_CTX *mem_ctx, return nsd; } -NTSTATUS security_check_dacl(struct security_token *st, struct security_descriptor *sd, uint32 access_mask) +NTSTATUS security_check_dacl(struct security_token *st, + struct security_descriptor *sd, + uint32 access_mask) { size_t i,y; NTSTATUS status = NT_STATUS_ACCESS_DENIED; 
@@ -100,3 +102,125 @@ NTSTATUS security_check_dacl(struct security_token *st, struct security_descript return status; } + + +/* + add an ACE to the DACL of a security_descriptor +*/ +NTSTATUS security_descriptor_dacl_add(struct security_descriptor *sd, + struct security_ace *ace) +{ + if (sd->dacl == NULL) { + sd->dacl = talloc_p(sd, struct security_acl); + if (sd->dacl == NULL) { + return NT_STATUS_NO_MEMORY; + } + sd->dacl->revision = SD_REVISION; + sd->dacl->size = 0; + sd->dacl->num_aces = 0; + sd->dacl->aces = NULL; + } + + sd->dacl->aces = talloc_realloc_p(sd->dacl, sd->dacl->aces, + struct security_ace, sd->dacl->num_aces+1); + if (sd->dacl->aces == NULL) { + return NT_STATUS_NO_MEMORY; + } + + sd->dacl->aces[sd->dacl->num_aces] = *ace; + sd->dacl->aces[sd->dacl->num_aces].trustee.sub_auths = + talloc_memdup(sd->dacl->aces, + sd->dacl->aces[sd->dacl->num_aces].trustee.sub_auths, + sizeof(uint32_t) * + sd->dacl->aces[sd->dacl->num_aces].trustee.num_auths); + if (sd->dacl->aces[sd->dacl->num_aces].trustee.sub_auths == NULL) { + return NT_STATUS_NO_MEMORY; + } + + sd->dacl->num_aces++; + + return NT_STATUS_OK; +} + + +/* + delete the ACE corresponding to the given trustee in the DACL of a security_descriptor +*/ +NTSTATUS security_descriptor_dacl_del(struct security_descriptor *sd, + struct dom_sid *trustee) +{ + int i; + + if (sd->dacl == NULL) { + return NT_STATUS_OBJECT_NAME_NOT_FOUND; + } + + for (i=0;i<sd->dacl->num_aces;i++) { + if (dom_sid_equal(trustee, &sd->dacl->aces[i].trustee)) { + memmove(&sd->dacl->aces[i], &sd->dacl->aces[i+1], + sizeof(sd->dacl->aces[i]) * (sd->dacl->num_aces - (i+1))); + sd->dacl->num_aces--; + if (sd->dacl->num_aces == 0) { + sd->dacl->aces = NULL; + } + return NT_STATUS_OK; + } + } + return NT_STATUS_OBJECT_NAME_NOT_FOUND; +} + + +/* + compare two security ace structures +*/ +BOOL security_ace_equal(const struct security_ace *ace1, + const struct security_ace *ace2) +{ + if (ace1 == ace2) return True; + if (!ace1 || !ace2) 
return False; + if (ace1->type != ace2->type) return False; + if (ace1->flags != ace2->flags) return False; + if (ace1->access_mask != ace2->access_mask) return False; + if (!dom_sid_equal(&ace1->trustee, &ace2->trustee)) return False; + + return True; +} + + +/* + compare two security acl structures +*/ +BOOL security_acl_equal(const struct security_acl *acl1, + const struct security_acl *acl2) +{ + int i; + + if (acl1 == acl2) return True; + if (!acl1 || !acl2) return False; + if (acl1->revision != acl2->revision) return False; + if (acl1->num_aces != acl2->num_aces) return False; + + for (i=0;i<acl1->num_aces;i++) { + if (!security_ace_equal(&acl1->aces[i], &acl2->aces[i])) return False; + } + return True; +} + +/* + compare two security descriptors. +*/ +BOOL security_descriptor_equal(const struct security_descriptor *sd1, + const struct security_descriptor *sd2) +{ + if (sd1 == sd2) return True; + if (!sd1 || !sd2) return False; + if (sd1->revision != sd2->revision) return False; + if (sd1->type != sd2->type) return False; + + if (!dom_sid_equal(sd1->owner_sid, sd2->owner_sid)) return False; + if (!dom_sid_equal(sd1->group_sid, sd2->group_sid)) return False; + if (!security_acl_equal(sd1->sacl, sd2->sacl)) return False; + if (!security_acl_equal(sd1->dacl, sd2->dacl)) return False; + + return True; +} diff --git a/source4/librpc/idl/security.idl b/source4/librpc/idl/security.idl index ba75c0f54b..201868e531 100644 --- a/source4/librpc/idl/security.idl +++ b/source4/librpc/idl/security.idl 
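Review bot: In security_descriptor_dacl_add() the result of talloc_realloc_p() is assigned straight back to `sd->dacl->aces`, so on allocation failure the DACL is left with `aces == NULL` while `num_aces` keeps the old count, and any later loop over `num_aces` (the one in security_acl_equal(), for example) dereferences NULL. Reallocate into a temporary and commit only on success, as in the excerpt below. Separately, security_descriptor_dacl_del() returns after the first ACE whose trustee matches; a DACL may hold several ACEs for one SID, so a caller using it to revoke a trustee can leave a later allow entry in place, and the function should either loop until no match remains or state the first-match behaviour in its comment. The removed entry's duplicated `trustee.sub_auths` and, once the list is empty, the `aces` array are dropped without being freed.
```c
NTSTATUS security_descriptor_dacl_add(struct security_descriptor *sd,
				      struct security_ace *ace)
{
	struct security_ace *aces;

	/* … unchanged: lazy creation of sd->dacl … */

	aces = talloc_realloc_p(sd->dacl, sd->dacl->aces,
				struct security_ace, sd->dacl->num_aces+1);
	if (aces == NULL) {
		/* old array and num_aces stay consistent for later readers */
		return NT_STATUS_NO_MEMORY;
	}
	sd->dacl->aces = aces;

	/* … unchanged: copy *ace, duplicate trustee.sub_auths, bump num_aces … */
```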
@@ -46,9 +46,28 @@ interface security uint32 sub_auths[num_auths]; } dom_sid; + const int SEC_ACE_FLAG_OBJECT_INHERIT = 0x001; + const int SEC_ACE_FLAG_CONTAINER_INHERIT = 0x002; + const int SEC_ACE_FLAG_NO_PROPAGATE_INHERIT = 0x004; + const int SEC_ACE_FLAG_INHERIT_ONLY = 0x008; + const int SEC_ACE_FLAG_INHERITED_ACE = 0x010; + const int SEC_ACE_FLAG_VALID_INHERIT = 0x00f; + const int SEC_ACE_FLAG_SUCCESSFUL_ACCESS = 0x040; + const int SEC_ACE_FLAG_FAILED_ACCESS = 0x080; + + const int SEC_ACE_TYPE_ACCESS_ALLOWED = 0x0; + const int SEC_ACE_TYPE_ACCESS_DENIED = 0x1; + const int SEC_ACE_TYPE_SYSTEM_AUDIT = 0x2; + const int SEC_ACE_TYPE_SYSTEM_ALARM = 0x3; + const int SEC_ACE_TYPE_ALLOWED_COMPOUND = 0x4; + const int SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT = 0x5; + const int SEC_ACE_TYPE_ACCESS_DENIED_OBJECT = 0x6; + const int SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT = 0x7; + const int SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT = 0x8; + typedef [public] struct { - uint8 type; /* xxxx_xxxx_ACE_TYPE - e.g allowed / denied etc */ - uint8 flags; /* xxxx_INHERIT_xxxx - e.g OBJECT_INHERIT_ACE */ + uint8 type; /* SEC_ACE_TYPE_* */ + uint8 flags; /* SEC_ACE_FLAG_* */ [value(ndr_size_security_ace(r))] uint16 size; uint32 access_mask; diff --git a/source4/torture/config.mk b/source4/torture/config.mk index 5aa621bdb5..d7e99db0d0 100644 --- a/source4/torture/config.mk +++ b/source4/torture/config.mk @@ -48,6 +48,7 @@ ADD_OBJ_FILES = \ torture/raw/rename.o \ torture/raw/eas.o \ torture/raw/streams.o \ + torture/raw/acls.o \ torture/raw/seek.o REQUIRED_SUBSYSTEMS = \ LIBSMB diff --git a/source4/torture/raw/acls.c b/source4/torture/raw/acls.c new file mode 100644 index 0000000000..1562af55ca --- /dev/null +++ b/source4/torture/raw/acls.c 
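Review bot: `SEC_ACE_OBJECT_PRESENT` (0x00000001) and `SEC_ACE_OBJECT_INHERITED_PRESENT` (0x00000002) are deleted from rpc_secdes.h in this commit but are not re-declared among the constants added here, which cover only SEC_ACE_FLAG_* and SEC_ACE_TYPE_*. Unless another header still defines them, code handling the object ACE types (0x5 to 0x8) loses the names for the bits that say which optional fields follow. I would either carry them over, e.g. `const int SEC_ACE_OBJECT_PRESENT = 0x1;` and `const int SEC_ACE_OBJECT_INHERITED_PRESENT = 0x2;`, or say in the commit message why they are dropped. The struct being annotated continues past the end of the hunk.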
@@ -0,0 +1,162 @@ +/* + Unix SMB/CIFS implementation. + + test security descriptor operations + + Copyright (C) Andrew Tridgell 2004 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" +#include "libcli/raw/libcliraw.h" +#include "librpc/gen_ndr/ndr_security.h" + +#define BASEDIR "\\testsd" + +#define CHECK_STATUS(status, correct) do { \ + if (!NT_STATUS_EQUAL(status, correct)) { \ + printf("(%s) Incorrect status %s - should be %s\n", \ + __location__, nt_errstr(status), nt_errstr(correct)); \ + ret = False; \ + goto done; \ + }} while (0) + + +static BOOL test_sd(struct smbcli_state *cli, TALLOC_CTX *mem_ctx) +{ + NTSTATUS status; + union smb_open io; + const char *fname = BASEDIR "\\sd.txt"; + BOOL ret = True; + int fnum; + struct smb_query_secdesc q; + struct smb_set_secdesc set; + struct security_ace ace; + struct security_descriptor *sd; + struct dom_sid *test_sid; + + printf("TESTING SETFILEINFO EA_SET\n"); + + io.generic.level = RAW_OPEN_NTCREATEX; + io.ntcreatex.in.root_fid = 0; + io.ntcreatex.in.flags = 0; + io.ntcreatex.in.access_mask = SEC_RIGHT_MAXIMUM_ALLOWED; + io.ntcreatex.in.create_options = 0; + io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL; + io.ntcreatex.in.share_access = + NTCREATEX_SHARE_ACCESS_READ | + NTCREATEX_SHARE_ACCESS_WRITE; + io.ntcreatex.in.alloc_size = 0; + 
io.ntcreatex.in.open_disposition = NTCREATEX_DISP_CREATE; + io.ntcreatex.in.impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS; + io.ntcreatex.in.security_flags = 0; + io.ntcreatex.in.fname = fname; + status = smb_raw_open(cli->tree, mem_ctx, &io); + CHECK_STATUS(status, NT_STATUS_OK); + fnum = io.ntcreatex.out.fnum; + + q.in.fnum = fnum; + q.in.secinfo_flags = + OWNER_SECURITY_INFORMATION | + GROUP_SECURITY_INFORMATION | + DACL_SECURITY_INFORMATION; + status = smb_raw_query_secdesc(cli->tree, mem_ctx, &q); + CHECK_STATUS(status, NT_STATUS_OK); + sd = q.out.sd; + + printf("add a new ACE to the DACL\n"); + + test_sid = dom_sid_parse_talloc(mem_ctx, "S-1-5-32-1234-5432"); + + ace.type = SEC_ACE_TYPE_ACCESS_ALLOWED; + ace.flags = 0; + ace.access_mask = STD_RIGHT_ALL_ACCESS; + ace.trustee = *test_sid; + + status = security_descriptor_dacl_add(sd, &ace); + CHECK_STATUS(status, NT_STATUS_OK); + + set.in.fnum = fnum; + set.in.secinfo_flags = q.in.secinfo_flags; + set.in.sd = sd; + + status = smb_raw_set_secdesc(cli->tree, &set); + CHECK_STATUS(status, NT_STATUS_OK); + + status = smb_raw_query_secdesc(cli->tree, mem_ctx, &q); + CHECK_STATUS(status, NT_STATUS_OK); + + if (!security_descriptor_equal(q.out.sd, sd)) { + printf("security descriptors don't match!\n"); + printf("got:\n"); + NDR_PRINT_DEBUG(security_descriptor, q.out.sd); + printf("expected:\n"); + NDR_PRINT_DEBUG(security_descriptor, sd); + } + + printf("remove it again\n"); + + status = security_descriptor_dacl_del(sd, test_sid); + CHECK_STATUS(status, NT_STATUS_OK); + + status = smb_raw_set_secdesc(cli->tree, &set); + CHECK_STATUS(status, NT_STATUS_OK); + + status = smb_raw_query_secdesc(cli->tree, mem_ctx, &q); + CHECK_STATUS(status, NT_STATUS_OK); + + if (!security_descriptor_equal(q.out.sd, sd)) { + printf("security descriptors don't match!\n"); + printf("got:\n"); + NDR_PRINT_DEBUG(security_descriptor, q.out.sd); + printf("expected:\n"); + NDR_PRINT_DEBUG(security_descriptor, sd); + } + +done: + 
smbcli_close(cli->tree, fnum); + return ret; +} + + +/* + basic testing of security descriptor calls +*/ +BOOL torture_raw_acls(void) +{ + struct smbcli_state *cli; + BOOL ret = True; + TALLOC_CTX *mem_ctx; + + if (!torture_open_connection(&cli)) { + return False; + } + + mem_ctx = talloc_init("torture_raw_acls"); + + if (!torture_setup_dir(cli, BASEDIR)) { + return False; + } + + ret &= test_sd(cli, mem_ctx); + + smb_raw_exit(cli->session); + smbcli_deltree(cli->tree, BASEDIR); + + torture_close_connection(cli); + talloc_destroy(mem_ctx); + return ret; +} diff --git a/source4/torture/torture.c b/source4/torture/torture.c index bc3b5f545f..09f7c65f04 100644 --- a/source4/torture/torture.c +++ b/source4/torture/torture.c @@ -2421,6 +2421,7 @@ static struct { {"RAW-SEEK", torture_raw_seek, 0}, {"RAW-EAS", torture_raw_eas, 0}, {"RAW-STREAMS", torture_raw_streams, 0}, + {"RAW-ACLS", torture_raw_acls, 0}, {"RAW-RAP", torture_raw_rap, 0}, /* protocol scanners */ |
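Review bot: The two `security_descriptor_equal()` checks in test_sd() only print the mismatch and never set `ret`, so RAW-ACLS reports success even when the server returns a different descriptor from the one that was set; add `ret = False;` in both branches (and `goto done;` after the first if the removal step should not run on a bad state). `fnum` is also read by `smbcli_close()` at `done:` when the initial smb_raw_open() fails, because CHECK_STATUS jumps there before it is assigned; initialise it with `int fnum = -1;` and skip the close in that case. The result of `dom_sid_parse_talloc()` is dereferenced as `*test_sid` without a NULL check, and the banner still prints `TESTING SETFILEINFO EA_SET`, which looks copied from the EA test. In torture_raw_acls() the early `return False` after torture_setup_dir() skips torture_close_connection() and talloc_destroy().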