-rw-r--r--source4/lib/ldb/samba/ldif_handlers.c67
-rw-r--r--source4/libcli/security/sddl.c16
-rw-r--r--source4/torture/local/sddl.c7
3 files changed, 82 insertions, 8 deletions
diff --git a/source4/lib/ldb/samba/ldif_handlers.c b/source4/lib/ldb/samba/ldif_handlers.c
index dab3552b01..6d2e4349cf 100644
--- a/source4/lib/ldb/samba/ldif_handlers.c
+++ b/source4/lib/ldb/samba/ldif_handlers.c
@@ -214,6 +214,65 @@ static int ldb_canonicalise_objectGUID(struct ldb_context *ldb, void *mem_ctx,
return ldb_handler_copy(ldb, mem_ctx, in, out);
}
+
+/*
+ convert a ldif (SDDL) formatted ntSecurityDescriptor to a NDR formatted blob
+*/
+static int ldif_read_ntSecurityDescriptor(struct ldb_context *ldb, void *mem_ctx,
+ const struct ldb_val *in, struct ldb_val *out)
+{
+ struct security_descriptor *sd;
+ NTSTATUS status;
+ const struct dom_sid *domain_sid = samdb_domain_sid(ldb);
+ if (domain_sid == NULL) {
+ return ldb_handler_copy(ldb, mem_ctx, in, out);
+ }
+ sd = sddl_decode(mem_ctx, (const char *)in->data, domain_sid);
+ if (sd == NULL) {
+ return -1;
+ }
+ status = ndr_push_struct_blob(out, mem_ctx, sd,
+ (ndr_push_flags_fn_t)ndr_push_security_descriptor);
+ talloc_free(sd);
+ if (!NT_STATUS_IS_OK(status)) {
+ return -1;
+ }
+ return 0;
+}
+
+/*
+ convert a NDR formatted blob to a ldif formatted ntSecurityDescriptor (SDDL format)
+*/
+static int ldif_write_ntSecurityDescriptor(struct ldb_context *ldb, void *mem_ctx,
+ const struct ldb_val *in, struct ldb_val *out)
+{
+ struct security_descriptor *sd;
+ NTSTATUS status;
+ const struct dom_sid *domain_sid = samdb_domain_sid(ldb);
+
+ if (domain_sid == NULL) {
+ return ldb_handler_copy(ldb, mem_ctx, in, out);
+ }
+
+ sd = talloc(mem_ctx, struct security_descriptor);
+ if (sd == NULL) {
+ return -1;
+ }
+ status = ndr_pull_struct_blob(in, sd, sd,
+ (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
+ if (!NT_STATUS_IS_OK(status)) {
+ talloc_free(sd);
+ return -1;
+ }
+ out->data = (uint8_t *)sddl_encode(mem_ctx, sd, domain_sid);
+ talloc_free(sd);
+ if (out->data == NULL) {
+ return -1;
+ }
+ out->length = strlen((const char *)out->data);
+ return 0;
+}
+
static const struct ldb_attrib_handler samba_handlers[] = {
{
.attr = "objectSid",
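Review bot: ldif_read_ntSecurityDescriptor hands `in->data` to sddl_decode() as a NUL-terminated C string and never looks at `in->length`, so an ldb_val that is not NUL-terminated is over-read and one with an embedded NUL is silently decoded as a shorter, different descriptor. Bound the input before decoding: `char *str = talloc_strndup(mem_ctx, (const char *)in->data, in->length);` then `if (str == NULL) return -1;` and `sd = sddl_decode(mem_ctx, str, domain_sid);` (freeing `str` once the descriptor is built). Separately, when samdb_domain_sid() returns NULL the read path falls back to ldb_handler_copy, which stores the SDDL text verbatim in an attribute that ldif_write_ntSecurityDescriptor later expects to ndr_pull as a security_descriptor; if that is deliberate for provisioning before a domain SID exists, a comment saying so would help, otherwise the fallback should likely be an error rather than a silent format change.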
@@ -232,6 +291,14 @@ static const struct ldb_attrib_handler samba_handlers[] = {
.comparison_fn = ldb_comparison_objectSid
},
{
+ .attr = "ntSecurityDescriptor",
+ .flags = 0,
+ .ldif_read_fn = ldif_read_ntSecurityDescriptor,
+ .ldif_write_fn = ldif_write_ntSecurityDescriptor,
+ .canonicalise_fn = ldb_handler_copy,
+ .comparison_fn = ldb_comparison_binary
+ },
+ {
.attr = "objectGUID",
.flags = 0,
.ldif_read_fn = ldif_read_objectGUID,
diff --git a/source4/libcli/security/sddl.c b/source4/libcli/security/sddl.c
index 643cb7a82c..7d7fe856cd 100644
--- a/source4/libcli/security/sddl.c
+++ b/source4/libcli/security/sddl.c
@@ -92,7 +92,7 @@ static const struct {
It can either be a special 2 letter code, or in S-* format
*/
static struct dom_sid *sddl_decode_sid(TALLOC_CTX *mem_ctx, const char **sddlp,
- struct dom_sid *domain_sid)
+ const struct dom_sid *domain_sid)
{
const char *sddl = (*sddlp);
int i;
@@ -172,7 +172,7 @@ static const struct flag_map ace_access_mask[] = {
note that this routine modifies the string
*/
static BOOL sddl_decode_ace(TALLOC_CTX *mem_ctx, struct security_ace *ace, char *str,
- struct dom_sid *domain_sid)
+ const struct dom_sid *domain_sid)
{
const char *tok[6];
const char *s;
@@ -259,7 +259,7 @@ static const struct flag_map acl_flags[] = {
*/
static struct security_acl *sddl_decode_acl(struct security_descriptor *sd,
const char **sddlp, uint32_t *flags,
- struct dom_sid *domain_sid)
+ const struct dom_sid *domain_sid)
{
const char *sddl = *sddlp;
struct security_acl *acl;
@@ -316,7 +316,7 @@ static struct security_acl *sddl_decode_acl(struct security_descriptor *sd,
decode a security descriptor in SDDL format
*/
struct security_descriptor *sddl_decode(TALLOC_CTX *mem_ctx, const char *sddl,
- struct dom_sid *domain_sid)
+ const struct dom_sid *domain_sid)
{
struct security_descriptor *sd;
sd = talloc_zero(mem_ctx, struct security_descriptor);
@@ -408,7 +408,7 @@ failed:
encode a sid in SDDL format
*/
static char *sddl_encode_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid,
- struct dom_sid *domain_sid)
+ const struct dom_sid *domain_sid)
{
int i;
char *sidstr;
@@ -446,7 +446,7 @@ static char *sddl_encode_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid,
encode an ACE in SDDL format
*/
static char *sddl_encode_ace(TALLOC_CTX *mem_ctx, const struct security_ace *ace,
- struct dom_sid *domain_sid)
+ const struct dom_sid *domain_sid)
{
char *sddl;
TALLOC_CTX *tmp_ctx;
@@ -497,7 +497,7 @@ failed:
encode an ACL in SDDL format
*/
static char *sddl_encode_acl(TALLOC_CTX *mem_ctx, const struct security_acl *acl,
- uint32_t flags, struct dom_sid *domain_sid)
+ uint32_t flags, const struct dom_sid *domain_sid)
{
char *sddl;
int i;
@@ -527,7 +527,7 @@ failed:
encode a security descriptor to SDDL format
*/
char *sddl_encode(TALLOC_CTX *mem_ctx, const struct security_descriptor *sd,
- struct dom_sid *domain_sid)
+ const struct dom_sid *domain_sid)
{
char *sddl;
TALLOC_CTX *tmp_ctx;
diff --git a/source4/torture/local/sddl.c b/source4/torture/local/sddl.c
index 8d5874d878..01f4d839d9 100644
--- a/source4/torture/local/sddl.c
+++ b/source4/torture/local/sddl.c
@@ -57,6 +57,13 @@ static BOOL test_sddl(TALLOC_CTX *mem_ctx, const char *sddl)
return False;
}
+#if 0
+ /* flags don't have a canonical order ... */
+ if (strcmp(sddl, sddl2) != 0) {
+ printf("Failed sddl equality test\norig: %s\n new: %s\n", sddl, sddl2);
+ }
+#endif
+
if (DEBUGLVL(2)) {
NDR_PRINT_DEBUG(security_descriptor, sd);
}
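Review bot: The `#if 0` block added to test_sddl is dead code — it is never compiled, and the strcmp it would perform is expected to fail because SDDL flag order is not canonical, as its own comment says. Either drop the block or keep just the explanation as a comment, e.g. `/* sddl2 is not compared textually: SDDL flag order is not canonical, so only the decode/encode round trip is checked */`, so a later reader does not re-enable a check that cannot pass. If round-trip coverage of the text is wanted, comparing the NDR encodings of the original and the re-decoded sddl2 descriptor would not depend on textual flag order. test_sddl starts and ends outside this hunk.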